<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  !
  ! You can also obtain a copy of the license at
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  !      Portions Copyright [yyyy] [name of copyright owner]
  !
  !      Copyright 2012-2014 ForgeRock AS
  !
-->
<chapter xml:id='chap-config-ref'
         xmlns='http://docbook.org/ns/docbook'
         version='5.0' xml:lang='en'
         xmlns:xlink='http://www.w3.org/1999/xlink'>
  <title>Configuration Reference</title>

  <indexterm><primary>Configuration</primary></indexterm>

  <para>This chapter covers OpenAM configuration properties accessible through
  the Configuration tab of the console, most of which can be set by using the
  <command>ssoadm</command> command. The chapter is organized to follow the
  OpenAM console layout.</para>
  <section xml:id="authentication-configuration">
    <title>Authentication Configuration</title>

    <indexterm>
      <primary>Configuration</primary>
      <secondary>Authentication</secondary>
    </indexterm>

    <para>Under Configuration > Authentication you can configure
    authentication services globally using the same attributes you use to
    configure authentication modules per realm under Access Control >
    <replaceable>Realm Name</replaceable> > Authentication > Module
    Instances, and described in the <citetitle>Administration Guide</citetitle>
    chapter on <link xlink:href="admin-guide#chap-auth-services"><citetitle
    >Authentication Services</citetitle></link>.</para>

    <para>The primary difference is that when configuring services globally,
    you set the default values to be used when a module is configured further
    for a specific realm.</para>

    <para>The Core Authentication module includes some fields under this tab
    that are not available when configuring a realm under the
    <literal>Access Control</literal> tab. Because attributes set under the
    <literal>Configuration</literal> tab apply at the server level, the changes
    you make here apply to all realms. Attributes set under the
    <literal>Access Control</literal> tab apply only to the realms that you
    specify. The Authentication table under the <literal>Configuration</literal>
    tab lists all existing types of modules available for configuration,
    including any customized modules you have added.</para>

    <para>The following are the global fields you can configure for the Core
    Authentication module under the <literal>Configuration</literal> tab.</para>
    <variablelist>
      <varlistentry>
        <term>Pluggable Authentication Module Classes</term>
        <listitem>
          <para>Add class names for custom authentication modules to this list.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-auth-authenticators</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>LDAP Connection Pool Size, Default LDAP Connection Pool Size</term>
        <listitem>
          <para>Sets a minimum and maximum number of LDAP connections in the pool
          for connecting to a directory server. When tuning for production, start
          with <literal>10:65</literal> (10 minimum, 65 maximum). Explicit settings
          for specific servers override the default.</para>
          <para>This attribute is for LDAP and Membership authentication services</para>
          <para>This connection pool is different from the SDK connection pool</para>
          <para><command>ssoadm</command> attributes:
          <literal>iplanet-am-auth-ldap-connection-pool-size</literal>, and
          <literal>iplanet-am-auth-ldap-connection-pool-default-size</literal></para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Remote Auth Security</term>
        <listitem>
          <para>Require the authenticating application to send its SSOToken. This
          allows the Authentication Service to obtain the username and password
          associated with the application.</para>
          <para><command>ssoadm</command> attribute:
          <literal>sunRemoteAuthSecurityEnabled</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Keep Post Process Objects for Logout Processing, Keep Authentication
        Module Objects for Logout Processing</term>
        <listitem>
          <para>When enabled, retain objects used to process authentication or
          post authentication operations in the user session until the user</para>
          <para><command>ssoadm</command> attributes:
          <literal>sunAMAuthKeepPostProcessInstances</literal>, and
          <literal>sunAMAuthKeepAuthModuleIntances</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>XUI Interface</term>
        <listitem>
          <para>When enabled, the initial login screen uses the XUI.</para>
          <para><command>ssoadm</command> attribute:
          <literal>openam-xui-interface-enabled</literal></para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>
  <section xml:id="console-configuration">
    <title>Console Configuration</title>

    <indexterm>
      <primary>Configuration</primary>
      <secondary>Console</secondary>
    </indexterm>

    <para>Under Configuration > Console you can customize how the OpenAM
    console appears, and what character sets are used.</para>

    <variablelist xml:id="console-administration">
      <title>Administration</title>
      <para>Administration includes both global and realm attributes.</para>
      <para><command>ssoadm</command> service name:
      <literal>iPlanetAMAdminConsoleService</literal></para>

      <varlistentry>
        <term>Federation Management</term>
        <listitem>
          <para>Clear Enabled to disable federation functionality in OpenAM.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-admin-console-liberty-enabled</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Maximum Results Returned from Search</term>
        <listitem>
          <para>Use this attribute to restrict the maximum number of results found
          in a search, such as a search for user profiles. Increasing the value can
          negatively impact performance. On the other hand, the default maximum of
          100 explains why administrators unaware of this setting are sometimes
          surprised not to see all the users they expect in search results.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-admin-console-search-limit</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Timeout for Search</term>
        <listitem>
          <para>Timeout in seconds for a console search. OpenAM returns an error
          if the search is not completed by the timeout.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-admin-console-search-timeout</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Search Return Attribute</term>
        <listitem>
          <para>List of LDAP attribute types to return in search results. OpenAM
          sorts users by the first attribute you specify. Use attributes that are
          actually present in user profiles.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-admin-console-user-return-attribute</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Maximum Items Displayed per Page</term>
        <listitem>
          <para>OpenAM shows a maximum of this many items in a console page before
          separating the page into multiple screens.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-admin-console-paging-size</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Prompt user for old password</term>
        <listitem>
          <para>If enabled, when the user edits her password in the user view, then
          OpenAM prompts her for the old password.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-admin-console-password-reset-enabled</literal></para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist xml:id="console-g11n">
      <title>Globalization Settings</title>
      <para>Globalization settings affect character sets and common name
      formats. See <link xlink:href="reference#chap-l10n"><citetitle
      >Localization</citetitle></link> for a list of supported locales.</para>
      <para><command>ssoadm</command> service name:
      <literal>iPlanetG11NSettings</literal></para>

      <varlistentry>
        <term>Charsets Supported by Each Locale</term>
        <listitem>
          <para>This table lets you configure the order of supported character
          sets used for each supported locale. Change the settings only if the
          defaults are not appropriate.</para>
          <para><command>ssoadm</command> attribute:
          <literal>sun-identity-g11n-settings-locale-charset-mapping</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Charsets Aliases</term>
        <listitem>
          <para>Use this list to map between different character set names used in
          Java and in MIME.</para>
          <para><command>ssoadm</command> attribute:
          <literal>sun-identity-g11n-settings-charset-alias-mapping</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Auto Generated Common Name Format</term>
        <listitem>
          <para>Use this list to configure how OpenAM formats names shown in the
          console banner.</para>
          <para><command>ssoadm</command> attribute:
          <literal>sun-identity-g11n-settings-common-name-format</literal></para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>
  <section xml:id="system-configuration">
    <title>System Configuration</title>

    <indexterm>
      <primary>Configuration</primary>
      <secondary>System</secondary>
    </indexterm>

    <para>Under Configuration > System, you can change OpenAM settings for
    server logging, monitoring, service URL naming, locale, cookie domain, and
    how OpenAM detects specific clients.</para>

    <variablelist xml:id="system-client-detection">
      <title>Client Detection</title>
      <para>OpenAM can detect client user agents by their HTTP requests.</para>
      <para><command>ssoadm</command> service name:
      <literal>iPlanetAMClientDetection</literal></para>

      <varlistentry>
        <term>Default Client Type</term>
        <listitem>
          <para>If no specific match is found for the client type, then this
          type is used. The default is <literal>genericHTML</literal>, suitable
          for supported browsers.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-client-detection-default-client-type</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Client Detection Class</term>
        <listitem>
          <para>The client detection plugin must implement the
          Client type is a name that uniquely identifies the client to OpenAM.
          The plugin scans HTTP requests to determine the client type.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-client-detection-class</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Enable Client Detection</term>
        <listitem>
          <para>If this is enabled, then OpenAM needs an appropriate client
          detection class implementation, and the authentication user interface
          must be appropriate for the clients detected.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-client-detection-enabled</literal></para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist xml:id="system-logging">
      <title>Logging</title>
      <para>You configure global OpenAM logging settings on this page.</para>
      <para><command>ssoadm</command> service name:
      <literal>iPlanetAMLoggingService</literal></para>

      <varlistentry>
        <term>Maximum Log Size</term>
        <listitem>
          <para>Sets the maximum log file size in bytes.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-max-file-size</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Number of History Files</term>
        <listitem>
          <para>Sets the number of history files for each log that OpenAM keeps,
          including time-based histories. The previously live file is moved to
          be included in the history count, and a new log is created to serve as
          the live log file. Any log file in the history count that goes over
          the number specified here will be deleted. For time-based logs, a new
          set of logs will be created when OpenAM is started because of the
          time-based file names that are used.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-num-hist-file</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Logfile Rotation Prefix</term>
        <listitem>
          <para>Set this if you want to add a prefix to log files governed by
          time-based log rotation.</para>
          <para><command>ssoadm</command> attribute:
          <literal>openam-logging-file-prefix</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Logfile Rotation Suffix</term>
        <listitem>
          <para>Change this if you want to change the suffix for log files
          governed by time-based log rotation. You can use
          <literal>SimpleDateFormat</literal> patterns. The default is</para>
          <para><command>ssoadm</command> attribute:
          <literal>openam-logging-file-suffix</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Log File Location</term>
        <listitem>
          <para>This property is interpreted to determine the location of log
          files, taking either a file system location or a JDBC URL. The default is
          <literal>%BASE_DIR%/%SERVER_URI%/log/</literal>.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-location</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Log Status</term>
        <listitem>
          <para>Set this to <literal>INACTIVE</literal> to disable the logging</para>
          <para><command>ssoadm</command> attribute:
          <literal>logstatus</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Log Record Resolve Host Name</term>
        <listitem>
          <para>Enable this to have OpenAM perform a DNS host lookup to populate the
          host name field for log records. OpenAM requires DNS on the host where it
          runs. Enabling this feature increases the load on the logging</para>
          <para><command>ssoadm</command> attribute:
          <literal>resolveHostName</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Logging Type</term>
        <listitem>
          <para>Set this to <literal>DB</literal> to log to a database. Default:
          <literal>File</literal>. If you choose <literal>DB</literal> then be
          sure to set the connection attributes correctly, including the JDBC
          driver to use.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-type</literal></para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>Database User Name</term>
        <listitem>
          <para>When logging to a database, set this to the user name used to
          connect to the database. If this attribute is incorrectly set, OpenAM
          performance suffers.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-db-user</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Database User Password</term>
        <listitem>
          <para>When logging to a database, set this to the password used to connect
          to the database. If this attribute is incorrectly set, OpenAM performance</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-db-password</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Database Driver Name</term>
        <listitem>
          <para>When logging to a database, set this to the class name of the JDBC
          driver used to connect to the database. The default is for Oracle. OpenAM
          also works with the MySQL database driver.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-db-driver</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Configurable Log Fields</term>
        <listitem>
          <para>Select the fields OpenAM includes in log messages using this
          attribute. By default all fields are included in log messages.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-logfields</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Log Verification Frequency</term>
        <listitem>
          <para>When secure logging is enabled, set this to how often OpenAM
          verifies log file content (in seconds).</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-verify-period-in-seconds</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Log Signature Time</term>
        <listitem>
          <para>When secure logging is enabled, set this to how often OpenAM signs
          log file content (in seconds).</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-signature-period-in-seconds</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Secure Logging</term>
        <listitem>
          <para>Set this to <literal>ON</literal> to enable the secure logging
          system whereby OpenAM digitally signs and verifies log files. You must
          also set up the Logging Certificate Store for this feature to</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-security-status</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Secure Logging Signing Algorithm</term>
        <listitem>
          <para>Set this to the algorithm used for digitally signing log</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-secure-signing-algorithm</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Logging Certificate Store Location</term>
        <listitem>
          <para>The secure logging system uses the certificate with alias
          <literal>Logger</literal> that it finds in the key store specified by
          this path. The default is</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-secure-certificate-store</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Maximum Number of Records</term>
        <listitem>
          <para>Set this to the maximum number of records read from the logs
          through the Logging API.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-max-records</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Number of Files per Archive</term>
        <listitem>
          <para>Set this to the number of files to be archived by the secure logging</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-files-per-keystore</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Buffer Size</term>
        <listitem>
          <para>The number of log messages buffered in memory before OpenAM flushes
          them to the log file or the database.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-buffer-size</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>DB Failure Memory Buffer Size</term>
        <listitem>
          <para>Set this to the maximum number of log records to hold in memory
          if the database to which records are logged is unavailable. If the value
          is less than Buffer Size, that value takes precedence.</para>
          <para><command>ssoadm</command> attribute:
          <literal>sun-am-logging-db-max-in-mem</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Buffer Time</term>
        <listitem>
          <para>Set the time in seconds that OpenAM buffers log messages in memory
          before flushing the buffer when Time Buffering is ON. The default is 60</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-buffer-time-in-seconds</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Time Buffering</term>
        <listitem>
          <para>Set this to OFF to cause OpenAM to write each log message separately
          rather than the default of holding messages in a memory buffer that OpenAM
          flushes periodically, as specified using the Buffer Time attribute.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-logging-time-buffering-status</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Logging Level</term>
        <listitem>
          <para>Set the log level for OpenAM. <literal>OFF</literal> is equivalent
          to setting the status to <literal>INACTIVE</literal>.</para>
          <para><command>ssoadm</command> attribute:
          <literal>sun-am-log-level</literal></para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist xml:id="system-monitoring">
      <title>Monitoring</title>
      <para>You enable OpenAM monitoring by using these attributes.</para>
      <para><command>ssoadm</command> service name:
      <literal>iPlanetAMMonitoringService</literal></para>

      <varlistentry>
        <term>Monitoring Status</term>
        <listitem>
          <para>Enable monitoring using this attribute.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-monitoring-enabled</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Monitoring HTTP Port</term>
        <listitem>
          <para>Set the port number for the HTML monitoring interface.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-monitoring-http-port</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Monitoring HTTP interface status</term>
        <listitem>
          <para>Enable the HTML monitoring interface using this attribute.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-monitoring-http-enabled</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Monitoring HTTP interface authentication file path</term>
        <listitem>
          <para>Set this to the path of the file containing the user name
          and password used to protect access to monitoring information. The
          default user name and password combination is <literal>demo</literal> and
          <literal>changeit</literal>. You can encode a new password using the
          <link xlink:href="reference#ampassword-1"><command
          >ampassword</command></link> command.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-monitoring-authfile-path</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Monitoring RMI Port</term>
        <listitem>
          <para>Set the port number for the JMX monitoring interface.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-monitoring-rmi-port</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Monitoring RMI interface status</term>
        <listitem>
          <para>Enable the JMX monitoring interface using this attribute.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-monitoring-rmi-enabled</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Monitoring SNMP Port</term>
        <listitem>
          <para>Set the port number for the SNMP monitoring interface.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-monitoring-snmp-port</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Monitoring SNMP interface status</term>
        <listitem>
          <para>Enable the SNMP monitoring interface using this attribute.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-monitoring-snmp-enabled</literal></para>
        </listitem>
      </varlistentry>
    </variablelist>
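    <para>The settings in the Logging and Monitoring lists above, and the
    <literal>min:max</literal> form of the Default LDAP Connection Pool Size
    under Authentication Configuration, are the ones an administrator most
    often needs to re-check after a deployment. The following script is an
    added example, not OpenAM's own code: it reads global defaults in a
    <literal>name=value</literal> line form (assumed to be what
    <command>ssoadm get-attr-defs</command> prints; the sample input is
    constructed) and reports the findings this chapter implies: logging
    switched off, secure logging not ON, database logging without its
    connection attributes, the HTML monitoring interface enabled (so the
    authentication file must no longer hold the <literal>demo</literal> /
    <literal>changeit</literal> default), and a pool size that is not a
    usable range. The attribute names and values come from this chapter; the
    line format, the finding codes and the sample values are assumptions.</para>

```python
"""Audit OpenAM global service defaults for the settings this chapter warns about.

Added example, not OpenAM code. It assumes the one-attribute-per-line
name=value form that `ssoadm get-attr-defs` prints (the sample below is
constructed) and checks only attributes and values named in this chapter.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of global defaults in name=value form (assumption: this is
# how `ssoadm get-attr-defs` reports them; a multi-valued attribute repeats its name).
SAMPLE_ATTR_DEFS = """\
iplanet-am-auth-ldap-connection-pool-default-size=10:65
logstatus=ACTIVE
sun-am-log-level=INFO
iplanet-am-logging-type=DB
iplanet-am-logging-db-user=amlog
iplanet-am-logging-security-status=OFF
iplanet-am-monitoring-enabled=true
iplanet-am-monitoring-http-enabled=true
"""


def parse_attr_defs(text: str) -> Dict[str, List[str]]:
    """Collect name=value lines into a name -> [values] map, ignoring other output."""
    attrs: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def first(attrs: Dict[str, List[str]], name: str) -> str:
    """First value of an attribute, or "" when it is not reported at all."""
    return attrs.get(name, [""])[0]


def parse_pool_size(value: str) -> Optional[Tuple[int, int]]:
    """Parse the min:max pool setting (e.g. 10:65); None when it is not a sane range."""
    match = re.fullmatch(r"(\d+):(\d+)", value.strip())
    if match is None:
        return None
    lo, hi = int(match.group(1)), int(match.group(2))
    if lo >= 1 and hi >= lo:
        return lo, hi
    return None


def audit(attrs: Dict[str, List[str]]) -> List[str]:
    """Return finding codes for settings that weaken logging, auditing or monitoring."""
    findings: List[str] = []

    # Default LDAP Connection Pool Size must be a usable min:max range.
    if parse_pool_size(first(attrs, "iplanet-am-auth-ldap-connection-pool-default-size")) is None:
        findings.append("LDAP_POOL_INVALID")

    # Log Status INACTIVE, or Logging Level OFF (equivalent per the reference), means no audit trail.
    if (first(attrs, "logstatus").upper() == "INACTIVE"
            or first(attrs, "sun-am-log-level").upper() == "OFF"):
        findings.append("LOGGING_DISABLED")

    # Secure Logging must be ON for log files to be signed and verified.
    if first(attrs, "iplanet-am-logging-security-status").upper() != "ON":
        findings.append("SECURE_LOGGING_OFF")

    # Logging Type DB needs the user, password and JDBC driver attributes set.
    if first(attrs, "iplanet-am-logging-type").upper() == "DB":
        for name in ("iplanet-am-logging-db-user",
                     "iplanet-am-logging-db-password",
                     "iplanet-am-logging-db-driver"):
            if not first(attrs, name):
                findings.append(f"DB_LOGGING_MISSING:{name}")

    # HTML monitoring interface exposed: the auth file must not still hold demo/changeit.
    if (first(attrs, "iplanet-am-monitoring-enabled").lower() == "true"
            and first(attrs, "iplanet-am-monitoring-http-enabled").lower() == "true"):
        findings.append("MONITORING_HTTP_CHECK_AUTHFILE")

    return findings


if __name__ == "__main__":
    for code in audit(parse_attr_defs(SAMPLE_ATTR_DEFS)):
        print(code)
```

    <para>Run against real output, pipe the <command>ssoadm get-attr-defs</command>
    result for each service into <literal>parse_attr_defs</literal> and merge
    the maps before calling <literal>audit</literal>; an attribute that the
    output omits is treated as unset, which is the conservative reading for
    every check here.</para>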
    <variablelist xml:id="system-platform">
      <title>Naming</title>
      <para>You can configure URLs for service endpoints.</para>
      <para><command>ssoadm</command> service name:
      <literal>iPlanetAMNamingService</literal></para>

      <varlistentry>
        <term>Profile Service URL</term>
        <listitem>
          <para>Set the endpoint used by the profile service.</para>
          <para>This attribute is deprecated.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-naming-profile-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Session Service URL</term>
        <listitem>
          <para>Set the endpoint used by the session service.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-naming-session-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Logging Service URL</term>
        <listitem>
          <para>Set the endpoint used by the logging service.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-naming-logging-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Policy Service URL</term>
        <listitem>
          <para>Set the endpoint used by the policy service.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-naming-policy-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Authentication Service URL</term>
        <listitem>
          <para>Set the endpoint used by the authentication service.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-naming-auth-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term/>
        <listitem>
          <para>Set the SAML v1 endpoint.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-naming-samlawareservlet-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>SAML SOAP Service URL</term>
        <listitem>
          <para>Set the endpoint used by the SAML v1 SOAP service.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-naming-samlsoapreceiver-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term/>
        <listitem>
          <para>Set the SAML v1 Web Profile endpoint.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-naming-samlpostservlet-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>SAML Assertion Manager Service URL</term>
        <listitem>
          <para>Set the endpoint used by the SAML v1 assertion service.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-naming-samlassertionmanager-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Federation Assertion Manager Service URL</term>
        <listitem>
          <para>Set the endpoint used by the ID-FF assertion manager service.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-naming-fsassertionmanager-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Security Token Manager URL</term>
        <listitem>
          <para>Set the STS endpoint.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-naming-securitytokenmanager-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>JAXRPC Endpoint URL</term>
        <listitem>
          <para>Set the JAXRPC endpoint used by remote IDM/SMS APIs.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-naming-jaxrpc-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Identity Web Services Endpoint URL</term>
        <listitem>
          <para>Set the endpoint for Identity WSDL services.</para>
          <para><command>ssoadm</command> attribute:
          <literal>sun-naming-idsvcs-jaxws-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Identity REST Services Endpoint URL</term>
        <listitem>
          <para>Set the endpoint used for Identity REST services.</para>
          <para><command>ssoadm</command> attribute:
          <literal>sun-naming-idsvcs-rest-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Security Token Service Endpoint URL</term>
        <listitem>
          <para>Set the STS endpoint.</para>
          <para><command>ssoadm</command> attribute:
          <literal>sun-naming-sts-url</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Security Token Service MEX Endpoint URL</term>
        <listitem>
          <para>Set the STS MEX endpoint.</para>
          <para><command>ssoadm</command> attribute:
          <literal>sun-naming-sts-mex-url</literal></para>
        </listitem>
      </varlistentry>
    </variablelist>
    <variablelist xml:id="system-platform-attrs">
      <title>Platform</title>
      <para>You can configure the default locale and list of cookie domains.</para>
      <para><command>ssoadm</command> service name:
      <literal>iPlanetAMPlatformService</literal></para>

      <varlistentry>
        <term>Platform Locale</term>
        <listitem>
          <para>Set the fallback locale used when the user locale cannot be</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-platform-locale</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Cookie Domains</term>
        <listitem>
          <para>Set the list of domains into which OpenAM writes cookies. If you
          set multiple cookie domains, OpenAM still only sets the cookie in the
          domain the client uses to access OpenAM. You can also configure cross
          domain single sign on (CDSSO) to allow single sign on across multiple
          domains managed by your organization. See the <citetitle>Administration
          Guide</citetitle> chapter on <link xlink:href="admin-guide#chap-cdsso"
          ><citetitle>Cross-Domain Single Sign On</citetitle></link> for details.</para>
          <para><command>ssoadm</command> attribute:
          <literal>iplanet-am-platform-cookie-domains</literal></para>
        </listitem>
      </varlistentry>
    </variablelist>
  </section>
  <section xml:id="global-configuration">
    <title>Global Configuration</title>

    <indexterm>
      <primary>Configuration</primary>
      <secondary>Global</secondary>
    </indexterm>

    <para>Under Configuration > Global you can set defaults for a range of
    federation services, for password reset, for policy configuration, for
    session management, and for dynamic user attributes.</para>

    <variablelist xml:id="common-federation-configuration">
      <title>Common Federation Configuration</title>
      <para><command>ssoadm</command> service name:
      <literal>sunFAMFederationCommon</literal></para>

      <varlistentry>
        <term>Datastore SPI implementation class</term>
        <listitem>
          <para>Used by the Federation system to access user profile</para>
          <para><command>ssoadm</command> attribute:
          <literal>DatastoreClass</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>ConfigurationInstance SPI implementation class</term>
        <listitem>
          <para>Used by the Federation system to access service configuration</para>
          <para><command>ssoadm</command> attribute:
          <literal>ConfigurationClass</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Logger SPI implementation class</term>
        <listitem>
          <para>Used by the Federation system to record log messages</para>
          <para><command>ssoadm</command> attribute:
          <literal>LoggerClass</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>SessionProvider SPI implementation class</term>
        <listitem>
          <para>Used by the Federation system to access the session service</para>
          <para><command>ssoadm</command> attribute:
          <literal>SessionProviderClass</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Maximum allowed content length</term>
        <listitem>
          <para>Maximum number of bytes for Federation communications</para>
          <para><command>ssoadm</command> attribute:
          <literal>MaxContentLength</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>PasswordDecoder SPI implementation class</term>
        <listitem>
          <para>Used by the Federation system to decode passwords encoded by</para>
          <para><command>ssoadm</command> attribute:
          <literal>PasswordDecoderClass</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>SignatureProvider SPI implementation class</term>
        <listitem>
          <para>Used by the Federation system to digitally sign SAML documents</para>
          <para><command>ssoadm</command> attribute:
          <literal>SignatureProviderClass</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>KeyProvider SPI implementation class</term>
        <listitem>
          <para>Used by the Federation system to access the Java key store</para>
          <para><command>ssoadm</command> attribute:
          <literal>KeyProviderClass</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Check presence of certificates</term>
        <listitem>
          <para>If enabled, OpenAM checks that the partner's signing certificate
          presented in the XML matches the certificate from the partner's</para>
          <para><command>ssoadm</command> attribute:
          <literal>CheckCert</literal></para>
        </listitem>
      </varlistentry>
      <varlistentry>
        <term>XML canonicalization algorithm</term>
        <listitem>
          <para>Algorithm used to render the canonical versions of XML</para>
          <para><command>ssoadm</command> attribute:
          <literal>CannonicalizationAlgorithm</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>XML signature algorithm</term>
        <listitem>
          <para>Algorithm used to sign XML documents</para>
          <para><command>ssoadm</command> attribute:
          <literal>SignatureAlgorithm</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>XML transformation algorithm</term>
        <listitem>
          <para>Algorithm used for XML transformations</para>
          <para><command>ssoadm</command> attribute:
          <literal>TransformationAlgorithm</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>SAML Error Page URL</term>
        <listitem>
          <para>OpenAM redirects users here when an error occurs in the SAML2
          engine. Users are redirected to absolute URLs, whereas relative URLs
          are displayed within the request.</para>
          <para><command>ssoadm</command> attribute:
          <literal>SAMLErrorPageURL</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>SAML Error Page HTTP Binding</term>
        <listitem>
          <para>Set this either to <literal>HTTP-Redirect</literal> or to
          <literal>HTTP-POST</literal>.</para>
          <para><command>ssoadm</command> attribute:
          <literal>SAMLErrorPageHTTPBinding</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Monitoring Agent Provider Class</term>
        <listitem>
          <para>Used by the Federation system to access the monitoring system</para>
          <para><command>ssoadm</command> attribute:
          <literal>MonAgentClass</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Monitoring Provider Class for SAML1</term>
        <listitem>
          <para>Used by the SAMLv1 engine to access the monitoring system</para>
          <para><command>ssoadm</command> attribute:
          <literal>MonSAML1Class</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Monitoring Provider Class for SAML2</term>
        <listitem>
          <para>Used by the SAML2 engine to access the monitoring system</para>
          <para><command>ssoadm</command> attribute:
          <literal>MonSAML2Class</literal></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>Monitoring Provider Class for ID-FF</term>
        <listitem>
          <para>Used by the ID-FF engine to access the monitoring system</para>
          <para><command>ssoadm</command> attribute:
          <literal>MonIDFFClass</literal></para>
        </listitem>
      </varlistentry>
    </variablelist>
  <!-- Commenting out, assuming the corresponding screen is also commented out, per OPENAM-3164
  <variablelist xml:id="core-token-service-configuration">
   <title>Core Token Service</title>
   <para><command>ssoadm</command> service name:
   <literal>sunCoreTokenConfigService</literal></para>
   <varlistentry>
    <term>Searchable Attribute List</term>
    <listitem>
     <para>List of attribute names used in token search operations</para>
     <para><command>ssoadm</command> attribute:
     <literal>searchableAttributes</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Token cleanup interval for token expiry</term>
    <listitem>
     <para>Seconds OpenAM delays cleanup after token expiry</para>
     <para><command>ssoadm</command> attribute:
     <literal>tokenCleanupInterval</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Token types without ETag enforcement</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>tokenTypesWithoutEtagEnforcement</literal></para>
    </listitem>
   </varlistentry>
  </variablelist>
  -->
  <variablelist xml:id="dashboard-configuration">
   <title>Dashboard Configuration</title>
   <para><command>ssoadm</command> service name:
   <literal>dashboardService</literal></para>
   <varlistentry>
    <term>Dashboard Class Name</term>
    <listitem>
     <para>Identifies how to access the application, for example
     <literal>SAML2ApplicationClass</literal> for a SAML 2.0 application</para>
     <para><command>ssoadm</command> attribute:
     <literal>dashboardClassName</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Dashboard Name</term>
    <listitem>
     <para>The application name as it will appear to the administrator for
     configuring the dashboard</para>
     <para><command>ssoadm</command> attribute:
     <literal>dashboardName</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Dashboard Display Name</term>
    <listitem>
     <para>The application name that displays on the dashboard client</para>
     <para><command>ssoadm</command> attribute:
     <literal>dashboardDisplayName</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Dashboard Icon</term>
    <listitem>
     <para>The icon name that will be displayed on the dashboard client
     identifying the application</para>
     <para><command>ssoadm</command> attribute:
     <literal>dashboardIcon</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Dashboard Login</term>
    <listitem>
     <para>The URL that takes the user to the application</para>
     <para><command>ssoadm</command> attribute:
     <literal>dashboardLogin</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Available Dashboard Apps</term>
    <listitem>
     <para>List of application dashboard names available by default for
     realms with the Dashboard configured</para>
     <para><command>ssoadm</command> attribute:
     <literal>assignedDashboard</literal></para>
    </listitem>
   </varlistentry>
  </variablelist>
  <variablelist xml:id="email-service-configuration">
   <title>Email Service</title>
   <para><command>ssoadm</command> service name:
   <literal>ForgeRockSendEmailService</literal></para>
   <varlistentry>
    <term>Email Message Implementation Class</term>
    <listitem>
     <para>Specifies the class that sends email notifications, such as those
     sent for user registration and forgotten passwords.</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockMailServerImplClassName</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Mail Server Host Name</term>
    <listitem>
     <para>Specifies the fully qualified domain name of the SMTP mail server
     through which to send email notifications.</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockEmailServiceSMTPHostName</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Mail Server Host Port</term>
    <listitem>
     <para>Specifies the port number for the SMTP mail server.</para>
     <para>Default: 465</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockEmailServiceSMTPHostPort</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Mail Server Authentication Username</term>
    <listitem>
     <para>Specifies the user name for the SMTP mail server.</para>
     <para>Default: <literal>forgerocksmtp</literal></para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockEmailServiceSMTPUserName</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Mail Server Authentication Password</term>
    <listitem>
     <para>Specifies the password for the SMTP user name.</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockEmailServiceSMTPUserPassword</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Mail Server Secure Connection</term>
    <listitem>
     <para>Specifies whether to connect to the SMTP mail server using SSL.</para>
     <para>Default: use SSL (<literal>true</literal>)</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockEmailServiceSMTPSSLEnabled</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Email From Address</term>
    <listitem>
     <para>Specifies the address from which to send email notifications.</para>
     <para>Default: <literal>no-reply@openam.org</literal></para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockEmailServiceSMTPFromAddress</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Email Attribute Name</term>
    <listitem>
     <para>Specifies the profile attribute from which to retrieve the end user's
     email address.</para>
     <para>Default: <literal>mail</literal></para>
     <para><command>ssoadm</command> attribute:
     <literal>openamEmailAttribute</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Email Subject</term>
    <listitem>
     <para>Specifies a subject for notification messages. If you do not set this,
     OpenAM does not set the subject for notification messages.</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockEmailServiceSMTPSubject</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Email Content</term>
    <listitem>
     <para>Specifies content for notification messages. If you do not set this,
     OpenAM includes only the confirmation URL in the mail body.</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockEmailServiceSMTPMessage</literal></para>
    </listitem>
   </varlistentry>
  </variablelist>
  <variablelist xml:id="liberty-id-ff-service-configuration">
   <title>Liberty ID-FF Service Configuration</title>
   <para><command>ssoadm</command> service name:
   <literal>sunFAMIDFFConfiguration</literal></para>
   <varlistentry>
    <term>Federation Cookie Name</term>
    <listitem>
     <para>Cookie name for Liberty ID-FF</para>
     <para><command>ssoadm</command> attribute:
     <literal>FedCookieName</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>IDP Proxy Finder SPI implementation class</term>
    <listitem>
     <para>Used by the ID-FF engine to find the IDP proxy</para>
     <para><command>ssoadm</command> attribute:
     <literal>IDPProxyFinderClass</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Request cache cleanup interval</term>
    <listitem>
     <para>Seconds between times OpenAM cleans up the request cache</para>
     <para><command>ssoadm</command> attribute:
     <literal>RequestCacheCleanupInterval</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Request cache timeout</term>
    <listitem>
     <para>Seconds cached requests remain valid</para>
     <para><command>ssoadm</command> attribute:
     <literal>RequestCacheTimeout</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>IDP Login URL</term>
    <listitem>
     <para>Login URL for the ID-FF IDP</para>
     <para><command>ssoadm</command> attribute:
     <literal>IDPLoginURL</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>XML signing on</term>
    <listitem>
     <para>If yes, require XML signing.</para>
     <para><command>ssoadm</command> attribute:
     <literal>XMLSigningOn</literal></para>
    </listitem>
   </varlistentry>
  </variablelist>
  <variablelist xml:id="liberty-interaction-service-configuration">
   <title>Liberty Interaction Service</title>
   <para><command>ssoadm</command> service name:
   <literal>sunFAMLibertyInteractionService</literal></para>
   <varlistentry>
    <term>WSP to redirect user for interaction</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>WSPWillRedirect</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>WSP to redirect user for interaction for data</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>WSPWillRedirectForData</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>WSP's expected duration for interaction</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>WSPRedirectTime</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>WSP to enforce that returnToURL must be SSL</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>WSPWillEnforceHttpsCheck</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>WSP to enforce return to host be the same as request host</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>WSPWillEnforceReturnToHostEqualsRequestHost</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>HTML style sheet location</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>HTMLStyleSheetLocation</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>WML style sheet location</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>WMLStyleSheetLocation</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>WSP interaction URL</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>WSPRedirectHandlerURL</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>WSP interaction URL if behind load balancer</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>LBWSPRedirectHandler</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>List of interaction URLs of WSP cluster (site) behind the load</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>TrustedWspRedirectHandlers</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Interaction Configuration Class</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>InteractionConfigClass</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Options for WSC to participate in interaction</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>WSCSpecifiedInteractionChoice</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>WSC to include userInteractionHeader</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>WSCWillIncludeUserInteractionHeader</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>WSC to redirect user for interaction</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>WSCWillRedirect</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>WSC's expected duration for interaction</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>WSCSpecifiedMaxInteractionTime</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>WSC to enforce that redirection URL must be SSL</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>WSCWillEnforceHttpsCheck</literal></para>
    </listitem>
   </varlistentry>
  </variablelist>
  <variablelist xml:id="multi-federation-protocol-configuration">
   <title>Multi-Federation Protocol</title>
   <para><command>ssoadm</command> service name:
   <literal>sunMultiFederationProtocol</literal></para>
   <varlistentry>
    <term>Single Logout Handler List</term>
    <listitem>
     <para>List of logout handlers used for each different federation</para>
     <para><command>ssoadm</command> attribute:
     <literal>SingleLogoutHandlerList</literal></para>
    </listitem>
   </varlistentry>
  </variablelist>
  <variablelist xml:id="oauth2-provider-configuration">
   <title>OAuth2 Provider Configuration</title>
   <para><command>ssoadm</command> service name:
   <literal>OAuth2Provider</literal></para>
   <varlistentry>
    <term>Authorization Code Lifetime</term>
    <listitem>
     <para>Lifetime of OAuth 2.0 authorization code in seconds.</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerock-oauth2-provider-authorization-code-lifetime</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Refresh Token Lifetime</term>
    <listitem>
     <para>Lifetime of OAuth 2.0 refresh token in seconds.</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerock-oauth2-provider-refresh-token-lifetime</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Access Token Lifetime</term>
    <listitem>
     <para>Lifetime of OAuth 2.0 access token in seconds.</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerock-oauth2-provider-access-token-lifetime</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Issue Refresh Tokens</term>
    <listitem>
     <para>Whether to issue a refresh token when returning an access</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerock-oauth2-provider-issue-refresh-token</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Issue Refresh Tokens on Refreshing Access Tokens</term>
    <listitem>
     <para>Whether to issue a refresh token when refreshing an access</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerock-oauth2-provider-issue-refresh-token-on-refreshing-token</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Scope Implementation Class</term>
    <listitem>
     <para>Name of class on OpenAM classpath implementing scopes.</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerock-oauth2-provider-scope-implementation-class</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Response Type Plugins</term>
    <listitem>
     <para>List of plugins that handle the valid
     <literal>response_type</literal> values. OAuth 2.0 clients pass response
     types as parameters to the OAuth 2.0 Authorization endpoint
     requested from the provider. For example, the client passes
     <literal>code</literal> when requesting an authorization code, and
     <literal>token</literal> when requesting an access token.</para>
     <para>Values in this list take the form
     <literal><replaceable>response-type</replaceable>|<replaceable>plugin-class-name</replaceable></literal>.</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerock-oauth2-provider-response-type-map-class</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>User Profile Attribute(s) the Resource Owner is Authenticated On</term>
    <listitem>
     <para>Names of profile attributes that resource owners use to log in.
     The default is <literal>uid</literal>, and you can add others such as
     <literal>mail</literal>.</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerock-oauth2-provider-authentication-attributes</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Shared Consent Attribute Name</term>
    <listitem>
     <para>Name of a multi-valued attribute on resource owner profiles where
     OpenAM can save authorization consent decisions. When the resource owner
     chooses to save the decision to authorize access for a client application,
     OpenAM updates the resource owner's profile to avoid having to
     prompt the resource owner to grant authorization when the client issues
     subsequent authorization requests.</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerock-oauth2-provider-saved-consent-attribute</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>JSON Web Key URL</term>
    <listitem>
     <para>The URL where the OpenID Connect provider's JSON Web Key can be</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerock-oauth2-provider-jkws-uri</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Subject Types supported</term>
    <listitem>
     <para>List of OpenID Connect subject types supported. Values are
     <literal>pairwise</literal> and <literal>public</literal>, and both are
     supported by default. Pairwise is the same as confidential.</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerock-oauth2-provider-subject-types-supported</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>ID Token Signing Algorithms supported</term>
    <listitem>
     <para>Algorithms supported to sign OpenID Connect
     <literal>id_tokens</literal>.</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerock-oauth2-provider-id-token-signing-algorithms-supported</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Supported Claims</term>
    <listitem>
     <para>List of claims supported by the OpenID Connect</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerock-oauth2-provider-supported-claims</literal></para>
    </listitem>
   </varlistentry>
  </variablelist>
  <variablelist xml:id="password-reset-configuration">
   <title>Password Reset</title>
   <varlistentry>
    <term>Realm Attributes</term>
    <listitem>
     <para>See the <citetitle>Administration Guide</citetitle> chapter on
     <link xlink:href="admin-guide#chap-pwd-reset"><citetitle>Password
     Reset</citetitle></link> for details.</para>
    </listitem>
   </varlistentry>
  </variablelist>
  <variablelist xml:id="policy-configuration">
   <title>Policy Configuration</title>
   <para>You can change global policy configuration, and the defaults per</para>
   <para><command>ssoadm</command> service name:
   <literal>iPlanetAMPolicyConfigService</literal></para>
   <varlistentry>
    <term>Resource Comparator</term>
    <listitem>
     <para>OpenAM uses resource comparators to match resources specified in
     policy rules. When setting comparators on the command line, separate
     fields with <literal>|</literal> characters.</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-resource-comparator</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Continue Evaluation on Deny Decision</term>
    <listitem>
     <para>If no, then OpenAM stops evaluating policy as soon as it reaches a
     deny decision.</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-continue-evaluation-on-deny-decision</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Advices Handleable by OpenAM</term>
    <listitem>
     <para>Lists advice names for which policy agents redirect users to
     OpenAM for further authentication and authorization</para>
     <para><command>ssoadm</command> attribute:
     <literal>sun-am-policy-config-advices-handleable-by-am</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Realm Alias Referrals</term>
    <listitem>
     <para>If yes, then OpenAM allows creation of policies for HTTP and HTTPS
     resources whose FQDN matches the DNS alias for the realm even when no
     referral policy exists.</para>
     <para><command>ssoadm</command> attribute:
     <literal>sun-am-policy-config-org-alias-mapped-resources-enabled</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Primary LDAP Server</term>
    <listitem>
     <para>Configuration directory server host:port that OpenAM searches for
     policy information</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-server</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Base DN</term>
    <listitem>
     <para>Base DN for policy searches</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-base-dn</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Users Base DN</term>
    <listitem>
     <para>Base DN for LDAP Users subject searches</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-users-base-dn</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>OpenAM Roles Base DN</term>
    <listitem>
     <para>Base DN for OpenAM Roles searches</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-is-roles-base-dn</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Bind DN</term>
    <listitem>
     <para>Bind DN to connect to the directory server for policy</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-bind-dn</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Bind Password</term>
    <listitem>
     <para>Bind password to connect to the directory server for policy</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-bind-password</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Organization Search Filter</term>
    <listitem>
     <para>Search filter to match organization entries</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-organizations-search-filter</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Organization Search Scope</term>
    <listitem>
     <para>Search scope to find organization entries</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-organizations-search-scope</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Groups Search Filter</term>
    <listitem>
     <para>Search filter to match group entries</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-groups-search-filter</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Groups Search Scope</term>
    <listitem>
     <para>Search scope to find group entries</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-groups-search-scope</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Users Search Filter</term>
    <listitem>
     <para>Search filter to match user entries</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-users-search-filter</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Users Search Scope</term>
    <listitem>
     <para>Search scope to find user entries</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-users-search-scope</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Roles Search Filter</term>
    <listitem>
     <para>Search filter to match nsRole definition entries</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-roles-search-filter</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Roles Search Scope</term>
    <listitem>
     <para>Search scope to find nsRole definition entries</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-roles-search-scope</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>OpenAM Roles Search Scope</term>
    <listitem>
     <para>Search scope to find OpenAM roles entries</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-is-roles-search-scope</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Organization Search Attribute</term>
    <listitem>
     <para>Naming attribute for organization entries</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-organizations-search-attribute</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Groups Search Attribute</term>
    <listitem>
     <para>Naming attribute for group entries</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-groups-search-attribute</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Users Search Attribute</term>
    <listitem>
     <para>Naming attribute for user entries</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-users-search-attribute</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Roles Search Attribute</term>
    <listitem>
     <para>Naming attribute for nsRole definition entries</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-roles-search-attribute</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Maximum Results Returned from Search</term>
    <listitem>
     <para>Search limit for LDAP searches</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-search-limit</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Search Timeout</term>
    <listitem>
     <para>Seconds after which OpenAM returns an error for an incomplete</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-search-timeout</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <listitem>
     <para>If enabled, OpenAM connects securely to the directory server. This
     requires that you install the directory server certificate.</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-ldap-ssl-enabled</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Connection Pool Minimum Size</term>
    <listitem>
     <para>Minimum number of connections in the pool</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-connection_pool_min_size</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>LDAP Connection Pool Maximum Size</term>
    <listitem>
     <para>Maximum number of connections in the pool</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-connection_pool_max_size</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Selected Policy Subjects</term>
    <listitem>
     <para>Lists subjects available for policy definition in realms</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-selected-subjects</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Selected Policy Conditions</term>
    <listitem>
     <para>Lists conditions available for policy definition in realms</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-selected-conditions</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Selected Policy Referrals</term>
    <listitem>
     <para>Lists referral types available for policy definition in realms</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-selected-referrals</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Subjects Result Time to Live</term>
    <listitem>
     <para>Maximum minutes OpenAM caches a subject result for evaluating
     policy requests. A value of 0 prevents OpenAM from caching subject
     evaluations for policy decisions.</para>
     <para>Default: 10</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-subjects-result-ttl</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>User Alias</term>
    <listitem>
     <para>If enabled, OpenAM can evaluate policy for remote users aliased
     to local users.</para>
     <para><command>ssoadm</command> attribute:
     <literal>iplanet-am-policy-config-user-alias-enabled</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Selected Response Providers</term>
    <listitem>
     <para>Lists response providers available for policy</para>
     <para><command>ssoadm</command> attribute:
     <literal>sun-am-policy-selected-responseproviders</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Selected Dynamic Response Attributes</term>
    <listitem>
     <para>Lists dynamic response attributes available for policy</para>
     <para><command>ssoadm</command> attribute:
     <literal>sun-am-policy-dynamic-response-attributes</literal></para>
    </listitem>
   </varlistentry>
  </variablelist>
  <variablelist xml:id="rest-security-configuration">
   <title>REST Security</title>
   <para><command>ssoadm</command> service name:
   <literal>RestSecurity</literal></para>
   <para>The order of options that appear in the console may vary depending on
   whether you are running from a new installation or an upgrade of OpenAM.</para>
   <!-- May be affected by OPENAM-3027, where, in an upgrade situation,
        the Forgot Password Token LifeTime (seconds) label has
        been incorrectly replaced with another instance of Forgot Password for Users -->
   <varlistentry>
    <term>Self-Registration for Users</term>
    <listitem>
     <para>If enabled, new users can sign up using a REST API client.</para>
     <para>Default: not enabled</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockRESTSecuritySelfRegistrationEnabled</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Self-Registration Token LifeTime (seconds)</term>
    <listitem>
     <para>Maximum lifetime for the token allowing user self-registration using
     the REST API.</para>
     <para>Default: 900 (seconds)</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockRESTSecuritySelfRegTokenTTL</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Self-Registration Confirmation Email URL</term>
    <listitem>
     <para>This page handles the HTTP GET request
     when the user clicks the link sent by email in the confirmation request.
     where <replaceable>deployment-base-url</replaceable> is something like</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockRESTSecuritySelfRegConfirmationUrl</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Forgot Password for Users</term>
    <listitem>
     <para>If enabled, users can assign themselves a new password using a REST API client.</para>
     <para>Default: not enabled</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockRESTSecurityForgotPasswordEnabled</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Forgot Password Token LifeTime (seconds)</term>
    <listitem>
     <para>Maximum lifetime for the token allowing a user to process a forgotten
     password using the REST API.</para>
     <para>Default: 900 (seconds)</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockRestSecurityForgotPassTokenTTL</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Forgot Password Confirmation Email URL</term>
    <listitem>
     <para>This page handles the HTTP GET request
     when the user clicks the link sent by email in the confirmation request.
     where <replaceable>deployment-base-url</replaceable> is something like</para>
     <para><command>ssoadm</command> attribute:
     <literal>forgerockRESTSecurityForgotPassConfirmationUrl</literal></para>
    </listitem>
   </varlistentry>
  </variablelist>
  <variablelist xml:id="saml2-service-configuration">
   <title>SAMLv2 Service Configuration</title>
   <para><command>ssoadm</command> service name:
   <literal>sunFAMSAML2Configuration</literal></para>
   <varlistentry>
    <term>Cache cleanup interval</term>
    <listitem>
     <para>Seconds between cache cleanup operations</para>
     <para><command>ssoadm</command> attribute:
     <literal>CacheCleanupInterval</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Attribute name for Name ID information</term>
    <listitem>
     <para>User entry attribute to store name identifier information</para>
     <para><command>ssoadm</command> attribute:
     <literal>NameIDInfoAttribute</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Attribute name for NAME ID information key</term>
    <listitem>
     <para>User entry attribute to store the name identifier key</para>
     <para><command>ssoadm</command> attribute:
     <literal>NameIDInfoKeyAttribute</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Cookie domain for IDP Discovery Service</term>
    <listitem>
     <para>Specifies the cookie domain for the IDP discovery service</para>
     <para><command>ssoadm</command> attribute:
     <literal>IDPDiscoveryCookieDomain</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Cookie type for IDP Discovery Service</term>
    <listitem>
     <para>Indicates whether to use PERSISTENT or SESSION cookies</para>
     <para><command>ssoadm</command> attribute:
     <literal>IDPDiscoveryCookieType</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>URL scheme for IDP Discovery Service</term>
    <listitem>
     <para>Indicates whether to use HTTP or HTTPS</para>
     <para><command>ssoadm</command> attribute:
     <literal>IDPDiscoveryURLScheme</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>XML Encryption SPI implementation class</term>
    <listitem>
     <para>Used by the SAML2 engine to encrypt and decrypt documents</para>
     <para><command>ssoadm</command> attribute:
     <literal>XMLEncryptionClass</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Include xenc:EncryptedKey Inside ds:KeyInfo Element</term>
    <listitem>
     <para><command>ssoadm</command> attribute:
     <literal>EncryptedKeyInKeyInfo</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>XML Signing SPI implementation class</term>
    <listitem>
     <para>Used by the SAML2 engine to sign documents</para>
     <para><command>ssoadm</command> attribute:
     <literal>XMLSigningClass</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>XML Signing Certificate Validation</term>
    <listitem>
     <para>If enabled, then validate certificates used to sign documents.</para>
     <para><command>ssoadm</command> attribute:
     <literal>SigningCertValidation</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>CA Certificate Validation</term>
    <listitem>
     <para>If enabled, then validate CA certificates.</para>
     <para><command>ssoadm</command> attribute:
     <literal>CACertValidation</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Enable SAMLv2 failover</term>
    <listitem>
     <para>If enabled, OpenAM can fail over requests to another</para>
     <para><command>ssoadm</command> attribute:
     <literal>failOverEnabled</literal></para>
    </listitem>
   </varlistentry>
   <varlistentry>
    <term>Buffer length to decompress request</term>
    <listitem>
     <para>The size is specified in bytes.</para>
     <para><command>ssoadm</command> attribute:
     <literal>bufferLength</literal></para>
    </listitem>
   </varlistentry>
  </variablelist>
  <variablelist xml:id="saml2-soap-configuration">
   <title>SAMLv2 SOAP Binding</title>
   <para><command>ssoadm</command> service name:
   <literal>sunfmSAML2SOAPBindingService</literal></para>
   <varlistentry>
    <term>Request Handler List</term>
    <listitem>
     <para>List of handlers to deal with SAML2 requests bound to SOAP. The
     key for a request handler is the meta alias, whereas the class indicates
     the name of the class that implements the handler.</para>
     <para><command>ssoadm</command> attribute:
     <literal>sunSAML2RequestHandlerList</literal></para>
    </listitem>
   </varlistentry>
  </variablelist>
<variablelist xml:id="sts-configuration">
<title>Security Token Service</title>
<para><command>ssoadm</command> service name: <literal>sunFAMSTSService</literal></para>
<para>Specifies the name of the security token service</para>
<para><command>ssoadm</command> attribute: <literal>stsIssuer</literal></para>
<term>End Point</term>
<para>Specifies the STS service endpoint</para>
<para><command>ssoadm</command> attribute: <literal>stsEndPoint</literal></para>
<term>Lifetime for Security Token</term>
<para>Milliseconds the security token remains valid</para>
<para><command>ssoadm</command> attribute: <literal>stsLifetime</literal></para>
<term>Certificate Alias Name</term>
<para>Specifies the alias for the signing certificate</para>
<para><command>ssoadm</command> attribute: <literal>stsCertAlias</literal></para>
<term>STS End User Token Plugin class</term>
<para>Specifies the class that converts end user tokens</para>
<para><command>ssoadm</command> attribute:</para>
<term>Security Mechanism</term>
<para>Lists credentials used to secure the token, and credentials OpenAM accepts in the incoming request</para>
<para><command>ssoadm</command> attribute: <literal>SecurityMech</literal></para>
<term>Authentication Chain</term>
<para>Specifies the authentication chain OpenAM applies for incoming requests for authenticated security tokens</para>
<para><command>ssoadm</command> attribute: <literal>AuthenticationChain</literal></para>
<term>User Credential</term>
<para>User name and password shared secrets to validate UserName tokens in incoming requests</para>
<para><command>ssoadm</command> attribute: <literal>UserCredential</literal></para>
<term>Detect Message Replay</term>
<para>If yes, then OpenAM checks for and rejects replayed messages.</para>
<para><command>ssoadm</command> attribute: <literal>DetectMessageReplay</literal></para>
<term>Detect User Token Replay</term>
<para>If yes, then OpenAM checks for and rejects replayed user</para>
<para><command>ssoadm</command> attribute: <literal>DetectUserTokenReplay</literal></para>
<term>Is Request Signature Verified</term>
<para>If yes, then OpenAM verifies signatures on incoming requests.</para>
<para><command>ssoadm</command> attribute: <literal>isRequestSign</literal></para>
<term>Is Response Signed Enabled</term>
<para>If yes, then OpenAM signs the selected parts of the response.</para>
<para><command>ssoadm</command> attribute: <literal>isResponseSign</literal></para>
<term>Signing Reference Type</term>
<para>Specifies the reference type used to sign the response. One of <literal>DirectReference</literal>, <literal>KeyIdentifierRef</literal>, or <literal>X509IssuerSerialRef</literal>.</para>
<para><command>ssoadm</command> attribute: <literal>SigningRefType</literal></para>
<term>Is Request Decrypted</term>
<para>If yes, then OpenAM decrypts the selected parts of the</para>
<para><command>ssoadm</command> attribute: <literal>isRequestEncrypt</literal></para>
<term>Is Response Encrypted</term>
<para>If yes, then OpenAM encrypts responses.</para>
<para><command>ssoadm</command> attribute: <literal>isResponseEncrypt</literal></para>
<term>Encryption Algorithm</term>
<para>Specifies the algorithm used to encrypt responses</para>
<para><command>ssoadm</command> attribute: <literal>EncryptionAlgorithm</literal></para>
<term>Private Key Alias</term>
<para>Alias for the private key used to sign responses and decrypt</para>
<para><command>ssoadm</command> attribute: <literal>privateKeyAlias</literal></para>
<term>Private Key Type</term>
<para>Type of private key. One of <literal>publicKey</literal>, <literal>symmetricKey</literal>, or <literal>noProofKey</literal>.</para>
<para><command>ssoadm</command> attribute: <literal>privateKeyType</literal></para>
<term>Public Key Alias of Web Service Client</term>
<para>Alias for the certificate used to verify request signatures and encrypt responses</para>
<para><command>ssoadm</command> attribute: <literal>publicKeyAlias</literal></para>
<term>Kerberos Domain Server</term>
<para>Specifies the FQDN of the KDC</para>
<para><command>ssoadm</command> attribute: <literal>KerberosDomainServer</literal></para>
<term>Kerberos Domain</term>
<para>Specifies the domain name of the KDC</para>
<para><command>ssoadm</command> attribute: <literal>KerberosDomain</literal></para>
<term>Kerberos Service Principal</term>
<para>Specifies the Kerberos principal who owns the generated token. Use the format <literal>HTTP/<replaceable>host</replaceable>.<replaceable>domain</replaceable>@<replaceable>kdc-domain</replaceable></literal>.</para>
<para><command>ssoadm</command> attribute: <literal>KerberosServicePrincipal</literal></para>
<term>Kerberos Key Tab File</term>
<para>Specifies the key tab file used to issue the token</para>
<para><command>ssoadm</command> attribute: <literal>KerberosKeyTabFile</literal></para>
<term>Is Verify Kerberos Signature</term>
<para>If yes, then OpenAM requires signed Kerberos tokens.</para>
<para><command>ssoadm</command> attribute: <literal>isVerifyKrbSignature</literal></para>
<term>SAML Attribute Mapping</term>
<para>Lists attribute mappings for generated assertions</para>
<para>This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.</para>
<para><command>ssoadm</command> attribute: <literal>SAMLAttributeMapping</literal></para>
<term>NameID Mapper</term>
<para>Specifies the NameID mapper for generated assertions</para>
<para>This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.</para>
<para><command>ssoadm</command> attribute: <literal>NameIDMapper</literal></para>
<term>Should Include Memberships</term>
<para>If yes, then OpenAM requires generated assertions include user</para>
<para>This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.</para>
<para><command>ssoadm</command> attribute: <literal>includeMemberships</literal></para>
<term>Attribute Namespace</term>
<para>Specifies the namespace for generated assertions</para>
<para>This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.</para>
<para><command>ssoadm</command> attribute: <literal>AttributeNamespace</literal></para>
<term>Trusted Issuers</term>
<para>Lists issuers OpenAM can trust to send security tokens</para>
<para><command>ssoadm</command> attribute: <literal>trustedIssuers</literal></para>
<term>Trusted IP Addresses</term>
<para>Lists issuer IP addresses that OpenAM can trust to send security</para>
<para><command>ssoadm</command> attribute: <literal>trustedIPAddresses</literal></para>
<variablelist xml:id="session-configuration-attributes">
<title>Session</title>
<para><command>ssoadm</command> service name: <literal>iPlanetAMSessionService</literal></para>
<term>Secondary Configuration Instance</term>
<para>When session failover is configured, you can set up additional configurations for connecting to the session repository here.</para>
<term>Maximum Number of Search Results</term>
<para>Maximum number of results from a session search</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-session-max-session-list-size</literal></para>
<term>Timeout for Search</term>
<para>Seconds after which OpenAM sees an incomplete search as having</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-session-session-list-retrieval-timeout</literal></para>
<term>Enable Property Change Notifications</term>
<para>If on, then OpenAM notifies other applications participating in SSO when a session property in the Notification Properties list</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-session-property-change-notification</literal></para>
<term>Enable Quota Constraints</term>
<para>If on, then OpenAM allows you to set constraints on user</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-session-enable-session-constraint</literal></para>
<term>Read Timeout for Quota Constraint</term>
<para>Milliseconds after which OpenAM considers a search for live session count as having failed if quota constraints are enabled</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-session-constraint-max-wait-time</literal></para>
<term>Resulting behavior if session quota exhausted</term>
<para>You can either set the next expiring session to be destroyed, <literal>DESTROY_NEXT_EXPIRING</literal>, the oldest session to be destroyed, <literal>DESTROY_OLDEST_SESSION</literal>, all previous sessions to be destroyed, <literal>DESTROY_OLD_SESSIONS</literal>, or deny the new session creation request, <literal>DENY_ACCESS</literal>.</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-session-constraint-resulting-behavior</literal></para>
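<para>The four resulting behaviors above, worked through as an added Python example (not OpenAM's own code): a small in-memory session store applies the quota from Active User Sessions when a user's live session count is already at the limit. Session ids, user names and timestamps are constructed for illustration.</para>

```python
"""Added example (not OpenAM code): how the four values of
iplanet-am-session-constraint-resulting-behavior resolve a quota conflict.
Session ids, users and the clock below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DESTROY_NEXT_EXPIRING = "DESTROY_NEXT_EXPIRING"
DESTROY_OLDEST_SESSION = "DESTROY_OLDEST_SESSION"
DESTROY_OLD_SESSIONS = "DESTROY_OLD_SESSIONS"
DENY_ACCESS = "DENY_ACCESS"


@dataclass
class Session:
    sid: str
    user: str
    created: int  # seconds on a constructed clock, not wall time
    expires: int  # created + maximum session time


@dataclass
class SessionStore:
    quota: int      # plays the role of iplanet-am-session-quota-limit
    behaviour: str  # plays the role of iplanet-am-session-constraint-resulting-behavior
    sessions: Dict[str, Session] = field(default_factory=dict)
    counter: int = 0

    def live_sessions(self, user: str, now: int) -> List[Session]:
        """Sessions of `user` that have not yet reached their expiry."""
        return [s for s in self.sessions.values()
                if s.user == user and s.expires > now]

    def create(self, user: str, now: int, max_session_time: int
               ) -> Tuple[Optional[Session], List[str]]:
        """Try to open a new session; returns (session or None, destroyed ids)."""
        live = self.live_sessions(user, now)
        destroyed: List[str] = []
        if len(live) >= self.quota:
            if self.behaviour == DENY_ACCESS:
                return None, destroyed          # new login refused, nothing touched
            if self.behaviour == DESTROY_NEXT_EXPIRING:
                victims = [min(live, key=lambda s: s.expires)]
            elif self.behaviour == DESTROY_OLDEST_SESSION:
                victims = [min(live, key=lambda s: s.created)]
            elif self.behaviour == DESTROY_OLD_SESSIONS:
                victims = live                  # every previous session of the user
            else:
                raise ValueError(f"unknown behaviour {self.behaviour!r}")
            for victim in victims:
                del self.sessions[victim.sid]
                destroyed.append(victim.sid)
        self.counter += 1
        session = Session(f"sess-{self.counter}", user, now, now + max_session_time)
        self.sessions[session.sid] = session
        return session, destroyed


def run_scenario(behaviour: str) -> Tuple[Optional[str], List[str]]:
    """Quota of 2 for alice; her third login at t=20 triggers the behaviour.
    Returns (new session id or None, sorted ids of destroyed sessions)."""
    store = SessionStore(quota=2, behaviour=behaviour)
    store.create("alice", now=0, max_session_time=100)   # sess-1, expires at 100
    store.create("alice", now=10, max_session_time=50)   # sess-2, expires at 60
    store.create("bob", now=10, max_session_time=100)    # sess-3, another user, untouched
    new, destroyed = store.create("alice", now=20, max_session_time=100)
    return (new.sid if new else None), sorted(destroyed)


if __name__ == "__main__":
    for b in (DESTROY_NEXT_EXPIRING, DESTROY_OLDEST_SESSION,
              DESTROY_OLD_SESSIONS, DENY_ACCESS):
        print(b, run_scenario(b))
```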
<term>Deny user login when session repository is down</term>
<para>This attribute takes effect when quota constraints are</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-session-deny-login-if-db-is-down</literal></para>
<term>Notification Properties</term>
<para>Lists session properties for which OpenAM can send notifications upon modification</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-session-notification-property-list</literal></para>
<term>DN Restriction Only Enabled</term>
<para>If enabled, OpenAM does not perform DNS lookups when checking restrictions in cookie hijacking mode.</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-session-dnrestrictiononly</literal></para>
<term>Enable Session Trimming</term>
<para>If yes, then OpenAM stores only a limited set of session properties after session timeout and before session purging.</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-session-enable-session-trimming</literal></para>
<term>Session Timeout Handler implementations</term>
<para>Lists plugin classes implementing session timeout handlers</para>
<para><command>ssoadm</command> attribute: <literal>openam-session-timeout-handler-list</literal></para>
<term>Maximum Session Time</term>
<para>Maximum minutes a session can remain valid before OpenAM requires the user to authenticate again</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-session-max-session-time</literal></para>
<term>Maximum Idle Time</term>
<para>Maximum minutes a session can remain idle before OpenAM requires the user to authenticate again</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-session-max-idle-time</literal></para>
<term>Maximum Caching Time</term>
<para>Maximum minutes before OpenAM refreshes a session that has been</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-session-max-caching-time</literal></para>
<term>Active User Sessions</term>
<para>Maximum number of concurrent sessions OpenAM allows a user to</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-session-quota-limit</literal></para>
<variablelist xml:id="user-configuration-attributes">
<para><command>ssoadm</command> service name: <literal>iPlanetAMUserService</literal></para>
<term>User Preferred Timezone</term>
<para>Time zone for accessing OpenAM console</para>
<para><command>ssoadm</command> attribute: <literal>preferredtimezone</literal></para>
<term>Administrator DN Starting View</term>
<para>Specifies the DN for the initial screen when the OpenAM administrator successfully logs in to the OpenAM console</para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-user-admin-start-dn</literal></para>
<term>Default User Status</term>
<para>Inactive users cannot authenticate, though OpenAM stores their profiles. Default: <literal>Active</literal></para>
<para><command>ssoadm</command> attribute: <literal>iplanet-am-user-login-status</literal></para>
<section xml:id="servers-and-sites-configuration">
<title>Servers and Sites Configuration</title>
<indexterm><primary>Configuration</primary><secondary>Servers and Sites</secondary></indexterm>
<para>Under Configuration > Servers and Sites you can manage server defaults, configuration for OpenAM server instances, and site configurations when using multiple OpenAM server instances.</para>
<para>To change inherited settings that appear read only for a server, click Default Server Settings on the Servers and Sites tab page to access and adjust the defaults, or change the Inheritance Settings for a specific</para>
<para>After changing server configurations, restart OpenAM or the web application container where OpenAM runs for the changes to take</para>
<variablelist xml:id="servers-general-configuration">
<title>Servers > General</title>
<para>The General tab lets you access the settings to inherit, set the site for the server, and also set system, debug, and mail server</para>
<term>Parent Site</term>
<para>Select the site from the list. You must first create at least one</para>
<term>Base installation directory</term>
<para>OpenAM writes the configuration data and logs here.</para>
<term>Default Locale</term>
<para>The locale used when none is requested.</para>
<term>Notification URL</term>
<para>The notification service endpoint.</para>
<term>XML Validation</term>
<para>If on, then OpenAM validates XML documents that it parses.</para>
<term>Debug Level</term>
<para>Set the log level shared across components for debug logging.</para>
<term>Merge Debug Files</term>
<para>If on, then OpenAM writes all debug log messages to a single file, <filename>debug.out</filename>. By default, OpenAM writes a debug log per component.</para>
<term>Debug Directory</term>
<para>File system directory where OpenAM writes debug logs.</para>
<term>Mail Server Host Name</term>
<para>SMTP host name for email sent by OpenAM.</para>
<term>Mail Server Port Number</term>
<para>SMTP port number for email sent by OpenAM.</para>
<variablelist xml:id="servers-security-configuration">
<title>Servers > Security</title>
<para>Most security settings are inherited by default.</para>
<term>Password Encryption Key</term>
<para>Encryption key for decrypting stored passwords</para>
<para>Example: <literal>TF1Aue9c63bWTTY4mmZJeFYubJbNiSE3</literal></para>
<term>Authentication Service Shared Secret</term>
<para>Shared secret for application authentication</para>
<para>Example: <literal>AQICQ7QMKN5TSt1fpyFZBMZ8hRwkYkkrUaFk</literal></para>
<term>Encryption class</term>
<para>Default class used to handle encryption</para>
<term>Secure Random Factory Class</term>
<para>The default implementation uses pure Java, rather than JSS.</para>
<term>Platform Low Level Comm. Max. Content Length</term>
<para>Maximum content length for an HTTP request</para>
<para>Default: 16384</para>
<term>Client IP Address Check</term>
<para>If yes, then OpenAM checks client IP addresses when creating and validating SSO tokens.</para>
<para>Default: No</para>
<term>Cookie Name</term>
<para>Cookie name OpenAM uses to set a session handler ID during authentication.</para>
<para>Default: <literal>iPlanetDirectoryPro</literal></para>
<term>Secure Cookie</term>
<para>If yes, then OpenAM sets the cookie in secure mode such that the browser only returns the cookie if a secure protocol such as HTTPS is</para>
<para>Default: No</para>
<term>Encode Cookie Value</term>
<para>If yes, then OpenAM URL encodes cookie values.</para>
<para>Default: No</para>
<term>Keystore File</term>
<para>Path to OpenAM key store file</para>
<para>Default: in the directory that holds the OpenAM configuration.</para>
<term>Keystore Password File</term>
<para>Path to password file for key store</para>
<para>Default: Path to <filename>.storepass</filename>, located in the directory that holds the OpenAM configuration.</para>
<term>Private Key Password File</term>
<para>Path to password file for OpenAM private key</para>
<para>Default: Path to <filename>.keypass</filename>, located in the directory that holds the OpenAM configuration.</para>
<term>Certificate Alias</term>
<para>Alias for OpenAM certificate stored in key store</para>
<para>Not set by default</para>
<term>CRL: LDAP server host name</term>
<para>Directory server host name where the certificate revocation list (CRL) is cached</para>
<para>Not set by default</para>
<term>CRL: LDAP server port number</term>
<para>Directory server port number where the certificate revocation list</para>
<para>Not set by default</para>
<para>If yes, then connect securely when accessing the CRL cache directory server</para>
<para>Default: No</para>
<term>CRL: LDAP server bind user name</term>
<para>Bind DN to access CRL cache directory server</para>
<para>Not set by default</para>
<term>CRL: LDAP server bind password</term>
<para>Bind password to access CRL cache directory server</para>
<para>Not set by default</para>
<term>CRL: LDAP search base DN</term>
<para>Base DN under which to search for CRL</para>
<para>Not set by default</para>
<term>CRL: Search Attributes</term>
<para>DN component of issuer's subject DN used to retrieve the CRL</para>
<para>Not set by default</para>
<term>OCSP: Check Enabled</term>
<para>If yes, then OpenAM runs Online Certificate Status Protocol (OCSP)</para>
<para>Default: Yes</para>
<term>Responder URL</term>
<para>URL for OCSP responder</para>
<para>Not set by default</para>
<term>Certificate Nickname</term>
<para>Nickname for OCSP responder certificate</para>
<para>Not set by default</para>
<term>FIPS Mode</term>
<para>If yes, then OpenAM runs in Federal Information Processing Standards</para>
<para>Default: No</para>
<variablelist xml:id="servers-session-configuration">
<title>Servers > Session</title>
<para>Session settings are inherited by default.</para>
<term>Maximum Sessions</term>
<para>Maximum concurrent sessions OpenAM permits</para>
<term>Invalidate Session Max Time</term>
<para>Minutes after which invalid sessions are removed from the session</para>
<term>Sessions Purge Delay</term>
<para>Minutes OpenAM delays session purging</para>
<term>Logging Interval</term>
<para>Seconds OpenAM delays between logging sessions statistics</para>
<para>Whether to write statistics to a <literal>file</literal>, to the <literal>console</literal>, or to turn recording <literal>off</literal></para>
<term>Directory</term>
<para>Path to statistics logs directory</para>
<term>Enable Host Lookup</term>
<para>If yes, then OpenAM performs host lookup during session</para>
<term>Notification Pool Size</term>
<para>Number of threads in the notification pool</para>
<term>Notification Thread Pool Threshold</term>
<para>Maximum number of tasks in the queue for serving notification</para>
<term>Case Insensitive client DN comparison</term>
<para>If yes, then OpenAM distinguished name comparison is case</para>
<variablelist xml:id="servers-sdk-configuration">
<title>Servers > SDK</title>
<para>Most SDK settings are inherited.</para>
<term>Enable Datastore Notification</term>
<para>If yes, then OpenAM uses datastore notification. Otherwise, OpenAM uses in-memory notification.</para>
<term>Enable Directory Proxy</term>
<para>If yes, then OpenAM accounts for the use of a directory proxy to access the directory server.</para>
<term>Notification Pool Size</term>
<para>Service management notification thread pool size</para>
<term>Number of retries for Event Service connections</term>
<para>Maximum number of attempts to reestablish Event Service</para>
<term>Delay between Event Service connection retries</term>
<para>Milliseconds between attempts to reestablish Event Service</para>
<term>Error codes for Event Service connection retries</term>
<para>LDAP error codes for which OpenAM retries rather than returning</para>
<term>Idle Time Out</term>
<para>Minutes after which OpenAM reestablishes idle persistent search</para>
<term>Disabled Event Service Connection</term>
<para>Persistent search connections OpenAM can disable</para>
<term>Number of retries for LDAP Connection</term>
<para>Maximum number of attempts to reestablish LDAP connections</para>
<term>Delay between LDAP connection retries</term>
<para>Milliseconds between attempts to reestablish LDAP connections</para>
<term>Error Codes for LDAP connection retries</term>
<para>LDAP error codes for which OpenAM retries rather than returning</para>
<term>SDK Caching Max. Size</term>
<para>Cache size used if SDK caching is enabled</para>
<term>SDK Replica Retries</term>
<para>Maximum number of attempts to retrieve entries returned as not</para>
<term>Delay between SDK Replica Retries</term>
<para>Milliseconds between attempts to retrieve entries through the</para>
<term>Cache Entry Expiration Enabled</term>
<para>If no, then cache entries expire based on User Entry Expiration</para>
<term>User Entry Expiration Time</term>
<para>Minutes user entries remain valid after modification. When OpenAM accesses a user entry that has expired, it rereads the entry from the directory server.</para>
<term>Default Entry Expiration Time</term>
<para>Minutes non-user entries remain valid after modification</para>
<variablelist xml:id="servers-directory-configuration">
<title>Servers > Directory Configuration</title>
<para>Use this tab to change connection settings and add additional LDAP configuration directory server instances.</para>
<term>Minimum Connection Pool</term>
<para>Set the minimum number of connections in the pool.</para>
<term>Maximum Connection Pool</term>
<para>Set the maximum number of connections in the pool.</para>
<term>Bind DN</term>
<para>Set the bind DN to connect to the configuration directory</para>
<term>Bind Password</term>
<para>Set the bind password to connect to the configuration directory</para>
<variablelist xml:id="servers-cts">
<title>Servers > CTS</title>
<para>The Core Token Service (CTS) does not need to be configured in the same LDAP storage as the external or embedded user store. The CTS can instead be configured on its own external directory server. There are some specific requirements for indexing and replication which need to be accounted for. In particular, WAN replication is an important consideration which needs to be handled carefully for optimum performance.</para>
<para>You can also set advanced properties related to token size; these are identified in the following section: <xref linkend="servers-advanced-configuration" />.</para>
<term>Default Token Store</term>
<para>If selected, CTS tokens are stored in the same external or embedded datastore as the OpenAM configuration store. If you use the default token store, you can only configure the <literal>Root Suffix</literal>; the store itself is the one associated with the <literal>Directory Configuration</literal> tab of the individual servers.</para>
<term>External Token Store</term>
<para>If you use OpenDJ, you can separate the CTS from the configuration on different external servers. On the external CTS server, you can also configure token schema and indexes.</para>
<term>Root Suffix</term>
<para>For either the default or external token stores, enter the base DN for CTS storage information in LDAP format, such as <literal>dc=cts,dc=forgerock,dc=com</literal>. The <literal>Root Suffix</literal> would be a database that can be maintained and replicated separately from the standard user datastore.</para>
<para>Access the directory service using StartTLS or LDAPS.</para>
<term>Directory Name</term>
<para>The hostname of the external server.</para>
<para>Specifies the TCP/IP port number used for communication to the external datastore, such as 389 for LDAP.</para>
<term>Login Id</term>
<para>Specifies the user, in DN format, needed to authenticate. The user needs sufficient privileges to read and write to the root suffix of the external datastore.</para>
<term>Password</term>
<para>Specifies the password associated with the Login Id.</para>
<term>Max Connections</term>
<para>Notes the maximum number of remote connections to the external datastore.</para>
<term>Heartbeat</term>
<para>Specifies how often OpenAM should send a heartbeat request to the directory server to ensure that the connection does not remain idle, in seconds. Default: 10.</para>
<variablelist xml:id="servers-advanced-configuration">
<title>Servers > Advanced</title>
<para>Use this page to set advanced properties directly. A partial list of advanced properties follows.</para>
<para>For a list of inherited advanced properties, see the table under the Advanced tab for Default Server Settings.</para>
<para>Properly URL encode session tokens.</para>
<para>Default: <literal>true</literal></para>
<para><literal>iplanetDirectoryPro</literal> cookie lifetime if persistent, in hours</para>
<para>Default: 24</para>
<para>Modules for which to open daemons at OpenAM startup.</para>
<para>Default: <literal>securid</literal></para>
<para>Whether to connect to the configuration directory server over</para>
<para>Default: <literal>false</literal></para>
<para>OpenAM Configuration and log file location.</para>
<para>Default: <literal>~/openam/<replaceable>server-uri</replaceable></literal>,</para>
<para>When using JSS, check whether the name values in the <literal>SubjectAltName</literal> certificate match the server FQDN.</para>
<para>Default: <literal>false</literal></para>
<para>When using JSS, check that the IP address of the server resolves to the host name.</para>
<para>Default: <literal>false</literal></para>
<para>When using JSS, comma-separated list of server FQDNs to trust if they match the certificate CN, even if the domain name is not</para>
<para>When using JSS, set to <literal>true</literal> to trust whatever certificate is presented without checking.</para>
<para>Default: <literal>true</literal></para>
<para>Used with sticky load balancers that can inspect the cookie</para>
<para>Default: <literal>amlbcookie</literal></para>
<para>Used with sticky load balancers that can inspect the cookie value. Set this property to a unique value if your load balancer requires it. Restart OpenAM for the change to take effect.</para>
<para>Default: 01</para>
<para>Persistent cookie name.</para>
<para>Default: <literal>DProPCookie</literal></para>
<para>Not used</para>
<para>Default: <replaceable>server-host</replaceable>, such as</para>
<para>Not used</para>
<para>Default: <replaceable>server-port</replaceable>, such as 8080 or</para>
<para>Time in minutes after which a policy agent session expires.</para>
<para>Default: 0, meaning never time out. Range is 0-30 (minutes).</para>
<para>Whether client applications such as policy agents poll for configuration changes. If <literal>false</literal>, then OpenAM notifies clients about changes.</para>
<para>Default: false</para>
<para>If client applications poll for changes, number of seconds between</para>
<para>Default: 180</para>
<para>Time in milliseconds between health checks of other servers in the</para>
<para>Default: 1000</para>
<para>Socket timeout in milliseconds for health checks of other servers in the same site.</para>
<para>Default: 1000</para>
<para>Create an <literal>HttpSession</literal> for users on successful authentication.</para>
<para>Default: <literal>true</literal></para>
<para>SSL socket factory implementation used by OpenAM.</para>
<para>Default: uses a pure Java provider</para>
<para>Strings that OpenAM rejects as values in <literal>goto</literal> query string parameters.</para>
<para>Default: <literal>&lt;,&gt;javascript:,javascript%3a,%3c,%3e</literal></para>
<para>Replication port for embedded OpenDJ directory server.</para>
<para>Default: 8989</para>
<para>Whether to replicate data between embedded directory servers.</para>
<para>Default: <literal>on</literal></para>
<para>Whether to check for cookie support in the user agent, and if not to return an error.</para>
<para>Default: <literal>false</literal></para>
<para>Whether to append the session cookie to URL for a zero page</para>
<para>Default: <literal>true</literal></para>
<para>Cookie used by the OpenAM authentication service to handle the authentication process.</para>
<para>Default: <literal>AMAuthCookie</literal></para>
<para>Set the name of the HTTP header that OpenAM can examine to learn the client IP address when requests go through a proxy or load balancer. (When requests go through an HTTP proxy or load balancer, checking the IP address on the request alone returns the address of the proxy or load balancer rather than that of the client.) OpenAM must be able to trust the proxy or load balancer to set the client IP address correctly in the header</para>
2N/A <
para>Whether to allow users to open many browser tabs to the login page
2N/A at the same time without encountering an error.</
para>
2N/A <
para>Default: <
literal>false</
literal></
para>
2N/A <
para>Whether to allow multiple cookie domains.</
para>
2N/A <
para>Default: <
literal>true</
literal></
para>
2N/A <
para>List of special users always authenticated against the local
2N/A directory server.</
para>
2N/A <
para>Default: <
literal>cn=dsameuser,ou=DSAME Users,<?
eval 2N/A ${
defaultRootSuffix}?>|cn=amService-UrlAccessAgent,ou=DSAME Users,<?
eval 2N/A ${
defaultRootSuffix}?></
literal></
para>
2N/A <
para>OpenAM privileged administrator user.</
para>
2N/A <
para>Default: <
literal>uid=amAdmin,ou=People,<?
eval 2N/A ${
defaultRootSuffix}?></
literal></
para>
2N/A <
para>When cookie hijacking protection is configured, name of the cookie
2N/A holding the URL to the OpenAM server that authenticated the user.</
para>
2N/A <
para>Default: <
literal>sunIdentityServerAuthNServer</
literal></
para>
2N/A <
para>Notification service endpoint for clients such as policy agents.</
para>
2N/A <
para>Default: <
literal><
replaceable>server-protocol</
replaceable 2N/A >://<
replaceable>server-host</
replaceable>:<
replaceable 2N/A >server-port</
replaceable>/<
replaceable>server-uri</
replaceable 2N/A >/notificationservice</
literal>, such as <
literal 2N/A <
para>Number of threads in the shared system timer pool used to schedule
2N/A operations such as session timeout.</
para>
2N/A <
para>Default: 3</
para>
2N/A <
para>When set to <
literal>true</
literal>, mark cookies as HTTPOnly to
2N/A prevent scripts and third-party programs from accessing the cookies.</
para>
2N/A <
para>Default: <
literal>false</
literal></
para>
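Because the HTTPOnly setting defaults to false, the flag is worth verifying on the wire after a deployment is configured. The Python below is an added example, not OpenAM code: it parses Set-Cookie header values and reports session cookies that lack the HttpOnly attribute. The Secure attribute check is an addition of the example rather than something this property controls, and the sample Set-Cookie headers and token values are constructed.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as HttpOnly and
    Secure carry the value True, valued attributes keep their string.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def audit_cookies(set_cookie_headers,
                  session_cookie_names=("iplanetDirectoryPro", "AMAuthCookie")):
    """Return (cookie name, finding) pairs for session cookies missing flags.

    Only the named session cookies are audited; other cookies such as the
    web container's own session id are left to the container's settings.
    """
    findings = []
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in session_cookie_names:
            continue
        if "httponly" not in attrs:
            findings.append((name, "missing HttpOnly"))
        if "secure" not in attrs:   # added check, not governed by the HTTPOnly property
            findings.append((name, "missing Secure"))
    return findings


# Constructed Set-Cookie headers as a server might return them.
SAMPLE_SET_COOKIE_HEADERS = [
    "iplanetDirectoryPro=constructed-token-1; Path=/; Domain=.example.com",
    "AMAuthCookie=constructed-token-2; Path=/; Secure; HttpOnly",
    "JSESSIONID=1A2B3C; Path=/openam; HttpOnly",
]

if __name__ == "__main__":
    for cookie, finding in audit_cookies(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{cookie}: {finding}")
```

In the sample, only iplanetDirectoryPro is reported, once for each missing attribute; AMAuthCookie carries both flags and JSESSIONID is outside the audited set.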
<para>If <literal>true</literal>, then OpenAM is using protection against
cookie hijacking.</para>
<para>Default: <literal>false</literal></para>
<para>Whether JSS should take priority over other providers.</para>
<para>Default: <literal>true</literal></para>
<para>Whether monitoring is active for OpenAM.</para>
<para>Default: <literal>off</literal></para>
<para>URL for local connection to the monitoring service.</para>
<para>Default: <literal>service:jmx:rmi://</literal></para>
<para>Internal property used by OpenAM.</para>
<para>Default: <replaceable>server-uri</replaceable>, such as
<literal>openam</literal></para>
<para>Weights of the cost of evaluating policy subjects, rules, and
conditions. Evaluation is in order of heaviest weight to lightest weight.</para>
<para>Default: <literal>10:10:10</literal>, meaning evaluation of rules,
then conditions, then subjects</para>
<para>Maximum number of policy decisions OpenAM caches.</para>
<para>Default: 10000</para>
<para>Enables virtual hosts, partial hostname and IP address. Maps invalid
or virtual name keys to valid FQDN values for proper redirection.</para>
<para>To map <literal>myserver</literal> to
<para>Enables tokens to be encrypted when stored.</para>
<para>Multi-instance deployments require consistent use of this property, which should
be done under the Servers and Sites > Default Server Settings > Advanced.</para>
Servers and Sites > Server > Security > Password Encryption Key. You will need to
verify that all servers have the same setting for this property as the default
<para>Default: <literal>false</literal></para>
<para>Whether to perform an HTTP GET on
check against another server in the same site. If
<literal>false</literal>, then OpenAM only checks the Socket connection,
and does not perform an HTTP GET.</para>
<para>If each OpenAM server runs behind a reverse proxy, then setting
this property to <literal>true</literal> means the health check actually
runs against the OpenAM instance, rather than checking only the Socket
to the reverse proxy.</para>
<para>Default: <literal>false</literal></para>
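The difference between the two health-check modes is easiest to see by running both against a listener that accepts TCP connections but serves no HTTP, which is what a reverse proxy with a dead backend looks like from the outside. The Python below is an added example, not OpenAM code: it uses the 1000 ms socket timeout from the reference as its default, starts a real HTTP server and a TCP-only listener on loopback, and compares the results. The `/health` path is an assumption of the example, not a documented OpenAM monitoring URL.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request


def socket_check(host, port, timeout_ms=1000):
    """Socket-only check: passes as soon as a TCP connection is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout_ms / 1000):
            return True
    except OSError:
        return False


def http_get_check(url, timeout_ms=1000):
    """HTTP GET check: passes only if the service answers 200 within the timeout."""
    try:
        with urllib.request.urlopen(url, timeout=timeout_ms / 1000) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError):
        # Non-200 status, connection reset, and timeout all land here.
        return False


class _HealthHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for a healthy instance; /health is a constructed path."""
    def do_GET(self):
        body = b"OK" if self.path == "/health" else b""
        self.send_response(200 if body else 404)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_tcp_only_listener():
    """Listener that accepts and immediately drops connections: TCP up, HTTP down."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def run():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()

    threading.Thread(target=run, daemon=True).start()
    return srv, srv.getsockname()[1]


def run_demo():
    """Run both checks against a healthy server and a TCP-only listener."""
    httpd = http.server.HTTPServer(("127.0.0.1", 0), _HealthHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    hport = httpd.server_address[1]
    tcp_srv, tport = start_tcp_only_listener()
    try:
        return {
            "healthy_socket": socket_check("127.0.0.1", hport),
            "healthy_get": http_get_check(f"http://127.0.0.1:{hport}/health"),
            "proxy_only_socket": socket_check("127.0.0.1", tport),
            "proxy_only_get": http_get_check(f"http://127.0.0.1:{tport}/health"),
        }
    finally:
        httpd.shutdown()
        httpd.server_close()
        tcp_srv.close()


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {'pass' if ok else 'fail'}")
```

The TCP-only listener passes the socket check and fails the GET check, which is exactly the case the property exists for: with the default of false, a site member whose proxy is up but whose OpenAM instance is down still looks healthy.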
<para>URL to monitor when
<literal>true</literal>.</para>
on the remote server</para>
<para>Whether to perform a Java security permissions check for OpenAM.</para>
<para>Default: <literal>false</literal></para>
<para>For CTS token encryption, if desired.</para>
<para>Default: false</para>
<para>For GZip-based compression of CTS tokens, if desired.</para>
<para>Default: false</para>
<para>For additional compression of CTS token JSON binaries, beyond GZip, if desired.</para>
<para>Default: false</para>
<para>When service configuration caching time-to-live is enabled, this
sets the time to live in minutes.</para>
<para>Default: 30</para>
<para>If service configuration caching is enabled, whether to enable a
time-to-live for cached configuration.</para>
<para>Default: <literal>false</literal></para>
<para>File system directory to hold file-based representation of OpenAM
configuration.</para>
<para>Default: <literal>~/openam/<replaceable>server-uri</replaceable
<para>Class used to read and write OpenAM service configuration entries
in the directory.</para>
<para>Used to set the read timeout in milliseconds for HTTP and HTTPS
connections to other servers.</para>
<para>Default: 30000</para>
<para>Allows the OpenAM ClusterStateService to work with HTTPS
<para>Default: <literal>true</literal></para>
<para>Whether to cache documents for HTTP and HTTPS connections to other
<para>Default: <literal>false</literal></para>
<para>Name of the web container to correctly set character encoding, if
<para>Default: <literal>WEB_CONTAINER</literal></para>
<para>Used to assign privileged console access to particular users. Set
to a <literal>|</literal> separated list of users' Universal IDs, such as
${defaultRootSuffix}?>|uid=demo2,ou=user,<?eval ${defaultRootSuffix}?></literal>.</para>
<para>Whether to destroy the old session after a session is successfully
<para>Default: <literal>true</literal></para>
<para>Cookie used by the OpenAM distributed authentication service to
handle the authentication process.</para>
<para>Default: <literal>AMDistAuthCookie</literal></para>
<para>Class that controls which session properties are copied during
session upgrade, where default is to copy all properties to the upgraded
<para>The X-DSAMEVersion HTTP header provides detailed information about the version
of OpenAM currently running on the system, including the build and date/time of
the build. OpenAM must be restarted after this property is enabled.</para>
<para>Default: false</para>
<para>Whether to ignore the <literal>goto</literal> query string parameter
on logout, instead displaying the logout page.</para>
<para>Default: <literal>false</literal></para>
<para>Character set used for globalization.</para>
<para>Default: <literal>UTF-8</literal></para>
<para>Comma-separated list of HTTP headers not to copy when the distributed
authentication server forwards a request to another distributed
authentication server.</para>
<para>Default: <literal>connection</literal></para>
<para>Comma-separated list of HTTP headers not to copy when the distributed
authentication server forwards a request to another distributed
authentication server.</para>
<para>Default: <literal>connection</literal></para>
<para>Comma-separated list of HTTP headers to copy to the forwarded
response when the server forwards a request to another server.</para>
<para>Requests are forwarded when the server receiving the request is
not the server that originally initiated authentication. The server that
originally initiated authentication is identified by a cookie.</para>
<para>When the distributed authentication service (DAS) is in use, then
the cookie is the <literal>AMDistAuthCookie</literal> that identifies the
DAS server by its URL.</para>
<para>When authentication is done directly on OpenAM, then the cookie is
the <literal>AMAuthCookie</literal> that holds a session ID that identifies
the OpenAM server.</para>
<para>On subsequent requests the server receiving the request checks the
cookie. If the cookie identifies another server, the current server
forwards the request to that server.</para>
<para>If a header such as <literal>Cache-Control</literal> has been
included in the list of values for the property
and the header must also be copied to the response, then add it to the
list of values for this property.</para>
<para>Default: <literal>X-DSAMEVersion</literal></para>
<varlistentry xml:id="openam-retained-http-request-headers">
<para>Comma-separated list of HTTP headers to copy to the forwarded request
when the server forwards a request to another server.</para>
<para>Requests are forwarded when the server receiving the request is
not the server that originally initiated authentication. The server that
originally initiated authentication is identified by a cookie.</para>
<para>When the distributed authentication service (DAS) is in use, then
the cookie is the <literal>AMDistAuthCookie</literal> that identifies the
DAS server by its URL.</para>
<para>When authentication is done directly on OpenAM, then the cookie is
the <literal>AMAuthCookie</literal> that holds a session ID that identifies
the OpenAM server.</para>
<para>On subsequent requests the server receiving the request checks the
cookie. If the cookie identifies another server, the current server
forwards the request to that server.</para>
<para>When configuring the distributed authentication service, or when a
reverse proxy is set up to provide the client IP address in the
<literal>X-Forwarded-For</literal> header, if your deployment includes
multiple OpenAM servers, then this property must be set to include the
<para>OpenAM copies the header when forwarding a request to the
authoritative server where the client originally began the authentication
process, so that the authoritative OpenAM server receiving the forwarded
request can determine the real client IP address.</para>
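Two properties above fit together: the client IP header (X-Forwarded-For in the text) is only meaningful when it came from a proxy OpenAM trusts, and it only reaches the authoritative server if the retained request headers list names it. The Python below is an added example, not OpenAM code, covering both points: a retained-list filter for forwarded headers, and a client-address resolver that walks the X-Forwarded-For chain from the right, skipping trusted proxies, and ignores the header entirely when the TCP peer is not a trusted proxy. The right-to-left walk and the trusted-range check are standard practice, not documented OpenAM behaviour; the 10.0.0.0/8 proxy range and all addresses are constructed.

```python
import ipaddress


def headers_to_forward(headers, retained_headers):
    """Keep only the headers named in the comma-separated retained list.

    Names are compared case-insensitively, as HTTP header names are.
    """
    keep = {h.strip().lower() for h in retained_headers.split(",") if h.strip()}
    return {k: v for k, v in headers.items() if k.lower() in keep}


def client_ip_from_request(peer_ip, headers, trusted_proxies,
                           header_name="X-Forwarded-For"):
    """Resolve the real client address behind one or more proxies.

    peer_ip         address of the TCP peer that delivered the request
    headers         request headers (names matched case-insensitively)
    trusted_proxies IP networks whose X-Forwarded-For entries are believed
    Walk the chain right to left; the first hop that is not a trusted proxy
    is the client. If the peer itself is untrusted the header is ignored,
    because anything on the open network could have written it.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def trusted(ip):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in n for n in nets)

    if not trusted(peer_ip):
        return peer_ip
    value = next((v for k, v in headers.items()
                  if k.lower() == header_name.lower()), "")
    hops = [h.strip() for h in value.split(",") if h.strip()]
    candidate = peer_ip
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break            # malformed hop: stop at the last trusted proxy seen
        if trusted(hop):
            candidate = hop  # another hop of our own infrastructure, keep walking
            continue
        return hop           # first untrusted address from the right is the client
    return candidate


# Constructed scenarios: 10.0.0.0/8 stands in for the proxy tier.
TRUSTED = ["10.0.0.0/8"]
SCENARIOS = {
    "single proxy":      ("10.0.0.5",   {"X-Forwarded-For": "203.0.113.7"}),
    "spoofed left hop":  ("10.0.0.5",   {"x-forwarded-for": "198.51.100.9, 203.0.113.7, 10.0.0.6"}),
    "untrusted peer":    ("192.0.2.44", {"X-Forwarded-For": "10.0.0.1"}),
    "no header":         ("10.0.0.5",   {}),
}


def run_scenarios():
    return {name: client_ip_from_request(peer, hdrs, TRUSTED)
            for name, (peer, hdrs) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, ip in run_scenarios().items():
        print(f"{name:18} -> {ip}")
    fwd = headers_to_forward(
        {"X-DSAMEVersion": "constructed", "X-Forwarded-For": "203.0.113.7",
         "Cache-Control": "no-cache"},
        "X-DSAMEVersion,X-Forwarded-For")
    print("forwarded headers:", sorted(fwd))
```

In the "spoofed left hop" scenario the leftmost entry is whatever the client chose to send; the resolver returns 203.0.113.7, the address the first trusted proxy actually observed. In the "untrusted peer" scenario the header is discarded and the peer address is used, which is the behaviour the reference's trust requirement implies.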
<para>In order to retain headers to return in the response to the OpenAM
server that forwarded the request, use the property
<para>Default: <literal>X-DSAMEVersion</literal></para>
<para>If <literal>true</literal> users can extend the lifetime of the
<literal>iplanetDirectoryPro</literal> cookie to
basis, by using the query string parameter
<para>Whether universal user IDs are considered case sensitive when
matching them.</para>
<para>Default: <literal>false</literal></para>
<para>If <literal>true</literal> extend the lifetime of the
<literal>iplanetDirectoryPro</literal> cookie to
<para>Default: false</para>
<para>This property is for use in multi-server deployments where session
failover is not available. If <literal>true</literal>, calculate session
quotas per server. In other words, if the session quota is 5 sessions and
users can access up to 4 servers, they can have a maximum of 20 (5 * 4)
<para>Default: <literal>false</literal></para>
<para>If the web application container sets
<para>Administration port for embedded OpenDJ directory server.</para>
<para>Default: 4444</para>
<para>Days until account expiration set after successful authentication
by the account expiration post authentication plugin.</para>
<para>Default: 30</para>
<para>Port on which SecurID daemon listens.</para>
<para>Default: 58943</para>
<para>Set to <literal>false</literal> to enable
<para>Default: <literal>true</literal></para>
<variablelist xml:id="sites-configuration">
<title>Sites</title>
<para>Sites involve multiple OpenAM servers working together to provide
services. You can use sites with load balancers and session failover to
configure pools of servers capable of responding to client requests in
highly available fashion.</para>
<term>Primary URL</term>
<para>Set the primary entry point to the site, such as the URL to the
load balancer for the site configuration.</para>
<term>Secondary URLs</term>
<para>Set alternate entry points to the site. Used when session failover
is configured.</para>
<term>Assigned Servers</term>
<para>Shows the list of OpenAM servers in the site.</para>