Oracle® Access Manager Customization Guide
10g (10.1.4.2.0)

Part Number E10354-01

B Oracle Access Manager Parameter Files

Oracle Access Manager provides a simple means for users to modify the way it operates, by changing the content of specified parameter files, also called catalog files. This appendix describes the file format, provides a list of the files, and describes values within them that you can change to customize Oracle Access Manager system operation.

B.1 File Categories and Locations

All of the parameter files are located relative to the Identity System or Access System installation directory, which could be, for example:

On Windows:

c:\OAM\identity\oblix

or

c:\OAM\access\oblix

On Unix:

/var/OAM/identity/oblix

or

/var/OAM/access/oblix

At times this manual refers to the installation directory as the component_install_dir.

Note:

The remainder of this discussion will refer to paths relative to the installation directory, and will use the path separator / . This is to aid readability; it also happens to be the correct syntax for UNIX systems and URLs, as well as relative paths for external references within XML and other files. When referring to file paths on disk, Windows users should replace / with \ as necessary.

The parameter files can be viewed as belonging to one of several categories, distinguished by the type of parameters they contain:

Parameters that control each category in the previous list reside in one of the following files:

Administrative Parameters

apps/admin/bin/objservcenteradminparams.xml

apps/admin/bin/frontpageadminparams.xml

User Parameters

apps/userservcenter/bin/userservcenterparams.xml

apps/userservcenter/bin/usc_wf_params.xml

apps/groupservcenter/bin/groupservcenterparams.xml

apps/groupservcenter/bin/gscaclparams.xml

apps/groupservcenter/bin/gsc_wf_params.xml

apps/objservcenter/bin/objservcenterparams.xml

apps/objservcenter/bin/osc_wf_params.xml

apps/asynch/bin/asynchparams.xml

apps/querybuilder/bin/querybuilderparams.xml

apps/selector/bin/selectorparams.xml

Common Parameters

apps/common/bin/globalparams.xml

apps/common/bin/oblixadminparams.xml

apps/common/bin/oblixappparams.xml

apps/common/bin/oblixbaseparams.xml

apps/common/bin/comm_serverparams.xml

Directory Interaction Parameters

data/common/appdbparams.xml

data/common/configdbparams.xml

data/common/userdbparams.xml

data/common/groupdbparams.xml

data/common/objectdbparams.xml

data/common/workflowdbparams.xml

data/common/ldapappdbparams.xml

data/common/ldapconfigdbparams.xml

data/common/basedbparams.xml

data.ldap/common/ldapreferentialintegrityparams.xml

Oracle Access Manager Multi-tier Architecture Parameters

apps/webpass/bin/webpass.xml

B.2 Modifications to Parameter Files

The parameter files are read once, when the Identity System or Access System starts up. You can modify the parameter files in-place using a text editor or an XML editor. The changes will not take effect until the next time the Identity or Access Server starts up.

It is always a good idea to make a backup copy of all the files before you edit them so that you have a known state to roll back to if you make a mistake.

The parameter files are not validated by Oracle Access Manager. If you see unexpected behavior after making changes, check the Identity System log files located under IdentityServer_install_dir/identity/oblix/logs for error messages that might help you locate the problem. When editing XML files it is relatively easy to break the XML syntax, for instance by omitting a closing tag. Oracle recommends that you use an XML editor instead of a conventional text editor.

If more than one Identity or Access Server is installed, a set of catalog files will have been installed under the component_install_dir of each server instance. If you want your changes to affect all installed servers, propagate the changes to all instances.

B.3 Precedence Rules

Some parameters exist in more than one file. When this occurs, Oracle Access Manager resolves the value using the following heuristics. In all cases, the search stops as soon as the parameter is found:

  1. User Application Parameters

    The application-specific parameter file (under the application directory for User Manager, Group Manager, and so on), is searched first.

    Then, the oblixappparams.xml file is searched.

    Then, the oblixbaseparams.xml file is searched.

  2. Admin Application Parameters

    The set of application-specific administration parameter files (User Manager Admin, Group Manager Admin, and so on) are searched first.

    Then, the oblixadminparams.xml file is searched.

    Then, the oblixbaseparams.xml file is searched.

  3. Directory (DB) Parameters

    The set of parameter files specific to the DB (ldapuserdbparams, and so on) are searched first.

    Then, the default DB parameter files (userdbparams.xml, appdbparams.xml, and so on) are searched.

    Then, the basedbparams.xml file is searched.
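
The search order above, sketched as an added example (not Oracle code): it resolves a SimpleList parameter through the user-application chain for User Manager and also lists later files whose definition is never reached. The catalog contents, the values 1 and 3, and the name hypothetical_base_param are constructed for illustration; the NameValPair layout is the one shown in B.4.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.oblix.com}"

# Rule 1 (User Application Parameters), with User Manager as the application.
USER_APP_CHAIN = [
    "apps/userservcenter/bin/userservcenterparams.xml",
    "apps/common/bin/oblixappparams.xml",
    "apps/common/bin/oblixbaseparams.xml",
]

# Constructed sample catalogs (not real installed files), keyed by relative path.
CATALOGS = {
    USER_APP_CHAIN[0]: """
<ParamsCtlg xmlns="http://www.oblix.com" CtlgName="userservcenterparams">
  <CompoundList ListName="">
    <SimpleList>
      <NameValPair ParamName="navbar_bgcolor" Value="#669966" />
      <NameValPair ParamName="searchStringMinimumLength" Value="1" />
    </SimpleList>
  </CompoundList>
</ParamsCtlg>""",
    USER_APP_CHAIN[1]: """
<ParamsCtlg xmlns="http://www.oblix.com" CtlgName="oblixappparams">
  <CompoundList ListName="">
    <SimpleList>
      <NameValPair ParamName="searchStringMinimumLength" Value="3" />
    </SimpleList>
  </CompoundList>
</ParamsCtlg>""",
    USER_APP_CHAIN[2]: """
<ParamsCtlg xmlns="http://www.oblix.com" CtlgName="oblixbaseparams">
  <CompoundList ListName="">
    <SimpleList>
      <NameValPair ParamName="hypothetical_base_param" Value="x" />
    </SimpleList>
  </CompoundList>
</ParamsCtlg>""",
}


def lookup(xml_text, name):
    """Return the Value of the SimpleList parameter `name`, or None."""
    root = ET.fromstring(xml_text)
    for simple in root.iter(NS + "SimpleList"):
        for pair in simple.findall(NS + "NameValPair"):
            if pair.get("ParamName") == name:
                return pair.get("Value")
    return None


def resolve(name, chain, catalogs):
    """Walk the chain in order and stop at the first file defining `name`.

    Returns (value, path), or (None, None) if no file defines it.
    """
    for path in chain:
        text = catalogs.get(path)
        if text is None:
            continue  # file not present in this installation
        value = lookup(text, name)
        if value is not None:
            return value, path
    return None, None


def shadowed(name, chain, catalogs):
    """Files after the winning one that also define `name`.

    An edit made in any of these files has no effect on the resolved value.
    """
    hits = [p for p in chain
            if p in catalogs and lookup(catalogs[p], name) is not None]
    return hits[1:]


if __name__ == "__main__":
    print(resolve("searchStringMinimumLength", USER_APP_CHAIN, CATALOGS))
    print(shadowed("searchStringMinimumLength", USER_APP_CHAIN, CATALOGS))
```
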

B.4 Parameter File Format

Parameter files are expressed in XML. They have a simple structure, and make extensive use of user-friendly names to aid in working with the files.

When working with parameter files, it is essential that you limit your changes to only the text falling within quotation marks and strictly follow the rules for each kind of change.

The following excerpt is from the userservcenterparams.xml file. Methods for providing the parameter values are highlighted in bold in the following example and discussed after the example.

<?xml version="1.0" ?> 
<ParamsCtlg xmlns="http://www.oblix.com"
      CtlgName="userservcenterparams">
   <CompoundList ListName="">
      <SimpleList>
         <NameValPair ParamName="top_frame"
               Value="_top" /> 
         <NameValPair ParamName="top_main_frame"
               Value="main_frame" /> 
         <NameValPair ParamName="min_location_area"
               Value="400" /> 
      </SimpleList>
      <ValList ListName="search_result_views">
         <ValListMember Value="table_view" /> 
         <ValListMember Value="custom_view" /> 
      </ValList>
      <SimpleList>
         <NameValPair ParamName="ObEnhanceSearch"
            Value="true" /> 
      </SimpleList>
      <ValNameList ListName="ObEnhanceSearchList">
         <NameValPair ParamName="OOS"
               Value="That Contains" />
      ...
      ...
         <NameValPair ParamName="OSL"
               Value="That Sounds Like" /> 
      </ValNameList>
      <SimpleList>
         <NameValPair ParamName="navbar_bgcolor" 
               Value="#669966" /> 
      </SimpleList>
   </CompoundList>
</ParamsCtlg>

There are three methods of providing parameter values. These are shown in bold in the previous excerpt:

  1. <SimpleList>

    The SimpleList element provides a simple list of NameValPair elements giving parameter names and their values. The parameter names (ParamName) are known to the Identity Server Manager and are expected to be present. The parameter names and legal values, for this and the other methods, are provided under "Parameter Reference".

  2. <ValList ListName="search_result_views">

    The ValList element provides a list of options, such as methods of execution or a choice of display format, as a set of ValListMember elements that are available to the Identity System. The name of the method or format goes in the value attribute. These names are predefined and cannot be changed. You can enhance flexibility for the Identity System by adding a new ValListMember entry. You can reduce functionality by removing a ValListMember element. For example, if you remove the line

    <ValListMember Value="custom_view"/>

    the Identity System is no longer able to display a custom view.

    For this type of change, the Parameter Name column in the tables that follow actually shows the ListName.

  3. <ValNameList ListName="ObEnhanceSearchList">

    The ValNameList element is similar to the SimpleList element, because it provides a list of NameValPair elements. Oracle Access Manager generally uses ValNameList parameters to construct pull-down menus in the GUI. The list includes a parameter name (ParamName) and a value for the text describing it. The parameter names are predefined and cannot be changed. You may add them to the list, remove them from the list, or change the text displayed for the parameter in the GUI pull-down menu by changing the content of the value attribute.

    For example, if you remove the line

    <NameValPair ParamName="OOS" Value="That Contains" />

    OOS will no longer appear as a search option. If instead you change the line to the following

    <NameValPair ParamName="OOS" Value="That Holds" />

    OOS will be described as "That Holds" in the GUI pull-down menu.

    For this type of change, the Parameter Name column in the tables shows the ListName.
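
Because the parameter files are not validated by the product (B.2) and use only the three value forms described above, an edited file can be checked against its backup before the server is restarted. The following is an added example, not Oracle code: it parses a catalog into the three forms, reports broken XML, and lists what changed. The sample documents are constructed from the excerpt above, and nested CompoundList names are assumed to qualify the keys of the workflow parameter files.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.oblix.com}"


def _walk(node, prefix, out):
    """Collect parameters under `node`; `prefix` holds enclosing CompoundList names."""
    for child in node:
        tag = child.tag.replace(NS, "")
        if tag == "CompoundList":
            name = child.get("ListName", "")
            _walk(child, prefix + (name,) if name else prefix, out)
        elif tag == "SimpleList":
            # Method 1: plain name/value pairs.
            for pair in child.findall(NS + "NameValPair"):
                key = "/".join(prefix + (pair.get("ParamName", ""),))
                out[key] = pair.get("Value")
        elif tag == "ValList":
            # Method 2: an ordered list of enabled options.
            key = "/".join(prefix + (child.get("ListName", ""),))
            out[key] = [m.get("Value")
                        for m in child.findall(NS + "ValListMember")]
        elif tag == "ValNameList":
            # Method 3: predefined names mapped to display text.
            key = "/".join(prefix + (child.get("ListName", ""),))
            out[key] = {p.get("ParamName", ""): p.get("Value")
                        for p in child.findall(NS + "NameValPair")}


def load_catalog(xml_text):
    """Parse a ParamsCtlg document into {key: str | list | dict}.

    Raises ET.ParseError on malformed XML and ValueError on a wrong root.
    """
    root = ET.fromstring(xml_text)
    if root.tag != NS + "ParamsCtlg":
        raise ValueError("root element is not ParamsCtlg in the oblix namespace")
    out = {}
    _walk(root, (), out)
    return out


def check_edit(backup_text, edited_text):
    """Compare an edited catalog with its backup copy.

    Returns a list of (kind, key, old, new) tuples, where kind is one of
    'malformed', 'added', 'removed' or 'changed'.
    """
    try:
        new = load_catalog(edited_text)
    except (ET.ParseError, ValueError) as exc:
        return [("malformed", "", None, str(exc))]
    old = load_catalog(backup_text)
    findings = []
    for key in sorted(old.keys() | new.keys()):
        if key not in new:
            findings.append(("removed", key, old[key], None))
        elif key not in old:
            findings.append(("added", key, None, new[key]))
        elif old[key] != new[key]:
            findings.append(("changed", key, old[key], new[key]))
    return findings


# Constructed sample: the userservcenterparams.xml excerpt, elided lines left out.
BACKUP = """<ParamsCtlg xmlns="http://www.oblix.com" CtlgName="userservcenterparams">
  <CompoundList ListName="">
    <SimpleList>
      <NameValPair ParamName="top_frame" Value="_top" />
      <NameValPair ParamName="min_location_area" Value="400" />
    </SimpleList>
    <ValList ListName="search_result_views">
      <ValListMember Value="table_view" />
      <ValListMember Value="custom_view" />
    </ValList>
    <ValNameList ListName="ObEnhanceSearchList">
      <NameValPair ParamName="OOS" Value="That Contains" />
      <NameValPair ParamName="OSL" Value="That Sounds Like" />
    </ValNameList>
  </CompoundList>
</ParamsCtlg>"""

# Constructed edits: the two changes discussed above, and a dropped closing tag.
EDITED = (BACKUP
          .replace('Value="That Contains"', 'Value="That Holds"')
          .replace('<ValListMember Value="custom_view" />', ''))
BROKEN = BACKUP.replace("</ValList>", "", 1)

if __name__ == "__main__":
    for finding in check_edit(BACKUP, EDITED) + check_edit(BACKUP, BROKEN):
        print(finding)
```

The same comparison can be run between the copies of a file under each server instance's component_install_dir to find instances that a change was not propagated to.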

B.5 Parameter Reference

The following tables describe the parameters that may be present in each parameter file.

The key to the table columns is as follows:

Parameter Name: The name of the parameter. In some cases, a parameter takes a set of subordinate parameters, whose names are listed.

Description: What the parameter is used for.

Default Value: The factory default value in the file when installed.

Possible Values: Alternative values that you can enter for the parameter.

Table B-1 userservcenterparams.xml

Parameter Name Description Default Value Possible Values

min_location_area

The area allocated for the location GIF. This depends on each customer's location image.

400

A positive integer

navbar_bgcolor

The background color for the application navigation bar. This is the value in the obbgcolor attribute of the ObNavbar element.

#669966

Any RGB value

ObEnhanceSearch

Enables extended search user interface and functionality.

true

true

false

ObEnhanceSearchList

If the ObEnhanceSearch parameter is set to true, the search page displays a list of search operators. This list is constructed using the ObEnhanceSearchList parameter. The list contains a set of NameValPair elements. The following are the supported ParamName (Value) attribute pairs for all applications:

OOS (That Contains)

OSM (Contains in Order)

OEM (=)

OLE (<=)

OGE (>=)

OBW (That Begins With)

OEW (That Ends With)

OSL (That Sounds Like)

The value text in parentheses describes the semantics of each value, and is also the default text displayed to the user in the list. You can change the display text in the catalog. In the user interface the ParamName, Oxx, is not displayed. It is an operation code sent to the application doing the search.

See the description

All applications:

OOS

OSM

OEM

OLE

OGE

OBW

OEW

OSL

search_result_views

Display format for User Manager search results. User Manager supports table format and custom format.

table_view

custom_view

table_view

custom_view

searchStringMinimumLength

The minimum number of characters that the user must provide to perform a search operation.

Note: This parameter does not appear in the installed version of this file. If you add this parameter, it applies only to the User Manager.

0

0

Or any positive integer

top_frame

Name of the top browser frame in the User Manager.

_top

A frame name

top_main_frame

Name of the main browser frame in the User Manager.

main_frame

A frame name


Table B-2 groupservcenterparams.xml

Parameter Name Description Default Value Possible Values

groupMemberSearchStringMinimumLength

The minimum length of the search string that the user must enter to do a member search. This is used only in the Group Manager View Members page, where the user can search for members using specific search criteria.

A value of 0 enables the user to do a blank search where the application displays all the members of the group.

If this parameter has any other value, then the user can only do a search if the search string has at least that many characters.

0

Any positive integer, including zero

navbar_bgcolor

The background color for application navigation bar. The value is presented in the obbgcolor attribute of the ObNavbar element.

#9999CC

Any RGB value

ObEnhanceSearchList

This parameter controls the list of search conditions in the Search toolbar. The name is a search condition understood by the application. The value is a display name that appears in the selection menu.

OOS (That Contains)

OSM (Contains in Order)

OEM (=)

OLE (<=)

OGE (>=)

OBW (That Begins With)

OEW (That Ends With)

OSL (That Sounds Like)

See the description

OOS

OSM

OEM

OLE

OGE

OBW

OEW

OSL

search_result_views

When a search is performed in Organization Manager these are the possible display format(s) for the results. Any combination of these values is allowed. The absence of any one of these values disables that search result's view format.

table_view

custom_view

table_view

custom_view

searchStringMinimumLength

The minimum number of characters that the user must provide as the basis for a search. This overrides, for Organization Manager only, the value provided in the oblixappparams.xml file.

Note: This parameter does not appear in the installed version of this file. If you add this parameter, the value applies only to Group Manager.

0

Any positive, non-zero integer


Table B-3 objservcenterparams.xml

Parameter Name Description Default Value Possible Values

navbar_bgcolor

The background color for application navigation bar. The value is presented in the obbgcolor attribute of ObNavbar element.

#FFCC00

Any RGB value

ObEnhanceSearchList

A list of search conditions in the search toolbar. The name is a search condition understood by the application. The value in parentheses is displayed on the selection menu, as follows:

OOS (That Contains)

OSM (Contains in Order)

OEM (=)

OLE (<=)

OGE (>=)

OBW (That Begins With)

OEW (That Ends With)

OSL (That Sounds Like)

See the description

See the description

search_result_views

When a search is performed in Organization Manager these are the possible display format(s) for the results. Any combination of these values is allowed. The absence of any one of them disables that search results view format.

table_view

custom_view

table_view

custom_view

searchStringMinimumLength

The minimum number of characters that the user must provide as the basis for a search. This overrides, for Organization Manager only, the value provided in the oblixappparams.xml file.

Note: This parameter does not appear in the installed version of this file. If you add it, the value applies only to Organization Manager.

0

Any positive, non-zero integer


Table B-4 gsc_wf_params.xml, osc_wf_params.xml, usc_wf_params.xml

Parameter Name Description Default Value Possible Values

A compound list for a workflow type

This compound list contains detailed parameters for each of the workflow types shown in the Possible Values column. Under each workflow type there appears a set of actions compound lists, as explained in the next parameter in this table.

None

CREATE_OBJECT

DELETE_OBJECT

CHANGE_ATTRIBUTE

Actions compound list

The compound list for a workflow type contains one action compound list for each valid action for that workflow type.

For example: CREATE_OBJECT will have compound lists for the following actions:

initiate, self_registration, provide_info, approval, provide_approval, activate, commit, external_action, error_report.

Under each of these there is a set of parameters and values, as described in the rest of this table.

None

initiate

self_registration

request

provide_info

change_info

approval

provide_approval

change_approval

activate

deactivate

commit

error_report

external_action

archiveFileName

File name of the archive file.

None

Correct file name

deactivate archiveFileName

File name of the deactivated users archive file.

None

Correct file name

exclude_attrs

Excludes one or more attributes from showing up in relevant data.

None

Attribute name in the schema. For SecureWay, gsc_wf_params.xml is replaced by gsc_wf_params-sw.xml during setup. obgrouppuredynamic is excluded in CREATE_OBJECT.

exit_condition

A ValNameList which defines the two parameters:

false

true

None

0 and 1, respectively

forcecommit

Flag indicating whether the entry should be committed before the user action for this action, for example: activate, deactivate.

false

true

false

Notifee

A ValList for which the member values may be any of the items in the Possible Values column. These are allowed roles for the person to be notified.

None

dns

ob_self

previous step owner

current step participants

next step participants

initiator

occurrence

Allowed number of occurrences for each action.

None

1

n

Participant

A ValList for which the member values may be any of the items in the Possible Values column. These are allowed roles for the participant.

None

ob_any

dns

ob_self

pre_action

A ValList, which is a list of possible actions that may occur before this one.

None

any action name.

relevant_data

A ValList for which the member values may be any of the items in the Possible Values column. These are possible types of relevant data for this action.

None

required

provisioned

optional

subscription_policies

A ValList for which the member values may be any of the items in the Possible Values column. These are a set of allowed subscription policies.

None

SubscriptionPolicyOpen

SubscriptionPolicyOpenFilter

SubscriptionPolicyControlledWorkflow

SubscriptionPolicyClosed

useraction

A flag that indicates if a user action is required for a particular action. For example, the provide_info, approval, and activate actions will have the useraction flag set to true. Commit and external_action would have useraction as false.

None

false

true

wf_name

A compound list of names for the different workflow types. These names should be easy for users to recognize.

None

Can be any meaningful string for the workflow type

wfDateFormat

Workflow date formats.

None

2 (mm/dd/yyyy)

3 (dd/mm/yyyy)

4 (dd/mm/yyyy)

5 (mm/dd/yyyy)

wfDateSeparator

A single character used to separate the YMD parts of a date provided in wfDateFormat. If the parameter file does not specify a character for this parameter, the default is used.

/ (slash)

/ (slash)

- (hyphen)

. (period)

, (comma)

(space)

initialStep

Signals if a step with that action can be the first step for that particular type of workflow.

You cannot add to the set of permitted first steps, however you can remove items from this set of steps on a per-workflow-type basis. For example, you cannot make the commit step the first step by setting its initialStep parameter to true. However, for a step that is permitted as a first step, you can set its initialStep parameter to false.

Note: Oracle does not recommend that you change the values for these parameters.

false

true

false


Table B-5 asynchparams.xml

| Parameter Name | Description | Default Value | Possible Values |
|---|---|---|---|
| asynch_user | The DN of a user who is allowed to do asynchronous operations. | none | Any valid user DN |
| mailer_sleep_time | Duration for which the mailer goes to sleep, then wakes up to send the pending mail. | 10 | Any positive integer value, in seconds |
| queuewaittime | Queue wait time for the global mail queue. | 10 | Any positive integer value, in milliseconds |


Table B-6 querybuilderparams.xml

Parameter Name Description Default Value Possible Values

navbar_bgcolor

This is used to set the background color of the navigation bar in Query Builder.

#CC6666

Any RGB value

ObQBOperatorsList

List of search conditions in the Query Builder filter toolbar.

CND_EQ "Equals"

CND_NEQ "Does not equal"

CND_LTE "Greater than equal to"

CND_GTE "Less than/equal to"

CND_LT "Less than"

CND_GT "Greater than"

CND_CON "Contains"

CND_DNC "Does not Contain"

CND_PRE "Present"

CND_NPR "Not Present"

CND_BW "Begins With"

CND_EW "Ends With"

CND_DBW "Does not begin with"

CND_DEW "Does not end with"

CND_SLK "Sounds Like"

CND_DSLK "Does not sound like"

As listed under Description

As listed under Description


Table B-7 selectorparams.xml

Parameter Name Description Default Value Possible Values

navbar_bgcolor

This is used to set the background color of the navigation bar in the Selector.

"#CC6666"

Any RGB value

ObEnhanceSearchList

List of search conditions in the Search toolbar. The value is the search condition display name that appears in the selection menu that is used by the application.

OOS: That Contains

OSM: Contains In Order

OEM: Equal to

OLE: Less than or equal to(<=)

OGE: Greater than or equal to(>=)

OBW: That Begins With

OEW: That Ends With

OSL: That Sounds Like

The same, plus:

ONE: Not equal to (!=)


Table B-8 frontpageadminparams.xml

| Parameter Name | Description | Default Value | Possible Values |
|---|---|---|---|
| min_location_area | The area allocated for the location GIF. This depends on each customer's location image. | 400 | A positive integer |
| top_frame | Name of the top frame in the User Manager application. | _top | A frame name |
| top_main_frame | Name of the main frame in the User Manager application. | main_frame | A frame name |


Table B-9 globalparams.xml

Parameter Name Description Default Value Possible Values

authUserLocation

Position of the authuser variable in the request. Netscape places the authuser variable in the variable section of the request, while SiteMinder places it in the request headers.

headers

Auth user location in the request, for example,

vars (for Netscape)

headers (for SiteMinder)

ActiveDirectory

The value of this parameter is true if the Master Administrator selects Active Directory as the directory server type during Identity Server configuration, false otherwise.

None

true

false

backslashReturnedAs

The escaped string representation of the '\' character as returned by the directory. This is used in context of the ObDPostalAddress display type. Since '$' is the delimiter in a postal address string, some directory servers return it in escaped format. In order to distinguish between a \ in an escaped string versus an actual \ in the value, the \ in the value is returned in an escaped format. For example, NDS returns it as "\\", Netscape returns it as "\5c".

Note: When a '\' is part of the attribute value itself, it should be escaped and sent as "\5c" as discussed in RFC 2252.

\5c

\5c or \\ and so on

browserNoCache

If this parameter is set to true (the default), the browser does not cache the page. If it is set to false, the browser caches the page. You can set this value in the globalparams.xml file, or you can pass it on the URL.

true

true

false

BypassAccessControlForDirAdmin

Indicates whether the attribute access control should be bypassed for directory administrators.

true

true

false

client_request_retry_attempts

When you configure a WebPass, in the Identity Server Timeout Threshold field, you specify how long (in seconds) the WebPass attempts to contact a non-responsive Identity Server before it considers it unreachable and attempts to contact another server. However if the Identity Server takes longer to service a request than the value of the timeout threshold, the WebPass continues to try to contact the Identity Server with the request. This parameter enables you to set a limit on the number of retries that the WebPass attempts.

-1

An integer. The default of -1 means that an unlimited number of retries are possible.

compound_data_threshold

In the directory schema, the obcompounddata attribute stores multivalued data in XML format. Some directories restrict the size of attribute values. In cases where obcompounddata overflows, you can chunk the obcompounddata value and store it as a multivalued attribute. The default chunk size and threshold value for when the data can be chunked can be specified on this parameter.

-1

The default of -1 means no chunking is done. The value can be any positive integer value, depending on the directory

cookieDomain

The domain that is used when setting a cookie. The default is the computer name. This is usually used if you have set up something like DNS round-robin for better performance or server failover.

""

"" or, for example, oracle.com

cookieSeperator

Cookie delimiter used for compacting the various cookies.

Do not change the # value.

#

Do not change

#

Do not change

cookieSizeLimit

Maximum cookie size.

4096

Integer value = 4096

DBAuditRetryInterval

The interval at which an attempt is made to restore broken connections to the database. Increasing this parameter lessens the risk of thrashing due to failed write attempts.

600

Integer value, in seconds

DBAuditTruncateDataToColLength

During database auditing, data must be truncated for insert operations to work on SQL Server and the Oracle database. This parameter decides the limit for truncation.

For Oracle Access Manager 7.0.x, if set to false, audit data is truncated at 255 characters.

For Oracle Access Manager 10.1.4.0.1, if set to false, audit data is truncated to 255 characters for the Oracle database and 170 characters for the SQL Server database.

For all releases, if set to true, audit data is truncated to the length of the column in the audit schema.

false

true

false

Note: For an Oracle database with an OCI connection type, set the value to false. Truncation to the length of the column is not supported for the OCI connection type. When an OCI connection type is used, the size limit is 255 characters.

disable_native_deactivate

If the directory is Active Directory, NDS, or iPlanet5, when a user is deactivated, the application uses a directory-native deactivate feature to disable the account. This feature is enabled by default.

true

true

false

dollarReturnedAs

The escaped string representation of the "$" character as returned by the directory server. This is used in context of the ObDPostalAddress display type. Since "$" is the delimiter in a postal address string, some directory servers return it in escaped format. For example, NDS returns it as "\$", Netscape returns it as "\24". Note that when a '$' is part of the attribute value itself, it should be escaped and sent as "\24" as discussed in RFC 2252.

\24

\24

\$

and so on

excludeOCsForTreeInApplet

This parameter specifies the list of object classes whose objects are excluded from display in the Identity System. For example, if you remove the group object class item from the list, the group objects will be visible in the Identity System applications.

By default, the Identity System does not display every object and attribute in the directory. This parameter enables you to expose object classes in the Identity System applications that would otherwise be hidden.

directory-dependent

directory-dependent

exclusiveAutnCheckout

If a directory server does not support concurrent binds on the same LDAP connection, this parameter ensures that the binds are serialized on the connection. This ensures that multiple connections can be established and that the load is balanced on these connections.

This value is set to true for NDS and cannot be changed. NDS does not support concurrent binds on a single LDAP connection. For any other directory that does not support concurrent binds on a single LDAP connection, you must add this parameter with a value of true to the globalparams file.

true

true

false

ExcludeOCsForTreeInApplet

When there are many users under the same parent node, the performance of the user interface control (a Java applet) that enables you to graphically expand the node is adversely affected. This parameter enables you to specify a list of object classes for which expansion should not be performed.

inetOrgPerson

Object classes that the customer wants to exclude

formZeroThreshold

This parameter controls the space that Oracle Access Manager allocates to a buffer.

1000

Integer

heartbeat_ldap_connection_timeout_in_millis

Used in configuring directory server failover. Specifies the amount of time Identity and Access Servers wait to establish a connection with the directory server. If a connection with the directory server is not established within this time, the Identity and Access Servers assume that the directory is down or not reachable, and the servers start establishing connections with the other directory servers. See the section on failover in the Oracle Access Manager Deployment Guide for details.

4000

A positive integer, in milliseconds

-1: Wait for the duration of the platform's connection timeout. If in this time a connection is not established, assume that the directory is down and start establishing connections with another directory server.

heartbeat_enabled

Indicates if the Identity and Access Servers should proactively identify when a directory server is down. Oracle recommends that you enable this function. Note that if your network is slow and heartbeat_ldap_connection_timeout_in_millis is set to a low value (for example, 10 milliseconds), the heartbeat mechanism can give an incorrect indication that the directory is unreachable when it is up and working. See the section on failover in the Oracle Access Manager Deployment Guide for details.

true

true

false

HTML_Message_End_Tag

HTML support for message catalog changes. HTML_Message_End_Tag is the configurable end tag.

<StopHTML>

Any valid HTML tag

HTML_Message_Start_Tag

HTML support for Message Catalog changes. HTML_Message_Start_Tag is the configurable start tag.

<StartHTML>

Any valid HTML tag

IsADSIEnabled

If using ADSI instead of LDAP to connect to Active Directory, this parameter is set to true.

None

true

false

IsBackwardCompatible

The IsBackwardCompatible flag in the globalparams.xml file for the Access Server enables older WebGates to talk to the new Access Server. During the upgrade of the Access Server, this flag is set to true. This flag is set to false by default. If you upgrade all of your WebGates, you can reset this parameter to false.

false

true

false

LargeStaticGroups

In the Identity System, operations on large static groups, for example, groups with over 10,000 members, can cause memory to spike.

If a static group is too large, you can modify the method used to evaluate the group. Note that if you configure the LargeStaticGroups parameter, you must make corresponding changes in the Identity System to ensure that subgroups of this group are searched and evaluated as intended. Generally, you must include these subgroups directly in all search bases, workflow targets, and so on that reference the parent group. See the chapter on performance tuning in the Oracle Access Manager Deployment Guide for details.

None

The DN of the group. Multiple entries are permitted. The following is an example:

<ValList xmlns="http://www.oblix.com" ListName="LargeStaticGroups">
   <ValListMember Value="cn=testgroup, o=mycompany, c=us">
   </ValListMember>
</ValList>
<ValList xmlns="http://www.oblix.com" ListName="LargeStaticGroups">
   <ValListMember Value="cn=testgroup2, o=mycompany, c=us">
   </ValListMember>
</ValList>

LDAPMaxNoOfRetries

This parameter limits the number of times that the Identity Server, Access Server, or Policy Manager can retry a query to a directory server.

This parameter provides a safeguard for when the value of the LDAPOperationTimeout parameter is too low. If the directory server is working, but the Oracle Access Manager component acts as if it is down, the component can go into an infinite loop of switching between failover directory servers. In this case, the operation never returns to the component that made the request.

This parameter applies to each query independently of other queries involved in processing a request.

0

Indicates that the number of retries is the total number of primary and secondary directory servers that you have configured to communicate with the component.

-1, 0, or any positive whole number.

-1 indicates an infinite number of retries. Oracle recommends that you set the value to be greater than the number of directory servers that communicate with the Oracle Access Manager component. This ensures that at least one attempt is made to connect to each configured directory server.

LDAPOperationTimeout

This parameter sets an amount of time that the Identity Server, Access Server, or Policy Manager waits for a response from the directory server before failing over to a secondary directory server, if one is configured.

When processing a single user request, Oracle Access Manager components may issue multiple LDAP queries. The LDAPOperationTimeout parameter applies to each query independently of other queries involved in processing the same request. For example, this parameter sets the time that the component waits for a response from the directory server for a single entry of a search result.

You configure the time to wait for all search result entries using the Time Limit parameter in the directory profile. See the Oracle Access Manager Administration Guide for details.

Default value: -1. This value enables the directory server to determine the time to spend on the request.

Warning: If the directory server hangs, this default causes Oracle Access Manager to hang, too.

See the chapter on failover in the Oracle Access Manager Deployment Guide for details.

Possible values: A positive number that indicates a time in milliseconds.

A value of -1 gives control to the directory server.

Base the value on the amount of data in the directory server, network latency, whether SSL is configured, and so on. A value that is too low can result in an infinite loop, where operational directory servers do not have adequate time to return a result.

See the chapter on failover in the Oracle Access Manager Deployment Guide for details.

ListOfSupportedDS

This parameter lists all the supported data stores:

  • OID—Oracle Internet Directory

  • IPLANET5—Sun Directory Server 5.x

  • Novell—Novell Directory Services (NDS eDirectory)

  • MSAD—Microsoft Active Directory

  • MSADAM—Microsoft Active Directory Application Mode

  • DIRX—Siemens DirX

  • IBMSWAY—IBM Directory Server

  • DataAnywhere—Data Anywhere

Default value: NCSP4, Novell, MSAD

Possible values: See the description

locale_params

This parameter contains all the necessary input information for running Oracle Access Manager in different locale modes. charset is the character set, language is the current language, and doUtfConversion indicates whether to perform UTF conversion.

Default value:

charset: iso-8859-1

language: En_US

doUtfConversion: NO

Possible values:

charset: Any valid character set

language: Any valid language

doUtfConversion: NO or YES

logRequestUrl

If logRequestUrl is set to true, a URL is set to log requests. It is used by WebPass.

Default value: false

Possible values: true, false

maxDBAgentCacheSize

Defines the directory agent cache size.

Default value: 2000

Possible values: Any positive integer

maxForRangedMemberRetrieval

This parameter must be set to retrieve members from groups that have a large number of static members. This parameter is used for Active Directory 2000 and Active Directory 2003.

Default value: 1000

Possible values: The default value is 1000, which is appropriate for Active Directory 2000. For Active Directory 2003, set this value to 1500.

MigrateUserDataTo1014

With Release 10.1.4 Patchset 1 (10.1.4.2.0) a new parameter in the globalparams.xml, MigrateUserDataTo1014, is used by the Identity Server and Access Server during a user's first login.

See the Oracle Access Manager Administration Guide for details on Lost Password Management and the Oracle Access Manager Upgrade Guide for details on the in-place component upgrade and zero downtime upgrade.

If you upgrade from an earlier release using the zero downtime upgrade method, the result is a 10.1.4.2.0 instance and the value is false by default.

If you upgrade from an earlier release using the in-place component method, and then apply Release 10.1.4 Patchset 1 (10.1.4.2.0), the result is a 10g (10.1.4.0.1) instance and the value is true by default.

If you install 10g (10.1.4.0.1) and then apply Release 10.1.4 Patchset 1 (10.1.4.2.0), the value is true by default.

Possible values: true, false

nsAuthUser

Name of the authentication user variable for a Netscape or IIS Web server.

Default value: HTTP_OBLIX_UID

Possible values: Authentication user variable name. For example, auth-user (for Netscape) or SM_USER (for Siteminder).

oisClientTimeoutThreshold

How long (in seconds) an Identity Server attempts to contact another Identity Server before it considers it unreachable, in which case an error is logged.

Identity Servers communicate with one another primarily for cache flush requests. When a cache is updated on one server, that server tells the other servers to update their caches. The timeout for asynchronous cache flush requests is configured on this parameter.

Default value: 60

Possible values: An integer, representing the number of seconds.

Absence of this parameter or a value of -1 indicates synchronous cache flushing.

OutputFormat

Request an output format, for use with PresentationXML.

To override the default value for this parameter, include the format parameter in the Presentation XML request.

Default value: default

Possible values:

default: Combine the XML and stylesheet at the server (server side processing).

xml: Send the XML and the stylesheet to the browser (client side processing). You cannot override this in the Presentation XML request.

PortalIdCache

PortalIdCache defines information that controls portalId caching.

PortalIdCache.maxNumElems indicates the maximum number of portal IDs to be cached.

PortalIdCache.timeout sets the timeout of the portal Id cache refresh.

PortalIdCache.disabled indicates whether to disable or enable the Portal ID cache.

Default value:

PortalIdCache.maxNumElems: 250

PortalIdCache.timeout: 0

PortalIdCache.disabled: false

Possible values:

PortalIdCache.maxNumElems: Integer

PortalIdCache.timeout: Time in seconds

PortalIdCache.disabled: false or true

ResourceFilterSearchScope

The level of scope of search on a given searchbase.

Default value: 1

Possible values: 1 indicates 1 level down, to as many levels as exist. Entry of any other value uses the default value (1).

samAccountNameLength

The number of characters permitted in a Security Access Manager account name. This parameter applies to installations that run Active Directory in mixed mode (not native mode).

Increase the default value if you are running in native mode.

Default value: 20

Possible values: An integer.

sendMailNotificationEnabled

Enables or disables notification events in workflow, attribute change, and container limit events. The flag has no effect on bug or feedback emails since these are routed through the user's email client.

Default value: false

Possible values: true, false

SQLDBType

Identifies the type of database used for auditing.

Default value: SQLServer

Possible values:

SQLServer: Indicates a SQL Server database.

Oracle: Indicates an Oracle Database that uses an ODBC connection type.

Oracle_OCI: Indicates an Oracle Database that uses an OCI connection type.

StringStack

Controls the amount of space that the Oracle XML Developer's Kit can use for XSL transformation of the Identity stylesheets. A value of at least 512 is required. For complex stylesheets, the transformation engine can run out of space, and the Identity Server can exit. You can set this parameter to a higher value for complex stylesheets.

Default value: 512

Possible values: An integer value, in KB. Minimum value: 512.

TimeToWaitForServiceThreads

A thread that wants to flush the osd and config db caches needs to wait for all other service threads to complete before flushing. This value is the maximum time the flush thread should wait, in seconds, before flushing. If all service threads complete before this time, then the flush thread will stop waiting and start flushing.

Default value: 60

Possible values: Integer value greater than or equal to zero.

Zero is legal but not a good idea; setting this value too low could lead to SEGV crashes.

TurnOffNestedGroupEvaluation

This parameter only applies to the Access Server.

There are three types of groups in a directory:

  • Static groups have a list of members

  • Dynamic groups are defined by a filter

  • Nested groups consist of one or more static, dynamic, or nested groups

This parameter enables or disables the evaluation of nested groups in the directory. It applies to authentication and authorization actions that use the obmygroups parameter and to groups that are assigned to Allow Access and Deny Access conditions in authorization schemes.

The default value of false means that nested group evaluation is enabled.

When set to true, nested group evaluation is disabled.

If you do not use nested groups in your directory, you can set the value of this parameter to true to enhance system performance.

Default value: false

Possible values: true, false

UidInfoCache

This parameter contains information about uid caching. When configuring this parameter, to optimize group performance in the Identity System, set the maximum number of elements to double the number of user entries in the directory server.

UidInfoCache.maxNumElems — indicates the max number of uid to be cached.

UidInfoCache.timeout — sets the time out of the uid cache.

UidInfoCache.disabled — indicates whether to disable or enable the Uid info cache.

Default value:

UidInfoCache.maxNumElems: 50000

UidInfoCache.timeout: 0

UidInfoCache.disabled: false

Possible values:

UidInfoCache.maxNumElems: An integer. The default is 50000, which represents 50 KB.

UidInfoCache.timeout: Time in seconds

UidInfoCache.disabled: false or true

UseLDAPForAuthentication

In a pure ADSI environment, if this flag is enabled, Oracle Access Manager will use LDAP for authentication calls. All other operations would go through ADSI.

Default value: None

Possible values: true, false

whichAttrIsLogin

This parameter indicates which directory attribute is used to log into Oracle Access Manager.

Default value: HTTP_OBLIX_LOGIN_VAR

Possible values: Any directory attribute or HTTP_OBLIX_LOGIN_VAR

whichVarIsOblixLang

This parameter specifies the name of the header variable that specifies the language of the request.

Default value: HTTP_OBLIX_LANGUAGE

Possible values: Header variable name

whichVarIsAcceptLang

This parameter specifies the name of the header variable in the user's browser that specifies the language of the request.

Default value: Accept-Language

Possible values: Header variable name

whichVarIsUserType

Name of the HTTP header variable containing user type information. The value must correspond to obnavigation.xml. This is additional support of navigation if the usertype parameter is not in the URL, mainly for single sign-on.

Default value: HTTP_OBLIX_USER_TYPE

Possible values: HTTP header variable name

XMLStructureCache

This cache stores in memory the static portion of each XML document.

XMLStructureCache.maxNumElems: Maximum number of elements to be stored in the cache (integer).

XMLStructureCache.timeout: Number of seconds that an element remains in the cache. If this value is 0, then elements are never timed out of the cache.

XMLStructureCache.disabled: If this argument is set to "true", the cache is disabled.

Default value:

XMLStructureCache.maxNumElems: 20

XMLStructureCache.timeout: 0

XMLStructureCache.disabled: false

Possible values:

XMLStructureCache.maxNumElems: Any integer

XMLStructureCache.timeout: Any valid seconds

XMLStructureCache.disabled: false or true

XSLProcessor

When using IdentityXML, the XSLProcessor parameter indicates the processor to use when generating the page.

Note that the default value is the only officially supported value. This value indicates that the XDK processor should be used. The other processor types should be used only in non-production environments for testing XSL processor issues.

Default value: default

Possible values: default, XALAN, DGXT

XSLstylesheetCacheSize

Controls the maximum number of stylesheets to hold in the cache. A cached stylesheet is in a binary form that can be used immediately in an XSL transformation to generate a requested page. If the stylesheet for a requested page is not in the cache, it must be loaded from disk and processed by the XML parser before it can be used for a transformation. Caching the most frequently used pages can reduce the perceived latency. The trade-off is that cached binary stylesheets can be quite large. (Exactly how large depends on your stylesheet design.) An efficient strategy to conserve memory is to set this parameter slightly higher than the number of pages that you consider frequently used. All those stylesheets will be cached, and relatively infrequent ones can be brought into cache without flushing the common ones.

Default value: 20

Possible values: Any integer greater than zero. Do not use a value less than or equal to zero. If you do, an internal test value is used; this value is not zero.

XSLstylesheetLiveUpdate

This causes the following behavior when the stylesheet for the requested page is already in the stylesheet cache:

true — Check timestamp on the top-level stylesheet file. If the file is newer, refresh the cache entry. true is convenient because you do not have to restart the server or artificially fill the cache in order to see the result of a stylesheet update.

false — Do not check the timestamp. If the stylesheet is cached, use it. In a stable system, a value of false eliminates unnecessary file system access for cached stylesheets and can result in better performance.

Default value: false

Possible values: true, false
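An added example (not Oracle's code) that checks a globalparams.xml against the caveats stated in the LDAPMaxNoOfRetries, LDAPOperationTimeout, IsBackwardCompatible, StringStack and TurnOffNestedGroupEvaluation rows of the table above. The sample file is constructed; the SimpleList/NameValPair element names, the ParamName/Value attributes and the case-insensitive reading of true are assumptions, and directory_servers is a hypothetical input that you supply.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a shipped file. The SimpleList/NameValPair elements
# and the ParamName/Value attributes are assumed names for simple parameters.
SAMPLE_GLOBALPARAMS = """\
<ParamsCtlg xmlns="http://www.oblix.com" CtlgName="globalparams">
  <SimpleList><NameValPair ParamName="LDAPOperationTimeout" Value="-1"/></SimpleList>
  <SimpleList><NameValPair ParamName="LDAPMaxNoOfRetries" Value="-1"/></SimpleList>
  <SimpleList><NameValPair ParamName="IsBackwardCompatible" Value="true"/></SimpleList>
  <SimpleList><NameValPair ParamName="TurnOffNestedGroupEvaluation" Value="true"/></SimpleList>
  <SimpleList><NameValPair ParamName="StringStack" Value="256"/></SimpleList>
</ParamsCtlg>
"""


def load_params(xml_text):
    """Return {ParamName: Value} for every NameValPair, ignoring the namespace."""
    params = {}
    for element in ET.fromstring(xml_text).iter():
        if element.tag.rsplit("}", 1)[-1] == "NameValPair":
            name = element.get("ParamName")
            if name:
                params[name] = (element.get("Value") or "").strip()
    return params


def effective_retry_limit(retries, directory_servers):
    """Per-query retry ceiling as the LDAPMaxNoOfRetries row describes it."""
    if retries == -1:
        return None  # infinite retries
    if retries == 0:
        return directory_servers  # default: all primary and secondary servers
    return retries


def audit(params, directory_servers):
    """Return (parameter, code, message) findings for the table's caveats."""
    findings = []

    def flag(name, code, message):
        findings.append((name, code, message))

    def integer(name, default):
        raw = params.get(name, str(default))
        try:
            return int(raw)
        except ValueError:
            flag(name, "invalid", f"{raw!r} is not an integer")
            return None

    def enabled(name):
        # Absent flags use the documented default of false; treating the
        # value case-insensitively is an assumption.
        return params.get(name, "false").lower() == "true"

    timeout = integer("LDAPOperationTimeout", -1)
    if timeout == -1:
        flag("LDAPOperationTimeout", "hang-risk",
             "directory server controls the wait; if it hangs, the component hangs")
    elif timeout is not None and timeout <= 0:
        flag("LDAPOperationTimeout", "invalid",
             "must be -1 or a positive number of milliseconds")

    retries = integer("LDAPMaxNoOfRetries", 0)
    if retries is not None:
        if retries < -1:
            flag("LDAPMaxNoOfRetries", "invalid",
                 "must be -1, 0, or a positive whole number")
        elif retries == -1:
            flag("LDAPMaxNoOfRetries", "unbounded-retries",
                 "infinite retries remove the safeguard against a failover loop")
        elif 0 < retries <= directory_servers:
            flag("LDAPMaxNoOfRetries", "below-recommendation",
                 f"set a value greater than the {directory_servers} directory servers")

    stack = integer("StringStack", 512)
    if stack is not None and stack < 512:
        flag("StringStack", "invalid", "minimum value is 512 KB")

    if enabled("IsBackwardCompatible"):
        flag("IsBackwardCompatible", "review",
             "older WebGates are accepted; reset to false once all are upgraded")
    if enabled("TurnOffNestedGroupEvaluation"):
        flag("TurnOffNestedGroupEvaluation", "review",
             "nested groups in Allow Access and Deny Access conditions are not evaluated")
    return findings


if __name__ == "__main__":
    for name, code, message in audit(load_params(SAMPLE_GLOBALPARAMS), directory_servers=2):
        print(f"{code:22} {name}: {message}")
```
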


Table B-10 oblixadminparams.xml

Parameter Name Description Default Value Possible Values

csv_field_delim

A CSV field delimiter that is used to separate two fields when generating reports.

Default value: , (comma)


csv_value_delim

A CSV value delimiter that is used to separate two values when generating reports.

Default value: , (comma)


config_meta_attr_applet_bg

An RGB hexadecimal number that defines the configuration attributes background color.

Default value: cccccc

Possible values: An RGB hexadecimal number for a color

config_meta_attr_applet_fg

An RGB hexadecimal number that defines the configuration attributes foreground color.

Default value: 000000

Possible values: An RGB hexadecimal number for a color

mime_type_file_location

The location of the MIME type file.

Default value: ../../admin/bin/mime_types.lst

Possible values: Do not configure

oblixNode

The RDN of the node under which all the Oblix configuration information is stored. This is prefixed to the config DN that you specify during setup. The entire DN is the container for all Oblix data. For example, if the configuration DN was specified as "o=company,c=us", and the oblixNode parameter is given the value "o=configdata", then the oblix container DN is "o=configdata, o=company,c=us".

Default value: The parameter is not specified in the installed version of this file. Until specified otherwise during setup, the value is taken to be o=oblix.

Possible values: Any valid RDN values such that they satisfy the container requirements of the parent node (the config DN).


Table B-11 oblixappparams.xml

Parameter Name Description Default Value Possible Values

checkChangeAttributeEvenAllowModify

For performance reasons, if a user has write (modify) permissions for an attribute, applications do not check that the user is a participant in a Change Attribute workflow for that attribute.

If this flag is true and the user has write permission, applications check that the user is a participant. This causes a Request button(s) to appear in the application, next to the attribute to be modified.

Default value: false

Possible values: true, false

csv_field_delim

A CSV field delimiter is used to separate two fields when generating reports.

Default value: , (comma)


csv_value_delim

A CSV value delimiter is used to separate two values when generating reports.

Default value: , (comma)


enable_oaview

Enable optional authentication view.

Default value: false

Possible values: true; false or any other string

group_cgi

The URL to get to a group application.

Default value: ../../groupservcenter/bin/groupservcenter.cgi

Possible values: ../../groupservcenter/bin/groupservcenter.cgi

group_view_program

The program that is used to view a group profile (this is appended to the URL as &program=view), or whatever program you want the application to go to (during cross-application linking) to view a group.

Default value: view

Possible values: view. Go to the Group Manager application for other options such as viewing member details, and so on.

initial_search_advance

Use the initial search as the first view when user wants to perform a search.

Default value: false

Possible values: true; false or any other string

initial_search_advance_nooffields

The number of fields to display for an initial advanced search. Use with initial_search_advance.

Default value: 3

Possible values: Any positive integer

object_cgi

The URL to get to the Organization Manager application.

Default value: ../../objservcenter/bin/objservcenter.cgi

Possible values: ../../objservcenter/bin/objservcenter.cgi

object_view_program

The program used to view an object profile (this is appended to the URL as &program=view), or whatever program you want the application to go to (during cross-application linking) to view an object.

Default value: view

Possible values: view (Go to the group manager application for other options)

search_result_show_count

Show the count for the number of search results returned in a search operation.

Default value: false

Possible values: true for true; false or any other string

search_result_views

When a search is performed, these are the possible display format(s) for the results. Any combination of these values is allowed. Also the order of the search results side tabs depends on the order of the values listed. The absence of any one of these values disables that search results view format.

Default value: table_view, custom_view

Possible values: table_view, custom_view

searchSameAttrAsOr

If the same attribute has provided multiple values in a search request, assume that it is an AND if set to false or an OR if set to true.

Default value: false

Possible values: true, false

searchStringMinimumLength

The minimum number of characters that the end user needs to provide in order to perform a search operation. The value can be overridden for each of the Identity applications by adding this parameter to the parameter file that is specific to the Identity application.

Default value: 0

Possible values: Any positive integer.

user_cgi

The URL to access an Identity application, for example, User Manager.

Default value: ../../userservcenter/bin/userservcenter.cgi

Possible values: Same as default

user_view_program

The program that is used to view a user profile (this is used to append to the URL as &program=view) or whatever program you want the application to go to view a user (during cross-application linking).

Default value: view

Possible values: view

validateAllDnViewMode

Turns DN validation on or off when a user views the values of all DN-type attributes. If it is true, all DN attributes are validated before being displayed to the user, and the logged in user only sees values of the DN-type attributes that he or she has view access to. View access is set on the class attribute for the object class of the DN. View access is also determined by localized access, that is, this DN falls under the user's search bases with respect to the object class type of the DN.

Default value: false

Possible values: true, false

validateAllDnModifyMode

Turns DN validation on or off for the modify mode for the values of all DN-type attributes. If it is true, all DN attributes are validated before being displayed to the user in the form. Validation means that the logged in user sees values of the DN that he or she has view access to. View access is set on the class attribute of the object class of the DN. View access can also be localized access, that is, this DN falls under the user's search bases with respect to the type of object class of the DN. The user is allowed to add and remove only the DNs that he or she has access to.

Default value: false

Possible values: true, false

validateDnAttrsViewMode

Turns DN validation on or off for view mode for the values of the specified DN type attribute. This is a ValList parameter. You provide the list of attributes as a vallist. This parameter is used only if the validateAllDnViewMode parameter is set to false. This enables attribute level validation. The parameter validateAllDnViewMode provides global validation.

DN attributes in this vallist are validated before being displayed. Validation means that the logged in user sees values of the DN that he or she has view access to as specified on the class attribute of the object class of the DN, or that he or she has localized access to. That is, this DN falls under the user's search bases with respect to the type of object class of the DN.

Default value: none

Possible values: A vallist of DN type attributes. Use LDAP names, not display names.

validateDnAttrsModifyMode

Turns DN validation on or off for modify mode for the values of the specified DN type attribute. This is a ValList parameter. You provide the list of attributes as a vallist. This parameter is used only if the parameter validateAllDnModifyMode is set to false. This enables attribute level validation, whereas the parameter validateAllDnModifyMode provides global validation.

DN attributes that you specify in this vallist are validated before being displayed in the form. Validation means that the logged in user only sees values of the DN that he or she has view access to, as specified on the class attribute of the object class of the DN, or if he or she has localized access. With localized access, this DN falls under the user's search bases with respect to the type of object class of the DN.

Default value: none

Possible values: A vallist of DN type attributes. Use LDAP names, not display names.


Table B-12 oblixbaseparams.xml

Parameter Name Description Default Value Possible Values

groupservcenter_admin_application_info with sub parameters:

VERSION

CODE

ID

PROGRAM

DESCRIPTION

NAVBAR_GIF

NAVBAR_GIF2

NAVBAR_GIFDIR

Information about the Group Manager Admin application. The listed parameters define the version of the application running, the code used for license checking, relative path of the application, the mouseover message for the application, the name of the GIF used on the top navigation bar, and the relative path to the GIF used on the top navigation bar.

Default value:

VERSION=5.00

CODE=GMAD

ID=groupservcenter_admin

PROGRAM=../../admin/bin/front_page_admin.cgi?targetApplication=groupservcenter_admin

DESCRIPTION=Group Manager Admin

NAVBAR_GIF=OTABgroupmanager

NAVBAR_GIF2=OTABgroupmanager2

NAVBAR_GIFDIR=../../common/ui/style0

Possible values:

DESCRIPTION can be any text string

NAVBAR_GIF can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

NAVBAR_GIF2 can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

userservcenter_admin_application_info

with sub parameters:

VERSION

CODE

ID

PROGRAM

DESCRIPTION

NAVBAR_GIF

NAVBAR_GIF2

NAVBAR_GIFDIR

Information about the User Manager Admin application. The listed parameters define the version of the application running, the code used for license checking, relative path of the application, mouseover message for the application, name of the GIF used on the top navigation bar, and the relative path to the GIF used on the top navigation bar.

Default value:

VERSION=5.00

CODE=UMAD

ID=userservcenter_admin

PROGRAM=../../admin/bin/front_page_admin.cgi?targetApplication=userservcenter_admin

DESCRIPTION=User Manager Admin

NAVBAR_GIF=OTABusermanager

NAVBAR_GIF2=OTABusermanager2

NAVBAR_GIFDIR=../../common/ui/style0

Possible values:

DESCRIPTION can be any text string

NAVBAR_GIF can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

NAVBAR_GIF2 can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

access_control_applet with sub-parameters:

applet_dimension_width

applet_dimension_height

column_width

This list contains customization values for dimensions of the Attribute Access Control applet.

Default value:

applet_dimension_width=630

applet_dimension_height=765

column_width=135

Possible values: A positive integer

access_front_page_admin_application_info with sub parameters:

VERSION

CODE

ID

PROGRAM

DESCRIPTION

NAVBAR_GIF

NAVBAR_GIF2

NAVBAR_GIFDIR

Information about the Access Administration application. The listed parameters define the version of the application running, the code used for license checking, relative path of the application, mouseover message for the application, name of the GIF used on the top navigation bar, and the relative path to the GIF used on the top navigation bar.

Default value:

VERSION=5.00

CODE=AD30

ID=access_front_page_admin

PROGRAM=../../../../../access/oblix/apps/admin/bin/front_page_admin.cgi?

DESCRIPTION=Access Administration

NAVBAR_GIF=T1TABaccessadmin

NAVBAR_GIF2=T1TABaccessadmin

NAVBAR_GIFDIR=../../common/ui/style0

Possible values:

DESCRIPTION can be any text string

NAVBAR_GIF can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

NAVBAR_GIF2 can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

applet_customizations

Enables you to configure dimensions for various applets used in the Identity System.

This compound list contains the following valname lists.

workflow_definition_applet

setsearchbase_applet

delegate_admin_applet

access_control_applet

According to the list


Apply_LostPwdMgmt

Specify whether to apply lost password management.

Default value: The default parameter in the params file is Yes. If no value is specified in the parameter catalog, then the product assumes the value is No.

Possible values: Yes (case insensitive). All other values mean no.

certAttrs

Attribute values that can show up on a certificate.

Default value: issuerDN, validFrom, validTill

Possible values: This is a multi-valued parameter:

issuerDN

validFrom

validTill

SubjectDN

PubKeyAlgID

Version

checkuserisdeactivated

When a user initiates an action, Oracle Access Manager can be set to check to see if that user is deactivated. By default, this check is disabled in order to reduce the number of reads of the directory. The check can be enabled by adding this parameter, and setting its value to true.

Default value: false

Possible values: true, false

containmentlimit_applet

with sub-parameters:

applet_dimension_width

applet_dimension_height

column_width

This list contains values for dimensions of the Containment Limit applet.

Default value:

applet_dimension_width=805

applet_dimension_height=467

column_width=135

Possible values: A positive integer

cookieBustLimit

Number of people that can be selected, for example, in the Selector application, before the cookie size limit is exceeded. This depends greatly on the size of the DN for each entry, and upon the operating system. Suggested values are 15 or less for Active Directory, 25 or less for others.

Default value: 30

Possible values: A positive integer. If there are any Latin-1 characters in the user DN, then each such Latin-1 character should be counted as 3 characters (this is because Latin-1 characters are escaped to their %xx hex equivalent in the cookie).

dateSep

A character used to separate fields in a date value.

Default value: /

Possible values: A single character

dateType

Different formats to display a date value.

Default value: ObMDYDate

Possible values:

ObMDYDate (12/31/2000)

ObDMYDate (31/12/2000)

ObDMonthYDate (31-Dec-2000)

ObMonthDYDate (Dec-31-2000)

ObIntegerDate (yyyy-mm-ddThh:mm:ss)

ObISO8061Date (yyyy-mm-ddThh:mm:ssTZD or yyyymmddThhmmssTZD, where TZD = {+-}hh:mm)

default_display_vals with sub parameters:

defaultDisplayName

defaultDisplayVal

Display name for a no-operation, single-selection menu item and its corresponding value. This is used while creating a report.

Default value:

defaultDisplayName=None

defaultDisplayVal=

Possible values: Any string

defaultDisplayResultVal

Default number of values to display in the results for a search. It is used when the user first does a search, or if the user's cookie file is not available. Subsequent searches get this value from the user's cookie. This value also controls what is shown on Generate Reports, Incoming Requests, Outgoing Requests, and Monitor Requests pages in the Identity Server.

Default value: 8

Possible values: A positive integer

delegate_admin_applet

with sub parameters:

applet_dimension_width

applet_dimension_height

column_width

This list contains values for dimensions of the Delegate Admin applet.

Default value:

applet_dimension_width=630

applet_dimension_height=665

column_width=135

Possible values: A positive integer

front_page_admin_application_info with sub parameters:

VERSION

CODE

ID

PROGRAM

DESCRIPTION

NAVBAR_GIF

NAVBAR_GIF2

NAVBAR_GIFDIR

Information about the Identity Administration application. The listed parameters define the version of the application running, the code used for license checking, relative path of the application, mouseover message for the application, name of the GIF used on the top navigation bar, and the relative path to the GIF used on the top navigation bar.

Default value:

VERSION=5.00

CODE=FPAD

ID=front_page_admin

PROGRAM=../../admin/bin/front_page_admin.cgi

DESCRIPTION=Identity Administration

NAVBAR_GIF=T1TABidentityadmin

NAVBAR_GIF2=T1TABidentityadmin

NAVBAR_GIFDIR=../../common/ui/style0

Possible values:

DESCRIPTION can be any text string

NAVBAR_GIF can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

NAVBAR_GIF2 can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

groupservcenter_application_info with sub parameters:

VERSION

CODE

ID

PROGRAM

DESCRIPTION

NAVBAR_GIF

NAVBAR_GIF2

NAVBAR_GIFDIR

WORKFLOW_ALLOWED

Specific information about the Group Manager application. The listed parameters define the version of the application running, the code used for license checking, relative path of the application, mouseover message for the application, name of the GIF used on the top navigation bar, and the relative path to the GIF used on the top navigation bar.

Default value:

VERSION=5.00

CODE=GM50

ID=groupservcenter

PROGRAM=../../groupservcenter/bin/groupservcenter.cgi

DESCRIPTION=Group Manager

NAVBAR_GIF=T1TABgroupmanager

NAVBAR_GIF2=T1TABgroupmanager

NAVBAR_GIFDIR=../../common/ui/style0

WORKFLOW_ALLOWED=true

Possible values:

DESCRIPTION can be any text string

NAVBAR_GIF can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

NAVBAR_GIF2 can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

WORKFLOW_ALLOWED if set to true means allowed, any other values mean not allowed

installed_apps

Name of the applications that are enabled.

Default value: N.A.

Possible values: For the Identity System, the applications are:

userservcenter (User Manager), groupservcenter (Group Manager), objservcenter (Organization Manager)

loginslack

Oracle Access Manager expects the machine times for all Web Servers running Policy Manager and Identity Server to be synchronized. If they are not, logging in to the Policy Manager or the Access System Console is not possible. This parameter specifies a slack time in seconds by which the machine times may differ.

Default value: 60

Possible values: A positive integer (in seconds)

max_url_length

The maximum URL length for the specified browsers. The length is expressed in bytes.

Default value:

netscape=4096

ie=1024

Possible values:

netscape: A positive integer

ie: A positive integer

objservcenter_admin_application_info

with sub parameters:

VERSION

CODE

ID

PROGRAM

DESCRIPTION

NAVBAR_GIF

NAVBAR_GIF2

NAVBAR_GIFDIR

Information about the Organization Manager Admin application. The listed parameters define the version of the application running, the code used for license checking, relative path of the application, mouseover message for the application, name of the GIF used on the top navigation bar, and the relative path to the GIF used on the top navigation bar.

Default value:

VERSION=5.00

CODE=OMAD

ID=objservcenter_admin

PROGRAM=../../admin/bin/front_page_admin.cgi?targetApplication=objservcenter_admin

DESCRIPTION=Org. Manager Admin

NAVBAR_GIF=OTABgroupmanager

NAVBAR_GIF2=OTABgroupmanager2

NAVBAR_GIFDIR=../../common/ui/style0

Possible values:

DESCRIPTION can be any text string

NAVBAR_GIF can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

NAVBAR_GIF2 can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

objservcenter_application_info with sub parameters:

VERSION

CODE

ID

PROGRAM

DESCRIPTION

NAVBAR_GIF

NAVBAR_GIF2

NAVBAR_GIFDIR

WORKFLOW_ALLOWED

Information about the Organization Manager application. The listed parameters define the version of the application running, the code used for license checking, relative path of the application, mouseover message for the application, name of the GIF used on the top navigation bar, and the relative path to the GIF used on the top navigation bar.

Default value:

VERSION=5.00

CODE=OM50

ID=objservcenter

PROGRAM=../../objservcenter/bin/objservcenter.cgi

DESCRIPTION=Org. Manager

NAVBAR_GIF=T1TABorgmanager

NAVBAR_GIF2=T1TABorgmanager

NAVBAR_GIFDIR=../../common/ui/style0

WORKFLOW_ALLOWED=true

Possible values:

DESCRIPTION can be any text string

NAVBAR_GIF can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

NAVBAR_GIF2 can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

WORKFLOW_ALLOWED value of true means allowed, any other values mean not allowed

policyservcenter_application_info with sub parameters:

VERSION

CODE

ID

PROGRAM

DESCRIPTION

NAVBAR_GIF

NAVBAR_GIF2

NAVBAR_GIFDIR

Information about the Policy Manager application. The listed parameters define the version of the application running, the code used for license checking, relative path of the application, mouseover message for the application, name of the GIF used on the top navigation bar, and the relative path to the GIF used on the top navigation bar.

VERSION=1.0

CODE=PS10

ID=policyservcenter

PROGRAM=../../../../../access/oblix/apps/front_page/bin/front_page.cgi

DESCRIPTION=Policy Manager

NAVBAR_GIF=T1TABaccessmanager

NAVBAR_GIF2=T1TABaccessmanager

NAVBAR_GIFDIR=none

DESCRIPTION can be any text string

NAVBAR_GIF can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

NAVBAR_GIF2 can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

setsearchbase_applet, with sub parameters:

applet_dimension_width

applet_dimension_height

column_width

This list contains values for dimensions of the Set Searchbase applet.

applet_dimension_width=650

applet_dimension_height=740

column_width=135

A positive integer

showReplicationWarnings

This parameter determines whether to display replication-related warnings, for example, "Your changes may not be immediately available," after any of the following operations: modify or add attributes, create ticket, process ticket, change style, modify or add location.

true

true

false

sysmgmt_application_info

with sub parameters:

VERSION

CODE

ID

PROGRAM

DESCRIPTION

NAVBAR_GIF

NAVBAR_GIF2

NAVBAR_GIFDIR

Information about the System Admin application. The listed parameters define the version of the application running, the code used for license checking, relative path of the application, mouseover message for the application, name of the GIF used on the top navigation bar, and the relative path to the GIF used on the top navigation bar.

VERSION=5.00

CODE=SMAD

ID=sysmgmt

PROGRAM=../../admin/bin/front_page_admin.cgi?targetApplication=sysmgmt

DESCRIPTION=System Admin

NAVBAR_GIF=OTABsystemadmin

NAVBAR_GIF2=OTABsystemadmin2

NAVBAR_GIFDIR=../../common/ui/style0

DESCRIPTION can be any text string

NAVBAR_GIF can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

NAVBAR_GIF2 can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

system_consoles

The application to appear on the System Console.

front_page_admin

This is a multi-valued parameter:

front_page_admin

policyservcenter

access_front_page_admin

top_frame

Name of the top frame in the Front Page application.

_top

A frame name (for example, _top)

top_main_frame

Name of the main frame in the Front Page application.

main_frame

A frame name (for example, main_frame)

userservcenter_application_info with sub parameters:

VERSION

CODE

ID

PROGRAM

DESCRIPTION

NAVBAR_GIF

NAVBAR_GIF2

NAVBAR_GIFDIR

WORKFLOW_ALLOWED

Information about the User Manager application. The listed parameters define the version of the application running, the code used for license checking, relative path of the application, mouseover message for the application, name of the GIF used on the top navigation bar, and the relative path to the GIF used on the top navigation bar.

VERSION=5.00

CODE=UM50

ID=userservcenter

PROGRAM=../../userservcenter/bin/userservcenter.cgi

DESCRIPTION=User Manager

NAVBAR_GIF=T1TABusermanager

NAVBAR_GIF2=T1TABusermanager

NAVBAR_GIFDIR=../../common/ui/style0

WORKFLOW_ALLOWED=true

DESCRIPTION can be any text string

NAVBAR_GIF can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

NAVBAR_GIF2 can be any gif name with a .gif extension that exists in the NAVBAR_GIFDIR

WORKFLOW_ALLOWED if true means allowed, any other values mean not allowed

ssologouturl

This parameter overrides the SSO Logout URL parameter configured in the Access System Console

None

Any valid URL that does the single sign-on logout.

workflow_definition_applet

with sub-parameters:

applet_dimension_width

applet_dimension_height

column_width_workflowdef

column_width_workflow_targetdef

column_width_workflow_stepdef

column_width_participant_notifee

This list contains values for dimensions of the workflow applet. This includes the three pages in workflow creation: workflow definition, target definition and step definition. The column_width parameters apply to the left column of all the respective applets.

applet_dimension_width=650

applet_dimension_height=625

column_width_workflowdef=160

column_width_workflow_targetdef=160

column_width_workflow_stepdef=160

column_width_participant_notifee=100

A positive integer


Table B-13 configdbparams.xml

Parameter Name Description Default Value Possible Values

enableLDAPReferral

When the directory server returns a referral, this parameter controls whether the referral is automatically chased. A referral message provides the address of a master server. A client can chase a referral.

true (automatically chase the referral)

true

false


Table B-14 groupdbparams.xml

Parameter Name Description Default Value Possible Values

allow_non_rdn_modifications

If this parameter is set to true, the user can modify an attribute that is part of the DN, if they have modification rights. This check is imposed because non-RDN modification affects the DN itself and results in moving the directory entry to a different subtree. This affects referential integrity issues. This parameter enables the administrator to prevent such operations.

This only applies to attributes that make up the non-RDN portion of the DN. For example, ou, o, and c in the DN "cn=John Smith, ou=Corporate, o=Company,c=US".

false (do not allow non-RDN modifications)

true (allow non-RDN modifications)

false (do not allow non-RDN modifications)

default_policy

Default policy for access control to generic or location objects when no policy is found.

false (Deny Access)

true (Allow Access)

false (Deny Access)

default_subscription_policies

Selects which of the four subscription policies supported by Group Manager are available.

The policies are displayed at the time of definition for a Create Group workflow. In the workflow definition, the user can select the subscription policies he wants to allow for groups that are created using this workflow definition. Then at the time of the actual create operation by the end-user, these options are shown in the Subscription Policy field, as a list, from which the end-user is supposed to select one policy that he wants to apply to this group.

Note that the subset of the policies that are selected during workflow definition is also stored in each group entry created using that workflow, in an attribute hidden from the user. Later on, if the user wants to modify the subscription policies, then the values are obtained from this hidden attribute and again shown in the single-selection list.

All of the possible values are made available by default.

SubscriptionPolicyOpen — Automatic, no approval necessary

SubscriptionPolicyOpenFilter — Automatic if new member satisfies filter, no approval necessary

SubscriptionPolicyControlledWorkflow — Needs approval through a workflow

SubscriptionPolicyClosed — Nobody can subscribe to this group

default_subscription_policy

Default policy for group subscription when no policy is found in the group entry.

SubscriptionPolicyClosed

The allowed policies are:

SubscriptionPolicyOpen (Automatic, no approval necessary)

SubscriptionPolicyOpenFilter (Automatic if new member satisfies filter, no approval necessary)

SubscriptionPolicyControlledWorkflow (Needs approval through workflow)

SubscriptionPolicyClosed (nobody can subscribe to this group)

See the default_subscription_policies parameter in this table for more information.

extra_group_filter

An LDAP filter. This filter, if specified, is used by Group Manager to qualify group searches. This filter may contain an Oblix rule substitution.

ou=$ou$. The meaning of this filter is that the group being searched must have the same ou value as the user who initiates the search. For example, if the user belongs to ou=corporate, a filter of ou=corporate is used to qualify group searches.

Any valid LDAP filter, which may or may not contain a valid rule substitution.

Note: Any characters that are valid syntax for an LDAP filter, but are also xml markup, must be specified as entity references.

max_filter_conditions

This parameter can be used to control the length of the filter that is used in group queries. It is an integer that says how many elements can make up the filter. The Group Manager application uses a search algorithm to minimize the number of searches done. It uses OR logic to combine multiple filters (essentially queries) into one large filter. But every directory server has its own limitations on the length of a filter used in doing the LDAP searches. This parameter enables the administrator to tune it according to the directory server used.

20

Any integer value, depending on what the directory server is able to handle

use_extra_group_filter_expansion

Indicates whether or not to use the extra_group_filter to further qualify group searches in group expansion.

false

true

false

use_extra_group_filter_mygroups

Indicates whether or not to use the extra_group_filter to further qualify group searches in the MyGroups Profile.

false

true

false

user_defined_unique_member

This parameter is applicable to IBM SecureWay. In the SecureWay schema, a uniquemember attribute is required in the schema. Deactivating a user who is also the last member of a group causes an objectclass violation if the deactivation is done through User Manager.

Therefore, User Manager attempts to replace this soon-to-be deactivated user with an entry for the Directory Administrators group. This parameter is used in place of the Directory Administrator group, if specified.

None

Any valid dn


Table B-15 objectdbparams.xml

Parameter Name Description Default Value Possible Values

allow_non_rdn_modifications

If this parameter is set to true, then modifying an attribute that is part of the DN will affect the DN itself and will result in moving the directory entry to a different subtree. This only applies to attributes that make up the non-RDN portion of the DN. For example, ou, o, and c in the DN "cn=John Smith, ou=Corporate, o=Company, c=US". Unlike the similar parameters in groupdbparams.xml and userdbparams.xml, this parameter is configured for each object class.

false (do not move the entry) for each object class

true (allow moving) for each object class

false (do not move the entry) for each object class

default_containment_policy

Default policy for Containment Limit when no policy is found.

false (Do not Allow Create)

true (Allow Create)

false (Deny Create)

default_policy

Default policy for access control to generic or location objects when no policy is found.

false (Deny Access)

true (Allow Access)

false (Deny Access)


Table B-16 workflowdbparams.xml

Parameter Name Description Default Value Possible Values

qs_state_groupservcenter

Controls whether Quickstart is enabled for Group Manager.

true

true

false

qs_state_objservcenter

Controls whether Quickstart is enabled for Object Manager.

true

true

false

qs_state_userservcenter

Controls whether Quickstart is enabled for User Manager.

true

true

false

WfDefCacheDisabled

Determines if the workflow caches are to be disabled or not.

false

true

false

WfDefCacheMaxNoOfElmts

Maximum number of allowed elements in each of the workflow caches.

25

Unsigned integer

WfDefCacheTimeout

Timeout for each individual element in the cache.

0

Long integer

WfDefMaxNumStepDefFiltersPerSearch

Determines the maximum number of step definition filters that can be used in each search. If the final number of filters is more than this specified value then multiple searches will be done.

None

Integer

WfInstanceNotRequired

A flag indicating if a single-user-action step workflow instance should be written to the directory server. This flag enables you to not save workflow instances if they are based on a single user action step and are not required later (for example, for auditing) and improve workflow runtime performance.

false: Write workflow instances to the directory server.

true: Do not write to the directory server, unless otherwise required by the workflow definition.

false

true

false


Table B-17 ldapappdbparams.xml

Parameter Name Description Default Value Possible Values

ListOfDSAttributesForFilterSubstitution

List of directory server read-only system attributes utilized for ACL filter substitution. These attribute values do not return unless the directory server specifically queries for them. The list is entered as a ValList, in the form

<ValList ListName="ListOfDSAttributesForFilterSubstitution">
  <ValListMember Value="entrydn" Operation="Add"/>
</ValList>

nothing

List of attributes such as entrydn, creatorsname, passwordexpirationtime

osdcache:hashsize

The hash size for the cache.

3001

Any positive integer (preferably a prime number)


Table B-18 ldapconfigdbparams.xml

Parameter Name Description Default Value Possible Values

dynamicAuxiliary

Set objectclass. This is only used for AD: AD does not allow the use of auxiliary class in the objectClass attribute.

false

true

false

groupspecialAttrs

Used to cache in attributes for group class.

The cn attribute is derived from the auxiliary class mailrecipient, and hence does not show up on the list of required attributes. Also, sAMAccountName attribute is cached by default.

Any valid attribute names.

bind-dn password

Bind DN, and password

none

Any valid string value for each

specialAttrs

Used to cache in attributes for person class.

SAMAccountName attribute is cached.

Any valid attribute names

useOIDNamingAttribute

If the oidnamingattribute flag is set, convert the name to oid. Currently, this flag is only set in the case of Active Directory.

false

true

false


Table B-19 basedbparams.xml

Parameter Name Description Default Value Possible Values

default_policy

Default policy for access control to any object. If the driving application database does not override this parameter, the default set here is assumed.

false (Deny Access)

true (Allow Access)

false (Deny Access)

doAccessServerFlush

This signals that the AccessGate client has been configured on the OIS server and it can now begin to send user flush requests to the Access System, using the Policy Manager API.

false

true

false

enableAllowAccessCache

This parameter turns caching of evaluated access control policies on or off. The cache exists only for the duration of processing a request. The cache helps when an access control policy needs to be evaluated more than once in the same request. This cache contains information regarding whether the user is allowed or denied access based on the evaluated policy.

true

true

false

SelfRegGeneratesSSOCookie

This tells the Access System to automatically log on the requester right after self-registration if the person is activated. To do this, the settings for SR_SSOCookieMethod and SR_SSOCookieURL parameters must also be specified in this file.

false

true

false

SR_SSOCookieDomain

This is one of the ObSSOCookie generation parameters. If no value is specified for this parameter, the ObSSOCookie is not associated with a particular domain.

None

A valid domain name, for example oblix.com

SR_SSOCookieIP

One of the ObSSOCookie generation parameters. If no value is specified for this parameter, the client IP will be used.

None

Any of the IP or IP addresses, if any, specified in the IPValidationExceptions parameter in the Access System (Access System Configuration tab, AccessGate Configuration page).

SR_SSOCookieMethod

Access Manager SDK query parameter, used with self-registration. This parameter, along with the SR_SSOCookieURL parameter, is used by the Access Manager SDK to determine the URL and method that are protected. The SSOCookie will not be generated if this value is not specified.

GET

Any one of the HTTP Request Methods that are protected by the Access System

SR_SSOCookiePath

One of the ObSSOCookie generation parameters. This parameter will be used to generate ObSSOCookie. If none is specified, / will be used.

/


/ or any URL path

SR_SSOCookieURL

Access Manager SDK query parameter, used with self-registration. This parameter, along with the SR_SSOCookieMethod parameter, is used by the Access Manager SDK to determine the URL and method that are protected. The SSOCookie will not be generated if this value is not specified.

/identity/oblix

Any URL protected by the Access System


Table B-20 ldapreferentialintegrityparams.xml

Parameter Name Description Default Value Possible Values

ObjectclassesAndAttributesToDoReferentialIntegrity

This compoundlist contains a set of ValList elements named after object classes. Each ValList may be empty or may contain ValListMember elements named after attributes belonging to the object class.

The object classes listed are those that Oracle Access Manager will update whenever an entry is renamed (such as its DN changed).

The attributes listed for each object class are of type DN, and thus may refer to the entry which is being renamed.

If no attributes are listed for a particular object class, Oracle Access Manager queries the schema to find all the DN attributes for that object class.

If there is an attribute list, then only the listed attributes are used for the referential integrity check.

See the following table for a list of objectclasses and attributes.

Any valid objectclass with DN syntax attributes.

Note: In order for Oracle Access Manager to work correctly, the default values should NOT be changed. You should only add your own objectclass and attributes to this list.

references_to_non_existing_entries_allowed

Determines how to deal with a reference to a non-existent entry.

Since AD and Novell automatically remove references to non-existent entries, this parameter should be set to false for those Directory Servers. The Netscape/iPlanet DS does not; Oracle Access Manager adjusts the reference as you direct.

false

Active Directory: Set to false

Novell: Set to false

Netscape/iPlanet:

  • Set to false to have Oracle Access Manager update DN attributes that point to an entry being renamed

  • Set to true to have Oracle Access Manager not update DN attributes referring to an entry being renamed

referential_integrity_using

Determines the responsibility for renaming a DN. The Active Directory and Novell directory servers do this automatically; ds is therefore the proper entry. Netscape does not, leaving it to Oracle Access Manager to make the change; this is indicated by the parameter value oblix. These values are set by the installation process and must not be changed by the user.

Varies with the Directory Server, defined at install time.

Active Directory: Set to ds

Novell: Set to ds

Netscape: Set to oblix

unique_value_attrs

Specify a list of attributes whose values need to be unique under the configured directory server namespace. Necessary values vary with the brand of directory server. The Possible Values column shows the required entries; users may add additional attributes.

uid

Novell: Remove list

Active Directory: Add one ValListMember, sAMAccountName

Netscape: Leave the default ValListMember, uid


Here are the attributes referred to in the previous table, under ObjectclassesAndAttributesToDoReferentialIntegrity:

Table B-21 ObjectClass Attributes for Referential Integrity

ObjectClass Attributes

groupofuniquenames

uniqueMember

owner

seeAlso

inetOrgPerson

manager

secretary

oblixattribute

access

obmodifyaccessuid

obviewaccessuid

obnotifyuid

oblixAuxLocation

oblocationdn

oblixcreatedeleteaccess

obaccessuid

obnotifyuid

oblixGenericResourceAuxClass

obResourceUid

oblixgroup

obgroupadministrator

obgroupcreator

oblixGroupResourceAuxClass

obResourceUid

oblixlocation

obparentlocationdn

oblixorgperson

obindirectmanager

oblocationdn

oblixPolicyCondition

obpolicyconditionUid

obpolicyconditiongroup

oblixUserResourceAuxClass

obResourceUid


Table B-22 appdbparams.xml

Parameter Name Description Default Value Possible Values

debug

Indicates whether or not the WebPass client should be in debug mode and write debug information to the debug file.

false

true: Use debug mode

false: Do not use debug mode

id

Unique identifier for WebPass client plug-in.

webpassdefault

Any

failoverThreshold

The number of Identity Server connections that the WebPass client will attempt to keep active. If the number of connections falls under the failoverThreshold, the WebPass client will attempt to open additional connections until the number of open connections equals the failoverThreshold. To meet the failoverThreshold, the WebPass client will use Identity Servers first from the primary server list, then from the secondary server list.

1

Any number

ldapMaxSessionTimeInMins

The size of the caches for LDAP connections to the Access Server and Policy Manager increases over time. Oracle Access Manager does not control these caches directly. To prevent the cache size from causing a performance problem, you can configure the ldapMaxSessionTimeInMins parameter to close the connection.

Closing the connection clears the cache.

600

An integer (in minutes)

maxConnections

The maximum number of connections to Identity Servers.

1

Any number

maxSessionTime

The time an Identity Server connection will remain open in hours.

24

Any number

osdcache:warmupcache

Warms up the OSD cache.

true

no or false: do not warm up

anything else: warm up

primary_server_list

List of primary Identity Servers. Each list entry is a triplet of host, port, numConnections.

The triplet (for example, defaulthost, 6022, 1).

Any valid triplet of (host, port, numConnections):

host: The host on which the primary Identity Server resides

port: The port on the host on which the primary Identity Server listens

numConnections: The number of connections that the WebPass client can open to a particular primary Identity Server.

secondary_server_list

List of secondary Identity Servers. Each list entry is a triplet of (host,port,numConnections)

None

Any valid triplet of (host, port, numConnections)

host: The host on which the secondary Identity Server resides

port: The port on host on which the secondary Identity Server listens

numConnections: The number of connections that the WebPass client will open to a particular secondary Identity Server

security

The mode of transport security used for WebPass client and Identity Servers.

open — Transport security mode where no authentication and no encryption is performed. The WebPass client does not demand any proof of the Identity Server's identity, and the Identity Server accepts connections from all WebPass clients connected to it.

simple — Transport security mode where communication between the WebPass client and the Identity Server is encrypted using TLS v1 (Transport Layer Security, RFC 2246). WebPass and Identity Server authenticate one another using a global password, which must be the same across installations.

cert — Transport security mode under which the data transferred between points is encrypted using SSL and a public key certificate.

open

open

simple

cert

as described in the Description column.

sleepFor

A time interval in seconds. After each interval, the WebPass client will update its configuration if the refresh flag is set to true. Also, the interval after which the WebPass client will do its failoverThreshold calculation and open additional connections, if necessary.

60

Any number.


Table B-23 overridedbprofile.xml

Parameter Name Description Default Value Possible Values

list of agents

List of agents for which the default values obtained from the directory server are to be overridden. Each list has a list name that should be the same as the agent for which the connection parameters are required to be overridden. Each agent should be accompanied by the following (host, port, secureport). This is used in the case where one directory server replicates another, and the user wants to use the replicant.

An example of this file is installed at:

IdentityServer_install_dir/identity/oblix/data/common

You must change the content of the file and move it to:

IdentityServer_install_dir/identity/oblix/data.ldap/common

in order for it to take effect.

none

A valid agent name along with the following three parameters:

host: Hostname for the directory server

port: Port at which the directory server listens for open LDAP connections

secureport: Secure port for the DS


Table B-24 accessdb.xml, appdb.xml, configdb.xml, obgroupdb.db.xml, obobjectdb.xml, userdb.xml, webresrcdb.xml, workflowdb.xml, ticketdb.xml

Parameter Name Description Default Value Possible Values

ldapRootDN

Bind dn.

Specified during setup

Any valid dn

ldapRootPasswd

Bind password.

Specified during setup

Any password

ldapServerName

LDAP host name for this database.

Specified during setup

Any valid host name

ldapServerPort

LDAP port number.

Specified during setup

Any valid port number

ldapSizeLimit

Client side size limit.

0

Any valid integer

ldapTimeLimit

Client side time limit.

0

Any valid integer

workflowDefinitionBase

(only in workflowdb.xml)

The base dn where workflow definitions are stored.

None (obcontainer=workflowDefinitions

Any valid dn

workflowInstanceBase

(only in workflowdb.xml)

The base dn where workflow instances are stored.

None (obcontainer=workflowInstances under oblix tree)

Any valid dn

xmlns

Oblix xml name space.

http://www.oblix.com

http://www.oblix.com


Table B-25 adsi_params.xml (Active Directory Services Interface Parameters)

Parameter Name Description Default Value Possible Values

sizeLimit

Integer value that limits the number of query results returned for authentication.

0

Do not change this value.

timeLimit

Integer value that limits the number of seconds before a query times out.

0

Any positive integer

pageSize

Page size of results that ADSI requests from the server.

100

Any positive integer

useImplicitBind

Which credentials to use.

0

0: Implicit Credentials

1: Explicit Credentials

2: Use User Principal Name

adsiCredential

An LDAP specification of a user, such as "cn=Administrator,cn=users,dc=myhost,dc=mydomain,dc=com".

None

Valid credential

adsiPassword

An encoded text string representing the LDAP user's password.

None

Valid password

useGCForAuthn

Flag, asks the question: do you want to use the Global Catalog for authentication. If set to true, users may not be able to login until user accounts are replicated to the Global Catalog from the respective domain controllers.

false

true

false

useDNSPrefixedLDAPPaths

To prefix the domain name to LDAP strings, a new parameter has been added to the adsi_params.xml and adsi_params.lst files. By default this parameter is not in adsi_params.xml. Before running setup, this parameter has to be manually added and set to true for the Identity Server. You do not need to set service login credentials.

None

true

false

encryption

When set to true, this flag encrypts the traffic between the Identity and Access Servers and Directory Server. When set to true, the SSL port (636) on Active Directory should be enabled. The rootCA certificates must have been installed in the local store for Trusted Certificate Authorities.

This flag is applicable for authentications in all bind modes, and for all directory server traffic for explicit bind types (1 and 2). Note that password change on Active Directory always goes through the SSL port (636), irrespective of what the encryption flag is set to.

false

true

false

asynchronousSearch

Flag, asks the question: shall ADSI operate in its default mode, enabled to perform asynchronous searches? If set to false, it does synchronous searches.

true

true

false
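The following audit script is an added example, not part of Oracle's guide: it reads parameter files and reports the security-relevant settings from the tables above (security, debug, encryption, default_policy, default_subscription_policy), applying the documented default when a parameter is absent. The ParamsCtlg/ValNameList/NameValPair element layout and the sample file contents are assumptions constructed for illustration; compare them with the files in your own installation before relying on the results.

```python
import xml.etree.ElementTree as ET

# (file, parameter) -> (documented default, test for a risky value, finding text).
# Defaults and meanings are taken from Tables B-14, B-19, B-22 and B-25.
RULES = {
    ("appdbparams.xml", "security"): (
        "open", lambda v: v == "open",
        "WebPass to Identity Server transport has no authentication or encryption"),
    ("appdbparams.xml", "debug"): (
        "false", lambda v: v == "true",
        "WebPass client writes debug information to the debug file"),
    ("adsi_params.xml", "encryption"): (
        "false", lambda v: v != "true",
        "traffic to the directory server is not encrypted"),
    ("basedbparams.xml", "default_policy"): (
        "false", lambda v: v == "true",
        "access is allowed when no policy is found"),
    ("groupdbparams.xml", "default_policy"): (
        "false", lambda v: v == "true",
        "access is allowed when no policy is found"),
    ("groupdbparams.xml", "default_subscription_policy"): (
        "SubscriptionPolicyClosed", lambda v: v == "subscriptionpolicyopen",
        "groups without a stored policy accept subscriptions with no approval"),
}


def read_params(xml_text):
    """Return {ParamName: Value} for every NameValPair element (assumed layout)."""
    params = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the http://www.oblix.com namespace
        if tag == "NameValPair" and "ParamName" in el.attrib:
            params[el.attrib["ParamName"]] = el.attrib.get("Value", "")
    return params


def audit(files):
    """files maps a parameter file name to its XML text.

    Returns a list of (file, parameter, value, finding) tuples.
    """
    findings, parsed = [], {}
    for name, text in files.items():
        try:
            parsed[name] = read_params(text)
        except ET.ParseError as exc:
            findings.append((name, "-", "unparsed", f"not well-formed XML: {exc}"))
    for (fname, param), (default, risky, why) in RULES.items():
        if fname not in parsed:
            continue
        present = param in parsed[fname]
        value = parsed[fname][param] if present else default
        if risky(value.strip().lower()):
            source = "set" if present else "default"
            findings.append((fname, param, f"{value} ({source})", why))
    return findings


def _ctlg(name, pairs):
    """Build a constructed sample catalog file in the assumed layout."""
    body = "".join(f'<NameValPair ParamName="{k}" Value="{v}"/>' for k, v in pairs)
    return (f'<ParamsCtlg xmlns="http://www.oblix.com" CtlgName="{name}">'
            f'<ValNameList ListName="{name}">{body}</ValNameList></ParamsCtlg>')


# Constructed sample input, not taken from a real installation.
SAMPLE = {
    "appdbparams.xml": _ctlg("appdbparams", [("security", "open"), ("debug", "false")]),
    "adsi_params.xml": _ctlg("adsi_params", [("useImplicitBind", "1")]),
    "basedbparams.xml": _ctlg("basedbparams", [("default_policy", "true")]),
    "groupdbparams.xml": _ctlg("groupdbparams", [("default_policy", "false")]),
}

if __name__ == "__main__":
    for fname, param, value, why in audit(SAMPLE):
        print(f"{fname}: {param}={value}: {why}")
```

In the sample, adsi_params.xml omits encryption, so the documented default of false is reported as a finding marked (default).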