appendix-jee-config-properties.xml revision 1333c72f0f97e72c63d67213bf59885c0654b607
<?xml version="1.0" encoding="UTF-8"?>
<!--
! CCPL HEADER START
!
! This work is licensed under the Creative Commons
! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
! To view a copy of this license, visit
! or send a letter to Creative Commons, 444 Castro Street,
! Suite 900, Mountain View, California, 94041, USA.
!
! You can also obtain a copy of the license at
! See the License for the specific language governing permissions
! and limitations under the License.
!
! If applicable, add the following below this CCPL HEADER, with the fields
! enclosed by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CCPL HEADER END
!
! Copyright 2012-2013 ForgeRock AS
!
-->
<appendix xml:id='appendix-jee-config-properties'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
xmlns:xlink='http://www.w3.org/1999/xlink'
xmlns:xinclude='http://www.w3.org/2001/XInclude'>
<title>Java EE Agent Configuration Properties</title>
<para>Java EE Agents use the following configuration properties. Bootstrap
properties are always configured locally, whereas other agent configuration
properties are either configured centrally in OpenAM or locally using the
agent properties file.</para>
<section xml:id="jee-bootstrap-configuration-properties">
<title>Bootstrap Configuration Properties</title>
<para>These properties are set in
<filename>config/<?eval ${agentsBootstrapFile}?></filename>.</para>
<variablelist>
<varlistentry>
<listitem>
<para>When using an encrypted password, set this to the encryption key
used to encrypt the agent profile password.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the naming service URL(s) used for naming lookups in
OpenAM. Separate multiple URLs with single space characters.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When using a plain text password, set this to the password for
blank.</para>
<para>When using an encrypted password, set this to the encrypted version
of the password for the agent profile. Use the command
<replaceable>passwordFile</replaceable></command> to get the encrypted
version.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the URI under which OpenAM is deployed, such as
<literal>/openam</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the full path of the agent's debug log directory
where the agent writes debug log files.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the agent profile name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the full path for the agent's audit log file.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to <literal>true</literal> to require an agent restart to
allow agent configuration changes, even for hot-swappable parameters.
Default is <literal>false</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the realm name where the agent authenticates to
OpenAM.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the profile name used to fetch agent configuration data.
Unless multiple agents use the same credentials to authenticate, this is
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the class name of the service resolver used by the
agent.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When set to <literal>on</literal>, the default, the agent writes all
debug messages to a single file under
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="jee-agent-configuration-properties">
<title>Agent Configuration Properties</title>
<para>These properties are set in
<filename>config/<?eval ${agentsConfigurationFile}?></filename> if your
agent uses local configuration. If your agent uses centralized configuration,
the properties are set in OpenAM.</para>
<variablelist>
<varlistentry>
<listitem>
<para>Name of the SSO Token cookie used between the OpenAM server and
the agent. Default: <literal>iPlanetDirectoryPro</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global > Cookie
Name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When notifications are not enabled and this property is set to a value
other than zero, specifies the time in minutes after which the agent polls
to update cached user management data. Default: 1</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
User Data Cache Polling Time.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the OpenAM authentication service host name.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
OpenAM Authentication Service Host Name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the OpenAM authentication service port number.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
OpenAM Authentication Service Port.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the protocol used by the OpenAM authentication
service.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
OpenAM Authentication Service Protocol.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the session client polls to update the session cache
rather than relying on notifications from OpenAM.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Enable Client Polling.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the time in seconds after which the session client
requests an update from OpenAM for cached session information. Default:
180</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Client Polling Period.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the agent's encryption provider class.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Miscellaneous >
Encryption Provider.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Default is <literal>Error</literal>. Increase to
<literal>Message</literal> or even <literal>All</literal> for
fine-grained detail.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global > Agent
Debug Level.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the URIs of custom pages to return when access is denied.
The key is the web application name. The value is the custom URI.</para>
<para>To set a global custom access denied URI for applications without
other custom access denied URIs defined, leave the key empty and set the
value to the global custom access denied URI,
<para>To set a custom access denied URI for a specific application, set
the key to the name of the application, and the value to the application
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Resource Access Denied URI.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the host name of the agent protected server to show to
client browsers, rather than the actual host name.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Alternative Agent Host Name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the port number of the agent protected server to show to
client browsers, rather than the actual port number.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Alternative Agent Port Name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the protocol that client browsers use to contact the agent,
rather than the actual protocol used by the server.
Either <literal>http</literal> or <literal>https</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Alternative Agent Protocol.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent exposes SSO Cache through the agent SDK
APIs.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > SSO > SSO Cache
Enable.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, attribute values are URL encoded before being set as
a cookie.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Attribute Cookie Encode.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the separator for multiple values of the same attribute
when it is set as a cookie. Default: <literal>|</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Cookie Separator Character.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
attribute values used when an attribute is set in an HTTP header. Default:
<literal>EEE, d MMM yyyy hh:mm:ss z</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Fetch Attribute Date Format.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Types of messages to log based on user URL access attempts.</para>
<para>Valid values for the configuration file property include
<literal>LOG_NONE</literal>, <literal>LOG_ALLOW</literal>,
<literal>LOG_DENY</literal>, and <literal>LOG_BOTH</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global > Audit
Access Types.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies custom authentication handler classes for users
authenticated with the application server. The key is the web application
name and the value is the authentication handler class name.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Custom Authentication Handler.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies a list of principals the agent bypasses for
authentication and search purposes, such as <literal>guest</literal>
or <literal>testuser</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Miscellaneous >
Bypass Principal List.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>List of URLs of the available CDSSO controllers that the agent can
use for CDSSO processing. For example,
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > SSO > CDSSO
Servlet URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When set to a value other than zero, specifies the clock skew in
seconds that the agent accepts when determining the validity of the CDSSO
authentication response assertion.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > SSO > CDSSO Clock
Skew.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
cookies have to be set in CDSSO.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > SSO > Cross Domain
SSO.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enables Cross Domain Single Sign On.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > SSO > Cross Domain
SSO.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies a URI the agent uses to process CDSSO requests.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > SSO > CDSSO
Redirect URI.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent marks the SSO Token cookie as secure, so
the cookie is only transmitted over secure connections.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > SSO > Cross Domain
SSO.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the list of OpenAM servers or identity providers the
agent trusts when evaluating CDC Liberty Responses.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > SSO > CDSSO
Trusted ID Provider.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enables the agent to receive notification messages from the OpenAM
server for configuration changes.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global >
Profile.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>If the agent is behind a proxy or load balancer, then the agent can
get client IP and host name values from the proxy or load balancer. For
proxies and load balancers that support providing the client IP and host
name in HTTP headers, you can use the following properties.</para>
<para>When multiple proxies or load balancers sit in the request path,
the header values can include a comma-separated list of values with the
first value representing the client, as in
<literal>client,next-proxy,first-proxy</literal>.</para>
<para>HTTP header name that holds the hostname of the client.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced > Client
Hostname Header.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Similar to
HTTP header name that holds the IP address of the client.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced > Client
IP Address Header.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>To conditionally redirect users based on the incoming request URL,
set this property.</para>
<para>This takes the incoming request domain to match, a vertical bar
( <literal>|</literal> ), and then a comma-separated list of URLs to
which to redirect incoming users.</para>
<para>If the domain before the vertical bar matches an incoming request
URL, then the policy agent uses the list of URLs to determine how to
redirect the user-agent. If the global property FQDN Check
is enabled for the policy agent, then the policy agent iterates through
the list until it finds an appropriate redirect URL that matches the
FQDN check. Otherwise, the policy agent redirects the user-agent to the
first URL in the list.</para>
http://openam2.example.com/openam/UI/Login</literal>,
<literal>com.sun.identity.agents.config.conditional.login.url[1]=
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies how names from
correspond to cookie domain values when the cookie is reset.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > SSO > Cookie Reset
Domain Map.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent resets cookies in the response before
redirecting to authentication.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > SSO > Cookie Reset.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>List of cookies to reset if
enabled.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > SSO > Cookie Reset
Name List.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies how names from the
correspond to cookie paths when the cookie is reset.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > SSO > Cookie Reset
Path Map.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the list of privileged attributes granted to all users
with a valid OpenAM session, such as
<literal>AUTHENTICATED_USERS</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Default Privileged Attribute.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies how the agent filters requests to protected web
applications. The global value functions as a default, and applies for
protected applications that do not have their own filter settings.
Valid settings include the following.</para>
<variablelist>
<varlistentry>
<term><literal>ALL</literal></term>
<listitem>
<para>Enforce both the J2EE policy defined for the web container where
the protected application runs, and also OpenAM policies.</para>
<para>When setting the filter mode to <literal>ALL</literal>, set the
Map Key, but do not set any Corresponding Map Value.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>J2EE_POLICY</literal></term>
<listitem>
<para>Enforce only the J2EE policy defined for the web container where
the protected application runs.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>NONE</literal></term>
<listitem>
<para>Do not enforce policies to protect resources. In other words,
turn off access management. Not for use in production.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>SSO_ONLY</literal></term>
<listitem>
<para>Enforce only authentication, not policies.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>URL_POLICY</literal></term>
<listitem>
<para>Enforce only OpenAM URL resource-based policies.</para>
<para>When setting the filter mode to <literal>URL_POLICY</literal>,
set the Map Key to the application name and the Corresponding Map
Value to <literal>URL_POLICY</literal>.</para>
</listitem>
</varlistentry>
</variablelist>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global > Agent
Filter Mode.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enables checking of FQDN default value and FQDN map values.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global > FQDN
Check.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Fully qualified domain name that the users should use in order to
access resources.</para>
<para>This property ensures that when users access protected resources
on the web server without specifying the FQDN, the agent can redirect
the users to URLs containing the correct FQDN.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global > FQDN
Default.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Allows virtual host names, partial host names, and IP addresses to be
used to access protected resources. Maps invalid or virtual name keys to
valid FQDN values so that the agent can properly redirect users and receive
cookies belonging to the domain.</para>
<para>To map <literal>myserver</literal> to
<literal>myserver</literal> in the Map Key field, and enter
field. This corresponds to
<literal>com.sun.identity.agents.config.fqdn.mapping[myserver]= myserver.mydomain.example</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global > FQDN
Virtual Host Map.</para>
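<para>Added example, not part of the OpenAM documentation or agent code: a
Python model of how FQDN Check, FQDN Default and the FQDN Virtual Host Map
decide whether a request host is accepted or redirected. The host names other
than <literal>myserver</literal> and
<literal>myserver.mydomain.example</literal>, the function names, and the rule
that a host mapped to itself is accepted are assumptions.</para>

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Property name as shown in the text above; group 1 is the map key, group 2 the value.
FQDN_MAP_LINE = re.compile(
    r"^com\.sun\.identity\.agents\.config\.fqdn\.mapping\[([^\]]*)\]\s*=\s*(.*)$"
)

# Constructed sample of a local agent properties file.
SAMPLE_PROPERTIES = """\
# constructed sample, not from a real deployment
com.sun.identity.agents.config.fqdn.mapping[myserver]= myserver.mydomain.example
com.sun.identity.agents.config.fqdn.mapping[]=
com.sun.identity.agents.config.fqdn.mapping[shop.mydomain.example]= shop.mydomain.example
"""

# Hypothetical FQDN Default value for the sample.
DEFAULT_FQDN = "agent.mydomain.example"


def parse_fqdn_map(properties_text):
    """Collect FQDN map entries, skipping comments and entries with an empty key."""
    mapping = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = FQDN_MAP_LINE.match(line)
        if match and match.group(1):
            mapping[match.group(1).lower()] = match.group(2).strip().lower()
    return mapping


def fqdn_redirect(request_url, default_fqdn, fqdn_map, check_enabled=True):
    """Return None when the request host is accepted, else the URL to redirect to.

    Model: the default FQDN is accepted; a mapped host is sent to its mapped
    value; any other host, including a bare IP address, is sent to the default.
    """
    if not check_enabled:
        return None
    parts = urlsplit(request_url)
    host = (parts.hostname or "").lower()
    default = default_fqdn.lower()
    if host == default:
        return None
    target = fqdn_map.get(host, default)
    if target == host:
        # Assumption: a virtual host mapped to itself is a valid name.
        return None
    netloc = target if parts.port is None else f"{target}:{parts.port}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    fqdn_map = parse_fqdn_map(SAMPLE_PROPERTIES)
    for url in (
        "http://myserver:8080/app/index.jsp",
        "https://192.0.2.10/app/?a=1",
        "https://shop.mydomain.example/cart",
        "https://agent.mydomain.example/app/",
    ):
        print(url, "->", fqdn_redirect(url, DEFAULT_FQDN, fqdn_map))
```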
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled the agent invalidates the HTTP session upon login
failure, when the user has no SSO session, or when the principal user
name does not match the SSO user name.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global > HTTP
Session Binding.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent strips path info from the request URL when
performing the Not Enforced List check and URL policy evaluation. This is
designed to prevent a user from accessing a URI by appending the matching
pattern in the policy or not enforced list.</para>
<para>For example, if the not enforced list includes
<literal>/*.gif</literal>, then stripping path info from the request URL
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Miscellaneous >
Ignore Path Info in Request URL.</para>
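<para>Added example, not part of the OpenAM documentation or agent code: a
Python model of the Not Enforced List check with and without path info
stripping, used to flag requests that match <literal>/*.gif</literal> only
through appended path info. The servlet paths, request lines and function
names are constructed, and the wildcard is assumed to match any characters
including <literal>/</literal>.</para>

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Pattern taken from the text above.
NOT_ENFORCED = ["/*.gif"]

# Constructed: resources that the container maps to servlets.
SERVLET_PATHS = ["/app/report.jsp", "/app/admin"]

# Constructed request lines, in access-log style.
SAMPLE_REQUESTS = [
    "GET /images/logo.gif HTTP/1.1",
    "GET /app/report.jsp HTTP/1.1",
    "GET /app/report.jsp/x.gif HTTP/1.1",
    "GET /app/admin/users/pixel.gif HTTP/1.1",
]


def split_path_info(path, servlet_paths=SERVLET_PATHS):
    """Split a request path into (servlet_path, path_info).

    Mirrors what a servlet container reports through getServletPath() and
    getPathInfo(); path_info is None when nothing follows the servlet path.
    """
    best = ""
    for servlet_path in servlet_paths:
        hit = path == servlet_path or path.startswith(servlet_path + "/")
        if hit and len(servlet_path) > len(best):
            best = servlet_path
    if not best:
        return path, None
    rest = path[len(best):]
    return best, (rest or None)


def matches_not_enforced(uri, patterns=NOT_ENFORCED):
    """Assumption: '*' matches any run of characters, '/' included."""
    return any(fnmatchcase(uri, pattern) for pattern in patterns)


def decide(path, ignore_path_info):
    """Return 'not-enforced' or 'enforced' for a request path."""
    servlet_path, _path_info = split_path_info(path)
    checked = servlet_path if ignore_path_info else path
    return "not-enforced" if matches_not_enforced(checked) else "enforced"


def flag_path_info_matches(request_lines):
    """Return paths that match the not enforced list only because of path info.

    These are the requests whose outcome changes when the setting is enabled.
    The query string is not part of this model.
    """
    flagged = []
    for line in request_lines:
        _method, target, _version = line.split(" ", 2)
        path = urlsplit(target).path
        unstripped = decide(path, ignore_path_info=False)
        stripped = decide(path, ignore_path_info=True)
        if unstripped == "not-enforced" and stripped == "enforced":
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        path = urlsplit(line.split(" ", 2)[1]).path
        print(path, decide(path, False), decide(path, True))
    print("review:", flag_path_info_matches(SAMPLE_REQUESTS))
```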
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, allow programmatic authentication with the JBoss
container using the WebAuthentication feature. This feature works only with
JBoss 4.2.2 to 7 when the <literal>J2EE_POLICY</literal> or
<literal>ALL</literal> filter mode is in use.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
JBoss Application Server.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies a URI the agent uses to redirect legacy user agent
requests.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Miscellaneous >
Legacy User Agent Redirect URI.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, provide support for legacy browsers.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Miscellaneous >
Legacy User Agent Support Enable.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>List of header values that identify legacy browsers. Entries can
use the wildcard character, <literal>*</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Miscellaneous >
Legacy User Agent List.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Interval in seconds to fetch agent configuration from OpenAM. Used
if notifications are disabled. Default: 0</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global >
Configuration Reload Interval.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, audit log files are rotated when reaching the
specified size.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global >
Rotate Local Audit Log.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Beyond this size limit in bytes the agent rotates the local audit
log file if rotation is enabled. Default: 50 MB</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global >
Local Audit Log Rotation Size.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>The default country for the agent.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Miscellaneous >
Locale Country.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>The default language for the agent.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Miscellaneous >
Locale Language.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies where audit messages are logged. By default, audit
messages are logged remotely.</para>
<para>Valid values for the configuration file property include
<literal>REMOTE</literal>, <literal>LOCAL</literal>, and
<literal>ALL</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global > Audit
Log Location.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When set to a value other than zero, this defines the maximum
number of failed login attempts allowed during a single browser session,
after which the agent blocks requests from the user.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global > Login
Attempt Limit.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Full path name to the file containing custom login content when
Use Internal Login is enabled.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Login Content File Name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the list of absolute URIs corresponding to a protected
<literal>form-error-page</literal> element, such as
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Login Error URI.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the list of absolute URIs corresponding to a protected
<literal>form-login-page</literal> element, such as
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Login Form URI.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, OpenAM uses the priority defined in the OpenAM Login
URL list as the priority for Login and CDSSO URLs when handling
failover.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Login URL Prioritized.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, OpenAM checks the availability of OpenAM Login URLs
before redirecting to them.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Login URL Probe.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Timeout period in milliseconds for OpenAM to determine whether
to fail over between Login URLs when Login URL Probe is enabled. Default:
2000</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Login URL Probe Timeout.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>OpenAM login page URL, such as
which the agent redirects incoming users without sufficient credentials
so they can authenticate.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
OpenAM Login URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent uses the internal default content file
for the login.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Use Internal Login.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies how logout handlers map to specific applications. The key
is the web application name. The value is the logout handler class.</para>
<para>To set a global logout handler for applications without other
logout handlers defined, leave the key empty and set the value to the
global logout handler class name,
<literal>GlobalApplicationLogoutHandler</literal>.</para>
<para>To set a logout handler for a specific application, set the key
to the name of the application, and the value to the logout handler class
name.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Application Logout Handler.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the URIs to return after successful logout and subsequent
authentication. The key is the web application name. The value is the
URI to return.</para>
<para>To set a global logout entry URI for applications without other
logout entry URIs defined, leave the key empty and set the value to the
<para>To set a logout entry URI for a specific application, set the key
to the name of the application, and the value to the application
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Logout Entry URI.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies custom logout handler classes to log users out of the
application server. The key is the web application name and the value is
the logout handler class name.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Custom Logout Handler.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent checks the HTTP request body to locate the
Logout Request Parameter you set.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Logout Introspect Enabled.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies parameters in the HTTP request that indicate logout
events. The key is the web application name. The value is the logout
request parameter.</para>
<para>To set a global logout request parameter for applications without
other logout request parameters defined, leave the key empty and set the
value to the global logout request parameter,
<literal>logoutparam</literal>.</para>
<para>To set a logout request parameter for a specific application, set
the key to the name of the application, and the value to the application
logout request parameter, such as <literal>logoutparam</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Logout Request Parameter.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies request URIs that indicate logout events. The key is the
web application name. The value is the application logout URI.</para>
<para>To set a global logout URI for applications without other logout
URIs defined, leave the key empty and set the value to the global logout
<para>To set a logout URI for a specific application, set the key to the
name of the application, and the value to the application logout
page.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Application Logout URI.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, OpenAM uses the priority defined in the OpenAM Logout
URL list as the priority for Logout URLs when handling failover.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Logout URL Prioritized.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, OpenAM checks the availability of OpenAM Logout URLs
before redirecting to them.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Logout URL Probe.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Timeout period in milliseconds for OpenAM to determine whether
to failover between Logout URLs when Logout URL Probe is enabled. Default:
2000</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Logout URL Probe Timeout.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>OpenAM logout page URLs, such as
user is logged out of the OpenAM session when accessing these URLs.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
OpenAM Logout URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent caches evaluation of the not enforced IP
list.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Not Enforced IP Cache Flag.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When caching is enabled, this limits the number of not enforced
addresses cached. Default: 1000</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Not Enforced IP Cache Size.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Only enforce the not enforced list of IP addresses. In other words,
enforce policy only for those client addresses and patterns specified in
the list.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Not Enforced IP Invert List.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>No authentication and authorization are required for the requests
coming from these client IP addresses.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Not Enforced Client IP List.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent resets the session idle time when granting
access to a not enforced URI, prolonging the time before the user must
authenticate again.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Refresh Session Idle Time.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent caches evaluation of the not enforced URI
list.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Not Enforced URIs Cache Enabled.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When caching is enabled, this limits the number of not enforced
URIs cached.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Not Enforced URIs Cache Size.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Only enforce the not enforced list of URIs. In other words, enforce
policy only for those URIs and patterns specified in the list.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Invert Not Enforced URIs.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>List of URIs for which no authentication is required, and the agent
does not protect access. You can use wildcards to define a pattern for a
URI.</para>
<para>The <literal>*</literal> wildcard matches all characters except
question mark (<literal>?</literal>), cannot be escaped, and spans
multiple levels in a URI. Multiple forward slashes do not match a
single forward slash, so <literal>*</literal> matches
<para>The <literal>-*-</literal> wildcard matches all characters except
forward slash (<literal>/</literal>) or question mark
(<literal>?</literal>), and cannot be escaped. As it does not match
<literal>/</literal>, <literal>-*-</literal> does not span multiple
levels in a URI.</para>
<para>OpenAM does not let you mix <literal>*</literal> and
<literal>-*-</literal> in the same URI.</para>
<literal>/images/*</literal>, <literal>/css/-*-</literal>, and
<literal>/*.jsp?locale=*</literal>.</para>
<para>Trailing forward slashes are not recognized as part of a resource
name. Therefore <literal>/images//</literal> and
<literal>/images</literal> are equivalent.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Not Enforced URIs.</para>
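<para>The following added example (not part of the original agent
documentation or code) models the wildcard rules described above so that a
not enforced URI list can be audited before deployment. The function names
and sample URIs are hypothetical, and the model assumes that a wildcard can
match zero characters.</para>
<programlisting language="python"><![CDATA[
```python
import re

ONE_LEVEL = "-*-"    # matches any characters except "/" and "?"
MULTI_LEVEL = "*"    # matches any characters except "?", spans levels


def normalize(resource):
    # Trailing forward slashes are not part of a resource name,
    # so "/images//" and "/images" are equivalent.
    return resource.rstrip("/") or "/"


def compile_pattern(pattern):
    """Translate one not enforced URI pattern into a regular expression."""
    one_level = ONE_LEVEL in pattern
    # The two wildcards cannot be mixed in the same URI.
    if one_level and MULTI_LEVEL in pattern.replace(ONE_LEVEL, ""):
        raise ValueError(f"pattern mixes * and -*-: {pattern!r}")
    if one_level:
        token, char_class = ONE_LEVEL, "[^/?]*"
    else:
        token, char_class = MULTI_LEVEL, "[^?]*"
    # Wildcards cannot be escaped, so every occurrence is a wildcard and
    # everything between occurrences is literal text.
    literals = normalize(pattern).split(token)
    return re.compile(char_class.join(re.escape(part) for part in literals))


def first_match(uri, patterns):
    """Return the first pattern that matches the URI, or None."""
    target = normalize(uri)
    for pattern in patterns:
        if compile_pattern(pattern).fullmatch(target):
            return pattern
    return None


def is_enforced(uri, patterns, invert=False):
    """Tell whether the agent would enforce policy for this URI.

    With invert=True (Invert Not Enforced URIs), policy is enforced only
    for the URIs that are on the list.
    """
    listed = first_match(uri, patterns) is not None
    return listed if invert else not listed


def audit(patterns, sensitive_uris):
    """List (uri, pattern) pairs where a sensitive URI is left unprotected."""
    findings = []
    for uri in sensitive_uris:
        pattern = first_match(uri, patterns)
        if pattern is not None:
            findings.append((uri, pattern))
    return findings


# The three example patterns given in this section.
PATTERNS = ["/images/*", "/css/-*-", "/*.jsp?locale=*"]

# Constructed URIs that a reviewer expects to stay protected.
SENSITIVE = [
    "/images/reports/q3.pdf",
    "/css/admin/export",
    "/admin/users.jsp?locale=en",
    "/admin/users.jsp",
]

if __name__ == "__main__":
    for uri, pattern in audit(PATTERNS, SENSITIVE):
        print(f"NOT ENFORCED: {uri} (matched by {pattern})")
```
]]></programlisting>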
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the remote policy client is configured to use
HTTP-Redirect instead of HTTP-POST for composite advice.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Policy Client Service.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the list of HTTP GET request parameters whose names and
values the agent sets in the environment map for URL policy evaluation
by the OpenAM server.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
URL Policy Env GET Parameters.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the list of HTTP session attributes whose names and
values the agent sets in the environment map for URL policy evaluation
by the OpenAM server.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
URL Policy Env jsession Parameters.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the list of HTTP POST request parameters whose names and
values the agent sets in the environment map for URL policy evaluation
by the OpenAM server.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
URL Policy Env POST Parameters.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent activates port checking, correcting requests
on the wrong port.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Miscellaneous >
Port Check Enable.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the name of the file containing the content to handle
requests on the wrong port when port checking is enabled.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Miscellaneous >
Port Check File.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies which ports correspond to which protocols. The agent uses
the map when handling requests with invalid port numbers during port
checking.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Miscellaneous >
Port Check Setting.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>POST data storage lifetime in milliseconds. Default: 300000.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Post Data Preservation.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies a list of application-specific URIs to use when the
referenced Post Data Preservation entry cannot be found in the local cache
because it has exceeded its POST entry TTL. Either the agent redirects to a
URI in this list, or it shows an HTTP 403 Forbidden error.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Post Data Preservation.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enables HTTP POST data preservation, storing POST data before
redirecting the browser to the login screen, and then autosubmitting
the same POST after successful authentication to the original URL.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Post Data Preservation.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies whether to create a cookie, or to append a query string to
the URL to assist with sticky load balancing.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Post Data Preservation.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>com.sun.identity.agents.config.postdata.preserve.stickysession.value</literal></term>
<listitem>
<para>Specifies the key-value pair for stickysession mode. For example,
a setting of <literal>lb=myserver</literal> either sets an
<literal>lb</literal> cookie with <literal>myserver</literal> value, or
adds <literal>lb=myserver</literal> to the URL query string.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Post Data Preservation.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, lets you use Privileged Attribute Mapping.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Enable Privileged Attribute Mapping.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Maps OpenAM UUIDs to principal names specified in your web
application's deployment descriptor, such as
[id\=manager,ou\=group,o\=openam] = am_manager_role</literal>
[id\=employee,ou\=group,o\=openam] = am_employee_role</literal></para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Privileged Attribute Mapping.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies how privileged attribute types should be converted to
lower case.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Privileged Attributes To Lower Case.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the list of privileged attribute types fetched for each
user.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Privileged Attribute Type.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the list of session property names, such as
<literal>UserToken</literal>, which hold privileged attributes for
authenticated users.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Privileged Session Attribute.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When set to <literal>HTTP_COOKIE</literal> or
<literal>HTTP_HEADER</literal>, profile attributes are introduced into
the cookie or the headers, respectively.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Profile Attribute Fetch Mode.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Maps the profile attributes to HTTP headers for the currently
authenticated user. Map Keys are LDAP attribute names, and Map Values
are HTTP header names.</para>
<para>To populate the value of profile attribute CN under
<literal>CUSTOM-Common-Name</literal>: enter CN in the Map Key field,
and enter <literal>CUSTOM-Common-Name</literal> in the Corresponding
Map Value field. This corresponds to
<literal>com.sun.identity.agents.config.profile.attribute.mapping[cn]=CUSTOM-Common-Name</literal>.</para>
<para>In most cases, in a destination application where an HTTP header
name shows up as a request header, it is prefixed by
<literal>HTTP_</literal>, lower case letters become upper case, and
hyphens (<literal>-</literal>) become underscores (<literal>_</literal>).
For example, <literal>common-name</literal> becomes
<literal>HTTP_COMMON_NAME</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Profile Attribute Mapping.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When set to a value other than zero, this defines the maximum number
of redirects allowed for a single browser session, after which the agent
blocks the request.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global >
Redirect Attempt Limit.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Property used only when CDSSO is enabled. Only change the default
value, <literal>goto</literal>, when the login URL has a landing page
specified, such as
http://www.example.com/landing.jsp</literal>.
The agent uses this parameter to append the original request URL
to this cdcservlet URL. The landing page consumes this parameter to
redirect to the original URL.</para>
<para>As an example, if you set this value to <literal>goto2</literal>,
then the complete URL sent for authentication is
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Miscellaneous >
Goto Parameter Name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Name of file stored on OpenAM server that contains agent audit
messages if log location is remote or all.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global >
Remote Log Filename.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether the agent's configuration is managed centrally through OpenAM
(<literal>centralized</literal>) or locally in the policy agent
configuration file (<literal>local</literal>).</para>
<para>Default: <literal>centralized</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When set to <literal>HTTP_COOKIE</literal> or
<literal>HTTP_HEADER</literal>, response attributes are introduced into
the cookie or the headers, respectively. When set to
<literal>REQUEST_ATTRIBUTE</literal>, response attributes are part
of the HTTP response.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Response Attribute Fetch Mode.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Maps the policy response attributes to HTTP headers for the
currently authenticated user. The response attribute is
the attribute in the policy response to be fetched.</para>
<para>To populate the value of response attribute <literal>uid</literal>
under <literal>CUSTOM-User-Name</literal>: enter <literal>uid</literal>
in the Map Key field, and enter <literal>CUSTOM-User-Name</literal> in
the Corresponding Map Value field. This corresponds to
<literal>com.sun.identity.agents.config.response.attribute.mapping[uid]=CUSTOM-User-Name</literal>.</para>
<para>In most cases, in a destination application where an HTTP header
name shows up as a request header, it is prefixed by
<literal>HTTP_</literal>, lower case letters become upper case, and
hyphens (<literal>-</literal>) become underscores (<literal>_</literal>).
For example, <literal>response-attr-one</literal> becomes
<literal>HTTP_RESPONSE_ATTR_ONE</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Response Attribute Map.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the custom headers the agent sets for the client. The
key is the header name. The value is the header value.</para>
<para>For example,
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global >
Custom Response Header.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When set to <literal>HTTP_COOKIE</literal> or
<literal>HTTP_HEADER</literal>, session attributes are introduced into the
cookie or the headers, respectively. When set to
<literal>REQUEST_ATTRIBUTE</literal>, session attributes are part
of the HTTP response.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Session Attribute Fetch Mode.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Maps session attributes to HTTP headers for the currently
authenticated user. The session attribute is the attribute in the session
to be fetched.</para>
<para>To populate the value of session attribute
<literal>UserToken</literal> under <literal>CUSTOM-userid</literal>:
enter <literal>UserToken</literal> in the Map Key field, and enter
<literal>CUSTOM-userid</literal> in
the Corresponding Map Value field. This corresponds to
<literal>com.sun.identity.agents.config.session.attribute.mapping[UserToken]=CUSTOM-userid</literal>.</para>
<para>In most cases, in a destination application where an HTTP header
name shows up as a request header, it is prefixed by
<literal>HTTP_</literal>, lower case letters become upper case, and
hyphens (<literal>-</literal>) become underscores (<literal>_</literal>).
For example, <literal>success-url</literal> becomes
<literal>HTTP_SUCCESS_URL</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Session Attribute Map.</para>
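<para>The following added example (not part of the original agent
documentation or code) applies the header name transformation described for
the profile, response, and session attribute maps to a local properties
file, and reports mapped headers that the destination application would see
under the same name. The function names are hypothetical, the last sample
line is constructed, and the transformation is the "in most cases" rule
stated above.</para>
<programlisting language="python"><![CDATA[
```python
import re
from collections import defaultdict

# Constructed sample of a local agent properties file. The first three
# mappings are the ones quoted in this appendix; the last one is made up
# to demonstrate a collision.
SAMPLE_PROPERTIES = """\
# attribute mappings
com.sun.identity.agents.config.profile.attribute.mapping[cn]=CUSTOM-Common-Name
com.sun.identity.agents.config.response.attribute.mapping[uid]=CUSTOM-User-Name
com.sun.identity.agents.config.session.attribute.mapping[UserToken]=CUSTOM-userid
com.sun.identity.agents.config.session.attribute.mapping[UserId]=custom_user_name
"""

# property[map key]=map value, for the three attribute maps on this page.
MAPPING = re.compile(
    r"^com\.sun\.identity\.agents\.config\."
    r"(profile|response|session)\.attribute\.mapping"
    r"\[([^\]]*)\]\s*=\s*(\S+)\s*$"
)


def cgi_name(header):
    """Name under which the destination application sees the header:
    HTTP_ prefix, upper case, hyphens replaced by underscores."""
    return "HTTP_" + header.upper().replace("-", "_")


def parse_mappings(text):
    """Return (kind, attribute, header) for every attribute mapping line."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = MAPPING.match(line)
        if match:
            found.append(match.groups())
    return found


def find_collisions(mappings):
    """Group mappings by transformed header name and keep the names that
    more than one mapping writes to."""
    by_name = defaultdict(list)
    for kind, attribute, header in mappings:
        by_name[cgi_name(header)].append((kind, attribute, header))
    return {name: srcs for name, srcs in by_name.items() if len(srcs) > 1}


if __name__ == "__main__":
    for name, sources in find_collisions(parse_mappings(SAMPLE_PROPERTIES)).items():
        print(name)
        for kind, attribute, header in sources:
            print(f"  {kind} attribute {attribute} -> {header}")
```
]]></programlisting>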
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the data store attribute that contains the user ID.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global >
User Attribute Name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the mechanism used to determine the user ID.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global >
User Mapping Mode.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, OpenAM uses both the principal user name and also the
user ID for authentication.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global >
User Principal Flag.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the session property name for the authenticated user's
ID. Default: <literal>UserToken</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global >
User Token Name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies custom verification classes to validate user credentials
with the local user repository. The key is the web application name and
the value is the validation handler class name.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Application >
Custom Verification Handler.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies an implementation class of interface
that can be used to authenticate web-service requests.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Web Service Authenticator.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies a file the agent uses to generate an authorization error
fault for the client application.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Web Service Authorization Error Content File.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enable web service processing.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Web Service Enable.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies a list of web application end points that represent web
services.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Web Service End Points.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies a file the agent uses to generate an internal error fault
for the client application.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Web Service Internal Error Content File.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent processes HTTP GET requests for web service
endpoints.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Web Service Process GET Enable.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies a class implementing
used to process web service responses.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Web Service Response Processor.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies strings that, when found in the request, cause the agent
to redirect the client to an error page.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Cross Site Scripting Detection.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Maps applications to URIs of customized pages to which to redirect
clients upon detection of XSS code elements.</para>
<para>For example, to redirect clients of MyApp to
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Advanced >
Cross Site Scripting Detection.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, OpenAM sends notification about changes to policy.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Enable Policy Notifications.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the time in minutes after which the policy cache is
refreshed. Default: 3</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Policy Client Polling Interval.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>URL used by the agent to register notification listeners.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > Global >
Agent Notification URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent receives notifications from OpenAM to update
user management data caches.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Enable Notification of User Data Caches.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the values, such as <literal>allow</literal> and
<literal>deny</literal>, that are associated with boolean policy
decisions.</para>
<para>Default: <literal>iPlanetAMWebAgentService|GET|allow|deny:iPlanetAMWebAgentService|POST|allow|deny</literal></para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Policy Client Boolean Action Values.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set the cache mode to <literal>subtree</literal> when only a small
number of policy rules are defined. For large numbers of policy rules, set
it to <literal>self</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Policy Client Cache Mode.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Time in seconds used to adjust for the time difference between the
agent system and OpenAM. Clock skew in seconds = AgentTime - OpenAMServerTime.</para>
<para>Default: 10.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Policy Client Clock Skew.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies the comparators used for service names in policy.</para>
<para>Default: <literal>serviceType=iPlanetAMWebAgentService|
delimiter=/|caseSensitive=false</literal></para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Policy Client Resource Comparators.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>If notifications are not enabled and this property is set to a value
other than zero, specifies the time in minutes after which the agent polls
to update cached service configuration data. Default: 1</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Service Data Cache Time.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent receives notifications from OpenAM to update
service configuration data caches.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
J2EE > <replaceable>Agent Name</replaceable> > OpenAM Services >
Enable Notification of Service Data Caches.</para>
</listitem>
</varlistentry>
</variablelist>
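<para>The following Python check for the Policy Client Boolean Action Values
property described above is an added example, not part of the original
documentation or of the agent's own code. It assumes, from the documented
default, that entries are separated by a colon and that each entry reads
serviceName|actionName|trueValue|falseValue; the function names are
hypothetical, and the fail-closed handling is this example's choice rather
than documented agent behavior.</para>

```python
"""Audit a Policy Client Boolean Action Values string (added example).

Assumed layout, inferred from the documented default: entries separated
by ':', each entry 'serviceName|actionName|trueValue|falseValue'.
"""

# Default value as given in this appendix.
DEFAULT = ("iPlanetAMWebAgentService|GET|allow|deny:"
           "iPlanetAMWebAgentService|POST|allow|deny")


def parse_boolean_action_values(raw):
    """Return ({(service, action): (true_value, false_value)}, problems)."""
    mapping, problems = {}, []
    for position, entry in enumerate(raw.strip().split(":"), start=1):
        fields = [field.strip() for field in entry.split("|")]
        if len(fields) != 4 or not all(fields):
            problems.append(
                f"entry {position}: expected 4 non-empty fields: {entry!r}")
            continue
        service, action, true_value, false_value = fields
        if true_value == false_value:
            # The two outcomes could not be told apart.
            problems.append(
                f"entry {position}: true and false values are identical")
            continue
        if (service, action) in mapping:
            # A second entry could silently invert the first one.
            problems.append(
                f"entry {position}: duplicate mapping for {service}/{action}")
            continue
        mapping[(service, action)] = (true_value, false_value)
    return mapping, problems


def is_allowed(mapping, service, action, decision_value):
    """Fail closed: only the configured true value counts as permission."""
    pair = mapping.get((service, action))
    return pair is not None and decision_value == pair[0]


def missing_actions(mapping, service, required=("GET", "POST")):
    """List required actions that have no boolean mapping for the service."""
    return [name for name in required if (service, name) not in mapping]
```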
</section>
</appendix>