chap-config-ref.xml revision 02b85867be37dad95903d24592f5a8e6f9fb64ba
<?xml version="1.0" encoding="UTF-8"?>
<!--
! CCPL HEADER START
!
! This work is licensed under the Creative Commons
! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
! To view a copy of this license, visit
! or send a letter to Creative Commons, 444 Castro Street,
! Suite 900, Mountain View, California, 94041, USA.
!
! You can also obtain a copy of the license at
! See the License for the specific language governing permissions
! and limitations under the License.
!
! If applicable, add the following below this CCPL HEADER, with the fields
! enclosed by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CCPL HEADER END
!
! Copyright 2012-2014 ForgeRock AS
!
-->
<chapter xml:id='chap-config-ref'
xmlns='http://docbook.org/ns/docbook'
version='5.0' xml:lang='en'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://docbook.org/ns/docbook
xmlns:xlink='http://www.w3.org/1999/xlink'>
<title>Configuration Reference</title>
<indexterm><primary>Configuration</primary></indexterm>
<para>This chapter covers OpenAM configuration properties accessible through
the Configuration tab of the console, most of which can be set by using the
<command>ssoadm</command> command. The chapter is organized to follow the
OpenAM console layout.</para>
<section xml:id="authentication-configuration">
<title>Authentication Configuration</title>
<indexterm>
<primary>Configuration</primary>
<secondary>Authentication</secondary>
</indexterm>
<para>Under Configuration > Authentication you can configure
authentication services globally using the same attributes you use to
configure authentication modules per realm under Access Control >
<replaceable>Realm Name</replaceable> > Authentication > Module
Instances, and described in the <citetitle>Administration Guide</citetitle>
chapter on <link xlink:href="admin-guide#chap-auth-services"
Authentication Services</citetitle></link>.</para>
<para>The primary difference is that when configuring services globally,
you set the default values to be used when a module is configured further
for a specific realm.</para>
<para>The Core Authentication module includes some fields under this tab that are not
available through the realm changes under the <literal>Access Control</literal> tab.
Because attributes set under the <literal>Configuration</literal> tab apply on a
server level, the changes you make here will apply to all realms. Attributes
set under the <literal>Access Control</literal> tab only apply to the realms that
you specify. The Authentication table under the <literal>Configuration</literal> tab
lists all existing types of modules available for configuration, including any
customized modules you have added.</para>
<para>The following are the global fields you can configure for the Core Authentication
module under the <literal>Configuration</literal> tab.</para>
<variablelist>
<varlistentry>
<term>Pluggable Authentication Module Classes</term>
<listitem>
<para>Add class names for custom authentication modules to this list.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-auth-authenticators</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Connection Pool Size, Default LDAP Connection Pool Size</term>
<listitem>
<para>Sets a minimum and maximum number of LDAP connections in the pool
for connecting to a directory server. When tuning for production, start
with <literal>10:65</literal> (10 minimum, 65 maximum). Explicit settings
for specific servers override the default.</para>
<para>This attribute is for LDAP and Membership authentication services
only.</para>
<para>This connection pool is different than the SDK connection pool
<para><command>ssoadm</command> attributes:
<literal>iplanet-am-auth-ldap-connection-pool-size</literal>, and
<literal>iplanet-am-auth-ldap-connection-pool-default-size</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Connection Pool Size, Default LDAP Connection Pool Size</term>
<listitem>
<para>Sets a minimum and maximum number of LDAP connections in the pool
for connecting to a directory server. When tuning for production, start
with <literal>10:65</literal> (10 minimum, 65 maximum). Explicit settings
for specific servers override the default.</para>
<para>This attribute is for LDAP and Membership authentication services
only.</para>
<para>This connection pool is different than the SDK connection pool
<para><command>ssoadm</command> attributes:
<literal>iplanet-am-auth-ldap-connection-pool-size</literal>, and
<literal>iplanet-am-auth-ldap-connection-pool-default-size</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Remote Auth Security</term>
<listitem>
<para>Require the authenticating application to send its SSOToken. This
allows the Authentication Service to obtain the username and password
associated with the application.</para>
<para><command>ssoadm</command> attribute:
<literal>sunRemoteAuthSecurityEnabled</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Keep Post Process Objects for Logout Processing, Keep Authentication
Module Objects for Logout Processing</term>
<listitem>
<para>When enabled, retain objects used to process authentication or
post authentication operations in the user session until the user
logs out.</para>
<para><command>ssoadm</command> attributes:
<literal>sunAMAuthKeepPostProcessInstances</literal>, and
<literal>sunAMAuthKeepAuthModuleIntances</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>XUI Interface</term>
<listitem>
<para>When enabled, the initial login screen uses the XUI.</para>
<para><command>ssoadm</command> attribute:
<literal>openam-xui-interface-enabled</literal></para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="das-configuration">
<title>Distributed Authentication UI Configuration</title>
<indexterm>
<primary>Configuration</primary>
<secondary>Distributed Authentication UI</secondary>
</indexterm>
<para>OpenAM provides a distributed authentication service (DAS) that forwards
user login authentication requests through a single firewall or a network demilitarized zone (DMZ)
to the OpenAM core server. The DAS uses the OpenAM ClientSDK JAX-RPC interfaces to
effectively limit the OpenAM core server's exposure to the Internet. Note that DAS has no federation capability.</para>
<para>If you have a multi-instance OpenAM deployment, you can set up a configuration properties file,
<literal>$HOME/FAMDistAuth/*AmDistAuthConfig.properties</literal>, to configure each server in the deployment.
For instructions on installing DAS war, see <link xlink:href="install-guide#chap-install-das"
Authentication</citetitle></link>.</para>
<para>This section presents the properties that you can set in the DAS properties file to configure your
OpenAM instances.</para>
<variablelist xml:id="das-properties">
<title>Administration</title>
<varlistentry>
<listitem>
<para>Specifies the level of the Debug service. Possible values are: off | error (default) | warning | message.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the output directory for the debug information.
For Windows platforms, use forward slashes "/" to separate the directories, not the backslash "\".
Spaces in the file name are allowed for Windows.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies if the configured WAR is running on an OpenAM server or a client to the OpenAM server.
For the DAS, the value will be <literal>false</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies if the Identity Repository and Service Management caches are both enabled.
Set this value to <literal>false</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies if the Identity Repository cache is enabled or disabled.
Set the value to <literal>false</literal> to disable the cache.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies if the Service Management cache is enabled or disabled.
Set the value to <literal>true</literal> to enable the cache.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the remote plugin classes for SMS configuration.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the URI of the Naming Service.
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="security-credentials-to-read-config-data">
<title>Security Credentials</title>
<varlistentry>
<listitem>
<para>Specifies the Agent Username to read the configuration data.
Set this to <literal>UrlAccessAgent</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the Agent's password (plain text) to read the configuration data.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the Agent's encrypted password to read the configuration data.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the Agent's encryption key if the password is encrypted.
This allows the agent to read the configuration data.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the encryption key that is used to encrypt and decrypt data locally within the client.
The key is needed to decrypt passwords stored in the SMS configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the encrypting class implementation. Available classes are:
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="cache-notifications">
<title>Identity Repository and Service Management Caches</title>
<varlistentry>
<listitem>
<para>Enable or disable the notifications for am.sdk and IdRepo caches.
If set to <literal>true</literal>, notifications are enabled. If set to <literal>false</literal>,
notifications are disabled.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the cache update time (in minutes) for am.sdk and IdRepo caches if the notification URL
is not provided or if notifications are disabled. This property is only applicable if
<literal>com.sun.identity.idm.remote.notification.enabled</literal> is set to <literal>false</literal>.
If the polling time is set to 0, then polling is disabled.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enable or disable notifications for the service management cache.
If set to <literal>true</literal>, notifications are enabled. If set to <literal>false</literal>,
notifications are disabled.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the cache update time (in minutes) for the service configuration data
if the notification URL is not provided or if notifications are disabled. This property is only
If the cache time is set to 0, then no cache updates will occur.</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="server-protocol-host-port-descriptor">
<title>Client Services</title>
<varlistentry>
<listitem>
<para>Specifies the OpenAM protocol used by Client Services.
For example, <literal>http</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the OpenAM server host used by Client Services.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the OpenAM server port used by Client Services.
For example, <literal>8080</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the OpenAM deployment descriptor user by Client Services.
For example, <literal>/openam</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the OpenAM cookie name.
Set the value to the <literal>iPlanetDirectoryPro</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the login URL of the OpenAM deployment.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enables or disables the client-side session polling. If set to <literal>true</literal>,
enable session polling. If set to <literal>false</literal>, disable session polling.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the client-side polling period in seconds. Default value is 180.</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="cert-db">
<title>JSS</title>
<varlistentry>
<listitem>
<para>Specifies the certificate database directory path to initialize the JSS Socket Factory
when the web container is configured with SSL.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the prefix for the certificate database.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the directory path to the password file for the certificate database. </para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies if OpenAM should trust all server certificates.
Default value is <literal>false</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies that the Subject Alternate Name extension be included with the certificate.
If one of the names in the extension matches the server FQDN, continue the SSL handshake.
The default value is <literal>false</literal>. If <literal>com.iplanet.services.com</literal> is configured as a protocol handler and
the <literal>checkSubjectAltName</literal> or <literal>resolveIPAddress</literal> feature is enabled,
before the server is restarted.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies if the JSS proxy should resolve IP addresses.
Default value is <literal>false</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies if the JSS proxy should check the server list of FQDNs against the host.
If the FQDNs of the servers on the list match, continue the SSL handshake.
You may specify a comma-delimited list of server FQDNs as property values.
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="policy-decision-log">
<title>Policy Client</title>
<varlistentry>
<listitem>
<para>Specifies the name of the policy log file.
By default, the property is set to <literal>amRemotePolicyLog</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the level of information detail logged to the policy log file.
Possible values are: <literal>NONE</literal>, <literal>ALLOW</literal> (allowed-access decisions),
<literal>DENY</literal> (denied-access decisions), <literal>BOTH</literal> (both allowed-access
and denied-access decisions), <literal>DECISION</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enable or disable notifications from the OpenAM server to update the cache.
Possible values are <literal>true</literal> or <literal>false</literal> (default).</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the URl of the notification server.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the number of minutes that an entry is in the cache.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the information to cache. Possible values are:
<literal>subtree</literal> (obtain policy decisions from the server for all resources from the
root of the resource requested), <literal>self</literal> (obtain policy decisions from the server
only for the resource requested).</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the policy client clock skew in seconds. Default value is <literal>10</literal>.</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="das-monitoring">
<title>Monitoring</title>
<varlistentry>
<listitem>
<para>Explicitly disable monitoring services in the client applications.
Default is <literal>off</literal>.</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="general">
<title>General</title>
<varlistentry>
<listitem>
<para>Specifies if cache data is used for HttpURLConnection.
Default value is <literal>false</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the protocol handler package name for the HTTPS protocol.
Default value is <literal>none</literal>. Available classes are:
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies whether the AuthContext includes the HttpServletRequest
and HttpServletResponse objects as serialized Java objects in the remote auth
XML communications with the server. If the OpenAM server is using custom auth
modules that make use of the HttpServletRequest or Response objects to allow the module
to look for a request parameter or to set a cookie, then set this value
to <literal>true</literal>. Enabling this functionality has a minimal performance impact due to the
serialization overhead. Default value is <literal>false</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the default logout page to which a user is redirected if no goto url is
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Turn on persistent OpenAM session cookies. Traditionally, the
OpenAM session cookie (iPlanetDirectoryPro) has always been a session cookie.
If the OpenAM session cookie is required by other applications, then the cookie
must be made persistent.</para>
<para>SECURITY NOTE: This property should only be set to <literal>true</literal> in very specific
circumstances. If OpenAM is deployed alongside Enterprise/Desktop SSO
customizations, then this setting can be enabled. This will cause the browser
to write the value of the OpenAM session cookie to disk enabling Enterprise/Desktop SSO.
Writing the session cookie to disk will also allow other
applications to read the cookie. This feature should only be enabled if you
are aware and accept the security implications.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the length of time for which the OpenAM session cookie will be persisted
if persistent cookie mode is enabled.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the URL of the DAS to receive notifications.
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enable cookie encoding. This property must be set to <literal>true</literal> when running in Tomcat.
Default value is <literal>true</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the invalid characters enforced by the CDCServlet.
Default value is <literal>%lt;,>,javascript:,javascript%3a,%3c,%3e</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies if the original session should be destroyed during the session upgrade.
This property is useful if you have concurrent access to OpenAM during the session upgrade
process. Default value is <literal>true</literal>.</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="http-header-properties">
<title>HTTP Headers</title>
<varlistentry>
<listitem>
<para>Specifies the HTTP error code that is sent to the application server
when the DAS server receives an authcookie with an invalid servername.
This allows the application server to present a custom error page to the user.
This error page should only appear if there
are multiple OpenAM installations within the same cookie domain.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the list of HTTP header keys that should be retained when the user
is internally rerouted to another DAS instance.
Default value is <literal>X-DSAMEVersion</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the list of HTTP header keys that should NOT be copied.
Default value is <literal>connection</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the list of HTTP header keys that should be retained when the user is
internally rerouted to another DAS instance. This usually happens
when the user has an AMAuthCookie from a different DAS server. The list of
header names should be separated by a comma (','). For example,
the headers listed will be copied from the proxied response:
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the list of HTTP header keys that should NOT be retained when the user is
internally rerouted to another DAS instance. The headers listed here will NOT be copied from the
proxied response. This option is present to supply default values for the configuration and
protect from erroneous header settings. Default value is <literal>connection</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies that if <literal>true</literal>, the Logout Successful screen is displayed.
If <literal>false</literal> (default), the DAS logout screen redirects the clients
to the value of the 'goto' parameter.</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="load-balancer">
<title>DAS Configuration</title>
<varlistentry>
<listitem>
<para>Specifies the server protocol. For example, <literal>http</literal> or <literal>https</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the server port. For example, <literal>8080</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies a deployment descriptor. For example, <literal>/das</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies if the cookie is secure (<literal>true</literal>) or not (<literal>false</literal>).
Default value is <literal>false</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies if the cookie is encoded (<literal>true</literal>) or not (<literal>false</literal>).
Default value is <literal>false</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the load balancer cookie name to be used when there are multiple DAS servers
behind a load balancer. For example, <literal>DistAuthLBCookieName</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the load balancer cookie value to be used when there are multiple DAS servers
behind a load balancer. For example, <literal>DistAuthLBCookieValue</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the load balancer cookie name when there are multiple OpenAM server instances
behind the load balancer. Default value is <literal>amlbcookie</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the DAS cookie name used to set the session handler ID during the authentication
process. For example, <literal>AMDistAuthCookie</literal>.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="console-configuration">
<title>Console Configuration</title>
<indexterm>
<primary>Configuration</primary>
<secondary>Console</secondary>
</indexterm>
<para>Under Configuration > Console you can customize how the OpenAM
console appears, and what character sets are used.</para>
<variablelist xml:id="console-administration">
<title>Administration</title>
<para>Administration includes both global and realm attributes.</para>
<para><command>ssoadm</command> service name:
<literal>iPlanetAMAdminConsoleService</literal></para>
<varlistentry>
<term>Federation Management</term>
<listitem>
<para>Clear Enabled to disable federation functionality in OpenAM.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-admin-console-liberty-enabled</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Maximum Results Returned from Search</term>
<listitem>
<para>Use this attribute to restrict the maximum number of results found
in a search, such as a search for user profiles. Increasing the value can
negatively impact performance. On the other hand, the default maximum of
100 can explain why administrators unaware of this setting can be
surprised not to see all the users they expect in search results.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-admin-console-search-limit</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Timeout for Search</term>
<listitem>
<para>Timeout in seconds for a console search. OpenAM returns an error
if the search is not completed by the timeout.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-admin-console-search-timeout</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Search Return Attribute</term>
<listitem>
<para>List of LDAP attribute types to return in search results. OpenAM
sorts users by the first attribute you specify. Use attributes that are
actually present in user profiles.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-admin-console-user-return-attribute</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Maximum Items Displayed per Page</term>
<listitem>
<para>OpenAM shows a maximum of this many items in a console page before
separating the page into multiple screens.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-admin-console-paging-size</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Prompt user for old password</term>
<listitem>
<para>If enabled, when the user edits her password in the user view, then
OpenAM prompts her for the old password.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-admin-console-password-reset-enabled</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="console-g11n">
<title>Globalization Settings</title>
<para>Globalization settings affect character sets and common name
formats. See <link xlink:href="reference#chap-l10n"
>Localization</citetitle></link> for a list of supported locales.</para>
<para><command>ssoadm</command> service name:
<literal>iPlanetG11NSettings</literal></para>
<varlistentry>
<term>Charsets Supported by Each Locale</term>
<listitem>
<para>This table lets you configure the order of supported character
sets used for each supported locale. Change the settings only if the
defaults are not appropriate.</para>
<para><command>ssoadm</command> attribute:
<literal>sun-identity-g11n-settings-locale-charset-mapping</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Charsets Aliases</term>
<listitem>
<para>Use this list to map between different character set names used in
Java and in MIME.</para>
<para><command>ssoadm</command> attribute:
<literal>sun-identity-g11n-settings-charset-alias-mapping</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Auto Generated Common Name Format</term>
<listitem>
<para>Use this list to configure how OpenAM formats names shown in the
console banner.</para>
<para><command>ssoadm</command> attribute:
<literal>sun-identity-g11n-settings-common-name-format</literal></para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="system-configuration">
<title>System Configuration</title>
<indexterm>
<primary>Configuration</primary>
<secondary>System</secondary>
</indexterm>
<para>Under Configuration > System, you can change OpenAM settings for
server logging, monitoring, service URL naming, locale, cookie domain, and
how OpenAM detects specific clients.</para>
<variablelist xml:id="system-client-detection">
<title>Client Detection</title>
<para>OpenAM can detect client user agents by their HTTP requests.</para>
<para><command>ssoadm</command> service name:
<literal>iPlanetAMClientDetection</literal></para>
<varlistentry>
<term>Default Client Type</term>
<listitem>
<para>If no specific match is found for the client type, then this
type is used. The default is <literal>genericHTML</literal>, suitable
for supported browsers.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-client-detection-default-client-type</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Client Detection Class</term>
<listitem>
<para>The client detection plugin must implement the
Client type is a name that uniquely identifies the client to OpenAM.
The plugin scans HTTP requests to determine the client type.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-client-detection-class</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Enable Client Detection</term>
<listitem>
<para>If this is enabled, then OpenAM needs an appropriate client
detection class implementation, and the authentication user interface
must be appropriate for the clients detected.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-client-detection-enabled</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="system-logging">
<title>Logging</title>
<para>You configure global OpenAM logging settings on this page.</para>
<para><command>ssoadm</command> service name:
<literal>iPlanetAMLoggingService</literal></para>
<varlistentry>
<term>Maximum Log Size</term>
<listitem>
<para>Sets the maximum log file size in bytes.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-max-file-size</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Number of History Files</term>
<listitem>
<para>Sets the number of history files for each log that OpenAM keeps,
including time-based histories. The previously live file is moved to
be included in the history count, and a new log is created to serve as
the live log file. Any log file in the history count that goes over
the number specified here will be deleted. For time-based logs, a new
set of logs will be created when OpenAM is started because of the time-based
file names that are used.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-num-hist-file</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Logfile Rotation Prefix</term>
<listitem>
<para>Set this if you want to add a prefix to log files governed by
time-based log rotation.</para>
<para><command>ssoadm</command> attribute:
<literal>openam-logging-file-prefix</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Logfile Rotation Suffix</term>
<listitem>
<para>Changing this if you want to change the suffix for log files
governed by time-based log rotation. You can use
<literal>SimpleDateFormat</literal> patterns. The default is
<para><command>ssoadm</command> attribute:
<literal>openam-logging-file-suffix</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Log File Location</term>
<listitem>
<para>This property is interpreted to determine the location of log
files, taking either a file system location or a JDBC URL. The default is
<literal>%BASE_DIR%/%SERVER_URI%/log/</literal>.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-location</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Log Status</term>
<listitem>
<para>Set this to <literal>INACTIVE</literal> to disable the logging
system.</para>
<para><command>ssoadm</command> attribute:
<literal>logstatus</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Log Record Resolve Host Name</term>
<listitem>
<para>Enable this to have OpenAM perform a DNS host lookup to populate the
host name field for log records. OpenAM requires DNS on the host where it
runs. Enabling this feature increases the load on the logging
system.</para>
<para><command>ssoadm</command> attribute:
<literal>resolveHostName</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Logging Type</term>
<listitem>
<para>Set this to <literal>DB</literal> to log to a database. Default:
<literal>File</literal>. If you choose <literal>DB</literal> then be
sure to set the connection attributes correctly, including the JDBC
driver to use.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-type</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Database User Name</term>
<listitem>
<para>When logging to a database, set this to the user name used to
connect to the database. If this attribute is incorrectly set, OpenAM
performance suffers.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-db-user</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Database User Password</term>
<listitem>
<para>When logging to a database, set this to the password used to connect
to the database. If this attribute is incorrectly set, OpenAM performance
suffers.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-db-password</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Database Driver Name</term>
<listitem>
<para>When logging to a database, set this to the class name of the JDBC
driver used to connect to the database. The default is for Oracle. OpenAM
also works with the MySQL database driver.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-db-driver</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Configurable Log Fields</term>
<listitem>
<para>Select the fields OpenAM includes in log messages using this
attribute. By default all fields are included in log messages.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-logfields</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Log Verification Frequency</term>
<listitem>
<para>When secure logging is enabled, set this to how often OpenAM
verifies log file content (in seconds).</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-verify-period-in-seconds</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Log Signature Time</term>
<listitem>
<para>When secure logging is enabled, set this to how often OpenAM signs
log file content (in seconds).</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-signature-period-in-seconds</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Secure Logging</term>
<listitem>
<para>Set this to <literal>ON</literal> to enable the secure logging
system whereby OpenAM digitally signs and verifies log files. You must
also set up the Logging Certificate Store for this feature to
function.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-security-status</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Secure Logging Signing Algorithm</term>
<listitem>
<para>Set this to the algorithm used for digitally signing log
records.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-secure-signing-algorithm</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Logging Certificate Store Location</term>
<listitem>
<para>The secure logging system uses the certificate with alias
<literal>Logger</literal> that it finds in the key store specified by
this path. The default is
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-secure-certificate-store</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Maximum Number of Records</term>
<listitem>
<para>Set this to the maximum number of records read from the logs
through the Logging API.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-max-records</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Number of Files per Archive</term>
<listitem>
<para>Set this to the number of files to be archived by the secure logging
system.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-files-per-keystore</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Buffer Size</term>
<listitem>
<para>The number of log messages buffered in memory before OpenAM flushes
them to the log file or the database.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-buffer-size</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>DB Failure Memory Buffer Size</term>
<listitem>
<para>Set this to the maximum number of log records to hold in memory
if the database to which records are logged is unavailable. If the value
is less than Buffer Size, that value takes precedence.</para>
<para><command>ssoadm</command> attribute:
<literal>sun-am-logging-db-max-in-mem</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Buffer Time</term>
<listitem>
<para>Set the time in seconds that OpenAM buffers log messages in memory
before flushing the buffer when Time Buffering is ON. The default is 60
seconds.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-buffer-time-in-seconds</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Time Buffering</term>
<listitem>
<para>Set this to OFF to cause OpenAM to write each log message separately
rather than the default of holding messages in a memory buffer that OpenAM
flushes periodically, as specified using the Buffer Time attribute.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-logging-time-buffering-status</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Logging Level</term>
<listitem>
<para>Set the log level for OpenAM. <literal>OFF</literal> is equivalent
to setting the status to <literal>INACTIVE</literal>.</para>
<para><command>ssoadm</command> attribute:
<literal>sun-am-log-level</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="system-monitoring">
<title>Monitoring</title>
<para>You enable OpenAM monitoring by using these attributes.</para>
<para><command>ssoadm</command> service name:
<literal>iPlanetAMMonitoringService</literal></para>
<varlistentry>
<term>Monitoring Status</term>
<listitem>
<para>Enable monitoring using this attribute.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-monitoring-enabled</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Monitoring HTTP Port</term>
<listitem>
<para>Set the port number for the HTML monitoring interface.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-monitoring-http-port</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Monitoring HTTP interface status</term>
<listitem>
<para>Enable the HTML monitoring interface using this attribute.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-monitoring-http-enabled</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Monitoring HTTP interface authentication file path</term>
<listitem>
<para>Set this to path to indicate the file indicating the user name
and password used to protect access to monitoring information. The
default user name password combination is <literal>demo</literal> and
<literal>changeit</literal>. You can encode a new password using the
<link xlink:href="reference#ampassword-1"
>ampassword</command></link>command.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-monitoring-authfile-path</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Monitoring RMI Port</term>
<listitem>
<para>Set the port number for the JMX monitoring interface.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-monitoring-rmi-port</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Monitoring RMI interface status</term>
<listitem>
<para>Enable the JMX monitoring interface using this attribute.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-monitoring-rmi-enabled</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Monitoring SNMP Port</term>
<listitem>
<para>Set the port number for the SNMP monitoring interface.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-monitoring-snmp-port</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Monitoring SNMP interface status</term>
<listitem>
<para>Enable the SNMP monitoring interface using this attribute.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-monitoring-snmp-enabled</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="system-platform">
<title>Naming</title>
<para>You can configure URLs for service endpoints.</para>
<para><command>ssoadm</command> service name:
<literal>iPlanetAMNamingService</literal></para>
<varlistentry>
<term>Profile Service URL</term>
<listitem>
<para>Set the endpoint used by the profile service.</para>
<para>This attribute is deprecated.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-naming-profile-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Session Service URL</term>
<listitem>
<para>Set the endpoint used by the session service.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-naming-session-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Logging Service URL</term>
<listitem>
<para>Set the endpoint used by the logging service.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-naming-logging-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Policy Service URL</term>
<listitem>
<para>Set the endpoint used by the policy service.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-naming-policy-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Authentication Service URL</term>
<listitem>
<para>Set the endpoint used by the authentication service.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-naming-auth-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set the SAML v1 endpoint.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-naming-samlawareservlet-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>SAML SOAP Service URL</term>
<listitem>
<para>Set the endpoint used by the SAML v1 SOAP service.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-naming-samlsoapreceiver-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set the SAML v1 Web Profile endpoint.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-naming-samlpostservlet-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>SAML Assertion Manager Service URL</term>
<listitem>
<para>Set the endpoint used by the SAML v1 assertion service.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-naming-samlassertionmanager-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Federation Assertion Manager Service URL</term>
<listitem>
<para>Set the endpoint used by the ID-FF assertion manager service.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-naming-fsassertionmanager-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Security Token Manager URL</term>
<listitem>
<para>Set the STS endpoint.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-naming-securitytokenmanager-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>JAXRPC Endpoint URL</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-naming-jaxrpc-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Identity Web Services Endpoint URL</term>
<listitem>
<para>Set the endpoint for Identity WSDL services.</para>
<para><command>ssoadm</command> attribute:
<literal>sun-naming-idsvcs-jaxws-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Identity REST Services Endpoint URL</term>
<listitem>
<para>Set the endpoint used for Identity REST services.</para>
<para><command>ssoadm</command> attribute:
<literal>sun-naming-idsvcs-rest-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Security Token Service Endpoint URL</term>
<listitem>
<para>Set the STS endpoint.</para>
<para><command>ssoadm</command> attribute:
<literal>sun-naming-sts-url</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Security Token Service MEX Endpoint URL</term>
<listitem>
<para>Set the STS MEX endpoint.</para>
<para><command>ssoadm</command> attribute:
<literal>sun-naming-sts-mex-url</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="system-platform-attrs">
<title>Platform</title>
<para>You can configure the default locale and list of cookie domains.</para>
<para><command>ssoadm</command> service name:
<literal>iPlanetAMPlatformService</literal></para>
<varlistentry>
<term>Platform Locale</term>
<listitem>
<para>Set the fallback locale used when the user locale cannot be
determined.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-platform-locale</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Cookie Domains</term>
<listitem>
<para>Set the list of domains into which OpenAM writes cookies. If you
set multiple cookie domains, OpenAM still only sets the cookie in the
domain the client uses to access OpenAM. You can also configure cross
domain single sign on (CDSSO) to allow single sign on across multiple
domains managed by your organization. See the <citetitle>Administration
Guide</citetitle> chapter on <link xlink:href="admin-guide#chap-cdsso"
Cross-Domain Single Sign On</citetitle></link> for details.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-platform-cookie-domains</literal></para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="global-configuration">
<title>Global Configuration</title>
<indexterm>
<primary>Configuration</primary>
<secondary>Global</secondary>
</indexterm>
<para>Under Configuration > Global you can set defaults for a range of
federation services, for password reset, for policy configuration, for
session management, and for dynamic user attributes.</para>
<variablelist xml:id="common-federation-configuration">
<title>Common Federation Configuration</title>
<para><command>ssoadm</command> service name:
<literal>sunFAMFederationCommon</literal></para>
<varlistentry>
<term>Datastore SPI implementation class</term>
<listitem>
<para>Used by the Federation system to access user profile
attributes</para>
<para><command>ssoadm</command> attribute:
<literal>DatastoreClass</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>ConfigurationInstance SPI implementation class</term>
<listitem>
<para>Used by the Federation system to access service configuration</para>
<para><command>ssoadm</command> attribute:
<literal>ConfigurationClass</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Logger SPI implementation class</term>
<listitem>
<para>Used by the Federation system to record log messages</para>
<para><command>ssoadm</command> attribute:
<literal>LoggerClass</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>SessionProvider SPI implementation class</term>
<listitem>
<para>Used by the Federation system to access the session service</para>
<para><command>ssoadm</command> attribute:
<literal>SessionProviderClass</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Maximum allowed content length</term>
<listitem>
<para>Maximum number of bytes for Federation communications</para>
<para><command>ssoadm</command> attribute:
<literal>MaxContentLength</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>PasswordDecoder SPI implementation class</term>
<listitem>
<para>Used by the Federation system to decode passwords encoded by
OpenAM</para>
<para><command>ssoadm</command> attribute:
<literal>PasswordDecoderClass</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>SignatureProvider SPI implementation class</term>
<listitem>
<para>Used by the Federation system digitally to sign SAML documents</para>
<para><command>ssoadm</command> attribute:
<literal>SignatureProviderClass</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>KeyProvider SPI implementation class</term>
<listitem>
<para>Used by the Federation system to access the Java key store</para>
<para><command>ssoadm</command> attribute:
<literal>KeyProviderClass</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Check presence of certificates</term>
<listitem>
<para>If enabled, OpenAM checks that the partner's signing certificate
presented in the XML matches the certificate from the partner's
metadata</para>
<para><command>ssoadm</command> attribute:
<literal>CheckCert</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>XML canonicalization algorithm</term>
<listitem>
<para>Algorithm used to render the canonical versions of XML
documents</para>
<para><command>ssoadm</command> attribute:
<literal>CannonicalizationAlgorithm</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>XML signature algorithm</term>
<listitem>
<para>Algorithm used to sign XML documents</para>
<para><command>ssoadm</command> attribute:
<literal>SignatureAlgorithm</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>XML transformation algorithm</term>
<listitem>
<para>Algorithm used for XML transformations</para>
<para><command>ssoadm</command> attribute:
<literal>TransformationAlgorithm</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>SAML Error Page URL</term>
<listitem>
<para>OpenAM redirects users here when an error occurs in the SAML2
engine. Users are redirected to absolute URLs, whereas releative URLs
are displayed within the request.</para>
<para><command>ssoadm</command> attribute:
<literal>SAMLErrorPageURL</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>SAML Error Page HTTP Binding</term>
<listitem>
<para>Set this either to <literal>HTTP-Redirect</literal> or to
<literal>HTTP-POST</literal>.</para>
<para><command>ssoadm</command> attribute:
<literal>SAMLErrorPageHTTPBinding</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Monitoring Agent Provider Class</term>
<listitem>
<para>Used by the Federation system to access the monitoring system</para>
<para><command>ssoadm</command> attribute:
<literal>MonAgentClass</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Monitoring Provider Class for SAML1</term>
<listitem>
<para>Used by the SAMLv1 engine to access the monitoring system</para>
<para><command>ssoadm</command> attribute:
<literal>MonSAML1Class</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Monitoring Provider Class for SAML2</term>
<listitem>
<para>Used by the SAML2 engine to access the monitoring system</para>
<para><command>ssoadm</command> attribute:
<literal>MonSAML2Class</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Monitoring Provider Class for ID-FF</term>
<listitem>
<para>Used by the ID-FF engine to access the monitoring system</para>
<para><command>ssoadm</command> attribute:
<literal>MonIDFFClass</literal></para>
</listitem>
</varlistentry>
</variablelist>
<!-- Commenting out, assuming the corresponding screen is also commented out, per OPENAM-3164
<variablelist xml:id="core-token-service-configuration">
<title>Core Token Service</title>
<para><command>ssoadm</command> service name:
<literal>sunCoreTokenConfigService</literal></para>
<varlistentry>
<term>Searchable Attribute List</term>
<listitem>
<para>List of attribute names used in token search operations</para>
<para><command>ssoadm</command> attribute:
<literal>searchableAttributes</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Token cleanup interval for token expiry</term>
<listitem>
<para>Seconds OpenAM delays cleanup after token expiry</para>
<para><command>ssoadm</command> attribute:
<literal>tokenCleanupInterval</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Token types without ETag enforcement</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>tokenTypesWithoutEtagEnforcement</literal></para>
</listitem>
</varlistentry>
</variablelist>
-->
<variablelist xml:id="dashboard-configuration">
<title>Dashboard Configuration</title>
<para><command>ssoadm</command> service name:
<literal>dashboardService</literal></para>
<varlistentry>
<term>Dashboard Class Name</term>
<listitem>
<para>Identifies how to access the application, for example
<literal>SAML2ApplicationClass</literal> for a SAML 2.0 application</para>
<para><command>ssoadm</command> attribute:
<literal>dashboardClassName</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Dashboard Name</term>
<listitem>
<para>The application name as it will appear to the administrator for
configuring the dashboard</para>
<para><command>ssoadm</command> attribute:
<literal>dashboardName</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Dashboard Display Name</term>
<listitem>
<para>The application name that displays on the dashboard client</para>
<para><command>ssoadm</command> attribute:
<literal>dashboardDisplayName</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Dashboard Icon</term>
<listitem>
<para>The icon name that will be displayed on the dashboard client
identifying the application</para>
<para><command>ssoadm</command> attribute:
<literal>dashboardIcon</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Dashboard Login</term>
<listitem>
<para>The URL that takes the user to the application</para>
<para><command>ssoadm</command> attribute:
<literal>dashboardLogin</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Available Dashboard Apps</term>
<listitem>
<para>List of application dashboard names available by default for
realms with the Dashboard configured</para>
<para><command>ssoadm</command> attribute:
<literal>assignedDashboard</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="email-service-configuration">
<title>Email Service</title>
<para><command>ssoadm</command> service name:
<literal>ForgeRockSendEmailService</literal></para>
<varlistentry>
<term>Email Message Implementation Class</term>
<listitem>
<para>Specifies the class that sends email notifications, such as those
sent for user registration and forgotten passwords.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerockMailServerImplClassName</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Mail Server Host Name</term>
<listitem>
<para>Specifies the fully qualified domain name of the SMTP mail server
through which to send email notifications.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerockEmailServiceSMTPHostName</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Mail Server Host Port</term>
<listitem>
<para>Specifies the port number for the SMTP mail server.</para>
<para>Default: 465</para>
<para><command>ssoadm</command> attribute:
<literal>forgerockEmailServiceSMTPHostPort</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Mail Server Authentication Username</term>
<listitem>
<para>Specifies the user name for the SMTP mail server.</para>
<para>Default: <literal>forgerocksmtp</literal></para>
<para><command>ssoadm</command> attribute:
<literal>forgerockEmailServiceSMTPUserName</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Mail Server Authentication Password</term>
<listitem>
<para>Specifies the password for the SMTP user name.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerockEmailServiceSMTPUserPassword</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Mail Server Secure Connection</term>
<listitem>
<para>Specifies whether to connect to the SMTP mail server using SSL.</para>
<para>Default: use SSL (<literal>true</literal>)</para>
<para><command>ssoadm</command> attribute:
<literal>forgerockEmailServiceSMTPSSLEnabled</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Email From Address</term>
<listitem>
<para>Specifies the address from which to send email notifications.</para>
<para>Default: <literal>no-reply@openam.org</literal></para>
<para><command>ssoadm</command> attribute:
<literal>forgerockEmailServiceSMTPFromAddress</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Email Attribute Name</term>
<listitem>
<para>Specifies the profile attribute from which to retrieve the end user's
email address.</para>
<para>Default: <literal>mail</literal></para>
<para><command>ssoadm</command> attribute:
<literal>openamEmailAttribute</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Email Subject</term>
<listitem>
<para>Specifies a subject for notification messages. If you do not set this
OpenAM does not set the subject for notification messages.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerockEmailServiceSMTPSubject</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Email Content</term>
<listitem>
<para>Specifies content for notification messages. If you do not set this
OpenAM includes only the confirmation URL in the mail body.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerockEmailServiceSMTPMessage</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="liberty-id-ff-service-configuration">
<title>Liberty ID-FF Service Configuration</title>
<para><command>ssoadm</command> service name:
<literal>sunFAMIDFFConfiguration</literal></para>
<varlistentry>
<term>Federation Cookie Name</term>
<listitem>
<para>Cookie name for Liberty ID-FF</para>
<para><command>ssoadm</command> attribute:
<literal>FedCookieName</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>IDP Proxy Finder SPI implementation class</term>
<listitem>
<para>Used by the ID-FF engine to find the IDP proxy</para>
<para><command>ssoadm</command> attribute:
<literal>IDPProxyFinderClass</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Request cache cleanup interval</term>
<listitem>
<para>Seconds between times OpenAM cleans up the request cache</para>
<para><command>ssoadm</command> attribute:
<literal>RequestCacheCleanupInterval</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Request cache timeout</term>
<listitem>
<para>Seconds cached requests remain valid</para>
<para><command>ssoadm</command> attribute:
<literal>RequestCacheTimeout</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>IDP Login URL</term>
<listitem>
<para>Login URL for the ID-FF IDP</para>
<para><command>ssoadm</command> attribute:
<literal>IDPLoginURL</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>XML signing on</term>
<listitem>
<para>If yes, require XML signing.</para>
<para><command>ssoadm</command> attribute:
<literal>XMLSigningOn</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="liberty-interaction-service-configuration">
<title>Liberty Interaction Service</title>
<para><command>ssoadm</command> service name:
<literal>sunFAMLibertyInteractionService</literal></para>
<varlistentry>
<term>WSP to redirect user for interaction</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>WSPWillRedirect</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>WSP to redirect user for interaction for data</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>WSPWillRedirectForData</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>WSP's expected duration for interaction</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>WSPRedirectTime</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>WSP to enforce that returnToURL must be SSL</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>WSPWillEnforceHttpsCheck</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>WSP to enforce return to host be the same as request host</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>WSPWillEnforceReturnToHostEqualsRequestHost</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>HTML style sheet location</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>HTMLStyleSheetLocation</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>WML style sheet location</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>WMLStyleSheetLocation</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>WSP interaction URL</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>WSPRedirectHandlerURL</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>WSP interaction URL if behind load balancer</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>LBWSPRedirectHandler</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>List of interaction URLs of WSP cluster (site) behind the load
balancer</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>TrustedWspRedirectHandlers</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Interaction Configuration Class</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>InteractionConfigClass</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Options for WSC to participate in interaction</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>WSCSpecifiedInteractionChoice</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>WSC to include userInteractionHeader</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>WSCWillIncludeUserInteractionHeader</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>WSC to redirect user for interaction</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>WSCWillRedirect</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>WSC's expected duration for interaction</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>WSCSpecifiedMaxInteractionTime</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>WSC to enforce that redirection URL must be SSL</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>WSCWillEnforceHttpsCheck</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="multi-federation-protocol-configuration">
<title>Multi-Federation Protocol</title>
<para><command>ssoadm</command> service name:
<literal>sunMultiFederationProtocol</literal></para>
<varlistentry>
<term>Single Logout Handler List</term>
<listitem>
<para>List of logout handlers used for each different federation
protocol</para>
<para><command>ssoadm</command> attribute:
<literal>SingleLogoutHandlerList</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="oauth2-provider-configuration">
<title>OAuth2 Provider Configuration</title>
<para><command>ssoadm</command> service name:
<literal>OAuth2Provider</literal></para>
<varlistentry>
<term>Authorization Code Lifetime</term>
<listitem>
<para>Lifetime of OAuth 2.0 authorization code in seconds.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-authorization-code-lifetime</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Refresh Token Lifetime</term>
<listitem>
<para>Lifetime of OAuth 2.0 refresh token in seconds.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-refresh-token-lifetime</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Access Token Lifetime</term>
<listitem>
<para>Lifetime of OAuth 2.0 access token in seconds.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-access-token-lifetime</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Issue Refresh Tokens</term>
<listitem>
<para>Whether to issue a refresh token when returning an access
token.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-issue-refresh-token</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Issue Refresh Tokens on Refreshing Access Tokens</term>
<listitem>
<para>Whether to issue a refresh token when refreshing an access
token.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-issue-refresh-token-on-refreshing-token</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Scope Implementation Class</term>
<listitem>
<para>Name of class on OpenAM classpath implementing scopes.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-scope-implementation-class</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Response Type Plugins</term>
<listitem>
<para>List of plugins that handle the valid
<literal>response_type</literal> values. OAuth 2.0 clients pass response
types as parameters to the OAuth 2.0 Authorization end point
requested from the provider. For example, the client passes
<literal>code</literal> when requesting an authorization code, and
<literal>token</literal> when requesting an access token.</para>
<para>Values in this list take the form <literal
><replaceable>response-type</replaceable>|<replaceable
>plugin-class-name</replaceable></literal>.</para>
<para>Defaults:
<para><command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-response-type-map-class</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>User Profile Attribute(s) the Resource Owner is Authenticated On</term>
<listitem>
<para>Names of profile attributes that resource owners use to log in.
The default is <literal>uid</literal>, and you can add others such as
<literal>mail</literal>.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-authentication-attributes</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Saved Consent Attribute Name</term>
<listitem>
<para>Name of a multi-valued attribute on resource owner profiles where
OpenAM can save authorization consent decisions. When the resource owner
chooses to save the decision to authorize access for a client application,
then OpenAM updates the resource owner's profile to avoid having to
prompt the resource owner to grant authorization when the client issues
subsequent authorization requests.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-saved-consent-attribute</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>JSON Web Key URL</term>
<listitem>
<para>The URL where the OpenID Connect provider's JSON Web Key can be
retrieved.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-jkws-uri</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Subject Types supported</term>
<listitem>
<para>
List of OpenID Connect subject types supported.
Values are <literal>pairwise</literal> and <literal>public</literal>.
Pairwise is the same as confidential.
</para>
<para>
Default: <literal>public</literal>
</para>
<para><command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-subject-types-supported</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>ID Token Signing Algorithms supported</term>
<listitem>
<para>Algorithms supported to sign OpenID Connect
<literal>id_tokens</literal>.</para>
<para><command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-id-token-signing-algorithms-supported</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Supported Claims</term>
<listitem>
<para>List of claims supported by the OpenID Connect
<para><command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-supported-claims</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>OpenID Connect JWT Token Lifetime (seconds)</term>
<listitem>
<para>
Time in seconds that a JWT is valid.
</para>
<para>
Default: 600 (10 minutes)
</para>
<para>
<command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-jwt-token-lifetime</literal>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Alias of ID Token Signing Key</term>
<listitem>
<para>
Alias of key in OpenAM's key store that is used to sign ID Tokens.
</para>
<para>
Default: <literal>test</literal> (OpenAM test key pair,
not for use in production)
</para>
<para>
See <link xlink:show="new" xlink:href="admin-guide#change-signing-key"
>To Change the Signing Key for Federation</citetitle></link> for
instructions on changing the key pair.
</para>
<para>
<command>ssoadm</command> attribute:
<literal>forgerock-oauth2-provider-keypair-name</literal>
</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="password-reset-configuration">
<title>Password Reset</title>
<varlistentry>
<term>Realm Attributes</term>
<listitem>
<para>See the <citetitle>Administration Guide</citetitle> chapter on
<link xlink:href="admin-guide#chap-pwd-reset"
Password Reset</citetitle></link> for details.</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="policy-configuration">
<title>Policy Configuration</title>
<para>You can change global policy configuration, and the defaults per
realm.</para>
<para><command>ssoadm</command> service name:
<literal>iPlanetAMPolicyConfigService</literal></para>
<varlistentry>
<term>Resource Comparator</term>
<listitem>
<para>OpenAM uses resource comparators to match resources specified in
policy rules. When setting comparators on the command line, separate
fields with <literal>|</literal> characters.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-resource-comparator</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Continue Evaluation on Deny Decision</term>
<listitem>
<para>If no, then OpenAM stops evaluating policy as soon as it reaches a
deny decision.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-continue-evaluation-on-deny-decision</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Advices Handleable by OpenAM</term>
<listitem>
<para>Lists advice names for which policy agents redirect users to
OpenAM for further authentication and authorization</para>
<para><command>ssoadm</command> attribute:
<literal>sun-am-policy-config-advices-handleable-by-am</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Realm Alias Referrals</term>
<listitem>
<para>If yes, then OpenAM allows creation of policies for HTTP and HTTPS
resources whose FQDN matches the DNS alias for the realm even when no
referral policy exists.</para>
<para><command>ssoadm</command> attribute:
<literal>sun-am-policy-config-org-alias-mapped-resources-enabled</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Primary LDAP Server</term>
<listitem>
<para>Configuration directory server host:port that OpenAM searches for
policy information</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-server</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Base DN</term>
<listitem>
<para>Base DN for policy searches</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-base-dn</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Users Base DN</term>
<listitem>
<para>Base DN for LDAP Users subject searches</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-users-base-dn</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>OpenAM Roles Base DN</term>
<listitem>
<para>Base DN for OpenAM Roles searches</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-is-roles-base-dn</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Bind DN</term>
<listitem>
<para>Bind DN to connect to the directory server for policy
information</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-bind-dn</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Bind Password</term>
<listitem>
<para>Bind password to connect to the directory server for policy
information</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-bind-password</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Organization Search Filter</term>
<listitem>
<para>Search filter to match organization entries</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-organizations-search-filter</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Organization Search Scope</term>
<listitem>
<para>Search scope to find organization entries</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-organizations-search-scope</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Groups Search Filter</term>
<listitem>
<para>Search filter to match group entries</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-groups-search-filter</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Groups Search Scope</term>
<listitem>
<para>Search scope to find group entries</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-groups-search-scope</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Users Search Filter</term>
<listitem>
<para>Search filter to match user entries</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-users-search-filter</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Users Search Scope</term>
<listitem>
<para>Search scope to find user entries</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-users-search-scope</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Roles Search Filter</term>
<listitem>
<para>Search filter to match nsRole definition entries</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-roles-search-filter</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Roles Search Scope</term>
<listitem>
<para>Search scope to find nsRole definition entries</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-roles-search-scope</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>OpenAM Roles Search Scope</term>
<listitem>
<para>Search scope to find OpenAM roles entries</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-is-roles-search-scope</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Organization Search Attribute</term>
<listitem>
<para>Naming attribute for organization entries</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-organizations-search-attribute</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Groups Search Attribute</term>
<listitem>
<para>Naming attribute for group entries</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-groups-search-attribute</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Users Search Attribute</term>
<listitem>
<para>Naming attribute for user entries</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-users-search-attribute</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Roles Search Attribute</term>
<listitem>
<para>Naming attribute for nsRole definition entries</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-roles-search-attribute</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Maximum Results Returned from Search</term>
<listitem>
<para>Search limit for LDAP searches</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-search-limit</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Search Timeout</term>
<listitem>
<para>Seconds after which OpenAM returns an error for an incomplete
search</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-search-timeout</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>If enabled, OpenAM connects securely to the directory server. This
requires that you install the directory server certificate.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-ldap-ssl-enabled</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Connection Pool Minimum Size</term>
<listitem>
<para>Minimum number of connections in the pool</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-connection_pool_min_size</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>LDAP Connection Pool Maximum Size</term>
<listitem>
<para>Maximum number of connections in the pool</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-connection_pool_max_size</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Selected Policy Subjects</term>
<listitem>
<para>Lists subjects available for policy definition in realms</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-selected-subjects</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Selected Policy Conditions</term>
<listitem>
<para>Lists conditions available for policy definition in realms</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-selected-conditions</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Selected Policy Referrals</term>
<listitem>
<para>Lists referral types available for policy definition in realms</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-selected-referrals</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Subjects Result Time to Live</term>
<listitem>
<para>Maximum minutes OpenAM caches a subject result for evaluating
policy requests. A value of 0 prevents OpenAM from caching subject
evaluations for policy decisions.</para>
<para>Default: 10</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-subjects-result-ttl</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>User Alias</term>
<listitem>
<para>If enabled, OpenAM can evaluate policy for remote users aliased
to local users.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-policy-config-user-alias-enabled</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Selected Response Providers</term>
<listitem>
<para>Lists available response providers available for policy
definition</para>
<para><command>ssoadm</command> attribute:
<literal>sun-am-policy-selected-responseproviders</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Selected Dynamic Response Attributes</term>
<listitem>
<para>Lists dynamic response attributes available for policy
definition</para>
<para><command>ssoadm</command> attribute:
<literal>sun-am-policy-dynamic-response-attributes</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="rest-security-configuration">
<title>REST Security</title>
<para><command>ssoadm</command> service name:
<literal>RestSecurity</literal></para>
<para>The order of options that appear in the console may vary depending on whether you are running from
a new installation or an upgrade of OpenAM.</para>
<!-- May be affected by OPENAM-3027, where, in an upgrade situation,
the Forgot Password Token LifeTime (seconds) label has
been incorrectly replaced with another instance of Forgot Password for Users -->
<varlistentry>
<term>Self-Registration for Users</term>
<listitem>
<para>If enabled, new users can sign up using a REST API client.</para>
<para>Default: not enabled</para>
<para><command>ssoadm</command> attribute:
<literal>forgerockRESTSecuritySelfRegistrationEnabled</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Self-Registration Token LifeTime (seconds)</term>
<listitem>
<para>Maximum life time for the token allowing user self-registration using
the REST API.</para>
<para>Default: 900 (seconds)</para>
<para><command>ssoadm</command> attribute:
<literal>forgerockRESTSecuritySelfRegTokenTTL</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Self-Registration Confirmation Email URL</term>
<listitem>
<para>
This page handles the HTTP GET request
when the user clicks the link sent by email in the confirmation request.
</para>
<para>
Default:
where <replaceable>deployment-base-url</replaceable> is something like
</para>
<para><command>ssoadm</command> attribute:
<literal>forgerockRESTSecuritySelfRegConfirmationUrl</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Forgot Password for Users</term>
<listitem>
<para>If enabled, users can assign themselves a new password using a REST API client.</para>
<para>Default: not enabled</para>
<para><command>ssoadm</command> attribute:
<literal>forgerockRESTSecurityForgotPasswordEnabled</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Forgot Password Token LifeTime (seconds)</term>
<listitem>
<para>Maximum life time for the token allowing user to process a forgotten
password using the REST API.</para>
<para>Default: 900 (seconds)</para>
<para><command>ssoadm</command> attribute:
<literal>forgerockRestSecurityForgotPassTokenTTL</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Forgot Password Confirmation Email URL</term>
<listitem>
<para>
This page handles the HTTP GET request
when the user clicks the link sent by email in the confirmation request.
</para>
<para>
Default:
where <replaceable>deployment-base-url</replaceable> is something like
</para>
<para><command>ssoadm</command> attribute:
<literal>forgerockRESTSecurityForgotPassConfirmationUrl</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="saml2-service-configuration">
<title>SAMLv2 Service Configuration</title>
<para><command>ssoadm</command> service name:
<literal>sunFAMSAML2Configuration</literal></para>
<varlistentry>
<term>Cache cleanup interval</term>
<listitem>
<para>Seconds between cache cleanup operations</para>
<para><command>ssoadm</command> attribute:
<literal>CacheCleanupInterval</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Attribute name for Name ID information</term>
<listitem>
<para>User entry attribute to store name identifier information</para>
<para><command>ssoadm</command> attribute:
<literal>NameIDInfoAttribute</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Attribute name for NAME ID information key</term>
<listitem>
<para>User entry attribute to store the name identifier key</para>
<para><command>ssoadm</command> attribute:
<literal>NameIDInfoKeyAttribute</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Cookie domain for IDP Discovery Service</term>
<listitem>
<para>Specifies the cookie domain for the IDP discovery service</para>
<para><command>ssoadm</command> attribute:
<literal>IDPDiscoveryCookieDomain</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Cookie type for IDP Discovery Service</term>
<listitem>
<para>Indicates whether to use PERSISTENT or SESSION cookies</para>
<para><command>ssoadm</command> attribute:
<literal>IDPDiscoveryCookieType</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>URL scheme for IDP Discovery Service</term>
<listitem>
<para>Indicates whether to use HTTP or HTTPS</para>
<para><command>ssoadm</command> attribute:
<literal>IDPDiscoveryURLScheme</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>XML Encryption SPI implementation class</term>
<listitem>
<para>Used by the SAML2 engine to encrypt and decrypt documents</para>
<para><command>ssoadm</command> attribute:
<literal>XMLEncryptionClass</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Include xenc:EncryptedKey Inside ds:KeyInfo Element</term>
<listitem>
<para><command>ssoadm</command> attribute:
<literal>EncryptedKeyInKeyInfo</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>XML Signing SPI implementation class</term>
<listitem>
<para>Used by the SAML2 engine to sign documents</para>
<para><command>ssoadm</command> attribute:
<literal>XMLSigningClass</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>XML Signing Certificate Validation</term>
<listitem>
<para>If enabled, then validate certificates used to sign documents.</para>
<para><command>ssoadm</command> attribute:
<literal>SigningCertValidation</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>CA Certificate Validation</term>
<listitem>
<para>If enabled, then validate CA certificates.</para>
<para><command>ssoadm</command> attribute:
<literal>CACertValidation</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Enable SAMLv2 failover</term>
<listitem>
<para>If enabled, the OpenAM can failover requests to another
instance.</para>
<para><command>ssoadm</command> attribute:
<literal>failOverEnabled</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Buffer length to decompress request</term>
<listitem>
<para>The size is specified in bytes.</para>
<para><command>ssoadm</command> attribute:
<literal>bufferLength</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="saml2-soap-configuration">
<title>SAMLv2 SOAP Binding</title>
<para><command>ssoadm</command> service name:
<literal>sunfmSAML2SOAPBindingService</literal></para>
<varlistentry>
<term>Request Handler List</term>
<listitem>
<para>List of handlers to deal with SAML2 requests bound to SOAP. The
key for a request handler is the meta alias, whereas the class indicates
the name of the class that implements the handler.</para>
<para><command>ssoadm</command> attribute:
<literal>sunSAML2RequestHandlerList</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="sts-configuration">
<title>Security Token Service</title>
<para><command>ssoadm</command> service name:
<literal>sunFAMSTSService</literal></para>
<varlistentry>
<term>Issuer</term>
<listitem>
<para>Specifies the name of the security token service</para>
<para><command>ssoadm</command> attribute:
<literal>stsIssuer</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>End Point</term>
<listitem>
<para>Specifies the STS service endpoint</para>
<para><command>ssoadm</command> attribute:
<literal>stsEndPoint</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Lifetime for Security Token</term>
<listitem>
<para>Milliseconds the security token remains valid</para>
<para><command>ssoadm</command> attribute:
<literal>stsLifetime</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Certificate Alias Name</term>
<listitem>
<para>Specifies the alias for the signing certificate</para>
<para><command>ssoadm</command> attribute:
<literal>stsCertAlias</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>STS End User Token Plugin class</term>
<listitem>
<para>Specifies the class that converts end user tokens</para>
<para><command>ssoadm</command> attribute:
</listitem>
</varlistentry>
<varlistentry>
<term>Security Mechanism</term>
<listitem>
<para>Lists credentials used to secure the token, and credentials OpenAM
accepts in the incoming request</para>
<para><command>ssoadm</command> attribute:
<literal>SecurityMech</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Authentication Chain</term>
<listitem>
<para>Specifies the authentication chain OpenAM applies for incoming
requests for authenticated security tokens</para>
<para><command>ssoadm</command> attribute:
<literal>AuthenticationChain</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>User Credential</term>
<listitem>
<para>User name and password shared secrets to validate UserName tokens
in incoming requests</para>
<para><command>ssoadm</command> attribute:
<literal>UserCredential</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Detect Message Replay</term>
<listitem>
<para>If yes, then OpenAM checks for and rejects replayed messages.</para>
<para><command>ssoadm</command> attribute:
<literal>DetectMessageReplay</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Detect User Token Replay</term>
<listitem>
<para>If yes, then OpenAM checks for and rejects replayed user
tokens.</para>
<para><command>ssoadm</command> attribute:
<literal>DetectUserTokenReplay</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Is Request Signature Verified</term>
<listitem>
<para>If yes, then OpenAM verifies signatures on incoming requests.</para>
<para><command>ssoadm</command> attribute:
<literal>isRequestSign</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Is Response Signed Enabled</term>
<listitem>
<para>If yes, then OpenAM signs the selected parts of the response.</para>
<para><command>ssoadm</command> attribute:
<literal>isResponseSign</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Signing Reference Type</term>
<listitem>
<para>Specifies the reference type used to sign the response. One of
<literal>DirectReference</literal>, <literal>KeyIdentifierRef</literal>,
or <literal>X509IssuerSerialRef</literal>.</para>
<para><command>ssoadm</command> attribute:
<literal>SigningRefType</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Is Request Decrypted</term>
<listitem>
<para>If yes, then OpenAM decrypts the selected parts of the
request.</para>
<para><command>ssoadm</command> attribute:
<literal>isRequestEncrypt</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Is Response Encrypted</term>
<listitem>
<para>If yes, then OpenAM encrypts responses.</para>
<para><command>ssoadm</command> attribute:
<literal>isResponseEncrypt</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Encryption Algorithm</term>
<listitem>
<para>Specifies the algorithm used to encrypt responses</para>
<para><command>ssoadm</command> attribute:
<literal>EncryptionAlgorithm</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Private Key Alias</term>
<listitem>
<para>Alias for the private key used to sign responses and decrypt
requests</para>
<para><command>ssoadm</command> attribute:
<literal>privateKeyAlias</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Private Key Type</term>
<listitem>
<para>Type of private key. One of <literal>publicKey</literal>,
<literal>symmetricKey</literal>, or <literal>noProofKey</literal>.</para>
<para><command>ssoadm</command> attribute:
<literal>privateKeyType</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Public Key Alias of Web Service Client</term>
<listitem>
<para>Alias for the certificate used to verify request signatures and
encrypt responses</para>
<para><command>ssoadm</command> attribute:
<literal>publicKeyAlias</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Kerberos Domain Server</term>
<listitem>
<para>Specifies the FQDN of the KDC</para>
<para><command>ssoadm</command> attribute:
<literal>KerberosDomainServer</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Kerberos Domain</term>
<listitem>
<para>Specifies the domain name of the KDC</para>
<para><command>ssoadm</command> attribute:
<literal>KerberosDomain</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Kerberos Service Principal</term>
<listitem>
<para>Specifies the Kerberos principal who owns the generated token.
Use the format <literal>HTTP/<replaceable
>host</replaceable>.<replaceable
>domain</replaceable>@<replaceable
>kdc-domain</replaceable></literal>.</para>
<para><command>ssoadm</command> attribute:
<literal>KerberosServicePrincipal</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Kerberos Key Tab File</term>
<listitem>
<para>Specifies the key tab file used to issue the token</para>
<para><command>ssoadm</command> attribute:
<literal>KerberosKeyTabFile</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Is Verify Kerberos Signature</term>
<listitem>
<para>If yes, then OpenAM requires signed Kerberos tokens.</para>
<para><command>ssoadm</command> attribute:
<literal>isVerifyKrbSignature</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>SAML Attribute Mapping</term>
<listitem>
<para>Lists attribute mappings for generated assertions</para>
<para>This attribute applies when OpenAM acts as a WSP, receiving a
SAML token or assertion generated by another STS.</para>
<para><command>ssoadm</command> attribute:
<literal>SAMLAttributeMapping</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>NameID Mapper</term>
<listitem>
<para>Specifies the NameID mapper for generated assertions</para>
<para>This attribute applies when OpenAM acts as a WSP, receiving a
SAML token or assertion generated by another STS.</para>
<para><command>ssoadm</command> attribute:
<literal>NameIDMapper</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Should Include Memberships</term>
<listitem>
<para>If yes, then OpenAM requires generated assertions include user
memberships.</para>
<para>This attribute applies when OpenAM acts as a WSP, receiving a
SAML token or assertion generated by another STS.</para>
<para><command>ssoadm</command> attribute:
<literal>includeMemberships</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Attribute Namespace</term>
<listitem>
<para>Specifies the namespace for generated assertions</para>
<para>This attribute applies when OpenAM acts as a WSP, receiving a
SAML token or assertion generated by another STS.</para>
<para><command>ssoadm</command> attribute:
<literal>AttributeNamespace</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Trusted Issuers</term>
<listitem>
<para>Lists issuers OpenAM can trust to send security tokens</para>
<para><command>ssoadm</command> attribute:
<literal>trustedIssuers</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Trusted IP Addresses</term>
<listitem>
<para>Lists issuer IP address that OpenAM can trust to send security
tokens</para>
<para><command>ssoadm</command> attribute:
<literal>trustedIPAddresses</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="session-configuration-attributes">
<title>Session</title>
<para><command>ssoadm</command> service name:
<literal>iPlanetAMSessionService</literal></para>
<varlistentry>
<term>Secondary Configuration Instance</term>
<listitem>
<para>When session failover is configured, you can set up additional
configurations for connecting to the session repository here.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Maximum Number of Search Results</term>
<listitem>
<para>Maximum number of results from a session search</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-session-max-session-list-size</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Timeout for Search</term>
<listitem>
<para>Seconds after which OpenAM sees an incomplete search as having
failed</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-session-session-list-retrieval-timeout</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Enable Property Change Notifications</term>
<listitem>
<para>If on, then OpenAM notifies other applications participating in
SSO when a session property in the Notification Properties list
changes.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-session-property-change-notification</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Enable Quota Constraints</term>
<listitem>
<para>If on, then OpenAM allows you to set constraints on user
sessions.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-session-enable-session-constraint</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Read Timeout for Quota Constraint</term>
<listitem>
<para>Milliseconds after which OpenAM considers a search for live session
count as having failed if quota constraints are enabled</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-session-constraint-max-wait-time</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Resulting behavior if session quota exhausted</term>
<listitem>
<para>You can either set the next expiring session to be destroyed,
<literal>DESTROY_NEXT_EXPIRING</literal>, the oldest session to
be destroyed, <literal>DESTROY_OLDEST_SESSION</literal>, all previous
sessions to be destroyed, <literal>DESTROY_OLD_SESSIONS</literal>, or deny
the new session creation request, <literal>DENY_ACCESS</literal>.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-session-constraint-resulting-behavior</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Deny user login when session repository is down</term>
<listitem>
<para>This attribute takes effect when quota constraints are
enabled.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-session-deny-login-if-db-is-down</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Notification Properties</term>
<listitem>
<para>Lists session properties for which OpenAM can send notifications
upon modification</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-session-notification-property-list</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>DN Restriction Only Enabled</term>
<listitem>
<para>If enabled, OpenAM does not perform DNS lookups when checking
restrictions in cookie hijacking mode.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-session-dnrestrictiononly</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Enable Session Trimming</term>
<listitem>
<para>If yes, then OpenAM stores only a limited set of session properties
after session timeout and before session purging.</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-session-enable-session-trimming</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Session Timeout Handler implementations</term>
<listitem>
<para>Lists plugin classes implementing session timeout handlers</para>
<para><command>ssoadm</command> attribute:
<literal>openam-session-timeout-handler-list</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Maximum Session Time</term>
<listitem>
<para>Maximum minutes a session can remain valid before OpenAM requires
the user to authenticate again</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-session-max-session-time</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Maximum Idle Time</term>
<listitem>
<para>Maximum minutes a session can remain idle before OpenAM requires
the user to authenticate again</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-session-max-idle-time</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Maximum Caching Time</term>
<listitem>
<para>Maximum minutes before OpenAM refreshes a session that has been
cached</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-session-max-caching-time</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Active User Sessions</term>
<listitem>
<para>Maximum number of concurrent sessions OpenAM allows a user to
have</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-session-quota-limit</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="user-configuration-attributes">
<title>User</title>
<para><command>ssoadm</command> service name:
<literal>iPlanetAMUserService</literal></para>
<varlistentry>
<term>User Preferred Timezone</term>
<listitem>
<para>Time zone for accessing OpenAM console</para>
<para><command>ssoadm</command> attribute:
<literal>preferredtimezone</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Administrator DN Starting View</term>
<listitem>
<para>Specifies the DN for the initial screen when the OpenAM
administrator successfully logs in to the OpenAM console</para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-user-admin-start-dn</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<term>Default User Status</term>
<listitem>
<para>Inactive users cannot authenticate, though OpenAM stores their
profiles. Default: <literal>Active</literal></para>
<para><command>ssoadm</command> attribute:
<literal>iplanet-am-user-login-status</literal></para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="servers-and-sites-configuration">
<title>Servers and Sites Configuration</title>
<indexterm>
<primary>Configuration</primary>
<secondary>Servers and Sites</secondary>
</indexterm>
<para>Under Configuration > Servers and Sites you can manage server
defaults, configuration for OpenAM server instances, and site configurations
when using multiple OpenAM server instances.</para>
<para>To change inherited settings that appear read only for a server,
click Default Server Settings on the Servers and Sites tab page to access
and adjust the defaults, or change the Inheritance Settings for a specific
server.</para>
<para>After changing server configurations, restart OpenAM or the web
application container where OpenAM runs for the changes to take
effect.</para>
<variablelist xml:id="servers-general-configuration">
<title>Servers > General</title>
<para>The General tab lets you access the settings to inherit, set the
site for the server, and also set system, debug, and mail server
attributes.</para>
<varlistentry>
<term>Parent Site</term>
<listitem>
<para>Select the site from the list. You must first create at least one
site.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Base installation directory</term>
<listitem>
<para>OpenAM writes the configuration data and logs here.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Default Locale</term>
<listitem>
<para>The locale used when none is requested.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Notification URL</term>
<listitem>
<para>The notification service endpoint.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>XML Validation</term>
<listitem>
<para>If on, then OpenAM validates XML documents that it parses.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Debug Level</term>
<listitem>
<para>Set the log level shared across components for debug logging.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Merge Debug Files</term>
<listitem>
<para>If on, then OpenAM writes all debug log messages to a single file,
per component.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Debug Directory</term>
<listitem>
<para>File system directory where OpenAM writes debug logs.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Mail Server Host Name</term>
<listitem>
<para>SMTP host name for email sent by OpenAM.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Mail Server Port Number</term>
<listitem>
<para>SMTP port number for email sent by OpenAM.</para>
<para>property:
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="servers-security-configuration">
<title>Servers > Security</title>
<para>Most security settings are inherited by default.</para>
<varlistentry>
<term>Password Encryption Key</term>
<listitem>
<para>Encryption key for decrypting stored passwords</para>
<para>Example: <literal>TF1Aue9c63bWTTY4mmZJeFYubJbNiSE3</literal></para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Authentication Service Shared Secret</term>
<listitem>
<para>Shared secret for application authentication</para>
<para>Example: <literal>AQICQ7QMKN5TSt1fpyFZBMZ8hRwkYkkrUaFk</literal></para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Encryption class</term>
<listitem>
<para>Default class used to handle encryption</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Secure Random Factory Class</term>
<listitem>
<para>The default implementation uses pure Java, rather than JSS.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Platform Low Level Comm. Max. Content Length</term>
<listitem>
<para>Maximum content length for an HTTP request</para>
<para>Default: 16384</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Client IP Address Check</term>
<listitem>
<para>If yes, then OpenAM checks client IP addresses when creating and
validating SSO tokens.</para>
<para>Default: No</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Cookie Name</term>
<listitem>
<para>Cookie name OpenAM uses to set a session handler ID during
authentication.</para>
<para>Default: <literal>iPlanetDirectoryPro</literal></para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Secure Cookie</term>
<listitem>
<para>If yes, then OpenAM sets the cookie in secure mode such that the
browser only returns the cookie if a secure protocol such as HTTPS is
used.</para>
<para>Default: No</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Encode Cookie Value</term>
<listitem>
<para>If yes, then OpenAM URL encodes cookie values.</para>
<para>Default: No</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Keystore File</term>
<listitem>
<para>Path to OpenAM key store file</para>
directory that holds the OpenAM configuration.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Keystore Password File</term>
<listitem>
<para>Path to password file for key store</para>
<para>Default: Path to <filename>.storepass</filename>, located in the
directory that holds the OpenAM configuration.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Private Key Password File</term>
<listitem>
<para>Path to password file for OpenAM private key</para>
<para>Default: Path to <filename>.keypass</filename>, located in the
directory that holds the OpenAM configuration.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Certificate Alias</term>
<listitem>
<para>Alias for OpenAM certificate stored in key store</para>
<para>Not set by default</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>CRL: LDAP server host name</term>
<listitem>
<para>Directory server host name where the certificate revocation list
(CRL) is cached</para>
<para>Not set by default</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>CRL: LDAP server port number</term>
<listitem>
<para>Directory server port number where the certificate revocation list
is cached</para>
<para>Not set by default</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>If yes, then connect securely when accessing the CRL cache
directory server</para>
<para>Default: No</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>CRL: LDAP server bind user name</term>
<listitem>
<para>Bind DN to access CRL cache directory server</para>
<para>Not set by default</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>CRL: LDAP server bind password</term>
<listitem>
<para>Bind password to access CRL cache directory server</para>
<para>Not set by default</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>CRL: LDAP search base DN</term>
<listitem>
<para>Base DN under which to search for CRL</para>
<para>Not set by default</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>CRL: Search Attributes</term>
<listitem>
<para>DN component of issuer's subject DN used to retrieve the CRL</para>
<para>Not set by default</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>OCSP: Check Enabled</term>
<listitem>
<para>If yes, then OpenAM runs Online Certificate Status Protocol (OCSP)
checks.</para>
<para>Default: Yes</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Responder URL</term>
<listitem>
<para>URL for OCSP responder</para>
<para>Not set by default</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Certificate Nickname</term>
<listitem>
<para>Nickname for OCSP responder certificate</para>
<para>Not set by default</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>FIPS Mode</term>
<listitem>
<para>If yes, then OpenAM runs in Federal Information Processing Standards
mode.</para>
<para>Default: No</para>
<para>property:
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="servers-session-configuration">
<title>Servers > Session</title>
<para>Session settings are inherited by default.</para>
<varlistentry>
<term>Maximum Sessions</term>
<listitem>
<para>Maximum concurrent sessions OpenAM permits</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Invalidate Session Max Time</term>
<listitem>
<para>Minutes after which invalid sessions are removed from the session
table</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Sessions Purge Delay</term>
<listitem>
<para>Minutes OpenAM delays session purging</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Logging Interval</term>
<listitem>
<para>Seconds OpenAM delays between logging sessions statistics</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>State</term>
<listitem>
<para>Whether to write statistics to a <literal>file</literal>, to the
<literal>console</literal>, or to turn recording
<literal>off</literal></para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Directory</term>
<listitem>
<para>Path to statistics logs directory</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Enable Host Lookup</term>
<listitem>
<para>If yes, then OpenAM performs host lookup during session
logging.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Notification Pool Size</term>
<listitem>
<para>Number of threads in the notification pool</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Notification Thread Pool Threshold</term>
<listitem>
<para>Maximum number of tasks in the queue for serving notification
threads</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Case Insensitive client DN comparison</term>
<listitem>
<para>If yes, then OpenAM distinguished name comparison is case
insensitive.</para>
<para>property:
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="servers-sdk-configuration">
<title>Servers > SDK</title>
<para>Most SDK settings are inherited.</para>
<varlistentry>
<term>Enable Datastore Notification</term>
<listitem>
<para>If yes, then OpenAM uses datastore notification. Otherwise, OpenAM
uses in-memory notification.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Enable Directory Proxy</term>
<listitem>
<para>If yes, then OpenAM accounts for the use of a directory proxy to
access the directory server.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Notification Pool Size</term>
<listitem>
<para>Service management notification thread pool size</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Number of retries for Event Service connections</term>
<listitem>
<para>Maximum number of attempts to reestablish Event Service
connections</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Delay between Event Service connection retries</term>
<listitem>
<para>Milliseconds between attempts to reestablish Entry Service
connections</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Error codes for Event Service connection retries</term>
<listitem>
<para>LDAP error codes for which OpenAM retries rather than returning
failure</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Idle Time Out</term>
<listitem>
<para>Minutes after which OpenAM reestablishes idle persistent search
connections</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Disabled Event Service Connection</term>
<listitem>
<para>Persistent search connections OpenAM can disable</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Number of retries for LDAP Connection</term>
<listitem>
<para>Maximum number of attempts to reestablish LDAP connections</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Delay between LDAP connection retries</term>
<listitem>
<para>Milliseconds between attempts to reestablish LDAP connections</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Error Codes for LDAP connection retries</term>
<listitem>
<para>LDAP error codes for which OpenAM retries rather than returning
failure</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>SDK Caching Max. Size</term>
<listitem>
<para>Cache size used if SDK caching is enabled</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>SDK Replica Retries</term>
<listitem>
<para>Maximum number of attempts to retrieve entries returned as not
found</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Delay between SDK Replica Retries</term>
<listitem>
<para>Milliseconds between attempts to retrieve entries through the
SDK</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Cache Entry Expiration Enabled</term>
<listitem>
<para>If no, then cache entries expire based on User Entry Expiration
Time</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>User Entry Expiration Time</term>
<listitem>
<para>Minutes user entries remain valid after modification. When OpenAM
accesses a user entry that has expired, it rereads the entry from the
directory server.</para>
<para>property:
</listitem>
</varlistentry>
<varlistentry>
<term>Default Entry Expiration Time</term>
<listitem>
<para>Minutes non-user entries remain valid after modification</para>
<para>property:
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="servers-directory-configuration">
<title>Servers > Directory Configuration</title>
<para>Use this tab to change connection settings and add additional
LDAP configuration directory server instances.</para>
<varlistentry>
<term>Minimum Connection Pool</term>
<listitem>
<para>Set the minimum number of connections in the pool.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Maximum Connection Pool</term>
<listitem>
<para>Set the maximum number of connections in the pool.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Bind DN</term>
<listitem>
<para>Set the bind DN to connect to the configuration directory
servers.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Bind Password</term>
<listitem>
<para>Set the bind password to connect to the configuration directory
servers.</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="servers-cts">
<title>Servers > CTS</title>
<para>The Core Token Service (CTS) does not need to be configured in the same LDAP storage as the
external or embedded user store. The CTS can instead be configured on its own external directory server.
There are some specific requirements for indexing and replication which need to be accounted for.
In particular, WAN replication is an important consideration which needs to be handled carefully for
optimum performance.</para>
<para>You may also choose to set advanced properties related to token size, including
<literal>com.sun.identity.session.repository.enableAttributeCompression</literal>. For more information,
identify these variables in the following section: <xref linkend="servers-advanced-configuration" />.</para>
<varlistentry>
<term>Default Token Store</term>
<listitem>
<para>If selected, CTS tokens are stored in the same external or embedded datastore as is
used on an OpenAM configuration store. If you use the default token store, you can only
configure the <literal>Root Suffix</literal>. Associated with the <literal>Directory Configuration</literal>
tab associated with individual servers.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>External Token Store</term>
<listitem>
<para>If you use OpenDJ, you can separate the CTS from the configuration on different external servers.
On the external CTS server, you can also configure token schema and indexes.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Root Suffix</term>
<listitem>
<para>For either the default or external token stores, enter the base DN for CTS storage information in
LDAP format, such as <literal>dc=cts,dc=forgerock,dc=com</literal>. The <literal>Root Suffix</literal>
would be a database that can be maintained and replicated separately from tha standard user datastore.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Access the directory service using StartTLS or LDAPS.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Directory Name</term>
<listitem>
<para>The hostname of the external server.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Port</term>
<listitem>
such as 389 for LDAP.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Login Id</term>
<listitem>
<para>Specifies the user, in DN format, needed to authenticate. The user needs sufficient
privileges to read and write to the root suffix of the external datastore.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Password</term>
<listitem>
<para>Specifies the password associated with the Login Id.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Max Connections</term>
<listitem>
<para>Notes the maximum number of remote connections to the external datastore.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Heartbeat</term>
<listitem>
<para>Specifies how often OpenAM should send a heartbeat request to the directory server
to ensure that the connection does not remain idle, in seconds. Default: 10.</para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="servers-advanced-configuration">
<title>Servers > Advanced</title>
<para>Use this page to set advanced properties directly. A partial list of
advanced properties follows.</para>
<para>For a list of inherited advanced properties, see the table under the
Advanced tab for Default Server Settings.</para>
<varlistentry>
<listitem>
<para>Properly URL encode session tokens.</para>
<para>Default: <literal>true</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para><literal>iplanetDirectoryPro</literal> cookie lifetime if
persistent, in hours</para>
<para>Default: 24</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Modules for which to open daemons at OpenAM startup.</para>
<para>Default: <literal>securid</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether to connect to the configuration directory server over
LDAPS.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>OpenAM Configuration and log file location.</para>
<para>Default: <literal>~/openam/<replaceable>server-uri</replaceable></literal>,
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When using JSS, check whether the name values in the
<literal>SubjectAltName</literal> certificate match the server FQDN.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When using JSS, check that the IP address of the server resolves
to the host name.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When using JSS, comma-separated list of server FQDNs to trust if
they match the certificate CN, even if the domain name is not
correct.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When using JSS, set to <literal>true</literal> to trust whatever
certificate is presented without checking.</para>
<para>Default: <literal>true</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Used with sticky load balancers that can inspect the cookie
value.</para>
<para>Default: <literal>amlbcookie</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Used with sticky load balancers that can inspect the cookie value.
Set this property to a unique value if your load balancer requires it.
Restart OpenAM for the change to take effect.</para>
<para>Default: 01</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Persistent cookie name.</para>
<para>Default: <literal>DProPCookie</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Not used</para>
<para>Default: <replaceable>server-host</replaceable>, such as
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Not used</para>
<para>Default: <replaceable>server-port</replaceable>, such as 8080 or
8443</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Time in minutes after which a policy agent session expires.</para>
<para>Default: 0, meaning never time out. Range is 0-30 (minutes).</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether client applications such as policy agents poll for
configuration changes. If <literal>false</literal>, then OpenAM notifies
clients about changes.</para>
<para>Default: false</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>If client applications poll for changes, number of seconds between
polls.</para>
<para>Default: 180</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Time in milliseconds between health checks of other servers in the
same site.</para>
<para>Default: 1000</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Socket timeout in milliseconds for health checks of other servers in
the same site.</para>
<para>Default: 1000</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Create an <literal>HttpSession</literal> for users on successful
authentication.</para>
<para>Default: <literal>true</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>SSL socket factory implementation used by OpenAM.</para>
uses a pure Java provider</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Strings that OpenAM rejects as values in <literal>goto</literal>
query string parameters.</para>
<para>Default: <literal><,>javascript:,javascript%3a,%3c,%3e</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Replication port for embedded OpenDJ directory server.</para>
<para>Default: 8989</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether to replicate data between embedded directory servers.</para>
<para>Default: <literal>on</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether to check for cookie support in the user agent, and if not to
return an error.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether to append the session cookie to URL for a zero page
session.</para>
<para>Default: <literal>true</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Cookie used by the OpenAM authentication service to handle the
authentication process.</para>
<para>Default: <literal>AMAuthCookie</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set the name of the HTTP header that OpenAM can examine to learn the
client IP address when requests go through a proxy or load balancer. (When
requests go through an HTTP proxy or load balancer, checking the IP address
on the request alone returns the address of the proxy or load balancer
rather than that of the client.) OpenAM must be able to trust the proxy or
load balancer to set the client IP address correctly in the header
specified.</para>
<para>Example: <literal>com.sun.identity.authentication.client.ipAddressHeader=X-Forwarded-For</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether to allow users to open many browser tabs to the login page
at the same time without encountering an error.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether to allow multiple cookie domains.</para>
<para>Default: <literal>true</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>List of special users always authenticated against the local
directory server.</para>
<para>Default: <literal>cn=dsameuser,ou=DSAME Users,<?eval
${defaultRootSuffix}?>|cn=amService-UrlAccessAgent,ou=DSAME Users,<?eval
${defaultRootSuffix}?></literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>OpenAM privileged administrator user.</para>
<para>Default: <literal>uid=amAdmin,ou=People,<?eval
${defaultRootSuffix}?></literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When cookie hijacking protection is configured, name of the cookie
holding the URL to the OpenAM server that authenticated the user.</para>
<para>Default: <literal>sunIdentityServerAuthNServer</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Notification service endpoint for clients such as policy agents.</para>
<para>Default: <literal><replaceable>server-protocol</replaceable
>://<replaceable>server-host</replaceable>:<replaceable
>server-port</replaceable>/<replaceable>server-uri</replaceable
>/notificationservice</literal>, such as <literal
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Number of threads in the shared system timer pool used to schedule
operations such as session timeout.</para>
<para>Default: 3</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When set to <literal>true</literal>, mark cookies as HTTPOnly to
prevent scripts and third-party programs from accessing the cookies.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>If <literal>true</literal>, then OpenAM is using protection against
cookie hijacking.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether JSS should take priority over other providers.</para>
<para>Default: <literal>true</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether monitoring is active for OpenAM.</para>
<para>Default: <literal>off</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>URL for local connection to the monitoring service.</para>
<para>Default: <literal>service:jmx:rmi://</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Internal property used by OpenAM.</para>
<para>Default: <replaceable>server-uri</replaceable>, such as
<literal>openam</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Weights of the cost of evaluating policy subjects, rules, and
conditions. Evaluation is in order of heaviest weight to lightest weight.</para>
<para>Default: <literal>10:10:10</literal>, meaning evaluation of rules,
then conditions, then subjects</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Maximum number of policy decisions OpenAM caches.</para>
<para>Default: 10000</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enables virtual hosts, partial hostname and IP address. Maps invalid
or virtual name keys to valid FQDN values for proper redirection.</para>
<para>To map <literal>myserver</literal> to
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enables tokens to be encrypted when stored.</para>
<para>Multi-instance deployments require consistent use of this property, which should
be done under the Servers and Sites > Default Server Settings > Advanced.</para>
Servers and Sites > Server > Security > Password Encryption Key. You will need to
verify that all servers have the same setting for this property as the default
server.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether to perform an HTTP GET on
check against another server in the same site. If
<literal>false</literal>, then OpenAM only checks the Socket connection,
and does not perform an HTTP GET.</para>
<para>If each OpenAM server runs behind a reverse proxy, then setting
this property to <literal>true</literal> means the health check actually
runs against the OpenAM instance, rather than checking only the Socket
to the reverse proxy.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>URL to monitor when
<literal>true</literal>.</para>
on the remote server</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether to perform a Java security permissions check for OpenAM.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>For CTS token encryption, if desired.</para>
<para>Default: false</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>For GZip-based compression of CTS tokens, if desired.</para>
<para>Default: false</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>For additional compression of CTS token JSON binaries, beyond GZip, if desired.</para>
<para>Default: false</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When service configuration caching time-to-live is enabled, this
sets the time to live in minutes.</para>
<para>Default: 30</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>If service configuration caching is enabled, whether to enable a
time-to-live for cached configuration.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>File system directory to hold file-based representation of OpenAM
configuration.</para>
<para>Default: <literal>~/openam/<replaceable>server-uri</replaceable
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Class used to read and write OpenAM service configuration entries
in the directory.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Used to set the read timeout in milliseconds for HTTP and HTTPS
connections to other servers.</para>
<para>Default: 30000</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Allows the OpenAM ClusterStateService to work with HTTPS
endpoints.</para>
<para>Default: <literal>true</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether to cache documents for HTTP and HTTPS connections to other
servers.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Name of the web container to correctly set character encoding, if
necessary.</para>
<para>Default: <literal>WEB_CONTAINER</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Used to assigned privileged console access to particular users. Set
to a <literal>|</literal> separated list of users' Universal IDs, such as
${defaultRootSuffix}?>|uid=demo2,ou=user,<?eval
${defaultRootSuffix}?></literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Where to destroy the old session after a session is successfully
upgraded.</para>
<para>Default: <literal>true</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Cookie used by the OpenAM distributed authentication service to
handle the authentication process.</para>
<para>Default: <literal>AMDistAuthCookie</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Class that controls which session properties are copied during
session upgrade, where default is to copy all properties to the upgraded
session.</para>
<para>Default: <literal>org.forgerock.openam.authentication.service.DefaultSessionPropertyUpgrader</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>The X-DSAMEVersion http header provides detailed information about the version
the build. OpenAM will need to be restarted once this property is enabled.</para>
<para>Default: false</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether to ignore the <literal>goto</literal> query string parameter
on logout, instead displaying the logout page.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Character set used for globalization.</para>
<para>Default: <literal>UTF-8</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Comma-separated list of HTTP headers not to copy when the distributed
authentication server forwards a request to another distributed
authentication server.</para>
<para>Default: <literal>connection</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Comma-separated list of HTTP headers not to copy when the distributed
authentication server forwards a request to another distributed
authentication server.</para>
<para>Default: <literal>connection</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Comma-separated list of HTTP headers to copy to the forwarded
response when the server forwards a request to another server.</para>
<para>Requests are forwarded when the server receiving the request is
not the server that originally initiated authentication. The server that
originally initiated authentication is identified by a cookie.</para>
<para>When the distributed authentication service (DAS) is in use, then
the cookie is the <literal>AMDistAuthCookie</literal> that identifies the
DAS server by its URL.</para>
<para>When authentication is done directly on OpenAM, then the cookie is
the <literal>AMAuthCookie</literal> that holds a session ID that identifies
the OpenAM server.</para>
<para>On subsequent requests the server receiving the request checks the
cookie. If the cookie identifies another server, the current server
forwards the request to that server.</para>
<para>If a header such as <literal>Cache-Control</literal> has been
included in the list of values for the property
and the header must also be copied to the response, then add it to the
list of values for this property.</para>
<para>Default: <literal>X-DSAMEVersion</literal></para>
</listitem>
</varlistentry>
<varlistentry xml:id="openam-retained-http-request-headers">
<listitem>
<para>Comma-separated list of HTTP headers to copy to the forwarded request
when the server forwards a request to another server.</para>
<para>Requests are forwarded when the server receiving the request is
not the server that originally initiated authentication. The server that
originally initiated authentication is identified by a cookie.</para>
<para>When the distributed authentication service (DAS) is in use, then
the cookie is the <literal>AMDistAuthCookie</literal> that identifies the
DAS server by its URL.</para>
<para>When authentication is done directly on OpenAM, then the cookie is
the <literal>AMAuthCookie</literal> that holds a session ID that identifies
the OpenAM server.</para>
<para>On subsequent requests the server receiving the request checks the
cookie. If the cookie identifies another server, the current server
forwards the request to that server.</para>
<para>When configuring the distributed authentication service, or when a
reverse proxy is set up to provide the client IP address in the
<literal>X-Forwarded-For</literal> header, if your deployment includes
multiple OpenAM servers, then this property must be set to include the
header.</para>
<para>Example: <literal>openam.retained.http.request.headers=X-DSAMEVersion,X-Forwarded-For</literal></para>
<para>OpenAM copies the header when forwarding a request to the
authoritative server where the client originally began the authentication
process, so that the authoritative OpenAM server receiving the forwarded
request can determine the real client IP address.</para>
<para>In order to retain headers to return in the response to the OpenAM
server that forwarded the request, use the property
<para>Default: <literal>X-DSAMEVersion</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>If <literal>true</literal> users can extend the lifetime of the
<literal>iplanetDirectoryPro</literal> cookie to
basis, by using the query string parameter
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether universal user IDs are considered case sensitive when
matching them.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>If <literal>true</literal> extend the lifetime of the
<literal>iplanetDirectoryPro</literal> cookie to
<para>Default: false</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>This property is for use in multi-server deployments where session
failover is not available. If <literal>true</literal>, calculate session
quotas per server. In other words, if the session quota is 5 sessions and
users can access up to 4 servers, they can have a maximum of 20 (5 * 4)
sessions.</para>
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>If the web application containers sets
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Administration port for embedded OpenDJ directory server.</para>
<para>Default: 4444</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Days until account expiration set after successful authentication
by the account expiration post authentication plugin.</para>
<para>Default: 30</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Port on which SecurID daemon listens.</para>
<para>Default: 58943</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set to <literal>false</literal> to enable
<para>Default: <literal>true</literal></para>
</listitem>
</varlistentry>
</variablelist>
<variablelist xml:id="sites-configuration">
<title>Sites</title>
<para>Sites involve multiple OpenAM servers working together to provide
services. You can use sites with load balancers and session failover to
configure pools of servers capable of responding to client requests in
highly available fashion.</para>
<varlistentry>
<term>Primary URL</term>
<listitem>
<para>Set the primary entry point to the site, such as the URL to the
load balancer for the site configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Secondary URLs</term>
<listitem>
<para>Set alternate entry points to the site. Used when session failover
is configured.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Assigned Servers</term>
<listitem>
<para>Shows the list of OpenAM servers in the site.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
</chapter>