The J2EE AMAgent.properties configuration file contains the necessary configuration properties needed for the agent to function properly. It also contains the necessary information needed for the Sun Java System Access Manager SDK to function properly in a client installation mode as used by the agent.
The content of the J2EE agent AMAgent.properties configuration file is very sensitive. Changes made can result in changes in how the agent works. Errors made can cause the agent to malfunction.
This appendix provides basic information about the J2EE AMAgent.properties configuration file. Specifically, this appendix describes where the configuration is located, provides a quick list of the properties, and provides the same list but with a simple description of each property. This appendix organizes the information as follows:
List of Properties in the J2EE AMAgent.properties Configuration File
Description of Properties in the J2EE AMAgent.properties Configuration File
Each property is described in more detail in the actual J2EE AMAgent.properties configuration file. Furthermore, for an explanation of key features of this configuration file and tasks that you can accomplish with it, see Key Features and Tasks Performed With the J2EE AMAgent.properties Configuration File.
The following is the location of the J2EE AMAgent.properties configuration file:
PolicyAgent-base/AgentInstance-Dir/config
For more information about the Policy Agent 2.2 directory structure, see J2EE Agent Directory Structure in Policy Agent 2.2.
This section provides a list of all the J2EE agent properties in the AMAgent.properties configuration file. The properties are divided into categories according to the aspect of Policy Agent that each property enables you to modify.
Filter Operation Mode Property |
com.sun.identity.agents.config.filter.mode |
User Mapping Properties |
com.sun.identity.agents.config.user.mapping.mode[] |
com.sun.identity.agents.config.user.attribute.name |
com.sun.identity.agents.config.user.principal |
com.sun.identity.agents.config.user.token |
Client Identification Properties |
com.sun.identity.agents.config.client.ip.header |
com.sun.identity.agents.config.client.hostname.header |
Configuration Reload Interval Property |
com.sun.identity.agents.config.load.interval |
Local Identification Properties |
com.sun.identity.agents.config.locale.language |
com.sun.identity.agents.config.locale.country |
Organization Name Property |
com.sun.identity.agents.config.organization.name |
Audit Log Properties |
com.sun.identity.agents.config.audit.accesstype |
com.sun.identity.agents.config.log.disposition |
com.sun.identity.agents.config.remote.logfile |
com.sun.identity.agents.config.local.logfile |
com.sun.identity.agents.config.local.log.rotate |
com.sun.identity.agents.config.local.log.size |
Web Service Processing Properties |
com.sun.identity.agents.config.webservice.enable |
com.sun.identity.agents.config.webservice.endpoint[] |
com.sun.identity.agents.config.webservice.process.get.enable |
com.sun.identity.agents.config.webservice.authenticator |
com.sun.identity.agents.config.webservice.internalerror.content |
com.sun.identity.agents.config.webservice.autherror.content |
Access Denied URI Property |
com.sun.identity.agents.config.access.denied.uri |
Form Login Processing Properties |
com.sun.identity.agents.config.login.form[] |
com.sun.identity.agents.config.login.error.uri[] |
com.sun.identity.agents.config.login.use.internal |
com.sun.identity.agents.config.login.content.file |
Local Authentication Processing Properties |
com.sun.identity.agents.config.auth.handler[] |
com.sun.identity.agents.config.logout.handler[] |
com.sun.identity.agents.config.verification.handler[] |
Goto Parameter Name Property |
com.sun.identity.agents.config.redirect.param |
Login URL Property |
com.sun.identity.agents.config.login.url[] |
Login URL Prioritized Flag Property |
com.sun.identity.agents.config.login.url.prioritized |
Agent Server Properties |
com.sun.identity.agents.config.agent.host |
com.sun.identity.agents.config.agent.port |
com.sun.identity.agents.config.agent.protocol |
Login Attempt Limit Property |
com.sun.identity.agents.config.login.attempt.limit |
URL Decode SSO Token Property |
com.sun.identity.agents.config.sso.decode |
SSO Cache Enable Property |
com.sun.identity.agents.config.amsso.cache.enable |
Cookie Reset Processing Properties |
com.sun.identity.agents.config.cookie.reset.enable |
com.sun.identity.agents.config.cookie.reset.name[] |
com.sun.identity.agents.config.cookie.reset.domain[] |
com.sun.identity.agents.config.cookie.reset.path[] |
CDSSO Processing Properties |
com.sun.identity.agents.config.cdsso.enable |
com.sun.identity.agents.config.cdsso.redirect.uri |
com.sun.identity.agents.config.cdsso.cdcservlet.url[] |
com.sun.identity.agents.config.cdsso.clock.skew |
com.sun.identity.agents.config.cdsso.trusted.id.provider[] |
Logout Processing Properties |
com.sun.identity.agents.config.logout.application.handler[] |
com.sun.identity.agents.config.logout.uri[] |
com.sun.identity.agents.config.logout.request.param[] |
com.sun.identity.agents.config.logout.introspect.enabled |
com.sun.identity.agents.config.logout.entry.uri[] |
FQDN Processing Properties |
com.sun.identity.agents.config.fqdn.check.enable |
com.sun.identity.agents.config.fqdn.default |
com.sun.identity.agents.config.fqdn.mapping[] |
Legacy User Agent Processing Properties |
com.sun.identity.agents.config.legacy.support.enable |
com.sun.identity.agents.config.legacy.user.agent[] |
com.sun.identity.agents.config.legacy.redirect.uri |
Custom Response Headers Property |
com.sun.identity.agents.config.response.header[] |
Redirect Attempt Limit Property |
com.sun.identity.agents.config.redirect.attempt.limit |
Port Check Processing Properties |
com.sun.identity.agents.config.port.check.enable |
com.sun.identity.agents.config.port.check.file |
com.sun.identity.agents.config.port.check.setting[] |
Not-Enforced URI Processing Properties |
com.sun.identity.agents.config.notenforced.uri[] |
com.sun.identity.agents.config.notenforced.uri.invert |
com.sun.identity.agents.config.notenforced.uri.cache.enable |
com.sun.identity.agents.config.notenforced.uri.cache.size |
Not-Enforced Client IP Processing Properties |
com.sun.identity.agents.config.notenforced.ip[] |
com.sun.identity.agents.config.notenforced.ip.invert |
com.sun.identity.agents.config.notenforced.ip.cache.enable |
com.sun.identity.agents.config.notenforced.ip.cache.size |
Common Attribute Fetch Processing Properties |
com.sun.identity.agents.config.attribute.cookie.separator |
com.sun.identity.agents.config.attribute.date.format |
com.sun.identity.agents.config.attribute.cookie.encode |
Profile Attribute Processing Properties |
com.sun.identity.agents.config.profile.attribute.fetch.mode |
com.sun.identity.agents.config.profile.attribute.mapping[] |
Session Attribute Processing Properties |
com.sun.identity.agents.config.session.attribute.fetch.mode |
com.sun.identity.agents.config.session.attribute.mapping[] |
Response Attribute Processing Properties |
com.sun.identity.agents.config.response.attribute.fetch.mode |
com.sun.identity.agents.config.response.attribute.mapping[] |
Bypass Principal List Property |
com.sun.identity.agents.config.bypass.principal[] |
Privileged Attribute Processing Properties |
com.sun.identity.agents.config.default.privileged.attribute[] |
com.sun.identity.agents.config.privileged.attribute.type[] |
com.sun.identity.agents.config.privileged.attribute.tolowercase[] |
com.sun.identity.agents.config.privileged.session.attribute[] |
Service Resolver Property |
com.sun.identity.agents.config.service.resolver |
Agent Username and Password Properties |
com.sun.identity.agents.app.username |
com.iplanet.am.service.secret |
Encryption Key Properties |
am.encryption.pwd |
com.sun.identity.client.encryptionKey |
Debug Service Properties |
com.iplanet.services.debug.level |
com.iplanet.services.debug.directory |
SSO Token Cookie Name Property |
com.iplanet.am.cookie.name |
Naming Service URL Property |
com.iplanet.am.naming.url |
Session Client Properties |
com.iplanet.am.notification.url |
com.iplanet.am.session.client.polling.enable |
com.iplanet.am.session.client.polling.period |
Encryption Provider Property |
com.iplanet.security.encryptor |
User Data Cache Update Time Property |
com.iplanet.am.sdk.remote.pollingTime |
Service Data Cache Update Time Property |
com.sun.identity.sm.cacheTime |
SAML Service Properties |
com.iplanet.am.localserver.protocol |
com.iplanet.am.localserver.host |
com.iplanet.am.localserver.port |
Authentication Service Properties |
com.iplanet.am.server.protocol |
com.iplanet.am.server.host |
com.iplanet.am.server.port |
Policy Client Properties |
com.sun.identity.agents.server.log.file.name |
com.sun.identity.agents.logging.level |
com.sun.identity.agents.notification.enabled |
com.sun.identity.agents.notification.url |
com.sun.identity.agents.polling.interval |
com.sun.identity.policy.client.cacheMode |
com.sun.identity.policy.client.booleanActionValues |
com.sun.identity.policy.client.resourceComparators |
com.sun.identity.policy.client.clockSkew |
This section provides a brief description of all the J2EE agent properties in the AMAgent.properties configuration file. The properties are divided into categories according to the aspect of Policy Agent that each property enables you to modify.
· com.sun.identity.agents.config.filter.mode
Hot-swap enabled: No
This property specifies the mode of operation of the filter. The following are valid values for this property:
NONE |
SSO_ONLY |
URL_POLICY |
This property can also be specified as an application specific property. However, the global property must be overwritten.
com.sun.identity.agents.config.user.mapping.mode[] |
com.sun.identity.agents.config.user.attribute.name |
com.sun.identity.agents.config.user.principal |
com.sun.identity.agents.config.user.token |
· com.sun.identity.agents.config.user.mapping.mode[]
Hot-swap enabled: No
This property specifies the mechanism by which the user ID used on the protected server for the authenticated user is determined by the J2EE agent. The following are valid values for this property:
USER_ID |
PROFILE_ATTRIBUTE |
HTTP_HEADER |
SESSION_PROPERTY |
· com.sun.identity.agents.config.user.attribute.name
Hot-swap enabled: No
This property specifies the name of the profile attribute, HTTP header, or session property that contains the user ID used on the protected server for the authenticated user.
Key Properties Affecting This Property
This property is not used when the following property is set as shown:
com.sun.identity.agents.config.user.mapping.mode = USER_ID
· com.sun.identity.agents.config.user.principal
Hot-swap enabled: No
This property is a flag that indicates how the user is authenticated on the protected server. When this property is set to true, the principal of the authenticated user, not simply the user ID, is used for authentication purposes.
Key Properties Affecting This Property
This property is only used when the following property is set as shown:
com.sun.identity.agents.config.user.mapping.mode = USER_ID
· com.sun.identity.agents.config.user.token
Hot-swap enabled: No
This property specifies a session property name which contains the user ID of the authenticated user in session.
Key Properties Affecting This Property
This property is only used when the following properties are set as shown:
com.sun.identity.agents.config.user.mapping.mode = USER_ID com.sun.identity.agents.config.user.principal = false
com.sun.identity.agents.config.client.ip.header |
com.sun.identity.agents.config.client.hostname.header |
· com.sun.identity.agents.config.client.ip.header
Hot-swap enabled: No
This property specifies an HTTP header name that holds the IP address of the client. If you will not employ this property, leave it blank.
· com.sun.identity.agents.config.client.hostname.header
Hot-swap enabled: No
This property specifies an HTTP header name that holds the hostname of the client. If you do not use this property, leave it blank.
· com.sun.identity.agents.config.load.interval
Hot-swap enabled: Yes
This property specifies the interval in seconds between configuration reloads. When this property is set to 0, the hot-swap mechanism is disabled.
com.sun.identity.agents.config.locale.language |
com.sun.identity.agents.config.locale.country |
· com.sun.identity.agents.config.locale.language
Hot-swap enabled: No
This property specifies the language code, such as en for English, for identifying the locale in which the site operates.
· com.sun.identity.agents.config.locale.country
Hot-swap enabled: No
This property specifies the country code for identifying the locale in which the site operates.
· com.sun.identity.agents.config.organization.name
Hot-swap enabled: No
This property specifies the organization or realm name used to authenticate the agent during runtime. The default value “/” identifies the root organization or realm.
com.sun.identity.agents.config.audit.accesstype |
com.sun.identity.agents.config.log.disposition |
com.sun.identity.agents.config.remote.logfile |
com.sun.identity.agents.config.local.logfile |
com.sun.identity.agents.config.local.log.rotate |
com.sun.identity.agents.config.local.log.size |
· com.sun.identity.agents.config.audit.accesstype
Hot-swap enabled: No
This property specifies the access type or access types logged by the agent. The following are valid values for this property:
LOG_NONE |
LOG_ALLOW |
LOG_DENY |
LOG_BOTH |
· com.sun.identity.agents.config.log.disposition
Hot-swap enabled: Yes
This property specifies the audit log mode that the agent uses when writing audit log messages. The following are valid values for this property:
LOCAL |
REMOTE |
ALL |
Key Properties Affecting This Property
This property is not used when the following property is set as shown:
com.sun.identity.agents.config.audit.accesstype = LOG_NONE
· com.sun.identity.agents.config.remote.logfile
Hot-swap enabled: Yes
This property specifies the file name used on the remote server.
Key Properties Affecting This Property
This property is not used when the following property is set as shown:
com.sun.identity.agents.config.log.disposition = LOCAL
· com.sun.identity.agents.config.local.logfile
Hot-swap enabled: Yes
This property specifies the complete path to the local audit log file to be used by the agent.
Key Properties Affecting This Property
This property is only used when the following property is set as shown:
com.sun.identity.agents.config.log.disposition = LOCAL
· com.sun.identity.agents.config.local.log.rotate
Hot-swap enabled: Yes
This property is a flag that indicates whether the rotation of audit log local file is enabled or disabled.
Key Properties Affecting This Property
This property is only used when the following property is set as shown:
com.sun.identity.agents.config.log.disposition = LOCAL
· com.sun.identity.agents.config.local.log.size
Hot-swap enabled: Yes
This property specifies the size in bytes of the local audit log file, beyond which the agent rotates the log file.
Key Properties Affecting This Property
This property is only used when the following property is set as shown:
com.sun.identity.agents.config.log.disposition = LOCAL
com.sun.identity.agents.config.webservice.enable |
com.sun.identity.agents.config.webservice.endpoint[] |
com.sun.identity.agents.config.webservice.process.get.enable |
com.sun.identity.agents.config.webservice.authenticator |
com.sun.identity.agents.config.webservice.internalerror.content |
com.sun.identity.agents.config.webservice.autherror.content |
· com.sun.identity.agents.config.webservice.enable
Hot-swap enabled: Yes
This property is a flag that indicates whether web service processing is enabled or disabled.
· com.sun.identity.agents.config.webservice.endpoint[]
Hot-swap enabled: Yes
This property is a list construct for listing web application end points that represent web services.
· com.sun.identity.agents.config.webservice.process.get.enable
Hot-swap enabled: Yes
This property is a flag that indicates whether the processing of HTTP GET requests for web service endpoints is enabled or disabled.
· com.sun.identity.agents.config.webservice.authenticator
Hot-swap enabled: Yes
This property specifies an implementation class that can be used to authenticate web-service requests.
· com.sun.identity.agents.config.webservice.internalerror.content
Hot-swap enabled: Yes
This property specifies the name of a file that contains content used by the agent to generate an internal error fault for clients.
· com.sun.identity.agents.config.webservice.autherror.content
Hot-swap enabled: Yes
This property specifies the name of a file that contains content used by the agent to generate an authorization error fault for clients.
· com.sun.identity.agents.config.access.denied.uri
Hot-swap enabled: Yes
This property specifies the URI used by the agent to block unauthorized access requests. If you will not employ this property, leave it blank.
com.sun.identity.agents.config.login.form[] |
com.sun.identity.agents.config.login.error.uri[] |
com.sun.identity.agents.config.login.use.internal |
com.sun.identity.agents.config.login.content.file |
· com.sun.identity.agents.config.login.form[]
Hot-swap enabled: Yes
This property is a list construct. This property is used by the agent to identify login requests and to take appropriate action. Each entry in the list should be the absolute URI of the resource specified in the web.xml deployment descriptor of the protected application in the element form-login-page.
· com.sun.identity.agents.config.login.error.uri[]
Hot-swap enabled: Yes
This property is a list construct. This property is used by the agent to identify error page requests and to take appropriate action. Each entry in the list should be the absolute URI of the resource specified in the web.xml deployment descriptor of the protected application in the element form-error-page.
· com.sun.identity.agents.config.login.use.internal
Hot-swap enabled: Yes
This property is a flag that specifies whether the agent should use internal content for handling form login requests.
· com.sun.identity.agents.config.login.content.file
Hot-swap enabled: Yes
This property specifies the name or complete path of the file used by the agent for handling form login requests.
Key Properties Affecting This Property
This property is only used when the following property is set as shown:
com.sun.identity.agents.config.login.use.internal = true
com.sun.identity.agents.config.auth.handler[] |
com.sun.identity.agents.config.logout.handler[] |
com.sun.identity.agents.config.verification.handler[] |
· com.sun.identity.agents.config.auth.handler[]
Hot-swap enabled: Yes
This property is a map construct that specifies the application specific authentication handler used by the agent to authenticate the logged on user with the deployment container for the particular application.
· com.sun.identity.agents.config.logout.handler[]
Hot-swap enabled: Yes
This property is a map construct that specifies the application specific logout handler used by the agent to log out the logged on user within the deployment container for the particular application.
· com.sun.identity.agents.config.verification.handler[]
Hot-swap enabled: Yes
This property is a map construct that specifies the application specific local verification handler used by the agent to validate the user credentials with the local repository.
· com.sun.identity.agents.config.redirect.param
Hot-swap enabled: Yes
This property specifies the parameter name used by the agent when redirecting the user to the appropriate authentication service. The value of this parameter is used by the authentication service to redirect the user to the original requested destination.
· com.sun.identity.agents.config.login.url[]
Hot-swap enabled: Yes
This property is a list construct for listing the login URL (one or more) to be used by the agent to redirect incoming users without sufficient credentials to the Access Manager authentication service.
· com.sun.identity.agents.config.login.url.prioritized
Hot-swap enabled: Yes
This property is a flag that specifies if the failover sequence for the login URL list and the CDSSO URL list is prioritized. The URL associated with the lowest index, [0], has the highest priority. When set to true, this property turns on prioritization for both the login URL list and the CDSSO URL list, assuming each list exists. The following properties are used to create these two URL lists:
com.sun.identity.agents.config.login.url[]
com.sun.identity.agents.config.cdsso.cdcservlet.url[]
For more information about enabling failover, see Enabling Failover in J2EE Agents.
com.sun.identity.agents.config.agent.host |
com.sun.identity.agents.config.agent.port |
com.sun.identity.agents.config.agent.protocol |
· com.sun.identity.agents.config.agent.host
Hot-swap enabled: Yes
This property specifies the host name that identifies the agent protected server to client browsers if the host name is different from the actual host name. If you will not employ this property, leave it blank.
· com.sun.identity.agents.config.agent.port
Hot-swap enabled: Yes
This property specifies the port number that identifies the agent protected server listening port to client browsers if the port number is different from the actual listening port. If you will not employ this property, leave it blank.
· com.sun.identity.agents.config.agent.protocol
Hot-swap enabled: Yes
The property specifies the protocol, HTTP or HTTPS , used by client browsers to communicate with the agent protected server if the protocol is different from the actual protocol used by the server.
· com.sun.identity.agents.config.login.attempt.limit
Hot-swap enabled: Yes
This property specifies the number of unsuccessful login attempts users are allowed to make during a single browser session before such attempts trigger a block on further requests. Setting the value of this property to 0 disables this feature.
· com.sun.identity.agents.config.sso.decode
Hot-swap enabled: Yes
This property is a flag that specifies whether the SSO Token needs to be URL decoded by the agent before it can be used.
· com.sun.identity.agents.config.amsso.cache.enable
Hot-swap enabled: Yes
This property is a flag that specifies whether the SSO cache is active for the agent. This cache is used through public API exposed by the agent SDK.
com.sun.identity.agents.config.cookie.reset.enable |
com.sun.identity.agents.config.cookie.reset.name[] |
com.sun.identity.agents.config.cookie.reset.domain[] |
com.sun.identity.agents.config.cookie.reset.path[] |
· com.sun.identity.agents.config.cookie.reset.enable
Hot-swap enabled: Yes
This property is a flag that specifies whether cookie reset processing is enabled or disabled.
· com.sun.identity.agents.config.cookie.reset.name[]
Hot-swap enabled: Yes
This property is a list construct for listing cookie names that are reset by the agent
Key Properties Affecting This Property
This property is only used when the following property is set as shown:
com.sun.identity.agents.config.cookie.reset.enable = true
· com.sun.identity.agents.config.cookie.reset.domain[]
Hot-swap enabled: Yes
This property is a map construct. The key for this map construct is a cookie name and the value for this map construct is the domain of that cookie.
Key Properties Affecting This Property
This property is used when one of the cookies listed in following property matches the key for this property:
com.sun.identity.agents.config.cookie.reset.name[]
· com.sun.identity.agents.config.cookie.reset.path[]
Hot-swap enabled: Yes
This property is a map construct. The key for this map construct is a cookie name and the value for this map construct is the path of that cookie.
Key Properties Affecting This Property
This property is used when one of the path names listed in following property matches the key for this property:
com.sun.identity.agents.config.cookie.reset.name[]
com.sun.identity.agents.config.cdsso.enable |
com.sun.identity.agents.config.cdsso.redirect.uri |
com.sun.identity.agents.config.cdsso.cdcservlet.url[] |
com.sun.identity.agents.config.cdsso.clock.skew |
com.sun.identity.agents.config.cdsso.trusted.id.provider[] |
· com.sun.identity.agents.config.cdsso.enable
Hot-swap enabled: Yes
This property is a flag that specifies whether CDSSO processing is enabled or disabled.
· com.sun.identity.agents.config.cdsso.redirect.uri
Hot-swap enabled: Yes
This property specifies an intermediate URI that is used by the agent for processing CDSSO requests.
· com.sun.identity.agents.config.cdsso.cdcservlet.url[]
Hot-swap enabled: Yes
This property is a list construct for listing the URL of the available CDSSO controllers that can be used by the agent for CDSSO processing.
· com.sun.identity.agents.config.cdsso.clock.skew
Hot-swap enabled: Yes
This property specifies a time in seconds that is used by the agent to determine the validity of the CDSSO AuthnResponse assertion.
· com.sun.identity.agents.config.cdsso.trusted.id.provider[]
Hot-swap enabled: Yes
This property is a list construct for listing the Access Manager server providers, ID providers, or both to be trusted by the agent during the evaluation process.
com.sun.identity.agents.config.logout.application.handler[] |
com.sun.identity.agents.config.logout.uri[] |
com.sun.identity.agents.config.logout.request.param[] |
com.sun.identity.agents.config.logout.introspect.enabled |
com.sun.identity.agents.config.logout.entry.uri[] |
· com.sun.identity.agents.config.logout.application.handler[]
Hot-swap enabled: Yes
This property is a map construct that is application specific. It identifies a handler to be used for logout processing.
· com.sun.identity.agents.config.logout.uri[]
Hot-swap enabled: Yes
This property is a map construct that is application specific. It identifies a request URI which indicates a logout event.
· com.sun.identity.agents.config.logout.request.param[]
Hot-swap enabled: Yes
This property is a map construct that is application specific. It identifies a parameter which when present in the HTTP request indicates a logout event.
· com.sun.identity.agents.config.logout.introspect.enabled
Hot-swap enabled: Yes
This property is a flag that allows the agent to search an HTTP request body for a logout parameter.
· com.sun.identity.agents.config.logout.entry.uri[]
Hot-swap enabled: Yes
This property is a map construct that is application specific. It identifies a URI to be used as an entry point after successful logout and subsequent to successful authentication if applicable.
com.sun.identity.agents.config.fqdn.check.enable |
com.sun.identity.agents.config.fqdn.default |
com.sun.identity.agents.config.fqdn.mapping[] |
· com.sun.identity.agents.config.fqdn.check.enable
Hot-swap enabled: Yes
This property is a flag that indicates whether FQDN checking is enabled or disabled.
· com.sun.identity.agents.config.fqdn.default
Hot-swap enabled: Yes
This property specifies a hostname that represents the default FQDN to be used by the agent when necessary.
· com.sun.identity.agents.config.fqdn.mapping[]
Hot-swap enabled: Yes
This property is a map construct that specifies a mapping from the key, which is an invalid FQDN entry to its value, which is a valid FQDN entry.
com.sun.identity.agents.config.legacy.support.enable |
com.sun.identity.agents.config.legacy.user.agent[] |
com.sun.identity.agents.config.legacy.redirect.uri |
· com.sun.identity.agents.config.legacy.support.enable
Hot-swap enabled: Yes
This property is a flag that specifies whether legacy user agent support is enabled or disabled.
· com.sun.identity.agents.config.legacy.user.agent[]
Hot-swap enabled: Yes
This property is a list construct for listing user agent header values. These values identify legacy browsers. Entries in this list can contain the wild card character “*.”
· com.sun.identity.agents.config.legacy.redirect.uri
Hot-swap enabled: Yes
This property specifies an intermediate URI used by the agent to redirect legacy user agent requests.
· com.sun.identity.agents.config.response.header[]
Hot-swap enabled: Yes
This property is a map construct that specifies the custom headers that are set by the agent on the client browser. The key is the header name while the value represents the header value.
· com.sun.identity.agents.config.redirect.attempt.limit
Hot-swap enabled: Yes
This property specifies the number of successive single point redirects that users are allowed during a single browser session before such redirects trigger a block of the user request. Setting the value of this property to 0 disables this feature.
|
com.sun.identity.agents.config.port.check.enable |
com.sun.identity.agents.config.port.check.file |
com.sun.identity.agents.config.port.check.setting[] |
· com.sun.identity.agents.config.port.check.enable
Hot-swap enabled: Yes
This property is a flag that indicates whether port check functionality is enabled or disabled.
· com.sun.identity.agents.config.port.check.file
Hot-swap enabled: Yes
This property specifies the name or complete path of a file that has the content required to process requests that call for port correction.
· com.sun.identity.agents.config.port.check.setting[]
Hot-swap enabled: Yes
This property is a map construct of port versus protocol entries where the key is the listening port number and the value is the listening protocol used by the agent to identify requests with invalid port numbers.
com.sun.identity.agents.config.notenforced.uri[] |
com.sun.identity.agents.config.notenforced.uri.invert |
com.sun.identity.agents.config.notenforced.uri.cache.enable |
com.sun.identity.agents.config.notenforced.uri.cache.size |
· com.sun.identity.agents.config.notenforced.uri[]
Hot-swap enabled: Yes
This property is a list construct for listing URI for which protection is not enforced by the agent.
· com.sun.identity.agents.config.notenforced.uri.invert
Hot-swap enabled: Yes
This property is a flag that specifies whether to invert the list of URI on the not-enforced list. A value of true directs the agent to deny access (enforce protection) to URI on the list and to allow access (not enforce protection) to URI that are not on the list. Entries on this list can contain the wild card character “*.”
Key Properties Affecting This Property
This property enforces URI on the not-enforced list, which is the list assigned to the following property:
com.sun.identity.agents.config.notenforced.uri[]
· com.sun.identity.agents.config.notenforced.uri.cache.enable
Hot-swap enabled: Yes
This property is a flag that specifies whether the caching of the not-enforced URI list evaluation results is enabled or disabled.
· com.sun.identity.agents.config.notenforced.uri.cache.size
Hot-swap enabled: Yes
This property specifies the size of the cache to be used if caching of not-enforced URI list evaluation results is enabled.
Key Properties Affecting This Property
This property is only used when the following property is set as shown:
com.sun.identity.agents.config.notenforced.uri.cache.enable = true
com.sun.identity.agents.config.notenforced.ip[] |
com.sun.identity.agents.config.notenforced.ip.invert |
com.sun.identity.agents.config.notenforced.ip.cache.enable |
com.sun.identity.agents.config.notenforced.ip.cache.size |
· com.sun.identity.agents.config.notenforced.ip[]
Hot-swap enabled: Yes
This property is a list construct for listing client IP addresses for which protection is not enforced by the agent.
· com.sun.identity.agents.config.notenforced.ip.invert
Hot-swap enabled: Yes
This property is a flag that specifies whether to invert the not-enforced client IP address list. A value of true directs the agent to deny access (enforce protection) to client IP addresses on the list and to allow access (not enforce protection) for all other client IP addresses. Entries on this list can contain the wild card character “*.”
Key Properties Affecting This Property
This property enforces URI on the not-enforced IP list, which is the list assigned to the following property:
com.sun.identity.agents.config.notenforced.ip[]
· com.sun.identity.agents.config.notenforced.ip.cache.enable
Hot-swap enabled: Yes
A flag that specifies whether the caching of not-enforced IP list evaluation results is enabled or disabled.
· com.sun.identity.agents.config.notenforced.ip.cache.size
Hot-swap enabled: Yes
This property specifies the size of the cache to be used if caching of not-enforced IP list evaluation results is enabled.
Key Properties Affecting This Property
This property is only used when the following property is set as shown:
com.sun.identity.agents.config.notenforced.ip.cache.enable = true
com.sun.identity.agents.config.attribute.cookie.separator |
com.sun.identity.agents.config.attribute.date.format |
com.sun.identity.agents.config.attribute.cookie.encode |
· com.sun.identity.agents.config.attribute.cookie.separator
Hot-swap enabled: Yes
This property specifies that a character be used to separate multiple values of the same attribute when it is being set as a cookie.
· com.sun.identity.agents.config.attribute.cookie.encode
Hot-swap enabled: Yes
This property is a flag that indicates whether the value of the attribute should be URL encoded before being set as a cookie.
· com.sun.identity.agents.config.attribute.date.format
Hot-swap enabled: Yes
This property specifies the format of date attribute values used when the attribute is set as an HTTP header. This format is based on the definition provided in java.text.SimpleDateFormat.
com.sun.identity.agents.config.profile.attribute.fetch.mode |
com.sun.identity.agents.config.profile.attribute.mapping[] |
· com.sun.identity.agents.config.profile.attribute.fetch.mode
Hot-swap enabled: Yes
This property specifies the mode used to fetch profile attributes. The following are valid values for this property:
NONE |
HTTP_HEADER |
REQUEST_ATTRIBUTE |
HTTP_COOKIE |
· com.sun.identity.agents.config.profile.attribute.mapping[]
Hot-swap enabled: Yes
This property is a map construct that specifies the profile attributes populated under specific names for the currently authenticated user. The key for this map construct is the profile attribute name and the value is the name under which that attribute is made available.
com.sun.identity.agents.config.session.attribute.fetch.mode |
com.sun.identity.agents.config.session.attribute.mapping[] |
· com.sun.identity.agents.config.session.attribute.fetch.mode
Hot-swap enabled: Yes
This property specifies the mode used to fetch session attributes. The following are valid values for this property:
NONE |
HTTP_HEADER |
REQUEST_ATTRIBUTE |
HTTP_COOKIE |
· com.sun.identity.agents.config.session.attribute.mapping[]
Hot-swap enabled: Yes
This property is a map construct that specifies the session attributes populated under specific names for the currently authenticated user. The key for this map construct is the session attribute name and the value is the name under which that attribute is made available.
com.sun.identity.agents.config.response.attribute.fetch.mode |
com.sun.identity.agents.config.response.attribute.mapping[] |
· com.sun.identity.agents.config.response.attribute.fetch.mode
Hot-swap enabled: Yes
This property specifies the mode used to fetch policy response attributes. The following are valid values for this property:
NONE |
HTTP_HEADER |
REQUEST_ATTRIBUTE |
HTTP_COOKIE |
· com.sun.identity.agents.config.response.attribute.mapping[]
Hot-swap enabled: Yes
This property is a map construct that specifies the policy response attributes to be populated under specific names for the currently authenticated user. The key for this map construct is the policy response attribute name and the value is the name under which that attribute is made available.
· com.sun.identity.agents.config.bypass.principal[]
Hot-swap enabled: No
This property is a list construct for listing principals that are to be bypassed by the agent for authentication and search purposes.
com.sun.identity.agents.config.default.privileged.attribute[] |
com.sun.identity.agents.config.privileged.attribute.type[] |
com.sun.identity.agents.config.privileged.attribute.tolowercase[] |
com.sun.identity.agents.config.privileged.session.attribute[] |
· com.sun.identity.agents.config.default.privileged.attribute[]
Hot-swap enabled: No
This property is a list construct for listing privileged attributes to be granted to all users who have a valid Access Manager session.
· com.sun.identity.agents.config.privileged.attribute.type[]
Hot-swap enabled: No
This property is a list construct for listing privileged attribute types to be fetched for each user.
· com.sun.identity.agents.config.privileged.attribute.tolowercase[]
Hot-swap enabled: No
This property is a map construct that specifies whether the privileged attribute types are converted to lowercase.
Key Properties Affecting This Property
This property converts the attribute types assigned to the following property to lower case:
com.sun.identity.agents.config.privileged.attribute.type[]
· com.sun.identity.agents.config.privileged.session.attribute[]
Hot-swap enabled: No
This property is a list construct for listing session property names that hold privileged attributes for the authenticated user.
· com.sun.identity.agents.config.service.resolver
Hot-swap enabled: No
This property specifies the service resolver used by this agent.
com.sun.identity.agents.app.username |
com.iplanet.am.service.secret |
· com.sun.identity.agents.app.username
Hot-swap enabled: No
This property specifies the user name used by the agent to identify and authenticate itself to Access Manager before requesting any services that require such agent authentication.
· com.iplanet.am.service.secret
Hot-swap enabled: No
This property specifies the password used by the agent to identify and authenticate itself to Access Managerbefore requesting any services that require such agent authentication.
am.encryption.pwd |
com.sun.identity.client.encryptionKey |
· am.encryption.pwd
Hot-swap enabled: No
This property specifies a global encryption key used when applications use client SDK API. This encryption key is used to secure data globally by all Access Manager server instances and by clients.
· com.sun.identity.client.encryptionKey
Hot-swap enabled: No
This property specifies the encryption key used to encrypt the agent profile password as it is stored in the J2EE agent. The agent profile password is encrypted in a different manner in Access Manager. This encryption key is not shared with Access Manager or with other clients.
com.iplanet.services.debug.level |
com.iplanet.services.debug.directory |
· com.iplanet.services.debug.level
Hot-swap enabled: No
This property specifies the debug level to be used. The following are valid values for this property:
off |
error |
warning |
message |
· com.iplanet.services.debug.directory
Hot-swap enabled: No
This property specifies the complete path to the directory where debug files are to be stored by the agent.
· com.iplanet.am.cookie.name
Hot-swap enabled: No
This property specifies the name of the SSO token cookie used betweenAccess Manager and the agent.
· com.iplanet.am.naming.url
Hot-swap enabled: No
This property specifies the naming service URL (one or more) that can be used by the system for naming lookups. Multiple URL can be specified for this property as a string. URL are separated from one another in the string by a single space character.
com.iplanet.am.notification.url |
com.iplanet.am.session.client.polling.enable |
com.iplanet.am.session.client.polling.period |
· com.iplanet.am.notification.url
Hot-swap enabled: No
This property specifies the notification URL to be used by the agent to receive session notifications.
· com.iplanet.am.session.client.polling.enable
Hot-swap enabled: No
This property is a flag that specifies whether the session client uses polling for updating session information instead of depending upon server notifications.
· com.iplanet.am.session.client.polling.period
Hot-swap enabled: No
This property specifies the time in seconds after which the session client requests an update of cached session information from the server.
· com.iplanet.security.encryptor
Hot-swap enabled: No
This property specifies the encryption provider implementation to be used by the agent.
· com.iplanet.am.sdk.remote.pollingTime
Hot-swap enabled: No
This property specifies the cache update time in minutes for user management data if a notification URL is not provided.
Key Properties Affecting This Property
This property is used if a notification URL is not specified with the following property:
com.iplanet.am.notification.url
· com.sun.identity.sm.cacheTime
Hot-swap enabled: No
This property specifies the cache update time in minutes for service configuration data if a notification URL is not provided.
Key Properties Affecting This Property
This property is used if a notification URL is not specified with the following property:
com.iplanet.am.notification.url
com.iplanet.am.localserver.protocol |
com.iplanet.am.localserver.host |
com.iplanet.am.localserver.port |
· com.iplanet.am.localserver.protocol
Hot-swap enabled: No
This property specifies the server protocol to be used for SAML service.
· com.iplanet.am.localserver.host
Hot-swap enabled: No
This property specifies the server host to be used for SAML service.
· com.iplanet.am.localserver.port
Hot-swap enabled: No
This property specifies the server port to be used for SAML service.
com.iplanet.am.server.protocol |
com.iplanet.am.server.host |
com.iplanet.am.server.port |
· com.iplanet.am.server.protocol
Hot-swap enabled: No
This property specifies the protocol to be used by Authentication Service.
· com.iplanet.am.server.host
Hot-swap enabled: No
This property specifies the host to be used by Authentication Service.
· com.iplanet.am.server.port
Hot-swap enabled: No
This property specifies the port to be used by Authentication Service.
com.sun.identity.agents.server.log.file.name |
com.sun.identity.agents.logging.level |
com.sun.identity.agents.notification.enabled |
com.sun.identity.agents.notification.url |
com.sun.identity.agents.polling.interval |
com.sun.identity.policy.client.cacheMode |
com.sun.identity.policy.client.booleanActionValues |
com.sun.identity.policy.client.resourceComparators |
com.sun.identity.policy.client.clockSkew |
· com.sun.identity.agents.server.log.file.name
Hot-swap enabled: No
This property specifies the name of the log file for logging messages to Access Manager.
· com.sun.identity.agents.logging.level
Hot-swap enabled: No
This property specifies the level of remote policy logging. The following are valid values for this property:
ALLOW |
DENY |
BOTH |
NONE |
· com.sun.identity.agents.notification.enabled
Hot-swap enabled: No
This property is a flag that specifies whether notifications are enabled or disabled for the remote policy client.
· com.sun.identity.agents.notification.url
Hot-swap enabled: No
This property specifies the notification URL for the remote policy client.
Key Properties Affecting This Property
This property is used if notification is enabled for a remote policy client property, which occurs when the following property is set as shown:
com.sun.identity.agents.notification.enabled = true
· com.sun.identity.agents.polling.interval
Hot-swap enabled: No
This property specifies the duration in minutes after which the cached entries are refreshed by the remote policy client.
· com.sun.identity.policy.client.cacheMode
Hot-swap enabled: No
This property specifies the mode of caching to be used by the remote policy client. The following are valid values for this property:
subtree |
self |
The subtree value is preferable for a small number of policy rules. In all other cases, the self value is preferable.
· com.sun.identity.policy.client.booleanActionValues
Hot-swap enabled: No
This property specifies boolean action values for policy action names. Assign values to this property using the following format:
serviceName|actionName|trueValue|falseValue
· com.sun.identity.policy.client.resourceComparators
Hot-swap enabled: No
This property specifies resource comparators to be used for different service names.
· com.sun.identity.policy.client.clockSkew
Hot-swap enabled: No
This property specifies the time in seconds which is allowed to accommodate the time difference between the Access Manager machine and the remote policy client machine.