| Session Management Settings | Base Type | Default | Notes |
|---|---|---|---|
| Idle Session Timeout (min) | INTEGER | 30 | If this setting is changed in Composer, Tomcat must be restarted for the change to take effect. In ThingWorx 8.5.6 and later, this value can be set up to 1440 minutes (24 hours). |
| Allow users to call services on their own User entity regardless of permissions | BOOLEAN | true | If this option is not checked, users must be given explicit permissions to call services on their own User entity. |
| Restrict the number of concurrent logged in user sessions | BOOLEAN | false | If this option is selected, all users (including Administrators) can have only one session at a time. The most recent login overrides the existing session. |
If you change the default password hash settings, security could be negatively impacted. The default values are industry-standard recommendations. If you change the values and weaken security, an attacker could recover stored passwords.
| Password Hash Settings | Base Type | Default | Notes |
|---|---|---|---|
| Hashing algorithm | STRING | PBKDF2WithHmacSHA512 | One of the supported password-based cryptographic hashing algorithms defined in RFC 2898 (https://tools.ietf.org/html/rfc2898). |
| Salt size in bytes | INTEGER | 64 | Number of pseudo-random bytes appended to the user password before hashing, to increase complexity. |
| Hash size in bytes | INTEGER | 64 | Byte size of the resulting password hash. The natural size depends on the selected hashing algorithm (for example, SHA-256 produces a 256-bit, 32-byte hash). |
| Hashing iterations | INTEGER | 100000 | After the salted password is hashed, this setting specifies the number of times the salted password hash is rehashed by passing it back into the hashing algorithm to generate a new hash. |
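The following added example (not ThingWorx's own code; its storage format is not described on this page) applies the table's default parameters with PBKDF2-HMAC-SHA512 from the Python standard library, verifies a password against a stored record in constant time, and flags records whose parameters fall below those defaults, which is the weakening the note above warns about. The record layout and the `weaker_than_default` audit helper are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Defaults taken from the Password Hash Settings table above.
HASH_ALGORITHM = "sha512"      # PBKDF2WithHmacSHA512 -> PBKDF2 with HMAC-SHA512
SALT_SIZE_BYTES = 64
HASH_SIZE_BYTES = 64
ITERATIONS = 100_000


def hash_password(password, iterations=ITERATIONS, salt_size=SALT_SIZE_BYTES,
                  hash_size=HASH_SIZE_BYTES, salt=None):
    """Return an (assumed) record holding salt, derived hash and the parameters used.

    `salt` may be supplied for deterministic tests; otherwise a fresh random
    salt of `salt_size` bytes is drawn from os.urandom.
    """
    if salt is None:
        salt = os.urandom(salt_size)
    derived = hashlib.pbkdf2_hmac(HASH_ALGORITHM, password.encode("utf-8"),
                                  salt, iterations, dklen=hash_size)
    return {"salt": salt, "hash": derived, "iterations": iterations}


def verify_password(password, record):
    """Recompute PBKDF2 with the stored salt and iteration count, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(HASH_ALGORITHM, password.encode("utf-8"),
                                    record["salt"], record["iterations"],
                                    dklen=len(record["hash"]))
    return hmac.compare_digest(candidate, record["hash"])


def weaker_than_default(record):
    """Flag a stored record whose parameters are below the table's defaults.

    Useful when auditing a store after the settings were lowered: records with
    fewer iterations or a shorter salt/hash cost an attacker less to recover.
    """
    return (record["iterations"] < ITERATIONS
            or len(record["salt"]) < SALT_SIZE_BYTES
            or len(record["hash"]) < HASH_SIZE_BYTES)
```

Because the iteration count is stored with each record, an audit can find hashes created under weakened settings and schedule them for re-hashing at the user's next successful login.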
| Application Key Settings | Base Type | Default | Notes |
|---|---|---|---|
| Application Key Lifetime (sec) | INTEGER | 86400 (24 hours) | This setting applies to any application keys that do not have an Expiration Date defined. |
| Authentication Settings | Base Type | Default | Notes |
|---|---|---|---|
| Sets HTTP Form Authentication as the default fallback mechanism | BOOLEAN | false | When this option is selected in ThingWorx 8.0.7, 8.1.3, and 8.2.1 or higher, users who logged in using an organization's form login page will be prompted for credentials on that same page. This feature uses a cookie, which the form login page stores in the user's browser. |
| Account Lockout Settings | Base Type | Default | Notes |
|---|---|---|---|
| Maximum Login Attempts | NUMBER | 5 | The number of login attempts a user is allowed within the time specified in Minutes to Attempt Login before lockout. |
| Minutes to Attempt Login | NUMBER | 5 | The window of time within which the Maximum Login Attempts must occur to trigger a lockout. |
| Minutes Locked Out | NUMBER | 15 | The amount of time a user is locked out for. For example, if a user makes five unsuccessful login attempts within five minutes, their account is locked out for 15 minutes. After 15 minutes, the user has another five attempts. |
| Password Settings | Base Type | Default | Notes |
|---|---|---|---|
| Minimum Password Length | NUMBER | 14 | The minimum number of characters allowed for passwords. Must be a value between 10 and 128. |
| Password Blacklist Partial Match | BOOLEAN | false | If set to true, a new password is rejected if any part of it matches an entry in the custom or system blacklists. |
| Password Blacklist Case Sensitive | BOOLEAN | false | If set to true, a new password is flagged as invalid only if the string matches the exact case of the custom or system blacklist entry. |