J2EE Policy Agent

I have read about a J2EE policy agent for the identity server. Does such thing exist?
I am thinking about the scenario where I register a service with the identity server, assign the service and policy to users, and then deploy my service as a webapp to the sunone appserver. Whenever a client attempts access to my webapp, they would be redirected from the appserver to the Identity server login page for SSO and then forwarded back to my webapp, authenticated. The application could then read the users service properties and policy from the identity server to personalize the app.
How can this be achieved? Would it involve creating a custom JAAS LoginModule for the appserver? I had issues with trying to install some of the identity server Servlets in a normal webapp running in tomcat due to the amserver.propries and the cryto libs for the JAAS.

Hi Aaron,
Let me take a stab at this and answer to the best of my ability.
Currently J2EE agents are available only for web logic, in future will be available for other servers as well based on customer requirements.
I am thinking about the scenario where I register a service with the identity server, assign the service and policy to users, and then deploy my service as a webapp to the sunone appserver. Whenever a client attempts access to my webapp, they would be redirected from the appserver to the Identity server login page for SSO and then forwarded back to my webapp, authenticated. The application could then read the users service properties and policy from the identity server to personalize the app. ** This sounds possible though you might have to run the identity server sdk from the app server machine.
** The next release of identity server would be supporting JAAS authentication module.
** In the next two or three months Identity Server and Portal Server will be available with support for App Servers instead of just running it on top of the web server as it is today.

Similar Messages

  • J2ee policy agent + Access Manager sample

    Hello,
    i would like to secure my j2ee application by using j2ee policy agent in combination with Sun Indentity Manager 6.1 (Access Manager).
    I am new in this area, so i would like to ask if somebody know any SAMPLE application / example / turorial that shows step-by-step, how to cover this area.
    Thank you very much for any advise or link.
    -Eugen

    ...\jstudioE704Q4\AppServer7\domains\domain1\server1\logs\server.log
    [26/Sep/2005:18:59:11] INFO ( 1356): CORE3282: stdout: IN WebContainer>>moduleDeployed: customerinfoabout to close all connections
    [26/Sep/2005:18:59:12] INFO ( 1356): CORE3276: Installing a new configuration
    [26/Sep/2005:18:59:17] INFO ( 1356): WEB0100: Loading web module [CustomerInfo] in virtual server [server1] at [CustomerInfo]
    [26/Sep/2005:18:59:17] INFO ( 1356): WEB0121: Enabling no persistence for web module [CustomerInfo]'s sessions: persistence-type = [memory]
    [26/Sep/2005:18:59:17] INFO ( 1356): WEB0100: Loading web module [customerinfo] in virtual server [server1] at []
    [26/Sep/2005:18:59:21] INFO ( 1356): CORE3280: A new configuration was successfully installed
    [26/Sep/2005:18:59:21] INFO ( 1356): WEB4004: Closing web application environment for virtual server [server1]
    [26/Sep/2005:18:59:33] SEVERE ( 1356): HTTP3068: Error receiving request from 192.168.1.222 (Overlapped I/O operation is in progress.)
    [26/Sep/2005:18:59:33] SEVERE ( 1356): HTTP3068: Error receiving request from 192.168.1.222 (Overlapped I/O operation is in progress.)
    [26/Sep/2005:18:59:33] SEVERE ( 1356): HTTP3068: Error receiving request from 192.168.1.222 (Overlapped I/O operation is in progress.)
    [26/Sep/2005:18:59:33] INFO ( 1356): CORE3282: stdout: LENGTH_OF_GENERATED_UUID = 29
    [26/Sep/2005:19:00:29] INFO ( 1356): CORE3282: stdout: IN WebContainer>>moduleRedeployed: /customerinfoabout to close all connections
    [26/Sep/2005:19:00:29] INFO ( 1356): CORE3276: Installing a new configuration
    [26/Sep/2005:19:00:30] INFO ( 1356): WEB0100: Loading web module [CustomerInfo] in virtual server [server1] at [CustomerInfo]
    [26/Sep/2005:19:00:30] INFO ( 1356): WEB0121: Enabling no persistence for web module [CustomerInfo]'s sessions: persistence-type = [memory]
    [26/Sep/2005:19:00:30] INFO ( 1356): WEB0100: Loading web module [customerinfo] in virtual server [server1] at []
    [26/Sep/2005:19:00:31] INFO ( 1356): CORE3280: A new configuration was successfully installed
    [26/Sep/2005:19:00:31] INFO ( 1356): WEB4004: Closing web application environment for virtual server [server1]
    [26/Sep/2005:19:09:30] INFO ( 1356): CORE3282: stdout: IN WebContainer>>moduleRedeployed: /customerinfoabout to close all connections
    [26/Sep/2005:19:09:31] INFO ( 1356): CORE3276: Installing a new configuration
    [26/Sep/2005:19:09:31] INFO ( 1356): WEB0100: Loading web module [CustomerInfo] in virtual server [server1] at [CustomerInfo]
    [26/Sep/2005:19:09:31] INFO ( 1356): WEB0121: Enabling no persistence for web module [CustomerInfo]'s sessions: persistence-type = [memory]
    [26/Sep/2005:19:09:31] INFO ( 1356): WEB0100: Loading web module [customerinfo] in virtual server [server1] at []
    [26/Sep/2005:19:09:33] INFO ( 1356): CORE3280: A new configuration was successfully installed
    [26/Sep/2005:19:09:33] INFO ( 1356): WEB4004: Closing web application environment for virtual server [server1]
    [26/Sep/2005:19:09:49] SEVERE ( 1356): HTTP3068: Error receiving request from 192.168.1.222 (Overlapped I/O operation is in progress.)
    [26/Sep/2005:19:10:43] INFO ( 1356): CORE3282: stdout: IN WebContainer>>moduleRedeployed: /customerinfoabout to close all connections
    [26/Sep/2005:19:10:43] INFO ( 1356): CORE3276: Installing a new configuration
    [26/Sep/2005:19:10:44] INFO ( 1356): WEB0100: Loading web module [CustomerInfo] in virtual server [server1] at [CustomerInfo]
    [26/Sep/2005:19:10:44] INFO ( 1356): WEB0121: Enabling no persistence for web module [CustomerInfo]'s sessions: persistence-type = [memory]
    [26/Sep/2005:19:10:44] INFO ( 1356): WEB0100: Loading web module [customerinfo] in virtual server [server1] at []
    [26/Sep/2005:19:10:45] INFO ( 1356): CORE3280: A new configuration was successfully installed
    [26/Sep/2005:19:10:45] INFO ( 1356): WEB4004: Closing web application environment for virtual server [server1]
    I found no LOG file neither in
    ...\jstudioE704Q4\PolicyAgent\IdentityServer\j2ee_agents\logs
    nor in
    ...\jstudioE704Q4\PolicyAgent\IdentityServer\j2ee_agents\logs\D__Sun_jstudioE704Q4_AppServer7_domains_domain1_server1_config\
    Do you know any other log files to chek ?
    Thanks.
    --Eugen                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   

  • J2ee policy agent sample aplication

    Hello,
    i would like to secure my j2ee application by using j2ee policy agent in combination with Sun Indentity Manager 6.1 (Access Manager).
    I am new in this area, so i would like to ask if somebody know any SAMPLE application / example / turorial that shows step-by-step, who to cover this area.
    Thank you very much for any advise.
    -Eugen

    Hello,
    i would like to secure my j2ee application by using j2ee policy agent in combination with Sun Indentity Manager 6.1 (Access Manager).
    I am new in this area, so i would like to ask if somebody know any SAMPLE application / example / turorial that shows step-by-step, who to cover this area.
    Thank you very much for any advise.
    -Eugen

  • J2EE policy agent notice

    Please note that as of July 27,2005; Sun JCE 1.2.1 has expiried. Detail see following url.
    http://jp.sunsolve.sun.com/search/document.do?assetkey=1-26-101796-1&searchclause=
    We have evaluated the impact and the following J2EE agents will stop functioning as of this date.
    1. J2EE policy agent for BEA WebLogic Server 6.1 SP2 : Solaris/HP-UX/Win2000 [version 2.1 and 2.1.1]
    2. J2EE policy agent for PeopleSoft 8.3/8.4/8.8 : Solaris/Win2000/AIX 5.1,5.2 [version 2.1 and 2.1.1]
    Both these agents should stop fully functioning as of 27th July/05. Please follow the steps listed below to rectify the situation :
    1. Download JCE 1.2.2 from URL : http://java.sun.com/products/jce/index-122.html
    2. Once you download the zip file, extract the following jar files
    * US_export_policy.jar
    * local_policy.jar
    * jce1_2_1.jar
    * sunjce_provider.jar
    3. Replace the four JCE lib jars in the agent installation with the jars downloaded from JCE 1.2.2
    Please note that excepting the two agents mentioned above will be affected; all other agent installations should not be impacted with the expiration of Sun JCE 1.2.1. Thanks, Jerry

    Hi Aaron,
    Let me take a stab at this and answer to the best of my ability.
    Currently J2EE agents are available only for web logic, in future will be available for other servers as well based on customer requirements.
    I am thinking about the scenario where I register a service with the identity server, assign the service and policy to users, and then deploy my service as a webapp to the sunone appserver. Whenever a client attempts access to my webapp, they would be redirected from the appserver to the Identity server login page for SSO and then forwarded back to my webapp, authenticated. The application could then read the users service properties and policy from the identity server to personalize the app. ** This sounds possible though you might have to run the identity server sdk from the app server machine.
    ** The next release of identity server would be supporting JAAS authentication module.
    ** In the next two or three months Identity Server and Portal Server will be available with support for App Servers instead of just running it on top of the web server as it is today.

  • Difference between web policy agent and j2ee Policy agent ?

    Difference between web policy agent and j2ee Policy agent ?

    http://docs.sun.com/app/docs/doc/820-5816/ghscr?a=view

  • J2EE Policy Agent Jars

    Hi,
    Could anyone who has installed a J2EE Policy Agent please send me the following jar files zipped up. My email address is [email protected] thanks for your help.
    /opt/SUNWam/j2ee_agents/lib/am_agent_sdk_2_1.jar
    /opt/SUNWam/j2ee_agents/lib/am_agent_filter_2_1.jar
    /opt/SUNWam/j2ee_agents/lib/am_as81_agent_2_1.jar

    Hi Aaron,
    Let me take a stab at this and answer to the best of my ability.
    Currently J2EE agents are available only for web logic, in future will be available for other servers as well based on customer requirements.
    I am thinking about the scenario where I register a service with the identity server, assign the service and policy to users, and then deploy my service as a webapp to the sunone appserver. Whenever a client attempts access to my webapp, they would be redirected from the appserver to the Identity server login page for SSO and then forwarded back to my webapp, authenticated. The application could then read the users service properties and policy from the identity server to personalize the app. ** This sounds possible though you might have to run the identity server sdk from the app server machine.
    ** The next release of identity server would be supporting JAAS authentication module.
    ** In the next two or three months Identity Server and Portal Server will be available with support for App Servers instead of just running it on top of the web server as it is today.

  • Authorization issue with J2EE Policy Agent for AS7

    Following the documentaion I have created a simple J2EE application with a servlet and 2 jsp's. The 2 JSP's customer.jsp and admin.jsp are mapped to /customer and /admin. The entire web application is subject to a filter like:
    <filter>
    <filter-name>Agent</filter-name>
    <display-name>Agent</display-name>
    <description>SunTM ONE Idenitity Server Policy Agent for SunTM ONE Application Server 7.0</description>
    <filter-class>com.sun.amagent.as.filter.AgentFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>Agent</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
    The two resources /customer and /admin are subjected security constraints like:
    <security-constraint>
    <web-resource-collection>
    <web-resource-name>col2</web-resource-name>
    <url-pattern>/customer</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
    <role-name>customer</role-name>
    </auth-constraint>
    <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
    </security-constraint>
    The role-to-principal mapping is done in the sun-web.xml like:
    <security-role-mapping>
    <role-name>customer</role-name>
    <group-name>customer</group-name>
    <principal-name>amAdmin</principal-name>
    </security-role-mapping>
    <security-role-mapping>
    <role-name>admin</role-name>
    <group-name>admin</group-name>
    <principal-name>amAdmin</principal-name>
    </security-role-mapping>
    Two roles 'customer' and admin are created via the identity server console and users are added to these roles.
    The application deploys OK, when the app is accesed the user is redirected to the identity server and is authenticated fine. The user is directed to the main servlet and is allowed to access the the two jsp's. All is good till now, when the user access one these links say /customer, access is denied (403). The server logs prints out:
    [21/May/2003:10:34:24] FINE ( 6036): servletPath = /customer
    [21/May/2003:10:34:24] FINE ( 6036): pathInfo = null
    [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Process request for '/idssample/customer'
    [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Checking for SSO cookie
    [21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: SSO cookie is not present
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Security checking request GET /idssample/customer
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: We have cached auth type PROGRAMMATIC for principal amAdmin
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> false
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> true
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Subject to constraint SecurityConstraint[col2]
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling checkUserData()
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User data constraint has no restrictions
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling authenticate()
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User authentication is not required
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling accessControl()
    [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL : amAdmin hasRole?: customer
    [21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL TABLE: {}
    [21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Failed accessControl() test
    [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin)
    [21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin) => java.util.Vector$1@bb60ad
    Now, snooping around I have found that the AgentRealm.getGroupNames(userdn) does
    return the correct grops viz. customer,admin,anyone.
    PLEASE HELP

    -- Second Update --
    After policy installation I got several problems with PeopleSoft configuration. Which finally were solved.
    1. Some URL's has to be defined as not enforced.
    com.sun.am.policy.amFilter.notenforcedList[1]=/ps/images/*
    com.sun.am.policy.amFilter.notenforcedList[2]=*.css
    com.sun.am.policy.amFilter.notenforcedList[3]=*.ico
    2. In versions older than PeopleSoft 8.4.2 the policy agent modified the file
    /opt/fs/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/ps/configuration.properties to add the properties:
    byPassSignon=TRUE
    defaultUserid="DEFAULT_USER"
    defaultPWD="your password"
    signon_page=amsignin.html
    signonError_page=amsignin.html
    logout_page=amsignin.html
    expire_page=amsignin.html
    However, in the newer versions of PeopleSoft this properties are controled from the online Peoplesoft console. Which are set on:
    PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Security --> In section "Public Users" the parameters that has to be changed are:
    Allow Public Access (cheked)
    User ID : DEFAULT_USER
    Password : your password
    HTTP Session Inactivity : (SSO TIMEOUT)
    and:
    PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Look and Feel -->
    In section "SignOn/Logout" set the following values:
    Signon Page : amsignin.html
    Signon Error Page : amerror.html
    Logout Page : amsignout.html
    Note: After making any changes on the console; restart PIA (weblogic instance).
    With this the SSO with PeopleSoft is working Ok.
    Message was edited by:
    LpzYlnd

  • J2EE Policy agent - login page config questions

    Hi,
    I'm trying to configure a customized login page for an application that is protected by a AM Policy Agent 2.2-01 on SJSAS 8.2.
    I am aware of this link:
    http://docs.sun.com/app/docs/doc/820-2539/gatai?l=en&a=view .
    This describes configuring the custom login for an app. Based on the doc, I have configured the following:
    1. I have the agent and my app on one instance on myhost.mydomain.com
    2. A url policy is protecting my app, configured in Access Manager 7.1. The url is http://myhost.mydomain.com:38080/myapp/*
    3. In my app's web.xml I have the following:
      <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                <form-login-page>/login.jsp</form-login-page>
                <form-error-page>/loginerror.jsp</form-error-page>
            </form-login-config> 4. In AMAgent.properties:
    com.sun.identity.agents.config.login.form[0] = /myapp/login.jsp
    com.sun.identity.agents.config.login.error.uri[0] = /myapp/loginerror.jsp
    com.sun.identity.agents.config.login.use.internal = false
    com.sun.identity.agents.config.login.content.file = FormLoginContent.txtThere doesnt seem to be any change in login page when I go to my app. It just redirects to the Access Manager login page, and when I login it redirects back to the app. The security behavior is correct but I would like the login page to be unique for the app.
    So my questions are:
    1. Am I using com.sun.identity.agents.config.login.use.internal correctly? I dont want it to use internal login, but my login file, right?
    2. My login page is protected by my url policy. Is that a problem? Should I be using com.sun.identity.agents.config.notenforced.uri[0] on the login page?
    3. Can anyone clarify to me exactly how and where the contents of FormLoginContent.txt is used?
    I'm kind of new to AM and Policy Agents, so i apologize if my questions seem very newb. Any help is appreciated. Thanks!
    -Matt

    Changing com.sun.identity.agents.config.filter.mode to URL_POLICY seemed to help. I am now seeing /myapp/login.jsp as the login page for my app. The logins themselves are failing, however. I am confused as to how to set up the jsp to work with the agent to log in.
    -Matt

  • Error 403 returned from WebSphere running Policy Agent

    Hi,
    I'm getting an error 403 (forbidden) in my browser when I try to access a URL that I have protected using a Policy that I have setup in SAM.
    My configuration is as follows:
    Sun Access Manager 6 2005Q1 on Solaris
    WebSphere AppServer 5.1.1.5 on Win 2000
    WebSphere 5.0 Policy Agent 2.1 on Win 2000
    At the moment, all I'm trying to do is protect a URL which is contained in a simple WAR file which I have deployed on WAS.
    As per the J2EE Policy Agents guide, I have installed the Agent Filter by adding the following into web.xml
    <web-app>
    <display-name>...</display-name>
    <description>...</description>
    <filter>
    <filter-name>Agent</filter-name>
    <display-name>Agent</display-name>
    <description>SunTM ONE Identity Server Policy Agent</description>
    <filter-class>com.sun.identity.agents.websphere.AmWAS50AgentFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>Agent</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>
    </web-app>
    I've switched on Global Security in WAS and successfully logged back into the WebSphere Console using amldapuser. This confirms that the Agent Realm is working correctly.
    In SAM I set up a Policy with a Rule that specified the URL I want to protect. I added a Subject to this Rule of type LDAP User. The user I chose was amadmin (for the moment).
    I also configued an Agent with agentRootURL=http://<WAS fully qualified domain name>:9080/
    When I try to access the URL of the servlet in the WAR, I am redirected to the SAM's login page
    http://<SAM fully qualified domain name>/amserver/UI/Login?goto=http%3A%2F%2F<WAS fully qualified domain name>%3A9080%2FRoamingApp%2FRoaming
    However, when I enter the amadmin/ <password> error 403 is returned to the browser.
    I've checked the logs on SAM
    From amAuthentication.access
    "2005-07-28 11:58:15" "Login Success" LDAP dc=acme,dc=com INFO uid=amAdm
    in,ou=People,dc=acme,dc=com <WAS IP address> "cn=dsameuser,ou=DSAME Users,dc=acme,
    dc=com" <WAS IP address>
    From amSSO.access
    "2005-07-28 11:58:15" "SESSION CREATE" amSSO.access dc=acme,dc=com I
    NFO uid=amAdmin,ou=People,dc=acme,dc=com <WAS IP address> "cn=dsameuser,ou=
    DSAME Users,dc=acme,dc=com" <WAS IP address>
    From agent.log (Policy Agent on Win 2000)
    [Thursday, July 28, 2005 11:58:15 AM BST] [null]
    Access to http://<WAS fully qualified domain name>:9080/RoamingApp/Roaming denied for user UNKNOWN
    Perhaps I dont have the Policy in SAM configured correctly..... if anyone has come across this kind of problem before, I would greatly appreciate any help they can give me.
    Thanks,
    Justin

    Thanks for getting back to me Jerry.
    I had a look at the role-to-principal mappings you suggested. To do this I added a security constraint to my web.xml file.
    Then I reconfigured WebSphere so that the Active User Registry = LDAP instead of Custom. This allowed me to assign the LDAP group (in SAM) to the role (in web.xml). WAR file installed fine with these new bindings and I restarted WAS.
    Unfortunately, I'm still getting Error 403 in the browser!
    Any ideas as to what I might be doing wrong? Any help you can give me would be much appreciated.
    This is the amFilter log file from the Policy Agent...
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    AmFilter: incoming request =>
    HttpServletRequest: class => com.ibm.ws.webcontainer.srt.SRTServletRequest@1af52898
         Character Encoding     : null
         Content Lenght          : -1
         Content Type          : null
         Locale               : en_IE
         Accept Locales:
              en_IE
         Protocol          : HTTP/1.1
         Remote Address          : 172.20.13.96
         Remote Host          : 172.20.13.96
         Scheme               : http
         Server Name          : dubwrk1589.ie.pri.o2.com
         Server Port          : 9080
         Is Secure          : false
         Auth Type          : null
         Context Path          : /RoamingApp
         Cookies:
              amFilterParam: AQIC5wM2LY4Sfcx0xX1Z1+1tK4SfLh/aCFlbIGuRNEPcAVc=
              amFilterRDParam: AQIC5wM2LY4Sfcwb7v6Sof6MpnvtyR8nae7hiKN7Y11QjCagyWAs9LzbAeB9Q4TP8VjruhK+oYForXxw/qq6TqbMAN1PlT1YOQI3Vy92iAaJ2N9x2bSRaUU7NlwZg8oTti+JOLdiRMTzwO17jIoWwCIx/0CtoQXpkX/meuAoFwf1feyAEp2NvK7AIbE82f/p8o4LxQbhK2NQNec=
              WASReqURL: http://dubwrk1589.ie.pri.o2.com:9080/RoamingApp/Roaming
              JSESSIONID: 0000HRZTVpt84dvtjaLaKWBnwzu:-1
         Headers:
              accept:
                   image/gif
                   image/x-xbitmap
                   image/jpeg
                   image/pjpeg
                   application/msword
                   application/vnd.ms-excel
                   application/vnd.ms-powerpoint
                   application/x-shockwave-flash
              referer:
                   http://sam.digifone.com/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp
              accept-language:
                   en-ie
              cookie:
                   amFilterParam=AQIC5wM2LY4Sfcx0xX1Z1+1tK4SfLh/aCFlbIGuRNEPcAVc=; amFilterRDParam=AQIC5wM2LY4Sfcwb7v6Sof6MpnvtyR8nae7hiKN7Y11QjCagyWAs9LzbAeB9Q4TP8VjruhK+oYForXxw/qq6TqbMAN1PlT1YOQI3Vy92iAaJ2N9x2bSRaUU7NlwZg8oTti+JOLdiRMTzwO17jIoWwCIx/0CtoQXpkX/meuAoFwf1feyAEp2NvK7AIbE82f/p8o4LxQbhK2NQNec=; WASReqURL=http://dubwrk1589.ie.pri.o2.com:9080/RoamingApp/Roaming; JSESSIONID=0000HRZTVpt84dvtjaLaKWBnwzu:-1
              accept-encoding:
                   gzip
                   deflate
              user-agent:
                   Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
              host:
                   dubwrk1589.ie.pri.o2.com:9080
              connection:
                   Keep-Alive
              cache-control:
                   no-cache
         Method               : GET
         Path Info          : null
         Path Trans          : null
         Query String          : null
         Remote User          : null
         Requested Session ID     : 0000HRZTVpt84dvtjaLaKWBnwzu:-1
         Request URI          : /RoamingApp/login.jsp
         Servlet Path          : /login.jsp
         Session               : true
         User Principal          : null
         Attributes:
              com.ibm.servlet.engine.webapp.dispatch_type: forward
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    FQDNHandler: Incoming Server Name: [dubwrk1589.ie.pri.o2.com] Result: null
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    PatternRule{*/j_security_check}.matchString(/RoamingApp/login.jsp) => false
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    NotEnforcedListManager.isNotEnforced(/RoamingApp/login.jsp) => false
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    AmFilter: Login attempt number: 10
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    AmFilter: SSO Validation failed for null
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    AmFilter: Reseting Cookies in Response
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    WARNING: AmFilter: Login attempt number 10 failed for request URI: /RoamingApp/login.jsp
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    URLFailoverHelper: Checking if http://sam.digifone.com:80/amserver/UI/Login is available
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    URLFailoverHelper: URL http://sam.digifone.com:80/amserver/UI/Login is available
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    URLFailoverHelper: getAvailableURL() => http://sam.digifone.com:80/amserver/UI/Login
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    AmFilter: redirectURL is: http://sam.digifone.com:80/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    WARNING: AmFilter: redirect attempt limit reached for http://sam.digifone.com:80/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp, access will be denied
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    AmFilter: Using 403 forbidden to block access
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    getResource: id = 20004
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    AmFilter: result =>
    FilterResult:
         Status      : FORBIDDEN
         RedirectURL     : null
         RequestHelper:
              null
         Data:
              null
    07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
    getResource: id = 20008

  • Disable J2EE Local Auth Task Handler in policy agent 2.2

    Hi,
    Is there a way of disabling the j2ee local authentication handler for a policy agent 2.2 running in filter mode ALL ?
    If not, is there a way to configure local authentication without session-binding? I am specially interested in the agent for WebLogic Server 8.1.
    Thanks,
    Andrei Dumitru

    Hi,
    Is there a way of disabling the j2ee local authentication handler for a policy agent 2.2 running in filter mode ALL ?
    If not, is there a way to configure local authentication without session-binding? I am specially interested in the agent for WebLogic Server 8.1.
    Thanks,
    Andrei Dumitru

  • No log for am policy agent for iis6

    Hello!
    Im trying to get Policy Agent for IIS to run on my Win Srv 2003 with IIS6 and Sharepoint Services.
    I am running the OpenSSO version of Access Manager.
    I have installed the agent and done the initial cofiguration.
    When i try to browse the resource i get a login prompt (IIS Basic Auth)and cannot login followed by "Not Authorized 401.3"
    I should get redirected to the AM Login page, shouldn't I?
    I tried to look for answers in the log file but the /debug/<id> directory i empty.
    Anyone know what to do?
    The amAgent.properties file:
    # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
    # The syntax of this file is that of a standard Java properties file,
    # see the documentation for the java.util.Properties.load method for a
    # complete description. (CAVEAT: The SDK in the parser does not currently
    # support any backslash escapes except for wrapping long lines.)
    # All property names in this file are case-sensitive.
    # NOTE: The value of a property that is specified multiple times is not
    # defined.
    # WARNING: The contents of this file are classified as an UNSTABLE
    # interface by Sun Microsystems, Inc. As such, they are subject to
    # significant, incompatible changes in any future release of the
    # software.
    # The name of the cookie passed between the Access Manager
    # and the SDK.
    # WARNING: Changing this property without making the corresponding change
    # to the Access Manager will disable the SDK.
    com.sun.am.cookie.name = iPlanetDirectoryPro
    # The URL for the Access Manager Naming service.
    com.sun.am.naming.url = http://login.lta.mil.se:8080/opensso/namingservice
    # The URL of the login page on the Access Manager.
    com.sun.am.policy.am.login.url = http://login.lta.mil.se:8080/opensso/UI/Login
    # Name of the file to use for logging messages.
    com.sun.am.policy.agents.config.local.log.file = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAgent
    # This property is used for Log Rotation. The value of the property specifies
    # whether the agent deployed on the server supports the feature of not. If set
    # to false all log messages are written to the same file.
    com.sun.am.policy.agents.config.local.log.rotate = true
    # Name of the Access Manager log file to use for logging messages to
    # Access Manager.
    # Just the name of the file is needed. The directory of the file
    # is determined by settings configured on the Access Manager.
    com.sun.am.policy.agents.config.remote.log = amAuthLog.sharepoint.lta.mil.se.80
    # Set the logging level for the specified logging categories.
    # The format of the values is
    # <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
    # The currently used module names are: AuthService, NamingService,
    # PolicyService, SessionService, PolicyEngine, ServiceEngine,
    # Notification, PolicyAgent, RemoteLog and all.
    # The all module can be used to set the logging level for all currently
    # none logging modules. This will also establish the default level for
    # all subsequently created modules.
    # The meaning of the 'Level' value is described below:
    # 0 Disable logging from specified module*
    # 1 Log error messages
    # 2 Log warning and error messages
    # 3 Log info, warning, and error messages
    # 4 Log debug, info, warning, and error messages
    # 5 Like level 4, but with even more debugging messages
    # 128 log url access to log file on AM server.
    # 256 log url access to log file on local machine.
    # If level is omitted, then the logging module will be created with
    # the default logging level, which is the logging level associated with
    # the 'all' module.
    # for level of 128 and 256, you must also specify a logAccessType.
    # *Even if the level is set to zero, some messages may be produced for
    # a module if they are logged with the special level value of 'always'.
    com.sun.am.log.level = 5
    # The org, username and password for Agent to login to AM.
    com.sun.am.policy.am.username = UrlAccessAgent
    com.sun.am.policy.am.password = PN4rEZ1uhx1404ivWY6HPQ==
    # Name of the directory containing the certificate databases for SSL.
    com.sun.am.sslcert.dir = C:/Sun/Access_Manager/Agents/2.2/iis6/cert
    # Set this property if the certificate databases in the directory specified
    # by the previous property have a prefix.
    com.sun.am.certdb.prefix =
    # Should agent trust all server certificates when Access Manager
    # is running SSL?
    # Possible values are true or false.
    com.sun.am.trust_server_certs = true
    # Should the policy SDK use the Access Manager notification
    # mechanism to maintain the consistency of its internal cache? If the value
    # is false, then a polling mechanism is used to maintain cache consistency.
    # Possible values are true or false.
    com.sun.am.notification.enable = true
    # URL to which notification messages should be sent if notification is
    # enabled, see previous property.
    com.sun.am.notification.url = http://sharepoint.lta.mil.se:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
    # This property determines whether URL string case sensitivity is
    # obeyed during policy evaluation
    com.sun.am.policy.am.url_comparison.case_ignore = true
    # This property determines the amount of time (in minutes) an entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.policy.am.polling.interval=3
    # This property allows the user to configure the User Id parameter passed
    # by the session information from the access manager. The value of User
    # Id will be used by the agent to set the value of REMOTE_USER server
    # variable. By default this parameter is set to "UserToken"
    com.sun.am.policy.am.userid.param=UserToken
    # Profile attributes fetch mode
    # String attribute mode to specify if additional user profile attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user profile attributes will be introduced.
    # HTTP_HEADER - additional user profile attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user profile attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
    # The user profile attributes to be added to the HTTP header. The
    # specification is of the format ldap_attribute_name|http_header_name[,...].
    # ldap_attribute_name is the attribute in data store to be fetched and
    # http_header_name is the name of the header to which the value needs
    # to be assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organiz ational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    # Session attributes mode
    # String attribute mode to specify if additional user session attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user session attributes will be introduced.
    # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
    # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
    # The session attributes to be added to the HTTP header. The specification is
    # of the format session_attribute_name|http_header_name[,...].
    # session_attribute_name is the attribute in session to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.session.attribute.map=
    # Response Attribute Fetch Mode
    # String attribute mode to specify if additional user response attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user response attributes will be introduced.
    # HTTP_HEADER - additional user response attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user response attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
    # The response attributes to be added to the HTTP header. The specification is
    # of the format response_attribute_name|http_header_name[,...].
    # response_attribute_name is the attribute in policy response to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.response.attribute.map=
    # The cookie name used in iAS for sticky load balancing
    com.sun.am.policy.am.lb.cookie.name = GX_jst
    # indicate where a load balancer is used for Access Manager
    # services.
    # true | false
    com.sun.am.load_balancer.enable = false
    ####Agent Configuration####
    # this is for product versioning, please do not modify it
    com.sun.am.policy.agents.config.version=2.2
    # Set the url access logging level. the choices are
    # LOG_NONE - do not log user access to url
    # LOG_DENY - log url access that was denied.
    # LOG_ALLOW - log url access that was allowed.
    # LOG_BOTH - log url access that was allowed or denied.
    com.sun.am.policy.agents.config.audit.accesstype = LOG_BOTH
    # Agent prefix
    com.sun.am.policy.agents.config.agenturi.prefix = http://sharepoint.lta.mil.se:80/amagent
    # Locale setting.
    com.sun.am.policy.agents.config.locale = en_US
    # The unique identifier for this agent instance.
    com.sun.am.policy.agents.config.instance.name = unused
    # Do SSO only
    # Boolean attribute to indicate whether the agent will just enforce user
    # authentication (SSO) without enforcing policies (authorization)
    com.sun.am.policy.agents.config.do_sso_only = true
    # The URL of the access denied page. If no value is specified, then
    # the agent will return an HTTP status of 403 (Forbidden).
    com.sun.am.policy.agents.config.accessdenied.url =
    # This property indicates if FQDN checking is enabled or not.
    com.sun.am.policy.agents.config.fqdn.check.enable = true
    # Default FQDN is the fully qualified hostname that the users should use
    # in order to access resources on this web server instance. This is a
    # required configuration value without which the Web server may not
    # startup correctly.
    # The primary purpose of specifying this property is to ensure that if
    # the users try to access protected resources on this web server
    # instance without specifying the FQDN in the browser URL, the Agent
    # can take corrective action and redirect the user to the URL that
    # contains the correct FQDN.
    # This property is set during the agent installation and need not be
    # modified unless absolutely necessary to accommodate deployment
    # requirements.
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
    # com.sun.am.policy.agents.config.fqdn.map
    com.sun.am.policy.agents.config.fqdn.default = sharepoint.lta.mil.se
    # The FQDN Map is a simple map that enables the Agent to take corrective
    # action in the case where the users may have typed in an incorrect URL
    # such as by specifying partial hostname or using an IP address to
    # access protected resources. It redirects the browser to the URL
    # with fully qualified domain name so that cookies related to the domain
    # are received by the agents.
    # The format for this property is:
    # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
    # This property can also be used so that the agents use the name specified
    # in this map instead of the web server's actual name. This can be
    # accomplished by doing the following.
    # Say you want your server to be addressed as xyz.hostname.com whereas the
    # actual name of the server is abc.hostname.com. The browsers only knows
    # xyz.hostname.com and you have specified polices using xyz.hostname.com at
    # the Access Manager policy console, in this file set the mapping as
    # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
    # Another example is if you have multiple virtual servers say rst.hostname.com,
    # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
    # abc.hostname.com and each of the virtual servers have their own policies
    # defined, then the fqdnMap should be defined as follows:
    # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    com.sun.am.policy.agents.config.fqdn.map =
    # Cookie Reset
    # This property must be set to true, if this agent needs to
    # reset cookies in the response before redirecting to
    # Access Manager for Authentication.
    # By default this is set to false.
    # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
    com.sun.am.policy.agents.config.cookie.reset.enable=false
    # This property gives the comma separated list of Cookies, that
    # need to be included in the Redirect Response to Access Manager.
    # This property is used only if the Cookie Reset feature is enabled.
    # The Cookie details need to be specified in the following Format
    # name[=value][;Domain=value]
    # If "Domain" is not specified, then the default agent domain is
    # used to set the Cookie.
    # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
    # token=value;Domain=subdomain.domain.com
    com.sun.am.policy.agents.config.cookie.reset.list=
    # This property gives the space separated list of domains in
    # which cookies have to be set in a CDSSO scenario. This property
    # is used only if CDSSO is enabled.
    # If this property is left blank then the fully qualified cookie
    # domain for the agent server will be used for setting the cookie
    # domain. In such case it is a host cookie instead of a domain cookie.
    # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
    com.sun.am.policy.agents.config.cookie.domain.list=
    # user id returned if accessing global allow page and not authenticated
    com.sun.am.policy.agents.config.anonymous_user=anonymous
    # Enable/Disable REMOTE_USER processing for anonymous users
    # true | false
    com.sun.am.policy.agents.config.anonymous_user.enable=false
    # Not enforced list is the list of URLs for which no authentication is
    # required. Wildcards can be used to define a pattern of URLs.
    # The URLs specified may not contain any query parameters.
    # Each service have their own not enforced list. The service name is suffixed
    # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
    # for a particular service. SPACE is the separator between the URL.
    com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
    # Boolean attribute to indicate whether the above list is a not enforced list
    # or an enforced list; When the value is true, the list means enforced list,
    # or in other words, the whole web site is open/accessible without
    # authentication except for those URLs in the list.
    com.sun.am.policy.agents.config.notenforced_list.invert = false
    # Not enforced client IP address list is a list of client IP addresses.
    # No authentication and authorization are required for the requests coming
    # from these client IP addresses. The IP address must be in the form of
    # eg: 192.168.12.2 1.1.1.1
    com.sun.am.policy.agents.config.notenforced_client_ip_list =
    # Enable POST data preservation; By default it is set to false
    com.sun.am.policy.agents.config.postdata.preserve.enable = false
    # POST data preservation : POST cache entry lifetime in minutes,
    # After the specified interval, the entry will be dropped
    com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.config.cdsso.enable=false
    # This is the URL the user will be redirected to for authentication
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.config.cdcservlet.url =
    # Enable/Disable client IP address validation. This validate
    # will check if the subsequent browser requests come from the
    # same ip address that the SSO token is initially issued against
    com.sun.am.policy.agents.config.client_ip_validation.enable = false
    # Below properties are used to define cookie prefix and cookie max age
    com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
    com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
    # Logout URL - application's Logout URL.
    # This URL is not enforced by policy.
    # if set, agent will intercept this URL and destroy the user's session,
    # if any. The application's logout URL will be allowed whether or not
    # the session destroy is successful.
    com.sun.am.policy.agents.config.logout.url=
    # Any cookies to be reset upon logout in the same format as cookie_reset_list
    com.sun.am.policy.agents.config.logout.cookie.reset.list =
    # By default, when a policy decision for a resource is needed,
    # agent gets and caches the policy decision of the resource and
    # all resource from the root of the resource down, from the Access Manager.
    # For example, if the resource is http://host/a/b/c, the the root of the
    # resource is http://host/. This is because more resources from the
    # same path are likely to be accessed subsequently.
    # However this may take a long time the first time if there
    # are many many policies defined under the root resource.
    # To have agent get and cache the policy decision for the resource only,
    # set the following property to false.
    com.sun.am.policy.am.fetch_from_root_resource = true
    # Whether to get the client's hostname through DNS reverse lookup for use
    # in policy evaluation.
    # It is true by default, if the property does not exist or if it is
    # any value other than false.
    com.sun.am.policy.agents.config.get_client_host_name = true
    # The following property is to enable native encoding of
    # ldap header attributes forwarded by agents. If set to true
    # agent will encode the ldap header value in the default
    # encoding of OS locale. If set to false ldap header values
    # will be encoded in UTF-8
    com.sun.am.policy.agents.config.convert_mbyte.enable = false
    #When the not enforced list or policy has a wildcard '*' character, agent
    #strips the path info from the request URI and uses the resulting request
    #URI to check against the not enforced list or policy instead of the entire
    #request URI, in order to prevent someone from getting access to any URI by
    #simply appending the matching pattern in the policy or not enforced list.
    #For example, if the not enforced list has the value http://host/*.gif,
    #stripping the path info from the request URI will prevent someone from
    #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
    #However when a web server (for exmample apache) is configured to be a reverse
    #proxy server for a J2EE application server, path info is interpreted in a different
    #manner since it maps to a resource on the proxy instead of the app server.
    #This prevents the not enforced list or policy from being applied to part of
    #the URI below the app serverpath if there is a wildcard character. For example,
    #if the not enforced list has value http://host/webapp/servcontext/* and the
    #request URL is http://host/webapp/servcontext/example.jsp the path info
    #is /servcontext/example.jsp and the resulting request URL with path info stripped
    #is http://host/webapp, which will not match the not enforced list. By setting the
    #following property to true, the path info will not be stripped from the request URL
    #even if there is a wild character in the not enforced list or policy.
    #Be aware though that if this is set to true there should be nothing following the
    #wildcard character '*' in the not enforced list or policy, or the
    #security loophole described above may occur.
    com.sun.am.policy.agents.config.ignore_path_info = false
    # Override the request url given by the web server with
    # the protocol, host or port of the agent's uri specified in
    # the com.sun.am.policy.agents.agenturiprefix property.
    # These may be needed if the agent is sitting behind a ssl off-loader,
    # load balancer, or proxy, and either the protocol (HTTP scheme),
    # hostname, or port of the machine in front of agent which users go through
    # is different from the agent's protocol, host or port.
    com.sun.am.policy.agents.config.override_protocol =
    com.sun.am.policy.agents.config.override_host =
    com.sun.am.policy.agents.config.override_port = true
    # Override the notification url in the same way as other request urls.
    # Set this to true if any one of the override properties above is true,
    # and if the notification url is coming through the proxy or load balancer
    # in the same way as other request url's.
    com.sun.am.policy.agents.config.override_notification.url =
    # The following property defines how long to wait in attempting
    # to connect to an Access Manager AUTH server.
    # The default value is 2 seconds. This value needs to be increased
    # when receiving the error "unable to find active Access Manager Auth server"
    com.sun.am.policy.agents.config.connection_timeout =
    # Time in milliseconds the agent will wait to receive the
    # response from Access Manager. After the timeout, the connection
    # will be drop.
    # A value of 0 means that the agent will wait until receiving the response.
    # WARNING: Invalid value for this property can result in
    # the resources becoming inaccessible.
    com.sun.am.receive_timeout = 0
    # The three following properties are for IIS6 agent only.
    # The two first properties allow to set a username and password that will be
    # used by the authentication filter to pass the Windows challenge when the Basic
    # Authentication option is selected in Microsoft IIS 6.0. The authentication
    # filter is named amiis6auth.dll and is located in
    # Agent_installation_directory/iis6/bin. It must be installed manually on
    # the web site ("ISAPI Filters" tab in the properties of the web site).
    # It must also be uninstalled manually when unintalling the agent.
    # The last property defines the full path for the authentication filter log file.
    com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAuthFilter

    If the agent doesnot start properly you would always get redirected to com.sun.am.policy.agents.config.accessdenied.url , if thats not specified you will get a 403.
    For the agent itself check that the naming.url is correct. the agent username and passwords are correct, and see that the user has priviledges to write to the agent log files. Apart from these post the windows event logs.

  • Policy agent 2.2 amfilter local authentication with session binding failed

    Hi All,
    I have policy agent 2.2 for weblogic 8.1 sp4 installed on redhat linux. All are working fine in my development box. But I was running all the process under user root, so today I decided to change it to a regular user, joe. I changed all the files' owner for weblogic server and policy agent from root to joe, and restart server as user Joe. After the change, I can not access the application on Weblogic server. I changed file ownership back to root and restart weblogic server as root, still same error.
    Here is the error I got:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
    Here is the error I found from agent log file, amFilter:
    AmFilter: now processing: SSO Task Handler
    05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    SSOTaskHandler: caching SSO Token for user uid=amAdmin,ou=People,dc=etouch,dc=net
    05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmBaseSSOCache: cached the sso token for user principal : uid=amadmin,ou=people,dc=etouch,dc=net sso token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#, cache size = 1
    05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    SSOTaskHandler: SSO Validation successful for uid=amAdmin,ou=People,dc=etouch,dc=net
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: now processing: J2EE Local Logout Task Handler
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: local logout skipped SSO User => amAdmin, principal =>null
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: now processing: J2EE Local Auth Task Handler
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    LocalAuthTaskHandler: No principal found. Initiating local authentication for amAdmin
    05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    LocalAuthTaskHandler: doing local authentication with session binding
    05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    LocalAuthTaskHandler: Local authentication failed, invalidating session.05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    WARNING: LocalAuthTaskHandler: Local authentication failed for : /portal/index.jsp, SSO Token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#
    05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
    AmFilter: result =>
    FilterResult:
         Status      : FORBIDDEN
         RedirectURL     : null
         RequestHelper:
              null
         Data:
              null
    -----------------------------------------------------------

    Hi,
    I'm having the exact same problem in the Prod environment, but on a Sun App Server. In development all is fine, in prod we now have:
    ERROR: AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
    java.lang.IllegalStateException: invalidate: Session already invalidated
    at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1258)
    at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:164)
    at com.sun.identity.agents.filter.LocalAuthTaskHandler.doLocalAuthWithSessionBinding(LocalAuthTaskHandler.java:289)
    at com.sun.identity.agents.filter.LocalAuthTaskHandler.authenticate(LocalAuthTaskHandler.java:159)
    at com.sun.identity.agents.filter.LocalAuthTaskHandler.process(LocalAuthTaskHandler.java:106)
    at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
    at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
    at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
    at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
    at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
    at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
    FilterResult:
    Status : FORBIDDEN
    RedirectURL : null
    RequestHelper:
    null
    Data:
    null
    Also, we I debug I see:
    LocalAuthTaskHandler: No principal found. Initiating local authentication for ...
    Did you receive any solution for this?
    Many, many thanks,
    Philip

  • SunONE Web Server 6.1 SP7 crashes with Policy Agent 2.2 plugin

    Recently we started facing glibc issues on our webservers and wanted to know if any of you have come across such issues on your setups..
    Setup Info:
    - OS is RHEL 4.0
    - Sun ONE Web Server 6.1SP7
    - Policy Agent 2.2
    When user logins to our application for first time, the policy agent on our webserver intercepts the request and redirects to AM SSO server's login page for authentication. Before redirecting the request, the policy agent preserves the request (POST data) in our webserver and then redirects the request to SSO server. After the user is authenticated on SSO server, the SSO server redirects the request back to our webserver and the policy agent now tries to fetch the preserved post data for the user where it fails(see errors below) and then the user gets 'page cannot be displayed' error on browser. Internally, the SJSWS crashes and gets restarted :(
    From logs:
    [29/Apr/2008:06:32:48] warning (13856): CORE3283: stderr: 2008-04-29 06:32:48.163 Warning 13856:897a4b8 ServiceEngine: Service::getPolicyResult():Result size is 0,tree not present for https://server1.gft.com:443/dummypost/sunpostpreserve2008-04-2906:31:50.311
    [29/Apr/2008:06:32:48] warning (13856): CORE3283: stderr: *** glibc detected *** free(): invalid pointer: 0x08265670 ***
    [29/Apr/2008:06:32:48] warning (13856): CORE3283: stderr: 2008-04-29 06:32:48.529 Warning 13856:897a4b8 ServiceEngine: Service::getPolicyResult():No passwd value in session response.
    [29/Apr/2008:06:32:48] catastrophe (13856): CORE3260: Server crash detected (signal SIGSEGV)
    [29/Apr/2008:06:32:48] info (13856): CORE3261: Crash occurred in NSAPI SAF service-j2ee
    [29/Apr/2008:06:32:48] failure (13107): CORE3107: Child process closed admin channel
    (At this point the SJSWS gets restarted)
    This issue is not always reproducible though !
    Appreciate your help on debugging this..

    Hi...
    just a guess try looking into this bug details ..it may be helpful
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6299862

  • Access Manager Policy Agent and Oracle AS

    Hi,
    my system uses Oracle Application Server. The security dept use Sun Access Manager. I need to integrate the security of the Oracle system with the policy agent. Where this gets a little confusing is that one of my developers tells me that this is difficult to implement and that Sun arent planning on supporting the Oracle AS in future.
    What I would like is some clarification from the horses mouth so to speak. In particular is it possible to integrate the policy agent and Oracle AS, and are Sun committed to supporting and developing for this.
    Thanks,
    Andy.

    "Where this gets a little confusing is that one of my developers tells me that this is difficult to implement"
    "it is NOT an implementation but an integration ! difficult ? why ?"
    "and that Sun arent planning on supporting the Oracle AS in future."
    There is a PA 2.2 for Oracle 10g ! It is the latest version(2.2 I mean). I don't see any reasons why Sun should not continue. But it is ONLY my point of view...
    "What I would like is some clarification from the horses mouth so to speak. In particular is it possible to integrate the policy agent and Oracle AS, and are Sun committed to supporting and developing for this."
    Of course it is possible because you can find the PA that will integrate your Oracle AS with a Sun AM.
    1) Please read the documentation.
    http://docs.sun.com/app/docs/coll/1322.1
    Download the one for Oracle and read also the user guide.
    PA are very easy to integrate if you know what you do... Espec. und. the AM auth and sso... If you can be helped by a AM guy from your comp. it is welcome... It is a j2ee agent and of course the PA will make what is necessary to redirect you to AM at login time and later to auth. your request...2)
    2) Download the soft and do the job :-)
    Product Downloads
    Sun Java System Access Manager Policy Agent 2.2 for Oracle Application Server 10g
    http://www.sun.com/download/products.xml?id=455d52ed
    I did plenty of int. with Sun/Bea/Tomcat AS(don't forget there are also webserver agents like Apache PA) with AM and it is not a big deal. Not Oracle, but it is an AS and I don't see why it should be difficult...
    Hope this helps a bit.

  • Policy Agent Installation : Path to password file to identify the agent ???

    Hi,
    I am trying to install Policy Agent 2.2 on Sun App Server 9.1 which was installed via "Java EE5 SDK Update2" (java tools bundle) on Windows XP Pro.
    In the installation process, I have reached a question to which I want to know the answer.
    "Enter the path to a file that contains the password to be used for identifying the Agent."
    Could someone pls tell me the exact name of the file to find in the server hierarchy?, whose path I can search for.
    My AM is installed at location:
    "D:\Sun\SDK\domains\domain1\applications\j2ee-modules\amserver"
    Thanks in advance.
    Rahul A Honrao

    This is the way I solved it:
    1. copy default pkgadd to pkgadd.orig
    cp /usr/sbin/pkgadd /usr/sbin/pkgadd.orig
    2. create new pkgadd
    cat > /usr/sbin/pkgadd
    #!/bin/sh
    /usr/sbin/pkgadd.orig -G $*
    ^D
    3. Make /usr/sbin/pkgadd executable
    chmod 755 /usr/sbin/pkgadd
    Now install the agent.
    HTH

Maybe you are looking for

  • AirPort Extreme 6th gen, not recognize my printer HP deskjet ink advantage 1515

    I have AirPort Extreme 6th gen, it can not recognize my printer HP deskjet ink advantage 1515. I already contact hp support and they reply my printer is support by AirPort Extreme. This is the link web statement http://h10025.www1.hp.com/ewfrf/wc/doc

  • E63 Text message options

    Can I type a text message and "diarize" it to be delivered on a future date and time?

  • How to give more than 10 Reward Points

    Hi Experts, For your excellent performance for solving problems, if I would like to give more than 10 "Rewards Point", how can I proceed? Can any expert guide me how to give more than 10 Reward Points? Thanks, Hoque Toronto, Canada

  • How to use array function?

    I want to create a array with the data are in the table (one or more than one field). By using function makearray or array, it can create the array with one record e.g. Local  stringvar Array x := MakeArray ({CASES.ASSIGNTO}); ubound(x); the result w

  • How To Enable Commenting By Others??

    Could you tell me how to enable commenting by the individuals I send 3D PDF's to. It is my understanding that recipients of my 3D PDF's do have the ability to measure and comment on my PDF's. Thank you in advance.