Access Manager - No Such Organization Found
I'm getting this error. It has something to do with sunPreferredDomain - I need to change this value from the installed default, and when I do, sooner or later (after restarting the WS) I get the error. Changing it back allows me to login to /amconsole.
This also affects whether or not I can use the DA to update user attributes e.g. quota (and likely other DA actions). Though it doesn't appear to affect login to the DA. I can switch the value back (to the needed/altered value) after login to either AM or DA, and continue using them.
Also, what's the difference between /amserver and /amconsole? Is /amserver where you configure AM to handle access for different services?
How would I make Access Manager control access to a resource on an Apache server? I know I would need a policy agent on the Apache... (also posting to AM forum).
Thanks,
s7
starman7 wrote:
The error I am getting that affects AM and DA is:
Access Manager - No Such Organization FoundWhat domain are you setting for the sunPreferredDomain: attribute and is this domain also a hostname (e.g. sunPreferredDomain: server.aus.sun.com) and/or a root of another domain (e.g. you have a hosted domain aus.sun.com and added sunPreferredDomain: sun.com)?
When you connect to amconsole it redirects you to amserver link but defines a login domain/organisation e.g.
http://server.aus.sun.com/amconsole ->
http://server.aus.sun.com/amserver/UI/Login?service=adminconsoleservice&goto=/amconsole/base/AMAdminFrame&&<sessionid>&org=dc%3Daus%2Cdc%3Dsun%2Cdc%3Dcom&gx_charset=UTF-8Note the: "&org=" value
You will probably find that this org value is changing when you modify the sunPreferredDomain: and as a result the base search is different and the admin/amadmin account cannot be found.
Regards,
Shane.
Similar Messages
-
Access Manager installation/re-installation problems
Good time of day for ALL!
I have a problem, when trying to reinstall SUN JES 2005Q4. Prevously installed Q1 version was uninstalled with JES unistaller, Portal entries (this checkbox exists in one of forms) were removed, /etc/opt/.... /var/opt/... /opt/.... files & catalogues were removed.
Then a new version JESQ4 was installed. (All products.) All configuration steps were made and all seems to work properly: I rceived working application,WEB,Calendar, Messaging servers, Instant messaging. BUT when I tried to use Access Manager, I saw
"No such Organization found." message in my browser when tried to access http://localhost:8080/amserver.
How can I reinstall this product to make it usefull again?!
Sincerelly.
PS. In 10 minutes ago The JES was fully uninstalled(look up) and then installed again. The situation restored in the same position 8-(((Good time of day for All!
The problem described in my previous topic is go on 8-((((
-System( sol10 sparc) was reinstalled.
-JES 2005q4 was installed in several steps.
1- Admin server,Message Queue,Web server,Directory server.
2. Web server.
Then all installed parts were tested. They works finely
3. Application server.
It was configured by default (/..../domain1) and some scripts for it's autostarting were created in rc3.d
App server& its admin server works fine!
4. Portal server& Access manager. AM was installed in Realm mode. When tying to access to ..../amserver page
" Authentication Service is not initialized.<br />Contact your system administrator. " message appear in login screen.
Who can answer:
1-What is wrong?
2-Where i can find REALLY TESTED STEP BY STEP workflow of JES installation? -
Integrate IdM roles with Sun Access Manager roles
Hi all,
I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
What are the important differences between static and dynamic roles in AM?
Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
Thanks.I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
About directory server roles:
http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
Forum thread reference:
http://forums.sun.com/thread.jspa?threadID=5208694
Here are roughly the steps I followed to get this working.
Access Manager roles setup:
1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
Identity Manager roles setup:
1. Create a new role in Identity Manager: tab Roles, click New....
2. Assign the LDAP resource to synchronize the role with.
3. On the Assigned Resources line, click the Set Attributes Values button. This shows up the attributes listing allowing you to bind your IdM role to your LDAP repository.
4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
* In the column Value override, select Text.
* In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
* In the text box, enter the role DN text (ex: cn=test_role,dc=com).
5. Save the role. You can now add the role to a user. -
What kind of permissions are needed in LDAP to install Access Manager?
Hi people,
I'm trying to install Access Manager in three different machines, and i'll try to configure them in a failover schema, but I'm not the owner of the LDAP where the Access Manager DIT is going to live, my question is what kind of permissions do I need to install it, rigth now I've tried to install it three times and I can't get a succesfull install process, this is a resume of the common errors that I've got in the Java_Enterprise_System_Config_Log.xxxx
adding new entry ou=portalmmm_1.0_n21i,ou=internalData,ou=1.0,ou=SunAMClientData,ou=ClientData,o=bbva
sleep 3
ERROR : Configuring/Loading of the default DIT in the Directory Server failed
CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss4.jar:/opt/SUNWam/lib/am_sdk.jar
Loading service schema XML files ...
Info 109: Calling SCHEMA MANAGER
Info 110: XML file to import:/etc/opt/SUNWam/config/ums/ums.xml
Info 103: Loading Service Schema XML /etc/opt/SUNWam/config/ums/ums.xml
Loading Service Schema XML /etc/opt/SUNWam/config/ums/ums.xml
Error occured while loading: /etc/opt/SUNWam/config/ums/ums.xml
Error Log:
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-pluginEnabled' attribute of entry 'cn=referential integrity postoperation,cn=plugins,cn=config'.
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-pluginarg10' attribute of entry 'cn=referential integrity postoperation,cn=plugins,cn=config'.
ldap_add: Already exists
ldap_add: Insufficient access
ldap_add: Insufficient access
ldap_add: Insufficient access
ldap_add: Insufficient access
ldap_add: Insufficient access
ldap_add: Already exists
ldap_add: Already exists
ldap_add: Already exists
ldap_add: Already exists
ldap_add: Already exists
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-sizelimit' attribute of entry 'cn=config'.
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-timelimit' attribute of entry 'cn=config'.
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-lookthroughlimit' attribute of entry 'cn=config,cn=ldbm database,cn=plugins,cn=config'.
ldap_add: Already exists
ldap_add: Insufficient access
ldap_add: additional info: Insufficient 'add' privilege to add the entry 'ou=DSAME Users,o=isp'.
ldap_modify: Type or value exists
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'o=isp'.
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'o=isp'.
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'o=isp'.
ldap_add: No such object
ldap_add: matched: o=isp
ldap_add: No such object
ldap_add: matched: o=isp
/opt/SUNWam/bin/amadmin: -Dcom.sun.identity.sm.enableDataStoreNotification=true: not found
Error 29: ServiceManager Exception
Error 10: Cannot process requests:
sms-UNKNOWN_EXCEPTION_OCCURRED
Identity Server Configuration Failed ...
Configuration failed for : ISConfigurator
*** End configuring ISConfigurator***Please suggest...
Thanks in advance
LaloYou can't install Access Manager without full control on the base organization.
You need the Directory Manager user (maybe with a temporary password) or a user with full permissions on the Access Manager root DN.
Hope It Helps
Saludos!! -
UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)
PREAMBULA: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc-links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
Is there some known bug or workaround that matches this description?
Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in UWC/CE web-interface. I have reported them before, then they seemed fixed (not occuring for several tests in a row), but as time has shown, something wrong is still there.
So I'll try to go into deeper detail now, as we've may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
Our setup is split into several Solaris 10 full-root zones hosted on several servers, some of the components are enroute to HA (perhaps we made some mistakes on this part of the way?)
So, we have the following software stack:
1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its servicess.
The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
# imsimta version
Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
"Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (i.e. www.mail.domain.ru which is equivalent in DNS), they have only the Address book, Calendar and Options tabs; no webmail. So far this is resolved by Policy Agent forcing The One name of the server.
Here's the configuration we did specifically for AM SSO:
1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
com.iplanet.am.cookie.encode=false
am.encryption.pwd=<the same value>
all hostname-related parameters point to "psam.domain.ru"
2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
3) in "msg.conf" on "sunmail" (entries added via configutil):
local.webmail.sso.amcookiename = iPlanetDirectoryPro
local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
local.webmail.sso.singlesignoff = yes
local.webmail.sso.uwcenabled = 1
service.http.ipsecurity = no
(perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
--- main.js.orig Sat Jan 26 07:52:09 2008
+++ main.js Mon Jul 21 01:06:29 2008
@@ -667,7 +667,8 @@
function cleanup() {
if(laurel)
- top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+// top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+ top.window.location = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
else
exec('logout', '', 'exit()')
@@ -1707,7 +1708,8 @@
if(lg) {
url = document.location.href
url = url.substr(0,url.indexOf('webmail'))
- uwcurl = url + 'base/UWCMain?op=logout'
+// uwcurl = url + 'base/UWCMain?op=logout'
+ uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
exit()
}6) Calendar SSO - per docs...
According to ngrep sniffing,
1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
<Request><![CDATA[
<NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
<GetNamingProfile>
</GetNamingProfile>
</NamingRequest>]]>
</Request>
</RequestSet>(receives a large XML list of different Access Manager configuration parameters and URLs)
...then a double-request to /amserver/sessionservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="Session" reqid="686">
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="678">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]>
</Request>
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="679">
<AddSessionListener>
<URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</AddSessionListener>
</SessionRequest>]]>
</Request>
</RequestSet>As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
!!!*** Now, the problem part ***!!!
8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
For the most detail I can provide, I'll even paste the whole HTTP packet:
POST /amserver/sessionservice HTTP/1.1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
Content-type: text/xml;charset=UTF-8
Content-length: 336
Cache-control: no-cache
Pragma: no-cache
User-agent: Java/1.5.0_09
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Host: cos-psam-01.domain.ru
Client-ip: 194.xxx.xxx.xxx
Via: 1.1 https-weblb.domain.ru
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="258">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]></Request>
</RequestSet> The server's error response is apparent:
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 31 Jul 2008 05:49:50 GMT
Content-type: text/html
Transfer-encoding: chunked
19b
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="258">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
<GetSession>
<Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
</GetSession>
</SessionResponse>]]></Response>
</ResponseSet>On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
POST /amserver/sessionservice HTTP/1.1
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
Content-Type: text/xml;charset=UTF-8
Content-Length: 379
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.5.0_09
Host: psam.domain.ru
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="281">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
<SetProperty>
<SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
<Property name="uwcstatus" value="active"></Property>
</SetProperty>
</SessionRequest>]]></Request>
</RequestSet> ...and the response is OK:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="281">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
<SetProperty>
<OK></OK>
</SetProperty>
</SessionResponse>]]></Response>
</ResponseSet>There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
The solution for these customers was the following:
=> AM server/client side:
Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
=> AM client (UWC) side:
- Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
<sun-web-app>
<property name="encodeCookies" value="false"/>
<session-config>
<session-manager/>
</session-config>
<jsp-config/>
<property name="allowLinking" value="true" />
</sun-web-app>Regards,
Shane. -
Too Slow - Domino 6.5.4 with access manager agent 2.2 ?
I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
I think AMAgent.properties is not good for SSO.
Please help me to tune it.
# $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
# Copyright ? 2002 Sun Microsystems, Inc. All rights reserved.
# U.S. Government Rights - Commercial software. Government users are
# subject to the Sun Microsystems, Inc. standard license agreement and
# applicable provisions of the FAR and its supplements. Use is subject to
# license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
# trademarks or registered trademarks of Sun Microsystems, Inc. in the
# U.S. and other countries.
# Copyright ? 2002 Sun Microsystems, Inc. Tous droits r閟erv閟.
# Droits du gouvernement am閞icain, utlisateurs gouvernmentaux - logiciel
# commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
# licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
# vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl閙ents
# ? celles-ci.
# Distribu? par des licences qui en restreignent l'utilisation. Sun, Sun
# Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
# marques d閜os閑s de Sun Microsystems, Inc. aux Etats-Unis et dans
# d'autres pays.
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Access Manager
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Access Manager will disable the SDK.
com.sun.am.cookie.name = iPlanetDirectoryPro
# The URL for the Access Manager Naming service.
com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
# The URL of the login page on the Access Manager.
com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
# Name of the file to use for logging messages.
com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
com.sun.am.policy.agents.config.local.log.rotate = true
# Name of the Access Manager log file to use for logging messages to
# Access Manager.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Access Manager.
com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
# Set the logging level for the specified logging categories.
# The format of the values is
# <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
# 0 Disable logging from specified module*
# 1 Log error messages
# 2 Log warning and error messages
# 3 Log info, warning, and error messages
# 4 Log debug, info, warning, and error messages
# 5 Like level 4, but with even more debugging messages
# 128 log url access to log file on AM server.
# 256 log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.log.level =
# The org, username and password for Agent to login to AM.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certdb.prefix =
# Should agent trust all server certificates when Access Manager
# is running SSL?
# Possible values are true or false.
com.sun.am.trust_server_certs = true
# Should the policy SDK use the Access Manager notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notification.enable = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.url_comparison.case_ignore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.polling.interval=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the access manager. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userid.param=UserToken
# Profile attributes fetch mode
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-
number,c|country
# Session attributes mode
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.session.attribute.map=
# Response Attribute Fetch Mode
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.response.attribute.map=
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.lb.cookie.name = GX_jst
# indicate where a load balancer is used for Access Manager
# services.
# true | false
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.config.version=2.2
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
# Locale setting.
com.sun.am.policy.agents.config.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.config.instance.name = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.config.do_sso_only = true
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.config.accessdenied.url =
# This property indicates if FQDN checking is enabled or not.
com.sun.am.policy.agents.config.fqdn.check.enable = true
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
# com.sun.am.policy.agents.config.fqdn.map
com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Access Manager policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.config.fqdn.map =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Access Manager for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
com.sun.am.policy.agents.config.cookie.reset.enable=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Access Manager.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.config.cookie.reset.list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
com.sun.am.policy.agents.config.cookie.domain.list=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.config.anonymous_user=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.config.anonymous_user.enable=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?
OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.config.notenforced_list.invert = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.config.notenforced_client_ip_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.config.postdata.preserve.enable = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url =
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.config.client_ip_validation.enable = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.config.logout.url=
#http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.config.logout.cookie.reset.list =
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Access Manager.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetch_from_root_resource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.config.get_client_host_name = false
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.config.convert_mbyte.enable = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.policy.agents.config.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port =
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
com.sun.am.policy.agents.config.override_notification.url =
# The following property defines how long to wait in attempting
# to connect to an Access Manager AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active Access Manager Auth server"
com.sun.am.policy.agents.config.connection_timeout =
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# The three following properties are for IIS6 agent only.
# The two first properties allow to set a username and password that will be
# used by the authentication filter to pass the Windows challenge when the Basic
# Authentication option is selected in Microsoft IIS 6.0. The authentication
# filter is named amiis6auth.dll and is located in
# Agent_installation_directory/iis6/bin. It must be installed manually on
# the web site ("ISAPI Filters" tab in the properties of the web site).
# It must also be uninstalled manually when unintalling the agent.
# The last property defines the full path for the authentication filter log file.
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilterHi,
I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
I have the box to identify but it doesnot connect me on my opensso server.
It still identify with Domino's server
Thanks for your response
Thomas -
After two days of not being able to open Firefox, I found an article on this website which suggested that I create a new profile. I followed the instructions (which never stated that I should first backup Firefox or my old profile) After creating the new profile, Firefox is once again working fine but, I am unable to access important data such as bookmarks and history.
I have followed several suggestion on this website but, I am still unable to find my old profile content.As long as you did not uninstall Firefox and remove personal data, your old profile still should be in the same location. Depending on how messed up it was, here are two options:
'''(1) Use the profile manager to start Firefox up in your old profile and create a fresh bookmarks backup.''' If it didn't run, this won't be useful.
To start in a different profile, Exit out of Firefox and start it up from the Start menu, search box, using
firefox.exe -P
Your old profile may have a name like default.
Then you can create a fresh backup or export of your bookmarks (or both) to a neutral location (e.g., the Documents folder). These articles have the steps for creating these files:
* [[Restore bookmarks from backup or move them to another computer]]
* [[Export Firefox bookmarks to an HTML file to back up or transfer bookmarks]] (note: does not preserve tags you have assigned to bookmarks, if any)
Exit Firefox, use the profile manager to return to your new profile, then you can either restore the bookmark backup or import the HTML file. The difference is that a restore completely replaces whatever exists now, while an import adds to what you have now.
* [[Restore bookmarks from backup or move them to another computer]]
* [[Import Bookmarks from an HTML file]]
Success?
'''(2) Restore an old bookmark backup.''' Firefox creates these files regularly, but it might not be perfectly complete.
To access the old files, I suggest starting from your current (new) profile folder. You can open that from within Firefox using either:
* "3-bar" menu button > "?" button > Troubleshooting Information
* (menu bar) Help > Troubleshooting Information
* type or paste about:support in the address bar and press Enter
In the first table on the page, click the "Show Folder" button. This should launch a new window showing your ''current'' settings files. Using the address bar of that window, click up to the Profiles folder level and then double-click into your old profile folder, then into its bookmarkbackups folder. Copy the latest backup file to a neutral location (such as your Documents folder).
Back in Firefox, try to restore the older backup. Note: this will completely replace your bookmarks in this profile, so if you have saved new bookmarks you want to save, please perform the optional steps in the following list:
* Optional (preserve new bookmarks): [[Export Firefox bookmarks to an HTML file to back up or transfer bookmarks]]
* [[Restore bookmarks from backup or move them to another computer]] - use Choose File to go to your Documents folder to get the old backup
* Optional (add new bookmarks to the restored set): [[Import Bookmarks from an HTML file]]
Success? -
Load Balancing Directory Servers with Access Manager - Simple questions
Hi.
We are in the process of configuring 2 Access Manager instances (servers) accessing the same logical LDAP repository (comprising physically of two Directory Servers working together with Multi-Master Replication configured and tested) For doing this, we are following guide number 819-6258.
The guide uses BigIP load balancer for load balancing the directory servers. However, we intend to use Directory Proxy Server. Since we faced some (unresolved) issues last time that we used DPS, there are some simple questions that I would be very grateful to have answers to:
1. The guide, in section 3.2.10 (To configure Access Manager 1 with the Directory Server load balancer), talks about making changes at 4 places, and replacing the existing entry (hostname and port) with the load balancer's hostname and port (assuming that the load balancer has already been configured). It says that changes need not be made on Access Manager 2 since the LDAPs are in replication, and hence changes will be replicated at all places. However, the guide also states that changes have to be made in two files, namely AMConfig.properties, and the serverconfig.xml file. But these changes will not be reflected on Access Manager 2, since these files are local on each machine.
Question 1. Do changes have to be made in AMConfig.properties and serverconfig.xml files on the other machine hosting Access Manager 2?
Question 2: What is the purpose of putting these values here? Specifically, what is achieved by specifying the Directory server host and port in AMConfig.properties, as well as in serverconfig.xml?
Question 3. In the HTTP console, there is the option of specifying multiple primary LDAP servers, as well as multiple secondary LDAP servers. What is the purpose of these? Are secondary servers attempted when none of the list in the primary list are accessible? Also, if there are multiple entries in the primary server list, are they accessed in a round robin fashion (hereby providing rudimentary load balancing), or are other servers accessed only when the one mentioned first is not reachable etc.?
2. Since I do not have a load balancer setup yet, I tried the following deviation to the above, which, according to me, should have worked. If viewed in the HTTP console, LDAP / Membership / MSISDN and Policy configuration all pointed to the DS on host 1. When I changed all these to point to the directory server on host 2 (and made AMConfig.properties and serverconfig.xml on host 1 point to DS of host 2 as well), things should have worked fine, but apparently Access manager 1 could not be started. Error from Webserver:
[14/Aug/2006:04:30:36] info (13937): WEB0100: Loading web module in virtual server [https-machine_1_FQDN] at [search]
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Exception in thread "EventService" java.lang.ExceptionInInitializerError
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.iplanet.services.ldap.event.EventServicePolling.run(EventServicePolling.java:132)
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at java.lang.Thread.run(Thread.java:595)
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Caused by: java.lang.InterruptedException
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.sun.identity.sm.ServiceManager.<clinit>(ServiceManager.java:74)
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: ... 2 more
In effect, AM on 1 did not start. On rolling back the changes, things again worked like previously.
Will be really grateful for any help / insight / experience on dealing with the above.
Thanks!Update to the above, incase anyone is reading:
We setup a similar setup in Windows, and it worked. Here is a detailed account of what was done:
1. Host 1: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST1:389)
2. Host 2: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST2:389)
3. Host 1: Started replication. Set to Master
4. Host 2: Started replication. Set to Master
5. Host 1: Setup replication agreement to Host 2
6. Host 2: Setup replication agreement to Host 1
7. Initiated the remote replica from Host 1 ----> Host 2
Note that since default installation uses abc.....xyz as the encryption key, setting this to same was not an issue.
9. Started webserver for Host 1 and logged into AM as amadmin.
10. Added Host 2 FQDN in DNS Aliases / Realms
11. Added http://HOST2_FQDN:80 in the Platform server (instance) list.
12. Started Host 2 webserver. Logged in AM on Host 2, things worked fine.
At this stage, note the following:
a) Host 1:
AMConfig.properties file has
com.iplanet.am.directory.host=host1_FQDN
and
com.iplanet.am.directory.port=389
serverconfig.xml has:
<Server name="Server1" host="host1_FQDN" port="389" type="SIMPLE" />
b) Host 2:
AMConfig.properties file has
com.iplanet.am.directory.host=host2_FQDN
and
com.iplanet.am.directory.port=389
serverconfig.xml has:
<Server name="Server1" host="host2_FQDN" port="389" type="SIMPLE" />
c) If one logs into AM, and checks LDAP servers for LDAP / Policy Configuration / Membership etc services, they all contain Host2_FQDN:389 (which makes sense, since replica 2 was initialized from 1)
Returning back to the configuations:
13. On Host 1, login into the Admin server console of the Directory server. Navigate to the DPS, and confgure the following:
a) Network Group
b) LDAP servers
c) Load Balancing
d) Change Group
e) Action on-bind
f) Allow all actions (permit modification / deletion etc.).
g) any other configuations required - Am willing to give detailed steps if someone needs them to help me / themselves! :)
So now, we have DPS configured and running on Host1:489, and distributing load to DS1 and DS2 on a 50:50 basis.
14. Now, log into AM on Host 1, and instead of Host1_fqdn:389 (for DS) in the following places, specify Host1_fqdn:489 (for the DPS)--
LDAP Authentication
MSISDN server
Membership Service
Policy configuation.
Verified that this propagated to the Policy Configuration service and the LDAP authentication service that are already registered with the default organization.
15. Log out of AM. Following the documentation, modify directory.host and directory.port in AMConfig.properties to point to Host 1_FQDN and 489 respectively. Make this change in AMConfig.properties of both Host 1 as well as 2.
16. Edit serverconfig.xml on both hosts, and instead of they pointing to their local directory servers, point both to host1_FQDN:489
17. When you start the webserver, it will refuse to start. Will spew errors such as:
[https-host1_FQDN]: Sun ONE Web Server 6.1SP5 B06/23/2005 17:36
[https-host1_FQDN]: info: CORE3016: daemon is running as super-user
[https-host1_FQDN]: info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_04] from [Sun Microsystems Inc.]
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amserver]
[https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [ampassword]
[https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amcommon]
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amconsole]
[https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [search]
[https-host1_FQDN]: warning: CORE3283: stderr: netscape.ldap.LDAPException: error result (32); matchedDN = dc=sun,dc=com; No such object (DN changed)
[https-host1_FQDN]: warning: CORE3283: stderr: Got LDAPServiceException code=-1
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getConnection(DSConfigMgr.java:357)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewFailoverConnection(DSConfigMgr.java:314)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewConnection(DSConfigMgr.java:253)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:184)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:194)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.initLdapPool(DataLayer.java:1248)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.(DataLayer.java:190)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:215)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:246)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.initialize(SMSLdapObject.java:156)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.(SMSLdapObject.java:124)
[https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
[https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
[https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
[https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
[https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance0(Class.java:350)
[https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance(Class.java:303)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.SMSEntry.(SMSEntry.java:216)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ServiceSchemaManager.(ServiceSchemaManager.java:67)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.getServiceSchemaManager(AMClientDetector.java:219)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.(AMClientDetector.java:94)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.mobile.filter.AMLController.init(AMLController.java:85)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:322)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:120)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3271)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3747)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
[https-host1_FQDN]: failure: WebModule[amserver]: WEB2783: Servlet /amserver threw load() exception
[https-host1_FQDN]: javax.servlet.ServletException: WEB2778: Servlet.init() for servlet LoginLogoutMapping threw exception
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:949)
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
[https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
[https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
[https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
[https-host1_FQDN]: ----- Root Cause -----
[https-host1_FQDN]: java.lang.NullPointerException
[https-host1_FQDN]: at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
[https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
[https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
[https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
[https-host1_FQDN]:
[https-host1_FQDN]: info: HTTP3072: [LS ls1] http://host1_FQDN:58080 [i]ready to accept requests
[https-host1_FQDN]: startup: server started successfully
Success!
The server https-host1_FQDN has started up.
The server infact, didn't start up (nothing even listening on 58080).
However, if AMConfig.properties is left as it originally was, and only serverconfig.xml files were changed as mentioned above, web servers started fine, and things worked all okay. (Alright, except for some glitches when viewed in /amconsole. If /amserver/console is accessed, all is good. Can this mean that all is still not well? I am not sure).
So far so good. Now comes the sad part. When the same is done on Solaris 9, things dont work. You continue to get the above error, OR the following error, and the web server will refuse to start:
Differences in Solaris and Windows are as follows:
1. Windows hosts have 1 IP and hostname. Solaris hosts have 3 IPs and hostnames (for DS, DPS, and webserver).
No other difference from an architectural perspective.
Any help / insight on why the above is not working (and why the hell does the documentation seem so sketchy / insecure / incorrect).
Thanks a bunch! -
Sun Access Manager to OpenSSO 8 migration
Hi,
I'm trying to migrate from Sun Java System Access Manager/Sun Directory Server 5.2 to Oracle OpenSSO 8/Sun Directory Server 11. After creating the same suffix (dc=example) from DS 5.2 to DS 11, I installed and configured OpenSSO. After that I export/import my application subtree (o=appl1) from a ldiff file. Everything works good (user, groups, roles, etc) except policies. In Access Manager my policies is keep under ou=iPlanetAMPolicyService,ou=services,o=appl1,dc=example and if I manually create a policy in OpenSSo it's created under ou=iPlanetAMPolicyService,ou=services,o=appl1,ou=services,dc=example. To read policies from my application I use PolicyManager and if it possible I dont want to change the code. Is it possible to tell OpenSSO to keep my policies under ou=iPlanetAMPolicyService,ou=services,o=appl1,dc=example instead of ou=iPlanetAMPolicyService,ou=services,o=appl1,ou=services,dc=example or I need to modify my ldif file or other way ? Thanks for your help.You should use the MS Access Migration Wizard available from OTN.
Go to the Technology section, then click Migration, then click
Oracle's Migration Toolkits, then click Microsoft Access and from
there you can get the wizard to migrate from Access 2.0. It does
not run on Windows 98. I am not sure whether it is a
recommendation or a requirement to upgrade to Access 97.
bill barnes (guest) wrote:
: I have been tasked with migrating an access 2.0 database to an
: oracle 8 running on novell 5 server. I have found
documentation
: that says it is best to upgrade the access 2.0 database to
access
: 97 then compress the data before the migration. My question is
: whether or not this is necessary/recommended? Which migration
: tool kit/workbench do I need? Any horror stories from a
: migration such as this or any tips to make this as seamless as
: possible?
: Thanks for any help,
: Bill
Oracle Technology Network
http://technet.oracle.com
null -
How to trigger other devices by Cisco Physical Access Management?
Hi all,
A question about Cisco Physical Access Management(PAM) here. We will achieve a goal like this:
step 1. A staff swipe the badge and get into the room;
step 2. The device in this room will be triggered to set up or to turn on at the same time, such as Ip-phone, light, screen of DMP...
step 3.(optional) When the staff exits the room and swipes the badge, all the devices will be turned off.
Is this dorable for PAM to finish this trigger? Or some more work of developing need to do based on PAM?
Thanks!
Ziwei FanHi Bharaty,
thanks for your suggestion. I tried adding the tag as you suggested, sadly it does not work for me.
I had a little look at the coding in the tag, as I hope for the solution being in there. What makes me wonder is that I can specify the attribute TIMER in the tag, but the coding does not access it. The amount of time the "Please wait..." is shown is read from the technical profile.Which is 0 in my case.
Thus I tried setting it to 5000 in the debugger, but still no spinning thingy locking the UI.
Anyhow in the Scripts repository I found the JS functions usually used to trigger the functionality:
showSubmitInProgress(show, delay)
Even calling it directly does not work for me
I really suppose it has something to do with the area frame tag and the late rendering. It still keeps me wondering why I can not trigger server round trips from JS as I can normally do.
cheers Carsten -
Can not configure Access Manager
Hi all,
1. I istalled Sun java messaging server 6.
2. I edit amsamplesilent to prepare amsamplesilent.my:
# cd /opt/SUNWam/bin
#mv amsamplesilent amsamplesilent.my
3. I configure Access Manager:
#./amconfig -s amsamplesilent.my but get the following error:
# ./amconfig amsamplesilent.my
Usage: amconfig -s <silentinputfile>
./amconfig: Sourcing ./amutils
ln: cannot create /opt/SUNWam/lib/jaxrpc-spi.jar: File exists
chown: jaxrpc-spi.jar: No such file or directory
full install
./amdsconfig: Sourcing ./amutils
LD_LIBRARY_PATH is --- /usr/lib/mps/secv1:/usr/lib/mps/secv1:/usr/lib/mps/secv1:/opt/SUNWam/lib:/opt/SUNWam/ldaplib/ldapsdk
CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss3.jar:/opt/SUNWam/lib/am_sdk.jar
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 4
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 5
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 6
ERROR : Loading of Access Manager schema into the Directory failed
Starting the tag swapping of the install.ldif and installExisting.ldif
ROOT_SUFFIX is dc=iplanet,dc=com
People_NM_ROOT_SUFFIX is People_dc=iplanet_dc=com
SERVER_HOST sample.red.iplanet.com
DIRECTORY_SERVER sample.red.iplanet.com
DIRECTORY_PORT 389
USER_NAMING_ATTR uid
ORG_NAMING_ATTR o
CONSOLE_DEPLOY_URI /amconsole
ORG_OBJECT_CLASS sunismanagedorganization
RS_RDN iplanet
USER_OBJECT_CLASS inetorgperson
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
ERROR : Configuring/Loading of the default DIT in the Directory Server failed
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
Warning : Plugins and Indexes already exist.
./amsvcconfig: Sourcing ./amutils
LD_LIBRARY_PATH is --- /usr/lib/mps/secv1:/usr/lib/mps/secv1:/usr/lib/mps/secv1:/opt/SUNWam/lib:/opt/SUNWam/ldaplib/ldapsdk
CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss3.jar:/opt/SUNWam/lib/am_sdk.jar
ldap_simple_bind: Can't connect to the LDAP server - No route to host
Loading service schema XML files ...
Info 112: Entering ldapAuthenticate method!
Error 15: Cannot authenticate user.
LDAP authentication failed.
Error 9: Operation failed: Error 15: Cannot authenticate user.
Error occured while loading: /etc/opt/SUNWam/config/ums/ums.xml
./amws61config: Sourcing ./amutils
/opt/SUNWam/console.war: No such file or directory
current web app is applications
copying files from sunwamconsdk
Swapping tag swap in index.html files ...
Making amconsole.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/applications (/opt/SUNWam/amconsole.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/applications for /amconsole
wdeploy deploy -u /amconsole -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/applications /opt/SUNWam/amconsole.war
[wdeploy] The war file name is /opt/SUNWam/amconsole.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amconsole
/opt/SUNWam/services.war: No such file or directory
current web app is services
Swapping tag swap in index.html files ...
Making amserver.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/services (/opt/SUNWam/amserver.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/services for /amserver
wdeploy deploy -u /amserver -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/services /opt/SUNWam/amserver.war
[wdeploy] The war file name is /opt/SUNWam/amserver.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amserver
/opt/SUNWam/password.war: No such file or directory
current web app is password
Swapping tag swap in index.html files ...
Making ampassword.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/password (/opt/SUNWam/ampassword.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/password for /ampassword
wdeploy deploy -u /ampassword -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/password /opt/SUNWam/ampassword.war
[wdeploy] The war file name is /opt/SUNWam/ampassword.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /ampassword
/opt/SUNWam/introduction.war: No such file or directory
current web app is common
Swapping tag swap in index.html files ...
Making amcommon.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/common (/opt/SUNWam/amcommon.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/common for /amcommon
wdeploy deploy -u /amcommon -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/common /opt/SUNWam/amcommon.war
[wdeploy] The war file name is /opt/SUNWam/amcommon.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amcommon
Checking if Web Server is already configed with Access Manager
Configuring Web Server
Mime type: 'type=text/vnd.wap.wml' already exists: Skipping ....
Mime type: 'type=image/vnd.wap.wbmp' already exists: Skipping ....
I tried again but I still get this error.
Any Ideas for this problem?
Thanks.ldap_simple_bind: Can't connect to the LDAP server - No route to host
i would consider this a fatal error.
The system cannot locate where your Directory Server is. "no route to host" means that it's trying to get to the host, but your networking isn't set up correctly, and it doesn't find any route to get to the specified host. -
Problem with second instance of access manager
Well, after sorting out things with the first install of access manager, I went on to install a second instance on a different host (it's required for delegated admin..)
Here are the options I used on install:
Access Manager: Administration (1 of 6)
Administrator User ID: amAdmin
Administrator Password [] {"<" goes back, "!" exits}:
Retype Password [] {"<" goes back, "!" exits}:
LDAP User ID: amldapuser
LDAP Password [] {"<" goes back, "!" exits}:
Retype Password [] {"<" goes back, "!" exits}:
Password Encryption Key [gFoe4t8UlUW3wEApngAY3S8bCQFVMlGk] {"<" goes back,
"!" exits}: weW5jtopMLQsODiBZDp+hlEp1/CtbiXX
Install type (Realm/Legacy) Mode [Legacy] {"<" goes back, "!" exits}:
Access Manager: Web Container (2 of 6)
1. Sun Java System Application Server
2. Sun Java System Web Server
Select the container to deploy the component and hit enter key [2] {"<" goes
back, "!" exits}
Access Manager: Sun Java System Web Server (3 of 6)
Host Name [zone2.corenode.com] {"<" goes back, "!" exits}:
Web Server Instance Directory [opt/SUNWwbsvr/https-zone2.corenode.com] {"<"
goes back, "!" exits}:
Web Server Port [80] {"<" goes back, "!" exits}:
Document Root Directory [opt/SUNWwbsvr/docs] {"<" goes back, "!" exits}:
Secure Server Instance Port [No] {"<" goes back, "!" exits}:
Access Manager: Web Container for running Access Manager Services(4 of 6)
Host Name [zone2.corenode.com] {"<" goes back, "!" exits}:
Services Deployment URI [amserver] {"<" goes back, "!" exits}:
Common Domain Deployment URI [amcommon] {"<" goes back, "!" exits}:
Cookie Domain(Assure it is not a top level domain) [.corenode.com] {"<" goes
back, "!" exits}:
Administration Console [Yes] {"<" goes back, "!" exits}:
Console Deployment URI [amconsole] {"<" goes back, "!" exits}:
Password Deployment URI [ampassword] {"<" goes back, "!" exits}:
Access Manager: Directory Server Information (5 of 6)
Directory Server Host [] {"<" goes back, "!" exits}: zone1.corenode.com
Directory Server Port [] {"<" goes back, "!" exits}: 389
Directory Root Suffix [dc=corenode,dc=com] {"<" goes back, "!" exits}:
Directory Manager DN [cn=Directory Manager] {"<" goes back, "!" exits}:
Directory Manager Password [] {"<" goes back, "!" exits}:
Access Manager: Directory Server Information (6 of 6)
Is Directory Server provisioned with user data [No] {"<" goes back, "!"
exits}? Yes
Organization Marker Object Class [sunISManagedOrganization] {"<" goes back,
"!" exits}:
Organization Naming Attribute [o] {"<" goes back, "!" exits}:
User Marker Object Class [inetorgperson] {"<" goes back, "!" exits}:
User Naming Attribute [uid] {"<" goes back, "!" exits}:
Yes, I am using the same key as was used on host1 for access manager. Yes, access manager on host 1 is quite functional right now. Yes, that directory server works. Now I'm really stumped on what to do! Everything in JES seems to work great except access manager, the exceptions it throws really don't help any at all in troubleshooting.
Any ideas?More info from error logs:
# pwd
/var/opt/SUNWam/debug
# tail -200 amAuth
04/12/2006 09:56:47:127 AM HST: Thread[main,5,main]
ERROR: AuthD failed to get auth session
04/12/2006 09:56:47:165 AM HST: Thread[main,5,main]
ERROR: AuthD init()
com.iplanet.dpro.session.SessionException: AuthD failed to get auth session
at com.sun.identity.authentication.service.AuthD.initAuthSessions(AuthD.java:709)
at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:229)
at com.sun.identity.authentication.service.AuthD.getAuth(AuthD.java:494)
at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
# tail -200 amSession
04/12/2006 09:56:47:098 AM HST: Thread[main,5,main]
ERROR: SessionService.SessionService(): Initialization Failed
com.iplanet.services.naming.ServerEntryNotFoundException: Cannot find server ID.
at com.iplanet.services.naming.WebtopNaming.getServerID(WebtopNaming.java:350)
at com.iplanet.dpro.session.service.SessionService.<init>(SessionService.java:1540)
at com.iplanet.dpro.session.service.SessionService.getSessionService(SessionService.java:382)
at com.sun.identity.authentication.service.AuthD.getSS(AuthD.java:685)
at com.sun.identity.authentication.service.AuthD.initAuthSessions(AuthD.java:706)
at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:229)
at com.sun.identity.authentication.service.AuthD.getAuth(AuthD.java:494)
at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
04/12/2006 09:56:47:126 AM HST: Thread[main,5,main]
ERROR: Error creating service session
java.lang.NullPointerException
at com.iplanet.dpro.session.service.SessionService.generateEncryptedID(SessionService.java:588)
at com.iplanet.dpro.session.service.SessionService.generateSessionId(SessionService.java:612)
at com.iplanet.dpro.session.service.SessionService.newInternalSession(SessionService.java:557)
at com.iplanet.dpro.session.service.SessionService.getServiceSession(SessionService.java:501)
at com.iplanet.dpro.session.service.SessionService.getAuthenticationSession(SessionService.java:408)
at com.sun.identity.authentication.service.AuthD.initAuthSessions(AuthD.java:706)
at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:229)
at com.sun.identity.authentication.service.AuthD.getAuth(AuthD.java:494)
at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
# -
Setting up Access Manager and Directory Server for Failover.
I'm setting up 2 Access Managers AM1,AM2 and 2 Directory Servers DS1 and DS2 for failover. I've connected AM1 and AM2 to DS1. Suffixes of DS1 is replicated to DS2. Any change made to AM1 is replicated to AM2 as expected. I just patched AM1 with Access Manager patch 1 and the version information for AM1 shows 7.1 126359-01. I followed the same procedure to patch AM2 but AM2 still shows ver 7.1.
How do I make sure both Access Managers are patched to the same version?
I'm able to authenticate to one IIS6 site and authentication is passed on to Outlook Web Access on AM1 but when I shut down AM1 to test failover to AM2 OWA prompts me again for password. How do I resolve this?
On AM1 http://host.domain/amserver/UI/Login?realm=sso successfully logs in but the same on AM2 gives Warning that "You have already logged in. Do you want to log out and then login to a different organization?"
Please help !!!I'll answer what bits I can:
Q: AM showing the same version?
A: No idea on this one. I would have expected the operation you described to have produced the right answer. Check that neither your application server nor your web browser are caching old pages (ctrl-F5 in my browser)
Q: How do I resolve re-authentication on failover?
A: The AM documentation includes a deployment example that covers pretty closely what it is you are trying to achieve:
http://docs.sun.com/app/docs/doc/820-2278
Specifically, the problem you are describing is related to session failover. The sessions are stored in a local DB so when you failover the backup server does not store the same information and hence requires a reauthentication. The section of the above doc that deals with this is here:
http://docs.sun.com/app/docs/doc/820-2278/gdsre?l=en&a=view
Q: "You have already logged in" warning
A: No idea. Sorry.
R -
Problem of degradation in Access Manager 7.1 in SUNWappserv8.2
Hi all,
We have a problem in our enviroment...
Have 2 nodes of AM, periodically we have some problems of degradation in each node, high times of response +30seconds, all seems perfect until some more traffic or requests begin to appears in the system, the rare is somes request going well and other going bad with more 30 seconds of time.... we are searching problems like memory leak but all is perfect "word of our support" even the machine is nice, not saturate....
Not found nothing in server.log, is like nothing happen but our times of resquest are so high even produces than in the other node the queue of notification rise so fast to the limit.
What could be?
could be a problem with our ldap connections than enqueue and affect to the listener?
In the moments of problems even with curls the port of AM response so so slowly more than 30 seconds, but seems fixed in some minutes so, we especulate with the high traffic, but the rare is the other node all is perfect! no problems, not saturate... Only have logs (a lot of) in the server.log of appserv of the node with problems like:
|SEVERE|sun-appserver-ee8.2|javax.enterprise.system.container.web|_ThreadID=73;|failure (11210): HTTP3068: Error
receiving request from xxxxx (Not connected)
And in PA we have some logs than means saturation or high load
"Error 30678:8779160 SSOTokenService::getSessionInfo(): Error 18 for sso token ID"
but like i said the other node not show that, and the high load is basically the same all days.
could we find some answers with a kill -3 of the instance?
We discarded problems with ndsltimeout of ldap firewall or balancer
Thanks a lot!We found a reason of this degradation, could be possible than, if one Policy Agent not answer, because the appserv -in this case weblogic- is saturated, could affected to the AM? I mean the appserv where the PA is installed depend of a finale system and this system is generating timeouts, and the appserv the is affected and the PA installed in it too, then all requests from the Access Manager have times of 30 40 50 seconds...
Can we have a solution configuring some specs in the AM or the solaris connections? like timeouts or time request?
I think the problem is this, because this PA installed attend the most request of the users
Anyway we thought than can fight to this tunning some specs in solaris like tcp_conn_req_max_q or tcp_conn_req_max_q0 and some timeouts like -Dsun.net.client.defaultConnectTimeout=10000 -Dsun.net.client.defaultReadTimeout=10000 but not seems enough because we are suffering this problems again.
If someone have an idea will be awesome, thanks! -
Getting error while opening Sun access manager console
We are facing problem while accessing console of Sun Access Manager. We got No Page Found error whenever we try to access the Sun Access Manager console. We have tried restarting the directory server and web server but even that doesn�t help us. Following are the error that gets recorded in log files:-
ERROR: AuthD init() com.iplanet.dpro.session.SessionException: AuthD failed to get auth session
ERROR: Error creating service session java.lang.NullPointerExceptionThe ns-slapd.exe process belongs to the Directory Server. You should therefore check if your DS instance is set up properly.
Michael
Maybe you are looking for
-
Acrobat 6.0 upgrade to Acrobat XI?
I have a new copy of Adobe Acrobat 6.0 that has never been used. I would like to install it on Windows 8.1 and upgrade it to Acrobat XI. Is that possible?
-
I connected two USB drives to my MBP yesterday and all I was doing was transferring files from one USB drive to the other. One of the USB drives in the middle of the transfer would disconnect for no reason and the transfer would freeze. I tried to do
-
Hi. I'm pretty new to actionscript and especially object oriented programming. I'm trying to create simple puzzle game in which three sets of colored pieces move on a board like knights in chess; except when the pieces are on black sqares, in which c
-
Looking for "save as" in File ?
WHow do I locate "save as" ? I know it should be in File. Help
-
How can I get the font to be larger on my Outlook Express?
Yesterday, I was on my email Outlook Express....I'm not sure why, but the font became very small. I can't figure out how to make it a larger font so it will be easier to read.