Chapter 5 System Administration
The deployment of Sun Java System Federation Manager can be customized by values you
set in the system attributes. In addition, Federation Manager has a non-Liberty
authentication service.
Organization Properties
The following attributes can be configured for your organization.
Domain Name
This defines the domain to which the organization belongs.
Note –
This attribute is not currently supported.
Status
This defines whether the realm is active or inactive.
Aliases
This defines an alias for the realm.
DNS Alias Names
This defines DNS aliases for the realm.
Console Properties
The Console properties include settings to customize the console
for different locales and character sets. This includes:
Globalization Settings
The Globalization Settings contain attributes that enable you
to configure Federation Manager for different locales and character sets. The attributes
include:
Charsets Supported by Each Locale
This attribute lists the character sets supported for each locale,
which indicates the mapping between locale and character set.
The following tasks are associated with character set support.
Charset Aliases
This attribute lists the codeset names (which map to IANA names)
that will be used to send the response. These codeset names do not
need to match Java codeset names. Currently, there is a hash table
to map Java character sets into IANA character sets and vice versa.
The following tasks are associated with character set aliases.
Auto Generated Common Name Format
This display option allows you to define the way in which a
name is automatically generated to accommodate name formats for different
locales and character sets. The default syntax is as follows (note that
any commas or spaces included in the definition appear literally in the
generated name):
en_us = {givenname} {initials} {sn}
For example, if you wanted to display a new name format for
a user (User One) with a uid (11111) for the Chinese character set,
define:
zh = {sn}{givenname}({uid})
The display is:
OneUser 11111
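As an added illustration (not Federation Manager code), the following expands per-locale format strings of the kind shown above against a user's attributes; the de format and the user record are constructed, and the collapsing of the double space a missing attribute leaves behind is an assumption of this example.

```python
import re

# Constructed sample: one "locale = template" definition per line, using
# the default en_us syntax from the text plus an added de format whose
# comma and space appear literally in the generated name.
NAME_FORMATS = """
en_us = {givenname} {initials} {sn}
de = {sn}, {givenname}
"""

def parse_name_formats(text):
    """Return {locale: template} from 'locale = template' lines."""
    formats = {}
    for line in text.splitlines():
        if "=" in line:
            locale, template = line.split("=", 1)
            formats[locale.strip().lower()] = template.strip()
    return formats

def generate_cn(user, locale, formats, default="en_us"):
    """Expand the template for `locale` (falling back to `default`) against
    the user's attributes. Text outside {...} placeholders is copied as-is;
    an attribute the user lacks expands to an empty string."""
    template = formats.get(locale.lower(), formats[default])
    rendered = re.sub(r"\{(\w+)\}", lambda m: user.get(m.group(1), ""), template)
    # Assumption of this example: collapse the double space that a missing
    # attribute (for example no initials) would otherwise leave behind.
    return re.sub(r" {2,}", " ", rendered).strip()

FORMATS = parse_name_formats(NAME_FORMATS)
USER = {"givenname": "User", "initials": "X", "sn": "One", "uid": "11111"}

if __name__ == "__main__":
    print(generate_cn(USER, "en_us", FORMATS))   # User X One
    print(generate_cn(USER, "de", FORMATS))      # One, User
    print(generate_cn(USER, "fr", FORMATS))      # User X One (falls back to en_us)
```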
To Add Supported Character Sets
- Click Add under Charsets Supported by Each Locale. The New Supported Character Sets page is displayed.
- Define the following attributes.
  - Locale: The new locale you wish to add.
  - Supported Charsets: Enter the supported character set for the specified locale. Character sets are delimited by a semicolon. For example, charset=charset1;charset2;charset3;...;charsetn
- Click OK. You are returned to the Globalization Settings page.
To Edit Supported Character Sets
- Click Edit next to the name of the character set you want to modify.
- Modify the following parameters:
  - Locale: The new locale you wish to add. For more information, see Supported Language Locales.
  - Supported Charsets: Enter the supported character set for the specified locale. Character sets are delimited by a semicolon. For example, charset=charset1;charset2;charset3;...;charsetn
- Click OK. You are returned to the Globalization Settings page.
To Add New Character Set Aliases
- Click Add under Charset Aliases. The New Charset Aliases page is displayed.
- Define the following attributes.
  - MIME name: The IANA mapping name. For example, Shift_JIS
  - Java Name: The Java character set to map to the IANA character set.
- Click OK. You are returned to the Globalization Settings page.
To Edit Existing Character Set Aliases
- Click Edit next to the name of the character set alias you want to modify.
- Modify the following parameters:
  - MIME name: The IANA mapping name. For example, Shift_JIS
  - Java Name: The Java character set to map to the IANA character set.
- Click OK. You are returned to the Globalization Settings page.
System Properties
The System properties include settings that affect the deployment
of Federation Manager. This includes:
Logging
The Logging service provides status and error messages related
to Federation Manager administration. An administrator can configure values such
as log file size and log file location. Federation Manager can record events in
flat text files or in a relational database. The Logging service attributes
are global attributes. The attributes are:
Maximum Log Size
This attribute accepts a value for the maximum size (in bytes)
of a Federation Manager log file. The default value is 1000000.
Number of History Files
This attribute has a value equal to the number of backup log
files that will be retained for historical analysis. Any integer can
be entered depending on the partition size and available disk space
of the local system. The default value is 3.
Note –
Entering a value of 0 is interpreted to be the same as
a value of 1, meaning that if you specify 0, a history log file will
be created.
The value in this attribute is only used when the Logging Type
attribute is set to FILE. If Logging Type is set
to DB (Database), there are no history files.
Log File Location
The file-based logging function needs a location where log files
can be stored. This field accepts a full directory path to that location.
The default location is /var/opt/SUNWam/fm/logs.
If a non-default directory is specified, Federation Manager will create the
directory if it does not exist. You should then set the appropriate
permissions for that directory (for example, 0700).
When configuring the log location for database logging (such
as, Oracle or MySQL), part of the log location is case sensitive.
For example, if you are logging to an Oracle database, the log location
should be (note case sensitivity):
jdbc:oracle:thin:@machine.domain:port:DBName
To configure logging to a database, add the JDBC driver files
to the web container's Java Virtual Machine (JVM) classpath. You also need
to manually add the JDBC driver files to the classpath of the amadmin script; otherwise amadmin logging cannot load
the JDBC driver.
Note –
Changes to logging attributes usually take effect after
you save them. This does not require you to restart the server. If
you are changing to secure logging, however, you should restart the
server.
Logging Type
Enables you to specify either File, for flat file logging, or
DB for database logging.

Caution –
If either of the following attributes (Database User
Name or Database User Password) is invalid, it will seriously affect Federation Manager processing.
If Federation Manager or the Federation Manager Console becomes unstable, set the com.iplanet.am.logstatus property in AMConfig.properties to INACTIVE.
After setting the property, restart the server, log in to the
console and reset the invalid attribute. Then, change the value of
the logstatus property back to ACTIVE and
restart the server.
Database User Name
This attribute accepts the name of the user that will connect
to the database when the Logging Type attribute is set to DB.
Database User Password
This attribute accepts the database user password when the Logging
Type attribute is set to DB.
Database User Password (confirm)
Confirm the database password.
Database Driver Name
This attribute enables you to specify the driver used for the
logging implementation class.
Configurable Log Fields
Represents the list of fields that are to be logged. By default,
all of the fields are logged. The fields are:
- DOMAIN
- HOSTNAME
- IPADDR
- LOGGED BY
- LOGLEVEL
- LOGINID
- MODULENAME
At minimum you should log CONTEXTID, DOMAIN, HOSTNAME, LOGINID
and MESSAGEID.
Maximum Number of Records
This attribute sets the maximum number of records that the Java LogReader interface returns, regardless of how many
records match the read query. By default, it is set to 500. This attribute
can be overridden by the caller of the Logging API through the LogQuery class.
Number of Files per Archive
This attribute is only applicable to secure logging. It specifies
when the log files and keystore need to be archived, and the secure
keystore regenerated, for subsequent secure logging. The default is
five files per logger.
Buffer Size
This attribute specifies the maximum number of log records to
be buffered in memory before the logging service attempts to write
them to the logging repository. The default is one record.
DB Failure Memory Buffer Size
This attribute defines the maximum number of log records held
in memory if database logging fails. This attribute is only applicable
when DB is specified as the Logging Type. When the Logging Service
loses connection to the database, it will buffer up to the number
of records specified. This attribute defaults to twice the
value defined in the Buffer Size attribute.
Buffer Time
This attribute defines the amount of time that the log records
will be buffered in memory before they are sent to the logging service
to be logged. This attribute applies if Enable Time Buffering is ON.
The default is 3600 seconds.
Enable Time Buffering
When selected as ON, Federation Manager will set a time limit for log records
to be buffered in memory. The amount of time is set in the Buffer
Time attribute.
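The rules stated for the Logging attributes above (a history count of 0 meaning 1, no history files for DB, the DB failure buffer defaulting to twice the Buffer Size, Buffer Time applying only with time buffering ON, and the recommended minimum fields) can be applied mechanically to a proposed configuration. The following is an added example, not Federation Manager code; the attribute names are the labels from this section and the sample attribute set is constructed.

```python
# Recommended minimum set of Configurable Log Fields from the text.
REQUIRED_FIELDS = {"CONTEXTID", "DOMAIN", "HOSTNAME", "LOGINID", "MESSAGEID"}

DEFAULTS = {
    "Logging Type": "FILE",
    "Number of History Files": 3,
    "Buffer Size": 1,
    "DB Failure Memory Buffer Size": None,  # None: derive as 2 x Buffer Size
    "Enable Time Buffering": "OFF",
    "Buffer Time": 3600,
    "Configurable Log Fields": None,        # None: all fields are logged
}

def effective_logging_config(attrs):
    """Merge attrs over the defaults and apply the rules stated for each
    attribute; return (effective settings, list of warnings)."""
    cfg = {**DEFAULTS, **attrs}
    warnings = []
    if cfg["Logging Type"] == "FILE":
        if cfg["Number of History Files"] == 0:
            cfg["Number of History Files"] = 1       # 0 is treated as 1
        cfg["DB Failure Memory Buffer Size"] = None  # only meaningful for DB
    elif cfg["Logging Type"] == "DB":
        cfg["Number of History Files"] = None        # no history files for DB
        if cfg["DB Failure Memory Buffer Size"] is None:
            cfg["DB Failure Memory Buffer Size"] = 2 * cfg["Buffer Size"]
        if not cfg.get("Database User Name"):
            warnings.append("Database User Name is empty; an invalid value "
                            "seriously affects Federation Manager processing")
    if cfg["Enable Time Buffering"] != "ON":
        cfg["Buffer Time"] = None   # applies only when time buffering is ON
    if cfg["Configurable Log Fields"] is not None:
        missing = sorted(REQUIRED_FIELDS - set(cfg["Configurable Log Fields"]))
        if missing:
            warnings.append("minimum log fields not logged: " + ", ".join(missing))
    return cfg, warnings

# Constructed sample: database logging with a field list below the minimum.
SAMPLE_DB_ATTRS = {
    "Logging Type": "DB",
    "Number of History Files": 0,
    "Buffer Size": 10,
    "Database User Name": "fmlog",
    "Configurable Log Fields": ["DOMAIN", "HOSTNAME", "LOGINID"],
}

if __name__ == "__main__":
    settings, problems = effective_logging_config(SAMPLE_DB_ATTRS)
    print(settings["DB Failure Memory Buffer Size"], problems)  # 20 [...]
```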
Naming
The Naming service is used to get and set URLs, plug-ins and
configurations as well as request notifications for various other Federation Manager services
such as session, authentication, logging, SAML and Federation. This
service enables clients to find the correct service URL if the platform
is running more than one instance of Federation Manager. When a naming URL is found,
the naming service will decode the session of the user and dynamically
replace the protocol, host, and port with the parameters from the
session. This ensures that the URL returned for the service is for
the host that the user session was created on. The Naming attributes
are:
Profile Service URL
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/profileservice.
This syntax allows for dynamic substitution of the profile URL
based on the server host, port number, and deployment URI.
Session Service URL
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/sessionservice.
This syntax allows for dynamic substitution of the session URL
based on the server host, port number, and deployment URI.
Logging Service URL
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/loggingservice.
This syntax allows for dynamic substitution of the logging URL
based on the server host, port number, and deployment URI.
Policy Service URL
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/policyservice.
This syntax allows for dynamic substitution of the policy URL
based on the server host, port number, and deployment URI.
Authentication Service URL
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/authservice.
This syntax allows for dynamic substitution of the authentication
URL based on the server host, port number, and deployment URI.
SAML Web Profile/Artifact Service URL
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/SAMLAwareServlet.
This syntax allows for dynamic substitution of the SAML web
profile/artifact URL based on the server host, port number, and deployment
URI.
SAML SOAP Service URL
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/SAMLSOAPReceiver.
This syntax allows for dynamic substitution of the SAML SOAP
URL based on the server host, port number, and deployment URI.
SAML Web Profile/POST Service URL
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/SAMLPOSTProfileServlet.
This syntax allows for dynamic substitution of the SAML web
profile/POST URL based on the server host, port number, and deployment
URI.
SAML Assertion Manager Service URL
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/AssertionManagerServlet/AssertionManagerIF.
This syntax allows for dynamic substitution of the SAML Assertion
Manager Service URL based on the server host, port number, and deployment
URI.
Federation Assertion Manager Service URL
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/FSAssertionManagerServlet/FSAssertionManagerIF.
This syntax allows for dynamic substitution of the Federation
Assertion Manager Service URL based on the server host, port number,
and deployment URI.
Security Token Manager URL
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/SecurityTokenManagerServlet/SecurityTokenManagerIF/.
This syntax allows for dynamic substitution of the Security
Token Manager URL based on the server host, port number, and deployment
URI.
JAXRPC Endpoint URL
This field takes a value equal to protocol://host:port/Server_DEPLOY_URI/jaxrpc/.
This syntax allows for dynamic substitution of the JAXRPC Endpoint
URL based on the server host, port number, and deployment URI.
Platform
The Platform service is where additional servers can be added
to the Federation Manager configuration as well as other options applied at the
top level of the application. The Platform service attributes are
global attributes. The attributes are:
Server List
This list contains the Federation Manager server instances. If the host specified
in a request for a service URL is not in this list, the request is
rejected.
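The substitution the Naming service performs (described above under Naming) and the Server List check just described can be shown together. The following is an added example, not Federation Manager code: the server list entries, the session record and the deployment URI are constructed, and the protocol://host:port form of the list entries is an assumption of this example.

```python
# Constructed Platform Server List: the Federation Manager instances that
# may appear in a service URL, as protocol://host:port origins.
SERVER_LIST = {"https://fm1.example.com:443", "https://fm2.example.com:443"}

# Naming templates in the form given in the text; two are enough here.
NAMING_TEMPLATES = {
    "sessionservice": "protocol://host:port/Server_DEPLOY_URI/sessionservice",
    "loggingservice": "protocol://host:port/Server_DEPLOY_URI/loggingservice",
}

def session_origin(session):
    """protocol://host:port of the instance the session was created on."""
    return f"{session['protocol'].lower()}://{session['host'].lower()}:{session['port']}"

def resolve_service_url(service, session, deploy_uri, server_list=SERVER_LIST):
    """Substitute the session's protocol, host and port into the template so
    the returned URL points at the instance that created the session. A host
    that is not in the Server List is rejected rather than substituted."""
    origin = session_origin(session)
    if origin not in {s.lower() for s in server_list}:
        raise ValueError(f"{origin} is not in the Server List; request rejected")
    template = NAMING_TEMPLATES[service]
    return (template.replace("protocol://host:port", origin)
                    .replace("Server_DEPLOY_URI", deploy_uri.strip("/")))

# Constructed session parameters, as decoded by the naming service.
SESSION = {"protocol": "https", "host": "FM2.example.com", "port": 443}

if __name__ == "__main__":
    print(resolve_service_url("sessionservice", SESSION, "/federation"))
    # https://fm2.example.com:443/federation/sessionservice
```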
Platform Locale
The platform locale value is the default language subtype that Federation Manager was
installed with. The authentication, logging and administration services
are administered in the language of this value. The default is en_US.
Cookie Domains
The list of domains that will be returned in the cookie header
when setting a cookie to the user's browser during authentication.
If empty, no cookie domain will be set. In other words, the Federation Manager session
cookie will only be forwarded to the Federation Manager itself and to no other servers
in the domain.
If SSO is required with other servers in the domain, this attribute
must be set with the cookie domain. If you had two interfaces in different
domains on one Federation Manager then you would need to set both cookie domains
in this attribute. If a load balancer is used, the cookie domain must
be that of the load balancer's domain, not the servers behind the
load balancer. The default value for this field is the domain of the
installed Federation Manager.
Login Service URL
This field specifies the URL of the login page. The default
value for this attribute is /Service_DEPLOY_URI/UI/Login.
Logout Service URL
This field specifies the URL of the logout page. The default
value for this attribute is /Service_DEPLOY_URI/UI/Logout.
Available Locales
This attribute stores all available locales configured for the
platform. Consider an application that lets the user choose the user's
locale. This application would get this attribute from the platform
profile and present the list of locales to the user. The user would
choose a locale and the application would set this in the user entry preferredLocale.
Client Character Sets
This attribute specifies the character set for different clients
at the platform level. It contains a list of client types and the
corresponding character sets.
Note –
This attribute is not currently supported.
Session
The Session module provides a solution for viewing user session
information and managing user sessions. It keeps track of various
session times as well as allowing the administrator to invalidate
a session. The Session attributes are:
Maximum Number of Search Results
This attribute specifies the maximum number of results returned
by a session search. The default value is 120.
Timeout For Search (Seconds)
This attribute defines the maximum amount of time before a
session search terminates. The default value is 5 seconds.
Max Session Time (Minutes)
This attribute accepts a value in minutes to express the maximum
time before the session expires and the user must reauthenticate to
regain access. A value of 1 or higher will be accepted. The default
value is 120. Max Session Time limits the validity of the session.
It does not get extended beyond the configured value.
Tip –
To balance the requirements of security and convenience,
consider setting the Max Session Time interval to a higher value and
setting the Max Idle Time interval to a relatively low value.
Max Idle Time (Minutes)
This attribute accepts a value (in minutes) equal to the maximum
amount of time without activity before a session expires and the user
must reauthenticate to regain access. A value of 1 or higher will
be accepted. The default value is 30.
Max Caching Time (Minutes)
This attribute accepts a value (in minutes) equal to the maximum
interval before the client contacts Federation Manager to refresh cached session
information. A value of 0 or higher will be accepted. The default
value is 3. It is recommended that the maximum caching time should
always be less than the maximum idle time.
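The three timing attributes interact: Max Session Time is an absolute limit counted from creation and never extended, Max Idle Time is measured from the last activity, and Max Caching Time bounds how long a client trusts its cached copy before checking back. The following is an added example, not Federation Manager code, that applies those rules to a constructed timeline and checks a configuration against the stated minimums and the caching-below-idle recommendation; the attribute keys are this example's own.

```python
from datetime import datetime, timedelta

# Session attribute defaults from the text (all in minutes).
SESSION_DEFAULTS = {"max_session": 120, "max_idle": 30, "max_cache": 3}

def check_session_config(cfg):
    """Problems with a Session configuration: the accepted minimums plus
    the recommendation that caching time stay below idle time."""
    problems = []
    if cfg["max_session"] < 1:
        problems.append("Max Session Time must be 1 or higher")
    if cfg["max_idle"] < 1:
        problems.append("Max Idle Time must be 1 or higher")
    if cfg["max_cache"] < 0:
        problems.append("Max Caching Time must be 0 or higher")
    if cfg["max_cache"] >= cfg["max_idle"]:
        problems.append("Max Caching Time should be less than Max Idle Time")
    return problems

def session_state(created, last_access, now, cfg=SESSION_DEFAULTS):
    """'expired: ...' once the absolute limit (counted from creation and
    never extended by activity) or the idle limit is reached, else 'valid'."""
    if now - created >= timedelta(minutes=cfg["max_session"]):
        return "expired: max session time"
    if now - last_access >= timedelta(minutes=cfg["max_idle"]):
        return "expired: max idle time"
    return "valid"

def cache_stale(cached_at, now, cfg=SESSION_DEFAULTS):
    """True when a client must contact Federation Manager to refresh its
    cached copy of the session instead of trusting the cache."""
    return now - cached_at >= timedelta(minutes=cfg["max_cache"])

# Constructed timeline: session created at 09:00; at(n) is n minutes later.
CREATED = datetime(2024, 1, 1, 9, 0)
def at(minutes):
    return CREATED + timedelta(minutes=minutes)

if __name__ == "__main__":
    print(session_state(CREATED, at(100), at(119)))  # valid
    print(session_state(CREATED, at(119), at(120)))  # expired: max session time
    print(session_state(CREATED, at(60), at(90)))    # expired: max idle time
    print(check_session_config({"max_session": 480, "max_idle": 10, "max_cache": 15}))
```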