Access Manager 6 2005Q1 naming service behind load balancer

Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP) for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
The load balancer VIP is set up in active/failover mode so all requests go to one server. We implemented it this way because our load balancers do not support SSL with cookies.
The data returned to the agent from a call to the naming service contains the host name of our AM hosts instead of the load balancer VIP. Subsequent calls from the agent to AM bypass the load balancer and go directly to one of the AM hosts.
We are looking to upgrade our load balancers to a version that supports cookies with SSL in order to take advantage of the second AM host.
How do we configure AM so the values returned by the naming service contain the load balancer VIP instead of the actual AM host names?

Bernhard,
We have upgraded our Web PA to version 2.1-09. One of your previous replies stated the com.iplanet.am.naming.ignoreNamingservice property was not available in the PA agent properties but only in the Java SDK. Indeed we do not see such a key in the new Web PA AMAgent.properties.
Can you please explain how to configure the AMAgent.properties and/or the Access Manager server (or properties) so that subsequent calls to the services (returned by the call to the naming service) get directed through the load balancer? Below are the settings in our AMAgent and AMConfig properties files
AMAgent.properties
com.sun.am.namingURL = https://lb-mydomain.com:443/amserver/namingservice
com.sun.am.policy.am.loginURL = https://lb-mydomain.com:443/amserver/UI/Login
AMConfig.properties
com.iplanet.am.server.protocol=https
com.iplanet.am.server.host=am.mydomain.com
com.iplanet.am.server.port=443
com.iplanet.am.console.protocol=https
com.iplanet.am.console.host=lb-mydomain.com
com.iplanet.am.console.port=443
com.iplanet.am.profile.host=lb-mydomain.com
com.iplanet.am.profile.port=443
com.iplanet.am.naming.url=https://lb-mydomain.com:443/amserver/namingservice
com.iplanet.am.notification.url=https://lb-mydomain.com:443/amserver/notificationservice
If we set com.iplanet.am.server.host=lb-mydomain.com we get an exception when trying to start the AM web container. I don't know if this may be part of our issue or not. Please comment.
Thanks,
Craig
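One way to audit the two files quoted above for exactly the condition Craig describes (a host-bearing property that names a real AM host rather than the VIP, so the agent bypasses the balancer): the following is an added example for this thread, not code from Sun Access Manager or the Policy Agent, and the sample properties are constructed from the values posted above. The exemption of com.iplanet.am.server.host reflects the thread's report that setting it to the VIP stops the web container; it is an assumption, not a product rule.

```python
"""Flag Access Manager / Policy Agent property values that bypass the load balancer.

Added example for this thread, not code from Sun Access Manager or the Policy Agent.
It parses Java-style .properties text and reports every host-bearing value whose
host is not the load balancer VIP name, which is the condition the thread describes:
an agent that holds a real AM host name talks to that host directly and the
failover VIP is never used.
"""
from urllib.parse import urlparse

LB_VIP = "lb-mydomain.com"  # VIP host name quoted in the thread

# Sample input constructed from the values quoted in the thread (the notification
# URL is written with a backslash continuation to exercise the parser).
AMCONFIG_SAMPLE = """\
# AMConfig.properties (excerpt)
com.iplanet.am.server.protocol=https
com.iplanet.am.server.host=am.mydomain.com
com.iplanet.am.server.port=443
com.iplanet.am.console.protocol=https
com.iplanet.am.console.host=lb-mydomain.com
com.iplanet.am.console.port=443
com.iplanet.am.profile.host=lb-mydomain.com
com.iplanet.am.profile.port=443
com.iplanet.am.naming.url=https://lb-mydomain.com:443/amserver/namingservice
com.iplanet.am.notification.url=https://lb-mydomain.com:443/amserver/\\
    notificationservice
"""

AMAGENT_SAMPLE = """\
com.sun.am.namingURL = https://lb-mydomain.com:443/amserver/namingservice
com.sun.am.policy.am.loginURL = https://lb-mydomain.com:443/amserver/UI/Login
"""

# Assumption taken from the thread: setting com.iplanet.am.server.host to the VIP
# stops the AM web container from starting, so that key is exempt by default.
DEFAULT_EXEMPT = frozenset({"com.iplanet.am.server.host"})


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' as the
    key/value separator, and trailing-backslash continuation lines (leading
    whitespace of the continued line is dropped, as Java does)."""
    props = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip() if pending is None else pending + raw.strip()
        pending = None
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        # The separator is the first '=' or ':' in the line; a URL's "https:" comes
        # after the '=' and is therefore left inside the value.
        seps = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not seps:
            props[line] = ""
            continue
        sep = min(seps)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def host_of(key, value):
    """Return the host a property names, or None when it carries none:
    keys ending in '.host' hold a bare host, keys ending in 'url' hold a URL."""
    k = key.lower()
    if k.endswith(".host"):
        host = value.split(":", 1)[0]           # tolerate an accidental host:port
    elif k.endswith("url"):
        host = urlparse(value).hostname or ""
    else:
        return None
    return host.lower().rstrip(".") or None


def find_lb_bypasses(text, vip=LB_VIP, exempt=DEFAULT_EXEMPT):
    """Return sorted (key, host) pairs whose host is not the load balancer VIP,
    i.e. configuration that would make the agent or server bypass the balancer."""
    vip = vip.lower().rstrip(".")
    bypasses = []
    for key, value in parse_properties(text).items():
        host = None if key in exempt else host_of(key, value)
        if host is not None and host != vip:
            bypasses.append((key, host))
    return sorted(bypasses)


if __name__ == "__main__":
    for name, text in (("AMConfig.properties", AMCONFIG_SAMPLE),
                       ("AMAgent.properties", AMAGENT_SAMPLE)):
        hits = find_lb_bypasses(text)
        print(f"{name}: {'OK, all hosts point at ' + LB_VIP if not hits else hits}")
    # With no exemptions the real server host shows up, as the thread observed.
    print("without exemptions:", find_lb_bypasses(AMCONFIG_SAMPLE, exempt=frozenset()))
```

The check only covers what the files declare; the thread's actual symptom is that the naming service response (not the files) carries the real host names, so the same comparison would have to be applied to the URLs the agent receives at runtime.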

Similar Messages

  • Distributed naming services for load balancing

    Can distributed naming services be used for load balancing?

  • Difference between Single Client Access Name (SCAN) & Grid Naming Service

    Hi ,
    What's the difference between Single Client Access Name (SCAN) & Grid Naming Service in 11g RAC R2?
    Regards,
    Stephen

    Hi Stephen,
    There is a very good document about it (http://www.oracle.com/technetwork/products/clustering/overview/scan-129069.pdf).
    Best regards,
    Gennady

  • Site behind load balancer - Key not valid for use in specified state

    Hi,
    I have created a sharepoint application page to access an active end point on ADFS and establish a fedauth session. All works well in single server. But when the page runs behind load balancer with 2 servers, it fails with key not valid for use in specified state exception. Stickiness is enabled on load balancer. Verified that.
    I had made few changes to config file in microsoft.identitymodel section to accommodate adfs custom login. This included removing securitytokenhandlers and issuertokenresolvers as well. Is this impacting the encryption/decryption in anyway?
    Any pointers would help.
    Reference point for my application page : http://blog.helloitsliam.com/Lists/Posts/Post.aspx?ID=76

    Hi,
    As I understand, you encountered the error “Key not valid for use in specified state” when ADFS custom login.
    In order to run in Windows Azure Web Sites a Web application which uses WIF for handling authentication, you must change the default cookie protection method (DPAPI, not available on Windows Azure Web Sites) to something that will work in a farmed environment and with the IIS' user profile load turned off.
    1. If you are using the Identity and Access Tools for VS2012, just go to the Configuration tab and check the box “Enable Web farm ready cookies”.
    2. If you want to do things by hand, add the following code snippet in your system.identitymodel/identityConfiguration element:
       <securityTokenHandlers>
         <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler,
                    System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
         <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler,
                       System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
       </securityTokenHandlers>
    There is a similar case:
    http://stackoverflow.com/questions/19323287/key-not-valid-for-use-in-specified-state-error-for-net-4-5-mvc-4-application
    Best regards,
    Sara Fan
    TechNet Community Support

  • Using IBM Tivoli Access Manager to Secure Tuxedo Services

    Wondering if anybody has any experience using 'IBM Tivoli Access Manager for e-business' to perform Tuxedo service authorization?
    Is there an out-of-the-box integrated solution available or does one have to basically build a security service that uses the Tivoli Access Manager APIs to determine if the user is authorized to invoke the service?
    Thanks,

    Hi,
    I followed the steps for establishing SSO using TAM for the OBIEE application.
    Below is the piece of code that I had inserted in the "instanceconfig.xml" to enable SSO:
    <Listener>
      <!-- other settings ... -->
    </Listener>
    <CredentialStore>
      <CredentialStorage type="file" path="<OracleBIData>/web/config/credentialstore.xml" passphrase="another"/>
    </CredentialStore>
    <!-- other settings ... -->
    <Auth>
      <SSO enabled="true">
        <ParamList>
          <!-- IMPERSONATE param is used to get the authenticated user's username and is required -->
          <Param name="IMPERSONATE" source="httpHeader" nameInSource="iv-user"/>
        </ParamList>
        <!-- Optional. Replace the URLs with actual logoff/logon URL -->
        <LogonUrl>http://pkmslogin</LogonUrl>
        <LogoffUrl>http://pkmslogout</LogoffUrl>
      </SSO>
    </Auth>
    My credential store file looks like the one below:
    <sawcs:credential type="usernamePassword" alias="impersonation">
      <sawcs:username>USER</sawcs:username>
      <sawcs:password>password</sawcs:password>
    </sawcs:credential>
    In the above code I am trying to get the user ID of a user, who has already been authenticated by the Windows desktop authentication mechanism, through the header of the application's URL.
    But when I try creating a junction using TAM and access the application through the junction, I still get the logon page of the OBIEE application...
    Can anyone help me out with this issue..
    Thanks in advance...

  • WebAS access via Portal: Web Dispatcher required for load balancing ABAP

    Hi Folks -
    We have EP 6.0 SP18 (Java only, WebAS 6.40, Unix/Solaris).  The portal has a CI/SCS and one DI so we have a Web Dispatcher to load balance the portal servers. This works fine (and provides port 80 access).
    This portal will provide access to HTTP services from an ABAP WebAS (6.20 with 6.40 kernel, Unix/Solaris). A landscape configuration entry has been added to the portal for this ABAP system. The ABAP system has a CI and multiple app servers, all capable of handling HTTP requests.  This will also require port 80 access.
    1. Will we need an additional Web Dispatcher to load balance HTTP requests to the 'backend' ABAP WebAS system, or will the portal be smart enough to handle the load balancing itself (perhaps based on the information in the landscape configuration)?
    2. If the portal itself handles the HTTP load balancing can you point me to documentation (so I can make sure I have proper configuration)? 
    3. Are there any changes to this with NW2004s Portal (we plan to upgrade soon)?
    Thanks in advance!  Jeff

    Jeff,
    Regarding:
    Q1. If you create a system object from the "SAP system with load balancing" template in portal and configure the object to point to your CI (msg server), the LB should be handled.
    Q2. Portal load balancing is handled by the message server.  If you point a test URL to the port of your message server, you will notice that you are issued a redirect to the URL of your dialog instance.  The web dispatcher is just a proxy (with some intelligence).  When a request is made to the WD, it makes a connection to the MSG server, the list of active instances is queried, a redirect is made to that instance.  If you use WD, that connection can be proxied behind a standard URL.   If you connect directly to the MSG Server instead, you will notice your URL change, just as it does on the service marketplace.
    WDs are good for providing services, masked (proxied) behind virtual names.  If you do not want the customer to see a physical URL of the server, use the WD.  There are lots of other solutions that can do this too though such as Apache, ISA, Juniper devices, Cisco LDs.  WDs have a very low performance threshold though, especially if you use SSL. WD is a performance bottleneck and should be benchmarked to see if it is right for your application.
    Q3. No changes to this architecture in 04s.
    jwise

  • ISE behind load balancer

    I have a question regarding ISE profiling servers that are placed behind a load balancer:
    If you have an ISE environment where both computers and users are being authenticated, and Machine Access Restriction (MAR) is enabled (so users can only authenticate on a previously authenticated machine), are the ISE servers aware of all successful computer authentications handled by the other ISE servers?
    For example:
    There are 2 ISE appliances (ISE01 and ISE02) behind a load balancer.
    A user starts up his computer, and computer authentication is handled by ISE01 (and the authentication is successful). At the moment the user logs in on that computer, the load balancer chooses ISE02 to authenticate the user.
    Will ISE02 be aware that the corresponding computer was already successfully authenticated on ISE01, so that the user is able to log in? Or will it deny the user authentication because it thinks the computer is not (yet) authenticated and Machine Access Restrictions is enabled?
    Kind regards,
    Bert

    >> they are independent servers that just replicate their configuration.
    So a user should authenticate always with the same ISE.
    Moreover a load balancer kills profiling since profiling requires you to span some traffic to an ISE <<
    Not entirely correct.  Policy Service nodes are most certainly supported behind a load balancer which is the intention of a node group. This is often the preferred method for high availability and scaling.  In addition to supporting load distribution of RADIUS and other requests, members of a node group maintain a heartbeat to determine if a peer member should fail.  If so, the Monitoring node is queried to determine if there are any transient sessions which may require clean-up via RADIUS COA to help ensure that an endpoint is left in a defunct auth state.  LB functionality will depend on load balancer used.  Cisco ACE for example supports stickiness of RADIUS transactions based on source IP, Calling-Station-ID, or Framed-IP-Address.
    The impact of LB on profiling or other Policy Service node functions depends on the service/probe in question.  For services like client provisioning, posture, and central web auth, https redirection always occurs back to the node which terminated the RADIUS session, so LB is transparent provided direct access is permitted to the real IP for redirected https transactions (RADIUS transactions would be sent to virtual IP).
    Specific to profiling, SNMP Queries can be triggered and will be sent by Policy Service node that received the RADIUS Accounting Start packet (assumes RADIUS probe enabled) or SNMP Trap (assumes SNMP Trap probe enabled).  SPAN is only one data collection method used primarily for HTTP or DHCP capture.  Methods other than SPAN/RSPAN are available to capture this data, but if used, then it is correct that there is no specific mechanism to move SPANs from one interface to another in case of NIC or node failure.  I believe intelligent taps are available that can accomplish this, or else traffic can be mirrored to multiple nodes at the cost of duplicating profile data.
    As noted, replication of MAR cache will be added to ACS 5.4, and no, this feature is not altogether trivial due to the number of transactions and updates that must be replicated and kept in sync across each node performing RADIUS services.
    /CH

  • IPsec on hosts behind load balancing NAT

    Hi,
    I have a problem configuring an IPsec tunnel between two sites, one of which is using NAT for load balancing of TCP traffic. I've been working on this for hours but I found myself in a dead end.
    I have one router using NAT TCP load balancing of telnet traffic (in the real deployment I need FTP load balancing; I am using telnet for testing purposes). This router is connected to another router, where multiple hosts are connected. I need to protect the traffic from those hosts to the server that is load balanced using NAT.
    So far I was not able to configure IPsec to work properly with this setup. I have a working configuration with IPsec encrypting some traffic not destined behind NAT, but once I add a line specifying that traffic to the access lists on both sides, IPsec stops working (and it won't work from either side of the connection, from behind the NAT or destined behind the NAT). The access list on the router performing NAT is configured to allow any traffic destined to some specific addresses, and the access list on the router with connected hosts specifies that any connection destined to the global address, where the servers are reachable, should be encrypted.
    On the side where the traffic comes from I always see debug output like this:
    *Mar  1 05:23:54.294: IPSEC(sa_request): ,
      (key eng. msg.) OUTBOUND local= 10.0.10.2, remote= 10.0.10.1,
        local_proxy= 10.0.2.1/255.255.255.255/6/0 (type=1),
        remote_proxy= 195.10.0.1/255.255.255.255/6/23 (type=1),
        protocol= ESP, transform= esp-des esp-sha-hmac  (Tunnel),
        lifedur= 3600s and 4608000kb,
        spi= 0xA42ED8F1(2754533617), conn_id= 0, keysize= 0, flags= 0x400A
    195.10.0.1 is my global address for the FTP server
    On the side where the encryption should be terminated I always see output like this:
    *Mar  1 05:23:54.130: map_db_find_best did not find matching map
    *Mar  1 05:23:54.130: IPSEC(validate_transform_proposal): no IPSEC cryptomap exists for local address 10.0.10.1
    But i can see that there is a crypto map for address 10.0.10.1
    RA#sh cryp map
    Crypto Map: "TCP_ENCRYPTION" idb: Serial0/0 local address: 10.0.10.1
    I tried to use some of the NAT traversal techniques for IPSec but without any success.
    If you have any idea what could be the problem or if you need any additional information or debugging output i will be glad for any help.
    Thanks, Adrian

    This is a lab scenario and I want to test, for my learning, how IPsec would work in such a case.
    I have tried it but IPsec doesn't work with the standard configuration. Below is the configuration.
    I have configured 2 loopbacks. On R1: 100.1.1.1
    On R2: 200.1.1.1
    R1:
    crypto isakmp policy 10
     auth pre
     enc des
     hash md5
     group 2
    crypto isakmp key 0 cisco address 10.1.1.1 (R2's IP)
    crypto ipsec transform-set test esp-des esp-md5-hmac
     mode tunnel
    access-list 101 permit ip host 100.1.1.1 host 200.1.1.1
    crypto map test 10 ipsec-isakmp
     mat address 101
     set peer 10.1.1.1
     set transform-set test
    ip route 0.0.0.0 0.0.0.0 10.1.0.2
    R2:
    crypto isakmp policy 10
     auth pre
     enc des
     hash md5
     group 2
    crypto isakmp key 0 cisco address 10.1.3.1 (R2's IP)
    crypto ipsec transform-set test esp-des esp-md5-hmac
     mode tunnel
    access-list 101 permit ip host 200.1.1.1 host 100.1.1.1
    crypto map test 10 ipsec-isakmp
     mat address 101
     set peer 10.1.3.1 (it will be 10.1.3.1-natted ip right ?)
     set transform-set test
    ip route 0.0.0.0 0.0.0.0 10.1.1.2
    Now when I ping from R1:
    ping 200.1.1.1 source 100.1.1.1
    it's not successful. Why doesn't it work, any idea?

  • Service Request - Load balancing weight & TM labour schedule

    What is Load balancing weight? How does it work? (I think it must be w.r.t. selecting resources for assigning the task, but how does it work? I am not getting the help menu on this.)
    How is the T&M labour schedule managed?
    Regards

    Hi,
    1. I had some time and set up your config. Load balancing seems to work fine for me. I tried to work with 4 different clients.
    What I did to set it up:
    # Failover RG for shared address
    scrgadm -a -g proftp-srg -h mars,saturn
    scrgadm -a -S -j hafast_r -g proftp-srg -l hafast
    # Scalable RG for proftpd
    scrgadm -a -g proftp-rg -y Maximum_primaries=2 -y Desired_primaries=2 -h mars,saturn -y RG_dependencies=proftp-srg
    scrgadm -a -j proftp_r -g proftp-rg -t SUNW.gds -y Network_resources_used=hafast_r -y Port_list=4443/tcp -x Start_command=/usr/local/sbin/proftpd -x Probe_command=/bin/true -y Scalable=true -y Load_balancing_policy=Lb_sticky_wild
    I assume that the key is the Lb_sticky_wild setting. As proftp forks new processes for every connection and even does reconnects during operation with new ports, this seems to be essential. Please try.
    2. It was not considered an excellent idea to configure ftp as a scalable service. The reason is that you now have network traffic load balanced. The question is: how do you configure shared storage? Do you have one (1) underlying global filesystem? That could be a bottleneck. Check it out.
    Regards
    Hartmut
    PS: BTW I used proftp 1.3.0
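To make the point about Lb_sticky_wild concrete, the following is an added simulation for Hartmut's reply; it is not Sun Cluster code. It encodes the documented meaning of the three Load_balancing_policy values (Lb_weighted distributes every connection independently, Lb_sticky pins a client IP to a node per service port, Lb_sticky_wild pins a client IP to a node for all ports) and shows why a passive-mode FTP session, whose data connection arrives on a freshly negotiated port, only stays on one node under Lb_sticky_wild. Node names and the 4443/tcp port come from the scrgadm commands above; the client addresses and data port are constructed, and equal node weights are modelled as round-robin.

```python
"""Model of Sun Cluster scalable-service load-balancing policies applied to FTP.

Added example for Hartmut's reply; this is a simulation, not Sun Cluster code.
It models the documented meaning of the three Load_balancing_policy values
(Lb_weighted: each connection distributed independently; Lb_sticky: a client IP
is pinned to one node per service port; Lb_sticky_wild: a client IP is pinned to
one node for every port) and shows why passive-mode FTP, whose data connections
arrive on freshly negotiated ports, only survives with Lb_sticky_wild.
"""
from itertools import cycle

NODES = ("mars", "saturn")   # node names used in the scrgadm commands in the reply
CONTROL_PORT = 4443          # Port_list=4443/tcp from the reply
POLICIES = ("Lb_weighted", "Lb_sticky", "Lb_sticky_wild")


class ScalableService:
    """Routes incoming TCP connections to cluster nodes under one policy.
    Equal node weights are modelled as round-robin over the node list."""

    def __init__(self, policy, nodes=NODES):
        if policy not in POLICIES:
            raise ValueError(f"unknown Load_balancing_policy: {policy}")
        self.policy = policy
        self.nodes = tuple(nodes)
        self._next = cycle(self.nodes)
        self._affinity = {}   # affinity key -> node, for the sticky policies

    def route(self, client_ip, dst_port):
        """Return the node that receives a connection from client_ip to dst_port."""
        if self.policy == "Lb_weighted":
            return next(self._next)
        # Lb_sticky keys on (client, port): a new port is a new, unrelated flow.
        # Lb_sticky_wild keys on the client alone, so every port follows the first.
        key = (client_ip, dst_port) if self.policy == "Lb_sticky" else client_ip
        if key not in self._affinity:
            self._affinity[key] = next(self._next)
        return self._affinity[key]


def passive_ftp_session(service, client_ip, data_port):
    """Model one passive-mode FTP session: the control connection to the service
    port, then the data connection to the port the server (a forked proftpd child
    on the node holding the session) told the client to use. Returns
    (control_node, data_node, ok) where ok means both landed on the same node."""
    control_node = service.route(client_ip, CONTROL_PORT)
    data_node = service.route(client_ip, data_port)
    return control_node, data_node, control_node == data_node


def policy_outcomes(client_ip="192.0.2.10", data_port=50021):
    """Run the same passive FTP session under each policy on a fresh service
    (constructed client address and data port)."""
    return {p: passive_ftp_session(ScalableService(p), client_ip, data_port)[2]
            for p in POLICIES}


def sticky_wild_spreads_clients(clients=("192.0.2.10", "192.0.2.11")):
    """Lb_sticky_wild still balances: different clients land on different nodes."""
    svc = ScalableService("Lb_sticky_wild")
    return {ip: svc.route(ip, CONTROL_PORT) for ip in clients}


if __name__ == "__main__":
    for policy, ok in policy_outcomes().items():
        print(f"{policy:16} passive FTP session intact: {ok}")
    print("client placement under Lb_sticky_wild:", sticky_wild_spreads_clients())
```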

  • ISE node group behind load balancer

    I'm trying to gather info on distributed deployment w/ multiple PSN nodes.
    Having read through some documents, it looks like you can put multiple PSNs in a node group, and then place the node group behind a load balancer.
    Q1:
    Node group config requires multicast.
    Cisco ACE LB doesn't support multicast, except in bridge mode.
    How do people support distributed deployment in node group behind Cisco ACE?
    Q2:
    User guide says: "We recommend that you have two, three, or a maximum of four nodes in a node group."
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_dis_deploy.html#wp1134272
    What if we need more than 4 PSN nodes to support our network & user base?
    Q3:
    Has anyone been able to implement distributed deployment between two datacenters behind GSS?
    If GSS isn't possible, we'll be happy to just have it in working state behind ACE LB.
    thx!

    I have had close to zero experience with LBs so my answers will be limited:
    Q1: I don't think the multicast plays any role with the LB. The multicast address is needed for the ISE nodes for replication
    Q2: You will have to create a new node group with a new multicast address
    Q3: No help here
    Couple of other things to remember:
    1. The nodes must be layer 2 adjacent
    2. You must use routed mode...no NAT/SNAT. Each node must be reachable directly from the end clients
    3. You must perform sticky
    4. The Load balancers must be listed as NADs in ISE
    Hope this provides some help to you.
    Thank you for rating!

  • Livecycle Connector to Sharepoint behind load balancer

    In the environment of our customer, there is a load balancer in front of 2 sharepoint servers.
    Then the PDF document is uploaded from the Livecycle server to sharepoint (via the load balancer).
    However, occasionally it will fail to place the PDF to the folder specified, and placed on the outermost folder in sharepoint. 
    May we have any hint to fix the problem?
    Thanks.
    Raymond

    Trevor,
    I'm sorry to say that extending the Default zone to, say, Internet, did not change the behavior... even with the introduction of host header information.  Could it be something to do with my use of ports?  I am very new to SharePoint. Should I be extending the applications (I have many on the same server) and use host header information in place of using any explicit port information when creating these extended zones?
    Tommy S. Armstrong II

  • Task List Access Manager Role in Shared Services

    Hi
    The documentation says this role "Assigns task lists and tasks to other users". I have assigned this role to a group (in Shared Services), I have given that group Manage and Assign access to the Task List (in Planning), and have even done a security Refresh.
    Yet, when I go in as a user who is in that group, I do not see the Assign Access button in Manage Task Lists.
    Is this a bug or have I missed a step?
    We are on 11.1.2.1
    Thanks!

    Hi,
    Have you tried generating a provisioning report in Shared Services, have a read of :- http://download.oracle.com/docs/cd/E10530_01/doc/epm.931/html_cas_help/provrep.htm
    If that doesn't suit your requirements then you could always have a look at using CSSImportExportUtility to export provisioning to a csv file. The utility is located in hyperion\common\utilities and has a pdf on instructions how to use it.
    Cheers
    John
    http://john-goodwin.blogspot.com/

  • Distributed services with load balancing and failover?

    Hullo;
    What platform would you use to implement something like the following:
    * easy registration of various services
    * delegation of a service request to the best candidate of many, based on some measure (probably reported by the services themselves)
    * quick failover and location of an alternate service in case the best candidate does not respond (real-life environment, uncertain networks and servers;)
    RMI could be a starting point, with a custom SocketFactory to take care of the timeouts and redelegations and a good delegator service to work through. The service concept sounds a lot like JINI, but I don't see any provision for best candidate selection, and wonder whether JINI would really save any time compared to RMI in this case.
    Is there anything else I should be aware of? I wouldn't mind finding a pre-built wheel. (Cougaar (http://www.cougaar.org/) is on my reading list; a quick glance gives me the impression it may be a bit too heavy on the communication level, but maybe I'm wrong.)
    Thanks for your thoughts;
    //ata

    ata,
    Before jumping to anything so bloated and limited as cougaar, take time to consider what you really need. Before grabbing at the fanciest Java features like RMI, JINI, and custom SocketFactories; focus on what you are trying to accomplish.
    There are plenty of great answers right here, at this forum.
    Good hunting,
    John

  • Load Balancing Directory Servers with Access Manager - Simple questions

    Hi.
    We are in the process of configuring 2 Access Manager instances (servers) accessing the same logical LDAP repository (physically comprising two Directory Servers working together with Multi-Master Replication configured and tested). For doing this, we are following guide number 819-6258.
    The guide uses BigIP load balancer for load balancing the directory servers. However, we intend to use Directory Proxy Server. Since we faced some (unresolved) issues last time that we used DPS, there are some simple questions that I would be very grateful to have answers to:
    1. The guide, in section 3.2.10 (To configure Access Manager 1 with the Directory Server load balancer), talks about making changes at 4 places, and replacing the existing entry (hostname and port) with the load balancer's hostname and port (assuming that the load balancer has already been configured). It says that changes need not be made on Access Manager 2 since the LDAPs are in replication, and hence changes will be replicated at all places. However, the guide also states that changes have to be made in two files, namely AMConfig.properties, and the serverconfig.xml file. But these changes will not be reflected on Access Manager 2, since these files are local on each machine.
    Question 1. Do changes have to be made in AMConfig.properties and serverconfig.xml files on the other machine hosting Access Manager 2?
    Question 2: What is the purpose of putting these values here? Specifically, what is achieved by specifying the Directory server host and port in AMConfig.properties, as well as in serverconfig.xml?
    Question 3. In the HTTP console, there is the option of specifying multiple primary LDAP servers, as well as multiple secondary LDAP servers. What is the purpose of these? Are secondary servers attempted when none of the list in the primary list are accessible? Also, if there are multiple entries in the primary server list, are they accessed in a round robin fashion (hereby providing rudimentary load balancing), or are other servers accessed only when the one mentioned first is not reachable etc.?
    2. Since I do not have a load balancer setup yet, I tried the following deviation to the above, which, according to me, should have worked. If viewed in the HTTP console, LDAP / Membership / MSISDN and Policy configuration all pointed to the DS on host 1. When I changed all these to point to the directory server on host 2 (and made AMConfig.properties and serverconfig.xml on host 1 point to DS of host 2 as well), things should have worked fine, but apparently Access manager 1 could not be started. Error from Webserver:
    [14/Aug/2006:04:30:36] info (13937): WEB0100: Loading web module in virtual server [https-machine_1_FQDN] at [search]
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Exception in thread "EventService" java.lang.ExceptionInInitializerError
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.iplanet.services.ldap.event.EventServicePolling.run(EventServicePolling.java:132)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at java.lang.Thread.run(Thread.java:595)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Caused by: java.lang.InterruptedException
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.sun.identity.sm.ServiceManager.<clinit>(ServiceManager.java:74)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: ... 2 more
    In effect, AM on 1 did not start. On rolling back the changes, things again worked like previously.
    Will be really grateful for any help / insight / experience on dealing with the above.
    Thanks!

    Update to the above, in case anyone is reading:
    We setup a similar setup in Windows, and it worked. Here is a detailed account of what was done:
    1. Host 1: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
    All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST1:389)
    2. Host 2: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
    All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST2:389)
    3. Host 1: Started replication. Set to Master
    4. Host 2: Started replication. Set to Master
    5. Host 1: Setup replication agreement to Host 2
    6. Host 2: Setup replication agreement to Host 1
    7. Initiated the remote replica from Host 1 ----> Host 2
    Note that since default installation uses abc.....xyz as the encryption key, setting this to same was not an issue.
    9. Started webserver for Host 1 and logged into AM as amadmin.
    10. Added Host 2 FQDN in DNS Aliases / Realms
    11. Added http://HOST2_FQDN:80 in the Platform server (instance) list.
    12. Started Host 2 webserver. Logged in AM on Host 2, things worked fine.
    At this stage, note the following:
    a) Host 1:
    AMConfig.properties file has
    com.iplanet.am.directory.host=host1_FQDN
    and
    com.iplanet.am.directory.port=389
    serverconfig.xml has:
    <Server name="Server1" host="host1_FQDN" port="389" type="SIMPLE" />
    b) Host 2:
    AMConfig.properties file has
    com.iplanet.am.directory.host=host2_FQDN
    and
    com.iplanet.am.directory.port=389
    serverconfig.xml has:
    <Server name="Server1" host="host2_FQDN" port="389" type="SIMPLE" />
    c) If one logs into AM, and checks LDAP servers for LDAP / Policy Configuration / Membership etc services, they all contain Host2_FQDN:389 (which makes sense, since replica 2 was initialized from 1)
    Returning to the configurations:
    13. On Host 1, login into the Admin server console of the Directory server. Navigate to the DPS, and configure the following:
    a) Network Group
    b) LDAP servers
    c) Load Balancing
    d) Change Group
    e) Action on-bind
    f) Allow all actions (permit modification / deletion etc.).
    g) any other configurations required - Am willing to give detailed steps if someone needs them to help me / themselves! :)
    So now, we have DPS configured and running on Host1:489, and distributing load to DS1 and DS2 on a 50:50 basis.
    14. Now, log into AM on Host 1, and instead of Host1_fqdn:389 (for DS) in the following places, specify Host1_fqdn:489 (for the DPS)--
    LDAP Authentication
    MSISDN server
    Membership Service
    Policy configuration.
    Verified that this propagated to the Policy Configuration service and the LDAP authentication service that are already registered with the default organization.
    15. Log out of AM. Following the documentation, modify directory.host and directory.port in AMConfig.properties to point to Host 1_FQDN and 489 respectively. Make this change in AMConfig.properties of both Host 1 as well as 2.
    16. Edit serverconfig.xml on both hosts, and instead of them pointing to their local directory servers, point both to host1_FQDN:489
    17. When you start the webserver, it will refuse to start. Will spew errors such as:
    [https-host1_FQDN]: Sun ONE Web Server 6.1SP5 B06/23/2005 17:36
    [https-host1_FQDN]: info: CORE3016: daemon is running as super-user
    [https-host1_FQDN]: info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_04] from [Sun Microsystems Inc.]
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amserver]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [ampassword]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amcommon]
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amconsole]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [search]
    [https-host1_FQDN]: warning: CORE3283: stderr: netscape.ldap.LDAPException: error result (32); matchedDN = dc=sun,dc=com; No such object (DN changed)
    [https-host1_FQDN]: warning: CORE3283: stderr: Got LDAPServiceException code=-1
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getConnection(DSConfigMgr.java:357)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewFailoverConnection(DSConfigMgr.java:314)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewConnection(DSConfigMgr.java:253)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:184)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:194)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.initLdapPool(DataLayer.java:1248)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.(DataLayer.java:190)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:215)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:246)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.initialize(SMSLdapObject.java:156)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.(SMSLdapObject.java:124)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance0(Class.java:350)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance(Class.java:303)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.SMSEntry.(SMSEntry.java:216)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ServiceSchemaManager.(ServiceSchemaManager.java:67)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.getServiceSchemaManager(AMClientDetector.java:219)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.(AMClientDetector.java:94)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.mobile.filter.AMLController.init(AMLController.java:85)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:322)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:120)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3271)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3747)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]: failure: WebModule[amserver]: WEB2783: Servlet /amserver threw load() exception
    [https-host1_FQDN]: javax.servlet.ServletException: WEB2778: Servlet.init() for servlet LoginLogoutMapping threw exception
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:949)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]: ----- Root Cause -----
    [https-host1_FQDN]: java.lang.NullPointerException
    [https-host1_FQDN]: at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]:
    [https-host1_FQDN]: info: HTTP3072: [LS ls1] http://host1_FQDN:58080 [i]ready to accept requests
    [https-host1_FQDN]: startup: server started successfully
    Success!
    The server https-host1_FQDN has started up.
    The server in fact didn't start up (nothing even listening on 58080).
    However, if AMConfig.properties is left as it originally was, and only serverconfig.xml files were changed as mentioned above, web servers started fine, and things worked all okay. (Alright, except for some glitches when viewed in /amconsole. If /amserver/console is accessed, all is good. Can this mean that all is still not well? I am not sure).
    So far so good. Now comes the sad part. When the same is done on Solaris 9, things don't work. You continue to get the above error, OR the following error, and the web server will refuse to start:
    Differences in Solaris and Windows are as follows:
    1. Windows hosts have 1 IP and hostname. Solaris hosts have 3 IPs and hostnames (for DS, DPS, and webserver).
    No other difference from an architectural perspective.
    Any help / insight on why the above is not working (and why the hell does the documentation seem so sketchy / insecure / incorrect).
    Thanks a bunch!
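Two things in the post above are worth checking mechanically: that AMConfig.properties and serverconfig.xml really name the same directory endpoint after steps 15 and 16, and that a "server started successfully" line is not trusted when the same log carries the LDAP error 32 / WEB2783 load() failure quoted in step 17. The script below is an added example, not code from the forum post or from Sun; the `com.iplanet.am.directory.*` key prefix and the `ServerGroup`/`Server` layout of serverconfig.xml are assumptions, and all inputs are constructed samples modelled on the lines quoted above.

```python
"""Sanity checks for the AM-behind-DPS configuration described above.

Added example, not from the forum post: checks that AMConfig.properties and
serverconfig.xml name the same directory endpoint, and scans the web server
error log for the startup failures quoted in the post, so a "server started
successfully" line is not trusted on its own.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample AMConfig.properties fragment. The key prefix
# com.iplanet.am.directory.* is assumed; matching is done on the suffix.
AMCONFIG_SAMPLE = """\
com.iplanet.am.directory.host=host1.example.com
com.iplanet.am.directory.port=489
"""

# Constructed serverconfig.xml fragment. The ServerGroup/Server layout is
# what this script assumes; compare it with your own file before relying on it.
SERVERCONFIG_SAMPLE = """\
<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="host1.example.com" port="389" type="SIMPLE"/>
  </ServerGroup>
</iPlanetDataAccessLayer>
"""

# Constructed log excerpt, modelled on the lines quoted in the post.
LOG_SAMPLE = """\
[https-host1]: warning: CORE3283: stderr: netscape.ldap.LDAPException: error result (32); matchedDN = dc=sun,dc=com; No such object (DN changed)
[https-host1]: failure: WebModule[amserver]: WEB2783: Servlet /amserver threw load() exception
[https-host1]: java.lang.NullPointerException
[https-host1]: startup: server started successfully
"""


def directory_endpoint_from_properties(text):
    """Return (host, port) from the *.directory.host / *.directory.port keys."""
    host = port = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.endswith("directory.host"):
            host = value
        elif key.endswith("directory.port"):
            port = int(value)
    return host, port


def directory_endpoints_from_serverconfig(text):
    """Return every (host, port) listed as a Server element in serverconfig.xml."""
    root = ET.fromstring(text)
    return [(s.get("host"), int(s.get("port"))) for s in root.iter("Server")]


def config_mismatches(properties_text, serverconfig_text):
    """List serverconfig.xml entries that disagree with AMConfig.properties."""
    expected = directory_endpoint_from_properties(properties_text)
    return [ep for ep in directory_endpoints_from_serverconfig(serverconfig_text)
            if ep != expected]


# Indicators that, in the post's log, precede the "started successfully"
# line even though nothing was listening on the HTTP port afterwards.
FAILURE_PATTERNS = [
    re.compile(r"LDAPException: error result \((\d+)\)"),
    re.compile(r"WEB2783: Servlet (\S+) threw load\(\) exception"),
    re.compile(r"java\.lang\.NullPointerException"),
]


def startup_failures(log_text):
    """Return the failure indicators found in a startup log excerpt."""
    found = []
    for line in log_text.splitlines():
        for pat in FAILURE_PATTERNS:
            m = pat.search(line)
            if m:
                found.append(m.group(0))
    return found


def startup_is_trustworthy(log_text):
    """False when the log claims success but also carries a load() failure."""
    claims_success = "server started successfully" in log_text
    return claims_success and not startup_failures(log_text)


if __name__ == "__main__":
    print("config mismatches:", config_mismatches(AMCONFIG_SAMPLE, SERVERCONFIG_SAMPLE))
    print("failure indicators:", startup_failures(LOG_SAMPLE))
    print("trust startup message:", startup_is_trustworthy(LOG_SAMPLE))
```

On the constructed input the mismatch check reports the serverconfig.xml entry still pointing at port 389 while AMConfig.properties says 489, which is exactly the half-applied state between steps 15 and 16; the log check reports three failure indicators and refuses to trust the final "started successfully" line. Pointing both checks at the real files and the real error log replaces the "nothing listening on 58080" surprise with a definite answer before the web server is restarted.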

  • Load balancing of Access Manager

    Hi,
    I'm using 2005Q1 Messaging, Access Manager and Delegated Admin. Everything is working fine. Now I need to add another Access Manager on a separate machine for load balancing. Please let me know:
    - How can I add new Access Manager which will use same LDAP which first Access Manager using ?
    - Can we use DNS for Load Balancing (Admin guide only described hardware load balancer and resonate)
    Thanks in advance,
    Rehan

    Please try this way, it works fine.
    http://developers.sun.com/prodtech/identserver/reference/techart/load-balancing.html
