3DS Server Configuration Properties

An application.properties file in the $THREEDS_CONFIG_HOME directory is used to set configuration options for the 3DS Server.

The available configuration options and their default values are listed below.

Note: If you don't configure a value for one of the properties in your application.properties, the default value as shown below will be used.

server.port=8080
### Tomcat AJP connector
#
# Both values are empty in this listing. AJP is meant for a trusted reverse proxy in front of Tomcat, so enable
# the connector only when a front-end needs it and keep the AJP port unreachable from any other host.
# NOTE(review): this listing shows no property for an AJP secret or bind address - confirm with the product
# documentation how the connector is restricted before enabling it.
#
tomcat.ajp.enabled=
tomcat.ajp.ajp-port=
### Logging
logging.config=classpath:log4j2-prod.xml
#
# Property indicating if the cardholder data should be masked in the log. Cardholder data include: name, IP address,
# shipping and billing address, home, work and mobile phone.
#
# Keep this set to true in production: unmasked values end up wherever the logs are stored and are then only as
# protected as that store.
# NOTE(review): the account number (PAN) is not in the list above - confirm separately how it is handled in logs.
#
threedss.logging.mask-cardholder-data=true
#
# Configuration indicating which loggers should be used for saving transaction log data. This configuration accepts multiple
# comma-separated values.
#
# Note: If Elasticsearch is used, connection to Elasticsearch should also be configured (see spring.data.elasticsearch.*)
# NOTE(review): the only Elasticsearch connection property in this listing is spring.elasticsearch.rest.uris (below),
# not spring.data.elasticsearch.* - confirm which one applies.
#
# Example to configure logging in file and Elasticsearch: threedss.logging.storage.type=file,elasticsearch
#
# Possible values are:
#   file            saves transaction logs to file
#   db              requires threedsserver.configuration.type property to be equal to "db"
#   elasticsearch   requires valid elasticsearch configuration
#
threedss.logging.storage.type=file
#
# Comma separated list of Elasticsearch endpoint(s)
# Example values: spring.elasticsearch.rest.uris=http://elasticsearch:9200
#
# The example uses plain http. Transaction logs can carry cardholder data, so outside a lab setup point this at an
# https endpoint on a cluster that requires authentication.
#
# spring.elasticsearch.rest.uris=
#
#
# Enables signing elasticsearch requests with the AWS request signing interceptor if set to true
#
#nca.acquiring.aws.iam-role-elasticsearch-auth.enabled=false
#
### 3DS Server configuration
#
# Property indicating the type of 3DS Server configuration. There are two supported values:
#
#   1. xml - indicating XML configuration
#   2. db  - indicating Database configuration
#
# If ${threedsserver.configuration.type} property is not set, it defaults to xml - indicating XML
# configuration.
#
threedsserver.configuration.type=xml
#
# When the 3DS Server configuration is persisted in database, the 3DS Server also allows session data to be persisted in database.
# This property indicates the type of 3DS Server session storage. There are three supported values:
#
#   1. cache - indicating EhCache session storage
#   2. db    - indicating Database session storage
#   3. redis - indicating session storage using Redis
#
# If ${threedsserver.session.storage.type} property is not set, it defaults to cache - indicating EhCache session
# storage.
#
# 3DS 1 / UPOP session data is only supported with redis and db session storage type.
# If cache is chosen as session storage type, the 3DS 1 / UPOP session data will be stored in database.
#
threedsserver.session.storage.type=cache
#
### Database Session Storage cleanup configuration
#
### 3DS Method Data
#
# Property indicating whether a cleanup of the 3DS Method data should be scheduled. In a multi-instance setup
# it is recommended to have it enabled on one instance. Other instances should have it false.
#
# If ${threedsserver.session.storage.db.threeds-method-data.cleanup.enabled} property is not set, it defaults to true -
# indicating a cleanup of the 3DS Method data to be scheduled according to
# ${threedsserver.session.storage.db.threeds-method-data.cleanup.minutes}.
#
threedsserver.session.storage.db.threeds-method-data.cleanup.enabled=true
#
# The time interval in minutes on which the 3DS Server will clean up the 3DS Method data cache when the
# ${threedsserver.session.storage.type} is set to db - indicating Database session storage,
# or redis - indicating Redis session storage.
#
# The 3DS Server will delete all entries whose time to live minutes -
# ${threedsserver.session.storage.db.threeds-method-data.time-to-live.minutes} have expired.
#
# If not configured differently, this property defaults to 60 minutes indicating hourly cleanup of the
# 3DS Method data table.
#
threedsserver.session.storage.db.threeds-method-data.cleanup.minutes=60
#
# The time to live in minutes of the 3DS Method data table entries. After this period of time, the 3DS Method data
# entries cannot be retrieved, nor updated. On a configured time interval -
# ${threedsserver.session.storage.db.threeds-method-data.cleanup.minutes} all inactive 3DS Method data entries will
# be deleted.
#
threedsserver.session.storage.db.threeds-method-data.time-to-live.minutes=1
#
### Results Data
#
# Property indicating whether a cleanup of the Results data should be scheduled. In a multi-instance setup
# it is recommended to have it enabled on one instance. Other instances should have it false.
#
# If ${threedsserver.session.storage.db.results-data.cleanup.enabled} property is not set, it defaults to true -
# indicating a cleanup of the Results data to be scheduled according to
# ${threedsserver.session.storage.db.results-data.cleanup.minutes}.
#
threedsserver.session.storage.db.results-data.cleanup.enabled=true
#
#
# The time interval in minutes on which the 3DS Server will clean up the Results data cache when the
# ${threedsserver.session.storage.type} is set to db - indicating Database session storage,
# or redis - indicating Redis session storage.
#
# The 3DS Server will delete all entries whose time to live minutes -
# ${threedsserver.session.storage.db.results-data.time-to-live.minutes} have expired.
#
# If not configured differently, this property defaults to 60 minutes indicating hourly cleanup of the
# Results data cache.
#
threedsserver.session.storage.db.results-data.cleanup.minutes=60
#
# The time to live in minutes of the Results data table entries. After this period of time, the Results data entries
# cannot be retrieved, nor updated. On a configured time interval -
# ${threedsserver.session.storage.db.results-data.cleanup.minutes} all inactive Results data entries will be deleted.
#
# With the decoupled authentication introduced in EMV 3DS v2.2.0, the maximum time that the Requestor would wait for the
# results request is defined with the 'threeDSRequestorDecMaxTime' field in the Authentication request (the maximum
# time that could be set to the 'threeDSRequestorDecMaxTime' is 10080 minutes - 7 days). Therefore, if decoupled
# authentication is utilised set this property to a value greater than 'threeDSRequestorDecMaxTime' sent in the
# Authentication request.
#
threedsserver.session.storage.db.results-data.time-to-live.minutes=30
 
# If set to true, divides the list of card range data to be inserted into batches, the maximum size of which is
# determined by the property ${threedsserver.session.storage.db.card-range-data.batch.size}.
#
threedsserver.session.storage.db.card-range-data.batch.parallelized=true
 
# The batch size used if parallel mode is enabled for inserting card range data
# ${threedsserver.session.storage.db.card-range-data.batch.parallelized}.
#
threedsserver.session.storage.db.card-range-data.batch.size=10000
 
# This property specifies how often the 3DS Server checks whether the card ranges in the underlying storage were
# updated, so that it can refresh its own cache of card ranges. If the property is not set, it defaults to 60 seconds,
# i.e. the 3DS Server checks for updates every 60 seconds and updates its cache if necessary.
#
threedsserver.session.storage.cache.card-range-data.cache-update-check.seconds=60
 
###
# Redis connection configuration
###
# Redis stores 3DS session data when ${threedsserver.session.storage.type} is set to redis, so require a password
# on the Redis server and keep the instance reachable only from the 3DS Server nodes.
# NOTE(review): no TLS setting is listed here; Spring Boot 2.x offers spring.redis.ssl - confirm that the 3DS Server
# honours it before relying on it.
#
# Hostname of the Redis server
#spring.redis.host=
# Redis port
#spring.redis.port=6379
# Password for the Redis server
# The value is stored in this file in plaintext. Restrict read access to the file, or supply the value from the
# environment or a secret store instead of writing it here.
#spring.redis.password=
# Timeout in milliseconds for each Redis connection. Default is 240000ms.
spring.redis.timeout=240000
# Maximum number of connections that can be allocated by the pool at a given time. Use a negative value for no limit.
# spring.redis.lettuce.pool.max-active=
# Maximum number of "idle" connections in the pool. Use a negative value to indicate an unlimited number of idle connections.
#spring.redis.lettuce.pool.max-idle=
# Target for the minimum number of idle connections to maintain in the pool. This setting only has an effect if both
# it and time between eviction runs are positive.
#spring.redis.lettuce.pool.min-idle=
# Shutdown timeout
#spring.redis.lettuce.shutdown-timeout=
#
# The default location for various configuration files of the 3DS Server.
# If not specified it defaults to: \${user.home}/.threeDSServer.
# (\${user.home} is the user's home directory)
#
# threedss.config.home=
 
# The resource location of the ThreeDS Server Configuration (e.g. file:/etc/threeDSServerConfiguration/3dss-configuration.xml)
#
# Use a "file:" prefix for resources located on the file system.
# Use a "http:" prefix for resources loaded from a URL.
# Use a "classpath:" prefix for resources located on the classpath.
#
# Prefer "file:" (readable only by the service account) or "classpath:". A "http:" location is fetched without
# transport protection, and the XML configuration can hold certificate store passwords
# (see ${threedsserver.configuration.use-encrypted-passwords}), so it could be read or altered in transit.
#
# If ${threedsserver.configuration.location} is not specified (i.e. empty) it defaults to file:${threedss.config.home}/3dss-configuration.xml
# (${threedss.config.home} is the value of the property "threedss.config.home")
#
# If not specified and the property "threedss.config.home" is not set this
# defaults to file:\${user.home}/.threeDSServer/3dss-configuration.xml
# (\${user.home} is the user's home directory)
#
threedsserver.configuration.location=
#
# Property indicating the name of the header field that contains the organization ID.
#
# If ${threedsserver.configuration.organization-id-header-name} property is not set, it defaults to
# "3DS-Organization-ID".
#
threedsserver.configuration.organization-id-header-name=3DS-Organization-ID
#
# Property indicating if the passwords defined for the certificate stores in the XML configuration are encrypted.
#
# If ${threedsserver.configuration.use-encrypted-passwords} property is not set, it defaults to false - indicating
# plaintext passwords are used.
#
# With the default, anyone who can read the XML configuration can read the certificate store passwords. For
# production, set this to true, configure your own key through the threedss.encryption.* properties, and restrict
# read access to the configuration either way.
#
threedsserver.configuration.use-encrypted-passwords=false
#
# Property indicating whether testing mode is enabled. This property can be used to bypass directory server reference
# number validation while evaluating the 3DS Server product.
#
# If ${threedsserver.testing-mode.enabled} property is not set, it defaults to false - indicating testing mode is
# disabled.
#
# Evaluation only: enabling it switches off a validation step, so keep it false in production and check the
# effective value as part of every production rollout.
#
threedsserver.testing-mode.enabled=false
#
# Timeout configuration for 3DS Server Authentication Response defined in seconds. This value will be used only if
# timeout configuration is not defined at root level for the 3DS Server.
#
threedsserver.timeouts.ares.seconds=300
#
# Timeout configuration for 3DS Server Preparation Response defined in seconds. This value will be used only if
# timeout configuration is not defined at root level for the 3DS Server.
#
threedsserver.timeouts.pres.seconds=300
##
# Timeout configuration for 3DS Server Method defined in seconds. This value will be used only if
# timeout configuration is not defined at root level for the 3DS Server.
#
threedsserver.timeouts.threedsmethod.seconds=10
##
# Timeout configuration for 3DS Server ProtocolError defined in seconds. This value will be used only when the
# 3DS Server sends protocol error messages to the Directory Server.
#
threedsserver.timeouts.protocol-error.seconds=2
#
# Number of threads serving ThreeDSServerResultsResponse messages invocation to the Requestor.
#
threedsserver.results-response.task-executor.core-pool-size=50
#
# Indicates whether the 3DS Server should validate an empty Acquirer Merchant ID received as part
# of the 3DS Server Authentication Request as valid. Set this property to true only if the 3DS Server
# processes American Express transactions for Online Travel Agencies (OTA) merchants. The 3DS Server will validate
# the empty Acquirer Merchant ID value as valid only if the 3DS Requestor ID, sent in the 3DS Server Authentication Request,
# starts with 'OTA' which is American Express specific requirement.
#
# The default value is false, i.e. the 3DS Server will not treat blank Acquirer Merchant Id as valid.
#
threedsserver.api-authentication-request.allow-empty-acquirer-merchant-id=false
#
# The resource location of the ThreeDS Server license (e.g. file:/etc/threeDSServerLicense/3dss.lic)
#
# Use a "file:" prefix for resources located on the file system.
# Use a "http:" prefix for resources loaded from an URL.
# Use a "classpath:" prefix for resources located on the classpath.
#
# If ${license.resource-location} is not specified (i.e. empty) it defaults to file:${threedss.config.home}/3dss.lic
# (${threedss.config.home} is the value of the property "threedss.config.home")
#
# If not specified and the property "threedss.config.home" is not set this
# defaults to file:\${user.home}/.threeDSServer/3dss.lic
# (\${user.home} is the user's home directory)
#
license.resource-location=
#
# Location of the folder where 3DS Server will store license data files.
# The application needs to have read/write access to the configured folder.
#
# Use a "file:" prefix for resources located on the file system.
#
# If ${license.data.resources-location} is not specified (i.e. empty) it defaults to
# file:${threedss.config.home}
# (${threedss.config.home} is the value of the property "threedss.config.home")
#
# If not specified and the property "threedss.config.home" is not set this
# defaults to file:\${user.home}/.threeDSServer
# (\${user.home} is the user's home directory)
#
license.data.resources-location=
#
# The https protocols (i.e. TLS versions) the threeDS Server should use when establishing a connection to the directory servers.
# According to the 3DS Specification, the minimum supported TLS version is TLSv1.2
#
ds-client.https.protocols=TLSv1.2
#
# The server has default encryption key used to encrypt/decrypt sensitive information like passwords for certificate
# stores. If you want to use your own secret key specify the key alias, keystore location, keystore type
# and keystore password.
#
# NOTE(review): a built-in default key is presumably the same for every installation - confirm with the vendor. If
# so, it gives little protection against anyone who has the product, so configure your own key for production.
#
# Alias for active key which will be used for encrypting. You can change your active secret key alias,
# but the old key must stay present in the keystore in case it is needed for decryption or until you re-encrypt
# all encrypted database entries. Active key must be AES 256 secret key.
#
threedss.encryption.active-key-alias=
#
# Keystore location.
#
# The keystore holds the key that protects the other stored secrets: keep it readable by the service account only.
#
threedss.encryption.keystore-location=
#
# Keystore password.
#
# The value is stored in this file in plaintext. Restrict read access to the file, or supply the value from the
# environment or a secret store instead of writing it here.
#
threedss.encryption.keystore-password=
#
# Keystore type. Allowed keystore types: PKCS12 and JCEKS.
#
threedss.encryption.keystore-type=
#
# The proxy to use for connecting to the Directory Server (leave empty if not using a proxy).
#
# When specifying a HTTP proxy, HTTPS connections will be tunneled through via the HTTP CONNECT method.
# You may specify a user/password combination in the URL in case your proxy requires authentication.
#
# NOTE(review): the URL form is presumably scheme://user:password@host:port - with the sample values below,
# http://foo:bar@proxy.org:8888 (constructed example). Confirm against the product documentation.
#
# host    : proxy.org
# port    : 8888 (optional; if not specified, the scheme default port will be used)
# scheme  : http
# user    : foo (optional; only specify a user in case your proxy requires authentication)
# password: bar (optional; only specify a password in case your proxy requires authentication)
#
# Credentials embedded in the URL are stored in this file in plaintext. Restrict read access to the file and use a
# proxy account that has no other privileges.
#
ds-client.proxy=
#
# The maximum number of connections for 3DS 2 requests per-route (i.e. Directory Server host)
# held in the connection pool of a Directory Server client.
#
ds-client.max-connection-pool-per-route-size=50
#
# The maximum number of connections for 3DS 2 requests held in all per-route connection pools.
#
ds-client.max-number-of-connections-overall=100
#
# The supported cipher suites for outbound 2-way SSL connections to the DS.
#
ds-client.supported.cipher.suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
#
# The connection timeout in milliseconds for establishing a TCP/IP connection to the Directory Server.
#
ds-client.connection.timeout.milliseconds=3000
#
# The maximum number of Directory Server clients to cache.
#
ds-client.max-cached-instances=100
#
# The time (in seconds) for which the RestTemplate cache would expire.
#
ds-client.cached-instance-expiry.seconds=86400
#
# Indicator if PReq scheduling should be enabled. This should be enabled for at least one node.
# If 3DS Server is used with only one node, this property should be enabled.
#
# If 3DS Server is used in clustered environment and only one node will perform the updates,
# enable this feature for the node that will perform the updates. Other nodes should disable this feature.
#
# If ${ds-client.preparation.request.invocation.enabled} is not specified, it defaults to true.
# ds-client.preparation.request.invocation.enabled=
#
# The interval (in hours) at which a preparation request is sent to the directory server. Minimum value is 1 (1 hour),
# meaning the directory server is called once every hour. If you have multiple nodes running and want each node to
# initiate PReq requests, consider setting this property to be the same for each node.
# This combined with ${ds-client.preparation.request.initial-delay.hours}
# will enable the nodes to each run in different time slots not interfering with each other.
#
# If ${ds-client.preparation.request.interval.hours} is not specified (i.e. empty) it defaults to 1.
# The minimum amount is 1 hour (once per hour).
#
# ds-client.preparation.request.interval.hours=
#
# The initial delay (in hours) for when the PReq will start for the first time. This is called when PReq requests are scheduled for
# the first time. It will add the initial delay to the current time to calculate the time of the first run. This is useful if you want
# all nodes to initiate PReq requests, or set the 3DS Server to start sending PReq requests X hours after the server is started.
#
# IMPORTANT NOTE: For concurrency, you will have to adjust the ${ds-client.preparation.request.interval.hours} property.
 
# The 3DS Specification requires PReq requests to be initiated at maximum of once per hour, so the suggested time to set
# the initial delay is (nodeId - 1) * initialDelay. This means that if you run the 3DS Server in 4 nodes,
# the first node will have an initial delay of 0 (will start immediately), second node will start after X hours,
# third after 2*X hours, and fourth after 3*X hours.
#
# If ${ds-client.preparation.request.initial-delay.hours} is not specified, it defaults to 0.
#
# --- DEPRECATED ---
# This field is deprecated and it will be removed in the next release.
# In a clustered environment, we recommend enabling the PReq initiation on one node only or disabling it on all nodes
# and use the endpoint for manual execution of preparation request.
#
# ds-client.preparation.request.initial-delay.hours=
#
# CRON expression indicating the time when the identified supported protocol values of the Directory Servers' endpoints will be
# deleted. This would mean that the 3DS Server will again check for the supported protocol versions of each Directory Server.
# This only applies when ${ds-client.preparation.request.invocation.enabled} is set to true. CRON
# expression must consist of 6 fields. The default value (0 0 3 * * 7) indicates: every Sunday at 3am.
#
ds-client.preparation.request.supported-versions.scheduled-delete.cron=0 0 3 * * 7
#
# Defines the time in milliseconds for reconnecting of all http connections which are opened longer than that time.
# By default this property is -1 which means infinite TTL.
#
ds-client.connection-pool-entry-ttl=-1
#
# The timeout in milliseconds for a connection to the Requestor to be established for the purpose of sending the
# Results Response. A timeout value of zero is interpreted as an infinite timeout. Default value is 1000.
#
threedsserver.results-response.http-client.connection-timeout=1000
#
# The socket timeout (SO_TIMEOUT) in milliseconds for the connections to the Requestor for the purpose of sending the
# Results Response. A timeout value of zero is interpreted as an infinite timeout. Default value is 1000.
#
threedsserver.results-response.http-client.socket-timeout=1000
#
# The maximum time to live for persistent connections to the Requestor for the purpose of sending the
# Results Response. Default value is -1.
#
threedsserver.results-response.http-client.connection-pool-entry-ttl=-1
#
# The number of maximum connections per route for the purpose of sending the Results Response. Default value is 50.
#
threedsserver.results-response.http-client.max-connection-pool-entries-per-route=50
#
# The number of maximum total connections for the purpose of sending the Results Response. Default value is 100.
#
threedsserver.results-response.http-client.max-connection-pool-entries-overall=100
#
# The number of times to retry to send the Results Response to the Requestor in case when the Requestor service is
# unavailable (503 - Service Unavailable response is received) or an IOException occurs (except for the following
# non-retriable IOException classes: InterruptedIOException, UnknownHostException, ConnectException, SSLException).
# The default value is 3.
#
threedsserver.results-response.retry-times=3
#
# Retry interval between subsequent attempts to send the Results Response to the Requestor in milliseconds.
# The default value is 1000.
#
threedsserver.results-response.retry-interval=1000
#
#
# The resource location of the Ehcache configuration XML for the cached data.
#
# Use a "file:" prefix for resources located on the file system.
# Use a "http:" prefix for resources loaded from an URL.
# Use a "classpath:" prefix for resources located on the classpath.
#
# If not specified (i.e. empty) this defaults to file:${threedss.config.home}/ehcache.xml
# (${threedss.config.home} is the value of the property "threedss.config.home")
#
# If not specified and the property "threedss.config.home" is not set this
# defaults to file:\${user.home}/.threeDSServer/ehcache.xml
# (\${user.home} is the user's home directory)
#
ehcache.config-xml.resource-location=
#
# Regular expression used to validate cardholder account numbers and resolve the VISA scheme.
#
cardholder-account-number.regex.visa=^4[0-9]*
#
# Regular expression used to validate cardholder account numbers and resolve the Mastercard scheme.
#
# NOTE(review): in '1[0|[2-9]]' the '|' sits inside a character class, where it is a literal character rather than
# alternation (assuming java.util.regex semantics, where the nested class is a union). The pattern would then also
# admit a '|' at that position - confirm with the vendor whether '1(0|[2-9])' was intended before relying on this
# pattern for validation.
#
cardholder-account-number.regex.mastercard=^(2(22[1-9]|2[3-9]|[3-6]|7[0-1]|720)|5|60(0|1[0|[2-9]]|[2-9])|6([1-3]|[6-9]))[0-9]*
#
# Regular expression used to validate cardholder account numbers and resolve the American Express scheme.
#
cardholder-account-number.regex.american-express=^(34|37)[0-9]*
#
# Regular expression used to validate cardholder account numbers and resolve the JCB scheme.
#
cardholder-account-number.regex.jcb=^35(2[89]|[3-8][0-9])[0-9]*
#
# Regular expression used to validate cardholder account numbers and resolve the Diners scheme.
#
cardholder-account-number.regex.diners=^(30[0-5]|3095|36|38|39|6011|64|65)[0-9]*
#
# Regular expression used to validate cardholder account numbers and resolve the MIR scheme.
#
cardholder-account-number.regex.mir=^220[0-4][0-9]*
# The token string appended to the 3DS Method Notification URL when 3DS Server implementation of the 3DS Method
# notification response handler is used. The purpose of the token is to randomize the 3DS Method Notification URL, so
# it would not be the same for each Netcetera 3DS Server. The token shall contain only digits and letters.
#
# The configuration of the <ThreeDSMethodNotificationUrl> must be in the format
# 'https://<host>:<port>/3ds/3ds-method-notification/', on which the ${threedsmethod.notification-url.token} is appended.
# If ${threedsmethod.notification-url.token} is not configured, token won't be appended to the base notification URL, so
# it will remain 'https://<host>/3ds/3ds-method-notification/'.
#
threedsmethod.notification-url.token=
#
# Boolean property indicating whether the 3DS Server should do an internal resolving of the 3DS Method completion
# indicator - 'threeDSCompInd' in case when it is not provided from the 3DS Requestor for an authentication request.
# Default value is true meaning that the 3DS Server should do an internal resolving.
#
# In case of an external 3DS Method notification URL, this property should be set to false.
#
threedsmethod.completion-indicator.internal-resolving.enabled=true
# Property indicating which actuator endpoints will be publicly exposed.
#
# When enabled by this property, the metrics and health endpoints will be available on
# 'https://<host>/actuator/metrics/' and 'https://<host>/actuator/health/', respectively. Each particular metric can
# be accessed via 'https://<host>/actuator/metrics/<metric-name>'.
#
# Among other Spring built-in metrics, there is 'http.server.requests' metric which provides info about the number of
# requests handled by the application. The requests are counted and distinguished on a few bases, including the
# request URI, the type of method (GET, POST, etc.), the status code of the response, etc. This metric also provides
# info about the duration of requests being processed by the application.
#
# The 3DS Server adds the following additional metrics '3ds-server.ds.authentication.requests.duration',
# '3ds-server.preparation.requests.duration' and '3ds-server.exceptions'.
#
# The '3ds-server.preparation.requests.duration' metric provides info about the overall duration of the
# execution of a preparation request both on 3DS Server side and in the communication between the 3DS Server and the
# Directory Server.
#
# The '3ds-server.ds.authentication.requests.duration' metric provides info about the duration of the communication
# between the 3DS Server and the Directory Server per authentication request.
#
# The '3ds-server.exceptions' metric holds count info about the exceptions that occurred on 3DS Server side due to
# various reasons. The exceptions are counted and distinguished on a few bases, including the type of exception,
# the message flow in which the exception occurred (PREPARATION, AUTHENTICATION, RESULTS, etc) and the time of
# occurrence of the exception.
#
# The 3DS Server introduces new actuator endpoints available on
# 'https://<host>/admin/dashboard/actuator/transactions/'       - collected metrics about 3DS Server Transactions
# 'https://<host>/admin/dashboard/actuator/exceptions/'         - collected metrics about 3DS Server Exceptions
# 'https://<host>/admin/dashboard/actuator/certificates/'       - information about client certificates used by 3DS Server
# 'https://<host>/admin/dashboard/actuator/card-ranges-cache/'  - information about cached card ranges
# 'https://<host>/admin/dashboard/actuator/configurations/'     - information about tenant configurations used by 3DS Server
# 'https://<host>/admin/dashboard/actuator/license-usage/'      - information about the license usage by 3DS Server
#
# These endpoints should be restricted from within the PSP environment.
#
# Listing an endpoint here makes it reachable over HTTP; it does not by itself limit who may call it. Several of
# these endpoints describe certificates, tenant configuration and card ranges, so restrict access at the network or
# reverse-proxy layer and list only the endpoints your monitoring needs.
# NOTE(review): this listing shows no authentication setting for these endpoints - confirm how access is controlled.
#
management.endpoints.web.exposure.include=metrics,health,transactions,exceptions,info,certificates,card-ranges-cache,license-usage,configurations
#
# Property indicating whether the actuator health endpoint should display details (database related details,
# diskspace related details, etc.)
#
# 'always' returns the details to every caller of the health endpoint. Spring Boot also accepts 'never' and
# 'when-authorized'; prefer one of those if the endpoint is reachable from outside the monitoring network.
#
management.endpoint.health.show-details=always
#
# Property indicating whether the actuator health endpoint should include/exclude diskspace related details.
# By default, this property is true, meaning when the ${management.endpoint.health.show-details} is set to 'always',
# the diskspace related details will be available. Since the diskspace related details are not relevant information,
# this property is set to false, in order to exclude them from the health endpoint.
#
management.health.diskspace.enabled=false
#
# Property indicating whether Prometheus is enabled. Prometheus is a monitoring system which pulls metrics
# data over HTTP periodically. The 'prometheus' endpoint is disabled by default. When enabled all metrics will be
# published on it.
#
# In order to enable Prometheus set this property to true and add 'prometheus' endpoint in
# ${management.endpoints.web.exposure.include} property in order to publicly expose it.
#
management.metrics.export.prometheus.enabled=false
#
# Comma separated decimal values for publishing percentiles for metrics that are part of service-level agreement.
# By default 0.99, 0.95 and 0.70 percentiles are published.
#
threedss.metrics.sla.percentiles=0.99, 0.95, 0.70
#
#############################################
# Core configuration properties for the MPI #
#############################################
#
# Should MPI use an internal session, used to validate PARes messages,
# or should the external SessionData be provided through the API as part of PaResValidationRequest.
#
mpi.core.session-enabled=true
#
# Should MPI send 3-D Secure error messages to the Directory Servers
# when they send invalid 3-D Secure messages.
#
mpi.core.send-error-messages-to-ds=true
#
# Should MPI send 3-D Secure error messages to the Access Control Servers
# when they send invalid 3-D Secure messages.
#
mpi.core.send-error-messages-to-acs=true
#
# Should the HTTP scheme be considered a valid one, when validating the ACS url.
#
# Note: This should not be allowed in a production environment. The default shown here is true, so a production
# configuration has to set this property to false explicitly. With plain HTTP, traffic to the ACS url is not
# protected against interception or modification in transit.
#
mpi.core.allow-http-for-acs-url=true
#
# Should the MPI strictly enforce the XML signature syntax requirements as defined by VISA.
#
# There are some ACSs that don't respect the VISA XML signature syntax requirements
# and for example send a SignedInfo.Reference.Transforms element in the PARes.
# Setting this property to false relaxes the XML signature syntax validation to also
# allow such signatures.
#
# If not specified this defaults to true
#
# Relaxing this validation widens the set of PARes signatures the MPI accepts, so it is best left at true unless
# a specific ACS cannot be integrated otherwise.
#
mpi.core.enforce-xml-signature-syntax-validation=true
#
# Should the MPI strictly enforce the PARes validation.
#
# There are some ACSs that don't respect the Visa syntax requirements
# and for example send a zeroed out pan element in the PARes, for all TransactionStatuses.
# Setting this property to false relaxes the PARes validation to also allow such responses.
#
# If not specified this defaults to true
#
# Relaxing this validation means PARes messages that deviate from the Visa syntax requirements are accepted,
# so it is best left at true unless a specific ACS cannot be integrated otherwise.
#
mpi.core.enforce-pares-validation=true
#
# Defines if the MPI should send the mastercard tokenization extension in VEReq for all MasterCard PAN/Token requests.
#
mpi.core.use-master-card-tokenization-extension=true
#
#
# Property indicating whether a cleanup of the MPI session data should be scheduled. In a multi-instance setup
# it is recommended to have it enabled on one instance. Other instances should have it false.
#
# If the ${mpi.core.session-data-clean-up-enabled} property is not set, it defaults to true -
# indicating a cleanup of the MPI session data to be scheduled according to ${mpi.core.session-data-clean-up-interval}.
#
mpi.core.session-data-clean-up-enabled=true
#
# The time interval in minutes on which the 3DS Server will clean up the MPI session data.
#
# The 3DS Server will delete all entries whose time to live (in minutes, see ${mpi.core.session-data-time-to-live})
# has expired.
#
# If not configured differently, this property defaults to 60 minutes indicating hourly cleanup.
#
mpi.core.session-data-clean-up-interval=60
#
# The time to live in minutes of the MPI session data table entries. After this period of time, the MPI session data
# entries cannot be retrieved, nor updated. On a configured time interval - ${mpi.core.session-data-clean-up-interval}
# all inactive 3DS Method data entries will be deleted.
#
# With the defaults shown here (time to live 30, cleanup interval 60) an expired entry can remain in the table
# until the next cleanup run.
# NOTE(review): "3DS Method data entries" above presumably means the expired MPI session data entries - confirm.
#
mpi.core.session-data-time-to-live=30
 
##################################################
# Configuration properties for the MPI DS Client #
##################################################
#
# The maximum number of connections for 3DS 1 requests per-route (i.e. Directory Server host)
# held in the connection pool of a Directory Server client.
#
mpi.ds-client.max-connection-pool-per-route-size=50
#
# The maximum number of connections for 3DS 1 requests held in all per-route connection pools.
#
mpi.ds-client.max-number-of-connections-overall=100
#
# The maximum number of Directory Server clients to cache.
#
# Directory Server clients are cached per client certificate due to the
# expensive setup of the underlying SSL socket factory.
#
mpi.ds-client.max-cached-instances=100
#
# The time after which an entry in the RestTemplate cache expires, expressed in seconds.
#
mpi.ds-client.cached-instance-expiry-in-seconds=86400
#
# The proxy to use for connecting to the Directory Server (leave empty if not using a proxy).
#
# When specifying an HTTP proxy, HTTPS connections will be tunneled through via the HTTP CONNECT method.
# You may specify a user/password combination in the URL in case your proxy requires authentication.
#
# NOTE(review): the URL pattern line appears to be missing here; presumably the usual form
# scheme://user:password@host:port is meant (with the sample values below: http://foo:bar@proxy.org:8888) - confirm.
#
# host    : proxy.org
# port    : 8888 (optional; if not specified, the scheme default port will be used)
# scheme  : http
# user    : foo (optional; only specify a user in case your proxy requires authentication)
# password: bar (optional; only specify a password in case your proxy requires authentication)
#
# A password placed in this URL is kept in clear text in the properties file, so the file should be readable only
# by the account that runs the 3DS Server.
#
mpi.ds-client.proxy=
#
# The https protocols (i.e. TLS versions) the MPI should use when establishing a connection to the directory servers.
#
# TLSv1 and TLSv1.1 are deprecated (RFC 8996). Where the directory servers support it, the list can be reduced
# to TLSv1.2 so that a connection cannot be negotiated down to the older versions.
#
mpi.ds-client.https-protocols=TLSv1.2,TLSv1.1,TLSv1
#
# Defines the connection timeout in milliseconds for establishing a TCP/IP connection to the Directory Server.
#
# A timeout value of zero is interpreted as an infinite timeout.
#
mpi.ds-client.connection-timeout-in-milliseconds=3000
#
# Defines the socket timeout in milliseconds for communication with the Directory Server.
#  (The socket timeout is the timeout for waiting for data or, put differently,
#   the maximum period of inactivity between two consecutive data packets).
#
# A timeout value of zero is interpreted as an infinite timeout. With an infinite timeout, a Directory Server
# that stops responding keeps the connection, and the request waiting on it, occupied indefinitely.
#
mpi.ds-client.socket-timeout-in-milliseconds=5000
#
# Should the MPI start in simulation mode, with no communication to the DS Server.
#
# In simulation mode the enrollment responses come from the simulation file configured below rather than from a
# Directory Server, so this is meant for test setups and should stay false in production.
#
mpi.ds-client.ds-response-simulation=false
#
# The resource location for the Directory Server response simulation file, containing entries in the following format:
#
# <pan>=<enrollment-status>,<acs-url>
#
# Possible values to be used for enrollment status are: Y, N or U
#
# When configuring the response simulation file resource location:
# Use a "file:" prefix for resources located on the file system.
# Use a "http:" prefix for resources loaded from a URL.
# Use a "classpath:" prefix for resources located on the classpath.
#
# If not specified (i.e. empty) this defaults to file:${threedss.config.home}/dsResponseSimulation.properties
# (${threedss.config.home} is the value of the system property "threedss.config.home")
#
# If not specified and the system property "mpi.config.home" is not set this
# defaults to file:${user.home}/.threedss/dsResponseSimulation.properties
# (${user.home} is the user's home directory)
#
# NOTE(review): the system property is called "threedss.config.home" in the first paragraph and "mpi.config.home"
# in the second - confirm which name applies.
#
mpi.ds-client.ds-response-simulation-resource-location=
#
# The max number of threads in the thread pool of the error notifier.
#
# The error notifier is responsible for asynchronously sending error messages to the
# Directory Server or the ACS, whenever the MPI detects an error in a 3-D Secure
# protocol message received from either the Directory Server or the ACS.
#
mpi.ds-client.max-thread-pool-size=10
#
# Defines the time in milliseconds after which http connections that have been open longer than that time
# are reconnected.
# By default this property is -1 which means infinite TTL.
#
mpi.ds-client.connection-pool-entry-ttl=-1
 
####################################################
# Configuration properties for the MPI UPOP Client #
####################################################
#
# Proxy used for connecting to the UnionPay inquiry server.
# See details about proxy settings above (${mpi.ds-client.proxy}); the same URL format applies, including the
# optional user/password, which is then kept in clear text in this file.
#
mpi.upop-client.proxy=
#
# Defines the connection timeout in milliseconds for establishing a TCP/IP connection to the UnionPay Server.
#
# A timeout value of zero is interpreted as an infinite timeout.
#
mpi.upop-client.connection-timeout-in-milliseconds=3000
#
# Defines the socket timeout in milliseconds for communication with the UnionPay Server.
#
# A timeout value of zero is interpreted as an infinite timeout. With an infinite timeout, a UnionPay Server
# that stops responding keeps the connection, and the request waiting on it, occupied indefinitely.
#
mpi.upop-client.socket-timeout-in-milliseconds=5000
#
# Fully qualified URL of the 3DS Server instance. This property must be configured per node (in node-<node-ID>.properties).
#
threedss.frontend.configs.backend-api=
#
### Production database connection properties
#
# The datasource URL location. The JDBC connection string may differ depending on the database type, but we recommend
# the specified formats defined below. Supported database types are PostgreSQL, MySQL, Oracle and Microsoft SQL Server.
#
# Recommended JDBC connection strings:
#    PostgreSQL:                jdbc:postgresql://<host>:<port>/<database-name>
#    MySQL:                     jdbc:mysql://<host>:<port>/<database-name>
#    Oracle:                    jdbc:oracle:<oracle-driver>:<host>:<port>:<SID>
#    Microsoft SQL Server:      jdbc:sqlserver://<host>:<port>;database=<database-name>
spring.datasource.url=
#
# The datasource user used by the application. It is recommended that this user has read only privileges to the database
# the 3DS Server application is using.
#
spring.datasource.username=
#
# The password of the datasource user used by the application.
#
# A value written here directly is kept in clear text in the properties file. It can instead be given as
# ENC(<cipherText>) and decrypted with the key configured in ${nca.acquiring.aws.property-kms-decryption.key-id},
# and it should not be configured at all when IAM database authentication is enabled.
#
spring.datasource.password=
#
# --- DEPRECATED ---
# This field will be deprecated and it will be removed in future versions. Spring Boot will automatically detect the
# driver class from the datasource URL. For MySQL this field is still required since it automatically detects an older
# JDBC driver.
#
# The appropriate Driver used for database connection. Supported database types are PostgreSQL, MySQL, Oracle and
# Microsoft SQL Server. The value should be defined depending on the underlying database.
#
# Default database is PostgreSQL. Accepted values are:
#
#    org.postgresql.Driver                          - indicating PostgreSQL database will be used
#    com.mysql.cj.jdbc.Driver                       - indicating MySQL database will be used
#    oracle.jdbc.OracleDriver                       - indicating Oracle database will be used
#    com.microsoft.sqlserver.jdbc.SQLServerDriver   - indicating Microsoft SQL Server database will be used
#
#spring.datasource.driver-class-name=
#
# The SQL dialect of the underlying database. Supported database types are PostgreSQL, MySQL, Oracle and Microsoft SQL Server.
# The value should be defined depending on the underlying database.
#
# Default database is PostgreSQL. Accepted values depend on the desired dialect, but it is recommended to use
# one of the following:
#
#    org.hibernate.dialect.PostgreSQL95Dialect      - indicating PostgreSQL 9.5 Dialect will be used
#    org.hibernate.dialect.MySQL57Dialect           - indicating MySQL 5.7 Dialect will be used
#    org.hibernate.dialect.Oracle12cDialect         - indicating Oracle 12c Dialect will be used
#    org.hibernate.dialect.SQLServer2012Dialect     - indicating Microsoft SQL Server 2012 Dialect will be used
#
spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQL95Dialect
#
# The maximum number of pooled connections to the database. It is recommended to have a bigger number for better
# performance.
#
# The pool sizes of all 3DS Server instances together have to stay within the connection limit of the database
# server, otherwise new connections are refused.
#
spring.datasource.hikari.maximum-pool-size=300
#
# Enables/Disables the application to be registered as Eureka Client (it can communicate with the registry).
#
# Disable the Eureka Client for applications that are configured with XML files.
#
eureka.client.enabled=false
#
# Enables/Disables the application to be able to send heartbeats to Eureka Registry.
# This has no effect if: eureka.client.enabled=false
#
# Enable the Eureka Client Healthcheck by default
#
eureka.client.healthcheck.enabled=true
#
# List of Eureka Registry URLs. If the 3DS Server Admin is acting as a Eureka Registry, then the 3DS Server Admin
# endpoint needs to be configured.
#
eureka.client.service-url.defaultZone=
#
# Custom Eureka instance ID. Uncomment this property to set a custom ID for the Eureka instance. If not set
# Eureka will populate it by automatically resolving the host on which the instance is running, together with the port
# and application name.
#eureka.instance.instanceId=
#
# Custom Eureka hostname. Uncomment this property to set the hostname where your Eureka instance is running. If not set
# Eureka will resolve the hostname automatically.
#eureka.instance.hostname=
#
# Custom Eureka instance context path. Uncomment this property to set the context path which will be appended to the
# instance hostname. Should be set only if there is a need of a context path, otherwise only the hostname will be used.
#eureka.instance.metadata-map.contextPath=
#
# A property which decides whether the connection to the instance is secure (https). By default this property is false.
# When the instance is served over https, set this to true and ${eureka.instance.nonSecurePortEnabled} to false so that
# clients resolving the instance through the registry use https.
#eureka.instance.securePortEnabled=
#
# The secure port on which the instance should receive traffic. By default this is 443
# or resolved from the server.port property of the instance.
#eureka.instance.securePort=
#
# A property which decides whether the connection to the instance is non secure (http). By default this property is true.
#eureka.instance.nonSecurePortEnabled=
#
# The non secure port on which the instance should receive traffic. By default this is 80
# or resolved from the server.port property of the instance.
#eureka.instance.nonSecurePort=
#
# A property which controls whether an Organization ID header will be sent to the DS.
# Turn this on when you are using the NDM simulator and have organization based card simulations.
#
ds.send.org.id=false
#
# Property controlling whether IAM database authentication is enabled. This feature is only available
# for MySQL and PostgreSQL databases running on AWS. See the AWS documentation on IAM database authentication
# for more information.
#
# When the IAM database authentication is enabled, the ${spring.datasource.password}
# property should not be configured.
#
# The default value is false, i.e. by default, the standard way of authentication using username/password is performed.
#
# nca.acquiring.aws.iam-role-db-auth.enabled=false
#
#
# Number of threads serving transactions logging in the underlying storage.
#
threedsserver.transaction-log.task-executor.core-pool-size=50
#
# An AWS KMS symmetric key to be used to decrypt an application property value. Such a property value can be defined
# by means of the ENC(cypherText) operator. The argument is a KMS encrypted and then Base64 encoded value.
# Example of ENC usage:
# spring.datasource.password = ENC(AQICAHhX8AfIOKvwU4uJC5u+Iekn7vfjf9c1YuW+....)
# The encryption key is referenced here either with its ID or its alias and should be of the same format as the key-id
# accepted in AWS CLI encrypt command. The AWS identity the 3DS Server runs under needs permission to decrypt
# with this key (kms:Decrypt). Example:
#
# nca.acquiring.aws.property-kms-decryption.key-id=alias/prod-3ds-server-config-properties-encryption-key