Sun OpenSSO Enterprise 8.0 Administration Reference

SDK

The SDK attributes define the configuration of the back-end data store.

Data Store

The Data Store attributes define the basic datastore configuration:

Enable Datastore Notification

Specifies whether back-end datastore notification is enabled. If this value is set to 'false', in-memory notification is used instead.

Enable Directory Proxy

The default is false. The purpose of this flag is to report to Service Management that the Directory Proxy must be used for read, write, and/or modify operations to the Directory Server. This flag also determines if ACIs or delegation privileges are to be used. This flag must be set to "true" when the Access Manager SDK (from version 7 or 7.1) is communicating with Access Manager version 6.3.

For example, in co-existence/legacy mode this value should be "true". In the legacy DIT, delegation policies were not supported; only ACIs were supported. So, to ensure a proper delegation check, this flag must be set to 'true' in a legacy mode installation so that the ACIs are used for access control. Otherwise the delegation check will fail.

In realm mode, this value should be set to false so that only the delegation policies are used for access control. In version 7.0 and later, Access Manager or OpenSSO Enterprise supports a data-agnostic feature in realm mode installations, so servers other than Directory Server may be used to store service configuration data. Additionally, this flag reports to the Service Management feature that the Directory Proxy does not need to be used for read, write, and/or modify operations to the back-end storage. This is because some data stores, such as Active Directory, may not support proxied operations.

Notification Pool Size

Default value is 10. Defines the size of the pool by specifying the total number of threads.

Event Service

The following attributes define event service notification for the data store:

Number of Retries for Event Service Connections

Default value is 3. Specifies the number of attempts made to successfully re-establish the Event Service connections.

Delay Between LDAP Connection Tries

Default value is 3000. Specifies the delay in milliseconds between retries to re-establish the Event Service connections.

Error Codes for LDAP Connection Tries

Default values are 80,81,91. Specifies the LDAP exception error codes that trigger retries to re-establish the Event Service connections.

Idle Timeout

Default value is 0. Specifies the number of minutes after which the persistent searches will be restarted.

This property is used when a load balancer or firewall is between the policy agents and the Directory Server, and the persistent search connections are dropped when TCP idle timeout occurs. The property value should be lower than the load balancer or firewall TCP timeout. This ensures that the persistent searches are restarted before the connections are dropped. A value of 0 indicates that searches will not be restarted. Only the connections that are timed out will be reset.

Disabled Event Service Connection

Specifies which event connections can be disabled. Values (case insensitive) can be:

aci: disables the persistent search for changes to ACIs.

sm: disables the persistent search for changes to the OpenSSO Enterprise information tree (the service management node).

um: disables the persistent search for changes to the user directory.

For example, to disable persistent searches for changes to the OpenSSO Enterprise information tree (or service management node):

com.sun.am.event.connection.disable.list=sm


Caution –

Persistent searches cause some performance overhead on Directory Server. If you determine that removing some of this performance overhead is absolutely critical in a production environment, you can disable one or more persistent searches using this property.

However, before disabling a persistent search, you should understand the limitations described above. It is strongly recommended that this property not be changed unless absolutely required. This property was introduced primarily to avoid overhead on Directory Server when multiple 2.1 J2EE agents are used, because each of these agents establishes these persistent searches. The 2.2 J2EE agents no longer establish these persistent searches, so you might not need to use this property.

Disabling persistent searches for any of these components is not recommended, because a component with a disabled persistent search does not receive notifications from Directory Server. Consequently, changes made in Directory Server for that particular component are not propagated to the component cache. For example, if you disable persistent searches for changes in the user directory (um), OpenSSO Enterprise will not receive notifications from Directory Server. Therefore, an agent would not get notifications from OpenSSO Enterprise to update its local user cache with the new values for the user attribute. Then, if an application queries the agent for the user attributes, it might receive the old value for that attribute.

Use this property only in special circumstances when absolutely required. For example, if you know that Service Configuration changes (changing values of any of the services, such as the Session Service and Authentication Services) will not happen in the production environment, the persistent search for the Service Management (sm) component can be disabled. However, if any change does occur for any of the services, a server restart is then required. The same condition also applies to the other persistent searches, specified by the aci and um values.
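The disable list described above is a comma-separated, case-insensitive list of the component names aci, sm and um. The following Python is an added example (not OpenSSO's own Java code) that parses the value of com.sun.am.event.connection.disable.list from a properties-style file, rejects unknown tokens instead of silently ignoring them, and reports which component caches will stop receiving Directory Server notifications. The property name is the one on this page; the sample file lines are constructed.

```python
# Added example (not OpenSSO code): parse and sanity-check the value of the
# com.sun.am.event.connection.disable.list property described on this page.

PROPERTY = "com.sun.am.event.connection.disable.list"

# Effect of disabling each persistent search, as described in the reference text.
COMPONENTS = {
    "aci": "ACI changes in Directory Server",
    "sm": "service configuration changes (a server restart is needed after any service change)",
    "um": "user directory changes (agents may serve stale user attributes from their local cache)",
}


def parse_disable_list(value: str) -> set:
    """Return the set of disabled components, lower-cased.

    Tokens are compared case-insensitively (the page states values are case insensitive);
    an unknown token raises ValueError so a typo cannot pass as a no-op."""
    disabled = set()
    for token in value.split(","):
        name = token.strip().lower()
        if not name:  # tolerate an empty value or a trailing comma
            continue
        if name not in COMPONENTS:
            raise ValueError(
                f"{PROPERTY}: unknown component {token.strip()!r}; "
                f"expected one of {sorted(COMPONENTS)}")
        disabled.add(name)
    return disabled


def review_properties(lines) -> dict:
    """Scan Java-properties style lines for the property and summarise its effect.

    Returns {"configured": bool, "disabled": set, "effects": [str]}; the last
    occurrence of the property wins, as in a properties file."""
    result = {"configured": False, "disabled": set(), "effects": []}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if key.strip() == PROPERTY:
            result["configured"] = True
            result["disabled"] = parse_disable_list(val)
    result["effects"] = [
        f"{name}: no longer notified of {COMPONENTS[name]}"
        for name in sorted(result["disabled"])]
    return result


if __name__ == "__main__":
    # Constructed sample of an AMConfig-style properties fragment.
    sample = [
        "# constructed sample",
        "com.sun.am.event.connection.disable.list=SM, um",
    ]
    for effect in review_properties(sample)["effects"]:
        print(effect)
```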


LDAP Connection

The following attributes set connection data for the back-end data store:

Number of Retries for LDAP Connection

Default is 1000. Specifies the number of milliseconds between retries.

Delay Between LDAP Connection Retries

Default value is 3. Specifies the number of attempts made to successfully re-establish the LDAP connection.

Error Codes for LDAP Connection Retries

Default values are 80,81,91. Specifies the LDAPException error codes that trigger retries to re-establish the LDAP connection.
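Both the Event Service attributes above and the LDAP Connection attributes in this section describe the same policy: a failed connection attempt is retried a fixed number of times, with a fixed delay, but only when the LDAP result code is one of the configured "retryable" codes (80 other, 81 server down, 91 connect error by default). The following Python is an added example, not OpenSSO's own Java implementation, that models that policy so the three knobs can be seen working together. It assumes that the retry count means re-establish attempts after the first failure, and uses a constructed LDAPException class and a scripted connector in place of a real LDAP SDK.

```python
import time
from typing import Callable, Iterable, Tuple

# Page defaults for "Error Codes for ... Connection Retries": LDAP result codes
# 80 (other), 81 (server down) and 91 (connect error) are treated as transient.
DEFAULT_RETRY_CODES = frozenset({80, 81, 91})


class LDAPException(Exception):
    """Constructed stand-in for an LDAP SDK exception carrying the result code."""

    def __init__(self, result_code: int, message: str = ""):
        super().__init__(message or f"LDAP result code {result_code}")
        self.result_code = result_code


def connect_with_retries(connect: Callable[[], object], retries: int = 3, delay_ms: int = 3000,
                         retry_codes: Iterable[int] = DEFAULT_RETRY_CODES,
                         sleep: Callable[[float], None] = time.sleep) -> Tuple[object, int]:
    """Call connect(); on an LDAPException whose result code is in retry_codes, wait
    delay_ms and try again, at most `retries` more times (assumption: the retry count
    is the number of re-establish attempts after the first failure).

    Any other result code, for example 49 invalidCredentials, is raised immediately:
    retrying a credential or schema error only delays the failure report.
    Returns (connection, attempts_made)."""
    codes = frozenset(retry_codes)
    attempt = 0
    while True:
        attempt += 1
        try:
            return connect(), attempt
        except LDAPException as exc:
            if exc.result_code not in codes or attempt > retries:
                raise  # not retryable, or the retry budget is used up
            sleep(delay_ms / 1000.0)


def scripted_connector(outcomes) -> Callable[[], object]:
    """Constructed test double: each call returns the next scripted outcome,
    raising it when it is an exception."""
    queue = list(outcomes)

    def connect():
        outcome = queue.pop(0)
        if isinstance(outcome, Exception):
            raise outcome
        return outcome

    return connect


if __name__ == "__main__":
    waits = []
    # Event Service defaults from the page: 3 retries, 3000 ms apart.
    conn, attempts = connect_with_retries(
        scripted_connector([LDAPException(81), LDAPException(91), "ldap-connection"]),
        retries=3, delay_ms=3000, sleep=waits.append)
    print(conn, "established after", attempts, "attempts; waited (s):", waits)
```

The `sleep` parameter is injected so the policy can be exercised without real delays; a deployment would pass the delay from the attribute and leave `sleep` at its default.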

Caching and Replica

The following attributes define caching and replication configuration:

SDK Caching Max. Size

Default value is 10000. Specifies the size of the SDK cache when caching is enabled. Use an integer greater than 0, or the default size (10000 users) will be used.

SDK Replica Retries

Default value is 0. Specifies the number of times to retry.

Delay Between SDK Replica Tries

Default value is 1000. Specifies the number of milliseconds between retries.

Time To Live Configuration

Cache Entry Expiration Enabled

When enabled, the cache entries will expire based on the time specified in User Entry Expiration Time attribute.

User Entry Expiration Time

This attribute specifies the time in minutes for which user entries remain valid in the cache after their last modification. After this period elapses (counted from the last modification or read from the Directory Server), the cached data for the entry expires. From that point, new requests for those user entries are read from the Directory Server.

Default Entry Expiration Time

This attribute specifies the time in minutes for which non-user entries remain valid in the cache after their last modification. After this period elapses (counted from the last modification or read from the Directory Server), the cached data for the entry expires. From that point, new requests for those non-user entries are read from the Directory Server.
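The four cache attributes in this section (SDK Caching Max. Size, Cache Entry Expiration Enabled, User Entry Expiration Time and Default Entry Expiration Time) interact in a way that is easiest to see in code. The following Python is an added example, not OpenSSO's own SDK code, that models them: entries are served from the cache until their per-type TTL has elapsed since the last Directory Server read or modification, expiration can be switched off entirely, and a non-positive size falls back to the page's default of 10000. The page does not say how the size limit is enforced, so evicting the oldest-loaded entry is an assumption; the `loader` callback, the sample DNs and the fake clock are constructed for the example.

```python
import time
from collections import OrderedDict
from dataclasses import dataclass
from typing import Callable

DEFAULT_MAX_SIZE = 10000  # "SDK Caching Max. Size" default stated on the page


@dataclass
class _Entry:
    value: object
    loaded_at: float  # clock reading of the last read from / modification in the Directory Server
    is_user: bool     # user entries use the user TTL, all other entries the default TTL


class SDKEntryCache:
    """Added model of the SDK cache knobs described on this page (not OpenSSO code)."""

    def __init__(self, loader: Callable[[str], object], max_size: int = DEFAULT_MAX_SIZE,
                 expiration_enabled: bool = False, user_ttl_minutes: int = 0,
                 default_ttl_minutes: int = 0, clock: Callable[[], float] = time.monotonic):
        # Page: use an integer greater than 0, otherwise the default size (10000) is used.
        self.max_size = max_size if max_size > 0 else DEFAULT_MAX_SIZE
        self.expiration_enabled = expiration_enabled   # "Cache Entry Expiration Enabled"
        self.user_ttl = user_ttl_minutes * 60          # "User Entry Expiration Time", in seconds
        self.default_ttl = default_ttl_minutes * 60    # "Default Entry Expiration Time", in seconds
        self._loader = loader                          # stands in for a Directory Server read
        self._clock = clock
        self._entries: "OrderedDict[str, _Entry]" = OrderedDict()
        self.ds_reads = 0                              # how often the directory was consulted

    def _is_expired(self, entry: _Entry) -> bool:
        if not self.expiration_enabled:
            return False  # expiration disabled: entries stay valid until evicted or rewritten
        ttl = self.user_ttl if entry.is_user else self.default_ttl
        return self._clock() - entry.loaded_at >= ttl

    def _store(self, dn: str, value, is_user: bool) -> _Entry:
        entry = _Entry(value, self._clock(), is_user)
        self._entries[dn] = entry
        self._entries.move_to_end(dn)
        # Assumption (the page does not specify the policy): drop the oldest-loaded entry when full.
        while len(self._entries) > self.max_size:
            self._entries.popitem(last=False)
        return entry

    def get(self, dn: str, is_user: bool):
        """Serve from the cache while valid; on a miss or an expired entry, re-read the directory."""
        entry = self._entries.get(dn)
        if entry is None or self._is_expired(entry):
            self.ds_reads += 1
            entry = self._store(dn, self._loader(dn), is_user)
        return entry.value

    def put(self, dn: str, value, is_user: bool) -> None:
        """Record a modification written through the SDK; the TTL restarts from now."""
        self._store(dn, value, is_user)


if __name__ == "__main__":
    now = [0.0]  # constructed fake clock, in seconds
    cache = SDKEntryCache(lambda dn: {"dn": dn, "read_at": now[0]}, max_size=2,
                          expiration_enabled=True, user_ttl_minutes=5,
                          default_ttl_minutes=30, clock=lambda: now[0])
    cache.get("uid=alice,ou=people", is_user=True)
    now[0] = 6 * 60  # six minutes later the user entry has expired, a service entry would not have
    print(cache.get("uid=alice,ou=people", is_user=True), "directory reads:", cache.ds_reads)
```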