Access Manager 7.1 Session Failover

Similar Messages

• Access Manager v7.1 - Sessions / Cookies

  Is their a way to allow the user to open more than once session. Example: I login to web site "A" and access manager authenticates me and allows me in. Now I want to start a new tab to login to web site "A" as a different user. Currently I am unable to do that, when I go to the URL access manager has already been authenticated and allows me in. If I click logout it logs out of both browsers.
  Currently the system act like the cookie are persistent. In v7.1.1 Sun added support for this but doesn't really talk about when to and not to use it. None of the realms are setup to use persistent cookies.
  Any help is appreciated.......

  The problem is not with the Access Manager. Your browser use the same session cookies for all tabs and windows. You must have two differents instances of the browser to have different session cookies. Try any other site and you will see the same thing.

• Sun access Manager session failover

  Hi,
  I am trying to install Sun Access Manager (2005Q1) with Session failover. I have hardware load balancer under which i have configuring Access Manager on two seperate boxes.
  For session failover i have configured Berkelay database on both system but am unable to start the database.
  Now i got the information that Access Manager 6.1 does not support session failover.
  Can anyone confirm if access manager 6.1 supports failover or we need to upgrade it?
  Thx in advance.
  ASN
  Message was edited by:
  asn123

  One clarification. AM 6.1 did have session failvoer feature. But it was container dependent. It used container features to provide this. Each container had its on configuration. It was made independent of the containers in AM 6.3 release. I would stonglry recommend using AM 6.3 or above if you are using session failover.
  shivaram

• Sun Access Manager 2005Q1 session failover is not working

  Hi All
  I m using Sun access manager 2005Q1,message queue 2005Q1, Sun Directory server 5.2 ,BerkelyDb 4.2.52 and radware hardware load balancer with sticky session.
  I m have configured message queue and BerkeleyDB and both are running with any error.
  I m using http://docs.sun.com/source/817-7644/ch5_scenarios.html#wp41008 doc for session failover.
  Simple failover is working fine but the Session failover is not working.
  Any body has done session failover with Sun Access manager 2005 Q1 I m trying to resolve this issue last two month.
  Please it is urgent.

  It works fine in 2005Q4, after applying a patch 120954 if I am not mistaken. But 2005Q4 and 2005Q1 are probably different in terms of session failover (site configuration etc.)
  1. Stop both AM servers
  2. Set logging to debug mode in AMConfig.properties.
  3. Delete / move everything in /var/opt/SUNWam/debug
  4. tail -f /var/opt/SUNWam/debug/amSession
  5. Post that file here... you should be able to see if session failover is enabled etc....
  hope this helps.

• Setting up Access Manager and Directory Server for Failover.

  I'm setting up 2 Access Managers AM1,AM2 and 2 Directory Servers DS1 and DS2 for failover. I've connected AM1 and AM2 to DS1. Suffixes of DS1 is replicated to DS2. Any change made to AM1 is replicated to AM2 as expected. I just patched AM1 with Access Manager patch 1 and the version information for AM1 shows 7.1 126359-01. I followed the same procedure to patch AM2 but AM2 still shows ver 7.1.
  How do I make sure both Access Managers are patched to the same version?
  I'm able to authenticate to one IIS6 site and authentication is passed on to Outlook Web Access on AM1 but when I shut down AM1 to test failover to AM2 OWA prompts me again for password. How do I resolve this?
  On AM1 http://host.domain/amserver/UI/Login?realm=sso successfully logs in but the same on AM2 gives Warning that "You have already logged in. Do you want to log out and then login to a different organization?"
  Please help !!!

  I'll answer what bits I can:
  Q: AM showing the same version?
  A: No idea on this one. I would have expected the operation you described to have produced the right answer. Check that neither your application server nor your web browser are caching old pages (ctrl-F5 in my browser)
  Q: How do I resolve re-authentication on failover?
  A: The AM documentation includes a deployment example that covers pretty closely what it is you are trying to achieve:
  http://docs.sun.com/app/docs/doc/820-2278
  Specifically, the problem you are describing is related to session failover. The sessions are stored in a local DB so when you failover the backup server does not store the same information and hence requires a reauthentication. The section of the above doc that deals with this is here:
  http://docs.sun.com/app/docs/doc/820-2278/gdsre?l=en&a=view
  Q: "You have already logged in" warning
  A: No idea. Sorry.
  R

• SUN Access Manager session attributes

  I'm trying to find out which session attributes that are available for a Policy Agent out of the box from Access Manager 7.1
  The AMAgent.properties file has a property:
  com.sun.am.policy.agents.config.session.attribute.map=
  But the question is which attributes you can fetch through this settup.
  I'm only found the property: successURL.
  I would like to get the authentication level and end user IP adress.

  One clarification. AM 6.1 did have session failvoer feature. But it was container dependent. It used container features to provide this. Each container had its on configuration. It was made independent of the containers in AM 6.3 release. I would stonglry recommend using AM 6.3 or above if you are using session failover.
  shivaram

• Policy Agent doesn't reset Sun  Access Manager session time idle value

  Hi,
  We have the following setup in our environment:
  - apache web server/web and policy agent 2.2 for apache 2.0.54
  - webmethods portal server (jetty)
  -Sun Access Manager (with Sun Directory Server)
  We use policy agent for authentication purpose only (via Sun Access Manager/LDAP) when the users access the portal. We have custom code that creates session in Sun Access Manager for custom LDAP services. For testing purpose, we configure SAM session to have Max Session Timeout at 120mins and Time Idle at 15mins. I would assume that, after the initial login request, for all subsequent accesses to the portal the policy agent should intercept the request and reset the Time Idle value of SAM session. However, when I monitor time idle value using SAM console, session tab, the time idle value didn't change when the portal user access pages, submit actions, etc. I can see in the debug log of policy agent that requests are being intercepted/processed, but the time idle didn't get reset.
  Does anyone know if this is a bug in configuration or in policy agent itself or am I making the wrong assumption?
  Thanks a lot for the help.

  Thanks for the reply, Shivaram. The issue appears to occur at random time, not accurately at the 3 min interval as you mention. I tested changing this value to 1, theoretically, after one 1 minute of idle time, accessing a link would make the agent reset the time idle value for the user session in SAM, but it didn't even after 3 minutes. This seems to be either a policy agent or system access manager bug.
  We performed a 'vanilla' test using the apache server manual pages (only plain HTML, no POST requests), the pages are protected by the policy agent. At the first login, rwe were prompted to enter credential to be validated by SAM/LDAP, and then a user session is created in SAM session table. We browse around the manual pages, once in a while, certain pages cause the policy agent to reset the time idle. However, revisiting these links after a few minutes doesn't reset the idle value. Caching setting has been disable as well. Could there be or lack of some settings in AMConfig.properties or AMAgent.properties that might have caused this behavior?
  Thanks for all your help,

• Communications Express doesn't create access Manager SSO session

  Hi all,
  I'm running Communications Express, Sun Access Manager and Sun messaging server, each on seperate hosts.
  Single Sign On works i.e. when users have a valid session and point their browser at the Communications Express URL they can access their mail, calendar and addressbooks without further ado.
  When they don't have a valid session though and the users go to the Communications Express URL they get a username and password prompt. If they enter valid credentials they will be logged in, but the session created is only a local session, not an Access Manager SSO session. This behaviour has changed from the previous versions of Comm Exp which wouldn't work at all without SSO.
  Is it possible to configure communications express to either redirect users to the Access Manager's authentication page or have Comm Exp create the SSO session on the users behalf?
  TIA
  Herman
  Versions:
  - Communications Express 6.3 update 1
  - Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)
  libimta.so 6.3-4.01 (built 17:13:29, Aug 3 2007; 32bit)

  Hi Shane,
  as always your anwer is better then I could have expected. A more or less complete manual
  just hours after asking my question. Thanks!
  shane_hjorth wrote:
  The cleanest solution I could develop to address the behavioural change was to
  leverage a web-server policy agent to perform the redirections.
  I wrote up a guide but never received any feedback unfortunately so results-may-vary.
  I have republished this guide externally - feedback is welcome:
  http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_AgentTook me some time to implement, test and write feedback:
  The setup we have is a little more complex then the a single box scenario you
  have tested on:
  From the internet working inwards we have load balanced
  SSL accelerators (apache+SSL doing reverse proxy) in front of
  dedicated application servers running communications express.
  Mail is retrieved from separate mail-store clusters.
  Access manager is configured similarly: load balanced SSL accelerators
  in front of application servers running the login page (disributed
  authentication UI). Those then talk to the access manager cluster.
  Firewalls and access lists between each of those layers. None of the
  applications can be accessed directly from the internet and they are
  limited in what they can access in the DMZ as well.
  I followed your recipe to the letter. After a bit of tweaking everything
  worked like a charm. Policy agent installed and configured on the
  SUN webserver where communications express is deployed.
  Instructions were very good on detail and easy to follow.
  We deploy uwc in the root of the server not in /uwc. Something I didn't notice right away.
  It would seem that the policy agent expects the values com.sun.am.naming.url
  (The URL for the Access Manager Naming service) and
  com.sun.am.policy.am.login.url (The URL of the login page on the Access Manager
  where users should enter their credentials) to be the same host.
  In our setup the URL/host users have to use to log in can't be accessed by the policy agent.
  The policy agent should verify sessions directly against the access manager cluster.
  I played with some of the override settings in the policy agent configuration file but
  without much success. Eventually I used the hostname our users have to use to log
  in and abused the /etc/hosts file to map the external hostname to the internal address
  of the access manager cluster. Users end up on the correct login page, and the policy
  agent can verify the sessions. Ugly, but it works.
  The other issue is that the policy agent redirects to:
  com.sun.am.policy.am.login.url?goto=URL_Protected_by_Policy_Agent
  When a users enters incorrect credentials they get the default login url, without the
  goto parameter. (May be bug in access manager or by design...) After entering their
  credentials correctly on their second or third try users won't be redirected back to UWC,
  but will end up on the default page defined by their iplanet-am-user-success-url LDAP attribute.
  I solved that in the policy agents configuration file by adding the gotoOnFail=URL in the
  definition of com.sun.am.policy.am.login.url:
  com.sun.am.policy.am.login.url = https://login.domain.com:443/amserver/UI/Login?gotoOnFail=https://uwc.domain.com:443When you enter incorrect credentials you'll be redirected back to uwc (where the policy agent
  will again intercept you and send you on to the login page for your next try). May be more of
  an issue in the policy agent then your manual.
  Regards,
  Herman

• VZ access manager is already running in another user's session

  Help! My parents currently use an USB Modem - I think the 551 L - for their internet access. They have been receiving the following message:
  VZ access manager is already running in another user's session
  They do not have a wireless router installed.
  Help please!

  VZAccess can only connect one user/session at a time.  Either your parents did not properly shutdown VZA the last time they used it or the USB Modem is not hanging up its previous connection.
  The easiest thing to do would be to reinstall VZA on that computer and see if the problem goes away.  Ask your parents to disconnect the Modem before logging off or shutting down the computer to reduce the chance of the problem coming back.

• HELP GETTING Started with Sun Access Manager without TEARS.

  I am new to Sun Access Manager.
  I am quite familiar with how Sun Java Identity Manager works.
  The following is the issue I am facing.
  I've downloaded the following images from the sun website
  java_es_05Q4-ga1-solaris-x86-1-iso
  and
  java_es_05Q4-ga1-solaris-x86-2-iso
  I've installed the components on sun solaris 10
  The following components were installed
  /opt/SUNWcomds
  I am not sure what this is for
  /opt/SUNWdsvmn
  I am not sure what it is.
  /opt/SUNWma
  What is this I was expecting SUNWam the access management software!
  /opt/SUNWwbsvr -- This is the Web Server.
  I know how to use it.
  Can anyone tell me on how to go about it?
  Is there any online tutorial for the same.
  What is the difference between sparc version and x86. Can i use any of these on solaris 10?
  Anyhelp getting started would be highly appreciated.
  I am looking at doing the following things.
  ssl,fed, auth, custauth etc
  Thanks a ton in Advance.
  Regards,
  Vinod

  I documented my installation procedure for Access Manager 7.0 (2005Q4) and Portal 7.0. Take a look at my wiki page:
  http://wiki.its.queensu.ca/display/JES/Access+Manager+installation
  It's a two node Access manager Legacy site and I also implemented session-failover using Message Queue and Berkeley Database.

• Does the SCAN feature in 11gR2 provide session failover?

  I setup a two-node RAC environment (11.2.0.2), and I can successfully connect to it using Single Client Access Name (SCAN). My clients' tnsnames.ora is as simple as:
  RAC =
  (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = cluster-scan)(PORT = 1521))
  (CONNECT_DATA =
  (SERVER = DEDICATED)
  (SERVICE_NAME = rac)
  I was told by the senior DBA that SCAN provides session failover. By that I mean: suppose there are two nodes, and I have a client establish a connection through sqlplus in another machine (client version 11.2.0.2 as well), eg:
  sqlplus system/password@rac
  I then use something like "SELECT host_name, instance_name FROM v$instance" to figure out which instance I am connected to and I shutdown that instance by running "shutdown abort" there. The expected behavior is for that client to automatically switch to the surviving node (*in the same session*).
  However, it doesn't work that way. Instead, the next SQL statement issued in that sqlplus session results in a "ORA-03113: end-of-file on communication channel." I managed to have it failover automatically, without adding anything (eg: FAILOVER_MODE) in the clients' tnsnames files by creating a service with TAF using srvctl:
  srvctl add service -d rac -s ractaf -P BASIC -m BASIC -e SELECT -z 5 -w 120
  But I have been told this step is not necessary with 11gR2, and session failover should occur automatically if I installed the grid infrastructure and set up SCAN correctly. But I haven't been able to find anything in the documentation indicating this is the case. So, does the SCAN feature in 11gR2 provide session failover?
  Edited by: 894946 on Nov 3, 2011 10:16 AM

  I think you are right because session failover is a service property linked to cluster database instances and not a scan listener feature that basically establish connection with right instance.

• Access Manager FAQ on performance and sizing, policy, et al

  Check out the ninth segment of the Sun Java System Access Manager FAQ on Sun Developer Network at http://developers.sun.com/identity/overview/faq/perf-policy-failover-agents.jsp. These latest Q&As focus on performance and policy, session failover, deployment, and agents, with tips and guidelines for configurations and best practices.

  Hi Steve,
  Of the three components relevent in this case :
  1) the core server itself.
  2) the webapplication - also referred to as client resources.
  3) Multiplexors.
  The webapplication which gets hosted on the app/web server - contains only static information.
  That is, it has the client jars, jnlp's for fetching these, a few jsp and launcher html files for endusers to launch the im client over webstart.
  So, this webclient can be moved to any webcontainer of your choice - and has no restrictions or dependencies on anything.
  Just install the client resources on any server of your choice (which is accessible by end users) and configure/deploy it to your webserver - it needs no access to the backend in any way at all.
  The IM server uses the access manager sdk (amsdk) to talk to access manager - hence, you will need to modify AMConfig.properties appropriately in case you are making the deployment changes after installation and configuration of IM and amsdk on IM server (please refer to IM and AM documentation for more info on how to do this).
  Since what you are attempting looks like a AM supported config, you should not have any issues in configuring IM with that for auth and policy enforcement.
  The multiplexor is totally oblivious to all this - just needs to be accessible by clients and should be able to talk to server - thats all.
  Hope this helps.
  Regards,
  Mridul

• Accessing the same stateful session bean from multiple clients in a clustered environment

  I am trying to access the same stateful session bean from multiple
            clients. I also want this bean to have failover support so we want to
            deploy it in a cluster. The following description is how we have tried
            to solve this problem, but it does not seem to be working. Any
            insight would be greatly appreciated!
            I have set up a cluster of three servers. I deployed a stateful
            session bean with in memory replication across the cluster. A client
            obtains a reference to an instance of one of these beans to handle a
            request. Subsequent requests will have to use the same bean and could
            come from various clients. So after using the bean the first client
            stores the handle to the bean (actually the replica aware stub) to be
            used by other clients to be able to obtain the bean. When another
            client retrieves the handle gets the replica aware stub and makes a
            call to the bean the request seems to unpredictably go to any of the
            three servers rather than the primary server hosting that bean. If the
            call goes to the primary server everything seems to work fine the
            session data is available and it gets backed up on the secondary
            server. If it happens to go to the secondary server a bean that has
            the correct session data services the request but gives the error
            <Failed to update the secondary copy of a stateful session bean from
            home:ejb20-statefulSession-TraderHome>. Then any subsequent requests
            to the primary server will not reflect changes made on the secondary
            and vice versa. If the request happens to go to the third server that
            is not hosting an instance of that bean then the client receives an
            error that the bean was not available. From my understanding I thought
            the replica aware stub would know which server is the primary host for
            that bean and send the request there.
            Thanks in advance,
            Justin
            

            If 'allow-concurrent-call' does exactly what you need, then you don't have a problem,
            do you?
            Except of course if you switch ejb containers. Oh well.
            Mike
            "FBenvadi" <[email protected]> wrote:
            >I've got the same problem.
            >I understand from you that concurrent access to a stateful session bean
            >is
            >not allowed but there is a
            >token is weblogic-ejb-jar.xml that is called 'allow-concurrent-call'
            >that
            >does exactly what I need.
            >What you mean 'you'll get a surprise when you go to production' ?
            >I need to understand becouse I can still change the design.
            >Thanks Francesco
            >[email protected]
            >
            >"Mike Reiche" <[email protected]> wrote in message
            >news:[email protected]...
            >>
            >> Get the fix immediately from BEA and test it. It would be a shame to
            >wait
            >until
            >> December only to get a fix - that doesn't work.
            >>
            >> As for stateful session bean use - just remember that concurrent access
            >to
            >a stateful
            >> session bean is not allowed. Things will work fine until you go to
            >production
            >> and encounter some real load - then you will get a surprise.
            >>
            >> Mike
            >>
            >> [email protected] (Justin Meyer) wrote:
            >> >I just heard back from WebLogic Tech Support and they have confirmed
            >> >that this is a bug. Here is their reply:
            >> >
            >> >There is some problem in failover of stateful session beans when its
            >> >run from a java client.However, it is fixed now.
            >> >
            >> >The fix will be in SP2 which will be out by december.
            >> >
            >> >
            >> >Mike,
            >> >Thanks for your reply. I do infact believe we are correctly using
            >a
            >> >stateful session bean however it may have been misleading from my
            >> >description of the problem. We are not accessing the bean
            >> >concurrently from 2 different clients. The second client will only
            >> >come into play if the first client fails. In this case we want to
            >be
            >> >able to reacquire the handle to our stateful session bean and call
            >it
            >> >from the secondary client.
            >> >
            >> >
            >> >Justin
            >> >
            >> >"Mike Reiche" <[email protected]> wrote in message
            >news:<[email protected]>...
            >> >> You should be using an entity bean, not a stateful session bean
            >for
            >> >this application.
            >> >>
            >> >> A stateful session bean is intended to be keep state (stateful)
            >for
            >> >the duration
            >> >> of a client's session (session).
            >> >>
            >> >> It is not meant to be shared by different clients - in fact, if
            >you
            >> >attempt to
            >> >> access the same stateful session bean concurrently - it will throw
            >> >an exception.
            >> >>
            >> >> We did your little trick (storing/retrieving handle) with a stateful
            >> >session bean
            >> >> on WLS 5.1 - and it did work properly - not as you describe. Our
            >sfsb's
            >> >were not
            >> >> replicated as yours are.
            >> >>
            >> >> Mike
            >> >>
            >> >> [email protected] (Justin Meyer) wrote:
            >> >> >I am trying to access the same stateful session bean from multiple
            >> >> >clients. I also want this bean to have failover support so we want
            >> >to
            >> >> >deploy it in a cluster. The following description is how we have
            >tried
            >> >> >to solve this problem, but it does not seem to be working. Any
            >> >> >insight would be greatly appreciated!
            >> >> >
            >> >> >I have set up a cluster of three servers. I deployed a stateful
            >> >> >session bean with in memory replication across the cluster. A client
            >> >> >obtains a reference to an instance of one of these beans to handle
            >> >a
            >> >> >request. Subsequent requests will have to use the same bean and
            >could
            >> >> >come from various clients. So after using the bean the first client
            >> >> >stores the handle to the bean (actually the replica aware stub)
            >to
            >> >be
            >> >> >used by other clients to be able to obtain the bean. When another
            >> >> >client retrieves the handle gets the replica aware stub and makes
            >> >a
            >> >> >call to the bean the request seems to unpredictably go to any of
            >the
            >> >> >three servers rather than the primary server hosting that bean.
            >If
            >> >the
            >> >> >call goes to the primary server everything seems to work fine the
            >> >> >session data is available and it gets backed up on the secondary
            >> >> >server. If it happens to go to the secondary server a bean that
            >has
            >> >> >the correct session data services the request but gives the error
            >> >> ><Failed to update the secondary copy of a stateful session bean
            >from
            >> >> >home:ejb20-statefulSession-TraderHome>. Then any subsequent requests
            >> >> >to the primary server will not reflect changes made on the secondary
            >> >> >and vice versa. If the request happens to go to the third server
            >that
            >> >> >is not hosting an instance of that bean then the client receives
            >an
            >> >> >error that the bean was not available. From my understanding I
            >thought
            >> >> >the replica aware stub would know which server is the primary host
            >> >for
            >> >> >that bean and send the request there.
            >> >> >
            >> >> >Thanks in advance,
            >> >> >Justin
            >>
            >
            >
            

• UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)

  PREAMBULA: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc-links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
  In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
  Is there some known bug or workaround that matches this description?
  Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
  We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in UWC/CE web-interface. I have reported them before, then they seemed fixed (not occuring for several tests in a row), but as time has shown, something wrong is still there.
  So I'll try to go into deeper detail now, as we've may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
  Our setup is split into several Solaris 10 full-root zones hosted on several servers, some of the components are enroute to HA (perhaps we made some mistakes on this part of the way?)
  So, we have the following software stack:
  1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
  2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
  These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
  3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
  At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
  Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
  Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
  4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
  In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
  5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
  This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its servicess.
  The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
  # imsimta version
  Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
  libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
  SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
  While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
  "Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
  We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (i.e. www.mail.domain.ru which is equivalent in DNS), they have only the Address book, Calendar and Options tabs; no webmail. So far this is resolved by Policy Agent forcing The One name of the server.
  Here's the configuration we did specifically for AM SSO:
  1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
  com.iplanet.am.cookie.encode=false
  am.encryption.pwd=<the same value>
  all hostname-related parameters point to "psam.domain.ru"
  2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
  com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
  com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
  3) in "msg.conf" on "sunmail" (entries added via configutil):
  local.webmail.sso.amcookiename = iPlanetDirectoryPro
  local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
  local.webmail.sso.singlesignoff = yes
  local.webmail.sso.uwcenabled = 1
  service.http.ipsecurity = no
  (perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
  4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
  5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
  --- main.js.orig        Sat Jan 26 07:52:09 2008
  +++ main.js     Mon Jul 21 01:06:29 2008
  @@ -667,7 +667,8 @@
  function cleanup() {
     if(laurel)
  -      top.window.location =  getUWCHost() + "/base/UWCMain?op=logout"
  +//      top.window.location =  getUWCHost() + "/base/UWCMain?op=logout"
  +      top.window.location =  "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
     else
         exec('logout', '', 'exit()')
  @@ -1707,7 +1708,8 @@
     if(lg) {
           url = document.location.href
           url = url.substr(0,url.indexOf('webmail'))
  -        uwcurl = url + 'base/UWCMain?op=logout'        
  +//      uwcurl = url + 'base/UWCMain?op=logout'        
  +        uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
     exit()
  }6) Calendar SSO - per docs...
  According to ngrep sniffing,
  1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
  2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
  3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
  Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
  Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
  Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
  4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
  Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
  5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
  Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
  Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
  6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
  Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
  7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
  <Request><![CDATA[
  <NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
  <GetNamingProfile>
  </GetNamingProfile>
  </NamingRequest>]]>
  </Request>
  </RequestSet>(receives a large XML list of different Access Manager configuration parameters and URLs)
  ...then a double-request to /amserver/sessionservice:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="Session" reqid="686">
  <Request><![CDATA[
  <SessionRequest vers="1.0" reqid="678">
  <GetSession reset="true">
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </GetSession>
  </SessionRequest>]]>
  </Request>
  <Request><![CDATA[
  <SessionRequest vers="1.0" reqid="679">
  <AddSessionListener>
  <URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </AddSessionListener>
  </SessionRequest>]]>
  </Request>
  </RequestSet>As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
  !!!*** Now, the problem part ***!!!
  8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
  I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
  For the most detail I can provide, I'll even paste the whole HTTP packet:
  POST /amserver/sessionservice HTTP/1.1
  Proxy-agent: Sun-Java-System-Web-Server/7.0
  Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
  Content-type: text/xml;charset=UTF-8
  Content-length: 336
  Cache-control: no-cache
  Pragma: no-cache
  User-agent: Java/1.5.0_09
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Host: cos-psam-01.domain.ru
  Client-ip: 194.xxx.xxx.xxx
  Via: 1.1 https-weblb.domain.ru
  Connection: keep-alive
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="session" reqid="258">
  <Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
  <GetSession reset="true">
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </GetSession>
  </SessionRequest>]]></Request>
  </RequestSet> The server's error response is apparent:
  HTTP/1.1 200 OK
  Server: Sun-Java-System-Web-Server/7.0
  Date: Thu, 31 Jul 2008 05:49:50 GMT
  Content-type: text/html
  Transfer-encoding: chunked
  19b
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <ResponseSet vers="1.0" svcid="session" reqid="258">
  <Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
  <GetSession>
  <Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
  AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
  </GetSession>
  </SessionResponse>]]></Response>
  </ResponseSet>On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
  For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
  POST /amserver/sessionservice HTTP/1.1
  Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
  Content-Type: text/xml;charset=UTF-8
  Content-Length: 379
  Cache-Control: no-cache
  Pragma: no-cache
  User-Agent: Java/1.5.0_09
  Host: psam.domain.ru
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Connection: keep-alive
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="session" reqid="281">
  <Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
  <SetProperty>
  <SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
  <Property name="uwcstatus" value="active"></Property>
  </SetProperty>
  </SessionRequest>]]></Request>
  </RequestSet> ...and the response is OK:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <ResponseSet vers="1.0" svcid="session" reqid="281">
  <Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
  <SetProperty>
  <OK></OK>
  </SetProperty>
  </SessionResponse>]]></Response>
  </ResponseSet>

  There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
  The solution for these customers was the following:
  => AM server/client side:
  Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
  => AM client (UWC) side:
  - Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
  <sun-web-app>
     <property name="encodeCookies" value="false"/>
     <session-config>
        <session-manager/>
     </session-config>
     <jsp-config/>
  <property name="allowLinking" value="true" />
  </sun-web-app>Regards,
  Shane.

• Problem with second instance of access manager

  Well, after sorting out things with the first install of access manager, I went on to install a second instance on a different host (it's required for delegated admin..)
  Here are the options I used on install:
  Access Manager: Administration (1 of 6)
  Administrator User ID: amAdmin
  Administrator Password [] {"<" goes back, "!" exits}:
  Retype Password [] {"<" goes back, "!" exits}:
  LDAP User ID: amldapuser
  LDAP Password [] {"<" goes back, "!" exits}:
  Retype Password [] {"<" goes back, "!" exits}:
  Password Encryption Key [gFoe4t8UlUW3wEApngAY3S8bCQFVMlGk] {"<" goes back,
  "!" exits}: weW5jtopMLQsODiBZDp+hlEp1/CtbiXX
  Install type (Realm/Legacy) Mode [Legacy] {"<" goes back, "!" exits}:
  Access Manager: Web Container (2 of 6)
  1. Sun Java System Application Server
  2. Sun Java System Web Server
  Select the container to deploy the component and hit enter key [2] {"<" goes
  back, "!" exits}
  Access Manager: Sun Java System Web Server (3 of 6)
  Host Name [zone2.corenode.com] {"<" goes back, "!" exits}:
  Web Server Instance Directory [opt/SUNWwbsvr/https-zone2.corenode.com] {"<"
  goes back, "!" exits}:
  Web Server Port [80] {"<" goes back, "!" exits}:
  Document Root Directory [opt/SUNWwbsvr/docs] {"<" goes back, "!" exits}:
  Secure Server Instance Port [No] {"<" goes back, "!" exits}:
  Access Manager: Web Container for running Access Manager Services(4 of 6)
  Host Name [zone2.corenode.com] {"<" goes back, "!" exits}:
  Services Deployment URI [amserver] {"<" goes back, "!" exits}:
  Common Domain Deployment URI [amcommon] {"<" goes back, "!" exits}:
  Cookie Domain(Assure it is not a top level domain) [.corenode.com] {"<" goes
  back, "!" exits}:
  Administration Console [Yes] {"<" goes back, "!" exits}:
  Console Deployment URI [amconsole] {"<" goes back, "!" exits}:
  Password Deployment URI [ampassword] {"<" goes back, "!" exits}:
  Access Manager: Directory Server Information (5 of 6)
  Directory Server Host [] {"<" goes back, "!" exits}: zone1.corenode.com
  Directory Server Port [] {"<" goes back, "!" exits}: 389
  Directory Root Suffix [dc=corenode,dc=com] {"<" goes back, "!" exits}:
  Directory Manager DN [cn=Directory Manager] {"<" goes back, "!" exits}:
  Directory Manager Password [] {"<" goes back, "!" exits}:
  Access Manager: Directory Server Information (6 of 6)
  Is Directory Server provisioned with user data [No] {"<" goes back, "!"
  exits}? Yes
  Organization Marker Object Class [sunISManagedOrganization] {"<" goes back,
  "!" exits}:
  Organization Naming Attribute [o] {"<" goes back, "!" exits}:
  User Marker Object Class [inetorgperson] {"<" goes back, "!" exits}:
  User Naming Attribute [uid] {"<" goes back, "!" exits}:
  Yes, I am using the same key as was used on host1 for access manager. Yes, access manager on host 1 is quite functional right now. Yes, that directory server works. Now I'm really stumped on what to do! Everything in JES seems to work great except access manager, the exceptions it throws really don't help any at all in troubleshooting.
  Any ideas?

  More info from error logs:
  # pwd
  /var/opt/SUNWam/debug
  # tail -200 amAuth
  04/12/2006 09:56:47:127 AM HST: Thread[main,5,main]
  ERROR: AuthD failed to get auth session
  04/12/2006 09:56:47:165 AM HST: Thread[main,5,main]
  ERROR: AuthD init()
  com.iplanet.dpro.session.SessionException: AuthD failed to get auth session
  at com.sun.identity.authentication.service.AuthD.initAuthSessions(AuthD.java:709)
  at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:229)
  at com.sun.identity.authentication.service.AuthD.getAuth(AuthD.java:494)
  at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
  at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
  at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
  at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
  at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
  at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
  at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
  at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
  at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
  at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
  at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
  at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
  at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
  at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
  # tail -200 amSession
  04/12/2006 09:56:47:098 AM HST: Thread[main,5,main]
  ERROR: SessionService.SessionService(): Initialization Failed
  com.iplanet.services.naming.ServerEntryNotFoundException: Cannot find server ID.
  at com.iplanet.services.naming.WebtopNaming.getServerID(WebtopNaming.java:350)
  at com.iplanet.dpro.session.service.SessionService.<init>(SessionService.java:1540)
  at com.iplanet.dpro.session.service.SessionService.getSessionService(SessionService.java:382)
  at com.sun.identity.authentication.service.AuthD.getSS(AuthD.java:685)
  at com.sun.identity.authentication.service.AuthD.initAuthSessions(AuthD.java:706)
  at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:229)
  at com.sun.identity.authentication.service.AuthD.getAuth(AuthD.java:494)
  at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
  at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
  at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
  at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
  at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
  at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
  at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
  at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
  at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
  at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
  at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
  at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
  at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
  at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
  04/12/2006 09:56:47:126 AM HST: Thread[main,5,main]
  ERROR: Error creating service session
  java.lang.NullPointerException
  at com.iplanet.dpro.session.service.SessionService.generateEncryptedID(SessionService.java:588)
  at com.iplanet.dpro.session.service.SessionService.generateSessionId(SessionService.java:612)
  at com.iplanet.dpro.session.service.SessionService.newInternalSession(SessionService.java:557)
  at com.iplanet.dpro.session.service.SessionService.getServiceSession(SessionService.java:501)
  at com.iplanet.dpro.session.service.SessionService.getAuthenticationSession(SessionService.java:408)
  at com.sun.identity.authentication.service.AuthD.initAuthSessions(AuthD.java:706)
  at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:229)
  at com.sun.identity.authentication.service.AuthD.getAuth(AuthD.java:494)
  at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
  at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
  at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
  at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
  at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
  at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
  at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
  at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
  at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
  at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
  at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
  at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
  at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
  at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
  #