1.1. Bootstrap Configuration Properties

These properties are set in config/.

com.forgerock.agents.ext.url.validation.default.url.set

This property takes a comma-separated list of indexes for URL values indicating the order in which to fail over, where the indexes are taken from the values set for com.sun.identity.agents.config.naming.url, com.sun.identity.agents.config.login.url, com.sun.identity.agents.config.cdsso.cdcservlet.url, and com.sun.identity.agents.config.logout.url.

For example if com.sun.identity.agents.config.naming.url is set as follows:

com.sun.identity.agents.config.naming.url=
 http://zero.example.com:8080/openam/namingservice
 http://one.example.com:8080/openam/namingservice

Then the following setting means first use OpenAM on zero.example.com, then fail over if necessary to OpenAM on one.example.com, assuming com.forgerock.agents.ext.url.validation.level is set to enable validation.

com.forgerock.agents.ext.url.validation.default.url.set=0,1

When using this failover capability make sure you synchronize URL settings in com.sun.identity.agents.config.naming.url, com.sun.identity.agents.config.login.url, com.sun.identity.agents.config.cdsso.cdcservlet.url, and com.sun.identity.agents.config.logout.url such that each service shares the same index across all properties. In other words, in the example above each service under http://zero.example.com:8080/openam would be the first item (index: 0) for each property. This ensures the policy agent fails over and fails back from one server to another in synchronized fashion for all services.

This property has no default setting.

com.forgerock.agents.ext.url.validation.level

This bootstrap configuration property lets you configure naming URL validation during the initial bootstrap phase, when the policy agent reads its configuration, and thereafter if the policy agent is configured to fail over when a naming URL becomes invalid.

When URL validation is fully disabled the policy agent does not need to connect to OpenAM during the bootstrap phase.

If you leave naming URL validation disabled, then make sure that the URLs in the policy agent bootstrap configuration file are valid and correct. As the policy agent performs no further validation after the bootstrap phase, incorrect naming URLs can cause the agent to crash.

To enable full URL validation, set the property as shown:

com.forgerock.agents.ext.url.validation.level = 0

This property can take the following values.

0

Fully validate naming URLs specified by using the com.sun.identity.agents.config.naming.url property. The web policy agent logs into and logs out of OpenAM to check that a naming URL is valid.

1

Check that naming URLs are valid by performing an HTTP GET, which should receive an HTTP 200 response.

2 (Default)

Disable all naming URL validation.

When naming URL validation is enabled, also set the following properties.

  • com.sun.identity.agents.config.connect.timeout

  • com.sun.identity.agents.config.receive.timeout

com.forgerock.agents.ext.url.validation.ping.interval

Set this to the seconds between validation requests against the current naming URL.

The sum of the values of com.sun.identity.agents.config.connect.timeout and com.sun.identity.agents.config.receive.timeout must not exceed this value. Notice that the two timeout values are specified in milliseconds, whereas this property's value is specified in seconds.

Default: 60 (seconds)
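
As an added example (not part of the agent or of this reference), the following Python lint reads a bootstrap fragment and checks the two constraints stated above: that each index in default.url.set refers to the same server across the four URL properties, and that connect.timeout plus receive.timeout (milliseconds) does not exceed ping.interval (seconds) when validation is enabled. The sample properties are constructed; in them the logout URLs are listed in the wrong order, which the lint flags.

```python
from urllib.parse import urlsplit

CFG = "com.sun.identity.agents.config."
EXT = "com.forgerock.agents.ext.url.validation."
URL_PROPS = tuple(CFG + s for s in ("naming.url", "login.url",
                                    "cdsso.cdcservlet.url", "logout.url"))

# Constructed sample bootstrap fragment; the logout URLs are deliberately out of order.
SAMPLE = """\
com.forgerock.agents.ext.url.validation.level=0
com.forgerock.agents.ext.url.validation.default.url.set=0,1
com.forgerock.agents.ext.url.validation.ping.interval=60
com.sun.identity.agents.config.connect.timeout=2000
com.sun.identity.agents.config.receive.timeout=2000
com.sun.identity.agents.config.naming.url=http://zero.example.com:8080/openam/namingservice http://one.example.com:8080/openam/namingservice
com.sun.identity.agents.config.login.url=http://zero.example.com:8080/openam/UI/Login http://one.example.com:8080/openam/UI/Login
com.sun.identity.agents.config.cdsso.cdcservlet.url=http://zero.example.com:8080/openam/cdcservlet http://one.example.com:8080/openam/cdcservlet
com.sun.identity.agents.config.logout.url=http://one.example.com:8080/openam/UI/Logout http://zero.example.com:8080/openam/UI/Logout
"""

def parse_properties(text):
    """Parse key=value lines; a multi-URL value stays one space-separated string."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def lint_bootstrap(props):
    """Return the problems found; an empty list means the failover settings agree."""
    problems = []
    urls = {p: props.get(p, "").split() for p in URL_PROPS}
    for idx in [int(i) for i in props.get(EXT + "default.url.set", "").split(",") if i]:
        servers = set()
        for prop, lst in urls.items():
            if idx >= len(lst):
                problems.append(f"index {idx} missing in {prop}")
            else:
                servers.add(urlsplit(lst[idx]).netloc)  # host:port must agree per index
        if len(servers) > 1:
            problems.append(f"index {idx} mixes servers {sorted(servers)}")
    if props.get(EXT + "level", "2") != "2":  # 2 (the default) disables validation
        connect, receive = (int(props.get(CFG + k, "0")) for k in ("connect.timeout", "receive.timeout"))
        interval_ms = int(props.get(EXT + "ping.interval", "60")) * 1000
        if 0 in (connect, receive):
            problems.append("validation enabled but a timeout is 0 (never times out)")
        elif connect + receive > interval_ms:
            problems.append("connect.timeout + receive.timeout exceeds ping.interval")
    return problems
```

Run it against the real bootstrap file before enabling failover; an index that mixes servers means the agent would fail over some services to one OpenAM instance and others to a different one.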

com.forgerock.agents.ext.url.validation.ping.miss.count

If validation requests against the current naming URL fail this number of times in a row, the web policy agent fails over to the next service in com.forgerock.agents.ext.url.validation.default.url.set.

Default: 3

com.forgerock.agents.ext.url.validation.ping.ok.count

After failover, if validation requests against the default naming URL succeed this number of times in a row, the web policy agent fails back to that service, the first URL in the com.forgerock.agents.ext.url.validation.default.url.set list.

Default: 3

com.sun.identity.agents.config.certdb.password

When SSL is configured, set this to the password for the certificate database.

com.sun.identity.agents.config.certdb.prefix

When SSL is configured, set this property if the certificate databases in the directory specified by com.sun.identity.agents.config.sslcert.dir have a prefix.

com.sun.identity.agents.config.certificate.alias

When SSL is configured, set this to the alias of the certificate used to authenticate.

com.sun.identity.agents.config.connect.timeout

Set this to the number of milliseconds to keep the socket connection open before timing out. If you have the web policy agent perform naming URL validation, then set this property to a reasonable value such as 2000 (2 seconds). The default value is 0, which means no timeout.

com.sun.identity.agents.config.debug.file

Set this to the full path of the agent's debug log file.

com.sun.identity.agents.config.debug.level

Default is Error. Increase to Message or even All for fine-grained detail.

Set the level in the configuration file by module using the format module[:level][,module[:level]]*, where module is one of AuthService, NamingService, PolicyService, SessionService, PolicyEngine, ServiceEngine, Notification, PolicyAgent, RemoteLog, or all, and level is one of the following.

  • 0: Disable logging from specified module

    Even at this level, the agent still logs messages whose level is always.

  • 1: Log error messages

  • 2: Log warning and error messages

  • 3: Log info, warning, and error messages

  • 4: Log debug, info, warning, and error messages

  • 5: Like level 4, but with even more debugging messages

When you omit level, the agent uses the default level, which is the level associated with the all module.

The following example, used in the local configuration, sets the overall log level to debug for all modules.

com.sun.identity.agents.config.debug.level=all:4
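
As an added example (not the agent's own parser), this Python function turns a com.sun.identity.agents.config.debug.level value into an effective level per module, applying the rule above that an omitted level means the level of the all module. It assumes, since the page does not say, that modules not listed also take the all level and that all itself defaults to 1 (Error).

```python
# Modules named on this page; "all" is handled separately as the default.
MODULES = ("AuthService", "NamingService", "PolicyService", "SessionService",
           "PolicyEngine", "ServiceEngine", "Notification", "PolicyAgent",
           "RemoteLog")

def parse_debug_level(value):
    """Parse module[:level][,module[:level]]* and return {module: level} for every module."""
    requested = {}  # module -> int level, or None when ":level" was omitted
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        module, _, level = entry.partition(":")
        if module not in MODULES and module != "all":
            raise ValueError(f"unknown module {module!r}")
        if level == "":
            requested[module] = None
        elif level.isdigit() and 0 <= int(level) <= 5:
            requested[module] = int(level)
        else:
            raise ValueError(f"level for {module} must be 0-5, got {level!r}")
    default = requested.get("all")
    if default is None:
        default = 1  # assumption: Error (1) is the default the page states
    # A module listed without a level, or not listed at all, takes the "all" level.
    return {m: (requested[m] if requested.get(m) is not None else default)
            for m in MODULES}
```
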

com.sun.identity.agents.config.forward.proxy.host

When OpenAM and the agent communicate through a web proxy server configured in forward proxy mode, set this to the proxy server host name.

com.sun.identity.agents.config.forward.proxy.password

When OpenAM and the agent communicate through a web proxy server configured in forward proxy mode and the proxy server has the agent authenticate using Basic Authentication, set this to the agent's password.

com.sun.identity.agents.config.forward.proxy.port

When OpenAM and the agent communicate through a web proxy server configured in forward proxy mode, set this to the proxy server port number.

com.sun.identity.agents.config.forward.proxy.user

When OpenAM and the agent communicate through a web proxy server configured in forward proxy mode and the proxy server has the agent authenticate using Basic Authentication, set this to the agent's user name.

com.sun.identity.agents.config.key

Set this to the encryption key used to encrypt the agent profile password.

com.sun.identity.agents.config.local.logfile

Set this to the full path of the agent's audit log file.

com.sun.identity.agents.config.naming.url

Set this to the naming service URL(s) used for naming lookups in OpenAM. Separate multiple URLs with single space characters.

com.sun.identity.agents.config.organization.name

Set this to the realm name where the agent authenticates to OpenAM.

com.sun.identity.agents.config.password

Set this to the encrypted version of the password for the agent authenticator. Use the command ./agentadmin --encrypt agentInstance passwordFile to get the encrypted version.

com.sun.identity.agents.config.profilename

Set this to the agent profile name.

com.sun.identity.agents.config.receive.timeout

Set this to the number of milliseconds to wait for a response from OpenAM before timing out and dropping the connection. If you have the web policy agent perform naming URL validation, then set this property to a reasonable value such as 2000 (2 seconds). The default value is 0, which means no timeout.

com.sun.identity.agents.config.sslcert.dir

When SSL is configured, set this to the directory containing SSL certificate databases.

com.sun.identity.agents.config.tcp.nodelay.enable

Set to true to enable the socket option TCP_NODELAY. Default is false.

com.sun.identity.agents.config.trust.server.certs

When SSL is configured, set to false to trust the OpenAM SSL certificate only if the certificate is found to be correct and valid. Default is true to make it easy to try SSL during evaluation.

Important

Notice that the default setting, true, means that the web policy agent trusts all server certificates. Change this to false, and test that your web policy agent can trust server certificates before deploying the policy agent in production.

com.sun.identity.agents.config.username

Set this to the user name of the agent authenticator.

com.forgerock.agents.instance.id

When there are multiple agents on a single system, set this to a unique numeric value.