■ com.sun.identity.federation.alliance.cache.enabled
Default value is true. If true, federation metadata will be cached internally.
■ com.sun.identity.federation.fedCookieName
Default value is fedCookie. Specifies the name of the Federation Services cookie.
■ com.sun.identity.federation.proxyfinder
Default value is com.sun.identity.federation.services.FSIDPProxyImpl. Defines the implementation used to find a preferred identity provider to be proxied.
■ com.sun.identity.federation.services.signingOn
Default value is false. Specifies the level of signature verification for Liberty requests and responses.
true: Liberty requests and responses are signed when sent, and the signatures on received Liberty requests and responses are verified.
false: Liberty requests and responses that are sent and received are not verified for signature.
optional: Liberty requests and responses are signed or verified only if required by the Federation profiles.
■ com.sun.identity.password.deploymentDescriptor
Value is set during installation. Example: /ampassword
■ com.sun.identity.policy.Policy.policy_evaluation_weights
Default value is 10:10:10. Indicates the proportional processing cost of evaluating a policy subject, rule, and condition; these costs influence the order in which the subject, rule, and condition of a policy are evaluated. The value is three integers, representing a subject, a rule, and a condition respectively, delimited by a colon (:).
■ com.sun.identity.session.application.maxCacheTime
Default value is 3. Specifies the maximum caching time, in minutes, for Application Sessions. By default, the cache does not expire unless this property is enabled.
■ com.sun.identity.sm.ldap.enableProxy
The default is false. This flag reports to Service Management that the Directory Proxy must be used for read, write, and/or modify operations to the Directory Server. It also determines whether ACIs or delegation privileges are used.
This flag must be set to "true" when the Access Manager SDK (version 7 or 7.1) is communicating with Access Manager version 6.3; for example, in co-existence/legacy mode this value should be "true". The legacy DIT did not support delegation policies, only ACIs, so to ensure a proper delegation check, this flag must be set to "true" in a legacy mode installation to make use of the ACIs for access control. Otherwise the delegation check will fail.
In realm mode, this value should be set to false so that only the delegation policies are used for access control. In version 7.0 and later, Access Manager supports the data-agnostic feature in realm mode installations, so in addition to Directory Server, other servers may be used to store service configuration data.
Additionally, this flag reports to the Service Management feature that the Directory Proxy does not need to be used for read, write, and/or modify operations to the backend storage, because some data stores, like Active Directory, may not support proxying.
■ com.sun.identity.webcontainer
Value is set during installation. Example: WEB_CONTAINER
Specifies the name of the web container. Although the servlets and JSPs are not web container dependent, Access Manager uses the servlet 2.3 API request.setCharacterEncoding() to correctly decode incoming non-English characters. This API does not work if Access Manager is deployed on Sun Java System Web Server 6.1; Access Manager instead uses the gx_charset mechanism to correctly decode incoming data on Sun Java System Web Server 6.1 and S1AS7.0. Possible values: BEA6.1, BEA 8.1, IBM5.1 or IAS7.0. If the web container is Sun Java System Web Server, the tag is not replaced.
JSS Proxy
These properties identify the value for SSLApprovalCallback. If the checkSubjectAltName or resolveIPAddress feature is enabled, you must create cert7.db and key3.db with the prefix value of com.iplanet.am.admin.cli.certdb.prefix in the com.iplanet.am.admin.cli.certdb.dir directory. Then restart Access Manager.
■ com.iplanet.am.jssproxy.checkSubjectAltName
Default value is false. When enabled and a server certificate includes the Subject Alternative Name (SubjectAltName) extension, Access Manager checks all name entries in the extension. If one of the names in the SubjectAltName extension is the same as the server FQDN, Access Manager continues the SSL handshake. To enable this property, set it to a comma-separated list of trusted FQDNs. For example:
com.iplanet.am.jssproxy.checkSubjectAltName=amserv1.example.com,amserv2.example.com
■ com.iplanet.am.jssproxy.resolveIPAddress
Default value is false. If enabled (true), Access Manager ignores all certificate-related issues, such as a name conflict, and continues the SSL handshake. To prevent a possible security risk, enable this property only for testing purposes, or when the enterprise network is tightly controlled. Avoid enabling this property if a security risk might occur (for example, if a server connects to a server in a different network).
■ com.iplanet.am.jssproxy.SSLTrustHostList
If set, Access Manager checks each server FQDN in the list against the server host in the certificate CN. If one of the FQDNs in the list matches the server certificate CN, Access Manager continues the SSL handshake even if there is an "Incorrect Domain name" error. Use the following syntax to set the property:
com.iplanet.am.jssproxy.SSLTrustHostList=fqdn_am_server1,fqdn_am_server2,fqdn_am_server3
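The approval decision that the three JSS proxy properties above describe (checkSubjectAltName, resolveIPAddress, SSLTrustHostList), modelled in Python as an added example. This is not Access Manager or JSS code: the dict-based property lookup, the plain-string certificate names and the ordering of the checks are assumptions made for illustration.

```python
"""Model of the SSLApprovalCallback decision described above for the
com.iplanet.am.jssproxy.* properties.  Added example, not Access Manager
or JSS code: certificate names arrive as plain strings (no cert7.db/key3.db),
the property file is a dict, and the order of the checks is an assumption."""
from typing import Dict, List, Sequence, Tuple

P = "com.iplanet.am.jssproxy."

def fqdn_list(value: str) -> List[str]:
    """A list property is enabled when set to comma-separated FQDNs;
    'false' (the default) or an empty string disables it."""
    if not value or value.strip().lower() == "false":
        return []
    return [h.strip().lower() for h in value.split(",") if h.strip()]

def approve(props: Dict[str, str], server_fqdn: str, cert_cn: str,
            cert_san: Sequence[str] = (), other_issues: Sequence[str] = ()) -> Tuple[bool, str]:
    """Return (continue_handshake, reason) for one server certificate.
    other_issues lists validity problems besides the name check (constructed,
    e.g. "expired"); only resolveIPAddress=true makes the callback ignore them."""
    fqdn, cn = server_fqdn.lower(), cert_cn.lower()
    # resolveIPAddress=true ignores every certificate-related issue, name
    # conflicts included: the setting the text says to keep off outside test networks.
    if props.get(P + "resolveIPAddress", "false").strip().lower() == "true":
        return True, "resolveIPAddress: all certificate checks bypassed"
    if other_issues:
        return False, "certificate invalid: " + ", ".join(other_issues)
    if cn == fqdn:  # default check: server FQDN against the certificate CN
        return True, "CN matches server FQDN"
    # checkSubjectAltName: for servers named in the list, any SubjectAltName
    # entry equal to the server FQDN is accepted (assumed reading of the text).
    if fqdn in fqdn_list(props.get(P + "checkSubjectAltName", "false")):
        if any(name.lower() == fqdn for name in cert_san):
            return True, "SubjectAltName entry matches server FQDN"
    # SSLTrustHostList: a CN listed as trusted overrides the
    # "Incorrect Domain name" error.
    if cn in fqdn_list(props.get(P + "SSLTrustHostList", "")):
        return True, "certificate CN is in SSLTrustHostList"
    return False, "Incorrect Domain name: CN %r is not %r" % (cert_cn, server_fqdn)

# Constructed property sets: the defaults, and the example values quoted above.
DEFAULTS = {P + "checkSubjectAltName": "false", P + "resolveIPAddress": "false"}
SAN_ENABLED = {**DEFAULTS, P + "checkSubjectAltName": "amserv1.example.com,amserv2.example.com"}
TRUST_LIST = {**DEFAULTS, P + "SSLTrustHostList": "amserv3.example.com"}
PERMISSIVE = {**DEFAULTS, P + "resolveIPAddress": "true"}
```

With PERMISSIVE even an expired certificate for an unrelated host is accepted, which is the risk the resolveIPAddress description warns about; with DEFAULTS only an exact CN match passes.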
■ com.sun.identity.jss.donotInstallAtHighestPriority
Default value is false. Determines whether JSS is added to JCE with the highest priority. Set to true if other JCE providers should be used for digital signatures and encryption.