Access manager in comm suite 5 issue

Similar Messages

• Oracle Access Manager API (ASDK) - ObUserSession / ObConfig Issues

  I am currently working with the ASDK and CoreID 7.0.4. I have gotten my custom Access Gate to the point where I wanted to start testing it out with my applications. I very quickly ran into some issues:
  Im my code I am making a connection to the Access Server in order to obtain an ObSSOCookie to use while making IDXML requests. Everything works perfectly when I am running a single process.
  Once I palce my code in a few processes I immeadiately start getting some issues.
  When running as a single process, "_OBUserSession.getSessionToken()", returns a nice encoded string that can be placed within an HTML header for my IDXML requests.
  When running multiple processes, only the first process gets a nice encoded token. All subsequent processes get a NON encoded string. The NON encoded strings appears to be a valid session token... Its just not encoded.
  Further more... when I print out the properties of the ObUserSession objects, they all come back as valid, logged-in, and authorized.
  I have narrowed things down to the ObConfig.initialize("MYINSTALLDIR") and ObConfig.shutdown() methods as the cause. Basically, if there is more than one active initialization of my Access Gate, it fails to encode session tokens.
  If anyone has some insight or advice I would greatly appreciate it. I am currently looking into the "Maximum Connections" parameter on my Access Gate to see if that has an effect. I am not confident it will... since I do get a valid ObUserSession object... it just failes to encode the token.
  -thanks

  First I too thought this problem could have surfaced due to multiple initialization of same Access Gate (AG). But that doesn't answer how un-encoded token is availed in subsequent calls to getSessionToken().
  I believe you are on the right track and make sure that you set the "max connections" to a value higher than the number of processes invoking the Initialize. If this doesn't work then you should try with initializing AG only once and try.
  Do let me know if you happen to get the solution for this problem.

• Oracle Identity and Access Management Suite Plus Integration with Oracle ADF

  Hi All,
  Kindly advice if Oracle Identity and Access Management Suite Plus can be integrated with Oracle ADF based applications to manage the end-to-end lifecycle of user accounts specifically addressing to roles/priviledges and security.
  Request you to share links to documentation where I can study the steps to integrate both the frameworks.
  Looking forward to hear from you soon.
  Best Regards,
  Ankit Gupta 

  Hi Sébastien,
  I came across the below link for the required integrations -
  Oracle® Fusion Middleware Installation Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2) - …
  Oracle® Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management 11g Release 2 (11.1.2) - Co…
  Best Regards,
  Ankit Gupta

• Oracle Access Manager 11g Basic with E-Business Suite

  Hi gurus,
  I was just wondering if anyone could tell me if the basic edition of Oracle Access Manager 11g is licensed for use with e-Business Suite 11i as a partner application? Or is it necessary to purchase the full license to use it with EBS?

  925237 wrote:
  Hi gurus,
  I was just wondering if anyone could tell me if the basic edition of Oracle Access Manager 11g is licensed for use with e-Business Suite 11i as a partner application? Or is it necessary to purchase the full license to use it with EBS?You need a license for Oracle Access Manager. However, AccessGate is available at no charge to customers who have already licensed both Oracle E-Business Suite and Oracle Access Manager.
  Oracle E-Business Suite AccessGate Release 1.0.2 Now Available
  https://blogs.oracle.com/stevenChan/entry/ebs_accessgate_102
  Oracle Access Manager 11.1.1.5 Certified with E-Business Suite 12
  https://blogs.oracle.com/stevenChan/entry/oracle_access_manager_11_11
  Oracle Access Manager 11.1.1.3 Certified with E-Business Suite 12
  https://blogs.oracle.com/stevenChan/entry/oracle_access_manager_11_1
  Please contact your Oracle sales representative (account manager), he/she is the best one to answer your license questions.
  Global Pricing and Licensing
  http://www.oracle.com/us/corporate/pricing/index.html
  Thanks,
  Hussein

• Access Manager Basic install (Weblogic Suite)

  Greetings.
  We want to install Access Manager but our customer has Oracle WebLogic Suite license, I understand that there is a restriction in that license and only Access Manager Basic is supported.
  I don't know how to install Oracle Access Manager 11g only, because oracle oam 11g is bundled with Oracle Identity and Access Manager 11g. I don't want to install Oracle Identity Manager because there isn't included in the WebLogic Suite license.
  Could anybody tell me how to install OAM 11g to comply with the OAM basic restrictions included in Oracle Weblogic suite.
  Thanks
  Ramiro Ortíz.

  While installing Oracle fusion middleware suite, you'll get list of product to be installed, you can select only 'Oracle Access Manager' there to install only OAM.
  regards,
  GP

• True Suite Access Manager Fingerprint software

  I have True Suite Access Manager Fingerprint Software on my toshiba satellite M300, the password bank function has stopped working correctly, at first when i would type in login and password information for websites etc it would pop up with the password bank dialog box to save info as it should. It has now stopped doing that. Is there another way of utilising this function or making it work again properly? I am running windows vista.

  Try removing the Fingerprint software, then download and install the latest version from the Toshiba website.
  Also update the Value Added Package and the BIOS.

• Remote Access Management Console - configuration issue with Network Location Server

  2012 Std R2
  The remote Access management console operation status shows  all green except for network location server .
  Error: There is no response from the network location server URL. DirectAccess connectivity might not work as expected, and DirectAccess clients located inside the corporate network might not be able to reach internal resources.
  Resolution listed as:
  1. Configure the network location server on a server that is highly available to clients on the internal network.
  2. If the network location server is running on the Remote Access server, ensure that IIS is running, and that the URL is available.
  The remote access server is located on this server. IIS is running. What URL: show I be looking at?
  Any other thoughts so I can get remote access working.
  l also am getting a remote access error for IPV6, could this be a cause:
  RoutingDomainID- {00000000-0000-0000-0000-000000000000}: Unable to add the interface {D37062B2-A3E0-4496-A459-9E0BBCE5423C} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.
  John Lenz

  Hi John,
  please follow the steps to reinstall TCP/IP stack.
  1.Restart your PC into Safe Mode with Networking.
  2.
  Edit your registry. Delete the following keys:
  HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Winsock
  HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Winsock2
  3.
  Open the nettcpip.inf file in your %winroot%/inf folder
  (%winroot% is usually c:/windows).
  Find the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics value from 0xA0 to 0x80.
  Open the properties of the network connection you want to fix. In the General tab, click on the Install button. Click on the Have Disk button, and point the location to %winroot%/inf. After that select TCP/IP (not version 6).
  4.
  Now you would notice that you can uninstall TCP/IP!
  Do that, then restart the PC.
  Go back to your network connection, and install TCP/IP again as per the above. After another reboot, you should be up and running.
  I also noted that the XP network repair tool may yank out the ISA 2004 firewall client stuff. Just run the firewall clinet repair or install it again to fix that problem after you did your reboot. Before you do this kind of crazy stuff.
  5.
  This along with a TCP/IP reset using the netsh command:
  netsh int ip reset resetlog.txt
  wish you have a nice thanksgiving too
  Regards,
  Mike
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

• Oracle Access Manager (IDM suite) And Jdev

  We plan to use Access manager et the front end of Jdev ADFBC JSF web application ..
  How can we integrate our java application with Access Manager
  We can't find any code or application sample about that...
  Any extention planned for Access Manager like portlet extention ?
  (is true forum here ?)
  Thanks for your help....

  repost...

• Issues integrating WebCenter with Oracle Access Manager

  Hi All,
  I am trying to integrate WebCenter 10.1.3.2 with Oracle Access Manager (CoreId). Followed the steps described in the Chapter 11 of the OC4J Security Guide.
  I was able to successfully authenticate WebCenter using IWA with Access Manager.
  Then I proceeded with the below steps:
  - Implemented ADF Security in the application. Created application roles and login page and worked fine on my local machine.
  - Provide the auth-method of "COREIDSSO" in orion-application.xml
  - Renamed the app-jazn-data.xml to give the OID groups
  - Mapped the OID groups to application roles in orion-application.xml
  - Used the jazn migration tool to populate the system-jazn-data.xml
  When trying to access the application, it looks like the ADF Context identifies that this is an authenticated user.
  ADFContext.getCurrent().getSecurityContext().isAuthenticated() retruns true
  ADFContext.getCurrent().getSecurityContext().isAuthorizationEnabled() returns true
  I get the below error message on the server console:
  [CoreIDLoginModule::getUserSessionFromCookie]: This user session for F3iwZhUGgjej9RSrMLSo0wjH5Ec6c2oeC0OBRH12y7%2FvfPVncz6dYoBoFD6q8DWAlMtzah%2FYV4T1t7jztVFYbxwfOyu0VOMXMEIosRrFicfJwoPRrM8MOkFsziQxpUqo98XrC9iBRHffdWSItNHZRZK4ZoCJMi6HZZ6noOc4Z%2BGJDGj3kWndYHTWjiG0cJhkSbL95wMmrXCDElzZHjPMdkuNQUHW1TfAJvgSlDeX6hhhIThlc%2BGmxMP3MQ%2FZoxUysbKieIJgDXo1%2FEMmLmTVjA%3D%3D is not valid or user is not logged in.
  I also tried using the "Headervar" variable to display the obmygroups value, but it comes as blank.
  Any help would be appreciated.
  Thanks
  Aneesh

  We recently integrated Webcenter Application (with ADF Authentication and Authorization) with OAM. May be the following will be of some help to you.
  We did the following steps documented in Chapter 11 Oracle Access Manager in Oracle J2EE security guide.
  OAM
  1. Created ALL specified policies , authentication schemes, protection specified in OAM section of the document.
  OC4J
  1. Ran all configuration listed for the OC4J section.
  Webcenter
  1. Developed the Webcenter Application
  2. Enabled ADF Security (Authentication & Authorization)
  3. Deployed the application. While deploying chose File based provider.
  4. After the deployment, changed orion-application.xml to have COREIDSSO as documented in Oracle documentation
  system-jazn-data.xml
  1. Added login module details as specified in the document. (Changed only the application name. Rest all was same as we used names as specified in the earlier steps of the document)
  OID Migration
  Reference document: "Configuring a WebCenter Application to Use Oracle Access Manager" in Webcenter Framework Developer guide.
  1. Located app-jazn-data.xml in the deployed application
  2. Removed "realm-name" and "type" subelements of "grantee" tags. Removed any realm details in user name.
  3. changed references to "class oracle.security.jazn.spi.xml.XMLRealmRole" to "oracle.security.jazn.realm.CoreIDPrincipal"
  4. ran the JAZN migration tool with "all" options. Migration from app-jazn-data.xml to OID.
  OAM
  Created policies for protecting our application.
  Test the application.
  Debugging.
  1. Enable oracle.adf.share.security , oracle.j2ee.security & oracle.j2ee.security.oc4j loggers to debug if the application is not working the way you expect to work.
  2. Set log level in Enterprise manager.
  3. All logging information are written in log.xml in $ORACLE_HOME/j2ee/OC4J_Webcenter/log/OC4J_WebCenter_default_group_1/oc4j
  Thanks

• Reinstalling Comm suite 5

  Hi,
  We're running Sun Java messaging 2005Q4 on Solaris 9 and wanted to upgrade to communication suite 5.
  Instead of direct upgrading, we did uninstall of existing version (by running /var/sadm/prod/SUNW../uninstall) and went successful. But when i tried installing comm suite 5, it went through but webserver gets configured without any "Access Manager" URIs (amcommon, amconsole etc..) and clearly see issue with "Access Manager" (default schema appears as "1" when ran comm_dssetup.pl). This happened to me few many times in the past and reinstalled OS to get rid off this problem.
  This time, we can't go for a fresh build so Please suggest me how to get Access Manager UP and running.
  TIA
  Prvn

  sun_prvnrk wrote:
  We're running Sun Java messaging 2005Q4 on Solaris 9 and wanted to upgrade to communication suite 5.We provide an upgrade guide for this very operation:
  http://docs.sun.com/app/docs/doc/819-7561
  Instead of direct upgrading, we did uninstall of existing version (by running /var/sadm/prod/SUNW../uninstall) and went successful. But when i tried installing comm suite 5, it went through but webserver gets configured without any "Access Manager" URIs (amcommon, amconsole etc..) and clearly see issue with "Access Manager" (default schema appears as "1" when ran comm_dssetup.pl).Sounds like Access Manager wasn't successfully deployed, most-likely because 'uninstalling' JES4 doesn't remove Access-Manager entries in the directory.
  This happened to me few many times in the past and reinstalled OS to get rid off this problem.
  This time, we can't go for a fresh build so Please suggest me how to get Access Manager UP and running.You could try the manual configure-later deployment approach.
  http://docs.sun.com/app/docs/doc/819-7560/gdjwa?a=view
  Regards,
  Shane.

• Too  Slow - Domino 6.5.4  with access manager agent 2.2 ?

  I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
  I think AMAgent.properties is not good for SSO.
  Please help me to tune it.
  # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
  # Copyright ? 2002 Sun Microsystems, Inc. All rights reserved.
  # U.S. Government Rights - Commercial software. Government users are
  # subject to the Sun Microsystems, Inc. standard license agreement and
  # applicable provisions of the FAR and its supplements. Use is subject to
  # license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
  # trademarks or registered trademarks of Sun Microsystems, Inc. in the
  # U.S. and other countries.
  # Copyright ? 2002 Sun Microsystems, Inc. Tous droits r閟erv閟.
  # Droits du gouvernement am閞icain, utlisateurs gouvernmentaux - logiciel
  # commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
  # licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
  # vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl閙ents
  # ? celles-ci.
  # Distribu? par des licences qui en restreignent l'utilisation. Sun, Sun
  # Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
  # marques d閜os閑s de Sun Microsystems, Inc. aux Etats-Unis et dans
  # d'autres pays.
  # The syntax of this file is that of a standard Java properties file,
  # see the documentation for the java.util.Properties.load method for a
  # complete description. (CAVEAT: The SDK in the parser does not currently
  # support any backslash escapes except for wrapping long lines.)
  # All property names in this file are case-sensitive.
  # NOTE: The value of a property that is specified multiple times is not
  # defined.
  # WARNING: The contents of this file are classified as an UNSTABLE
  # interface by Sun Microsystems, Inc. As such, they are subject to
  # significant, incompatible changes in any future release of the
  # software.
  # The name of the cookie passed between the Access Manager
  # and the SDK.
  # WARNING: Changing this property without making the corresponding change
  # to the Access Manager will disable the SDK.
  com.sun.am.cookie.name = iPlanetDirectoryPro
  # The URL for the Access Manager Naming service.
  com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
  # The URL of the login page on the Access Manager.
  com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
  # Name of the file to use for logging messages.
  com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
  # This property is used for Log Rotation. The value of the property specifies
  # whether the agent deployed on the server supports the feature of not. If set
  # to false all log messages are written to the same file.
  com.sun.am.policy.agents.config.local.log.rotate = true
  # Name of the Access Manager log file to use for logging messages to
  # Access Manager.
  # Just the name of the file is needed. The directory of the file
  # is determined by settings configured on the Access Manager.
  com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
  # Set the logging level for the specified logging categories.
  # The format of the values is
  #     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
  # The currently used module names are: AuthService, NamingService,
  # PolicyService, SessionService, PolicyEngine, ServiceEngine,
  # Notification, PolicyAgent, RemoteLog and all.
  # The all module can be used to set the logging level for all currently
  # none logging modules. This will also establish the default level for
  # all subsequently created modules.
  # The meaning of the 'Level' value is described below:
  #     0     Disable logging from specified module*
  #     1     Log error messages
  #     2     Log warning and error messages
  #     3     Log info, warning, and error messages
  #     4     Log debug, info, warning, and error messages
  #     5     Like level 4, but with even more debugging messages
  # 128     log url access to log file on AM server.
  # 256     log url access to log file on local machine.
  # If level is omitted, then the logging module will be created with
  # the default logging level, which is the logging level associated with
  # the 'all' module.
  # for level of 128 and 256, you must also specify a logAccessType.
  # *Even if the level is set to zero, some messages may be produced for
  # a module if they are logged with the special level value of 'always'.
  com.sun.am.log.level =
  # The org, username and password for Agent to login to AM.
  com.sun.am.policy.am.username = UrlAccessAgent
  com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
  # Name of the directory containing the certificate databases for SSL.
  com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
  # Set this property if the certificate databases in the directory specified
  # by the previous property have a prefix.
  com.sun.am.certdb.prefix =
  # Should agent trust all server certificates when Access Manager
  # is running SSL?
  # Possible values are true or false.
  com.sun.am.trust_server_certs = true
  # Should the policy SDK use the Access Manager notification
  # mechanism to maintain the consistency of its internal cache? If the value
  # is false, then a polling mechanism is used to maintain cache consistency.
  # Possible values are true or false.
  com.sun.am.notification.enable = true
  # URL to which notification messages should be sent if notification is
  # enabled, see previous property.
  com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
  # This property determines whether URL string case sensitivity is
  # obeyed during policy evaluation
  com.sun.am.policy.am.url_comparison.case_ignore = true
  # This property determines the amount of time (in minutes) an entry
  # remains valid after it has been added to the cache. The default
  # value for this property is 3 minutes.
  com.sun.am.policy.am.polling.interval=3
  # This property allows the user to configure the User Id parameter passed
  # by the session information from the access manager. The value of User
  # Id will be used by the agent to set the value of REMOTE_USER server
  # variable. By default this parameter is set to "UserToken"
  com.sun.am.policy.am.userid.param=UserToken
  # Profile attributes fetch mode
  # String attribute mode to specify if additional user profile attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user profile attributes will be introduced.
  # HTTP_HEADER - additional user profile attributes will be introduced into
  # HTTP header.
  # HTTP_COOKIE - additional user profile attributes will be introduced through
  # cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
  # The user profile attributes to be added to the HTTP header. The
  # specification is of the format ldap_attribute_name|http_header_name[,...].
  # ldap_attribute_name is the attribute in data store to be fetched and
  # http_header_name is the name of the header to which the value needs
  # to be assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-
  number,c|country
  # Session attributes mode
  # String attribute mode to specify if additional user session attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user session attributes will be introduced.
  # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
  # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
  # The session attributes to be added to the HTTP header. The specification is
  # of the format session_attribute_name|http_header_name[,...].
  # session_attribute_name is the attribute in session to be fetched and
  # http_header_name is the name of the header to which the value needs to be
  # assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.session.attribute.map=
  # Response Attribute Fetch Mode
  # String attribute mode to specify if additional user response attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user response attributes will be introduced.
  # HTTP_HEADER - additional user response attributes will be introduced into
  # HTTP header.
  # HTTP_COOKIE - additional user response attributes will be introduced through
  # cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
  # The response attributes to be added to the HTTP header. The specification is
  # of the format response_attribute_name|http_header_name[,...].
  # response_attribute_name is the attribute in policy response to be fetched and
  # http_header_name is the name of the header to which the value needs to be
  # assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.response.attribute.map=
  # The cookie name used in iAS for sticky load balancing
  com.sun.am.policy.am.lb.cookie.name = GX_jst
  # indicate where a load balancer is used for Access Manager
  # services.
  # true | false
  com.sun.am.load_balancer.enable = false
  ####Agent Configuration####
  # this is for product versioning, please do not modify it
  com.sun.am.policy.agents.config.version=2.2
  # Set the url access logging level. the choices are
  # LOG_NONE - do not log user access to url
  # LOG_DENY - log url access that was denied.
  # LOG_ALLOW - log url access that was allowed.
  # LOG_BOTH - log url access that was allowed or denied.
  com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
  # Agent prefix
  com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
  # Locale setting.
  com.sun.am.policy.agents.config.locale = en_US
  # The unique identifier for this agent instance.
  com.sun.am.policy.agents.config.instance.name = unused
  # Do SSO only
  # Boolean attribute to indicate whether the agent will just enforce user
  # authentication (SSO) without enforcing policies (authorization)
  com.sun.am.policy.agents.config.do_sso_only = true
  # The URL of the access denied page. If no value is specified, then
  # the agent will return an HTTP status of 403 (Forbidden).
  com.sun.am.policy.agents.config.accessdenied.url =
  # This property indicates if FQDN checking is enabled or not.
  com.sun.am.policy.agents.config.fqdn.check.enable = true
  # Default FQDN is the fully qualified hostname that the users should use
  # in order to access resources on this web server instance. This is a
  # required configuration value without which the Web server may not
  # startup correctly.
  # The primary purpose of specifying this property is to ensure that if
  # the users try to access protected resources on this web server
  # instance without specifying the FQDN in the browser URL, the Agent
  # can take corrective action and redirect the user to the URL that
  # contains the correct FQDN.
  # This property is set during the agent installation and need not be
  # modified unless absolutely necessary to accommodate deployment
  # requirements.
  # WARNING: Invalid value for this property can result in the Web Server
  # becoming unusable or the resources becoming inaccessible.
  # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
  # com.sun.am.policy.agents.config.fqdn.map
  com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
  # The FQDN Map is a simple map that enables the Agent to take corrective
  # action in the case where the users may have typed in an incorrect URL
  # such as by specifying partial hostname or using an IP address to
  # access protected resources. It redirects the browser to the URL
  # with fully qualified domain name so that cookies related to the domain
  # are received by the agents.
  # The format for this property is:
  # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
  # This property can also be used so that the agents use the name specified
  # in this map instead of the web server's actual name. This can be
  # accomplished by doing the following.
  # Say you want your server to be addressed as xyz.hostname.com whereas the
  # actual name of the server is abc.hostname.com. The browsers only knows
  # xyz.hostname.com and you have specified polices using xyz.hostname.com at
  # the Access Manager policy console, in this file set the mapping as
  # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
  # Another example is if you have multiple virtual servers say rst.hostname.com,
  # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
  # abc.hostname.com and each of the virtual servers have their own policies
  # defined, then the fqdnMap should be defined as follows:
  # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
  # WARNING: Invalid value for this property can result in the Web Server
  # becoming unusable or the resources becoming inaccessible.
  com.sun.am.policy.agents.config.fqdn.map =
  # Cookie Reset
  # This property must be set to true, if this agent needs to
  # reset cookies in the response before redirecting to
  # Access Manager for Authentication.
  # By default this is set to false.
  # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
  com.sun.am.policy.agents.config.cookie.reset.enable=false
  # This property gives the comma separated list of Cookies, that
  # need to be included in the Redirect Response to Access Manager.
  # This property is used only if the Cookie Reset feature is enabled.
  # The Cookie details need to be specified in the following Format
  # name[=value][;Domain=value]
  # If "Domain" is not specified, then the default agent domain is
  # used to set the Cookie.
  # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
  # token=value;Domain=subdomain.domain.com
  com.sun.am.policy.agents.config.cookie.reset.list=
  # This property gives the space separated list of domains in
  # which cookies have to be set in a CDSSO scenario. This property
  # is used only if CDSSO is enabled.
  # If this property is left blank then the fully qualified cookie
  # domain for the agent server will be used for setting the cookie
  # domain. In such case it is a host cookie instead of a domain cookie.
  # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
  com.sun.am.policy.agents.config.cookie.domain.list=
  # user id returned if accessing global allow page and not authenticated
  com.sun.am.policy.agents.config.anonymous_user=anonymous
  # Enable/Disable REMOTE_USER processing for anonymous users
  # true | false
  com.sun.am.policy.agents.config.anonymous_user.enable=false
  # Not enforced list is the list of URLs for which no authentication is
  # required. Wildcards can be used to define a pattern of URLs.
  # The URLs specified may not contain any query parameters.
  # Each service have their own not enforced list. The service name is suffixed
  # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
  # for a particular service. SPACE is the separator between the URL.
  com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?
  OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
  # Boolean attribute to indicate whether the above list is a not enforced list
  # or an enforced list; When the value is true, the list means enforced list,
  # or in other words, the whole web site is open/accessible without
  # authentication except for those URLs in the list.
  com.sun.am.policy.agents.config.notenforced_list.invert = false
  # Not enforced client IP address list is a list of client IP addresses.
  # No authentication and authorization are required for the requests coming
  # from these client IP addresses. The IP address must be in the form of
  # eg: 192.168.12.2 1.1.1.1
  com.sun.am.policy.agents.config.notenforced_client_ip_list =
  # Enable POST data preservation; By default it is set to false
  com.sun.am.policy.agents.config.postdata.preserve.enable = false
  # POST data preservation : POST cache entry lifetime in minutes,
  # After the specified interval, the entry will be dropped
  com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
  # Cross-Domain Single Sign On URL
  # Is CDSSO enabled.
  com.sun.am.policy.agents.config.cdsso.enable=false
  # This is the URL the user will be redirected to for authentication
  # in a CDSSO Scenario.
  com.sun.am.policy.agents.config.cdcservlet.url =
  # Enable/Disable client IP address validation. This validate
  # will check if the subsequent browser requests come from the
  # same ip address that the SSO token is initially issued against
  com.sun.am.policy.agents.config.client_ip_validation.enable = false
  # Below properties are used to define cookie prefix and cookie max age
  com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
  com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
  # Logout URL - application's Logout URL.
  # This URL is not enforced by policy.
  # if set, agent will intercept this URL and destroy the user's session,
  # if any. The application's logout URL will be allowed whether or not
  # the session destroy is successful.
  com.sun.am.policy.agents.config.logout.url=
  #http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
  # Any cookies to be reset upon logout in the same format as cookie_reset_list
  com.sun.am.policy.agents.config.logout.cookie.reset.list =
  # By default, when a policy decision for a resource is needed,
  # agent gets and caches the policy decision of the resource and
  # all resource from the root of the resource down, from the Access Manager.
  # For example, if the resource is http://host/a/b/c, the the root of the
  # resource is http://host/. This is because more resources from the
  # same path are likely to be accessed subsequently.
  # However this may take a long time the first time if there
  # are many many policies defined under the root resource.
  # To have agent get and cache the policy decision for the resource only,
  # set the following property to false.
  com.sun.am.policy.am.fetch_from_root_resource = true
  # Whether to get the client's hostname through DNS reverse lookup for use
  # in policy evaluation.
  # It is true by default, if the property does not exist or if it is
  # any value other than false.
  com.sun.am.policy.agents.config.get_client_host_name = false
  # The following property is to enable native encoding of
  # ldap header attributes forwarded by agents. If set to true
  # agent will encode the ldap header value in the default
  # encoding of OS locale. If set to false ldap header values
  # will be encoded in UTF-8
  com.sun.am.policy.agents.config.convert_mbyte.enable = false
  #When the not enforced list or policy has a wildcard '*' character, agent
  #strips the path info from the request URI and uses the resulting request
  #URI to check against the not enforced list or policy instead of the entire
  #request URI, in order to prevent someone from getting access to any URI by
  #simply appending the matching pattern in the policy or not enforced list.
  #For example, if the not enforced list has the value http://host/*.gif,
  #stripping the path info from the request URI will prevent someone from
  #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
  #However when a web server (for exmample apache) is configured to be a reverse
  #proxy server for a J2EE application server, path info is interpreted in a different
  #manner since it maps to a resource on the proxy instead of the app server.
  #This prevents the not enforced list or policy from being applied to part of
  #the URI below the app serverpath if there is a wildcard character. For example,
  #if the not enforced list has value http://host/webapp/servcontext/* and the
  #request URL is http://host/webapp/servcontext/example.jsp the path info
  #is /servcontext/example.jsp and the resulting request URL with path info stripped
  #is http://host/webapp, which will not match the not enforced list. By setting the
  #following property to true, the path info will not be stripped from the request URL
  #even if there is a wild character in the not enforced list or policy.
  #Be aware though that if this is set to true there should be nothing following the
  #wildcard character '*' in the not enforced list or policy, or the
  #security loophole described above may occur.
  com.sun.am.policy.agents.config.ignore_path_info = false
  # Override the request url given by the web server with
  # the protocol, host or port of the agent's uri specified in
  # the com.sun.am.policy.agents.agenturiprefix property.
  # These may be needed if the agent is sitting behind a ssl off-loader,
  # load balancer, or proxy, and either the protocol (HTTP scheme),
  # hostname, or port of the machine in front of agent which users go through
  # is different from the agent's protocol, host or port.
  com.sun.am.policy.agents.config.override_protocol =
  com.sun.am.policy.agents.config.override_host =
  com.sun.am.policy.agents.config.override_port =
  # Override the notification url in the same way as other request urls.
  # Set this to true if any one of the override properties above is true,
  # and if the notification url is coming through the proxy or load balancer
  # in the same way as other request url's.
  com.sun.am.policy.agents.config.override_notification.url =
  # The following property defines how long to wait in attempting
  # to connect to an Access Manager AUTH server.
  # The default value is 2 seconds. This value needs to be increased
  # when receiving the error "unable to find active Access Manager Auth server"
  com.sun.am.policy.agents.config.connection_timeout =
  # Time in milliseconds the agent will wait to receive the
  # response from Access Manager. After the timeout, the connection
  # will be drop.
  # A value of 0 means that the agent will wait until receiving the response.
  # WARNING: Invalid value for this property can result in
  # the resources becoming inaccessible.
  com.sun.am.receive_timeout = 0
  # The three following properties are for IIS6 agent only.
  # The two first properties allow to set a username and password that will be
  # used by the authentication filter to pass the Windows challenge when the Basic
  # Authentication option is selected in Microsoft IIS 6.0. The authentication
  # filter is named amiis6auth.dll and is located in
  # Agent_installation_directory/iis6/bin. It must be installed manually on
  # the web site ("ISAPI Filters" tab in the properties of the web site).
  # It must also be uninstalled manually when unintalling the agent.
  # The last property defines the full path for the authentication filter log file.
  com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
  com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
  com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilter

  Hi,
  I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
  2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
  I have the box to identify but it doesnot connect me on my opensso server.
  It still identify with Domino's server
  Thanks for your response
  Thomas

• Communications Express doesn't create access Manager SSO session

  Hi all,
  I'm running Communications Express, Sun Access Manager and Sun messaging server, each on seperate hosts.
  Single Sign On works i.e. when users have a valid session and point their browser at the Communications Express URL they can access their mail, calendar and addressbooks without further ado.
  When they don't have a valid session though and the users go to the Communications Express URL they get a username and password prompt. If they enter valid credentials they will be logged in, but the session created is only a local session, not an Access Manager SSO session. This behaviour has changed from the previous versions of Comm Exp which wouldn't work at all without SSO.
  Is it possible to configure communications express to either redirect users to the Access Manager's authentication page or have Comm Exp create the SSO session on the users behalf?
  TIA
  Herman
  Versions:
  - Communications Express 6.3 update 1
  - Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)
  libimta.so 6.3-4.01 (built 17:13:29, Aug 3 2007; 32bit)

  Hi Shane,
  as always your anwer is better then I could have expected. A more or less complete manual
  just hours after asking my question. Thanks!
  shane_hjorth wrote:
  The cleanest solution I could develop to address the behavioural change was to
  leverage a web-server policy agent to perform the redirections.
  I wrote up a guide but never received any feedback unfortunately so results-may-vary.
  I have republished this guide externally - feedback is welcome:
  http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_AgentTook me some time to implement, test and write feedback:
  The setup we have is a little more complex then the a single box scenario you
  have tested on:
  From the internet working inwards we have load balanced
  SSL accelerators (apache+SSL doing reverse proxy) in front of
  dedicated application servers running communications express.
  Mail is retrieved from separate mail-store clusters.
  Access manager is configured similarly: load balanced SSL accelerators
  in front of application servers running the login page (disributed
  authentication UI). Those then talk to the access manager cluster.
  Firewalls and access lists between each of those layers. None of the
  applications can be accessed directly from the internet and they are
  limited in what they can access in the DMZ as well.
  I followed your recipe to the letter. After a bit of tweaking everything
  worked like a charm. Policy agent installed and configured on the
  SUN webserver where communications express is deployed.
  Instructions were very good on detail and easy to follow.
  We deploy uwc in the root of the server not in /uwc. Something I didn't notice right away.
  It would seem that the policy agent expects the values com.sun.am.naming.url
  (The URL for the Access Manager Naming service) and
  com.sun.am.policy.am.login.url (The URL of the login page on the Access Manager
  where users should enter their credentials) to be the same host.
  In our setup the URL/host users have to use to log in can't be accessed by the policy agent.
  The policy agent should verify sessions directly against the access manager cluster.
  I played with some of the override settings in the policy agent configuration file but
  without much success. Eventually I used the hostname our users have to use to log
  in and abused the /etc/hosts file to map the external hostname to the internal address
  of the access manager cluster. Users end up on the correct login page, and the policy
  agent can verify the sessions. Ugly, but it works.
  The other issue is that the policy agent redirects to:
  com.sun.am.policy.am.login.url?goto=URL_Protected_by_Policy_Agent
  When a users enters incorrect credentials they get the default login url, without the
  goto parameter. (May be bug in access manager or by design...) After entering their
  credentials correctly on their second or third try users won't be redirected back to UWC,
  but will end up on the default page defined by their iplanet-am-user-success-url LDAP attribute.
  I solved that in the policy agents configuration file by adding the gotoOnFail=URL in the
  definition of com.sun.am.policy.am.login.url:
  com.sun.am.policy.am.login.url = https://login.domain.com:443/amserver/UI/Login?gotoOnFail=https://uwc.domain.com:443When you enter incorrect credentials you'll be redirected back to uwc (where the policy agent
  will again intercept you and send you on to the login page for your next try). May be more of
  an issue in the policy agent then your manual.
  Regards,
  Herman

• Cannot acces the login page of Access Manager 7.1 amserver

  I am new to Access Manager 7.1. After a successfull installation on Solaris 10 11/06 x86, SUN Java Directory Server 6 EE, SUN Java Application Server 8.2 i cannot reach the login page of amserver. The Application Server registers properly the Web Applications, the configuration of the Access Manager was good in my best knowledge. The exeption is as follows
  type Exception report
  message
  description The server encountered an internal error () that prevented it from fulfilling this request.
  exception
  javax.servlet.ServletException: AMSetupFilter.doFilter
       com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
  root cause
  com.iplanet.jato.CompleteRequestException
       com.sun.identity.authentication.UI.AuthenticationServletBase.onUncaughtException(AuthenticationServletBase.java:122)
       com.iplanet.jato.ApplicationServletBase.fireUncaughtException(ApplicationServletBase.java:1164)
       com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:639)
       com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
       javax.servlet.http.HttpServlet.service(HttpServlet.java:747)
       javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
       sun.reflect.GeneratedMethodAccessor73.invoke(Unknown Source)
       sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       java.lang.reflect.Method.invoke(Method.java:585)
       org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
       java.security.AccessController.doPrivileged(Native Method)
       javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
       org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
       org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
       java.security.AccessController.doPrivileged(Native Method)
       com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:86)
  note The full stack trace of the root cause is available in the Sun-Java-System/Application-Server logs.
  Could anybody help me to solve this situation.
  Thanks

  Hey,
  were you able to resolve this issue???
  I am getting the same error after I re-installed the SUN suite(including portal,access manager ,directory server etc)
  Please let me know If you can help.!
  Thanks
  Deepak

• Unable to see options in access manager.!!!

  Hey Geeks,
  I am not sure what changes but I do not see 'users","roles" ,"services" on the access manager console under view dropdown.
  has somebody faced this kinda issue.?
  I was able to see all the options earlier and I havent changed anything.Although I did try to modify a users profile in the LDAP directory through ldap browser.
  When I check "display options" for my organization all options are specified.I have no clue why I am not able to see all option for my org.
  any pointers?
  Regards

  Guys,
  I had to re-install the whole Suite to get rid of the problem.Please update me If there is any solution to this.!!!
  Thanks in advance!
  Deepak.

• Help with Deployment Example Comm Suite 6 Update 1 on Single Host

  Our site would like to evaluate Sun's Collaboration Suite, but we are unable to get the eval copy working.
  We are installing the SPARC version.
  I went through the install and got to "Verify the Installation".
  cd /var/opt/SUNWwbsvr7/admin-server/bin
  ./stopserv
  ./startserv
  cd /var/opt/SUNWwbsvr7/https-wireless.comms.beta.com/bin
  ./stopserv
  ./startserv
  The last startserv threw some errors (shown below), but said "successfully started".
  http://<host>:8080/amconsole does not work..says "Not found"
  http://<host> gives "http status 500"
  I also tried https://<host>:8989..and that seems to work fine.
  Any help would be appreciated.
  Thanks
  # ./stopserv
  server not running
  # ./startserv
  Sun Java System Web Server 7.0U1 B07/18/2007 15:51
  info: CORE3016: daemon is running as super-user
  info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_12] from [Sun Microsystems Inc.]
  info: WEB0100: Loading web module in virtual server [<host>] at [amserver]
  warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
  failure: WebModule[amserver]StandardWrapper.Throwable
  java.lang.ExceptionInInitializerError
  at com.sun.identity.authentication.UI.LoginLogoutMapping.initializeAuth(LoginLogoutMapping.java:89)
  at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:74)
  at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1165)
  at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:994)
  at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4731)
  at org.apache.catalina.core.StandardContext.start(StandardContext.java:5123)
  at com.sun.webserver.connector.nsapi.WebModule.start(WebModule.java:182)
  at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1224)
  at org.apache.catalina.core.StandardHost.start(StandardHost.java:924)
  at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1224)
  at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:520)
  at org.apache.catalina.startup.Embedded.start(Embedded.java:917)
  at com.sun.enterprise.web.PwcWebContainer.onStartup(PwcWebContainer.java:70)
  at com.sun.webserver.connector.nsapi.WebContainer.start(WebContainer.java:472)
  at com.sun.webserver.init.J2EERunner.confPostInit(J2EERunner.java:304)
  Caused by: java.lang.NullPointerException
  at com.sun.identity.authentication.service.AuthD.<clinit>(AuthD.java:206)
  ... 15 more
  failure: WebModule[amserver]PWC1396: Servlet /amserver threw load() exception
  java.lang.ExceptionInInitializerError
  at com.sun.identity.authentication.UI.LoginLogoutMapping.initializeAuth(LoginLogoutMapping.java:89)
  at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:74)
  at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1165)
  at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:994)
  at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4731)
  at org.apache.catalina.core.StandardContext.start(StandardContext.java:5123)
  at com.sun.webserver.connector.nsapi.WebModule.start(WebModule.java:182)
  at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1224)
  at org.apache.catalina.core.StandardHost.start(StandardHost.java:924)
  at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1224)
  at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:520)
  at org.apache.catalina.startup.Embedded.start(Embedded.java:917)
  at com.sun.enterprise.web.PwcWebContainer.onStartup(PwcWebContainer.java:70)
  at com.sun.webserver.connector.nsapi.WebContainer.start(WebContainer.java:472)
  at com.sun.webserver.init.J2EERunner.confPostInit(J2EERunner.java:304)
  Caused by: java.lang.NullPointerException
  at com.sun.identity.authentication.service.AuthD.<clinit>(AuthD.java:206)
  ... 15 more
  info: HTTP3072: http-listener-1: http://<host>:8080 ready to accept requests
  info: CORE3274: successful server startup

  ala_umn wrote:
  I did have trouble with the Identity Suite 5 Update 1 install and ended up uninstalling that and repeating that step.Cleaning up after a failed JES5u1 install/deployment is difficult e.g. "uninstalling" Access Manager does not remove entries/configuration from the Directory Server instance. I usually just re-install Solaris afresh and start again.
  The directory server instance was running, but I did a stop/start-slapd just to be sure. The error you provided indicates there was an authentication problem, usually to the Directory Server instance. There can be any number of causes of this problem including the directory server not running, or the AM authentication details e.g. cn=dsameuser/cn=puser being inconsistent between the DS instance and AM configuration.
  Regards,
  Shane.