Oracle® OpenSSO STS Administrator's Guide
Release 11gR1. Version 11.1.1.3.0

Part Number E17844-01
5 Configuring OpenSSO STS System Properties

When you first install the Oracle OpenSSO Security Token Service (OpenSSO STS) server, the server is configured by default to secure all communication between the web service client and the OpenSSO STS. No entity can access the Security Token Service or the server itself until you configure the OpenSSO STS system properties. OpenSSO STS system properties define user access criteria and specify the security mechanisms and other processes OpenSSO STS uses. This chapter describes how to manage OpenSSO STS servers, sites, and user data stores.

5.1 Managing OpenSSO STS Servers

Whenever you install an OpenSSO STS server, you must edit the default server settings to suit your enterprise needs. When you install multiple servers, you must configure the servers to communicate with each other and to function as a single site or cluster.

5.1.1 To Edit the Default OpenSSO STS Server Settings

  1. On the Configuration tab, click the Servers and Sites Subtab.

  2. Click the Default Server Settings.

    On the Edit server-default page, the Advanced Properties section lists all properties and default values that apply to the default OpenSSO STS server.

    • To add a new property, click Add.

      A new row is added to the bottom of the list. In the appropriate columns, type a Property Name and Property Value.

    • To delete a property from the Advanced Properties list, click to check the box corresponding to the property, and then click Delete.

  3. Click Save.

  4. Click "Back to Servers and Sites."

5.1.2 To Add a New OpenSSO STS Server

  1. On the Configuration tab, click the Servers and Sites subtab.

  2. Click New.

  3. Configure the OpenSSO STS server. See Section 5.1.3, "To Configure an OpenSSO STS Server."

5.1.3 To Configure an OpenSSO STS Server

  1. On the Configuration tab, click the Servers and Sites subtab.

    The Servers list displays the Server Name and Site Name of

  2. Click the URL of the server you want to configure.

  3. Click the General tab to configure centralized server management properties.

    See Section 5.1.3.1, "To Configure OpenSSO STS Server General Properties."

  4. Click the Security tab to configure encryption, validation, and cookie properties that control the level of security for the OpenSSO STS server.

    See Section 5.1.3.2, "To Configure OpenSSO STS Server Security Properties."

  5. Click the Session tab to configure OpenSSO STS server sessions.

    See Section 5.1.3.3, "To Configure OpenSSO STS Server Session Properties."

  6. Click the SDK tab to configure the back-end data store settings.

    See Section 5.1.3.4, "To Configure OpenSSO STS Server SDK Properties."

  7. Click the Directory Configuration tab to edit the embedded Directory Server settings.

    See Section 5.1.3.5, "To Configure OpenSSO STS Server Directory Configuration Properties."

  8. Click the Advanced tab to select and add values to server properties that are not present in the OpenSSO STS Console.

    See Section 5.1.3.6, "To Configure OpenSSO STS Server Advanced Properties."

  9. Click "Back to Servers and Sites."

5.1.3.1 To Configure OpenSSO STS Server General Properties

  1. On the Configuration tab, click the Servers and Sites tab.

  2. In the Servers section, click the URL of the OpenSSO STS server you want to configure.

  3. Click the General tab.

    Provide values for Site, System, Debugging, and Mail Server properties.

    The following table provides a listing and descriptions of the properties you can configure.

    Table 5-1 OpenSSO STS Server General Properties

    Property Description

    Site

    Parent Site

    Choose the load balancer Site Name (site ID) that this OpenSSO STS server belongs to. The site must already exist before you can assign the server to it.

    System

    Base installation directory

    Specify the base directory where product data resides. This information is specified in the property com.iplanet.services.configpath.

    Default Locale

    Specify the default language subtype that OpenSSO STS was installed with. The default is en_us and is specified in the property com.iplanet.am.locale.

    Notification URL

    Specify the location of the Notification service end point. This value is usually the product deployment URI followed by /notificationservice. This information is specified in the property com.sun.identity.client.notification.url.

    XML Validation

    When enabled, this property is set to On, and validation is required when parsing XML documents.

    This information is set in the property com.iplanet.am.util.xml.validating.

    Debugging

    Debug Level

    Specify a debug level for all components in the product. Choose one of the following levels:


    Off - No debug information is recorded.
    Error - Used for production. During production, there should be no errors in the debug files.
    Warning - Enables Error and Warning debug messages to be written.
    Message - Enables detailed code tracing.

    Note: Warning and Message levels should not be used in production. They cause severe performance degradation and an abundance of debug messages.

    This value is set in the property com.iplanet.services.debug.level.

    Merge Debug Files

    When enabled, this property is set to On, and all debug data is directed to a single file named debug.out.

    When disabled, this property is set to Off, and OpenSSO STS creates a separate component debug file per component.

    This value is set in the property com.sun.services.debug.mergeall.

    Debug Directory

    Specify the directory where debug files reside.

    Use the form BASE_DIR/SERVER_URI/debug

    This value is set in the property com.iplanet.services.debug.directory.

    Mail Server

    Mail Server Host Name

    Specify the mail server host name to use for sending email notifications. Example: localhost

    This value is set in the property com.iplanet.am.smtphost.

    Mail Server Port Number

    Specify the mail server port number.

    The default is 25. This value is set in the property com.iplanet.am.smtpport.


  4. Click Save.

  5. (Optional) Click Inheritance Settings.

    The Inheritance Settings section lists the server properties that have default values. A checked box indicates that the property inherits its value from the default server settings; an unchecked box indicates that this server instance keeps its own value for the property.

    • To make a property inherit the default value, click its corresponding box until a check appears in the box.

    • To retain a custom value for this server instance, click the property's corresponding box until the box contains no check mark.

  6. (Optional) Click Export Configuration.

    The OpenSSO STS console displays your settings so that you can inspect the settings for accuracy.

  7. Click Save.

  8. Click "Back to Server Profile."

  9. Click "Back to Servers and Sites."

5.1.3.2 To Configure OpenSSO STS Server Security Properties

  1. On the Configuration tab, click the Servers and Sites tab.

  2. In the Servers section, click the URL of the OpenSSO STS server you want to configure.

  3. Click the Security tab.

  4. Provide values for Encryption, Validation, Cookie, Key Store, Certificate Revocation List Caching, Online Certificate Status Protocol Check, and Federal Information Processing Standards properties.

    The following table provides a listing and descriptions of the properties you can configure.

    Table 5-2 OpenSSO STS Server Security Properties

    Property Description

    Encryption

    Password Encryption Key

    Specify the key to be used to encrypt and decrypt passwords.

    This key is stored in the Service Management System configuration and its value is set during installation. Example: dSB9LkwPCSoXfIKHVMhIt3bKgibtsggd

    This value is set in the property am.encryption.pwd.

    Authentication Service Shared Secret

    Specify the shared secret for the application authentication module. Value is set during installation. Example: AQICPX9e1cxSxB2RSy1WG1+O4msWpt/6djZl

    This value is set in the property com.iplanet.am.service.secret.

    Encryption class

    Specifies the encrypting class implementation.

    Available classes are: com.iplanet.services.util.JCEEncryption and com.iplanet.services.util.JSSEncryption.

    The default value is com.iplanet.services.util.JCEEncryption. This value is set in the property com.iplanet.security.encryptor.

    Secure Random Factory Class

    Specifies the factory class name for SecureRandomFactory.

    Available implementation classes are com.iplanet.am.util.JSSSecureRandomFactoryImpl, which uses JSS, and com.iplanet.am.util.SecureRandomFactoryImpl, which uses pure Java. The default value is com.iplanet.am.util.JSSSecureRandomFactoryImpl.

    This value is set in the property com.iplanet.security.SecureRandomFactoryImpl.

    Validation

    Platform Low Level Comm. Max. Content Length

    Specifies the maximum number of bytes allowable for content in an HttpRequest that OpenSSO STS will accept.

    The default value is 16384. This value is set in the property com.iplanet.services.comm.server.pllrequest.maxContentLength.

    Client IP Address Check

    When enabled, the property is set to Yes, and the IP address of the client is checked in all single sign-on token creations and validations.

    The default value is No. This value is set in the property com.iplanet.am.clientIP.

    Cookie

    Cookie Name

    Specifies the Cookie name to be used by the Authentication service to set the valid session handler ID.

    The value of this cookie name is used to retrieve the valid session information.

    The default value is iPlanetDirectoryPro. This value is set in the property com.iplanet.am.cookie.name.

    Secure Cookie

    When enabled, this property is set to Yes, and the cookie is set in a secure mode.

    In secure mode, the browser returns the cookie only when a secure protocol such as HTTPS is used. The default is No. This value is set in the property com.iplanet.am.cookie.secure.

    Encode Cookie Value

    When enabled, this property is set to Yes, and OpenSSO STS URL-encodes the cookie value so that characters not permitted in an HTTP cookie are escaped.

    The default value is No. This value is set in the property com.iplanet.am.cookie.encode.

    Key Store

    Keystore File

    Specifies the path to the keystore that holds the keys used for SAML XML signing. Example: OpenSSO-deploy-base/URI/keystore.jks.

    This value is set during installation in the property com.sun.identity.saml.xmlsig.keystore.

    Keystore Password File

    Specifies the path to the file that contains the SAML XML keystore password. Example: OpenSSO-deploy-base/URI/.storepass.

    This value is set during installation in the property com.sun.identity.saml.xmlsig.storepass.

    Private Key Password File

    Specifies the path to the SAML XML key password file. Example: OpenSSO-deploy-base/URI/.keypass

    The key password file contains the password that protects the private key of a generated key pair. This value is set during installation in the property com.sun.identity.saml.xmlsig.keypass.

    Certificate Alias

    This is the private key alias that is used to sign SOAP responses.

    Default value is test.

    This value is set in the property com.sun.identity.saml.xmlsig.certalias.

    Certificate Revocation List Caching

    LDAP server port number

    Specifies the port number of the LDAP server where the certificates are stored.

    The default value is the port specified when OpenSSO STS was installed. You can use the port number of any LDAP server where the certificates are stored.

    SSL/TLS Enabled

    When enabled, the value is set to Yes, and the Certificate authentication service uses SSL/TLS to access the LDAP server. The default value is No.

    LDAP server bind user name

    Specifies the bind DN in the LDAP server.

    LDAP server bind password

    Specifies the password for the bind DN.

    By default, amldapuser is the bind user and its password, as specified during installation, is used.

    LDAP search base DN

    Specifies the base DN in the LDAP server from which the search begins. By default, the value is the top-level realm of the OpenSSO STS installation base.

    Search Attributes

    Specifies any DN component of the issuer's subjectDN to be used to retrieve a CRL from a local LDAP server. All Root CAs must use the same search attribute.

    Online Certificate Status Protocol Check

    Check Enabled

    When enabled, the value is set to Yes, and OCSP checking occurs. The default value is No.

    Responder URL

    Specifies a URL that identifies the location of the OCSP responder. Example: http://ocsp.example.net:80.

    By default, the location of the OCSP responder is determined implicitly from the certificate being validated. This property is used when the Authority Information Access extension defined in RFC 3280 (since superseded by RFC 5280) is absent from the certificate, or when the Authority Information Access extension must be overridden.

    Certificate Nickname

    Specifies the CA certificate nick name for the OCSP responder. Example: Certificate Manager - MyCompany.

    • If set, the CA certificate must be present in the web server's certificate database.

    • If the OCSP responder URL is set, the OCSP responder nickname must be set also. Otherwise, both are ignored.

    • If neither is set, the OCSP responder URL presented in the user's certificate is used for OCSP validation. If the user's certificate does not present an OCSP responder URL, no OCSP validation is performed.

    Federal Information Processing Standards

    FIPS Mode

    When enabled, this value is set to True, and all cryptography operations will run in FIPS-compliant mode.

    Federal Information Processing Standards

    Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions.


  5. Click Save.

  6. (Optional) Click Inheritance Settings.

    The Inheritance Settings section lists the server properties that have default values. A checked box indicates that the property inherits its value from the default server settings; an unchecked box indicates that this server instance keeps its own value for the property.

    • To make a property inherit the default value, click its corresponding box until a check appears in the box.

    • To retain a custom value for this server instance, click the property's corresponding box until the box contains no check mark.

  7. (Optional) Click Export Configuration.

    The OpenSSO STS console displays your settings so that you can inspect the settings for accuracy.

  8. Click Save.

  9. Click "Back to Server Profile."

  10. Click "Back to Servers and Sites."

5.1.3.3 To Configure OpenSSO STS Server Session Properties

  1. On the Configuration tab, click the Servers and Sites tab.

  2. In the Servers section, click the URL of the OpenSSO STS server you want to configure.

  3. Click the Session tab.

  4. Provide values for Session Limits, Statistics, Notification, and Validation properties.

    The following table provides a listing and descriptions of the properties you can configure.

    Table 5-3 OpenSSO STS Server Session Properties

    Property Description

    Session Limits

    Maximum Sessions

    Specifies the maximum number of concurrent sessions allowed. This value is set in the property com.iplanet.am.session.maxSessions.

    Invalidate Session Max Time

    Specifies the number of minutes after which an invalid session is removed from the session table when a session has been created but the user has not logged in.

    Use a value greater than the timeout value set in the Authentication module properties file.

    The Invalidate Session Max Time value is set in the property com.iplanet.am.session.invalidsessionmaxtime.

    Sessions Purge Delay

    Specifies the number of minutes to delay to purge sessions. This value is set in the property com.iplanet.am.session.purgedelay.

    Statistics

    Logging Interval

    Specifies the number of seconds to elapse between statistics logging.

    The interval should be at least 5 seconds to avoid CPU saturation. An interval value less than 5 seconds will be interpreted as 5 seconds. This value is set in the property com.iplanet.am.stats.interval.

    State

    Specifies the location of the statistics log. The following are possible settings:

    • off - No statistics are logged.

    • file - Statistics are written to a file under the specified directory.

    • console - Statistics are written into Web Server log files.

    This value is set in the property com.iplanet.services.stats.state.

    Directory

    Specifies the directory where the statistic files will be created.

    Example: OpenSSO STS-base/server-URI/stats

    Use forward slashes ("/") to separate directories. Spaces in the file name are allowed only on the Windows platform. This value is set in the property com.iplanet.services.stats.directory.

    Enable Host Lookup

    When enabled, this value is set to Yes, and host lookup occurs during session logging.

    This value is set in the property com.sun.am.session.enableHostLookUp.

    Notification

    Notification Pool Size

    Specifies the total number of threads allowed in the notification thread pool. This value is set in the property com.iplanet.am.notification.threadpool.size.

    Notification Thread Pool Threshold

    Specifies the maximum task queue length for serving notification threads. This value is set in the property com.iplanet.am.notification.threadpool.threshold.

    Validation

    Case Insensitive client DN comparison

    When enabled, the value is set to Yes, and the client distinguished name comparison is case-insensitive. This value is set in the property com.sun.am.session.caseInsensitiveDN.


  5. Click Save.

  6. (Optional) Click Inheritance Settings.

    The Inheritance Settings section lists the server properties that have default values. A checked box indicates that the property inherits its value from the default server settings; an unchecked box indicates that this server instance keeps its own value for the property.

    • To make a property inherit the default value, click its corresponding box until a check appears in the box.

    • To retain a custom value for this server instance, click the property's corresponding box until the box contains no check mark.

  7. (Optional) Click Export Configuration.

    The OpenSSO STS console displays your settings so that you can inspect the settings for accuracy.

  8. Click Save.

  9. Click "Back to Server Profile."

  10. Click "Back to Servers and Sites."
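The security and session tables above list each setting as a console field and a property key, but give no way to review a saved profile as a whole. The following script is an added example, not part of this guide or of OpenSSO STS: it parses a Java-style .properties text containing the keys from Table 5-2 and Table 5-3 and flags the values a reviewer would reject before production (Secure Cookie off, no client IP check, a Warning or Message debug level, the default test signing alias, a responder URL without a nickname, and an Invalidate Session Max Time that does not exceed the authentication module timeout). The OCSP property names, the severity labels, the authentication timeout value and both sample configurations are assumptions made for this example.

```python
"""Lint for OpenSSO STS server properties.  Added example, not Oracle's code:
reads a Java-style .properties text holding the com.iplanet.* and
com.sun.identity.* keys from Tables 5-2 and 5-3 and reports values a reviewer
would reject before production.  The OCSP key names, the severities and both
sample configurations below are this example's own assumptions."""
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (severity, property, message)
# Assumed AMConfig-style keys for the OCSP fields of Table 5-2 (the page names only the console fields).
OCSP_CHECK = "com.sun.identity.authentication.ocspCheck"
OCSP_URL = "com.sun.identity.authentication.ocsp.responder.url"
OCSP_NICK = "com.sun.identity.authentication.ocsp.responder.nickname"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: '#'/'!' comments, key=value or key: value, backslash continuation."""
    props: Dict[str, str] = {}
    pending = ""
    for raw in text.splitlines() + [""]:  # the trailing "" flushes a dangling continuation
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        if not line or line[0] in "#!":
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def _truthy(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "on", "1")


def lint_server_properties(props: Dict[str, str], auth_timeout_minutes: int = 5) -> List[Finding]:
    """Checks over the Table 5-2 (security) and Table 5-3 (session) values.  auth_timeout_minutes
    is the Authentication module timeout that Invalidate Session Max Time must exceed (assumed 5)."""
    out: List[Finding] = []

    def get(key: str, default: str = "") -> str:
        return props.get(key, default)

    # Secure Cookie off: the session cookie is also sent over plain HTTP.
    if not _truthy(get("com.iplanet.am.cookie.secure", "false")):
        out.append(("HIGH", "com.iplanet.am.cookie.secure", "set to true so the cookie is returned only over HTTPS"))
    # Client IP Address Check off: SSO tokens are not bound to the creating client.
    if not _truthy(get("com.iplanet.am.clientIP", "false")):
        out.append(("MEDIUM", "com.iplanet.am.clientIP", "client IP is not checked on token creation/validation"))
    # Debug Level: Warning and Message are tracing levels, not production levels.
    level = get("com.iplanet.services.debug.level", "error").lower()
    if level in ("warning", "message"):
        out.append(("MEDIUM", "com.iplanet.services.debug.level", f"'{level}' floods the debug files; use Error"))
    # Certificate Alias 'test' is the shipped demo key, not a key issued for this deployment.
    if get("com.sun.identity.saml.xmlsig.certalias", "test") == "test":
        out.append(("HIGH", "com.sun.identity.saml.xmlsig.certalias", "SOAP responses are signed with the default 'test' key"))
    # OCSP responder URL and nickname are honoured only when both are set.
    if _truthy(get(OCSP_CHECK, "false")) and bool(get(OCSP_URL)) != bool(get(OCSP_NICK)):
        out.append(("MEDIUM", OCSP_NICK if get(OCSP_URL) else OCSP_URL,
                    "responder URL and certificate nickname must be set together or both are ignored"))
    # Invalidate Session Max Time must exceed the authentication module timeout.
    key = "com.iplanet.am.session.invalidsessionmaxtime"
    inv = get(key, "3")
    if not inv.isdigit() or int(inv) <= auth_timeout_minutes:
        out.append(("MEDIUM", key, f"{inv!r} is not greater than the authentication timeout of {auth_timeout_minutes} min"))
    return out


# Constructed samples: a weak server profile beside its hardened counterpart.
WEAK_CONFIG = """\
com.iplanet.am.cookie.secure=false
com.iplanet.am.clientIP=false
com.iplanet.services.debug.level=message
com.sun.identity.saml.xmlsig.certalias=test
com.sun.identity.authentication.ocspCheck=true
com.sun.identity.authentication.ocsp.responder.url=http://ocsp.example.net:80
com.sun.identity.authentication.ocsp.responder.nickname=
com.iplanet.am.session.invalidsessionmaxtime=3
"""
HARDENED_CONFIG = """\
com.iplanet.am.cookie.secure=true
com.iplanet.am.clientIP=true
com.iplanet.services.debug.level=error
com.sun.identity.saml.xmlsig.certalias=sts-signing-2010
com.sun.identity.authentication.ocspCheck=true
com.sun.identity.authentication.ocsp.responder.url=http://ocsp.example.net:80
com.sun.identity.authentication.ocsp.responder.nickname=\\
    Certificate Manager - MyCompany
com.iplanet.am.session.invalidsessionmaxtime=10
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for finding in lint_server_properties(parse_properties(cfg)):
            print(name, *finding, sep=" | ")
```

Run against an exported configuration (see "Export Configuration" above) after pasting it into a .properties file; the weak sample yields six findings and the hardened sample none. The OCSP check mirrors the rule in Table 5-2 that a responder URL without a nickname (or the reverse) is silently ignored, which is the easiest of these misconfigurations to miss because OCSP appears enabled in the console.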

5.1.3.4 To Configure OpenSSO STS Server SDK Properties

  1. On the Configuration tab, click the Servers and Sites tab.

  2. In the Servers section, click the URL of the OpenSSO STS server you want to configure.

  3. Click the SDK tab.

  4. Provide values for Data Store, Event Service, LDAP Connection, Caching and Replica, and Time to Live Configuration properties.

    The following table provides a listing and descriptions of the properties you can configure.

    Table 5-4 OpenSSO STS Server SDK Properties

    Property Description

    Data Store

    Enable Datastore Notification

    When enabled, the value is set to Yes, and backend datastore notification occurs. If this value is set to No, then in-memory notification is enabled.

    This value is set in the property com.sun.identity.sm.enableDataStoreNotification.

    Enable Directory Proxy

    When enabled, this value is set to Yes, and the Directory Proxy must be used for read, write, and/or modify operations to the Directory Server. This flag also determines if ACIs or delegation privileges are to be used.

    This value is set in the property com.sun.identity.sm.ldap.enableProxy.

    Notification Pool Size

    Specifies the size of the service management (SM) notification thread pool, that is, the total number of threads. This value is set in the property com.sun.identity.sm.notification.threadpool.size.

    Event Service

    Number of retries for Event Service connections

    Specifies the number of attempts to be made to successfully re-establish the Event Service connections. This value is set in the property com.iplanet.am.event.connection.num.retries.

    Delay between Event Service connection retries

    Specifies the number of milliseconds to delay between retries at re-establishing Event Service connections. This value is set in the property com.iplanet.am.event.connection.delay.between.retries.

    Error codes for Event Service connection retries

    Specifies the LDAP exception error codes that trigger retries at re-establishing Event Service connections. This value is set in the property com.iplanet.am.event.connection.ldap.error.codes.retries.

    Idle Time Out

    Specifies the number of minutes after which persistent searches will be restarted. This value is set in the property com.sun.am.event.connection.idle.timeout.

    Disabled Event Service Connection

    Specify which event connection (persistent search) is to be disabled. There are three valid values. Entries are case-sensitive:

    • aci - Access Control Instructions

    • sm - Service Management

    • um - User Management

    Multiple values are comma-separated. This value is set in the property com.sun.am.event.connection.disable.list.

    LDAP Connection

    Number of retries for LDAP Connection

    Specifies the number of attempts to be made to successfully re-establish an LDAP connection. This value is set in the property com.iplanet.am.ldap.connection.num.retries.

    Delay between LDAP connection retries

    Specifies the number of milliseconds to delay between retries at re-establishing LDAP connections. This value is set in the property com.iplanet.am.ldap.connection.delay.between.retries.

    Error codes for LDAP connection retries

    Specifies the LDAP exception error codes that trigger retries at re-establishing LDAP connections. This value is set in the property com.iplanet.am.ldap.connection.ldap.error.codes.retries.

    Caching and Replica

    SDK Caching Max. Size

    Specifies the maximum size of the cache when SDK caching is enabled. The size should be an integer greater than 0, or default size (10000) will be used. This value is set in the property com.iplanet.am.sdk.cache.maxSize.

    SDK Replica Retries

    Specifies the number of times to retry when an Entry Not Found error is returned to the SDK. This value is set in the property com.iplanet.am.replica.num.retries.

    Delay between SDK Replica Retries

    Specifies the number of milliseconds to delay between the retries. This value is set in the property com.iplanet.am.replica.delay.between.retries.

    Time to Live Configuration

    Cache Entry Expiration Enabled

    When enabled, this value is set to Yes, and the cache entries expire based on the time specified in User Entry Expiration Time property.

    The default value is No. This value is set in the property com.iplanet.am.sdk.cache.entry.expire.enabled.

    User Entry Expiration Time

    Specifies the number of minutes entries remain valid in the cache after their last modification. After the time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant, new requests for data for these user entries will be read from the Directory.

    This value is set in the property com.iplanet.am.sdk.cache.entry.user.expire.time.

    Default Entry Expiration Time

    Specifies the number of minutes that non-user entries remain valid in the cache after their last modification. After this specified period of time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant, new requests for data for these non-user entries will be read from the Directory.

    This value is set in the property com.iplanet.am.sdk.cache.entry.default.expire.time.


  5. Click Save.

  6. (Optional) Click Inheritance Settings.

    The Inheritance Settings section lists the server properties that have default values. A checked box indicates that the property inherits its value from the default server settings; an unchecked box indicates that this server instance keeps its own value for the property.

    • To make a property inherit the default value, click its corresponding box until a check appears in the box.

    • To retain a custom value for this server instance, click the property's corresponding box until the box contains no check mark.

  7. (Optional) Click Export Configuration.

    The OpenSSO STS console displays your settings so that you can inspect the settings for accuracy.

  8. Click Save.

  9. Click "Back to Server Profile."

  10. Click "Back to Servers and Sites."

5.1.3.5 To Configure OpenSSO STS Server Directory Configuration Properties

  1. On the Configuration tab, click the Servers and Sites tab.

  2. In the Servers section, click the URL of the OpenSSO STS server you want to configure.

  3. Click the Directory Configuration tab.

    Provide values for the OpenSSO STS Server Directory Configuration properties. The following table provides a listing and descriptions of the properties you can configure.

    Table 5-5 OpenSSO STS Server Directory Configuration Properties

    Property Description

    Minimum Connection Pool

    Specify the minimum size of the connection pool used for connecting to the Directory Server, as specified in the LDAP server attribute. The default value is 1.

    Maximum Connection Pool

    Specify the maximum size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default value is 10.

    Bind DN

    Specify the bind DN in the LDAP server.

    Bind Password

    Specify the password to be used for binding to the LDAP server. By default, amldapuser is the bind user and its password, as entered during installation, is used.


  4. To add a configuration directory server to the Server list, click Add.

    • In the New Server page, provide the values for the New Directory Server properties, and then click OK. The following table provides a listing and descriptions of the properties you can configure.

      Table 5-6 New Directory Server Properties

      Property Description

      Name

      Specify an identifier for this server.

      Host Name

      Specify the fully-qualified host name of the Directory Server. Example: DirectoryServerHost.domainName.com

      Port Number

      Specify the Directory Server port number.

      Connection Type

      Choose one of the following connection types for the Directory Server:


      Simple
      SSL/TLS

      The default value is Simple.


    • To delete a Directory Server from the Server list, click to check the box corresponding to the Directory Server name, then click Delete.

  5. Click Save.

  6. Click "Back to Servers and Sites."

5.1.3.6 To Configure OpenSSO STS Server Advanced Properties

  1. On the Configuration tab, click the Servers and Sites tab.

  2. In the Servers section, click the URL of the OpenSSO STS server you want to configure.

  3. Click the Advanced tab.

    The Advanced Properties section lists server properties containing default values.

    • To add a custom property to the list, click Add.

      A new row is added at the bottom of the list. In the appropriate columns, type a Property Name and Property Value.

    • To remove a property from the list, click to check the box corresponding to the property and then click Delete.

  4. Click Save.

  5. Click "Back to Servers and Sites."

5.1.4 To Clone an OpenSSO STS Server

  1. On the Configuration tab, click the Servers and Sites subtab.

  2. Click to mark the box corresponding to the server you want to clone.

  3. Click Clone

    In the New Server page, in the Server URL field type the URL for the cloned server, and then click OK.

  4. Configure the OpenSSO STS server. See Section 5.1.3, "To Configure an OpenSSO STS Server."

5.2 Managing OpenSSO STS Sites

The Servers and Sites configuration enables an administrator to manage multiple OpenSSO STS site and server configurations from a single console.

Multiple OpenSSO STS instances can be deployed across one or more host servers. For example, you might deploy two instances on one server and a third instance on another server, or you might deploy every instance on a different server. You can also configure the OpenSSO STS instances in session failover mode if your deployment requires it.

One or more load balancers route client requests to the various OpenSSO STS instances in the environment. You configure each load balancer according to your deployment requirements. For example, you could use round-robin or load average load-balancing to distribute the load between the OpenSSO STS instances. A load balancer simplifies the deployment, as well as resolves issues caused by having a firewall between the client and the back-end OpenSSO STS servers. You can use a hardware or software load balancer with your OpenSSO STS deployment. All OpenSSO STS instances access the same Directory Server.

Important:

If you make any changes to the configuration attributes for Servers and Sites, either through the console or the command line interface, you must restart the web container on which OpenSSO STS is deployed for the changes to take effect.

5.2.1 To Add a New OpenSSO STS Site

  1. On the Configuration tab, click the Servers and Sites subtab.

  2. In the Sites section, click New.

  3. In the New Site page, in the Name field type a name for the new site.

  4. In the Primary URL field, specify the Primary URL for the site instance, including the site URI.

    Use the form protocol://hostname.domain:port/URI.

  5. Configure the new OpenSSO STS Site.

    See Section 5.2.2, "To Configure an OpenSSO STS Site."

5.2.2 To Configure an OpenSSO STS Site

  1. On the Configuration tab, click the Servers and Sites subtab.

  2. In the Sites section, click the name of the site you want to configure.

  3. Provide values for the OpenSSO STS Site properties. The following table provides a listing and descriptions of the properties you can configure.

    Table 5-7 OpenSSO STS Site Properties

    Property Description

    Primary URL

    Specify the primary URL used to access the site.

    Secondary URLs

    The Current Values list displays session repositories used for the session failover in an OpenSSO STS deployment.

    Use the URL of the load balancer as the identifier for this secondary configuration. When a secondary configuration is defined, session failover is enabled automatically and takes effect after the server restarts.

    • To add a new URL to the list, in the New Value field type the new URL, and then click Add.

    • To remove an entry from the Current Values list, select the entry, and then click Remove.

    Assigned Server

    Servers assigned to the site.


  4. Click Save.

  5. Click "Back to Servers and Sites."

5.2.3 To Delete an OpenSSO STS Site

  1. On the Configuration tab, click the Servers and Sites subtab.

  2. In the Sites section, click to check the box corresponding to the site you want to delete, and then click Delete.

  3. Click Save.

5.3 Managing User Data Stores

A user data store, also called an identity repository, is a database where OpenSSO STS stores user attributes and user configuration data. Example: a user data store might contain a user's identifier and password, email address, application preferences and other forms of identity data. The OpenSSO STS interface enables a realm administrator to plug in one or more user data stores into the OpenSSO STS realm. OpenSSO STS provides identity repository plug-ins that in turn connect to a single LDAPv3 identity repository framework. The user data store plug-ins enable you to view and retrieve OpenSSO STS user information without having to make changes in your existing user database.

OpenSSO STS integrates data from the identity repository plug-in with data from other OpenSSO STS plug-ins to form a virtual identity for each user in the repository. OpenSSO STS can then use the universal identity in authentication and authorization processes among more than one identity repository. The virtual user identity is destroyed when the user's session ends.

All OpenSSO STS user data stores share the same underlying plug-in. Although most of the configuration attributes are the same for each user data store, the default attribute values vary depending upon the user data store type.

OpenSSO STS supports the following types of user data stores.

Active Directory

An Active Directory user data store uses the LDAP version 3 specification to write identity data to an instance of Microsoft Active Directory.

Generic LDAPv3

A generic LDAPv3 user data store allows identity data to be written to any LDAPv3-compliant database. Note - If the LDAPv3 database you are using does not support Persistent Search, then you cannot use the OpenSSO STS caching feature.

Sun Directory Server With OpenSSO Schema

A Sun Directory Server containing OpenSSO STS Schema resides in a Sun Directory Server instance itself and holds the OpenSSO STS information tree. It is different from the OpenSSO STS Repository Plug-in. A Directory Server with OpenSSO STS Schema contains more configuration attributes and enables you to better customize the user data store.

5.3.1 To Add a New User Data Store

  1. On the Access Control tab, click the Data Stores subtab.

  2. In the Data Stores section, click New.

  3. In the Name field, type the new Data Store name.

    The Data Store name cannot contain spaces.

  4. Choose one of the following:

    • Active Directory

    • Generic LDAPv3

    • Sun DS with OpenSSO schema

  5. Click Next.

  6. Provide values for the User Data Store properties. The following table provides a listing and descriptions of the properties you can configure.

    Table 5-8 User Data Store Properties

    Property Description

    LDAP Server

    The Current Values list displays the name of the LDAP server or servers to which OpenSSO STS will be connected. If more than one LDAP server is listed, OpenSSO STS attempts to connect to the first host in the list. If a connection cannot be made to the first host in the list, then OpenSSO STS tries to access the next host in the list.

    • To add a new LDAP server, in the New Value field enter a server name using the following form: host.domain:portnumber, and then click Add.

      (Optional) You can append a server identifier and site identifier to the value of the LDAP Server attribute for redundancy. Use the form host.domain:portnumber|serverID|siteID. These identifiers are assigned to the server when they are configured globally.

      The identifier serverID designates a primary LDAP server and is also used to designate other LDAP servers as secondary and tertiary fallback servers. If no number is specified, the LDAP server is primary.

      The identifier siteID is a two-digit number generated internally by OpenSSO STS, for example, 02. To find this value, use an LDAP browser to find the following DN:

          ou=accesspoint,ou=site_name,ou=com-sun-identitysites,ou=default,ou=GlobalConfig,ou=iPlanetAMPlatformService,ou=services,root-suffix

      Under this DN, see sunkeyvalue:primary-siteid=site-id for the site identifier.

      Do not change the LDAP Server configuration for the OpenSSO STS embedded data store. This could result in unexpected data store behavior.

    • To remove an entry from the Current Values list, select the entry and then click Remove.

    LDAP Bind DN

    Specify the DN that OpenSSO STS will use to authenticate to the LDAP server to which you are currently connected. The user with the DN used to bind to the LDAP server must have the appropriate privileges for adding, modifying, and deleting operations. These privileges are configured in the LDAPv3 Plugin Supported Types and Operations properties.

    LDAP Bind Password

    Specify the DN password that OpenSSO STS will use to authenticate to the LDAP server to which you are currently connected.

    LDAP Bind Password (confirm)

    Type the password again to confirm it.

    LDAP Organization DN

    Specify the DN to which this data store repository will map. This will be the base DN of all operations performed in this data store.

    LDAP SSL

    When enabled, OpenSSO STS will connect to the primary server using the HTTPS protocol.

    LDAP Connection Pool Minimum Size

    Specify the initial number of connections in the connection pool. Using a connection pool avoids having to create a new connection each time.

    LDAP Connection Pool Maximum Size

    Specify the maximum number of connections to allow.

    Maximum Results Returned from Search

    Specify the maximum number of entries returned from a search operation. If this limit is reached, Active Directory returns any entries that match the search request.

    Search Timeout

    Specify the maximum number of seconds allocated for a search request. If this limit is reached, Active Directory returns any search entries that match the search request.

    LDAP Follows Referral

    When enabled, referrals to other LDAP servers are followed automatically.

    LDAPv3 Repository Plugin Class Name

    Specify the location of the class file which implements the LDAPv3 repository.

    Attribute Name Mapping

    The Current Values list displays common attributes known to the OpenSSO STS framework to be mapped to the native data store. Example: if the framework uses inetUserStatus to determine user status, it is possible that the native data store actually uses userStatus. The attribute definitions are case-sensitive. The defaults are:


      employeeNumber=distinguishedName
      portalAddress=sAMAccountName
      uid=sAMAccountName
      mail=userPrincipalName
      telephonenumber=displayName
      iplanet-am-user-alias-list=objectGUID
      userPassword=unicodePwd

    • To add a new Attribute Name Mapping, in the New Value field enter an attribute name-value pair, and then click Add.

    • To remove an entry from the Current Values list, select the entry and then click Remove.

    LDAPv3 Plug-in Supported Types and Operations

    The Current Values list displays operations that are permitted or can be performed on this LDAP server. The default operations are the only operations that are supported by this LDAPv3 repository plug-in. The following are operations supported by LDAPv3 Repository Plugin:


      agent: read, create, edit, delete
      role: read, create, edit, delete
      group: read, create, edit, delete
      realm: read, create, edit, delete, service
      user: read, create, edit, delete, service

    • To add a new LDAPv3 plug-in type and operations, in the New Value field, enter a new type:operations string, and then click Add.

    • To remove an entry from the Current Values list, select the entry and then click Remove.

    Depending on your LDAP server settings and the tasks you need to perform, you can remove permissions from any operation except the role operations. You cannot add more permissions to any operation.

    If the configured LDAPv3 Repository plug-in is pointing to an instance of Sun Directory Server, permissions for the type role can be added. Otherwise, this permission may not be added because other data stores may not support roles.

    If user is a supported type, then the read, edit, create, and delete operations allow you to read, edit, create, and delete user entries in the identity repository. The user=service operation enables OpenSSO STS to access attributes in user entries. Additionally, the user is allowed to access the dynamic service attributes if the service is assigned to the realm or role to which the user belongs.

    The user is also allowed to manage user attributes for any assigned service. If the user has service as the operation (user=service), then the following service-related operations are supported:


    assignService
    unassignService
    getAssignedServices
    getServiceAttributes
    removeServiceAttributes
    modifyService

    LDAPv3 Plug-in Search Scope

    Choose the scope to be used to find LDAPv3 plug-in entries.

    • SCOPE_BASE searches only the base DN.

    • SCOPE_ONE searches only the entries under the base DN.

    • SCOPE_SUB (default) searches the base DN and all entries within its subtree.

    LDAP Users Search Attribute

    Specify the attribute type to use to search for a user. Example: if the user DN is uid=user1,ou=people,dc=example,dc=com, then enter uid in this field.

    LDAP Users Search Filter

    Specify the search filter to be used to find user entries.

    LDAP User Object Class

    The Current Values list displays the object classes for a user. When a user is created, this list of user object classes is added to the user's attributes list.

    • To add a new object class to the list, in the New Value field enter an object class name, and then click Add.

    • To remove an entry from the Current Values list, select the entry and then click Remove.

    LDAP User Attributes

    The Current Values list displays the attributes associated with a user. You cannot read or write user attributes not on this list. The attributes are case-sensitive. The object classes and attribute schema must already be defined before you define the object classes and attribute schema here.

    • To add a new LDAP User Attribute, in the New Value field type an attribute name, and then click Add.

    • To remove an entry from the Current Values list, select the entry and then click Remove.

    Create User Attribute Mapping

    The Current Values list displays the attributes that are required when a user is created. Attribute mappings use the following syntax:

    • To add a new user attribute mapping, in the New Values field enter a mapping using the following form:

      DestinationAttributeName=SourceAttributeName

      If the source attribute name is missing, the default is the user ID (uid). For example:

      cn sn=givenName

      Both cn and sn are required to create a user profile. The attribute cn gets the value of the attribute named uid, and the attribute sn gets the value of the attribute named givenName.

    • To remove an entry from the Current Values list, select the entry and then click Remove.
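The two mapping syntaxes above, Attribute Name Mapping (frameworkAttribute=nativeAttribute) and Create User Attribute Mapping (Destination=Source, with uid as the default source), worked through in Python. This is an added illustration, not OpenSSO STS code: the function names are hypothetical and the user entry it is applied to is constructed.

```python
"""Parses and applies the two attribute-mapping syntaxes described above.
Added example, not OpenSSO STS code; function names are hypothetical."""
from typing import Dict, List

# Defaults copied from the Attribute Name Mapping property above (Active Directory).
DEFAULT_NAME_MAPPING = [
    "employeeNumber=distinguishedName",
    "portalAddress=sAMAccountName",
    "uid=sAMAccountName",
    "mail=userPrincipalName",
    "telephonenumber=displayName",
    "iplanet-am-user-alias-list=objectGUID",
    "userPassword=unicodePwd",
]


def parse_name_mapping(entries: List[str]) -> Dict[str, str]:
    """Turn 'frameworkAttr=nativeAttr' entries into a lookup table.

    Attribute names are case-sensitive (as the page states), so nothing is
    lower-cased. A malformed entry is rejected instead of being ignored.
    """
    mapping: Dict[str, str] = {}
    for entry in entries:
        framework, sep, native = entry.partition("=")
        if not sep or not framework.strip() or not native.strip():
            raise ValueError(f"malformed attribute name mapping: {entry!r}")
        mapping[framework.strip()] = native.strip()
    return mapping


def to_native_attribute(name: str, mapping: Dict[str, str]) -> str:
    """Translate a framework attribute name to the native store's name.

    Unmapped names pass through unchanged, e.g. 'sn' stays 'sn'.
    """
    return mapping.get(name, name)


def parse_create_mapping(value: str) -> Dict[str, str]:
    """Parse a Create User Attribute Mapping such as 'cn sn=givenName'.

    Each whitespace-separated token is Destination or Destination=Source;
    a missing source defaults to uid, as the page states.
    """
    result: Dict[str, str] = {}
    for token in value.split():
        dest, _, src = token.partition("=")
        if not dest:
            raise ValueError(f"malformed create mapping token: {token!r}")
        result[dest] = src or "uid"
    return result


def build_create_attributes(create_mapping: str, user: Dict[str, str]) -> Dict[str, str]:
    """Fill the attributes required to create a user from the supplied data.

    Refuses the create when a required source value is absent, rather than
    writing a profile whose naming attribute (cn) would be empty.
    """
    created: Dict[str, str] = {}
    for dest, src in parse_create_mapping(create_mapping).items():
        if not user.get(src):
            raise ValueError(f"cannot create user: required source attribute {src!r} missing")
        created[dest] = user[src]
    return created


# Constructed sample: the page's example mapping applied to a minimal user entry.
SAMPLE_USER = {"uid": "user1", "givenName": "Alice"}
SAMPLE_CREATED = build_create_attributes("cn sn=givenName", SAMPLE_USER)
# SAMPLE_CREATED == {"cn": "user1", "sn": "Alice"}
```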

    Attribute Name of User Status

    Specify an attribute name that indicates if the user is active or inactive.

    User Status Active Value

    This field is not displayed for the OpenSSO with Schema Data Store.

    This attribute value is assigned to the user when the user is created.

    LDAPv3 uses Active. Not used by Schema.

    • For a user to be active, the Active Directory value is 544.

    • For a user to be inactive, the Active Directory value is 546.

    User Status Inactive Value

    This field is not displayed for the OpenSSO with Schema Data Store.

    For Active Directory, this field is not used. LDAPv3 uses Inactive.
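The Active Directory values 544 and 546 given above, decoded in Python as an added example that is not part of the Oracle documentation. It assumes, since the page does not name the attribute, that the user status attribute for Active Directory is userAccountControl, whose value is a bit mask made up of the documented Microsoft flag constants.

```python
"""Decode the Active Directory user status values 544 and 546.
Added example, not OpenSSO STS code. Assumption: the status attribute is
userAccountControl; the flag constants below are Microsoft's documented values."""
from typing import List

# Subset of the documented userAccountControl flags.
UAC_FLAGS = {
    0x0001: "SCRIPT",
    0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0040: "PASSWD_CANT_CHANGE",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}
ACCOUNTDISABLE = 0x0002
PASSWD_NOTREQD = 0x0020


def decode_uac(value: int) -> List[str]:
    """Return the names of all known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_active(value: int) -> bool:
    """A user is active when the ACCOUNTDISABLE bit is clear (544 yes, 546 no)."""
    return not value & ACCOUNTDISABLE


def set_status(value: int, active: bool) -> int:
    """Flip only the ACCOUNTDISABLE bit, leaving every other flag untouched.

    Writing a fixed 544/546 would silently clear flags such as
    DONT_EXPIRE_PASSWORD on an existing account; masking avoids that.
    """
    return (value & ~ACCOUNTDISABLE) if active else (value | ACCOUNTDISABLE)


def requires_password(value: int) -> bool:
    """False when PASSWD_NOTREQD is set; note that both 544 and 546 set it."""
    return not value & PASSWD_NOTREQD
```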

    LDAP Groups Search Attribute

    The Current Values list displays the attribute types to use for conducting a search on a group. The default is cn.

    • To add a new search attribute, in the New Value field enter an LDAP Group attribute, and then click Add.

    • To remove an entry from the Current Values list, select the entry and then click Remove.

    LDAP Group Search Filter

    Specify the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).

    LDAP Groups Container Naming Attribute

    Specify the naming attribute for a group container, if groups reside in a container. Otherwise, this attribute is left empty.

    Example: if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in ou=groups, then the group container naming attribute is ou.

    LDAP Groups Container Value

    Specify the value for the group container. Example: if a group DN of cn=group1,ou=groups,dc=iplanet,dc=com resides in a container named ou=groups, then the group container value is groups.

    LDAP Groups Object Classes

    The Current Values list displays object classes for groups. When a group is created, this list of group object classes will be added to the group's attributes list.

    • To add a new object class, in the New Value field type the object class name, and then click Add.

    • To remove an entry from the Current Values list, select the entry and then click Remove.

    LDAP Groups Attributes

    The Current Values list displays attributes associated with a group. You cannot read or write group attributes that are not on this list. The attributes are case-sensitive. The object classes and attribute schema must be defined before you define the object classes and attribute schema here.

    Attribute Name for Group Membership

    Specify the name of the attribute whose values are the names of all the groups to which the DN belongs. The default is memberOf.

    Attribute Name of Unique Member

    Specify the name of the attribute whose values are the DNs of the members belonging to this group. The default is uniqueMember.

    Attribute Name of Group Member URL

    Specify the name of the attribute whose value is an LDAP URL which resolves to members belonging to this group. The default is memberUrl.

    Default Group Member's User DN

    This field is not displayed for the OpenSSO with Schema Data Store.

    LDAP Roles Search Attribute

    This field is not displayed for Active Directory or LDAPv3 Data Stores.

    This field defines the attribute type for which to conduct a search on a role. The default is cn.

    LDAP Roles Search Filter

    This field is not displayed for Active Directory or LDAPv3 Data Stores.

    Specify the filter used to search for a role.

    The LDAP Role Search Attribute is prepended to this value to form the actual role search filter. Example: if the LDAP Role Search Attribute is CN and the LDAP Role Search Filter is (objectClass=sunIdentityServerDevice), then the actual role search filter is:

    (&(cn=*)(objectClass=sunIdentityServerDevice))

    LDAP Roles Object Class

    This field is not displayed for Active Directory or LDAPv3 Data Stores.

    Specify the object classes for roles. When a role is created, the list of user object classes will be added to the role's attributes list.

    LDAP Roles Attributes

    This field is not displayed for Active Directory or LDAPv3 Data Stores.

    The Current Values list displays attributes associated with a role. Reading or writing role attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.

    LDAP Filter Roles Search Attribute

    This field is not displayed for Active Directory or LDAPv3 Data Stores.

    Specify the attribute type for which to conduct a search on a filter role. The default is cn.

    LDAP Filter Roles Search Filter

    This field is not displayed for Active Directory or LDAPv3 Data Stores.

    The Current Values list displays the filter used to search for a filtered role. The LDAP Filter Role Search Attribute is prepended to this value to form the actual filtered role search filter. Example: if the LDAP Filter Role Search Attribute is CN and the LDAP Filter Role Search Filter is (objectClass=sunIdentityServerDevice), then the actual filtered role search filter is: (&(cn=*)(objectClass=sunIdentityServerDevice))
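The filter construction described for LDAP Roles Search Filter and LDAP Filter Roles Search Filter above, as an added Python example that is not OpenSSO STS code: the Search Attribute is prepended as a presence term and AND-ed with the configured filter. The function names and the escaping helper are this example's own; the lookup-by-name variant is a generalization of the page's wildcard case.

```python
"""Assemble role and filtered-role search filters as the page describes.
Added example, not OpenSSO STS code; function names are hypothetical."""


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP filter (RFC 4515 rules).

    Only needed when the value comes from outside the configuration, such as
    a role name supplied at run time: '*', '(', ')', backslash and NUL are
    written as backslash plus two hex digits so they stay literal.
    """
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def _check_filter(configured_filter: str) -> None:
    """Reject a configured filter that is not a parenthesised LDAP filter."""
    if not (configured_filter.startswith("(") and configured_filter.endswith(")")):
        raise ValueError(f"not a parenthesised LDAP filter: {configured_filter!r}")


def build_role_search_filter(search_attribute: str, configured_filter: str) -> str:
    """Combine the Role Search Attribute and the Role Search Filter.

    Mirrors the page's example: attribute CN and filter
    (objectClass=sunIdentityServerDevice) yield
    (&(cn=*)(objectClass=sunIdentityServerDevice)).
    """
    _check_filter(configured_filter)
    # The page shows the attribute name in lower case in the resulting filter.
    return f"(&({search_attribute.lower()}=*){configured_filter})"


def build_role_lookup_filter(search_attribute: str, configured_filter: str, role_name: str) -> str:
    """Generalization (not stated on the page): find one role by name.

    Same shape as build_role_search_filter, with '*' replaced by the escaped
    role name, so a name containing filter metacharacters stays a literal.
    """
    _check_filter(configured_filter)
    return f"(&({search_attribute.lower()}={escape_filter_value(role_name)}){configured_filter})"
```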

    LDAP Filter Roles Object Class

    This field is not displayed for Active Directory or LDAPv3 Data Stores.

    The Current Values list displays the object classes for filtered roles. When a filtered role is created, the list of user object classes will be added to the filtered role's attributes list.

    LDAP Filter Roles Attributes

    This field is not displayed for Active Directory or LDAPv3 Data Stores.

    The Current Values list displays attributes associated with a filtered role. Reading or writing filtered role attributes that are not on this list is not allowed. The attributes are case-sensitive. The object classes and attribute schema must be defined in Directory Server before you define the object classes and attribute schema here.

    Attribute Name for Filtered Role Membership

    This field is not displayed for Active Directory or LDAPv3 Data Stores.

    Attribute Name of Role Membership

    This field is not displayed for Active Directory or LDAPv3 Data Stores.

    Attribute Name of Filtered Role Filter

    This field is not displayed for Active Directory or LDAPv3 Data Stores.

    LDAP People Container Naming Attribute

    • If a user resides in a people container, then specify the naming attribute of the people container.

    • If the user does not reside in a people container, then leave this field blank.

    LDAP People Container Value

    Specify the value of the people container. The default is people.

    Caution – The entire tree under the baseDN will be searched if the value of this attribute is set to null (empty).

    Identity Types That Can be Authenticated

    Specify that this data store can authenticate user and/or agent identity types when the authentication module mode for the realm is set to Data Store.

    Authentication Naming Attribute

    This value is currently not used.

    Persistent Search Base DN

    Specify the base DN to use for persistent search. Some LDAPv3 servers only support persistent search at the root suffix level.

    Persistent Search Filter

    Specify the filter that will return the specific changes to directory server entries. The data store will only receive the changes that match the defined filter.

    Persistent Search Scope

    Specify the scope to be used in a persistent search. The scope must be one of the following:

    • SCOPE_BASE searches only the base DN.

    • SCOPE_ONE searches only the entries under the base DN.

    • SCOPE_SUB (default) searches the base DN and all entries within its subtree.

    Persistent Search Maximum Idle Time Before Restart

    Specify the maximum idle time before restarting the persistent search. The value must be greater than 1. Values less than or equal to 1 restart the search regardless of the idle time of the connection.

    If OpenSSO STS is deployed with a load balancer, some load balancers will time out a connection that has been idle for a specified amount of time. In this case, set the Persistent Search Maximum Idle Time Before Restart to a value less than the load balancer's idle timeout.

    Maximum Number of Retries After Error Code

    Specify the maximum number of retries for the persistent search operation if it encounters the error codes specified in LDAP Exception Error Codes to Retry On.

    The Delay Time Between Retries

    Specify the time to wait before each retry. This applies only to the persistent search connection.

    LDAP Exception Error Codes to Retry

    Specify the error codes to initiate a retry for the persistent search operation. This attribute is only applicable for the persistent search, and not for all LDAP operations.

    Caching

    When enabled, OpenSSO STS caches data retrieved from the data store.

    Maximum Age of Cached Items

    Specify the maximum number of seconds data is stored in the cache before it is removed.

    Maximum Size of the Cache

    Specify in number of bytes the maximum size of the cache. The larger the value, the more data can be stored, but it will require more memory.


  7. Click Finish.

5.3.2 To Delete a User Data Store

  1. In the Access Control tab, click the Data Stores subtab.

  2. Click to mark the box corresponding to the data store or data stores you want to delete.

  3. Click Delete.

5.4 Configuring Global Platform Attributes

  1. On the Configuration tab, click the System subtab.

  2. On the System Configuration page, in the System Attributes list, click Platform.

  3. Provide values for the Global Platform Attributes. The following table provides a listing and descriptions of the properties you can configure.

    Table 5-9 Global Platform Attributes

    Attribute Description

    Platform Locale

    Specify the default language subtype that OpenSSO STS was installed with.

    The Authentication, Logging and administration services are administered in the language of this value. The default is en_US.

    Cookie domains

    The Current Values list displays domains that will be returned in the cookie header when setting a cookie to the user's browser during authentication.

    • To add a cookie domain to the list, in the New Value field type the domain name, and then click Add.

      The default value for this field is the domain of the installed OpenSSO STS instance. If the list is empty, no cookie domain will be set. The OpenSSO STS session cookie will be forwarded to only OpenSSO STS itself and to no other servers in the domain.

      If SSO is required with other servers in the domain, set this attribute with the cookie domain. If you have two interfaces in different domains on one OpenSSO STS instance, then you must set both cookie domains in this attribute. If a load balancer is used, the cookie domain must be that of the load balancer's domain; do not use the cookie domain of the servers behind the load balancer.

    • To remove an entry from the Current Values list, select the entry and then click Remove.

    Hex Encode Cookie

    When set to Yes, hex encoding for cookies is enabled. The default is No.


  4. (Optional) To add a new character set, in the Client Character Sets list, click New.

    To delete a character set, in the Client Character Sets section click to mark the box corresponding to the character set you want to remove, and then click Delete.

  5. Click OK.