Access Manager Authentication

Hi every1,
im using JES 2005Q4 on solaris 10 box.
i have created a web application which i deployed using the application server. i successfully secured few pages in my application using <security-constraints>. i used filerealm on the application server to authenticate.
how can i use access manager authentication in my application?
Im a newbee so plz help me out here.
Thanks in adv.
Mike

Is your AM log level set to message? If not, set to message and retest. You should get output in your debug logs.
On the agent side, set your logging to all:5

Similar Messages

Sun Access Manager - Authentication Error

Hello everyone,
I'm trying to configure Sun Access Manager 7.0 with sun web server 6.1 and directory server 5.2 on windows xp.
I'm getting the following error when I try to login with uid=amAdmin
"Permission to perform the read operation denied to uid=amAdmin,ou=People,dc=example,dc=com"
I do not see any errors from the debug files. Could anyone help me in fixing this problem.
Thanks in advance,
-krishna

Is your AM log level set to message? If not, set to message and retest. You should get output in your debug logs.
On the agent side, set your logging to all:5

Error Login Access Manager

Hi all.
In login of Access manager authentication failure
in path /var/opt/SUNWam/debug/amAuthLDAP
show:
LDAP initialize()
11/23/2012 06:27:27:175 PM CLST: Thread[service-j2ee,5,main]
No primary server for confing LDAP
11/23/2012 06:27:27:175 PM CLST: Thread[service-j2ee,5,main]
LDAP initialize()
11/23/2012 06:27:27:175 PM CLST: Thread[service-j2ee,5,main]
No secondary server for confing LDAP
11/23/2012 06:30:58:463 PM CLST: Thread[Thread-48,5,main]
Checking for server null:0:null
help!

hey Rodrigo,
1) Looks like your 'Identity Server' on OAM configuration is down or it is not communicating with OAM Access Server.
1.1) Check communication between OAM Server and LDAP doing: 1.1.1-Telnet against LDAP Port . 1.1.2- LDAPBind from Access Server to Identity Sever(LDAP).
I hope this helps,
Thiago Leoncio.

Oracle Access manager 10.1.4 (coreid) multiple authentication for same URL

I am evaluating oracle access manager hence new to this product.
I have a requirement where i have a /wps URL.
Users coming externally go through reverse proxy server to the final IIS web server. Internal user access IIS directly.
/wps should be protected by reverse proxy using forms authentication
while IIS server also protect /wps but should use basic authentication.
Looks like policy is shared by all webgates so i can define one authentication method for /wps.
Comparing this with CA Siteminder each agent have their own URLs to protect and so two agents can protect the same URL but with different authentication method. The single signon works as the protection level is same.

I have not done what you are speaking of; so I would assume that Boland is correct. One thing that you may want to consider is making the external users log into another resource before they hit the /wps. If the other resource is forms protected and at the same authentication level (number on auth scheme), then they can hit the external login resource, get their OBSSO cookie, then slide right thru the basic authentication request of the current policy domain.
Another idea would be to get a little more granular with your current policy domain. Have a file that's protected with forms auth in your policy domain that the external users authenticate to. Remember, this could be as simple as a dummy page that just does an HTTP redirect.
Good luck.
--Aaron

BO Authentication with Sun Access Manager

Post Author: aboucher
CA Forum: Authentication
Hi,
Is there a way to use Sun Access Manager (Role base) with BO. We are using XIR2 but we are willing to move to XIR3 if this version can do this job. I know that BO can be configured with LDAP, AD, Enterprise but is there a Custom choice. Any idea?
Thanks

Post Author: TAZ
CA Forum: Authentication
So quickly reviewing sun access manager it doesn't seem to be an LDAP server per se. It's more like a portal used for SSO. If that's the case then you would integrate LDAP accounts and then use technology like trusted authentication for SSO from the sun access maanger portal. In that case trusted auth will support just about any front end as long as the user info can be forwarded to us in one of 7 methods. You can read more about trusted authentication in the XIR2 deployment guide
http://support.businessobjects.com/documentation/product_guides/default.asp
Integrations of this level typically involvel in depth planning and should probably be done with the assistance of a BO consultant.
Regards,
Tim

Integrating windows authentication with Sun ACCESS MANAGER

Hi,
I have implemented sun access manager and successfully protected an application (ABC). At present iam using the SDS as the authentication and authorization directory. I login in to the machine using the network username and password which is on AD.
I want to integrate my authentication/authorization mechanism from SDS to AD. so that when i login into the machine and open application ABC it should not ask me for the credentials; instead allow me to the homepage directly.
How to do this.
Thanks in advance
Maruthi

Hi!
Maybe this helps you, it describes how to setup AM and policy agent to handle basic authentication protected sites. While the article is about sharepoint it should work for any application.
http://developers.sun.com/identity/reference/techart/sharepoint.html
Christoph

BPC authentication via Tivoli Access Manager

Hello experts,
I'm now investigating BPC authentication mechanism with third vendor authentication software.
Is it possible to login to BPC v7.5 MS version via Tivoli Access Manager with 'Reverse Proxy' ?
And can BPC get a login-user information as a http-header from Tivoli Access Manager at this time ?
If the above situation is possible, can BPC utilize BO enterprise authentication with Tivoli Access Manager ?
Best regards,
Tatsuo Oba

SAP BOPC can use Reverse Proxy.
I'm not sure how you want to use Tivoli Access Manager with SAP BOPC?
It is very interesting to know also the reason you woudl like to use SAP BOPC in this way.
It can be a very nice case study.
BPC can not get information like an HTTP header and something like that it will be unsafe from security point of view.
Regarding your question:
BPC to utilize CMS authentication with Tivoli Access Manager
I think you have to provide more information? Why do I need Tivoli Access Manager to access BPC or to do authentication to CMS.
I have to mention I don't know how it is working Tivoli Access Manager and because of that I'm asking you to provide more information.
Regards
Sorin Radulescu

Can not configure Access Manager

Hi all,
1. I istalled Sun java messaging server 6.
2. I edit amsamplesilent to prepare amsamplesilent.my:
# cd /opt/SUNWam/bin
#mv amsamplesilent amsamplesilent.my
3. I configure Access Manager:
#./amconfig -s amsamplesilent.my but get the following error:
# ./amconfig amsamplesilent.my
Usage: amconfig -s <silentinputfile>
./amconfig: Sourcing ./amutils
ln: cannot create /opt/SUNWam/lib/jaxrpc-spi.jar: File exists
chown: jaxrpc-spi.jar: No such file or directory
full install
./amdsconfig: Sourcing ./amutils
LD_LIBRARY_PATH is --- /usr/lib/mps/secv1:/usr/lib/mps/secv1:/usr/lib/mps/secv1:/opt/SUNWam/lib:/opt/SUNWam/ldaplib/ldapsdk
CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss3.jar:/opt/SUNWam/lib/am_sdk.jar
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 4
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 5
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 6
ERROR : Loading of Access Manager schema into the Directory failed
Starting the tag swapping of the install.ldif and installExisting.ldif
ROOT_SUFFIX is dc=iplanet,dc=com
People_NM_ROOT_SUFFIX is People_dc=iplanet_dc=com
SERVER_HOST sample.red.iplanet.com
DIRECTORY_SERVER sample.red.iplanet.com
DIRECTORY_PORT 389
USER_NAMING_ATTR uid
ORG_NAMING_ATTR o
CONSOLE_DEPLOY_URI /amconsole
ORG_OBJECT_CLASS sunismanagedorganization
RS_RDN iplanet
USER_OBJECT_CLASS inetorgperson
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
ERROR : Configuring/Loading of the default DIT in the Directory Server failed
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
Warning : Plugins and Indexes already exist.
./amsvcconfig: Sourcing ./amutils
LD_LIBRARY_PATH is --- /usr/lib/mps/secv1:/usr/lib/mps/secv1:/usr/lib/mps/secv1:/opt/SUNWam/lib:/opt/SUNWam/ldaplib/ldapsdk
CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss3.jar:/opt/SUNWam/lib/am_sdk.jar
ldap_simple_bind: Can't connect to the LDAP server - No route to host
Loading service schema XML files ...
Info 112: Entering ldapAuthenticate method!
Error 15: Cannot authenticate user.
LDAP authentication failed.
Error 9: Operation failed: Error 15: Cannot authenticate user.
Error occured while loading: /etc/opt/SUNWam/config/ums/ums.xml
./amws61config: Sourcing ./amutils
/opt/SUNWam/console.war: No such file or directory
current web app is applications
copying files from sunwamconsdk
Swapping tag swap in index.html files ...
Making amconsole.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/applications (/opt/SUNWam/amconsole.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/applications for /amconsole
wdeploy deploy -u /amconsole -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/applications /opt/SUNWam/amconsole.war
[wdeploy] The war file name is /opt/SUNWam/amconsole.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amconsole
/opt/SUNWam/services.war: No such file or directory
current web app is services
Swapping tag swap in index.html files ...
Making amserver.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/services (/opt/SUNWam/amserver.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/services for /amserver
wdeploy deploy -u /amserver -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/services /opt/SUNWam/amserver.war
[wdeploy] The war file name is /opt/SUNWam/amserver.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amserver
/opt/SUNWam/password.war: No such file or directory
current web app is password
Swapping tag swap in index.html files ...
Making ampassword.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/password (/opt/SUNWam/ampassword.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/password for /ampassword
wdeploy deploy -u /ampassword -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/password /opt/SUNWam/ampassword.war
[wdeploy] The war file name is /opt/SUNWam/ampassword.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /ampassword
/opt/SUNWam/introduction.war: No such file or directory
current web app is common
Swapping tag swap in index.html files ...
Making amcommon.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/common (/opt/SUNWam/amcommon.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/common for /amcommon
wdeploy deploy -u /amcommon -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/common /opt/SUNWam/amcommon.war
[wdeploy] The war file name is /opt/SUNWam/amcommon.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amcommon
Checking if Web Server is already configed with Access Manager
Configuring Web Server
Mime type: 'type=text/vnd.wap.wml' already exists: Skipping ....
Mime type: 'type=image/vnd.wap.wbmp' already exists: Skipping ....
I tried again but I still get this error.
Any Ideas for this problem?
Thanks.

ldap_simple_bind: Can't connect to the LDAP server - No route to host
i would consider this a fatal error.
The system cannot locate where your Directory Server is. "no route to host" means that it's trying to get to the host, but your networking isn't set up correctly, and it doesn't find any route to get to the specified host.

Can not login access manager

mail server version is JES messaging Server 6 2005Q4 :
My Access Manager:http://hostname:8080/amserver
last week, i login access manager, under the web label or configuration label�F
in "ldap" item�Ci add new dc=xx,dc=xx,dc=xx�C
then save configuration.
but after that i can not login access manager.
when i user admin login,it print:"
Authentication failed".
what should i do to restore access manage?
thanks!

javatoall wrote:
Hi,
I login Access Manager, access sample "realm" -> Authentication->
Advance Properties -> User profiles and then I choiced "Dynamic with user Alias".
Then I only configure JDBC authentication with mysql database that I don't used ldapservice.
When I created a one new user in MySQL, I can login into web application that i security as "sample.war" successfull but new user don't right access resource that i protected before.
When i login access manager with amdmin user, I can not find user that i has been created it in MySQL database. t
When the users are created through the dynamic profile, the default cn/sn are set to "default" , after creation you need to login to amconsole as amadmin and change/add proper values for these attributes.
Alternatively you can set the protected resource's policy subject to Authenticated users. This will work but not sure will meet your requirement
>
When i login access manager console with new user, it login successful, and view Profile of new user that I has been created.
Can you tell me How to manage new user that I has been new in MySQL by Access manager console ?
I want to configure access proteced resourse for that user. How to configure that ?
read above use the authenticated users subject
Thank for every help.
VinhND.

Problem with second instance of access manager

Well, after sorting out things with the first install of access manager, I went on to install a second instance on a different host (it's required for delegated admin..)
Here are the options I used on install:
Access Manager: Administration (1 of 6)
Administrator User ID: amAdmin
Administrator Password [] {"<" goes back, "!" exits}:
Retype Password [] {"<" goes back, "!" exits}:
LDAP User ID: amldapuser
LDAP Password [] {"<" goes back, "!" exits}:
Retype Password [] {"<" goes back, "!" exits}:
Password Encryption Key [gFoe4t8UlUW3wEApngAY3S8bCQFVMlGk] {"<" goes back,
"!" exits}: weW5jtopMLQsODiBZDp+hlEp1/CtbiXX
Install type (Realm/Legacy) Mode [Legacy] {"<" goes back, "!" exits}:
Access Manager: Web Container (2 of 6)
1. Sun Java System Application Server
2. Sun Java System Web Server
Select the container to deploy the component and hit enter key [2] {"<" goes
back, "!" exits}
Access Manager: Sun Java System Web Server (3 of 6)
Host Name [zone2.corenode.com] {"<" goes back, "!" exits}:
Web Server Instance Directory [opt/SUNWwbsvr/https-zone2.corenode.com] {"<"
goes back, "!" exits}:
Web Server Port [80] {"<" goes back, "!" exits}:
Document Root Directory [opt/SUNWwbsvr/docs] {"<" goes back, "!" exits}:
Secure Server Instance Port [No] {"<" goes back, "!" exits}:
Access Manager: Web Container for running Access Manager Services(4 of 6)
Host Name [zone2.corenode.com] {"<" goes back, "!" exits}:
Services Deployment URI [amserver] {"<" goes back, "!" exits}:
Common Domain Deployment URI [amcommon] {"<" goes back, "!" exits}:
Cookie Domain(Assure it is not a top level domain) [.corenode.com] {"<" goes
back, "!" exits}:
Administration Console [Yes] {"<" goes back, "!" exits}:
Console Deployment URI [amconsole] {"<" goes back, "!" exits}:
Password Deployment URI [ampassword] {"<" goes back, "!" exits}:
Access Manager: Directory Server Information (5 of 6)
Directory Server Host [] {"<" goes back, "!" exits}: zone1.corenode.com
Directory Server Port [] {"<" goes back, "!" exits}: 389
Directory Root Suffix [dc=corenode,dc=com] {"<" goes back, "!" exits}:
Directory Manager DN [cn=Directory Manager] {"<" goes back, "!" exits}:
Directory Manager Password [] {"<" goes back, "!" exits}:
Access Manager: Directory Server Information (6 of 6)
Is Directory Server provisioned with user data [No] {"<" goes back, "!"
exits}? Yes
Organization Marker Object Class [sunISManagedOrganization] {"<" goes back,
"!" exits}:
Organization Naming Attribute [o] {"<" goes back, "!" exits}:
User Marker Object Class [inetorgperson] {"<" goes back, "!" exits}:
User Naming Attribute [uid] {"<" goes back, "!" exits}:
Yes, I am using the same key as was used on host1 for access manager. Yes, access manager on host 1 is quite functional right now. Yes, that directory server works. Now I'm really stumped on what to do! Everything in JES seems to work great except access manager, the exceptions it throws really don't help any at all in troubleshooting.
Any ideas?

More info from error logs:
# pwd
/var/opt/SUNWam/debug
# tail -200 amAuth
04/12/2006 09:56:47:127 AM HST: Thread[main,5,main]
ERROR: AuthD failed to get auth session
04/12/2006 09:56:47:165 AM HST: Thread[main,5,main]
ERROR: AuthD init()
com.iplanet.dpro.session.SessionException: AuthD failed to get auth session
at com.sun.identity.authentication.service.AuthD.initAuthSessions(AuthD.java:709)
at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:229)
at com.sun.identity.authentication.service.AuthD.getAuth(AuthD.java:494)
at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
# tail -200 amSession
04/12/2006 09:56:47:098 AM HST: Thread[main,5,main]
ERROR: SessionService.SessionService(): Initialization Failed
com.iplanet.services.naming.ServerEntryNotFoundException: Cannot find server ID.
at com.iplanet.services.naming.WebtopNaming.getServerID(WebtopNaming.java:350)
at com.iplanet.dpro.session.service.SessionService.<init>(SessionService.java:1540)
at com.iplanet.dpro.session.service.SessionService.getSessionService(SessionService.java:382)
at com.sun.identity.authentication.service.AuthD.getSS(AuthD.java:685)
at com.sun.identity.authentication.service.AuthD.initAuthSessions(AuthD.java:706)
at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:229)
at com.sun.identity.authentication.service.AuthD.getAuth(AuthD.java:494)
at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
04/12/2006 09:56:47:126 AM HST: Thread[main,5,main]
ERROR: Error creating service session
java.lang.NullPointerException
at com.iplanet.dpro.session.service.SessionService.generateEncryptedID(SessionService.java:588)
at com.iplanet.dpro.session.service.SessionService.generateSessionId(SessionService.java:612)
at com.iplanet.dpro.session.service.SessionService.newInternalSession(SessionService.java:557)
at com.iplanet.dpro.session.service.SessionService.getServiceSession(SessionService.java:501)
at com.iplanet.dpro.session.service.SessionService.getAuthenticationSession(SessionService.java:408)
at com.sun.identity.authentication.service.AuthD.initAuthSessions(AuthD.java:706)
at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:229)
at com.sun.identity.authentication.service.AuthD.getAuth(AuthD.java:494)
at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
#

Too Slow - Domino 6.5.4 with access manager agent 2.2 ?

I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
I think AMAgent.properties is not good for SSO.
Please help me to tune it.
# $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
# Copyright ? 2002 Sun Microsystems, Inc. All rights reserved.
# U.S. Government Rights - Commercial software. Government users are
# subject to the Sun Microsystems, Inc. standard license agreement and
# applicable provisions of the FAR and its supplements. Use is subject to
# license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
# trademarks or registered trademarks of Sun Microsystems, Inc. in the
# U.S. and other countries.
# Copyright ? 2002 Sun Microsystems, Inc. Tous droits r閟erv閟.
# Droits du gouvernement am閞icain, utlisateurs gouvernmentaux - logiciel
# commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
# licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
# vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl閙ents
# ? celles-ci.
# Distribu? par des licences qui en restreignent l'utilisation. Sun, Sun
# Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
# marques d閜os閑s de Sun Microsystems, Inc. aux Etats-Unis et dans
# d'autres pays.
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Access Manager
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Access Manager will disable the SDK.
com.sun.am.cookie.name = iPlanetDirectoryPro
# The URL for the Access Manager Naming service.
com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
# The URL of the login page on the Access Manager.
com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
# Name of the file to use for logging messages.
com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
com.sun.am.policy.agents.config.local.log.rotate = true
# Name of the Access Manager log file to use for logging messages to
# Access Manager.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Access Manager.
com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
# Set the logging level for the specified logging categories.
# The format of the values is
#     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
#     0     Disable logging from specified module*
#     1     Log error messages
#     2     Log warning and error messages
#     3     Log info, warning, and error messages
#     4     Log debug, info, warning, and error messages
#     5     Like level 4, but with even more debugging messages
# 128     log url access to log file on AM server.
# 256     log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.log.level =
# The org, username and password for Agent to login to AM.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certdb.prefix =
# Should agent trust all server certificates when Access Manager
# is running SSL?
# Possible values are true or false.
com.sun.am.trust_server_certs = true
# Should the policy SDK use the Access Manager notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notification.enable = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.url_comparison.case_ignore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.polling.interval=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the access manager. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userid.param=UserToken
# Profile attributes fetch mode
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-
number,c|country
# Session attributes mode
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.session.attribute.map=
# Response Attribute Fetch Mode
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.response.attribute.map=
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.lb.cookie.name = GX_jst
# indicate where a load balancer is used for Access Manager
# services.
# true | false
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.config.version=2.2
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
# Locale setting.
com.sun.am.policy.agents.config.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.config.instance.name = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.config.do_sso_only = true
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.config.accessdenied.url =
# This property indicates if FQDN checking is enabled or not.
com.sun.am.policy.agents.config.fqdn.check.enable = true
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
# com.sun.am.policy.agents.config.fqdn.map
com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Access Manager policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.config.fqdn.map =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Access Manager for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
com.sun.am.policy.agents.config.cookie.reset.enable=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Access Manager.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.config.cookie.reset.list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
com.sun.am.policy.agents.config.cookie.domain.list=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.config.anonymous_user=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.config.anonymous_user.enable=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?
OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.config.notenforced_list.invert = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.config.notenforced_client_ip_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.config.postdata.preserve.enable = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url =
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.config.client_ip_validation.enable = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.config.logout.url=
#http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.config.logout.cookie.reset.list =
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Access Manager.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetch_from_root_resource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.config.get_client_host_name = false
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.config.convert_mbyte.enable = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.policy.agents.config.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port =
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
com.sun.am.policy.agents.config.override_notification.url =
# The following property defines how long to wait in attempting
# to connect to an Access Manager AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active Access Manager Auth server"
com.sun.am.policy.agents.config.connection_timeout =
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# The three following properties are for IIS6 agent only.
# The two first properties allow to set a username and password that will be
# used by the authentication filter to pass the Windows challenge when the Basic
# Authentication option is selected in Microsoft IIS 6.0. The authentication
# filter is named amiis6auth.dll and is located in
# Agent_installation_directory/iis6/bin. It must be installed manually on
# the web site ("ISAPI Filters" tab in the properties of the web site).
# It must also be uninstalled manually when unintalling the agent.
# The last property defines the full path for the authentication filter log file.
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilter

Hi,
I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
I have the box to identify but it doesnot connect me on my opensso server.
It still identify with Domino's server
Thanks for your response
Thomas

How to change LDAP server setting in Access Manager 6.2

Hi,
We have initially set authentication as a SunONE Directory Server 5.1 (master DS1) in Sun Java System Access Manager 6.2. In both /etc/opt/SUNWam/config/serverconfig.xml
/etc/opt/SUNWam/config/AMConfig.properties
conf files, DS1 was set initially. Also on console's Service Configuration ->LDAP->Primary LDAP Server was set as "DS1"
Now the problem is that I am not able to change the DS1 to the other master "DS2". I set DS2 in both above conf files and also the Service Configuration page as Primary LDAP Server. I restarted the server. When I stopped the DS1, I couldn't login access manager console with any user. It looks like it is still trying to get authentication from DS1.
Does anybody know what I am missing here?
Regards,

After hopeless tries, I finally made it work;) The trick was actually updating the sunKeyValue attribute of the entry:
"dn:ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAPService,ou=ser
vices,dc=company,dc=com" in one of the master DS I have.
Even though I set DS2 and loadBalancer hosts in all conf files and in Primary LDAP conf in amconsole's Service Configuration, it just didn't work until I inserted loadBalancer host in sunKeyValue attribute.
Hope it helps to someone....
-Bora

Setting up Access Manager and Directory Server for Failover.

I'm setting up 2 Access Managers AM1,AM2 and 2 Directory Servers DS1 and DS2 for failover. I've connected AM1 and AM2 to DS1. Suffixes of DS1 is replicated to DS2. Any change made to AM1 is replicated to AM2 as expected. I just patched AM1 with Access Manager patch 1 and the version information for AM1 shows 7.1 126359-01. I followed the same procedure to patch AM2 but AM2 still shows ver 7.1.
How do I make sure both Access Managers are patched to the same version?
I'm able to authenticate to one IIS6 site and authentication is passed on to Outlook Web Access on AM1 but when I shut down AM1 to test failover to AM2 OWA prompts me again for password. How do I resolve this?
On AM1 http://host.domain/amserver/UI/Login?realm=sso successfully logs in but the same on AM2 gives Warning that "You have already logged in. Do you want to log out and then login to a different organization?"
Please help !!!

I'll answer what bits I can:
Q: AM showing the same version?
A: No idea on this one. I would have expected the operation you described to have produced the right answer. Check that neither your application server nor your web browser are caching old pages (ctrl-F5 in my browser)
Q: How do I resolve re-authentication on failover?
A: The AM documentation includes a deployment example that covers pretty closely what it is you are trying to achieve:
http://docs.sun.com/app/docs/doc/820-2278
Specifically, the problem you are describing is related to session failover. The sessions are stored in a local DB so when you failover the backup server does not store the same information and hence requires a reauthentication. The section of the above doc that deals with this is here:
http://docs.sun.com/app/docs/doc/820-2278/gdsre?l=en&a=view
Q: "You have already logged in" warning
A: No idea. Sorry.
R

Am not able to get the Access manager 7- login page

I have installed Access Manager and configured it was worked. but i did the Policy agent cofiguration for Access Manager after that i couldn't login to Access manager ie /amserver while on trying http://localhost:8080/amserver/UI/Login
am getting the following error
exception
javax.servlet.ServletException
     org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:300)
     org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
     java.security.AccessController.doPrivileged(Native Method)
     com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
root cause
java.lang.NoClassDefFoundError
     com.sun.identity.authentication.server.AuthContextLocal.(AuthContextLocal.java:140)
     com.sun.identity.authentication.service.LoginState.createAuthContext(LoginState.java:1121)
     com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:310)
     com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:250)
     com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:325)
     com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
     com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
     com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
     javax.servlet.http.HttpServlet.service(HttpServlet.java:747)
     javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
     sun.reflect.GeneratedMethodAccessor115.invoke(Unknown Source)
     sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     java.lang.reflect.Method.invoke(Method.java:585)
     org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
     java.security.AccessController.doPrivileged(Native Method)
     javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
     org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
     org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
     java.security.AccessController.doPrivileged(Native Method)
     com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
please any do some need full to solve this problem
regards
vimalraj.s

Guys,
This is a common problem that I have noticed when policy agent is installed on the same DAS (Domain Admin Server of Sun java Application Server) instance where access manager is installed.
Best solution is to deploy your application on a different DAS and configure / install policy agent for the new DAS.
If web server is used for Access Manager, Deploy your application on a different instance.
Alternatively, follow these instructions.
Assume that you have policy agent binary installed on /opt/SUNWam/policyagent/ j2ee_agents/am_as81_agent.
When policy agent is configured, it creates a new configuration folder named agent_001.
1.     Login to DAS and remove the class path changes done by the policy agent installer.
These are the class path to remove:
/opt/SUNWam/ policyagent /j2ee_agents/am_as81_agent/lib/agent.jar
/opt/SUNWam/ policyagent /j2ee_agents/am_as81_agent/lib/amclientsdk.jar
/opt/SUNWam/ policyagent /j2ee_agents/am_as81_agent/locale
/opt/SUNWam/ policyagent /j2ee_agents/am_as81_agent/agent_001/config
2.     Add these to the class path to the end of the class path suffix. NOT AT THE START
/opt/SUNWam/ policyagent /j2ee_agents/am_as81_agent/lib/agent.jar
/opt/SUNWam/ policyagent /j2ee_agents/am_as81_agent/lib/locale
3.     Insert amclientsdk.jar to the classpath. Insert this before agent.jar but after am_*.jar files (am_sdk.jar,am_services.jar,am_sso_provider.jar,am_logging.jar )
4.     open amConfig.properties . Add this line to the bottom of the file.
com.sun.identity.agents.config.location=/opt/SUNWam/ policyagent /j2ee_agents/am_as81_agent/agent_001/config/AMAgent.properties
Above line points to the policy agent configuration file.
5.     last but not the least:
a.     Make sure that an agent is created in Access manager with the same name and password as the one that you gave when installing policy agent.
b.     Set property com.sun.identity.agents.config.filter.mode = SSO_ONLY in AMAgent.properties. This will help initial testing of the configuration.
c.     Above configuration is for Unix. But shouldwork for other OS as well.
Best of Luck
KK

Error while accessing Access Manager

Hi All,
I am getting the following error after configuring access manager and restarting the web server.
[25/May/2006:18:14:16] info ( 1724): CORE1116: Sun Java System Web Server 6.1SP5 B01/15/2006 23:04
[25/May/2006:18:14:30] info ( 1724): HTTP3072: [LS ls1] http://GDYESSER33609.wipro.com:13004 ready to accept requests
[25/May/2006:18:14:30] info ( 1724): CORE3274: successful server startup
[25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr: Exception in thread "amStats" java.lang.ExceptionInInitializerError
[25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr:      at com.sun.identity.authentication.service.AuthStatsListener.printStats(AuthStatsListener.java:56)
[25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr:      at com.iplanet.am.util.StatsRunner.run(StatsRunner.java:91)
[25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr: Caused by: java.lang.NullPointerException
[25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr:      at com.iplanet.services.cdm.ClientsManager.getDefaultInstance(ClientsManager.java:108)
[25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr:      at com.sun.identity.authentication.service.AuthUtils.<clinit>(AuthUtils.java:199)
I have configured and restarted the web server, when i try to access the access manager I get the above error. Someone please respond at the earliest.
Thanks.

Hi Tanya,
Thank you for posting in Windows Server Forum.
From which device you are trying to access RemoteApp program?
For getting any remote session or accessing RemoteApp the user must be added under “Remote Desktop Users” local group. So please under user under that group and verify.
Also add the user under System>Remote Settings>Remote Tab>Allow remote connection to this computer and add the user under that. Now after performing this above steps verify whether user can login remotely.
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

Access Manager Authentication

Similar Messages

Maybe you are looking for