
Sun ONE Identity Server Customization and API Guide

Appendix B
serverconfig.xml File

serverconfig.xml provides configuration information for the Sun™ ONE Identity Server regarding the Sun ONE Directory Server that is used as its data store. This appendix explains the elements of the file and how to configure it for failover. It contains the following sections:

Proxy User
Admin User
server-config Document Type Definition
Failover Or Multimaster Configuration


serverconfig.xml is located in IdentityServer_base/SUNWam/config/ums. It contains the parameters the Identity Server SDK uses to establish its LDAP connection pool to Directory Server; no other part of the product reads this file. Two users are defined in it: User1 is the Directory Server proxy user and User2 is the Directory Server administrator (dsameuser).

Proxy User

The proxy user can take on any user’s privileges (for example, those of an organization administrator or an end user). The connection pool is created with connections bound as the proxy user. Identity Server creates this user with the DN cn=puser,ou=DSAME Users,dc=example,dc=com, and it is used for all queries Identity Server makes to Directory Server. A proxy-authorization ACI already configured in Directory Server lets it perform actions on behalf of another user when necessary. It holds an open connection through which all queries are passed (retrieval of service configurations, organization information, and so on). Because anyone who can bind as puser can act as any user, the proxy user password stored in this file is always encrypted, and serverconfig.xml itself should be readable only by the account Identity Server runs as. Code Example B-1 shows where the encrypted password is located in serverconfig.xml.

Code Example B-1  Proxy User In serverconfig.xml

<User name="User1" type="proxy">
    <DirDN>
        cn=puser,ou=DSAME Users,dc=example,dc=com
    </DirDN>
    <DirPassword>
        <!-- placeholder for the value produced by the ampassword encryption utility -->
        encrypted_password
    </DirPassword>
</User>

Admin User

dsameuser is the bind identity used when the Identity Server SDK performs operations on Directory Server that are not tied to a particular user (for example, retrieving service configuration information). The proxy user performs these operations on behalf of dsameuser, but a bind must first validate the dsameuser credentials. During installation, Identity Server creates cn=dsameuser,ou=DSAME Users,dc=example,dc=com. Code Example B-2 shows where the encrypted dsameuser password is found in serverconfig.xml.

Code Example B-2  Admin User In serverconfig.xml

<User name="User2" type="admin">
    <DirDN>
        cn=dsameuser,ou=DSAME Users,dc=example,dc=com
    </DirDN>
    <DirPassword>
        <!-- placeholder for the value produced by the ampassword encryption utility -->
        encrypted_password
    </DirPassword>
</User>

server-config Document Type Definition

server-config.dtd defines the structure of serverconfig.xml. It is located in IdentityServer_base/SUNWam/dtd. This section describes the main elements of the DTD; Code Example B-3 is a complete serverconfig.xml file.

iPlanetDataAccessLayer Element

iPlanetDataAccessLayer is the root element. The DTD allows it to hold more than one server group per XML file (but see the restriction under ServerGroup Element). Its immediate sub-element is the ServerGroup Element. It has no attributes.

ServerGroup Element

ServerGroup defines a pointer to one or more directory servers, which can be master servers or replicas. The sub-elements that qualify ServerGroup are the Server Element, User Element, BaseDN Element and MiscConfig Element. Its XML attributes are the name of the server group, and minConnPool and maxConnPool, which set the minimum and maximum number of connections that may be opened in the LDAP connection pool (1 and 10 in Code Example B-3). Although the DTD permits several, more than one ServerGroup element is not supported.


Identity Server uses a connection pool to access Directory Server. All connections are opened when Identity Server starts and are never closed; they are reused for the life of the process.

Server Element

Server defines a specific Directory Server instance. It contains no sub-elements. The required XML attributes of Server are a user-friendly name for the server, the host name, the port number on which Directory Server listens, and the type of LDAP connection to open: SIMPLE (plain LDAP) or SSL (LDAP over SSL). With SIMPLE, the proxy and admin bind credentials and all directory traffic cross the network unencrypted.


For an example of automatic failover using the Server element, see "Failover Or Multimaster Configuration".

User Element

User contains sub-elements that define a user configured for the Directory Server instance. The sub-elements that qualify User are DirDN and DirPassword. Its required XML attributes are the name of the user and the type of user. The type value identifies the user’s privileges and the kind of connection that is opened to the Directory Server instance. The types used in the installed file are:

proxy: the Directory Server proxy user described under "Proxy User" (User1, cn=puser).
admin: the Directory Server administrator described under "Admin User" (User2, cn=dsameuser).

DirDN Element

DirDN contains the LDAP Distinguished Name of the defined user.

DirPassword Element

DirPassword contains the defined user’s encrypted password.


It is important that passwords and encryption keys are kept consistent throughout the deployment. The passwords defined in this element are also stored in Directory Server: if a password is changed in one place, it must be updated in the other. This password is also encrypted with the key defined in the am.encryption.pwd property described in Appendix A; if that key is changed, every password in serverconfig.xml must be re-encrypted using ampassword --encrypt password. More information on this encryption utility can be found in the Sun ONE Identity Server Administration Guide.

BaseDN Element

BaseDN defines the base Distinguished Name for the server group. It contains no sub-elements and no XML attributes.

MiscConfig Element

MiscConfig is a placeholder for defining LDAP JDK features such as cache size. It contains no sub-elements. Its required XML attributes are the name of the feature and its value.

Code Example B-3  serverconfig.xml

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
    Copyright (c) 2002 Sun Microsystems, Inc. All rights reserved.
    Use is subject to license terms.
-->
<iPlanetDataAccessLayer>
    <ServerGroup name="default" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="identity_server_host.domain_name" port="389"
            type="SIMPLE" />
        <User name="User1" type="proxy">
            <DirDN>
                cn=puser,ou=DSAME Users,dc=example,dc=com
            </DirDN>
            <DirPassword>
                encrypted_password
            </DirPassword>
        </User>
        <User name="User2" type="admin">
            <DirDN>
                cn=dsameuser,ou=DSAME Users,dc=example,dc=com
            </DirDN>
            <DirPassword>
                encrypted_password
            </DirPassword>
        </User>
        <BaseDN>
            dc=example,dc=com
        </BaseDN>
    </ServerGroup>
</iPlanetDataAccessLayer>
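The constraints above (one ServerGroup, sane pool bounds, a SIMPLE or SSL Server type, proxy and admin Users each with a DirDN and DirPassword, a BaseDN) are easy to get wrong by hand, and the file is read only at start-up, so a mistake surfaces late. The following is an added example, not Sun code or part of this guide: a lint in Python that parses a serverconfig.xml and reports the structural errors, plus the two findings a security reviewer cares about most, a SIMPLE (cleartext) server and an empty DirPassword. SAMPLE_CONFIG and HARDENED_CONFIG are constructed files with placeholder hosts and placeholder ciphertext; the severity labels and message wording are this example's own.

```python
"""Lint a serverconfig.xml against the constraints this appendix states:
exactly one ServerGroup, 0 < minConnPool <= maxConnPool, Server type SIMPLE
or SSL, a proxy User and an admin User each with DirDN and DirPassword, and
a BaseDN.  Added example, not Sun code.  SAMPLE_CONFIG is constructed; its
DirPassword values are placeholders, not real ampassword output."""
import xml.etree.ElementTree as ET

# Constructed sample: one cleartext (SIMPLE) server and an admin User whose
# DirPassword was left empty, the two mistakes the lint should catch.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="ds1.example.com" port="389" type="SIMPLE" />
    <Server name="Server2" host="ds2.example.com" port="636" type="SSL" />
    <User name="User1" type="proxy">
      <DirDN>cn=puser,ou=DSAME Users,dc=example,dc=com</DirDN>
      <DirPassword>placeholder-ciphertext-1</DirPassword>
    </User>
    <User name="User2" type="admin">
      <DirDN>cn=dsameuser,ou=DSAME Users,dc=example,dc=com</DirDN>
      <DirPassword></DirPassword>
    </User>
    <BaseDN>dc=example,dc=com</BaseDN>
  </ServerGroup>
</iPlanetDataAccessLayer>
"""

# The corrected form of the same file: SSL to both servers and a
# (placeholder) ciphertext for the admin user.
HARDENED_CONFIG = SAMPLE_CONFIG.replace(
    'port="389" type="SIMPLE"', 'port="636" type="SSL"').replace(
    "<DirPassword></DirPassword>",
    "<DirPassword>placeholder-ciphertext-2</DirPassword>")


def lint_serverconfig(xml_text):
    """Return a list of (severity, message) findings; an empty list is clean."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "iPlanetDataAccessLayer":
        return [("ERROR", "root element must be iPlanetDataAccessLayer, found %s" % root.tag)]

    groups = root.findall("ServerGroup")
    if len(groups) != 1:
        findings.append(("ERROR", "exactly one ServerGroup is supported, found %d" % len(groups)))

    for group in groups:
        gname = group.get("name")
        try:
            lo, hi = int(group.get("minConnPool")), int(group.get("maxConnPool"))
        except (TypeError, ValueError):
            findings.append(("ERROR", "ServerGroup %s: minConnPool/maxConnPool must be integers" % gname))
        else:
            if not 0 < lo <= hi:
                findings.append(("ERROR", "ServerGroup %s: need 0 < minConnPool (%d) <= maxConnPool (%d)"
                                 % (gname, lo, hi)))

        servers = group.findall("Server")
        if not servers:
            findings.append(("ERROR", "ServerGroup %s: no Server element" % gname))
        for srv in servers:
            sname = srv.get("name")
            missing = [a for a in ("name", "host", "port", "type") if srv.get(a) is None]
            if missing:
                findings.append(("ERROR", "Server %s: missing attribute(s) %s" % (sname, ", ".join(missing))))
                continue
            if not srv.get("port").isdigit():
                findings.append(("ERROR", "Server %s: port %r is not a number" % (sname, srv.get("port"))))
            if srv.get("type") not in ("SIMPLE", "SSL"):
                findings.append(("ERROR", "Server %s: type must be SIMPLE or SSL, found %r" % (sname, srv.get("type"))))
            elif srv.get("type") == "SIMPLE":
                # Every bind (puser, dsameuser) and every query goes over this
                # connection; SIMPLE means plain LDAP with no transport protection.
                findings.append(("WARN", "Server %s: type SIMPLE sends the puser/dsameuser binds and all "
                                 "directory traffic in cleartext; use type SSL" % sname))

        users = {u.get("type"): u for u in group.findall("User")}
        for required in ("proxy", "admin"):
            if required not in users:
                findings.append(("ERROR", "ServerGroup %s: no User with type=%s" % (gname, required)))
        for utype, user in users.items():
            uname = user.get("name")
            if not (user.findtext("DirDN") or "").strip():
                findings.append(("ERROR", "User %s (%s): empty or missing DirDN" % (uname, utype)))
            if not (user.findtext("DirPassword") or "").strip():
                # A simple bind with a DN and a zero-length password is an
                # unauthenticated bind (RFC 4513 section 5.1.2), which servers
                # treat as anonymous: the admin bind would lose its privileges
                # silently rather than fail.
                findings.append(("ERROR", "User %s (%s): empty or missing DirPassword" % (uname, utype)))

        if not (group.findtext("BaseDN") or "").strip():
            findings.append(("ERROR", "ServerGroup %s: missing BaseDN" % gname))
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_serverconfig(cfg) or "clean")
```

Run it against the real file with lint_serverconfig(open(path).read()) after any edit to serverconfig.xml and before restarting Identity Server; the pool is built once at start-up, so a bad file is not noticed until the restart fails.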

Failover Or Multimaster Configuration

Identity Server fails over automatically to any Directory Server defined as a Server Element in serverconfig.xml. More than one server can be configured, for failover or as multimaster replicas. Servers are tried in the order in which they appear: if the first configured server goes down, the second takes over. Code Example B-4 shows serverconfig.xml with three servers configured for automatic failover.

Code Example B-4   Configured Failover in serverconfig.xml

<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
<!--
    PROPRIETARY/CONFIDENTIAL. Use of this product is subject to license terms.
    Copyright 2002 Sun Microsystems, Inc. All rights reserved.
-->
<iPlanetDataAccessLayer>
    <ServerGroup name="default" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="identity_server_host1.domain_name" port="389" type="SIMPLE" />
        <Server name="Server2" host="identity_server_host2.domain_name" port="389" type="SIMPLE" />
        <Server name="Server3" host="identity_server_host3.domain_name" port="390" type="SIMPLE" />
        <User name="User1" type="proxy">
            <DirDN>
                cn=puser,ou=DSAME Users,dc=example,dc=com
            </DirDN>
            <DirPassword>
                encrypted_password
            </DirPassword>
        </User>
        <User name="User2" type="admin">
            <DirDN>
                cn=dsameuser,ou=DSAME Users,dc=example,dc=com
            </DirDN>
            <DirPassword>
                encrypted_password
            </DirPassword>
        </User>
        <BaseDN>
            dc=example,dc=com
        </BaseDN>
    </ServerGroup>
</iPlanetDataAccessLayer>
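Failover only helps if the second and third servers are actually reachable, and the order in which they are tried is the order of the Server elements, so it is worth checking both before relying on the configuration. The following is an added example, not Sun code or part of this guide: it reads the Server elements in document order, probes each one, and selects the first that answers, raising when none does. The probe is injectable because a real deployment would test with an LDAP bind as the proxy user rather than a TCP connect; FAILOVER_CONFIG is constructed with placeholder hosts and placeholder ciphertext, and it uses SSL rather than the SIMPLE connections of Code Example B-4.

```python
"""Model of the automatic failover this appendix describes: the Server
elements of the ServerGroup are tried in document order and, when the first
is down, the next takes over.  Added example, not Sun code: the reachability
probe is injectable (a real deployment would bind as the proxy user), and
FAILOVER_CONFIG is constructed with placeholder hosts."""
import socket
import xml.etree.ElementTree as ET

# Constructed three-server group in the shape of Code Example B-4.
FAILOVER_CONFIG = """<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="ds1.example.com" port="636" type="SSL" />
    <Server name="Server2" host="ds2.example.com" port="636" type="SSL" />
    <Server name="Server3" host="ds3.example.com" port="637" type="SSL" />
    <User name="User1" type="proxy">
      <DirDN>cn=puser,ou=DSAME Users,dc=example,dc=com</DirDN>
      <DirPassword>placeholder-ciphertext</DirPassword>
    </User>
    <User name="User2" type="admin">
      <DirDN>cn=dsameuser,ou=DSAME Users,dc=example,dc=com</DirDN>
      <DirPassword>placeholder-ciphertext</DirPassword>
    </User>
    <BaseDN>dc=example,dc=com</BaseDN>
  </ServerGroup>
</iPlanetDataAccessLayer>
"""


class NoDirectoryAvailable(Exception):
    """Raised when every Server in the group failed the probe."""


def server_order(xml_text):
    """Servers as (name, host, port, type) tuples in document order, which is
    the order in which they are tried."""
    root = ET.fromstring(xml_text)
    return [(s.get("name"), s.get("host"), int(s.get("port")), s.get("type"))
            for s in root.iter("Server")]


def tcp_probe(host, port, timeout=2.0):
    """Reachability at the TCP level only; it does not prove an LDAP bind works."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def select_server(xml_text, probe=tcp_probe):
    """Return (server, skipped): the first server the probe accepts and the
    names of those skipped before it.  Raise if none answers."""
    skipped = []
    for server in server_order(xml_text):
        name, host, port, _ = server
        if probe(host, port):
            return server, skipped
        skipped.append(name)
    raise NoDirectoryAvailable("no reachable server in group; tried %s" % ", ".join(skipped))


def failover_report(xml_text, probe=tcp_probe):
    """Probe every server, not only the first: a failover target that is
    unreachable now will not help when Server1 goes down."""
    return [(name, probe(host, port)) for name, host, port, _ in server_order(xml_text)]


if __name__ == "__main__":
    # Constructed outage: Server1 is down, Server2 and Server3 answer.
    up = {("ds2.example.com", 636), ("ds3.example.com", 637)}
    outage_probe = lambda host, port: (host, port) in up
    print(failover_report(FAILOVER_CONFIG, outage_probe))
    print(select_server(FAILOVER_CONFIG, outage_probe))
```

With the default tcp_probe, failover_report run from the Identity Server host gives a quick pre-flight check of every failover target; it does not replace a test bind as puser, because a port that accepts connections can still refuse the proxy user's credentials or lack the proxy ACI.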


Copyright 2003 Sun Microsystems, Inc. All rights reserved.