Configuration Reference

This table lets you configure the order of supported character sets used for each supported locale. Change the settings only if the defaults are not appropriate.

Use this list to map between different character set names used in Java and in MIME.

Use this list to configure how OpenAM formats names shown in the console banner.

If no specific match is found for the client type, then this type is used. The default is genericHTML, suitable for supported browsers.

The client detection plugin must implement the com.iplanet.services.cdm.ClientDetectionInterface. Client type is a name that uniquely identifies the client to OpenAM. The plugin scans HTTP requests to determine the client type.

If this is enabled, then OpenAM needs an appropriate client detection class implementation, and the authentication user interface must be appropriate for the clients detected.

Enable log rotation to cause new log files to be created when configured thresholds are reached, such as Maximum Log Size or Logfile Rotation Interval.

Sets the maximum log file size in bytes.

Sets the number of history files for each log that OpenAM keeps, including time-based histories. The previously live file is moved and is included in the history count, and a new log is created to serve as the live log file. Any log file in the history count that goes over the number specified here will be deleted. For time-based logs, a new set of logs will be created when OpenAM is started because of the time-based file names that are used.

Set this if you want to add a prefix to log files governed by time-based log rotation.

Specify a string to append to log file names when time-based rotation is enabled by using the Logfile Rotation Interval setting.

Specify the amount of time before log file rotation occurs, in minutes. Set to -1 (the default) to disable time-based logfile rotation and revert to sized-based rotation.

This property is interpreted to determine the location of log files, taking either a file system location or a JDBC URL. The default is %BASE_DIR%/%SERVER_URI%/log/.

Set this to INACTIVE to disable the logging system.

Enable this to have OpenAM perform a DNS host lookup to populate the host name field for log records. OpenAM requires DNS on the host where it runs. Enabling this feature increases the load on the logging system.

Set this to DB to log to a database, or Syslog to log to a syslog server. Default: File. If you choose DB then be sure to set the connection attributes correctly, including the JDBC driver to use.

When logging to a database, set this to the user name used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.

When logging to a database, set this to the password used to connect to the database. If this attribute is incorrectly set, OpenAM performance suffers.

When logging to a database, set this to the class name of the JDBC driver used to connect to the database. The default is for Oracle. OpenAM also works with the MySQL database driver.

The URL or IP address of the syslog server, for example http://mysyslog.example.com, or localhost.

The port number the syslog server is configured to listen to. Often 514.

The protocol to use to connect to the syslog server. Either UDP or TCP.

Syslog uses the facility level to determine the type of program that is logging the message. Often between local0 and local7.

The amount of time to wait when attempting to connect to the syslog server before reporting a failure, in seconds.

Select the fields OpenAM includes in log messages using this attribute. By default all fields are included in log messages.

When secure logging is enabled, set this to how often OpenAM verifies log file content (in seconds).

When secure logging is enabled, set this to how often OpenAM signs log file content (in seconds).

Set this to ON to enable the secure logging system whereby OpenAM digitally signs and verifies log files. You must also set up the Logging Certificate Store for this feature to function.

Set this to the algorithm used for digitally signing log records.

The secure logging system uses the certificate with alias Logger that it finds in the keystore specified by this path. The default is %BASE_DIR%/%SERVER_URI%/Logger.jks.

Set this to the maximum number of records read from the logs through the Logging API.

Set this to the number of files to be archived by the secure logging system.

The number of log messages buffered in memory before OpenAM flushes them to the log file or the database.

Set this to the maximum number of log records to hold in memory if the database to which records are logged is unavailable. If the value is less than Buffer Size, that value takes precedence.

Set the time in seconds that OpenAM buffers log messages in memory before flushing the buffer when Time Buffering is ON. The default is 60 seconds.

Set this to OFF to cause OpenAM to write each log message separately rather than the default of holding messages in a memory buffer that OpenAM flushes periodically, as specified using the Buffer Time attribute.

Set the log level for OpenAM. OFF is equivalent to setting the status to INACTIVE.

Enable monitoring using this attribute.

Set the port number for the HTML monitoring interface.

Enable the HTML monitoring interface using this attribute.

Set this to path to indicate the file indicating the user name and password used to protect access to monitoring information. The default user name password combination is demo and changeit. You can encode a new password using the ampassword(1)command.

Set the port number for the JMX monitoring interface.

Enable the JMX monitoring interface using this attribute.

Set the port number for the SNMP monitoring interface.

Enable the SNMP monitoring interface using this attribute.

Maximum number of policy evaluations on which to base the data exposed through the monitoring system

Maximum number of session operations on which to base the data exposed through the monitoring system

Set the endpoint used by the profile service.

Set the endpoint used by the session service.

Set the endpoint used by the logging service.

Set the endpoint used by the policy service.

Set the endpoint used by the authentication service.

Set the SAML v1 endpoint.

Set the endpoint used by the SAML v1 SOAP service.

Set the SAML v1 Web Profile endpoint.

Set the endpoint used by the SAML v1 assertion service.

Set the endpoint used by the ID-FF assertion manager service.

Set the STS endpoint.

Set the JAXRPC endpoint used by remote IDM/SMS APIs.

Set the endpoint for Identity WSDL services.

Set the endpoint used for Identity REST services.

Set the STS endpoint.

Set the STS MEX endpoint.

Set the fallback locale used when the user locale cannot be determined.

Set the list of domains into which OpenAM writes cookies.

Enables audit logging.

Enables filtering of audit events, which will exclude any fields specified from the logs.

Enables the CSV audit log handler.

Specifies the topics for the CSV handler.

Specifies the location of the CSV audit log.

Enables the audit log rotation.

Specifies the maximum file size (bytes) until log rotation should occur.

Specifies the prefix to prepend to audit filenames when rotating the audit files.

Specifies the suffix to append to audit filenames when rotating the audit files. The suffix should be a timestamp format.

Specifies the interval to trigger audit file rotations. A negative or zero value disables this feature.

Specifies a time duration after midnight to trigger file rotation, in seconds. For example, you can provide a value of 3600 to trigger rotation at 1:00 AM.

Specifies a maximum number of allowed backup audit files. A value of -1 disables pruning of old audit files.

Specifies the maximum amount of disk space the audit files can occupy. OpenAM does not check the amount of disk space audit log files occupy if yo specify a negative number or zero.

Specifies the minimum amount of disk space required on the filesystem where audit files are stored. A negative or zero value disables this policy.

Enables log buffering.

Enables automatic flushing of the buffer after each event.

Enables tamper evident logging.

Specifies the location of the Java keystore used for tamper proofing.

Specifies the Java keystore password.

Specifies the time interval in seconds that a digital signature should be inserted into the audit log entry.

Specifies the class name of the factory responsible for creating the Audit Event Handler. The class must implement the org.forgerock.openam.audit.AuditEventHandlerFactory interface.

Enables the syslog audit log handler.

Specifies the topics for the syslog handler.

Specifies the syslog server hostname.

Specifies the syslog server port.

Specifies the syslog transport protocol.

Specifies the connection timeout (seconds) to the syslog server.

Specifies the syslog facility value to apply to all events.

Enables log buffering.

Specifies the class name of the factory responsible for creating the Audit Event Handler. The class must implement the org.forgerock.openam.audit.AuditEventHandlerFactory interface.

Enables the JDBC audit log handler.

Specifies the topics for the JDBC handler.

Specifies the database type for the JDBC handler.

Specifies the database URL.

Specifies the JDBC driver class name.

Specifies the username to access the database server.

Specifies the password to access the database server.

Specifies the maximum wait time in seconds before failing the connection. attempt.

Specifies the maximum idle time in seconds before the connection is closed. attempt.

Specifies the maximum time in seconds a JDBC connection can be open. attempt.

Specifies the minimum number of idle connections in the connection pool.

Specifies the maximum number of connections in the connection pool.

Specifies if the database connection should be in autocommit mode.

Specifies the authentication event table.

Specifies the authentication event columns.

Specifies the activity event table.

Specifies the activity event columns.

Specifies the access event table.

Specifies the access event columns.

Specifies the config event table.

Specifies the access event columns.

Enables log buffering.

Specifies the size of the buffer queue.

Specifies the interval (seconds) at which buffered events are written to the database.

Specifies the number of threads used to write the buffered events.

Specifies the maximum number of batched statements the database can support per connection.

Specifies the class name of the factory responsible for creating the Audit Event Handler. The class must implement the org.forgerock.openam.audit.AuditEventHandlerFactory interface.

Enables the Elasticsearch audit log handler.

Specifies the topics for the Elasticsearch handler.

Host name or IP address of the Elasticsearch server.

Specifies the port number used to access Elasticsearch’s REST API.

Specifies whether SSL is configured on the Elasticsearch server.

Specifies the name of the Elasticsearch index to be used for OpenAM audit logging.

Specifies the username to access the Elasticsearch server. Required if Elasticsearch Shield authentication is configured.

Specifies the password to access the Elasticsearch server. Required if Elasticsearch Shield authentication is configured.

Enables log buffering.

Specifies the number of audit log events to hold in the buffer before writing them to Elasticsearch.

Specifies the maximum number of audit events in the buffer. Additional audit events are dropped.

Specifies the interval (milliseconds) at which buffered events are written to the database.

Specifies the class name of the factory responsible for creating the Audit Event Handler. The class must implement the org.forgerock.openam.audit.AuditEventHandlerFactory interface.

Enables the JMS audit log handler.

Specifies the topics ^[1] for the JMS audit log handler.

Specifies whether JMS messages used to transmit audit events use persistent or non-persistent delivery.

Specifies the JMS session acknowledgement mode: auto mode, duplicates OK mode, or client mode:

Specifies JNDI properties that OpenAM uses to connect to the JMS message broker to which OpenAM will publish audit events.

Specifies the name of the JMS topic^[1] to which OpenAM publishes audit events.

Specifies the JNDI lookup name for the connection factory exposed by your JMS message broker. OpenAM performs a JNDI lookup on this name to locate your broker’s connection factory.

Enables batch delivery of audit events.

Specifies the maximum number of audit events in the batch queue. When this number is exceeded, additional audit events are dropped.

Specifies the maximum number of audit events transmitted before a batch acknowledgement is received from JMS.

Specifies the number of concurrent worker threads that OpenAM uses to pull audit events from the batch queue and transmit them to the JMS message broker.

Specifies the timeout period (seconds) for queued events to be transmitted to the JMS message broker.

Specifies the period (seconds) that worker threads wait for new audit events before becoming idle.

Specifies the period (seconds) that worker threads wait for new audit events before shutting down.

Specifies the class name of the factory responsible for creating the Audit Event Handler. The class must implement the org.forgerock.openam.audit.AuditEventHandlerFactory interface.

Used by the Federation system to access user profile attributes

Used by the Federation system to access service configuration

Used by the Federation system to record log messages

Used by the Federation system to access the session service

Maximum number of bytes for Federation communications

Used by the Federation system to decode passwords encoded by OpenAM

Used by the Federation system digitally to sign SAML documents

Used by the Federation system to access the Java keystore

If enabled, OpenAM checks that the partner’s signing certificate presented in the XML matches the certificate from the partner’s metadata

Algorithm used to render the canonical versions of XML documents

Algorithm used to sign XML documents

Digest algorithm used to sign XML documents

Default signature algorithm used with RSA keys

Default signature algorithm used with DSA keys

Default signature algorithm used with EC keys

Algorithm used for XML transformations

OpenAM redirects users here when an error occurs in the SAML2 engine. Users are redirected to absolute URLs, whereas relative URLs are displayed within the request.

Set this either to HTTP-Redirect or to HTTP-POST.

Used by the Federation system to access the monitoring system

Used by the SAMLv1 engine to access the monitoring system

Used by the SAML2 engine to access the monitoring system

Used by the ID-FF engine to access the monitoring system

Identifies how to access the application, for example SAML2ApplicationClass for a SAML v2.0 application

The application name as it will appear to the administrator for configuring the dashboard

The application name that displays on the dashboard client

The icon name that will be displayed on the dashboard client identifying the application

The URL that takes the user to the application

List of application dashboard names available by default for realms with the Dashboard configured

Specifies the class that sends email notifications, such as those sent for user registration and forgotten passwords.

Specifies the fully qualified domain name of the SMTP mail server through which to send email notifications.

Specifies the port number for the SMTP mail server.

Specifies the user name for the SMTP mail server.

Specifies the password for the SMTP user name.

Specifies whether to connect to the SMTP mail server using SSL.

Specifies the address from which to send email notifications.

Specifies the profile attribute from which to retrieve the end user’s email address.

Specifies a subject for notification messages. If you do not set this OpenAM does not set the subject for notification messages.

Specifies content for notification messages. If you do not set this OpenAM includes only the confirmation URL in the mail body.

Attribute for storing ForgeRock Authenticator OATH profiles. The default attribute, oathDeviceProfiles, is added to the user store during OpenAM installation. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying two-step verification with a ForgeRock OATH authenticator app in OpenAM. OpenAM must be able to write to the attribute.

Encryption scheme for securing device profiles stored on the server. You can choose not to encrypt the device profiles, or to use one of the following encryption schemes:

Path to the keystore from which to load encryption keys.

Type of encryption keystore. Options include JCEKS, JKS, PKCS#11, and PKCS#12. Default: JKS

Password to unlock the keystore. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value, changeit.

Alias of the certificate and private key in the keystore. The private key is used to encrypt and decrypt device profiles.

Password to unlock the private key.

The data store attribute that holds the user’s decision to enable or disable obtaining a providing a password obtained from a ForgeRock OATH authenticator app. This attribute must be writeable. The default attribute is oath2faEnabled.

Attribute for storing ForgeRock Authenticator Push device profiles. The default attribute, pushDeviceProfiles, is added to the schema when you prepare a user store for use with OpenAM. If you want to use a different attribute, you must make sure to add it to your user store schema prior to deploying push notifications with the ForgeRock Authenticator app in OpenAM. OpenAM must be able to write to the attribute.

Encryption scheme for securing device profiles stored on the server. You can choose not to encrypt the device profiles, or to use one of the following encryption schemes:

Path to the keystore from which to load encryption keys.

Type of encryption keystore. Options include JCEKS, JKS, PKCS#11, and PKCS#12.

Password to unlock the keystore. This password is encrypted when it is saved in the OpenAM configuration. You should modify the default value, changeit.

Alias of the certificate and private key in the keystore. The private key is used to encrypt and decrypt device profiles.

Password to unlock the private key.

If enabled, new users can sign up using a REST API client.

Maximum life time for the token allowing user self-registration using the REST API.

This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.

If enabled, users can assign themselves a new password using a REST API client.

Maximum life time for the token that allows a user to process a forgotten password using the REST API.

This page handles the HTTP GET request when the user clicks the link sent by email in the confirmation request.

A list of user profile attributes. Users modifying any of the attributes in this list will be required to enter a password as confirmation before the change is accepted.

Cookie name for Liberty ID-FF

Used by the ID-FF engine to find the IDP proxy

Seconds between times OpenAM cleans up the request cache

Seconds cached requests remain valid

Login URL for the ID-FF IDP

If yes, require XML signing.

List of logout handlers used for each different federation protocol.

Number of blacklisted tokesn to cache in memory to speed up blacklist checks and reduce the CST load.

Length of time in seconds to poll for token blacklist changes from other servers.

Length of time in minutes to blacklist tokens beyond their expiry time.

When enabled, OpenAM issues access and refresh tokens that can be inspected by resource servers.

Lifetime of OAuth 2.0 authorization code in seconds.

Lifetime of OAuth 2.0 refresh token in seconds.

Lifetime of OAuth 2.0 access token in seconds.

Whether to issue a refresh token when returning an access token.

Whether to issue a refresh token when refreshing an access token.

Custom URL for handling login, to override the default OpenAM login page.

Name of class on OpenAM classpath implementing scopes.

The script that is run when issuing an ID token or making a request to the userinfo endpoint duing OpenID requests.

List of plugins that handle the valid response_type values. OAuth 2.0 clients pass response types as parameters to the OAuth 2.0 Authorization endpoint (/oauth2/authorize) to indicate which grant type is requested from the provider. For example, the client passes code when requesting an authorization code, and token when requesting an access token.

Names of profile attributes that resource owners use to log in. The default is uid, and you can add others, such as mail.

Name of a multi-valued attribute on resource owner profiles where OpenAM can save authorization consent decisions. When the resource owner chooses to save the decision to authorize access for a client application, then OpenAM updates the resource owner’s profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.

The profile attribute that contains the name to be displayed for the user on the consent page.

The set of supported scopes, with translations.

The remote URL where the OpenID Connect provider’s JSON Web Key can be retrieved.

Set of OpenID Connect subject types supported. Valid values are as follows:

Algorithms supported to sign OpenID Connect id_tokens.

Algorithms supported to encrypt OpenID Connect id_tokens to hide its contents.

Encryption methods supported to encrypt OpenID Connect id_tokens to hide its contents.

Set of claims supported by the OpenID Connect /oauth2/userinfo endpoint.

Time in seconds that a JWT is valid.

Algorithm used to sign stateless OAuth2 tokens to detect tampering.

Base-64-encoded key used by HS256, HS384, and HS512.

Alias of key in OpenAM’s keystore that is used to sign ID Tokens.

List of public/private key pairs used for the elliptic curve algorithms (ES256/ES384/ES512)

Allow clients to register without an access token.

Whether to generate Registration Access Tokens for clients that register via open dynamic client registration.

Map of Mobile Connect levels of assurance, sent as acr_values in the authorization request, to OpenAM authentication chains provide those levels of assurance.

The acr claim value to return in the ID Token when falling back to the default authentication chain.

Map of the amr values to return in the ID Token after successfully authenticating with specified authentication modules.

The identity Data Store attributes used to return updated_at values in the ID Token.

Set of scopes a client will be granted if they request dynamic registration without requesting specific scopes.

Enable requests for individual claims by using query parameters, as described in the OpenID Connect specification.

Used in the salting of hashes for returning specific sub claims to individuals that are using the same request_uri or sector_identifier_uri.

If enabled, include scope-derived claims in the id_token, even if an access token is also returned that could provide access to get the claims from the userInfo endpoint.

If enabled, requests using the authorization code grant require a code_challenge attribute.

The URL that users must visit to complete login and consent when using the OAuth 2.0 device flow.

The URL that users are redirected to upon completion of login and consent when using the OAuth 2.0 device flow.

Lifetime of OAuth 2.0 device codes in seconds.

The minimum number of seconds devices should pause for between polling for authorization tokens when using the OAuth 2.0 device flow.

When enabled, OpenAM stores the operation tokens corresponding to OIDC sessions in CTS. Note that session management-related endpoints will not work when this setting is enabled.

When enabled, clients may be configured so that the resource owner will not be asked for consent during authorization flows.

If enabled, the /oauth2/idtokeninfo endpoint requires client authentication if the signature algorithm is HS256/HS384/HS512.

If enabled, authentication module failure messages are used to create Resource Owner Password Credentials Grant failure messages. If disabled, a standard authentication failed message is used.

OpenAM uses this LDAP attribute and the value entered by the user to look up the user profile in the data store.

This list corresponds to property values held in the file amPasswordReset.properties inside openam-core-13.5.2.jar, which you can find under WEB-INF/lib/ where OpenAM is installed.

favourite-restaurant=What is your favorite restaurant?

favourite-restaurant=Quel est votre restaurant préféré?

An additional LDAP search filter you specify here is &-ed with the filter constructed for user validation to find the user entry in the data store.

If you specify no base DN for the search, the search for the user entry starts from the base DN for the realm.

The DN of the user with access to change passwords in the LDAP data store.

The password of the user with access to change passwords in the LDAP data store.

Classname of a plugin that implements the PasswordGenerator interface.

Classname of a plugin that implements the NotifyPassword interface.

Enables the service.

When enabled, allows the user to create custom secret questions.

Maximum number of questions to ask during password reset.

When enabled, the users must change their password next time they log in after OpenAM resetting their password.

When enabled, users only gets the specified number of tries before their account is locked.

If Password Reset Failure Lockout is enabled, this specifies the maximum number of tries to reset a password within the specified interval before the user’s account is locked.

This interval applies when Password Reset Failure Lockout is enabled, and when Password Reset Failure Lockout Count is set. During this interval, user can try to reset their password the specified number of times before being locked out. For example, if this interval is 5 minutes and the count is set to 3, users get 3 tries during a given 5 minute interval to reset their password.

This specifies the administrator address(es) which receive(s) notification on user account lockout. Each address must be a full email address, such as admin@example.com, or admin@host.domain.

If you configure Password Reset Failure Lockout, set this to warn users who are about to use up their count of tries.

If you configure Password Reset Failure Lockout, set this to a number of minutes other than 0, so that lockout is temporary, requiring only that locked-out users wait to try again to reset their password, rather than asking for help from an administrator.

If you configure Password Reset Failure Lockout, then OpenAM sets data store attribute to inactive upon lockout.

If set to inactive, then users who are locked out cannot attempt to reset their password if the Password Reset Failure Lockout Duration is 0.

Identity attribute that holds the user’s email address.

Regular expression used to locate invalid characters in naming attribute.

OpenAM uses resource comparators to match resources specified in policy rules. When setting comparators on the command line, separate fields with | characters.

If no, then OpenAM stops evaluating policy as soon as it reaches a deny decision.

If yes, then OpenAM allows creation of policies for HTTP and HTTPS resources whose FQDN matches the DNS alias for the realm even when no referral policy exists.

Configuration directory server host:port that OpenAM searches for policy information.

Base DN for LDAP Users subject searches.

Base DN for OpenAM Roles searches

Bind DN to connect to the directory server for policy information.

Bind password to connect to the directory server for policy information.

Search filter to match organization entries.

Search filter to match user entries.

Search scope to find user entries.

Search scope to find OpenAM roles entries.

Naming attribute for user entries

Search limit for LDAP searches

Seconds after which OpenAM returns an error for an incomplete search.

If enabled, OpenAM connects securely to the directory server. This requires that you install the directory server certificate.

Minimum number of connections in the pool.

Maximum number of connections in the pool.

Maximum minutes OpenAM caches a subject result for evaluating policy requests. A value of 0 prevents OpenAM from caching subject evaluations for policy decisions.

If enabled, OpenAM can evaluate policy for remote users aliased to local users.

Specifies the interval at which OpenAM sends a heartbeat request to the policy store.

Defines the time unit corresponding to the Heartbeat Interval setting.

Lists advice names for which policy agents redirect users to OpenAM for further authentication and authorization.

Base DN for policy searches.

Search scope to find organization entries.

Search filter to match group entries.

Search scope to find group entries.

Search filter to match nsRole definition entries.

Search scope to find nsRole definition entries.

Naming attribute for organization entries.

Naming attribute for group entries.

Naming attribute for nsRole definition entries.

Lists subjects available for policy definition in realms.

Lists conditions available for policy definition in realms.

Lists response attribute providers available for policy definition.

Lists dynamic response attributes available for policy definition.

The access key ID, for example AKIAIOSFODNN7EXAMPLE, used to access Amazon Simple Notification Service (SNS) endpoints.

The access key secret associated with the access key ID, for example wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, used to access Amazon Simple Notification Service endpoints.

The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages to the Apple Push Notification Service (APNS).

The Simple Notification Service endpoint in Amazon Resource Name format, used to send push messages to the Google Cloud Messaging (GCM) service.

The region of the Amazon Simple Notification Service instance.

The fully-qualified class name of the factory responsible for creating a PushNotificationDelegate. The class must implement the org.forgerock.openam.services.push.PushNotificationDelegate interface.

The minimum lifetime (in seconds) to keep unanswered message records in the message dispatcher cache.

Level of concurrency to use when accessing the message dispatcher cache. Defaults to 16, and must be greater than 0.

Maximum size of the message dispatcher cache, in number of records. If set to 0 the cache can grow indefinitely.

Enables the OpenAM RADIUS server to listen for requests on the listener port and to handle the requests.

UDP port on which the OpenAM RADIUS server listens for incoming requests. Specify a value between 1024 and 65535.

Number of threads to keep in the pool, even if they are idle. When a new incoming request is received by the RADIUS server, a new thread is created to handle the request if fewer than the Thread Pool Core Size threads are running even if other worker threads are idle.

Maximum number of threads allowed in the pool.

Amount of idle time a thread can have before being terminated when there are more threads in the pool than the Thread Pool Core Size.

Number of requests that can be queued for the pool awaiting handling by a pool thread. When the number of pool threads is less than the Thread Pool Max Size and the queue is full, further requests cause new threads to be added until the Thread Pool Max Size is reached. When the number of pool threads is equal to the Thread Pool Max Size and the queue is full, further requests are silently dropped without any response to the client.

IP address of the client.

Shared secret configured in the RADIUS client. The RADIUS protocol hashes users' passwords with the MD5 hashing algorithm using this shared secret.

Whether to log packet contents to the Radius debug log. Enable packet logging only when troubleshooting, because logging increases the debug log file size significantly and slows RADIUS server performance.

Java class that handles incoming Access-Request packets and provides a suitable response. Specify the default value unless you have deployed a custom class that implements the org.forgerock.openam.radius.server.spi.AccessRequestHandler interface.

One or more key value pairs in which the key and the value are separated by the = character. These properties are provided to the handler prior to calls to handle request packets.

The API version to use when the REST request does not specify a desired version. Values are Latest, Oldest, and None.

Whether to include a warning header in the response to a request that fails to include the Accept-API-Version header. Values are Enabled and Disabled.

Seconds between cache cleanup operations.

User entry attribute to store name identifier information.

User entry attribute to store the name identifier key.

Specifies the cookie domain for the IDP discovery service.

Indicates whether to use PERSISTENT or SESSION cookies

Indicates whether to use HTTP or HTTPS.

Used by the SAML2 engine to encrypt and decrypt documents.

ssoadm attribute: EncryptedKeyInKeyInfo

Used by the SAML2 engine to sign documents.

If enabled, then validate certificates used to sign documents.

If enabled, then validate CA certificates.

If enabled, the OpenAM can failover requests to another instance.

The size is specified in bytes.

Private key alias that is used when requesting signed metadata (either using exportmetadata.jsp or ssoadm) to sign the entity’s metadata.

The password used to retrieve the signing key from the keystore.

List of handlers to deal with SAML2 requests bound to SOAP. The key for a request handler is the meta alias, whereas the class indicates the name of the class that implements the handler.

The default script context type when creating a new script.

When session failover is configured, you can set up additional configurations for connecting to the session repository here.

If enabled, OpenAM does not perform DNS lookups when checking restrictions in cookie hijacking mode.

If yes, then OpenAM stores only a limited set of session properties after session timeout and before session purging.

Lists plugin classes implementing session timeout handlers.

Maximum number of results from a session search.

Seconds after which OpenAM sees an incomplete search as having failed.

If on, then OpenAM notifies other applications participating in SSO when a session property in the Notification Properties list changes on a stateful session.

Lists session properties for which OpenAM can send notifications upon modification. Session notification applies to stateful sessions only.

If on, then OpenAM allows you to set constraints on stateful sessions.

Milliseconds after which OpenAM considers a search for live session count as having failed if quota constraints are enabled.

You can either set the next expiring session to be destroyed, DESTROY_NEXT_EXPIRING, the oldest session to be destroyed, DESTROY_OLDEST_SESSION, all previous sessions to be destroyed, DESTROY_OLD_SESSIONS, or deny the new session creation request, DENY_ACCESS.

This attribute takes effect when quota constraints are enabled.

Specifies the algorithm that OpenAM uses to sign a JSON Web Token (JWT) containing a stateless session. Signing the JWT enables tampering detection. Note that OpenAM stores stateless sessions in a JWT that resides in an HTTP cookie.

Specifies the shared secret that OpenAM uses when performing HMAC signing on the stateless session JWT. Specify a shared secret when using a Signing Algorithm Type of HS256, HS384, or HS512.

Specifies the name of a certificate containing a public/private key pair that OpenAM uses when performing RSA signing on the stateless session JWT. Specify a signing certificate alias when using a Signing Algorithm Type of RS256.

Specifies the algorithm that OpenAM uses to encrypt JWTs containing stateless sessions. Encrypting the JWT hides its contents.

Specifies the name of a certificate containing a public/private key pair that OpenAM uses when encrypting a JWT. Specify an encryption certificate alias when using an Encryption Algorithm Type of RSA.

Enables session blacklisting for logged out stateless sessions.

Specifies the size of the cache of logged out stateless sessions. The cache size should be around the number of logouts expected in the maximum session time.

Specifies the interval, in seconds, at which OpenAM polls the Core Token Service for changes to logged out sessions. The longer the polling interval, the more time a malicious user has to connect to other OpenAM servers in a cluster and make use of a stolen session cookie. Shortening the polling interval improves the security for logged out sessions, but might incur a minimal decrease in overall OpenAM performance due to increased network activity.

When added to the maximum session time, specifies the amount of time that OpenAM tracks logged out sessions. Increase the blacklist purge delay if you expect system clock skews in a cluster of OpenAM servers to be greater than one minute. There is no need to increase the blacklist purge delay for servers running a clock synchronization protocol, such as Network Time Protocol.

Maximum minutes a session can remain valid before OpenAM requires the user to authenticate again.

Maximum minutes a stateful session can remain idle before OpenAM requires the user to authenticate again.

Maximum minutes before OpenAM refreshes a session that has been cached.

Maximum number of concurrent stateful sessions OpenAM allows a user to have.

A list of properties that can be set in, or read from, users' sessions.

The maximum life of a Requesting Party Token (RPT) before it expires, in seconds.

The maximum life of a permission ticket before it expires, in seconds.

Delete all user policies that relate to a Resource Server when removing the OAuth2 agent entry or removing the uma_protection scope from the OAuth2 agent.

Delete all resource sets that relate to a Resource Server when removing the OAuth2 agent entry or removing the uma_protection scope from the OAuth2 agent.

Email the Resource Owner if a Pending Request is created by a Requesting Party.

Email the Requesting Party when a Pending Request is allowed by the Resource Owner.

The profile attribute in which to store the user’s preferred Locale.

Allow all users to re-share resource sets that have been shared with them.

Determine if trust elevation is required and claims (such as an OpenID Connection ID token) need to be present in the authorization request. If not, the AAT is sufficient to determine the requesting party of the authorization request.

Time zone for accessing OpenAM console.

Specifies the DN for the initial screen when the OpenAM administrator successfully logs in to the OpenAM console.

Inactive users cannot authenticate, though OpenAM stores their profiles. Default: Active

An encryption key alias in the OpenAM server’s JCEKS^[2] keystore. OpenAM uses the key to encrypt the JWT token that OpenAM uses to track end users during user self-service operations. For more information, see "Configuring the Signing and Encryption Key Aliases" in the Administration Guide.

An signing secret key alias in the OpenAM server’s JCEKS^[2] keystore. OpenAM uses the key to sign the JWT token that OpenAM uses to track end users during user self-service operations. For more information, see "Configuring the Signing and Encryption Key Aliases" in the Administration Guide.

Google reCAPTCHA plugin site key. For more information, see "Configuring the Google reCAPTCHA Plugin" in the Administration Guide.

Google reCAPTCHA plugin secret key. For more information, see "Configuring the Google reCAPTCHA Plugin" in the Administration Guide.

Google reCAPTCHA plugin verification URL. For more information, see "Configuring the Google reCAPTCHA Plugin" in the Administration Guide.

Specifies the default set of knowledge-based authentication (KBA) security questions. The security questions can be set for the user self-registration, forgotten password reset, and forgotten username services, respectively.

Specifies the minimum number of KBA answers that users must define.

Specifies the minimum number of KBA questions that users need to answer to be granted the privilege to carry out an action, such as registering for an account, resetting a password, or retrieving a username.

Specifies the valid query attributes used to search for the user. This is a list of attributes used to identify your account for forgotten password and forgotten username.

If enabled, new users can sign up for an account.

If enabled, users can solve a Google reCAPTCHA puzzle during user self-registration to mitigate against software bots.

If enabled, users who self-register receive email verification.

If enabled, users must set up their security questions during the self-registration process.

Maximum lifetime for the token allowing user self-registration.

Customizes the user self-registration email verification subject text.

Customizes the user self-registration email body text.

Specifies a list of user attributes that can be set during user creation.

Specifies the action to be taken after a user successfully registers a new account.

If enabled, users can reset their password.

If enabled, users can solve a Google reCAPTCHA puzzle during forgotten password reset to mitigate against software bots.

If enabled, users receive email verification while attempting to retrieve a forgotten password.

If enabled, users must answer their security questions during the forgotten password process.

Maximum lifetime for the token allowing forgotten password reset.

Customizes the forgotten password email subject text.

Customizes the forgotten password email body text.

If enabled, users can retrieve their forgotten username.

If enabled, users can solve a Google reCAPTCHA puzzle during the forgotten username process to mitigate against software bots.

If enabled, users must answer their security questions during the forgotten username process.

If enabled, users can receive their forgotten username by email.

If enabled, users can receive their forgotten username on a browser page.

Maximum lifetime for the token allowing forgotten username.

Customizes the forgotten username email subject text.

Customizes the forgotten username email body text.

Specifies a profile’s protected user attributes, which causes re-authentication when the user attempts to modify these attributes.

Specifies the confirmation URL that the user receives during the self-registration process.

Specifies the confirmation URL that the user receives after confirming their identity during the forgotten password process.

Specifies the provider class for any custom plugins.

Specifies the provider class to configure any custom plugins.

Specifies the provider class to configure any custom plugins.

By default, OpenAM redirects the user to one of the URLs specified in the goto parameter supplied to the authentication interface. To enhance security, a list of valid URL resources can be specified here so OpenAM can validate the goto URL against them. OpenAM will only redirect a user if the goto URL matches any of the resources specified in this setting. If no setting is present, it is assumed that the goto URL is valid. Resources defined here can have the "" wildcard defined, where "" matches all characters except "?".

Set the primary entry point to the site, such as the URL to the load balancer for the site configuration.

Set alternate entry points to the site. Used when session failover is configured.