Previous
Contents
Index
Next
|
| Sun ONE Identity Server Programmer's Guide |
Appendix A AMConfig.properties File
AMConfig.properties is the resource configuration file for the Sun™ One Identity Server. It provides instructions for the Identity Server set up. This chapter explains the elements of the AMConfig.properties. It contains the following sections:
Overview
Identity Server is configured by placing directives in plain text configuration files. The main configuration file is AMConfig.properties. AMConfig.properties is located in <identity_server_root>/SUNWam/lib. Changes to this configuration files are only recognized when Identity Server is started or restarted.
Identity Server configuration files contain one directive per line and each directive has a corresponding value. Directives and their values are case-sensitive. Indentation of the directives is consistent throughout the file. Lines which begin with the characters "/*" are considered comments, and are ignored by the application. Comments are completed with a last line that contains the closing characters "*/".
Note The Identity Server must be restarted for any change in AMConfig.properties to take effect.
Deployment Directives
There are a number of deployment-specific attributes configured in AMConfig.properties. These are defined in this section.
Identity Server Directives
The following section describe the directives that define the Identity Server.
Installation
The following directives are Identity Server-specific. They are defined during installation.
com.iplanet.am.server.host=sunbox1.red.iplanet.com
The value of this directive is the DNS domain name of the machine on which the Identity Server is located.
com.iplanet.am.server.port=58080
The value of this directive is the port number of the Identity Server.
com.iplanet.am.console.protocol=http
The value of this directive is the protocol used to communicate with the Identity Server.
com.iplanet.am.jdk.path=/export/SUNWam/java
The value of this directive is the path to the JDK used by the Identity Server.
com.sun.identity.authentication.super.user=uid=amAdmin,ou=People,dc=madisonparc,dc=com
This directive identifies the super user for the Sun ONE Identity Server deployment. This user is amadmin by default but may be any user in the Directory Server. The value of the directive is the full DN of the user. This user must always login using LDAP authentication as they will always be authenticated against the Directory Server.
Console
The following directives are specific to the Identity Server console.
com.iplanet.am.console.host=sunbox1.red.iplanet.com
The value of this directive is the DNS domain name of the machine on which the Identity Server console is located.
com.iplanet.am.console.port=58080
The value of this directive is the port number of the Identity Server console.
Cookies
The following directives are specific to Identity Server cookies.
com.iplanet.am.cookie.name=iPlanetDirectoryPro
The value of this key is the name of the cookie.
com.iplanet.am.pcookie.name=DProPCookie
The value of this key is the name of the persistent cookie if that function is enabled.
Miscellaneous Directives
The following directives define miscellaneous values necessary for the Identity Server.
Directory Server
The following directives are Directory Server-specific.
Installation
This information is defined during installation for the Directory Server to which the Identity Server points.
com.iplanet.am.directory.host=sunbox1.red.iplanet.com
The value of this directive is the DNS domain name of the machine on which the Directory Server is located.
com.iplanet.am.directory.port=389
The value of this directive is the port number of the Directory Server.
com.iplanet.am.server.protocol=http
The value of this directive is the protocol used to communicate with the Directory Server.
Directory Server Tree
The values of these directives is the top-level organization defined during the installation process.
Configuration Directives
There are a number of services configured in AMConfig.properties that can not be configured using the Identity Server console. These back-end services are defined in this section.
Debug Service
The following directives are used to configure the Debug Service, which logs developer information in the case of application errors. (The Logging Service writes logs to be monitored by the application administrator.)
com.iplanet.services.debug.level=error
The possible values for this directive are: off | error | warning | message. They indicate the amount of information that would be recorded in the debug files.
com.iplanet.services.debug.directory=/var/opt/SUNWam/debug
The value of this directive specifies the output directory for the debug files. This directory should be writable by the server process.
Stats Service
The following keys are used to configure the Stats Service for recording service statistics. Currently, this service is used by the Identity Server SDK and the Session Service. Code Example 12-1 is a portion of the stats file which also illustrates the information that is recorded. The file is named amSDKStats by default.
com.iplanet.am.stats.interval=3600
The statistics interval should be at least 5 seconds to avoid CPU saturation. Identity Server will assume that any value less than that is 5 seconds.
com.iplanet.services.stats.state=off
Possible values for this directive are: off | file | console. file will write to a file named amSDKStats under the specified directory and console will write into Web Server log files.
com.iplanet.services.stats.directory=/var/opt/SUNWam/debug
This directive specifies the output directory for the statistics files, the debug directory by default.
SAML
These directives identify the SAML XML signature keystore file, the keystore password file and the key password file, respectively.
com.sun.identity.saml.xmlsig.keystore=/export/SUNWam/lib/keystore.jks
com.sun.identity.saml.xmlsig.storepass=/export/SUNWam/config/.storepass
com.sun.identity.saml.xmlsig.keypass=/export/SUNWam/config/.keypass
com.sun.identity.saml.xmlsig.certalias=test
The value of this key is the name of the certificate alias.
Miscellaneous Services
The following directives define the URIs for the Profile, Naming and Notification services.
com.iplanet.am.profile.host=sunbox1.red.iplanet.com
com.iplanet.am.profile.port=58080
com.iplanet.am.naming.url=http://sunbox1.red.iplanet.com:58080/amserver/namingservice
com.iplanet.am.notification.url= http://sunbox1.red.iplanet.com:58080/amserver/notificationservice
SDK Caching
Each SDK cache entry stores a set of attributes and values for a user. Because the size of each object is dependent upon the number of attributes it has, modifying this property will affect the performance of Identity Server.
com.iplanet.am.sdk.cache.maxSize=10000
This directive is used to configure SDK caching; it specifies the size of the cache when caching is enabled. The value of this directive refers to the number of objects cached and should be an integer greater than 0; if not, the default 10000 will be used.
com.iplanet.am.session.maxSessions=5000
This directive is used to specify maximum number of concurrent sessions. Logging in would give a Maximum Sessions error if the maximum concurrent sessions exceeds the defined number.
Simple Mail Transfer Protocol (SMTP)
The following directives can be set to any valid SMTP server and port.
Identity Object Processing
This directive has a value equal to the implementation class of a module used for processing user creates, deletes, and modifies.
com.iplanet.am.sdk.userEntryProcessingImpl=
SSL
This directive enables Secure Socket Layers (SSL).
com.iplanet.am.directory.ssl.enabled=false
Certificate Database
These directives are used by the command line utilities, the SDK and the LDAP and Certificate-based authentication modules when initiating SSL connections to the Directory Server. It is also used when opening https connections from within the servlet container in the Sun ONE Web Server.
com.iplanet.am.admin.cli.certdb.dir=/export/SUNWam/servers/alias
The value of this key is the name of the path to the certificate database.
com.iplanet.am.admin.cli.certdb.prefix=https-sunbox1.red.iplanet.com-sunbox1-
The value of this key is the certificate database prefix.
com.iplanet.am.admin.cli.certdb.passfile=/export/SUNWam/config/.wtpass
The value of this key is the name of the file that contains the password for the certificate database.
OCSP Configuration
These directives define configurations for the OCSP (Online Certificate Server Protocol). If set, the CA cert must be presented in the Web Server's cert database. If the OCSP URL is set, the OCSP responder nickname must be set also or they both will be ignored. If not set, the OCSP responder URL presented in the user's certificate will be used for OCSP validation. If the OCSP responder URL is not presented in user's cert, then no OCSP validation will be performed.
com.sun.identity.authentication.ocsp.responder.url=
This directive defines the OCSP responder URL for this instance of Identity Server (for example, http://ocsp.example.com/ocsp).
com.sun.identity.authentication.ocsp.responder.nickname=
This directive defines the OCSP responder nickname, the Certificate Authority cert nickname for the responder defined above (for example, Certificate Manager - example).
Replication
These two properties are not required to support replication but they may be helpful in limiting errors due to latency. Enabling them may have a negative impact on performance but, if replication has significant latency, the retries may be enough to prevent Entry Not Found errors. For example, let's assume an Identity Server console is pointing to a read-only consumer configured to refer writes to a master. If a new organization is created, all write requests are referred to the master and then replicated back to the consumer. If Identity Server reads the organization back before it has been replicated to the consumer, it will get an Entry Not Found error.
com.iplanet.am.replica.num.retries=0
This key specifies the number of times to retry. When an Entry Not Found error is returned to the SDK, it will retry n times where n is the value of this directive.
com.iplanet.am.replica.delay.between.retries=1000
This key specifies the delay time (in milliseconds) between the retries defined above.
Event Connection And LDAP Connection
These two sets of SDK properties are implemented when load balancers are used between the Identity SDK and the Directory Server. When the SDK performs an operation which fails, it will retry the operation as long as the exception is one defined in the ldap.error.codes property. These properties are necessary for failover configuration when the failover is done via a load balancer and not through the Identity SDK. They are also important since not all load balancers return the same error codes.
com.iplanet.am.event.connection.num.retries=3
This directive specifies the number of time to retry an event connection.
com.iplanet.am.event.connection.delay.between.retries=3000
This directive specifies the delay time (in milliseconds) between retries.
com.iplanet.am.event.connection.ldap.error.codes.retries=80,81,91
This directive specifies the LDAPException errors for which the retries will occur. The value is any valid LDAP error code.
LDAP Connection
The following keys are used to configure LDAP connection for add, delete modify, read and search.
com.iplanet.am.ldap.connection.num.retries=3
This directive specifies the number of times to retry a LDAP connection.
com.iplanet.am.ldap.connection.delay.between.retries=1000
The directive specifies the delay time (in milliseconds) between retries.
com.iplanet.am.ldap.connection.ldap.error.codes.retries=80,81,91
This directive specifies the LDAPException error codes for which the retries will occur.
Read-Only Directives
The following properties are read-only and should not be modified. Any changes to these directives may render the Identity Server unusable.
Base Directory
The following directives identify the base directory as defined during the installation process.
com.iplanet.am.installdir=/export/SUNWam
com.iplanet.am.install.basedir=/export/SUNWam/web-apps/services/WEB-INF
Shared Secret
The following directive is the shared secret for the Authentication module.
com.iplanet.am.service.secret=AQIC5wM2LY4SfczLlj6134qMTx0nkE5XiFMg
Deployment Descriptors
The following directives are used to identify the deployment descriptors (URIs) for Identity Server services and agents.
com.iplanet.am.services.deploymentDescriptor=/amserver
com.iplanet.am.console.deploymentDescriptor=/amconsole
com.iplanet.am.policy.agents.url.deploymentDescriptor=AGENT_DEPLOY_URI
Session Properties
The following directives are configurations for the Session Service.
com.iplanet.am.session.failover.enabled=false
This directive is used to enable or disable the session failover feature.
Note Session failover is an unsupported option in Identity Server 6.0.
com.iplanet.am.naming.failover.url=
This directive can be used by any remote SDK application that wants failover in, for example, session validation or getting the service URLs.
com.iplanet.am.session.httpSession.enabled=true
This directive is used to enable or disable the use of a httpSession.
com.iplanet.am.session.invalidsessionmaxtime=3
This directive is used to keep the invalid session in the session table for this period. The value is in minutes (for example, 3 minutes).
Note
This value should always be greater than the time-out value in your authentication module properties file.
com.iplanet.am.session.client.polling.enable=false
com.iplanet.am.session.client.polling.period=180
The two above directives are used to enable session client side notification. The default polling period is 180 seconds.
The following is used in the Unix authentication module.
unixHelper.port=58946
The following key is used to check whether the Sun ONE Identity Server is running on the Application Server or not. This key is modified only by the installer so do not change it.
com.iplanet.am.iASConfig=false
Cross Domain Single Sign-On Support
The following directives are used for Cross Domain SSO support.
com.iplanet.services.cdsso.CDCURL=http://sunbox1.red.iplanet.com:58080/amserver/cdcservlet
This directive points to the cdcservlet running with the instance of Identity Server.
com.iplanet.services.cdsso.cookiedomain=
This directive specifies a comma separated list of domains for which the cdsso servlet will set a SSOToken (for example: .sun.com,.example.com).
com.iplanet.services.cdc.authLoginUrl=http://sunbox1.red.iplanet.com:58080/amserver/UI/Login
The value of this directive is the URL with which a user can login.
SecureRandom Properties
This directive specifies the factory class name for SecureRandomFactory.
com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.JSSSecureRandomFactoryImpl
The available implementation classes are:
SocketFactory properties
This directive specifies the factory class name for LDAPSocketFactory.
com.iplanet.security.SSLSocketFactoryImpl=com.iplanet.services.ldap.JSSSocketFactory
Available classes are:
Encryption
This directive specifies the encrypting class implementation.
com.iplanet.security.encryptor=com.iplanet.services.util.JSSEncryption
Available classes are:
Remote Installation
This directive defines whether the console is installed on a remote machine or a local machine. It is used by the Authentication Service and the Identity Server console.
com.iplanet.am.console.remote=false
IP Address Checking
This directive specifies whether the IP address of the client will be checked in SSOToken creations and validations.
com.iplanet.am.clientIPCheckEnabled=false
Remote Policy API Directives
The properties listed below are defined for the Remote Policy API.
Username
This directive specifies the username for the Application authentication module.
com.sun.identity.agents.app.username=UrlAccessAgent
Log File Name
This directive specifies the name of the log file to use for logging remote policy messages. The directory where this file is located is determined by Logging Service settings.
com.sun.identity.agents.server.log.file.name=amRemotePolicyLog
Resource Result Cache Size
This directive specifies the size of the cache created on the server where the policy agent resides.
com.sun.identity.agents.cache.size=1000
Polling Interval
The polling interval is the duration of time for refreshing the cache.
com.sun.identity.agents.polling.interval=3
Resource Name Comparison
This directive indicates whether to use wildcard for resource name comparison.
com.sun.identity.agents.use.wildcard=true
Returned Policy Attributes
This directive defines the policy attributes to be returned by policy evaluator. The specification is of the format a[,...] where a is the attribute in the data store that will be fetched.
com.sun.identity.agents.header.attributes=cn,ou,o,mail,employeenumber,c
Resource Comparator Class Name
com.sun.identity.agents.resource.comparator.class=com.sun.identity.policy.plugins.PrefixResourceName
com.sun.identity.agents.resource.wildcard=*
com.sun.identity.agents.resource.delimiter=/
Case Sensitivity
This is to indicator whether case sensitivity is turned on or off during policy evaluation. The default value is false or off.
com.sun.identity.agents.resource.caseSensitive=false
Policy Action True Value
This value is ignored if the application does not access the method PolicyEvaluator.isAllowed.
Federation Signing
This directive defines whether federation requests and responses will be signed before sending and whether federation requests and responses that are received will be verified for signature validity. The default is false; requests and responses that are sent and received will not be verified for signature.
com.sun.identity.federation.services.signingOn=false
FQDN Map
The FQDN Map is a simple map that enables Identity Server Authentication service to take corrective action in the case where the users may have typed in an incorrect URL such as by specifying partial hostname or using an IP address to access protected resources.
Valid Values
Valid values must comply with the syntax of this property which represent invalid FQDN values mapped to their corresponding valid counterparts. The format for specifying this property is as follows:
com.sun.identity.server.fqdnMap[<invalid-name>]=<valid-name>
where <invalid-name> is a possible invalid FQDN host name that may be used by the user, and the <valid-name> is the FQDN host name the filter will redirect the user to.
Ensure that there are no invalid or overlapping values for the same invalid FQDN name. Failing to do so may lead to the application becoming inaccessible.
This directive can be used for creating a mapping for more than one hostname. This may be the case when the applications hosted on a server are accessible by more than one hostname. It may also be used to configure Identity Server to NOT take corrective action for certain hostname URLs. For example, if no corrective action (such as a redirect) is desired for users who access application resources using a raw IP address, the map entry would look like:
com.sun.identity.server.fqdnMap[<IP>]=<IP>
Any number of such properties may be specified as long as they are valid and conform to the above stated requirements.
Examples of FQDN mapping might be:
Previous Contents Index Next
Copyright 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated December 02, 2002