Sun Java System Access Manager 7.1 Developer's Guide

Properties Used by the ClientSDK

Access Manager properties are contained in the AMConfig.properties file. Generate the AMConfig.properties file for the Client SDK by running the following command:

# make -f Makefile.clientsdk properties

The following sections describe the properties expected by the Access Manager Client SDK. A client application deployed within a servlet container can register for changes to sessions, user attributes and policy decisions; the notification URL properties described below must be set for the application to receive such notifications. Because this file holds the application user's password and the encryption keys described later in this section, restrict read access to the account that runs the client application.

Naming URL Properties

com.iplanet.am.naming.url

This is a required property. Its value is the URL from which the Client SDK retrieves the URLs of the Access Manager internal services, that is, the URL of the Naming Service. Example:

com.iplanet.am.naming.url=http://AccessManager-HostName.domain_name:port/amserver/namingservice

com.iplanet.am.naming.failover.url

This property can be used by any remote SDK application that wants failover, for example, in session validation or in retrieving the service URLs. Example:

com.iplanet.am.naming.failover.url=http://AccessManager-HostName.domain_name:port/amserver/failover

Debug Properties

com.iplanet.services.debug.level

Specifies the debug level. Possible values are off, error, warning, or message.

com.iplanet.services.debug.directory

The value of this property is the output directory for the debug information. This directory must be writable by the process that runs the client application. Example:

com.iplanet.services.debug.directory=/var/opt/SUNWam/debug

Notification URL Properties

com.iplanet.am.notification.url

The value of this property is the URL of the Notification Service running on the host where you installed the Client SDK. Example:

com.iplanet.am.notification.url=http://clientSDK_host.domain_name:port/amserver/notificationservice

com.sun.identity.agents.notification.enabled

Enables or disables notifications for the remote policy API. Example:

com.sun.identity.agents.notification.enabled=false

com.sun.identity.agents.notification.url

Defines the notification URL for the remote policy API.

Security Credentials Properties

com.sun.identity.agents.app.username

Identifies the application user as which the Client SDK authenticates to Access Manager in order to read configuration data. Example:

com.sun.identity.agents.app.username=APPLICATION_USER

com.iplanet.am.service.password

The password of the application user named in com.sun.identity.agents.app.username. Example:

com.iplanet.am.service.password=APPLICATION_PASSWD

com.iplanet.am.service.secret

Contains the encrypted value of the application user's password. Example:

com.iplanet.am.service.secret=ENCRYPTION_KEY

Encryption Properties

am.encryption.pwd

This key is needed to decrypt passwords stored in the SMS configuration. It must be the same key that the Access Manager server uses. Example:

am.encryption.pwd=ENCRYPTION_KEY

com.sun.identity.client.encryptionKey

Encryption key that will be used to encrypt and decrypt data used locally within the client. Example:

com.sun.identity.client.encryptionKey=ENCRYPTION_KEY_LOCAL

com.iplanet.security.encryptor

Selects the class that implements encryption. Set it to the JCE implementation as follows:

com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption

Cache Update Properties

com.sun.identity.sm.cacheTime

Cache update time (in minutes) for service configuration data if notification URL is not provided. Example:

com.sun.identity.sm.cacheTime=1

com.iplanet.am.sdk.remote.pollingTime

Cache update time (in minutes) for the user management cache if notification URL is not provided. Example:

com.iplanet.am.sdk.remote.pollingTime=1

Authentication Service Properties

com.iplanet.am.server.protocol

Server protocol to be used by Authentication Service. Example:

com.iplanet.am.server.protocol=SERVER_PROTOCOL

com.iplanet.am.server.host

Server host to be used by Authentication Service. Example:

com.iplanet.am.server.host=SERVER_HOST

com.iplanet.am.server.port

Server port to be used by Authentication Service. Example:

com.iplanet.am.server.port=SERVER_PORT

Cookie Property

com.iplanet.am.cookie.name

Indicates the Access Manager cookie name. Example:

com.iplanet.am.cookie.name=AM_COOKIE_NAME

Session Service Properties

com.iplanet.am.session.client.polling.enable

Enables polling of session state from the client. Example:

com.iplanet.am.session.client.polling.enable=true

com.iplanet.am.session.client.polling.period

Polling period for session state. Example:

com.iplanet.am.session.client.polling.period=180

Certificate Database Properties

com.iplanet.am.admin.cli.certdb.dir

Identifies the certificate database directory path for initializing the JSS Socket Factory when the Access Manager web container is configured for SSL. Example:

com.iplanet.am.admin.cli.certdb.dir=CONTAINER_CERTDB_DIR

com.iplanet.am.admin.cli.certdb.passfile

Identifies the certificate database password file for initializing the JSS Socket Factory when the Access Manager web container is configured for SSL. This file holds the database password in clear text, so protect it as you protect AMConfig.properties. Example:

com.iplanet.am.admin.cli.certdb.passfile=BASEDIR/PRODUCT_DIR/config/.wtpass

com.iplanet.am.admin.cli.certdb.prefix

Identifies the certificate database prefix for initializing the JSS Socket Factory when the Access Manager web container is configured for SSL. Example:

com.iplanet.am.admin.cli.certdb.prefix=CONTAINER_CERTDB_PREFIX

Policy Client Properties

com.sun.identity.agents.server.log.file.name

Specifies file name for the policy decision log file. Example:

com.sun.identity.agents.server.log.file.name=amRemotePolicyLog

com.sun.identity.agents.logging.level

Possible values for policy decision logging level are NONE, ALLOW, DENY, BOTH, and DECISION.

com.sun.identity.agents.notification.enabled

Enables use of the Notification URL for updating the cache. The default value is false.

com.sun.identity.agents.notification.url

Specifies the Notification URL used for updating the cache. Example:

com.sun.identity.agents.notification.url=NOTIFICATION_URL

com.sun.identity.agents.polling.interval

Cache time in minutes. Example:

com.sun.identity.agents.polling.interval=3

com.sun.identity.policy.client.cacheMode

Information to cache. Possible values are subtree or self.

com.sun.identity.policy.client.usePre22BooleanValues

Define and set this property to false if you do not want to use pre-2.2 style Boolean values. The default value is true if the property is not defined.
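The properties above are plain key=value lines, and a mistake in one of them usually surfaces only as a runtime failure in the client. The following is an added example, not code from the Access Manager Client SDK: it reads a Client SDK AMConfig.properties fragment with a minimal java.util.Properties-style parser and checks it against the rules this section states (naming URL required, debug and logging levels and cacheMode restricted to the listed values, cache times in whole minutes, service URLs absolute, notification URL present when remote policy notifications are enabled). It also warns when a service URL uses plain http, since session validation and policy decisions travel over it. The sample file is constructed for the example and deliberately contains mistakes.

```python
"""Read a Client SDK AMConfig.properties fragment and check it against the rules
this section gives.  Added example that models the documented semantics; it is
not code from the Access Manager Client SDK.  The sample file below is
constructed for the example and deliberately contains mistakes."""
import re
from urllib.parse import urlsplit

SAMPLE_AMCONFIG = """\
# constructed sample: naming URL missing, bad debug level, bad polling time
com.iplanet.am.naming.failover.url=http://am.example.com:8080/amserver/failover
com.iplanet.services.debug.level=verbose
com.iplanet.services.debug.directory=/var/opt/SUNWam/debug
com.iplanet.am.notification.url=http://sdkhost.example.com:8080/amserver/notificationservice
com.sun.identity.agents.notification.enabled=false
com.sun.identity.agents.logging.level=DECISION
com.sun.identity.policy.client.cacheMode=subtree
com.sun.identity.sm.cacheTime=1
com.iplanet.am.sdk.remote.pollingTime=abc
com.sun.identity.agents.polling.interval=3
"""

# Allowed values as stated in this section.
ENUMS = {
    "com.iplanet.services.debug.level": {"off", "error", "warning", "message"},
    "com.sun.identity.agents.logging.level": {"NONE", "ALLOW", "DENY", "BOTH", "DECISION"},
    "com.sun.identity.policy.client.cacheMode": {"subtree", "self"},
}
# Properties that hold a whole number of minutes.
MINUTE_PROPS = (
    "com.sun.identity.sm.cacheTime",
    "com.iplanet.am.sdk.remote.pollingTime",
    "com.sun.identity.agents.polling.interval",
)
URL_PROPS = (
    "com.iplanet.am.naming.url",
    "com.iplanet.am.naming.failover.url",
    "com.iplanet.am.notification.url",
    "com.sun.identity.agents.notification.url",
)
_KV = re.compile(r"((?:\\.|[^=:\s])+)\s*[=:]?\s*(.*)$")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#' or '!' starts a comment, the
    first unescaped '=', ':' or whitespace ends the key, and a trailing
    backslash continues the logical line onto the next physical line."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_amconfig(props):
    """Return a list of (severity, message) findings; an empty list means clean."""
    findings = []
    if "com.iplanet.am.naming.url" not in props:
        findings.append(("error", "com.iplanet.am.naming.url is required"))
    for key, allowed in ENUMS.items():
        if key in props and props[key] not in allowed:
            findings.append(("error", f"{key}={props[key]!r}; expected one of {sorted(allowed)}"))
    for key in MINUTE_PROPS:
        if key in props and not props[key].isdigit():
            findings.append(("error", f"{key} must be a whole number of minutes"))
    for key in URL_PROPS:
        if key not in props:
            continue
        u = urlsplit(props[key])
        if u.scheme not in ("http", "https") or not u.netloc:
            findings.append(("error", f"{key} is not an absolute http(s) URL"))
        elif u.scheme == "http":
            # Session validation and policy decisions travel over this URL.
            findings.append(("warning", f"{key} uses plain http; traffic to Access Manager is unprotected"))
    enabled = props.get("com.sun.identity.agents.notification.enabled", "false").lower() == "true"
    if enabled and "com.sun.identity.agents.notification.url" not in props:
        findings.append(("error", "remote policy notifications enabled but no notification URL set"))
    return findings


if __name__ == "__main__":
    for severity, message in check_amconfig(parse_properties(SAMPLE_AMCONFIG)):
        print(f"{severity}: {message}")
```

Run the file against the generated AMConfig.properties before deploying the client; the parser deliberately ignores Java Unicode escapes, which none of the properties on this page use.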

Monitoring Framework Property

com.sun.identity.monitoring=off

Explicitly disables Java Enterprise System (JES) monitoring services in the sample client applications.

Remote Client SDK Property

com.iplanet.amsdk.package

If you want to use a remote instance of the Client SDK, set the value of this property as follows:

com.iplanet.amsdk.package=remote

The default value is ldap if the property is not defined.

Federation Properties

The following properties are used to configure interactions in a federated environment. These properties are not automatically generated and placed in the AMConfig.properties file when you run the make -f Makefile.clientsdk properties command. You must manually add the properties to the file as needed.

com.sun.identity.liberty.ws.soap.supportedActors

Supported SOAP actors. Separate multiple actors with a pipe (|). Example:

com.sun.identity.liberty.ws.soap.supportedActors=http://schemas.xmlsoap.org/soap/actor/next

com.sun.identity.liberty.interaction.wspRedirectHandler

Indicates the URL of the WSPRedirectHandlerServlet, which handles Liberty WSF interactions between a web service provider and the resource owner. These interactions are based on user-agent redirects. The servlet must run in the same JVM as the Liberty web service provider.

com.sun.identity.liberty.interaction.wscSpecifiedInteractionChoice

Indicates whether the web service client should participate in an interaction. Valid values are interactIfNeeded, doNotInteract, and doNotInteractForData. The default value is interactIfNeeded; it is also used if an invalid value is specified.

com.sun.identity.liberty.interaction.wscWillInlcudeUserInteractionHeader

Indicates whether the web service client should include the UserInteractionHeader. Valid values are yes and no (case ignored). The default value is yes; it is used if no value is specified.

com.sun.identity.liberty.interaction.wscWillRedirect

Indicates whether the web service client will redirect the user for an interaction. Valid values are yes and no. The default value is yes; it is used if no value is specified.

com.sun.identity.liberty.interaction.wscSpecifiedMaxInteractionTime

Indicates the web service client's preference for the acceptable duration (in seconds) of an interaction. If the value is not specified or is not an integer, the default value of 60 is used.

com.sun.identity.liberty.interaction.wscWillEnforceHttpsCheck

Indicates whether the web service client enforces that the URL it is redirected to uses HTTPS. Valid values are yes and no (case ignored). The Liberty specification requires the value to be yes. The default value is yes; it is used if no value is specified.

com.sun.identity.liberty.interaction.wspWillRedirect

Indicates whether the web service provider redirects the user for an interaction. Valid values are yes and no (case ignored). The default value is yes; it is used if no value is specified.

com.sun.identity.liberty.interaction.wspWillRedirectForData

Indicates whether the web service provider redirects the user for an interaction to obtain data. Valid values are yes and no. The default value is yes; it is used if no value is specified.

com.sun.identity.liberty.interaction.wspRedirectTime

The web service provider's expected duration (in seconds) for an interaction. If the value is not specified or is not an integer, the default value of 30 is used.

com.sun.identity.liberty.interaction.wspWillEnforceHttpsCheck

Indicates whether the web service provider enforces that the returnToURL uses HTTPS. Valid values are yes and no (case ignored). The Liberty specification requires the value to be yes. The default value is yes; it is used if no value is specified.

com.sun.identity.liberty.interaction.wspWillEnforceReturnToHostEqualsRequestHost

Indicates whether the web service provider enforces that the returnToHost and the requestHost are the same. Valid values are yes and no. The Liberty specification requires the value to be yes.
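The interaction properties above share one pattern: a yes/no or integer value with a documented default that also applies when the value is missing or unparseable, followed by two checks that guard the redirect itself (HTTPS on the target URL, and the returnTo host matching the request host). The following added example, which is not the Access Manager implementation, resolves the effective settings from a properties dictionary with those fallback rules and applies the WSC-side and WSP-side checks to sample URLs. Two assumptions are not stated on the page: wspWillEnforceReturnToHostEqualsRequestHost is given the same default (yes) as the other yes/no properties, and hosts are compared without the port. The property name wscWillInlcudeUserInteractionHeader is spelled as in the product.

```python
"""Resolve the Liberty interaction properties with the fallback rules the page
states, then apply the checks that guard a redirect.  Added example that
models the documented semantics; it is not the Access Manager code.
Assumptions (not stated on the page): wspWillEnforceReturnToHostEqualsRequestHost
defaults to yes, and hosts are compared without the port."""
from urllib.parse import urlsplit

PREFIX = "com.sun.identity.liberty.interaction."
INTERACTION_CHOICES = ("interactIfNeeded", "doNotInteract", "doNotInteractForData")


def _yes_no(props, name, default=True):
    """yes/no with case ignored; unset or unrecognised falls back to the default."""
    value = props.get(PREFIX + name, "").strip().lower()
    return {"yes": True, "no": False}.get(value, default)


def _seconds(props, name, default):
    """Integer seconds; unset or non-integer falls back to the default."""
    try:
        return int(props[PREFIX + name])
    except (KeyError, ValueError):
        return default


def resolve_interaction_settings(props):
    """Return the effective values for the WSC and WSP interaction properties."""
    choice = props.get(PREFIX + "wscSpecifiedInteractionChoice", "")
    return {
        "wscSpecifiedInteractionChoice":
            choice if choice in INTERACTION_CHOICES else "interactIfNeeded",
        # property name spelled as in the product
        "wscWillInlcudeUserInteractionHeader": _yes_no(props, "wscWillInlcudeUserInteractionHeader"),
        "wscWillRedirect": _yes_no(props, "wscWillRedirect"),
        "wscSpecifiedMaxInteractionTime": _seconds(props, "wscSpecifiedMaxInteractionTime", 60),
        "wscWillEnforceHttpsCheck": _yes_no(props, "wscWillEnforceHttpsCheck"),
        "wspWillRedirect": _yes_no(props, "wspWillRedirect"),
        "wspWillRedirectForData": _yes_no(props, "wspWillRedirectForData"),
        "wspRedirectTime": _seconds(props, "wspRedirectTime", 30),
        "wspWillEnforceHttpsCheck": _yes_no(props, "wspWillEnforceHttpsCheck"),
        # default assumed to be yes; the page states only that the spec requires yes
        "wspWillEnforceReturnToHostEqualsRequestHost":
            _yes_no(props, "wspWillEnforceReturnToHostEqualsRequestHost"),
    }


def wsc_accepts_redirect(settings, redirect_url):
    """WSC side: refuse a non-HTTPS redirect target when the check is enforced."""
    if not settings["wscWillRedirect"]:
        return False, "client does not redirect"
    if settings["wscWillEnforceHttpsCheck"] and urlsplit(redirect_url).scheme.lower() != "https":
        return False, "redirect URL is not https"
    return True, "ok"


def wsp_accepts_return_to(settings, return_to_url, request_host):
    """WSP side: the returnToURL must use HTTPS and, when enforced, point back at
    the host that made the request, so the user cannot be bounced elsewhere."""
    parts = urlsplit(return_to_url)
    if settings["wspWillEnforceHttpsCheck"] and parts.scheme.lower() != "https":
        return False, "returnToURL is not https"
    if (settings["wspWillEnforceReturnToHostEqualsRequestHost"]
            and (parts.hostname or "").lower() != request_host.lower()):
        return False, "returnToURL host differs from request host"
    return True, "ok"


if __name__ == "__main__":
    effective = resolve_interaction_settings({PREFIX + "wspRedirectTime": "abc"})
    print(effective["wspRedirectTime"])
    print(wsp_accepts_return_to(effective, "http://wsc.example.com/return", "wsc.example.com"))
```

Setting either HTTPS check to no is a deviation from the Liberty specification; the example keeps the checks on unless the property says no explicitly, which is the behaviour the page documents.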

com.sun.identity.liberty.interaction.htmlStyleSheetLocation

Indicates the path to the style sheet used to render the interaction page in HTML.

com.sun.identity.liberty.interaction.wmlStyleSheetLocation

Indicates the path to the style sheet used to render the interaction page in WML.

Example:

com.sun.identity.liberty.interaction.wmlStyleSheetLocation=/opt/SUNWam/lib/is-wml.xsl

com.sun.identity.liberty.ws.interaction.enable

Default value is false.

com.sun.identity.wss.provider.config.plugin

Used by the web services provider to determine the plug-in that stores the configuration. Example:

com.sun.identity.wss.provider.config.plugin=com.sun.identity.wss.provider.plugins.AgentProvider

com.sun.identity.loginurl

Login URL used by web services clients in ClientSDK mode. Example:

com.sun.identity.loginurl=https://hostName:portNumber/amserver/UI/Login

com.sun.identity.liberty.authnsvc.url

Indicates the Liberty authentication service URL.

com.sun.identity.liberty.wsf.version

Determines which version of the Liberty identity web services framework is used when the framework cannot determine it from the inbound message or from the resource offering. This property applies when Access Manager acts as the web service client. Possible values are 1.0 and 1.1; the default is 1.1.

com.sun.identity.liberty.ws.soap.certalias

Value is set during installation. Specifies the client certificate alias used for the SSL connection of the Liberty SOAP binding.

com.sun.identity.liberty.ws.soap.messageIDCacheCleanupInterval

Default value is 60000. Specifies the interval, in milliseconds, between cache cleanup runs. Each received message is stored in a cache under its messageID so that duplicate (replayed) messages can be detected. During cleanup, a message whose received time is older than the current time by more than the staleTimeLimit value is removed from the cache.

com.sun.identity.liberty.ws.soap.staleTimeLimit

Default value is 300000. Determines when a message is stale and thus no longer trustworthy. If the message timestamp is earlier than the current time by more than the specified number of milliseconds, the message is considered stale.
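The two properties above together form a replay defence: a message is rejected if its timestamp is older than staleTimeLimit, and within that window a second message with the same messageID is rejected as a duplicate; the cleanup run every messageIDCacheCleanupInterval milliseconds evicts entries too old to be replayed anyway. The following added example, which is not the Access Manager implementation, models that cache with both limits in milliseconds as the properties use them. The injectable clock is an addition for testing and is not part of the product's configuration.

```python
"""Replay protection for Liberty SOAP binding messages as described by
messageIDCacheCleanupInterval and staleTimeLimit.  Added example that models
the documented behaviour; it is not the Access Manager code.  Times are in
milliseconds, matching the properties.  The clock is injectable (an addition
for testing) so the eviction logic can be driven deterministically."""
import time


class MessageIdCache:
    def __init__(self, stale_time_limit_ms=300000, cleanup_interval_ms=60000, clock=None):
        self.stale_limit = stale_time_limit_ms
        self.cleanup_interval = cleanup_interval_ms
        self.clock = clock or (lambda: int(time.time() * 1000))
        self._seen = {}  # messageID -> time received (ms)
        self._last_cleanup = self.clock()

    def accept(self, message_id, message_timestamp_ms):
        """Decide whether a signed message may be processed.
        Returns (accepted, reason).  Staleness is checked before the duplicate
        check so old traffic cannot be replayed to fill the cache; the
        timestamp is trusted only because the message signature covers it."""
        now = self.clock()
        self._maybe_cleanup(now)
        if now - message_timestamp_ms > self.stale_limit:
            return False, "stale"
        if message_id in self._seen:
            return False, "duplicate"
        self._seen[message_id] = now
        return True, "ok"

    def _maybe_cleanup(self, now):
        """Run at most once per cleanup interval.  An entry older than the stale
        limit can be dropped safely: a replay of it fails the staleness check."""
        if now - self._last_cleanup < self.cleanup_interval:
            return
        self._last_cleanup = now
        for message_id, received in list(self._seen.items()):
            if now - received > self.stale_limit:
                del self._seen[message_id]

    def __len__(self):
        return len(self._seen)


if __name__ == "__main__":
    cache = MessageIdCache()
    now_ms = int(time.time() * 1000)
    print(cache.accept("urn:uuid:constructed-1", now_ms))   # first sight: accepted
    print(cache.accept("urn:uuid:constructed-1", now_ms))   # same ID again: duplicate
    print(cache.accept("urn:uuid:constructed-2", now_ms - 400000))  # older than 300 s: stale
```

Keep staleTimeLimit comfortably larger than the clock skew between the web service client and provider; a limit shorter than the skew rejects legitimate traffic, while a very long limit only grows the cache, since eviction never runs ahead of the staleness check.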

com.sun.identity.liberty.ws.wsc.certalias

Value is set during installation. Specifies the default certificate alias used when issuing web service security tokens for this web service client.

com.sun.identity.liberty.ws.trustedca.certaliases

Value is set during installation. Specifies the certificate aliases of trusted CAs. The SAML or SAML Bearer token of an incoming request must be signed by a CA in this list. The syntax is cert_alias_1[:issuer_1]|cert_alias_2[:issuer_2]|... Example: myalias1:myissuer1|myalias2|myalias3:myissuer3. The issuer part is used when the token has no KeyInfo inside its signature: the issuer of the token must then appear in this list, and the corresponding certificate alias is used to verify the signature. If KeyInfo is present, the keystore must contain a certificate alias that matches the KeyInfo, and that alias must be in this list.
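The alias list has two lookup paths depending on whether the token's signature carries KeyInfo, and getting either path wrong means accepting a token signed by an unlisted key. The following added example, which is not the product's implementation, parses the alias[:issuer]|... syntax and applies the selection rule described above. The keystore and the token are constructed stand-ins: the keystore is a set of alias names, and the token is represented by the alias its KeyInfo resolves to (or None when KeyInfo is absent) together with its issuer name.

```python
"""Parse com.sun.identity.liberty.ws.trustedca.certaliases and choose the
certificate alias that may verify a SAML or SAML Bearer token signature,
following the KeyInfo rule the page states.  Added example modelling the
documented logic; it is not the Access Manager code.  The keystore is a
constructed stand-in (a set of alias names) and a token is represented by
the alias its KeyInfo resolves to, or None when KeyInfo is absent."""


def parse_trusted_ca_aliases(value):
    """'alias1[:issuer1]|alias2[:issuer2]|...' -> list of (alias, issuer or None)."""
    entries = []
    for item in value.split("|"):
        item = item.strip()
        if not item:
            continue
        alias, sep, issuer = item.partition(":")
        entries.append((alias.strip(), issuer.strip() if sep else None))
    return entries


def select_verification_alias(trusted, keystore_aliases, token_keyinfo_alias=None, token_issuer=None):
    """Return the alias whose certificate verifies the token, or None to reject.

    trusted:             output of parse_trusted_ca_aliases
    keystore_aliases:    aliases present in the local keystore (stand-in)
    token_keyinfo_alias: keystore alias matching the signature's KeyInfo, or
                         None when the signature carries no KeyInfo
    token_issuer:        issuer named in the token; consulted only without KeyInfo
    """
    trusted_aliases = {alias for alias, _ in trusted}
    if token_keyinfo_alias is not None:
        # KeyInfo present: the keystore must hold a matching alias AND that alias
        # must be in the trusted list.  A KeyInfo pointing at an unlisted key is
        # rejected even if the keystore knows it.
        if token_keyinfo_alias in keystore_aliases and token_keyinfo_alias in trusted_aliases:
            return token_keyinfo_alias
        return None
    # No KeyInfo: the token's issuer must be mapped in the list, and the mapped
    # alias is used.  Entries without an issuer part cannot be matched this way.
    for alias, issuer in trusted:
        if issuer is not None and issuer == token_issuer and alias in keystore_aliases:
            return alias
    return None


if __name__ == "__main__":
    trusted = parse_trusted_ca_aliases("myalias1:myissuer1|myalias2|myalias3:myissuer3")
    keystore = {"myalias1", "myalias2", "myalias3", "unlisted"}
    print(select_verification_alias(trusted, keystore, token_keyinfo_alias="myalias2"))
    print(select_verification_alias(trusted, keystore, token_issuer="myissuer3"))
    print(select_verification_alias(trusted, keystore, token_keyinfo_alias="unlisted"))
```

An entry listed without an issuer (myalias2 in the page's example) can therefore verify only tokens whose signature includes KeyInfo; tokens from that CA without KeyInfo are rejected until an issuer is added to the entry.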