Credential Provider configuration

This topic describes how to set up the Credential Provider environment.

For optimal performance guidelines, see Recommendations for best performance.

Overview

You can configure the Credential Provider to create a flexible identity management system that answers your specific needs.

The Credential Provider configuration parameters are stored in two configuration files, both of which are accessed with the Credential Provider user.

Configuration file: basic_appprovider.conf

    This is the Credential Provider's local configuration file.

    It specifies the location of the central configuration file in the Vault, and the parameters that are required to log onto the Vault and retrieve the main configuration file.

Configuration file: main configuration file (main_appprovider.conf.<platform>.<version>; its parameters are described in Credential Provider (CP) configuration files)

    This is the main configuration file. It contains all the parameters that determine how the Credential Provider works.

    During installation, this file is copied to the Credential Provider Safe in the Vault (by default, called AppProviderConf).

    This file can serve as a central configuration file for multiple Credential Providers running on the same type of operating system.

    If a Credential Provider requires parameter values different from those defined in the central configuration file, you can specify its own main configuration file.

For details, see Shared configuration and Credential Provider-specific configuration below.

Shared configuration

Several Credential Providers running on the same type of operating system can access the same main configuration file to determine how they work. In this setup, we refer to the main configuration file as the central configuration file.

To configure a shared configuration for multiple Credential Providers, you need to make sure that each Credential Provider's local configuration file (basic_appprovider.conf) specifies the same Vault, the same configuration Safe, and the same main configuration file.

To set up a shared configuration:

  1. Install the first Credential Provider. See the relevant instructions for your implementation platform in Install the Credential Provider.

    Note the values that you use for the Configuration Safe name and the main configuration file name. You will use these values again in the next step.

  2. For each of the other Credential Providers, install the Credential Provider using the instructions relevant to its implementation platform. During installation, specify the same Configuration Safe name and main configuration file name as you specified when you installed the first Credential Provider in the previous step.

    The installation does not overwrite the main configuration file that was created when you installed the first Credential Provider.

  3. In the Vault, make sure that the Credential Provider user has the following authorizations on the Safe that contains the central configuration file:

    • List Files
    • Retrieve Files
    • Create Files
    • Update Files
    • Update File Properties
    • Rename Files
    • View Audit
    • View Owners
    • Use Password
    • Initiate Password Management Operations
    • Initiate CPM Change with Manual Password
    • Create/Rename Folder
    • Move Files/Folders

Credential Provider-specific configuration

In a multi-Credential Provider environment, you can create a customized main configuration file for a specific Credential Provider. This Credential Provider uses its customized main configuration file rather than the central configuration file used by all the other Credential Providers (see Shared configuration above).

Any parameter defined in a Credential Provider-specific configuration file must also be declared in the central (main) configuration file; parameters that are not declared there are discarded, so a misspelled parameter name in the specific file leaves the central value in effect. Declare each parameter in the central configuration file with its default value, and then set the relevant value in the Credential Provider-specific configuration file of each provider that needs a different one.

The Credential Provider-specific configuration file's name reflects the name of the Credential Provider that it applies to, and is stored in the same Safe and folder as the central configuration file.

To create a customized main configuration file:

  1. Make a copy of the central configuration file in the same Safe (by default AppProviderConf), and rename the copied file using the following naming convention:

    main_appprovider.conf.<platform>.<version>.<Provider's Vault username>

    Alternatively, you can use a copy of the sample main configuration file that is copied to the Env folder during installation.

    The copied file must use the same naming convention described above, and must be stored in the same Safe and folder as the central configuration file.

  2. Open the copied file and customize the parameter values for the specific Credential Provider. For details, see Credential Provider (CP) configuration files. Make sure to specify the section title for the parameters.

  3. Delete all the non-customized parameters.

    If a parameter is not defined in this file, the Credential Provider uses the value defined in the central configuration file.

  4. Save your changes.

  5. In the Vault, make sure the Credential Provider user has the following authorizations on the Safe that contains the configuration file:

    • List Files
    • Retrieve Files
    • Create Files
    • Update Files
    • Update File Properties
    • Rename Files
    • View Audit
    • View Owners
    • Use Password
    • Initiate Password Management Operations
    • Initiate CPM Change with Manual Password
    • Create/Rename Folder
    • Move Files/Folders
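Before uploading a Credential Provider-specific file, it is worth checking it against the central file, because an undeclared parameter is discarded rather than rejected. The following Python script is an added example (not part of this page or of the CyberArk product): it verifies that the file name follows the convention above, reports parameters that the central file does not declare, reports parameters whose value is unchanged (step 3 says to delete them), and computes the configuration that results from merging the two files. The section titles ([Main], [Logging]), the platform and version tokens, the values and the Vault user name in the sample files are constructed placeholders, not real values from the product; treating a parameter as declared only under the same section title is an assumption.

```python
"""Check a Credential Provider-specific configuration file against the central one.

Added example; the section titles, parameter values, platform/version tokens and
Vault user name below are constructed placeholders, not values from the product.
"""
import configparser
from typing import Dict, List

Sections = Dict[str, Dict[str, str]]


def parse_sections(text: str) -> Sections:
    """Parse an INI-style conf into {section: {parameter: value}}, keeping case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # parameter names are case-sensitive identifiers
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def expected_override_name(central_name: str, vault_username: str) -> str:
    """Naming convention from the page: central file name + '.' + Provider's Vault username."""
    return f"{central_name}.{vault_username}"


def validate_override(central_text: str, override_text: str,
                      central_name: str, override_name: str,
                      vault_username: str) -> List[str]:
    """Return a list of problems; an empty list means the override file is clean."""
    problems: List[str] = []
    expected = expected_override_name(central_name, vault_username)
    if override_name != expected:
        problems.append(f"name: expected '{expected}', got '{override_name}'")
    central = parse_sections(central_text)
    override = parse_sections(override_text)
    for section, params in override.items():
        for name, value in params.items():
            # Assumption: a parameter counts as declared only under the same section title.
            if section not in central or name not in central[section]:
                problems.append(f"[{section}] {name}: not declared in the central file, "
                                "so the Credential Provider discards it (check for a typo)")
            elif central[section][name] == value:
                problems.append(f"[{section}] {name}: same value as the central file; "
                                "delete non-customized parameters (step 3)")
    return problems


def effective_config(central_text: str, override_text: str) -> Sections:
    """Central values, overridden by override values that the central file declares."""
    central = parse_sections(central_text)
    override = parse_sections(override_text)
    result: Sections = {s: dict(p) for s, p in central.items()}
    for section, params in override.items():
        for name, value in params.items():
            if section in result and name in result[section]:
                result[section][name] = value  # undeclared parameters are dropped
    return result


# Constructed sample files (placeholders, not product defaults).
CENTRAL_NAME = "main_appprovider.conf.linux.14.2"
VAULT_USER = "Prov_app01"
OVERRIDE_NAME = expected_override_name(CENTRAL_NAME, VAULT_USER)

CENTRAL_CONF = """\
[Main]
MaxConcurrentRequests = 20
CacheLevel = 1
[Logging]
AppProviderDebugLevels = 0
"""

OVERRIDE_CONF = """\
[Main]
MaxConcurrentRequests = 40
CacheLevel = 1
[Logging]
AppProviderDebugLevels = 3
NotInCentral = 1
"""

if __name__ == "__main__":
    for p in validate_override(CENTRAL_CONF, OVERRIDE_CONF,
                               CENTRAL_NAME, OVERRIDE_NAME, VAULT_USER):
        print("PROBLEM:", p)
    print("effective:", effective_config(CENTRAL_CONF, OVERRIDE_CONF))
```

Run against the samples, the script flags CacheLevel in the override as redundant and NotInCentral as a parameter that will be discarded; the effective configuration shows MaxConcurrentRequests and AppProviderDebugLevels taken from the override and everything else from the central file.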

Configuration file updates

Each time the Credential Provider service is restarted, the central configuration file and the Credential Provider-specific configuration file are copied to a local cache on the Credential Provider machine. This enables the Credential Provider to work even when the Vault can't be accessed.

If you change parameters while the Credential Provider is running, the changes take effect as follows:

Applied only after the Credential Provider is restarted:

  • MaxConcurrentRequests
  • DisableExceptionHandling
  • CacheLevel
  • KeyStorage
  • CacheFile
  • ProviderCacheFolder
  • Port
  • AutomaticParmsRefreshInterval

Applied after the parameters have been refreshed, either automatically according to the AutomaticParmsRefreshInterval parameter or manually with the AppPrvMgr utility:

  • LogRetentionOnSizeMB
  • LogRetentionOnTimeIntervalMinutes
  • ShutdownTimeoutSec
  • TcpTimeout
  • CacheDebugLevels
  • AppProviderDebugLevels
  • ProtocolDebugLevels
  • VaultAccessInterval
  • OfflineUpdateRetries

Applied according to the kind of change:

  • CacheRefreshInterval
  • OldLogsRetention
  • OfflineUpdateInterval
  • UnixUserFormatRegexp

    If one of these parameters is changed from one positive number to another, it is applied after the parameters have been refreshed, either automatically according to the AutomaticParmsRefreshInterval parameter or manually with the AppPrvMgr utility.

    If it is changed from zero (not active) to a positive number (active) or vice versa, it is applied only after the Credential Provider is restarted.
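Working out by hand which of an edited file's changes need a service restart is error-prone, so here is an added example (not code from this page or from the product) that diffs two versions of a main configuration file and classifies each changed parameter using the three groups above, returning a conservative "unknown" for parameters this page does not list. The section title and the values in the sample files are constructed placeholders; treating a non-empty, non-numeric value (such as a regexp) as "active" and a missing parameter as "0" are assumptions.

```python
"""Classify Credential Provider configuration changes by how they take effect.

Added example; the parameter groups are the ones listed on this page. The
section title and parameter values in the samples are constructed placeholders.
"""
import configparser
from typing import Dict

# Applied only after the Credential Provider service is restarted.
RESTART_ONLY = frozenset({
    "MaxConcurrentRequests", "DisableExceptionHandling", "CacheLevel",
    "KeyStorage", "CacheFile", "ProviderCacheFolder", "Port",
    "AutomaticParmsRefreshInterval",
})
# Applied after a parameter refresh (AutomaticParmsRefreshInterval or AppPrvMgr).
REFRESH_ONLY = frozenset({
    "LogRetentionOnSizeMB", "LogRetentionOnTimeIntervalMinutes",
    "ShutdownTimeoutSec", "TcpTimeout", "CacheDebugLevels",
    "AppProviderDebugLevels", "ProtocolDebugLevels", "VaultAccessInterval",
    "OfflineUpdateRetries",
})
# Refresh when changed between two active values; restart when toggled between
# zero (not active) and a positive number (active).
CONDITIONAL = frozenset({
    "CacheRefreshInterval", "OldLogsRetention", "OfflineUpdateInterval",
    "UnixUserFormatRegexp",
})


def parse_flat(text: str) -> Dict[str, str]:
    """Flatten a sectioned conf into {parameter: value}, keeping case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {name: value for section in cp.sections() for name, value in cp.items(section)}


def is_active(value: str) -> bool:
    """Zero is 'not active'; a positive number is active. For non-numeric values
    such as UnixUserFormatRegexp a non-empty value counts as active (assumption)."""
    try:
        return int(value) > 0
    except ValueError:
        return value.strip() != ""


def classify_change(name: str, old: str, new: str) -> str:
    """'restart', 'refresh', or 'unknown' for parameters this page does not cover."""
    if name in RESTART_ONLY:
        return "restart"
    if name in REFRESH_ONLY:
        return "refresh"
    if name in CONDITIONAL:
        return "refresh" if is_active(old) and is_active(new) else "restart"
    return "unknown"


def classify_changes(old_text: str, new_text: str) -> Dict[str, str]:
    """Compare two versions of a conf and classify every changed parameter.
    A parameter missing on one side is treated as '0' (not active), an assumption."""
    old, new = parse_flat(old_text), parse_flat(new_text)
    return {
        name: classify_change(name, old.get(name, "0"), new.get(name, "0"))
        for name in sorted(set(old) | set(new))
        if old.get(name) != new.get(name)
    }


def restart_required(changes: Dict[str, str]) -> bool:
    """Conservative: anything not known to take effect on refresh needs a restart."""
    return any(action != "refresh" for action in changes.values())


# Constructed sample files: the version in the Vault before and after an edit.
OLD_CONF = """\
[Main]
Port = 18923
MaxConcurrentRequests = 20
TcpTimeout = 30
CacheRefreshInterval = 0
OfflineUpdateInterval = 60
AppProviderDebugLevels = 0
"""

NEW_CONF = """\
[Main]
Port = 18923
MaxConcurrentRequests = 40
TcpTimeout = 60
CacheRefreshInterval = 120
OfflineUpdateInterval = 120
AppProviderDebugLevels = 3
"""

if __name__ == "__main__":
    changes = classify_changes(OLD_CONF, NEW_CONF)
    for name, action in changes.items():
        print(f"{name}: {action}")
    print("restart required:", restart_required(changes))
```

In the sample, TcpTimeout, AppProviderDebugLevels and OfflineUpdateInterval (60 to 120, both active) take effect on the next refresh, while MaxConcurrentRequests and CacheRefreshInterval (0 to 120, inactive to active) need a restart, so the edit as a whole requires one.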

See also Offline configuration.