Reference of the ForgeRock® Access Management command-line interface entities.

Preface

This reference contains the entities and actions you can perform using Amster.

This guide is written for anyone using Amster to configure and manage ForgeRock Access Management deployments.

About ForgeRock Identity Platform™ Software

ForgeRock Identity Platform™ is the only offering for access management, identity management, user-managed access, directory services, and an identity gateway, designed and built as a single, unified platform.

The platform includes the following components that extend what is available in open source projects to provide fully featured, enterprise-ready software:

  • ForgeRock Access Management (AM)

  • ForgeRock Identity Management (IDM)

  • ForgeRock Directory Services (DS)

  • ForgeRock Identity Gateway (IG)

Chapter 1. Amster Entity Reference

This chapter contains details of the entities available to Amster in AM 5.

1.1. ActiveDirectory

1.1.1. Realm Operations

Resource path: /realm-config/services/id-repositories/LDAPv3ForAD

Resource version: 1.0

1.1.1.1. create

Usage:

am> create ActiveDirectory --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sunIdRepoClass" : {
      "title" : "LDAPv3 Repository Plug-in Class Name",
      "description" : "",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-size" : {
      "title" : "DN Cache Size",
      "description" : "In DN items, only used when DN Cache is enabled.",
      "propertyOrder" : 6000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sunIdRepoSupportedOperations" : {
      "title" : "LDAPv3 Plug-in Supported Types and Operations",
      "description" : "",
      "propertyOrder" : 1900,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-organization_name" : {
      "title" : "LDAP Organization DN",
      "description" : "",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-interval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
      "title" : "Create User Attribute Mapping",
      "description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
      "propertyOrder" : 2500,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-name" : {
      "title" : "LDAP People Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 5000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-attributes" : {
      "title" : "LDAP User Attributes",
      "description" : "",
      "propertyOrder" : 2400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "com.iplanet.am.ldap.connection.delay.between.retries" : {
      "title" : "The Delay Time Between Retries",
      "description" : "In milliseconds.",
      "propertyOrder" : 5800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearchbase" : {
      "title" : "Persistent Search Base DN",
      "description" : "",
      "propertyOrder" : 5500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-enabled" : {
      "title" : "DN Cache",
      "description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
      "propertyOrder" : 5900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection_pool_max_size" : {
      "title" : "LDAP Connection Pool Maximum Size",
      "description" : "",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-attribute" : {
      "title" : "LDAP Groups Search Attribute",
      "description" : "",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-attr" : {
      "title" : "Knowledge Based Authentication Attribute Name",
      "description" : "",
      "propertyOrder" : 5300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authid" : {
      "title" : "LDAP Bind DN",
      "description" : "A user or admin with sufficient access rights to perform the supported operations.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-naming-attr" : {
      "title" : "Authentication Naming Attribute",
      "description" : "",
      "propertyOrder" : 5200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-attribute" : {
      "title" : "LDAP Users  Search Attribute",
      "description" : "",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-ldap-server" : {
      "title" : "LDAP Server",
      "description" : "Format: LDAP server host name:port | server_ID | site_ID",
      "propertyOrder" : 600,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
      "title" : "Knowledge Based Authentication Active Index",
      "description" : "",
      "propertyOrder" : 5400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-filter" : {
      "title" : "LDAP Users  Search Filter",
      "description" : "",
      "propertyOrder" : 2200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-name" : {
      "title" : "LDAP Groups Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-max-result" : {
      "title" : "Maximum Results Returned from Search",
      "description" : "",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-attributes" : {
      "title" : "LDAP Groups Attributes",
      "description" : "",
      "propertyOrder" : 3400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-time-limit" : {
      "title" : "Search Timeout",
      "description" : "In seconds.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-timeunit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-isactive" : {
      "title" : "Attribute Name of User Status",
      "description" : "",
      "propertyOrder" : 2600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-inactive" : {
      "title" : "User Status Inactive Value",
      "description" : "",
      "propertyOrder" : 2800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoAttributeMapping" : {
      "title" : "Attribute Name Mapping",
      "description" : "",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-value" : {
      "title" : "LDAP Groups Container Value",
      "description" : "",
      "propertyOrder" : 3200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authpw" : {
      "title" : "LDAP Bind Password",
      "description" : "",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-objectclass" : {
      "title" : "LDAP User Object Class",
      "description" : "",
      "propertyOrder" : 2300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-objectclass" : {
      "title" : "LDAP Groups Object Class",
      "description" : "",
      "propertyOrder" : 3300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-memberof" : {
      "title" : "Attribute Name for Group Membership",
      "description" : "",
      "propertyOrder" : 3500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-uniquemember" : {
      "title" : "Attribute Name of Unique Member",
      "description" : "",
      "propertyOrder" : 3600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-search-scope" : {
      "title" : "LDAPv3 Plug-in Search Scope",
      "description" : "",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-active" : {
      "title" : "User Status Active Value",
      "description" : "",
      "propertyOrder" : 2700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-filter" : {
      "title" : "LDAP Groups Search Filter",
      "description" : "",
      "propertyOrder" : 3000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearch-scope" : {
      "title" : "Persistent Search Scope",
      "description" : "",
      "propertyOrder" : 5700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-value" : {
      "title" : "LDAP People Container Value",
      "description" : "",
      "propertyOrder" : 5100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}
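
As an added example (not from the Amster documentation or the ForgeRock project), the following Python checks a candidate --body for `create ActiveDirectory` against a subset of the schema above, flags the values whose schema descriptions warn of weak behaviour (cleartext `LDAP` connection mode, a heartbeat interval that disables heartbeats), and masks the property the schema marks `"format" : "password"` before the body is logged; the host name, bind DN and password are constructed placeholders.

```python
import json

# Subset of the create schema shown above (property names, types and the password
# format hint copied from the page), reduced to the properties this example checks.
AD_SCHEMA_SUBSET = {
    "type": "object",
    "properties": {
        "sun-idrepo-ldapv3-config-ldap-server": {"required": True, "type": "array", "items": {"type": "string"}},
        "sun-idrepo-ldapv3-config-authid": {"required": True, "type": "string"},
        "sun-idrepo-ldapv3-config-authpw": {"required": True, "type": "string", "format": "password"},
        "sun-idrepo-ldapv3-config-connection-mode": {"required": True, "type": "string"},
        "openam-idrepo-ldapv3-heartbeat-interval": {"required": True, "type": "integer"},
        "sun-idrepo-ldapv3-dncache-enabled": {"required": True, "type": "boolean"},
    },
}

PY_TYPES = {"string": str, "integer": int, "boolean": bool, "array": list}


def _is_type(value, json_type):
    """JSON-schema-style type check; a bool is not an integer even though Python subclasses it."""
    if json_type == "integer":
        return isinstance(value, int) and not isinstance(value, bool)
    return isinstance(value, PY_TYPES[json_type])


def validate_body(body, schema=AD_SCHEMA_SUBSET):
    """Return the list of schema violations for a --body payload (empty list means it conforms)."""
    errors = []
    props = schema["properties"]
    for name, spec in props.items():
        if name not in body:
            if spec.get("required"):
                errors.append(f"missing required property {name}")
            continue
        value = body[name]
        if not _is_type(value, spec["type"]):
            errors.append(f"{name}: expected {spec['type']}, got {type(value).__name__}")
            continue
        if spec["type"] == "array":
            item_type = spec["items"]["type"]
            if not all(_is_type(v, item_type) for v in value):
                errors.append(f"{name}: every array item must be a {item_type}")
    errors.extend(f"unknown property {name}" for name in body if name not in props)
    return errors


def security_findings(body):
    """Flag values that the schema descriptions above identify as weakening the deployment."""
    findings = []
    if body.get("sun-idrepo-ldapv3-config-connection-mode") == "LDAP":
        findings.append("connection-mode LDAP: the bind password crosses the network in cleartext; use LDAPS or StartTLS")
    interval = body.get("openam-idrepo-ldapv3-heartbeat-interval")
    if isinstance(interval, int) and not isinstance(interval, bool) and interval <= 0:
        findings.append("heartbeat-interval <= 0 disables heartbeats, so an unresponsive directory connection is not detected")
    if body.get("sun-idrepo-ldapv3-config-authpw") == "":
        findings.append("authpw is empty: the bind DN carries no credential")
    return findings


def redact(body, schema=AD_SCHEMA_SUBSET):
    """Copy of the body safe for logs or tickets: mask every property the schema marks format=password."""
    masked = dict(body)
    for name, spec in schema["properties"].items():
        if spec.get("format") == "password" and name in masked:
            masked[name] = "********"
    return masked


# Constructed sample bodies (hypothetical host, DN and credential; not taken from the page).
WEAK_BODY = {
    "sun-idrepo-ldapv3-config-ldap-server": ["ad.example.test:389"],
    "sun-idrepo-ldapv3-config-authid": "CN=am-svc,OU=Service Accounts,DC=example,DC=test",
    "sun-idrepo-ldapv3-config-authpw": "placeholder-secret",
    "sun-idrepo-ldapv3-config-connection-mode": "LDAP",
    "openam-idrepo-ldapv3-heartbeat-interval": 0,
    "sun-idrepo-ldapv3-dncache-enabled": True,
}

HARDENED_BODY = {
    **WEAK_BODY,
    "sun-idrepo-ldapv3-config-ldap-server": ["ad.example.test:636"],
    "sun-idrepo-ldapv3-config-connection-mode": "LDAPS",
    "openam-idrepo-ldapv3-heartbeat-interval": 10,
}

if __name__ == "__main__":
    for label, body in (("weak", WEAK_BODY), ("hardened", HARDENED_BODY)):
        print(label, "schema errors:", validate_body(body))
        print(label, "findings:", security_findings(body))
        print(label, "loggable body:", json.dumps(redact(body)))
```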

1.1.1.2. delete

Usage:

am> delete ActiveDirectory --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.1.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action ActiveDirectory --realm Realm --actionName getAllTypes

1.1.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action ActiveDirectory --realm Realm --actionName getCreatableTypes

1.1.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action ActiveDirectory --realm Realm --actionName nextdescendents

1.1.1.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query ActiveDirectory --realm Realm --filter filter

Parameters:

--filter

A CREST-formatted query filter; "true" returns all instances.

1.1.1.7. read

Usage:

am> read ActiveDirectory --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.1.1.8. update

Usage:

am> update ActiveDirectory --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sunIdRepoClass" : {
      "title" : "LDAPv3 Repository Plug-in Class Name",
      "description" : "",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-size" : {
      "title" : "DN Cache Size",
      "description" : "In DN items, only used when DN Cache is enabled.",
      "propertyOrder" : 6000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sunIdRepoSupportedOperations" : {
      "title" : "LDAPv3 Plug-in Supported Types and Operations",
      "description" : "",
      "propertyOrder" : 1900,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-organization_name" : {
      "title" : "LDAP Organization DN",
      "description" : "",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-interval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
      "title" : "Create User Attribute Mapping",
      "description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
      "propertyOrder" : 2500,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-name" : {
      "title" : "LDAP People Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 5000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-attributes" : {
      "title" : "LDAP User Attributes",
      "description" : "",
      "propertyOrder" : 2400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "com.iplanet.am.ldap.connection.delay.between.retries" : {
      "title" : "The Delay Time Between Retries",
      "description" : "In milliseconds.",
      "propertyOrder" : 5800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearchbase" : {
      "title" : "Persistent Search Base DN",
      "description" : "",
      "propertyOrder" : 5500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-enabled" : {
      "title" : "DN Cache",
      "description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
      "propertyOrder" : 5900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection_pool_max_size" : {
      "title" : "LDAP Connection Pool Maximum Size",
      "description" : "",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-attribute" : {
      "title" : "LDAP Groups Search Attribute",
      "description" : "",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-attr" : {
      "title" : "Knowledge Based Authentication Attribute Name",
      "description" : "",
      "propertyOrder" : 5300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authid" : {
      "title" : "LDAP Bind DN",
      "description" : "A user or admin with sufficient access rights to perform the supported operations.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-naming-attr" : {
      "title" : "Authentication Naming Attribute",
      "description" : "",
      "propertyOrder" : 5200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-attribute" : {
      "title" : "LDAP Users  Search Attribute",
      "description" : "",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-ldap-server" : {
      "title" : "LDAP Server",
      "description" : "Format: LDAP server host name:port | server_ID | site_ID",
      "propertyOrder" : 600,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
      "title" : "Knowledge Based Authentication Active Index",
      "description" : "",
      "propertyOrder" : 5400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-filter" : {
      "title" : "LDAP Users  Search Filter",
      "description" : "",
      "propertyOrder" : 2200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-name" : {
      "title" : "LDAP Groups Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-max-result" : {
      "title" : "Maximum Results Returned from Search",
      "description" : "",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-attributes" : {
      "title" : "LDAP Groups Attributes",
      "description" : "",
      "propertyOrder" : 3400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-time-limit" : {
      "title" : "Search Timeout",
      "description" : "In seconds.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-timeunit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-isactive" : {
      "title" : "Attribute Name of User Status",
      "description" : "",
      "propertyOrder" : 2600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-inactive" : {
      "title" : "User Status Inactive Value",
      "description" : "",
      "propertyOrder" : 2800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoAttributeMapping" : {
      "title" : "Attribute Name Mapping",
      "description" : "",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-value" : {
      "title" : "LDAP Groups Container Value",
      "description" : "",
      "propertyOrder" : 3200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authpw" : {
      "title" : "LDAP Bind Password",
      "description" : "",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-objectclass" : {
      "title" : "LDAP User Object Class",
      "description" : "",
      "propertyOrder" : 2300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-objectclass" : {
      "title" : "LDAP Groups Object Class",
      "description" : "",
      "propertyOrder" : 3300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-memberof" : {
      "title" : "Attribute Name for Group Membership",
      "description" : "",
      "propertyOrder" : 3500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-uniquemember" : {
      "title" : "Attribute Name of Unique Member",
      "description" : "",
      "propertyOrder" : 3600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-search-scope" : {
      "title" : "LDAPv3 Plug-in Search Scope",
      "description" : "",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-active" : {
      "title" : "User Status Active Value",
      "description" : "",
      "propertyOrder" : 2700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-filter" : {
      "title" : "LDAP Groups Search Filter",
      "description" : "",
      "propertyOrder" : 3000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearch-scope" : {
      "title" : "Persistent Search Scope",
      "description" : "",
      "propertyOrder" : 5700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-value" : {
      "title" : "LDAP People Container Value",
      "description" : "",
      "propertyOrder" : 5100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.2. ActiveDirectoryApplicationModeADAM

1.2.1. Realm Operations

Resource path: /realm-config/services/id-repositories/LDAPv3ForADAM

Resource version: 1.0

1.2.1.1. create

Usage:

am> create ActiveDirectoryApplicationModeADAM --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "openam-idrepo-ldapv3-heartbeat-interval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-max-result" : {
      "title" : "Maximum Results Returned from Search",
      "description" : "",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-size" : {
      "title" : "DN Cache Size",
      "description" : "In DN items, only used when DN Cache is enabled.",
      "propertyOrder" : 6000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-naming-attr" : {
      "title" : "Authentication Naming Attribute",
      "description" : "",
      "propertyOrder" : 5200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
      "title" : "Create User Attribute Mapping",
      "description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
      "propertyOrder" : 2500,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-inactive" : {
      "title" : "User Status Inactive Value",
      "description" : "",
      "propertyOrder" : 2800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearch-scope" : {
      "title" : "Persistent Search Scope",
      "description" : "",
      "propertyOrder" : 5700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-filter" : {
      "title" : "LDAP Users  Search Filter",
      "description" : "",
      "propertyOrder" : 2200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-search-scope" : {
      "title" : "LDAPv3 Plug-in Search Scope",
      "description" : "",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoSupportedOperations" : {
      "title" : "LDAPv3 Plug-in Supported Types and Operations",
      "description" : "",
      "propertyOrder" : 1900,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-uniquemember" : {
      "title" : "Attribute Name of Unique Member",
      "description" : "",
      "propertyOrder" : 3600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-isactive" : {
      "title" : "Attribute Name of User Status",
      "description" : "",
      "propertyOrder" : 2600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-value" : {
      "title" : "LDAP People Container Value",
      "description" : "",
      "propertyOrder" : 5100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-attribute" : {
      "title" : "LDAP Users  Search Attribute",
      "description" : "",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-timeunit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-attributes" : {
      "title" : "LDAP User Attributes",
      "description" : "",
      "propertyOrder" : 2400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-filter" : {
      "title" : "LDAP Groups Search Filter",
      "description" : "",
      "propertyOrder" : 3000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-time-limit" : {
      "title" : "Search Timeout",
      "description" : "In seconds.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-attributes" : {
      "title" : "LDAP Groups Attributes",
      "description" : "",
      "propertyOrder" : 3400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-enabled" : {
      "title" : "DN Cache",
      "description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
      "propertyOrder" : 5900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-organization_name" : {
      "title" : "LDAP Organization DN",
      "description" : "",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-attribute" : {
      "title" : "LDAP Groups Search Attribute",
      "description" : "",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-name" : {
      "title" : "LDAP Groups Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection_pool_max_size" : {
      "title" : "LDAP Connection Pool Maximum Size",
      "description" : "",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sunIdRepoClass" : {
      "title" : "LDAPv3 Repository Plug-in Class Name",
      "description" : "",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authpw" : {
      "title" : "LDAP Bind Password",
      "description" : "",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-value" : {
      "title" : "LDAP Groups Container Value",
      "description" : "",
      "propertyOrder" : 3200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
      "title" : "Knowledge Based Authentication Active Index",
      "description" : "",
      "propertyOrder" : 5400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-ldap-server" : {
      "title" : "LDAP Server",
      "description" : "Format: LDAP server host name:port | server_ID | site_ID",
      "propertyOrder" : 600,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authid" : {
      "title" : "LDAP Bind DN",
      "description" : "A user or admin with sufficient access rights to perform the supported operations.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-objectclass" : {
      "title" : "LDAP User Object Class",
      "description" : "",
      "propertyOrder" : 2300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearchbase" : {
      "title" : "Persistent Search Base DN",
      "description" : "",
      "propertyOrder" : 5500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "com.iplanet.am.ldap.connection.delay.between.retries" : {
      "title" : "The Delay Time Between Retries",
      "description" : "In milliseconds.",
      "propertyOrder" : 5800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-active" : {
      "title" : "User Status Active Value",
      "description" : "",
      "propertyOrder" : 2700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-name" : {
      "title" : "LDAP People Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 5000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-attr" : {
      "title" : "Knowledge Based Authentication Attribute Name",
      "description" : "",
      "propertyOrder" : 5300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-memberof" : {
      "title" : "Attribute Name for Group Membership",
      "description" : "",
      "propertyOrder" : 3500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoAttributeMapping" : {
      "title" : "Attribute Name Mapping",
      "description" : "",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-objectclass" : {
      "title" : "LDAP Groups Object Class",
      "description" : "",
      "propertyOrder" : 3300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.2.1.2. delete

Usage:

am> delete ActiveDirectoryApplicationModeADAM --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.2.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action ActiveDirectoryApplicationModeADAM --realm Realm --actionName getAllTypes

1.2.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action ActiveDirectoryApplicationModeADAM --realm Realm --actionName getCreatableTypes

1.2.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action ActiveDirectoryApplicationModeADAM --realm Realm --actionName nextdescendents

1.2.1.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query ActiveDirectoryApplicationModeADAM --realm Realm --filter filter

Parameters:

--filter

A CREST-formatted query filter, where "true" queries all instances.

1.2.1.7. read

Usage:

am> read ActiveDirectoryApplicationModeADAM --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.2.1.8. update

Usage:

am> update ActiveDirectoryApplicationModeADAM --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "openam-idrepo-ldapv3-heartbeat-interval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-max-result" : {
      "title" : "Maximum Results Returned from Search",
      "description" : "",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-size" : {
      "title" : "DN Cache Size",
      "description" : "In DN items, only used when DN Cache is enabled.",
      "propertyOrder" : 6000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-naming-attr" : {
      "title" : "Authentication Naming Attribute",
      "description" : "",
      "propertyOrder" : 5200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
      "title" : "Create User Attribute Mapping",
      "description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
      "propertyOrder" : 2500,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-inactive" : {
      "title" : "User Status Inactive Value",
      "description" : "",
      "propertyOrder" : 2800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearch-scope" : {
      "title" : "Persistent Search Scope",
      "description" : "",
      "propertyOrder" : 5700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-filter" : {
      "title" : "LDAP Users  Search Filter",
      "description" : "",
      "propertyOrder" : 2200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-search-scope" : {
      "title" : "LDAPv3 Plug-in Search Scope",
      "description" : "",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoSupportedOperations" : {
      "title" : "LDAPv3 Plug-in Supported Types and Operations",
      "description" : "",
      "propertyOrder" : 1900,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-uniquemember" : {
      "title" : "Attribute Name of Unique Member",
      "description" : "",
      "propertyOrder" : 3600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-isactive" : {
      "title" : "Attribute Name of User Status",
      "description" : "",
      "propertyOrder" : 2600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-value" : {
      "title" : "LDAP People Container Value",
      "description" : "",
      "propertyOrder" : 5100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-attribute" : {
      "title" : "LDAP Users  Search Attribute",
      "description" : "",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-timeunit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-attributes" : {
      "title" : "LDAP User Attributes",
      "description" : "",
      "propertyOrder" : 2400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-filter" : {
      "title" : "LDAP Groups Search Filter",
      "description" : "",
      "propertyOrder" : 3000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-time-limit" : {
      "title" : "Search Timeout",
      "description" : "In seconds.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-attributes" : {
      "title" : "LDAP Groups Attributes",
      "description" : "",
      "propertyOrder" : 3400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-enabled" : {
      "title" : "DN Cache",
      "description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
      "propertyOrder" : 5900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-organization_name" : {
      "title" : "LDAP Organization DN",
      "description" : "",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-attribute" : {
      "title" : "LDAP Groups Search Attribute",
      "description" : "",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-name" : {
      "title" : "LDAP Groups Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection_pool_max_size" : {
      "title" : "LDAP Connection Pool Maximum Size",
      "description" : "",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sunIdRepoClass" : {
      "title" : "LDAPv3 Repository Plug-in Class Name",
      "description" : "",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authpw" : {
      "title" : "LDAP Bind Password",
      "description" : "",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-value" : {
      "title" : "LDAP Groups Container Value",
      "description" : "",
      "propertyOrder" : 3200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-index-attr" : {
      "title" : "Knowledge Based Authentication Active Index",
      "description" : "",
      "propertyOrder" : 5400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-ldap-server" : {
      "title" : "LDAP Server",
      "description" : "Format: LDAP server host name:port | server_ID | site_ID",
      "propertyOrder" : 600,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authid" : {
      "title" : "LDAP Bind DN",
      "description" : "A user or admin with sufficient access rights to perform the supported operations.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-objectclass" : {
      "title" : "LDAP User Object Class",
      "description" : "",
      "propertyOrder" : 2300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearchbase" : {
      "title" : "Persistent Search Base DN",
      "description" : "",
      "propertyOrder" : 5500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "com.iplanet.am.ldap.connection.delay.between.retries" : {
      "title" : "The Delay Time Between Retries",
      "description" : "In milliseconds.",
      "propertyOrder" : 5800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-active" : {
      "title" : "User Status Active Value",
      "description" : "",
      "propertyOrder" : 2700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-name" : {
      "title" : "LDAP People Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 5000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-kba-attr" : {
      "title" : "Knowledge Based Authentication Attribute Name",
      "description" : "",
      "propertyOrder" : 5300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-memberof" : {
      "title" : "Attribute Name for Group Membership",
      "description" : "",
      "propertyOrder" : 3500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoAttributeMapping" : {
      "title" : "Attribute Name Mapping",
      "description" : "",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-objectclass" : {
      "title" : "LDAP Groups Object Class",
      "description" : "",
      "propertyOrder" : 3300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.3. ActiveDirectoryModule

1.3.1. Realm Operations

Resource path: /realm-config/authentication/modules/activedirectory

Resource version: 1.0

1.3.1.1. create

Usage:

am> create ActiveDirectoryModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "userBindPassword" : {
      "title" : "Bind User Password",
      "description" : "The password of the administration account.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "userSearchFilter" : {
      "title" : "User Search Filter",
      "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code>would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "profileAttributeMappings" : {
      "title" : "User Creation Attributes",
      "description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
      "propertyOrder" : 1300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "openam-auth-ldap-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "Bind User DN",
      "description" : "The DN of an admin user used by the module to authentication to the LDAP server<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "returnUserDN" : {
      "title" : "Return User DN to DataStore",
      "description" : "Controls whether the DN or the username is returned as the authentication principal.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "operationTimeout" : {
      "title" : "LDAP operations timeout",
      "description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "secondaryLdapServer" : {
      "title" : "Secondary Active Directory Server",
      "description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 200,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
      "propertyOrder" : 1800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "userSearchStartDN" : {
      "title" : "DN to Start User Search",
      "description" : "The search for accounts to be authenticated start from this base DN <br><br>For a single server just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "trustAllServerCertificates" : {
      "title" : "Trust All Server Certificates",
      "description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userSearchAttributes" : {
      "title" : "Attributes Used to Search for a User to be Authenticated",
      "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
      "propertyOrder" : 700,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "userProfileRetrievalAttribute" : {
      "title" : "Attribute Used to Retrieve User Profile",
      "description" : "The LDAP module will use this attribute to search of the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "primaryLdapServer" : {
      "title" : "Primary Active Directory Server ",
      "description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "connectionHeartbeatInterval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. Zero or negative value will result in disabling heartbeat requests.",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "connectionHeartbeatTimeUnit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "searchScope" : {
      "title" : "Search Scope",
      "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}
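
The schemas above for the ActiveDirectoryApplicationModeADAM id-repository and the ActiveDirectoryModule carry the same security-relevant settings under different property names: a connection mode whose 'LDAP' value sends the bind password in cleartext, a bind DN for which cn=Directory Manager is warned against, a server list with a required host:port format, and, for the module, a trust-all-certificates switch that bypasses certificate verification. The following pre-flight lint for a `--body` document is an added example, not part of the Amster reference or of AM itself; the property names and warnings come from the schema descriptions, while the sample bodies and the severity wording are constructed here.

```python
"""Lint an Amster --body document before `am> create`/`am> update`.

Added example, not Amster or AM code. Property names and the warnings
they trigger are taken from the schema descriptions in this reference;
the sample bodies at the bottom are constructed.
"""
import json

# Security-relevant properties per entity, as named in each entity's schema.
ENTITY_KEYS = {
    "ActiveDirectoryModule": {
        "mode": "openam-auth-ldap-connection-mode",
        "bind_dn": "userBindDN",
        "servers": ("primaryLdapServer", "secondaryLdapServer"),
        "server_field": -1,   # "local server name | server:port": host:port is last
        "trust_all": "trustAllServerCertificates",
        "heartbeat": "connectionHeartbeatInterval",
    },
    "ActiveDirectoryApplicationModeADAM": {
        "mode": "sun-idrepo-ldapv3-config-connection-mode",
        "bind_dn": "sun-idrepo-ldapv3-config-authid",
        "servers": ("sun-idrepo-ldapv3-config-ldap-server",),
        "server_field": 0,    # "host name:port | server_ID | site_ID": host:port is first
        "trust_all": None,    # the id-repository schema has no such property
        "heartbeat": "openam-idrepo-ldapv3-heartbeat-interval",
    },
}


def _bad_host_port(entry: str, field: int) -> bool:
    """True when the selected pipe-separated field is not a valid host:port."""
    parts = [p.strip() for p in entry.split("|")]
    host, sep, port = parts[field].rpartition(":")
    return not (sep and host and port.isdigit() and 0 < int(port) < 65536)


def lint_body(entity: str, body: dict) -> list:
    """Return a list of findings (empty when the body passes every check)."""
    keys = ENTITY_KEYS[entity]
    findings = []

    # Connection mode: the schema warns that 'LDAP' transfers passwords in cleartext.
    mode = body.get(keys["mode"])
    if mode == "LDAP":
        findings.append(f"{keys['mode']}=LDAP: bind password crosses the network in cleartext")
    elif mode not in ("LDAPS", "StartTLS"):
        findings.append(f"{keys['mode']}: missing or unknown value {mode!r}")

    # Module only: trusting every server certificate bypasses verification.
    if keys["trust_all"] and body.get(keys["trust_all"]) is True:
        findings.append(f"{keys['trust_all']}=true bypasses server certificate verification")

    # Bind DN: the schema says cn=Directory Manager should not be used in production.
    bind_dn = str(body.get(keys["bind_dn"], ""))
    if bind_dn.strip().lower() == "cn=directory manager":
        findings.append(f"{keys['bind_dn']} is cn=Directory Manager; use a least-privilege account")

    # Server entries: every entry must carry a host:port in the documented position.
    for key in keys["servers"]:
        for entry in body.get(key, []):
            if _bad_host_port(entry, keys["server_field"]):
                findings.append(f"{key}: entry {entry!r} has no host:port")

    # Heartbeat: zero or negative disables the liveness requests entirely.
    hb = body.get(keys["heartbeat"])
    if isinstance(hb, int) and hb <= 0:
        findings.append(f"{keys['heartbeat']}={hb} disables heartbeat requests")
    return findings


def lint_body_json(entity: str, text: str) -> list:
    """Same check over the JSON text exactly as it would be passed to --body."""
    return lint_body(entity, json.loads(text))


# Constructed sample bodies (hostnames, DNs and the password are placeholders).
WEAK_MODULE_BODY = {
    "primaryLdapServer": ["ad.example.com"],          # port missing
    "userBindDN": "cn=Directory Manager",
    "userBindPassword": "changeit",
    "openam-auth-ldap-connection-mode": "LDAP",
    "trustAllServerCertificates": True,
    "connectionHeartbeatInterval": 0,
}
HARDENED_MODULE_BODY = {
    "primaryLdapServer": ["ad.example.com:636"],
    "secondaryLdapServer": ["openam1.example.com | ad2.example.com:636"],
    "userBindDN": "cn=am-bind,ou=service accounts,dc=example,dc=com",
    "userBindPassword": "REPLACE-ME",
    "openam-auth-ldap-connection-mode": "LDAPS",
    "trustAllServerCertificates": False,
    "connectionHeartbeatInterval": 10,
}
ADAM_BODY = {
    "sun-idrepo-ldapv3-config-ldap-server": ["adam.example.com:389 | openam1.example.com | site1"],
    "sun-idrepo-ldapv3-config-authid": "cn=am-bind,ou=service accounts,dc=example,dc=com",
    "sun-idrepo-ldapv3-config-connection-mode": "StartTLS",
    "openam-idrepo-ldapv3-heartbeat-interval": 10,
}

if __name__ == "__main__":
    for name, entity, body in (("weak module", "ActiveDirectoryModule", WEAK_MODULE_BODY),
                               ("hardened module", "ActiveDirectoryModule", HARDENED_MODULE_BODY),
                               ("ADAM id-repo", "ActiveDirectoryApplicationModeADAM", ADAM_BODY)):
        print(name, "->", lint_body(entity, body) or "OK")
```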

1.3.1.2. delete

Usage:

am> delete ActiveDirectoryModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.3.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action ActiveDirectoryModule --realm Realm --actionName getAllTypes

1.3.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action ActiveDirectoryModule --realm Realm --actionName getCreatableTypes

1.3.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action ActiveDirectoryModule --realm Realm --actionName nextdescendents

1.3.1.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query ActiveDirectoryModule --realm Realm --filter filter

Parameters:

--filter

A CREST-formatted query filter, where "true" queries all instances.

1.3.1.7. read

Usage:

am> read ActiveDirectoryModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.3.1.8. update

Usage:

am> update ActiveDirectoryModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "userBindPassword" : {
      "title" : "Bind User Password",
      "description" : "The password of the administration account.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "userSearchFilter" : {
      "title" : "User Search Filter",
      "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code> would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "profileAttributeMappings" : {
      "title" : "User Creation Attributes",
      "description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
      "propertyOrder" : 1300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "openam-auth-ldap-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "Bind User DN",
      "description" : "The DN of an admin user used by the module to authenticate to the LDAP server.<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "returnUserDN" : {
      "title" : "Return User DN to DataStore",
      "description" : "Controls whether the DN or the username is returned as the authentication principal.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "operationTimeout" : {
      "title" : "LDAP operations timeout",
      "description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "secondaryLdapServer" : {
      "title" : "Secondary Active Directory Server",
      "description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 200,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
      "propertyOrder" : 1800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "userSearchStartDN" : {
      "title" : "DN to Start User Search",
      "description" : "The search for accounts to be authenticated starts from this base DN.<br><br>For a single server, just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search. The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "trustAllServerCertificates" : {
      "title" : "Trust All Server Certificates",
      "description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userSearchAttributes" : {
      "title" : "Attributes Used to Search for a User to be Authenticated",
      "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
      "propertyOrder" : 700,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "userProfileRetrievalAttribute" : {
      "title" : "Attribute Used to Retrieve User Profile",
      "description" : "The LDAP module will use this attribute to search for the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "primaryLdapServer" : {
      "title" : "Primary Active Directory Server ",
      "description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "connectionHeartbeatInterval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. A zero or negative value disables heartbeat requests.",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "connectionHeartbeatTimeUnit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "searchScope" : {
      "title" : "Search Scope",
      "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}
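
The body passed to `update ActiveDirectoryModule` (and to `create`) is where the module's security posture is decided: the connection mode, whether certificates are verified, which account binds, and how servers are listed. The following pre-flight review is an added example, not Amster or AM code. It checks a body against the constraints the schema descriptions above spell out before the JSON is handed to `--body`. The property names are those of the schema; the two sample bodies are constructed for illustration, and the regular expression for server entries is this example's own reading of the `server:port` and `local server name | server:port` forms.

```python
"""Pre-flight review of an ActiveDirectoryModule body.

Added example, not Amster or AM code. It checks a JSON body intended for
`am> update ActiveDirectoryModule --realm Realm --id id --body body` against the
security-relevant constraints the schema descriptions spell out: connection
mode, certificate trust, the bind account, server-entry format and timeouts.
Property names are those of the schema; the sample bodies are constructed.
"""
import re

# `server:port` or `local server name | server:port`, the two forms the
# primaryLdapServer / secondaryLdapServer descriptions allow (assumed regex).
_SERVER_ENTRY = re.compile(r"^(?:[^|]+\|)?\s*[A-Za-z0-9.\-]+:\d{1,5}\s*$")
_SECURE_MODES = {"LDAPS", "StartTLS"}


def review_ad_module(body: dict) -> list:
    """Return a list of findings; an empty list means the body passed."""
    findings = []

    mode = body.get("openam-auth-ldap-connection-mode")
    if mode not in _SECURE_MODES:
        findings.append(
            f"openam-auth-ldap-connection-mode={mode!r}: plain LDAP sends the "
            "bind password and user credentials in cleartext; use LDAPS or StartTLS")

    if body.get("trustAllServerCertificates") is True:
        findings.append("trustAllServerCertificates=true bypasses certificate "
                        "verification, so LDAPS/StartTLS no longer stops a "
                        "man-in-the-middle")

    if body.get("userBindDN", "").strip().lower() == "cn=directory manager":
        findings.append("userBindDN is cn=Directory Manager; bind with a "
                        "dedicated least-privilege service account instead")

    for key in ("primaryLdapServer", "secondaryLdapServer"):
        for entry in body.get(key, []):
            if not _SERVER_ENTRY.match(entry):
                findings.append(f"{key} entry {entry!r} is not 'server:port' "
                                "or 'local server name | server:port'")

    filt = body.get("userSearchFilter", "")
    if filt and not (filt.startswith("(") and filt.endswith(")")):
        findings.append(f"userSearchFilter {filt!r} is not a parenthesised LDAP "
                        "filter, so it cannot be ANDed with the standard filter")

    if body.get("operationTimeout", 0) == 0:
        findings.append("operationTimeout=0 leaves a hung AD connection to the "
                        "OS/JVM timeouts; set an explicit limit in seconds")

    return findings


# Constructed sample bodies (not from the page): a weak configuration and its
# hardened counterpart. Every key is a property of the schema above; the
# password is a placeholder and would come from a secret store in practice.
WEAK_BODY = {
    "primaryLdapServer": ["ad1.example.com:389"],
    "secondaryLdapServer": ["ad2.example.com"],          # port missing
    "userSearchStartDN": ["dc=example,dc=com"],
    "userBindDN": "cn=Directory Manager",
    "userBindPassword": "changeit",
    "userProfileRetrievalAttribute": "sAMAccountName",
    "userSearchAttributes": ["sAMAccountName"],
    "userSearchFilter": "(objectClass=person)",
    "searchScope": "SUBTREE",
    "openam-auth-ldap-connection-mode": "LDAP",          # cleartext
    "returnUserDN": True,
    "profileAttributeMappings": [],
    "trustAllServerCertificates": True,                  # no cert verification
    "connectionHeartbeatInterval": 10,
    "connectionHeartbeatTimeUnit": "SECONDS",
    "operationTimeout": 0,
    "authenticationLevel": 0,
}

HARDENED_BODY = {
    **WEAK_BODY,
    "primaryLdapServer": ["ad1.example.com:636"],
    "secondaryLdapServer": ["openam.example.com:8080 | ad2.example.com:636"],
    "userBindDN": "cn=am-bind,ou=Service Accounts,dc=example,dc=com",
    "openam-auth-ldap-connection-mode": "LDAPS",
    "trustAllServerCertificates": False,
    "operationTimeout": 30,
}

if __name__ == "__main__":
    for name, body in (("weak", WEAK_BODY), ("hardened", HARDENED_BODY)):
        print(name, review_ad_module(body) or "OK")
```

Run the review against the JSON you are about to pass as `--body`; the weak body above produces five findings, the hardened one none. Note that `trustAllServerCertificates` is the setting most often left on after a proof of concept: with it set, the `LDAPS` or `StartTLS` mode still encrypts the session but no longer authenticates the directory server.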

1.3.2. Global Operations

Resource path: /global-config/authentication/modules/activedirectory

Resource version: 1.0

1.3.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action ActiveDirectoryModule --global --actionName getAllTypes

1.3.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action ActiveDirectoryModule --global --actionName getCreatableTypes

1.3.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action ActiveDirectoryModule --global --actionName nextdescendents

1.3.2.4. read

Usage:

am> read ActiveDirectoryModule --global

1.3.2.5. update

Usage:

am> update ActiveDirectoryModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "operationTimeout" : {
          "title" : "LDAP operations timeout",
          "description" : "Defines the timeout in seconds OpenAM should wait for a response of the Directory Server - <code>0</code> means no timeout.<br><br>If the Directory Server's host is down completely or the TCP connection became stale OpenAM waits until operation timeouts from the OS or the JVM are applied. However this setting allows more granular control within OpenAM itself. A value of <code>0</code> means NO timeout is applied on OpenAM level and the timeouts from the JVM or OS will apply.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "userSearchStartDN" : {
          "title" : "DN to Start User Search",
          "description" : "The search for accounts to be authenticated starts from this base DN.<br><br>For a single server, just enter the Base DN to be searched. Multiple OpenAM servers can have different base DNs for the search. The format is as follows:<br/><br/><code>local server name | search DN</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 300,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "openam-auth-ldap-connection-mode" : {
          "title" : "LDAP Connection Mode",
          "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "connectionHeartbeatTimeUnit" : {
          "title" : "LDAP Connection Heartbeat Time Unit",
          "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "searchScope" : {
          "title" : "Search Scope",
          "description" : "The level in the Directory Server that will be searched for a matching user profile.<br><br>This attribute controls how the directory is searched.<br/><br/><ul><li><code>OBJECT</code>: Only the Base DN is searched.</li><li><code>ONELEVEL</code>: Only the single level below (and not the Base DN) is searched</li><li><code>SUBTREE</code>: The Base DN and all levels below are searched</li></ul>",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "connectionHeartbeatInterval" : {
          "title" : "LDAP Connection Heartbeat Interval",
          "description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>Use this option in case a firewall/loadbalancer can close idle connections, since the heartbeat requests will ensure that the connections won't become idle. Use along with the Heartbeat Time Unit parameter to define the correct interval. A zero or negative value disables heartbeat requests.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "userProfileRetrievalAttribute" : {
          "title" : "Attribute Used to Retrieve User Profile",
          "description" : "The LDAP module will use this attribute to search for the profile of an authenticated user.<br><br>This is the attribute used to find the profile of the authenticated user. Normally this will be the same attribute used to find the user account. The value will be the name of the user used for authentication.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "primaryLdapServer" : {
          "title" : "Primary Active Directory Server ",
          "description" : "Use this list to set the primary Active Directory server used for authentication. <br><br>The Active Directory authentication module will use this list as the primary server for authentication. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "trustAllServerCertificates" : {
          "title" : "Trust All Server Certificates",
          "description" : "Enables a <code>X509TrustManager</code> that trusts all certificates.<br><br>This feature will allow the LDAP authentication module to connect to LDAP servers protected by self signed or invalid certificates (such as invalid hostname).<br/><br/><i>NB </i>Use this feature with care as it bypasses the normal certificate verification process",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "returnUserDN" : {
          "title" : "Return User DN to DataStore",
          "description" : "Controls whether the DN or the username is returned as the authentication principal.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "userSearchFilter" : {
          "title" : "User Search Filter",
          "description" : "This search filter will be appended to the standard user search filter.<br><br>This attribute can be used to append a custom search filter to the standard filter. For example: <code>(objectClass=person)</code> would result in the following user search filter:<br/><br/><code>(&(uid=<i>user</i>)(objectClass=person))</code>",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "secondaryLdapServer" : {
          "title" : "Secondary Active Directory Server",
          "description" : "Use this list to set the secondary (failover) Active Directory server used for authentication.<br><br>If the primary Active Directory server fails, the Active Directory authentication module will failover to the secondary server. A single entry must be in the format:<br/><br/><code>server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and an Active Directory server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/><i>NB </i>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 200,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default). ",
          "propertyOrder" : 1800,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "userBindPassword" : {
          "title" : "Bind User Password",
          "description" : "The password of the administration account.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "profileAttributeMappings" : {
          "title" : "User Creation Attributes",
          "description" : "Controls the mapping of local attribute to external attribute for dynamic profile creation.<br><br>If dynamic profile creation is enabled; this feature allows for a mapping between the attribute/values retrieved from the users authenticated profile and the attribute/values that will be provisioned into their matching account in the data store.<br/><br/>The format of this property is: <br/><br/><code> local attr1|external attr1</code>",
          "propertyOrder" : 1300,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "userBindDN" : {
          "title" : "Bind User DN",
          "description" : "The DN of an admin user used by the module to authenticate to the LDAP server.<br><br>The LDAP module requires an administration account in order to perform functionality such as password reset.<br/><br/><i>NB </i><code>cn=Directory Manager</code> should not be used in production systems.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userSearchAttributes" : {
          "title" : "Attributes Used to Search for a User to be Authenticated",
          "description" : "The attributes specified in this list form the LDAP search filter.<br><br>The default value of uid will form the following search filter of <code>uid=<i>user</i></code>, if there are multiple values such as uid and cn, the module will create a search filter as follows <code>(|(uid=<i>user</i>)(cn=<i>user</i>))</code>",
          "propertyOrder" : 700,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.4. AdaptiveRiskModule

1.4.1. Realm Operations

Resource path: /realm-config/authentication/modules/adaptiverisk

Resource version: 1.0
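
The create schema below describes each Adaptive Risk check with the same three knobs: an enable flag, a Score added when the check fails, and an Invert Result flag that makes a passed check add the score instead. The IP Range check is the one whose input format is fully specified (single address, CIDR, and net-block with dotted netmask in `ipRange`). The following is an added example, not AM code, that implements that parsing and the shared scoring rule so the interaction of the three knobs can be tried out. It is IPv4 only, matching the schema's examples; the property name of the IP Range check's Score is not in this excerpt, so the score is passed as a parameter, and the sample configuration is constructed.

```python
"""IP Range check of the Adaptive Risk module, with Score / Invert Result.

Added example, not AM code. It implements the `ipRange` entry formats listed
in the schema (single address, CIDR, net-block with netmask) and the score
semantics every check shares: a failed check adds its Score to the total, and
Invert Result makes a passed check add it instead. IPv4 only, as the schema's
examples are IPv4; the sample configuration is constructed.
"""
import ipaddress


def parse_ip_range(entry: str) -> ipaddress.IPv4Network:
    """Parse one ipRange entry: '172.16.90.1', '172.16.90.0/24' or
    '172.16.90.0:255.255.255.0'."""
    entry = entry.strip()
    if ":" in entry:                                   # address:netmask form
        addr, mask = entry.split(":", 1)
        return ipaddress.IPv4Network((addr, mask), strict=False)
    return ipaddress.IPv4Network(entry, strict=False)  # single host (/32) or CIDR


def ip_range_check(client_ip: str, ip_ranges) -> bool:
    """The check passes when the client IP falls inside any configured range."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in parse_ip_range(entry) for entry in ip_ranges)


def apply_score(check_passed: bool, score: int, invert: bool) -> int:
    """Score is added on failure; with Invert Result it is added on success."""
    return score if check_passed == invert else 0


def ip_range_score(client_ip: str, config: dict, score: int) -> int:
    """Contribution of the IP Range check to the request's risk total.

    `score` stands in for the check's Score setting, whose property name is
    not in the excerpt; the other keys are schema property names."""
    if not config.get("ipRangeCheckEnabled", False):
        return 0
    passed = ip_range_check(client_ip, config.get("ipRange", []))
    return apply_score(passed, score, config.get("invertIPRangeScoreEnabled", False))


# Constructed configuration: trusted office and VPN ranges, one per format.
TRUSTED_RANGES = {
    "ipRangeCheckEnabled": True,
    "ipRange": ["172.16.90.1", "172.16.90.0/24", "10.8.0.0:255.255.0.0"],
    "invertIPRangeScoreEnabled": False,
}
# Same ranges with Invert Result: a request *from* these ranges raises the score.
BLOCKED_RANGES = {**TRUSTED_RANGES, "invertIPRangeScoreEnabled": True}

if __name__ == "__main__":
    for ip in ("172.16.90.77", "10.8.200.3", "192.0.2.1"):
        print(ip, "trusted:", ip_range_score(ip, TRUSTED_RANGES, 5),
              "blocked:", ip_range_score(ip, BLOCKED_RANGES, 5))
```

With the trusted configuration a client outside all three ranges adds the score, and one inside adds nothing; flipping `invertIPRangeScoreEnabled` turns the same list into a deny list. The check is only as trustworthy as the client IP AM sees, so behind a proxy or load balancer confirm which address reaches the module before relying on it.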

1.4.1.1. create

Usage:

am> create AdaptiveRiskModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "invertRequestHeaderScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 4700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "knownCookieScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "ipHistoryProfileAttribute" : {
      "title" : "Profile Attribute Name",
      "description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "ipHistoryCheckEnabled" : {
      "title" : "IP History Check",
      "description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "timeSinceLastLoginScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 2600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "ipHistoryScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "invertProfileRiskAttributeScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 3200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "knownCookieName" : {
      "title" : "Cookie Name",
      "description" : "The name of the cookie to set on the client.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "profileRiskAttributeName" : {
      "title" : "Attribute Name",
      "description" : "The name of the attribute to retrieve from the user profile in the data store.",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "timeSinceLastLoginCheckEnabled" : {
      "title" : "Time since Last login Check",
      "description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.",
      "propertyOrder" : 2200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "deviceCookieName" : {
      "title" : "Cookie Name",
      "description" : "The name of the cookie to be checked for (and optionally set) on the client request",
      "propertyOrder" : 3400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "requestHeaderScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 4600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "geolocationScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 4100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "invertKnownCookieScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "profileRiskAttributeCheckEnabled" : {
      "title" : "Profile Risk Attribute check",
      "description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.",
      "propertyOrder" : 2800,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertDeviceCookieScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 3700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "saveLastLoginTimeOnSuccessfulLogin" : {
      "title" : "Save time of Successful Login",
      "description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time",
      "propertyOrder" : 2500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "geolocationDatabaseLocation" : {
      "title" : "Geolocation Database location",
      "description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
      "propertyOrder" : 3900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "geolocationCheckEnabled" : {
      "title" : "Geolocation Country Code Check",
      "description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
      "propertyOrder" : 3800,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "maxTimeSinceLastLogin" : {
      "title" : "Max Time since Last login",
      "description" : "The maximum number of days that may elapse since the last successful login before this check fails.",
      "propertyOrder" : 2400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "failedAuthenticationCheckEnabled" : {
      "title" : "Failed Authentication Check",
      "description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ipRangeCheckEnabled" : {
      "title" : "IP Range Check",
      "description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "saveSuccessfulIP" : {
      "title" : "Save Successful IP Address",
      "description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertIPRangeScoreEnabled" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertIPHistoryScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ipRange" : {
      "title" : "IP Range",
      "description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>",
      "propertyOrder" : 700,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "timeSinceLastLoginCookieName" : {
      "title" : "Cookie Name",
      "description" : "The name of the cookie used to store the time of the last successful authentication.",
      "propertyOrder" : 2300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "knownCookieCheckEnabled" : {
      "title" : "Cookie Value Check",
      "description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass. ",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertTimeSinceLastLoginScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 2700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertGeolocationScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 4200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "saveDeviceCookieValueOnSuccessfulLogin" : {
      "title" : "Save Device Registration on Successful Login",
      "description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response",
      "propertyOrder" : 3500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "deviceCookieCheckEnabled" : {
      "title" : "Device Registration Cookie Check",
      "description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.",
      "propertyOrder" : 3300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "requestHeaderValue" : {
      "title" : "Request Header Value",
      "description" : "The required value of the named HTTP header.",
      "propertyOrder" : 4500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "requestHeaderName" : {
      "title" : "Request Header Name",
      "description" : "The name of the required HTTP header ",
      "propertyOrder" : 4400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "deviceCookieScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 3600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "failureScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "riskThreshold" : {
      "title" : "Risk Threshold",
      "description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not passes then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>, if the score is lesser than said threshold the module will be successful. ",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "profileRiskAttributeScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "createKnownCookieOnSuccessfulLogin" : {
      "title" : "Save Cookie Value on Successful Login",
      "description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response",
      "propertyOrder" : 1900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "knownCookieValue" : {
      "title" : "Cookie Value",
      "description" : "The value to be set on the cookie.",
      "propertyOrder" : 1800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "requestHeaderCheckEnabled" : {
      "title" : "Request Header Check",
      "description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.",
      "propertyOrder" : 4300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ipHistoryCount" : {
      "title" : "History size",
      "description" : "The number of client IP addresses to save in the history list.",
      "propertyOrder" : 1100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "geolocationValidCountryCodes" : {
      "title" : "Valid Country Codes",
      "description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>",
      "propertyOrder" : 4000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "ipRangeScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "profileRiskAttributeValue" : {
      "title" : "Attribute Value",
      "description" : "The required value of the named attribute.",
      "propertyOrder" : 3000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "invertFailureScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}

1.4.1.2. delete

Usage:

am> delete AdaptiveRiskModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.4.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AdaptiveRiskModule --realm Realm --actionName getAllTypes

1.4.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AdaptiveRiskModule --realm Realm --actionName getCreatableTypes

1.4.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AdaptiveRiskModule --realm Realm --actionName nextdescendents

1.4.1.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query AdaptiveRiskModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.4.1.7. read

Usage:

am> read AdaptiveRiskModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.4.1.8. update

Usage:

am> update AdaptiveRiskModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "invertRequestHeaderScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 4700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "knownCookieScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "ipHistoryProfileAttribute" : {
      "title" : "Profile Attribute Name",
      "description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "ipHistoryCheckEnabled" : {
      "title" : "IP History Check",
      "description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "timeSinceLastLoginScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 2600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "ipHistoryScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "invertProfileRiskAttributeScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 3200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "knownCookieName" : {
      "title" : "Cookie Name",
      "description" : "The name of the cookie to set on the client.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "profileRiskAttributeName" : {
      "title" : "Attribute Name",
      "description" : "The name of the attribute to retrieve from the user profile in the data store.",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "timeSinceLastLoginCheckEnabled" : {
      "title" : "Time since Last login Check",
      "description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.",
      "propertyOrder" : 2200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "deviceCookieName" : {
      "title" : "Cookie Name",
      "description" : "The name of the cookie to be checked for (and optionally set) on the client request",
      "propertyOrder" : 3400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "requestHeaderScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 4600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "geolocationScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 4100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "invertKnownCookieScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "profileRiskAttributeCheckEnabled" : {
      "title" : "Profile Risk Attribute check",
      "description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.",
      "propertyOrder" : 2800,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertDeviceCookieScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 3700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "saveLastLoginTimeOnSuccessfulLogin" : {
      "title" : "Save time of Successful Login",
      "description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time",
      "propertyOrder" : 2500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "geolocationDatabaseLocation" : {
      "title" : "Geolocation Database location",
      "description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
      "propertyOrder" : 3900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "geolocationCheckEnabled" : {
      "title" : "Geolocation Country Code Check",
      "description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
      "propertyOrder" : 3800,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "maxTimeSinceLastLogin" : {
      "title" : "Max Time since Last login",
      "description" : "The maximum number of days that can elapse before this test.",
      "propertyOrder" : 2400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "failedAuthenticationCheckEnabled" : {
      "title" : "Failed Authentication Check",
      "description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ipRangeCheckEnabled" : {
      "title" : "IP Range Check",
      "description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "saveSuccessfulIP" : {
      "title" : "Save Successful IP Address",
      "description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertIPRangeScoreEnabled" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertIPHistoryScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ipRange" : {
      "title" : "IP Range",
      "description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>",
      "propertyOrder" : 700,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "timeSinceLastLoginCookieName" : {
      "title" : "Cookie Name",
      "description" : "The name of the cookie used to store the time of the last successful authentication.",
      "propertyOrder" : 2300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "knownCookieCheckEnabled" : {
      "title" : "Cookie Value Check",
      "description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass. ",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertTimeSinceLastLoginScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 2700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "invertGeolocationScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 4200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "saveDeviceCookieValueOnSuccessfulLogin" : {
      "title" : "Save Device Registration on Successful Login",
      "description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response",
      "propertyOrder" : 3500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "deviceCookieCheckEnabled" : {
      "title" : "Device Registration Cookie Check",
      "description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.",
      "propertyOrder" : 3300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "requestHeaderValue" : {
      "title" : "Request Header Value",
      "description" : "The required value of the named HTTP header.",
      "propertyOrder" : 4500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "requestHeaderName" : {
      "title" : "Request Header Name",
      "description" : "The name of the required HTTP header ",
      "propertyOrder" : 4400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "deviceCookieScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 3600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "failureScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "riskThreshold" : {
      "title" : "Risk Threshold",
      "description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not passes then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>, if the score is lesser than said threshold the module will be successful. ",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "profileRiskAttributeScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "createKnownCookieOnSuccessfulLogin" : {
      "title" : "Save Cookie Value on Successful Login",
      "description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response",
      "propertyOrder" : 1900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "knownCookieValue" : {
      "title" : "Cookie Value",
      "description" : "The value to be set on the cookie.",
      "propertyOrder" : 1800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "requestHeaderCheckEnabled" : {
      "title" : "Request Header Check",
      "description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.",
      "propertyOrder" : 4300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ipHistoryCount" : {
      "title" : "History size",
      "description" : "The number of client IP addresses to save in the history list.",
      "propertyOrder" : 1100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "geolocationValidCountryCodes" : {
      "title" : "Valid Country Codes",
      "description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>",
      "propertyOrder" : 4000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "ipRangeScore" : {
      "title" : "Score",
      "description" : "The amount to increment the score if this check fails.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "profileRiskAttributeValue" : {
      "title" : "Attribute Value",
      "description" : "The required value of the named attribute.",
      "propertyOrder" : 3000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "invertFailureScore" : {
      "title" : "Invert Result",
      "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}
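The schema above describes the module's scoring rule (each failing check adds its Score to a running total, Invert Result flips which outcome counts, and the module succeeds only when the total is strictly below Risk Threshold) and the three accepted ipRange formats. The following Python model is an added illustration, not part of the Amster reference or of AM's code: it reproduces that rule for the request-based checks (IP Range, Cookie Value, Device Registration Cookie, Request Header) using the schema's own property names, over a constructed configuration and constructed client requests. It assumes IPv4 addresses, as in the schema's examples.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


# Assumption: IPv4 only, matching the schema's examples. An IPv6 literal
# contains ':' and would be misread here as the address:netmask form.
def parse_ip_range(entry: str) -> ipaddress.IPv4Network:
    """Parse one ipRange entry: single address, CIDR, or address:netmask."""
    if ":" in entry:                      # e.g. 172.16.90.0:255.255.255.0
        base, mask = entry.split(":", 1)
        return ipaddress.IPv4Network((base, mask), strict=False)
    # IPv4Network accepts both 172.16.90.1 (treated as /32) and 172.16.90.0/24
    return ipaddress.IPv4Network(entry, strict=False)


def ip_in_range(client_ip: str, ip_range: List[str]) -> bool:
    """IP Range check: passes if the client IP falls inside any listed block."""
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in parse_ip_range(entry) for entry in ip_range)


@dataclass
class Check:
    name: str
    enabled: bool          # the *CheckEnabled property
    passed: bool           # outcome of running the check against the request
    score: int             # the Score property
    invert: bool = False   # the Invert Result property


def check_contribution(check: Check) -> int:
    """Score one check adds to the total: on failure normally, on success
    when inverted, and never when the check is disabled."""
    if not check.enabled:
        return 0
    counts = check.passed if check.invert else not check.passed
    return check.score if counts else 0


def evaluate(checks: List[Check], risk_threshold: int) -> Tuple[int, bool]:
    """Sum the contributions; the module succeeds only if total < threshold.
    The comparison is strict: a total equal to the threshold is a failure."""
    total = sum(check_contribution(c) for c in checks)
    return total, total < risk_threshold


def run_module(config: Dict, request: Dict) -> Tuple[int, bool]:
    """Model the request-based checks. 'config' is shaped like the module's
    JSON body; 'request' is a constructed stand-in for the client request."""
    cookies = request.get("cookies", {})
    headers = request.get("headers", {})
    checks = [
        Check("IP Range", config["ipRangeCheckEnabled"],
              ip_in_range(request["clientIp"], config["ipRange"]),
              config["ipRangeScore"], config["invertIPRangeScoreEnabled"]),
        Check("Cookie Value", config["knownCookieCheckEnabled"],
              cookies.get(config["knownCookieName"]) == config["knownCookieValue"],
              config["knownCookieScore"], config["invertKnownCookieScore"]),
        Check("Device Registration Cookie", config["deviceCookieCheckEnabled"],
              config["deviceCookieName"] in cookies,
              config["deviceCookieScore"], config["invertDeviceCookieScore"]),
        Check("Request Header", config["requestHeaderCheckEnabled"],
              headers.get(config["requestHeaderName"]) == config["requestHeaderValue"],
              config["requestHeaderScore"], config["invertRequestHeaderScore"]),
    ]
    return evaluate(checks, config["riskThreshold"])


# Constructed sample configuration (illustrative values, not AM defaults).
SAMPLE_CONFIG = {
    "riskThreshold": 10,
    "ipRangeCheckEnabled": True, "ipRangeScore": 5,
    "invertIPRangeScoreEnabled": False,
    "ipRange": ["172.16.90.1", "10.0.0.0/8", "192.168.1.0:255.255.255.0"],
    "knownCookieCheckEnabled": True, "knownCookieScore": 4,
    "invertKnownCookieScore": False,
    "knownCookieName": "amKnown", "knownCookieValue": "trusted",
    "deviceCookieCheckEnabled": True, "deviceCookieScore": 3,
    "invertDeviceCookieScore": False, "deviceCookieName": "amDevice",
    "requestHeaderCheckEnabled": False, "requestHeaderScore": 2,
    "invertRequestHeaderScore": False,
    "requestHeaderName": "X-Managed-Client", "requestHeaderValue": "yes",
}

# Constructed sample client requests.
TRUSTED_REQUEST = {"clientIp": "10.20.30.40",
                   "cookies": {"amKnown": "trusted", "amDevice": "d1"}}
UNKNOWN_REQUEST = {"clientIp": "203.0.113.7", "cookies": {}}
PARTIAL_REQUEST = {"clientIp": "192.168.1.77", "cookies": {"amDevice": "d2"}}

if __name__ == "__main__":
    for label, req in [("trusted", TRUSTED_REQUEST),
                       ("unknown", UNKNOWN_REQUEST), ("partial", PARTIAL_REQUEST)]:
        total, ok = run_module(SAMPLE_CONFIG, req)
        print(f"{label}: score={total} success={ok}")
```

The unknown request fails all three enabled checks (5 + 4 + 3 = 12, not below the threshold of 10), while the partial request only misses the known cookie (4) and passes.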

1.4.2. Global Operations

Resource path: /global-config/authentication/modules/adaptiverisk

Resource version: 1.0

1.4.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AdaptiveRiskModule --global --actionName getAllTypes

1.4.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AdaptiveRiskModule --global --actionName getCreatableTypes

1.4.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AdaptiveRiskModule --global --actionName nextdescendents

1.4.2.4. read

Usage:

am> read AdaptiveRiskModule --global

1.4.2.5. update

Usage:

am> update AdaptiveRiskModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "attributecheck" : {
          "type" : "object",
          "title" : "Profile Attribute",
          "propertyOrder" : 7,
          "properties" : {
            "profileRiskAttributeName" : {
              "title" : "Attribute Name",
              "description" : "The name of the attribute to retrieve from the user profile in the data store.",
              "propertyOrder" : 2900,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "profileRiskAttributeValue" : {
              "title" : "Attribute Value",
              "description" : "The required value of the named attribute.",
              "propertyOrder" : 3000,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "invertProfileRiskAttributeScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 3200,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "profileRiskAttributeCheckEnabled" : {
              "title" : "Profile Risk Attribute check",
              "description" : "Enables the checking of the user profile for a matching attribute and value.<br><br>If this check is enabled, the check will pass if the users profile contains the required risk attribute and value.",
              "propertyOrder" : 2800,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "profileRiskAttributeScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 3100,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            }
          }
        },
        "iprange" : {
          "type" : "object",
          "title" : "IP Address Range",
          "propertyOrder" : 2,
          "properties" : {
            "ipRangeCheckEnabled" : {
              "title" : "IP Range Check",
              "description" : "Enables the checking of the client IP address against a list of IP addresses.<br><br>The IP range check compares the IP of the client against a list of IP addresses, if the client IP is found within said list the check is successful.",
              "propertyOrder" : 600,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "ipRangeScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 800,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "ipRange" : {
              "title" : "IP Range",
              "description" : "The list of IP address to compare against the client IP address.<br><br>The format of the IP address is as follows:<br/><br/><ul><li>Single IP address: <code>172.16.90.1</code></li><li>CIDR notation: <code>172.16.90.0/24</code></li><li>IP net-block with netmask: <code>172.16.90.0:255.255.255.0</code></li></ul>",
              "propertyOrder" : 700,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "invertIPRangeScoreEnabled" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 900,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "devicecookie" : {
          "type" : "object",
          "title" : "Device Cookie",
          "propertyOrder" : 5,
          "properties" : {
            "deviceCookieScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 3600,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "saveDeviceCookieValueOnSuccessfulLogin" : {
              "title" : "Save Device Registration on Successful Login",
              "description" : "Set the device cookie on the client response<br><br>The Adaptive Risk Post Authentication Plug-in will set the device cookie on the client response",
              "propertyOrder" : 3500,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "deviceCookieName" : {
              "title" : "Cookie Name",
              "description" : "The name of the cookie to be checked for (and optionally set) on the client request",
              "propertyOrder" : 3400,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "invertDeviceCookieScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 3700,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "deviceCookieCheckEnabled" : {
              "title" : "Device Registration Cookie Check",
              "description" : "Enables the checking of the client request for a known cookie.<br><br>If this check is enabled, the check will pass if the client request contains the named cookie.",
              "propertyOrder" : 3300,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "lastlogin" : {
          "type" : "object",
          "title" : "Time Since Last Login",
          "propertyOrder" : 6,
          "properties" : {
            "timeSinceLastLoginCookieName" : {
              "title" : "Cookie Name",
              "description" : "The name of the cookie used to store the time of the last successful authentication.",
              "propertyOrder" : 2300,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "timeSinceLastLoginScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 2600,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "timeSinceLastLoginCheckEnabled" : {
              "title" : "Time since Last login Check",
              "description" : "Enables the checking of the last time the user successfully authenticated.<br><br>If this check is enabled, the check ensures the user has successfully authenticated within a given interval. If the interval has been exceeded the check will fail. The last authentication for the user is stored in a client cookie.",
              "propertyOrder" : 2200,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "invertTimeSinceLastLoginScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 2700,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "maxTimeSinceLastLogin" : {
              "title" : "Max Time since Last login",
              "description" : "The maximum number of days that can elapse before this test.",
              "propertyOrder" : 2400,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "saveLastLoginTimeOnSuccessfulLogin" : {
              "title" : "Save time of Successful Login",
              "description" : "The last login time will be saved in a client cookie<br><br>The Adaptive Risk Post Authentication Plug-in will update the last login time",
              "propertyOrder" : 2500,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "geolocation" : {
          "type" : "object",
          "title" : "Geo Location",
          "propertyOrder" : 8,
          "properties" : {
            "geolocationValidCountryCodes" : {
              "title" : "Valid Country Codes",
              "description" : "The list of country codes that are considered as valid locations for client IPs.<br><br>The list is made up of country codes separated by a | character; for example:<br/><br/><code>gb|us|no|fr</code>",
              "propertyOrder" : 4000,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "geolocationCheckEnabled" : {
              "title" : "Geolocation Country Code Check",
              "description" : "Enables the checking of the client IP address against the geolocation database.<br><br>The geolocation database associates IP addresses against their known location. This check passes if the country associated with the client IP address is matched against the list of valid country codes.<br/><br/>The geolocation database is available in binary format at <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
              "propertyOrder" : 3800,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "invertGeolocationScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 4200,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "geolocationScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 4100,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "geolocationDatabaseLocation" : {
              "title" : "Geolocation Database location",
              "description" : "The path to the location of the GEO location database.<br><br>The Geolocation database is not distributed with OpenAM, you can get it in binary format from <a href=\"http://www.maxmind.com/app/country\" target=\"_blank\">MaxMind</a>.",
              "propertyOrder" : 3900,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "iphistory" : {
          "type" : "object",
          "title" : "IP Address History",
          "propertyOrder" : 3,
          "properties" : {
            "ipHistoryCheckEnabled" : {
              "title" : "IP History Check",
              "description" : "Enables the checking of client IP address against a list of past IP addresses.<br><br>If this check is enabled; a set number of past IP addresses used by the client to access OpenAM is recorded in the user profile. This check passes if the current client IP address is present in the history list. If the IP address is not present, the check fails and the IP address is added to list if the overall authentication is successful (causing the oldest IP address to be removed).",
              "propertyOrder" : 1000,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "invertIPHistoryScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 1500,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "ipHistoryScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 1400,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "ipHistoryProfileAttribute" : {
              "title" : "Profile Attribute Name",
              "description" : "The name of the attribute used to store the IP history list in the data store.<br><br>IP history list is stored in the Data Store meaning your Data Store should be able to store values under the configured attribute name. If you're using a directory server as backend, make sure your Data Store configuration contains the necessary objectclass and attribute related settings.",
              "propertyOrder" : 1200,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "ipHistoryCount" : {
              "title" : "History size",
              "description" : "The number of client IP addresses to save in the history list.",
              "propertyOrder" : 1100,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "saveSuccessfulIP" : {
              "title" : "Save Successful IP Address",
              "description" : "The IP History list will be updated in the data store<br><br>The Adaptive Risk Post Authentication Plug-in will update the IP history list if the overall authentication is successful.",
              "propertyOrder" : 1300,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "requestheader" : {
          "type" : "object",
          "title" : "Request Header",
          "propertyOrder" : 9,
          "properties" : {
            "requestHeaderValue" : {
              "title" : "Request Header Value",
              "description" : "The required value of the named HTTP header.",
              "propertyOrder" : 4500,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "requestHeaderCheckEnabled" : {
              "title" : "Request Header Check",
              "description" : "Enables the checking of the client request for a known header name and value.<br><br>The request header check will pass if the client request contains the required named header and value.",
              "propertyOrder" : 4300,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "requestHeaderName" : {
              "title" : "Request Header Name",
              "description" : "The name of the required HTTP header.",
              "propertyOrder" : 4400,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "invertRequestHeaderScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 4700,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "requestHeaderScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 4600,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            }
          }
        },
        "authfailed" : {
          "type" : "object",
          "title" : "Failed Authentications",
          "propertyOrder" : 1,
          "properties" : {
            "failedAuthenticationCheckEnabled" : {
              "title" : "Failed Authentication Check",
              "description" : "Checks if the user has past authentication failures.<br><br>Check if the OpenAM account lockout mechanism has recorded past authentication failures for the user.<br/><br/><i>NB </i>For this check to function, Account Lockout must be enabled.",
              "propertyOrder" : 300,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "failureScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 400,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "invertFailureScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 500,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            }
          }
        },
        "general" : {
          "type" : "object",
          "title" : "General",
          "propertyOrder" : 0,
          "properties" : {
            "riskThreshold" : {
              "title" : "Risk Threshold",
              "description" : "If the risk threshold value is not reached after executing the different tests, the authentication is considered to be successful.<br><br>Associated with many of the adaptive risk checks is a score; if a check does not pass then the score is added to the current running total. The final score is then compared with the <i>Risk Threshold</i>; if the score is less than the threshold the module will be successful.",
              "propertyOrder" : 200,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "authenticationLevel" : {
              "title" : "Authentication Level",
              "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
              "propertyOrder" : 100,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            }
          }
        },
        "knowncookie" : {
          "type" : "object",
          "title" : "Known Cookie",
          "propertyOrder" : 4,
          "properties" : {
            "knownCookieValue" : {
              "title" : "Cookie Value",
              "description" : "The value to be set on the cookie.",
              "propertyOrder" : 1800,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "knownCookieCheckEnabled" : {
              "title" : "Cookie Value Check",
              "description" : "Enables the checking of a known cookie value in the client request<br><br>If this check is enabled, the check looks for a known cookie in the client request. If the cookie exists and has the correct value then the check will pass.",
              "propertyOrder" : 1600,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "createKnownCookieOnSuccessfulLogin" : {
              "title" : "Save Cookie Value on Successful Login",
              "description" : "The cookie will be created on the client after successful login<br><br>The Adaptive Risk Post Authentication Plug-in will set the cookie on the client response",
              "propertyOrder" : 1900,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "invertKnownCookieScore" : {
              "title" : "Invert Result",
              "description" : "If the check succeeds the score will be included in the total, for failure the score will not be incremented.",
              "propertyOrder" : 2100,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "knownCookieScore" : {
              "title" : "Score",
              "description" : "The amount to increment the score if this check fails.",
              "propertyOrder" : 2000,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "knownCookieName" : {
              "title" : "Cookie Name",
              "description" : "The name of the cookie to set on the client.",
              "propertyOrder" : 1700,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}
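The following is an added example, not code from AM or the Amster project: a small Python model of how the Adaptive Risk module's checks combine into a score, built from the schema descriptions above (a check adds its Score when it fails; with Invert Result it adds the score on success instead; the module succeeds when the total stays below riskThreshold). The request-context field names and the sample configuration values are this example's own assumptions.

```python
"""Model of Adaptive Risk scoring (added illustration, not AM's implementation)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Context:
    """Constructed request context; field names are this example's own."""
    client_ip: str
    country: str                       # country resolved for client_ip
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    days_since_last_login: Optional[float] = None
    failed_auth_recorded: bool = False  # account lockout has recorded failures
    ip_history: list = field(default_factory=list)  # stored in the profile


def parse_country_codes(value: str) -> set:
    """Parse the 'Valid Country Codes' string, e.g. 'gb|us|no|fr'."""
    return {c.strip().lower() for c in value.split("|") if c.strip()}


# Each check returns True when it passes, following the schema descriptions.
def ip_history_check(cfg, ctx):
    return ctx.client_ip in ctx.ip_history[-cfg["ipHistoryCount"]:]


def known_cookie_check(cfg, ctx):
    return ctx.cookies.get(cfg["knownCookieName"]) == cfg["knownCookieValue"]


def last_login_check(cfg, ctx):
    if ctx.days_since_last_login is None:
        return False
    return ctx.days_since_last_login <= float(cfg["maxTimeSinceLastLogin"])


def geolocation_check(cfg, ctx):
    return ctx.country.lower() in parse_country_codes(cfg["geolocationValidCountryCodes"])


def request_header_check(cfg, ctx):
    return ctx.headers.get(cfg["requestHeaderName"]) == cfg["requestHeaderValue"]


def failed_auth_check(cfg, ctx):
    return not ctx.failed_auth_recorded


# (enabled key, score key, invert key, check) taken from the schema sections above.
CHECKS = [
    ("ipHistoryCheckEnabled", "ipHistoryScore", "invertIPHistoryScore", ip_history_check),
    ("knownCookieCheckEnabled", "knownCookieScore", "invertKnownCookieScore", known_cookie_check),
    ("timeSinceLastLoginCheckEnabled", "timeSinceLastLoginScore",
     "invertTimeSinceLastLoginScore", last_login_check),
    ("geolocationCheckEnabled", "geolocationScore", "invertGeolocationScore", geolocation_check),
    ("requestHeaderCheckEnabled", "requestHeaderScore", "invertRequestHeaderScore",
     request_header_check),
    ("failedAuthenticationCheckEnabled", "failureScore", "invertFailureScore", failed_auth_check),
]


def score_for(passed: bool, score: int, invert: bool) -> int:
    """Normal: score on failure. Invert Result: score on success, nothing on failure."""
    if invert:
        return score if passed else 0
    return 0 if passed else score


def evaluate(cfg: dict, ctx: Context):
    """Return (total score, module succeeded). Success means total < riskThreshold."""
    total = 0
    for enabled_key, score_key, invert_key, check in CHECKS:
        if not cfg.get(enabled_key, False):
            continue
        total += score_for(check(cfg, ctx), cfg[score_key], cfg.get(invert_key, False))
    return total, total < cfg["riskThreshold"]


# Constructed sample configuration using the schema's property names.
SAMPLE_CONFIG = {
    "riskThreshold": 10,
    "ipHistoryCheckEnabled": True, "ipHistoryScore": 5, "ipHistoryCount": 3,
    "knownCookieCheckEnabled": True, "knownCookieName": "am-known",
    "knownCookieValue": "v1", "knownCookieScore": 2,
    "timeSinceLastLoginCheckEnabled": True, "maxTimeSinceLastLogin": "30",
    "timeSinceLastLoginScore": 4,
    "geolocationCheckEnabled": True, "geolocationValidCountryCodes": "gb|us|no|fr",
    "geolocationScore": 5,
    "requestHeaderCheckEnabled": False,
    "failedAuthenticationCheckEnabled": True, "failureScore": 3,
}

# Constructed contexts: a returning user and a request that fails every check.
TRUSTED = Context("203.0.113.10", "GB", cookies={"am-known": "v1"},
                  days_since_last_login=3, ip_history=["198.51.100.7", "203.0.113.10"])
SUSPICIOUS = Context("192.0.2.55", "xx", days_since_last_login=45,
                     failed_auth_recorded=True, ip_history=["203.0.113.10"])
NEW_IP_ONLY = Context("192.0.2.55", "GB", cookies={"am-known": "v1"},
                      days_since_last_login=3, ip_history=["203.0.113.10"])

if __name__ == "__main__":
    for name, ctx in [("trusted", TRUSTED), ("suspicious", SUSPICIOUS), ("new ip", NEW_IP_ONLY)]:
        print(name, evaluate(SAMPLE_CONFIG, ctx))
```

A single new IP address alone (5) stays under the threshold (10), which shows why the per-check scores and the threshold have to be tuned together.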

1.5. AdvancedProperties

1.5.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/{serverName}/properties/advanced

Resource version: 1.0

1.5.1.1. read

Usage:

am> read AdvancedProperties --global --serverName serverName

Parameters:

--serverName

An object of property key-value pairs

1.5.1.2. update

Usage:

am> update AdvancedProperties --global --serverName serverName --body body

Parameters:

--serverName

An object of property key-value pairs

--body

The resource in JSON format, described by the following JSON schema:

{
  "patternProperties" : {
    ".+" : {
      "type" : "string",
      "title" : "Value",
      "description" : "Any string value"
    }
  },
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "An object of property key-value pairs",
  "type" : "object",
  "title" : "Advanced Properties"
}

1.6. AgentGroups

1.6.1. Realm Operations

Aggregating Agent Groups handler that is responsible for querying the aggregating agent groups

Resource path: /realm-config/agents/groups

Resource version: 1.0

1.6.1.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AgentGroups --realm Realm --actionName getAllTypes

1.6.1.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AgentGroups --realm Realm --actionName getCreatableTypes

1.6.1.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AgentGroups --realm Realm --actionName nextdescendents

1.6.1.4. query

Querying the aggregating agent groups

Usage:

am> query AgentGroups --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all. Fields that can be queried: [*]

1.7. AgentService

1.7.1. Global Operations

Resource path: /global-config/agents/AgentService

Resource version: 1.0

1.7.1.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AgentService --global --actionName getAllTypes

1.7.1.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AgentService --global --actionName getCreatableTypes

1.7.1.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AgentService --global --actionName nextdescendents

1.7.1.4. read

Usage:

am> read AgentService --global

1.7.1.5. update

Usage:

am> update AgentService --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object"
}

1.8. Agents

1.8.1. Realm Operations

Aggregating Agents handler that is responsible for querying the aggregating agents

Resource path: /realm-config/agents

Resource version: 1.0

1.8.1.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Agents --realm Realm --actionName getAllTypes

1.8.1.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Agents --realm Realm --actionName getCreatableTypes

1.8.1.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Agents --realm Realm --actionName nextdescendents

1.8.1.4. query

Querying the aggregating agents

Usage:

am> query Agents --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all. Fields that can be queried: [*]

1.8.2. Global Operations

Global and default configuration for agents

Resource path: /global-config/agents

Resource version: 1.0

1.8.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Agents --global --actionName getAllTypes

1.8.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Agents --global --actionName getCreatableTypes

1.8.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Agents --global --actionName nextdescendents

1.9. AmsterModule

1.9.1. Realm Operations

Resource path: /realm-config/authentication/modules/amster

Resource version: 1.0

1.9.1.1. create

Usage:

am> create AmsterModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "enabled" : {
      "title" : "Enabled",
      "description" : "If not enabled, prevents PKI login using the Amster module.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "authorizedKeys" : {
      "title" : "Authorized Keys",
      "description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.9.1.2. delete

Usage:

am> delete AmsterModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.9.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AmsterModule --realm Realm --actionName getAllTypes

1.9.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AmsterModule --realm Realm --actionName getCreatableTypes

1.9.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AmsterModule --realm Realm --actionName nextdescendents

1.9.1.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query AmsterModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.9.1.7. read

Usage:

am> read AmsterModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.9.1.8. update

Usage:

am> update AmsterModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "enabled" : {
      "title" : "Enabled",
      "description" : "If not enabled, prevents PKI login using the Amster module.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "authorizedKeys" : {
      "title" : "Authorized Keys",
      "description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.9.2. Global Operations

Resource path: /global-config/authentication/modules/amster

Resource version: 1.0

1.9.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AmsterModule --global --actionName getAllTypes

1.9.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AmsterModule --global --actionName getCreatableTypes

1.9.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AmsterModule --global --actionName nextdescendents

1.9.2.4. read

Usage:

am> read AmsterModule --global

1.9.2.5. update

Usage:

am> update AmsterModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "authorizedKeys" : {
          "title" : "Authorized Keys",
          "description" : "The location of the authorized_keys file (which has the same format as an OpenSSH authorized_keys file) to use to validate remote Amster connections.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "enabled" : {
          "title" : "Enabled",
          "description" : "If not enabled, prevents PKI login using the Amster module.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.10. AnonymousModule

1.10.1. Realm Operations

Resource path: /realm-config/authentication/modules/anonymous

Resource version: 1.0

1.10.1.1. create

Usage:

am> create AnonymousModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaultAnonymousUsername" : {
      "title" : "Default Anonymous User Name",
      "description" : "The default username to use if no username is supplied during authentication.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "validAnonymousUsers" : {
      "title" : "Valid Anonymous Users",
      "description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allowed anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>",
      "propertyOrder" : 100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "caseSensitiveUsernameMatchingEnabled" : {
      "title" : "Case Sensitive User IDs",
      "description" : "If enabled, username matching will be case sensitive.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.10.1.2. delete

Usage:

am> delete AnonymousModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.10.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AnonymousModule --realm Realm --actionName getAllTypes

1.10.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AnonymousModule --realm Realm --actionName getCreatableTypes

1.10.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AnonymousModule --realm Realm --actionName nextdescendents

1.10.1.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query AnonymousModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.10.1.7. read

Usage:

am> read AnonymousModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.10.1.8. update

Usage:

am> update AnonymousModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaultAnonymousUsername" : {
      "title" : "Default Anonymous User Name",
      "description" : "The default username to use if no username is supplied during authentication.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "validAnonymousUsers" : {
      "title" : "Valid Anonymous Users",
      "description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allowed anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>",
      "propertyOrder" : 100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "caseSensitiveUsernameMatchingEnabled" : {
      "title" : "Case Sensitive User IDs",
      "description" : "If enabled, username matching will be case sensitive.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.10.2. Global Operations

Resource path: /global-config/authentication/modules/anonymous

Resource version: 1.0

1.10.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AnonymousModule --global --actionName getAllTypes

1.10.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AnonymousModule --global --actionName getCreatableTypes

1.10.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AnonymousModule --global --actionName nextdescendents

1.10.2.4. read

Usage:

am> read AnonymousModule --global

1.10.2.5. update

Usage:

am> update AnonymousModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "defaultAnonymousUsername" : {
          "title" : "Default Anonymous User Name",
          "description" : "The default username to use if no username is supplied during authentication.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "validAnonymousUsers" : {
          "title" : "Valid Anonymous Users",
          "description" : "List of accounts that are allowed to login without providing credentials.<br><br>Any username on this list will be allowed anonymous access to OpenAM. Usernames listed here must have matching profiles in the data store or the user profile requirement must be disabled. The username can be specified during anonymous authentication as follows:<br/><br/><code>/openam/UI/Login?module=anonymous&IDToken1=<i>username</i></code>",
          "propertyOrder" : 100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "caseSensitiveUsernameMatchingEnabled" : {
          "title" : "Case Sensitive User IDs",
          "description" : "If enabled, username matching will be case sensitive.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.11. ApplicationTypes

1.11.1. Realm Operations

Service for reading and listing the available application types. Application types act as templates for policy sets, and define how to compare resources and index policies. OpenAM provides a default application type that represents web resources, called iPlanetAMWebAgentService.

Resource path: /applicationtypes

Resource version: 1.0

1.11.1.1. query

Lists the application types using a query filter.

Usage:

am> query ApplicationTypes --realm Realm --filter filter

Parameters:

--filter

A CREST-formatted query filter, where "true" will query all. Fields that can be queried: [*]

1.11.1.2. read

Reads an individual application type by the provided application type name.

Usage:

am> read ApplicationTypes --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.12. Applications

1.12.1. Realm Operations

Service for manipulating Applications. It supports the CRUDQ operations.

Resource path: /applications

Resource version: 2.1

1.12.1.1. create

Creates a new Application in a realm.

Usage:

am> create Applications --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "Application schema",
  "type" : "object",
  "title" : "Application",
  "properties" : {
    "name" : {
      "type" : "string",
      "title" : "Name",
      "description" : "Unique application identifier."
    },
    "displayName" : {
      "type" : "string",
      "title" : "Display name",
      "description" : "When defined, it is displayed in the UI instead of the application name."
    },
    "description" : {
      "type" : "string",
      "title" : "Description",
      "description" : "String describing the application."
    },
    "applicationType" : {
      "type" : "string",
      "title" : "Application type",
      "description" : "Name of the application type used as a template for the policy set."
    },
    "conditions" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Conditions",
        "description" : "Condition types allowed in the context of the policy set."
      }
    },
    "subjects" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Subjects",
        "description" : "Subject types allowed in the context of the policy set."
      }
    },
    "resourceTypeUuids" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Resource type uuids",
        "description" : "A list of the UUIDs of the resource types associated with the policy set."
      }
    },
    "entitlementCombiner" : {
      "type" : "string",
      "title" : "Entitlement combiner",
      "description" : "Name of the decision combiner, such as \"DenyOverride\"."
    },
    "searchIndex" : {
      "type" : "string",
      "title" : "Search index",
      "description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
    },
    "saveIndex" : {
      "type" : "string",
      "title" : "Save index",
      "description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
    },
    "resourceComparator" : {
      "type" : "string",
      "title" : "Resource comparator",
      "description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
    },
    "attributeNames" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Attribute names",
        "description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
      }
    },
    "createdBy" : {
      "type" : "string",
      "title" : "Created by",
      "description" : "A string containing the universal identifier DN of the subject that created the application."
    },
    "lastModifiedBy" : {
      "type" : "string",
      "title" : "Last modified by",
      "description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
    },
    "creationDate" : {
      "type" : "integer",
      "title" : "Creation date",
      "description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
    },
    "lastModifiedDate" : {
      "type" : "integer",
      "title" : "Last modified date",
      "description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
    },
    "editable" : {
      "type" : "boolean",
      "title" : "Editable",
      "description" : "Indicates whether the application is editable."
    }
  },
  "required" : [ "name", "applicationType" ]
}

1.12.1.2. delete

Deletes an individual Application in a realm, specified by its name.

Usage:

am> delete Applications --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.12.1.3. query

Lists all the Applications in a realm.

Usage:

am> query Applications --realm Realm --filter filter

Parameters:

--filter

A CREST-formatted query filter, where "true" will query all. Fields that can be queried: [*]

1.12.1.4. read

Reads an individual Application in a realm, specified by its name.

Usage:

am> read Applications --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.12.1.5. update

Updates an individual Application in a realm, specified by its name.

Usage:

am> update Applications --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "Application schema",
  "type" : "object",
  "title" : "Application",
  "properties" : {
    "name" : {
      "type" : "string",
      "title" : "Name",
      "description" : "Unique application identifier."
    },
    "displayName" : {
      "type" : "string",
      "title" : "Display name",
      "description" : "When defined, it is displayed in the UI instead of the application name."
    },
    "description" : {
      "type" : "string",
      "title" : "Description",
      "description" : "String describing the application."
    },
    "applicationType" : {
      "type" : "string",
      "title" : "Application type",
      "description" : "Name of the application type used as a template for the policy set."
    },
    "conditions" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Conditions",
        "description" : "Condition types allowed in the context of the policy set."
      }
    },
    "subjects" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Subjects",
        "description" : "Subject types allowed in the context of the policy set."
      }
    },
    "resourceTypeUuids" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Resource type uuids",
        "description" : "A list of the UUIDs of the resource types associated with the policy set."
      }
    },
    "entitlementCombiner" : {
      "type" : "string",
      "title" : "Entitlement combiner",
      "description" : "Name of the decision combiner, such as \"DenyOverride\"."
    },
    "searchIndex" : {
      "type" : "string",
      "title" : "Search index",
      "description" : "Class name of the implementation for searching indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameSplitter\" for URL resource names."
    },
    "saveIndex" : {
      "type" : "string",
      "title" : "Save index",
      "description" : "Class name of the implementation for creating indexes for resource names, such as \"com.sun.identity.entitlement.util.ResourceNameIndexGenerator\" for URL resource names."
    },
    "resourceComparator" : {
      "type" : "string",
      "title" : "Resource comparator",
      "description" : "Class name of the resource comparator implementation used in the context of the policy set. The following implementations are available: \"com.sun.identity.entitlement.ExactMatchResourceName\", \"com.sun.identity.entitlement.PrefixResourceName\", \"com.sun.identity.entitlement.RegExResourceName\", \"com.sun.identity.entitlement.URLResourceName\"."
    },
    "attributeNames" : {
      "type" : "array",
      "items" : {
        "type" : "string",
        "title" : "Attribute names",
        "description" : "A list of attribute names such as cn. The list is used to aid policy indexing and lookup."
      }
    },
    "createdBy" : {
      "type" : "string",
      "title" : "Created by",
      "description" : "A string containing the universal identifier DN of the subject that created the application."
    },
    "lastModifiedBy" : {
      "type" : "string",
      "title" : "Last modified by",
      "description" : "A string containing the universal identifier DN of the subject that most recently updated the application. If the application has not been modified since it was created, this will be the same value as createdBy."
    },
    "creationDate" : {
      "type" : "integer",
      "title" : "Creation date",
      "description" : "An integer containing the creation date and time, in number of seconds since the Unix Epoch."
    },
    "lastModifiedDate" : {
      "type" : "integer",
      "title" : "Last modified date",
      "description" : "An integer containing the last modified date and time, in number of seconds since the Unix Epoch. If the application has not been modified since it was created, this will be the same value as creationDate."
    },
    "editable" : {
      "type" : "boolean",
      "title" : "Editable",
      "description" : "Indicates whether the application is editable."
    }
  },
  "required" : [ "name", "applicationType" ]
}

1.13. AuditEvent

1.13.1. Realm Operations

Audit events are logged through a realm audit service.

Resource path: /realm-audit/{topic}

Resource version: 1.0

1.13.1.1. create

Create a new audit event, which will be handled and logged by the configured audit service.

Usage:

am> create AuditEvent --realm Realm --topic topic --body body

Parameters:

--topic

The audit topic under which the event is logged. Audit events are logged through a realm audit service.

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "The schema contains properties that are common to all topics and some that are unique to a specific topic. The description of each property indicates which topic the property applies to.",
  "title" : "Audit event schema",
  "type" : "object",
  "properties" : {
    "_id" : {
      "title" : "ID",
      "description" : "The ID of the event, used by all topics",
      "type" : "string"
    },
    "timestamp" : {
      "title" : "Timestamp",
      "description" : "The time at which the event occurred, used by all topics",
      "type" : "string"
    },
    "eventName" : {
      "title" : "Event name",
      "description" : "The name of the event, used by all topics",
      "type" : "string"
    },
    "transactionId" : {
      "title" : "Transaction ID",
      "description" : "The transaction ID of the event, used by all topics",
      "type" : "string"
    },
    "userId" : {
      "title" : "User ID",
      "description" : "The ID of the user responsible for the event, used by all topics",
      "type" : "string"
    },
    "trackingIds" : {
      "title" : "Tracking IDs",
      "description" : "The tracking IDs of the event, used by all topics",
      "type" : "array",
      "items" : {
        "id" : "0",
        "type" : "string"
      }
    },
    "component" : {
      "title" : "Component",
      "description" : "The component responsible for the event, used by all topics",
      "type" : "string"
    },
    "realm" : {
      "title" : "Realm",
      "description" : "The realm in which the event occurred, used by all topics",
      "type" : "string"
    },
    "server" : {
      "title" : "Server",
      "description" : "The server details for an access event",
      "type" : "object",
      "properties" : {
        "ip" : {
          "title" : "Server IP address",
          "description" : "The server ip address for an access event",
          "type" : "string"
        },
        "port" : {
          "title" : "Server port",
          "description" : "The server port for an access event",
          "type" : "integer"
        }
      }
    },
    "client" : {
      "title" : "Client",
      "description" : "The client details for an access event",
      "type" : "object",
      "properties" : {
        "ip" : {
          "title" : "Client IP address",
          "description" : "The client IP address for an access event",
          "type" : "string"
        },
        "port" : {
          "title" : "Client port",
          "description" : "The client port for an access event",
          "type" : "integer"
        }
      }
    },
    "request" : {
      "title" : "Request",
      "description" : "The request details for an access event",
      "type" : "object",
      "properties" : {
        "protocol" : {
          "title" : "Request protocol",
          "description" : "The request protocol for an access event",
          "type" : "string"
        },
        "operation" : {
          "title" : "Request operation",
          "description" : "The request operation for an access event",
          "type" : "string"
        },
        "detail" : {
          "title" : "Request detail",
          "description" : "The request detail for an access event",
          "type" : "object"
        }
      }
    },
    "http" : {
      "title" : "Http details",
      "description" : "The Http details for an access event",
      "type" : "object",
      "properties" : {
        "request" : {
          "title" : "Http request",
          "description" : "The http request for an access event",
          "type" : "object",
          "properties" : {
            "secure" : {
              "title" : "Http secure",
              "description" : "The http secure property for an access event",
              "type" : "boolean"
            },
            "method" : {
              "title" : "Http method",
              "description" : "The http method for an access event",
              "type" : "string"
            },
            "path" : {
              "title" : "Http path",
              "description" : "The http path for an access event",
              "type" : "string"
            },
            "queryParameters" : {
              "title" : "Http query parameters",
              "description" : "The http query parameters for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "array",
                "items" : {
                  "type" : "string"
                }
              }
            },
            "headers" : {
              "title" : "Http headers",
              "description" : "The http headers for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "array",
                "items" : {
                  "type" : "string"
                }
              }
            },
            "cookies" : {
              "title" : "Http cookies",
              "description" : "The http cookies for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "string"
              }
            }
          }
        },
        "response" : {
          "title" : "Http response",
          "description" : "The http response for an access event",
          "type" : "object",
          "properties" : {
            "headers" : {
              "title" : "Http request headers",
              "description" : "The http request headers for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "array",
                "items" : {
                  "type" : "string"
                }
              }
            }
          }
        }
      }
    },
    "response" : {
      "title" : "Response",
      "description" : "The response details for an access event",
      "type" : "object",
      "properties" : {
        "status" : {
          "title" : "Response status",
          "description" : "The response status for an access event",
          "type" : "string"
        },
        "statusCode" : {
          "title" : "Response status code",
          "description" : "The response status code for an access event",
          "type" : "string"
        },
        "detail" : {
          "title" : "Response detail",
          "description" : "The response detail for an access event",
          "type" : "object"
        },
        "elapsedTime" : {
          "title" : "Response elapsed time",
          "description" : "The response elapsedTime for an access event",
          "type" : "integer"
        },
        "elapsedTimeUnits" : {
          "title" : "Response elapsed time units",
          "description" : "The response elapsed time units for an access event",
          "type" : "string"
        }
      }
    },
    "runAs" : {
      "title" : "Run as",
      "description" : "What the change that triggered an activity or config event was run as",
      "type" : "string"
    },
    "objectId" : {
      "title" : "Object ID",
      "description" : "The object ID of the change that triggered an activity or config event",
      "type" : "string"
    },
    "operation" : {
      "title" : "Operation",
      "description" : "The operation that triggered an activity or config event",
      "type" : "string"
    },
    "before" : {
      "title" : "Before state",
      "description" : "The state before an activity or config event occurred",
      "type" : "object"
    },
    "after" : {
      "title" : "After state",
      "description" : "The state after an activity or config event occurred",
      "type" : "object"
    },
    "changedFields" : {
      "title" : "Changed fields",
      "description" : "The changed fields after an activity or config event occurred",
      "type" : "array",
      "items" : {
        "id" : "1",
        "type" : "string"
      }
    },
    "revision" : {
      "title" : "Revision",
      "description" : "The revision for an activity or config event",
      "type" : "string"
    },
    "result" : {
      "title" : "Result",
      "description" : "The result of the authentication event",
      "type" : "string"
    },
    "principal" : {
      "title" : "Principal",
      "description" : "The principal responsible for the authentication event",
      "type" : "array",
      "items" : {
        "type" : "string"
      }
    },
    "context" : {
      "title" : "Context",
      "description" : "The context of an authentication event",
      "type" : "object",
      "properties" : { }
    },
    "entries" : {
      "title" : "Entries",
      "description" : "The entries for an authentication event",
      "type" : "array",
      "items" : {
        "type" : "object",
        "properties" : {
          "moduleId" : {
            "title" : "Module ID",
            "description" : "The module ID for the authentication event",
            "type" : "string"
          },
          "result" : {
            "title" : "Module result",
            "description" : "The result of the module authentication event",
            "type" : "string"
          },
          "info" : {
            "title" : "Entries information",
            "description" : "The entries information for an authentication event",
            "type" : "object",
            "properties" : { }
          }
        }
      }
    }
  },
  "required" : [ "transactionId", "timestamp" ]
}

1.13.2. Global Operations

Audit events are logged through the global audit service.

Resource path: /global-audit/{topic}

Resource version: 1.0

1.13.2.1. create

Create a new audit event, which will be handled and logged by the configured audit service.

Usage:

am> create AuditEvent --global --topic topic --body body

Parameters:

--topic

The audit topic under which the event is logged. Audit events are logged through the global audit service.

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "The schema contains properties that are common to all topics and some that are unique to a specific topic. The description of each property indicates which topic the property applies to.",
  "title" : "Audit event schema",
  "type" : "object",
  "properties" : {
    "_id" : {
      "title" : "ID",
      "description" : "The ID of the event, used by all topics",
      "type" : "string"
    },
    "timestamp" : {
      "title" : "Timestamp",
      "description" : "The time at which the event occurred, used by all topics",
      "type" : "string"
    },
    "eventName" : {
      "title" : "Event name",
      "description" : "The name of the event, used by all topics",
      "type" : "string"
    },
    "transactionId" : {
      "title" : "Transaction ID",
      "description" : "The transaction ID of the event, used by all topics",
      "type" : "string"
    },
    "userId" : {
      "title" : "User ID",
      "description" : "The ID of the user responsible for the event, used by all topics",
      "type" : "string"
    },
    "trackingIds" : {
      "title" : "Tracking IDs",
      "description" : "The tracking IDs of the event, used by all topics",
      "type" : "array",
      "items" : {
        "id" : "0",
        "type" : "string"
      }
    },
    "component" : {
      "title" : "Component",
      "description" : "The component responsible for the event, used by all topics",
      "type" : "string"
    },
    "realm" : {
      "title" : "Realm",
      "description" : "The realm in which the event occurred, used by all topics",
      "type" : "string"
    },
    "server" : {
      "title" : "Server",
      "description" : "The server details for an access event",
      "type" : "object",
      "properties" : {
        "ip" : {
          "title" : "Server IP address",
          "description" : "The server ip address for an access event",
          "type" : "string"
        },
        "port" : {
          "title" : "Server port",
          "description" : "The server port for an access event",
          "type" : "integer"
        }
      }
    },
    "client" : {
      "title" : "Client",
      "description" : "The client details for an access event",
      "type" : "object",
      "properties" : {
        "ip" : {
          "title" : "Client IP address",
          "description" : "The client IP address for an access event",
          "type" : "string"
        },
        "port" : {
          "title" : "Client port",
          "description" : "The client port for an access event",
          "type" : "integer"
        }
      }
    },
    "request" : {
      "title" : "Request",
      "description" : "The request details for an access event",
      "type" : "object",
      "properties" : {
        "protocol" : {
          "title" : "Request protocol",
          "description" : "The request protocol for an access event",
          "type" : "string"
        },
        "operation" : {
          "title" : "Request operation",
          "description" : "The request operation for an access event",
          "type" : "string"
        },
        "detail" : {
          "title" : "Request detail",
          "description" : "The request detail for an access event",
          "type" : "object"
        }
      }
    },
    "http" : {
      "title" : "Http details",
      "description" : "The Http details for an access event",
      "type" : "object",
      "properties" : {
        "request" : {
          "title" : "Http request",
          "description" : "The http request for an access event",
          "type" : "object",
          "properties" : {
            "secure" : {
              "title" : "Http secure",
              "description" : "The http secure property for an access event",
              "type" : "boolean"
            },
            "method" : {
              "title" : "Http method",
              "description" : "The http method for an access event",
              "type" : "string"
            },
            "path" : {
              "title" : "Http path",
              "description" : "The http path for an access event",
              "type" : "string"
            },
            "queryParameters" : {
              "title" : "Http query parameters",
              "description" : "The http query parameters for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "array",
                "items" : {
                  "type" : "string"
                }
              }
            },
            "headers" : {
              "title" : "Http headers",
              "description" : "The http headers for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "array",
                "items" : {
                  "type" : "string"
                }
              }
            },
            "cookies" : {
              "title" : "Http cookies",
              "description" : "The http cookies for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "string"
              }
            }
          }
        },
        "response" : {
          "title" : "Http response",
          "description" : "The http response for an access event",
          "type" : "object",
          "properties" : {
            "headers" : {
              "title" : "Http request headers",
              "description" : "The http request headers for an access event",
              "type" : "object",
              "additionalProperties" : {
                "type" : "array",
                "items" : {
                  "type" : "string"
                }
              }
            }
          }
        }
      }
    },
    "response" : {
      "title" : "Response",
      "description" : "The response details for an access event",
      "type" : "object",
      "properties" : {
        "status" : {
          "title" : "Response status",
          "description" : "The response status for an access event",
          "type" : "string"
        },
        "statusCode" : {
          "title" : "Response status code",
          "description" : "The response status code for an access event",
          "type" : "string"
        },
        "detail" : {
          "title" : "Response detail",
          "description" : "The response detail for an access event",
          "type" : "object"
        },
        "elapsedTime" : {
          "title" : "Response elapsed time",
          "description" : "The response elapsedTime for an access event",
          "type" : "integer"
        },
        "elapsedTimeUnits" : {
          "title" : "Response elapsed time units",
          "description" : "The response elapsed time units for an access event",
          "type" : "string"
        }
      }
    },
    "runAs" : {
      "title" : "Run as",
      "description" : "What the change that triggered an activity or config event was run as",
      "type" : "string"
    },
    "objectId" : {
      "title" : "Object ID",
      "description" : "The object ID of the change that triggered an activity or config event",
      "type" : "string"
    },
    "operation" : {
      "title" : "Operation",
      "description" : "The operation that triggered an activity or config event",
      "type" : "string"
    },
    "before" : {
      "title" : "Before state",
      "description" : "The state before an activity or config event occurred",
      "type" : "object"
    },
    "after" : {
      "title" : "After state",
      "description" : "The state after an activity or config event occurred",
      "type" : "object"
    },
    "changedFields" : {
      "title" : "Changed fields",
      "description" : "The changed fields after an activity or config event occurred",
      "type" : "array",
      "items" : {
        "id" : "1",
        "type" : "string"
      }
    },
    "revision" : {
      "title" : "Revision",
      "description" : "The revision for an activity or config event",
      "type" : "string"
    },
    "result" : {
      "title" : "Result",
      "description" : "The result of the authentication event",
      "type" : "string"
    },
    "principal" : {
      "title" : "Principal",
      "description" : "The principal responsible for the authentication event",
      "type" : "array",
      "items" : {
        "type" : "string"
      }
    },
    "context" : {
      "title" : "Context",
      "description" : "The context of an authentication event",
      "type" : "object",
      "properties" : { }
    },
    "entries" : {
      "title" : "Entries",
      "description" : "The entries for an authentication event",
      "type" : "array",
      "items" : {
        "type" : "object",
        "properties" : {
          "moduleId" : {
            "title" : "Module ID",
            "description" : "The module ID for the authentication event",
            "type" : "string"
          },
          "result" : {
            "title" : "Module result",
            "description" : "The result of the module authentication event",
            "type" : "string"
          },
          "info" : {
            "title" : "Entries information",
            "description" : "The entries information for an authentication event",
            "type" : "object",
            "properties" : { }
          }
        }
      }
    }
  },
  "required" : [ "transactionId", "timestamp" ]
}

1.14. AuditLogging

1.14.1. Realm Operations

Resource path: /realm-config/services/audit

Resource version: 1.0

1.14.1.1. create

Usage:

am> create AuditLogging --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "auditEnabled" : {
      "title" : "Audit logging",
      "description" : "Enable audit logging in OpenAM.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "fieldFilterPolicy" : {
      "title" : "Field exclusion policies",
      "description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
      "propertyOrder" : 200,
      "required" : false,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.14.1.2. delete

Usage:

am> delete AuditLogging --realm Realm

1.14.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuditLogging --realm Realm --actionName getAllTypes

1.14.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuditLogging --realm Realm --actionName getCreatableTypes

1.14.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuditLogging --realm Realm --actionName nextdescendents

1.14.1.6. read

Usage:

am> read AuditLogging --realm Realm

1.14.1.7. update

Usage:

am> update AuditLogging --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "auditEnabled" : {
      "title" : "Audit logging",
      "description" : "Enable audit logging in OpenAM.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "fieldFilterPolicy" : {
      "title" : "Field exclusion policies",
      "description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
      "propertyOrder" : 200,
      "required" : false,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.14.2. Global Operations

Resource path: /global-config/services/audit

Resource version: 1.0

1.14.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuditLogging --global --actionName getAllTypes

1.14.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuditLogging --global --actionName getCreatableTypes

1.14.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuditLogging --global --actionName nextdescendents

1.14.2.4. read

Usage:

am> read AuditLogging --global

1.14.2.5. update

Usage:

am> update AuditLogging --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "auditEnabled" : {
      "title" : "Audit logging",
      "description" : "Enable audit logging in OpenAM.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "fieldFilterPolicy" : {
      "title" : "Field exclusion policies",
      "description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
      "propertyOrder" : 200,
      "required" : false,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "defaults" : {
      "properties" : {
        "fieldFilterPolicy" : {
          "title" : "Field exclusion policies",
          "description" : "A list of fields or values (JSON pointers) to exclude from the audit event.<br><br>To specify a field or value within a field to be filtered out of the event, start the pointer with the event topic, for example access, activity, authentication, or config, followed by the field name or the path to the value in the field.<p><p>For example, to filter out the <code>userId</code> field in an access event the pointer will be <code>/access/userId</code>.<p>To filter out the <code>content-type</code> value in the <code>http.request.headers</code> field the pointer will be <code>/access/http/request/headers/content-type</code>.<p>Only values that are made up of JSON strings can be manipulated in this way.",
          "propertyOrder" : 200,
          "required" : false,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "auditEnabled" : {
          "title" : "Audit logging",
          "description" : "Enable audit logging in OpenAM.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}
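The fieldFilterPolicy descriptions in the realm and global AuditLogging schemas above explain the exclusion pointers only in prose. The following Python is an added example, not AM or Amster code: it models how a list of such pointers would be applied to an audit event before it is written, including the schema's rule that only JSON string values can be filtered, and builds the matching --body document for the update command. The sample access event and its field values are constructed for the example; only userId and http.request.headers are field names the schema itself mentions.

```python
"""Model of AM's audit fieldFilterPolicy semantics (added example, not AM code)."""
import copy
import json


def parse_pointer(pointer):
    """Split '/access/http/request/headers/content-type' into (topic, path tokens).

    The first token is the event topic (access, activity, authentication, config);
    the rest is the path to the field or value. RFC 6901 escapes are honoured so a
    key containing '/' can be written as '~1'.
    """
    if not pointer.startswith("/"):
        raise ValueError("a JSON pointer must start with '/'")
    tokens = [t.replace("~1", "/").replace("~0", "~") for t in pointer[1:].split("/")]
    return tokens[0], tokens[1:]


def apply_field_filter(topic, event, policies):
    """Return (filtered copy of `event`, list of policies that removed something).

    Policies for another topic, paths that do not resolve, and paths that resolve
    to objects, arrays or numbers are left untouched: per the schema only values
    made up of JSON strings are filtered.
    """
    filtered = copy.deepcopy(event)
    removed = []
    for policy in policies:
        ptopic, path = parse_pointer(policy)
        if ptopic != topic or not path:
            continue
        node = filtered
        for key in path[:-1]:
            if not isinstance(node, dict) or key not in node:
                node = None
                break
            node = node[key]
        if isinstance(node, dict) and isinstance(node.get(path[-1]), str):
            del node[path[-1]]
            removed.append(policy)
    return filtered, removed


def amster_audit_body(audit_enabled, policies):
    """Serialise the document passed to `am> update AuditLogging ... --body`."""
    return json.dumps({"auditEnabled": audit_enabled, "fieldFilterPolicy": list(policies)})


# Constructed sample access event (values are illustrative, not captured from AM).
SAMPLE_ACCESS_EVENT = {
    "timestamp": "2024-01-01T00:00:00.000Z",
    "transactionId": "constructed-txn-0001",
    "userId": "id=demo,ou=user,dc=example,dc=com",
    "http": {
        "request": {
            "method": "GET",
            "path": "/constructed/path",
            "headers": {"content-type": "application/json", "host": "am.example.com"},
        }
    },
    "response": {"status": "SUCCESSFUL", "elapsedTime": 42},
}

POLICIES = [
    "/access/userId",                              # string field: removed
    "/access/http/request/headers/content-type",   # string value inside a field: removed
    "/access/http/request",                        # object, not a string: kept
    "/authentication/principal",                   # different topic: ignored here
]

if __name__ == "__main__":
    out, hit = apply_field_filter("access", SAMPLE_ACCESS_EVENT, POLICIES)
    print(json.dumps(out, indent=2))
    print("applied:", hit)
    print(amster_audit_body(True, POLICIES))
```

Pointers into the `http.request.headers` field work because the pointer path mirrors the nested JSON layout of the event, which is why the description writes `/access/http/request/headers/content-type` rather than a dotted name.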

1.15. Authentication

1.15.1. Realm Operations

Resource path: /realm-config/authentication

Resource version: 1.0

1.15.1.1. create

Usage:

am> create Authentication --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "general" : {
      "type" : "object",
      "title" : "General",
      "propertyOrder" : 3,
      "properties" : {
        "identityType" : {
          "title" : "Identity Types",
          "description" : "",
          "propertyOrder" : 2500,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "userStatusCallbackPlugins" : {
          "title" : "Pluggable User Status Event Classes",
          "description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.",
          "propertyOrder" : 2600,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "twoFactorRequired" : {
          "title" : "Two Factor Authentication Mandatory",
          "description" : "",
          "propertyOrder" : 3900,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "locale" : {
          "title" : "Default Authentication Locale",
          "description" : "",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "defaultAuthLevel" : {
          "title" : "Default Authentication Level",
          "description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.",
          "propertyOrder" : 4100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "statelessSessionsEnabled" : {
          "title" : "Use Stateless Sessions",
          "description" : "Enables stateless sessions.<br><br>Stateless sessions provide elastic scalability by storing all session state on the client in the SSO cookie. See Session service configuration to enable signing and encryption (HIGHLY RECOMMENDED).",
          "propertyOrder" : 3800,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "core" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : -1,
      "properties" : {
        "orgConfig" : {
          "title" : "Organization Authentication Configuration",
          "description" : "Default Authentication Chain for users<br><br>This is the authentication chain that will be used to authenticate users to this realm.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "adminAuthModule" : {
          "title" : "Administrator Authentication Configuration",
          "description" : "Default Authentication Chain for administrators<br><br>This is the authentication chain that will be used to authentication administrative users to this realm.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "security" : {
      "type" : "object",
      "title" : "Security",
      "propertyOrder" : 4,
      "properties" : {
        "sharedSecret" : {
          "title" : "Organization Authentication Signing Secret",
          "description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. Should be at Base-64 encoded and at least 128-bits in length. By default a cryptographically secure random value is generated.",
          "propertyOrder" : 4000,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "zeroPageLoginAllowedWithoutReferrer" : {
          "title" : "Zero Page Login Allowed without Referer?",
          "description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.",
          "propertyOrder" : 3700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "keyAlias" : {
          "title" : "Persistent Cookie Encryption Certificate Alias",
          "description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.",
          "propertyOrder" : 3300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "zeroPageLoginReferrerWhiteList" : {
          "title" : "Zero Page Login Referer Whitelist",
          "description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.",
          "propertyOrder" : 3600,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "moduleBasedAuthEnabled" : {
          "title" : "Module Based Authentication",
          "description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.",
          "propertyOrder" : 2800,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "zeroPageLoginEnabled" : {
          "title" : "Zero Page Login",
          "description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.",
          "propertyOrder" : 3400,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "userprofile" : {
      "type" : "object",
      "title" : "User Profile",
      "propertyOrder" : 0,
      "properties" : {
        "dynamicProfileCreation" : {
          "title" : "User Profile",
          "description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "aliasAttributeName" : {
          "title" : "Alias Search Attribute Name",
          "description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.",
          "propertyOrder" : 400,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "defaultRole" : {
          "title" : "User Profile Dynamic Creation Default Roles",
          "description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.",
          "propertyOrder" : 300,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "accountlockout" : {
      "type" : "object",
      "title" : "Account Lockout",
      "propertyOrder" : 2,
      "properties" : {
        "lockoutEmailAddress" : {
          "title" : "Email Address to Send Lockout Notification",
          "description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "lockoutWarnUserCount" : {
          "title" : "Warn User After N Failures",
          "description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "lockoutDurationMultiplier" : {
          "title" : "Lockout Duration Multiplier",
          "description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function.  ",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "loginFailureDuration" : {
          "title" : "Login Failure Lockout Interval",
          "description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "lockoutAttributeValue" : {
          "title" : "Lockout Attribute Value",
          "description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "lockoutDuration" : {
          "title" : "Login Failure Lockout Duration",
          "description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "loginFailureCount" : {
          "title" : "Login Failure Lockout Count",
          "description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "loginFailureLockoutMode" : {
          "title" : "Login Failure Lockout Mode",
          "description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "invalidAttemptsDataAttributeName" : {
          "title" : "Invalid Attempts Data Attribute Name",
          "description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "storeInvalidAttemptsInDataStore" : {
          "title" : "Store Invalid Attempts in Data Store",
          "description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled OpenAM will store the users invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property.",
          "propertyOrder" : 2700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "lockoutAttributeName" : {
          "title" : "Lockout Attribute Name",
          "description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. ",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "postauthprocess" : {
      "type" : "object",
      "title" : "Post Authentication Processing",
      "propertyOrder" : 5,
      "properties" : {
        "usernameGeneratorClass" : {
          "title" : "Pluggable User Name Generator Class",
          "description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>",
          "propertyOrder" : 2200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userAttributeSessionMapping" : {
          "title" : "User Attribute Mapping to Session Attribute",
          "description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ",
          "propertyOrder" : 3000,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "loginSuccessUrl" : {
          "title" : "Default Success Login URL",
          "description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
          "propertyOrder" : 1800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "usernameGeneratorEnabled" : {
          "title" : "Generate UserID Mode",
          "description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "loginFailureUrl" : {
          "title" : "Default Failure Login URL ",
          "description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
          "propertyOrder" : 1900,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "loginPostProcessClass" : {
          "title" : "Authentication Post Processing Classes",
          "description" : "A list of post authentication processing classes for all users in this realm.<br><br>This is a list of Post Processing Classes that will be called by OpenAM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set and their precedence. <br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.",
          "propertyOrder" : 2000,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    }
  }
}
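The Account Lockout properties above (loginFailureCount, loginFailureDuration, lockoutDuration, lockoutDurationMultiplier and lockoutWarnUserCount) describe a sliding-window policy in prose. The following Python is an added example, not AM's implementation: it models that policy so the interaction of the properties can be checked, using the schema's own worked numbers (interval 5 minutes, count 5; duration 10 with multiplier 2 giving lockouts of 10 then 20 minutes). Times are minutes on an abstract clock, and the class and method names are the example's own.

```python
"""Sliding-window account lockout model (added example, not AM's code)."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutConfig:
    loginFailureCount: int = 5          # failures inside the interval that trigger a lock
    loginFailureDuration: int = 5       # lockout interval (sliding window), in minutes
    lockoutDuration: int = 10           # lock length in minutes; 0 = until an admin unlocks
    lockoutDurationMultiplier: int = 1  # lock length grows by this factor per successive lock
    lockoutWarnUserCount: int = 3       # warn the user once this many failures are counted


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # failure times still inside the window
    locked_until: Optional[float] = None                 # None = not locked, math.inf = indefinite
    lockout_count: int = 0                               # successive lockouts without a success


class LockoutTracker:
    def __init__(self, cfg: LockoutConfig):
        self.cfg = cfg
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user, now):
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        st.locked_until = None      # lock expired: the user may authenticate again
        st.failures.clear()
        return False

    def record_failure(self, user, now):
        """Process a failed authentication at time `now`; returns 'locked', 'warn' or 'ok'."""
        st = self._state(user)
        if self.is_locked(user, now):
            return "locked"
        cutoff = now - self.cfg.loginFailureDuration
        # Failures that occurred outside the interval are ignored (sliding window).
        st.failures = [t for t in st.failures if t > cutoff]
        st.failures.append(now)
        if len(st.failures) >= self.cfg.loginFailureCount:
            st.lockout_count += 1
            if self.cfg.lockoutDuration == 0:
                st.locked_until = math.inf   # indefinite: cleared only by admin_unlock
            else:
                growth = self.cfg.lockoutDurationMultiplier ** (st.lockout_count - 1)
                st.locked_until = now + self.cfg.lockoutDuration * growth
            st.failures.clear()
            return "locked"
        if len(st.failures) >= self.cfg.lockoutWarnUserCount:
            return "warn"
        return "ok"

    def record_success(self, user, now):
        """A successful authentication resets the failure window unless the account is locked."""
        if self.is_locked(user, now):
            return "locked"
        st = self._state(user)
        st.failures.clear()
        st.lockout_count = 0
        return "ok"

    def admin_unlock(self, user):
        self.accounts[user] = AccountState()

    def lock_expiry(self, user):
        return self._state(user).locked_until


if __name__ == "__main__":
    cfg = LockoutConfig(loginFailureCount=5, loginFailureDuration=5, lockoutDuration=10,
                        lockoutDurationMultiplier=2, lockoutWarnUserCount=3)
    tracker = LockoutTracker(cfg)
    for minute in range(5):
        print(minute, tracker.record_failure("alice", minute))
    print("locked until minute", tracker.lock_expiry("alice"))
```

With lockoutDuration set to 0 the model sets an infinite expiry, matching the description's "until administration action"; that branch is the one to verify in a deployment, since an indefinite lock with a low loginFailureCount turns repeated bad passwords against a known account name into a denial of service that only an administrator can clear.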

1.15.1.2. delete

Usage:

am> delete Authentication --realm Realm

1.15.1.3. read

Usage:

am> read Authentication --realm Realm

1.15.1.4. update

Usage:

am> update Authentication --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "general" : {
      "type" : "object",
      "title" : "General",
      "propertyOrder" : 3,
      "properties" : {
        "identityType" : {
          "title" : "Identity Types",
          "description" : "",
          "propertyOrder" : 2500,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "userStatusCallbackPlugins" : {
          "title" : "Pluggable User Status Event Classes",
          "description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.",
          "propertyOrder" : 2600,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "twoFactorRequired" : {
          "title" : "Two Factor Authentication Mandatory",
          "description" : "",
          "propertyOrder" : 3900,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "locale" : {
          "title" : "Default Authentication Locale",
          "description" : "",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "defaultAuthLevel" : {
          "title" : "Default Authentication Level",
          "description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.",
          "propertyOrder" : 4100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "statelessSessionsEnabled" : {
          "title" : "Use Stateless Sessions",
          "description" : "Enables stateless sessions.<br><br>Stateless sessions provide elastic scalability by storing all session state on the client in the SSO cookie. See Session service configuration to enable signing and encryption (HIGHLY RECOMMENDED).",
          "propertyOrder" : 3800,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "core" : {
      "type" : "object",
      "title" : "Core",
      "propertyOrder" : -1,
      "properties" : {
        "orgConfig" : {
          "title" : "Organization Authentication Configuration",
          "description" : "Default Authentication Chain for users<br><br>This is the authentication chain that will be used to authenticate users to this realm.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "adminAuthModule" : {
          "title" : "Administrator Authentication Configuration",
          "description" : "Default Authentication Chain for administrators<br><br>This is the authentication chain that will be used to authentication administrative users to this realm.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "security" : {
      "type" : "object",
      "title" : "Security",
      "propertyOrder" : 4,
      "properties" : {
        "sharedSecret" : {
          "title" : "Organization Authentication Signing Secret",
          "description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. Should be at Base-64 encoded and at least 128-bits in length. By default a cryptographically secure random value is generated.",
          "propertyOrder" : 4000,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "zeroPageLoginAllowedWithoutReferrer" : {
          "title" : "Zero Page Login Allowed without Referer?",
          "description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.",
          "propertyOrder" : 3700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "keyAlias" : {
          "title" : "Persistent Cookie Encryption Certificate Alias",
          "description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.",
          "propertyOrder" : 3300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "zeroPageLoginReferrerWhiteList" : {
          "title" : "Zero Page Login Referer Whitelist",
          "description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.",
          "propertyOrder" : 3600,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "moduleBasedAuthEnabled" : {
          "title" : "Module Based Authentication",
          "description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.",
          "propertyOrder" : 2800,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "zeroPageLoginEnabled" : {
          "title" : "Zero Page Login",
          "description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.",
          "propertyOrder" : 3400,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "userprofile" : {
      "type" : "object",
      "title" : "User Profile",
      "propertyOrder" : 0,
      "properties" : {
        "dynamicProfileCreation" : {
          "title" : "User Profile",
          "description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "aliasAttributeName" : {
          "title" : "Alias Search Attribute Name",
          "description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.",
          "propertyOrder" : 400,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "defaultRole" : {
          "title" : "User Profile Dynamic Creation Default Roles",
          "description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.",
          "propertyOrder" : 300,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "accountlockout" : {
      "type" : "object",
      "title" : "Account Lockout",
      "propertyOrder" : 2,
      "properties" : {
        "lockoutEmailAddress" : {
          "title" : "Email Address to Send Lockout Notification",
          "description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "lockoutWarnUserCount" : {
          "title" : "Warn User After N Failures",
          "description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "lockoutDurationMultiplier" : {
          "title" : "Lockout Duration Multiplier",
          "description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function.  ",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "loginFailureDuration" : {
          "title" : "Login Failure Lockout Interval",
          "description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "lockoutAttributeValue" : {
          "title" : "Lockout Attribute Value",
          "description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "lockoutDuration" : {
          "title" : "Login Failure Lockout Duration",
          "description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "loginFailureCount" : {
          "title" : "Login Failure Lockout Count",
          "description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "loginFailureLockoutMode" : {
          "title" : "Login Failure Lockout Mode",
          "description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "invalidAttemptsDataAttributeName" : {
          "title" : "Invalid Attempts Data Attribute Name",
          "description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "storeInvalidAttemptsInDataStore" : {
          "title" : "Store Invalid Attempts in Data Store",
          "description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled OpenAM will store the users invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property.",
          "propertyOrder" : 2700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "lockoutAttributeName" : {
          "title" : "Lockout Attribute Name",
          "description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. ",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "postauthprocess" : {
      "type" : "object",
      "title" : "Post Authentication Processing",
      "propertyOrder" : 5,
      "properties" : {
        "usernameGeneratorClass" : {
          "title" : "Pluggable User Name Generator Class",
          "description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>",
          "propertyOrder" : 2200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userAttributeSessionMapping" : {
          "title" : "User Attribute Mapping to Session Attribute",
          "description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ",
          "propertyOrder" : 3000,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "loginSuccessUrl" : {
          "title" : "Default Success Login URL",
          "description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
          "propertyOrder" : 1800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "usernameGeneratorEnabled" : {
          "title" : "Generate UserID Mode",
          "description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "loginFailureUrl" : {
          "title" : "Default Failure Login URL ",
          "description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
          "propertyOrder" : 1900,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "loginPostProcessClass" : {
          "title" : "Authentication Post Processing Classes",
          "description" : "A list of post authentication processing classes for all users in this realm.<br><br>This is a list of Post Processing Classes that will be called by OpenAM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set and their precedence. <br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.",
          "propertyOrder" : 2000,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    }
  }
}

1.15.2. Global Operations

Resource path: /global-config/authentication

Resource version: 1.0

1.15.2.1. read

Usage:

am> read Authentication --global

1.15.2.2. update

Usage:

am> update Authentication --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "ldapConnectionPoolDefaultSize" : {
      "title" : "Default LDAP Connection Pool Size",
      "description" : "The default connection pool size; format is: mininum:maximum",
      "propertyOrder" : 2400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "remoteAuthSecurityEnabled" : {
      "title" : "Remote Auth Security",
      "description" : "OpenAM requires authentication client to authenticate itself before authenticating users.<br><br>When this setting is enabled, OpenAM will require the authentication client (such as a policy agent) to authentication itself to OpenAM before the client will be allow to use the remote authentication API to authenticate users. ",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "keepPostProcessInstances" : {
      "title" : "Keep Post Process Objects for Logout Processing",
      "description" : "Store Post Processing Classes for the duration of the session.<br><br>Enabling this setting will cause OpenAM to store instances of post processing classes into the users session. When the user logs out the original instances of the post processing classes will be called instead of new instances. This may be needed for special logout processing.<br/><br/><i>NB </i>Enabling this setting will increase the memory usage of OpenAM.",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ldapConnectionPoolSize" : {
      "title" : "LDAP Connection Pool Size",
      "description" : "Controls the size of the LDAP connection pool used for authentication<br><br>Control the size of the connection pool to the LDAP directory server used by any of the authentication modules that use LDAP directly such as LDAP or Active Directory.Different OpenAM servers can be configured with different connection pool settings.<br/><br/>Format: host:port:minimum:maximum",
      "propertyOrder" : 2300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "authenticators" : {
      "title" : "Pluggable Authentication Module Classes",
      "description" : "List of configured authentication modules<br><br>The list of configured authentication modules available to OpenAM. All modules must extend from the <code>com.sun.identity.authentication.spi.AMLoginModule</code> class.",
      "propertyOrder" : 500,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "defaults" : {
      "properties" : {
        "postauthprocess" : {
          "type" : "object",
          "title" : "Post Authentication Processing",
          "propertyOrder" : 5,
          "properties" : {
            "loginFailureUrl" : {
              "title" : "Default Failure Login URL ",
              "description" : "Failed logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon failed authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
              "propertyOrder" : 1900,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "usernameGeneratorClass" : {
              "title" : "Pluggable User Name Generator Class",
              "description" : "The name of the default implementation of the user name generator class.<br><br>The name of the class used to return a list of usernames to the Membership auth module.<br/><br/><i>NB </i>This class must implement the interface <code>com.sun.identity.authentication.spi.UserIDGenerator</code>",
              "propertyOrder" : 2200,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "userAttributeSessionMapping" : {
              "title" : "User Attribute Mapping to Session Attribute",
              "description" : "Mapping of user profile attribute name to session attribute name.<br><br>The setting causes OpenAM to read the named attributes from the users profile in the data store and store their values in the users session.<br/></br>Format: User Profile Attribute|Session Attribute name. ",
              "propertyOrder" : 3000,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "loginSuccessUrl" : {
              "title" : "Default Success Login URL",
              "description" : "Successful logins will be forwarded to this URL<br><br>This is the URL to which clients will be forwarded upon successful authentication. Enter a URL or URI relative to the local OpenAM. URL or URI can be prefixed with the ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI of OpenAM.",
              "propertyOrder" : 1800,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "usernameGeneratorEnabled" : {
              "title" : "Generate UserID Mode",
              "description" : "Enables this mode in the Membership auth module.<br><br>When this mode is enabled, if the Membership auth module detects that the supplied username already exists in the data store then a list of valid usernames can be shown to the user, if requested by said user.",
              "propertyOrder" : 2100,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "loginPostProcessClass" : {
              "title" : "Authentication Post Processing Classes",
              "description" : "A list of post authentication processing classes for all users in this realm.<br><br>This is a list of Post Processing Classes that will be called by OpenAM for all users that authenticate to this realm. Refer to the documentation for the places where the list of post authentication classes can be set and their precedence. <br/><br/>For example: org.forgerock.auth.PostProcessClass<br/><i>NB </i>OpenAM must be able to find these classes on the <code>CLASSPATH</code> and must implement the interface <code>com.sun.identity.authentication.spi.AMPostAuthProcessInterface</code>.",
              "propertyOrder" : 2000,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            }
          }
        },
        "security" : {
          "type" : "object",
          "title" : "Security",
          "propertyOrder" : 4,
          "properties" : {
            "moduleBasedAuthEnabled" : {
              "title" : "Module Based Authentication",
              "description" : "Allows a user to authenticate via module based authentication.<br><br>The feature allow users to override the realm configuration and use a named authentication module to authenticate.<br/><br/><i>NB </i>Recommended to turn this feature off in production environments.",
              "propertyOrder" : 2800,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "zeroPageLoginReferrerWhiteList" : {
              "title" : "Zero Page Login Referer Whitelist",
              "description" : "List of allowed HTTP Referer (sic) URLs from which Zero Page Login requests are allowed.<br><br>Enter here all URLs from which you want to allow Zero Page Login. This provides some mitigation against Login CSRF attacks. Leave empty to allow from any Referer. Applies to both GET and POST login requests.",
              "propertyOrder" : 3600,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "zeroPageLoginEnabled" : {
              "title" : "Zero Page Login",
              "description" : "Allows a user to authenticate using GET request parameters without showing the login screen.<br><br>Enable this feature if the authentication mechanism uses a single authentication screen or the first authentication screen should always be invisible to users (since it is auto-submitted). Use caution when enabling this feature as it can be used to authenticate using regular GET parameters, which could be cached by browsers and logged in server and proxy access logs exposing the values of the GET parameters.",
              "propertyOrder" : 3400,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "sharedSecret" : {
              "title" : "Organization Authentication Signing Secret",
              "description" : "HMAC shared secret for signing RESTful Authentication requests.<br><br>This is the shared secret for signing state used in RESTful authentication requests. Should be at Base-64 encoded and at least 128-bits in length. By default a cryptographically secure random value is generated.",
              "propertyOrder" : 4000,
              "required" : true,
              "type" : "string",
              "format" : "password",
              "exampleValue" : ""
            },
            "zeroPageLoginAllowedWithoutReferrer" : {
              "title" : "Zero Page Login Allowed without Referer?",
              "description" : "Whether to allow Zero Page Login if the HTTP Referer header is missing.<br><br>The HTTP Referer header is sometimes missing from requests (e.g., if making a request to HTTP from HTTPS). This setting controls whether such requests should be allowed or not. Setting to 'true' will reduce the risk of Login CSRF attacks with Zero Page Login, but may potentially deny legitimate requests.",
              "propertyOrder" : 3700,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "keyAlias" : {
              "title" : "Persistent Cookie Encryption Certificate Alias",
              "description" : "Keystore Alias for encrypting Persistent Cookies.<br><br>This is the alias for the private/public keys in the Keystore used in Persistent Cookie authentication requests.",
              "propertyOrder" : 3300,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "core" : {
          "type" : "object",
          "title" : "Core",
          "propertyOrder" : -1,
          "properties" : {
            "adminAuthModule" : {
              "title" : "Administrator Authentication Configuration",
              "description" : "Default Authentication Chain for administrators<br><br>This is the authentication chain that will be used to authentication administrative users to this realm.",
              "propertyOrder" : 200,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "orgConfig" : {
              "title" : "Organization Authentication Configuration",
              "description" : "Default Authentication Chain for users<br><br>This is the authentication chain that will be used to authenticate users to this realm.",
              "propertyOrder" : 700,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "general" : {
          "type" : "object",
          "title" : "General",
          "propertyOrder" : 3,
          "properties" : {
            "twoFactorRequired" : {
              "title" : "Two Factor Authentication Mandatory",
              "description" : "",
              "propertyOrder" : 3900,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "userStatusCallbackPlugins" : {
              "title" : "Pluggable User Status Event Classes",
              "description" : "List of classes to be called when status of the user account changes.<br><br>When the status of a users account changes, OpenAM can be configured to call into a custom class. The custom class can then be used to perform some action as required. The built in status change events are:<br/><br/><ul><li>Account locked</li><li>Password changed</li></ul><br/>Custom code can also extend this mechanism.",
              "propertyOrder" : 2600,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "statelessSessionsEnabled" : {
              "title" : "Use Stateless Sessions",
              "description" : "Enables stateless sessions.<br><br>Stateless sessions provide elastic scalability by storing all session state on the client in the SSO cookie. See Session service configuration to enable signing and encryption (HIGHLY RECOMMENDED).",
              "propertyOrder" : 3800,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "identityType" : {
              "title" : "Identity Types",
              "description" : "",
              "propertyOrder" : 2500,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "defaultAuthLevel" : {
              "title" : "Default Authentication Level",
              "description" : "The default authentication level for modules in this realm.<br><br>If the authentication module does not set it's own auth level then the module will have the default authentication level for the realm.",
              "propertyOrder" : 4100,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "locale" : {
              "title" : "Default Authentication Locale",
              "description" : "",
              "propertyOrder" : 600,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "accountlockout" : {
          "type" : "object",
          "title" : "Account Lockout",
          "propertyOrder" : 2,
          "properties" : {
            "loginFailureLockoutMode" : {
              "title" : "Login Failure Lockout Mode",
              "description" : "Enables account lockout functionality for users authenticating to this realm.<br><br>OpenAM can track the number of failed authentications by a user over time and if a pre-defined limit is breached, OpenAM can lockout the users account and perform additional functions.<br/><br/><i>NB </i>This functionality is in addition to any account lockout behaviour implemented by the LDAP Directory Server.",
              "propertyOrder" : 800,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "loginFailureCount" : {
              "title" : "Login Failure Lockout Count",
              "description" : "The maximum number of failed authentications for a user before their account is locked.<br><br>This setting controls the maximum number of failed authentications a user can have during the lockout interval before OpenAM locks the users account.",
              "propertyOrder" : 900,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "lockoutAttributeName" : {
              "title" : "Lockout Attribute Name",
              "description" : "Name of custom lockout attribute <br><br>When OpenAM locks an account, the <code>inetuserstatus</code> attribute in the locked account is set to Inactive. In addition, OpenAM can set the value of another attribute in the users profile. ",
              "propertyOrder" : 1500,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "loginFailureDuration" : {
              "title" : "Login Failure Lockout Interval",
              "description" : "The lockout interval time is in minutes.<br><br>OpenAM tracks the failed authentication count for a user over the lockout interval.<br/><br/>For example: If the lockout interval is 5 minutes and the lockout count is 5; the user will have to have failed to authenticate 5 times over the previous 5 minutes for the account to be locked. Failed authentications the occurred outside of the 5 minute interval are ignored.",
              "propertyOrder" : 1000,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "lockoutEmailAddress" : {
              "title" : "Email Address to Send Lockout Notification",
              "description" : "An email address or set of email addresses that receive notifications about account lockout events.<br><br>OpenAM can be configured to send a localisable email message to a set of email addresses when account lockout events occur. The contents of the email message is configured using the following properties in the <code>amAuth.properties</code> file.<br/><ul><li><code>lockOutEmailFrom</code> : The \"From\" address of the email message</li><li><code>lockOutEmailSub</code> : The subject of the email message</li><li><code>lockOutEmailMsg</code> : The contents of the email message</li></ul><br/>The identity for whom the account has been locked is included in the email message.<br/><br/>The format of this property is:<br/><code>emailaddress|locale|charset</code>. Multiple email addresses are space-separated.<br/>Email addresses must include the domain name, such as <code>admin@example.com</code>.",
              "propertyOrder" : 1100,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "lockoutWarnUserCount" : {
              "title" : "Warn User After N Failures",
              "description" : "Warn the user when they reach this level of failed authentications.<br><br>The user will be given a warning when they reach this level of failed authentications during the lockout interval.<br/>The text of the lockout warning is configured using the <code>lockOutWarning</code> property in the <code>amAuth.properties</code> file.",
              "propertyOrder" : 1200,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "lockoutAttributeValue" : {
              "title" : "Lockout Attribute Value",
              "description" : "Value to set in custom lockout attribute<br><br>This is the value that will be set on the custom attribute in the users profile when they account is locked.",
              "propertyOrder" : 1600,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            },
            "lockoutDurationMultiplier" : {
              "title" : "Lockout Duration Multiplier",
              "description" : "Value multiplied to the Login Failure Lockout Duration for each successive lockout.<br><br>This property is used to enable OpenAM to increase the account lockout duration for each successive account lockout. For example: If the lockout duration is set to 10 and the duration multiplier is set to 2; the duration of the first lockout will be 10 minutes and the duration of the second lockout will be 20 minutes.<br/><br/>The default value of 1 disables this function.  ",
              "propertyOrder" : 1400,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "storeInvalidAttemptsInDataStore" : {
              "title" : "Store Invalid Attempts in Data Store",
              "description" : "Enables sharing of login failure attempts across AM Instances<br><br>When this setting is enabled OpenAM will store the users invalid authentication information in the data store under the attribute configured in the <i>Invalid Attempts Data Attribute Name</i> property.",
              "propertyOrder" : 2700,
              "required" : true,
              "type" : "boolean",
              "exampleValue" : ""
            },
            "lockoutDuration" : {
              "title" : "Login Failure Lockout Duration",
              "description" : "The duration of the users account lockout, in minutes.<br><br>OpenAM can either lockout the users account indefinitely (until administration action) by setting the duration to 0, (the default) or OpenAM can lock the users account for a given number of minutes. After the lockout interval, the user will be able to successfully authenticate to OpenAM.",
              "propertyOrder" : 1300,
              "required" : true,
              "type" : "integer",
              "exampleValue" : ""
            },
            "invalidAttemptsDataAttributeName" : {
              "title" : "Invalid Attempts Data Attribute Name",
              "description" : "The name of the attribute used to store information about failed authentications.<br><br>OpenAM can be configured to store information about invalid authentications in the users profile. This allows multiple instances of OpenAM in the same site to share information about a users invalid authentication attempts. By default the custom attribute; <code>sunAMAuthInvalidAttemptsData</code> defined in the <code>sunAMAuthAccountLockout</code> objectclass is used to store this data. Use this property to change the attribute used by OpenAM to store this information.<br/><br/><i>NB </i>Any attribute specified must be a valid attribute in the data store.",
              "propertyOrder" : 1700,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        },
        "userprofile" : {
          "type" : "object",
          "title" : "User Profile",
          "propertyOrder" : 0,
          "properties" : {
            "defaultRole" : {
              "title" : "User Profile Dynamic Creation Default Roles",
              "description" : "List of roles of which dynamically created users will be a member.<br><br>Enter the DN for each role that will be assigned to a new user when their profile has been dynamically created by OpenAM.<br/><br/><i>NB </i> Deprecated functionality in OpenAM.",
              "propertyOrder" : 300,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "aliasAttributeName" : {
              "title" : "Alias Search Attribute Name",
              "description" : "The secondary LDAP attribute retrieves the user profile if the primary LDAP attribute specified in 'User Naming Attribute' fails.<br><br>This list of LDAP attributes is used to extend the set of attributes searched by OpenAM to find the users profile.<br>For example: <ul><li>cn</li><li>mail</li><li>givenname</li></ul><br/>A user authenticates to OpenAM under the id of steve, OpenAM will first search using the naming attribute (uid by default) so uid=steve, if no match is found then cn=steve will be searched until a match is found or the list is exhausted.<br><br/><br/><i>NB </i> Only used when User Profile searching is enabled.",
              "propertyOrder" : 400,
              "required" : true,
              "items" : {
                "type" : "string"
              },
              "type" : "array",
              "exampleValue" : ""
            },
            "dynamicProfileCreation" : {
              "title" : "User Profile",
              "description" : "Controls the result of the user profile success post successful authentication.<br><br>Controls whether a user profile is required for authentication to be successful or if the profile will be dynamically created if none already exists. Choose ignore if you do not have a data store configured in the realm.",
              "propertyOrder" : 100,
              "required" : true,
              "type" : "string",
              "exampleValue" : ""
            }
          }
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}
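
The Account Lockout properties above interact in ways the individual descriptions only sketch: failures are counted over a sliding lockout interval, a lockout duration of 0 means locked until an administrator acts, and the multiplier escalates each successive lock. The Python model below is an added example written for this reference, not AM code; it replays the schema's own figures (5 failures within 5 minutes; a 10-minute lock doubling to 20) with constructed user IDs, and the class and function names are assumptions.

```python
"""Sliding-window account lockout model, in the terms of the Account Lockout schema above."""
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class LockoutConfig:
    """Subset of the accountlockout properties; the defaults here are constructed for the demo."""
    loginFailureLockoutMode: bool = True   # master switch for lockout tracking
    loginFailureCount: int = 5             # failures within the interval that trigger a lock
    loginFailureDuration: int = 5          # lockout interval (sliding window), minutes
    lockoutDuration: int = 0               # lock length in minutes; 0 = until an administrator unlocks
    lockoutDurationMultiplier: int = 1     # factor applied per successive lockout; 1 = no escalation
    lockoutWarnUserCount: int = 0          # warn at this many failures; 0 = never warn


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # failure timestamps, in minutes
    locked_until: Optional[float] = None                 # None = unlocked, math.inf = indefinite
    lockouts: int = 0                                    # successive lockouts, drives the multiplier


class LockoutTracker:
    """In-memory stand-in for the per-user failure data of a single instance (no shared data store)."""

    def __init__(self, cfg: LockoutConfig) -> None:
        self.cfg = cfg
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        """True while a lock is in force; a timed lock expires on its own, an indefinite one never does."""
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        st.locked_until = None  # timed lock has elapsed
        return False

    def record_failure(self, user: str, now: float) -> str:
        """Count one failed authentication; returns 'ok', 'warn' or 'locked'."""
        if not self.cfg.loginFailureLockoutMode:
            return "ok"
        if self.is_locked(user, now):
            return "locked"
        st = self._state(user)
        # Only failures inside the sliding lockout interval count; older ones are ignored.
        st.failures = [t for t in st.failures if now - t < self.cfg.loginFailureDuration]
        st.failures.append(now)
        if len(st.failures) >= self.cfg.loginFailureCount:
            st.lockouts += 1
            st.failures.clear()
            if self.cfg.lockoutDuration == 0:
                st.locked_until = math.inf
            else:
                # First lock: duration * m^0, second: duration * m^1, and so on.
                escalation = self.cfg.lockoutDurationMultiplier ** (st.lockouts - 1)
                st.locked_until = now + self.cfg.lockoutDuration * escalation
            return "locked"
        if self.cfg.lockoutWarnUserCount and len(st.failures) >= self.cfg.lockoutWarnUserCount:
            return "warn"
        return "ok"

    def record_success(self, user: str, now: float) -> bool:
        """A correct password is still rejected while locked; otherwise it resets the failure window."""
        if self.is_locked(user, now):
            return False
        self._state(user).failures.clear()
        return True

    def admin_unlock(self, user: str) -> None:
        """Administrative action that clears a lock (timed or indefinite) and the lockout history."""
        self.accounts[user] = AccountState()


def demo() -> dict:
    """Replays the schema's examples: 5 failures in 5 minutes, then a 10-minute lock doubling to 20."""
    out = {}
    t = LockoutTracker(LockoutConfig(loginFailureCount=5, loginFailureDuration=5,
                                     lockoutWarnUserCount=3, lockoutDuration=10,
                                     lockoutDurationMultiplier=2))
    out["first_four"] = [t.record_failure("steve", m) for m in (0.0, 1.0, 2.0, 3.0)]
    out["stale_failure_ignored"] = t.record_failure("steve", 5.5)  # the failure at 0.0 left the window
    out["fifth_in_window"] = t.record_failure("steve", 5.9)        # 1, 2, 3, 5.5, 5.9 -> locked
    out["locked_first"] = t.accounts["steve"].locked_until         # 5.9 + 10 * 2^0
    out["still_locked_at_15"] = t.is_locked("steve", 15.0)
    out["good_password_rejected"] = t.record_success("steve", 15.0)
    out["expired_at_16"] = t.is_locked("steve", 16.0)
    for m in (16.0, 16.1, 16.2, 16.3, 16.4):
        t.record_failure("steve", m)
    out["locked_second"] = t.accounts["steve"].locked_until        # 16.4 + 10 * 2^1
    # Duration 0: locked indefinitely until an administrator intervenes.
    t0 = LockoutTracker(LockoutConfig(loginFailureCount=3, lockoutDuration=0))
    for m in (0.0, 0.1, 0.2):
        t0.record_failure("alice", m)
    out["indefinite"] = t0.is_locked("alice", 1e9)
    t0.admin_unlock("alice")
    out["after_unlock"] = t0.is_locked("alice", 1e9)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With Store Invalid Attempts in Data Store disabled, each AM instance keeps its own copy of this state, so a user can spread attempts across instances; enabling it moves the failure record into the user's profile attribute so every instance sees the same count.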

1.16. AuthenticationChains

1.16.1. Realm Operations

Resource path: /realm-config/authentication/chains

Resource version: 1.0

1.16.1.1. create

Usage:

am> create AuthenticationChains --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "loginSuccessUrl" : {
      "title" : "Login Success URL",
      "description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
      "propertyOrder" : 200,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "loginFailureUrl" : {
      "title" : "Login Failed URL",
      "description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "loginPostProcessClass" : {
      "title" : "Authentication Post Processing Classes",
      "description" : "Example: com.abc.authentication.PostProcessClass",
      "propertyOrder" : 400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "authChainConfiguration" : {
      "title" : "Authentication Configuration",
      "description" : "",
      "propertyOrder" : 100,
      "required" : true,
      "exampleValue" : "",
      "type" : "array",
      "items" : {
        "type" : "object",
        "properties" : {
          "module" : {
            "type" : "string"
          },
          "criteria" : {
            "type" : "string"
          },
          "options" : {
            "type" : "object",
            "patternProperties" : {
              ".*" : "string"
            }
          }
        }
      }
    }
  }
}

1.16.1.2. delete

Usage:

am> delete AuthenticationChains --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.16.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticationChains --realm Realm --actionName getAllTypes

1.16.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticationChains --realm Realm --actionName getCreatableTypes

1.16.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticationChains --realm Realm --actionName nextdescendents

1.16.1.6. query

Get the full list of instances of this collection. This query supports only the `_queryFilter=true` filter.

Usage:

am> query AuthenticationChains --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.16.1.7. read

Usage:

am> read AuthenticationChains --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.16.1.8. update

Usage:

am> update AuthenticationChains --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "loginSuccessUrl" : {
      "title" : "Login Success URL",
      "description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
      "propertyOrder" : 200,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "loginFailureUrl" : {
      "title" : "Login Failed URL",
      "description" : "URL or ClientType|URL if client specific. URL without http(s) protocol will be appended to the current URI.",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "loginPostProcessClass" : {
      "title" : "Authentication Post Processing Classes",
      "description" : "Example: com.abc.authentication.PostProcessClass",
      "propertyOrder" : 400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "authChainConfiguration" : {
      "title" : "Authentication Configuration",
      "description" : "",
      "propertyOrder" : 100,
      "required" : true,
      "exampleValue" : "",
      "type" : "array",
      "items" : {
        "type" : "object",
        "properties" : {
          "module" : {
            "type" : "string"
          },
          "criteria" : {
            "type" : "string"
          },
          "options" : {
            "type" : "object",
            "patternProperties" : {
              ".*" : "string"
            }
          }
        }
      }
    }
  }
}

1.16.2. Global Operations

Resource path: /global-config/authentication/chains

Resource version: 1.0

1.16.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticationChains --global --actionName getAllTypes

1.16.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticationChains --global --actionName getCreatableTypes

1.16.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticationChains --global --actionName nextdescendents

1.16.2.4. read

Usage:

am> read AuthenticationChains --global

1.16.2.5. update

Usage:

am> update AuthenticationChains --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "dynamic" : {
      "properties" : {
        "authChainConfiguration" : {
          "title" : "Authentication Configuration",
          "description" : "",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Dynamic Attributes"
    }
  }
}

1.17. AuthenticationModules

1.17.1. Realm Operations

The collection of all authentication modules in a realm allows querying for all module instances.

Resource path: /realm-config/authentication/modules

Resource version: 1.0

1.17.1.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticationModules --realm Realm --actionName getAllTypes

1.17.1.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticationModules --realm Realm --actionName getCreatableTypes

1.17.1.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticationModules --realm Realm --actionName nextdescendents

1.17.1.4. query

Query for authentication module instances.

Usage:

am> query AuthenticationModules --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all. Fields that can be queried: [_id]

1.17.2. Global Operations

Global and default configuration for authentication modules.

Resource path: /global-config/authentication/modules

Resource version: 1.0

1.17.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticationModules --global --actionName getAllTypes

1.17.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticationModules --global --actionName getCreatableTypes

1.17.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticationModules --global --actionName nextdescendents

1.18. AuthenticatorOath

1.18.1. Realm Operations

Resource path: /realm-config/services/authenticatorOathService

Resource version: 1.0

1.18.1.1. create

Usage:

am> create AuthenticatorOath --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticatorOATHDeviceSettingsEncryptionScheme" : {
      "title" : "Device Profile Encryption Scheme",
      "description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. A HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key-pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
      "title" : "Key-Pair Alias",
      "description" : "Alias of the certificate and private key in the keystore. The private key is used to encrypt and decrypt device profiles.",
      "propertyOrder" : 600,
      "required" : false,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
      "title" : "Key Store Type",
      "description" : "Type of encryption keystore.<br><br><i>Note:</i> PKCS#11 keystores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "oathAttrName" : {
      "title" : "Profile Storage Attribute",
      "description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
      "title" : "Key Store Password",
      "description" : "Password to unlock the keystore. This password will be encrypted.",
      "propertyOrder" : 500,
      "required" : false,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
      "title" : "Private Key Password",
      "description" : "Password to unlock the private key.",
      "propertyOrder" : 700,
      "required" : false,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystore" : {
      "title" : "Encryption Key Store",
      "description" : "Path to the keystore from which to load encryption keys.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHSkippableName" : {
      "title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
      "description" : "The data store attribute that holds the user's decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.18.1.2. delete

Usage:

am> delete AuthenticatorOath --realm Realm

1.18.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorOath --realm Realm --actionName getAllTypes

1.18.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorOath --realm Realm --actionName getCreatableTypes

1.18.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorOath --realm Realm --actionName nextdescendents

1.18.1.6. read

Usage:

am> read AuthenticatorOath --realm Realm

1.18.1.7. update

Usage:

am> update AuthenticatorOath --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticatorOATHDeviceSettingsEncryptionScheme" : {
      "title" : "Device Profile Encryption Scheme",
      "description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. A HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key-pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
      "title" : "Key-Pair Alias",
      "description" : "Alias of the certificate and private key in the keystore. The private key is used to encrypt and decrypt device profiles.",
      "propertyOrder" : 600,
      "required" : false,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
      "title" : "Key Store Type",
      "description" : "Type of encryption keystore.<br><br><i>Note:</i> PKCS#11 keystores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "oathAttrName" : {
      "title" : "Profile Storage Attribute",
      "description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
      "title" : "Key Store Password",
      "description" : "Password to unlock the keystore. This password will be encrypted.",
      "propertyOrder" : 500,
      "required" : false,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
      "title" : "Private Key Password",
      "description" : "Password to unlock the private key.",
      "propertyOrder" : 700,
      "required" : false,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "authenticatorOATHDeviceSettingsEncryptionKeystore" : {
      "title" : "Encryption Key Store",
      "description" : "Path to the keystore from which to load encryption keys.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorOATHSkippableName" : {
      "title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
      "description" : "The data store attribute that holds the user's decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.18.2. Global Operations

Resource path: /global-config/services/authenticatorOathService

Resource version: 1.0

1.18.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorOath --global --actionName getAllTypes

1.18.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorOath --global --actionName getCreatableTypes

1.18.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorOath --global --actionName nextdescendents

1.18.2.4. read

Usage:

am> read AuthenticatorOath --global

1.18.2.5. update

Usage:

am> update AuthenticatorOath --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "authenticatorOATHDeviceSettingsEncryptionScheme" : {
          "title" : "Device Profile Encryption Scheme",
          "description" : "Encryption scheme for securing device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. A HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key-pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorOATHSkippableName" : {
          "title" : "ForgeRock Authenticator (OATH) Device Skippable Attribute Name",
          "description" : "The data store attribute that holds the user's decision to enable or disable obtaining and providing a password obtained from the ForgeRock Authenticator app. This attribute must be writeable.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorOATHDeviceSettingsEncryptionKeystore" : {
          "title" : "Encryption Key Store",
          "description" : "Path to the keystore from which to load encryption keys.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorOATHDeviceSettingsEncryptionKeystoreType" : {
          "title" : "Key Store Type",
          "description" : "Type of encryption keystore.<br><br><i>Note:</i> PKCS#11 keystores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorOATHDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
          "title" : "Private Key Password",
          "description" : "Password to unlock the private key.",
          "propertyOrder" : 700,
          "required" : false,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "authenticatorOATHDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
          "title" : "Key-Pair Alias",
          "description" : "Alias of the certificate and private key in the keystore. The private key is used to encrypt and decrypt device profiles.",
          "propertyOrder" : 600,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorOATHDeviceSettingsEncryptionKeystorePassword" : {
          "title" : "Key Store Password",
          "description" : "Password to unlock the keystore. This password will be encrypted.",
          "propertyOrder" : 500,
          "required" : false,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "oathAttrName" : {
          "title" : "Profile Storage Attribute",
          "description" : "Attribute for storing ForgeRock Authenticator OATH profiles.<br><br>The default attribute is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.19. AuthenticatorOathModule

1.19.1. Realm Operations

Resource path: /realm-config/authentication/modules/authenticatoroath

Resource version: 1.0

1.19.1.1. create

Usage:

am> create AuthenticatorOathModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "oathAlgorithm" : {
      "title" : "OATH Algorithm to Use",
      "description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "oathIssuerName" : {
      "title" : "Name of the Issuer",
      "description" : "Name to identify the OTP issuer.",
      "propertyOrder" : 1100,
      "required" : true,
      "type" : "string",
      "exampleValue" : "ForgeRock"
    },
    "minimumSecretKeyLength" : {
      "title" : "Minimum Secret Key Length",
      "description" : "Number of hexadecimal characters allowed for the Secret Key.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "totpMaximumClockDrift" : {
      "title" : "Maximum Allowed Clock Drift",
      "description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds the server will allow codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "totpTimeStepInterval" : {
      "title" : "TOTP Time Step Interval",
      "description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "hotpWindowSize" : {
      "title" : "HOTP Window Size",
      "description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the servers last successful login was at counter value 2, then the server will accept a OTP from the OTP device that is from device counter 3 to 102.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "totpTimeStepsInWindow" : {
      "title" : "TOTP Time Steps",
      "description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 1 time steps and a time step interval of 30 seconds the server will allow a code between the previous code, the current code and the next code.",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "addChecksumToOtpEnabled" : {
      "title" : "Add Checksum Digit",
      "description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "passwordLength" : {
      "title" : "One Time Password Length ",
      "description" : "The length of the generated OTP in digits, must be at least 6 and compatible with the hardware/software OTP generators you expect your end-users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "truncationOffset" : {
      "title" : "Truncation Offset",
      "description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left default unless you know your device uses a offset.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.19.1.2. delete

Usage:

am> delete AuthenticatorOathModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.19.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorOathModule --realm Realm --actionName getAllTypes

1.19.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorOathModule --realm Realm --actionName getCreatableTypes

1.19.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorOathModule --realm Realm --actionName nextdescendents

1.19.1.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query AuthenticatorOathModule --realm Realm --filter filter

Parameters:

--filter

A CREST-formatted query filter, where "true" will query all.

1.19.1.7. read

Usage:

am> read AuthenticatorOathModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.19.1.8. update

Usage:

am> update AuthenticatorOathModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "oathAlgorithm" : {
      "title" : "OATH Algorithm to Use",
      "description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "oathIssuerName" : {
      "title" : "Name of the Issuer",
      "description" : "Name to identify the OTP issuer.",
      "propertyOrder" : 1100,
      "required" : true,
      "type" : "string",
      "exampleValue" : "ForgeRock"
    },
    "minimumSecretKeyLength" : {
      "title" : "Minimum Secret Key Length",
      "description" : "Number of hexadecimal characters allowed for the Secret Key.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "totpMaximumClockDrift" : {
      "title" : "Maximum Allowed Clock Drift",
      "description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds the server will allow codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "totpTimeStepInterval" : {
      "title" : "TOTP Time Step Interval",
      "description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "hotpWindowSize" : {
      "title" : "HOTP Window Size",
      "description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the servers last successful login was at counter value 2, then the server will accept a OTP from the OTP device that is from device counter 3 to 102.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "totpTimeStepsInWindow" : {
      "title" : "TOTP Time Steps",
      "description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 1 time steps and a time step interval of 30 seconds the server will allow a code between the previous code, the current code and the next code.",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "addChecksumToOtpEnabled" : {
      "title" : "Add Checksum Digit",
      "description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "passwordLength" : {
      "title" : "One Time Password Length ",
      "description" : "The length of the generated OTP in digits, must be at least 6 and compatible with the hardware/software OTP generators you expect your end-users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "truncationOffset" : {
      "title" : "Truncation Offset",
      "description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left default unless you know your device uses a offset.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.19.2. Global Operations

Resource path: /global-config/authentication/modules/authenticatoroath

Resource version: 1.0

1.19.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorOathModule --global --actionName getAllTypes

1.19.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorOathModule --global --actionName getCreatableTypes

1.19.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorOathModule --global --actionName nextdescendents

1.19.2.4. read

Usage:

am> read AuthenticatorOathModule --global

1.19.2.5. update

Usage:

am> update AuthenticatorOathModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "truncationOffset" : {
          "title" : "Truncation Offset",
          "description" : "This adds an offset to the generation of the OTP.<br><br>This is an option used by the HOTP algorithm that not all devices support. This should be left default unless you know your device uses a offset.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "passwordLength" : {
          "title" : "One Time Password Length ",
          "description" : "The length of the generated OTP in digits, must be at least 6 and compatible with the hardware/software OTP generators you expect your end-users to use. For example, Google and ForgeRock authenticators support values of 6 and 8.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "totpTimeStepsInWindow" : {
          "title" : "TOTP Time Steps",
          "description" : "The number of time steps to check before and after receiving a OTP.<br><br>This is the number of time step intervals to check the received OTP against both forward in time and back in time. For example, with 1 time steps and a time step interval of 30 seconds the server will allow a code between the previous code, the current code and the next code.",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "minimumSecretKeyLength" : {
          "title" : "Minimum Secret Key Length",
          "description" : "Number of hexadecimal characters allowed for the Secret Key.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "hotpWindowSize" : {
          "title" : "HOTP Window Size",
          "description" : "The size of the window to resynchronize with the client.<br><br>This sets the window that the OTP device and the server counter can be out of sync. For example, if the window size is 100 and the servers last successful login was at counter value 2, then the server will accept a OTP from the OTP device that is from device counter 3 to 102.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "oathAlgorithm" : {
          "title" : "OATH Algorithm to Use",
          "description" : "Choose the algorithm your device uses to generate the OTP.<br><br>HOTP uses a counter value that is incremented every time a new OTP is generated. TOTP generates a new OTP every few seconds as specified by the time step interval.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "oathIssuerName" : {
          "title" : "Name of the Issuer",
          "description" : "Name to identify the OTP issuer.",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "string",
          "exampleValue" : "ForgeRock"
        },
        "addChecksumToOtpEnabled" : {
          "title" : "Add Checksum Digit",
          "description" : "This adds a checksum digit to the OTP.<br><br>This adds a digit to the end of the OTP generated to be used as a checksum to verify the OTP was generated correctly. This is in addition to the actual password length. You should only set this if your device supports it.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "totpTimeStepInterval" : {
          "title" : "TOTP Time Step Interval",
          "description" : "The TOTP time step in seconds that the OTP device uses to generate the OTP.<br><br>This is the time interval that one OTP is valid for. For example, if the time step is 30 seconds, then a new OTP will be generated every 30 seconds. This makes a single OTP valid for only 30 seconds.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "totpMaximumClockDrift" : {
          "title" : "Maximum Allowed Clock Drift",
          "description" : "Number of time steps a client is allowed to get out of sync with the server before manual resynchronisation is required. For example, with 3 allowed drifts and a time step interval of 30 seconds the server will allow codes from up to 90 seconds from the current time to be treated as the current time step. The drift for a user's device is calculated each time they enter a new code. If the drift exceeds this value, the user's authentication code will be rejected.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}
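The window, drift and truncation settings described by the oathAlgorithm, hotpWindowSize, totpTimeStepsInWindow, totpMaximumClockDrift, truncationOffset and addChecksumToOtpEnabled properties in the realm and global schemas above (1.19.1.1, 1.19.1.8 and 1.19.2.5) are easiest to follow in code. The following Python is an added illustration, not AM's own implementation: it computes HOTP with the RFC 4226 reference algorithm (including its checksum digit and fixed truncation offset options) and applies the look-ahead window, time-step window and drift limit exactly as the descriptions state; the RFC 4226 test secret is used as constructed input, and how the last counter and drift are persisted per user is an assumption.

```python
"""HOTP/TOTP verification with the window, drift and truncation semantics the
AuthenticatorOathModule schema describes. Added illustration; not AM code."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

# RFC 4226 reference checksum table (Luhn-style digit doubling).
_DOUBLE_DIGITS = (0, 2, 4, 6, 8, 1, 3, 5, 7, 9)


def _checksum(num: int, digits: int) -> int:
    """Checksum digit appended when addChecksumToOtpEnabled is set
    (RFC 4226 reference algorithm)."""
    double = True
    total = 0
    for _ in range(digits):
        digit = num % 10
        num //= 10
        if double:
            digit = _DOUBLE_DIGITS[digit]
        total += digit
        double = not double
    result = total % 10
    return 10 - result if result else 0


def hotp(secret: bytes, counter: int, digits: int = 6,
         truncation_offset: int = -1, add_checksum: bool = False) -> str:
    """RFC 4226 HOTP over HMAC-SHA1. truncation_offset -1 selects dynamic
    truncation (the default unless the device is known to use a fixed offset);
    0..15 fixes the offset, as the truncationOffset property allows."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    if 0 <= truncation_offset < len(mac) - 4:
        offset = truncation_offset
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    otp = binary % (10 ** digits)
    if add_checksum:
        otp = otp * 10 + _checksum(otp, digits)
    return str(otp).zfill(digits + (1 if add_checksum else 0))


def verify_hotp(secret: bytes, code: str, last_counter: int,
                window: int, digits: int = 6) -> Optional[int]:
    """Look-ahead search described for hotpWindowSize: with window 100 and
    last successful counter 2, counters 3..102 are accepted. Returns the
    counter to persist, or None. Counters <= last_counter are never retried,
    which is what blocks replay of an already-used code."""
    for candidate in range(last_counter + 1, last_counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


def verify_totp(secret: bytes, code: str, now: int, stored_drift: int,
                last_step: int, step: int = 30, steps_in_window: int = 1,
                max_drift: int = 3, digits: int = 6) -> Optional[Tuple[int, int]]:
    """TOTP check using totpTimeStepInterval, totpTimeStepsInWindow and
    totpMaximumClockDrift. The device's expected step is the server's step
    plus the drift recorded at the last login; steps_in_window steps either
    side are tried. Returns (matched_step, new_drift) to persist, or None when
    nothing matches, the match would replay an old step, or the recalculated
    drift exceeds max_drift (manual resynchronisation required)."""
    server_step = now // step
    expected_step = server_step + stored_drift
    for k in range(-steps_in_window, steps_in_window + 1):
        candidate = expected_step + k
        if not hmac.compare_digest(hotp(secret, candidate, digits), code):
            continue
        if candidate <= last_step:
            return None  # code from a step already consumed: replay
        new_drift = stored_drift + k
        if abs(new_drift) > max_drift:
            return None  # device too far out of sync
        return candidate, new_drift
    return None


if __name__ == "__main__":
    # Constructed demo input: the RFC 4226 / RFC 6238 test secret.
    secret = b"12345678901234567890"
    print(hotp(secret, 0))                          # 755224
    print(verify_hotp(secret, "969429", 2, 100))    # 3
    print(verify_totp(secret, "287082", 59, 0, 0))  # (1, 0)
```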

1.20. AuthenticatorPush

1.20.1. Realm Operations

Resource path: /realm-config/services/authenticatorPushService

Resource version: 1.0

1.20.1.1. create

Usage:

am> create AuthenticatorPush --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticatorPushDeviceSettingsEncryptionKeystoreType" : {
      "title" : "Key Store Type",
      "description" : "Type of KeyStore to load.<br><br><i>Note:</i> PKCS#11 keystores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
      "title" : "Private Key Password",
      "description" : "Password to unlock the private key.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionScheme" : {
      "title" : "Device Profile Encryption Scheme",
      "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. A HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key-pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "pushAttrName" : {
      "title" : "Profile Storage Attribute",
      "description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
      "title" : "Key-Pair Alias",
      "description" : "Alias of the certificate and private key in the keystore. The private key is used to encrypt and decrypt device profiles.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystorePassword" : {
      "title" : "Key Store Password",
      "description" : "Password to unlock the keystore. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystore" : {
      "title" : "Encryption Key Store",
      "description" : "Path to the keystore from which to load encryption keys.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.20.1.2. delete

Usage:

am> delete AuthenticatorPush --realm Realm

1.20.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorPush --realm Realm --actionName getAllTypes

1.20.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorPush --realm Realm --actionName getCreatableTypes

1.20.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorPush --realm Realm --actionName nextdescendents

1.20.1.6. read

Usage:

am> read AuthenticatorPush --realm Realm

1.20.1.7. update

Usage:

am> update AuthenticatorPush --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticatorPushDeviceSettingsEncryptionKeystoreType" : {
      "title" : "Key Store Type",
      "description" : "Type of KeyStore to load.<br><br><i>Note:</i> PKCS#11 keystores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
      "title" : "Private Key Password",
      "description" : "Password to unlock the private key.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionScheme" : {
      "title" : "Device Profile Encryption Scheme",
      "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. A HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key-pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "pushAttrName" : {
      "title" : "Profile Storage Attribute",
      "description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
      "title" : "Key-Pair Alias",
      "description" : "Alias of the certificate and private key in the keystore. The private key is used to encrypt and decrypt device profiles.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystorePassword" : {
      "title" : "Key Store Password",
      "description" : "Password to unlock the keystore. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "authenticatorPushDeviceSettingsEncryptionKeystore" : {
      "title" : "Encryption Key Store",
      "description" : "Path to the keystore from which to load encryption keys.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.20.2. Global Operations

Resource path: /global-config/services/authenticatorPushService

Resource version: 1.0

1.20.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorPush --global --actionName getAllTypes

1.20.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorPush --global --actionName getCreatableTypes

1.20.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorPush --global --actionName nextdescendents

1.20.2.4. read

Usage:

am> read AuthenticatorPush --global

1.20.2.5. update

Usage:

am> update AuthenticatorPush --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "authenticatorPushDeviceSettingsEncryptionKeystorePrivateKeyPassword" : {
          "title" : "Private Key Password",
          "description" : "Password to unlock the private key.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "authenticatorPushDeviceSettingsEncryptionKeystoreType" : {
          "title" : "Key Store Type",
          "description" : "Type of KeyStore to load.<br><br><i>Note:</i> PKCS#11 keystores require hardware support such as a security device or smart card and is not available by default in most JVM installations.<p><p>See the <a href=\"https://docs.oracle.com/javase/8/docs/technotes/guides/security/p11guide.html\" target=\"_blank\">JDK 8 PKCS#11 Reference Guide</a> for more details.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorPushDeviceSettingsEncryptionKeystorePassword" : {
          "title" : "Key Store Password",
          "description" : "Password to unlock the keystore. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "authenticatorPushDeviceSettingsEncryptionScheme" : {
          "title" : "Device Profile Encryption Scheme",
          "description" : "Encryption scheme to use to secure device profiles stored on the server.<br><br>If enabled, each device profile is encrypted using a unique random secret key using the given strength of AES encryption in CBC mode with PKCS#5 padding. A HMAC-SHA of the given strength (truncated to half-size) is used to ensure integrity protection and authenticated encryption. The unique random key is encrypted with the given RSA key-pair and stored with the device profile.<p><p><i>Note:</i> AES-256 may require installation of the JCE Unlimited Strength policy files.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorPushDeviceSettingsEncryptionKeystore" : {
          "title" : "Encryption Key Store",
          "description" : "Path to the keystore from which to load encryption keys.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "pushAttrName" : {
          "title" : "Profile Storage Attribute",
          "description" : "The user's attribute in which to store Push Notification profiles.<br><br>The default attribute is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticatorPushDeviceSettingsEncryptionKeystoreKeyPairAlias" : {
          "title" : "Key-Pair Alias",
          "description" : "Alias of the certificate and private key in the keystore. The private key is used to encrypt and decrypt device profiles.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.21. AuthenticatorPushModule

1.21.1. Realm Operations

Resource path: /realm-config/authentication/modules/authPush

Resource version: 1.0

1.21.1.1. create

Usage:

am> create AuthenticatorPushModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "timeoutInMilliSecconds" : {
      "title" : "Return Message Timeout (ms)",
      "description" : "The period of time (in milliseconds) within which a push notification should be replied to.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "pushMessage" : {
      "title" : "Login Message",
      "description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.21.1.2. delete

Usage:

am> delete AuthenticatorPushModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.21.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorPushModule --realm Realm --actionName getAllTypes

1.21.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorPushModule --realm Realm --actionName getCreatableTypes

1.21.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorPushModule --realm Realm --actionName nextdescendents

1.21.1.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query AuthenticatorPushModule --realm Realm --filter filter

Parameters:

--filter

A CREST-formatted query filter; "true" returns all instances.

1.21.1.7. read

Usage:

am> read AuthenticatorPushModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.21.1.8. update

Usage:

am> update AuthenticatorPushModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "timeoutInMilliSecconds" : {
      "title" : "Return Message Timeout (ms)",
      "description" : "The period of time (in milliseconds) within which a push notification should be replied to.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "pushMessage" : {
      "title" : "Login Message",
      "description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.21.2. Global Operations

Resource path: /global-config/authentication/modules/authPush

Resource version: 1.0

1.21.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorPushModule --global --actionName getAllTypes

1.21.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorPushModule --global --actionName getCreatableTypes

1.21.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorPushModule --global --actionName nextdescendents

1.21.2.4. read

Usage:

am> read AuthenticatorPushModule --global

1.21.2.5. update

Usage:

am> update AuthenticatorPushModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "pushMessage" : {
          "title" : "Login Message",
          "description" : "Message transmitted over Push. Use the label {{user}} to replace with the registered login's username, and {{issuer}} to replace with the name of the issuer stored at registration.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "timeoutInMilliSecconds" : {
          "title" : "Return Message Timeout (ms)",
          "description" : "The period of time (in milliseconds) within which a push notification should be replied to.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.22. AuthenticatorPushRegistrationModule

1.22.1. Realm Operations

Resource path: /realm-config/authentication/modules/authPushReg

Resource version: 1.0

1.22.1.1. create

Usage:

am> create AuthenticatorPushRegistrationModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "issuer" : {
      "title" : "Issuer Name",
      "description" : "The Name of the service as it will appear on the registered device.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "googleLink" : {
      "title" : "Google Play URL",
      "description" : "URL of the app to download on Google Play.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "appleLink" : {
      "title" : "App Store App URL",
      "description" : "URL of the app to download on the App Store.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "timeoutInMilliSecconds" : {
      "title" : "Registration Response Timeout (ms)",
      "description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "imgUrl" : {
      "title" : "Image URL",
      "description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : "http://example.com/image.png"
    },
    "bgcolour" : {
      "title" : "Background Colour",
      "description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.22.1.2. delete

Usage:

am> delete AuthenticatorPushRegistrationModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.22.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorPushRegistrationModule --realm Realm --actionName getAllTypes

1.22.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorPushRegistrationModule --realm Realm --actionName getCreatableTypes

1.22.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorPushRegistrationModule --realm Realm --actionName nextdescendents

1.22.1.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query AuthenticatorPushRegistrationModule --realm Realm --filter filter

Parameters:

--filter

A CREST-formatted query filter; "true" returns all instances.

1.22.1.7. read

Usage:

am> read AuthenticatorPushRegistrationModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.22.1.8. update

Usage:

am> update AuthenticatorPushRegistrationModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "issuer" : {
      "title" : "Issuer Name",
      "description" : "The Name of the service as it will appear on the registered device.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "googleLink" : {
      "title" : "Google Play URL",
      "description" : "URL of the app to download on Google Play.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "appleLink" : {
      "title" : "App Store App URL",
      "description" : "URL of the app to download on the App Store.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "timeoutInMilliSecconds" : {
      "title" : "Registration Response Timeout (ms)",
      "description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "imgUrl" : {
      "title" : "Image URL",
      "description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : "http://example.com/image.png"
    },
    "bgcolour" : {
      "title" : "Background Colour",
      "description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.22.2. Global Operations

Resource path: /global-config/authentication/modules/authPushReg

Resource version: 1.0

1.22.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action AuthenticatorPushRegistrationModule --global --actionName getAllTypes

1.22.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action AuthenticatorPushRegistrationModule --global --actionName getCreatableTypes

1.22.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action AuthenticatorPushRegistrationModule --global --actionName nextdescendents

1.22.2.4. read

Usage:

am> read AuthenticatorPushRegistrationModule --global

1.22.2.5. update

Usage:

am> update AuthenticatorPushRegistrationModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "bgcolour" : {
          "title" : "Background Colour",
          "description" : "The background colour of the image to display behind your identity issuer's logo within the mobile app.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "appleLink" : {
          "title" : "App Store App URL",
          "description" : "URL of the app to download on the App Store.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "issuer" : {
          "title" : "Issuer Name",
          "description" : "The Name of the service as it will appear on the registered device.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "googleLink" : {
          "title" : "Google Play URL",
          "description" : "URL of the app to download on Google Play.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "imgUrl" : {
          "title" : "Image URL",
          "description" : "The location of the image to download and display as your identity issuer's logo within the mobile app.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "exampleValue" : "http://example.com/image.png"
        },
        "timeoutInMilliSecconds" : {
          "title" : "Registration Response Timeout (ms)",
          "description" : "The period of time (in milliseconds) within which the registration QR code should be replied to.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.23. BaseUrlSource

1.23.1. Realm Operations

Resource path: /realm-config/services/baseurl

Resource version: 1.0

1.23.1.1. create

Usage:

am> create BaseUrlSource --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "extensionClassName" : {
      "title" : "Extension class name",
      "description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "fixedValue" : {
      "title" : "Fixed value base URL",
      "description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "source" : {
      "title" : "Base URL Source",
      "description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "contextPath" : {
      "title" : "Context path",
      "description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.23.1.2. delete

Usage:

am> delete BaseUrlSource --realm Realm

1.23.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action BaseUrlSource --realm Realm --actionName getAllTypes

1.23.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action BaseUrlSource --realm Realm --actionName getCreatableTypes

1.23.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action BaseUrlSource --realm Realm --actionName nextdescendents

1.23.1.6. read

Usage:

am> read BaseUrlSource --realm Realm

1.23.1.7. update

Usage:

am> update BaseUrlSource --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "extensionClassName" : {
      "title" : "Extension class name",
      "description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "fixedValue" : {
      "title" : "Fixed value base URL",
      "description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "source" : {
      "title" : "Base URL Source",
      "description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "contextPath" : {
      "title" : "Context path",
      "description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.23.2. Global Operations

Resource path: /global-config/services/baseurl

Resource version: 1.0

1.23.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action BaseUrlSource --global --actionName getAllTypes

1.23.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action BaseUrlSource --global --actionName getCreatableTypes

1.23.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action BaseUrlSource --global --actionName nextdescendents

1.23.2.4. read

Usage:

am> read BaseUrlSource --global

1.23.2.5. update

Usage:

am> update BaseUrlSource --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "extensionClassName" : {
          "title" : "Extension class name",
          "description" : "If Extension class is selected as the Base URL source, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code> in the Extension class name field.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "source" : {
          "title" : "Base URL Source",
          "description" : "Specifies the source of the base URL. Choose from the following:<ul> <li>Extension class. Specifies that the extension class returns a base URL from a provided HttpServletRequest. In the Extension class name field, enter <code>org.forgerock.openam.services.baseurl.BaseURLProvider</code>.</li><li>Fixed value. Specifies that the base URL is retrieved from a specific base URL value. In the Fixed value base URL field, enter the base URL value.</li><li>Forwarded header. Specifies that the base URL is retrieved from a forwarded header field in the HTTP request. The Forwarded HTTP header field is standardized and specified in <a href=\"https://tools.ietf.org/html/rfc7239\">RFC7239</a>.</li><li>Host/protocol from incoming request. Specifies that the hostname, server name, and port are retrieved from the incoming HTTP request.</li><li>X-Forwarded-* headers. Specifies that the base URL is retrieved from non-standard header fields, such as <code>X-Forwarded-For</code>, <code>X-Forwarded-By</code>, and <code>X-Forwarded-Proto</code>.</li></ul>",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "contextPath" : {
          "title" : "Context path",
          "description" : "Specifies the context path for the base URL.<p><p>If provided, the base URL includes the deployment context path appended to the calculated URL.<p>For example, <code>/openam</code>.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "fixedValue" : {
          "title" : "Fixed value base URL",
          "description" : "If Fixed value is selected as the Base URL source, enter the base URL in the Fixed value base URL field.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}
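
The "Base URL Source" property above lists five ways AM can derive its base URL. The following is an added illustration (not AM's own code) of the four non-extension modes, keyed by the page's display labels; it assumes that in X-Forwarded-* mode the scheme and host come from X-Forwarded-Proto and X-Forwarded-Host, which the page does not state.

```python
"""Base URL derivation for the BaseUrlSource "source" modes (added example,
not AM code).  Mode names are the page's display labels.  Assumption: in the
X-Forwarded-* mode the scheme is X-Forwarded-Proto and the host is
X-Forwarded-Host (the page only lists X-Forwarded-For/-By/-Proto "such as")."""
from typing import Mapping, Optional, Tuple

DEFAULT_PORTS = {"http": 80, "https": 443}


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _split_host(hostport: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' or '[v6-literal]:port' into host and optional int port."""
    if hostport.startswith("["):
        host, _, rest = hostport.partition("]")
        host += "]"
        port = rest[1:] if rest.startswith(":") else ""
    else:
        host, _, port = hostport.partition(":")
    return host, (int(port) if port else None)


def parse_forwarded(value: str) -> dict:
    """Parse the first element of an RFC 7239 Forwarded header.

    Elements are comma-separated, one per proxy hop; each is a semicolon-
    separated list of key=value pairs whose values may be quoted.  The first
    element is the one written by the proxy nearest the client.
    """
    params = {}
    for pair in value.split(",", 1)[0].split(";"):
        key, sep, val = pair.partition("=")
        if sep:
            params[key.strip().lower()] = val.strip().strip('"')
    return params


def _assemble(scheme: str, host: str, port: Optional[int], context_path: str) -> str:
    """Join scheme://host[:port]context_path, eliding the scheme's default port."""
    scheme = scheme.lower()
    authority = host if port in (None, DEFAULT_PORTS.get(scheme)) else f"{host}:{port}"
    return f"{scheme}://{authority}{context_path}"


def compute_base_url(source: str, headers: Mapping[str, str], *,
                     fixed_value: Optional[str] = None,
                     request_scheme: Optional[str] = None,
                     request_host: Optional[str] = None,
                     request_port: Optional[int] = None,
                     context_path: str = "") -> str:
    """Return the base URL for one BaseUrlSource mode.

    `headers` are the incoming request headers; `request_*` are what the
    container saw on the connection.  The header-derived modes trust whatever
    the request carries, so they are only sound behind a reverse proxy that
    strips and rewrites those headers.  Missing headers raise rather than
    silently falling back, so a misconfiguration is visible.
    """
    if context_path and not context_path.startswith("/"):
        context_path = "/" + context_path
    if source == "Fixed value":
        if not fixed_value:
            raise ValueError("Fixed value mode needs the Fixed value base URL")
        return fixed_value.rstrip("/") + context_path
    if source == "Host/protocol from incoming request":
        if not (request_scheme and request_host):
            raise ValueError("request scheme and host are required")
        return _assemble(request_scheme, request_host, request_port, context_path)
    if source == "Forwarded header":
        raw = _header(headers, "Forwarded")
        if raw is None:
            raise ValueError("Forwarded header absent")
        fwd = parse_forwarded(raw)
        scheme = fwd.get("proto") or request_scheme
        hostport = fwd.get("host")
    elif source == "X-Forwarded-* headers":
        scheme = _header(headers, "X-Forwarded-Proto") or request_scheme
        hostport = _header(headers, "X-Forwarded-Host")
        if hostport:
            hostport = hostport.split(",", 1)[0].strip()  # nearest-client hop only
    elif source == "Extension class":
        raise NotImplementedError("delegated to the configured Java BaseURLProvider")
    else:
        raise ValueError(f"unknown Base URL Source: {source!r}")
    if not scheme or not hostport:
        raise ValueError(f"{source}: scheme or host missing from request headers")
    host, port = _split_host(hostport)
    return _assemble(scheme, host, port, context_path)
```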

1.24. CertificateModule

1.24.1. Realm Operations

Resource path: /realm-config/authentication/modules/certificate

Resource version: 1.0

1.24.1.1. create

Usage:

am> create CertificateModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "matchCertificateToCRL" : {
      "title" : "Match Certificate to CRL",
      "description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "matchCACertificateToCRL" : {
      "title" : "Match CA Certificate to CRL",
      "description" : "The CA certificate that issued the client certificate will also be checked against the CRL.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ldapCertificateAttribute" : {
      "title" : "Subject DN Attribute Used to Search LDAP for Certificates",
      "description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "clientCertificateHttpHeaderName" : {
      "title" : "HTTP Header Name for Client Certificate",
      "description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.",
      "propertyOrder" : 1900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "iplanet-am-auth-cert-gw-cert-preferred" : {
      "title" : "Use only Certificate from HTTP request header",
      "description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "matchCertificateInLdap" : {
      "title" : "Match Certificate in LDAP",
      "description" : "The client certificate must exist in the directory for the authentication to be successful.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "cacheCRLsInMemory" : {
      "title" : "Cache CRLs in memory",
      "description" : "The CRLs will be cached in memory",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "sslEnabled" : {
      "title" : "Use SSL/TLS for LDAP Access",
      "description" : "The certificate module will use SSL/TLS to access the LDAP server",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "LDAP Server Authentication User",
      "description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "certificateLdapServers" : {
      "title" : "LDAP Server Where Certificates are Stored",
      "description" : "Use this list to set the LDAP server used to search for certificates. <br><br>The Certificate authentication module will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1000,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "crlHttpParameters" : {
      "title" : "HTTP Parameters for CRL Update",
      "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "crlMatchingCertificateAttribute" : {
      "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
      "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap searchfilter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', searchfilter used will be <code>(CN=Some CA)</code><br/><br/>If serveral attribute names are specified, they have to separated by <code>,</code>. The resulting ldap searchfilter value will be a comma separated list of name attribute values, the search attribute will be <code>cn</code><br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN,serialNumber', searchfilter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the values of the attribute names matter as they must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "updateCRLsFromDistributionPoint" : {
      "title" : "Update CA CRLs from CRLDistributionPoint",
      "description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if neeed (i.e. CRL is out-of-date). <br/>This property controls if the update should be performed.<br/>This property is only used if CA CRL checking is enabled.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ocspValidationEnabled" : {
      "title" : "OCSP Validation",
      "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "certificateAttributeToProfileMapping" : {
      "title" : "Certificate Field Used to Access User Profile",
      "description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate.  ",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userBindPassword" : {
      "title" : "LDAP Server Authentication Password",
      "description" : "The password for the authentication user",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "certificateAttributeProfileMappingExtension" : {
      "title" : "SubjectAltNameExt Value Type to Access User Profile",
      "description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "ldapSearchStartDN" : {
      "title" : "LDAP Search Start or Base DN",
      "description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "trustedRemoteHosts" : {
      "title" : "Trusted Remote Hosts",
      "description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module,<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "otherCertificateAttributeToProfileMapping" : {
      "title" : "Other Certificate Field Used to Access User Profile",
      "description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.24.1.2. delete

Usage:

am> delete CertificateModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.24.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action CertificateModule --realm Realm --actionName getAllTypes

1.24.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action CertificateModule --realm Realm --actionName getCreatableTypes

1.24.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action CertificateModule --realm Realm --actionName nextdescendents

1.24.1.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query CertificateModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.24.1.7. read

Usage:

am> read CertificateModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.24.1.8. update

Usage:

am> update CertificateModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "matchCertificateToCRL" : {
      "title" : "Match Certificate to CRL",
      "description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "matchCACertificateToCRL" : {
      "title" : "Match CA Certificate to CRL",
      "description" : "The CA certificate that issued the client certificate will also be checked against the CRL.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ldapCertificateAttribute" : {
      "title" : "Subject DN Attribute Used to Search LDAP for Certificates",
      "description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "clientCertificateHttpHeaderName" : {
      "title" : "HTTP Header Name for Client Certificate",
      "description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.",
      "propertyOrder" : 1900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "iplanet-am-auth-cert-gw-cert-preferred" : {
      "title" : "Use only Certificate from HTTP request header",
      "description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "matchCertificateInLdap" : {
      "title" : "Match Certificate in LDAP",
      "description" : "The client certificate must exist in the directory for the authentication to be successful.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "cacheCRLsInMemory" : {
      "title" : "Cache CRLs in memory",
      "description" : "The CRLs will be cached in memory",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "sslEnabled" : {
      "title" : "Use SSL/TLS for LDAP Access",
      "description" : "The certificate module will use SSL/TLS to access the LDAP server",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "userBindDN" : {
      "title" : "LDAP Server Authentication User",
      "description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "certificateLdapServers" : {
      "title" : "LDAP Server Where Certificates are Stored",
      "description" : "Use this list to set the LDAP server used to search for certificates. <br><br>The Certificate authentication module will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1000,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "crlHttpParameters" : {
      "title" : "HTTP Parameters for CRL Update",
      "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "crlMatchingCertificateAttribute" : {
      "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
      "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap searchfilter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', searchfilter used will be <code>(CN=Some CA)</code><br/><br/>If serveral attribute names are specified, they have to separated by <code>,</code>. The resulting ldap searchfilter value will be a comma separated list of name attribute values, the search attribute will be <code>cn</code><br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN,serialNumber', searchfilter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the values of the attribute names matter as they must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "updateCRLsFromDistributionPoint" : {
      "title" : "Update CA CRLs from CRLDistributionPoint",
      "description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if neeed (i.e. CRL is out-of-date). <br/>This property controls if the update should be performed.<br/>This property is only used if CA CRL checking is enabled.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "ocspValidationEnabled" : {
      "title" : "OCSP Validation",
      "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "certificateAttributeToProfileMapping" : {
      "title" : "Certificate Field Used to Access User Profile",
      "description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate.  ",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userBindPassword" : {
      "title" : "LDAP Server Authentication Password",
      "description" : "The password for the authentication user",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "certificateAttributeProfileMappingExtension" : {
      "title" : "SubjectAltNameExt Value Type to Access User Profile",
      "description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "ldapSearchStartDN" : {
      "title" : "LDAP Search Start or Base DN",
      "description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
      "propertyOrder" : 1100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "trustedRemoteHosts" : {
      "title" : "Trusted Remote Hosts",
      "description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module,<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "otherCertificateAttributeToProfileMapping" : {
      "title" : "Other Certificate Field Used to Access User Profile",
      "description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}
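The create and update schemas above describe, in prose, how three CertificateModule properties are interpreted: `crlMatchingCertificateAttribute` (how the CRL search filter is built from the issuer DN), `crlHttpParameters` (the `param1=value1,param2=value2` form) and `trustedRemoteHosts` (when a certificate carried in the configured HTTP header may be accepted from a peer). The Python below is an added example, not code from AM or Amster, that reproduces those documented rules so an administrator can check what a given configuration value will produce before applying it. The function names, the constructed sample DN, and the RFC 4515 escaping of certificate-derived values placed into an LDAP filter are the example's own choices, not something the reference states AM does.

```python
"""Reproduce the documented behaviour of three CertificateModule properties.

Added example (not AM/Amster code). The inputs below are constructed to match
the examples quoted in the schema descriptions.
"""
import ipaddress
from typing import Dict, List, Tuple


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Minimal RFC 2253-style DN parser: split on unescaped commas, then on the
    first '='. Returns ordered (attribute, value) pairs."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # previous char was a backslash: keep literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        name, _, value = part.strip().partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def ldap_escape(value: str) -> str:
    """Escape a filter assertion value per RFC 4515 (assumption of this example)
    so that data read from a certificate cannot change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def crl_search_filter(issuer_dn: str, attr_names: str) -> str:
    """Build the CRL search filter as the property description states.

    One attribute name        -> (attr=<value of attr in the issuer DN>)
    Several names, comma-sep. -> (cn=name1=value1,name2=value2,...) in the
                                 configured order, which must match the cn of
                                 the crlDistributionPoint entry in the directory.
    """
    names = [n.strip() for n in attr_names.split(",") if n.strip()]
    if not names:
        raise ValueError("no attribute names configured")
    dn = {k.lower(): v for k, v in parse_dn(issuer_dn)}
    for n in names:
        if n.lower() not in dn:
            raise ValueError("attribute %r not present in issuer DN" % n)
    if len(names) == 1:
        return "(%s=%s)" % (names[0], ldap_escape(dn[names[0].lower()]))
    value = ",".join("%s=%s" % (n, dn[n.lower()]) for n in names)
    return "(cn=%s)" % ldap_escape(value)


def parse_crl_http_parameters(spec: str) -> Dict[str, str]:
    """Parse the documented 'param1=value1,param2=value2' form into a dict,
    rejecting entries without a name or an '='."""
    params: Dict[str, str] = {}
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep or not name.strip():
            raise ValueError("malformed CRL HTTP parameter: %r" % item)
        params[name.strip()] = value.strip()
    return params


def header_certificate_allowed(trusted_remote_hosts: List[str], remote_ip: str) -> bool:
    """Decide whether a client certificate supplied in the configured HTTP header
    may be trusted from this peer. 'none' (the default) or an empty list disables
    the feature (fail closed), 'any' accepts every peer, otherwise the peer's
    address must be one of the listed addresses."""
    hosts = [h.strip() for h in trusted_remote_hosts if h.strip()]
    if not hosts or "none" in hosts:
        return False
    if "any" in hosts:
        return True
    peer = ipaddress.ip_address(remote_ip)
    for h in hosts:
        try:
            if ipaddress.ip_address(h) == peer:
                return True
        except ValueError:          # not an IP address: can never match
            continue
    return False


if __name__ == "__main__":
    issuer = "C=US, CN=Some CA, serialNumber=123456"   # constructed, from the schema text
    print(crl_search_filter(issuer, "CN"))              # (CN=Some CA)
    print(crl_search_filter(issuer, "CN,serialNumber")) # (cn=CN=Some CA,serialNumber=123456)
    print(parse_crl_http_parameters("param1=value1,param2=value2"))
    print(header_certificate_allowed(["10.0.0.5"], "10.0.0.5"))
```

The multi-attribute case keeps the configured order of names, because the description states the assembled value must equal the `cn` of the crlDistributionPoint entry; reordering the names silently produces a filter that matches nothing. `header_certificate_allowed` returns `False` for the default `none`, which is the safe outcome when TLS is terminated upstream and no trusted peer list has been configured.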

1.24.2. Global Operations

Resource path: /global-config/authentication/modules/certificate

Resource version: 1.0

1.24.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action CertificateModule --global --actionName getAllTypes

1.24.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action CertificateModule --global --actionName getCreatableTypes

1.24.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action CertificateModule --global --actionName nextdescendents

1.24.2.4. read

Usage:

am> read CertificateModule --global

1.24.2.5. update

Usage:

am> update CertificateModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "clientCertificateHttpHeaderName" : {
          "title" : "HTTP Header Name for Client Certificate",
          "description" : "The name of the HTTP request header containing the certificate, only used when <i>Trusted Remote Hosts</i> mode is enabled.",
          "propertyOrder" : 1900,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "ldapSearchStartDN" : {
          "title" : "LDAP Search Start or Base DN",
          "description" : "The start point in the LDAP server for the certificate search<br><br>When entering multiple entries, each entry must be prefixed with a local server name. Multiple entries allow different search Base DNs depending on the OpenAM server in use. The format is:<br/><br/><code>local server name | base dn</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 1100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "iplanet-am-auth-cert-gw-cert-preferred" : {
          "title" : "Use only Certificate from HTTP request header",
          "description" : "Strictly use client cert from HTTP header over cert from HTTPS connection/servlet attribute",
          "propertyOrder" : 2000,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "ldapCertificateAttribute" : {
          "title" : "Subject DN Attribute Used to Search LDAP for Certificates",
          "description" : "This is the attribute used to search the directory for the certificate<br><br>The Certificate module will search the directory for the certificate using the search filter based on this attribute and the value of the Subject DN taken from the certificate.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "crlHttpParameters" : {
          "title" : "HTTP Parameters for CRL Update",
          "description" : "These parameters will be included in any HTTP CRL call to the Certificate Authority<br><br>If the Client or CA certificate contains the Issuing Distribution Point Extension then OpenAM will use this information to retrieve the CRL from the distribution point. This property allow custom HTTP parameters to be included in the CRL request.<br/><br/>The format of the parameter is as follows:<br/><br/><code>param1=value1,param2=value</code>",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "updateCRLsFromDistributionPoint" : {
          "title" : "Update CA CRLs from CRLDistributionPoint",
          "description" : "Fetch new CA CRLs from CRLDistributionPoint and update it in Directory Server<br><br>If the CA certificate includes an IssuingDistributionPoint or has an CRLDistributionPoint extension set OpenAM tries to update the CRLs if neeed (i.e. CRL is out-of-date). <br/>This property controls if the update should be performed.<br/>This property is only used if CA CRL checking is enabled.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "userBindPassword" : {
          "title" : "LDAP Server Authentication Password",
          "description" : "The password for the authentication user",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "cacheCRLsInMemory" : {
          "title" : "Cache CRLs in memory",
          "description" : "The CRLs will be cached in memory",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "crlMatchingCertificateAttribute" : {
          "title" : "Issuer DN Attribute(s) Used to Search LDAP for CRLs",
          "description" : "This is the name of the attribute taken from the CA certificate that will be used to search the CRL.<br><br>If only one attribute name is specified, the ldap searchfilter will be (attrName=Value_of_the_corresponding_Attribute_from_SubjectDN)<br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute name specified is 'CN', searchfilter used will be <code>(CN=Some CA)</code><br/><br/>If serveral attribute names are specified, they have to separated by <code>,</code>. The resulting ldap searchfilter value will be a comma separated list of name attribute values, the search attribute will be <code>cn</code><br/>e.g. SubjectDN of issuer cert 'C=US, CN=Some CA, serialNumber=123456',attribute names specified are 'CN,serialNumber', searchfilter used will be <code>cn=CN=Some CA,serialNumber=123456</code><br/>The order of the values of the attribute names matter as they must match the value of the <code>cn</code> attribute of a crlDistributionPoint entry in the directory server.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "userBindDN" : {
          "title" : "LDAP Server Authentication User",
          "description" : "DN of the user used by the module to authenticate to the LDAP server<br><br>The Certificate module authenticates to the LDAP server in order to search for a matching certificate. The DN entered here represents the account used for said authentication and must have read/search access to the LDAP server.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "ocspValidationEnabled" : {
          "title" : "OCSP Validation",
          "description" : "Enable Online Certificate Status Protocol validation for OCSP aware certificates<br><br>If the certificate contains OCSP validation information then OpenAM will use this information to check the validity of the certificate as part of the authentication process.<br/><br/><i>NB </i>The OpenAM server must have Internet connectivity for OCSP to work",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "certificateAttributeProfileMappingExtension" : {
          "title" : "SubjectAltNameExt Value Type to Access User Profile",
          "description" : "Use the Subject Alternative Name Field in preference to one of the standard certificate fields.<br><br>Selecting RFC822Name or UPN will cause this field to have have precedence over the <i>Certificate Field Used to Access User Profile</i> or <i>Other Certificate Field Used to Access User Profile</i> attribute.<br/><br/><i>NB </i>The client certificate must contain the <i>Subject Alternate Name Extension</i> for this function to operate.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "matchCertificateInLdap" : {
          "title" : "Match Certificate in LDAP",
          "description" : "The client certificate must exist in the directory for the authentication to be successful.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "sslEnabled" : {
          "title" : "Use SSL/TLS for LDAP Access",
          "description" : "The certificate module will use SSL/TLS to access the LDAP server",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "trustedRemoteHosts" : {
          "title" : "Trusted Remote Hosts",
          "description" : "A list of IP addresses trusted to supply client certificates.<br><br>If SSL/TLS is being terminated at a load balancer or at the Distributed Authentication server then this option can be used to ensure that only specified <i>trusted</i> hosts (identified by IP address) are allowed to supply client certificates to the certificate module,<br/><br/>Valid values for this list are as follows:<ul><li>none</li><li>any</li><li>multiple IP addresses</li></ul><br/><br/>The default value of <i>none</i> disables this functionality",
          "propertyOrder" : 1800,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "matchCACertificateToCRL" : {
          "title" : "Match CA Certificate to CRL",
          "description" : "The CA certificate that issued the client certificate will also be checked against the CRL.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "certificateLdapServers" : {
          "title" : "LDAP Server Where Certificates are Stored",
          "description" : "Use this list to set the LDAP server used to search for certificates. <br><br>The Certificate authentication module will use this list for the LDAP server used to search for certificates. A single entry must be in the format:<br/><br/><code>ldap_server:port</code><br/><br/>Multiple entries allow associations between OpenAM servers and a LDAP server. The format is:<br/><br/><code>local server name | server:port</code><br/><br/>The local server name is the full name of the server from the list of servers and sites.",
          "propertyOrder" : 1000,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "certificateAttributeToProfileMapping" : {
          "title" : "Certificate Field Used to Access User Profile",
          "description" : "The certificate module needs to read a value from the client certificate that can be used to search the LDAP server for a matching certificate.  ",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "otherCertificateAttributeToProfileMapping" : {
          "title" : "Other Certificate Field Used to Access User Profile",
          "description" : "This field is only used if the <i>Certificate Field Used to Access User Profile</i> attribute is set to <i>other</i>. This field allows a custom certificate field to be used as the basis of the user search.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "matchCertificateToCRL" : {
          "title" : "Match Certificate to CRL",
          "description" : "The Client Certificate will be checked against the Certificate Revocation list held in the directory<br><br>A Certificate Revocation List can be provisioned into the directory. Having this option enabled will cause all client certificates to be checked against this list.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.25. CircleOfTrust

1.25.1. Realm Operations

Resource path: /realm-config/federation/circlesoftrust

Resource version: 1.0

1.25.1.1. create

Usage:

am> create CircleOfTrust --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "saml2WriterServiceUrl" : {
      "title" : "a211",
      "description" : "",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "status" : {
      "title" : "Status of the Circle of Trust",
      "description" : "",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "trustedProviders" : {
      "title" : "Trusted Providers",
      "description" : "",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "saml2ReaderServiceUrl" : {
      "title" : "a212",
      "description" : "",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "description" : {
      "title" : "Description of the Circle of Trust ",
      "description" : "",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "idffReaderServiceUrl" : {
      "title" : "a214",
      "description" : "",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "idffWriterServiceUrl" : {
      "title" : "a213",
      "description" : "",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.25.1.2. delete

Usage:

am> delete CircleOfTrust --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.25.1.3. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query CircleOfTrust --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.25.1.4. read

Usage:

am> read CircleOfTrust --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.25.1.5. update

Usage:

am> update CircleOfTrust --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "saml2WriterServiceUrl" : {
      "title" : "a211",
      "description" : "",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "status" : {
      "title" : "Status of the Circle of Trust",
      "description" : "",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "trustedProviders" : {
      "title" : "Trusted Providers",
      "description" : "",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "saml2ReaderServiceUrl" : {
      "title" : "a212",
      "description" : "",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "description" : {
      "title" : "Description of the Circle of Trust ",
      "description" : "",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "idffReaderServiceUrl" : {
      "title" : "a214",
      "description" : "",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "idffWriterServiceUrl" : {
      "title" : "a213",
      "description" : "",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}
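
The following Amster script creates a circle of trust holding one SAML2 identity provider and one service provider, then reads it back. It is an added illustration and not part of the original reference. The host name, private-key path, realm, entity IDs and discovery-service URLs are assumptions; so is the `entityId|saml2` form of the `trustedProviders` values and the `active`/`inactive` values of `status`, which you should confirm against the output of `read CircleOfTrust` for an existing circle in your deployment.

```groovy
// Added example, not from the original reference. Host, key path, realm and
// entity IDs are assumptions; adapt them before running.
connect -k /opt/amster/amster_rsa https://am.example.com:8443/am

// Every property in the schema is marked required, so the body carries all
// seven keys even though the ID-FF discovery URLs are unused for SAML2-only
// federation. Provider entries are "<entityId>|<protocol>" (assumed format).
create CircleOfTrust --realm / --id example-cot --body '{
  "description": "Circle of trust for example.com SAML2 federation",
  "status": "active",
  "trustedProviders": [
    "https://am.example.com:8443/am|saml2",
    "https://sp.example.com/saml/metadata|saml2"
  ],
  "saml2WriterServiceUrl": "https://am.example.com:8443/am/saml2writer",
  "saml2ReaderServiceUrl": "https://am.example.com:8443/am/saml2reader",
  "idffWriterServiceUrl": "https://am.example.com:8443/am/idffwriter",
  "idffReaderServiceUrl": "https://am.example.com:8443/am/idffreader"
}'

// Verify membership: only providers listed here are federation partners, so
// a missing or mistyped entity ID is a trust-boundary error, not a typo.
read CircleOfTrust --realm / --id example-cot
```

To take the circle out of service without deleting it, send the same document with `"status": "inactive"` through `update CircleOfTrust`; because the update replaces the resource, resend every key rather than only the changed one.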

1.26. ClientDetection

1.26.1. Global Operations

Resource path: /global-config/services/clientdetection

Resource version: 1.0

1.26.1.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action ClientDetection --global --actionName getAllTypes

1.26.1.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action ClientDetection --global --actionName getCreatableTypes

1.26.1.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action ClientDetection --global --actionName nextdescendents

1.26.1.4. read

Usage:

am> read ClientDetection --global

1.26.1.5. update

Usage:

am> update ClientDetection --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaultClientType" : {
      "title" : "Default Client Type",
      "description" : "The name of the client type selected if no client match is found.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "detectionClass" : {
      "title" : "Client Detection Class",
      "description" : "The default client detection plug-in implementation.<br><br>The client detection plug-in is used to determine the client type. The client type is a name that uniquely identifies the client to OpenAM. The plug-in scans the HTTP request from the client in order to determine the name of the client type.<br/><br/>The implementation must implement the <code>com.iplanet.services.cdm.ClientDetectionInterface</code> interface.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "enabled" : {
      "title" : "Enable Client Detection",
      "description" : "Enable/Disable the Client Detection Framework in OpenAM.<br><br>The Client Detection Framework can be used to identify the type of the client and deliver different content in the Authentication User Interface based on the client type. The default client type is HTML.<br/><br/><i>Note:</i> This functionality is disabled in OpenAM; customisation is required before it can be enabled.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}

1.27. CommonFederationConfiguration

1.27.1. Global Operations

Resource path: /global-config/services/federation/common

Resource version: 1.0

1.27.1.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action CommonFederationConfiguration --global --actionName getAllTypes

1.27.1.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action CommonFederationConfiguration --global --actionName getCreatableTypes

1.27.1.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action CommonFederationConfiguration --global --actionName nextdescendents

1.27.1.4. read

Usage:

am> read CommonFederationConfiguration --global

1.27.1.5. update

Usage:

am> update CommonFederationConfiguration --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "montoring" : {
      "type" : "object",
      "title" : "Monitoring",
      "propertyOrder" : 3,
      "properties" : {
        "monitoringIdffClass" : {
          "title" : "Monitoring Provider Class for ID-FF",
          "description" : "The ID-FF engine uses this class to gain access to the monitoring system.<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonIDFFSvc</code> interface.",
          "propertyOrder" : 2200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "monitoringAgentClass" : {
          "title" : "Monitoring Agent Provider Class",
          "description" : "The Federation system uses this class to gain access to the monitoring system.<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonAgent</code> interface.",
          "propertyOrder" : 1900,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "monitoringSaml1Class" : {
          "title" : "Monitoring Provider Class for SAML1",
          "description" : "The SAMLv1 engine uses this class to gain access to the monitoring system<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonSAML1Svc</code> interface.",
          "propertyOrder" : 2000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "monitoringSaml2Class" : {
          "title" : "Monitoring Provider Class for SAML2",
          "description" : "The SAML2 engine uses this class to gain access to the monitoring system.<br><br>The default implementation uses the built-in OpenAM monitoring system. A custom implementation must implement the <code>com.sun.identity.plugin.monitoring.FedMonSAML2Svc</code> interface.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "generalConfig" : {
      "type" : "object",
      "title" : "General Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "certificateChecking" : {
          "title" : "Check presence of certificates",
          "description" : "Enable checking of certificates against local copy<br><br>Whether to verify that the partner's signing certificate included in the Federation XML document is the same as the one stored in the said partner's meta data.",
          "propertyOrder" : 900,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "maxContentLength" : {
          "title" : "Maximum allowed content length",
          "description" : "The maximum content length allowed in federation communications, in bytes.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "samlErrorPageHttpBinding" : {
          "title" : "SAML Error Page HTTP Binding",
          "description" : "The possible values are HTTP-Redirect or HTTP-POST.",
          "propertyOrder" : 1800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "samlErrorPageUrl" : {
          "title" : "SAML Error Page URL",
          "description" : "OpenAM redirects users here when an error occurs in the SAML2 engine.<br><br>Both relative and absolute URLs are supported. Users are redirected to an absolute URL using the configured HTTP Binding whereas relative URLs are displayed within the request.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "algorithms" : {
      "type" : "object",
      "title" : "Algorithms",
      "propertyOrder" : 2,
      "properties" : {
        "canonicalizationAlgorithm" : {
          "title" : "XML canonicalization algorithm",
          "description" : "The algorithm used to canonicalize XML documents.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "QuerySignatureAlgorithmRSA" : {
          "title" : "Query String signature algorithm (RSA)",
          "description" : "The default signature algorithm to use in case of RSA keys.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "transformationAlgorithm" : {
          "title" : "XML transformation algorithm",
          "description" : "The algorithm used to transform XML documents.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "DigestAlgorithm" : {
          "title" : "XML digest algorithm",
          "description" : "The default digest algorithm to use in signing XML.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "QuerySignatureAlgorithmDSA" : {
          "title" : "Query String signature algorithm (DSA)",
          "description" : "The default signature algorithm to use in case of DSA keys.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "signatureAlgorithm" : {
          "title" : "XML signature algorithm",
          "description" : "The algorithm used to sign XML documents.",
          "propertyOrder" : 1100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "QuerySignatureAlgorithmEC" : {
          "title" : "Query String signature algorithm (EC)",
          "description" : "The default signature algorithm to use in case of EC keys.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "implementationClasses" : {
      "type" : "object",
      "title" : "Implementation Classes",
      "propertyOrder" : 1,
      "properties" : {
        "passwordDecoderClass" : {
          "title" : "PasswordDecoder SPI implementation class",
          "description" : "The Federation system uses this class to decode password encoded by OpenAM.<br><br>The default implementation uses the internal OpenAM decryption API to decode passwords. A custom implementation must implement the <code>com.sun.identity.saml.xmlsig.PasswordDecoder</code> interface.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "keyProviderClass" : {
          "title" : "KeyProvider SPI implementation class",
          "description" : "The Federation system uses this class to provide access to the underlying Java keystore.<br><br>The default implementation uses the Java Cryptographic Engine to provide access to the Java keystore. A custom implementation must implement the <code>com.sun.identity.saml.xmlsig.KeyProvider</code> interface.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "datastoreClass" : {
          "title" : "Datastore SPI implementation class",
          "description" : "The Federation system uses this class to get/set user profile attributes.<br><br>The default implementation uses the Identity repository APIs to access user profile attributes. A custom implementation must implement the <code>com.sun.identity.plugin.datastore.DataStoreProvider</code> interface. ",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "configurationClass" : {
          "title" : "ConfigurationInstance SPI implementation class",
          "description" : "The Federation system uses this class to fetch service configuration.<br><br>The default implementation uses the SMS APIs to access service configuration. A custom implementation must implement the <code>com.sun.identity.plugin.configuration.ConfigurationInstance</code> interface.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "signatureProviderClass" : {
          "title" : "SignatureProvider SPI implementation class",
          "description" : "The Federation system uses this class to digitally sign SAML documents.<br><br>The default implementation uses the XERCES APIs to sign the documents. A custom implementation must implement the <code>com.sun.identity.saml.xmlsig.SignatureProvider</code> interface.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "loggerClass" : {
          "title" : "Logger SPI implementation class",
          "description" : "The Federation system uses this class to record log entries.<br><br>The default implementation uses the Logging APIs to record log entries. A custom implementation must implement the <code>com.sun.identity.plugin.log.Logger</code> interface.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "sessionProviderClass" : {
          "title" : "SessionProvider SPI implementation class",
          "description" : "The Federation system uses this class to interface with the session service.<br><br>The default implementation uses the standard authentication and SSO APIs to access the session service. A custom implementation must implement the <code>com.sun.identity.plugin.session.SessionProvider</code> interface.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}
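
The script below shows how the `algorithms` and `generalConfig` sections are used to move XML signing, digests and query-string signatures from SHA-1 to SHA-256 and to require that a partner's signing certificate matches the copy in its metadata. It is an added example, not code from the original reference. The host and key path are assumptions, the algorithm values are the W3C XML Signature URIs, and the `"on"` value for `certificateChecking`, the error-page path and the content-length value are assumed defaults; compare them with what `read` returns before relying on them. The example also assumes the endpoint accepts a body containing only the sections being changed; if your deployment requires the full representation, take the `read` output, edit these fields in it, and send that whole document instead.

```groovy
// Added example, not from the original reference. Host and key path are
// assumptions; algorithm URIs are the standard W3C identifiers.
connect -k /opt/amster/amster_rsa https://am.example.com:8443/am

// Inspect the live settings first. SHA-1 shows up here as
// http://www.w3.org/2000/09/xmldsig#rsa-sha1 (signature) and
// http://www.w3.org/2000/09/xmldsig#sha1 (digest).
read CommonFederationConfiguration --global

// Assumption: a partial body is accepted; otherwise send the full document.
update CommonFederationConfiguration --global --body '{
  "algorithms": {
    "signatureAlgorithm": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "DigestAlgorithm": "http://www.w3.org/2001/04/xmlenc#sha256",
    "QuerySignatureAlgorithmRSA": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "QuerySignatureAlgorithmEC": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
    "QuerySignatureAlgorithmDSA": "http://www.w3.org/2009/xmldsig11#dsa-sha256",
    "canonicalizationAlgorithm": "http://www.w3.org/2001/10/xml-exc-c14n#",
    "transformationAlgorithm": "http://www.w3.org/2001/10/xml-exc-c14n#"
  },
  "generalConfig": {
    "certificateChecking": "on",
    "maxContentLength": 20480,
    "samlErrorPageHttpBinding": "HTTP-POST",
    "samlErrorPageUrl": "/saml2/jsp/saml2error.jsp"
  }
}'

// Confirm the change landed before federation traffic depends on it.
read CommonFederationConfiguration --global
```

These settings are global: every partner in every realm must be able to verify the chosen signature and digest algorithms, so coordinate the change with the identity and service providers you federate with, and keep `maxContentLength` bounded, since it is the size limit applied to inbound federation messages before they are parsed.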

1.28. ConditionTypes

1.28.1. Realm Operations

Service for querying and reading the environment condition types stored in OpenAM. Environment condition types describe the JSON representation of environment conditions that you can use in policy definitions.

Resource path: /conditiontypes

Resource version: 1.0

1.28.1.1. query

Query the list of environment condition types.

Usage:

am> query ConditionTypes --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all. Fields that can be queried: [*]

1.28.1.2. read

Read an individual environment condition type, using its title as the unique identifier.

Usage:

am> read ConditionTypes --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.29. Csv

1.29.1. Realm Operations

Resource path: /realm-config/services/audit/CSV

Resource version: 1.0

1.29.1.1. create

Usage:

am> create Csv --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "csvFileRotation" : {
      "type" : "object",
      "title" : "File Rotation",
      "propertyOrder" : 3,
      "properties" : {
        "rotationTimes" : {
          "title" : "Rotation Times",
          "description" : "Durations after midnight to trigger file rotation, in seconds.",
          "propertyOrder" : 1100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "rotationFileSuffix" : {
          "title" : "File Rotation Suffix",
          "description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
          "propertyOrder" : 900,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationInterval" : {
          "title" : "Rotation Interval",
          "description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationEnabled" : {
          "title" : "Rotation Enabled",
          "description" : "Enables and disables audit file rotation.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "rotationMaxFileSize" : {
          "title" : "Maximum File Size",
          "description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationFilePrefix" : {
          "title" : "File Rotation Prefix",
          "description" : "Prefix to prepend to audit files when rotating audit files.",
          "propertyOrder" : 800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "commonHandlerPlugin" : {
      "type" : "object",
      "title" : "Audit Event Handler Factory",
      "propertyOrder" : 1,
      "properties" : {
        "handlerFactory" : {
          "title" : "Factory Class Name",
          "description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvBuffering" : {
      "type" : "object",
      "title" : "Buffering",
      "propertyOrder" : 5,
      "properties" : {
        "bufferingEnabled" : {
          "title" : "Buffering Enabled",
          "description" : "Enables or disables buffering.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "bufferingAutoFlush" : {
          "title" : "Flush Each Event Immediately",
          "description" : "Performance may be improved by writing all buffered events before flushing.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvFileRetention" : {
      "type" : "object",
      "title" : "File Retention",
      "propertyOrder" : 4,
      "properties" : {
        "retentionMaxDiskSpaceToUse" : {
          "title" : "Maximum Disk Space",
          "description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMaxNumberOfHistoryFiles" : {
          "title" : "Maximum Number of Historical Files",
          "description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMinFreeSpaceRequired" : {
          "title" : "Minimum Free Space Required",
          "description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvSecurity" : {
      "type" : "object",
      "title" : "Tamper Evident Configuration",
      "propertyOrder" : 6,
      "properties" : {
        "securityFilename" : {
          "title" : "Certificate Store Location",
          "description" : "Path to Java keystore.",
          "propertyOrder" : 1800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityEnabled" : {
          "title" : "Is Enabled",
          "description" : "Enables the CSV tamper evident feature.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "securitySignatureInterval" : {
          "title" : "Signature Interval",
          "description" : "Signature generation interval, in seconds.",
          "propertyOrder" : 2000,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityPassword" : {
          "title" : "Certificate Store Password",
          "description" : "Password for Java keystore.",
          "propertyOrder" : 1900,
          "required" : false,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        }
      }
    },
    "commonHandler" : {
      "type" : "object",
      "title" : "General Handler Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "topics" : {
          "title" : "Topics",
          "description" : "List of topics handled by an audit event handler.",
          "propertyOrder" : 400,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "enabled" : {
          "title" : "Enabled",
          "description" : "Enables or disables an audit event handler.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvConfig" : {
      "type" : "object",
      "title" : "CSV Configuration",
      "propertyOrder" : 2,
      "properties" : {
        "location" : {
          "title" : "Log Directory",
          "description" : "Directory in which to store audit log CSV files.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}
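
The following Amster script creates a realm-level CSV audit handler with rotation, retention and the tamper-evident signature chain switched on. It is an added illustration, not part of the original reference. The host, key path, log directory, keystore path and password, topic names, size and interval values, and the factory class name are assumptions; read an existing handler (`read Csv --realm / --id <handler>`) first to confirm the factory class and the value formats your deployment accepts. Every field the schema marks `required` is present.

```groovy
// Added example, not from the original reference. Paths, host, values and the
// factory class name are assumptions; verify them against an existing handler.
connect -k /opt/amster/amster_rsa https://am.example.com:8443/am

create Csv --realm / --id signed-csv --body '{
  "commonHandler": {
    "enabled": true,
    "topics": ["access", "activity", "authentication", "config"]
  },
  "commonHandlerPlugin": {
    "handlerFactory": "org.forgerock.openam.audit.events.handlers.CsvAuditEventHandlerFactory"
  },
  "csvConfig": {
    "location": "/var/log/am/audit"
  },
  "csvBuffering": {
    "bufferingEnabled": true,
    "bufferingAutoFlush": true
  },
  "csvFileRotation": {
    "rotationEnabled": true,
    "rotationMaxFileSize": "104857600",
    "rotationInterval": "86400",
    "rotationTimes": [],
    "rotationFilePrefix": "",
    "rotationFileSuffix": "-yyyy.MM.dd-HH.mm.ss"
  },
  "csvFileRetention": {
    "retentionMaxNumberOfHistoryFiles": "30",
    "retentionMaxDiskSpaceToUse": "-1",
    "retentionMinFreeSpaceRequired": "1073741824"
  },
  "csvSecurity": {
    "securityEnabled": true,
    "securityFilename": "/opt/am/security/keystores/audit.jceks",
    "securityPassword": "changeit",
    "securitySignatureInterval": "900"
  }
}'

// Read back to confirm the handler is enabled and signing is on; the password
// field is schema format "password" and is not expected to echo in clear.
read Csv --realm / --id signed-csv
```

Two cautions. The keystore named in `securityFilename` must already exist, be readable by the AM process identity, and hold the signing material AM expects (see the AM audit logging documentation); a handler that is enabled with an unreadable keystore silently gives you unsigned, or no, audit output, so check the first rotated file after creation. And `securityPassword` is a secret that now lives in this script as well as in the configuration store, so keep the script out of version control or pass the command interactively.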

1.29.1.2. delete

Usage:

am> delete Csv --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.29.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Csv --realm Realm --actionName getAllTypes

1.29.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Csv --realm Realm --actionName getCreatableTypes

1.29.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Csv --realm Realm --actionName nextdescendents

1.29.1.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query Csv --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.29.1.7. read

Usage:

am> read Csv --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.29.1.8. update

Usage:

am> update Csv --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "csvFileRotation" : {
      "type" : "object",
      "title" : "File Rotation",
      "propertyOrder" : 3,
      "properties" : {
        "rotationTimes" : {
          "title" : "Rotation Times",
          "description" : "Durations after midnight to trigger file rotation, in seconds.",
          "propertyOrder" : 1100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "rotationFileSuffix" : {
          "title" : "File Rotation Suffix",
          "description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
          "propertyOrder" : 900,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationInterval" : {
          "title" : "Rotation Interval",
          "description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationEnabled" : {
          "title" : "Rotation Enabled",
          "description" : "Enables and disables audit file rotation.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "rotationMaxFileSize" : {
          "title" : "Maximum File Size",
          "description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationFilePrefix" : {
          "title" : "File Rotation Prefix",
          "description" : "Prefix to prepend to audit files when rotating audit files.",
          "propertyOrder" : 800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "commonHandlerPlugin" : {
      "type" : "object",
      "title" : "Audit Event Handler Factory",
      "propertyOrder" : 1,
      "properties" : {
        "handlerFactory" : {
          "title" : "Factory Class Name",
          "description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvBuffering" : {
      "type" : "object",
      "title" : "Buffering",
      "propertyOrder" : 5,
      "properties" : {
        "bufferingEnabled" : {
          "title" : "Buffering Enabled",
          "description" : "Enables or disables buffering.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "bufferingAutoFlush" : {
          "title" : "Flush Each Event Immediately",
          "description" : "Performance may be improved by writing all buffered events before flushing.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvFileRetention" : {
      "type" : "object",
      "title" : "File Retention",
      "propertyOrder" : 4,
      "properties" : {
        "retentionMaxDiskSpaceToUse" : {
          "title" : "Maximum Disk Space",
          "description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMaxNumberOfHistoryFiles" : {
          "title" : "Maximum Number of Historical Files",
          "description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMinFreeSpaceRequired" : {
          "title" : "Minimum Free Space Required",
          "description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvSecurity" : {
      "type" : "object",
      "title" : "Tamper Evident Configuration",
      "propertyOrder" : 6,
      "properties" : {
        "securityFilename" : {
          "title" : "Certificate Store Location",
          "description" : "Path to Java keystore.",
          "propertyOrder" : 1800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityEnabled" : {
          "title" : "Is Enabled",
          "description" : "Enables the CSV tamper evident feature.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "securitySignatureInterval" : {
          "title" : "Signature Interval",
          "description" : "Signature generation interval, in seconds.",
          "propertyOrder" : 2000,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityPassword" : {
          "title" : "Certificate Store Password",
          "description" : "Password for Java keystore.",
          "propertyOrder" : 1900,
          "required" : false,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        }
      }
    },
    "commonHandler" : {
      "type" : "object",
      "title" : "General Handler Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "topics" : {
          "title" : "Topics",
          "description" : "List of topics handled by an audit event handler.",
          "propertyOrder" : 400,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "enabled" : {
          "title" : "Enabled",
          "description" : "Enables or disables an audit event handler.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvConfig" : {
      "type" : "object",
      "title" : "CSV Configuration",
      "propertyOrder" : 2,
      "properties" : {
        "location" : {
          "title" : "Log Directory",
          "description" : "Directory in which to store audit log CSV files.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

1.29.2. Global Operations

Resource path: /global-config/services/audit/CSV

Resource version: 1.0

1.29.2.1. create

Usage:

am> create Csv --global --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "commonHandler" : {
      "type" : "object",
      "title" : "General Handler Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "topics" : {
          "title" : "Topics",
          "description" : "List of topics handled by an audit event handler.",
          "propertyOrder" : 400,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "enabled" : {
          "title" : "Enabled",
          "description" : "Enables or disables an audit event handler.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvFileRetention" : {
      "type" : "object",
      "title" : "File Retention",
      "propertyOrder" : 4,
      "properties" : {
        "retentionMaxDiskSpaceToUse" : {
          "title" : "Maximum Disk Space",
          "description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMaxNumberOfHistoryFiles" : {
          "title" : "Maximum Number of Historical Files",
          "description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMinFreeSpaceRequired" : {
          "title" : "Minimum Free Space Required",
          "description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvFileRotation" : {
      "type" : "object",
      "title" : "File Rotation",
      "propertyOrder" : 3,
      "properties" : {
        "rotationEnabled" : {
          "title" : "Rotation Enabled",
          "description" : "Enables and disables audit file rotation.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "rotationMaxFileSize" : {
          "title" : "Maximum File Size",
          "description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationInterval" : {
          "title" : "Rotation Interval",
          "description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationFilePrefix" : {
          "title" : "File Rotation Prefix",
          "description" : "Prefix to prepend to audit files when rotating audit files.",
          "propertyOrder" : 800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationTimes" : {
          "title" : "Rotation Times",
          "description" : "Durations after midnight to trigger file rotation, in seconds.",
          "propertyOrder" : 1100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "rotationFileSuffix" : {
          "title" : "File Rotation Suffix",
          "description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
          "propertyOrder" : 900,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvSecurity" : {
      "type" : "object",
      "title" : "Tamper Evident Configuration",
      "propertyOrder" : 6,
      "properties" : {
        "securitySignatureInterval" : {
          "title" : "Signature Interval",
          "description" : "Signature generation interval, in seconds.",
          "propertyOrder" : 2000,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityPassword" : {
          "title" : "Certificate Store Password",
          "description" : "Password for Java keystore.",
          "propertyOrder" : 1900,
          "required" : false,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "securityFilename" : {
          "title" : "Certificate Store Location",
          "description" : "Path to Java keystore.",
          "propertyOrder" : 1800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityEnabled" : {
          "title" : "Is Enabled",
          "description" : "Enables the CSV tamper evident feature.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "commonHandlerPlugin" : {
      "type" : "object",
      "title" : "Audit Event Handler Factory",
      "propertyOrder" : 1,
      "properties" : {
        "handlerFactory" : {
          "title" : "Factory Class Name",
          "description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvBuffering" : {
      "type" : "object",
      "title" : "Buffering",
      "propertyOrder" : 5,
      "properties" : {
        "bufferingEnabled" : {
          "title" : "Buffering Enabled",
          "description" : "Enables or disables buffering.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "bufferingAutoFlush" : {
          "title" : "Flush Each Event Immediately",
          "description" : "Performance may be improved by writing all buffered events before flushing.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvConfig" : {
      "type" : "object",
      "title" : "CSV Configuration",
      "propertyOrder" : 2,
      "properties" : {
        "location" : {
          "title" : "Log Directory",
          "description" : "Directory in which to store audit log CSV files.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

1.29.2.2. delete

Usage:

am> delete Csv --global --id id

Parameters:

--id

The unique identifier for the resource.

1.29.2.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Csv --global --actionName getAllTypes

1.29.2.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Csv --global --actionName getCreatableTypes

1.29.2.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Csv --global --actionName nextdescendents

1.29.2.6. query

Get the full list of instances of this collection. This query supports only the `_queryFilter=true` filter.

Usage:

am> query Csv --global --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.29.2.7. read

Usage:

am> read Csv --global --id id

Parameters:

--id

The unique identifier for the resource.

1.29.2.8. update

Usage:

am> update Csv --global --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "commonHandler" : {
      "type" : "object",
      "title" : "General Handler Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "topics" : {
          "title" : "Topics",
          "description" : "List of topics handled by an audit event handler.",
          "propertyOrder" : 400,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "enabled" : {
          "title" : "Enabled",
          "description" : "Enables or disables an audit event handler.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvFileRetention" : {
      "type" : "object",
      "title" : "File Retention",
      "propertyOrder" : 4,
      "properties" : {
        "retentionMaxDiskSpaceToUse" : {
          "title" : "Maximum Disk Space",
          "description" : "The maximum amount of disk space the audit files can occupy, in bytes. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMaxNumberOfHistoryFiles" : {
          "title" : "Maximum Number of Historical Files",
          "description" : "Maximum number of backup audit files allowed. A value of <code>-1</code> disables pruning of old history files.",
          "propertyOrder" : 1200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "retentionMinFreeSpaceRequired" : {
          "title" : "Minimum Free Space Required",
          "description" : "Minimum amount of disk space required, in bytes, on the system where audit files are stored. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 1400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvFileRotation" : {
      "type" : "object",
      "title" : "File Rotation",
      "propertyOrder" : 3,
      "properties" : {
        "rotationEnabled" : {
          "title" : "Rotation Enabled",
          "description" : "Enables and disables audit file rotation.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "rotationMaxFileSize" : {
          "title" : "Maximum File Size",
          "description" : "Maximum size, in bytes, which an audit file can grow to before rotation is triggered. A negative or zero value indicates this policy is disabled.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationInterval" : {
          "title" : "Rotation Interval",
          "description" : "Interval to trigger audit file rotations, in seconds. A negative or zero value disables this feature.",
          "propertyOrder" : 1000,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationFilePrefix" : {
          "title" : "File Rotation Prefix",
          "description" : "Prefix to prepend to audit files when rotating audit files.",
          "propertyOrder" : 800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "rotationTimes" : {
          "title" : "Rotation Times",
          "description" : "Durations after midnight to trigger file rotation, in seconds.",
          "propertyOrder" : 1100,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "rotationFileSuffix" : {
          "title" : "File Rotation Suffix",
          "description" : "Suffix to append to audit files when they are rotated. Suffix should be a timestamp.",
          "propertyOrder" : 900,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvSecurity" : {
      "type" : "object",
      "title" : "Tamper Evident Configuration",
      "propertyOrder" : 6,
      "properties" : {
        "securitySignatureInterval" : {
          "title" : "Signature Interval",
          "description" : "Signature generation interval, in seconds.",
          "propertyOrder" : 2000,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityPassword" : {
          "title" : "Certificate Store Password",
          "description" : "Password for Java keystore.",
          "propertyOrder" : 1900,
          "required" : false,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "securityFilename" : {
          "title" : "Certificate Store Location",
          "description" : "Path to Java keystore.",
          "propertyOrder" : 1800,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "securityEnabled" : {
          "title" : "Is Enabled",
          "description" : "Enables the CSV tamper evident feature.",
          "propertyOrder" : 1700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "commonHandlerPlugin" : {
      "type" : "object",
      "title" : "Audit Event Handler Factory",
      "propertyOrder" : 1,
      "properties" : {
        "handlerFactory" : {
          "title" : "Factory Class Name",
          "description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
          "propertyOrder" : 2100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "csvBuffering" : {
      "type" : "object",
      "title" : "Buffering",
      "propertyOrder" : 5,
      "properties" : {
        "bufferingEnabled" : {
          "title" : "Buffering Enabled",
          "description" : "Enables or disables buffering.",
          "propertyOrder" : 1500,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "bufferingAutoFlush" : {
          "title" : "Flush Each Event Immediately",
          "description" : "Performance may be improved by writing all buffered events before flushing.",
          "propertyOrder" : 1600,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "csvConfig" : {
      "type" : "object",
      "title" : "CSV Configuration",
      "propertyOrder" : 2,
      "properties" : {
        "location" : {
          "title" : "Log Directory",
          "description" : "Directory in which to store audit log CSV files.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}
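
The create (1.29.2.1) and update (1.29.2.8) bodies above share one schema, and the only fields with a security role are the csvSecurity block (a keystore path and its password, used to sign the CSV chain) and the rotation and retention limits that keep the audit trail from filling the disk. The following added example, which is not Amster or AM code, builds a complete body for a signed, rotated, size-capped handler, checks it against the required flags and types copied from the schema, and renders the command to paste at the am> prompt or into a script file. The topic names, the handler factory class name, the file suffix, and the rule that securityEnabled needs securityFilename and securityPassword are assumptions of this example; confirm them against your AM version.

```python
"""Build and sanity-check a --body for `create Csv --global` / `update Csv --global`.

Added example, not AM or Amster code. CSV_SCHEMA is a subset copied from the
reference (JSON type and required flag per field); everything else is assumed.
"""
import json

# section -> field -> (JSON type, required), copied from the Csv handler schema
CSV_SCHEMA = {
    "commonHandler": {"topics": ("array", True), "enabled": ("boolean", True)},
    "commonHandlerPlugin": {"handlerFactory": ("string", True)},
    "csvConfig": {"location": ("string", True)},
    "csvFileRotation": {"rotationEnabled": ("boolean", True), "rotationMaxFileSize": ("string", True),
                        "rotationInterval": ("string", True), "rotationTimes": ("array", True),
                        "rotationFilePrefix": ("string", False), "rotationFileSuffix": ("string", False)},
    "csvFileRetention": {"retentionMaxDiskSpaceToUse": ("string", True),
                         "retentionMaxNumberOfHistoryFiles": ("string", True),
                         "retentionMinFreeSpaceRequired": ("string", True)},
    "csvBuffering": {"bufferingEnabled": ("boolean", True), "bufferingAutoFlush": ("boolean", True)},
    "csvSecurity": {"securityEnabled": ("boolean", True), "securityFilename": ("string", False),
                    "securityPassword": ("string", False), "securitySignatureInterval": ("string", False)},
}
_PY_TYPES = {"string": str, "boolean": bool, "array": list}
# Numeric settings the schema types as strings; they must still parse as integers.
_INT_STRINGS = [("csvFileRotation", "rotationMaxFileSize"), ("csvFileRotation", "rotationInterval"),
                ("csvFileRetention", "retentionMaxDiskSpaceToUse"),
                ("csvFileRetention", "retentionMaxNumberOfHistoryFiles"),
                ("csvFileRetention", "retentionMinFreeSpaceRequired"),
                ("csvSecurity", "securitySignatureInterval")]


def validate_csv_body(body):
    """Return a list of problems; an empty list means the body satisfies the schema subset."""
    problems = []
    for section, fields in CSV_SCHEMA.items():
        present = body.get(section, {})
        for name, (jtype, required) in fields.items():
            if name not in present:
                if required:
                    problems.append(f"{section}.{name} is required")
            elif not isinstance(present[name], _PY_TYPES[jtype]):
                problems.append(f"{section}.{name} must be {jtype}")
    for section, name in _INT_STRINGS:
        value = body.get(section, {}).get(name)
        if isinstance(value, str) and not value.lstrip("-").isdigit():
            problems.append(f"{section}.{name} must be an integer in string form")
    # Assumption of this example: signing cannot work without a keystore path and password.
    sec = body.get("csvSecurity", {})
    if sec.get("securityEnabled") and not (sec.get("securityFilename") and sec.get("securityPassword")):
        problems.append("csvSecurity.securityEnabled requires securityFilename and securityPassword")
    return problems


def tamper_evident_csv_body(log_dir, keystore_path, keystore_password):
    """A body enabling signing, midnight/size rotation and disk-space retention (values illustrative)."""
    return {
        # Topic names and factory class are assumed for this example; check them for your AM version.
        "commonHandler": {"enabled": True, "topics": ["access", "activity", "authentication", "config"]},
        "commonHandlerPlugin": {
            "handlerFactory": "org.forgerock.openam.audit.events.handlers.CsvAuditEventHandlerFactory"},
        "csvConfig": {"location": log_dir},
        "csvFileRotation": {
            "rotationEnabled": True,
            "rotationMaxFileSize": str(100 * 1024 * 1024),  # bytes, as a string per the schema
            "rotationInterval": "-1",                       # negative or zero disables interval rotation
            "rotationTimes": ["0"],                         # seconds after midnight: rotate at 00:00
            "rotationFilePrefix": "",
            "rotationFileSuffix": "-yyyy.MM.dd-HH.mm.ss",   # "should be a timestamp"
        },
        "csvFileRetention": {
            "retentionMaxDiskSpaceToUse": str(10 * 1024 * 1024 * 1024),
            "retentionMaxNumberOfHistoryFiles": "30",
            "retentionMinFreeSpaceRequired": str(1024 * 1024 * 1024),
        },
        "csvBuffering": {"bufferingEnabled": True, "bufferingAutoFlush": True},
        "csvSecurity": {
            "securityEnabled": True,
            "securityFilename": keystore_path,
            "securityPassword": keystore_password,           # lands in the body: protect the script file
            "securitySignatureInterval": "900",              # sign the chain every 15 minutes
        },
    }


def amster_create_command(handler_id, body):
    """Render the Amster command line; the body is single-quoted, so it must not contain a quote."""
    payload = json.dumps(body, separators=(",", ":"))
    if "'" in payload:
        raise ValueError("single quotes in the body would break the quoting below")
    return f"create Csv --global --id {handler_id} --body '{payload}'"


if __name__ == "__main__":
    b = tamper_evident_csv_body("/var/log/am/audit", "/etc/am/audit-keystore.jceks", "changeit")
    print(validate_csv_body(b) or "body ok")
    print(amster_create_command("tamperEvidentCsv", b))
```

Because securityPassword rides inside the body, anything that records the command (a script file, a shell transcript) holds the keystore password in clear; restrict those files the same way you restrict the keystore itself. Running the validator before update as well as create matters because update replaces the whole resource: an omitted required field is rejected, but an omitted optional one such as securityFilename silently breaks signing, which is the case the cross-field check catches.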

1.30. CtsDataStoreProperties

1.30.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/{serverName}/properties/cts

Resource version: 1.0

1.30.1.1. read

Usage:

am> read CtsDataStoreProperties --global --serverName serverName

Parameters:

--serverName

The name of the AM server instance whose CTS data store properties are read; it replaces `{serverName}` in the resource path.

1.30.1.2. update

Usage:

am> update CtsDataStoreProperties --global --serverName serverName --body body

Parameters:

--serverName

The name of the AM server instance whose CTS data store properties are updated; it replaces `{serverName}` in the resource path.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.org.forgerock.services.cts.store.common.section" : {
      "title" : "CTS Token Store",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "org.forgerock.services.cts.store.location" : {
          "title" : "Store Mode",
          "type" : "object",
          "propertyOrder" : 0,
          "description" : "",
          "properties" : {
            "value" : {
              "enum" : [ "default", "external" ],
              "options" : {
                "enum_titles" : [ "Default Token Store", "External Token Store" ]
              },
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "org.forgerock.services.cts.store.root.suffix" : {
          "title" : "Root Suffix",
          "type" : "object",
          "propertyOrder" : 1,
          "description" : "",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "org.forgerock.services.cts.store.max.connections" : {
          "title" : "Max Connections",
          "type" : "object",
          "propertyOrder" : 2,
          "description" : "",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        }
      }
    },
    "amconfig.org.forgerock.services.cts.store.external.section" : {
      "title" : "External Store Configuration",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "org.forgerock.services.cts.store.ssl.enabled" : {
          "title" : "SSL/TLS Enabled",
          "type" : "object",
          "propertyOrder" : 0,
          "description" : "",
          "properties" : {
            "value" : {
              "type" : "boolean",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "org.forgerock.services.cts.store.directory.name" : {
          "title" : "Connection String(s)",
          "type" : "object",
          "propertyOrder" : 1,
          "description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>.",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "org.forgerock.services.cts.store.loginid" : {
          "title" : "Login Id",
          "type" : "object",
          "propertyOrder" : 2,
          "description" : "",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "org.forgerock.services.cts.store.password" : {
          "title" : "Password",
          "type" : "object",
          "propertyOrder" : 3,
          "description" : "",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false,
              "format" : "password"
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "org.forgerock.services.cts.store.heartbeat" : {
          "title" : "Heartbeat",
          "type" : "object",
          "propertyOrder" : 4,
          "description" : "",
          "properties" : {
            "value" : {
              "type" : "integer",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "org.forgerock.services.cts.store.affinity.enabled" : {
          "title" : "Affinity Enabled",
          "type" : "object",
          "propertyOrder" : 5,
          "description" : "Enables affinity based request load balancing when accessing the CTS servers. It is imperative that the connection string setting is set to the same value for all OpenAM servers in the deployment when this feature is enabled.",
          "properties" : {
            "value" : {
              "type" : "boolean",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        }
      }
    }
  }
}
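
Two details of this schema trip people up: every property is a {"value": ..., "inherited": ...} pair rather than a bare value, and the connection string has its own mini-grammar, HOST:PORT[|SERVERID[|SITEID]] with comma-separated entries, which the affinity description requires to be identical on every server. The following added example, not AM or Amster code, parses and validates that grammar, builds an update body that switches a server to an external, TLS-protected CTS store, and checks the affinity rule across the bodies of several servers. It assumes that what `read CtsDataStoreProperties` returns has the same value/inherited shape as the update body; the host names and DNs in the demo are constructed.

```python
"""Parse the CTS connection string and build/check CtsDataStoreProperties bodies.

Added example, not AM or Amster code. Grammar from the reference:
HOST:PORT[|SERVERID[|SITEID]], entries comma-separated.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

COMMON = "amconfig.org.forgerock.services.cts.store.common.section"
EXTERNAL = "amconfig.org.forgerock.services.cts.store.external.section"
CONN_KEY = "org.forgerock.services.cts.store.directory.name"
AFFINITY_KEY = "org.forgerock.services.cts.store.affinity.enabled"


@dataclass(frozen=True)
class CtsEndpoint:
    host: str
    port: int
    server_id: Optional[str] = None   # server this entry is preferred from
    site_id: Optional[str] = None     # site this entry is preferred from


def parse_cts_connection_string(value: str) -> List[CtsEndpoint]:
    """Split the comma-separated list and validate each HOST:PORT[|SERVERID[|SITEID]] entry."""
    endpoints = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty connection entry")
        parts = entry.split("|")
        if len(parts) > 3:
            raise ValueError(f"too many '|' fields in {entry!r}")
        host, sep, port_s = parts[0].rpartition(":")   # rpartition keeps [::1]:389 intact
        if not sep or not host or not port_s.isdigit():
            raise ValueError(f"expected HOST:PORT in {entry!r}")
        port = int(port_s)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range in {entry!r}")
        server_id = parts[1] if len(parts) > 1 and parts[1] else None
        site_id = parts[2] if len(parts) > 2 and parts[2] else None
        endpoints.append(CtsEndpoint(host, port, server_id, site_id))
    return endpoints


def is_valid_cts_connection_string(value: str) -> bool:
    try:
        parse_cts_connection_string(value)
        return True
    except ValueError:
        return False


def _prop(value):
    """Schema shape: each property is a value plus an explicit inherited flag."""
    return {"value": value, "inherited": False}


def cts_external_store_body(connection_string, bind_dn, password, root_suffix,
                            ssl=True, affinity=False, max_connections="10", heartbeat=10):
    """Body for `update CtsDataStoreProperties --global --serverName ...` pointing at an external CTS."""
    parse_cts_connection_string(connection_string)   # refuse a malformed string before it reaches AM
    return {
        COMMON: {
            "org.forgerock.services.cts.store.location": _prop("external"),
            "org.forgerock.services.cts.store.root.suffix": _prop(root_suffix),
            "org.forgerock.services.cts.store.max.connections": _prop(max_connections),  # string in schema
        },
        EXTERNAL: {
            "org.forgerock.services.cts.store.ssl.enabled": _prop(ssl),
            CONN_KEY: _prop(connection_string),
            "org.forgerock.services.cts.store.loginid": _prop(bind_dn),
            "org.forgerock.services.cts.store.password": _prop(password),
            "org.forgerock.services.cts.store.heartbeat": _prop(heartbeat),           # integer in schema
            AFFINITY_KEY: _prop(affinity),
        },
    }


def affinity_config_consistent(per_server: Dict[str, dict]) -> bool:
    """Affinity rule from the reference: once any server enables affinity, every server
    must carry an identical connection string (order included, since entries are ordered)."""
    if not any(body[EXTERNAL][AFFINITY_KEY]["value"] for body in per_server.values()):
        return True
    return len({body[EXTERNAL][CONN_KEY]["value"] for body in per_server.values()}) == 1


if __name__ == "__main__":
    conn = "cts1.example.com:636|am1,cts2.example.com:636|am2"   # constructed demo values
    for ep in parse_cts_connection_string(conn):
        print(ep)
    body = cts_external_store_body(conn, "uid=cts-bind,ou=admins,ou=tokens", "changeit", "ou=tokens", affinity=True)
    print(affinity_config_consistent({"am1": body, "am2": body}))
```

A reordered list (`cts2,cts1` on one server and `cts1,cts2` on another) is exactly the mismatch affinity load balancing cannot tolerate, because affinity hashes a token to a position in that list; the consistency check therefore compares the raw strings, not the parsed sets. The password is again part of the body, so the same file-protection caveat applies as for the audit handler.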

1.31. Dashboard

1.31.1. Realm Operations

Resource path: /realm-config/services/dashboard

Resource version: 1.0

1.31.1.1. create

Usage:

am> create Dashboard --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "assignedDashboard" : {
      "title" : "Available Dashboard Apps",
      "description" : "List of application dashboard names available by default for realms with the Dashboard service configured.",
      "propertyOrder" : 700,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.31.1.2. delete

Usage:

am> delete Dashboard --realm Realm

1.31.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Dashboard --realm Realm --actionName getAllTypes

1.31.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Dashboard --realm Realm --actionName getCreatableTypes

1.31.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Dashboard --realm Realm --actionName nextdescendents

1.31.1.6. read

Usage:

am> read Dashboard --realm Realm

1.31.1.7. update

Usage:

am> update Dashboard --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "assignedDashboard" : {
      "title" : "Available Dashboard Apps",
      "description" : "List of application dashboard names available by default for realms with the Dashboard service configured.",
      "propertyOrder" : 700,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.31.2. Global Operations

Resource path: /global-config/services/dashboard

Resource version: 1.0

1.31.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Dashboard --global --actionName getAllTypes

1.31.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Dashboard --global --actionName getCreatableTypes

1.31.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Dashboard --global --actionName nextdescendents

1.31.2.4. read

Usage:

am> read Dashboard --global

1.31.2.5. update

Usage:

am> update Dashboard --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "assignedDashboard" : {
          "title" : "Available Dashboard Apps",
          "description" : "List of application dashboard names available by default for realms with the Dashboard service configured.",
          "propertyOrder" : 700,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.32. DashboardInstance

1.32.1. Global Operations

Resource path: /global-config/services/dashboard/instances

Resource version: 1.0

1.32.1.1. create

Usage:

am> create DashboardInstance --global --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "displayName" : {
      "title" : "Dashboard Display Name",
      "description" : "The application name that displays on the dashboard client.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "login" : {
      "title" : "Dashboard Login",
      "description" : "The URL that takes the user to the application.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "name" : {
      "title" : "Dashboard Name",
      "description" : "The application name as it will appear to the administrator for configuring the dashboard.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "icon" : {
      "title" : "Dashboard Icon",
      "description" : "The icon name that will be displayed on the dashboard client identifying the application.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "className" : {
      "title" : "Dashboard Class Name",
      "description" : "Identifies how to access the application, for example <code>SAML2ApplicationClass</code> for a SAML v2.0 application.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "icfIdentifier" : {
      "title" : "ICF Identifier",
      "description" : "",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.32.1.2. delete

Usage:

am> delete DashboardInstance --global --id id

Parameters:

--id

The unique identifier for the resource.

1.32.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DashboardInstance --global --actionName getAllTypes

1.32.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DashboardInstance --global --actionName getCreatableTypes

1.32.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DashboardInstance --global --actionName nextdescendents

1.32.1.6. query

Get the full list of instances of this collection. This query supports only the `_queryFilter=true` filter.

Usage:

am> query DashboardInstance --global --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.32.1.7. read

Usage:

am> read DashboardInstance --global --id id

Parameters:

--id

The unique identifier for the resource.

1.32.1.8. update

Usage:

am> update DashboardInstance --global --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "displayName" : {
      "title" : "Dashboard Display Name",
      "description" : "The application name that displays on the dashboard client.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "login" : {
      "title" : "Dashboard Login",
      "description" : "The URL that takes the user to the application.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "name" : {
      "title" : "Dashboard Name",
      "description" : "The application name as it will appear to the administrator for configuring the dashboard.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "icon" : {
      "title" : "Dashboard Icon",
      "description" : "The icon name that will be displayed on the dashboard client identifying the application.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "className" : {
      "title" : "Dashboard Class Name",
      "description" : "Identifies how to access the application, for example <code>SAML2ApplicationClass</code> for a SAML v2.0 application.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "icfIdentifier" : {
      "title" : "ICF Identifier",
      "description" : "",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.33. Dashboards

1.33.1. Realm Operations

The dashboard service is responsible for returning information from the Dashboard. The only supported operation is read.

Resource path: /dashboard

Resource version: 1.0

1.33.1.1. read

Read dashboard information.

Usage:

am> read Dashboards --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.34. DataStoreModule

1.34.1. Realm Operations

Resource path: /realm-config/authentication/modules/datastore

Resource version: 1.0

1.34.1.1. create

Usage:

am> create DataStoreModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.34.1.2. delete

Usage:

am> delete DataStoreModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.34.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DataStoreModule --realm Realm --actionName getAllTypes

1.34.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DataStoreModule --realm Realm --actionName getCreatableTypes

1.34.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DataStoreModule --realm Realm --actionName nextdescendents

1.34.1.6. query

Get the full list of instances of this collection. This query supports only the `_queryFilter=true` filter.

Usage:

am> query DataStoreModule --realm Realm --filter filter

Parameters:

--filter

A CREST-formatted query filter; "true" queries all instances.

1.34.1.7. read

Usage:

am> read DataStoreModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.34.1.8. update

Usage:

am> update DataStoreModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.34.2. Global Operations

Resource path: /global-config/authentication/modules/datastore

Resource version: 1.0

1.34.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DataStoreModule --global --actionName getAllTypes

1.34.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DataStoreModule --global --actionName getCreatableTypes

1.34.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DataStoreModule --global --actionName nextdescendents

1.34.2.4. read

Usage:

am> read DataStoreModule --global

1.34.2.5. update

Usage:

am> update DataStoreModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.35. DatabaseRepositoryEarlyAccess

1.35.1. Realm Operations

Resource path: /realm-config/services/id-repositories/Database

Resource version: 1.0

1.35.1.1. create

Usage:

am> create DatabaseRepositoryEarlyAccess --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sun-opensso-database-JDBCDriver" : {
      "title" : "JDBC Driver Class Name",
      "description" : "Class name of JDBC driver to use to get connections. URL, JDBC username and password parameters also needed",
      "propertyOrder" : 7500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-JDBCDbpassword" : {
      "title" : "Password for Connecting to Database",
      "description" : "Password used as parameter by JDBC driver",
      "propertyOrder" : 7600,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "sun-opensso-database-JDBCUrl" : {
      "title" : "JDBC Driver URL",
      "description" : "URL used as parameter by JDBC driver",
      "propertyOrder" : 7700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserIDAttr" : {
      "title" : "User ID Attribute Name",
      "description" : "Name of attribute column name in DB table for user id",
      "propertyOrder" : 8200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-config-users-search-attribute" : {
      "title" : "Users Search Attribute in Database",
      "description" : "Name of attribute column name in DB table for users LIKE search queries",
      "propertyOrder" : 8700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserAttrs" : {
      "title" : "List of User Attributes Names in Database",
      "description" : "",
      "propertyOrder" : 8000,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-opensso-database-config-max-result" : {
      "title" : "Maximum Results Returned from Search",
      "description" : "Value to determine the maximum number of search results to fetch",
      "propertyOrder" : 8600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-opensso-database-activeValue" : {
      "title" : "User Status Active Value",
      "description" : "Value stored in the db table's user status column to represent an Active user",
      "propertyOrder" : 8400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoAttributeMapping" : {
      "title" : "Attribute Name Mapping",
      "description" : "",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserTableName" : {
      "title" : "Database User Table Name",
      "description" : "",
      "propertyOrder" : 7900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoClass" : {
      "title" : "Database Repository Plugin Class Name",
      "description" : "",
      "propertyOrder" : 7000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-inactiveValue" : {
      "title" : "User Status Inactive Value",
      "description" : "Value stored in the db table's user status column to represent an Inactive user",
      "propertyOrder" : 8500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserPasswordAttr" : {
      "title" : "User Password Attribute Name",
      "description" : "Name of attribute column name in DB table for user password",
      "propertyOrder" : 8100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-membership-search-attribute" : {
      "title" : "Membership Search Attribute in Database",
      "description" : "Name of attribute column name in DB table for membership LIKE search queries",
      "propertyOrder" : 9000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-dao-JDBCConnectionType" : {
      "title" : "Connection Type",
      "description" : "",
      "propertyOrder" : 7300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-JDBCDbuser" : {
      "title" : "Connect This User to Database",
      "description" : "Connection user name used as parameter by JDBC driver",
      "propertyOrder" : 7800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserStatusAttr" : {
      "title" : "Attribute Name of User Status",
      "description" : "Name of attribute column name in DB table to determine if user is active or inactive",
      "propertyOrder" : 8300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-DataSourceJndiName" : {
      "title" : "Database DataSource Name",
      "description" : "Name specified when configuring a DataSource in the application server for connections",
      "propertyOrder" : 7400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-dao-class-name" : {
      "title" : "Database Data Access Object Plugin Class Name",
      "description" : "",
      "propertyOrder" : 7200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-sunIdRepoSupportedOperations" : {
      "title" : "Database Plug-in Supported Types and Operations",
      "description" : "",
      "propertyOrder" : 7100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-opensso-database-MembershipIDAttr" : {
      "title" : "Membership ID Attribute Name",
      "description" : "Name of attribute column name in DB membership table to uniquely identify a group",
      "propertyOrder" : 8900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-MembershipTableName" : {
      "title" : "Database Membership table name",
      "description" : "",
      "propertyOrder" : 8800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.35.1.2. delete

Usage:

am> delete DatabaseRepositoryEarlyAccess --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.35.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DatabaseRepositoryEarlyAccess --realm Realm --actionName getAllTypes

1.35.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DatabaseRepositoryEarlyAccess --realm Realm --actionName getCreatableTypes

1.35.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DatabaseRepositoryEarlyAccess --realm Realm --actionName nextdescendents

1.35.1.6. query

Get the full list of instances of this collection. This query supports only the `_queryFilter=true` filter.

Usage:

am> query DatabaseRepositoryEarlyAccess --realm Realm --filter filter

Parameters:

--filter

A CREST-formatted query filter; "true" queries all instances.

1.35.1.7. read

Usage:

am> read DatabaseRepositoryEarlyAccess --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.35.1.8. update

Usage:

am> update DatabaseRepositoryEarlyAccess --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sun-opensso-database-JDBCDriver" : {
      "title" : "JDBC Driver Class Name",
      "description" : "Class name of JDBC driver to use to get connections. URL, JDBC username and password parameters also needed",
      "propertyOrder" : 7500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-JDBCDbpassword" : {
      "title" : "Password for Connecting to Database",
      "description" : "Password used as parameter by JDBC driver",
      "propertyOrder" : 7600,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "sun-opensso-database-JDBCUrl" : {
      "title" : "JDBC Driver URL",
      "description" : "URL used as parameter by JDBC driver",
      "propertyOrder" : 7700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserIDAttr" : {
      "title" : "User ID Attribute Name",
      "description" : "Name of attribute column name in DB table for user id",
      "propertyOrder" : 8200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-config-users-search-attribute" : {
      "title" : "Users Search Attribute in Database",
      "description" : "Name of attribute column name in DB table for users LIKE search queries",
      "propertyOrder" : 8700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserAttrs" : {
      "title" : "List of User Attributes Names in Database",
      "description" : "",
      "propertyOrder" : 8000,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-opensso-database-config-max-result" : {
      "title" : "Maximum Results Returned from Search",
      "description" : "Value to determine the maximum number of search results to fetch",
      "propertyOrder" : 8600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-opensso-database-activeValue" : {
      "title" : "User Status Active Value",
      "description" : "Value stored in the db table's user status column to represent an Active user",
      "propertyOrder" : 8400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoAttributeMapping" : {
      "title" : "Attribute Name Mapping",
      "description" : "",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserTableName" : {
      "title" : "Database User Table Name",
      "description" : "",
      "propertyOrder" : 7900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoClass" : {
      "title" : "Database Repository Plugin Class Name",
      "description" : "",
      "propertyOrder" : 7000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-inactiveValue" : {
      "title" : "User Status Inactive Value",
      "description" : "Value stored in the db table's user status column to represent an Inactive user",
      "propertyOrder" : 8500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserPasswordAttr" : {
      "title" : "User Password Attribute Name",
      "description" : "Name of attribute column name in DB table for user password",
      "propertyOrder" : 8100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-membership-search-attribute" : {
      "title" : "Membership Search Attribute in Database",
      "description" : "Name of attribute column name in DB table for membership LIKE search queries",
      "propertyOrder" : 9000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-dao-JDBCConnectionType" : {
      "title" : "Connection Type",
      "description" : "",
      "propertyOrder" : 7300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-JDBCDbuser" : {
      "title" : "Connect This User to Database",
      "description" : "Connection user name used as parameter by JDBC driver",
      "propertyOrder" : 7800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-UserStatusAttr" : {
      "title" : "Attribute Name of User Status",
      "description" : "Name of attribute column name in DB table to determine if user is active or inactive",
      "propertyOrder" : 8300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-DataSourceJndiName" : {
      "title" : "Database DataSource Name",
      "description" : "Name specified when configuring a DataSource in the application server for connections",
      "propertyOrder" : 7400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-dao-class-name" : {
      "title" : "Database Data Access Object Plugin Class Name",
      "description" : "",
      "propertyOrder" : 7200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-sunIdRepoSupportedOperations" : {
      "title" : "Database Plug-in Supported Types and Operations",
      "description" : "",
      "propertyOrder" : 7100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-opensso-database-MembershipIDAttr" : {
      "title" : "Membership ID Attribute Name",
      "description" : "Name of attribute column name in DB membership table to uniquely identify a group",
      "propertyOrder" : 8900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-opensso-database-MembershipTableName" : {
      "title" : "Database Membership table name",
      "description" : "",
      "propertyOrder" : 8800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.36. DecisionCombiners

1.36.1. Realm Operations

Service for querying and reading decision combiner information. Decision combiners describe how to resolve policy decisions when multiple policies apply.

Resource path: /decisioncombiners

Resource version: 1.0

1.36.1.1. query

Lists all decision combiners.

Usage:

am> query DecisionCombiners --realm Realm --filter filter

Parameters:

--filter

A CREST-formatted query filter; "true" queries all instances. Fields that can be queried: [title]

1.36.1.2. read

Reads an individual decision combiner specified by its name.

Usage:

am> read DecisionCombiners --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.37. DefaultAdvancedProperties

1.37.1. Global Operations

An object of property key-value pairs.

Resource path: /global-config/servers/server-default/properties/advanced

Resource version: 1.0

1.37.1.1. read

Usage:

am> read DefaultAdvancedProperties --global

1.37.1.2. update

Usage:

am> update DefaultAdvancedProperties --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "patternProperties" : {
    ".+" : {
      "type" : "string",
      "title" : "Value",
      "description" : "Any string value"
    }
  },
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "An object of property key-value pairs",
  "type" : "object",
  "title" : "Advanced Properties"
}

1.38. DefaultCtsDataStoreProperties

1.38.1. Global Operations

An object of property key-value pairs.

Resource path: /global-config/servers/server-default/properties/cts

Resource version: 1.0

1.38.1.1. read

Usage:

am> read DefaultCtsDataStoreProperties --global

1.38.1.2. update

Usage:

am> update DefaultCtsDataStoreProperties --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.org.forgerock.services.cts.store.common.section" : {
      "title" : "CTS Token Store",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "org.forgerock.services.cts.store.location" : {
          "enum" : [ "default", "external" ],
          "options" : {
            "enum_titles" : [ "Default Token Store", "External Token Store" ]
          },
          "type" : "string",
          "title" : "Store Mode",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.cts.store.root.suffix" : {
          "type" : "string",
          "title" : "Root Suffix",
          "propertyOrder" : 1,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.cts.store.max.connections" : {
          "type" : "string",
          "title" : "Max Connections",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.cts.store.external.section" : {
      "title" : "External Store Configuration",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "org.forgerock.services.cts.store.ssl.enabled" : {
          "type" : "boolean",
          "title" : "SSL/TLS Enabled",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.cts.store.directory.name" : {
          "type" : "string",
          "title" : "Connection String(s)",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
        },
        "org.forgerock.services.cts.store.loginid" : {
          "type" : "string",
          "title" : "Login Id",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.cts.store.password" : {
          "type" : "string",
          "title" : "Password",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "",
          "format" : "password"
        },
        "org.forgerock.services.cts.store.heartbeat" : {
          "type" : "integer",
          "title" : "Heartbeat",
          "propertyOrder" : 4,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.cts.store.affinity.enabled" : {
          "type" : "boolean",
          "title" : "Affinity Enabled",
          "propertyOrder" : 5,
          "required" : true,
          "description" : "Enables affinity based request load balancing when accessing the CTS servers. It is imperative that the connection string setting is set to the same value for all OpenAM servers in the deployment when this feature is enabled."
        }
      }
    }
  }
}

1.39. DefaultDirectoryConfiguration

1.39.1. Global Operations

Connection details for directory server(s).

Resource path: /global-config/servers/server-default/properties/directoryConfiguration

Resource version: 1.0

1.39.1.1. read

Usage:

am> read DefaultDirectoryConfiguration --global

1.39.1.2. update

Usage:

am> update DefaultDirectoryConfiguration --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "directoryConfiguration" : {
      "type" : "object",
      "title" : "Directory Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "minConnectionPool" : {
          "title" : "Minimum Connection Pool",
          "propertyOrder" : 0,
          "type" : "number"
        },
        "maxConnectionPool" : {
          "title" : "Maximum Connection Pool",
          "propertyOrder" : 1,
          "type" : "number"
        },
        "bindDn" : {
          "title" : "Bind DN",
          "propertyOrder" : 2,
          "type" : "string"
        },
        "bindPassword" : {
          "title" : "Bind Password",
          "propertyOrder" : 3,
          "type" : "string",
          "format" : "password"
        }
      }
    },
    "directoryServers" : {
      "type" : "array",
      "title" : "Server",
      "propertyOrder" : 1,
      "items" : {
        "type" : "object",
        "required" : [ "serverName", "hostName", "portNumber", "connectionType" ],
        "properties" : {
          "serverName" : {
            "title" : "Name",
            "type" : "string",
            "propertyOrder" : 0
          },
          "hostName" : {
            "title" : "Host Name",
            "type" : "string",
            "propertyOrder" : 1
          },
          "portNumber" : {
            "title" : "Port Number",
            "type" : "string",
            "propertyOrder" : 2
          },
          "connectionType" : {
            "type" : "string",
            "enum" : [ "SIMPLE", "SSL" ],
            "options" : {
              "enum_titles" : [ "SIMPLE", "SSL" ]
            },
            "title" : "Connection Type",
            "propertyOrder" : 3
          }
        }
      }
    }
  }
}

1.40. DefaultGeneralProperties

1.40.1. Global Operations

An object of property key-value pairs.

Resource path: /global-config/servers/server-default/properties/general

Resource version: 1.0

1.40.1.1. read

Usage:

am> read DefaultGeneralProperties --global

1.40.1.2. update

Usage:

am> update DefaultGeneralProperties --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.header.installdir" : {
      "title" : "System",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "com.iplanet.services.configpath" : {
          "type" : "string",
          "title" : "Base installation directory",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Base directory where product's data resides. (property name: com.iplanet.services.configpath)"
        },
        "com.iplanet.am.locale" : {
          "type" : "string",
          "title" : "Default Locale",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Default locale for the product. (property name: com.iplanet.am.locale)"
        },
        "com.sun.identity.client.notification.url" : {
          "type" : "string",
          "title" : "Notification URL",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "The location of notification service end point. It is usually the product's deployment URI/notificationservice. (property name: com.sun.identity.client.notification.url)"
        },
        "com.iplanet.am.util.xml.validating" : {
          "enum" : [ "on", "off" ],
          "options" : {
            "enum_titles" : [ "On", "Off" ]
          },
          "type" : "string",
          "title" : "XML Validation",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "Specifies if validation is required when parsing XML documents. (property name: com.iplanet.am.util.xml.validating)"
        }
      }
    },
    "amconfig.header.debug" : {
      "title" : "Debugging",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "com.iplanet.services.debug.level" : {
          "enum" : [ "off", "error", "warning", "message" ],
          "options" : {
            "enum_titles" : [ "Off", "Error", "Warning", "Message" ]
          },
          "type" : "string",
          "title" : "Debug Level",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Debug level for all components in the product. (property name: com.iplanet.services.debug.level)"
        },
        "com.sun.services.debug.mergeall" : {
          "enum" : [ "on", "off" ],
          "options" : {
            "enum_titles" : [ "On", "Off" ]
          },
          "type" : "string",
          "title" : "Merge Debug Files",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "On : Directs all debug data to a single file (debug.out); Off : creates separate per-component debug files (property name : com.sun.services.debug.mergeall)"
        },
        "com.iplanet.services.debug.directory" : {
          "type" : "string",
          "title" : "Debug Directory",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "Directory where debug files reside. (property name: com.iplanet.services.debug.directory)"
        }
      }
    },
    "amconfig.header.mailserver" : {
      "title" : "Mail Server",
      "type" : "object",
      "propertyOrder" : 2,
      "properties" : {
        "com.iplanet.am.smtphost" : {
          "type" : "string",
          "title" : "Mail Server Host Name",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "(property name: com.iplanet.am.smtphost)"
        },
        "com.iplanet.am.smtpport" : {
          "type" : "integer",
          "title" : "Mail Server Port Number",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "(property name: com.iplanet.am.smtpport)"
        }
      }
    }
  }
}

1.41. DefaultSdkProperties

1.41.1. Global Operations

An object of property key-value pairs.

Resource path: /global-config/servers/server-default/properties/sdk

Resource version: 1.0

1.41.1.1. read

Usage:

am> read DefaultSdkProperties --global

1.41.1.2. update

Usage:

am> update DefaultSdkProperties --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.header.datastore" : {
      "title" : "Data Store",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "com.sun.identity.sm.enableDataStoreNotification" : {
          "type" : "boolean",
          "title" : "Enable Datastore Notification",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Specifies if backend datastore notification is enabled. If this value is set to 'false', then in-memory notification is enabled. (property name: com.sun.identity.sm.enableDataStoreNotification)"
        },
        "com.sun.identity.sm.ldap.enableProxy" : {
          "type" : "boolean",
          "title" : "Enable Directory Proxy",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "This indicates to Service Management that the Directory Proxy must be used for read, write, and/or modify operations to the Directory Server. This flag also determines if ACIs or delegation privileges are to be used. (property name: com.sun.identity.sm.ldap.enableProxy)"
        },
        "com.sun.identity.sm.notification.threadpool.size" : {
          "type" : "integer",
          "title" : "Notification Pool Size",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "Specifies the size of the sm notification thread pool (total number of threads). (property name: com.sun.identity.sm.notification.threadpool.size)"
        }
      }
    },
    "amconfig.header.eventservice" : {
      "title" : "Event Service",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "com.iplanet.am.event.connection.num.retries" : {
          "type" : "integer",
          "title" : "Number of retries for Event Service connections",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Specifies the number of attempts made to successfully re-establish the Event Service connections. (property name: com.iplanet.am.event.connection.num.retries)"
        },
        "com.iplanet.am.event.connection.delay.between.retries" : {
          "type" : "integer",
          "title" : "Delay between Event Service connection retries",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Specifies the delay in milliseconds between retries to re-establish the Event Service connections. (property name: com.iplanet.am.event.connection.delay.between.retries)"
        },
        "com.iplanet.am.event.connection.ldap.error.codes.retries" : {
          "type" : "string",
          "title" : "Error codes for Event Service connection retries",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "This secifies the LDAP exception error codes for which retries to re-establish Event Service connections will trigger. (property name: com.iplanet.am.event.connection.ldap.error.codes.retries)"
        },
        "com.sun.am.event.connection.disable.list" : {
          "type" : "string",
          "title" : "Disabled Event Service Connection",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "Specifies which event connection (persistent search) to be disabled. There are three valid values - aci, sm and um (case insensitive). Multiple values should be separated with \",\". (property name: com.sun.am.event.connection.disable.list)"
        }
      }
    },
    "amconfig.header.ldapconnection" : {
      "title" : "LDAP Connection",
      "type" : "object",
      "propertyOrder" : 2,
      "properties" : {
        "com.iplanet.am.ldap.connection.num.retries" : {
          "type" : "integer",
          "title" : "Number of retries for LDAP Connection",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Specifies the number of attempts made to successfully re-establish LDAP Connection. (property name: com.iplanet.am.ldap.connection.num.retries)"
        },
        "com.iplanet.am.ldap.connection.delay.between.retries" : {
          "type" : "integer",
          "title" : "Delay between LDAP connection retries",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Specifies the delay in milliseconds between retries to re-establish the LDAP connections. (property name: com.iplanet.am.ldap.connection.delay.between.retries)"
        },
        "com.iplanet.am.ldap.connection.ldap.error.codes.retries" : {
          "type" : "string",
          "title" : "Error codes for LDAP connection retries",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "This secifies the LDAP exception error codes for which retries to re-establish LDAP connections will trigger. (property name: com.iplanet.am.ldap.connection.ldap.error.codes.retries)"
        }
      }
    },
    "amconfig.header.cachingreplica" : {
      "title" : "Caching and Replica",
      "type" : "object",
      "propertyOrder" : 3,
      "properties" : {
        "com.iplanet.am.sdk.cache.maxSize" : {
          "type" : "integer",
          "title" : "SDK Caching Max. Size",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Specifies the size of the cache when SDK caching is enabled. The size should be an integer greater than 0, or default size (10000) will be used. Changing this value will reset (clear) the contents of the cache. (property name: com.iplanet.am.sdk.cache.maxSize)"
        },
        "com.iplanet.am.replica.num.retries" : {
          "type" : "integer",
          "title" : "SDK Replica Retries",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Specifies the number of times to retry when an Entry Not Found error is returned to the SDK. (property name: com.iplanet.am.replica.num.retries)"
        },
        "com.iplanet.am.replica.delay.between.retries" : {
          "type" : "integer",
          "title" : "Delay between SDK Replica Retries",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "Specifies the delay time in milliseconds between the retries. (property name: com.iplanet.am.replica.delay.between.retries)"
        }
      }
    },
    "amconfig.header.sdktimetoliveconfig" : {
      "title" : "Time To Live Configuration",
      "type" : "object",
      "propertyOrder" : 4,
      "properties" : {
        "com.iplanet.am.sdk.cache.entry.expire.enabled" : {
          "type" : "boolean",
          "title" : "Cache Entry Expiration Enabled",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "If this property is set, the cache entries will expire based on the time specified in User Entry Expiration Time property. (property name: com.iplanet.am.sdk.cache.entry.expire.enabled)"
        },
        "com.iplanet.am.sdk.cache.entry.user.expire.time" : {
          "type" : "integer",
          "title" : "User Entry Expiration Time",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "This property specifies time in minutes for which the user entries remain valid in cache after their last modification. After this specified period of time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant new requests for data for these user entries will result in reading from the Directory. (property name: com.iplanet.am.sdk.cache.entry.user.expire.time)"
        },
        "com.iplanet.am.sdk.cache.entry.default.expire.time" : {
          "type" : "integer",
          "title" : "Default Entry Expiration Time",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "This property specifies time in minutes for which the non-user entries remain valid in cache after their last modification. After this specified period of time elapses (after the last modification/read from the directory), the data for the entry that is cached will expire. At that instant new requests for data for these non-user entries will result in reading from the Directory. (property name: com.iplanet.am.sdk.cache.entry.default.expire.time)"
        }
      }
    }
  }
}

1.42. DefaultSecurityProperties

1.42.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/server-default/properties/security

Resource version: 1.0

1.42.1.1. read

Usage:

am> read DefaultSecurityProperties --global

1.42.1.2. update

Usage:

am> update DefaultSecurityProperties --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.header.encryption" : {
      "title" : "Encryption",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "am.encryption.pwd" : {
          "type" : "string",
          "title" : "Password Encryption Key",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "The encryption key value for decrypting passwords stored in the Service Management System configuration. (property name: am.encryption.pwd)"
        },
        "com.iplanet.security.encryptor" : {
          "type" : "string",
          "title" : "Encryption class",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "The default encryption class. (property name: com.iplanet.security.encryptor)"
        },
        "com.iplanet.security.SecureRandomFactoryImpl" : {
          "type" : "string",
          "title" : "Secure Random Factory Class",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "This property is used for specifying SecureRandomFactory class. Available values for this property are com.iplanet.am.util.JSSSecureRandomFactoryImpl that is using JSS and com.iplanet.am.util.SecureRandomFactoryImpl that is using pure Java only. (property name: com.iplanet.security.SecureRandomFactoryImpl)"
        }
      }
    },
    "amconfig.header.validation" : {
      "title" : "Validation",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "com.iplanet.services.comm.server.pllrequest.maxContentLength" : {
          "type" : "integer",
          "title" : "Platform Low Level Comm. Max. Content Length",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Maximum content-length for an HttpRequest. (property name: com.iplanet.services.comm.server.pllrequest.maxContentLength)"
        },
        "com.iplanet.am.clientIPCheckEnabled" : {
          "type" : "boolean",
          "title" : "Client IP Address Check",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Specifies whether or not the IP address of the client is checked in all single sign on token creations or validations. (property name: com.iplanet.am.clientIPCheckEnabled)"
        }
      }
    },
    "amconfig.header.cookie" : {
      "title" : "Cookie",
      "type" : "object",
      "propertyOrder" : 2,
      "properties" : {
        "com.iplanet.am.cookie.name" : {
          "type" : "string",
          "title" : "Cookie Name",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "The cookie name used by Authentication Service to set the valid session handler ID. This name is used to retrieve the valid session information. (property name: com.iplanet.am.cookie.name)"
        },
        "com.iplanet.am.cookie.secure" : {
          "type" : "boolean",
          "title" : "Secure Cookie",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Specifies whether to set cookie in a secure mode in which the browser will only return the cookie when a secure protocol such as HTTP(s) is used. (property name: com.iplanet.am.cookie.secure)"
        },
        "com.iplanet.am.cookie.encode" : {
          "type" : "boolean",
          "title" : "Encode Cookie Value",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "Specifies whether to URL encode the cookie value. (property name: com.iplanet.am.cookie.encode)"
        }
      }
    },
    "amconfig.header.securitykey" : {
      "title" : "Key Store",
      "type" : "object",
      "propertyOrder" : 3,
      "properties" : {
        "com.sun.identity.saml.xmlsig.keystore" : {
          "type" : "string",
          "title" : "Keystore File",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Specifies the location of the keystore file. (property name: com.sun.identity.saml.xmlsig.keystore)"
        },
        "com.sun.identity.saml.xmlsig.storetype" : {
          "type" : "string",
          "title" : "Keystore Type",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Specifies the keystore type. (property name: com.sun.identity.saml.xmlsig.storetype)"
        },
        "com.sun.identity.saml.xmlsig.storepass" : {
          "type" : "string",
          "title" : "Keystore Password File",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "Specifies the location of the file that contains the password used to access the keystore file. (property name: com.sun.identity.saml.xmlsig.storepass)"
        },
        "com.sun.identity.saml.xmlsig.keypass" : {
          "type" : "string",
          "title" : "Private Key Password File",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "Specifies the location of the file that contains the password used to protect the private key of a generated key pair. (property name: com.sun.identity.saml.xmlsig.keypass)"
        },
        "com.sun.identity.saml.xmlsig.certalias" : {
          "type" : "string",
          "title" : "Certificate Alias",
          "propertyOrder" : 4,
          "required" : true,
          "description" : "(property name: com.sun.identity.saml.xmlsig.certalias)"
        }
      }
    },
    "amconfig.header.crlcache" : {
      "title" : "Certificate Revocation List Caching",
      "type" : "object",
      "propertyOrder" : 4,
      "properties" : {
        "com.sun.identity.crl.cache.directory.host" : {
          "type" : "string",
          "title" : "LDAP server host name",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "com.sun.identity.crl.cache.directory.port" : {
          "type" : "integer",
          "title" : "LDAP server port number",
          "propertyOrder" : 1,
          "required" : true,
          "description" : ""
        },
        "com.sun.identity.crl.cache.directory.ssl" : {
          "type" : "boolean",
          "title" : "SSL/TLS Enabled",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        },
        "com.sun.identity.crl.cache.directory.user" : {
          "type" : "string",
          "title" : "LDAP server bind user name",
          "propertyOrder" : 3,
          "required" : true,
          "description" : ""
        },
        "com.sun.identity.crl.cache.directory.password" : {
          "type" : "string",
          "title" : "LDAP server bind password",
          "propertyOrder" : 4,
          "required" : true,
          "description" : "",
          "format" : "password"
        },
        "com.sun.identity.crl.cache.directory.searchlocs" : {
          "type" : "string",
          "title" : "LDAP search base DN",
          "propertyOrder" : 5,
          "required" : true,
          "description" : ""
        },
        "com.sun.identity.crl.cache.directory.searchattr" : {
          "type" : "string",
          "title" : "Search Attributes",
          "propertyOrder" : 6,
          "required" : true,
          "description" : "Any DN component of issuer's subjectDN can be used to retrieve CRL from local LDAP server. It is single value string, like, \"cn\". All Root CA need to use the same search attribute."
        }
      }
    },
    "amconfig.header.ocsp.check" : {
      "title" : "Online Certificate Status Protocol Check",
      "type" : "object",
      "propertyOrder" : 5,
      "properties" : {
        "com.sun.identity.authentication.ocspCheck" : {
          "type" : "boolean",
          "title" : "Check Enabled",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "com.sun.identity.authentication.ocsp.responder.url" : {
          "type" : "string",
          "title" : "Responder URL",
          "propertyOrder" : 1,
          "required" : true,
          "description" : ""
        },
        "com.sun.identity.authentication.ocsp.responder.nickname" : {
          "type" : "string",
          "title" : "Certificate Nickname",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.header.deserialisationwhitelist" : {
      "title" : "Object Deserialisation Class Whitelist",
      "type" : "object",
      "propertyOrder" : 6,
      "properties" : {
        "openam.deserialisation.classes.whitelist" : {
          "type" : "string",
          "title" : "Whitelist",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "The list of classes that are considered valid when OpenAM performs Object deserialisation operations. The defaults should work for most installations. (property name: openam.deserialisation.classes.whitelist)"
        }
      }
    }
  }
}

1.43. DefaultSessionProperties

1.43.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/server-default/properties/session

Resource version: 1.0

1.43.1.1. read

Usage:

am> read DefaultSessionProperties --global

1.43.1.2. update

Usage:

am> update DefaultSessionProperties --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.header.sessionthresholds" : {
      "title" : "Session Limits",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "org.forgerock.openam.session.service.access.persistence.caching.maxsize" : {
          "type" : "integer",
          "title" : "Maximum Session Cache Size",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "The maximum number of sessions to cache in the per-server internal session cache. (property name: org.forgerock.openam.session.service.access.persistence.caching.maxsize)"
        },
        "com.iplanet.am.session.invalidsessionmaxtime" : {
          "type" : "integer",
          "title" : "Invalidate Session Max Time",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Duration in minutes after which the invalid session will be removed from the session table if it is created and the user does not login. This value should always be greater than the timeout value in the Authentication module properties file. (property name: com.iplanet.am.session.invalidsessionmaxtime)"
        }
      }
    },
    "amconfig.header.sessionlogging" : {
      "title" : "Statistics",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "com.iplanet.am.stats.interval" : {
          "type" : "integer",
          "title" : "Logging Interval (in seconds)",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Number of seconds to elapse between statistics logging. The interval should be at least 5 seconds to avoid CPU saturation. An interval value less than 5 seconds will be interpreted as 5 seconds. (property name: com.iplanet.am.stats.interval)"
        },
        "com.iplanet.services.stats.state" : {
          "enum" : [ "off", "file", "console" ],
          "options" : {
            "enum_titles" : [ "Off", "File", "Console" ]
          },
          "type" : "string",
          "title" : "State",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Statistics state 'file' will write to a file under the specified directory, and 'console' will write into webserver log files. (property name: com.iplanet.services.stats.state)"
        },
        "com.iplanet.services.stats.directory" : {
          "type" : "string",
          "title" : "Directory",
          "propertyOrder" : 2,
          "required" : true,
          "description" : "Directory where the statistic files will be created. Use forward slashes \"/\" to separate directories, not backslash \"\\\". Spaces in the file name are allowed for Windows. (property name: com.iplanet.services.stats.directory)"
        },
        "com.sun.am.session.enableHostLookUp" : {
          "type" : "boolean",
          "title" : "Enable Host Lookup",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "Enables or disables host lookup during session logging. (property name: com.sun.am.session.enableHostLookUp)"
        }
      }
    },
    "amconfig.header.sessionnotification" : {
      "title" : "Notification",
      "type" : "object",
      "propertyOrder" : 2,
      "properties" : {
        "com.iplanet.am.notification.threadpool.size" : {
          "type" : "integer",
          "title" : "Notification Pool Size",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Specifies the size of the notification thread pool (total number of threads). (property name: com.iplanet.am.notification.threadpool.size)"
        },
        "com.iplanet.am.notification.threadpool.threshold" : {
          "type" : "integer",
          "title" : "Notification Thread Pool Threshold",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "Specifies the maximum task queue length for serving notification threads. (property name: com.iplanet.am.notification.threadpool.threshold)"
        }
      }
    },
    "amconfig.header.sessionvalidation" : {
      "title" : "Validation",
      "type" : "object",
      "propertyOrder" : 3,
      "properties" : {
        "com.sun.am.session.caseInsensitiveDN" : {
          "type" : "boolean",
          "title" : "Case Insensitive client DN comparison",
          "propertyOrder" : 0,
          "required" : true,
          "description" : "Specifies if client distinguished name comparison is case insensitive/sensitive. (property name: com.sun.am.session.caseInsensitiveDN)"
        }
      }
    }
  }
}
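The `update` commands for DefaultSecurityProperties (1.42) and DefaultSessionProperties (1.43) both take a `--body` that must match the published schema, and a wrong type or an out-of-range enum value is only reported once the command runs against the server. The following validator is an added example, not code from the Amster reference or from ForgeRock; it assumes (hypothetically) that the body mirrors the schema nesting, that is `{section key: {property key: value}}`. The schema fragment is a constructed, cut-down copy of property shapes taken from the two schemas above, and the `risky_settings` check flags the two boolean properties whose `false` value weakens session protection, as their descriptions state:

```python
"""Validate an Amster ``update --body`` against an entity JSON schema.

Added example, not part of the Amster reference or of ForgeRock code.
Assumption (hypothetical): the update body mirrors the schema nesting,
i.e. {section key: {property key: value}}.
"""
import json

# Constructed cut-down schema fragment: property shapes copied from the
# DefaultSecurityProperties and DefaultSessionProperties schemas.
SCHEMA = {
    "type": "object",
    "properties": {
        "amconfig.header.validation": {
            "type": "object",
            "properties": {
                "com.iplanet.services.comm.server.pllrequest.maxContentLength": {"type": "integer"},
                "com.iplanet.am.clientIPCheckEnabled": {"type": "boolean"},
            },
        },
        "amconfig.header.cookie": {
            "type": "object",
            "properties": {
                "com.iplanet.am.cookie.name": {"type": "string"},
                "com.iplanet.am.cookie.secure": {"type": "boolean"},
            },
        },
        "amconfig.header.sessionlogging": {
            "type": "object",
            "properties": {
                "com.iplanet.am.stats.interval": {"type": "integer"},
                "com.iplanet.services.stats.state": {"type": "string", "enum": ["off", "file", "console"]},
            },
        },
    },
}

# JSON-schema scalar types as the schema uses them; bool is excluded from
# integer because Python's bool is an int subclass.
TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
}

# Properties whose false value weakens session protection per their descriptions.
WEAKENING_WHEN_FALSE = ("com.iplanet.am.cookie.secure", "com.iplanet.am.clientIPCheckEnabled")


def validate_body(body, schema=SCHEMA):
    """Return a list of problems; an empty list means the body matches the schema."""
    problems = []
    sections = schema.get("properties", {})
    for section, props in body.items():
        if section not in sections:
            problems.append(f"unknown section {section!r}")
            continue
        if not isinstance(props, dict):
            problems.append(f"section {section!r} must be an object")
            continue
        allowed = sections[section].get("properties", {})
        for key, value in props.items():
            spec = allowed.get(key)
            if spec is None:
                problems.append(f"unknown property {key!r} in {section!r}")
                continue
            if "enum" in spec and value not in spec["enum"]:
                problems.append(f"{key!r} must be one of {spec['enum']}, got {value!r}")
                continue
            check = TYPE_CHECKS.get(spec.get("type"))
            if check is not None and not check(value):
                problems.append(f"{key!r} must be {spec['type']}, got {type(value).__name__}")
    return problems


def risky_settings(body):
    """Return property keys in the body that are set to a weakening value."""
    found = []
    for props in body.values():
        if isinstance(props, dict):
            found.extend(k for k in WEAKENING_WHEN_FALSE if props.get(k) is False)
    return found


def load_and_check(body_json):
    """Parse a JSON body string and return (problems, risky) for a pre-flight check."""
    body = json.loads(body_json)
    return validate_body(body), risky_settings(body)


if __name__ == "__main__":
    # Constructed body: a string where a boolean is required, plus a bad enum value.
    sample = json.dumps({
        "amconfig.header.cookie": {"com.iplanet.am.cookie.secure": "true"},
        "amconfig.header.sessionlogging": {"com.iplanet.services.stats.state": "syslog"},
    })
    print(load_and_check(sample))
```

Run the check on the JSON you intend to pass as `body` before issuing `am> update ... --global --body body`; a non-empty `problems` list means the server would reject or misinterpret the value, and a non-empty `risky` list is worth a second look in a change review even though the body is schema-valid.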

1.44. DefaultUmaDataStoreProperties

1.44.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/server-default/properties/uma

Resource version: 1.0

1.44.1.1. read

Usage:

am> read DefaultUmaDataStoreProperties --global

1.44.1.2. update

Usage:

am> update DefaultUmaDataStoreProperties --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.org.forgerock.services.resourcesets.store.common.section" : {
      "title" : "Resource Sets Store",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "org.forgerock.services.resourcesets.store.location" : {
          "enum" : [ "default", "external" ],
          "options" : {
            "enum_titles" : [ "Default Token Store", "External Token Store" ]
          },
          "type" : "string",
          "title" : "Store Mode",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.resourcesets.store.root.suffix" : {
          "type" : "string",
          "title" : "Root Suffix",
          "propertyOrder" : 1,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.resourcesets.store.max.connections" : {
          "type" : "string",
          "title" : "Max Connections",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.resourcesets.store.external.section" : {
      "title" : "External Resource Sets Store Configuration",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "org.forgerock.services.resourcesets.store.ssl.enabled" : {
          "type" : "boolean",
          "title" : "SSL/TLS Enabled",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.resourcesets.store.directory.name" : {
          "type" : "string",
          "title" : "Connection String(s)",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
        },
        "org.forgerock.services.resourcesets.store.loginid" : {
          "type" : "string",
          "title" : "Login Id",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.resourcesets.store.password" : {
          "type" : "string",
          "title" : "Password",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "",
          "format" : "password"
        },
        "org.forgerock.services.resourcesets.store.heartbeat" : {
          "type" : "integer",
          "title" : "Heartbeat",
          "propertyOrder" : 4,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.umaaudit.store.common.section" : {
      "title" : "UMA Audit Store",
      "type" : "object",
      "propertyOrder" : 2,
      "properties" : {
        "org.forgerock.services.umaaudit.store.location" : {
          "enum" : [ "default", "external" ],
          "options" : {
            "enum_titles" : [ "Default Token Store", "External Token Store" ]
          },
          "type" : "string",
          "title" : "Store Mode",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.umaaudit.store.root.suffix" : {
          "type" : "string",
          "title" : "Root Suffix",
          "propertyOrder" : 1,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.umaaudit.store.max.connections" : {
          "type" : "string",
          "title" : "Max Connections",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.umaaudit.store.external.section" : {
      "title" : "External UMA Audit Store Configuration",
      "type" : "object",
      "propertyOrder" : 3,
      "properties" : {
        "org.forgerock.services.umaaudit.store.ssl.enabled" : {
          "type" : "boolean",
          "title" : "SSL/TLS Enabled",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.umaaudit.store.directory.name" : {
          "type" : "string",
          "title" : "Connection String(s)",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
        },
        "org.forgerock.services.umaaudit.store.loginid" : {
          "type" : "string",
          "title" : "Login Id",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.umaaudit.store.password" : {
          "type" : "string",
          "title" : "Password",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "",
          "format" : "password"
        },
        "org.forgerock.services.umaaudit.store.heartbeat" : {
          "type" : "integer",
          "title" : "Heartbeat",
          "propertyOrder" : 4,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.uma.pendingrequests.store.common.section" : {
      "title" : "Pending Requests Store",
      "type" : "object",
      "propertyOrder" : 4,
      "properties" : {
        "org.forgerock.services.uma.pendingrequests.store.location" : {
          "enum" : [ "default", "external" ],
          "options" : {
            "enum_titles" : [ "Default Token Store", "External Token Store" ]
          },
          "type" : "string",
          "title" : "Store Mode",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.pendingrequests.store.root.suffix" : {
          "type" : "string",
          "title" : "Root Suffix",
          "propertyOrder" : 1,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.pendingrequests.store.max.connections" : {
          "type" : "string",
          "title" : "Max Connections",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.uma.pendingrequests.store.external.section" : {
      "title" : "External Pending Requests Store Configuration",
      "type" : "object",
      "propertyOrder" : 5,
      "properties" : {
        "org.forgerock.services.uma.pendingrequests.store.ssl.enabled" : {
          "type" : "boolean",
          "title" : "SSL/TLS Enabled",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.pendingrequests.store.directory.name" : {
          "type" : "string",
          "title" : "Connection String(s)",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
        },
        "org.forgerock.services.uma.pendingrequests.store.loginid" : {
          "type" : "string",
          "title" : "Login Id",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.pendingrequests.store.password" : {
          "type" : "string",
          "title" : "Password",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "",
          "format" : "password"
        },
        "org.forgerock.services.uma.pendingrequests.store.heartbeat" : {
          "type" : "integer",
          "title" : "Heartbeat",
          "propertyOrder" : 4,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.uma.labels.store.common.section" : {
      "title" : "UMA Resource Set Labels Store",
      "type" : "object",
      "propertyOrder" : 6,
      "properties" : {
        "org.forgerock.services.uma.labels.store.location" : {
          "enum" : [ "default", "external" ],
          "options" : {
            "enum_titles" : [ "Default Token Store", "External Token Store" ]
          },
          "type" : "string",
          "title" : "Store Mode",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.labels.store.root.suffix" : {
          "type" : "string",
          "title" : "Root Suffix",
          "propertyOrder" : 1,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.labels.store.max.connections" : {
          "type" : "string",
          "title" : "Max Connections",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        }
      }
    },
    "amconfig.org.forgerock.services.uma.labels.store.external.section" : {
      "title" : "External Resource Set Labels Store Configuration",
      "type" : "object",
      "propertyOrder" : 7,
      "properties" : {
        "org.forgerock.services.uma.labels.store.ssl.enabled" : {
          "type" : "boolean",
          "title" : "SSL/TLS Enabled",
          "propertyOrder" : 0,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.labels.store.directory.name" : {
          "type" : "string",
          "title" : "Connection String(s)",
          "propertyOrder" : 1,
          "required" : true,
          "description" : "An ordered list of connection strings for LDAP directories. Each connection string is composed as follows: <code>HOST:PORT[|SERVERID[|SITEID]]</code>, where server and site IDs are optional parameters that will prioritize that connection to use from the specified nodes. Multiple connection strings should be comma-separated, e.g. <code>host1:389,host2:50389|server1|site1,host3:50389</code>."
        },
        "org.forgerock.services.uma.labels.store.loginid" : {
          "type" : "string",
          "title" : "Login Id",
          "propertyOrder" : 2,
          "required" : true,
          "description" : ""
        },
        "org.forgerock.services.uma.labels.store.password" : {
          "type" : "string",
          "title" : "Password",
          "propertyOrder" : 3,
          "required" : true,
          "description" : "",
          "format" : "password"
        },
        "org.forgerock.services.uma.labels.store.heartbeat" : {
          "type" : "integer",
          "title" : "Heartbeat",
          "propertyOrder" : 4,
          "required" : true,
          "description" : ""
        }
      }
    }
  }
}

1.45. DeviceIdMatchModule

1.45.1. Realm Operations

Resource path: /realm-config/authentication/modules/deviceidmatch

Resource version: 1.0

1.45.1.1. create

Usage:

am> create DeviceIdMatchModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "serverScript" : {
      "title" : "Server-side Script",
      "description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned. It can be written in the selected language.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "clientScript" : {
      "title" : "Client-side Script",
      "description" : "The client-side script.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "clientScriptEnabled" : {
      "title" : "Client-side Script Enabled",
      "description" : "Enable this setting if the client-side script should be executed.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}

1.45.1.2. delete

Usage:

am> delete DeviceIdMatchModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.45.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DeviceIdMatchModule --realm Realm --actionName getAllTypes

1.45.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DeviceIdMatchModule --realm Realm --actionName getCreatableTypes

1.45.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DeviceIdMatchModule --realm Realm --actionName nextdescendents

1.45.1.6. query

Get the full list of instances of this collection. This query supports only the `_queryFilter=true` filter.

Usage:

am> query DeviceIdMatchModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.45.1.7. read

Usage:

am> read DeviceIdMatchModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.45.1.8. update

Usage:

am> update DeviceIdMatchModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "serverScript" : {
      "title" : "Server-side Script",
      "description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned. It can be written in the selected language.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "clientScript" : {
      "title" : "Client-side Script",
      "description" : "The client-side script.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "clientScriptEnabled" : {
      "title" : "Client-side Script Enabled",
      "description" : "Enable this setting if the client-side script should be executed.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    }
  }
}

1.45.2. Global Operations

Resource path: /global-config/authentication/modules/deviceidmatch

Resource version: 1.0

1.45.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DeviceIdMatchModule --global --actionName getAllTypes

1.45.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DeviceIdMatchModule --global --actionName getCreatableTypes

1.45.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DeviceIdMatchModule --global --actionName nextdescendents

1.45.2.4. read

Usage:

am> read DeviceIdMatchModule --global

1.45.2.5. update

Usage:

am> update DeviceIdMatchModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "clientScript" : {
          "title" : "Client-side Script",
          "description" : "The client-side script.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "clientScriptEnabled" : {
          "title" : "Client-side Script Enabled",
          "description" : "Enable this setting if the client-side script should be executed.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "serverScript" : {
          "title" : "Server-side Script",
          "description" : "The server-side script to execute.<br><br>This script will be run on the server, subsequent to any client script having returned. It can be written in the selected language.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.46. DeviceIdSaveModule

1.46.1. Realm Operations

Resource path: /realm-config/authentication/modules/deviceidsave

Resource version: 1.0

1.46.1.1. create

Usage:

am> create DeviceIdSaveModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "autoStoreProfiles" : {
      "title" : "Automatically store new profiles",
      "description" : "Select this checkbox to assume user consent to store every new profile<br><br>If this checkbox is selected user won't be prompted for storing new profiles. After successful OTP confirmation profile will be stored automatically.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "maxProfilesAllowed" : {
      "title" : "Maximum stored profile quantity",
      "description" : "No more than specified profiles quantity will be stored in user record",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.46.1.2. delete

Usage:

am> delete DeviceIdSaveModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.46.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DeviceIdSaveModule --realm Realm --actionName getAllTypes

1.46.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DeviceIdSaveModule --realm Realm --actionName getCreatableTypes

1.46.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DeviceIdSaveModule --realm Realm --actionName nextdescendents

1.46.1.6. query

Get the full list of instances of this collection. This query supports only the `_queryFilter=true` filter.

Usage:

am> query DeviceIdSaveModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.46.1.7. read

Usage:

am> read DeviceIdSaveModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.46.1.8. update

Usage:

am> update DeviceIdSaveModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "autoStoreProfiles" : {
      "title" : "Automatically store new profiles",
      "description" : "Select this checkbox to assume user consent to store every new profile<br><br>If this checkbox is selected user won't be prompted for storing new profiles. After successful OTP confirmation profile will be stored automatically.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "maxProfilesAllowed" : {
      "title" : "Maximum stored profile quantity",
      "description" : "No more than specified profiles quantity will be stored in user record",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.46.2. Global Operations

Resource path: /global-config/authentication/modules/deviceidsave

Resource version: 1.0

1.46.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action DeviceIdSaveModule --global --actionName getAllTypes

1.46.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action DeviceIdSaveModule --global --actionName getCreatableTypes

1.46.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action DeviceIdSaveModule --global --actionName nextdescendents

1.46.2.4. read

Usage:

am> read DeviceIdSaveModule --global

1.46.2.5. update

Usage:

am> update DeviceIdSaveModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "autoStoreProfiles" : {
          "title" : "Automatically store new profiles",
          "description" : "Select this checkbox to assume user consent to store every new profile<br><br>If this checkbox is selected user won't be prompted for storing new profiles. After successful OTP confirmation profile will be stored automatically.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "maxProfilesAllowed" : {
          "title" : "Maximum stored profile quantity",
          "description" : "No more than specified profiles quantity will be stored in user record",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with the authentication module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.47. DirectoryConfiguration

1.47.1. Global Operations

Connection details for directory server(s).

Resource path: /global-config/servers/{serverName}/properties/directoryConfiguration

Resource version: 1.0

1.47.1.1. read

Usage:

am> read DirectoryConfiguration --global --serverName serverName

Parameters:

--serverName

The name of the AM server instance whose directory configuration to read, that is, the `{serverName}` element of the resource path. AM identifies a server by its deployment URL, for example `https://am.example.com:8443/am`.

1.47.1.2. update

Usage:

am> update DirectoryConfiguration --global --serverName serverName --body body

Parameters:

--serverName

The name of the AM server instance whose directory configuration to update, that is, the `{serverName}` element of the resource path. AM identifies a server by its deployment URL, for example `https://am.example.com:8443/am`.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "directoryConfiguration" : {
      "type" : "object",
      "title" : "Directory Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "minConnectionPool" : {
          "title" : "Minimum Connection Pool",
          "propertyOrder" : 0,
          "type" : "number"
        },
        "maxConnectionPool" : {
          "title" : "Maximum Connection Pool",
          "propertyOrder" : 1,
          "type" : "number"
        },
        "bindDn" : {
          "title" : "Bind DN",
          "propertyOrder" : 2,
          "type" : "string"
        },
        "bindPassword" : {
          "title" : "Bind Password",
          "propertyOrder" : 3,
          "type" : "string",
          "format" : "password"
        }
      }
    },
    "directoryServers" : {
      "type" : "array",
      "title" : "Server",
      "propertyOrder" : 1,
      "items" : {
        "type" : "object",
        "required" : [ "serverName", "hostName", "portNumber", "connectionType" ],
        "properties" : {
          "serverName" : {
            "title" : "Name",
            "type" : "string",
            "propertyOrder" : 0
          },
          "hostName" : {
            "title" : "Host Name",
            "type" : "string",
            "propertyOrder" : 1
          },
          "portNumber" : {
            "title" : "Port Number",
            "type" : "string",
            "propertyOrder" : 2
          },
          "connectionType" : {
            "type" : "string",
            "enum" : [ "SIMPLE", "SSL" ],
            "options" : {
              "enum_titles" : [ "SIMPLE", "SSL" ]
            },
            "title" : "Connection Type",
            "propertyOrder" : 3
          }
        }
      }
    }
  }
}
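A worked example of the read-then-update flow for this entity, added here and not part of the original reference or of the Amster distribution: an Amster script (run with `./amster script.amster`) that moves one server's configuration-store connection to LDAPS and a dedicated bind account. The AM URL, the Amster key path, the DS host, the bind DN and the password are assumed values.

```groovy
// Added example (not from the reference): harden the configuration-store connection of
// one AM server. All hosts, paths, DNs and credentials below are assumed values.
connect -k /home/amster/amster_rsa https://am.example.com:8443/am

// Capture the current settings first: update sends the whole object, so every field
// you mean to keep (pool sizes, existing servers) has to be repeated in the body.
read DirectoryConfiguration --global --serverName https://am.example.com:8443/am

// Switch to connectionType SSL on port 636 and bind as a dedicated account rather than
// the directory's root DN; the pool sizes are carried over from the read above.
update DirectoryConfiguration --global --serverName https://am.example.com:8443/am --body '{"directoryConfiguration":{"minConnectionPool":1,"maxConnectionPool":10,"bindDn":"cn=am-config,ou=admins,dc=example,dc=com","bindPassword":"<bind-password>"},"directoryServers":[{"serverName":"Server1","hostName":"ds1.example.com","portNumber":"636","connectionType":"SSL"}]}'

// Confirm what was stored before repeating the change on other servers.
read DirectoryConfiguration --global --serverName https://am.example.com:8443/am

:quit
```

The `-k` key is the Amster private key whose public half AM trusts for Amster logins. The bind password is written into the AM configuration, so rotate it in DS and rerun the update in the same change window. A wrong `connectionType` or port only bites when AM next opens a configuration-store connection, so verify that the server still starts before rolling the change out to the remaining servers.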

1.48. ElasticSearch

1.48.1. Realm Operations

Resource path: /realm-config/services/audit/Elasticsearch

Resource version: 1.0

1.48.1.1. create

Usage:

am> create ElasticSearch --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "elasticsearchBuffering" : {
      "type" : "object",
      "title" : "Buffering",
      "propertyOrder" : 4,
      "properties" : {
        "batchSize" : {
          "title" : "Batch Size",
          "description" : "Specifies the number of audit log events to hold in the buffer before writing them to Elasticsearch.",
          "propertyOrder" : 5800,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "maxEvents" : {
          "title" : "Queue Capacity",
          "description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
          "propertyOrder" : 5900,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "writeInterval" : {
          "title" : "Write interval (in milliseconds)",
          "description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
          "propertyOrder" : 6000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "bufferingEnabled" : {
          "title" : "Buffering Enabled",
          "description" : "",
          "propertyOrder" : 5700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "elasticsearchConfig" : {
      "type" : "object",
      "title" : "Elasticsearch Configuration",
      "propertyOrder" : 2,
      "properties" : {
        "port" : {
          "title" : "Server Port",
          "description" : "Specifies the port number used to access Elasticsearch's REST API.",
          "propertyOrder" : 5200,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "index" : {
          "title" : "Elasticsearch Index",
          "description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
          "propertyOrder" : 5400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "sslEnabled" : {
          "title" : "SSL Enabled",
          "description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
          "propertyOrder" : 5300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "host" : {
          "title" : "Server Hostname",
          "description" : "Host name or IP address of the Elasticsearch server.",
          "propertyOrder" : 5100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "commonHandler" : {
      "type" : "object",
      "title" : "General Handler Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "enabled" : {
          "title" : "Enabled",
          "description" : "Enables or disables an audit event handler.",
          "propertyOrder" : 4900,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "topics" : {
          "title" : "Topics",
          "description" : "List of topics handled by an audit event handler.",
          "propertyOrder" : 5000,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "elasticsearchAuthentication" : {
      "type" : "object",
      "title" : "Authentication",
      "propertyOrder" : 3,
      "properties" : {
        "password" : {
          "title" : "Password",
          "description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
          "propertyOrder" : 5600,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "username" : {
          "title" : "Username",
          "description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
          "propertyOrder" : 5500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "commonHandlerPlugin" : {
      "type" : "object",
      "title" : "Audit Event Handler Factory",
      "propertyOrder" : 1,
      "properties" : {
        "handlerFactory" : {
          "title" : "Factory Class Name",
          "description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
          "propertyOrder" : 6100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}
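A worked example of creating a realm-level handler with this schema, added here and not part of the original reference or of the Amster distribution: an Amster script that registers an Elasticsearch audit handler with TLS and credentials for all four AM audit topics. The AM URL, key path, Elasticsearch host, index name, user and password are assumed values, and so is the `handlerFactory` class name: confirm it by reading a handler of the same type that AM already knows about.

```groovy
// Added example (not from the reference): register an Elasticsearch audit handler in the
// top-level realm with TLS and credentials. Hosts, paths, names and credentials are assumed,
// and the handlerFactory class name is an assumption to check against an existing handler.
connect -k /home/amster/amster_rsa https://am.example.com:8443/am

// sslEnabled true: AM will only talk to Elasticsearch over TLS. The CA that signed the
// Elasticsearch node certificates must already be in the JVM truststore of every AM host.
// The audit user only needs write access to the named index.
create ElasticSearch --realm / --id es-audit --body '{"commonHandler":{"enabled":true,"topics":["access","activity","authentication","config"]},"commonHandlerPlugin":{"handlerFactory":"org.forgerock.openam.audit.events.handlers.ElasticsearchAuditEventHandlerFactory"},"elasticsearchConfig":{"host":"es.example.com","port":9200,"sslEnabled":true,"index":"am-audit"},"elasticsearchAuthentication":{"username":"am-audit","password":"<es-password>"},"elasticsearchBuffering":{"bufferingEnabled":true,"batchSize":500,"maxEvents":10000,"writeInterval":1000}}'

// Verify what AM stored.
read ElasticSearch --realm / --id es-audit

:quit
```

Order matters for the TLS caveat in the schema: if the CA is not trusted when the handler is enabled, every write fails, and once the queue reaches `maxEvents` further audit events are dropped rather than queued, which leaves a gap in the audit trail. A safer sequence is to create the handler with `"enabled": false`, import the CA on each AM host, then `update` the handler to enable it.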

1.48.1.2. delete

Usage:

am> delete ElasticSearch --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.48.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action ElasticSearch --realm Realm --actionName getAllTypes

1.48.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action ElasticSearch --realm Realm --actionName getCreatableTypes

1.48.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action ElasticSearch --realm Realm --actionName nextdescendents

1.48.1.6. query

Get the full list of instances of this collection. This query supports only the `_queryFilter=true` filter.

Usage:

am> query ElasticSearch --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.48.1.7. read

Usage:

am> read ElasticSearch --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.48.1.8. update

Usage:

am> update ElasticSearch --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "elasticsearchBuffering" : {
      "type" : "object",
      "title" : "Buffering",
      "propertyOrder" : 4,
      "properties" : {
        "batchSize" : {
          "title" : "Batch Size",
          "description" : "Specifies the number of audit log events to hold in the buffer before writing them to Elasticsearch.",
          "propertyOrder" : 5800,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "maxEvents" : {
          "title" : "Queue Capacity",
          "description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
          "propertyOrder" : 5900,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "writeInterval" : {
          "title" : "Write interval (in milliseconds)",
          "description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
          "propertyOrder" : 6000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "bufferingEnabled" : {
          "title" : "Buffering Enabled",
          "description" : "",
          "propertyOrder" : 5700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "elasticsearchConfig" : {
      "type" : "object",
      "title" : "Elasticsearch Configuration",
      "propertyOrder" : 2,
      "properties" : {
        "port" : {
          "title" : "Server Port",
          "description" : "Specifies the port number used to access Elasticsearch's REST API.",
          "propertyOrder" : 5200,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "index" : {
          "title" : "Elasticsearch Index",
          "description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
          "propertyOrder" : 5400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "sslEnabled" : {
          "title" : "SSL Enabled",
          "description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
          "propertyOrder" : 5300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "host" : {
          "title" : "Server Hostname",
          "description" : "Host name or IP address of the Elasticsearch server.",
          "propertyOrder" : 5100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "commonHandler" : {
      "type" : "object",
      "title" : "General Handler Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "enabled" : {
          "title" : "Enabled",
          "description" : "Enables or disables an audit event handler.",
          "propertyOrder" : 4900,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "topics" : {
          "title" : "Topics",
          "description" : "List of topics handled by an audit event handler.",
          "propertyOrder" : 5000,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      }
    },
    "elasticsearchAuthentication" : {
      "type" : "object",
      "title" : "Authentication",
      "propertyOrder" : 3,
      "properties" : {
        "password" : {
          "title" : "Password",
          "description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
          "propertyOrder" : 5600,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "username" : {
          "title" : "Username",
          "description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
          "propertyOrder" : 5500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    },
    "commonHandlerPlugin" : {
      "type" : "object",
      "title" : "Audit Event Handler Factory",
      "propertyOrder" : 1,
      "properties" : {
        "handlerFactory" : {
          "title" : "Factory Class Name",
          "description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
          "propertyOrder" : 6100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

1.48.2. Global Operations

Resource path: /global-config/services/audit/Elasticsearch

Resource version: 1.0

1.48.2.1. create

Usage:

am> create ElasticSearch --global --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "elasticsearchAuthentication" : {
      "type" : "object",
      "title" : "Authentication",
      "propertyOrder" : 3,
      "properties" : {
        "username" : {
          "title" : "Username",
          "description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
          "propertyOrder" : 5500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "password" : {
          "title" : "Password",
          "description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
          "propertyOrder" : 5600,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        }
      }
    },
    "elasticsearchBuffering" : {
      "type" : "object",
      "title" : "Buffering",
      "propertyOrder" : 4,
      "properties" : {
        "batchSize" : {
          "title" : "Batch Size",
          "description" : "Specifies the number of audit log events to hold in the buffer before writing them to Elasticsearch.",
          "propertyOrder" : 5800,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "maxEvents" : {
          "title" : "Queue Capacity",
          "description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
          "propertyOrder" : 5900,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "bufferingEnabled" : {
          "title" : "Buffering Enabled",
          "description" : "",
          "propertyOrder" : 5700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "writeInterval" : {
          "title" : "Write interval (in milliseconds)",
          "description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
          "propertyOrder" : 6000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      }
    },
    "elasticsearchConfig" : {
      "type" : "object",
      "title" : "Elasticsearch Configuration",
      "propertyOrder" : 2,
      "properties" : {
        "port" : {
          "title" : "Server Port",
          "description" : "Specifies the port number used to access Elasticsearch's REST API.",
          "propertyOrder" : 5200,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "index" : {
          "title" : "Elasticsearch Index",
          "description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
          "propertyOrder" : 5400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "host" : {
          "title" : "Server Hostname",
          "description" : "Host name or IP address of the Elasticsearch server.",
          "propertyOrder" : 5100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "sslEnabled" : {
          "title" : "SSL Enabled",
          "description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
          "propertyOrder" : 5300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "commonHandler" : {
      "type" : "object",
      "title" : "General Handler Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "topics" : {
          "title" : "Topics",
          "description" : "List of topics handled by an audit event handler.",
          "propertyOrder" : 5000,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "enabled" : {
          "title" : "Enabled",
          "description" : "Enables or disables an audit event handler.",
          "propertyOrder" : 4900,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "commonHandlerPlugin" : {
      "type" : "object",
      "title" : "Audit Event Handler Factory",
      "propertyOrder" : 1,
      "properties" : {
        "handlerFactory" : {
          "title" : "Factory Class Name",
          "description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
          "propertyOrder" : 6100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

1.48.2.2. delete

Usage:

am> delete ElasticSearch --global --id id

Parameters:

--id

The unique identifier for the resource.

1.48.2.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action ElasticSearch --global --actionName getAllTypes

1.48.2.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action ElasticSearch --global --actionName getCreatableTypes

1.48.2.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action ElasticSearch --global --actionName nextdescendents

1.48.2.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query ElasticSearch --global --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.48.2.7. read

Usage:

am> read ElasticSearch --global --id id

Parameters:

--id

The unique identifier for the resource.

1.48.2.8. update

Usage:

am> update ElasticSearch --global --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "elasticsearchAuthentication" : {
      "type" : "object",
      "title" : "Authentication",
      "propertyOrder" : 3,
      "properties" : {
        "username" : {
          "title" : "Username",
          "description" : "Specifies the username to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
          "propertyOrder" : 5500,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "password" : {
          "title" : "Password",
          "description" : "Specifies the password to access the Elasticsearch server.<p><p>Required if Elasticsearch Shield authentication is configured.",
          "propertyOrder" : 5600,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        }
      }
    },
    "elasticsearchBuffering" : {
      "type" : "object",
      "title" : "Buffering",
      "propertyOrder" : 4,
      "properties" : {
        "batchSize" : {
          "title" : "Batch Size",
          "description" : "Specifies the number of audit log events to hold in the buffer before writing them to Elasticsearch.",
          "propertyOrder" : 5800,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "maxEvents" : {
          "title" : "Queue Capacity",
          "description" : "Maximum number of audit logs in the batch queue. Additional audit events are dropped.",
          "propertyOrder" : 5900,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "bufferingEnabled" : {
          "title" : "Buffering Enabled",
          "description" : "",
          "propertyOrder" : 5700,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        },
        "writeInterval" : {
          "title" : "Write interval (in milliseconds)",
          "description" : "Specifies the interval in milliseconds at which buffered events are written to Elasticsearch.",
          "propertyOrder" : 6000,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      }
    },
    "elasticsearchConfig" : {
      "type" : "object",
      "title" : "Elasticsearch Configuration",
      "propertyOrder" : 2,
      "properties" : {
        "port" : {
          "title" : "Server Port",
          "description" : "Specifies the port number used to access Elasticsearch's REST API.",
          "propertyOrder" : 5200,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        },
        "index" : {
          "title" : "Elasticsearch Index",
          "description" : "Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.",
          "propertyOrder" : 5400,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "host" : {
          "title" : "Server Hostname",
          "description" : "Host name or IP address of the Elasticsearch server.",
          "propertyOrder" : 5100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "sslEnabled" : {
          "title" : "SSL Enabled",
          "description" : "Specifies whether SSL is configured on the Elasticsearch server.<p><p>If SSL is enabled, be sure to import the CA certificate used to sign Elasticsearch node certificates into the Java keystore on the host that runs OpenAM before attempting to log audit events to Elasticsearch.",
          "propertyOrder" : 5300,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "commonHandler" : {
      "type" : "object",
      "title" : "General Handler Configuration",
      "propertyOrder" : 0,
      "properties" : {
        "topics" : {
          "title" : "Topics",
          "description" : "List of topics handled by an audit event handler.",
          "propertyOrder" : 5000,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        },
        "enabled" : {
          "title" : "Enabled",
          "description" : "Enables or disables an audit event handler.",
          "propertyOrder" : 4900,
          "required" : true,
          "type" : "boolean",
          "exampleValue" : ""
        }
      }
    },
    "commonHandlerPlugin" : {
      "type" : "object",
      "title" : "Audit Event Handler Factory",
      "propertyOrder" : 1,
      "properties" : {
        "handlerFactory" : {
          "title" : "Factory Class Name",
          "description" : "The fully qualified class name of the factory responsible for creating the Audit Event Handler. The class must implement <code>org.forgerock.openam.audit.AuditEventHandlerFactory</code>.",
          "propertyOrder" : 6100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        }
      }
    }
  }
}

1.49. EmailService

1.49.1. Realm Operations

Resource path: /realm-config/services/email

Resource version: 1.0

1.49.1.1. create

Usage:

am> create EmailService --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "message" : {
      "title" : "Email Content",
      "description" : "Specifies content for notification messages. If you do not set this, OpenAM includes only the confirmation URL in the mail body.",
      "propertyOrder" : 1000,
      "required" : false,
      "type" : "string",
      "exampleValue" : ""
    },
    "username" : {
      "title" : "Mail Server Authentication Username",
      "description" : "Specifies the user name for the SMTP mail server.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : "username"
    },
    "subject" : {
      "title" : "Email Subject",
      "description" : "Specifies a subject for notification messages. If you do not set this, OpenAM does not set the subject for notification messages.",
      "propertyOrder" : 900,
      "required" : false,
      "type" : "string",
      "exampleValue" : ""
    },
    "from" : {
      "title" : "Email From Address",
      "description" : "Specifies the address from which to send email notifications.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : "no-reply@example.com"
    },
    "port" : {
      "title" : "Mail Server Host Port",
      "description" : "Specifies the port number for the SMTP mail server.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "hostname" : {
      "title" : "Mail Server Host Name",
      "description" : "Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : "smtp.example.com"
    },
    "sslState" : {
      "title" : "Mail Server Secure Connection",
      "description" : "Specifies whether to connect to the SMTP mail server using SSL.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "emailImplClassName" : {
      "title" : "Email Message Implementation Class",
      "description" : "Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "emailAddressAttribute" : {
      "title" : "Email Attribute Name",
      "description" : "Specifies the profile attribute from which to retrieve the end user's email address.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "password" : {
      "title" : "Mail Server Authentication Password",
      "description" : "Specifies the password for the SMTP user name.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    }
  }
}

1.49.1.2. delete

Usage:

am> delete EmailService --realm Realm

1.49.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action EmailService --realm Realm --actionName getAllTypes

1.49.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action EmailService --realm Realm --actionName getCreatableTypes

1.49.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action EmailService --realm Realm --actionName nextdescendents

1.49.1.6. read

Usage:

am> read EmailService --realm Realm

1.49.1.7. update

Usage:

am> update EmailService --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "message" : {
      "title" : "Email Content",
      "description" : "Specifies content for notification messages. If you do not set this, OpenAM includes only the confirmation URL in the mail body.",
      "propertyOrder" : 1000,
      "required" : false,
      "type" : "string",
      "exampleValue" : ""
    },
    "username" : {
      "title" : "Mail Server Authentication Username",
      "description" : "Specifies the user name for the SMTP mail server.",
      "propertyOrder" : 400,
      "required" : true,
      "type" : "string",
      "exampleValue" : "username"
    },
    "subject" : {
      "title" : "Email Subject",
      "description" : "Specifies a subject for notification messages. If you do not set this, OpenAM does not set the subject for notification messages.",
      "propertyOrder" : 900,
      "required" : false,
      "type" : "string",
      "exampleValue" : ""
    },
    "from" : {
      "title" : "Email From Address",
      "description" : "Specifies the address from which to send email notifications.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : "no-reply@example.com"
    },
    "port" : {
      "title" : "Mail Server Host Port",
      "description" : "Specifies the port number for the SMTP mail server.",
      "propertyOrder" : 300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "hostname" : {
      "title" : "Mail Server Host Name",
      "description" : "Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.",
      "propertyOrder" : 200,
      "required" : true,
      "type" : "string",
      "exampleValue" : "smtp.example.com"
    },
    "sslState" : {
      "title" : "Mail Server Secure Connection",
      "description" : "Specifies whether to connect to the SMTP mail server using SSL.",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "emailImplClassName" : {
      "title" : "Email Message Implementation Class",
      "description" : "Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "emailAddressAttribute" : {
      "title" : "Email Attribute Name",
      "description" : "Specifies the profile attribute from which to retrieve the end user's email address.",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "password" : {
      "title" : "Mail Server Authentication Password",
      "description" : "Specifies the password for the SMTP user name.",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    }
  }
}

1.49.2. Global Operations

Resource path: /global-config/services/email

Resource version: 1.0

1.49.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action EmailService --global --actionName getAllTypes

1.49.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action EmailService --global --actionName getCreatableTypes

1.49.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action EmailService --global --actionName nextdescendents

1.49.2.4. read

Usage:

am> read EmailService --global

1.49.2.5. update

Usage:

am> update EmailService --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "emailImplClassName" : {
          "title" : "Email Message Implementation Class",
          "description" : "Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "password" : {
          "title" : "Mail Server Authentication Password",
          "description" : "Specifies the password for the SMTP user name.",
          "propertyOrder" : 500,
          "required" : true,
          "type" : "string",
          "format" : "password",
          "exampleValue" : ""
        },
        "username" : {
          "title" : "Mail Server Authentication Username",
          "description" : "Specifies the user name for the SMTP mail server.",
          "propertyOrder" : 400,
          "required" : true,
          "type" : "string",
          "exampleValue" : "username"
        },
        "subject" : {
          "title" : "Email Subject",
          "description" : "Specifies a subject for notification messages. If you do not set this, OpenAM does not set the subject for notification messages.",
          "propertyOrder" : 900,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "sslState" : {
          "title" : "Mail Server Secure Connection",
          "description" : "Specifies whether to connect to the SMTP mail server using SSL.",
          "propertyOrder" : 600,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "message" : {
          "title" : "Email Content",
          "description" : "Specifies content for notification messages. If you do not set this, OpenAM includes only the confirmation URL in the mail body.",
          "propertyOrder" : 1000,
          "required" : false,
          "type" : "string",
          "exampleValue" : ""
        },
        "emailAddressAttribute" : {
          "title" : "Email Attribute Name",
          "description" : "Specifies the profile attribute from which to retrieve the end user's email address.",
          "propertyOrder" : 800,
          "required" : true,
          "type" : "string",
          "exampleValue" : ""
        },
        "hostname" : {
          "title" : "Mail Server Host Name",
          "description" : "Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.",
          "propertyOrder" : 200,
          "required" : true,
          "type" : "string",
          "exampleValue" : "smtp.example.com"
        },
        "from" : {
          "title" : "Email From Address",
          "description" : "Specifies the address from which to send email notifications.",
          "propertyOrder" : 700,
          "required" : true,
          "type" : "string",
          "exampleValue" : "no-reply@example.com"
        },
        "port" : {
          "title" : "Mail Server Host Port",
          "description" : "Specifies the port number for the SMTP mail server.",
          "propertyOrder" : 300,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}
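Sections 1.48 and 1.49 print only the schema of the `--body` argument, never a filled-in body. The following is an added example, not Amster or AM code: it builds a body for the ElasticSearch handler, checks it against trimmed copies of the schemas printed above for ElasticSearch and EmailService (missing required properties, wrong JSON types, unknown keys), masks every `format: "password"` value before anything is logged, and renders the `update ... --body` line. It assumes Amster accepts the body as a single-quoted JSON string; the host, port, index, credentials and factory class name are constructed placeholders.

```python
"""Pre-flight check for an Amster --body payload against the schemas this reference prints for
ElasticSearch (1.48) and EmailService (1.49). Added example, not Amster or AM code; sample values are constructed."""
import json

def _p(json_type, required=True, **extra):
    return {"type": json_type, "required": required, **extra}

def _section(**props):
    return {"type": "object", "properties": props}

# Trimmed copies of the page's schemas: titles, descriptions and propertyOrder dropped.
ELASTICSEARCH_SCHEMA = _section(
    commonHandler=_section(enabled=_p("boolean"), topics=_p("array", items={"type": "string"})),
    commonHandlerPlugin=_section(handlerFactory=_p("string")),
    elasticsearchConfig=_section(host=_p("string"), port=_p("integer"),
                                 sslEnabled=_p("boolean"), index=_p("string")),
    elasticsearchAuthentication=_section(username=_p("string"),
                                         password=_p("string", format="password")),
    elasticsearchBuffering=_section(bufferingEnabled=_p("boolean"), batchSize=_p("integer"),
                                    maxEvents=_p("integer"), writeInterval=_p("integer")),
)
EMAIL_SERVICE_SCHEMA = _section(
    emailImplClassName=_p("string"), hostname=_p("string"), port=_p("integer"),
    username=_p("string"), password=_p("string", format="password"), sslState=_p("string"),
    **{"from": _p("string")}, emailAddressAttribute=_p("string"),
    subject=_p("string", required=False), message=_p("string", required=False),
)
# --global EmailService updates wrap the same properties in a "defaults" object.
EMAIL_GLOBAL_SCHEMA = _section(defaults=EMAIL_SERVICE_SCHEMA)

_PY_TYPES = {"string": str, "integer": int, "boolean": bool, "array": list, "object": dict}

def _is_required(spec):
    """A section counts as required when any property inside it is required."""
    return bool(spec.get("required")) or any(
        _is_required(s) for s in spec.get("properties", {}).values())

def validate(schema, body, path=""):
    """List problems (missing required keys, wrong JSON types, unknown keys). Recurses into
    object sections, so it handles the sectioned ElasticSearch body, the flat EmailService
    body and the 'defaults' wrapper of --global updates alike."""
    problems, props = [], schema.get("properties", {})
    for name, spec in props.items():
        here = f"{path}/{name}"
        if name not in body:
            if _is_required(spec):
                problems.append(f"missing {here}")
            continue
        value, expected = body[name], _PY_TYPES[spec["type"]]
        # bool is a subclass of int in Python; an integer property must still reject true/false
        if not isinstance(value, expected) or (expected is int and isinstance(value, bool)):
            problems.append(f"{here}: expected {spec['type']}, got {type(value).__name__}")
        elif spec["type"] == "object":
            problems += validate(spec, value, here)
        elif spec["type"] == "array" and not all(
                isinstance(v, _PY_TYPES[spec["items"]["type"]]) for v in value):
            problems.append(f"{here}: every item must be a {spec['items']['type']}")
    problems += [f"unknown property {path}/{n}" for n in body if n not in props]
    return problems

def redact(schema, body):
    """Copy of body with every format:"password" value masked, for logs and change review."""
    props = schema.get("properties", {})
    return {n: "<redacted>" if props.get(n, {}).get("format") == "password"
            else redact(props.get(n, {}), v) if isinstance(v, dict) else v
            for n, v in body.items()}

def findings(body):
    """A check the schema cannot express, derived from the sslEnabled description above."""
    found = []
    cfg, auth = body.get("elasticsearchConfig", {}), body.get("elasticsearchAuthentication", {})
    if auth and cfg.get("sslEnabled") is False:
        found.append("elasticsearchAuthentication is set but sslEnabled is false: the Shield "
                     "credentials and every audit event would cross the network in clear text")
    return found

def amster_command(verb, entity, scope, body, ident=None):
    """Render the line this reference documents, e.g. update ElasticSearch --global --id <id>
    --body '<json>'. Passing --body as single-quoted JSON is assumed, so a ' in the body is refused."""
    payload = json.dumps(body, separators=(",", ":"))
    if "'" in payload:
        raise ValueError("body contains a single quote and cannot be passed as --body '...'")
    parts = [verb, entity, scope] + (["--id", ident] if ident else []) + ["--body", f"'{payload}'"]
    return " ".join(parts)

# Constructed sample: TLS on, Shield credentials, buffered writes. The factory class is a
# placeholder; the real one must implement org.forgerock.openam.audit.AuditEventHandlerFactory.
SAMPLE_ES_BODY = {
    "commonHandler": {"enabled": True, "topics": ["access", "activity", "authentication", "config"]},
    "commonHandlerPlugin": {"handlerFactory": "com.example.audit.ElasticsearchHandlerFactory"},
    "elasticsearchConfig": {"host": "es.example.com", "port": 9200, "sslEnabled": True,
                            "index": "am-audit"},
    "elasticsearchAuthentication": {"username": "am-audit-writer", "password": "sample-only"},
    "elasticsearchBuffering": {"bufferingEnabled": True, "batchSize": 500, "maxEvents": 10000,
                               "writeInterval": 250},
}

if __name__ == "__main__":
    for line in validate(ELASTICSEARCH_SCHEMA, SAMPLE_ES_BODY) + findings(SAMPLE_ES_BODY):
        print("problem:", line)
    # Print the redacted body; the unredacted SAMPLE_ES_BODY is what Amster would receive.
    print(amster_command("update", "ElasticSearch", "--global",
                         redact(ELASTICSEARCH_SCHEMA, SAMPLE_ES_BODY), "ElasticSearch1"))
```

The `sslEnabled` check follows the description of that property above: with it false, the Elasticsearch Shield credentials and the audit stream itself travel in clear text; with it true, the CA certificate that signed the Elasticsearch node certificates must already be in the Java keystore of the host running AM, or the handler fails on its first write.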

1.50. FederationModule

1.50.1. Realm Operations

Resource path: /realm-config/authentication/modules/federation

Resource version: 1.0

1.50.1.1. create

Usage:

am> create FederationModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.50.1.2. delete

Usage:

am> delete FederationModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.50.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action FederationModule --realm Realm --actionName getAllTypes

1.50.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action FederationModule --realm Realm --actionName getCreatableTypes

1.50.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action FederationModule --realm Realm --actionName nextdescendents

1.50.1.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query FederationModule --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.50.1.7. read

Usage:

am> read FederationModule --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.50.1.8. update

Usage:

am> update FederationModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
      "propertyOrder" : 100,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    }
  }
}

1.50.2. Global Operations

Resource path: /global-config/authentication/modules/federation

Resource version: 1.0

1.50.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action FederationModule --global --actionName getAllTypes

1.50.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action FederationModule --global --actionName getCreatableTypes

1.50.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action FederationModule --global --actionName nextdescendents

1.50.2.4. read

Usage:

am> read FederationModule --global

1.50.2.5. update

Usage:

am> update FederationModule --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "defaults" : {
      "properties" : {
        "authenticationLevel" : {
          "title" : "Authentication Level",
          "description" : "The authentication level associated with this module.<br><br>Each authentication module has an authentication level that can be used to indicate the level of security associated with the module; 0 is the lowest (and the default).",
          "propertyOrder" : 100,
          "required" : true,
          "type" : "integer",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.51. Files

1.51.1. Realm Operations

Resource path: /realm-config/services/id-repositories/files

Resource version: 1.0

1.51.1.1. create

Usage:

am> create Files --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sunFilesMonitorForChanges" : {
      "title" : "Caching",
      "description" : "",
      "propertyOrder" : 6300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "sunFilesMonitoringTime" : {
      "title" : "Cache Update Interval",
      "description" : "In minutes.",
      "propertyOrder" : 6400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunFilesHashAttrs" : {
      "title" : "Hashed Attributes",
      "description" : "",
      "propertyOrder" : 6800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sunFilesPasswordAttr" : {
      "title" : "Password Attribute",
      "description" : "",
      "propertyOrder" : 6600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunFilesObjectClasses" : {
      "title" : "User Object Classes",
      "description" : "",
      "propertyOrder" : 6500,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sunIdRepoClass" : {
      "title" : "Files Repository Plugin Class Name",
      "description" : "",
      "propertyOrder" : 6100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunFilesEncryptAttrs" : {
      "title" : "Encrypted Attributes",
      "description" : "",
      "propertyOrder" : 6900,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sunFilesIdRepoDirectory" : {
      "title" : "Files Repository Directory",
      "description" : "",
      "propertyOrder" : 6200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunFilesStatusAttr" : {
      "title" : "Status Attribute",
      "description" : "",
      "propertyOrder" : 6700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.51.1.2. delete

Usage:

am> delete Files --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.51.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Files --realm Realm --actionName getAllTypes

1.51.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Files --realm Realm --actionName getCreatableTypes

1.51.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Files --realm Realm --actionName nextdescendents

1.51.1.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query Files --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.51.1.7. read

Usage:

am> read Files --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.51.1.8. update

Usage:

am> update Files --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sunFilesMonitorForChanges" : {
      "title" : "Caching",
      "description" : "",
      "propertyOrder" : 6300,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "sunFilesMonitoringTime" : {
      "title" : "Cache Update Interval",
      "description" : "In minutes.",
      "propertyOrder" : 6400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunFilesHashAttrs" : {
      "title" : "Hashed Attributes",
      "description" : "",
      "propertyOrder" : 6800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sunFilesPasswordAttr" : {
      "title" : "Password Attribute",
      "description" : "",
      "propertyOrder" : 6600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunFilesObjectClasses" : {
      "title" : "User Object Classes",
      "description" : "",
      "propertyOrder" : 6500,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sunIdRepoClass" : {
      "title" : "Files Repository Plugin Class Name",
      "description" : "",
      "propertyOrder" : 6100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunFilesEncryptAttrs" : {
      "title" : "Encrypted Attributes",
      "description" : "",
      "propertyOrder" : 6900,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sunFilesIdRepoDirectory" : {
      "title" : "Files Repository Directory",
      "description" : "",
      "propertyOrder" : 6200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunFilesStatusAttr" : {
      "title" : "Status Attribute",
      "description" : "",
      "propertyOrder" : 6700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.52. ForgottenPassword

1.52.1. Realm Operations

Self Service endpoint for retrieving a forgotten password

Resource path: /selfservice/forgottenPassword

Resource version: 1.0

1.52.1.1. read

Initialise the forgotten password reclamation process. A set of requirements is returned; fulfil them and send them to the submitRequirements action.

Usage:

am> read ForgottenPassword --realm Realm

1.52.1.2. submitRequirements

Submit some fulfilled requirements. Returns either a completion status, or a token along with some more requirements. If requirements are returned, they should be submitted with the token as a fresh request to this action.

Usage:

am> action ForgottenPassword --realm Realm --body body --actionName submitRequirements

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "The structure of a request to the submitRequirements action.",
  "type" : "object",
  "title" : "Submit requirements structure",
  "properties" : {
    "token" : {
      "type" : "string",
      "title" : "Token",
      "description" : "The token returned from the previous submitRequirements request."
    },
    "input" : {
      "type" : "object",
      "title" : "Input",
      "description" : "The input as collected from the user that has forgotten their password. This object must conform to the JSON Schema of the requirements property from the last response.",
      "patternProperties" : {
        ".*" : {
          "type" : "any",
          "title" : "Input Property",
          "description" : "Valid content according to the received JSON Schema."
        }
      }
    }
  },
  "required" : [ "input" ]
}

1.53. ForgottenUsername

1.53.1. Realm Operations

Self Service endpoint for retrieving a forgotten username

Resource path: /selfservice/forgottenUsername

Resource version: 1.0

1.53.1.1. read

Initialise the forgotten username reclamation process. A set of requirements is returned; fulfil them and send them to the submitRequirements action.

Usage:

am> read ForgottenUsername --realm Realm

1.53.1.2. submitRequirements

Submit some fulfilled requirements. Returns either a completion status, or a token along with some more requirements. If requirements are returned, they should be submitted with the token as a fresh request to this action.

Usage:

am> action ForgottenUsername --realm Realm --body body --actionName submitRequirements

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "$schema" : "http://json-schema.org/draft-04/schema#",
  "description" : "The structure of a request to the submitRequirements action.",
  "type" : "object",
  "title" : "Submit requirements structure",
  "properties" : {
    "token" : {
      "type" : "string",
      "title" : "Token",
      "description" : "The token returned from the previous submitRequirements request."
    },
    "input" : {
      "type" : "object",
      "title" : "Input",
      "description" : "The input as collected from the user that has forgotten their username. This object must conform to the JSON Schema of the requirements property from the last response.",
      "patternProperties" : {
        ".*" : {
          "type" : "any",
          "title" : "Input Property",
          "description" : "Valid content according to the received JSON Schema."
        }
      }
    }
  },
  "required" : [ "input" ]
}
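
The read-then-submitRequirements loop that both the ForgottenPassword and the ForgottenUsername actions describe, as an added example that is not part of the Amster reference. The endpoint here is a constructed stand-in: its response shape (first a requirements schema, then a token with more requirements, finally a status), the token format and the verification code are assumptions, not AM's real wire format; the client side checks each round's input against the returned requirements schema before submitting, and the stand-in treats a token as single-use so a replayed submission fails.

```python
"""Client loop for the self-service submitRequirements action.

Added example, not part of the Amster reference. MockSelfServiceEndpoint is
a constructed stand-in for /selfservice/forgottenUsername (the loop is the
same for forgottenPassword). Its response shape (first a `requirements`
schema, then `token` plus `requirements`, finally `status`) is assumed from
the action's description; the token format and the code are made up.
"""


class MockSelfServiceEndpoint:
    """Constructed two-stage flow: ask for a mail address, then for a code."""

    CODE = "482913"  # constructed verification code the user would receive

    def __init__(self):
        self._issued = 0
        self._open_tokens = set()  # tokens issued and not yet consumed

    def read(self):
        # Equivalent of: am> read ForgottenUsername --realm Realm
        return {"requirements": {"type": "object", "required": ["mail"],
                                 "properties": {"mail": {"type": "string"}}}}

    def submit_requirements(self, body):
        # Equivalent of the submitRequirements action with --body body
        user_input = body["input"]
        token = body.get("token")
        if token is None:  # first submission carries no token yet
            if "mail" not in user_input:
                return {"status": {"success": False}}
            self._issued += 1
            token = "tok-%d" % self._issued  # constructed token format
            self._open_tokens.add(token)
            return {"token": token,
                    "requirements": {"type": "object", "required": ["code"],
                                     "properties": {"code": {"type": "string"}}}}
        if token not in self._open_tokens:  # unknown, or already consumed
            return {"status": {"success": False}}
        self._open_tokens.discard(token)  # single use: a replayed token fails
        return {"status": {"success": user_input.get("code") == self.CODE}}


def check_input(requirements, user_input):
    """Keys the requirements schema demands but the input lacks, and keys the
    input carries that the schema does not list. Both lists should be empty."""
    missing = [k for k in requirements.get("required", []) if k not in user_input]
    extra = [k for k in user_input if k not in requirements.get("properties", {})]
    return missing, extra


def run_self_service(endpoint, answers):
    """Drive read -> submitRequirements until a completion status comes back.

    `answers` maps requirement property names to the values the user gave.
    Returns (success, number_of_submit_calls, last_token_seen)."""
    response = endpoint.read()
    token, calls = None, 0
    while "status" not in response:
        reqs = response["requirements"]
        # Send only what this round's schema lists, never the whole answer set.
        user_input = {k: answers[k] for k in reqs.get("properties", {}) if k in answers}
        missing, extra = check_input(reqs, user_input)
        if missing or extra:
            raise ValueError("input does not conform: missing=%s extra=%s"
                             % (missing, extra))
        body = {"input": user_input}
        if token is not None:
            body["token"] = token  # fresh request carrying the previous token
        response = endpoint.submit_requirements(body)
        calls += 1
        if "token" in response:
            token = response["token"]
    return response["status"]["success"], calls, token
```

Each `body` dict built in the loop is what the `--body` parameter would carry, serialised as JSON.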

1.54. GeneralProperties

1.54.1. Global Operations

An object of property key-value pairs

Resource path: /global-config/servers/{serverName}/properties/general

Resource version: 1.0

1.54.1.1. read

Usage:

am> read GeneralProperties --global --serverName serverName

Parameters:

--serverName

An object of property key-value pairs

1.54.1.2. update

Usage:

am> update GeneralProperties --global --serverName serverName --body body

Parameters:

--serverName

An object of property key-value pairs

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "amconfig.header.site" : {
      "title" : "Site",
      "type" : "object",
      "propertyOrder" : 0,
      "properties" : {
        "singleChoiceSite" : {
          "enum" : null,
          "options" : {
            "enum_titles" : null
          },
          "type" : "string",
          "title" : "Parent Site",
          "propertyOrder" : 0,
          "required" : false,
          "description" : "Parent Site"
        }
      }
    },
    "amconfig.header.installdir" : {
      "title" : "System",
      "type" : "object",
      "propertyOrder" : 1,
      "properties" : {
        "com.iplanet.services.configpath" : {
          "title" : "Base installation directory",
          "type" : "object",
          "propertyOrder" : 0,
          "description" : "Base directory where product's data resides. (property name: com.iplanet.services.configpath)",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "com.iplanet.am.locale" : {
          "title" : "Default Locale",
          "type" : "object",
          "propertyOrder" : 1,
          "description" : "Default locale for the product. (property name: com.iplanet.am.locale)",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "com.sun.identity.client.notification.url" : {
          "title" : "Notification URL",
          "type" : "object",
          "propertyOrder" : 2,
          "description" : "The location of notification service end point. It is usually the product's deployment URI/notificationservice. (property name: com.sun.identity.client.notification.url)",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "com.iplanet.am.util.xml.validating" : {
          "title" : "XML Validation",
          "type" : "object",
          "propertyOrder" : 3,
          "description" : "Specifies if validation is required when parsing XML documents. (property name: com.iplanet.am.util.xml.validating)",
          "properties" : {
            "value" : {
              "enum" : [ "on", "off" ],
              "options" : {
                "enum_titles" : [ "On", "Off" ]
              },
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        }
      }
    },
    "amconfig.header.debug" : {
      "title" : "Debugging",
      "type" : "object",
      "propertyOrder" : 2,
      "properties" : {
        "com.iplanet.services.debug.level" : {
          "title" : "Debug Level",
          "type" : "object",
          "propertyOrder" : 0,
          "description" : "Debug level for all components in the product. (property name: com.iplanet.services.debug.level)",
          "properties" : {
            "value" : {
              "enum" : [ "off", "error", "warning", "message" ],
              "options" : {
                "enum_titles" : [ "Off", "Error", "Warning", "Message" ]
              },
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "com.sun.services.debug.mergeall" : {
          "title" : "Merge Debug Files",
          "type" : "object",
          "propertyOrder" : 1,
          "description" : "On : Directs all debug data to a single file (debug.out); Off : creates separate per-component debug files (property name : com.sun.services.debug.mergeall)",
          "properties" : {
            "value" : {
              "enum" : [ "on", "off" ],
              "options" : {
                "enum_titles" : [ "On", "Off" ]
              },
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "com.iplanet.services.debug.directory" : {
          "title" : "Debug Directory",
          "type" : "object",
          "propertyOrder" : 2,
          "description" : "Directory where debug files reside. (property name: com.iplanet.services.debug.directory)",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        }
      }
    },
    "amconfig.header.mailserver" : {
      "title" : "Mail Server",
      "type" : "object",
      "propertyOrder" : 3,
      "properties" : {
        "com.iplanet.am.smtphost" : {
          "title" : "Mail Server Host Name",
          "type" : "object",
          "propertyOrder" : 0,
          "description" : "(property name: com.iplanet.am.smtphost)",
          "properties" : {
            "value" : {
              "type" : "string",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        },
        "com.iplanet.am.smtpport" : {
          "title" : "Mail Server Port Number",
          "type" : "object",
          "propertyOrder" : 1,
          "description" : "(property name: com.iplanet.am.smtpport)",
          "properties" : {
            "value" : {
              "type" : "integer",
              "required" : false
            },
            "inherited" : {
              "type" : "boolean",
              "required" : true
            }
          }
        }
      }
    }
  }
}

1.55. GenericLDAPv3

1.55.1. Realm Operations

Resource path: /realm-config/services/id-repositories/LDAPv3

Resource version: 1.0

1.55.1.1. create

Usage:

am> create GenericLDAPv3 --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sun-idrepo-ldapv3-config-users-search-filter" : {
      "title" : "LDAP Users  Search Filter",
      "description" : "",
      "propertyOrder" : 2200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-interval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-naming-attr" : {
      "title" : "Authentication Naming Attribute",
      "description" : "",
      "propertyOrder" : 5200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-attribute" : {
      "title" : "LDAP Users  Search Attribute",
      "description" : "",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearch-filter" : {
      "title" : "Persistent Search Filter",
      "description" : "",
      "propertyOrder" : 5600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-isactive" : {
      "title" : "Attribute Name of User Status",
      "description" : "",
      "propertyOrder" : 2600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection_pool_max_size" : {
      "title" : "LDAP Connection Pool Maximum Size",
      "description" : "",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sunIdRepoAttributeMapping" : {
      "title" : "Attribute Name Mapping",
      "description" : "",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-dftgroupmember" : {
      "title" : "Default Group Member's User DN",
      "description" : "User automatically added when group is created.",
      "propertyOrder" : 3800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-timeunit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "com.iplanet.am.ldap.connection.delay.between.retries" : {
      "title" : "The Delay Time Between Retries",
      "description" : "In milliseconds.",
      "propertyOrder" : 5800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
      "title" : "Create User Attribute Mapping",
      "description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
      "propertyOrder" : 2500,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-objectclass" : {
      "title" : "LDAP Groups Object Class",
      "description" : "",
      "propertyOrder" : 3300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearch-scope" : {
      "title" : "Persistent Search Scope",
      "description" : "",
      "propertyOrder" : 5700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-enabled" : {
      "title" : "DN Cache",
      "description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
      "propertyOrder" : 5900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authid" : {
      "title" : "LDAP Bind DN",
      "description" : "A user or admin with sufficient access rights to perform the supported operations.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-memberurl" : {
      "title" : "Attribute Name of Group Member URL",
      "description" : "",
      "propertyOrder" : 3700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-objectclass" : {
      "title" : "LDAP User Object Class",
      "description" : "",
      "propertyOrder" : 2300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-name" : {
      "title" : "LDAP Groups Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-value" : {
      "title" : "LDAP Groups Container Value",
      "description" : "",
      "propertyOrder" : 3200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-size" : {
      "title" : "DN Cache Size",
      "description" : "In DN items, only used when DN Cache is enabled.",
      "propertyOrder" : 6000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-value" : {
      "title" : "LDAP People Container Value",
      "description" : "",
      "propertyOrder" : 5100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-time-limit" : {
      "title" : "Search Timeout",
      "description" : "In seconds.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-inactive" : {
      "title" : "User Status Inactive Value",
      "description" : "",
      "propertyOrder" : 2800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoClass" : {
      "title" : "LDAPv3 Repository Plug-in Class Name",
      "description" : "",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-ldap-server" : {
      "title" : "LDAP Server",
      "description" : "Format: LDAP server host name:port | server_ID | site_ID",
      "propertyOrder" : 600,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearchbase" : {
      "title" : "Persistent Search Base DN",
      "description" : "",
      "propertyOrder" : 5500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-attributes" : {
      "title" : "LDAP Groups Attributes",
      "description" : "",
      "propertyOrder" : 3400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-max-result" : {
      "title" : "Maximum Results Returned from Search",
      "description" : "",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-memberof" : {
      "title" : "Attribute Name for Group Membership",
      "description" : "",
      "propertyOrder" : 3500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-uniquemember" : {
      "title" : "Attribute Name of Unique Member",
      "description" : "",
      "propertyOrder" : 3600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-organization_name" : {
      "title" : "LDAP Organization DN",
      "description" : "",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-filter" : {
      "title" : "LDAP Groups Search Filter",
      "description" : "",
      "propertyOrder" : 3000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-attributes" : {
      "title" : "LDAP User Attributes",
      "description" : "",
      "propertyOrder" : 2400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-attribute" : {
      "title" : "LDAP Groups Search Attribute",
      "description" : "",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoSupportedOperations" : {
      "title" : "LDAPv3 Plug-in Supported Types and Operations",
      "description" : "",
      "propertyOrder" : 1900,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-active" : {
      "title" : "User Status Active Value",
      "description" : "",
      "propertyOrder" : 2700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-name" : {
      "title" : "LDAP People Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 5000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-search-scope" : {
      "title" : "LDAPv3 Plug-in Search Scope",
      "description" : "",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authpw" : {
      "title" : "LDAP Bind Password",
      "description" : "",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    }
  }
}

1.55.1.2. delete

Usage:

am> delete GenericLDAPv3 --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.55.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action GenericLDAPv3 --realm Realm --actionName getAllTypes

1.55.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action GenericLDAPv3 --realm Realm --actionName getCreatableTypes

1.55.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action GenericLDAPv3 --realm Realm --actionName nextdescendents

1.55.1.6. query

Get the full list of instances of this collection. This query only supports the `_queryFilter=true` filter.

Usage:

am> query GenericLDAPv3 --realm Realm --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.55.1.7. read

Usage:

am> read GenericLDAPv3 --realm Realm --id id

Parameters:

--id

The unique identifier for the resource.

1.55.1.8. update

Usage:

am> update GenericLDAPv3 --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sun-idrepo-ldapv3-config-users-search-filter" : {
      "title" : "LDAP Users  Search Filter",
      "description" : "",
      "propertyOrder" : 2200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-interval" : {
      "title" : "LDAP Connection Heartbeat Interval",
      "description" : "Specifies how often should OpenAM send a heartbeat request to the directory.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Time Unit parameter to define the exact interval. Zero or negative value will result in disabling heartbeat requests.",
      "propertyOrder" : 1300,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-auth-naming-attr" : {
      "title" : "Authentication Naming Attribute",
      "description" : "",
      "propertyOrder" : 5200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection-mode" : {
      "title" : "LDAP Connection Mode",
      "description" : "Defines which protocol/operation is used to establish the connection to the LDAP Directory Server.<br><br>If 'LDAP' is selected, the connection <b>won't be secured</b> and passwords are transferred in <b>cleartext</b> over the network.<br/> If 'LDAPS' is selected, the connection is secured via SSL or TLS. <br/> If 'StartTLS' is selected, the connection is secured by using StartTLS extended operation.",
      "propertyOrder" : 1000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-users-search-attribute" : {
      "title" : "LDAP Users  Search Attribute",
      "description" : "",
      "propertyOrder" : 2100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearch-filter" : {
      "title" : "Persistent Search Filter",
      "description" : "",
      "propertyOrder" : 5600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-isactive" : {
      "title" : "Attribute Name of User Status",
      "description" : "",
      "propertyOrder" : 2600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-connection_pool_max_size" : {
      "title" : "LDAP Connection Pool Maximum Size",
      "description" : "",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sunIdRepoAttributeMapping" : {
      "title" : "Attribute Name Mapping",
      "description" : "",
      "propertyOrder" : 1800,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-dftgroupmember" : {
      "title" : "Default Group Member's User DN",
      "description" : "User automatically added when group is created.",
      "propertyOrder" : 3800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "openam-idrepo-ldapv3-heartbeat-timeunit" : {
      "title" : "LDAP Connection Heartbeat Time Unit",
      "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>This setting controls how often OpenAM <b>should</b> send a heartbeat search request to the configured directory. If a connection becomes unresponsive (e.g. due to a network error) then it may take up to the interval period before the problem is detected. Use along with the Heartbeat Interval parameter to define the exact interval.",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "com.iplanet.am.ldap.connection.delay.between.retries" : {
      "title" : "The Delay Time Between Retries",
      "description" : "In milliseconds.",
      "propertyOrder" : 5800,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-createuser-attr-mapping" : {
      "title" : "Create User Attribute Mapping",
      "description" : "Format: attribute name or TargetAttributeName=SourceAttributeName",
      "propertyOrder" : 2500,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-objectclass" : {
      "title" : "LDAP Groups Object Class",
      "description" : "",
      "propertyOrder" : 3300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearch-scope" : {
      "title" : "Persistent Search Scope",
      "description" : "",
      "propertyOrder" : 5700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-enabled" : {
      "title" : "DN Cache",
      "description" : "Used to enable/disable the DN Cache within the OpenAM repository implementation.<br><br>The DN Cache is used to cache DN lookups which tend to happen in bursts during authentication. The DN Cache can become out of date when a user is moved or renamed in the underlying LDAP store and this is not reflected in a persistent search result. Enable when the underlying LDAP store supports persistent search and move/rename (mod_dn) results are available.",
      "propertyOrder" : 5900,
      "required" : true,
      "type" : "boolean",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authid" : {
      "title" : "LDAP Bind DN",
      "description" : "A user or admin with sufficient access rights to perform the supported operations.",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-memberurl" : {
      "title" : "Attribute Name of Group Member URL",
      "description" : "",
      "propertyOrder" : 3700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-objectclass" : {
      "title" : "LDAP User Object Class",
      "description" : "",
      "propertyOrder" : 2300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-name" : {
      "title" : "LDAP Groups Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 3100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-container-value" : {
      "title" : "LDAP Groups Container Value",
      "description" : "",
      "propertyOrder" : 3200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-dncache-size" : {
      "title" : "DN Cache Size",
      "description" : "In DN items, only used when DN Cache is enabled.",
      "propertyOrder" : 6000,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-value" : {
      "title" : "LDAP People Container Value",
      "description" : "",
      "propertyOrder" : 5100,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-time-limit" : {
      "title" : "Search Timeout",
      "description" : "In seconds.",
      "propertyOrder" : 1600,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-inactive" : {
      "title" : "User Status Inactive Value",
      "description" : "",
      "propertyOrder" : 2800,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoClass" : {
      "title" : "LDAPv3 Repository Plug-in Class Name",
      "description" : "",
      "propertyOrder" : 1700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-ldap-server" : {
      "title" : "LDAP Server",
      "description" : "Format: LDAP server host name:port | server_ID | site_ID",
      "propertyOrder" : 600,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-psearchbase" : {
      "title" : "Persistent Search Base DN",
      "description" : "",
      "propertyOrder" : 5500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-group-attributes" : {
      "title" : "LDAP Groups Attributes",
      "description" : "",
      "propertyOrder" : 3400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-max-result" : {
      "title" : "Maximum Results Returned from Search",
      "description" : "",
      "propertyOrder" : 1500,
      "required" : true,
      "type" : "integer",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-memberof" : {
      "title" : "Attribute Name for Group Membership",
      "description" : "",
      "propertyOrder" : 3500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-uniquemember" : {
      "title" : "Attribute Name of Unique Member",
      "description" : "",
      "propertyOrder" : 3600,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-organization_name" : {
      "title" : "LDAP Organization DN",
      "description" : "",
      "propertyOrder" : 900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-filter" : {
      "title" : "LDAP Groups Search Filter",
      "description" : "",
      "propertyOrder" : 3000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-user-attributes" : {
      "title" : "LDAP User Attributes",
      "description" : "",
      "propertyOrder" : 2400,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-groups-search-attribute" : {
      "title" : "LDAP Groups Search Attribute",
      "description" : "",
      "propertyOrder" : 2900,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sunIdRepoSupportedOperations" : {
      "title" : "LDAPv3 Plug-in Supported Types and Operations",
      "description" : "",
      "propertyOrder" : 1900,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-active" : {
      "title" : "User Status Active Value",
      "description" : "",
      "propertyOrder" : 2700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-people-container-name" : {
      "title" : "LDAP People Container Naming Attribute",
      "description" : "",
      "propertyOrder" : 5000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-search-scope" : {
      "title" : "LDAPv3 Plug-in Search Scope",
      "description" : "",
      "propertyOrder" : 2000,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "sun-idrepo-ldapv3-config-authpw" : {
      "title" : "LDAP Bind Password",
      "description" : "",
      "propertyOrder" : 800,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    }
  }
}
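The "LDAP Server" property above takes a list of `host:port | server_ID | site_ID` entries. The following is an added example, not code from the page or from ForgeRock, that parses those entries and orders them for one AM server. It assumes, as labelled in the comments, that the server_ID and site_ID segments are optional and that an entry tagged with an ID applies only to that AM server or site; the preference order (this server's entries, then this site's, then untagged ones, with entries pinned elsewhere dropped) is likewise an assumption about how AM consumes the list.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LdapServer:
    host: str
    port: int
    server_id: Optional[str]  # AM server ID the entry is pinned to, if any (assumed optional)
    site_id: Optional[str]    # AM site ID the entry is pinned to, if any (assumed optional)


def parse_ldap_server(entry: str) -> LdapServer:
    """Parse one "host:port | server_ID | site_ID" value from the LDAP Server list.

    Assumption: the two ID segments are optional; a bare "host:port" entry
    applies to every AM server. Port must be numeric and in range, so a typo
    fails here rather than at bind time.
    """
    parts = [p.strip() for p in entry.split("|")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"expected host:port|server_ID|site_ID, got {entry!r}")
    host, sep, port = parts[0].rpartition(":")
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        raise ValueError(f"bad host:port in {entry!r}")
    server_id = parts[1] if len(parts) > 1 and parts[1] else None
    site_id = parts[2] if len(parts) > 2 and parts[2] else None
    return LdapServer(host, int(port), server_id, site_id)


def prioritize_servers(entries: List[str], my_server_id: str, my_site_id: str) -> List[LdapServer]:
    """Order the LDAP Server list for one AM server.

    Assumed selection rule: entries pinned to this server come first, then
    entries pinned to this site, then untagged entries; entries pinned to a
    different server or site are dropped. Order inside each group is kept,
    which is what determines failover order.
    """
    mine, site, generic = [], [], []
    for entry in entries:
        s = parse_ldap_server(entry)
        if s.server_id is None and s.site_id is None:
            generic.append(s)
        elif s.server_id == my_server_id:
            mine.append(s)
        elif s.site_id == my_site_id:
            site.append(s)
    return mine + site + generic


if __name__ == "__main__":
    # Constructed sample list; the host names and IDs are illustrative only.
    sample = [
        "ldap1.example.com:389|01|02",
        "ldap2.example.com:389|03|02",
        "ldap3.example.com:636",
        "ldap4.example.com:389|07|08",
    ]
    for s in prioritize_servers(sample, "01", "02"):
        print(f"{s.host}:{s.port}")
```

Running the check before `update` catches a malformed entry (missing port, stray pipe) that would otherwise leave a server silently without a directory to bind to.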

1.56. GlobalScripts

1.56.1. Global Operations

Resource path: /global-config/services/scripting/globalScript

Resource version: 1.0

1.56.1.1. create

Usage:

am> create GlobalScripts --global --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "script" : {
      "title" : "Script",
      "description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "creationDate" : {
      "title" : "Creation date",
      "description" : "An integer containing the creation date and time, in ISO 8601 format",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "lastModifiedBy" : {
      "title" : "Last modifier",
      "description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "language" : {
      "title" : "Script language",
      "description" : "The language the script is written in - JAVASCRIPT or GROOVY",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "name" : {
      "title" : "Script name",
      "description" : "The name provided for the script",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "description" : {
      "title" : "Script description",
      "description" : "An optional text string to help identify the script",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "lastModifiedDate" : {
      "title" : "Last modification date",
      "description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "context" : {
      "title" : "Script type",
      "description" : "The script type. Supported values are: POLICY_CONDITION : Policy Condition  AUTHENTICATION_SERVER_SIDE : Server-side Authentication  AUTHENTICATION_CLIENT_SIDE : Client-side Authentication - Note Client-side scripts must be written in JavaScript OIDC_CLAIMS : OIDC Claims",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "createdBy" : {
      "title" : "Created by",
      "description" : "A string containing the universal identifier DN of the subject that created the script",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}

1.56.1.2. delete

Usage:

am> delete GlobalScripts --global --id id

Parameters:

--id

The unique identifier for the resource.

1.56.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action GlobalScripts --global --actionName getAllTypes

1.56.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action GlobalScripts --global --actionName getCreatableTypes

1.56.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action GlobalScripts --global --actionName nextdescendents

1.56.1.6. query

Get the full list of instances of this collection. This query supports only the `_queryFilter=true` filter.

Usage:

am> query GlobalScripts --global --filter filter

Parameters:

--filter

A CREST formatted query filter, where "true" will query all.

1.56.1.7. read

Usage:

am> read GlobalScripts --global --id id

Parameters:

--id

The unique identifier for the resource.

1.56.1.8. update

Usage:

am> update GlobalScripts --global --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "script" : {
      "title" : "Script",
      "description" : "The source code of the script. The source code is in UTF-8 format and encoded into Base64",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "creationDate" : {
      "title" : "Creation date",
      "description" : "An integer containing the creation date and time, in ISO 8601 format",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "lastModifiedBy" : {
      "title" : "Last modifier",
      "description" : "A string containing the universal identifier DN of the subject that most recently updated the script. If the script has not been modified since it was created, this property will have the same value as createdBy",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "language" : {
      "title" : "Script language",
      "description" : "The language the script is written in - JAVASCRIPT or GROOVY",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "name" : {
      "title" : "Script name",
      "description" : "The name provided for the script",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "description" : {
      "title" : "Script description",
      "description" : "An optional text string to help identify the script",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "lastModifiedDate" : {
      "title" : "Last modification date",
      "description" : "A string containing the last modified date and time, in ISO 8601 format. If the script has not been modified since it was created, this property will have the same value as creationDate",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "context" : {
      "title" : "Script type",
      "description" : "The script type. Supported values are: POLICY_CONDITION : Policy Condition  AUTHENTICATION_SERVER_SIDE : Server-side Authentication  AUTHENTICATION_CLIENT_SIDE : Client-side Authentication - Note Client-side scripts must be written in JavaScript OIDC_CLAIMS : OIDC Claims",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "createdBy" : {
      "title" : "Created by",
      "description" : "A string containing the universal identifier DN of the subject that created the script",
      "propertyOrder" : null,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    }
  }
}
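The `create` (1.56.1.1) and `update` (1.56.1.8) bodies above both carry the script source Base64-encoded and constrain `language` and `context` to the enumerations in their descriptions. The following is an added example, not code from the page or from ForgeRock, that builds such a body from plain UTF-8 source, enforces the schema's rule that client-side authentication scripts must be JavaScript, decodes a body read back from AM, and hashes the decoded source. The digest helper is an addition for change control and is not part of the Amster schema; the assumption that the audit fields (`createdBy`, `creationDate`, and so on) can be passed through unchanged via `extra_fields` is labelled in the code.

```python
import base64
import hashlib

# Enumerations taken from the "language" and "context" descriptions in the schema.
LANGUAGES = {"JAVASCRIPT", "GROOVY"}
CONTEXTS = {
    "POLICY_CONDITION",
    "AUTHENTICATION_SERVER_SIDE",
    "AUTHENTICATION_CLIENT_SIDE",
    "OIDC_CLAIMS",
}


def build_script_body(name, source, language, context, description="", extra_fields=None):
    """Build the --body JSON for `create GlobalScripts` / `update GlobalScripts`.

    `source` is the script as UTF-8 text; the schema requires it Base64-encoded.
    `extra_fields` (assumption: safe to pass through) carries any other schema
    properties unchanged, e.g. the audit fields when re-importing an exported script.
    """
    if language not in LANGUAGES:
        raise ValueError(f"language must be one of {sorted(LANGUAGES)}, got {language!r}")
    if context not in CONTEXTS:
        raise ValueError(f"context must be one of {sorted(CONTEXTS)}, got {context!r}")
    # Schema note: client-side authentication scripts must be written in JavaScript.
    if context == "AUTHENTICATION_CLIENT_SIDE" and language != "JAVASCRIPT":
        raise ValueError("AUTHENTICATION_CLIENT_SIDE scripts must use JAVASCRIPT")
    body = dict(extra_fields or {})
    body.update({
        "name": name,
        "description": description,
        "language": language,
        "context": context,
        "script": base64.b64encode(source.encode("utf-8")).decode("ascii"),
    })
    return body


def decode_script(body):
    """Recover the UTF-8 source from a body as returned by `read GlobalScripts`.

    validate=True rejects non-Base64 characters instead of silently dropping them.
    """
    return base64.b64decode(body["script"], validate=True).decode("utf-8")


def script_digest(body):
    """SHA-256 of the decoded source, for comparing a deployed script with an approved baseline."""
    return hashlib.sha256(decode_script(body).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample script; the name and source are illustrative only.
    src = "// deny when the session is older than one hour\nauthorized = false;\n"
    body = build_script_body("Session age check", src, "JAVASCRIPT", "POLICY_CONDITION")
    print(body["script"])
    print(script_digest(body))
```

Because the exported form is Base64, a script's content is not visible in a configuration export or diff; decoding with `decode_script` before review, and keeping `script_digest` values for the approved versions, is how to notice that a server-side authentication or policy script has changed.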

1.57. Globalization

1.57.1. Realm Operations

Resource path: /realm-config/services/globalization

Resource version: 1.0

1.57.1.1. create

Usage:

am> create Globalization --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "commonNameFormats" : {
      "title" : "Auto Generated Common Name Format",
      "description" : "Use this list to configure how OpenAM formats names shown in the console banner.<br><br>This setting allows the name of the authenticated user shown in the OpenAM console banner to be customised based on the locale of the user.",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.57.1.2. delete

Usage:

am> delete Globalization --realm Realm

1.57.1.3. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Globalization --realm Realm --actionName getAllTypes

1.57.1.4. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Globalization --realm Realm --actionName getCreatableTypes

1.57.1.5. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Globalization --realm Realm --actionName nextdescendents

1.57.1.6. read

Usage:

am> read Globalization --realm Realm

1.57.1.7. update

Usage:

am> update Globalization --realm Realm --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "commonNameFormats" : {
      "title" : "Auto Generated Common Name Format",
      "description" : "Use this list to configure how OpenAM formats names shown in the console banner.<br><br>This setting allows the name of the authenticated user shown in the OpenAM console banner to be customised based on the locale of the user.",
      "propertyOrder" : 300,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    }
  }
}

1.57.2. Global Operations

Resource path: /global-config/services/globalization

Resource version: 1.0

1.57.2.1. getAllTypes

Obtain the collection of all secondary configuration types related to the resource.

Usage:

am> action Globalization --global --actionName getAllTypes

1.57.2.2. getCreatableTypes

Obtain the collection of secondary configuration types that have yet to be added to the resource.

Usage:

am> action Globalization --global --actionName getCreatableTypes

1.57.2.3. nextdescendents

Obtain the collection of secondary configuration instances that have been added to the resource.

Usage:

am> action Globalization --global --actionName nextdescendents

1.57.2.4. read

Usage:

am> read Globalization --global

1.57.2.5. update

Usage:

am> update Globalization --global --body body

Parameters:

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "sun-identity-g11n-settings-charset-alias-mapping" : {
      "title" : "Charset Aliases",
      "description" : "Use this list to map between different character set names used in Java and in MIME.",
      "propertyOrder" : 200,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "charsetMappings" : {
      "title" : "Charsets Supported by Each Locale",
      "description" : "This table lets you configure the order of supported character sets used for each supported locale. Change the settings only if the defaults are not appropriate.",
      "propertyOrder" : 100,
      "required" : true,
      "items" : {
        "type" : "string"
      },
      "type" : "array",
      "exampleValue" : ""
    },
    "defaults" : {
      "properties" : {
        "commonNameFormats" : {
          "title" : "Auto Generated Common Name Format",
          "description" : "Use this list to configure how OpenAM formats names shown in the console banner.<br><br>This setting allows the name of the authenticated user shown in the OpenAM console banner to be customised based on the locale of the user.",
          "propertyOrder" : 300,
          "required" : true,
          "items" : {
            "type" : "string"
          },
          "type" : "array",
          "exampleValue" : ""
        }
      },
      "type" : "object",
      "title" : "Realm Defaults"
    }
  }
}

1.58. HotpModule

1.58.1. Realm Operations

Resource path: /realm-config/authentication/modules/hotp

Resource version: 1.0

1.58.1.1. create

Usage:

am> create HotpModule --realm Realm --id id --body body

Parameters:

--id

The unique identifier for the resource.

--body

The resource in JSON format, described by the following JSON schema:

{
  "type" : "object",
  "properties" : {
    "userProfileTelephoneAttribute" : {
      "title" : "Mobile Phone Number Attribute Name",
      "description" : "This is the attribute name used for a requested text message",
      "propertyOrder" : 1200,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "smtpUsername" : {
      "title" : "Mail Server Authentication Username",
      "description" : "The username to use if the mail server is using SMTP authentication",
      "propertyOrder" : 500,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "userProfileEmailAttribute" : {
      "title" : "Email Attribute Name",
      "description" : "This is the attribute name used by the OTP to email the user",
      "propertyOrder" : 1400,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "smtpSslEnabled" : {
      "title" : "Mail Server Secure Connection ",
      "description" : "This setting controls whether the authentication module communicates with the mail server using SSL/TLS",
      "propertyOrder" : 700,
      "required" : true,
      "type" : "string",
      "exampleValue" : ""
    },
    "smtpUserPassword" : {
      "title" : "Mail Server Authentication Password",
      "description" : "The password to use if the mail server is using SMTP authentication",
      "propertyOrder" : 600,
      "required" : true,
      "type" : "string",
      "format" : "password",
      "exampleValue" : ""
    },
    "authenticationLevel" : {
      "title" : "Authentication Level",
      "description" : "The authentication level associated with this module.<br><