Access Management

UMA configuration reference

This topic provides reference information for UMA global settings and UMA datastore settings. See the general Reference for reference information on global services.

  • To configure UMA global settings, go to Configure > Global Settings > UMA Provider.

    For more information, see UMA provider.

  • To configure UMA datastore settings:

    • Go to Configure > Server Defaults > UMA to configure the settings for all your servers.

    • Go to Deployment > Servers > Server Name > UMA to configure the settings for one server.

      For more information, see UMA properties.

UMA properties

UMA server settings are inherited by default.

UMA resource store

The following settings appear on the UMA Resource Store tab:

Store Mode

Specifies the data store where AM stores UMA tokens. Possible values are:

  • Default Token Store: AM stores UMA tokens in the configuration data store.

  • External Token Store: AM stores UMA tokens in an external data store.

Root Suffix

Specifies the base DN for storage information in LDAP format, such as dc=uma-resources,dc=example,dc=com.

Max Connections

Specifies the maximum number of connections to the data store.

External UMA resource store configuration

AM honors the following properties when External Token Store is selected under the Resource Sets Store tab:

SSL/TLS Enabled

When enabled, AM uses SSL or TLS to connect to the external datastore. Make sure AM trusts the datastore’s certificate when using this option.

Connection String(s)

An ordered list of connection strings for external datastores. The format is HOST:PORT[|SERVERID[|SITEID]], where HOST:PORT specifies the FQDN and port of the datastore, and SERVERID and SITEID are optional parameters that give that connection priority when it is used by the specified AM server or site.

Multiple connection strings must be comma-separated, for example, uma-ldap1.example.com:1636|1|1, uma-ldap2.example.com:1636|2|1.

AM uses the first connection string in the list unless the server is unreachable. In this case, it tries the next connection strings in the order in which they’re defined.

In production environments, you should specify more than one connection string for failover purposes.

Login Id

The username AM uses to authenticate to the datastore. For example, uid=am-uma-bind-account,ou=admins,dc=uma,dc=example,dc=com. This user must be able to read and write to the root suffix of the datastore.

Password

The password associated with the login ID property.

Heartbeat

The interval, in seconds, at which AM sends a heartbeat request to the datastore so that the connection does not remain idle.

Default: 10

UMA audit store

The following settings appear on the UMA Audit Store tab:

Store Mode

Specifies the data store where AM stores audit information generated when users access UMA resources. Possible values are:

  • Default Token Store: AM stores UMA audit information in the configuration data store.

  • External Token Store: AM stores UMA audit information in an external data store.

Root Suffix

Specifies the base DN for storage information in LDAP format, such as dc=uma-audit,dc=example,dc=com.

Max Connections

Specifies the maximum number of connections to the data store.

External UMA audit store configuration

AM honors the following properties when External Token Store is selected under the UMA Audit Store tab:

SSL/TLS Enabled

When enabled, AM uses SSL or TLS to connect to the external datastore. Make sure AM trusts the datastore’s certificate when using this option.

Connection String(s)

An ordered list of connection strings for external datastores. The format is HOST:PORT[|SERVERID[|SITEID]], where HOST:PORT specifies the FQDN and port of the datastore, and SERVERID and SITEID are optional parameters that give that connection priority when it is used by the specified AM server or site.

Multiple connection strings must be comma-separated, for example, uma-ldap1.example.com:1636|1|1, uma-ldap2.example.com:1636|2|1.

AM uses the first connection string in the list unless the server is unreachable. In this case, it tries the next connection strings in the order in which they’re defined.

In production environments, you should specify more than one connection string for failover purposes.

Login Id

The username AM uses to authenticate to the datastore. For example, uid=am-uma-bind-account,ou=admins,dc=uma,dc=example,dc=com. This user must be able to read and write to the root suffix of the datastore.

Password

The password associated with the login ID property.

Heartbeat

The interval, in seconds, at which AM sends a heartbeat request to the datastore so that the connection does not remain idle.

Default: 10

Pending requests store

The following settings appear on the Pending Requests Store tab:

Store Mode

Specifies the data store where AM stores pending requests to UMA resources. Possible values are:

  • Default Token Store: AM stores UMA pending requests in the configuration data store.

  • External Token Store: AM stores UMA pending requests in an external data store.

Root Suffix

Specifies the base DN for storage information in LDAP format, such as dc=uma-pending,dc=forgerock,dc=com.

Max Connections

Specifies the maximum number of connections to the data store.

External pending requests store configuration

AM honors the following properties when External Token Store is selected under the Pending Requests Store tab:

SSL/TLS Enabled

When enabled, AM uses SSL or TLS to connect to the external datastore. Make sure AM trusts the datastore’s certificate when using this option.

Connection String(s)

An ordered list of connection strings for external datastores. The format is HOST:PORT[|SERVERID[|SITEID]], where HOST:PORT specifies the FQDN and port of the datastore, and SERVERID and SITEID are optional parameters that give that connection priority when it is used by the specified AM server or site.

Multiple connection strings must be comma-separated, for example, uma-ldap1.example.com:1636|1|1, uma-ldap2.example.com:1636|2|1.

AM uses the first connection string in the list unless the server is unreachable. In this case, it tries the next connection strings in the order in which they’re defined.

In production environments, you should specify more than one connection string for failover purposes.

Login Id

The username AM uses to authenticate to the datastore. For example, uid=am-uma-bind-account,ou=admins,dc=uma,dc=example,dc=com. This user must be able to read and write to the root suffix of the datastore.

Password

The password associated with the login ID property.

Heartbeat

The interval, in seconds, at which AM sends a heartbeat request to the datastore so that the connection does not remain idle.

Default: 10

UMA resource labels store

The following settings appear on the UMA Resource Labels Store tab:

Store Mode

Specifies the data store where AM stores user-created labels used for organizing UMA resources. Possible values are:

  • Default Token Store: AM stores user-created labels in the configuration data store.

  • External Token Store: AM stores user-created labels in an external data store.

Root Suffix

Specifies the base DN for storage information in LDAP format, such as dc=uma-resources-labels,dc=forgerock,dc=com.

Max Connections

Specifies the maximum number of connections to the data store.

External UMA resource labels store configuration

AM honors the following properties when External Token Store is selected under the UMA Resource Labels Store tab.

SSL/TLS Enabled

When enabled, AM uses SSL or TLS to connect to the external datastore. Make sure AM trusts the datastore’s certificate when using this option.

Connection String(s)

An ordered list of connection strings for external datastores. The format is HOST:PORT[|SERVERID[|SITEID]], where HOST:PORT specifies the FQDN and port of the datastore, and SERVERID and SITEID are optional parameters that give that connection priority when it is used by the specified AM server or site.

Multiple connection strings must be comma-separated, for example, uma-ldap1.example.com:1636|1|1, uma-ldap2.example.com:1636|2|1.

AM uses the first connection string in the list unless the server is unreachable. In this case, it tries the next connection strings in the order in which they’re defined.

In production environments, you should specify more than one connection string for failover purposes.
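The Connection String(s) setting has the same format on the UMA Resource Store, UMA Audit Store, Pending Requests Store and UMA Resource Labels Store tabs. The following Python is an added illustration (not AM's own code) of parsing that format, validating each entry before it is accepted, and walking the list in order until a reachable datastore is found. The exact priority rule it applies for SERVERID and SITEID (matching server first, then matching site, then configured order) is an assumption for the example, not documented AM behaviour.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical parser for the HOST:PORT[|SERVERID[|SITEID]] format
# (illustrative code, not AM's own implementation).
_ENTRY = re.compile(
    r"^(?P<host>[^:|,\s]+):(?P<port>\d{1,5})"
    r"(?:\|(?P<server>[^|,\s]*)(?:\|(?P<site>[^|,\s]*))?)?$"
)

@dataclass(frozen=True)
class ConnectionString:
    host: str
    port: int
    server_id: Optional[str] = None
    site_id: Optional[str] = None

def parse_connection_strings(value: str) -> List[ConnectionString]:
    """Parse the comma-separated list, keeping the configured order."""
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        m = _ENTRY.match(raw)
        if m is None:
            raise ValueError(f"malformed connection string: {raw!r}")
        port = int(m.group("port"))
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {raw!r}")
        entries.append(ConnectionString(m.group("host"), port,
                                        m.group("server") or None,
                                        m.group("site") or None))
    if not entries:
        raise ValueError("at least one connection string is required")
    return entries

def order_for_node(entries, server_id, site_id):
    # Assumed priority rule: this node's server ID first, then its site ID,
    # then the rest; sorted() is stable, so configured order is kept per group.
    def rank(e):
        if e.server_id is not None and e.server_id == server_id:
            return 0
        return 1 if e.site_id is not None and e.site_id == site_id else 2
    return sorted(entries, key=rank)

def select_datastore(entries, reachable):
    # Failover as documented: the first entry, in order, that is reachable.
    return next((e for e in entries if reachable(e)), None)
```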

Login Id

The username AM uses to authenticate to the datastore. For example, uid=am-uma-bind-account,ou=admins,dc=uma,dc=example,dc=com. This user must be able to read and write to the root suffix of the datastore.

Password

The password associated with the login ID property.

Heartbeat

The interval, in seconds, at which AM sends a heartbeat request to the datastore so that the connection does not remain idle.

Default: 10