Sun Java System Access Manager 7.1 Administration Guide
Book Information
Index
Preface
Part I Access Control
Chapter 1 The Access Manager Console
Administration View
Realms Mode Console
Legacy Mode Console
Legacy Mode 6.3 Console
User Profile View
Chapter 2 Managing Realms
Creating and Managing Realms
To Create a New Realm
General Properties
Authentication
Services
To Add a Service to a Realm
Privileges
Defining Privileges for Access Manager 7.1
Defining Privileges for an Access Manager 7.0 to 7.1 Upgrade
Chapter 3 Data Stores
Access Manager Data Store Types
Access Manager Repository Plug-in
Active Directory
Flat Files Repository
Generic LDAPv3
Sun Directory Server With Access Manager Schema
To Create a New Data Store
Data Store Attributes
Access Manager Repository Attributes
Class Name
Access Manager Supported Types and Operations
Organization DN Value
People Container Naming Attribute
People Container Value
Agent Container Naming Attribute
Agent Container Value
Recursive Search
Copy Realm Configuration
Flat Files Repository Attributes
Files Repository Plug-in Classname
Files Repository Directory
Cache
Time to Update Cache
File User Object Classes
Password Attribute
Status Attribute
Hashed Attributes
Encrypted Attributes
LDAPv3 Attributes
LDAP Server
LDAP Bind DN
LDAP Bind Password
LDAP Bind Password (confirm)
LDAP Organization DN
LDAP SSL
LDAP Connection Pool Minimum Size
LDAP Connection Pool Maximum Size
Maximum Results Returned from Search
Search Timeout
LDAP Follows Referral
LDAPv3 Repository Plugin Class Name
General Attribute Name Mapping
LDAPv3 Plugin Supported Types and Operations
LDAPv3 Plug-in Search Scope
LDAP Users Search Attribute
LDAP Users Search Filter
LDAP User Object Class
LDAP User Attributes
LDAP User Creation Attribute Mappings
User Status Attribute
User Status Active Value
User Status Inactive Value
LDAP Groups Search Attribute
LDAP Group Search Filter
LDAP Groups Container Naming Attribute
LDAP Groups Container Value
LDAP Groups Object Classes
LDAP Groups Attributes
Group Membership Attribute
Unique Member Attribute
Group Member URL Attribute
LDAP People Container Naming Attribute
LDAP People Container Value
LDAP Agents Search Attribute
LDAP Agents Container Naming Attribute
LDAP Agents Container Value
LDAP Agents Search Filter
LDAP Agents Object Class
LDAP Agents Attributes
Identity Types that can be Authenticated
Persistent Search Base DN
Persistent Search Filter
Persistent Search Maximum Idle Time Before Restart
Maximum Number of Retries After Error Code
The Delay Time Between Retries
LDAPException Error Codes to Retry
Caching
Maximum Age of Cached Items
Maximum Size of the Cache
Chapter 4 Managing Authentication
Configuring Authentication
Authentication Module Types
Core
Active Directory
Anonymous
Certificate
Data Store
HTTP Basic
JDBC
LDAP
Membership
MSISDN
RADIUS
Configuring RADIUS with Sun Java System Application Server
SafeWord
Configuring SafeWord with Sun Java System Application Server
SAML
SecurID
UNIX
Windows Desktop SSO
Known Restriction with Internet Explorer
Configuring Windows Desktop SSO
To Create a User in the Windows 2000 Domain Controller
To Set Up Internet Explorer
Windows NT
Installing the Samba Client
Authentication Module Instances
To Create a New Authentication Module Instance
Authentication Chaining
To Create a New Authentication Chain
Authentication Types
How Authentication Types Determine Access
URL Redirection
Realm-based Authentication
Realm-based Authentication Login URLs
Realm-based Authentication Redirection URLs
Successful Realm-based Authentication Redirection URLs
Failed Realm-based Authentication Redirection URLs
To Configure Realm-Based Authentication
To Configure The Realm’s Authentication Attributes
Organization-based Authentication
Organization-based Authentication Login URLs
Organization-based Authentication Redirection URLs
Successful Organization-based Authentication Redirection URLs
Failed Organization-based Authentication Redirection URLs
To Configure Organization-Based Authentication
To Configure The Organization’s Authentication Attributes
Role-based Authentication
Role-based Authentication Login URLs
Role-based Authentication Redirection URLs
Successful Role-based Authentication Redirection URLs
Failed Role-based Authentication Redirection URLs
To Configure Role-Based Authentication
Service-based Authentication
Service-based Authentication Login URLs
Service-based Authentication Redirection URLs
Successful Service-based Authentication Redirection URLs
Failed Service-based Authentication Redirection URLs
To Configure Service-Based Authentication
User-based Authentication
User-based Authentication Login URLs
User Alias List Attribute
User-based Authentication Redirection URLs
Successful User-based Authentication Redirection URLs
Failed User-based Authentication Redirection URLs
To Configure User-Based Authentication
Authentication Level-based Authentication
Authentication Level-based Authentication Login URLs
Authentication Level-based Authentication Redirection URLs
Successful Authentication Level-based Authentication Redirection URLs
Failed Authentication Level-based Authentication Redirection URLs
Module-based Authentication
Module-based Authentication Login URLs
Module-based Authentication Redirection URLs
Successful Module-based Authentication Redirection URLs
Failed Module-based Authentication Redirection URLs
The User Interface Login URL
Login URL Parameters
goto Parameter
gotoOnFail Parameter
realm Parameter
org Parameter
user Parameter
role Parameter
locale Parameter
module Parameter
service Parameter
arg Parameter
authlevel Parameter
domain Parameter
iPSPCookie Parameter
IDTokenN Parameters
Account Locking
Physical Locking
Memory Locking
Authentication Service Failover
Fully Qualified Domain Name Mapping
Possible Uses For FQDN Mapping
Persistent Cookie
To Enable Persistent Cookies
Multi-LDAP Authentication Module Configuration In Legacy Mode
To Add An Additional LDAP Configuration
Session Upgrade
Validation Plug-in Interface
To Write and Configure a Validation Plug-in
JAAS Shared State
Enabling JAAS Shared State
JAAS Shared State Store Option
Chapter 5 Managing Policies
Overview
Policy Management Feature
URL Policy Agent Service
Policy Agents
The Policy Agent Process
Policy Types
Normal Policy
Rules
Subjects
Access Manager Roles Versus LDAP Roles
Nested Roles
Conditions
Active Session Time
Authentication Chain
Authentication Level (greater than or equal to)
Authentication Level (less than or equal to)
Authentication Module Instance
Current Session Properties
IP Address/DNS Name
LDAP Filter Condition
Realm Authentication
Time (day, date, time, and timezone)
Response Providers
Policy Advices
Referral Policy
Rules
Referrals
Policy Definition Type Document
Policy Element
Rule Element
ServiceName Element
ResourceName Element
AttributeValuePair Element
Attribute Element
Value Element
Subjects Element
Subject Element
Referrals Element
Referral Element
Conditions Element
Condition Element
Adding a Policy Enabled Service
To Add a New Policy Enabled Service
Creating Policies
To Create Policies with amadmin
To Create a Normal Policy With the Access Manager Console
To Create a Referral Policy With the Access Manager Console
Creating Policies for Peer Realms and Sub Realms
To Create a Policy for a Sub Realm
Exporting Policies to Other Access Manager instances
Managing Policies
Modifying a Normal Policy
To Add or Modify a Rule to a Normal Policy
To Add or Modify a Subject to a Normal Policy
To Add a Condition to a Normal Policy
To Add a Response Provider to a Normal Policy
Modifying a Referral Policy
To Add or Modify a Rule to a Referral Policy
To Add or Modify Referrals to a Policy
To Add a Response Provider to a Referral Policy
Policy Configuration Service
Subjects Result Time To Live
Dynamic Attributes
amldapuser Definition
Adding Policy Configuration Services
Resource-Based Authentication
Limitations
To Configure Resource-based Authentication
Chapter 6 Managing Subjects
User
To Create or Modify a User
To Add a User to Roles and Groups
To Add Services to an Identity
Agents Profile
To Create or Modify an Agent
Configuring Access Manager to Protect Against Cookie Hijacking
Filtered Role
To Create a Filtered Role
Roles
To Create or Modify a Role
To Add Users to a Role or Group
Groups
To Create or Modify a Group
Part II Directory Management and Default Services
Chapter 7 Directory Management
Managing Directory Objects
Organizations
To Create an Organization
To Delete an Organization
To Add an Organization to a Policy
Containers
To Create a Container
To Delete a Container
Group Containers
To Create a Group Container
To Delete a Group Container
Groups
To Create a Static Group
To Add or Remove Members to a Static Group
To Create a Dynamic Group
To Add or Remove Members to a Dynamic Group
To Add a Group to a Policy
People Containers
Create a People Container
To Delete a People Container
Users
To Create a User
To Edit the User Profile
To Add a User to Roles and Groups
To Add a User to a Policy
Roles
To Create a Static Role
To Add Users to a Static Role
To Create a Dynamic Role
To Remove Users from a Role
To Add a Role to a Policy
Chapter 8 Current Sessions
The Current Sessions Interface
Session Management
Session Information
Terminating a Session
To Terminate a Session
Chapter 9 Password Reset Service
Registering the Password Reset Service
To Register Password Reset for Users in a Different Realm
Configuring the Password Reset Service
To Configure the Service
To Localize the Secret Question
Password Reset Lockout
Memory Lockout
Physical Lockout
Password Reset for End Users
Customizing Password Reset
To Customize Password Reset
Resetting Forgotten Passwords
To Reset Forgotten Passwords
Password Policies
Chapter 10 Logging Service
Log Files
Access Manager Service Logs
Session Logs
Console Logs
Authentication Logs
Federation Logs
Policy Logs
Agent Logs
SAML Logs
amadmin Logs
Logging Features
Secure Logging
To Enable Secure Logging through a JSS Provider
To Enable Secure Logging Through a JCE Provider
Command Line Logging
Logging Properties
Remote Logging
To Enable Remote Logging with Web Containers
Error and Access Logs
Debug Files
Debug Levels
Debug Output Files
Using Debug Files
Chapter 11 Notification Service
Overview
Enabling The Notification Service
To Receive Session Notifications
To Enable the Notification Service with a Portal-only Installation
© 2010, Oracle Corporation and/or its affiliates