BSP - BW Webtemplate Session destroy

Hi, all
I have a question.
We use webtemplate by EP.
webtemplate is called by BSP.
Flow : EP -> BSP -> Web Template
1. EP SSO Method : User Mapping
2. BSP Session : Stateful
Problem is..
In BSP page,
p_page = '/sap/bw/BEx?sap-language=KO&bsplanguage=3E&CMD=LDOC'.
navigation->goto_page( p_page ).
After navigation->goto_page( p_page ), a popup window (login) is displayed..
But the Logon Ticket method is connected successfully.
what's the problem?
Please, Give me the solution!
Thanks & Best Regards..

to get the content from a html link, you can use CL_HTTP_CLIENT program.
the sample code would be something like below.
data: vref_httpclient        type ref to if_http_client,
      v_request              type string,
      v_response             type string.
call method cl_http_client=>create_by_url
     exporting
       url                = 'http://.....htm'
     importing
       client             = vref_httpclient
     exceptions
       argument_not_found = 1
       plugin_not_active  = 2
       internal_error     = 3
       others             = 4.
   if sy-subrc <> 0.
   endif.
call method vref_httpclient->send
  exceptions
    http_communication_failure = 1
    http_invalid_state         = 2.
call method vref_httpclient->receive
  exceptions
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3.
*  get response as character data
   v_response = vref_httpclient->response->get_cdata( ).
Regards
Raja

Similar Messages

  • Timeout of one session destroys the other

    Hi folks,
    I got a strange problem regarding sso and session lifetime, which drives me crazy.
    Well, I got two web apps which use FORM authentication which I like to use with sso enabled.
    sso seems to work fine for my two web-apps App-A and App-B, but when I close App-B, it happens that I have to login to App-A again, after a while.
    It looks as if the session times out even if I continue to work with the application.
    Once again. If I do the following steps:
    1. Starting App-A and login
    2. Starting App-B from App-A (it is linked there)
    3. Closing the browser window ([X] -Button) of App-B
    4. Going on to use App-A
    Then, after a while, I fall back to the login form of App-A, suddenly. The timespan until I have to login again seems to be the timeout of App-B
    How the hell can this be?!?

    OK, this is a very old thread and many things have changed since then.
    In the simplest case, you can just add a bit more logic for the third slider and expand on the above example by tst. Should be trivial. Have you tried?
    If you have LabVIEW 8.0 or higher, you could wrap the entire thing in an Xcontrol. This has the advantage that there will be no visible code on the diagram and the limits are even enforced if you change the sliders in edit mode.
    Maybe you don't need any of this. You could just have a control with three sliders, then sort the three outputs before handing them off to the rest of the code (See attached, LabVIEW 7.0).

  • Session destroy in jsp

    hi,
    is there a simple way to remove everything in a session?
    session.setAttribute("user",null);
    this is not an option because then I have to do this for everything
    any ideas?

    Check javax.servlet.http.HttpSession. You can use invalidate() but that will unbind the session also. Maybe you can loop through getAttributeNames() and removeAttribute(...) for each one
    HTH
    Mike
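
The two options named in the answer above, side by side, as an added example that is not code from the thread: `clearAttributes` empties a session but leaves its ID usable, while `logout` invalidates it so the old ID stops working. It assumes the `javax.servlet` API (Servlet 3.0 or later) on the classpath; the class and method names are hypothetical.

```java
import java.util.Collections;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/** Hypothetical helper class; not part of any library. */
public final class SessionReset {

    private SessionReset() { }

    /**
     * Removes every attribute but keeps the session (and its ID) alive.
     * Returns the number of attributes removed.
     */
    public static int clearAttributes(HttpSession session) {
        // Snapshot the names first: removing entries while walking the live
        // Enumeration can fail or skip entries, depending on the container.
        List<String> names = Collections.list(session.getAttributeNames());
        for (String name : names) {
            session.removeAttribute(name);
        }
        return names.size();
    }

    /**
     * Ends the session: unbinds all attributes and retires the session ID.
     * Returns false when the request carried no valid session.
     */
    public static boolean logout(HttpServletRequest request) {
        // getSession(false): never create a session just to destroy it.
        HttpSession session = request.getSession(false);
        if (session == null) {
            return false;
        }
        try {
            session.invalidate();
            return true;
        } catch (IllegalStateException alreadyInvalidated) {
            // Another request or the container's timeout got there first.
            return false;
        }
    }
}
```

For a logout action `logout` is the one to call; `clearAttributes` only resets application state and leaves the authenticated session ID valid.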

  • Destroy the session automatically when the browser is closed by user

    Is it possible to automatically destroy a session when the browser is closed by the user with the X?
    Basically, what we want to do is to create the same effect when the user is closing the browser (with the X button) as when the ordinary log out button is used. That is to have the session destroyed.
    Any ideas?
    /Carl-Johan

    Hope this helps...
    Refer note : 904155
    from SAP Note 904155----
    Symptom
    A BSP application is not terminated correctly when the user closes the browser window or navigates to other URL.
    The popup window, which appears on browse closure, contains the
    text representing <img> HTML element content in the escaped
    form, like that:
    <IMG WIDTH=quot; HEIGHT=quot; SRC="...
    After the popup disappears, the session remains opened.
    Since the session is not removed, that may result in database locks that still remain and can be found in transaction SM12.
    Other terms
    Business Server Pages, WebAS, sessionexit, session termination, SM12, SM04, SYSTEM, session_single_frame.htm
    Reason and Prerequisites
    Reason:
    The problem is caused by the minor code inconsistency in BSP application SYSTEM -> page SESSIONEXIT.HTM.
    Prerequisites:
    1. The application is using the SYSTEM application page SESSIONEXIT.HTM for logoff. When it runs, suddenly HTML source code appears on the logoff screen.
    2. SAP_BASIS 620 SP57 or SAP_BASIS 640 SP15 or SAP_BASIS 700 SP06 are installed.
    Solution
    Please install SAP_BASIS 620 SP58 or SAP_BASIS 640 SP16 or SAP_BASIS 700 SP07
    or
    apply the code correction as described below:
    1. Go to BSP Application SYSTEM.
    2. Select page SESSIONEXIT.HTM and turn on Change mode.
    3. Change the line:
    <%=application->session_exit( exit_url = app-exit_url namespace = app-appl_ns name = app-appl_name page = app-page_name )%>
    to:
    <%raw=application->session_exit( exit_url = app-exit_url namespace = app-appl_ns name = app-appl_name page = app-page_name )%>
    Arun
    P.S Assigning points is a way of saying thank you on SDN

  • IAC view and BSP iviews gives pop up for user id and password

    Hello All,
    I am facing a problem in quality portal.
    We have SSO configuration between Portal and ECC system and the Jco connection using SSO with login tickets are working fine, test and ping both are successful.
    The ESS and MSS webdynpro application are also working fine.
    But the IAC iviews and BSP iviews say "session managment will not work ! Please check the DMS log files for details" and then ask for user id and password of the ECC system, but the system alias that I am using is configured for SSO with logon tickets.
    The same iviews are working fine in the development system with system alias with SSO login tickets, but in QA it is asking for id and password ...
    I have checked all the system properties also FQDN of ECC system is also maintained.
    Please suggest what could be the issue ??
    Thank you,
    Regards,
    Gunja

    Hi,
    When messages about Session management popup then it is 99% an FQDN issue, but you say you already checked it.
    Did you also check the parameters:
    - ITS Host Name
    - Web AS Host Name
    ... in your system object?
    Cheers,
    B.

  • Session expired (timeout) without ADF Security using.

    Hello!
    I have a problem with my application in which i use own security realization without ADF Security using. I realized custom implementation of javax.servlet.http.HttpSessionListener interface, in which i log session creation and expiration events. On WebLogic I realized customDBMS authentification class. Session timeout defined in web.xml (<session-timeout>5</session-timeout>), in weblogic.xml session timeout not define.
    Problem description: when session expired (popup warning displayed before this) and press OK button in popup with session expired warning, I see what no any log about session destroying from my HttpSessionListener implementation, so I cant understand, what session expired and process this event in my servlet filter. So I stay at same page (but without data in tables, coz binding variables in VO queries is not defined). If I am not click OK in the popup and wait about minute, then appear a log message about the destroying the session from my HttpSessionListener implementation. Why is the delay between the appearance of warning session expired and the actual destroying of the session in WebLogic?
    I use JDeveloper 11.1.1.6.0, application deployed in integrated WebLogic 10.3.5.0

    Hi,
    "Why is the delay between the appearance of warning session expired and the actual destroying of the session in WebLogic?"
    Because warning is given about 2-3 min before session expire.
    That is why:
    "If I am not click OK in the popup and wait about minute, then appear a log message about the destroying the session from my HttpSessionListener implementation."

  • Session listener runs twice

    Hi!
    I have a session listener object in a Tomcat 5.0.19 container, which has the following simple method:
    public void sessionDestroyed(HttpSessionEvent e) {
        System.out.print("Session destroyed: ");
        System.out.println(e.getSession().getId());
    }
    My problem is, that this method is called two times after every session is destroyed. The other, sessionCreated() method runs only one time.
    Can anybody help me?
    Thank you in advance!
    Tomasits Ákos.

    For any Tomcat related questions/bugs, please use one of the following options:
    - File a bug at http://nagoya.apache.org/bugzilla/
    - Send email to [email protected]
    - Send email to [email protected]
    Thanks!
    Jan

  • Invalid session in FlexSessionListener.sessionDestroyed

    I'm implementing a FlexSessionListener like:
    public void sessionDestroyed(FlexSession flexSession) {
        if (LOG.isInfoEnabled()) {
            LOG.info("Flex session destroyed: " + flexSession
                    + " - "
                    + flexSession.getUserPrincipal());
        }
        unregisterSessions(flexSession); // accesses session attribute
        try {
            flexSession.removeSessionDestroyedListener(this);
        } catch (LocalizedException e) {
            LOG.warn("Error during sessionDestroyed for " + flexSession, e);
        }
    }
    Using the flexSession parameter causes exceptions, which is
    surprising at best.
    Accessing a session attribute causes this:
    flex.messaging.LocalizedException: The FlexSession is invalid.
    at flex.messaging.FlexSession.checkValid(FlexSession.java:515)
    at flex.messaging.FlexSession.getAttribute(FlexSession.java:269)
    at com.acesis.security.SessionRegistry.unregisterSessions(SessionRegistry.java:492)
    at com.acesis.security.SessionRegistry.sessionDestroyed(SessionRegistry.java:345)
    at flex.messaging.FlexSession.destroy(FlexSession.java:250)
    at flex.messaging.endpoints.rtmp.RTMPFlexSession.close(RTMPFlexSession.java:42)
    at flex.messaging.endpoints.rtmp.NIORTMPConnection.invalidateFlexSession(NIORTMPConnection.java:221)
    at flex.messaging.endpoints.rtmp.RTMPFlexSession.invalidate(RTMPFlexSession.java:47)
    at flex.messaging.security.LoginManager.logout(LoginManager.java:192)
    at flex.messaging.services.AuthenticationService.serviceCommand(AuthenticationService.java:65)
    at flex.messaging.MessageBroker.routeCommandToService(MessageBroker.java:622)
    at flex.messaging.endpoints.AbstractEndpoint.serviceMessage(AbstractEndpoint.java:298)
    at flex.messaging.endpoints.rtmp.AbstractRTMPServer.dispatchMessage(AbstractRTMPServer.java:682)
    at flex.messaging.endpoints.rtmp.NIORTMPConnection$RTMPReader.run(NIORTMPConnection.java:665)
    at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:643)
    at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:668)
    at java.lang.Thread.run(Thread.java:595)
    Removing the FlexSessionListener causes this:
    flex.messaging.LocalizedException: The FlexSession is invalid.
    at flex.messaging.FlexSession.checkValid(FlexSession.java:515)
    at flex.messaging.FlexSession.removeSessionDestroyedListener(FlexSession.java:372)
    at com.acesis.security.SessionRegistry.sessionDestroyed(SessionRegistry.java:347)
    at flex.messaging.FlexSession.destroy(FlexSession.java:250)
    at flex.messaging.endpoints.rtmp.RTMPFlexSession.close(RTMPFlexSession.java:42)
    at flex.messaging.endpoints.rtmp.NIORTMPConnection.invalidateFlexSession(NIORTMPConnection.java:221)
    at flex.messaging.endpoints.rtmp.RTMPFlexSession.invalidate(RTMPFlexSession.java:47)
    at flex.messaging.security.LoginManager.logout(LoginManager.java:192)
    at flex.messaging.services.AuthenticationService.serviceCommand(AuthenticationService.java:65)
    at flex.messaging.MessageBroker.routeCommandToService(MessageBroker.java:622)
    at flex.messaging.endpoints.AbstractEndpoint.serviceMessage(AbstractEndpoint.java:298)
    at flex.messaging.endpoints.rtmp.AbstractRTMPServer.dispatchMessage(AbstractRTMPServer.java:682)
    at flex.messaging.endpoints.rtmp.NIORTMPConnection$RTMPReader.run(NIORTMPConnection.java:665)
    at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:643)
    at edu.emory.mathcs.backport.java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:668)
    at java.lang.Thread.run(Thread.java:595)
    The FDS documentation doesn't specify that you cannot do
    anything with the flexSession in a sessionDestroyed call.
    The same code has worked, IIRC, in GMC 4. It seems that the
    behavior changed in GMC 5 or 6. I'm running the released bits now.
    Is this the intended behavior?
    Jürgen Failenschmid

    Hi Jürgen,
    The behavior for session destruction notification matches the
    behavior defined by the Servlet spec and its HttpSessionListener
    interface. The behavior is to notify session destroy listeners
    after all attributes have been unbound from the session and the
    session has been invalidated. My opinion is that the destroy
    listener hook as spec'ed isn't very useful (I'd have voted for
    pre/post hooks).
    If you want to do something on session shutdown, the safer
    approach is to create an instance of a class that implements the
    FlexSessionBindingListener interface on session creation and add it
    as an attribute on the new session. As long as no code removes this
    attribute from the session arbitrarily, when the session is
    destroyed this attribute will be unbound and its valueUnbound()
    callback will be invoked. You shouldn't base your logic in
    valueUnbound() on having access to attributes in the session,
    because other attributes may be unbound by the time your listener
    is unbound.
    Best,
    Seth
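
The binding-listener approach from the reply above, as an added example that is not code from the thread or from the Flex libraries. It uses the Servlet API counterparts (`HttpSessionListener`, `HttpSessionBindingListener`) of the Flex interfaces the reply names; the registry, class and attribute names are hypothetical, and the `javax.servlet` API is assumed on the classpath.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionBindingEvent;
import javax.servlet.http.HttpSessionBindingListener;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/** Hypothetical registry of live sessions; register it as a listener in web.xml. */
public class SessionRegistryListener implements HttpSessionListener {

    static final String TRACKER_ATTR =
            SessionRegistryListener.class.getName() + ".tracker";

    /** Session ID at creation time -> user name, for every session still bound. */
    static final Map<String, String> ACTIVE = new ConcurrentHashMap<>();

    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        // Binding the tracker triggers Tracker.valueBound().
        session.setAttribute(TRACKER_ATTR, new Tracker(session.getId()));
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        // Deliberately empty: cleanup runs in Tracker.valueUnbound().
    }

    /** Call after a successful login so the registry knows who owns the session. */
    public static void recordLogin(HttpSession session, String user) {
        Tracker tracker = (Tracker) session.getAttribute(TRACKER_ATTR);
        if (tracker != null) {
            tracker.user = user;
            ACTIVE.put(tracker.sessionId, user);
        }
    }

    /** Carries its own copy of everything the cleanup needs. */
    static final class Tracker implements HttpSessionBindingListener {
        private final String sessionId;
        private volatile String user = "anonymous";

        Tracker(String sessionId) {
            this.sessionId = sessionId;
        }

        @Override
        public void valueBound(HttpSessionBindingEvent event) {
            ACTIVE.put(sessionId, user);
        }

        @Override
        public void valueUnbound(HttpSessionBindingEvent event) {
            // Do not read other attributes through event.getSession():
            // they may already be unbound. Use only this object's fields.
            ACTIVE.remove(sessionId);
        }
    }
}
```

Because the tracker keeps the ID it was created with, the registry entry is removed on logout, timeout or explicit invalidation without touching the session object during teardown.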

  • How to forward automatically when session expires ?

    Hi Techies,
    whenever session expires , I want my struts action to forward to logout page automatically.
    I know we can do it by implementing sessionlistener(session destroyed method).
    But how to forward using action mapping .
    any solution is appreciated.
    Thanks,
    shekar

    Hi,
    the other method for this is to be prepared from the start of the making of the project:
    make an action class that extends the org.apache.struts.action.Action class,
    check all such types of things, i.e. the session, and redirect to the global forward's logout page and other required things.
    Always extend your own made action class, so that it has all the functionality of the Struts action and your own validation too.

  • Help:session control

    it seems that weblogic doesn't support global.jsa, and i want to control the session destroy event, what can i do?

    What you want to do is to plug a custom TableCellRenderer in for the JTable column that is supposed to display the image. In your case, you will want to take the ImageControl and subclass it so that it implements the TableCellRender interface.
    You can go the Java Developer Connection at java.sun.com and search the forum for posts on this topic. You can also go to http://manning.spindoczine.com/sbe/files/uts2/Chapter18html/Chapter18.htm for an example.

  • Stateful and Stateless BSP Application

    Hi Experts,
    I would like to know what a stateful/Stateles BSP Applicaiton means. I read the description given in help file but couldn't get the full idea behind it. Could anyone give a practical example for the same and explain. Thanks.
    Regards,
    Prabaharan

    Hi,
    A stateful BSP application is executed like a normal SAP transaction, – independent of all user interactions - in one single context (roll area). This means that data specified by the user during the application execution or data determined by the application itself is available potentially throughout the entire execution duration of the session.
    Since the HTTP protocol itself operates in stateless mode and knows no implicit mechanism to assign independent requests to a common logical session, the BSP runtime uses Session Cookies to group requests into one common session. The name of the cookie is sap-contextid, the validity area is restricted to the URL of the BSP application. This means that a BSP application can be executed within a browser only once at any one time. Different BSP applications can operate in parallel in the same browser. Multiple users/browsers can execute the same BSP application in parallel as often as required.
    Advantage
    The main advantage of stateful BSP applications is that they are simple to program. As usual, you have access to data determined previously and reading or re-calculating data can often be omitted. For database-intensive applications, this can lead to considerably better system performance compared to a procedure where identical read operations have to be executed for every request.
    Disadvantage
    This significant advantage is at the same time however a disadvantage – the improved runtime is offset by a larger memory requirement. The number of possible parallel sessions in an SAP Web Application Server is restricted not least by the amount of available memory space. When this space is exhausted, no further sessions can be started and users cannot log on
    Stateless BSP applications only block resources on the SAP Web Application Server during the time one single request is being processed. When the request has been processed, all resources in particular the application context are returned to the system for use in other requests.
    Stateless applications allow - at least from the viewpoint of the memory resource – optimal scaling regardless of the number of users. On the other hand, releasing the application context after every request may mean that identical data is read from the database and formatted multiple times. In this respect, the runtime may offset the memory saving. This should be evaluated and analyzed on a case by case basis.
    Rule of Thumb: Stateful or Stateless?
    As a rule of thumb, it is recommended that Internet scenarios used at the same time by a large number of users operate in stateless mode. Stateful programming is recommended for more complex applications that are used by a limited number of users in parallel and that operate with data that is expensive to determine.
    hope this helps.
    regards,
    keerthi.

  • Close session trigger event

    I would like to trigger an event after the session closes.
    I try to close the session by the following code.
    // in the button's action handler:
    FacesContext context = FacesContext.getCurrentInstance();
    HttpSession session = (HttpSession) context.getExternalContext().getSession(false);
    if (session != null) {
        session.invalidate();
    }
    Those events are triggered by a button, and I found that it can trigger an event in session.destroy(), but if I close the browser, session.destroy does not trigger.
    Can anyone help me to solve this problem?
    Thanks

    I put your code in button1_action() and put in some logging statements to verify that SessionBean1.destroy() is getting called. Indeed it is.
    First, upon initial render, the log output was:
    Page1 init called
    Page1 prerender called
    SessionBean1 init called
    Page1 destroy called
    Then, when I click the button, the output is:
    Page1 init called
    Page1 button1_action called
    SessionBean1 destroy called
    Page1 prerender called
    SessionBean1 init called
    Page1 destroy called
    Did you mean, why doesn't SessionBean1.destroy get called when you simply close the browser window without clicking the button? Of course, just closing the browser window would not invalidate the session. You must explicitly invalidate the session, or wait for it to time out.

  • IIS 6.0 Policyagent not working with AM loadbalancer

    Trying to enable SSO for IIS 6.0 website running on port 80 with Access manager 7.0. AM loadbalancer URL is configured on OracleAS webcache.
    Everything works fine when policyagent is configured with one of the AM servers instead of load balancer URL. But when configured with AM loadbalancer URL a blank page gets displayed after user gives his credentials on the AM authentication page and submits. Below is the error part of log generated at policyagent's end.
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <RequestSet vers="1.0" svcid="auth" reqid="0">
    <Request><![CDATA[<?xml version="1.0" encoding="UTF-8"?><AuthContext version="1.0">
    <Request authIdentifier="0"><NewAuthContext orgName="/"/></Request></AuthContext>]]></Request>
    </RequestSet>
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: BaseService::sendRequest Request line: POST /amserver/authservice HTTP/1.0
    2008-04-21 19:08:04.556 Debug 2160:18ef080 AuthService: BaseService::sendRequest Cookie and Headers =Host: am.xxxx.com
    2008-04-21 19:08:04.556 Debug 2160:18ef080 AuthService: BaseService::sendRequest Content-Length =Content-Length: 296
    2008-04-21 19:08:04.556 Debug 2160:18ef080 AuthService: BaseService::sendRequest Header Suffix =Accept: text/xml
    Content-Type: text/xml; charset=UTF-8
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: BaseService::sendRequest(): Total chunks: 9.
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: BaseService::sendRequest(): Sent 9 chunks.
    2008-04-21 19:08:04.556 Debug 2160:18ef080 AuthService: HTTP Status = 404 (Not Found)
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Http::Response::readAndParse(): Reading headers.
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Content-Type: text/html; charset=iso-8859-1
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Connection: Close
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Server: Oracle-Application-Server-10g/10.1.2.2.0 Oracle-HTTP-Server OracleAS-Web-Cache-10g/10.1.2.2.0 (N;ecid=1254975795829,0)
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Date: Mon, 21 Apr 2008 13:38:04 GMT
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Http::Response::readAndParse(): Reading body content of length: 73435745963999573
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 all: Connection::waitForReply(): returns with status success.
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: Http::Response::readAndParse(): Completed processing the response with status: success
    2008-04-21 19:08:04.556MaxDebug 2160:18ef080 AuthService: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <HTML><HEAD>
    <TITLE>404 Not Found</TITLE>
    </HEAD><BODY>
    <H1>Not Found</H1>
    The requested URL /amserver/authservice was not found on this server.<P>
    <HR>
    <ADDRESS>Oracle-Application-Server-10g/10.1.2.2.0 Oracle-HTTP-Server Server at INTRANET-WC.xxxx.COM Port 7777</ADDRESS>
    </BODY></HTML>
    Any idea why it is looking for /amserver/authservice context on the webcache??
    Thanks

    com.sun.am.cookie.name = iPlanetDirectoryPro
    # If this property is set to true the cookies set by the agent
    # will be marked secure and will only be transmitted if the
    # communications channel with the host is a secure one.
    com.sun.am.cookie.secure = false
    # The URL for the Access Manager Naming service.
    com.sun.am.naming.url = http://<Loadbalancerhostname>:7777/amserver/namingservice http://<Loadbalancerhostname>:7777/amserver/namingservice
    com.sun.am.ignore.naming_service = true
    # The URL of the login page on the Access Manager.
    com.sun.am.policy.am.login.url = http://<Loadbalancerhostname>:7777/amserver/UI/Login http://<Loadbalancerhostname>:7777/amserver/UI/Login
    # Name of the file to use for logging messages.
    com.sun.am.policy.agents.config.local.log.file = D:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1/amAgent
    # This property is used for Log Rotation. The value of the property specifies
    # whether the agent deployed on the server supports the feature of not. If set
    # to false all log messages are written to the same file.
    com.sun.am.policy.agents.config.local.log.rotate = true
    # Name of the Access Manager log file to use for logging messages to
    # Access Manager.
    # Just the name of the file is needed. The directory of the file
    # is determined by settings configured on the Access Manager.
    com.sun.am.policy.agents.config.remote.log = amAuthLog.<Protectedserverhostname>.80
    com.sun.am.log.level = all:5
    # The org, username and password for Agent to login to AM.
    com.sun.am.policy.am.username = lmsagent1
    com.sun.am.policy.am.password = HCuUvbq+uuVQ0LA9cDZUsw==
    # Name of the directory containing the certificate databases for SSL.
    com.sun.am.sslcert.dir = D:/Sun/Access_Manager/Agents/2.2/iis6/cert
    # Set this property if the certificate databases in the directory specified
    # by the previous property have a prefix.
    com.sun.am.certdb.prefix =
    # Should agent trust all server certificates when Access Manager
    # is running SSL?
    # Possible values are true or false.
    com.sun.am.trust_server_certs = true
    # Should the policy SDK use the Access Manager notification
    # mechanism to maintain the consistency of its internal cache? If the value
    # is false, then a polling mechanism is used to maintain cache consistency.
    # Possible values are true or false.
    com.sun.am.notification.enable = true
    # URL to which notification messages should be sent if notification is
    # enabled, see previous property.
    com.sun.am.notification.url = http://<Protectedserverhostname>:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
    # This property determines whether URL string case sensitivity is
    # obeyed during policy evaluation
    com.sun.am.policy.am.url_comparison.case_ignore = true
    # This property determines the amount of time (in minutes) a policy entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.policy.am.polling.interval=3
    # This property determines the amount of time (in minutes) an sso entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.sso.polling.period=3
    # This property allows the user to configure the User Id parameter passed
    # by the session information from the access manager. The value of User
    # Id will be used by the agent to set the value of REMOTE_USER server
    # variable. By default this parameter is set to "UserToken"
    com.sun.am.policy.am.userid.param=UserToken
    # Profile attributes fetch mode
    # String attribute mode to specify if additional user profile attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user profile attributes will be introduced.
    # HTTP_HEADER - additional user profile attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user profile attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.profile.attribute.fetch.mode=HTTP_HEADER
    # The user profile attributes to be added to the HTTP header. The
    # specification is of the format ldap_attribute_name|http_header_name[,...].
    # ldap_attribute_name is the attribute in data store to be fetched and
    # http_header_name is the name of the header to which the value needs
    # to be assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.profile.attribute.map=myuid|my_uid,cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    # Session attributes mode
    # String attribute mode to specify if additional user session attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user session attributes will be introduced.
    # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
    # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
    # The session attributes to be added to the HTTP header. The specification is
    # of the format session_attribute_name|http_header_name[,...].
    # session_attribute_name is the attribute in session to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.session.attribute.map=
    # Response Attribute Fetch Mode
    # String attribute mode to specify if additional user response attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user response attributes will be introduced.
    # HTTP_HEADER - additional user response attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user response attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
    # The response attributes to be added to the HTTP header. The specification is
    # of the format response_attribute_name|http_header_name[,...].
    # response_attribute_name is the attribute in policy response to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.response.attribute.map=
    # indicate where a load balancer is used for Access Manager
    # services.
    # true | false
    com.sun.am.load_balancer.enable = true
    ####Agent Configuration####
    # this is for product versioning, please do not modify it
    com.sun.am.policy.agents.config.version=2.2
    # Set the url access logging level. the choices are
    # LOG_NONE - do not log user access to url
    # LOG_DENY - log url access that was denied.
    # LOG_ALLOW - log url access that was allowed.
    # LOG_BOTH - log url access that was allowed or denied.
    com.sun.am.policy.agents.config.audit.accesstype = LOG_BOTH
    # Agent prefix
    com.sun.am.policy.agents.config.agenturi.prefix = http://<Protectedserverhostname>:80/amagent
    # Locale setting.
    com.sun.am.policy.agents.config.locale = en_US
    # The unique identifier for this agent instance.
    com.sun.am.policy.agents.config.instance.name = unused
    # Do SSO only
    # Boolean attribute to indicate whether the agent will just enforce user
    # authentication (SSO) without enforcing policies (authorization)
    com.sun.am.policy.agents.config.do_sso_only = true
    # The URL of the access denied page. If no value is specified, then
    # the agent will return an HTTP status of 403 (Forbidden).
    com.sun.am.policy.agents.config.accessdenied.url =
    # This property indicates if FQDN checking is enabled or not.
    com.sun.am.policy.agents.config.fqdn.check.enable = true
    # Default FQDN is the fully qualified hostname that the users should use
    # in order to access resources on this web server instance. This is a
    # required configuration value without which the Web server may not
    # startup correctly.
    # The primary purpose of specifying this property is to ensure that if
    # the users try to access protected resources on this web server
    # instance without specifying the FQDN in the browser URL, the Agent
    # can take corrective action and redirect the user to the URL that
    # contains the correct FQDN.
    # This property is set during the agent installation and need not be
    # modified unless absolutely necessary to accommodate deployment
    # requirements.
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
    # com.sun.am.policy.agents.config.fqdn.map
    com.sun.am.policy.agents.config.fqdn.default = <Protectedserverhostname>
    # The FQDN Map is a simple map that enables the Agent to take corrective
    # action in the case where the users may have typed in an incorrect URL
    # such as by specifying partial hostname or using an IP address to
    # access protected resources. It redirects the browser to the URL
    # with fully qualified domain name so that cookies related to the domain
    # are received by the agents.
    # The format for this property is:
    # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
    # This property can also be used so that the agents use the name specified
    # in this map instead of the web server's actual name. This can be
    # accomplished by doing the following.
    # Say you want your server to be addressed as xyz.hostname.com whereas the
    # actual name of the server is abc.hostname.com. The browser only knows
    # xyz.hostname.com and you have specified policies using xyz.hostname.com at
    # the Access Manager policy console, in this file set the mapping as
    # com.sun.am.policy.agents.config.fqdn.map = valid|xyz.hostname.com
    # Another example is if you have multiple virtual servers say rst.hostname.com,
    # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
    # abc.hostname.com and each of the virtual servers have their own policies
    # defined, then the fqdnMap should be defined as follows:
    # com.sun.am.policy.agents.config.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    com.sun.am.policy.agents.config.fqdn.map =
    # Cookie Reset
    # This property must be set to true, if this agent needs to
    # reset cookies in the response before redirecting to
    # Access Manager for Authentication.
    # By default this is set to false.
    # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
    com.sun.am.policy.agents.config.cookie.reset.enable=false
    # This property gives the comma separated list of Cookies, that
    # need to be included in the Redirect Response to Access Manager.
    # This property is used only if the Cookie Reset feature is enabled.
    # The Cookie details need to be specified in the following Format
    # name[=value][;Domain=value]
    # If "Domain" is not specified, then the default agent domain is
    # used to set the Cookie.
    # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
    # token=value;Domain=subdomain.domain.com
    com.sun.am.policy.agents.config.cookie.reset.list=
    # This property gives the space separated list of domains in
    # which cookies have to be set in a CDSSO scenario. This property
    # is used only if CDSSO is enabled.
    # If this property is left blank then the fully qualified cookie
    # domain for the agent server will be used for setting the cookie
    # domain. In such case it is a host cookie instead of a domain cookie.
    # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
    com.sun.am.policy.agents.config.cookie.domain.list=
    # user id returned if accessing global allow page and not authenticated
    com.sun.am.policy.agents.config.anonymous_user=anonymous
    # Enable/Disable REMOTE_USER processing for anonymous users
    # true | false
    com.sun.am.policy.agents.config.anonymous_user.enable=false
    # Not enforced list is the list of URLs for which no authentication is
    # required. Wildcards can be used to define a pattern of URLs.
    # The URLs specified may not contain any query parameters.
    # Each service have their own not enforced list. The service name is suffixed
    # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
    # for a particular service. SPACE is the separator between the URL.
    com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
    # Boolean attribute to indicate whether the above list is a not enforced list
    # or an enforced list; When the value is true, the list means enforced list,
    # or in other words, the whole web site is open/accessible without
    # authentication except for those URLs in the list.
    com.sun.am.policy.agents.config.notenforced_list.invert = false
    # Not enforced client IP address list is a list of client IP addresses.
    # No authentication and authorization are required for the requests coming
    # from these client IP addresses. The IP address must be in the form of
    # eg: 192.168.12.2 1.1.1.1
    com.sun.am.policy.agents.config.notenforced_client_ip_list =
    # Enable POST data preservation; By default it is set to false
    com.sun.am.policy.agents.config.postdata.preserve.enable = false
    # POST data preservation : POST cache entry lifetime in minutes,
    # After the specified interval, the entry will be dropped
    com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.config.cdsso.enable=false
    # This is the URL the user will be redirected to for authentication
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.config.cdcservlet.url =
    # Enable/Disable client IP address validation. This validation
    # checks whether subsequent browser requests come from the
    # same IP address that the SSO token was initially issued against.
    com.sun.am.policy.agents.config.client_ip_validation.enable = false
    # Below properties are used to define cookie prefix and cookie max age
    com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
    com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
    # Logout URL - application's Logout URL.
    # This URL is not enforced by policy.
    # if set, agent will intercept this URL and destroy the user's session,
    # if any. The application's logout URL will be allowed whether or not
    # the session destroy is successful.
    com.sun.am.policy.agents.config.logout.url=
    # Any cookies to be reset upon logout in the same format as cookie_reset_list
    com.sun.am.policy.agents.config.logout.cookie.reset.list =
    # By default, when a policy decision for a resource is needed,
    # agent gets and caches the policy decision of the resource and
    # all resource from the root of the resource down, from the Access Manager.
    # For example, if the resource is http://host/a/b/c, the root of the
    # resource is http://host/. This is because more resources from the
    # same path are likely to be accessed subsequently.
    # However this may take a long time the first time if there
    # are many many policies defined under the root resource.
    # To have agent get and cache the policy decision for the resource only,
    # set the following property to false.
    com.sun.am.policy.am.fetch_from_root_resource = true
    # Whether to get the client's hostname through DNS reverse lookup for use
    # in policy evaluation.
    # It is true by default, if the property does not exist or if it is
    # any value other than false.
    com.sun.am.policy.agents.config.get_client_host_name = true
    # The following property is to enable native encoding of
    # ldap header attributes forwarded by agents. If set to true
    # agent will encode the ldap header value in the default
    # encoding of OS locale. If set to false ldap header values
    # will be encoded in UTF-8
    com.sun.am.policy.agents.config.convert_mbyte.enable = false
    # The following property is to enable encoding of URL special
    # chars, if any. If set to true agent will encode URL special
    # characters before sending for policy evaluation.
    com.sun.am.policy.agents.config.encode_url_special_chars.enable = false
    #When the not enforced list or policy has a wildcard '*' character, agent
    #strips the path info from the request URI and uses the resulting request
    #URI to check against the not enforced list or policy instead of the entire
    #request URI, in order to prevent someone from getting access to any URI by
    #simply appending the matching pattern in the policy or not enforced list.
    #For example, if the not enforced list has the value http://host/*.gif,
    #stripping the path info from the request URI will prevent someone from
    #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
    #However when a web server (for example apache) is configured to be a reverse
    #proxy server for a J2EE application server, path info is interpreted in a different
    #manner since it maps to a resource on the proxy instead of the app server.
    #This prevents the not enforced list or policy from being applied to part of
    #the URI below the app server path if there is a wildcard character. For example,
    #if the not enforced list has value http://host/webapp/servcontext/* and the
    #request URL is http://host/webapp/servcontext/example.jsp the path info
    #is /servcontext/example.jsp and the resulting request URL with path info stripped
    #is http://host/webapp, which will not match the not enforced list. By setting the
    #following property to true, the path info will not be stripped from the request URL
    #even if there is a wildcard character in the not enforced list or policy.
    #Be aware though that if this is set to true there should be nothing following the
    #wildcard character '*' in the not enforced list or policy, or the
    #security loophole described above may occur.
    com.sun.am.policy.agents.config.ignore_path_info = false
    # Override the request url given by the web server with
    # the protocol, host or port of the agent's uri specified in
    # the com.sun.am.policy.agents.config.agenturi.prefix property.
    # These may be needed if the agent is sitting behind a ssl off-loader,
    # load balancer, or proxy, and either the protocol (HTTP scheme),
    # hostname, or port of the machine in front of agent which users go through
    # is different from the agent's protocol, host or port.
    com.sun.am.policy.agents.config.override_protocol =
    com.sun.am.policy.agents.config.override_host =
    com.sun.am.policy.agents.config.override_port =
    # Override the notification url in the same way as other request urls.
    # Set this to true if any one of the override properties above is true,
    # and if the notification url is coming through the proxy or load balancer
    # in the same way as other request url's.
    com.sun.am.policy.agents.config.override_notification.url =
    # The following property defines how long to wait in attempting
    # to connect to an Access Manager AUTH server.
    # The default value is 2 seconds. This value needs to be increased
    # when receiving the error "unable to find active Access Manager Auth server"
    com.sun.am.policy.agents.config.connection_timeout =
    # Time in milliseconds the agent will wait to receive the
    # response from Access Manager. After the timeout, the connection
    # will be dropped.
    # A value of 0 means that the agent will wait until receiving the response.
    # WARNING: Invalid value for this property can result in
    # the resources becoming inaccessible.
    com.sun.am.receive_timeout = 0
    # The following property in milliseconds indicates how long the
    # socket connection needs to be kept open.
    # The default value is 0 which implies no timeout.
    com.sun.am.connect_timeout = 0
    # This property determines the amount of time (in minutes) after which
    # the agent polls whether the primary server is up and running.
    # The default value is 5 minutes
    com.sun.am.poll_primary_server = 5
    # Indicate if the socket option TCP_NODELAY should be enabled.
    # Possible values are true or false. Default is false
    com.sun.am.tcp_nodelay.enable = false
    com.sun.am.policy.agents.config.locale = en_US
    # Set the IIS filter priority. The choices are
    # HIGH - IIS5 filter priority is HIGH.
    # LOW - IIS5 filter priority is LOW.
    # MEDIUM - IIS5 filter priority is MEDIUM.
    # DEFAULT - IIS5 filter priority is DEFAULT.
    com.sun.am.policy.agents.config.iis.filter_priority = HIGH
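
An added example, not part of the original post or of the agent's own code: a small audit of the settings in the file above that let requests through without authentication (`notenforced_list`, `notenforced_list.invert`, `notenforced_client_ip_list`, `ignore_path_info`). The sample file contents and the simplified `*` matcher are assumptions constructed for illustration; the agent's real matching logic is not shown on this page.

```python
import re

PREFIX = "com.sun.am.policy.agents.config."

# Constructed sample in the format of the agent file above (not the poster's values).
SAMPLE = """\
# constructed sample
com.sun.am.policy.agents.config.notenforced_list = http://host/public/* http://host/*.gif
com.sun.am.policy.agents.config.notenforced_list.invert = false
com.sun.am.policy.agents.config.notenforced_client_ip_list = 192.168.12.2
com.sun.am.policy.agents.config.ignore_path_info = true
"""


def parse_properties(text):
    """Read 'key = value' lines, skipping blanks and '#' comments.

    Line continuation with a trailing backslash is not handled here.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_true(props, name):
    """True when the named agent property is set to 'true'."""
    return props.get(PREFIX + name, "").lower() == "true"


def text_after_wildcard(pattern):
    """True when something other than '*' follows a '*' in the pattern."""
    return "*" in pattern.rstrip("*")


def wildcard_match(pattern, url):
    """Simplified matcher (assumption): '*' matches any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None


def audit(props):
    """Return (property, finding) pairs for settings that widen unauthenticated access."""
    findings = []
    patterns = props.get(PREFIX + "notenforced_list", "").split()
    # The file's comment: with ignore_path_info = true, nothing may follow '*'.
    if is_true(props, "ignore_path_info"):
        for p in patterns:
            if text_after_wildcard(p):
                findings.append(("ignore_path_info",
                                 "pattern %s has text after '*' while path info is not stripped" % p))
    # invert = true turns the list into an enforced list; everything else is open.
    if is_true(props, "notenforced_list.invert"):
        findings.append(("notenforced_list.invert",
                         "list is inverted: every URL outside it is served without authentication"))
    # Requests from these addresses skip authentication and authorization.
    ips = props.get(PREFIX + "notenforced_client_ip_list", "").split()
    if ips:
        findings.append(("notenforced_client_ip_list",
                         "no authentication or authorization for: " + ", ".join(ips)))
    return findings


def demo_match():
    """The comment's own example: full URL vs. URL with the part from '?' removed."""
    pattern, url = "http://host/*.gif", "http://host/index.html?hack.gif"
    return wildcard_match(pattern, url), wildcard_match(pattern, url.split("?", 1)[0])


if __name__ == "__main__":
    for prop, finding in audit(parse_properties(SAMPLE)):
        print(prop + ": " + finding)
    print("unstripped match, stripped match:", demo_match())
```

With the values actually posted above (`ignore_path_info = false`, `invert = false`, empty client IP list) the audit reports nothing.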

  • Naming Services cannot work well!!!

    Hi,
    I have configured the AM2005Q4 and Policy agent with Apache. The Apache http.conf file looks like this:
    ProxyRequests Off
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>
    ProxyPass /hzycportal http://exchange.hzliqun.com:8013/hzycportal
    ProxyPassReverse /hzycportal http://exchange.hzliqun.com:8013/hzycportal
    When I type http://exchange.hzliqun.com:8080/hzycportal in IE and enter the user/password, it cannot reach the application system. The agent debug log looks like this:
    2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: HTTP Status = 200 (OK)
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Http::Response::readAndParse(): Reading headers.
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Server: Sun-Java-System-Web-Server/6.1
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Date: Mon, 21 Nov 2005 02:22:18 GMT
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Content-type: text/html
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Connection: close
    2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: Http::Response::readAndParse(): No content length in response.
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 all: Connection::waitForReply(): returns with status success.
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: Http::Response::readAndParse(): Completed processing the response with status: success
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <ResponseSet vers="1.0" svcid="com.iplanet.am.naming" reqid="2922">
    <Response><![CDATA[<NamingResponse vers="1.0" reqid="2916">
    <GetNamingProfile>
    <Exception>SessionID ---AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23---is Invalid</Exception>
    </GetNamingProfile>
    </NamingResponse>]]></Response>
    </ResponseSet>
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: NamingService()::parseNamingResponse(): Buffer to be parsed: <NamingResponse vers="1.0" reqid="2916">
    <GetNamingProfile>
    <Exception>SessionID ---AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23---is Invalid</Exception>
    </GetNamingProfile>
    </NamingResponse>
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 NamingService: NamingService::parseNamingResponse(): Got Exception in XML.
    2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: NamingService::parseNamingResponse() returning with status invalid session.
    2005-11-21 10:23:07.578 Debug 460:82f3d8 NamingService: NamingService()::getProfile() returning with error code invalid session.
    2005-11-21 10:23:07.578 Info 460:82f3d8 PolicyEngine: am_policy_evaluate: InternalException in Service::update_policy with error message:Naming query failed. and code:18
    2005-11-21 10:23:07.578 Warning 460:82f3d8 PolicyAgent: am_web_is_access_allowed()(http://exchange.hzliqun.com:8080/hzycportal, GET) denying access: status = invalid session
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_is_access_allowed(): Successfully logged to remote server for GET action by user unknown user to resource http://exchange.hzliqun.com:8080/hzycportal.
    2005-11-21 10:23:07.578 Info 460:82f3d8 PolicyAgent: am_web_is_access_allowed()(http://exchange.hzliqun.com:8080/hzycportal, GET) returning status: invalid session.
    2005-11-21 10:23:07.578 Info 460:82f3d8 PolicyAgent: process_request(): Access check for URL http://exchange.hzliqun.com:8080/hzycportal returned invalid session.
    2005-11-21 10:23:07.578 MaxDebug 460:82f3d8 PolicyAgent: am_web_get_url_to_redirect(): goto URL is http://exchange.hzliqun.com:8080/hzycportal
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_get_url_to_redirect: Before invoking find_active_login_server()
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: is_server_alive(): Connection timeout set to 2
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_get_url_to_redirect: After invoking find_active_login_server()
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: process_access_redirect(): get redirect url returned AM_SUCCESS, redirect url [http://sunam1.hzliqun.com:80/amserver/UI/Login?goto=http%3A%2F%2Fexchange.hzliqun.com%3A8080%2Fhzycportal].
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: process_access_redirect(): returning web result AM_WEB_RESULT_REDIRECT.
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: process_request(): returning web result AM_WEB_RESULT_REDIRECT, data [http://sunam1.hzliqun.com:80/amserver/UI/Login?goto=http%3A%2F%2Fexchange.hzliqun.com%3A8080%2Fhzycportal]
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_process_request(): Rendering web result AM_WEB_RESULT_REDIRECT
    2005-11-21 10:23:07.578 Debug 460:82f3d8 PolicyAgent: am_web_process_request(): render result function returned AM_SUCCESS.
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: get_request_url(): Host: exchange.hzliqun.com:8080
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: get_request_url(): Port is 8080.
    2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: get_request_url(): Returning request URL http://exchange.hzliqun.com:8080/hzycportal.
    2005-11-21 10:23:07.593 Warning 460:82f3d8 PolicyAgent: get_method_num(): Apache request method number did not match method string. Setting method number to match method string GET.
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: am_web_is_notification(), http://exchange.hzliqun.com:8080/hzycportal is not notification url http://exchange.hzliqun.com:8080/amagent/UpdateAgentCacheServlet?shortcircuit=false.
    2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: find_cookie(): cookie found: header [JSESSIONID=D835480D9BBF3902D562A596CC05E953; iPlanetDirectoryPro=AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%253D%2540AAJTSQACMDE%253D%2523] name [iPlanetDirectoryPro=AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%253D%2540AAJTSQACMDE%253D%2523] val [AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%253D%2540AAJTSQACMDE%253D%2523] val_len [78] next_cookie [NULL]
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: am_web_is_access_allowed(): processing url http://exchange.hzliqun.com:8080/hzycportal.
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 PolicyAgent: FqdnHandler::isValidFqdnResource() Resource => http://exchange.hzliqun.com:8080/hzycportal, is valid => true
    2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: am_web_is_access_allowed(): client_ip 10.44.202.218 not found in client ip not enforced list
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 AM_POLICY_SERVICE_NAME: am_policy_compare_urls(): compare usePatterns=true returned 3
    2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: in_not_enforced_list: enforcing access control for http://exchange.hzliqun.com:8080/hzycportal
    2005-11-21 10:23:07.593 Debug 460:82f3d8 PolicyAgent: set_host_ip_in_env_map: map_insert: client_ip=10.44.202.218
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 ServiceEngine: Executing update_policy(AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23, http://exchange.hzliqun.com:8080/hzycportal, GET, 2)
    2005-11-21 10:23:07.593 Debug 460:82f3d8 all: cookieList is not empty
    2005-11-21 10:23:07.593 Debug 460:82f3d8 all: Exit from buildCookieHeader
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="2923">
    <Request><![CDATA[
    <NamingRequest vers="1.0" reqid="2917" sessid="AQIC5wM2LY4SfcwdVekzKyVgAc5xMpqj1O8RFjf768vqC4w%3D%40AAJTSQACMDE%3D%23">
    <GetNamingProfile>
    </GetNamingProfile>
    </NamingRequest>]]>
    </Request>
    </RequestSet>
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: BaseService::sendRequest Request line: POST /amserver/namingservice HTTP/1.0
    2005-11-21 10:23:07.593 Debug 460:82f3d8 NamingService: BaseService::sendRequest Cookie and Headers =Host: sunam1.hzliqun.com
    2005-11-21 10:23:07.593 Debug 460:82f3d8 NamingService: BaseService::sendRequest Content-Length =Content-Length: 346
    2005-11-21 10:23:07.593 Debug 460:82f3d8 NamingService: BaseService::sendRequest Header Suffix =Accept: text/xml
    Content-Type: text/xml; charset=UTF-8
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: BaseService::sendRequest(): Total chunks: 7.
    2005-11-21 10:23:07.593 MaxDebug 460:82f3d8 NamingService: BaseService::sendRequest(): Sent 7 chunks.
    And it will recycle these processes. From the logs, it seems that it cannot get the correct naming services. But the agent configuration is correct, and it looks like this:
    # $Id: AMAgent.properties,v 1.86.2.6 2005/10/25 18:14:11 dknab Exp $
    # Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
    # U.S. Government Rights - Commercial software. Government users are
    # subject to the Sun Microsystems, Inc. standard license agreement and
    # applicable provisions of the FAR and its supplements. Use is subject to
    # license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
    # trademarks or registered trademarks of Sun Microsystems, Inc. in the
    # U.S. and other countries.
    # Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
    # U.S. Government Rights, government users - commercial software.
    # Government users are subject to the Sun Microsystems, Inc. standard
    # license agreement, as well as to the applicable provisions of the
    # FAR (Federal Acquisition Regulations) and its supplements.
    # Distributed under licenses that restrict its use. Sun, Sun
    # Microsystems, the Sun logo and Sun ONE are trademarks or registered
    # trademarks of Sun Microsystems, Inc. in the United States and
    # other countries.
    # The syntax of this file is that of a standard Java properties file,
    # see the documentation for the java.util.Properties.load method for a
    # complete description. (CAVEAT: The SDK in the parser does not currently
    # support any backslash escapes except for wrapping long lines.)
    # All property names in this file are case-sensitive.
    # NOTE: The value of a property that is specified multiple times is not
    # defined.
    # WARNING: The contents of this file are classified as an UNSTABLE
    # interface by Sun Microsystems, Inc. As such, they are subject to
    # significant, incompatible changes in any future release of the
    # software.
    # The name of the cookie passed between the Sun [TM] ONE Identity Server
    # and the SDK.
    # WARNING: Changing this property without making the corresponding change
    # to the Sun [TM] ONE Identity Server will disable the SDK.
    com.sun.am.cookieName = iPlanetDirectoryPro
    # The URL for the Sun [TM] ONE Identity Server Naming service.
    com.sun.am.namingURL = http://sunam1.hzliqun.com:80/amserver/namingservice http://sunim1.hzliqun.com:80/amserver/namingservice
    # The URL of the login page on the Sun [TM] ONE Identity Server.
    com.sun.am.policy.am.loginURL = http://sunam1.hzliqun.com:80/amserver/UI/Login http://sunim1.hzliqun.com:80/amserver/UI/Login
    #com.sun.am.policy.am.loginURL = http://sunam1.hzliqun.com:80/amserver/gateway http://sunim1.hzliqun.com:80/amserver/gateway
    # By default the agent checks if the Access Manager AUTH server is
    # active before performing the login.
    # This check can be ignored by setting the following property to true.
    # In this case the first server indicated in the loginURL property will
    # be selected, whether it is active or not.
    com.sun.am.ignore_server_check = false
    # Name of the file to use for logging messages.
    com.sun.am.logFile = D:/Apache/sun/Identity_Server/Agents/2.1/debug/apache_8080/amAgent
    # Name of the Sun [TM] ONE Identity Server log file to use for
    # logging messages to Sun [TM] ONE Identity Server.
    # Just the name of the file is needed. The directory of the file
    # is determined by settings configured on the Sun [TM] ONE Identity Server.
    com.sun.am.serverLogFile = amAuthLog.exchange.hzliqun.com.8080
    # Set the logging level for the specified logging categories.
    # The format of the values is
    #     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
    # The currently used module names are: AuthService, NamingService,
    # PolicyService, SessionService, PolicyEngine, ServiceEngine,
    # Notification, PolicyAgent, RemoteLog and all.
    # The all module can be used to set the logging level for all currently
    # none logging modules. This will also establish the default level for
    # all subsequently created modules.
    # The meaning of the 'Level' value is described below:
    #     0     Disable logging from specified module*
    #     1     Log error messages
    #     2     Log warning and error messages
    #     3     Log info, warning, and error messages
    #     4     Log debug, info, warning, and error messages
    #     5     Like level 4, but with even more debugging messages
    # 128     log url access to log file on IS server.
    # 256     log url access to log file on local machine.
    # If level is omitted, then the logging module will be created with
    # the default logging level, which is the logging level associated with
    # the 'all' module.
    # for level of 128 and 256, you must also specify a logAccessType.
    # *Even if the level is set to zero, some messages may be produced for
    # a module if they are logged with the special level value of 'always'.
    com.sun.am.logLevels = all:5
    # The org, username and password for Agent to login to IS.
    #com.sun.am.policy.am.username = UrlAccessAgent
    com.sun.am.policy.am.username = amAdmin
    com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
    # Name of the directory containing the certificate databases for SSL.
    com.sun.am.sslCertDir = D:/Apache/sun/Identity_Server/Agents/2.1/apache/cert
    # Set this property if the certificate databases in the directory specified
    # by the previous property have a prefix.
    com.sun.am.certDbPrefix =
    # Should agent trust all server certificates when Sun [TM] ONE Identity Server
    # is running SSL?
    # Possible values are true or false.
    com.sun.am.trustServerCerts = true
    # Should the policy SDK use the Sun [TM] ONE Identity Server notification
    # mechanism to maintain the consistency of its internal cache? If the value
    # is false, then a polling mechanism is used to maintain cache consistency.
    # Possible values are true or false.
    com.sun.am.notificationEnabled = true
    # URL to which notification messages should be sent if notification is
    # enabled, see previous property.
    com.sun.am.notificationURL = http://exchange.hzliqun.com:8080/amagent/UpdateAgentCacheServlet?shortcircuit=false
    # Time in milliseconds the agent will wait to receive the
    # response from Access Manager. After the timeout, the connection
    # will be dropped.
    # A value of 0 means that the agent will wait until receiving the response.
    # WARNING: Invalid value for this property can result in
    # the resources becoming inaccessible.
    com.sun.am.receive_timeout = 0
    # This property determines whether URL string case sensitivity is
    # obeyed during policy evaluation
    com.sun.am.policy.am.urlComparison.caseIgnore = true
    # This property determines the amount of time (in minutes) an entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.policy.am.cacheEntryLifeTime=3
    # This property allows the user to configure the User Id parameter passed
    # by the session information from the identity server. The value of User
    # Id will be used by the agent to set the value of REMOTE_USER server
    # variable. By default this parameter is set to "UserToken"
    com.sun.am.policy.am.userIdParam=UserToken
    # HTTP Header attributes mode
    # String attribute mode to specify if additional policy response attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional policy attributes will be introduced.
    # HEADER - additional policy attributes will be introduced into HTTP header.
    # COOKIE - additional policy attributes will be introduced through cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.am.ldapattribute.mode=NONE
    # The policy attributes to be added to the HTTP header. The specification is
    # of the format ldap_attribute_name|http_header_name[,...]. ldap_attribute_name
    # is the attribute in data store to be fetched and http_header_name
    # is the name of the header to which the value needs to be assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.am.headerAttributes=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    # The cookie name used in iAS for sticky load balancing
    com.sun.am.policy.am.ias_SLB_cookie_name = GX_jst
    # indicate where a load balancer is used for Sun [TM] ONE Identity Server
    # services.
    # true | false
    com.sun.am.loadBalancer_enable = false
    ####Agent Configuration####
    # this is for product versioning, please do not modify it
    com.sun.am.policy.agents.version=2.1
    # Set the url access logging level. the choices are
    # LOG_NONE - do not log user access to url
    # LOG_DENY - log url access that was denied.
    # LOG_ALLOW - log url access that was allowed.
    # LOG_BOTH - log url access that was allowed or denied.
    com.sun.am.policy.agents.logAccessType = LOG_DENY
    # Agent prefix
    com.sun.am.policy.agents.agenturiprefix = http://exchange.hzliqun.com:8080/amagent
    # Locale setting.
    com.sun.am.policy.agents.locale = en_US
    # The unique identifier for this agent instance.
    com.sun.am.policy.agents.instanceName = unused
    # Do SSO only
    # Boolean attribute to indicate whether the agent will just enforce user
    # authentication (SSO) without enforcing policies (authorization)
    com.sun.am.policy.agents.do_sso_only = false
    # The URL of the access denied page. If no value is specified, then
    # the agent will return an HTTP status of 403 (Forbidden).
    com.sun.am.policy.agents.accessDeniedURL =
    # This property allows the user to configure the URL Redirect parameter
    # for different auth modules. By default this parameter is set to "goto"
    com.sun.am.policy.agents.urlRedirectParam=goto
    # Default FQDN is the fully qualified hostname that the users should use
    # in order to access resources on this web server instance. This is a
    # required configuration value without which the Web server may not
    # startup correctly.
    # The primary purpose of specifying this property is to ensure that if
    # the users try to access protected resources on this web server
    # instance without specifying the FQDN in the browser URL, the Agent
    # can take corrective action and redirect the user to the URL that
    # contains the correct FQDN.
    # This property is set during the agent installation and need not be
    # modified unless absolutely necessary to accommodate deployment
    # requirements.
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    # See also: com.sun.am.policy.agents.fqdnMap
    com.sun.am.policy.agents.fqdnDefault = exchange.hzliqun.com
    # The FQDN Map is a simple map that enables the Agent to take corrective
    # action in the case where the users may have typed in an incorrect URL
    # such as by specifying partial hostname or using an IP address to
    # access protected resources. It redirects the browser to the URL
    # with fully qualified domain name so that cookies related to the domain
    # are received by the agents.
    # The format for this property is:
    # com.sun.am.policy.agents.fqdnMap = [invalid_hostname|valid_hostname][,...]
    # This property can also be used so that the agents use the name specified
    # in this map instead of the web server's actual name. This can be
    # accomplished by doing the following.
    # Say you want your server to be addressed as xyz.hostname.com whereas the
    # actual name of the server is abc.hostname.com. The browsers only knows
    # xyz.hostname.com and you have specified polices using xyz.hostname.com at
    # the Identity Server policy console, in this file set the mapping as
    # com.sun.am.policy.agents.fqdnMap = valid|xyz.hostname.com
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    com.sun.am.policy.agents.fqdnMap =
    # Cookie Reset
    # This property must be set to true, if this agent needs to
    # reset cookies in the response before redirecting to
    # Identity Server for Authentication.
    # By default this is set to false.
    # Example : com.sun.am.policy.agents.cookie_reset_enabled=true
    com.sun.am.policy.agents.cookie_reset_enabled=false
    # This property gives the comma separated list of Cookies, that
    # need to be included in the Redirect Response to Identity Server.
    # This property is used only if the Cookie Reset feature is enabled.
    # The Cookie details need to be specified in the following Format
    # name[=value][;Domain=value]
    # If "Domain" is not specified, then the default agent domain is
    # used to set the Cookie.
    # Example : com.sun.am.policy.agents.cookie_reset_list=LtpaToken,
    # token=value;Domain=subdomain.domain.com
    com.sun.am.policy.agents.cookie_reset_list=
    # This property gives the space separated list of domains in
    # which cookies have to be set in a CDSSO scenario. This property
    # is used only if CDSSO is enabled.
    # If this property is left blank then the fully qualified cookie
    # domain for the agent server will be used for setting the cookie
    # domain. In such case it is a host cookie instead of a domain cookie.
    # Example : com.sun.am.policy.agents.cookieDomainList=.sun.com .iplanet.com
    com.sun.am.policy.agents.cookieDomainList=
    # user id returned if accessing global allow page and not authenticated
    com.sun.am.policy.agents.unauthenticatedUser=anonymous
    # Enable/Disable REMOTE_USER processing for anonymous users
    # true | false
    com.sun.am.policy.agents.anonRemoteUserEnabled=false
    # Not enforced list is the list of URLs for which no authentication is
    # required. Wildcards can be used to define a pattern of URLs.
    # The URLs specified may not contain any query parameters.
    # Each service have their own not enforced list. The service name is suffixed
    # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
    # for a particular service. SPACE is the separator between the URL.
    # com.sun.am.policy.agents.notenforcedList = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
    # Boolean attribute to indicate whether the above list is a not enforced list
    # or an enforced list; When the value is true, the list means enforced list,
    # or in other words, the whole web site is open/accessible without
    # authentication except for those URLs in the list.
    com.sun.am.policy.agents.reverse_the_meaning_of_notenforcedList = false
    # Not enforced client IP address list is a list of client IP addresses.
    # No authentication and authorization are required for the requests coming
    # from these client IP addresses. The IP address must be in the form of
    # eg: 192.168.12.2 1.1.1.1
    com.sun.am.policy.agents.notenforced_client_IP_address_list =
    # Enable POST data preservation; By default it is set to false
    com.sun.am.policy.agents.is_postdatapreserve_enabled = false
    # POST data preservation : POST cache entry lifetime in minutes,
    # After the specified interval, the entry will be dropped
    com.sun.am.policy.agents.postcacheentrylifetime = 10
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.cdsso-enabled=false
    # This is the URL the user will be redirected to for authentication
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.cdcservletURL = http://sunam1.hzliqun.com:80/amserver/cdcservlet
    # Enable/Disable client IP address validation. This validate
    # will check if the subsequent browser requests come from the
    # same ip address that the SSO token is initially issued against
    com.sun.am.policy.agents.client_ip_validation_enable = false
    # Whether to decode the session cookie before sending it to IS.
    # Set to true if the cookie value is URL encoded, false otherwise.
    # For example, cookie values from browsers are URL encoded, and
    # some containers always returns the cookie URL encoded.
    com.sun.am.cookieEncoded = false
    # Below properties are used to define cookie prefix and cookie max age
    com.sun.am.policy.am.ldapattribute.cookiePrefix = HTTP_
    com.sun.am.policy.am.ldapattribute.cookieMaxAge = 300
    # Logout URL - application's Logout URL.
    # This URL is not enforced by policy.
    # if set, agent will intercept this URL and destroy the user's session,
    # if any. The application's logout URL will be allowed whether or not
    # the session destroy is successful.
    com.sun.am.policy.agents.logout.url=
    # Any cookies to be reset upon logout in the same format as cookie_reset_list
    com.sun.am.policy.agents.logout.cookie_reset_list =
    # Below property is reserved for future use. Please do not change the value.
    # By default, when a policy decision for a resource is needed,
    # agent gets and caches the policy decision of the resource and
    # all resource from the root of the resource down, from the Identity Server.
    # For example, if the resource is http://host/a/b/c, then the root of the
    # resource is http://host/. This is because more resources from the
    # same path are likely to be accessed subsequently.
    # However this may take a long time the first time if there
    # are many many policies defined under the root resource.
    # To have agent get and cache the policy decision for the resource only,
    # set the following property to false.
    com.sun.am.policy.am.fetchFromRootResource = true
    # Whether to get the client's hostname through DNS reverse lookup for use
    # in policy evaluation.
    # It is true by default, if the property does not exist or if it is
    # any value other than false.
    com.sun.am.policy.agents.getClientHostname = true
    # The following property is to enable native encoding of
    # ldap header attributes forwarded by agents. If set to true
    # agent will encode the ldap header value in the default
    # encoding of OS locale. If set to false ldap header values
    # will be encoded in UTF-8
    com.sun.am.policy.agents.convertMbyteEnabled = false
    #When the not enforced list or policy has a wildcard '*' character, agent
    #strips the path info from the request URI and uses the resulting request
    #URI to check against the not enforced list or policy instead of the entire
    #request URI, in order to prevent someone from getting access to any URI by
    #simply appending the matching pattern in the policy or not enforced list.
    #For example, if the not enforced list has the value http://host/*.gif,
    #stripping the path info from the request URI will prevent someone from
    #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
    #However when a web server (for example apache) is configured to be a reverse
    #proxy server for a J2EE application server, path info is interpreted in a different
    #manner since it maps to a resource on the proxy instead of the app server.
    #This prevents the not enforced list or policy from being applied to part of
    #the URI below the app serverpath if there is a wildcard character. For example,
    #if the not enforced list has value http://host/webapp/servcontext/* and the
    #request URL is http://host/webapp/servcontext/example.jsp the path info
    #is /servcontext/example.jsp and the resulting request URL with path info stripped
    #is http://host/webapp, which will not match the not enforced list. By setting the
    #following property to true, the path info will not be stripped from the request URL
    #even if there is a wild character in the not enforced list or policy.
    #Be aware though that if this is set to true there should be nothing following the
    #wildcard character '*' in the not enforced list or policy, or the
    #security loophole described above may occur.
    com.sun.am.ignore_path_info = false
    # Override the request url given by the web server with
    # the protocol, host or port of the agent's uri specified in
    # the com.sun.am.policy.agents.agenturiprefix property.
    # These may be needed if the agent is sitting behind a ssl off-loader,
    # load balancer, or proxy, and either the protocol (HTTP scheme),
    # hostname, or port of the machine in front of agent which users go through
    # is different from the agent's protocol, host or port.
    com.sun.am.policy.agents.overrideProtocol =
    com.sun.am.policy.agents.overrideHost =
    com.sun.am.policy.agents.overridePort =
    # Override the notification url in the same way as other request urls.
    # Set this to true if any one of the override properties above is t

    If you can add more details to your question, that'll be better.
    In my case, I initially had a pix515e with v6.1 on it, and could not get a dialtone because my SIP phone (ata186) was not registered on my proxy. But when I changed my PIX to v6.2, it worked just fine. I didn't put any access-list though, as fixup does it for me already.
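An added example (not from the thread and not Sun's agent code): a small Python linter that checks an AMAgent.properties file against rules stated in the file's own comments on this page, namely no query strings in not-enforced URLs, nothing following `*` when com.sun.am.ignore_path_info is true, and undefined behaviour for repeated properties. It also reports com.sun.am.trust_server_certs = true and values broken across lines; the sample input and host names are constructed, and treating every property name as starting with `com.sun.am.` is this example's assumption.

```python
import re

# Property names as they appear in the files quoted on this page.
NOT_ENFORCED_KEYS = (
    "com.sun.am.policy.agents.notenforcedList",          # agent 2.1 file
    "com.sun.am.policy.agents.config.notenforced_list",  # agent 2.2 file
)
IGNORE_PATH_INFO = "com.sun.am.ignore_path_info"
TRUST_ALL_CERTS = "com.sun.am.trust_server_certs"

# Assumption of this example: every real property starts with "com.sun.am.".
# Anything else that is not a comment is treated as a wrapped value fragment.
PROPERTY_LINE = re.compile(r"^(com\.sun\.am\.[\w.\-]+)\s*=\s*(.*)$")


def parse_properties(text):
    """Return (props, duplicates, wrapped) for an AMAgent.properties text."""
    props, duplicates, wrapped = {}, [], []
    last_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = PROPERTY_LINE.match(line)
        if match is None:
            # A value split by a mail client or forum: glue it back on so the
            # remaining checks see the whole value, and report it for review.
            if last_key is not None:
                props[last_key] += line
                wrapped.append(last_key)
            continue
        key, value = match.group(1), match.group(2).strip()
        if key in props:
            duplicates.append(key)
        props[key] = value  # last one wins here only so linting can continue
        last_key = key
    return props, duplicates, wrapped


def lint(text):
    """Return a list of (finding, subject) tuples."""
    props, duplicates, wrapped = parse_properties(text)
    findings = [("duplicate-property", key) for key in duplicates]
    findings += [("wrapped-value", key) for key in wrapped]

    ignore_path_info = props.get(IGNORE_PATH_INFO, "false").lower() == "true"
    for key in NOT_ENFORCED_KEYS:
        for url in props.get(key, "").split():  # SPACE separates the URLs
            star = url.find("*")
            # With path info kept, the file's comments require that nothing
            # follows the wildcard.
            if ignore_path_info and star not in (-1, len(url) - 1):
                findings.append(("text-after-wildcard", url))
            # "The URLs specified may not contain any query parameters."
            if "?" in url:
                findings.append(("query-in-notenforced", url))

    # The agent accepts any certificate Access Manager presents over SSL.
    if props.get(TRUST_ALL_CERTS, "").lower() == "true":
        findings.append(("trusts-all-server-certs", TRUST_ALL_CERTS))
    return findings


# Constructed sample; it mixes property names from the 2.1 and 2.2 files on
# this page purely to exercise every check. Host names are placeholders.
SAMPLE = """\
# constructed sample
com.sun.am.trust_server_certs = true
com.sun.am.ignore_path_info = true
com.sun.am.policy.agents.config.notenforced_list = http://app.example.com/public/* http://app.example.com/*.gif http://app.example.com/img/logo.gif?
OpenImageResource
com.sun.am.policy.agents.config.locale = en_US
com.sun.am.policy.agents.config.locale = en_GB
"""

if __name__ == "__main__":
    for finding, subject in lint(SAMPLE):
        print(f"{finding:26} {subject}")
```
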

  • Too Slow - Domino 6.5.4 with access manager agent 2.2?

    I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
    I think AMAgent.properties is not good for SSO.
    Please help me to tune it.
    # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
    # Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
    # U.S. Government Rights - Commercial software. Government users are
    # subject to the Sun Microsystems, Inc. standard license agreement and
    # applicable provisions of the FAR and its supplements. Use is subject to
    # license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
    # trademarks or registered trademarks of Sun Microsystems, Inc. in the
    # U.S. and other countries.
    # Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
    # U.S. Government Rights, government users - commercial
    # software. Government users are subject to the Sun Microsystems, Inc.
    # standard license agreement, as well as to the applicable provisions of
    # the FAR (Federal Acquisition Regulations) and its supplements.
    # Distributed under licenses that restrict its use. Sun, Sun
    # Microsystems, the Sun logo and Sun ONE are trademarks or
    # registered trademarks of Sun Microsystems, Inc. in the United States and
    # other countries.
    # The syntax of this file is that of a standard Java properties file,
    # see the documentation for the java.util.Properties.load method for a
    # complete description. (CAVEAT: The SDK in the parser does not currently
    # support any backslash escapes except for wrapping long lines.)
    # All property names in this file are case-sensitive.
    # NOTE: The value of a property that is specified multiple times is not
    # defined.
    # WARNING: The contents of this file are classified as an UNSTABLE
    # interface by Sun Microsystems, Inc. As such, they are subject to
    # significant, incompatible changes in any future release of the
    # software.
    # The name of the cookie passed between the Access Manager
    # and the SDK.
    # WARNING: Changing this property without making the corresponding change
    # to the Access Manager will disable the SDK.
    com.sun.am.cookie.name = iPlanetDirectoryPro
    # The URL for the Access Manager Naming service.
    com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
    # The URL of the login page on the Access Manager.
    com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
    # Name of the file to use for logging messages.
    com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
    # This property is used for Log Rotation. The value of the property specifies
    # whether the agent deployed on the server supports the feature or not. If set
    # to false all log messages are written to the same file.
    com.sun.am.policy.agents.config.local.log.rotate = true
    # Name of the Access Manager log file to use for logging messages to
    # Access Manager.
    # Just the name of the file is needed. The directory of the file
    # is determined by settings configured on the Access Manager.
    com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
    # Set the logging level for the specified logging categories.
    # The format of the values is
    #     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
    # The currently used module names are: AuthService, NamingService,
    # PolicyService, SessionService, PolicyEngine, ServiceEngine,
    # Notification, PolicyAgent, RemoteLog and all.
    # The all module can be used to set the logging level for all currently
    # none logging modules. This will also establish the default level for
    # all subsequently created modules.
    # The meaning of the 'Level' value is described below:
    #     0     Disable logging from specified module*
    #     1     Log error messages
    #     2     Log warning and error messages
    #     3     Log info, warning, and error messages
    #     4     Log debug, info, warning, and error messages
    #     5     Like level 4, but with even more debugging messages
    # 128     log url access to log file on AM server.
    # 256     log url access to log file on local machine.
    # If level is omitted, then the logging module will be created with
    # the default logging level, which is the logging level associated with
    # the 'all' module.
    # for level of 128 and 256, you must also specify a logAccessType.
    # *Even if the level is set to zero, some messages may be produced for
    # a module if they are logged with the special level value of 'always'.
    com.sun.am.log.level =
    # The org, username and password for Agent to login to AM.
    com.sun.am.policy.am.username = UrlAccessAgent
    com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
    # Name of the directory containing the certificate databases for SSL.
    com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
    # Set this property if the certificate databases in the directory specified
    # by the previous property have a prefix.
    com.sun.am.certdb.prefix =
    # Should agent trust all server certificates when Access Manager
    # is running SSL?
    # Possible values are true or false.
    com.sun.am.trust_server_certs = true
    # Should the policy SDK use the Access Manager notification
    # mechanism to maintain the consistency of its internal cache? If the value
    # is false, then a polling mechanism is used to maintain cache consistency.
    # Possible values are true or false.
    com.sun.am.notification.enable = true
    # URL to which notification messages should be sent if notification is
    # enabled, see previous property.
    com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
    # This property determines whether URL string case sensitivity is
    # obeyed during policy evaluation
    com.sun.am.policy.am.url_comparison.case_ignore = true
    # This property determines the amount of time (in minutes) an entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.policy.am.polling.interval=3
    # This property allows the user to configure the User Id parameter passed
    # by the session information from the access manager. The value of User
    # Id will be used by the agent to set the value of REMOTE_USER server
    # variable. By default this parameter is set to "UserToken"
    com.sun.am.policy.am.userid.param=UserToken
    # Profile attributes fetch mode
    # String attribute mode to specify if additional user profile attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user profile attributes will be introduced.
    # HTTP_HEADER - additional user profile attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user profile attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
    # The user profile attributes to be added to the HTTP header. The
    # specification is of the format ldap_attribute_name|http_header_name[,...].
    # ldap_attribute_name is the attribute in data store to be fetched and
    # http_header_name is the name of the header to which the value needs
    # to be assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    # Session attributes mode
    # String attribute mode to specify if additional user session attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user session attributes will be introduced.
    # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
    # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
    # The session attributes to be added to the HTTP header. The specification is
    # of the format session_attribute_name|http_header_name[,...].
    # session_attribute_name is the attribute in session to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.session.attribute.map=
    # Response Attribute Fetch Mode
    # String attribute mode to specify if additional user response attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user response attributes will be introduced.
    # HTTP_HEADER - additional user response attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user response attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
    # The response attributes to be added to the HTTP header. The specification is
    # of the format response_attribute_name|http_header_name[,...].
    # response_attribute_name is the attribute in policy response to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.response.attribute.map=
    # The cookie name used in iAS for sticky load balancing
    com.sun.am.policy.am.lb.cookie.name = GX_jst
    # indicate where a load balancer is used for Access Manager
    # services.
    # true | false
    com.sun.am.load_balancer.enable = false
    ####Agent Configuration####
    # this is for product versioning, please do not modify it
    com.sun.am.policy.agents.config.version=2.2
    # Set the url access logging level. the choices are
    # LOG_NONE - do not log user access to url
    # LOG_DENY - log url access that was denied.
    # LOG_ALLOW - log url access that was allowed.
    # LOG_BOTH - log url access that was allowed or denied.
    com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
    # Agent prefix
    com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
    # Locale setting.
    com.sun.am.policy.agents.config.locale = en_US
    # The unique identifier for this agent instance.
    com.sun.am.policy.agents.config.instance.name = unused
    # Do SSO only
    # Boolean attribute to indicate whether the agent will just enforce user
    # authentication (SSO) without enforcing policies (authorization)
    com.sun.am.policy.agents.config.do_sso_only = true
    # The URL of the access denied page. If no value is specified, then
    # the agent will return an HTTP status of 403 (Forbidden).
    com.sun.am.policy.agents.config.accessdenied.url =
    # This property indicates if FQDN checking is enabled or not.
    com.sun.am.policy.agents.config.fqdn.check.enable = true
    # Default FQDN is the fully qualified hostname that the users should use
    # in order to access resources on this web server instance. This is a
    # required configuration value without which the Web server may not
    # startup correctly.
    # The primary purpose of specifying this property is to ensure that if
    # the users try to access protected resources on this web server
    # instance without specifying the FQDN in the browser URL, the Agent
    # can take corrective action and redirect the user to the URL that
    # contains the correct FQDN.
    # This property is set during the agent installation and need not be
    # modified unless absolutely necessary to accommodate deployment
    # requirements.
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
    # com.sun.am.policy.agents.config.fqdn.map
    com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
    # The FQDN Map is a simple map that enables the Agent to take corrective
    # action in the case where the users may have typed in an incorrect URL
    # such as by specifying partial hostname or using an IP address to
    # access protected resources. It redirects the browser to the URL
    # with fully qualified domain name so that cookies related to the domain
    # are received by the agents.
    # The format for this property is:
    # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
    # This property can also be used so that the agents use the name specified
    # in this map instead of the web server's actual name. This can be
    # accomplished by doing the following.
    # Say you want your server to be addressed as xyz.hostname.com whereas the
    # actual name of the server is abc.hostname.com. The browsers only knows
    # xyz.hostname.com and you have specified polices using xyz.hostname.com at
    # the Access Manager policy console, in this file set the mapping as
    # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
    # Another example is if you have multiple virtual servers say rst.hostname.com,
    # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
    # abc.hostname.com and each of the virtual servers have their own policies
    # defined, then the fqdnMap should be defined as follows:
    # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    com.sun.am.policy.agents.config.fqdn.map =
    # Cookie Reset
    # This property must be set to true, if this agent needs to
    # reset cookies in the response before redirecting to
    # Access Manager for Authentication.
    # By default this is set to false.
    # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
    com.sun.am.policy.agents.config.cookie.reset.enable=false
    # This property gives the comma separated list of Cookies, that
    # need to be included in the Redirect Response to Access Manager.
    # This property is used only if the Cookie Reset feature is enabled.
    # The Cookie details need to be specified in the following Format
    # name[=value][;Domain=value]
    # If "Domain" is not specified, then the default agent domain is
    # used to set the Cookie.
    # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
    # token=value;Domain=subdomain.domain.com
    com.sun.am.policy.agents.config.cookie.reset.list=
    # This property gives the space separated list of domains in
    # which cookies have to be set in a CDSSO scenario. This property
    # is used only if CDSSO is enabled.
    # If this property is left blank then the fully qualified cookie
    # domain for the agent server will be used for setting the cookie
    # domain. In such case it is a host cookie instead of a domain cookie.
    # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
    com.sun.am.policy.agents.config.cookie.domain.list=
    # user id returned if accessing global allow page and not authenticated
    com.sun.am.policy.agents.config.anonymous_user=anonymous
    # Enable/Disable REMOTE_USER processing for anonymous users
    # true | false
    com.sun.am.policy.agents.config.anonymous_user.enable=false
    # Not enforced list is the list of URLs for which no authentication is
    # required. Wildcards can be used to define a pattern of URLs.
    # The URLs specified may not contain any query parameters.
    # Each service have their own not enforced list. The service name is suffixed
    # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
    # for a particular service. SPACE is the separator between the URL.
    com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
    # Boolean attribute to indicate whether the above list is a not enforced list
    # or an enforced list; When the value is true, the list means enforced list,
    # or in other words, the whole web site is open/accessible without
    # authentication except for those URLs in the list.
    com.sun.am.policy.agents.config.notenforced_list.invert = false
    # Not enforced client IP address list is a list of client IP addresses.
    # No authentication and authorization are required for the requests coming
    # from these client IP addresses. The IP address must be in the form of
    # eg: 192.168.12.2 1.1.1.1
    com.sun.am.policy.agents.config.notenforced_client_ip_list =
    # Enable POST data preservation; By default it is set to false
    com.sun.am.policy.agents.config.postdata.preserve.enable = false
    # POST data preservation : POST cache entry lifetime in minutes,
    # After the specified interval, the entry will be dropped
    com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.config.cdsso.enable=false
    # This is the URL the user will be redirected to for authentication
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.config.cdcservlet.url =
    # Enable/Disable client IP address validation. This validation
    # will check if the subsequent browser requests come from the
    # same IP address that the SSO token was initially issued against
    com.sun.am.policy.agents.config.client_ip_validation.enable = false
    # Below properties are used to define cookie prefix and cookie max age
    com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
    com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
    # Logout URL - application's Logout URL.
    # This URL is not enforced by policy.
    # if set, agent will intercept this URL and destroy the user's session,
    # if any. The application's logout URL will be allowed whether or not
    # the session destroy is successful.
    com.sun.am.policy.agents.config.logout.url=
    #http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
    # Any cookies to be reset upon logout in the same format as cookie_reset_list
    com.sun.am.policy.agents.config.logout.cookie.reset.list =
    # By default, when a policy decision for a resource is needed,
    # agent gets and caches the policy decision of the resource and
    # all resources from the root of the resource down, from the Access Manager.
    # For example, if the resource is http://host/a/b/c, then the root of the
    # resource is http://host/. This is because more resources from the
    # same path are likely to be accessed subsequently.
    # However this may take a long time the first time if there
    # are many many policies defined under the root resource.
    # To have agent get and cache the policy decision for the resource only,
    # set the following property to false.
    com.sun.am.policy.am.fetch_from_root_resource = true
    # Whether to get the client's hostname through DNS reverse lookup for use
    # in policy evaluation.
    # It is true by default, if the property does not exist or if it is
    # any value other than false.
    com.sun.am.policy.agents.config.get_client_host_name = false
    # The following property is to enable native encoding of
    # ldap header attributes forwarded by agents. If set to true
    # agent will encode the ldap header value in the default
    # encoding of OS locale. If set to false ldap header values
    # will be encoded in UTF-8
    com.sun.am.policy.agents.config.convert_mbyte.enable = false
    #When the not enforced list or policy has a wildcard '*' character, agent
    #strips the path info from the request URI and uses the resulting request
    #URI to check against the not enforced list or policy instead of the entire
    #request URI, in order to prevent someone from getting access to any URI by
    #simply appending the matching pattern in the policy or not enforced list.
    #For example, if the not enforced list has the value http://host/*.gif,
    #stripping the path info from the request URI will prevent someone from
    #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
    #However when a web server (for example apache) is configured to be a reverse
    #proxy server for a J2EE application server, path info is interpreted in a different
    #manner since it maps to a resource on the proxy instead of the app server.
    #This prevents the not enforced list or policy from being applied to part of
    #the URI below the app server path if there is a wildcard character. For example,
    #if the not enforced list has value http://host/webapp/servcontext/* and the
    #request URL is http://host/webapp/servcontext/example.jsp the path info
    #is /servcontext/example.jsp and the resulting request URL with path info stripped
    #is http://host/webapp, which will not match the not enforced list. By setting the
    #following property to true, the path info will not be stripped from the request URL
    #even if there is a wild character in the not enforced list or policy.
    #Be aware though that if this is set to true there should be nothing following the
    #wildcard character '*' in the not enforced list or policy, or the
    #security loophole described above may occur.
    com.sun.am.policy.agents.config.ignore_path_info = false
    # Override the request url given by the web server with
    # the protocol, host or port of the agent's uri specified in
    # the com.sun.am.policy.agents.agenturiprefix property.
    # These may be needed if the agent is sitting behind a ssl off-loader,
    # load balancer, or proxy, and either the protocol (HTTP scheme),
    # hostname, or port of the machine in front of agent which users go through
    # is different from the agent's protocol, host or port.
    com.sun.am.policy.agents.config.override_protocol =
    com.sun.am.policy.agents.config.override_host =
    com.sun.am.policy.agents.config.override_port =
    # Override the notification url in the same way as other request urls.
    # Set this to true if any one of the override properties above is true,
    # and if the notification url is coming through the proxy or load balancer
    # in the same way as other request url's.
    com.sun.am.policy.agents.config.override_notification.url =
    # The following property defines how long to wait in attempting
    # to connect to an Access Manager AUTH server.
    # The default value is 2 seconds. This value needs to be increased
    # when receiving the error "unable to find active Access Manager Auth server"
    com.sun.am.policy.agents.config.connection_timeout =
    # Time in milliseconds the agent will wait to receive the
    # response from Access Manager. After the timeout, the connection
    # will be dropped.
    # A value of 0 means that the agent will wait until receiving the response.
    # WARNING: Invalid value for this property can result in
    # the resources becoming inaccessible.
    com.sun.am.receive_timeout = 0
    # The three following properties are for IIS6 agent only.
    # The two first properties allow to set a username and password that will be
    # used by the authentication filter to pass the Windows challenge when the Basic
    # Authentication option is selected in Microsoft IIS 6.0. The authentication
    # filter is named amiis6auth.dll and is located in
    # Agent_installation_directory/iis6/bin. It must be installed manually on
    # the web site ("ISAPI Filters" tab in the properties of the web site).
    # It must also be uninstalled manually when uninstalling the agent.
    # The last property defines the full path for the authentication filter log file.
    com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilter

    Hi,
    I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
    2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
    I have the box to identify but it does not connect me on my opensso server.
    It still identifies with Domino's server
    Thanks for your response
    Thomas
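
The comments in the agent configuration posted earlier in this thread state two rules for the not enforced list: entries may not contain query parameters, and nothing may follow `*` when `ignore_path_info` is true. The following added example (not part of the original posts and not the agent's own code) checks a properties file against both rules and replays the `?hack.gif` case from the comments; the sample values, function names and the simplified wildcard model are assumptions.

```python
import re

PREFIX = "com.sun.am.policy.agents.config."

# Constructed sample in the same key=value format as the posted file.
SAMPLE = """\
# constructed values, not taken from the posted configuration
com.sun.am.policy.agents.config.notenforced_list = http://host/*.gif http://host/a.nsf/logo.gif?OpenImageResource http://host/webapp/servcontext/*
com.sun.am.policy.agents.config.ignore_path_info = true
"""

def parse_properties(text):
    """Return {key: value} for key=value lines; '#' comment lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit_notenforced(props):
    """Flag entries that break the two rules stated in the file's comments."""
    # ignore_path_info=true means path info is NOT stripped before matching.
    keep_path_info = props.get(PREFIX + "ignore_path_info", "false").lower() == "true"
    findings = []
    for entry in props.get(PREFIX + "notenforced_list", "").split():
        if "?" in entry:
            findings.append((entry, "contains a query string"))
        if keep_path_info and "*" in entry and entry[entry.index("*") + 1:]:
            findings.append((entry, "text after '*' while ignore_path_info=true"))
    return findings

def wildcard_match(pattern, url, strip_query):
    """Simplified model (assumption): '*' matches any run of characters."""
    if strip_query:
        url = url.split("?", 1)[0]
    regex = re.escape(pattern).replace(r"\*", ".*")
    return re.fullmatch(regex, url) is not None

if __name__ == "__main__":
    for entry, reason in audit_notenforced(parse_properties(SAMPLE)):
        print(f"{entry}: {reason}")
    probe = "http://host/index.html?hack.gif"  # the URL used in the comments
    print("matched without stripping:", wildcard_match("http://host/*.gif", probe, False))
    print("matched after stripping:  ", wildcard_match("http://host/*.gif", probe, True))
```

Run it against a copy of the real properties file by passing the file's text to `parse_properties` instead of `SAMPLE`.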

Maybe you are looking for