AMConfig.properties is the main configuration file for Access Manager. You can configure some, but not all, of the properties in this file. This chapter provides descriptions of properties contained in AMConfig.properties, default property values, and instructions for modifying values that can be changed without rendering Access Manager unusable.
At installation, AMConfig.properties is located in the following directory: /etc/opt/SUNWam/config.
AMConfig.properties contains one property per line, and each property has a corresponding value. Properties and values are case-sensitive. Lines that begin with the characters slash and asterisk (/*) are comments, and comments are ignored by the application. Comments end with a last line that contains the closing characters asterisk and slash (*/).
After you modify properties in AMConfig.properties, you must restart Access Manager to activate the changes.
Value is set during installation. Example: /amconsole
Value is set during installation. Example: hostName.domain.Name.com
Value is set during installation. Example: 80
Value is set during installation. Example: http
This is a READ-ONLY property. Do not change the property value.
Value is set during installation. Example: /opt/SUNWam/web-src/services/WEB-INF
This is a READ-ONLY property. Do not change the property value.
Value is set during installation. Example: /var/opt/SUNWam
This is a READ-ONLY property. Do not change the property value.
Value is set during installation. Example: /opt/SUNWam
Value is set during installation. Example: /usr/jdk/entsys-j2se
Value is set during installation. Example: en_US
Value is set during installation. Example: hostName.domainName.com
Value is set during installation. Example: 80
Value is set during installation. Example: http
Value is set during installation. Example: 7 2005Q4
Enables the Access Manager Authentication service to take corrective action when a user types an incorrect URL. This is useful, for example, when a user specifies a partial host name or uses an IP address to access protected resources.
The syntax of this property maps invalid FQDN values to their corresponding valid counterparts. The property uses the following form: com.sun.identity.server.fqdnMap[invalid-name]=valid-name. Here, invalid-name is a possible invalid FQDN host name that a user might type, and valid-name is the FQDN host name to which the filter redirects the user. If overlapping values for the same invalid FQDN exist, the application may become inaccessible. Using an invalid value for this property can also make the application inaccessible. You can use this property to map multiple host names, which is useful when the applications hosted on a server are reachable through several host names.
You can use this property to configure Access Manager so that no corrective action is taken for certain hostname URLs. This is useful, for example, when it is required that no corrective action such as a redirect be used for users who access the application resources by using the raw IP address.
You can specify a map entry such as: com.sun.identity.server.fqdnMap[IP]=IP.
You can specify any number of such properties as long as they are valid properties and conform to the requirements described above. Examples:
com.sun.identity.server.fqdnMap[isserver]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[isserver.mydomain]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[IP address]=isserver.mydomain.com
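As an added example (not code from Access Manager or this guide), the following Python script reads AMConfig.properties-style text using the line and comment rules described above, collects the fqdnMap entries, flags overlapping entries for the same invalid name (which the text warns can make the application inaccessible), and reports what corrective action a given requested host name would receive. The sample configuration, the host other.mydomain.com and the address 192.0.2.10 are constructed.

```python
"""Check com.sun.identity.server.fqdnMap[...] entries in AMConfig.properties.

Added example, not part of Access Manager. It applies the rules the guide
states: one property per line, case-sensitive keys and values, comment
blocks that open with a line starting with /* and close with a line ending
in */, and the fqdnMap[invalid-name]=valid-name syntax.
"""
import re
from typing import Dict, List, Tuple

FQDN_KEY_RE = re.compile(r"^com\.sun\.identity\.server\.fqdnMap\[(?P<invalid>[^\]]+)\]$")

# Constructed sample configuration (not a real AMConfig.properties).
SAMPLE_CONFIG = """\
/* constructed sample: two invalid names and one raw IP mapped to itself */
com.sun.identity.server.fqdnMap[isserver]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[isserver.mydomain]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[192.0.2.10]=192.0.2.10
/* the next entry overlaps the first one for the same invalid name,
   which the guide warns can make the application inaccessible */
com.sun.identity.server.fqdnMap[isserver]=other.mydomain.com
"""


def parse_properties(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs in file order, skipping comment blocks."""
    pairs: List[Tuple[str, str]] = []
    in_comment = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_comment:
            in_comment = not line.endswith("*/")
            continue
        if line.startswith("/*"):
            in_comment = not line.endswith("*/")
            continue
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        pairs.append((key.strip(), value.strip()))
    return pairs


def build_fqdn_map(pairs: List[Tuple[str, str]]) -> Tuple[Dict[str, str], List[str]]:
    """Collect invalid-name -> valid-name entries and report problems.

    The first entry for an invalid name wins; a later entry with a different
    target is reported as an overlap. Empty targets are reported as invalid.
    """
    mapping: Dict[str, str] = {}
    problems: List[str] = []
    for key, value in pairs:
        match = FQDN_KEY_RE.match(key)
        if not match:
            continue
        invalid = match.group("invalid")
        if not value:
            problems.append(f"fqdnMap[{invalid}] has an empty valid-name")
        elif invalid in mapping and mapping[invalid] != value:
            problems.append(
                f"overlap for fqdnMap[{invalid}]: {mapping[invalid]} and {value}"
            )
        else:
            mapping.setdefault(invalid, value)
    return mapping, problems


def corrective_action(mapping: Dict[str, str], requested_host: str) -> Tuple[str, str]:
    """Decide what the FQDN filter would do for a request to requested_host.

    ("ok", host)        no redirect: host is a valid name or is mapped to
                        itself, as with fqdnMap[IP]=IP for raw IP access
    ("redirect", valid) host is an invalid name mapped to a valid FQDN
    ("unmapped", host)  host appears in neither column; the guide does not
                        describe this case, so it is reported separately
    """
    target = mapping.get(requested_host)
    if target == requested_host or requested_host in mapping.values():
        return ("ok", requested_host)
    if target is not None:
        return ("redirect", target)
    return ("unmapped", requested_host)


if __name__ == "__main__":
    fqdn_map, issues = build_fqdn_map(parse_properties(SAMPLE_CONFIG))
    for issue in issues:
        print("PROBLEM:", issue)
    for host in ("isserver", "192.0.2.10", "isserver.mydomain.com", "nowhere"):
        print(host, "->", corrective_action(fqdn_map, host))
```

To check a real file, pass the contents of AMConfig.properties to parse_properties instead of SAMPLE_CONFIG; a non-empty problems list means the map should be corrected before restarting Access Manager.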
Default value is no. Determines whether validation is required when parsing XML documents using the Access Manager XMLUtils class. Allowable values are yes and no. XML document validation is turned on only if the value of this property is yes and the value of the com.iplanet.services.debug.level property is set to warning or message.
Each SDK cache entry stores a set of AMObject attributes values for a user.
Default value is 10000. Specifies the size of the SDK cache when caching is enabled. Use an integer greater than 0, or the default size (10000 users) will be used.
This property specifies a plug-in that implements the com.iplanet.am.sdk.AMUserEntryProcessed interface to perform post-processing for user create, delete, and modify operations. If used, the property must specify the fully qualified name of the class that implements this interface.
Setting this to true enables caching, and setting this to false disables caching. The default is true.
Do not set this option to false unless you are running Access Manager in a pure debugging mode. It should never be set to false in production.
Value is set during installation. Example: APPSERVERDEPLOYMENT
This property is used to determine if Access Manager is running on iPlanet Application Server.
Default value is AMAuthCookie. Specifies the cookie name used by Authentication Service to set the session handler ID during the authentication process. Once this process is completed (success or failure), this cookie is cleared or removed.
Value is set during installation. The Certificate Authority (CA) certificate nick name for that responder. Example: Certificate Manager - sun. If set, the CA certificate must be presented in the Web Server's certificate database.
Value is set during installation. Example: http://ocsp.sun.com/ocsp
Specifies the global OCSP responder URL for this instance. If the OCSP responder URL is set, the OCSP responder nick name must also be set; otherwise both are ignored. If neither is set, the OCSP responder URL presented in the user's certificate is used for OCSP validation. If no OCSP responder URL is present in the user's certificate, no OCSP validation is performed.
Default value is true. The global parameter to enable or disable OCSP checking. If this value is false, the OCSP feature in the Certificate Authentication module type cannot be used.
Value is set during installation. Example: cn=dsameuser,ou=DSAME Users,o=AMRoot|cn=amService-UrlAccessAgent,ou=DSAME Users,o=AMRoot
Identifies the special user or users for this Access Manager authentication component. This user is used by the Client APIs to authenticate remote applications to the Access Manager server using the full user DN. The user will always be authenticated against the local directory server. Multiple values of this special user DN are separated by the pipe character (|). Use of this property is restricted to Authentication component only.
Value is set during installation. Example: uid=amAdmin,ou=People,o=AMRoot
Identifies the super user for this Access Manager instance. This user must use Data Store to log in, and must use the full DN. The user is always authenticated against the local Directory Server.
Used to set the cookie domain for the above cookie name. This cookie domain should be set so that it covers all instances of the CDC (Cross Domain Controller) services installed in the network. For example, .example.com if all instances of Access Manager are within the domain example.com.
Default value is sunIdentityServerAuthNServer. Specifies the cookie name set to the Access Manager server host URL when Access Manager is running against Session Cookie hijacking.
Specifies a list of user attributes that contain values that will be retrieved from an external Directory Server during LDAP Authentication when the Authentication Service is configured to dynamically create users. The new user created in the local Directory Server will have the values for attributes which have been retrieved from external Directory Server.
Example: attribute1, attribute2, attribute3
Set these properties to initialize the JSS Socket Factory when iPlanet Web Server is configured for SSL.
Value is set during installation. Example: /opt/SUNWwbsvr/alias
Specifies certificate database path.
Value is set during installation. Example: /etc/opt/SUNWam/config/.wtpass
Specifies certificate database password file.
Value is set during installation. Example: https-hostName.domainName.com-hostName-
Specifies certificate database prefix.
This property allows Access Manager to URL-encode the cookie value, which converts characters to ones that HTTP can transport.
Value is set during installation. Example: false
Default value is iPlanetDirectoryPro. Cookie name used by Authentication Service to set the valid session handler ID. The value of this cookie name is used to retrieve the valid session information.
Allows the Access Manager cookie to be set in a secure mode, in which the browser returns the cookie only when a secure protocol such as HTTPS is used.
Default value is false.
Value is set during installation. Example: false
Determines whether the console is installed on a remote machine, or is installed on the local machine and will be used by the Authentication console.
Specifies the cookie name for a persistent cookie. A persistent cookie continues to exist after the browser window is closed. This enables a user to log in with a new browser session without having to reauthenticate. Default value is DProPCookie.
Default value is true. This property is read by the Authentication Service when Access Manager is configured to run in cookieless mode. The property specifies that the cookie needs to be rewritten as extra path information in the URL using this form: protocol://server:port/uri;cookiename=cookieValue?queryString. If this property is not specified, then the cookie will be written as part of the query string.
Default value is false. Indicates that Access Manager is running against Session Cookie hijacking when the value is set to true.
Specifies the output directory where debug files will be created. Value is set during installation. Example: /var/opt/SUNWam/debug
Specifies debug level. Default value is error. Possible values are:
No debug file is created.
Only error messages are logged.
Only warning messages are logged.
Error, warning, and informational messages are logged.
Value is set at installation. Example: o=AMRoot
Specifies the top-level realm or organization in the Access Manager information tree.
Value is set during installation. Example: DirectoryServerHost.domainName.com
Specifies fully-qualified host name of the Directory Server.
Value is set during installation. Example: 389
Specifies the Directory Server port number.
Default value is false. Indicates whether Secure Sockets Layer (SSL) is enabled.
Value is set during installation. Example: o=AMRoot
Specifies the domain component (dc) attribute for the Access Manager information tree.
Value is set during installation. Example: o=AMRoot
Specifies which event connection can be disabled. Values (case insensitive) can be:
Changes to the aci attribute, with the search using the LDAP filter (aci=*)
Changes in the Access Manager information tree (or service management node), which includes objects with the sunService or sunServiceComponent marker object class. For example, you might create a policy to define access privileges for a protected resource, or you might modify the rules, subjects, conditions, or response providers for an existing policy.
Changes in the user directory (or user management node). For example, you might change a user's name or address.
For example, to disable persistent searches for changes to the Access Manager information tree (or service management node), use the sm value:
com.sun.am.event.connection.disable.list=sm
To specify multiple values, separate each value with a comma.
Persistent searches cause some performance overhead on Directory Server. If you determine that removing some of this performance overhead is absolutely critical in a production environment, you can disable one or more persistent searches using the com.sun.am.event.connection.disable.list property.
However, before disabling a persistent search, you should understand the limitations described below. It is strongly recommended that this property not be changed unless absolutely required. This property was introduced primarily to avoid overhead on Directory Server when multiple 2.1 J2EE agents are used, because each of these agents establishes these persistent searches. The 2.2 J2EE agents no longer establish these persistent searches, so you might not need to use this property.
Disabling persistent searches for any of these components is not recommended, because a component with a disabled persistent search does not receive notifications from Directory Server. Consequently, changes made in Directory Server for that component are not propagated to the component cache. For example, if you disable persistent searches for changes in the user directory (um), Access Manager does not receive notifications from Directory Server. Therefore, an agent does not get notifications from Access Manager to update its local user cache with the new values for a user attribute. If an application then queries the agent for the user attributes, it might receive the old value for that attribute.
Use this property only in special circumstances when absolutely required. For example, if you know that Service Configuration changes (related to changing values to any of services such as Session Service and Authentication Services) will not happen in production environment, the persistent search to the Service Management (sm) component can be disabled. However, if any changes occur for any of the services, a server restart would be required. The same condition also applies to other persistent searches, specified by the aci and um values.
Default value is 3000. Specifies the delay in milliseconds between retries to re-establish the Event Service connections.
Default values are 80,81,91. Specifies the LDAP exception error codes for which retries to re-establish Event Service connections will trigger.
Default value is 3. Specifies the number of attempts made to successfully re-establish the Event Service connections.
Default value is 0. Specifies the number of minutes after which the persistent searches will be restarted.
This property is used when a load balancer or firewall is between the policy agents and the Directory Server, and the persistent search connections are dropped when a TCP idle timeout occurs. The property value should be lower than the load balancer or firewall TCP timeout. This ensures that the persistent searches are restarted before the connections are dropped. A value of 0 indicates that searches will not be restarted. Only the connections that have timed out are reset.
Value is set during installation. Example: AQICPX9e1cxSxB2RSy1WG1+O4msWpt/6djZl
Value is set during installation. Example: /amserver
Default value is 16384 or 16k. Specifies the maximum content-length for an HttpRequest that Access Manager will accept.
Value is set during installation. Example: /etc/opt/SUNWam/config
Default value is unix securid.
Default value is 58943. This property takes a space-separated list and is used for the SecurID authentication module and helpers.
Value is set during installation. Specifies a list of IP addresses to be read by the amserver script and passed to the UNIX helper when the helper is started. This property can contain a space-separated list of trusted IP addresses in IPv4 format.
Default value is 58946. Used in the UNIX Authentication module type.
Default value is true. If true, federation metadata will be cached internally.
Default value is fedCookie. Specifies the name of the Federation Services cookie.
Default value is com.sun.identity.federation.services.FSIDPProxyImpl. Defines the implementation for finding a preferred identity provider to be proxied.
Default value is false. Specifies the level of signature verification for Liberty requests and responses.
Liberty requests and responses will be signed when sent, and Liberty requests and responses that are received will be verified for signature validity.
Liberty requests and responses that are sent and received will not be verified for signature.
Liberty requests and responses will be signed or verified only if required by the Federation profiles.
Value is set during installation. Example: /ampassword
Default value is 10:10:10. Indicates the proportional processing cost to evaluate a policy subject, rule, and condition. The values specified influence the order in which the subject, rule, and condition of a policy are evaluated. The value is expressed using three integers which represent a subject, a rule, and a condition. The values are delimited by a colon (:) to indicate the proportional processing cost to evaluate a policy subject, rule, and condition.
Default value is 3. Specifies the maximum number of minutes for caching time for Application Sessions. By default, the cache does not expire unless this property is enabled.
The default is false. The purpose of this flag is to report to Service Management that the Directory Proxy must be used for read, write, and/or modify operations to the Directory Server. This flag also determines if ACIs or delegation privileges are to be used.
This flag must be set to "true" when the Access Manager SDK (from version 7 or 7.1) is communicating with Access Manager version 6.3. For example, in the co-existence/legacy mode this value should be "true". In the legacy DIT, delegation policies were not supported; only ACIs were supported. So, to ensure a proper delegation check, this flag must be set to "true" in a legacy mode installation to make use of the ACIs for access control. Otherwise the delegation check will fail.
In realm mode, this value should be set to false so only the delegation policies are used for access control. In version 7.0 and later, Access Manager supports data-agnostic feature in realm mode installation. So, in addition to Directory Server, other servers may be used to store service configuration data.
Additionally, this flag will report to the Service Management feature that the Directory Proxy does not need to be used for the read, write, and/or modify operations to the backend storage. This is because some data stores, like Active Directory, may not support proxy.
Value is set during installation. Example: WEB_CONTAINER
Specifies the name of the web container. Although the servlets and JSPs are not web container dependent, Access Manager uses the servlet 2.3 API request.setCharacterEncoding() to correctly decode incoming non-English characters. These APIs do not work if Access Manager is deployed on Sun Java System Web Server 6.1. Access Manager uses the gx_charset mechanism to correctly decode incoming data in Sun Java System Web Server 6.1 and S1AS7.0. Possible values are BEA6.1, BEA 8.1, IBM5.1, or IAS7.0. If the web container is Sun Java System Web Server, the tag is not replaced.
These properties identify the value for SSL ApprovalCallback. If the checkSubjectAltName or resolveIPAddress feature is enabled, you must create cert7.db and key3.db with the prefix value of com.iplanet.am.admin.cli.certdb.prefix in the com.iplanet.am.admin.cli.certdb.dir directory. Then restart Access Manager.
Default value is false. When enabled, a server certificate includes the Subject Alternative Name (SubjectAltName) extension, and Access Manager checks all name entries in the extension. If one of the names in the SubjectAltName extension is the same as the server FQDN, Access Manager continues the SSL handshaking. To enable this property, set it to a comma separated list of trusted FQDNs. For example: com.iplanet.am.jssproxy.checkSubjectAltName= amserv1.example.com,amserv2.example.com
Default value is false.
Default value is false. If enabled (true), Access Manager ignores all certificate-related issues such as a name conflict and continues the SSL handshaking. To prevent a possible security risk, enable this property only for testing purposes, or when the enterprise network is tightly controlled. Avoid enabling this property if a security risk might occur (for example, if a server connects to a server in a different network).
com.iplanet.am.jssproxy.SSLTrustHostList
If set, Access Manager checks each server FQDN in the list against the server host in the certificate CN. If an FQDN in the list matches the server certificate CN, Access Manager continues the SSL handshake even if an "Incorrect Domain name" error occurs. Use the following syntax to set the property:
com.iplanet.am.jssproxy.SSLTrustHostList=fqdn_am_server1,fqdn_am_server2,fqdn_am_server3
Default value is false. Determines if JSS will be added with highest priority to JCE. Set to true if other JCE providers should be used for digital signatures and encryptions.
Default is 1000. Specifies the number of milliseconds between retries.
Default values are 80,81,91. Specifies the LDAPException error codes for which retries to re-establish the LDAP connection will trigger.
Default value is 3. Specifies the number of attempts made to successfully re-establish the LDAP connection.
Value is set during installation. Example: /opt/SUNWam/lib/is-html.xsl
Specifies path to style sheet that renders the interaction page in HTML.
Value is set during installation. Example: /opt/SUNWam/lib/is-wml.xsl
Specifies path to style sheet that renders the interaction page in WML.
Default value is interactIfNeeded. Indicates whether a web service consumer participates in an interaction. Allowed values are:
Interacts only if required. Also used if an invalid value is specified.
No interaction for data.
Default value is 80. Web service consumer's preference on the acceptable duration for interaction. The value is expressed in seconds. The default value is used if the value is not specified or if a non-integer value is specified.
The default value is yes. Indicates whether a web service consumer enforces the requirement that a request redirected to a URL uses HTTPS. Valid values are yes and no. The case is ignored. The Liberty specification requires the value to be yes. If no value is specified, the default value is used.
Default value is yes. If no value is specified, the default value is used. Indicates whether a web service consumer includes userInteractionHeader. Allowable values are yes and no. The case is ignored.
Default value is yes. Indicates whether the web service consumer redirects the user for interaction. Valid values are yes and no. If no value is specified, the default value is used.
Value is set during installation. Example: http://hostName.domainName.com:portNumber/amserver/WSPRedirectHandler
Specifies the URL WSPRedirectHandlerServlet uses to handle Liberty WSF WSP-resource owner interactions based on user agent redirects. This should be running in the same JVM where the Liberty service provider is running.
Default is 30. Web service provider's expected duration for interaction. Expressed in seconds. If the value is not specified, or if the value is a non-integer, the default value is used.
Default value is yes. If no value is specified, the default value is used. Indicates whether the web service consumer enforces the requirement that returnToURL use HTTPS. Valid values are yes and no (case ignored). The Liberty specification requires the value to be yes.
The Liberty specification requires the value to be yes. Indicates whether the web service consumer enforces that returnToHost and requestHost are the same. Valid values are yes and no.
Default is yes. If no value is specified, the default value is used. Indicates whether a web service provider redirects the user for interaction. Valid values are yes and no. Case is ignored.
Default value is yes. If no value is specified, the default value is used. Indicates whether the web service provider redirects the user for interaction for data. Valid values are yes and no. Case is ignored.
Default value is =S=http://schemas.xmlsoap.org/soap/envelope/|sb=urn:liberty:sb:2003-08|pp=urn:liberty:id-sis-pp:2003-08|ispp=http://www.sun.com/identity/liberty/pp|is=urn:liberty:is:2003-08. Specifies the namespace prefix mapping used when marshalling a JAXB content tree to a DOM tree. The syntax is prefix=namespace|prefix=namespace|...
Specifies JAXB package list used when constructing JAXBContext. Each package must be separated by a colon (:).
Default value is com.sun.identity.liberty.ws.security.AMSecurityTokenProvider.
Value is set during installation. Client certificate alias that will be used in SSL connection for Liberty SOAP Binding.
Default value is 60000. Specifies the number of milliseconds to elapse before cache cleanup events begin. Each message is stored in a cache with its own messageID to avoid duplicate messages. When a message's current time less its received time exceeds the staleTimeLimit value, the message is removed from the cache.
Default value is 300000. Determines whether a message is stale and thus no longer trustworthy. If the message timestamp is earlier than the current timestamp by more than the specified number of milliseconds, the message is considered stale.
Default value is http://schemas.xmlsoap.org/soap/actor/next. Specifies supported SOAP actors. Each actor must be separated by a pipe character (|).
Value is set during installation. Specifies the certificate alias for the trusted authority that will be used to sign the SAML or SAML BEARER token of the response message.
Value is set during installation. Specifies default certificate alias for issuing web service security token for this web service client.
Value is set during installation. Specifies the certificate alias for the trusted authority that will be used to sign the SAML or SAML BEARER token of the response message.
Value is set during installation.
Specifies certificate aliases for trusted CAs. The SAML or SAML BEARER token of an incoming request message must be signed by a trusted CA in this list. The syntax is cert alias 1[:issuer 1]|cert alias 2[:issuer 2]|... Example: myalias1:myissuer1|myalias2|myalias3:myissuer3. The issuer value is used when the token does not have a KeyInfo inside the signature: the issuer of the token must be in this list, and the corresponding certificate alias is used to verify the signature. If KeyInfo exists, the keystore must contain a certificate alias that matches the KeyInfo, and that certificate alias must be in this list.
Value is set during installation. Specifies implementation for security token provider.
Default value is true. A flag to indicate if de-referenced assertions should be removed from the cache. Applies to assertions that were created associated with artifacts, and have been de-referenced.
Specifies whether logging is turned on (ACTIVE) or off (INACTIVE). Value is set to ACTIVE during installation.
You can configure the degree of detail to be contained in a specific log file by adding attributes to the AMConfig.properties file. Use the following format:
iplanet-am-logging.logfileName.level=java.util.logging.Level
where logfileName is the name of a log file for an Access Manager service (see Table 6–1), and java.util.logging.Level is an allowable attribute value. Access Manager services log at the INFO level. SAML and Identity Federation services also log at more detailed levels (FINE, FINER, FINEST). Example:
In addition, there is a level OFF that can be used to turn off logging, and a level ALL that can be used to enable logging of all messages. Example:
iplanet-am-logging.amConsole.access.level=OFF
Table 6–1 Access Manager Log Files
Log File Name
Successful amadmin command-line events
amadmin command-line error events
Access Manager Policy Agent related events. See the Note following this table.
Successful authentication events
Console error events.
Successful Federation events.
Federation error events.
Storage of policy allow events
Storage of policy deny events
Successful SAML events
SAML error events
Successful Liberty events
Liberty error events
Single sign-on creation and destruction
Single sign-on error events
The amAuthLog filename is determined by the Policy Agent properties in AMAgent.properties. For Web Policy Agents, the property is com.sun.am.policy.agents.config.remote.log. For J2EE Policy Agents, the property is com.sun.identity.agents.config.remote.logfile. The default is amAuthLog.host.domain.port, where host.domain is the fully-qualified host name of the host running the Policy Agent web server, and where port is the port number of that web server. If you have multiple Policy Agents deployed, you can have multiple instances of this file. The property com.sun.identity.agents.config.audit.accesstype (for both Web and J2EE Agents) determines what data is logged remotely. The logged data can include policy allows, policy denies, both allows and denies, or neither allows nor denies.
This property is no longer being used in Access Manager 7.0.
Value is set during installation. Example: http://hostName.domainName.com:portNumber/amserver/namingservice
Specifies the naming service URL to use.
Use the following keys to configure the notification thread pool.
Default value is 10. Defines the size of the pool by specifying the total number of threads.
Default value is 100. Specifies the maximum task queue length.
When a notification task comes in, it is sent to the task queue for processing. If the queue reaches the maximum length, further incoming requests will be rejected along with a ThreadPoolException, until the queue has a vacancy.
Value is set during installation. Example: http://hostName.domainName.com:portNumber/amserver/notificationservice
Value is set during installation. Example: AGENT_DEPLOY_URI
Default value is UrlAccessAgent. Specifies the username to use for the Application authentication module.
Default value is 1000. Specifies the size of the resource result cache. The cache is created on the server where the policy agent is installed.
Default values are cn,ou,o,mail,employeenumber,c. Specifies the policy attributes to be returned by the policy evaluator. Uses the form a[,...]. In this example, a is the attribute in the data store to be fetched.
Default value is NONE. Controls the granularity of the Policy Client API logging level. Possible values are:
Logs access allowed requests.
Logs access denied requests.
Logs both access allowed and access denied requests.
Logs no requests.
Default value is false. Enables or disables notifications for the Policy Client API.
Used by the policy client SDK to register policy change notifications. A mis-configuration of this property will result in policy notifications being disabled.
Default value is 3. Specifies the polling interval which is the number of minutes after which an entry is dropped from the Client APIs cache.
Default value is false.
Indicates whether case sensitive is turned on or off during policy evaluation.
Indicates the true value of a policy action. This value can be ignored if the application does not need to access the PolicyEvaluator.isAllowed method. This value signifies how a policy decision from Access Manager should be interpreted. Default value is allow.
Default value is com.sun.identity.policy.plugins.URLResourceName
Specifies the resource comparison class name. Available implementation classes are: com.sun.identity.policy.plugins.PrefixResourceName and com.sun.identity.policy.plugins.URLResourceName.
Default value is a forward slash (/). Specifies the delimiter for the resource name.
Default value is *. Specifies the wildcard for the resource name.
Default value is amRemotePolicyLog. Specifies the name of the log file to use for logging messages to Access Manager. Only the name of the file is needed; the directory of the file is determined by other Access Manager configuration settings.
Default value is true. Indicates whether to use a wildcard for resource name comparison.
Default value is iPlanetAMWebAgentService|GET|allow|deny:.
Specifies Boolean action values for policy action names. Uses the form serviceName|actionName|trueValue|falseValue. Values for action names are delimited by a colon (:).
Default value is self. Specifies the cache mode for the client policy evaluator. Valid values are subtree and self. If set to subtree, the policy evaluator obtains policy decisions from the server for all resources from the root down to the resource actually requested. If set to self, the policy evaluator gets the policy decision from the server only for the resource actually requested.
Adjusts for the time difference between the policy client machine and the policy server. If this property is not set and the policy agent time differs from the policy server time, you occasionally see an incorrect policy decision. You should run a time-syncing service to keep the time on the policy server and on the policy client as close as possible, and use this property to adjust for the remaining small difference regardless of whether a time-syncing service is running. Clock skew in seconds = agentTime - serverTime. Comment the property out on the policy server. On the policy client machine (the machine running the policy agent), uncomment the line and set it to the agent-server clock skew in seconds.
Default value is *|delimiter=/|caseSensitive=true. Specifies the ResourceComparators to be used for different service names. Copy the value from the Access Manager console: go to Service Configuration > PolicyConfiguration > Global:ResourceComparator. Concatenate multiple values from Access Manager using a colon (:) as the delimiter.
This property is no longer used in Access Manager 7. It is provided only for backward compatibility. Value is set during installation. Example: hostName.domainName.com
This property is no longer used in Access Manager 7. It is provided only for backward compatibility. Value is set during installation. Example: 80
Use the following keys to configure replication setup.
Default value is 1000. Specifies the number of milliseconds between retries.
Default value is 0. Specifies the number of times to retry.
Default value is 1.1. Specifies the default SAML version used. Possible values are 1.0 or 1.1.
Default value is on. Flag for checking the certificate embedded in the KeyInfo against the certificates in the keystore. Certificates in the keystore are specified by the com.sun.identity.saml.xmlsig.keystore property. Possible values are on|off:
The certificate must be present in the keystore for XML signature validation.
Skips the presence check.
Default value is 1.1. Specifies the default SAML version used. Possible values are 1.0 or 1.1.
Default value is 16384. Specifies the maximum content length of an HTTP request that will be used in SAML.
Default value is test.
Value is set during installation. Example: /etc/opt/SUNWam/config/.keypass. Specifies the path to the SAML XML key password file.
Value is set during installation. Example: /etc/opt/SUNWam/config/keystore.jks. Specifies the path to the SAML XML keystore file.
Value is set during installation. Example: /etc/opt/SUNWam/config/.storepass. Specifies the path to the SAML XML keystore password (storepass) file.
Default value is com.iplanet.services.util.JSSEncryption. Specifies the encrypting class implementation. Available classes are: com.iplanet.services.util.JCEEncryption and com.iplanet.services.util.JSSEncryption.
Default value is com.iplanet.am.util.JSSSecureRandomFactoryImpl. Specifies the factory class name for SecureRandomFactory. Available implementation classes are: com.iplanet.am.util.JSSSecureRandomFactoryImpl which uses JSS, and com.iplanet.am.util.SecureRandomFactoryImpl which uses pure Java.
Default value is com.iplanet.services.ldap.JSSSocketFactory. Specifies the factory class name for LDAPSocketFactory. Available classes are: com.iplanet.services.ldap.JSSSocketFactory which uses JSS, and netscape.ldap.factory.JSSESocketFactory which uses pure Java.
Default value is false. Enables or disables the Java security manager permissions check for Access Manager. If enabled, you should make the appropriate changes to the Java policy file of the container in which Access Manager is deployed so that the Access Manager JAR files are trusted to perform sensitive operations. For more information, see the Java API Reference (Javadoc) entry for com.sun.identity.security.
Value is set during installation. Example: dSB9LkwPCSoXfIKHVMhIt3bKgibtsggd. Specifies the key used to encrypt and decrypt passwords.
Default value is false. Specifies whether or not the IP address of the client is checked in all SSOToken creations or validations. This is a READ-ONLY property. Do not modify the property value.
Default value is false. Enables client-side session polling. Please note that the session polling mode and the session notification mode are mutually exclusive. If the polling mode is enabled, the session notification is automatically turned off, and vice versa.
Default value is 180. Specifies number of seconds in a polling period.
Default value is true. Enables or disables the use of HttpSession.
Default value is 10. Specifies the number of minutes after which an invalid session is removed from the session table if it was created but the user did not log in. This value should always be greater than the timeout value in the Authentication module properties file.
Default value is 5000. Specifies the maximum number of allowable concurrent sessions. Login sends a Maximum Sessions error if the number of concurrent sessions exceeds this value.
Allows you to protect certain core or internal session properties from remote updates via the SetProperty method of the Session Service. By setting this “hidden” key security parameter, you can customize session attributes in order to participate in authorization as well as other Access Manager features. To use this parameter:
With a text editor, add the parameter to the AMConfig.properties file.
Set the parameter to the session properties that you want to protect. For example:
com.iplanet.am.session.protectedPropertiesList = PropertyName1,PropertyName2,PropertyName3
Restart the Access Manager Web container for the values to take effect.
Default value is 60. Specifies the number of minutes to delay the purge session operation.
After a session times out, this is an extended time period during which the session continues to reside in the session server. This property is used by the client application to check if the session has timed out through SSO APIs. At the end of this extended time period, the session is destroyed. The session is not sustained during the extended time period if the user logs out or if the session is explicitly destroyed by an Access Manager component. The session is in the INVALID state during this extended period.
Default value is true. Compares the Agent DN. If the value is false, the comparison is case-sensitive.
Default value is false. Enables or disables host lookup during session logging.
Default value is localhost. Specifies the mail server host.
Default value is 25. Specifies the mail server port.
Default value is 60. Specifies the number of minutes to elapse between statistics logging. The minimum is 5 seconds, to avoid CPU saturation; Access Manager treats any value less than 5 seconds as 5 seconds.
Value is set during installation. Example: /var/opt/SUNWam/stats. Specifies the directory where debug files are created.
Default value is file. Specifies the location of the statistics log. Possible values are:
No statistics are logged.
Statistics are written to a file under the specified directory.
Statistics are written into Web Server log files.
The file serverconfig.xml provides configuration information for Sun Java™ System Access Manager regarding the Directory Server that is used as its data store. This chapter explains the elements of the file and how to configure it for failover, how you can have multiple instances, and how you can un-deploy the console and remove console files from a server. It contains the following sections:
serverconfig.xml is located in AccessManager-base/SUNWam/config/ums. It contains the parameters used by the Identity SDK to establish the LDAP connection pool to Directory Server. No other function of the product uses this file. Two users are defined in this file: user1 is a Directory Server proxy user and user2 is the Directory Server administrator.
The Proxy User can take on any user’s privileges (for example, the organization administrator or an end user). The connection pool is created with connections bound to the proxy user. Access Manager creates a proxy user with the DN of cn=puser,ou=DSAME Users,dc=example,dc=com. This user is used for all queries made to Directory Server. It benefits from a proxy user ACI already configured in the Directory Server and, therefore, can perform actions on behalf of a user when necessary. It maintains an open connection through which all queries are passed (retrieval of service configurations, organization information, etc.). The proxy user password is always encrypted. Proxy User illustrates where the encrypted password is located in serverconfig.xml .
<User name="User1" type="proxy">
    <DirDN> cn=puser,ou=DSAME Users,dc=example,dc=com </DirDN>
    <DirPassword> AQICkc3qIrCeZrpexyeoL4cdeXih4vv9aCZZ </DirPassword>
</User>
dsameuser is used for binding purposes when the Access Manager SDK performs operations on Directory Server that are not linked to a particular user (for example, retrieving service configuration information). Proxy User performs these operations on behalf of dsameuser, but a bind must first validate the dsameuser credentials. During installation, Access Manager creates cn=dsameuser,ou=DSAME Users,dc=example,dc=com. Admin User illustrates where the encrypted dsameuser password is found in serverconfig.xml.
<User name="User2" type="admin">
    <DirDN> cn=dsameuser,ou=DSAME Users,dc=example,dc=com </DirDN>
    <DirPassword> AQICkc3qIrCeZrpexyeoL4cdeXih4vv9aCZZ </DirPassword>
</User>
server-config.dtd defines the structure for serverconfig.xml. It is located in AccessManager-base/SUNWam/dtd. This section defines the main elements of the DTD. MiscConfig Element is an example of the serverconfig.xml file.
iPlanetDataAccessLayer is the root element. It allows for the definition of multiple server groups per XML file. Its immediate sub-element is the ServerGroup Element. It contains no attributes.
ServerGroup defines a pointer to one or more directory servers. They can be master servers or replica servers. The sub-elements that qualify the ServerGroup include Server Element, User Element, BaseDN Element and MiscConfig Element. The XML attributes of ServerGroup are the name of the server group, and minConnPool and maxConnPool which define the minimum (1) and maximum (10) connections that can be opened for the LDAP connection pool. More than one defined ServerGroup element is not supported.
Access Manager uses a connection pool to access Directory Server. All connections are opened when Access Manager starts and are not closed. They are reused.
Server defines a specific Directory Server instance. It contains no sub-elements. The required XML attributes of Server are a user-friendly name for the server, the host name, the port number on which the Directory Server runs, and the type of LDAP connection that must be opened (either simple or SSL).
For an example of automatic failover using the Server element, see Failover Or Multimaster Configuration.
User contains sub-elements that define the user configured for the Directory Server instance. The sub-elements that qualify User include DirDN and DirPassword. Its required XML attributes are the name of the user and the type of user. The values for type identify the user's privileges and the type of connection that will be opened to the Directory Server instance. Options include:
auth—defines a user authenticated to Directory Server.
proxy—defines a Directory Server proxy user. See Proxy User for more information.
rebind—defines a user with credentials that can be used to rebind.
admin—defines a user with Directory Server administrative privileges. See Admin User for more information.
DirDN contains the LDAP Distinguished Name of the defined user.
DirPassword contains the defined user’s encrypted password.
It is important that passwords and encryption keys are kept consistent throughout the deployment. For example, the passwords defined in this element are also stored in Directory Server. If the password is changed in one place, it must be updated in both places. Additionally, this password is encrypted. If the encryption key defined in the am.encryption.pwd property is changed, all passwords in serverconfig.xml must be re-encrypted using ampassword --encrypt password.
BaseDN defines the base Distinguished Name for the server group. It contains no sub-elements and no XML attributes.
MiscConfig is a placeholder for defining any LDAP JDK features, such as cache size. It contains no sub-elements. Its required XML attributes are the name of the feature and its defined value.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Copyright (c) 2002 Sun Microsystems, Inc. All rights reserved.
     Use is subject to license terms. -->
<iPlanetDataAccessLayer>
    <ServerGroup name="default" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="ishost.domain_name" port="389" type="SIMPLE" />
        <User name="User1" type="proxy">
            <DirDN> cn=puser,ou=DSAME Users,dc=example,dc=com </DirDN>
            <DirPassword> AQICkc3qIrCeZrpexyeoL4cdeXih4vv9aCZZ </DirPassword>
        </User>
        <User name="User2" type="admin">
            <DirDN> cn=dsameuser,ou=DSAME Users,dc=example,dc=com </DirDN>
            <DirPassword> AQICkc3qIrCeZrpexyeoL4cdeXih4vv9aCZZ </DirPassword>
        </User>
        <BaseDN> dc=example,dc=com </BaseDN>
    </ServerGroup>
</iPlanetDataAccessLayer>
Access Manager allows automatic failover to any Directory Server defined as a Server Element within the ServerGroup Element in serverconfig.xml. More than one server can be configured for failover purposes or for multimasters. If the first configured server goes down, the second configured server takes over. Failover Or Multimaster Configuration illustrates serverconfig.xml with automatic failover configured.
<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
<!-- PROPRIETARY/CONFIDENTIAL. Use of this product is subject to license terms.
     Copyright 2002 Sun Microsystems, Inc. All rights reserved. -->
<iPlanetDataAccessLayer>
    <ServerGroup name="default" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="amhost1.domain_name" port="389" type="SIMPLE" />
        <Server name="Server2" host="amhost2.domain_name" port="389" type="SIMPLE" />
        <Server name="Server3" host="amhost3.domain_name" port="390" type="SIMPLE" />
        <User name="User1" type="proxy">
            <DirDN> cn=puser,ou=DSAME Users,dc=example,dc=com </DirDN>
            <DirPassword> AQIC5wM2LY4Sfcy+AQBQxghVwhBE92i78cqf </DirPassword>
        </User>
        <User name="User2" type="admin">
            <DirDN> cn=dsameuser,ou=DSAME Users,dc=example,dc=com </DirDN>
            <DirPassword> AQIC5wM2LY4Sfcy+AQBQxghVwhBE92i78cqf </DirPassword>
        </User>
        <BaseDN> o=isp </BaseDN>
    </ServerGroup>
</iPlanetDataAccessLayer>
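As an added example (not code from Access Manager or this guide), the following Python checks a serverconfig.xml document against the element and attribute rules described in the DTD section above (one ServerGroup, Server with host/port/type, User types auth/proxy/rebind/admin, non-empty DirDN, DirPassword and BaseDN) and flags the point a reviewer would want from the failover example: servers reached over a SIMPLE rather than SSL connection, over which the proxy and admin bind credentials travel in the clear. The sample document and its placeholder passwords are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the failover example above; the DirPassword
# values are placeholders, not output of ampassword --encrypt.
SAMPLE_XML = """<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="amhost1.example.com" port="389" type="SIMPLE" />
    <Server name="Server2" host="amhost2.example.com" port="636" type="SSL" />
    <User name="User1" type="proxy">
      <DirDN> cn=puser,ou=DSAME Users,dc=example,dc=com </DirDN>
      <DirPassword> ENCRYPTED-PASSWORD-PLACEHOLDER </DirPassword>
    </User>
    <User name="User2" type="admin">
      <DirDN> cn=dsameuser,ou=DSAME Users,dc=example,dc=com </DirDN>
      <DirPassword> ENCRYPTED-PASSWORD-PLACEHOLDER </DirPassword>
    </User>
    <BaseDN> dc=example,dc=com </BaseDN>
  </ServerGroup>
</iPlanetDataAccessLayer>
"""

USER_TYPES = {"auth", "proxy", "rebind", "admin"}  # User type values listed above
CONN_TYPES = {"SIMPLE", "SSL"}                     # Server connection types


def check_serverconfig(xml_text):
    """Return {"errors": [...], "warnings": [...]} for a serverconfig.xml document."""
    errors, warnings = [], []
    root = ET.fromstring(xml_text)
    groups = root.findall("ServerGroup")
    if len(groups) != 1:  # more than one ServerGroup is not supported
        errors.append("expected exactly one ServerGroup, found %d" % len(groups))
    for group in groups:
        servers = group.findall("Server")
        if not servers:
            errors.append("ServerGroup has no Server element")
        for srv in servers:  # listed in failover order
            name = srv.get("name")
            if not all((srv.get(a) or "").strip() for a in ("name", "host", "port")):
                errors.append("Server %r is missing name, host or port" % name)
            if srv.get("type") not in CONN_TYPES:
                errors.append("Server %r: type must be SIMPLE or SSL" % name)
            elif srv.get("type") == "SIMPLE":
                # proxy/admin bind credentials cross the network in the clear
                warnings.append("Server %r uses a SIMPLE (non-SSL) connection" % name)
        for user in group.findall("User"):
            if user.get("type") not in USER_TYPES:
                errors.append("User %r: unknown type %r" % (user.get("name"), user.get("type")))
            for tag in ("DirDN", "DirPassword"):
                if not (user.findtext(tag) or "").strip():
                    errors.append("User %r: empty %s" % (user.get("name"), tag))
        if not (group.findtext("BaseDN") or "").strip():
            errors.append("ServerGroup has no BaseDN")
    return {"errors": errors, "warnings": warnings}
```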