Advanced properties

Each server has a list of advanced properties that can be modified at Deployment > Servers > server name > Advanced. For a list of inherited advanced properties relevant to all servers, go to Configure > Server Defaults > Advanced.

am.authorization.policy.cache.expirationDurationSeconds

The time period, in seconds, before the policy cache expires. During this period, all policy evaluation requests are read from the policy cache.

The recommended value for this property depends on your specific deployment.

The policy cache isn’t updated when you update or delete a policy definition. Policy evaluation is based on the cached definition until the maximum cache duration is reached, or until you restart AM.

Find more information in Tune policy evaluation.

Default: 0 seconds (policy caching is disabled)

Policy caching remains disabled if either the maximum cache size or the expiry duration is set to 0.

am.authorization.policy.cache.maxSize

The maximum cache size for authorization policies.

The recommended value for this property depends on your specific deployment.

Find more information in Tune policy evaluation.

If your AM service handles a large number of policy evaluations per second, tuning this property can result in a performance improvement. Setting this value slightly higher than the maximum number of policies configured across all policy sets in all realms ensures all policies are cached.

Default: 0 (policy caching is disabled)

Policy caching remains disabled if either the maximum cache size or the expiry duration is set to 0.

am.authorization.policySet.cache.expirationDurationSeconds

The time period, in seconds, before the policy set cache expires. During this timeframe, all policy sets are read from the policy set cache.

The recommended value for this property depends on your specific deployment.

Find more information in Tune policy evaluation.

Default: 0 seconds (policy caching is disabled)

Policy set caching remains disabled if either the maximum cache size or the expiry duration is set to 0.

am.authorization.policySet.cache.maxSize

The maximum cache size for authorization policy sets.

The recommended value for this property depends on your specific deployment.

Find more information in Tune policy evaluation.

If your AM service handles a large number of policy evaluations per second, tuning this property can result in a performance improvement. Setting this value to the maximum number of policy sets across all realms in your deployment ensures all policy sets are cached.

Default: 0 (policy caching is disabled)

Policy set caching remains disabled if either the maximum cache size or the expiry duration is set to 0.

am.nodes.certificatechain.validation.enforced: If true, the Certificate Collector node collects the entire chain of certificates from the request, and the Certificate Validation node validates all certificates in the chain. Otherwise, only the first certificate in the chain (the user certificate) is collected and validated.

Default: true

am.cts.use.etag.assertion.on.update: By default, parallel updates can’t be made for CTS sessions. AM checks that the state of the CTS token in the CTS store is the same as the state previously read by the thread making the update. This prevents parallel replay attacks from circumventing authentication session allowlisting.

To enable parallel updates on CTS sessions, set this parameter to false.

Unless you use in-memory sessions for authentication, disabling the assertion check can expose your CTS sessions to parallel replay attacks.

am.oauth2.request.object.restrictions.enforced

Aligns AM behavior with the following specifications:

OAuth 2.0 Pushed Authorization Requests (PAR) (RFC 9126)
OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) (RFC 9101).

These specifications indicate the following:

The authorization server should ignore authorize parameters outside the request_uri.
When sending a JWT-Secured Authorization Request (JAR), the request_uri must be an https URI.

To enforce this behavior in AM, set this property to true.

Default: false

am.secrets.gsm.stableid.version.only

By default, for certificates stored in a GSM secret store, the public key published in the JWK_URI has a Key-ID (kid) value that includes the name of the secret. To override the default kid value with only the GSM secret version, set this property to true.

Default: false

Find more information in Overwrite default kid values.

bootstrap.file

File that contains the path to the AM configuration folder. By default, the .openamcfg directory is created in the home directory of the user that runs the web container. For example, $HOME/.openamcfg/AMConfig_path_to_tomcat_webapps_am_.

com.iplanet.am.cookie.c66Encode

Properly URL encode session tokens.

Default: true

com.iplanet.am.daemons

This property was used only for authentication with modules and chains and is no longer documented.

com.iplanet.am.directory.ssl.enabled

If true AM connects to the configuration directory server over LDAPS.

Default: false

com.iplanet.am.installdir

AM Configuration and log file location.

Default: ~/openam/, such as ~/am

com.iplanet.am.jssproxy.checkSubjectAltName

When using JSS or JSSE, check whether the name values in the SubjectAltName certificate match the server FQDN.

Default: false

com.iplanet.am.jssproxy.resolveIPAddress

When using JSS or JSSE, check that the IP address of the server resolves to the host name.

Default: false

com.iplanet.am.jssproxy.SSLTrustHostList

When using JSS or JSSE, comma-separated list of server FQDNs to trust if they match the certificate CN, even if the domain name isn’t correct.

com.iplanet.am.jssproxy.trustAllServerCerts

When using JSS or JSSE, set to true to trust whatever certificate is presented without checking.

Default: true

com.iplanet.am.lbcookie.name

Used with sticky load balancers that can inspect the cookie value.

Default: amlbcookie

com.iplanet.am.lbcookie.value

Used with sticky load balancers that can inspect the cookie value. The value of this property defaults to the unique AM server ID, although you can set your own unique value.

To improve AM server performance, keep the value of the cookie set to the AM server ID when using Web Agents.

If you have replaced the value of this property and you need to match the AM server URLs with their corresponding server IDs, query the global-config/servers endpoint. For example:

$ curl \
--request GET \
--header "Accept: application/json" \
--header "iPlanetDirectoryPro: AQIC5…NDU1*" \
'https://am.example.com:8443/am/json/global-config/servers?_queryFilter=true'
{
  "result": [
    {
      "_id": "01",
      "_rev": "1372703177",
      "url": "https://am.example.com:8443/am",
      "siteName": null
    }
  ],
  "resultCount": 1,
  "pagedResultsCookie": null,
  "totalPagedResultsPolicy": "NONE",
  "totalPagedResults": -1,
  "remainingPagedResults": -1
}

In the example, the server ID for server https://am.example.com:8443/am is 01.

Default: 01

com.iplanet.am.pcookie.name

Persistent cookie name.

Default: DProPCookie

com.iplanet.am.profile.host

Not used

Default: server-host, such as am.example.com

com.iplanet.am.profile.port

Not used

Default: server-port, such as 8080 or 8443

com.iplanet.am.sdk.caching.enabled

Enables caching for configuration data and user data.

Learn more in the Overall server cache settings section.

Changes to this property take effect immediately. No server restart is necessary.

Default: true

com.iplanet.am.session.agentSessionIdleTime

Time in minutes after which a web or Java agent’s server-side session expires. Note that this setting is ignored when AM creates a client-side session for a web or Java agent.

Default: 1440 (session expires after one day). You can set this property to 0 (session never expires), or any integer higher than 30 (no maximum limit).

com.iplanet.am.session.client.polling.enable

If true, client applications such as web or Java agents poll for server-side session changes. If false, client applications register listeners for notifications about changes to server-side sessions.

Default: false

com.iplanet.am.session.client.polling.period

If client applications poll for changes, number of seconds between polls.

Default: 180

com.iplanet.am.session.httpSession.enabled

Create an HttpSession for users on successful authentication.

Default: true

com.iplanet.security.SSLSocketFactoryImpl

SSL socket factory implementation used by AM.

Default: com.sun.identity.shared.ldap.factory.JSSESocketFactory, uses a pure Java provider

com.sun.identity.am.cookie.check

If true, AM checks for cookie support in the user agent and returns an error if cookies aren’t supported.

Default: false

com.sun.identity.appendSessionCookieInURL

If true, AM appends the session cookie to the URL for a zero page session.

Default: true

com.sun.identity.auth.cookieName

Cookie used by the AM authentication service to handle the authentication process.

Default: AMAuthCookie

com.sun.identity.authentication.client.ipAddressHeader

Set the name of the HTTP header that AM can examine to learn the client IP address when requests go through a proxy or load balancer. (When requests go through an HTTP proxy or load balancer, checking the IP address on the request alone returns the address of the proxy or load balancer rather than that of the client.) AM must be able to trust the proxy or load balancer to set the client IP address correctly in the header specified.

Example: com.sun.identity.authentication.client.ipAddressHeader=X-Forwarded-For

com.sun.identity.authentication.multiple.tabs.used

If true, users can open many browser tabs to the login page at the same time without encountering an error.

Default: false

com.sun.identity.authentication.setCookieToAllDomains

If true, AM allows multiple cookie domains.

Default: true

com.sun.identity.authentication.special.users

List of special users always authenticated against the local directory server.

Default: cn=dsameuser,ou=DSAME Users,%ROOT_SUFFIX%|cn=amService-UrlAccessAgent,ou=DSAME Users,%ROOT_SUFFIX%

com.sun.identity.authentication.super.user

Identifies an administrative user that replaces the amAdmin user. For example, uid=superroot,ou=people,dc=example,dc=com.

You must manually create a user account for the new administrative user in the configuration datastore that has the same privileges as the uid=admin user.

The amAdmin account is "hard-coded" in the source of several files. The code in these files may affect the functionality of a top-level administrative user with a name other than amAdmin.

Default: uid=amAdmin,ou=People,%ROOT_SUFFIX%

com.sun.identity.authentication.uniqueCookieName

When cookie hijacking protection is configured, name of the cookie holding the URL to the AM server that authenticated the user.

Default: sunIdentityServerAuthNServer

com.sun.identity.client.notification.url

Notification service endpoint for clients such as web and Java agents.

Default: server-protocol://server-host:server-port/server-uri/notificationservice, such as https://am.example.com:8443/am/notificationservice

com.sun.identity.common.systemtimerpool.size

Number of threads in the shared system timer pool used to schedule operations such as session timeout.

Default: 3

com.sun.identity.cookie.httponly

When set to true, mark cookies as HTTPOnly to prevent scripts and third-party programs from accessing the cookies.

This configuration option is used only in non-UI deployments. The UI can’t set the HttpOnly name in a cookie.

Default: true

com.sun.identity.cookie.samesite

Configures support for applying SameSite cookie rules, as per internet-draft Cookies:HTTP State Management Mechanism.

Available settings are as follows:

strict

Requests originating from different domains won’t have cookies sent with them.

When this mode is enabled, any AM functionality that relies on requests being redirected back to the AM instance may not operate correctly. For example, OAuth 2.0 flows and SAML federation may not operate correctly if AM can’t access the required cookies.

lax

Cookies received from different domains can’t be accessed unless the request is a top-level request and uses a "safe" HTTP method, such as GET, HEAD, OPTIONS, and TRACE.

off

AM applies no restrictions on cookie domains.

You must disable SameSite support if any of the following is true:

You must set Access-Control-Allow-Credentials=true in your CORS configuration.

Learn more about configuring CORS in AM in Configure CORS support.
You are using SAML HTTP-POST bindings.

For example, IdP-initiated single logout (SLO) functionality won’t operate correctly if SameSite support is enabled, as the iPlanetDirectoryPro cookie wouldn’t be accessible in cross-domain POST requests. Learn more in Implement SSO and SLO.

Default: off

com.sun.identity.enableUniqueSSOTokenCookie

If true, AM uses protection against cookie hijacking.

Default: false

com.sun.identity.jss.donotInstallAtHighestPriority

If false, JSS takes priority over other providers.

Default: true

com.sun.identity.monitoring

Activates AM monitoring.

Default: off

com.sun.identity.monitoring.local.conn.server.url

URL for local connection to the monitoring service.

Default: service:jmx:rmi://

com.sun.identity.password.deploymentDescriptor

Internal property used by AM.

Default: server-uri, such as am

com.sun.identity.policy.Policy.policy_evaluation_weights

Weights of the cost of evaluating policy subjects, rules, and conditions. Evaluation is in order of the heaviest weight to the lightest.

Default: 10:10:10, meaning evaluation of rules, then conditions, then subjects

com.sun.identity.policy.resultsCacheMaxSize

Maximum number of policy decisions AM caches.

Default: 10000

com.sun.identity.security.checkcaller

If true, AM performs a Java security permissions check.

Default: false

com.sun.identity.server.fqdnMap

Enables virtual hosts, partial hostname and IP address. Maps invalid or virtual name keys to valid FQDN values for proper redirection.

To map myserver to myserver.example.com, set com.sun.identity.server.fqdnMap[myserver]=myserver.example.com.

com.sun.identity.session.repository.enableAttributeCompression

For additional compression of CTS token JSON binaries, beyond GZip, if desired.

Default: false

com.sun.identity.session.repository.enableCompression

For GZip-based compression of CTS tokens, if desired.

Default: false

com.sun.identity.session.repository.enableEncryption

Enables tokens to be encrypted when stored.

Multi-instance deployments require consistent use of this property, which should be configured under Configure > Server Defaults > Advanced.

The am.encryption.pwd property must also be the same for all deployed instances. You can set the Password Encryption Key property under Deployment > Servers > server name > Security. Verify that all servers have the same setting for this property.

Default: false

com.sun.identity.sm.cache.enabled

Enables service configuration caching.

Find important information about this property in Overall server cache settings.

Changes to this property take effect immediately. No server restart is necessary.

Default: true

com.sun.identity.sm.cache.ttl

When service configuration caching time-to-live is enabled, this sets the time to live in minutes.

Changes to this property take effect immediately. No server restart is necessary.

Default: 30

com.sun.identity.sm.cache.ttl.enable

If service configuration caching is enabled, whether to enable a time-to-live for cached configuration.

Changes to this property take effect immediately. No server restart is necessary.

Default: false

com.sun.identity.sm.flatfile.root_dir

File system directory to hold file-based representation of AM configuration.

Default: /path/to/am/

com.sun.identity.sm.sms_object_class_name

Class used to read and write AM service configuration entries in the directory.

Default: com.sun.identity.sm.SmsWrapperObject

com.sun.identity.url.readTimeout

Used to set the read timeout in milliseconds for HTTP and HTTPS connections to other servers.

Default: 30000

com.sun.identity.urlchecker.dorequest

If true, AM sends an HTTP GET request to the com.sun.identity.urlchecker.targeturl as a health check against another server in the same site.

If false, AM only checks the Socket connection and doesn’t send an HTTP GET request.

If each AM server runs behind a reverse proxy, then the default setting of true means the health check actually runs against the AM instance, rather than checking only the Socket to the reverse proxy.

Default: true

com.sun.identity.urlchecker.targeturl

URL to monitor when com.sun.identity.urlchecker.dorequest is set to true.

Default: URL to the /am/namingservice endpoint on the remote server

com.sun.identity.urlconnection.useCache

If true, AM caches documents for HTTP and HTTPS connections to other servers.

Default: false

com.sun.identity.webcontainer

Name of the web container to correctly set character encoding, if necessary.

Default: WEB_CONTAINER

console.privileged.users

Used to assign privileged console access to particular users. Set to a | separated list of users' Universal IDs, such as console.privileged.users=uid=bjensen,ou=user,dc=am,dc=example,dc=com|uid=scarter,ou=user,dc=am,dc=example,dc=com.

oauth2.provider.request.object.processing.enforced: Forces AM to use the specification set in the Request Object Processing Specification field of the OAuth 2.0 provider configuration for JWT requests.

If set to true, this parameter overrides the default behavior, which is for AM to infer the request type from the contents of the request, if possible.

Default: false
openam.auth.destroy_session_after_upgrade: Where to destroy the old session after a session is successfully upgraded.

Default: true
openam.auth.session_property_upgrader: Class that controls which session properties are copied during session upgrade, where default is to copy all properties to the upgraded session.

Default: org.forgerock.openam.authentication.service.DefaultSessionPropertyUpgrader
openam.auth.version.header.enabled: The X-DSAMEVersion http header provides detailed information about the version of AM currently running on the system, including the build and date/time of the build. AM will need to be restarted once this property is enabled.

Default: false
openam.authentication.ignore_goto_during_logout: If true, AM ignores the goto query string parameter on logout and displays the logout page instead.

Default: false
openam.cdm.default.charset: Character set used for globalization.

Default: UTF-8
openam.forbidden.to.copy.headers: Comma-separated list of HTTP headers not to copy when the distributed authentication server forwards a request to another distributed authentication server.

Default: connection
openam.forbidden.to.copy.request.headers: Comma-separated list of HTTP headers not to copy when the distributed authentication server forwards a request to another distributed authentication server.

Default: connection

openam.retained.http.request.headers: Comma-separated list of HTTP headers to copy to the forwarded request when the server forwards a request to another server.

Requests are forwarded when the server receiving the request isn’t the server that originally initiated authentication. The server that originally initiated authentication is identified by a session ID stored in the AMAuthCookie cookie.

On subsequent requests, the server receiving the request checks the cookie. If the cookie identifies another server, the current server forwards the request to that server.

When a reverse proxy is set up to provide the client IP address in the X-Forwarded-For header, if your deployment includes multiple AM servers, then this property must be set to include the header.

Example: openam.retained.http.request.headers=X-DSAMEVersion,X-Forwarded-For

AM copies the header when forwarding a request to the authoritative server where the client originally began the authentication process, so that the authoritative AM server receiving the forwarded request can determine the real client IP address.

Use the openam.retained.http.headers property to retain headers to return in the response to the AM server that forwarded the request.

Default: X-DSAMEVersion
openam.session.case.sensitive.uuid: If true, universal user IDs are considered case-sensitive when matching them.

Default: false

org.forgerock.allow.http.client.debug

Specifies whether AM can output logging at the Message level for the org.apache.http.wire and org.apache.http.headers logging appenders.

Possible values are:

true. The appenders' debug log level can take the same value as AM’s, even Message.

The appenders can log cleartext passwords or sensitive information related to client interactions. For example, scripted authentication or STS transactions.

Enable this property for debugging purposes only when required.

false. The appender’s debug log level is always warning, unless debug is disabled.

You can also set this property as a JVM option in the container where AM runs.
Default: false

org.forgerock.openam.http.ssl.connection.manager

The class that implements the org.forgerock.openam.http.SslConnectionManager interface, which controls both keystore and truststore settings, as well as hostname verification.

If the container in which AM runs is configured with the java.protocol.handler.pkgs property set, then ensure this property is set to com.sun.identity.protocol.AmSslConnectionManager.

In previous versions of AM, this property was named opensso.protocol.handler.pkgs, and required a value of com.sun.identity.protocol if the java.protocol.handler.pkgs property was set by the container.

org.forgerock.openam.audit.identity.activity.events.blacklist

A comma-separated list of audit events that won’t be logged.

For example, AM-ACCESS-ATTEMPT,AM-GROUP-CHANGE.

Logging all events can impact performance. You should log only those events you intend to monitor.

Changes to this property require a server restart.

Default: AM-ACCESS-ATTEMPT,AM-IDENTITY-CHANGE,AM-GROUP-CHANGE

org.forgerock.openam.authLevel.excludeRequiredOrRequisite

This property was used only for authentication with modules and chains and is no longer documented.

org.forgerock.openam.auth.audit.nodes.enabled

When true, AM generates audit log messages for each authentication node reached during authentication tree flows.

Possible values are true or false.

Default: true

org.forgerock.openam.auth.audit.trees.enabled

When true, AM generates audit log messages with the outcome of authentication tree flows.

Possible values are true or false.

Default: true

org.forgerock.openam.auth.transactionauth.returnErrorOnAuthFailure

Specifies whether AM returns an HTTP 200 or HTTP 401 message when the user fails to complete the required actions to perform session upgrade during transactional authorization. Possible values are:

false. AM returns an HTTP 200 message with the original SSO token.

For example:
```
{
    "tokenId": "AQIC5wM...TU3OQ*",
    "successUrl": "http://example.com/index.html",
    "realm": "/"
}
```
In this case, the user is redirected to the success URL and, when trying to access the protected resource, policy evaluation will fail since transactional authorization has failed.

true. AM returns an HTTP 401 message.

For example:

{
    "code":401,
    "reason":"Unauthorized",
    "message":"Login failure",
    "detail":{
        "failureUrl":"http://example.com/unauthorized.html"
    }
}

In this case, the user is redirected to the failure URL.

Default: false

org.forgerock.openam.authentication.accountExpire.days

Days until account expiration set after successful authentication by the account expiration post-authentication plugin.

Default: 30

org.forgerock.openam.authentication.forceAuth.enabled

This property was used only for authentication with modules and chains and is no longer documented.

org.forgerock.openam.console.autocomplete.enabled

Specifies whether input forms and password fields can be autocompleted. This property only affects end-user pages in the classic UI. Possible values are true, to enable autocomplete, and false, to disable it.

Default: true

org.forgerock.openam.core.resource.lookup.cache.enabled

Controls whether the results of resource file lookup should be cached.

While you are customizing the UI as described in UI customization, set this property to false to allow AM immediately to pick up changes to the files as you customize them.

Reset this to the default, true, when using AM in production.

Default: true

org.forgerock.openam.core.sms.always.fail.on.invalid.attributes

Specifies whether the server should throw an exception, when it encounters an unknown attribute while parsing file-based configurations. By default, the server ignores any unknown attributes, and doesn’t throw an exception. To override this behavior, set this property to true.

Default: false

org.forgerock.openam.core.sms.placeholder_api_enabled

For file-based configurations, enables property value substitution.

Takes the following values:

ON enables property value substitution for all property types.
STRING_ONLY enables property value substitution for properties with string values only.
OFF disables property value substitution.

Default: OFF

The recommended way to enable property value substitution is through a Java system property, rather than with this advanced server property.

org.forgerock.openam.cts.rest.enabled

Enables access to the CTS REST endpoint /json/tokens.

Even when access to the CTS REST endpoint is enabled, only the AM global administrator has authorization to perform operations against /json/tokens.

Default: false

After changing this property, you must restart AM or the container in which it runs for the change to take effect.

org.forgerock.openam.encryption.key.digest

Determines the digest algorithm used along with PBKDF2 key derivation method for AES Key Wrap encryption. Possible values are SHA1, SHA256, SHA384, or SHA512.

Set this property in AM’s web container’s startup script. Learn more in Use stronger encryption algorithms.

Default: SHA1

org.forgerock.openam.encryption.key.iterations

The number of iterations for the key derivation process specified in the org.forgerock.openam.encryption.key.digest advanced property.

Set this property in AM’s web container’s startup script. Learn more in Use stronger encryption algorithms.

Default:`10000`

org.forgerock.openam.encryption.key.size

The size of the derived key for the AES Key Wrap encryption operations.

Set this property in AM’s web container’s startup script. Learn more in Use stronger encryption algorithms.

Default: 128

org.forgerock.openam.encryption.useextractandexpand

Enables the algorithm to reduce the performance cost of AES Key Wrap encryption even when high-iteration counts are used. Possible values are true, to enable it, and false to disable it.

If you configure a large iteration count when this property is set to false, AM startup times may indicate a performance impact if there are many agents in your deployment.

Set this property in AM’s web container’s startup script. Learn more in Use stronger encryption algorithms.

Default: false

org.forgerock.openam.httpclienthandler.system.clients.connection.timeout

The time new client connections using the client handler will wait before timing out.

The value is a string specifying a number and a unit of time.

Restart AM or the container in which it runs for the change to take effect.

Default: 10 seconds

org.forgerock.openam.httpclienthandler.system.clients.max.connections

The maximum number of connections allowed in the pool available for clients using the client handler.

Use this property only when the org.forgerock.openam.httpclienthandler.system.clients.reuse.connections.enabled advanced server property is enabled.

Restart AM or the container in which it runs for the change to take effect.

Default: 64

org.forgerock.openam.httpclienthandler.system.clients.pool.ttl

The maximum time-to-live, in milliseconds, for pooled client connections using the client handler.

Restart AM or the container in which it runs for the change to take effect.

Default: Not set

org.forgerock.openam.httpclienthandler.system.clients.response.timeout

The time a client using the client handler will wait for a response before timing out.

The value is a string specifying a number and a unit of time.

Restart AM or the container in which it runs for the change to take effect.

Default: 10 seconds

org.forgerock.openam.httpclienthandler.system.clients.retry.failed.requests.enabled

Specifies whether the client handler should retry failed connections. Possible values are true or false.

Restart AM or the container in which it runs for the change to take effect.

Default: true

org.forgerock.openam.httpclienthandler.system.clients.reuse.connections.enabled

When true the client handler pools and reuses connections. Possible values are true or false.

Restart AM or the container in which it runs for changes to this property to take effect.

Default: true

org.forgerock.openam.httpclienthandler.system.nonProxyHosts

Lists the target hosts for which requests shouldn’t be proxied. Use commas to separate hostnames.

This property supports wildcards at the start and end of any value. For example, *.example.com would result in a match for customers.example.com and staff.example.com, and requests wouldn’t be proxied for those target hosts.

Configure alongside the org.forgerock.openam.httpclienthandler.system.proxy.uri and org.forgerock.openam.httpclienthandler.system.proxy.username advanced server properties.

Store the proxy password in a secret store, instead of in the configuration. Use the secret label am.servers.httpclienthandler.proxy.secret to map an alias for the password.

If AM finds a matching secret for the am.servers.httpclienthandler.proxy.secret label in a secret store, AM ignores the org.forgerock.openam.httpclienthandler.system.proxy.password advanced server property.

Default: localhost,127.*,[::1],0.0.0.0,[::0]

org.forgerock.openam.httpclienthandler.system.proxy.enabled

When set to true, AM routes outgoing HttpClientHandler requests through the HTTP proxy defined on the JVM.

Restart AM or the container in which it runs for the change to take effect.

This setting can be overridden at the request level. Learn more in the HTTP Client service settings.

Default: Not set

org.forgerock.openam.httpclienthandler.system.proxy.password

The password of the proxy that AM uses to route outgoing client handler requests.

For greater security, store the proxy password in a secret store, instead of in the configuration. Use the secret label am.servers.httpclienthandler.proxy.secret to map an alias for the password.

Configure alongside the org.forgerock.openam.httpclienthandler.system.proxy.username, org.forgerock.openam.httpclienthandler.system.proxy.uri, and org.forgerock.openam.httpclienthandler.system.nonProxyHosts advanced server properties.

If you change this password in the configuration, you must restart AM or the container in which it runs for the change to take effect. If you store the proxy password in a secret store, you can rotate the secret without having to restart AM.

This setting can be overridden at the request level. Learn more in the HTTP Client service settings.

Default: Not set

org.forgerock.openam.httpclienthandler.system.proxy.uri

The URI of the proxy that AM will use to route outgoing client handler requests. The URI must be in the format scheme://hostname:port. For example, https://myproxy.example.com:443.

If the proxy requires authentication, also configure the org.forgerock.openam.httpclienthandler.system.proxy.username and, optionally, the org.forgerock.openam.httpclienthandler.system.nonProxyHosts property.

Store the proxy password in a secret store. and use the secret label am.servers.httpclienthandler.proxy.secret to map an alias for the password. If AM finds a matching secret for the am.servers.httpclienthandler.proxy.secret label in a secret store, AM ignores the org.forgerock.openam.httpclienthandler.system.proxy.password advanced server property.

This property takes precedence over the org.forgerock.openam.httpclienthandler.system.proxy.enabled advanced server property and its related JVM properties.

Learn more in Configure AM for outbound communication.

Restart AM or the container in which it runs for the change to take effect.

This setting can be overridden at the request level. Learn more in the HTTP Client service settings.

Default: Not set

org.forgerock.openam.httpclienthandler.system.proxy.username

The username of the proxy AM will use to route outgoing client handler requests.

Configure alongside the org.forgerock.openam.httpclienthandler.system.proxy.password and org.forgerock.openam.httpclienthandler.system.proxy.uri advanced server properties.

Restart AM or the container in which it runs for the change to take effect.

This setting can be overridden at the request level. Learn more in the HTTP Client service settings.

Default: Not set

org.forgerock.openam.idm.attribute.names.lower.case

Specifies whether the fields in JSON responses are always returned in lowercase. When true, AM converts the fields to lowercase.

Default: false

org.forgerock.openam.introspect.token.query.param.allowed

Specifies whether AM allows HTTP GET requests, and the use of token as a query parameter in POST requests, on the oauth2/introspect endpoint.

For security reasons, and in accordance with the OAuth 2.0 Token Introspection specification, AM disallows HTTP GET requests on the introspection endpoint, and requires HTTP POST requests instead. AM also disallows the use of token as a query parameter in a POST request on that endpoint; for example, /oauth2/introspect?token=access-token.

If your clients in an existing deployment need to send a GET request or token as a query parameter to the oauth2/introspect endpoint, you can change this setting to true. However, it is recommended that you adjust your clients to use the more secure setting.

Default: false

org.forgerock.openam.ldap.default.time.limit

Configures the client-side timeout, in milliseconds, applied to LDAP operations performed with the Netscape LDAP SDK.

Default: 0 (no time limit)

org.forgerock.openam.ldap.dncache.expire.time

Sets the DN cache timeout, in milliseconds, after which an entry should be removed from the cache. A value of 0 means that the DN cache won’t expire, and entries won’t be removed automatically.

Setting this value too low can have a severe performance impact.

Default: 0 (no time limit)

org.forgerock.openam.ldap.heartbeat.timeout

The number of seconds AM should wait for a heartbeat operation to the DS server to complete, before considering the connection unavailable.

Some network administrators configure firewalls and load balancers to drop connections that are idle for too long. You can turn this off by setting the value to 0.

Default: 10

org.forgerock.openam.ldap.secure.protocol.version: The protocols AM uses to connect to a secure LDAP server.

Specify a single value, for example TLSv1.2, for AM to use only that protocol when connecting to affected external resources. Learn more in Secure network communication.

Specify a comma-separated list with multiple protocols for AM to use the most secure protocol supported by the external resources.

A value of TLSv1.3,TLSv1.2 means that AM attempts to use the TLSv1.3 protocol to connect to the configuration and user *s, but if a TLSv1.3 connection isn’t supported, AM uses TLSv1.2.

Default: TLSv1.3,TLSv1.2
org.forgerock.openam.notifications.agents.enabled: Controls whether to publish notifications for consumption by web agents and Java agents.

Learn more about notifications in the Web Agents Maintenance Guide and the Java Agents Maintenance Guide.

Default: true

org.forgerock.openam.oauth2.checkIssuerForIdTokenInfo: If set to true, a query to the /oauth2/idtokeninfo endpoint validates the iss (issuer) claim against the AM issuers. If the value of the iss claim differs from the AM issuer, AM returns the following error:

bad_request: Invalid id token issuer

Default: false

org.forgerock.openam.oauth2.tokenexpiry.skewAllowance: The period, in seconds, during which an OIDC ID token remains valid after its expiry time.

This property allows for clock skews between servers.

Default: 300 (5 minutes)

org.forgerock.openam.oauth2.client.graceperiod.disabled

Lets you override the default maximum refresh token grace period.

By default, you cannot set a grace period that exceeds 120 seconds. Setting this server property to true disables the maximum and lets you set any grace period up to the maximum positive integer value. This value affects the refresh token grace period set in the OAuth2.0 provider configuration or on any OAuth 2.0 clients.

Having a long grace period poses a security risk. You should therefore keep the grace period as small as possible. Exceeding the default maximum of 120 seconds is not recommended.

Default: false

org.forgerock.openam.oidc.SocialProvider.sub.claim.is.not.unique: By default, OIDC social authentication flows use the sub claim to identify the subject, in accordance with the OIDC specification, which mandates that the sub claim should uniquely identify the user.

However, some identity providers don’t provide a unique value for the sub claim. In this case, you can set this property to true. When set to true, AM uses the value of the Auth ID Key in the social provider configuration to identify the subject.

Default: false
org.forgerock.openam.openidconnect.allow.open.dynamic.registration: Controls whether OpenID Connect clients can register dynamically without providing an access token.

If you set this to true in production, take care to limit or throttle dynamic client registrations.

Default: false

org.forgerock.openam.radius.server.context.cache.size: Maximum number of RADIUS client sessions that can be cached concurrently on the AM server.

Default: 5000

org.forgerock.openam.redirecturlvalidator.maxUrlLength

Specifies the maximum length of redirection URLs validated by AM. The Validation Service and other AM services perform redirection URL validation. Learn more in Configure trusted URLs.

The default value should be adequate in most cases. Increase the default value as needed if messages similar to the following appear in your debug log files with message-level debugging enabled:

RedirectUrlValidator.isRedirectUrlValid: The url was length 2015 which is longer than the allowed maximum of 2000

Default: 2000

org.forgerock.openam.request.max.bytes.entity.size

Specifies the maximum size of the body of any request made to AM. Learn more in Limit the size of the request body.

The property is hot-swappable. You don’t need to restart AM for the changes to take effect.

Default: 1 MB (1048576 bytes)

org.forgerock.openam.secrets.keystore.keyid.provider

Specifies the name of the KeyStoreKeyIdProvider implementation AM uses to provide key ID (kids) to public keys when AM is configured as an OAuth 2.0 authorization server.

Learn more in Customizing Public Key IDs.

Default: org.forgerock.openam.secrets.DefaultKeyStoreKeyIdProvider.

org.forgerock.openam.secrets.googlekms.decryptionkey

Specifies the fully qualified resource ID of the Google Cloud KMS secret used to decrypt secrets as they are read from the filesystem, environment variables, or system properties.

This property may also specify the Google Cloud KMS secret used to decrypt the hash of the password of the amAdmin user, if the value of the org.forgerock.openam.secrets.special.user.passwords.format advanced server property is set to GOOGLE_KMS_ENCRYPTED.

Only one key can be specified at a time.

Learn more in Using Google Cloud KMS Secrets to Decrypt AM Secrets and Store the amAdmin password in a secret store.

This property has no default.

org.forgerock.openam.secrets.special.user.passwords.format

The format used to store the hash of the amAdmin user password.

Possible values are:

ENCRYPTED_PLAIN. The hash is encrypted with the AM encryption key.
PLAIN. The hash is unencrypted. The password must be randomly generated and have high entropy.
GOOGLE_KMS_ENCRYPTED. The hash is encrypted with the Google Cloud KMS secret specified in the org.forgerock.openam.secrets.googlekms.decryptionkey advanced server property.

Learn more in Store the amAdmin password in a secret store.

Default: ENCRYPTED_PLAIN

org.forgerock.openam.secrets.special.user.secret.refresh.seconds

The period, in seconds, after which the special administrator secret cache expires.

Learn more in Store the amAdmin password in a secret store.

Default: 900 (15 minutes)

org.forgerock.openam.session.stateless.encryption.method

Sets the encryption method for client-side sessions. Possible values are:

A128CBC-HS256. AES 128-bit in CBC mode using HMAC-SHA-256-128 hash (HS256 truncated to 128 bits)
A192CBC-HS384. AES 192-bit in CBC mode using HMAC-SHA-384-192 hash (HS384 truncated to 192 bits)
A256CBC-HS512. AES 256-bit in CBC mode using HMAC-SHA-512-256 hash (HS512 truncated to 256 bits)
A128GCM. AES 128-bit in GCM mode
A192GCM. AES 192-bit in GCM mode
A256GCM. AES 256-bit in GCM mode

Default: A128CBC-HS256

org.forgerock.openam.session.stateless.logout.cache.expiryCheckIntervalSeconds

The period (in seconds) after which the logout token cache purges expired entries. Changes to this property require a server restart.

Default: 60

Learn more in Invalidate all sessions for a user.

org.forgerock.openam.session.stateless.rsa.padding

Sets the padding mode for RSA encryption of client-side sessions. Possible values are:

RSA1_5. RSA with PKCS#1 v1.5 padding.
RSA-OAEP. RSA with OAEP and SHA-1.
RSA-OAEP-256. RSA with OAEP padding and SHA-256.

Default: RSA-OAEP-256

org.forgerock.openam.session.stateless.signing.allownone

Specifies whether signing client-side sessions is enabled. When true, AM allows selecting NONE as the signing algorithm for client-side sessions under Configure > Global Services > Session > Client-Side Sessions.

org.forgerock.openam.smtp.system.connect.timeout

Specifies the amount of time, in milliseconds, that AM waits before considering that an outbound SMTP connection is unavailable.

Default: 10000

org.forgerock.openam.smtp.system.socket.read.timeout

Specifies the amount of time, in milliseconds, that AM waits for an SMTP read request to receive an acknowledgement before returning an error.

Default: 10000

org.forgerock.openam.smtp.system.socket.write.timeout

Specifies the amount of time, in milliseconds, that AM waits for an SMTP write request to receive an acknowledgement before returning an error.

Default: 10000

org.forgerock.openam.slf4j.enableTraceInMessage

Controls whether trace-level logging messages are generated when message-level debug logging is enabled in AM.

Certain components that run in AM’s JVM write a large volume of trace-level debug records that aren’t required for troubleshooting in many cases. With this option set to false, trace-level debug records aren’t written for these components.

If you set this to true in production, take care to monitor the amount of disk space occupied by the AM debug logs.

Default: false

org.forgerock.openam.sso.providers.list

Specifies an ordered list of SSO providers. AM chooses the first applicable provider depending on the context for the requested SSO operation.

Default: org.forgerock.openidconnect.ssoprovider.OpenIdConnectSSOProvider, org.forgerock.openam.sso.providers.stateless.StatelessSSOProvider

org.forgerock.openam.trees.consumedstatedata.cache.size

Specifies the maximum number of trees in a realm for which to cache the results of "state" scans.

AM recursively scans the nodes and paths in authentication trees to determine the state data that each node consumes. Caching this information for a number of trees in each realm means AM doesn’t have to make multiple calls to get the tree’s structure.

If you have many complex authentication trees and a large number of realms, increasing this value may reduce the impact on performance of the consumed state scans.

Default: 15

org.forgerock.openam.xui.user.session.validation.enabled

Changes the UI’s behavior when an authenticated session expires. Possible values are false, where the user notices that their session has expired when trying to interact with the UI and they are redirected to the login screen, or true, where AM redirects the user to a page with the session expired message when their session expires. This prevents the display of possible sensitive information on the screen after a session expires.

This setting doesn’t apply to those users that are global or realm administrators, for example, amAdmin.

Default: true

org.forgerock.openidconnect.ssoprovider.maxcachesize

Maximum size in entries of the OpenIdConnectSSOProvider provider’s cache. This cache is used to map OIDC tokens to SSO tokens for quick lookup.

Default: 5000

org.forgerock.policy.subject.evaluation.cache.size

Maintains a record of subject IDs matched or not matched in a given session. The cache is keyed on the token ID and the session is cleared when destroyed.

Default: 10000

org.forgerock.security.entitlement.enforce.realm: By default, calls to the subjectattributes endpoint are enforced per realm.

Learn more in Query subject attributes.

Default: true

org.forgerock.security.oauth2.enforce.sub.claim.uniqueness

Specifies the format of the subject (sub) claim of an OAuth 2.0 access token, logout token, and OIDC ID token.

AM accepts tokens that use the old sub format, even if you enable this property. Before enabling this property, ensure that your clients can use the new sub claim format, or a combination of the sub and the subname claims.

About the subname Claim

The value of the subname claim matches the value of the sub claim used in versions of AM earlier than 7.1. It also matches the value of the sub claim if you disable the org.forgerock.security.oauth2.enforce.sub.claim.uniqueness property.

An example of the value of the subname claim is bjensen, or myOauth2Client.

AM adds this claim to access and ID tokens by default.

If you don’t want the subname claim added by default, disable the Include subname claim in tokens issued by the OAuth2 Provider property in the OAuth2 Provider service configuration.

Default: true for new installations, false for upgrades

Possible values are:

false.

The value of the sub claim is the username of the identity, or the name or the client that’s the subject of the token.

For example, bjensen, or myOauth2Client.
true.

The subject claim is in the format (type!subject), where:
- subject is the identifier of the user/identity, or the name of the OAuth 2.0/OpenID Connect client that is the subject of the token.
- type can be one of the following:
  - age. Indicates the subject is an OAuth 2.0/OpenID Connect-related user-agent or client. For example, an OAuth 2.0 client, a Remote Consent Service agent, and a Web and Java Agent internal client.
  - usr. Indicates the subject is a user/identity.

For example, (usr!bjensen), or (age!myOAuth2Client).

org.forgerock.services.cts.reaper.cache.pollFrequencyMilliseconds

How often to poll the reaper cache for tokens that have expired, and delete them.

By default, an AM instance will review its cache for tokens eligible for deletion every 100 milliseconds.

Default: 100 (milliseconds)

Learn more in Tune the CTS.

org.forgerock.services.cts.reaper.cache.size

The number of records an AM instance will store in its CTS reaper cache.

Default: 500000

Learn more in Tune the CTS.

org.forgerock.services.cts.reaper.search.gracePeriodMilliseconds

Specifies a grace period used when searching for expired tokens. Any tokens that expired more than the specified duration ago are returned.

Default: 300000 (milliseconds)

Learn more in Tune the CTS.

org.forgerock.services.cts.reaper.search.pollFrequencyMilliseconds

How often to perform a search for expired tokens in the CTS persistence store.

Default: 5000 (milliseconds)

Learn more in Tune the CTS.

org.forgerock.services.cts.reaper.search.tokenLimit

The maximum number of expired tokens to return to the AM reaper when searching the CTS store.

Default: 5000

Learn more in Tune the CTS.

org.forgerock.services.cts.store.ttlsupport.enabled

Specifies whether AM support for the DS entry expiration and deletion feature is enabled. Enabling this setting causes AM to clone the value of the coreTokenExpirationDate attribute to the coreTokenTtlDate attribute during token creation, which allows DS to index tokens using the coreTokenTtlDate attribute for the entry expiration and deletion feature.

This property doesn’t clone the values of tokens that were created before the setting was enabled.

Set this property to true in conjunction with the org.forgerock.services.cts.store.ttlsupport.exclusionlist advanced server property when you need to configure the AM reaper to manage the expiration time for a subset of the tokens in the CTS store only.

Learn more in Manage expired CTS tokens.

Default: false

org.forgerock.services.cts.store.reaper.enabled

Specifies whether the AM reaper is enabled.

Don’t disable the AM reaper unless you have a system in place to clean up expired tokens, such as the DS entry expiration and deletion feature.

Set this property to true in the following scenarios:

When the AM reaper must manage the expiration times for all the tokens in the CTS store.
When the AM reaper must manage the expiration time for a subset of the tokens in the CTS store.

Learn more in Manage expired CTS tokens.

Default: true

org.forgerock.services.cts.store.ttlsupport.exclusionlist

When the org.forgerock.services.cts.store.ttlsupport.enabled advanced server property is set to true, this property specifies a list of token types which won’t have their coreTokenExpirationDate data cloned. For example, SESSION.

The AM reaper will delete the excluded tokens when they expire.

The CTS token store lists the token types in use in your environment.

Learn more in Manage expired CTS tokens.
Default: Not set

org.forgerock.services.datalayer.connection.timeout

Timeout in seconds for LDAP connections to the configuration *.

Default: 10 (seconds)

Find the suggested settings in Tuning CTS Store LDAP Connections.

org.forgerock.services.datalayer.connection.timeout.cts.async

Timeout in seconds for LDAP connections used for most CTS operations.

Default: 10 (seconds)

Find the suggested settings in Tuning CTS Store LDAP Connections.

org.forgerock.services.datalayer.connection.timeout.cts.reaper

Timeout in seconds for the LDAP connection used for CTS token cleanup.

Default: None (don’t time out)

Find the suggested settings in Tuning CTS Store LDAP Connections.

org.forgerock.session.stateless.jwtcache.expiry.time

The maximum time, in seconds, that AM caches client-side session JWTs.

Setting a long cache timeout may be more efficient, but AM won’t detect if a client-side session JWT has expired or has become invalid until the cache expires.

The property is hot-swappable. You don’t need to restart AM for the changes to take effect.

Default: 10

org.forgerock.session.stateless.jwtcache.size

The size, in bytes, of the cache where AM stores client-side session JWTs.

Default: 10000

org.forgerock.openam.ldap.keepalive.search.base

Defines the search base for:

The heartbeat request that checks connections to the LDAP server are alive and prevents idle timeouts (keepalive).
The load balancer availability check.

The LDAP server connection pool will be marked as unavailable if the search fails with an error, returns no entries, or if more than one entry is returned.

If the search results in an error, AM fails to start up with an exception such as org.forgerock.opendj.ldap.ConnectionException: Connect Error: No operational connection factories available.

Default: [Empty]

org.forgerock.openam.ldap.keepalive.search.filter

Defines the search filter for:

The heartbeat request that checks connections to the LDAP server are alive and prevents idle timeouts (keepalive).
The load balancer availability check.

You can also use the absolute True and False filter (&).

The LDAP server connection pool will be marked as unavailable if the search fails with an error, returns no entries, or if more than one entry is returned.

If the search results in an error, AM fails to start up with an exception such as org.forgerock.opendj.ldap.ConnectionException: Connect Error: No operational connection factories available.

Default: (objectClass=*)

org.forgerock.am.auth.trees.authenticate.identified.identity: During authentication, AM records the type of user identified in an identity store. When this setting is enabled, AM uses these stored identities to decide which user to log in.

This lets the authentication trees engine correctly resolve identities that have the same username.

Learn more in the custom node documentation and scripted decision node API.

Default: true

org.forgerock.am.auth.node.versioning.enable.v1.audit.detail: The node version is logged in the Authentication log under the AM-NODE-LOGIN-COMPLETED event. When this property is set to true, version is logged for all node versions.

If false, version is logged only for node versions greater than 1.0.

Default: false

org.forgerock.am.oauth2.aiagents.enabled: Set this property to true to enable AI agents in AM.

Learn more in Enable AI agents.

Default: false

PingAM

Advanced properties