AppServer 9 and Policy Agent?

Similar Messages

• Appserver and policy agent

  Hi,
  I want to protect a folder under the docroot of the application server for access only by a certain ldap group. It's just a folder, not a web application. Is this possible with the policy agent? If so, how? There's no web.xml or so ... .
  Right now I have installed the agent, but it is not applying my url policy.
  Any info is welcome.
  Regards,
  Tim

  this should work. you only need the web.xml bit if you want to evaluate policies and pass/propagate j2ee auth tokens to AM. to authenticate ldap groups only, you can just use the urlpolicy agent in sso only mode.

• ID Server and Policy Agent for AS .. is secure?

  Hello there,
  I have a question. Quite critical question, concerning iPlanetDirectoryPro cookie. If I've got it right, this cookie contains SSO Token. And the SSO token can be used with identity server to obtain any SSO assetion. I've experimentaly confirmed this.
  Now, can anyone tell me why this cookie is sent to any host in my domain? The default after instalation is "bgs.sk". This default value enables any host in my domain to impersonate me. Well, I still can change this, but it is now good to have insecure default values anyway, is it?
  Second, and more critical problem: I have Policy Agent installed on my Application Server. It looks like the agent requires access to the iPlanetDirectoryPro cookie to work correctly. But, if my application server has my SSO token, it can impersonate me anywhere. Not a good situation at all. That would mean security hole as big as hangar doors.
  Are my assumptions correct? Am I overlooking something?
  (All valid for ID server 6.0 and Liberty protocols)
  Thanks for any help.

  Although Sun promote Identity Server by emphasizing its Liberty/SAML feature, the product itself use a proprietary protocol for SSO and CDSSO.
  As all we know, this product could be totally useless without Sun's Policy/J2EE Agent deployed. But ironically these agents communicate with Identity Server in its own way, nothing to do with SAML, XACML, or even SOAP.
  The agent approach is usually not a good idea. We saw more and more problem raised from fields related to agent stability and scalability. We never see any performance benchmark data from Sun. Since the communication between agt and Identity Server are proprietary, no ISV can make agent for this product. You have to wait for Sun for agent support if you have new system not on the support matrix.
  In addition to agent, another big issue of Identity Server is its complex DIT structure. In fact, we prefer to have RDBMS as Identity Server's repository. Sun abuse ldap just because this company doesn't have any database product but still want to provide a pure Sun platform (JES) to customer. So they compromise the architecture for business reason, I'd like to tell you, I don't like the way Identity Server store data in DIT, I don't like the console UI (its for technical geek), and on one in our company dare to do any configuration change.
  Now Sun put Identity Server as the core of its JES product stack. If you have time to take a look at how the SJS Portal use Identity Server and how SSO between Portal channel and Email/Calendar Server are achieved, you'll find that you just buy a "framework" (I mean Identity server), not a product, because you have to do every integration work by intensively coding.
  I predict that Identity Server will be significantly rearchitctured in the near future, otherwise we don't see any benefit this product can bring to me. It is a headache for deployment as well as maintenance. If you just need Single Sign-On, there are lots alternative to achieve, Sun's Identity Server is really overkill. It's authentication feature is ok, but authorization feature (policy, role) is very limited. If you have lots of Windows/IIS web app need to do SSO with Identity Server, god bless you... you better have a sharp programmer to wrap up the C API so as your ASP programmer can leverage Identity Server SDK, and you got to pray for IIS agent behave well. In addition, don't forget to learn more about JATO if you want to do some fancy customization on the default login page.

• Access Manager 7.1, Webserver 7.0 and Policy Agent 2.2 Logging behaviour

  Hi,
  I have a cluster setup with access manager (2 instances currently). I have a single webserver running access manager policy agent which points to the access manager cluster. Everything works fine, until the Agent session times out, whereupon it can no longer log to the access manager cluster.
  i.e. it attempts to write a log entry like this:
  2009-04-23 15:40:10.491 Debug 7720:2e7af0 LogService: BaseService::doRequest(): Using server: https://
  am.blah.com:443/amserver/loggingservice.
  <logRecWrite reqid="57"><log logName="amAuthLog.webserver.blah.com.80" sid="AQIC5wM2LY4SfczdB
  6jEQSaqXL52vqgWNfqxVOf2teEx+b0=@AAJTSQACMTEAAlNLAAk0OTA4MTcyMzQAAlMxAAIwMg==#"></log><logRecord><level>8
  00</level><recMsg>VXNlciBtb21lcjEgd2FzIGFsbG93ZWQgYWNjZXNzIHRvIGh0dHA6Ly9lcTAwMXRtLmVxLnNlcnZlci1jb21wbG
  V4LmNvbTo4MC91d2MvaW5kZXguanNwLg==</recMsg><logInfoMap><logInfo><infoKey>LoginIDSid</infoKey><infoValue>
  AQIC5wM2LY4Sfcy3bA/gJl2v7ArZCHla8Bj9bRVx4P6nSN0=@AAJTSQACMTEAAlNLAAstMTAxNzc2NjM2NQACUzEAAjAx#</infoValu
  e></logInfo></logInfoMap></logRecord></logRecWrite>]]></Request>
  </RequestSet>
  and receives an error as follows:
  2009-04-23 15:40:10.631MaxDebug 7720:2e7af0 LogService: <?xml version="1.0" encoding="UTF-8" standalone=
  "yes"?>
  <ResponseSet vers="1.0" svcid="iplanet.webtop.service.logging" reqid="74">
  <Response><![CDATA[UNAUTHORIZED]]></Response>
  </ResponseSet>
  Investigation in the access manager logs shows that the agent session is no longer valid. As a result, I have two questions:
  1. How can I make it stop trying to log remotely ? I have this set in the AMAgent.properties: com.sun.am.log.level = all:4
  2. How do I exclude agents from the default session expiry times ?
  Regards,
  Michael Ward.

  1. Set com.sun.am.policy.agents.config.audit.accesstype = LOG_NONE
  2. Not sure if I understand this. Typically agent itself has to authenticate with the server and that agent session doesn't get expire anytime soon.
  -Subba

• JAAS and Policy Agents

  Hello everybody, I'm trying to create a simple JSP that it is protected using the Access Manager Policy Agent. I have configured the URL policy and it is working fine.
  Now in my JSP I want to know what user is logged in but I don't want to use the AM API, instead I want to use the JAAS module. Any ideas on how to do it?
  I thought thar AM will set the session attribute javax.security.auth.subject but I don't think it is doing it.
  I get the Subject object but when calling the getPrincipals, the set is empty.
  Any ideas?
  Thanks a lot.

  Easy way: Configure your agent to set the user ID in HTTP head so you can read it without touching AM API.
  Tough way: Enable form based authentication, install AM J2EE Agent (not web policy agent), you can get user ID with "getPrincipals" or "getRemoteUser" method.
  Keep in mind, Using JAAS module does not mean you can avoid AM API, but do you have other reason to use JAAS? I usually keep myself away from it.

• Liberty IDP/SP/Policy Agent 2.2 and cookie hijacking

  Hi Gurus,
  In our implementation, we have IDP (eauthidp.etc.net) and an SP (eauthsp.etc.net) and some policy agents (eauthdev.etc.net).
  Both IDP and SP are AM 7.1. Policy agent is 2.2.
  We used IDP for authentication and SP for authorization. We would like to implement CookieHijacking changes also between SP and Policy Agents.
  With Liberty, is it possible? If yes then what URL do I need to give in com.sun.am.policy.agents.config.cdcservlet.url property of AMAgent.properties.
  Is there any other way of implementing this?
  Thanks,
  Vivek

  Hi N,
  I looked all the docs and done some analysis. I found that there is no out-of-the-box configuration.
  The way I could come up is:
  1. Configure Cookie HIjacking in PA.
  2. For CDSSO Servlet give following value:
  https://eauthsp2.etc.net/amserver/preLogin?metaAlias=eauthsp2.etc.net
  3. On the SP side, make CDSSO changes.
  4. Create class that implements FederationSPAdapter. In that class either redirect to CDCServlet or do that same processing that CDCServlet does.
  I am still reading the documents on how to stick this class in the SP so that it will be called after SSOFederation process completes.
  Let me know if you think differently....
  Vivek

• Policy Agent doesn't reset Sun  Access Manager session time idle value

  Hi,
  We have the following setup in our environment:
  - apache web server/web and policy agent 2.2 for apache 2.0.54
  - webmethods portal server (jetty)
  -Sun Access Manager (with Sun Directory Server)
  We use policy agent for authentication purpose only (via Sun Access Manager/LDAP) when the users access the portal. We have custom code that creates session in Sun Access Manager for custom LDAP services. For testing purpose, we configure SAM session to have Max Session Timeout at 120mins and Time Idle at 15mins. I would assume that, after the initial login request, for all subsequent accesses to the portal the policy agent should intercept the request and reset the Time Idle value of SAM session. However, when I monitor time idle value using SAM console, session tab, the time idle value didn't change when the portal user access pages, submit actions, etc. I can see in the debug log of policy agent that requests are being intercepted/processed, but the time idle didn't get reset.
  Does anyone know if this is a bug in configuration or in policy agent itself or am I making the wrong assumption?
  Thanks a lot for the help.

  Thanks for the reply, Shivaram. The issue appears to occur at random time, not accurately at the 3 min interval as you mention. I tested changing this value to 1, theoretically, after one 1 minute of idle time, accessing a link would make the agent reset the time idle value for the user session in SAM, but it didn't even after 3 minutes. This seems to be either a policy agent or system access manager bug.
  We performed a 'vanilla' test using the apache server manual pages (only plain HTML, no POST requests), the pages are protected by the policy agent. At the first login, rwe were prompted to enter credential to be validated by SAM/LDAP, and then a user session is created in SAM session table. We browse around the manual pages, once in a while, certain pages cause the policy agent to reset the time idle. However, revisiting these links after a few minutes doesn't reset the idle value. Caching setting has been disable as well. Could there be or lack of some settings in AMConfig.properties or AMAgent.properties that might have caused this behavior?
  Thanks for all your help,

• Policy agent 2.2 amfilter local authentication with session binding failed

  Hi All,
  I have policy agent 2.2 for weblogic 8.1 sp4 installed on redhat linux. All are working fine in my development box. But I was running all the process under user root, so today I decided to change it to a regular user, joe. I changed all the files' owner for weblogic server and policy agent from root to joe, and restart server as user Joe. After the change, I can not access the application on Weblogic server. I changed file ownership back to root and restart weblogic server as root, still same error.
  Here is the error I got:
  10.4.4 403 Forbidden
  The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
  Here is the error I found from agent log file, amFilter:
  AmFilter: now processing: SSO Task Handler
  05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  SSOTaskHandler: caching SSO Token for user uid=amAdmin,ou=People,dc=etouch,dc=net
  05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  AmBaseSSOCache: cached the sso token for user principal : uid=amadmin,ou=people,dc=etouch,dc=net sso token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#, cache size = 1
  05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  SSOTaskHandler: SSO Validation successful for uid=amAdmin,ou=People,dc=etouch,dc=net
  05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  AmFilter: now processing: J2EE Local Logout Task Handler
  05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  AmFilter: local logout skipped SSO User => amAdmin, principal =>null
  05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  AmFilter: now processing: J2EE Local Auth Task Handler
  05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  LocalAuthTaskHandler: No principal found. Initiating local authentication for amAdmin
  05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  LocalAuthTaskHandler: doing local authentication with session binding
  05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  LocalAuthTaskHandler: Local authentication failed, invalidating session.05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  WARNING: LocalAuthTaskHandler: Local authentication failed for : /portal/index.jsp, SSO Token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#
  05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
  AmFilter: result =>
  FilterResult:
       Status      : FORBIDDEN
       RedirectURL     : null
       RequestHelper:
            null
       Data:
            null
  -----------------------------------------------------------

  Hi,
  I'm having the exact same problem in the Prod environment, but on a Sun App Server. In development all is fine, in prod we now have:
  ERROR: AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
  java.lang.IllegalStateException: invalidate: Session already invalidated
  at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1258)
  at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:164)
  at com.sun.identity.agents.filter.LocalAuthTaskHandler.doLocalAuthWithSessionBinding(LocalAuthTaskHandler.java:289)
  at com.sun.identity.agents.filter.LocalAuthTaskHandler.authenticate(LocalAuthTaskHandler.java:159)
  at com.sun.identity.agents.filter.LocalAuthTaskHandler.process(LocalAuthTaskHandler.java:106)
  at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
  at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
  at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
  at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
  at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
  at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
  at java.security.AccessController.doPrivileged(Native Method)
  at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
  at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
  at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
  at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
  FilterResult:
  Status : FORBIDDEN
  RedirectURL : null
  RequestHelper:
  null
  Data:
  null
  Also, we I debug I see:
  LocalAuthTaskHandler: No principal found. Initiating local authentication for ...
  Did you receive any solution for this?
  Many, many thanks,
  Philip

• J2EE Policy agent - login page config questions

  Hi,
  I'm trying to configure a customized login page for an application that is protected by a AM Policy Agent 2.2-01 on SJSAS 8.2.
  I am aware of this link:
  http://docs.sun.com/app/docs/doc/820-2539/gatai?l=en&a=view .
  This describes configuring the custom login for an app. Based on the doc, I have configured the following:
  1. I have the agent and my app on one instance on myhost.mydomain.com
  2. A url policy is protecting my app, configured in Access Manager 7.1. The url is http://myhost.mydomain.com:38080/myapp/*
  3. In my app's web.xml I have the following:
    <login-config>
          <auth-method>FORM</auth-method>
          <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/loginerror.jsp</form-error-page>
          </form-login-config> 4. In AMAgent.properties:
  com.sun.identity.agents.config.login.form[0] = /myapp/login.jsp
  com.sun.identity.agents.config.login.error.uri[0] = /myapp/loginerror.jsp
  com.sun.identity.agents.config.login.use.internal = false
  com.sun.identity.agents.config.login.content.file = FormLoginContent.txtThere doesnt seem to be any change in login page when I go to my app. It just redirects to the Access Manager login page, and when I login it redirects back to the app. The security behavior is correct but I would like the login page to be unique for the app.
  So my questions are:
  1. Am I using com.sun.identity.agents.config.login.use.internal correctly? I dont want it to use internal login, but my login file, right?
  2. My login page is protected by my url policy. Is that a problem? Should I be using com.sun.identity.agents.config.notenforced.uri[0] on the login page?
  3. Can anyone clarify to me exactly how and where the contents of FormLoginContent.txt is used?
  I'm kind of new to AM and Policy Agents, so i apologize if my questions seem very newb. Any help is appreciated. Thanks!
  -Matt

  Changing com.sun.identity.agents.config.filter.mode to URL_POLICY seemed to help. I am now seeing /myapp/login.jsp as the login page for my app. The logins themselves are failing, however. I am confused as to how to set up the jsp to work with the agent to log in.
  -Matt

• Policy Agent on BEA WebLogic when server instance runs as windows service

  hi.
  my environment is: win2k3, bea weblogic server 8.1sp4, access manager 7.1 and policy agent 2.2. installation process of policy agent asks for server startup script (startWebLogic.cmd) which i found under my server instance catalogue. the only issue is that my server instance is installed as a windows service and should not be started in a command window.
  am i safe with just specifying the path to the startup script or is there another way of dealing with this issue?
  might be a dumb question, but it would be nice to be sure that i'm doing the right thing before i go ahead and install policy agent. :)
  thanks,
  tb

  Hi,
  I have not set it up as a window service but can try to help. for one thing, this step is not permanent and if it does not work then you can undo this step by re-editting the script to remove the line you added. This step has you change the bea startup script for that domain to call the agent script setAgentEnv_AdminServer(it ws copied into bea domain directory during installation of agent) which just sets some agent resources in the classpath. If you start bea and those things are not in the classpath etc then agent wont work. So no permanent damage, you can change it if it doesnt work.
  I suggest you try it out and start the bea server as a service and see if it works - if not try again.
  I am not sure what the windows service would use to start the app server, but somehow it must specify some environment properties and things in its classpath, so if this script doesnt work then you can just do the things in the setAgentEnv_AdminServer script like setting those things in classpath.
  Please let us know if it works and if any extra steps required? Would be helpful to others to know how to configure as a windows service.
  hth,
  Sean

• App running on weblogic and opensso,agent running on glassfish

  I am running glassfish v2.1 application server where OpenSSO and Policy Agent apps running on two different domains.
  My app which needs to use federation services is running on weblogic 8 application server.
  After installing opensso and agent softwares, when I was setting up the mini-agentapp app for testing purpose, it says the app which needs to protected by policy agent needs to be under same domain as the agent is installed.
  How does work or does it even work the app being in different server(weblogic) than the Policy agent server (glassfish).
  Please advise?

  You need to install an agent on weblogic as well.

• Policy Agent 2.2 patch for appserver 8.2

  Sparc JES 5 update 1. Appserver 8.2.
  Release notes for Policy Agent 2.2 for Appserver 8.1 say it will work on 8.2 with " the proper patch".
  Obtaining Policy Agent 2.2 for 9.0 does not appear to be possible anymore, and there is no indication that it would not require a patch to work with 8.2... OpenSSO links only to 8.1.
  Searching sunsolve doesn't quite give us the patch number. Some candidates but nothing that is clearly the required patch in this installation.
  If someone could throw some light on this unlit corner of the otherwise excellent JES5u1 release (and I DO like it) I would really appreciate.
  Thanks
  BJ

  Okay, I think I have the answer.
  The patch that enables the Agent for AS 81 to work with 8.2 is currently only available
  through technical support.
  However, you can download the 2.2 agent for As 9.0/9.1 from
  sun download site. This agent supports AS 8.1/8.2/9.0/9.1 servers.
  This agent is available for download here:
  http://www.sun.com/download/products.xml?id=46d7aa66
  Now, I make the download thing sound easy (it should be), but for some reason, searching for that link that I provide above isn't currently easy. At the moment, the download for this agent doesn't show up on the Policy Agent download page, here:
  http://www.sun.com/download/index.jsp?cat=Identity%20Management&tab=3&subcat=Policy%20Agents
  That might be a very temporary condition. I'm trying to straighten this out on the Sun side. Next, I'll add the direct download for this agent on my Policy Agent page here:
  http://blogs.sun.com/JohnD/page/policyagent

• Policy Agent 2.2, IIS 6.0, CDSSO and redirects after authentication

  Hi
  I've got a problem where a HTTP/1.1 200 and 302 are returned by the Policy Agent / Application, after the Javascripted POST by the CDCServlet content is performed.
  The expected functionality is that the user is authenticated with the AM, the CDC Servlet serves the JavaScript page that will do a POST to the Policy Agent. The Policy Agent should then do what it needs to do with the POST, and forward request to the Application. The Application then does what it needs to do, and in this case, serves a HTTP/1.1 302 for redirection back to the browser.
  However, it seems that the Policy Agent might be returning a HTTP/1.1 200, and setting the iPlanetDirectoryPro cookie, quickly followed by the HTTP/1.1 302 and the setting of whatever cookies it wants to set.
  The Policy Agent should be respecting the return code of the Application. This problem does not appear when run against the Policy Agent for the Sun ONE Web Server.
  Wondering if anyone has seen this before?
  Here is sanitized output from a trace on the POST and resulting response.
  POST /oslp/?sunwMethod=GET HTTP/1.1
  Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
  Accept-Language: en-au
  Content-Type: application/x-www-form-urlencoded
  Accept-Encoding: gzip, deflate
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
  Host: sco88342744.corp.qed.qld.gov.au
  Content-Length: 3496
  Connection: Keep-Alive
  Cache-Control: no-cache
  X-ProcessAndThread: IEXPLORE.EXE [904; 2908]
  LARES=<snip>
  HTTP/1.1 200 OK
  Date: Wed, 16 May 2007 22:25:42 GMT
  Server: Microsoft-IIS/6.0
  Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcz8tCfJ96AXxjIgRzuZJDgE7gMeTO0iIS4%3D%40AAJTSQACMDQ%3D%23;Path=/
  HTTP/1.1 302 Found
  Date: Wed, 16 May 2007 22:25:42 GMT
  Server: Microsoft-IIS/6.0
  X-AspNet-Version: 1.1.4322
  Location: /oslp/user/signon.aspx
  Set-Cookie: ASP.NET_SessionId=lh4sus55y1iy2r5514onnjuj; path=/
  Cache-Control: no-cache
  Pragma: no-cache
  Expires: -1
  Content-Type: text/html; charset=utf-8
  Content-Length: 139
  <html><head><title>Object moved</title></head><body>
  <h2>Object moved to <a href='/oslp/user/signon.aspx'>here</a>.</h2>
  </body></html>

  Hi,
  we had the same problem, but we got support
  from readme.txt
  Bug#: 6789020
  Agent type: All Agents
  Description: In CDSSO mode non enforced POST requests cannot be accessed
  Bug#: 6736820
  Agent type: IIS 6 Agent
  Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
  Both bugs should be fixed in this version:
  Sun Java System Web Agents 2.2-02 hotpatch2

• How to protect both access (http and https) with a Policy Agent

  Hi,
  During the installation of a web Policy Agent (i.e. Policy Agent for IIS) we have to choose the protocol (and port) of the web server we want to protect.
  If we have an IIS with secure (https) and non secure (http) applications, how we manage this scenario with the policy agent?
  Regards,

  Hi,
  Finally, i have installed the agent in IIS5 in the non secure port (http) and in fact it detects both access (http and https) fine.
  The problem now is that if i try to access to a non secure url ( http://mynonsecureapp.com ) all works fine, the agent redirects to https://myaccessmanager.com:443/amserver/UI/Login?goto=http://mynonsecureapp.com but when i try to access to a secure url ( https://mysecureapp.com ) the agent try to redirects me to: https://myaccessmanager.com:443/amserver/UI/Login?goto=http://mysecureapp.com (notice that the agent removes the 's' in the url).
  The amAgent log file shows:
  +2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_notification(), https://sigcit.agp.gva.es:443/fullcitriweb is not notification url http://sigcit.agp.gva.es:80/amagent/UpdateAgentCacheServlet?shortcircuit=false.+
  +2008-07-17 09:44:08.296 Warning 656:d8f6b0 PolicyAgent: OnPreprocHeaders(): Access Manager Cookie not found.+
  +2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): url 'https://sigcit.agp.gva.es:443/fullcitriweb' path_info ''.+
  +2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): processing url http://sigcit.agp.gva.es:80/fullcitriweb.+
  +2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): client_ip 172.27.65.62 not found in client ip not enforced list+
  Any ideas?
  Regards,
  Edited by: idm_oceanic on Jul 17, 2008 1:33 AM

• Access Manager Policy Agent and Oracle AS

  Hi,
  my system uses Oracle Application Server. The security dept use Sun Access Manager. I need to integrate the security of the Oracle system with the policy agent. Where this gets a little confusing is that one of my developers tells me that this is difficult to implement and that Sun arent planning on supporting the Oracle AS in future.
  What I would like is some clarification from the horses mouth so to speak. In particular is it possible to integrate the policy agent and Oracle AS, and are Sun committed to supporting and developing for this.
  Thanks,
  Andy.

  "Where this gets a little confusing is that one of my developers tells me that this is difficult to implement"
  "it is NOT an implementation but an integration ! difficult ? why ?"
  "and that Sun arent planning on supporting the Oracle AS in future."
  There is a PA 2.2 for Oracle 10g ! It is the latest version(2.2 I mean). I don't see any reasons why Sun should not continue. But it is ONLY my point of view...
  "What I would like is some clarification from the horses mouth so to speak. In particular is it possible to integrate the policy agent and Oracle AS, and are Sun committed to supporting and developing for this."
  Of course it is possible because you can find the PA that will integrate your Oracle AS with a Sun AM.
  1) Please read the documentation.
  http://docs.sun.com/app/docs/coll/1322.1
  Download the one for Oracle and read also the user guide.
  PA are very easy to integrate if you know what you do... Espec. und. the AM auth and sso... If you can be helped by a AM guy from your comp. it is welcome... It is a j2ee agent and of course the PA will make what is necessary to redirect you to AM at login time and later to auth. your request...2)
  2) Download the soft and do the job :-)
  Product Downloads
  Sun Java System Access Manager Policy Agent 2.2 for Oracle Application Server 10g
  http://www.sun.com/download/products.xml?id=455d52ed
  I did plenty of int. with Sun/Bea/Tomcat AS(don't forget there are also webserver agents like Apache PA) with AM and it is not a big deal. Not Oracle, but it is an AS and I don't see why it should be difficult...
  Hope this helps a bit.