chap-web-config-properties.xml revision ff0c0e121525573110d769aa29fa2cff48bc0a4b
<?xml version="1.0" encoding="UTF-8"?>
<!--
! CCPL HEADER START
!
! This work is licensed under the Creative Commons
! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
! To view a copy of this license, visit
! or send a letter to Creative Commons, 444 Castro Street,
! Suite 900, Mountain View, California, 94041, USA.
!
! You can also obtain a copy of the license at
! See the License for the specific language governing permissions
! and limitations under the License.
!
! If applicable, add the following below this CCPL HEADER, with the fields
! enclosed by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CCPL HEADER END
!
! Copyright 2012-2013 ForgeRock AS
!
-->
<chapter xml:id='chap-web-config-properties'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
xmlns:xlink='http://www.w3.org/1999/xlink'
xmlns:xinclude='http://www.w3.org/2001/XInclude'>
<title>Web Agent Configuration Properties</title>
<para>Web agents use the following configuration properties. Bootstrap
properties are always configured locally, whereas other agent configuration
properties are either configured centrally in OpenAM or locally using the
agent properties file.</para>
<section xml:id="web-bootstrap-configuration-properties">
<title>Bootstrap Configuration Properties</title>
<para>These properties are set in
<filename>config/<?eval ${agentsBootstrapFile}?></filename>.</para>
<variablelist>
<varlistentry>
<listitem>
<para>This property takes a comma-separated list of indexes for URL values
indicating the order in which to fail over, where the indexes are taken
from the values set for the naming URL property: the first URL in that
space-separated list has index 0, the next index 1, and so on.</para>
<para>For example, suppose the naming URL property lists OpenAM servers as
follows:</para>
<literallayout class="monospaced"
>http://one.example.com:8080/openam/namingservice</literallayout>
<para>Then the following setting means first use OpenAM on the server at
index 0, then fail over to the server at index 1. Failover depends on URL
validation, so also set the validation level property, described next,
to enable validation.</para>
<literallayout class="monospaced"
>com.forgerock.agents.ext.url.validation.default.url.set=0,1</literallayout>
<para>When using this failover capability, make sure you synchronize the
URL settings for the different OpenAM services so that each server shares
the same index across all properties. In other words, in the example above
each service on the first server is the first list item (index: 0) for each
property. This ensures the policy agent fails over and fails back from one
server to another in synchronized fashion for all services.</para>
<para>This property has no default setting.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>This bootstrap configuration property lets you configure naming URL
validation during the initial bootstrap phase, when the policy agent reads
its configuration, and thereafter, if the policy agent is configured to do
so, to fail over when a naming URL becomes invalid.</para>
<para>When URL validation is fully disabled the policy agent does not need
to connect to OpenAM during the bootstrap phase.</para>
<para>If you leave naming URL validation disabled, then make sure that the
URLs in the policy agent bootstrap configuration file are valid and
correct. As the policy agent performs no further validation after the
bootstrap phase, incorrect naming URLs can cause the agent to crash.</para>
<para>To enable full URL validation, set the property as shown:</para>
<literallayout class="monospaced"
>com.forgerock.agents.ext.url.validation.level = 0</literallayout>
<variablelist>
<para>This property can take the following values.</para>
<varlistentry>
<term>0</term>
<listitem>
<para>Fully validate the naming URLs specified by the naming URL property.
The web policy agent logs into and logs out of OpenAM to check that
a naming URL is valid.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>1</term>
<listitem>
<para>Check that naming URLs are valid by performing an HTTP GET, which
should receive an HTTP 200 response.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>2 (Default)</term>
<listitem>
<para>Disable all naming URL validation.</para>
</listitem>
</varlistentry>
</variablelist>
<itemizedlist>
<para>When naming URL validation is enabled, then set the following
properties.</para>
<listitem>
</listitem>
<listitem>
</listitem>
</itemizedlist>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the seconds between validation requests against the
current naming URL.</para>
<para>The sum of the socket connection timeout and the receive timeout,
both described in this section, must not exceed this value. Notice that
the two timeout values are specified in milliseconds, whereas this
property's value is specified in seconds.</para>
<para>Default: 60 (seconds)</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>If validation requests against the current naming URL fail this
number of times in a row, the web policy agent fails over to the next
service in the failover order set by
<literal>com.forgerock.agents.ext.url.validation.default.url.set</literal>.</para>
<para>Default: 3</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>After failover, if validation requests against the default naming URL
succeed this number of times in a row, the web policy agent fails back to
that service, the first URL in the naming URL list.</para>
<para>Default: 3</para>
</listitem>
</varlistentry>
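<para>The failover properties above interact: the index list must point at
real naming URLs, the two timeouts (milliseconds) must fit inside the ping
interval (seconds), and the miss and ok counts decide when the agent moves
off and back onto the default server. The following Python script, added
here as an illustration and not part of the agent, checks a bootstrap
fragment for those constraints and replays the documented fail-over and
fail-back rules against a constructed sequence of probe outcomes. Only
<literal>com.forgerock.agents.ext.url.validation.default.url.set</literal>
and <literal>com.forgerock.agents.ext.url.validation.level</literal> appear
by name in this section; the other property names in the sample are
assumptions to check against your own bootstrap file.</para>

```python
"""Check the naming URL failover settings of a web agent bootstrap file and
replay the documented fail-over / fail-back rules.  Illustrative code only,
not part of the agent.  Property names other than
com.forgerock.agents.ext.url.validation.default.url.set and
com.forgerock.agents.ext.url.validation.level are assumptions."""

PREFIX = "com.forgerock.agents.ext.url.validation."
NAMING_URL = "com.sun.identity.agents.config.naming.url"            # assumed name
CONNECT_TIMEOUT = "com.sun.identity.agents.config.connect.timeout"  # assumed name
RECEIVE_TIMEOUT = "com.sun.identity.agents.config.receive.timeout"  # assumed name

# Constructed bootstrap fragment: two OpenAM servers, fail over 0 -> 1,
# HTTP GET validation (level 1), probe every 60 s, 2 s + 2 s timeouts.
SAMPLE_BOOTSTRAP = f"""
{NAMING_URL} = http://one.example.com:8080/openam/namingservice http://two.example.com:8080/openam/namingservice
{PREFIX}default.url.set = 0,1
{PREFIX}level = 1
{PREFIX}ping.interval = 60
{PREFIX}ping.miss.count = 3
{PREFIX}ping.ok.count = 3
{CONNECT_TIMEOUT} = 2000
{RECEIVE_TIMEOUT} = 2000
"""


def parse_properties(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def failover_order(props):
    """Indexes from default.url.set, in the order the agent tries them."""
    return [int(i) for i in props.get(PREFIX + "default.url.set", "").split(",") if i.strip()]


def check_failover_config(props):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []
    urls = props.get(NAMING_URL, "").split()          # space-separated list
    level = int(props.get(PREFIX + "level", "2"))     # 2 = validation disabled (default)
    if level not in (0, 1, 2):
        problems.append(f"validation level must be 0, 1 or 2, got {level}")
    for idx in failover_order(props):
        if not 0 <= idx < len(urls):
            problems.append(f"default.url.set index {idx} has no naming URL ({len(urls)} configured)")
    if level != 2:
        # Timeouts are in milliseconds, the ping interval in seconds.
        interval_ms = int(props.get(PREFIX + "ping.interval", "60")) * 1000
        connect_ms = int(props.get(CONNECT_TIMEOUT, "0"))
        receive_ms = int(props.get(RECEIVE_TIMEOUT, "0"))
        if 0 in (connect_ms, receive_ms):
            problems.append("validation is enabled but a timeout is 0 (no timeout): a hung probe blocks failover")
        if connect_ms + receive_ms > interval_ms:
            problems.append(f"timeouts sum to {connect_ms + receive_ms} ms, more than the {interval_ms} ms ping interval")
    return problems


def simulate_failover(props, ticks):
    """ticks: one set per validation interval holding the indexes of the naming
    URLs that answer during that interval.  Returns the index in use after each
    tick, applying ping.miss.count (fail over) and ping.ok.count (fail back)."""
    order = failover_order(props)
    miss_limit = int(props.get(PREFIX + "ping.miss.count", "3"))
    ok_limit = int(props.get(PREFIX + "ping.ok.count", "3"))
    pos = misses = oks = 0                            # pos 0 is the default server
    history = []
    for up in ticks:
        if order[pos] in up:
            misses = 0
        else:
            misses += 1
            if misses >= miss_limit and pos + 1 < len(order):
                pos, misses = pos + 1, 0              # fail over to the next index
        if pos > 0:                                   # while failed over, probe the default too
            oks = oks + 1 if order[0] in up else 0
            if oks >= ok_limit:
                pos, oks = 0, 0                       # fail back to the default
        history.append(order[pos])
    return history


if __name__ == "__main__":
    props = parse_properties(SAMPLE_BOOTSTRAP)
    print("problems:", check_failover_config(props) or "none")
    # Server 0 goes down for three probes, comes back, and is confirmed three times.
    outage = [{0, 1}, {1}, {1}, {1}, {1}, {0, 1}, {0, 1}, {0, 1}]
    print("server in use per interval:", simulate_failover(props, outage))
```

<para>With the sample values the agent stays on server 0 for three missed
probes, moves to server 1 on the third miss, and returns to server 0 only
after three consecutive successful probes of the default, which is the
sequence the miss and ok counts are meant to produce.</para>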
<varlistentry>
<listitem>
<para>When SSL is configured, set this to the password for the certificate
database.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When SSL is configured, set this to the file name prefix if the
certificate databases in the directory specified by the certificate
database directory property use one.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When SSL is configured, set this to the alias of the certificate
used to authenticate.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the number of milliseconds to keep the socket connection
open before timing out. If you have the web policy agent perform naming
URL validation, then set this property to a reasonable value such as
2000 (2 seconds). The default value is 0 which implies no timeout.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the full path of the agent's debug log file.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Default is <literal>Error</literal>. Increase to
<literal>Message</literal> or even <literal>All</literal> for
fine-grained detail.</para>
<para>Set the level in the configuration file by module using
the format <literal><replaceable>module</replaceable>[:<replaceable
>level</replaceable>][,<replaceable>module</replaceable>[:<replaceable
>level</replaceable>]]*</literal>, where
<replaceable>module</replaceable> is one of
<literal>AuthService</literal>, <literal>NamingService</literal>,
<literal>PolicyService</literal>, <literal>SessionService</literal>,
<literal>PolicyEngine</literal>, <literal>ServiceEngine</literal>,
<literal>Notification</literal>, <literal>PolicyAgent</literal>,
<literal>RemoteLog</literal>, or <literal>all</literal>,
and <replaceable>level</replaceable> is one of the following.</para>
<itemizedlist>
<listitem>
<para><literal>0</literal>: Disable logging from specified module</para>
<para>At this level the agent nevertheless logs messages having the
level value <literal>always</literal>.</para>
</listitem>
<listitem>
<para><literal>1</literal>: Log error messages</para>
</listitem>
<listitem>
<para><literal>2</literal>: Log warning and error messages</para>
</listitem>
<listitem>
<para><literal>3</literal>: Log info, warning, and error messages</para>
</listitem>
<listitem>
<para><literal>4</literal>: Log debug, info, warning, and error messages</para>
</listitem>
<listitem>
<para><literal>5</literal>: Like level 4, but with even more debugging messages</para>
</listitem>
</itemizedlist>
<para>When you omit <replaceable>level</replaceable>, the agent uses the
default level, which is the level associated with the
<literal>all</literal> module.</para>
<para>The following example, used in the local configuration, sets the
overall log level to debug (4) for all modules.</para>
<literallayout class="monospaced"
>com.sun.identity.agents.config.debug.level=all:4</literallayout>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When OpenAM and the agent communicate through a web proxy server
configured in forward proxy mode, set this to the proxy server host
name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When OpenAM and the agent communicate through a web proxy server
configured in forward proxy mode and the proxy server has the agent
authenticate using Basic Authentication, set this to the agent's
password.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When OpenAM and the agent communicate through a web proxy server
configured in forward proxy mode, set this to the proxy server port
number.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When OpenAM and the agent communicate through a web proxy server
configured in forward proxy mode and the proxy server has the agent
authenticate using Basic Authentication, set this to the agent's
user name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the encryption key used to encrypt the agent profile
password.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the full path for agent's audit log file.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the naming service URL(s) used for naming lookups in
OpenAM. Separate multiple URLs with single space characters.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the realm name where the agent authenticates to
OpenAM.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the encrypted version of the password for the agent
authenticator. Use the command <command>/agentadmin --encrypt
<replaceable>agentInstance</replaceable> <replaceable
>passwordFile</replaceable></command> to get the encrypted version.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the agent profile name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the number of milliseconds to wait for a response from
OpenAM before timing out and dropping the connection. If you have the web
policy agent perform naming URL validation, then set this property to a
reasonable value such as 2000 (2 seconds). The default value is 0 which
implies no timeout.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When SSL is configured, set this to the directory containing SSL
certificate databases.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set to <literal>true</literal> to enable the socket option
<literal>TCP_NODELAY</literal>. Default is <literal>false</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When SSL is configured, set to <literal>false</literal> to trust the
OpenAM SSL certificate only if the certificate is found to be correct and
valid. Default is <literal>true</literal> to make it easy to try SSL during
evaluation.</para>
<important>
<para>Notice that the default setting, <literal>true</literal>, means that
the web policy agent trusts all server certificates. Change this to
<literal>false</literal>, and test that your web policy agent can trust
server certificates before deploying the policy agent in production.</para>
</important>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this to the user name of the agent authenticator.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When there are multiple agents on a single system, set this to a unique numeric value.</para>
</listitem>
</varlistentry>
<!--
<varlistentry>
<term><literal>com.forgerock.agents.config.cert.key.password</literal></term>
<listitem>
<para>Reserved for future use.</para>
</listitem>
</varlistentry> -->
</variablelist>
</section>
<section xml:id="web-agent-configuration-properties">
<title>Agent Configuration Properties</title>
<para>These properties are set in
<filename>config/<?eval ${agentsConfigurationFile}?></filename> if your
agent uses local configuration. If your agent uses centralized configuration,
the properties are set in OpenAM.</para>
<variablelist>
<varlistentry>
<listitem>
xlink:show="new">Perl-compatible regular expression</link> to filter out
invalid request URLs. The regular expression must match every URL you
consider valid; the policy agent rejects any request whose URL does not
match with an HTTP 403 Forbidden status, without further processing.</para>
<para>For example, to filter out URLs containing the symbols in the list
./, /., /, ., ,\, %00-%1f, %7f-%ff, %25, %2B, %2C, %7E, .info, use the
following setting.</para>
^((?!(|/\.|\./||*|\.info|%25|%2B|%2C|%[0-1][0-9a-fA-F]|%[7-9a-fA-F][0-9a-fA-F])).)$</programlisting>
</listitem>
</varlistentry>
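<para>The negative lookahead construction above succeeds only when none of
the listed fragments occurs anywhere in the URL, so the property works as an
allow-regex: a URL it does not match is answered with 403. The following
Python function, added here as an illustration rather than taken from the
agent, applies a regular expression written in the same style to
constructed sample URLs. The exact fragment list is an assumption modelled
on the list above, not the agent's own value.</para>

```python
"""Apply an agent-style 'invalid URL' allow-regex to request URLs.
Illustrative code, not the agent's implementation: the fragment list is an
assumption modelled on the documented example."""
import re

# The regex matches only URLs that contain NONE of the alternatives inside the
# negative lookahead; a non-match means "invalid URL".  Assumption: the agent
# applies it to the raw request URL, before any percent-decoding.
INVALID_URL_REGEX = re.compile(
    r"^(?:(?!"
    r"\./|/\."                        # ./ and /.  (directory traversal pieces)
    r"|\.info"                        # .info
    r"|%25|%2B|%2C|%7E"               # encoded %, +, comma and ~
    r"|%[01][0-9A-F]"                 # %00-%1F (control characters)
    r"|%7F|%[89A-F][0-9A-F]"          # %7F-%FF (DEL and non-ASCII bytes)
    r").)*$",
    re.IGNORECASE,
)


def filter_request(url):
    """Return 403 when the URL fails the allow-regex, else None (keep processing)."""
    return None if INVALID_URL_REGEX.match(url) else 403


# Constructed sample requests and the verdict a practitioner should expect.
SAMPLE_URLS = [
    "/app/index.html?id=42",        # clean -> None
    "/app/../etc/passwd",           # "/." -> 403
    "/app/file%00.jsp",             # NUL byte -> 403
    "/app/report.info",             # .info -> 403
    "/app/name%C3%A9",              # non-ASCII byte -> 403
    "/app/%2e%2e/etc/passwd",       # encoded dots are NOT in the list -> None
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url:32} -> {filter_request(url)}")
```

<para>The last sample is the caveat: the filter only sees the byte
sequences it names, so <literal>%2e%2e</literal> passes this list and the
web server's own path normalization still has to deal with it. Treat the
property as a pre-filter for known-bad sequences, not as the access
control.</para>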
<varlistentry>
<listitem>
<para>Set this property to a <link
regular expression</link> that matches logout URLs.</para>
<para>For example, to match URLs with <literal>protectedA</literal> or
<literal>protectedB</literal> in the path and <literal>op=logout</literal>
in the query string, use the following setting.</para>
.*(/protectedA\?|/protectedB\?/).*(\&op=logout\&)(.*|$)</programlisting>
<para>When you use this property, the agent ignores the settings for
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this property to <literal>true</literal> to enable use of
Cache-Control headers that prevent proxies from caching resources accessed
by unauthenticated users. Default: <literal>false</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this property to <literal>true</literal> to disable the HTTP
302 redirect after the LARES POST. By default, the policy agent does an
HTTP redirect after processing the LARES POST message. Default:
<literal>false</literal>.</para>
<para>This property applies only to Apache HTTPD 2.2 and 2.4 policy agents.
Other policy agents do not redirect after processing the LARES POST
message.</para>
</listitem>
</varlistentry>
<varlistentry>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this property to the file name that contains one or more CA
certificates.</para>
<note><para>For OpenSSL, PEM format is base 64 encoded ASCII data. The acronym stands for
Privacy Enhanced Mail format, as it was originally designed to secure email using public-key
cryptography.</para></note>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this property to the name of the file that contains the PEM encoded
public key certificate.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this property to the name of the file that contains the private key.
On UNIX systems, that key should be encoded in PEM format.</para>
<para>On Windows systems, what the entry refers to depends on the deployment.
If SSL mutual authentication is required with OpenAM, the entry should
contain the name of the private key or certificate imported into the Windows
Certificate Manager, part of the Microsoft Management Console. For a web
server, it should point to the Local Machine or Service certificate store,
depending on the account the web server runs under.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this property to the cipher list, which consists of one or more
<literal>cipher strings</literal> separated by colons, as defined in the man
page for <filename>ciphers</filename> available at <link xlink:show="new"
xlink:href="http://www.openssl.org/docs/apps/ciphers.html"
>http://www.openssl.org/docs/apps/ciphers.html</link>.</para>
<para>Default: <literal>HIGH:MEDIUM</literal>. The <literal>MEDIUM</literal>
group admits 128-bit suites, including legacy ones such as RC4 in older
OpenSSL releases, so restrict the list further for production. Run
<command>openssl ciphers -v 'HIGH:MEDIUM'</command> to see exactly which
suites a given OpenSSL build expands the string to.</para>
<para>Cipher restrictions can be configured as described in the Microsoft article
<citetitle>How to Restrict the Use of Certain Cryptographic Algorithms and Protocols
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this property to <literal>true</literal> to prevent the policy
agent from redirecting to the logout URL when that logout URL matches one
of the logout URL settings. Instead of redirecting the user-agent, the
policy agent performs session logout in the background and then continues
processing access to the current URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>As of version 3.0.4, web policy agents with this property set to
<literal>cidr</literal> can use IPv4 netmasks and IP ranges instead of
wildcards as values for
addresses. Version 3.0.5 adds support for IPv6, including the IPv6 loopback
address, <literal>::1</literal>.</para>
<para>When the parameter is defined, wildcards are ignored in
Instead, you can use settings such as those shown in the following
examples.</para>
<variablelist>
<varlistentry>
<term>Netmask Example</term>
<listitem>
<para>To disable policy agent enforcement for addresses in
192.168.1.1 to 192.168.1.255, use the following setting.</para>
<literallayout class="monospaced"
<para>The following example shows a configuration using IPv6.</para>
<literallayout class="monospaced"
<para>Currently the policy agent stops evaluating properties after
reaching an invalid netmask in the list.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>IP Range Example</term>
<listitem>
<para>To disable policy agent enforcement for addresses between
192.168.1.1 to 192.168.4.3 inclusive, use the following setting.</para>
<literallayout class="monospaced"
>com.sun.identity.agents.config.notenforced.ip = 192.168.1.1-192.168.4.3</literallayout>
<para>The following example shows a configuration using IPv6.</para>
<literallayout class="monospaced"
>com.sun.identity.agents.config.notenforced.ip = 2001:5c0:9168:0:0:0:0:1-2001:5c0:9168:0:0:0:0:2</literallayout>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
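<para>In <literal>cidr</literal> mode the agent reads the not-enforced IP
list in order and, as noted above, stops at the first invalid netmask, so a
typo silently disables every entry after it. The following Python code,
added here as an illustration and not taken from the agent, parses netmask,
range and single-address entries for both IPv4 and IPv6, reproduces that
stop-on-error behaviour so the dropped entries become visible, and
evaluates client addresses against what was loaded. The sample list,
including the <literal>192.168.1.0/24</literal> netmask, is constructed for
the example.</para>

```python
"""Evaluate a web agent not-enforced IP list in "cidr" mode.  Illustrative
code, not the agent's implementation.  Sample entries are constructed."""
import ipaddress

# Constructed notenforced.ip list.  Entry 4 has an invalid netmask (/33 on
# IPv4), so the documented behaviour means entry 5 is never loaded.
NOTENFORCED_IP = [
    "192.168.1.0/24",                                   # netmask, IPv4
    "192.168.1.1-192.168.4.3",                          # range, IPv4
    "2001:5c0:9168:0:0:0:0:1-2001:5c0:9168:0:0:0:0:2",  # range, IPv6
    "::1",                                              # single address, IPv6 loopback
    "10.0.0.0/33",                                      # INVALID: loading stops here
    "172.16.0.0/12",                                    # never loaded
]


def parse_entry(entry):
    """Return a predicate over ipaddress objects for one list entry, or raise
    ValueError for a malformed netmask, range or address."""
    entry = entry.strip()
    if "-" in entry:                                    # range: low-high, inclusive
        low, high = (ipaddress.ip_address(s.strip()) for s in entry.split("-", 1))
        if low.version != high.version or low > high:
            raise ValueError(f"bad range {entry!r}")
        return lambda a: a.version == low.version and low <= a <= high
    if "/" in entry:                                    # netmask: address/prefix
        net = ipaddress.ip_network(entry, strict=False)  # host bits allowed, as in 192.168.1.1/24
        return lambda a: a.version == net.version and a in net
    host = ipaddress.ip_address(entry)                  # single address
    return lambda a: a == host


def load_notenforced(entries):
    """Load entries in order, stopping at the first invalid one, as the agent
    does.  Returns (predicates, index_of_first_bad_entry_or_None)."""
    predicates = []
    for index, entry in enumerate(entries):
        try:
            predicates.append(parse_entry(entry))
        except ValueError:
            return predicates, index
    return predicates, None


def is_not_enforced(client_ip, predicates):
    """True when the agent skips enforcement for this client address."""
    address = ipaddress.ip_address(client_ip)
    return any(match(address) for match in predicates)


if __name__ == "__main__":
    predicates, bad = load_notenforced(NOTENFORCED_IP)
    if bad is not None:
        print(f"entry {bad} ({NOTENFORCED_IP[bad]!r}) is invalid; "
              f"{len(NOTENFORCED_IP) - bad - 1} later entries ignored")
    for ip in ("192.168.3.7", "192.168.5.1", "::1", "2001:5c0:9168::2", "172.16.5.5"):
        print(f"{ip:20} not enforced: {is_not_enforced(ip, predicates)}")
```

<para>Run against the sample list, the loader reports that entry 4 is
invalid and that <literal>172.16.0.0/12</literal> was never loaded, so
<literal>172.16.5.5</literal> is still enforced even though the file
appears to exempt it. Checking the list this way before deploying it avoids
discovering the silent truncation from an unexpected redirect to OpenAM.</para>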
<varlistentry>
<listitem>
<para>If you run multiple web servers with policy agents behind a load
balancer that directs traffic based on the request URI, and you need to
preserve POST data, then set this property.</para>
<para>By default, policy agents use a dummy URL for POST data preservation,
<literal>http://<replaceable>agent.host</replaceable>:<replaceable>port</replaceable>/dummypost/sunpostpreserve</literal>,
to handle POST data across redirects to and from OpenAM. When you set this
property, the policy agent prefixes the property value to the dummy URL
path. In other words, when you set
the policy agent uses the dummy URL,
<literal>http://<replaceable>agent.host</replaceable>:<replaceable>port</replaceable>/app1/dummypost/sunpostpreserve</literal>.</para>
<para>Next, use the prefix you set when you define load balancer URI
rules. This ensures that clients end up being redirected to the policy
agent that preserved the POST data.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this property to <literal>true</literal> to enable use of regular
expressions in Not Enforced URL settings.</para>
<para>Not Enforced URL settings are configured using the property,
<para>Default: <literal>false</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>The URL of the customized access denied page. If no value is
specified (default), then the agent returns an HTTP status of 403
(Forbidden).</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > Resources
Access Denied URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>List of application logout URLs, such as
The user is logged out of the OpenAM session when these URLs are accessed.
When using this property, specify a value for the Logout Redirect URL
property.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > OpenAM Services >
Logout URL List.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>The default value is
<literal><replaceable>agent-root-URL</replaceable>/amagent</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > Agent
Deployment URI Prefix.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enable or disable REMOTE_USER processing for anonymous users.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Miscellaneous >
Anonymous User.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>User ID of unauthenticated users. Default:
<literal>anonymous</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Miscellaneous >
Anonymous User Default Value.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies separator for multiple values. Applies to all types of
attributes such as profile, session and response attributes. Default:
<literal>|</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Application >
Attribute Multi Value Separator.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Types of messages to log based on user URL access attempts.</para>
<para>Valid values for the configuration file property include
<literal>LOG_NONE</literal>, <literal>LOG_ALLOW</literal>,
<literal>LOG_DENY</literal>, and <literal>LOG_BOTH</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > Audit
Access Types.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Timeout period in seconds for an agent connection with OpenAM auth
server. Default: 2</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > OpenAM Services >
Agent Connection Timeout.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>List of URLs of the available CDSSO controllers that the agent can
use for CDSSO processing. For example,
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > SSO > CDSSO Servlet
URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
cookies have to be set in CDSSO. If this property is left blank, then
the fully qualified domain name of the cookie for the agent server
is used to set the cookie domain, meaning that a host cookie rather than
a domain cookie is set.</para>
include the following.</para>
<literallayout class="monospaced">com.sun.identity.agents.config.cdsso.cookie.domain[0]=.example.com</literallayout>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > SSO > Cookies
Domain List.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enables Cross Domain Single Sign On.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > SSO > Cross Domain
SSO.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enables the agent to receive notification messages from the OpenAM
server when its configuration changes.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global >
Profile.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Interval in minutes to cleanup old agent configuration entries
unless they are referenced by current requests. Default: 30.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global >
Configuration Cleanup Interval.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>HTTP header name that holds the hostname of the client.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > Client
Hostname Header.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>HTTP header name that holds the IP address of the client, for
deployments where requests reach the agent through a proxy or load
balancer. Only configure this when the header is set by infrastructure you
control and cannot be supplied by the client, because the agent then
treats the header value as the client's address.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > Client
IP Address Header.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, validate that subsequent browser requests come from the
same IP address that the SSO token was initially issued against. Clients
whose address changes during a session, for example when they move between
proxies, then fail validation.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Application >
Client IP Validation.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent encodes the LDAP header values in the
default encoding of the operating system locale. When disabled, the agent
uses UTF-8.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Miscellaneous >
Native Encoding of Profile Attributes.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Name of the SSO Token cookie used between the OpenAM server and
the agent. Default: <literal>iPlanetDirectoryPro</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > SSO > Cookie
Name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, agent resets cookies in the response before
redirecting to authentication.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > SSO > Cookie
Reset.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>List of cookies in the format
<literal><replaceable>name</replaceable>[=<replaceable
>value</replaceable>][;Domain=<replaceable
>value</replaceable>]</literal>.</para>
<para>Concrete examples include the following with two list items
configured.</para>
<itemizedlist>
<listitem>
<para><literal>LtpaToken</literal>, corresponding to
The default domain is taken from FQDN Default.</para>
</listitem>
<listitem>
corresponding to
<literal>com.sun.identity.agents.config.cookie.reset[1]=
</listitem>
</itemizedlist>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > SSO > Cookie
Reset Name List.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent sets the Secure flag on the cookies it issues,
so that browsers send them only over an encrypted (HTTPS) channel.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > SSO > Cookie
Security.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, rotate the debug file when specified file size is
reached.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > Agent
Debug File Rotation.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Debug file size in bytes beyond which the log file is rotated. The
minimum is 1048576 bytes (1 MB), and lower values are reset to 1 MB.
OpenAM console sets a default of 10 MB when it is used to configure the
agent.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > Agent
Debug File Size.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Default is <literal>Error</literal>. Increase to
<literal>Message</literal> or even <literal>All</literal> for
fine-grained detail.</para>
<para>You can set the level in the configuration file by module using
the format
<literal><replaceable>module</replaceable>[:<replaceable
>level</replaceable>][,<replaceable>module</replaceable
>[:<replaceable>level</replaceable>]]*</literal>,
where <replaceable>module</replaceable> is one of
<literal>AuthService</literal>, <literal>NamingService</literal>,
<literal>PolicyService</literal>, <literal>SessionService</literal>,
<literal>PolicyEngine</literal>, <literal>ServiceEngine</literal>,
<literal>Notification</literal>, <literal>PolicyAgent</literal>,
<literal>RemoteLog</literal>, or <literal>all</literal>,
and <replaceable>level</replaceable> is one of the following.</para>
<itemizedlist>
<listitem>
<para><literal>0</literal>: Disable logging from specified module</para>
<para>At this level the agent nevertheless logs messages having the
level value <literal>always</literal>.</para>
</listitem>
<listitem>
<para><literal>1</literal>: Log error messages</para>
</listitem>
<listitem>
<para><literal>2</literal>: Log warning and error messages</para>
</listitem>
<listitem>
<para><literal>3</literal>: Log info, warning, and error messages</para>
</listitem>
<listitem>
<para><literal>4</literal>: Log debug, info, warning, and error messages</para>
</listitem>
<listitem>
<para><literal>5</literal>: Like level 4, but with even more debugging messages</para>
</listitem>
</itemizedlist>
<para>When you omit <replaceable>level</replaceable>, the agent uses the
default level, which is the level associated with the
<literal>all</literal> module.</para>
<para>The following example, used in the local configuration, sets the
overall log level to debug (4) for all modules.</para>
<literallayout class="monospaced"
>com.sun.identity.agents.config.debug.level=all:4</literallayout>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > Agent
Debug Level.</para>
</listitem>
</varlistentry>
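<para>The <replaceable>module</replaceable>[:<replaceable>level</replaceable>]
syntax is shared by the bootstrap debug level property earlier in this
chapter and by this one. The following Python code, added here as an
illustration and not taken from the agent, parses such a value, resolves
the level each module ends up with (a module listed without a level inherits
the <literal>all</literal> level), and shows the documented exception that a
module at level 0 still emits <literal>always</literal> messages. The
assumption that the error level (1) applies when no <literal>all</literal>
level is given follows from the stated default.</para>

```python
"""Resolve per-module debug levels from a web agent debug.level value such as
"all:3,PolicyAgent:5,RemoteLog:0".  Illustrative code, not the agent's parser.
Assumption: when no 'all' level is given, the error level (1) applies."""

MODULES = (
    "AuthService", "NamingService", "PolicyService", "SessionService",
    "PolicyEngine", "ServiceEngine", "Notification", "PolicyAgent", "RemoteLog",
)
LEVEL_NAMES = {1: "error", 2: "warning", 3: "info", 4: "debug", 5: "debug+"}
DEFAULT_ALL_LEVEL = 1   # assumption: "Error" from the text, level 1 in the numeric scheme


def parse_debug_level(spec):
    """Parse 'module[:level][,module[:level]]*' into {module: level} for every
    module.  Raises ValueError on unknown modules or levels outside 0-5."""
    entries = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        name, has_level, level = item.partition(":")
        name = name.strip()
        if name.lower() != "all" and name not in MODULES:
            raise ValueError(f"unknown module {name!r}")
        value = None
        if has_level:
            value = int(level.strip())
            if not 0 <= value <= 5:
                raise ValueError(f"level {value} for {name} is outside 0-5")
        entries.append((name, value))
    # The 'all' level is the default that modules without an explicit level inherit.
    all_level = DEFAULT_ALL_LEVEL
    for name, value in entries:
        if name.lower() == "all" and value is not None:
            all_level = value
    levels = dict.fromkeys(MODULES, all_level)
    for name, value in entries:
        if name.lower() != "all":
            levels[name] = all_level if value is None else value
    return levels


def should_log(levels, module, message_level):
    """message_level is 1 (error) to 5, or the string 'always', which is logged
    even when the module is at level 0."""
    if message_level == "always":
        return True
    return levels[module] >= message_level


if __name__ == "__main__":
    levels = parse_debug_level("all:3,PolicyAgent:5,RemoteLog:0,Notification")
    for module, level in levels.items():
        print(f"{module:15} {level} ({LEVEL_NAMES.get(level, 'off')})")
    print("RemoteLog error logged?", should_log(levels, "RemoteLog", 1))
    print("RemoteLog always logged?", should_log(levels, "RemoteLog", "always"))
```

<para>Resolving the value this way before committing it shows the effect of
a setting such as <literal>PolicyAgent:5</literal> on a production agent:
only that module becomes verbose, while the other modules stay at the
<literal>all</literal> level.</para>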
<varlistentry>
<listitem>
<para>When enabled, the agent checks whether the user exists in the
Domino name database.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > Check
User in Domino Database.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>The configuration name that the agent uses in order to employ the
LTPA token mechanism.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced >
LTPA Token Configuration Name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>The name of the cookie that contains the LTPA token.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > LTPA
Token Cookie Name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enable if the agent needs to use LTPA Token.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > Use LTPA
token.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>The organization name to which the LTPA token belongs.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > LTPA
Token Organization Name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent URL-encodes special characters in cookie
values. This is useful when profile, session, and response attributes contain
special characters, and the attributes fetch mode is set to
<literal>HTTP_COOKIE</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Miscellaneous >
Encode special chars in Cookies.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent encodes special characters in the request URL
before doing policy evaluation.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Miscellaneous >
Encode URL's Special Characters.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent caches the policy decision of the
resource and all resources from the root of the resource down. This
can be useful when a client is expected to access multiple resources on the
same path. Yet, caching can be expensive if very many policies are
defined for the root resource.</para>
<para>Default: <literal>false</literal></para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > OpenAM Services >
Fetch Policies from Root Resource.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enables checking of FQDN default value and FQDN map values.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > FQDN
Check.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Fully qualified domain name that users should use in order to
access resources. Without this value the web server can fail to
start, so the property is set at agent installation; change it only
when absolutely necessary.</para>
<para>This property ensures that when users access protected resources
on the web server without specifying the FQDN, the agent can redirect
the users to URLs containing the correct FQDN.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > FQDN
Default.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Maps virtual, invalid, or partial hostnames, and IP addresses to the FQDN to access
protected resources. The property allows agents to redirect users to the FQDN and receive
cookies belonging to the domain. It also ensures that invalid FQDN values that can cause the web server
to become unusable or render resources inaccessible get properly mapped to the FQDN.
</para>
<para>The property accepts an <replaceable>invalid_hostname</replaceable> and a <replaceable>validN</replaceable> Map Key value.
The <replaceable>invalid_hostname</replaceable> maps an invalid or a partial hostname, or an IP address to a FQDN.
The <replaceable>validN</replaceable> (where N = 1, 2, 3 ...) Map Key maps virtual hostnames to a FQDN.</para>
<para><literal>com.sun.identity.agents.config.fqdn.mapping[<replaceable>invalid_hostname</replaceable>] = <replaceable>valid_hostname</replaceable></literal>
<literal>com.sun.identity.agents.config.fqdn.mapping[<replaceable>validN</replaceable>] = <replaceable>valid_hostname</replaceable></literal></para>
<para>For example, to map the partial hostname <literal>myserver</literal> to
<literal>myserver.mydomain.example</literal>, enter <literal>myserver</literal> in the Map Key field, enter
<literal>myserver.mydomain.example</literal> in the Corresponding Map Value field and then click Add. This corresponds to:
</para>
<literallayout class="monospaced">com.sun.identity.agents.config.fqdn.mapping[myserver]= myserver.mydomain.example</literallayout>
<para>To map a virtual hostname, enter <literal>valid1</literal> in the Map Key field, enter
<literal>xyz.hostname.com</literal> in the Corresponding Map Value field and then click Add. This corresponds to:
</para>
<literallayout class="monospaced">com.sun.identity.agents.config.fqdn.mapping[valid1]= xyz.hostname.com</literallayout>
<para>If you have multiple virtual servers <literal>rst.hostname.com</literal>, <literal>uvw.hostname.com</literal>, and <literal>xyz.hostname.com</literal>
pointing to the same actual server <literal>abc.hostname.com</literal> and each virtual server has its own policies defined, the properties
can be defined as:
</para>
<literallayout class="monospaced">com.sun.identity.agents.config.fqdn.mapping[valid1]= rst.hostname.com
com.sun.identity.agents.config.fqdn.mapping[valid2]= uvw.hostname.com
com.sun.identity.agents.config.fqdn.mapping[valid3]= xyz.hostname.com</literallayout>
<para>For centralized configurations, this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > FQDN
Virtual Host Map.</para>
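<para>As an added example (not ForgeRock agent code), the following Python parses the FQDN Default, FQDN Check, and FQDN Virtual Host Map settings from a constructed properties snippet and decides whether an incoming Host header already names an acceptable FQDN or the client must be redirected to the mapped one. The property names <literal>com.sun.identity.agents.config.fqdn.default</literal> and <literal>com.sun.identity.agents.config.fqdn.check.enable</literal>, the function names, and the fallback to FQDN Default for unmapped hosts are this example's own assumptions.</para>

```python
"""Added example, not ForgeRock agent code: parse the FQDN Default, FQDN Check
and FQDN Virtual Host Map settings and decide, per request, whether the Host
header already names an acceptable FQDN or the client must be redirected."""
import re

# Constructed sample of a local agent properties file (not from a real deployment).
# The fqdn.default and fqdn.check.enable property names are assumed here.
SAMPLE_PROPERTIES = """
com.sun.identity.agents.config.fqdn.check.enable=true
com.sun.identity.agents.config.fqdn.default=abc.hostname.com
com.sun.identity.agents.config.fqdn.mapping[myserver]= myserver.mydomain.example
com.sun.identity.agents.config.fqdn.mapping[192.0.2.10]= abc.hostname.com
com.sun.identity.agents.config.fqdn.mapping[valid1]= rst.hostname.com
com.sun.identity.agents.config.fqdn.mapping[valid2]= uvw.hostname.com
com.sun.identity.agents.config.fqdn.mapping[valid3]= xyz.hostname.com
"""

MAPPING_RE = re.compile(
    r"^com\.sun\.identity\.agents\.config\.fqdn\.mapping\[([^\]]+)\]\s*=\s*(\S+)$")
VALID_KEY_RE = re.compile(r"^valid\d+$")  # validN keys name extra acceptable FQDNs


class FqdnConfig:
    def __init__(self, default_fqdn, check_enabled, invalid_to_fqdn, virtual_hosts):
        self.default_fqdn = default_fqdn.lower()
        self.check_enabled = check_enabled
        # invalid or partial hostnames and IP addresses, each mapped to its FQDN
        self.invalid_to_fqdn = {k.lower(): v.lower() for k, v in invalid_to_fqdn.items()}
        # virtual hostnames that are acceptable as they are
        self.virtual_hosts = {v.lower() for v in virtual_hosts}


def parse_fqdn_properties(text):
    default_fqdn = None
    check_enabled = False
    invalid_to_fqdn = {}
    virtual_hosts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MAPPING_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            if VALID_KEY_RE.match(key):
                virtual_hosts.append(value)
            else:
                invalid_to_fqdn[key] = value
            continue
        if "=" in line:
            name, value = (part.strip() for part in line.split("=", 1))
            if name == "com.sun.identity.agents.config.fqdn.default":
                default_fqdn = value
            elif name == "com.sun.identity.agents.config.fqdn.check.enable":
                check_enabled = value.lower() == "true"
    if not default_fqdn:
        # The page notes the web server can fail to start without FQDN Default.
        raise ValueError("FQDN Default is not set")
    return FqdnConfig(default_fqdn, check_enabled, invalid_to_fqdn, virtual_hosts)


def resolve_host(cfg, host_header):
    """Return (acceptable, fqdn). When acceptable is False the agent should
    redirect the client to the same resource on fqdn."""
    host = host_header.split(":", 1)[0].strip().lower()  # ignore any :port suffix
    if not cfg.check_enabled:
        return True, host
    if host == cfg.default_fqdn or host in cfg.virtual_hosts:
        return True, host
    if host in cfg.invalid_to_fqdn:
        return False, cfg.invalid_to_fqdn[host]
    # Assumption: a hostname with no explicit mapping falls back to FQDN Default.
    return False, cfg.default_fqdn


def redirect_location(cfg, scheme, host_header, request_uri):
    """Location header value for the redirect, or None if no redirect is needed."""
    acceptable, fqdn = resolve_host(cfg, host_header)
    if acceptable:
        return None
    return "%s://%s%s" % (scheme, fqdn, request_uri)


if __name__ == "__main__":
    cfg = parse_fqdn_properties(SAMPLE_PROPERTIES)
    for host in ("myserver", "rst.hostname.com:8080", "192.0.2.10", "unknown"):
        print(host, resolve_host(cfg, host))
```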
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, get the client hostname through DNS reverse lookup
for use in policy evaluation. This setting can impact performance.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > OpenAM Services >
Retrieve Client Hostname.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, strip path info from the request URL while doing the
Not Enforced List check, and URL policy evaluation. This is designed
to prevent a user from accessing a URI by appending the matching pattern
in the policy or not enforced list.</para>
<note><para>This property is not supported by the Varnish Cache agent.</para></note>
<para>For example, if the not enforced list includes</para>
<para>However, when a web server is configured as a reverse proxy for a
J2EE application server, the path info is interpreted to map a resource
on the proxy server rather than the application server. This prevents the
not enforced list or the policy from being applied to the part of the URI
below the application server path if a wildcard character is used.</para>
<para>For example, if the not enforced list includes
request URL with path info stripped is
not enforced list. Thus when this property is enabled, path info is
not stripped from the request URL even if there is a wildcard in the not
enforced list or policy.</para>
<para>Make sure therefore when this property is enabled that there is
nothing following the wildcard in the not enforced list or policy.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Miscellaneous >
Ignore Path Info in Request URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>com.sun.identity.agents.config.ignore.path.info.for.not.enforced.list</literal></term>
<listitem>
<para>When enabled, the path info and query are stripped from the
request URL before being compared with the URLs of the not enforced list
for those URLs containing a wildcard character. This prevents a user
from accessing a URI by appending the matching pattern in the not enforced
list.</para>
<note><para>This property is not supported by the Varnish Cache agent.</para></note>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Application >
Ignore Path Info for Not Enforced URLs.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, do not send a preferred naming URL in the naming
request.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Miscellaneous >
Ignore Preferred Naming URL in Naming Request.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, do not check whether OpenAM is up before doing a
302 redirect.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Miscellaneous >
Ignore Server Check.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>The agent should normally perform authentication, so this is not
required. If necessary, set to <literal>none</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced >
Authentication Type.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>The loading priority of the filter: DEFAULT, HIGH, LOW, or MEDIUM.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced >
Filter Priority.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enable if the IIS agent filter is configured for OWA.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced >
Filter configured with OWA.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enable to avoid IE6 security pop-ups.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > Change
URL Protocol to https.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>URL of the local idle session timeout page.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > Idle
Session Timeout Page URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enable if a load balancer is used for OpenAM services.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > Load
Balancer Setup.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, audit log files are rotated when reaching the
specified size.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > Rotate
Local Audit Log.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Beyond this size limit in bytes the agent rotates the local audit
log file if rotation is enabled. Default: 50 MB</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > Local
Audit Log Rotation Size.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>The default locale for the agent.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Miscellaneous >
Agent Locale.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies where audit messages are logged. By default, audit
messages are logged remotely.</para>
<para>Valid values for the configuration file property include
<literal>REMOTE</literal>, <literal>LOCAL</literal>, and
<literal>ALL</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > Audit Log
Location.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>OpenAM login page URL, such as
which the agent redirects incoming users without sufficient credentials
so they can authenticate.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > OpenAM Services >
OpenAM Login URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Cookies to be reset upon logout in the same format as the cookie
reset list.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > OpenAM Services >
Logout Cookies List for Reset.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>The user is redirected to this URL after logout. Specify this
property alongside a Logout URL List.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > OpenAM Services >
Logout Redirect URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>OpenAM logout page URL, such as</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > OpenAM Services >
OpenAM Logout URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>No authentication and authorization are required for the requests
coming from these client IP addresses.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Application >
Not Enforced Client IP List.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When set to <literal>true</literal>, the agent fetches profile,
response, and session attributes that are mapped by doing policy
evaluation, and forwards these attributes to non-protected URLs.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Application >
Fetch Attributes for Not Enforced URLs.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Only enforce not enforced list of URLs. In other words, enforce
policy only for those URLs and patterns specified in the list.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Application >
Invert Not Enforced URLs.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>List of URLs for which no authentication is required. You can use
wildcards to define a pattern for a URL.</para>
<para>The <literal>*</literal> wildcard matches all characters except
question mark (<literal>?</literal>), cannot be escaped, and spans
multiple levels in a URL. Multiple forward slashes do not match a
single forward slash, so <literal>*</literal> matches</para>
<para>The <literal>-*-</literal> wildcard matches all characters except
forward slash (<literal>/</literal>) or question mark
(<literal>?</literal>), and cannot be escaped. As it does not match
<literal>/</literal>, <literal>-*-</literal> does not span multiple
levels in a URL.</para>
<para>OpenAM does not let you mix <literal>*</literal> and
<literal>-*-</literal> in the same URL.</para>
<para>Examples include</para>
<para>Trailing forward slashes are not recognized as part of a resource</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Application >
Not Enforced URLs.</para>
<para>If you enable the agent's regular expression option, the agent uses
Perl-compatible regular expressions to match Not Enforced URLs instead.
(Do not mix settings; use either the mechanism described above or
Perl-compatible regular expressions, but not both.)</para>
<para>The following example shows settings where no authentication is
required for URLs whose path ends <literal>/publicA</literal> or
<literal>/publicB</literal> (with or without query string parameters),
and no authentication is required to access .png, .jpg, .gif, .js, or .css
files under URLs that do not contain <literal>/protectedA/</literal>
or <literal>/protectedB/</literal>.</para>
<programlisting language="ini">.*/(PublicServletA|PublicServletB)(\?.*|$)
^(?!.*(/protectedA/|/protectedB/)).*\.(png|jpg|gif|js|css)(\?.*|$)</programlisting>
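<para>As an added example (not ForgeRock agent code), the following Python evaluates request URLs against a constructed Not Enforced URL list using the <literal>*</literal> and <literal>-*-</literal> wildcard rules described above, or the two Perl-compatible regular expressions from the example, and applies the Invert Not Enforced URLs and URL Comparison Case Sensitivity Check options. The function names and the sample lists are this example's own.</para>

```python
"""Added example, not ForgeRock agent code: evaluate a request URL against a
Not Enforced URL list using the agent's wildcard rules, or the Perl-compatible
regular expression mode, with the Invert and case-insensitive options."""
import re

# Wildcard tokens; "-*-" is listed first so it is not split into "-", "*", "-".
TOKEN_RE = re.compile(r"(-\*-|\*)")

# Constructed sample lists (not from a real deployment).
WILDCARD_LIST = [
    "http://www.example.com/public/*",
    "http://www.example.com/-*-.html",
]
REGEX_LIST = [
    r".*/(PublicServletA|PublicServletB)(\?.*|$)",
    r"^(?!.*(/protectedA/|/protectedB/)).*\.(png|jpg|gif|js|css)(\?.*|$)",
]


def wildcard_to_regex(pattern, ignore_case=False):
    """Translate one wildcard pattern into an anchored compiled regex.
    "*"   matches any characters except "?" and so spans "/" levels.
    "-*-" matches any characters except "/" and "?", so it stays in one level.
    A pattern mixing both is rejected, as OpenAM rejects it."""
    parts = TOKEN_RE.split(pattern)  # literal, token, literal, token, ..., literal
    tokens = set(parts[1::2])
    if "*" in tokens and "-*-" in tokens:
        raise ValueError("cannot mix * and -*- in one Not Enforced URL: " + pattern)
    out = []
    for index, part in enumerate(parts):
        if index % 2 == 1:
            out.append(r"[^/?]*" if part == "-*-" else r"[^?]*")
        else:
            out.append(re.escape(part))
    flags = re.IGNORECASE if ignore_case else 0
    return re.compile("^" + "".join(out) + "$", flags)


def compile_not_enforced(patterns, use_regex=False, ignore_case=False):
    """Compile the whole list in one mode: wildcard syntax or PCRE-style regex."""
    flags = re.IGNORECASE if ignore_case else 0
    if use_regex:
        return [re.compile(p, flags) for p in patterns]
    return [wildcard_to_regex(p, ignore_case) for p in patterns]


def is_not_enforced(url, compiled):
    """True when the URL matches any entry of the compiled list."""
    return any(rx.match(url) for rx in compiled)


def requires_authentication(url, compiled, invert=False):
    """With Invert Not Enforced URLs set, only the listed URLs are enforced."""
    listed = is_not_enforced(url, compiled)
    return listed if invert else not listed


if __name__ == "__main__":
    wildcards = compile_not_enforced(WILDCARD_LIST)
    for url in ("http://www.example.com/public/a/b.html",
                "http://www.example.com/public/a?x=1",
                "http://www.example.com/a/index.html"):
        print(url, "not enforced" if is_not_enforced(url, wildcards) else "enforced")
```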
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>If enabled, the agent receives policy updates from the OpenAM
notification mechanism to maintain its internal cache. If disabled, the
agent must poll OpenAM for changes.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > Enable
Notifications.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enable when the agent runs behind a load balancer or proxy such that
the host name users use is different from the host name the agent uses.
When enabled, the host is overridden with the value from the Agent
Deployment URI Prefix property.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > Override
Request URL Host.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enable when the agent runs behind a load balancer or proxy such that
the URL users use is different from the URL the agent uses. When enabled,
the URL is overridden with the value from the Agent Deployment URI Prefix
property.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > Override
Notification URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enable when the agent runs behind a load balancer or proxy such that
the port users use is different from the port the agent uses. When enabled,
the port is overridden with the value from the Agent Deployment URI Prefix
property.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > Override
Request URL Port.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enable when the agent runs behind a load balancer or proxy such that
the protocol users use is different from the protocol the agent uses. When
enabled, the protocol is overridden with the value from the Agent Deployment
URI Prefix property.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > Override
Request URL Protocol.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Polling interval in minutes during which an entry remains valid
after being added to the agent's cache.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > OpenAM Services >
Policy Cache Polling Period.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Time in seconds used to adjust the time difference between the agent
system and OpenAM. Clock skew in seconds = AgentTime - OpenAMServerTime.</para>
<para>Use this property to adjust for small time differences encountered
despite use of a time synchronization service. When this property is
not set and agent time is greater than OpenAM server time, the agent
can make policy calls to the OpenAM server before the policy subject
cache has expired, or you can see infinite redirection occur.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > OpenAM Services >
Policy Clock Skew.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Interval in minutes at which the agent polls to check that the primary
server is up and running. Default: 5.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > OpenAM Services >
Polling Period for Primary Server.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Interval in minutes to fetch agent configuration from OpenAM. Used
if notifications are disabled. Default: 60.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global >
Configuration Reload Interval.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>POST cache entry lifetime in minutes. Default: 10.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > POST
Data Entries Cache Period.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Enables HTTP POST data preservation. This feature is available in
the Apache 2.2, Microsoft IIS 6, Microsoft IIS 7, and Sun Java System
Web Server web policy agents as of version 3.0.3.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > POST
Data Preservation.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When HTTP POST data preservation is enabled, override properties
are set to true, and the agent is behind a load balancer, then this
property sets the name and value of the sticky cookie to use.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Specifies whether to create a cookie, or to append a query string to
the URL to assist with sticky load balancing.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>com.sun.identity.agents.config.postdata.preserve.stickysession.value</literal></term>
<listitem>
<para>Specifies the key-value pair for stickysession mode. For example,
a setting of <literal>lb=myserver</literal> either sets an
<literal>lb</literal> cookie with <literal>myserver</literal> value, or
adds <literal>lb=myserver</literal> to the URL query string.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Maximum age in seconds of custom cookie headers. Default: 300.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Miscellaneous >
Profile Attributes Cookie Maxage.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Sets cookie prefix in the attributes headers. Default:
<literal>HTTP_</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Miscellaneous >
Profile Attributes Cookie Maxage.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When set to <literal>HTTP_COOKIE</literal> or
<literal>HTTP_HEADER</literal>, profile attributes are introduced into
the cookie or the headers, respectively.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Application >
Profile Attribute Fetch Mode.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Maps the profile attributes to HTTP headers for the currently
authenticated user. Map Keys are LDAP attribute names, and Map Values
are HTTP header names.</para>
<para>To populate the value of profile attribute CN under
<literal>CUSTOM-Common-Name</literal>: enter CN in the Map Key field,
and enter <literal>CUSTOM-Common-Name</literal> in the Corresponding
Map Value field. This corresponds to
<literal>com.sun.identity.agents.config.profile.attribute.mapping[cn]=CUSTOM-Common-Name</literal>.</para>
<para>In most cases, in a destination application where an HTTP header
name shows up as a request header, it is prefixed by
<literal>HTTP_</literal>, lower case letters become upper case, and
hyphens (<literal>-</literal>) become underscores (<literal>_</literal>).
For example, <literal>common-name</literal> becomes
<literal>HTTP_COMMON_NAME</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Application >
Profile Attribute Map.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent ignores the host and port settings for Sun Java
System Proxy.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > Override
Proxy Server's Host and Port.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Property used only when CDSSO is enabled. Only change the default
value, <literal>goto</literal>, when the login URL has a landing page
specified, such as
<literal>http://www.example.com/landing.jsp</literal>.
The agent uses this parameter to append the original request URL
to this cdcservlet URL. The landing page consumes this parameter to
redirect to the original URL.</para>
<para>As an example, if you set this value to <literal>goto2</literal>,
then the complete URL sent for authentication is</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Miscellaneous >
Goto Parameter Name.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Periodic interval in minutes in which audit log messages are sent
to the remote log file. Default: 5</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > Remote
Audit Log Interval.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Name of file stored on OpenAM server that contains agent audit
messages if log location is remote or all.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > Remote
Log Filename.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>DES key for decrypting the basic authentication password in the
session for IIS.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Advanced > Replay
Password Key.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Whether the agent's configuration is managed centrally through OpenAM
(<literal>centralized</literal>) or locally in the policy agent
configuration file (<literal>local</literal>).</para>
<para>Default: <literal>centralized</literal></para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When set to <literal>HTTP_COOKIE</literal> or
<literal>HTTP_HEADER</literal>, response attributes are introduced into
the cookie or the headers, respectively.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Application >
Response Attribute Fetch Mode.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Maps the policy response attributes to HTTP headers for the
currently authenticated user. The response attribute is
the attribute in the policy response to be fetched.</para>
<para>To populate the value of response attribute <literal>uid</literal>
under <literal>CUSTOM-User-Name</literal>: enter <literal>uid</literal>
in the Map Key field, and enter <literal>CUSTOM-User-Name</literal> in
the Corresponding Map Value field. This corresponds to
<literal>com.sun.identity.agents.config.response.attribute.mapping[uid]=Custom-User-Name</literal>.</para>
<para>In most cases, in a destination application where an HTTP header
name shows up as a request header, it is prefixed by
<literal>HTTP_</literal>, lower case letters become upper case, and
hyphens (<literal>-</literal>) become underscores (<literal>_</literal>).
For example, <literal>response-attr-one</literal> becomes
<literal>HTTP_RESPONSE_ATTR_ONE</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Application >
Response Attribute Map.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When set to <literal>HTTP_COOKIE</literal> or
<literal>HTTP_HEADER</literal>, session attributes are introduced into the
cookie or the headers, respectively.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Application >
Session Attribute Fetch Mode.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Maps session attributes to HTTP headers for the currently
authenticated user. The session attribute is the attribute in the session
to be fetched.</para>
<para>To populate the value of session attribute
<literal>UserToken</literal> under <literal>CUSTOM-userid</literal>:
enter <literal>UserToken</literal> in the Map Key field, and enter
<literal>CUSTOM-userid</literal> in
the Corresponding Map Value field. This corresponds to
<literal>com.sun.identity.agents.config.session.attribute.mapping[UserToken] =CUSTOM-userid</literal>.</para>
<para>In most cases, in a destination application where an HTTP header
name shows up as a request header, it is prefixed by
<literal>HTTP_</literal>, lower case letters become upper case, and
hyphens (<literal>-</literal>) become underscores (<literal>_</literal>).
For example, <literal>success-url</literal> becomes
<literal>HTTP_SUCCESS_URL</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Application >
Session Attribute Map.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Polling interval in minutes during which an SSO entry remains valid
after being added to the agent's cache.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > OpenAM Services >
SSO Cache Polling Period.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, the agent enforces only authentication (SSO) and does
not evaluate authorization policies.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > SSO Only
Mode.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>When enabled, URL comparison is case insensitive in both policy
evaluation and not-enforced URL evaluation.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Miscellaneous >
URL Comparison Case Sensitivity Check.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>The agent copies the value of this session attribute, the user ID
passed from OpenAM in the session, into the <literal>REMOTE_USER</literal>
server variable. Default: <literal>UserToken</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > OpenAM Services >
User ID Parameter.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>The user ID can be fetched from either <literal>SESSION</literal> or
<literal>LDAP</literal> attributes.
Default: <literal>SESSION</literal>.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > OpenAM Services >
User ID Parameter Type.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>URL used by agent to register notification listeners.</para>
<para>For centralized configurations this property is configured under
Access Control > <replaceable>Realm Name</replaceable> > Agents >
Web > <replaceable>Agent Name</replaceable> > Global > Agent
Notification URL.</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Set this property to <literal>true</literal> to mark
<literal>iPlanetDirectoryPro</literal> cookies as HTTPOnly, preventing
scripts and third-party programs from accessing the cookies.</para>
</listitem>
</varlistentry>
</variablelist>
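<para>The response attribute map and session attribute map entries above both
rely on the same header-name rule: the destination application sees the mapped
header with an <literal>HTTP_</literal> prefix, upper-cased, and with hyphens
turned into underscores. The following Python script is an added example, not
part of the agent or of this documentation, that parses map-style property
lines of the kind shown above, applies that rule, and reports any two mapped
header names that would collapse to the same variable name (a
hyphen/underscore pair, for instance), which an application could not tell
apart. The sample property lines, the regular expression
<literal>_MAP_LINE</literal>, and the function names are all constructed for
this example.</para>

```python
import re

# Property-file lines of the kind this chapter documents. These are
# constructed for the example, not copied from a real deployment.
SAMPLE_PROPERTIES = """
com.sun.identity.agents.config.session.attribute.mapping[UserToken] =CUSTOM-userid
com.sun.identity.agents.config.response.attribute.mapping[cn] = response-attr-one
# comment line, ignored by the parser
com.sun.identity.agents.config.session.attribute.fetch.mode = HTTP_HEADER
"""

# Matches "property.name[map key] = value" (hypothetical helper for this example).
_MAP_LINE = re.compile(r"^\s*([\w.]+)\[([^\]]+)\]\s*=\s*(.*?)\s*$")


def parse_attribute_maps(text):
    """Return {property_name: {map_key: header_name}} for every map-style
    (bracket-indexed) property line. Blank lines, comments and plain
    key = value properties are skipped."""
    maps = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _MAP_LINE.match(line)
        if m is None:
            continue
        prop, key, value = m.groups()
        maps.setdefault(prop, {})[key] = value
    return maps


def cgi_variable_name(header_name):
    """Apply the rule described in the text: prefix HTTP_, convert to
    upper case, and replace hyphens with underscores."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def header_collisions(header_names):
    """Return {variable_name: [header names]} for every group of distinct
    header names that map onto the same HTTP_ variable. A deployment
    should avoid such pairs, since the application cannot distinguish them."""
    seen = {}
    for name in header_names:
        seen.setdefault(cgi_variable_name(name), []).append(name)
    return {var: names for var, names in seen.items() if len(names) > 1}


def mapped_variable_names(text):
    """Convenience wrapper: map key -> HTTP_ variable for every map entry."""
    result = {}
    for entries in parse_attribute_maps(text).values():
        for key, header in entries.items():
            result[key] = cgi_variable_name(header)
    return result


if __name__ == "__main__":
    for key, var in mapped_variable_names(SAMPLE_PROPERTIES).items():
        print(key, "->", var)
    print(header_collisions(["custom-userid", "custom_userid", "other"]))
```

<para>Running the script against the constructed sample shows that the
<literal>UserToken</literal> entry surfaces as
<literal>HTTP_CUSTOM_USERID</literal> and the <literal>cn</literal> entry as
<literal>HTTP_RESPONSE_ATTR_ONE</literal>; the collision check is the part
worth running over a real property file before deployment.</para>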
</section>
</chapter>