Sun Java System Access Manager Policy Agent 2.2 Guide for JBoss Application Server 4.0

Appendix B J2EE Agent AMAgent.properties Configuration File in Policy Agent 2.2

The J2EE AMAgent.properties configuration file contains the necessary configuration properties needed for the agent to function properly. It also contains the necessary information needed for the Sun Java System Access Manager SDK to function properly in a client installation mode as used by the agent.


Caution –

The content of the J2EE agent AMAgent.properties configuration file is very sensitive. Changes made can result in changes in how the agent works. Errors made can cause the agent to malfunction.


This appendix provides basic information about the J2EE AMAgent.properties configuration file. Specifically, this appendix describes where the configuration file is located, provides a quick list of the properties, and provides the same list with a brief description of each property. This appendix organizes the information as follows:

Location of the J2EE AMAgent.properties Configuration File

List of Properties in the J2EE AMAgent.properties Configuration File

Description of Properties in the J2EE AMAgent.properties Configuration File

Each property is described in more detail in the actual J2EE AMAgent.properties configuration file. Furthermore, for an explanation of key features of this configuration file and tasks that you can accomplish with it, see Key Features and Tasks Performed With the J2EE AMAgent.properties Configuration File.

Location of the J2EE AMAgent.properties Configuration File

The following is the location of the J2EE AMAgent.properties configuration file:

PolicyAgent-base/AgentInstance-Dir/config

For more information about the Policy Agent 2.2 directory structure, see J2EE Agent Directory Structure in Policy Agent 2.2.

List of Properties in the J2EE AMAgent.properties Configuration File

This section provides a list of all the J2EE agent properties in the AMAgent.properties configuration file. The properties are divided into categories according to the aspect of Policy Agent that each property enables you to modify.

Filter Operation Mode Property

com.sun.identity.agents.config.filter.mode

User Mapping Properties

com.sun.identity.agents.config.user.mapping.mode[]

com.sun.identity.agents.config.user.attribute.name

com.sun.identity.agents.config.user.principal

com.sun.identity.agents.config.user.token

Client Identification Properties

com.sun.identity.agents.config.client.ip.header

com.sun.identity.agents.config.client.hostname.header

Configuration Reload Interval Property

com.sun.identity.agents.config.load.interval

Locale Identification Properties

com.sun.identity.agents.config.locale.language

com.sun.identity.agents.config.locale.country

Organization Name Property

com.sun.identity.agents.config.organization.name

Audit Log Properties

com.sun.identity.agents.config.audit.accesstype

com.sun.identity.agents.config.log.disposition

com.sun.identity.agents.config.remote.logfile

com.sun.identity.agents.config.local.logfile

com.sun.identity.agents.config.local.log.rotate

com.sun.identity.agents.config.local.log.size

Web Service Processing Properties

com.sun.identity.agents.config.webservice.enable

com.sun.identity.agents.config.webservice.endpoint[]

com.sun.identity.agents.config.webservice.process.get.enable

com.sun.identity.agents.config.webservice.authenticator

com.sun.identity.agents.config.webservice.internalerror.content

com.sun.identity.agents.config.webservice.autherror.content

Access Denied URI Property

com.sun.identity.agents.config.access.denied.uri

Form Login Processing Properties

com.sun.identity.agents.config.login.form[]

com.sun.identity.agents.config.login.error.uri[]

com.sun.identity.agents.config.login.use.internal

com.sun.identity.agents.config.login.content.file

Local Authentication Processing Properties

com.sun.identity.agents.config.auth.handler[]

com.sun.identity.agents.config.logout.handler[]

com.sun.identity.agents.config.verification.handler[]

Goto Parameter Name Property

com.sun.identity.agents.config.redirect.param

Login URL Property

com.sun.identity.agents.config.login.url[]

Login URL Prioritized Flag Property

com.sun.identity.agents.config.login.url.prioritized

Agent Server Properties

com.sun.identity.agents.config.agent.host

com.sun.identity.agents.config.agent.port

com.sun.identity.agents.config.agent.protocol

Login Attempt Limit Property

com.sun.identity.agents.config.login.attempt.limit

URL Decode SSO Token Property

com.sun.identity.agents.config.sso.decode

SSO Cache Enable Property

com.sun.identity.agents.config.amsso.cache.enable

Cookie Reset Processing Properties

com.sun.identity.agents.config.cookie.reset.enable

com.sun.identity.agents.config.cookie.reset.name[]

com.sun.identity.agents.config.cookie.reset.domain[]

com.sun.identity.agents.config.cookie.reset.path[]

CDSSO Processing Properties

com.sun.identity.agents.config.cdsso.enable

com.sun.identity.agents.config.cdsso.redirect.uri

com.sun.identity.agents.config.cdsso.cdcservlet.url[]

com.sun.identity.agents.config.cdsso.clock.skew

com.sun.identity.agents.config.cdsso.trusted.id.provider[]

Logout Processing Properties

com.sun.identity.agents.config.logout.application.handler[]

com.sun.identity.agents.config.logout.uri[]

com.sun.identity.agents.config.logout.request.param[]

com.sun.identity.agents.config.logout.introspect.enabled

com.sun.identity.agents.config.logout.entry.uri[]

FQDN Processing Properties

com.sun.identity.agents.config.fqdn.check.enable

com.sun.identity.agents.config.fqdn.default

com.sun.identity.agents.config.fqdn.mapping[]

Legacy User Agent Processing Properties

com.sun.identity.agents.config.legacy.support.enable

com.sun.identity.agents.config.legacy.user.agent[]

com.sun.identity.agents.config.legacy.redirect.uri

Custom Response Headers Property

com.sun.identity.agents.config.response.header[]

Redirect Attempt Limit Property

com.sun.identity.agents.config.redirect.attempt.limit

Port Check Processing Properties

com.sun.identity.agents.config.port.check.enable

com.sun.identity.agents.config.port.check.file

com.sun.identity.agents.config.port.check.setting[]

Not-Enforced URI Processing Properties

com.sun.identity.agents.config.notenforced.uri[]

com.sun.identity.agents.config.notenforced.uri.invert

com.sun.identity.agents.config.notenforced.uri.cache.enable

com.sun.identity.agents.config.notenforced.uri.cache.size

Not-Enforced Client IP Processing Properties

com.sun.identity.agents.config.notenforced.ip[]

com.sun.identity.agents.config.notenforced.ip.invert

com.sun.identity.agents.config.notenforced.ip.cache.enable

com.sun.identity.agents.config.notenforced.ip.cache.size

Common Attribute Fetch Processing Properties

com.sun.identity.agents.config.attribute.cookie.separator

com.sun.identity.agents.config.attribute.date.format

com.sun.identity.agents.config.attribute.cookie.encode

Profile Attribute Processing Properties

com.sun.identity.agents.config.profile.attribute.fetch.mode

com.sun.identity.agents.config.profile.attribute.mapping[]

Session Attribute Processing Properties

com.sun.identity.agents.config.session.attribute.fetch.mode

com.sun.identity.agents.config.session.attribute.mapping[]

Response Attribute Processing Properties

com.sun.identity.agents.config.response.attribute.fetch.mode

com.sun.identity.agents.config.response.attribute.mapping[]

Bypass Principal List Property

com.sun.identity.agents.config.bypass.principal[]

Privileged Attribute Processing Properties

com.sun.identity.agents.config.default.privileged.attribute[]

com.sun.identity.agents.config.privileged.attribute.type[]

com.sun.identity.agents.config.privileged.attribute.tolowercase[]

com.sun.identity.agents.config.privileged.session.attribute[]

Service Resolver Property

com.sun.identity.agents.config.service.resolver

Agent Username and Password Properties

com.sun.identity.agents.app.username

com.iplanet.am.service.secret

Encryption Key Properties

am.encryption.pwd

com.sun.identity.client.encryptionKey

Debug Service Properties

com.iplanet.services.debug.level

com.iplanet.services.debug.directory

SSO Token Cookie Name Property

com.iplanet.am.cookie.name

Naming Service URL Property

com.iplanet.am.naming.url

Session Client Properties

com.iplanet.am.notification.url

com.iplanet.am.session.client.polling.enable

com.iplanet.am.session.client.polling.period

Encryption Provider Property

com.iplanet.security.encryptor

User Data Cache Update Time Property

com.iplanet.am.sdk.remote.pollingTime

Service Data Cache Update Time Property

com.sun.identity.sm.cacheTime

SAML Service Properties

com.iplanet.am.localserver.protocol

com.iplanet.am.localserver.host

com.iplanet.am.localserver.port

Authentication Service Properties

com.iplanet.am.server.protocol

com.iplanet.am.server.host

com.iplanet.am.server.port

Policy Client Properties

com.sun.identity.agents.server.log.file.name

com.sun.identity.agents.logging.level

com.sun.identity.agents.notification.enabled

com.sun.identity.agents.notification.url

com.sun.identity.agents.polling.interval

com.sun.identity.policy.client.cacheMode

com.sun.identity.policy.client.booleanActionValues

com.sun.identity.policy.client.resourceComparators

com.sun.identity.policy.client.clockSkew

Description of Properties in the J2EE AMAgent.properties Configuration File

This section provides a brief description of all the J2EE agent properties in the AMAgent.properties configuration file. The properties are divided into categories according to the aspect of Policy Agent that each property enables you to modify.

Filter Operation Mode Property

· com.sun.identity.agents.config.filter.mode

Hot-swap enabled: No

This property specifies the mode of operation of the filter. The following are valid values for this property:

NONE

SSO_ONLY

URL_POLICY

J2EE_POLICY

ALL

This property can also be specified as an application specific property. However, the global property must be overwritten.

User Mapping Properties

com.sun.identity.agents.config.user.mapping.mode[]

com.sun.identity.agents.config.user.attribute.name

com.sun.identity.agents.config.user.principal

com.sun.identity.agents.config.user.token

· com.sun.identity.agents.config.user.mapping.mode[]

Hot-swap enabled: No

This property specifies the mechanism by which the user ID used on the protected server for the authenticated user is determined by the J2EE agent. The following are valid values for this property:

USER_ID

PROFILE_ATTRIBUTE

HTTP_HEADER

SESSION_PROPERTY

· com.sun.identity.agents.config.user.attribute.name

Hot-swap enabled: No

This property specifies the name of the profile attribute, HTTP header, or session property that contains the user ID used on the protected server for the authenticated user.

Key Properties Affecting This Property

This property is not used when the following property is set as shown:

com.sun.identity.agents.config.user.mapping.mode = USER_ID

· com.sun.identity.agents.config.user.principal

Hot-swap enabled: No

This property is a flag that indicates how the user is authenticated on the protected server. When this property is set to true, the principal of the authenticated user, not simply the user ID, is used for authentication purposes.

Key Properties Affecting This Property

This property is only used when the following property is set as shown:

com.sun.identity.agents.config.user.mapping.mode = USER_ID

· com.sun.identity.agents.config.user.token

Hot-swap enabled: No

This property specifies a session property name which contains the user ID of the authenticated user in session.

Key Properties Affecting This Property

This property is only used when the following properties are set as shown:

com.sun.identity.agents.config.user.mapping.mode = USER_ID
com.sun.identity.agents.config.user.principal = false
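The four user-mapping properties above only make sense together, so the following added example (written for this appendix, not code from the Sun guide or the agent SDK) shows how they combine to select the identity handed to the protected server. The session, header and profile dictionaries stand in for the agent SDK objects, and the session property names "UserToken" and "Principal" are assumptions of the example.

```python
# Added example (not from the Sun guide or the agent SDK): how the user-mapping
# properties combine to pick the identity used on the protected server.

MODE_KEY = "com.sun.identity.agents.config.user.mapping.mode"
ATTR_KEY = "com.sun.identity.agents.config.user.attribute.name"
PRINCIPAL_KEY = "com.sun.identity.agents.config.user.principal"
TOKEN_KEY = "com.sun.identity.agents.config.user.token"


def _is_true(value):
    return (value or "").strip().lower() == "true"


def resolve_user_id(config, session_props, http_headers, profile_attrs):
    """Return the user ID (or principal) the agent would hand to the container.

    config        -- dict of AMAgent.properties keys to string values
    session_props -- properties of the validated SSO session
    http_headers  -- request headers (looked up case-insensitively)
    profile_attrs -- user profile attributes fetched from Access Manager

    Returns None when the configured source carries no value; the caller must
    then treat the request as unauthenticated rather than fall back to a
    default user.
    """
    mode = config.get(MODE_KEY, "USER_ID").strip()
    attr = config.get(ATTR_KEY, "").strip()

    if mode == "USER_ID":
        # user.attribute.name is ignored in this mode.
        if _is_true(config.get(PRINCIPAL_KEY)):
            # Full principal of the authenticated user, not just the short ID.
            # "Principal" as the session property name is an assumption here.
            return session_props.get("Principal")
        # user.token names the session property holding the user ID; the
        # default "UserToken" is an assumption of this example.
        token_prop = config.get(TOKEN_KEY, "UserToken").strip() or "UserToken"
        return session_props.get(token_prop)

    if not attr:
        raise ValueError(f"{ATTR_KEY} must be set when {MODE_KEY} is {mode}")

    if mode == "PROFILE_ATTRIBUTE":
        return profile_attrs.get(attr)
    if mode == "HTTP_HEADER":
        # The agent trusts this header as-is, so it must be set by a trusted
        # upstream component and stripped from client-supplied requests.
        headers = {name.lower(): value for name, value in http_headers.items()}
        return headers.get(attr.lower())
    if mode == "SESSION_PROPERTY":
        return session_props.get(attr)

    raise ValueError(f"unknown {MODE_KEY} value: {mode!r}")


# Constructed sample values (not from a real deployment).
SAMPLE_CONFIG = {
    MODE_KEY: "USER_ID",
    ATTR_KEY: "",
    PRINCIPAL_KEY: "false",
    TOKEN_KEY: "UserToken",
}
SAMPLE_SESSION = {
    "UserToken": "jdoe",
    "Principal": "uid=jdoe,ou=People,dc=example,dc=com",
    "department": "finance",
}

if __name__ == "__main__":
    print(resolve_user_id(SAMPLE_CONFIG, SAMPLE_SESSION, {}, {}))
```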

Client Identification Properties

com.sun.identity.agents.config.client.ip.header

com.sun.identity.agents.config.client.hostname.header

· com.sun.identity.agents.config.client.ip.header

Hot-swap enabled: No

This property specifies an HTTP header name that holds the IP address of the client. If you will not employ this property, leave it blank.

· com.sun.identity.agents.config.client.hostname.header

Hot-swap enabled: No

This property specifies an HTTP header name that holds the hostname of the client. If you do not use this property, leave it blank.

Configuration Reload Interval Property

· com.sun.identity.agents.config.load.interval

Hot-swap enabled: Yes

This property specifies the interval in seconds between configuration reloads. When this property is set to 0, the hot-swap mechanism is disabled.

Locale Identification Properties

com.sun.identity.agents.config.locale.language

com.sun.identity.agents.config.locale.country

· com.sun.identity.agents.config.locale.language

Hot-swap enabled: No

This property specifies the language code, such as en for English, for identifying the locale in which the site operates.

· com.sun.identity.agents.config.locale.country

Hot-swap enabled: No

This property specifies the country code for identifying the locale in which the site operates.

Organization Name Property

· com.sun.identity.agents.config.organization.name

Hot-swap enabled: No

This property specifies the organization or realm name used to authenticate the agent during runtime. The default value “/” identifies the root organization or realm.

Audit Log Properties

com.sun.identity.agents.config.audit.accesstype

com.sun.identity.agents.config.log.disposition

com.sun.identity.agents.config.remote.logfile

com.sun.identity.agents.config.local.logfile

com.sun.identity.agents.config.local.log.rotate

com.sun.identity.agents.config.local.log.size

· com.sun.identity.agents.config.audit.accesstype

Hot-swap enabled: No

This property specifies the access type or access types logged by the agent. The following are valid values for this property:

LOG_NONE

LOG_ALLOW

LOG_DENY

LOG_BOTH

· com.sun.identity.agents.config.log.disposition

Hot-swap enabled: Yes

This property specifies the audit log mode that the agent uses when writing audit log messages. The following are valid values for this property:

LOCAL

REMOTE

ALL

Key Properties Affecting This Property

This property is not used when the following property is set as shown:

com.sun.identity.agents.config.audit.accesstype = LOG_NONE

· com.sun.identity.agents.config.remote.logfile

Hot-swap enabled: Yes

This property specifies the file name used on the remote server.

Key Properties Affecting This Property

This property is not used when the following property is set as shown:

com.sun.identity.agents.config.log.disposition = LOCAL

· com.sun.identity.agents.config.local.logfile

Hot-swap enabled: Yes

This property specifies the complete path to the local audit log file to be used by the agent.

Key Properties Affecting This Property

This property is only used when the following property is set as shown:

com.sun.identity.agents.config.log.disposition = LOCAL

· com.sun.identity.agents.config.local.log.rotate

Hot-swap enabled: Yes

This property is a flag that indicates whether rotation of the local audit log file is enabled or disabled.

Key Properties Affecting This Property

This property is only used when the following property is set as shown:

com.sun.identity.agents.config.log.disposition = LOCAL

· com.sun.identity.agents.config.local.log.size

Hot-swap enabled: Yes

This property specifies the size in bytes of the local audit log file, beyond which the agent rotates the log file.

Key Properties Affecting This Property

This property is only used when the following property is set as shown:

com.sun.identity.agents.config.log.disposition = LOCAL

Web Service Processing Properties

com.sun.identity.agents.config.webservice.enable

com.sun.identity.agents.config.webservice.endpoint[]

com.sun.identity.agents.config.webservice.process.get.enable

com.sun.identity.agents.config.webservice.authenticator

com.sun.identity.agents.config.webservice.internalerror.content

com.sun.identity.agents.config.webservice.autherror.content

· com.sun.identity.agents.config.webservice.enable

Hot-swap enabled: Yes

This property is a flag that indicates whether web service processing is enabled or disabled.

· com.sun.identity.agents.config.webservice.endpoint[]

Hot-swap enabled: Yes

This property is a list construct for listing web application end points that represent web services.

· com.sun.identity.agents.config.webservice.process.get.enable

Hot-swap enabled: Yes

This property is a flag that indicates whether the processing of HTTP GET requests for web service endpoints is enabled or disabled.

· com.sun.identity.agents.config.webservice.authenticator

Hot-swap enabled: Yes

This property specifies an implementation class that can be used to authenticate web-service requests.

· com.sun.identity.agents.config.webservice.internalerror.content

Hot-swap enabled: Yes

This property specifies the name of a file that contains content used by the agent to generate an internal error fault for clients.

· com.sun.identity.agents.config.webservice.autherror.content

Hot-swap enabled: Yes

This property specifies the name of a file that contains content used by the agent to generate an authorization error fault for clients.

Access Denied URI Property

· com.sun.identity.agents.config.access.denied.uri

Hot-swap enabled: Yes

This property specifies the URI used by the agent to block unauthorized access requests. If you will not employ this property, leave it blank.

Form Login Processing Properties

com.sun.identity.agents.config.login.form[]

com.sun.identity.agents.config.login.error.uri[]

com.sun.identity.agents.config.login.use.internal

com.sun.identity.agents.config.login.content.file

· com.sun.identity.agents.config.login.form[]

Hot-swap enabled: Yes

This property is a list construct. This property is used by the agent to identify login requests and to take appropriate action. Each entry in the list should be the absolute URI of the resource specified in the web.xml deployment descriptor of the protected application in the element form-login-page.

· com.sun.identity.agents.config.login.error.uri[]

Hot-swap enabled: Yes

This property is a list construct. This property is used by the agent to identify error page requests and to take appropriate action. Each entry in the list should be the absolute URI of the resource specified in the web.xml deployment descriptor of the protected application in the element form-error-page.

· com.sun.identity.agents.config.login.use.internal

Hot-swap enabled: Yes

This property is a flag that specifies whether the agent should use internal content for handling form login requests.

· com.sun.identity.agents.config.login.content.file

Hot-swap enabled: Yes

This property specifies the name or complete path of the file used by the agent for handling form login requests.

Key Properties Affecting This Property

This property is only used when the following property is set as shown:

com.sun.identity.agents.config.login.use.internal = true

Local Authentication Processing Properties

com.sun.identity.agents.config.auth.handler[]

com.sun.identity.agents.config.logout.handler[]

com.sun.identity.agents.config.verification.handler[]

· com.sun.identity.agents.config.auth.handler[]

Hot-swap enabled: Yes

This property is a map construct that specifies the application specific authentication handler used by the agent to authenticate the logged on user with the deployment container for the particular application.

· com.sun.identity.agents.config.logout.handler[]

Hot-swap enabled: Yes

This property is a map construct that specifies the application specific logout handler used by the agent to log out the logged on user within the deployment container for the particular application.

· com.sun.identity.agents.config.verification.handler[]

Hot-swap enabled: Yes

This property is a map construct that specifies the application specific local verification handler used by the agent to validate the user credentials with the local repository.

Goto Parameter Name Property

· com.sun.identity.agents.config.redirect.param

Hot-swap enabled: Yes

This property specifies the parameter name used by the agent when redirecting the user to the appropriate authentication service. The value of this parameter is used by the authentication service to redirect the user to the original requested destination.

Login URL Property

· com.sun.identity.agents.config.login.url[]

Hot-swap enabled: Yes

This property is a list construct for listing the login URL (one or more) to be used by the agent to redirect incoming users without sufficient credentials to the Access Manager authentication service.

Login URL Prioritized Flag Property

· com.sun.identity.agents.config.login.url.prioritized

Hot-swap enabled: Yes

This property is a flag that specifies whether the failover sequence for the login URL list and the CDSSO URL list is prioritized. The URL associated with the lowest index, [0], has the highest priority. When set to true, this property turns on prioritization for both the login URL list and the CDSSO URL list, assuming each list exists. The following properties are used to create these two URL lists:

Login URL List

com.sun.identity.agents.config.login.url[]

CDSSO URL List

com.sun.identity.agents.config.cdsso.cdcservlet.url[]

For more information about enabling failover, see Enabling Failover in J2EE Agents.

Agent Server Properties

com.sun.identity.agents.config.agent.host

com.sun.identity.agents.config.agent.port

com.sun.identity.agents.config.agent.protocol

· com.sun.identity.agents.config.agent.host

Hot-swap enabled: Yes

This property specifies the host name that identifies the agent protected server to client browsers if the host name is different from the actual host name. If you will not employ this property, leave it blank.

· com.sun.identity.agents.config.agent.port

Hot-swap enabled: Yes

This property specifies the port number that identifies the agent protected server listening port to client browsers if the port number is different from the actual listening port. If you will not employ this property, leave it blank.

· com.sun.identity.agents.config.agent.protocol

Hot-swap enabled: Yes

This property specifies the protocol, HTTP or HTTPS, used by client browsers to communicate with the agent protected server if the protocol is different from the actual protocol used by the server.

Login Attempt Limit Property

· com.sun.identity.agents.config.login.attempt.limit

Hot-swap enabled: Yes

This property specifies the number of unsuccessful login attempts users are allowed to make during a single browser session before such attempts trigger a block on further requests. Setting the value of this property to 0 disables this feature.

URL Decode SSO Token Flag Property

· com.sun.identity.agents.config.sso.decode

Hot-swap enabled: Yes

This property is a flag that specifies whether the SSO Token needs to be URL decoded by the agent before it can be used.

SSO Cache Enable Property

· com.sun.identity.agents.config.amsso.cache.enable

Hot-swap enabled: Yes

This property is a flag that specifies whether the SSO cache is active for the agent. This cache is used through public API exposed by the agent SDK.

Cookie Reset Processing Properties

com.sun.identity.agents.config.cookie.reset.enable

com.sun.identity.agents.config.cookie.reset.name[]

com.sun.identity.agents.config.cookie.reset.domain[]

com.sun.identity.agents.config.cookie.reset.path[]

· com.sun.identity.agents.config.cookie.reset.enable

Hot-swap enabled: Yes

This property is a flag that specifies whether cookie reset processing is enabled or disabled.

· com.sun.identity.agents.config.cookie.reset.name[]

Hot-swap enabled: Yes

This property is a list construct for listing cookie names that are reset by the agent.

Key Properties Affecting This Property

This property is only used when the following property is set as shown:

com.sun.identity.agents.config.cookie.reset.enable = true

· com.sun.identity.agents.config.cookie.reset.domain[]

Hot-swap enabled: Yes

This property is a map construct. The key for this map construct is a cookie name and the value for this map construct is the domain of that cookie.

Key Properties Affecting This Property

This property is used when one of the cookie names listed in the following property matches the key for this property:

com.sun.identity.agents.config.cookie.reset.name[]

· com.sun.identity.agents.config.cookie.reset.path[]

Hot-swap enabled: Yes

This property is a map construct. The key for this map construct is a cookie name and the value for this map construct is the path of that cookie.

Key Properties Affecting This Property

This property is used when one of the cookie names listed in the following property matches the key for this property:

com.sun.identity.agents.config.cookie.reset.name[]

CDSSO Processing Properties

com.sun.identity.agents.config.cdsso.enable

com.sun.identity.agents.config.cdsso.redirect.uri

com.sun.identity.agents.config.cdsso.cdcservlet.url[]

com.sun.identity.agents.config.cdsso.clock.skew

com.sun.identity.agents.config.cdsso.trusted.id.provider[]

· com.sun.identity.agents.config.cdsso.enable

Hot-swap enabled: Yes

This property is a flag that specifies whether CDSSO processing is enabled or disabled.

· com.sun.identity.agents.config.cdsso.redirect.uri

Hot-swap enabled: Yes

This property specifies an intermediate URI that is used by the agent for processing CDSSO requests.

· com.sun.identity.agents.config.cdsso.cdcservlet.url[]

Hot-swap enabled: Yes

This property is a list construct for listing the URL of the available CDSSO controllers that can be used by the agent for CDSSO processing.

· com.sun.identity.agents.config.cdsso.clock.skew

Hot-swap enabled: Yes

This property specifies a time in seconds that is used by the agent to determine the validity of the CDSSO AuthnResponse assertion.

· com.sun.identity.agents.config.cdsso.trusted.id.provider[]

Hot-swap enabled: Yes

This property is a list construct for listing the Access Manager server providers, ID providers, or both to be trusted by the agent during the evaluation process.

Logout Processing Properties

com.sun.identity.agents.config.logout.application.handler[]

com.sun.identity.agents.config.logout.uri[]

com.sun.identity.agents.config.logout.request.param[]

com.sun.identity.agents.config.logout.introspect.enabled

com.sun.identity.agents.config.logout.entry.uri[]

· com.sun.identity.agents.config.logout.application.handler[]

Hot-swap enabled: Yes

This property is a map construct that is application specific. It identifies a handler to be used for logout processing.

· com.sun.identity.agents.config.logout.uri[]

Hot-swap enabled: Yes

This property is a map construct that is application specific. It identifies a request URI which indicates a logout event.

· com.sun.identity.agents.config.logout.request.param[]

Hot-swap enabled: Yes

This property is a map construct that is application specific. It identifies a parameter which when present in the HTTP request indicates a logout event.

· com.sun.identity.agents.config.logout.introspect.enabled

Hot-swap enabled: Yes

This property is a flag that allows the agent to search an HTTP request body for a logout parameter.

· com.sun.identity.agents.config.logout.entry.uri[]

Hot-swap enabled: Yes

This property is a map construct that is application specific. It identifies a URI to be used as an entry point after successful logout and subsequent to successful authentication if applicable.

FQDN Processing Properties

com.sun.identity.agents.config.fqdn.check.enable

com.sun.identity.agents.config.fqdn.default

com.sun.identity.agents.config.fqdn.mapping[]

· com.sun.identity.agents.config.fqdn.check.enable

Hot-swap enabled: Yes

This property is a flag that indicates whether FQDN checking is enabled or disabled.

· com.sun.identity.agents.config.fqdn.default

Hot-swap enabled: Yes

This property specifies a hostname that represents the default FQDN to be used by the agent when necessary.

· com.sun.identity.agents.config.fqdn.mapping[]

Hot-swap enabled: Yes

This property is a map construct that specifies a mapping from the key, which is an invalid FQDN entry to its value, which is a valid FQDN entry.
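As an added example (not code from the Sun guide or the agent), the function below applies the three FQDN properties to a request's Host header: a host on the valid side of the mapping passes, a mapped invalid name is redirected to its valid FQDN, and any other name is sent to the default FQDN. Redirecting unknown hosts to the default FQDN, and keeping the original port on the redirect, are assumptions of the example; the sample names are constructed.

```python
# Added example (not from the Sun guide or the agent): FQDN check and mapping.

def fqdn_check(host_header, default_fqdn, fqdn_mapping, check_enabled=True):
    """Decide whether a request must be redirected to a valid FQDN.

    host_header   -- value of the request's Host header (host or host:port)
    default_fqdn  -- com.sun.identity.agents.config.fqdn.default
    fqdn_mapping  -- dict built from com.sun.identity.agents.config.fqdn.mapping[]
                     (invalid FQDN -> valid FQDN)
    check_enabled -- com.sun.identity.agents.config.fqdn.check.enable

    Returns None when the Host value is acceptable, otherwise the host (with
    the original port kept) the agent should redirect the browser to.
    """
    if not check_enabled:
        return None

    # Split host and port, allowing for bracketed IPv6 literals.
    if host_header.startswith("["):
        end = host_header.find("]") + 1
        host, rest = host_header[:end], host_header[end:]
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = host_header.partition(":")
    host = host.lower()

    # Host names are compared case-insensitively; the valid side of the
    # mapping plus the default FQDN are the only names that pass.
    mapping = {k.lower(): v for k, v in fqdn_mapping.items()}
    valid_hosts = {default_fqdn.lower()} | {v.lower() for v in mapping.values()}
    if host in valid_hosts:
        return None

    # A mapped invalid name goes to its configured FQDN; anything else goes to
    # the default FQDN (this fallback is an assumption of the example).
    target = mapping.get(host, default_fqdn)
    return f"{target}:{port}" if port else target


# Constructed sample values (not from a real deployment).
SAMPLE_DEFAULT_FQDN = "intranet.example.com"
SAMPLE_FQDN_MAPPING = {
    "intranet": "intranet.example.com",
    "10.1.2.3": "intranet.example.com",
    "reports": "reports.example.com",
}

if __name__ == "__main__":
    for host in ("intranet.example.com:8080", "intranet:8080", "10.1.2.3"):
        print(host, "->", fqdn_check(host, SAMPLE_DEFAULT_FQDN, SAMPLE_FQDN_MAPPING))
```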

Legacy User Agent Processing Properties

com.sun.identity.agents.config.legacy.support.enable

com.sun.identity.agents.config.legacy.user.agent[]

com.sun.identity.agents.config.legacy.redirect.uri

· com.sun.identity.agents.config.legacy.support.enable

Hot-swap enabled: Yes

This property is a flag that specifies whether legacy user agent support is enabled or disabled.

· com.sun.identity.agents.config.legacy.user.agent[]

Hot-swap enabled: Yes

This property is a list construct for listing user agent header values. These values identify legacy browsers. Entries in this list can contain the wild card character “*.”

· com.sun.identity.agents.config.legacy.redirect.uri

Hot-swap enabled: Yes

This property specifies an intermediate URI used by the agent to redirect legacy user agent requests.

Custom Response Headers Property

· com.sun.identity.agents.config.response.header[]

Hot-swap enabled: Yes

This property is a map construct that specifies the custom headers that are set by the agent on the client browser. The key is the header name while the value represents the header value.

Redirect Attempt Limit Property

· com.sun.identity.agents.config.redirect.attempt.limit

Hot-swap enabled: Yes

This property specifies the number of successive single point redirects that users are allowed during a single browser session before such redirects trigger a block of the user request. Setting the value of this property to 0 disables this feature.

Port Check Processing Properties

com.sun.identity.agents.config.port.check.enable

com.sun.identity.agents.config.port.check.file

com.sun.identity.agents.config.port.check.setting[]

· com.sun.identity.agents.config.port.check.enable

Hot-swap enabled: Yes

This property is a flag that indicates whether port check functionality is enabled or disabled.

· com.sun.identity.agents.config.port.check.file

Hot-swap enabled: Yes

This property specifies the name or complete path of a file that has the content required to process requests that call for port correction.

· com.sun.identity.agents.config.port.check.setting[]

Hot-swap enabled: Yes

This property is a map construct of port versus protocol entries where the key is the listening port number and the value is the listening protocol used by the agent to identify requests with invalid port numbers.

Not-Enforced URI Processing Properties

com.sun.identity.agents.config.notenforced.uri[]

com.sun.identity.agents.config.notenforced.uri.invert

com.sun.identity.agents.config.notenforced.uri.cache.enable

com.sun.identity.agents.config.notenforced.uri.cache.size

· com.sun.identity.agents.config.notenforced.uri[]

Hot-swap enabled: Yes

This property is a list construct for listing URI for which protection is not enforced by the agent.

· com.sun.identity.agents.config.notenforced.uri.invert

Hot-swap enabled: Yes

This property is a flag that specifies whether to invert the list of URI on the not-enforced list. A value of true directs the agent to deny access (enforce protection) to URI on the list and to allow access (not enforce protection) to URI that are not on the list. Entries on this list can contain the wild card character “*.”

Key Properties Affecting This Property

When set to true, this property causes the agent to enforce protection for the URI on the not-enforced list, which is the list assigned to the following property:

com.sun.identity.agents.config.notenforced.uri[]

· com.sun.identity.agents.config.notenforced.uri.cache.enable

Hot-swap enabled: Yes

This property is a flag that specifies whether the caching of the not-enforced URI list evaluation results is enabled or disabled.

· com.sun.identity.agents.config.notenforced.uri.cache.size

Hot-swap enabled: Yes

This property specifies the size of the cache to be used if caching of not-enforced URI list evaluation results is enabled.

Key Properties Affecting This Property

This property is only used when the following property is set as shown:

com.sun.identity.agents.config.notenforced.uri.cache.enable = true

Not-Enforced Client IP Processing Properties

com.sun.identity.agents.config.notenforced.ip[]

com.sun.identity.agents.config.notenforced.ip.invert

com.sun.identity.agents.config.notenforced.ip.cache.enable

com.sun.identity.agents.config.notenforced.ip.cache.size

· com.sun.identity.agents.config.notenforced.ip[]

Hot-swap enabled: Yes

This property is a list construct for listing client IP addresses for which protection is not enforced by the agent.

· com.sun.identity.agents.config.notenforced.ip.invert

Hot-swap enabled: Yes

This property is a flag that specifies whether to invert the not-enforced client IP address list. A value of true directs the agent to deny access (enforce protection) to client IP addresses on the list and to allow access (not enforce protection) for all other client IP addresses. Entries on this list can contain the wild card character “*.”

Key Properties Affecting This Property

This property enforces protection for client IP addresses on the not-enforced IP list, which is the list assigned to the following property:

com.sun.identity.agents.config.notenforced.ip[]

· com.sun.identity.agents.config.notenforced.ip.cache.enable

Hot-swap enabled: Yes

This property is a flag that specifies whether the caching of not-enforced IP list evaluation results is enabled or disabled.

· com.sun.identity.agents.config.notenforced.ip.cache.size

Hot-swap enabled: Yes

This property specifies the size of the cache to be used if caching of not-enforced IP list evaluation results is enabled.

Key Properties Affecting This Property

This property is only used when the following property is set as shown:

com.sun.identity.agents.config.notenforced.ip.cache.enable = true
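The evaluation that the not-enforced URI and not-enforced client IP sections above describe (list entries with the "*" wildcard, the invert flag, and a bounded cache of evaluation results), as an added Python model that is not the agent's own code. The class name, the least-recently-used eviction policy and the sample entries are assumptions made for illustration; the agent's actual cache policy is not stated on this page.

```python
import re
from collections import OrderedDict


def _wildcard_regex(pattern: str) -> "re.Pattern[str]":
    # Only "*" is a wildcard in these lists; every other character is literal.
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$")


class NotEnforcedList:
    """Constructed model of a not-enforced URI or client IP list (hypothetical class)."""

    def __init__(self, entries, invert=False, cache_enable=True, cache_size=4):
        self._patterns = [_wildcard_regex(e) for e in entries]
        self.invert = invert            # ...notenforced.<uri|ip>.invert
        self.cache_enable = cache_enable  # ...notenforced.<uri|ip>.cache.enable
        self.cache_size = cache_size    # ...notenforced.<uri|ip>.cache.size
        self._cache: "OrderedDict[str, bool]" = OrderedDict()
        self.evaluations = 0            # counts non-cached evaluations

    def is_enforced(self, value: str) -> bool:
        """True when the agent must enforce protection for this URI or client IP."""
        if self.cache_enable and value in self._cache:
            self._cache.move_to_end(value)  # refresh recency on a cache hit
            return self._cache[value]
        self.evaluations += 1
        listed = any(p.match(value) for p in self._patterns)
        # Not inverted: listed entries are exempt from protection.
        # Inverted: only listed entries are protected; everything else is exempt.
        enforced = listed if self.invert else not listed
        if self.cache_enable:
            self._cache[value] = enforced
            if len(self._cache) > self.cache_size:
                self._cache.popitem(last=False)  # assumed LRU eviction
        return enforced

    def cached_count(self) -> int:
        return len(self._cache)


if __name__ == "__main__":
    # Inverting a list of a single narrow entry leaves every other resource unprotected.
    inverted = NotEnforcedList(["/admin/*"], invert=True)
    print(inverted.is_enforced("/admin/console"), inverted.is_enforced("/payroll/report"))
```

Running the module prints `True False`: with the invert flag set, a resource outside the listed entries is served without protection, which is why the invert flag deserves review whenever the list is short.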

Common Attribute Fetch Processing Properties

com.sun.identity.agents.config.attribute.cookie.separator

com.sun.identity.agents.config.attribute.date.format

com.sun.identity.agents.config.attribute.cookie.encode

· com.sun.identity.agents.config.attribute.cookie.separator

Hot-swap enabled: Yes

This property specifies the character used to separate multiple values of the same attribute when the attribute is set as a cookie.

· com.sun.identity.agents.config.attribute.cookie.encode

Hot-swap enabled: Yes

This property is a flag that indicates whether the value of the attribute should be URL encoded before being set as a cookie.

· com.sun.identity.agents.config.attribute.date.format

Hot-swap enabled: Yes

This property specifies the format of date attribute values used when the attribute is set as an HTTP header. This format is based on the definition provided in java.text.SimpleDateFormat.

Profile Attribute Processing Properties

com.sun.identity.agents.config.profile.attribute.fetch.mode

com.sun.identity.agents.config.profile.attribute.mapping[]

· com.sun.identity.agents.config.profile.attribute.fetch.mode

Hot-swap enabled: Yes

This property specifies the mode used to fetch profile attributes. The following are valid values for this property:

NONE

HTTP_HEADER

REQUEST_ATTRIBUTE

HTTP_COOKIE

· com.sun.identity.agents.config.profile.attribute.mapping[]

Hot-swap enabled: Yes

This property is a map construct that specifies the profile attributes populated under specific names for the currently authenticated user. The key for this map construct is the profile attribute name and the value is the name under which that attribute is made available.

Session Attribute Processing Properties

com.sun.identity.agents.config.session.attribute.fetch.mode

com.sun.identity.agents.config.session.attribute.mapping[]

· com.sun.identity.agents.config.session.attribute.fetch.mode

Hot-swap enabled: Yes

This property specifies the mode used to fetch session attributes. The following are valid values for this property:

NONE

HTTP_HEADER

REQUEST_ATTRIBUTE

HTTP_COOKIE

· com.sun.identity.agents.config.session.attribute.mapping[]

Hot-swap enabled: Yes

This property is a map construct that specifies the session attributes populated under specific names for the currently authenticated user. The key for this map construct is the session attribute name and the value is the name under which that attribute is made available.

Response Attribute Processing Properties

com.sun.identity.agents.config.response.attribute.fetch.mode

com.sun.identity.agents.config.response.attribute.mapping[]

· com.sun.identity.agents.config.response.attribute.fetch.mode

Hot-swap enabled: Yes

This property specifies the mode used to fetch policy response attributes. The following are valid values for this property:

NONE

HTTP_HEADER

REQUEST_ATTRIBUTE

HTTP_COOKIE

· com.sun.identity.agents.config.response.attribute.mapping[]

Hot-swap enabled: Yes

This property is a map construct that specifies the policy response attributes to be populated under specific names for the currently authenticated user. The key for this map construct is the policy response attribute name and the value is the name under which that attribute is made available.

Bypass Principal List Property

· com.sun.identity.agents.config.bypass.principal[]

Hot-swap enabled: No

This property is a list construct for listing principals that are to be bypassed by the agent for authentication and search purposes.

Privileged Attribute Processing Properties

com.sun.identity.agents.config.default.privileged.attribute[]

com.sun.identity.agents.config.privileged.attribute.type[]

com.sun.identity.agents.config.privileged.attribute.tolowercase[]

com.sun.identity.agents.config.privileged.session.attribute[]

· com.sun.identity.agents.config.default.privileged.attribute[]

Hot-swap enabled: No

This property is a list construct for listing privileged attributes to be granted to all users who have a valid Access Manager session.

· com.sun.identity.agents.config.privileged.attribute.type[]

Hot-swap enabled: No

This property is a list construct for listing privileged attribute types to be fetched for each user.

· com.sun.identity.agents.config.privileged.attribute.tolowercase[]

Hot-swap enabled: No

This property is a map construct that specifies whether the privileged attribute types are converted to lowercase.

Key Properties Affecting This Property

This property converts the attribute types assigned to the following property to lower case:

com.sun.identity.agents.config.privileged.attribute.type[]

· com.sun.identity.agents.config.privileged.session.attribute[]

Hot-swap enabled: No

This property is a list construct for listing session property names that hold privileged attributes for the authenticated user.

Service Resolver Property

· com.sun.identity.agents.config.service.resolver

Hot-swap enabled: No

This property specifies the service resolver used by this agent.

Agent Username and Password Properties

com.sun.identity.agents.app.username

com.iplanet.am.service.secret

· com.sun.identity.agents.app.username

Hot-swap enabled: No

This property specifies the user name used by the agent to identify and authenticate itself to Access Manager before requesting any services that require such agent authentication.

· com.iplanet.am.service.secret

Hot-swap enabled: No

This property specifies the password used by the agent to identify and authenticate itself to Access Manager before requesting any services that require such agent authentication.

Encryption Key Properties

am.encryption.pwd

com.sun.identity.client.encryptionKey

· am.encryption.pwd

Hot-swap enabled: No

This property specifies a global encryption key used when applications use client SDK API. This encryption key is used to secure data globally by all Access Manager server instances and by clients.

· com.sun.identity.client.encryptionKey

Hot-swap enabled: No

This property specifies the encryption key used to encrypt the agent profile password as it is stored in the J2EE agent. The agent profile password is encrypted in a different manner in Access Manager. This encryption key is not shared with Access Manager or with other clients.

Debug Service Properties

com.iplanet.services.debug.level

com.iplanet.services.debug.directory

· com.iplanet.services.debug.level

Hot-swap enabled: No

This property specifies the debug level to be used. The following are valid values for this property:

off

error

warning

message

· com.iplanet.services.debug.directory

Hot-swap enabled: No

This property specifies the complete path to the directory where debug files are to be stored by the agent.

SSO Token Cookie Name Property

· com.iplanet.am.cookie.name

Hot-swap enabled: No

This property specifies the name of the SSO token cookie used between Access Manager and the agent.

Naming Service URL Property

· com.iplanet.am.naming.url

Hot-swap enabled: No

This property specifies the naming service URL (one or more) that the system can use for naming lookups. Multiple URLs can be specified for this property as a single string, separated from one another by a single space character.

Session Client Properties

com.iplanet.am.notification.url

com.iplanet.am.session.client.polling.enable

com.iplanet.am.session.client.polling.period

· com.iplanet.am.notification.url

Hot-swap enabled: No

This property specifies the notification URL to be used by the agent to receive session notifications.

· com.iplanet.am.session.client.polling.enable

Hot-swap enabled: No

This property is a flag that specifies whether the session client uses polling for updating session information instead of depending upon server notifications.

· com.iplanet.am.session.client.polling.period

Hot-swap enabled: No

This property specifies the time in seconds after which the session client requests an update of cached session information from the server.

Encryption Provider Property

· com.iplanet.security.encryptor

Hot-swap enabled: No

This property specifies the encryption provider implementation to be used by the agent.

User Data Cache Update Time Property

· com.iplanet.am.sdk.remote.pollingTime

Hot-swap enabled: No

This property specifies the cache update time in minutes for user management data if a notification URL is not provided.

Key Properties Affecting This Property

This property is used if a notification URL is not specified with the following property:

com.iplanet.am.notification.url

Service Data Cache Update Time Property

· com.sun.identity.sm.cacheTime

Hot-swap enabled: No

This property specifies the cache update time in minutes for service configuration data if a notification URL is not provided.

Key Properties Affecting This Property

This property is used if a notification URL is not specified with the following property:

com.iplanet.am.notification.url

SAML Service Properties

com.iplanet.am.localserver.protocol

com.iplanet.am.localserver.host

com.iplanet.am.localserver.port

· com.iplanet.am.localserver.protocol

Hot-swap enabled: No

This property specifies the server protocol to be used for SAML service.

· com.iplanet.am.localserver.host

Hot-swap enabled: No

This property specifies the server host to be used for SAML service.

· com.iplanet.am.localserver.port

Hot-swap enabled: No

This property specifies the server port to be used for SAML service.

Authentication Service Properties

com.iplanet.am.server.protocol

com.iplanet.am.server.host

com.iplanet.am.server.port

· com.iplanet.am.server.protocol

Hot-swap enabled: No

This property specifies the protocol to be used by Authentication Service.

· com.iplanet.am.server.host

Hot-swap enabled: No

This property specifies the host to be used by Authentication Service.

· com.iplanet.am.server.port

Hot-swap enabled: No

This property specifies the port to be used by Authentication Service.

Policy Client Properties

com.sun.identity.agents.server.log.file.name

com.sun.identity.agents.logging.level

com.sun.identity.agents.notification.enabled

com.sun.identity.agents.notification.url

com.sun.identity.agents.polling.interval

com.sun.identity.policy.client.cacheMode

com.sun.identity.policy.client.booleanActionValues

com.sun.identity.policy.client.resourceComparators

com.sun.identity.policy.client.clockSkew

· com.sun.identity.agents.server.log.file.name

Hot-swap enabled: No

This property specifies the name of the log file for logging messages to Access Manager.

· com.sun.identity.agents.logging.level

Hot-swap enabled: No

This property specifies the level of remote policy logging. The following are valid values for this property:

ALLOW

DENY

BOTH

NONE

· com.sun.identity.agents.notification.enabled

Hot-swap enabled: No

This property is a flag that specifies whether notifications are enabled or disabled for the remote policy client.

· com.sun.identity.agents.notification.url

Hot-swap enabled: No

This property specifies the notification URL for the remote policy client.

Key Properties Affecting This Property

This property is used only if notification is enabled for the remote policy client, which occurs when the following property is set as shown:

com.sun.identity.agents.notification.enabled = true

· com.sun.identity.agents.polling.interval

Hot-swap enabled: No

This property specifies the duration in minutes after which the cached entries are refreshed by the remote policy client.

· com.sun.identity.policy.client.cacheMode

Hot-swap enabled: No

This property specifies the mode of caching to be used by the remote policy client. The following are valid values for this property:

subtree

self

The subtree value is preferable for a small number of policy rules. In all other cases, the self value is preferable.

· com.sun.identity.policy.client.booleanActionValues

Hot-swap enabled: No

This property specifies boolean action values for policy action names. Assign values to this property using the following format:

serviceName|actionName|trueValue|falseValue

· com.sun.identity.policy.client.resourceComparators

Hot-swap enabled: No

This property specifies resource comparators to be used for different service names.

· com.sun.identity.policy.client.clockSkew

Hot-swap enabled: No

This property specifies the time in seconds allowed to accommodate the clock difference between the Access Manager machine and the remote policy client machine.