PolicyConfiguration
Realm Operations
Resource path:
/realm-config/services/policyconfiguration
Resource version: 2.0
create
Usage
am> create PolicyConfiguration --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "mtlsEnabled" : { "title" : "mTLS Enabled", "description" : "Enables mTLS (mutual TLS) between AM and this store. When mTLS is enabled:<ul><li>Set connection mode to <code>LDAPS</code>. <li>The values for <code>LDAP Bind DN</code> and <code>LDAP Bind Password</code> are ignored.</li>", "propertyOrder" : 2200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "connectionPoolMaximumSize" : { "title" : "LDAP Connection Pool Maximum Size", "description" : "Maximum number of connections in the pool.", "propertyOrder" : 1800, "required" : true, "type" : "integer", "exampleValue" : "" }, "realmSearchFilter" : { "title" : "LDAP Organization Search Filter", "description" : "Search filter to match organization entries.", "propertyOrder" : 900, "required" : true, "type" : "string", "exampleValue" : "" }, "bindDn" : { "title" : "LDAP Bind DN", "description" : "Bind DN to connect to the directory server for policy information.This property is ignored if mTLS Enabled is set.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "userAliasEnabled" : { "title" : "User Alias", "description" : "If enabled, OpenAM can evaluate policy for remote users aliased to local users.", "propertyOrder" : 2000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "usersSearchFilter" : { "title" : "LDAP Users Search Filter", "description" : "Search filter to match user entries.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "usersSearchAttribute" : { "title" : "LDAP Users Search Attribute", "description" : "Naming attribute for user entries.", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "ldapServer" : { "title" : "Primary LDAP Server", "description" : "Configuration directory server host:port that OpenAM searches for policy information.<p><p>Format: <code>local OpenAM server name | hostname:port</code><p><p>Multiple entries 
must be prefixed by local server name. Make sure to place the multiple entries on a single line and separate the hostname:port URLs with a space. <p><p>For example, openam.example.com|opendj.example.com:1389 opendj.example.com:2389", "propertyOrder" : 400, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "maximumSearchResults" : { "title" : "Maximum Results Returned from Search", "description" : "Search limit for LDAP searches.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "checkIfResourceTypeExists" : { "title" : "Check resources exist when Resource Server is updated", "description" : "Check all registered resources exist when updating Resource Server. <p><p>If enabled, the Policy Set will check each registered Resource Type one by one against the config datastore. Consider disabling this option if you have a large number of Resource Types registered to a Policy Set.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "sslEnabled" : { "title" : "LDAP SSL/TLS", "description" : "If enabled, OpenAM connects securely to the directory server. 
This requires that you install the directory server certificate.", "propertyOrder" : 1600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "bindPassword" : { "title" : "LDAP Bind Password", "description" : "Bind password to connect to the directory server for policy information. This property is ignored if mTLS Enabled is set.", "propertyOrder" : 800, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "usersBaseDn" : { "title" : "LDAP Users Base DN", "description" : "Base DN for LDAP Users subject searches.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "" }, "policyHeartbeatTimeUnit" : { "title" : "Heartbeat Unit", "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option if a firewall or load balancer can close idle connections, since the heartbeat requests ensure that the connections do not become idle.", "propertyOrder" : 1850, "required" : true, "type" : "string", "exampleValue" : "" }, "searchTimeout" : { "title" : "Search Timeout", "description" : "Time after which OpenAM returns an error for an incomplete search, in seconds.", "propertyOrder" : 1500, "required" : true, "type" : "integer", "exampleValue" : "" }, "subjectsResultTTL" : { "title" : "Subjects Result Time to Live", "description" : "Maximum time that OpenAM caches a subject result for evaluating policy requests, in minutes. 
A value of <code>0</code> prevents OpenAM from caching subject evaluations for policy decisions.", "propertyOrder" : 1900, "required" : true, "type" : "integer", "exampleValue" : "" }, "connectionPoolMinimumSize" : { "title" : "LDAP Connection Pool Minimum Size", "description" : "Minimum number of connections in the pool.", "propertyOrder" : 1700, "required" : true, "type" : "integer", "exampleValue" : "" }, "usersSearchScope" : { "title" : "LDAP Users Search Scope", "description" : "Search scope to find user entries.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "policyHeartbeatInterval" : { "title" : "Heartbeat Interval", "description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>Use this option if a firewall or load balancer can close idle connections, since the heartbeat requests ensure that the connections do not become idle.", "propertyOrder" : 1840, "required" : true, "type" : "integer", "exampleValue" : "" } } }
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action PolicyConfiguration --realm Realm --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action PolicyConfiguration --realm Realm --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action PolicyConfiguration --realm Realm --actionName nextdescendents
update
Usage
am> update PolicyConfiguration --realm Realm --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "mtlsEnabled" : { "title" : "mTLS Enabled", "description" : "Enables mTLS (mutual TLS) between AM and this store. When mTLS is enabled:<ul><li>Set connection mode to <code>LDAPS</code>. <li>The values for <code>LDAP Bind DN</code> and <code>LDAP Bind Password</code> are ignored.</li>", "propertyOrder" : 2200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "connectionPoolMaximumSize" : { "title" : "LDAP Connection Pool Maximum Size", "description" : "Maximum number of connections in the pool.", "propertyOrder" : 1800, "required" : true, "type" : "integer", "exampleValue" : "" }, "realmSearchFilter" : { "title" : "LDAP Organization Search Filter", "description" : "Search filter to match organization entries.", "propertyOrder" : 900, "required" : true, "type" : "string", "exampleValue" : "" }, "bindDn" : { "title" : "LDAP Bind DN", "description" : "Bind DN to connect to the directory server for policy information.This property is ignored if mTLS Enabled is set.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "userAliasEnabled" : { "title" : "User Alias", "description" : "If enabled, OpenAM can evaluate policy for remote users aliased to local users.", "propertyOrder" : 2000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "usersSearchFilter" : { "title" : "LDAP Users Search Filter", "description" : "Search filter to match user entries.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "usersSearchAttribute" : { "title" : "LDAP Users Search Attribute", "description" : "Naming attribute for user entries.", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "ldapServer" : { "title" : "Primary LDAP Server", "description" : "Configuration directory server host:port that OpenAM searches for policy information.<p><p>Format: <code>local OpenAM server name | hostname:port</code><p><p>Multiple entries 
must be prefixed by local server name. Make sure to place the multiple entries on a single line and separate the hostname:port URLs with a space. <p><p>For example, openam.example.com|opendj.example.com:1389 opendj.example.com:2389", "propertyOrder" : 400, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "maximumSearchResults" : { "title" : "Maximum Results Returned from Search", "description" : "Search limit for LDAP searches.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "checkIfResourceTypeExists" : { "title" : "Check resources exist when Resource Server is updated", "description" : "Check all registered resources exist when updating Resource Server. <p><p>If enabled, the Policy Set will check each registered Resource Type one by one against the config datastore. Consider disabling this option if you have a large number of Resource Types registered to a Policy Set.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "sslEnabled" : { "title" : "LDAP SSL/TLS", "description" : "If enabled, OpenAM connects securely to the directory server. 
This requires that you install the directory server certificate.", "propertyOrder" : 1600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "bindPassword" : { "title" : "LDAP Bind Password", "description" : "Bind password to connect to the directory server for policy information. This property is ignored if mTLS Enabled is set.", "propertyOrder" : 800, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "usersBaseDn" : { "title" : "LDAP Users Base DN", "description" : "Base DN for LDAP Users subject searches.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "" }, "policyHeartbeatTimeUnit" : { "title" : "Heartbeat Unit", "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option if a firewall or load balancer can close idle connections, since the heartbeat requests ensure that the connections do not become idle.", "propertyOrder" : 1850, "required" : true, "type" : "string", "exampleValue" : "" }, "searchTimeout" : { "title" : "Search Timeout", "description" : "Time after which OpenAM returns an error for an incomplete search, in seconds.", "propertyOrder" : 1500, "required" : true, "type" : "integer", "exampleValue" : "" }, "subjectsResultTTL" : { "title" : "Subjects Result Time to Live", "description" : "Maximum time that OpenAM caches a subject result for evaluating policy requests, in minutes. 
A value of <code>0</code> prevents OpenAM from caching subject evaluations for policy decisions.", "propertyOrder" : 1900, "required" : true, "type" : "integer", "exampleValue" : "" }, "connectionPoolMinimumSize" : { "title" : "LDAP Connection Pool Minimum Size", "description" : "Minimum number of connections in the pool.", "propertyOrder" : 1700, "required" : true, "type" : "integer", "exampleValue" : "" }, "usersSearchScope" : { "title" : "LDAP Users Search Scope", "description" : "Search scope to find user entries.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "policyHeartbeatInterval" : { "title" : "Heartbeat Interval", "description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>Use this option if a firewall or load balancer can close idle connections, since the heartbeat requests ensure that the connections do not become idle.", "propertyOrder" : 1840, "required" : true, "type" : "integer", "exampleValue" : "" } } }
Global Operations
Resource path:
/global-config/services/policyconfiguration
Resource version: 1.0
getAllTypes
Obtain the collection of all secondary configuration types related to the resource.
Usage
am> action PolicyConfiguration --global --actionName getAllTypes
getCreatableTypes
Obtain the collection of secondary configuration types that have yet to be added to the resource.
Usage
am> action PolicyConfiguration --global --actionName getCreatableTypes
nextdescendents
Obtain the collection of secondary configuration instances that have been added to the resource.
Usage
am> action PolicyConfiguration --global --actionName nextdescendents
update
Usage
am> update PolicyConfiguration --global --body body
Parameters
- --body
-
The resource in JSON format, described by the following JSON schema:
{ "type" : "object", "properties" : { "continueEvaluationOnDeny" : { "title" : "Continue Evaluation on Deny Decision", "description" : "If no, then OpenAM stops evaluating policy as soon as it reaches a deny decision.", "propertyOrder" : 200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "resourceComparators" : { "title" : "Resource Comparator", "description" : "OpenAM uses resource comparators to match resources specified in policy rules. When setting comparators on the command line, separate fields with <code>|</code> characters.", "propertyOrder" : 100, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "realmAliasReferrals" : { "title" : "Realm Alias Referrals", "description" : "If yes, then OpenAM allows creation of policies for HTTP and HTTPS resources whose FQDN matches the DNS alias for the realm even when no referral policy exists.", "propertyOrder" : 300, "required" : true, "type" : "boolean", "exampleValue" : "" }, "defaults" : { "properties" : { "userAliasEnabled" : { "title" : "User Alias", "description" : "If enabled, OpenAM can evaluate policy for remote users aliased to local users.", "propertyOrder" : 2000, "required" : true, "type" : "boolean", "exampleValue" : "" }, "mtlsEnabled" : { "title" : "mTLS Enabled", "description" : "Enables mTLS (mutual TLS) between AM and this store. When mTLS is enabled:<ul><li>Set connection mode to <code>LDAPS</code>. 
<li>The values for <code>LDAP Bind DN</code> and <code>LDAP Bind Password</code> are ignored.</li></ul>", "propertyOrder" : 2200, "required" : true, "type" : "boolean", "exampleValue" : "" }, "usersSearchScope" : { "title" : "LDAP Users Search Scope", "description" : "Search scope to find user entries.", "propertyOrder" : 1100, "required" : true, "type" : "string", "exampleValue" : "" }, "subjectsResultTTL" : { "title" : "Subjects Result Time to Live", "description" : "Maximum time that OpenAM caches a subject result for evaluating policy requests, in minutes. A value of <code>0</code> prevents OpenAM from caching subject evaluations for policy decisions.", "propertyOrder" : 1900, "required" : true, "type" : "integer", "exampleValue" : "" }, "maximumSearchResults" : { "title" : "Maximum Results Returned from Search", "description" : "Search limit for LDAP searches.", "propertyOrder" : 1400, "required" : true, "type" : "integer", "exampleValue" : "" }, "bindPassword" : { "title" : "LDAP Bind Password", "description" : "Bind password to connect to the directory server for policy information. This property is ignored if mTLS Enabled is set.", "propertyOrder" : 800, "required" : true, "type" : "string", "format" : "password", "exampleValue" : "" }, "bindDn" : { "title" : "LDAP Bind DN", "description" : "Bind DN to connect to the directory server for policy information. This property is ignored if mTLS Enabled is set.", "propertyOrder" : 700, "required" : true, "type" : "string", "exampleValue" : "" }, "usersSearchFilter" : { "title" : "LDAP Users Search Filter", "description" : "Search filter to match user entries.", "propertyOrder" : 1000, "required" : true, "type" : "string", "exampleValue" : "" }, "checkIfResourceTypeExists" : { "title" : "Check resources exist when Resource Server is updated", "description" : "Check all registered resources exist when updating Resource Server. 
<p><p>If enabled, the Policy Set will check each registered Resource Type one by one against the config datastore. Consider disabling this option if you have a large number of Resource Types registered to a Policy Set.", "propertyOrder" : 2100, "required" : true, "type" : "boolean", "exampleValue" : "" }, "usersSearchAttribute" : { "title" : "LDAP Users Search Attribute", "description" : "Naming attribute for user entries.", "propertyOrder" : 1300, "required" : true, "type" : "string", "exampleValue" : "" }, "policyHeartbeatTimeUnit" : { "title" : "Heartbeat Unit", "description" : "Defines the time unit corresponding to the Heartbeat Interval setting.<br><br>Use this option if a firewall or load balancer can close idle connections, since the heartbeat requests ensure that the connections do not become idle.", "propertyOrder" : 1850, "required" : true, "type" : "string", "exampleValue" : "" }, "connectionPoolMaximumSize" : { "title" : "LDAP Connection Pool Maximum Size", "description" : "Maximum number of connections in the pool.", "propertyOrder" : 1800, "required" : true, "type" : "integer", "exampleValue" : "" }, "connectionPoolMinimumSize" : { "title" : "LDAP Connection Pool Minimum Size", "description" : "Minimum number of connections in the pool.", "propertyOrder" : 1700, "required" : true, "type" : "integer", "exampleValue" : "" }, "searchTimeout" : { "title" : "Search Timeout", "description" : "Time after which OpenAM returns an error for an incomplete search, in seconds.", "propertyOrder" : 1500, "required" : true, "type" : "integer", "exampleValue" : "" }, "ldapServer" : { "title" : "Primary LDAP Server", "description" : "Configuration directory server host:port that OpenAM searches for policy information.<p><p>Format: <code>local OpenAM server name | hostname:port</code><p><p>Multiple entries must be prefixed by local server name. Make sure to place the multiple entries on a single line and separate the hostname:port URLs with a space. 
<p><p>For example, openam.example.com|opendj.example.com:1389 opendj.example.com:2389", "propertyOrder" : 400, "required" : true, "items" : { "type" : "string" }, "type" : "array", "exampleValue" : "" }, "policyHeartbeatInterval" : { "title" : "Heartbeat Interval", "description" : "Specifies how often OpenAM should send a heartbeat request to the directory.<br><br>Use this option if a firewall or load balancer can close idle connections, since the heartbeat requests ensure that the connections do not become idle.", "propertyOrder" : 1840, "required" : true, "type" : "integer", "exampleValue" : "" }, "sslEnabled" : { "title" : "LDAP SSL/TLS", "description" : "If enabled, OpenAM connects securely to the directory server. This requires that you install the directory server certificate.", "propertyOrder" : 1600, "required" : true, "type" : "boolean", "exampleValue" : "" }, "realmSearchFilter" : { "title" : "LDAP Organization Search Filter", "description" : "Search filter to match organization entries.", "propertyOrder" : 900, "required" : true, "type" : "string", "exampleValue" : "" }, "usersBaseDn" : { "title" : "LDAP Users Base DN", "description" : "Base DN for LDAP Users subject searches.", "propertyOrder" : 500, "required" : true, "type" : "string", "exampleValue" : "" } }, "type" : "object", "title" : "Realm Defaults" } } }