Chapter 1. Configuration Reference

Table of Contents
1.1. Authentication Configuration
1.2. Console Configuration
1.3. System Configuration
1.4. Global Configuration
1.5. Servers and Sites Configuration

This chapter covers OpenAM configuration properties accessible through the Configuration tab of the console, most of which can be set by using the ssoadm command. The chapter is organized to follow the OpenAM console layout.

1.1. Authentication Configuration

Under Configuration > Authentication you can configure authentication services globally using the same attributes you use to configure authentication modules per realm under Access Control > Realm Name > Authentication > Module Instances, and described in the Administration Guide chapter on Defining Authentication Services.

The primary difference is that when configuring services globally, you set the default values to be used when a module is configured further for a specific realm.

The Core Authentication module includes some fields under this tab that are not available through the realm changes under the Access Control tab. Because attributes set under the Configuration tab apply on a server level, the changes you make here will apply to all realms. Attributes set under the Access Control tab only apply to the realms that you specify. The Authentication table under the Configuration tab lists all existing types of modules available for configuration, including any customized modules you have added.

The following are the global fields you can configure for the Core Authentication module under the Configuration tab.

Pluggable Authentication Module Classes

Add class names for custom authentication modules to this list.

ssoadm attribute: iplanet-am-auth-authenticators

LDAP Connection Pool Size, Default LDAP Connection Pool Size

Sets a minimum and maximum number of LDAP connections in the pool for connecting to a directory server. When tuning for production, start with 10:65 (10 minimum, 65 maximum). Explicit settings for specific servers override the default.

This attribute is for LDAP and Membership authentication services only.

This connection pool is different than the SDK connection pool configured in serverconfig.xml.

ssoadm attributes: iplanet-am-auth-ldap-connection-pool-size, and iplanet-am-auth-ldap-connection-pool-default-size
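
As an added example that is not part of the OpenAM documentation or product, the following POSIX shell script checks a pool size in the min:max form described above before writing it as the global default with ssoadm set-attr-defs. The service name iPlanetAMAuthService, the SSOADM, ADMIN_ID and PASSWORD_FILE variables, and the per-server override note are assumptions of the example rather than statements from this page.

```shell
#!/bin/sh
# Added example, not code from the OpenAM project: set the global default
# LDAP connection pool size for the Core Authentication service.
#
# Assumptions (not stated on this page):
#   AUTH_SERVICE   ssoadm service name of the Core Authentication service
#   SSOADM         path to the ssoadm script (override via environment)
#   PASSWORD_FILE  file holding the amadmin password, mode 0400

SSOADM="${SSOADM:-ssoadm}"
ADMIN_ID="${ADMIN_ID:-amadmin}"
PASSWORD_FILE="${PASSWORD_FILE:-/tmp/pwd.txt}"
AUTH_SERVICE="${AUTH_SERVICE:-iPlanetAMAuthService}"   # assumed service name

# Accept "min:max" (for example 10:65), reject anything else, and print the
# validated value on success so callers can capture it.
validate_pool_size() {
    spec="$1"
    case "$spec" in
        *:*) ;;
        *) echo "pool size must be min:max, got '$spec'" >&2; return 1 ;;
    esac
    min="${spec%%:*}"
    max="${spec#*:}"
    for v in "$min" "$max"; do
        case "$v" in
            ''|*[!0-9]*) echo "pool size values must be integers: '$spec'" >&2; return 1 ;;
        esac
    done
    if [ "$min" -lt 1 ] || [ "$min" -gt "$max" ]; then
        echo "need 1 <= min <= max, got min=$min max=$max" >&2
        return 1
    fi
    printf '%s:%s\n' "$min" "$max"
}

# Write the validated value as the global default. Explicit per-server
# settings (iplanet-am-auth-ldap-connection-pool-size) still override it.
set_default_pool_size() {
    size=$(validate_pool_size "$1") || return 1
    "$SSOADM" set-attr-defs \
        --adminid "$ADMIN_ID" \
        --password-file "$PASSWORD_FILE" \
        --servicename "$AUTH_SERVICE" \
        --schematype Global \
        --attributevalues "iplanet-am-auth-ldap-connection-pool-default-size=$size"
}

# Usage: sh set-pool-size.sh 10:65
if [ "$#" -gt 0 ]; then
    set_default_pool_size "$1"
fi
```

The validation step matters because a value such as 65:10 or 0:65 is accepted by the attribute store but leaves the LDAP and Membership modules with an unusable pool; failing before the ssoadm call keeps the stored default consistent.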

Remote Auth Security

Require the authenticating application to send its SSOToken. This allows the Authentication Service to obtain the username and password associated with the application.

ssoadm attribute: sunRemoteAuthSecurityEnabled

Keep Post Process Objects for Logout Processing, Keep Authentication Module Objects for Logout Processing

When enabled, retain objects used to process authentication or post authentication operations in the user session until the user logs out.

ssoadm attributes: sunAMAuthKeepPostProcessInstances, and sunAMAuthKeepAuthModuleIntances

XUI Interface

When enabled, the initial login screen uses the XUI.

ssoadm attribute: openam-xui-interface-enabled

1.2. Console Configuration

Under Configuration > Console you can customize how the OpenAM console appears, and what character sets are used.

Administration

Administration includes both global and realm attributes.

ssoadm service name: iPlanetAMAdminConsoleService

Federation Management

Clear Enabled to disable federation functionality in OpenAM.

ssoadm attribute: iplanet-am-admin-console-liberty-enabled

Maximum Results Returned from Search

Use this attribute to restrict the maximum number of results found in a search, such as a search for user profiles. Increasing the value can negatively impact performance. Note that the default maximum of 100 is a common reason why administrators unaware of this setting do not see all the users they expect in search results.

ssoadm attribute: iplanet-am-admin-console-search-limit

Timeout for Search

Timeout in seconds for a console search. OpenAM returns an error if the search is not completed by the timeout.

ssoadm attribute: iplanet-am-admin-console-search-timeout

Search Return Attribute

List of LDAP attribute types to return in search results. OpenAM sorts users by the first attribute you specify. Use attributes that are actually present in user profiles.

ssoadm attribute: iplanet-am-admin-console-user-return-attribute

Maximum Items Displayed per Page

OpenAM shows a maximum of this many items in a console page before separating the page into multiple screens.

ssoadm attribute: iplanet-am-admin-console-paging-size

Prompt user for old password

If enabled, when the user edits her password in the user view, then OpenAM prompts her for the old password.

ssoadm attribute: iplanet-am-admin-console-password-reset-enabled

Globalization Settings

Globalization settings affect character sets and common name formats. See Localization for a list of supported locales.

ssoadm service name: iPlanetG11NSettings

Charsets Supported by Each Locale

This table lets you configure the order of supported character sets used for each supported locale. Change the settings only if the defaults are not appropriate.

ssoadm attribute: sun-identity-g11n-settings-locale-charset-mapping

Charsets Aliases

Use this list to map between different character set names used in Java and in MIME.

ssoadm attribute: sun-identity-g11n-settings-charset-alias-mapping

Auto Generated Common Name Format

Use this list to configure how OpenAM formats names shown in the console banner.

ssoadm attribute: sun-identity-g11n-settings-common-name-format

1.3. System Configuration

Under Configuration > System, you can change OpenAM settings for server logging, monitoring, service URL naming, locale, cookie domain, and how OpenAM detects specific clients.

Client Detection

OpenAM can detect client user agents by their HTTP requests.

ssoadm service name: iPlanetAMClientDetection

Default Client Type

If no specific match is found for the client type, then this type is used. The default is genericHTML, suitable for supported browsers.

ssoadm attribute: iplanet-am-client-detection-default-client-type

Client Detection Class

The client detection plugin must implement the com.iplanet.services.cdm.ClientDetectionInterface. Client type is a name that uniquely identifies the client to OpenAM. The plugin scans HTTP requests to determine the client type.

ssoadm attribute: iplanet-am-client-detection-class

Enable Client Detection

If this is enabled, then OpenAM needs an appropriate client detection class implementation, and the authentication user interface must be appropriate for the clients detected.

ssoadm attribute: iplanet-am-client-detection-enabled

Logging

You configure global OpenAM logging settings on this page.

ssoadm service name: iPlanetAMLoggingService

Maximum Log Size

Sets the maximum log file size in bytes.

ssoadm attribute: iplanet-am-logging-max-file-size

Number of History Files

Sets the number of history files for each log that OpenAM keeps, including time-based histories. The previously live file is moved to be included in the history count, and a new log is created to serve as the live log file. Any log file in the history count that goes over the number specified here will be deleted. For time-based logs, a new set of logs will be created when OpenAM is started because of the time-based file names that are used.

ssoadm attribute: iplanet-am-logging-num-hist-file

Logfile Rotation Prefix

Set this if you want to add a prefix to log files governed by time-based log rotation.

ssoadm attribute: openam-logging-file-prefix

Logfile Rotation Suffix

Change this if you want to change the suffix for log files governed by time-based log rotation. You can use SimpleDateFormat patterns. The default is -MM.dd.yy-kk.mm.

ssoadm attribute: openam-logging-file-suffix

Log File Location

This property is interpreted to determine the location of log files, taking either a file system location or a JDBC URL. The default is %BASE_DIR%/%SERVER_URI%/log/.

ssoadm attribute: iplanet-am-logging-location

Log Status

Set this to INACTIVE to disable the logging system.

ssoadm attribute: logstatus

Log Record Resolve Host Name

Enable this to have OpenAM perform a DNS host lookup to populate the host name field for log records. OpenAM requires DNS on the host where it runs. Enabling this feature increases the load on the logging system.

ssoadm attribute: resolveHostName

Logging Type

Set this to DB to log to a database. Default: File. If you choose DB then be sure to set the connection attributes correctly, including the JDBC driver to use.

ssoadm attribute: iplanet-am-logging-type

Database User Name

When logging to a database, set this to the user name used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.

ssoadm attribute: iplanet-am-logging-db-user

Database User Password

When logging to a database, set this to the password used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.

ssoadm attribute: iplanet-am-logging-db-password

Database Driver Name

When logging to a database, set this to the class name of the JDBC driver used to connect to the database. The default is for Oracle. OpenAM also works with the MySQL database driver.

ssoadm attribute: iplanet-am-logging-db-driver

Configurable Log Fields

Select the fields OpenAM includes in log messages using this attribute. By default all fields are included in log messages.

ssoadm attribute: iplanet-am-logging-logfields

Log Verification Frequency

When secure logging is enabled, set this to how often OpenAM verifies log file content (in seconds).

ssoadm attribute: iplanet-am-logging-verify-period-in-seconds

Log Signature Time

When secure logging is enabled, set this to how often OpenAM signs log file content (in seconds).

ssoadm attribute: iplanet-am-logging-signature-period-in-seconds

Secure Logging

Set this to ON to enable the secure logging system whereby OpenAM digitally signs and verifies log files. You must also set up the Logging Certificate Store for this feature to function.

ssoadm attribute: iplanet-am-logging-security-status

Secure Logging Signing Algorithm

Set this to the algorithm used for digitally signing log records.

ssoadm attribute: iplanet-am-logging-secure-signing-algorithm

Logging Certificate Store Location

The secure logging system uses the certificate with alias Logger that it finds in the key store specified by this path. The default is %BASE_DIR%/%SERVER_URI%/Logger.jks.

ssoadm attribute: iplanet-am-logging-secure-certificate-store

Maximum Number of Records

Set this to the maximum number of records read from the logs through the Logging API.

ssoadm attribute: iplanet-am-logging-max-records

Number of Files per Archive

Set this to the number of files to be archived by the secure logging system.

ssoadm attribute: iplanet-am-logging-files-per-keystore

Buffer Size

The number of log messages buffered in memory before OpenAM flushes them to the log file or the database.

ssoadm attribute: iplanet-am-logging-buffer-size

DB Failure Memory Buffer Size

Set this to the maximum number of log records to hold in memory if the database to which records are logged is unavailable. If the value is less than Buffer Size, that value takes precedence.

ssoadm attribute: sun-am-logging-db-max-in-mem

Buffer Time

Set the time in seconds that OpenAM buffers log messages in memory before flushing the buffer when Time Buffering is ON. The default is 60 seconds.

ssoadm attribute: iplanet-am-logging-buffer-time-in-seconds

Time Buffering

Set this to OFF to cause OpenAM to write each log message separately rather than the default of holding messages in a memory buffer that OpenAM flushes periodically, as specified using the Buffer Time attribute.

ssoadm attribute: iplanet-am-logging-time-buffering-status

Logging Level

Set the log level for OpenAM. OFF is equivalent to setting the status to INACTIVE.

ssoadm attribute: sun-am-log-level

Monitoring

You enable OpenAM monitoring by using these attributes.

ssoadm service name: iPlanetAMMonitoringService

Monitoring Status

Enable monitoring using this attribute.

ssoadm attribute: iplanet-am-monitoring-enabled

Monitoring HTTP Port

Set the port number for the HTML monitoring interface.

ssoadm attribute: iplanet-am-monitoring-http-port

Monitoring HTTP interface status

Enable the HTML monitoring interface using this attribute.

ssoadm attribute: iplanet-am-monitoring-http-enabled

Monitoring HTTP interface authentication file path

Set this to the path of the file holding the user name and password used to protect access to monitoring information. The default user name and password are demo and changeit; change them before exposing the monitoring interface. You can encode a new password using the ampassword command.

ssoadm attribute: iplanet-am-monitoring-authfile-path

Monitoring RMI Port

Set the port number for the JMX monitoring interface.

ssoadm attribute: iplanet-am-monitoring-rmi-port

Monitoring RMI interface status

Enable the JMX monitoring interface using this attribute.

ssoadm attribute: iplanet-am-monitoring-rmi-enabled

Monitoring SNMP Port

Set the port number for the SNMP monitoring interface.

ssoadm attribute: iplanet-am-monitoring-snmp-port

Monitoring SNMP interface status

Enable the SNMP monitoring interface using this attribute.

ssoadm attribute: iplanet-am-monitoring-snmp-enabled

Naming

You can configure URLs for service endpoints.

ssoadm service name: iPlanetAMNamingService

Profile Service URL

Set the endpoint used by the profile service.

This attribute is deprecated.

ssoadm attribute: iplanet-am-naming-profile-url

Session Service URL

Set the endpoint used by the session service.

ssoadm attribute: iplanet-am-naming-session-url

Logging Service URL

Set the endpoint used by the logging service.

ssoadm attribute: iplanet-am-naming-logging-url

Policy Service URL

Set the endpoint used by the policy service.

ssoadm attribute: iplanet-am-naming-policy-url

Authentication Service URL

Set the endpoint used by the authentication service.

ssoadm attribute: iplanet-am-naming-auth-url

SAML Web Profile/Artifact Service URL

Set the SAML v1 endpoint.

ssoadm attribute: iplanet-am-naming-samlawareservlet-url

SAML SOAP Service URL

Set the endpoint used by the SAML v1 SOAP service.

ssoadm attribute: iplanet-am-naming-samlsoapreceiver-url

SAML Web Profile/POST Service URL

Set the SAML v1 Web Profile endpoint.

ssoadm attribute: iplanet-am-naming-samlpostservlet-url

SAML Assertion Manager Service URL

Set the endpoint used by the SAML v1 assertion service.

ssoadm attribute: iplanet-am-naming-samlassertionmanager-url

Federation Assertion Manager Service URL

Set the endpoint used by the ID-FF assertion manager service.

ssoadm attribute: iplanet-am-naming-fsassertionmanager-url

Security Token Manager URL

Set the STS endpoint.

ssoadm attribute: iplanet-am-naming-securitytokenmanager-url

JAXRPC Endpoint URL

Set the JAXRPC endpoint used by remote IDM/SMS APIs.

ssoadm attribute: iplanet-am-naming-jaxrpc-url

Identity Web Services Endpoint URL

Set the endpoint for Identity WSDL services.

ssoadm attribute: sun-naming-idsvcs-jaxws-url

Identity REST Services Endpoint URL

Set the endpoint used for Identity REST services.

ssoadm attribute: sun-naming-idsvcs-rest-url

Security Token Service Endpoint URL

Set the STS endpoint.

ssoadm attribute: sun-naming-sts-url

Security Token Service MEX Endpoint URL

Set the STS MEX endpoint.

ssoadm attribute: sun-naming-sts-mex-url

Platform

You can configure the default locale and list of cookie domains.

ssoadm service name: iPlanetAMPlatformService

Platform Locale

Set the fallback locale used when the user locale cannot be determined.

ssoadm attribute: iplanet-am-platform-locale

Cookie Domains

Set the list of domains into which OpenAM writes cookies. If you set multiple cookie domains, OpenAM still only sets the cookie in the domain the client uses to access OpenAM. You can also configure cross domain single sign on (CDSSO) to allow single sign on across multiple domains managed by your organization. See the Administration Guide chapter on Configuring Cross-Domain Single Sign On for details.

ssoadm attribute: iplanet-am-platform-cookie-domains

1.4. Global Configuration

Under Configuration > Global you can set defaults for a range of federation services, for password reset, for policy configuration, for session management, and for dynamic user attributes.

Common Federation Configuration

ssoadm service name: sunFAMFederationCommon

Datastore SPI implementation class

Used by the Federation system to access user profile attributes

ssoadm attribute: DatastoreClass

ConfigurationInstance SPI implementation class

Used by the Federation system to access service configuration

ssoadm attribute: ConfigurationClass

Logger SPI implementation class

Used by the Federation system to record log messages

ssoadm attribute: LoggerClass

SessionProvider SPI implementation class

Used by the Federation system to access the session service

ssoadm attribute: SessionProviderClass

Maximum allowed content length

Maximum number of bytes for Federation communications

ssoadm attribute: MaxContentLength

PasswordDecoder SPI implementation class

Used by the Federation system to decode passwords encoded by OpenAM

ssoadm attribute: PasswordDecoderClass

SignatureProvider SPI implementation class

Used by the Federation system to digitally sign SAML documents

ssoadm attribute: SignatureProviderClass

KeyProvider SPI implementation class

Used by the Federation system to access the Java key store

ssoadm attribute: KeyProviderClass

Check presence of certificates

If enabled, OpenAM checks that the partner's signing certificate presented in the XML matches the certificate from the partner's metadata

ssoadm attribute: CheckCert

XML canonicalization algorithm

Algorithm used to render the canonical versions of XML documents

ssoadm attribute: CannonicalizationAlgorithm

XML signature algorithm

Algorithm used to sign XML documents

ssoadm attribute: SignatureAlgorithm

XML transformation algorithm

Algorithm used for XML transformations

ssoadm attribute: TransformationAlgorithm

SAML Error Page URL

OpenAM redirects users here when an error occurs in the SAML2 engine. Users are redirected to absolute URLs, whereas relative URLs are displayed within the request.

ssoadm attribute: SAMLErrorPageURL

SAML Error Page HTTP Binding

Set this either to HTTP-Redirect or to HTTP-POST.

ssoadm attribute: SAMLErrorPageHTTPBinding

Monitoring Agent Provider Class

Used by the Federation system to access the monitoring system

ssoadm attribute: MonAgentClass

Monitoring Provider Class for SAML1

Used by the SAMLv1 engine to access the monitoring system

ssoadm attribute: MonSAML1Class

Monitoring Provider Class for SAML2

Used by the SAML2 engine to access the monitoring system

ssoadm attribute: MonSAML2Class

Monitoring Provider Class for ID-FF

Used by the ID-FF engine to access the monitoring system

ssoadm attribute: MonIDFFClass

Dashboard Configuration

ssoadm service name: dashboardService

Dashboard Class Name

Identifies how to access the application, for example SAML2ApplicationClass for a SAML 2.0 application

ssoadm attribute: dashboardClassName

Dashboard Name

The application name as it will appear to the administrator for configuring the dashboard

ssoadm attribute: dashboardName

Dashboard Display Name

The application name that displays on the dashboard client

ssoadm attribute: dashboardDisplayName

Dashboard Icon

The icon name that will be displayed on the dashboard client identifying the application

ssoadm attribute: dashboardIcon

Dashboard Login

The URL that takes the user to the application

ssoadm attribute: dashboardLogin

Available Dashboard Apps

List of application dashboard names available by default for realms with the Dashboard configured

ssoadm attribute: assignedDashboard

Email Service

ssoadm service name: ForgeRockSendEmailService

Email Message Implementation Class

Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.

Default: org.forgerock.openam.services.email.MailServerImpl

ssoadm attribute: forgerockMailServerImplClassName

Mail Server Host Name

Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.

Default: smtp.gmail.com

ssoadm attribute: forgerockEmailServiceSMTPHostName

Mail Server Host Port

Specifies the port number for the SMTP mail server.

Default: 465

ssoadm attribute: forgerockEmailServiceSMTPHostPort

Mail Server Authentication Username

Specifies the user name for the SMTP mail server.

Default: forgerocksmtp

ssoadm attribute: forgerockEmailServiceSMTPUserName

Mail Server Authentication Password

Specifies the password for the SMTP user name.

ssoadm attribute: forgerockEmailServiceSMTPUserPassword

Mail Server Secure Connection

Specifies whether to connect to the SMTP mail server using SSL.

Default: use SSL (true)

ssoadm attribute: forgerockEmailServiceSMTPSSLEnabled

Email From Address

Specifies the address from which to send email notifications.

Default: no-reply@openam.org

ssoadm attribute: forgerockEmailServiceSMTPFromAddress

Email Attribute Name

Specifies the profile attribute from which to retrieve the end user's email address.

Default: mail

ssoadm attribute: openamEmailAttribute

Email Subject

Specifies a subject for notification messages. If you do not set this, OpenAM does not set the subject for notification messages.

ssoadm attribute: forgerockEmailServiceSMTPSubject

Email Content

Specifies content for notification messages. If you do not set this, OpenAM includes only the confirmation URL in the mail body.

ssoadm attribute: forgerockEmailServiceSMTPMessage

Liberty ID-FF Service Configuration

ssoadm service name: sunFAMIDFFConfiguration

Federation Cookie Name

Cookie name for Liberty ID-FF

ssoadm attribute: FedCookieName

IDP Proxy Finder SPI implementation class

Used by the ID-FF engine to find the IDP proxy

ssoadm attribute: IDPProxyFinderClass

Request cache cleanup interval

Seconds between times OpenAM cleans up the request cache

ssoadm attribute: RequestCacheCleanupInterval

Request cache timeout

Seconds cached requests remain valid

ssoadm attribute: RequestCacheTimeout

IDP Login URL

Login URL for the ID-FF IDP

ssoadm attribute: IDPLoginURL

XML signing on

If yes, require XML signing.

ssoadm attribute: XMLSigningOn

Liberty Interaction Service

ssoadm service name: sunFAMLibertyInteractionService

WSP to redirect user for interaction

ssoadm attribute: WSPWillRedirect

WSP to redirect user for interaction for data

ssoadm attribute: WSPWillRedirectForData

WSP's expected duration for interaction

ssoadm attribute: WSPRedirectTime

WSP to enforce that returnToURL must be SSL

ssoadm attribute: WSPWillEnforceHttpsCheck

WSP to enforce return to host be the same as request host

ssoadm attribute: WSPWillEnforceReturnToHostEqualsRequestHost

HTML style sheet location

ssoadm attribute: HTMLStyleSheetLocation

WML style sheet location

ssoadm attribute: WMLStyleSheetLocation

WSP interaction URL

ssoadm attribute: WSPRedirectHandlerURL

WSP interaction URL if behind load balancer

ssoadm attribute: LBWSPRedirectHandler

List of interaction URLs of WSP cluster (site) behind the load balancer

ssoadm attribute: TrustedWspRedirectHandlers

Interaction Configuration Class

ssoadm attribute: InteractionConfigClass

Options for WSC to participate in interaction

ssoadm attribute: WSCSpecifiedInteractionChoice

WSC to include userInteractionHeader

ssoadm attribute: WSCWillIncludeUserInteractionHeader

WSC to redirect user for interaction

ssoadm attribute: WSCWillRedirect

WSC's expected duration for interaction

ssoadm attribute: WSCSpecifiedMaxInteractionTime

WSC to enforce that redirection URL must be SSL

ssoadm attribute: WSCWillEnforceHttpsCheck

Multi-Federation Protocol

ssoadm service name: sunMultiFederationProtocol

Single Logout Handler List

List of logout handlers used for each different federation protocol

ssoadm attribute: SingleLogoutHandlerList

OAuth2 Provider Configuration

ssoadm service name: OAuth2Provider

Authorization Code Lifetime

Lifetime of OAuth 2.0 authorization code in seconds.

ssoadm attribute: forgerock-oauth2-provider-authorization-code-lifetime

Refresh Token Lifetime

Lifetime of OAuth 2.0 refresh token in seconds.

ssoadm attribute: forgerock-oauth2-provider-refresh-token-lifetime

Access Token Lifetime

Lifetime of OAuth 2.0 access token in seconds.

ssoadm attribute: forgerock-oauth2-provider-access-token-lifetime

Issue Refresh Tokens

Whether to issue a refresh token when returning an access token.

ssoadm attribute: forgerock-oauth2-provider-issue-refresh-token

Issue Refresh Tokens on Refreshing Access Tokens

Whether to issue a refresh token when refreshing an access token.

ssoadm attribute: forgerock-oauth2-provider-issue-refresh-token-on-refreshing-token

Scope Implementation Class

Name of class on OpenAM classpath implementing scopes.

ssoadm attribute: forgerock-oauth2-provider-scope-implementation-class

Response Type Plugins

List of plugins that handle the valid response_type values. OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization end point (/oauth2/authorize) to indicate which grant type is requested from the provider. For example, the client passes code when requesting an authorization code, and token when requesting an access token.

Values in this list take the form response-type|plugin-class-name.

Defaults: code|org.forgerock.restlet.ext.oauth2.flow.responseTypes.CodeResponseType, id_token|org.forgerock.restlet.ext.oauth2.flow.responseTypes, token|org.forgerock.restlet.ext.oauth2.flow.responseTypes.TokenResponseType

ssoadm attribute: forgerock-oauth2-provider-response-type-map-class

User Profile Attribute(s) the Resource Owner is Authenticated On

Names of profile attributes that resource owners use to log in. The default is uid, and you can add others such as mail.

ssoadm attribute: forgerock-oauth2-provider-authentication-attributes

Shared Consent Attribute Name

Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions. When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.

ssoadm attribute: forgerock-oauth2-provider-saved-consent-attribute

JSON Web Key URL

The URL where the OpenID Connect provider's JSON Web Key can be retrieved.

ssoadm attribute: forgerock-oauth2-provider-jkws-uri

ID Token Signing Algorithms supported

Algorithms supported to sign OpenID Connect id_tokens.

ssoadm attribute: forgerock-oauth2-provider-id-token-signing-algorithms-supported

Supported Claims

List of claims supported by the OpenID Connect /oauth2/userinfo endpoint.

ssoadm attribute: forgerock-oauth2-provider-supported-claims
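
As an added example that is not part of the OpenAM documentation or product, the script below sanity-checks the three OAuth 2.0 provider lifetimes listed above (Authorization Code Lifetime, Access Token Lifetime, Refresh Token Lifetime) before writing them with ssoadm: a code lifetime above 600 seconds (RFC 6749 section 4.1.2 recommends at most ten minutes) or an access token that outlives its refresh token is rejected. The SSOADM, ADMIN_ID and PASSWORD_FILE variables, and the use of --schematype Organization for the OAuth2Provider defaults, are assumptions of the example, not statements from this page.

```shell
#!/bin/sh
# Added example, not code from the OpenAM project: sanity-check the three
# OAuth 2.0 provider lifetimes before writing them with ssoadm.
#
# Assumptions (not stated on this page): SSOADM, ADMIN_ID and
# PASSWORD_FILE as below, and that the OAuth2Provider defaults live in
# the Organization schema, so --schematype Organization is used.

SSOADM="${SSOADM:-ssoadm}"
ADMIN_ID="${ADMIN_ID:-amadmin}"
PASSWORD_FILE="${PASSWORD_FILE:-/tmp/pwd.txt}"
OAUTH2_SERVICE="OAuth2Provider"
MAX_CODE_LIFETIME=600   # RFC 6749 section 4.1.2: at most 10 minutes recommended

# Arguments: authorization code, access token and refresh token lifetimes
# in seconds. Fails on non-integers, zero, a code lifetime above
# MAX_CODE_LIFETIME, or an access token that outlives its refresh token.
check_oauth2_lifetimes() {
    code="$1"; access="$2"; refresh="$3"
    for v in "$code" "$access" "$refresh"; do
        case "$v" in
            ''|*[!0-9]*) echo "lifetime must be an integer number of seconds: '$v'" >&2; return 1 ;;
        esac
        [ "$v" -ge 1 ] || { echo "lifetime must be positive: '$v'" >&2; return 1; }
    done
    if [ "$code" -gt "$MAX_CODE_LIFETIME" ]; then
        echo "authorization code lifetime $code s exceeds $MAX_CODE_LIFETIME s" >&2
        return 1
    fi
    if [ "$access" -gt "$refresh" ]; then
        echo "access token lifetime $access s exceeds refresh token lifetime $refresh s" >&2
        return 1
    fi
    return 0
}

# Write all three lifetimes in one call so a partial update cannot leave
# an inconsistent combination behind.
set_oauth2_lifetimes() {
    check_oauth2_lifetimes "$1" "$2" "$3" || return 1
    "$SSOADM" set-attr-defs \
        --adminid "$ADMIN_ID" \
        --password-file "$PASSWORD_FILE" \
        --servicename "$OAUTH2_SERVICE" \
        --schematype Organization \
        --attributevalues \
            "forgerock-oauth2-provider-authorization-code-lifetime=$1" \
            "forgerock-oauth2-provider-access-token-lifetime=$2" \
            "forgerock-oauth2-provider-refresh-token-lifetime=$3"
}

# Usage: sh set-oauth2-lifetimes.sh 120 600 604800
if [ "$#" -eq 3 ]; then
    set_oauth2_lifetimes "$1" "$2" "$3"
fi
```

The access-versus-refresh check only matters when Issue Refresh Tokens is enabled; with refresh tokens turned off the refresh lifetime is never consulted, but keeping the stored values consistent avoids surprises if the setting is enabled later.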

Password Reset

Realm Attributes

See the Administration Guide chapter on Configuring Password Reset for details.

Policy Configuration

You can change global policy configuration, and the defaults per realm.

ssoadm service name: iPlanetAMPolicyConfigService

Resource Comparator

OpenAM uses resource comparators to match resources specified in policy rules. When setting comparators on the command line, separate fields with | characters.

ssoadm attribute: iplanet-am-policy-config-resource-comparator

Continue Evaluation on Deny Decision

If no, then OpenAM stops evaluating policy as soon as it reaches a deny decision.

ssoadm attribute: iplanet-am-policy-config-continue-evaluation-on-deny-decision

Advices Handleable by OpenAM

Lists advice names for which policy agents redirect users to OpenAM for further authentication and authorization

ssoadm attribute: sun-am-policy-config-advices-handleable-by-am

Realm Alias Referrals

If yes, then OpenAM allows creation of policies for HTTP and HTTPS resources whose FQDN matches the DNS alias for the realm even when no referral policy exists.

ssoadm attribute: sun-am-policy-config-org-alias-mapped-resources-enabled

Primary LDAP Server

Configuration directory server host:port that OpenAM searches for policy information

ssoadm attribute: iplanet-am-policy-config-ldap-server

LDAP Base DN

Base DN for policy searches

ssoadm attribute: iplanet-am-policy-config-ldap-base-dn

LDAP Users Base DN

Base DN for LDAP Users subject searches

ssoadm attribute: iplanet-am-policy-config-ldap-users-base-dn

OpenAM Roles Base DN

Base DN for OpenAM Roles searches

ssoadm attribute: iplanet-am-policy-config-is-roles-base-dn

LDAP Bind DN

Bind DN to connect to the directory server for policy information

ssoadm attribute: iplanet-am-policy-config-ldap-bind-dn

LDAP Bind Password

Bind password to connect to the directory server for policy information

ssoadm attribute: iplanet-am-policy-config-ldap-bind-password

LDAP Organization Search Filter

Search filter to match organization entries

ssoadm attribute: iplanet-am-policy-config-ldap-organizations-search-filter

LDAP Organization Search Scope

Search scope to find organization entries

ssoadm attribute: iplanet-am-policy-config-ldap-organizations-search-scope

LDAP Groups Search Filter

Search filter to match group entries

ssoadm attribute: iplanet-am-policy-config-ldap-groups-search-filter

LDAP Groups Search Scope

Search scope to find group entries

ssoadm attribute: iplanet-am-policy-config-ldap-groups-search-scope

LDAP Users Search Filter

Search filter to match user entries

ssoadm attribute: iplanet-am-policy-config-ldap-users-search-filter

LDAP Users Search Scope

Search scope to find user entries

ssoadm attribute: iplanet-am-policy-config-ldap-users-search-scope

LDAP Roles Search Filter

Search filter to match nsRole definition entries

ssoadm attribute: iplanet-am-policy-config-ldap-roles-search-filter

LDAP Roles Search Scope

Search scope to find nsRole definition entries

ssoadm attribute: iplanet-am-policy-config-ldap-roles-search-scope

OpenAM Roles Search Scope

Search scope to find OpenAM roles entries

ssoadm attribute: iplanet-am-policy-config-is-roles-search-scope

LDAP Organization Search Attribute

Naming attribute for organization entries

ssoadm attribute: iplanet-am-policy-config-ldap-organizations-search-attribute

LDAP Groups Search Attribute

Naming attribute for group entries

ssoadm attribute: iplanet-am-policy-config-ldap-groups-search-attribute

LDAP Users Search Attribute

Naming attribute for user entries

ssoadm attribute: iplanet-am-policy-config-ldap-users-search-attribute

LDAP Roles Search Attribute

Naming attribute for nsRole definition entries

ssoadm attribute: iplanet-am-policy-config-ldap-roles-search-attribute

Maximum Results Returned from Search

Search limit for LDAP searches

ssoadm attribute: iplanet-am-policy-config-search-limit

Search Timeout

Seconds after which OpenAM returns an error for an incomplete search

ssoadm attribute: iplanet-am-policy-config-search-timeout

LDAP SSL/TLS

If enabled, OpenAM connects securely to the directory server. This requires that you install the directory server certificate.

ssoadm attribute: iplanet-am-policy-config-ldap-ssl-enabled

LDAP Connection Pool Minimum Size

Minimum number of connections in the pool

ssoadm attribute: iplanet-am-policy-config-connection_pool_min_size

LDAP Connection Pool Maximum Size

Maximum number of connections in the pool

ssoadm attribute: iplanet-am-policy-config-connection_pool_max_size

Selected Policy Subjects

Lists subjects available for policy definition in realms

ssoadm attribute: iplanet-am-policy-selected-subjects

Selected Policy Conditions

Lists conditions available for policy definition in realms

ssoadm attribute: iplanet-am-policy-selected-conditions

Selected Policy Referrals

Lists referral types available for policy definition in realms

ssoadm attribute: iplanet-am-policy-selected-referrals

Subjects Result Time to Live

Maximum minutes OpenAM caches a subject result for evaluating policy requests. A value of 0 prevents OpenAM from caching subject evaluations for policy decisions.

Default: 10

ssoadm attribute: iplanet-am-policy-config-subjects-result-ttl

User Alias

If enabled, OpenAM can evaluate policy for remote users aliased to local users.

ssoadm attribute: iplanet-am-policy-config-user-alias-enabled

Selected Response Providers

Lists response providers available for policy definition

ssoadm attribute: sun-am-policy-selected-responseproviders

Selected Dynamic Response Attributes

Lists dynamic response attributes available for policy definition

ssoadm attribute: sun-am-policy-dynamic-response-attributes

REST Security

ssoadm service name: RestSecurity

The order of options that appear in the console may vary depending on whether you are running from a new installation or an upgrade of OpenAM.

Self-Registration for Users

If enabled, new users can sign up using a REST API client.

Default: not enabled

ssoadm attribute: forgerockRESTSecuritySelfRegistrationEnabled

Self-Registration Token LifeTime (seconds)

Maximum lifetime of the token that allows user self-registration using the REST API.

Default: 900 (seconds)

ssoadm attribute: forgerockRESTSecuritySelfRegTokenTTL

Self-Registration Confirmation Email URL

This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.

Default: deployment-base-url/XUI/confirm.html where deployment-base-url is something like https://openam.example.com:8443/openam

ssoadm attribute: forgerockRESTSecuritySelfRegConfirmationUrl

Forgot Password for Users

If enabled, users can assign themselves a new password using a REST API client.

Default: not enabled

ssoadm attribute: forgerockRESTSecurityForgotPasswordEnabled

Forgot Password Token LifeTime (seconds)

Maximum lifetime of the token that allows a user to reset a forgotten password using the REST API.

Default: 900 (seconds)

ssoadm attribute: forgerockRestSecurityForgotPassTokenTTL

Forgot Password Confirmation Email URL

This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.

Default: deployment-base-url/XUI/confirm.html where deployment-base-url is something like https://openam.example.com:8443/openam

ssoadm attribute: forgerockRESTSecurityForgotPassConfirmationUrl

SAMLv2 Service Configuration

ssoadm service name: sunFAMSAML2Configuration

Cache cleanup interval

Seconds between cache cleanup operations

ssoadm attribute: CacheCleanupInterval

Attribute name for Name ID information

User entry attribute to store name identifier information

ssoadm attribute: NameIDInfoAttribute

Attribute name for NAME ID information key

User entry attribute to store the name identifier key

ssoadm attribute: NameIDInfoKeyAttribute

Cookie domain for IDP Discovery Service

Specifies the cookie domain for the IDP discovery service

ssoadm attribute: IDPDiscoveryCookieDomain

Cookie type for IDP Discovery Service

Indicates whether to use PERSISTENT or SESSION cookies

ssoadm attribute: IDPDiscoveryCookieType

URL scheme for IDP Discovery Service

Indicates whether to use HTTP or HTTPS

ssoadm attribute: IDPDiscoveryURLScheme

XML Encryption SPI implementation class

Used by the SAML2 engine to encrypt and decrypt documents

ssoadm attribute: XMLEncryptionClass

Include xenc:EncryptedKey Inside ds:KeyInfo Element

ssoadm attribute: EncryptedKeyInKeyInfo

XML Signing SPI implementation class

Used by the SAML2 engine to sign documents

ssoadm attribute: XMLSigningClass

XML Signing Certificate Validation

If enabled, then validate certificates used to sign documents.

ssoadm attribute: SigningCertValidation

CA Certificate Validation

If enabled, then validate CA certificates.

ssoadm attribute: CACertValidation

Enable SAMLv2 failover

If enabled, OpenAM can fail over requests to another instance.

ssoadm attribute: failOverEnabled

Buffer length to decompress request

The size is specified in bytes.

ssoadm attribute: bufferLength

SAMLv2 SOAP Binding

ssoadm service name: sunfmSAML2SOAPBindingService

Request Handler List

List of handlers to deal with SAML2 requests bound to SOAP. The key for a request handler is the meta alias, whereas the class indicates the name of the class that implements the handler.

ssoadm attribute: sunSAML2RequestHandlerList

Security Token Service

ssoadm service name: sunFAMSTSService

Issuer

Specifies the name of the security token service

ssoadm attribute: stsIssuer

End Point

Specifies the STS service endpoint

ssoadm attribute: stsEndPoint

Lifetime for Security Token

Milliseconds the security token remains valid

ssoadm attribute: stsLifetime

Certificate Alias Name

Specifies the alias for the signing certificate

ssoadm attribute: stsCertAlias

STS End User Token Plugin class

Specifies the class that converts end user tokens

ssoadm attribute: com.sun.identity.wss.sts.clientusertoken

Security Mechanism

Lists credentials used to secure the token, and credentials OpenAM accepts in the incoming request

ssoadm attribute: SecurityMech

Authentication Chain

Specifies the authentication chain OpenAM applies for incoming requests for authenticated security tokens

ssoadm attribute: AuthenticationChain

User Credential

User name and password shared secrets to validate UserName tokens in incoming requests

ssoadm attribute: UserCredential

Detect Message Replay

If yes, then OpenAM checks for and rejects replayed messages.

ssoadm attribute: DetectMessageReplay

Detect User Token Replay

If yes, then OpenAM checks for and rejects replayed user tokens.

ssoadm attribute: DetectUserTokenReplay

Is Request Signature Verified

If yes, then OpenAM verifies signatures on incoming requests.

ssoadm attribute: isRequestSign

Is Response Signed Enabled

If yes, then OpenAM signs the selected parts of the response.

ssoadm attribute: isResponseSign

Signing Reference Type

Specifies the reference type used to sign the response. One of DirectReference, KeyIdentifierRef, or X509IssuerSerialRef.

ssoadm attribute: SigningRefType

Is Request Decrypted

If yes, then OpenAM decrypts the selected parts of the request.

ssoadm attribute: isRequestEncrypt

Is Response Encrypted

If yes, then OpenAM encrypts responses.

ssoadm attribute: isResponseEncrypt

Encryption Algorithm

Specifies the algorithm used to encrypt responses

ssoadm attribute: EncryptionAlgorithm

Private Key Alias

Alias for the private key used to sign responses and decrypt requests

ssoadm attribute: privateKeyAlias

Private Key Type

Type of private key. One of publicKey, symmetricKey, or noProofKey.

ssoadm attribute: privateKeyType

Public Key Alias of Web Service Client

Alias for the certificate used to verify request signatures and encrypt responses

ssoadm attribute: publicKeyAlias

Kerberos Domain Server

Specifies the FQDN of the KDC

ssoadm attribute: KerberosDomainServer

Kerberos Domain

Specifies the domain name of the KDC

ssoadm attribute: KerberosDomain

Kerberos Service Principal

Specifies the Kerberos principal who owns the generated token. Use the format HTTP/host.domain@kdc-domain.

ssoadm attribute: KerberosServicePrincipal

Kerberos Key Tab File

Specifies the key tab file used to issue the token

ssoadm attribute: KerberosKeyTabFile

Is Verify Kerberos Signature

If yes, then OpenAM requires signed Kerberos tokens.

ssoadm attribute: isVerifyKrbSignature

SAML Attribute Mapping

Lists attribute mappings for generated assertions

This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.

ssoadm attribute: SAMLAttributeMapping

NameID Mapper

Specifies the NameID mapper for generated assertions

This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.

ssoadm attribute: NameIDMapper

Should Include Memberships

If yes, then OpenAM requires that generated assertions include user memberships.

This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.

ssoadm attribute: includeMemberships

Attribute Namespace

Specifies the namespace for generated assertions

This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.

ssoadm attribute: AttributeNamespace

Trusted Issuers

Lists issuers OpenAM can trust to send security tokens

ssoadm attribute: trustedIssuers

Trusted IP Addresses

Lists issuer IP addresses that OpenAM trusts to send security tokens

ssoadm attribute: trustedIPAddresses

Session

ssoadm service name: iPlanetAMSessionService

Secondary Configuration Instance

When session failover is configured, you can set up additional configurations for connecting to the session repository here.

Maximum Number of Search Results

Maximum number of results from a session search

ssoadm attribute: iplanet-am-session-max-session-list-size

Timeout for Search

Seconds after which OpenAM sees an incomplete search as having failed

ssoadm attribute: iplanet-am-session-session-list-retrieval-timeout

Enable Property Change Notifications

If on, then OpenAM notifies other applications participating in SSO when a session property in the Notification Properties list changes.

ssoadm attribute: iplanet-am-session-property-change-notification

Enable Quota Constraints

If on, then OpenAM allows you to set constraints on user sessions.

ssoadm attribute: iplanet-am-session-enable-session-constraint

Read Timeout for Quota Constraint

Milliseconds after which OpenAM considers a search for live session count as having failed if quota constraints are enabled

ssoadm attribute: iplanet-am-session-constraint-max-wait-time

Resulting behavior if session quota exhausted

Specifies what OpenAM does when a user who has already reached the session quota requests another session: destroy the session that would expire next (DESTROY_NEXT_EXPIRING), destroy the oldest session (DESTROY_OLDEST_SESSION), destroy all of the user's existing sessions (DESTROY_OLD_SESSIONS), or refuse to create the new session (DENY_ACCESS).

ssoadm attribute: iplanet-am-session-constraint-resulting-behavior

Deny user login when session repository is down

This attribute takes effect when quota constraints are enabled.

ssoadm attribute: iplanet-am-session-deny-login-if-db-is-down

Notification Properties

Lists session properties for which OpenAM can send notifications upon modification

ssoadm attribute: iplanet-am-session-notification-property-list

DN Restriction Only Enabled

If enabled, OpenAM does not perform DNS lookups when checking restrictions in cookie hijacking mode.

ssoadm attribute: iplanet-am-session-dnrestrictiononly

Enable Session Trimming

If yes, then OpenAM stores only a limited set of session properties after session timeout and before session purging.

ssoadm attribute: iplanet-am-session-enable-session-trimming

Session Timeout Handler implementations

Lists plugin classes implementing session timeout handlers

ssoadm attribute: openam-session-timeout-handler-list

Maximum Session Time

Maximum minutes a session can remain valid before OpenAM requires the user to authenticate again

ssoadm attribute: iplanet-am-session-max-session-time

Maximum Idle Time

Maximum minutes a session can remain idle before OpenAM requires the user to authenticate again

ssoadm attribute: iplanet-am-session-max-idle-time

Maximum Caching Time

Maximum minutes before OpenAM refreshes a session that has been cached

ssoadm attribute: iplanet-am-session-max-caching-time

Active User Sessions

Maximum number of concurrent sessions OpenAM allows a user to have

ssoadm attribute: iplanet-am-session-quota-limit

User

ssoadm service name: iPlanetAMUserService

User Preferred Timezone

Time zone for accessing OpenAM console

ssoadm attribute: preferredtimezone

Administrator DN Starting View

Specifies the DN for the initial screen when the OpenAM administrator successfully logs in to the OpenAM console

ssoadm attribute: iplanet-am-user-admin-start-dn

Default User Status

Inactive users cannot authenticate, though OpenAM stores their profiles. Default: Active

ssoadm attribute: iplanet-am-user-login-status

1.5. Servers and Sites Configuration

Under Configuration > Servers and Sites you can manage server defaults, configuration for OpenAM server instances, and site configurations when using multiple OpenAM server instances.

To change inherited settings that appear read only for a server, click Default Server Settings on the Servers and Sites tab page to access and adjust the defaults, or change the Inheritance Settings for a specific server.

After changing server configurations, restart OpenAM or the web application container where OpenAM runs for the changes to take effect.

Servers > General

The General tab lets you access the settings to inherit, set the site for the server, and also set system, debug, and mail server attributes.

Parent Site

Select the site from the list. You must first create at least one site.

Base installation directory

OpenAM writes the configuration data and logs here.

property: com.iplanet.services.configpath

Default Locale

The locale used when none is requested.

property: com.iplanet.am.locale

Notification URL

The notification service endpoint.

property: com.sun.identity.client.notification.url

XML Validation

If on, then OpenAM validates XML documents that it parses.

property: com.iplanet.am.util.xml.validating

Debug Level

Set the log level shared across components for debug logging.

property: com.iplanet.services.debug.level

Merge Debug Files

If on, then OpenAM writes all debug log messages to a single file, debug.out. By default, OpenAM writes a debug log per component.

property: com.iplanet.services.debug.mergeall

Debug Directory

File system directory where OpenAM writes debug logs.

property: com.iplanet.services.debug.directory

Mail Server Host Name

SMTP host name for email sent by OpenAM.

property: com.iplanet.am.smtphost

Mail Server Port Number

SMTP port number for email sent by OpenAM.

property: com.iplanet.am.smtpport

Servers > Security

Most security settings are inherited by default.

Password Encryption Key

Encryption key for decrypting stored passwords

Example: TF1Aue9c63bWTTY4mmZJeFYubJbNiSE3

property: am.encryption.pwd

Authentication Service Shared Secret

Shared secret for application authentication

Example: AQICQ7QMKN5TSt1fpyFZBMZ8hRwkYkkrUaFk

property: com.iplanet.am.service.secret

Encryption class

Default class used to handle encryption

Default: com.iplanet.services.util.JCEEncryption

property: com.iplanet.security.encryptor

Secure Random Factory Class

The default implementation uses pure Java, rather than JSS.

Default: com.iplanet.am.util.SecureRandomFactoryImpl

property: com.iplanet.security.SecureRandomFactorImpl

Platform Low Level Comm. Max. Content Length

Maximum content length for an HTTP request

Default: 16384

property: com.iplanet.services.comm.server.pllrequest.maxContentLength

Client IP Address Check

If yes, then OpenAM checks client IP addresses when creating and validating SSO tokens.

Default: No

property: com.iplanet.am.clientIPCheckEnabled

Cookie Name

Cookie name OpenAM uses to set a session handler ID during authentication.

Default: iPlanetDirectoryPro

property: com.iplanet.am.cookie.name

Secure Cookie

If yes, then OpenAM sets the Secure flag on the cookie, so the browser only returns it over HTTPS. Set this to Yes whenever OpenAM is reached over HTTPS; with the default, the session cookie can be captured on any plaintext connection to the same host.

Default: No

property: com.iplanet.am.cookie.secure

Encode Cookie Value

If yes, then OpenAM URL encodes cookie values.

Default: No

property: com.iplanet.am.cookie.encode

Keystore File

Path to OpenAM key store file

Default: Path to keystore.jks, located in the directory that holds the OpenAM configuration.

Example: ~/openam/openam/keystore.jks

property: com.sun.identity.saml.xmlsig.keystore

Keystore Password File

Path to password file for key store

Default: Path to .storepass, located in the directory that holds the OpenAM configuration.

Example: ~/openam/openam/.storepass

property: com.sun.identity.saml.xmlsig.storepass

Private Key Password File

Path to password file for OpenAM private key

Default: Path to .keypass, located in the directory that holds the OpenAM configuration.

Example: ~/openam/openam/.keypass

property: com.sun.identity.saml.xmlsig.keypass

Certificate Alias

Alias for OpenAM certificate stored in key store

Not set by default

property: com.sun.identity.saml.xmlsig.certalias

CRL: LDAP server host name

Directory server host name where the certificate revocation list (CRL) is cached

Not set by default

property: com.sun.identity.crl.cache.directory.host

CRL: LDAP server port number

Directory server port number where the certificate revocation list is cached

Not set by default

property: com.sun.identity.crl.cache.directory.port

CRL: SSL/TLS Enabled

If yes, then connect securely when accessing the CRL cache directory server

Default: No

property: com.sun.identity.crl.cache.directory.ssl

CRL: LDAP server bind user name

Bind DN to access CRL cache directory server

Not set by default

property: com.sun.identity.crl.cache.directory.user

CRL: LDAP server bind password

Bind password to access CRL cache directory server

Not set by default

property: com.sun.identity.crl.cache.directory.password

CRL: LDAP search base DN

Base DN under which to search for CRL

Not set by default

property: com.sun.identity.crl.cache.directory.searchlocs

CRL: Search Attributes

DN component of issuer's subject DN used to retrieve the CRL

Not set by default

property: com.sun.identity.crl.cache.directory.searchattr

OCSP: Check Enabled

If yes, then OpenAM runs Online Certificate Status Protocol (OCSP) checks.

Default: Yes

property: com.sun.identity.authentication.ocspCheck

Responder URL

URL for OCSP responder

Not set by default

property: com.sun.identity.authentication.ocsp.responder.url

Certificate Nickname

Nickname for OCSP responder certificate

Not set by default

property: com.sun.identity.authentication.ocsp.responder.nickname

FIPS Mode

If yes, then OpenAM runs in Federal Information Processing Standards mode.

Default: No

property: com.sun.identity.security.fipsmode
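The weak settings on this tab and on Servers > Advanced are easy to miss precisely because they are the defaults a fresh install ships with. The following Python script is an added example, not OpenAM code: it parses a server properties dump in Java .properties format, substitutes the default documented on this page for any property the dump omits, and reports the values a reviewer would flag (Secure Cookie, the HttpOnly and trustAllServerCerts advanced properties, LDAPS to the configuration store, and the OCSP check). The properties text is constructed and the check list is this editor's selection, not an OpenAM-supplied baseline.

```python
"""Audit an OpenAM server properties dump for weak-by-default security settings.

Added example, not OpenAM code. Defaults are the ones documented on this page;
the sample properties below are constructed.
"""
import re

# (property, documented default, hardened value, why it matters)
CHECKS = [
    ("com.iplanet.am.cookie.secure", "false", "true",
     "session cookie is returned over plain HTTP"),
    ("com.sun.identity.cookie.httponly", "false", "true",
     "session cookie is readable by scripts in the browser"),
    ("com.iplanet.am.jssproxy.trustAllServerCerts", "true", "false",
     "JSS connections accept any server certificate (no MITM protection)"),
    ("com.iplanet.am.directory.ssl.enabled", "false", "true",
     "configuration store traffic, including the bind password, is cleartext"),
    ("com.sun.identity.authentication.ocspCheck", "true", "true",
     "revoked certificates are not detected"),
]

# key=value or key: value; lines starting with # or ! are comments.
_LINE = re.compile(r"^\s*([^#!=:\s]+)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text):
    """Minimal Java .properties parser (no line continuations or escapes)."""
    props = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def audit(props):
    """Return (property, effective value, hardened value, reason) for each failure.

    A property missing from the dump takes its documented default, so a server
    that never touched these settings is reported as weak rather than as clean.
    """
    findings = []
    for key, default, hardened, reason in CHECKS:
        actual = props.get(key, default)
        if actual.strip().lower() != hardened:
            findings.append((key, actual, hardened, reason))
    return findings


# Constructed sample: a mostly-default server behind an HTTPS reverse proxy.
SAMPLE = """\
# constructed sample dump
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.iplanet.am.cookie.secure=false
com.sun.identity.cookie.httponly=false
com.iplanet.am.jssproxy.trustAllServerCerts=true
com.sun.identity.authentication.ocspCheck=true
"""

if __name__ == "__main__":
    for key, actual, hardened, reason in audit(parse_properties(SAMPLE)):
        print(f"{key}: is {actual!r}, want {hardened}: {reason}")
```

Feed it the output of an ssoadm property export or the AMConfig.properties of a legacy install; the script deliberately does not read the file itself so it can be pasted into a larger review tool.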

Servers > Session

Session settings are inherited by default.

Maximum Sessions

Maximum concurrent sessions OpenAM permits

property: com.iplanet.am.session.maxSessions

Invalidate Session Max Time

Minutes after which invalid sessions are removed from the session table

property: com.iplanet.am.session.invalidsessionmaxtime

Sessions Purge Delay

Minutes OpenAM delays session purging

property: com.iplanet.am.session.purgedelay

Logging Interval

Seconds OpenAM delays between logging sessions statistics

property: com.iplanet.am.stats.interval

State

Whether to write statistics to a file, to the console, or to turn recording off

property: com.iplanet.services.stats.state

Directory

Path to statistics logs directory

property: com.iplanet.services.stats.directory

Enable Host Lookup

If yes, then OpenAM performs host lookup during session logging.

property: com.sun.am.session.enableHostLookUp

Notification Pool Size

Number of threads in the notification pool

property: com.iplanet.am.notification.threadpool.size

Notification Thread Pool Threshold

Maximum number of tasks in the queue for serving notification threads

property: com.iplanet.am.notification.threadpool.threshold

Case Insensitive client DN comparison

If yes, then OpenAM distinguished name comparison is case insensitive.

property: com.sun.am.session.caseInsensitiveDN

Servers > SDK

Most SDK settings are inherited.

Enable Datastore Notification

If yes, then OpenAM uses datastore notification. Otherwise, OpenAM uses in-memory notification.

property: com.sun.identity.sm.enableDataStoreNotification

Enable Directory Proxy

If yes, then OpenAM accounts for the use of a directory proxy to access the directory server.

property: com.sun.identity.sm.ldap.enableProxy

Notification Pool Size

Service management notification thread pool size

property: com.sun.identity.sm.notification.threadpool.size

Number of retries for Event Service connections

Maximum number of attempts to reestablish Event Service connections

property: com.iplanet.am.event.connection.num.retries

Delay between Event Service connection retries

Milliseconds between attempts to reestablish Event Service connections

property: com.iplanet.am.event.connection.delay.between.retries

Error codes for Event Service connection retries

LDAP error codes for which OpenAM retries rather than returning failure

property: com.iplanet.am.event.connection.ldap.error.codes.retries

Idle Time Out

Minutes after which OpenAM reestablishes idle persistent search connections

property: com.sun.am.event.connection.idle.timeout

Disabled Event Service Connection

Persistent search connections OpenAM can disable

property: com.sun.am.event.connection.disable.list

Number of retries for LDAP Connection

Maximum number of attempts to reestablish LDAP connections

property: com.iplanet.am.ldap.connection.num.retries

Delay between LDAP connection retries

Milliseconds between attempts to reestablish LDAP connections

property: com.iplanet.am.ldap.connection.delay.between.retries

Error Codes for LDAP connection retries

LDAP error codes for which OpenAM retries rather than returning failure

property: com.iplanet.am.ldap.connection.ldap.error.codes.retries

SDK Caching Max. Size

Cache size used if SDK caching is enabled

property: com.iplanet.am.sdk.cache.maxSize

SDK Replica Retries

Maximum number of attempts to retrieve entries returned as not found

property: com.iplanet.am.replica.num.retries

Delay between SDK Replica Retries

Milliseconds between attempts to retrieve entries through the SDK

property: com.iplanet.am.replica.delay.between.retries

Cache Entry Expiration Enabled

If no, then cache entries expire based on User Entry Expiration Time

property: com.iplanet.am.sdk.cache.entry.expire.enabled

User Entry Expiration Time

Minutes user entries remain valid after modification. When OpenAM accesses a user entry that has expired, it rereads the entry from the directory server.

property: com.iplanet.am.sdk.cache.entry.user.expire.time

Default Entry Expiration Time

Minutes non-user entries remain valid after modification

property: com.iplanet.am.sdk.cache.entry.default.expire.time

Servers > Directory Configuration

Use this tab to change connection settings and add additional LDAP configuration directory server instances.

Minimum Connection Pool

Set the minimum number of connections in the pool.

Maximum Connection Pool

Set the maximum number of connections in the pool.

Bind DN

Set the bind DN to connect to the configuration directory servers.

Bind Password

Set the bind password to connect to the configuration directory servers.

Servers > CTS

The Core Token Service (CTS) does not need to use the same LDAP store as the external or embedded user store; it can be configured on its own external directory server. That server has specific indexing and replication requirements that must be planned for. In particular, replication over a WAN needs careful handling to get acceptable performance.

You can also set advanced properties that affect token size, including com.sun.identity.session.repository.enableEncryption, com.sun.identity.session.repository.enableCompression, and com.sun.identity.session.repository.enableAttributeCompression. These are described under Servers > Advanced below.

Default Token Store

If selected, CTS tokens are stored in the same external or embedded datastore that the OpenAM configuration store uses. With the default token store you can only configure the Root Suffix; the connection itself comes from the Directory Configuration tab of the individual server.

External Token Store

If you use OpenDJ, you can separate the CTS from the configuration on different external servers. On the external CTS server, you can also configure token schema and indexes.

Root Suffix

For either the default or external token store, enter the base DN for CTS storage in LDAP format, such as dc=cts,dc=forgerock,dc=com. Place the root suffix in its own backend so that it can be maintained and replicated separately from the standard user datastore.

SSL/TLS Enabled

Access the directory service using StartTLS or LDAPS.

Directory Name

The hostname of the external server.

Port

Specifies the TCP port number used to communicate with the external datastore, such as 389 for LDAP.

Login Id

Specifies the user, in DN format, needed to authenticate. The user needs sufficient privileges to read and write to the root suffix of the external datastore.

Password

Specifies the password associated with the Login Id.

Max Connections

Specifies the maximum number of connections to the external datastore.

Heartbeat

Specifies how often OpenAM should send a heartbeat request to the directory server to ensure that the connection does not remain idle, in seconds. Default: 10.

Servers > Advanced

Use this page to set advanced properties directly. A partial list of advanced properties follows.

For a list of inherited advanced properties, see the table under the Advanced tab for Default Server Settings.

com.iplanet.am.cookie.c66Encode

Properly URL encode session tokens.

Default: true

com.iplanet.am.cookie.timeToLive

iplanetDirectoryPro cookie lifetime if persistent, in hours

Default: 24

com.iplanet.am.daemons

Modules for which to open daemons at OpenAM startup.

Default: securid

com.iplanet.am.directory.ssl.enabled

Whether to connect to the configuration directory server over LDAPS.

Default: false

com.iplanet.am.installdir

OpenAM Configuration and log file location.

Default: ~/openam/server-uri, such as ~/openam/openam

com.iplanet.am.jssproxy.checkSubjectAltName

When using JSS, check whether the name values in the certificate's SubjectAltName extension match the server FQDN.

Default: false

com.iplanet.am.jssproxy.resolveIPAddress

When using JSS, check that the IP address of the server resolves to the host name.

Default: false

com.iplanet.am.jssproxy.SSLTrustHostList

When using JSS, comma-separated list of server FQDNs to trust if they match the certificate CN, even if the domain name is not correct.

com.iplanet.am.jssproxy.trustAllServerCerts

When using JSS, set to true to trust whatever certificate is presented without checking. Leave this false in production: trusting any certificate removes server authentication from the TLS connection, so an attacker on the network path can impersonate the directory server and read the bind credentials and traffic.

Default: true

com.iplanet.am.lbcookie.name

Used with sticky load balancers that can inspect the cookie value.

Default: amlbcookie

com.iplanet.am.lbcookie.value

Used with sticky load balancers that can inspect the cookie value. Set this property to a unique value if your load balancer requires it. Restart OpenAM for the change to take effect.

Default: 01

com.iplanet.am.pcookie.name

Persistent cookie name.

Default: DProPCookie

com.iplanet.am.profile.host

Not used

Default: server-host, such as openam.example.com

com.iplanet.am.profile.port

Not used

Default: server-port, such as 8080 or 8443

com.iplanet.am.session.agentSessionIdleTime

Time in minutes after which a policy agent session expires.

Default: 0, meaning never time out. Range is 0-30 (minutes).

com.iplanet.am.session.client.polling.enable

Whether client applications such as policy agents poll for configuration changes. If false, then OpenAM notifies clients about changes.

Default: false

com.iplanet.am.session.client.polling.period

If client applications poll for changes, number of seconds between polls.

Default: 180

com.iplanet.am.session.failover.cluster.stateCheck.period

Time in milliseconds between health checks of other servers in the same site.

Default: 1000

com.iplanet.am.session.failover.cluster.stateCheck.timeout

Socket timeout in milliseconds for health checks of other servers in the same site.

Default: 1000

com.iplanet.am.session.httpSession.enabled

Create an HttpSession for users on successful authentication.

Default: true

com.iplanet.security.SSLSocketFactoryImpl

SSL socket factory implementation used by OpenAM.

Default: com.sun.identity.shared.ldap.factory.JSSESocketFactory, uses a pure Java provider

com.iplanet.services.cdc.invalidGotoStrings

Strings that OpenAM rejects as values in goto query string parameters.

Default: <,>javascript:,javascript%3a,%3c,%3e
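The blocked strings above stop the obvious script-injection payloads in a goto value, but a substring blocklist says nothing about where the redirect lands. The following Python is an added example, not OpenAM code: goto_is_blocked applies the default list the way a reviewer would read it (a comma between < and > is assumed), and goto_is_allowed shows the stronger check a practitioner would put in front of it, decoding before matching and then allowing only relative paths or HTTPS URLs to an allow-listed host. The allow-list, the function names and the double-decoding step are this example's assumptions; OpenAM's own goto handling is not reproduced here.

```python
"""Validate a goto redirect parameter: blocklist first, then host allow-list.

Added example, not OpenAM code. The blocked-string list is the default for
com.iplanet.services.cdc.invalidGotoStrings as read from the reference page,
with a comma assumed between "<" and ">".
"""
from urllib.parse import unquote, urlsplit

DEFAULT_INVALID_GOTO_STRINGS = "<,>,javascript:,javascript%3a,%3c,%3e"


def parse_invalid_strings(value):
    """Split the comma-separated property value into a list of substrings."""
    return [s for s in value.split(",") if s]


def goto_is_blocked(goto, invalid=None):
    """True if any blocked substring occurs in the value (case-insensitive)."""
    if invalid is None:
        invalid = parse_invalid_strings(DEFAULT_INVALID_GOTO_STRINGS)
    lowered = goto.lower()
    return any(s.lower() in lowered for s in invalid)


def goto_is_allowed(goto, allowed_hosts, invalid=None):
    """Hardened check: blocklist plus scheme and host allow-list.

    - reject anything the blocklist matches, before and after decoding
      (two rounds of unquote catch %25-encoded payloads such as %253c)
    - accept a relative path starting with a single "/" ("//host" is a
      scheme-relative URL and is rejected)
    - otherwise require https and a host in allowed_hosts; userinfo tricks
      like https://good.example@evil.example are caught because hostname
      is taken from the parsed URL, not from a prefix match
    """
    if goto_is_blocked(goto, invalid):
        return False
    decoded = unquote(unquote(goto)).strip()
    if goto_is_blocked(decoded, invalid):
        return False
    parts = urlsplit(decoded)
    if parts.scheme == "" and parts.netloc == "":
        return decoded.startswith("/") and not decoded.startswith("//")
    return parts.scheme == "https" and parts.hostname in allowed_hosts


if __name__ == "__main__":
    hosts = {"openam.example.com"}
    for g in ("/profile", "https://openam.example.com/x",
              "//evil.example/", "javascript:alert(1)", "%253cscript%253e"):
        print(f"{g!r}: blocked={goto_is_blocked(g)} allowed={goto_is_allowed(g, hosts)}")
```

The point of the second function is that "jav%0Aascript:" or a plain https://evil.example/ pass the default blocklist untouched; only a positive rule about the destination closes the open redirect.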

com.sun.embedded.replicationport

Replication port for embedded OpenDJ directory server.

Default: 8989

com.sun.embedded.sync.servers

Whether to replicate data between embedded directory servers.

Default: on

com.sun.identity.am.cookie.check

Whether to check for cookie support in the user agent, and if not to return an error.

Default: false

com.sun.identity.appendSessionCookieInURL

Whether to append the session cookie to URL for a zero page session.

Default: true

com.sun.identity.auth.cookieName

Cookie used by the OpenAM authentication service to handle the authentication process.

Default: AMAuthCookie

com.sun.identity.authentication.client.ipAddressHeader

Set the name of the HTTP header that OpenAM can examine to learn the client IP address when requests go through a proxy or load balancer. (When requests go through an HTTP proxy or load balancer, checking the IP address on the request alone returns the address of the proxy or load balancer rather than that of the client.) OpenAM must be able to trust the proxy or load balancer to set the client IP address correctly in the header specified.

Example: com.sun.identity.authentication.client.ipAddressHeader=X-Forwarded-For
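Setting the header name is only half of the configuration: the value is client-supplied unless the proxy in front of OpenAM overwrites or appends to it, so whatever reads X-Forwarded-For must know which addresses are its own proxies. The following Python is an added example, not OpenAM code, of the rule a reverse proxy or a filter in front of OpenAM should apply before the header reaches the client IP check: walk the chain from the right, skip your own proxies, and take the first address that is not yours. The proxy ranges and header values are constructed.

```python
"""Derive the client address from X-Forwarded-For without trusting the client.

Added example, not OpenAM code. trusted_proxies lists the networks of the
proxies and load balancers you operate; everything else is untrusted input.
"""
import ipaddress


def client_ip(peer_addr, xff_header, trusted_proxies):
    """Return the client address as a string.

    peer_addr       address of the TCP peer that delivered the request
    xff_header      raw X-Forwarded-For value, or None if absent
    trusted_proxies iterable of CIDR strings for proxies you control
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in trusted)

    # If the peer is not one of our proxies, the header is an unverified claim.
    if not is_trusted(peer_addr):
        return peer_addr

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    # Proxies append on the right, so the rightmost untrusted hop is the one
    # our first proxy actually talked to; anything left of it was supplied
    # by the client and can be forged.
    for hop in reversed(hops):
        if not is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                # Malformed hop where a real address should be: do not guess.
                return peer_addr
    # No hop, or every hop was one of ours: fall back to the peer.
    return peer_addr


if __name__ == "__main__":
    proxies = ["10.0.0.0/8"]
    print(client_ip("10.0.0.5", "1.2.3.4, 198.51.100.7, 10.0.0.6", proxies))
```

With this rule a client that sends its own X-Forwarded-For: 1.2.3.4 cannot change the address OpenAM sees, which is what makes Client IP Address Check meaningful behind a load balancer.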

com.sun.identity.authentication.multiple.tabs.used

Whether to allow users to open many browser tabs to the login page at the same time without encountering an error.

Default: false

com.sun.identity.authentication.setCookieToAllDomains

Whether to allow multiple cookie domains.

Default: true

com.sun.identity.authentication.special.users

List of special users always authenticated against the local directory server.

Default: cn=dsameuser,ou=DSAME Users,|cn=amService-UrlAccessAgent,ou=DSAME Users,

com.sun.identity.authentication.super.user

OpenAM privileged administrator user.

Default: uid=amAdmin,ou=People,

com.sun.identity.authentication.uniqueCookieName

When cookie hijacking protection is configured, name of the cookie holding the URL to the OpenAM server that authenticated the user.

Default: sunIdentityServerAuthNServer

com.sun.identity.client.notification.url

Notification service endpoint for clients such as policy agents.

Default: server-protocol://server-host:server-port/server-uri/notificationservice, such as https://openam.example.com:8443/openam/notificationservice

com.sun.identity.common.systemtimerpool.size

Number of threads in the shared system timer pool used to schedule operations such as session timeout.

Default: 3

com.sun.identity.cookie.httponly

When set to true, OpenAM marks its cookies HttpOnly so that scripts running in the browser cannot read them. The default leaves the session cookie readable by any script on the page; set this to true unless a client-side script legitimately needs the cookie value.

Default: false

com.sun.identity.enableUniqueSSOTokenCookie

If true, OpenAM enables protection against cookie hijacking.

Default: false

com.sun.identity.jss.donotInstallAtHighestPriority

Whether to refrain from installing the JSS security provider at the highest priority, so that it does not take precedence over the other Java security providers.

Default: true

com.sun.identity.monitoring

Whether monitoring is active for OpenAM.

Default: off

com.sun.identity.monitoring.local.conn.server.url

URL for local connection to the monitoring service.

Default: service:jmx:rmi://

com.sun.identity.password.deploymentDescriptor

Internal property used by OpenAM.

Default: server-uri, such as openam

com.sun.identity.policy.Policy.policy_evaluation_weights

Weights of the cost of evaluating policy subjects, rules, and conditions. Evaluation is in order of heaviest weight to lightest weight.

Default: 10:10:10, meaning evaluation of rules, then conditions, then subjects

com.sun.identity.policy.resultsCacheMaxSize

Maximum number of policy decisions OpenAM caches.

Default: 10000

com.sun.identity.server.fqdnMap

Enables the use of virtual hosts, partial host names, and IP addresses by mapping invalid or virtual host name keys to valid FQDN values for proper redirection.

To map myserver to myserver.example.com, set com.sun.identity.server.fqdnMap[myserver]=myserver.example.com.

com.sun.identity.session.repository.enableEncryption

Enables encryption of tokens, including CTS session tokens, when they are stored in the token repository.

Multi-instance deployments require consistent use of this property, which should be done under the Servers and Sites > Default Server Settings > Advanced.

The am.encryption.pwd property must also be the same for all deployed instances. The am.encryption.pwd is under Servers and Sites > Server > Security > Password Encryption Key. You will need to verify that all servers have the same setting for this property as the default server.

Default: false

com.sun.identity.urlchecker.dorequest

Whether to perform an HTTP GET on com.sun.identity.urlchecker.targeturl as a health check against another server in the same site. If false, OpenAM only checks that a socket connection can be opened, and does not perform an HTTP GET. The check is carried out by the OpenAM ClusterStateService.

If each OpenAM server runs behind a reverse proxy, setting this property to true means the health check actually runs against the OpenAM instance, rather than only confirming that the reverse proxy accepts connections. The HTTP GET is also what lets the check confirm that an HTTPS endpoint is answering, which a bare socket check cannot do.

Default: false

com.sun.identity.urlchecker.targeturl

URL to monitor when com.sun.identity.urlchecker.dorequest is set to true.

Default: URL to the /openam/namingservice endpoint on the remote server

com.sun.identity.security.checkcaller

Whether to perform a Java security permissions check for OpenAM.

Default: false

com.sun.identity.session.repository.enableCompression

For GZip-based compression of CTS tokens, if desired.

Default: false

com.sun.identity.session.repository.enableAttributeCompression

For additional compression of CTS token JSON binaries, beyond GZip, if desired.

Default: false

com.sun.identity.sm.cache.ttl

When service configuration caching time-to-live is enabled, this sets the time to live in minutes.

Default: 30

com.sun.identity.sm.cache.ttl.enable

If service configuration caching is enabled, whether to enable a time-to-live for cached configuration.

Default: false

com.sun.identity.sm.flatfile.root_dir

File system directory to hold file-based representation of OpenAM configuration.

Default: ~/openam/server-uri/sms such as ~/openam/openam/sms

com.sun.identity.sm.sms_object_class_name

Class used to read and write OpenAM service configuration entries in the directory.

Default: com.sun.identity.sm.ldap.SMSEmbeddedLdapObject

com.sun.identity.url.readTimeout

Used to set the read timeout in milliseconds for HTTP and HTTPS connections to other servers.

Default: 30000

com.sun.identity.urlconnection.useCache

Whether to cache documents for HTTP and HTTPS connections to other servers.

Default: false

com.sun.identity.webcontainer

Name of the web container to correctly set character encoding, if necessary.

Default: WEB_CONTAINER

console.privileged.users

Used to assign privileged console access to particular users. Set to a | separated list of users' Universal IDs, such as console.privileged.users=uid=demo,ou=user,|uid=demo2,ou=user,.

openam.auth.destroy_session_after_upgrade

Whether to destroy the old session after a session is successfully upgraded, so that the pre-upgrade session cannot be used again.

Default: true

openam.auth.distAuthCookieName

Cookie used by the OpenAM distributed authentication service to handle the authentication process.

Default: AMDistAuthCookie

openam.auth.session_property_upgrader

Class that controls which session properties are copied during session upgrade, where default is to copy all properties to the upgraded session.

Default: org.forgerock.openam.authentication.service.DefaultSessionPropertyUpgrader

openam.auth.version.header.enabled

The X-DSAMEVersion HTTP header provides detailed information about the version of OpenAM currently running on the system, including the build and date/time of the build. Because that information lets anyone fingerprint the deployment, enable the header only where clients actually need it. OpenAM must be restarted after this property is changed.

Default: false

openam.authentication.ignore_goto_during_logout

Whether to ignore the goto query string parameter on logout and display the logout page instead. When the parameter is ignored, a goto value supplied in the logout request cannot be used to redirect the user anywhere after logout.

Default: false

openam.cdm.default.charset

Character set used for globalization.

Default: UTF-8

openam.forbidden.to.copy.headers

Comma-separated list of HTTP headers not to copy to the response when the distributed authentication server forwards a request to another distributed authentication server. This is the counterpart of openam.retained.http.headers.

Default: connection

openam.forbidden.to.copy.request.headers

Comma-separated list of HTTP headers not to copy to the forwarded request when the distributed authentication server forwards a request to another distributed authentication server. This is the counterpart of openam.retained.http.request.headers.

Default: connection

openam.retained.http.headers

Comma-separated list of HTTP headers to copy to the forwarded response when the server forwards a request to another server.

Requests are forwarded when the server receiving the request is not the server that originally initiated authentication. The server that originally initiated authentication is identified by a cookie.

When the distributed authentication service (DAS) is in use, then the cookie is the AMDistAuthCookie that identifies the DAS server by its URL.

When authentication is done directly on OpenAM, then the cookie is the AMAuthCookie that holds a session ID that identifies the OpenAM server.

On subsequent requests the server receiving the request checks the cookie. If the cookie identifies another server, the current server forwards the request to that server.

If a header such as Cache-Control has been included in the list of values for the property openam.retained.http.request.headers and the header must also be copied to the response, then add it to the list of values for this property.

Example: openam.retained.http.headers=X-DSAMEVersion,Cache-Control

Default: X-DSAMEVersion

openam.retained.http.request.headers

Comma-separated list of HTTP headers to copy to the forwarded request when the server forwards a request to another server.

Requests are forwarded when the server receiving the request is not the server that originally initiated authentication. The server that originally initiated authentication is identified by a cookie.

When the distributed authentication service (DAS) is in use, then the cookie is the AMDistAuthCookie that identifies the DAS server by its URL.

When authentication is done directly on OpenAM, then the cookie is the AMAuthCookie that holds a session ID that identifies the OpenAM server.

On subsequent requests the server receiving the request checks the cookie. If the cookie identifies another server, the current server forwards the request to that server.

If your deployment includes multiple OpenAM servers and either the distributed authentication service is in use or a reverse proxy supplies the client IP address in the X-Forwarded-For header, this property must be set to include that header.

Example: openam.retained.http.request.headers=X-DSAMEVersion,X-Forwarded-For

OpenAM copies the header when forwarding a request to the authoritative server where the client originally began the authentication process, so that the authoritative OpenAM server receiving the forwarded request can determine the real client IP address.

In order to retain headers to return in the response to the OpenAM server that forwarded the request, use the property openam.retained.http.headers.

Default: X-DSAMEVersion
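The following Python code is an added illustration, not OpenAM's forwarding code: it models the documented behaviour of openam.retained.http.request.headers and openam.forbidden.to.copy.request.headers as an allow list minus a deny list, and walks through what the authoritative server learns about the client when a non-authoritative server forwards a request with and without X-Forwarded-For in the retained list. The header values, server addresses, and the notion that a dropped header leaves the authoritative server with only the forwarding server's address are constructed for the example; cookies and the request body, which the forwarding mechanism handles separately, are outside its scope.

```python
# Defaults documented for the two request-header properties.
DEFAULT_RETAINED_REQUEST = "X-DSAMEVersion"    # openam.retained.http.request.headers
DEFAULT_FORBIDDEN_REQUEST = "connection"       # openam.forbidden.to.copy.request.headers

# Constructed sample: a request that reached server B through a reverse proxy,
# but whose authentication began on server A, so B must forward it to A.
SAMPLE_REQUEST = {
    "X-Forwarded-For": "203.0.113.7",
    "X-DSAMEVersion": "OpenAM",
    "Connection": "keep-alive",
    "Accept-Language": "en",
}
SERVER_B_ADDR = "10.0.0.12"   # assumed address of the forwarding server


def parse_header_list(value):
    """Split a comma-separated property value into a lower-cased set."""
    return {h.strip().lower() for h in value.split(",") if h.strip()}


def headers_to_forward(incoming, retained=DEFAULT_RETAINED_REQUEST,
                       forbidden=DEFAULT_FORBIDDEN_REQUEST):
    """Headers server B copies onto the request it forwards to server A.

    A header is copied only if it is in the retained list and not in the
    forbidden list; header names are compared case-insensitively.
    """
    keep = parse_header_list(retained) - parse_header_list(forbidden)
    return {name: value for name, value in incoming.items()
            if name.lower() in keep}


def client_ip_seen_by_authoritative_server(incoming, retained):
    """What server A records as the client address after the forward.

    If X-Forwarded-For survived the copy, A reads the real client from it.
    If it did not, the only address A has is its TCP peer, which is B.
    """
    forwarded = headers_to_forward(incoming, retained)
    for name, value in forwarded.items():
        if name.lower() == "x-forwarded-for":
            return value
    return SERVER_B_ADDR


if __name__ == "__main__":
    print("default retained :",
          client_ip_seen_by_authoritative_server(SAMPLE_REQUEST, DEFAULT_RETAINED_REQUEST))
    print("with XFF retained:",
          client_ip_seen_by_authoritative_server(SAMPLE_REQUEST,
                                                 "X-DSAMEVersion,X-Forwarded-For"))
```

With the default retained list the authoritative server attributes the request to the forwarding server's address, which is what breaks IP-based conditions and audit records in a multi-server deployment; adding X-Forwarded-For to the retained list is what the paragraph above asks for.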

openam.session.allow_persist_am_cookie

If true users can extend the lifetime of the iplanetDirectoryPro cookie to com.iplanet.am.cookie.timeToLive on a per-session basis, by using the query string parameter openam.session.persist_am_cookie=Yes.

openam.session.case.sensitive.uuid

Whether universal user IDs are considered case sensitive when matching them.

Default: false

openam.session.persist_am_cookie

If true extend the lifetime of the iplanetDirectoryPro cookie to com.iplanet.am.cookie.timeToLive.

Default: false

openam.session.useLocalSessionsInMultiServerMode

This property is for use in multi-server deployments where session failover is not available. If true, calculate session quotas per server. In other words, if the session quota is 5 sessions and users can access up to 4 servers, they can have a maximum of 20 (5 * 4) sessions.

Default: false

opensso.protocol.handler.pkgs

If the web application container sets java.protocol.handler.pkgs, then set this property to com.sun.identity.protocol.

org.forgerock.embedded.dsadminport

Administration port for embedded OpenDJ directory server.

Default: 4444

org.forgerock.openam.authentication.accountExpire.days

Days until account expiration set after successful authentication by the account expiration post authentication plugin.

Default: 30

securidHelper.ports

Port on which SecurID daemon listens.

Default: 58943

ssoadm.disabled

Set to false to enable ssoadm.jsp, which lets an administrator run ssoadm commands from a browser. Because that page exposes administrative command execution over HTTP, leave it disabled unless you need it, and set this property back to true when you are done.

Default: true

Sites

Sites involve multiple OpenAM servers working together to provide services. You can use sites with load balancers and session failover to configure pools of servers capable of responding to client requests in highly available fashion.

Primary URL

Set the primary entry point to the site, such as the URL to the load balancer for the site configuration.

Secondary URLs

Set alternate entry points to the site. Used when session failover is configured.

Assigned Servers

Shows the list of OpenAM servers in the site.