Sun Java System Access Manager 7 2005Q4 Administration Guide

Appendix A AMConfig.properties File

AMConfig.properties is the main configuration file for Access Manager. You can configure some, but not all, of the properties in this file. This chapter provides descriptions of properties contained in AMConfig.properties, default property values, and instructions for modifying values that can be changed without rendering Access Manager unusable.

This chapter contains the following sections:

About the `AMConfig.properties` File

At installation, AMConfig.properties is located in the following directory: etc/opt/SUNWam/config.

AMConfig.properties contains one property per line, and each property has a corresponding value. Properties and values are case-sensitive. Lines that begin with the characters slash and asterisk (/*) are comments, and comments are ignored by the application. Comments end with a last line that contains the closing characters asterisk and slash (*/).

After you modify properties in AMConfig.properties, you must restart Access Manager to activate the changes.

Access Manager Console

com.iplanet.am.console.deploymentDescriptor

Value is set during installation. Example: /amconsole
com.iplanet.am.console.host

Value is set during installation. Example: hostName.domain.Name.com
com.iplanet.am.console.port

Value is set during installation. Example: 80
com.iplanet.am.console.protocol

Value is set during installation. Example: http

Access Manager Server Installation

com.iplanet.am.install.basedir

This is a READ-ONLY property. Do not modify the property value.

Value is set during installation. Example: /opt/SUNWam/web-src/services/WEB-INF
com.iplanet.am.install.vardir

This is a READ-ONLY property. Do not modify the property value.

Value is set during installation. Example: /var/opt/SUNWam
com.iplanet.am.installdir

This is a READ-ONLY property. Do not modify the property value.

Value is set during installation. Example: /opt/SUNWam
com.iplanet.am.jdk.path

Value is set during installation. Example: /usr/jdk/entsys-j2se
com.iplanet.am.locale

Value is set during installation. Example: en_US
com.iplanet.am.server.host

Value is set during installation. Example: hostName.domainName.com
com.iplanet.am.server.port

Value is set during installation. Example: 80
com.iplanet.am.server.protocol

Value is set during installation. Example: http
com.iplanet.am.version

Value is set during installation. Example: 7 2005Q4
com.sun.identity.server.fqdnMap[ ]

Enables Access Manager Authentication service to take corrective action when a user types an incorrect URL . This is useful, for example, when a user specifies a partial hostname or uses an IP address to access protected resources.

The syntax of this property represents invalid FQDN values mapped to their corresponding valid counterparts. The property uses the following form: com.sun.identity.server.fqdnMap[invalid-name]=valid—name . In this example, invalid-name is a possible invalid FQDN host name that may be used by the user, and the valid—name is the FQDN host name the filter will redirect the user to. If overlapping values for the same invalid FQDN exist, the application may become inaccessible. Using an invalid value for this property can also result in the application becoming inaccessible. You can use this property to map multiple host names. This is useful when the applications hosted on a server are accessible by multiple host names.

You can use this property to configure Access Manager so that no corrective action is taken for certain hostname URLs. This is useful, for example, when it is required that no corrective action such as a redirect be used for users who access the application resources by using the raw IP address.

You can specify a map entry such as: com.sun.identity.server.fqdnMap[IP]=IP .

You can specify any number of such properties may as long as they are valid properties and conform to the requirements described above. Examples: com.sun.identity.server.fqdnMap[isserver]=isserver.mydomain.comcom.sun.identity.server.fqdnMap[isserver.mydomain]=isserver.mydomain.com com.sun.identity.server.fqdnMap[IP address]=isserver.mydomain.com

am.util

com.iplanet.am.util.xml.validating

Default value is no. Determines if validation is required when parsing XML documents using the Access Manager XMLUtils class. This property is in effect only when value for the com.iplanet.services.debug.level property is set to warning or message. Allowable values are yes and no. The XML document validation is turned on only if the value for this property yes, and if value for com.iplanet.services.debug.level property is set to warning or message.

amSDK

Each SDK cache entry stores a set of AMObject attributes values for a user.

com.iplanet.am.sdk.cache.maxSize

Default value is 10000. Specifies the size of the SDK cache when caching is enabled. Use an integer greater than 0, or the default size (10000 users) will be used.
com.iplanet.am.sdk.userEntryProcessingImpl

This property specifies a plug-in which implements the com.iplanet.am.sdk.AMUserEntryProcessed interface to perform some post-processing for user create, delete and modify operations. The property if used should specify the fully qualified class name which implements the above interface.
com.iplanet.am.sdk.caching.enabled

Setting this to true enables caching, and setting this to false disables caching. The default is false.

Application Server Installation

com.iplanet.am.iASConfig

Value is set during installation. Example: APPSERVERDEPLOYMENT

This property is used to determine if Access Manager is running on iPlanet Application Server.

Authentication

com.sun.identity.auth.cookieName

Default value is AMAuthCookie. Specifies the cookie name used by Authentication Service to set the session handler ID during the authentication process. Once this process is completed (success or failure), this cookie is cleared or removed.
com.sun.identity.authentication.ocsp.responder.nickname

Value is set during installation. The Certificate Authority (CA) certificate nick name for that responder. Example: Certificate Manager - sun. If set, the CA certificate must be presented in the Web Server's certificate database.
com.sun.identity.authentication.ocsp.responder.url

Value is set during installation. Example: http://ocsp.sun.com/ocsp

Specifies the global OCSP responder URL for this instance. If the OCSP responder URL is set, the OCSP responder nick name must also be set. Otherwise both will be ignored. If both are not set, the OCSP responder URL presented in user's certificate will be used for OCSP validation. If the OCSP responder URL is not presented in user's certificate, then no OCSP validation will be performed.
com.sun.identity.authentication.ocspCheck

Default value is true. The global parameter to enable or disable OCSP checking. If this value is false, the OCSP feature in the Certificate Authentication module type cannot be used. .
com.sun.identity.authentication.special.users

Value is set during installation. Example: cn=dsameuser,ou=DSAME Users,o=AMRoot|cn=amService-UrlAccessAgent,ou=DSAME Users,o=AMRoot

Identifies the special user or users for this Access Manager authentication component. This user is used by the Client APIs to authenticate remote applications to the Access Manager server using the full user DN. The user will always be authenticated against the local directory server. Multiple values of this special user DN are separated by the pipe character (|). Use of this property is restricted to Authentication component only.
com.sun.identity.authentication.super.user

Value is set during installation. Example: uid=amAdmin,ou=People,o=AMRoot

Identifies the super user for this Access Manager instance. This user must use LDAP to log in, and must use the full DN. The user is always authenticated against the local Directory Server.
com.sun.identity.authentication.uniqueCookieDomain

Used to set the cookie domain for the above cookie name. This Cookie domain should be set such that it covers all the instances of the CDC (Cross Domain Controller) services installed in the network. For example,.example.com if all instances of Access Manager are within the domain example.com.
com.sun.identity.authentication.uniqueCookieName

Default value is sunIdentityServerAuthNServer. Specifies the cookie name set to the Access Manager server host URL when Access Manager is running against Session Cookie hijacking.
com.iplanet.am.auth.ldap.createUserAttrList

Specifies a list of user attributes that contain values that will be retrieved from an external Directory Server during LDAP Authentication when the Authentication Service is configured to dynamically create users. The new user created in the local Directory Server will have the values for attributes which have been retrieved from external Directory Server.

Example: attribute1, attribute2, attribute3

Certificate Database

Set these properties to initialize the JSS Socket Factory when iPlanet Web Server is configured for SSL.

com.iplanet.am.admin.cli.certdb.dir

Value is set during installation. Example: /opt/SUNWwbsvr/alias

Specifies certificate database path.
com.iplanet.am.admin.cli.certdb.passfile

Value is set during installation. Example: /etc/opt/SUNWam/config/.wtpass

Specifies certificate database password file.
com.iplanet.am.admin.cli.certdb.prefix

Value is set during installation. Example: https-hostName.domainName.com-hostName-

Specifies certificate database prefix.

Cookies

com.iplanet.am.cookie.encode

This property allows Access Manager to URLencode the cookie value which converts characters to ones that are understandable by HTTP.

Value is set during installation. Example: false
com.iplanet.am.cookie.name

Default value is iPlanetDirectoryPro. Cookie name used by Authentication Service to set the valid session handler ID. The value of this cookie name is used to retrieve the valid session information.
com.iplanet.am.cookie.secure

Allows the Access Manager cookie to be set in a secure mode in which the browser will only return the cookie when a secure protocol such as HTTP(s) is used.

Default value is false.
com.iplanet.am.console.remote

Value is set during installation. Example: false

Determines whether the console is installed on a remote machine, or is installed on a local machine and will be used by authentication console.
com.iplanet.am.pcookie.name

Specifies the cookie name for a persistent cookie. A persistent cookie continues to exist after the browser window is closed. This enables a user to log in with a new browser session without having to reauthenticate. Default value is DProPCookie.
com.sun.identity.cookieRewritingInPath

Default value is true. This property is read by the Authentication Service when Access Manager is configured to run in cookieless mode. The property specifies that the cookie needs to be rewritten as extra path information in the URL using this form: protocol://server:port/uri;cookiename=cookieValue?queryString. If this property is not specified, then the cookie will be written as part of the query string.
com.sun.identity.enableUniqueSSOTokenCookie

Default value is false. Indicates that Access Manager is running against Session Cookie hijacking when the value is set to true.

Debugging

com.iplanet.services.debug.directory

Specifies the output directory where debug files will be created. Value is set during installation. Example: /var/opt/SUNWam/debug
com.iplanet.services.debug.level

Specifies debug level. Default value is error. Possible values are:

off

No debug file is created.

error

Only error messages are logged.

warning

Only warning messages are logged.

message

Error, warning, and informational messages are logged.

Directory Server Installation

com.iplanet.am.defaultOrg

Value is set at installation. Example: o=AMRoot

Specifies the top-level realm or organization in the Access Manager information tree.
com.iplanet.am.directory.host

Value is set during installation. Example: DirectoryServerHost.domainName.com

Specifies fully-qualified host name of the Directory Server.
com.iplanet.am.directory.port

Value is set during installation. Example: 389

Specifies the Directory Server port number .
com.iplanet.am.directory.ssl.enabled

Default value is false. Indicates if Security Socket Layer (SSL) is enabled.
com.iplanet.am.domaincomponent

Value is set during installation. Example: o=AMRoot

Specifies the domain component (dc) attribute for the Access Manager information tree.
com.iplanet.am.rootsuffix

Value is set during installation. Example: o=AMRoot

Event Connection

com.iplanet.am.event.connection.delay.between.retries

Default value is 3000. Specifies the delay in milliseconds between retries to re-establish the Event Service connections.
com.iplanet.am.event.connection.ldap.error.codes.retries

Default values are 80,81,91. Specifies the LDAP exception error codes for which retries to re-establish Event Service connections will trigger.
com.iplanet.am.event.connection.num.retries

Default value is 3. Specifies the number of attempts made to successfully re-establish the Event Service connections.
com.sun.am.event.connection.idle.timeout

Default value is 0. Specifies the number of minutes after which the persistent searches will be restarted.

This property is used when a load balancer or firewall is between the policy agents and the Directory Server, and the persistent search connections are dropped when TCP idle timeoutoccurs. The property value should be lower than the load balancer or firewall TCP timeout. This ensures that the persistent searches are restarted before the connections are dropped. A value of 0 indicates that searches will not be restarted. Only the connections that are timed out will be reset.

Global Services Management

com.iplanet.am.service.secret

Value is set during installation. Example: AQICPX9e1cxSxB2RSy1WG1+O4msWpt/6djZl
com.iplanet.am.services.deploymentDescriptor

Value is set during installation. Example: /amserver
com.iplanet.services.comm.server.pllrequest.maxContentLength

Default value is 16384 or 16k. Specifies the maximum content-length for an HttpRequest that Access Manager will accept.
com.iplanet.services.configpath

Value is set during installation. Example: /etc/opt/SUNWam/config

Helper Daemons

com.iplanet.am.daemons

Default value is unix securid. Description
securidHelper.ports

Default value is 58943. This property takes a space-separated list and is used for the SecurID authentication module and helpers.
unixHelper.ipaddrs

Value is set during installation. Specifies a list of IP addresses to be read by the amserverscript and passed to the UNIX helper when starting the helper. This property can contain a list of space-separated trusted IP Addresses in IPv4 format.
unixHelper.port

Default value is 58946. Used in the UNIX Authentication module type.

Identity Federation

com.sun.identity.federation.alliance.cache.enabled

Default value is true. If true, federation metadata will be cached internally.
com.sun.identity.federation.fedCookieName

Default value is fedCookie. Specifies the name of the Federation Services cookie.
com.sun.identity.federation.proxyfinder

Default value is com.sun.identity.federation.services.FSIDPProxyImpl. Defines the implementation for finding a preferred identity provider to be proxied.
com.sun.identity.federation.services.signingOn

Default value is false. Specifies the level of signature verification for Liberty requests and responses.

true

Liberty requests and responses will be signed when sent, and Liberty requests and responses that are received will be verified for signature validity.

false

Liberty requests and responses that are sent and received will not be verified for signature.

optional

Liberty requests and responses will be signed or verified only if required by the Federation profiles.
com.sun.identity.password.deploymentDescriptor

Value is set during installation. Example: /ampassword
com.sun.identity.policy.Policy.policy_evaluation_weights

Default value is 10:10:10. Indicates the proportional processing cost to evaluate a policy subject, rule, and condition. The values specified influence the order in which the subject, rule, and condition of a policy are evaluated. The value is expressed using three integers which represent a subject, a rule, and a condition. The values are delimited by a colon (:) to indicate the proportional processing cost to evaluate a policy subject, rule, and condition.
com.sun.identity.session.application.maxCacheTime

Default value is 3. Specifies the maximum number of minutes for caching time for Application Sessions. By default, the cache does not expire unless this property is enabled.
com.sun.identity.sm.ldap.enableProxy

Default value is false. Specifies the Proxy Server to use for a connection. Set to true if LDAPProxy is supported by the backend storage. If true, use the Proxy Server for connection If false, no proxy is used for connection.
com.sun.identity.webcontainer

Value is set during installation. Example: WEB_CONTAINER

Specifies the name of the of the web container. Although the servlet or JSPs are not web container dependent, Access Manager uses the servlet 2.3 API request.setCharacterEncoding() to correctly decode incoming non English characters. These APIs will not work if Access Manager is deployed on Sun Java System Web Server 6.1. Access Manager uses the gx_charset mechanism to correctly decode incoming data in Sun Java System Web Server versions 6.1 and S1AS7.0. Possible values BEA6.1, BEA 8.1, IBM5.1 or IAS7.0. If the web container is Sun Java System Web Server, the tag is not replaced.

JSS Proxy

These properties identify the value for SSL ApprovalCallback. If the checkSubjectAltName or resolveIPAddress feature is enabled, you must create cert7.db and key3.db with the prefix value ofcom.iplanet.am.admin.cli.certdb.prefix in the com.iplanet.am.admin.cli.certdb.dirdirectory. Then restart Access Manager .

com.iplanet.am.jssproxy.checkSubjectAltName

Default value is false. When enabled, a server certificate includes the Subject Alternative Name (SubjectAltName) extension, and Access Manager checks all name entries in the extension. If one of the names in the SubjectAltName extension is the same as the server FQDN, Access Manager continues the SSL handshaking. To enable this property, set it to a comma separated list of trusted FQDNs. For example: com.iplanet.am.jssproxy.checkSubjectAltName= amserv1.example.com,amserv2.example.com
com.iplanet.am.jssproxy.resolveIPAddress

Default value is false.
com.iplanet.am.jssproxy.trustAllServerCerts

Default value is false. If enabled (true), Access Manager ignores all certificate-related issues such as a name conflict and continues the SSL handshaking. To prevent a possible security risk, enable this property only for testing purposes, or when the enterprise network is tightly controlled. Avoid enabling this property if a security risk might occur (for example, if a server connects to a server in a different network).
com.iplanet.am.jssproxy.SSLTrustHostListIf set, Access Manager checks the Platform Server list against the server host that is being accessed. If the server FQDNs of the two servers in the Platform Server list match, Access Manager continues the SSL handshaking. Use the following syntax to set the property:

com.iplanet.am.jssproxy.SSLTrustHostList = fqdn_am_server1 ,fqdn_am_server2, fqdn_am_server3
com.sun.identity.jss.donotInstallAtHighestPriority

Default value is false. Determines if JSS will be added with highest priority to JCE. Set to true if other JCE providers should be used for digital signatures and encryptions.

LDAP Connection

com.iplanet.am.ldap.connection.delay.between.retries

Default is 1000. Specifies the number milliseconds between retries.
com.iplanet.am.ldap.connection.ldap.error.codes.retries

Default values are 80,81,91. Specifies the LDAPException error codes for which retries to re-establish the LDAP connection will trigger.
com.iplanet.am.ldap.connection.num.retries

Default value is 3. Specifies the number of attempts made to successfully re-establish the LDAP connection.

Liberty Alliance Interactions

com.sun.identity.liberty.interaction.htmlStyleSheetLocation

Value is set during installation. Example: /opt/SUNWam/lib/is-html.xsl

Specifies path to style sheet that renders the interaction page in HTML.
com.sun.identity.liberty.interaction.wmlStyleSheetLocation

Value is set during installation. Example: /opt/SUNWam/lib/is-wml.xsl

Specifies path to style sheet that renders the interaction page in WML.
com.sun.identity.liberty.interaction.wscSpecifiedInteractionChoice

Default value isinteractIfNeeded. Indicates whether a web service consumer participates in an interaction. Allowed values are:

interactIfNeeded

Interacts only if required. Also used if an invalid value is specified.

doNotInteract

No interaction.

doNotInteractForData

No interaction for data.
com.sun.identity.liberty.interaction.wscSpecifiedMaxInteractionTime

Default value is 80. Web service consumer's preference on the acceptable duration for interaction. The value is expressed in seconds. The default value is used if the value is not specified or if a non-integer value is specified.
com.sun.identity.liberty.interaction.wscWillEnforceHttpsCheck

The default value is yes. Indicates whether a web service consumer enforces the requirement that a request redirected to a URL uses HTTPS. Valid values are yes and no. The case is ignored. The Liberty specification requires the value to be yes. If no value is specified, the default value is used.
com.sun.identity.liberty.interaction.wscWillInlcudeUserInteractionHeader

Default value is yes. If not value is specified, the default value is used. Indicates whether a web service consumer includes userInteractionHeader. Allowable values are yes and no. The case is ignored.
com.sun.identity.liberty.interaction.wscWillRedirect

Default value is yes. Indicates whether the web service consumer redirects user for interaction. Valid values are yes and no. If not value is specified, the default value is used.
com.sun.identity.liberty.interaction.wspRedirectHandler

Value is set during installation. Example: http://hostName.domainName.com:portNumber/amserver/WSPRedirectHandler

Specifies the URL WSPRedirectHandlerServlet uses to handle Liberty WSF WSP-resource owner interactions based on user agent redirects. This should be running in the same JVM where the Liberty service provider is running.
com.sun.identity.liberty.interaction.wspRedirectTime

Default is 30. Web service provider's expected duration for interaction. Expressed in seconds. If the value is not specified, or if the value is a non-integer, the default value is used.
com.sun.identity.liberty.interaction.wspWillEnforceHttpsCheck

Default value is yes. If no value is specified, the default value is used. Indicates whether the web service consumer enforces the requirement that returnToURLuse HTTPS. Valid values are yes and no. (case ignored) the Liberty specification requires the value to be yes.
com.sun.identity.liberty.interaction.

wspWillEnforceReturnToHostEqualsRequestHost

The Liberty specification requires the value to be yes. Indicates whether the web service consumer enforces that returnToHost and requestHost are the same. Valid values areyes and no.
com.sun.identity.liberty.interaction.wspWillRedirect

Default is yes. If no value is specified, the default value is used. Indicates whether a web service provider redirects the user for interaction. Valid values are yes and no. Case is ignored.
com.sun.identity.liberty.interaction.wspWillRedirectForData

Default value is yes. If no value is specified, the default value is used. Indicates whether the web service provider redirects the user for interaction for data. Valid values are yes and no. Case is ignored.
com.sun.identity.liberty.ws.interaction.enable

Default value is false.
com.sun.identity.liberty.ws.jaxb.namespacePrefixMappingList

Default value is
=S=http://schemas.xmlsoap.org/soap/envelope/|sb=urn:liberty:sb:2003-08 |pp=urn:liberty:id-sis-pp:2003-08|ispp=http://www.sun.com/identity/ liberty/pp|is=urn:liberty:is:2003-08
. Specifies the namespace prefix mapping used when marshalling a JAXB content tree to a DOM tree. The syntax is prefix=namespace|prefix=namespace|...
com.sun.identity.liberty.ws.jaxb.packageList

Specifies JAXB package list used when constructing JAXBContext. Each package must be separated by a colon (:).
com.sun.identity.liberty.ws.security.TokenProviderImpl

Default value is com.sun.identity.liberty.ws.security.AMSecurityTokenProviderDescription.
com.sun.identity.liberty.ws.soap.certalias

Value is set during installation. Client certificate alias that will be used in SSL connection for Liberty SOAP Binding.
com.sun.identity.liberty.ws.soap.messageIDCacheCleanupInterval

Default value is 60000. Specifies the number of milliseconds to elapse before cache cleanup events begin. Each message is stored in a cache with its ownmessageID to avoid duplicate messages. When a message's current time less the received time exceeds thestaleTimeLimit value, the message is removed from the cache.
com.sun.identity.liberty.ws.soap.staleTimeLimit

Default value is 300000. Determines if a message is stale and thus no longer trustworthy. If the message timestamp is earlier than the current timestamp by the specified number of milliseconds, the message the considered to be stale.
com.sun.identity.liberty.ws.soap.supportedActors

Default value is http://schemas.xmlsoap.org/soap/actor/next. Specifies supported SOAP actors. Each actor must be separated by a pipe character (|).
com.sun.identity.liberty.ws.ta.certalias

Value is set during installation. Specifies certificate alias for the trusted authority that will be used to sign SAML or SAML. BEARER token of response message.
com.sun.identity.liberty.ws.wsc.certalias

Value is set during installation. Specifies default certificate alias for issuing web service security token for this web service client.
com.sun.identity.liberty.ws.ta.certalias

Value is set during installation. Specifies certificate alias for trusted authority that will be used to sign SAML or SAML. BEARER token of response message.
com.sun.identity.liberty.ws.trustedca.certaliases

Value is set during installation.

Specifies certificate aliases for trusted CA. SAML or SAML BEARER token of incoming request. Message must be signed by a trusted CA in this list. The syntax is cert alias 1[:issuer 1]|cert alias 2[:issuer 2]|..... Example: myalias1:myissuer1|myalias2|myalias3:myissuer3. The value issuer is used when the token doesn't have a KeyInfo inside the signature. The issuer of the token must be in this list, and the corresponding certificate alias will be used to verify the signature. If KeyInfo exists, the keystore must contain a certificate alias that matches the KeyInfo and the certificate alias must be in this list.
com.sun.identity.liberty.ws.security.TokenProviderImpl

Value is set during installation. Specifies implementation for security token provider.
com.sun.identity.saml.removeassertion

Default value is true. A flag to indicate if de-referenced assertions should be removed from the cache. Applies to assertions that were created associated with artifacts, and have been de-referenced.

Logging Service

com.iplanet.am.logstatus

Specifies whether logging is turned on (ACTIVE) or off (INACTIVE). Value is set to ACTIVE during installation.

Logging Properties You Can Add to AMConfig.properties

You can configure the degree of detail to be contained in a specific log file by adding attributes to the AMConfig.properties file. Use the following format:

iplanet-am-logging.logfileName.level=java.util.logging.Level where logfileName is the name of a log file for an Access Manager service (see table 1), andjava.util.logging.Level is an allowable attribute value . Access Manager services log at the INFO level. SAML and Identity Federation services also log at more detailed levels (FINE, FINER, FINEST). Example:

iplanet-am-logging.amSSO.access.level=FINER

Logging to a particular log file can also be turned off. Example:

iplanet-am-logging.amConsole.access.evel=OFF

Table A–1 Access Manager Log Files


Log File Name	Records Logged
`amAdmin.access`	Successful amadmin command-line events
`amAdmin.error`	amadmin command-line error events
`amAuthLog.access`	Access Manager Policy Agent related events. See the Note following this table.
`amAuthentication.access`	Successful authentication events
`amAuthentication.error`	Authentication failures
`amConsole.access`	Console events
`amConsole.error`	Console error events.
`amFederation.access`	Successful Federation events.
`amFederation.error`	Federation error events.
`amPolicy.access`	Storage of policy allow events
`amPolicy.error`	Storage of policy deny events
`amSAML.access`	Successful SAML events
`amSAML.error`	SAME error events
`amLiberty.access`	Successful Liberty events
`amLiberty.error`	Liberty error events
`amSSO.access`	Single sign-on creation and destruction
`amSSO.error`	Single sign-on error events

Note –

The amAuthLog filename is determined by the Policy Agent properties in AMAgent.properties. For Web Policy Agents, the property is com.sun.am.policy.agents.config.remote.log. For J2EE Policy Agents, the property is com.sun.identity.agents.config.remote.logfile. The default is amAuthLog.host.domain.port, where host.domain is the fully-qualified host name of the host running the Policy Agent web server, and where port is the port number of that web server. If you have multiple Policy Agents deployed, you can have multiple instances of this file. The property com.sun.identity.agents.config.audit.accesstype (for both Web and J2EE Agents) determines what data is logged remotely. The logged data can include policy allows, policy denies, both allows and denies, or neither allows nor denies.

Naming Service

com.iplanet.am.naming.failover.url

This property is no longer being used in Access Manager 7.0.
com.iplanet.am.naming.url

Value is set during installation. Example: http://hostName.domainName.com:portNumber/amserver/namingservice

Specifies the naming service URL to use.

Notification Service

Use the following keys to configure the notification thread pool.

com.iplanet.am.notification.threadpool.size

Default value is 10. Defines the size of the pool by specifying the total number of threads.
com.iplanet.am.notification.threadpool.threshold

Default value is 100. Specifies the maximum task queue length.

When a notification task comes in, it is sent to the task queue for processing. If the queue reaches the maximum length, further incoming requests will be rejected along with a ThreadPoolException, until the queue has a vacancy.
com.iplanet.am.notification.url

Value is set during installation. Example: http://hostName.domainName.com:portNumber/amserver/notificationservice

Policy Agents

com.iplanet.am.policy.agents.url.deploymentDescriptor

Value is set during installation. Example: AGENT_DEPLOY_URI
com.sun.identity.agents.app.username

Default value is UrlAccessAgent. Specifies the username to use for the Application authentication module.
com.sun.identity.agents.cache.size

Default value is 1000. Specifies the size of the resource result cache. The cache is created on the server where the policy agent is installed.
com.sun.identity.agents.header.attributes

Default values are cn,ou,o,mail,employeenumber,c. Specifies the policy attributes to be returned by the policy evaluator. Uses the form a[,...]. In this example, a is the attribute in the data store to be fetched.
com.sun.identity.agents.logging.level

Default value is NONE. Controls the granularity of the Policy Client API logging level. The default value is NONE. Possible values are:

ALLOW

Logs access allowed requests.

DENY

Logs access denied requests.

BOTH

Logs both access allowed and access denied requests.

NONE

Logs no requests.
com.sun.identity.agents.notification.enabled

Default value is false. Enables or disables notifications for the Policy Client API.
com.sun.identity.agents.notification.url

Used by the policy client SDK to register policy change notifications. A mis-configuration of this property will result in policy notifications being disabled.
com.sun.identity.agents.polling.interval

Default value is 3. Specifies the polling interval which is the number of minutes after which an entry is dropped from the Client APIs cache.
com.sun.identity.agents.resource.caseSensitive

Default value is false. Description

Indicates whether case sensitive is turned on or off during policy evaluation.
com.sun.identity.agents.true.value

Indicates the true value of a policy action. This value can be ignored if the application does not need to access the PolicyEvaluator.isAllowed method. This value signifies how a policy decision from Access Manager should be interpreted. Default value is allow.
com.sun.identity.agents.resource.comparator.class

Default value is com.sun.identity.policy.plugins.URLResourceName

Specifies the resource comparison class name. Available implementation classes are: com.sun.identity.policy.plugins.PrefixResourceName and com.sun.identity.policy.plugins.URLResourceName.
com.sun.identity.agents.resource.delimiter

Default value is a backslash (/). Specifies the delimiter for the resource name.
com.sun.identity.agents.resource.wildcard

Default value is *. Specifies the wildcard for the resource name.
com.sun.identity.agents.server.log.file.name

Default value is amRemotePolicyLog. Specifies the name of the log file to use for logging messages to Access Manager. Only the name of the file is needed. The directory of the file is determined other Access Manager configuration settings.
com.sun.identity.agents.use.wildcard

Default value is true. Indicates whether to use a wildcard for resource name comparison.

Policy Client API

com.sun.identity.policy.client.booleanActionValues

iPlanetAMWebAgentService|POST|allow|deny

Default value is iPlanetAMWebAgentService|GET|allow|deny:.

Specifies Boolean action values for policy action names. Uses the form serviceName|actionName|trueValue|falseValue. Values for action names are delimited by a colon (:).
com.sun.identity.policy.client.cacheMode

Default value is self. Specifies cache mode for the client policy evaluator. Valid values are subtree and self. If set to subtree, the policy evaluator obtains policy decisions from the server for all the resources from the root of resource actually requested. If set to self, the policy evaluator gets the policy decision from the server only for the resource actually requested.
com.sun.identity.policy.client.clockSkew

Adjusts for time difference between the policy client machine and the policy server. If this property does not exist, and if the policy agent time differs from the policy server time, you occasionally see and incorrect policy decision. You must run a time-syncing service to keep the time on the policy server and on the policy client as close as possible. Use this property to adjust for the small time difference regardless of running time syncing service. Clock skew in seconds = agentTime - serverTime . Comment the property out on the policy server. Uncomment the line and set the appropriate value on the policy client machine or the machine running the policy agent agent-server clock skew (in seconds).
com.sun.identity.policy.client.resourceComparators=

serviceType=iPlanetAMWebAgentService|class=

Specifies ResourceComparators to be used for different service names. Copy the value from the Access Manager console. Go to Service Configuration > PolicyConfiguration > Global:ResourceComparator. Concatenate multiple values from Access Manager using a colon (: ) as the delimiter.
com.sun.identity.policy.plugins.URLResourceName|wildcard

Default value is *|delimiter=/|caseSensitive=trueDescription

Profile Service

com.iplanet.am.profile.host

This property is no longer used in Access Manager 7. It is provided only for backward compatibility. Value is set during installation. Example: hostName.domainName.com
com.iplanet.am.profile.port

This property is no longer used in Access Manager 7. It is provided only for backward compatibility. Value is set during installation. Example: 80

Replication

Use the following keys to configure replication setup.

com.iplanet.am.replica.delay.between.retries

Default value is 1000. Specifies the number of milliseconds between retries.
com.iplanet.am.replica.num.retries

Default value is 0. Specifies the number of times to retry.

SAML Service

com.sun.identity.saml.assertion.version

Default value is 1.1. Specifies default SAML version used. Possible values are 1.0 or 1.1.
com.sun.identity.saml.checkcert

Default value is on. Flag for checking the certificate embedded in the KeyInfo against the certificates in the keystore. Certificates in the keystore are specified by the com.sun.identity.saml.xmlsig.keystore property. Possible values are: on|off. If the flag is "on", * the certification must be presented in the keystore for * XML signature validation. If the flag is "off", skip * the presence checking. */

on

Certification must be presented in the keystore for XML signature validation

off

Skips the presence checking.
com.sun.identity.saml.protocol.version

Default value is 1.1. Specifies default SAML version used. Possible values are 1.0 or 1.1.
com.sun.identity.saml.removeassertion
com.sun.identity.saml.request.maxContentLength

Default value is 16384. Specifies the maximum content-length for an HTTP Request that will be used in SAML.
com.sun.identity.saml.xmlsig.certalias

Default value is test. Description
com.sun.identity.saml.xmlsig.keypass

Value is set during installation. Example: /etc/opt/SUNWam/config/.keypass

Specifies the path to the SAML XML key password file.
com.sun.identity.saml.xmlsig.keystore

Value is set during installation. Example: /etc/opt/SUNWam/config/keystore.jks

Specifies the path to the SAML XML keystore password file.
com.sun.identity.saml.xmlsig.storepass

Value is set during installation. Example: /etc/opt/SUNWam/config/.storepass

Specifies the path to the SAML XML key storepass file.

Security

com.iplanet.security.encryptor

Default value is com.iplanet.services.util.JSSEncryption. Specifies the encrypting class implementation. Available classes are: com.iplanet.services.util.JCEEncryption and com.iplanet.services.util.JSSEncryption.
com.iplanet.security.SecureRandomFactoryImpl

Default value is com.iplanet.am.util.JSSSecureRandomFactoryImpl. Specifies the factory class name for SecureRandomFactory. Available implementation classes are: com.iplanet.am.util.JSSSecureRandomFactoryImpl which uses JSS, and com.iplanet.am.util.SecureRandomFactoryImpl which uses pure Java.
com.iplanet.security.SSLSocketFactoryImpl

Default value is com.iplanet.services.ldap.JSSSocketFactory. Specifies the factory class name for LDAPSocketFactory. Available classes are: com.iplanet.services.ldap.JSSSocketFactory which uses JSS, and netscape.ldap.factory.JSSESocketFactory which uses pure Java.
com.sun.identity.security.checkcaller

Default value is false. Enables or disables Java security manager permissions check for Access Manager. Disabled by default. If enabled, then you should make appropriate changes to the Java policy file of the container in which Access Manager is deployed. This way, Access Manager JAR files can be trusted for performing sensitive operations. For more information, see the Java API Reference (Javadoc) entry for com.sun.identity.security.
am.encryption.pwd

Value is set during installation. Example: dSB9LkwPCSoXfIKHVMhIt3bKgibtsggd

Specifies the key used to encrypt and decrypt passwords.

Session Service

com.iplanet.am.clientIPCheckEnabled

Default value is false. Specifies whether or not the IP address of the client is checked in all SSOToken creations or validations.
com.iplanet.am.session.client.polling.enable

This is a READ-ONLY property. Do not modify the property value.

Default value is false. Enables client-side session polling. Please note that the session polling mode and the session notification mode are mutually exclusive. If the polling mode is enabled, the session notification is automatically turned off, and vice versa.
com.iplanet.am.session.client.polling.period

Default value is 180. Specifies number of seconds in a polling period.
com.iplanet.am.session.httpSession.enabled

Default value is true. Enables or disables USING httpSession.
com.iplanet.am.session.invalidsessionmaxtime

Default value is 10. Specifies the number of minutes after which the invalid session will be removed from the session table if it is created and the user does not login. This value should always be greater than the timeout value in the Authentication module properties file.
com.iplanet.am.session.maxSessions

Default value is 5000. Specify the maximum number of allowable concurrent sessions.

Login sends a Maximum Sessions error if the maximum concurrent sessions value exceeds this number.
com.iplanet.am.session.purgedelay

Default value is 60. Specifies the number of minutes to delay the purge session operation.

After a session times out, this is an extended time period during which the session continues to reside in the session server. This property is used by the client application to check if the session has timed out through SSO APIs. At the end of this extended time period, the session is destroyed. The session is not sustained during the extended time period if the user logs out or if the session is explicitly destroyed by an Access Manager component. The session is in the INVALID state during this extended period.
com.sun.am.session.caseInsensitiveDN

Default value is true. Compares the Agent DN. If the value is false, the comparison is case-sensitive.
com.sun.am.session.enableHostLookUp

Default value is false. Enables or disables host lookup during session logging.

SMTP

com.iplanet.am.smtphost

Default value is localhost. Specifies the mail server host.
com.iplanet.am.smtpport

Default value is 25. Specifies the mail server port.

Statistics Service

com.iplanet.am.stats.interval

Default value is 60. Specifies number of minutes to elapse between statistics logging. Minimum is 5 seconds to avoid CPU saturation. Access Manager assumes any value less than 5 seconds to be 5 seconds.
com.iplanet.services.stats.directory

Value is set during installation. Example: /var/opt/SUNWam/stats Specifies directory where debug files are created.
com.iplanet.services.stats.state

Default value is file. Specifies location of statistics log. Possible values are:

off

No statistics are logged.

file

Statistics are written to a file under the specified directory.

console

Statistics are written into Web Server log files.