AMDistAuthConfig.properties.template revision f0e56106ee05e35ce4aa00ba4f47ba1789341ec7
a4544a5a0e622ef69e38641f87ab1b5685e05911Phill Cunnington#
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster#
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster#
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# The contents of this file are subject to the terms
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# of the Common Development and Distribution License
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# (the License). You may not use this file except in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# compliance with the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster#
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# You can obtain a copy of the License at
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# https://opensso.dev.java.net/public/CDDLv1.0.html or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# opensso/legal/CDDLv1.0.txt
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# See the License for the specific language governing
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# permission and limitations under the License.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster#
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# When distributing Covered Code, include this CDDL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# Header Notice in each file and include the License file
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# at opensso/legal/CDDLv1.0.txt.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# If applicable, add the following below the CDDL Header,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# with the fields enclosed by brackets [] replaced by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# your own identifying information:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# "Portions Copyrighted [year] [name of copyright owner]"
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster#
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster# $Id: AMDistAuthConfig.properties.template,v 1.6 2009/08/12 17:43:03 beomsuk Exp $
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster#
a4544a5a0e622ef69e38641f87ab1b5685e05911Phill Cunnington# Portions Copyrighted 2010-2015 ForgeRock AS.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/* The following keys are used to configure the Debug service.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Possible values for the key 'level' are: off | error | warning | message.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * The key 'directory' specifies the output directory where the debug files
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * will be created.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Trailing spaces are significant.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Windows: Use forward slashes "/" separate directories, not backslash "\".
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Windows: Spaces in the file name are allowed for Windows.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fostercom.iplanet.services.debug.level=@DEBUG_LEVEL@
d0da70ccbba38b773e7a7cc71bc124b06206d201Robert Wapshottcom.iplanet.services.debug.directory=@DEBUG_DIR@
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/*
d0da70ccbba38b773e7a7cc71bc124b06206d201Robert Wapshott * Server mode should be 'false'
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fostercom.iplanet.am.serverMode=false
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/*
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Cache enable / disable properties
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fostercom.iplanet.am.sdk.caching.enabled=false
d0da70ccbba38b773e7a7cc71bc124b06206d201Robert Wapshottcom.sun.identity.idm.cache.enabled=false
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fostercom.sun.identity.sm.cache.enabled=true
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/*
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Configure remote plugin classes for configuration (SMS)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fostercom.sun.identity.sm.sms_object_class_name=com.sun.identity.sm.jaxrpc.SMSJAXRPCObject
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/*
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Naming URL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fostercom.iplanet.am.naming.url=@NAMING_URL@
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/*
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Notification URL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fostercom.sun.identity.client.notification.url=@NOTIFICATION_URL@
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/*
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Security Credentials to read the configuration data
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fostercom.sun.identity.agents.app.username=@APPLICATION_USER@
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fostercom.iplanet.am.service.password=@APPLICATION_PASSWD@
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fostercom.iplanet.am.service.secret=@ENCODED_APPLICATION_PASSWORD@
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/*
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Encryption key that will be used to encrypt and decypt
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * data to communicate with the server.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * This key is needed to decrypt passwords stored
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * in the SMS configuration.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fosteram.encryption.pwd=@ENCRYPTION_KEY@
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster/*
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * Encryption key that will be used to encrypt and decypt
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster * data used locally within the client.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster */
8af80418ba1ec431c8027fa9668e5678658d3611Allan Fostercom.sun.identity.client.encryptionKey=@ENCRYPTION_KEY_LOCAL@
/*
* Encryption: The key "com.iplanet.security.encryptor" specifies
* the encrypting class implementation.
* Available classes are:
* com.iplanet.services.util.JCEEncryption
* com.iplanet.services.util.JSSEncryption
*/
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
/*
* Property to enable/disable the notifications for am.sdk and IdRepo Caches.
* If set to "true" notifications are enabled and disabled if set to "false".
*/
com.sun.identity.idm.remote.notification.enabled=true
/*
* Cache update time (in minutes) for am.sdk & IdRepo Caches
* if notification URL is not provided or if notifications are disabled.
* Note:
* 1. This property is applicable only if 'com.iplanet.am.notification.url'
* is not provided or if 'com.sun.identity.idm.remote.notification.enabled'
* is set to 'false'.
* 2. If the polling time is set as 0, then polling is disabled.
*/
com.iplanet.am.sdk.remote.pollingTime=1
/*
* Property to enable/disable the notifications for service management caches.
* If set to "true" notifications are enabled and disabled if set to "false".
*/
com.sun.identity.sm.notification.enabled=true
/*
* Cache update time (in minutes) for service configutation data,
* if notification URL is not provided or if notifications are disabled.
* Note:
* 1. This property is applicable only if 'com.iplanet.am.notification.url'
* is not provided or if 'com.sun.identity.sm.notification.enabled' is
* set to 'false'.
* 2. If the cache time is set as 0, then no cache updates will occur.
*/
com.sun.identity.sm.cacheTime=1
/*
* Server protocol, host and port to be used by Client Services
*/
com.iplanet.am.server.protocol=@SERVER_PROTOCOL@
com.iplanet.am.server.host=@SERVER_HOST@
com.iplanet.am.server.port=@SERVER_PORT@
com.iplanet.am.services.deploymentDescriptor=@DEPLOY_URI@
com.iplanet.am.cookie.name=@AM_COOKIE_NAME@
com.sun.identity.cdcservlet.loginurl=/UI/Login
/*
* Session related properties.
*/
com.iplanet.am.session.client.polling.enable=true
com.iplanet.am.session.client.polling.period=180
/*
* Identify cert db directory path, prefix and password file
* to initialize JSS Socket Factory when Web Container is configured SSL
*/
com.iplanet.am.admin.cli.certdb.dir=@CONTAINER_CERTDB_DIR@
com.iplanet.am.admin.cli.certdb.prefix=@CONTAINER_CERTDB_PREFIX@
com.iplanet.am.admin.cli.certdb.passfile=@BASEDIR@/@PRODUCT_DIR@/config/.wtpass
/*
* Identify property value for SSL ApprovalCallback / HostnameVerifier
* If com.iplanet.services.comm is configured as protocol handler
* and the checkSubjectAltName or resolveIPAddress feature is enabled,
* cert8.db and key3.db with the prefix value of
* com.iplanet.am.admin.cli.certdb.prefix will have to be created under
* the directory of com.iplanet.am.admin.cli.certdb.dir before server is
* restarted.
*/
com.iplanet.am.jssproxy.trustAllServerCerts=false
com.iplanet.am.jssproxy.checkSubjectAltName=false
com.iplanet.am.jssproxy.resolveIPAddress=false
com.iplanet.am.jssproxy.SSLTrustHostList=false
/**************************************************************
* Policy Client parameters
**************************************************************/
/* Policy decision log parameters. Possible values for logging.level
* are NONE, ALLOW, DENY, BOTH, and DECISION */
com.sun.identity.agents.server.log.file.name=amRemotePolicyLog
com.sun.identity.agents.logging.level=NONE
/* Notification URL for updating cache */
com.sun.identity.agents.notification.enabled=false
com.sun.identity.agents.notification.url=@NOTIFICATION_URL@
/* Cache time in minutes */
com.sun.identity.agents.polling.interval=3
/* Information to cache. Possible value are "subtree" or "self" */
com.sun.identity.policy.client.cacheMode=subtree
/* Policy client clock skew value in seconds */
com.sun.identity.policy.client.clockSkew=10
/*
* Explicitly disable monitoring services in the client applications.
*/
com.sun.identity.monitoring=off
/*
* Specify if allow to use cached data for HttpURLConnection
*/
com.sun.identity.urlconnection.useCache=false
/*
* Protocol handler pkg name for HTTPS protocol.
* Default value is none.
* Available impl classes are:
* com.iplanet.services.comm (uses JSS)
* com.sun.identity.protocol (pure Java)
*/
opensso.protocol.handler.pkgs=
/*
* This setting controls whether the AuthContext includes the HttpServletRequest
* and HttpServletResponse objects as serialized Java objects in the remote auth
* XML communications with the server. If the OpenAM server is using custom auth
* modules that make use of the HttpServletRequest or Response objects; the module
* might look for a request parameter or need to set a cookie, then set this value
* to true.
*
* Enabling this functionality has a minimal performance impact due to the
* serialization overhead.
*/
openam.remoteauth.include.reqres=false
/*
* This setting controls the default logout page to which a user is redirected
* if no goto url is specified to the LogoutViewBean.
*/
openam.authentication.distUI.defaultLogoutPage=Logout.jsp
/*
* This setting turns on persistent OpenAM session cookies, traditionally the
* OpenAM session cookie (iPlanetDirectoryPro) has always been a session cookie.
* If the OpenAM session cookie is required by other applications then the cookie
* must be made persistent.
*
* SECURITY NOTE: This setting should only be set to true in very specific
* circumstances. If OpenAM is deployed alongside Enterprise/Desktop SSO
* customisations then this setting can be enabled. This will cause the browser
* to write the value of the OpenAM session cookie to disk enabling Enterprise/
* Desktop SSO. Writing the session cookie to disk will also allow other
* applications to read the cookie. This feature should only be enabled if you
* are aware and accept the security implications.
*/
openam.session.persist_am_cookie=false
/*
* This property controls the length of time for which the OpenAM session cookie
* will be persisted if persistent cookie mode is enabled.
*
* Units: Time in hours
*/
com.iplanet.am.cookie.timeToLive=24
/*
* The URL of the DAS to receive notifications.
*/
com.sun.identity.client.notification.url=@NOTIFICATION_URL@
/*
* Enabled Cookie encoded (should be true when running in Tomcat)
*/
com.iplanet.am.cookie.c66Encode=false
/*
* Invalid characters enforced by the CDCServlet
*/
com.iplanet.services.cdc.invalidGotoStrings=<,>,javascript:,javascript%3a,%3c,%3e
/*
* A comma delimited list of valid Login URI values, enforced by the DAS CDCServlet.
*/
org.forgerock.openam.cdc.validLoginURIs=/UI/Login
/*
* Enable this setting if you want the original session _not_ to be destroyed
* during session upgrade. Useful if you have concurrent access to OpenAM
* during the session upgrade process.
*/
openam.auth.destroy_session_after_upgrade=false
/**
* When the DAS server receives an authcookie with an invalid servername, this
* HTTP error should be sent to the application server, so they can show a
* custom error page to the user. This errorpage should only appear if there
* are multiple OpenAM installations within the same cookie domain.
*/
openam.untrusted.server.http.error.code=403
/**
* Here you can list HTTP header keys, which should be retained, when the user
* is internally rerouted to an another DAS instance. This usually happens
* when the user has an AMAuthCookie from a different DAS server. The list of
* headernames should be separated by a comma (',') character, for example:
* The headers listed here will be copied into the proxied request.
*
* openam.retained.http.request.headers=X-DSAMEVersion,AM_CLIENT_TYPE
*/
openam.retained.http.request.headers=X-DSAMEVersion
/**
* Here you can list HTTP header keys, which should NOT retained, when the
* user is internally rerouted to an another DAS instance. You should only
* modify this list if you're really sure about what you're doing, since
* copying certain headers can cause unexpected errors in your deployment.
* The headers listed here will NOT be copied into the proxied request.
*
* This option is here to supply deafult values for the configuration and
* protect from erroneus header settings.
*/
openam.forbidden.to.copy.request.headers=connection
/**
* Here you can list HTTP header keys, which should be retained, when the user
* is internally rerouted to an another DAS instance. This usually happens
* when the user has an AMAuthCookie from a different DAS server. The list of
* headernames should be separated by a comma (',') character, for example:
* The headers listed here will be copied from the proxied response.
*
* openam.retained.http.headers=X-DSAMEVersion,AM_CLIENT_TYPE,Cache-Control
*/
openam.retained.http.headers=X-DSAMEVersion
/**
* Here you can list HTTP header keys, which should NOT retained, when the
* user is internally rerouted to an another DAS instance. You should only
* modify this list if you're really sure about what you're doing, since
* copying certain headers can cause unexpected errors in your deployment.
* The headers listed here will NOT be copied from the proxied response.
*
* This option is here to supply deafult values for the configuration and
* protect from erroneus header settings.
*/
openam.forbidden.to.copy.headers=connection
/**
* If this property is enabled the DAS logout screen will not redirect the
* clients to the value of the 'goto' parameter in any circumstances, instead
* it will only display the Logout successful screen.
*/
openam.authentication.ignore_goto_during_logout=false
/**
* Whether to allow Zero Page Login for DAS requests. If enabled, this allows
* clients to log in by supplying credentials in query parameters.
*/
openam.auth.zero.page.login.enabled=false
/**
* A space-separated list of HTTP Referer URLs from which Zero Page Login requests are
* accepted. Leave blank to allow from any URL. Provides mitigation against
* Login CSRF attacks when ZPL is enabled.
*/
openam.auth.zero.page.login.referer.whitelist=
/**
* Whether to allow ZPL requests which have no HTTP Referer header.
*/
openam.auth.zero.page.login.allow.null.referer=true
/**
* A comma-separated list of Java classes that are valid for use in OpenAM during Object deserialisation, for example
* in the JATO framework.
*/
openam.deserialisation.classes.whitelist=\
com.iplanet.dpro.session.DNOrIPAddressListTokenRestriction,\
com.sun.identity.common.CaseInsensitiveHashMap,\
com.sun.identity.common.CaseInsensitiveHashSet,\
com.sun.identity.common.CaseInsensitiveKey,\
com.sun.identity.console.base.model.SMSubConfig,\
com.sun.identity.console.service.model.SMDescriptionData,\
com.sun.identity.console.service.model.SMDiscoEntryData,\
com.sun.identity.console.session.model.SMSessionData,\
com.sun.identity.shared.datastruct.OrderedSet,\
com.sun.xml.bind.util.ListImpl,\
com.sun.xml.bind.util.ProxyListImpl,\
java.lang.Boolean,\
java.lang.Integer,\
java.lang.Number,\
java.lang.StringBuffer,\
java.net.InetAddress,\
java.util.ArrayList,\
java.util.Collections$EmptyMap,\
java.util.HashMap,\
java.util.HashSet,\
java.util.Locale,\
org.forgerock.openam.authentication.service.protocol.RemoteCookie,\
org.forgerock.openam.authentication.service.protocol.RemoteHttpServletRequest,\
org.forgerock.openam.authentication.service.protocol.RemoteHttpServletResponse,\
org.forgerock.openam.authentication.service.protocol.RemoteServletRequest,\
org.forgerock.openam.authentication.service.protocol.RemoteServletResponse,\
org.forgerock.openam.authentication.service.protocol.RemoteSession,\
org.forgerock.openam.dpro.session.NoOpTokenRestriction