Sun Java System Access Manager 7.1 Administration Reference

System Properties

System Properties contain the following default services that you can configure:

Client Detection

An initial step in the authentication process is to identify the type of client making the HTTP(S) request. This Access Manager feature is known as client detection. The URL information is used to retrieve the client's characteristics. Based on these characteristics, the appropriate authentication pages are returned. For example, when a Netscape browser is used to request a web page, Access Manager 7.1 displays an HTML login page. Once the user is validated, the client type (Netscape browser) is added to the session token. The attributes defined in the Client Detection service are global attributes.

Client Types

In order to detect client types, Access Manager needs to recognize their identifying characteristics. These characteristics identify the properties of all supported types in the form of client data. This attribute allows you to modify the client data through the Client Manager interface. To access the Client Manager, click the Edit link. Out of the box, Access Manager contains the following client types:

For descriptions of these client types, see the Sun Java System Portal Server, Remote Access Administration Guide at http://docs.sun.com/app/docs/coll/1293.1?l=en.

Client Manager

The Client Manager is the interface that lists the base clients, styles and associated properties, and allows you to add and configure devices. The Base client types are listed at the top of Client Manager. These client types contain the default properties that can be inherited by all devices that belong to the client type.

Client Type

Style Profile

The Client Manager groups all available clients, including the Base client type itself, in the Client Type list. For each client, you can modify the client properties by clicking on the device name. The properties are then displayed in the Client Editor window. To edit the properties, select the following classifications from the pull-down list:

Hardware Platform

Contains properties of the device's hardware, such as display size, supported character sets, and so forth.

Software Platform

Contains properties of the device's application environment, operating system, and installed software.

Network Characteristics

Contains properties describing the network environment, including the supported bearers.

BrowserUA

Contains attributes related to the browser user agent running on the device.

WapCharacteristics

Contains properties of the Wireless Application Protocol (WAP) environment supported by the device.

PushCharacteristicNames

Contains properties of the WAP environment supported by the device.

Additional Properties

Contains properties of the Wireless Application Protocol (WAP) environment supported by the device.


Note –

For specific property definitions, see the Open Mobile Alliance Ltd. (OMA) Wireless Application Protocol, Version 20-Oct-2001 at http://www1.wapforum.org/tech/terms.asp?doc=WAP-248-UAProf-20011020-a.pdf.

In order to access the document, you may first have to register with WAP Forum™. For information, please visit http://www.wapforum.org/faqs/index.htm.


Default Client Type

This attribute defines the default client type derived from the list of client types in the Client Types attribute. The default is genericHTML.

Client Detection Class

This attribute defines the client detection class through which all client detection requests are routed. The string returned by this class should match one of the client types listed in the Client Types attribute. The default client detection class is com.sun.mobile.cdm.FEDIClientDetector. Access Manager also contains com.iplanet.services.cdm.ClientDetectionDefaultImpl.

Client Detection

Enables client detection. If client detection is enabled (the default), every request is routed through the class specified in the Client Detection Class attribute. If this attribute is not selected, Access Manager assumes that the client is genericHTML and is being accessed from an HTML browser.

Procedure: To Add a New Client

  1. Click New in the Client Type list.

  2. Select the device type with the following fields:

    Style

    Displays the base style for the device. For example, HTML.

    Device User Agent

    Accepts the name for the device.

  3. Click Next.

  4. Enter the following information for the new device:

    Client Type Name

    Accepts the name for the device. The name must be unique across all devices.

    The HTTP User String

    Defines the User-Agent in the HTTP request header. For example, Mozilla/4.0.

  5. Click Finish.

  6. To duplicate a device and its properties, click the Duplicate link. Device names must be unique. By default, Access Manager will rename the device to copy_of_devicename.
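As an added illustration, not code from Access Manager, the following Go program models how the settings above combine at request time: client data entries carrying an HTTP User String, the Client Detection switch, and the genericHTML default that applies when detection is off or nothing matches. The user strings and the demoPhoneWML entry are constructed for the demo.

```go
package main

import "strings"

// ClientType mirrors one entry in the Client Types attribute: the unique
// Client Type Name and the HTTP User String matched against User-Agent.
type ClientType struct {
	Name       string
	UserString string
}

// ClientDetector holds the Client Detection service settings described above.
type ClientDetector struct {
	Enabled     bool         // Client Detection attribute
	DefaultType string       // Default Client Type attribute
	Types       []ClientType // Client Types attribute (client data)
}

// Detect returns the client type for a User-Agent request header. With
// detection disabled the request is assumed to come from an HTML browser and
// the default type is returned without consulting the client data. Among the
// entries whose HTTP User String occurs in the header the longest wins, so a
// specific device entry beats the generic Mozilla/4.0 entry that the same
// header also contains; no match at all falls back to the default type.
func (d ClientDetector) Detect(userAgent string) string {
	if !d.Enabled {
		return d.DefaultType
	}
	best, bestLen := d.DefaultType, 0
	for _, ct := range d.Types {
		if ct.UserString == "" || !strings.Contains(userAgent, ct.UserString) {
			continue
		}
		if len(ct.UserString) > bestLen {
			best, bestLen = ct.Name, len(ct.UserString)
		}
	}
	return best
}

// TagSession records the detected type in the session token once the user
// has been validated, as the reference describes.
func TagSession(token map[string]string, clientType string) {
	token["clientType"] = clientType
}

// NewDemoDetector builds a detector from constructed client data: the
// out-of-the-box genericHTML type plus a hypothetical WML phone entry.
func NewDemoDetector(enabled bool) ClientDetector {
	return ClientDetector{
		Enabled:     enabled,
		DefaultType: "genericHTML",
		Types: []ClientType{
			{Name: "genericHTML", UserString: "Mozilla/4.0"},   // constructed
			{Name: "demoPhoneWML", UserString: "DemoPhone/1.0"}, // constructed
		},
	}
}
```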

Logging

The Logging service provides status and error messages related to Access Manager administration. An administrator can configure values such as log file size and log file location. Access Manager can record events in flat text files or in a relational database. The Logging service attributes are global attributes. The attributes are:

Maximum Log Size

This attribute accepts a value for the maximum size (in bytes) of an Access Manager log file. The default value is 1000000.

Number of History Files

This attribute has a value equal to the number of backup log files that will be retained for historical analysis. Any integer can be entered depending on the partition size and available disk space of the local system. The default value is 3.

The history files only apply to the FILE logging type. When the logging type is set to DB, there are no history files, and Access Manager sets no explicit limit on the size of the log.


Note –

Entering a value of 0 is interpreted to be the same as a value of 1, meaning that if you specify 0, a history log file will be created.


Log File Location

The file-based logging function needs a location where log files can be stored. This field accepts a full directory path to that location. The default location is:

/var/opt/SUNWam/logs

If a non-default directory is specified, Access Manager will create the directory if it does not exist. You should then set the appropriate permissions for that directory (for example, 0700).

When configuring the log location for DB (database) logging (such as Oracle or MySQL), part of the log location is case sensitive. For example, if you are logging to an Oracle database, the log location should be (note case sensitivity):

jdbc:oracle:thin:@machine.domain:port:DBName

To configure logging to DB, add the JDBC driver files to the web container's JVM classpath. You also need to add the JDBC driver files to the classpath of the amadmin script manually; otherwise amadmin logging cannot load the JDBC driver.

Changes to logging attributes usually take effect after you save them. This does not require you to restart the server. If you are changing to secure logging, however, you should restart the server.

Logging Type

Enables you to specify either File, for flat file logging, or DB for database logging.

If the Database User Name or Database User Password is invalid, it will seriously affect Access Manager processing. If Access Manager or the console becomes unstable, set the following property in AMConfig.properties:

com.iplanet.am.logstatus=INACTIVE

After you have set the property, restart the server. You can then log in to the console and reset the logging attribute. Then, change the logstatus property to ACTIVE and restart the server.

Database User Name

This attribute accepts the name of the user that will connect to the database when the Logging Type attribute is set to DB.

Database User Password

This attribute accepts the database user password when the Logging Type attribute is set to DB.

Database User Password (confirm)

Confirm the database password.

Database Driver Name

This attribute enables you to specify the driver used for the logging implementation class.

Configurable Log Fields

Represents the list of fields that are to be logged. By default, all of the fields are logged. The fields are:

At minimum you should log CONTEXTID, DOMAIN, HOSTNAME, LOGINID and MESSAGEID.

Log Verification Frequency

This attribute sets the frequency (in seconds) that the server should verify the logs to detect tampering. The default time is 3600 seconds. This parameter applies to secure logging only.

Log Signature Time

This parameter sets the frequency (in seconds) that the log will be signed. The default time is 900 seconds. This parameter applies to secure logging only.

Secure Logging

This attribute enables or disables secure logging. By default, secure logging is off. Secure Logging enables detection of unauthorized changes or tampering of security logs.

Secure Logging Signing Algorithm

This attribute selects the signing algorithm. The choices are built from RSA and DSA (Digital Signature Algorithm), which use a private key for signing and a public key for verification. You can select from the following:

MD2, MD5 and RSA are one-way hashes.

For example, if you select the signing algorithm MD2 w/RSA, the secure logging feature hashes a group of messages with MD2 and encrypts the value with the RSA private key. This encrypted value is the signature of the original logged records and will be appended to the last record of the most recent signature. For validation, it will decrypt the signature with the RSA public key and compare the decrypted value to the group of logged records. The secure logging feature will then detect any modifications to any logged record.
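The signing and verification cycle just described, as an added example in Go rather than Access Manager's own implementation: each batch of records is digested and signed with an RSA private key (the MD5 w/RSA choice), and verification with the public key reports the first batch that no longer matches its signature. Chaining each signature to the previous one, and the sample records, are this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/md5"
	"crypto/rand"
	"crypto/rsa"
	"strings"
)

// SignedGroup is one batch of records plus the signature record appended after it.
type SignedGroup struct {
	Records []string
	Sig     []byte
}

// SampleBatches are constructed records in the style of an Access Manager log.
var SampleBatches = [][]string{
	{`"2007-06-01 09:00:01" "Login Success" amAuthentication.access`},
	{`"2007-06-01 09:05:12" "Logout" amAuthentication.access`},
}

// digest hashes a batch with MD5 (the "MD5 w/RSA" choice). The previous
// signature is hashed in first so a batch cannot be dropped or reordered
// unnoticed; that chaining is this example's assumption, not the reference's.
func digest(records []string, prevSig []byte) []byte {
	h := md5.New()
	h.Write(prevSig)
	h.Write([]byte(strings.Join(records, "\n")))
	return h.Sum(nil)
}

// BuildLog signs each batch with the RSA private key, chaining signatures.
func BuildLog(priv *rsa.PrivateKey, batches [][]string) ([]SignedGroup, error) {
	var groups []SignedGroup
	var prev []byte
	for _, b := range batches {
		sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.MD5, digest(b, prev))
		if err != nil {
			return nil, err
		}
		groups = append(groups, SignedGroup{Records: append([]string(nil), b...), Sig: sig})
		prev = sig
	}
	return groups, nil
}

// VerifyLog replays the chain with the public key, as the check scheduled by
// Log Verification Frequency does, and returns the index of the first batch
// whose records or signature no longer match, or -1 if the log is clean.
func VerifyLog(pub *rsa.PublicKey, groups []SignedGroup) int {
	var prev []byte
	for i, g := range groups {
		if rsa.VerifyPKCS1v15(pub, crypto.MD5, digest(g.Records, prev), g.Sig) != nil {
			return i
		}
		prev = g.Sig
	}
	return -1
}
```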

Maximum Number of Records

This attribute sets the maximum number of records that the Java LogReader interfaces return, regardless of how many records match the read query. By default, it is set to 500. This attribute can be overridden by the caller of the Logging API through the LogQuery class.

Number of Files per Archive

This attribute is only applicable to secure logging. It specifies when the log files and keystore need to be archived, and the secure keystore regenerated, for subsequent secure logging. The default is five files per logger.

Buffer Size

This attribute specifies the maximum number of log records to be buffered in memory before the logging service attempts to write them to the logging repository. The default is one record.

DB Failure Memory Buffer Size

This attribute defines the maximum number of log records held in memory if database (DB) logging fails. This attribute is only applicable when DB logging is specified. When the Access Manager logging service loses its connection to the DB, it will buffer up to the number of records specified. This attribute defaults to twice the value defined in the Buffer Size attribute.

Buffer Time

This attribute defines the amount of time that the log records will be buffered in memory before they are sent to the logging service to be logged. This attribute applies if Enable Time Buffering is ON. The default is 3600 seconds.

Time Buffering

When selected as ON, Access Manager will set a time limit for log records to be buffered in memory. The amount of time is set in the Buffer Time attribute.

Naming

The Naming service is used to get and set URLs, plug-ins and configurations as well as request notifications for various other Access Manager services such as session, authentication, logging, SAML and Federation.

This service enables clients to find the correct service URL if the platform is running more than one Access Manager. When a naming URL is found, the naming service will decode the session of the user and dynamically replace the protocol, host, and port with the parameters from the session. This ensures that the URL returned for the service is for the host that the user session was created on. The Naming attributes are:

Profile Service URL

This field takes a value equal to :

%protocol://%host:%port/Server_DEPLOY_URI/profileservice

This syntax allows for dynamic substitution of the profile URL based on the specific session parameters.

Session Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/sessionservice

This syntax allows for dynamic substitution of the session URL based on the specific session parameters.

Logging Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/loggingservice

This syntax allows for dynamic substitution of the logging URL based on the specific session parameters.

Policy Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/policyservice

This syntax allows for dynamic substitution of the policy URL based on the specific session parameters.

Authentication Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/authservice

This syntax allows for dynamic substitution of the authentication URL based on the specific session parameters.

SAML Web Profile/Artifact Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/SAMLAwareServlet

This syntax allows for dynamic substitution of the SAML web profile/artifact URL based on the specific session parameters.

SAML SOAP Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/SAMLSOAPReceiver

This syntax allows for dynamic substitution of the SAML SOAP URL based on the specific session parameters.

SAML Web Profile/POST Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/SAMLPOSTProfileServlet

This syntax allows for dynamic substitution of the SAML web profile/POST URL based on the specific session parameters.

SAML Assertion Manager Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/AssertionManagerServlet/AssertionManagerIF

This syntax allows for dynamic substitution of the SAML Assertion Manager Service URL based on the specific session parameters.

Federation Assertion Manager Service URL

This field takes a value equal to:

%protocol://%host:%port/amserver/FSAssertionManagerServlet/FSAssertionManagerIF

This syntax allows for dynamic substitution of the Federation Assertion Manager Service URL based on the specific session parameters.

Security Token Manager URL

This field takes a value equal to:

%protocol://%host:%port/amserver/SecurityTokenManagerServlet/SecurityTokenManagerIF/

This syntax allows for dynamic substitution of the Security Token Manager URL based on the specific session parameters.

JAXRPC Endpoint URL

This field takes a value equal to:

%protocol://%host:%port/amserver/jaxrpc/

This syntax allows for dynamic substitution of the JAXRPC Endpoint URL based on the specific session parameters.

Platform

The Platform service is where additional servers can be added to the Access Manager configuration as well as other options applied at the top level of the Access Manager application. The Platform service attributes are global attributes. The attributes are:

Site Name

The naming service reads this attribute at initialization time. This list identifies, by FQDN and port number, the load balancer or SRA that balances load across the back-end Access Manager servers. If the host specified in a request for a service URL is not in this list, the naming service will reject the request. Only the naming service protocol should be used in this attribute. See To Create a New Site Name.

Instance Name

The naming service reads this attribute at initialization time. This list contains the Access Manager session servers in a single Access Manager configuration. For example, if two Access Managers are installed and should work as one, they must both be included in this list. If the host specified in a request for a service URL is not in this list, the naming service will reject the request. Only the naming service protocol should be used in this attribute. See To Create a New Instance Name.

Platform Locale

The platform locale value is the default language subtype that Access Manager was installed with. The authentication, logging and administration services are administered in the language of this value. The default is en_US. See Supported Language Locales for a listing of supported language subtypes.

Cookie Domains

The list of domains that will be returned in the cookie header when setting a cookie to the user's browser during authentication. If empty, no cookie domain will be set. In other words, the Access Manager session cookie will only be forwarded to the Access Manager itself and to no other servers in the domain.

If SSO is required with other servers in the domain, this attribute must be set with the cookie domain. If you had two interfaces in different domains on one Access Manager then you would need to set both cookie domains in this attribute. If a load balancer is used, the cookie domain must be that of the load balancer's domain, not the servers behind the load balancer. The default value for this field is the domain of the installed Access Manager.

Login Service URL

This field specifies the URL of the login page. The default value for this attribute is /Service_DEPLOY_URI/UI/Login.

Logout Service URL

This field specifies the URL of the logout page. The default value for this attribute is /Service_DEPLOY_URI/UI/Logout.

Available Locales

This attribute stores all available locales configured for the platform. Consider an application that lets the user choose the user's locale. This application would get this attribute from the platform profile and present the list of locales to the user. The user would choose a locale and the application would set this in the user entry preferredLocale.

Client Character Sets

This attribute specifies the character set for different clients at the platform level. It contains a list of client types and the corresponding character sets. See To Create a New Character Set for more information.

Procedure: To Create a New Site Name

  1. Click New in the Site Name list.

  2. Enter the host name and port in the Server field.

  3. Enter the Site Name.

    This value uniquely identifies the server. Each server that is participating in load balancing or failover needs to have a unique identifier of a two-digit number. For example, 01.

  4. Click Save.

    To edit a site name, click an entry in the Site Name list and change the values accordingly.

Procedure: To Create a New Instance Name

The naming service reads this attribute at initialization time. This list contains the Access Manager session servers in a single Access Manager configuration.

  1. Click New in the Instance Name list.

  2. Enter the hostname and port in the Server field.

  3. Enter the Site Name.

    This value uniquely identifies the server. Each server that is participating in load balancing or failover needs to have a unique identifier. This is also used to shorten the cookie length by mapping the server URL to the server ID. The syntax is:

    instance_ID(|site_ID)

  4. Click OK.

    To edit an instance name, click an entry in the Instance Name list and change the values accordingly.

  5. Click Save in the Platform Service main page.
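An added example, not Access Manager code, of what the Naming service templates and the Platform service Instance Name list amount to at runtime: a service URL template is filled from the session's protocol, host and port, a host that is not in the Instance Name list is rejected as the reference states, and a server URL maps back to the short instance ID carried in the cookie. The host names and instance IDs are constructed; the template and the amserver deploy URI are the ones quoted above.

```go
package main

import (
	"fmt"
	"strings"
)

// Session carries what the naming service decodes from the session token.
type Session struct{ Protocol, Host, Port string }

// Naming models the Naming service templates and the Platform service
// Instance Name list (instance ID -> server URL) read at initialization.
type Naming struct {
	DeployURI string            // Server_DEPLOY_URI, e.g. amserver
	Templates map[string]string // service -> URL template from the Naming attributes
	Instances map[string]string // instance ID -> "protocol://host:port"
}

// ServiceURL substitutes the session's protocol, host and port into the
// template for service. A host:port that is not an Instance Name entry is
// rejected, so a session cannot steer clients to a server outside the configuration.
func (n Naming) ServiceURL(service string, s Session) (string, error) {
	tmpl, ok := n.Templates[service]
	if !ok {
		return "", fmt.Errorf("no naming template for %q", service)
	}
	origin := s.Protocol + "://" + s.Host + ":" + s.Port
	if _, ok := n.InstanceID(origin); !ok {
		return "", fmt.Errorf("host %s is not in the Instance Name list", origin)
	}
	r := strings.NewReplacer("%protocol", s.Protocol, "%host", s.Host, "%port", s.Port, "Server_DEPLOY_URI", n.DeployURI)
	return r.Replace(tmpl), nil
}

// InstanceID maps a server URL to its instance ID, the mapping the Platform
// service uses to keep the server reference in the cookie short.
func (n Naming) InstanceID(serverURL string) (string, bool) {
	for id, u := range n.Instances {
		if u == serverURL {
			return id, true
		}
	}
	return "", false
}

// NewDemoNaming returns a constructed two-server configuration that uses the
// default Session Service URL template quoted in the reference.
func NewDemoNaming() Naming {
	return Naming{
		DeployURI: "amserver",
		Templates: map[string]string{
			"session": "%protocol://%host:%port/Server_DEPLOY_URI/sessionservice",
		},
		Instances: map[string]string{ // constructed hosts
			"01": "https://am1.example.com:443",
			"02": "https://am2.example.com:443",
		},
	}
}
```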

Procedure: To Create a New Character Set

  1. Click New from the Client Character Sets list.

  2. Enter a value for the Client Type.

  3. Enter a value for the Character Set. See Supported Language Locales for the character sets available.

  4. Click OK.

  5. Click Save in the Platform Service main page.