Difference between revisions of "ars.ini"

The ars.ini configuration file defines one or more IBM Content Manager OnDemand ("IBM CMOD") instances on a server. While most systems only contain a single IBM CMOD server, it is possible to combine multiple OnDemand instances onto a single server -- usually for combining development and test instances.

Default ars.ini configuration parameters

 [@SRV@_ARCHIVE]
 HOST=cmod.example.com
 PROTOCOL=2
 PORT=0
 SRVR_INSTANCE=archive
 SRVR_INSTANCE_OWNER=archive
 SRVR_OD_CFG=/opt/ibm/ondemand/V10.5/config/ars.cfg
 SRVR_DB_CFG=/opt/ibm/ondemand/V10.5/config/ars.dbfs
 SRVR_SM_CFG=/opt/ibm/ondemand/V10.5/config/ars.cache 

[@SRV@_ARCHIVE]

This is the header that defines a server. Any of the parameters below refer to this server - ARCHIVE.

HOST=cmod.example.com

The fully qualified domain name of the server.

PROTOCOL=2

The protocol to use between the server and client. Leave the default value for the version of CMOD you've installed. Communications between Content Manager OnDemand Clients and Servers works over TCP/IP.

PORT=0

The TCP/IP port number to use for CMOD. 0 uses the default, 1445.

Each server must have it's own port number, servers cannot share a port.

This port number must be entered in the client software when defining a server.

SRVR_INSTANCE=archive

Name of the instance.

SRVR_INSTANCE_OWNER=archive

The operating system User ID that owns / controls this instance. This parameter may be case sensitive depending on your Operating System.

SRVR_OD_CFG=/opt/ibm/ondemand/V10.5/config/ars.cfg

Defines the location of your configuration file for the server.

SRVR_DB_CFG=/opt/ibm/ondemand/V10.5/config/ars.dbfs

Defines the location of your configuration file for the database manager.

SRVR_SM_CFG=/opt/ibm/ondemand/V10.5/config/ars.cache

Defines the locatio nof your configuration file for defining cache filesystems.

arsstash related ars.ini configuration parameters

 SRVR_OD_STASH=/opt/IBM/ondemand/V10.5/config/ars.stash

SRVR_OD_STASH=/opt/IBM/ondemand/V10.5/config/ars.stash

This parameter defines the location of the default stash file to use for database connections, arsload, and LDAP authentication.

SSL / TLS related ars.ini configuration parameters

 SSL_PORT=1446
 SSL_KEYRING_FILE=/opt/IBM/ondemand/V10.5/config/ondemand.kdb
 SSL_KEYRING_STASH=/opt/IBM/ondemand/V10.5/config/ondemand.sth 
 SSL_KEYRING_LABEL=IBM CMOD SSL Certificate
 SSL_CLNT_USE_SSL=1

SSL_PORT=1446

Defines the port number for encrypted connections to CMOD.

There is no default port number, common choices are 1443 and 1446, but may be any number between 1024 and 65535 not already in use on your server by other services like TSM (1500, 1501) or DB2 (50000-50006, 60000-60006).

SSL_KEYRING_FILE=/opt/IBM/ondemand/V10.5/config/ondemand.kdb

Defines the location of the key database that contains all the requisite certificates and keys.

SSL_KEYRING_STASH=/opt/IBM/ondemand/V10.5/config/ondemand.sth

Defines the location of the stash file that contains passwords to the keys and certificates in the key database.

This file should have very restrictive permissions.

SSL_KEYRING_LABEL=IBM CMOD SSL Certificate

Defines the label of the SSL Certificate to be used to identify the IBM CMOD server.

SSL_CLNT_USE_SSL=1

Determines if utility clients like arsload should use SSL to connect to IBM CMOD.

This is not necessary if you're not performing remote loads (via arsload), or queries or retrievals (via arsdoc).

Unlisted CMOD Configuration Parameters

ARSSOCK_TLSV12_ONLY

When set to '1', this parameter disables all prior levels of TLS - improving security by disabling older, less secure cryptographic methods.

When setting SSL/TLS parameters for CMOD, you can also add environment variables to modify the behavior of IBM Global Security Kit like GSK_PROTOCOL_TLSV1_2=1.

ARSSOCK_STRICT_SHA2_ONLY_CERTS

When set to '1', this flag instructs Content Manager OnDemand to only allow certificates that use the SHA2 hashing method in CMOD server certificates. This increases security, as certificates signed with SHA1 are considered vulnerable to 'collision' attacks, and as a result, are not secure.

ARSSOCK_FIPS

The default is for CMOD to start up with FIPS compliance enabled.

If you are trying to upgrade to TLS v1.3, you need to disable FIPS support with ARSSOCK_FIPS=0.

SRVR_FLAGS_SECURITY_EXIT

This is the flag to enable the Content Manager OnDemand User Security Exit. The IBM CMOD Security Exit, arsusec is used to extend and customize user authentication in CM OnDemand. When set to 1, CMOD will call the user exit when a user connects to CMOD and attempts to authenticate. arsusec is normally used for providing alternate authentication methods to OnDemand, like Single Sign On ("SSO") and in previous versions, Lightweight Directory Access Protocol ("LDAP").

When enabled, the compiled arsusec binary must be located in the 'exits' directory under the 'bin' directory in your IBM CMOD installation directory, for example, /opt/IBM/ondemand/V9.5/bin/exits. If the parameter is enabled, and the arsusec compiled binary is missing from the 'exits' directory, the server may be unable to start, and cause arssockd to report a ARS4013E - Unable to determine the database engine error.

SRVR_OD_STASH

Specifies the location of the Content Manager OnDemand Server's configuration stash file - passwords for DB2, LDAP, Oracle, ZooKeeper, etc.

This parameter should contain the FULL path to the stash file: SRVR_OD_STASH=/opt/ibm/ondemand/V10.5/ars.stash

NOTE: For security, this file should be protected at the filesystem level with very restrictive permissions: chmod 600 ars.stash   to prevent the password data from being leaked.

Related Articles

LDAP Configuration File