Contained WithinFind More DocumentationFeatured Support Resources |  Download this book in PDF (1503 KB)
Part II Configuration Attribute ReferenceChapter 5 Configuration AttributesThe Configuration page contains all of the attributes to configure Access Manager's default services. The attributes that comprise an Access Manager service are classified as one of the following types (some services may have more than one type): Global – Applied across the Access Manager configuration. They cannot be applied to users, roles or realms as the goal of global attributes is to customize the Identity Server application. Realm – Realm attributes are only assigned to realms. No object classes are associated with realm attributes. Attributes listed in the authentication services are defined as realm attributes because authentication is done at the realm level rather than at a subtree or user level. Dynamic – Assigned to an Access Manager configured role or realm. When the role is assigned to a user or a user is created in an realm, the dynamic attribute then becomes a characteristic of the user. User – Assigned directly to each user. They are not inherited from a role or an realm and, typically, are different for each user. The Configuration properties you can modify are: AuthenticationAccess Manager is installed with a set of default authentication module types. An authentication module instance is a plug-in that collects user information such as a user ID and password, checks the information against entries in a database, and allows or denies access to the user. Multiple instances of the same type can be created and configured separately. This section provides attribute descriptions that configure the default authentication module types. AnonymousThis module type allows a user to log in without specifying credentials. You can create an Anonymous user so that anyone can log in as Anonymous without having to provide a password. Anonymous connections are usually customized by the Access Manager administrator so that Anonymous users have limited access to the server. The Anonymous authentication attributes are realm attributes. The attributes are: Valid Anonymous UsersContains a list of user IDs that have permission to login without providing credentials. If a user's login name matches a user ID in this list, access is granted and the session is assigned to the specified user ID. If this list is empty, accessing the following default module instance login URL will be authenticated as the Default Anonymous User Name: protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name If this list is not empty, accessing Default module instance login URL (same as above) will prompt the user to enter any valid Anonymous user name. If this list is not empty, the user can log in without seeing the login page by accessing the following URL: protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name&IDToken1=<valid Anonymous username> Default Anonymous User NameDefines the user ID that a session is assigned to if Valid Anonymous User List is empty and the following default module instance login URL is accessed: protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name The default value is anonymous. An Anonymous user must also be created in the realm. Note – If Valid Anonymous User List is not empty, you can login without accessing the login page by using the user defined in Default Anonymous User Name. This can be done by accessing the following URL: protocol://server_host.server_domain:server_port/server_deploy_uri/UI/Login?module=Anonymous&org=org_name&IDToken1= DefaultAnonymous User Name Case Sensitive User IDsIf enabled, this option allows for case-sensitivity for user IDs. By default, this attribute is not enabled. Authentication LevelThe authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0. Note – If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level. Active DirectoryThis module type works similarly to the LDAP authentication module type, but uses the Microsoft Active Directory instead of an LDAP directory. Using this module type makes it possible to have both LDAP and Active Directory coexist under the same realm. The Active Directory authentication attributes are realm attributes. The attributes are: Primary Active Directory ServerSpecifies the host name and port number of the primary Active Directory server specified during Access Manager installation. This is the first server contacted for Active Directory authentication. The format ishostname:port. If there is no port number, assume 389. If you have Access Manager deployed with multiple domains, you can specify the communication link between specific instances of Access Manager and Directory Server in the following format (multiple entries must be prefixed by the local server name): local_servername|server:port local_servername2|server2:port2 ... For example, if you have two Access Manager instances deployed in different locations (L1-machine1-IS and L2- machine2-IS) communicating with different instances of Directory Server (L1-machine1-DS and L2-machine2-DS), it would look the following: L1-machine1-IS.example.com|L1-machine1-DS.example.com:389 L2-machine2-IS.example.com|L2-machine2-DS.example.com:389 Secondary Active Directory ServerSpecifies the host name and port number of a secondary Active Directory server available to the Access Manager platform. If the primary Active Directory server does not respond to a request for authentication, this server would then be contacted. If the primary server is up, Access Manager will switch back to the primary server. The format is also hostname:port. Multiple entries must be prefixed by the local server name.  Caution – When authenticating users from a Directory Server that is remote from the Access Manager enterprise, it is important that both the Primary and Secondary LDAP Server Ports have values. The value for one Directory Server location can be used for both fields. DN to Start User SearchSpecifies the DN of the node where the search for a user would start. (For performance reasons, this DN should be as specific as possible.) The default value is the root of the directory tree. Any valid DN will be recognized. If OBJECT is selected in the Search Scope attribute, the DN should specify one level above the level in which the profile exists. Multiple entries must be prefixed by the local server name. The format is servername|search dn. For multiple entries: servername1|search dn servername2|search dn servername3|search dn... If multiple entries exist under the root organization with the same user ID, then this parameter should be set so that the only one entry can be searched for or found in order to be authenticated. For example, in the case where the agent ID and user ID is same under root org, this parameter should be ou=Agents for the root organization to authenticate using Agent ID and ou=People, for the root organization to authenticate using User ID. DN for Root User BindSpecifies the DN of the user that will be used to bind to the Directory Server specified in the Primary LDAP Server and Port field as administrator. The authentication service needs to bind as this DN in order to search for a matching user DN based on the user login ID. The default is amldapuser. Any valid DN will be recognized. Make sure that password is correct before you logout. If it is incorrect, you will be locked out. If this should occur, you can login with the super user DN in the com.iplanet.authentication.super.user property in the AMConfig.Properties file. By default, this the amAdmin account with which you would normally log in, although you will use the full DN. For example: uid_amAdmin,ou=People,AccessManager-base Password for Root User BindCarries the password for the administrator profile specified in the DN for Root User Bind field. There is no default value. Only the administrator's valid Active Directory password is recognized. Password for Root User Bind (confirm)Confirm the password. Attribute Used to Retrieve User ProfileSpecifies the attribute used for the naming convention of user entries. By default, Access Manager assumes that user entries are identified by the uid attribute. If your Directory Server uses a different attribute (such as givenname) specify the attribute name in this field. Attributes Used to Search for a User to be AuthenticatedLists the attributes to be used to form the search filter for a user that is to be authenticated, and allows the user to authenticate with more than one attribute in the user's entry. For example, if this field is set to uid, employeenumber , and mail, the user could authenticate with any of these names. User Search FilterSpecifies an attribute to be used to find the user under the DN to Start User Search field. It works with the User Naming Attribute. There is no default value. Any valid user entry attribute will be recognized. Search ScopeIndicates the number of levels in the Directory Server that will be searched for a matching user profile. The search begins from the node specified in DN to Start User Search. The default value is SUBTREE. One of the following choices can be selected from the list:
SSL Access to Active Directory ServerEnables SSL access to the Directory Server specified in the Primary and Secondary Server and Port field. By default, the box is not checked and the SSL protocol will not be used to access the Directory Server. If the Active Directory server is running with SSL enabled (LDAPS), you must make sure that Access Manager is configured with proper SSL trusted certificates so that AM could connect to Directory server over LDAPS protocol Return User DN to AuthenticateWhen the Access Manager directory is the same as the directory configured for Active Directory, this option may be enabled. If enabled, this option allows the Active Directory authentication module instance to return the DN instead of the User ID, and no search is necessary. Normally, an authentication module instance returns only the User ID, and the authentication service searches for the user in the local Access Manager instance. If an external Active Directory is used, this option is typically not enabled. Active Directory Server Check IntervalThis attribute is used for Active Directory Server failback. It defines the number of minutes in which a thread will “sleep” before verifying that the primary Active Directory server is running. User Creation AttributesThis attribute is used by the Active Directory authentication module instance when the Active Directory server is configured as an external Active Directory server. It contains a mapping of attributes between a local and an external Directory Server. This attribute has the following format: attr1|externalattr1 attr2|externalattr2 When this attribute is populated, the values of the external attributes are read from the external Directory Server and are set for the internal Directory Server attributes. The values of the external attributes are set in the internal attributes only when the User Profileattribute (in the Core Authentication module type) is set to Dynamically Created and the user does not exist in local Directory Server instance. The newly created user will contain the values for internal attributes, as specified in User Creation Attributes List, with the external attribute values to which they map. Authentication LevelThe authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0. Note – If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level. Authentication ConfigurationOnce an authentication module instance is defined, the instance can be configured for authentication module chaining, to supply redirect URLs, and a post-processing Java class specification based on a successful or failed authentication process. Before an authentication module instance can be configured, the Core authentication attribute Organization Authentication Configuration must be modified to include the specific authentication module instance name. CertificateThis module enables a user to log in through a personal digital certificate (PDC). The module instance can require the use of the Online Certificate Status Protocol (OCSP) to determine the state of a certificate. Use of the OCSP is optional. The user is granted or denied access to a resource based on whether or not the certificate is valid. The Certificate authentication attributes are realm attributes. The attributes are: Match Certificate in LDAPSpecifies whether to check if the user certificate presented at login is stored in the LDAP Server. If no match is found, the user is denied access. If a match is found and no other validation is required, the user is granted access. The default is that the Certificate Authentication service does not check for the user certificate. Note – A certificate stored in the Directory Server is not necessarily valid; it may be on the certificate revocation list. See Match Certificate to CRL. However, the web container may check the validity of the user certificate presented at login. Subject DN Attribute Used to Search LDAP for CertificatesSpecifies the attribute of the certificate's SubjectDN value that will be used to search LDAP for certificates. This attribute must uniquely identify a user entry. The actual value will be used for the search. The default is cn. Match Certificate to CRLSpecifies whether to compare the user certificate against the Certificate Revocation List (CRL) in the LDAP Server. The CRL is located by one of the attribute names in the issuer's SubjectDN. If the certificate is on the CRL, the user is denied access; if not, the user is allowed to proceed. This attribute is, by default, not enabled. Certificates should be revoked when the owner of the certificate has changed status and no longer has the right to use the certificate or when the private key of a certificate owner has been compromised. When the Certificate authentication module possesses a client certificate for authentication, it checks the configured option first. If CRL validation is enabled, it accesses the CRL from the local Directory Server. If the CRL is valid, it validates the client certificate with the current CRL from the local Directory Server. If the CRL is not valid or needs to be updated, it retrieves CRLDP information from the client certificate and gets a new CRL from the CRLDP and replaces the old CRL with a new one. If the CRL is not valid or needs to be updated but the client certificate does not have CRLDP, it retrieves IssuingDP information from the current CRL and gets the new CRL from the IssuingDP and replaces the old CRL with a new one. It then validates the client certificate with this new CRL. Issuer DN Attribute Used to Search LDAP for CRLsSpecifies the attribute of the received certificate's issuer subjectDN value that will be used to search LDAP for CRLs. This field is used only when the Match Certificate to CRL attribute is enabled. The actual value will be used for the search. The default is cn. HTTP Parameters for CRL UpdateSpecifies the HTTP parameters for obtaining a CRL from a servlet for a CRL update. Contact the administrator of your CA for these parameters. OCSP ValidationEnables OCSP validation to be performed by contacting the corresponding OCSP responder. The OCSP responder is decided as follows during runtime:
Before enabling OCSP Validation, make sure that the time of the Access Manager machine and the OCSP responder machine are in sync as close as possible. Also, the time on the Access Manager machine must not be behind the time on the OCSP responder. For example: OCSP responder machine - 12:00:00 pm Access Manager machine - 12:00:30 pm LDAP Server Where Certificates are StoredSpecifies the name and port number of the LDAP server where the certificates are stored. The default value is the host name and port specified when Access Manager was installed. The host name and port of any LDAP Server where the certificates are stored can be used. The format is hostname:port. LDAP Start Search DNSpecifies the DN of the node where the search for the user's certificate should start. There is no default value. The field will recognize any valid DN. Multiple entries must be prefixed by the local server name. The format is as follows: servername|search dn For multiple entries: servername1|search dn servername2|search dn servername3|search dn... If multiple entries exist under the root organization with the same user ID, then this parameter should be set so that the only one entry can be searched for or found in order to be authenticated. For example, in the case where the agent ID and user ID is same under root org, this parameter should be ou=Agents for the root organization to authenticate using Agent ID and ou=People, for the root organization to authenticate using User ID. LDAP Server Principal UserThis field accepts the DN of the principal user for the LDAP server where the certificates are stored. There is no default value for this field which will recognize any valid DN. The principal user must be authorized to read, and search certificate information stored in the Directory Server. LDAP Server Principal PasswordThis field carries the LDAP password associated with the user specified in the LDAP Server Principal User field. There is no default value for this field which will recognize the valid LDAP password for the specified principal user. This value is stored as readable text in the directory. LDAP Server Principal Password (confirm)Confirm the password. LDAP Attribute for Profile IDSpecifies the attribute in the Directory Server entry that matches the certificate whose value should be used to identify the correct user profile. There is no default value for this field which will recognize any valid attribute in a user entry (cn, sn, and so forth) that can be used as the UserID. Use SSL for LDAP AccessSpecifies whether to use SSL to access the LDAP server. The default is that the Certificate Authentication service does not use SSL for LDAP access. Certificate Field Used to Access User ProfileSpecifies which field in the certificate's Subject DN should be used to search for a matching user profile. For example, if you choose email address, the certificate authentication service will search for the user profile that matches the attribute emailAddr in the user certificate. The user logging in then uses the matched profile. The default field is subject CN. The list contains:
Other Certificate Field Used to Access User ProfileIf the value of the Certificate Field Used to Access User Profile attribute is set to other, then this field specifies the attribute that will be selected from the received certificate's subjectDN value. The authentication service will then search the user profile that matches the value of that attribute. Trusted Remote HostsDefines a list of trusted hosts that can be trusted to send certificates to Access Manager. Access Manager must verify whether the certificate emanated from one of these hosts. This attribute is only used for SSL termination.
SSL Port NumberSpecifies the port number for the secure socket layer. Currently, this attribute is only used by the Gateway servlet. Before you add or change an SSL Port Number, see the "Policy-Based Resource Management" section in the Access Manager Administration Guide. HTTP Header Name for Client CertificateThis attribute is used only when the Trusted Remote Hosts attribute is set to all or has a specific host name defined. The administrator must specify the http header name for the client certificate that is inserted by the load balancer or SRA. Authentication LevelThe authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0. Note – If no authentication level is specified, the SSO token stores the value specified in the Core authentication attribute Default Authentication Level. CoreThis module is the general configuration base for the Access Manager authentication services. It must be registered and configured to use any of the specific authentication module instances. It enables the administrator to define default values that will be picked up for the values that are not specifically set in the Access Manager default authentication modules. The Core attributes are global and realm. The attributes are: Pluggable Authentication Module ClassesSpecifies the Java classes of the authentication modules available to any realm configured within the Access Manager platform. You can write custom authentication modules by implementing the AMLoginModule SPI or the JAAS LoginModule SPI. For more information, see the Access Manager Developer's Guide. To define new services, this field must take a text string specifying the full class name (including package name) of each new authentication service. Supported Authentication Module for ClientsSpecifies a list of supported authentication modules for a specific client. The format is as follows: clientType | module1,module2,module3 This attribute is in effect when Client Detection is enabled. LDAP Connection Pool SizeSpecifies the minimum and maximum connection pool to be used on a specific LDAP server and port. This attribute is for LDAP and Membership authentication services only. The format is as follows: host:port:min:max Note – This connection pool is different than the SDK connection pool configured in serverconfig.xml. Default LDAP Connection Pool SizeSets the default minimum and maximum connection pool to be used with all LDAP authentication module configurations. If an entry for the host and port exists in the LDAP Connection Pool Size attribute, the minimum and maximum settings will not be used from LDAP Connection Default Pool Size. User ProfileThis option enables you to specify options for a user profile. The options are:
Administrator Authentication ConfigurationDefines the authentication service for administrators only. This attribute can be used if the authentication module for administrators needs to be different from the module for end users. The modules configured in this attribute are picked up when the Access Manager console is accessed. For example: http://servername.port/console_deploy_uri User Profile Dynamic Creation Default RolesThis field specifies the roles assigned to a new user whose profiles are created if Dynamic Creation is selected through the User Profile. There is no default value. The administrator must specify the DNs of the roles that will be assigned to the new user. Note – The role specified must be under the realm for which authentication is being configured. This role can be either an Access Manager or LDAP role, but it cannot be a filtered role. If you wish to automatically assign specific services to the user, you have to configure the Required Services attribute in the User Profile. Persistent Cookie ModeThis option determines whether users can restart the browser and still return to their authenticated session. User sessions can be retained by enabling Enable Persistent Cookie Mode. When Enable Persistent Cookie Mode is enabled, a user session does not expire until its persistent cookie expires, or the user explicitly logs out. The expiration time is specified in Persistent Cookie Maximum Time. The default value is that Persistent Cookie Mode is not enabled and the authentication service uses only memory cookies. Note – A persistent cookie must be explicitly requested by the client using the iPSPCookie=yes parameter in the login URL. Persistent Cookie Maximum TimeSpecifies the interval after which a persistent cookie expires. The interval begins when the user's session is successfully authenticated. The maximum value is 2147483647 (time in seconds). The field will accept any integer value less than the maximum. Alias Search Attribute NameAfter successful authentication by a user, the user's profile is retrieved. This field specifies a second LDAP attribute to search from if a search on the first LDAP attribute fails to locate a matching user profile. Primarily, this attribute will be used when the user identification returned from an authentication module is not the same as that specified in User Naming Attribute. For example, a RADIUS server might return abc1234 but the user name is abc. There is no default value for this attribute. The field will take any valid LDAP attribute (for example, cn). Default Authentication LocaleSpecifies the default language subtype to be used by the authentication service. The default value is en_US. See Supported Language Locales for a listing of valid language subtypes. In order to use a different locale, all authentication templates for that locale must first be created. A new directory must then be created for these templates. See "Login URL Parameters" in the Administration Guide for more information. Organization Authentication ConfigurationSets the authentication module for the organization. The default authentication module is LDAP. Login Failure Lockout ModeSpecifies whether a user can attempt a second authentication if the first attempt failed. Selecting this attribute enables a lockout and the user will have only one chance at authentication. By default, the lockout feature is not enabled. This attribute works in conjunction with Lockout-related and notification attributes. Login Failure Lockout CountDefines the number of attempts that a user may try to authenticate, within the time interval defined in Login Failure Lockout Interval, before being locked out. Login Failure Lockout IntervalDefines (in minutes) the time between two failed login attempts. If a login fails and is followed by another failed login that occurs within the lockout interval, then the lockout count is incremented. Otherwise, the lockout count is reset. Email Address to Send Lockout NotificationSpecifies an email address that will receive notification if a user lockout occurs. To send email notification to multiple addresses, separate each email address with a space. For non-English locales, the format is: email_address|locale|charset Warn User After N FailuresSpecifies the number of authentication failures that can occur before Access Manager sends a warning message that the user will be locked out. Login Failure Lockout DurationEnables memory locking. By default, the lockout mechanism will inactivate the User Profile (after a login failure) defined in Lockout Attribute Name. If the value of Login Failure Lockout Duration is greater than 0, then its memory locking and the user account will be locked for the number of minutes specified. Lockout Attribute NameDesignates any LDAP attribute that is to be set for lockout. The value in Lockout Attribute Value must also be changed to enable lockout for this attribute name. By default, Lockout Attribute Name is empty in the Access Manager Console. The default implementation values are inetuserstatus (LDAP attribute) and inactive when the user is locked out and Login Failure Lockout Duration is set to 0. Lockout Attribute ValueThis attribute specifies whether lockout is enabled or disabled for the attribute defined in Lockout Attribute Name. By default, the value is set to inactive for inetuserstatus. Default Success Login URLThis field accepts a list of multiple values that specify the URL to which users are redirected after successful authentication. The format of this attribute is clientType|URL, although you can specify only the value of the URL which assumes a default type of HTML. The default value is /amserver/console . Default Failure Login URLThis field accepts a list of multiple values that specify the URL to which users are redirected after an unsuccessful authentication. The format of this attribute is clientType|URL, although you can specify only the value of the URL which assumes a default type of HTML. Authentication Post Processing ClassSpecifies the name of the Java class used to customize post authentication processes for successful or unsuccessful logins. Example: com.abc.authentication.PostProcessClass The Java class must implement the following Java interface: com.sun.identity.authentication.spi.AMPostAuthProcessInterface Additionally, you must add the path to where the class is located to the Web Server's Java Classpath attribute. Generate UserID ModeThis attribute is used by the Membership authentication module. If this attribute field is enabled, the Membership module is able to generate user IDs, during the Self Registration process, for a specific user if the user ID already exists. The user IDs are generated from the Java class specified in Pluggable User Name Generator Class. Pluggable User Name Generator ClassSpecifies the name of the Java class is used to generate User IDs when Enable Generate UserID Mode is used. Identity TypesLists the type or types of identities for which Access Manager will search. Pluggable User Status Event ClassesExtends the authentication SPIs to provide a callback mechanism for user status changes during the authentication process. The following status changes are supported:
Store Invalid Attempts in Data StoreIf enabled, this attribute allows the sharing of login failure attempts in a identity repository that is shared by multiple Access Manager instances. For example, if the identity repository that is used for a specific deployment is Directory Server, the invalid attempts are stored in the sunAMAuthInvalidAttemptsData (which belongs to sunAMAuthAccountLockoutobjectclass). The format of the data is stored as: <InvalidPassword><InvalidCount></InvalidCount><LastInvalidAt></LastInvalidAt><LockedoutAt></LockedoutAt><ActualLockoutDuration></ActualLockoutDuration></InvalidPassword> This information is maintained in the Directory Server for each user. As the invalid attempts occur, <InvalidCount> is increased. Module-based AuthenticationIf enabled, this attribute allows users to authenticate through module-based authentication. If this attribute is not enabled, module-based login is not allowed. All login attempts with module=< module_instance_name> will result in login failure. Default Authentication LevelThe authentication level value indicates how much to trust authentications. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application can use the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The authentication level should be set within the realm's specific authentication template. The Default Authentication Level value described here will apply only when no authentication level has been specified in the Authentication Level field for a specific realm's authentication template. The Default Authentication Level default value is 0. (The value in this attribute is not used by Access Manager but by any external application that may chose to use it.) Data StoreThe Data Store authentication module allows a login using the Identity Repository of the realm to authenticate users. Using the Data Store module removes the requirement to write an authentication plug- in module, load, and then configure the authentication module if you need to authenticate against the same data store repository. Additionally, you do not need to write a custom authentication module where flat-file authentication is needed for the corresponding repository in that realm. Authentication LevelThe authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0. Note – If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level. HTTP BasicThe HTTP authentication module allows a login using the HTTP basic authentication with no data encryption. A user name and password are requested through the use of a web browser. Credentials are validated internally using the LDAP authentication module. Authentication LevelThe authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0. Note – If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level. JDBCThe Java Database Connectivity (JDBC) authentication module allows Access Manager to authenticate users through any Structured Query Language (SQL) databases that provide JDBC-enabled drivers. The connection to the SQL database can be either directly through a JDBC driver or through a JNDI connection pool. The JDBC attributes are realm attributes. The attributes are: Connection TypeSpecifies the connection type to the SQL database, using either a JNDI (Java Naming and Directory Interface) connection pool or JDBC driver. The options are:
The JNDI connection pool utilizes the configuration from the underlying web container. Connection Pool JNDI NameIf JNDI is selected in Connection Type, this field specifies the connection pool name. Because JDBC authentication uses the JNDI connection pool provided by the web container, the setup of JNDI connection pool may not be consistent among other web containers. See the Access Manager Administration Guide for examples JDBC DriverIf JDBC is selected in Connection Type, this field specifies the JDBC driver provided by the SQL database. For example, com.mysql.jdbc.Driver. JDBC URLSpecifies the database URL if JDBC is select in Connection Type. For example, the URL for mySQL is jdbc.mysql://hostname:port/databaseName. Connect This User to DatabaseSpecifies the user name from whom the database connection is made for the JDBC connection. Password for Connecting to DatabaseDefines the password for the user specified in User to Connect to Database. Password for Connecting to Database ConfirmConfirm the password. Password Column StringSpecifies the password column name in the SQL database. Prepared StatementSpecifies the SQL statement that retrieves the password of the user that is logging in. For example:
Class to Transform Password SyntaxSpecifies the class name that transforms the password retrieved from the database, to the format of the user input, for password comparison. This class must implement the JDBCPasswordSyntaxTransform interface. Authentication LevelThe authentication level is set separately for each method of authentication. The value indicates how much to trust an authentication mechanism. Once a user has authenticated, this value is stored in the SSO token for the session. When the SSO token is presented to an application the user wants to access, the application uses the stored value to determine whether the level is sufficient to grant the user access. If the authentication level stored in an SSO token does not meet the minimum value required, the application can prompt the user to authenticate again through a service with a higher authentication level. The default value is 0. Note – If no authentication level is specified, the SSO token stores the value specified in the Core Authentication attribute Default Authentication Level.
|
|
Language Tag |
Language |
|
af |
Afrikaans |
|
be |
Byelorussian |
|
bg |
Bulgarian |
|
ca |
Catalan |
|
cs |
Czechoslovakian |
|
da |
Danish |
|
de |
German |
|
el |
Greek |
|
en |
English |
|
es |
Spanish |
|
eu |
Basque |
|
fi |
Finnish |
|
fo |
Faroese |
|
fr |
French |
|
ga |
Irish |
|
gl |
Galician |
|
hr |
Croatian |
|
hu |
Hungarian |
|
id |
Indonesian |
|
is |
Icelandic |
|
it |
Italian |
|
ja |
Japanese |
|
ko |
Korean |
|
nl |
Dutch |
|
no |
Norwegian |
|
pl |
Polish |
|
pt |
Portuguese |
|
ro |
Romanian |
|
ru |
Russian |
|
sk |
Slovakian |
|
sl |
Slovenian |
|
sq |
Albanian |
|
sr |
Serbian |
|
sv |
Swedish |
|
tr |
Turkish |
|
uk |
Ukrainian |
|
zh |
Chinese |
Console Properties
The Console properties contain services that enable you to configure the Access Manager console and to define console properties for different locales and character sets. The Console properties contain the following:
Administration
The Administration service enables you to configure the Access Manager console at both the application level as well as at a configured realm level (Preferences or Options specific to a configured realm). The Administration service attributes are global and realm attributes. The attributes are:
Federation Management
Enables Federation Management. It is selected by default. To disable this feature, deselect the field The Federation Management tab will not appear in the console.
User Management
Enables User Management. This is enabled by default. This attribute is applicable when Access Manager is installed in legacy mode.
People Containers
This attribute is deselected by default and is applicable only when Access Manager is installed in legacy mode. Selecting this attribute will display people containers under the Directory Management tab. It is recommended that you use a single people container in your DIT and then use roles to manage accounts and services. The default behavior of the Access Manager console is to hide the People Containers. However, if you have multiple people containers in your DIT, select this attribute to display People Containers as managed objects.
Organizational Unit Containers
This attribute is deselected by default and is applicable when Access Manager is installed in legacy mode. Selecting this attribute will display containers in the Directory Management tab.
Group Containers
This attribute is deselected by default and is applicable when Access Manager is installed in legacy mode. Selecting this attribute will display group containers in the Directory Management tab.
Managed Group Type
Specifies whether subscription groups created through the console are static or dynamic. The console will either create and display subscription groups that are static or dynamic, not both. (Filtered groups are always supported regardless of the value given to this attribute.) The default value is dynamic.
-
A static group explicitly lists each group member using the groupOfNames or groupOfUniqueNames object class. The group entry contains the uniqueMember attribute for each member of the group. Members of static groups are manually added; the user entry itself remains unchanged. Static groups are suitable for groups with few members.
-
A dynamic group uses a memberOf attribute in the entry of each group member. Members of dynamic groups are generated through the use of an LDAP filter which searches and returns all entries which contain the memberOf attribute. Dynamic groups are suitable for groups that have a very large membership.
-
A filtered group uses an LDAP filter to search and return members that meet the requirement of the filter. For instance, the filter can generate members with a specific uid (uid=g*) or email address (mail=*@example.com).
In the examples above, the LDAP filter would return all users whose uid begins with g or whose email address ends with example.com, respectively. Filtered groups can only be created within the User Management view by choosing Membership by Filter.
An administrator can select one of the following:
-
Dynamic - Groups created through the Membership By Subscription option will be dynamic.
-
Static - Groups created through the Membership By Subscription option will be static.
Default Role Permissions
Defines a list of default access control instructions (ACIs) or permissions that are used to grant administrator privileges when creating new roles. Select one of these ACIs for the level of privilege you wish. Access Manager ships with four default role permissions:
No Permissions — No permissions are to be set on the role.
Organization Admin — The Organization Administrator has read and write access to all entries in the configured organization.
Organization Help Desk Admin — The Organization Help Desk Administrator has read access to all entries in the configured organization and write access to the userPassword attribute.
Organization Policy Admin — The Organization Policy Administrator has read and write access to all policies in the realm. The Organization Policy Administrator can not create a referral policy.
Domain Component Tree
The Domain Component tree (DC tree) is a specific DIT structure used by many Sun Java System components to map between DNS names and realm entries.
When this option is enabled, the DC tree entry for an realm is created, provided that the DNS name of the realm is entered at the time the realm is created. The DNS name field will appear in the realm Create page. This option is only applicable to top-level realms, and will not be displayed for subrealms.
Any status change made to the inetdomainstatus attribute through the Access Manager SDK in the realm tree will update the corresponding DC tree entry status. (Updates to status that are not made through the Access Manager SDK will not be synchronized.) For example, if a new realm, sun, is created with the DNS name attribute sun.com , the following entry will be created in the DC tree:
dc=sun,dc=com,o=internet,root suffix
The DC tree may optionally have its own root suffix configured by setting com.iplanet.am.domaincomponent in AMConfig.properties. By default, this is set to the Access Manager root. If a different suffix is desired, this suffix must be created using LDAP commands. The ACIs for administrators that create realms required modification so that they have unrestricted access to the new DC tree root.
Administrative Groups
Specifies whether to create the DomainAdministrators and DomainHelpDeskAdministrators groups. If enabled, these groups are created and associated with the Organization Admin Role and Organization Help Desk Admin Role, respectively. Once created, adding or removing a user to one of these associated roles automatically adds or removes the user from the corresponding group. This behavior, however, does not work in reverse. Adding or removing a user to one of these groups will not add or remove the user in the user's associated roles.
The DomainAdministrators and DomainHelpDeskAdministrators groups are only created in realms that are created after this option is enabled.
Note –
This option does not apply to subrealms, with the exception of the root realm. At the root realm, the ServiceAdministrators and ServiceHelpDesk Administrators groups are created and associated with the Top-level Admin and Top-level Help Desk Admin roles, respectively. The same behavior applies.
Compliance User Deletion
Specifies whether a user's entry will be deleted, or just marked as deleted, from the directory. This attribute is only applicable when Access Manager is installed in legacy mode.
When a user's entry is deleted and this option is selected (true), the user's entry will still exist in the directory, but will be marked as deleted. User entries that are marked for deletion are not returned during Directory Server searches. If this option is not selected, the user's entry will be deleted from the directory.
Dynamic Administrative Roles ACIs
This attribute defines the access control instructions for the administrator roles that are created dynamically when a group or realm is configured using Access Manager. These roles are used for granting administrative privileges for the specific grouping of entries created. The default ACIs can be modified only under this attribute listing.
Note –
Administrators at the realm level have a wider scope of access than do group administrators. But, by default, when a user is added to a group administrator role, that user can change the password of anyone in the group. This would include any realm administrator who is a member of that group.
The Container Help Desk Admin role has read access to all entries in a realm and write access to the userPassword attribute in user entries only in this container unit.
The Realm Help Desk Admin has read access to all entries in a realm and write access to the userPassword attribute. When a sub—realm is created, remember that the administration roles are created in the sub-realm, not in the parent realm.
The Container Admin role has read and write access to all entries in an LDAP organizational unit. In Access Manager, the LDAP organizational unit is often referred to as a container.
The Organization Policy Administrator has read and write access to all policies, and can create, assign, modify, and delete all policies within that realm.
ThePeople Container Admin is by default, any user entry in an newly created realm is a member of that realm's People Container. The People Container Administrator has read and write access to all user entries in the realm's People Container. Keep in mind that this role DOES NOT have read and write access to the attributes that contain role and group DNs therefore, they cannot modify the attributes of, or remove a user from, a role or a group.
Other containers can be configured with Access Manager to hold user entries, group entries or even other containers. To apply an Administrator role to a container created after the realm has already been configured, the Container Admin Role or Container Help Desk Admin defaults would be used.
The Group Admin has read and write access to all members of a specific group, and can create new users, assign users to the groups they manage, and delete the users the that they have created. When a group is created, the Group Administrator role is automatically generated with the necessary privileges to manage the group. The role is not automatically assigned to a group member. It must be assigned by the group's creator, or anyone that has access to the Group Administrator Role.
The Top-level Admin has read and write access to all entries in the top-level realm. In other words, this Top-level Admin role has privileges for every configuration principal within the Access Manager application.
The Organization Administrator has read and write access to all entries in a realm. When a realm is created, the Organization Admin role is automatically generated with the necessary privileges to manage the realm.
User Profile Service Classes
Lists the services that will have a custom display in the User Profile page. The default display generated by the console may not be sufficient for some services. This attribute creates a custom display for any service, giving full control over what and how the service information is displayed. The syntax is as follows:
service name | relative url()
Services that are listed in this attribute will not display in the User Create pages. Any data configuration for a custom service display must be performed the User Profile pages.
DC Node Attribute List
Defines the set of attributes that will be set in the DC tree entry when an object is created. The default parameters are:
|
maildomainwelcomemessage |
|
preferredmailhost |
|
mailclientattachmentquota |
|
mailroutingsmarthost |
|
mailaccessproxyreplay |
|
preferredlanguage |
|
domainuidseparator |
|
maildomainmsgquota |
|
maildomainallowedserviceaccess |
|
preferredmailmessagestore |
|
maildomaindiskquota |
|
maildomaindiskquota |
|
objectclass=maildomain |
|
mailroutinghosts |
Search Filters for Deleted Objects
Defines the search filters for objects to be removed when User Compliance Deletion mode is enabled.
Default People Container
Specifies the default people container into which the user is created.
Default Groups Container
Specifies the default groups container into which the group is created.
Default Agents Container
Specifies the default agent container into which the agent is created. The default is Agents.
Groups Default People Container
Specifies the default People Container where users will be placed when they are created. There is no default value. A valid value is the DN of a people container. See the note under Groups People Container List attribute for the People Container fallback order.
Groups People Container List
Specifies a list of People Containers from which a Group Administrator can choose when creating a new user. This list can be used if there are multiple People Containers in the directory tree. (If no People Containers are specified in this list or in the Groups Default People Container field, users are created in the default Access Manager people container, ou=people.) There is no default value for this field.
The syntax for this attribute is:
dn of group | dn of people container
When a user is created, this attribute is checked for a container in which to place the entry. If the attribute is empty, the Groups Default People Container attribute is checked for a container. If the latter attribute is empty, the entry is created under ou=people .
This attribute is only applicable when Access Manager is installed in legacy mode. There is no default value.
User Profile Display Class
Specifies the Java class used by the Access Manager console when it displays the User Profile pages.
End User Profile Display Class
Specifies the Java class used by the Access Manager console when it displays the End User Profile pages.
Show Roles on User Profile Page
Specifies whether to display a list of roles assigned to a user as part of the user's User Profile page. If the parameter is not enabled (the default), the User Profile page shows the user's roles only for administrators.
Show Groups on User Profile Page
Specifies whether to display a list of groups assigned to a user as part of the user's User Profile page. If this parameter is not enabled (the default), the User Profile page shows the user's groups only for administrators.
User Self Subscription to Group
This parameter specifies whether users can add themselves to groups that are open to subscription. If the parameter is not enabled (the default), the user profile page allows the user's group membership to be modified only by an administrator. This parameter applies only when the Show Groups on User Profile Page option is selected.
User Profile Display Options
This menu specifies which service attributes will be displayed in the user profile page. An administrator can select from the following:
- UserOnly
-
Display viewable User schema attributes for services assigned to the user. User service attribute values are viewable by the user when the attribute contains the keyword Display. See the Access Manager Developer's Guide for details.
- Combined
-
Display viewable User and Dynamic schema attributes for services assigned to the user.
User Creation Default Roles
This listing defines roles that will be assigned to newly created users automatically. There is no default value. An administrator can input the DN of one or more roles.
This field only takes a full Distinguished Name address, not a role name. The roles can only be Access Manager roles, not LDAP (Directory Server) roles.
Administrative Console Tabs
This field lists the Java classes of modules that will be displayed at the top of the console. The syntax is i18N key | java class name.
The i18N key is used for the localized name of the entry in the console.
Maximum Results Returned From Search
This field defines the maximum number of results returned from a search. The default value is 200.
Do not set this attribute to a large value (greater than 1000) unless sufficient system resources are allocated.
Note –
Access Manager is preconfigured to return a maximum size of 4000 search entries. This value can be changed through the console or by using ldapmodify. If you wish to change it using ldapmodify,create a newConfig.xml, with the following values (in this example, nsSizeLimit: -1 means unlimited):
dn: cn=puser,ou=DSAME Users,ORG_ROOT_SUFFIX changetype: modify replace:nsSizeLimit nsSizeLimit: -1
Then, run ldapmodify. For example:
setenv LD_LIBRARY_PATH /opt/SUNWam/lib/:/opt/SUNWam/ldaplib/ldapsdk:/usr/lib/mps:/usr/share/lib/mps/secv1:/usr/lib/mps/secv1: $LD_LIBRARY_PATH ./ldapmodify -D "cn=Directory Manager" -w "iplanet333" -c -a -h hostname.domain -p 389 -f newConfig.xml
Modifications to this attribute done through LDAPModify will take precedence to those made through the Access Manager Console.
Timeout For Search
Defines the amount of time (in number of seconds) that a search will continue before timing out. It is used to stop potentially long searches. After the maximum search time is reached, the search terminates and returns an error. The default is 5 seconds.
Note –
Directory Server is been preconfigured with a timeout value of 120 seconds. This value can be changed through the Directory Server console or by using ldapmodify. If you wish to change it using ldapmodify,create a newConfig.xml, with the following values (this example changes the timeout from 120 seconds to 3600 seconds):
dn: cn=config changetype: modify replace:nsslapd-timelimit nsslapd-timelimit: 3600
Then, run ldapmodify. For example:
setenv LD_LIBRARY_PATH /opt/SUNWam/lib/:/opt/SUNWam/ldaplib/ldapsdk:/usr/lib/mps:/usr/share/lib/mps/secv1:/usr/lib/mps/secv1: $LD_LIBRARY_PATH ./ldapmodify -D "cn=Directory Manager" -w "iplanet333" -c -a -h hostname.domain -p 389 -f newConfig.xml
JSP Directory Name
Specifies the name of the directory that contains the JSP files for a realm. It allows administrator to have different appearance (customization) for different realm. The default value for this attribute is console. This attribute is applicable only when Access Manager is installed in legacy mode.
Online Help Documents
This field lists the online help links that will be created on the main Access Manager help page. This allows other applications to add their online help links in the Access Manager page. The format for this attribute is:
linki18nkey | html page to load | i18n properties file | remote server
The remote server attribute is an optional argument that allows you to specify the remote server on which the online help document is located. The default value is:
DSAME Help|/contents.html|amAdminModlueMsgs
This attribute is only applicable when Access Manager is installed in legacy mode.
Required Services
This field lists the services that are dynamically added to the users' entries when they are created. Administrators can choose which services are added at the time of creation. This attribute is not used by the console, but by the Access Manager SDK. Users that are dynamically created by the amadmin command line utility will be assigned the services listed in this attribute.
User Search Key
This attribute defines the attribute name that is to be searched upon when performing a simple search in the Navigation page. The default value for this attribute is cn.
For example, if you enter j* in the Name field in the Navigation frame, users whose names begins with "j" or "J" will be displayed.
User Search Return Attribute
This field defines the attribute name used when displaying the users returned from a simple search. The default of this attribute is uid cn. This will display the user ID and the user's full name.
The attribute name that is listed first is also used as the key for sorting the set of users that will be returned. To avoid performance degradation, use an attribute whose value is set in a user's entry.
User Creation Notification List
This field defines a list of email addresses that will be sent notification when a new user is created. Multiple email addresses can be specified, as in the following syntax:
e-mail|locale|charset
e-mail|locale|charset
e-mail|locale|charset
The notification list also accepts different locales by using the -|locale option.
See Supported Language Localesfor a list of locales.
The sender email ID can be changed by modifying property 497 in amProfile.properties, which is located, by default, at AccessManager-base/SUNWam/locale .
User Deletion Notification List
This field defines a list of email addresses that will be sent notification when a user is deleted. Multiple email addresses can be specified, as in the following syntax:
e-mail|locale|charset
e-mail|locale|charset
e-mail|locale|charset
The notification list also accepts different locales by using the -|locale option.
See for a list of localSupported Language Locales.
The sender email ID can be changed by modifying property 497 in amProfile.properties, which is located, by default, at AccessManager-base/SUNWam/locale .
The default sender ID is DSAME.
User Modification Notification List
Defines a list of attributes and email addresses associated with the attribute. When a user modification occurs on an attribute defined in the list, the email address associated with the attribute will be sent notification. Each attribute can have a different set of addresses associated to it. Multiple email address can be specified, as in the following syntax:
attrName e-mail| locale|charset e-mail |locale|charset .....
attrName e-mail| locale|charset e-mail |locale|charset .....
The -self keyword may be used in place of one of the addresses. This sends mail to the user whose profile was modified. For example, assume the following:
manager someuser@sun.com|self|admin@sun.com
Mail will be sent to the address specified in the manager attribute, someuser@sun.com, admin@sun, the person who modified the user (self).
The notification list also accepts different locales by using the -|locale option. For example, to send the notification to an administrator in France:
manager someuser@sun.com|self|admin@sun.com|fr SeeSupported Language Locales for a list of locales.
The attribute name is the same as it appears in the Directory Server schema, and not as the display name in the console.
Maximum Entries Displayed per Page
This attribute allows you to define the maximum rows that can be displayed per page. The default is 25. For example, if a user search returns 100 rows, there will be 4 pages with 25 rows displayed in each page.
Event Listener Classes
This attribute contains a list of listeners that receive creation, modification and deletion events from the Access Manager console.
Pre and Post Processing Classes
This field defines a list of implementation classes through plug-ins that extend the com.iplanet.am.sdk.AMCallBack class to receive callbacks during pre and post processing operations for users, realm, roles and groups. The operations are:
-
create
-
delete
-
modify
-
add users to roles/groups
-
delete users from roles/groups
You must enter the full class name of the plug-in and then change the class path of your web container (from the Access Manager installation base) to include the full path to the location of the plug-in class
External Attributes Fetch
This option enables callbacks for plug-ins to retrieve external attributes (any external application-specific attribute). External attributes are not cached in the Access Manager SDK, so this attribute allows you enable attribute retrieval per realm level. By default, this option is not enabled
Invalid User ID Characters
This attribute defines a list of characters that are not allowed in a user's name. Each character must be separated by the | character. For example:
*|(|)|&|!
UserID and Password Validation Plug-in Class
This class provides a userID and password validation plug-in mechanism. The methods of this class need to be overridden by the implementation plug-in modules that validate the userID and/or password for the user. The implementation plug-in modules will be invoked whenever a userID or password value is being added or modified using the Access Manager console, the amadmin command line interface, or using the SDK.
The plug-ins that extend this class can be configured per realm. If a plug-in is not configured for an realm, then the plug-in configured at the global level will be used.
If the validation of the plug-in fails, the plug-in module can throw an exception to notify the application to indicate the error in the userID or password supplied by the user.
Globalization Settings
The Globalization Settings service contains global attributes that enable you to configure Access Manager for different locales and character sets. The attributes are:
Charsets Supported By Each Locale
This attribute lists the character sets supported for each locale, which indicates the mapping between locale and character set. The format is as follows:
To add a New Supported Charset, click Add and define the following parameters:
- Locale
-
The new locale you wish to add. SeeSupported Language Locales for more information.
- Supported Charsets
-
Enter the supported charset for the specified locale. Charsets are delimited by a semicolon. For example, charset=charset1;charset2;charset3;...;charsetn
To edit any existing Supported Charset, click the name in the Supported Charset table. Click OK when you are finished.
Charset Aliases
This attribute lists the codeset names (which map to IANA names) that will be used to send the response. These codeset names do not need to match Java codeset names. Currently, there is a hash table to map Java character sets into IANA charsets and vice versa.
To add a New Charset Alias, click Add button and define the following parameters:
- MIME name
-
The IANA mapping name. For example, Shift_JIS
- Java Name
-
The Java character set to map to the IANA character set.
To edit any existing Charset Alias, click the name in the table. Click OK when you are finished.
Auto Generated Common Name Format
This display option allows you to define the way in which a name is automatically generated to accommodate name formats for different locales and character sets. The default syntax is as follows (please note that including commas and/or spaces in the definition will display in the name format):
en_us = {givenname} {initials} {sn}
For example, if you wanted to display a new name format for a user (User One) with a uid (11111) for the Chinese character set, define:
zh = {sn}{givenname}({uid})
The display is:
OneUser 11111
Global Properties
Global Properties contain services that enable to define password reset functionality and policy configuration for Access Manager. The services you can configure are:
Password Reset
Access Manager provides a Password Reset service to allow users to receive an email message containing a new password or to reset their password for access to a given service or application protected by Access Manager. The Password Reset attributes are realm attributes. The attributes are:
User Validation
This attribute specifies the value that is used to search for the user whose password is to be reset.
Secret Question
This field allows you to add a list of questions that the user can use to reset his/her password. To add a question, type it in the Secret Question filed and click Add. The selected questions will appear in the user's User Profile page. The user can then select a question for resetting the password. Users may create their own question if the Personal Question Enabled attribute is selected.
Search Filter
This attribute specifies the search filter to be used to find user entries.
Base DN
This attribute specifies the DN from which the user search will start. If no DN is specified, the search will start from the realm DN. You should not use cn=directorymanager as the base DN, due to proxy authentication conflicts.
Bind DN
This attribute value is used with Bind Password to reset the user password.
Bind Password
This attribute value is used with Bind DN to reset the user password.
Password Reset Option
This attribute determines the classname for resetting the password. The default classname is com.sun.identity.password.RandomPasswordGenerator . The password reset class can be customized through a plug-in. This class needs to be implemented by the PasswordGenerator interface.
Password Change Notification Option
This attribute determines the method for user notification of password resetting. The default classname is: com.sun.identity.password.EmailPassword The password notification class can be customized through a plug-in. This class needs to be implemented by the NotifyPassword interface. See the Access Manager Developer's Guide for more information.
Password Reset
Selecting this attribute will enable the password reset feature.
Personal Question
Selecting this attribute will allow a user to create a unique question for password resetting.
Maximum Number of Questions
This value specifies the maximum number of questions to be asked in the password reset page.
Force Change Password on Next Login
When enabled, this option forces the user to change his or her password on the next login. If you want an administrator, other than the top-level administrator, to set the force password reset option, you must modify the Default Permissions ACIs to allow access to that attribute.
Password Reset Failure Lockout
This attribute specifies whether to disallow users to reset their password if that user initially fails to reset the password using the Password Reset application. By default, this feature is not enabled.
Password Reset Failure Lockout Count
This attributes defines the number of attempts that a user may try to reset a password, within the time interval defined in Password Reset Failure Lockout Interval, before being locked out. For example, if Password Reset Failure Lockout Count is set to 5 and Login Failure Lockout Interval is set to 5 minutes, the user has five chances within five minutes to reset the password before being locked out.
Password Reset Failure Lockout Interval
This attribute defines (in minutes) the amount of time in which the number of password reset attempts (as defined in Password Reset Failure Lockout Count) can be completed, before being locked out.
Email Address to Send Lockout Notification
This attribute specifies an email address that will receive notification if a user is locked out from the Password Reset service. Specify multiple email address in a space-separated list.
Warn User After N Failure
This attribute specifies the number of password reset failures that can occur before Access Manager sends a warning message that user will be locked out.
Password Reset Failure Lockout Duration
This attribute defines (in minutes) the duration that user will not be able to attempt a password reset if a lockout has occurred.
Password Reset Lockout Attribute Name
This attribute contains the inetuserstatus value that is set in Password Reset Lockout Attribute Value. If a user is locked out from Password Reset, and the Password Reset Failure Lockout Duration (minutes) variable is set to 0, inetuserstatus will be set to inactive, prohibiting the user from attempting to reset his or her password.
Password Reset Lockout Attribute Value
This attribute specifies the inetuserstatus value (contained in Password Reset Lockout Attribute Name) of the user status, as either active or inactive. If a user is locked out from Password Reset, and the Password Reset Failure Lockout Duration (minutes) variable is set to 0, inetuserstatus will be set to inactive, prohibiting the user from attempting to reset his or her password.
Policy Configuration
The Policy Configuration attributes enable the administrator to set configuration global and realm properties used by the Policy service.
Global Properties
The Global Properties are:
Resource Comparator
Specifies the resource comparator information used to compare resources specified in a Policy rule definition. Resource comparison is used for both policy creation and evaluation.
Click the Add button and define the following attributes:
- Service Type
-
Specifies the service to which the comparator should be used.
- Class
-
Defines the Java class that implements the resource comparison algorithm.
- Delimiter
-
Specifies the delimiter to be used in the resource name.
- Wildcard
-
Specifies the wildcard that can be defined in resource names.
- One Level Wildcard
-
Matches zero or more characters, at the same delimiter boundary.
- Case Sensitive
-
Specifies if the comparison of the two resources should consider or ignore case. False ignores case, True considers case.
Continue Evaluation on Deny Decision
Specifies whether or not the policy framework should continue evaluating subsequent policies, even if a DENY policy decision exists. If it is not selected (default), policy evaluation would skip subsequent policies once the DENY decision is recognized.
Advices Handleable by Access Manager
Defines the names of policy advice keys for which the Policy Enforcement Point (Policy Agent) would redirect the user agent to Access Manager. If the agent receives a policy decision that does not allow access to a resource, but does posses advices, the agent checks to see whether it has a advice key listed in this attribute.
If such an advice is found, the user agent is redirected to Access Manager, potentially allowing the access to the resource.
Organization Alias Referrals
When set to Yes, this attribute allows you to create policies in sub-realms without having to create referral policies from the top-level or parent realm. You can only create policies to protect HTTP or HTTPS resources whose fully qualified hostname matches the DNSAlias of the realm. By default, this attribute is defined as No.
Realm Attributes
The LDAP Properties are:
Primary LDAP Server
Specifies the host name and port number of the primary LDAP server specified during Access Manager installation that will be used to search for Policy subjects, such as LDAP users, LDAP roles, LDAP groups, and so forth.
The format is hostname:port. For example: machine1.example.com:389
For failover configuration to multiple LDAP server hosts, this value can be a space-delimited list of hosts. The format is hostname1:port1 hostname2:port2...
For example: machine1.example1.com:389 machine2.example1.com:389
Multiple entries must be prefixed by the local server name. This is to allow specific Access Managers to be configured to talk to specific Directory Servers.
The format is servername|hostname:port For example:
machine1.example1.com|machine1.example1.com:389
machine1.example2.com|machine1.example2.com:389
For failover configuration:
AM_Server1.example1.com|machine1.example1.com:389 machine2.example.com1:389
AM_Server2.example2.com|machine1.example2.com:389 machine2.example2.com:389
LDAP Base DN
Specifies the base DN in the LDAP server from which to begin the search. By default, it is the top-level realm of the Access Manager installation.
LDAP Users Base DN
This attribute specifies the base DN used by the LDAP Users subject in the LDAP server from which to begin the search. By default, it is the top-level realm of the Access Manager installation base.
Access Manager Roles Base DN
Defines the DN of the realm or organization which is used as a base while searching for the values of Access Manager Roles. This attribute is used by the AccessManagerRoles policy subject.
LDAP Bind DN
Specifies the bind DN in the LDAP server.
LDAP Bind Password
Defines the password to be used for binding to the LDAP server. By default, the amldapuser password that was entered during installation is used as the bind user.
LDAP Organization Search Filter
Specifies the search filter to be used to find organization entries. The default is (objectclass=sunMangagedOrganization).
LDAP Organizations Search Scope
Defines the scope to be used to find organization entries. The scope must be one of the following:
-
SCOPE_BASE
-
SCOPE_ONE
-
SCOPE_SUB (default)
LDAP Groups Search Scope
Defines the scope to be used to find group entries. The scope must be one of the following:
-
SCOPE_BASE
-
SCOPE_ONE
-
SCOPE_SUB (default)
LDAP Groups Search Filter
Specifies the search filter to be used to find group entries. The default is (objectclass=groupOfUniqueNames).
LDAP Users Search Filter
Specifies the search filter to be used to find user entries. The default is (objectclass=inetorgperson).
LDAP Users Search Scope
Defines the scope to be used to find user entries. The scope must be one of the following:
-
SCOPE_BASE
-
SCOPE_ONE
-
SCOPE_SUB (default)
LDAP Roles Search Filter
Specifies the search filter to be used to find entries for roles. The default is (&(objectclass=ldapsubentry)(objectclass=nsroledefinitions)) .
LDAP Roles Search Scope
This attribute defines the scope to be used to find entries for roles. The scope must be one of the following:
-
SCOPE_BASE
-
SCOPE_ONE
-
SCOPE_SUB (default)
Access Manager Roles Search Scope
Defines the scope to be used to find entries for Access Manager Roles subject.
-
SCOPE_BASE
-
SCOPE_ONE
-
SCOPE_SUB (default)
LDAP Organization Search Attribute
Defines the attribute type for which to conduct a search on an organization. The default is o.
LDAP Groups Search Attribute
Defines the attribute type for which to conduct a search on a group. The default is cn.
LDAP Users Search Attribute
Defines the attribute type for which to conduct a search on a user. The default is uid.
LDAP Roles Search Attribute
This field defines the attribute type for which to conduct a search on a role. The default is cn.
Maximum Results Returned from Search
This field defines the maximum number of results returned from a search. The default value is 100. If the search limit exceeds the amount specified, the entries that have been found to that point will be returned.
Search Timeout
Specifies the amount of time before a timeout on a search occurs. If the search exceeds the specified time, the entries that have been found to that point will be returned
LDAP SSL
Specifies whether or not the LDAP server is running SSL. Selecting enables SSL, deselecting (default) disables SSL.
If the LDAP Server is running with SSL enabled (LDAPS), you must make sure that Access Manager is configured with proper SSL-trusted certificates so that Access Manager can connect to Directory server over LDAPS protocol.
LDAP Connection Pool Minimum Size
Specifies the minimal size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 1.
Connection Pool Maximum Size
This attribute specifies the maximum size of connection pools to be used for connecting to the Directory Server, as specified in the LDAP server attribute. The default is 10.
Selected Policy Subjects
Allows you to select a set of subject types available to be used for policy definition in the realm.
Selected Policy Conditions
Allows you to select a set of conditions types available to be used for policy definition in the realm.
Selected Policy Referrals
Allows you to select a set of referral types available to be used for policy definition in the realm.
Subject Results Time To Live
This attribute specifies the amount of time (in minutes) that a cached subject result can be used to evaluate the same policy request based on the single sign-on token.
When a policy is initially evaluated for an SSO token, the subject instances in the policy are evaluated to determine whether the policy is applicable to a given user. The subject result, which is keyed by the SSO token ID, is cached in the policy. If another evaluation occurs for the same policy for the same SSO token ID within the time specified in the Subject Result Time To Live attribute, the policy framework retrieves the cached subjects result, instead of evaluating the subject instances. This significantly reduces the time for policy evaluation.
User Alias
This attribute must be enabled if you create a policy to protect a resource whose subject's member in a remote Directory Server aliases a local user. This attribute must be enabled, for example, if you create uid=rmuser in the remote Directory Server and then add rmuser as an alias to a local user (such as uid=luser) in Access Manager. When you login as rmuser, a session is created with the local user (luser) and policy enforcement is successful.
Selected Response Providers
Defines the policy response provider plug-ins that are enabled for the realm. Only the response provider plug-ins selected in this attribute can be added to policies defined in the realm.
Selected Dynamic Response Attributes
Defines the dynamic response attributes that are enabled for the realm. Only a subset of names selected in this attribute can be defined in the dynamic attributes list in IDResponseProvider to be added to policies defined in the realm.
Session
The Session service defines values for an authenticated user session such as maximum session time and maximum idle time. The Session attributes are global, dynamic, or user attributes. The attributes are:
Secondary Configuration Instance
Provides the connection information for the session repository used for the session failover functionality in Access Manager. The URL of the load balancer should be given as the identifier to this secondary configuration. If the secondary configuration is defined in this case, the session failover feature will be automatically enabled and become effective after the server restart. See To Add a Sub Configuration for more information.
Maximum Number of Search Results
This attribute specifies the maximum number of results returned by a session search. The default value is 120.
Timeout for Search
This attributed defines the maximum amount of time before a session search terminates. The default value is 5 seconds.
Property Change Notifications
Enables or disables the feature session property change notification. In a single sign-on environment, one Access Manager session can be shared by multiple applications. If this feature is set to ON, if one application changes any of the session properties specified in the Notification Properties list (defined as a separate session service attribute), the notification will be sent to other applications participating in the same single sign-on environment.
Quota Constraints
Enables or disables session quota constraints. The enforcement of session quota constraints enables administrators to limit a user to have a specific number of active/concurrent sessions based on the constraint settings at the global level, or the configurations associated with the entities (realm/role/user) to which this particular user belongs.
The default setting for this attribute is OFF. You must restart the server if the settings are changed.
Read Timeout for Quota Constraint
Defines the amount of time (in number of milliseconds) that an inquiry to the session repository for the live user session counts will continue before timing out.
After the maximum read time is reached, an error is returned. This attribute will take effect only when the session quota constraint is enabled in the session failover deployment. The default value is 6000 milliseconds. You must restart the server if the settings are changed.
Exempt Top-Level Admins From Constraint Checking
Specifies whether the users with the Top-level Admin Role should be exempt from the session constraint checking. If YES, even though the session constraint is enabled, there will be no session quota checking for these administrators.
The default setting for this attribute is NO. You must restart the server if the settings are changed. This attribute will take effect only when the session quota constraint is enabled.
Note –
the super user defined for the Access Manager in AMConfig.properties (com.sun.identity.authentication.super.user) is always exempt from the session quota constraint checking.
Resulting Behavior If Session Quota Exhausted
Specifies the resulting behavior when the user session quota is exhausted. There are two selectable options for this attribute:
- DESTROY_OLD_SESSION
-
The next expiring session will be destroyed.
- DENY_ACCESS
-
The new session creation request will be denied.
This attribute will take effect only when the session quota constraint is enabled and the default setting is DESTROY_OLD_SESSION .
Notification Properties
When a change occurs on a session property defined in the list, the notification will be sent to the registered listeners. The attribute will take effect when the feature of Session Property Change Notification is enabled.
Maximum Session Time
This attribute accepts a value in minutes to express the maximum time before the session expires and the user must reauthenticate to regain access. A value of 1 or higher will be accepted. The default value is 120. (To balance the requirements of security and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value.) Max Session Time limits the validity of the session. It does not get extended beyond the configured value.
Maximum Idle Time
This attribute accepts a value (in minutes) equal to the maximum amount of time without activity before a session expires and the user must reauthenticate to regain access. A value of 1 or higher will be accepted. The default value is 30. (To balance the requirements of security and convenience, consider setting the Max Session Time interval to a higher value and setting the Max Idle Time interval to a relatively low value.)
Maximum Caching Time
This attribute accepts a value (in minutes) equal to the maximum interval before the client contacts Access Manager to refresh cached session information. A value of 0 or higher will be accepted. The default value is 3. It is recommended that the maximum caching time should always be less than the maximum idle time.
Active User Sessions
Specifies the maximum number of concurrent sessions allowed for a user.
To Add a Sub Configuration
-
Enter a name for the new Sub Configuration.
-
Enter data for the following fields:
- Session Store User
-
Defines the database user who is used to retrieve and store the session data.
- Session Store Password
-
Defines the password for the database user defined in Session Store.
- Session Store Password (Confirm)
-
Confirm the password.
- Maximum Wait Time
-
Defines the total time a thread is willing to wait for acquiring a database connection object. The value is in milliseconds.
- Database Url
-
Specifies the URL of the database.
-
Click Add.
User
The default user preferences are defined through the user service. These include time zone, locale and DN starting view. The User service attributes are dynamic attributes.
User Preferred Language
This field specifies the user's choice for the text language displayed in the Access Manager console. The default value is en. This value maps a set of localization keys to the user session so that the on-screen text appears in a language appropriate for the user.
User Preferred Timezone
This field specifies the time zone in which the user accesses the Access Manager console. There is no default value.
Inherited Locale
This field specifies the locale for the user. The default value is en_US. See Supported Language Locales for a list of locales.
Administrator Starting View
If this user is a Access Manager administrator, this field specifies the node that would be the starting point displayed in the Access Manager console when this user logs in. There is no default value. A valid DN for which the user has, at the least, read access can be used.
Default User Status
This option indicates the default status for any newly created user. This status is superseded by the User Entry status. Only active users can authenticate through Access Manager. The default value is Active. Either of the following can be selected from the pull-down menu:
- Active
-
The user can authenticate through Access Manager.
- Inactive
-
The user cannot authenticate through Access Manager, but the user profile remains stored in the directory.
The individual user status is set by registering the User service, choosing the value, applying it to a role and adding the role to the user's profile.
System Properties
System Properties contain the following default services that you can configure:
Client Detection
An initial step in the authentication process is to identify the type of client making the HTTP(S) request. This Access Manager feature is known as client detection. The URL information is used to retrieve the client's characteristics. Based on these characteristics, the appropriate authentication pages are returned. For example, when a Netscape browser is used to request a web page, Access Manager 7.1 displays an HTML login page. Once the user is validated, the client type ( Netscape browser) is added to the session token. The attributes defined in the Client Detection service are global attributes.
Client Types
In order to detect client types, Access Manager needs to recognize their identifying characteristics. These characteristics identify the properties of all supported types in the form of client data. This attribute allows you to modify the client data through the Client Manager interface. To access the Client Manager, click the Edit link. Out of the box, Access Manager contains the following client types:
-
HDML
-
HTML
-
JHTML
-
VoiceX
-
WML
-
XHTML
-
cHTML
-
iHTML
For descriptions of these client types, see the Sun Java System Portal Server, Remote Access Administration Guide at http://docs.sun.com/app/docs/coll/1293.1?l=en.
Client Manager
The Client Manager is the interface that lists the base clients, styles and associated properties, and allows you to add and configure devices. The Base client types are listed at the top of Client Manager. These client types contain the default properties that can be inherited by all devices that belong to the client type.
Client Type
Style Profile The Client Manager groups all available clients, including the Base client type itself, in the Client Type list. For each client, you can modify the client properties by clicking on the device name. The properties are then displayed in the Client Editor window. To edit the properties, select the following classifications from the pull-down list:
- Hardware Platform
-
Contains properties of the device's hardware, such as display size, supported character sets, and so forth.
- Software Platform
-
Contains properties of the device's application environment, operating system, and installed software.
- Network Characteristics
-
Contains properties describing the network environment, including the supported bearers.
- BrowserUA
-
Contains attributes related to the browser user agent running on the device.
- WapCharacteristics
-
Contains properties of the Wireless Application Protocol (WAP) environment supported by the device.
- PushCharacteristicNames
-
Contains properties of the WAP environment supported by the device.
- Additional Properties
-
Contains properties of the Wireless Application Protocol (WAP) environment supported by the device.
Note –
For specific property definitions, see the Open Mobile Alliance Ltd. (OMA) Wireless Application Protocol, Version 20-Oct-2001 at http://www1.wapforum.org/tech/terms.asp?doc=WAP-248-UAProf-20011020-a.pdf.
In order to access the document, you may first have to register with WAP ForumTM. For information, please visit http://www.wapforum.org/faqs/index.htm.
Default Client Type
This attribute defines the default client type derived from the list of client types in the Client Types attribute. The default is genericHTML.
Client Detection Class
This attribute defines the client detection class for which all client detection requests are routed. The string returned by this attribute should match one of the client types listed in the Client Types attribute. The default client detection class is com.sun.mobile.cdm.FEDIClientDetector . Access Manager also contains com.iplanet.services.cdm.ClientDetectionDefaultImpl .
Client Detection
Enables client detection. If client detection is enabled (default), every request is routed thought the class specified in the Client Detection Class attribute. By default, the client detection capability is enabled. If this attribute is not selected, Access Manager assumes that the client is genericHTML and will be accessed from a HTML browser.
To Add a New Client
-
Select the device type with the following fields:
- Style
-
Displays the base style for the device. For example, HTML.
- Device User Agent
-
Accepts the name for the device.
-
Click Next.
-
Enter the following information for the new device:
- Client Type Name
-
Accepts the name for the device. The name must be unique across all devices
- The HTTP User String
-
Defines the User-Agent in the HTTP request header. For example, Mozilla/4.0.
-
Click Finish.
-
To duplicate a device and its properties, click the Duplicate link. Device names must unique. By default, Access Manager will rename the device to copy_of_devicename.
Logging
The Logging service provides status and error messages related to Access Manager administration. An administrator can configures values such as log file size and log file location. Access Manager can record events in flat text files or in a relational database. The Logging service attributes are global attributes. The attributes are:
Maximum Log Size
This attribute accepts a value for the maximum size (in bytes) of a Access Manager log file. The default value is 1000000.
Number of History Files
This attribute has a value equal to the number of backup log files that will be retained for historical analysis. Any integer can be entered depending on the partition size and available disk space of the local system. The default value is 3.
The files only apply to the FILE logging type. When the logging type is set to DB, there are no history files and limit explicitly set by Access Manager to the size of the files.
Note –
Entering a value of 0 is interpreted to be the same as a value of 1, meaning that if you specify 0, a history log file will be created.
Log File Location
The file-based logging function needs a location where log files can be stored. This field accepts a full directory path to that location. The default location is:
/var/opt/SUNWam/logs
If a non-default directory is specified, Access Manager will create the directory if it does not exist. You should then set the appropriate permissions for that directory (for example, 0700).
When configuring the log location for DB (database) logging (such as, Oracle or MySQL), part of the log location is case sensitive. For example, if you are logging to an Oracle database, the log location should be (note case sensitivity):
jdbc:oracle:thin:@machine.domain:port:DBName
To configure logging to DB, add the JDBC driver files to the web container's JVM classpath. You need to manually add JDBC driver files to the classpath of the amadmin script, otherwise amadmin logging can not load the JDBC driver.
Changes to logging attributes usually take effect after you save them. This does not require you to restart the server. If you are changing to secure logging, however, you should restart the server.
Logging Type
Enables you to specify either File, for flat file logging, or DB for database logging.
If the Database User Name or Database User Password is invalid, it will seriously affect Access Manager processing. If Access manager or the console becomes unstable, you set the following property in AMConfig.properties:
com.iplanet.am.logstatus=INACTIVE
After you have set the property, restart the server. You can then log in to the console and reset the logging attribute. Then, change the logstatus property to ACTIVE and restart the server.
Database User Name
This attribute accepts the name of the user that will connect to the database when the Logging Type attribute is set to DB.
Database User Password
This attribute accepts the database user password when the Logging Type attribute is set to DB.
Database User Password (confirm)
Confirm the database password.
Database Driver Name
This attribute enables you to specify the driver used for the logging implementation class.
Configurable Log Fields
Represents the list of fields that are to be logged. By default, all of the fields are logged. The fields are:
-
CONTEXTID
-
DOMAIN
-
HOSTNAME
-
IPADDRESS
-
LOGGED BY
-
LOGLEVEL
-
LOGINID
-
MESSAGEID
-
MODULENAME
At minimum you should log CONTEXTID, DOMAIN, HOSTNAME, LOGINID and MESSAGEID.
Log Verification Frequency
This attribute sets the frequency (in seconds) that the server should verify the logs to detect tampering. The default time is 3600 seconds. This parameter applies to secure logging only.
Log Signature Time
This parameter sets the frequency (in seconds) that the log will be signed. The default time is 900 seconds. This parameter applies to secure logging only.
Secure Logging
This attribute enables or disables secure logging. By default, secure logging is off. Secure Logging enables detection of unauthorized changes or tampering of security logs.
Secure Logging Signing Algorithm
This attribute defines RSA and DSA (Digital Signature Algorithm), which have private keys for signing and a public key for verification. You can select from the following:
-
MD2 w/RSA
-
MD5 w/RSA
-
SHA1 w/DSA
-
SHA1 w/RSA
MD2, MD5 and RSA are one-way hashes.
For example, if you select the signing algorithm MD2 w/RSA, the secure logging feature generates a group of messages with MD2 and encrypts the value with the RSA private key. This encrypted value is the signature of the original logged records and will be appended to the last record of the most recent signature. For validation, it well decrypt the signature with the RSA public key and compare the decrypted value to the group of logged records. The secure logging feature will then will detect any modifications to any logged record.
Maximum Number of Records
This attribute sets the maximum number of records that the Java LogReader interfaces return, regardless of how many records match the read query. By default, it is set to 500. This attribute can be overridden by the caller of the Logging API through the LogQuery class.
Number of Files per Archive
This attribute is only applicable to secure logging. It specifies when the log files and keystore need to be archived, and the secure keystore regenerated, for subsequent secure logging. The default is five files per logger.
Buffer Size
This attribute specifies the maximum number of log records to be buffered in memory before the logging service attempts to write them to the logging repository. The default is one record.
DB Failure Memory Buffer Size
This attribute defines the maximum number of log records held in memory if database (DB) logging fails. This attribute is only applicable when DB logging is specified. When the Access Manager logging service loses connection to the DB, it will buffer up to the number of records specified. This attribute defaults to two times of the value defined in the Buffer Size attribute.
Buffer Time
This attribute defines the amount of time that the log records will buffered in memory before they are sent to the logging service to be logged. This attribute applies if Enable Time Buffering is ON. The default is 3600 seconds.
Time Buffering
When selected as ON, Access Manager will set a time limit for log records to be buffered in memory. The amount of time is set in the Buffer Time attribute.
Naming
The Naming service is used to get and set URLs, plug-ins and configurations as well as request notifications for various other Access Manager services such as session, authentication, logging, SAML and Federation.
This service enables clients to find the correct service URL if the platform is running more than one Access Manager. When a naming URL is found, the naming service will decode the session of the user and dynamically replace the protocol, host, and port with the parameters from the session. This ensures that the URL returned for the service is for the host that the user session was created on. The Naming attributes are:
Profile Service URL
This field takes a value equal to :
%protocol://%host:%port/Server_DEPLOY_URI/profileservice
This syntax allows for dynamic substitution of the profile URL based on the specific session parameters.
Session Service URL
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/sessionservice
This syntax allows for dynamic substitution of the session URL based on the specific session parameters.
Logging Service URL
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/loggingservice
This syntax allows for dynamic substitution of the logging URL based on the specific session parameters.
Policy Service URL
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/policyservice
This syntax allows for dynamic substitution of the policy URL based on the specific session parameters.
Authentication Service URL
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/authservice
This syntax allows for dynamic substitution of the authentication URL based on the specific session parameters.
SAML Web Profile/Artifact Service URL
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/SAMLAwareServlet
This syntax allows for dynamic substitution of the SAML web profile/artifact URL based on the specific session parameters.
SAML SOAP Service URL
This field takes a value equal to
%protocol://%host:%port/Server_DEPLOY_URI/SAMLSOAPReceiver
This syntax allows for dynamic substitution of the SAML SOAP URL based on the specific session parameters.
SAML Web Profile/POST Service URL
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/SAMLPOSTProfileServlet
This syntax allows for dynamic substitution of the SAML web profile/POST URL based on the specific session parameters.
SAML Assertion Manager Service URL
This field takes a value equal to:
%protocol://%host:%port/Server_DEPLOY_URI/AssertionManagerServlet/AssertionM anagerIF
This syntax allows for dynamic substitution of the SAML Assertion Manager Service URL based on the specific session parameters.
Federation Assertion Manager Service URL
This field takes a value equal to:
%protocol://%host:%port/amserver/FSAssertionManagerServlet/FSAssertionMana gerIF
This syntax allows for dynamic substitution of the Federation Assertion Manager Service URL based on the specific session parameters.
Security Token Manager URL
This field takes a value equal to:
%protocol://%host:%port/amserver/SecurityTokenManagerServlet/SecurityToken ManagerIF/
This syntax allows for dynamic substitution of the Security Token Manager URL based on the specific session parameters.
JAXRPC Endpoint URL
This field takes a value equal to:
%protocol://%host:%port/amserver/jaxrpc/
This syntax allows for dynamic substitution of the JAXRPC Endpoint URL based on the specific session parameters.
Platform
The Platform service is where additional servers can be added to the Access Manager configuration as well as other options applied at the top level of the Access Manager application. The Platform service attributes are global attributes. The attributes are:
Site Name
The naming service reads this attribute at initialization time. This list uniquely identifies the FQDN with the port number of the load balancer or SRA for load balancing on the back-end Access Manager servers. If the host specified in a request for a service URL is not in this list, the naming service will reject the request. Only the naming service protocol should be used in this attribute. See To Create a New Site Name.
Instance Name
The naming service reads this attribute at initialization time. This list contains the Access Manager session servers in a single Access Manager configuration. For example, if two Access Managers are installed and should work as one, they must both be included in this list. If the host specified in a request for a service URL is not in this list, the naming service will reject the request. Only the naming service protocol should be used in this attribute. See To Create a New Instance Name.
Platform Locale
The platform locale value is the default language subtype that Access Manager was installed with. The authentication, logging and administration services are administered in the language of this value. The default is en_US. See Supported Language Localesfor a listing of supported language subtypes.
Cookie Domains
The list of domains that will be returned in the cookie header when setting a cookie to the user's browser during authentication. If empty, no cookie domain will be set. In other words, the Access Manager session cookie will only be forwarded to the Access Manager itself and to no other servers in the domain.
If SSO is required with other servers in the domain, this attribute must be set with the cookie domain. If you had two interfaces in different domains on one Access Manager then you would need to set both cookie domains in this attribute. If a load balancer is used, the cookie domain must be that of the load balancer's domain, not the servers behind the load balancer. The default value for this field is the domain of the installed Access Manager.
Login Service URL
This field specifies the URL of the login page. The default value for this attribute is /Service_DEPLOY_URI/UI/Login.
Logout Service URL
This field specifies the URL of the logout page. The default value for this attribute is /Service_DEPLOY_URI/UI/Logout.
Available Locales
This attribute stores all available locales configured for the platform. Consider an application that lets the user choose the user's locale. This application would get this attribute from the platform profile and present the list of locales to the user. The user would choose a locale and the application would set this in the user entry preferredLocale.
Client Character Sets
This attribute specifies the character set for different clients at the platform level. It contains a list of client types and the corresponding character sets. SeeTo Create a New Character Set for more information.
To Create a New Site
Name
-
Enter the host name and port in the Server field.
-
Enter the Site Name.
This value uniquely identifies the server. Each server that is participating in load balancing or failover needs to have a unique identifier of a two-digit number. For example, 01.
-
Click Save.
To edit a site name, click an entry in the Site Name list and change the values accordingly.
To Create a New Instance Name
The naming service reads this attribute at initialization time. This list contains the Access Manager session servers in a single Access Manager configuration.
-
Click New in the Instance Name list.
-
Enter the hostname and port in the Server field.
-
Enter the Site Name.
This value uniquely identifies the server. Each server that is participating in load balancing or failover needs to have a unique identifier. This is also used to shorten the cookie length by mapping the server URL to the server ID. The syntax is:
intance_ID(|site_ID)
-
Click OK.
To edit an instance name, click an entry in the Instance Name list and change the values accordingly.
-
Click Save in the Platform Service main page.
To Create a
New Character Set
-
Enter a value for the Client Type.
-
Enter a value for the Character Set. See Supported Language Locales for the character sets available.
-
Click OK.
-
Click Save in the Platform Service main page.