Reference of the ForgeRock® Access Management command-line interface entities.

Preface

This reference contains:

  • Entities supported in Amster commands

  • Actions you can perform with Amster commands.

This guide is written for anyone using Amster to configure and manage ForgeRock Access Management deployments.

About ForgeRock Identity Platform™ Software

ForgeRock Identity Platform™ is the only offering for access management, identity management, user-managed access, directory services, and an identity gateway, designed and built as a single, unified platform.

The platform includes the following components that extend what is available in open source projects to provide fully featured, enterprise-ready software:

  • ForgeRock Access Management (AM)

  • ForgeRock Identity Management (IDM)

  • ForgeRock Directory Services (DS)

  • ForgeRock Identity Gateway (IG)

Chapter 1. Amster Entity Reference

This chapter contains details of the entities available to Amster in AM 5.5.

1.1. ActiveDirectory

1.1.1. Realm Operations

Resource path: /realm-config/services/id-repositories/LDAPv3ForAD

Resource version: 1.0

1.1.1.1. create

Usage:

am> create ActiveDirectory --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sun-idrepo-ldapv3-config-groups-search-attribute" : {
      "title" : "LDAP Groups Search Attribute",
      "description" : "",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-timeunit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-naming-attr" : {
      "title" : "Authentication Naming Attribute",
      "description" : "",
      "propertyOrder" : 5200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-size" : {
      "title" : "DN Cache Size",
      "description" : "In DN items, only used when DN Cache is enabled.",
      "propertyOrder" : 6000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-max-result" : {
      "title" : "Maximum Results Returned from Search",
      "description" : "",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-value" : {
      "title" : "LDAP People Container Value",
      "description" : "",
      "propertyOrder" : 5100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-filter" : {
      "title" : "LDAP Users  Search Filter",
      "description" : "",
      "propertyOrder" : 2200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoAttributeMapping" : {
      "title" : "Attribute Name Mapping",
      "description" : "",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection_pool_max_size" : {
      "title" : "LDAP Connection Pool Maximum Size",
      "description" : "",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-name" : {
      "title" : "LDAP People Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 5000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-interval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-organization_name" : {
      "title" : "LDAP Organization DN",
      "description" : "",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoSupportedOperations" : {
      "title" : "LDAPv3 Plug-in Supported Types and Operations",
      "description" : "",
      "propertyOrder" : 1900,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-time-limit" : {
      "title" : "Search Timeout",
      "description" : "In seconds.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "com.iplanet.am.ldap.connection.delay.between.retries" : {
      "title" : "The Delay Time Between Retries",
      "description" : "In milliseconds.",
      "propertyOrder" : 5800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-isactive" : {
      "title" : "Attribute Name of User Status",
      "description" : "",
      "propertyOrder" : 2600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-memberof" : {
      "title" : "Attribute Name for Group Membership",
      "description" : "",
      "propertyOrder" : 3500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-search-scope" : {
      "title" : "LDAPv3 Plug-in Search Scope",
      "description" : "",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-attributes" : {
      "title" : "LDAP Groups Attributes",
      "description" : "",
      "propertyOrder" : 3400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authid" : {
      "title" : "LDAP Bind DN",
      "description" : "A user or admin with sufficient access rights to perform the supported operations.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authpw" : {
      "title" : "LDAP Bind Password",
      "description" : "",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-enabled" : {
      "title" : "DN Cache",
      "description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
      "propertyOrder" : 5900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
      "title" : "Create User Attribute Mapping",
      "description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
      "propertyOrder" : 2500,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-objectclass" : {
      "title" : "LDAP User Object Class",
      "description" : "",
      "propertyOrder" : 2300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-filter" : {
      "title" : "LDAP Groups Search Filter",
      "description" : "",
      "propertyOrder" : 3000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-attributes" : {
      "title" : "LDAP User Attributes",
      "description" : "",
      "propertyOrder" : 2400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-attribute" : {
      "title" : "LDAP Users  Search Attribute",
      "description" : "",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-inactive" : {
      "title" : "User Status Inactive Value",
      "description" : "",
      "propertyOrder" : 2800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
      "title" : "Knowledge Based Authentication Active Index",
      "description" : "",
      "propertyOrder" : 5400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-name" : {
      "title" : "LDAP Groups Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-objectclass" : {
      "title" : "LDAP Groups Object Class",
      "description" : "",
      "propertyOrder" : 3300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-value" : {
      "title" : "LDAP Groups Container Value",
      "description" : "",
      "propertyOrder" : 3200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-active" : {
      "title" : "User Status Active Value",
      "description" : "",
      "propertyOrder" : 2700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoClass" : {
      "title" : "LDAPv3 Repository Plug-in Class Name",
      "description" : "",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-uniquemember" : {
      "title" : "Attribute Name of Unique Member",
      "description" : "",
      "propertyOrder" : 3600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearchbase" : {
      "title" : "Persistent Search Base DN",
      "description" : "",
      "propertyOrder" : 5500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-ldap-server" : {
      "title" : "LDAP Server",
      "description" : "Format: LDAP server host name:port | server_ID | site_ID",
      "propertyOrder" : 600,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearch-scope" : {
      "title" : "Persistent Search Scope",
      "description" : "",
      "propertyOrder" : 5700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-attr" : {
      "title" : "Knowledge Based Authentication Attribute Name",
      "description" : "",
      "propertyOrder" : 5300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.1.1.2. delete

Usage:

am> delete ActiveDirectory --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.1.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action ActiveDirectory --realm Realm --actionName getAllTypes

1.1.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action ActiveDirectory --realm Realm --actionName getCreatableTypes

1.1.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action ActiveDirectory --realm Realm --actionName nextdescendents

1.1.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query ActiveDirectory --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.1.1.7. read

Usage:

am> read ActiveDirectory --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.1.1.8. update

Usage:

am> update ActiveDirectory --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sun-idrepo-ldapv3-config-groups-search-attribute" : {
      "title" : "LDAP Groups Search Attribute",
      "description" : "",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-timeunit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-naming-attr" : {
      "title" : "Authentication Naming Attribute",
      "description" : "",
      "propertyOrder" : 5200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-size" : {
      "title" : "DN Cache Size",
      "description" : "In DN items, only used when DN Cache is enabled.",
      "propertyOrder" : 6000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-max-result" : {
      "title" : "Maximum Results Returned from Search",
      "description" : "",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-value" : {
      "title" : "LDAP People Container Value",
      "description" : "",
      "propertyOrder" : 5100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-filter" : {
      "title" : "LDAP Users  Search Filter",
      "description" : "",
      "propertyOrder" : 2200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoAttributeMapping" : {
      "title" : "Attribute Name Mapping",
      "description" : "",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection_pool_max_size" : {
      "title" : "LDAP Connection Pool Maximum Size",
      "description" : "",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-name" : {
      "title" : "LDAP People Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 5000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-interval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-organization_name" : {
      "title" : "LDAP Organization DN",
      "description" : "",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoSupportedOperations" : {
      "title" : "LDAPv3 Plug-in Supported Types and Operations",
      "description" : "",
      "propertyOrder" : 1900,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-time-limit" : {
      "title" : "Search Timeout",
      "description" : "In seconds.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "com.iplanet.am.ldap.connection.delay.between.retries" : {
      "title" : "The Delay Time Between Retries",
      "description" : "In milliseconds.",
      "propertyOrder" : 5800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-isactive" : {
      "title" : "Attribute Name of User Status",
      "description" : "",
      "propertyOrder" : 2600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-memberof" : {
      "title" : "Attribute Name for Group Membership",
      "description" : "",
      "propertyOrder" : 3500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-search-scope" : {
      "title" : "LDAPv3 Plug-in Search Scope",
      "description" : "",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-attributes" : {
      "title" : "LDAP Groups Attributes",
      "description" : "",
      "propertyOrder" : 3400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authid" : {
      "title" : "LDAP Bind DN",
      "description" : "A user or admin with sufficient access rights to perform the supported operations.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authpw" : {
      "title" : "LDAP Bind Password",
      "description" : "",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-enabled" : {
      "title" : "DN Cache",
      "description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
      "propertyOrder" : 5900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
      "title" : "Create User Attribute Mapping",
      "description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
      "propertyOrder" : 2500,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-objectclass" : {
      "title" : "LDAP User Object Class",
      "description" : "",
      "propertyOrder" : 2300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-filter" : {
      "title" : "LDAP Groups Search Filter",
      "description" : "",
      "propertyOrder" : 3000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-attributes" : {
      "title" : "LDAP User Attributes",
      "description" : "",
      "propertyOrder" : 2400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-attribute" : {
      "title" : "LDAP Users  Search Attribute",
      "description" : "",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-inactive" : {
      "title" : "User Status Inactive Value",
      "description" : "",
      "propertyOrder" : 2800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
      "title" : "Knowledge Based Authentication Active Index",
      "description" : "",
      "propertyOrder" : 5400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-name" : {
      "title" : "LDAP Groups Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-objectclass" : {
      "title" : "LDAP Groups Object Class",
      "description" : "",
      "propertyOrder" : 3300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-value" : {
      "title" : "LDAP Groups Container Value",
      "description" : "",
      "propertyOrder" : 3200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-active" : {
      "title" : "User Status Active Value",
      "description" : "",
      "propertyOrder" : 2700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoClass" : {
      "title" : "LDAPv3 Repository Plug-in Class Name",
      "description" : "",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-uniquemember" : {
      "title" : "Attribute Name of Unique Member",
      "description" : "",
      "propertyOrder" : 3600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearchbase" : {
      "title" : "Persistent Search Base DN",
      "description" : "",
      "propertyOrder" : 5500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-ldap-server" : {
      "title" : "LDAP Server",
      "description" : "Format: LDAP server host name:port | server_ID | site_ID",
      "propertyOrder" : 600,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearch-scope" : {
      "title" : "Persistent Search Scope",
      "description" : "",
      "propertyOrder" : 5700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-attr" : {
      "title" : "Knowledge Based Authentication Attribute Name",
      "description" : "",
      "propertyOrder" : 5300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.2. ActiveDirectoryApplicationModeADAM

1.2.1. Realm Operations

Resource path: /realm-config/services/id-repositories/LDAPv3ForADAM

Resource version: 1.0

1.2.1.1. create

Usage:

am> create ActiveDirectoryApplicationModeADAM --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sun-idrepo-ldapv3-config-user-attributes" : {
      "title" : "LDAP User Attributes",
      "description" : "",
      "propertyOrder" : 2400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authpw" : {
      "title" : "LDAP Bind Password",
      "description" : "",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearchbase" : {
      "title" : "Persistent Search Base DN",
      "description" : "",
      "propertyOrder" : 5500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-attributes" : {
      "title" : "LDAP Groups Attributes",
      "description" : "",
      "propertyOrder" : 3400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sunIdRepoSupportedOperations" : {
      "title" : "LDAPv3 Plug-in Supported Types and Operations",
      "description" : "",
      "propertyOrder" : 1900,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-value" : {
      "title" : "LDAP People Container Value",
      "description" : "",
      "propertyOrder" : 5100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-ldap-server" : {
      "title" : "LDAP Server",
      "description" : "Format: LDAP server host name:port | server_ID | site_ID",
      "propertyOrder" : 600,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-name" : {
      "title" : "LDAP Groups Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-inactive" : {
      "title" : "User Status Inactive Value",
      "description" : "",
      "propertyOrder" : 2800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
      "title" : "Knowledge Based Authentication Active Index",
      "description" : "",
      "propertyOrder" : 5400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-timeunit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearch-scope" : {
      "title" : "Persistent Search Scope",
      "description" : "",
      "propertyOrder" : 5700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-objectclass" : {
      "title" : "LDAP User Object Class",
      "description" : "",
      "propertyOrder" : 2300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-search-scope" : {
      "title" : "LDAPv3 Plug-in Search Scope",
      "description" : "",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoAttributeMapping" : {
      "title" : "Attribute Name Mapping",
      "description" : "",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "com.iplanet.am.ldap.connection.delay.between.retries" : {
      "title" : "The Delay Time Between Retries",
      "description" : "In milliseconds.",
      "propertyOrder" : 5800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-memberof" : {
      "title" : "Attribute Name for Group Membership",
      "description" : "",
      "propertyOrder" : 3500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-name" : {
      "title" : "LDAP People Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 5000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-time-limit" : {
      "title" : "Search Timeout",
      "description" : "In seconds.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-attr" : {
      "title" : "Knowledge Based Authentication Attribute Name",
      "description" : "",
      "propertyOrder" : 5300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sunIdRepoClass" : {
      "title" : "LDAPv3 Repository Plug-in Class Name",
      "description" : "",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-attribute" : {
      "title" : "LDAP Groups Search Attribute",
      "description" : "",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-interval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-active" : {
      "title" : "User Status Active Value",
      "description" : "",
      "propertyOrder" : 2700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection_pool_max_size" : {
      "title" : "LDAP Connection Pool Maximum Size",
      "description" : "",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-naming-attr" : {
      "title" : "Authentication Naming Attribute",
      "description" : "",
      "propertyOrder" : 5200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-value" : {
      "title" : "LDAP Groups Container Value",
      "description" : "",
      "propertyOrder" : 3200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-max-result" : {
      "title" : "Maximum Results Returned from Search",
      "description" : "",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-isactive" : {
      "title" : "Attribute Name of User Status",
      "description" : "",
      "propertyOrder" : 2600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-organization_name" : {
      "title" : "LDAP Organization DN",
      "description" : "",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
      "title" : "Create User Attribute Mapping",
      "description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
      "propertyOrder" : 2500,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-objectclass" : {
      "title" : "LDAP Groups Object Class",
      "description" : "",
      "propertyOrder" : 3300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-filter" : {
      "title" : "LDAP Groups Search Filter",
      "description" : "",
      "propertyOrder" : 3000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-size" : {
      "title" : "DN Cache Size",
      "description" : "In DN items, only used when DN Cache is enabled.",
      "propertyOrder" : 6000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-attribute" : {
      "title" : "LDAP Users  Search Attribute",
      "description" : "",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-enabled" : {
      "title" : "DN Cache",
      "description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
      "propertyOrder" : 5900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-uniquemember" : {
      "title" : "Attribute Name of Unique Member",
      "description" : "",
      "propertyOrder" : 3600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authid" : {
      "title" : "LDAP Bind DN",
      "description" : "A user or admin with sufficient access rights to perform the supported operations.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-filter" : {
      "title" : "LDAP Users  Search Filter",
      "description" : "",
      "propertyOrder" : 2200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.2.1.2. delete

Usage:

am> delete ActiveDirectoryApplicationModeADAM --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.2.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action ActiveDirectoryApplicationModeADAM --realm Realm --actionName getAllTypes

1.2.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action ActiveDirectoryApplicationModeADAM --realm Realm --actionName getCreatableTypes

1.2.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action ActiveDirectoryApplicationModeADAM --realm Realm --actionName nextdescendents

1.2.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query ActiveDirectoryApplicationModeADAM --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.2.1.7. read

Usage:

am> read ActiveDirectoryApplicationModeADAM --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.2.1.8. update

Usage:

am> update ActiveDirectoryApplicationModeADAM --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sun-idrepo-ldapv3-config-user-attributes" : {
      "title" : "LDAP User Attributes",
      "description" : "",
      "propertyOrder" : 2400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authpw" : {
      "title" : "LDAP Bind Password",
      "description" : "",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearchbase" : {
      "title" : "Persistent Search Base DN",
      "description" : "",
      "propertyOrder" : 5500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-attributes" : {
      "title" : "LDAP Groups Attributes",
      "description" : "",
      "propertyOrder" : 3400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sunIdRepoSupportedOperations" : {
      "title" : "LDAPv3 Plug-in Supported Types and Operations",
      "description" : "",
      "propertyOrder" : 1900,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-value" : {
      "title" : "LDAP People Container Value",
      "description" : "",
      "propertyOrder" : 5100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-ldap-server" : {
      "title" : "LDAP Server",
      "description" : "Format: LDAP server host name:port | server_ID | site_ID",
      "propertyOrder" : 600,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-name" : {
      "title" : "LDAP Groups Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-inactive" : {
      "title" : "User Status Inactive Value",
      "description" : "",
      "propertyOrder" : 2800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
      "title" : "Knowledge Based Authentication Active Index",
      "description" : "",
      "propertyOrder" : 5400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-timeunit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearch-scope" : {
      "title" : "Persistent Search Scope",
      "description" : "",
      "propertyOrder" : 5700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-objectclass" : {
      "title" : "LDAP User Object Class",
      "description" : "",
      "propertyOrder" : 2300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-search-scope" : {
      "title" : "LDAPv3 Plug-in Search Scope",
      "description" : "",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoAttributeMapping" : {
      "title" : "Attribute Name Mapping",
      "description" : "",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "com.iplanet.am.ldap.connection.delay.between.retries" : {
      "title" : "The Delay Time Between Retries",
      "description" : "In milliseconds.",
      "propertyOrder" : 5800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-memberof" : {
      "title" : "Attribute Name for Group Membership",
      "description" : "",
      "propertyOrder" : 3500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-name" : {
      "title" : "LDAP People Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 5000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-time-limit" : {
      "title" : "Search Timeout",
      "description" : "In seconds.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-attr" : {
      "title" : "Knowledge Based Authentication Attribute Name",
      "description" : "",
      "propertyOrder" : 5300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sunIdRepoClass" : {
      "title" : "LDAPv3 Repository Plug-in Class Name",
      "description" : "",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-attribute" : {
      "title" : "LDAP Groups Search Attribute",
      "description" : "",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-interval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-active" : {
      "title" : "User Status Active Value",
      "description" : "",
      "propertyOrder" : 2700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection_pool_max_size" : {
      "title" : "LDAP Connection Pool Maximum Size",
      "description" : "",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-naming-attr" : {
      "title" : "Authentication Naming Attribute",
      "description" : "",
      "propertyOrder" : 5200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-value" : {
      "title" : "LDAP Groups Container Value",
      "description" : "",
      "propertyOrder" : 3200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-max-result" : {
      "title" : "Maximum Results Returned from Search",
      "description" : "",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-isactive" : {
      "title" : "Attribute Name of User Status",
      "description" : "",
      "propertyOrder" : 2600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-organization_name" : {
      "title" : "LDAP Organization DN",
      "description" : "",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
      "title" : "Create User Attribute Mapping",
      "description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
      "propertyOrder" : 2500,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-objectclass" : {
      "title" : "LDAP Groups Object Class",
      "description" : "",
      "propertyOrder" : 3300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-filter" : {
      "title" : "LDAP Groups Search Filter",
      "description" : "",
      "propertyOrder" : 3000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-size" : {
      "title" : "DN Cache Size",
      "description" : "In DN items, only used when DN Cache is enabled.",
      "propertyOrder" : 6000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-attribute" : {
      "title" : "LDAP Users  Search Attribute",
      "description" : "",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-enabled" : {
      "title" : "DN Cache",
      "description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
      "propertyOrder" : 5900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-uniquemember" : {
      "title" : "Attribute Name of Unique Member",
      "description" : "",
      "propertyOrder" : 3600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authid" : {
      "title" : "LDAP Bind DN",
      "description" : "A user or admin with sufficient access rights to perform the supported operations.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-filter" : {
      "title" : "LDAP Users  Search Filter",
      "description" : "",
      "propertyOrder" : 2200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.3. ActiveDirectoryModule

1.3.1. Realm Operations

Resource path: /realm-config/authentication/modules/activedirectory

Resource version: 1.0

1.3.1.1. create

Usage:

am> create ActiveDirectoryModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "secondaryLdapServer" : {
      "title" : "Secondary Active Directory Server",
      "description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 200,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
      "propertyOrder" : 1800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "userSearchAttributes" : {
      "title" : "Attributes Used to Search for a User to be Authenticated",
      "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
      "propertyOrder" : 700,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "operationTimeout" : {
      "title" : "LDAP operations timeout",
      "description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "connectionHeartbeatTimeUnit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "connectionHeartbeatInterval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. Zero or negative value will result in disabling heartbeat requests.",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "searchScope" : {
      "title" : "Search Scope",
      "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "primaryLdapServer" : {
      "title" : "Primary Active Directory Server ",
      "description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "userBindPassword" : {
      "title" : "Bind User Password",
      "description" : "The password of the administration account.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "returnUserDN" : {
      "title" : "Return User DN to DataStore",
      "description" : "Controls whether the DN or the username is returned as the authentication principal.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "Bind User DN",
      "description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userProfileRetrievalAttribute" : {
      "title" : "Attribute Used to Retrieve User Profile",
      "description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userSearchFilter" : {
      "title" : "User Search Filter",
      "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userSearchStartDN" : {
      "title" : "DN to Start User Search",
      "description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "openam-auth-ldap-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "trustAllServerCertificates" : {
      "title" : "Trust All Server Certificates",
      "description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "profileAttributeMappings" : {
      "title" : "User Creation Attributes",
      "description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
      "propertyOrder" : 1300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.3.1.2. delete

Usage:

am> delete ActiveDirectoryModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.3.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action ActiveDirectoryModule --realm Realm --actionName getAllTypes

1.3.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action ActiveDirectoryModule --realm Realm --actionName getCreatableTypes

1.3.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action ActiveDirectoryModule --realm Realm --actionName nextdescendents

1.3.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query ActiveDirectoryModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.3.1.7. read

Usage:

am> read ActiveDirectoryModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.3.1.8. update

Usage:

am> update ActiveDirectoryModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "secondaryLdapServer" : {
      "title" : "Secondary Active Directory Server",
      "description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 200,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
      "propertyOrder" : 1800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "userSearchAttributes" : {
      "title" : "Attributes Used to Search for a User to be Authenticated",
      "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
      "propertyOrder" : 700,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "operationTimeout" : {
      "title" : "LDAP operations timeout",
      "description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "connectionHeartbeatTimeUnit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "connectionHeartbeatInterval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. Zero or negative value will result in disabling heartbeat requests.",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "searchScope" : {
      "title" : "Search Scope",
      "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "primaryLdapServer" : {
      "title" : "Primary Active Directory Server ",
      "description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "userBindPassword" : {
      "title" : "Bind User Password",
      "description" : "The password of the administration account.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "returnUserDN" : {
      "title" : "Return User DN to DataStore",
      "description" : "Controls whether the DN or the username is returned as the authentication principal.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "Bind User DN",
      "description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userProfileRetrievalAttribute" : {
      "title" : "Attribute Used to Retrieve User Profile",
      "description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userSearchFilter" : {
      "title" : "User Search Filter",
      "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userSearchStartDN" : {
      "title" : "DN to Start User Search",
      "description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "openam-auth-ldap-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "trustAllServerCertificates" : {
      "title" : "Trust All Server Certificates",
      "description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "profileAttributeMappings" : {
      "title" : "User Creation Attributes",
      "description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
      "propertyOrder" : 1300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.3.2. Global Operations

Resource path: /global-config/authentication/modules/activedirectory

Resource version: 1.0

1.3.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action ActiveDirectoryModule --global --actionName getAllTypes

1.3.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action ActiveDirectoryModule --global --actionName getCreatableTypes

1.3.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action ActiveDirectoryModule --global --actionName nextdescendents

1.3.2.4. read

Usage:

am> read ActiveDirectoryModule --global

1.3.2.5. update

Usage:

am> update ActiveDirectoryModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "secondaryLdapServer" : {
          "title" : "Secondary Active Directory Server",
          "description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 200,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "userBindPassword" : {
          "title" : "Bind User Password",
          "description" : "The password of the administration account.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "openam-auth-ldap-connection-mode" : {
          "title" : "LDAP Connection Mode",
          "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userBindDN" : {
          "title" : "Bind User DN",
          "description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userSearchFilter" : {
          "title" : "User Search Filter",
          "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "searchScope" : {
          "title" : "Search Scope",
          "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "primaryLdapServer" : {
          "title" : "Primary Active Directory Server ",
          "description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "userProfileRetrievalAttribute" : {
          "title" : "Attribute Used to Retrieve User Profile",
          "description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userSearchAttributes" : {
          "title" : "Attributes Used to Search for a User to be Authenticated",
          "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
          "propertyOrder" : 700,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "connectionHeartbeatInterval" : {
          "title" : "LDAP Connection Heartbeat Interval",
          "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. Zero or negative value will result in disabling heartbeat requests.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "returnUserDN" : {
          "title" : "Return User DN to DataStore",
          "description" : "Controls whether the DN or the username is returned as the authentication principal.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "userSearchStartDN" : {
          "title" : "DN to Start User Search",
          "description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 300,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "operationTimeout" : {
          "title" : "LDAP operations timeout",
          "description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "profileAttributeMappings" : {
          "title" : "User Creation Attributes",
          "description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
          "propertyOrder" : 1300,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "connectionHeartbeatTimeUnit" : {
          "title" : "LDAP Connection Heartbeat Time Unit",
          "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "trustAllServerCertificates" : {
          "title" : "Trust All Server Certificates",
          "description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
          "propertyOrder" : 1800,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.4. AdaptiveRiskModule

1.4.1. Realm Operations

Resource path: /realm-config/authentication/modules/adaptiverisk

Resource version: 1.0

1.4.1.1. create

Usage:

am> create AdaptiveRiskModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "ipHistoryCheckEnabled" : {
      "title" : "IP History Check",
      "description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "knownCookieCheckEnabled" : {
      "title" : "Cookie Value Check",
      "description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass. ",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ipRangeScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "deviceCookieName" : {
      "title" : "Cookie Name",
      "description" : "The name of the cookie to be checked for (and optionally set) on the client request",
      "propertyOrder" : 3400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "ipRangeCheckEnabled" : {
      "title" : "IP Range Check",
      "description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertProfileRiskAttributeScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 3200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertRequestHeaderScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 4700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertIPHistoryScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "requestHeaderScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 4600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "knownCookieValue" : {
      "title" : "Cookie Value",
      "description" : "The value to be set on the cookie.",
      "propertyOrder" : 1800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "invertFailureScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "knownCookieName" : {
      "title" : "Cookie Name",
      "description" : "The name of the cookie to set on the client.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "profileRiskAttributeValue" : {
      "title" : "Attribute Value",
      "description" : "The required value of the named attribute.",
      "propertyOrder" : 3000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "invertKnownCookieScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "timeSinceLastLoginScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 2600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "invertIPRangeScoreEnabled" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "createKnownCookieOnSuccessfulLogin" : {
      "title" : "Save Cookie Value on Successful Login",
      "description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response",
      "propertyOrder" : 1900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "timeSinceLastLoginCheckEnabled" : {
      "title" : "Time since Last login Check",
      "description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.",
      "propertyOrder" : 2200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "knownCookieScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "saveDeviceCookieValueOnSuccessfulLogin" : {
      "title" : "Save Device Registration on Successful Login",
      "description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response",
      "propertyOrder" : 3500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "deviceCookieScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 3600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "invertGeolocationScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 4200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "failedAuthenticationCheckEnabled" : {
      "title" : "Failed Authentication Check",
      "description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "failureScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "geolocationDatabaseLocation" : {
      "title" : "Geolocation Database location",
      "description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
      "propertyOrder" : 3900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "requestHeaderCheckEnabled" : {
      "title" : "Request Header Check",
      "description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.",
      "propertyOrder" : 4300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "geolocationScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 4100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "ipHistoryScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "saveLastLoginTimeOnSuccessfulLogin" : {
      "title" : "Save time of Successful Login",
      "description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time",
      "propertyOrder" : 2500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "profileRiskAttributeName" : {
      "title" : "Attribute Name",
      "description" : "The name of the attribute to retrieve from the user profile in the data store.",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "requestHeaderName" : {
      "title" : "Request Header Name",
      "description" : "The name of the required HTTP header ",
      "propertyOrder" : 4400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "deviceCookieCheckEnabled" : {
      "title" : "Device Registration Cookie Check",
      "description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.",
      "propertyOrder" : 3300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "riskThreshold" : {
      "title" : "Risk Threshold",
      "description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not passes then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>, if the score is lesser than said threshold the module will be successful. ",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "requestHeaderValue" : {
      "title" : "Request Header Value",
      "description" : "The required value of the named HTTP header.",
      "propertyOrder" : 4500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "ipHistoryCount" : {
      "title" : "History size",
      "description" : "The number of client IP addresses to save in the history list.",
      "propertyOrder" : 1100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "geolocationValidCountryCodes" : {
      "title" : "Valid Country Codes",
      "description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>",
      "propertyOrder" : 4000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "saveSuccessfulIP" : {
      "title" : "Save Successful IP Address",
      "description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "geolocationCheckEnabled" : {
      "title" : "Geolocation Country Code Check",
      "description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
      "propertyOrder" : 3800,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "profileRiskAttributeCheckEnabled" : {
      "title" : "Profile Risk Attribute check",
      "description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.",
      "propertyOrder" : 2800,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertDeviceCookieScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 3700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ipHistoryProfileAttribute" : {
      "title" : "Profile Attribute Name",
      "description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "profileRiskAttributeScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "ipRange" : {
      "title" : "IP Range",
      "description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>",
      "propertyOrder" : 700,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "maxTimeSinceLastLogin" : {
      "title" : "Max Time since Last login",
      "description" : "The maximum number of days that can elapse before this test.",
      "propertyOrder" : 2400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "timeSinceLastLoginCookieName" : {
      "title" : "Cookie Name",
      "description" : "The name of the cookie used to store the time of the last successful authentication.",
      "propertyOrder" : 2300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "invertTimeSinceLastLoginScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 2700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}

1.4.1.2. delete

Usage:

am> delete AdaptiveRiskModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.4.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AdaptiveRiskModule --realm Realm --actionName getAllTypes

1.4.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AdaptiveRiskModule --realm Realm --actionName getCreatableTypes

1.4.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AdaptiveRiskModule --realm Realm --actionName nextdescendents

1.4.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query AdaptiveRiskModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.4.1.7. read

Usage:

am> read AdaptiveRiskModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.4.1.8. update

Usage:

am> update AdaptiveRiskModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "ipHistoryCheckEnabled" : {
      "title" : "IP History Check",
      "description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "knownCookieCheckEnabled" : {
      "title" : "Cookie Value Check",
      "description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass. ",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ipRangeScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "deviceCookieName" : {
      "title" : "Cookie Name",
      "description" : "The name of the cookie to be checked for (and optionally set) on the client request",
      "propertyOrder" : 3400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "ipRangeCheckEnabled" : {
      "title" : "IP Range Check",
      "description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertProfileRiskAttributeScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 3200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertRequestHeaderScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 4700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertIPHistoryScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "requestHeaderScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 4600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "knownCookieValue" : {
      "title" : "Cookie Value",
      "description" : "The value to be set on the cookie.",
      "propertyOrder" : 1800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "invertFailureScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "knownCookieName" : {
      "title" : "Cookie Name",
      "description" : "The name of the cookie to set on the client.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "profileRiskAttributeValue" : {
      "title" : "Attribute Value",
      "description" : "The required value of the named attribute.",
      "propertyOrder" : 3000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "invertKnownCookieScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "timeSinceLastLoginScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 2600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "invertIPRangeScoreEnabled" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "createKnownCookieOnSuccessfulLogin" : {
      "title" : "Save Cookie Value on Successful Login",
      "description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response",
      "propertyOrder" : 1900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "timeSinceLastLoginCheckEnabled" : {
      "title" : "Time since Last login Check",
      "description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.",
      "propertyOrder" : 2200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "knownCookieScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "saveDeviceCookieValueOnSuccessfulLogin" : {
      "title" : "Save Device Registration on Successful Login",
      "description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response",
      "propertyOrder" : 3500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "deviceCookieScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 3600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "invertGeolocationScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 4200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "failedAuthenticationCheckEnabled" : {
      "title" : "Failed Authentication Check",
      "description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "failureScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "geolocationDatabaseLocation" : {
      "title" : "Geolocation Database location",
      "description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
      "propertyOrder" : 3900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "requestHeaderCheckEnabled" : {
      "title" : "Request Header Check",
      "description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.",
      "propertyOrder" : 4300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "geolocationScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 4100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "ipHistoryScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "saveLastLoginTimeOnSuccessfulLogin" : {
      "title" : "Save time of Successful Login",
      "description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time",
      "propertyOrder" : 2500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "profileRiskAttributeName" : {
      "title" : "Attribute Name",
      "description" : "The name of the attribute to retrieve from the user profile in the data store.",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "requestHeaderName" : {
      "title" : "Request Header Name",
      "description" : "The name of the required HTTP header ",
      "propertyOrder" : 4400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "deviceCookieCheckEnabled" : {
      "title" : "Device Registration Cookie Check",
      "description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.",
      "propertyOrder" : 3300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "riskThreshold" : {
      "title" : "Risk Threshold",
      "description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not passes then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>, if the score is lesser than said threshold the module will be successful. ",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "requestHeaderValue" : {
      "title" : "Request Header Value",
      "description" : "The required value of the named HTTP header.",
      "propertyOrder" : 4500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "ipHistoryCount" : {
      "title" : "History size",
      "description" : "The number of client IP addresses to save in the history list.",
      "propertyOrder" : 1100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "geolocationValidCountryCodes" : {
      "title" : "Valid Country Codes",
      "description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>",
      "propertyOrder" : 4000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "saveSuccessfulIP" : {
      "title" : "Save Successful IP Address",
      "description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "geolocationCheckEnabled" : {
      "title" : "Geolocation Country Code Check",
      "description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
      "propertyOrder" : 3800,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "profileRiskAttributeCheckEnabled" : {
      "title" : "Profile Risk Attribute check",
      "description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.",
      "propertyOrder" : 2800,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertDeviceCookieScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 3700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ipHistoryProfileAttribute" : {
      "title" : "Profile Attribute Name",
      "description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "profileRiskAttributeScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "ipRange" : {
      "title" : "IP Range",
      "description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>",
      "propertyOrder" : 700,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "maxTimeSinceLastLogin" : {
      "title" : "Max Time since Last login",
      "description" : "The maximum number of days that can elapse before this test.",
      "propertyOrder" : 2400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "timeSinceLastLoginCookieName" : {
      "title" : "Cookie Name",
      "description" : "The name of the cookie used to store the time of the last successful authentication.",
      "propertyOrder" : 2300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "invertTimeSinceLastLoginScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 2700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}

1.4.2. Global Operations

Resource path: /global-config/authentication/modules/adaptiverisk

Resource version: 1.0

1.4.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AdaptiveRiskModule --global --actionName getAllTypes

1.4.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AdaptiveRiskModule --global --actionName getCreatableTypes

1.4.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AdaptiveRiskModule --global --actionName nextdescendents

1.4.2.4. read

Usage:

am> read AdaptiveRiskModule --global

1.4.2.5. update

Usage:

am> update AdaptiveRiskModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "requestheader" : {
          "type" : "object",
          "title" : "Request Header",
          "propertyOrder" : 9,
          "properties" : {
            "requestHeaderCheckEnabled" : {
              "title" : "Request Header Check",
              "description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.",
              "propertyOrder" : 4300,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "requestHeaderScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 4600,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "invertRequestHeaderScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 4700,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "requestHeaderName" : {
              "title" : "Request Header Name",
              "description" : "The name of the required HTTP header ",
              "propertyOrder" : 4400,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "requestHeaderValue" : {
              "title" : "Request Header Value",
              "description" : "The required value of the named HTTP header.",
              "propertyOrder" : 4500,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "authfailed" : {
          "type" : "object",
          "title" : "Failed Authentications",
          "propertyOrder" : 1,
          "properties" : {
            "failedAuthenticationCheckEnabled" : {
              "title" : "Failed Authentication Check",
              "description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.",
              "propertyOrder" : 300,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "failureScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 400,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "invertFailureScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 500,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "devicecookie" : {
          "type" : "object",
          "title" : "Device Cookie",
          "propertyOrder" : 5,
          "properties" : {
            "invertDeviceCookieScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 3700,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "deviceCookieScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 3600,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "saveDeviceCookieValueOnSuccessfulLogin" : {
              "title" : "Save Device Registration on Successful Login",
              "description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response",
              "propertyOrder" : 3500,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "deviceCookieName" : {
              "title" : "Cookie Name",
              "description" : "The name of the cookie to be checked for (and optionally set) on the client request",
              "propertyOrder" : 3400,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "deviceCookieCheckEnabled" : {
              "title" : "Device Registration Cookie Check",
              "description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.",
              "propertyOrder" : 3300,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "iphistory" : {
          "type" : "object",
          "title" : "IP Address History",
          "propertyOrder" : 3,
          "properties" : {
            "ipHistoryCheckEnabled" : {
              "title" : "IP History Check",
              "description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).",
              "propertyOrder" : 1000,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "ipHistoryScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 1400,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "ipHistoryCount" : {
              "title" : "History size",
              "description" : "The number of client IP addresses to save in the history list.",
              "propertyOrder" : 1100,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "ipHistoryProfileAttribute" : {
              "title" : "Profile Attribute Name",
              "description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.",
              "propertyOrder" : 1200,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "saveSuccessfulIP" : {
              "title" : "Save Successful IP Address",
              "description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.",
              "propertyOrder" : 1300,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "invertIPHistoryScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 1500,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "lastlogin" : {
          "type" : "object",
          "title" : "Time Since Last Login",
          "propertyOrder" : 6,
          "properties" : {
            "invertTimeSinceLastLoginScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 2700,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "saveLastLoginTimeOnSuccessfulLogin" : {
              "title" : "Save time of Successful Login",
              "description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time",
              "propertyOrder" : 2500,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "timeSinceLastLoginCookieName" : {
              "title" : "Cookie Name",
              "description" : "The name of the cookie used to store the time of the last successful authentication.",
              "propertyOrder" : 2300,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "timeSinceLastLoginScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 2600,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "timeSinceLastLoginCheckEnabled" : {
              "title" : "Time since Last login Check",
              "description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.",
              "propertyOrder" : 2200,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "maxTimeSinceLastLogin" : {
              "title" : "Max Time since Last login",
              "description" : "The maximum number of days that can elapse before this test.",
              "propertyOrder" : 2400,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "knowncookie" : {
          "type" : "object",
          "title" : "Known Cookie",
          "propertyOrder" : 4,
          "properties" : {
            "knownCookieValue" : {
              "title" : "Cookie Value",
              "description" : "The value to be set on the cookie.",
              "propertyOrder" : 1800,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "knownCookieScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 2000,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "createKnownCookieOnSuccessfulLogin" : {
              "title" : "Save Cookie Value on Successful Login",
              "description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response",
              "propertyOrder" : 1900,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "knownCookieName" : {
              "title" : "Cookie Name",
              "description" : "The name of the cookie to set on the client.",
              "propertyOrder" : 1700,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "knownCookieCheckEnabled" : {
              "title" : "Cookie Value Check",
              "description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass. ",
              "propertyOrder" : 1600,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "invertKnownCookieScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 2100,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "iprange" : {
          "type" : "object",
          "title" : "IP Address Range",
          "propertyOrder" : 2,
          "properties" : {
            "ipRangeCheckEnabled" : {
              "title" : "IP Range Check",
              "description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.",
              "propertyOrder" : 600,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "invertIPRangeScoreEnabled" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 900,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "ipRange" : {
              "title" : "IP Range",
              "description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>",
              "propertyOrder" : 700,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "ipRangeScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 800,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            }
          }
        },
        "geolocation" : {
          "type" : "object",
          "title" : "Geo Location",
          "propertyOrder" : 8,
          "properties" : {
            "geolocationScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 4100,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "invertGeolocationScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 4200,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "geolocationDatabaseLocation" : {
              "title" : "Geolocation Database location",
              "description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
              "propertyOrder" : 3900,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "geolocationCheckEnabled" : {
              "title" : "Geolocation Country Code Check",
              "description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
              "propertyOrder" : 3800,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "geolocationValidCountryCodes" : {
              "title" : "Valid Country Codes",
              "description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>",
              "propertyOrder" : 4000,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "attributecheck" : {
          "type" : "object",
          "title" : "Profile Attribute",
          "propertyOrder" : 7,
          "properties" : {
            "profileRiskAttributeCheckEnabled" : {
              "title" : "Profile Risk Attribute check",
              "description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.",
              "propertyOrder" : 2800,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "profileRiskAttributeScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 3100,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "profileRiskAttributeName" : {
              "title" : "Attribute Name",
              "description" : "The name of the attribute to retrieve from the user profile in the data store.",
              "propertyOrder" : 2900,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "profileRiskAttributeValue" : {
              "title" : "Attribute Value",
              "description" : "The required value of the named attribute.",
              "propertyOrder" : 3000,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "invertProfileRiskAttributeScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 3200,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "general" : {
          "type" : "object",
          "title" : "General",
          "propertyOrder" : 0,
          "properties" : {
            "riskThreshold" : {
              "title" : "Risk Threshold",
              "description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not passes then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>, if the score is lesser than said threshold the module will be successful. ",
              "propertyOrder" : 200,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "authenticationLevel" : {
              "title" : "Authentication Level",
              "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
              "propertyOrder" : 100,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            }
          }
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.5. AdvancedProperties

1.5.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/{serverName}/properties/advanced

Resource version: 1.0

1.5.1.1. read

Usage:

am> read AdvancedProperties --global --serverName serverName

Parameters:

--serverName

An object of property key-value pairs

1.5.1.2. update

Usage:

am> update AdvancedProperties --global --serverName serverName --body body

Parameters:

--serverName

An object of property key-value pairs

--body

The resource in JSON format, described by the following JSON schema:

{
  "patternProperties" : {
    ".+" : {
      "type" : "string",
      "title" : "Value",
      "description" : "Any string value"
    }
  },
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "An object of property key-value pairs",
  "type" : "object",
  "title" : "Advanced Properties"
}

1.6. AgentGroups

1.6.1. Realm Operations

Aggregating Agent Groups handler that is responsible for querying the aggregating agent groups

Resource path: /realm-config/agents/groups

Resource version: 1.0

1.6.1.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AgentGroups --realm Realm --actionName getAllTypes

1.6.1.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AgentGroups --realm Realm --actionName getCreatableTypes

1.6.1.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AgentGroups --realm Realm --actionName nextdescendents

1.6.1.4. query

Querying the aggregating agent groups

Usage:

am> query AgentGroups --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all. Fields that can be queried: [*]

1.7. AgentService

1.7.1. Global Operations

Resource path: /global-config/agents/AgentService

Resource version: 1.0

1.7.1.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AgentService --global --actionName getAllTypes

1.7.1.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AgentService --global --actionName getCreatableTypes

1.7.1.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AgentService --global --actionName nextdescendents

1.7.1.4. read

Usage:

am> read AgentService --global

1.7.1.5. update

Usage:

am> update AgentService --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object"
}

1.8. Agents

1.8.1. Realm Operations

Aggregating Agents handler that is responsible for querying the aggregating agents

Resource path: /realm-config/agents

Resource version: 1.0

1.8.1.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Agents --realm Realm --actionName getAllTypes

1.8.1.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Agents --realm Realm --actionName getCreatableTypes

1.8.1.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Agents --realm Realm --actionName nextdescendents

1.8.1.4. query

Querying the aggregating agents

Usage:

am> query Agents --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all. Fields that can be queried: [*]

1.8.2. Global Operations

Global and default configuration for agents

Resource path: /global-config/agents

Resource version: 1.0

1.8.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Agents --global --actionName getAllTypes

1.8.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Agents --global --actionName getCreatableTypes

1.8.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Agents --global --actionName nextdescendents

1.9. AmsterModule

1.9.1. Realm Operations

Resource path: /realm-config/authentication/modules/amster

Resource version: 1.0

1.9.1.1. create

Usage:

am> create AmsterModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authorizedKeys" : {
      "title" : "Authorized Keys",
      "description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "enabled" : {
      "title" : "Enabled",
      "description" : "If not enabled, prevents PKI login using the Amster module.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.9.1.2. delete

Usage:

am> delete AmsterModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.9.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AmsterModule --realm Realm --actionName getAllTypes

1.9.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AmsterModule --realm Realm --actionName getCreatableTypes

1.9.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AmsterModule --realm Realm --actionName nextdescendents

1.9.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query AmsterModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.9.1.7. read

Usage:

am> read AmsterModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.9.1.8. update

Usage:

am> update AmsterModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authorizedKeys" : {
      "title" : "Authorized Keys",
      "description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "enabled" : {
      "title" : "Enabled",
      "description" : "If not enabled, prevents PKI login using the Amster module.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.9.2. Global Operations

Resource path: /global-config/authentication/modules/amster

Resource version: 1.0

1.9.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AmsterModule --global --actionName getAllTypes

1.9.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AmsterModule --global --actionName getCreatableTypes

1.9.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AmsterModule --global --actionName nextdescendents

1.9.2.4. read

Usage:

am> read AmsterModule --global

1.9.2.5. update

Usage:

am> update AmsterModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "authorizedKeys" : {
          "title" : "Authorized Keys",
          "description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "enabled" : {
          "title" : "Enabled",
          "description" : "If not enabled, prevents PKI login using the Amster module.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.10. AnonymousModule

1.10.1. Realm Operations

Resource path: /realm-config/authentication/modules/anonymous

Resource version: 1.0

1.10.1.1. create

Usage:

am> create AnonymousModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "validAnonymousUsers" : {
      "title" : "Valid Anonymous Users",
      "description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allows anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>",
      "propertyOrder" : 100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "caseSensitiveUsernameMatchingEnabled" : {
      "title" : "Case Sensitive User IDs",
      "description" : "If enabled, username matching will be case sensitive.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "defaultAnonymousUsername" : {
      "title" : "Default Anonymous User Name",
      "description" : "The default username to use if no username is supplied during authentication.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.10.1.2. delete

Usage:

am> delete AnonymousModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.10.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AnonymousModule --realm Realm --actionName getAllTypes

1.10.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AnonymousModule --realm Realm --actionName getCreatableTypes

1.10.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AnonymousModule --realm Realm --actionName nextdescendents

1.10.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query AnonymousModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.10.1.7. read

Usage:

am> read AnonymousModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.10.1.8. update

Usage:

am> update AnonymousModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "validAnonymousUsers" : {
      "title" : "Valid Anonymous Users",
      "description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allows anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>",
      "propertyOrder" : 100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "caseSensitiveUsernameMatchingEnabled" : {
      "title" : "Case Sensitive User IDs",
      "description" : "If enabled, username matching will be case sensitive.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "defaultAnonymousUsername" : {
      "title" : "Default Anonymous User Name",
      "description" : "The default username to use if no username is supplied during authentication.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.10.2. Global Operations

Resource path: /global-config/authentication/modules/anonymous

Resource version: 1.0

1.10.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AnonymousModule --global --actionName getAllTypes

1.10.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AnonymousModule --global --actionName getCreatableTypes

1.10.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AnonymousModule --global --actionName nextdescendents

1.10.2.4. read

Usage:

am> read AnonymousModule --global

1.10.2.5. update

Usage:

am> update AnonymousModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "caseSensitiveUsernameMatchingEnabled" : {
          "title" : "Case Sensitive User IDs",
          "description" : "If enabled, username matching will be case sensitive.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "defaultAnonymousUsername" : {
          "title" : "Default Anonymous User Name",
          "description" : "The default username to use if no username is supplied during authentication.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "validAnonymousUsers" : {
          "title" : "Valid Anonymous Users",
          "description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allows anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>",
          "propertyOrder" : 100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.11. ApplicationTypes

1.11.1. Realm Operations

Service for reading and listing the available application types. Application types act as templates for policy sets, and define how to compare resources and index policies. OpenAM provides a default application type that represents web resources called iPlanetAMWebAgentService

Resource path: /applicationtypes

Resource version: 1.0

1.11.1.1. query

Lists the application types using a query filter

Usage:

am> query ApplicationTypes --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all. Fields that can be queried: [*]

1.11.1.2. read

Reads an individual application type by the provided application type name

Usage:

am> read ApplicationTypes --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.12. Applications

1.12.1. Realm Operations

Service for manipulating Applications. It supports the CRUDQ operations.

Resource path: /applications

Resource version: 2.1

1.12.1.1. create

Creates a new Application in a realm

Usage:

am> create Applications --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "Application schema",
  "type" : "object",
  "title" : "Application",
  "properties" : {
    "name" : {
      "type" : "string",
      "title" : "Name",
      "description" : "Unique application identifier."
    },
    "displayName" : {
      "type" : "string",
      "title" : "Display name",
      "description" : "When defined, it is displayed in the UI instead of application name."
    },
    "description" : {
      "type" : "string",
      "title" : "Description",
      "description" : "String describing the application."
    },
    "applicationType" : {
      "type" : "string",
      "title" : "Application type",
      "description" : "Name of the application type used as a template for the policy set."
    },
    "conditions" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Conditions",
        "description" : "Condition types allowed in the context of the policy set."
      }
    },
    "subjects" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Subjects",
        "description" : "Subject types allowed in the context of the policy set."
      }
    },
    "resourceTypeUuids" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Resource type uuids",
        "description" : "A list of the UUIDs of the resource types associated with the policy set."
      }
    },
    "entitlementCombiner" : {
      "type" : "string",
      "title" : "Entitlement combiner",
      "description" : "Name of the decision combiner, such as \"DenyOverride\"."
    },
    "searchIndex" : {
      "type" : "string",
      "title" : "Search index",
      "description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
    },
    "saveIndex" : {
      "type" : "string",
      "title" : "Save index",
      "description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
    },
    "resourceComparator" : {
      "type" : "string",
      "title" : "Resource comparator",
      "description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
    },
    "attributeNames" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Attribute names",
        "description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
      }
    },
    "createdBy" : {
      "type" : "string",
      "title" : "Created by",
      "description" : "A string containing the universal identifier DN of the subject that created the application."
    },
    "lastModifiedBy" : {
      "type" : "string",
      "title" : "Last modified by",
      "description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
    },
    "creationDate" : {
      "type" : "integer",
      "title" : "Creation date",
      "description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
    },
    "lastModifiedDate" : {
      "type" : "integer",
      "title" : "Last modified date",
      "description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
    },
    "editable" : {
      "type" : "boolean",
      "title" : "Editable",
      "description" : "It indicates if application is editable."
    }
  },
  "required" : [ "name", "applicationType" ]
}

1.12.1.2. delete

Deletes an individual Application in a realm specified by its name

Usage:

am> delete Applications --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.12.1.3. query

Lists all the Applications in a realm

Usage:

am> query Applications --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all. Fields that can be queried: [*]

1.12.1.4. read

Reads an individual Application in a realm specified by its name

Usage:

am> read Applications --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.12.1.5. update

Updates an individual Application in a realm specified by its name

Usage:

am> update Applications --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "Application schema",
  "type" : "object",
  "title" : "Application",
  "properties" : {
    "name" : {
      "type" : "string",
      "title" : "Name",
      "description" : "Unique application identifier."
    },
    "displayName" : {
      "type" : "string",
      "title" : "Display name",
      "description" : "When defined, it is displayed in the UI instead of application name."
    },
    "description" : {
      "type" : "string",
      "title" : "Description",
      "description" : "String describing the application."
    },
    "applicationType" : {
      "type" : "string",
      "title" : "Application type",
      "description" : "Name of the application type used as a template for the policy set."
    },
    "conditions" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Conditions",
        "description" : "Condition types allowed in the context of the policy set."
      }
    },
    "subjects" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Subjects",
        "description" : "Subject types allowed in the context of the policy set."
      }
    },
    "resourceTypeUuids" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Resource type uuids",
        "description" : "A list of the UUIDs of the resource types associated with the policy set."
      }
    },
    "entitlementCombiner" : {
      "type" : "string",
      "title" : "Entitlement combiner",
      "description" : "Name of the decision combiner, such as \"DenyOverride\"."
    },
    "searchIndex" : {
      "type" : "string",
      "title" : "Search index",
      "description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
    },
    "saveIndex" : {
      "type" : "string",
      "title" : "Save index",
      "description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
    },
    "resourceComparator" : {
      "type" : "string",
      "title" : "Resource comparator",
      "description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
    },
    "attributeNames" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Attribute names",
        "description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
      }
    },
    "createdBy" : {
      "type" : "string",
      "title" : "Created by",
      "description" : "A string containing the universal identifier DN of the subject that created the application."
    },
    "lastModifiedBy" : {
      "type" : "string",
      "title" : "Last modified by",
      "description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
    },
    "creationDate" : {
      "type" : "integer",
      "title" : "Creation date",
      "description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
    },
    "lastModifiedDate" : {
      "type" : "integer",
      "title" : "Last modified date",
      "description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
    },
    "editable" : {
      "type" : "boolean",
      "title" : "Editable",
      "description" : "It indicates if application is editable."
    }
  },
  "required" : [ "name", "applicationType" ]
}

1.13. AuditEvent

1.13.1. Realm Operations

Audit events are logged through a realm audit service.

Resource path: /realm-audit/{topic}

Resource version: 1.0

1.13.1.1. create

Create a new audit event, which will be handled and logged by the configured audit service.

Usage:

am> create AuditEvent --realm Realm --topic topic --body body

Parameters:

--topic

Audit events are logged through a realm audit service.

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "The schema contains properties that are common to all topics and some that are unique to a specific topic. The description of each property indicates which topic the property applies to.",
  "title" : "Audit event schema",
  "type" : "object",
  "properties" : {
    "_id" : {
      "title" : "ID",
      "description" : "The ID of the event, used by all topics",
      "type" : "string"
    },
    "timestamp" : {
      "title" : "Timestamp",
      "description" : "The time at which the event occurred, used by all topics",
      "type" : "string"
    },
    "eventName" : {
      "title" : "Event name",
      "description" : "The name of the event, used by all topics",
      "type" : "string"
    },
    "transactionId" : {
      "title" : "Transaction ID",
      "description" : "The transaction ID of the event, used by all topics",
      "type" : "string"
    },
    "userId" : {
      "title" : "User ID",
      "description" : "The ID of the user responsible for the event, used by all topics",
      "type" : "string"
    },
    "trackingIds" : {
      "title" : "Tracking IDs",
      "description" : "The tracking IDs of the event, used by all topics",
      "type" : "array",
      "items" : {
        "id" : "0",
        "type" : "string"
      }
    },
    "component" : {
      "title" : "Component",
      "description" : "The component responsible for the event, used by all topics",
      "type" : "string"
    },
    "realm" : {
      "title" : "Realm",
      "description" : "The realm in which the event occurred, used by all topics",
      "type" : "string"
    },
    "server" : {
      "title" : "Server",
      "description" : "The server details for an access event",
      "type" : "object",
      "properties" : {
        "ip" : {
          "title" : "Server IP address",
          "description" : "The server ip address for an access event",
          "type" : "string"
        },
        "port" : {
          "title" : "Server port",
          "description" : "The server port for an access event",
          "type" : "integer"
        }
      }
    },
    "client" : {
      "title" : "Client",
      "description" : "The client details for an access event",
      "type" : "object",
      "properties" : {
        "ip" : {
          "title" : "Client IP address",
          "description" : "The client IP address for an access event",
          "type" : "string"
        },
        "port" : {
          "title" : "Client port",
          "description" : "The client port for an access event",
          "type" : "integer"
        }
      }
    },
    "request" : {
      "title" : "Request",
      "description" : "The request details for an access event",
      "type" : "object",
      "properties" : {
        "protocol" : {
          "title" : "Request protocol",
          "description" : "The request protocol for an access event",
          "type" : "string"
        },
        "operation" : {
          "title" : "Request operation",
          "description" : "The request operation for an access event",
          "type" : "string"
        },
        "detail" : {
          "title" : "Request detail",
          "description" : "The request detail for an access event",
          "type" : "object"
        }
      }
    },
    "http" : {
      "title" : "Http details",
      "description" : "The Http details for an access event",
      "type" : "object",
      "properties" : {
        "request" : {
          "title" : "Http request",
          "description" : "The http request for an access event",
          "type" : "object",
          "properties" : {
            "secure" : {
              "title" : "Http secure",
              "description" : "The http secure property for an access event",
              "type" : "boolean"
            },
            "method" : {
              "title" : "Http method",
              "description" : "The http method for an access event",
              "type" : "string"
            },
            "path" : {
              "title" : "Http path",
              "description" : "The http path for an access event",
              "type" : "string"
            },
            "queryParameters" : {
              "title" : "Http query parameters",
              "description" : "The http query parameters for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "array",
                "items" : {
                  "type" : "string"
                }
              }
            },
            "headers" : {
              "title" : "Http headers",
              "description" : "The http headers for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "array",
                "items" : {
                  "type" : "string"
                }
              }
            },
            "cookies" : {
              "title" : "Http cookies",
              "description" : "The http cookies for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "string"
              }
            }
          }
        },
        "response" : {
          "title" : "Http response",
          "description" : "The http response for an access event",
          "type" : "object",
          "properties" : {
            "headers" : {
              "title" : "Http request headers",
              "description" : "The http request headers for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "array",
                "items" : {
                  "type" : "string"
                }
              }
            }
          }
        }
      }
    },
    "response" : {
      "title" : "Response",
      "description" : "The response details for an access event",
      "type" : "object",
      "properties" : {
        "status" : {
          "title" : "Response status",
          "description" : "The response status for an access event",
          "type" : "string"
        },
        "statusCode" : {
          "title" : "Response status code",
          "description" : "The response status code for an access event",
          "type" : "string"
        },
        "detail" : {
          "title" : "Response detail",
          "description" : "The response detail for an access event",
          "type" : "object"
        },
        "elapsedTime" : {
          "title" : "Response elapsed time",
          "description" : "The response elapsedTime for an access event",
          "type" : "integer"
        },
        "elapsedTimeUnits" : {
          "title" : "Response elapsed time units",
          "description" : "The response elapsed time units for an access event",
          "type" : "string"
        }
      }
    },
    "runAs" : {
      "title" : "Run as",
      "description" : "What the change that triggered an activity or config event was run as",
      "type" : "string"
    },
    "objectId" : {
      "title" : "Object ID",
      "description" : "The object ID of the change that triggered an activity or config event",
      "type" : "string"
    },
    "operation" : {
      "title" : "Operation",
      "description" : "The operation that triggered an activity or config event",
      "type" : "string"
    },
    "before" : {
      "title" : "Before state",
      "description" : "The state before an activity or config event occurred",
      "type" : "object"
    },
    "after" : {
      "title" : "After state",
      "description" : "The state after an activity or config event occurred",
      "type" : "object"
    },
    "changedFields" : {
      "title" : "Changed fields",
      "description" : "The changed fields after an activity or config event occurred",
      "type" : "array",
      "items" : {
        "id" : "1",
        "type" : "string"
      }
    },
    "revision" : {
      "title" : "Revision",
      "description" : "The revision for an activity or config event",
      "type" : "string"
    },
    "result" : {
      "title" : "Result",
      "description" : "The result of the authentication event",
      "type" : "string"
    },
    "principal" : {
      "title" : "Principal",
      "description" : "The principal responsible for the authentication event",
      "type" : "array",
      "items" : {
        "type" : "string"
      }
    },
    "context" : {
      "title" : "Context",
      "description" : "The context of an authentication event",
      "type" : "object",
      "properties" : { }
    },
    "entries" : {
      "title" : "Entries",
      "description" : "The entries for an authentication event",
      "type" : "array",
      "items" : {
        "type" : "object",
        "properties" : {
          "moduleId" : {
            "title" : "Module ID",
            "description" : "The module ID for the authentication event",
            "type" : "string"
          },
          "result" : {
            "title" : "Module result",
            "description" : "The result of the module authentication event",
            "type" : "string"
          },
          "info" : {
            "title" : "Entries information",
            "description" : "The entries information for an authentication event",
            "type" : "object",
            "properties" : { }
          }
        }
      }
    }
  },
  "required" : [ "transactionId", "timestamp" ]
}

1.13.2. Global Operations

Audit events are logged through the global audit service.

Resource path: /global-audit/{topic}

Resource version: 1.0

1.13.2.1. create

Create a new audit event, which will be handled and logged by the configured audit service.

Usage:

am> create AuditEvent --global --topic topic --body body

Parameters:

--topic

Audit events are logged through the global audit service.

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "The schema contains properties that are common to all topics and some that are unique to a specific topic. The description of each property indicates which topic the property applies to.",
  "title" : "Audit event schema",
  "type" : "object",
  "properties" : {
    "_id" : {
      "title" : "ID",
      "description" : "The ID of the event, used by all topics",
      "type" : "string"
    },
    "timestamp" : {
      "title" : "Timestamp",
      "description" : "The time at which the event occurred, used by all topics",
      "type" : "string"
    },
    "eventName" : {
      "title" : "Event name",
      "description" : "The name of the event, used by all topics",
      "type" : "string"
    },
    "transactionId" : {
      "title" : "Transaction ID",
      "description" : "The transaction ID of the event, used by all topics",
      "type" : "string"
    },
    "userId" : {
      "title" : "User ID",
      "description" : "The ID of the user responsible for the event, used by all topics",
      "type" : "string"
    },
    "trackingIds" : {
      "title" : "Tracking IDs",
      "description" : "The tracking IDs of the event, used by all topics",
      "type" : "array",
      "items" : {
        "id" : "0",
        "type" : "string"
      }
    },
    "component" : {
      "title" : "Component",
      "description" : "The component responsible for the event, used by all topics",
      "type" : "string"
    },
    "realm" : {
      "title" : "Realm",
      "description" : "The realm in which the event occurred, used by all topics",
      "type" : "string"
    },
    "server" : {
      "title" : "Server",
      "description" : "The server details for an access event",
      "type" : "object",
      "properties" : {
        "ip" : {
          "title" : "Server IP address",
          "description" : "The server ip address for an access event",
          "type" : "string"
        },
        "port" : {
          "title" : "Server port",
          "description" : "The server port for an access event",
          "type" : "integer"
        }
      }
    },
    "client" : {
      "title" : "Client",
      "description" : "The client details for an access event",
      "type" : "object",
      "properties" : {
        "ip" : {
          "title" : "Client IP address",
          "description" : "The client IP address for an access event",
          "type" : "string"
        },
        "port" : {
          "title" : "Client port",
          "description" : "The client port for an access event",
          "type" : "integer"
        }
      }
    },
    "request" : {
      "title" : "Request",
      "description" : "The request details for an access event",
      "type" : "object",
      "properties" : {
        "protocol" : {
          "title" : "Request protocol",
          "description" : "The request protocol for an access event",
          "type" : "string"
        },
        "operation" : {
          "title" : "Request operation",
          "description" : "The request operation for an access event",
          "type" : "string"
        },
        "detail" : {
          "title" : "Request detail",
          "description" : "The request detail for an access event",
          "type" : "object"
        }
      }
    },
    "http" : {
      "title" : "Http details",
      "description" : "The Http details for an access event",
      "type" : "object",
      "properties" : {
        "request" : {
          "title" : "Http request",
          "description" : "The http request for an access event",
          "type" : "object",
          "properties" : {
            "secure" : {
              "title" : "Http secure",
              "description" : "The http secure property for an access event",
              "type" : "boolean"
            },
            "method" : {
              "title" : "Http method",
              "description" : "The http method for an access event",
              "type" : "string"
            },
            "path" : {
              "title" : "Http path",
              "description" : "The http path for an access event",
              "type" : "string"
            },
            "queryParameters" : {
              "title" : "Http query parameters",
              "description" : "The http query parameters for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "array",
                "items" : {
                  "type" : "string"
                }
              }
            },
            "headers" : {
              "title" : "Http headers",
              "description" : "The http headers for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "array",
                "items" : {
                  "type" : "string"
                }
              }
            },
            "cookies" : {
              "title" : "Http cookies",
              "description" : "The http cookies for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "string"
              }
            }
          }
        },
        "response" : {
          "title" : "Http response",
          "description" : "The http response for an access event",
          "type" : "object",
          "properties" : {
            "headers" : {
              "title" : "Http request headers",
              "description" : "The http request headers for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "array",
                "items" : {
                  "type" : "string"
                }
              }
            }
          }
        }
      }
    },
    "response" : {
      "title" : "Response",
      "description" : "The response details for an access event",
      "type" : "object",
      "properties" : {
        "status" : {
          "title" : "Response status",
          "description" : "The response status for an access event",
          "type" : "string"
        },
        "statusCode" : {
          "title" : "Response status code",
          "description" : "The response status code for an access event",
          "type" : "string"
        },
        "detail" : {
          "title" : "Response detail",
          "description" : "The response detail for an access event",
          "type" : "object"
        },
        "elapsedTime" : {
          "title" : "Response elapsed time",
          "description" : "The response elapsedTime for an access event",
          "type" : "integer"
        },
        "elapsedTimeUnits" : {
          "title" : "Response elapsed time units",
          "description" : "The response elapsed time units for an access event",
          "type" : "string"
        }
      }
    },
    "runAs" : {
      "title" : "Run as",
      "description" : "What the change that triggered an activity or config event was run as",
      "type" : "string"
    },
    "objectId" : {
      "title" : "Object ID",
      "description" : "The object ID of the change that triggered an activity or config event",
      "type" : "string"
    },
    "operation" : {
      "title" : "Operation",
      "description" : "The operation that triggered an activity or config event",
      "type" : "string"
    },
    "before" : {
      "title" : "Before state",
      "description" : "The state before an activity or config event occurred",
      "type" : "object"
    },
    "after" : {
      "title" : "After state",
      "description" : "The state after an activity or config event occurred",
      "type" : "object"
    },
    "changedFields" : {
      "title" : "Changed fields",
      "description" : "The changed fields after an activity or config event occurred",
      "type" : "array",
      "items" : {
        "id" : "1",
        "type" : "string"
      }
    },
    "revision" : {
      "title" : "Revision",
      "description" : "The revision for an activity or config event",
      "type" : "string"
    },
    "result" : {
      "title" : "Result",
      "description" : "The result of the authentication event",
      "type" : "string"
    },
    "principal" : {
      "title" : "Principal",
      "description" : "The principal responsible for the authentication event",
      "type" : "array",
      "items" : {
        "type" : "string"
      }
    },
    "context" : {
      "title" : "Context",
      "description" : "The context of an authentication event",
      "type" : "object",
      "properties" : { }
    },
    "entries" : {
      "title" : "Entries",
      "description" : "The entries for an authentication event",
      "type" : "array",
      "items" : {
        "type" : "object",
        "properties" : {
          "moduleId" : {
            "title" : "Module ID",
            "description" : "The module ID for the authentication event",
            "type" : "string"
          },
          "result" : {
            "title" : "Module result",
            "description" : "The result of the module authentication event",
            "type" : "string"
          },
          "info" : {
            "title" : "Entries information",
            "description" : "The entries information for an authentication event",
            "type" : "object",
            "properties" : { }
          }
        }
      }
    }
  },
  "required" : [ "transactionId", "timestamp" ]
}

1.14. AuditLogging

1.14.1. Realm Operations

Resource path: /realm-config/services/audit

Resource version: 1.0

1.14.1.1. create

Usage:

am> create AuditLogging --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "fieldFilterPolicy" : {
      "title" : "Field exclusion policies",
      "description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
      "propertyOrder" : 200,
      "required" : false,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "auditEnabled" : {
      "title" : "Audit logging",
      "description" : "Enable audit logging in OpenAM.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}

1.14.1.2. delete

Usage:

am> delete AuditLogging --realm Realm

1.14.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuditLogging --realm Realm --actionName getAllTypes

1.14.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuditLogging --realm Realm --actionName getCreatableTypes

1.14.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuditLogging --realm Realm --actionName nextdescendents

1.14.1.6. read

Usage:

am> read AuditLogging --realm Realm

1.14.1.7. update

Usage:

am> update AuditLogging --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "fieldFilterPolicy" : {
      "title" : "Field exclusion policies",
      "description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
      "propertyOrder" : 200,
      "required" : false,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "auditEnabled" : {
      "title" : "Audit logging",
      "description" : "Enable audit logging in OpenAM.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}

1.14.2. Global Operations

Resource path: /global-config/services/audit

Resource version: 1.0

1.14.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuditLogging --global --actionName getAllTypes

1.14.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuditLogging --global --actionName getCreatableTypes

1.14.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuditLogging --global --actionName nextdescendents

1.14.2.4. read

Usage:

am> read AuditLogging --global

1.14.2.5. update

Usage:

am> update AuditLogging --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "auditEnabled" : {
      "title" : "Audit logging",
      "description" : "Enable audit logging in OpenAM.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "fieldFilterPolicy" : {
      "title" : "Field exclusion policies",
      "description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
      "propertyOrder" : 200,
      "required" : false,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "defaults" : {
      "properties" : {
        "fieldFilterPolicy" : {
          "title" : "Field exclusion policies",
          "description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
          "propertyOrder" : 200,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "auditEnabled" : {
          "title" : "Audit logging",
          "description" : "Enable audit logging in OpenAM.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.15. AuthLevelDecision

1.15.1. Realm Operations

Resource path: /realm-config/authentication/authenticationtrees/nodes/AuthLevelDecisionNode

Resource version: 1.0

1.15.1.1. create

Usage:

am> create AuthLevelDecision --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authLevelRequirement" : {
      "title" : "Sufficient Authentication Level",
      "description" : "The current authentication level must be greater than or equal to this value for the decision to return true.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.15.1.2. delete

Usage:

am> delete AuthLevelDecision --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.15.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthLevelDecision --realm Realm --actionName getAllTypes

1.15.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthLevelDecision --realm Realm --actionName getCreatableTypes

1.15.1.5. listOutcomes

List the available outcomes for the node type.

Usage:

am> action AuthLevelDecision --realm Realm --body body --actionName listOutcomes

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}

1.15.1.6. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthLevelDecision --realm Realm --actionName nextdescendents

1.15.1.7. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query AuthLevelDecision --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.15.1.8. read

Usage:

am> read AuthLevelDecision --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.15.1.9. update

Usage:

am> update AuthLevelDecision --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authLevelRequirement" : {
      "title" : "Sufficient Authentication Level",
      "description" : "The current authentication level must be greater than or equal to this value for the decision to return true.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.15.2. Global Operations

Resource path: /global-config/authentication/authenticationtrees/nodes/AuthLevelDecisionNode

Resource version: 1.0

1.15.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthLevelDecision --global --actionName getAllTypes

1.15.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthLevelDecision --global --actionName getCreatableTypes

1.15.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthLevelDecision --global --actionName nextdescendents

1.15.2.4. read

Usage:

am> read AuthLevelDecision --global

1.15.2.5. update

Usage:

am> update AuthLevelDecision --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object"
}

1.16. AuthTree

1.16.1. Realm Operations

Authentication trees.

Resource path: /realm-config/authentication/authenticationtrees/trees

Resource version: 1.0

1.16.1.1. create

Usage:

am> create AuthTree --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "description" : "A tree contains a set of nodes and their connections.",
  "type" : "object",
  "title" : "Authentication Tree",
  "properties" : {
    "nodes" : {
      "type" : "object",
      "title" : "Nodes",
      "description" : "A map of node ID to node association details.",
      "patternProperties" : {
        ".*" : {
          "type" : "object",
          "title" : "Node",
          "description" : "A association of a node with a tree.",
          "properties" : {
            "connections" : {
              "type" : "object",
              "title" : "Connections",
              "description" : "The node's connected outcomes.",
              "patternProperties" : {
                ".*" : {
                  "type" : "string",
                  "title" : "Node ID",
                  "description" : "The ID of the node that this outcome connects to."
                }
              }
            },
            "_outcomes" : {
              "type" : "array",
              "title" : "Outcomes",
              "description" : "The node's complete set of outcomes.",
              "readOnly" : true,
              "items" : {
                "type" : "object",
                "title" : "Outcome",
                "description" : "A possible outcome of the node.",
                "readOnly" : true,
                "properties" : {
                  "id" : {
                    "type" : "string",
                    "title" : "ID",
                    "description" : "The identifier of the outcome.",
                    "readOnly" : true
                  },
                  "displayName" : {
                    "type" : "string",
                    "title" : "Display Name",
                    "description" : "The display name of the outcome, in the requester's preferred locale.",
                    "readOnly" : true
                  }
                }
              }
            },
            "displayName" : {
              "title" : "Display Name",
              "description" : "The name of the node to show in the tree UI.",
              "propertyOrder" : 200,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "nodeType" : {
              "title" : "Type",
              "description" : "The name of the SMS service for this node.",
              "propertyOrder" : 100,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        }
      }
    },
    "entryNodeId" : {
      "title" : "Entry Node",
      "description" : "The ID of the node that the tree starts processing from.",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.16.1.2. delete

Usage:

am> delete AuthTree --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.16.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthTree --realm Realm --actionName getAllTypes

1.16.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthTree --realm Realm --actionName getCreatableTypes

1.16.1.5. getIds

Get the names of each tree configured in this realm.

Usage:

am> action AuthTree --realm Realm --actionName getIds

1.16.1.6. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthTree --realm Realm --actionName nextdescendents

1.16.1.7. query

Query for all authentication trees. Only a query filter of 'true' is supported.

Usage:

am> query AuthTree --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.16.1.8. read

Usage:

am> read AuthTree --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.16.1.9. update

Usage:

am> update AuthTree --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "description" : "A tree contains a set of nodes and their connections.",
  "type" : "object",
  "title" : "Authentication Tree",
  "properties" : {
    "nodes" : {
      "type" : "object",
      "title" : "Nodes",
      "description" : "A map of node ID to node association details.",
      "patternProperties" : {
        ".*" : {
          "type" : "object",
          "title" : "Node",
          "description" : "A association of a node with a tree.",
          "properties" : {
            "connections" : {
              "type" : "object",
              "title" : "Connections",
              "description" : "The node's connected outcomes.",
              "patternProperties" : {
                ".*" : {
                  "type" : "string",
                  "title" : "Node ID",
                  "description" : "The ID of the node that this outcome connects to."
                }
              }
            },
            "_outcomes" : {
              "type" : "array",
              "title" : "Outcomes",
              "description" : "The node's complete set of outcomes.",
              "readOnly" : true,
              "items" : {
                "type" : "object",
                "title" : "Outcome",
                "description" : "A possible outcome of the node.",
                "readOnly" : true,
                "properties" : {
                  "id" : {
                    "type" : "string",
                    "title" : "ID",
                    "description" : "The identifier of the outcome.",
                    "readOnly" : true
                  },
                  "displayName" : {
                    "type" : "string",
                    "title" : "Display Name",
                    "description" : "The display name of the outcome, in the requester's preferred locale.",
                    "readOnly" : true
                  }
                }
              }
            },
            "displayName" : {
              "title" : "Display Name",
              "description" : "The name of the node to show in the tree UI.",
              "propertyOrder" : 200,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "nodeType" : {
              "title" : "Type",
              "description" : "The name of the SMS service for this node.",
              "propertyOrder" : 100,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        }
      }
    },
    "entryNodeId" : {
      "title" : "Entry Node",
      "description" : "The ID of the node that the tree starts processing from.",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.16.1.10. validate

Validates a tree giving errors and warnings.

Usage:

am> action AuthTree --realm Realm --body body --actionName validate

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "description" : "A tree contains a set of nodes and their connections.",
  "type" : "object",
  "title" : "Authentication Tree",
  "properties" : {
    "nodes" : {
      "type" : "object",
      "title" : "Nodes",
      "description" : "A map of node ID to node association details.",
      "patternProperties" : {
        ".*" : {
          "type" : "object",
          "title" : "Node",
          "description" : "A association of a node with a tree.",
          "properties" : {
            "connections" : {
              "type" : "object",
              "title" : "Connections",
              "description" : "The node's connected outcomes.",
              "patternProperties" : {
                ".*" : {
                  "type" : "string",
                  "title" : "Node ID",
                  "description" : "The ID of the node that this outcome connects to."
                }
              }
            },
            "_outcomes" : {
              "type" : "array",
              "title" : "Outcomes",
              "description" : "The node's complete set of outcomes.",
              "readOnly" : true,
              "items" : {
                "type" : "object",
                "title" : "Outcome",
                "description" : "A possible outcome of the node.",
                "readOnly" : true,
                "properties" : {
                  "id" : {
                    "type" : "string",
                    "title" : "ID",
                    "description" : "The identifier of the outcome.",
                    "readOnly" : true
                  },
                  "displayName" : {
                    "type" : "string",
                    "title" : "Display Name",
                    "description" : "The display name of the outcome, in the requester's preferred locale.",
                    "readOnly" : true
                  }
                }
              }
            },
            "displayName" : {
              "title" : "Display Name",
              "description" : "The name of the node to show in the tree UI.",
              "propertyOrder" : 200,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "nodeType" : {
              "title" : "Type",
              "description" : "The name of the SMS service for this node.",
              "propertyOrder" : 100,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        }
      }
    },
    "entryNodeId" : {
      "title" : "Entry Node",
      "description" : "The ID of the node that the tree starts processing from.",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.17. Authentication

1.17.1. Realm Operations

Resource path: /realm-config/authentication

Resource version: 1.0

1.17.1.1. create

Usage:

am> create Authentication --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "core" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : -1,
      "properties" : {
        "adminAuthModule" : {
          "title" : "Administrator Authentication Configuration",
          "description" : "Default Authentication Chain for administrators<br><br>This is the authentication chain that will be used to authentication administrative users to this realm.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "orgConfig" : {
          "title" : "Organization Authentication Configuration",
          "description" : "Default Authentication Chain for users<br><br>This is the authentication chain that will be used to authenticate users to this realm.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "postauthprocess" : {
      "type" : "object",
      "title" : "Post Authentication Processing",
      "propertyOrder" : 5,
      "properties" : {
        "loginSuccessUrl" : {
          "title" : "Default Success Login URL",
          "description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
          "propertyOrder" : 1800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "loginFailureUrl" : {
          "title" : "Default Failure Login URL ",
          "description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
          "propertyOrder" : 1900,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "loginPostProcessClass" : {
          "title" : "Authentication Post Processing Classes",
          "description" : "A list of post authentication processing classes for all users in this realm.<br><br>This is a list of Post Processing Classes that will be called by OpenAM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set and their precedence. <br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.",
          "propertyOrder" : 2000,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "usernameGeneratorClass" : {
          "title" : "Pluggable User Name Generator Class",
          "description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>",
          "propertyOrder" : 2200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "usernameGeneratorEnabled" : {
          "title" : "Generate UserID Mode",
          "description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "userAttributeSessionMapping" : {
          "title" : "User Attribute Mapping to Session Attribute",
          "description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ",
          "propertyOrder" : 3000,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "general" : {
      "type" : "object",
      "title" : "General",
      "propertyOrder" : 3,
      "properties" : {
        "twoFactorRequired" : {
          "title" : "Two Factor Authentication Mandatory",
          "description" : "",
          "propertyOrder" : 3900,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "identityType" : {
          "title" : "Identity Types",
          "description" : "",
          "propertyOrder" : 2500,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "locale" : {
          "title" : "Default Authentication Locale",
          "description" : "",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "defaultAuthLevel" : {
          "title" : "Default Authentication Level",
          "description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.",
          "propertyOrder" : 4100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "userStatusCallbackPlugins" : {
          "title" : "Pluggable User Status Event Classes",
          "description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.",
          "propertyOrder" : 2600,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "statelessSessionsEnabled" : {
          "title" : "Use Stateless Sessions",
          "description" : "Enables stateless sessions.<br><br>Stateless sessions provide elastic scalability by storing all session state on the client in the SSO cookie. See Session service configuration to enable signing and encryption (HIGHLY RECOMMENDED).",
          "propertyOrder" : 3800,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "accountlockout" : {
      "type" : "object",
      "title" : "Account Lockout",
      "propertyOrder" : 2,
      "properties" : {
        "lockoutAttributeName" : {
          "title" : "Lockout Attribute Name",
          "description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. ",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "lockoutDurationMultiplier" : {
          "title" : "Lockout Duration Multiplier",
          "description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function.  ",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "loginFailureCount" : {
          "title" : "Login Failure Lockout Count",
          "description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "storeInvalidAttemptsInDataStore" : {
          "title" : "Store Invalid Attempts in Data Store",
          "description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled OpenAM will store the users invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property.",
          "propertyOrder" : 2700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "lockoutDuration" : {
          "title" : "Login Failure Lockout Duration",
          "description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "loginFailureLockoutMode" : {
          "title" : "Login Failure Lockout Mode",
          "description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "lockoutWarnUserCount" : {
          "title" : "Warn User After N Failures",
          "description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "lockoutEmailAddress" : {
          "title" : "Email Address to Send Lockout Notification",
          "description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "invalidAttemptsDataAttributeName" : {
          "title" : "Invalid Attempts Data Attribute Name",
          "description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "loginFailureDuration" : {
          "title" : "Login Failure Lockout Interval",
          "description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "lockoutAttributeValue" : {
          "title" : "Lockout Attribute Value",
          "description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "security" : {
      "type" : "object",
      "title" : "Security",
      "propertyOrder" : 4,
      "properties" : {
        "sharedSecret" : {
          "title" : "Organization Authentication Signing Secret",
          "description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. Should be at Base-64 encoded and at least 128-bits in length. By default a cryptographically secure random value is generated.",
          "propertyOrder" : 4000,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "zeroPageLoginAllowedWithoutReferrer" : {
          "title" : "Zero Page Login Allowed without Referer?",
          "description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.",
          "propertyOrder" : 3700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "zeroPageLoginEnabled" : {
          "title" : "Zero Page Login",
          "description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.",
          "propertyOrder" : 3400,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "zeroPageLoginReferrerWhiteList" : {
          "title" : "Zero Page Login Referer Whitelist",
          "description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.",
          "propertyOrder" : 3600,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "moduleBasedAuthEnabled" : {
          "title" : "Module Based Authentication",
          "description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.",
          "propertyOrder" : 2800,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "keyAlias" : {
          "title" : "Persistent Cookie Encryption Certificate Alias",
          "description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.",
          "propertyOrder" : 3300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "userprofile" : {
      "type" : "object",
      "title" : "User Profile",
      "propertyOrder" : 0,
      "properties" : {
        "defaultRole" : {
          "title" : "User Profile Dynamic Creation Default Roles",
          "description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.",
          "propertyOrder" : 300,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "dynamicProfileCreation" : {
          "title" : "User Profile",
          "description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "aliasAttributeName" : {
          "title" : "Alias Search Attribute Name",
          "description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.",
          "propertyOrder" : 400,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    }
  }
}

1.17.1.2. delete

Usage:

am> delete Authentication --realm Realm

1.17.1.3. read

Usage:

am> read Authentication --realm Realm

1.17.1.4. update

Usage:

am> update Authentication --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "core" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : -1,
      "properties" : {
        "adminAuthModule" : {
          "title" : "Administrator Authentication Configuration",
          "description" : "Default Authentication Chain for administrators<br><br>This is the authentication chain that will be used to authentication administrative users to this realm.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "orgConfig" : {
          "title" : "Organization Authentication Configuration",
          "description" : "Default Authentication Chain for users<br><br>This is the authentication chain that will be used to authenticate users to this realm.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "postauthprocess" : {
      "type" : "object",
      "title" : "Post Authentication Processing",
      "propertyOrder" : 5,
      "properties" : {
        "loginSuccessUrl" : {
          "title" : "Default Success Login URL",
          "description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
          "propertyOrder" : 1800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "loginFailureUrl" : {
          "title" : "Default Failure Login URL ",
          "description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
          "propertyOrder" : 1900,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "loginPostProcessClass" : {
          "title" : "Authentication Post Processing Classes",
          "description" : "A list of post authentication processing classes for all users in this realm.<br><br>This is a list of Post Processing Classes that will be called by OpenAM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set and their precedence. <br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.",
          "propertyOrder" : 2000,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "usernameGeneratorClass" : {
          "title" : "Pluggable User Name Generator Class",
          "description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>",
          "propertyOrder" : 2200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "usernameGeneratorEnabled" : {
          "title" : "Generate UserID Mode",
          "description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "userAttributeSessionMapping" : {
          "title" : "User Attribute Mapping to Session Attribute",
          "description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ",
          "propertyOrder" : 3000,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "general" : {
      "type" : "object",
      "title" : "General",
      "propertyOrder" : 3,
      "properties" : {
        "twoFactorRequired" : {
          "title" : "Two Factor Authentication Mandatory",
          "description" : "",
          "propertyOrder" : 3900,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "identityType" : {
          "title" : "Identity Types",
          "description" : "",
          "propertyOrder" : 2500,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "locale" : {
          "title" : "Default Authentication Locale",
          "description" : "",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "defaultAuthLevel" : {
          "title" : "Default Authentication Level",
          "description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.",
          "propertyOrder" : 4100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "userStatusCallbackPlugins" : {
          "title" : "Pluggable User Status Event Classes",
          "description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.",
          "propertyOrder" : 2600,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "statelessSessionsEnabled" : {
          "title" : "Use Stateless Sessions",
          "description" : "Enables stateless sessions.<br><br>Stateless sessions provide elastic scalability by storing all session state on the client in the SSO cookie. See Session service configuration to enable signing and encryption (HIGHLY RECOMMENDED).",
          "propertyOrder" : 3800,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "accountlockout" : {
      "type" : "object",
      "title" : "Account Lockout",
      "propertyOrder" : 2,
      "properties" : {
        "lockoutAttributeName" : {
          "title" : "Lockout Attribute Name",
          "description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. ",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "lockoutDurationMultiplier" : {
          "title" : "Lockout Duration Multiplier",
          "description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function.  ",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "loginFailureCount" : {
          "title" : "Login Failure Lockout Count",
          "description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "storeInvalidAttemptsInDataStore" : {
          "title" : "Store Invalid Attempts in Data Store",
          "description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled OpenAM will store the users invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property.",
          "propertyOrder" : 2700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "lockoutDuration" : {
          "title" : "Login Failure Lockout Duration",
          "description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "loginFailureLockoutMode" : {
          "title" : "Login Failure Lockout Mode",
          "description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "lockoutWarnUserCount" : {
          "title" : "Warn User After N Failures",
          "description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "lockoutEmailAddress" : {
          "title" : "Email Address to Send Lockout Notification",
          "description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "invalidAttemptsDataAttributeName" : {
          "title" : "Invalid Attempts Data Attribute Name",
          "description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "loginFailureDuration" : {
          "title" : "Login Failure Lockout Interval",
          "description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "lockoutAttributeValue" : {
          "title" : "Lockout Attribute Value",
          "description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "security" : {
      "type" : "object",
      "title" : "Security",
      "propertyOrder" : 4,
      "properties" : {
        "sharedSecret" : {
          "title" : "Organization Authentication Signing Secret",
          "description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. Should be at Base-64 encoded and at least 128-bits in length. By default a cryptographically secure random value is generated.",
          "propertyOrder" : 4000,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "zeroPageLoginAllowedWithoutReferrer" : {
          "title" : "Zero Page Login Allowed without Referer?",
          "description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.",
          "propertyOrder" : 3700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "zeroPageLoginEnabled" : {
          "title" : "Zero Page Login",
          "description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.",
          "propertyOrder" : 3400,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "zeroPageLoginReferrerWhiteList" : {
          "title" : "Zero Page Login Referer Whitelist",
          "description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.",
          "propertyOrder" : 3600,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "moduleBasedAuthEnabled" : {
          "title" : "Module Based Authentication",
          "description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.",
          "propertyOrder" : 2800,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "keyAlias" : {
          "title" : "Persistent Cookie Encryption Certificate Alias",
          "description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.",
          "propertyOrder" : 3300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "userprofile" : {
      "type" : "object",
      "title" : "User Profile",
      "propertyOrder" : 0,
      "properties" : {
        "defaultRole" : {
          "title" : "User Profile Dynamic Creation Default Roles",
          "description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.",
          "propertyOrder" : 300,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "dynamicProfileCreation" : {
          "title" : "User Profile",
          "description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "aliasAttributeName" : {
          "title" : "Alias Search Attribute Name",
          "description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.",
          "propertyOrder" : 400,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    }
  }
}

1.17.2. Global Operations

Resource path: /global-config/authentication

Resource version: 1.0

1.17.2.1. read

Usage:

am> read Authentication --global

1.17.2.2. update

Usage:

am> update Authentication --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "ldapConnectionPoolDefaultSize" : {
      "title" : "Default LDAP Connection Pool Size",
      "description" : "The default connection pool size; format is: mininum:maximum",
      "propertyOrder" : 2400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "keepPostProcessInstances" : {
      "title" : "Keep Post Process Objects for Logout Processing",
      "description" : "Store Post Processing Classes for the duration of the session.<br><br>Enabling this setting will cause OpenAM to store instances of post processing classes into the users session. When the user logs out the original instances of the post processing classes will be called instead of new instances. This may be needed for special logout processing.<br/><br/><i>NB </i>Enabling this setting will increase the memory usage of OpenAM.",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "remoteAuthSecurityEnabled" : {
      "title" : "Remote Auth Security",
      "description" : "OpenAM requires authentication client to authenticate itself before authenticating users.<br><br>When this setting is enabled, OpenAM will require the authentication client (such as a policy agent) to authentication itself to OpenAM before the client will be allow to use the remote authentication API to authenticate users. ",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticators" : {
      "title" : "Pluggable Authentication Module Classes",
      "description" : "List of configured authentication modules<br><br>The list of configured authentication modules available to OpenAM. All modules must extend from the <code>com.sun.identity.authentication.spi.AMLoginModule</code> class.",
      "propertyOrder" : 500,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "ldapConnectionPoolSize" : {
      "title" : "LDAP Connection Pool Size",
      "description" : "Controls the size of the LDAP connection pool used for authentication<br><br>Control the size of the connection pool to the LDAP directory server used by any of the authentication modules that use LDAP directly such as LDAP or Active Directory.Different OpenAM servers can be configured with different connection pool settings.<br/><br/>Format: host:port:minimum:maximum",
      "propertyOrder" : 2300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "defaults" : {
      "properties" : {
        "general" : {
          "type" : "object",
          "title" : "General",
          "propertyOrder" : 3,
          "properties" : {
            "statelessSessionsEnabled" : {
              "title" : "Use Stateless Sessions",
              "description" : "Enables stateless sessions.<br><br>Stateless sessions provide elastic scalability by storing all session state on the client in the SSO cookie. See Session service configuration to enable signing and encryption (HIGHLY RECOMMENDED).",
              "propertyOrder" : 3800,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "userStatusCallbackPlugins" : {
              "title" : "Pluggable User Status Event Classes",
              "description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.",
              "propertyOrder" : 2600,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "twoFactorRequired" : {
              "title" : "Two Factor Authentication Mandatory",
              "description" : "",
              "propertyOrder" : 3900,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "defaultAuthLevel" : {
              "title" : "Default Authentication Level",
              "description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.",
              "propertyOrder" : 4100,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "locale" : {
              "title" : "Default Authentication Locale",
              "description" : "",
              "propertyOrder" : 600,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "identityType" : {
              "title" : "Identity Types",
              "description" : "",
              "propertyOrder" : 2500,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            }
          }
        },
        "accountlockout" : {
          "type" : "object",
          "title" : "Account Lockout",
          "propertyOrder" : 2,
          "properties" : {
            "lockoutEmailAddress" : {
              "title" : "Email Address to Send Lockout Notification",
              "description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.",
              "propertyOrder" : 1100,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "lockoutWarnUserCount" : {
              "title" : "Warn User After N Failures",
              "description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.",
              "propertyOrder" : 1200,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "storeInvalidAttemptsInDataStore" : {
              "title" : "Store Invalid Attempts in Data Store",
              "description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled OpenAM will store the users invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property.",
              "propertyOrder" : 2700,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "lockoutAttributeName" : {
              "title" : "Lockout Attribute Name",
              "description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. ",
              "propertyOrder" : 1500,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "invalidAttemptsDataAttributeName" : {
              "title" : "Invalid Attempts Data Attribute Name",
              "description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.",
              "propertyOrder" : 1700,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "loginFailureDuration" : {
              "title" : "Login Failure Lockout Interval",
              "description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.",
              "propertyOrder" : 1000,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "lockoutDurationMultiplier" : {
              "title" : "Lockout Duration Multiplier",
              "description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function.  ",
              "propertyOrder" : 1400,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "lockoutDuration" : {
              "title" : "Login Failure Lockout Duration",
              "description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.",
              "propertyOrder" : 1300,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "lockoutAttributeValue" : {
              "title" : "Lockout Attribute Value",
              "description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.",
              "propertyOrder" : 1600,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "loginFailureCount" : {
              "title" : "Login Failure Lockout Count",
              "description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.",
              "propertyOrder" : 900,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "loginFailureLockoutMode" : {
              "title" : "Login Failure Lockout Mode",
              "description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.",
              "propertyOrder" : 800,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "postauthprocess" : {
          "type" : "object",
          "title" : "Post Authentication Processing",
          "propertyOrder" : 5,
          "properties" : {
            "loginFailureUrl" : {
              "title" : "Default Failure Login URL ",
              "description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
              "propertyOrder" : 1900,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "usernameGeneratorEnabled" : {
              "title" : "Generate UserID Mode",
              "description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.",
              "propertyOrder" : 2100,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "usernameGeneratorClass" : {
              "title" : "Pluggable User Name Generator Class",
              "description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>",
              "propertyOrder" : 2200,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "loginSuccessUrl" : {
              "title" : "Default Success Login URL",
              "description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
              "propertyOrder" : 1800,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "userAttributeSessionMapping" : {
              "title" : "User Attribute Mapping to Session Attribute",
              "description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ",
              "propertyOrder" : 3000,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "loginPostProcessClass" : {
              "title" : "Authentication Post Processing Classes",
              "description" : "A list of post authentication processing classes for all users in this realm.<br><br>This is a list of Post Processing Classes that will be called by OpenAM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set and their precedence. <br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.",
              "propertyOrder" : 2000,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            }
          }
        },
        "security" : {
          "type" : "object",
          "title" : "Security",
          "propertyOrder" : 4,
          "properties" : {
            "sharedSecret" : {
              "title" : "Organization Authentication Signing Secret",
              "description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. Should be at Base-64 encoded and at least 128-bits in length. By default a cryptographically secure random value is generated.",
              "propertyOrder" : 4000,
              "required" : true,
              "type" : "string",
              "format" : "password",
              "exampleValue" : ""
            },
            "moduleBasedAuthEnabled" : {
              "title" : "Module Based Authentication",
              "description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.",
              "propertyOrder" : 2800,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "zeroPageLoginReferrerWhiteList" : {
              "title" : "Zero Page Login Referer Whitelist",
              "description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.",
              "propertyOrder" : 3600,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "zeroPageLoginEnabled" : {
              "title" : "Zero Page Login",
              "description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.",
              "propertyOrder" : 3400,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "zeroPageLoginAllowedWithoutReferrer" : {
              "title" : "Zero Page Login Allowed without Referer?",
              "description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.",
              "propertyOrder" : 3700,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "keyAlias" : {
              "title" : "Persistent Cookie Encryption Certificate Alias",
              "description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.",
              "propertyOrder" : 3300,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "userprofile" : {
          "type" : "object",
          "title" : "User Profile",
          "propertyOrder" : 0,
          "properties" : {
            "aliasAttributeName" : {
              "title" : "Alias Search Attribute Name",
              "description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.",
              "propertyOrder" : 400,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "dynamicProfileCreation" : {
              "title" : "User Profile",
              "description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.",
              "propertyOrder" : 100,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "defaultRole" : {
              "title" : "User Profile Dynamic Creation Default Roles",
              "description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.",
              "propertyOrder" : 300,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            }
          }
        },
        "core" : {
          "type" : "object",
          "title" : "Core",
          "propertyOrder" : -1,
          "properties" : {
            "adminAuthModule" : {
              "title" : "Administrator Authentication Configuration",
              "description" : "Default Authentication Chain for administrators<br><br>This is the authentication chain that will be used to authentication administrative users to this realm.",
              "propertyOrder" : 200,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "orgConfig" : {
              "title" : "Organization Authentication Configuration",
              "description" : "Default Authentication Chain for users<br><br>This is the authentication chain that will be used to authenticate users to this realm.",
              "propertyOrder" : 700,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.18. AuthenticationChains

1.18.1. Realm Operations

Resource path: /realm-config/authentication/chains

Resource version: 1.0

1.18.1.1. create

Usage:

am> create AuthenticationChains --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "loginPostProcessClass" : {
      "title" : "Authentication Post Processing Classes",
      "description" : "Example: com.abc.authentication.PostProcessClass",
      "propertyOrder" : 400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "loginSuccessUrl" : {
      "title" : "Login Success URL",
      "description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
      "propertyOrder" : 200,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "authChainConfiguration" : {
      "title" : "Authentication Configuration",
      "description" : "",
      "propertyOrder" : 100,
      "required" : true,
      "exampleValue" : "",
      "type" : "array",
      "items" : {
        "type" : "object",
        "properties" : {
          "module" : {
            "type" : "string"
          },
          "criteria" : {
            "type" : "string"
          },
          "options" : {
            "type" : "object",
            "patternProperties" : {
              ".*" : {
                "type" : "string"
              }
            }
          }
        }
      }
    },
    "loginFailureUrl" : {
      "title" : "Login Failed URL",
      "description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.18.1.2. delete

Usage:

am> delete AuthenticationChains --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.18.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticationChains --realm Realm --actionName getAllTypes

1.18.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticationChains --realm Realm --actionName getCreatableTypes

1.18.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticationChains --realm Realm --actionName nextdescendents

1.18.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query AuthenticationChains --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.18.1.7. read

Usage:

am> read AuthenticationChains --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.18.1.8. update

Usage:

am> update AuthenticationChains --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "loginPostProcessClass" : {
      "title" : "Authentication Post Processing Classes",
      "description" : "Example: com.abc.authentication.PostProcessClass",
      "propertyOrder" : 400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "loginSuccessUrl" : {
      "title" : "Login Success URL",
      "description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
      "propertyOrder" : 200,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "authChainConfiguration" : {
      "title" : "Authentication Configuration",
      "description" : "",
      "propertyOrder" : 100,
      "required" : true,
      "exampleValue" : "",
      "type" : "array",
      "items" : {
        "type" : "object",
        "properties" : {
          "module" : {
            "type" : "string"
          },
          "criteria" : {
            "type" : "string"
          },
          "options" : {
            "type" : "object",
            "patternProperties" : {
              ".*" : {
                "type" : "string"
              }
            }
          }
        }
      }
    },
    "loginFailureUrl" : {
      "title" : "Login Failed URL",
      "description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.18.2. Global Operations

Resource path: /global-config/authentication/chains

Resource version: 1.0

1.18.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticationChains --global --actionName getAllTypes

1.18.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticationChains --global --actionName getCreatableTypes

1.18.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticationChains --global --actionName nextdescendents

1.18.2.4. read

Usage:

am> read AuthenticationChains --global

1.18.2.5. update

Usage:

am> update AuthenticationChains --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "dynamic" : {
      "properties" : {
        "authChainConfiguration" : {
          "title" : "Authentication Configuration",
          "description" : "",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Dynamic Attributes"
    }
  }
}

1.19. AuthenticationModules

1.19.1. Realm Operations

The collection of all authentication modules in a realm allows querying for all module instances.

Resource path: /realm-config/authentication/modules

Resource version: 1.0

1.19.1.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticationModules --realm Realm --actionName getAllTypes

1.19.1.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticationModules --realm Realm --actionName getCreatableTypes

1.19.1.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticationModules --realm Realm --actionName nextdescendents

1.19.1.4. query

Query for authentication module instances

Usage:

am> query AuthenticationModules --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all. Fields that can be queried: [_id]

1.19.2. Global Operations

Global and default configuration for authentication modules

Resource path: /global-config/authentication/modules

Resource version: 1.0

1.19.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticationModules --global --actionName getAllTypes

1.19.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticationModules --global --actionName getCreatableTypes

1.19.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticationModules --global --actionName nextdescendents

1.20. AuthenticationNodes

1.20.1. Realm Operations

Auth Tree Nodes

Resource path: /realm-config/authentication/authenticationtrees/nodes

Resource version: 1.0

1.20.1.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticationNodes --realm Realm --actionName getAllTypes

1.20.1.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticationNodes --realm Realm --actionName getCreatableTypes

1.20.1.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticationNodes --realm Realm --actionName nextdescendents

1.20.2. Global Operations

Auth Tree Nodes

Resource path: /global-config/authentication/authenticationtrees/nodes

Resource version: 1.0

1.20.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticationNodes --global --actionName getAllTypes

1.20.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticationNodes --global --actionName getCreatableTypes

1.20.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticationNodes --global --actionName nextdescendents

1.21. AuthenticationTreesConfiguration

1.21.1. Realm Operations

Sub-path parent for all authentication tree configuration.

Resource path: /realm-config/authentication/authenticationtrees

Resource version: 1.0

1.21.1.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticationTreesConfiguration --realm Realm --actionName getAllTypes

1.21.1.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticationTreesConfiguration --realm Realm --actionName getCreatableTypes

1.21.1.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticationTreesConfiguration --realm Realm --actionName nextdescendents

1.21.2. Global Operations

Resource path: /global-config/authentication/authenticationtrees

Resource version: 1.0

1.21.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticationTreesConfiguration --global --actionName getAllTypes

1.21.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticationTreesConfiguration --global --actionName getCreatableTypes

1.21.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticationTreesConfiguration --global --actionName nextdescendents

1.21.2.4. read

Usage:

am> read AuthenticationTreesConfiguration --global

1.21.2.5. update

Usage:

am> update AuthenticationTreesConfiguration --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object"
}

1.22. AuthenticatorOath

1.22.1. Realm Operations

Resource path: /realm-config/services/authenticatorOathService

Resource version: 1.0

1.22.1.1. create

Usage:

am> create AuthenticatorOath --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
      "title" : "Key-Pair Alias",
      "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
      "propertyOrder" : 600,
      "required" : false,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
      "title" : "Key Store Type",
      "description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 keys tores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "oathAttrName" : {
      "title" : "Profile Storage Attribute",
      "description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystore" : {
      "title" : "Encryption Key Store",
      "description" : "Path to the key store from which to load encryption keys.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
      "title" : "Key Store Password",
      "description" : "Password to unlock the key store. This password will be encrypted.",
      "propertyOrder" : 500,
      "required" : false,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "authenticatorOATHSkippableName" : {
      "title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
      "description" : "The data store attribute that holds the user's decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionScheme" : {
      "title" : "Device Profile Encryption Scheme",
      "description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
      "title" : "Private Key Password",
      "description" : "Password to unlock the private key.",
      "propertyOrder" : 700,
      "required" : false,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    }
  }
}

1.22.1.2. delete

Usage:

am> delete AuthenticatorOath --realm Realm

1.22.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorOath --realm Realm --actionName getAllTypes

1.22.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorOath --realm Realm --actionName getCreatableTypes

1.22.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorOath --realm Realm --actionName nextdescendents

1.22.1.6. read

Usage:

am> read AuthenticatorOath --realm Realm

1.22.1.7. update

Usage:

am> update AuthenticatorOath --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
      "title" : "Key-Pair Alias",
      "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
      "propertyOrder" : 600,
      "required" : false,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
      "title" : "Key Store Type",
      "description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 keys tores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "oathAttrName" : {
      "title" : "Profile Storage Attribute",
      "description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystore" : {
      "title" : "Encryption Key Store",
      "description" : "Path to the key store from which to load encryption keys.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
      "title" : "Key Store Password",
      "description" : "Password to unlock the key store. This password will be encrypted.",
      "propertyOrder" : 500,
      "required" : false,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "authenticatorOATHSkippableName" : {
      "title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
      "description" : "The data store attribute that holds the user's decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionScheme" : {
      "title" : "Device Profile Encryption Scheme",
      "description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
      "title" : "Private Key Password",
      "description" : "Password to unlock the private key.",
      "propertyOrder" : 700,
      "required" : false,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    }
  }
}

1.22.2. Global Operations

Resource path: /global-config/services/authenticatorOathService

Resource version: 1.0

1.22.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorOath --global --actionName getAllTypes

1.22.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorOath --global --actionName getCreatableTypes

1.22.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorOath --global --actionName nextdescendents

1.22.2.4. read

Usage:

am> read AuthenticatorOath --global

1.22.2.5. update

Usage:

am> update AuthenticatorOath --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
          "title" : "Key Store Password",
          "description" : "Password to unlock the key store. This password will be encrypted.",
          "propertyOrder" : 500,
          "required" : false,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "authenticatorOATHDeviceSettingsEncryptionKeystore" : {
          "title" : "Encryption Key Store",
          "description" : "Path to the key store from which to load encryption keys.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "oathAttrName" : {
          "title" : "Profile Storage Attribute",
          "description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorOATHSkippableName" : {
          "title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
          "description" : "The data store attribute that holds the user's decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
          "title" : "Key Store Type",
          "description" : "Type of encryption key store.<br><br><i>Note:</i> PKCS#11 keys tores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
          "title" : "Private Key Password",
          "description" : "Password to unlock the private key.",
          "propertyOrder" : 700,
          "required" : false,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
          "title" : "Key-Pair Alias",
          "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
          "propertyOrder" : 600,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorOATHDeviceSettingsEncryptionScheme" : {
          "title" : "Device Profile Encryption Scheme",
          "description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.23. AuthenticatorOathModule

1.23.1. Realm Operations

Resource path: /realm-config/authentication/modules/authenticatoroath

Resource version: 1.0

1.23.1.1. create

Usage:

am> create AuthenticatorOathModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "totpTimeStepInterval" : {
      "title" : "TOTP Time Step Interval",
      "description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "oathIssuerName" : {
      "title" : "Name of the Issuer",
      "description" : "Name to identify the OTP issuer.",
      "propertyOrder" : 1100,
      "required" : true,
      "type" : "string",
      "exampleValue" : "ForgeRock"
    },
    "oathAlgorithm" : {
      "title" : "OATH Algorithm to Use",
      "description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "minimumSecretKeyLength" : {
      "title" : "Minimum Secret Key Length",
      "description" : "Number of hexadecimal characters allowed for the Secret Key.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "frOathOtpMaxRetry" : {
      "title" : "One Time Password Max Retry",
      "description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
      "propertyOrder" : null,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "truncationOffset" : {
      "title" : "Truncation Offset",
      "description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left default unless you know your device uses a offset.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "hotpWindowSize" : {
      "title" : "HOTP Window Size",
      "description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the servers last successful login was at counter value 2, then the server will accept a OTP from the OTP device that is from device counter 3 to 102.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "totpTimeStepsInWindow" : {
      "title" : "TOTP Time Steps",
      "description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 1 time steps and a time step interval of 30 seconds the server will allow a code between the previous code, the current code and the next code.",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "addChecksumToOtpEnabled" : {
      "title" : "Add Checksum Digit",
      "description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "totpMaximumClockDrift" : {
      "title" : "Maximum Allowed Clock Drift",
      "description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds the server will allow codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "passwordLength" : {
      "title" : "One Time Password Length ",
      "description" : "The length of the generated OTP in digits, must be at least 6 and compatible with the hardware/software OTP generators you expect your end-users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.23.1.2. delete

Usage:

am> delete AuthenticatorOathModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.23.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorOathModule --realm Realm --actionName getAllTypes

1.23.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorOathModule --realm Realm --actionName getCreatableTypes

1.23.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorOathModule --realm Realm --actionName nextdescendents

1.23.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query AuthenticatorOathModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.23.1.7. read

Usage:

am> read AuthenticatorOathModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.23.1.8. update

Usage:

am> update AuthenticatorOathModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "totpTimeStepInterval" : {
      "title" : "TOTP Time Step Interval",
      "description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "oathIssuerName" : {
      "title" : "Name of the Issuer",
      "description" : "Name to identify the OTP issuer.",
      "propertyOrder" : 1100,
      "required" : true,
      "type" : "string",
      "exampleValue" : "ForgeRock"
    },
    "oathAlgorithm" : {
      "title" : "OATH Algorithm to Use",
      "description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "minimumSecretKeyLength" : {
      "title" : "Minimum Secret Key Length",
      "description" : "Number of hexadecimal characters allowed for the Secret Key.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "frOathOtpMaxRetry" : {
      "title" : "One Time Password Max Retry",
      "description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
      "propertyOrder" : null,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "truncationOffset" : {
      "title" : "Truncation Offset",
      "description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left default unless you know your device uses a offset.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "hotpWindowSize" : {
      "title" : "HOTP Window Size",
      "description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the servers last successful login was at counter value 2, then the server will accept a OTP from the OTP device that is from device counter 3 to 102.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "totpTimeStepsInWindow" : {
      "title" : "TOTP Time Steps",
      "description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 1 time steps and a time step interval of 30 seconds the server will allow a code between the previous code, the current code and the next code.",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "addChecksumToOtpEnabled" : {
      "title" : "Add Checksum Digit",
      "description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "totpMaximumClockDrift" : {
      "title" : "Maximum Allowed Clock Drift",
      "description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds the server will allow codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "passwordLength" : {
      "title" : "One Time Password Length ",
      "description" : "The length of the generated OTP in digits, must be at least 6 and compatible with the hardware/software OTP generators you expect your end-users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.23.2. Global Operations

Resource path: /global-config/authentication/modules/authenticatoroath

Resource version: 1.0

1.23.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorOathModule --global --actionName getAllTypes

1.23.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorOathModule --global --actionName getCreatableTypes

1.23.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorOathModule --global --actionName nextdescendents

1.23.2.4. read

Usage:

am> read AuthenticatorOathModule --global

1.23.2.5. update

Usage:

am> update AuthenticatorOathModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "hotpWindowSize" : {
          "title" : "HOTP Window Size",
          "description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the servers last successful login was at counter value 2, then the server will accept a OTP from the OTP device that is from device counter 3 to 102.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "totpTimeStepsInWindow" : {
          "title" : "TOTP Time Steps",
          "description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 1 time steps and a time step interval of 30 seconds the server will allow a code between the previous code, the current code and the next code.",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "truncationOffset" : {
          "title" : "Truncation Offset",
          "description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left default unless you know your device uses a offset.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "oathAlgorithm" : {
          "title" : "OATH Algorithm to Use",
          "description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "addChecksumToOtpEnabled" : {
          "title" : "Add Checksum Digit",
          "description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "frOathOtpMaxRetry" : {
          "title" : "One Time Password Max Retry",
          "description" : "The number of times entry of the OTP may be attempted. Minimum is 1 maximum is 10 and default is 3.",
          "propertyOrder" : null,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "minimumSecretKeyLength" : {
          "title" : "Minimum Secret Key Length",
          "description" : "Number of hexadecimal characters allowed for the Secret Key.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "oathIssuerName" : {
          "title" : "Name of the Issuer",
          "description" : "Name to identify the OTP issuer.",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "string",
          "exampleValue" : "ForgeRock"
        },
        "totpMaximumClockDrift" : {
          "title" : "Maximum Allowed Clock Drift",
          "description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds the server will allow codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "passwordLength" : {
          "title" : "One Time Password Length ",
          "description" : "The length of the generated OTP in digits, must be at least 6 and compatible with the hardware/software OTP generators you expect your end-users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "totpTimeStepInterval" : {
          "title" : "TOTP Time Step Interval",
          "description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.24. AuthenticatorPush

1.24.1. Realm Operations

Resource path: /realm-config/services/authenticatorPushService

Resource version: 1.0

1.24.1.1. create

Usage:

am> create AuthenticatorPush --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticatorPushDeviceSettingsEncryptionKeystore" : {
      "title" : "Encryption Key Store",
      "description" : "Path to the key store from which to load encryption keys.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
      "title" : "Private Key Password",
      "description" : "Password to unlock the private key.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystoreType" : {
      "title" : "Key Store Type",
      "description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionScheme" : {
      "title" : "Device Profile Encryption Scheme",
      "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
      "title" : "Key-Pair Alias",
      "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystorePassword" : {
      "title" : "Key Store Password",
      "description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "pushAttrName" : {
      "title" : "Profile Storage Attribute",
      "description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.24.1.2. delete

Usage:

am> delete AuthenticatorPush --realm Realm

1.24.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorPush --realm Realm --actionName getAllTypes

1.24.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorPush --realm Realm --actionName getCreatableTypes

1.24.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorPush --realm Realm --actionName nextdescendents

1.24.1.6. read

Usage:

am> read AuthenticatorPush --realm Realm

1.24.1.7. update

Usage:

am> update AuthenticatorPush --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticatorPushDeviceSettingsEncryptionKeystore" : {
      "title" : "Encryption Key Store",
      "description" : "Path to the key store from which to load encryption keys.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
      "title" : "Private Key Password",
      "description" : "Password to unlock the private key.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystoreType" : {
      "title" : "Key Store Type",
      "description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionScheme" : {
      "title" : "Device Profile Encryption Scheme",
      "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
      "title" : "Key-Pair Alias",
      "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystorePassword" : {
      "title" : "Key Store Password",
      "description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "pushAttrName" : {
      "title" : "Profile Storage Attribute",
      "description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.24.2. Global Operations

Resource path: /global-config/services/authenticatorPushService

Resource version: 1.0

1.24.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorPush --global --actionName getAllTypes

1.24.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorPush --global --actionName getCreatableTypes

1.24.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorPush --global --actionName nextdescendents

1.24.2.4. read

Usage:

am> read AuthenticatorPush --global

1.24.2.5. update

Usage:

am> update AuthenticatorPush --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "pushAttrName" : {
          "title" : "Profile Storage Attribute",
          "description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorPushDeviceSettingsEncryptionScheme" : {
          "title" : "Device Profile Encryption Scheme",
          "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorPushDeviceSettingsEncryptionKeystoreType" : {
          "title" : "Key Store Type",
          "description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorPushDeviceSettingsEncryptionKeystore" : {
          "title" : "Encryption Key Store",
          "description" : "Path to the key store from which to load encryption keys.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
          "title" : "Key-Pair Alias",
          "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
          "title" : "Private Key Password",
          "description" : "Password to unlock the private key.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "authenticatorPushDeviceSettingsEncryptionKeystorePassword" : {
          "title" : "Key Store Password",
          "description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.25. AuthenticatorPushModule

1.25.1. Realm Operations

Resource path: /realm-config/authentication/modules/authPush

Resource version: 1.0

1.25.1.1. create

Usage:

am> create AuthenticatorPushModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "pushMessage" : {
      "title" : "Login Message",
      "description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "timeoutInMilliSecconds" : {
      "title" : "Return Message Timeout (ms)",
      "description" : "The period of time (in milliseconds) within which a push notification should be replied to.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.25.1.2. delete

Usage:

am> delete AuthenticatorPushModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.25.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorPushModule --realm Realm --actionName getAllTypes

1.25.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorPushModule --realm Realm --actionName getCreatableTypes

1.25.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorPushModule --realm Realm --actionName nextdescendents

1.25.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query AuthenticatorPushModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.25.1.7. read

Usage:

am> read AuthenticatorPushModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.25.1.8. update

Usage:

am> update AuthenticatorPushModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "pushMessage" : {
      "title" : "Login Message",
      "description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "timeoutInMilliSecconds" : {
      "title" : "Return Message Timeout (ms)",
      "description" : "The period of time (in milliseconds) within which a push notification should be replied to.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.25.2. Global Operations

Resource path: /global-config/authentication/modules/authPush

Resource version: 1.0

1.25.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorPushModule --global --actionName getAllTypes

1.25.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorPushModule --global --actionName getCreatableTypes

1.25.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorPushModule --global --actionName nextdescendents

1.25.2.4. read

Usage:

am> read AuthenticatorPushModule --global

1.25.2.5. update

Usage:

am> update AuthenticatorPushModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "pushMessage" : {
          "title" : "Login Message",
          "description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "timeoutInMilliSecconds" : {
          "title" : "Return Message Timeout (ms)",
          "description" : "The period of time (in milliseconds) within which a push notification should be replied to.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.26. AuthenticatorPushRegistrationModule

1.26.1. Realm Operations

Resource path: /realm-config/authentication/modules/authPushReg

Resource version: 1.0

1.26.1.1. create

Usage:

am> create AuthenticatorPushRegistrationModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "imgUrl" : {
      "title" : "Image URL",
      "description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : "http://example.com/image.png"
    },
    "bgcolour" : {
      "title" : "Background Colour",
      "description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "appleLink" : {
      "title" : "App Store App URL",
      "description" : "URL of the app to download on the App Store.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "timeoutInMilliSecconds" : {
      "title" : "Registration Response Timeout (ms)",
      "description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "googleLink" : {
      "title" : "Google Play URL",
      "description" : "URL of the app to download on Google Play.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "issuer" : {
      "title" : "Issuer Name",
      "description" : "The Name of the service as it will appear on the registered device.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.26.1.2. delete

Usage:

am> delete AuthenticatorPushRegistrationModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.26.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorPushRegistrationModule --realm Realm --actionName getAllTypes

1.26.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorPushRegistrationModule --realm Realm --actionName getCreatableTypes

1.26.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorPushRegistrationModule --realm Realm --actionName nextdescendents

1.26.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query AuthenticatorPushRegistrationModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.26.1.7. read

Usage:

am> read AuthenticatorPushRegistrationModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.26.1.8. update

Usage:

am> update AuthenticatorPushRegistrationModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "imgUrl" : {
      "title" : "Image URL",
      "description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : "http://example.com/image.png"
    },
    "bgcolour" : {
      "title" : "Background Colour",
      "description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "appleLink" : {
      "title" : "App Store App URL",
      "description" : "URL of the app to download on the App Store.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "timeoutInMilliSecconds" : {
      "title" : "Registration Response Timeout (ms)",
      "description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "googleLink" : {
      "title" : "Google Play URL",
      "description" : "URL of the app to download on Google Play.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "issuer" : {
      "title" : "Issuer Name",
      "description" : "The Name of the service as it will appear on the registered device.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.26.2. Global Operations

Resource path: /global-config/authentication/modules/authPushReg

Resource version: 1.0

1.26.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorPushRegistrationModule --global --actionName getAllTypes

1.26.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorPushRegistrationModule --global --actionName getCreatableTypes

1.26.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorPushRegistrationModule --global --actionName nextdescendents

1.26.2.4. read

Usage:

am> read AuthenticatorPushRegistrationModule --global

1.26.2.5. update

Usage:

am> update AuthenticatorPushRegistrationModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "googleLink" : {
          "title" : "Google Play URL",
          "description" : "URL of the app to download on Google Play.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "bgcolour" : {
          "title" : "Background Colour",
          "description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "issuer" : {
          "title" : "Issuer Name",
          "description" : "The Name of the service as it will appear on the registered device.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "imgUrl" : {
          "title" : "Image URL",
          "description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "exampleValue" : "http://example.com/image.png"
        },
        "timeoutInMilliSecconds" : {
          "title" : "Registration Response Timeout (ms)",
          "description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "appleLink" : {
          "title" : "App Store App URL",
          "description" : "URL of the app to download on the App Store.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.27. BaseUrlSource

1.27.1. Realm Operations

Resource path: /realm-config/services/baseurl

Resource version: 1.0

1.27.1.1. create

Usage:

am> create BaseUrlSource --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "fixedValue" : {
      "title" : "Fixed value base URL",
      "description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "contextPath" : {
      "title" : "Context path",
      "description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "source" : {
      "title" : "Base URL Source",
      "description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "extensionClassName" : {
      "title" : "Extension class name",
      "description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.27.1.2. delete

Usage:

am> delete BaseUrlSource --realm Realm

1.27.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action BaseUrlSource --realm Realm --actionName getAllTypes

1.27.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action BaseUrlSource --realm Realm --actionName getCreatableTypes

1.27.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action BaseUrlSource --realm Realm --actionName nextdescendents

1.27.1.6. read

Usage:

am> read BaseUrlSource --realm Realm

1.27.1.7. update

Usage:

am> update BaseUrlSource --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "fixedValue" : {
      "title" : "Fixed value base URL",
      "description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "contextPath" : {
      "title" : "Context path",
      "description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "source" : {
      "title" : "Base URL Source",
      "description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "extensionClassName" : {
      "title" : "Extension class name",
      "description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.27.2. Global Operations

Resource path: /global-config/services/baseurl

Resource version: 1.0

1.27.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action BaseUrlSource --global --actionName getAllTypes

1.27.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action BaseUrlSource --global --actionName getCreatableTypes

1.27.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action BaseUrlSource --global --actionName nextdescendents

1.27.2.4. read

Usage:

am> read BaseUrlSource --global

1.27.2.5. update

Usage:

am> update BaseUrlSource --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "source" : {
          "title" : "Base URL Source",
          "description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "contextPath" : {
          "title" : "Context path",
          "description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "fixedValue" : {
          "title" : "Fixed value base URL",
          "description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "extensionClassName" : {
          "title" : "Extension class name",
          "description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.28. CertificateModule

1.28.1. Realm Operations

Resource path: /realm-config/authentication/modules/certificate

Resource version: 1.0

1.28.1.1. create

Usage:

am> create CertificateModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "matchCertificateInLdap" : {
      "title" : "Match Certificate in LDAP",
      "description" : "The client certificate must exist in the directory for the authentication to be successful.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ldapSearchStartDN" : {
      "title" : "LDAP Search Start or Base DN",
      "description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "trustedRemoteHosts" : {
      "title" : "Trusted Remote Hosts",
      "description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module,<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "otherCertificateAttributeToProfileMapping" : {
      "title" : "Other Certificate Field Used to Access User Profile",
      "description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "certificateAttributeToProfileMapping" : {
      "title" : "Certificate Field Used to Access User Profile",
      "description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate.  ",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "matchCertificateToCRL" : {
      "title" : "Match Certificate to CRL",
      "description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "ldapCertificateAttribute" : {
      "title" : "Subject DN Attribute Used to Search LDAP for Certificates",
      "description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userBindPassword" : {
      "title" : "LDAP Server Authentication Password",
      "description" : "The password for the authentication user",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "iplanet-am-auth-cert-gw-cert-preferred" : {
      "title" : "Use only Certificate from HTTP request header",
      "description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "clientCertificateHttpHeaderName" : {
      "title" : "HTTP Header Name for Client Certificate",
      "description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.",
      "propertyOrder" : 1900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "crlMatchingCertificateAttribute" : {
      "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
      "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap searchfilter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', searchfilter used will be <code>(CN=Some CA)</code><br/><br/>If serveral attribute names are specified, they have to separated by <code>,</code>. The resulting ldap searchfilter value will be a comma separated list of name attribute values, the search attribute will be <code>cn</code><br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN,serialNumber', searchfilter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the values of the attribute names matter as they must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "LDAP Server Authentication User",
      "description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "updateCRLsFromDistributionPoint" : {
      "title" : "Update CA CRLs from CRLDistributionPoint",
      "description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if neeed (i.e. CRL is out-of-date). <br/>This property controls if the update should be performed.<br/>This property is only used if CA CRL checking is enabled.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "crlHttpParameters" : {
      "title" : "HTTP Parameters for CRL Update",
      "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "ocspValidationEnabled" : {
      "title" : "OCSP Validation",
      "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "certificateAttributeProfileMappingExtension" : {
      "title" : "SubjectAltNameExt Value Type to Access User Profile",
      "description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "certificateLdapServers" : {
      "title" : "LDAP Server Where Certificates are Stored",
      "description" : "Use this list to set the LDAP server used to search for certificates. <br><br>The Certificate authentication module will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1000,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sslEnabled" : {
      "title" : "Use SSL/TLS for LDAP Access",
      "description" : "The certificate module will use SSL/TLS to access the LDAP server",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "cacheCRLsInMemory" : {
      "title" : "Cache CRLs in memory",
      "description" : "The CRLs will be cached in memory",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "matchCACertificateToCRL" : {
      "title" : "Match CA Certificate to CRL",
      "description" : "The CA certificate that issued the client certificate will also be checked against the CRL.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}

1.28.1.2. delete

Usage:

am> delete CertificateModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.28.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action CertificateModule --realm Realm --actionName getAllTypes

1.28.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action CertificateModule --realm Realm --actionName getCreatableTypes

1.28.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action CertificateModule --realm Realm --actionName nextdescendents

1.28.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query CertificateModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.28.1.7. read

Usage:

am> read CertificateModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.28.1.8. update

Usage:

am> update CertificateModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "matchCertificateInLdap" : {
      "title" : "Match Certificate in LDAP",
      "description" : "The client certificate must exist in the directory for the authentication to be successful.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ldapSearchStartDN" : {
      "title" : "LDAP Search Start or Base DN",
      "description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "trustedRemoteHosts" : {
      "title" : "Trusted Remote Hosts",
      "description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module,<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "otherCertificateAttributeToProfileMapping" : {
      "title" : "Other Certificate Field Used to Access User Profile",
      "description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "certificateAttributeToProfileMapping" : {
      "title" : "Certificate Field Used to Access User Profile",
      "description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate.  ",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "matchCertificateToCRL" : {
      "title" : "Match Certificate to CRL",
      "description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "ldapCertificateAttribute" : {
      "title" : "Subject DN Attribute Used to Search LDAP for Certificates",
      "description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userBindPassword" : {
      "title" : "LDAP Server Authentication Password",
      "description" : "The password for the authentication user",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "iplanet-am-auth-cert-gw-cert-preferred" : {
      "title" : "Use only Certificate from HTTP request header",
      "description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "clientCertificateHttpHeaderName" : {
      "title" : "HTTP Header Name for Client Certificate",
      "description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.",
      "propertyOrder" : 1900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "crlMatchingCertificateAttribute" : {
      "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
      "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap searchfilter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', searchfilter used will be <code>(CN=Some CA)</code><br/><br/>If serveral attribute names are specified, they have to separated by <code>,</code>. The resulting ldap searchfilter value will be a comma separated list of name attribute values, the search attribute will be <code>cn</code><br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN,serialNumber', searchfilter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the values of the attribute names matter as they must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "LDAP Server Authentication User",
      "description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "updateCRLsFromDistributionPoint" : {
      "title" : "Update CA CRLs from CRLDistributionPoint",
      "description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if neeed (i.e. CRL is out-of-date). <br/>This property controls if the update should be performed.<br/>This property is only used if CA CRL checking is enabled.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "crlHttpParameters" : {
      "title" : "HTTP Parameters for CRL Update",
      "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "ocspValidationEnabled" : {
      "title" : "OCSP Validation",
      "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "certificateAttributeProfileMappingExtension" : {
      "title" : "SubjectAltNameExt Value Type to Access User Profile",
      "description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "certificateLdapServers" : {
      "title" : "LDAP Server Where Certificates are Stored",
      "description" : "Use this list to set the LDAP server used to search for certificates. <br><br>The Certificate authentication module will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1000,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sslEnabled" : {
      "title" : "Use SSL/TLS for LDAP Access",
      "description" : "The certificate module will use SSL/TLS to access the LDAP server",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "cacheCRLsInMemory" : {
      "title" : "Cache CRLs in memory",
      "description" : "The CRLs will be cached in memory",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "matchCACertificateToCRL" : {
      "title" : "Match CA Certificate to CRL",
      "description" : "The CA certificate that issued the client certificate will also be checked against the CRL.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}

1.28.2. Global Operations

Resource path: /global-config/authentication/modules/certificate

Resource version: 1.0

1.28.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action CertificateModule --global --actionName getAllTypes

1.28.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action CertificateModule --global --actionName getCreatableTypes

1.28.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action CertificateModule --global --actionName nextdescendents

1.28.2.4. read

Usage:

am> read CertificateModule --global

1.28.2.5. update

Usage:

am> update CertificateModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "crlHttpParameters" : {
          "title" : "HTTP Parameters for CRL Update",
          "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "certificateAttributeProfileMappingExtension" : {
          "title" : "SubjectAltNameExt Value Type to Access User Profile",
          "description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "ldapCertificateAttribute" : {
          "title" : "Subject DN Attribute Used to Search LDAP for Certificates",
          "description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "trustedRemoteHosts" : {
          "title" : "Trusted Remote Hosts",
          "description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module,<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality",
          "propertyOrder" : 1800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "crlMatchingCertificateAttribute" : {
          "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
          "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap searchfilter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', searchfilter used will be <code>(CN=Some CA)</code><br/><br/>If serveral attribute names are specified, they have to separated by <code>,</code>. The resulting ldap searchfilter value will be a comma separated list of name attribute values, the search attribute will be <code>cn</code><br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN,serialNumber', searchfilter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the values of the attribute names matter as they must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "certificateLdapServers" : {
          "title" : "LDAP Server Where Certificates are Stored",
          "description" : "Use this list to set the LDAP server used to search for certificates. <br><br>The Certificate authentication module will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 1000,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "userBindDN" : {
          "title" : "LDAP Server Authentication User",
          "description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "matchCertificateInLdap" : {
          "title" : "Match Certificate in LDAP",
          "description" : "The client certificate must exist in the directory for the authentication to be successful.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "matchCertificateToCRL" : {
          "title" : "Match Certificate to CRL",
          "description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "iplanet-am-auth-cert-gw-cert-preferred" : {
          "title" : "Use only Certificate from HTTP request header",
          "description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute",
          "propertyOrder" : 2000,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "sslEnabled" : {
          "title" : "Use SSL/TLS for LDAP Access",
          "description" : "The certificate module will use SSL/TLS to access the LDAP server",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "cacheCRLsInMemory" : {
          "title" : "Cache CRLs in memory",
          "description" : "The CRLs will be cached in memory",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "ocspValidationEnabled" : {
          "title" : "OCSP Validation",
          "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "otherCertificateAttributeToProfileMapping" : {
          "title" : "Other Certificate Field Used to Access User Profile",
          "description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "clientCertificateHttpHeaderName" : {
          "title" : "HTTP Header Name for Client Certificate",
          "description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.",
          "propertyOrder" : 1900,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userBindPassword" : {
          "title" : "LDAP Server Authentication Password",
          "description" : "The password for the authentication user",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "updateCRLsFromDistributionPoint" : {
          "title" : "Update CA CRLs from CRLDistributionPoint",
          "description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if neeed (i.e. CRL is out-of-date). <br/>This property controls if the update should be performed.<br/>This property is only used if CA CRL checking is enabled.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "certificateAttributeToProfileMapping" : {
          "title" : "Certificate Field Used to Access User Profile",
          "description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate.  ",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "ldapSearchStartDN" : {
          "title" : "LDAP Search Start or Base DN",
          "description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 1100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "matchCACertificateToCRL" : {
          "title" : "Match CA Certificate to CRL",
          "description" : "The CA certificate that issued the client certificate will also be checked against the CRL.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.29. ChoiceCollector

1.29.1. Realm Operations

Resource path: /realm-config/authentication/authenticationtrees/nodes/ChoiceCollectorNode

Resource version: 1.0

1.29.1.1. create

Usage:

am> create ChoiceCollector --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "choices" : {
      "title" : "Choices",
      "description" : "List of values that represents the choices for the user",
      "propertyOrder" : 100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "defaultChoice" : {
      "title" : "Default choice",
      "description" : "The default selected choice value",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "prompt" : {
      "title" : "Prompt",
      "description" : "Prompt displayed on the choice page",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.29.1.2. delete

Usage:

am> delete ChoiceCollector --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.29.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action ChoiceCollector --realm Realm --actionName getAllTypes

1.29.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action ChoiceCollector --realm Realm --actionName getCreatableTypes

1.29.1.5. listOutcomes

List the available outcomes for the node type.

Usage:

am> action ChoiceCollector --realm Realm --body body --actionName listOutcomes

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}

1.29.1.6. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action ChoiceCollector --realm Realm --actionName nextdescendents

1.29.1.7. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query ChoiceCollector --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.29.1.8. read

Usage:

am> read ChoiceCollector --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.29.1.9. update

Usage:

am> update ChoiceCollector --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "choices" : {
      "title" : "Choices",
      "description" : "List of values that represents the choices for the user",
      "propertyOrder" : 100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "defaultChoice" : {
      "title" : "Default choice",
      "description" : "The default selected choice value",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "prompt" : {
      "title" : "Prompt",
      "description" : "Prompt displayed on the choice page",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.29.2. Global Operations

Resource path: /global-config/authentication/authenticationtrees/nodes/ChoiceCollectorNode

Resource version: 1.0

1.29.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action ChoiceCollector --global --actionName getAllTypes

1.29.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action ChoiceCollector --global --actionName getCreatableTypes

1.29.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action ChoiceCollector --global --actionName nextdescendents

1.29.2.4. read

Usage:

am> read ChoiceCollector --global

1.29.2.5. update

Usage:

am> update ChoiceCollector --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object"
}

1.30. CircleOfTrust

1.30.1. Realm Operations

Resource path: /realm-config/federation/circlesoftrust

Resource version: 1.0

1.30.1.1. create

Usage:

am> create CircleOfTrust --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "description" : {
      "title" : "Description of the Circle of Trust ",
      "description" : "",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "idffWriterServiceUrl" : {
      "title" : "a213",
      "description" : "",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "saml2WriterServiceUrl" : {
      "title" : "a211",
      "description" : "",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "trustedProviders" : {
      "title" : "Trusted Providers",
      "description" : "",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "status" : {
      "title" : "Status of the Circle of Trust",
      "description" : "",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "idffReaderServiceUrl" : {
      "title" : "a214",
      "description" : "",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "saml2ReaderServiceUrl" : {
      "title" : "a212",
      "description" : "",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.30.1.2. delete

Usage:

am> delete CircleOfTrust --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.30.1.3. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query CircleOfTrust --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.30.1.4. read

Usage:

am> read CircleOfTrust --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.30.1.5. update

Usage:

am> update CircleOfTrust --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "description" : {
      "title" : "Description of the Circle of Trust ",
      "description" : "",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "idffWriterServiceUrl" : {
      "title" : "a213",
      "description" : "",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "saml2WriterServiceUrl" : {
      "title" : "a211",
      "description" : "",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "trustedProviders" : {
      "title" : "Trusted Providers",
      "description" : "",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "status" : {
      "title" : "Status of the Circle of Trust",
      "description" : "",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "idffReaderServiceUrl" : {
      "title" : "a214",
      "description" : "",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "saml2ReaderServiceUrl" : {
      "title" : "a212",
      "description" : "",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.31. CommonFederationConfiguration

1.31.1. Global Operations

Resource path: /global-config/services/federation/common

Resource version: 1.0

1.31.1.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action CommonFederationConfiguration --global --actionName getAllTypes

1.31.1.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action CommonFederationConfiguration --global --actionName getCreatableTypes

1.31.1.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action CommonFederationConfiguration --global --actionName nextdescendents

1.31.1.4. read

Usage:

am> read CommonFederationConfiguration --global

1.31.1.5. update

Usage:

am> update CommonFederationConfiguration --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "algorithms" : {
      "type" : "object",
      "title" : "Algorithms",
      "propertyOrder" : 2,
      "properties" : {
        "QuerySignatureAlgorithmEC" : {
          "title" : "Query String signature algorithm (EC)",
          "description" : "The default signature algorithm to use in case of EC keys.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "signatureAlgorithm" : {
          "title" : "XML signature algorithm",
          "description" : "The algorithm used to sign XML documents.",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "canonicalizationAlgorithm" : {
          "title" : "XML canonicalization algorithm",
          "description" : "The algorithm used to canonicalize XML documents.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "QuerySignatureAlgorithmRSA" : {
          "title" : "Query String signature algorithm (RSA)",
          "description" : "The default signature algorithm to use in case of RSA keys.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "QuerySignatureAlgorithmDSA" : {
          "title" : "Query String signature algorithm (DSA)",
          "description" : "The default signature algorithm to use in case of DSA keys.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "transformationAlgorithm" : {
          "title" : "XML transformation algorithm",
          "description" : "The algorithm used to transform XML documents.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "DigestAlgorithm" : {
          "title" : "XML digest algorithm",
          "description" : "The default digest algorithm to use in signing XML.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "montoring" : {
      "type" : "object",
      "title" : "Monitoring",
      "propertyOrder" : 3,
      "properties" : {
        "monitoringSaml2Class" : {
          "title" : "Monitoring Provider Class for SAML2",
          "description" : "The SAML2 engine uses this class to gain access to the monitoring system.<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonSAML2Svc</code> interface.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "monitoringSaml1Class" : {
          "title" : "Monitoring Provider Class for SAML1",
          "description" : "The SAMLv1 engine uses this class to gain access to the monitoring system<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonSAML1Svc</code> interface.",
          "propertyOrder" : 2000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "monitoringIdffClass" : {
          "title" : "Monitoring Provider Class for ID-FF",
          "description" : "The ID-FF engine uses this class to gain access to the monitoring system.<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonIDFFSvc</code> interface.",
          "propertyOrder" : 2200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "monitoringAgentClass" : {
          "title" : "Monitoring Agent Provider Class",
          "description" : "The Federation system uses this class to gain access to the monitoring system.<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonAgent</code> interface.",
          "propertyOrder" : 1900,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "implementationClasses" : {
      "type" : "object",
      "title" : "Implementation Classes",
      "propertyOrder" : 1,
      "properties" : {
        "datastoreClass" : {
          "title" : "Datastore SPI implementation class",
          "description" : "The Federation system uses this class to get/set user profile attributes.<br><br>The default implementation uses the Identity repository APIs to access user profile attributes. A custom implementation must implement the <code>com.sun.identity.plugin.datastore.DataStoreProvider</code> interface. ",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "loggerClass" : {
          "title" : "Logger SPI implementation class",
          "description" : "The Federation system uses this class to record log entries.<br><br>The default implementation uses the Logging APIs to record log entries. A custom implementation must implement the <code>com.sun.identity.plugin.log.Logger</code> interface.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "passwordDecoderClass" : {
          "title" : "PasswordDecoder SPI implementation class",
          "description" : "The Federation system uses this class to decode password encoded by OpenAM.<br><br>The default implementation uses the internal OpenAM decryption API to decode passwords. A custom implementation must implement the <code>com.sun.identity.saml.xmlsig.PasswordDecoder</code> interface.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "configurationClass" : {
          "title" : "ConfigurationInstance SPI implementation class",
          "description" : "The Federation system uses this class to fetch service configuration.<br><br>The default implementation uses the SMS APIs to access service configuration. A custom implementation must implement the <code>com.sun.identity.plugin.configuration.ConfigurationInstance</code> interface.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "keyProviderClass" : {
          "title" : "KeyProvider SPI implementation class",
          "description" : "The Federation system uses this class to provide access to the underlying Java keystore.<br><br>The default implementation uses the Java Cryptographic Engine to provide access to the Java keystore. A custom implementation must implement the <code>com.sun.identity.saml.xmlsig.KeyProvider</code> interface.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "signatureProviderClass" : {
          "title" : "SignatureProvider SPI implementation class",
          "description" : "The Federation system uses this class to digitally sign SAML documents.<br><br>The default implementation uses the XERCES APIs to sign the documents. A custom implementation must implement the <code>com.sun.identity.saml.xmlsig.SignatureProvider</code> interface.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "sessionProviderClass" : {
          "title" : "SessionProvider SPI implementation class",
          "description" : "The Federation system uses this class to interface with the session service.<br><br>The default implementation uses the standard authentication and SSO APIs to access the session service. A custom implementation must implement the <code>com.sun.identity.plugin.session.SessionProvider</code> interface.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "generalConfig" : {
      "type" : "object",
      "title" : "General Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "certificateChecking" : {
          "title" : "Check presence of certificates",
          "description" : "Enable checking of certificates against local copy<br><br>Whether to verify that the partner's signing certificate included in the Federation XML document is the same as the one stored in the said partner's meta data.",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "maxContentLength" : {
          "title" : "Maximum allowed content length",
          "description" : "The maximum content length allowed in federation communications, in bytes.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "samlErrorPageUrl" : {
          "title" : "SAML Error Page URL",
          "description" : "OpenAM redirects users here when an error occurs in the SAML2 engine.<br><br>Both relative and absolute URLs are supported. Users are redirected to an absolute URL using the configured HTTP Binding whereas relative URLs are displayed within the request.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "samlErrorPageHttpBinding" : {
          "title" : "SAML Error Page HTTP Binding",
          "description" : "The possible values are HTTP-Redirect or HTTP-POST.",
          "propertyOrder" : 1800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

1.32. ConditionTypes

1.32.1. Realm Operations

Service for querying and reading the environment condition types stored in OpenAM. Environment condition types describe the JSON representation of environment conditions that you can use in policy definitions

Resource path: /conditiontypes

Resource version: 1.0

1.32.1.1. query

Query the list of environment condition types

Usage:

am> query ConditionTypes --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all. Fields that can be queried: [*]

1.32.1.2. read

Read an individual environment condition type by providing the unique identifier title

Usage:

am> read ConditionTypes --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.33. Csv

1.33.1. Realm Operations

Resource path: /realm-config/services/audit/CSV

Resource version: 1.0

1.33.1.1. create

Usage:

am> create Csv --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "csvBuffering" : {
      "type" : "object",
      "title" : "Buffering",
      "propertyOrder" : 5,
      "properties" : {
        "bufferingEnabled" : {
          "title" : "Buffering Enabled",
          "description" : "Enables or disables buffering.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "bufferingAutoFlush" : {
          "title" : "Flush Each Event Immediately",
          "description" : "Performance may be improved by writing all buffered events before flushing.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvFileRotation" : {
      "type" : "object",
      "title" : "File Rotation",
      "propertyOrder" : 3,
      "properties" : {
        "rotationFilePrefix" : {
          "title" : "File Rotation Prefix",
          "description" : "Prefix to prepend to audit files when rotating audit files.",
          "propertyOrder" : 800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationEnabled" : {
          "title" : "Rotation Enabled",
          "description" : "Enables and disables audit file rotation.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "rotationInterval" : {
          "title" : "Rotation Interval",
          "description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationMaxFileSize" : {
          "title" : "Maximum File Size",
          "description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationTimes" : {
          "title" : "Rotation Times",
          "description" : "Durations after midnight to trigger file rotation, in seconds.",
          "propertyOrder" : 1100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "rotationFileSuffix" : {
          "title" : "File Rotation Suffix",
          "description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
          "propertyOrder" : 900,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvFileRetention" : {
      "type" : "object",
      "title" : "File Retention",
      "propertyOrder" : 4,
      "properties" : {
        "retentionMinFreeSpaceRequired" : {
          "title" : "Minimum Free Space Required",
          "description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMaxDiskSpaceToUse" : {
          "title" : "Maximum Disk Space",
          "description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMaxNumberOfHistoryFiles" : {
          "title" : "Maximum Number of Historical Files",
          "description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "commonHandlerPlugin" : {
      "type" : "object",
      "title" : "Audit Event Handler Factory",
      "propertyOrder" : 1,
      "properties" : {
        "handlerFactory" : {
          "title" : "Factory Class Name",
          "description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "commonHandler" : {
      "type" : "object",
      "title" : "General Handler Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "enabled" : {
          "title" : "Enabled",
          "description" : "Enables or disables an audit event handler.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "topics" : {
          "title" : "Topics",
          "description" : "List of topics handled by an audit event handler.",
          "propertyOrder" : 400,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "csvSecurity" : {
      "type" : "object",
      "title" : "Tamper Evident Configuration",
      "propertyOrder" : 6,
      "properties" : {
        "securityFilename" : {
          "title" : "Certificate Store Location",
          "description" : "Path to Java keystore.",
          "propertyOrder" : 1800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityEnabled" : {
          "title" : "Is Enabled",
          "description" : "Enables the CSV tamper evident feature.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "securitySignatureInterval" : {
          "title" : "Signature Interval",
          "description" : "Signature generation interval, in seconds.",
          "propertyOrder" : 2000,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityPassword" : {
          "title" : "Certificate Store Password",
          "description" : "Password for Java keystore.",
          "propertyOrder" : 1900,
          "required" : false,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        }
      }
    },
    "csvConfig" : {
      "type" : "object",
      "title" : "CSV Configuration",
      "propertyOrder" : 2,
      "properties" : {
        "location" : {
          "title" : "Log Directory",
          "description" : "Directory in which to store audit log CSV files.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

1.33.1.2. delete

Usage:

am> delete Csv --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.33.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Csv --realm Realm --actionName getAllTypes

1.33.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Csv --realm Realm --actionName getCreatableTypes

1.33.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Csv --realm Realm --actionName nextdescendents

1.33.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query Csv --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.33.1.7. read

Usage:

am> read Csv --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.33.1.8. update

Usage:

am> update Csv --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "csvBuffering" : {
      "type" : "object",
      "title" : "Buffering",
      "propertyOrder" : 5,
      "properties" : {
        "bufferingEnabled" : {
          "title" : "Buffering Enabled",
          "description" : "Enables or disables buffering.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "bufferingAutoFlush" : {
          "title" : "Flush Each Event Immediately",
          "description" : "Performance may be improved by writing all buffered events before flushing.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvFileRotation" : {
      "type" : "object",
      "title" : "File Rotation",
      "propertyOrder" : 3,
      "properties" : {
        "rotationFilePrefix" : {
          "title" : "File Rotation Prefix",
          "description" : "Prefix to prepend to audit files when rotating audit files.",
          "propertyOrder" : 800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationEnabled" : {
          "title" : "Rotation Enabled",
          "description" : "Enables and disables audit file rotation.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "rotationInterval" : {
          "title" : "Rotation Interval",
          "description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationMaxFileSize" : {
          "title" : "Maximum File Size",
          "description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationTimes" : {
          "title" : "Rotation Times",
          "description" : "Durations after midnight to trigger file rotation, in seconds.",
          "propertyOrder" : 1100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "rotationFileSuffix" : {
          "title" : "File Rotation Suffix",
          "description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
          "propertyOrder" : 900,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvFileRetention" : {
      "type" : "object",
      "title" : "File Retention",
      "propertyOrder" : 4,
      "properties" : {
        "retentionMinFreeSpaceRequired" : {
          "title" : "Minimum Free Space Required",
          "description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMaxDiskSpaceToUse" : {
          "title" : "Maximum Disk Space",
          "description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMaxNumberOfHistoryFiles" : {
          "title" : "Maximum Number of Historical Files",
          "description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "commonHandlerPlugin" : {
      "type" : "object",
      "title" : "Audit Event Handler Factory",
      "propertyOrder" : 1,
      "properties" : {
        "handlerFactory" : {
          "title" : "Factory Class Name",
          "description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "commonHandler" : {
      "type" : "object",
      "title" : "General Handler Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "enabled" : {
          "title" : "Enabled",
          "description" : "Enables or disables an audit event handler.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "topics" : {
          "title" : "Topics",
          "description" : "List of topics handled by an audit event handler.",
          "propertyOrder" : 400,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "csvSecurity" : {
      "type" : "object",
      "title" : "Tamper Evident Configuration",
      "propertyOrder" : 6,
      "properties" : {
        "securityFilename" : {
          "title" : "Certificate Store Location",
          "description" : "Path to Java keystore.",
          "propertyOrder" : 1800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityEnabled" : {
          "title" : "Is Enabled",
          "description" : "Enables the CSV tamper evident feature.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "securitySignatureInterval" : {
          "title" : "Signature Interval",
          "description" : "Signature generation interval, in seconds.",
          "propertyOrder" : 2000,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityPassword" : {
          "title" : "Certificate Store Password",
          "description" : "Password for Java keystore.",
          "propertyOrder" : 1900,
          "required" : false,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        }
      }
    },
    "csvConfig" : {
      "type" : "object",
      "title" : "CSV Configuration",
      "propertyOrder" : 2,
      "properties" : {
        "location" : {
          "title" : "Log Directory",
          "description" : "Directory in which to store audit log CSV files.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

1.33.2. Global Operations

Resource path: /global-config/services/audit/CSV

Resource version: 1.0

1.33.2.1. create

Usage:

am> create Csv --global --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "commonHandler" : {
      "type" : "object",
      "title" : "General Handler Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "topics" : {
          "title" : "Topics",
          "description" : "List of topics handled by an audit event handler.",
          "propertyOrder" : 400,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "enabled" : {
          "title" : "Enabled",
          "description" : "Enables or disables an audit event handler.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvSecurity" : {
      "type" : "object",
      "title" : "Tamper Evident Configuration",
      "propertyOrder" : 6,
      "properties" : {
        "securitySignatureInterval" : {
          "title" : "Signature Interval",
          "description" : "Signature generation interval, in seconds.",
          "propertyOrder" : 2000,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityFilename" : {
          "title" : "Certificate Store Location",
          "description" : "Path to Java keystore.",
          "propertyOrder" : 1800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityPassword" : {
          "title" : "Certificate Store Password",
          "description" : "Password for Java keystore.",
          "propertyOrder" : 1900,
          "required" : false,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "securityEnabled" : {
          "title" : "Is Enabled",
          "description" : "Enables the CSV tamper evident feature.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "commonHandlerPlugin" : {
      "type" : "object",
      "title" : "Audit Event Handler Factory",
      "propertyOrder" : 1,
      "properties" : {
        "handlerFactory" : {
          "title" : "Factory Class Name",
          "description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvBuffering" : {
      "type" : "object",
      "title" : "Buffering",
      "propertyOrder" : 5,
      "properties" : {
        "bufferingAutoFlush" : {
          "title" : "Flush Each Event Immediately",
          "description" : "Performance may be improved by writing all buffered events before flushing.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "bufferingEnabled" : {
          "title" : "Buffering Enabled",
          "description" : "Enables or disables buffering.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvFileRotation" : {
      "type" : "object",
      "title" : "File Rotation",
      "propertyOrder" : 3,
      "properties" : {
        "rotationFilePrefix" : {
          "title" : "File Rotation Prefix",
          "description" : "Prefix to prepend to audit files when rotating audit files.",
          "propertyOrder" : 800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationInterval" : {
          "title" : "Rotation Interval",
          "description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationFileSuffix" : {
          "title" : "File Rotation Suffix",
          "description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
          "propertyOrder" : 900,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationTimes" : {
          "title" : "Rotation Times",
          "description" : "Durations after midnight to trigger file rotation, in seconds.",
          "propertyOrder" : 1100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "rotationMaxFileSize" : {
          "title" : "Maximum File Size",
          "description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationEnabled" : {
          "title" : "Rotation Enabled",
          "description" : "Enables and disables audit file rotation.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvFileRetention" : {
      "type" : "object",
      "title" : "File Retention",
      "propertyOrder" : 4,
      "properties" : {
        "retentionMaxDiskSpaceToUse" : {
          "title" : "Maximum Disk Space",
          "description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMinFreeSpaceRequired" : {
          "title" : "Minimum Free Space Required",
          "description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMaxNumberOfHistoryFiles" : {
          "title" : "Maximum Number of Historical Files",
          "description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvConfig" : {
      "type" : "object",
      "title" : "CSV Configuration",
      "propertyOrder" : 2,
      "properties" : {
        "location" : {
          "title" : "Log Directory",
          "description" : "Directory in which to store audit log CSV files.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

1.33.2.2. delete

Usage:

am> delete Csv --global --id id

Parameters:

--id

The unique identifier for the resource.

1.33.2.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Csv --global --actionName getAllTypes

1.33.2.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Csv --global --actionName getCreatableTypes

1.33.2.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Csv --global --actionName nextdescendents

1.33.2.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query Csv --global --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.33.2.7. read

Usage:

am> read Csv --global --id id

Parameters:

--id

The unique identifier for the resource.

1.33.2.8. update

Usage:

am> update Csv --global --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "commonHandler" : {
      "type" : "object",
      "title" : "General Handler Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "topics" : {
          "title" : "Topics",
          "description" : "List of topics handled by an audit event handler.",
          "propertyOrder" : 400,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "enabled" : {
          "title" : "Enabled",
          "description" : "Enables or disables an audit event handler.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvSecurity" : {
      "type" : "object",
      "title" : "Tamper Evident Configuration",
      "propertyOrder" : 6,
      "properties" : {
        "securitySignatureInterval" : {
          "title" : "Signature Interval",
          "description" : "Signature generation interval, in seconds.",
          "propertyOrder" : 2000,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityFilename" : {
          "title" : "Certificate Store Location",
          "description" : "Path to Java keystore.",
          "propertyOrder" : 1800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityPassword" : {
          "title" : "Certificate Store Password",
          "description" : "Password for Java keystore.",
          "propertyOrder" : 1900,
          "required" : false,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "securityEnabled" : {
          "title" : "Is Enabled",
          "description" : "Enables the CSV tamper evident feature.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "commonHandlerPlugin" : {
      "type" : "object",
      "title" : "Audit Event Handler Factory",
      "propertyOrder" : 1,
      "properties" : {
        "handlerFactory" : {
          "title" : "Factory Class Name",
          "description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvBuffering" : {
      "type" : "object",
      "title" : "Buffering",
      "propertyOrder" : 5,
      "properties" : {
        "bufferingAutoFlush" : {
          "title" : "Flush Each Event Immediately",
          "description" : "Performance may be improved by writing all buffered events before flushing.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "bufferingEnabled" : {
          "title" : "Buffering Enabled",
          "description" : "Enables or disables buffering.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvFileRotation" : {
      "type" : "object",
      "title" : "File Rotation",
      "propertyOrder" : 3,
      "properties" : {
        "rotationFilePrefix" : {
          "title" : "File Rotation Prefix",
          "description" : "Prefix to prepend to audit files when rotating audit files.",
          "propertyOrder" : 800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationInterval" : {
          "title" : "Rotation Interval",
          "description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationFileSuffix" : {
          "title" : "File Rotation Suffix",
          "description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
          "propertyOrder" : 900,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationTimes" : {
          "title" : "Rotation Times",
          "description" : "Durations after midnight to trigger file rotation, in seconds.",
          "propertyOrder" : 1100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "rotationMaxFileSize" : {
          "title" : "Maximum File Size",
          "description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationEnabled" : {
          "title" : "Rotation Enabled",
          "description" : "Enables and disables audit file rotation.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvFileRetention" : {
      "type" : "object",
      "title" : "File Retention",
      "propertyOrder" : 4,
      "properties" : {
        "retentionMaxDiskSpaceToUse" : {
          "title" : "Maximum Disk Space",
          "description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMinFreeSpaceRequired" : {
          "title" : "Minimum Free Space Required",
          "description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMaxNumberOfHistoryFiles" : {
          "title" : "Maximum Number of Historical Files",
          "description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvConfig" : {
      "type" : "object",
      "title" : "CSV Configuration",
      "propertyOrder" : 2,
      "properties" : {
        "location" : {
          "title" : "Log Directory",
          "description" : "Directory in which to store audit log CSV files.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

1.34. CtsDataStoreProperties

1.34.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/{serverName}/properties/cts

Resource version: 1.0

1.34.1.1. read

Usage:

am> read CtsDataStoreProperties --global --serverName serverName

Parameters:

--serverName

An object of property key-value pairs

1.34.1.2. update

Usage:

am> update CtsDataStoreProperties --global --serverName serverName --body body

Parameters:

--serverName

An object of property key-value pairs

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.org.forgerock.services.cts.store.common.section" : {
      "title" : "CTS Token Store",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "org.forgerock.services.cts.store.location" : {
          "title" : "Store Mode",
          "type" : "object",
          "propertyOrder" : 0,
          "description" : "",
          "properties" : {
            "value" : {
              "enum" : [ "default", "external" ],
              "options" : {
                "enum_titles" : [ "Default Token Store", "External Token Store" ]
              },
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "org.forgerock.services.cts.store.root.suffix" : {
          "title" : "Root Suffix",
          "type" : "object",
          "propertyOrder" : 1,
          "description" : "",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "org.forgerock.services.cts.store.max.connections" : {
          "title" : "Max Connections",
          "type" : "object",
          "propertyOrder" : 2,
          "description" : "",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        }
      }
    },
    "amconfig.org.forgerock.services.cts.store.external.section" : {
      "title" : "External Store Configuration",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "org.forgerock.services.cts.store.ssl.enabled" : {
          "title" : "SSL/TLS Enabled",
          "type" : "object",
          "propertyOrder" : 0,
          "description" : "",
          "properties" : {
            "value" : {
              "type" : "boolean",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "org.forgerock.services.cts.store.directory.name" : {
          "title" : "Connection String(s)",
          "type" : "object",
          "propertyOrder" : 1,
          "description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>.",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "org.forgerock.services.cts.store.loginid" : {
          "title" : "Login Id",
          "type" : "object",
          "propertyOrder" : 2,
          "description" : "",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "org.forgerock.services.cts.store.password" : {
          "title" : "Password",
          "type" : "object",
          "propertyOrder" : 3,
          "description" : "",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false,
              "format" : "password"
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "org.forgerock.services.cts.store.heartbeat" : {
          "title" : "Heartbeat",
          "type" : "object",
          "propertyOrder" : 4,
          "description" : "",
          "properties" : {
            "value" : {
              "type" : "integer",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "org.forgerock.services.cts.store.affinity.enabled" : {
          "title" : "Affinity Enabled",
          "type" : "object",
          "propertyOrder" : 5,
          "description" : "Enables affinity based request load balancing when accessing the CTS servers. It is imperative that the connection string setting is set to the same value for all OpenAM servers in the deployment when this feature is enabled.",
          "properties" : {
            "value" : {
              "type" : "boolean",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        }
      }
    }
  }
}

1.35. Dashboard

1.35.1. Realm Operations

Resource path: /realm-config/services/dashboard

Resource version: 1.0

1.35.1.1. create

Usage:

am> create Dashboard --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "assignedDashboard" : {
      "title" : "Available Dashboard Apps",
      "description" : "List of application dashboard names available by default for realms with the Dashboard service configured.",
      "propertyOrder" : 700,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.35.1.2. delete

Usage:

am> delete Dashboard --realm Realm

1.35.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Dashboard --realm Realm --actionName getAllTypes

1.35.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Dashboard --realm Realm --actionName getCreatableTypes

1.35.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Dashboard --realm Realm --actionName nextdescendents

1.35.1.6. read

Usage:

am> read Dashboard --realm Realm

1.35.1.7. update

Usage:

am> update Dashboard --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "assignedDashboard" : {
      "title" : "Available Dashboard Apps",
      "description" : "List of application dashboard names available by default for realms with the Dashboard service configured.",
      "propertyOrder" : 700,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.35.2. Global Operations

Resource path: /global-config/services/dashboard

Resource version: 1.0

1.35.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Dashboard --global --actionName getAllTypes

1.35.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Dashboard --global --actionName getCreatableTypes

1.35.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Dashboard --global --actionName nextdescendents

1.35.2.4. read

Usage:

am> read Dashboard --global

1.35.2.5. update

Usage:

am> update Dashboard --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "assignedDashboard" : {
          "title" : "Available Dashboard Apps",
          "description" : "List of application dashboard names available by default for realms with the Dashboard service configured.",
          "propertyOrder" : 700,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.36. DashboardInstance

1.36.1. Global Operations

Resource path: /global-config/services/dashboard/instances

Resource version: 1.0

1.36.1.1. create

Usage:

am> create DashboardInstance --global --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "login" : {
      "title" : "Dashboard Login",
      "description" : "The URL that takes the user to the application.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "name" : {
      "title" : "Dashboard Name",
      "description" : "The application name as it will appear to the administrator for configuring the dashboard.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "icon" : {
      "title" : "Dashboard Icon",
      "description" : "The icon name that will be displayed on the dashboard client identifying the application.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "displayName" : {
      "title" : "Dashboard Display Name",
      "description" : "The application name that displays on the dashboard client.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "icfIdentifier" : {
      "title" : "ICF Identifier",
      "description" : "",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "className" : {
      "title" : "Dashboard Class Name",
      "description" : "Identifies how to access the application, for example <code>SAML2ApplicationClass</code> for a SAML v2.0 application.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.36.1.2. delete

Usage:

am> delete DashboardInstance --global --id id

Parameters:

--id

The unique identifier for the resource.

1.36.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DashboardInstance --global --actionName getAllTypes

1.36.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DashboardInstance --global --actionName getCreatableTypes

1.36.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DashboardInstance --global --actionName nextdescendents

1.36.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query DashboardInstance --global --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.36.1.7. read

Usage:

am> read DashboardInstance --global --id id

Parameters:

--id

The unique identifier for the resource.

1.36.1.8. update

Usage:

am> update DashboardInstance --global --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "login" : {
      "title" : "Dashboard Login",
      "description" : "The URL that takes the user to the application.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "name" : {
      "title" : "Dashboard Name",
      "description" : "The application name as it will appear to the administrator for configuring the dashboard.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "icon" : {
      "title" : "Dashboard Icon",
      "description" : "The icon name that will be displayed on the dashboard client identifying the application.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "displayName" : {
      "title" : "Dashboard Display Name",
      "description" : "The application name that displays on the dashboard client.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "icfIdentifier" : {
      "title" : "ICF Identifier",
      "description" : "",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "className" : {
      "title" : "Dashboard Class Name",
      "description" : "Identifies how to access the application, for example <code>SAML2ApplicationClass</code> for a SAML v2.0 application.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.37. Dashboards

1.37.1. Realm Operations

The dashboard service is responsible for returning information from the Dashboard. The only supported operation is read.

Resource path: /dashboard

Resource version: 1.0

1.37.1.1. read

Read dashboard information

Usage:

am> read Dashboards --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.38. DataStoreDecision

1.38.1. Realm Operations

Resource path: /realm-config/authentication/authenticationtrees/nodes/DataStoreDecisionNode

Resource version: 1.0

1.38.1.1. create

Usage:

am> create DataStoreDecision --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object"
}

1.38.1.2. delete

Usage:

am> delete DataStoreDecision --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.38.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DataStoreDecision --realm Realm --actionName getAllTypes

1.38.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DataStoreDecision --realm Realm --actionName getCreatableTypes

1.38.1.5. listOutcomes

List the available outcomes for the node type.

Usage:

am> action DataStoreDecision --realm Realm --body body --actionName listOutcomes

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "title" : "Some configuration of the node. This does not need to be complete against the configuration schema."
}

1.38.1.6. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DataStoreDecision --realm Realm --actionName nextdescendents

1.38.1.7. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query DataStoreDecision --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.38.1.8. read

Usage:

am> read DataStoreDecision --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.38.1.9. update

Usage:

am> update DataStoreDecision --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object"
}

1.38.2. Global Operations

Resource path: /global-config/authentication/authenticationtrees/nodes/DataStoreDecisionNode

Resource version: 1.0

1.38.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DataStoreDecision --global --actionName getAllTypes

1.38.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DataStoreDecision --global --actionName getCreatableTypes

1.38.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DataStoreDecision --global --actionName nextdescendents

1.38.2.4. read

Usage:

am> read DataStoreDecision --global

1.38.2.5. update

Usage:

am> update DataStoreDecision --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object"
}

1.39. DataStoreModule

1.39.1. Realm Operations

Resource path: /realm-config/authentication/modules/datastore

Resource version: 1.0

1.39.1.1. create

Usage:

am> create DataStoreModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.39.1.2. delete

Usage:

am> delete DataStoreModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.39.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DataStoreModule --realm Realm --actionName getAllTypes

1.39.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DataStoreModule --realm Realm --actionName getCreatableTypes

1.39.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DataStoreModule --realm Realm --actionName nextdescendents

1.39.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query DataStoreModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.39.1.7. read

Usage:

am> read DataStoreModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.39.1.8. update

Usage:

am> update DataStoreModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.39.2. Global Operations

Resource path: /global-config/authentication/modules/datastore

Resource version: 1.0

1.39.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DataStoreModule --global --actionName getAllTypes

1.39.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DataStoreModule --global --actionName getCreatableTypes

1.39.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DataStoreModule --global --actionName nextdescendents

1.39.2.4. read

Usage:

am> read DataStoreModule --global

1.39.2.5. update

Usage:

am> update DataStoreModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.40. DatabaseRepositoryEarlyAccess

1.40.1. Realm Operations

Resource path: /realm-config/services/id-repositories/Database

Resource version: 1.0

1.40.1.1. create

Usage:

am> create DatabaseRepositoryEarlyAccess --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sunIdRepoAttributeMapping" : {
      "title" : "Attribute Name Mapping",
      "description" : "",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-opensso-database-inactiveValue" : {
      "title" : "User Status Inactive Value",
      "description" : "Value stored in the db table's user status column to represent an Inactive user",
      "propertyOrder" : 8500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-dao-class-name" : {
      "title" : "Database Data Access Object Plugin Class Name",
      "description" : "",
      "propertyOrder" : 7200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserStatusAttr" : {
      "title" : "Attribute Name of User Status",
      "description" : "Name of attribute column name in DB table to determine if user is active or inactive",
      "propertyOrder" : 8300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-MembershipTableName" : {
      "title" : "Database Membership table name",
      "description" : "",
      "propertyOrder" : 8800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-membership-search-attribute" : {
      "title" : "Membership Search Attribute in Database",
      "description" : "Name of attribute column name in DB table for membership LIKE search queries",
      "propertyOrder" : 9000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-sunIdRepoSupportedOperations" : {
      "title" : "Database Plug-in Supported Types and Operations",
      "description" : "",
      "propertyOrder" : 7100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserPasswordAttr" : {
      "title" : "User Password Attribute Name",
      "description" : "Name of attribute column name in DB table for user password",
      "propertyOrder" : 8100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-config-users-search-attribute" : {
      "title" : "Users Search Attribute in Database",
      "description" : "Name of attribute column name in DB table for users LIKE search queries",
      "propertyOrder" : 8700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-activeValue" : {
      "title" : "User Status Active Value",
      "description" : "Value stored in the db table's user status column to represent an Active user",
      "propertyOrder" : 8400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-JDBCDbuser" : {
      "title" : "Connect This User to Database",
      "description" : "Connection user name used as parameter by JDBC driver",
      "propertyOrder" : 7800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-dao-JDBCConnectionType" : {
      "title" : "Connection Type",
      "description" : "",
      "propertyOrder" : 7300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-JDBCDriver" : {
      "title" : "JDBC Driver Class Name",
      "description" : "Class name of JDBC driver to use to get connections. URL, JDBC username and password paramters also needed",
      "propertyOrder" : 7500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-DataSourceJndiName" : {
      "title" : "Database DataSource Name",
      "description" : "Name specified when configuring a DataSource in the application server for connections",
      "propertyOrder" : 7400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserIDAttr" : {
      "title" : "User ID Attribute Name",
      "description" : "Name of attribute column name in DB table for user id",
      "propertyOrder" : 8200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-config-max-result" : {
      "title" : "Maximum Results Returned from Search",
      "description" : "Value to determine the maximum number of search results to fetch",
      "propertyOrder" : 8600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-opensso-database-JDBCUrl" : {
      "title" : "JDBC Driver URL",
      "description" : "URL used as parameter by JDBC driver",
      "propertyOrder" : 7700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserAttrs" : {
      "title" : "List of User Attributes Names in Database",
      "description" : "",
      "propertyOrder" : 8000,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-opensso-database-MembershipIDAttr" : {
      "title" : "Membership ID Attribute Name",
      "description" : "Name of attribute column name in DB membership table to uniquely identify a group",
      "propertyOrder" : 8900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoClass" : {
      "title" : "Database Repository Plugin Class Name",
      "description" : "",
      "propertyOrder" : 7000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-JDBCDbpassword" : {
      "title" : "Password for Connecting to Database",
      "description" : "Password used as parameter by JDBC driver",
      "propertyOrder" : 7600,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserTableName" : {
      "title" : "Database User Table Name",
      "description" : "",
      "propertyOrder" : 7900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.40.1.2. delete

Usage:

am> delete DatabaseRepositoryEarlyAccess --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.40.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DatabaseRepositoryEarlyAccess --realm Realm --actionName getAllTypes

1.40.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DatabaseRepositoryEarlyAccess --realm Realm --actionName getCreatableTypes

1.40.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DatabaseRepositoryEarlyAccess --realm Realm --actionName nextdescendents

1.40.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query DatabaseRepositoryEarlyAccess --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.40.1.7. read

Usage:

am> read DatabaseRepositoryEarlyAccess --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.40.1.8. update

Usage:

am> update DatabaseRepositoryEarlyAccess --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sunIdRepoAttributeMapping" : {
      "title" : "Attribute Name Mapping",
      "description" : "",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-opensso-database-inactiveValue" : {
      "title" : "User Status Inactive Value",
      "description" : "Value stored in the db table's user status column to represent an Inactive user",
      "propertyOrder" : 8500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-dao-class-name" : {
      "title" : "Database Data Access Object Plugin Class Name",
      "description" : "",
      "propertyOrder" : 7200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserStatusAttr" : {
      "title" : "Attribute Name of User Status",
      "description" : "Name of attribute column name in DB table to determine if user is active or inactive",
      "propertyOrder" : 8300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-MembershipTableName" : {
      "title" : "Database Membership table name",
      "description" : "",
      "propertyOrder" : 8800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-membership-search-attribute" : {
      "title" : "Membership Search Attribute in Database",
      "description" : "Name of attribute column name in DB table for membership LIKE search queries",
      "propertyOrder" : 9000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-sunIdRepoSupportedOperations" : {
      "title" : "Database Plug-in Supported Types and Operations",
      "description" : "",
      "propertyOrder" : 7100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserPasswordAttr" : {
      "title" : "User Password Attribute Name",
      "description" : "Name of attribute column name in DB table for user password",
      "propertyOrder" : 8100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-config-users-search-attribute" : {
      "title" : "Users Search Attribute in Database",
      "description" : "Name of attribute column name in DB table for users LIKE search queries",
      "propertyOrder" : 8700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-activeValue" : {
      "title" : "User Status Active Value",
      "description" : "Value stored in the db table's user status column to represent an Active user",
      "propertyOrder" : 8400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-JDBCDbuser" : {
      "title" : "Connect This User to Database",
      "description" : "Connection user name used as parameter by JDBC driver",
      "propertyOrder" : 7800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-dao-JDBCConnectionType" : {
      "title" : "Connection Type",
      "description" : "",
      "propertyOrder" : 7300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-JDBCDriver" : {
      "title" : "JDBC Driver Class Name",
      "description" : "Class name of JDBC driver to use to get connections. URL, JDBC username and password paramters also needed",
      "propertyOrder" : 7500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-DataSourceJndiName" : {
      "title" : "Database DataSource Name",
      "description" : "Name specified when configuring a DataSource in the application server for connections",
      "propertyOrder" : 7400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserIDAttr" : {
      "title" : "User ID Attribute Name",
      "description" : "Name of attribute column name in DB table for user id",
      "propertyOrder" : 8200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-config-max-result" : {
      "title" : "Maximum Results Returned from Search",
      "description" : "Value to determine the maximum number of search results to fetch",
      "propertyOrder" : 8600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-opensso-database-JDBCUrl" : {
      "title" : "JDBC Driver URL",
      "description" : "URL used as parameter by JDBC driver",
      "propertyOrder" : 7700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserAttrs" : {
      "title" : "List of User Attributes Names in Database",
      "description" : "",
      "propertyOrder" : 8000,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-opensso-database-MembershipIDAttr" : {
      "title" : "Membership ID Attribute Name",
      "description" : "Name of attribute column name in DB membership table to uniquely identify a group",
      "propertyOrder" : 8900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoClass" : {
      "title" : "Database Repository Plugin Class Name",
      "description" : "",
      "propertyOrder" : 7000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-JDBCDbpassword" : {
      "title" : "Password for Connecting to Database",
      "description" : "Password used as parameter by JDBC driver",
      "propertyOrder" : 7600,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserTableName" : {
      "title" : "Database User Table Name",
      "description" : "",
      "propertyOrder" : 7900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.41. DecisionCombiners

1.41.1. Realm Operations

Service for querying and reading decision combiners information. Decision combiners describe how to resolve policy decisions when multiple policies apply

Resource path: /decisioncombiners

Resource version: 1.0

1.41.1.1. query

Lists all decision combiners

Usage:

am> query DecisionCombiners --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all. Fields that can be queried: [title]

1.41.1.2. read

Reads an individual decision combiner specified by its name

Usage:

am> read DecisionCombiners --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.42. DefaultAdvancedProperties

1.42.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/server-default/properties/advanced

Resource version: 1.0

1.42.1.1. read

Usage:

am> read DefaultAdvancedProperties --global

1.42.1.2. update

Usage:

am> update DefaultAdvancedProperties --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "patternProperties" : {
    ".+" : {
      "type" : "string",
      "title" : "Value",
      "description" : "Any string value"
    }
  },
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "An object of property key-value pairs",
  "type" : "object",
  "title" : "Advanced Properties"
}

1.43. DefaultCtsDataStoreProperties

1.43.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/server-default/properties/cts

Resource version: 1.0

1.43.1.1. read

Usage:

am> read DefaultCtsDataStoreProperties --global

1.43.1.2. update

Usage:

am> update DefaultCtsDataStoreProperties --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.org.forgerock.services.cts.store.common.section" : {
      "title" : "CTS Token Store",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "org.forgerock.services.cts.store.location" : {
          "enum" : [ "default", "external" ],
          "options" : {
            "enum_titles" : [ "Default Token Store", "External Token Store" ]
          },
          "type" : "string",
          "title" : "Store Mode",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.cts.store.root.suffix" : {
          "type" : "string",
          "title" : "Root Suffix",
          "propertyOrder" : 1,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.cts.store.max.connections" : {
          "type" : "string",
          "title" : "Max Connections",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.cts.store.external.section" : {
      "title" : "External Store Configuration",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "org.forgerock.services.cts.store.ssl.enabled" : {
          "type" : "boolean",
          "title" : "SSL/TLS Enabled",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.cts.store.directory.name" : {
          "type" : "string",
          "title" : "Connection String(s)",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
        },
        "org.forgerock.services.cts.store.loginid" : {
          "type" : "string",
          "title" : "Login Id",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.cts.store.password" : {
          "type" : "string",
          "title" : "Password",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "",
          "format" : "password"
        },
        "org.forgerock.services.cts.store.heartbeat" : {
          "type" : "integer",
          "title" : "Heartbeat",
          "propertyOrder" : 4,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.cts.store.affinity.enabled" : {
          "type" : "boolean",
          "title" : "Affinity Enabled",
          "propertyOrder" : 5,
          "required" : true,
          "description" : "Enables affinity based request load balancing when accessing the CTS servers. It is imperative that the connection string setting is set to the same value for all OpenAM servers in the deployment when this feature is enabled."
        }
      }
    }
  }
}

1.44. DefaultDirectoryConfiguration

1.44.1. Global Operations

Connection details for directory server(s).

Resource path: /global-config/servers/server-default/properties/directoryConfiguration

Resource version: 1.0

1.44.1.1. read

Usage:

am> read DefaultDirectoryConfiguration --global

1.44.1.2. update

Usage:

am> update DefaultDirectoryConfiguration --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "directoryConfiguration" : {
      "type" : "object",
      "title" : "Directory Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "minConnectionPool" : {
          "title" : "Minimum Connection Pool",
          "propertyOrder" : 0,
          "type" : "number"
        },
        "maxConnectionPool" : {
          "title" : "Maximum Connection Pool",
          "propertyOrder" : 1,
          "type" : "number"
        },
        "bindDn" : {
          "title" : "Bind DN",
          "propertyOrder" : 2,
          "type" : "string"
        },
        "bindPassword" : {
          "title" : "Bind Password",
          "propertyOrder" : 3,
          "type" : "string",
          "format" : "password"
        }
      }
    },
    "directoryServers" : {
      "type" : "array",
      "title" : "Server",
      "propertyOrder" : 1,
      "items" : {
        "type" : "object",
        "required" : [ "serverName", "hostName", "portNumber", "connectionType" ],
        "properties" : {
          "serverName" : {
            "title" : "Name",
            "type" : "string",
            "propertyOrder" : 0
          },
          "hostName" : {
            "title" : "Host Name",
            "type" : "string",
            "propertyOrder" : 1
          },
          "portNumber" : {
            "title" : "Port Number",
            "type" : "string",
            "propertyOrder" : 2
          },
          "connectionType" : {
            "type" : "string",
            "enum" : [ "SIMPLE", "SSL" ],
            "options" : {
              "enum_titles" : [ "SIMPLE", "SSL" ]
            },
            "title" : "Connection Type",
            "propertyOrder" : 3
          }
        }
      }
    }
  }
}

1.45. DefaultGeneralProperties

1.45.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/server-default/properties/general

Resource version: 1.0

1.45.1.1. read

Usage:

am> read DefaultGeneralProperties --global

1.45.1.2. update

Usage:

am> update DefaultGeneralProperties --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.header.installdir" : {
      "title" : "System",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "com.iplanet.services.configpath" : {
          "type" : "string",
          "title" : "Base installation directory",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Base directory where product's data resides. (property name: com.iplanet.services.configpath)"
        },
        "com.iplanet.am.locale" : {
          "type" : "string",
          "title" : "Default Locale",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Default locale for the product. (property name: com.iplanet.am.locale)"
        },
        "com.sun.identity.client.notification.url" : {
          "type" : "string",
          "title" : "Notification URL",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "The location of notification service end point. It is usually the product's deployment URI/notificationservice. (property name: com.sun.identity.client.notification.url)"
        },
        "com.iplanet.am.util.xml.validating" : {
          "enum" : [ "on", "off" ],
          "options" : {
            "enum_titles" : [ "On", "Off" ]
          },
          "type" : "string",
          "title" : "XML Validation",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "Specifies if validation is required when parsing XML documents. (property name: com.iplanet.am.util.xml.validating)"
        }
      }
    },
    "amconfig.header.debug" : {
      "title" : "Debugging",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "com.iplanet.services.debug.level" : {
          "enum" : [ "off", "error", "warning", "message" ],
          "options" : {
            "enum_titles" : [ "Off", "Error", "Warning", "Message" ]
          },
          "type" : "string",
          "title" : "Debug Level",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Debug level for all components in the product. (property name: com.iplanet.services.debug.level)"
        },
        "com.sun.services.debug.mergeall" : {
          "enum" : [ "on", "off" ],
          "options" : {
            "enum_titles" : [ "On", "Off" ]
          },
          "type" : "string",
          "title" : "Merge Debug Files",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "On : Directs all debug data to a single file (debug.out); Off : creates separate per-component debug files (property name : com.sun.services.debug.mergeall)"
        },
        "com.iplanet.services.debug.directory" : {
          "type" : "string",
          "title" : "Debug Directory",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "Directory where debug files reside. (property name: com.iplanet.services.debug.directory)"
        }
      }
    },
    "amconfig.header.mailserver" : {
      "title" : "Mail Server",
      "type" : "object",
      "propertyOrder" : 2,
      "properties" : {
        "com.iplanet.am.smtphost" : {
          "type" : "string",
          "title" : "Mail Server Host Name",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "(property name: com.iplanet.am.smtphost)"
        },
        "com.iplanet.am.smtpport" : {
          "type" : "integer",
          "title" : "Mail Server Port Number",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "(property name: com.iplanet.am.smtpport)"
        }
      }
    }
  }
}

1.46. DefaultSdkProperties

1.46.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/server-default/properties/sdk

Resource version: 1.0

1.46.1.1. read

Usage:

am> read DefaultSdkProperties --global

1.46.1.2. update

Usage:

am> update DefaultSdkProperties --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.header.datastore" : {
      "title" : "Data Store",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "com.sun.identity.sm.enableDataStoreNotification" : {
          "type" : "boolean",
          "title" : "Enable Datastore Notification",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Specifies if backend datastore notification is enabled. If this value is set to 'false', then in-memory notification is enabled. (property name: com.sun.identity.sm.enableDataStoreNotification)"
        },
        "com.sun.identity.sm.ldap.enableProxy" : {
          "type" : "boolean",
          "title" : "Enable Directory Proxy",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "This indicates to Service Management that the Directory Proxy must be used for read, write, and/or modify operations to the Directory Server. This flag also determines if ACIs or delegation privileges are to be used. (property name: com.sun.identity.sm.ldap.enableProxy)"
        },
        "com.sun.identity.sm.notification.threadpool.size" : {
          "type" : "integer",
          "title" : "Notification Pool Size",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "Specifies the size of the sm notification thread pool (total number of threads). (property name: com.sun.identity.sm.notification.threadpool.size)"
        }
      }
    },
    "amconfig.header.eventservice" : {
      "title" : "Event Service",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "com.iplanet.am.event.connection.num.retries" : {
          "type" : "integer",
          "title" : "Number of retries for Event Service connections",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Specifies the number of attempts made to successfully re-establish the Event Service connections. (property name: com.iplanet.am.event.connection.num.retries)"
        },
        "com.iplanet.am.event.connection.delay.between.retries" : {
          "type" : "integer",
          "title" : "Delay between Event Service connection retries",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Specifies the delay in milliseconds between retries to re-establish the Event Service connections. (property name: com.iplanet.am.event.connection.delay.between.retries)"
        },
        "com.iplanet.am.event.connection.ldap.error.codes.retries" : {
          "type" : "string",
          "title" : "Error codes for Event Service connection retries",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "This secifies the LDAP exception error codes for which retries to re-establish Event Service connections will trigger. (property name: com.iplanet.am.event.connection.ldap.error.codes.retries)"
        },
        "com.sun.am.event.connection.disable.list" : {
          "type" : "string",
          "title" : "Disabled Event Service Connection",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "Specifies which event connection (persistent search) to be disabled. There are three valid values - aci, sm and um (case insensitive). Multiple values should be separated with \",\". (property name: com.sun.am.event.connection.disable.list)"
        }
      }
    },
    "amconfig.header.ldapconnection" : {
      "title" : "LDAP Connection",
      "type" : "object",
      "propertyOrder" : 2,
      "properties" : {
        "com.iplanet.am.ldap.connection.num.retries" : {
          "type" : "integer",
          "title" : "Number of retries for LDAP Connection",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Specifies the number of attempts made to successfully re-establish LDAP Connection. (property name: com.iplanet.am.ldap.connection.num.retries)"
        },
        "com.iplanet.am.ldap.connection.delay.between.retries" : {
          "type" : "integer",
          "title" : "Delay between LDAP connection retries",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Specifies the delay in milliseconds between retries to re-establish the LDAP connections. (property name: com.iplanet.am.ldap.connection.delay.between.retries)"
        },
        "com.iplanet.am.ldap.connection.ldap.error.codes.retries" : {
          "type" : "string",
          "title" : "Error codes for LDAP connection retries",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "This secifies the LDAP exception error codes for which retries to re-establish LDAP connections will trigger. (property name: com.iplanet.am.ldap.connection.ldap.error.codes.retries)"
        }
      }
    },
    "amconfig.header.cachingreplica" : {
      "title" : "Caching and Replica",
      "type" : "object",
      "propertyOrder" : 3,
      "properties" : {
        "com.iplanet.am.sdk.cache.maxSize" : {
          "type" : "integer",
          "title" : "SDK Caching Max. Size",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Specifies the size of the cache when SDK caching is enabled. The size should be an integer greater than 0, or default size (10000) will be used. Changing this value will reset (clear) the contents of the cache. (property name: com.iplanet.am.sdk.cache.maxSize)"
        },
        "com.iplanet.am.replica.num.retries" : {
          "type" : "integer",
          "title" : "SDK Replica Retries",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Specifies the number of times to retry when an Entry Not Found error is returned to the SDK. (property name: com.iplanet.am.replica.num.retries)"
        },
        "com.iplanet.am.replica.delay.between.retries" : {
          "type" : "integer",
          "title" : "Delay between SDK Replica Retries",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "Specifies the delay time in milliseconds between the retries. (property name: com.iplanet.am.replica.delay.between.retries)"
        }
      }
    },
    "amconfig.header.sdktimetoliveconfig" : {
      "title" : "Time To Live Configuration",
      "type" : "object",
      "propertyOrder" : 4,
      "properties" : {
        "com.iplanet.am.sdk.cache.entry.expire.enabled" : {
          "type" : "boolean",
          "title" : "Cache Entry Expiration Enabled",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "If this property is set, the cache entries will expire based on the time specified in User Entry Expiration Time property. (property name: com.iplanet.am.sdk.cache.entry.expire.enabled)"
        },
        "com.iplanet.am.sdk.cache.entry.user.expire.time" : {
          "type" : "integer",
          "title" : "User Entry Expiration Time",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "This property specifies time in minutes for which the user entries remain valid in cache after their last modification. After this specified period of time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant new requests for data for these user entries will result in reading from the Directory. (property name: com.iplanet.am.sdk.cache.entry.user.expire.time)"
        },
        "com.iplanet.am.sdk.cache.entry.default.expire.time" : {
          "type" : "integer",
          "title" : "Default Entry Expiration Time",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "This property specifies time in minutes for which the non-user entries remain valid in cache after their last modification. After this specified period of time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant new requests for data for these non-user entries will result in reading from the Directory. (property name: com.iplanet.am.sdk.cache.entry.default.expire.time)"
        }
      }
    }
  }
}

1.47. DefaultSecurityProperties

1.47.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/server-default/properties/security

Resource version: 1.0

1.47.1.1. read

Usage:

am> read DefaultSecurityProperties --global

1.47.1.2. update

Usage:

am> update DefaultSecurityProperties --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.header.encryption" : {
      "title" : "Encryption",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "am.encryption.pwd" : {
          "type" : "string",
          "title" : "Password Encryption Key",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "The encryption key value for decrypting passwords stored in the Service Management System configuration. (property name: am.encryption.pwd)"
        },
        "com.iplanet.security.encryptor" : {
          "type" : "string",
          "title" : "Encryption class",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "The default encryption class. (property name: com.iplanet.security.encryptor)"
        },
        "com.iplanet.security.SecureRandomFactoryImpl" : {
          "type" : "string",
          "title" : "Secure Random Factory Class",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "This property is used for specifying SecureRandomFactory class. Available values for this property are com.iplanet.am.util.JSSSecureRandomFactoryImpl that is using JSS and com.iplanet.am.util.SecureRandomFactoryImpl that is using pure Java only. (property name: com.iplanet.security.SecureRandomFactoryImpl)"
        }
      }
    },
    "amconfig.header.validation" : {
      "title" : "Validation",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "com.iplanet.services.comm.server.pllrequest.maxContentLength" : {
          "type" : "integer",
          "title" : "Platform Low Level Comm. Max. Content Length",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Maximum content-length for an HttpRequest. (property name: com.iplanet.services.comm.server.pllrequest.maxContentLength)"
        },
        "com.iplanet.am.clientIPCheckEnabled" : {
          "type" : "boolean",
          "title" : "Client IP Address Check",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Specifies whether or not the IP address of the client is checked in all single sign on token creations or validations. (property name: com.iplanet.am.clientIPCheckEnabled)"
        }
      }
    },
    "amconfig.header.cookie" : {
      "title" : "Cookie",
      "type" : "object",
      "propertyOrder" : 2,
      "properties" : {
        "com.iplanet.am.cookie.name" : {
          "type" : "string",
          "title" : "Cookie Name",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "The cookie name used by Authentication Service to set the valid session handler ID. This name is used to retrieve the valid session information. (property name: com.iplanet.am.cookie.name)"
        },
        "com.iplanet.am.cookie.secure" : {
          "type" : "boolean",
          "title" : "Secure Cookie",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Specifies whether to set cookie in a secure mode in which the browser will only return the cookie when a secure protocol such as HTTP(s) is used. (property name: com.iplanet.am.cookie.secure)"
        },
        "com.iplanet.am.cookie.encode" : {
          "type" : "boolean",
          "title" : "Encode Cookie Value",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "Specifies whether to URL encode the cookie value. (property name: com.iplanet.am.cookie.encode)"
        }
      }
    },
    "amconfig.header.securitykey" : {
      "title" : "Key Store",
      "type" : "object",
      "propertyOrder" : 3,
      "properties" : {
        "com.sun.identity.saml.xmlsig.keystore" : {
          "type" : "string",
          "title" : "Keystore File",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Specifies the location of the keystore file. (property name: com.sun.identity.saml.xmlsig.keystore)"
        },
        "com.sun.identity.saml.xmlsig.storetype" : {
          "type" : "string",
          "title" : "Keystore Type",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Specifies the keystore type. (property name: com.sun.identity.saml.xmlsig.storetype)"
        },
        "com.sun.identity.saml.xmlsig.storepass" : {
          "type" : "string",
          "title" : "Keystore Password File",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "Specifies the location of the file that contains the password used to access the keystore file. (property name: com.sun.identity.saml.xmlsig.storepass)"
        },
        "com.sun.identity.saml.xmlsig.keypass" : {
          "type" : "string",
          "title" : "Private Key Password File",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "Specifies the location of the file that contains the password used to protect the private key of a generated key pair. (property name: com.sun.identity.saml.xmlsig.keypass)"
        },
        "com.sun.identity.saml.xmlsig.certalias" : {
          "type" : "string",
          "title" : "Certificate Alias",
          "propertyOrder" : 4,
          "required" : true,
          "description" : "(property name: com.sun.identity.saml.xmlsig.certalias)"
        }
      }
    },
    "amconfig.header.crlcache" : {
      "title" : "Certificate Revocation List Caching",
      "type" : "object",
      "propertyOrder" : 4,
      "properties" : {
        "com.sun.identity.crl.cache.directory.host" : {
          "type" : "string",
          "title" : "LDAP server host name",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "com.sun.identity.crl.cache.directory.port" : {
          "type" : "integer",
          "title" : "LDAP server port number",
          "propertyOrder" : 1,
          "required" : true,
          "description" : ""
        },
        "com.sun.identity.crl.cache.directory.ssl" : {
          "type" : "boolean",
          "title" : "SSL/TLS Enabled",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        },
        "com.sun.identity.crl.cache.directory.user" : {
          "type" : "string",
          "title" : "LDAP server bind user name",
          "propertyOrder" : 3,
          "required" : true,
          "description" : ""
        },
        "com.sun.identity.crl.cache.directory.password" : {
          "type" : "string",
          "title" : "LDAP server bind password",
          "propertyOrder" : 4,
          "required" : true,
          "description" : "",
          "format" : "password"
        },
        "com.sun.identity.crl.cache.directory.searchlocs" : {
          "type" : "string",
          "title" : "LDAP search base DN",
          "propertyOrder" : 5,
          "required" : true,
          "description" : ""
        },
        "com.sun.identity.crl.cache.directory.searchattr" : {
          "type" : "string",
          "title" : "Search Attributes",
          "propertyOrder" : 6,
          "required" : true,
          "description" : "Any DN component of issuer's subjectDN can be used to retrieve CRL from local LDAP server. It is single value string, like, \"cn\". All Root CA need to use the same search attribute."
        }
      }
    },
    "amconfig.header.ocsp.check" : {
      "title" : "Online Certificate Status Protocol Check",
      "type" : "object",
      "propertyOrder" : 5,
      "properties" : {
        "com.sun.identity.authentication.ocspCheck" : {
          "type" : "boolean",
          "title" : "Check Enabled",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "com.sun.identity.authentication.ocsp.responder.url" : {
          "type" : "string",
          "title" : "Responder URL",
          "propertyOrder" : 1,
          "required" : true,
          "description" : ""
        },
        "com.sun.identity.authentication.ocsp.responder.nickname" : {
          "type" : "string",
          "title" : "Certificate Nickname",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.header.deserialisationwhitelist" : {
      "title" : "Object Deserialisation Class Whitelist",
      "type" : "object",
      "propertyOrder" : 6,
      "properties" : {
        "openam.deserialisation.classes.whitelist" : {
          "type" : "string",
          "title" : "Whitelist",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "The list of classes that are considered valid when OpenAM performs Object deserialisation operations. The defaults should work for most installations. (property name: openam.deserialisation.classes.whitelist)"
        }
      }
    }
  }
}

1.48. DefaultSessionProperties

1.48.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/server-default/properties/session

Resource version: 1.0

1.48.1.1. read

Usage:

am> read DefaultSessionProperties --global

1.48.1.2. update

Usage:

am> update DefaultSessionProperties --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.header.sessionthresholds" : {
      "title" : "Session Limits",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "org.forgerock.openam.session.service.access.persistence.caching.maxsize" : {
          "type" : "integer",
          "title" : "Maximum Session Cache Size",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "The maximum number of sessions to cache in the per-server internal session cache. (property name: org.forgerock.openam.session.service.access.persistence.caching.maxsize)"
        },
        "com.iplanet.am.session.invalidsessionmaxtime" : {
          "type" : "integer",
          "title" : "Invalidate Session Max Time",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Duration in minutes after which the invalid session will be removed from the session table if it is created and the user does not login. This value should always be greater than the timeout value in the Authentication module properties file. (property name: com.iplanet.am.session.invalidsessionmaxtime)"
        }
      }
    },
    "amconfig.header.sessionlogging" : {
      "title" : "Statistics",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "com.iplanet.am.stats.interval" : {
          "type" : "integer",
          "title" : "Logging Interval (in seconds)",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Number of seconds to elapse between statistics logging. The interval should be at least 5 seconds to avoid CPU saturation. An interval value less than 5 seconds will be interpreted as 5 seconds. (property name: com.iplanet.am.stats.interval)"
        },
        "com.iplanet.services.stats.state" : {
          "enum" : [ "off", "file", "console" ],
          "options" : {
            "enum_titles" : [ "Off", "File", "Console" ]
          },
          "type" : "string",
          "title" : "State",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Statistics state 'file' will write to a file under the specified directory, and 'console' will write into webserver log files. (property name: com.iplanet.services.stats.state)"
        },
        "com.iplanet.services.stats.directory" : {
          "type" : "string",
          "title" : "Directory",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "Directory where the statistic files will be created. Use forward slashes \"/\" to separate directories, not backslash \"\\\". Spaces in the file name are allowed for Windows. (property name: com.iplanet.services.stats.directory)"
        },
        "com.sun.am.session.enableHostLookUp" : {
          "type" : "boolean",
          "title" : "Enable Host Lookup",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "Enables or disables host lookup during session logging. (property name: com.sun.am.session.enableHostLookUp)"
        }
      }
    },
    "amconfig.header.sessionnotification" : {
      "title" : "Notification",
      "type" : "object",
      "propertyOrder" : 2,
      "properties" : {
        "com.iplanet.am.notification.threadpool.size" : {
          "type" : "integer",
          "title" : "Notification Pool Size",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Specifies the size of the notification thread pool (total number of threads). (property name: com.iplanet.am.notification.threadpool.size)"
        },
        "com.iplanet.am.notification.threadpool.threshold" : {
          "type" : "integer",
          "title" : "Notification Thread Pool Threshold",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Specifies the maximum task queue length for serving notification threads. (property name: com.iplanet.am.notification.threadpool.threshold)"
        }
      }
    },
    "amconfig.header.sessionvalidation" : {
      "title" : "Validation",
      "type" : "object",
      "propertyOrder" : 3,
      "properties" : {
        "com.sun.am.session.caseInsensitiveDN" : {
          "type" : "boolean",
          "title" : "Case Insensitive client DN comparison",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Specifies if client distinguished name comparison is case insensitive/sensitive. (property name: com.sun.am.session.caseInsensitiveDN)"
        }
      }
    }
  }
}

1.49. DefaultUmaDataStoreProperties

1.49.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/server-default/properties/uma

Resource version: 1.0

1.49.1.1. read

Usage:

am> read DefaultUmaDataStoreProperties --global

1.49.1.2. update

Usage:

am> update DefaultUmaDataStoreProperties --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.org.forgerock.services.resourcesets.store.common.section" : {
      "title" : "Resource Sets Store",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "org.forgerock.services.resourcesets.store.location" : {
          "enum" : [ "default", "external" ],
          "options" : {
            "enum_titles" : [ "Default Token Store", "External Token Store" ]
          },
          "type" : "string",
          "title" : "Store Mode",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.resourcesets.store.root.suffix" : {
          "type" : "string",
          "title" : "Root Suffix",
          "propertyOrder" : 1,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.resourcesets.store.max.connections" : {
          "type" : "string",
          "title" : "Max Connections",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.resourcesets.store.external.section" : {
      "title" : "External Resource Sets Store Configuration",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "org.forgerock.services.resourcesets.store.ssl.enabled" : {
          "type" : "boolean",
          "title" : "SSL/TLS Enabled",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.resourcesets.store.directory.name" : {
          "type" : "string",
          "title" : "Connection String(s)",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
        },
        "org.forgerock.services.resourcesets.store.loginid" : {
          "type" : "string",
          "title" : "Login Id",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.resourcesets.store.password" : {
          "type" : "string",
          "title" : "Password",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "",
          "format" : "password"
        },
        "org.forgerock.services.resourcesets.store.heartbeat" : {
          "type" : "integer",
          "title" : "Heartbeat",
          "propertyOrder" : 4,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.umaaudit.store.common.section" : {
      "title" : "UMA Audit Store",
      "type" : "object",
      "propertyOrder" : 2,
      "properties" : {
        "org.forgerock.services.umaaudit.store.location" : {
          "enum" : [ "default", "external" ],
          "options" : {
            "enum_titles" : [ "Default Token Store", "External Token Store" ]
          },
          "type" : "string",
          "title" : "Store Mode",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.umaaudit.store.root.suffix" : {
          "type" : "string",
          "title" : "Root Suffix",
          "propertyOrder" : 1,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.umaaudit.store.max.connections" : {
          "type" : "string",
          "title" : "Max Connections",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.umaaudit.store.external.section" : {
      "title" : "External UMA Audit Store Configuration",
      "type" : "object",
      "propertyOrder" : 3,
      "properties" : {
        "org.forgerock.services.umaaudit.store.ssl.enabled" : {
          "type" : "boolean",
          "title" : "SSL/TLS Enabled",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.umaaudit.store.directory.name" : {
          "type" : "string",
          "title" : "Connection String(s)",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
        },
        "org.forgerock.services.umaaudit.store.loginid" : {
          "type" : "string",
          "title" : "Login Id",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.umaaudit.store.password" : {
          "type" : "string",
          "title" : "Password",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "",
          "format" : "password"
        },
        "org.forgerock.services.umaaudit.store.heartbeat" : {
          "type" : "integer",
          "title" : "Heartbeat",
          "propertyOrder" : 4,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.uma.pendingrequests.store.common.section" : {
      "title" : "Pending Requests Store",
      "type" : "object",
      "propertyOrder" : 4,
      "properties" : {
        "org.forgerock.services.uma.pendingrequests.store.location" : {
          "enum" : [ "default", "external" ],
          "options" : {
            "enum_titles" : [ "Default Token Store", "External Token Store" ]
          },
          "type" : "string",
          "title" : "Store Mode",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.pendingrequests.store.root.suffix" : {
          "type" : "string",
          "title" : "Root Suffix",
          "propertyOrder" : 1,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.pendingrequests.store.max.connections" : {
          "type" : "string",
          "title" : "Max Connections",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.uma.pendingrequests.store.external.section" : {
      "title" : "External Pending Requests Store Configuration",
      "type" : "object",
      "propertyOrder" : 5,
      "properties" : {
        "org.forgerock.services.uma.pendingrequests.store.ssl.enabled" : {
          "type" : "boolean",
          "title" : "SSL/TLS Enabled",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.pendingrequests.store.directory.name" : {
          "type" : "string",
          "title" : "Connection String(s)",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
        },
        "org.forgerock.services.uma.pendingrequests.store.loginid" : {
          "type" : "string",
          "title" : "Login Id",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.pendingrequests.store.password" : {
          "type" : "string",
          "title" : "Password",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "",
          "format" : "password"
        },
        "org.forgerock.services.uma.pendingrequests.store.heartbeat" : {
          "type" : "integer",
          "title" : "Heartbeat",
          "propertyOrder" : 4,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.uma.labels.store.common.section" : {
      "title" : "UMA Resource Set Labels Store",
      "type" : "object",
      "propertyOrder" : 6,
      "properties" : {
        "org.forgerock.services.uma.labels.store.location" : {
          "enum" : [ "default", "external" ],
          "options" : {
            "enum_titles" : [ "Default Token Store", "External Token Store" ]
          },
          "type" : "string",
          "title" : "Store Mode",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.labels.store.root.suffix" : {
          "type" : "string",
          "title" : "Root Suffix",
          "propertyOrder" : 1,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.labels.store.max.connections" : {
          "type" : "string",
          "title" : "Max Connections",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.uma.labels.store.external.section" : {
      "title" : "External Resource Set Labels Store Configuration",
      "type" : "object",
      "propertyOrder" : 7,
      "properties" : {
        "org.forgerock.services.uma.labels.store.ssl.enabled" : {
          "type" : "boolean",
          "title" : "SSL/TLS Enabled",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.labels.store.directory.name" : {
          "type" : "string",
          "title" : "Connection String(s)",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
        },
        "org.forgerock.services.uma.labels.store.loginid" : {
          "type" : "string",
          "title" : "Login Id",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.labels.store.password" : {
          "type" : "string",
          "title" : "Password",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "",
          "format" : "password"
        },
        "org.forgerock.services.uma.labels.store.heartbeat" : {
          "type" : "integer",
          "title" : "Heartbeat",
          "propertyOrder" : 4,
          "required" : true,
          "description" : ""
        }
      }
    }
  }
}

1.50. DeviceIDService

1.50.1. Realm Operations

Resource path: /realm-config/services/deviceIdService

Resource version: 1.0

1.50.1.1. create

Usage:

am> create DeviceIDService --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "deviceIdSettingsEncryptionKeystoreType" : {
      "title" : "Key Store Type",
      "description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "deviceIdSettingsEncryptionKeystore" : {
      "title" : "Encryption Key Store",
      "description" : "Path to the key store from which to load encryption keys.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "deviceIdSettingsEncryptionScheme" : {
      "title" : "Device Profile Encryption Scheme",
      "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "deviceIdSettingsEncryptionKeystoreKeyPairAlias" : {
      "title" : "Key-Pair Alias",
      "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
      "propertyOrder" : 600,
      "required" : false,
      "type" : "string",
      "exampleValue" : ""
    },
    "deviceIdSettingsEncryptionKeystorePrivateKeyPassword" : {
      "title" : "Private Key Password",
      "description" : "Password to unlock the private key.",
      "propertyOrder" : 700,
      "required" : false,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "deviceIdSettingsEncryptionKeystorePassword" : {
      "title" : "Key Store Password",
      "description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
      "propertyOrder" : 500,
      "required" : false,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "deviceIdAttrName" : {
      "title" : "Profile Storage Attribute",
      "description" : "The user's attribute in which to store Device ID profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to enabling the Device ID authentication module. OpenAM must be able to write to the attribute.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.50.1.2. delete

Usage:

am> delete DeviceIDService --realm Realm

1.50.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DeviceIDService --realm Realm --actionName getAllTypes

1.50.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DeviceIDService --realm Realm --actionName getCreatableTypes

1.50.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DeviceIDService --realm Realm --actionName nextdescendents

1.50.1.6. read

Usage:

am> read DeviceIDService --realm Realm

1.50.1.7. update

Usage:

am> update DeviceIDService --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "deviceIdSettingsEncryptionKeystoreType" : {
      "title" : "Key Store Type",
      "description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "deviceIdSettingsEncryptionKeystore" : {
      "title" : "Encryption Key Store",
      "description" : "Path to the key store from which to load encryption keys.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "deviceIdSettingsEncryptionScheme" : {
      "title" : "Device Profile Encryption Scheme",
      "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "deviceIdSettingsEncryptionKeystoreKeyPairAlias" : {
      "title" : "Key-Pair Alias",
      "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
      "propertyOrder" : 600,
      "required" : false,
      "type" : "string",
      "exampleValue" : ""
    },
    "deviceIdSettingsEncryptionKeystorePrivateKeyPassword" : {
      "title" : "Private Key Password",
      "description" : "Password to unlock the private key.",
      "propertyOrder" : 700,
      "required" : false,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "deviceIdSettingsEncryptionKeystorePassword" : {
      "title" : "Key Store Password",
      "description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
      "propertyOrder" : 500,
      "required" : false,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "deviceIdAttrName" : {
      "title" : "Profile Storage Attribute",
      "description" : "The user's attribute in which to store Device ID profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to enabling the Device ID authentication module. OpenAM must be able to write to the attribute.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.50.2. Global Operations

Resource path: /global-config/services/deviceIdService

Resource version: 1.0

1.50.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DeviceIDService --global --actionName getAllTypes

1.50.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DeviceIDService --global --actionName getCreatableTypes

1.50.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DeviceIDService --global --actionName nextdescendents

1.50.2.4. read

Usage:

am> read DeviceIDService --global

1.50.2.5. update

Usage:

am> update DeviceIDService --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "deviceIdAttrName" : {
          "title" : "Profile Storage Attribute",
          "description" : "The user's attribute in which to store Device ID profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to enabling the Device ID authentication module. OpenAM must be able to write to the attribute.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "deviceIdSettingsEncryptionKeystore" : {
          "title" : "Encryption Key Store",
          "description" : "Path to the key store from which to load encryption keys.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "deviceIdSettingsEncryptionKeystorePrivateKeyPassword" : {
          "title" : "Private Key Password",
          "description" : "Password to unlock the private key.",
          "propertyOrder" : 700,
          "required" : false,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "deviceIdSettingsEncryptionKeystoreType" : {
          "title" : "Key Store Type",
          "description" : "Type of key store to load.<br><br><i>Note:</i> PKCS#11 key stores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "deviceIdSettingsEncryptionKeystorePassword" : {
          "title" : "Key Store Password",
          "description" : "Password to unlock the key store. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
          "propertyOrder" : 500,
          "required" : false,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "deviceIdSettingsEncryptionKeystoreKeyPairAlias" : {
          "title" : "Key-Pair Alias",
          "description" : "Alias of the certificate and private key in the key store. The private key is used to encrypt and decrypt device profiles.",
          "propertyOrder" : 600,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "deviceIdSettingsEncryptionScheme" : {
          "title" : "Device Profile Encryption Scheme",
          "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. An HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.51. DeviceIdMatchModule

1.51.1. Realm Operations

Resource path: /realm-config/authentication/modules/deviceidmatch

Resource version: 1.0

1.51.1.1. create

Usage:

am> create DeviceIdMatchModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "clientScript" : {
      "title" : "Client-side Script",
      "description" : "The client-side script.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "clientScriptEnabled" : {
      "title" : "Client-side Script Enabled",
      "description" : "Enable this setting if the client-side script should be executed.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "serverScript" : {
      "title" : "Server-side Script",
      "description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned. It can be written in the selected language.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.51.1.2. delete

Usage:

am> delete DeviceIdMatchModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.51.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DeviceIdMatchModule --realm Realm --actionName getAllTypes

1.51.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DeviceIdMatchModule --realm Realm --actionName getCreatableTypes

1.51.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DeviceIdMatchModule --realm Realm --actionName nextdescendents

1.51.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query DeviceIdMatchModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.51.1.7. read

Usage:

am> read DeviceIdMatchModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.51.1.8. update

Usage:

am> update DeviceIdMatchModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "clientScript" : {
      "title" : "Client-side Script",
      "description" : "The client-side script.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "clientScriptEnabled" : {
      "title" : "Client-side Script Enabled",
      "description" : "Enable this setting if the client-side script should be executed.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "serverScript" : {
      "title" : "Server-side Script",
      "description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned. It can be written in the selected language.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.51.2. Global Operations

Resource path: /global-config/authentication/modules/deviceidmatch

Resource version: 1.0

1.51.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DeviceIdMatchModule --global --actionName getAllTypes

1.51.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DeviceIdMatchModule --global --actionName getCreatableTypes

1.51.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DeviceIdMatchModule --global --actionName nextdescendents

1.51.2.4. read

Usage:

am> read DeviceIdMatchModule --global

1.51.2.5. update

Usage:

am> update DeviceIdMatchModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "clientScript" : {
          "title" : "Client-side Script",
          "description" : "The client-side script.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "serverScript" : {
          "title" : "Server-side Script",
          "description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned. It can be written in the selected language.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "clientScriptEnabled" : {
          "title" : "Client-side Script Enabled",
          "description" : "Enable this setting if the client-side script should be executed.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.52. DeviceIdSaveModule

1.52.1. Realm Operations

Resource path: /realm-config/authentication/modules/deviceidsave

Resource version: 1.0

1.52.1.1. create

Usage:

am> create DeviceIdSaveModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "autoStoreProfiles" : {
      "title" : "Automatically store new profiles",
      "description" : "Select this checkbox to assume user consent to store every new profile<br><br>If this checkbox is selected user won't be prompted for storing new profiles. After successful OTP confirmation profile will be stored automatically.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "maxProfilesAllowed" : {
      "title" : "Maximum stored profile quantity",
      "description" : "No more than specified profiles quantity will be stored in user record",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.52.1.2. delete

Usage:

am> delete DeviceIdSaveModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.52.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DeviceIdSaveModule --realm Realm --actionName getAllTypes

1.52.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DeviceIdSaveModule --realm Realm --actionName getCreatableTypes

1.52.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DeviceIdSaveModule --realm Realm --actionName nextdescendents

1.52.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query DeviceIdSaveModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.52.1.7. read

Usage:

am> read DeviceIdSaveModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.52.1.8. update

Usage:

am> update DeviceIdSaveModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "autoStoreProfiles" : {
      "title" : "Automatically store new profiles",
      "description" : "Select this checkbox to assume user consent to store every new profile<br><br>If this checkbox is selected user won't be prompted for storing new profiles. After successful OTP confirmation profile will be stored automatically.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "maxProfilesAllowed" : {
      "title" : "Maximum stored profile quantity",
      "description" : "No more than specified profiles quantity will be stored in user record",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.52.2. Global Operations

Resource path: /global-config/authentication/modules/deviceidsave

Resource version: 1.0

1.52.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DeviceIdSaveModule --global --actionName getAllTypes

1.52.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DeviceIdSaveModule --global --actionName getCreatableTypes

1.52.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DeviceIdSaveModule --global --actionName nextdescendents

1.52.2.4. read

Usage:

am> read DeviceIdSaveModule --global

1.52.2.5. update

Usage:

am> update DeviceIdSaveModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "maxProfilesAllowed" : {
          "title" : "Maximum stored profile quantity",
          "description" : "No more than specified profiles quantity will be stored in user record",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "autoStoreProfiles" : {
          "title" : "Automatically store new profiles",
          "description" : "Select this checkbox to assume user consent to store every new profile<br><br>If this checkbox is selected user won't be prompted for storing new profiles. After successful OTP confirmation profile will be stored automatically.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.53. DirectoryConfiguration

1.53.1. Global Operations

Connection details for directory server(s).

Resource path: /global-config/servers/{serverName}/properties/directoryConfiguration

Resource version: 1.0

1.53.1.1. read

Usage:

am> read DirectoryConfiguration --global --serverName serverName

Parameters:

--serverName

Connection details for directory server(s).

1.53.1.2. update

Usage:

am> update DirectoryConfiguration --global --serverName serverName --body body

Parameters:

--serverName

Connection details for directory server(s).

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "directoryConfiguration" : {
      "type" : "object",
      "title" : "Directory Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "minConnectionPool" : {
          "title" : "Minimum Connection Pool",
          "propertyOrder" : 0,
          "type" : "number"
        },
        "maxConnectionPool" : {
          "title" : "Maximum Connection Pool",
          "propertyOrder" : 1,
          "type" : "number"
        },
        "bindDn" : {
          "title" : "Bind DN",
          "propertyOrder" : 2,
          "type" : "string"
        },
        "bindPassword" : {
          "title" : "Bind Password",
          "propertyOrder" : 3,
          "type" : "string",
          "format" : "password"
        }
      }
    },
    "directoryServers" : {
      "type" : "array",
      "title" : "Server",
      "propertyOrder" : 1,
      "items" : {
        "type" : "object",
        "required" : [ "serverName", "hostName", "portNumber", "connectionType" ],
        "properties" : {
          "serverName" : {
            "title" : "Name",
            "type" : "string",
            "propertyOrder" : 0
          },
          "hostName" : {
            "title" : "Host Name",
            "type" : "string",
            "propertyOrder" : 1
          },
          "portNumber" : {
            "title" : "Port Number",
            "type" : "string",
            "propertyOrder" : 2
          },
          "connectionType" : {
            "type" : "string",
            "enum" : [ "SIMPLE", "SSL" ],
            "options" : {
              "enum_titles" : [ "SIMPLE", "SSL" ]
            },
            "title" : "Connection Type",
            "propertyOrder" : 3
          }
        }
      }
    }
  }
}

1.54. EdgeAuthenticationModule

1.54.1. Realm Operations

Resource path: /realm-config/authentication/modules/authEdgeAuthentication

Resource version: 1.0

1.54.1.1. create

Usage:

am> create EdgeAuthenticationModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "subjectJwkSetAttr" : {
      "title" : "Subject JWK Set Attribute",
      "description" : "Subject profile attribute that contains a JWK Set of confirmation and encryption keys.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "challengeSigningKey" : {
      "title" : "Challenge Signing Key",
      "description" : "Name of the key (in the AM keystore) to use to sign challenges.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.",
      "propertyOrder" : 10000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.54.1.2. delete

Usage:

am> delete EdgeAuthenticationModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.54.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action EdgeAuthenticationModule --realm Realm --actionName getAllTypes

1.54.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action EdgeAuthenticationModule --realm Realm --actionName getCreatableTypes

1.54.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action EdgeAuthenticationModule --realm Realm --actionName nextdescendents

1.54.1.6. query

Get the full list of instances of this collection. This query only supports `_queryFilter=true` filter.

Usage:

am> query EdgeAuthenticationModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.54.1.7. read

Usage:

am> read EdgeAuthenticationModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.54.1.8. update

Usage:

am> update EdgeAuthenticationModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "subjectJwkSetAttr" : {
      "title" : "Subject JWK Set Attribute",
      "description" : "Subject profile attribute that contains a JWK Set of confirmation and encryption keys.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "challengeSigningKey" : {
      "title" : "Challenge Signing Key",
      "description" : "Name of the key (in the AM keystore) to use to sign challenges.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.",
      "propertyOrder" : 10000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.54.2. Global Operations

Resource path: /global-config/authentication/modules/authEdgeAuthentication

Resource version: 1.0

1.54.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action EdgeAuthenticationModule --global --actionName getAllTypes

1.54.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action EdgeAuthenticationModule --global --actionName getCreatableTypes

1.54.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action EdgeAuthenticationModule --global --actionName nextdescendents

1.54.2.4. read

Usage:

am> read EdgeAuthenticationModule --global

1.54.2.5. update

Usage:

am> update EdgeAuthenticationModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "subjectJwkSetAttr" : {
          "title" : "Subject JWK Set Attribute",
          "description" : "Subject profile attribute that contains a JWK Set of confirmation and encryption keys.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "challengeSigningKey" : {
          "title" : "Challenge Signing Key",
          "description" : "Name of the key (in the AM keystore) to use to sign challenges.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.",
          "propertyOrder" : 10000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.55. EdgeRegistrationModule

1.55.1. Realm Operations

Resource path: /realm-config/authentication/modules/authEdgeRegistration

Resource version: 1.0

1.55.1.1. create

Usage:

am> create EdgeRegistrationModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "subjectJwkSetAttr" : {
      "title" : "Subject JWK Set Attribute",
      "description" : "Subject profile attribute that contains a JWK Set of confirmation and encryption keys.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.",
      "propertyOrder" : 10000,