1.5. Servers and Sites Configuration

Under Configuration > Servers and Sites you can manage server defaults, configuration for OpenAM server instances, and site configurations when using multiple OpenAM server instances.

To change inherited settings that appear read only for a server, click Default Server Settings on the Servers and Sites tab page to access and adjust the defaults, or change the Inheritance Settings for a specific server.

After changing server configurations, restart OpenAM or the web application container where OpenAM runs for the changes to take effect.

Servers > General

The General tab lets you access the settings to inherit, set the site for the server, and also set system, debug, and mail server attributes.

Parent Site

Select the site from the list. You must first create at least one site.

Base installation directory

OpenAM writes the configuration data and logs here.

property: com.iplanet.services.configpath

Default Locale

The locale used when none is requested.

property: com.iplanet.am.locale

Notification URL

The notification service endpoint.

property: com.sun.identity.client.notification.url

XML Validation

If on, then OpenAM validates XML documents that it parses.

property: com.iplanet.am.util.xml.validating

Debug Level

Set the log level shared across components for debug logging.

property: com.iplanet.services.debug.level

Merge Debug Files

If on, then OpenAM writes all debug log messages to a single file, debug.out. By default, OpenAM writes a debug log per component.

property: com.iplanet.services.debug.mergeall

Debug Directory

File system directory where OpenAM writes debug logs.

property: com.iplanet.services.debug.directory

Mail Server Host Name

SMTP host name for email sent by OpenAM.

property: com.iplanet.am.smtphost

Mail Server Port Number

SMTP port number for email sent by OpenAM.

property: com.iplanet.am.smtpport

Servers > Security

Most security settings are inherited by default.

Password Encryption Key

Encryption key for decrypting stored passwords

Example: TF1Aue9c63bWTTY4mmZJeFYubJbNiSE3

property: am.encryption.password

Authentication Service Shared Secret

Shared secret for application authentication

Example: AQICQ7QMKN5TSt1fpyFZBMZ8hRwkYkkrUaFk

property: com.iplanet.am.service.secret

Encryption class

Default class used to handle encryption

Default: com.iplanet.services.util.JCEEncryption

property: com.iplanet.security.encryptor

Secure Random Factory Class

The default implementation uses pure Java, rather than JSS.

Default: com.iplanet.am.util.SecureRandomFactoryImpl

property: com.iplanet.security.SecureRandomFactorImpl

Platform Low Level Comm. Max. Content Length

Maximum content length for an HTTP request

Default: 16384

property: com.iplanet.services.comm.server.pllrequest.maxContentLength

Client IP Address Check

If yes, then OpenAM checks client IP addresses when creating and validating SSO tokens.

Default: No

property: com.iplanet.am.clientIPCheckEnabled

Cookie Name

Cookie name OpenAM uses to set a session handler ID during authentication.

Default: iPlanetDirectoryPro

property: com.iplanet.am.cookie.name

Secure Cookie

If yes, then OpenAM sets the cookie in secure mode such that the browser only returns the cookie if a secure protocol such as HTTPS is used.

Default: No

property: com.iplanet.am.cookie.secure

Encode Cookie Value

If yes, then OpenAM URL encodes cookie values.

Default: No

property: com.iplanet.am.cookie.encode

Keystore File

Path to OpenAM key store file

Default: Path to keystore.jks, located in the directory that holds the OpenAM configuration.

Example: ~/openam/openam/keystore.jks

property: com.sun.identity.saml.xmlsig.keystore

Keystore Password File

Path to password file for key store

Default: Path to .storepass, located in the directory that holds the OpenAM configuration.

Example: ~/openam/openam/.storepass

property: com.sun.identity.saml.xmlsig.storepass

Private Key Password File

Path to password file for OpenAM private key

Default: Path to .keypass, located in the directory that holds the OpenAM configuration.

Example: ~/openam/openam/.keypass

property: com.sun.identity.saml.xmlsig.keypass

Certificate Alias

Alias for OpenAM certificate stored in key store

Not set by default

property: com.sun.identity.saml.xmlsig.certalias

CRL: LDAP server host name

Directory server host name where the certificate revocation list (CRL) is cached

Not set by default

property: com.sun.identity.crl.cache.directory.host

CRL: LDAP server port number

Directory server port number where the certificate revocation list is cached

Not set by default

property: com.sun.identity.crl.cache.directory.port

CRL: SSL/TLS Enabled

If yes, then connect securely when accessing the CRL cache directory server

Default: No

property: com.sun.identity.crl.cache.directory.ssl

CRL: LDAP server bind user name

Bind DN to access CRL cache directory server

Not set by default

property: com.sun.identity.crl.cache.directory.user

CRL: LDAP server bind password

Bind password to access CRL cache directory server

Not set by default

property: com.sun.identity.crl.cache.directory.password

CRL: LDAP search base DN

Base DN under which to search for CRL

Not set by default

property: com.sun.identity.crl.cache.directory.searchlocs

CRL: Search Attributes

DN component of issuer's subject DN used to retrieve the CRL

Not set by default

property: com.sun.identity.crl.cache.directory.searchattr

OCSP: Check Enabled

If yes, then OpenAM runs Online Certificate Status Protocol (OCSP) checks.

Default: Yes

property: com.sun.identity.authentication.ocspCheck

Responder URL

URL for OCSP responder

Not set by default

property: com.sun.identity.authentication.ocsp.responder.url

Certificate Nickname

Nickname for OCSP responder certificate

Not set by default

property: com.sun.identity.authentication.ocsp.responder.nickname

FIPS Mode

If yes, then OpenAM runs in Federal Information Processing Standards mode.

Default: No

property: com.sun.identity.security.fipsmode

Servers > Session

Session settings are inherited by default.

Maximum Sessions

Maximum concurrent sessions OpenAM permits

property: com.iplanet.am.session.maxSessions

Invalidate Session Max Time

Minutes after which invalid sessions are removed from the session table

property: com.iplanet.am.session.invalidsessionmaxtime

Sessions Purge Delay

Minutes OpenAM delays session purging

property: com.iplanet.am.session.purgedelay

Logging Interval

Seconds OpenAM delays between logging sessions statistics

property: com.iplanet.am.stats.interval

State

Whether to write statistics to a file, to the console, or to turn recording off

property: com.iplanet.services.stats.state

Directory

Path to statistics logs directory

property: com.iplanet.services.stats.directory

Enable Host Lookup

If yes, then OpenAM performs host lookup during session logging.

property: com.sun.am.session.enableHostLookUp

Notification Pool Size

Number of threads in the notification pool

property: com.iplanet.am.notification.threadpool.size

Notification Thread Pool Threshold

Maximum number of tasks in the queue for serving notification threads

property: com.iplanet.am.notification.threadpool.threshold

Case Insensitive client DN comparison

If yes, then OpenAM distinguished name comparison is case insensitive.

property: com.sun.am.session.caseInsensitiveDN

Servers > SDK

Most SDK settings are inherited.

Enable Datastore Notification

If yes, then OpenAM uses datastore notification. Otherwise, OpenAM uses in-memory notification.

property: com.sun.identity.sm.enableDataStoreNotification

Enable Directory Proxy

If yes, then OpenAM accounts for the use of a directory proxy to access the directory server.

property: com.sun.identity.sm.ldap.enableProxy

Notification Pool Size

Service management notification thread pool size

property: com.sun.identity.sm.notification.threadpool.size

Number of retries for Event Service connections

Maximum number of attempts to reestablish Event Service connections

property: com.iplanet.am.event.connection.num.retries

Delay between Event Service connection retries

Milliseconds between attempts to reestablish Entry Service connections

property: com.iplanet.am.event.connection.delay.between.retries

Error codes for Event Service connection retries

LDAP error codes for which OpenAM retries rather than returning failure

property: com.iplanet.am.event.connection.ldap.error.codes.retries

Idle Time Out

Minutes after which OpenAM reestablishes idle persistent search connections

property: com.sun.am.event.connection.idle.timeout

Disabled Event Service Connection

Persistent search connections OpenAM can disable

property: com.sun.am.event.connection.disable.list

Number of retries for LDAP Connection

Maximum number of attempts to reestablish LDAP connections

property: com.iplanet.am.ldap.connection.num.retries

Delay between LDAP connection retries

Milliseconds between attempts to reestablish LDAP connections

property: com.iplanet.am.ldap.connection.delay.between.retries

Error Codes for LDAP connection retries

LDAP error codes for which OpenAM retries rather than returning failure

property: com.iplanet.am.ldap.connection.ldap.error.codes.retries

SDK Caching Max. Size

Cache size used if SDK caching is enabled

property: com.iplanet.am.sdk.cache.maxSize

SDK Replica Retries

Maximum number of attempts to retrieve entries returned as not found

property: com.iplanet.am.replica.num.retries

Delay between SDK Replica Retries

Milliseconds between attempts to retrieve entries through the SDK

property: com.iplanet.am.replica.delay.between.retries

Cache Entry Expiration Enabled

If no, then cache entries expire based on User Entry Expiration Time

property: com.iplanet.am.sdk.cache.entry.expire.enabled

User Entry Expiration Time

Minutes user entries remain valid after modification. When OpenAM accesses a user entry that has expired, it rereads the entry from the directory server.

property: com.iplanet.am.sdk.cache.entry.user.expire.time

Default Entry Expiration Time

Minutes non-user entries remain valid after modification

property: com.iplanet.am.sdk.cache.entry.default.expire.time

Servers > Directory Configuration

Use this tab to change connection settings and add additional LDAP configuration directory server instances.

Minimum Connection Pool

Set the minimum number of connections in the pool.

Maximum Connection Pool

Set the maximum number of connections in the pool.

Bind DN

Set the bind DN to connect to the configuration directory servers.

Bind Password

Set the bind password to connect to the configuration directory servers.

Servers > CTS

The Core Token Service (CTS) does not need to be configured in the same LDAP storage as the external or embedded user store. The CTS can instead be configured on its own external directory server. There are some specific requirements for indexing and replication which need to be accounted for. In particular, WAN replication is an important consideration which needs to be handled carefully for optimum performance.

You may also choose to set advanced properties related to token size, including com.sun.identity.session.repository.enableEncryption, com.sun.identity.session.repository.enableCompression, and com.sun.identity.session.repository.enableAttributeCompression. For more information, identify these variables in the following section: Servers > Advanced.

Default Token Store

If selected, CTS tokens are stored in the same external or embedded datastore as is used on an OpenAM configuration store. If you use the default token store, you can only configure the Root Suffix. Associated with the Directory Configuration tab associated with individual servers.

External Token Store

If you use OpenDJ, you can separate the CTS from the configuration on different external servers. On the external CTS server, you can also configure token schema and indexes.

Root Suffix

For either the default or external token stores, enter the base DN for CTS storage information in LDAP format, such as dc=cts,dc=forgerock,dc=com. The Root Suffix would be a database that can be maintained and replicated separately from tha standard user datastore.

SSL/TLS Enabled

Access the directory service using StartTLS or LDAPS.

Directory Name

The hostname of the external server.

Port

Specifies the TCP/IP port number used for communication to to external datastore, such as 389 for LDAP.

Login Id

Specifies the user, in DN format, needed to authenticate. The user needs sufficient privileges to read and write to the root suffix of the external datastore.

Password

Specifies the password associated with the Login Id.

Max Connections

Notes the maximum number of remote connections to the external datastore.

Heartbeat

Specifies how often OpenAM should send a heartbeat request to the directory server to ensure that the connection does not remain idle, in seconds. Default: 10.

Servers > Advanced

Use this page to set advanced properties directly. A partial list of advanced properties follows.

For a list of inherited advanced properties, see the table under the Advanced tab for Default Server Settings.

com.iplanet.am.cookie.c66Encode

Properly URL encode session tokens.

Default: true

com.iplanet.am.cookie.timeToLive

iplanetDirectoryPro cookie lifetime if persistent, in hours

Default: 24

com.iplanet.am.daemons

Modules for which to open daemons at OpenAM startup.

Default: securid

com.iplanet.am.directory.ssl.enabled

Whether to connect to the configuration directory server over LDAPS.

Default: false

com.iplanet.am.installdir

OpenAM Configuration and log file location.

Default: ~/openam/server-uri, such as ~/openam/openam

com.iplanet.am.jssproxy.checkSubjectAltName

When using JSS, check whether the name values in the SubjectAltName certificate match the server FQDN.

Default: false

com.iplanet.am.jssproxy.resolveIPAddress

When using JSS, check that the IP address of the server resolves to the host name.

Default: false

com.iplanet.am.jssproxy.SSLTrustHostList

When using JSS, comma-separated list of server FQDNs to trust if they match the certificate CN, even if the domain name is not correct.

com.iplanet.am.jssproxy.trustAllServerCerts

When using JSS, set to true to trust whatever certificate is presented without checking.

Default: true

com.iplanet.am.lbcookie.name

Used with sticky load balancers that can inspect the cookie value.

Default: amlbcookie

com.iplanet.am.lbcookie.value

Used with sticky load balancers that can inspect the cookie value. Set this property to a unique value if your load balancer requires it. Restart OpenAM for the change to take effect.

Default: 01

com.iplanet.am.pcookie.name

Persistent cookie name.

Default: DProPCookie

com.iplanet.am.profile.host

Not used

Default: server-host, such as openam.example.com

com.iplanet.am.profile.port

Not used

Default: server-port, such as 8080 or 8443

com.iplanet.am.session.agentSessionIdleTime

Time in minutes after which a policy agent session expires.

Default: 0, meaning never time out. Range is 0-30 (minutes).

com.iplanet.am.session.client.polling.enable

Whether client applications such as policy agents poll for configuration changes. If false, then OpenAM notifies clients about changes.

Default: false

com.iplanet.am.session.client.polling.period

If client applications poll for changes, number of seconds between polls.

Default: 180

com.iplanet.am.session.failover.cluster.stateCheck.period

Time in milliseconds between health checks of other servers in the same site.

Default: 1000

com.iplanet.am.session.failover.cluster.stateCheck.timeout

Socket timeout in milliseconds for health checks of other servers in the same site.

Default: 1000

com.iplanet.am.session.httpSession.enabled

Create an HttpSession for users on successful authentication.

Default: true

com.iplanet.security.SSLSocketFactoryImpl

SSL socket factory implementation used by OpenAM.

Default: com.sun.identity.shared.ldap.factory.JSSESocketFactory, uses a pure Java provider

com.iplanet.services.cdc.invalidGotoStrings;

Strings that OpenAM rejects as values in goto query string parameters.

Default: <,>javascript:,javascript%3a,%3c,%3e

com.sun.embedded.replicationport

Replication port for embedded OpenDJ directory server.

Default: 8989

com.sun.embedded.sync.servers

Whether to replicate data between embedded directory servers.

Default: on

com.sun.identity.am.cookie.check

Whether to check for cookie support in the user agent, and if not to return an error.

Default: false

com.sun.identity.appendSessionCookieInURL

Whether to append the session cookie to URL for a zero page session.

Default: true

com.sun.identity.auth.cookieName

Cookie used by the OpenAM authentication service to handle the authentication process.

Default: AMAuthCookie

com.sun.identity.authentication.client.ipAddressHeader

Set the name of the HTTP header that OpenAM can examine to learn the client IP address when requests go through a proxy or load balancer. (When requests go through an HTTP proxy or load balancer, checking the IP address on the request alone returns the address of the proxy or load balancer rather than that of the client.) OpenAM must be able to trust the proxy or load balancer to set the client IP address correctly in the header specified.

Example: com.sun.identity.authentication.client.ipAddressHeader=X-Forwarded-For

com.sun.identity.authentication.multiple.tabs.used

Whether to allow users to open many browser tabs to the login page at the same time without encountering an error.

Default: false

com.sun.identity.authentication.setCookieToAllDomains

Whether to allow multiple cookie domains.

Default: true

com.sun.identity.authentication.special.users

List of special users always authenticated against the local directory server.

Default: cn=dsameuser,ou=DSAME Users,|cn=amService-UrlAccessAgent,ou=DSAME Users,

com.sun.identity.authentication.super.user

OpenAM privileged administrator user.

Default: uid=amAdmin,ou=People,

com.sun.identity.authentication.uniqueCookieName

When cookie hijacking protection is configured, name of the cookie holding the URL to the OpenAM server that authenticated the user.

Default: sunIdentityServerAuthNServer

com.sun.identity.client.notification.url

Notification service endpoint for clients such as policy agents.

Default: server-protocol://server-host:server-port/server-uri/notificationservice, such as https://openam.example.com:8443/openam/notificationservice

com.sun.identity.common.systemtimerpool.size

Number of threads in the shared system timer pool used to schedule operations such as session timeout.

Default: 3

com.sun.identity.cookie.httponly

When set to true, mark cookies as HTTPOnly to prevent scripts and third-party programs from accessing the cookies.

Default: false

com.sun.identity.enableUniqueSSOTokenCookie

If true, then OpenAM is using protection against cookie hijacking.

Default: false

com.sun.identity.jss.donotInstallAtHighestPriority

Whether JSS should take priority over other providers.

Default: true

com.sun.identity.monitoring

Whether monitoring is active for OpenAM.

Default: off

com.sun.identity.monitoring.local.conn.server.url

URL for local connection to the monitoring service.

Default: service:jmx:rmi://

com.sun.identity.password.deploymentDescriptor

Internal property used by OpenAM.

Default: server-uri, such as openam

com.sun.identity.policy.Policy.policy_evaluation_weights

Weights of the cost of evaluating policy subjects, rules, and conditions. Evaluation is in order of heaviest weight to lightest weight.

Default: 10:10:10, meaning evaluation of rules, then conditions, then subjects

com.sun.identity.policy.resultsCacheMaxSize

Maximum number of policy decisions OpenAM caches.

Default: 10000

com.sun.identity.server.fqdnMap

Enables virtual hosts, partial hostname and IP address. Maps invalid or virtual name keys to valid FQDN values for proper redirection.

To map myserver to myserver.example.com, set com.sun.identity.server.fqdnMap[myserver]=myserver.example.com.

com.sun.identity.session.repository.enableEncryption

Enables tokens to be encrypted when stored.

Multi-instance deployments require consistent use of this property, which should be done under the Servers and Sites > Default Server Settings > Advanced.

The am.encryption.pwd property must also be the same for all deployed instances. The am.encryption.pwd is under Servers and Sites > Server > Security > Password Encryption Key. You will need to verify that all servers have the same setting for this property as the default server.

Default: false

com.sun.identity.urlchecker.dorequest

Whether to perform an HTTP GET on com.sun.identity.urlchecker.targeturl as a health check against another server in the same site. If false, then OpenAM only checks the Socket connection, and does not perform an HTTP GET.

If each OpenAM server runs behind a reverse proxy, then setting this property to true means the health check actually runs against the OpenAM instance, rather than checking only the Socket to the reverse proxy.

Default: false

com.sun.identity.urlchecker.targeturl

URL to monitor when com.sun.identity.urlchecker.dorequest is set to true.

Default: URL to the /openam/namingservice endpoint on the remote server

com.sun.identity.security.checkcaller

Whether to perform a Java security permissions check for OpenAM.

Default: false

com.sun.identity.session.repository.enableEncryption

For CTS token encryption, if desired.

Default: false

com.sun.identity.session.repository.enableCompression

For GZip-based compression of CTS tokens, if desired.

Default: false

com.sun.identity.session.repository.enableAttributeCompression

For additional compression of CTS token JSON binaries, beyond GZip, if desired.

Default: false

com.sun.identity.sm.cache.ttl

When service configuration caching time-to-live is enabled, this sets the time to live in minutes.

Default: 30

com.sun.identity.sm.cache.ttl.enable

If service configuration caching is enabled, whether to enable a time-to-live for cached configuration.

Default: false

com.sun.identity.sm.flatfile.root_dir

File system directory to hold file-based representation of OpenAM configuration.

Default: ~/openam/server-uri/sms such as ~/openam/openam/sms

com.sun.identity.sm.sms_object_class_name

Class used to read and write OpenAM service configuration entries in the directory.

Default: com.sun.identity.sm.ldap.SMSEmbeddedLdapObject

com.sun.identity.url.readTimeout

Used to set the read timeout in milliseconds for HTTP and HTTPS connections to other servers.

Default: 30000

com.sun.identity.urlchecker.dorequest

Allows the OpenAM ClusterStateService to work with HTTPS endpoints.

Default: true

com.sun.identity.urlconnection.useCache

Whether to cache documents for HTTP and HTTPS connections to other servers.

Default: false

com.sun.identity.webcontainer

Name of the web container to correctly set character encoding, if necessary.

Default: WEB_CONTAINER

console.privileged.users

Used to assigned privileged console access to particular users. Set to a | separated list of users' Universal IDs, such as console.privileged.users=uid=demo,ou=user,|uid=demo2,ou=user,.

openam.auth.destroy_session_after_upgrade

Where to destroy the old session after a session is successfully upgraded.

Default: true

openam.auth.distAuthCookieName

Cookie used by the OpenAM distributed authentication service to handle the authentication process.

Default: AMDistAuthCookie

openam.auth.session_property_upgrader

Class that controls which session properties are copied during session upgrade, where default is to copy all properties to the upgraded session.

Default: org.forgerock.openam.authentication.service.DefaultSessionPropertyUpgrader

openam.auth.version.header.enabled

The X-DSAMEVersion http header provides detailed information about the version of OpenAM currently running on the system, including the build and date/time of the build. OpenAM will need to be restarted once this property is enabled.

Default: false

openam.authentication.ignore_goto_during_logout

Whether to ignore the goto query string parameter on logout, instead displaying the logout page.

Default: false

openam.cdm.default.charset

Character set used for globalization.

Default: UTF-8

openam.forbidden.to.copy.headers

Comma-separated list of HTTP headers not to copy when the distributed authentication server forwards a request to another distributed authentication server.

Default: connection

openam.forbidden.to.copy.request.headers

Comma-separated list of HTTP headers not to copy when the distributed authentication server forwards a request to another distributed authentication server.

Default: connection

openam.retained.http.headers

Comma-separated list of HTTP headers to copy to the forwarded response when the server forwards a request to another server.

Requests are forwarded when the server receiving the request is not the server that originally initiated authentication. The server that originally initiated authentication is identified by a cookie.

When the distributed authentication service (DAS) is in use, then the cookie is the AMDistAuthCookie that identifies the DAS server by its URL.

When authentication is done directly on OpenAM, then the cookie is the AMAuthCookie that holds a session ID that identifies the OpenAM server.

On subsequent requests the server receiving the request checks the cookie. If the cookie identifies another server, the current server forwards the request to that server.

If a header such as Cache-Control has been included in the list of values for the property openam.retained.http.request.headers and the header must also be copied to the response, then add it to the list of values for this property.

Example: openam.retained.http.headers=X-DSAMEVersion,Cache-Control

Default: X-DSAMEVersion

openam.retained.http.request.headers

Comma-separated list of HTTP headers to copy to the forwarded request when the server forwards a request to another server.

Requests are forwarded when the server receiving the request is not the server that originally initiated authentication. The server that originally initiated authentication is identified by a cookie.

When the distributed authentication service (DAS) is in use, then the cookie is the AMDistAuthCookie that identifies the DAS server by its URL.

When authentication is done directly on OpenAM, then the cookie is the AMAuthCookie that holds a session ID that identifies the OpenAM server.

On subsequent requests the server receiving the request checks the cookie. If the cookie identifies another server, the current server forwards the request to that server.

When configuring the distributed authentication service, or when a reverse proxy is set up to provide the client IP address in the X-Forwarded-For header, if your deployment includes multiple OpenAM servers, then this property must be set to include the header.

Example: openam.retained.http.request.headers=X-DSAMEVersion,X-Forwarded-For

OpenAM copies the header when forwarding a request to the authoritative server where the client originally began the authentication process, so that the authoritative OpenAM server receiving the forwarded request can determine the real client IP address.

In order to retain headers to return in the response to the OpenAM server that forwarded the request, use the property openam.retained.http.headers.

Default: X-DSAMEVersion

openam.session.allow_persist_am_cookie

If true users can extend the lifetime of the iplanetDirectoryPro cookie to com.iplanet.am.cookie.timeToLive on a per-session basis, by using the query string parameter openam.session.persist_am_cookie=Yes.

openam.session.case.sensitive.uuid

Whether universal user IDs are considered case sensitive when matching them.

Default: false

openam.session.persist_am_cookie

If true extend the lifetime of the iplanetDirectoryPro cookie to com.iplanet.am.cookie.timeToLive.

Default: false

openam.session.useLocalSessionsInMultiServerMode

This property is for use in multi-server deployments where session failover is not available. If true, calculate session quotas per server. In other words, if the session quota is 5 sessions and users can access up to 4 servers, they can have a maximum of 20 (5 * 4) sessions.

Default: false

opensso.protocol.handler.pkgs

If the web application containers sets java.protocol.handler.pkgs, then set this property to com.sun.identity.protocol.

org.forgerock.embedded.dsadminport

Administration port for embedded OpenDJ directory server.

Default: 4444

org.forgerock.openam.authentication.accountExpire.days

Days until account expiration set after successful authentication by the account expiration post authentication plugin.

Default: 30

securidHelper.ports

Port on which SecurID daemon listens.

Default: 58943

ssoadm.disabled

Set to false to enable ssoadm.jsp.

Default: true

Sites

Sites involve multiple OpenAM servers working together to provide services. You can use sites with load balancers and session failover to configure pools of servers capable of responding to client requests in highly available fashion.

Primary URL

Set the primary entry point to the site, such as the URL to the load balancer for the site configuration.

Secondary URLs

Set alternate entry points to the site. Used when session failover is configured.

Assigned Servers

Shows the list of OpenAM servers in the site.