The following can be modified without a TPA reset:
- Any attribute or property whose name begins with "Ldap" for KRB5 and LDAP
- MechanismEnabled property for KRB5, LDAP, JWT, and PROXY
- AuthorizationSupported property for KRB5 and LDAP
- LDAP Service ID and password with no impact to user LDAP logons
- The following properties in the PROXY mechanism:
- Any JWT mechanism property whose name begins with "JWT"
- All canonicalizations including the lightweight authorization structures
The following configuration changes still require a tpareset:
- Changes to any mechanism property not mentioned above require a tpareset
- QoP configuration
- Local or global policy configuration, including service name changes
- TDNEGO and SPNEGO
The run_tdssconfig utility indicates when a TPA reset is required.