2008 R2 Server and Microsoft identity Management for Unix - Lost groups

I couldn't find a group that fit this one so I'm putting it in the general group. If there is a better group please reply with it. Thx
We have 2 Windows 2008 R2 servers and 2 Linux boxes running NIS/Kerberos. One of the Linux servers also runs a secondary NIS server for performance reasons. Unix Services syncs the account db in NIS format to it; the other server connects and auths directly off of the AD server. We have had this setup for over a year now and it's run without problem. Today I ran the Microsoft Identity Management utility and lost the NIS groups on the Linux server that runs its own NIS server.
On the Linux server that connects directly to the AD box the groups all appear with an id command from the command line. It looks like the Unix for Windows services app no longer will sync to a Linux NIS server. I feel this is a bug due to the fact that I recently updated the two Windows 2008 R2 servers to the latest patch releases a few days ago.
Does anyone have a fix for this, or could Microsoft look into it?

Hello,
You may ask this in
https://social.technet.microsoft.com/Forums/en-US/home?category=identitymanagement
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

Similar Messages

  • Identity Management for UNIX (aka Windows Services for Unix) Adding 2012 DC to a prep'd 2003 domain.

    We have been successfully using Windows Services for Unix on a 2003 domain for passwd and group maps.
    I prep'd the domain to allow a 2012 R2 server to be added and then added the IdMU role/feature on this new 2012R2 DC. Now the passwd map is still OK but the group map now shows full usernames rather than short names.
    i.e. what DID show with "ypcat group" as ...
    "infra-shared::65550:gfer,jhug,shig", now shows as
    "infra-shared::65550:Garry Ferguson,Jason Hughes,Steve Higgins"
    and so is not usable. I have had to revert to local /etc/group files on all our unix machines!!
    Help/comments would be really appreciated!
    Garry Ferguson

    Hi Gaz Ferg,
    SFU 3.5 used to be installed on Windows 2003 and Windows XP. SFU 3.5 cannot be used on Windows 2012, which means customers cannot use NFS and User Name Mapping services on Windows 2012. From Windows 2003 R2, NFS is a built-in component of the OS; we need to add Roles/Features to use NFS.
    1. What has changed in 2012 R2
    The IDMU component, which was used to authenticate Linux users, has been removed. Now a Windows server cannot play the role of NIS Master server.
    Passwords cannot sync to the Unix machines. Maps cannot sync between Windows and Unix computers.
    2. What has not changed in 2012 R2
    The following methods to authenticate and map a Unix user to a Windows user are available:
    Active Directory
    Active Directory Lightweight Directory Services (AD LDS)
    Username Mapping Protocol store (MS-UNMP)
    Local passwd and group files
    Unmapped UNIX Username Access (UUUA) (applies to Server for NFS using AUTH_SYS only)
    You can find more information about this here:
    http://blogs.technet.com/b/filecab/archive/2012/10/09/nfs-identity-mapping-in-windows-server-2012.aspx
    http://blogs.msdn.com/b/shan/archive/2006/12/13/sfu-sua-idmu-fun-with-names.aspx
    More information:
    Install Identity Management for UNIX Components
    http://technet.microsoft.com/en-us/library/cc731178.aspx
    I'm glad to be of help to you!
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.

  • Is MS Identity Management for Unix / PW Sync supported in WS 2012 R2

    We need to upgrade the AD forest DC servers and the FFL and DFL levels.
    The current AD domain is a one-domain forest, with WS 2003 DC servers.
    Our target is to install the newest Windows servers (WS 2012 R2) as DC's.
    To do the job, we are going to promote new DCs first, then demote the old ones, and finally raise the DFL+FFL levels to the newest possible.
    However, currently the MS Identity Management for Unix / Password Synchronization software is installed on each of the DCs. To keep passwords in sync and thus the IDM working, the software has to be installed on each of the new DCs, too.
    According to MS article
    http://technet.microsoft.com/en-us/library/cc731178.aspx
    the pw sync can be installed to WS 2012 server.
    My questions are:
    - Can we go forward with the WS 2012 R2 DC installation and assume that the pw sync can be used on them, too?
    - Or do we have to install older DC servers (WS 2012)?
    Br,
    Kari Oikkonen
    Fujitsu Finland

    We found the following TechNet article:
    Windows Server 2012 R2 Packages
    http://technet.microsoft.com/en-us/library/dn452400.aspx
    According to it, the psync package is still there.
    One colleague also briefly tested with an R2 server by installing it with the
    Dism.exe /online /enable-feature /featurename:psync /all
    command, and the pw sync seemed to install OK.
    So we are now encouraged to install R2 servers for DC and psync.
    Br, Kari

  • Using Identity Management for Securing Web Services

    My goal is to associate my services with an Oracle Internet Directory. I made some attempts to set up SAML authentication for the web services, but it didn't have the right outcome.
    (My identity management server and OID is up and running and I have successfully made authentication modules for other web applications)
    Here is what I did:
    1. I wrote a simple java file, used jdeveloper tools to create and deploy it as a web service to OC4J. I associated an identity management server with this service through OC4J web tools as security provider.
    2. I made a data control for the web service and put it in an ADF application (client).
    3. I deployed the client project (2) to OC4J.
    I could use the web service through the page.
    Then I secured the web service to expect SAML for authentication.
    Surprisingly, the client could still communicate with the web service. Why? Shouldn't it have rejected the request because of the problem in the SAML token? (The proxy and the data control were not secured, and didn't provide any SAML tokens.)
    4. I added a login page to my client project (through the ADF security wizard). It used identity management for authentication successfully. The login process completes and the web service data control is displayed.
    5. I want the authentication information to be propagated through the page so that the web service receives the data and uses Identity Management.
    I know I should add <property name="oracle.security.wss.propagate.identity" value="true"/>
    to one of the configuration files, but don't know where exactly.
    Best Regards,
    Farbod

    It doesn't matter whether the service is invoked as part of your larger process or not; if it is performing any business critical operation then it should be secured.
    The idea of SOA / designing services is to have the services available so that they can be orchestrated as part of any other business process.
    Today you may have secured your parent services and tomorrow you could come up with a new service which may use one of the existing lower level services.
    If all the services are in one Application server you can make the configuration/development environment a lot easier by securing them using the Gateway.
    The typical problem with any gateway architecture is that the service is available without any security enforcement when accessed directly.
    You can enforce rules at your network layer to allow access to the App server only from the Gateway.
    When you have the liberty to use OWSM or any other WS-Security products, I would stay away from any extensions. Two things to consider:
    The next BPEL developer in your project may not be aware of Security extensions.
    Centralizing Security enforcement will make your development and security operations loosely coupled and addresses scalability.
    Thanks
    Ram

  • Exchange 2013 CU2 Hub transport and Microsoft Filtering Management Service did not start

    Were you able to fix the issue? I have the same problem: after Access denied for the Transport service and Microsoft Filtering Management Service with Error 0x8000405 unspecified error.

    Hi,
    From your description, I would like to verify if there is an event 2200 in Application log. If yes, please copy the ConfigurationServer.xml file from a normal Exchange server 2013 and add it to your Exchange server to check the result.
    If there is no event 2200, please take your time to post your error event for my further research.
    Here is a thread for your reference.
    Unable to start Microsoft Exchange Transport and Microsoft Filtering Management Service
    https://social.technet.microsoft.com/Forums/en-US/7473fa45-221d-4cfe-87d4-3dc697fc5c85/unable-to-start-microsoft-exchange-transport-and-microsoft-filtering-management-service-fms?forum=exchangesvrsecuremessaging
    Hope this can be helpful to you.
    Best regards,
    Amy Wang
    TechNet Community Support

  • I can't resync and uninstall Identity Synchronization for Windows 1.0

    Hi, everybody.
    I downloaded and installed Identity Synchronization for Windows 1.0 on Solaris 8.
    But I can't execute the idsync resync command. The below error message is output on the console:
    # ./idsync resync -h crow.bird.soft.hitachi.co.jp -p 3890 -D cn=manager -w managersecret -q netscape -s dc=bird,dc=soft,dc=hitachi,dc=co,dc=jp
    Exception in thread "main" java.lang.NoClassDefFoundError
    at com.sun.directory.wps.registry.model.dao.LDAPConfigurationRegistryDAO.initializeEncryptor(LDAPConfigurationRegistryDAO.java:756)
    at com.sun.directory.wps.registry.model.dao.LDAPConfigurationRegistryDAO.open(LDAPConfigurationRegistryDAO.java:721)
    at com.sun.directory.wps.registry.util.BasicRegistryFacade.openRegistry(BasicRegistryFacade.java:120)
    at com.sun.directory.wps.registry.util.BasicRegistryFacade.openRegistry(BasicRegistryFacade.java:211)
    at com.sun.directory.wps.ui.model.PSWConfigurationFacade.openRegistry(PSWConfigurationFacade.java:1126)
    at com.sun.directory.wps.ui.model.PSWConfigurationFacade.openRegistry(PSWConfigurationFacade.java:1114)
    at com.sun.directory.wps.ui.cli.CRCLIProgram.getConfigurationFacade(CRCLIProgram.java:64)
    at com.sun.directory.wps.ui.cli.RefreshUsers.execute(RefreshUsers.java:283)
    at com.sun.directory.wps.ui.cli.ResyncUsers.<init>(ResyncUsers.java:54)
    at com.sun.directory.wps.ui.cli.IdSyncProgram.execute(IdSyncProgram.java:94)
    at com.sun.directory.wps.ui.cli.IdSyncProgram.<init>(IdSyncProgram.java:129)
    at com.sun.directory.wps.ui.cli.IdSyncProgram.main(IdSyncProgram.java:135)
    And I can't execute runUnInstaller.sh either because of the same error messages in the logs/cli/error.log file.
    Both errors output the same message "org/apache/xerces/utils/Base64" in the log files, so I think the CLASSPATH is wrong.
    In runUninstaller.sh, the jar file names below are written as -classpath arguments.
    /usr/share/lib/mps/jss3.jar
    /usr/sfw/share/lib/xerces-200.jar
    Are these settings correct?
    If these settings are wrong, is resync set up with the same wrong settings in the binary code?
    Please tell me how to resync and how to uninstall Identity Synchronization for Windows 1.0.

    I made a mistake in the log file name.
    I wrote:
    And I can't execute runUnInstaller.sh either because of the same error messages in the logs/cli/error.log file. But runUninstaller.sh outputs to /var/sadm/install/logs/Uninstall-xxxxxxx.log.
    The logs/cli directory is where the idsync command outputs error.log and audit.log.
    Sorry.

  • Can we assign 2 IPs for a SCCM 2012 primary site server and use 1 IP for communicating with its 2 DPs and 2nd one for communicating with its upper hierarchy CAS which is in a different .Domain

    Hi,
    Can we assign 2 IPs to a SCCM 2012 primary site server and use 1 IP for communicating with its 2 DPs and the 2nd one for communicating with its upper hierarchy CAS?
    Scenario: We are building 1 SCCM 2012 primary site and 2 DPs in one domain. In future this will attach to a CAS server which is in a different domain. Can we assign 2 IPs to the primary site server, where one IP will be used to communicate with its 2 DPs and the second IP for communicating with the CAS server which is in a different domain?
    Details:
    1) Server: Windows 2012 R2 Std, VM environment
    2) SCCM: SCCM 2012 R2
    3) SQL: SQL 2012 Std
    Thanks
    Rajesh Vasudevan

    First, it's not possible. You cannot attach a primary site to an existing CAS.
    Primary sites in 2012 are *not* the same as primary sites in 2007, and a CAS in 2012 is completely different from a central primary site in 2007.
    CASes cannot manage clients. Also, primary sites are *not* used for delegation in 2012. As Torsten points out, multiple primary sites are used for scale-out (in terms of client count) only. Placing primary sites for different organizational units provides no functional differences but does add complexity, latency, and additional failure points.
    Thus, as the others have pointed out, your premise for doing this is completely incorrect. What are your actual business goals?
    As for the IP Addressing, that depends upon your networking infrastructure. There is no way to configure ConfigMgr to use different interfaces for different types of traffic. You could potentially manipulate the routing tables in Windows but that's asking for trouble IMO.
    Jason | http://blog.configmgrftw.com | @jasonsandys

  • ANT missing from 11.1.7 software to provision Identity Management for FA

    I am provisioning Identity Management for Fusion Applications version 11.1.7, and one of the steps to provision identity management using runIDMProvisioning.sh is to set ANT_HOME, but there is no ANT in the REPOSITORY (downloaded files). Is this part of any zip that I need to unzip?
    http://docs.oracle.com/cd/E36909_01/fusionapps.1111/e21032/prov_idm.htm#CHDDJFFJ

    Hello onlineAppsDBA.com:
    The focus of this forum and the team moderating it (the Developer Relations team) is on development issues, not install questions. That said, I'll try to find an answer for you. But you might also want to submit a service request with Oracle Support for this issue.
    Thanks,
    Oliver
    Fusion Apps Developer Relations (@fadevrel)
    http://blogs.oracle.com/fadevrel

  • Windows 2008 Web Server and Crystal Reports Runtime 10 compatibility

    We have migrated a website that was previously on a Windows 2003 server using IIS6 and Crystal Reports Runtime v10 on ASP.NET 2.0.
    After migrating the website and installing the Crystal Reports runtime, we are getting application errors related to Crystal Reports Runtime in the event viewer and the browser.
    For one, is Crystal Reports Runtime v10 compatible with Windows 2008 Server, IIS 7?

    No it is not. You're looking for about a 5 year forward compatibility. At this time, only CR 2008 (12.x) and Crystal Reports Basic for Visual Studio 2008 (10.5) are supported on WIN 2008. See this blog for more details: https://wiki.sdn.sap.com/wiki/pages/viewpage.action?pageId=56787567
    Ludek

  • WEB Server And Database Space requirements for deploying Web Application

    Hi,
    We need the Web Server and Database space requirements for deploying our Web Application on a cloud server. We want to know the technical requirements and feasibility laid down by the Microsoft team for deploying a web application.
    Regards,
    Sreenivasa M S

    Hi,
    Please refer to this link and check if it helps:
    http://blogs.technet.com/b/cbernier/archive/2013/09/24/deploy-your-web-application-to-windows-azure-from-with-visual-studio.aspx
    Regards,
    Azam Khan

  • What ideal Win Server and Hardware are recommended for 11g DBs

    What Win Server and hardware are recommended for 11g DBs?
    - Processor
    - Memory
    - Storage
    - Network
    - Etc...
    Following is the scenario:
    - The server will be for development and test DBs
    - More than one database will be installed, one for each project
    - A maximum of 4 databases will be accessed at any one time
    - The maximum size of each DB will be a couple of GB

    Which version of 11g? For 11gR2, see the requirements here: http://download.oracle.com/docs/cd/E11882_01/install.112/e16773/reqs.htm#i1011417
    Any server that exceeds these requirements will suffice. Obviously the more processors, the faster the processors, the more RAM, the more disk etc. etc., the better.
    HTH
    Srini

  • Can't uninstall Premier Pro.  I keep getting messages to quit the Adobe QT32 Server and the dynamiclink manager.  I have no idea how to do these tasks?

    Can't uninstall Premier Pro.  I keep getting messages to quit the Adobe QT32 Server and the dynamiclink manager.  I have no idea how to do these tasks?

    You can kill these 2 tasks by opening the Windows Task Manager (CTRL+ALT+SUPPR).
    Then find the processes named:
    Adobe QT32 Server
    Adobe Dynamic Link Manager
    Kill these 2 tasks (right click then END OF TASK).
    If you have many of these tasks, kill each one.
    Then uninstall Premiere. It should be OK.
    good luck
    noar

  • Microsoft Windows Services for UNIX 3.5  - unable to sqlplus

    Hi,
    I have installed Microsoft Windows Services for UNIX 3.5 on my PC running XP 2002 Service Pack 2.
    I am unable to run sqlplus:
    Error 6 initializing SQL*Plus
    Message file sp1<lang>.msb not found
    SP2-0750: You may need to set ORACLE_HOME to your Oracle software directory
    ORACLE_HOME=/dev/fs/D/oracle/product/10.2.0/db_1
    ORACLE_SID=orcl
    ORAHOME=/dev/fs/D/oracle/product/10.2.0/db_1
    ORASID=orcl
    LD_LIBRARY_PATH=/dev/fs/D/oracle/product/10.2.0/db_1/lib
    Thank you in advance!

    Hi,
    Thanks for your post.
    Did you refer to this article?
    Upgrading an Active Directory Domain from Windows Server 2003 to Windows Server 2008 or Windows Server 2008 R2
    http://blogs.msmvps.com/mweber/2010/02/10/upgrading-an-active-directory-domain-from-windows-server-2003-to-windows-server-2008-or-windows-server-2008-r2/
    Regards.
    Vivian Wang

  • Advantage and disadvantages of SAP IDM & Microsoft Identity management Tool

    Hi Folks,
    I am looking for some points on SAP IdM and the Microsoft tool for Identity Management. I am looking at the points mentioned below.
    1. Difference in features and price.
    2. Limitation
    3. Solution architecture for both
    Relevant answers will be rewarded.
    Regards,
    Akshay Shail

    Hi,
    I can add some points about SAP NW IdM. Regarding your question about the price: If you only connect SAP systems (it can handle all types of SAP ABAP and SAP Java systems) they don't charge you extra, because it's already in the NetWeaver license. Furthermore, if you use SAP Central User Administration: It isn't developed further and will be replaced by SAP NW IdM.
    The systems you mentioned can be connected; I think these are basics for every IdM solution. HR integration is possible with SAP IdM; I don't know about the other solution on this point.
    There are some whitepapers and presentations about SAP NW IdM: https://www.sdn.sap.com/irj/sdn/nw-identitymanagement?rid=/webcontent/uuid/f0b68fb1-d8af-2a10-2a8e-cc431c15bb39&anchor=section2
    Nevertheless, your questions about limitations and solution architecture probably need a PoC if you want to answer them in depth.
    Best regards,
    Nils

  • New server and/or CA certificate for connection from custom authentication

    We are running Access Manager version 72005Q4 in the Sun ONE Web Server 6.1SP5 B06/23/2005 container with java build 1.5.0_07-b03. I run a custom authentication module which checks sessions against our university single sign on system which is CAS (from Yale/Jasig). The checks are essentially https calls. All this has been working well for us for the last couple of years.
    I would like to migrate the certificate used on the university CAS system from a Verisign certificate to a wildcard certificate issued by the IPS CA in spain -- these are in most browsers but are not in the standard batch of cacerts CA's -- and are free for .edu domains.
    My other java based authentication plugins (Blackboard, custom apps etc) have worked fine once I import the certificate into the cacerts for the java container, but I'm missing something (obvious probably) about importing this certificate so that my amserver custom authentication module can connect to the CAS server once the CAS server is using the new certificate.
    Could anyone provide guidance on where I need to import this server certificate (or preferably the IPS CA) in order to allow the custom authentication module to work properly? I assume this same problem has been solved by people wishing to connect from the amserver to services with self signed certificates. For some reason I'm finding the debugging unexpectedly difficult, I'll outline some of those details below.
    Relevant things I've tried so far:
    Import both the server cert and the IPS CA into the cacerts of the java container identified in the web server server.xml /usr/jdk/entsys-j2se.
    Import the IPS CA into the web server cert8 style db via the web admin server.
    The debugging has surprised me a bit, as I'm not getting an error that is explicitly SSL related. It almost seems like the URLConnection object ends up using an HttpURLConnection rather than an HttpsURLConnection and never gives me a cert error, rather a connection refused since there is no non-SSL service running on CAS. The same code pointed at the server running the Verisign cert works as expected.
    Part of the stack:
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: java.net.ConnectException: Connection refused
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.socketConnect(Native Method)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.doConnect(PlainSocketImpl.java:333)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connectToAddress(PlainSocketImpl.java:195)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.PlainSocketImpl.connect(PlainSocketImpl.java:182)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:516)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at java.net.Socket.connect(Socket.java:466)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.NetworkClient.doConnect(NetworkClient.java:157)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:365)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.openServer(HttpClient.java:477)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.<init>(HttpClient.java:214)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:287)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.http.HttpClient.New(HttpClient.java:311)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:489)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.setNewClient(HttpURLConnection.java:477)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.writeRequests(HttpURLConnection.java:422)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:937)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.util.SecureURL.retrieve(Unknown Source)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.yale.its.tp.cas.client.ServiceTicketValidator.validate(Unknown Source)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at edu.fsu.ucs.authentication.providers.CASAMLoginModule.process(CASAMLoginModule.java:86)
    [28/Mar/2008:17:21:54] warning (25335): CORE3283: stderr: at com.sun.identity.authentication.spi.AMLoginModule.wrapProcess(AMLoginModule.java:729)
    The relevant bit of code from SecureURL.retrieve looks as follows:
    URL u = new URL(url);
    if (!u.getProtocol().equals("https"))
        throw new IOException("only 'https' URLs are valid for this method");
    URLConnection uc = u.openConnection();
    uc.setRequestProperty("Connection", "close");
    r = new BufferedReader(new InputStreamReader(uc.getInputStream()));
    String line;
    StringBuffer buf = new StringBuffer();
    while ((line = r.readLine()) != null)
        buf.append(line + "\n");
    return buf.toString();
    } finally { ...
    The fact that this same code in other authentication modules running outside the amserver (in other web containers as well, tomcat and resin for example) running java 1.5 works fine with the new CA, as well as with self signed certs that I've imported into the appropriate cacerts file leads me to believe that I'm either importing the certificate into the wrong store, or that there is some additional step needed for the amserver in the Sun Web container.
    Thank you very much for any insights and help,
    Ethan

    I thought since this has had a fair number of views I would give an update.
    I have been able to confirm that the custom authentication module is using the cert8 db defined in the AMConfig property com.iplanet.am.admin.cli.certdb.dir as documented. I do seem to have a problem using the certificate to make outgoing connections, even though the certificate verifies correctly for use as a server certificate. This is likely a question for a different forum, but just to show what I'm looking at:
    root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u V
    certutil: certificate is valid
    root@jbc1 providers#/usr/sfw/bin/certutil -V -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
    certutil: certificate is invalid: Certificate type not approved for application.
    root@jbc1 providers#/usr/sfw/bin/certutil -M -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -t uP,uP,uP
    root@jbc1 providers#/usr/sfw/bin/certutil -V -l -n "FSU Wildcard Certificate" -d /opt/SUNWwbsvr/alias -P https-jbc1.ucs.fsu.edu-jbc1- -u C
    FSU Wildcard Certificate : Certificate type not approved for application.
    So it could be that I don't understand how to use certutil to get the permissions I want, or it could be that using the same certificate for both server and client functions is not supported -- though you can see why this would be a common case with wildcard certificates.
    BTW for those interested, it did seem to be the case that when the certificate failure occurred, the attempt was then made by the URLConnection to bind to port 80 in cleartext even though the URL was clearly https. I'm sure this was just an attempt to help out with a malformed URL, but it seemed that the URLConnection implementation in the amserver would have swapped traffic over to cleartext if that port had been open on the server I was making the https connection to; that seems dangerous to me, I would not have wanted it to quietly work that way, exposing sensitive information to the network.
    This was why I was getting back a connection refused instead of a certificate exception. The URLConnection implementation used by the amserver is defined by the java.protocol.handler.pkgs=com.iplanet.services.comm argument passed to the JVM, and I imagine this is done because the amserver pre-dates the inclusion of the sun.net.www.protocol handlers, but I don't know; there may be reasons why the amserver wants its own handler. I only noticed that this is what was going on when I was casting the HttpsURLConnection objects to other types trying to diagnose the certificate problem. I would be interested in hearing if anyone knows of a reason not to use sun.net.www.protocol with the amserver.
    After switching to the sun.net.www.protocol handler I was able to get my certificate errors rather than the "Connection Refused", which is what led me to the above questions about certutil.
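    As an added illustration of the fail-closed behaviour Ethan describes wanting (this is not code from the post, from the CAS client library, or from Access Manager): a fetch routine that refuses to proceed unless the connection object really is an HttpsURLConnection, so that a substituted protocol handler or a redirect cannot move the exchange onto cleartext port 80, and that reports the TLS handshake failure itself instead of a misleading "Connection refused". The class name StrictHttpsFetch is hypothetical; everything else is the standard java.net / javax.net.ssl API.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.URL;
import java.net.URLConnection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

// Hypothetical helper (not part of any library on the page).
public final class StrictHttpsFetch {

    /**
     * Fetches a URL over TLS only. Fails closed: if the protocol handler hands back
     * something other than an HttpsURLConnection (as a custom handler registered via
     * java.protocol.handler.pkgs might), or if the server certificate is untrusted,
     * an IOException is thrown rather than letting traffic fall back to cleartext.
     */
    public static String retrieve(String url) throws IOException {
        URL u = new URL(url);
        if (!"https".equals(u.getProtocol())) {
            throw new IOException("only 'https' URLs are valid for this method");
        }
        URLConnection uc = u.openConnection();
        // The scheme alone proves nothing: check the concrete connection type.
        if (!(uc instanceof HttpsURLConnection)) {
            throw new IOException("expected HttpsURLConnection but handler returned "
                    + uc.getClass().getName() + "; refusing to continue");
        }
        HttpsURLConnection https = (HttpsURLConnection) uc;
        // Never follow a redirect automatically; a 3xx to http:// would downgrade us.
        https.setInstanceFollowRedirects(false);
        https.setRequestProperty("Connection", "close");

        BufferedReader r = null;
        try {
            r = new BufferedReader(new InputStreamReader(https.getInputStream(), "UTF-8"));
            int code = https.getResponseCode();
            if (code >= 300 && code < 400) {
                throw new IOException("refusing redirect (" + code + ") to "
                        + https.getHeaderField("Location"));
            }
            // Connected and handshake done: record which suite protected the exchange.
            String suite = https.getCipherSuite();
            StringBuilder buf = new StringBuilder();
            buf.append("# TLS cipher suite: ").append(suite).append('\n');
            String line;
            while ((line = r.readLine()) != null) {
                buf.append(line).append('\n');
            }
            return buf.toString();
        } catch (SSLHandshakeException e) {
            // Surface the real cause (untrusted CA, wrong trust flags on the cert)
            // instead of a generic transport error.
            throw new IOException("TLS handshake with " + u.getHost()
                    + " failed: " + e.getMessage(), e);
        } finally {
            if (r != null) {
                r.close();
            }
        }
    }

    public static void main(String[] args) throws IOException {
        String target = args.length > 0 ? args[0] : "https://example.com/";
        System.out.print(retrieve(target));
    }
}
```

    Run it once against a host whose CA is in the trust store and once against one whose CA is not: the second case now ends in a handshake error naming the host, never in a cleartext attempt on port 80.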
