Sun Java System Access Manager 7.1 Administration Reference

Chapter 6 Reference

This file is the main configuration file for Access Manager. You can configure some, but not all, of the properties in this file. This chapter provides descriptions of the properties the file contains, their default values, and instructions for modifying the values that can be changed without rendering Access Manager unusable.

This chapter contains the following sections:

About the File

At installation, the file is located in the following directory: etc/opt/SUNWam/config. The file contains one property per line, and each property has a corresponding value. Properties and values are case-sensitive. Lines that begin with the characters slash and asterisk (/*) are comments, and comments are ignored by the application. A comment ends on the last line that contains the closing characters asterisk and slash (*/).

After you modify properties in the file, you must restart Access Manager to activate the changes.

Access Manager Console

Access Manager Server Installation

Each SDK cache entry stores a set of AMObject attribute values for a user.

Application Server Installation

Certificate Database

Set these properties to initialize the JSS Socket Factory when iPlanet Web Server is configured for SSL.

Directory Server Installation

Event Connection

Global Services Management

Helper Daemons

Identity Federation

JSS Proxy

These properties identify the value for the SSL ApprovalCallback. If the checkSubjectAltName or resolveIPAddress feature is enabled, you must create cert7.db and key3.db with the prefix value in the Then restart Access Manager.

LDAP Connection

Liberty Alliance Interactions

Logging Service

Logging Properties You Can Add to the File

You can configure the degree of detail to be contained in a specific log file by adding attributes to the file. Use the following format:

iplanet-am-logging.logfileName.level=java.util.logging.Level

where logfileName is the name of a log file for an Access Manager service (see Table 6–1), and java.util.logging.Level is an allowable level value. Access Manager services log at the INFO level. SAML and Identity Federation services also log at more detailed levels (FINE, FINER, FINEST). Example:


In addition there is a level OFF that can be used to turn off logging, and a level ALL that can be used to enable logging of all messages. Example:
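The following is an added example, not part of the Access Manager documentation or product: a small Python parser for the file format described in this chapter (one property per line, case-sensitive keys and values, /* ... */ comments that end on the line containing */) that then checks every iplanet-am-logging.logfileName.level entry against the java.util.logging.Level names. The sample fragment and the log file names in it are constructed for the example.

```python
import re

# java.util.logging.Level names accepted in
# iplanet-am-logging.<logfileName>.level=<Level> entries.
JAVA_LOG_LEVELS = {"OFF", "SEVERE", "WARNING", "INFO", "CONFIG",
                   "FINE", "FINER", "FINEST", "ALL"}
LOG_LEVEL_KEY = re.compile(r"^iplanet-am-logging\.(?P<logfile>.+)\.level$")


def parse_properties(text: str) -> dict:
    """One key=value per line, case-sensitive; a line starting with /*
    opens a comment that runs until a line containing */."""
    props, in_comment = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_comment:
            in_comment = "*/" not in line
            continue
        if line.startswith("/*"):
            in_comment = "*/" not in line   # a one-line comment closes itself
            continue
        if line and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def check_log_levels(props: dict) -> tuple:
    """Split logging overrides into (valid {logfile: level}, [problems])."""
    levels, problems = {}, []
    for key, value in props.items():
        m = LOG_LEVEL_KEY.match(key)
        if not m:
            continue
        if value in JAVA_LOG_LEVELS:
            levels[m.group("logfile")] = value
        else:   # values are case-sensitive, so 'fine' is rejected, not coerced
            problems.append(f"{key}: '{value}' is not a java.util.logging.Level")
    return levels, problems


# Constructed sample fragment; the log file names are assumed, not from the page.
SAMPLE = """\
/* multi-line comment: raise SAML detail, silence the agent log;
   the comment ends on this line */
iplanet-am-logging.amSAML.access.level=FINEST
iplanet-am-logging.amAuthLog.level=OFF
iplanet-am-logging.amConsole.access.level=fine
some.other.property=unchanged
"""
```

Running check_log_levels(parse_properties(SAMPLE)) accepts the FINEST and OFF entries and reports the lowercase "fine" as an invalid level.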


Table 6–1 Access Manager Log Files

Log File Name          Records Logged
                       Successful amadmin command-line events
                       amadmin command-line error events
                       Access Manager Policy Agent related events. See the Note following this table.
                       Successful authentication events
                       Authentication failures
                       Console events
                       Console error events
                       Successful Federation events
                       Federation error events
                       Storage of policy allow events
                       Storage of policy deny events
                       Successful SAML events
                       SAML error events
                       Successful Liberty events
                       Liberty error events
                       Single sign-on creation and destruction
                       Single sign-on error events

Note –

The amAuthLog filename is determined by the Policy Agent properties in For Web Policy Agents, the property is For J2EE Policy Agents, the property is com.sun.identity.agents.config.remote.logfile. The default is, where host.domain is the fully-qualified host name of the host running the Policy Agent web server, and where port is the port number of that web server. If you have multiple Policy Agents deployed, you can have multiple instances of this file. The property com.sun.identity.agents.config.audit.accesstype (for both Web and J2EE Agents) determines what data is logged remotely. The logged data can include policy allows, policy denies, both allows and denies, or neither allows nor denies.

Naming Service

Notification Service

Use the following keys to configure the notification thread pool.

Policy Agents

Policy Client API

Profile Service

Use the following keys to configure replication setup.

SAML Service

Session Service

Statistics Service