
Sun ONE Identity Server Customization and API Guide

Appendix A

This file is the resource configuration file for the Sun™ ONE Identity Server. It provides instructions for the Identity Server deployment. This chapter explains its attributes and contains the following sections:


Identity Server is configured by placing application properties in plain text configuration files. These configuration files contain one property per line, and each property has a corresponding value. Properties and their values are case-sensitive. Indentation of the properties is consistent throughout the file. Lines that begin with the characters “/*” are comments and are ignored by the application. Comments are completed with a last line that contains the closing characters “*/”. The main configuration file for Identity Server is located in IdentityServer_base/SUNWam/lib. The following sections describe the properties and default values of


The Identity Server must be restarted for any modification in to take effect.

Deployment Properties

Following are the deployment-specific attributes configured in

Identity Server

This section describes the properties that define the Identity Server application.


These properties are defined during installation.


These properties are specific to the Identity Server console.

The following directives can be added to the file to enable their respective functionality in the Identity Server console.


These properties are specific to Identity Server cookies.


This section is a catch-all for some miscellaneous and self-explanatory values.

Directory Server

This section describes the properties for the Directory Server data store.


These properties define the Directory Server to which the Identity Server points.

Directory Server Tree

The values of these properties are the top-level organization of the Directory Server tree defined during the installation process.

Configuration Properties

There are a number of services configured in that cannot be configured using the Identity Server console. These back-end services, and several attributes for other services, are defined in this section.

Debug Service

The Debug Service logs developer information in the case of application errors. (The Logging Service writes logs to be monitored by the application administrator.) More information on the Debug Service can be found in "Debug Files" of Chapter 10, "Auditing Features."

Stats Service

The following properties are used to configure the Stats Service for recording service statistics. This service is used by the Identity Server SDK and the Session Service. Code Example A-1 shows a portion of the stats file to illustrate the information that is recorded. The file is named amSDKStats by default.

Code Example A-1  Portion of amSDKStats File

11/26/2002 01:46:18:592 PM PST: Thread[Thread-10,5,main]

SDK Cache Statistics


Interval: 214

Hits during interval: 38

Hit ratio for this interval: 0.17757009345794392

Total number of requests: 214

Total number of Hits: 38

Overall Hit ratio: 0.17757009345794392

Total Cache Size: 72

Notification Service

The Notification Service allows Identity Server to send notifications to registered applications when an event has occurred (session destroyed, session timeout, etc.). This service also allows the single sign-on cache to stay up to date. The notification is basically an HTTP POST message containing the component notification in its body.

When a notification task comes in, it is placed in the task queue for processing. If the queue reaches its maximum length, further incoming requests are rejected with a ThreadPoolException until the queue has room again.

SDK Caching

The caching function in Identity Server is memory-based; therefore, when an identity-related object is created, deleted or modified, the cache is cleaned up. Each SDK cache entry stores a set of attributes and values of AMObject for a user. Because the size of each object depends on the number of attributes it has, modifying these properties will affect the performance of Identity Server.

Online Certificate Status Protocol (OCSP)

OCSP is a protocol that specifies the syntax for communication between a server which holds certificate status and a client which is informed of that status. When a user attempts to access a server, OCSP sends a request for certificate status information and receives back a response of current, expired or unknown. If these properties are set, the certificate in question must be in the deployment container’s certificate database. If the OCSP URL is set, the OCSP responder nickname must also be set or both will be ignored. If neither is set, the OCSP responder URL presented in the user’s certificate will be used. If there is none in the user’s certificate, no OCSP validation will be performed.

Identity Object Processing

This property has a value equal to the implementation class of the module used for processing user creates, deletes, and modifies.


This property is used to enable Java security permissions. This permission is used to protect the Identity Server resources which should only be accessed by trusted resources. This permission is used to protect the admin DN and password as well as access to the encryption and decryption methods used to encrypt passwords. The default value is false. If enabled, modifications must be made to the deployed web container’s Java policy file. This should be done as detailed in Code Example A-2.

Code Example A-2  Changes To Java Policy File

grant codeBase "file:{directory where jars are located}/-" { "access",




This property is used to enable Secure Sockets Layer (SSL). The default is false.

Certificate Database

These properties are used by the command line utilities and SDK, as well as by the LDAP and Certificate-based authentication modules, when initiating SSL connections to the Directory Server. They are also used when opening HTTP(S) connections from within the servlet container in the deployment container.


These two properties are not required to support replication but they may be helpful in limiting errors due to latency. Enabling them may have a negative impact on performance but, if replication has significant latency, the retries may be enough to prevent Entry Not Found errors. For example, assume an Identity Server console is pointing to a read-only consumer configured to refer writes to a master. If a new organization is created, all write requests are referred to the master and then replicated back to the consumer. If Identity Server reads the organization back before it has been replicated to the consumer, it will get an Entry Not Found error.


It is not recommended to run the Identity Server console against a read-only consumer. The exception to this rule is when operating against user entries, whose creations and modifications do not have the same latency problems because the SDK has special behavior to prevent such problems for these entries.

Event And LDAP Connection

These sets of properties are used when load balancers are placed between the Identity SDK and the Directory Server. When the SDK performs an operation that fails, it will retry the operation as long as the exception is one defined in the property. These properties are necessary for failover configuration when it is accomplished via a load balancer, as not all load balancers return the same error codes.

Event Connection

LDAP Connection

The following keys are used to configure an LDAP connection for the add, delete, modify, read, and search methods.


These properties identify SAML-related configurations including properties relating to the Identity Server keystore file.

Keystore Properties

Each Identity Server has a keystore file used to store the certificates used for XML signing and verification. A stored certificate might include a partner site’s certificate and the public key used by Identity Server to verify SAML responses and assertions from the partner. The keystore also holds the Identity Server certificate and the private key it uses to sign assertions. For more information on generating the keystore, certificate aliases and other functions, read about the keytool, a key and certificate management utility, in the Readme.html and keystore.html files located in the IdentityServer_base/SUNWam/samples/saml/xmlsig directory.

Miscellaneous Services

The following directives define the URIs for miscellaneous services.

Read-Only Properties

The following properties are read-only and should not be modified. Any changes to these directives may render the Identity Server unusable.


These properties identify values defined during the installation process.


These properties are used to identify the URIs for specific services and agents.

Shared Secret

This property is the shared secret for the Authentication Service.

Session Properties

These properties are configurations for the Session Service.

Simple Mail Transfer Protocol (SMTP)

The following directives can be set to any valid SMTP server and port.


The following sections define properties used by the Authentication Service.





Following are properties that define parameters for security purposes.


This property specifies the factory class name for SecureRandomFactory.


This property specifies the factory class name for LDAPSocketFactory.


These properties specify encryption information.

IP Address Checking

This property specifies whether the IP address of the client will be checked in SSOToken creations and validations.

Remote Policy API

These properties are defined for the Remote Policy API to use with policy agents.


This property defines weights for policy subjects, rules and conditions. These weights influence the order in which these components are evaluated. The value is three integers delimited by ":". These integers indicate the proportional CPU cost for evaluating the three components, respectively.
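The following is an added example (not Identity Server code) of how such a "subjects:rules:conditions" weight string can drive evaluation order: the cheapest component is checked first so that an early negative result avoids the expensive checks. The component names and the 10:5:1 sample value are constructed for illustration.

```python
COMPONENTS = ("subjects", "rules", "conditions")

def parse_weights(value):
    """Parse 'subjects:rules:conditions' into a dict of proportional CPU costs."""
    parts = value.split(":")
    if len(parts) != 3:
        raise ValueError("expected three ':'-delimited integers, got " + repr(value))
    weights = [int(p) for p in parts]
    if any(w < 0 for w in weights):
        raise ValueError("weights must be non-negative")
    return dict(zip(COMPONENTS, weights))

def evaluation_order(weights):
    """Cheapest component first; ties keep the subjects, rules, conditions order."""
    return sorted(COMPONENTS, key=weights.__getitem__)

def evaluate_policy(weights, checks):
    """checks maps each component to a zero-argument callable that returns True
    when that part of the policy matches. Evaluation stops at the first
    non-matching component, so an early negative skips the costly checks.
    Returns (allowed, components_evaluated, cost_spent)."""
    evaluated, spent = [], 0
    for name in evaluation_order(weights):
        evaluated.append(name)
        spent += weights[name]
        if not checks[name]():
            return False, evaluated, spent
    return True, evaluated, spent

# Constructed sample: subjects are expensive (directory lookups), conditions cheap.
WEIGHTS = parse_weights("10:5:1")
```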


These properties configure information for the Federation Management module.


The Fully Qualified Domain Name (FQDN) Map is a simple map that enables the Authentication Service to take corrective action in the case where a user may have typed in an incorrect URL, either by specifying a partial hostname or an IP address, to access a protected resource.

Valid values must comply with the syntax of this property, which represents invalid FQDN values mapped to their correct counterparts. The valid format for specifying these maps is:


where invalid_name is a possible invalid FQDN host name that may be used by the user, and valid_name is the FQDN host name to which the filter will redirect the user.


Ensure that there are no invalid or overlapping values for the same invalid FQDN name.

This property can also be used for creating a mapping for more than one host name. This may be the case when applications hosted on a server are accessible by more than one host name. It may also be used to configure Identity Server to NOT take corrective action for certain hostname URLs. For example, if no corrective action (such as a redirect) is desired for users who access application resources using a raw IP address, the map entry would look like:


Any number of values may be specified as long as they are valid and conform to the above stated requirements.

Examples of FQDN mapping might be:
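As an added example (not the page's own examples or Identity Server code), the following Python reads a configuration in the plain-text format described at the start of this appendix (one property per line, case-sensitive keys, "/*" ... "*/" comment blocks), extracts the FQDN map, and decides whether a requested host name needs a redirect. The key syntax com.sun.identity.server.fqdnMap[invalid_name]=valid_name and the sample entries are assumptions for this example; a name mapped to itself (such as a raw IP address) and a name absent from the map both result in no corrective action.

```python
FQDN_PREFIX = "com.sun.identity.server.fqdnMap["   # assumed key syntax, not shown on this page

def parse_config(text):
    """One property per line, case-sensitive keys, comment blocks that open on a
    line starting with '/*' and close on the line containing '*/' (the format
    described in this appendix); a key repeated with a different value is rejected,
    which catches overlapping FQDN map entries for the same invalid name."""
    props, in_comment = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_comment:
            in_comment = "*/" not in line
            continue
        if line.startswith("/*"):
            in_comment = "*/" not in line
            continue
        if not line or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if props.get(key, value) != value:
            raise ValueError("conflicting values for property " + key)
        props[key] = value
    return props

def load_fqdn_map(props):
    """Collect invalid_name -> valid_name pairs from the parsed properties."""
    fqdn_map = {}
    for key, value in props.items():
        if key.startswith(FQDN_PREFIX) and key.endswith("]"):
            fqdn_map[key[len(FQDN_PREFIX):-1]] = value
    return fqdn_map

def correct_host(fqdn_map, requested_host):
    """Host to redirect to, or None when no corrective action is taken: the
    name is mapped to itself (e.g. a raw IP address) or is not in the map."""
    valid_name = fqdn_map.get(requested_host)
    return None if valid_name in (None, requested_host) else valid_name

# Constructed sample configuration for this example.
SAMPLE = """\
/* constructed sample; the next entry is commented out
com.sun.identity.server.fqdnMap[old]=www.example.com
*/
com.sun.identity.server.fqdnMap[www]=www.example.com
com.sun.identity.server.fqdnMap[example.com]=www.example.com
/* mapping an IP address to itself suppresses the redirect */
com.sun.identity.server.fqdnMap[192.0.2.10]=192.0.2.10
"""
```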

Encryption Key

The value of this property is the password used to generate a symmetric key to encrypt and decrypt other sensitive data including the shared secret.



Copyright 2003 Sun Microsystems, Inc. All rights reserved.