AM policy agents for Weblogic help

I installed a Policy Agent for Weblogic Server 8.1 When I try to start the Weblogic server after modifications, the portal server throws an exception....
com.sun.identity.agents.AmAgentFilter not found
When u enter the URL for that application running on Weblogic , it is supposed to be forwarded to the Identity Management page ...but this does not happen..
It is apparently able to read the web.xml file in the Weblogic application but is not able to find the particular class above....nor is it able to contact the IDM.
Any suggestions?
Anand

I am trying to install a PA with a Weblogic server. The installation works fine and I have also configured the necessary config files...and the concerned Weblogic server starts up successfully.
But when I enter the URL , I see the following error in the Logs....
<Jan 3, 2006 3:54:12 PM CST> <Error> <HTTP> <BEA-101020> <[ServletContext(id=20772999,name=sbm,context-path=/sbm)] Servlet failed with Exception
java.lang.ExceptionInInitializerError
     at com.sun.identity.agents.filter.AmFilter.<init>(Unknown Source)
     at com.sun.identity.agents.filter.AmFilterManager.getAmFilter(Unknown Source)
     at com.sun.identity.agents.filter.AmFilterManager.getAmFilter(Unknown Source)
     at com.sun.identity.agents.filter.AmFilterManager.getAmFilterInstanceForModeConfigured(Unknown Source)
     at com.sun.identity.agents.filter.AmAgentFilter.doFilter(Unknown Source)
     at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:27)
     at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:6724)
     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
     at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:121)
     at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3764)
     at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2644)
     at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
     at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
Caused by: java.lang.RuntimeException: Exception caught in AmAgentLogManager initializer: Unable to initialize Local Log Handler
     at com.sun.identity.agents.log.AmAgentLogManager.<clinit>(Unknown Source)
Can someone help me taclke this problem??
Thanks!
anand

Similar Messages

  • Urgent :Authentication fails for Policy Agent on weblogic 8 SP3

    Hi
    I am using policy agent for perimeter authentication for an application deployed on weblogic.When i try and access the application using any user which exists on Identity server i get the following exception in the amRealm log.
    09/20/2005 06:17:07:378 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmMappingRealm: authenticateAndFetchAllRoles amAdmin, ...) = []
    09/20/2005 06:17:07:378 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: AmLoginModule.login() : Empty list of principals for user = amAdmin
    09/20/2005 06:17:07:379 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.abort()
    09/20/2005 06:17:12:505 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.authenticate() Initialized callback handler for Subject:
    09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.login()
    09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.login() : User name from Callback amAdmin
    09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: SSOTokenValidator failed with exception
    [AgentException Stack]
    com.sun.identity.agents.arch.AgentException: Invalid transport string version
    at com.sun.identity.agents.util.TransportToken.initializeFromString(Unknown Source)
    at com.sun.identity.agents.util.TransportToken.<init>(Unknown Source)
    at com.sun.identity.agents.common.SSOTokenValidator.validate(Unknown Source)
    at com.sun.identity.agents.realm.AmMappingRealm.authenticateAndFetchAllRoles(Unknown Source)
    at com.sun.identity.agents.weblogic.AmLoginModule.login(Unknown Source)
    at weblogic.security.service.DelegateLoginModuleImpl.login(DelegateLoginModuleImpl.java:71)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
    at weblogic.security.service.PrincipalAuthenticator.authInternal(PrincipalAuthenticator.java:326)
    at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:279)
    at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:389)
    at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:296)
    at weblogic.servlet.security.internal.BasicSecurityModule.checkUserPerm(BasicSecurityModule.java:125)
    at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
    at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSecurityModule.java:47)
    at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
    at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3568)
    at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2630)
    at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
    at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
    09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmMappingRealm: authenticateAndFetchAllRoles amAdmin, ...) = []
    09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: AmLoginModule.login() : Empty list of principals for user = amAdmin
    09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmLoginModule.abort()

    Hi,
    I have not set it up as a window service but can try to help. for one thing, this step is not permanent and if it does not work then you can undo this step by re-editting the script to remove the line you added. This step has you change the bea startup script for that domain to call the agent script setAgentEnv_AdminServer(it ws copied into bea domain directory during installation of agent) which just sets some agent resources in the classpath. If you start bea and those things are not in the classpath etc then agent wont work. So no permanent damage, you can change it if it doesnt work.
    I suggest you try it out and start the bea server as a service and see if it works - if not try again.
    I am not sure what the windows service would use to start the app server, but somehow it must specify some environment properties and things in its classpath, so if this script doesnt work then you can just do the things in the setAgentEnv_AdminServer script like setting those things in classpath.
    Please let us know if it works and if any extra steps required? Would be helpful to others to know how to configure as a windows service.
    hth,
    Sean

  • Identity Server Policy agent for BEA Weblogic Server 8.0

    Hi all,
    I donot find policy agents for BEA weblogic 8.X.
    Is the 6.1SP2 version forward compatible?
    Thanks

    You didn't specified the OS. Please find the PA support with different platforms & softwares..
    http://docs.sun.com/source/816-6884-10/chapter1.html#wp21986

  • Authorization issue with J2EE Policy Agent for AS7

    Following the documentaion I have created a simple J2EE application with a servlet and 2 jsp's. The 2 JSP's customer.jsp and admin.jsp are mapped to /customer and /admin. The entire web application is subject to a filter like:
    <filter>
    <filter-name>Agent</filter-name>
    <display-name>Agent</display-name>
    <description>SunTM ONE Idenitity Server Policy Agent for SunTM ONE Application Server 7.0</description>
    <filter-class>com.sun.amagent.as.filter.AgentFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>Agent</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
    The two resources /customer and /admin are subjected security constraints like:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>col2</web-resource-name>
    <url-pattern>/customer</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>customer</role-name>
    </auth-constraint>
    <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    The role-to-principal mapping is done in the sun-web.xml like:
    <security-role-mapping>
    <role-name>customer</role-name>
    <group-name>customer</group-name>
    <principal-name>amAdmin</principal-name>
    </security-role-mapping>
    <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>admin</group-name>
    <principal-name>amAdmin</principal-name>
    </security-role-mapping>
    Two roles 'customer' and admin are created via the identity server console and users are added to these roles.
    The application deploys OK, when the app is accesed the user is redirected to the identity server and is authenticated fine. The user is directed to the main servlet and is allowed to access the the two jsp's. All is good till now, when the user access one these links say /customer, access is denied (403). The server logs prints out:
    [21/May/2003:10:34:24] FINE ( 6036): servletPath = /customer
    [21/May/2003:10:34:24] FINE ( 6036): pathInfo = null
    [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Process request for '/idssample/customer'
    [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Checking for SSO cookie
    [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: SSO cookie is not present
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Security checking request GET /idssample/customer
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: We have cached auth type PROGRAMMATIC for principal amAdmin
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> false
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> true
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Subject to constraint SecurityConstraint[col2]
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling checkUserData()
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User data constraint has no restrictions
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling authenticate()
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User authentication is not required
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling accessControl()
    [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL : amAdmin hasRole?: customer
    [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL TABLE: {}
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Failed accessControl() test
    [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin)
    [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin) => java.util.Vector$1@bb60ad
    Now, snooping around I have found that the AgentRealm.getGroupNames(userdn) does
    return the correct grops viz. customer,admin,anyone.
    PLEASE HELP

    -- Second Update --
    After policy installation I got several problems with PeopleSoft configuration. Which finally were solved.
    1. Some URL's has to be defined as not enforced.
    com.sun.am.policy.amFilter.notenforcedList[1]=/ps/images/*
    com.sun.am.policy.amFilter.notenforcedList[2]=*.css
    com.sun.am.policy.amFilter.notenforcedList[3]=*.ico
    2. In versions older than PeopleSoft 8.4.2 the policy agent modified the file
    /opt/fs/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/ps/configuration.properties to add the properties:
    byPassSignon=TRUE
    defaultUserid="DEFAULT_USER"
    defaultPWD="your password"
    signon_page=amsignin.html
    signonError_page=amsignin.html
    logout_page=amsignin.html
    expire_page=amsignin.html
    However, in the newer versions of PeopleSoft this properties are controled from the online Peoplesoft console. Which are set on:
    PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Security --> In section "Public Users" the parameters that has to be changed are:
    Allow Public Access (cheked)
    User ID : DEFAULT_USER
    Password : your password
    HTTP Session Inactivity : (SSO TIMEOUT)
    and:
    PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Look and Feel -->
    In section "SignOn/Logout" set the following values:
    Signon Page : amsignin.html
    Signon Error Page : amerror.html
    Logout Page : amsignout.html
    Note: After making any changes on the console; restart PIA (weblogic instance).
    With this the SSO with PeopleSoft is working Ok.
    Message was edited by:
    LpzYlnd

  • Policy Agent for JBoss

    Hi,
    I have installed SAM (together with S1DS, Web Server and Administration Server (from JES installer)).
    I have installed and configured Policy Agent for JBoss AS, but i'm getting a browser "Redirect loop" (Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked.) error after I login with a correct user/password combination when I try to access the sample application.
    My browser accepts cookies from all domains and I get no error in console.
    My AMAgent.properties looks like this:
    com.sun.identity.agents.config.user.mapping.mode = USER_ID
    com.sun.identity.agents.config.user.attribute.name = employeenumber
    com.sun.identity.agents.config.user.principal = false
    com.sun.identity.agents.config.user.token = UserToken
    com.sun.identity.agents.config.client.ip.header =
    com.sun.identity.agents.config.client.hostname.header =
    com.sun.identity.agents.config.load.interval = 0
    com.sun.identity.agents.config.locale.language = en
    com.sun.identity.agents.config.locale.country = US
    com.sun.identity.agents.config.organization.name = /
    com.sun.identity.agents.config.audit.accesstype = LOG_BOTH
    com.sun.identity.agents.config.log.disposition = ALL
    com.sun.identity.agents.config.remote.logfile = amAgent_11_126_14_20_8080.log
    com.sun.identity.agents.config.local.logfile = /home/ciuc/stuff/src/j2ee_agents/am_jboss_agent/agent_001/logs/audit/amAgent_11_126_14_20_8080.log
    com.sun.identity.agents.config.local.log.rotate = false
    com.sun.identity.agents.config.local.log.size = 52428800
    com.sun.identity.agents.config.webservice.enable = false
    com.sun.identity.agents.config.webservice.endpoint[0] =
    com.sun.identity.agents.config.webservice.process.get.enable = true
    com.sun.identity.agents.config.webservice.authenticator =
    com.sun.identity.agents.config.webservice.internalerror.content = WSInternalErrorContent.txt
    com.sun.identity.agents.config.webservice.autherror.content  = WSAuthErrorContent.txt
    com.sun.identity.agents.config.access.denied.uri =
    com.sun.identity.agents.config.login.form[0] =
    com.sun.identity.agents.config.login.error.uri[0] =
    com.sun.identity.agents.config.login.use.internal = true
    com.sun.identity.agents.config.login.content.file = FormLoginContent.txt
    com.sun.identity.agents.config.auth.handler[] =    
    com.sun.identity.agents.config.logout.handler[] =
    com.sun.identity.agents.config.verification.handler[] =
    com.sun.identity.agents.config.redirect.param = goto
    com.sun.identity.agents.config.login.url[0] = http://sam.domain:80/amserver/UI/Login
    com.sun.identity.agents.config.login.url.prioritized = true
    com.sun.identity.agents.config.agent.host =
    com.sun.identity.agents.config.agent.port =
    com.sun.identity.agents.config.agent.protocol =
    com.sun.identity.agents.config.login.attempt.limit = 0
    com.sun.identity.agents.config.sso.decode = true
    com.sun.identity.agents.config.amsso.cache.enable = true
    com.sun.identity.agents.config.cookie.reset.enable = false
    com.sun.identity.agents.config.cookie.reset.name[0] =
    com.sun.identity.agents.config.cookie.reset.domain[] = 
    com.sun.identity.agents.config.cookie.reset.path[] =
    com.sun.identity.agents.config.cdsso.enable = false
    com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
    com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = http://dm-test-win-1:80/amserver/cdcservlet
    com.sun.identity.agents.config.cdsso.clock.skew = 0
    com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = http://dm-test-win-1:80/amserver/cdcservlet
    com.sun.identity.agents.config.logout.application.handler[] =
    com.sun.identity.agents.config.logout.uri[] =
    com.sun.identity.agents.config.logout.request.param[] =
    com.sun.identity.agents.config.logout.introspect.enabled = false
    com.sun.identity.agents.config.logout.entry.uri[] =
    com.sun.identity.agents.config.fqdn.check.enable = true
    com.sun.identity.agents.config.fqdn.default = jbossAS.domain
    com.sun.identity.agents.config.fqdn.mapping[] =
    com.sun.identity.agents.config.legacy.support.enable = false
    com.sun.identity.agents.config.legacy.user.agent[0] = Mozilla/4.7*
    com.sun.identity.agents.config.legacy.redirect.uri = /agentapp/sunwLegacySupportURI
    com.sun.identity.agents.config.response.header[] =
    com.sun.identity.agents.config.redirect.attempt.limit = 0
    com.sun.identity.agents.config.port.check.enable = false
    com.sun.identity.agents.config.port.check.file = PortCheckContent.txt
    com.sun.identity.agents.config.port.check.setting[8080] = http
    com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
    com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
    com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
    com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
    com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
    com.sun.identity.agents.config.notenforced.uri.invert = false
    com.sun.identity.agents.config.notenforced.uri.cache.enable = true
    com.sun.identity.agents.config.notenforced.uri.cache.size = 1000
    com.sun.identity.agents.config.notenforced.ip[0] =
    com.sun.identity.agents.config.notenforced.ip.invert = false
    com.sun.identity.agents.config.notenforced.ip.cache.enable = true
    com.sun.identity.agents.config.notenforced.ip.cache.size = 1000
    com.sun.identity.agents.config.attribute.cookie.separator = |
    com.sun.identity.agents.config.attribute.date.format = EEE, d MMM yyyy hh:mm:ss z
    com.sun.identity.agents.config.attribute.cookie.encode = true
    com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
    com.sun.identity.agents.config.profile.attribute.mapping[] =
    com.sun.identity.agents.config.session.attribute.fetch.mode = NONE
    com.sun.identity.agents.config.session.attribute.mapping[] =
    com.sun.identity.agents.config.response.attribute.fetch.mode = NONE
    com.sun.identity.agents.config.response.attribute.mapping[] =
    com.sun.identity.agents.config.bypass.principal[0] =
    com.sun.identity.agents.config.default.privileged.attribute[0] = AUTHENTICATED_USERS
    com.sun.identity.agents.config.privileged.attribute.type[0] = Role
    com.sun.identity.agents.config.privileged.attribute.tolowercase[Role] = false
    com.sun.identity.agents.config.privileged.session.attribute[0] =
    com.sun.identity.agents.config.service.resolver = com.sun.identity.agents.jboss.v40.AmJBossAgentServiceResolver
    com.sun.identity.agents.app.username = amagent
    com.iplanet.am.service.secret = AQICJmGvlBWYuAYQndALuvNKiw==
    am.encryption.pwd = /mY/WidDT34aJtbcFS0pCKFEt6evPeTF
    com.sun.identity.client.encryptionKey= /mY/WidDT34aJtbcFS0pCKFEt6evPeTF
    com.iplanet.services.debug.level=error
    com.iplanet.services.debug.directory=/home/ciuc/stuff/src/j2ee_agents/am_jboss_agent/agent_001/logs/debug
    com.iplanet.am.cookie.name=iPlanetDirectoryPro
    com.iplanet.am.naming.url=http://sam.domain:80/amserver/namingservice
    com.iplanet.am.notification.url=http://jbossAS.domain:8080/agentapp/notification
    com.iplanet.am.session.client.polling.enable=false
    com.iplanet.am.session.client.polling.period=180
    com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
    com.iplanet.am.sdk.remote.pollingTime=1
    com.sun.identity.sm.cacheTime=1
    com.iplanet.am.localserver.protocol=http
    com.iplanet.am.localserver.host=jbossAS.domain
    com.iplanet.am.localserver.port=8080
    com.iplanet.am.server.protocol=http
    com.iplanet.am.server.host=sam.domain
    com.iplanet.am.server.port=80
    com.sun.identity.agents.server.log.file.name=amRemotePolicyLog
    com.sun.identity.agents.logging.level=BOTH
    com.sun.identity.agents.notification.enabled=true
    com.sun.identity.agents.notification.url=http://jbossAS.domain:8080/agentapp/notification
    com.sun.identity.agents.polling.interval=3
    com.sun.identity.policy.client.cacheMode=subtree
    com.sun.identity.policy.client.booleanActionValues=iPlanetAMWebAgentService|GET|allow|deny:iPlanetAMWebAgentService|POST|allow|deny
    com.sun.identity.policy.client.resourceComparators=serviceType=iPlanetAMWebAgentService|class=com.sun.identity.policy.plugins.HttpURLResourceName|wildcard=*|delimiter=/|caseSensitive=false
    com.sun.identity.policy.client.clockSkew=1011.126.14.20 is the computer where I have the JBoss installation.
    11.126.14.18 is the computer where I have SAM services.
    Do you have any idea why this error may occur?
    Thank you in advance,
    Cristi

    Hi,
    Thanks for your responses, I've included my AMAgent.properties below if you could take a look at it.
    I only seem to run into the problem when I authenticate if the following is set:
    com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
    If that is set to NONE then I can access the application fine, but if i use the HTTP_HEADER and attempt to pass information via the header I get stuck in the loop which results in the message <strong>".Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked."</strong>
    There is no helpful output in either my container log or the Policy Agent logs.
    The myHost.local. exists within my /etc/hosts file and using ping and other tools resolve fine.
    I am using JBOSS 4.2.2 on Linux (and windows).
    If anyone can help save my sanity it would be appreciated.
    com.sun.identity.agents.config.filter.mode = URL_POLICY
    com.sun.identity.agents.config.user.mapping.mode = USER_ID
    com.sun.identity.agents.config.user.attribute.name = employeenumber
    com.sun.identity.agents.config.user.principal = false
    com.sun.identity.agents.config.user.token = UserToken
    com.sun.identity.agents.config.load.interval = 0
    com.sun.identity.agents.config.locale.language = en
    com.sun.identity.agents.config.locale.country = US
    com.sun.identity.agents.config.audit.accesstype = LOG_NONE
    com.sun.identity.agents.config.log.disposition = REMOTE
    com.sun.identity.agents.config.remote.logfile = amAgent_8089.log
    com.sun.identity.agents.config.local.logfile = /usr/j2ee_agents/am_jboss_agent/agent_001/logs/audit/amAgent_8089.log
    com.sun.identity.agents.config.local.log.rotate = false
    com.sun.identity.agents.config.local.log.size = 52428800
    com.sun.identity.agents.config.webservice.enable = false
    com.sun.identity.agents.config.webservice.endpoint[0] =
    com.sun.identity.agents.config.webservice.process.get.enable = true
    com.sun.identity.agents.config.webservice.authenticator =
    com.sun.identity.agents.config.webservice.internalerror.content = WSInternalErrorContent.txt
    com.sun.identity.agents.config.webservice.autherror.content  = WSAuthErrorContent.txt
    com.sun.identity.agents.config.login.form[0] = /manager/AMLogin.html
    com.sun.identity.agents.config.login.form[1] = /host-manager/AMLogin.html
    com.sun.identity.agents.config.login.error.uri[0] = /manager/AMError.html
    com.sun.identity.agents.config.login.error.uri[1] = /host-manager/AMError.html
    com.sun.identity.agents.config.login.use.internal = true
    com.sun.identity.agents.config.login.content.file = FormLoginContent.txt
    com.sun.identity.agents.config.auth.handler[] =   
    com.sun.identity.agents.config.logout.handler[] =
    com.sun.identity.agents.config.verification.handler[] =
    com.sun.identity.agents.config.redirect.param = goto
    com.sun.identity.agents.config.login.url[0] = http://myHost.local:8080/amserver/UI/Login
    com.sun.identity.agents.config.login.url.prioritized = true
    com.sun.identity.agents.config.login.url.probe.enabled = true
    com.sun.identity.agents.config.login.url.probe.timeout = 2000
    com.sun.identity.agents.config.agent.host =
    com.sun.identity.agents.config.agent.port =
    com.sun.identity.agents.config.agent.protocol =
    com.sun.identity.agents.config.login.attempt.limit = 0
    com.sun.identity.agents.config.sso.decode = true
    com.sun.identity.agents.config.amsso.cache.enable = true
    com.sun.identity.agents.config.cookie.reset.enable = false
    com.sun.identity.agents.config.cookie.reset.name[0] =
    com.sun.identity.agents.config.cookie.reset.domain[] =
    com.sun.identity.agents.config.cookie.reset.path[] =
    com.sun.identity.agents.config.cdsso.enable = false
    com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
    com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = http://myHost.local:8080/amserver/cdcservlet
    com.sun.identity.agents.config.cdsso.clock.skew = 0
    com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = http://myHost.local:8080/amserver/cdcservlet
    com.sun.identity.agents.config.cdsso.secure.enable = false
    #com.sun.identity.agents.config.cdsso.domain[0] =
    com.sun.identity.agents.config.logout.application.handler[] =
    com.sun.identity.agents.config.logout.uri[] =
    com.sun.identity.agents.config.logout.request.param[] =
    com.sun.identity.agents.config.logout.introspect.enabled = false
    com.sun.identity.agents.config.logout.entry.uri[] =
    com.sun.identity.agents.config.fqdn.check.enable = true
    com.sun.identity.agents.config.fqdn.default = am.ufidev.local.
    com.sun.identity.agents.config.fqdn.mapping[] =
    com.sun.identity.agents.config.legacy.support.enable = false
    com.sun.identity.agents.config.legacy.user.agent[0] = Mozilla/4.7*
    com.sun.identity.agents.config.legacy.redirect.uri = /agentapp/sunwLegacySu<br />                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

  • No log for am policy agent for iis6

    Hello!
    Im trying to get Policy Agent for IIS to run on my Win Srv 2003 with IIS6 and Sharepoint Services.
    I am running the OpenSSO version of Access Manager.
    I have installed the agent and done the initial cofiguration.
    When i try to browse the resource i get a login prompt (IIS Basic Auth)and cannot login followed by "Not Authorized 401.3"
    I should get redirected to the AM Login page, shouldn't I?
    I tried to look for answers in the log file but the /debug/<id> directory i empty.
    Anyone know what to do?
    The amAgent.properties file:
    # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
    # The syntax of this file is that of a standard Java properties file,
    # see the documentation for the java.util.Properties.load method for a
    # complete description. (CAVEAT: The SDK in the parser does not currently
    # support any backslash escapes except for wrapping long lines.)
    # All property names in this file are case-sensitive.
    # NOTE: The value of a property that is specified multiple times is not
    # defined.
    # WARNING: The contents of this file are classified as an UNSTABLE
    # interface by Sun Microsystems, Inc. As such, they are subject to
    # significant, incompatible changes in any future release of the
    # software.
    # The name of the cookie passed between the Access Manager
    # and the SDK.
    # WARNING: Changing this property without making the corresponding change
    # to the Access Manager will disable the SDK.
    com.sun.am.cookie.name = iPlanetDirectoryPro
    # The URL for the Access Manager Naming service.
    com.sun.am.naming.url = http://login.lta.mil.se:8080/opensso/namingservice
    # The URL of the login page on the Access Manager.
    com.sun.am.policy.am.login.url = http://login.lta.mil.se:8080/opensso/UI/Login
    # Name of the file to use for logging messages.
    com.sun.am.policy.agents.config.local.log.file = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAgent
    # This property is used for Log Rotation. The value of the property specifies
    # whether the agent deployed on the server supports the feature of not. If set
    # to false all log messages are written to the same file.
    com.sun.am.policy.agents.config.local.log.rotate = true
    # Name of the Access Manager log file to use for logging messages to
    # Access Manager.
    # Just the name of the file is needed. The directory of the file
    # is determined by settings configured on the Access Manager.
    com.sun.am.policy.agents.config.remote.log = amAuthLog.sharepoint.lta.mil.se.80
    # Set the logging level for the specified logging categories.
    # The format of the values is
    # <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
    # The currently used module names are: AuthService, NamingService,
    # PolicyService, SessionService, PolicyEngine, ServiceEngine,
    # Notification, PolicyAgent, RemoteLog and all.
    # The all module can be used to set the logging level for all currently
    # none logging modules. This will also establish the default level for
    # all subsequently created modules.
    # The meaning of the 'Level' value is described below:
    # 0 Disable logging from specified module*
    # 1 Log error messages
    # 2 Log warning and error messages
    # 3 Log info, warning, and error messages
    # 4 Log debug, info, warning, and error messages
    # 5 Like level 4, but with even more debugging messages
    # 128 log url access to log file on AM server.
    # 256 log url access to log file on local machine.
    # If level is omitted, then the logging module will be created with
    # the default logging level, which is the logging level associated with
    # the 'all' module.
    # for level of 128 and 256, you must also specify a logAccessType.
    # *Even if the level is set to zero, some messages may be produced for
    # a module if they are logged with the special level value of 'always'.
    com.sun.am.log.level = 5
    # The org, username and password for Agent to login to AM.
    com.sun.am.policy.am.username = UrlAccessAgent
    com.sun.am.policy.am.password = PN4rEZ1uhx1404ivWY6HPQ==
    # Name of the directory containing the certificate databases for SSL.
    com.sun.am.sslcert.dir = C:/Sun/Access_Manager/Agents/2.2/iis6/cert
    # Set this property if the certificate databases in the directory specified
    # by the previous property have a prefix.
    com.sun.am.certdb.prefix =
    # Should agent trust all server certificates when Access Manager
    # is running SSL?
    # Possible values are true or false.
    com.sun.am.trust_server_certs = true
    # Should the policy SDK use the Access Manager notification
    # mechanism to maintain the consistency of its internal cache? If the value
    # is false, then a polling mechanism is used to maintain cache consistency.
    # Possible values are true or false.
    com.sun.am.notification.enable = true
    # URL to which notification messages should be sent if notification is
    # enabled, see previous property.
    com.sun.am.notification.url = http://sharepoint.lta.mil.se:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
    # This property determines whether URL string case sensitivity is
    # obeyed during policy evaluation
    com.sun.am.policy.am.url_comparison.case_ignore = true
    # This property determines the amount of time (in minutes) an entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.policy.am.polling.interval=3
    # This property allows the user to configure the User Id parameter passed
    # by the session information from the access manager. The value of User
    # Id will be used by the agent to set the value of REMOTE_USER server
    # variable. By default this parameter is set to "UserToken"
    com.sun.am.policy.am.userid.param=UserToken
    # Profile attributes fetch mode
    # String attribute mode to specify if additional user profile attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user profile attributes will be introduced.
    # HTTP_HEADER - additional user profile attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user profile attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
    # The user profile attributes to be added to the HTTP header. The
    # specification is of the format ldap_attribute_name|http_header_name[,...].
    # ldap_attribute_name is the attribute in data store to be fetched and
    # http_header_name is the name of the header to which the value needs
    # to be assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organiz ational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    # Session attributes mode
    # String attribute mode to specify if additional user session attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user session attributes will be introduced.
    # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
    # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
    # The session attributes to be added to the HTTP header. The specification is
    # of the format session_attribute_name|http_header_name[,...].
    # session_attribute_name is the attribute in session to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.session.attribute.map=
    # Response Attribute Fetch Mode
    # String attribute mode to specify if additional user response attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user response attributes will be introduced.
    # HTTP_HEADER - additional user response attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user response attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
    # The response attributes to be added to the HTTP header. The specification is
    # of the format response_attribute_name|http_header_name[,...].
    # response_attribute_name is the attribute in policy response to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.response.attribute.map=
    # The cookie name used in iAS for sticky load balancing
    com.sun.am.policy.am.lb.cookie.name = GX_jst
    # indicate where a load balancer is used for Access Manager
    # services.
    # true | false
    com.sun.am.load_balancer.enable = false
    ####Agent Configuration####
    # this is for product versioning, please do not modify it
    com.sun.am.policy.agents.config.version=2.2
    # Set the url access logging level. the choices are
    # LOG_NONE - do not log user access to url
    # LOG_DENY - log url access that was denied.
    # LOG_ALLOW - log url access that was allowed.
    # LOG_BOTH - log url access that was allowed or denied.
    com.sun.am.policy.agents.config.audit.accesstype = LOG_BOTH
    # Agent prefix
    com.sun.am.policy.agents.config.agenturi.prefix = http://sharepoint.lta.mil.se:80/amagent
    # Locale setting.
    com.sun.am.policy.agents.config.locale = en_US
    # The unique identifier for this agent instance.
    com.sun.am.policy.agents.config.instance.name = unused
    # Do SSO only
    # Boolean attribute to indicate whether the agent will just enforce user
    # authentication (SSO) without enforcing policies (authorization)
    com.sun.am.policy.agents.config.do_sso_only = true
    # The URL of the access denied page. If no value is specified, then
    # the agent will return an HTTP status of 403 (Forbidden).
    com.sun.am.policy.agents.config.accessdenied.url =
    # This property indicates if FQDN checking is enabled or not.
    com.sun.am.policy.agents.config.fqdn.check.enable = true
    # Default FQDN is the fully qualified hostname that the users should use
    # in order to access resources on this web server instance. This is a
    # required configuration value without which the Web server may not
    # startup correctly.
    # The primary purpose of specifying this property is to ensure that if
    # the users try to access protected resources on this web server
    # instance without specifying the FQDN in the browser URL, the Agent
    # can take corrective action and redirect the user to the URL that
    # contains the correct FQDN.
    # This property is set during the agent installation and need not be
    # modified unless absolutely necessary to accommodate deployment
    # requirements.
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
    # com.sun.am.policy.agents.config.fqdn.map
    com.sun.am.policy.agents.config.fqdn.default = sharepoint.lta.mil.se
    # The FQDN Map is a simple map that enables the Agent to take corrective
    # action in the case where the users may have typed in an incorrect URL
    # such as by specifying partial hostname or using an IP address to
    # access protected resources. It redirects the browser to the URL
    # with fully qualified domain name so that cookies related to the domain
    # are received by the agents.
    # The format for this property is:
    # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
    # This property can also be used so that the agents use the name specified
    # in this map instead of the web server's actual name. This can be
    # accomplished by doing the following.
    # Say you want your server to be addressed as xyz.hostname.com whereas the
    # actual name of the server is abc.hostname.com. The browsers only knows
    # xyz.hostname.com and you have specified polices using xyz.hostname.com at
    # the Access Manager policy console, in this file set the mapping as
    # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
    # Another example is if you have multiple virtual servers say rst.hostname.com,
    # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
    # abc.hostname.com and each of the virtual servers have their own policies
    # defined, then the fqdnMap should be defined as follows:
    # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    com.sun.am.policy.agents.config.fqdn.map =
    # Cookie Reset
    # This property must be set to true, if this agent needs to
    # reset cookies in the response before redirecting to
    # Access Manager for Authentication.
    # By default this is set to false.
    # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
    com.sun.am.policy.agents.config.cookie.reset.enable=false
    # This property gives the comma separated list of Cookies, that
    # need to be included in the Redirect Response to Access Manager.
    # This property is used only if the Cookie Reset feature is enabled.
    # The Cookie details need to be specified in the following Format
    # name[=value][;Domain=value]
    # If "Domain" is not specified, then the default agent domain is
    # used to set the Cookie.
    # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
    # token=value;Domain=subdomain.domain.com
    com.sun.am.policy.agents.config.cookie.reset.list=
    # This property gives the space separated list of domains in
    # which cookies have to be set in a CDSSO scenario. This property
    # is used only if CDSSO is enabled.
    # If this property is left blank then the fully qualified cookie
    # domain for the agent server will be used for setting the cookie
    # domain. In such case it is a host cookie instead of a domain cookie.
    # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
    com.sun.am.policy.agents.config.cookie.domain.list=
    # user id returned if accessing global allow page and not authenticated
    com.sun.am.policy.agents.config.anonymous_user=anonymous
    # Enable/Disable REMOTE_USER processing for anonymous users
    # true | false
    com.sun.am.policy.agents.config.anonymous_user.enable=false
    # Not enforced list is the list of URLs for which no authentication is
    # required. Wildcards can be used to define a pattern of URLs.
    # The URLs specified may not contain any query parameters.
    # Each service have their own not enforced list. The service name is suffixed
    # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
    # for a particular service. SPACE is the separator between the URL.
    com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
    # Boolean attribute to indicate whether the above list is a not enforced list
    # or an enforced list; When the value is true, the list means enforced list,
    # or in other words, the whole web site is open/accessible without
    # authentication except for those URLs in the list.
    com.sun.am.policy.agents.config.notenforced_list.invert = false
    # Not enforced client IP address list is a list of client IP addresses.
    # No authentication and authorization are required for the requests coming
    # from these client IP addresses. The IP address must be in the form of
    # eg: 192.168.12.2 1.1.1.1
    com.sun.am.policy.agents.config.notenforced_client_ip_list =
    # Enable POST data preservation; By default it is set to false
    com.sun.am.policy.agents.config.postdata.preserve.enable = false
    # POST data preservation : POST cache entry lifetime in minutes,
    # After the specified interval, the entry will be dropped
    com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.config.cdsso.enable=false
    # This is the URL the user will be redirected to for authentication
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.config.cdcservlet.url =
    # Enable/Disable client IP address validation. This validate
    # will check if the subsequent browser requests come from the
    # same ip address that the SSO token is initially issued against
    com.sun.am.policy.agents.config.client_ip_validation.enable = false
    # Below properties are used to define cookie prefix and cookie max age
    com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
    com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
    # Logout URL - application's Logout URL.
    # This URL is not enforced by policy.
    # if set, agent will intercept this URL and destroy the user's session,
    # if any. The application's logout URL will be allowed whether or not
    # the session destroy is successful.
    com.sun.am.policy.agents.config.logout.url=
    # Any cookies to be reset upon logout in the same format as cookie_reset_list
    com.sun.am.policy.agents.config.logout.cookie.reset.list =
    # By default, when a policy decision for a resource is needed,
    # agent gets and caches the policy decision of the resource and
    # all resource from the root of the resource down, from the Access Manager.
    # For example, if the resource is http://host/a/b/c, the the root of the
    # resource is http://host/. This is because more resources from the
    # same path are likely to be accessed subsequently.
    # However this may take a long time the first time if there
    # are many many policies defined under the root resource.
    # To have agent get and cache the policy decision for the resource only,
    # set the following property to false.
    com.sun.am.policy.am.fetch_from_root_resource = true
    # Whether to get the client's hostname through DNS reverse lookup for use
    # in policy evaluation.
    # It is true by default, if the property does not exist or if it is
    # any value other than false.
    com.sun.am.policy.agents.config.get_client_host_name = true
    # The following property is to enable native encoding of
    # ldap header attributes forwarded by agents. If set to true
    # agent will encode the ldap header value in the default
    # encoding of OS locale. If set to false ldap header values
    # will be encoded in UTF-8
    com.sun.am.policy.agents.config.convert_mbyte.enable = false
    #When the not enforced list or policy has a wildcard '*' character, agent
    #strips the path info from the request URI and uses the resulting request
    #URI to check against the not enforced list or policy instead of the entire
    #request URI, in order to prevent someone from getting access to any URI by
    #simply appending the matching pattern in the policy or not enforced list.
    #For example, if the not enforced list has the value http://host/*.gif,
    #stripping the path info from the request URI will prevent someone from
    #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
    #However when a web server (for exmample apache) is configured to be a reverse
    #proxy server for a J2EE application server, path info is interpreted in a different
    #manner since it maps to a resource on the proxy instead of the app server.
    #This prevents the not enforced list or policy from being applied to part of
    #the URI below the app serverpath if there is a wildcard character. For example,
    #if the not enforced list has value http://host/webapp/servcontext/* and the
    #request URL is http://host/webapp/servcontext/example.jsp the path info
    #is /servcontext/example.jsp and the resulting request URL with path info stripped
    #is http://host/webapp, which will not match the not enforced list. By setting the
    #following property to true, the path info will not be stripped from the request URL
    #even if there is a wild character in the not enforced list or policy.
    #Be aware though that if this is set to true there should be nothing following the
    #wildcard character '*' in the not enforced list or policy, or the
    #security loophole described above may occur.
    com.sun.am.policy.agents.config.ignore_path_info = false
    # Override the request url given by the web server with
    # the protocol, host or port of the agent's uri specified in
    # the com.sun.am.policy.agents.agenturiprefix property.
    # These may be needed if the agent is sitting behind a ssl off-loader,
    # load balancer, or proxy, and either the protocol (HTTP scheme),
    # hostname, or port of the machine in front of agent which users go through
    # is different from the agent's protocol, host or port.
    com.sun.am.policy.agents.config.override_protocol =
    com.sun.am.policy.agents.config.override_host =
    com.sun.am.policy.agents.config.override_port = true
    # Override the notification url in the same way as other request urls.
    # Set this to true if any one of the override properties above is true,
    # and if the notification url is coming through the proxy or load balancer
    # in the same way as other request url's.
    com.sun.am.policy.agents.config.override_notification.url =
    # The following property defines how long to wait in attempting
    # to connect to an Access Manager AUTH server.
    # The default value is 2 seconds. This value needs to be increased
    # when receiving the error "unable to find active Access Manager Auth server"
    com.sun.am.policy.agents.config.connection_timeout =
    # Time in milliseconds the agent will wait to receive the
    # response from Access Manager. After the timeout, the connection
    # will be drop.
    # A value of 0 means that the agent will wait until receiving the response.
    # WARNING: Invalid value for this property can result in
    # the resources becoming inaccessible.
    com.sun.am.receive_timeout = 0
    # The three following properties are for IIS6 agent only.
    # The two first properties allow to set a username and password that will be
    # used by the authentication filter to pass the Windows challenge when the Basic
    # Authentication option is selected in Microsoft IIS 6.0. The authentication
    # filter is named amiis6auth.dll and is located in
    # Agent_installation_directory/iis6/bin. It must be installed manually on
    # the web site ("ISAPI Filters" tab in the properties of the web site).
    # It must also be uninstalled manually when unintalling the agent.
    # The last property defines the full path for the authentication filter log file.
    com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAuthFilter

    If the agent doesnot start properly you would always get redirected to com.sun.am.policy.agents.config.accessdenied.url , if thats not specified you will get a 403.
    For the agent itself check that the naming.url is correct. the agent username and passwords are correct, and see that the user has priviledges to write to the agent log files. Apart from these post the windows event logs.

  • Does the 2.1 web policy agent for Windows 2003 work on a 64 bit OS ?

    Does the 2.1 web policy agent for Windows 2003 work on a 64 bit OS ?
    I have a customer having a world of issues getting the agent to start.
    Jeff Courtade

    No. 64bit support is not there for 2.1 agents on Windows.
    -Subba

  • Policy Agent for Domino 6.5.1

    I am trying to find out if the 2.2 Policy Agent for Domino (6.5.4) is supported for Domino 6.5.1.
    Thanks in advance,
    Eric

    http://www.sun.com/download/index.jsp?cat=Identity%20Management&tab=3&subcat=Policy%20Agents describes what PA are supported.
    I know from my past experience that PA 2.1 works with AM 7.1 in Legacy mode but it is not supported.
    If your application server or web container is not supported then you can always use PA 2.2 for Sun Java Web Proxy Server 4.0. In this case, you will to place SJWPS in front of your application and your application will be accessed via proxy server.
    Vivek

  • Policy agent for Jetty

    Are there any plans to provide a policy agent for Jetty? Really appreciate your response. Thx.

    Since you are running AM 7.1 in legacy mode you might try the 2.1 agent since it may be backwards compatible.

  • Site Minder Web Agent for Weblogic 6.1

    Hello,
    I am installing Netegrity Peoplesoft connector for Weblogic 6.1 on Solaris. For this as a prequisite I need to install a Site Minder Web Agent for Weblogic 6.1. Can anyone tell me from where I can download this ? appreciate your help

    You need to contact Netegrity Sales representative and register for an evaluation.
    KBL
    Sreekumar <[email protected]> wrote:
    Hello,
    I am installing Netegrity Peoplesoft connector for Weblogic 6.1 on Solaris.
    For this as a prequisite I need to install a Site Minder Web Agent for
    Weblogic 6.1. Can anyone tell me from where I can download this ? appreciate
    your help

  • ID Server and Policy Agent for AS .. is secure?

    Hello there,
    I have a question. Quite critical question, concerning iPlanetDirectoryPro cookie. If I've got it right, this cookie contains SSO Token. And the SSO token can be used with identity server to obtain any SSO assetion. I've experimentaly confirmed this.
    Now, can anyone tell me why this cookie is sent to any host in my domain? The default after instalation is "bgs.sk". This default value enables any host in my domain to impersonate me. Well, I still can change this, but it is now good to have insecure default values anyway, is it?
    Second, and more critical problem: I have Policy Agent installed on my Application Server. It looks like the agent requires access to the iPlanetDirectoryPro cookie to work correctly. But, if my application server has my SSO token, it can impersonate me anywhere. Not a good situation at all. That would mean security hole as big as hangar doors.
    Are my assumptions correct? Am I overlooking something?
    (All valid for ID server 6.0 and Liberty protocols)
    Thanks for any help.

    Although Sun promote Identity Server by emphasizing its Liberty/SAML feature, the product itself use a proprietary protocol for SSO and CDSSO.
    As all we know, this product could be totally useless without Sun's Policy/J2EE Agent deployed. But ironically these agents communicate with Identity Server in its own way, nothing to do with SAML, XACML, or even SOAP.
    The agent approach is usually not a good idea. We saw more and more problem raised from fields related to agent stability and scalability. We never see any performance benchmark data from Sun. Since the communication between agt and Identity Server are proprietary, no ISV can make agent for this product. You have to wait for Sun for agent support if you have new system not on the support matrix.
    In addition to agent, another big issue of Identity Server is its complex DIT structure. In fact, we prefer to have RDBMS as Identity Server's repository. Sun abuse ldap just because this company doesn't have any database product but still want to provide a pure Sun platform (JES) to customer. So they compromise the architecture for business reason, I'd like to tell you, I don't like the way Identity Server store data in DIT, I don't like the console UI (its for technical geek), and on one in our company dare to do any configuration change.
    Now Sun put Identity Server as the core of its JES product stack. If you have time to take a look at how the SJS Portal use Identity Server and how SSO between Portal channel and Email/Calendar Server are achieved, you'll find that you just buy a "framework" (I mean Identity server), not a product, because you have to do every integration work by intensively coding.
    I predict that Identity Server will be significantly rearchitctured in the near future, otherwise we don't see any benefit this product can bring to me. It is a headache for deployment as well as maintenance. If you just need Single Sign-On, there are lots alternative to achieve, Sun's Identity Server is really overkill. It's authentication feature is ok, but authorization feature (policy, role) is very limited. If you have lots of Windows/IIS web app need to do SSO with Identity Server, god bless you... you better have a sharp programmer to wrap up the C API so as your ASP programmer can leverage Identity Server SDK, and you got to pray for IIS agent behave well. In addition, don't forget to learn more about JATO if you want to do some fancy customization on the default login page.

  • Quest - "Foglight" agent for weblogic

    Anyone using Quest - Foglight to monitor WEBLOGIC ?

    Hi Stefan,
    Do you have documentation on configuration & implementation of Siteminder agent with Bea WebLogic server 8.1 or URL to get info? I could not find on Bea Site....Can you guide me please, my email id is [email protected]
    Thanks,
    Gary

  • Extending WebLogic policy agent

    Hello all;
    I am using AM policy agent for WebLogic portal server. Is there a way to extend the functionality of this policy agent. I need to make the agent do more than what it provides OOTB. Is there a way to do that? Any suggestions?
    Thanks

    Hi Aaron;
    I am trying to see if I can force the policy agent to be invoked on non-protected resources. The agent is in J2EE mode. The scenario that I have is the whole site is open and nothing is protected so I have to make the policy agent recognize requests for both protected and non protected resources. The other issue I have is that even if I create a cookie the policy agent doesn't maintain the session state since the requests are for unprotected resources. It (PA) doesn't "touch" the cookie since the requests didn't go through it.
    Thanks,

  • Required Policy for IIS6 Policy Agent

    Hello,
    I have configured the Policy Agent for MS IIS6 and created a Policy
    to enable some users to access the website.
    Unfortunately, until now all users get a "403 - Forbidden"-Message.
    Users dissallowed by policy get the response immediatly, users
    who should have access must wait about 2 Minutes before they
    get the error.
    When I try to login using a account without permission, this is logged
    in the "amAgent"-Logfile:
    <--------------->8-------------->8------------------->
    2004-08-31 15:10:37.578 128 2912:1567ad8 RemoteLog: User e09mahj0 was denied access to http://erlm630a.ts.siemens.de:81/index.htm.
    2004-08-31 15:10:37.593 Error 2912:1567ad8 PolicyAgent: do_redirect(): Error while calling am_web_get_redirect_url(): status = success
    2004-08-31 15:10:37.593 Error 2912:1567ad8 PolicyAgent: do_redirect() WriteClient did not succeed: Attempted message = HTTP/1.1 403 Forbidden
    <--------------->8-------------->8------------------->
    and when using a account who should have access:
    <--------------->8-------------->8------------------->
    2004-08-31 15:24:20.218 Error 2912:153c360 PolicyEngine: am_policy_evaluate: InternalException in Service::update_policy with error message:Policy query failed. and code:16
    2004-08-31 15:24:20.218 128 2912:153c360 RemoteLog: User amAdmin was denied access to http://erlm630a.ts.siemens.de:81/index.htm.
    2004-08-31 15:24:20.234 Error 2912:153c360 PolicyAgent: do_redirect(): Error while calling am_web_get_redirect_url(): status = success
    2004-08-31 15:24:20.234 Error 2912:153c360 PolicyAgent: do_redirect() WriteClient did not succeed: Attempted message = HTTP/1.1 403 Forbidden
    <--------------->8-------------->8------------------->
    I have no idea what "PolicyEngine ... code 16 means".
    Anyone can help?
    Regards,
    Juergen Maihoefner

    I found that page yesterday, but the errors I'm recieving are well out of the range of errors listed on that page
    2008-10-13 16:06:53.578   Error 3232:1c30580 PolicyAgent: do_redirect:  Error while calling am_web_get_url_to_redirect(): status = invalid argument
    2008-10-13 16:06:53.578   Error 3232:1c30580 PolicyAgent: do_redirect: WriteClient did not succeed: Attempted message = HTTP/1.1 403 Forbidden Content-Length: 13 Content-Type: text/plain  403 Forbidden Also, there's no firewall between the agent and the server. In my setup, authorized users don't get this message, its only users who aren't authorized to access sharepoint (the server with the agent) who see the 403 page that's just a plaintext '403 Forbidden' message.
    Probably the strangest thing about this issue is that when I look at the IIS log, it indicates a 401.5 error (which is correct, as the user should just be denied, not forbidden.
    2008-10-13 20:06:44 W3SVC87257621 10.28.204.100 GET /default.aspx - 7000 - 10.28.204.100 Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+en-US;+rv:1.9.0.3)+Gecko/2008092417+Firefox/3.0.3 302 0 0
    2008-10-13 20:06:53 W3SVC87257621 10.28.204.100 GET /default.aspx - 7000 dan.west 10.28.204.100 Mozilla/5.0+(Windows;+U;+Windows+NT+5.2;+en-US;+rv:1.9.0.3)+Gecko/2008092417+Firefox/3.0.3 401 5 0At the very least, it would be nice to know how the 401 is getting translated into the 403 error, and what would be involved in customizing the error page for this event so that it isn't simply a plaintext message.
    Edit:
    If you're noticing the timestamp difference of 4 hours, it seems there is a known bug with the w3c extended log file format (http://support.microsoft.com/kb/271196).
    Edited by: westd on Oct 14, 2008 5:28 AM

  • Compiling/running Policy Agent 2.2 for Apache (Linux)

    Hi,
    I know that running the policy agent for Linux is not supported by Sun on other platforms than Red Hat Enterprise Linux, but anyway I'm qurious to see if others have looked into this.
    I've done some testing on my Ubuntu Dapper Linux, using the precompiled version for Red Hat Enterprise, and I kind of made it work. Only problem: I have to start apache using "strace" to have it running. If I run /usr/sbin/apache2 I get "Segmentation Fault", but if I run "strace /usr/sbin/apache2" it runs... I'm able to create a core-dump, but to get something out of it I guess I have to compile the policy agent myself, so I've tried that as well.
    To compile I've checked out the opensso package by CVS and installed libxml2-2.6.23, nss-3.11, nspr-4.6.1 and apache-2.0.59, sort of like what it says in the Readme for compiling under Red Hat Enterprise Linux. Result from running "make BUILD_DEBUG=optimize BUILD_AGENT=apache" is:
    hash_table.h: In member function �typename smi::HashTable<Element>::EntryType smi::HashTable<Element>::findEntry(const std::string&)�:
    hash_table.h:319: error: expected �;� before �__null�
    hash_table.h:319: warning: statement has no effect
    The test with the precompiled version was done on Ubuntu Dapper Linux using the standard apache 2.0.55 package that comes with Ubuntu. As I said: I've managed to get it running (doing SSO login through Federation Manager running on the same machine, with Access Manager running on another Solaris server) but I would prefer to have a setup that doesn't involve using "strace" to have apache whith the policy agent module running... Anyone else done something like this?
    In the end I guess I would like to have some kind of release of the policy agent that doesn't have to be packaged as RPMs just for Red Hat Enterprise servers. It doesn't have to be flagged as "supported by Sun" but more like "you're on your own this release". ;-) That goes for the Federation Manager as well. I've managed to have the FM running on Ubuntu Dapper as well, so I know it's possible...
    - Anders

    The notes in this thread date from about October of 2006.
    Does anyone know why current versions of the gcc compiler refuse to compile the statement that leads to the reported error?
    The statement that is failing is:
        if (entry && entry->getExpirationTime() < PR_Now()) {
         return (HashTable<Element>::EntryType)NULL;with the error
    [exec] hash_table.h:320: error: expected �;� before �__null�Is this a problem with the compiler or with the definition of the NULL macro?

Maybe you are looking for

  • Deploying EAR using weblogic 10.3.6 under XP

    Hi Guys, tha last step of deployment EAR is to Star--->Servicing all requests, i am getting the following error? Messages [EJB:011026]The EJB container failed while creating the java:/comp/env namespace for this EJB deployment. weblogic.deployment.En

  • Daily Business Intelligence Administrator

    Hi , Iam newbie to DBI. I have gone through the DBI implementation guide and tried to create a new report. Created a report and published it. In the process of creating Initial Request set (in Daily Business Intelligence Administrator), could not fin

  • Stopping a header reloading with each page

    I've had loads of conflicting advice on this one. Someone must know surely. How do I stop a flash movie from reloading each time a link button is clicked. In other words I just want the movie to load once on the home page and the integrated buttons t

  • BI 7.0 Data Source Question

    I have requirement in Funct spec from Tables EKKO , EKPO  . The data sources 2lis_02_itm ,2lis_02_scl etc will have these tabels data . But in BI 7.0 there is a data source called 2LIS_06_Inv which provides data from all these data sources.i.e, The n

  • Anyone know how to capture error messages?

    I'd like to capture the feedback I receive in the Output panel when testing something in the Flash IDE, and display it in a TextArea included in my movie when it is compiled and running in a live environment.  Is there any way I can make this happen?