The following can be modified without a TPA reset:
- Any attribute or property whose name begins with "Ldap" for KRB5 and LDAP
- MechanismEnabled property for KRB5, LDAP, JWT, and PROXY
- AuthorizationSupported property for KRB5 and LDAP
- LDAP Service ID and password with no impact to user LDAP logons
- The following properties in the PROXY mechanism:
  - CertificateFile
  - PrivateKeyFile
  - PrivateKeyPassword
  - PrivateKeypasswordProtected
  - CACertFile
  - CACertDir
  - SigningHashAlgorithm
- Any JWT mechanism property whose name begins with "JWT"
- All canonicalizations including the lightweight authorization structures
The following configuration changes still require a TPA reset:
- Changes to any mechanism property not listed above
- QoP configuration
- Local or global policy configuration, including service name changes
- TDNEGO and SPNEGO
The run_tdssconfig utility indicates when a TPA reset is required.