This chapter covers OpenAM configuration properties accessible through the Configuration tab of the console, most of which can be set by using the ssoadm command. The chapter is organized to follow the OpenAM console layout.
Under Configuration > Authentication you can configure authentication services globally using the same attributes you use to configure authentication modules per realm under Access Control > Realm Name > Authentication > Module Instances, and described in the Administration Guide chapter on Defining Authentication Services.
The primary difference is that when configuring services globally, you set the default values to be used when a module is configured further for a specific realm.
The Core Authentication module includes some fields under this tab that are not available through the realm settings under the Access Control tab.
Because attributes set under the Configuration tab apply on a server level, the changes you make here will apply to all realms. Attributes set under the Access Control tab only apply to the realms that you specify. The Authentication table under the Configuration tab lists all existing types of modules available for configuration, including any customized modules you have added.
The following are the global fields you can configure for the Core Authentication module under the Configuration tab.
Add class names for custom authentication modules to this list.
ssoadm attribute:
iplanet-am-auth-authenticators
Sets a minimum and maximum number of LDAP connections in the pool for connecting to a directory server. When tuning for production, start with 10:65 (10 minimum, 65 maximum). Explicit settings for specific servers override the default.
This attribute is for LDAP and Membership authentication services only.
This connection pool is different than the SDK connection pool configured in serverconfig.xml.
ssoadm attributes:
iplanet-am-auth-ldap-connection-pool-size, and
iplanet-am-auth-ldap-connection-pool-default-size
Require the authenticating application to send its SSOToken. This allows the Authentication Service to obtain the username and password associated with the application.
ssoadm attribute:
sunRemoteAuthSecurityEnabled
When enabled, retain objects used to process authentication or post authentication operations in the user session until the user logs out.
ssoadm attributes:
sunAMAuthKeepPostProcessInstances, and
sunAMAuthKeepAuthModuleIntances
When enabled, the initial login screen uses the XUI.
ssoadm attribute:
openam-xui-interface-enabled
Under Configuration > Console you can customize how the OpenAM console appears, and what character sets are used.
Administration includes both global and realm attributes.
ssoadm service name:
iPlanetAMAdminConsoleService
Clear Enabled to disable federation functionality in OpenAM.
ssoadm attribute:
iplanet-am-admin-console-liberty-enabled
Use this attribute to restrict the maximum number of results found in a search, such as a search for user profiles. Increasing the value can negatively impact performance. On the other hand, the default maximum of 100 can explain why administrators unaware of this setting can be surprised not to see all the users they expect in search results.
ssoadm attribute:
iplanet-am-admin-console-search-limit
Timeout in seconds for a console search. OpenAM returns an error if the search is not completed by the timeout.
ssoadm attribute:
iplanet-am-admin-console-search-timeout
List of LDAP attribute types to return in search results. OpenAM sorts users by the first attribute you specify. Use attributes that are actually present in user profiles.
ssoadm attribute:
iplanet-am-admin-console-user-return-attribute
OpenAM shows a maximum of this many items in a console page before separating the page into multiple screens.
ssoadm attribute:
iplanet-am-admin-console-paging-size
If enabled, when the user edits her password in the user view, then OpenAM prompts her for the old password.
ssoadm attribute:
iplanet-am-admin-console-password-reset-enabled
Globalization settings affect character sets and common name formats. See Localization for a list of supported locales.
ssoadm service name:
iPlanetG11NSettings
This table lets you configure the order of supported character sets used for each supported locale. Change the settings only if the defaults are not appropriate.
ssoadm attribute:
sun-identity-g11n-settings-locale-charset-mapping
Use this list to map between different character set names used in Java and in MIME.
ssoadm attribute:
sun-identity-g11n-settings-charset-alias-mapping
Use this list to configure how OpenAM formats names shown in the console banner.
ssoadm attribute:
sun-identity-g11n-settings-common-name-format
Under Configuration > System, you can change OpenAM settings for server logging, monitoring, service URL naming, locale, cookie domain, and how OpenAM detects specific clients.
OpenAM can detect client user agents by their HTTP requests.
ssoadm service name:
iPlanetAMClientDetection
If no specific match is found for the client type, then this type is used. The default is genericHTML, suitable for supported browsers.
ssoadm attribute:
iplanet-am-client-detection-default-client-type
The client detection plugin must implement the com.iplanet.services.cdm.ClientDetectionInterface.
Client type is a name that uniquely identifies the client to OpenAM.
The plugin scans HTTP requests to determine the client type.
ssoadm attribute:
iplanet-am-client-detection-class
If this is enabled, then OpenAM needs an appropriate client detection class implementation, and the authentication user interface must be appropriate for the clients detected.
ssoadm attribute:
iplanet-am-client-detection-enabled
You configure global OpenAM logging settings on this page.
ssoadm service name:
iPlanetAMLoggingService
Sets the maximum log file size in bytes.
ssoadm attribute:
iplanet-am-logging-max-file-size
Sets the number of history files for each log that OpenAM keeps, including time-based histories. The previously live file is moved to be included in the history count, and a new log is created to serve as the live log file. Any log file in the history count that goes over the number specified here will be deleted. For time-based logs, a new set of logs will be created when OpenAM is started because of the time-based file names that are used.
ssoadm attribute:
iplanet-am-logging-num-hist-file
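The chapter introduction says most of these attributes can be set with ssoadm. As an added example that is not part of the OpenAM documentation, the script below sets the two logging attributes just described as global defaults with ssoadm set-attr-defs and reads them back with get-attr-defs. It assumes ssoadm is on the PATH (or named in SSOADM), that the amadmin password is stored in the file named by AM_PWFILE, and that these logging attributes live in the service's Global schema; the byte and file counts are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the OpenAM documentation or code base.
# Assumptions (not stated on the page): ssoadm is on PATH or named in
# SSOADM, the amadmin password is in the file named by AM_PWFILE (keep it
# mode 0400), and the logging service attributes are in the Global schema.
SSOADM="${SSOADM:-ssoadm}"
AM_PWFILE="${AM_PWFILE:-/tmp/pwd.txt}"

# set_global_defaults SERVICE ATTR=VALUE [ATTR=VALUE ...]
# Writes default values for the named service's global attributes.
set_global_defaults() {
    svc="$1"; shift
    "$SSOADM" set-attr-defs \
        --adminid amadmin \
        --password-file "$AM_PWFILE" \
        --servicename "$svc" \
        --schematype Global \
        --attributevalues "$@"
}

# get_global_defaults SERVICE ATTR [ATTR ...]
# Reads the current default values back so the change can be confirmed.
get_global_defaults() {
    svc="$1"; shift
    "$SSOADM" get-attr-defs \
        --adminid amadmin \
        --password-file "$AM_PWFILE" \
        --servicename "$svc" \
        --schematype Global \
        --attributenames "$@"
}

# Cap each live log file at 10,000,000 bytes and keep five history files
# (constructed values), then read both settings back for verification.
apply_logging_defaults() {
    set_global_defaults iPlanetAMLoggingService \
        iplanet-am-logging-max-file-size=10000000 \
        iplanet-am-logging-num-hist-file=5 &&
    get_global_defaults iPlanetAMLoggingService \
        iplanet-am-logging-max-file-size \
        iplanet-am-logging-num-hist-file
}
```

Run apply_logging_defaults from a shell on the OpenAM host after sourcing the script; the second command's output is the check that the new defaults took effect.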
Set this if you want to add a prefix to log files governed by time-based log rotation.
ssoadm attribute:
openam-logging-file-prefix
Change this if you want to change the suffix for log files governed by time-based log rotation. You can use SimpleDateFormat patterns. The default is -MM.dd.yy-kk.mm.
ssoadm attribute:
openam-logging-file-suffix
This property is interpreted to determine the location of log files, taking either a file system location or a JDBC URL. The default is %BASE_DIR%/%SERVER_URI%/log/.
ssoadm attribute:
iplanet-am-logging-location
Set this to INACTIVE to disable the logging system.
ssoadm attribute:
logstatus
Enable this to have OpenAM perform a DNS host lookup to populate the host name field for log records. OpenAM requires DNS on the host where it runs. Enabling this feature increases the load on the logging system.
ssoadm attribute:
resolveHostName
Set this to DB to log to a database. Default: File. If you choose DB, then be sure to set the connection attributes correctly, including the JDBC driver to use.
ssoadm attribute:
iplanet-am-logging-type
When logging to a database, set this to the user name used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.
ssoadm attribute:
iplanet-am-logging-db-user
When logging to a database, set this to the password used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.
ssoadm attribute:
iplanet-am-logging-db-password
When logging to a database, set this to the class name of the JDBC driver used to connect to the database. The default is for Oracle. OpenAM also works with the MySQL database driver.
ssoadm attribute:
iplanet-am-logging-db-driver
Select the fields OpenAM includes in log messages using this attribute. By default all fields are included in log messages.
ssoadm attribute:
iplanet-am-logging-logfields
When secure logging is enabled, set this to how often OpenAM verifies log file content (in seconds).
ssoadm attribute:
iplanet-am-logging-verify-period-in-seconds
When secure logging is enabled, set this to how often OpenAM signs log file content (in seconds).
ssoadm attribute:
iplanet-am-logging-signature-period-in-seconds
Set this to ON to enable the secure logging system, whereby OpenAM digitally signs and verifies log files. You must also set up the Logging Certificate Store for this feature to function.
ssoadm attribute:
iplanet-am-logging-security-status
Set this to the algorithm used for digitally signing log records.
ssoadm attribute:
iplanet-am-logging-secure-signing-algorithm
The secure logging system uses the certificate with alias Logger that it finds in the key store specified by this path. The default is %BASE_DIR%/%SERVER_URI%/Logger.jks.
ssoadm attribute:
iplanet-am-logging-secure-certificate-store
Set this to the maximum number of records read from the logs through the Logging API.
ssoadm attribute:
iplanet-am-logging-max-records
Set this to the number of files to be archived by the secure logging system.
ssoadm attribute:
iplanet-am-logging-files-per-keystore
The number of log messages buffered in memory before OpenAM flushes them to the log file or the database.
ssoadm attribute:
iplanet-am-logging-buffer-size
Set this to the maximum number of log records to hold in memory if the database to which records are logged is unavailable. If the value is less than Buffer Size, that value takes precedence.
ssoadm attribute:
sun-am-logging-db-max-in-mem
Set the time in seconds that OpenAM buffers log messages in memory before flushing the buffer when Time Buffering is ON. The default is 60 seconds.
ssoadm attribute:
iplanet-am-logging-buffer-time-in-seconds
Set this to OFF to cause OpenAM to write each log message separately rather than the default of holding messages in a memory buffer that OpenAM flushes periodically, as specified using the Buffer Time attribute.
ssoadm attribute:
iplanet-am-logging-time-buffering-status
Set the log level for OpenAM. OFF is equivalent to setting the status to INACTIVE.
ssoadm attribute:
sun-am-log-level
You enable OpenAM monitoring by using these attributes.
ssoadm service name:
iPlanetAMMonitoringService
Enable monitoring using this attribute.
ssoadm attribute:
iplanet-am-monitoring-enabled
Set the port number for the HTML monitoring interface.
ssoadm attribute:
iplanet-am-monitoring-http-port
Enable the HTML monitoring interface using this attribute.
ssoadm attribute:
iplanet-am-monitoring-http-enabled
Set this to the path of the file containing the user name and password used to protect access to monitoring information. The default user name and password combination is demo and changeit. You can encode a new password using the ampassword command.
ssoadm attribute:
iplanet-am-monitoring-authfile-path
Set the port number for the JMX monitoring interface.
ssoadm attribute:
iplanet-am-monitoring-rmi-port
Enable the JMX monitoring interface using this attribute.
ssoadm attribute:
iplanet-am-monitoring-rmi-enabled
Set the port number for the SNMP monitoring interface.
ssoadm attribute:
iplanet-am-monitoring-snmp-port
Enable the SNMP monitoring interface using this attribute.
ssoadm attribute:
iplanet-am-monitoring-snmp-enabled
You can configure URLs for service endpoints.
ssoadm service name:
iPlanetAMNamingService
Set the endpoint used by the profile service.
This attribute is deprecated.
ssoadm attribute:
iplanet-am-naming-profile-url
Set the endpoint used by the session service.
ssoadm attribute:
iplanet-am-naming-session-url
Set the endpoint used by the logging service.
ssoadm attribute:
iplanet-am-naming-logging-url
Set the endpoint used by the policy service.
ssoadm attribute:
iplanet-am-naming-policy-url
Set the endpoint used by the authentication service.
ssoadm attribute:
iplanet-am-naming-auth-url
Set the SAML v1 endpoint.
ssoadm attribute:
iplanet-am-naming-samlawareservlet-url
Set the endpoint used by the SAML v1 SOAP service.
ssoadm attribute:
iplanet-am-naming-samlsoapreceiver-url
Set the SAML v1 Web Profile endpoint.
ssoadm attribute:
iplanet-am-naming-samlpostservlet-url
Set the endpoint used by the SAML v1 assertion service.
ssoadm attribute:
iplanet-am-naming-samlassertionmanager-url
Set the endpoint used by the ID-FF assertion manager service.
ssoadm attribute:
iplanet-am-naming-fsassertionmanager-url
Set the STS endpoint.
ssoadm attribute:
iplanet-am-naming-securitytokenmanager-url
Set the JAXRPC endpoint used by remote IDM/SMS APIs.
ssoadm attribute:
iplanet-am-naming-jaxrpc-url
Set the endpoint for Identity WSDL services.
ssoadm attribute:
sun-naming-idsvcs-jaxws-url
Set the endpoint used for Identity REST services.
ssoadm attribute:
sun-naming-idsvcs-rest-url
Set the STS endpoint.
ssoadm attribute:
sun-naming-sts-url
Set the STS MEX endpoint.
ssoadm attribute:
sun-naming-sts-mex-url
You can configure the default locale and list of cookie domains.
ssoadm service name:
iPlanetAMPlatformService
Set the fallback locale used when the user locale cannot be determined.
ssoadm attribute:
iplanet-am-platform-locale
Set the list of domains into which OpenAM writes cookies. If you set multiple cookie domains, OpenAM still only sets the cookie in the domain the client uses to access OpenAM. You can also configure cross domain single sign on (CDSSO) to allow single sign on across multiple domains managed by your organization. See the Administration Guide chapter on Configuring Cross-Domain Single Sign On for details.
ssoadm attribute:
iplanet-am-platform-cookie-domains
Under Configuration > Global you can set defaults for a range of federation services, for password reset, for policy configuration, for session management, and for dynamic user attributes.
ssoadm service name:
sunFAMFederationCommon
Used by the Federation system to access user profile attributes
ssoadm attribute:
DatastoreClass
Used by the Federation system to access service configuration
ssoadm attribute:
ConfigurationClass
Used by the Federation system to record log messages
ssoadm attribute:
LoggerClass
Used by the Federation system to access the session service
ssoadm attribute:
SessionProviderClass
Maximum number of bytes for Federation communications
ssoadm attribute:
MaxContentLength
Used by the Federation system to decode passwords encoded by OpenAM
ssoadm attribute:
PasswordDecoderClass
Used by the Federation system to digitally sign SAML documents
ssoadm attribute:
SignatureProviderClass
Used by the Federation system to access the Java key store
ssoadm attribute:
KeyProviderClass
If enabled, OpenAM checks that the partner's signing certificate presented in the XML matches the certificate from the partner's metadata
ssoadm attribute:
CheckCert
Algorithm used to render the canonical versions of XML documents
ssoadm attribute:
CannonicalizationAlgorithm
Algorithm used to sign XML documents
ssoadm attribute:
SignatureAlgorithm
Algorithm used for XML transformations
ssoadm attribute:
TransformationAlgorithm
OpenAM redirects users here when an error occurs in the SAML2 engine. Users are redirected to absolute URLs, whereas relative URLs are displayed within the request.
ssoadm attribute:
SAMLErrorPageURL
Set this either to HTTP-Redirect or to HTTP-POST.
ssoadm attribute:
SAMLErrorPageHTTPBinding
Used by the Federation system to access the monitoring system
ssoadm attribute:
MonAgentClass
Used by the SAMLv1 engine to access the monitoring system
ssoadm attribute:
MonSAML1Class
Used by the SAML2 engine to access the monitoring system
ssoadm attribute:
MonSAML2Class
Used by the ID-FF engine to access the monitoring system
ssoadm attribute:
MonIDFFClass
ssoadm service name:
dashboardService
Identifies how to access the application, for example SAML2ApplicationClass for a SAML 2.0 application
ssoadm attribute:
dashboardClassName
The application name as it will appear to the administrator for configuring the dashboard
ssoadm attribute:
dashboardName
The application name that displays on the dashboard client
ssoadm attribute:
dashboardDisplayName
The icon name that will be displayed on the dashboard client identifying the application
ssoadm attribute:
dashboardIcon
The URL that takes the user to the application
ssoadm attribute:
dashboardLogin
List of application dashboard names available by default for realms with the Dashboard configured
ssoadm attribute:
assignedDashboard
ssoadm service name:
ForgeRockSendEmailService
Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.
Default: org.forgerock.openam.services.email.MailServerImpl
ssoadm attribute:
forgerockMailServerImplClassName
Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.
Default: smtp.gmail.com
ssoadm attribute:
forgerockEmailServiceSMTPHostName
Specifies the port number for the SMTP mail server.
Default: 465
ssoadm attribute:
forgerockEmailServiceSMTPHostPort
Specifies the user name for the SMTP mail server.
Default: forgerocksmtp
ssoadm attribute:
forgerockEmailServiceSMTPUserName
Specifies the password for the SMTP user name.
ssoadm attribute:
forgerockEmailServiceSMTPUserPassword
Specifies whether to connect to the SMTP mail server using SSL.
Default: use SSL (true)
ssoadm attribute:
forgerockEmailServiceSMTPSSLEnabled
Specifies the address from which to send email notifications.
Default: no-reply@openam.org
ssoadm attribute:
forgerockEmailServiceSMTPFromAddress
Specifies the profile attribute from which to retrieve the end user's email address.
Default: mail
ssoadm attribute:
openamEmailAttribute
Specifies a subject for notification messages. If you do not set this OpenAM does not set the subject for notification messages.
ssoadm attribute:
forgerockEmailServiceSMTPSubject
Specifies content for notification messages. If you do not set this OpenAM includes only the confirmation URL in the mail body.
ssoadm attribute:
forgerockEmailServiceSMTPMessage
ssoadm service name:
sunFAMIDFFConfiguration
Cookie name for Liberty ID-FF
ssoadm attribute:
FedCookieName
Used by the ID-FF engine to find the IDP proxy
ssoadm attribute:
IDPProxyFinderClass
Seconds between times OpenAM cleans up the request cache
ssoadm attribute:
RequestCacheCleanupInterval
Seconds cached requests remain valid
ssoadm attribute:
RequestCacheTimeout
Login URL for the ID-FF IDP
ssoadm attribute:
IDPLoginURL
If yes, require XML signing.
ssoadm attribute:
XMLSigningOn
ssoadm service name:
sunFAMLibertyInteractionService
ssoadm attribute:
WSPWillRedirect
ssoadm attribute:
WSPWillRedirectForData
ssoadm attribute:
WSPRedirectTime
ssoadm attribute:
WSPWillEnforceHttpsCheck
ssoadm attribute:
WSPWillEnforceReturnToHostEqualsRequestHost
ssoadm attribute:
HTMLStyleSheetLocation
ssoadm attribute:
WMLStyleSheetLocation
ssoadm attribute:
WSPRedirectHandlerURL
ssoadm attribute:
LBWSPRedirectHandler
ssoadm attribute:
TrustedWspRedirectHandlers
ssoadm attribute:
InteractionConfigClass
ssoadm attribute:
WSCSpecifiedInteractionChoice
ssoadm attribute:
WSCWillIncludeUserInteractionHeader
ssoadm attribute:
WSCWillRedirect
ssoadm attribute:
WSCSpecifiedMaxInteractionTime
ssoadm attribute:
WSCWillEnforceHttpsCheck
ssoadm service name:
sunMultiFederationProtocol
List of logout handlers used for each different federation protocol
ssoadm attribute:
SingleLogoutHandlerList
ssoadm service name:
OAuth2Provider
Lifetime of OAuth 2.0 authorization code in seconds.
ssoadm attribute:
forgerock-oauth2-provider-authorization-code-lifetime
Lifetime of OAuth 2.0 refresh token in seconds.
ssoadm attribute:
forgerock-oauth2-provider-refresh-token-lifetime
Lifetime of OAuth 2.0 access token in seconds.
ssoadm attribute:
forgerock-oauth2-provider-access-token-lifetime
Whether to issue a refresh token when returning an access token.
ssoadm attribute:
forgerock-oauth2-provider-issue-refresh-token
Whether to issue a refresh token when refreshing an access token.
ssoadm attribute:
forgerock-oauth2-provider-issue-refresh-token-on-refreshing-token
Name of class on OpenAM classpath implementing scopes.
ssoadm attribute:
forgerock-oauth2-provider-scope-implementation-class
List of plugins that handle the valid response_type values. OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization end point (/oauth2/authorize) to indicate which grant type is requested from the provider. For example, the client passes code when requesting an authorization code, and token when requesting an access token.
Values in this list take the form response-type|plugin-class-name.
Defaults:
code|org.forgerock.restlet.ext.oauth2.flow.responseTypes.CodeResponseType,
id_token|org.forgerock.restlet.ext.oauth2.flow.responseTypes,
token|org.forgerock.restlet.ext.oauth2.flow.responseTypes.TokenResponseType
ssoadm attribute:
forgerock-oauth2-provider-response-type-map-class
Names of profile attributes that resource owners use to log in. The default is uid, and you can add others such as mail.
ssoadm attribute:
forgerock-oauth2-provider-authentication-attributes
Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions. When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.
ssoadm attribute:
forgerock-oauth2-provider-saved-consent-attribute
The URL where the OpenID Connect provider's JSON Web Key can be retrieved.
ssoadm attribute:
forgerock-oauth2-provider-jkws-uri
Algorithms supported to sign OpenID Connect id_tokens.
ssoadm attribute:
forgerock-oauth2-provider-id-token-signing-algorithms-supported
List of claims supported by the OpenID Connect /oauth2/userinfo endpoint.
ssoadm attribute:
forgerock-oauth2-provider-supported-claims
See the Administration Guide chapter on Configuring Password Reset for details.
You can change global policy configuration, and the defaults per realm.
ssoadm service name:
iPlanetAMPolicyConfigService
OpenAM uses resource comparators to match resources specified in policy rules. When setting comparators on the command line, separate fields with | characters.
ssoadm attribute:
iplanet-am-policy-config-resource-comparator
If no, then OpenAM stops evaluating policy as soon as it reaches a deny decision.
ssoadm attribute:
iplanet-am-policy-config-continue-evaluation-on-deny-decision
Lists advice names for which policy agents redirect users to OpenAM for further authentication and authorization
ssoadm attribute:
sun-am-policy-config-advices-handleable-by-am
If yes, then OpenAM allows creation of policies for HTTP and HTTPS resources whose FQDN matches the DNS alias for the realm even when no referral policy exists.
ssoadm attribute:
sun-am-policy-config-org-alias-mapped-resources-enabled
Configuration directory server host:port that OpenAM searches for policy information
ssoadm attribute:
iplanet-am-policy-config-ldap-server
Base DN for policy searches
ssoadm attribute:
iplanet-am-policy-config-ldap-base-dn
Base DN for LDAP Users subject searches
ssoadm attribute:
iplanet-am-policy-config-ldap-users-base-dn
Base DN for OpenAM Roles searches
ssoadm attribute:
iplanet-am-policy-config-is-roles-base-dn
Bind DN to connect to the directory server for policy information
ssoadm attribute:
iplanet-am-policy-config-ldap-bind-dn
Bind password to connect to the directory server for policy information
ssoadm attribute:
iplanet-am-policy-config-ldap-bind-password
Search filter to match organization entries
ssoadm attribute:
iplanet-am-policy-config-ldap-organizations-search-filter
Search scope to find organization entries
ssoadm attribute:
iplanet-am-policy-config-ldap-organizations-search-scope
Search filter to match group entries
ssoadm attribute:
iplanet-am-policy-config-ldap-groups-search-filter
Search scope to find group entries
ssoadm attribute:
iplanet-am-policy-config-ldap-groups-search-scope
Search filter to match user entries
ssoadm attribute:
iplanet-am-policy-config-ldap-users-search-filter
Search scope to find user entries
ssoadm attribute:
iplanet-am-policy-config-ldap-users-search-scope
Search filter to match nsRole definition entries
ssoadm attribute:
iplanet-am-policy-config-ldap-roles-search-filter
Search scope to find nsRole definition entries
ssoadm attribute:
iplanet-am-policy-config-ldap-roles-search-scope
Search scope to find OpenAM roles entries
ssoadm attribute:
iplanet-am-policy-config-is-roles-search-scope
Naming attribute for organization entries
ssoadm attribute:
iplanet-am-policy-config-ldap-organizations-search-attribute
Naming attribute for group entries
ssoadm attribute:
iplanet-am-policy-config-ldap-groups-search-attribute
Naming attribute for user entries
ssoadm attribute:
iplanet-am-policy-config-ldap-users-search-attribute
Naming attribute for nsRole definition entries
ssoadm attribute:
iplanet-am-policy-config-ldap-roles-search-attribute
Search limit for LDAP searches
ssoadm attribute:
iplanet-am-policy-config-search-limit
Seconds after which OpenAM returns an error for an incomplete search
ssoadm attribute:
iplanet-am-policy-config-search-timeout
If enabled, OpenAM connects securely to the directory server. This requires that you install the directory server certificate.
ssoadm attribute:
iplanet-am-policy-config-ldap-ssl-enabled
Minimum number of connections in the pool
ssoadm attribute:
iplanet-am-policy-config-connection_pool_min_size
Maximum number of connections in the pool
ssoadm attribute:
iplanet-am-policy-config-connection_pool_max_size
Lists subjects available for policy definition in realms
ssoadm attribute:
iplanet-am-policy-selected-subjects
Lists conditions available for policy definition in realms
ssoadm attribute:
iplanet-am-policy-selected-conditions
Lists referral types available for policy definition in realms
ssoadm attribute:
iplanet-am-policy-selected-referrals
Maximum minutes OpenAM caches a subject result for evaluating policy requests. A value of 0 prevents OpenAM from caching subject evaluations for policy decisions.
Default: 10
ssoadm attribute:
iplanet-am-policy-config-subjects-result-ttl
If enabled, OpenAM can evaluate policy for remote users aliased to local users.
ssoadm attribute:
iplanet-am-policy-config-user-alias-enabled
Lists available response providers available for policy definition
ssoadm attribute:
sun-am-policy-selected-responseproviders
Lists dynamic response attributes available for policy definition
ssoadm attribute:
sun-am-policy-dynamic-response-attributes
ssoadm service name:
RestSecurity
The order of options that appear in the console may vary depending on whether you are running from a new installation or an upgrade of OpenAM.
If enabled, new users can sign up using a REST API client.
Default: not enabled
ssoadm attribute:
forgerockRESTSecuritySelfRegistrationEnabled
Maximum life time for the token allowing user self-registration using the REST API.
Default: 900 (seconds)
ssoadm attribute:
forgerockRESTSecuritySelfRegTokenTTL
This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.
Default: deployment-base-url/XUI/confirm.html, where deployment-base-url is something like https://openam.example.com:8443/openam
ssoadm attribute:
forgerockRESTSecuritySelfRegConfirmationUrl
If enabled, users can assign themselves a new password using a REST API client.
Default: not enabled
ssoadm attribute:
forgerockRESTSecurityForgotPasswordEnabled
Maximum life time for the token allowing user to process a forgotten password using the REST API.
Default: 900 (seconds)
ssoadm attribute:
forgerockRestSecurityForgotPassTokenTTL
This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.
Default: deployment-base-url/XUI/confirm.html, where deployment-base-url is something like https://openam.example.com:8443/openam
ssoadm attribute:
forgerockRESTSecurityForgotPassConfirmationUrl
ssoadm service name:
sunFAMSAML2Configuration
Seconds between cache cleanup operations
ssoadm attribute:
CacheCleanupInterval
User entry attribute to store name identifier information
ssoadm attribute:
NameIDInfoAttribute
User entry attribute to store the name identifier key
ssoadm attribute:
NameIDInfoKeyAttribute
Specifies the cookie domain for the IDP discovery service
ssoadm attribute:
IDPDiscoveryCookieDomain
Indicates whether to use PERSISTENT or SESSION cookies
ssoadm attribute:
IDPDiscoveryCookieType
Indicates whether to use HTTP or HTTPS
ssoadm attribute:
IDPDiscoveryURLScheme
Used by the SAML2 engine to encrypt and decrypt documents
ssoadm attribute:
XMLEncryptionClass
ssoadm attribute:
EncryptedKeyInKeyInfo
Used by the SAML2 engine to sign documents
ssoadm attribute:
XMLSigningClass
If enabled, then validate certificates used to sign documents.
ssoadm attribute:
SigningCertValidation
If enabled, then validate CA certificates.
ssoadm attribute:
CACertValidation
If enabled, OpenAM can fail over requests to another instance.
ssoadm attribute:
failOverEnabled
The size is specified in bytes.
ssoadm attribute:
bufferLength
ssoadm service name:
sunfmSAML2SOAPBindingService
List of handlers to deal with SAML2 requests bound to SOAP. The key for a request handler is the meta alias, whereas the class indicates the name of the class that implements the handler.
ssoadm attribute:
sunSAML2RequestHandlerList
ssoadm service name:
sunFAMSTSService
Specifies the name of the security token service
ssoadm attribute:
stsIssuer
Specifies the STS service endpoint
ssoadm attribute:
stsEndPoint
Milliseconds the security token remains valid
ssoadm attribute:
stsLifetime
Specifies the alias for the signing certificate
ssoadm attribute:
stsCertAlias
Specifies the class that converts end user tokens
ssoadm attribute:
com.sun.identity.wss.sts.clientusertoken
Lists credentials used to secure the token, and credentials OpenAM accepts in the incoming request
ssoadm attribute:
SecurityMech
Specifies the authentication chain OpenAM applies for incoming requests for authenticated security tokens
ssoadm attribute:
AuthenticationChain
User name and password shared secrets to validate UserName tokens in incoming requests
ssoadm attribute:
UserCredential
If yes, then OpenAM checks for and rejects replayed messages.
ssoadm attribute:
DetectMessageReplay
If yes, then OpenAM checks for and rejects replayed user tokens.
ssoadm attribute:
DetectUserTokenReplay
If yes, then OpenAM verifies signatures on incoming requests.
ssoadm attribute:
isRequestSign
If yes, then OpenAM signs the selected parts of the response.
ssoadm attribute:
isResponseSign
Specifies the reference type used to sign the response. One of DirectReference, KeyIdentifierRef, or X509IssuerSerialRef.
ssoadm attribute:
SigningRefType
If yes, then OpenAM decrypts the selected parts of the request.
ssoadm attribute:
isRequestEncrypt
If yes, then OpenAM encrypts responses.
ssoadm attribute:
isResponseEncrypt
Specifies the algorithm used to encrypt responses
ssoadm attribute:
EncryptionAlgorithm
Alias for the private key used to sign responses and decrypt requests
ssoadm attribute:
privateKeyAlias
Type of private key. One of publicKey, symmetricKey, or noProofKey.
ssoadm attribute:
privateKeyType
Alias for the certificate used to verify request signatures and encrypt responses
ssoadm attribute:
publicKeyAlias
Specifies the FQDN of the KDC
ssoadm attribute:
KerberosDomainServer
Specifies the domain name of the KDC
ssoadm attribute:
KerberosDomain
Specifies the Kerberos principal who owns the generated token.
Use the format HTTP/host.domain@kdc-domain
ssoadm attribute:
KerberosServicePrincipal
Specifies the key tab file used to issue the token
ssoadm attribute:
KerberosKeyTabFile
If yes, then OpenAM requires signed Kerberos tokens.
ssoadm attribute:
isVerifyKrbSignature
Lists attribute mappings for generated assertions
This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
ssoadm attribute:
SAMLAttributeMapping
Specifies the NameID mapper for generated assertions
This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
ssoadm attribute:
NameIDMapper
If yes, then OpenAM requires generated assertions include user memberships.
This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
ssoadm attribute:
includeMemberships
Specifies the namespace for generated assertions
This attribute applies when OpenAM acts as a WSP, receiving a SAML token or assertion generated by another STS.
ssoadm attribute:
AttributeNamespace
Lists issuers OpenAM can trust to send security tokens
ssoadm attribute:
trustedIssuers
Lists issuer IP addresses that OpenAM can trust to send security tokens
ssoadm attribute:
trustedIPAddresses
ssoadm service name:
iPlanetAMSessionService
When session failover is configured, you can set up additional configurations for connecting to the session repository here.
Maximum number of results from a session search
ssoadm attribute:
iplanet-am-session-max-session-list-size
Seconds after which OpenAM sees an incomplete search as having failed
ssoadm attribute:
iplanet-am-session-session-list-retrieval-timeout
If on, then OpenAM notifies other applications participating in SSO when a session property in the Notification Properties list changes.
ssoadm attribute:
iplanet-am-session-property-change-notification
If on, then OpenAM allows you to set constraints on user sessions.
ssoadm attribute:
iplanet-am-session-enable-session-constraint
Milliseconds after which OpenAM considers a search for live session count as having failed if quota constraints are enabled
ssoadm attribute:
iplanet-am-session-constraint-max-wait-time
Resulting behavior when a user who has reached the session quota requests a new session. You can either set the next expiring session to be destroyed, DESTROY_NEXT_EXPIRING, the oldest session to be destroyed, DESTROY_OLDEST_SESSION, all previous sessions to be destroyed, DESTROY_OLD_SESSIONS, or deny the new session creation request, DENY_ACCESS.
ssoadm attribute:
iplanet-am-session-constraint-resulting-behavior
If yes, then OpenAM denies login when the session repository is down. This attribute takes effect when quota constraints are enabled.
ssoadm attribute:
iplanet-am-session-deny-login-if-db-is-down
Lists session properties for which OpenAM can send notifications upon modification
ssoadm attribute:
iplanet-am-session-notification-property-list
If enabled, OpenAM does not perform DNS lookups when checking restrictions in cookie hijacking mode.
ssoadm attribute:
iplanet-am-session-dnrestrictiononly
If yes, then OpenAM stores only a limited set of session properties after session timeout and before session purging.
ssoadm attribute:
iplanet-am-session-enable-session-trimming
Lists plugin classes implementing session timeout handlers
ssoadm attribute:
openam-session-timeout-handler-list
Maximum minutes a session can remain valid before OpenAM requires the user to authenticate again
ssoadm attribute:
iplanet-am-session-max-session-time
Maximum minutes a session can remain idle before OpenAM requires the user to authenticate again
ssoadm attribute:
iplanet-am-session-max-idle-time
Maximum minutes before OpenAM refreshes a session that has been cached
ssoadm attribute:
iplanet-am-session-max-caching-time
Maximum number of concurrent sessions OpenAM allows a user to have
ssoadm attribute:
iplanet-am-session-quota-limit
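To make the interaction of the quota settings above concrete (constraints enabled, the resulting behavior, the deny-login-if-db-is-down switch and the quota limit), here is a small simulation in Python. It is an added example, not OpenAM's code: the Session and QuotaPolicy classes, the enforce_quota function and the sample sessions are constructed for illustration.

```python
"""Session quota enforcement simulation (added example, not OpenAM code)."""
from dataclasses import dataclass

# Values of iplanet-am-session-constraint-resulting-behavior
DESTROY_NEXT_EXPIRING = "DESTROY_NEXT_EXPIRING"
DESTROY_OLDEST_SESSION = "DESTROY_OLDEST_SESSION"
DESTROY_OLD_SESSIONS = "DESTROY_OLD_SESSIONS"
DENY_ACCESS = "DENY_ACCESS"


@dataclass(frozen=True)
class Session:
    sid: str
    created: int   # creation time, seconds (constructed sample values)
    expires: int   # expiry time, seconds


@dataclass(frozen=True)
class QuotaPolicy:
    quota: int                            # iplanet-am-session-quota-limit
    behavior: str                         # ...-constraint-resulting-behavior
    deny_login_if_db_down: bool = False   # ...-deny-login-if-db-is-down


def enforce_quota(sessions, new_session, policy, db_up=True):
    """Decide whether `new_session` may be created for a user who already
    holds `sessions`. Returns (admitted, remaining_sessions, destroyed_ids).

    `sessions` is whatever set of live sessions the enforcing server can see:
    all of the user's sessions when the repository is shared, or only this
    server's when openam.session.useLocalSessionsInMultiServerMode is true."""
    if not db_up:
        # Counting live sessions needs the session repository. With it down
        # the choice is between refusing logins and admitting without a count.
        if policy.deny_login_if_db_down:
            return False, list(sessions), []
        return True, list(sessions) + [new_session], []

    if len(sessions) < policy.quota:
        return True, list(sessions) + [new_session], []

    if policy.behavior == DENY_ACCESS:
        return False, list(sessions), []
    if policy.behavior == DESTROY_NEXT_EXPIRING:
        victims = [min(sessions, key=lambda s: s.expires)]
    elif policy.behavior == DESTROY_OLDEST_SESSION:
        victims = [min(sessions, key=lambda s: s.created)]
    elif policy.behavior == DESTROY_OLD_SESSIONS:
        victims = list(sessions)
    else:
        raise ValueError(f"unknown resulting behavior: {policy.behavior!r}")

    victim_ids = {v.sid for v in victims}
    remaining = [s for s in sessions if s.sid not in victim_ids] + [new_session]
    return True, remaining, sorted(victim_ids)


# Constructed sample: a user at quota (3) with sessions of different ages.
SAMPLE_SESSIONS = [
    Session("s-a", created=100, expires=400),
    Session("s-b", created=200, expires=300),  # expires soonest
    Session("s-c", created=50, expires=900),   # created earliest
]
NEW_SESSION = Session("s-d", created=300, expires=1000)


def demo(quota=3):
    """Run every resulting behavior against the sample and report, per
    behavior, whether the new session was admitted and which were destroyed."""
    results = {}
    for behavior in (DESTROY_NEXT_EXPIRING, DESTROY_OLDEST_SESSION,
                     DESTROY_OLD_SESSIONS, DENY_ACCESS):
        admitted, _, destroyed = enforce_quota(
            SAMPLE_SESSIONS, NEW_SESSION, QuotaPolicy(quota, behavior))
        results[behavior] = (admitted, destroyed)
    return results


if __name__ == "__main__":
    for behavior, (admitted, destroyed) in demo().items():
        print(f"{behavior:24} admitted={admitted} destroyed={destroyed}")
```

Note that the quota is only as good as the session list the server can count: when sessions are counted per server rather than against a shared repository, the effective limit multiplies by the number of servers, which is the trade-off the useLocalSessionsInMultiServerMode property describes.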
ssoadm service name:
iPlanetAMUserService
Time zone for accessing OpenAM console
ssoadm attribute:
preferredtimezone
Specifies the DN for the initial screen when the OpenAM administrator successfully logs in to the OpenAM console
ssoadm attribute:
iplanet-am-user-admin-start-dn
Inactive users cannot authenticate, though OpenAM stores their
profiles. Default: Active
ssoadm attribute:
iplanet-am-user-login-status
Under Configuration > Servers and Sites you can manage server defaults, configuration for OpenAM server instances, and site configurations when using multiple OpenAM server instances.
To change inherited settings that appear read only for a server, click Default Server Settings on the Servers and Sites tab page to access and adjust the defaults, or change the Inheritance Settings for a specific server.
After changing server configurations, restart OpenAM or the web application container where OpenAM runs for the changes to take effect.
The General tab lets you access the settings to inherit, set the site for the server, and also set system, debug, and mail server attributes.
Select the site from the list. You must first create at least one site.
OpenAM writes the configuration data and logs here.
property:
com.iplanet.services.configpath
The locale used when none is requested.
property:
com.iplanet.am.locale
The notification service endpoint.
property:
com.sun.identity.client.notification.url
If on, then OpenAM validates XML documents that it parses.
property:
com.iplanet.am.util.xml.validating
Set the log level shared across components for debug logging.
property:
com.iplanet.services.debug.level
If on, then OpenAM writes all debug log messages to a single file, debug.out. By default, OpenAM writes a debug log per component.
property:
com.iplanet.services.debug.mergeall
File system directory where OpenAM writes debug logs.
property:
com.iplanet.services.debug.directory
SMTP host name for email sent by OpenAM.
property:
com.iplanet.am.smtphost
SMTP port number for email sent by OpenAM.
property:
com.iplanet.am.smtpport
Most security settings are inherited by default.
Encryption key for decrypting stored passwords
Example: TF1Aue9c63bWTTY4mmZJeFYubJbNiSE3
property:
am.encryption.password
Shared secret for application authentication
Example: AQICQ7QMKN5TSt1fpyFZBMZ8hRwkYkkrUaFk
property:
com.iplanet.am.service.secret
Default class used to handle encryption
Default: com.iplanet.services.util.JCEEncryption
property:
com.iplanet.security.encryptor
Class used to generate secure random numbers. The default implementation uses pure Java, rather than JSS.
Default: com.iplanet.am.util.SecureRandomFactoryImpl
property:
com.iplanet.security.SecureRandomFactorImpl
Maximum content length for an HTTP request
Default: 16384
property:
com.iplanet.services.comm.server.pllrequest.maxContentLength
If yes, then OpenAM checks client IP addresses when creating and validating SSO tokens.
Default: No
property:
com.iplanet.am.clientIPCheckEnabled
Cookie name OpenAM uses to set a session handler ID during authentication.
Default: iPlanetDirectoryPro
property:
com.iplanet.am.cookie.name
If yes, then OpenAM sets the cookie in secure mode such that the browser only returns the cookie if a secure protocol such as HTTPS is used.
Default: No
property:
com.iplanet.am.cookie.secure
If yes, then OpenAM URL encodes cookie values.
Default: No
property:
com.iplanet.am.cookie.encode
Path to OpenAM key store file
Default: Path to keystore.jks, located in the directory that holds the OpenAM configuration.
Example: ~/openam/openam/keystore.jks
property:
com.sun.identity.saml.xmlsig.keystore
Path to password file for key store
Default: Path to .storepass, located in the directory that holds the OpenAM configuration.
Example: ~/openam/openam/.storepass
property:
com.sun.identity.saml.xmlsig.storepass
Path to password file for OpenAM private key
Default: Path to .keypass, located in the directory that holds the OpenAM configuration.
Example: ~/openam/openam/.keypass
property:
com.sun.identity.saml.xmlsig.keypass
Alias for OpenAM certificate stored in key store
Not set by default
property:
com.sun.identity.saml.xmlsig.certalias
Directory server host name where the certificate revocation list (CRL) is cached
Not set by default
property:
com.sun.identity.crl.cache.directory.host
Directory server port number where the certificate revocation list is cached
Not set by default
property:
com.sun.identity.crl.cache.directory.port
If yes, then connect securely when accessing the CRL cache directory server
Default: No
property:
com.sun.identity.crl.cache.directory.ssl
Bind DN to access CRL cache directory server
Not set by default
property:
com.sun.identity.crl.cache.directory.user
Bind password to access CRL cache directory server
Not set by default
property:
com.sun.identity.crl.cache.directory.password
Base DN under which to search for CRL
Not set by default
property:
com.sun.identity.crl.cache.directory.searchlocs
DN component of issuer's subject DN used to retrieve the CRL
Not set by default
property:
com.sun.identity.crl.cache.directory.searchattr
If yes, then OpenAM runs Online Certificate Status Protocol (OCSP) checks.
Default: Yes
property:
com.sun.identity.authentication.ocspCheck
URL for OCSP responder
Not set by default
property:
com.sun.identity.authentication.ocsp.responder.url
Nickname for OCSP responder certificate
Not set by default
property:
com.sun.identity.authentication.ocsp.responder.nickname
If yes, then OpenAM runs in Federal Information Processing Standards mode.
Default: No
property:
com.sun.identity.security.fipsmode
Session settings are inherited by default.
Maximum concurrent sessions OpenAM permits
property:
com.iplanet.am.session.maxSessions
Minutes after which invalid sessions are removed from the session table
property:
com.iplanet.am.session.invalidsessionmaxtime
Minutes OpenAM delays session purging
property:
com.iplanet.am.session.purgedelay
Seconds OpenAM delays between logging sessions statistics
property:
com.iplanet.am.stats.interval
Whether to write statistics to a file, to the console, or to turn recording off
property:
com.iplanet.services.stats.state
Path to statistics logs directory
property:
com.iplanet.services.stats.directory
If yes, then OpenAM performs host lookup during session logging.
property:
com.sun.am.session.enableHostLookUp
Number of threads in the notification pool
property:
com.iplanet.am.notification.threadpool.size
Maximum number of tasks in the queue for serving notification threads
property:
com.iplanet.am.notification.threadpool.threshold
If yes, then OpenAM distinguished name comparison is case insensitive.
property:
com.sun.am.session.caseInsensitiveDN
Most SDK settings are inherited.
If yes, then OpenAM uses datastore notification. Otherwise, OpenAM uses in-memory notification.
property:
com.sun.identity.sm.enableDataStoreNotification
If yes, then OpenAM accounts for the use of a directory proxy to access the directory server.
property:
com.sun.identity.sm.ldap.enableProxy
Service management notification thread pool size
property:
com.sun.identity.sm.notification.threadpool.size
Maximum number of attempts to reestablish Event Service connections
property:
com.iplanet.am.event.connection.num.retries
Milliseconds between attempts to reestablish Event Service connections
property:
com.iplanet.am.event.connection.delay.between.retries
LDAP error codes for which OpenAM retries rather than returning failure
property:
com.iplanet.am.event.connection.ldap.error.codes.retries
Minutes after which OpenAM reestablishes idle persistent search connections
property:
com.sun.am.event.connection.idle.timeout
Persistent search connections OpenAM can disable
property:
com.sun.am.event.connection.disable.list
Maximum number of attempts to reestablish LDAP connections
property:
com.iplanet.am.ldap.connection.num.retries
Milliseconds between attempts to reestablish LDAP connections
property:
com.iplanet.am.ldap.connection.delay.between.retries
LDAP error codes for which OpenAM retries rather than returning failure
property:
com.iplanet.am.ldap.connection.ldap.error.codes.retries
Cache size used if SDK caching is enabled
property:
com.iplanet.am.sdk.cache.maxSize
Maximum number of attempts to retrieve entries returned as not found
property:
com.iplanet.am.replica.num.retries
Milliseconds between attempts to retrieve entries through the SDK
property:
com.iplanet.am.replica.delay.between.retries
If no, then cache entries expire based on User Entry Expiration Time
property:
com.iplanet.am.sdk.cache.entry.expire.enabled
Minutes user entries remain valid after modification. When OpenAM accesses a user entry that has expired, it rereads the entry from the directory server.
property:
com.iplanet.am.sdk.cache.entry.user.expire.time
Minutes non-user entries remain valid after modification
property:
com.iplanet.am.sdk.cache.entry.default.expire.time
Use this tab to change connection settings and add additional LDAP configuration directory server instances.
Set the minimum number of connections in the pool.
Set the maximum number of connections in the pool.
Set the bind DN to connect to the configuration directory servers.
Set the bind password to connect to the configuration directory servers.
The Core Token Service (CTS) does not need to be configured in the same LDAP storage as the external or embedded user store. The CTS can instead be configured on its own external directory server. There are some specific requirements for indexing and replication which need to be accounted for. In particular, WAN replication is an important consideration which needs to be handled carefully for optimum performance.
You may also choose to set advanced properties related to token size, including
com.sun.identity.session.repository.enableEncryption
,
com.sun.identity.session.repository.enableCompression
, and
com.sun.identity.session.repository.enableAttributeCompression
. For more information, see the descriptions of these properties in the following section: Servers > Advanced.
If selected, CTS tokens are stored in the same external or embedded datastore as is used for the OpenAM configuration store. If you use the default token store, you can only configure the Root Suffix, which is associated with the Directory Configuration tab for individual servers.
If you use OpenDJ, you can separate the CTS from the configuration on different external servers. On the external CTS server, you can also configure token schema and indexes.
For either the default or external token stores, enter the base DN for CTS storage information in LDAP format, such as dc=cts,dc=forgerock,dc=com. The Root Suffix would be a database that can be maintained and replicated separately from the standard user datastore.
Access the directory service using StartTLS or LDAPS.
The hostname of the external server.
Specifies the TCP/IP port number used for communication to the external datastore, such as 389 for LDAP.
Specifies the user, in DN format, needed to authenticate. The user needs sufficient privileges to read and write to the root suffix of the external datastore.
Specifies the password associated with the Login Id.
Notes the maximum number of remote connections to the external datastore.
Specifies how often OpenAM should send a heartbeat request to the directory server to ensure that the connection does not remain idle, in seconds. Default: 10.
Use this page to set advanced properties directly. A partial list of advanced properties follows.
For a list of inherited advanced properties, see the table under the Advanced tab for Default Server Settings.
com.iplanet.am.cookie.c66Encode
Properly URL encode session tokens.
Default: true
com.iplanet.am.cookie.timeToLive
iplanetDirectoryPro cookie lifetime if persistent, in hours
Default: 24
com.iplanet.am.daemons
Modules for which to open daemons at OpenAM startup.
Default: securid
com.iplanet.am.directory.ssl.enabled
Whether to connect to the configuration directory server over LDAPS.
Default: false
com.iplanet.am.installdir
OpenAM Configuration and log file location.
Default: ~/openam/server-uri, such as ~/openam/openam
com.iplanet.am.jssproxy.checkSubjectAltName
When using JSS, check whether the name values in the certificate's SubjectAltName extension match the server FQDN.
Default: false
com.iplanet.am.jssproxy.resolveIPAddress
When using JSS, check that the IP address of the server resolves to the host name.
Default: false
com.iplanet.am.jssproxy.SSLTrustHostList
When using JSS, comma-separated list of server FQDNs to trust if they match the certificate CN, even if the domain name is not correct.
com.iplanet.am.jssproxy.trustAllServerCerts
When using JSS, set to true to trust whatever certificate is presented without checking. Trusting every server certificate disables server authentication on those connections, so set it to false in production and rely on the SubjectAltName and trust host checks above instead.
Default: true
com.iplanet.am.lbcookie.name
Used with sticky load balancers that can inspect the cookie value.
Default: amlbcookie
com.iplanet.am.lbcookie.value
Used with sticky load balancers that can inspect the cookie value. Set this property to a unique value if your load balancer requires it. Restart OpenAM for the change to take effect.
Default: 01
com.iplanet.am.pcookie.name
Persistent cookie name.
Default: DProPCookie
com.iplanet.am.profile.host
Not used
Default: server-host, such as openam.example.com
com.iplanet.am.profile.port
Not used
Default: server-port, such as 8080 or 8443
com.iplanet.am.session.agentSessionIdleTime
Time in minutes after which a policy agent session expires.
Default: 0, meaning never time out. Range is 0-30 (minutes).
com.iplanet.am.session.client.polling.enable
Whether client applications such as policy agents poll for configuration changes. If false, then OpenAM notifies clients about changes.
Default: false
com.iplanet.am.session.client.polling.period
If client applications poll for changes, number of seconds between polls.
Default: 180
com.iplanet.am.session.failover.cluster.stateCheck.period
Time in milliseconds between health checks of other servers in the same site.
Default: 1000
com.iplanet.am.session.failover.cluster.stateCheck.timeout
Socket timeout in milliseconds for health checks of other servers in the same site.
Default: 1000
com.iplanet.am.session.httpSession.enabled
Create an HttpSession for users on successful authentication.
Default: true
com.iplanet.security.SSLSocketFactoryImpl
SSL socket factory implementation used by OpenAM.
Default: com.sun.identity.shared.ldap.factory.JSSESocketFactory, which uses a pure Java provider
com.iplanet.services.cdc.invalidGotoStrings
Strings that OpenAM rejects as values in goto query string parameters.
Default: <,>javascript:,javascript%3a,%3c,%3e
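What the denylist above does, and the allowlist check a practitioner would layer on top of it, as an added example in Python. This is not OpenAM's code: the substring check mirrors the property's default value, while the allowlist of redirect hosts, the case folding and the repeated percent-decoding are assumed hardening steps, not behaviour the page attributes to OpenAM.

```python
"""goto redirect validation (added example, not OpenAM code)."""
from urllib.parse import unquote, urlsplit

# Default value of com.iplanet.services.cdc.invalidGotoStrings from the page,
# split into the individual strings OpenAM rejects.
INVALID_GOTO_STRINGS = "<,>javascript:,javascript%3a,%3c,%3e".split(",")


def contains_invalid_string(goto, denylist=INVALID_GOTO_STRINGS):
    """Substring denylist, the check the property configures.

    The default list carries both raw and percent-encoded spellings because
    this check runs on the value as received, before any decoding."""
    return any(bad in goto for bad in denylist)


def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded), so that a
    double-encoded payload such as %256a ("%6a", then "j") is seen in clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_allowed_goto(goto, allowed_hosts, denylist=INVALID_GOTO_STRINGS):
    """Denylist plus allowlist (the allowlist part is assumed hardening).

    Accepts a server-relative path, or an absolute http(s) URL whose host is
    in allowed_hosts. Everything else, including scheme-relative //host URLs
    and javascript: URLs in any encoding or case, is rejected."""
    if contains_invalid_string(goto, denylist):
        return False
    decoded = fully_decode(goto)
    # Browsers treat backslash as slash in http(s) URLs, so normalise before
    # parsing; then apply the denylist again, case-folded, to the clear text.
    normalised = decoded.replace("\\", "/")
    lowered = normalised.lower()
    if any(bad.lower() in lowered for bad in denylist):
        return False
    parts = urlsplit(normalised)
    if parts.scheme == "" and parts.netloc == "":
        # Server-relative: must start with exactly one slash.
        return parts.path.startswith("/") and not parts.path.startswith("//")
    if parts.scheme in ("http", "https") and parts.hostname:
        return parts.hostname.lower() in {h.lower() for h in allowed_hosts}
    return False


if __name__ == "__main__":
    # Constructed inputs: the first two are legitimate, the rest are attempts
    # to turn the goto parameter into an open redirect or script execution.
    for candidate in ("/openam/console", "https://openam.example.com/openam/",
                      "JavaScript:alert(1)", "%256a%2561vascript:x",
                      "//evil.example/", "https://evil.example/"):
        print(f"{candidate!r:40} allowed={is_allowed_goto(candidate, {'openam.example.com'})}")
```

A substring denylist on the raw value is only a first line of defence; the allowlist is what actually bounds where a user can be sent, which is why the hardened check accepts only relative paths and known hosts rather than trying to enumerate every dangerous scheme.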
com.sun.embedded.replicationport
Replication port for embedded OpenDJ directory server.
Default: 8989
com.sun.embedded.sync.servers
Whether to replicate data between embedded directory servers.
Default: on
com.sun.identity.am.cookie.check
Whether to check for cookie support in the user agent, and if not to return an error.
Default: false
com.sun.identity.appendSessionCookieInURL
Whether to append the session cookie to URL for a zero page session.
Default: true
com.sun.identity.auth.cookieName
Cookie used by the OpenAM authentication service to handle the authentication process.
Default: AMAuthCookie
com.sun.identity.authentication.client.ipAddressHeader
Set the name of the HTTP header that OpenAM can examine to learn the client IP address when requests go through a proxy or load balancer. (When requests go through an HTTP proxy or load balancer, checking the IP address on the request alone returns the address of the proxy or load balancer rather than that of the client.) OpenAM must be able to trust the proxy or load balancer to set the client IP address correctly in the header specified.
Example: com.sun.identity.authentication.client.ipAddressHeader=X-Forwarded-For
com.sun.identity.authentication.multiple.tabs.used
Whether to allow users to open many browser tabs to the login page at the same time without encountering an error.
Default: false
com.sun.identity.authentication.setCookieToAllDomains
Whether to allow multiple cookie domains.
Default: true
com.sun.identity.authentication.special.users
List of special users always authenticated against the local directory server.
Default: cn=dsameuser,ou=DSAME Users,|cn=amService-UrlAccessAgent,ou=DSAME Users,
com.sun.identity.authentication.super.user
OpenAM privileged administrator user.
Default: uid=amAdmin,ou=People,
com.sun.identity.authentication.uniqueCookieName
When cookie hijacking protection is configured, name of the cookie holding the URL to the OpenAM server that authenticated the user.
Default: sunIdentityServerAuthNServer
com.sun.identity.client.notification.url
Notification service endpoint for clients such as policy agents.
Default: server-protocol://server-host:server-port/server-uri/notificationservice, such as https://openam.example.com:8443/openam/notificationservice
com.sun.identity.common.systemtimerpool.size
Number of threads in the shared system timer pool used to schedule operations such as session timeout.
Default: 3
com.sun.identity.cookie.httponly
When set to true, mark cookies as HTTPOnly to prevent scripts and third-party programs from accessing the cookies.
Default: false
com.sun.identity.enableUniqueSSOTokenCookie
If true, then OpenAM is using protection against cookie hijacking.
Default: false
com.sun.identity.jss.donotInstallAtHighestPriority
Whether JSS should take priority over other providers.
Default: true
com.sun.identity.monitoring
Whether monitoring is active for OpenAM.
Default: off
com.sun.identity.monitoring.local.conn.server.url
URL for local connection to the monitoring service.
Default: service:jmx:rmi://
com.sun.identity.password.deploymentDescriptor
Internal property used by OpenAM.
Default: server-uri, such as openam
com.sun.identity.policy.Policy.policy_evaluation_weights
Weights of the cost of evaluating policy subjects, rules, and conditions. Evaluation is in order of heaviest weight to lightest weight.
Default: 10:10:10, meaning evaluation of rules, then conditions, then subjects
com.sun.identity.policy.resultsCacheMaxSize
Maximum number of policy decisions OpenAM caches.
Default: 10000
com.sun.identity.server.fqdnMap
Enables virtual hosts, partial hostname and IP address. Maps invalid or virtual name keys to valid FQDN values for proper redirection.
To map myserver to myserver.example.com, set com.sun.identity.server.fqdnMap[myserver]=myserver.example.com.
com.sun.identity.session.repository.enableEncryption
Enables tokens to be encrypted when stored.
Multi-instance deployments require consistent use of this property, which should be set under Servers and Sites > Default Server Settings > Advanced. The am.encryption.pwd property must also be the same for all deployed instances. The am.encryption.pwd property is under Servers and Sites > Server > Security > Password Encryption Key. Verify that all servers have the same setting for this property as the default server.
Default: false
com.sun.identity.urlchecker.dorequest
Whether to perform an HTTP GET on com.sun.identity.urlchecker.targeturl as a health check against another server in the same site. If false, then OpenAM only checks the Socket connection, and does not perform an HTTP GET.
If each OpenAM server runs behind a reverse proxy, then setting this property to true means the health check actually runs against the OpenAM instance, rather than checking only the Socket to the reverse proxy.
Default: false
com.sun.identity.urlchecker.targeturl
URL to monitor when com.sun.identity.urlchecker.dorequest is set to true.
Default: URL to the /openam/namingservice endpoint on the remote server
com.sun.identity.security.checkcaller
Whether to perform a Java security permissions check for OpenAM.
Default: false
com.sun.identity.session.repository.enableEncryption
For CTS token encryption, if desired.
Default: false
com.sun.identity.session.repository.enableCompression
For GZip-based compression of CTS tokens, if desired.
Default: false
com.sun.identity.session.repository.enableAttributeCompression
For additional compression of CTS token JSON binaries, beyond GZip, if desired.
Default: false
com.sun.identity.sm.cache.ttl
When service configuration caching time-to-live is enabled, this sets the time to live in minutes.
Default: 30
com.sun.identity.sm.cache.ttl.enable
If service configuration caching is enabled, whether to enable a time-to-live for cached configuration.
Default: false
com.sun.identity.sm.flatfile.root_dir
File system directory to hold file-based representation of OpenAM configuration.
Default: ~/openam/server-uri/sms, such as ~/openam/openam/sms
com.sun.identity.sm.sms_object_class_name
Class used to read and write OpenAM service configuration entries in the directory.
Default: com.sun.identity.sm.ldap.SMSEmbeddedLdapObject
com.sun.identity.url.readTimeout
Used to set the read timeout in milliseconds for HTTP and HTTPS connections to other servers.
Default: 30000
com.sun.identity.urlchecker.dorequest
Allows the OpenAM ClusterStateService to work with HTTPS endpoints.
Default: true
com.sun.identity.urlconnection.useCache
Whether to cache documents for HTTP and HTTPS connections to other servers.
Default: false
com.sun.identity.webcontainer
Name of the web container to correctly set character encoding, if necessary.
Default: WEB_CONTAINER
console.privileged.users
Used to assign privileged console access to particular users. Set to a | separated list of users' Universal IDs, such as console.privileged.users=uid=demo,ou=user,|uid=demo2,ou=user,.
openam.auth.destroy_session_after_upgrade
Whether to destroy the old session after a session is successfully upgraded.
Default: true
openam.auth.distAuthCookieName
Cookie used by the OpenAM distributed authentication service to handle the authentication process.
Default: AMDistAuthCookie
openam.auth.session_property_upgrader
Class that controls which session properties are copied during session upgrade, where default is to copy all properties to the upgraded session.
Default: org.forgerock.openam.authentication.service.DefaultSessionPropertyUpgrader
openam.auth.version.header.enabled
Whether to send the X-DSAMEVersion HTTP header, which provides detailed information about the version of OpenAM currently running on the system, including the build and date/time of the build. OpenAM must be restarted once this property is enabled. Because the header discloses exact version details to every client, leave it disabled unless you need it.
Default: false
openam.authentication.ignore_goto_during_logout
Whether to ignore the goto query string parameter on logout, instead displaying the logout page.
Default: false
openam.cdm.default.charset
Character set used for globalization.
Default: UTF-8
openam.forbidden.to.copy.headers
Comma-separated list of HTTP headers not to copy when the distributed authentication server forwards a request to another distributed authentication server.
Default: connection
openam.forbidden.to.copy.request.headers
Comma-separated list of HTTP headers not to copy when the distributed authentication server forwards a request to another distributed authentication server.
Default: connection
openam.retained.http.headers
Comma-separated list of HTTP headers to copy to the forwarded response when the server forwards a request to another server.
Requests are forwarded when the server receiving the request is not the server that originally initiated authentication. The server that originally initiated authentication is identified by a cookie.
When the distributed authentication service (DAS) is in use, then the cookie is the AMDistAuthCookie that identifies the DAS server by its URL.
When authentication is done directly on OpenAM, then the cookie is the AMAuthCookie that holds a session ID that identifies the OpenAM server.
On subsequent requests the server receiving the request checks the cookie. If the cookie identifies another server, the current server forwards the request to that server.
If a header such as Cache-Control has been included in the list of values for the property openam.retained.http.request.headers and the header must also be copied to the response, then add it to the list of values for this property.
Example: openam.retained.http.headers=X-DSAMEVersion,Cache-Control
Default: X-DSAMEVersion
openam.retained.http.request.headers
Comma-separated list of HTTP headers to copy to the forwarded request when the server forwards a request to another server.
Requests are forwarded when the server receiving the request is not the server that originally initiated authentication. The server that originally initiated authentication is identified by a cookie.
When the distributed authentication service (DAS) is in use, then the cookie is the AMDistAuthCookie that identifies the DAS server by its URL.
When authentication is done directly on OpenAM, then the cookie is the AMAuthCookie that holds a session ID that identifies the OpenAM server.
On subsequent requests the server receiving the request checks the cookie. If the cookie identifies another server, the current server forwards the request to that server.
When configuring the distributed authentication service, or when a reverse proxy is set up to provide the client IP address in the X-Forwarded-For header, if your deployment includes multiple OpenAM servers, then this property must be set to include the header.
Example: openam.retained.http.request.headers=X-DSAMEVersion,X-Forwarded-For
OpenAM copies the header when forwarding a request to the authoritative server where the client originally began the authentication process, so that the authoritative OpenAM server receiving the forwarded request can determine the real client IP address.
In order to retain headers to return in the response to the OpenAM server that forwarded the request, use the property openam.retained.http.headers.
Default: X-DSAMEVersion
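The com.sun.identity.authentication.client.ipAddressHeader entry above says OpenAM must be able to trust the proxy that sets the header, and the two retained-header properties explain why the header has to survive a hop between OpenAM servers. The following Python function shows how that trust decision is made in practice. It is an added example, not OpenAM's code: the remote_addr, headers and trusted_proxies parameters and the sample addresses are constructed for illustration.

```python
"""Client IP from a forwarding header, trusted-proxy aware
(added example, not OpenAM code)."""
import ipaddress


def client_ip(remote_addr, headers, trusted_proxies, header_name="X-Forwarded-For"):
    """Return the client address, honouring the forwarding header only when
    the immediate peer is a trusted proxy.

    remote_addr:     the peer address reported by the socket
    headers:         dict of request headers (name lookup is case-insensitive)
    trusted_proxies: addresses or CIDR blocks of the load balancers, reverse
                     proxies and other OpenAM servers that are known to append
                     their peer's address to header_name when forwarding
    """
    trusted_nets = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def is_trusted(addr):
        return any(addr in net for net in trusted_nets)

    try:
        peer = ipaddress.ip_address(remote_addr)
    except ValueError:
        return remote_addr
    if not is_trusted(peer):
        # Nothing we trust wrote this header; the client could have sent it
        # directly. The socket address is the only reliable value.
        return remote_addr

    raw = next((v for k, v in headers.items() if k.lower() == header_name.lower()), None)
    if not raw:
        return remote_addr

    # Each proxy appends its peer, so the list reads: client, proxy1, proxy2...
    # Walk from the right: the first hop that is not a trusted proxy is the
    # address the last trusted hop actually saw. Anything further left may
    # have been supplied by the client itself and is ignored.
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed entry: do not guess
        if not is_trusted(addr):
            return str(addr)
    # Every listed hop is a trusted proxy: the request originated inside the
    # proxy tier itself, so report the peer.
    return remote_addr


if __name__ == "__main__":
    # Constructed sample: a load balancer (10.0.0.5) fronting OpenAM, with a
    # client that tried to inject its own X-Forwarded-For value.
    trusted = ["10.0.0.0/8"]
    forged = {"X-Forwarded-For": "1.2.3.4, 203.0.113.7"}
    print(client_ip("10.0.0.5", forged, trusted))          # 203.0.113.7
    print(client_ip("198.51.100.2", forged, trusted))      # 198.51.100.2
```

When server A forwards an authentication request to the authoritative server B, B's socket peer is A, so A must be in trusted_proxies and must pass the header through unchanged; that pass-through is what adding X-Forwarded-For to openam.retained.http.request.headers provides. With com.iplanet.am.clientIPCheckEnabled turned on, getting this wrong either breaks legitimate sessions behind the proxy or lets a client choose the address that is bound to its token.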
openam.session.allow_persist_am_cookie
If true, users can extend the lifetime of the iplanetDirectoryPro cookie to com.iplanet.am.cookie.timeToLive on a per-session basis, by using the query string parameter openam.session.persist_am_cookie=Yes.
openam.session.case.sensitive.uuid
Whether universal user IDs are considered case sensitive when matching them.
Default: false
openam.session.persist_am_cookie
If true, extend the lifetime of the iplanetDirectoryPro cookie to com.iplanet.am.cookie.timeToLive.
Default: false
openam.session.useLocalSessionsInMultiServerMode
This property is for use in multi-server deployments where session failover is not available. If true, calculate session quotas per server. In other words, if the session quota is 5 sessions and users can access up to 4 servers, they can have a maximum of 20 (5 * 4) sessions.
Default: false
opensso.protocol.handler.pkgs
If the web application container sets java.protocol.handler.pkgs, then set this property to com.sun.identity.protocol.
org.forgerock.embedded.dsadminport
Administration port for embedded OpenDJ directory server.
Default: 4444
org.forgerock.openam.authentication.accountExpire.days
Days until account expiration set after successful authentication by the account expiration post authentication plugin.
Default: 30
securidHelper.ports
Port on which SecurID daemon listens.
Default: 58943
ssoadm.disabled
Set to false to enable ssoadm.jsp.
Default: true
Sites involve multiple OpenAM servers working together to provide services. You can use sites with load balancers and session failover to configure pools of servers capable of responding to client requests in highly available fashion.
Set the primary entry point to the site, such as the URL to the load balancer for the site configuration.
Set alternate entry points to the site. Used when session failover is configured.
Shows the list of OpenAM servers in the site.