Sun Java System Access Manager 7.1 Administration Reference

Global Properties

Global Properties contain the services that enable you to define password reset functionality, policy configuration, session handling and default user preferences for Access Manager. The services you can configure are:

Password Reset

Access Manager provides a Password Reset service to allow users to receive an email message containing a new password or to reset their password for access to a given service or application protected by Access Manager. The Password Reset attributes are realm attributes. The attributes are:

User Validation

This attribute specifies the value that is used to search for the user whose password is to be reset.

Secret Question

This field allows you to add a list of questions that the user can use to reset his or her password. To add a question, type it in the Secret Question field and click Add. The selected questions appear in the user's User Profile page, where the user can choose a question to use for resetting the password. Users may create their own question if the Personal Question attribute is enabled.

Search Filter

This attribute specifies the search filter to be used to find user entries.

Base DN

This attribute specifies the DN from which the user search will start. If no DN is specified, the search will start from the realm DN. You should not use cn=directorymanager as the base DN, due to proxy authentication conflicts.

Bind DN

This attribute value is used with Bind Password as the directory identity that Access Manager binds as to write the new password to the user entry. Use a dedicated account whose write access is limited to what the reset needs, rather than an administrative DN.

Bind Password

This attribute value is used with Bind DN to reset the user password.

Password Reset Option

This attribute determines the class name of the plug-in that generates the new password. The default class name is com.sun.identity.password.RandomPasswordGenerator. The password reset class can be customized through a plug-in; a custom class must implement the PasswordGenerator interface.

Password Change Notification Option

This attribute determines the method used to notify the user that the password has been reset. The default class name is com.sun.identity.password.EmailPassword. The password notification class can be customized through a plug-in; a custom class must implement the NotifyPassword interface. See the Access Manager Developer's Guide for more information.

Password Reset

Selecting this attribute will enable the password reset feature.

Personal Question

Selecting this attribute will allow a user to create a unique question for password resetting.

Maximum Number of Questions

This value specifies the maximum number of questions to be asked in the password reset page.

Force Change Password on Next Login

When enabled, this option forces the user to change his or her password on the next login. If you want an administrator, other than the top-level administrator, to set the force password reset option, you must modify the Default Permissions ACIs to allow access to that attribute.

Password Reset Failure Lockout

This attribute specifies whether a user who repeatedly fails to reset the password through the Password Reset application is locked out of further reset attempts, according to the count, interval and duration attributes below. By default, this feature is not enabled.

Password Reset Failure Lockout Count

This attribute defines the number of attempts that a user may make to reset a password, within the time interval defined in Password Reset Failure Lockout Interval, before being locked out. For example, if Password Reset Failure Lockout Count is set to 5 and Password Reset Failure Lockout Interval is set to 5 minutes, the user has five chances within five minutes to reset the password before being locked out.

Password Reset Failure Lockout Interval

This attribute defines (in minutes) the amount of time in which the number of password reset attempts (as defined in Password Reset Failure Lockout Count) can be completed, before being locked out.

Email Address to Send Lockout Notification

This attribute specifies an email address that will receive notification if a user is locked out from the Password Reset service. Specify multiple email addresses as a space-separated list.

Warn User After N Failure

This attribute specifies the number of password reset failures that can occur before Access Manager sends the user a warning that he or she is about to be locked out.

Password Reset Failure Lockout Duration

This attribute defines (in minutes) the duration that user will not be able to attempt a password reset if a lockout has occurred.

Password Reset Lockout Attribute Name

This attribute specifies the name of the user attribute (by default inetuserstatus) that Access Manager writes when a user is locked out of Password Reset; the value written is taken from Password Reset Lockout Attribute Value. If a user is locked out from Password Reset and Password Reset Failure Lockout Duration (minutes) is set to 0, the lockout is not timed: inetuserstatus is set to inactive, prohibiting the user from attempting to reset his or her password until the status is set back to active.

Password Reset Lockout Attribute Value

This attribute specifies the value (active or inactive) written to the attribute named in Password Reset Lockout Attribute Name when a user is locked out. If a user is locked out from Password Reset and Password Reset Failure Lockout Duration (minutes) is set to 0, inetuserstatus is set to inactive, prohibiting the user from attempting to reset his or her password.
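The lockout attributes above interact: failures are counted inside a sliding interval, a warning is produced after N of them, and a Duration of 0 turns a timed lockout into a status change on the user entry. The following Python model is an added example, not Access Manager code; the attribute values, the user entries, the minute-based clock and the mail stand-in are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutConfig:
    """Password Reset lockout attributes from this section. The values are
    constructed for the example, not Access Manager defaults."""
    enabled: bool = True               # Password Reset Failure Lockout
    count: int = 5                     # Password Reset Failure Lockout Count
    interval_min: int = 5              # Password Reset Failure Lockout Interval (minutes)
    warn_after: int = 3                # Warn User After N Failure
    duration_min: int = 15             # Password Reset Failure Lockout Duration (0 = permanent)
    attr_name: str = "inetuserstatus"  # Password Reset Lockout Attribute Name
    attr_value: str = "inactive"       # Password Reset Lockout Attribute Value
    notify: str = "secops@example.com helpdesk@example.com"  # space-separated recipients


@dataclass
class UserEntry:
    """Minimal stand-in for a directory user entry (constructed)."""
    uid: str
    attrs: Dict[str, str] = field(default_factory=lambda: {"inetuserstatus": "active"})


@dataclass
class LockoutState:
    failures: List[int] = field(default_factory=list)  # minute stamps of recent failures
    locked_until: Optional[int] = None                 # end of a timed lockout


class PasswordResetLockout:
    def __init__(self, cfg: LockoutConfig):
        self.cfg = cfg
        self.state: Dict[str, LockoutState] = {}
        # Stand-in for the lockout notification mail: (recipients, subject).
        self.sent_mail: List[Tuple[List[str], str]] = []

    def _state(self, uid: str) -> LockoutState:
        return self.state.setdefault(uid, LockoutState())

    def is_locked(self, user: UserEntry, now_min: int) -> bool:
        """Locked if the lockout value was written to the entry (Duration = 0)
        or a timed lockout is still running."""
        if user.attrs.get(self.cfg.attr_name) == self.cfg.attr_value:
            return True
        st = self._state(user.uid)
        return st.locked_until is not None and now_min < st.locked_until

    def record_failure(self, user: UserEntry, now_min: int) -> str:
        """Register one failed reset attempt; returns 'ok', 'warn' or 'locked'."""
        if not self.cfg.enabled:
            return "ok"
        st = self._state(user.uid)
        # Sliding window: only failures inside the lockout interval count.
        st.failures = [t for t in st.failures if now_min - t < self.cfg.interval_min]
        st.failures.append(now_min)
        n = len(st.failures)
        if n >= self.cfg.count:
            st.failures.clear()
            if self.cfg.duration_min == 0:
                # Not timed: write the lockout value to the user entry; someone
                # has to set the status back to active.
                user.attrs[self.cfg.attr_name] = self.cfg.attr_value
            else:
                st.locked_until = now_min + self.cfg.duration_min
            self.sent_mail.append((self.cfg.notify.split(),
                                   f"{user.uid} locked out of Password Reset"))
            return "locked"
        if n >= self.cfg.warn_after:
            return "warn"
        return "ok"
```

With the constructed settings, five failures in five minutes lock the user for fifteen minutes and send one mail to both recipients; five failures spread over a longer period never reach the count, because older failures fall out of the window. The Duration = 0 path is the one to test before enabling it in production, since it also makes the user unable to authenticate until the status is reset.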

Policy Configuration

The Policy Configuration attributes enable the administrator to set the global and realm properties used by the Policy service.

Global Properties

The Global Properties are:

Resource Comparator

Specifies the resource comparator information used to compare resources specified in a Policy rule definition. Resource comparison is used for both policy creation and evaluation.

Click the Add button and define the following attributes:

Service Type

Specifies the service type for which this comparator is used.

Class

Defines the Java class that implements the resource comparison algorithm.

Delimiter

Specifies the delimiter to be used in the resource name.

Wildcard

Specifies the wildcard that can be defined in resource names.

One Level Wildcard

Specifies the one-level wildcard, which matches zero or more characters within a single level of the resource name, that is, without crossing the delimiter. The Wildcard, by contrast, can span several levels.

Case Sensitive

Specifies if the comparison of the two resources should consider or ignore case. False ignores case, True considers case.

Continue Evaluation on Deny Decision

Specifies whether or not the policy framework should continue evaluating subsequent policies, even if a DENY policy decision exists. If it is not selected (default), policy evaluation would skip subsequent policies once the DENY decision is recognized.

Advices Handleable by Access Manager

Defines the names of policy advice keys for which the Policy Enforcement Point (policy agent) redirects the user agent to Access Manager. If the agent receives a policy decision that does not allow access to a resource but does carry advices, the agent checks whether any of the advice keys is listed in this attribute.

If such an advice is found, the user agent is redirected to Access Manager, potentially allowing the access to the resource.
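To make the three preceding attributes concrete (the Resource Comparator fields, Continue Evaluation on Deny Decision, and the advices an agent may hand back to Access Manager), here is an added Python model; it is not Access Manager's policy framework or agent code. The comparator settings (service type, "/" delimiter, "*" wildcard, "-*-" one-level wildcard, case-insensitive), the policies and the advice key are assumed values constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ResourceComparator:
    """One entry of the Resource Comparator attribute. The values are assumed
    settings for a URL-style web service, not defaults taken from the page."""
    service_type: str = "iPlanetAMWebAgentService"
    delimiter: str = "/"
    wildcard: str = "*"
    one_level_wildcard: str = "-*-"
    case_sensitive: bool = False

    def _regex(self, pattern: str) -> "re.Pattern[str]":
        parts: List[str] = []
        i = 0
        while i < len(pattern):
            if pattern.startswith(self.one_level_wildcard, i):
                # Zero or more characters, but never across the delimiter.
                parts.append("[^" + re.escape(self.delimiter) + "]*")
                i += len(self.one_level_wildcard)
            elif pattern.startswith(self.wildcard, i):
                parts.append(".*")  # may span any number of levels
                i += len(self.wildcard)
            else:
                parts.append(re.escape(pattern[i]))
                i += 1
        flags = 0 if self.case_sensitive else re.IGNORECASE
        return re.compile("^" + "".join(parts) + "$", flags)

    def matches(self, pattern: str, resource: str) -> bool:
        return self._regex(pattern).match(resource) is not None


@dataclass
class Policy:
    name: str
    rule: str                  # resource pattern of the rule
    decision: str              # "ALLOW" or "DENY" when subjects and conditions apply
    applicable: bool = True    # outcome of subject/condition evaluation (constructed)
    advices: Dict[str, List[str]] = field(default_factory=dict)  # from a failed condition


@dataclass
class PolicyDecision:
    decision: str
    evaluated: List[str]
    advices: Dict[str, List[str]]


def decide(policies: List[Policy], resource: str, cmp: ResourceComparator,
           continue_on_deny: bool = False) -> PolicyDecision:
    """Walk the policies whose rule matches the resource. DENY overrides ALLOW;
    with Continue Evaluation on Deny Decision off, the walk stops at the first DENY."""
    evaluated: List[str] = []
    advices: Dict[str, List[str]] = {}
    allowed = denied = False
    for p in policies:
        if not cmp.matches(p.rule, resource):
            continue
        evaluated.append(p.name)
        if not p.applicable:
            for key, vals in p.advices.items():
                advices.setdefault(key, []).extend(vals)
            continue
        if p.decision == "DENY":
            denied = True
            if not continue_on_deny:
                break
        else:
            allowed = True
    final = "DENY" if denied or not allowed else "ALLOW"
    return PolicyDecision(final, evaluated, advices)


def agent_action(d: PolicyDecision, handleable: List[str]) -> str:
    """Agent side: serve an ALLOW; redirect a DENY that carries an advice key
    listed in Advices Handleable by Access Manager; otherwise forbid."""
    if d.decision == "ALLOW":
        return "grant"
    if any(key in handleable for key in d.advices):
        return "redirect"
    return "forbid"
```

Two points worth checking in a real deployment follow from the model: with Case Sensitive set to False, a rule on /admin/* also covers /ADMIN/*, which is what you want for hostnames but may not be for paths on a case-sensitive server; and a redirect on an advice only happens when the key is in the handleable list, so an unlisted condition advice results in a plain deny.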

Organization Alias Referrals

When set to Yes, this attribute allows you to create policies in sub-realms without having to create referral policies from the top-level or parent realm. You can only create policies to protect HTTP or HTTPS resources whose fully qualified hostname matches the DNSAlias of the realm. By default, this attribute is defined as No.

Realm Attributes

The LDAP Properties are:

Primary LDAP Server

Specifies the host name and port number of the primary LDAP server specified during Access Manager installation that will be used to search for Policy subjects, such as LDAP users, LDAP roles, LDAP groups, and so forth.

The format is hostname:port. For example: machine1.example.com:389

For failover configuration to multiple LDAP server hosts, this value can be a space-delimited list of hosts. The format is hostname1:port1 hostname2:port2...

For example: machine1.example1.com:389 machine2.example1.com:389

Multiple entries must be prefixed by the local server name. This allows specific Access Manager instances to be configured to talk to specific Directory Servers.

The format is servername|hostname:port For example:

machine1.example1.com|machine1.example1.com:389

machine1.example2.com|machine1.example2.com:389

For failover configuration:

AM_Server1.example1.com|machine1.example1.com:389 machine2.example1.com:389

AM_Server2.example2.com|machine1.example2.com:389 machine2.example2.com:389
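A parser for the three value forms just listed (single host, space-delimited failover list, and servername-prefixed lists), as an added Python example rather than Access Manager's own code. It picks the failover list for the local server and rejects malformed host:port tokens, which is a useful check before saving the attribute; the server and host names in the test are the ones shown above and are illustrative.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LdapHost:
    host: str
    port: int


def parse_ldap_server_value(value: str) -> Tuple[Optional[str], List[LdapHost]]:
    """Parse one value of Primary LDAP Server. Accepted forms:
         host:port
         host1:port1 host2:port2 ...
         servername|host1:port1 host2:port2 ...
    Returns (servername or None, failover list in the order given)."""
    server: Optional[str] = None
    if "|" in value:
        server, _, value = value.partition("|")
        server = server.strip()
        if not server:
            raise ValueError("empty server name before '|'")
    hosts: List[LdapHost] = []
    for token in value.split():
        host, sep, port = token.rpartition(":")
        if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ValueError(f"expected host:port, got {token!r}")
        hosts.append(LdapHost(host, int(port)))
    if not hosts:
        raise ValueError("no host:port entries")
    return server, hosts


def failover_list(values: List[str], local_server: str) -> List[LdapHost]:
    """Choose the failover list this Access Manager instance should use.
    With more than one value, every value must carry the servername| prefix."""
    parsed = [parse_ldap_server_value(v) for v in values]
    if len(parsed) > 1 and any(server is None for server, _ in parsed):
        raise ValueError("multiple values require the servername| prefix on each")
    for server, hosts in parsed:
        if server is None or server.lower() == local_server.lower():
            return hosts
    raise LookupError(f"no Primary LDAP Server value for {local_server}")
```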

LDAP Base DN

Specifies the base DN in the LDAP server from which to begin the search. By default, it is the top-level realm of the Access Manager installation.

LDAP Users Base DN

This attribute specifies the base DN used by the LDAP Users subject in the LDAP server from which to begin the search. By default, it is the top-level realm of the Access Manager installation base.

Access Manager Roles Base DN

Defines the DN of the realm or organization which is used as a base while searching for the values of Access Manager Roles. This attribute is used by the AccessManagerRoles policy subject.

LDAP Bind DN

Specifies the bind DN in the LDAP server.

LDAP Bind Password

Defines the password used for binding to the LDAP server. By default, the bind user is amldapuser, with the password that was entered for it during installation.

LDAP Organization Search Filter

Specifies the search filter to be used to find organization entries. The default is (objectclass=sunManagedOrganization).

LDAP Organizations Search Scope

Defines the scope to be used to find organization entries. The scope must be one of the following:

LDAP Groups Search Scope

Defines the scope to be used to find group entries. The scope must be one of the following:

LDAP Groups Search Filter

Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).

LDAP Users Search Filter

Specifies the search filter to be used to find user entries. The default is (objectclass=inetorgperson).

LDAP Users Search Scope

Defines the scope to be used to find user entries. The scope must be one of the following:

LDAP Roles Search Filter

Specifies the search filter to be used to find entries for roles. The default is (&(objectclass=ldapsubentry)(objectclass=nsroledefinition)).

LDAP Roles Search Scope

This attribute defines the scope to be used to find entries for roles. The scope must be one of the following:

Access Manager Roles Search Scope

Defines the scope to be used to find entries for Access Manager Roles subject.

LDAP Organization Search Attribute

Defines the attribute type for which to conduct a search on an organization. The default is o.

LDAP Groups Search Attribute

Defines the attribute type for which to conduct a search on a group. The default is cn.

LDAP Users Search Attribute

Defines the attribute type for which to conduct a search on a user. The default is uid.

LDAP Roles Search Attribute

This field defines the attribute type for which to conduct a search on a role. The default is cn.

Maximum Results Returned from Search

This field defines the maximum number of results returned from a search. The default value is 100. If the number of matching entries exceeds this limit, only the entries found up to that point are returned.

Search Timeout

Specifies the amount of time before a search times out. If the search exceeds the specified time, the entries found up to that point are returned.

LDAP SSL

Specifies whether or not the LDAP server is running SSL. Selecting enables SSL, deselecting (default) disables SSL.

If the LDAP server is running with SSL enabled (LDAPS), you must make sure that Access Manager is configured with the proper SSL-trusted certificates so that it can connect to Directory Server over LDAPS. Without SSL, the bind password and the subject search results travel over the network in clear text.

LDAP Connection Pool Minimum Size

Specifies the minimum size of the connection pool used for connecting to the Directory Server specified in the LDAP server attribute. The default is 1.

Connection Pool Maximum Size

This attribute specifies the maximum size of the connection pool used for connecting to the Directory Server specified in the LDAP server attribute. The default is 10.

Selected Policy Subjects

Allows you to select a set of subject types available to be used for policy definition in the realm.

Selected Policy Conditions

Allows you to select a set of condition types available to be used for policy definition in the realm.

Selected Policy Referrals

Allows you to select a set of referral types available to be used for policy definition in the realm.

Subject Results Time To Live

This attribute specifies the amount of time (in minutes) that a cached subject result can be used to evaluate the same policy request based on the single sign-on token.

When a policy is initially evaluated for an SSO token, the subject instances in the policy are evaluated to determine whether the policy is applicable to a given user. The subject result, which is keyed by the SSO token ID, is cached in the policy. If another evaluation occurs for the same policy for the same SSO token ID within the time specified in the Subject Result Time To Live attribute, the policy framework retrieves the cached subjects result, instead of evaluating the subject instances. This significantly reduces the time for policy evaluation.
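The cache just described trades evaluation cost for revocation latency: a subject result stays valid for the TTL even if the user's group or role membership changes in the directory in the meantime. The following Python cache is an added example, not the policy framework's code; the token IDs, the membership table and the minute clock are constructed.

```python
from typing import Callable, Dict, Tuple


class SubjectResultCache:
    """Per-policy cache of 'does this policy's subject apply to this SSO token',
    expiring after Subject Results Time To Live (minutes)."""

    def __init__(self, ttl_min: int):
        self.ttl_min = ttl_min
        # (policy name, SSO token ID) -> (applicable, stored_at_min)
        self._cache: Dict[Tuple[str, str], Tuple[bool, int]] = {}
        self.subject_evaluations = 0  # how often the subject plug-ins really ran

    def is_applicable(self, policy: str, sso_token_id: str, now_min: int,
                      evaluate_subjects: Callable[[str], bool]) -> bool:
        key = (policy, sso_token_id)
        hit = self._cache.get(key)
        if hit is not None and now_min - hit[1] < self.ttl_min:
            return hit[0]  # served from cache, subjects not re-evaluated
        self.subject_evaluations += 1
        result = evaluate_subjects(sso_token_id)
        self._cache[key] = (result, now_min)
        return result

    def invalidate_token(self, sso_token_id: str) -> int:
        """Drop every cached result for a token, e.g. when its session is
        destroyed; returns the number of entries removed."""
        keys = [k for k in self._cache if k[1] == sso_token_id]
        for k in keys:
            del self._cache[k]
        return len(keys)
```

The test below shows the caveat directly: a membership revoked at minute 1 is still honoured at minute 9 with a 10-minute TTL, so choose the TTL with the acceptable revocation delay in mind, and destroy the session when an immediate cut-off is required.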

User Alias

This attribute must be enabled if you create a policy whose subject is a user in a remote Directory Server that is defined as an alias of a local Access Manager user. For example, it must be enabled if you create uid=rmuser in the remote Directory Server and then add rmuser as an alias to a local user (such as uid=luser) in Access Manager. When you log in as rmuser, a session is created for the local user (luser) and policy enforcement succeeds.

Selected Response Providers

Defines the policy response provider plug-ins that are enabled for the realm. Only the response provider plug-ins selected in this attribute can be added to policies defined in the realm.

Selected Dynamic Response Attributes

Defines the dynamic response attributes that are enabled for the realm. Only a subset of names selected in this attribute can be defined in the dynamic attributes list in IDResponseProvider to be added to policies defined in the realm.

Session

The Session service defines values for an authenticated user session such as maximum session time and maximum idle time. The Session attributes are global, dynamic, or user attributes. The attributes are:

Secondary Configuration Instance

Provides the connection information for the session repository used for the session failover functionality in Access Manager. The URL of the load balancer should be given as the identifier to this secondary configuration. If the secondary configuration is defined in this case, the session failover feature will be automatically enabled and become effective after the server restart. See To Add a Sub Configuration for more information.

Maximum Number of Search Results

This attribute specifies the maximum number of results returned by a session search. The default value is 120.

Timeout for Search

This attribute defines the maximum amount of time before a session search terminates. The default value is 5 seconds.

Property Change Notifications

Enables or disables session property change notification. In a single sign-on environment, one Access Manager session can be shared by multiple applications. If this feature is set to ON and one application changes any of the session properties listed in Notification Properties (a separate Session service attribute), a notification is sent to the other applications participating in the same single sign-on environment.

Quota Constraints

Enables or disables session quota constraints. The enforcement of session quota constraints enables administrators to limit a user to have a specific number of active/concurrent sessions based on the constraint settings at the global level, or the configurations associated with the entities (realm/role/user) to which this particular user belongs.

The default setting for this attribute is OFF. You must restart the server if the settings are changed.

Read Timeout for Quota Constraint

Defines the amount of time (in milliseconds) that an inquiry to the session repository for the live user session count will continue before timing out.

After the maximum read time is reached, an error is returned. This attribute will take effect only when the session quota constraint is enabled in the session failover deployment. The default value is 6000 milliseconds. You must restart the server if the settings are changed.

Exempt Top-Level Admins From Constraint Checking

Specifies whether the users with the Top-level Admin Role should be exempt from the session constraint checking. If YES, even though the session constraint is enabled, there will be no session quota checking for these administrators.

The default setting for this attribute is NO. You must restart the server if the settings are changed. This attribute will take effect only when the session quota constraint is enabled.


Note –

The super user defined for Access Manager in AMConfig.properties (com.sun.identity.authentication.super.user) is always exempt from session quota constraint checking.


Resulting Behavior If Session Quota Exhausted

Specifies the resulting behavior when the user session quota is exhausted. There are two selectable options for this attribute:

DESTROY_OLD_SESSION

The next expiring session will be destroyed.

DENY_ACCESS

The new session creation request will be denied.

This attribute will take effect only when the session quota constraint is enabled and the default setting is DESTROY_OLD_SESSION .

Notification Properties

When a change occurs on a session property defined in the list, the notification will be sent to the registered listeners. The attribute will take effect when the feature of Session Property Change Notification is enabled.

Maximum Session Time

This attribute accepts a value in minutes to express the maximum time before the session expires and the user must reauthenticate to regain access. A value of 1 or higher will be accepted. The default value is 120. (To balance the requirements of security and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value.) Max Session Time limits the validity of the session. It does not get extended beyond the configured value.

Maximum Idle Time

This attribute accepts a value (in minutes) equal to the maximum amount of time without activity before a session expires and the user must reauthenticate to regain access. A value of 1 or higher will be accepted. The default value is 30. (To balance the requirements of security and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value.)

Maximum Caching Time

This attribute accepts a value (in minutes) equal to the maximum interval before the client contacts Access Manager to refresh cached session information. A value of 0 or higher will be accepted. The default value is 3. It is recommended that the maximum caching time should always be less than the maximum idle time.

Active User Sessions

Specifies the maximum number of concurrent sessions allowed for a user.
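The quota settings (Quota Constraints, Exempt Top-Level Admins From Constraint Checking, Resulting Behavior If Session Quota Exhausted, Active User Sessions) and the session timers (Maximum Session Time, Maximum Idle Time) combine into one piece of behaviour that is easiest to see in code. The Python model below is an added example and not Access Manager's session service; the defaults of 120 and 30 minutes are the page's, while the quota of 2, the user names, the super user name and the minute-based clock are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class SessionConfig:
    """Session service attributes from this section; constructed values where
    the page states no default."""
    max_session_min: int = 120        # Maximum Session Time (page default)
    max_idle_min: int = 30            # Maximum Idle Time (page default)
    active_user_sessions: int = 2     # Active User Sessions (constructed quota)
    quota_constraints: bool = True    # Quota Constraints (page default is OFF)
    exempt_top_level_admins: bool = False
    on_quota_exhausted: str = "DESTROY_OLD_SESSION"  # or "DENY_ACCESS"
    super_user: str = "amadmin"       # com.sun.identity.authentication.super.user (assumed)


@dataclass
class Session:
    sid: str
    user: str
    created_min: int
    last_access_min: int
    cfg: SessionConfig

    def expires_at(self) -> int:
        # The absolute lifetime is never extended; the idle limit moves with each access.
        return min(self.created_min + self.cfg.max_session_min,
                   self.last_access_min + self.cfg.max_idle_min)

    def is_valid(self, now_min: int) -> bool:
        return now_min < self.expires_at()

    def touch(self, now_min: int) -> bool:
        """Record activity; returns False if the session had already expired."""
        if not self.is_valid(now_min):
            return False
        self.last_access_min = now_min
        return True


class SessionService:
    def __init__(self, cfg: SessionConfig, top_level_admins: Iterable[str] = ()):
        self.cfg = cfg
        self.sessions: Dict[str, Session] = {}
        self.top_level_admins = set(top_level_admins)
        self._counter = 0

    def live_sessions(self, user: str, now_min: int) -> List[Session]:
        return [s for s in self.sessions.values() if s.user == user and s.is_valid(now_min)]

    def _exempt(self, user: str) -> bool:
        if user == self.cfg.super_user:
            return True  # always exempt, regardless of the attribute
        return self.cfg.exempt_top_level_admins and user in self.top_level_admins

    def create(self, user: str, now_min: int) -> Optional[Session]:
        """Create a session after authentication; None means DENY_ACCESS rejected it."""
        if self.cfg.quota_constraints and not self._exempt(user):
            live = self.live_sessions(user, now_min)
            if len(live) >= self.cfg.active_user_sessions:
                if self.cfg.on_quota_exhausted == "DENY_ACCESS":
                    return None
                victim = min(live, key=lambda s: s.expires_at())  # next expiring session
                self.destroy(victim.sid)
        self._counter += 1
        s = Session(f"sid-{self._counter}", user, now_min, now_min, self.cfg)
        self.sessions[s.sid] = s
        return s

    def destroy(self, sid: str) -> None:
        self.sessions.pop(sid, None)
```

Note what DESTROY_OLD_SESSION actually does: the session closest to expiry is destroyed, not the oldest by creation time, so a long-idle session is evicted before a recently active one. DENY_ACCESS is the stricter choice when a stolen session must not be able to push out the legitimate one.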

To Add a Sub Configuration

  1. Click New in the Secondary Configuration Instance list.

  2. Enter a name for the new Sub Configuration.

  3. Enter data for the following fields:

    Session Store User

    Defines the database user who is used to retrieve and store the session data.

    Session Store Password

Defines the password for the database user defined in Session Store User.

    Session Store Password (Confirm)

    Confirm the password.

    Maximum Wait Time

    Defines the total time a thread is willing to wait for acquiring a database connection object. The value is in milliseconds.

    Database Url

    Specifies the URL of the database.

  4. Click Add.

User

The default user preferences are defined through the user service. These include time zone, locale and DN starting view. The User service attributes are dynamic attributes.

User Preferred Language

This field specifies the user's choice for the text language displayed in the Access Manager console. The default value is en. This value maps a set of localization keys to the user session so that the on-screen text appears in a language appropriate for the user.

User Preferred Timezone

This field specifies the time zone in which the user accesses the Access Manager console. There is no default value.

Inherited Locale

This field specifies the locale for the user. The default value is en_US. See Supported Language Locales for a list of locales.

Administrator Starting View

If this user is an Access Manager administrator, this field specifies the node that is the starting point displayed in the Access Manager console when this user logs in. There is no default value. A valid DN to which the user has at least read access can be used.

Default User Status

This option indicates the default status for any newly created user. This status is superseded by the User Entry status. Only active users can authenticate through Access Manager. The default value is Active. Either of the following can be selected from the pull-down menu:

Active

The user can authenticate through Access Manager.

Inactive

The user cannot authenticate through Access Manager, but the user profile remains stored in the directory.

The individual user status is set by registering the User service, choosing the value, applying it to a role and adding the role to the user's profile.