1.3. System Configuration

Under Configuration > System, you can change OpenAM settings for server logging, monitoring, service URL naming, locale, cookie domain, and how OpenAM detects specific clients.

Client Detection

OpenAM can detect client user agents by their HTTP requests.

ssoadm service name: iPlanetAMClientDetection

Default Client Type

If no specific match is found for the client type, then this type is used. The default is genericHTML, suitable for supported browsers.

ssoadm attribute: iplanet-am-client-detection-default-client-type

Client Detection Class

The client detection plugin must implement the com.iplanet.services.cdm.ClientDetectionInterface. Client type is a name that uniquely identifies the client to OpenAM. The plugin scans HTTP requests to determine the client type.

ssoadm attribute: iplanet-am-client-detection-class

Enable Client Detection

If this is enabled, then OpenAM needs an appropriate client detection class implementation, and the authentication user interface must be appropriate for the clients detected.

ssoadm attribute: iplanet-am-client-detection-enabled

Logging

You configure global OpenAM logging settings on this page.

ssoadm service name: iPlanetAMLoggingService

Maximum Log Size

Sets the maximum log file size in bytes.

ssoadm attribute: iplanet-am-logging-max-file-size

Number of History Files

Sets the number of history files for each log that OpenAM keeps, including time-based histories. The previously live file is moved to be included in the history count, and a new log is created to serve as the live log file. Any log file in the history count that goes over the number specified here will be deleted. For time-based logs, a new set of logs will be created when OpenAM is started because of the time-based file names that are used.

ssoadm attribute: iplanet-am-logging-num-hist-file

Logfile Rotation Prefix

Set this if you want to add a prefix to log files governed by time-based log rotation.

ssoadm attribute: openam-logging-file-prefix

Logfile Rotation Suffix

Change this if you want to change the suffix for log files governed by time-based log rotation. You can use SimpleDateFormat patterns. The default is -MM.dd.yy-kk.mm.

ssoadm attribute: openam-logging-file-suffix

Log File Location

This property is interpreted to determine the location of log files, taking either a file system location or a JDBC URL. The default is %BASE_DIR%/%SERVER_URI%/log/.

ssoadm attribute: iplanet-am-logging-location

Log Status

Set this to INACTIVE to disable the logging system.

ssoadm attribute: logstatus

Log Record Resolve Host Name

Enable this to have OpenAM perform a DNS host lookup to populate the host name field for log records. OpenAM requires DNS on the host where it runs. Enabling this feature increases the load on the logging system.

ssoadm attribute: resolveHostName

Logging Type

Set this to DB to log to a database. Default: File. If you choose DB then be sure to set the connection attributes correctly, including the JDBC driver to use.

ssoadm attribute: iplanet-am-logging-type

Database User Name

When logging to a database, set this to the user name used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.

ssoadm attribute: iplanet-am-logging-db-user

Database User Password

When logging to a database, set this to the password used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.

ssoadm attribute: iplanet-am-logging-db-password

Database Driver Name

When logging to a database, set this to the class name of the JDBC driver used to connect to the database. The default is for Oracle. OpenAM also works with the MySQL database driver.

ssoadm attribute: iplanet-am-logging-db-driver

Configurable Log Fields

Select the fields OpenAM includes in log messages using this attribute. By default all fields are included in log messages.

ssoadm attribute: iplanet-am-logging-logfields

Log Verification Frequency

When secure logging is enabled, set this to how often OpenAM verifies log file content (in seconds).

ssoadm attribute: iplanet-am-logging-verify-period-in-seconds

Log Signature Time

When secure logging is enabled, set this to how often OpenAM signs log file content (in seconds).

ssoadm attribute: iplanet-am-logging-signature-period-in-seconds

Secure Logging

Set this to ON to enable the secure logging system whereby OpenAM digitally signs and verifies log files. You must also set up the Logging Certificate Store for this feature to function.

ssoadm attribute: iplanet-am-logging-security-status

Secure Logging Signing Algorithm

Set this to the algorithm used for digitally signing log records.

ssoadm attribute: iplanet-am-logging-secure-signing-algorithm

Logging Certificate Store Location

The secure logging system uses the certificate with alias Logger that it finds in the key store specified by this path. The default is %BASE_DIR%/%SERVER_URI%/Logger.jks.

ssoadm attribute: iplanet-am-logging-secure-certificate-store

Maximum Number of Records

Set this to the maximum number of records read from the logs through the Logging API.

ssoadm attribute: iplanet-am-logging-max-records

Number of Files per Archive

Set this to the number of files to be archived by the secure logging system.

ssoadm attribute: iplanet-am-logging-files-per-keystore

Buffer Size

The number of log messages buffered in memory before OpenAM flushes them to the log file or the database.

ssoadm attribute: iplanet-am-logging-buffer-size

DB Failure Memory Buffer Size

Set this to the maximum number of log records to hold in memory if the database to which records are logged is unavailable. If the value is less than Buffer Size, the Buffer Size value takes precedence.

ssoadm attribute: sun-am-logging-db-max-in-mem

Buffer Time

Set the time in seconds that OpenAM buffers log messages in memory before flushing the buffer when Time Buffering is ON. The default is 60 seconds.

ssoadm attribute: iplanet-am-logging-buffer-time-in-seconds

Time Buffering

Set this to OFF to cause OpenAM to write each log message separately rather than the default of holding messages in a memory buffer that OpenAM flushes periodically, as specified using the Buffer Time attribute.

ssoadm attribute: iplanet-am-logging-time-buffering-status

Logging Level

Set the log level for OpenAM. OFF is equivalent to setting the status to INACTIVE.

ssoadm attribute: sun-am-log-level

Monitoring

You enable OpenAM monitoring by using these attributes.

ssoadm service name: iPlanetAMMonitoringService

Monitoring Status

Enable monitoring using this attribute.

ssoadm attribute: iplanet-am-monitoring-enabled

Monitoring HTTP Port

Set the port number for the HTML monitoring interface.

ssoadm attribute: iplanet-am-monitoring-http-port

Monitoring HTTP interface status

Enable the HTML monitoring interface using this attribute.

ssoadm attribute: iplanet-am-monitoring-http-enabled

Monitoring HTTP interface authentication file path

Set this to the path of the file that holds the user name and password used to protect access to monitoring information. The default user name and password combination is demo and changeit. You can encode a new password using the ampassword command.

ssoadm attribute: iplanet-am-monitoring-authfile-path

Monitoring RMI Port

Set the port number for the JMX monitoring interface.

ssoadm attribute: iplanet-am-monitoring-rmi-port

Monitoring RMI interface status

Enable the JMX monitoring interface using this attribute.

ssoadm attribute: iplanet-am-monitoring-rmi-enabled

Monitoring SNMP Port

Set the port number for the SNMP monitoring interface.

ssoadm attribute: iplanet-am-monitoring-snmp-port

Monitoring SNMP interface status

Enable the SNMP monitoring interface using this attribute.

ssoadm attribute: iplanet-am-monitoring-snmp-enabled
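
The logging and monitoring attributes above depend on one another (secure logging, the DB connection attributes, the buffer sizes, the monitoring auth file). The following check is an added example, not part of OpenAM or its documentation. It assumes the attribute values are available as attribute=value lines and that boolean attributes are written as true or false; the sample values are constructed.

```python
# Added example, not OpenAM code. Assumes attribute=value lines as input.
SAMPLE = """\
# constructed sample values
logstatus=ACTIVE
sun-am-log-level=INFO
iplanet-am-logging-security-status=OFF
iplanet-am-logging-type=DB
iplanet-am-logging-db-user=amlog
iplanet-am-logging-db-driver=
iplanet-am-logging-buffer-size=25
sun-am-logging-db-max-in-mem=10
iplanet-am-monitoring-enabled=true
iplanet-am-monitoring-http-enabled=true
"""

def parse_attrs(text):
    """Parse attribute=value lines into a dict, skipping blanks and comments."""
    attrs = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            attrs[key.strip()] = value.strip()
    return attrs

def audit(attrs):
    """Return the attribute names that need review, in the order checked."""
    get = lambda k: attrs.get(k, "")
    flagged = []
    if get("logstatus").upper() == "INACTIVE":
        flagged.append("logstatus")                       # logging disabled
    if get("sun-am-log-level").upper() == "OFF":
        flagged.append("sun-am-log-level")                # same effect as INACTIVE
    if get("iplanet-am-logging-security-status").upper() != "ON":
        flagged.append("iplanet-am-logging-security-status")  # logs not signed
    if get("iplanet-am-logging-type").upper() == "DB":
        for k in ("user", "password", "driver"):          # connection attributes
            if not get("iplanet-am-logging-db-" + k):
                flagged.append("iplanet-am-logging-db-" + k)
        mem = get("sun-am-logging-db-max-in-mem")
        buf = get("iplanet-am-logging-buffer-size")
        if mem.isdigit() and buf.isdigit() and int(mem) < int(buf):
            flagged.append("sun-am-logging-db-max-in-mem")  # below Buffer Size
    if (get("iplanet-am-monitoring-enabled").lower() == "true"
            and get("iplanet-am-monitoring-http-enabled").lower() == "true"):
        # Default credentials are demo/changeit: review the auth file.
        flagged.append("iplanet-am-monitoring-authfile-path")
    return flagged

if __name__ == "__main__":
    for name in audit(parse_attrs(SAMPLE)):
        print("review:", name)
```
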

Naming

You can configure URLs for service endpoints.

ssoadm service name: iPlanetAMNamingService

Profile Service URL

Set the endpoint used by the profile service.

This attribute is deprecated.

ssoadm attribute: iplanet-am-naming-profile-url

Session Service URL

Set the endpoint used by the session service.

ssoadm attribute: iplanet-am-naming-session-url

Logging Service URL

Set the endpoint used by the logging service.

ssoadm attribute: iplanet-am-naming-logging-url

Policy Service URL

Set the endpoint used by the policy service.

ssoadm attribute: iplanet-am-naming-policy-url

Authentication Service URL

Set the endpoint used by the authentication service.

ssoadm attribute: iplanet-am-naming-auth-url

SAML Web Profile/Artifact Service URL

Set the SAML v1 endpoint.

ssoadm attribute: iplanet-am-naming-samlawareservlet-url

SAML SOAP Service URL

Set the endpoint used by the SAML v1 SOAP service.

ssoadm attribute: iplanet-am-naming-samlsoapreceiver-url

SAML Web Profile/POST Service URL

Set the SAML v1 Web Profile endpoint.

ssoadm attribute: iplanet-am-naming-samlpostservlet-url

SAML Assertion Manager Service URL

Set the endpoint used by the SAML v1 assertion service.

ssoadm attribute: iplanet-am-naming-samlassertionmanager-url

Federation Assertion Manager Service URL

Set the endpoint used by the ID-FF assertion manager service.

ssoadm attribute: iplanet-am-naming-fsassertionmanager-url

Security Token Manager URL

Set the STS endpoint.

ssoadm attribute: iplanet-am-naming-securitytokenmanager-url

JAXRPC Endpoint URL

Set the JAXRPC endpoint used by remote IDM/SMS APIs.

ssoadm attribute: iplanet-am-naming-jaxrpc-url

Identity Web Services Endpoint URL

Set the endpoint for Identity WSDL services.

ssoadm attribute: sun-naming-idsvcs-jaxws-url

Identity REST Services Endpoint URL

Set the endpoint used for Identity REST services.

ssoadm attribute: sun-naming-idsvcs-rest-url

Security Token Service Endpoint URL

Set the STS endpoint.

ssoadm attribute: sun-naming-sts-url

Security Token Service MEX Endpoint URL

Set the STS MEX endpoint.

ssoadm attribute: sun-naming-sts-mex-url

Platform

You can configure the default locale and list of cookie domains.

ssoadm service name: iPlanetAMPlatformService

Platform Locale

Set the fallback locale used when the user locale cannot be determined.

ssoadm attribute: iplanet-am-platform-locale

Cookie Domains

Set the list of domains into which OpenAM writes cookies. If you set multiple cookie domains, OpenAM still only sets the cookie in the domain the client uses to access OpenAM. You can also configure cross domain single sign on (CDSSO) to allow single sign on across multiple domains managed by your organization. See the Administration Guide chapter on Configuring Cross-Domain Single Sign On for details.

ssoadm attribute: iplanet-am-platform-cookie-domains