6.5.6. Configuring Web Policy Agent Advanced Properties

This section covers advanced web agent properties. After creating the agent profile, you access these properties in the OpenAM console under Access Control > Realm Name > Agents > Web > Agent Name > Advanced.

Client Identification properties

If the agent is behind a proxy or load balancer, then the agent can get client IP and host name values from the proxy or load balancer. For proxies and load balancer that support providing the client IP and host name in HTTP headers, you can use the following properties.

When multiple proxies are load balancers sit in the request path, the header values can include a comma-separated list of values with the first value representing the client, as in client,next-proxy,first-proxy.

Client IP Address Header

HTTP header name that holds the IP address of the client.

Property: com.sun.identity.agents.config.client.ip.header

Client Hostname Header

HTTP header name that holds the hostname of the client.

Property: com.sun.identity.agents.config.client.hostname.header

Load Balancer properties

Load Balancer Setup

Enable if a load balancer is used for OpenAM services.

Property: com.sun.identity.agents.config.load.balancer.enable

Hot swap: no

Override Request URL Protocol

Enable if the agent is sitting behind a SSL/TLS off-loader, load balancer, or proxy such that the protocol users use is different from the protocol the agent uses. When enabled, the protocol is overridden with the value from the Agent Deployment URI Prefix (property: com.sun.identity.agents.config.agenturi.prefix).

Property: com.sun.identity.agents.config.override.protocol

Override Request URL Host

Enable if the agent is sitting behind a SSL/TLS off-loader, load balancer, or proxy such that the host name users use is different from the host name the agent uses. When enabled, the host is overridden with the value from the Agent Deployment URI Prefix (property: com.sun.identity.agents.config.agenturi.prefix).

Property: com.sun.identity.agents.config.override.host

Override Request URL Port

Enable if the agent is sitting behind a SSL/TLS off-loader, load balancer, or proxy such that the port users use is different from the port the agent uses. When enabled, the port is overridden with the value from the Agent Deployment URI Prefix (property: com.sun.identity.agents.config.agenturi.prefix).

Property: com.sun.identity.agents.config.override.port

Override Notification URL

Enable if the agent is sitting behind a SSL/TLS off-loader, load balancer, or proxy such that the URL users use is different from the URL the agent uses. When enabled, the URL is overridden with the value from the Agent Deployment URI Prefix (property: com.sun.identity.agents.config.agenturi.prefix).

Property: com.sun.identity.agents.config.override.notification.url

Post Data Preservation properties

POST Data Preservation

Enables HTTP POST data preservation. This feature is available in the Apache 2.2, Microsoft IIS 6, Microsoft IIS 7, and Sun Java System Web Server web policy agents as of version 3.0.3.

Property: com.sun.identity.agents.config.postdata.preserve.enable

POST Data Entries Cache Period

POST cache entry lifetime in minutes. Default: 10.

Property: com.sun.identity.agents.config.postcache.entry.lifetime

POST Data Preservation Cookie Name (Not yet in OpenAM Console)

When HTTP POST data preservation is enabled, override properties are set to true, and the agent is behind a load balancer, then this property sets the name and value of the sticky cookie to use.

Property: com.sun.identity.agents.config.postdata.preserve.lbcookie

Post Data Preservation URI Prefix (Not yet in OpenAM Console)

If you run multiple web servers with policy agents behind a load balancer that directs traffic based on the request URI, and you need to preserve POST data, then set this property.

By default, policy agents use a dummy URL for POST data preservation, http://agent.host:port/dummypost/sunpostpreserve, to handle POST data across redirects to and from OpenAM. When you set this property, the policy agent prefixes the property value to the dummy URL path. In other words, when you set com.forgerock.agents.config.pdpuri.prefix = app1, the policy agent uses the dummy URL, http://agent.host:port/app1/dummypost/sunpostpreserve.

Next, use the prefix you set when you define load balancer URI rules. This ensures that clients end up being redirected to the policy agent that preserved the POST data.

Property: com.forgerock.agents.config.pdpuri.prefix

Sun Java System Proxy Server properties

Override Proxy Server's Host and Port

When enabled ignore the host and port settings.

Property: com.sun.identity.agents.config.proxy.override.host.port

Hot swap: no

Microsoft IIS Server properties

Authentication Type

The agent should normally perform authentication, so this is not required. If necessary, set to none.

Property: com.sun.identity.agents.config.iis.auth.type

Hot swap: no

Replay Password Key

DES key for decrypting the basic authentication password in the session.

Property: com.sun.identity.agents.config.replaypasswd.key

Filter Priority

The loading priority of filter, DEFAULT, HIGH, LOW, or MEDIUM.

Property: com.sun.identity.agents.config.iis.filter.priority

Filter configured with OWA

Enable if the IIS agent filter is configured for OWA.

Property: com.sun.identity.agents.config.iis.owa.enable

Change URL Protocol to https

Enable to avoid IE6 security pop-ups.

Property: com.sun.identity.agents.config.iis.owa.enable.change.protocol

Idle Session Timeout Page URL

URL of the local idle session timeout page.

Property: com.sun.identity.agents.config.iis.owa.enable.session.timeout.url

IBM Lotus Domino Server properties

Check User in Domino Database

When enabled, the agent checks whether the user exists in the Domino name database.

Property: com.sun.identity.agents.config.domino.check.name.database

Use LTPA token

Enable if the agent needs to use LTPA Token.

Property: com.sun.identity.agents.config.domino.ltpa.enable

LTPA Token Cookie Name

The name of the cookie that contains the LTPA token.

Property: com.sun.identity.agents.config.domino.ltpa.cookie.name

LTPA Token Configuration Name

The configuration name that the agent uses in order to employ the LTPA token mechanism.

Property: com.sun.identity.agents.config.domino.ltpa.config.name

LTPA Token Organization Name

The organization name to which the LTPA token belongs.

Property: com.sun.identity.agents.config.domino.ltpa.org.name

Custom properties

Custom Properties

Additional properties to augment the set of properties supported by agent. Such properties take the following forms.

  • customproperty=custom-value1

  • customlist[0]=customlist-value-0

  • customlist[1]=customlist-value-1

  • custommap[key1]=custommap-value-1

  • custommap[key2]=custommap-value-2

Property: com.sun.identity.agents.config.freeformproperties