System Properties

System Properties contain the following default services that you can configure:

• Client Detection

• Logging

• Naming

• Platform

• To Specify a New Character Set

Client Detection

An initial step in the authentication process is to identify the type of client making the HTTP(S) request. This OpenSSO Enterprise feature is known as client detection. The URL information is used to retrieve the client's characteristics. Based on these characteristics, the appropriate authentication pages are returned. For example, when a Netscape browser is used to request a web page, OpenSSO Enterprise 8.0 displays an HTML login page. Once the user is validated, the client type ( Netscape browser) is added to the session token. The attributes defined in the Client Detection service are global attributes.

• Default Client Type

• Client Detection Class

• Enable Client Detection

Default Client Type

This attribute defines the default client type derived from the list of client types in the Client Types attribute. The default is genericHTML.

Client Detection Class

This attribute defines the client detection class for which all client detection requests are routed. The string returned by this attribute should match one of the client types listed in the Client Types attribute. The default client detection class is com.sun.mobile.cdm.FEDIClientDetector. OpenSSO Enterprise also contains com.iplanet.services.cdm.ClientDetectionDefaultImpl .

Enable Client Detection

Enables client detection. If client detection is enabled (default), every request is routed thought the class specified in the Client Detection Class attribute. By default, the client detection capability is enabled. If this attribute is not selected, OpenSSO Enterprise assumes that the client is genericHTML and will be accessed from a HTML browser.

Logging

The Logging service provides status and error messages related to OpenSSO Enterprise administration. An administrator can configures values such as log file size and log file location. OpenSSO Enterprise can record events in flat text files or in a relational database. The Logging service attributes are global attributes. The attributes are:

• Maximum Log Size

• Number of History Files

• Log File Location

• Log Status

• Log Record Resolve Host Name

• Logging Type

• Database User Name

• Database User Password

• Database User Password (confirm)

• Database Driver Name

• Configurable Log Fields

• Log Verification Frequency

• Log Signature Time

• Secure Logging

• Secure Logging Signing Algorithm

• Logging Certificate Store Location

• Maximum Number of Records

• Number of Files per Archive

• Buffer Size

• DB Failure Memory Buffer Size

• Buffer Time

• Time Buffering

• Logging Level

Maximum Log Size

This attribute accepts a value for the maximum size (in bytes) of a OpenSSO Enterprise log file. The default value is 100000000.

The files only apply to the FILE logging type. When the logging type is set to DB, there are no history files and limit explicitly set by OpenSSO Enterprise to the size of the files.

Number of History Files

This attribute has a value equal to the number of backup log files that will be retained for historical analysis. Any integer can be entered depending on the partition size and available disk space of the local system. The default value is 1.

The files only apply to the FILE logging type. When the logging type is set to DB, there are no history files and limit explicitly set by OpenSSO Enterprise to the size of the files.

---

Note –

Entering a value of 0 is interpreted to be the same as a value of 1, meaning that if you specify 0, a history log file will be created.

---

Log File Location

The file-based logging function needs a location where log files can be stored. . The default location is:

OpenSSO-deploy-base/uri/log

OpenSSO-deploy-base/uri/logare tags representing the base configuration directory and the OpenSSO Enterprise deployment URI. each specified during post-installation configuration. At runtime, the logging service determines the instance's proper directory for logging. This attribute's value can be set to an explicit path , but the base path should be its configuration directory (the value of OpenSSO-deploy-base) to avoid permissions problems.

If a non-default directory is specified, OpenSSO Enterprise will create the directory if it does not exist. You should then set the appropriate permissions for that directory (for example, 0700).

When configuring the log location for DB (database) logging (such as, Oracle or MySQL), part of the log location is case sensitive. For example, if you are logging to an Oracle database, the log location should be (note case sensitivity):

jdbc:oracle:thin:@machine.domain:port:DBName

To configure logging to DB, add the JDBC driver files to the web container's JVM classpath. You need to manually add JDBC driver files to the classpath of the ssoadm script, otherwise ssoadm logging can not load the JDBC driver.

Changes to logging attributes usually take effect after you save them. This does not require you to restart the server. If you are changing to secure logging, however, you should restart the server.

Log Status

Specifies whether logging is turned on (ACTIVE) or off (INACTIVE). Value is set to ACTIVE during installation.

Log Record Resolve Host Name

If set to false, host lookups will not be performed to populate the LogRecord's HostName field.

Logging Type

Enables you to specify either File, for flat file logging, or DB for database logging.

If the Database User Name or Database User Password is invalid, it will seriously affect OpenSSO Enterprise processing. If OpenSSO Enterprise or the console becomes unstable, you set the Log Status attribute to Inactive.

After you have set the property, restart the server. You can then log in to the console and reset the logging attribute. Then, change the Log Status property to ACTIVE and restart the server.

Database User Name

This attribute accepts the name of the user that will connect to the database when the Logging Type attribute is set to DB.

Database User Password

This attribute accepts the database user password when the Logging Type attribute is set to DB.

Database User Password (confirm)

Confirm the database password.

Database Driver Name

This attribute enables you to specify the driver used for the logging implementation class.

Configurable Log Fields

Represents the list of fields that are to be logged. By default, all of the fields are logged. The fields are:

• CONTEXTID

• DOMAIN

• HOSTNAME

• IPADDRESS

• LOGGED BY

• LOGINID

• LOGLEVEL

• MESSAGEID

• MODULENAME

• NAMEID

At minimum you should log CONTEXTID, DOMAIN, HOSTNAME, LOGINID and MESSAGEID.

Log Verification Frequency

This attribute sets the frequency (in seconds) that the server should verify the logs to detect tampering. The default time is 3600 seconds. This parameter applies to secure logging only.

Log Signature Time

This parameter sets the frequency (in seconds) that the log will be signed. The default time is 900 seconds. This parameter applies to secure logging only.

Secure Logging

This attribute enables or disables secure logging. By default, secure logging is off. Secure Logging enables detection of unauthorized changes or tampering of security logs.

---

Note –

Secure logging can only be used for flat files. This option does not work for Database (DB) logging.

---

Secure Logging Signing Algorithm

This attribute defines RSA and DSA (Digital Signature Algorithm), which have private keys for signing and a public key for verification. You can select from the following:

• MD2 w/RSA

• MD5 w/RSA

• SHA1 w/DSA

• SHA1 w/RSA

MD2, MD5 and RSA are one-way hashes. For example, if you select the signing algorithm MD2 w/RSA, the secure logging feature generates a group of messages with MD2 and encrypts the value with the RSA private key. This encrypted value is the signature of the original logged records and will be appended to the last record of the most recent signature. For validation, it well decrypt the signature with the RSA public key and compare the decrypted value to the group of logged records. The secure logging feature will then will detect any modifications to any logged record.

Logging Certificate Store Location

When secure logging is enabled, the logging service looks for its certificate at the location specified by this attribute. The actual directory path is determined at runtime. The value can be set to an explicit path, but the base path should be accessible by the OpenSSO Enterprise instance.

The default value is OpenSSO-deploy-base/uri/Logger.jks.

Maximum Number of Records

This attribute sets the maximum number of records that the Java LogReader interfaces return, regardless of how many records match the read query. By default, it is set to 500. This attribute can be overridden by the caller of the Logging API through the LogQuery class.

Number of Files per Archive

This attribute is only applicable to secure logging. It specifies when the log files and keystore need to be archived, and the secure keystore regenerated, for subsequent secure logging. The default is five files per logger.

Buffer Size

This attribute specifies the maximum number of log records to be buffered in memory before the logging service attempts to write them to the logging repository. The default is one record.

DB Failure Memory Buffer Size

This attribute defines the maximum number of log records held in memory if database (DB) logging fails. This attribute is only applicable when DB logging is specified. When the OpenSSO Enterprise logging service loses connection to the DB, it will buffer up to the number of records specified. This attribute defaults to two times of the value defined in the Buffer Size attribute.

Buffer Time

This attribute defines the amount of time that the log records will be buffered in memory before they are sent to the logging service to be written. This attribute applies if Time Buffering is ON. The default is 3600 seconds.

Time Buffering

When selected as ON, OpenSSO Enterprise will set a time limit for log records to be buffered in memory before they are written. The amount of time is set in the Buffer Time attribute.

Logging Level

Use this attribute to configure the degree of detail for all OpenSSO Enterprise log files. the default is the INFO level. FINE, FINER, FINEST provide more detail and more log records. In addition there is a level OFF that can be used to turn off logging, which is essentially the same as setting the Log Status attribute to INACTIVE..

Naming

The Naming service is used to get and set URLs, plug-ins and configurations as well as request notifications for various other OpenSSO Enterprise services such as session, authentication, logging, SAML and Federation.

This service enables clients to find the correct service URL if the platform is running more than one OpenSSO Enterprise. When a naming URL is found, the naming service will decode the session of the user and dynamically replace the protocol, host, and port with the parameters from the session. This ensures that the URL returned for the service is for the host that the user session was created on. The Naming attributes are:

• Profile Service URL

• Session Service URL

• Logging Service URL

• Policy Service URL

• Authentication Service URL

• SAML Web Profile/Artifact Service URL

• SAML SOAP Service URL

• SAML Web Profile/POST Service URL

• SAML Assertion Manager Service URL

• Federation Assertion Manager Service URL

• Security Token Manager URL

• JAXRPC Endpoint URL

• Identity Web Services Endpoint URL

• Identity REST Services Endpoint URL

• Security Token Service Endpoint URL

• Security Token Service MEX Endpoint URL

Profile Service URL

This field takes a value equal to :

%protocol://%host:%port/Server_DEPLOY_URI/profileservice

This syntax allows for dynamic substitution of the profile URL based on the specific session parameters.

Session Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/sessionservice

This syntax allows for dynamic substitution of the session URL based on the specific session parameters.

Logging Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/loggingservice

This syntax allows for dynamic substitution of the logging URL based on the specific session parameters.

Policy Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/policyservice

This syntax allows for dynamic substitution of the policy URL based on the specific session parameters.

Authentication Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/authservice

This syntax allows for dynamic substitution of the authentication URL based on the specific session parameters.

SAML Web Profile/Artifact Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/SAMLAwareServlet

This syntax allows for dynamic substitution of the SAML web profile/artifact URL based on the specific session parameters.

SAML SOAP Service URL

This field takes a value equal to

%protocol://%host:%port/Server_DEPLOY_URI/SAMLSOAPReceiver

This syntax allows for dynamic substitution of the SAML SOAP URL based on the specific session parameters.

SAML Web Profile/POST Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/SAMLPOSTProfileServlet

This syntax allows for dynamic substitution of the SAML web profile/POST URL based on the specific session parameters.

SAML Assertion Manager Service URL

This field takes a value equal to:

%protocol://%host:%port/Server_DEPLOY_URI/AssertionManagerServlet/AssertionM anagerIF

This syntax allows for dynamic substitution of the SAML Assertion Manager Service URL based on the specific session parameters.

Federation Assertion Manager Service URL

This field takes a value equal to:

%protocol://%host:%port/amserver/FSAssertionManagerServlet/FSAssertionMana gerIF

This syntax allows for dynamic substitution of the Federation Assertion Manager Service URL based on the specific session parameters.

Security Token Manager URL

This field takes a value equal to:

%protocol://%host:%port/amserver/SecurityTokenManagerServlet/SecurityToken ManagerIF/

This syntax allows for dynamic substitution of the Security Token Manager URL based on the specific session parameters.

JAXRPC Endpoint URL

This field takes a value equal to:

%protocol://%host:%port/amserver/jaxrpc/

This syntax allows for dynamic substitution of the JAXRPC Endpoint URL based on the specific session parameters.

Identity Web Services Endpoint URL

This field takes a value equal to:

%protocol://%host:%port%uri/identityservices/

This syntax allows for dynamic substitution of the Identity Web Services Endpoint URL based on the specific session parameters.

Identity REST Services Endpoint URL

This field takes a value equal to:

%protocol://%host:%port%uri/identity//

This syntax allows for dynamic substitution of the Identity REST Services Endpoint URL based on the specific session parameters.

Security Token Service Endpoint URL

This field takes a value equal to:

%protocol://%host:%port%uri/sts

This syntax allows for dynamic substitution of the Security Token Service Endpoint URL based on the specific session parameters.

Security Token Service MEX Endpoint URL

This field takes a value equal to:

%protocol://%host:%port%uri/sts/mex

This syntax allows for dynamic substitution of the Security Token Service MEX Endpoint URL based on the specific session parameters.

Platform

The Platform service is where additional servers can be added to the OpenSSO Enterprise configuration as well as other options applied at the top level of the OpenSSO Enterprise application. The Platform service attributes are global attributes. The attributes are:

• Platform Locale

• Cookie Domains

• Hex Encode Cookies

• Client Character Sets

Platform Locale

The platform locale value is the default language subtype that OpenSSO Enterprise was installed with. The authentication, logging and administration services are administered in the language of this value. The default is en_US. See Supported Language Localesfor a listing of supported language subtypes.

Cookie Domains

The list of domains that will be returned in the cookie header when setting a cookie to the user's browser during authentication. If empty, no cookie domain will be set. In other words, the OpenSSO Enterprise session cookie will only be forwarded to the OpenSSO Enterprise itself and to no other servers in the domain.

If SSO is required with other servers in the domain, this attribute must be set with the cookie domain. If you had two interfaces in different domains on one OpenSSO Enterprise then you would need to set both cookie domains in this attribute. If a load balancer is used, the cookie domain must be that of the load balancer's domain, not the servers behind the load balancer. The default value for this field is the domain of the installed OpenSSO Enterprise.

Hex Encode Cookies

If set to yes, this attribute enable hex encoding for cookies. The default is No.

Client Character Sets

This attribute specifies the character set for different clients at the platform level. It contains a list of client types and the corresponding character sets.

To Specify a New Character Set

1. Click New from the Client Character Sets list.

2. Enter a value for the Client Type.

3. Enter a value for the Character Set. See Supported Language Locales for the character sets available.

4. Click OK.

5. Click Save in the Platform Service main page.