Under Configuration > System, you can change OpenAM settings for server logging, monitoring, service URL naming, locale, cookie domain, and how OpenAM detects specific clients.
Client Detection
OpenAM can detect client user agents by their HTTP requests.
ssoadm service name:
iPlanetAMClientDetection
If no specific match is found for the client type, then this type is used. The default is genericHTML, suitable for supported browsers.
ssoadm attribute:
iplanet-am-client-detection-default-client-type
The client detection plugin must implement the com.iplanet.services.cdm.ClientDetectionInterface.
Client type is a name that uniquely identifies the client to OpenAM.
The plugin scans HTTP requests to determine the client type.
ssoadm attribute:
iplanet-am-client-detection-class
If this is enabled, then OpenAM needs an appropriate client detection class implementation, and the authentication user interface must be appropriate for the clients detected.
ssoadm attribute:
iplanet-am-client-detection-enabled
Logging
You configure global OpenAM logging settings on this page.
ssoadm service name:
iPlanetAMLoggingService
Sets the maximum log file size in bytes.
ssoadm attribute:
iplanet-am-logging-max-file-size
Sets the number of history files for each log that OpenAM keeps, including time-based histories. The previously live file is moved to be included in the history count, and a new log is created to serve as the live log file. Any log file in the history count that goes over the number specified here will be deleted. For time-based logs, a new set of logs will be created when OpenAM is started because of the time-based file names that are used.
ssoadm attribute:
iplanet-am-logging-num-hist-file
Set this if you want to add a prefix to log files governed by time-based log rotation.
ssoadm attribute:
openam-logging-file-prefix
Set this if you want to change the suffix for log files governed by time-based log rotation. You can use SimpleDateFormat patterns. The default is -MM.dd.yy-kk.mm.
ssoadm attribute:
openam-logging-file-suffix
This property is interpreted to determine the location of log files, taking either a file system location or a JDBC URL. The default is %BASE_DIR%/%SERVER_URI%/log/.
ssoadm attribute:
iplanet-am-logging-location
Set this to INACTIVE to disable the logging system.
ssoadm attribute:
logstatus
Enable this to have OpenAM perform a DNS host lookup to populate the host name field for log records. OpenAM requires DNS on the host where it runs. Enabling this feature increases the load on the logging system.
ssoadm attribute:
resolveHostName
Set this to DB to log to a database. Default: File. If you choose DB then be sure to set the connection attributes correctly, including the JDBC driver to use.
ssoadm attribute:
iplanet-am-logging-type
When logging to a database, set this to the user name used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.
ssoadm attribute:
iplanet-am-logging-db-user
When logging to a database, set this to the password used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.
ssoadm attribute:
iplanet-am-logging-db-password
When logging to a database, set this to the class name of the JDBC driver used to connect to the database. The default is for Oracle. OpenAM also works with the MySQL database driver.
ssoadm attribute:
iplanet-am-logging-db-driver
Select the fields OpenAM includes in log messages using this attribute. By default all fields are included in log messages.
ssoadm attribute:
iplanet-am-logging-logfields
When secure logging is enabled, set this to how often OpenAM verifies log file content (in seconds).
ssoadm attribute:
iplanet-am-logging-verify-period-in-seconds
When secure logging is enabled, set this to how often OpenAM signs log file content (in seconds).
ssoadm attribute:
iplanet-am-logging-signature-period-in-seconds
Set this to ON to enable the secure logging system whereby OpenAM digitally signs and verifies log files. You must also set up the Logging Certificate Store for this feature to function.
ssoadm attribute:
iplanet-am-logging-security-status
Set this to the algorithm used for digitally signing log records.
ssoadm attribute:
iplanet-am-logging-secure-signing-algorithm
The secure logging system uses the certificate with alias Logger that it finds in the key store specified by this path. The default is %BASE_DIR%/%SERVER_URI%/Logger.jks.
ssoadm attribute:
iplanet-am-logging-secure-certificate-store
Set this to the maximum number of records read from the logs through the Logging API.
ssoadm attribute:
iplanet-am-logging-max-records
Set this to the number of files to be archived by the secure logging system.
ssoadm attribute:
iplanet-am-logging-files-per-keystore
The number of log messages buffered in memory before OpenAM flushes them to the log file or the database.
ssoadm attribute:
iplanet-am-logging-buffer-size
Set this to the maximum number of log records to hold in memory if the database to which records are logged is unavailable. If the value is less than Buffer Size, that value takes precedence.
ssoadm attribute:
sun-am-logging-db-max-in-mem
Set the time in seconds that OpenAM buffers log messages in memory before flushing the buffer when Time Buffering is ON. The default is 60 seconds.
ssoadm attribute:
iplanet-am-logging-buffer-time-in-seconds
Set this to OFF to cause OpenAM to write each log message separately rather than the default of holding messages in a memory buffer that OpenAM flushes periodically, as specified using the Buffer Time attribute.
ssoadm attribute:
iplanet-am-logging-time-buffering-status
Set the log level for OpenAM. OFF is equivalent to setting the status to INACTIVE.
ssoadm attribute:
sun-am-log-level
Monitoring
You enable OpenAM monitoring by using these attributes.
ssoadm service name:
iPlanetAMMonitoringService
Enable monitoring using this attribute.
ssoadm attribute:
iplanet-am-monitoring-enabled
Set the port number for the HTML monitoring interface.
ssoadm attribute:
iplanet-am-monitoring-http-port
Enable the HTML monitoring interface using this attribute.
ssoadm attribute:
iplanet-am-monitoring-http-enabled
Set this to the path of the file containing the user name and password used to protect access to monitoring information. The default user name and password combination is demo and changeit. You can encode a new password using the ampassword command.
ssoadm attribute:
iplanet-am-monitoring-authfile-path
Set the port number for the JMX monitoring interface.
ssoadm attribute:
iplanet-am-monitoring-rmi-port
Enable the JMX monitoring interface using this attribute.
ssoadm attribute:
iplanet-am-monitoring-rmi-enabled
Set the port number for the SNMP monitoring interface.
ssoadm attribute:
iplanet-am-monitoring-snmp-port
Enable the SNMP monitoring interface using this attribute.
ssoadm attribute:
iplanet-am-monitoring-snmp-enabled
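The following is an added example, not part of the OpenAM documentation: a shell function that reviews a dump of the logging and monitoring attributes described above and reports settings that weaken the audit trail or open a monitoring listener. It assumes the attributes have been exported as one attribute=value pair per line with booleans written as true or false; the function names, finding labels and sample values are constructed for illustration.

```shell
# Added example: audit exported OpenAM logging/monitoring attributes.
# Assumed input: "attribute=value" per line, booleans as true/false.
audit_openam_attrs() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            v[key] = val
        }
        function on(k) { return tolower(v[k]) == "true" }
        END {
            # Logging switched off entirely (either attribute has this effect).
            if (toupper(v["logstatus"]) == "INACTIVE" || toupper(v["sun-am-log-level"]) == "OFF")
                print "LOGGING_DISABLED"
            # Log files are not signed or verified.
            if (toupper(v["iplanet-am-logging-security-status"]) != "ON")
                print "SECURE_LOGGING_OFF"
            # Database logging expects a JDBC URL as the log location.
            if (toupper(v["iplanet-am-logging-type"]) == "DB" && v["iplanet-am-logging-location"] !~ /^jdbc:/)
                print "DB_LOGGING_LOCATION_NOT_JDBC"
            # Each enabled monitoring interface is a listening port to review.
            n = split("http rmi snmp", ifs, " ")
            for (i = 1; i <= n; i++)
                if (on("iplanet-am-monitoring-" ifs[i] "-enabled"))
                    print "MONITORING_" toupper(ifs[i]) "_ENABLED port=" v["iplanet-am-monitoring-" ifs[i] "-port"]
        }
    ' "$@"
}

# Constructed sample input; values are illustrative, not real output.
sample_attrs() {
    cat <<'EOF'
# constructed sample
logstatus=ACTIVE
sun-am-log-level=INFO
iplanet-am-logging-type=DB
iplanet-am-logging-location=/opt/openam/log/
iplanet-am-logging-security-status=OFF
iplanet-am-monitoring-http-enabled=true
iplanet-am-monitoring-http-port=8082
iplanet-am-monitoring-rmi-enabled=false
EOF
}

sample_attrs | audit_openam_attrs
```

For any interface reported as enabled, also confirm that the file named by iplanet-am-monitoring-authfile-path no longer holds the default demo and changeit combination.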
Naming
You can configure URLs for service endpoints.
ssoadm service name:
iPlanetAMNamingService
Set the endpoint used by the profile service.
This attribute is deprecated.
ssoadm attribute:
iplanet-am-naming-profile-url
Set the endpoint used by the session service.
ssoadm attribute:
iplanet-am-naming-session-url
Set the endpoint used by the logging service.
ssoadm attribute:
iplanet-am-naming-logging-url
Set the endpoint used by the policy service.
ssoadm attribute:
iplanet-am-naming-policy-url
Set the endpoint used by the authentication service.
ssoadm attribute:
iplanet-am-naming-auth-url
Set the SAML v1 endpoint.
ssoadm attribute:
iplanet-am-naming-samlawareservlet-url
Set the endpoint used by the SAML v1 SOAP service.
ssoadm attribute:
iplanet-am-naming-samlsoapreceiver-url
Set the SAML v1 Web Profile endpoint.
ssoadm attribute:
iplanet-am-naming-samlpostservlet-url
Set the endpoint used by the SAML v1 assertion service.
ssoadm attribute:
iplanet-am-naming-samlassertionmanager-url
Set the endpoint used by the ID-FF assertion manager service.
ssoadm attribute:
iplanet-am-naming-fsassertionmanager-url
Set the STS endpoint.
ssoadm attribute:
iplanet-am-naming-securitytokenmanager-url
Set the JAXRPC endpoint used by remote IDM/SMS APIs.
ssoadm attribute:
iplanet-am-naming-jaxrpc-url
Set the endpoint for Identity WSDL services.
ssoadm attribute:
sun-naming-idsvcs-jaxws-url
Set the endpoint used for Identity REST services.
ssoadm attribute:
sun-naming-idsvcs-rest-url
Set the STS endpoint.
ssoadm attribute:
sun-naming-sts-url
Set the STS MEX endpoint.
ssoadm attribute:
sun-naming-sts-mex-url
Platform
You can configure the default locale and list of cookie domains.
ssoadm service name:
iPlanetAMPlatformService
Set the fallback locale used when the user locale cannot be determined.
ssoadm attribute:
iplanet-am-platform-locale
Set the list of domains into which OpenAM writes cookies. If you set multiple cookie domains, OpenAM still only sets the cookie in the domain the client uses to access OpenAM. You can also configure cross domain single sign on (CDSSO) to allow single sign on across multiple domains managed by your organization. See the Administration Guide chapter on Configuring Cross-Domain Single Sign On for details.
ssoadm attribute:
iplanet-am-platform-cookie-domains