Agent Privileges / Profiles
Hi all,
does anybody know what privileges / profiles an odi agent user requires. We try to avoid a user with "Supervisor Access Privileges" in our odiparams file.
Regards,
Jens
Hi all,
it seems that the odi agent or the at least the "internal" ODI API requires "Supervisor Access Privileges". See below the error message from our agent.log.
Regards,
Jens
[2013-09-24T16:47:02.751+02:00] [] [NOTIFICATION] [ODI-1128] [] [tid: 10] [ecid: 0000K5GS0jl7y0qTGMy0Sf1IGQNa000001,0] Agent ODIAGENT01 is starting. Container: STANDALONE. Agent Version: 11.1.1.7.0 - 02/03/2013. Port: 56101. JMX Port: 57101.
[2013-09-24T16:47:05.764+02:00] [odi] [ERROR] [] [oracle.odi.core] [tid: 10] [ecid: 0000K5GS0jl7y0qTGMy0Sf1IGQNa000001,0] odi.core.security.SecurityManager.createAuthenthication(suservisor, pwd,runasuser) detected user: ODI_BATCH is not supservisor
[2013-09-24T16:47:05.777+02:00] [] [WARNING] [ODI-1436] [] [tid: 10] [ecid: 0000K5GS0jl7y0qTGMy0Sf1IGQNa000001,0] Error retrieving ID statistics for repository ODIREP22.[[
oracle.odi.core.security.PermissionDeniedException: ODI-10164: Only supervisor user can invoke this API.
Similar Messages
-
I am seeking information about the user profile that is named in the Agent Dashboard, and how these are set-up. We are using CRM 4.0 Web Client. This particular agent dashboard screen is located on the main default login page of the web client and by clicking on the date in the lower right corner of this main page.
Hi
Sorry for the delayed reply i havnt looked in to ibots for last few months...
Steps to configure device..
After login into analytics....click on ur username u used to login and select My Account..there u can Add email..
As for as i know u can do this only if u are sending ibots to few users...
we have to create SA system subject area as shown in below URL
http://oraclebizint.wordpress.com/2008/04/25/oracle-bi-ee-101332-sa-system-subject-area-autoloading-profiles-and-bursting/
please send a test mail to [email protected] i will send u a doc with screen shots on how to add Device..
Apologies again...for the delayed reply -
Erros in Agent Inbox Profiles for Account Factsheet
Hello All,
I need my service request and service orders to appear in the account fact sheet in the interaction center role
For the missing customization I go to CRM-Interaction Center WebClient-Agent Inbox-Define Inbox Profiles where I have created a z profile screen shot attached
When I try to add my custom transaction type
The system gives me the error message below
Entry ZRVR does not exist in crmc_aui_maincat
Kind Regards
AtulHello,
You may want to follow the system instruction, and maintain entry in the given table.
This can be found in the SPRO here :
Interaction Center WebClient->Agent Inbox->Inbox Search Definitions->Define Item Types for Searches
Best regards,
Sylvain AGUETTAZ -
ISE 1.2 Profiling - User Agent attribute incorrect
Hi all,
Just troubleshooting some profiling issues and have found that multiple devices are profiling incorrectly eg MAC OSX profiling as Apple-Device. Basically the issue is the user-agent string profiled by ISE is incorrect meaning that only the OUI is matched. During the BYOD onboarding process, non Internet Browser, applications and services (games and OCSP Daemons etc) are presenting their specific user-agent strings eg "OCSPD\1.0.2" to ISE resulting in incorrect profiling.
Does anybody have any suggestions on how to resolve this issue as it is resulting in about 50% of devices been profiled at the "top level" ie Apple-Device or Windows Workstation (anything based on User-Agent). Can any one explain whether profiler works on the basis of first agent received, last agent received and why it doesn't hold onto a list of presented agents to make a decision? In my mind this is a pretty big issue in that some of the more popular device profiling policies are based on a user-agent string thus potentially preventing you from defining tight Authz policies eg IPAD only etc"Unless you have suppression configured, ISE will continue to collect profiling data and will re-profile a device as long as a rule with higher certainty factor is hit. However, if the certainty factor is the same the device will remain at its originally profiled group."
The suppression feature will not affect the re-profiling of a device. The suppression only affects the logging on the MnT node. Since the Profiling is a PSN function the suppression has no affect on the outcome of a profiling event.
You are correct in that a rule with a higher certainty factor "wins" and this is the profile that is chosen. Again, an understanding of how profiles work is not the issue here.
For example say only the RADIUS and HTTP probes are being utilized for an endpoint. There are two endpoints one is a iPad and the other an iPhone. The endpoint attributes that are known about the device are the MAC OUI and the useragent.
Based on the default profiling rules there are two three things that need to be identified either an iPhone or an iPad. The first common item is that the MAC OUI is identified as apple. This increases the certainty factor by 10. The second is either the HTTP User agent containing either iPad/iPhone or the DHCP hostname containing either iPad/iPhone. Both of those conditions would increase the certainty factor by 20 for a total of 30. Since DHCP is not being used in this example we can remove that for a possibility and say that for an iPhone to be profiled as an iPhone it must both have a MAC OUI of apple and the useragent must contain iPhone. Same goes for iPad, but iPad in the useragent.
Like smcbridebpc stated every application that uses HTTP will have a useragent string. The profiler rules assume that the useragent that is being used contains either the word iPhone or iPad to distinguish these types of devices. If an application on the device sends a useragent string such as "OCSPD\1.0.2" which is obviously the OCSP Daemon. This useragent string is "stuck" on the endpoint and no other usable useragents can be used to profile the device. Therefore a race condition exists and depending on the application that wins determines if the profiler will be accurate or not.
The only two solutions that I can think of would be to have a useragent filter that would allow you to manually filter out useragents like "OCSPD\1.0.2" (or the ISE developers could filter known unusable user agents out on the backend) OR everytime a new useragent is presented to the profiler for a device the useragent is joined to a list of useragents.
If the useragent was overwritten everytime a new useragent was presented then it would cause the device to be reclassified everytime the different applications presented useragents which would not be good.
It does look like a bug may have been filed and marked as fixed in release pending, but the bug notes do not list enough information to identify if this is the same issue that we are seeing.
https://tools.cisco.com/bugsearch/bug/CSCuj45373 -
Hi,
I have installed SAM (together with S1DS, Web Server and Administration Server (from JES installer)).
I have installed and configured Policy Agent for JBoss AS, but i'm getting a browser "Redirect loop" (Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked.) error after I login with a correct user/password combination when I try to access the sample application.
My browser accepts cookies from all domains and I get no error in console.
My AMAgent.properties looks like this:
com.sun.identity.agents.config.user.mapping.mode = USER_ID
com.sun.identity.agents.config.user.attribute.name = employeenumber
com.sun.identity.agents.config.user.principal = false
com.sun.identity.agents.config.user.token = UserToken
com.sun.identity.agents.config.client.ip.header =
com.sun.identity.agents.config.client.hostname.header =
com.sun.identity.agents.config.load.interval = 0
com.sun.identity.agents.config.locale.language = en
com.sun.identity.agents.config.locale.country = US
com.sun.identity.agents.config.organization.name = /
com.sun.identity.agents.config.audit.accesstype = LOG_BOTH
com.sun.identity.agents.config.log.disposition = ALL
com.sun.identity.agents.config.remote.logfile = amAgent_11_126_14_20_8080.log
com.sun.identity.agents.config.local.logfile = /home/ciuc/stuff/src/j2ee_agents/am_jboss_agent/agent_001/logs/audit/amAgent_11_126_14_20_8080.log
com.sun.identity.agents.config.local.log.rotate = false
com.sun.identity.agents.config.local.log.size = 52428800
com.sun.identity.agents.config.webservice.enable = false
com.sun.identity.agents.config.webservice.endpoint[0] =
com.sun.identity.agents.config.webservice.process.get.enable = true
com.sun.identity.agents.config.webservice.authenticator =
com.sun.identity.agents.config.webservice.internalerror.content = WSInternalErrorContent.txt
com.sun.identity.agents.config.webservice.autherror.content = WSAuthErrorContent.txt
com.sun.identity.agents.config.access.denied.uri =
com.sun.identity.agents.config.login.form[0] =
com.sun.identity.agents.config.login.error.uri[0] =
com.sun.identity.agents.config.login.use.internal = true
com.sun.identity.agents.config.login.content.file = FormLoginContent.txt
com.sun.identity.agents.config.auth.handler[] =
com.sun.identity.agents.config.logout.handler[] =
com.sun.identity.agents.config.verification.handler[] =
com.sun.identity.agents.config.redirect.param = goto
com.sun.identity.agents.config.login.url[0] = http://sam.domain:80/amserver/UI/Login
com.sun.identity.agents.config.login.url.prioritized = true
com.sun.identity.agents.config.agent.host =
com.sun.identity.agents.config.agent.port =
com.sun.identity.agents.config.agent.protocol =
com.sun.identity.agents.config.login.attempt.limit = 0
com.sun.identity.agents.config.sso.decode = true
com.sun.identity.agents.config.amsso.cache.enable = true
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
com.sun.identity.agents.config.cookie.reset.domain[] =
com.sun.identity.agents.config.cookie.reset.path[] =
com.sun.identity.agents.config.cdsso.enable = false
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = http://dm-test-win-1:80/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = http://dm-test-win-1:80/amserver/cdcservlet
com.sun.identity.agents.config.logout.application.handler[] =
com.sun.identity.agents.config.logout.uri[] =
com.sun.identity.agents.config.logout.request.param[] =
com.sun.identity.agents.config.logout.introspect.enabled = false
com.sun.identity.agents.config.logout.entry.uri[] =
com.sun.identity.agents.config.fqdn.check.enable = true
com.sun.identity.agents.config.fqdn.default = jbossAS.domain
com.sun.identity.agents.config.fqdn.mapping[] =
com.sun.identity.agents.config.legacy.support.enable = false
com.sun.identity.agents.config.legacy.user.agent[0] = Mozilla/4.7*
com.sun.identity.agents.config.legacy.redirect.uri = /agentapp/sunwLegacySupportURI
com.sun.identity.agents.config.response.header[] =
com.sun.identity.agents.config.redirect.attempt.limit = 0
com.sun.identity.agents.config.port.check.enable = false
com.sun.identity.agents.config.port.check.file = PortCheckContent.txt
com.sun.identity.agents.config.port.check.setting[8080] = http
com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
com.sun.identity.agents.config.notenforced.uri.invert = false
com.sun.identity.agents.config.notenforced.uri.cache.enable = true
com.sun.identity.agents.config.notenforced.uri.cache.size = 1000
com.sun.identity.agents.config.notenforced.ip[0] =
com.sun.identity.agents.config.notenforced.ip.invert = false
com.sun.identity.agents.config.notenforced.ip.cache.enable = true
com.sun.identity.agents.config.notenforced.ip.cache.size = 1000
com.sun.identity.agents.config.attribute.cookie.separator = |
com.sun.identity.agents.config.attribute.date.format = EEE, d MMM yyyy hh:mm:ss z
com.sun.identity.agents.config.attribute.cookie.encode = true
com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
com.sun.identity.agents.config.profile.attribute.mapping[] =
com.sun.identity.agents.config.session.attribute.fetch.mode = NONE
com.sun.identity.agents.config.session.attribute.mapping[] =
com.sun.identity.agents.config.response.attribute.fetch.mode = NONE
com.sun.identity.agents.config.response.attribute.mapping[] =
com.sun.identity.agents.config.bypass.principal[0] =
com.sun.identity.agents.config.default.privileged.attribute[0] = AUTHENTICATED_USERS
com.sun.identity.agents.config.privileged.attribute.type[0] = Role
com.sun.identity.agents.config.privileged.attribute.tolowercase[Role] = false
com.sun.identity.agents.config.privileged.session.attribute[0] =
com.sun.identity.agents.config.service.resolver = com.sun.identity.agents.jboss.v40.AmJBossAgentServiceResolver
com.sun.identity.agents.app.username = amagent
com.iplanet.am.service.secret = AQICJmGvlBWYuAYQndALuvNKiw==
am.encryption.pwd = /mY/WidDT34aJtbcFS0pCKFEt6evPeTF
com.sun.identity.client.encryptionKey= /mY/WidDT34aJtbcFS0pCKFEt6evPeTF
com.iplanet.services.debug.level=error
com.iplanet.services.debug.directory=/home/ciuc/stuff/src/j2ee_agents/am_jboss_agent/agent_001/logs/debug
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.iplanet.am.naming.url=http://sam.domain:80/amserver/namingservice
com.iplanet.am.notification.url=http://jbossAS.domain:8080/agentapp/notification
com.iplanet.am.session.client.polling.enable=false
com.iplanet.am.session.client.polling.period=180
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
com.iplanet.am.sdk.remote.pollingTime=1
com.sun.identity.sm.cacheTime=1
com.iplanet.am.localserver.protocol=http
com.iplanet.am.localserver.host=jbossAS.domain
com.iplanet.am.localserver.port=8080
com.iplanet.am.server.protocol=http
com.iplanet.am.server.host=sam.domain
com.iplanet.am.server.port=80
com.sun.identity.agents.server.log.file.name=amRemotePolicyLog
com.sun.identity.agents.logging.level=BOTH
com.sun.identity.agents.notification.enabled=true
com.sun.identity.agents.notification.url=http://jbossAS.domain:8080/agentapp/notification
com.sun.identity.agents.polling.interval=3
com.sun.identity.policy.client.cacheMode=subtree
com.sun.identity.policy.client.booleanActionValues=iPlanetAMWebAgentService|GET|allow|deny:iPlanetAMWebAgentService|POST|allow|deny
com.sun.identity.policy.client.resourceComparators=serviceType=iPlanetAMWebAgentService|class=com.sun.identity.policy.plugins.HttpURLResourceName|wildcard=*|delimiter=/|caseSensitive=false
com.sun.identity.policy.client.clockSkew=1011.126.14.20 is the computer where I have the JBoss installation.
11.126.14.18 is the computer where I have SAM services.
Do you have any idea why this error may occur?
Thank you in advance,
CristiHi,
Thanks for your responses, I've included my AMAgent.properties below if you could take a look at it.
I only seem to run into the problem when I authenticate if the following is set:
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
If that is set to NONE then I can access the application fine, but if i use the HTTP_HEADER and attempt to pass information via the header I get stuck in the loop which results in the message <strong>".Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked."</strong>
There is no helpful output in either my container log or the Policy Agent logs.
The myHost.local. exists within my /etc/hosts file and using ping and other tools resolve fine.
I am using JBOSS 4.2.2 on Linux (and windows).
If anyone can help save my sanity it would be appreciated.
com.sun.identity.agents.config.filter.mode = URL_POLICY
com.sun.identity.agents.config.user.mapping.mode = USER_ID
com.sun.identity.agents.config.user.attribute.name = employeenumber
com.sun.identity.agents.config.user.principal = false
com.sun.identity.agents.config.user.token = UserToken
com.sun.identity.agents.config.load.interval = 0
com.sun.identity.agents.config.locale.language = en
com.sun.identity.agents.config.locale.country = US
com.sun.identity.agents.config.audit.accesstype = LOG_NONE
com.sun.identity.agents.config.log.disposition = REMOTE
com.sun.identity.agents.config.remote.logfile = amAgent_8089.log
com.sun.identity.agents.config.local.logfile = /usr/j2ee_agents/am_jboss_agent/agent_001/logs/audit/amAgent_8089.log
com.sun.identity.agents.config.local.log.rotate = false
com.sun.identity.agents.config.local.log.size = 52428800
com.sun.identity.agents.config.webservice.enable = false
com.sun.identity.agents.config.webservice.endpoint[0] =
com.sun.identity.agents.config.webservice.process.get.enable = true
com.sun.identity.agents.config.webservice.authenticator =
com.sun.identity.agents.config.webservice.internalerror.content = WSInternalErrorContent.txt
com.sun.identity.agents.config.webservice.autherror.content = WSAuthErrorContent.txt
com.sun.identity.agents.config.login.form[0] = /manager/AMLogin.html
com.sun.identity.agents.config.login.form[1] = /host-manager/AMLogin.html
com.sun.identity.agents.config.login.error.uri[0] = /manager/AMError.html
com.sun.identity.agents.config.login.error.uri[1] = /host-manager/AMError.html
com.sun.identity.agents.config.login.use.internal = true
com.sun.identity.agents.config.login.content.file = FormLoginContent.txt
com.sun.identity.agents.config.auth.handler[] =
com.sun.identity.agents.config.logout.handler[] =
com.sun.identity.agents.config.verification.handler[] =
com.sun.identity.agents.config.redirect.param = goto
com.sun.identity.agents.config.login.url[0] = http://myHost.local:8080/amserver/UI/Login
com.sun.identity.agents.config.login.url.prioritized = true
com.sun.identity.agents.config.login.url.probe.enabled = true
com.sun.identity.agents.config.login.url.probe.timeout = 2000
com.sun.identity.agents.config.agent.host =
com.sun.identity.agents.config.agent.port =
com.sun.identity.agents.config.agent.protocol =
com.sun.identity.agents.config.login.attempt.limit = 0
com.sun.identity.agents.config.sso.decode = true
com.sun.identity.agents.config.amsso.cache.enable = true
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
com.sun.identity.agents.config.cookie.reset.domain[] =
com.sun.identity.agents.config.cookie.reset.path[] =
com.sun.identity.agents.config.cdsso.enable = false
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = http://myHost.local:8080/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = http://myHost.local:8080/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.secure.enable = false
#com.sun.identity.agents.config.cdsso.domain[0] =
com.sun.identity.agents.config.logout.application.handler[] =
com.sun.identity.agents.config.logout.uri[] =
com.sun.identity.agents.config.logout.request.param[] =
com.sun.identity.agents.config.logout.introspect.enabled = false
com.sun.identity.agents.config.logout.entry.uri[] =
com.sun.identity.agents.config.fqdn.check.enable = true
com.sun.identity.agents.config.fqdn.default = am.ufidev.local.
com.sun.identity.agents.config.fqdn.mapping[] =
com.sun.identity.agents.config.legacy.support.enable = false
com.sun.identity.agents.config.legacy.user.agent[0] = Mozilla/4.7*
com.sun.identity.agents.config.legacy.redirect.uri = /agentapp/sunwLegacySu<br /> -
Run as account and profile associate
Dears,
Sorry I am new to Managing Linux in SCOM, so I have a 2 questions.
In below link:
http://technet.microsoft.com/en-us/library/hh212926.aspx
it is mentioned that we have to create 2 type of Run as accounts:
A monitoring account
An agent maintenance account
It is mentioned that we have to associate the Run as accounts with profile as below:
UNIX/Linux Action Account:
Add a monitoring Run As account that has unprivileged credentials, to this profile.
UNIX/Linux Privileged Account:
Add a monitoring Run As account that has privileged credentials or credentials to be elevated, to this profile.
UNIX/Linux Agent Maintenance Account:
Add a monitoring Run As account that has privileged credentials or credentials to be elevated, to this profile.
Questions are:
Why we have to associate "Monitor Run as account" with "UNIX/Linux Agent Maintenance Account" ?
What if we associate "Agent maintenance account" with "UNIX/Linux Agent Maintenance Account" ?
When we will use the "Agent maintenance account"?
Thank youHello,
The "Agent Maintenance" account type is for use with the ssh protocol. It allows for the use of ssh key authentication and su elevation (as an alternative to sudo elevation). Therefore, it is not compatible with any Run As Profile other than the Agent
Maintenance profile. The Action & Privileged account profiles are used for "monitoring" operations with the WS-Man protocol, and don't support the ssh-specific options for the Agent Maintenance account. A "Monitoring" account type can be used
in all three profiles, but the "Agent maintenance" account type can only be used in the Agent Maintenance Account profile.
To address your questions directly:
Why we have to associate "Monitor Run as account" with "UNIX/Linux Agent Maintenance Account" ?
The documentation here looks like it could be improved. An account type of Monitoring or Agent Maintenance can be used in this profile.
What if we associate "Agent maintenance account" with "UNIX/Linux Agent Maintenance Account" ?
This is completely OK.
When we will use the "Agent maintenance account"?
The agent maintenance account is only used in two cases: 1) when you upgrade existing agents and 2) when you uninstall existing agents. Ultimately, it is an optional profile.
I hope this helps,
Kris
www.operatingquadrant.com -
Too Slow - Domino 6.5.4 with access manager agent 2.2 ?
I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
I think AMAgent.properties is not good for SSO.
Please help me to tune it.
# $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
# Copyright ? 2002 Sun Microsystems, Inc. All rights reserved.
# U.S. Government Rights - Commercial software. Government users are
# subject to the Sun Microsystems, Inc. standard license agreement and
# applicable provisions of the FAR and its supplements. Use is subject to
# license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
# trademarks or registered trademarks of Sun Microsystems, Inc. in the
# U.S. and other countries.
# Copyright ? 2002 Sun Microsystems, Inc. Tous droits r閟erv閟.
# Droits du gouvernement am閞icain, utlisateurs gouvernmentaux - logiciel
# commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
# licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
# vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl閙ents
# ? celles-ci.
# Distribu? par des licences qui en restreignent l'utilisation. Sun, Sun
# Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
# marques d閜os閑s de Sun Microsystems, Inc. aux Etats-Unis et dans
# d'autres pays.
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Access Manager
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Access Manager will disable the SDK.
com.sun.am.cookie.name = iPlanetDirectoryPro
# The URL for the Access Manager Naming service.
com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
# The URL of the login page on the Access Manager.
com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
# Name of the file to use for logging messages.
com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
com.sun.am.policy.agents.config.local.log.rotate = true
# Name of the Access Manager log file to use for logging messages to
# Access Manager.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Access Manager.
com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
# Set the logging level for the specified logging categories.
# The format of the values is
# <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
# 0 Disable logging from specified module*
# 1 Log error messages
# 2 Log warning and error messages
# 3 Log info, warning, and error messages
# 4 Log debug, info, warning, and error messages
# 5 Like level 4, but with even more debugging messages
# 128 log url access to log file on AM server.
# 256 log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.log.level =
# The org, username and password for Agent to login to AM.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certdb.prefix =
# Should agent trust all server certificates when Access Manager
# is running SSL?
# Possible values are true or false.
com.sun.am.trust_server_certs = true
# Should the policy SDK use the Access Manager notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notification.enable = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.url_comparison.case_ignore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.polling.interval=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the access manager. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userid.param=UserToken
# Profile attributes fetch mode
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-
number,c|country
# Session attributes mode
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.session.attribute.map=
# Response Attribute Fetch Mode
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.response.attribute.map=
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.lb.cookie.name = GX_jst
# indicate where a load balancer is used for Access Manager
# services.
# true | false
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.config.version=2.2
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
# Locale setting.
com.sun.am.policy.agents.config.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.config.instance.name = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.config.do_sso_only = true
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.config.accessdenied.url =
# This property indicates if FQDN checking is enabled or not.
com.sun.am.policy.agents.config.fqdn.check.enable = true
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
# com.sun.am.policy.agents.config.fqdn.map
com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Access Manager policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.config.fqdn.map =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Access Manager for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
com.sun.am.policy.agents.config.cookie.reset.enable=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Access Manager.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.config.cookie.reset.list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
com.sun.am.policy.agents.config.cookie.domain.list=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.config.anonymous_user=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.config.anonymous_user.enable=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?
OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.config.notenforced_list.invert = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.config.notenforced_client_ip_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.config.postdata.preserve.enable = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url =
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.config.client_ip_validation.enable = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.config.logout.url=
#http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.config.logout.cookie.reset.list =
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Access Manager.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetch_from_root_resource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.config.get_client_host_name = false
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.config.convert_mbyte.enable = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.policy.agents.config.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port =
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
com.sun.am.policy.agents.config.override_notification.url =
# The following property defines how long to wait in attempting
# to connect to an Access Manager AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active Access Manager Auth server"
com.sun.am.policy.agents.config.connection_timeout =
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# The three following properties are for IIS6 agent only.
# The two first properties allow to set a username and password that will be
# used by the authentication filter to pass the Windows challenge when the Basic
# Authentication option is selected in Microsoft IIS 6.0. The authentication
# filter is named amiis6auth.dll and is located in
# Agent_installation_directory/iis6/bin. It must be installed manually on
# the web site ("ISAPI Filters" tab in the properties of the web site).
# It must also be uninstalled manually when unintalling the agent.
# The last property defines the full path for the authentication filter log file.
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilterHi,
I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
I have the box to identify but it doesnot connect me on my opensso server.
It still identify with Domino's server
Thanks for your response
Thomas -
No log for am policy agent for iis6
Hello!
Im trying to get Policy Agent for IIS to run on my Win Srv 2003 with IIS6 and Sharepoint Services.
I am running the OpenSSO version of Access Manager.
I have installed the agent and done the initial cofiguration.
When i try to browse the resource i get a login prompt (IIS Basic Auth)and cannot login followed by "Not Authorized 401.3"
I should get redirected to the AM Login page, shouldn't I?
I tried to look for answers in the log file but the /debug/<id> directory i empty.
Anyone know what to do?
The amAgent.properties file:
# $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Access Manager
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Access Manager will disable the SDK.
com.sun.am.cookie.name = iPlanetDirectoryPro
# The URL for the Access Manager Naming service.
com.sun.am.naming.url = http://login.lta.mil.se:8080/opensso/namingservice
# The URL of the login page on the Access Manager.
com.sun.am.policy.am.login.url = http://login.lta.mil.se:8080/opensso/UI/Login
# Name of the file to use for logging messages.
com.sun.am.policy.agents.config.local.log.file = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAgent
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
com.sun.am.policy.agents.config.local.log.rotate = true
# Name of the Access Manager log file to use for logging messages to
# Access Manager.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Access Manager.
com.sun.am.policy.agents.config.remote.log = amAuthLog.sharepoint.lta.mil.se.80
# Set the logging level for the specified logging categories.
# The format of the values is
# <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
# 0 Disable logging from specified module*
# 1 Log error messages
# 2 Log warning and error messages
# 3 Log info, warning, and error messages
# 4 Log debug, info, warning, and error messages
# 5 Like level 4, but with even more debugging messages
# 128 log url access to log file on AM server.
# 256 log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.log.level = 5
# The org, username and password for Agent to login to AM.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = PN4rEZ1uhx1404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslcert.dir = C:/Sun/Access_Manager/Agents/2.2/iis6/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certdb.prefix =
# Should agent trust all server certificates when Access Manager
# is running SSL?
# Possible values are true or false.
com.sun.am.trust_server_certs = true
# Should the policy SDK use the Access Manager notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notification.enable = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notification.url = http://sharepoint.lta.mil.se:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.url_comparison.case_ignore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.polling.interval=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the access manager. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userid.param=UserToken
# Profile attributes fetch mode
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organiz ational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
# Session attributes mode
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.session.attribute.map=
# Response Attribute Fetch Mode
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.response.attribute.map=
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.lb.cookie.name = GX_jst
# indicate where a load balancer is used for Access Manager
# services.
# true | false
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.config.version=2.2
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.config.audit.accesstype = LOG_BOTH
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = http://sharepoint.lta.mil.se:80/amagent
# Locale setting.
com.sun.am.policy.agents.config.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.config.instance.name = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.config.do_sso_only = true
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.config.accessdenied.url =
# This property indicates if FQDN checking is enabled or not.
com.sun.am.policy.agents.config.fqdn.check.enable = true
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
# com.sun.am.policy.agents.config.fqdn.map
com.sun.am.policy.agents.config.fqdn.default = sharepoint.lta.mil.se
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Access Manager policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.config.fqdn.map =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Access Manager for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
com.sun.am.policy.agents.config.cookie.reset.enable=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Access Manager.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.config.cookie.reset.list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
com.sun.am.policy.agents.config.cookie.domain.list=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.config.anonymous_user=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.config.anonymous_user.enable=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.config.notenforced_list.invert = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.config.notenforced_client_ip_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.config.postdata.preserve.enable = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url =
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.config.client_ip_validation.enable = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.config.logout.url=
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.config.logout.cookie.reset.list =
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Access Manager.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetch_from_root_resource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.config.get_client_host_name = true
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.config.convert_mbyte.enable = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.policy.agents.config.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port = true
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
com.sun.am.policy.agents.config.override_notification.url =
# The following property defines how long to wait in attempting
# to connect to an Access Manager AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active Access Manager Auth server"
com.sun.am.policy.agents.config.connection_timeout =
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# The three following properties are for IIS6 agent only.
# The two first properties allow to set a username and password that will be
# used by the authentication filter to pass the Windows challenge when the Basic
# Authentication option is selected in Microsoft IIS 6.0. The authentication
# filter is named amiis6auth.dll and is located in
# Agent_installation_directory/iis6/bin. It must be installed manually on
# the web site ("ISAPI Filters" tab in the properties of the web site).
# It must also be uninstalled manually when unintalling the agent.
# The last property defines the full path for the authentication filter log file.
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAuthFilterIf the agent doesnot start properly you would always get redirected to com.sun.am.policy.agents.config.accessdenied.url , if thats not specified you will get a 403.
For the agent itself check that the naming.url is correct. the agent username and passwords are correct, and see that the user has priviledges to write to the agent log files. Apart from these post the windows event logs. -
UCCE 7.5.10 - Modify Agent Skill Groups via Database instead of Config or Re-Skill tool?
Background - We would like to bulk modify agent skill groups on a weekly basis, but have over 400 agents, 3 teams and over 5 skill groups per agent. We are hoping to build a query to modify the tables required to skill an agent properly. We would problably use a .csv file from our fiance dept. to determine skill groups per agent.
Has anyone been successful or know what tables must be updated/inserted to change an agent's skill groups? Is there a hack/workaround to do it using POST/URL in the Cisco Reskill Tool?
Thanks,
Ray KhanIt is about time for Cisco to realize that this is something that their biggest contact center competitor, Avaya offers as a standard feature, out of the box (I'm sure they know it without me pointing it out). This is "old" technology for Avaya.
We are doing this now in our Avaya contact center with a VB Script and scheduled tasks in Windows. Needless to say, it didn't take a developer to set it up. The scheduled tasks run twice per day to "reset" the agents' skills to pre-determined default values. This allows us the spend less time worrying about intraday skill changes, and whether or not any additional skills were removed from an agent's profile. We know that they'll be changed back twice per day.
We essentially have three different configurations based on time of day and day of week: Monday through Friday, 6:00am to 6:00 pm (Business Hours); Saturday and Sunday 6:00am to 6:00pm (Weekend Daytime); and Sunday through Saturday, 6:00pm to 6:00am (Overnights). We would have to have three UCCX skills with time of day routing to every one Avaya skill achieve this in UCCX.
Also, this capability enables us to re-skill our entire call center, or any subset thereof to a predetermined skill-set with a single mouse click.
I'd love to see Cisco allow and support this or similar functionality.
Sent from Cisco Technical Support iPhone App -
"Forward To" option in Agent Inbox
Hi,
We are facing issue in "Forward To" functionality in Agent Inbox.
We have done below configuration steps to execute "Forward To".
- Define Reciepient profile:
Here define responsible groups (which are already maintained in Org model as a Org. unit).
- Assign Reciepeint profile to agent inbox profile:
We forward inbox item to particular group. Now forwared item should be visible in that particular group.
The issue is "Forwarded item is not reflecting in that group.
Please let us know if we missing any steps.
Regards
MohitHi Arun,
Yes we are using IC_Agent role and inbox profile is assigned this role.
I am trying to forward inbox item (service order , interaction record etc.) to different groups and these groups are maintained as Org. unit in org. model.
Regards
Mohit -
I have been trying to install agent10g to my OEM grid on AIX 5.3. OUI installation finished without errors and all semms to be correct but ... it is impossible to even check a status of agent.
Every command emctl <whatever> agent returns the same output.
EM Configuration issue. /oracle/product/10.2.0/db/devel_EMREP not found.
where /oracle/product/10.2.0/db is my databases $ORACLE_HOME
EMREP is a OEM GRID database
devel hostname where all these staffs are located
is it correct it searches for files in database $ORACLE_HOME instead of agent$ORACLE_HOME?
Anyway I tried to configure agent using agentca -f - it finishes without any errors - just a few warnings like :
OPatch Session completed with warnings.
but emctl.log file and it returns errors
+132070 :: Thu Aug 27 13:57:55 2009::AgentLifeCycle.pm: Processing stop agent+
+132070 :: Thu Aug 27 13:57:56 2009::AgentStatus.pm:emdctl status agent returned 3+
+132070 :: Thu Aug 27 13:57:56 2009::AgentLifeCycle.pm:istatusCEMD returned 3+
+132070 :: Thu Aug 27 13:57:57 2009::AgentLifeCycle.pm:emdctl stop agent returned 4+
+132070 :: Thu Aug 27 13:57:58 2009::AgentStatus.pm:emdctl status agent returned 1+
+132070 :: Thu Aug 27 13:57:58 2009::AgentLifeCycle.pm:exited loop with 1+
+582410 :: Thu Aug 27 13:59:01 2009::AgentLifeCycle.pm: Processing secure agent+
+582410 :: Thu Aug 27 13:59:01 2009::AgentStatus.pm:Processing secure agent+
+582410 :: Thu Aug 27 13:59:31 2009::AgentStatus.pm:emdctl gensudoprops returned 0+
+577976 :: Thu Aug 27 14:00:22 2009::AgentLifeCycle.pm: Processing start agent+
+577976 :: Thu Aug 27 14:00:22 2009::AgentLifeCycle.pm: EMHOME is /oracle/product/agent10g+
+577976 :: Thu Aug 27 14:00:22 2009::AgentLifeCycle.pm: service name is+
+577976 :: Thu Aug 27 14:00:23 2009::AgentLifeCycle.pm:status agent returned with retCode=1+
+577976 :: Thu Aug 27 14:00:35 2009::AgentLifeCycle.pm: Exited loop with retCode=3+
+1725766 :: Thu Aug 27 14:00:37 2009::AgentStatus.pm:emdctl gensudoprops returned 0+
any advices how to proceed in my case ?omg - you are absolutely right! I did a mistake in my agent's .profile file. OK - now it uses corrent emctl. :)
But ...still it is not ok. emctl status agent shows correct output but in OEM most of targets has status "Metric collection error".
I know it is difficult to guess what is wrong with my configuration so maybe could you recommend me any articles, webpages where I can read from scratch about agent and OMS services. I do not want to just configure it. I want to know general concept and all rules how it works as well as all usefull tools and configuration files.
of course all other suggestion regarding my issue are welcome :)
KP> -
Agent Inbox Search Oldest Emails
For high inbound email call centers, does anyone have a best practice to handle the requirement of returning the oldest emails to ensure the agent can process the oldest email?
We are thinking of doing this:
use the custom_hit_list to sort by posting_date asc if they sort by creation date
if the status filter is set to Non-Complete, set the max hit results to 1000 to ensure that the agent can process the oldest email as the sort still returns the newest emails.
ThanksHi, please check your configuration.
Find out the Agent inbox profile and go to customizing tcode CRMC_IC_AUI_PROFILE (SPRO --> CRM --> Interaction Center WebClient --> AgentInbox --> Define Inbox profiles).
Select your inbox profile and check main categories assignment. Might be that you have to remove entries.
Kind regards, -
[SOLVED] ssh-agent support removed from kde-agent
Hi all,
Since its upgrade yesterday, kde-agent does not support ssh-agent anymore (see here). I consequently can't store unlocked SSH keys anymore, because ssh-add from a konsole can't connect to ssh-agent.
The update note above mentions that the SSH agent is not needed by KDE since years. What's the recommended way to start it now ?
Thanks a lot !
Aurélien.
Last edited by aurelieng (2014-01-03 08:39:49)I have been using ssh-agent with KDE on a daily basis for years and AFAIK, there is no better or more convenient way of keeping your private keys available. So in my opinion, the removal of ssh-agent, a tiny daemon that doesn't do any harm yet serves its purpose very well, was a bad idea.
I found a solution that does not run multiple ssh-agent daemons, even if KDE crashes. The solution is based on the fact that ssh-agent can be used as a wrapper around a session startup script or program. Unfortunately, my solution is very intrusive and will disappear on each KDE update. It works as follows:
# cd /usr/bin
# mv startkde startkde-inner
# cat > startkde <<- HERE
#!/bin/sh
exec /usr/bin/ssh-agent /usr/bin/startkde-inner
HERE
# chmod +x startkde
Now the ssh-agent will be started on each KDE session and there will always be only one ssh-agent per KDE session. Comments in the startkde script suggest starting ssh-agent later in the process and then killing it on logout. However, such a solution is inherently unreliable, because it will not kill your ssh-agent when the X-server or KDE crashes. The same problem applies to starting ssh-agent from profile scripts. The wrapper method resolves the issue in a quite reasonable way.
Last edited by andrej.podzimek (2014-01-08 13:27:25) -
Policy web agent configuration failed: NSPR error Configuration Failed!!!!
I am having troubles to install agent Apache 2.2!!!!!
The libamapc22.so uses libstdc++.so.5....
so i have this error:
root@ped-02 bin# service httpd start
Starting httpd: httpd: Syntax error on line 995 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /opt/web_agents/apache22_agent/Agent_006/config/dsame.conf: Cannot load n/opt/web_agents/apache22_agent/lib/libamapc22.so into server: libstdc++.so.5: cannot open shared object file: No such file or directory
In my OS is Installed the libstdc++.so.6
if I Install the libstdc++.so.5
I have this error:
[Wed Aug 20 15:50:35 2008] [notice] Digest: generating secret for digest authentication ...
[Wed Aug 20 15:50:35 2008] [notice] Digest: done
[Wed Aug 20 15:50:35 2008] [alert] Policy web agent configuration failed: NSPR error Configuration Failed
So I have installed NSPR and NSS but this error persists.
In log /opt/web_agents/apache22_agent/Agent_006/logs/debug/amAgent
===========
2008-08-20 16:16:36.152 Error 18271:b949c3d0 all: Connection::initialize() unable to initialize SSL libraries: NSS_Initialize returned -8128
2008-08-20 16:16:36.156 Error 18271:b949c3d0 all: initialization error: am_properties_load(com.sun.am.policy.agents.config.stopInInit) failed, error = NSPR error (12): exiting...
2008-08-20 16:16:36.156 Error 18271:b949c3d0 all: Process initialization failure:NSPR error
My configuration: ---- AMAgent.properties
com.sun.am.cookie.name = iPlanetDirectoryPro
com.sun.am.cookie.secure = false
com.sun.am.naming.url = http://accessmanager.coreo.network.ctbc:8080/opensso/namingservice
com.sun.am.policy.am.login.url = http://accessmanager.coreo.network.ctbc:8080/opensso/UI/Login
com.sun.am.policy.agents.config.local.log.file =/opt/web_agents/apache22_agent/Agent_006/logs/debug/amAgent
com.sun.am.policy.agents.config.local.log.rotate = false
com.sun.am.policy.agents.config.remote.log = amAuthLog.accessmanager.coreo.network.ctbc.80
com.sun.am.log.level =
com.sun.am.policy.am.username = amadmin
com.sun.am.policy.am.password = fhfeUCQselvAndSuo17Pww==
com.sun.am.sslcert.dir =
com.sun.am.certdb.prefix =
com.sun.am.trust_server_certs = true
com.sun.am.notification.enable = false
com.sun.am.notification.url=http://accessmaager.coreo.network.ctbc:80/UpdateAgentCacheServlet?shortcircuit=false
com.sun.am.policy.am.url_comparison.case_ignore = true
com.sun.am.policy.am.polling.interval=3
com.sun.am.sso.polling.period=3
com.sun.am.policy.am.userid.param=UserToken
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
com.sun.am.policy.agents.config.session.attribute.map=
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
com.sun.am.policy.agents.config.response.attribute.map=
com.sun.am.load_balancer.enable = false
com.sun.am.policy.agents.config.version=2.2
com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
com.sun.am.policy.agents.config.agenturi.prefix = http://accessmanager.coreo.network.ctbc:80/amagent
com.sun.am.policy.agents.config.locale = en_US
com.sun.am.policy.agents.config.instance.name = unused
com.sun.am.policy.agents.config.do_sso_only = false
com.sun.am.policy.agents.config.accessdenied.url =
com.sun.am.policy.agents.config.fqdn.check.enable = true
com.sun.am.policy.agents.config.fqdn.default = accessmanager.coreo.network.ctbc
com.sun.am.policy.agents.config.fqdn.map =
com.sun.am.policy.agents.config.cookie.reset.enable=false
com.sun.am.policy.agents.config.cookie.reset.list=
com.sun.am.policy.agents.config.cookie.domain.list=
com.sun.am.policy.agents.config.anonymous_user=anonymous
com.sun.am.policy.agents.config.anonymous_user.enable=false
com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
com.sun.am.policy.agents.config.notenforced_list.invert = false
com.sun.am.policy.agents.config.notenforced_client_ip_list =
com.sun.am.policy.agents.config.postdata.preserve.enable = false
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
com.sun.am.policy.agents.config.client_ip_validation.enable = false
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
com.sun.am.policy.agents.config.logout.url=
com.sun.am.policy.agents.config.logout.cookie.reset.list =
com.sun.am.policy.am.fetch_from_root_resource = true
com.sun.am.policy.agents.config.get_client_host_name = true
com.sun.am.policy.agents.config.convert_mbyte.enable = false
com.sun.am.policy.agents.config.ignore_path_info = false
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port =
com.sun.am.policy.agents.config.override_notification.url =
com.sun.am.policy.agents.config.connection_timeout =
com.sun.am.receive_timeout = 0
com.sun.am.connect_timeout = 0
com.sun.am.poll_primary_server = 5
com.sun.am.tcp_nodelay.enable = false
com.sun.am.policy.agents.config.encode_url_special_chars.enable = false
com.sun.am.policy.agents.config.iis.filter_priority = HIGH
com.sun.am.policy.agents.config.cdsso.enable=false
com.sun.am.policy.agents.config.cdcservlet.url = http://accessmanager.coreo.network.ctbc:8080/opensso/cdcservlet
Jonathan Costa Muniz.Hi joncmuniz,
Are you managed to resolve this problem? I have the same.
In logs i have such information:
2008-10-08 16:48:02.471 Debug 23153:84d5368 all: Connection::initialize() calling NSS_Initialize() with directory = "" and prefix = ""
2008-10-08 16:48:02.471 Debug 23153:84d5368 all: Connection::initialize() Connection timeout wen receiving data = 0 milliseconds
2008-10-08 16:48:02.472 Error 23153:84d5368 all: Connection::initialize() unable to initialize SSL libraries: NSS_Initialize returned -8128
2008-10-08 16:48:02.475 Error 23153:84d5368 all: initialization error: am_properties_load(com.sun.am.policy.agents.config.stopInInit) failed, error = NSPRerror (12): exiting...
2008-10-08 16:48:02.475 Error 23153:84d5368 all: Process initialization failure:NSPR errorI think the problem is with certificates, but i can't point where.
Can you help? -
The agent inbox doesnu2019t display email
Hi Gurus,
I need to customizing the email inbound in agent inbox, but I cannot see the email in agent inbox only can see it in the E-mail Inbox with salespro business rol.
I did the following:
1.- I created a user MAILADM with the Email (emailin@company) and Comm. Method (RML Remote Mail)
2.- I Maintained my user with the Email (emailin@company), Comm. Method (E-Mail) and Comment (emailin@company).
3.- In the tx CRMC_IC_AUIGNADR, Address / Number (emailin@company), Comm. Method (INT) and Workflow Priority (High).
4.- In the tx CRMC_IC_AUI_GEN, Reply Address (emailin@company).
5.- In the tx CRMC_IC_AUICOMM, Object ID (14008030) and Comm. Method (INT).
5.- I assigned Agents for E-Mail Handling. My Position.
6.- In the tx So28, Recipient (emailin@company), New recipient - SAP object instance - AUI: Support object (emailin@company).
7.- I maintained Inbound Processing, with (emailin@company).
8.- I defined Agent Inbox Profile, and Assigned Main Categories u2013 INT.
Please, somebody know what I need to do for solve this problem
Thanks.Dear Alfredo,
From information provided I understand that trx: SWI1 shows no Instance of WS14000164, although most of your customizing looks to reviewed/set. I understand that WS14000164 has been activated (trx: CRMC_IC_MAIL_WF) and E-mail address properly maintained at SO28.
Confirm that Event: <ICAUISUPP, MAILRECEIVED, WS14000164>, is not getting deactivated (trx: SWE2).
Via Event Trace (SWEL/SWELS) you can determine, if event is being triggered or not. If No Event is being triggered and E-mail actually shows at SOIN, activate SAPConnect Trace, refer to Note:194926. Check if SAPConnect Trace provides further information
about your case.
From an e-mail sent by Juan Miguel Silva, I noticed you have setup SO50, as test could you please check if such entries are conflicting with E-mail handled by Workflow: WS14000164. Make note of them and remove them temporally. Repeat your test. Check if Event is triggered and Workflow is started.
If no e-mail is shown at SOIN, confirm you have setup inbound e-mails, refer to SAP Note: 455140, if so, send for example, an inbound e-mail to a SAP-User, which can review it via SBWP. If no email is shown at SOIN, I am afraid problem would be outside SAP CRM system. You may follow Note: 607108, to send an e-mail via TELNET command to SAP CRM System to address maintained [SO28], and check if e-mail are received. If so, contact your Mail Administrator to review why E-mails are note getting to SAP CRM System.
Luis Vera
AGS Primary Support, Global Support Center, Spain
Edited by: Luis Vera on Jul 1, 2011 10:37 AM
Maybe you are looking for
-
To say that I am livid would be the greatest understatement EVER made in the ENTIRE history of the planet. Last night my iPhone 5 decided it would go into Recovery Mode. (That is.....a Black screen showing the iTunes logo, a white 'up' arrow and with
-
No business area is assigned to the material
HI SAP Gurus I tryed to create a Product cost controller (KKF6n). After I typed the Product version, I get this error "No business area is assigned to the material". Could yo give me some information about this error. Thanks Emre
-
Sub -collection within a collection
Hello, I have a function that uses a collection structure. The structure is as follows : type rec is record ( x number, y number) table tbl is table of rec index by binary_integer; Now inside the function I want to read the structure and do some oper
-
Error Pop-up in Timesheet (Time and Expenses)
Where can I find the pop error logs in PMDB? I want to find out the cases where user cannot save/submit his timesheet because the Project/Task against which he is entering his time has ended. Can I find this data anywhere in PVDB? I could find the da
-
PLEASE SUGGEST SOME OPTIMIZER HINTS TO TUNE QUERY
Below is explain plan for query SELECT STATEMENT ALL_ROWSCost: 607,111 Bytes: 169 Cardinality: 1 18 HASH GROUP BY Cost: 607,111 Bytes: 169 Cardinality: 1