Chapter 1. Java EE Agent Configuration Properties

When using an encrypted password, set this to the encryption key used to encrypt the agent profile password.

Set this to the naming service URL(s) used for naming lookups in OpenAM. Separate multiple URLs with single space characters.

When using a plain text password, set this to the password for the agent profile, and leave am.encryption.pwd blank.

When using an encrypted password, set this to the encrypted version of the password for the agent profile. Use the command ./agentadmin --encrypt agentInstance passwordFile to get the encrypted version.

Set this to the URI under which OpenAM is deployed, such as /openam.

Set this to the full path of the agent's debug log directory where the agent writes debug log files.

Set this to the agent profile name.

Set this to the full path for agent's audit log file.

Set this to true to require an agent restart to allow agent configuration changes, even for hot-swappable parameters. Default is false.

Set this to the realm name where the agent authenticates to OpenAM.

Set this to the profile name used to fetch agent configuration data. Unless multiple agents use the same credentials to authenticate, this is the same as com.sun.identity.agents.app.username.

Set this to the class name of the service resolver used by the agent.

When set to on, the default, the agent writes all debug messages to a single file under com.iplanet.services.debug.directory.

Name of the SSO Token cookie used between the OpenAM server and the agent. Default: iPlanetDirectoryPro.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > Cookie Name.

If notifications are not enabled and set to a value other than zero, specifies the time in minutes after which the agent polls to update cached user management data. Default: 1

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > User Data Cache Polling Time.

Specifies the OpenAM authentication service host name.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > OpenAM Authentication Service Host Name.

Specifies the OpenAM authentication service port number.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > OpenAM Authentication Service Port.

Specifies the protocol used by the OpenAM authentication service.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > OpenAM Authentication Service Protocol.

When enabled, the session client polls to update the session cache rather than relying on notifications from OpenAM.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Enable Client Polling.

Specifies the time in seconds after which the session client requests an update from OpenAM for cached session information. Default: 180

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Client Polling Period.

Specifies the agent's encryption provider class.

Default: com.iplanet.services.util.JCEEncryption

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Miscellaneous > Encryption Provider.

Default is Error. Increase to Message or even All for fine-grained detail.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > Agent Debug Level.

Specifies the URIs of custom pages to return when access is denied. The key is the web application name. The value is the custom URI.

To set a global custom access denied URI for applications without other custom access denied URIs defined, leave the key empty and set the value to the global custom access denied URI, /sample/accessdenied.html.

To set a custom access denied URI for a specific application, set the key to the name of the application, and the value to the application access denied URI, such as /myApp/accessdenied.html.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Resource Access Denied URI.

Specifies the host name of the agent protected server to show to client browsers, rather than the actual host name.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Alternative Agent Host Name.

Specifies the port number of the agent protected server to show to client browsers, rather than the actual port number.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Alternative Agent Port Name.

Specifies the protocol used to contact the agent from the browser client browsers, rather than the actual protocol used by the server. Either http or https.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Alternative Agent Protocol.

When enabled, the agent exposes SSO Cache through the agent SDK APIs.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > SSO > SSO Cache Enable.

When enabled, attribute values are URL encoded before being set as a cookie.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Attribute Cookie Encode.

Specifies the separator for multiple values of the same attribute when it is set as a cookie. Default: |.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Cookie Separator Character.

Specifies the java.text.SimpleDateFormat of date attribute values used when an attribute is set in an HTTP header. Default: EEE, d MMM yyyy hh:mm:ss z.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Fetch Attribute Date Format.

Types of messages to log based on user URL access attempts.

Valid values for the configuration file property include LOG_NONE, LOG_ALLOW, LOG_DENY, and LOG_BOTH.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > Audit Access Types.

Specifies custom authentication handler classes for users authenticated with the application server. The key is the web application name and the value is the authentication handler class name.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Custom Authentication Handler.

Specifies a list of principals the agent bypasses for authentication and search purposes, such as guest or testuser.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Miscellaneous > Bypass Principal List.

List of URLs of the available CDSSO controllers that the agent can use for CDSSO processing. For example, http://openam.example.com:8080/openam/cdcservlet.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > SSO > CDSSO Servlet URL.

When set to a value other than zero, specifies the clock skew in seconds that the agent accepts when determining the validity of the CDSSO authentication response assertion.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > SSO > CDSSO Clock Skew.

List of domains, such as .example.com, in which cookies have to be set in CDSSO.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > SSO > Cross Domain SSO.

Enables Cross Domain Single Sign On.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > SSO > Cross Domain SSO.

Specifies a URI the agent uses to process CDSSO requests.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > SSO > CDSSO Redirect URI.

When enabled, the agent marks the SSO Token cookie as secure, thus the cookie is only transmitted over secure connections.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > SSO > Cross Domain SSO.

Specifies the list of OpenAM servers or identity providers the agent trusts when evaluating CDC Liberty Responses.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > SSO > CDSSO Trusted ID Provider.

Enable agent to receive notification messages from OpenAM server for configuration changes.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > Profile.

If the agent is behind a proxy or load balancer, then the agent can get client IP and host name values from the proxy or load balancer. For proxies and load balancer that support providing the client IP and host name in HTTP headers, you can use the following properties.

When multiple proxies are load balancers sit in the request path, the header values can include a comma-separated list of values with the first value representing the client, as in client,next-proxy,first-proxy.

HTTP header name that holds the hostname of the client.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Client Hostname Header.

Similar to com.sun.identity.agents.config.client.hostname.header, HTTP header name that holds the IP address of the client.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Client IP Address Header.

To conditionally redirect users based on the incoming request URL, set this property.

This takes the incoming request domain to match, a vertical bar ( | ), and then a comma-separated list of URLs to which to redirect incoming users.

If the domain before the vertical bar matches an incoming request URL, then the policy agent uses the list of URLs to determine how to redirect the user-agent. If the global property FQDN Check (com.sun.identity.agents.config.fqdn.check.enable) is enabled for the policy agent, then the policy agent iterates through the list until it finds an appropriate redirect URL that matches the FQDN check. Otherwise, the policy agent redirects the user-agent to the first URL in the list.

Property: com.sun.identity.agents.config.conditional.login.url

Examples: com.sun.identity.agents.config.conditional.login.url[0]= login.example.com|http://openam1.example.com/openam/UI/Login, http://openam2.example.com/openam/UI/Login, com.sun.identity.agents.config.conditional.login.url[1]= signin.example.com|http://openam3.example.com/openam/UI/Login, http://openam4.example.com/openam/UI/Login

If CDSSO is enabled for the policy agent, then this property takes CDSSO Servlet URLs for its values (com.sun.identity.agents.config.cdsso.cdcservlet.url), rather than OpenAM login URLs.

CDSSO examples: com.sun.identity.agents.config.conditional.login.url[0]= login.example.com|http://openam1.example.com/openam/cdcservlet, http://openam2.example.com/openam/cdcservlet, com.sun.identity.agents.config.conditional.login.url[1]= signin.example.com|http://openam3.example.com/openam/cdcservlet, http://openam4.example.com/openam/cdcservlet

The values take the incoming request URL to match and a comma-separated list of URLs to which to redirect users logging out.

Example: com.sun.identity.agents.config.conditional.logout.url[0]= logout.example.com|http://openam1.example.com/openam/UI/Logout, http://openam2.example.com/openam/UI/Logout

Specifies how names from com.sun.identity.agents.config.cookie.reset.name correspond to cookie domain values when the cookie is reset.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > SSO > Cookie Reset Domain Map.

When enabled, agent resets cookies in the response before redirecting to authentication.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > SSO > Cookie Reset.

List of cookies to reset if com.sun.identity.agents.config.cookie.reset.enable is enabled.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > SSO > Cookie Reset Name List.

Specifies how names from the com.sun.identity.agents.config.cookie.reset.name correspond to cookie paths when the cookie is reset.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > SSO > Cookie Reset Path Map.

Specifies the list of privileged attributes granted to all users with a valid OpenAM session, such as AUTHENTICATED_USERS.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Default Privileged Attribute.

Specifies how the agent filters requests to protected web applications. The global value functions as a default, and applies for protected applications that do not have their own filter settings. Valid settings include the following.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > Agent Filter Mode.

Enables checking of FQDN default value and FQDN map values.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > FQDN Check.

Fully qualified domain name that the users should use in order to access resources.

This property ensures that when users access protected resources on the web server without specifying the FQDN, the agent can redirect the users to URLs containing the correct FQDN.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > FQDN Default.

Enables virtual hosts, partial hostname and IP address to access protected resources. Maps invalid or virtual name keys to valid FQDN values so the agent can properly redirect users and the agents receive cookies belonging to the domain.

To map myserver to myserver.mydomain.example, enter myserver in the Map Key field, and enter myserver.mydomain.example in the Corresponding Map Value field. This corresponds to com.sun.identity.agents.config.fqdn.mapping[myserver]= myserver.mydomain.example.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > FQDN Virtual Host Map.

When enabled the agent invalidates the HTTP session upon login failure, when the user has no SSO session, or when the principal user name does not match the SSO user name.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > HTTP Session Binding.

When enabled, strip path info from the request URL while doing the Not Enforced List check, and URL policy evaluation. This is designed to prevent a user from accessing a URI by appending the matching pattern in the policy or not enforced list.

For example, if the not enforced list includes /*.gif, then stripping path info from the request URL prevents access to http://host/index.html by using http://host/index.html?hack.gif.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Miscellaneous > Ignore Path Info in Request URL.

When enabled, allow programmatic authentication with the JBoss container using the WebAuthentication feature. This feature works only with JBoss 4.2.2 to 7 when the J2EE_POLICY or ALL filter mode is in use.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > JBoss Application Server.

Specifies a URI the agent uses to redirect legacy user agent requests.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Miscellaneous > Legacy User Agent Redirect URI.

When enabled, provide support for legacy browsers.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Miscellaneous > Legacy User Agent Support Enable.

List of header values that identify legacy browsers. Entries can use the wildcard character, *.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Miscellaneous > Legacy User Agent List.

Interval in seconds to fetch agent configuration from OpenAM. Used if notifications are disabled. Default: 0

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > Configuration Reload Interval.

When enabled, audit log files are rotated when reaching the specified size.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > Rotate Local Audit Log.

Beyond this size limit in bytes the agent rotates the local audit log file if rotation is enabled. Default: 50 MB

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > Local Audit Log Rotation Size.

The default country for the agent.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Miscellaneous > Locale Country.

The default language for the agent.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Miscellaneous > Locale Language.

Specifies where audit messages are logged. By default, audit messages are logged remotely.

Valid values for the configuration file property include REMOTE, LOCAL, and ALL.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > Audit Log Location.

When set to a value other than zero, this defines the maximum number of failed login attempts allowed during a single browser session, after which the agent blocks requests from the user.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > Login Attempt Limit.

Full path name to the file containing custom login content when Use Internal Login is enabled.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Login Content File Name.

Specifies the list of absolute URIs corresponding to a protected application's web.xml form-error-page element, such as /myApp/jsp/error.jsp.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Login Error URI.

Specifies the list of absolute URIs corresponding to a protected application's web.xml form-login-page element, such as /myApp/jsp/login.jsp.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Login Form URI.

When enabled, OpenAM uses the priority defined in the OpenAM Login URL list as the priority for Login and CDSSO URLs when handling failover.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Login URL Prioritized.

When enabled, OpenAM checks the availability of OpenAM Login URLs before redirecting to them.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Login URL Probe.

Timeout period in milliseconds for OpenAM to determine whether to failover between Login URLs when Login URL Probe is enabled. Default: 2000

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Login URL Probe Timeout.

OpenAM login page URL, such as http://openam.example.com:8080/openam/UI/Login, to which the agent redirects incoming users without sufficient credentials so then can authenticate.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > OpenAM Login URL.

When enabled, the agent uses the internal default content file for the login.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Use Internal Login.

Specifies how logout handlers map to specific applications. The key is the web application name. The value is the logout handler class.

To set a global logout handler for applications without other logout handlers defined, leave the key empty and set the value to the global logout handler class name, GlobalApplicationLogoutHandler.

To set a logout handler for a specific application, set the key to the name of the application, and the value to the logout handler class name.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Application Logout Handler.

Specifies the URIs to return after successful logout and subsequent authentication. The key is the web application name. The value is the URI to return.

To set a global logout entry URI for applications without other logout entry URIs defined, leave the key empty and set the value to the global logout entry URI, /welcome.html.

To set a logout entry URI for a specific application, set the key to the name of the application, and the value to the application logout entry URI, such as /myApp/welcome.html.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Logout Entry URI.

Specifies custom logout handler classes to log users out of the application server. The key is the web application name and the value is the logout handler class name.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Custom Logout Handler.

When enabled, the agent checks the HTTP request body to locate the Logout Request Parameter you set.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Logout Introspect Enabled.

Specifies parameters in the HTTP request that indicate logout events. The key is the web application name. The value is the logout request parameter.

To set a global logout request parameter for applications without other logout request parameters defined, leave the key empty and set the value to the global logout request parameter, logoutparam.

To set a logout request parameter for a specific application, set the key to the name of the application, and the value to the application logout request parameter, such as logoutparam.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Logout Request Parameter.

Specifies request URIs that indicate logout events. The key is the web application name. The value is the application logout URI.

To set a global logout URI for applications without other logout URIs defined, leave the key empty and set the value to the global logout URI, /logout.jsp.

To set a logout URI for a specific application, set the key to the name of the application, and the value to the application logout page.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Application Logout URI.

When enabled, OpenAM uses the priority defined in the OpenAM Logout URL list as the priority for Logout URLs when handling failover.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Logout URL Prioritized.

When enabled, OpenAM checks the availability of OpenAM Logout URLs before redirecting to them.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Logout URL Probe.

Timeout period in milliseconds for OpenAM to determine whether to failover between Logout URLs when Logout URL Probe is enabled. Default: 2000

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Logout URL Probe Timeout.

OpenAM logout page URLs, such as http://openam.example.com:8080/openam/UI/Logout. The user is logged out of the OpenAM session when accessing these URLs.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > OpenAM Logout URL.

When enabled, the agent caches evaluation of the not enforced IP list.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Not Enforced IP Cache Flag.

When caching is enabled, this limits the number of not enforced addresses cached. Default: 1000

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Not Enforced IP Cache Size.

Only enforce the not enforced list of IP addresses. In other words, enforce policy only for those client addresses and patterns specified in the list.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Not Enforced IP Invert List.

No authentication and authorization are required for the requests coming from these client IP addresses.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Not Enforced Client IP List.

Loopback addresses are not considered valid IPs on the Not Enforced IP list. If specified, the policy agent ignores the loopback address.

When enabled, the agent reset the session idle time when granting access to a not enforced URI, prolonging the time before the user must authenticate again.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Refresh Session Idle Time.

When enabled, the agent caches evaluation of the not enforced URI list.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Not Enforced URIs Cache Enabled.

When caching is enabled, this limits the number of not enforced URIs cached.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Not Enforced URIs Cache Size.

Only enforce not enforced list of URIs. In other words, enforce policy only for those URIs and patterns specified in the list.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Invert Not Enforced URIs.

List of URIs for which no authentication is required, and the agent does not protect access. You can use wildcards to define a pattern for a URI.

The * wildcard matches all characters except question mark (?), cannot be escaped, and spans multiple levels in a URI. Multiple forward slashes do not match a single forward slash, so * matches mult/iple/dirs, yet mult/*/dirs does not match mult/dirs.

The -*- wildcard matches all characters except forward slash (/) or question mark (?), and cannot be escaped. As it does not match /, -*- does not span multiple levels in a URI.

OpenAM does not let you mix * and -*- in the same URI.

Examples include /logout.html, /images/*, /css/-*-, and /*.jsp?locale=*.

Trailing forward slashes are not recognized as part of a resource name. Therefore /images// and /images are equivalent.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Not Enforced URIs.

When enabled, the remote policy client is configured to use HTTP-Redirect instead of HTTP-POST for composite advice.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Policy Client Service.

Specifies the list of HTTP GET request parameters whose names and values the agents sets in the environment map for URL policy evaluation by the OpenAM server.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > URL Policy Env GET Parameters.

Specifies the list of HTTP session attributes whose names and values the agents sets in the environment map for URL policy evaluation by the OpenAM server.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > URL Policy Env jsession Parameters.

Specifies the list of HTTP POST request parameters whose names and values the agents sets in the environment map for URL policy evaluation by the OpenAM server.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > URL Policy Env POST Parameters.

When enabled, activate port checking, correcting requests on the wrong port.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Miscellaneous > Port Check Enable.

Specifies the name of the file containing the content to handle requests on the wrong port when port checking is enabled.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Miscellaneous > Port Check File.

Specifies which ports correspond to which protocols. The agent uses the map when handling requests with invalid port numbers during port checking.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Miscellaneous > Port Check Setting.

POST data storage lifetime in milliseconds. Default: 300000.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Post Data Preservation.

Specifies a list of application-specific URIs if the referenced Post Data Preservation entry cannot be found in the local cache because it has exceeded its POST entry TTL. Either the agent redirects to a URI in this list, or it shows an HTTP 403 Forbidden error.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Post Data Preservation.

Enables HTTP POST data preservation, storing POST data before redirecting the browser to the login screen, and then autosubmitting the same POST after successful authentication to the original URL.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Post Data Preservation.

Specifies whether to create a cookie, or to append a query string to the URL to assist with sticky load balancing.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Post Data Preservation.

Specifies the key-value pair for stickysession mode. For example, a setting of lb=myserver either sets an lb cookie with myserver value, or adds lb=myserver to the URL query string.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Post Data Preservation.

When enabled, lets you use Privileged Attribute Mapping.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Enable Privileged Attribute Mapping.

Maps OpenAM UUIDs to principal names specified in your web application's deployment descriptor, such as com.sun.identity.agents.config.privileged.attribute.mapping [id\=manager,ou\=group,o\=openam] = am_manager_role or com.sun.identity.agents.config.privileged.attribute.mapping [id\=employee,ou\=group,o\=openam] = am_employee_role

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > 0Privileged Attribute Mapping.

Specifies how privileged attribute types should be converted to lower case.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Privileged Attributes To Lower Case.

Specifies the list of privileged attribute types fetched for each user.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Privileged Attribute Type.

Specifies the list of session property names, such as UserToken which hold privileged attributes for authenticated users.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Privileged Session Attribute.

When set to HTTP_COOKIE or HTTP_HEADER, profile attributes are introduced into the cookie or the headers, respectively.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Profile Attribute Fetch Mode.

Maps the profile attributes to HTTP headers for the currently authenticated user. Map Keys are LDAP attribute names, and Map Values are HTTP header names.

To populate the value of profile attribute CN under CUSTOM-Common-Name: enter CN in the Map Key field, and enter CUSTOM-Common-Name in the Corresponding Map Value field. This corresponds to com.sun.identity.agents.config.profile.attribute.mapping[cn]=CUSTOM-Common-Name.

In most cases, in a destination application where an HTTP header name shows up as a request header, it is prefixed by HTTP_, lower case letters become upper case, and hyphens (-) become underscores (_). For example, common-name becomes HTTP_COMMON_NAME.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Profile Attribute Mapping.

When set to a value other than zero, this defines the maximum number of redirects allowed for a single browser session, after which the agent blocks the request.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > Redirect Attempt Limit.

Property used only when CDSSO is enabled. Only change the default value, goto when the login URL has a landing page specified such as, com.sun.identity.agents.config.cdsso.cdcservlet.url = http://openam.example.com:8080/openam/cdcservlet?goto= http://www.example.com/landing.jsp. The agent uses this parameter to append the original request URL to this cdcserlet URL. The landing page consumes this parameter to redirect to the original URL.

As an example, if you set this value to goto2, then the complete URL sent for authentication is http://openam.example.com:8080/openam/cdcservlet?goto= http://www.example.com/landing.jsp?goto2=http://www.example.com/original.jsp.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Miscellaneous > Goto Parameter Name.

Name of file stored on OpenAM server that contains agent audit messages if log location is remote or all.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > Remote Log Filename.

Whether the agent's configuration is managed centrally through OpenAM (centralized) or locally in the policy agent configuration file (local).

Default: centralized

When set to HTTP_COOKIE or HTTP_HEADER, response attributes are introduced into the cookie or the headers, respectively. When set to REQUEST_ATTRIBUTE, response attributes are part of the HTTP response.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Response Attribute Fetch Mode.

Maps the policy response attributes to HTTP headers for the currently authenticated user. The response attribute is the attribute in the policy response to be fetched.

To populate the value of response attribute uid under CUSTOM-User-Name: enter uid in the Map Key field, and enter CUSTOM-User-Name in the Corresponding Map Value field. This corresponds to com.sun.identity.agents.config.response.attribute.mapping[uid]=Custom-User-Name.

In most cases, in a destination application where an HTTP header name shows up as a request header, it is prefixed by HTTP_, lower case letters become upper case, and hyphens (-) become underscores (_). For example, response-attr-one becomes HTTP_RESPONSE_ATTR_ONE.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Response Attribute Map.

Specifies the custom headers the agent sets for the client. The key is the header name. The value is the header value.

For example, com.sun.identity.agents.config.response.header[Cache-Control]=no-cache.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > Custom Response Header.

When set to HTTP_COOKIE or HTTP_HEADER, session attributes are introduced into the cookie or the headers, respectively. When set to REQUEST_ATTRIBUTE, session attributes are part of the HTTP response.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Session Attribute Fetch Mode.

Maps session attributes to HTTP headers for the currently authenticated user. The session attribute is the attribute in the session to be fetched.

To populate the value of session attribute UserToken under CUSTOM-userid: enter UserToken in the Map Key field, and enter CUSTOM-userid in the Corresponding Map Value field. This corresponds to com.sun.identity.agents.config.session.attribute.mapping[UserToken]=CUSTOM-userid.

In most cases, in a destination application where an HTTP header name shows up as a request header, it is prefixed by HTTP_, lower case letters become upper case, and hyphens (-) become underscores (_). For example, success-url becomes HTTP_SUCCESS_URL.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Session Attribute Map.

Specifies the data store attribute that contains the user ID.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > User Attribute Name.

Specifies the mechanism used to determine the user ID.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > User Mapping Mode.

When enabled, OpenAM uses both the principal user name and also the user ID for authentication.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > User Principal Flag.

Specifies the session property name for the authenticated user's ID. Default: UserToken.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > User Token Name.

Specifies custom verification classes to validate user credentials with the local user repository. The key is the web application name and the value is the validation handler class name.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Application > Custom Verification Handler.

Specifies an implementation class of interface com.sun.identity.agents.filter.IWebServiceAuthenticator that can be used to authenticate web-service requests.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Web Service Authenticator.

Specifies a file the agent uses to generate an authorization error fault for the client application.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Web Service Authorization Error Content File.

Enable web service processing.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Web Service Enable.

Specifies a list of web application end points that represent web services.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Web Service End Points.

Specifies a file the agent uses to generate an internal error fault for the client application.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Web Service Internal Error Content File.

When enabled, the agent processes HTTP GET requests for web service endpoints.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Web Service Process GET Enable.

Specifies a class implementing com.sun.identity.agents.filter.IWebServiceResponseProcessor, used to process web service reponses.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Web Service Response Processor.

Specifies strings that, when found in the request, cause the agent to redirect the client to an error page.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Cross Site Scripting Detection.

Maps applications to URIs of customized pages to which to redirect clients upon detection of XSS code elements.

For example, to redirect clients of MyApp to /myapp/error.html, use MyApp as the key and /myapp/error.html as the corresponding value.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Advanced > Cross Site Scripting Detection.

When enabled, OpenAM sends notification about changes to policy.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Enable Policy Notifications.

Specifies the time in minutes after which the policy cache is refreshed. Default: 3

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Policy Client Polling Interval.

URL used by agent to register notification listeners.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > Global > Agent Notification URL.

When enabled, receive notification from OpenAM to update user management data caches.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Enable Notification of User Data Caches.

Specifies the values, such as allow and deny, that are associated with boolean policy decisions.

Default: iPlanetAMWebAgentService|GET|allow|deny:iPlanetAMWebAgentService|POST|allow|deny

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Policy Client Boolean Action Values.

Set to cache mode subtree when only a small number of policy rules are defined. For large numbers of policy rules, set to self.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Policy Client Cache Mode.

Time in seconds used adjust time difference between agent system and OpenAM. Clock skew in seconds = AgentTime - OpenAMServerTime.

Default: 10.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Policy Client Clock Skew.

Specifies the comparators used for service names in policy.

Default: serviceType=iPlanetAMWebAgentService| class=com.sun.identity.policy.plugins.HttpURLResourceName|wildcard=*| delimiter=/|caseSensitive=false

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Policy Client Resource Comparators.

If notifications are not enabled and set to a value other than zero, specifies the time in minutes after which the agent polls to update cached service configuration data. Default: 1

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Service Data Cache Time.

When enabled, receive notification from OpenAM to update service configuration data caches.

For centralized configurations this property is configured under Access Control > Realm Name > Agents > J2EE > Agent Name > OpenAM Services > Enable Notification of Service Data Caches.