AMAgent.properties revision 4fe4e4f798a84a46e567f64ceadd3648eb0582d4
#
# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
#
# Copyright (c) 2008 Sun Microsystems, Inc. All Rights Reserved.
#
# The contents of this file are subject to the terms
# of the Common Development and Distribution License
# (the License). You may not use this file except in
# compliance with the License.
#
# You can obtain a copy of the License at
# See the License for the specific language governing
# permission and limitations under the License.
#
# When distributing Covered Code, include this CDDL
# Header Notice in each file and include the License file
# If applicable, add the following below the CDDL Header,
# with the fields enclosed by brackets [] replaced by
# your own identifying information:
# "Portions Copyrighted [year] [name of copyright owner]"
#
# $Id: AMAgent.properties,v 1.4 2008/08/19 19:11:35 veiming Exp $
#
#########################################################################
#
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
#
# NOTE: The value of a property that is specified multiple times is not
# defined.
#
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
#
#########################################################################
#
# The name of the cookie passed between the OpenSSO
# and the SDK.
#
# WARNING: Changing this property without making the corresponding change
# to the OpenSSO will disable the SDK.
#
com.sun.am.cookie.name = iPlanetDirectoryPro
#
# If this property is set to true the cookies set by the agent
# will be marked secure and will only be transmitted if the
# communications channel with the host is a secure one.
#
com.sun.am.cookie.secure = false
#
# The URL for the OpenSSO Naming service.
#
#
# The URL of the login page on the OpenSSO.
#
#
# Name of the file to use for logging messages.
#
#
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
#
#
# Name of the OpenSSO log file to use for logging messages to
# OpenSSO.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the OpenSSO.
#
#
# Set the logging level for the specified logging categories.
# The format of the values is
#
# <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
#
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
#
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
#
# The meaning of the 'Level' value is described below:
#
# 0 Disable logging from specified module*
# 1 Log error messages
# 2 Log warning and error messages
# 3 Log info, warning, and error messages
# 4 Log debug, info, warning, and error messages
# 5 Like level 4, but with even more debugging messages
# 128 log url access to log file on AM server.
# 256 log url access to log file on local machine.
#
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
#
# for level of 128 and 256, you must also specify a logAccessType.
#
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
#
com.sun.am.log.level = all:5
#
# The org, username and password for Agent to login to AM.
#
com.sun.am.policy.am.username = USER_NAME
com.sun.am.policy.am.password = SHARED_SECRET
#
# Name of the directory containing the certificate databases for SSL.
#
com.sun.am.sslcert.dir = SERVER_DIR
#
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
#
#com.sun.am.certdb.prefix = AGENT_CERT_PREFIX
#
# Should agent trust all server certificates when OpenSSO
# is running SSL?
#
# Possible values are true or false.
#
#
# Should the policy SDK use the OpenSSO notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
#
# Possible values are true or false.
#
com.sun.am.notification.enable = NOTIFICATION_ENABLE
#
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
#
#com.sun.am.notification.url = AGENT_URL_PREFIX/UpdateAgentCacheServlet?shortcircuit=false
#
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
#
# This property determines the amount of time (in minutes) a policy entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
# This property determines the amount of time (in minutes) an sso entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
# This property allows the user to configure the User Id parameter passed
# by the session information from the OpenSSO. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
#
com.sun.am.policy.am.userid.param=UserToken
#
# Profile attributes fetch mode
#
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
#
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
#
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
#
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
#
# Session attributes mode
#
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
#
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
#
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
#
#
# Response Attribute Fetch Mode
#
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
#
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
#
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
#
# indicate where a load balancer is used for OpenSSO
# services.
#
# true | false
#
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
#
#
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = AGENT_URL_PREFIX
#
# Locale setting.
#
#
# The unique identifier for this agent instance.
#
#
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
#
#
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
#
#
# This property indicates if FQDN checking is enabled or not.
#
#
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
#
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
#
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
#
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
#
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
com.sun.am.policy.agents.config.fqdn.default = AGENT_HOST
#
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
#
# The format for this property is:
#
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
#
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the OpenSSO policy console, in this file set the mapping as
#
#
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
#
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
#
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# OpenSSO for Authentication.
# By default this is set to false.
#
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
#
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to OpenSSO.
# This property is used only if the Cookie Reset feature is enabled.
#
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
#
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
#
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
#
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
#
# user id returned if accessing global allow page and not authenticated
#
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
#
#
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
#
#com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
#
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
#
#
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
#
# Enable POST data preservation; By default it is set to false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=CDSSO_ENABLED
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url = CDSSO_SERVER_LOGIN_URL
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
#
# Below properties are used to define cookie prefix and cookie max age
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
# Any cookies to be reset upon logout in the same format as cookie_reset_list
#
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the OpenSSO.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
#
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
#
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
# The following property is to enable encoding of URL special
# chars, if any. If set to true agent will encode URL special
# characters before sending for policy evaluation.
#
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
#
#
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
#
#
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
#
#
# The following property defines how long to wait in attempting
# to connect to an OpenSSO AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active OpenSSO Auth server"
#
#
# Time in milliseconds the agent will wait to receive the
# response from OpenSSO. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
#
# The following property in milliseconds indicates how long the
# socket connection needs to be kept open.
# The default value is 0 which implies no timeout.
#
# This property determines the amount of time (in minutes) after which
# the agent polls whether the primary server is up and running.
# The default value is 5 minutes
# Indicate if the socket option TCP_NODELAY should be enabled.
# Possible values are true or false. Default is false
#
com.sun.am.tcp_nodelay.enable = false
# Set the IIS filter priority. The choices are
# HIGH - IIS5 filter priority is HIGH.
# LOW - IIS5 filter priority is LOW.
# MEDIUM - IIS5 filter priority is MEDIUM.
# DEFAULT - IIS5 filter priority is DEFAULT.