Platform Properties
This section describes the different properties that you can use in the STR to configure the Platform.
General Properties
Property | Description | SOC 1 | Category | Reason |
|---|---|---|---|---|
auth.oidc.rp.client.id | Default value: Client ID provided by Identity Provider. If it is not present, the SSO functionality is disabled. | Yes | Confidentiality | Controls SSO client identity; misconfig can expose access. |
auth.oidc.rp.provider.url | Default value: Provide the Base URL to the associated Identity Provider. Read access is required for the /.well-known/openid-configuration file to acquire the relevant Provider Configurations. | Yes | Confidentiality | Points to IdP discovery; wrong URL weakens auth. |
auth.oidc.rp.provider.name | Default value: The provider name needs to be set to Azure when Azure is the Identity Provider and groups are returned as uids. | Yes | Integrity | Ensures correct claim parsing semantics. |
auth.oidc.rp.groupPath | Default value: "roles" The path in the ID Token or UserInfo object to the array of the user's Access groups, as defined by the Access Controller. Nested levels are separated with a dot (.). | Yes | Integrity | Maps groups from tokens; wrong path misassigns roles. |
auth.oidc.rp.auth.method | Default value: "CLIENT_SECRET_BASIC" Available authentication methods are CLIENT_SECRET_BASIC and PRIVATE_KEY_JWT | Yes | Confidentiality | Selects RP auth strength (secret vs JWT). |
auth.oidc.rp.client.secret | Default value: This is mandatory when CLIENT_SECRET_BASIC is used as an authentication method. This property sets the relevant Client Secret. | Yes | Confidentiality | Protects RP credential for IdP access. |
auth.oidc.rp.auth.jwt.keystorePath | Default value: Path to JKS keystore when PRIVATE_KEY_JWT is used | Yes | Confidentiality | Locates keys for JWT client auth. |
auth.oidc.rp.auth.jwt.alias | Default value: Alias for key in keystore when PRIVATE_KEY_JWT is used | Yes | Confidentiality | Selects key used for JWT client auth. |
auth.oidc.rp.auth.jwt.keystorePassword | Default value: Keystore password when PRIVATE_KEY_JWT is used, needs to be Encrypted by MediationZone. | Yes | Confidentiality | Secures keystore holding client keys. |
auth.oidc.rp.auth.jwt.keyPassword | Default value: "" Key password when PRIVATE_KEY_JWT is used, needs to be Encrypted by MediationZone. | Yes | Confidentiality | Secures private key for JWT client auth. |
auth.oidc.rp.scopes | Default value: "" Optional additional scopes. Default scopes are openid, profile, and email. | Yes | Confidentiality | Governs token data exposure. |
auth.oidc.rp.claims.username | Default value: "" The claim to use as the user name. If it is not specified, sub will be used. The value of the chosen claim must be unique. | Yes | Integrity | Ensures unique, correct user identity mapping. |
auth.oidc.rp.auth.jwt.keyId | Default value: "" Optional Key ID for JWT header when PRIVATE_KEY_JWT is used | Depends | Integrity | Optional header hint; correctness aids key selection. |
auth.oidc.rp.group.syncDisabled | Default value false. When the value is set to true, the group synchronization from the Identity Provider is disabled, and the groups are set manually on each SSO User. | Yes | Integrity | Disables IdP group sync; risks stale/incorrect roles. |
auth.oidc.rp.group.default | Default value "" When Group Sync is disabled, the value of this property will be assigned to the user's default group when the user logs in for the first time. | Yes | Integrity | Sets fallback group when sync off; affects entitlements. |
auth.oidc.rp.multigroupsync.defaultGroup | Default value "" This property assigns a default group to the user who is a member of multiple groups when the user logs in for the first time. It takes effect only when the group synchronization is enabled. The default group can be changed after logging in and must be one of the member groups. Changes made to the default group after logging in will persist in the next login. | Yes | Integrity | Picks default among synced groups; affects role-driven behavior. |
auth.oidc.rp.auth.debug | Default value false. Set this to true during the implementation of SSO Access to get more information. | Depends | Confidentiality | Verbose logs may reveal auth details. |
auth.oidc.request.max.buffer.size | The | | | |
auth.oidc.response.max.buffer.size | See the description above | | | |
cts.source.systems | This parameter (of type list) is valid only for integrations with SAP CTS+. It enables you to restrict the source systems from which exports (regular configuration and Workflow Package) can originate. If the parameter is left empty, exports from any system will be allowed. Example: cts.source.systems="dev1,test,staging" | Yes | Integrity | Restricts allowed CTS+ source systems for imports. |
mail.smtp.ssl.protocols | Default value: "TLSv1.2" Specifies the SSL protocols that will be enabled for SSL connections. The property value is a whitespace separated list of tokens, with possible values "TLSv1, TLSv1.1, TLSv1.2, TLSv1.3". | Yes | Confidentiality | Enforces secure TLS versions for email. |
mz.codeserver.saveStateInterval | Default value: Whenever an update to the Codeserver state is made, such as when saving a workflow with a change in its APL code, the Codeserver state has to be saved. This property sets the minimum interval (in seconds) between saves of the Codeserver state to disk. | Yes | Integrity | Controls frequency of persisting code state/changes. |
mz.crypto.hash.algorithm | Default value: SHA-256 This property sets the hash algorithm used for data, for example files. | Yes | Integrity | Hash choice affects tamper detection. |
mz.crypto.key.crypt | Default value: AES This property sets the cipher used to encrypt and decrypt sensitive data in communications, for example passwords. The value can be set to AES/GCM/NoPadding for a higher level of security. Note! If you have set the value to AES/GCM/NoPadding and a decryption does not succeed on the first attempt, the property value reverts to AES. | Yes | Confidentiality | Cipher choice protects secrets/data at rest. |
mz.crypto.key.stream | Default value: PBKDF2WithHmacSHA256 This property sets the algorithm used to encrypt configurations with a user-supplied password. The value can be set to PBEWithMD5AndDES. Note! If decryption fails with the selected algorithm, the other algorithm is tried. | Yes | Confidentiality | Algorithm for config encryption (password-based). |
mz.cryptoservice.keystore.path | Default value: This property specifies the full path to the crypto service keystore file. This keystore file is used for encrypting/decrypting passwords with specific keys stored in the keystore, and needs to be of JCEKS type. See the JDK product documentation for further information about using keytool in different scenarios. See also the sections describing the | Yes | Confidentiality | Points to keystore for secret encryption keys. |
mz.cryptoservice.keystore.password | Default value: This property specifies the password for the crypto service keystore file specified by the mz.cryptoservice.keystore.path property. This keystore is used for encrypting/decrypting passwords with specific keys stored in the keystore. See the sections describing the mzsh encryptpassword in the https://infozone.atlassian.net/wiki/spaces/MD95/pages/574726639 for further information. | Yes | Confidentiality | Protects access to encryption keystore. |
mz.database.profile.validation.skip | Default value: Set this property to | Yes | Integrity | Skips DB validation; risks invalid schemas/config. |
mz.desktop.accelerators | Default value: Set this property with the default value to define your own key bindings. You need to unpack a properties file from | Depends | Availability | Custom key bindings can affect operator efficiency only. |
mz.dynamicconnections | Default value: This property specifies if the pico instances for Desktop, mzsh, and Service Contexts must be registered on pico hosts for access: | Yes | Confidentiality | Controls whether clients must be registered to connect. |
mz.httpd.security.disabled.cipher | Default value: "" This property allows you to use a regex to manually disable Java security cipher suites when any pico connects to the Platform with SSL enabled. It is used when the Platform runs a different Java version than the rest of the picos. As the available cipher suites may differ between versions, the property disables the mismatched ciphers so that the picos can communicate with the Platform. | Yes | Confidentiality | Disables weak ciphers to secure TLS. |
mz.httpd.security.redirect | Default value: If TLS is enabled and this property is set to | Yes | Confidentiality | Forces HTTPS when TLS is enabled. |
mz.javac.source | Default value: | Depends | Availability | Build/perf tuning; may affect service stability indirectly. |
mz.license.file | Default value: This property specifies the directory that contains the installation license file, i.e. | Yes | Availability | License path required for startup/continuity. |
mz.mailserver | Default value: This property specifies the name or IP address of the mail server to be used for event generated e-mails. Note! This property is deprecated and will be removed in future releases. Use the property | Yes | Availability | Mail host for alerts; impacts notifications. |
mz.mailserver.auth | Default value: Enables SMTP authentication. Note! This property is deprecated and will be removed in future releases. Use the property | Yes | Confidentiality | Toggles SMTP auth usage. |
mz.mailserver.auth.user | Default value: Set the SMTP user to be used for login when having enabled SMTP authentication with the | Yes | Confidentiality | SMTP credential identity. |
mz.mailserver.auth.enabled | Default value: Set this property to true if you want to enable SMTP authentication. If set to | Yes | Confidentiality | Enables SMTP auth requirement. |
mz.mailserver.host | Default value: This property specifies the name or IP address of the mail server to be used for event generated e-mails. | Yes | Availability | Mail host for event notifications. |
mz.mailserver.auth.password | Default value: Set the encrypted password to be used for the SMTP user stated in the To encrypt the password, use the | Yes | Confidentiality | SMTP secret; should be encrypted. |
mz.mailserver.port | Default value: Use this property to configure which port you want to use for sending event generated e-mails. When the | Yes | Availability | Port for email delivery; wrong value blocks alerts. |
mz.notifier.mailfrom | Default value: This property specifies the sending e-mail address to be used for event generated e-mails. You must enter an e-mail address for an event notification to be sent by e-mail. | Depends | Availability | Required sender for notifications to work. |
mz.picostorage.usecache | Default value: This property enables the cache during a system import. | Depends | Availability | Import-time caching; stability/perf trade-off. |
mz.platform.extref.ttl | Default value: 5 Use this property to configure a cache for the external references by entering the number of seconds you want the cache to live. If you need to disable the cache, for example in a development environment, set the value to 0. | Yes | Availability | Cache TTL for external refs; affects responsiveness. |
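Several of the properties in the table (the OIDC relying-party settings, mail.smtp.ssl.protocols, the mz.crypto.* algorithms and cts.source.systems) have values that directly weaken or strengthen confidentiality and integrity. As an added example that is not part of the original documentation or of the product, the following Python script reads a properties-style STR fragment, reports the weaker choices the table names, and confirms that the configured auth.oidc.rp.groupPath resolves to a group array in a token. The sample properties text, the token claims, the key=value parsing and the finding messages are constructed assumptions; only the property names and the values compared against come from the table.

```python
"""Lint a properties-style STR fragment for the weaker Platform settings named in the table."""
from __future__ import annotations

import re
from typing import Any

# Constructed sample STR fragment (not from the documentation); it deliberately
# mixes sound and weak choices so the linter has something to report.
SAMPLE_STR = """\
# OIDC relying-party settings
auth.oidc.rp.client.id = mz-platform
auth.oidc.rp.provider.url = https://idp.example.test
auth.oidc.rp.auth.method = CLIENT_SECRET_BASIC
auth.oidc.rp.groupPath = realm_access.roles
auth.oidc.rp.auth.debug = true
auth.oidc.rp.group.syncDisabled = false
! mail, crypto and CTS+ settings
mail.smtp.ssl.protocols = TLSv1 TLSv1.2
mz.crypto.key.crypt = AES
mz.crypto.key.stream = PBEWithMD5AndDES
cts.source.systems =
"""

# Constructed ID token claims, used to check that groupPath points at an array of groups.
SAMPLE_CLAIMS: dict[str, Any] = {
    "sub": "u-123",
    "email": "ops@example.test",
    "realm_access": {"roles": ["Administrator", "Operator"]},
}


def parse_properties(text: str) -> dict[str, str]:
    """Parse Java-style 'key = value' lines; lines starting with '#' or '!' are comments."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def resolve_group_path(claims: dict[str, Any], path: str) -> Any:
    """Walk a dot-separated groupPath through the token claims; None if any step is missing."""
    node: Any = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def lint(props: dict[str, str], claims: dict[str, Any] | None = None) -> list[tuple[str, str]]:
    """Return (property, message) findings for settings that weaken the listed controls."""
    findings: list[tuple[str, str]] = []

    def truthy(key: str) -> bool:
        return props.get(key, "false").strip().lower() == "true"

    # RP authentication: the secret is mandatory with CLIENT_SECRET_BASIC,
    # keystore path and alias are needed with PRIVATE_KEY_JWT.
    method = props.get("auth.oidc.rp.auth.method", "CLIENT_SECRET_BASIC")
    if method == "CLIENT_SECRET_BASIC" and not props.get("auth.oidc.rp.client.secret"):
        findings.append(("auth.oidc.rp.client.secret", "mandatory with CLIENT_SECRET_BASIC but not set"))
    elif method == "PRIVATE_KEY_JWT":
        for key in ("auth.oidc.rp.auth.jwt.keystorePath", "auth.oidc.rp.auth.jwt.alias"):
            if not props.get(key):
                findings.append((key, "required with PRIVATE_KEY_JWT but not set"))
    elif method not in ("CLIENT_SECRET_BASIC", "PRIVATE_KEY_JWT"):
        findings.append(("auth.oidc.rp.auth.method", f"unknown authentication method {method!r}"))

    # groupPath must lead to an array of groups, otherwise roles are misassigned.
    path = props.get("auth.oidc.rp.groupPath", "roles")
    if claims is not None and not isinstance(resolve_group_path(claims, path), list):
        findings.append(("auth.oidc.rp.groupPath", f"{path!r} does not resolve to a group array"))

    if truthy("auth.oidc.rp.auth.debug"):
        findings.append(("auth.oidc.rp.auth.debug", "verbose auth logging is meant for implementation only"))
    if truthy("auth.oidc.rp.group.syncDisabled"):
        findings.append(("auth.oidc.rp.group.syncDisabled", "IdP group sync is off; roles must be maintained manually"))

    # Legacy TLS versions in the whitespace-separated protocol list.
    protocols = props.get("mail.smtp.ssl.protocols", "TLSv1.2").split()
    weak = [p for p in protocols if p in ("TLSv1", "TLSv1.1")]
    if weak:
        findings.append(("mail.smtp.ssl.protocols", "legacy protocols enabled: " + " ".join(weak)))

    # Crypto algorithm choices: GCM is the stronger mode, PBKDF2 the stronger KDF.
    if props.get("mz.crypto.key.stream", "PBKDF2WithHmacSHA256") == "PBEWithMD5AndDES":
        findings.append(("mz.crypto.key.stream", "PBEWithMD5AndDES selected; default is PBKDF2WithHmacSHA256"))
    if props.get("mz.crypto.key.crypt", "AES") != "AES/GCM/NoPadding":
        findings.append(("mz.crypto.key.crypt", "AES/GCM/NoPadding is available for a higher level of security"))

    # An explicitly empty CTS+ source list allows exports from any system.
    if "cts.source.systems" in props and not props["cts.source.systems"]:
        findings.append(("cts.source.systems", "empty list allows exports from any source system"))
    return findings


if __name__ == "__main__":
    for prop, message in lint(parse_properties(SAMPLE_STR), SAMPLE_CLAIMS):
        print(f"{prop}: {message}")
```

Run against a real STR, the same checks apply to the full property set; the sample token claims stand in for a decoded ID Token or UserInfo response captured during SSO implementation, so that a wrong groupPath is caught before users log in with the wrong groups.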