<?xml version="1.0" encoding="UTF-8"?>
<!--

    Copyright (c) 2006, 2020 Oracle and/or its affiliates. All rights reserved.

    This program and the accompanying materials are made available under the
    terms of the Eclipse Public License v. 2.0, which is available at
    http://www.eclipse.org/legal/epl-2.0.

    This Source Code may also be made available under the following Secondary
    Licenses when the conditions for such availability set forth in the
    Eclipse Public License v. 2.0 are satisfied: GNU General Public License,
    version 2 with the GNU Classpath Exception, which is available at
    https://www.gnu.org/software/classpath/license.html.

    SPDX-License-Identifier: EPL-2.0 OR GPL-2.0 WITH Classpath-exception-2.0

-->

<!-- ENTITIES -->
<!-- boolean

  Used in:
    access-log, admin-object-resource, appclient-module,              
    application-ref, availability-service, cluster, config,           
    connector-connection-pool, connector-module, connector-resource,  
    custom-resource, das-config, diagnostic-service,                  
    ejb-container-availability, ejb-module, event,                    
    external-jndi-resource, http-access-log, http-file-cache,         
    http-listener, http-protocol, iiop-listener, iiop-service,        
    j2ee-application, java-config, jdbc-connection-pool,              
    jdbc-resource, jms-availability, jms-service, jmx-connector,      
    lb-config, lifecycle-module, load-balancer, log-service,          
    mail-resource, management-rule, management-rules, mbean,          
    node-agent, persistence-manager-factory-resource, profiler,       
    resource-ref, security-service, server-ref, ssl,                  
    transaction-service, transformation-rule,                         
    web-container-availability, web-module, web-service-endpoint      
-->
<!ENTITY % boolean "(yes | no | on | off | 1 | 0 | true | false)">

<!-- isolation

  Used in:
    jdbc-connection-pool                                              
-->
<!ENTITY % isolation
    "(read-uncommitted | read-committed | repeatable-read | serializable)">    


<!-- validation-level

  Used in:
    das-config                                                        
-->
<!ENTITY % validation-level "(full | parsing | none)">

<!-- object-type
    defines the type of the resource. It can be:                      
    system-all                                                                 
        These are system resources for all instances and DAS          
    system-admin                                                               
        These are system resources only in DAS                        
    system-instance                                                            
        These are system resources only in instances (and not DAS)    
    user                                                                       
        User resources (This is the default for all elements)         

  Used in:
    admin-object-resource, connector-module, connector-resource,      
    custom-resource, ejb-module, external-jndi-resource,              
    j2ee-application, jdbc-resource, mail-resource, mbean,            
    persistence-manager-factory-resource, resource-adapter-config,    
    web-module                                                        
-->
<!ENTITY % object-type "(system-all | system-admin | system-instance | user)">

<!-- rjmx-protocol
    SE/EE related ENTITIES: This will define the available JSR 160    
    connector transport protocols.                                    

  Used in:
    jmx-connector                                                     
-->
<!ENTITY % rjmx-protocol "(rmi_jrmp | rmi_iiop | jmxmp)">

<!-- monitoring-level
    monitoring-level controls the amount of monitoring data collected 
    and exposed to clients                                            
    OFF                                                                        
        no monitoring/statistical data is exposed to the clients.     
    LOW                                                                        
        SE/EE only                                                    
    HIGH                                                                       
        maximum data is gathered and released.                        

  Used in:
    module-monitoring-levels, web-service-endpoint                    
-->
<!ENTITY % monitoring-level "(OFF | LOW | HIGH)">

<!-- persistence-type
    SE/EE related ENTITIES                                            

  Used in:
    web-container-availability                                        
-->
<!ENTITY % persistence-type "(memory | file | ha)">

<!-- session-save-frequency

  Used in:
    web-container-availability                                        
-->
<!ENTITY % session-save-frequency "(web-method | time-based | on-demand)">

<!-- session-save-scope

  Used in:
    web-container-availability                                        
-->
<!ENTITY % session-save-scope
    "(session | modified-session | modified-attribute)">                       


<!-- sfsb-persistence-type

  Used in:
    ejb-container-availability                                        
-->
<!ENTITY % sfsb-persistence-type "(file | ha)">

<!-- apply-to-type

  Used in:
    transformation-rule                                               
-->
<!ENTITY % apply-to-type "(request | response | both)">

<!-- lb-policy-type

  Used in:
    cluster-ref                                                       
-->
<!ENTITY % lb-policy-type
    "(round-robin | weighted-round-robin | user-defined)">                     


<!-- event-type

  Used in:
    event                                                             
-->
<!ENTITY % event-type
    "(log | timer | trace | monitor | cluster | lifecycle | notification)">    


<!-- message-layer

  Used in:
    message-security-config                                           
-->
<!ENTITY % message-layer "(SOAP | HttpServlet)">

<!-- log-level
    Configure the Log Levels for Various Loggers in the SUN ONE       
    Modules. The Default level is set to INFO, The log levels can be  
    changed using one of the seven levels. Please refer JSR 047 to    
    understand the Log Levels.                                        

    The Logs can be completely turned off by using 'OFF' value. The names of   
    the module loggers are self-explanatory                                    


  Used in:
    diagnostic-service, event, module-log-levels                      
-->
<!ENTITY % log-level
    "(FINEST | FINER | FINE | CONFIG | INFO | WARNING | SEVERE | OFF)">        


<!-- ELEMENTS -->

<!-- domain
    Top level Domain Element that includes applications, resources,   
    configs, servers, clusters and node-agents, load balancer         
    configurations and load balancers. node-agents and load balancers 
    are SE/EE related entities only.                                  

  attributes
    application-root                                                           
        for PE this defines the location where applications are       
        deployed                                                      
    locale                                                                     
        If present, overrides OS locale setting.                      
    log-root                                                                   
        specifies where the server instance's log files are kept,     
        including HTTP access logs, server logs, and transaction      
        logs. Default is $INSTANCE-ROOT/logs                          
-->
<!ELEMENT domain
    (applications?, resources?, configs, servers, clusters?, node-agents?,     
    lb-configs?, load-balancers?, system-property*, property*)>                


<!ATTLIST domain
    application-root CDATA #IMPLIED
    log-root CDATA #IMPLIED
    locale CDATA #IMPLIED>


<!-- configs

  Used in:
    domain                                                            
-->
<!ELEMENT configs (config+)>


<!-- servers

  Used in:
    domain                                                            
-->
<!ELEMENT servers (server*)>


<!-- clusters

  Used in:
    domain                                                            
-->
<!ELEMENT clusters (cluster*)>


<!-- node-agents

  Used in:
    domain                                                            
-->
<!ELEMENT node-agents (node-agent*)>


<!-- lb-configs

  Used in:
    domain                                                            
-->
<!ELEMENT lb-configs (lb-config*)>


<!-- applications
    Various types of applications that can be deployed on Sun ONE     
    Application Server instance                                       

  Used in:
    domain                                                            
-->
<!ELEMENT applications
    ((lifecycle-module | j2ee-application | ejb-module | web-module |          
    connector-module | appclient-module | mbean)*)>                            


<!-- lifecycle-module

  attributes
    class-name                                                                 
        fully qualified name of the startup class.                    
    classpath                                                                  
        where this module is actually located, if it is not under     
        applications-root                                             
    enabled                                                                    
        boolean attribute. If set to "false" this module will not be  
        loaded at server start up.                                    
    is-failure-fatal                                                           
        if true, aborts server start up if this module does not load  
        properly.                                                     
    load-order                                                                 
        integer value that can be used to force the order in which    
        deployed lifecycle modules are loaded at server start up.     
        Smaller numbered modules get loaded sooner. Order is          
        unspecified if two or more lifecycle modules have the same    
        load-order value.                                             
    name                                                                       
        unqiue identifier for the deployed server lifecycle event     
        listener module.                                              

  Used in:
    applications                                                      
-->
<!ELEMENT lifecycle-module (description?, property*)>

<!ATTLIST lifecycle-module
    name CDATA #REQUIRED
    class-name CDATA #REQUIRED
    classpath CDATA #IMPLIED
    load-order CDATA #IMPLIED
    is-failure-fatal %boolean; "false"
    enabled %boolean; "true">


<!-- j2ee-application

  attributes
    availability-enabled                                                       
        This boolean flag controls whether availability is enabled    
        for SFSB checkpointing (and potentially passivation). If this 
        is "false", then all SFSB checkpointing is disabled for       
        either the given j2ee app or the given ejb module. If it is   
        "true" (and providing that all the availability-enabled       
        attributes above in precedence are also "true", then the j2ee 
        app or stand-alone ejb modules may be ha enabled.             
        Finer-grained control exists at lower level inside each bean. 
        If this attribute is missing, it defaults to "false".         
    directory-deployed                                                         
        This attribute indicates whether the application has been     
        deployed to a directory or not                                
    java-web-start-enabled                                                     
        This attribute indicates whether Java Web Start access is     
        permitted to eligible application client(s) in this module    
    libraries                                                                  
        System dependent path separator [: for Unix/Solaris/Linux and 
        ; for Windows] separated list of jar paths. These paths could 
        be either relative [relative to                               
        {com.sun.aas.instanceRoot}/lib/applibs] or absolute paths.    
        These dependencies appears *after* the libraries defined in   
        classpath-prefix in the java-config and *before* the          
        application server provided over-rideable jar set. The        
        libraries would be made available to the application in the   
        order in which they were specified.                           

  Used in:
    applications                                                      
-->
<!ELEMENT j2ee-application (description?, web-service-endpoint*, property*)>

<!ATTLIST j2ee-application
    name CDATA #REQUIRED
    location CDATA #REQUIRED
    object-type %object-type; "user"
    enabled %boolean; "true"
    libraries CDATA #IMPLIED
    availability-enabled %boolean; "false"
    directory-deployed %boolean; "false"
    java-web-start-enabled %boolean; "true">


<!-- ejb-module

  attributes
    availability-enabled                                                       
        This boolean flag controls whether availability is enabled    
        for SFSB checkpointing (and potentially passivation). If this 
        is "false", then all SFSB checkpointing is disabled for       
        either the given j2ee app or the given ejb module. If it is   
        "true" (and providing that all the availability-enabled       
        attributes above in precedence are also "true", then the j2ee 
        app or stand-alone ejb modules may be ha enabled.             
        Finer-grained control exists at lower level inside each bean. 
        If this attribute is missing, it defaults to "false".         
    directory-deployed                                                         
        This attribute indicates whether the application has been     
        deployed to a directory or not                                
    libraries                                                                  
        System dependent path separator [: for Unix/Solaris/Linux and 
        ; for Windows] separated list of jar paths. These paths could 
        be either relative [relative to                               
        {com.sun.aas.instanceRoot}/lib/applibs] or absolute paths.    
        These dependencies appears *after* the libraries defined in   
        classpath-prefix in the java-config and *before* the          
        application server provided over-rideable jar set. The        
        libraries would be made available to the application in the   
        order in which they were specified.                           

  Used in:
    applications                                                      
-->
<!ELEMENT ejb-module (description?, web-service-endpoint*, property*)>

<!ATTLIST ejb-module
    name CDATA #REQUIRED
    location CDATA #REQUIRED
    object-type %object-type; "user"
    enabled %boolean; "true"
    libraries CDATA #IMPLIED
    availability-enabled %boolean; "false"
    directory-deployed %boolean; "false">


<!-- web-module

  attributes
    availability-enabled                                                       
        This boolean flag controls whether availability is enabled    
        for HTTP Session Persistence. If this is "false", then all    
        session persistence is disabled for the given web module. If  
        it is "true" (and providing that all the availability-enabled 
        attributes above in precedence are also "true", then the web  
        module may be ha enabled. Finer-grained control exists at     
        lower level (see sun-web.xml). If this attribute is missing,  
        it defaults to "false".                                       
    context-root                                                               
        context-root must match the pattern for the hpath production  
        in RFC 1738 which can be found at:                            
        http://www.w3.org/Addressing/rfc1738.txt. This is flattened   
        to the following regular expression in XML Schema's pattern   
        language:                                                     
        ([a-zA-Z0-9$\-_.+!*'(),]|%[0-9A-Fa-f][0-9A-Fa-f]|;|:|&|=)*(/([
        -zA-Z0-9$\-_.+!*'(),]|%[0-9A-Fa-f][0-9A-Fa-f]|;|:|&|=)*)*     
        Note that this includes the null or empty context root and    
        permits but does not require a context root to start with the 
        '/' character (including a context root which is simply the   
        '/' character).                                               
    directory-deployed                                                         
        This attribute indicates whether the application has been     
        deployed to a directory or not                                
    libraries                                                                  
        System dependent path separator [: for Unix/Solaris/Linux and 
        ; for Windows] separated list of jar paths. These paths could 
        be either relative [relative to                               
        {com.sun.aas.instanceRoot}/lib/applibs] or absolute paths.    
        These dependencies appears *after* the libraries defined in   
        classpath-prefix in the java-config and *before* the          
        application server provided over-rideable jar set. The        
        libraries would be made available to the application in the   
        order in which they were specified.                           

  Used in:
    applications                                                      
-->
<!ELEMENT web-module (description?, web-service-endpoint*, property*)>

<!ATTLIST web-module
    name CDATA #REQUIRED
    context-root CDATA #REQUIRED
    location CDATA #REQUIRED
    object-type %object-type; "user"
    enabled %boolean; "true"
    libraries CDATA #IMPLIED
    availability-enabled %boolean; "false"
    directory-deployed %boolean; "false">


<!-- connector-module

  Used in:
    applications                                                      
-->
<!ELEMENT connector-module (description?, property*)>

<!ATTLIST connector-module
    name CDATA #REQUIRED
    location CDATA #REQUIRED
    object-type %object-type; "user"
    enabled %boolean; "true"
    directory-deployed %boolean; "false">


<!-- appclient-module

  attributes
    java-web-start-enabled                                                     
        This attribute indicates whether Java Web Start access is     
        permitted to eligible application client(s) in this module    

  Used in:
    applications                                                      
-->
<!ELEMENT appclient-module (description?, property*)>

<!ATTLIST appclient-module
    name CDATA #REQUIRED
    location CDATA #REQUIRED
    directory-deployed %boolean; "false"
    java-web-start-enabled %boolean; "true">


<!-- resources
    J2EE Applications look up resources registered with the           
    Application server, using portable JNDI names.                    

  Used in:
    domain                                                            
-->
<!ELEMENT resources
    ((custom-resource | external-jndi-resource | jdbc-resource | mail-resource 
    | persistence-manager-factory-resource | admin-object-resource |           
    connector-resource | resource-adapter-config | jdbc-connection-pool |      
    connector-connection-pool)*)>                                              


<!-- description
    Textual description of a configured entity                        

  Used in:
    admin-object-resource, appclient-module,                          
    connector-connection-pool, connector-module, connector-resource,  
    custom-resource, ejb-module, event, external-jndi-resource,       
    j2ee-application, jdbc-connection-pool, jdbc-resource,            
    lifecycle-module, mail-resource, management-rule, mbean,          
    persistence-manager-factory-resource, property, system-property,  
    web-module                                                        
-->
<!ELEMENT description (#PCDATA)>


<!-- custom-resource
    custom (or generic) resource managed by a user-written factory    
    class.                                                            

  attributes
    jndi-name                                                                  
        JNDI name for generic resource, the fully qualified type of   
        the resource and whether it is enabled at runtime             

  Used in:
    resources                                                         
-->
<!ELEMENT custom-resource (description?, property*)>

<!ATTLIST custom-resource
    jndi-name CDATA #REQUIRED
    res-type CDATA #REQUIRED
    factory-class CDATA #REQUIRED
    object-type %object-type; "user"
    enabled %boolean; "true">


<!-- external-jndi-resource
    resource residing in an external JNDI repository                  

  Used in:
    resources                                                         
-->
<!ELEMENT external-jndi-resource (description?, property*)>

<!ATTLIST external-jndi-resource
    jndi-name CDATA #REQUIRED
    jndi-lookup-name CDATA #REQUIRED
    res-type CDATA #REQUIRED
    factory-class CDATA #REQUIRED
    object-type %object-type; "user"
    enabled %boolean; "true">


<!-- jdbc-resource
    JDBC javax.sql.(XA)DataSource resource definition                 

  Used in:
    resources                                                         
-->
<!ELEMENT jdbc-resource (description?, property*)>

<!ATTLIST jdbc-resource
    jndi-name CDATA #REQUIRED
    pool-name CDATA #REQUIRED
    object-type %object-type; "user"
    enabled %boolean; "true">


<!-- mail-resource
    The mail-resource element describes a jakarta.mail.Session resource 

  attributes
    host                                                                       
        ip V6 or V4 address or hostname.                              

  Used in:
    resources                                                         
-->
<!ELEMENT mail-resource (description?, property*)>

<!ATTLIST mail-resource
    jndi-name CDATA #REQUIRED
    store-protocol CDATA "imap"
    store-protocol-class CDATA "com.sun.mail.imap.IMAPStore"
    transport-protocol CDATA "smtp"
    transport-protocol-class CDATA "com.sun.mail.smtp.SMTPTransport"
    host CDATA #REQUIRED
    user CDATA #REQUIRED
    from CDATA #REQUIRED
    debug %boolean; "false"
    object-type %object-type; "user"
    enabled %boolean; "true">


<!-- persistence-manager-factory-resource
    Persistence Manager runtime configuration.                        

  attributes
    factory-class                                                              
        Class that creates persistence manager instance.              
    jdbc-resource-jndi-name                                                    
        jdbc resource with which database connections are obtained.   
    jndi-name                                                                  
        JNDI name for this resource                                   

  Used in:
    resources                                                         
-->
<!ELEMENT persistence-manager-factory-resource (description?, property*)>

<!ATTLIST persistence-manager-factory-resource
    jndi-name CDATA #REQUIRED
    factory-class CDATA "com.sun.jdo.spi.persistence.support.sqlstore.impl.PersistenceManagerFactoryImpl"
    jdbc-resource-jndi-name CDATA #IMPLIED
    object-type %object-type; "user"
    enabled %boolean; "true">


<!-- admin-object-resource
    The admin-object-resource element describes a administered object 
    for a inbound resource adapter.                                   

  attributes
    jndi-name                                                                  
        JNDI name for this resource                                   
    res-adapter                                                                
        Name of the inbound resource adapter.                         
    res-type                                                                   
        Interface definition for the administered object              

  Used in:
    resources                                                         
-->
<!ELEMENT admin-object-resource (description?, property*)>

<!ATTLIST admin-object-resource
    jndi-name CDATA #REQUIRED
    res-type CDATA #REQUIRED
    res-adapter CDATA #REQUIRED
    object-type %object-type; "user"
    enabled %boolean; "true">


<!-- connector-resource

  Used in:
    resources                                                         
-->
<!ELEMENT connector-resource (description?, property*)>

<!ATTLIST connector-resource
    jndi-name CDATA #REQUIRED
    pool-name CDATA #REQUIRED
    object-type %object-type; "user"
    enabled %boolean; "true">


<!-- resource-adapter-config
    This element is for configuring the resource adapter. These       
    values (properties) over-rides the default values present in      
    ra.xml. The name attribute has to be unique . It is optional for  
    PE. It is used mainly for EE.                                     

  Used in:
    resources                                                         
-->
<!ELEMENT resource-adapter-config (property*)>

<!ATTLIST resource-adapter-config
    name CDATA #IMPLIED
    thread-pool-ids CDATA #IMPLIED
    object-type %object-type; "user"
    resource-adapter-name CDATA #REQUIRED>


<!-- config
    The configuration defines the configuration of a server instance  
    that can be shared by other server instances. The                 
    availability-service and are SE/EE only.                          

  attributes
    dynamic-reconfiguration-enabled                                            
        When set to "true" then any changes to the system (e.g.       
        applications deployed, resources created) will be             
        automatically applied to the affected servers without a       
        restart being required. When set to "false" such changes will 
        only be picked up by the affected servers when each server    
        restarts.                                                     

  Used in:
    configs                                                           
-->
<!ELEMENT config
    (http-service, iiop-service, admin-service, connector-service?,            
    web-container, ejb-container, mdb-container, jms-service?, log-service,    
    security-service, transaction-service, monitoring-service,                 
    diagnostic-service?, java-config, availability-service?, thread-pools,     
    alert-service?, group-management-service?, management-rules?,              
    system-property*, property*)>                                              


<!ATTLIST config
    name CDATA #REQUIRED
    dynamic-reconfiguration-enabled %boolean; "true">


<!-- alert-service
    The Alert service provides a mechanism for users to register for  
    and receive alerts. The alert service collects together a set of  
    alert subscriptions                                               

  Used in:
    config                                                            
-->
<!ELEMENT alert-service (alert-subscription*, property*)>


<!-- alert-subscription
    alert subscription details a specific subscription. The           
    subscription comprises the configuration of a specific listener,  
    and a filter to be applied.                                       

  attributes
    name                                                                       
        The unique name identifying a particular alert service.       

  Used in:
    alert-service                                                     
-->
<!ELEMENT alert-subscription (listener-config, filter-config?)>

<!ATTLIST alert-subscription
    name CDATA #REQUIRED>


<!-- listener-config
    connects a specific listener class with specific managed objects  

  attributes
    listener-class-name                                                        
        The name of a class that can act as a listener for alerts.    
        Non-empty string containing a Java class name.                
    subscribe-listener-with                                                    
        A list of managed object names that the listener should be    
        subscribed to. A non-empty, comma separated list.             

  Used in:
    alert-subscription                                                
-->
<!ELEMENT listener-config (property*)>

<!ATTLIST listener-config
    listener-class-name CDATA #REQUIRED
    subscribe-listener-with CDATA #REQUIRED>


<!-- filter-config
    filter-config provides the means of specifying a filter to be     
    applied to alerts                                                 

  attributes
    filter-class-name                                                          
        The name of a class that can act as a filter. Non-empty       
        string containing a Java class name.                          

  Used in:
    alert-subscription                                                
-->
<!ELEMENT filter-config (property*)>

<!ATTLIST filter-config
    filter-class-name CDATA #REQUIRED>


<!-- http-service

  Used in:
    config                                                            
-->
<!ELEMENT http-service
    (access-log?, http-listener+, virtual-server+, request-processing?,        
    keep-alive?, connection-pool?, http-protocol?, http-file-cache?,           
    property*)>                                                                


<!-- access-log

  attributes
    format                                                                     
        The global format for the access log rotation-policy The      
        policy based on which the log rotation would be done . At     
        this time only time based rotation is enabled.                
    rotation-enabled                                                           
        The flag for enabling the access-log rotation                 
    rotation-interval-in-minutes                                               
        The time interval in minutes between two successive rotations 
        of the access logs.                                           
    rotation-suffix                                                            
        The suffix to be added to the access-log name after rotation. 
        Acceptable values include those supported by                  
        java.text.SimpleDateFormat and                                
        "%YYYY;%MM;%DD;-%hh;h%mm;m%ss;s".                             

  Used in:
    http-service                                                      
-->
<!ELEMENT access-log EMPTY>

<!ATTLIST access-log
    format CDATA "%client.name% %auth-user-name% %datetime% %request% %status% %response.length%"
    rotation-policy (time) "time"
    rotation-interval-in-minutes CDATA "1440"
    rotation-suffix CDATA "yyyyMMdd-HH'h'mm'm'ss's'"
    rotation-enabled %boolean; "true">


<!-- http-listener

  attributes
    acceptor-threads                                                           
        Number of acceptor threads for the listen socket. The         
        recommended value is the number of processors in the machine. 
    address                                                                    
        IP address of the listen socket. Can be in dotted-pair or     
        IPv6 notation. Can also be any for INADDR-ANY. Configuring a  
        listen socket to listen on any is required if more than one   
        http-listener is configured to it.                            
    blocking-enabled                                                           
        Enables blocking for the listen and external ports.           
    default-virtual-server                                                     
        The id attribute of the default virtual server for this       
        particular connection group.                                  
    external-port                                                              
        The port at which the user makes a request , typically a      
        proxy server port.                                            
    family                                                                     
        Specified the family of addresses either inet or ncsa         
    id                                                                         
        Unique identifier for http listener.                          
    port                                                                       
        Port number to create the listen socket on. Legal values are  
        1 - 65535. On Unix, creating sockets that listen on ports 1 - 
        1024 requires superuser privileges. Configuring an SSL listen 
        socket to listen on port 443 is recommended.                  
    redirect-port                                                              
        if the connector is supporting non-SSL requests and a request 
        is received for which a matching security-constraint requires 
        SSL transport catalina will automatically redirect the        
        request to the port number specified here                     
    security-enabled                                                           
        Determines whether the http listener runs SSL. You can turn   
        SSL2 or SSL3 on or off and set ciphers using an ssl element.  
        The enable-ssl in the protocol element should be set to true  
        for this setting to work.                                     
    server-name                                                                
        Tells the server what to put in the host name section of any  
        URLs it sends to the client. This affects URLs the server     
        automatically generates; it doesnt affect the URLs for        
        directories and files stored in the server. This name should  
        be the alias name if your server uses an alias. If you append 
        a colon and port number, that port will be used in URLs the   
        server sends to the client.                                   
    xpowered-by                                                                
        The Servlet 2.4 spec defines a special X-Powered-By:          
        Servlet/2.4 header, which containers may add to               
        servlet-generated responses. This is complemented by the JSP  
        2.0 spec, which defines a X-Powered-By: JSP/2.0 header to be  
        added (on an optional basis) to responses utilizing JSP       
        technology. The goal of these headers is to aid in gathering  
        statistical data about the use of Servlet and JSP technology. 
        If true, these headers will be added.                         

  Used in:
    http-service                                                      
-->
<!ELEMENT http-listener (ssl?, property*)>

<!ATTLIST http-listener
    id CDATA #REQUIRED
    address CDATA #REQUIRED
    port CDATA #REQUIRED
    external-port CDATA #IMPLIED
    family (inet | ncsa) "inet"
    blocking-enabled %boolean; "false"
    acceptor-threads CDATA "1"
    security-enabled %boolean; "false"
    default-virtual-server CDATA #REQUIRED
    server-name CDATA #REQUIRED
    redirect-port CDATA #IMPLIED
    xpowered-by %boolean; "true"
    enabled %boolean; "true">


<!-- ssl
    Define SSL processing parameters                                  

  attributes
    cert-nickname                                                              
        nickname of the server certificate in the certificate         
        database or the PKCS#11 token. In the certificate, the name   
        format is tokenname:nickname. Including the tokenname: part   
        of the name in this attribute is optional.                    
    client-auth-enabled                                                        
        Determines whether SSL3 client authentication is performed on 
        every request, independent of ACL-based access control.       
    ssl2-ciphers                                                               
        A comma-separated list of the SSL2 ciphers used, with the     
        prefix + to enable or - to disable, for example +rc4. Allowed 
        values are rc4, rc4export, rc2, rc2export, idea, des,         
        desede3. If no value is specified, all supported ciphers are  
        assumed to be enabled. NOT Used in PE                         
    ssl2-enabled                                                               
        Determines whether SSL2 is enabled. NOT Used in PE. SSL2 is   
        not supported by either iiop or web-services. When this       
        element is used as a child of the iiop-listener element then  
        the only allowed value for this attribute is "false".         
    ssl3-enabled                                                               
        Determines whether SSL3 is enabled.                           

        If both SSL2 and SSL3 are enabled for a virtual server, the server     
        tries SSL3 encryption first. If that fails, the server tries SSL2      
        encryption.                                                            

    ssl3-tls-ciphers                                                           
        A comma-separated list of the SSL3 ciphers used, with the     
        prefix + to enable or - to disable, for example               
        +SSL_RSA_WITH_RC4_128_MD5. Allowed SSL3/TLS values are        
        SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_3DES_EDE_CBC_SHA,      
        SSL_RSA_WITH_DES_CBC_SHA, SSL_RSA_EXPORT_WITH_RC4_40_MD5,     
        SSL_RSA_WITH_NULL_MD5, SSL_RSA_WITH_RC4_128_SHA,              
        SSL_RSA_WITH_NULL_SHA. If no value is specified, all          
        supported ciphers are assumed to be enabled.                  
    tls-enabled                                                                
        Determines whether TLS is enabled.                            
    tls-rollback-enabled                                                       
        Determines whether TLS rollback is enabled. TLS rollback      
        should be enabled for Microsoft Internet Explorer 5.0 and     
        5.5. NOT Used in PE                                           

  Used in:
    http-listener, iiop-listener, jmx-connector, ssl-client-config    
-->
<!ELEMENT ssl EMPTY>

<!ATTLIST ssl
    cert-nickname CDATA #REQUIRED
    ssl2-enabled %boolean; "false"
    ssl2-ciphers CDATA #IMPLIED
    ssl3-enabled %boolean; "true"
    ssl3-tls-ciphers CDATA #IMPLIED
    tls-enabled %boolean; "true"
    tls-rollback-enabled %boolean; "true"
    client-auth-enabled %boolean; "false">


<!-- virtual-server
    Configuration of Virtual Server                                   

    Virtualization in Application Server allows multiple URL domains to be     
    served by the same HTTP server process, which is listening on multiple     
    host addresses If an application is available at two virtual servers, they 
    still share same physical resource pools, such as JDBC connection pools.   

    Sun ONE Application Server allows a list of virtual servers, to be         
    specified along with web-module and j2ee-application elements. This        
    establishes an association between URL domains, represented by the virtual 
    server and the web modules (standalone web modules or web modules inside   
    the ear file)                                                              


  attributes
    default-web-module                                                         
        stand alone web module associated with this virtual server by 
        default.                                                      
    docroot                                                                    
        The location on the filesystem where the files related to the 
        content to be served by this virtual server is stored.        
    hosts                                                                      
        A comma-separated list of values allowed in the Host request  
        header to select the current virtual server. Each Virtual     
        Server that is configured to the same Connection Group must   
        have a unique hosts value for that group.                     
    http-listeners                                                             
        A comma-separated list of http-listener id(s), Required only  
        for a Virtual Server that is not the default virtual server.  
    id                                                                         
        Virtual server ID. This is a unique ID that allows lookup of  
        a specific virtual server. A virtual server ID cannot begin   
        with a number.                                                
    log-file                                                                   
        Specifies a log file for virtual-server-specific log          
        messages. Default value is                                    
        ${com.sun.aas.instanceRoot}/logs/server.log                   
    state                                                                      
        Determines whether a Virtual Server is active (on) or         
        inactive (off, disable). The default is on (active). When     
        inactive, a Virtual Server does not service requests.         
        off                                                                    
            returns a 404: Status code (404) indicating that the      
            requested resource is not available                       
        disabled                                                               
            returns a 403: Status code (403) indicating the server    
            understood the request but refused to fulfill it.         

  Used in:
    http-service                                                      
-->
<!ELEMENT virtual-server (http-access-log?, property*)>

<!ATTLIST virtual-server
    id CDATA #REQUIRED
    http-listeners CDATA #IMPLIED
    default-web-module CDATA #IMPLIED
    hosts CDATA #REQUIRED
    state (on | off | disabled) "on"
    docroot CDATA #IMPLIED
    log-file CDATA "${com.sun.aas.instanceRoot}/logs/server.log">


<!-- http-access-log

  attributes
    iponly                                                                     
        if the IP address of the user agent should be specified or a  
        DNL lookup should be done                                     
    log-directory                                                              
        location of the access logs specified as a directory.This     
        defaults to the domain.log-root, which by default is          
        ${INSTANCE_ROOT}/logs. Hence the default value for this       
        attribute is ${INSTANCE_ROOT}/logs/access                     

  Used in:
    virtual-server                                                    
-->
<!ELEMENT http-access-log EMPTY>

<!ATTLIST http-access-log
    log-directory CDATA "${com.sun.aas.instanceRoot}/logs/access"
    iponly %boolean; "true">


<!-- request-processing
    This element provides attributes to configure the request         
    processing subsystem in the HTTP service.                         

  attributes
    header-buffer-length-in-bytes                                              
        The size of the buffer used by the request processing threads 
        for reading the request data                                  
    initial-thread-count                                                       
        The no of request processing threads when the http service is 
        initialized                                                   
    request-timeout-in-seconds                                                 
        Time after which the request times out                        
    thread-count                                                               
        Max no of request processing threads.                         
    thread-increment                                                           
        The increment in the no of request processing threads when    
        the no. of requests reaches the number specified by           
        request-threads-init                                          

  Used in:
    http-service                                                      
-->
<!ELEMENT request-processing EMPTY>

<!ATTLIST request-processing
    thread-count CDATA "128"
    initial-thread-count CDATA "48"
    thread-increment CDATA "10"
    request-timeout-in-seconds CDATA "30"
    header-buffer-length-in-bytes CDATA "4096">


<!-- keep-alive
    Keep-alive subsystem configuration                                

  attributes
    max-connections                                                            
        Max no of connection in the Keep Alive mode                   
    thread-count                                                               
        no of Keep Alive threads in the system                        
    timeout-in-seconds                                                         
        Keep Alive timeout , max time a connection can be deemed as   
        idle and kept in the keep-alive state                         

  Used in:
    http-service                                                      
-->
<!ELEMENT keep-alive EMPTY>

<!ATTLIST keep-alive
    thread-count CDATA "1"
    max-connections CDATA "256"
    timeout-in-seconds CDATA "30">


<!-- connection-pool

  attributes
    max-pending-count                                                          
        Max no of pending connections on the listen socket            
    queue-size-in-bytes                                                        
        Size in bytes of the Connection queue                         
    receive-buffer-size-in-bytes                                               
        The buffer size of the receive buffer used by sockets.        
    send-buffer-size-in-bytes                                                  
        The buffer size of the send buffer used by sockets.           

  Used in:
    http-service                                                      
-->
<!ELEMENT connection-pool EMPTY>

<!ATTLIST connection-pool
    queue-size-in-bytes CDATA "4096"
    max-pending-count CDATA "4096"
    receive-buffer-size-in-bytes CDATA "4096"
    send-buffer-size-in-bytes CDATA "8192">


<!-- http-protocol
    HTTP Protocol related settings                                    

  attributes
    default-response-type                                                      
        Setting the default response-type. Specified as a semi-colon  
        delimited string consisting of content-type, encoding,        
        language, charset                                             
    dns-lookup-enabled                                                         
        If the DNS name for a particular ip address from which the    
        request originates needs to be looked up.                     
    forced-response-type                                                       
        The response type to be forced if the content served cannot   
        be matched by any of the MIME mappings for extensions.        
        Specified as a semi-colon delimited string consisting of      
        content-type, encoding, language, charset                     
    ssl-enabled                                                                
        Globally enables SSL across the server                        
    version                                                                    
        The version of the HTTP protocol used by the HTTP Service     

  Used in:
    http-service                                                      
-->
<!ELEMENT http-protocol EMPTY>

<!ATTLIST http-protocol
    version CDATA "HTTP/1.1"
    dns-lookup-enabled %boolean; "false"
    forced-response-type CDATA "text/html; charset=iso-8859-1"
    default-response-type CDATA "text/html; charset=iso-8859-1"
    ssl-enabled %boolean; "true">


<!-- http-file-cache

  attributes
    file-caching-enabled                                                       
        Enables the caching of file content if the file size is less  
        than the one specified ny med-file-size-limit                 
    file-transmission-enabled                                                  
        This is valid on Windows only. Enables the TransmitFileSystem 
        call.                                                         
    globally-enabled                                                           
        globally enables the file cache                               
    hash-init-size                                                             
        Initial no. of hash buckets.                                  
    max-age-in-seconds                                                         
        Maximum age of a valid cache entry                            
    max-files-count                                                            
        Maximum no. of files in the file cache.                       
    medium-file-size-limit-in-bytes                                            
        Maximum size of a cached file that can be stored as a memory  
        mapped file.                                                  
    medium-file-space-in-bytes                                                 
        Total size of all files that are cached as memory mapped      
        files.                                                        
    small-file-size-limit-in-bytes                                             
        Maximum size of a file that can be read into memory.          
    small-file-space-in-bytes                                                  
        Total size of the files that are read into memory.            

  Used in:
    http-service                                                      
-->
<!ELEMENT http-file-cache EMPTY>

<!ATTLIST http-file-cache
    globally-enabled %boolean; "true"
    file-caching-enabled %boolean; "on"
    max-age-in-seconds CDATA "30"
    medium-file-size-limit-in-bytes CDATA "537600"
    medium-file-space-in-bytes CDATA "10485760"
    small-file-size-limit-in-bytes CDATA "2048"
    small-file-space-in-bytes CDATA "1048576"
    file-transmission-enabled %boolean; "false"
    max-files-count CDATA "1024"
    hash-init-size CDATA "0">


<!-- iiop-service

  Used in:
    config                                                            
-->
<!ELEMENT iiop-service (orb, ssl-client-config?, iiop-listener*)>

<!ATTLIST iiop-service
    client-authentication-required %boolean; "false">


<!-- orb
    Orb Configuration properties                                      

  attributes
    max-connections                                                            
        maximum number of incoming connections, on all listeners      
    message-fragment-size                                                      
        GIOPv1.2 messages larger than this will get fragmented.       
        Minimum value is 128.                                         
    use-thread-pool-ids                                                        
        This would refer to the thread-pool-id(s) defined in the      
        thread-pool sub-element of thread-pool-config element in      
        server.xml. These would be the threadpool(s) used by the ORB. 
        More than one thread-pool-id(s) could be specified by using   
        commas to separate the names e.g. orb-thread-pool-1,          
        orb-thread-pool-2                                             

  Used in:
    iiop-service                                                      
-->
<!ELEMENT orb (property*)>

<!ATTLIST orb
    use-thread-pool-ids CDATA #REQUIRED
    message-fragment-size CDATA "1024"
    max-connections CDATA "1024">


<!-- ssl-client-config
    ssl-client-config element specifies the SSL configuration when    
    the Application Server is making outbound IIOP/SSL connections.   

  Used in:
    iiop-service                                                      
-->
<!ELEMENT ssl-client-config (ssl)>


<!-- iiop-listener

  children
    ssl                                                                        
        element specifies optional SSL configuration. Note that the   
        ssl2 ciphers are not supported for iiop, and therefore must   
        be disabled.                                                  

  attributes
    address                                                                    
        ip V6 or V4 address or hostname.                              
    enabled                                                                    
        if false, a configured listener, is disabled                  
    id                                                                         
        unique identifier for this listener.                          
    port                                                                       
        port number                                                   
    security-enabled                                                           
        Determines whether the iiop listener runs SSL. You can turn   
        SSL2 or SSL3 on or off and set ciphers using an ssl element   

  Used in:
    iiop-service                                                      
-->
<!ELEMENT iiop-listener (ssl?, property*)>

<!ATTLIST iiop-listener
    id CDATA #REQUIRED
    address CDATA #REQUIRED
    port CDATA "1072"
    security-enabled %boolean; "false"
    enabled %boolean; "true">


<!-- admin-service
    Admin Service exists in every instance. It is the configuration   
    for either a normal server, DAS or PE instance.                   

  attributes
    type                                                                       
        an instance can either be of type                             
        das                                                                    
            Domain Administration Server in SE/EE or the PE instance  
        das-and-server                                                         
            same as das                                               
        server                                                                 
            Any non-DAS instance in SE/EE. Not valid for PE.          

  Used in:
    config                                                            
-->
<!ELEMENT admin-service (jmx-connector*, das-config?, property*)>

<!ATTLIST admin-service
    type (das | das-and-server | server) "server"
    system-jmx-connector-name CDATA #IMPLIED>


<!-- connector-service
    Configuration of the Connector Container. The attributes          
    specified in the connector container would apply to all resource  
    adapters deployed in this cluster/server-instance                 

  attributes
    shutdown-timeout-in-seconds                                                
        integer value (default 30 seconds). Represents the time-out,  
        in seconds, that would be allowed by the application server,  
        during shutdown, to call the ResourceAdapter.stop() method of 
        this connector module's instance to complete.                 

        Resource Adapters that take longer than the specified                  
        shutdown-timeout-in-seconds time interval would be ignored and the     
        application server shutdown procedure would continue.                  


  Used in:
    config                                                            
-->
<!ELEMENT connector-service EMPTY>

<!ATTLIST connector-service
    shutdown-timeout-in-seconds CDATA "30">


<!-- jmx-connector
    The jmx-connector element defines the configuration of a JSR 160  
    compliant remote JMX Connector.                                   

  attributes
    accept-all                                                                 
        Determines whether the connection can be made on all the      
        network interfaces. A value of false implies that the         
        connections only for this specific address will be selected.  
        This attribute is ignored for SJS AS 8.1.                     
    address                                                                    
        Specifies the IP address or host-name. Ignored for SJS AS 8.1.
    auth-realm-name                                                            
        The name of the auth-realm in this config element that        
        represents the special administrative realm. All              
        authentication (from administraive GUI and CLI) will be       
        handled by this realm.                                        
    enabled                                                                    
        Defines if this connector is enabled. For EE this must be     
        enabled.                                                      
    name                                                                       
        name of jmx connector used for identification                 
    port                                                                       
        Specifies the port of the jmx-connector-server. Note that     
        jmx-service-uRL is a function of protocol, port and address   
        as defined by the JSR 160 1.0 Specification.                  
    protocol                                                                   
        Defines the protocol that this jmx-connector should support.  
        Supported protocols are defined by Entity rjmx-protocol. SJS  
        AS 8.1 PE/SE/EE supports "rmi_jrmp" protocol only. Other      
        protocols can be used by user applications independently. For 
        other protocols supported refer to documentation.             
    security-enabled                                                           
        Decides whether the transport layer security be used in       
        jmx-connector. If true, configure the ssl element.            

  Used in:
    admin-service, node-agent                                         
-->
<!ELEMENT jmx-connector (ssl?, property*)>

<!ATTLIST jmx-connector
    name CDATA #REQUIRED
    enabled %boolean; "true"
    protocol %rjmx-protocol; "rmi_jrmp"
    address CDATA #REQUIRED
    port CDATA #REQUIRED
    accept-all %boolean; "false"
    auth-realm-name CDATA #REQUIRED
    security-enabled %boolean; "true">


<!-- das-config

  attributes
    admin-session-timeout-in-minutes                                           
        timeout in minutes indicating the administration gui session  
        timeout.                                                      
    autodeploy-dir                                                             
        The source directory (relative to instance root) from which   
        autodeploy service will pick deployable components. You can   
        also specify an absolute directory.                           
    autodeploy-enabled                                                         
        This will enable the autodeployment service. If true, the     
        service will automatically starts with the admin-server. Auto 
        Deployment is a feature that enables developers to quickly    
        deploy applications and modules to a running application      
        server withoutrequiring the developer to perform an explicit  
        application server restart or separate deployment operation.  
    autodeploy-jsp-precompilation-enabled                                      
        If true, JSPs will be pre compiled during deployment of the   
        war module(s).                                                
    autodeploy-polling-interval-in-seconds                                     
        The polling interval (in seconds), at the end of which        
        autodeployment service will scan the source directory         
        (specified by "autodeploy-dir" tag) for any new deployable    
        component.                                                    
    autodeploy-verifier-enabled                                                
        To enable/disable verifier, during auto-deployment. If true,  
        verification will be done before any deployment activity. In  
        the event of any verifier test failure, deployment is not     
        performed.                                                    
    deploy-xml-validation                                                      
        specifies if descriptor validation is required or not.        

        full                                                                   
            xml will be validated and in case of xml validation       
            errors, deployment will fail.                             
        parsing                                                                
            xml errors will be reported but deployment process will   
            continue.                                                 
        none                                                                   
            no xml validation will be perfomed on the standard or     
            runtime deployment descriptors.                           

    dynamic-reload-enabled                                                     
        when true, server checks timestamp on a .reload file at every 
        module and application directory level to trigger reload.     
        polling frequency is controlled by                            
        reload-poll-interval-in-seconds                               

  Used in:
    admin-service                                                     
-->
<!ELEMENT das-config (property*)>

<!ATTLIST das-config
    dynamic-reload-enabled %boolean; "false"
    dynamic-reload-poll-interval-in-seconds CDATA "2"
    autodeploy-enabled %boolean; "false"
    autodeploy-polling-interval-in-seconds CDATA "2"
    autodeploy-dir CDATA "autodeploy"
    autodeploy-verifier-enabled %boolean; "false"
    autodeploy-jsp-precompilation-enabled %boolean; "false"
    deploy-xml-validation %validation-level; "full"
    admin-session-timeout-in-minutes CDATA "60">


<!-- web-container

  Used in:
    config                                                            
-->
<!ELEMENT web-container (session-config?, property*)>


<!-- session-config

  Used in:
    web-container                                                     
-->
<!ELEMENT session-config (session-manager?, session-properties?)>


<!-- session-manager

  Used in:
    session-config                                                    
-->
<!ELEMENT session-manager (manager-properties?, store-properties?)>


<!-- manager-properties

  Used in:
    session-manager                                                   
-->
<!ELEMENT manager-properties (property*)>

<!ATTLIST manager-properties
    session-file-name CDATA #IMPLIED
    reap-interval-in-seconds CDATA #IMPLIED
    max-sessions CDATA #IMPLIED
    session-id-generator-classname CDATA #IMPLIED>


<!-- store-properties

  Used in:
    session-manager                                                   
-->
<!ELEMENT store-properties (property*)>

<!ATTLIST store-properties
    directory CDATA #IMPLIED
    reap-interval-in-seconds CDATA #IMPLIED>


<!-- session-properties

  Used in:
    session-config                                                    
-->
<!ELEMENT session-properties (property*)>

<!ATTLIST session-properties
    timeout-in-seconds CDATA #IMPLIED>


<!-- ejb-container
    Configuration of EJB Container.                                   

  children
    ejb-timer-service                                                          
        The ejb-timer-service element contains the configuration for  
        the ejb timer service. There is at most one ejb timer service 
        per server instance.                                          

  attributes
    cache-idle-timeout-in-seconds                                              
        (eb, sfsb) specifies the rate at which the cache cleaner      
        thread is scheduled. All idle instances are passivated at     
        once.                                                         
    cache-resize-quantity                                                      
        (eb,sfsb) Cache elements have identity, hence growth is in    
        unit steps and created on demand. Shrinking of cache happens  

        when cache-idle-timeout-in-seconds timer expires and a cleaner thread  
        passivates beans which have been idle for longer than                  
        cache-idle-timeout-in-seconds. All idle instances are passivated at    
        once. cache-resize-quantity does not apply in this case.               

        when max cache size is reached, an asynchronous task is created to     
        bring the size back under the max-cache-size limit. This task removes  
        cache-resize-quantity elements, consulting the victim-selection-policy.

        Must be greater than 1 and less than max-cache-size.                   

    commit-option                                                              
        (eb) Entity Beans caching is controlled by this setting.      
        Commit Option C implies that no caching is performed in the   
        container.                                                    
    max-cache-size                                                             
        (sfsb,eb) specifies the maximum number of instances that can  
        be cached. For entity beans, internally two caches are        
        maintained for higher concurrency: (i) Ready (R$) (ii) Active 
        in an Incomplete Transaction (TX$). The TX$ is populated with 
        instances from R$ or from the Pool directly. When an instance 
        in TX$ completes the transaction, it is placed back in the R$ 
        (or in pool, in case an instance with same identity already   
        is in R$). max-cache-size only specifies the upper limit for  
        R$. The container computes an appropriate size for TX$. For   
        SFSBs, after the max-cache-size is reached, beans (as         
        determined by the victim-selection-policy) get passivated.    
    max-pool-size                                                              
        (slsb,eb) maximum size, a pool can grow to. A value of 0      
        implies an unbounded pool. Unbounded pools eventually shrink  
        to the steady-pool-size, in steps defined by                  
        pool-resize-quantity.                                         
    pool-idle-timeout-in-seconds                                               
        (slsb,eb) defines the rate at which the pool cleaning thread  
        is executed. this thread checks if current size is greater    
        than steady pool size, it removes pool-resize-quantity        
        elements. If the current size is less than steady-pool-size   
        it is increased by pool-resize-quantity, with a ceiling of    
        min (current-pool-size + pool-resize-quantity, max-pool-size) 
        Only objects that have not been accessed for more than        
        pool-idle-timeout-in-seconds are candidates for removal.      
    pool-resize-quantity                                                       
        (slsb,eb) size of bean pool grows (shrinks) in steps          
        specified by pool-resize-quantity, subject to max-pool-size   
        (steady-pool-size) limit.                                     
    removal-timeout-in-seconds                                                 
        (sfsb) Instance is removed from cache or passivation store,   
        if it is not accesed within this time. All instances that can 
        be removed, will be removed.                                  
    session-store                                                              
        specifies the directory where passivated beans and persisted  
        HTTP sessions are stored on the file system. Defaults to      
        $INSTANCE-ROOT/session-store                                  
    steady-pool-size                                                           
        (slsb,eb) number of bean instances normally maintained in     
        pool. When a pool is first created, it will be populated with 
        size equal to steady-pool-size. When an instance is removed   
        from the pool, it is replenished asynchronously, so that the  
        pool size is at or above the steady-pool-size. This additions 
        will be in multiples of pool-resize-quantity. When a bean is  
        disassociated from a method invocation, it is put back in the 
        pool, subject to max-pool-size limit. If the max pool size is 
        exceeded the bean id destroyed immediately. A pool cleaning   
        thread, executes at an interval defined by                    
        pool-idle-timeout-in-seconds. This thread reduces the pool    
        size to steady-pool-size, in steps defined by                 
        pool-resize-quantity. If the pool is empty, the required      
        object will be created and returned immediately. This         
        prevents threads from blocking till the pool is replenished   
        by the background thread. steady-pool-size must be greater    
        than 1 and at most equal to the max-pool-size.                
    victim-selection-policy                                                    
        (sfsb) Victim selection policy when cache needs to shrink.    
        Victims are passivated. Entity Bean Victims are selected      
        always using fifo discipline. Does not apply to slsb because  
        it does not matter, which particular instances are removed.   
        fifo                                                                   
            method picks victims, oldest instance first.              
        lru                                                                    
            algorithm picks least recently accessed instances.        
        nru                                                                    
            policy tries to pick 'not recently used' instances and is 
            a pseudo-random selection process.                        

  Used in:
    config                                                            
-->
<!ELEMENT ejb-container (ejb-timer-service?, property*)>

<!ATTLIST ejb-container
    steady-pool-size CDATA "32"
    pool-resize-quantity CDATA "16"
    max-pool-size CDATA "64"
    cache-resize-quantity CDATA "32"
    max-cache-size CDATA "512"
    pool-idle-timeout-in-seconds CDATA "600"
    cache-idle-timeout-in-seconds CDATA "600"
    removal-timeout-in-seconds CDATA "5400"
    victim-selection-policy (fifo | lru | nru) "nru"
    commit-option (B | C) "B"
    session-store CDATA #IMPLIED>


<!-- ejb-timer-service
    Configuration for ejb timer service.                              

  attributes
    max-redeliveries                                                           
        is the maximum number of times the ejb timer service will     
        attempt to redeliver a timer expiration due to exception or   
        rollback. The minimum value is 1, per the ejb specification.  
    minimum-delivery-interval-in-millis                                        
        is the minimum number of milliseconds allowed before the next 
        timer expiration for a particular timer can occur. It guards  
        against extremely small timer increments that can overload    
        the server.                                                   
    redelivery-interval-internal-in-millis                                     
        is the number of milliseconds the ejb timer service will wait 
        after a failed ejbTimeout delivery before attempting a        
        redelivery.                                                   
    timer-datasource                                                           
        overrides the cmp-resource (jdbc/__TimerPool) specified in    
        sun-ejb-jar.xml of (__ejb_container_timer_app) of the timer   
        service system application. By default this is set to         
        jdbc/__TimerPool, but can be overridden for the cluster or    
        server instance, if they choose to.                           

  Used in:
    ejb-container                                                     
-->
<!ELEMENT ejb-timer-service (property*)>

<!ATTLIST ejb-timer-service
    minimum-delivery-interval-in-millis CDATA "7000"
    max-redeliveries CDATA "1"
    timer-datasource CDATA #IMPLIED
    redelivery-interval-internal-in-millis CDATA "5000">


<!-- mdb-container

  attributes
    idle-timeout-in-seconds                                                    
        idle bean instance in pool becomes a candidate for deletion,  
        when this timeout expires.                                    
    max-pool-size                                                              
        maximum size, pool can grow to. A non-negative integer.       
    pool-resize-quantity                                                       
        quantum of increase/decrease, when the size of pool           
        grows/shrinks. An integer in the range [0, max-pool-size].    
    steady-pool-size                                                           
        minimum and initial number of message driven beans in pool.   
        An integer in the range [0, max-pool-size].                   

  Used in:
    config                                                            
-->
<!ELEMENT mdb-container (property*)>

<!ATTLIST mdb-container
    steady-pool-size CDATA "10"
    pool-resize-quantity CDATA "2"
    max-pool-size CDATA "60"
    idle-timeout-in-seconds CDATA "600">


<!-- jms-service
    The jms-service element specifies information about the           
    bundled/built-in JMS service that is managed by Application       
    Server.                                                           

  attributes
    addresslist-behavior                                                       
        Determines broker selection from imqAddressList.              
        random                                                                 
            causes selection to be performed randomly                 
        priority                                                               
            causes selection to be performed sequentially             
    addresslist-iterations                                                     
        Number of times reconnect logic should iterate                
        imqAddressList. This property will not be used if the         
        addresslist-behavior is "random". An integer.                 
    default-jms-host                                                           
        reference to a jms-host that to be started when type of       
        jms-service is LOCAL.                                         
    init-timeout-in-seconds                                                    
        specifies the time server instance will wait at start up, for 
        its corresponding JMS service instance to respond. If there   
        is no response within the specifies timeout period,           
        application server startup is aborted. Default value of 60    
        seconds.                                                      
    mq-scheme                                                                  
        Scheme for establishing connection with broker. For example,  
        scheme can be specified as "http" for connecting to MQ broker 
        over http. Default is "mq".                                   
    mq-service                                                                 
        Type of broker service. If a broker supports ssl, then the    
        type of service can be "ssljms". If nothing is specified, MQ  
        will assume 4that service is "jms".                           
    reconnect-attempts                                                         
        Total number of attempts to reconnect. An integer.            
    reconnect-enabled                                                          
        Causes reconnect feature to be enabled (true) or disabled     
        (false). A boolean.                                           
    reconnect-interval-in-seconds                                              
        Interval between reconnect attempts, in seconds. An integer.  
    start-args                                                                 
        specifies the arguments that will be supplied to start up the 
        corresponding JMS service instance.                           
    type                                                                       
        Type of JMS service.                                          

  Used in:
    config                                                            
-->
<!ELEMENT jms-service (jms-host*, property*)>

<!ATTLIST jms-service
    init-timeout-in-seconds CDATA "60"
    type (LOCAL | EMBEDDED | REMOTE) #REQUIRED
    start-args CDATA #IMPLIED
    default-jms-host CDATA #IMPLIED
    reconnect-interval-in-seconds CDATA "5"
    reconnect-attempts CDATA "3"
    reconnect-enabled %boolean; "true"
    addresslist-behavior (random | priority) "random"
    addresslist-iterations CDATA "3"
    mq-scheme CDATA #IMPLIED
    mq-service CDATA #IMPLIED>


<!-- jms-host

  attributes
    admin-password                                                             
        attribute specifies the admin password.                       
    admin-user-name                                                            
        specifies the admin username.                                 
    host                                                                       
        ip V6 or V4 address or hostname.                              
    port                                                                       
        the port number used by the JMS service.                      

  Used in:
    jms-service                                                       
-->
<!ELEMENT jms-host (property*)>

<!ATTLIST jms-host
    name CDATA #REQUIRED
    host CDATA #IMPLIED
    port CDATA "7676"
    admin-user-name CDATA "admin"
    admin-password CDATA "admin">


<!-- log-service
    By default, logs would be kept in $INSTANCE-ROOT/logs. The        
    following log files will be stored under the logs directory.      

    access.log                                                                 
        keeps default virtual server HTTP access messages.            
    server.log                                                                 
        keeps log messages from default virtual server. Messages from 
        other configured virtual servers also go here, unless         
        log-file is explicitly specified in the virtual-server        
        element.                                                      


  attributes
    alarms                                                                     
        if true, will turn on alarms for the logger. The SEVERE and   
        WARNING messages can be routed through the JMX framework to   
        raise SEVERE and WARNING alerts. Alarms are turned off by     
        default.                                                      
    file                                                                       
        can be used to rename or relocate server.log using absolute   
        path.                                                         
    log-filter                                                                 
        Can plug in a log filter to do custom filtering of log        
        records . By default there is no log filter other than the    
        log level filtering provided by JSR 047 log API.              
    log-handler                                                                
        Can plug in a custom log handler to add it to the chain of    
        handlers to log into a different log destination than the     
        default ones given by the system (which are Console, File and 
        Syslog). It is a requirement that customers use the log       
        formatter provided by the the system to maintain uniformity   
        in log messages. The custom log handler will be added at the  
        end of the handler chain after File + Syslog Handler, Console 
        Handler and JMX Handler. User cannot replace the handler      
        provided by the system, because of loosing precious log       
        statements. The Server Initialization will take care of       
        installing the custom handler with the system formatter       
        initialized. The user need to use JSR 047 Log Handler         
        Interface to implement the custom handler.                    
    log-rotation-limit-in-bytes                                                
        Log Files will be rotated when the file size reaches the      
        limit.                                                        
    log-rotation-timelimit-in-minutes                                          
        This is a new attribute to enable time based log rotation.    
        The Log File will be rotated only if this value is non-zero   
        and the valid range is 60 minutes (1 hour) to 10*24*60        
        minutes (10 days). If the value is zero then the files will   
        be rotated based on size specified in                         
        log-rotation-limit-in-bytes.                                  
    log-to-console                                                             
        logs will be sent to stderr when asadmin start-domain verbose 
        is used                                                       
    retain-error-statistics-for-hours                                          
        The number of hours since server start, for which error       
        statistics should be retained in memory. The default and      
        minimum value is 5 hours. The maximum value allowed is 500    
        hours. Note that larger values will incur additional memory   
        overhead.                                                     
    use-system-logging                                                         
        if true, will utilize Unix syslog service or Windows Event    
        Logging to produce and manage logs.                           

  Used in:
    config, node-agent                                                
-->
<!ELEMENT log-service (module-log-levels?, property*)>

<!ATTLIST log-service
    file CDATA #IMPLIED
    use-system-logging %boolean; "false"
    log-handler CDATA #IMPLIED
    log-filter CDATA #IMPLIED
    log-to-console %boolean; "false"
    log-rotation-limit-in-bytes CDATA "500000"
    log-rotation-timelimit-in-minutes CDATA "0"
    alarms %boolean; "false"
    retain-error-statistics-for-hours CDATA "5">


<!-- module-log-levels

  Used in:
    log-service                                                       
-->
<!ELEMENT module-log-levels (property*)>

<!ATTLIST module-log-levels
    root %log-level; "INFO"
    server %log-level; "INFO"
    ejb-container %log-level; "INFO"
    cmp-container %log-level; "INFO"
    mdb-container %log-level; "INFO"
    web-container %log-level; "INFO"
    classloader %log-level; "INFO"
    configuration %log-level; "INFO"
    naming %log-level; "INFO"
    security %log-level; "INFO"
    jts %log-level; "INFO"
    jta %log-level; "INFO"
    admin %log-level; "INFO"
    deployment %log-level; "INFO"
    verifier %log-level; "INFO"
    jaxr %log-level; "INFO"
    jaxrpc %log-level; "INFO"
    saaj %log-level; "INFO"
    corba %log-level; "INFO"
    javamail %log-level; "INFO"
    jms %log-level; "INFO"
    connector %log-level; "INFO"
    jdo %log-level; "INFO"
    cmp %log-level; "INFO"
    util %log-level; "INFO"
    resource-adapter %log-level; "INFO"
    synchronization %log-level; "INFO"
    node-agent %log-level; "INFO"
    self-management %log-level; "INFO"
    group-management-service %log-level; "INFO"
    management-event %log-level; "INFO">


<!-- security-service
    The security service element defines parameters and configuration 
    information needed by the core J2EE security service. Some        
    container-specific security configuration elements are in the     
    various container configuration elements and not here. SSL        
    configuration is also elsewhere. At this time the security        
    service configuration consists of a set of authentication realms. 
    A number of top-level attributes are defined as well.             

  children
    message-security-config                                                    
        Optional list of layer specific lists of configured message   
        security providers.                                           

  attributes
    activate-default-principal-to-role-mapping                                 
        Causes the appserver to apply a default principal to role     
        mapping, to any application that does not have an application 
        specific mapping defined. Every role is mapped to a           
        same-named (as the role) instance of a                        
        java.security.Principal implementation class (see             
        mapped-principal-class). This behavior is similar to that of  
        Tomcat servlet container. It is off by default.               
    anonymous-role                                                             
        Used as role name for default/anonymous role.                 
    audit-enabled                                                              
        If true, additional access logging is performed to provide    
        audit information.                                            
    audit-modules                                                              
        Optional list of audit provider modules which will be used by 
        the audit subsystem. The default value refers to the internal 
        log-based audit module.                                       
    default-principal                                                          
        Used as the identity of default security contexts when        
        necessary and no principal is provided.                       
    default-principal-password                                                 
        Password of default principal.                                
    default-realm                                                              
        Specifies which realm (by name) is used by default when no    
        realm is specifically requested. The file realm is the common 
        default.                                                      
    jacc                                                                       
        Specifies the name of the jacc-provider element to use for    
        setting up the JACC infrastructure. The default value         
        "default" does not need to be changed unless adding a custom  
        JACC provider.                                                
    mapped-principal-class                                                     
        This attribute is used to customize the                       
        java.security.Principal implementation class used in the      
        default principal to role mapping. This attribute is          
        optional. When it is not specified,                           
        com.sun.enterprise.deployment.Group implementation of         
        java.security.Principal is used. The value of this attribute  
        is only relevant when the activate-default                    
        principal-to-role-mapping attribute is set to true.           

  Used in:
    config                                                            
-->
<!ELEMENT security-service
    (auth-realm+, jacc-provider+, audit-module*, message-security-config*,     
    property*)>                                                                


<!ATTLIST security-service
    default-realm CDATA "file"
    default-principal CDATA #IMPLIED
    default-principal-password CDATA #IMPLIED
    anonymous-role CDATA "ANYONE"
    audit-enabled %boolean; "false"
    jacc CDATA "default"
    audit-modules CDATA "default"
    activate-default-principal-to-role-mapping %boolean; "false"
    mapped-principal-class CDATA #IMPLIED>


<!-- audit-module
    An audit-module specifies an optional plug-in module which        
    implements audit capabilities.                                    

  attributes
    classname                                                                  
        defines the java class which implements this audit module     
    name                                                                       
        defines the name of this realm                                

  Used in:
    security-service                                                  
-->
<!ELEMENT audit-module (property*)>

<!ATTLIST audit-module
    name CDATA #REQUIRED
    classname CDATA #REQUIRED>


<!-- auth-realm
    The auth-realm element defines and configures one authentication  
    realm. There must be at least one realm available for a server    
    instance; any number can be configured, as desired.               

    Authentication realms need provider-specific parameters which vary         
    depending on what a particular implementation needs; these are defined as  
    properties since they vary by provider and cannot be predicted for any     
    custom or add-on providers.                                                

    For the default file provider, the param used is: file                     


  attributes
    classname                                                                  
        defines the java class which implements this realm            
    name                                                                       
        defines the name of this realm                                

  Used in:
    node-agent, security-service                                      
-->
<!ELEMENT auth-realm (property*)>

<!ATTLIST auth-realm
    name CDATA #REQUIRED
    classname CDATA #REQUIRED>


<!-- jacc-provider
    The jacc-provider element defines the standard JACC properties    
    used for setting up the JACC provider. It also allows optional    
    properties which can be used by the provider implementation for   
    its configuration.                                                

  attributes
    name                                                                       
        A name for this jacc-provider. Is always "default" for the    
        default provider.                                             
    policy-configuration-factory-provider                                      
        Corresponds to (and can be overridden by) the system property 
        javax.security.jacc.PolicyConfigurationFactory.provider       
    policy-provider                                                            
        Corresponds to (and can be overridden by) the system property 
        javax.security.jacc.policy.provider                           

  Used in:
    security-service                                                  
-->
<!ELEMENT jacc-provider (property*)>

<!ATTLIST jacc-provider
    name CDATA #REQUIRED
    policy-provider CDATA #REQUIRED
    policy-configuration-factory-provider CDATA #REQUIRED>


<!-- transaction-service
    Configuration for Transaction Manager.                            

  attributes
    automatic-recovery                                                         
        if true, server instance attempts recovery at restart.        
    heuristic-decision                                                         
        During recovery, if outcome of a transaction cannot be        
        determined from the logs, then this property is used to fix   
        the outcome.                                                  
    keypoint-interval                                                          
        property used to specify the number of transactions between   
        keypoint operations on the log. A Keypoint operations could   
        reduce the size of the transaction log files. A larger value  
        for this property (for example, 1000) will result in larger   
        transaction log files, between log compactions, but less      
        keypoint operations, and potentially better performance. A    
        smaller value (e.g. 20) results in smaller log files but      
        slightly reduced performance due to the greater frequency of  
        keypoint operations.                                          
    retry-timeout-in-seconds                                                   
        used to determine the retry time in the following scenarios.  

        1 Time to wait at the transaction recovery time, when
            resources are unreachable.
        2 If there are any transient
            exceptions in the second phase of the 2 PC protocol.

        A negative value indicates infinite retry. '0' indicates no   
        retry. A positive value indicates the number of seconds for   
        which retry will be attempted. Default is 10 minutes which    
        may be appropriate for a database being restarted.            
    timeout-in-seconds                                                         
        amount of time the transaction manager waits for response     
        from a datasource participating in transaction. A value of 0  
        implies infinite timeout.                                     
    tx-log-dir                                                                 
        Transaction service creates a sub directory 'tx' under        
        tx-log-dir to store the transaction logs. The default value   
        of the tx-log-dir is $INSTANCE-ROOT/logs. If this attribute   
        is not explicitly specified in the <transaction-service>      
        element, 'tx' sub directory will be created under the path    
        specified in log-root attribute of <domain> element.          

  Used in:
    config                                                            
-->
<!ELEMENT transaction-service (property*)>

<!ATTLIST transaction-service
    automatic-recovery %boolean; "false"
    timeout-in-seconds CDATA "0"
    tx-log-dir CDATA #IMPLIED
    heuristic-decision (rollback | commit) "rollback"
    retry-timeout-in-seconds CDATA "600"
    keypoint-interval CDATA "2048">


<!-- monitoring-service

  Used in:
    config                                                            
-->
<!ELEMENT monitoring-service (module-monitoring-levels?, property*)>


<!-- module-monitoring-levels

  attributes
    connector-connection-pool                                                  
        monitoring level for all the connector-connection-pools used  
        by the runtime.                                               
    ejb-container                                                              
        various ejbs deployed to the server, ejb-pools, ejb-caches    
        and ejb-methods.                                              
    http-service                                                               
        http engine and the http listeners therein.                   
    jdbc-connection-pool                                                       
        monitoring level for all the jdbc-connection-pools used by    
        the runtime.                                                  
    orb                                                                        
        specifies the level for connection managers of the orb, which 
        apply to connections to the orb                               
    thread-pool                                                                
        all the thread-pools used by the run time.                    
    transaction-service                                                        
        transaction subsystem.                                        

  Used in:
    monitoring-service                                                
-->
<!ELEMENT module-monitoring-levels (property*)>

<!ATTLIST module-monitoring-levels
    thread-pool %monitoring-level; "OFF"
    orb %monitoring-level; "OFF"
    ejb-container %monitoring-level; "OFF"
    web-container %monitoring-level; "OFF"
    transaction-service %monitoring-level; "OFF"
    http-service %monitoring-level; "OFF"
    jdbc-connection-pool %monitoring-level; "OFF"
    connector-connection-pool %monitoring-level; "OFF"
    connector-service %monitoring-level; "OFF"
    jms-service %monitoring-level; "OFF"
    jvm %monitoring-level; "OFF">


<!-- diagnostic-service

  attributes
    capture-app-dd                                                             
        boolean attribute. If "true", application deployment          
        descriptors in plain text are captured as part of diagnostic  
        report. If Deployment descriptors contain any confidential    
        information, it's recommended to set it to false.             
    capture-hadb-info                                                          
        boolean attribute to indicate whether HADB related            
        information is collected.                                     
    capture-install-log                                                        
        boolean attribute which indicated whether the log generated   
        during installation of the application server is captured.    
    capture-system-info                                                        
        boolean attribute which specifies whether OS level            
        information is collected as part of diagnostic report.        
    compute-checksum                                                           
        boolean attribute. Indicates whether checksum of binaries is  
        computed.                                                     
    max-log-entries                                                            
        Max no. of log entries being captured as part of diagnostic   
        report. A non negative value.                                 
    min-log-level                                                              
        The log levels can be changed using one of the seven levels.  
        Please refer JSR 047 to understand the Log Levels. The        
        default level is INFO, meaning that messages at that level or 
        higher (WARNING, SEVERE) are captured as part of the          
        diagnostic report.If set to OFF, log contents will not be     
        captured as part of diagnostic report.                        
    verify-config                                                              
        A boolean attribute which indicates whether output of         
        verify-config asadmin command is included in the diagnostic   
        report.                                                       

  Used in:
    config                                                            
-->
<!ELEMENT diagnostic-service (property*)>

<!ATTLIST diagnostic-service
    compute-checksum %boolean; "true"
    verify-config %boolean; "true"
    capture-install-log %boolean; "true"
    capture-system-info %boolean; "true"
    capture-hadb-info %boolean; "true"
    capture-app-dd %boolean; "true"
    min-log-level %log-level; "INFO"
    max-log-entries CDATA "500">


<!-- group-management-service
    group-management-service(GMS) is an in-process service that       
    provides cluster monitoring and group communication services. GMS 
    notifies registered modules in an application server instance     
    when one or more members in the cluster fail (become              
    unreachable). GMS also provides the ability to send and receive   
    messages between a group of processes. GMS is a abstraction layer 
    that plugs-in group communication technologies which rely on a    
    configurable stack of protocols. Each of these protocols has      
    properties that can be changed for a given network and deployment 
    topology. These relevant configurable protocols are: fd-protocol  
    enables its members to periodically monitor other group members   
    to determine their availability in the group. merge-protocol is   
    used to reunite subgroups that formed as a result of a network    
    partition after such a partition has healed. ping-protocol is     
    used for discovery of the group and its members. vs-protocol      
    verifies suspect instances by adding a verification layer to mark 
    a failure suspicion as a confirmed failure.                       

  attributes
    fd-protocol-max-tries                                                      
        Maximum number of attempts to try before GMS confirms that a  
        failure is suspected in the group. Must be a positive integer.
    fd-protocol-timeout-in-millis                                              
        Period of time between monitoring attempts to detect failure. 
        Must be a positive integer.                                   
    merge-protocol-max-interval-in-millis                                      
        Specifies the maximum amount of time to wait to collect       
        sub-group information before performing a merge. Must be a    
        positive integer.                                             
    merge-protocol-min-interval-in-millis                                      
        specifies the minimum amount of time to wait to collect       
        sub-group information before performing a merge. Must be a    
        positive integer.                                             
    ping-protocol-timeout-in-millis                                            
        Amount of time in milliseconds that GMS waits for discovery   
        of other members in this group. Must be a positive integer.   
    vs-protocol-timeout-in-millis                                              
        After this timeout a suspected failure is marked as verified. 
        Must be a positive integer.                                   

  Used in:
    config                                                            
-->
<!ELEMENT group-management-service (property*)>

<!ATTLIST group-management-service
    fd-protocol-max-tries CDATA "3"
    fd-protocol-timeout-in-millis CDATA "2000"
    merge-protocol-max-interval-in-millis CDATA "10000"
    merge-protocol-min-interval-in-millis CDATA "5000"
    ping-protocol-timeout-in-millis CDATA "2000"
    vs-protocol-timeout-in-millis CDATA "1500">


<!-- java-config
    Java Runtime environment configuration                            

  attributes
    bytecode-preprocessors                                                     
        A comma separated list of classnames, each of which must      
        implement the com.sun.appserv.BytecodePreprocessor interface. 
        Each of the specified preprocessor class will be called in    
        the order specified. At the moment the comelling use is for a 
        3rd party Performance Profiling tool.                         
    classpath-prefix                                                           
        A java classpath string that is prefixed to server-classpath  
    classpath-suffix                                                           
        A java classpath string that is appended to server-classpath  
    debug-enabled                                                              
        If set to true, the server starts up in debug mode ready for  
        attaching with a JPDA based debugger.                         
    debug-options                                                              
        JPDA based debugging options string.                          
    env-classpath-ignored                                                      
        If set to false, the CLASSPATH environment variable will be   
        read and appended to the Application Server classpath, which  
        is constructed as described above. The CLASSPATH environment  
        variable will be added after the classpath-suffix, at the     
        very end.                                                     
    javac-options                                                              
        Options string passed to Java compiler, at application        
        deployment time.                                              
    java-home                                                                  
        Specifies the installation directory for Java runtime. JDK    
        1.4 or higher is supported.                                   
    native-library-path-prefix                                                 
        is prepended to the native library path, which is constructed 
        internally.                                                   

        Internally, the native library path is automatically constructed to be 
        a concatenation of Application Server installation relative path for   
        its native shared libraries, standard JRE native library path, the     
        shell environment setting (LD-LIBRARY-PATH on Unix) and any path that  
        may be specified in the profile element.                               

    native-library-path-suffix                                                 
        is appended to the native library path, which is constructed  
        as described above.                                           
    rmic-options                                                               
        Options string passed to RMI compiler, at application         
        deployment time.                                              
    server-classpath                                                           
        A java classpath string that specifies the classes needed by  
        the Application server. Do not expect users to change this    
        under normal conditions. The shared application server        
        classloader forms the final classpath by concatenating        
        classpath-prefix, ${INSTALL_DIR}/lib, server-classpath, and   
        classpath-suffix.                                             
    system-classpath                                                           
        This classpath string supplied to the jvm at server startup.  
        Contains appserv-launch.jar by default. Users may add to this 
        classpath.                                                    

  Used in:
    config                                                            
-->
<!ELEMENT java-config (profiler?, (jvm-options | property)*)>

<!ATTLIST java-config
    java-home CDATA "${com.sun.aas.javaRoot}"
    debug-enabled %boolean; "false"
    debug-options CDATA "-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n"
    rmic-options CDATA "-iiop -poa -alwaysgenerate -keepgenerated -g"
    javac-options CDATA "-g"
    classpath-prefix CDATA #IMPLIED
    classpath-suffix CDATA #IMPLIED
    server-classpath CDATA #IMPLIED
    system-classpath CDATA #IMPLIED
    native-library-path-prefix CDATA #IMPLIED
    native-library-path-suffix CDATA #IMPLIED
    bytecode-preprocessors CDATA #IMPLIED
    env-classpath-ignored %boolean; "true">


<!-- jvm-options
    String value for options that will be passed to the JVM           

  Used in:
    java-config, profiler                                             
-->
<!ELEMENT jvm-options (#PCDATA)>


<!-- profiler
    Profilers could be one of jprobe, optimizeit, hprof, wily and so  
    on jvm-options and property elements are used to record the       
    settings needed to get a particular profiler going. A server      
    instance is tied to a particular profiler, by the profiler        
    element in java-config. Changing the profiler will require a      
    server restart.                                                   

    The adminstrative graphical interfaces, could list multiple supported      
    profilers (incomplete at this point) and will populate server.xml          
    appropriately.                                                             


  Used in:
    java-config                                                       
-->
<!ELEMENT profiler ((jvm-options | property)*)>

<!ATTLIST profiler
    name CDATA #REQUIRED
    classpath CDATA #IMPLIED
    native-library-path CDATA #IMPLIED
    enabled %boolean; "true">


<!-- availability-service
    SE/EE only: TBD Needs explanation                                 

  attributes
    auto-manage-ha-store                                                       
        If set to true, the lifecycle of the highly available store   
        is matched with the lifecycle of the highly available         
        cluster. The store is started or stopped with the cluster. It 
        is removed when the cluster is deleted. When set to false,    
        the store lifecycle would have to manually managed by the     
        administrator.                                                
    ha-agent-hosts                                                             
        comma-delimited list of server host names or IP addresses     
        where high availability store management agents are running.  
    ha-agent-password                                                          
        password needed to contact highly available store management  
        agents                                                        
    ha-agent-port                                                              
        port number where highly available store management agents    
        can be contacted                                              
    ha-store-healthcheck-enabled                                               
        Application server stops saving session state when the store  
        service does not function properly or is is not accessible    
        for any reason. When this attribute is set to true, periodic  
        checking is done to detect if the store service has become    
        available again. If healthcheck succeeds the session state    
        saving is resumed. Defaults to false.                         
    ha-store-healthcheck-interval-in-seconds                                   
        The periodicity at which store health is checked.             
    ha-store-name                                                              
        Name of the session store                                     
    store-pool-name                                                            
        This is the jndi-name for the JDBC Connection Pool used       
        potentially by both the Web Container and the EJB Stateful    
        Session Bean Container for use in checkpointing/passivation   
        when persistence-type = "ha". See sfsb-ha-persistence-type    
        and sfsb-persistence-type for more details. It will default   
        to "jdbc/hastore". This attribute can be over-ridden in       
        either web-container-availability (with                       
        http-session-store-pool-name) and/or in                       
        ejb-container-availability (with sfsb-store-pool-name). If    
        store-pool-name is not over-ridden then both containers will  
        share the same connection pool. If either container           
        over-rides then it may have its own dedicated pool. In this   
        case there must also be a new corresponding JDBC Resource and 
        JDBC Connection Pool defined for this new pool name.          

  Used in:
    config                                                            
-->
<!ELEMENT availability-service
    (web-container-availability?, ejb-container-availability?,                 
    jms-availability?, property*)>                                             


<!ATTLIST availability-service
    availability-enabled %boolean; "true"
    ha-agent-hosts CDATA #IMPLIED
    ha-agent-port CDATA #IMPLIED
    ha-agent-password CDATA #IMPLIED
    ha-store-name CDATA #IMPLIED
    auto-manage-ha-store %boolean; "false"
    store-pool-name CDATA #IMPLIED
    ha-store-healthcheck-enabled %boolean; "false"
    ha-store-healthcheck-interval-in-seconds CDATA "5">


<!-- web-container-availability
    web-container-availability SE/EE only:                            

  attributes
    availability-enabled                                                       
        This boolean flag controls whether availability is enabled    
        for HTTP session persistence. If this is "false", then        
        session persistence is disabled for all web modules in j2ee   
        apps and stand-alone web modules. If it is "true" (and        
        providing that the global availability-enabled in             
        availability-service is also "true", then j2ee apps and       
        stand-alone web modules may be ha enabled. Finer-grained      
        control exists at lower levels. If this attribute is missing, 
        it "inherits" the value of the global availability-enabled    
        under availability-service.                                   
    http-session-store-pool-name                                               
        This is the jndi-name for the JDBC Connection Pool used by    
        the HTTP Session Persistence Framework. If missing, internal  
        code will default it to value of store-pool-name under        
        availability-service (ultimately "jdbc/hastore").             
    persistence-frequency                                                      
        The persistence frequency used by the session persistence     
        framework, when persistence-type = "ha". Values may be        
        "time-based" or "web-event". If it is missing, then the       
        persistence-type will revert to "memory".                     
    persistence-scope                                                          
        The persistence scope used by the session persistence         
        framework, when persistence-type = "ha". Values may be        
        "session", "modified-session", "modified-attribute". If it is 
        missing, then the persistence-type will revert to "memory".   
    persistence-store-health-check-enabled                                     
        Deprecated. This attribute has no effect. If you wish to      
        control enabling/disabling HADB health check, refer to        
        store-healthcheck-enabled attribute in the                    
        availability-service element.                                 
    persistence-type                                                           
        The persistence type used by the session persistence          
        framework.                                                    
    sso-failover-enabled                                                       
        This controls whether Single-Sign-On state will be made       
        available for failover.                                       

  Used in:
    availability-service                                              
-->
<!ELEMENT web-container-availability (property*)>

<!ATTLIST web-container-availability
    availability-enabled %boolean; #IMPLIED
    persistence-type %persistence-type; "memory"
    persistence-frequency %session-save-frequency; #IMPLIED
    persistence-scope %session-save-scope; #IMPLIED
    persistence-store-health-check-enabled %boolean; "false"
    sso-failover-enabled %boolean; "false"
    http-session-store-pool-name CDATA #IMPLIED>


<!-- ejb-container-availability

  attributes
    availability-enabled                                                       
        This boolean flag controls whether availability is enabled    
        for SFSB checkpointing (and potentially passivation). If this 
        is "false", then all SFSB checkpointing is disabled for all   
        j2ee apps and ejb modules. If it is "true" (and providing     
        that the global availability-enabled in availability-service  
        is also "true", then j2ee apps and stand-alone ejb modules    
        may be ha enabled. Finer-grained control exists at lower      
        levels. If this attribute is missing, it inherits the value   
        of the global availability-enabled under availability-service.
    sfsb-checkpoint-enabled                                                    
        This attribute is deprecated, replaced by                     
        availability-enabled and will be ignored if present.          
    sfsb-ha-persistence-type                                                   
        The persistence type used by the EJB Stateful Session Bean    
        Container for checkpointing and passivating                   
        availability-enabled beans' state. Values may be "file" or    
        "ha". Default is "ha".                                        
    sfsb-quick-checkpoint-enabled                                              
        This attribute is deprecated and will be ignored if present.  
    sfsb-store-pool-name                                                       
        This is the jndi-name for the JDBC Connection Pool used by    
        the EJB Stateful Session Bean Container for use in            
        checkpointing/passivation when persistence-type = "ha". See   
        sfsb-ha-persistence-type and sfsb-persistence-type for more   
        details. It will default to value of store-pool-name under    
        availability-service (ultimately "jdbc/hastore").             

  Used in:
    availability-service                                              
-->
<!ELEMENT ejb-container-availability (property*)>

<!ATTLIST ejb-container-availability
    availability-enabled %boolean; #IMPLIED
    sfsb-ha-persistence-type %sfsb-persistence-type; "ha"
    sfsb-persistence-type %sfsb-persistence-type; "file"
    sfsb-checkpoint-enabled %boolean; #IMPLIED
    sfsb-quick-checkpoint-enabled %boolean; #IMPLIED
    sfsb-store-pool-name CDATA #IMPLIED>


<!-- jdbc-connection-pool
    jdbc-connection-pool defines configuration used to create and     
    manage a pool physical database connections. Pool definition is   
    named, and can be referred to by multiple jdbc-resource elements  
    (See <jdbc-resource>).                                            

    Each named pool definition results in a pool instantiated at server        
    start-up. Pool is populated when accessed for the first time. If two or    
    more jdbc-resource elements point to the same jdbc-connection-pool         
    element, they are using the same pool of connections, at run time.         


  children
    property                                                                   
        Most JDBC 2.0 drivers permit use of standard property lists,  
        to specify User, Password and other resource configuration.   
        While these are optional properties, according to the         
        specification, several of these properties may be necessary   
        for most databases. See Section 5.3 of JDBC 2.0 Standard      
        Extension API.                                                

        The following are the names and corresponding values for these         
        properties                                                             

        databaseName                                                           
            Name of the Database                                      
        serverName                                                             
            Database Server name.                                     
        port                                                                   
            Port where a Database server is listening for requests.   
        networkProtocol                                                        
            Communication Protocol used.                              
        user                                                                   
            default name of the database user with which connections  
            will be stablished. Programmatic database authentication  
            or default-resource-principal specified in vendor         
            specific web and ejb deployment descriptors will take     
            precedence, over this default. The details and caveats    
            are described in detail in the Administrator's guide.     
        password                                                               
            password for default database user                        
        roleName                                                               
            The initial SQL role name.                                
        datasourceName                                                         
            used to name an underlying XADataSource, or               
            ConnectionPoolDataSource when pooling of connections is   
            done                                                      
        description                                                            
            Textual Description                                       

        When one or more of these properties are specified, they are passed as 
        is using set<Name>(<Value>) methods to the vendors Datasource class    
        (specified in datasource-classname). User and Password properties are  
        used as default principal, if Container Managed authentication is      
        specified and a default-resource-principal is not found in application 
        deployment descriptors.                                                


  attributes
    allow-non-component-callers                                                
        A pool with this property set to true, can be used by         
        non-J2EE components (i.e components other than EJBs or        
        Servlets). The returned connection is enlisted automatically  
        with the transaction context obtained from the transaction    
        manager. This property is to enable the pool to be used by    
        non-component callers such as ServletFilters, Lifecycle       
        modules, and 3rd party persistence managers. Standard J2EE    
        components can continue to use such pools. Connections        
        obtained by non-component callers are not automatically       
        cleaned at the end of a transaction by the container. They    
        need to be explicitly closed by the the caller.               
    connection-validation-method                                               
        specifies the type of validation to be performed when         
        is-connection-validation-required is true. The following      
        types of validation are supported:                            
        auto-commit                                                            
            using connection.autoCommit()                             
        meta-data                                                              
            using connection.getMetaData()                            
        table                                                                  
            performing a query on a user specified table (see         
            validation-table-name).                                   
    datasource-classname                                                       
        Name of the vendor supplied JDBC datasource resource manager. 
        An XA or global transactions capable datasource class will    
        implement javax.sql.XADatasource interface. Non XA or Local   
        transactions only datasources will implement                  
        javax.sql.Datasource interface.                               
    fail-all-connections                                                       
        indicates if all connections in the pool must be closed       
        should a single validation check fail. The default is false.  
        One attempt will be made to re-establish failed connections.  
    idle-timeout-in-seconds                                                    
        maximum time in seconds, that a connection can remain idle in 
        the pool. After this time, the pool implementation can close  
        this connection. Note that this does not control connection   
        timeouts enforced at the database server side. Adminsitrators 
        are advised to keep this timeout shorter than the database    
        server side timeout (if such timeouts are configured on the   
        specific vendor's database), to prevent accumulation of       
        unusable connection in Application Server.                    
    is-connection-validation-required                                          
        if true, connections are validated (checked to find out if    
        they are usable) before giving out to the application. The    
        default is false.                                             
    is-isolation-level-guaranteed                                              
        Applicable only when a particular isolation level is          
        specified for transaction-isolation-level. The default value  
        is true. This assures that every time a connection is         
        obtained from the pool, it is guaranteed to have the          
        isolation set to the desired value. This could have some      
        performance impact on some JDBC drivers. Can be set to false  
        by that administrator when they are certain that the          
        application does not change the isolation level before        
        returning the connection.                                     
    max-pool-size                                                              
        maximum number of conections that can be created              
    max-wait-time-in-millis                                                    
        amount of time the caller will wait before getting a          
        connection timeout. The default is 60 seconds. A value of 0   
        will force caller to wait indefinitely.                       
    name                                                                       
        unique name of the pool definition.                           
    non-transactional-connections                                              
        A pool with this property set to true returns                 
        non-transactional connections. This connection does not get   
        automatically enlisted with the transaction manager.          
    pool-resize-quantity                                                       
        number of connections to be removed when                      
        idle-timeout-in-seconds timer expires. Connections that have  
        idled for longer than the timeout are candidates for removal. 
        When the pool size reaches steady-pool-size, the connection   
        removal stops.                                                
    res-type                                                                   
        DataSource implementation class could implement one of of     
        javax.sql.DataSource, javax.sql.XADataSource or               
        javax.sql.ConnectionPoolDataSource interfaces. This optional  
        attribute must be specified to disambiguate when a Datasource 
        class implements two or more of these interfaces. An error is 
        produced when this attribute has a legal value and the        
        indicated interface is not implemented by the datasource      
        class. This attribute has no default value.                   
    steady-pool-size                                                           
        minimum and initial number of connections maintained in the   
        pool.                                                         
    transaction-isolation-level                                                
        Specifies the Transaction Isolation Level on the pooled       
        database connections. Optional. Has no default. If left       
        unspecified the pool operates with default isolation level    
        provided by the JDBC Driver. A desired isolation level can be 
        set using one of the standard transaction isolation levels,   
        which see.                                                    

        Applications that change the Isolation level on a pooled connection    
        programmatically, risk polluting the pool and this could lead to       
        program errors. Also see: is-isolation-level-guaranteed                

    validation-table-name                                                      
        specifies the table name to be used to perform a query to     
        validate a connection. This parameter is mandatory, if        
        connection-validation-type set to table. Verification by      
        accessing a user specified table may become necessary for     
        connection validation, particularly if database driver caches 
        calls to setAutoCommit() and getMetaData().                   

  Used in:
    resources                                                         
-->
<!ELEMENT jdbc-connection-pool (description?, property*)>

<!ATTLIST jdbc-connection-pool
    name CDATA #REQUIRED
    datasource-classname CDATA #REQUIRED
    res-type (javax.sql.DataSource | javax.sql.XADataSource | javax.sql.ConnectionPoolDataSource) #IMPLIED
    steady-pool-size CDATA "8"
    max-pool-size CDATA "32"
    max-wait-time-in-millis CDATA "60000"
    pool-resize-quantity CDATA "2"
    idle-timeout-in-seconds CDATA "300"
    transaction-isolation-level %isolation; #IMPLIED
    is-isolation-level-guaranteed %boolean; "true"
    is-connection-validation-required %boolean; "false"
    connection-validation-method (auto-commit | meta-data | table) "auto-commit"
    validation-table-name CDATA #IMPLIED
    fail-all-connections %boolean; "false"
    non-transactional-connections %boolean; "false"
    allow-non-component-callers %boolean; "false">


<!-- connector-connection-pool
    connector-connection-pool defines configuration used to create    
    and manage a pool of connections to a EIS. Pool definition is     
    named, and can be referred to by multiple connector-resource      
    elements (See connector-resource).                                

    Each named pool definition results in a pool instantiated at server        
    start-up. Pool is populated when accessed for the first time. If two or    
    more connector-resource elements point to the same                         
    connector-connection-pool element, they are using the same pool of         
    connections, at run time.                                                  

    There can be more than one pool for one connection-definition in one       
    resource-adapter.                                                          


  children
    property                                                                   
        Properties are used to override the ManagedConnectionFactory  
        javabean configuration settings.                              

        When one or more of these properties are specified, they are passed as 
        is using set<Name>(<Value>) methods to the Resource Adapter's          
        ManagedConnectionfactory class (specified in ra.xml).                  


  attributes
    connection-definition-name                                                 
        unique name, identifying one connection-definition in a       
        Resource Adapter. Currently this is ConnectionFactory type.   
    fail-all-connections                                                       
        indicates if all connections in the pool must be closed       
        should a single connection fail validation. The default is    
        false. One attempt will be made to re-establish failed        
        connections.                                                  
    idle-timeout-in-seconds                                                    
        maximum time in seconds, that a connection can remain idle in 
        the pool. After this time, the pool implementation can close  
        this connection. Note that this does not control connection   
        timeouts enforced at the database server side. Adminsitrators 
        are advised to keep this timeout shorter than the EIS         
        connection timeout (if such timeouts are configured on the    
        specific EIS), to prevent accumulation of unusable connection 
        in Application Server.                                        
    is-connection-validation-required                                          
        This attribute specifies if the connection that is about to   
        be returned is to be validated by the container,              
    max-pool-size                                                              
        maximum number of conections that can be created              
    max-wait-time-in-millis                                                    
        amount of time the caller will wait before getting a          
        connection timeout. The default is 60 seconds. A value of 0   
        will force caller to wait indefinitely.                       
    name                                                                       
        unique name of the pool definition.                           
    pool-resize-quantity                                                       
        number of connections to be removed when                      
        idle-timeout-in-seconds timer expires. Connections that have  
        idled for longer than the timeout are candidates for removal. 
        When the pool size reaches steady-pool-size, the connection   
        removal stops.                                                
    resource-adapter-name                                                      
        This is the name of resource adapter. Name of .rar file is    
        taken as the unique name for the resource adapter.            
    steady-pool-size                                                           
        minimum and initial number of connections maintained in the   
        pool.                                                         
    transaction-support                                                        
        Indicates the level of transaction support that this pool     
        will have. Possible values are "XATransaction",               
        "LocalTransaction" and "NoTransaction". This attribute will   
        override that transaction support attribute in the Resource   
        Adapter in a downward compatible way, i.e it can support a    
        lower/equal transaction level than specified in the RA, but   
        not a higher level.                                           

  Used in:
    resources                                                         
-->
<!ELEMENT connector-connection-pool (description?, security-map*, property*)>

<!ATTLIST connector-connection-pool
    name CDATA #REQUIRED
    resource-adapter-name CDATA #REQUIRED
    connection-definition-name CDATA #REQUIRED
    steady-pool-size CDATA "8"
    max-pool-size CDATA "32"
    max-wait-time-in-millis CDATA "60000"
    pool-resize-quantity CDATA "2"
    idle-timeout-in-seconds CDATA "300"
    fail-all-connections %boolean; "false"
    transaction-support (XATransaction | LocalTransaction | NoTransaction) #IMPLIED
    is-connection-validation-required %boolean; "false">


<!-- security-map
    Perform mapping from principal received during Servlet/EJB        
    authentication, to credentials accepted by the EIS. This mapping  
    is optional.It is possible to map multiple (server) principal to  
    the same backend principal.                                       

  Used in:
    connector-connection-pool                                         
-->
<!ELEMENT security-map ((principal | user-group)+, backend-principal)>

<!ATTLIST security-map
    name CDATA #REQUIRED>


<!-- principal
    Principal of the Servlet and EJB client                           

  Used in:
    security-map                                                      
-->
<!ELEMENT principal (#PCDATA)>


<!-- user-group

  Used in:
    security-map                                                      
-->
<!ELEMENT user-group (#PCDATA)>


<!-- backend-principal

  Used in:
    security-map                                                      
-->
<!ELEMENT backend-principal EMPTY>

<!ATTLIST backend-principal
    user-name CDATA #REQUIRED
    password CDATA #IMPLIED>


<!-- thread-pools

  Used in:
    config                                                            
-->
<!ELEMENT thread-pools (thread-pool+)>


<!-- thread-pool

  attributes
    idle-thread-timeout-in-seconds                                             
        idle threads are removed from pool, after this time           
    max-thread-pool-size                                                       
        Maximum number of threads in the threadpool servicing         
        requests in this queue. This is the upper bound on the no. of 
        threads that exist in the threadpool.                         
    min-thread-pool-size                                                       
        Minimum number of threads in the threadpool servicing         
        requests in this queue. These are created up front when this  
        threadpool is instantiated                                    
    num-work-queues                                                            
        This denotes the total number of work queues that are         
        serviced by this threadpool.                                  
    thread-pool-id                                                             
        This is an id for the work-queue e.g. "thread-pool-1",        
        "thread-pool-2" etc                                           

  Used in:
    thread-pools                                                      
-->
<!ELEMENT thread-pool EMPTY>

<!ATTLIST thread-pool
    thread-pool-id CDATA #REQUIRED
    min-thread-pool-size CDATA "0"
    max-thread-pool-size CDATA "200"
    idle-thread-timeout-in-seconds CDATA "120"
    num-work-queues CDATA "1">


<!-- property
    Syntax for supplying properties as name value pairs               

  Used in:
    admin-object-resource, admin-service, alert-service,              
    appclient-module, audit-module, auth-realm, availability-service, 
    cluster, config, connector-connection-pool, connector-module,     
    connector-resource, custom-resource, das-config,                  
    diagnostic-service, domain, ejb-container,                        
    ejb-container-availability, ejb-module, ejb-timer-service, event, 
    external-jndi-resource, filter-config, group-management-service,  
    http-listener, http-service, iiop-listener, j2ee-application,     
    jacc-provider, java-config, jdbc-connection-pool, jdbc-resource,  
    jms-availability, jms-host, jms-service, jmx-connector,           
    lb-config, lifecycle-module, listener-config, load-balancer,      
    log-service, mail-resource, manager-properties, mbean,            
    mdb-container, module-log-levels, module-monitoring-levels,       
    monitoring-service, node-agent, orb,                              
    persistence-manager-factory-resource, profiler, provider-config,  
    resource-adapter-config, security-service, server,                
    session-properties, store-properties, transaction-service,        
    virtual-server, web-container, web-container-availability,        
    web-module                                                        
-->
<!ELEMENT property (description?)>

<!ATTLIST property
    name CDATA #REQUIRED
    value CDATA #REQUIRED>


<!-- system-property
    Syntax for supplying system properties as name value pairs        

  Used in:
    cluster, config, domain, server                                   
-->
<!ELEMENT system-property (description?)>

<!ATTLIST system-property
    name CDATA #REQUIRED
    value CDATA #REQUIRED>


<!-- server
    J2EE Application Server Configuration                             

    Each Application Server instance is a J2EEv1.4 compliant container. One    
    server instance is specially designated as the Administration Server in    
    SE/EE. User applications cannot be deployed to an Adminsitration Server    
    instance.                                                                  


  children
    application-ref                                                            
        References to applications deployed to the server instance    
    resource-ref                                                               
        References to resources deployed to the server instance       

  attributes
    config-ref                                                                 
        points to a named config. needed for stand-alone servers. If  
        the server instance is part of a cluster, then it must not be 
        present, and will be ignored.                                 
    lb-weight                                                                  
        Each server instance in a cluster has a weight, which may be  
        used to represent the relative processing capacity of that    
        instance. Default weight is 100 for every instance. Weighted  
        load balancing policies will use this weight while load       
        balancing requests within the cluster. It is the              
        responsibility of the administrator to set the relative       
        weights correctly, keeping in mind deployed hardware capacity.
    name                                                                       
        name of the server instance.                                  
    node-agent-ref                                                             
        SE/EE only. Specifies the name of the node agent where the    
        server instance is hosted.                                    

  Used in:
    servers                                                           
-->
<!ELEMENT server
    (application-ref*, resource-ref*, system-property*, property*)>            


<!ATTLIST server
    name CDATA #REQUIRED
    config-ref CDATA #IMPLIED
    node-agent-ref CDATA #IMPLIED
    lb-weight CDATA "100">


<!-- application-ref

  attributes
    disable-timeout-in-minutes                                                 
        The time, in minutes, that it takes this application to reach 
        a quiescent state after having been disabled                  
    lb-enabled                                                                 
        A boolean flag that causes any and all load-balancers using   
        this application to consider this application unavailable to  
        them. Defaults to unavailable (false).                        

  Used in:
    cluster, server                                                   
-->
<!ELEMENT application-ref EMPTY>

<!ATTLIST application-ref
    enabled %boolean; "true"
    virtual-servers CDATA #IMPLIED
    lb-enabled %boolean; "false"
    disable-timeout-in-minutes CDATA "30"
    ref CDATA #REQUIRED>


<!-- resource-ref

  Used in:
    cluster, server                                                   
-->
<!ELEMENT resource-ref EMPTY>

<!ATTLIST resource-ref
    enabled %boolean; "true"
    ref CDATA #REQUIRED>


<!-- cluster
    SE/EE Cluster configuration. A cluster defines a homogenous set   
    of server instances that share the same applications, resources,  
    and configuration.                                                

  children
    server-ref                                                                 
        list of servers in the cluster                                

  attributes
    config-ref                                                                 
        points to a named config. All server instances in the cluster 
        will share this config.                                       
    heartbeat-address                                                          
        This is the address (only multicast supported) at which GMS   
        will listen for group events.                                 
    heartbeat-enabled                                                          
        When "heartbeat-enabled" is set to "true", the GMS services   
        will be started as a lifecycle module in each the application 
        server in the cluster.When "heartbeat-enabled" is set to      
        "false", GMS will not be started and its services will be     
        unavailable. Clusters should function albeit with reduced     
        functionality.                                                
    heartbeat-port                                                             
        This is the communication port GMS uses to listen for group   
        events . This should be a valid port number.                  
    name                                                                       
        cluster name                                                  

  Used in:
    clusters                                                          
-->
<!ELEMENT cluster
    (server-ref*, resource-ref*, application-ref*, system-property*,           
    property*)>                                                                


<!ATTLIST cluster
    name CDATA #REQUIRED
    config-ref CDATA #REQUIRED
    heartbeat-port CDATA #REQUIRED
    heartbeat-address CDATA #REQUIRED
    heartbeat-enabled %boolean; "true">


<!-- server-ref

  attributes
    disable-timeout-in-minutes                                                 
        The time, in minutes, that it takes this server to reach a    
        quiescent state after having been disabled                    
    enabled                                                                    
        A boolean flag that causes the server to be enabled to serve  
        end-users, or not. Default is to be enabled (true)            
    lb-enabled                                                                 
        A boolean flag that causes any and all load-balancers using   
        this server to consider this server unavailable to them.      
        Defaults to unavailable (false)                               
    ref                                                                        
        A reference to the name of a server defined elsewhere         

  Used in:
    cluster, lb-config                                                
-->
<!ELEMENT server-ref (health-checker?)>

<!ATTLIST server-ref
    ref CDATA #REQUIRED
    disable-timeout-in-minutes CDATA "30"
    lb-enabled %boolean; "false"
    enabled %boolean; "true">


<!-- node-agent
    SE/EE Node Controller. The node agent is an agent that manages    
    server instances on a host machine.                               

  attributes
    name                                                                       
        Node Controller name                                          
    start-servers-in-startup                                                   
        If true starts all managed server instances when the Node     
        Controller is started.                                        
    system-jmx-connector-name                                                  
        The name of the internal jmx connector                        

  Used in:
    node-agents                                                       
-->
<!ELEMENT node-agent (jmx-connector?, auth-realm?, log-service, property*)>

<!ATTLIST node-agent
    name CDATA #REQUIRED
    system-jmx-connector-name CDATA #IMPLIED
    start-servers-in-startup %boolean; "true">


<!-- lb-config

  attributes
    https-routing                                                              
        Boolean flag indicating how load-balancer will route https    
        requests. If true then an https request to the load-balancer  
        will result in an https request to the server; if false then  
        https requests to the load-balancer result in http requests   
        to the server. Default is to use http (i.e. value of false);  
    monitoring-enabled                                                         
        Boolean flag that determines whether monitoring is switched   
        on or not. Default is that monitoring is switched off (false) 
    name                                                                       
        Name of the load balancer configuration                       
    reload-poll-interval-in-seconds                                            
        Maximum period, in seconds, that a change to the load         
        balancer configuration file takes before it is detected by    
        the load balancer and the file reloaded. A value of 0         
        indicates that reloading is disabled. Default period is 1     
        minute (60)                                                   
    response-timeout-in-seconds                                                
        Period within which a server must return a response or        
        otherwise it will be considered unhealthy. Default value is   
        60 seconds. Must be greater than or equal to 0. A value of 0  
        effectively turns off this check functionality, meaning the   
        server will always be considered healthy.                     
    route-cookie-enabled                                                       
        Boolean flag that determines whether a route cookie is or is  
        not enabled. Default is enabled (true).                       

  Used in:
    lb-configs                                                        
-->
<!ELEMENT lb-config ((cluster-ref* | server-ref*), property*)>

<!ATTLIST lb-config
    name CDATA #REQUIRED
    response-timeout-in-seconds CDATA "60"
    https-routing %boolean; "false"
    reload-poll-interval-in-seconds CDATA "60"
    monitoring-enabled %boolean; "false"
    route-cookie-enabled %boolean; "true">


<!-- health-checker
    Each cluster would be configured for a ping based health check    
    mechanism.                                                        

  attributes
    interval-in-seconds                                                        
        Interval, in seconds, between health checks. A value of "0"   
        means that the health check is disabled. Default is 30        
        seconds. Must be 0 or greater.                                
    timeout-in-seconds                                                         
        Maximum time, in seconds, that a server must respond to a     
        health check request to be considered healthy. Default is 10  
        seconds. Must be greater than 0.                              
    url                                                                        
        URL to ping so as to determine the health state of a          
        listener. This must be a relative URL.                        

  Used in:
    cluster-ref, server-ref                                           
-->
<!ELEMENT health-checker EMPTY>

<!ATTLIST health-checker
    url CDATA "/"
    interval-in-seconds CDATA "30"
    timeout-in-seconds CDATA "10">


<!-- cluster-ref
    Element relating a reference to a cluster to be load balanced to  
    an (optional) health-checker                                      

  attributes
    lb-policy                                                                  
        load balancing policy to be used for this cluster. Possible   
        values are round-robin , weighted-round-robin or              
        user-defined. round-robin is the default. For                 
        weighted-round-robin, the weights of the instance are         
        considered while load balancing. For user-defined, the policy 
        is implemented by a shared library which is loaded by the     
        load balancer and the instance selected is delegated to the   
        loaded module.                                                
    lb-policy-module                                                           
        specifies the absolute path to the shared library             
        implementing the user-defined policy. This should be          
        specified only when the lb-policy is user-defined. The shared 
        library should exist and be readable in the machine where     
        load balancer is running.                                     
    ref                                                                        
        A reference to the name of a cluster defined elsewhere        

  Used in:
    lb-config                                                         
-->
<!ELEMENT cluster-ref (health-checker?)>

<!ATTLIST cluster-ref
    ref CDATA #REQUIRED
    lb-policy %lb-policy-type; "round-robin"
    lb-policy-module CDATA #IMPLIED>


<!-- message-security-config
    The message-security-config element defines the message layer     
    specific provider configurations of the application server.       

    All of the providers within a message-security-config element must be able 
    to perform authentication processing at the message layer defined by the   
    value of the auth-layer attribute.                                         


  attributes
    default-client-provider                                                    
        used to identify the client provider to be invoked for any    
        application for which a specific client provider has not been 
        bound.                                                        
    default-provider                                                           
        used to identify the server provider to be invoked for any    
        application for which a specific server provider has not been 
        bound.                                                        

        When a default provider of a type is not defined for a message layer,  
        the container will only invoke a provider of the type (at the layer)   
        for those applications for which a specific provider has been bound.   


  Used in:
    security-service                                                  
-->
<!ELEMENT message-security-config (provider-config+)>

<!ATTLIST message-security-config
    auth-layer %message-layer; #REQUIRED
    default-provider CDATA #IMPLIED
    default-client-provider CDATA #IMPLIED>


<!-- provider-config
    The provider-config element defines the configuration of an       
    authentication provider.                                          

    A provider-config with no contained request-policy or response-policy      
    sub-elements, is a null provider. The container will not instantiate or    
    invoke the methods of a null provider, and as such the implementation      
    class of a null provider need not exist.                                   


  children
    request-policy                                                             
        defines the authentication policy requirements associated     
        with the request processing performed by the authentication   
        provider.                                                     
    response-policy                                                            
        defines the authentication policy requirements associated     
        with the response processing performed by the authentication  
        provider.                                                     

  attributes
    class-name                                                                 
        defines the java implementation class of the provider. Client 
        authentication providers must implement the                   

        com.sun.enterprise.security.jauth.ClientAuthModule            
        interface. Server-side providers must implement the           

        com.sun.enterprise.security.jauth.ServerAuthModule            
        interface. A provider may implement both interfaces, but it   
        must implement the interface corresponding to its provider    
        type.                                                         
    provider-id                                                                
        Identifier used to uniquely identify this                     

        provider-config                                               
        element                                                       
    provider-type                                                              
        defines whether the provider is a client authentication       
        provider or a server authentication provider.                 

  Used in:
    message-security-config                                           
-->
<!ELEMENT provider-config (request-policy?, response-policy?, property*)>

<!ATTLIST provider-config
    provider-id CDATA #REQUIRED
    provider-type (client | server | client-server) #REQUIRED
    class-name CDATA #REQUIRED>


<!-- request-policy
    Used to define the authentication policy requirements associated  
    with the request processing performed by an authentication        
    provider (i.e. when a client provider's                           

    ClientAuthModule.initiateRequest()                                
    method is called or when a server provider's                      

    ServerAuthModule.validateRequest()                                
    method is called).                                                

  attributes
    auth-recipient                                                             
        defines a requirement for message layer authentication of the 
        reciever of a message to its sender (e.g. by XML encryption). 
        before-content                                                         
            indicates that recipient authentication (e.g. encryption) 
            is to occur before any content authentication (e.g.       
            encrypt then sign) with respect to the target of the      
            containing auth-policy.                                   
        after-content                                                          
            indicates that recipient authentication (e.g. encryption) 
            is to occur after any content authentication (e.g. sign   
            then encrypt) with respect to the target of the           
            containing auth-policy.                                   
    auth-source                                                                
        defines a requirement for message layer sender authentication 
        (e.g. username password) or content authentication (e.g.      
        digital signature).                                           

  Used in:
    provider-config                                                   
-->
<!ELEMENT request-policy EMPTY>

<!ATTLIST request-policy
    auth-source (sender | content) #IMPLIED
    auth-recipient (before-content | after-content) #IMPLIED>


<!-- response-policy
    Used to define the authentication policy requirements associated  
    with the response processing performed by an authentication       
    provider (i.e. when a client provider's                           

    ClientAuthModule.validateResponse()                               
    method is called or when a server provider's                      

    ServerAuthModule.secureResponse()                                 
    method is called).                                                

  attributes
    auth-recipient                                                             
        defines a requirement for message layer authentication of the 
        reciever of a message to its sender (e.g. by XML encryption). 
        before-content                                                         
            indicates that recipient authentication (e.g. encryption) 
            is to occur before any content authentication (e.g.       
            encrypt then sign) with respect to the target of the      
            containing auth-policy.                                   
        after-content                                                          
            indicates that recipient authentication (e.g. encryption) 
            is to occur after any content authentication (e.g. sign   
            then encrypt) with respect to the target of the           
            containing auth-policy.                                   
    auth-source                                                                
        defines a requirement for message layer sender authentication 
        (e.g. username password) or content authentication (e.g.      
        digital signature).                                           

  Used in:
    provider-config                                                   
-->
<!ELEMENT response-policy EMPTY>

<!ATTLIST response-policy
    auth-source (sender | content) #IMPLIED
    auth-recipient (before-content | after-content) #IMPLIED>


<!-- web-service-endpoint
    This specifies configuration for a web service end point. This    
    web service end point could be JAXRPC or JSR-109 web service. It  
    contains configuration about Monitoring, Transformation rules and 
    Monitoring Log.                                                   

  attributes
    jbi-enabled                                                                
        when false, it disables the visibility of this endoint as a   
        service in JBI                                                
    max-history-size                                                           
        maximum number of monitoring records stored in history for    
        this end point                                                
    monitoring                                                                 
        monitoring level for this web service.                        
    name                                                                       
        fully qualified web service name. Format:                     
        |ModuleName|#|EndpointName|, if the web service endpoint      
        belongs to an application. (Parent of this element is         
        j2ee-application). |EndpointName|, if the web service         
        endpoint belongs to stand alone ejb-module or web-module.     
        (Parent of this element is either ejb-module or web-module).  

  Used in:
    ejb-module, j2ee-application, web-module                          
-->
<!ELEMENT web-service-endpoint (registry-location*, transformation-rule*)>

<!ATTLIST web-service-endpoint
    name CDATA #REQUIRED
    monitoring %monitoring-level; "OFF"
    max-history-size CDATA "25"
    jbi-enabled %boolean; "true">


<!-- registry-location
    Specifies the registry where web service end point artifacts are  
    published.                                                        

  Used in:
    web-service-endpoint                                              
-->
<!ELEMENT registry-location EMPTY>

<!ATTLIST registry-location
    connector-resource-jndi-name CDATA #REQUIRED>


<!-- transformation-rule
    Specifies configuration for a XSLT transformation rule.           

  attributes
    apply-to                                                                   
        - "request": transformations are applied to request in the order in    
        which they are specified.                                              

        - "response": transformation is applied to response in the order in    
        which they are specified.                                              

        - "both": transformation rule is applied to request and response. The  
        order is reversed for response.                                        

    enabled                                                                    
        if false, this transformation rule is disabled.               
    name                                                                       
        name of the transformation rule                               
    rule-file-location                                                         
        location of rule file to do the transformation. Only XSLT     
        files are allowed. Default location is:                       
        ${com.sun.aas.instanceRoot}/generated/xml/*appOrModule*/*xslt-
        ilename*/ Absolute paths can also be specified.               

  Used in:
    web-service-endpoint                                              
-->
<!ELEMENT transformation-rule EMPTY>

<!ATTLIST transformation-rule
    name CDATA #REQUIRED
    enabled %boolean; "true"
    apply-to %apply-to-type; "request"
    rule-file-location CDATA #REQUIRED>


<!-- load-balancers

  Used in:
    domain                                                            
-->
<!ELEMENT load-balancers (load-balancer*)>


<!-- load-balancer
    known properties:                                                 

    device-host - Host name or IP address for the device                       

    device-admin-port - Device administration port number                      

    ssl-proxy-host - proxy host used for outbound HTTP                         

    ssl-proxy-port - proxy port used for outbound HTTP                         


  attributes
    auto-apply-enabled                                                         
        when true, immediately push changes to lb config to the       
        physical load balancer                                        
    lb-config-name                                                             
        name of the lb-config used by this load balancer              
    name                                                                       
        name of the load balancer                                     

  Used in:
    load-balancers                                                    
-->
<!ELEMENT load-balancer (property*)>

<!ATTLIST load-balancer
    name CDATA #REQUIRED
    lb-config-name CDATA #REQUIRED
    auto-apply-enabled %boolean; "false">


<!-- mbean

  attributes
    enabled                                                                    
    impl-class-name                                                            
        A String that represents fully qualified class name of MBean  
        implementation. This is read-only.                            
    name                                                                       
        A String that represents the name of the MBean. It is         
        required that the name is valid to represent a "value" of a   
        property in the property-list of an MBean ObjectName. The     
        name must be specified and is a primary key for an MBean. An  
        invalid name implies failure of operation.                    
    object-name                                                                
        A String that represents a system-generated Object Name for   
        this MBean.                                                   
    object-type                                                                
        A String representing whether it is a user-defined MBean or a 
        System MBean.                                                 

  Used in:
    applications                                                      
-->
<!ELEMENT mbean (description?, property*)>

<!ATTLIST mbean
    name CDATA #REQUIRED
    object-type %object-type; "user"
    impl-class-name CDATA #REQUIRED
    object-name CDATA #IMPLIED
    enabled %boolean; "true">


<!-- jms-availability

  attributes
    availability-enabled                                                       
        This boolean flag controls whether the MQ cluster associated  
        with the application server cluster is HA enabled or not. If  
        this attribute is "false", then the MQ cluster pointed to by  
        the jms-service element is considered non-HA. JMS Messages    
        are not persisted to a highly available store. If this        
        attribute is "true" the MQ cluster pointed to by the          
        jms-service element is a HA cluster and the MQ cluster uses   
        the database pointed to by mq-store-pool-name to save         
        persistent JMS messages and other broker cluster              
        configuration information. Individual applications will not   
        be able to control or override MQ cluster availability        
        levels. They inherit the availability attribute defined in    
        this element. If this attribute is missing, availability is   
        turned off by default [i.e. the MQ cluster associated with    
        the AS cluster would behave as a non-HA cluster]              
    mq-store-pool-name                                                         
        This is the jndi-name for the JDBC Connection Pool used by    
        the MQ broker cluster for use in saving persistent JMS        
        messages and other broker cluster configuration information.  
        It will default to value of store-pool-name under             
        availability-service (ultimately "jdbc/hastore").             

  Used in:
    availability-service                                              
-->
<!ELEMENT jms-availability (property*)>

<!ATTLIST jms-availability
    availability-enabled %boolean; "false"
    mq-store-pool-name CDATA #IMPLIED>


<!-- management-rules
    Container for self management rules                               

  attributes
    enabled                                                                    
        Acts as high level switch for disabling all the defined       
        rules. If set to "false" all the configured rules would       
        disabled. If set to "true", enabled state of a particular     
        rule will be decided at that rule level.                      

  Used in:
    config                                                            
-->
<!ELEMENT management-rules (management-rule*)>

<!ATTLIST management-rules
    enabled %boolean; "true">


<!-- management-rule
    Defines the configured self management rule                       

  attributes
    enabled                                                                    
        Determines whether the rule is enabled or not. Default value  
        is false.                                                     
    name                                                                       
        Name of the management rule                                   

  Used in:
    management-rules                                                  
-->
<!ELEMENT management-rule (event, action?, description?)>

<!ATTLIST management-rule
    name CDATA #REQUIRED
    enabled %boolean; "true">


<!-- event
    Defines the event associated with the configured rule. For each   
    configured rule there exists one event associated with it.        

  attributes
    level                                                                      
        Specifies at what level to record the event occurance in      
        server log file. Default value is INFO                        
    record-event                                                               
        Specifies whether the occurance of the event is to be logged  
        or not. By default this would be true. If no action is        
        specified, the event would be recorded.                       
    type                                                                       
        Identifies the configured event as one of the predefined      
        event types.                                                  

  Used in:
    management-rule                                                   
-->
<!ELEMENT event (description?, property*)>

<!ATTLIST event
    type %event-type; #REQUIRED
    record-event %boolean; "true"
    level %log-level; "INFO">


<!-- action
    Defines the action MBean associated with the event.               

  attributes
    action-mbean-name                                                          
        identifies the name of the action MBean.                      

  Used in:
    management-rule                                                   
-->
<!ELEMENT action EMPTY>

<!ATTLIST action
    action-mbean-name CDATA #REQUIRED>