OpenAM includes default settings to make it easier for you to evaluate the software. Avoid these default settings in production deployments.

- When connecting to LDAP, bind with a specific administrative account rather than a root DN account if possible.
- Change the default iPlanetDirectoryPro cookie name both in OpenAM (com.iplanet.am.cookie.name) and in your policy agent profiles (com.sun.identity.agents.config.cookie.name).
- When installing OpenAM, do not use /openam or /opensso as the deployment URI.
- Set valid goto URL domains for OpenAM in the core authentication module configuration. The parameter is described in the section providing Hints For the Core Authentication Module (iplanet-am-auth-valid-goto-domains).
- Create an administrator in the top-level realm with a different ID than the default amadmin.
- Create specific administrator users to track better who makes configuration changes.
- Set the OpenAM advanced property openam.auth.soap.rest.generic.authentication.exception to true. This causes OpenAM to return the same exception both when the user does not exist and when the password is not valid, so the response does not reveal which accounts exist.
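The checklist above can be turned into a simple audit. The following is an added example, not OpenAM's own code: it takes a flat dictionary of the settings named on this page (the property and attribute names are the page's; the sample values and the dictionary layout are constructed, since OpenAM stores these in its configuration store rather than in one file), plus the deployment URI and the list of top-level realm administrator IDs, and reports every default that is still in place.

```python
"""Audit OpenAM settings against the evaluation defaults this page says to change.

Added example (not part of OpenAM). The settings dict is a constructed,
flattened view of server properties, agent profile properties and the core
authentication module attribute; gather the real values with your usual
administration tooling before running the check.
"""

# Default values named on the page.
DEFAULT_COOKIE = "iPlanetDirectoryPro"
DEFAULT_URIS = {"/openam", "/opensso"}
DEFAULT_ADMIN = "amadmin"

SERVER_COOKIE = "com.iplanet.am.cookie.name"
AGENT_COOKIE = "com.sun.identity.agents.config.cookie.name"
GOTO_DOMAINS = "iplanet-am-auth-valid-goto-domains"
GENERIC_EXCEPTION = "openam.auth.soap.rest.generic.authentication.exception"


def audit_openam_defaults(settings, deployment_uri, admin_ids):
    """Return a list of findings; an empty list means no checked default remains."""
    findings = []
    server_cookie = settings.get(SERVER_COOKIE, DEFAULT_COOKIE)
    agent_cookie = settings.get(AGENT_COOKIE, DEFAULT_COOKIE)
    if server_cookie == DEFAULT_COOKIE:
        findings.append("OpenAM still uses the default session cookie name")
    if agent_cookie == DEFAULT_COOKIE:
        findings.append("policy agent profile still uses the default cookie name")
    if server_cookie != agent_cookie:
        # Renaming on only one side breaks the agent, so flag the mismatch too.
        findings.append("server and agent cookie names differ")
    if deployment_uri.rstrip("/") in DEFAULT_URIS:
        findings.append("deployment URI is a default (%s)" % deployment_uri)
    if not settings.get(GOTO_DOMAINS, "").strip():
        findings.append("no valid goto URL domains configured")
    if settings.get(GENERIC_EXCEPTION, "false").strip().lower() != "true":
        findings.append("generic authentication exception is not enabled")
    if not any(a != DEFAULT_ADMIN for a in admin_ids):
        findings.append("only the default amadmin administrator exists")
    return findings


# Constructed sample inputs: a fresh evaluation install and a hardened one.
EVALUATION_SETTINGS = {SERVER_COOKIE: "iPlanetDirectoryPro", AGENT_COOKIE: "iPlanetDirectoryPro",
                       GOTO_DOMAINS: "", GENERIC_EXCEPTION: "false"}
HARDENED_SETTINGS = {SERVER_COOKIE: "ssoSession", AGENT_COOKIE: "ssoSession",
                     GOTO_DOMAINS: "example.com", GENERIC_EXCEPTION: "true"}

if __name__ == "__main__":
    for f in audit_openam_defaults(EVALUATION_SETTINGS, "/openam", ["amadmin"]):
        print("FINDING:", f)
```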

