Under Configuration > Servers and Sites you can manage server defaults, configuration for OpenAM server instances, and site configurations when using multiple OpenAM server instances.
To change inherited settings that appear read only for a server, click Default Server Settings on the Servers and Sites tab page to access and adjust the defaults, or change the Inheritance Settings for a specific server.
After changing server configurations, restart OpenAM or the web application container where OpenAM runs for the changes to take effect.
Servers > General
The General tab lets you access the settings to inherit, set the site for the server, and also set system, debug, and mail server attributes.
Select the site from the list. You must first create at least one site.
OpenAM writes the configuration data and logs here.
property:
com.iplanet.services.configpath
The locale used when none is requested.
property:
com.iplanet.am.locale
The notification service endpoint.
property:
com.sun.identity.client.notification.url
If on, then OpenAM validates XML documents that it parses.
property:
com.iplanet.am.util.xml.validating
Set the log level shared across components for debug logging.
property:
com.iplanet.services.debug.level
If on, then OpenAM writes all debug log messages to a single file, debug.out. By default, OpenAM writes a debug log per component.
property:
com.iplanet.services.debug.mergeall
File system directory where OpenAM writes debug logs.
property:
com.iplanet.services.debug.directory
SMTP host name for email sent by OpenAM.
property:
com.iplanet.am.smtphost
SMTP port number for email sent by OpenAM.
property:
com.iplanet.am.smtpport
Servers > Security
Most security settings are inherited by default.
Encryption key for decrypting stored passwords
Example: TF1Aue9c63bWTTY4mmZJeFYubJbNiSE3
property:
am.encryption.password
Shared secret for application authentication
Example: AQICQ7QMKN5TSt1fpyFZBMZ8hRwkYkkrUaFk
property:
com.iplanet.am.service.secret
Default class used to handle encryption
Default: com.iplanet.services.util.JCEEncryption
property:
com.iplanet.security.encryptor
Factory class used to generate secure random numbers. The default implementation uses pure Java, rather than JSS.
Default: com.iplanet.am.util.SecureRandomFactoryImpl
property:
com.iplanet.security.SecureRandomFactorImpl
Maximum content length for an HTTP request
Default: 16384
property:
com.iplanet.services.comm.server.pllrequest.maxContentLength
If yes, then OpenAM checks client IP addresses when creating and validating SSO tokens.
Default: No
property:
com.iplanet.am.clientIPCheckEnabled
Cookie name OpenAM uses to set a session handler ID during authentication.
Default: iPlanetDirectoryPro
property:
com.iplanet.am.cookie.name
If yes, then OpenAM sets the cookie in secure mode such that the browser only returns the cookie if a secure protocol such as HTTPS is used.
Default: No
property:
com.iplanet.am.cookie.secure
If yes, then OpenAM URL encodes cookie values.
Default: No
property:
com.iplanet.am.cookie.encode
Path to OpenAM key store file
Default: Path to keystore.jks, located in the directory that holds the OpenAM configuration.
Example: ~/openam/openam/keystore.jks
property:
com.sun.identity.saml.xmlsig.keystore
Path to password file for key store
Default: Path to .storepass, located in the directory that holds the OpenAM configuration.
Example: ~/openam/openam/.storepass
property:
com.sun.identity.saml.xmlsig.storepass
Path to password file for OpenAM private key
Default: Path to .keypass, located in the directory that holds the OpenAM configuration.
Example: ~/openam/openam/.keypass
property:
com.sun.identity.saml.xmlsig.keypass
Alias for OpenAM certificate stored in key store
Not set by default
property:
com.sun.identity.saml.xmlsig.certalias
Directory server host name where the certificate revocation list (CRL) is cached
Not set by default
property:
com.sun.identity.crl.cache.directory.host
Directory server port number where the certificate revocation list is cached
Not set by default
property:
com.sun.identity.crl.cache.directory.port
If yes, then connect securely when accessing the CRL cache directory server
Default: No
property:
com.sun.identity.crl.cache.directory.ssl
Bind DN to access CRL cache directory server
Not set by default
property:
com.sun.identity.crl.cache.directory.user
Bind password to access CRL cache directory server
Not set by default
property:
com.sun.identity.crl.cache.directory.password
Base DN under which to search for CRL
Not set by default
property:
com.sun.identity.crl.cache.directory.searchlocs
DN component of issuer's subject DN used to retrieve the CRL
Not set by default
property:
com.sun.identity.crl.cache.directory.searchattr
If yes, then OpenAM runs Online Certificate Status Protocol (OCSP) checks.
Default: Yes
property:
com.sun.identity.authentication.ocspCheck
URL for OCSP responder
Not set by default
property:
com.sun.identity.authentication.ocsp.responder.url
Nickname for OCSP responder certificate
Not set by default
property:
com.sun.identity.authentication.ocsp.responder.nickname
If yes, then OpenAM runs in Federal Information Processing Standards mode.
Default: No
property:
com.sun.identity.security.fipsmode
Servers > Session
Session settings are inherited by default.
Maximum concurrent sessions OpenAM permits
property:
com.iplanet.am.session.maxSessions
Minutes after which invalid sessions are removed from the session table
property:
com.iplanet.am.session.invalidsessionmaxtime
Minutes OpenAM delays session purging
property:
com.iplanet.am.session.purgedelay
Seconds OpenAM delays between logging sessions statistics
property:
com.iplanet.am.stats.interval
Whether to write statistics to a file, to the console, or to turn recording off
property:
com.iplanet.services.stats.state
Path to statistics logs directory
property:
com.iplanet.services.stats.directory
If yes, then OpenAM performs host lookup during session logging.
property:
com.sun.am.session.enableHostLookUp
Number of threads in the notification pool
property:
com.iplanet.am.notification.threadpool.size
Maximum number of tasks in the queue for serving notification threads
property:
com.iplanet.am.notification.threadpool.threshold
If yes, then OpenAM distinguished name comparison is case insensitive.
property:
com.sun.am.session.caseInsensitiveDN
Servers > SDK
Most SDK settings are inherited.
If yes, then OpenAM uses datastore notification. Otherwise, OpenAM uses in-memory notification.
property:
com.sun.identity.sm.enableDataStoreNotification
If yes, then OpenAM accounts for the use of a directory proxy to access the directory server.
property:
com.sun.identity.sm.ldap.enableProxy
Service management notification thread pool size
property:
com.sun.identity.sm.notification.threadpool.size
Maximum number of attempts to reestablish Event Service connections
property:
com.iplanet.am.event.connection.num.retries
Milliseconds between attempts to reestablish Event Service connections
property:
com.iplanet.am.event.connection.delay.between.retries
LDAP error codes for which OpenAM retries rather than returning failure
property:
com.iplanet.am.event.connection.ldap.error.codes.retries
Minutes after which OpenAM reestablishes idle persistent search connections
property:
com.sun.am.event.connection.idle.timeout
Persistent search connections OpenAM can disable
property:
com.sun.am.event.connection.disable.list
Maximum number of attempts to reestablish LDAP connections
property:
com.iplanet.am.ldap.connection.num.retries
Milliseconds between attempts to reestablish LDAP connections
property:
com.iplanet.am.ldap.connection.delay.between.retries
LDAP error codes for which OpenAM retries rather than returning failure
property:
com.iplanet.am.ldap.connection.ldap.error.codes.retries
Cache size used if SDK caching is enabled
property:
com.iplanet.am.sdk.cache.maxSize
Maximum number of attempts to retrieve entries returned as not found
property:
com.iplanet.am.replica.num.retries
Milliseconds between attempts to retrieve entries through the SDK
property:
com.iplanet.am.replica.delay.between.retries
If no, then cache entries expire based on User Entry Expiration Time
property:
com.iplanet.am.sdk.cache.entry.expire.enabled
Minutes user entries remain valid after modification. When OpenAM accesses a user entry that has expired, it rereads the entry from the directory server.
property:
com.iplanet.am.sdk.cache.entry.user.expire.time
Minutes non-user entries remain valid after modification
property:
com.iplanet.am.sdk.cache.entry.default.expire.time
Servers > Directory Configuration
Use this tab to change connection settings and add additional LDAP configuration directory server instances.
Set the minimum number of connections in the pool.
Set the maximum number of connections in the pool.
Set the bind DN to connect to the configuration directory servers.
Set the bind password to connect to the configuration directory servers.
Servers > CTS
The Core Token Service (CTS) does not need to be configured in the same LDAP storage as the external or embedded user store. The CTS can instead be configured on its own external directory server. There are some specific requirements for indexing and replication which need to be accounted for. In particular, WAN replication is an important consideration which needs to be handled carefully for optimum performance.
You may also choose to set advanced properties related to token size, including com.sun.identity.session.repository.enableEncryption, com.sun.identity.session.repository.enableCompression, and com.sun.identity.session.repository.enableAttributeCompression. These properties are described in the following section, Servers > Advanced.
If selected, CTS tokens are stored in the same external or embedded datastore that is used for the OpenAM configuration store. If you use the default token store, you can only configure the Root Suffix, which is associated with the Directory Configuration tab of the individual servers.
If you use OpenDJ, you can separate the CTS from the configuration on different external servers. On the external CTS server, you can also configure token schema and indexes.
For either the default or external token stores, enter the base DN for CTS storage information in LDAP format, such as dc=cts,dc=forgerock,dc=com. The Root Suffix would be a database that can be maintained and replicated separately from the standard user datastore.
Access the directory service using StartTLS or LDAPS.
The hostname of the external server.
Specifies the TCP/IP port number used for communication to the external datastore, such as 389 for LDAP.
Specifies the user, in DN format, needed to authenticate. The user needs sufficient privileges to read and write to the root suffix of the external datastore.
Specifies the password associated with the Login Id.
Specifies the maximum number of remote connections to the external datastore.
Specifies how often OpenAM should send a heartbeat request to the directory server to ensure that the connection does not remain idle, in seconds. Default: 10.
Servers > Advanced
Use this page to set advanced properties directly. A partial list of advanced properties follows.
For a list of inherited advanced properties, see the table under the Advanced tab for Default Server Settings.
com.iplanet.am.cookie.c66Encode
Properly URL encode session tokens.
Default: true
com.iplanet.am.cookie.timeToLive
iplanetDirectoryPro cookie lifetime if persistent, in hours
Default: 24
com.iplanet.am.daemons
Modules for which to open daemons at OpenAM startup.
Default: securid
com.iplanet.am.directory.ssl.enabled
Whether to connect to the configuration directory server over LDAPS.
Default: false
com.iplanet.am.installdir
OpenAM configuration and log file location.
Default: ~/openam/server-uri, such as ~/openam/openam
com.iplanet.am.jssproxy.checkSubjectAltName
When using JSS, check whether the name values in the SubjectAltName certificate extension match the server FQDN.
Default: false
com.iplanet.am.jssproxy.resolveIPAddress
When using JSS, check that the IP address of the server resolves to the host name.
Default: false
com.iplanet.am.jssproxy.SSLTrustHostList
When using JSS, comma-separated list of server FQDNs to trust if they match the certificate CN, even if the domain name is not correct.
com.iplanet.am.jssproxy.trustAllServerCerts
When using JSS, set to true to trust whatever certificate is presented without checking.
Default: true
com.iplanet.am.lbcookie.name
Used with sticky load balancers that can inspect the cookie value.
Default: amlbcookie
com.iplanet.am.lbcookie.value
Used with sticky load balancers that can inspect the cookie value. Set this property to a unique value if your load balancer requires it. Restart OpenAM for the change to take effect.
Default: 01
com.iplanet.am.pcookie.name
Persistent cookie name.
Default: DProPCookie
com.iplanet.am.profile.host
Not used
Default: server-host, such as openam.example.com
com.iplanet.am.profile.port
Not used
Default: server-port, such as 8080 or 8443
com.iplanet.am.session.agentSessionIdleTime
Time in minutes after which a policy agent session expires.
Default: 0, meaning never time out. Range is 0-30 (minutes).
com.iplanet.am.session.client.polling.enable
Whether client applications such as policy agents poll for configuration changes. If false, then OpenAM notifies clients about changes.
Default: false
com.iplanet.am.session.client.polling.period
If client applications poll for changes, number of seconds between polls.
Default: 180
com.iplanet.am.session.failover.cluster.stateCheck.period
Time in milliseconds between health checks of other servers in the same site.
Default: 1000
com.iplanet.am.session.failover.cluster.stateCheck.timeout
Socket timeout in milliseconds for health checks of other servers in the same site.
Default: 1000
com.iplanet.am.session.httpSession.enabled
Create an HttpSession for users on successful authentication.
Default: true
com.iplanet.security.SSLSocketFactoryImpl
SSL socket factory implementation used by OpenAM.
Default: com.sun.identity.shared.ldap.factory.JSSESocketFactory, which uses a pure Java provider
com.iplanet.services.cdc.invalidGotoStrings
Strings that OpenAM rejects as values in goto query string parameters.
Default: <,>javascript:,javascript%3a,%3c,%3e
com.sun.embedded.replicationport
Replication port for embedded OpenDJ directory server.
Default: 8989
com.sun.embedded.sync.servers
Whether to replicate data between embedded directory servers.
Default: on
com.sun.identity.am.cookie.check
Whether to check for cookie support in the user agent, and if not to return an error.
Default: false
com.sun.identity.appendSessionCookieInURL
Whether to append the session cookie to URL for a zero page session.
Default: true
com.sun.identity.auth.cookieName
Cookie used by the OpenAM authentication service to handle the authentication process.
Default: AMAuthCookie
com.sun.identity.authentication.client.ipAddressHeader
Set the name of the HTTP header that OpenAM can examine to learn the client IP address when requests go through a proxy or load balancer. (When requests go through an HTTP proxy or load balancer, checking the IP address on the request alone returns the address of the proxy or load balancer rather than that of the client.) OpenAM must be able to trust the proxy or load balancer to set the client IP address correctly in the header specified.
Example: com.sun.identity.authentication.client.ipAddressHeader=X-Forwarded-For
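Added illustration in Python (not OpenAM code) of why the header's source must be trusted: the header named by this property is honored only when the direct peer is on a trusted-proxy list, and the resolved address is what a check such as com.iplanet.am.clientIPCheckEnabled would bind an SSO token to. The trusted networks, the sample addresses and the SsoToken class are constructed for the example; OpenAM's actual token format is not shown on this page.

```python
from ipaddress import ip_address, ip_network

# Value of com.sun.identity.authentication.client.ipAddressHeader from the page.
IP_ADDRESS_HEADER = "X-Forwarded-For"

# Constructed allow-list of load balancers/proxies permitted to set the header.
# This list is an assumption of the example; it makes the trust decision explicit.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("192.0.2.10/32")]


def is_trusted_proxy(addr: str) -> bool:
    """True when addr falls inside one of the trusted proxy networks."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, headers: dict) -> str:
    """Determine the client address for a request.

    The header is consulted only when the TCP peer is a trusted proxy; on a
    direct connection the header could have been written by the client and is
    ignored. Each proxy appends the address it saw, so the list is walked from
    the right: trusted hops are skipped and the first address that is not a
    trusted proxy is taken as the client.
    """
    if not is_trusted_proxy(peer_addr):
        return peer_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get(IP_ADDRESS_HEADER.lower(), "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop):
            return hop
    return peer_addr  # header missing, or every hop is a trusted proxy


class SsoToken:
    """Constructed stand-in for an SSO token bound to a client address."""

    def __init__(self, token_id: str, bound_ip: str):
        self.token_id = token_id
        self.bound_ip = bound_ip


def create_token(token_id: str, peer_addr: str, headers: dict) -> SsoToken:
    """Bind a new token to the client address resolved at creation time."""
    return SsoToken(token_id, client_ip(peer_addr, headers))


def validate_token(token: SsoToken, peer_addr: str, headers: dict,
                   client_ip_check_enabled: bool = True) -> bool:
    """Mirror com.iplanet.am.clientIPCheckEnabled: with the check on, a token
    presented from a different client address is rejected."""
    if not client_ip_check_enabled:
        return True
    return client_ip(peer_addr, headers) == token.bound_ip
```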
com.sun.identity.authentication.multiple.tabs.used
Whether to allow users to open many browser tabs to the login page at the same time without encountering an error.
Default: false
com.sun.identity.authentication.setCookieToAllDomains
Whether to allow multiple cookie domains.
Default: true
com.sun.identity.authentication.special.users
List of special users always authenticated against the local directory server.
Default: cn=dsameuser,ou=DSAME Users,|cn=amService-UrlAccessAgent,ou=DSAME Users,
com.sun.identity.authentication.super.user
OpenAM privileged administrator user.
Default: uid=amAdmin,ou=People,
com.sun.identity.authentication.uniqueCookieName
When cookie hijacking protection is configured, name of the cookie holding the URL to the OpenAM server that authenticated the user.
Default: sunIdentityServerAuthNServer
com.sun.identity.client.notification.url
Notification service endpoint for clients such as policy agents.
Default: server-protocol://server-host:server-port/server-uri/notificationservice, such as https://openam.example.com:8443/openam/notificationservice
com.sun.identity.common.systemtimerpool.size
Number of threads in the shared system timer pool used to schedule operations such as session timeout.
Default: 3
com.sun.identity.cookie.httponly
When set to true, mark cookies as HTTPOnly to prevent scripts and third-party programs from accessing the cookies.
Default: false
com.sun.identity.enableUniqueSSOTokenCookie
If true, then OpenAM is using protection against cookie hijacking.
Default: false
com.sun.identity.jss.donotInstallAtHighestPriority
Whether JSS should take priority over other providers.
Default: true
com.sun.identity.monitoring
Whether monitoring is active for OpenAM.
Default: off
com.sun.identity.monitoring.local.conn.server.url
URL for local connection to the monitoring service.
Default: service:jmx:rmi://
com.sun.identity.password.deploymentDescriptor
Internal property used by OpenAM.
Default: server-uri, such as openam
com.sun.identity.policy.Policy.policy_evaluation_weights
Weights of the cost of evaluating policy subjects, rules, and conditions. Evaluation is in order of heaviest weight to lightest weight.
Default: 10:10:10, meaning evaluation of rules, then conditions, then subjects
com.sun.identity.policy.resultsCacheMaxSize
Maximum number of policy decisions OpenAM caches.
Default: 10000
com.sun.identity.server.fqdnMap
Enables virtual hosts, partial hostname and IP address. Maps invalid or virtual name keys to valid FQDN values for proper redirection.
To map myserver to myserver.example.com, set com.sun.identity.server.fqdnMap[myserver]=myserver.example.com.
com.sun.identity.session.repository.enableEncryption
Enables tokens to be encrypted when stored.
Multi-instance deployments require consistent use of this property, which should be set under Servers and Sites > Default Server Settings > Advanced. The am.encryption.pwd property must also be the same for all deployed instances. The am.encryption.pwd property is under Servers and Sites > Server > Security > Password Encryption Key. You will need to verify that all servers have the same setting for this property as the default server.
Default: false
com.sun.identity.urlchecker.dorequest
Whether to perform an HTTP GET on com.sun.identity.urlchecker.targeturl as a health check against another server in the same site. If false, then OpenAM only checks the Socket connection, and does not perform an HTTP GET.
If each OpenAM server runs behind a reverse proxy, then setting this property to true means the health check actually runs against the OpenAM instance, rather than checking only the Socket to the reverse proxy.
Default: false
com.sun.identity.urlchecker.targeturl
URL to monitor when com.sun.identity.urlchecker.dorequest is set to true.
Default: URL to the /openam/namingservice endpoint on the remote server
com.sun.identity.security.checkcaller
Whether to perform a Java security permissions check for OpenAM.
Default: false
com.sun.identity.session.repository.enableEncryption
For CTS token encryption, if desired.
Default: false
com.sun.identity.session.repository.enableCompression
For GZip-based compression of CTS tokens, if desired.
Default: false
com.sun.identity.session.repository.enableAttributeCompression
For additional compression of CTS token JSON binaries, beyond GZip, if desired.
Default: false
com.sun.identity.sm.cache.ttl
When service configuration caching time-to-live is enabled, this sets the time to live in minutes.
Default: 30
com.sun.identity.sm.cache.ttl.enable
If service configuration caching is enabled, whether to enable a time-to-live for cached configuration.
Default: false
com.sun.identity.sm.flatfile.root_dir
File system directory to hold file-based representation of OpenAM configuration.
Default: ~/openam/server-uri/sms, such as ~/openam/openam/sms
com.sun.identity.sm.sms_object_class_name
Class used to read and write OpenAM service configuration entries in the directory.
Default: com.sun.identity.sm.ldap.SMSEmbeddedLdapObject
com.sun.identity.url.readTimeout
Used to set the read timeout in milliseconds for HTTP and HTTPS connections to other servers.
Default: 30000
com.sun.identity.urlchecker.dorequest
Allows the OpenAM ClusterStateService to work with HTTPS endpoints.
Default: true
com.sun.identity.urlconnection.useCache
Whether to cache documents for HTTP and HTTPS connections to other servers.
Default: false
com.sun.identity.webcontainer
Name of the web container to correctly set character encoding, if necessary.
Default: WEB_CONTAINER
console.privileged.users
Used to assign privileged console access to particular users. Set to a | separated list of users' Universal IDs.
Example: console.privileged.users=uid=demo,ou=user,|uid=demo2,ou=user,
openam.auth.destroy_session_after_upgrade
Whether to destroy the old session after a session is successfully upgraded.
Default: true
openam.auth.distAuthCookieName
Cookie used by the OpenAM distributed authentication service to handle the authentication process.
Default: AMDistAuthCookie
openam.auth.session_property_upgrader
Class that controls which session properties are copied during session upgrade, where default is to copy all properties to the upgraded session.
Default: org.forgerock.openam.authentication.service.DefaultSessionPropertyUpgrader
openam.auth.version.header.enabled
The X-DSAMEVersion HTTP header provides detailed information about the version of OpenAM currently running on the system, including the build and the date and time of the build. Restart OpenAM after enabling this property for it to take effect.
Default: false
openam.authentication.ignore_goto_during_logout
Whether to ignore the goto query string parameter on logout, instead displaying the logout page.
Default: false
openam.cdm.default.charset
Character set used for globalization.
Default: UTF-8
openam.forbidden.to.copy.headers
Comma-separated list of HTTP headers not to copy when the distributed authentication server forwards a request to another distributed authentication server.
Default: connection
openam.forbidden.to.copy.request.headers
Comma-separated list of HTTP headers not to copy when the distributed authentication server forwards a request to another distributed authentication server.
Default: connection
openam.retained.http.headers
Comma-separated list of HTTP headers to copy to the forwarded response when the server forwards a request to another server.
Requests are forwarded when the server receiving the request is not the server that originally initiated authentication. The server that originally initiated authentication is identified by a cookie.
When the distributed authentication service (DAS) is in use, then the cookie is the AMDistAuthCookie that identifies the DAS server by its URL.
When authentication is done directly on OpenAM, then the cookie is the AMAuthCookie that holds a session ID that identifies the OpenAM server.
On subsequent requests the server receiving the request checks the cookie. If the cookie identifies another server, the current server forwards the request to that server.
If a header such as Cache-Control has been included in the list of values for the property openam.retained.http.request.headers and the header must also be copied to the response, then add it to the list of values for this property.
Example: openam.retained.http.headers=X-DSAMEVersion,Cache-Control
Default: X-DSAMEVersion
openam.retained.http.request.headers
Comma-separated list of HTTP headers to copy to the forwarded request when the server forwards a request to another server.
Requests are forwarded when the server receiving the request is not the server that originally initiated authentication. The server that originally initiated authentication is identified by a cookie.
When the distributed authentication service (DAS) is in use, then the cookie is the AMDistAuthCookie that identifies the DAS server by its URL.
When authentication is done directly on OpenAM, then the cookie is the AMAuthCookie that holds a session ID that identifies the OpenAM server.
On subsequent requests the server receiving the request checks the cookie. If the cookie identifies another server, the current server forwards the request to that server.
When configuring the distributed authentication service, or when a reverse proxy is set up to provide the client IP address in the X-Forwarded-For header, if your deployment includes multiple OpenAM servers, then this property must be set to include the header.
Example: openam.retained.http.request.headers=X-DSAMEVersion,X-Forwarded-For
OpenAM copies the header when forwarding a request to the authoritative server where the client originally began the authentication process, so that the authoritative OpenAM server receiving the forwarded request can determine the real client IP address.
In order to retain headers to return in the response to the OpenAM server that forwarded the request, use the property openam.retained.http.headers.
Default: X-DSAMEVersion
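Added example in Python (not OpenAM's own implementation) of the forwarding rules that openam.retained.http.headers, openam.retained.http.request.headers and the openam.forbidden.to.copy.* properties describe: a header is copied only when it is on the retained list and not on the forbidden list (the precedence is an assumption; the page does not say which list wins), and the AMDistAuthCookie decides whether a request must be forwarded at all. The server URLs and sample headers are constructed; the default value for the request list, shown in the second assertion, drops X-Forwarded-For, which is why the page says the header must be added.

```python
# Property values from this page: the X-Forwarded-For and Cache-Control
# examples for the retained lists, and the defaults for the forbidden lists.
RETAINED_REQUEST_HEADERS = "X-DSAMEVersion,X-Forwarded-For"
RETAINED_RESPONSE_HEADERS = "X-DSAMEVersion,Cache-Control"
FORBIDDEN_REQUEST_HEADERS = "connection"
FORBIDDEN_RESPONSE_HEADERS = "connection"
DIST_AUTH_COOKIE = "AMDistAuthCookie"


def parse_header_list(value: str) -> set:
    """Comma-separated property value -> set of lower-cased header names."""
    return {h.strip().lower() for h in value.split(",") if h.strip()}


def select_headers(headers: dict, retained: str, forbidden: str) -> dict:
    """Copy the headers named in retained, minus those named in forbidden.

    Assumption: a name on both lists is not copied. Names match
    case-insensitively; the original spelling of copied headers is kept.
    """
    keep = parse_header_list(retained) - parse_header_list(forbidden)
    return {name: value for name, value in headers.items() if name.lower() in keep}


def forward_request_headers(incoming: dict,
                            retained: str = RETAINED_REQUEST_HEADERS,
                            forbidden: str = FORBIDDEN_REQUEST_HEADERS) -> dict:
    """Headers the receiving server copies onto the request it forwards."""
    return select_headers(incoming, retained, forbidden)


def relay_response_headers(upstream: dict,
                           retained: str = RETAINED_RESPONSE_HEADERS,
                           forbidden: str = FORBIDDEN_RESPONSE_HEADERS) -> dict:
    """Headers copied from the authoritative server's response to the client."""
    return select_headers(upstream, retained, forbidden)


def forwarding_target(cookies: dict, this_server_url: str):
    """URL of the DAS server that began authentication, or None when this
    server is authoritative (no cookie, or the cookie names this server).

    Assumption: the cookie value is the server URL and is compared literally,
    following the page's statement that it identifies the DAS server by URL.
    """
    origin = cookies.get(DIST_AUTH_COOKIE)
    if origin is None or origin == this_server_url:
        return None
    return origin
```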
openam.session.allow_persist_am_cookie
If true, users can extend the lifetime of the iplanetDirectoryPro cookie to com.iplanet.am.cookie.timeToLive on a per-session basis, by using the query string parameter openam.session.persist_am_cookie=Yes.
openam.session.case.sensitive.uuid
Whether universal user IDs are considered case sensitive when matching them.
Default: false
openam.session.persist_am_cookie
If true, extend the lifetime of the iplanetDirectoryPro cookie to com.iplanet.am.cookie.timeToLive.
Default: false
openam.session.useLocalSessionsInMultiServerMode
This property is for use in multi-server deployments where session failover is not available. If true, calculate session quotas per server. In other words, if the session quota is 5 sessions and users can access up to 4 servers, they can have a maximum of 20 (5 * 4) sessions.
Default: false
opensso.protocol.handler.pkgs
If the web application container sets java.protocol.handler.pkgs, then set this property to com.sun.identity.protocol.
org.forgerock.embedded.dsadminport
Administration port for embedded OpenDJ directory server.
Default: 4444
org.forgerock.openam.authentication.accountExpire.days
Days until account expiration set after successful authentication by the account expiration post authentication plugin.
Default: 30
securidHelper.ports
Port on which SecurID daemon listens.
Default: 58943
ssoadm.disabled
Set to false to enable ssoadm.jsp.
Default: true
Sites
Sites involve multiple OpenAM servers working together to provide services. You can use sites with load balancers and session failover to configure pools of servers capable of responding to client requests in highly available fashion.
Set the primary entry point to the site, such as the URL to the load balancer for the site configuration.
Set alternate entry points to the site. Used when session failover is configured.
Shows the list of OpenAM servers in the site.