Part III File Reference
Chapter 6 amConfig.properties Reference
AMConfig.properties is the main configuration
file for Access Manager. You can configure some, but not all, of the
properties in this file. This chapter provides descriptions of properties
contained in AMConfig.properties, default property
values, and instructions for modifying values that can be changed
without rendering Access Manager unusable.
This chapter contains the following sections:
About the AMConfig.properties File
At installation, AMConfig.properties is
located in the following directory: /etc/opt/SUNWam/config.
AMConfig.properties contains one property
per line, and each property has a corresponding value. Properties
and values are case-sensitive. Lines that begin with the characters
slash and asterisk (/*) are comments, and comments
are ignored by the application. Comments end with a last line that
contains the closing characters asterisk and slash (*/).
After you modify properties in AMConfig.properties,
you must restart Access Manager to activate the changes.
Access Manager Console
-
com.iplanet.am.console.deploymentDescriptor
Value is set during installation. Example: /amconsole
-
com.iplanet.am.console.host
Value is set during installation. Example: hostName.domain.Name.com
-
com.iplanet.am.console.port
Value is set during installation. Example: 80
-
com.iplanet.am.console.protocol
Value is set during installation. Example: http
Access Manager Server Installation
-
com.iplanet.am.install.basedir
This is a READ-ONLY property. Do not change the property value.
Value is set during installation. Example: /opt/SUNWam/web-src/services/WEB-INF
-
com.iplanet.am.install.vardir
This is a READ-ONLY property. Do not change the property value.
Value is set during installation. Example: /var/opt/SUNWam
-
com.iplanet.am.installdir
This is a READ-ONLY property. Do not change the property value.
Value is set during installation. Example: /opt/SUNWam
-
com.iplanet.am.jdk.path
Value is set during installation. Example: /usr/jdk/entsys-j2se
-
com.iplanet.am.locale
Value is set during installation. Example: en_US
-
com.iplanet.am.server.host
Value is set during installation. Example: hostName.domainName.com
-
com.iplanet.am.server.port
Value is set during installation. Example: 80
-
com.iplanet.am.server.protocol
Value is set during installation. Example: http
-
com.iplanet.am.version
Value is set during installation. Example: 7 2005Q4
-
com.sun.identity.server.fqdnMap[ ]
Enables the Access Manager Authentication service to take corrective
action when a user types an incorrect URL. This is useful, for example,
when a user specifies a partial hostname or uses an IP address to
access protected resources.
This property maps invalid FQDN values to their corresponding valid
counterparts. The property uses the following form: com.sun.identity.server.fqdnMap[invalid-name]=valid-name. In this form, invalid-name is a possible invalid FQDN host name that a user might type,
and valid-name is the FQDN host name the filter redirects the user to. If overlapping
values for the same invalid FQDN exist, the application may become
inaccessible. Using an invalid value for this property can also result
in the application becoming inaccessible. You can use this property
to map multiple host names. This is useful when the applications hosted
on a server are accessible by multiple host names.
You can also use this property to configure Access Manager so that no corrective
action is taken for certain hostname URLs. This is useful, for example,
when no corrective action such as a redirect should be applied to users
who access the application resources by using the raw IP address.
To do so, specify a map entry such as: com.sun.identity.server.fqdnMap[IP]=IP.
You can specify any number of such properties as long as they are valid
properties and conform to the requirements described above. Examples:
com.sun.identity.server.fqdnMap[isserver]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[isserver.mydomain]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[IP address]=isserver.mydomain.com
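The following added helper (not Access Manager code) parses the fqdnMap entries out of an AMConfig.properties file using the one-property-per-line and /* ... */ comment rules described above, flags the overlapping entries the reference warns make the application inaccessible, and resolves the corrective host for a requested name. The sample file and the behaviour for unmapped names are constructed assumptions.

```python
"""Parse com.sun.identity.server.fqdnMap[...] entries and check them for conflicts.
Added illustration for this reference, not Access Manager's own implementation."""
import re
from typing import Dict, List, Optional, Tuple

FQDN_MAP_RE = re.compile(
    r"^com\.sun\.identity\.server\.fqdnMap\[(?P<invalid>[^\]]*)\]=(?P<valid>.*)$")

# Constructed sample (not from a real deployment): one property per line,
# a comment block opened by /* and closed by a line containing */.
SAMPLE_CONFIG = """\
/* FQDN map for the console host
   (constructed sample) */
com.iplanet.am.server.host=isserver.mydomain.com
com.sun.identity.server.fqdnMap[isserver]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[isserver.mydomain]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[192.0.2.10]=192.0.2.10
"""


def property_lines(text: str) -> List[str]:
    """Return non-blank, non-comment lines; /* ... */ blocks are skipped."""
    lines, in_comment = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if in_comment:
            in_comment = not line.endswith("*/")
            continue
        if line.startswith("/*"):
            in_comment = not line.endswith("*/")
            continue
        if line:
            lines.append(line)
    return lines


def fqdn_entries(text: str) -> List[Tuple[str, str]]:
    """All (invalid-name, valid-name) pairs in file order; names stay case-sensitive."""
    entries = []
    for line in property_lines(text):
        m = FQDN_MAP_RE.match(line)
        if m:
            entries.append((m.group("invalid").strip(), m.group("valid").strip()))
    return entries


def fqdn_map_problems(text: str) -> List[str]:
    """Conditions the reference says can make the application inaccessible:
    the same invalid name mapped to different targets, or an empty name/value."""
    seen: Dict[str, str] = {}
    problems = []
    for invalid, valid in fqdn_entries(text):
        if not invalid or not valid:
            problems.append(f"empty name in fqdnMap[{invalid}]={valid}")
        elif invalid in seen and seen[invalid] != valid:
            problems.append(f"overlapping fqdnMap[{invalid}]: {seen[invalid]} vs {valid}")
        seen.setdefault(invalid, valid)
    return problems


def load_fqdn_map(text: str) -> Dict[str, str]:
    """Build the invalid->valid map, refusing a file with conflicting entries."""
    problems = fqdn_map_problems(text)
    if problems:
        raise ValueError("; ".join(problems))
    return dict(fqdn_entries(text))


def corrective_host(mapping: Dict[str, str], requested_host: str) -> Optional[str]:
    """Host the filter would redirect to, or None when no corrective action applies.
    A self-mapping (e.g. fqdnMap[IP]=IP) means 'leave the request alone'.
    Assumption: unmapped names are returned as None here because the reference
    does not spell out the default handling for them."""
    target = mapping.get(requested_host)
    if target is None or target == requested_host:
        return None
    return target
```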
am.util
-
com.iplanet.am.util.xml.validating
Default value is no. Determines whether validation
is performed when parsing XML documents using the Access Manager XMLUtils class.
Allowable values are yes and no.
XML document validation is turned on only if the value of this
property is yes and the com.iplanet.services.debug.level
property is set to warning or message.
amSDK
Each SDK cache entry stores a set of AMObject attributes
values for a user.
-
com.iplanet.am.sdk.cache.maxSize
Default value is 10000. Specifies the size
of the SDK cache when caching is enabled. Use an integer greater than
0, or the default size (10000 users) will be used.
-
com.iplanet.am.sdk.userEntryProcessingImpl
This property specifies a plug-in which implements the com.iplanet.am.sdk.AMUserEntryProcessed interface to perform some post-processing for user create,
delete and modify operations. The property if used should specify
the fully qualified class name which implements the above interface.
-
com.iplanet.am.sdk.caching.enabled
Setting this to true enables caching, and setting this to false
disables caching. The default is true.
Note –
Do not set this option to false unless you are running
Access manager in a pure debugging mode. It should never be set to
false in production.
Application Server Installation
Authentication
-
com.sun.identity.auth.cookieName
Default value is AMAuthCookie. Specifies
the cookie name used by Authentication Service to set the session
handler ID during the authentication process. Once this process is
completed (success or failure), this cookie is cleared or removed.
-
com.sun.identity.authentication.ocsp.responder.nickname
Value is set during installation. The Certificate
Authority (CA) certificate nickname for that responder. Example: Certificate Manager - sun. If set, the CA certificate must
be present in the Web Server's certificate database.
-
com.sun.identity.authentication.ocsp.responder.url
Value is set during installation. Example: http://ocsp.sun.com/ocsp
Specifies the global
OCSP responder URL for this instance. If the OCSP responder URL is
set, the OCSP responder nickname must also be set; otherwise both
are ignored. If neither is set, the OCSP responder URL present
in the user's certificate is used for OCSP validation. If no OCSP
responder URL is present in the user's certificate, no OCSP
validation is performed.
-
com.sun.identity.authentication.ocspCheck
Default value is true. The global
parameter to enable or disable OCSP checking. If this value is false, the OCSP feature in the Certificate Authentication
module type cannot be used.
-
com.sun.identity.authentication.special.users
Value is set during installation. Example: cn=dsameuser,ou=DSAME
Users,o=AMRoot|cn=amService-UrlAccessAgent,ou=DSAME Users,o=AMRoot
Identifies the special user or users for this Access Manager
authentication component. This user is used by the Client APIs to
authenticate remote applications to the Access Manager server using
the full user DN. The user will always be authenticated against the
local directory server. Multiple values of this special user DN are
separated by the pipe character (|). Use of this property is restricted
to Authentication component only.
-
com.sun.identity.authentication.super.user
Value is set during installation. Example: uid=amAdmin,ou=People,o=AMRoot
Identifies the super user for this Access Manager
instance. This user must use Data Store to log in, and must use the
full DN. The user is always authenticated against the local Directory
Server.
-
com.sun.identity.authentication.uniqueCookieDomain
Used to set the cookie domain for the above
cookie name. This Cookie domain should be set such that it covers
all the instances of the CDC (Cross Domain Controller) services installed
in the network. For example,.example.com if all
instances of Access Manager are within the domain example.com.
-
com.sun.identity.authentication.uniqueCookieName
Default value is sunIdentityServerAuthNServer. Specifies the cookie name set to the Access Manager server
host URL when Access Manager is running against Session Cookie hijacking.
-
com.iplanet.am.auth.ldap.createUserAttrList
Specifies a list of user attributes that contain values that
will be retrieved from an external Directory Server during LDAP Authentication
when the Authentication Service is configured to dynamically create
users. The new user created in the local Directory Server will have
the values for attributes which have been retrieved from external
Directory Server.
Example: attribute1, attribute2, attribute3
Certificate Database
Set these properties to initialize the JSS Socket Factory when
iPlanet Web Server is configured for SSL.
-
com.iplanet.am.admin.cli.certdb.dir
Value is set during installation. Example: /opt/SUNWwbsvr/alias
Specifies certificate database path.
-
com.iplanet.am.admin.cli.certdb.passfile
Value is set during installation. Example: /etc/opt/SUNWam/config/.wtpass
Specifies certificate database password file.
-
com.iplanet.am.admin.cli.certdb.prefix
Value is set during installation. Example: https-hostName.domainName.com-hostName-
Specifies certificate database prefix.
Cookies
-
com.iplanet.am.cookie.encode
This property allows Access Manager to URL-encode the
cookie value, which converts characters to ones that can be carried
safely in HTTP.
Value is set during installation. Example: false
-
com.iplanet.am.cookie.name
Default value is iPlanetDirectoryPro. Cookie
name used by Authentication Service to set the valid session handler
ID. The value of this cookie name is used to retrieve the valid session
information.
-
com.iplanet.am.cookie.secure
Allows the Access Manager cookie to be set in secure mode,
in which the browser returns the cookie only when a secure protocol
such as HTTPS is used.
Default value is false.
-
com.iplanet.am.console.remote
Value is set during installation. Example: false
Determines whether the console is installed on a remote machine,
or is installed on a local machine and will be used by authentication
console.
-
com.iplanet.am.pcookie.name
Specifies the cookie name for a persistent cookie. A persistent
cookie continues to exist after the browser window is closed. This
enables a user to log in with a new browser session without having
to reauthenticate. Default value is DProPCookie.
-
com.sun.identity.cookieRewritingInPath
Default value is true. This property
is read by the Authentication Service when Access Manager is configured
to run in cookieless mode. The property specifies that the cookie
needs to be rewritten as extra path information in the URL using this
form: protocol://server:port/uri;cookiename=cookieValue?queryString.
If this property is not specified, then the cookie will be written
as part of the query string.
-
com.sun.identity.enableUniqueSSOTokenCookie
Default value is false. Indicates that Access
Manager is running against Session Cookie hijacking when the value
is set to true.
Debugging
-
com.iplanet.services.debug.directory
Specifies the output directory where debug files will
be created. Value is set during installation. Example: /var/opt/SUNWam/debug
-
com.iplanet.services.debug.level
Specifies debug level. Default value is error.
Possible values are:
-
off
-
No debug file is created.
-
error
-
Only error messages are logged.
-
warning
-
Only warning messages are logged.
-
message
-
Error, warning, and informational messages are logged.
Directory Server Installation
-
com.iplanet.am.defaultOrg
Value is set at installation. Example: o=AMRoot
Specifies the top-level realm or organization in the Access
Manager information tree.
-
com.iplanet.am.directory.host
Value is set during installation. Example: DirectoryServerHost.domainName.com
Specifies fully-qualified
host name of the Directory Server.
-
com.iplanet.am.directory.port
Value is set during installation. Example: 389
Specifies the Directory Server port number.
-
com.iplanet.am.directory.ssl.enabled
Default value is false. Indicates whether Secure
Sockets Layer (SSL) is enabled.
-
com.iplanet.am.domaincomponent
Value is set during installation. Example: o=AMRoot
Specifies the domain component (dc) attribute for the Access
Manager information tree.
-
com.iplanet.am.rootsuffix
Value is set during installation. Example: o=AMRoot
Event Connection
-
com.sun.am.event.connection.disable.list
Specifies which event connection can be disabled. Values (case
insensitive) can be:
-
aci
-
Changes to the aci attribute,
with the search using the LDAP filter (aci=*)
-
sm
-
Changes in the Access Manager information tree (or
service management node), which includes objects with the sunService or sunServiceComponent marker object
class. For example, you might create a policy to define access privileges
for a protected resource, or you might modify the rules, subjects,
conditions, or response providers for an existing policy.
-
um
-
Changes in the user directory (or user management
node). For example, you might change a user's name or address.
For example, to disable persistent searches for changes to the
Access Manager information tree (or service management node):
com.sun.am.event.connection.disable.list=sm
To specify multiple values, separate each value with a comma.
Caution – Persistent searches cause some performance overhead
on Directory Server. If you determine that removing some of this performance
overhead is absolutely critical in a production environment, you can
disable one or more persistent searches using the com.sun.am.event.connection.disable.list property.
However, before disabling a persistent
search, you should understand the limitations described above. It
is strongly recommended that this property not be changed unless absolutely
required. This property was introduced primarily to avoid overhead
on Directory Server when multiple 2.1 J2EE agents are used, because
each of these agents establishes these persistent searches. The 2.2
J2EE agents no longer establish these persistent searches, so you
might not need to use this property.
Disabling persistent
searches for any of these components is not recommended, because a
component with a disabled persistent search does not receive notifications
from Directory Server. Consequently, changes made in Directory Server
for that particular component will not be notified to the component
cache. For example, if you disable persistent searches for changes
in the user directory (um), Access Manager will not receive notifications
from Directory Server. Therefore, an agent would not get notifications
from Access Manager to update its local user cache with the new values
for the user attribute. Then, if an application queries the agent
for the user attributes, it might receive the old value for that attribute.
Use this property only in special circumstances when
absolutely required. For example, if you know that Service Configuration
changes (related to changing values to any of services such as Session
Service and Authentication Services) will not happen in production
environment, the persistent search to the Service Management (sm)
component can be disabled. However, if any changes occur for any of
the services, a server restart would be required. The same condition
also applies to other persistent searches, specified by the aci and
um values.
-
com.iplanet.am.event.connection.delay.between.retries
Default value is 3000. Specifies the delay
in milliseconds between retries to re-establish the Event Service
connections.
-
com.iplanet.am.event.connection.ldap.error.codes.retries
Default values are 80,81,91.
Specifies the LDAP exception error codes for which retries to re-establish
Event Service connections will trigger.
-
com.iplanet.am.event.connection.num.retries
Default value is 3. Specifies the number
of attempts made to successfully re-establish the Event Service connections.
-
com.sun.am.event.connection.idle.timeout
Default value is 0. Specifies the number
of minutes after which the persistent searches will be restarted.
This property is used when a load balancer or firewall is between
the policy agents and the Directory Server, and the persistent search
connections are dropped when a TCP idle timeout occurs.
The property value should be lower than the load balancer or firewall
TCP timeout. This ensures that the persistent searches are restarted
before the connections are dropped. A value of 0 indicates
that searches will not be restarted; only the connections that have
timed out will be reset.
Global Services Management
-
com.iplanet.am.service.secret
Value is set during installation. Example: AQICPX9e1cxSxB2RSy1WG1+O4msWpt/6djZl
-
com.iplanet.am.services.deploymentDescriptor
Value is set during installation. Example: /amserver
-
com.iplanet.services.comm.server.pllrequest.maxContentLength
Default value is 16384 or
16k. Specifies the maximum content-length for an HttpRequest that
Access Manager will accept.
-
com.iplanet.services.configpath
Value is set during installation. Example: /etc/opt/SUNWam/config
Helper Daemons
-
com.iplanet.am.daemons
Default value is unix securid.
-
securidHelper.ports
Default
value is 58943. This property takes a space-separated
list and is used for the SecurID authentication module and helpers.
-
unixHelper.ipaddrs
Value is set during installation. Specifies a list of IP addresses to be
read by the amserver script and passed to the
UNIX helper when starting the helper. This property can contain a
list of space-separated trusted IP addresses in IPv4 format.
-
unixHelper.port
Default
value is 58946. Used in the UNIX Authentication
module type.
Identity Federation
-
com.sun.identity.federation.alliance.cache.enabled
Default value is true.
If true, federation metadata will be cached internally.
-
com.sun.identity.federation.fedCookieName
Default value is fedCookie. Specifies
the name of the Federation Services cookie.
-
com.sun.identity.federation.proxyfinder
Default value is com.sun.identity.federation.services.FSIDPProxyImpl. Defines the implementation for finding a preferred identity
provider to be proxied.
-
com.sun.identity.federation.services.signingOn
Default value is false. Specifies the level
of signature verification for Liberty requests and responses.
-
true
-
Liberty requests and responses will be signed when
sent, and Liberty requests and responses that are received will be
verified for signature validity.
-
false
-
Liberty requests and responses that are sent and received
will not be verified for signature.
-
optional
-
Liberty requests and responses will be signed or verified
only if required by the Federation profiles.
-
com.sun.identity.password.deploymentDescriptor
Value is set during installation. Example: /ampassword
-
com.sun.identity.policy.Policy.policy_evaluation_weights
Default value is 10:10:10.
Indicates the proportional processing cost to evaluate a policy subject,
rule, and condition. The values specified influence the order in which
the subject, rule, and condition of a policy are evaluated. The value
is expressed using three integers which represent a subject, a rule,
and a condition. The values are delimited by a colon (:) to indicate
the proportional processing cost to evaluate a policy subject, rule,
and condition.
-
com.sun.identity.session.application.maxCacheTime
Default value is 3. Specifies
the maximum number of minutes for caching time for Application Sessions.
By default, the cache does not expire unless this property is enabled.
-
com.sun.identity.sm.ldap.enableProxy
The default is false. The purpose of this flag is to report
to Service Management that the Directory Proxy must be used for read,
write, and/or modify operations to the Directory Server. This flag
also determines whether ACIs or delegation privileges are used.
This flag must be set to "true" when the Access Manager SDK
(from version 7 or 7.1) is communicating with Access Manager version
6.3. For example, in the co-existence/legacy mode this value should
be "true". In the legacy DIT, delegation policies were not supported;
only ACIs were supported. So, to ensure a proper delegation check,
this flag must be set to 'true' in a legacy mode installation to make
use of the ACIs for access control. Otherwise the delegation check
will fail.
In realm mode, this value should be set to
false so that only the delegation policies are used for access control.
In version 7.0 and later, Access Manager supports a data-agnostic feature
in realm mode installation, so in addition to Directory Server, other
servers may be used to store service configuration data.
Additionally,
this flag reports to the Service Management feature that the Directory
Proxy does not need to be used for the read, write, and/or modify
operations to the backend storage, because some data stores,
like Active Directory, may not support proxy.
-
com.sun.identity.webcontainer
Value is set during installation. Example: WEB_CONTAINER
Specifies the name of the web container. Although the
servlets or JSPs are not web container dependent, Access Manager uses
the servlet 2.3 API request.setCharacterEncoding() to
correctly decode incoming non-English characters. These APIs do
not work if Access Manager is deployed on Sun Java System Web Server
6.1. Access Manager uses the gx_charset mechanism
to correctly decode incoming data in Sun Java System Web Server version
6.1 and S1AS7.0. Possible values are BEA6.1, BEA
8.1, IBM5.1 or IAS7.0.
If the web container is Sun Java System Web Server, the tag is not
replaced.
JSS Proxy
These properties identify the value for SSL ApprovalCallback. If the checkSubjectAltName or resolveIPAddress feature is enabled, you must create cert7.db and key3.db with the prefix value of com.iplanet.am.admin.cli.certdb.prefix in the com.iplanet.am.admin.cli.certdb.dir directory.
Then restart Access Manager.
-
com.iplanet.am.jssproxy.checkSubjectAltName
Default value is false. When enabled,
a server certificate includes the Subject Alternative Name (SubjectAltName) extension, and Access Manager checks all name entries
in the extension. If one of the names in the SubjectAltName extension
is the same as the server FQDN, Access Manager continues the SSL
handshaking. To enable this property, set it to a comma separated
list of trusted FQDNs. For example: com.iplanet.am.jssproxy.checkSubjectAltName=
amserv1.example.com,amserv2.example.com
-
com.iplanet.am.jssproxy.resolveIPAddress
Default value is false.
-
com.iplanet.am.jssproxy.trustAllServerCerts
Default value is false. If enabled (true), Access Manager ignores all certificate-related issues
such as a name conflict and continues the SSL handshaking. To prevent
a possible security risk, enable this property only for testing purposes,
or when the enterprise network is tightly controlled. Avoid enabling
this property if a security risk might occur (for example, if a server
connects to a server in a different network).
-
com.iplanet.am.jssproxy.SSLTrustHostList
If set, Access Manager checks each server FQDN in the list against the
server host in the certificate CN. If an FQDN in the list
matches the server certificate CN, Access Manager continues
the SSL handshaking even if there is an "Incorrect Domain name" error.
Use the following syntax to set the property:
com.iplanet.am.jssproxy.SSLTrustHostList=fqdn_am_server1,fqdn_am_server2,fqdn_am_server3
-
com.sun.identity.jss.donotInstallAtHighestPriority
Default value is false.
Determines if JSS will be added with highest priority to JCE. Set
to true if other JCE providers should be used for
digital signatures and encryptions.
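An added configuration audit for the JSS Proxy properties above (not Access Manager code): it reports the settings a reviewer would question, such as trustAllServerCerts=true or a SubjectAltName/IP check enabled without the certificate database prefix and directory the section says are required, and it reproduces the accept/reject decision the properties imply for a server certificate whose CN does not match. The sample property values are constructed, and the order in which the three trust rules are combined is an assumption.

```python
"""Audit and model the com.iplanet.am.jssproxy.* trust properties.
Added illustration for this reference, not Access Manager's implementation."""
from typing import Dict, List, Tuple

# Constructed sample values, not taken from a real deployment.
SAMPLE_PROPS: Dict[str, str] = {
    "com.iplanet.am.admin.cli.certdb.dir": "/opt/SUNWwbsvr/alias",
    "com.iplanet.am.admin.cli.certdb.prefix": "https-amserv1.example.com-amserv1-",
    "com.iplanet.am.jssproxy.checkSubjectAltName": "amserv1.example.com,amserv2.example.com",
    "com.iplanet.am.jssproxy.SSLTrustHostList": "lb.example.com",
    "com.iplanet.am.jssproxy.trustAllServerCerts": "false",
}


def _flag(props: Dict[str, str], key: str) -> bool:
    return props.get(key, "false").strip().lower() == "true"


def _csv(props: Dict[str, str], key: str) -> List[str]:
    """Comma-separated FQDN list; the default 'false' means the feature is off."""
    value = props.get(key, "")
    if value.strip().lower() in ("", "false"):
        return []
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_jss_proxy(props: Dict[str, str]) -> List[str]:
    """Findings a reviewer would raise about the certificate-trust settings."""
    findings = []
    if _flag(props, "com.iplanet.am.jssproxy.trustAllServerCerts"):
        findings.append("trustAllServerCerts=true: certificate name conflicts are ignored; "
                        "acceptable only for testing or a tightly controlled network")
    san_enabled = bool(_csv(props, "com.iplanet.am.jssproxy.checkSubjectAltName"))
    if san_enabled or _flag(props, "com.iplanet.am.jssproxy.resolveIPAddress"):
        # The JSS Proxy section requires cert7.db/key3.db created with the
        # certdb prefix inside the certdb directory for these features.
        for key in ("com.iplanet.am.admin.cli.certdb.dir",
                    "com.iplanet.am.admin.cli.certdb.prefix"):
            if not props.get(key, "").strip():
                findings.append(f"{key} is empty but checkSubjectAltName/resolveIPAddress is enabled")
    return findings


def server_cert_accepted(props: Dict[str, str], server_fqdn: str, cert_cn: str,
                         cert_san: List[str]) -> Tuple[bool, str]:
    """Decide whether SSL handshaking continues. cert_san holds the names from the
    certificate's SubjectAltName extension (constructed input in the tests)."""
    if cert_cn == server_fqdn:
        return True, "certificate CN matches server FQDN"
    if _flag(props, "com.iplanet.am.jssproxy.trustAllServerCerts"):
        return True, "trustAllServerCerts=true (name conflict ignored)"
    # Assumption: the SubjectAltName check applies to servers listed in the property.
    if server_fqdn in _csv(props, "com.iplanet.am.jssproxy.checkSubjectAltName") \
            and server_fqdn in cert_san:
        return True, "server FQDN found in SubjectAltName"
    if cert_cn in _csv(props, "com.iplanet.am.jssproxy.SSLTrustHostList"):
        return True, "certificate CN is in SSLTrustHostList"
    return False, "Incorrect Domain Name: no trust rule matched"
```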
LDAP Connection
-
com.iplanet.am.ldap.connection.delay.between.retries
Default is 1000. Specifies the number of milliseconds
between retries.
-
com.iplanet.am.ldap.connection.ldap.error.codes.retries
Default values are 80,81,91.
Specifies the LDAPException error codes for which
retries to re-establish the LDAP connection will trigger.
-
com.iplanet.am.ldap.connection.num.retries
Default value is 3. Specifies the number
of attempts made to successfully re-establish the LDAP connection.
Liberty Alliance Interactions
-
com.sun.identity.liberty.interaction.htmlStyleSheetLocation
Value is set during installation. Example: /opt/SUNWam/lib/is-html.xsl
Specifies path to
style sheet that renders the interaction page in HTML.
-
com.sun.identity.liberty.interaction.wmlStyleSheetLocation
Value is set during installation. Example: /opt/SUNWam/lib/is-wml.xsl
Specifies path to
style sheet that renders the interaction page in WML.
-
com.sun.identity.liberty.interaction.wscSpecifiedInteractionChoice
Default value is interactIfNeeded.
Indicates whether a web service consumer participates in an interaction.
Allowed values are:
-
interactIfNeeded
-
Interacts only if required. Also used if an invalid
value is specified.
-
doNotInteract
-
No interaction.
-
doNotInteractForData
-
No interaction for data.
-
com.sun.identity.liberty.interaction.wscSpecifiedMaxInteractionTime
Default value is 80. Web
service consumer's preference on the acceptable duration for interaction.
The value is expressed in seconds. The default value is used if the
value is not specified or if a non-integer value is specified.
-
com.sun.identity.liberty.interaction.wscWillEnforceHttpsCheck
The default value is yes.
Indicates whether a web service consumer enforces the requirement
that a request redirected to a URL uses HTTPS. Valid values are yes and no. The case is ignored. The
Liberty specification requires the value to be yes.
If no value is specified, the default value is used.
-
com.sun.identity.liberty.interaction.wscWillInlcudeUserInteractionHeader
Default value is yes. If
no value is specified, the default value is used. Indicates whether
a web service consumer includes userInteractionHeader.
Allowable values are yes and no.
The case is ignored.
-
com.sun.identity.liberty.interaction.wscWillRedirect
Default value is yes.
Indicates whether the web service consumer redirects the user for interaction.
Valid values are yes and no.
If no value is specified, the default value is used.
-
com.sun.identity.liberty.interaction.wspRedirectHandler
Value is set during installation. Example: http://hostName.domainName.com:portNumber/amserver/WSPRedirectHandler
Specifies the URL WSPRedirectHandlerServlet uses to handle Liberty WSF WSP-resource owner interactions
based on user agent redirects. This should be running in the same
JVM where the Liberty service provider is running.
-
com.sun.identity.liberty.interaction.wspRedirectTime
Default is 30. Web service
provider's expected duration for interaction. Expressed in seconds.
If the value is not specified, or if the value is a non-integer, the
default value is used.
-
com.sun.identity.liberty.interaction.wspWillEnforceHttpsCheck
Default value is yes.
If no value is specified, the default value is used. Indicates whether
the web service consumer enforces the requirement that returnToURL use HTTPS. Valid values are yes and no (case ignored). The Liberty specification requires the
value to be yes.
-
com.sun.identity.liberty.interaction.wspWillEnforceReturnToHostEqualsRequestHost
The Liberty specification requires the value to be yes.
Indicates whether the web service consumer enforces that returnToHost and requestHost are the same. Valid
values are yes and no.
-
com.sun.identity.liberty.interaction.wspWillRedirect
Default is yes. If no value
is specified, the default value is used. Indicates whether a web service
provider redirects the user for interaction. Valid values are yes and no. Case is ignored.
-
com.sun.identity.liberty.interaction.wspWillRedirectForData
Default value is yes. If
no value is specified, the default value is used. Indicates whether
the web service provider redirects the user for interaction for data.
Valid values are yes and no.
Case is ignored.
-
com.sun.identity.liberty.ws.jaxb.namespacePrefixMappingList
Default value is
S=http://schemas.xmlsoap.org/soap/envelope/|sb=urn:liberty:sb:2003-08|pp=urn:liberty:id-sis-pp:2003-08|ispp=http://www.sun.com/identity/liberty/pp|is=urn:liberty:is:2003-08.
Specifies the namespace prefix mapping used when marshalling
a JAXB content tree to a DOM tree. The syntax is prefix=namespace|prefix=namespace|...
-
com.sun.identity.liberty.ws.jaxb.packageList
Specifies JAXB package list used when constructing JAXBContext. Each package must be separated by a colon (:).
-
com.sun.identity.liberty.ws.security.TokenProviderImpl
Default value is com.sun.identity.liberty.ws.security.AMSecurityTokenProvider.
-
com.sun.identity.liberty.ws.soap.certalias
Value is set during installation. Client certificate alias
that will be used in SSL connection for Liberty SOAP Binding.
-
com.sun.identity.liberty.ws.soap.messageIDCacheCleanupInterval
Default value is 60000.
Specifies the number of milliseconds to elapse before cache cleanup
events begin. Each message is stored in a cache with its own messageID to avoid duplicate messages. When a message's current time
less the received time exceeds the staleTimeLimit value,
the message is removed from the cache.
-
com.sun.identity.liberty.ws.soap.staleTimeLimit
Default value is 300000.
Determines whether a message is stale and thus no longer trustworthy. If
the message timestamp is earlier than the current timestamp by the
specified number of milliseconds, the message is considered to be
stale.
-
com.sun.identity.liberty.ws.soap.supportedActors
Default value is http://schemas.xmlsoap.org/soap/actor/next. Specifies supported SOAP actors. Each actor must be separated
by a pipe character (|).
-
com.sun.identity.liberty.ws.ta.certalias
Value is set during installation. Specifies the certificate
alias for the trusted authority that will be used to sign the SAML or
SAML BEARER token of the response message.
-
com.sun.identity.liberty.ws.wsc.certalias
Value is set during installation. Specifies default certificate
alias for issuing web service security token for this web service
client.
-
com.sun.identity.liberty.ws.trustedca.certaliases
Value is set during installation.
Specifies certificate aliases for trusted CAs. The SAML or SAML BEARER token of
an incoming request message must be signed by a trusted CA in this list.
The syntax is cert alias 1[:issuer 1]|cert alias 2[:issuer
2]|..... Example: myalias1:myissuer1|myalias2|myalias3:myissuer3. The
issuer value is used when the token doesn't have
a KeyInfo inside the signature: the issuer of the
token must be in this list, and the corresponding certificate alias
will be used to verify the signature. If KeyInfo
exists, the keystore must contain a certificate alias that matches
the KeyInfo, and that certificate alias must be
in this list.
-
com.sun.identity.liberty.ws.security.TokenProviderImpl
Value is set during installation. Specifies
implementation for security token provider.
-
com.sun.identity.saml.removeassertion
Default value is true. A flag to indicate
if de-referenced assertions should be removed from the cache. Applies
to assertions that were created associated with artifacts, and have
been de-referenced.
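An added model (not Access Manager's implementation) of the replay protection that com.sun.identity.liberty.ws.soap.messageIDCacheCleanupInterval and com.sun.identity.liberty.ws.soap.staleTimeLimit describe above: received messageIDs are cached, duplicates are rejected, messages older than staleTimeLimit are rejected as stale, and cleanup runs only once per interval. Times are passed in explicitly, the message IDs are constructed, and checking staleness before duplication is an assumption.

```python
"""messageID replay cache driven by the two Liberty SOAP-binding properties.
Added illustration for this reference, not Access Manager code."""
from typing import Dict, List, Tuple


class MessageIdCache:
    def __init__(self, stale_time_limit_ms: int = 300000,
                 cleanup_interval_ms: int = 60000, now_ms: int = 0) -> None:
        self.stale_time_limit_ms = stale_time_limit_ms    # ...soap.staleTimeLimit
        self.cleanup_interval_ms = cleanup_interval_ms    # ...soap.messageIDCacheCleanupInterval
        self._seen: Dict[str, int] = {}                   # messageID -> time received (ms)
        self._last_cleanup_ms = now_ms

    def _cleanup(self, now_ms: int) -> None:
        """Evict entries whose received time is more than staleTimeLimit in the
        past, but only once per cleanup interval."""
        if now_ms - self._last_cleanup_ms < self.cleanup_interval_ms:
            return
        self._seen = {mid: t for mid, t in self._seen.items()
                      if now_ms - t <= self.stale_time_limit_ms}
        self._last_cleanup_ms = now_ms

    def accept(self, message_id: str, message_timestamp_ms: int,
               now_ms: int) -> Tuple[bool, str]:
        """Return (accepted, reason). Because an entry is kept at least
        staleTimeLimit after receipt and a message timestamped earlier than that
        is rejected as stale, a replay is caught by one check or the other
        (given that a message's timestamp is not later than its receipt time)."""
        self._cleanup(now_ms)
        if now_ms - message_timestamp_ms > self.stale_time_limit_ms:
            return False, "stale"
        if message_id in self._seen:
            return False, "duplicate"
        self._seen[message_id] = now_ms
        return True, "accepted"

    def cached_count(self) -> int:
        return len(self._seen)


def demo() -> List[str]:
    """Constructed exchange: one messageID replayed inside and after the window."""
    cache = MessageIdCache(now_ms=0)
    return [
        cache.accept("urn:uuid:msg-1", 0, 1000)[1],     # first sight: accepted
        cache.accept("urn:uuid:msg-1", 0, 2000)[1],     # replay 1 s later: duplicate
        cache.accept("urn:uuid:msg-2", 0, 301001)[1],   # older than 300000 ms: stale
        cache.accept("urn:uuid:msg-1", 0, 400000)[1],   # evicted by cleanup, still stale
    ]
```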
Logging Service
Logging Properties You Can Add to AMConfig.properties
You can configure the degree of detail to be contained in a
specific log file by adding attributes to the AMConfig.properties file. Use the following format:
iplanet-am-logging.logfileName.level=java.util.logging.Level
where logfileName is the name of a log file for an Access
Manager service (see Table 6–1), and java.util.logging.Level is
an allowable attribute value. Access Manager services log at the
INFO level. SAML and Identity Federation services also log at more
detailed levels (FINE, FINER, FINEST). Example:
iplanet-am-logging.amSSO.access.level=FINER
In addition, there is a level OFF that can be used to turn off
logging, and a level ALL that can be used to enable logging of all
messages. Example:
iplanet-am-logging.amConsole.access.level=OFF
Table 6–1 Access Manager Log Files
| Log File Name | Records Logged |
| --- | --- |
| amAdmin.access | Successful amadmin command-line events |
| amAdmin.error | amadmin command-line error events |
| amAuthLog.access | Access Manager Policy Agent related events. See the Note following this table. |
| amAuthentication.access | Successful authentication events |
| amAuthentication.error | Authentication failures |
| amConsole.access | Console events |
| amConsole.error | Console error events |
| amFederation.access | Successful Federation events |
| amFederation.error | Federation error events |
| amPolicy.access | Storage of policy allow events |
| amPolicy.error | Storage of policy deny events |
| amSAML.access | Successful SAML events |
| amSAML.error | SAML error events |
| amLiberty.access | Successful Liberty events |
| amLiberty.error | Liberty error events |
| amSSO.access | Single sign-on creation and destruction |
| amSSO.error | Single sign-on error events |
Note –
The amAuthLog filename is determined
by the Policy Agent properties in AMAgent.properties.
For Web Policy Agents, the property is com.sun.am.policy.agents.config.remote.log. For J2EE Policy Agents, the property is com.sun.identity.agents.config.remote.logfile. The default is amAuthLog.host.domain.port, where host.domain is the
fully-qualified host name of the host running the Policy Agent web
server, and where port is the port number
of that web server. If you have multiple Policy Agents deployed, you
can have multiple instances of this file. The property com.sun.identity.agents.config.audit.accesstype (for both Web and J2EE Agents) determines what data is
logged remotely. The logged data can include policy allows, policy
denies, both allows and denies, or neither allows nor denies.
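Because a mistyped logging property is silently ignored until the next restart, a small lint over these lines is useful; this is added example code, not part of Access Manager. It uses the log file names from Table 6–1 and the java.util.logging.Level constants, and the properties fragment at the end is constructed.

```python
"""Lint for iplanet-am-logging.<logfileName>.level lines in AMConfig.properties.

Added example code, not part of Access Manager. Log file names come from
Table 6-1; level names are the java.util.logging.Level constants.
"""
import re
from typing import List, Tuple

# Log file names from Table 6-1. amAuthLog.access is the table's name; the
# agent's actual file (amAuthLog.host.domain.port) is set in AMAgent.properties.
LOG_FILES = {
    "amAdmin.access", "amAdmin.error", "amAuthLog.access",
    "amAuthentication.access", "amAuthentication.error",
    "amConsole.access", "amConsole.error",
    "amFederation.access", "amFederation.error",
    "amPolicy.access", "amPolicy.error",
    "amSAML.access", "amSAML.error",
    "amLiberty.access", "amLiberty.error",
    "amSSO.access", "amSSO.error",
}
# Constants defined by java.util.logging.Level.
LEVELS = {"OFF", "SEVERE", "WARNING", "INFO", "CONFIG", "FINE", "FINER", "FINEST", "ALL"}

KEY_RE = re.compile(r"^iplanet-am-logging\.(?P<log>[A-Za-z]+\.(?:access|error))\.level$")


def check_logging_line(line: str) -> Tuple[bool, str]:
    """Validate one iplanet-am-logging property line; return (ok, message)."""
    key, sep, value = line.strip().partition("=")
    if not sep:
        return False, "not a key=value line"
    key, value = key.strip(), value.strip()
    match = KEY_RE.match(key)
    if not match:
        # Catches typos such as '.evel=' or a missing .access/.error suffix.
        return False, f"malformed key {key!r}; expected iplanet-am-logging.<logfileName>.level"
    log = match.group("log")
    if log not in LOG_FILES:
        return False, f"{log!r} is not an Access Manager log file name"
    if value not in LEVELS:
        return False, f"{value!r} is not a java.util.logging.Level"
    return True, f"{log} logs at {value}"


def check_fragment(text: str) -> List[Tuple[str, bool, str]]:
    """Check every logging line in a properties fragment; skip /* */ comments and other keys."""
    results: List[Tuple[str, bool, str]] = []
    in_comment = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_comment or line.startswith("/*"):
            in_comment = not line.endswith("*/")   # comment ends on the line holding */
            continue
        if line.startswith("iplanet-am-logging."):
            ok, msg = check_logging_line(line)
            results.append((line, ok, msg))
    return results


# Constructed sample fragment: the two examples from the text plus two mistakes.
SAMPLE_FRAGMENT = """\
/* logging levels added by the administrator */
iplanet-am-logging.amSSO.access.level=FINER
iplanet-am-logging.amConsole.access.level=OFF
iplanet-am-logging.amConsole.access.evel=OFF
iplanet-am-logging.amSSO.access.level=VERBOSE
"""

if __name__ == "__main__":
    for line, ok, msg in check_fragment(SAMPLE_FRAGMENT):
        print("OK " if ok else "BAD", line, "->", msg)
```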
Naming Service
-
com.iplanet.am.naming.failover.url
This property is no longer being used in Access Manager 7.0.
-
com.iplanet.am.naming.url
Value is set during installation. Example: http://hostName.domainName.com:portNumber/amserver/namingservice
Specifies
the naming service URL to use.
Notification Service
Use the following keys to configure the notification thread
pool.
-
com.iplanet.am.notification.threadpool.size
Default value is 10. Defines the size of
the pool by specifying the total number of threads.
-
com.iplanet.am.notification.threadpool.threshold
Default value is 100. Specifies
the maximum task queue length.
When a notification task
comes in, it is sent to the task queue for processing. If the queue
reaches the maximum length, further incoming requests will be rejected
along with a ThreadPoolException, until the queue
has a vacancy.
-
com.iplanet.am.notification.url
Value is set during installation. Example: http://hostName.domainName.com:portNumber/amserver/notificationservice
Policy Agents
-
com.iplanet.am.policy.agents.url.deploymentDescriptor
Value is set during installation. Example: AGENT_DEPLOY_URI
-
com.sun.identity.agents.app.username
Default value is UrlAccessAgent. Specifies
the username to use for the Application authentication module.
-
com.sun.identity.agents.cache.size
Default value is 1000. Specifies the size of the resource result
cache. The cache is created on the server where the policy agent
is installed.
-
com.sun.identity.agents.header.attributes
Default values are cn,ou,o,mail,employeenumber,c.
Specifies the policy attributes to be returned by the policy evaluator.
Uses the form a[,...]. In this example, a is
the attribute in the data store to be fetched.
-
com.sun.identity.agents.logging.level
Default value is NONE. Controls the
granularity of the Policy Client API logging level. Possible values are:
-
ALLOW
-
Logs access allowed requests.
-
DENY
-
Logs access denied requests.
-
BOTH
-
Logs both access allowed and access denied requests.
-
NONE
-
Logs no requests.
-
com.sun.identity.agents.notification.enabled
Default value is false. Enables or
disables notifications for the Policy Client API.
-
com.sun.identity.agents.notification.url
Used by the policy client SDK to register policy change notifications.
A mis-configuration of this property will result in policy notifications
being disabled.
-
com.sun.identity.agents.polling.interval
Default value is 3. Specifies the polling
interval, in minutes, after which an entry is dropped
from the Client API cache.
-
com.sun.identity.agents.resource.caseSensitive
Default value is false. Indicates whether
case sensitivity is turned on or off during
policy evaluation.
-
com.sun.identity.agents.true.value
Indicates the true value of a policy action. This value can
be ignored if the application does not need to access the PolicyEvaluator.isAllowed method. This value signifies how a policy decision from
Access Manager should be interpreted. Default value is allow.
-
com.sun.identity.agents.resource.comparator.class
Default value is com.sun.identity.policy.plugins.URLResourceName.
Specifies the resource comparison class name.
Available implementation classes are: com.sun.identity.policy.plugins.PrefixResourceName and com.sun.identity.policy.plugins.URLResourceName.
-
com.sun.identity.agents.resource.delimiter
Default value is a slash (/).
Specifies the delimiter for the resource name.
-
com.sun.identity.agents.resource.wildcard
Default value is *. Specifies the
wildcard for the resource name.
-
com.sun.identity.agents.server.log.file.name
Default value is amRemotePolicyLog.
Specifies the name of the log file to use for logging messages to
Access Manager. Only the name of the file is needed. The directory
of the file is determined by other Access Manager configuration settings.
-
com.sun.identity.agents.use.wildcard
Default value is true. Indicates whether
to use a wildcard for resource name comparison.
Policy Client API
-
com.sun.identity.policy.client.booleanActionValues
Default value is iPlanetAMWebAgentService|GET|allow|deny:iPlanetAMWebAgentService|POST|allow|deny.
Specifies Boolean action values for policy
action names. Uses the form serviceName|actionName|trueValue|falseValue. Entries for different action names are delimited by a colon (:).
-
com.sun.identity.policy.client.cacheMode
Default value is self. Specifies cache
mode for the client policy evaluator. Valid values are subtree and self. If set to subtree, the policy evaluator
obtains policy decisions from the server for all the resources from
the root of resource actually requested. If set to self,
the policy evaluator gets the policy decision from the server only
for the resource actually requested.
-
com.sun.identity.policy.client.clockSkew
Adjusts for the time difference between the policy client
machine and the policy server. If this property does not exist and
the policy agent time differs from the policy server time, you
occasionally see an incorrect policy decision. You must run a time-syncing
service to keep the time on the policy server and on the policy client
as close as possible; use this property to adjust for the small remaining
difference regardless of the time-syncing service. Clock skew
in seconds = agentTime - serverTime. Comment the property out on
the policy server. Uncomment the line and set the appropriate
agent-server clock skew (in seconds) on the policy client machine
or the machine running the policy agent.
-
com.sun.identity.policy.client.resourceComparators
Default value is serviceType=iPlanetAMWebAgentService|class=com.sun.identity.policy.plugins.URLResourceName|wildcard=*|delimiter=/|caseSensitive=true.
Specifies ResourceComparators to
be used for different service names. Copy the value from the Access
Manager console. Go to Service Configuration > PolicyConfiguration
> Global:ResourceComparator. Concatenate multiple values
from Access Manager using a colon (:) as the delimiter.
Profile Service
-
com.iplanet.am.profile.host
This property is no longer used in Access Manager 7. It is provided
only for backward compatibility. Value is set during installation.
Example: hostName.domainName.com
-
com.iplanet.am.profile.port
This property is no longer used in Access Manager 7. It is provided
only for backward compatibility. Value is set during installation.
Example: 80
Replication
Use the following keys to configure replication setup.
-
com.iplanet.am.replica.delay.between.retries
Default value is 1000. Specifies the
number of milliseconds between retries.
-
com.iplanet.am.replica.num.retries
Default value is 0. Specifies the number
of times to retry.
SAML Service
-
com.sun.identity.saml.assertion.version
Default value is 1.1. Specifies default SAML
version used. Possible values are 1.0 or 1.1.
-
com.sun.identity.saml.checkcert
Default value is on. Flag for checking the
certificate embedded in the KeyInfo against the
certificates in the keystore. Certificates in the keystore are specified
by the com.sun.identity.saml.xmlsig.keystore property.
Possible values are:
-
on
-
The certificate must be present in the keystore for
XML signature validation.
-
off
-
Skips the presence check.
-
com.sun.identity.saml.protocol.version
Default value is 1.1. Specifies default
SAML version used. Possible values are 1.0 or 1.1.
-
com.sun.identity.saml.removeassertion
Default value is true. A flag to indicate
if de-referenced assertions should be removed from the cache. Applies
to assertions that were created associated with artifacts, and have
been de-referenced.
-
com.sun.identity.saml.request.maxContentLength
Default value is 16384. Specifies
the maximum content-length for an HTTP Request that
will be used in SAML.
-
com.sun.identity.saml.xmlsig.certalias
Default value is test. Specifies the certificate alias used for SAML XML signatures.
-
com.sun.identity.saml.xmlsig.keypass
Value is set during installation. Example: /etc/opt/SUNWam/config/.keypass
Specifies the path to the SAML XML key password
file.
-
com.sun.identity.saml.xmlsig.keystore
Value is set during installation. Example: /etc/opt/SUNWam/config/keystore.jks
Specifies the path to the keystore used for SAML XML
signatures.
-
com.sun.identity.saml.xmlsig.storepass
Value is set during installation. Example: /etc/opt/SUNWam/config/.storepass
Specifies the path to the SAML XML key storepass
file.
Security
-
com.iplanet.security.encryptor
Default value is com.iplanet.services.util.JSSEncryption.
Specifies the encrypting class implementation. Available classes
are: com.iplanet.services.util.JCEEncryption and com.iplanet.services.util.JSSEncryption.
-
com.iplanet.security.SecureRandomFactoryImpl
Default value is com.iplanet.am.util.JSSSecureRandomFactoryImpl. Specifies the factory class name for SecureRandomFactory. Available implementation classes are: com.iplanet.am.util.JSSSecureRandomFactoryImpl which uses JSS, and com.iplanet.am.util.SecureRandomFactoryImpl which uses pure Java.
-
com.iplanet.security.SSLSocketFactoryImpl
Default value is com.iplanet.services.ldap.JSSSocketFactory. Specifies the factory class name for LDAPSocketFactory. Available classes are: com.iplanet.services.ldap.JSSSocketFactory which uses JSS, and netscape.ldap.factory.JSSESocketFactory which uses pure Java.
-
com.sun.identity.security.checkcaller
Default value is false. Enables or disables
Java security manager permissions check for Access Manager. Disabled
by default. If enabled, then you should make appropriate changes to
the Java policy file of the container in which Access Manager is deployed.
This way, Access Manager JAR files can be trusted for performing
sensitive operations. For more information, see the Java API Reference
(Javadoc) entry for com.sun.identity.security.
-
am.encryption.pwd
Value
is set during installation. Example: dSB9LkwPCSoXfIKHVMhIt3bKgibtsggd
Specifies the key used to encrypt and decrypt
passwords.
Session Service
-
com.iplanet.am.clientIPCheckEnabled
Default value is false. Specifies whether
or not the IP address of the client is checked in all SSOToken creations
or validations.
-
com.iplanet.am.session.client.polling.enable
This is a READ-ONLY property. Do not modify the property value.
Default value is false. Enables client-side
session polling. Please note that the session polling mode and the
session notification mode are mutually exclusive. If the polling mode
is enabled, the session notification is automatically turned off,
and vice versa.
-
com.iplanet.am.session.client.polling.period
Default value is 180. Specifies number of
seconds in a polling period.
-
com.iplanet.am.session.httpSession.enabled
Default value is true. Enables or disables
the use of httpSession.
-
com.iplanet.am.session.invalidsessionmaxtime
Default value is 10. Specifies the number
of minutes after which an invalid session is removed from the
session table if it was created but the user did not log in. This value
should always be greater than the timeout value in the Authentication
module properties file.
-
com.iplanet.am.session.maxSessions
Default value is 5000. Specifies the maximum
number of allowable concurrent sessions.
Login sends a Maximum Sessions error if the number of concurrent
sessions exceeds this value.
-
com.iplanet.am.session.protectedPropertiesList
Allows you to protect certain core or internal session
properties from remote updates via the SetProperty method
of the Session Service. By setting this “hidden” key security
parameter, you can customize session attributes in order to participate
in authorization as well as other Access Manager features. To use
this parameter:
-
With a text editor, add the parameter to the AMConfig.properties file.
-
Set the parameter to the session properties that you
want to protect. For example:
com.iplanet.am.session.protectedPropertiesList
= PropertyName1,PropertyName2,PropertyName3
-
Restart the Access Manager Web container for the values
to take effect.
-
com.iplanet.am.session.purgedelay
Default value is 60. Specifies the number
of minutes to delay the purge session operation.
After
a session times out, this is an extended time period during which
the session continues to reside in the session server. This property
is used by the client application to check if the session has timed
out through SSO APIs. At the end of this extended time period, the
session is destroyed. The session is not sustained during the extended
time period if the user logs out or if the session is explicitly destroyed
by an Access Manager component. The session is in the INVALID state
during this extended period.
-
com.sun.am.session.caseInsensitiveDN
Default value is true. Specifies whether the
Agent DN comparison is case-insensitive. If the value is false, the comparison
is case-sensitive.
-
com.sun.am.session.enableHostLookUp
Default value is false. Enables or disables
host lookup during session logging.
SMTP
Statistics Service
-
com.iplanet.am.stats.interval
Default value is 60. Specifies the number of
minutes to elapse between statistics logging. The minimum is 5 seconds,
to avoid CPU saturation; Access Manager treats any value less than
5 seconds as 5 seconds.
-
com.iplanet.services.stats.directory
Value is set during installation. Example: /var/opt/SUNWam/stats Specifies directory where debug files are created.
-
com.iplanet.services.stats.state
Default value is file. Specifies location
of statistics log. Possible values are:
-
off
-
No statistics are logged.
-
file
-
Statistics are written to a file under the specified
directory.
-
console
-
Statistics are written into Web Server log files.
Chapter 7 serverconfig.xml Reference
The file serverconfig.xml provides configuration
information for Sun Java™ System Access Manager regarding the
Directory Server that is used as its data store. This chapter explains
the elements of the file, how to configure it for failover, how
you can have multiple instances, and how you can un-deploy the console
and remove console files from a server. It contains the following
sections:
Overview
serverconfig.xml is located in AccessManager-base/SUNWam/config/ums.
It contains the parameters used by the Identity SDK to establish the
LDAP connection pool to Directory Server. No other function of the
product uses this file. Two users are defined in this file: user1 is a Directory Server proxy user and user2 is
the Directory Server administrator.
Proxy User
The Proxy User can take on any user’s
privileges (for example, the organization administrator or an end
user). The connection pool is created with connections bound to the
proxy user. Access Manager creates a proxy user with the DN of cn=puser,ou=DSAME
Users,dc=example,dc=com. This user is used for all queries
made to Directory Server. It benefits from a proxy user ACI already
configured in the Directory Server and, therefore, can perform actions
on behalf of a user when necessary. It maintains an open connection
through which all queries are passed (retrieval of service configurations,
organization information, etc.). The proxy user password is always
encrypted. Example 7–1 shows
where the encrypted password is located in serverconfig.xml.
Example 7–1 Proxy User In serverconfig.xml
<User name="User1" type="proxy">
    <DirDN>
        cn=puser,ou=DSAME Users,dc=example,dc=com
    </DirDN>
    <DirPassword>
        AQICkc3qIrCeZrpexyeoL4cdeXih4vv9aCZZ
    </DirPassword>
</User>
Admin User
dsameuser is used for binding purposes when
the Access Manager SDK performs operations on Directory Server that
are not linked to a particular user (for example, retrieving service
configuration information). Proxy User performs
these operations on behalf of dsameuser, but a
bind must first validate the dsameuser credentials.
During installation, Access Manager creates cn=dsameuser,ou=DSAME
Users,dc=example,dc=com. Example 7–2 shows where the encrypted dsameuser password
is found in serverconfig.xml.
Example 7–2 Admin User In serverconfig.xml
<User name="User2" type="admin">
    <DirDN>
        cn=dsameuser,ou=DSAME Users,dc=example,dc=com
    </DirDN>
    <DirPassword>
        AQICkc3qIrCeZrpexyeoL4cdeXih4vv9aCZZ
    </DirPassword>
</User>
server-config Definition Type Document
server-config.dtd defines the structure for serverconfig.xml. It is located in AccessManager-base/SUNWam/dtd. This section defines
the main elements of the DTD. Example 7–3 shows a complete serverconfig.xml file.
iPlanetDataAccessLayer Element
iPlanetDataAccessLayer is the root element.
It allows for the definition of multiple server groups per XML file.
Its immediate sub-element is the ServerGroup Element. It contains no attributes.
ServerGroup Element
ServerGroup defines a pointer to one or
more directory servers. They can be master servers or replica servers.
The sub-elements that qualify the ServerGroup include Server Element, User Element, BaseDN Element and MiscConfig Element. The XML attributes of ServerGroup are the name of the server group, and minConnPool and maxConnPool which define the
minimum (1) and maximum (10) connections that can be opened for the
LDAP connection pool. More than one defined ServerGroup element is
not supported.
Note –
Access Manager uses a connection pool to access Directory
Server. All connections are opened when Access Manager starts and
are not closed. They are reused.
Server Element
Server defines a specific Directory Server
instance. It contains no sub-elements. The required XML attributes
of Server are a user-friendly name for the server,
the host name, the port number on which the Directory Server runs,
and the type of LDAP connection that must be opened (either simple
or SSL).
Note –
For an example of automatic failover using the Server
element, see Failover Or Multimaster Configuration.
User Element
User contains sub-elements that define
the user configured for the Directory Server instance. The sub-elements
that qualify User include DirDN and DirPassword. Its required XML attributes are the
name of the user, and the type of user. The values for type identify
the user’s privileges and the type of connection that will be
opened to the Directory Server instance. Options include:
-
auth—defines a user authenticated to Directory
Server.
-
proxy—defines a Directory Server proxy user.
See Proxy User for more information.
-
rebind—defines a user with credentials that
can be used to rebind.
-
admin—defines a user with Directory Server administrative
privileges. See Admin User for more
information.
DirDN Element
DirDN contains the LDAP Distinguished Name
of the defined user.
DirPassword Element
DirPassword contains the defined user’s
encrypted password.
Caution – It is important that passwords and encryption keys
are kept consistent throughout the deployment. For example, the passwords
defined in this element are also stored in Directory Server. If the
password is changed in one place, it must be updated in both
places. Additionally, this password is encrypted. If the encryption
key defined in the am.encryption.pwd property is
changed, all passwords in serverconfig.xml must
be re-encrypted using ampassword --encrypt password.
BaseDN Element
BaseDN defines the base Distinguished Name
for the server group. It contains no sub-elements and no XML attributes.
MiscConfig Element
MiscConfig is a placeholder for defining
any LDAP JDK features like cache size. It contains no sub-elements.
Its required XML attributes are the name of the feature and
its defined value.
Example 7–3 serverconfig.xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
Copyright (c) 2002 Sun Microsystems, Inc. All rights reserved.
Use is subject to license terms.
-->
<iPlanetDataAccessLayer>
    <ServerGroup name="default" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="ishost.domain_name" port="389" type="SIMPLE" />
        <User name="User1" type="proxy">
            <DirDN>
                cn=puser,ou=DSAME Users,dc=example,dc=com
            </DirDN>
            <DirPassword>
                AQICkc3qIrCeZrpexyeoL4cdeXih4vv9aCZZ
            </DirPassword>
        </User>
        <User name="User2" type="admin">
            <DirDN>
                cn=dsameuser,ou=DSAME Users,dc=example,dc=com
            </DirDN>
            <DirPassword>
                AQICkc3qIrCeZrpexyeoL4cdeXih4vv9aCZZ
            </DirPassword>
        </User>
        <BaseDN>
            dc=example,dc=com
        </BaseDN>
    </ServerGroup>
</iPlanetDataAccessLayer>
Failover Or Multimaster Configuration
Access Manager allows automatic failover to any Directory Server
defined as a Server Element in serverconfig.xml.
More than one server can be configured for failover purposes or for multimasters.
If the first configured server goes down, the second configured server
takes over. Example 7–4 illustrates serverconfig.xml with an automatic
failover configuration.
Example 7–4 Configured Failover in serverconfig.xml
<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
<!--
PROPRIETARY/CONFIDENTIAL. Use of this product is subject to license terms.
Copyright 2002 Sun Microsystems, Inc. All rights reserved.
-->
<iPlanetDataAccessLayer>
    <ServerGroup name="default" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="amhost1.domain_name" port="389" type="SIMPLE" />
        <Server name="Server2" host="amhost2.domain_name" port="389" type="SIMPLE" />
        <Server name="Server3" host="amhost3.domain_name" port="390" type="SIMPLE" />
        <User name="User1" type="proxy">
            <DirDN>
                cn=puser,ou=DSAME Users,dc=example,dc=com
            </DirDN>
            <DirPassword>
                AQIC5wM2LY4Sfcy+AQBQxghVwhBE92i78cqf
            </DirPassword>
        </User>
        <User name="User2" type="admin">
            <DirDN>
                cn=dsameuser,ou=DSAME Users,dc=example,dc=com
            </DirDN>
            <DirPassword>
                AQIC5wM2LY4Sfcy+AQBQxghVwhBE92i78cqf
            </DirPassword>
        </User>
        <BaseDN>
            o=isp
        </BaseDN>
    </ServerGroup>
</iPlanetDataAccessLayer>
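A structural check over the DTD elements described in this chapter and the failover order they define, added here as example code and not part of Access Manager; the SAMPLE document is constructed to mirror Example 7–4, its host names are placeholders, and its DirPassword values are placeholders rather than real ciphertext.

```python
"""Structural checks for serverconfig.xml.

Added example code, not part of Access Manager. It walks the elements described
in this chapter (iPlanetDataAccessLayer, ServerGroup, Server, User, BaseDN) and
returns the failover order plus any problems found. SAMPLE is constructed to
mirror Example 7-4; the DirPassword values are placeholders, not real ciphertext.
"""
import xml.etree.ElementTree as ET
from typing import List, Tuple

USER_TYPES = {"auth", "proxy", "rebind", "admin"}   # User type attribute values
CONN_TYPES = {"SIMPLE", "SSL"}                       # Server type attribute values


def check_serverconfig(xml_text: str) -> Tuple[List[str], List[str]]:
    """Return (failover_order, problems); failover_order is host:port in document
    order, which is the order Access Manager tries the servers when one goes down."""
    problems: List[str] = []
    order: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != "iPlanetDataAccessLayer":
        problems.append(f"root element is {root.tag}, expected iPlanetDataAccessLayer")
    groups = root.findall("ServerGroup")
    if len(groups) != 1:
        problems.append(f"{len(groups)} ServerGroup elements; exactly one is supported")
    for group in groups:
        name = group.get("name", "?")
        try:
            lo, hi = int(group.get("minConnPool", "")), int(group.get("maxConnPool", ""))
            if lo < 1 or lo > hi:
                problems.append(f"ServerGroup {name}: pool bounds {lo}..{hi} are inconsistent")
        except ValueError:
            problems.append(f"ServerGroup {name}: minConnPool/maxConnPool must be integers")
        servers = group.findall("Server")
        if not servers:
            problems.append(f"ServerGroup {name}: no Server element")
        for srv in servers:
            # strip() tolerates attribute values wrapped onto a new line, as in the printed examples
            host, port, ctype = (srv.get(a, "").strip() for a in ("host", "port", "type"))
            if not host or not port.isdigit():
                problems.append(f"Server {srv.get('name')}: host or port missing or malformed")
            if ctype not in CONN_TYPES:
                problems.append(f"Server {srv.get('name')}: type {ctype!r} is not SIMPLE or SSL")
            order.append(f"{host}:{port}")
        seen = set()
        for user in group.findall("User"):
            utype = user.get("type", "")
            seen.add(utype)
            if utype not in USER_TYPES:
                problems.append(f"User {user.get('name')}: unknown type {utype!r}")
            dn = (user.findtext("DirDN") or "").strip()
            pw = (user.findtext("DirPassword") or "").strip()
            if not dn or not pw:
                problems.append(f"User {user.get('name')}: DirDN and DirPassword are required")
        for needed in ("proxy", "admin"):   # the two users the Identity SDK binds with
            if needed not in seen:
                problems.append(f"ServerGroup {name}: no User of type {needed}")
        if not (group.findtext("BaseDN") or "").strip():
            problems.append(f"ServerGroup {name}: BaseDN missing or empty")
    return order, problems


# Constructed sample mirroring Example 7-4; hosts and passwords are placeholders.
SAMPLE = """<iPlanetDataAccessLayer>
 <ServerGroup name="default" minConnPool="1" maxConnPool="10">
  <Server name="Server1" host="amhost1.example.com" port="389" type="SIMPLE" />
  <Server name="Server2" host="amhost2.example.com" port="636" type="SSL" />
  <User name="User1" type="proxy">
   <DirDN>cn=puser,ou=DSAME Users,dc=example,dc=com</DirDN>
   <DirPassword>ENCRYPTED_PASSWORD_PLACEHOLDER</DirPassword>
  </User>
  <User name="User2" type="admin">
   <DirDN>cn=dsameuser,ou=DSAME Users,dc=example,dc=com</DirDN>
   <DirPassword>ENCRYPTED_PASSWORD_PLACEHOLDER</DirPassword>
  </User>
  <BaseDN>dc=example,dc=com</BaseDN>
 </ServerGroup>
</iPlanetDataAccessLayer>"""
```

Running `check_serverconfig(SAMPLE)` returns the two servers in failover order and an empty problem list; feeding it a file with a second ServerGroup, an unknown Server type or a missing admin User returns the corresponding messages instead.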