3DS Server Configuration Properties

An application.properties file in the $THREEDS_CONFIG_HOME directory is used to set configuration options for the 3DS Server.

The available configuration options and their default values are listed below.

Note: If you don't configure a value for one of the properties in your application.properties, the default value as shown below will be used.

server.port=
### Tomcat AJP connector
tomcat.ajp.enabled=
tomcat.ajp.ajp-port=
### Logging
logging.config=classpath:log4j2-prod.xml
#
# Property indicating if the cardholder data should be masked in the log. Cardholder data include: name, IP address,
# shipping and billing address, home, work and mobile phone.
threedss.logging.mask-cardholder-data=true
### 3DS Server configuration
#
# Property indicating the type of 3DS Server configuration. There are two supported values:
#
#   1. xml - indicating XML configuration
#   2. db  - indicating Database configuration
#
# If ${threedsserver.configuration.type} property is not set, it defaults to xml - indicating XML
# configuration.
#
threedsserver.configuration.type=xml
#
# When the 3DS Server configuration is persisted in database, the 3DS Server also allows session data to be persisted in database.
# This property indicates the type of 3DS Server session storage. There are two supported values:
#
#   1. cache - indicating EhCache session storage
#   2. db    - indicating Database session storage
#
# If ${threedsserver.session.storage.type} property is not set, it defaults to cache - indicating EhCache session
# storage.
#
threedsserver.session.storage.type=cache
#
### Database Session Storage cleanup configuration
#
### 3DS Method Data
#
# The time interval in minutes on which the 3DS Server will clean up the 3DS Method data database table when the
# ${threedsserver.session.storage.type} is set to db - indicating Database session storage.
#
# The 3DS Server will delete all entries whose time to live minutes -
# ${threedsserver.session.storage.db.threeds-method-data.time-to-live.minutes} have expired.
#
# If not configured differently, this property defaults to 1440 minutes indicating daily cleanup of the
# 3DS Method data table.
#
threedsserver.session.storage.db.threeds-method-data.cleanup.minutes=1440
#
# The time to live in minutes of the 3DS Method data table entries. After this period of time, the 3DS Method data
# entries cannot be retrieved, nor updated. On a configured time interval -
# ${threedsserver.session.storage.db.threeds-method-data.cleanup.minutes} all inactive 3DS Method data entries will
# be deleted.
#
threedsserver.session.storage.db.threeds-method-data.time-to-live.minutes=1
#
### Results Data
#
# The time interval in minutes on which the 3DS Server will clean up the Results data database table when the
# ${threedsserver.session.storage.type} is set to db - indicating Database session storage.
#
# The 3DS Server will delete all entries whose time to live minutes -
# ${threedsserver.session.storage.db.results-data.time-to-live.minutes} have expired.
#
# If not configured differently, this property defaults to 1440 minutes indicating daily cleanup of the
# Results data table.
#
threedsserver.session.storage.db.results-data.cleanup.minutes=1440
#
# The time to live in minutes of the Results data table entries. After this period of time, the Results data entries
# cannot be retrieved, nor updated. On a configured time interval -
# ${threedsserver.session.storage.db.results-data.cleanup.minutes} all inactive Results data entries will be deleted.
#
threedsserver.session.storage.db.results-data.time-to-live.minutes=30
#
# The default location for various configuration files of the 3DS Server.
# If not specified it defaults to: \${user.home}/.threeDSServer.
# (\${user.home} is the user's home directory)
#
# threedss.config.home=
 
# The resource location of the ThreeDS Server Configuration (e.g. file:/etc/threeDSServerConfiguration/3dss-configuration.xml)
#
# Use a "file:" prefix for resources located on the file system.
# Use a "http:" prefix for resources loaded from an URL.
# Use a "classpath:" prefix for resources located on the classpath.
#
# If ${threedsserver.configuration.location} is not specified (i.e. empty) it defaults to file:${threedss.config.home}/3dss-configuration.xml
# (${threedss.config.home} is the value of the property "threedss.config.home")
#
# If not specified and the property "threedss.config.home" is not set this
# defaults to file:\${user.home}/.threeDSServer/3dss-configuration.xml
# (\${user.home} is the user's home directory)
#
threedsserver.configuration.location=
#
# Property indicating if the passwords defined for the certificate stores in the XML configuration are encrypted.
#
# If ${threedsserver.configuration.use-encrypted-passwords} property is not set, it defaults to false - indicating
# plaintext passwords are used.
#
threedsserver.configuration.use-encrypted-passwords=false
#
# Timeout configuration for 3DS Server Authentication Response defined in seconds. This value will be used only if
# timeout configuration is not defined at root level for the 3DS Server.
#
threedsserver.timeouts.ares.seconds=300
#
# Timeout configuration for 3DS Server Preparation Response defined in seconds. This value will be used only if
# timeout configuration is not defined at root level for the 3DS Server.
#
threedsserver.timeouts.pres.seconds=300
##
# Timeout configuration for 3DS Server Method defined in seconds. This value will be used only if
# timeout configuration is not defined at root level for the 3DS Server.
#
threedsserver.timeouts.threedsmethod.seconds=10
##
# Timeout configuration for 3DS Server ProtocolError defined in seconds. This value will be used only when the
# 3DS Server sends protocol error messages to the Directory Server.
#
threedsserver.timeouts.protocol-error.seconds=2
#
# Number of threads serving ThreeDSServerResultsResponse messages invocation to the Requestor.
#
threedsserver.results-response.task-executor.core-pool-size=50
#
# The resource location of the ThreeDS Server license (e.g. file:/etc/threeDSServerLicense/3dss.lic)
#
# Use a "file:" prefix for resources located on the file system.
# Use a "http:" prefix for resources loaded from an URL.
# Use a "classpath:" prefix for resources located on the classpath.
#
# If ${license.resource-location} is not specified (i.e. empty) it defaults to file:${threedss.config.home}/3dss.lic
# (${threedss.config.home} is the value of the property "threedss.config.home")
#
# If not specified and the property "threedss.config.home" is not set this
# defaults to file:\${user.home}/.threeDSServer/3dss.lic
# (\${user.home} is the user's home directory)
#
license.resource-location=
#
# The https protocols (i.e. TLS versions) the threeDS Server should use when establishing a connection to the directory servers.
# According to the 3DS Specification, the minimum supported TLS version is TLSv1.2
#
ds-client.https.protocols=TLSv1.2
#
# The proxy to use for connecting to the Directory Server (leave empty if not using a proxy).
#
# When specifying a HTTP proxy, HTTPS connections will be tunneled through via the HTTP CONNECT method.
# You may specify a user/password combination in the URL in case your proxy requires authentication.
#
#
# host    : proxy.org
# port    : 8888 (optional; if not specified, the scheme default port will be used)
# scheme  : http
# user    : foo (optional; only specify a user in case your proxy requires authentication)
# password: bar (optional; only specify a password in case your proxy requires authentication)
#
ds-client.proxy=
#
# The supported cipher suites for outbound 2-way SSL connections to the DS.
#
ds-client.supported.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#
# The connection timeout in milliseconds for establishing a TCP/IP connection to the Directory Server.
# This is the socket timeout (SO_TIMEOUT), which is the timeout after a connection was established, for waiting
# for data or, put differently, a maximum period inactivity between two consecutive data packets. If a message
# from the opposite side is split up into e.g. 3 TCP packets, this will wait 3 times the timeout, once per
# TCP packet. This means that this is not the time to wait for a full response, but the time to wait for the
# first part of the response.
#
ds-client.connection.timeout.milliseconds=3000
#
# Indicator if PReq scheduling should be enabled. This should be enabled for at least one node.
# If 3DS Server is used with only one node, this property should be enabled.
#
# If 3DS Server is used in clustered environment and only one node will perform the updates,
# enable this feature for the node that will perform the updates. Other nodes should disable this feature.
#
# If ${ds-client.preparation.request.invocation.enabled} is not specified, it defaults to true.
# ds-client.preparation.request.invocation.enabled=
#
# The interval (in hours) for which the directory server is being sent a preparation request. Minimum value is 1 (1 hour),
# meaning the directory server is called on every 1 hour. If you have multiple nodes running and want each node to
# initiate PReq requests, consider setting this property to be the same for each node.
# This combined with ${ds-client.preparation.request.initial-delay.hours}
# will enable the nodes to each run in different time slots not interfering with each other.
#
# If ${ds-client.preparation.request.interval.hours} is not specified (i.e. empty) it defaults to 1.
# The minimum amount is 1 hour (once per hour).
#
# ds-client.preparation.request.interval.hours=
#
# The initial delay (in hours) for when the PReq will start for the first time. This is called when PReq requests are scheduled for
# the first time. It will add the initial delay to the current time to calculate the time of the first run. This is useful if you want
# all nodes to initiate PReq requests, or set the 3DS Server to start sending PReq requests X hours after the server is started.
#
# IMPORTANT NOTE: For concurrency, you will have to adjust the ${ds-client.preparation.request.interval.hours} property.
 
# The 3DS Specification requires PReq requests to be initiated at maximum of once per hour, so the suggested time to set
# the initial delay is (nodeId - 1) * initialDelay. This means that if you run the 3DS Server in 4 nodes,
# the first node will have an initial delay of 0 (will start immediately), second node will start after X hours,
# third after 2*X hours, and fourth after 3*X hours.
#
# If ${ds-client.preparation.request.initial-delay.hours} is not specified, it defaults to 0.
#
# ds-client.preparation.request.initial-delay.hours=
 
#
# The resource location of the Ehcache configuration XML for the cached data.
#
# Use a "file:" prefix for resources located on the file system.
# Use a "http:" prefix for resources loaded from an URL.
# Use a "classpath:" prefix for resources located on the classpath.
#
# If not specified (i.e. empty) this defaults to file:${threedss.config.home}/ehcache.xml
# (${threedss.config.home} is the value of the property "threedss.config.home")
#
# If not specified and the property "threedss.config.home" is not set this
# defaults to file:\${user.home}/.threeDSServer/ehcache.xml
# (\${user.home} is the user's home directory)
#
ehcache.config-xml.resource-location=
#
# Regular expression used to validate cardholder account numbers and resolve the VISA scheme.
#
cardholder-account-number.regex.visa=4[0-9]*
#
# Regular expression used to validate cardholder account numbers and resolve the Mastercard scheme.
#
cardholder-account-number.regex.mastercard=(2[0-1]|220[5-9]|22[1-9]|2[3-9]|5|6)[0-9]*
#
# Regular expression used to validate cardholder account numbers and resolve the American Express scheme.
#
cardholder-account-number.regex.american-express=(34|37)[0-9]*
#
# Regular expression used to validate cardholder account numbers and resolve the JCB scheme.
#
cardholder-account-number.regex.jcb=35[0-9]*
#
# Regular expression used to validate cardholder account numbers and resolve the Diners scheme.
#
cardholder-account-number.regex.diners=36[0-9]*
#
# Regular expression used to validate cardholder account numbers and resolve the MIR scheme.
#
cardholder-account-number.regex.mir=220[0-4][0-9]*
# The token string appended to the 3DS Method Notification URL when 3DS Server implementation of the 3DS Method
# notification response handler is used. The purpose of the token is to randomize the 3DS Method Notification URL, so
# it would not be the same for each Netcetera 3DS Server. The token shall contain only digits and letters.
#
# The configuration of the <ThreeDSMethodNotificationUrl> must be in the format
# 'https://<host>:<port>/3ds/3ds-method-notification/', on which the ${threedsmethod.notification-url.token} is appended.
# If ${threedsmethod.notification-url.token} is not configured, token won't be appended to the base notification URL, so
# it will remain 'https://<host>/3ds/3ds-method-notification/'.
#
threedsmethod.notification-url.token=
#
# Boolean property indicating whether the 3DS Server should do an internal resolving of the 3DS Method completion
# indicator - 'threeDSCompInd' in case when it is not provided from the 3DS Requestor for an authentication request.
# Default value is true meaning that the 3DS Server should do an internal resolving.
#
# In case of an external 3DS Method notification URL, this property should be set to false.
#
threedsmethod.completion-indicator.internal-resolving.enabled=true
#
# Property indicating which actuator endpoints will be publicly exposed.
#
# When enabled by this property, the metrics and health endpoints will be available on
# 'https://<host>/actuator/metrics/' and 'https://<host>/actuator/health/', respectively. Each particular metric can
# be accessed via 'https://<host>/actuator/metrics/<metric-name>'.
#
# Among other Spring built-in metrics, there is 'http.server.requests' metric which provides info about the number of
# requests handled by the application. The requests are counted and distinguished on a few bases, including the
# request URI, the type of method (GET, POST, etc.), the status code of the response, etc. This metric also provides
# info about the duration of requests being processed by the application.
#
# The 3DS Server adds the following additional metrics '3ds-server.ds.authentication.requests.duration',
# '3ds-server.preparation.requests.duration' and '3ds-server.exceptions'.
#
# The '3ds-server.preparation.requests.duration' metric provides info about the overall duration of the
# execution of a preparation request both on 3DS Server side and in the communication between the 3DS Server and the
# Directory Server.
#
# The '3ds-server.ds.authentication.requests.duration' metric provides info about the duration of the communication
# between the 3DS Server and the Directory Server per authentication request.
#
# The '3ds-server.exceptions' metric holds count info about the exceptions that occurred on 3DS Server side due to
# various reasons. The exceptions are counted and distinguished on a few bases, including the type of exception,
# the message flow in which the exception occurred (PREPARATION, AUTHENTICATION, RESULTS, etc) and the time of
# occurrence of the exception.
#
# The 3DS Server introduces two new actuator endpoints available on 'https://<host>/actuator/transactions/' and
# 'https://<host>/actuator/exceptions/' where collected metrics information related to 3DS Server Transactions and 3DS
# Server Exceptions are available.
#
# These endpoints should be restricted from within the PSP environment.
#
management.endpoints.web.exposure.include=metrics,health,transactions,exceptions
#
# Property indicating whether the actuator health endpoint should display details (database related details,
# diskspace related details, etc.)
#
management.endpoint.health.show-details=always
#
# Property indicating whether the actuator health endpoint should include/exclude diskspace related details.
# By default, this property is true, meaning when the ${management.endpoint.health.show-details} is set to 'always',
# the diskspace related details will be available. Since the diskspace related details are not relevant information,
# this property is set to false, in order to exclude them from the health endpoint.
#
management.health.diskspace.enabled=false
#
# Property indicating whether Prometheus is enabled. Prometheus is a monitoring system which pulls metrics
# data over HTTP periodically. The 'prometheus' endpoint is disabled by default. When enabled all metrics will be
# published on it.
#
# In order to enable Prometheus set this property to true and add 'prometheus' endpoint in
# ${management.endpoints.web.exposure.include} property in order to publicly expose it.
#
management.metrics.export.prometheus.enabled=false
#
# Fully qualified URL of the 3DS Server instance. This property must be configured per node (in node-<node-ID>.properties).
#
threedss.frontend.configs.backend-api=
#
### Production database connection properties
#
# The datasource URL location. The JDBC connection string may differ depending on the database type, but we recommend
# the specified formats defined below. Supported database types are PostgreSQL, MySQL, Oracle and Microsoft SQL Server.
#
# Recommended JDBC connection strings:
#    PostgreSQL:                jdbc:postgresql://<host>:<port>/<database-name>
#    MySQL:                     jdbc:mysql://<host>:<port>/<database-name>
#    Oracle:                    jdbc:oracle:<oracle-driver>:<host>:<port>:<SID>
#    Microsoft SQL Server:      jdbc:sqlserver://<host>:<port>;database=<database-name>
spring.datasource.url=
#
# The datasource user used by the application. It is recommended that this user has read only privileges to the database
# the 3DS Server application is using.
#
spring.datasource.username=
#
# The password of the datasource user used by the application.
#
spring.datasource.password=
#
# --- DEPRECATED ---
# This field will be deprecated and it will be removed in future versions. Spring Boot will automatically detect the
# driver class from the datasource URL. For MySQL this field is still required since it automatically detects an older
# JDBC driver.
#
# The appropriate Driver used for database connection. Supported database types are PostgreSQL, MySQL, Oracle and
# Microsoft SQL Server. The value should be defined depending on the underlying database.
#
# Default database is PostgreSQL. Accepted values are:
#
#    org.postgresql.Driver                          - indicating PostgreSQL database will be used
#    com.mysql.cj.jdbc.Driver                       - indicating MySQL database will be used
#    oracle.jdbc.OracleDriver                       - indicating Oracle database will be used
#    com.microsoft.sqlserver.jdbc.SQLServerDriver   - indicating Microsoft SQL Server database will be used
#
#spring.datasource.driver-class-name=
#
# The SQL dialect of the underlying database. Supported database types are PostgreSQL, MySQL, Oracle and Microsoft SQL Server.
# The value should be defined depending on the underlying database.
#
# Default database is PostgreSQL. Accepted values are depending on the desired dialect, but it is recommended to use
# one of the following:
#
#    org.hibernate.dialect.PostgreSQL95Dialect      - indicating PostgreSQL 9.5 Dialect will be used
#    org.hibernate.dialect.MySQL57Dialect           - indicating MySQL 5.7 Dialect will be used
#    org.hibernate.dialect.Oracle12cDialect         - indicating Oracle 12 c Dialect will be used
#    org.hibernate.dialect.SQLServer2012Dialect     - indicating Microsoft SQL Server 2012 Dialect will be used
#
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL95Dialect
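
A pre-deployment check over the security-relevant properties listed above, as an added example (not part of the 3DS Server product or its documentation). It applies the listed defaults for absent keys, as the note at the top of the page describes; the parser is simplified and the sample file is constructed.

```python
import re
from urllib.parse import urlsplit

# Defaults as listed on this page; they apply when a key is absent from the file.
DEFAULTS = {
    "threedss.logging.mask-cardholder-data": "true",
    "threedsserver.configuration.use-encrypted-passwords": "false",
    "ds-client.https.protocols": "TLSv1.2",
    "threedsmethod.notification-url.token": "",
    "management.endpoints.web.exposure.include": "metrics,health,transactions,exceptions",
    "management.endpoint.health.show-details": "always",
}
DEFAULT_EXPOSED = set(DEFAULTS["management.endpoints.web.exposure.include"].split(","))

def parse_properties(text):
    """Simplified parser: key=value lines and '#'/'!' comments, no line continuations."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(text):
    """Return {property key: reason} for effective values that need review."""
    cfg = {**DEFAULTS, **parse_properties(text)}
    findings = {}
    if cfg["threedss.logging.mask-cardholder-data"].lower() != "true":
        findings["threedss.logging.mask-cardholder-data"] = "cardholder data is logged unmasked"
    if cfg["threedsserver.configuration.use-encrypted-passwords"].lower() != "true":
        findings["threedsserver.configuration.use-encrypted-passwords"] = (
            "certificate store passwords in the XML configuration are plaintext")
    protos = [p.strip() for p in cfg["ds-client.https.protocols"].split(",") if p.strip()]
    weak = [p for p in protos if not re.fullmatch(r"TLSv1\.[2-9]", p)]
    if weak:
        findings["ds-client.https.protocols"] = f"below TLSv1.2 minimum: {weak}"
    if urlsplit(cfg.get("ds-client.proxy", "")).password:
        findings["ds-client.proxy"] = "proxy password embedded in the URL"
    token = cfg["threedsmethod.notification-url.token"]
    if not token:
        findings["threedsmethod.notification-url.token"] = "empty: notification URL not randomized"
    elif not re.fullmatch(r"[A-Za-z0-9]+", token):
        findings["threedsmethod.notification-url.token"] = "token must be digits and letters only"
    exposed = {e.strip() for e in cfg["management.endpoints.web.exposure.include"].split(",")}
    extra = sorted(exposed - DEFAULT_EXPOSED - {""})
    if extra:
        findings["management.endpoints.web.exposure.include"] = f"extra endpoints exposed: {extra}"
    if cfg["management.endpoint.health.show-details"].lower() == "always":
        findings["management.endpoint.health.show-details"] = "health details shown to every caller"
    return findings

# Constructed sample file, not taken from a real deployment.
SAMPLE = """\
threedss.logging.mask-cardholder-data=false
ds-client.https.protocols=TLSv1.1,TLSv1.2
ds-client.proxy=http://foo:bar@proxy.org:8888
threedsmethod.notification-url.token=a1-b2
management.endpoints.web.exposure.include=*
"""

if __name__ == "__main__":
    for key, reason in audit(SAMPLE).items():
        print(f"{key}: {reason}")
```

Running `audit("")` shows what an unmodified default configuration already leaves open for review: plaintext certificate store passwords, an empty notification URL token, and health details set to `always`.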
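
A check that the `cardholder-account-number.regex.*` patterns stay mutually exclusive after an override, as an added example (not part of the 3DS Server). It assumes the server matches the whole account number against each pattern; the override and account numbers are constructed, and `prefix_len` must be at least as long as the longest literal prefix in any pattern.

```python
import re

# Default patterns copied from the cardholder-account-number.regex.* properties above.
SCHEME_REGEX = {
    "visa": r"4[0-9]*",
    "mastercard": r"(2[0-1]|220[5-9]|22[1-9]|2[3-9]|5|6)[0-9]*",
    "american-express": r"(34|37)[0-9]*",
    "jcb": r"35[0-9]*",
    "diners": r"36[0-9]*",
    "mir": r"220[0-4][0-9]*",
}


def resolve_schemes(pan, patterns=SCHEME_REGEX):
    """Return every scheme whose pattern matches the whole PAN (assumed full-match semantics)."""
    return sorted(name for name, rx in patterns.items() if re.fullmatch(rx, pan))


def find_overlaps(patterns=SCHEME_REGEX, prefix_len=4):
    """Enumerate all prefixes of prefix_len digits; report those claimed by more than one scheme.

    Each default pattern is a literal prefix of at most 4 digits followed by [0-9]*,
    so checking every 4-digit prefix is exhaustive for patterns of that shape.
    """
    overlaps = {}
    for n in range(10 ** prefix_len):
        prefix = f"{n:0{prefix_len}d}"
        hits = resolve_schemes(prefix, patterns)
        if len(hits) > 1:
            overlaps[prefix] = hits
    return overlaps


# Constructed override: a too-broad Mastercard pattern that also claims the MIR range.
BROAD_OVERRIDE = {**SCHEME_REGEX, "mastercard": r"(2|5|6)[0-9]*"}

if __name__ == "__main__":
    print("defaults:", find_overlaps())
    print("override:", find_overlaps(BROAD_OVERRIDE))
    # The patterns check prefix and digits only: no length or checksum validation.
    print(resolve_schemes("4"), resolve_schemes("2204000000000000"))
```

The default patterns produce no overlaps, while the constructed override makes prefixes 2200 to 2204 resolve to both Mastercard and MIR.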