Under Configuration > System, you can change OpenAM settings for server logging, monitoring, service URL naming, locale, cookie domain, and how OpenAM detects specific clients.
Client Detection
OpenAM can detect client user agents by their HTTP requests.
ssoadm service name:
iPlanetAMClientDetection
- Default Client Type
-
If no specific match is found for the client type, then this type is used. The default is genericHTML, suitable for supported browsers.
ssoadm attribute:
iplanet-am-client-detection-default-client-type
- Client Detection Class
-
The client detection plugin must implement the com.iplanet.services.cdm.ClientDetectionInterface. Client type is a name that uniquely identifies the client to OpenAM. The plugin scans HTTP requests to determine the client type.
ssoadm attribute:
iplanet-am-client-detection-class
- Enable Client Detection
-
If this is enabled, then OpenAM needs an appropriate client detection class implementation, and the authentication user interface must be appropriate for the clients detected.
ssoadm attribute:
iplanet-am-client-detection-enabled
Logging
You configure global OpenAM logging settings on this page.
ssoadm service name:
iPlanetAMLoggingService
- Maximum Log Size
-
Sets the maximum log file size in bytes.
ssoadm attribute:
iplanet-am-logging-max-file-size
- Number of History Files
-
Sets the number of history files for each log that OpenAM keeps, including time-based histories. The previously live file is moved to be included in the history count, and a new log is created to serve as the live log file. Any log file in the history count that goes over the number specified here will be deleted. For time-based logs, a new set of logs will be created when OpenAM is started because of the time-based file names that are used.
ssoadm attribute:
iplanet-am-logging-num-hist-file
- Logfile Rotation Prefix
-
Set this if you want to add a prefix to log files governed by time-based log rotation.
ssoadm attribute:
openam-logging-file-prefix
- Logfile Rotation Suffix
-
Change this if you want to change the suffix for log files governed by time-based log rotation. You can use SimpleDateFormat patterns. The default is -MM.dd.yy-kk.mm.
ssoadm attribute:
openam-logging-file-suffix
- Log File Location
-
This property is interpreted to determine the location of log files, taking either a file system location or a JDBC URL. The default is %BASE_DIR%/%SERVER_URI%/log/.
ssoadm attribute:
iplanet-am-logging-location
- Log Status
-
Set this to INACTIVE to disable the logging system.
ssoadm attribute:
logstatus
- Log Record Resolve Host Name
-
Enable this to have OpenAM perform a DNS host lookup to populate the host name field for log records. OpenAM requires DNS on the host where it runs. Enabling this feature increases the load on the logging system.
ssoadm attribute:
resolveHostName
- Logging Type
-
Set this to DB to log to a database. Default: File. If you choose DB then be sure to set the connection attributes correctly, including the JDBC driver to use.
ssoadm attribute:
iplanet-am-logging-type
- Database User Name
-
When logging to a database, set this to the user name used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.
ssoadm attribute:
iplanet-am-logging-db-user
- Database User Password
-
When logging to a database, set this to the password used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.
ssoadm attribute:
iplanet-am-logging-db-password
- Database Driver Name
-
When logging to a database, set this to the class name of the JDBC driver used to connect to the database. The default is for Oracle. OpenAM also works with the MySQL database driver.
ssoadm attribute:
iplanet-am-logging-db-driver
- Configurable Log Fields
-
Select the fields OpenAM includes in log messages using this attribute. By default all fields are included in log messages.
ssoadm attribute:
iplanet-am-logging-logfields
- Log Verification Frequency
-
When secure logging is enabled, set this to how often OpenAM verifies log file content (in seconds).
ssoadm attribute:
iplanet-am-logging-verify-period-in-seconds
- Log Signature Time
-
When secure logging is enabled, set this to how often OpenAM signs log file content (in seconds).
ssoadm attribute:
iplanet-am-logging-signature-period-in-seconds
- Secure Logging
-
Set this to ON to enable the secure logging system whereby OpenAM digitally signs and verifies log files. You must also set up the Logging Certificate Store for this feature to function.
ssoadm attribute:
iplanet-am-logging-security-status
- Secure Logging Signing Algorithm
-
Set this to the algorithm used for digitally signing log records.
ssoadm attribute:
iplanet-am-logging-secure-signing-algorithm
- Logging Certificate Store Location
-
The secure logging system uses the certificate with alias Logger that it finds in the key store specified by this path. The default is %BASE_DIR%/%SERVER_URI%/Logger.jks.
ssoadm attribute:
iplanet-am-logging-secure-certificate-store
- Maximum Number of Records
-
Set this to the maximum number of records read from the logs through the Logging API.
ssoadm attribute:
iplanet-am-logging-max-records
- Number of Files per Archive
-
Set this to the number of files to be archived by the secure logging system.
ssoadm attribute:
iplanet-am-logging-files-per-keystore
- Buffer Size
-
The number of log messages buffered in memory before OpenAM flushes them to the log file or the database.
ssoadm attribute:
iplanet-am-logging-buffer-size
- DB Failure Memory Buffer Size
-
Set this to the maximum number of log records to hold in memory if the database to which records are logged is unavailable. If the value is less than Buffer Size, the Buffer Size value takes precedence.
ssoadm attribute:
sun-am-logging-db-max-in-mem
- Buffer Time
-
Set the time in seconds that OpenAM buffers log messages in memory before flushing the buffer when Time Buffering is ON. The default is 60 seconds.
ssoadm attribute:
iplanet-am-logging-buffer-time-in-seconds
- Time Buffering
-
Set this to OFF to cause OpenAM to write each log message separately rather than the default of holding messages in a memory buffer that OpenAM flushes periodically, as specified using the Buffer Time attribute.
ssoadm attribute:
iplanet-am-logging-time-buffering-status
- Logging Level
-
Set the log level for OpenAM. OFF is equivalent to setting the status to INACTIVE.
ssoadm attribute:
sun-am-log-level
Monitoring
You enable OpenAM monitoring by using these attributes.
ssoadm service name:
iPlanetAMMonitoringService
- Monitoring Status
-
Enable monitoring using this attribute.
ssoadm attribute:
iplanet-am-monitoring-enabled
- Monitoring HTTP Port
-
Set the port number for the HTML monitoring interface.
ssoadm attribute:
iplanet-am-monitoring-http-port
- Monitoring HTTP interface status
-
Enable the HTML monitoring interface using this attribute.
ssoadm attribute:
iplanet-am-monitoring-http-enabled
- Monitoring HTTP interface authentication file path
-
Set this to the path of the file that holds the user name and password used to protect access to monitoring information. The default user name and password combination is demo and changeit. You can encode a new password using the ampassword command.
ssoadm attribute:
iplanet-am-monitoring-authfile-path
- Monitoring RMI Port
-
Set the port number for the JMX monitoring interface.
ssoadm attribute:
iplanet-am-monitoring-rmi-port
- Monitoring RMI interface status
-
Enable the JMX monitoring interface using this attribute.
ssoadm attribute:
iplanet-am-monitoring-rmi-enabled
- Monitoring SNMP Port
-
Set the port number for the SNMP monitoring interface.
ssoadm attribute:
iplanet-am-monitoring-snmp-port
- Monitoring SNMP interface status
-
Enable the SNMP monitoring interface using this attribute.
ssoadm attribute:
iplanet-am-monitoring-snmp-enabled
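The Logging and Monitoring attributes above can be reviewed together. The following is an added example, not part of the OpenAM documentation or code base: it parses an export of these attributes and reports the settings a reviewer should look at. The attribute=value input format, the sample values and the finding names are assumptions.

```python
# Added example, not OpenAM code. Assumption: one attribute=value pair per line.
SAMPLE_EXPORT = """\
# constructed sample values, not taken from a real deployment
logstatus=ACTIVE
iplanet-am-logging-type=DB
iplanet-am-logging-security-status=OFF
iplanet-am-logging-buffer-size=25
sun-am-logging-db-max-in-mem=2
iplanet-am-monitoring-enabled=true
iplanet-am-monitoring-http-enabled=true
iplanet-am-monitoring-http-port=8082
iplanet-am-monitoring-snmp-enabled=true
iplanet-am-monitoring-snmp-port=8085
"""

def parse_export(text):
    """Return {attribute: value}; skip blank, comment and malformed lines."""
    pairs = (line.strip().partition("=") for line in text.splitlines())
    return {k.strip(): v.strip() for k, sep, v in pairs
            if sep and k.strip() and not k.startswith("#")}

def enabled(cfg, name):
    return cfg.get(name, "").lower() in ("true", "on", "active")

def to_int(cfg, name):
    return int(cfg[name]) if cfg.get(name, "").isdigit() else None

def audit(cfg):
    """Return (finding_id, detail) tuples; absent attributes are not judged."""
    out = []
    if (cfg.get("logstatus", "").upper() == "INACTIVE"
            or cfg.get("sun-am-log-level", "").upper() == "OFF"):
        out.append(("logging-disabled", "the logging system is switched off"))
    if cfg.get("iplanet-am-logging-security-status", "").upper() == "OFF":
        out.append(("secure-logging-off", "log files are not signed or verified"))
    buf = to_int(cfg, "iplanet-am-logging-buffer-size")
    db_buf = to_int(cfg, "sun-am-logging-db-max-in-mem")
    if (cfg.get("iplanet-am-logging-type", "").upper() == "DB"
            and None not in (buf, db_buf) and db_buf < buf):
        out.append(("db-buffer-overridden", f"Buffer Size {buf} replaces {db_buf}"))
    # Assumption: an interface is only served while monitoring itself is enabled.
    if enabled(cfg, "iplanet-am-monitoring-enabled"):
        for kind in ("http", "rmi", "snmp"):
            if enabled(cfg, f"iplanet-am-monitoring-{kind}-enabled"):
                port = cfg.get(f"iplanet-am-monitoring-{kind}-port", "unset")
                note = " (check auth file for demo/changeit)" if kind == "http" else ""
                out.append((f"monitoring-{kind}-enabled", f"port {port}{note}"))
    return out
```

Call audit(parse_export(text)) on the exported values of iPlanetAMLoggingService and iPlanetAMMonitoringService; an empty list means none of these conditions was found.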
Naming
You can configure URLs for service endpoints.
ssoadm service name:
iPlanetAMNamingService
- Profile Service URL
-
Set the endpoint used by the profile service.
This attribute is deprecated.
ssoadm attribute:
iplanet-am-naming-profile-url
- Session Service URL
-
Set the endpoint used by the session service.
ssoadm attribute:
iplanet-am-naming-session-url
- Logging Service URL
-
Set the endpoint used by the logging service.
ssoadm attribute:
iplanet-am-naming-logging-url
- Policy Service URL
-
Set the endpoint used by the policy service.
ssoadm attribute:
iplanet-am-naming-policy-url
- Authentication Service URL
-
Set the endpoint used by the authentication service.
ssoadm attribute:
iplanet-am-naming-auth-url
- SAML Web Profile/Artifact Service URL
-
Set the SAML v1 endpoint.
ssoadm attribute:
iplanet-am-naming-samlawareservlet-url
- SAML SOAP Service URL
-
Set the endpoint used by the SAML v1 SOAP service.
ssoadm attribute:
iplanet-am-naming-samlsoapreceiver-url
- SAML Web Profile/POST Service URL
-
Set the SAML v1 Web Profile endpoint.
ssoadm attribute:
iplanet-am-naming-samlpostservlet-url
- SAML Assertion Manager Service URL
-
Set the endpoint used by the SAML v1 assertion service.
ssoadm attribute:
iplanet-am-naming-samlassertionmanager-url
- Federation Assertion Manager Service URL
-
Set the endpoint used by the ID-FF assertion manager service.
ssoadm attribute:
iplanet-am-naming-fsassertionmanager-url
- Security Token Manager URL
-
Set the STS endpoint.
ssoadm attribute:
iplanet-am-naming-securitytokenmanager-url
- JAXRPC Endpoint URL
-
Set the JAXRPC endpoint used by remote IDM/SMS APIs.
ssoadm attribute:
iplanet-am-naming-jaxrpc-url
- Identity Web Services Endpoint URL
-
Set the endpoint for Identity WSDL services.
ssoadm attribute:
sun-naming-idsvcs-jaxws-url
- Identity REST Services Endpoint URL
-
Set the endpoint used for Identity REST services.
ssoadm attribute:
sun-naming-idsvcs-rest-url
- Security Token Service Endpoint URL
-
Set the STS endpoint.
ssoadm attribute:
sun-naming-sts-url
- Security Token Service MEX Endpoint URL
-
Set the STS MEX endpoint.
ssoadm attribute:
sun-naming-sts-mex-url
Platform
You can configure the default locale and list of cookie domains.
ssoadm service name:
iPlanetAMPlatformService
- Platform Locale
-
Set the fallback locale used when the user locale cannot be determined.
ssoadm attribute:
iplanet-am-platform-locale
- Cookie Domains
-
Set the list of domains into which OpenAM writes cookies. If you set multiple cookie domains, OpenAM still only sets the cookie in the domain the client uses to access OpenAM. You can also configure cross domain single sign on (CDSSO) to allow single sign on across multiple domains managed by your organization. See the Administration Guide chapter on Configuring Cross-Domain Single Sign On for details.
ssoadm attribute:
iplanet-am-platform-cookie-domains