Sun OpenSSO Enterprise 8.0 Administration Reference

Servers and Sites

The Servers and Sites configuration attributes allow for centralized configuration management of sites and servers for the entire deployment.

Multiple (two or more) OpenSSO Enterprise instances can be deployed on at least two different host servers. For example, you might deploy two instances on one server and a third instance on another server. Or you might deploy all instances on different servers. You can also configure the OpenSSO Enterprise instances in session failover mode, if required for your deployment.

One or more load balancers route client requests to the various OpenSSO Enterprise instances. You configure each load balancer according to your deployment requirements (for example, to use round-robin or load average) to distribute the load between the OpenSSO Enterprise instances. A load balancer simplifies the deployment, as well as resolves issues such as a firewall between the client and the back-end OpenSSO Enterprise servers. You can use a hardware or software load balancer with your OpenSSO Enterprise deployment. All OpenSSO Enterprise instances access the same Directory Server.


Caution –

If you make any changes to the configuration attributes for Servers and Sites, either through the console or the command line interface, you must restart the web container on which OpenSSO Enterprise is deployed for the changes to take effect.


Procedure: To Create a New Server Instance

An entry for each server is automatically created in the server list when the OpenSSO Enterprise Configurator is run for server configuration. Under normal circumstances, these steps should not be required.

  1. Log into the OpenSSO Enterprise console as the top-level administrator.

  2. Click the Configuration tab and then click Sites and Servers.

  3. Click New in the Servers list.

  4. Enter the FQDN of the server that you wish to add and click OK.

    The FQDN should be in the format of http(s)://host.domain:port/uri.

  5. The newly created server instance appears in the list.

  6. To edit the server, click on the name of the server. The configuration attributes for the server are available for you to customize.

    The Default Server Settings are the set of default values for server instances. Each server instance needs a minimum set of property values, and most of those values, depending on your deployment, can be the same for every server instance. This setting allows you to enter the basic properties in one place, without having to change them for each additional server instance.

    These default values can be overwritten. This is done by clicking the Inheritance Settings button, located at the top of the server instance profile page. After this button is clicked, the console displays a page where you can select and deselect which values to inherit or overwrite.

Inheritance Settings

The Inheritance Settings allow you to select which default values can be overwritten for each server instance. Make sure that the attributes that you wish to define for the server instance are unchecked, and then click Save.

General

The General attributes configure basic configuration data for your centralized server management.

Site Attributes

The site attribute is:

Parent Site

This attribute maps the load balancer Site Name (site ID) to the OpenSSO Enterprise server. Note that the site must be created before you can add the server to it.

System Attributes

The system attributes list location information for the server instance:

Base Installation Directory

Specifies the base directory where the product's data resides.

Default Locale

The locale value is the default language subtype that OpenSSO Enterprise was installed with. The default is en_us.

Notification URL

The location of the notification service endpoint. This value is set during installation.

XML Validation

Default value is no. Determines whether validation is required when parsing XML documents using the OpenSSO Enterprise XMLUtils class. Allowable values are yes and no. XML document validation is turned on only if the value of this property is yes and the Debug Level attribute is set to warning or message; at other debug levels the property has no effect.

Debugging Attributes

The Debugging attributes list basic error checking information:

Debug Level

Specifies the debug level. Default value is error. Possible values are off, error, warning, and message (the values listed for com.iplanet.services.debug.level under Advanced).

Merge Debug Files

If set to on, the server directs all debug data to a single file (debug.out). If set to off, the server creates separate per-component debug files.

Debug Directory

Specifies the output directory where debug files will be created. Value is set during installation. Example: OpenSSO-deploy-base/uri/debug.

Mail Server

The Mail Server attributes list the host name and port for the mail server:

Mail Server Host Name

Default value is localhost. Specifies the mail server host.

Mail Server Port Number

Default value is 25. Specifies the mail server port.

Security

The Security attributes define encryption, validation and cookie information to control the level of security for the server instance.

Encryption

The encryption attributes are:

Password Encryption Key

Specifies the key used to encrypt and decrypt passwords and is stored in the Service Management System configuration. Value is set during installation. Example: dSB9LkwPCSoXfIKHVMhIt3bKgibtsggd

Authentication Service Shared Secret

The shared secret for the application authentication module. Value is set during installation. Example: AQICPX9e1cxSxB2RSy1WG1+O4msWpt/6djZl

Encryption Class

Default value is com.iplanet.services.util.JCEEncryption. Specifies the encrypting class implementation. Available classes are: com.iplanet.services.util.JCEEncryption and com.iplanet.services.util.JSSEncryption.

Secure Random Factory Class

Default value is com.iplanet.am.util.JSSSecureRandomFactoryImpl. Specifies the factory class name for SecureRandomFactory. Available implementation classes are: com.iplanet.am.util.JSSSecureRandomFactoryImpl which uses JSS, and com.iplanet.am.util.SecureRandomFactoryImpl which uses pure Java.

Validation

The validation attributes are:

Platform Low Level Comm. Max. Content Length

Default value is 16384 or 16k. Specifies the maximum content-length for an HttpRequest that OpenSSO Enterprise will accept.

Client IP Address Check

Default value is NO. Specifies whether or not the IP address of the client is checked in all SSOToken creations or validations.

Cookie

The cookie attributes are:

Cookie Name

Default value is iPlanetDirectoryPro. Cookie name used by the Authentication Service to set the valid session handler ID. The value of this cookie is used to retrieve the valid session information.

Secure Cookie

Allows the OpenSSO Enterprise cookie to be set in secure mode, in which the browser returns the cookie only when a secure protocol such as HTTPS is used. Default value is false.

Encode Cookie Value

This property allows OpenSSO Enterprise to URL-encode the cookie value, which converts characters into a form that HTTP can carry.

Keystore

The following attributes allow you to configure keystore information for additional sites and servers that you create:

Keystore File

Value is set during installation. Example: OpenSSO-deploy-base/URI/keystore.jks. Specifies the path to the SAML XML keystore password file.

Keystore Password File

Value is set during installation. Example: OpenSSO-deploy-base/URI/.storepass. Specifies the path to the SAML XML keystore password (storepass) file.

Private Key Password File

Value is set during installation. Example: OpenSSO-deploy-base/URI/.keypass. Specifies the path to the SAML XML key password file.

Certificate Alias

Default value is test.

Certificate Revocation List Caching

These attributes define the local Certificate Revocation List (CRL) caching repository that is used for keeping the CRL from certificate authorities. Any service that needs to obtain a CRL for certificate validation will receive the CRL based on this information.

LDAP Server Host Name

Specifies the name of the LDAP server where the certificates are stored. The default value is the host name specified when OpenSSO Enterprise was installed. The host name of any LDAP Server where the certificates are stored can be used.

LDAP Server Port Number

Specifies the port number of the LDAP server where the certificates are stored. The default value is the port specified when OpenSSO Enterprise was installed. The port of any LDAP Server where the certificates are stored can be used.

SSL Enabled

Specifies whether to use SSL to access the LDAP server. The default is that the Certificate Authentication service does not use SSL for LDAP access.

LDAP Server Bind User Name

Specifies the bind DN in the LDAP server.

LDAP Server Bind Password

Defines the password to be used for binding to the LDAP server. By default, the password entered during installation for amldapuser, the bind user, is used.

LDAP Search Base DN

This attribute specifies the base DN used by the LDAP Users subject in the LDAP server from which to begin the search. By default, it is the top-level realm of the OpenSSO Enterprise installation base.

Search Attributes

Any DN component of the issuer's subjectDN can be used to retrieve a CRL from a local LDAP server. It is a single-valued string, for example "cn". All root CAs need to use the same search attribute.

Online Certificate Status Protocol Check

The Online Certificate Status Protocol (OCSP) enables OpenSSO Enterprise services to determine the (revocation) state of a specified certificate. OCSP may be used to satisfy some of the operational requirements of providing more timely revocation information than is possible with CRLs and may also be used to obtain additional status information. An OCSP client issues a status request to an OCSP responder and suspends acceptance of the certificate in question until the responder provides a response.

Check Enabled

This attribute enables OCSP checking. It is enabled by default.

Responder URL

This attribute defines a URL that identifies the location of the OCSP responder. For example, http://ocsp.example.net:80.

By default, the location of the OCSP responder is determined implicitly from the certificate being validated. The property is used when the Authority Information Access extension (defined in RFC 3280) is absent from the certificate or when it requires overriding.

Certificate Nickname

The OCSP responder nickname is the CA certificate nickname for that responder, for example Certificate Manager - sun. If set, the CA certificate must be present in the web server's certificate database. If the OCSP URL is set, the OCSP responder nickname must be set also; otherwise, both will be ignored. If they are not set, the OCSP responder URL presented in the user's certificate will be used for OCSP validation. If no OCSP responder URL is presented in the user's certificate, no OCSP validation will be performed.

Federal Information Processing Standards

Under the Information Technology Management Reform Act (Public Law 104-106), the Secretary of Commerce approves standards and guidelines that are developed by the National Institute of Standards and Technology (NIST) for Federal computer systems. These standards and guidelines are issued by NIST as Federal Information Processing Standards (FIPS) for use government-wide. NIST develops FIPS when there are compelling Federal government requirements such as for security and interoperability and there are no acceptable industry standards or solutions.

FIPS Mode

This property can be true or false. All cryptographic operations run in FIPS-compliant mode only if it is true.

Session

The session attributes allow you to configure session information for additional site and server instances.

Session Limits

The following attributes set server session limits:

Maximum Sessions

Default value is 5000. Specifies the maximum number of allowable concurrent sessions. Login returns a Maximum Sessions error if the number of concurrent sessions exceeds this value.

Invalidate Session Max Time

Default value is 3. Specifies the number of minutes after which an invalid session is removed from the session table if it was created but the user did not log in. This value should always be greater than the timeout value in the Authentication module properties file.

Session Purge Delay

Default value is 0. Specifies the number of minutes to delay the purge session operation. After a session times out, this is an extended time period during which the session continues to reside in the session server. This property is used by the client application to check if the session has timed out through SSO APIs. At the end of this extended time period, the session is destroyed. The session is not sustained during the extended time period if the user logs out or if the session is explicitly destroyed by an OpenSSO Enterprise component. The session is in the INVALID state during this extended period.

Statistics

The following attributes set statistical configuration:

Logging Interval

Default value is 60. Specifies the number of minutes to elapse between statistics logging. Minimum is 5 seconds to avoid CPU saturation; OpenSSO Enterprise treats any value less than 5 seconds as 5 seconds.

State

Default value is file. Specifies the location of the statistics log. Possible values are off, file, and console (the values listed for com.iplanet.services.stats.state under Advanced).

Directory

Value is set during installation. Example: OpenSSO Enterprise-base/server-URI/stats. Specifies directory where debug files are created.

Enable Host Lookup

Default value is false. Enables or disables host lookup during session logging.

Notification

The following attributes set notification configuration:

Notification Pool Size

Default value is 10. Defines the size of the pool by specifying the total number of threads.

Notification Thread Pool Threshold

Default value is 100. Specifies the maximum task queue length. When a notification task comes in, it is sent to the task queue for processing. If the queue reaches the maximum length, further incoming requests will be rejected along with a ThreadPoolException, until the queue has a vacancy.

Validation

The following attribute sets validation configuration:

Case Insensitive Client DN Comparison

Default value is true. Compares the Agent DN. If the value is false, the comparison is case-sensitive.

SDK

The SDK attributes set configuration definitions for the back-end data store.

Data Store

The Data Store attributes set basic datastore configuration:

Enable Datastore Notification

Specifies if the back-end datastore notification is enabled. If this value is set to 'false', then in-memory notification is enabled.

Enable Directory Proxy

The default is false. The purpose of this flag is to report to Service Management that the Directory Proxy must be used for read, write, and/or modify operations to the Directory Server. This flag also determines if ACIs or delegation privileges are to be used. This flag must be set to "true" when the Access Manager SDK (from version 7 or 7.1) is communicating with Access Manager version 6.3.

For example, in the co-existence/legacy mode this value should be "true". In the legacy DIT, delegation policies were not supported; only ACIs were supported, so to ensure a proper delegation check, this flag must be set to 'true' in a legacy mode installation to make use of the ACIs for access control. Otherwise the delegation check will fail.

In realm mode, this value should be set to false so that only the delegation policies are used for access control. In version 7.0 and later, Access Manager or OpenSSO Enterprise supports a data-agnostic feature in realm mode installations, so, in addition to Directory Server, other servers may be used to store service configuration data. Additionally, this flag reports to the Service Management feature that the Directory Proxy does not need to be used for read, write, and/or modify operations to the back-end storage. This is because some data stores, like Active Directory, may not support proxy.

Notification Pool Size

Default value is 10. Defines the size of the pool by specifying the total number of threads.

Event Service

The following attributes define event service notification for the data store:

Number of Retries for Event Service Connections

Default value is 3. Specifies the number of attempts made to successfully re-establish the Event Service connections.

Delay Between LDAP Connection Tries

Default value is 3000. Specifies the delay in milliseconds between retries to re-establish the Event Service connections.

Error Codes for LDAP Connection Tries

Default values are 80,81,91. Specifies the LDAP exception error codes for which retries to re-establish Event Service connections will trigger.

Idle Timeout

Default value is 0. Specifies the number of minutes after which the persistent searches will be restarted.

This property is used when a load balancer or firewall is between the policy agents and the Directory Server, and the persistent search connections are dropped when TCP idle timeout occurs. The property value should be lower than the load balancer or firewall TCP timeout. This ensures that the persistent searches are restarted before the connections are dropped. A value of 0 indicates that searches will not be restarted. Only the connections that are timed out will be reset.

Disabled Event Service Connection

Specifies which event connections can be disabled. Values (case insensitive) are aci, sm (service management), and um (user directory), as discussed in the caution below.

For example, to disable persistent searches for changes to the OpenSSO Enterprise information tree (or service management node):

com.sun.am.event.connection.disable.list=sm


Caution –

Persistent searches cause some performance overhead on Directory Server. If you determine that removing some of this performance overhead is absolutely critical in a production environment, you can disable one or more persistent searches using this property.

However, before disabling a persistent search, you should understand the limitations described above. It is strongly recommended that this property not be changed unless absolutely required. This property was introduced primarily to avoid overhead on Directory Server when multiple 2.1 J2EE agents are used, because each of these agents establishes these persistent searches. The 2.2 J2EE agents no longer establish these persistent searches, so you might not need to use this property.

Disabling persistent searches for any of these components is not recommended, because a component with a disabled persistent search does not receive notifications from Directory Server. Consequently, changes made in Directory Server for that particular component will not be notified to the component cache. For example, if you disable persistent searches for changes in the user directory (um), OpenSSO Enterprise will not receive notifications from Directory Server. Therefore, an agent would not get notifications from OpenSSO Enterprise to update its local user cache with the new values for the user attribute. Then, if an application queries the agent for the user attributes, it might receive the old value for that attribute.

Use this property only in special circumstances when absolutely required. For example, if you know that Service Configuration changes (related to changing values to any of services such as Session Service and Authentication Services) will not happen in production environment, the persistent search to the Service Management (sm) component can be disabled. However, if any changes occur for any of the services, a server restart would be required. The same condition also applies to other persistent searches, specified by the aci and um values.


LDAP Connection

The following attributes set connection data for the back end data store:

Number of Retries for LDAP Connection

Default is 1000. Specifies the number of milliseconds between retries.

Delay Between LDAP Connection Retries

Default value is 3. Specifies the number of attempts made to successfully re-establish the LDAP connection.

Error Codes for LDAP Connection Retries

Default values are 80,81,91. Specifies the LDAPException error codes for which retries to re-establish the LDAP connection will trigger.
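The retry behaviour that the Event Service and LDAP Connection attributes above configure, as an added example that is not OpenSSO code: a helper that retries an operation a fixed number of times, a fixed delay apart, but only when the LDAP result code is one of the configured retry codes. The defaults (3 retries, 3000 ms, codes 80, 81, 91) are the Event Service defaults stated above; LDAPError, flaky_directory and outcome are constructed stand-ins for a real client's exception type and connection.

```python
import time


class LDAPError(Exception):
    """Minimal stand-in for an LDAP client exception that carries the
    server's result code (constructed for this example)."""

    def __init__(self, code, message=""):
        super().__init__(f"LDAP result {code}: {message}")
        self.code = code


# Defaults taken from the Event Service attributes: retry only on result
# codes 80 (other), 81 (server down) and 91 (connect error), the codes that
# signal a lost connection rather than a request the directory rejected.
DEFAULT_RETRY_CODES = frozenset({80, 81, 91})


def retry_on_codes(operation, num_retries=3, delay_ms=3000,
                   retry_codes=DEFAULT_RETRY_CODES, sleep=time.sleep):
    """Run operation() and re-run it, at most num_retries times, whenever it
    raises an LDAPError whose code is in retry_codes. Any other code (for
    example 49, invalid credentials) propagates at once: repeating a bind
    the directory has rejected only repeats the failure and adds load.
    Returns (result, retries_used)."""
    retries = 0
    while True:
        try:
            return operation(), retries
        except LDAPError as err:
            if err.code not in retry_codes or retries >= num_retries:
                raise
            retries += 1
            sleep(delay_ms / 1000.0)


def flaky_directory(failures):
    """Constructed sample operation: raise each LDAPError in `failures` in
    order, then return a bind handle."""
    pending = list(failures)

    def op():
        if pending:
            raise pending.pop(0)
        return "bound"
    return op


def outcome(failures, **kwargs):
    """Run retry_on_codes against a flaky_directory without really sleeping
    and summarise the result as ('ok', retries) or ('error', code)."""
    try:
        _, retries = retry_on_codes(flaky_directory(failures),
                                    sleep=lambda _seconds: None, **kwargs)
        return ("ok", retries)
    except LDAPError as err:
        return ("error", err.code)


if __name__ == "__main__":
    # Two transient outages followed by success: two retries consumed.
    print(outcome([LDAPError(81, "server down"), LDAPError(91, "connect error")]))
    # Rejected credentials are not a connection problem and are never retried.
    print(outcome([LDAPError(49, "invalid credentials")]))
    # Four consecutive outages exhaust three retries and surface the last error.
    print(outcome([LDAPError(80, "other")] * 4))
```

Restricting retries to connection-level codes is the point of the Error Codes attributes: a bind rejected with result 49 is a credential problem, and retrying it several times per request only multiplies failed binds against the directory.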

Caching and Replica

The following attributes define caching and replication configuration:

SDK Caching Max. Size

Default value is 10000. Specifies the size of the SDK cache when caching is enabled. Use an integer greater than 0, or the default size (10000 users) will be used.

SDK Replica Retries

Default value is 0. Specifies the number of times to retry.

Delay Between SDK Replica Tries

Default value is 1000. Specifies the number of milliseconds between retries.

Time To Live Configuration

Cache Entry Expiration Enabled

When enabled, the cache entries will expire based on the time specified in User Entry Expiration Time attribute.

User Entry Expiration Time

This attribute specifies time in minutes for which the user entries remain valid in the cache after their last modification. After this specified period of time elapses (after the last modification/read from the Directory Server), the data for the entry that is cached will expire. At this point, new requests for data for these user entries are read from the Directory Server.

Default Entry Expiration Time

This attribute specifies the time in minutes for which the non-user entries remain valid in the cache after their last modification. After this specified period of time elapses (after the last modification/read from the Directory Server), the data for the entry that is cached will expire. At this point, new requests for data for these non-user entries are read from the Directory Server.
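How the two expiration times interact, as an added example (not OpenSSO code): a read-through cache that times entries out a fixed number of minutes after they were last read from the directory, using User Entry Expiration Time for user entries and Default Entry Expiration Time for everything else, with Cache Entry Expiration Enabled switching the ageing on or off. The DIRECTORY dictionary, the inetOrgPerson test used to recognise user entries and the fake clock are all constructed for the demonstration.

```python
import time


class TTLCache:
    """Read-through cache with the expiration rules described above: an entry
    stays valid for a fixed number of minutes after it was last read from the
    directory, with one TTL for user entries and another for all other
    entries. With expiration disabled, entries never age out."""

    def __init__(self, loader, user_ttl_min, default_ttl_min,
                 expire_enabled=True, clock=time.time):
        self._loader = loader            # callable dn -> entry dict
        self._user_ttl = user_ttl_min * 60
        self._default_ttl = default_ttl_min * 60
        self._enabled = expire_enabled
        self._clock = clock
        self._entries = {}               # dn -> (loaded_at, entry)
        self.directory_reads = 0         # how often the loader was called

    @staticmethod
    def is_user_entry(entry):
        # Constructed rule for telling user entries apart: objectClass inetOrgPerson.
        classes = {c.lower() for c in entry.get("objectClass", [])}
        return "inetorgperson" in classes

    def _fresh(self, loaded_at, entry, now):
        if not self._enabled:
            return True
        ttl = self._user_ttl if self.is_user_entry(entry) else self._default_ttl
        return now - loaded_at < ttl

    def get(self, dn):
        now = self._clock()
        cached = self._entries.get(dn)
        if cached is not None and self._fresh(cached[0], cached[1], now):
            return cached[1]
        # Missing or expired: read from the directory and restart the TTL.
        entry = self._loader(dn)
        self.directory_reads += 1
        self._entries[dn] = (now, entry)
        return entry


USER_DN = "uid=alice,ou=people,dc=example,dc=com"
OU_DN = "ou=services,dc=example,dc=com"

# Constructed stand-in for the Directory Server.
DIRECTORY = {
    USER_DN: {"objectClass": ["inetOrgPerson"], "mail": "alice@example.com"},
    OU_DN: {"objectClass": ["organizationalUnit"]},
}


def trace_reads(user_ttl_min=5, default_ttl_min=30, expire_enabled=True):
    """Replay a sequence of lookups against a fake clock and return the
    cumulative directory read count after each step."""
    clock = [0.0]
    cache = TTLCache(lambda dn: dict(DIRECTORY[dn]), user_ttl_min,
                     default_ttl_min, expire_enabled, clock=lambda: clock[0])
    reads = []
    cache.get(USER_DN)                 # both cold: two directory reads
    cache.get(OU_DN)
    reads.append(cache.directory_reads)
    clock[0] = 6 * 60                  # six minutes later
    cache.get(USER_DN)                 # user TTL (5 min) elapsed: re-read
    cache.get(OU_DN)                   # default TTL (30 min) not elapsed: cached
    reads.append(cache.directory_reads)
    clock[0] = 36 * 60                 # 36 minutes: both TTLs elapsed
    cache.get(USER_DN)
    cache.get(OU_DN)
    reads.append(cache.directory_reads)
    return reads


if __name__ == "__main__":
    print(trace_reads())                       # expiration on
    print(trace_reads(expire_enabled=False))   # expiration off: no re-reads
```

The trace shows why the expiration time matters when persistent-search notifications are disabled (see the caution on the Disabled Event Service Connection attribute): with expiration off, an attribute change on the Directory Server is never noticed by the cache, and with it on, the expiration time is the bound on how long a stale value can be served.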

Directory Configuration

The Directory Configuration attributes define basic configuration information for the embedded directory store:

Directory Configuration

The Directory Configuration attributes are:

Minimum Connection Pool

Specifies the minimum size of the connection pool used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 1.

Maximum Connection Pool

This attribute specifies the maximum size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 10.

Bind DN

Specifies the bind DN in the LDAP server.

Bind Password

Defines the password to be used for binding to the LDAP server. By default, the password entered during installation for amldapuser, the bind user, is used.

Server

This attribute defines the directory server that will serve as the configuration data store for the OpenSSO Enterprise instance. To add a configuration server, click the Add button, and provide values for the following attributes:

Name

Enter a name for the server.

Host Name

Specifies fully-qualified host name of the Directory Server. For example:

DirectoryServerHost.domainName.com

Port Number

Specifies the Directory Server port number.

Connection Type

Defines the connection type for the Directory Server. By default, SIMPLE is selected. You can also choose SSL.

Legacy Configuration

The following attributes define basic directory-server configuration for Legacy mode instances of OpenSSO Enterprise. These attributes appear only in a Legacy mode installation.

Minimum Connection Pool

Specifies the minimum size of the connection pool used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 1.

Maximum Connection Pool

This attribute specifies the maximum size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 10.

Server

This attribute lists the load balancer protocol, host name, and port. For example: http://lb.example.com:80.

Advanced

The advanced properties enable an administrator to select and add values to server configuration properties that are not present in the OpenSSO Enterprise Console. All Server and Sites properties were located in the AMConfig.properties file in previous releases.

In addition to the default properties displayed in the Advanced table of the console, the following properties can be added.


am.encryption.pwd=
am_load_balancer_cookie=
com.iplanet.am.clientIPCheckEnabled=true,false
com.iplanet.am.console.deploymentDescriptor=
com.iplanet.am.console.host=
com.iplanet.am.console.port=integer
com.iplanet.am.console.protocol=https,http
com.iplanet.am.console.remote=true,false
com.iplanet.am.cookie.encode=true,false
com.iplanet.am.cookie.name=
com.iplanet.am.cookie.secure=true,false
com.iplanet.am.directory.host=
com.iplanet.am.directory.port=integer
com.iplanet.am.directory.ssl.enabled=true,false
com.iplanet.am.domaincomponent=
com.iplanet.am.event.connection.delay.between.retries=integer
com.iplanet.am.event.connection.ldap.error.codes.retries=
com.iplanet.am.event.connection.num.retries=integer
com.iplanet.am.jssproxy.checkSubjectAltName=true,false
com.iplanet.am.jssproxy.resolveIPAddress=true,false
com.iplanet.am.jssproxy.SSLTrustHostList=
com.iplanet.am.jssproxy.trustAllServerCerts=true,false
com.iplanet.am.lbcookie.name=
com.iplanet.am.lbcookie.value=
com.iplanet.am.ldap.connection.delay.between.retries=integer
com.iplanet.am.ldap.connection.ldap.error.codes.retries=
com.iplanet.am.ldap.connection.num.retries=integer
com.iplanet.am.locale=
com.iplanet.am.notification.threadpool.size=integer
com.iplanet.am.notification.threadpool.threshold=integer
com.sun.identity.client.notification.url=
com.iplanet.am.replica.delay.between.retries=integer
com.iplanet.am.replica.num.retries=integer
com.iplanet.am.rootsuffix=
com.iplanet.am.sdk.cache.entry.default.expire.time=integer
com.iplanet.am.sdk.cache.entry.expire.enabled=true,false
com.iplanet.am.sdk.cache.entry.user.expire.time=integer
com.iplanet.am.sdk.cache.maxSize=integer
com.iplanet.am.sdk.caching.enabled=true,false
com.iplanet.am.sdk.ldap.debugFileName=
com.iplanet.am.sdk.package=
com.iplanet.am.sdk.remote.pollingTime=integer
com.iplanet.am.server.host=
com.iplanet.am.server.port=integer
com.iplanet.am.server.protocol=https,http
com.iplanet.am.serverMode=true,false
com.iplanet.am.service.secret=
com.iplanet.am.services.deploymentDescriptor=
com.iplanet.am.session.client.polling.enable=true,false
com.iplanet.am.session.client.polling.period=integer
com.iplanet.am.session.failover.cluster.stateCheck.period=integer
com.iplanet.am.session.failover.cluster.stateCheck.timeout=integer
com.iplanet.am.session.failover.httpSessionTrackingCookieName=
com.iplanet.am.session.failover.sunAppServerLBRoutingCookieName=
com.iplanet.am.session.failover.useInternalRequestRouting=true,false
com.iplanet.am.session.failover.useRemoteSaveMethod=true,false
com.iplanet.am.session.invalidsessionmaxtime=integer
com.iplanet.am.session.maxSessions=integer
com.iplanet.am.session.protectedPropertiesList=
com.iplanet.am.session.purgedelay=integer
com.iplanet.am.smtphost=
com.iplanet.am.smtpport=integer
com.iplanet.am.stats.interval=integer
com.iplanet.am.util.xml.validating=on,off
com.iplanet.am.version=
com.iplanet.security.SSLSocketFactoryImpl=
com.iplanet.security.SecureRandomFactoryImpl=
com.iplanet.security.encryptor=
com.iplanet.services.cdsso.cookiedomain=
com.iplanet.services.comm.server.pllrequest.maxContentLength=integer
com.iplanet.services.configpath=
com.iplanet.services.debug.directory=
com.sun.identity.configFilePath=
com.iplanet.am.sdk.userEntryProcessingImpl=
com.iplanet.am.profile.host=
com.iplanet.am.profile.port=integer
com.iplanet.am.pcookie.name=
com.iplanet.am.jssproxy.SSLTrustHostList=
com.sun.identity.authentication.ocspCheck=
com.sun.identity.authentication.ocsp.responder.url=
com.sun.identity.authentication.ocsp.responder.nickname=
com.sun.identity.authentication.super.user=
com.sun.identity.password.deploymentDescriptor=
com.iplanet.am.session.httpSession.enabled=
unixHelper.port=integer
com.sun.identity.policy.Policy.policy_evaluation_weights=
unixHelper.ipaddrs=
com.sun.identity.authentication.uniqueCookieDomain=
com.sun.identity.monitoring.local.conn.server.url=
com.sun.identity.monitoring=
com.iplanet.services.debug.level=off,error,warning,message
com.sun.services.debug.mergeall=on,off
com.sun.embedded.sync.servers=on,off
com.sun.embedded.replicationport=integer
com.iplanet.services.stats.directory=
com.iplanet.services.stats.state=off,file,console
com.sun.am.event.connection.disable.list=
com.sun.am.event.connection.idle.timeout=integer
com.sun.am.ldap.connnection.idle.seconds=integer
com.sun.am.ldap.fallback.sleep.minutes=integer
com.sun.am.session.SessionRepositoryImpl=
com.sun.am.session.caseInsensitiveDN=true,false
com.sun.am.session.enableAddListenerOnAllSessions=true,false
com.sun.am.session.enableHostLookUp=true,false
com.sun.am.session.trustedSourceList=
com.sun.identity.agents.true.value=
com.sun.identity.amsdk.cache.enabled=true,false
com.sun.identity.client.encryptionKey=
com.sun.identity.cookieRewritingInPath=true,false
com.sun.identity.delegation.cache.size=integer
com.sun.identity.enableUniqueSSOTokenCookie=true,false
com.sun.identity.idm.cache.enabled=true,false
com.sun.identity.idm.cache.entry.default.expire.time=integer
com.sun.identity.idm.cache.entry.expire.enabled=true,false
com.sun.identity.idm.cache.entry.user.expire.time=integer
com.sun.identity.jsr196.authenticated.user=
com.sun.identity.jss.donotInstallAtHighestPriority=true,false
com.sun.identity.liberty.ws.util.providerManagerClass=
com.sun.identity.log.logSubdir=
com.sun.identity.loginurl=
com.sun.identity.overrideAMC=true,false
com.sun.identity.plugin.datastore.class.*=
com.sun.identity.security.checkcaller=true,false
com.sun.identity.security.x509.pkg=
com.sun.identity.server.fqdnMap=map
com.sun.identity.session.application.maxCacheTime=integer
com.sun.identity.session.connectionfactory.provider=
com.sun.identity.session.failover.connectionPoolClass=
com.sun.identity.session.httpClientIPHeader=
com.sun.identity.session.polling.threadpool.size=integer
com.sun.identity.session.polling.threadpool.threshold=integer
com.sun.identity.session.repository.cleanupGracePeriod=integer
com.sun.identity.session.repository.cleanupRunPeriod=integer
com.sun.identity.session.repository.dataSourceName=
com.sun.identity.session.repository.enableEncryption=true,false
com.sun.identity.session.repository.healthCheckRunPeriod=integer
com.sun.identity.session.resetLBCookie=true,false
com.sun.identity.session.returnAppSession=true,false
com.sun.identity.sitemonitor.SiteStatusCheck.class=
com.sun.identity.sitemonitor.interval=integer
com.sun.identity.sitemonitor.timeout=integer
com.sun.identity.sm.authservicename.provider=
com.sun.identity.sm.cache.enabled=true,false
com.sun.identity.sm.cacheTime=integer
com.sun.identity.sm.enableDataStoreNotification=true,false
com.sun.identity.sm.flatfile.root_dir=
com.sun.identity.sm.ldap.enableProxy=true,false
com.sun.identity.sm.notification.threadpool.size=integer
com.sun.identity.sm.sms_object_class_name=
com.sun.identity.url.readTimeout=integer
com.sun.identity.url.redirect=
com.sun.identity.urlchecker.invalidate.interval=integer
com.sun.identity.urlchecker.sleep.interval=integer
com.sun.identity.urlchecker.targeturl=
com.sun.identity.util.debug.provider=
com.sun.identity.webcontainer=
com.sun.identity.wss.discovery.config.plugin=
com.sun.identity.wss.provider.config.plugin=
com.sun.identity.wss.security.authenticator=
com.sun.identity.xmlenc.EncryptionProviderImpl=
s1is.java.util.logging.config.class=
s1is.java.util.logging.config.file=
com.sun.identity.authentication.special.users=
com.sun.identity.auth.cookieName=
com.iplanet.am.naming.failover.url=
com.sun.identity.authentication.uniqueCookieName=
securidHelper.ports=integer
com.iplanet.am.daemons=
bootstrap.file=
com.sun.identity.crl.cache.directory.host=
com.sun.identity.crl.cache.directory.port=integer
com.sun.identity.crl.cache.directory.ssl=true,false
com.sun.identity.crl.cache.directory.user=
com.sun.identity.crl.cache.directory.password=
com.sun.identity.crl.cache.directory.searchlocs=
com.sun.identity.crl.cache.directory.searchattr=
com.sun.identity.authentication.ocspCheck=true,false
com.sun.identity.authentication.ocsp.responder.url=
com.sun.identity.authentication.ocsp.responder.nickname=
com.sun.identity.security.fipsmode=true,false
com.sun.identity.urlconnection.useCache=true,false
com.sun.identity.sm.cache.ttl.enable=true,false
com.sun.identity.sm.cache.ttl=integer
com.sun.identity.common.systemtimerpool.size=integer
com.iplanet.services.cdc.invalidGotoStrings=

ProcedureTo Create a New Site Instance

  1. Click New in the Site list.

  2. Enter the Site Name.

    This value uniquely identifies the server and allows a second entry point (in addition to the primary URL) to the site to be specified. It is also used to shorten the cookie length by mapping the server URL to the server ID.

  3. Enter the Primary URL for the site instance, including the site URI.

  4. Click Save.

    The created site will appear in the site list in the correct format.

ProcedureTo Edit a Site Instance

  1. Click on the name of the site you wish to edit from the Site list.

  2. The primary URL for the site is listed in the Primary URL attribute.

  3. If you wish, add a Secondary URL.

    The secondary URL provides the connection information for the session repository used by the session failover functionality in OpenSSO Enterprise. Give the URL of the load balancer as the identifier for this secondary configuration. If the secondary configuration is defined, session failover is enabled automatically and takes effect after the server is restarted.

  4. Click Save.

Servers and Sites Console Attribute Maps

The following table lists the Servers and Sites properties that were included in AMConfig.properties in previous releases, but are now managed as attributes through the OpenSSO Enterprise console. The properties are listed alphabetically. To search for a particular property, use your browser's Search or Find function.

Property Name

The name of the property located in the AMConfig.properties file.

Attribute Name in Console

The name of the attribute as it appears in the OpenSSO Enterprise console.

Location in Console

The console location where the attribute can be found.

Table 7–1 Servers and Sites Attribute Map

| Property Name | Attribute Name in Console | Location in Console |
|---|---|---|
| am.encryption.pwd | Password Encryption Key | Servers and Sites > Security |
| com.iplanet.am.clientIPCheckEnabled | Client IP Address Check | Servers and Sites > Security |
| com.iplanet.am.cookie.encode | Encode Cookie Value | Servers and Sites > Security |
| com.iplanet.am.cookie.name | Cookie Name | Servers and Sites > Security |
| com.iplanet.am.cookie.secure | Secure Cookie | Servers and Sites > Security |
| com.iplanet.am.event.connection.delay.between.retries | Delay Between Event Service Connection Retries | Servers and Sites > SDK |
| com.iplanet.am.event.connection.ldap.error.codes.retries | Error Codes for Event Service Connection Retries | Servers and Sites > SDK |
| com.iplanet.am.event.connection.num.retries | Number of retries for Event Service Notification | Servers and Sites > SDK |
| com.iplanet.am.ldap.connection.delay.between.retries | Number of Retries for LDAP Connection | Servers and Sites > SDK |
| com.iplanet.am.ldap.connection.ldap.error.codes.retries | Error Codes for LDAP Connection Retries | Servers and Sites > SDK |
| com.iplanet.am.ldap.connection.num.retries | Delay Between LDAP Connection Retries | Servers and Sites > SDK |
| com.iplanet.am.locale | Default Locale | Servers and Sites > General |
| com.iplanet.am.notification.threadpool.size | Notification Pool Size | Servers and Sites > Session |
| com.iplanet.am.notification.threadpool.threshold | Notification Thread Pool Threshold | Servers and Sites > Session |
| com.iplanet.am.replica.delay.between.retries | Delay Between SDK Replica Retries | Servers and Sites > SDK |
| com.iplanet.am.replica.num.retries | SDK Replica Retries | Servers and Sites > SDK |
| com.iplanet.am.rootsuffix | | |
| com.iplanet.am.sdk.cache.entry.default.expire.time | Default Entry Expiration Time | Servers and Sites > SDK |
| com.iplanet.am.sdk.cache.entry.expire.enabled | Cache Entry Expiration Enabled | Servers and Sites > SDK |
| com.iplanet.am.sdk.cache.entry.user.expire.time | User Entry Expiration Time | Servers and Sites > SDK |
| com.iplanet.am.sdk.cache.maxSize | SDK Caching Max. Size | Servers and Sites > SDK |
| com.iplanet.am.service.secret | Authentication Service Shared Secret | Servers and Sites > Security |
| com.iplanet.am.session.invalidsessionmaxtime | Invalidate Session Max Time | Servers and Sites > Session |
| com.iplanet.am.session.maxSessions | Maximum Sessions | Servers and Sites > Session |
| com.iplanet.am.session.purgedelay | Sessions Purge Delay | Servers and Sites > Session |
| com.iplanet.am.smtphost | Mail Server Host Name | Servers and Sites > General |
| com.iplanet.am.smtpport | Mail Server Port Number | Servers and Sites > General |
| com.iplanet.am.stats.interval | Logging Interval | Servers and Sites > Session |
| com.iplanet.security.encryptor | Encryption Class | Servers and Sites > Security |
| com.iplanet.services.comm.server.pllrequest.maxContentLength | Platform Low Level Comm. Max. Content Length | Servers and Sites > Security |
| com.iplanet.services.configpath | Base Installation Directory | Servers and Sites > General |
| com.iplanet.services.debug.directory | Debug Directory | Servers and Sites > General |
| com.iplanet.services.debug.level | Debug Level | Servers and Sites > General |
| com.iplanet.services.stats.directory | Directory | Servers and Sites > General |
| com.iplanet.services.stats.state | State | Servers and Sites > Session |
| com.sun.am.event.connection.disable.list | Disabled Event Service Connection | Servers and Sites > SDK |
| com.sun.am.session.caseInsensitiveDN | Case Insensitive Client DN Comparison | Servers and Sites > Session |
| com.sun.am.session.enableHostLookUp | Enable Host Lookup | Servers and Sites > Session |
| com.sun.identity.saml.xmlsig.certalias | Certificate Alias | Servers and Sites > Security |
| com.sun.identity.saml.xmlsig.keypass | Private Key Password File | Servers and Sites > Security |
| com.sun.identity.saml.xmlsig.keystore | Keystore File | Servers and Sites > Security |
| com.sun.identity.saml.xmlsig.storepass | Keystore Password File | Servers and Sites > Security |
| com.sun.identity.sm.ldap.enableProxy | Enable Directory Proxy | Servers and Sites > SDK |
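A small audit script, added here as an example and not part of the OpenSSO documentation: it parses a legacy AMConfig.properties file, reports which of the Table 7–1 properties the file still carries (those are console-managed now, so a stale file value is easy to overlook), and flags security-relevant keys from the property list above whose value differs from an assumed hardening baseline. The baseline values and the sample file are this example's own constructions, not product defaults.

```python
"""Audit a legacy AMConfig.properties for Servers and Sites settings.
Added example, not from the OpenSSO documentation. Keys come from the
property list and Table 7-1; baseline values are this example's assumption."""
import re

# Property -> console attribute name, a subset of Table 7-1.
CONSOLE_MANAGED = {
    "com.iplanet.am.cookie.name": "Cookie Name",
    "com.iplanet.am.cookie.secure": "Secure Cookie",
    "com.iplanet.am.clientIPCheckEnabled": "Client IP Address Check",
}

# Assumed hardening baseline (example's choice): value expected for each key.
BASELINE = {
    "com.iplanet.am.cookie.secure": "true",
    "com.iplanet.am.clientIPCheckEnabled": "true",
    "com.sun.identity.session.repository.enableEncryption": "true",
    "com.sun.identity.authentication.ocspCheck": "true",
}

def parse_properties(text):
    """Minimal java.util.Properties parser: key=value or key: value, # / ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text):
    """Return ({key: console attribute} found, [(key, actual, expected)] deviating)."""
    props = parse_properties(text)
    managed = {k: CONSOLE_MANAGED[k] for k in props if k in CONSOLE_MANAGED}
    findings = [(k, props.get(k, "missing"), v) for k, v in BASELINE.items()
                if props.get(k, "").lower() != v]
    return managed, findings

# Constructed sample file, not from a real deployment.
SAMPLE = """# AMConfig.properties (constructed)
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.iplanet.am.cookie.secure=false
com.iplanet.am.clientIPCheckEnabled : TRUE
com.sun.identity.session.repository.enableEncryption=false
"""

if __name__ == "__main__":
    for key, actual, expected in audit(SAMPLE)[1]:
        print(f"WEAK: {key}={actual} (expected {expected})")
```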