BEA Aqualogic / plumtree / ALUI - Access manager

Hi All,
Im planning to implement BEA aqualogic / ALUI / Plumtree with access manager / open sso. I would like to know the steps / hints / tips on this implementation.
Plumtree requires certain values to be set in the header for enabling the SSO. How do i set those values in access manager ( i meant some custom header values) once the user is logged in using the access manager.
Can any one help me by providing some tips.
Thanks,
Bharat

Hi, I was wondering if you could share how did you integrate Sun Access Manager with Aqualogic? In our scenario, we want Access Manager to do the authentication for the aqualogic portal(which is on websphere portal). We are using sun directory server as the user repository as well. Please let me know the steps you took to take care of the authentication process in your scenario. It will help us building ours. Thanks.

Similar Messages

Urgent help requested: Access Manager integration with BEA Portal

We're using Access Manager 7.1 and Policy Agent 2.2 to authenticate users for our BEA WL Portal 10 which contains all of our content and applications. The portal contains both anonymous pages and protected pages (for registered users).
Problem: When an anonymous user who is going through a multi-step application flow decides to sign-in to their account (or sign-up) Policy Agent wipes out the current content of the user session, and creates a brand new user session after the user is authenticated. Therefore we cannot send the user back to the same spot in the portal where they were before signing-in.
Is there anyway to make Policy Agent preserve the content and state of http session when authenticating a user?
We have a business requirement to allow users to continue their application process after successfully signing in.
Thanks in advance.

Hi,
I think this problem is not just related to weblogic 10 agent, it is a general problem for any agents.
Can you please clarify what you mean by "anonymous user "? Do you mean that this user has never logged in to Access Manager, and is just browsing the site as an anonymous user, or do you have a role specified as "anonymous user " that they are currently logged into when browsing the site?
thx,
Sean

Using BEA Weblogic Portal with Sun Access Manager

Hello all,
I am wondering if anyone has had experience with using Weblogic Portal (versions 8.1 or 9.2) with Sun's Access Manager tool (part of the Identity Management suite).
In particular, I would like to know what access control tasks were performed through access manager, and which were performed portal-side.
Any information would be appreciated.
Thanks!

Hi
Has any one explored the below question.
Is WLP 9.2 compatible with Sun Access Manager?
If yes, please let know the details.
Thanks

Error during execution of SSO with Oracle Access Manager 11gR2

Hello friends,
I have a problem with SSO using Oracle Access Manager 11g R2, then describes the steps taken in this test:
1. Is accessed by the OAM protected application through IE browser, Chrome and Firefox for testing purposes.
2. The OAM protected application, here is redirected to the OAM page to enter the credentials for the application.
3. Shows the application, and again reorders authentication credentials.
Here the details of the cookie:
a. cookie1: ADMINCONSOLESESSION
b. cokkie2: OAMAuthnCookie_webgate11g.domain.com: 7777
We also found an error when starting the node oam_server in WebLogic Server 11g (10.3.6)
Log:
[2012-11-29T18:16:02.411-05:00] [oam_server1] [ERROR] [JPS-03156] [oracle.jps.authorization.framework] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000JhEStpUFW7WFLzRL8A1GhylJ000002,0] [APP: oam_server#11.1.2.0.0] The exception has been thrown by ARME. The authorization result is set to deny.[[
com.bea.security.providers.authorization.asi.InvocationException: ArmeRUNTIME Exception: null
     at com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.isAccessAllowed(AuthorizationProviderImpl.java:396)
     at com.bea.security.ssal.micro.MicroAuthorizationManagerWrapper.isAccessAllowed(MicroAuthorizationManagerWrapper.java:73)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed_internal(AuthorizationServiceImpl.java:914)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:745)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:668)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:622)
     at com.bea.security.AuthorizationService.isAccessAllowed(AuthorizationService.java:365)
     at oracle.security.am.common.policy.runtime.provider.oes.proxy.OESRuntimeProxy.wait4OESRuntimeDBPolicyRefreshCompletion(OESRuntimeProxy.java:263)
     at oracle.security.am.common.policy.runtime.provider.oes.proxy.OESRuntimeProxy.init(OESRuntimeProxy.java:193)
     at oracle.security.am.common.policy.runtime.provider.oes.OESPolicyRuntimeProvider.init(OESPolicyRuntimeProvider.java:167)
     at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.getNewInstance(PolicyRuntimeFactory.java:162)
     at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.init(PolicyRuntimeFactory.java:93)
     at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.getPolicyRuntime(PolicyRuntimeFactory.java:84)
     at oracle.security.am.common.policy.util.PolicyComponentLifecycle.initialize(PolicyComponentLifecycle.java:100)
     at oracle.security.am.lifecycle.ApplicationLifecycle.initComponentBootstrap(ApplicationLifecycle.java:156)
     at oracle.security.am.lifecycle.ApplicationLifecycle.contextInitialized(ApplicationLifecycle.java:86)
     at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:481)
     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
     at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
     at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:181)
     at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1868)
     at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:3154)
     at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1518)
     at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:484)
     at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
     at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
     at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
     at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
     at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:247)
     at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
     at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
     at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
     at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:27)
     at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:671)
     at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
     at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:212)
     at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:59)
     at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
     at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
     at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
     at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
     at weblogic.management.deploy.internal.DeploymentAdapter$1.doActivate(DeploymentAdapter.java:51)
     at weblogic.management.deploy.internal.DeploymentAdapter.activate(DeploymentAdapter.java:200)
     at weblogic.management.deploy.internal.AppTransition$2.transitionApp(AppTransition.java:30)
     at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:261)
     at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:220)
     at weblogic.management.deploy.internal.ConfiguredDeployments.activate(ConfiguredDeployments.java:169)
     at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:123)
     at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:180)
     at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:96)
     at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: com.wles.InternalException: ArmeRUNTIME Exception: null
     at com.wles.arme.Credentials_ca.exceptionTransport(Credentials_ca.java:606)
     at com.wles.arme.Credentials_ca._accessAllowed(Credentials_ca.java:343)
     at com.wles.arme.CredentialsImpl._accessAllowed(CredentialsImpl.java:400)
     at com.wles.arme.CredentialsImpl._accessAllowed(CredentialsImpl.java:422)
     at com.wles.arme.CachingCredentialsImpl._accessAllowed(CachingCredentialsImpl.java:225)
     at com.wles.arme.CredentialsImpl.accessAllowed(CredentialsImpl.java:452)
     at com.wles.arme.CachingCredentialsImpl.accessAllowed(CachingCredentialsImpl.java:68)
     at com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.ARMEisAccessAllowed(AuthorizationProviderImpl.java:977)
     at com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.isAccessAllowed(AuthorizationProviderImpl.java:347)
     ... 52 more
causal exception is:
com.wles.InternalException: ArmeRUNTIME Exception: null
     at com.wles.arme.Credentials_ca.exceptionTransport(Credentials_ca.java:606)
     at com.wles.arme.Credentials_ca._accessAllowed(Credentials_ca.java:343)
     at com.wles.arme.CredentialsImpl._accessAllowed(CredentialsImpl.java:400)
     at com.wles.arme.CredentialsImpl._accessAllowed(CredentialsImpl.java:422)
     at com.wles.arme.CachingCredentialsImpl._accessAllowed(CachingCredentialsImpl.java:225)
     at com.wles.arme.CredentialsImpl.accessAllowed(CredentialsImpl.java:452)
     at com.wles.arme.CachingCredentialsImpl.accessAllowed(CachingCredentialsImpl.java:68)
     at com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.ARMEisAccessAllowed(AuthorizationProviderImpl.java:977)
     at com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.isAccessAllowed(AuthorizationProviderImpl.java:347)
     at com.bea.security.ssal.micro.MicroAuthorizationManagerWrapper.isAccessAllowed(MicroAuthorizationManagerWrapper.java:73)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed_internal(AuthorizationServiceImpl.java:914)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:745)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:668)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:622)
     at com.bea.security.AuthorizationService.isAccessAllowed(AuthorizationService.java:365)
     at oracle.security.am.common.policy.runtime.provider.oes.proxy.OESRuntimeProxy.wait4OESRuntimeDBPolicyRefreshCompletion(OESRuntimeProxy.java:263)
     at oracle.security.am.common.policy.runtime.provider.oes.proxy.OESRuntimeProxy.init(OESRuntimeProxy.java:193)
     at oracle.security.am.common.policy.runtime.provider.oes.OESPolicyRuntimeProvider.init(OESPolicyRuntimeProvider.java:167)
     at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.getNewInstance(PolicyRuntimeFactory.java:162)
     at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.init(PolicyRuntimeFactory.java:93)
     at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.getPolicyRuntime(PolicyRuntimeFactory.java:84)
     at oracle.security.am.common.policy.util.PolicyComponentLifecycle.initialize(PolicyComponentLifecycle.java:100)
     at oracle.security.am.lifecycle.ApplicationLifecycle.initComponentBootstrap(ApplicationLifecycle.java:156)
     at oracle.security.am.lifecycle.ApplicationLifecycle.contextInitialized(ApplicationLifecycle.java:86)
     at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:481)
     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
     at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
     at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:181)
     at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1868)
     at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:3154)
     at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1518)
     at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:484)
     at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
     at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
     at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
     at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
     at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:247)
     at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
     at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
     at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
     at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:27)
     at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:671)
     at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
     at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:212)
     at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:59)
     at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
     at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
     at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
     at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
     at weblogic.management.deploy.internal.DeploymentAdapter$1.doActivate(DeploymentAdapter.java:51)
     at weblogic.management.deploy.internal.DeploymentAdapter.activate(DeploymentAdapter.java:200)
     at weblogic.management.deploy.internal.AppTransition$2.transitionApp(AppTransition.java:30)
     at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:261)
     at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:220)
     at weblogic.management.deploy.internal.ConfiguredDeployments.activate(ConfiguredDeployments.java:169)
     at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:123)
     at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:180)
     at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:96)
     at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
We appreciate your support in solving the case. Thanks...
JLK
Edited by: JLK on Nov 30, 2012 9:43 AM

Hi Viju,
Did you executed the python script to register OPSS. If not then you will get the mentioned error:
I have mentioned couple of workarounds. Can you try those and let me know the results. Take the backup of your entire environment before you follow the steps:::
1. For the ARME issue patch can be applied for 11.1.2
OAM Bundle Patch Release History (Doc ID 736372.1)
Yes. This is a benign message. ( the ARME issue)
OAM 11R2 After Upgrade The Managed Server Start With Error ArmeRUNTIME Exception: Null (Doc ID 1509559.1)
The other issue is under investgation and is benign.
<oracle.adfinternal.view.faces.renderkit.rich.RegionRenderer> WARNING when accessing oamconsole (Doc ID 1511967.1)
The final message is spoken to here:
WLS 10.3.3: "Auto-Ref-By: WebApp" deployed as shared library is affecting other web applications. (Doc ID 1210393.1)
Action Plan:
=========
1. For the ARME issue patch can be applied for 11.1.2
OAM Bundle Patch Release History (Doc ID 736372.1)
Hope this helps.

Securing web services with Sun Access Manager

Hi!
I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: To install some kind of plugin into WLS or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
My questions are:
1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
2) Are there any documentation/tutorials/etc?
Thanks in advance :-)
Anders

what you need is a webservices agent that would enable you to "protect" your webservice provider, which I assume is on a BEA weblogic provider.
the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is "NOT" awebservices agent, but a normal J2EE policy agent.
So.. having said that. here's what I'd recommend.
1. install the webservices agent on bea weblogic. (note: NOT the J2EE policy agent)
2. configure it to use your access manager instance for authentication.
3. configure your webservices client to use the webservice provider. (note: you'd need the webservices APi's available on the client too... so the quick dirty method would be to install the webservices agent on your client too....) you can later bundle the webservices client independently and provide your"customers" with a webservices client bundle...
4. voila... your webservices are not "protected" by acces manager ;-)

Access Manager Policy Agent and Oracle AS

Hi,
my system uses Oracle Application Server. The security dept use Sun Access Manager. I need to integrate the security of the Oracle system with the policy agent. Where this gets a little confusing is that one of my developers tells me that this is difficult to implement and that Sun arent planning on supporting the Oracle AS in future.
What I would like is some clarification from the horses mouth so to speak. In particular is it possible to integrate the policy agent and Oracle AS, and are Sun committed to supporting and developing for this.
Thanks,
Andy.

"Where this gets a little confusing is that one of my developers tells me that this is difficult to implement"
"it is NOT an implementation but an integration ! difficult ? why ?"
"and that Sun arent planning on supporting the Oracle AS in future."
There is a PA 2.2 for Oracle 10g ! It is the latest version(2.2 I mean). I don't see any reasons why Sun should not continue. But it is ONLY my point of view...
"What I would like is some clarification from the horses mouth so to speak. In particular is it possible to integrate the policy agent and Oracle AS, and are Sun committed to supporting and developing for this."
Of course it is possible because you can find the PA that will integrate your Oracle AS with a Sun AM.
1) Please read the documentation.
http://docs.sun.com/app/docs/coll/1322.1
Download the one for Oracle and read also the user guide.
PA are very easy to integrate if you know what you do... Espec. und. the AM auth and sso... If you can be helped by a AM guy from your comp. it is welcome... It is a j2ee agent and of course the PA will make what is necessary to redirect you to AM at login time and later to auth. your request...2)
2) Download the soft and do the job :-)
Product Downloads
Sun Java System Access Manager Policy Agent 2.2 for Oracle Application Server 10g
http://www.sun.com/download/products.xml?id=455d52ed
I did plenty of int. with Sun/Bea/Tomcat AS(don't forget there are also webserver agents like Apache PA) with AM and it is not a big deal. Not Oracle, but it is an AS and I don't see why it should be difficult...
Hope this helps a bit.

Working with the BEA AquaLogic BPM Suite

Dev2Dev has just published an article:
Working with the BEA AquaLogic BPM Suite
http://dev2dev.bea.com/pub/a/2006/09/aqualogic-bpm.html
"Learn how the BEA AquaLogic BPM Suite can integrate business process management with existing infrastructure, including Web services, WebLogic Integration, and the AquaLogic Service Bus."
Check it out. If you'd like to write for Dev2Dev, please contact me!
Regards,
Jon
Jon Mountjoy - Editor, Dev2Dev - http://dev2dev.bea.com/pub/au/13

Hi Guys You solved my problem. The working code is:
TaskInstanceManager taskInstanceManager = createTaskInstanceManager();
DataObject taskOutput = taskDetail.getOutputDataObject();
DataObject output = taskOutput.createDataObject(0);
output.setBoolean("Approved",getApprove());
taskOutput.set(0, output);
taskInstanceManager.complete(getTaskId(), taskOutput);
Thanks for helping!
Best regards
Johannes
Edited by: jtrebess on Nov 21, 2011 9:12 PM

Alfresco+BEA Aqualogic(Oracle) BPM Suite Integration.

Hi,
I have two questions to ask:
1.Is BEA Aqua Logic BPM Suite now a part of Oracle BPM Suite or it still exists on its own as a separate entity.
2.I have requirement to integrate BEA Aqua logic(Oracle) BPM Suite with Alfresco to develop advance workflows created using BPM Suite on Alfresco.I have searched on web but not found anything much relevant.Can anybody help me out on how to do it?Is it possible or not?If yes,any link or documentation for the same would be highly appreciated.If no,please confirm the same also.
Thank You,
Regards,
J Lalit

thanks so much, it's of great help.
however, if i want to download the install file of the whole Oracle Business Process Management Suite, which files are required?
as i know, the whole OBPM Suite includes 5 products:
BEA AquaLogic BPM Studio/Server
Oracle BPEL Process Manager
Oracle Business Rules
Oracle Business Activity Monitoring
Oracle Process Portal
i checked
http://edelivery.oracle.com/EPD/Download/get_form?egroup_aru_number=9132671
http://www.oracle.com/technology/software/products/ias/bea_main.html
seems these products are listed seperately. and each product also includes many parts. i don't know which parts should download. especially we're going to intall on Linux 86.
thanks.

BEA AquaLogic? Interaction Collaboration Integration

Hello,
I'm trying to find a solution for integration of "BEA AquaLogic Interaction Collaboration" with "AquaLogic BPM Studio 5.7" without developing a custom JPD component.
Basically I'd like to assign tasks on the community portal as part of the workflow.
Can anyone recommend a product or document that would solve this problem?
Thank you!

ALUI does currently support Linux (both Red Hat & SuSE) with the the 6.0 SP1 version. The latest version (i.e. 6.1) will support Linux when the first Service Pack for 6.1 is released - tentatively scheduled for the first half of next year. ALUI 6.1 currently supports Windows, Solaris & AIX.
ALUI 6.1 is aligned with how BEA licenses other products where the product is essentially available to download and install for an evaluation period for free. Previous versions of ALUI (including 6.0 SP1) are only available for download for paying customers or partners. Correspondingly, only paying customers or partners can log into the ALUI support site.
The UI Customization Installer for 6.1 (for Windows) is currently available for download and eval from http://commerce.bea.com/showproduct.jsp?family=ALI&major=6.1&minor=0
john

WCI single sign on(SSO) configurations with Oracle Access Manager(OAM)

I have to integrate the oracle access manager with the WCI(ALUI) for the SSO implementation.What are the configurations required to implement SSO with oracle access manager in WCI/ALUI

Any answer to the last question on..?
No, better explain my query with 2 scenarios:
Scenario 1:
Usual scenario authentication of a user to a web application without the single web functionality on the acces single manager:
Login screen of the web application ====> Access to the web application home
Scenario 2:
Scenario authentication of a user to a single web application with web functionality on the acces single manager:
Login screen oracle access manager ====> Display login web application ====> Access to the web application home
My query is:
You can configure the functionality of single sign on to access manager with a web application that does not have its login screen of the web application. For example:
Login screen oracle access manager ====> Access to the web application home

BEA Aqualogic Developers Needed

Hello,
I am a recruiter in the local Minneapolis / St. Paul region and we are primary vendor to a major client located here in the Twin Cities. Our client is in very high demand for Aqualogic developers. If you are interested or know of somebody whom is interested please send me an e-mail at [email protected] Thanks. :-)

Hi, I was wondering if you could share how did you integrate Sun Access Manager with Aqualogic? In our scenario, we want Access Manager to do the authentication for the aqualogic portal(which is on websphere portal). We are using sun directory server as the user repository as well. Please let me know the steps you took to take care of the authentication process in your scenario. It will help us building ours. Thanks.

Installing Access Manager 7.1 in JBoss

Hello
From the Access Manager Release Notes: Web Containers supporting:
Sun Java System Web Server
Sun Java System Application Server
BEA WebLogic
IBM WebSphere Application Server
But, �Do anyone know if it's possible to install in Jboss or Apache Tomcat?
�have anyone do it?
Thank you

Hello
From the Access Manager Release Notes: Web Containers supporting:
Sun Java System Web Server
Sun Java System Application Server
BEA WebLogic
IBM WebSphere Application Server
But, �Do anyone know if it's possible to install in Jboss or Apache Tomcat?
�have anyone do it?
Thank you

Can not configure Access Manager

Hi all,
1. I istalled Sun java messaging server 6.
2. I edit amsamplesilent to prepare amsamplesilent.my:
# cd /opt/SUNWam/bin
#mv amsamplesilent amsamplesilent.my
3. I configure Access Manager:
#./amconfig -s amsamplesilent.my but get the following error:
# ./amconfig amsamplesilent.my
Usage: amconfig -s <silentinputfile>
./amconfig: Sourcing ./amutils
ln: cannot create /opt/SUNWam/lib/jaxrpc-spi.jar: File exists
chown: jaxrpc-spi.jar: No such file or directory
full install
./amdsconfig: Sourcing ./amutils
LD_LIBRARY_PATH is --- /usr/lib/mps/secv1:/usr/lib/mps/secv1:/usr/lib/mps/secv1:/opt/SUNWam/lib:/opt/SUNWam/ldaplib/ldapsdk
CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss3.jar:/opt/SUNWam/lib/am_sdk.jar
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 4
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 5
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 6
ERROR : Loading of Access Manager schema into the Directory failed
Starting the tag swapping of the install.ldif and installExisting.ldif
ROOT_SUFFIX is dc=iplanet,dc=com
People_NM_ROOT_SUFFIX is People_dc=iplanet_dc=com
SERVER_HOST sample.red.iplanet.com
DIRECTORY_SERVER sample.red.iplanet.com
DIRECTORY_PORT 389
USER_NAMING_ATTR uid
ORG_NAMING_ATTR o
CONSOLE_DEPLOY_URI /amconsole
ORG_OBJECT_CLASS sunismanagedorganization
RS_RDN iplanet
USER_OBJECT_CLASS inetorgperson
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
ERROR : Configuring/Loading of the default DIT in the Directory Server failed
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
Warning : Plugins and Indexes already exist.
./amsvcconfig: Sourcing ./amutils
LD_LIBRARY_PATH is --- /usr/lib/mps/secv1:/usr/lib/mps/secv1:/usr/lib/mps/secv1:/opt/SUNWam/lib:/opt/SUNWam/ldaplib/ldapsdk
CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss3.jar:/opt/SUNWam/lib/am_sdk.jar
ldap_simple_bind: Can't connect to the LDAP server - No route to host
Loading service schema XML files ...
Info 112: Entering ldapAuthenticate method!
Error 15: Cannot authenticate user.
LDAP authentication failed.
Error 9: Operation failed: Error 15: Cannot authenticate user.
Error occured while loading: /etc/opt/SUNWam/config/ums/ums.xml
./amws61config: Sourcing ./amutils
/opt/SUNWam/console.war: No such file or directory
current web app is applications
copying files from sunwamconsdk
Swapping tag swap in index.html files ...
Making amconsole.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/applications (/opt/SUNWam/amconsole.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/applications for /amconsole
wdeploy deploy -u /amconsole -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/applications /opt/SUNWam/amconsole.war
[wdeploy] The war file name is /opt/SUNWam/amconsole.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amconsole
/opt/SUNWam/services.war: No such file or directory
current web app is services
Swapping tag swap in index.html files ...
Making amserver.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/services (/opt/SUNWam/amserver.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/services for /amserver
wdeploy deploy -u /amserver -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/services /opt/SUNWam/amserver.war
[wdeploy] The war file name is /opt/SUNWam/amserver.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amserver
/opt/SUNWam/password.war: No such file or directory
current web app is password
Swapping tag swap in index.html files ...
Making ampassword.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/password (/opt/SUNWam/ampassword.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/password for /ampassword
wdeploy deploy -u /ampassword -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/password /opt/SUNWam/ampassword.war
[wdeploy] The war file name is /opt/SUNWam/ampassword.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /ampassword
/opt/SUNWam/introduction.war: No such file or directory
current web app is common
Swapping tag swap in index.html files ...
Making amcommon.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/common (/opt/SUNWam/amcommon.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/common for /amcommon
wdeploy deploy -u /amcommon -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/common /opt/SUNWam/amcommon.war
[wdeploy] The war file name is /opt/SUNWam/amcommon.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amcommon
Checking if Web Server is already configed with Access Manager
Configuring Web Server
Mime type: 'type=text/vnd.wap.wml' already exists: Skipping ....
Mime type: 'type=image/vnd.wap.wbmp' already exists: Skipping ....
I tried again but I still get this error.
Any Ideas for this problem?
Thanks.

ldap_simple_bind: Can't connect to the LDAP server - No route to host
i would consider this a fatal error.
The system cannot locate where your Directory Server is. "no route to host" means that it's trying to get to the host, but your networking isn't set up correctly, and it doesn't find any route to get to the specified host.

Can not login access manager

mail server version is JES messaging Server 6 2005Q4 :
My Access Manager:http://hostname:8080/amserver
last week, i login access manager, under the web label or configuration label�F
in "ldap" item�Ci add new dc=xx,dc=xx,dc=xx�C
then save configuration.
but after that i can not login access manager.
when i user admin login,it print:"
Authentication failed".
what should i do to restore access manage?
thanks!

javatoall wrote:
Hi,
I login Access Manager, access sample "realm" -> Authentication->
Advance Properties -> User profiles and then I choiced "Dynamic with user Alias".
Then I only configure JDBC authentication with mysql database that I don't used ldapservice.
When I created a one new user in MySQL, I can login into web application that i security as "sample.war" successfull but new user don't right access resource that i protected before.
When i login access manager with amdmin user, I can not find user that i has been created it in MySQL database. t
When the users are created through the dynamic profile, the default cn/sn are set to "default" , after creation you need to login to amconsole as amadmin and change/add proper values for these attributes.
Alternatively you can set the protected resource's policy subject to Authenticated users. This will work but not sure will meet your requirement
>
When i login access manager console with new user, it login successful, and view Profile of new user that I has been created.
Can you tell me How to manage new user that I has been new in MySQL by Access manager console ?
I want to configure access proteced resourse for that user. How to configure that ?
read above use the authenticated users subject
Thank for every help.
VinhND.

UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)

PREAMBULA: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc-links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
Is there some known bug or workaround that matches this description?
Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in UWC/CE web-interface. I have reported them before, then they seemed fixed (not occuring for several tests in a row), but as time has shown, something wrong is still there.
So I'll try to go into deeper detail now, as we've may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
Our setup is split into several Solaris 10 full-root zones hosted on several servers, some of the components are enroute to HA (perhaps we made some mistakes on this part of the way?)
So, we have the following software stack:
1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its servicess.
The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
# imsimta version
Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
"Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (i.e. www.mail.domain.ru which is equivalent in DNS), they have only the Address book, Calendar and Options tabs; no webmail. So far this is resolved by Policy Agent forcing The One name of the server.
Here's the configuration we did specifically for AM SSO:
1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
com.iplanet.am.cookie.encode=false
am.encryption.pwd=<the same value>
all hostname-related parameters point to "psam.domain.ru"
2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
3) in "msg.conf" on "sunmail" (entries added via configutil):
local.webmail.sso.amcookiename = iPlanetDirectoryPro
local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
local.webmail.sso.singlesignoff = yes
local.webmail.sso.uwcenabled = 1
service.http.ipsecurity = no
(perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
--- main.js.orig        Sat Jan 26 07:52:09 2008
+++ main.js     Mon Jul 21 01:06:29 2008
@@ -667,7 +667,8 @@
function cleanup() {
   if(laurel)
-      top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+//      top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+      top.window.location = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
   else
       exec('logout', '', 'exit()')
@@ -1707,7 +1708,8 @@
   if(lg) {
         url = document.location.href
         url = url.substr(0,url.indexOf('webmail'))
-        uwcurl = url + 'base/UWCMain?op=logout'
+//      uwcurl = url + 'base/UWCMain?op=logout'
+        uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
   exit()
}6) Calendar SSO - per docs...
According to ngrep sniffing,
1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
<Request><![CDATA[
<NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
<GetNamingProfile>
</GetNamingProfile>
</NamingRequest>]]>
</Request>
</RequestSet>(receives a large XML list of different Access Manager configuration parameters and URLs)
...then a double-request to /amserver/sessionservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="Session" reqid="686">
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="678">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]>
</Request>
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="679">
<AddSessionListener>
<URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</AddSessionListener>
</SessionRequest>]]>
</Request>
</RequestSet>As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
!!!*** Now, the problem part ***!!!
8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
For the most detail I can provide, I'll even paste the whole HTTP packet:
POST /amserver/sessionservice HTTP/1.1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
Content-type: text/xml;charset=UTF-8
Content-length: 336
Cache-control: no-cache
Pragma: no-cache
User-agent: Java/1.5.0_09
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Host: cos-psam-01.domain.ru
Client-ip: 194.xxx.xxx.xxx
Via: 1.1 https-weblb.domain.ru
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="258">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]></Request>
</RequestSet> The server's error response is apparent:
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 31 Jul 2008 05:49:50 GMT
Content-type: text/html
Transfer-encoding: chunked
19b
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="258">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
<GetSession>
<Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
</GetSession>
</SessionResponse>]]></Response>
</ResponseSet>On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
POST /amserver/sessionservice HTTP/1.1
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
Content-Type: text/xml;charset=UTF-8
Content-Length: 379
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.5.0_09
Host: psam.domain.ru
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="281">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
<SetProperty>
<SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
<Property name="uwcstatus" value="active"></Property>
</SetProperty>
</SessionRequest>]]></Request>
</RequestSet> ...and the response is OK:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="281">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
<SetProperty>
<OK></OK>
</SetProperty>
</SessionResponse>]]></Response>
</ResponseSet>

There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
The solution for these customers was the following:
=> AM server/client side:
Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
=> AM client (UWC) side:
- Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
<sun-web-app>
   <property name="encodeCookies" value="false"/>
   <session-config>
      <session-manager/>
   </session-config>
   <jsp-config/>
<property name="allowLinking" value="true" />
</sun-web-app>Regards,
Shane.

BEA Aqualogic / plumtree / ALUI - Access manager

Similar Messages

Maybe you are looking for