AMConfig.properties is the main configuration file for Access Manager. You can configure some, but not all, of the properties in this file. This chapter provides descriptions of properties contained in AMConfig.properties, default property values, and instructions for modifying values that can be changed without rendering Access Manager unusable.
At installation, AMConfig.properties is located in the following directory: /etc/opt/SUNWam/config.
AMConfig.properties contains one property per line, and each property has a corresponding value. Properties and values are case-sensitive. Lines that begin with the characters slash and asterisk (/*) are comments, and comments are ignored by the application. Comments end with a last line that contains the closing characters asterisk and slash (*/).
After you modify properties in AMConfig.properties, you must restart Access Manager to activate the changes.
com.iplanet.am.console.deploymentDescriptor
Value is set during installation. Example: /amconsole
com.iplanet.am.console.host
Value is set during installation. Example: hostName.domainName.com
com.iplanet.am.console.port
Value is set during installation. Example: 80
com.iplanet.am.console.protocol
Value is set during installation. Example: http
com.iplanet.am.install.basedir
This is a READ-ONLY property. Do not change the property value.
Value is set during installation. Example: /opt/SUNWam/web-src/services/WEB-INF
com.iplanet.am.install.vardir
This is a READ-ONLY property. Do not change the property value.
Value is set during installation. Example: /var/opt/SUNWam
com.iplanet.am.installdir
This is a READ-ONLY property. Do not change the property value.
Value is set during installation. Example: /opt/SUNWam
com.iplanet.am.jdk.path
Value is set during installation. Example: /usr/jdk/entsys-j2se
com.iplanet.am.locale
Value is set during installation. Example: en_US
com.iplanet.am.server.host
Value is set during installation. Example: hostName.domainName.com
com.iplanet.am.server.port
Value is set during installation. Example: 80
com.iplanet.am.server.protocol
Value is set during installation. Example: http
com.iplanet.am.version
Value is set during installation. Example: 7 2005Q4
com.sun.identity.server.fqdnMap[ ]
Enables the Access Manager Authentication Service to take corrective action when a user types an incorrect URL. This is useful, for example, when a user specifies a partial host name or uses an IP address to access protected resources.
The syntax of this property maps invalid FQDN values to their valid counterparts, in the form com.sun.identity.server.fqdnMap[invalid-name]=valid-name. Here invalid-name is an invalid FQDN host name that a user might type, and valid-name is the FQDN host name the filter redirects the user to. If overlapping values exist for the same invalid FQDN, the application may become inaccessible; using an invalid value for this property can have the same effect. You can use this property to map multiple host names, which is useful when the applications hosted on a server are reachable under several host names.
You can also use this property to configure Access Manager so that no corrective action is taken for certain host name URLs. This is useful, for example, when no corrective action such as a redirect must be taken for users who access the application resources by the raw IP address.
For that case, specify a map entry such as: com.sun.identity.server.fqdnMap[IP]=IP.
You can specify any number of such properties, as long as they are valid properties that conform to the requirements described above. Examples:
com.sun.identity.server.fqdnMap[isserver]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[isserver.mydomain]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[IP address]=isserver.mydomain.com
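As an added example (not part of the Access Manager documentation or product code), the following Python parses fqdnMap entries out of an AMConfig.properties fragment, reports the overlapping entries the text warns about instead of silently overwriting them, and resolves a requested host name the way the description implies: a mapped name redirects to its valid counterpart, an identity entry such as fqdnMap[IP]=IP suppresses the redirect, and a host that matches neither is assumed to fall back to com.iplanet.am.server.host. The fragment, the fallback rule and the case-insensitive host comparison are assumptions made for this example.

```python
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Added example: parse and apply com.sun.identity.server.fqdnMap entries.
# This is not Access Manager code; the properties fragment is constructed.
FQDNMAP_KEY = re.compile(r"^com\.sun\.identity\.server\.fqdnMap\[(?P<invalid>[^\]]+)\]$")

SAMPLE_AMCONFIG = """\
/* constructed fragment for this example */
com.iplanet.am.server.host=isserver.mydomain.com
com.sun.identity.server.fqdnMap[isserver]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[isserver.mydomain]=isserver.mydomain.com
com.sun.identity.server.fqdnMap[192.0.2.10]=192.0.2.10
"""


def iter_properties(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (key, value) pairs, skipping blank lines and /* ... */ comments."""
    in_comment = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_comment:
            in_comment = not line.endswith("*/")
            continue
        if line.startswith("/*"):
            in_comment = not line.endswith("*/")
            continue
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        yield key.strip(), value.strip()


def load_fqdn_map(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (mapping, conflicts). The same invalid name listed twice with
    different targets is reported as a conflict rather than overwritten."""
    mapping: Dict[str, str] = {}
    conflicts: List[str] = []
    for key, value in iter_properties(text):
        m = FQDNMAP_KEY.match(key)
        if not m:
            continue
        # Assumption for this example: host names are compared case-insensitively.
        invalid = m.group("invalid").strip().lower()
        target = value.lower()
        if invalid in mapping and mapping[invalid] != target:
            conflicts.append(invalid)
        mapping[invalid] = target
    return mapping, conflicts


def resolve_host(requested_host: str, mapping: Dict[str, str], server_fqdn: str) -> Optional[str]:
    """Return the host to redirect the user to, or None if no corrective action is needed."""
    host = requested_host.strip().lower()
    server_fqdn = server_fqdn.lower()
    if host == server_fqdn:
        return None
    if host in mapping:
        target = mapping[host]
        return None if target == host else target  # fqdnMap[IP]=IP: no redirect
    # Assumption: an unmapped host is redirected to com.iplanet.am.server.host.
    return server_fqdn


if __name__ == "__main__":
    props = dict(iter_properties(SAMPLE_AMCONFIG))
    fqdn_map, conflicts = load_fqdn_map(SAMPLE_AMCONFIG)
    server = props["com.iplanet.am.server.host"]
    for attempt in ("isserver", "isserver.mydomain", "192.0.2.10", "isserver.mydomain.com", "other-host"):
        print(f"{attempt:25} -> {resolve_host(attempt, fqdn_map, server)}")
    print("conflicts:", conflicts)
```

Running the conflict check before deploying a changed AMConfig.properties catches the duplicate-key case that the text says can make the application inaccessible, which is otherwise only discovered after the restart.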
com.iplanet.am.util.xml.validating
Default value is no. Determines whether validation is performed when XML documents are parsed with the Access Manager XMLUtils class. Allowable values are yes and no. Validation is turned on only if the value of this property is yes and the value of com.iplanet.services.debug.level is warning or message; at any other debug level this property has no effect.
Each SDK cache entry stores a set of AMObject attribute values for a user.
com.iplanet.am.sdk.cache.maxSize
Default value is 10000. Specifies the size of the SDK cache when caching is enabled. Use an integer greater than 0, or the default size (10000 users) will be used.
com.iplanet.am.sdk.userEntryProcessingImpl
This property specifies a plug-in which implements the com.iplanet.am.sdk.AMUserEntryProcessed interface to perform some post-processing for user create, delete and modify operations. The property if used should specify the fully qualified class name which implements the above interface.
com.iplanet.am.sdk.caching.enabled
Setting this to true enables caching, and setting this to false disables caching. The default is true.
Do not set this option to false unless you are running Access Manager purely for debugging. It should never be set to false in production.
com.iplanet.am.iASConfig
Value is set during installation. Example: APPSERVERDEPLOYMENT
This property is used to determine if Access Manager is running on iPlanet Application Server.
com.sun.identity.auth.cookieName
Default value is AMAuthCookie. Specifies the cookie name used by Authentication Service to set the session handler ID during the authentication process. Once this process is completed (success or failure), this cookie is cleared or removed.
com.sun.identity.authentication.ocsp.responder.nickname
Value is set during installation. The nickname of the Certificate Authority (CA) certificate for the OCSP responder. Example: Certificate Manager - sun. If set, the CA certificate must be present in the Web Server's certificate database.
com.sun.identity.authentication.ocsp.responder.url
Value is set during installation. Example: http://ocsp.sun.com/ocsp
Specifies the global OCSP responder URL for this instance. If the OCSP responder URL is set, the OCSP responder nickname must also be set; otherwise both are ignored. If neither is set, the OCSP responder URL present in the user's certificate is used for OCSP validation. If the user's certificate carries no OCSP responder URL, no OCSP validation is performed, so a certificate whose revocation status cannot be obtained is not rejected on that ground; configure the global responder if OCSP checking is required for every certificate.
com.sun.identity.authentication.ocspCheck
Default value is true. The global parameter to enable or disable OCSP checking. If this value is false, the OCSP feature of the Certificate authentication module type cannot be used.
com.sun.identity.authentication.special.users
Value is set during installation. Example: cn=dsameuser,ou=DSAME Users,o=AMRoot|cn=amService-UrlAccessAgent,ou=DSAME Users,o=AMRoot
Identifies the special user or users for this Access Manager authentication component. These users are used by the Client APIs to authenticate remote applications to the Access Manager server using the full user DN, and are always authenticated against the local Directory Server. Separate multiple DNs with the pipe character (|). Use of this property is restricted to the Authentication component.
com.sun.identity.authentication.super.user
Value is set during installation. Example: uid=amAdmin,ou=People,o=AMRoot
Identifies the super user for this Access Manager instance. This user must use Data Store to log in, and must use the full DN. The user is always authenticated against the local Directory Server.
com.sun.identity.authentication.uniqueCookieDomain
Sets the cookie domain for the cookie named by com.sun.identity.authentication.uniqueCookieName. Set this domain so that it covers all instances of the CDC (Cross Domain Controller) service installed in the network; for example, .example.com if all instances of Access Manager are within the domain example.com.
com.sun.identity.authentication.uniqueCookieName
Default value is sunIdentityServerAuthNServer. Specifies the name of the cookie that carries the Access Manager server host URL when protection against session cookie hijacking is enabled (com.sun.identity.enableUniqueSSOTokenCookie=true).
com.iplanet.am.auth.ldap.createUserAttrList
Specifies a list of user attributes that contain values that will be retrieved from an external Directory Server during LDAP Authentication when the Authentication Service is configured to dynamically create users. The new user created in the local Directory Server will have the values for attributes which have been retrieved from external Directory Server.
Example: attribute1, attribute2, attribute3
Set these properties to initialize the JSS Socket Factory when iPlanet Web Server is configured for SSL.
com.iplanet.am.admin.cli.certdb.dir
Value is set during installation. Example: /opt/SUNWwbsvr/alias
Specifies certificate database path.
com.iplanet.am.admin.cli.certdb.passfile
Value is set during installation. Example: /etc/opt/SUNWam/config/.wtpass
Specifies certificate database password file.
com.iplanet.am.admin.cli.certdb.prefix
Value is set during installation. Example: https-hostName.domainName.com-hostName-
Specifies certificate database prefix.
com.iplanet.am.cookie.encode
Allows Access Manager to URL-encode the cookie value, converting characters that are not permitted in HTTP headers.
Value is set during installation. Example: false
com.iplanet.am.cookie.name
Default value is iPlanetDirectoryPro. Cookie name used by Authentication Service to set the valid session handler ID. The value of this cookie name is used to retrieve the valid session information.
com.iplanet.am.cookie.secure
Sets the Secure attribute on the Access Manager cookie, so that the browser returns the cookie only over a secure protocol such as HTTPS.
Default value is false. When Access Manager is accessed over HTTPS, set this property to true; otherwise the browser also sends the session cookie over plain HTTP connections to the same host.
com.iplanet.am.console.remote
Value is set during installation. Example: false
Determines whether the console is installed on a remote machine, or is installed on a local machine and will be used by authentication console.
com.iplanet.am.pcookie.name
Specifies the cookie name for a persistent cookie. A persistent cookie continues to exist after the browser window is closed. This enables a user to log in with a new browser session without having to reauthenticate. Default value is DProPCookie.
com.sun.identity.cookieRewritingInPath
Default value is true. This property is read by the Authentication Service when Access Manager is configured to run in cookieless mode. When true, the cookie is rewritten as extra path information in the URL, in the form protocol://server:port/uri;cookiename=cookieValue?queryString. If this property is not specified, the cookie is written as part of the query string.
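The two URL forms just described, as an added example in Python rather than code from the Access Manager product: one function writes a cookie value into a URL either as a path parameter or as a query parameter, and a second reads it back from either location. The URL, cookie name and value are constructed for this example; the name used is the documented default session cookie name.

```python
from typing import Optional
from urllib.parse import quote, unquote, urlsplit, urlunsplit

# Added example (not Access Manager code): cookieless-mode URL rewriting.


def rewrite_cookie_into_url(url: str, cookie_name: str, cookie_value: str,
                            in_path: bool = True) -> str:
    """Embed cookie_name=cookie_value in the URL.

    in_path=True  -> protocol://server:port/uri;cookiename=cookieValue?queryString
    in_path=False -> appended to the query string instead.
    """
    parts = urlsplit(url)
    pair = f"{cookie_name}={quote(cookie_value, safe='')}"  # value is URL-encoded
    if in_path:
        return urlunsplit((parts.scheme, parts.netloc, f"{parts.path};{pair}",
                           parts.query, parts.fragment))
    query = f"{parts.query}&{pair}" if parts.query else pair
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def cookie_from_url(url: str, cookie_name: str) -> Optional[str]:
    """Recover the cookie value from either location; path parameters are checked first."""
    parts = urlsplit(url)
    candidates = parts.path.split(";")[1:]
    if parts.query:
        candidates += parts.query.split("&")
    for item in candidates:
        name, sep, value = item.partition("=")
        if sep and name == cookie_name:
            return unquote(value)
    return None


if __name__ == "__main__":
    login = "https://am.example.com/amserver/UI/Login?goto=%2Fapp"   # constructed
    for in_path in (True, False):
        rewritten = rewrite_cookie_into_url(login, "iPlanetDirectoryPro", "AQIC5w+M2ZSp", in_path)
        print(rewritten, "->", cookie_from_url(rewritten, "iPlanetDirectoryPro"))
```

Whichever form is chosen, a session identifier carried in the URL is exposed wherever URLs are recorded: browser history, web server and proxy access logs, and the Referer header sent to any third-party resource the page loads. Cookieless mode therefore deserves the same handling as a cookie without the Secure flag, and should be used only where cookies genuinely cannot be.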
com.sun.identity.enableUniqueSSOTokenCookie
Default value is false. Set to true to enable protection against session cookie hijacking; see com.sun.identity.authentication.uniqueCookieName and com.sun.identity.authentication.uniqueCookieDomain.
com.iplanet.services.debug.directory
Specifies the output directory where debug files will be created. Value is set during installation. Example: /var/opt/SUNWam/debug
com.iplanet.services.debug.level
Specifies the debug level. Default value is error. Possible values are:
off: No debug file is created.
error: Only error messages are logged.
warning: Only warning messages are logged.
message: Error, warning, and informational messages are logged.
com.iplanet.am.defaultOrg
Value is set at installation. Example: o=AMRoot
Specifies the top-level realm or organization in the Access Manager information tree.
com.iplanet.am.directory.host
Value is set during installation. Example: DirectoryServerHost.domainName.com
Specifies fully-qualified host name of the Directory Server.
com.iplanet.am.directory.port
Value is set during installation. Example: 389
Specifies the Directory Server port number.
com.iplanet.am.directory.ssl.enabled
Default value is false. Indicates whether Secure Sockets Layer (SSL) is used for the connection to the Directory Server.
com.iplanet.am.domaincomponent
Value is set during installation. Example: o=AMRoot
Specifies the domain component (dc) attribute for the Access Manager information tree.
com.iplanet.am.rootsuffix
Value is set during installation. Example: o=AMRoot
com.sun.am.event.connection.disable.list
Specifies which event connections (persistent searches) are disabled. Values (case insensitive) can be:
aci: Changes to the aci attribute, with the search using the LDAP filter (aci=*)
sm: Changes in the Access Manager information tree (or service management node), which includes objects with the sunService or sunServiceComponent marker object class. For example, you might create a policy to define access privileges for a protected resource, or you might modify the rules, subjects, conditions, or response providers for an existing policy.
um: Changes in the user directory (or user management node). For example, you might change a user's name or address.
For example, to disable persistent searches for changes to the Access Manager information tree (or service management node):
com.sun.am.event.connection.disable.list=sm
To specify multiple values, separate each value with a comma.
Persistent searches cause some performance overhead on Directory Server. If you determine that removing some of this performance overhead is absolutely critical in a production environment, you can disable one or more persistent searches using the com.sun.am.event.connection.disable.list property.
However, before disabling a persistent search, you should understand the limitations described above. It is strongly recommended that this property not be changed unless absolutely required. This property was introduced primarily to avoid overhead on Directory Server when multiple 2.1 J2EE agents are used, because each of these agents establishes these persistent searches. The 2.2 J2EE agents no longer establish these persistent searches, so you might not need to use this property.
Disabling persistent searches for any of these components is not recommended, because a component with a disabled persistent search does not receive notifications from Directory Server. Consequently, changes made in Directory Server for that particular component will not be notified to the component cache. For example, if you disable persistent searches for changes in the user directory (um), Access Manager will not receive notifications from Directory Server. Therefore, an agent would not get notifications from Access Manager to update its local user cache with the new values for the user attribute. Then, if an application queries the agent for the user attributes, it might receive the old value for that attribute.
Use this property only in special circumstances when absolutely required. For example, if you know that Service Configuration changes (related to changing values to any of services such as Session Service and Authentication Services) will not happen in production environment, the persistent search to the Service Management (sm) component can be disabled. However, if any changes occur for any of the services, a server restart would be required. The same condition also applies to other persistent searches, specified by the aci and um values.
com.iplanet.am.event.connection.delay.between.retries
Default value is 3000. Specifies the delay in milliseconds between retries to re-establish the Event Service connections.
com.iplanet.am.event.connection.ldap.error.codes.retries
Default values are 80,81,91. Specifies the LDAP exception error codes for which retries to re-establish Event Service connections will trigger.
com.iplanet.am.event.connection.num.retries
Default value is 3. Specifies the number of attempts made to successfully re-establish the Event Service connections.
com.sun.am.event.connection.idle.timeout
Default value is 0. Specifies the number of minutes after which the persistent searches will be restarted.
This property is used when a load balancer or firewall sits between the policy agents and the Directory Server, and the persistent search connections are dropped when the TCP idle timeout occurs. The property value should be lower than the load balancer or firewall TCP timeout, so that the persistent searches are restarted before the connections are dropped. A value of 0 indicates that searches are not restarted. Only the connections that have timed out are reset.
com.iplanet.am.service.secret
Value is set during installation. Example: AQICPX9e1cxSxB2RSy1WG1+O4msWpt/6djZl
com.iplanet.am.services.deploymentDescriptor
Value is set during installation. Example: /amserver
com.iplanet.services.comm.server.pllrequest.maxContentLength
Default value is 16384 (16 KB). Specifies the maximum content-length of an HttpRequest that Access Manager will accept.
com.iplanet.services.configpath
Value is set during installation. Example: /etc/opt/SUNWam/config
com.iplanet.am.daemons
Default value is unix securid. A space-separated list of the authentication helper daemons (unix, securid) that the amserver script starts.
securidHelper.ports
Default value is 58943. This property takes a space-separated list and is used for the SecurID authentication module and helpers.
unixHelper.ipaddrs
Value is set during installation. Specifies a list of IP addresses to be read by the amserver script and passed to the UNIX helper when the helper is started. This property can contain a space-separated list of trusted IP addresses in IPv4 format.
unixHelper.port
Default value is 58946. Used in the UNIX Authentication module type.
com.sun.identity.federation.alliance.cache.enabled
Default value is true. If true, federation metadata will be cached internally.
com.sun.identity.federation.fedCookieName
Default value is fedCookie. Specifies the name of the Federation Services cookie.
com.sun.identity.federation.proxyfinder
Default value is com.sun.identity.federation.services.FSIDPProxyImpl. Defines the implementation for finding a preferred identity provider to be proxied.
com.sun.identity.federation.services.signingOn
Default value is false. Specifies the level of signing and signature verification for Liberty requests and responses. Possible values are:
true: Liberty requests and responses are signed when sent, and received Liberty requests and responses are verified for signature validity.
false: Liberty requests and responses that are sent and received are neither signed nor verified.
optional: Liberty requests and responses are signed or verified only if required by the Federation profiles.
com.sun.identity.password.deploymentDescriptor
Value is set during installation. Example: /ampassword
com.sun.identity.policy.Policy.policy_evaluation_weights
Default value is 10:10:10. Three integers delimited by a colon (:) that give the proportional processing cost of evaluating a policy subject, rule, and condition, in that order. The values influence the order in which the subject, rule, and condition of a policy are evaluated.
com.sun.identity.session.application.maxCacheTime
Default value is 3. Specifies the maximum number of minutes for caching time for Application Sessions. By default, the cache does not expire unless this property is enabled.
com.sun.identity.sm.ldap.enableProxy
The default is false. This flag tells Service Management whether the Directory Proxy must be used for read, write, and modify operations to the Directory Server. It also determines whether ACIs or delegation privileges are used for access control.
This flag must be set to true when the Access Manager SDK (version 7 or 7.1) communicates with Access Manager version 6.3, for example in co-existence (legacy) mode. The legacy DIT did not support delegation policies, only ACIs, so to ensure a proper delegation check in a legacy-mode installation this flag must be true, which makes the ACIs the basis for access control. Otherwise the delegation check fails.
In realm mode, set this value to false so that only the delegation policies are used for access control. In version 7.0 and later, Access Manager is data-agnostic in realm-mode installations, so in addition to Directory Server, other servers may be used to store service configuration data.
With the value false, Service Management does not use the Directory Proxy for read, write, and modify operations to the backend storage, which matters because some data stores, such as Active Directory, do not support proxying.
com.sun.identity.webcontainer
Value is set during installation. Example: WEB_CONTAINER
Specifies the name of the web container. Although the servlets and JSPs are not web container dependent, Access Manager uses the servlet 2.3 API request.setCharacterEncoding() to correctly decode incoming non-English characters. That API does not work when Access Manager is deployed on Sun Java System Web Server 6.1, so on Sun Java System Web Server 6.1 and S1AS 7.0 Access Manager uses the gx_charset mechanism to decode incoming data instead. Possible values are BEA6.1, BEA8.1, IBM5.1, or IAS7.0. If the web container is Sun Java System Web Server, the tag is not replaced.
These properties configure the SSL ApprovalCallback. If the checkSubjectAltName or resolveIPAddress feature is enabled, you must create cert7.db and key3.db with the prefix given by com.iplanet.am.admin.cli.certdb.prefix in the directory given by com.iplanet.am.admin.cli.certdb.dir, and then restart Access Manager.
com.iplanet.am.jssproxy.checkSubjectAltName
Default value is false. When this property is set and a server certificate includes the Subject Alternative Name (SubjectAltName) extension, Access Manager checks every name entry in the extension; if one of them is the same as the server FQDN, the SSL handshake continues. To enable the property, set it to a comma-separated list of trusted FQDNs. For example: com.iplanet.am.jssproxy.checkSubjectAltName=amserv1.example.com,amserv2.example.com
com.iplanet.am.jssproxy.resolveIPAddress
Default value is false.
com.iplanet.am.jssproxy.trustAllServerCerts
Default value is false. If set to true, Access Manager ignores all certificate-related problems, such as a name mismatch, and continues the SSL handshake. In effect the remote server's certificate is not validated at all, so any host that presents any certificate is accepted. Enable this property only for testing, or where the enterprise network is tightly controlled, and never where a server connects to a server in a different network.
com.iplanet.am.jssproxy.SSLTrustHostList
If set, Access Manager checks each server FQDN in the list against the server host in the certificate CN. If an FQDN in the list matches the server certificate CN, Access Manager continues the SSL handshake even when there is an "Incorrect Domain name" error. Use the following syntax to set the property:
com.iplanet.am.jssproxy.SSLTrustHostList=fqdn_am_server1,fqdn_am_server2,fqdn_am_server3
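To make the interaction of the four com.iplanet.am.jssproxy.* properties concrete, here is an added model of the server-name decision in Python. It is not Access Manager code: the order in which the checks are applied, and the reading of checkSubjectAltName (the SAN entry must equal the server FQDN and that FQDN must appear in the configured list) are assumptions made for this example, and the certificate names and configuration dictionaries are constructed.

```python
from typing import Dict, Iterable, Tuple

# Added example (not Access Manager code): a model of the server-certificate
# name checks controlled by the com.iplanet.am.jssproxy.* properties.
P = "com.iplanet.am.jssproxy."


def _host_list(value: str) -> set:
    """Comma-separated FQDNs, lower-cased; the literal 'false' means unset."""
    return {h.strip().lower() for h in value.split(",")
            if h.strip() and h.strip().lower() != "false"}


def server_cert_acceptable(server_fqdn: str, cert_cn: str, cert_sans: Iterable[str],
                           props: Dict[str, str]) -> Tuple[bool, str]:
    """Return (accepted, reason) for a server certificate presented by server_fqdn."""
    fqdn = server_fqdn.lower()
    cn = cert_cn.lower()
    sans = {s.lower() for s in cert_sans}

    if props.get(P + "trustAllServerCerts", "false").lower() == "true":
        # Every certificate problem, including a name mismatch, is ignored, so an
        # attacker in the path presenting any certificate is accepted.
        return True, "trustAllServerCerts=true: no validation performed"
    if cn == fqdn:
        return True, "CN matches server FQDN"
    trusted_sans = _host_list(props.get(P + "checkSubjectAltName", "false"))
    if fqdn in trusted_sans and fqdn in sans:
        return True, "server FQDN found in SubjectAltName"
    trust_hosts = _host_list(props.get(P + "SSLTrustHostList", ""))
    if cn in trust_hosts:
        return True, "CN is in SSLTrustHostList: Incorrect Domain name error tolerated"
    return False, "Incorrect Domain name: CN does not match server FQDN"


# Constructed configurations: the documented default, the two list-based
# relaxations, and the test-only setting that disables validation.
DEFAULT_CONFIG = {P + "trustAllServerCerts": "false"}
SAN_CONFIG = {P + "checkSubjectAltName": "amserv1.example.com,amserv2.example.com"}
TRUSTLIST_CONFIG = {P + "SSLTrustHostList": "amserv1.example.com, amserv2.example.com"}
UNSAFE_CONFIG = {P + "trustAllServerCerts": "true"}

if __name__ == "__main__":
    cases = [
        ("amserv1.example.com", "amserv1.example.com", [], DEFAULT_CONFIG),
        ("amserv1.example.com", "lb.example.com", ["amserv1.example.com"], DEFAULT_CONFIG),
        ("amserv1.example.com", "lb.example.com", ["amserv1.example.com"], SAN_CONFIG),
        ("am.internal", "amserv2.example.com", [], TRUSTLIST_CONFIG),
        ("am.internal", "evil.example.net", [], UNSAFE_CONFIG),
    ]
    for server, cn, sans, cfg in cases:
        print(server, cn, sans, "->", server_cert_acceptable(server, cn, sans, cfg))
```

The list-based properties widen the set of accepted names to the hosts you enumerate, which is what a load-balanced or multi-homed deployment needs; trustAllServerCerts widens it to everything, which is why the text confines it to test networks.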
com.sun.identity.jss.donotInstallAtHighestPriority
Default value is false. Determines if JSS will be added with highest priority to JCE. Set to true if other JCE providers should be used for digital signatures and encryptions.
com.iplanet.am.ldap.connection.delay.between.retries
Default is 1000. Specifies the number of milliseconds between retries.
com.iplanet.am.ldap.connection.ldap.error.codes.retries
Default values are 80,81,91. Specifies the LDAPException error codes for which retries to re-establish the LDAP connection will trigger.
com.iplanet.am.ldap.connection.num.retries
Default value is 3. Specifies the number of attempts made to successfully re-establish the LDAP connection.
com.sun.identity.liberty.interaction.htmlStyleSheetLocation
Value is set during installation. Example: /opt/SUNWam/lib/is-html.xsl
Specifies path to style sheet that renders the interaction page in HTML.
com.sun.identity.liberty.interaction.wmlStyleSheetLocation
Value is set during installation. Example: /opt/SUNWam/lib/is-wml.xsl
Specifies path to style sheet that renders the interaction page in WML.
com.sun.identity.liberty.interaction.wscSpecifiedInteractionChoice
Default value is interactIfNeeded. Indicates whether a web service consumer participates in an interaction. Allowed values are:
interactIfNeeded: Interacts only if required. Also used if an invalid value is specified.
doNotInteract: No interaction.
doNotInteractForData: No interaction for data.
com.sun.identity.liberty.interaction.wscSpecifiedMaxInteractionTime
Default value is 80. Web service consumer's preference on the acceptable duration for interaction. The value is expressed in seconds. The default value is used if the value is not specified or if a non-integer value is specified.
com.sun.identity.liberty.interaction.wscWillEnforceHttpsCheck
The default value is yes. Indicates whether a web service consumer enforces the requirement that a request redirected to a URL uses HTTPS. Valid values are yes and no. The case is ignored. The Liberty specification requires the value to be yes. If no value is specified, the default value is used.
com.sun.identity.liberty.interaction.wscWillInlcudeUserInteractionHeader
Default value is yes. If no value is specified, the default value is used. Indicates whether a web service consumer includes the userInteractionHeader. Allowable values are yes and no. The case is ignored.
com.sun.identity.liberty.interaction.wscWillRedirect
Default value is yes. Indicates whether the web service consumer redirects the user for interaction. Valid values are yes and no. If no value is specified, the default value is used.
com.sun.identity.liberty.interaction.wspRedirectHandler
Value is set during installation. Example: http://hostName.domainName.com:portNumber/amserver/WSPRedirectHandler
Specifies the URL WSPRedirectHandlerServlet uses to handle Liberty WSF WSP-resource owner interactions based on user agent redirects. This should be running in the same JVM where the Liberty service provider is running.
com.sun.identity.liberty.interaction.wspRedirectTime
Default is 30. Web service provider's expected duration for interaction. Expressed in seconds. If the value is not specified, or if the value is a non-integer, the default value is used.
com.sun.identity.liberty.interaction.wspWillEnforceHttpsCheck
Default value is yes. If no value is specified, the default value is used. Indicates whether the web service provider enforces the requirement that the returnToURL use HTTPS. Valid values are yes and no (case ignored). The Liberty specification requires the value to be yes.
com.sun.identity.liberty.interaction.wspWillEnforceReturnToHostEqualsRequestHost
Indicates whether the web service provider enforces that returnToHost and requestHost are the same. Valid values are yes and no. The Liberty specification requires the value to be yes.
com.sun.identity.liberty.interaction.wspWillRedirect
Default is yes. If no value is specified, the default value is used. Indicates whether a web service provider redirects the user for interaction. Valid values are yes and no. Case is ignored.
com.sun.identity.liberty.interaction.wspWillRedirectForData
Default value is yes. If no value is specified, the default value is used. Indicates whether the web service provider redirects the user for interaction for data. Valid values are yes and no. Case is ignored.
com.sun.identity.liberty.ws.jaxb.namespacePrefixMappingList
Default value is S=http://schemas.xmlsoap.org/soap/envelope/|sb=urn:liberty:sb:2003-08|pp=urn:liberty:id-sis-pp:2003-08|ispp=http://www.sun.com/identity/liberty/pp|is=urn:liberty:is:2003-08|. Specifies the namespace prefix mapping used when marshalling a JAXB content tree to a DOM tree. The syntax is prefix=namespace|prefix=namespace|...
com.sun.identity.liberty.ws.jaxb.packageList
Specifies JAXB package list used when constructing JAXBContext. Each package must be separated by a colon (:).
com.sun.identity.liberty.ws.security.TokenProviderImpl
Default value is com.sun.identity.liberty.ws.security.AMSecurityTokenProvider. Specifies the implementation of the security token provider.
com.sun.identity.liberty.ws.soap.certalias
Value is set during installation. Client certificate alias that will be used in SSL connection for Liberty SOAP Binding.
com.sun.identity.liberty.ws.soap.messageIDCacheCleanupInterval
Default value is 60000. Specifies the number of milliseconds between cache cleanup runs. Each message is stored in a cache under its own messageID to avoid duplicate messages. When the current time minus the time a message was received exceeds the staleTimeLimit value, the message is removed from the cache.
com.sun.identity.liberty.ws.soap.staleTimeLimit
Default value is 300000. Determines when a message is stale and thus no longer trustworthy. If the message timestamp is earlier than the current time by more than the specified number of milliseconds, the message is considered stale.
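The two properties above together form a replay check: the messageID cache rejects a message whose ID has already been seen, and staleTimeLimit rejects a message whose timestamp is too old, which is what allows the cache to be trimmed at each cleanup interval without opening a replay window. The following Python model is an added example, not Access Manager code; it uses an injectable millisecond clock so the behaviour can be checked deterministically, and the message IDs and timestamps are constructed.

```python
import time
from typing import Callable, Dict, Tuple

# Added example (not Access Manager code): replay protection built from a
# messageID cache plus a stale-time limit, with the two intervals from
# com.sun.identity.liberty.ws.soap.messageIDCacheCleanupInterval and
# com.sun.identity.liberty.ws.soap.staleTimeLimit (both in milliseconds).


class MessageIDCache:
    def __init__(self, stale_time_limit_ms: int = 300000,
                 cleanup_interval_ms: int = 60000,
                 clock_ms: Callable[[], int] = lambda: int(time.time() * 1000)):
        self.stale_time_limit_ms = stale_time_limit_ms
        self.cleanup_interval_ms = cleanup_interval_ms
        self.clock_ms = clock_ms
        self._received: Dict[str, int] = {}   # messageID -> time received (ms)
        self._last_cleanup_ms = clock_ms()

    def accept(self, message_id: str, message_timestamp_ms: int) -> Tuple[bool, str]:
        """Decide whether an incoming message is fresh and unseen."""
        now = self.clock_ms()
        self._cleanup_if_due(now)
        # staleTimeLimit: a timestamp older than now - limit is not trusted, even if
        # its ID is unknown (for instance because the entry was already evicted).
        if now - message_timestamp_ms > self.stale_time_limit_ms:
            return False, "stale"
        # messageID cache: a reused ID within the freshness window is a replay.
        if message_id in self._received:
            return False, "duplicate"
        self._received[message_id] = now
        return True, "accepted"

    def _cleanup_if_due(self, now: int) -> None:
        """Evict entries received more than staleTimeLimit ago, once per cleanup interval."""
        if now - self._last_cleanup_ms < self.cleanup_interval_ms:
            return
        self._received = {mid: rcv for mid, rcv in self._received.items()
                          if now - rcv <= self.stale_time_limit_ms}
        self._last_cleanup_ms = now

    def size(self) -> int:
        return len(self._received)


if __name__ == "__main__":
    cache = MessageIDCache()
    now = int(time.time() * 1000)
    print(cache.accept("urn:uuid:msg-1", now - 1000))     # accepted
    print(cache.accept("urn:uuid:msg-1", now - 1000))     # duplicate
    print(cache.accept("urn:uuid:msg-2", now - 600000))   # stale
```

Eviction is safe only because a message is received no earlier than its timestamp: anything whose cache entry is older than staleTimeLimit carries a timestamp that fails the stale check anyway, so a cleanup interval shorter than staleTimeLimit never lets a replay through. Two assumptions the model does not cover: the timestamp must be covered by the message signature, or an attacker can refresh it, and a timestamp from the future passes the stale check, so deployments with unreliable clocks may also want an upper bound.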
com.sun.identity.liberty.ws.soap.supportedActors
Default value is http://schemas.xmlsoap.org/soap/actor/next. Specifies supported SOAP actors. Each actor must be separated by a pipe character (|).
com.sun.identity.liberty.ws.ta.certalias
Value is set during installation. Specifies the certificate alias for the trusted authority that signs the SAML or SAML-BEARER token of the response message.
com.sun.identity.liberty.ws.wsc.certalias
Value is set during installation. Specifies default certificate alias for issuing web service security token for this web service client.
com.sun.identity.liberty.ws.trustedca.certaliases
Value is set during installation.
Specifies certificate aliases for trusted CAs. The SAML or SAML-BEARER token of an incoming request message must be signed by a trusted CA in this list. The syntax is cert alias 1[:issuer 1]|cert alias 2[:issuer 2]|... Example: myalias1:myissuer1|myalias2|myalias3:myissuer3. The issuer value is used when the token has no KeyInfo inside the signature: the issuer of the token must be in this list, and the corresponding certificate alias is used to verify the signature. If KeyInfo exists, the keystore must contain a certificate alias that matches the KeyInfo, and that certificate alias must be in this list.
com.sun.identity.saml.removeassertion
Default value is true. A flag to indicate if de-referenced assertions should be removed from the cache. Applies to assertions that were created associated with artifacts, and have been de-referenced.
com.iplanet.am.logstatus
Specifies whether logging is turned on (ACTIVE) or off (INACTIVE). Value is set to ACTIVE during installation.
You can configure the degree of detail to be contained in a specific log file by adding attributes to the AMConfig.properties file. Use the following format:
iplanet-am-logging.logfileName.level=java.util.logging.Level, where logfileName is the name of a log file for an Access Manager service (see Table 6–1) and java.util.logging.Level is an allowable level value. Access Manager services log at the INFO level. SAML and Identity Federation services also log at more detailed levels (FINE, FINER, FINEST). Example:
iplanet-am-logging.amSSO.access.level=FINER
In addition there is a level OFF that can be used to turn off logging, and a level ALL that can be used to enable logging of all messages. Example:
iplanet-am-logging.amConsole.access.level=OFF
Table 6–1 Access Manager Log Files
Log File Name | Records Logged
---|---
amAdmin.access | Successful amadmin command-line events
amAdmin.error | amadmin command-line error events
amAuthLog.access | Access Manager Policy Agent related events. See the note following this table.
amAuthentication.access | Successful authentication events
amAuthentication.error | Authentication failures
amConsole.access | Console events
amConsole.error | Console error events
amFederation.access | Successful Federation events
amFederation.error | Federation error events
amPolicy.access | Storage of policy allow events
amPolicy.error | Storage of policy deny events
amSAML.access | Successful SAML events
amSAML.error | SAML error events
amLiberty.access | Successful Liberty events
amLiberty.error | Liberty error events
amSSO.access | Single sign-on creation and destruction
amSSO.error | Single sign-on error events
The amAuthLog filename is determined by the Policy Agent properties in AMAgent.properties. For Web Policy Agents, the property is com.sun.am.policy.agents.config.remote.log. For J2EE Policy Agents, the property is com.sun.identity.agents.config.remote.logfile. The default is amAuthLog.host.domain.port, where host.domain is the fully-qualified host name of the host running the Policy Agent web server, and where port is the port number of that web server. If you have multiple Policy Agents deployed, you can have multiple instances of this file. The property com.sun.identity.agents.config.audit.accesstype (for both Web and J2EE Agents) determines what data is logged remotely. The logged data can include policy allows, policy denies, both allows and denies, or neither allows nor denies.
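A small checker for the iplanet-am-logging.logfileName.level entries described above, added here as an example (not Access Manager code): it honours the /* ... */ comment convention of AMConfig.properties, validates the log file name against Table 6–1 and the level against java.util.logging.Level names, and flags a misspelled key, which otherwise never takes effect. The SAMPLE fragment is constructed input.

```python
import re

# Log file names from Table 6-1 (amAuthLog is agent-specific; see the note above).
LOG_FILES = {"amAdmin.access", "amAdmin.error", "amAuthLog.access",
             "amAuthentication.access", "amAuthentication.error",
             "amConsole.access", "amConsole.error", "amFederation.access",
             "amFederation.error", "amPolicy.access", "amPolicy.error",
             "amSAML.access", "amSAML.error", "amLiberty.access",
             "amLiberty.error", "amSSO.access", "amSSO.error"}
# java.util.logging.Level names accepted as values.
LEVELS = {"OFF", "SEVERE", "WARNING", "INFO", "CONFIG", "FINE", "FINER", "FINEST", "ALL"}
KEY_RE = re.compile(r"^iplanet-am-logging\.(?P<logfile>[^.=\s]+\.[^.=\s]+)\.level$")

# Constructed AMConfig.properties fragment (sample input, not a real file).
SAMPLE = """\
/* constructed fragment; Access Manager ignores this comment block
 * iplanet-am-logging.amSAML.access.level=FINEST
 */
iplanet-am-logging.amSSO.access.level=FINER
iplanet-am-logging.amConsole.access.evel=OFF
iplanet-am-logging.amSAML.access.level=FINEST
iplanet-am-logging.amFoo.error.level=INFO
iplanet-am-logging.amPolicy.error.level=VERBOSE
"""

def check_logging_levels(text):
    """Return one finding per bad iplanet-am-logging line; an empty list means clean."""
    findings, in_comment = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if in_comment or line.startswith("/*"):  # comments end on a line containing */
            in_comment = "*/" not in line
            continue
        if not line.startswith("iplanet-am-logging."):
            continue                              # another property; not checked here
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        m = KEY_RE.match(key)
        if not m:  # a key that does not match the documented format never takes effect
            findings.append(f"line {lineno}: malformed key '{key}', setting has no effect")
            continue
        logfile = m.group("logfile")
        if logfile not in LOG_FILES:
            findings.append(f"line {lineno}: unknown log file '{logfile}'")
        if value not in LEVELS:
            findings.append(f"line {lineno}: '{value}' is not a java.util.logging.Level")
    return findings
```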
com.iplanet.am.naming.failover.url
This property is no longer being used in Access Manager 7.0.
com.iplanet.am.naming.url
Value is set during installation. Example: http://hostName.domainName.com:portNumber/amserver/namingservice
Specifies the naming service URL to use.
Use the following keys to configure the notification thread pool.
com.iplanet.am.notification.threadpool.size
Default value is 10. Defines the size of the pool by specifying the total number of threads.
com.iplanet.am.notification.threadpool.threshold
Default value is 100. Specifies the maximum task queue length.
When a notification task comes in, it is sent to the task queue for processing. If the queue reaches the maximum length, further incoming requests will be rejected along with a ThreadPoolException, until the queue has a vacancy.
com.iplanet.am.notification.url
Value is set during installation. Example: http://hostName.domainName.com:portNumber/amserver/notificationservice
com.iplanet.am.policy.agents.url.deploymentDescriptor
Value is set during installation. Example: AGENT_DEPLOY_URI
com.sun.identity.agents.app.username
Default value is UrlAccessAgent. Specifies the username to use for the Application authentication module.
com.sun.identity.agents.cache.size
Default value is 1000. Specifies the size of the resource result cache. The cache is created on the server where the policy agent is installed.
com.sun.identity.agents.header.attributes
Default values are cn,ou,o,mail,employeenumber,c. Specifies the policy attributes to be returned by the policy evaluator. Uses the form a[,...]. In this example, a is the attribute in the data store to be fetched.
com.sun.identity.agents.logging.level
Default value is NONE. Controls the granularity of the Policy Client API logging level. Possible values are:
ALLOW: Logs access allowed requests.
DENY: Logs access denied requests.
BOTH: Logs both access allowed and access denied requests.
NONE: Logs no requests.
com.sun.identity.agents.notification.enabled
Default value is false. Enables or disables notifications for the Policy Client API.
com.sun.identity.agents.notification.url
Used by the policy client SDK to register policy change notifications. A mis-configuration of this property will result in policy notifications being disabled.
com.sun.identity.agents.polling.interval
Default value is 3. Specifies the polling interval, which is the number of minutes after which an entry is dropped from the Client API's cache.
com.sun.identity.agents.resource.caseSensitive
Default value is false. Indicates whether case-sensitive matching is turned on or off during policy evaluation.
com.sun.identity.agents.true.value
Indicates the true value of a policy action. This value can be ignored if the application does not need to access the PolicyEvaluator.isAllowed method. This value signifies how a policy decision from Access Manager should be interpreted. Default value is allow.
com.sun.identity.agents.resource.comparator.class
Default value is com.sun.identity.policy.plugins.URLResourceName
Specifies the resource comparison class name. Available implementation classes are: com.sun.identity.policy.plugins.PrefixResourceName and com.sun.identity.policy.plugins.URLResourceName.
com.sun.identity.agents.resource.delimiter
Default value is a forward slash (/). Specifies the delimiter for the resource name.
com.sun.identity.agents.resource.wildcard
Default value is *. Specifies the wildcard for the resource name.
com.sun.identity.agents.server.log.file.name
Default value is amRemotePolicyLog. Specifies the name of the log file to use for logging messages to Access Manager. Only the name of the file is needed. The directory of the file is determined by other Access Manager configuration settings.
com.sun.identity.agents.use.wildcard
Default value is true. Indicates whether to use a wildcard for resource name comparison.
com.sun.identity.policy.client.booleanActionValues
Default value is iPlanetAMWebAgentService|GET|allow|deny:iPlanetAMWebAgentService|POST|allow|deny.
Specifies Boolean action values for policy action names. Uses the form serviceName|actionName|trueValue|falseValue. Entries for different action names are delimited by a colon (:).
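A parser for the serviceName|actionName|trueValue|falseValue[:...] format, added here as an example (not the Policy Client API; the product itself interprets decisions through PolicyEvaluator.isAllowed and com.sun.identity.agents.true.value). The value strings used in the checks are the documented default.

```python
# Added example: parse com.sun.identity.policy.client.booleanActionValues and map a
# policy decision string to a Boolean for a given service and action.

def parse_boolean_action_values(value):
    """Return {(serviceName, actionName): (trueValue, falseValue)}.
    A trailing colon, as in the documented default, is tolerated."""
    table = {}
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        parts = entry.split("|")
        if len(parts) != 4:
            raise ValueError(f"expected 4 pipe-separated fields, got {entry!r}")
        service, action, true_value, false_value = parts
        table[(service, action)] = (true_value, false_value)
    return table

def interpret_decision(table, service, action, decision):
    """Map a decision string to True/False.  Returns None for an unconfigured
    service/action pair or an unrecognised value, so the caller can fail closed
    instead of treating an unexpected string as an allow."""
    mapping = table.get((service, action))
    if mapping is None:
        return None
    true_value, false_value = mapping
    if decision == true_value:
        return True
    if decision == false_value:
        return False
    return None

# The documented default value, including the trailing colon as printed above.
DEFAULT_BOOLEAN_ACTION_VALUES = (
    "iPlanetAMWebAgentService|GET|allow|deny:"
    "iPlanetAMWebAgentService|POST|allow|deny:"
)
```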
com.sun.identity.policy.client.cacheMode
Default value is self. Specifies the cache mode for the client policy evaluator. Valid values are subtree and self. If set to subtree, the policy evaluator obtains policy decisions from the server for all resources from the root down to the resource actually requested. If set to self, the policy evaluator gets the policy decision from the server only for the resource actually requested.
com.sun.identity.policy.client.clockSkew
Adjusts for the time difference between the policy client machine and the policy server. If this property does not exist, and the policy agent time differs from the policy server time, you occasionally see an incorrect policy decision. You must run a time-syncing service to keep the time on the policy server and on the policy client as close as possible; use this property to adjust for the small remaining difference regardless of the time-syncing service. Clock skew in seconds = agentTime - serverTime. Comment the property out on the policy server. On the policy client machine (the machine running the policy agent), uncomment the line and set it to the agent-server clock skew in seconds.
com.sun.identity.policy.client.resourceComparators
Default value is serviceType=iPlanetAMWebAgentService|class=com.sun.identity.policy.plugins.URLResourceName|wildcard=*|delimiter=/|caseSensitive=true.
Specifies the ResourceComparators to be used for different service names. Copy the value from the Access Manager console: go to Service Configuration > PolicyConfiguration > Global:ResourceComparator. Concatenate multiple values from Access Manager using a colon (:) as the delimiter.
com.iplanet.am.profile.host
This property is no longer used in Access Manager 7. It is provided only for backward compatibility. Value is set during installation. Example: hostName.domainName.com
com.iplanet.am.profile.port
This property is no longer used in Access Manager 7. It is provided only for backward compatibility. Value is set during installation. Example: 80
Use the following keys to configure replication setup.
com.iplanet.am.replica.delay.between.retries
Default value is 1000. Specifies the number of milliseconds between retries.
com.iplanet.am.replica.num.retries
Default value is 0. Specifies the number of times to retry.
com.sun.identity.saml.assertion.version
Default value is 1.1. Specifies default SAML version used. Possible values are 1.0 or 1.1.
com.sun.identity.saml.checkcert
Default value is on. Flag for checking the certificate embedded in the KeyInfo against the certificates in the keystore. Certificates in the keystore are specified by the com.sun.identity.saml.xmlsig.keystore property. Possible values are:
on: The certificate must be present in the keystore for XML signature validation.
off: Skips the presence check.
com.sun.identity.saml.protocol.version
Default value is 1.1. Specifies default SAML version used. Possible values are 1.0 or 1.1.
com.sun.identity.saml.request.maxContentLength
Default value is 16384. Specifies the maximum content-length for an HTTP Request that will be used in SAML.
com.sun.identity.saml.xmlsig.certalias
Default value is test.
com.sun.identity.saml.xmlsig.keypass
Value is set during installation. Example: /etc/opt/SUNWam/config/.keypass
Specifies the path to the SAML XML key password file.
com.sun.identity.saml.xmlsig.keystore
Value is set during installation. Example: /etc/opt/SUNWam/config/keystore.jks
Specifies the path to the SAML XML keystore password file.
com.sun.identity.saml.xmlsig.storepass
Value is set during installation. Example: /etc/opt/SUNWam/config/.storepass
Specifies the path to the SAML XML key storepass file.
com.iplanet.security.encryptor
Default value is com.iplanet.services.util.JSSEncryption. Specifies the encrypting class implementation. Available classes are: com.iplanet.services.util.JCEEncryption and com.iplanet.services.util.JSSEncryption.
com.iplanet.security.SecureRandomFactoryImpl
Default value is com.iplanet.am.util.JSSSecureRandomFactoryImpl. Specifies the factory class name for SecureRandomFactory. Available implementation classes are: com.iplanet.am.util.JSSSecureRandomFactoryImpl which uses JSS, and com.iplanet.am.util.SecureRandomFactoryImpl which uses pure Java.
com.iplanet.security.SSLSocketFactoryImpl
Default value is com.iplanet.services.ldap.JSSSocketFactory. Specifies the factory class name for LDAPSocketFactory. Available classes are: com.iplanet.services.ldap.JSSSocketFactory which uses JSS, and netscape.ldap.factory.JSSESocketFactory which uses pure Java.
com.sun.identity.security.checkcaller
Default value is false. Enables or disables Java security manager permissions check for Access Manager. Disabled by default. If enabled, then you should make appropriate changes to the Java policy file of the container in which Access Manager is deployed. This way, Access Manager JAR files can be trusted for performing sensitive operations. For more information, see the Java API Reference (Javadoc) entry for com.sun.identity.security.
am.encryption.pwd
Value is set during installation. Example: dSB9LkwPCSoXfIKHVMhIt3bKgibtsggd
Specifies the key used to encrypt and decrypt passwords.
com.iplanet.am.clientIPCheckEnabled
Default value is false. Specifies whether or not the IP address of the client is checked in all SSOToken creations or validations.
com.iplanet.am.session.client.polling.enable
This is a READ-ONLY property. Do not modify the property value.
Default value is false. Enables client-side session polling. Please note that the session polling mode and the session notification mode are mutually exclusive. If the polling mode is enabled, the session notification is automatically turned off, and vice versa.
com.iplanet.am.session.client.polling.period
Default value is 180. Specifies number of seconds in a polling period.
com.iplanet.am.session.httpSession.enabled
Default value is true. Enables or disables the use of HttpSession.
com.iplanet.am.session.invalidsessionmaxtime
Default value is 10. Specifies the number of minutes after which the invalid session will be removed from the session table if it is created and the user does not login. This value should always be greater than the timeout value in the Authentication module properties file.
com.iplanet.am.session.maxSessions
Default value is 5000. Specify the maximum number of allowable concurrent sessions.
Login returns a Maximum Sessions error if the number of concurrent sessions exceeds this value.
com.iplanet.am.session.protectedPropertiesList
Allows you to protect certain core or internal session properties from remote updates via the SetProperty method of the Session Service. By setting this “hidden” key security parameter, you can customize session attributes in order to participate in authorization as well as other Access Manager features. To use this parameter:
With a text editor, add the parameter to the AMConfig.properties file.
Set the parameter to the session properties that you want to protect. For example:
com.iplanet.am.session.protectedPropertiesList = PropertyName1,PropertyName2,PropertyName3
Restart the Access Manager Web container for the values to take effect.
com.iplanet.am.session.purgedelay
Default value is 60. Specifies the number of minutes to delay the purge session operation.
After a session times out, this is an extended time period during which the session continues to reside in the session server. This property is used by the client application to check if the session has timed out through SSO APIs. At the end of this extended time period, the session is destroyed. The session is not sustained during the extended time period if the user logs out or if the session is explicitly destroyed by an Access Manager component. The session is in the INVALID state during this extended period.
com.sun.am.session.caseInsensitiveDN
Default value is true. Specifies whether the Agent DN comparison is case-insensitive. If the value is false, the comparison is case-sensitive.
com.sun.am.session.enableHostLookUp
Default value is false. Enables or disables host lookup during session logging.
com.iplanet.am.smtphost
Default value is localhost. Specifies the mail server host.
com.iplanet.am.smtpport
Default value is 25. Specifies the mail server port.
com.iplanet.am.stats.interval
Default value is 60. Specifies number of minutes to elapse between statistics logging. Minimum is 5 seconds to avoid CPU saturation. Access Manager assumes any value less than 5 seconds to be 5 seconds.
com.iplanet.services.stats.directory
Value is set during installation. Example: /var/opt/SUNWam/stats
Specifies the directory where debug files are created.
com.iplanet.services.stats.state
Default value is file. Specifies the location of the statistics log. Possible values are:
off: No statistics are logged.
file: Statistics are written to a file under the directory specified by com.iplanet.services.stats.directory.
console: Statistics are written into the Web Server log files.