Appendix A
AMConfig.properties File

AMConfig.properties is the resource configuration file for the Sun™ One Identity Server. It provides instructions for the Identity Server deployment. This chapter explains the attributes of AMConfig.properties. It contains the following sections:

Overview
Deployment Properties
Configuration Properties
Read-Only Properties

---

Overview

Identity Server is configured by placing application properties in plain text configuration files. These configuration files contain one proeprty per line and each has a corresponding value. Properties and their values are case-sensitive. Indentation of the properties is consistent throughout the file. Lines which begin with the characters “/*” are comments, and ignored by the application. Comments are completed with a last line that contains the closing characters “*/”. The main configuration file for Identity Server is AMConfig.properties located in IdentityServer_base/SUNWam/lib. The following sections describe the properties and default values of AMConfig.properties.

Note	The Identity Server must be restarted for any modification in AMConfig.properties to take effect.

---

Deployment Properties

Following are the deployment-specific attributes configured in AMConfig.properties.

Identity Server

This section describe properties that define the Identity Server application.

Installation

These properties are defined during installation.

com.iplanet.am.server.host=identity_server_host.domain_name

The value of this property is the DNS domain name of the machine on which the Identity Server is located.

com.iplanet.am.server.port=58080

The value of this property is the port number used by the Identity Server. The default is 58080.

com.iplanet.am.jdk.path=/IdentityServer_base/SUNWam/java

The value of this property is the path to the JDK used by the Identity Server.

com.sun.identity.authentication.super.user=uid=amAdmin,ou=People,dc=top_level_org,dc=com

This property identifies the full LDAP DN of the super user configured during installation of Identity Server; it is amadmin by default. This user must always log in using LDAP authentication as they will always be authenticated against the Directory Server. The UID alone is generally used to login but the full DN as defined in this property can also be used.

Console

These properties are specific to the Identity Server console.

com.iplanet.am.console.host=identity_server_host.domain_name

The value of this property is the DNS domain name of the machine on which the Identity Server console is located.

com.iplanet.am.console.protocol=http

The value of this property is the protocol used to communicate with the Identity Server. The default is http.

com.iplanet.am.console.port=58080

The value of this property is the port number of the machine on which the Identity Server console is located. The default is 58080.

The following directives can be added to the AMConfig.properties file to add their respective functionality to the Identity Server console.

com.iplanet.am.console.display.off=orgs,users,groups

If specified, Identity Server will not perform the initial search for a specified identity object that is done in the Navigation frame when the view menu is changed. For example, after a successful login, the default console view is the organization view. When the view is changed to Users, the Navigation frame is redrawn to display all users; a search is performed to obtain this information. With a large number of users, disabling this search can drastically reduce the time it takes to load the Identity Server console. A filter can then be used to find the desired users. This option is available for any of the view menu types. To disable the search, add any of the following values: orgs, orgUnits, users, policies, groups, roles, groupContainers, and peopleContainers. If more than one value, they are comma-separated.

Caution	The service attribute in the Identity Server console that corresponds to this property is Display Options, an organization attribute in the Administration Service. This console option takes precedence over any value defined in com.iplanet.am.console.display.off. If configuring this property in AMConfig.properties, do not configure it using the console (or vica versa).

com.iplanet.am.console.set.cn=true

If specified, the user common name (cn) will not be displayed in the Create User screen but it will be generated based on information entered in the First Name (givenname), Initial and Last Name (sn) fields of the User profile page and displayed as a read-only value on screen.

Cookies

These properties are specific to Identity Server cookies.

com.iplanet.am.cookie.name=iPlanetDirectoryPro

The value of this property is the name of the cookie. In an Identity Server deployment with more than one instance, it is recommended that the value of this property for one of the instances is changed.

Note	The cookie name defined as com.iplanet.am.cookie.name is the Identity Server cookie and needs to be defined in a sticky load balancing situation. Do not use the HTTP session cookie as in some cases it is not retained.

com.iplanet.am.pcookie.name=DProPCookie

The value of this property is the name of the persistent cookie if that function is enabled.

com.iplanet.am.cookie.secure=false

This property allows the Identity Server cookie to be set in a secure mode in which the browser will only return the cookie when a secure protocol like HTTP(s) is used.

com.iplanet.am.cookie.encode=COOKIE_ENCODE

This property allows Identity Server to URLencode the cookie value which converts characters to ones that are understandable by HTTP.

Miscellaneous

This section is a catch-all for some miscellaneous and self-explanatory values.

com.iplanet.am.daemons=unix
com.iplanet.am.locale=en_US
com.iplanet.am.logstatus=ACTIVE
com.iplanet.am.version=6.1
com.iplanet.services.configpath=/etc/opt/SUNWam/config/ums

The value of this property is the path to the serverconfig.xml file. This file is discussed in Appendix B, "serverconfig.xml File."

Directory Server

This section describe the properties for the Directory Server data store.

Installation

These properties define the Directory Server to which the Identity Server points.

com.iplanet.am.directory.host=identity_server_host.domain_name

The value of this property is the DNS domain name of the machine on which the Directory Server is located.

com.iplanet.am.directory.port=389

The value of this property is the port number of the machine on which the Directory Server is located. The default is 389.

com.iplanet.am.server.protocol=http

The value of this property is the protocol used to communicate with the machine on which the Directory Server is located.

Directory Server Tree

The values of these properties are the top-level organization of the Directory Server tree defined during the installation process.

com.iplanet.am.defaultOrg=dc=top_level_org,dc=com
com.iplanet.am.rootsuffix=dc=top_level_org,dc=com
com.iplanet.am.domaincomponent=dc=top_level_org,dc=com

---

Configuration Properties

There are a number of services configured in AMConfig.properties that can not be configured using the Identity Server console. These back-end services, and several attributes for other services, are defined in this section.

Debug Service

The Debug Service logs developer information in the case of application errors. (The Logging Service writes logs to be monitored by the application administrator.) More information on the Debug Service can be found in "Debug Files" of Chapter 10, "Auditing Features."

com.iplanet.services.debug.level=error

The possible values for this property are: off | error | warning | message. They indicate the level of information recorded in the debug files.

com.iplanet.services.debug.directory=/var/opt/SUNWam/debug

The value of this property is the output directory for the debug information. This directory should be writable by the server process.

Note	In defining values for the Debug Service, remember that trailing spaces are significant. Also, on a Microsoft® Windows® system, use forward slashes “/” to separate directories.Finally, spaces in the file name are allowed only on a Windows system.

Stats Service

The following properties are used to configure the Stats Service for recording service statistics. This service is used by the Identity Server SDK and the Session Service. Code Example A-1 is a portion of the stats file to illustrate the information that is recorded. The file is named amSDKStats by default.

Code Example A-1  Portion of amSDKStats File

11/26/2002 01:46:18:592 PM PST: Thread[Thread-10,5,main] SDK Cache Statistics -------------------- Interval: 214 Hits during interval: 38 Hit ratio for this interval: 0.17757009345794392 Total number of requests: 214 Total number of Hits: 38 Overall Hit ratio: 0.17757009345794392 Total Cache Size: 72

com.iplanet.am.stats.interval=3600

The statistics interval should be at least 5 seconds to avoid CPU saturation. Identity Server will assume that any value less than that is 5 seconds.

com.iplanet.services.stats.directory=/var/opt/SUNWam/debug

This property specifies the output directory for the statistics files. By default, it is the same as the debug directory.

com.iplanet.services.stats.state=off

Possible values for this directive are: off | file | console. file will write to a file named amSDKStats under the directory specified in the com.iplanet.services.stats.directory property and console will write into the deployment container log files.

Note	In defining values for the Stats Service, remember that trailing spaces are significant. On a Windows system, use forward slashes “/” to separate directories. Spaces in the file name are also allowed on a Windows system.

Notification Service

The Notification Service allows Identity Server to send notifications to registered applications when an event has occurred (session destroyed, session timeout, etc.). This service also allows the single sign-on cache to stay up to date. The notification is basically a HTTP post message containing the component notification in its body.

com.iplanet.am.notification.url= http://identity_server_host.domain_name:port/amserver/notificationservice

The value of this property is the URI of the Notification Service.

When a notification task comes in, it is processed in the task queue. If it reaches the maximum length, further incoming requests will be rejected along with a ThreadPoolException, until the queue has vacancy

com.iplanet.am.notification.threadpool.size=10

This parameter is used to define the session thread pool for notification handling. It specifies the size of the pool as the total number of threads allowed.

com.iplanet.am.notification.threadpool.threshold= 100

This parameter specifies the maximum size of the task queue in the thread pool. A task is queued when no thread is available. If the number of unprocessed tasks reaches the value specified, no additional notification tasks will be accepted until there are vacancies. This value is dependent on the system memory resource; each task takes about 3k.

SDK Caching

The caching function in Identity Server is memory-based therefore when an identity-related object is created, deleted or modified, the cache is cleaned up. Each SDK cache entry stores a set of attributes and values of AMObject for a user. Because the size of each object is dependent upon the number of attributes it has, modifying these properties will affect the performance of Identity Server.

com.iplanet.am.sdk.cache.maxSize=10000

This property configures the size of the cache when caching is enabled. The value refers to the number of objects cached and should be an integer greater than 0; if not, the default 10000 will be used.

com.iplanet.am.session.maxSessions=5000

This property specifies the maximum number of concurrent sessions. Logging in when the maximum sessions has been met would send a Maximum Sessions error.

Online Certificate Status Protocol (OCSP)

OCSP is a protocol that specifies the syntax for communication between a server which holds certificate status and a client which is informed of said status.When a user attempts to access a server, OCSP sends a request for certificate status information and receives back a response of current, expired or unknown. If these properties are set, the certificate in question must be in the deployment container’s certificate database. If the OCSP URL is set, the OCSP responder nickname must also be set or both will be ignored. If neither is set, the OCSP responder URL presented in the user’s certificate will be used. If there is none in the user’s certificate, no OCSP validation will be performed.

com.sun.identity.authentication.ocsp.responder.url

The value of this directive is the global OCSP responder URL for this instance of Identity Server, i.e. http://ocsp.example.com/ocsp.

com.sun.identity.authentication.ocsp.responder.nickname

The OCSP responder nickname refers to the Certificate Authority for the responder. This nickname is used to reference the Certificate Authority in the certificate itself.

Identity Object Processing

This property has a value equal to the implementation class of the module used for processing user creates, deletes, and modifies.

com.iplanet.am.sdk.userEntryProcessingImpl=

Security

This property is used to enable Java security permissions. This permission is used to protect the Identity Server resources which should only be accessed by trusted resources. This permission is used to protect the admin DN and password as well as access to the encryption and decryption methods used to encrypt passwords. The default value is false. If enabled, modifications must be made to the deployed web container’s Java policy file. This should be done as detailed in Code Example A-2.

Code Example A-2  Changes To Java Policy File

grant codeBase "file:{directory where jars are located}/-" { com.sun.identity.security.ISSecurityPermission "access", "adminpassword,crypt"; };

com.sun.identity.security.checkcaller=false

SSL

This property is used to enable Secure Socket Layers (SSL). The default is false.

com.iplanet.am.directory.ssl.enabled=false

Certificate Database

These properties are used by the command line utilities and SDK as well as the LDAP and Certificate-based authentication modules when initiating SSL connections to the Directory Server. It is also used when opening HTTP(S) connections from within the servlet container in the deployment container.

com.iplanet.am.admin.cli.certdb.dir=/IdentityServer_base/SUNWam/servers/alias

The value of this property is the name of the path to the certificate database.

com.iplanet.am.admin.cli.certdb.prefix=https-identity_server_host.domain_name-identity_server_host-

The value of this property is the certificate database prefix.

com.iplanet.am.admin.cli.certdb.passfile=/IdentityServer_base/SUNWam/config/.wtpass

The value of this property is the name of the file that contains the password for the certificate database.

Note	When installing Identity Server, these values do not point to a configured certificate database. After creating the certificate database, these values should be reset to point to the Application Server as follows: com.iplanet.am.admin.cli.certdb.dir=/install_directory/SUNWappserver7/domain/server_instance/config com.iplanet.am.admin.cli.certdb.prefix= com.iplanet.am.admin.cli.certdb.passfile=/install_directory/SUNWappserver7/domain/server_instance/config/.wtpass Identity Server should be restarted after the modifications.

Replication

These two properties are not required to support replication but they may be helpful in limiting errors due to latency. Enabling them may have a negative impact on performance but, if replication has significant latency, the retries may be enough to prevent Entry Not Found errors. For example, assume an Identity Server console is pointing to a read-only consumer configured to refer writes to a master. If a new organization is created, all write requests are referred to the master and then replicated back to the consumer. If Identity Server reads the organization back before it has been replicated to the consumer, it will get an Entry Not Found error.

Note	It is not recommended to run the Identity Server console against a read-only consumer. The exception to this rule is when operating against user entries whose creations and modifications do not have the same latency problems as the SDK has special behavior to prevent such problems for these entries.

com.iplanet.am.replica.num.retries=0

This specifies the number of times to retry. When an Entry Not Found error is returned to the SDK, it will retry n times where n is the value of this property.

com.iplanet.am.replica.delay.between.retries=1000

This property specifies the delay time (in milliseconds) between the number of retries defined in the key above.

Event And LDAP Connection

These sets of properties are implemented when load balancers are used between the Identity SDK and the Directory Server. When the SDK performs an operation which fails, it will retry the operation as long as the exception is one defined in the ldap.error.codes property. These properties are necessary for failover configuration when it is accomplished via a load balancer as not all load balancers return the same error codes.

Event Connection

com.iplanet.am.event.connection.num.retries=3

This value specifies the number of time to retry an event connection.

com.iplanet.am.event.connection.delay.between.retries=3000

This value specifies the delay time (in milliseconds) between the number of retries defined in the key above.

com.iplanet.am.event.connection.ldap.error.codes.retries=80,81,91

This key specifies the LDAPException errors for which the retries will occur. The value is any valid LDAP error code.

LDAP Connection

The following keys are used to configure an LDAP connection for the add, delete modify, read and search methods.

com.iplanet.am.ldap.connection.num.retries=3

This value specifies the number of time to retry an LDAP connection.

com.iplanet.am.ldap.connection.delay.between.retries=1000

This value specifies the delay time (in milliseconds) between the number of retries defined in the key above.

com.iplanet.am.ldap.connection.ldap.error.codes.retries=80,81,91

This key specifies the LDAPException errors for which the retries will occur. The value is any valid LDAP error code.

SAML

These properties identify SAML-related configurations including properties relating to the Identity Server keystore file.

com.sun.identity.saml.removeassertion=false

This property indicates if assertions associated with artifacts and now de-referenced should be removed from the cache. If set to true, assertions will be removed. Otherwise, the assertion will be kept in memory and removed only when it is expired itself.

Keystore Properties

Each Identity Server has a keystore file used to store the certificates used for XML signing and verification. A stored certificate might include a partner site’s certificate and the public key used by Identity Server to verify SAML responses and assertions from the partner. The keystore also holds the Identity Server certificate and the private key it uses to sign assertions. For more information on generating the keystore, certificate aliases and other functions, read about the keytool, a key and certificate management utility, in the Readme.html and keystore.html files located in the IdentityServer_base/SUNWam/samples/saml/ xmlsig directory.

com.sun.identity.saml.xmlsig.keystore=/IdentityServer_base/SUNWam/lib/keystore.jks

The value of this property is the name and location of the keystore file. Although, upon installing Identity Server, this property has a default value, the file itself is not initally generated and the name and location of the file can be changed.

com.sun.identity.saml.xmlsig.storepass=/IdentityServer_base/SUNWam/config/.storepass

The value of this property is the location of the password to the keystore.

com.sun.identity.saml.xmlsig.keypass=/IdentityServer_base/SUNWam/config/.keypass

The value of this property is the location of the password to the private key which is used to sign the XML document.

com.sun.identity.saml.xmlsig.certalias=test

All entries (keys and trusted certificate entries) in the keystore file are accessed using unique aliases. The value of this property is the certificate alias of the Identity Server certificate which links to the private key used for signing assertions.

Miscellaneous Services

The following directives define the URIs for miscellaneous services.

com.iplanet.am.profile.host=identity_server_host.domain_name

The value of this property is the DNS domain name of the machine on which the Identity Server (and thus the Profile Service) is located.

com.iplanet.am.profile.port=58080

The value of this property is the port number used by the Identity Server (and thus the Profile Service). The default is 58080.

com.iplanet.am.naming.url=http://identity_server_host.domain_name:port/amserver/namingservice

The value of this property represents the URL where a request by the Identity Server or a remote single sign-on client will be sent to retreive the URLs of Identity Server internal services. This is the URI for the Naming Service.

---

Read-Only Properties

The following properties are read-only and should not be modified. Any changes to these directives may render the Identity Server unusable.

Installation

These properties identify values defined during the installation process.

com.iplanet.am.installdir=/IdentityServer_base/SUNWam

This value is the base directory for the application.

com.iplanet.am.install.basedir=/IdentityServer_base/SUNWam/web-apps/services/WEB-INF

This value is the base directory for the services.

com.iplanet.am.iASConfig=false

This property defines whether the Sun ONE Identity Server is running on the Sun ONE Application Server. The value is set during installation and must not be changed.

com.iplanet.am.console.remote=false

This property defines whether the console is installed on a remote or local machine. It is used by the Authentication Service and the console.

Deployment

These properties are used to identify the URIs for specific services and agents.

com.iplanet.am.services.deploymentDescriptor=/amserver
com.iplanet.am.console.deploymentDescriptor=/amconsole
com.iplanet.am.policy.agents.url.deploymentDescriptor=AGENT_DEPLOY_URI

This last property contains the name of the deployment container. Possible values here are BEA6.1, IBM 4.0.5, S1AS7.0, or WS.

com.sun.identity.webcontainer=WEB_CONTAINER

Note	Although the servlet and JSPs are deployment container independent, servlet 2.3 API request.setCharacterEncoding() (used to correctly decode incoming non-English characters) will not work if Identity Server is deployed on Sun ONE Web Server 6.0 or Sun ONE Application Server 7.0.

Shared Secret

This property is the shared secret for the Authentication Service.

com.iplanet.am.service.secret=AQIC5wM2LY4SfczLlj6134qMTx0nkE5XiFMg

Session Properties

These properties are configurations for the Session Service.

com.iplanet.am.session.failover.enabled=false

This property is used to enable or disable the session failover feature. The following properties are used when this property is set to true.

com.iplanet.am.localserver.protocol=http
com.iplanet.am.localserver.host=identity_server_host.domain_name
com.iplanet.am.localserver.port=58080

com.iplanet.am.session.httpSession.enabled=true

When this property is set to true, an HttpSession will be created for the authenticated user in addition to an Identity Server session. This property is also related to session failover.

com.iplanet.am.session.invalidsessionmaxtime=3

This property disables a session if it is created and the user does not login before the time defined. The value is in minutes (for example, 3 minutes is the default value).

Note	This value should always be greater than the time-out value in your authentication module properties file.

com.iplanet.am.session.client.polling.enable=false

If set to true, the client cache will invalidate itself after the amount of time defined in the next property, forcing data to reload.

com.iplanet.am.session.client.polling.period=180

This property defines the default polling period as 180 seconds.

com.sun.am.session.logging.enableHostLookUp=false

This property allows the session server (i.e. Identity Server) to look for the IP address from the host property and log it. If set to true, a reverse DNS lookup will be used to obtain the Domain Name from the IP address for logging purposes. If false, the IP address will be used thus, increasing performance.

com.iplanet.am.session.purgedelay=60

This property defines the purge delay period in minutes. After a session times out, this is the extended time period for which the token will reside in the Session Service. This can be used by the client application to check if the session has timed out or not (using the SSO APIs). After this time period, the session is destroyed. The session token is in the INVALID state during this extended period.

Note	The session does not remain for this extended life if the user logs out or the session is explicitly destroyed by another Identity Server component.

com.iplanet.am.naming.failover.url=

This property can be used by any remote SDK application that wants failover in, for example, session validation or getting the service URLs.

Simple Mail Transfer Protocol (SMTP)

The following directives can be set to any valid SMTP server and port.

com.iplanet.am.smtphost=localhost

Note	Because of how Microsoft® Windows 2000 processes this information, the default value of this directive, localhost, should be replaced by the actual mail server host name and the Identity Server should be restarted.

com.sun.identity.sm.smptpport=25

Authentication

The following sections define properties used by the Authentication Service.

LDAP

com.iplanet.am.auth.ldap.createUserAttrList=<attr1,attr2,attr3...>

This property specifies a list of user attributes whose values will be retrieved from an external Directory Server during LDAP Authentication if the Authentication Service is configured for dynamically creating users. The new user created in the local Directory Server will have the values for these attributes retrieved from the external Directory Server.

SecurID

securidHelper.ports=58943

The value of this property is a space-separated list used by the SecurID Authentication module and helper(s).

Unix

unixHelper.port=58946

The value of this property is used in the Unix Authentication Service.

unixHelper.ipaddrs=

The value of this property can contain a list of trusted IP addresses. The IP addresses specified in this list are space-separated and will be read by the amserver script and passed to the Unix helper when starting it.

Security

Following are properties that define parameters for security purposes.

SecureRandom

This property specifies the factory class name for SecureRandomFactory.

com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.JSSSecureRandomFactoryImpl

The available implementation classes are:

com.iplanet.am.util.JSSSecureRandomFactoryImpl (uses JSS)
com.iplanet.am.util.SecureRandomFactoryImpl (pure Java)

SocketFactory

This property specifies the factory class name for LDAPSocketFactory.

com.iplanet.security.SSLSocketFactoryImpl=com.iplanet.services.ldap.JSSSocketFactory

Available classes are:

com.iplanet.services.ldap.JSSSocketFactory (uses JSS)
netscape.ldap.factory.JSSESocketFactory (pure Java)

Encryption

These properties specify encryption information.

com.iplanet.security.encryptor=com.iplanet.services.util.JSSEncryption

The value specifies the encrypting class implementation. Available classes are:

com.iplanet.services.util.JCEEncryption
com.iplanet.services.util.JSSEncryption.

am.encryption.pwd=BcN2Vaek2TUcs3tvO7uW9bRIrcy/Koeo

This is the Data Encryption Standard (DES) encryption key password. The client needs this to decrypt the session ID for token creation. If decryption fails, the client will not be able to retrieve the protocol, server host and the server port information to construct the URL needed to search for a service. Do not change the value of this property without also re-encrypting the passwords in serverconfig.xml. For information, see Appendix B, "serverconfig.xml File."

Note	When installing the Identity Server SDK remotely, the value of this property should be copied into the installation field labeled The key used for encryption of passwords. For information on how to install the Identity Server SDK remotely, see the Sun ONE Identity Server Migration Guide.

IP Address Checking

This property specifies whether the IP address of the client will be checked in SSOToken creations and validations.

com.iplanet.am.clientIPCheckEnabled=false

Remote Policy API

These properties are defined for the Remote Policy API to use with policy agents.

com.sun.identity.agents.app.username=UrlAccessAgent

This property specifies the username for the Application authentication module.

com.sun.identity.agents.server.log.file.name=amRemotePolicyLog

This property specifies the name of the file to use for logging remote policy messages. The directory where this file is located is defined in Logging Service settings.

com.sun.identity.agents.cache.size=1000

This property specifies the size of the cache created on the server where the policy agent resides.

com.sun.identity.agents.polling.interval=3

The polling interval is the duration of time for refreshing the cache

com.sun.identity.agents.notification.enabled=false

This property enable or disables notifications for remote policy API.

com.sun.identity.agents.notification.url=

This property defines the notification URL for remote policy API.

com.sun.identity.agents.logging.level=NONE

This property controls the granularity of logging for the remote policy API. The valid values are ALLOW, DENY, BOTH and NONE. The default value is NONE.

com.sun.identity.agents.use.wildcard=true

This property indicates whether to use wildcard for resource name comparison.

com.sun.identity.agents.header.attributes=cn,ou,o,mail,employeenumber,c

This property defines the attributes to be returned by policy evaluator. The specification is of the format a[,...] where a is the attribute in the data store that will be fetched.

com.sun.identity.agents.resource.comparator.class=com.sun.identity.policy.plugins.PrefixResourceName
com.sun.identity.agents.resource.wildcard=*
com.sun.identity.agents.resource.delimiter=/
com.sun.identity.agents.resource.caseSensitive=false

This is to indicate whether case sensitivity is turned on or off during policy evaluation. The default value is false or off.

com.sun.identity.agents.true.value=allow

This value is ignored if the application does not access the method PolicyEvaluator.isAllowed.

Policy

This property defines weights for policy subjects, rules and conditions. These weights influence the order in which these components are evaluated. The value is three integers delimited by ":". These integers indicate the proportional CPU cost for evaluating the three components, respectively.

com.sun.identity.policy.Policy.policy_evaluation_weights=10:10:10

Federation

These properties configure information for the Federation Management module.

com.sun.identity.federation.fedCookieName=fedCookie

This property defines the name of the federation cookie.

com.sun.identity.federation.services.signingOn=false

This property defines whether federation requests and responses will be signed before sending. It also defines whether federation requests and responses that are received will be verified for signature validity. The default is false.

FQDN Map

The Fully Qulified Domain Name (FQDN) Map is a simple map that enables the Authentication Service to take corrective action in the case where a user may have typed in an incorrect URL either by specifying partial hostname or IP address to access a protected resource.

Valid values must comply with the syntax of this property which represent invalid FQDN values mapped to correct counterparts. The valid format for specifying these maps is:

com.sun.identity.server.fqdnMap[invalid_name]=valid_name

where invalid_name is a possible invalid FQDN host name that may be used by the user, and valid_name is the FQDN host name to which the filter will redirect the user.

Caution	Ensure that there are no invalid or overlapping values for the same invalid FQDN name.

This property can also be used for creating a mapping for more than one host name. This may be the case when applications hosted on a server are accessible by more than one host name. It may also be used to configure Identity Server to NOT take corrective action for certain hostname URLs. For example, if no corrective action (such as a redirect) is desired for users who access application resources using a raw IP address, the map entry would look like:

com.sun.identity.server.fqdnMap[IP_address]=IP_address

Any number of values may be specified as long as they are valid and conform to the above stated requirements.

Examples of FQDN mapping might be:

com.sun.identity.server.fqdnMap[isserver]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[isserver.mydomain]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[IP_address]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[invalid_name]=valid_name

Encryption Key

The value of this property is the password used to generate a symmetric key to encrypt and decrypt other sensitive data including the shared secret.

am.encryption.pwd=ro/LiN3pOxMXxtvbwf+owRFyzDYwxRTw

Previous      Contents      Index      Next

---

Copyright 2003 Sun Microsystems, Inc. All rights reserved.