Under Configuration > Servers and Sites you can manage server defaults, configuration for OpenAM server instances, and site configurations when using multiple OpenAM server instances.
To change inherited settings that appear read only for a server, click Default Server Settings on the Servers and Sites tab page to access and adjust the defaults, or change the Inheritance Settings for a specific server.
After changing server configurations, restart OpenAM or the web application container where OpenAM runs for the changes to take effect.
Servers > General
The General tab lets you access the settings to inherit, set the site for the server, and also set system, debug, and mail server attributes.
- Parent Site
  Select the site from the list. You must first create at least one site.
- Base installation directory
  OpenAM writes the configuration data and logs here.
  property: com.iplanet.services.configpath
- Default Locale
  The locale used when none is requested.
  property: com.iplanet.am.locale
- Notification URL
  The notification service endpoint.
  property: com.sun.identity.client.notification.url
- XML Validation
  If on, then OpenAM validates XML documents that it parses.
  property: com.iplanet.am.util.xml.validating
- Debug Level
  Set the log level shared across components for debug logging.
  property: com.iplanet.services.debug.level
- Merge Debug Files
  If on, then OpenAM writes all debug log messages to a single file, debug.out. By default, OpenAM writes a debug log per component.
  property: com.iplanet.services.debug.mergeall
- Debug Directory
  File system directory where OpenAM writes debug logs.
  property: com.iplanet.services.debug.directory
- Mail Server Host Name
  SMTP host name for email sent by OpenAM.
  property: com.iplanet.am.smtphost
- Mail Server Port Number
  SMTP port number for email sent by OpenAM.
  property: com.iplanet.am.smtpport
Servers > Security
Most security settings are inherited by default.
- Password Encryption Key
  Encryption key for decrypting stored passwords.
  Example: TF1Aue9c63bWTTY4mmZJeFYubJbNiSE3
  property: am.encryption.password
- Authentication Service Shared Secret
  Shared secret for application authentication.
  Example: AQICQ7QMKN5TSt1fpyFZBMZ8hRwkYkkrUaFk
  property: com.iplanet.am.service.secret
- Encryption class
  Default class used to handle encryption.
  Default: com.iplanet.services.util.JCEEncryption
  property: com.iplanet.security.encryptor
- Secure Random Factory Class
  The default implementation uses pure Java, rather than JSS.
  Default: com.iplanet.am.util.SecureRandomFactoryImpl
  property: com.iplanet.security.SecureRandomFactorImpl
- Platform Low Level Comm. Max. Content Length
  Maximum content length for an HTTP request.
  Default: 16384
  property: com.iplanet.services.comm.server.pllrequest.maxContentLength
- Client IP Address Check
  If yes, then OpenAM checks client IP addresses when creating and validating SSO tokens.
  Default: No
  property: com.iplanet.am.clientIPCheckEnabled
- Cookie Name
  Cookie name OpenAM uses to set a session handler ID during authentication.
  Default: iPlanetDirectoryPro
  property: com.iplanet.am.cookie.name
- Secure Cookie
  If yes, then OpenAM sets the cookie in secure mode such that the browser only returns the cookie if a secure protocol such as HTTPS is used.
  Default: No
  property: com.iplanet.am.cookie.secure
- Encode Cookie Value
  If yes, then OpenAM URL encodes cookie values.
  Default: No
  property: com.iplanet.am.cookie.encode
- Keystore File
  Path to OpenAM key store file.
  Default: Path to keystore.jks, located in the directory that holds the OpenAM configuration.
  Example: ~/openam/openam/keystore.jks
  property: com.sun.identity.saml.xmlsig.keystore
- Keystore Password File
  Path to password file for key store.
  Default: Path to .storepass, located in the directory that holds the OpenAM configuration.
  Example: ~/openam/openam/.storepass
  property: com.sun.identity.saml.xmlsig.storepass
- Private Key Password File
  Path to password file for OpenAM private key.
  Default: Path to .keypass, located in the directory that holds the OpenAM configuration.
  Example: ~/openam/openam/.keypass
  property: com.sun.identity.saml.xmlsig.keypass
- Certificate Alias
  Alias for OpenAM certificate stored in key store.
  Not set by default.
  property: com.sun.identity.saml.xmlsig.certalias
- CRL: LDAP server host name
  Directory server host name where the certificate revocation list (CRL) is cached.
  Not set by default.
  property: com.sun.identity.crl.cache.directory.host
- CRL: LDAP server port number
  Directory server port number where the certificate revocation list is cached.
  Not set by default.
  property: com.sun.identity.crl.cache.directory.port
- CRL: SSL/TLS Enabled
  If yes, then connect securely when accessing the CRL cache directory server.
  Default: No
  property: com.sun.identity.crl.cache.directory.ssl
- CRL: LDAP server bind user name
  Bind DN to access the CRL cache directory server.
  Not set by default.
  property: com.sun.identity.crl.cache.directory.user
- CRL: LDAP server bind password
  Bind password to access the CRL cache directory server.
  Not set by default.
  property: com.sun.identity.crl.cache.directory.password
- CRL: LDAP search base DN
  Base DN under which to search for the CRL.
  Not set by default.
  property: com.sun.identity.crl.cache.directory.searchlocs
- CRL: Search Attributes
  DN component of the issuer's subject DN used to retrieve the CRL.
  Not set by default.
  property: com.sun.identity.crl.cache.directory.searchattr
- OCSP: Check Enabled
  If yes, then OpenAM runs Online Certificate Status Protocol (OCSP) checks.
  Default: Yes
  property: com.sun.identity.authentication.ocspCheck
- Responder URL
  URL for the OCSP responder.
  Not set by default.
  property: com.sun.identity.authentication.ocsp.responder.url
- Certificate Nickname
  Nickname for the OCSP responder certificate.
  Not set by default.
  property: com.sun.identity.authentication.ocsp.responder.nickname
- FIPS Mode
  If yes, then OpenAM runs in Federal Information Processing Standards mode.
  Default: No
  property: com.sun.identity.security.fipsmode
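A small audit of the settings above, added here as an example and not part of OpenAM itself. It parses a constructed AMConfig-style properties text, checks the Secure Cookie, Client IP Address Check and OCSP settings, and verifies that the key store password files named by com.sun.identity.saml.xmlsig.storepass and .keypass are readable only by their owner; the password files and all property values are constructed in a temporary directory so the script runs offline.

```python
# Added example, not OpenAM code. All values and files below are constructed.
import os
import stat
import tempfile


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def is_true(value, default=False):
    """OpenAM booleans appear as true/false or yes/no depending on the property."""
    if value is None:
        return default
    return value.strip().lower() in ("true", "yes", "on")


def audit_password_file(path):
    """Key store password files must exist and be readable by the owner only."""
    if not os.path.isfile(path):
        return ["%s: password file missing" % path]
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["%s: readable by group or other (mode %o)" % (path, mode)]
    return []


def audit_security(props):
    """Return a list of findings (empty when nothing needs attention)."""
    findings = []
    if not is_true(props.get("com.iplanet.am.cookie.secure")):
        findings.append("com.iplanet.am.cookie.secure is not yes: the session "
                        "cookie can be returned by the browser over plain HTTP")
    if not is_true(props.get("com.iplanet.am.clientIPCheckEnabled")):
        findings.append("com.iplanet.am.clientIPCheckEnabled is not yes: SSO "
                        "tokens are not checked against the client IP address")
    # OCSP checking defaults to Yes, so only an explicit No is a finding.
    if not is_true(props.get("com.sun.identity.authentication.ocspCheck"), True):
        findings.append("com.sun.identity.authentication.ocspCheck is off: "
                        "revoked certificates are not detected")
    for key in ("com.sun.identity.saml.xmlsig.storepass",
                "com.sun.identity.saml.xmlsig.keypass"):
        if props.get(key):
            findings.extend(audit_password_file(props[key]))
    return findings


def build_sample(tmpdir):
    """Constructed server properties; .storepass is deliberately world-readable."""
    storepass = os.path.join(tmpdir, ".storepass")
    keypass = os.path.join(tmpdir, ".keypass")
    for path, mode in ((storepass, 0o644), (keypass, 0o600)):
        with open(path, "w") as fh:
            fh.write("changeit\n")  # constructed placeholder, not a real secret
        os.chmod(path, mode)
    return "\n".join([
        "# constructed sample, not a real deployment",
        "com.iplanet.am.cookie.name=iPlanetDirectoryPro",
        "com.iplanet.am.cookie.secure=no",
        "com.iplanet.am.clientIPCheckEnabled=yes",
        "com.sun.identity.authentication.ocspCheck=yes",
        "com.sun.identity.saml.xmlsig.storepass=%s" % storepass,
        "com.sun.identity.saml.xmlsig.keypass=%s" % keypass,
    ])


def run_audit():
    """Build the sample deployment, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmpdir:
        return audit_security(parse_properties(build_sample(tmpdir)))


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```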
Servers > Session
Session settings are inherited by default.
- Maximum Sessions
  Maximum concurrent sessions OpenAM permits.
  property: com.iplanet.am.session.maxSessions
- Invalidate Session Max Time
  Minutes after which invalid sessions are removed from the session table.
  property: com.iplanet.am.session.invalidsessionmaxtime
- Sessions Purge Delay
  Minutes OpenAM delays session purging.
  property: com.iplanet.am.session.purgedelay
- Logging Interval
  Seconds OpenAM delays between logging session statistics.
  property: com.iplanet.am.stats.interval
- State
  Whether to write statistics to a file, to the console, or to turn recording off.
  property: com.iplanet.services.stats.state
- Directory
  Path to statistics logs directory.
  property: com.iplanet.services.stats.directory
- Enable Host Lookup
  If yes, then OpenAM performs host lookup during session logging.
  property: com.sun.am.session.enableHostLookUp
- Notification Pool Size
  Number of threads in the notification pool.
  property: com.iplanet.am.notification.threadpool.size
- Notification Thread Pool Threshold
  Maximum number of tasks in the queue for serving notification threads.
  property: com.iplanet.am.notification.threadpool.threshold
- Case Insensitive client DN comparison
  If yes, then OpenAM distinguished name comparison is case insensitive.
  property: com.sun.am.session.caseInsensitiveDN
Servers > SDK
Most SDK settings are inherited.
- Enable Datastore Notification
  If yes, then OpenAM uses datastore notification. Otherwise, OpenAM uses in-memory notification.
  property: com.sun.identity.sm.enableDataStoreNotification
- Enable Directory Proxy
  If yes, then OpenAM accounts for the use of a directory proxy to access the directory server.
  property: com.sun.identity.sm.ldap.enableProxy
- Notification Pool Size
  Service management notification thread pool size.
  property: com.sun.identity.sm.notification.threadpool.size
- Number of retries for Event Service connections
  Maximum number of attempts to reestablish Event Service connections.
  property: com.iplanet.am.event.connection.num.retries
- Delay between Event Service connection retries
  Milliseconds between attempts to reestablish Event Service connections.
  property: com.iplanet.am.event.connection.delay.between.retries
- Error codes for Event Service connection retries
  LDAP error codes for which OpenAM retries rather than returning failure.
  property: com.iplanet.am.event.connection.ldap.error.codes.retries
- Idle Time Out
  Minutes after which OpenAM reestablishes idle persistent search connections.
  property: com.sun.am.event.connection.idle.timeout
- Disabled Event Service Connection
  Persistent search connections OpenAM can disable.
  property: com.sun.am.event.connection.disable.list
- Number of retries for LDAP Connection
  Maximum number of attempts to reestablish LDAP connections.
  property: com.iplanet.am.ldap.connection.num.retries
- Delay between LDAP connection retries
  Milliseconds between attempts to reestablish LDAP connections.
  property: com.iplanet.am.ldap.connection.delay.between.retries
- Error Codes for LDAP connection retries
  LDAP error codes for which OpenAM retries rather than returning failure.
  property: com.iplanet.am.ldap.connection.ldap.error.codes.retries
- SDK Caching Max. Size
  Cache size used if SDK caching is enabled.
  property: com.iplanet.am.sdk.cache.maxSize
- SDK Replica Retries
  Maximum number of attempts to retrieve entries returned as not found.
  property: com.iplanet.am.replica.num.retries
- Delay between SDK Replica Retries
  Milliseconds between attempts to retrieve entries through the SDK.
  property: com.iplanet.am.replica.delay.between.retries
- Cache Entry Expiration Enabled
  If no, then cache entries expire based on User Entry Expiration Time.
  property: com.iplanet.am.sdk.cache.entry.expire.enabled
- User Entry Expiration Time
  Minutes user entries remain valid after modification. When OpenAM accesses a user entry that has expired, it rereads the entry from the directory server.
  property: com.iplanet.am.sdk.cache.entry.user.expire.time
- Default Entry Expiration Time
  Minutes non-user entries remain valid after modification.
  property: com.iplanet.am.sdk.cache.entry.default.expire.time
Servers > Directory Configuration
Use this tab to change connection settings and add additional LDAP configuration directory server instances.
- Minimum Connection Pool
  Set the minimum number of connections in the pool.
- Maximum Connection Pool
  Set the maximum number of connections in the pool.
- Bind DN
  Set the bind DN to connect to the configuration directory servers.
- Bind Password
  Set the bind password to connect to the configuration directory servers.
Servers > CTS
The Core Token Service (CTS) does not need to be configured in the same LDAP storage as the external or embedded user store. The CTS can instead be configured on its own external directory server. There are some specific requirements for indexing and replication which need to be accounted for. In particular, WAN replication is an important consideration which needs to be handled carefully for optimum performance.
You may also choose to set advanced properties related to token size, including com.sun.identity.session.repository.enableEncryption, com.sun.identity.session.repository.enableCompression, and com.sun.identity.session.repository.enableAttributeCompression. For more information, see these properties in the following section, Servers > Advanced.
- Default Token Store
  If selected, CTS tokens are stored in the same external or embedded datastore that is used as the OpenAM configuration store. If you use the default token store, you can only configure the Root Suffix, which is associated with the Directory Configuration tab of the individual servers.
- External Token Store
  If you use OpenDJ, you can separate the CTS from the configuration on different external servers. On the external CTS server, you can also configure token schema and indexes.
- Root Suffix
  For either the default or external token store, enter the base DN for CTS storage information in LDAP format, such as dc=cts,dc=forgerock,dc=com. The Root Suffix would be a database that can be maintained and replicated separately from the standard user datastore.
- SSL/TLS Enabled
  Access the directory service using StartTLS or LDAPS.
- Directory Name
  The hostname of the external server.
- Port
  Specifies the TCP/IP port number used for communication to the external datastore, such as 389 for LDAP.
- Login Id
  Specifies the user, in DN format, needed to authenticate. The user needs sufficient privileges to read and write to the root suffix of the external datastore.
- Password
  Specifies the password associated with the Login Id.
- Max Connections
  Notes the maximum number of remote connections to the external datastore.
- Heartbeat
  Specifies how often, in seconds, OpenAM should send a heartbeat request to the directory server to ensure that the connection does not remain idle. Default: 10.
Servers > Advanced
Use this page to set advanced properties directly. A partial list of advanced properties follows.
For a list of inherited advanced properties, see the table under the Advanced tab for Default Server Settings.
com.iplanet.am.cookie.c66Encode
  Properly URL encode session tokens.
  Default: true
com.iplanet.am.cookie.timeToLive
  iplanetDirectoryPro cookie lifetime if persistent, in hours.
  Default: 24
com.iplanet.am.daemons
  Modules for which to open daemons at OpenAM startup.
  Default: securid
com.iplanet.am.directory.ssl.enabled
  Whether to connect to the configuration directory server over LDAPS.
  Default: false
com.iplanet.am.installdir
  OpenAM configuration and log file location.
  Default: ~/openam/server-uri, such as ~/openam/openam
com.iplanet.am.jssproxy.checkSubjectAltName
  When using JSS, check whether the name values in the SubjectAltName certificate extension match the server FQDN.
  Default: false
com.iplanet.am.jssproxy.resolveIPAddress
  When using JSS, check that the IP address of the server resolves to the host name.
  Default: false
com.iplanet.am.jssproxy.SSLTrustHostList
  When using JSS, comma-separated list of server FQDNs to trust if they match the certificate CN, even if the domain name is not correct.
com.iplanet.am.jssproxy.trustAllServerCerts
  When using JSS, set to true to trust whatever certificate is presented without checking.
  Default: true
com.iplanet.am.lbcookie.name
  Used with sticky load balancers that can inspect the cookie value.
  Default: amlbcookie
com.iplanet.am.lbcookie.value
  Used with sticky load balancers that can inspect the cookie value. Set this property to a unique value if your load balancer requires it. Restart OpenAM for the change to take effect.
  Default: 01
com.iplanet.am.pcookie.name
  Persistent cookie name.
  Default: DProPCookie
com.iplanet.am.profile.host
  Not used.
  Default: server-host, such as openam.example.com
com.iplanet.am.profile.port
  Not used.
  Default: server-port, such as 8080 or 8443
com.iplanet.am.session.agentSessionIdleTime
  Time in minutes after which a policy agent session expires.
  Default: 0, meaning never time out. Range is 0-30 (minutes).
com.iplanet.am.session.client.polling.enable
  Whether client applications such as policy agents poll for configuration changes. If false, then OpenAM notifies clients about changes.
  Default: false
com.iplanet.am.session.client.polling.period
  If client applications poll for changes, number of seconds between polls.
  Default: 180
com.iplanet.am.session.failover.cluster.stateCheck.period
  Time in milliseconds between health checks of other servers in the same site.
  Default: 1000
com.iplanet.am.session.failover.cluster.stateCheck.timeout
  Socket timeout in milliseconds for health checks of other servers in the same site.
  Default: 1000
com.iplanet.am.session.httpSession.enabled
  Create an HttpSession for users on successful authentication.
  Default: true
com.iplanet.security.SSLSocketFactoryImpl
  SSL socket factory implementation used by OpenAM.
  Default: com.sun.identity.shared.ldap.factory.JSSESocketFactory, which uses a pure Java provider
com.iplanet.services.cdc.invalidGotoStrings
  Strings that OpenAM rejects as values in goto query string parameters.
  Default: <,>javascript:,javascript%3a,%3c,%3e
com.sun.embedded.replicationport
  Replication port for the embedded OpenDJ directory server.
  Default: 8989
com.sun.embedded.sync.servers
  Whether to replicate data between embedded directory servers.
  Default: on
com.sun.identity.am.cookie.check
  Whether to check for cookie support in the user agent, and if not to return an error.
  Default: false
com.sun.identity.appendSessionCookieInURL
  Whether to append the session cookie to the URL for a zero page session.
  Default: true
com.sun.identity.auth.cookieName
  Cookie used by the OpenAM authentication service to handle the authentication process.
  Default: AMAuthCookie
com.sun.identity.authentication.client.ipAddressHeader
  Set the name of the HTTP header that OpenAM can examine to learn the client IP address when requests go through a proxy or load balancer. (When requests go through an HTTP proxy or load balancer, checking the IP address on the request alone returns the address of the proxy or load balancer rather than that of the client.) OpenAM must be able to trust the proxy or load balancer to set the client IP address correctly in the header specified.
  Example: com.sun.identity.authentication.client.ipAddressHeader=X-Forwarded-For
com.sun.identity.authentication.multiple.tabs.used
  Whether to allow users to open many browser tabs to the login page at the same time without encountering an error.
  Default: false
com.sun.identity.authentication.setCookieToAllDomains
  Whether to allow multiple cookie domains.
  Default: true
com.sun.identity.authentication.special.users
  List of special users always authenticated against the local directory server.
  Default: cn=dsameuser,ou=DSAME Users,|cn=amService-UrlAccessAgent,ou=DSAME Users,
com.sun.identity.authentication.super.user
  OpenAM privileged administrator user.
  Default: uid=amAdmin,ou=People,
com.sun.identity.authentication.uniqueCookieName
  When cookie hijacking protection is configured, name of the cookie holding the URL to the OpenAM server that authenticated the user.
  Default: sunIdentityServerAuthNServer
com.sun.identity.client.notification.url
  Notification service endpoint for clients such as policy agents.
  Default: server-protocol://server-host:server-port/server-uri/notificationservice, such as https://openam.example.com:8443/openam/notificationservice
com.sun.identity.common.systemtimerpool.size
  Number of threads in the shared system timer pool used to schedule operations such as session timeout.
  Default: 3
com.sun.identity.cookie.httponly
  When set to true, mark cookies as HTTPOnly to prevent scripts and third-party programs from accessing the cookies.
  Default: false
com.sun.identity.enableUniqueSSOTokenCookie
  If true, then OpenAM is using protection against cookie hijacking.
  Default: false
com.sun.identity.jss.donotInstallAtHighestPriority
  Whether JSS should take priority over other providers.
  Default: true
com.sun.identity.monitoring
  Whether monitoring is active for OpenAM.
  Default: off
com.sun.identity.monitoring.local.conn.server.url
  URL for local connection to the monitoring service.
  Default: service:jmx:rmi://
com.sun.identity.password.deploymentDescriptor
  Internal property used by OpenAM.
  Default: server-uri, such as openam
com.sun.identity.policy.Policy.policy_evaluation_weights
  Weights of the cost of evaluating policy subjects, rules, and conditions. Evaluation is in order of heaviest weight to lightest weight.
  Default: 10:10:10, meaning evaluation of rules, then conditions, then subjects
com.sun.identity.policy.resultsCacheMaxSize
  Maximum number of policy decisions OpenAM caches.
  Default: 10000
com.sun.identity.server.fqdnMap
  Enables virtual hosts, partial hostnames and IP addresses. Maps invalid or virtual name keys to valid FQDN values for proper redirection.
  To map myserver to myserver.example.com, set com.sun.identity.server.fqdnMap[myserver]=myserver.example.com.
com.sun.identity.session.repository.enableEncryption
  Enables tokens to be encrypted when stored.
  Multi-instance deployments require consistent use of this property, which should be set under Servers and Sites > Default Server Settings > Advanced.
  The am.encryption.pwd property must also be the same for all deployed instances. The am.encryption.pwd property is under Servers and Sites > Server > Security > Password Encryption Key. You will need to verify that all servers have the same setting for this property as the default server.
  Default: false
com.sun.identity.urlchecker.dorequest
  Whether to perform an HTTP GET on com.sun.identity.urlchecker.targeturl as a health check against another server in the same site. If false, then OpenAM only checks the Socket connection, and does not perform an HTTP GET.
  If each OpenAM server runs behind a reverse proxy, then setting this property to true means the health check actually runs against the OpenAM instance, rather than checking only the Socket to the reverse proxy.
  Default: false
com.sun.identity.urlchecker.targeturl
  URL to monitor when com.sun.identity.urlchecker.dorequest is set to true.
  Default: URL to the /openam/namingservice endpoint on the remote server
com.sun.identity.security.checkcaller
  Whether to perform a Java security permissions check for OpenAM.
  Default: false
com.sun.identity.session.repository.enableEncryption
  For CTS token encryption, if desired.
  Default: false
com.sun.identity.session.repository.enableCompression
  For GZip-based compression of CTS tokens, if desired.
  Default: false
com.sun.identity.session.repository.enableAttributeCompression
  For additional compression of CTS token JSON binaries, beyond GZip, if desired.
  Default: false
com.sun.identity.sm.cache.ttl
  When service configuration caching time-to-live is enabled, this sets the time to live in minutes.
  Default: 30
com.sun.identity.sm.cache.ttl.enable
  If service configuration caching is enabled, whether to enable a time-to-live for cached configuration.
  Default: false
com.sun.identity.sm.flatfile.root_dir
  File system directory to hold the file-based representation of OpenAM configuration.
  Default: ~/openam/server-uri/sms, such as ~/openam/openam/sms
com.sun.identity.sm.sms_object_class_name
  Class used to read and write OpenAM service configuration entries in the directory.
  Default: com.sun.identity.sm.ldap.SMSEmbeddedLdapObject
com.sun.identity.url.readTimeout
  Used to set the read timeout in milliseconds for HTTP and HTTPS connections to other servers.
  Default: 30000
com.sun.identity.urlchecker.dorequest
  Allows the OpenAM ClusterStateService to work with HTTPS endpoints.
  Default: true
com.sun.identity.urlconnection.useCache
  Whether to cache documents for HTTP and HTTPS connections to other servers.
  Default: false
com.sun.identity.webcontainer
  Name of the web container, used to correctly set character encoding if necessary.
  Default: WEB_CONTAINER
console.privileged.users
  Used to assign privileged console access to particular users. Set to a | separated list of users' Universal IDs, such as console.privileged.users=uid=demo,ou=user,|uid=demo2,ou=user,.
openam.auth.destroy_session_after_upgrade
  Whether to destroy the old session after a session is successfully upgraded.
  Default: true
openam.auth.distAuthCookieName
  Cookie used by the OpenAM distributed authentication service to handle the authentication process.
  Default: AMDistAuthCookie
openam.auth.session_property_upgrader
  Class that controls which session properties are copied during session upgrade, where the default is to copy all properties to the upgraded session.
  Default: org.forgerock.openam.authentication.service.DefaultSessionPropertyUpgrader
openam.auth.version.header.enabled
  The X-DSAMEVersion HTTP header provides detailed information about the version of OpenAM currently running on the system, including the build and date/time of the build. OpenAM will need to be restarted once this property is enabled.
  Default: false
openam.authentication.ignore_goto_during_logout
  Whether to ignore the goto query string parameter on logout, instead displaying the logout page.
  Default: false
openam.cdm.default.charset
  Character set used for globalization.
  Default: UTF-8
openam.forbidden.to.copy.headers
  Comma-separated list of HTTP headers not to copy when the distributed authentication server forwards a request to another distributed authentication server.
  Default: connection
openam.forbidden.to.copy.request.headers
  Comma-separated list of HTTP headers not to copy when the distributed authentication server forwards a request to another distributed authentication server.
  Default: connection
openam.retained.http.headers
  Comma-separated list of HTTP headers to copy to the forwarded response when the server forwards a request to another server.
  Requests are forwarded when the server receiving the request is not the server that originally initiated authentication. The server that originally initiated authentication is identified by a cookie.
  When the distributed authentication service (DAS) is in use, then the cookie is the AMDistAuthCookie that identifies the DAS server by its URL. When authentication is done directly on OpenAM, then the cookie is the AMAuthCookie that holds a session ID that identifies the OpenAM server. On subsequent requests the server receiving the request checks the cookie. If the cookie identifies another server, the current server forwards the request to that server.
  If a header such as Cache-Control has been included in the list of values for the property openam.retained.http.request.headers and the header must also be copied to the response, then add it to the list of values for this property.
  Example: openam.retained.http.headers=X-DSAMEVersion,Cache-Control
  Default: X-DSAMEVersion
openam.retained.http.request.headers
  Comma-separated list of HTTP headers to copy to the forwarded request when the server forwards a request to another server.
  Requests are forwarded when the server receiving the request is not the server that originally initiated authentication. The server that originally initiated authentication is identified by a cookie.
  When the distributed authentication service (DAS) is in use, then the cookie is the AMDistAuthCookie that identifies the DAS server by its URL. When authentication is done directly on OpenAM, then the cookie is the AMAuthCookie that holds a session ID that identifies the OpenAM server. On subsequent requests the server receiving the request checks the cookie. If the cookie identifies another server, the current server forwards the request to that server.
  When configuring the distributed authentication service, or when a reverse proxy is set up to provide the client IP address in the X-Forwarded-For header, if your deployment includes multiple OpenAM servers, then this property must be set to include the header.
  Example: openam.retained.http.request.headers=X-DSAMEVersion,X-Forwarded-For
  OpenAM copies the header when forwarding a request to the authoritative server where the client originally began the authentication process, so that the authoritative OpenAM server receiving the forwarded request can determine the real client IP address.
  In order to retain headers to return in the response to the OpenAM server that forwarded the request, use the property openam.retained.http.headers.
  Default: X-DSAMEVersion
openam.session.allow_persist_am_cookie
  If true, users can extend the lifetime of the iplanetDirectoryPro cookie to com.iplanet.am.cookie.timeToLive on a per-session basis, by using the query string parameter openam.session.persist_am_cookie=Yes.
openam.session.case.sensitive.uuid
  Whether universal user IDs are considered case sensitive when matching them.
  Default: false
openam.session.persist_am_cookie
  If true, extend the lifetime of the iplanetDirectoryPro cookie to com.iplanet.am.cookie.timeToLive.
  Default: false
openam.session.useLocalSessionsInMultiServerMode
  This property is for use in multi-server deployments where session failover is not available. If true, calculate session quotas per server. In other words, if the session quota is 5 sessions and users can access up to 4 servers, they can have a maximum of 20 (5 * 4) sessions.
  Default: false
opensso.protocol.handler.pkgs
  If the web application container sets java.protocol.handler.pkgs, then set this property to com.sun.identity.protocol.
org.forgerock.embedded.dsadminport
  Administration port for the embedded OpenDJ directory server.
  Default: 4444
org.forgerock.openam.authentication.accountExpire.days
  Days until account expiration set after successful authentication by the account expiration post authentication plugin.
  Default: 30
securidHelper.ports
  Port on which the SecurID daemon listens.
  Default: 58943
ssoadm.disabled
  Set to false to enable ssoadm.jsp.
  Default: true
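The interaction between com.sun.identity.authentication.client.ipAddressHeader, openam.retained.http.request.headers and openam.retained.http.headers described above, as an added example that is not OpenAM's own code: it derives the client address from the configured header only when the TCP peer is one of the deployment's own proxies (TRUSTED_PROXIES, the property values and the sample request are all constructed for this illustration), and it builds the header sets copied on the forwarded request and response. It goes slightly beyond the page by walking a multi-hop X-Forwarded-For chain from the right, skipping trusted proxies.

```python
# Added example, not OpenAM code. Property values and addresses are constructed.
import ipaddress

# Property values as they would be set on the Advanced tab (constructed).
PROPS = {
    "com.sun.identity.authentication.client.ipAddressHeader": "X-Forwarded-For",
    "openam.retained.http.request.headers": "X-DSAMEVersion,X-Forwarded-For",
    "openam.forbidden.to.copy.request.headers": "connection",
    "openam.retained.http.headers": "X-DSAMEVersion,Cache-Control",
}

# Assumption for this example: the reverse proxies / load balancers in front
# of OpenAM. The page requires that OpenAM can trust whoever sets the header;
# this list is how that trust is expressed here.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def _get_header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, headers, props=PROPS):
    """Address to use for the Client IP Address Check and session logging.

    The configured header is honoured only when the TCP peer is a trusted
    proxy; otherwise the header could have been set by the client itself.
    For a chain "client, proxy1, proxy2" the result is the right-most address
    that is not one of our own proxies.
    """
    peer = ipaddress.ip_address(peer_ip)
    header = props.get("com.sun.identity.authentication.client.ipAddressHeader")
    raw = _get_header(headers, header) if header and _is_trusted(peer) else None
    if raw is None:
        return str(peer)
    try:
        hops = [ipaddress.ip_address(h) for h in _split_list(raw)]
    except ValueError:
        return str(peer)  # malformed header value: fall back to the socket address
    for hop in reversed(hops):
        if not _is_trusted(hop):
            return str(hop)
    return str(hops[0]) if hops else str(peer)


def forwarded_request_headers(headers, props=PROPS):
    """Headers copied onto the request forwarded to the authoritative server:
    those in openam.retained.http.request.headers, minus any listed in
    openam.forbidden.to.copy.request.headers."""
    retained = {h.lower() for h in _split_list(props["openam.retained.http.request.headers"])}
    forbidden = {h.lower() for h in _split_list(props.get("openam.forbidden.to.copy.request.headers", ""))}
    return {name: value for name, value in headers.items()
            if name.lower() in retained and name.lower() not in forbidden}


def forwarded_response_headers(headers, props=PROPS):
    """Headers copied from the authoritative server's response back into the
    response returned by the forwarding server (openam.retained.http.headers)."""
    retained = {h.lower() for h in _split_list(props["openam.retained.http.headers"])}
    return {name: value for name, value in headers.items() if name.lower() in retained}


if __name__ == "__main__":
    # Constructed request as received by an OpenAM server from proxy 10.0.0.5.
    request = {"X-Forwarded-For": "203.0.113.7, 10.0.0.5",
               "X-DSAMEVersion": "constructed", "Connection": "keep-alive"}
    print(client_ip("10.0.0.5", request))       # 203.0.113.7
    print(client_ip("198.51.100.9", request))   # untrusted peer: header ignored
    print(forwarded_request_headers(request))   # X-DSAMEVersion and X-Forwarded-For
```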
Sites
Sites involve multiple OpenAM servers working together to provide services. You can use sites with load balancers and session failover to configure pools of servers capable of responding to client requests in highly available fashion.
- Primary URL
  Set the primary entry point to the site, such as the URL to the load balancer for the site configuration.
- Secondary URLs
  Set alternate entry points to the site. Used when session failover is configured.
- Assigned Servers
  Shows the list of OpenAM servers in the site.