The deployment of Sun Java System Federation Manager can be customized by values you set in the system attributes. In addition, Federation Manager has a non-Liberty authentication service.
The following attributes can be configured for your organization.
This defines the domain to which the organization belongs.
This attribute is not currently supported.
This defines whether the realm is active or inactive.
This defines an alias for the realm.
This defines DNS aliases for the realm.
The Console properties include settings to customize the console for different locales and character sets. This includes:
The Globalization Settings contain attributes that enable you to configure Federation Manager for different locales and character sets. The attributes include:
This attribute lists the character sets supported for each locale, which indicates the mapping between locale and character set.
The following tasks are associated with character set support.
This attribute lists the codeset names (which map to IANA names) that will be used to send the response. These codeset names do not need to match Java codeset names. Currently, there is a hash table to map Java character sets into IANA character sets and vice versa. The following tasks are associated with character set aliases.
This display option allows you to define how a name is generated automatically, so that name formats can be accommodated for different locales and character sets. The default syntax is as follows (note that any commas or spaces included in the definition appear literally in the generated name):
en_us = {givenname} {initials} {sn}
For example, if you wanted to display a new name format for a user (User One) with a uid (11111) for the Chinese character set, define:
zh = {sn}{givenname}({uid})
The display is:
OneUser 11111
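To make the substitution rule concrete, here is an added Python model of the name-format syntax (not Federation Manager's own code): it parses `locale = template` lines, substitutes user attributes into the placeholders, keeps literal characters in the template as written, and falls back from a full locale such as zh_CN to its language and then to en_us. The case folding of locale and attribute names, the fallback order, and the dropping of placeholders with no value are assumptions.

```python
import re
from typing import Dict

# Constructed definitions in the page's "locale = template" syntax.
NAME_FORMAT_TEXT = """
en_us = {givenname} {initials} {sn}
zh = {sn}{givenname}({uid})
"""

PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_-]+)\}")


def parse_name_formats(text: str) -> Dict[str, str]:
    """Parse 'locale = template' lines; blank lines and '#' comments are skipped.
    Locale keys are folded to lower case (assumption: en_US and en_us are the same)."""
    formats: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        locale, sep, template = line.partition("=")
        if not sep:
            raise ValueError(f"malformed name format line: {raw!r}")
        formats[locale.strip().lower()] = template.strip()
    return formats


def lookup_format(locale: str, formats: Dict[str, str], default: str = "en_us") -> str:
    """Full locale first (zh_cn), then its language (zh), then the default (assumed order)."""
    loc = locale.lower()
    for key in (loc, loc.split("_", 1)[0], default):
        if key in formats:
            return formats[key]
    raise KeyError(f"no name format for {locale} and no default {default}")


def format_display_name(user: Dict[str, str], locale: str, formats: Dict[str, str]) -> str:
    """Substitute user attributes into the template. Literal text in the template
    (spaces, commas, parentheses) appears as written; a placeholder whose attribute
    is missing is dropped and the surrounding spaces are collapsed (assumption)."""
    attrs = {k.lower(): v for k, v in user.items()}  # LDAP attribute names are case-insensitive
    template = lookup_format(locale, formats)
    name = PLACEHOLDER.sub(lambda m: attrs.get(m.group(1).lower(), ""), template)
    return " ".join(name.split())


NAME_FORMATS = parse_name_formats(NAME_FORMAT_TEXT)
```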
Click Add under Charsets Supported by Each Locale.
The New Supported Character Sets page is displayed.
Define the following attributes.
The new locale you wish to add.
Enter the supported character set for the specified locale. Character sets are delimited by a semicolon. For example, charset=charset1;charset2;charset3;...;charsetn
Click OK.
You are returned to the Globalization Settings page.
Click Edit next to the name of the character set you want to modify.
Modify the following parameters:
The new locale you wish to add. For more information, see Supported Language Locales.
Enter the supported character set for the specified locale. Character sets are delimited by a semicolon. For example, charset=charset1;charset2;charset3;...;charsetn
Click OK.
You are returned to the Globalization Settings page.
Click Add under Charset Aliases.
The New Charset Aliases page is displayed.
Define the following attributes.
The IANA mapping name. For example, Shift_JIS
The Java character set to map to the IANA character set.
Click OK.
You are returned to the Globalization Settings page.
Click Edit next to the name of the character set alias you want to modify.
Modify the following parameters:
The IANA mapping name. For example, Shift_JIS
The Java character set to map to the IANA character set.
Click OK.
You are returned to the Globalization Settings page.
The System properties include settings that affect the deployment of Federation Manager. This includes:
The Logging service provides status and error messages related to Federation Manager administration. An administrator can configure values such as log file size and log file location. Federation Manager can record events in flat text files or in a relational database. The Logging service attributes are global attributes. The attributes are:
This attribute accepts a value for the maximum size (in bytes) of a Federation Manager log file. The default value is 1000000.
This attribute has a value equal to the number of backup log files that will be retained for historical analysis. Any integer can be entered depending on the partition size and available disk space of the local system. The default value is 3.
A value of 0 is treated the same as a value of 1: even if you specify 0, one history log file is created.
The value in this attribute is only used when the Logging Type attribute is set to FILE. If Logging Type is set to DB (Database), there are no history files.
The file-based logging function needs a location where log files can be stored. This field accepts a full directory path to that location. The default location is /var/opt/SUNWam/fm/logs.
If a non-default directory is specified, Federation Manager will create the directory if it does not exist. You should then set the appropriate permissions for that directory (for example, 0700).
When configuring the log location for database logging (such as Oracle or MySQL), part of the log location is case sensitive. For example, if you are logging to an Oracle database, the log location should be (note the case):
jdbc:oracle:thin:@machine.domain:port:DBName
To configure logging to a database, add the JDBC driver files to the web container's Java Virtual Machine (JVM) classpath. You must also add the JDBC driver files manually to the classpath of the amadmin script; otherwise amadmin logging cannot load the JDBC driver.
Changes to logging attributes usually take effect after you save them. This does not require you to restart the server. If you are changing to secure logging, however, you should restart the server.
Enables you to specify either File, for flat file logging, or DB for database logging.
If either of the following attributes (Database User Name or Database User Password) is invalid, it will seriously affect Federation Manager processing. If Federation Manager or the Federation Manager Console becomes unstable, set the com.iplanet.am.logstatus property in AMConfig.properties to INACTIVE.
After setting the property, restart the server, log in to the console and reset the invalid attribute. Then, change the value of the logstatus property back to ACTIVE and restart the server.
This attribute accepts the name of the user that will connect to the database when the Logging Type attribute is set to DB.
This attribute accepts the database user password when the Logging Type attribute is set to DB.
Confirm the database password.
This attribute enables you to specify the driver used for the logging implementation class.
Represents the list of fields that are to be logged. By default, all of the fields are logged. The fields are:
DOMAIN
HOSTNAME
IPADDR
LOGGED BY
LOGLEVEL
LOGINID
MODULENAME
At minimum you should log CONTEXTID, DOMAIN, HOSTNAME, LOGINID and MESSAGEID.
This attribute sets the maximum number of records that the Java LogReader interface returns, regardless of how many records match the read query. By default, it is set to 500. This attribute can be overridden by the caller of the Logging API through the LogQuery class.
This attribute is only applicable to secure logging. It specifies when the log files and keystore need to be archived, and the secure keystore regenerated, for subsequent secure logging. The default is five files per logger.
This attribute specifies the maximum number of log records to be buffered in memory before the logging service attempts to write them to the logging repository. The default is one record.
This attribute defines the maximum number of log records held in memory if database logging fails. It applies only when DB is specified as the Logging Type. When the Logging service loses its connection to the database, it buffers up to the number of records specified. The default is twice the value defined in the Buffer Size attribute.
This attribute defines the amount of time that log records are buffered in memory before they are sent to the Logging service to be logged. It applies only if Enable Time Buffering is ON. The default is 3600 seconds.
When set to ON, Federation Manager applies a time limit to how long log records are buffered in memory. The amount of time is set in the Buffer Time attribute.
The Naming service is used to get and set URLs, plug-ins and configurations as well as request notifications for various other Federation Manager services such as session, authentication, logging, SAML and Federation. This service enables clients to find the correct service URL if the platform is running more than one instance of Federation Manager. When a naming URL is found, the naming service will decode the session of the user and dynamically replace the protocol, host, and port with the parameters from the session. This ensures that the URL returned for the service is for the host that the user session was created on. The Naming attributes are:
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/profileservice.
This syntax allows for dynamic substitution of the profile URL based on the server host, port number, and deployment URI.
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/sessionservice.
This syntax allows for dynamic substitution of the session URL based on the server host, port number, and deployment URI.
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/loggingservice.
This syntax allows for dynamic substitution of the logging URL based on the server host, port number, and deployment URI.
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/policyservice.
This syntax allows for dynamic substitution of the policy URL based on the server host, port number, and deployment URI.
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/authservice.
This syntax allows for dynamic substitution of the authentication URL based on the server host, port number, and deployment URI.
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/SAMLAwareServlet.
This syntax allows for dynamic substitution of the SAML web profile/artifact URL based on the server host, port number, and deployment URI.
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/SAMLSOAPReceiver.
This syntax allows for dynamic substitution of the SAML SOAP URL based on the server host, port number, and deployment URI.
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/SAMLPOSTProfileServlet.
This syntax allows for dynamic substitution of the SAML web profile/POST URL based on the server host, port number, and deployment URI.
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/AssertionManagerServlet/AssertionManagerIF.
This syntax allows for dynamic substitution of the SAML Assertion Manager Service URL based on the server host, port number, and deployment URI.
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/FSAssertionManagerServlet/FSAssertionManagerIF.
This syntax allows for dynamic substitution of the Federation Assertion Manager Service URL based on the server host, port number, and deployment URI.
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/SecurityTokenManagerServlet/SecurityTokenManagerIF/.
This syntax allows for dynamic substitution of the Security Token Manager URL based on the server host, port number, and deployment URI.
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/jaxrpc/.
This syntax allows for dynamic substitution of the JAXRPC Endpoint URL based on the server host, port number, and deployment URI.
The Platform service is where additional servers can be added to the Federation Manager configuration as well as other options applied at the top level of the application. The Platform service attributes are global attributes. The attributes are:
This list contains the Federation Manager server instances. If the host specified in a request for a service URL is not in this list, the request is rejected.
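As an added illustration of the Naming service substitution and the platform server list check (not Federation Manager's code), the following Python model resolves a naming template for the server recorded in the user's session and rejects any origin that is not a configured server instance. The server list, deployment URI and session field names are constructed placeholders.

```python
from typing import Dict, Mapping, Set

# Constructed placeholders, not a real deployment.
DEPLOY_URI = "/federation"
SERVER_LIST: Set[str] = {"https://fm1.example.com:443", "https://fm2.example.com:443"}

# Naming templates in the form the page documents.
NAMING_TEMPLATES: Dict[str, str] = {
    "session": "protocol://host:port/Server_DEPLOY_URI/sessionservice",
    "logging": "protocol://host:port/Server_DEPLOY_URI/loggingservice",
    "jaxrpc": "protocol://host:port/Server_DEPLOY_URI/jaxrpc/",
}
TEMPLATE_PREFIX = "protocol://host:port/Server_DEPLOY_URI"


def session_origin(session: Mapping[str, object]) -> str:
    """Build protocol://host:port from the session's origin server (assumed session fields)."""
    host = str(session["host"]).lower()  # DNS names are case-insensitive
    return f"{session['protocol']}://{host}:{int(session['port'])}"


def is_listed_origin(session: Mapping[str, object], server_list: Set[str] = SERVER_LIST) -> bool:
    """True only if the session's origin is one of the configured server instances."""
    return session_origin(session) in server_list


def resolve_service_url(service: str, session: Mapping[str, object],
                        templates: Mapping[str, str] = NAMING_TEMPLATES,
                        server_list: Set[str] = SERVER_LIST,
                        deploy_uri: str = DEPLOY_URI) -> str:
    """Replace protocol, host, port and deployment URI in the template with the
    session's values. An origin outside the server list is rejected, so a session
    pointing at an unlisted host can never yield a service URL for that host."""
    if not is_listed_origin(session, server_list):
        raise PermissionError(f"{session_origin(session)} is not in the platform server list")
    template = templates[service]
    if not template.startswith(TEMPLATE_PREFIX):
        raise ValueError(f"unexpected template for {service}: {template}")
    return session_origin(session) + deploy_uri + template[len(TEMPLATE_PREFIX):]
```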
The platform locale value is the default language subtype that Federation Manager was installed with. The authentication, logging and administration services are administered in the language of this value. The default is en_US.
The list of domains that will be returned in the cookie header when setting a cookie to the user's browser during authentication. If empty, no cookie domain will be set. In other words, the Federation Manager session cookie will only be forwarded to the Federation Manager itself and to no other servers in the domain.
If SSO is required with other servers in the domain, this attribute must be set with the cookie domain. If you had two interfaces in different domains on one Federation Manager then you would need to set both cookie domains in this attribute. If a load balancer is used, the cookie domain must be that of the load balancer's domain, not the servers behind the load balancer. The default value for this field is the domain of the installed Federation Manager.
This field specifies the URL of the login page. The default value for this attribute is /Service_DEPLOY_URI/UI/Login.
This field specifies the URL of the logout page. The default value for this attribute is /Service_DEPLOY_URI/UI/Logout.
This attribute stores all available locales configured for the platform. Consider an application that lets the user choose a locale: it would read this attribute from the platform profile, present the list of locales to the user, and store the user's choice in the preferredLocale attribute of the user entry.
This attribute specifies the character set for different clients at the platform level. It contains a list of client types and the corresponding character sets.
This attribute is not currently supported.
The Session module provides a way to view user session information and manage user sessions. It keeps track of the various session times and allows the administrator to invalidate a session. The Session attributes are:
This attribute specifies the maximum number of results returned by a session search. The default value is 120.
This attribute defines the maximum amount of time before a session search terminates. The default value is 5 seconds.
This attribute accepts a value in minutes to express the maximum time before the session expires and the user must reauthenticate to regain access. A value of 1 or higher will be accepted. The default value is 120. Max Session Time limits the validity of the session. It does not get extended beyond the configured value.
To balance the requirements of security and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value.
This attribute accepts a value (in minutes) equal to the maximum amount of time without activity before a session expires and the user must reauthenticate to regain access. A value of 1 or higher will be accepted. The default value is 30.
This attribute accepts a value (in minutes) equal to the maximum interval before the client contacts Federation Manager to refresh cached session information. A value of 0 or higher will be accepted. The default value is 3. The maximum caching time should always be less than the maximum idle time.
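The following Python model, added here and not Federation Manager's own code, shows how the three session timers interact with the page's defaults: Max Session Time is an absolute limit that activity never extends, Max Idle Time resets on each activity, and a client must refresh its cached copy once Max Caching Time has elapsed. The minute-based clock and the session fields are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Defaults from the page, in minutes.
MAX_SESSION_TIME = 120
MAX_IDLE_TIME = 30
MAX_CACHING_TIME = 3


@dataclass
class Session:
    created: int        # constructed clock: minutes since some epoch
    last_activity: int
    last_refresh: int   # when a client last refreshed its cached session data


def session_state(s: Session, now: int, max_session: int = MAX_SESSION_TIME,
                  max_idle: int = MAX_IDLE_TIME) -> str:
    """'valid', 'expired-max' or 'expired-idle'. The absolute limit is checked
    first: activity extends the idle window but never the session lifetime."""
    if now - s.created >= max_session:
        return "expired-max"
    if now - s.last_activity >= max_idle:
        return "expired-idle"
    return "valid"


def touch(s: Session, now: int) -> None:
    """Record user activity on a still-valid session; only the idle timer resets."""
    if session_state(s, now) != "valid":
        raise ValueError("cannot record activity on an expired session")
    s.last_activity = now


def client_must_refresh(s: Session, now: int, max_caching: int = MAX_CACHING_TIME) -> bool:
    """True when the client's cached session information is older than Max Caching Time."""
    return now - s.last_refresh >= max_caching


def check_config(max_session: int, max_idle: int, max_caching: int) -> List[str]:
    """Apply the value ranges the page states and the caching < idle recommendation."""
    problems = []
    if max_session < 1:
        problems.append("Max Session Time must be 1 or higher")
    if max_idle < 1:
        problems.append("Max Idle Time must be 1 or higher")
    if max_caching < 0:
        problems.append("Max Caching Time must be 0 or higher")
    if max_caching >= max_idle:
        problems.append("Max Caching Time should be less than Max Idle Time")
    return problems
```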