Sun Java System Access Manager 7.1 Administration Reference

Policy Configuration

The Policy Configuration attributes enable the administrator to set configuration global and realm properties used by the Policy service.

Global Properties

The Global Properties are:

Resource Comparator

Specifies the resource comparator information used to compare resources specified in a Policy rule definition. Resource comparison is used for both policy creation and evaluation.

Click the Add button and define the following attributes:

Service Type

Specifies the service to which the comparator should be used.

Class

Defines the Java class that implements the resource comparison algorithm.

Delimiter

Specifies the delimiter to be used in the resource name.

Wildcard

Specifies the wildcard that can be defined in resource names.

One Level Wildcard

Matches zero or more characters, at the same delimiter boundary.

Case Sensitive

Specifies if the comparison of the two resources should consider or ignore case. False ignores case, True considers case.

Continue Evaluation on Deny Decision

Specifies whether or not the policy framework should continue evaluating subsequent policies, even if a DENY policy decision exists. If it is not selected (default), policy evaluation would skip subsequent policies once the DENY decision is recognized.

Advices Handleable by Access Manager

Defines the names of policy advice keys for which the Policy Enforcement Point (Policy Agent) would redirect the user agent to Access Manager. If the agent receives a policy decision that does not allow access to a resource, but does posses advices, the agent checks to see whether it has a advice key listed in this attribute.

If such an advice is found, the user agent is redirected to Access Manager, potentially allowing the access to the resource.

Organization Alias Referrals

When set to Yes, this attribute allows you to create policies in sub-realms without having to create referral policies from the top-level or parent realm. You can only create policies to protect HTTP or HTTPS resources whose fully qualified hostname matches the DNSAlias of the realm. By default, this attribute is defined as No.

Realm Attributes

The LDAP Properties are:

Primary LDAP Server

Specifies the host name and port number of the primary LDAP server specified during Access Manager installation that will be used to search for Policy subjects, such as LDAP users, LDAP roles, LDAP groups, and so forth.

The format is hostname:port. For example: machine1.example.com:389

For failover configuration to multiple LDAP server hosts, this value can be a space-delimited list of hosts. The format is hostname1:port1 hostname2:port2...

For example: machine1.example1.com:389 machine2.example1.com:389

Multiple entries must be prefixed by the local server name. This is to allow specific Access Managers to be configured to talk to specific Directory Servers.

The format is servername|hostname:port For example:

machine1.example1.com|machine1.example1.com:389

machine1.example2.com|machine1.example2.com:389

For failover configuration:

AM_Server1.example1.com|machine1.example1.com:389 machine2.example.com1:389

AM_Server2.example2.com|machine1.example2.com:389 machine2.example2.com:389

LDAP Base DN

Specifies the base DN in the LDAP server from which to begin the search. By default, it is the top-level realm of the Access Manager installation.

LDAP Users Base DN

This attribute specifies the base DN used by the LDAP Users subject in the LDAP server from which to begin the search. By default, it is the top-level realm of the Access Manager installation base.

Access Manager Roles Base DN

Defines the DN of the realm or organization which is used as a base while searching for the values of Access Manager Roles. This attribute is used by the AccessManagerRoles policy subject.

LDAP Bind DN

Specifies the bind DN in the LDAP server.

LDAP Bind Password

Defines the password to be used for binding to the LDAP server. By default, the amldapuser password that was entered during installation is used as the bind user.

LDAP Organization Search Filter

Specifies the search filter to be used to find organization entries. The default is (objectclass=sunMangagedOrganization).

LDAP Organizations Search Scope

Defines the scope to be used to find organization entries. The scope must be one of the following:

LDAP Groups Search Scope

Defines the scope to be used to find group entries. The scope must be one of the following:

LDAP Groups Search Filter

Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).

LDAP Users Search Filter

Specifies the search filter to be used to find user entries. The default is (objectclass=inetorgperson).

LDAP Users Search Scope

Defines the scope to be used to find user entries. The scope must be one of the following:

LDAP Roles Search Filter

Specifies the search filter to be used to find entries for roles. The default is (&(objectclass=ldapsubentry)(objectclass=nsroledefinitions)) .

LDAP Roles Search Scope

This attribute defines the scope to be used to find entries for roles. The scope must be one of the following:

Access Manager Roles Search Scope

Defines the scope to be used to find entries for Access Manager Roles subject.

LDAP Organization Search Attribute

Defines the attribute type for which to conduct a search on an organization. The default is o.

LDAP Groups Search Attribute

Defines the attribute type for which to conduct a search on a group. The default is cn.

LDAP Users Search Attribute

Defines the attribute type for which to conduct a search on a user. The default is uid.

LDAP Roles Search Attribute

This field defines the attribute type for which to conduct a search on a role. The default is cn.

Maximum Results Returned from Search

This field defines the maximum number of results returned from a search. The default value is 100. If the search limit exceeds the amount specified, the entries that have been found to that point will be returned.

Search Timeout

Specifies the amount of time before a timeout on a search occurs. If the search exceeds the specified time, the entries that have been found to that point will be returned

LDAP SSL

Specifies whether or not the LDAP server is running SSL. Selecting enables SSL, deselecting (default) disables SSL.

If the LDAP Server is running with SSL enabled (LDAPS), you must make sure that Access Manager is configured with proper SSL-trusted certificates so that Access Manager can connect to Directory server over LDAPS protocol.

LDAP Connection Pool Minimum Size

Specifies the minimal size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 1.

Connection Pool Maximum Size

This attribute specifies the maximum size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 10.

Selected Policy Subjects

Allows you to select a set of subject types available to be used for policy definition in the realm.

Selected Policy Conditions

Allows you to select a set of conditions types available to be used for policy definition in the realm.

Selected Policy Referrals

Allows you to select a set of referral types available to be used for policy definition in the realm.

Subject Results Time To Live

This attribute specifies the amount of time (in minutes) that a cached subject result can be used to evaluate the same policy request based on the single sign-on token.

When a policy is initially evaluated for an SSO token, the subject instances in the policy are evaluated to determine whether the policy is applicable to a given user. The subject result, which is keyed by the SSO token ID, is cached in the policy. If another evaluation occurs for the same policy for the same SSO token ID within the time specified in the Subject Result Time To Live attribute, the policy framework retrieves the cached subjects result, instead of evaluating the subject instances. This significantly reduces the time for policy evaluation.

User Alias

This attribute must be enabled if you create a policy to protect a resource whose subject's member in a remote Directory Server aliases a local user. This attribute must be enabled, for example, if you create uid=rmuser in the remote Directory Server and then add rmuser as an alias to a local user (such as uid=luser) in Access Manager. When you login as rmuser, a session is created with the local user (luser) and policy enforcement is successful.

Selected Response Providers

Defines the policy response provider plug-ins that are enabled for the realm. Only the response provider plug-ins selected in this attribute can be added to policies defined in the realm.

Selected Dynamic Response Attributes

Defines the dynamic response attributes that are enabled for the realm. Only a subset of names selected in this attribute can be defined in the dynamic attributes list in IDResponseProvider to be added to policies defined in the realm.