There is a single service account that can access the REST API (Application Programming Interface) in the system. The username, password, and the permissible source host are defined in this section.

These configurations are available in the eidm2.properties file.

rest.passwordauthentication.enabled

This property defines whether REST API can be accessed by using API user account credentials rest.username and rest.password either via HTTP Basic Authentication or in request URL parameters. There are two possible values, see also REST API authentication:

• true: REST API can be accessed by using API user account credentials, OAuth2 is an additional option
• false: REST API cannot be accessed by using API user account credentials but OAuth2 is the only option

Initially, this less insecure authentication method shall be enabled by default but it is recommended to switch to the more secure OAuth2 based authentication and disable authentication with API user account credentials.

Default is true

Example:

rest.passwordauthentication.enabled = false

rest.oauth2.client.uuid

NOTE: this property is included in the eidm2_generated.properties file and there is no reason to modify or reset it in eidm2.properties. See Setup template on Linux / Setup template on Windows.

rest.oauth2.client.secret

NOTE: this property is included in the eidm2_generated.properties file and there is no reason to modify or reset it in eidm2.properties. See Setup template on Linux / Setup template on Windows.

rest.oauth2.introspection.url

NOTE: this property is included in the eidm2_generated.properties file and there is no reason to modify or reset it in eidm2.properties. See Setup template on Linux / Setup template on Windows.

rest.oauth2.client.pool.size

If you need to change the size of the connection pool available for REST API OAuth2 authentication token introspection requests you can add the setting to specify an integer value.

Default is 50.

Example:

rest.oauth2.client.pool.size = 100

rest.username

This property is obsolete in case of OAuth2 based authentication, see REST API authentication.

This property defines the username that will be used for authentication when performing REST API calls. Usually this property is included in the eidm2_generated.properties file and there is no reason to modify it or reset it.

Default is restuser

Example:

rest.username = restuser

rest.password

This property is obsolete in case of OAuth2 based authentication, see REST API authentication.

This property defines the password that will be used for authentication when performing REST API calls. It is recommended that the password is at least 32 characters long. Usually this property is included in the eidm2_generated.properties file and there is no reason to modify it or reset it unless you want to increase security and change the password to a longer one. If you change the password then you should make sure that you also change it in the win32.config file (or linux.config file if Ubisecure CustomerID is installed on a Linux machine). You may also have to run setup again after changing the password as some scripts that use REST services might not work after the password change and before running setup to complete it.

Default is secret. Do not use this default value. Always set your own or use the generated value.

Example:

rest.password = secret

rest.roles.recursion

This property defines if user roles are listed recursively or if just the direct memberships are included. There are two possible values:

• true: User roles are listed recursively.
• false: Just the direct memberships are included.

Default is true.

Example:

rest.roles.recursion = true

rest.inviter.email

This optional property defines the email address for REST "inviter". When emails are sent because a REST call has been made this is the email address that is included in the mail text as the sender of the email. If not configured email notification(s) will not be sent for REST "inviter".

Possible values are: Any valid email address.

Default is <not set>

Example:

rest.inviter.email = firstname.lastname@organization.com