Chaining Access Manager Policy Agents

Hi,
Can we chain Access Manager agents, so we can pass the authentication details on to other Apache server web agents?
Step 1 - to configure a reverse proxy which uses the Access Manager & Agent to authenticate (this works OK).
The reverse proxy directs to a Secure Global Desktop (SGD) server which I want to use the above authentication.
Step 2 - get the SGD server authenticating with Access Manager and the Apache Web Agent (this works OK).
Step 3 - My question is: can the web agent on the back-end SGD server use the authentication credentials from the initial reverse proxy Access Manager login?
This is what I am seeing at the moment.
- I log in to the reverse proxy via Access Manager and it then picks a back-end SGD server.
- It then looks like the Access Manager sits there trying to connect to the SGD server.
- When it times out, the URL in the browser is a bit confusing. It's https://<sgd server>:<reverse proxy port>. The port should be the SGD server port.
It looks like the AM credentials and environment are OK (iPlanetDirectoryPro and REMOTE_USER), because after it times out trying to connect to the SGD server with the wrong port number, I change this to be the correct SGD server address in the browser, and it automatically logs in like in Step 2 above.
So my question really is: can the authentication details provided at the first-level Apache web agent be passed down to other Apache web server agents running on other servers?
Any ideas?
Thanks,
Carl

Similar Messages

  • Access Manager Policy Agent and Oracle AS

    Hi,
    My system uses Oracle Application Server. The security dept use Sun Access Manager. I need to integrate the security of the Oracle system with the policy agent. Where this gets a little confusing is that one of my developers tells me that this is difficult to implement and that Sun aren't planning on supporting the Oracle AS in future.
    What I would like is some clarification from the horse's mouth, so to speak. In particular, is it possible to integrate the policy agent and Oracle AS, and are Sun committed to supporting and developing for this?
    Thanks,
    Andy.

    "Where this gets a little confusing is that one of my developers tells me that this is difficult to implement"
    "it is NOT an implementation but an integration ! difficult ? why ?"
    "and that Sun aren't planning on supporting the Oracle AS in future."
    There is a PA 2.2 for Oracle 10g ! It is the latest version(2.2 I mean). I don't see any reasons why Sun should not continue. But it is ONLY my point of view...
    "What I would like is some clarification from the horse's mouth, so to speak. In particular, is it possible to integrate the policy agent and Oracle AS, and are Sun committed to supporting and developing for this?"
    Of course it is possible because you can find the PA that will integrate your Oracle AS with a Sun AM.
    1) Please read the documentation.
    http://docs.sun.com/app/docs/coll/1322.1
    Download the one for Oracle and read also the user guide.
    PA are very easy to integrate if you know what you do... Espec. und. the AM auth and sso... If you can be helped by an AM guy from your comp. it is welcome... It is a j2ee agent and of course the PA will make what is necessary to redirect you to AM at login time and later to auth. your request...
    2) Download the soft and do the job :-)
    Product Downloads
    Sun Java System Access Manager Policy Agent 2.2 for Oracle Application Server 10g
    http://www.sun.com/download/products.xml?id=455d52ed
    I did plenty of int. with Sun/Bea/Tomcat AS(don't forget there are also webserver agents like Apache PA) with AM and it is not a big deal. Not Oracle, but it is an AS and I don't see why it should be difficult...
    Hope this helps a bit.

  • Access Manager Policy Agent 2.2

    Hello
    Has anyone experienced the error noted below. This is occurring after Access Manager has validated the
    user and redirected the request back to the agent on the protected box.
    PolicyEngine: am_policy_evaluate: InternalException in Service::do_update_policy with error message:Policy query failed. and code:6
    PolicyAgent: validate_session_policy() status: Access Manager policy service failure (6)
    Any help will be greatly appreciated.

    Hi,
    Are you using a 2.1 agent? If yes, are you using a custom Authentication module? Try setting the com.sun.am.policy.am.library.loginURL if needed. Also check for valid certs if you are using SSL.

  • NSAPI in Access Manager & Policy Agent

    Hi all,
    May I know is it possible to use NSAPI to be a communication channel between policy agent and access manager?
    I have installed Sun One Web Server together with policy agent, access manager is installed in another machine.
    I've looked through all related documentation but could not find NSAPI for policy agent or access manager.
    Thanks in advance!

  • Sun Access Manager,Policy Agent 2.2, IIS7?

    Hello everybody
    Is it possible to protect IIS7 with policy agent 2.2 and Sun Access Manager 7.1?
    Policy Agents 3.0 (for Open SSO) works with Sun Access Manager 7.1?
    regards!
    Alex Dávila

    Thanks handat
    I found
    http://download.oracle.com/docs/cd/E19575-01/820-5816/galtf/index.html
    http://download.oracle.com/docs/cd/E19681-01/821-0267/gfxhz.html#scrolltoc
    greetings
    alex davila

  • Need assistance on openSSO/Access Manager-policy agent on tomcat 5.5

    I'm asking here because there is no help from openSSO forum.
    I know that openSSO is quite the same with java access manager,
    so I assume that openSSO is identical to java access manager.
    I'm very much new to the policy agent and I've tried to test it for my own web application, but it doesn't seem to work.
    Here is my situation :
    I'm using 2 servers:
    1. server using windows XP, installed with tomcat 5.5 and opensso inside (acts as openSSO server).
    I set the IP to be 192.168.0.3 and tomcat web server will be listening on port 8080
    2. server using windows XP, installed with tomcat 5.5 and my web application inside, and the policy agent.
    I set the IP to be 192.168.0.1 and tomcat web server will be listening on port 7070
    My web application is named "akademis" and I can access it with the usual method at the address http://192.168.0.1:7070/akademis.
    I installed the policy agent in the global web.xml of the tomcat configuration and I didn't change anything in the web.xml of my application.
    When I tried to access http://192.168.0.1:7070/akademis, I was redirected to the openSSO login page correctly and I entered username and password (username: amadmin). I passed the login page and was redirected to the page that I wanted, but it doesn't work correctly because I got an HTTP 403 (forbidden) message.
    I got some clue in the policy agent logs :
    a. the amFilter log
    09/30/2006 01:08:25:890 PM ICT: Thread[http-7070-Processor25,5,main]
    09/30/2006 01:09:14:515 PM ICT: Thread[http-7070-Processor25,5,main]
    ERROR: URLFailoverHelper: No URL is available at this time
    09/30/2006 01:09:14:515 PM ICT: Thread[http-7070-Processor25,5,main]
    ERROR: AmFilter: Error while delegating to inbound handler: SSO Task Handler, access will be denied
    [AgentException Stack]
    com.sun.identity.agents.arch.AgentException: No URL is available at this time
    at com.sun.identity.agents.common.URLFailoverHelper.getAvailableURL(URLFailoverHelper.java:133)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getLoginURL(AmFilterRequestContext.java:748)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectURL(AmFilterRequestContext.java:285)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectURL(AmFilterRequestContext.java:258)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectResult(AmFilterRequestContext.java:363)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectResult(AmFilterRequestContext.java:345)
    at com.sun.identity.agents.filter.SSOTaskHandler.doSSOLogin(SSOTaskHandler.java:210)
    at com.sun.identity.agents.filter.SSOTaskHandler.process(SSOTaskHandler.java:98)
    at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
    at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
    at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.cluster.tcp.ReplicationValve.invoke(ReplicationValve.java:346)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
    b. the amLog
    09/30/2006 01:08:09:921 PM ICT: Thread[main,5,main]
    09/30/2006 01:08:10:078 PM ICT: Thread[main,5,main]
    ERROR: RemoteHandler.getLogHostURL(): 'null' is malformed. null
    I think the reason that I failed is not in the openSSO/java access manager, because I got past the login page, and also in the amFilter log of the policy agent I see an error of "No URL is available at this time".
    Is there anyone who can help me with this problem? I'll be very glad if somebody can help me.
    thanks

    Please try the fix as suggested in the following and let us know the results.
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;196271
    http://forum.java.sun.com/thread.jspa?threadID=346820&messageID=1436761
    Thanks,
    Subba

  • Access Manager Policy Agent 2.2 for Oracle 10g

    I Installed AM Policy Agent 2.2 on Oracle App Server 10g (10.1.3). After install I don't get the redirect to the AM login page. The agent does not appear to be activated. When I restart the Oracle App server I expect to see logs entries from the agent in <agenthome>/logs/debug, but I don't get any log entries.
    The agent was installed as oracle (same as the 10g server).
    Entries in the 10g global application.xml for the agent:
    <library path="/opt/AMAgent/j2ee_agents/am_oracle1012_agent/agent_001/config">
    </library>
    <library path="/opt/AMAgent/j2ee_agents/am_oracle1012_agent/locale">
    </library>
    <library path="/opt/AMAgent/j2ee_agents/am_oracle1012_agent/lib/agent.jar">
    </library>
    <library path="/opt/AMAgent/j2ee_agents/am_oracle1012_agent/lib/amclientsdk.jar">
    </library>
    AMAgent.properties settings:
    com.iplanet.services.debug.level=message
    com.sun.identity.agents.config.filter.mode = URL_POLICY
    My goal is to protect all apps with SSO and basic url policies.
    Any ideas on what I'm doing wrong? missing?

    Hi,
    have you added the agent filter for the application you are trying to protect
    <filter>
    <filter-name>Agent</filter-name>
    <display-name>Agent</display-name>
    <filter-class>
    com.sun.identity.agents.filter.AmAgentFilter
    </filter-class>
    </filter>
    <filter-mapping>
    <filter-name>Agent</filter-name>
    <url-pattern>/*</url-pattern>
    </filter-mapping>

  • Novell Access Manager J2EE Agent Installation

    First post and first time attempting to install NETIQ onto my desktop. I'm a little confused as to the section of "Novell Access Manager J2EE Agent Installation" and what to enter for my Admin Console IP Address, username, password, & Application Server IP Address. I'm not sure where to get this information from, so if anyone could assist me, I'd appreciate it very much. Thanks in advance.

    kpjones76,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Visit http://support.novell.com and search the knowledgebase and/or check all
    the other self support options and support programs available.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://forums.novell.com)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://forums.novell.com/faq.php
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://forums.novell.com/

  • Oracle access manager - Policy domain - Return Type

    Hi,
    I have a requirement where I need to return few LDAP parameter values through Policy domain while redirecting. But the return type should be propertytype and not headervar or cookie. This is SSO integration with websphere using JAAS subject. We have inhouse TAI connector developed for integration between websphere and oracle access manager.
    Please help me to resolve this issue.
    Regards,
    Prashant

    Hi Prashant,
    OAM can return any type that you want, and OAM will set the name/value for that type - you can put "propertytype" in the type column, and the name and return attribute in the respective fields. "Cookie" and "HeaderVar" are the only types used by OAM WebGates, but your AccessGate (custom in-house connector) should be able to retrieve the values of propertytype that OAM sets.
    Regards,
    Colin

  • Example to use Query String in Oracle Access Manager Policy.

    Hi All,
    Can any one please tell me what is the use of Query String and Query String Variable in OAM Policy?
    If possible please explain with a sample example.
    Thanks in Advance.
    Siva Pokuri.

    Query string is used to protect URL with complete query string.
    Ex: in case you want to protect http://hi.com/first.html?uid=abc&pqr=123 URL then you will specify query string as uid=abc&pqr=123.
    In case you want to protect a URL with one of the query parameters as xyz and you do not care about the other query parameters, then query string variables are used.
    Ex: in case you want to protect http://hi.com/first.html?uid=abc&pqr=123 and http://hi.com/first.html?uid=abc&pqr=456 both with same policy then you will create a policy to protect first.html and in query string variables you will specify uid=abc.
    Let me know if you have any problems in understanding this.
    Thanks
    Kiran Thakkar
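
A simplified model of the two matching styles described in the answer above, added here as an example; it is not Oracle Access Manager's code or configuration format. The rule dictionaries, the function names, and the literal comparison of the full query string are assumptions made for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Hypothetical rule layout (not OAM's schema). One rule uses a complete
# query string, the other uses a query string variable, as in the answer.
RULES = [
    {"name": "full-query-string", "path": "/first.html",
     "query_string": "uid=abc&pqr=123"},
    {"name": "query-string-variable", "path": "/first.html",
     "query_vars": {"uid": "abc"}},
]

# Constructed sample requests: the two URLs from the answer plus three
# variations that show where each rule stops applying.
SAMPLE_URLS = [
    "http://hi.com/first.html?uid=abc&pqr=123",
    "http://hi.com/first.html?uid=abc&pqr=456",
    "http://hi.com/first.html?pqr=123&uid=abc",
    "http://hi.com/first.html?uid=xyz&pqr=123",
    "http://hi.com/first.html",
]


def rule_matches(rule, url):
    """Return True if the URL falls under the given rule."""
    parts = urlsplit(url)
    if parts.path != rule["path"]:
        return False
    if "query_string" in rule:
        # Assumption: the complete query string is compared literally,
        # so parameter order and extra parameters both matter.
        return parts.query == rule["query_string"]
    # Query string variables: every listed name=value pair must be present;
    # any other parameters in the request are ignored.
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    wanted = rule.get("query_vars", {})
    return all((name, value) in pairs for name, value in wanted.items())


def matching_rules(url, rules=RULES):
    """Names of all rules that cover the URL, in rule order."""
    return [r["name"] for r in rules if rule_matches(r, url)]


def coverage_report(urls=SAMPLE_URLS):
    """Map each sample URL to the rules that cover it."""
    return {url: matching_rules(url) for url in urls}


if __name__ == "__main__":
    for url, names in coverage_report().items():
        print(f"{url:45} -> {', '.join(names) or 'no rule matches'}")
```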

  • Access Manager 7.1, Webserver 7.0 and Policy Agent 2.2 Logging behaviour

    Hi,
    I have a cluster setup with access manager (2 instances currently). I have a single webserver running access manager policy agent which points to the access manager cluster. Everything works fine, until the Agent session times out, whereupon it can no longer log to the access manager cluster.
    i.e. it attempts to write a log entry like this:
    2009-04-23 15:40:10.491 Debug 7720:2e7af0 LogService: BaseService::doRequest(): Using server: https://
    am.blah.com:443/amserver/loggingservice.
    <logRecWrite reqid="57"><log logName="amAuthLog.webserver.blah.com.80" sid="AQIC5wM2LY4SfczdB
    6jEQSaqXL52vqgWNfqxVOf2teEx+b0=@AAJTSQACMTEAAlNLAAk0OTA4MTcyMzQAAlMxAAIwMg==#"></log><logRecord><level>8
    00</level><recMsg>VXNlciBtb21lcjEgd2FzIGFsbG93ZWQgYWNjZXNzIHRvIGh0dHA6Ly9lcTAwMXRtLmVxLnNlcnZlci1jb21wbG
    V4LmNvbTo4MC91d2MvaW5kZXguanNwLg==</recMsg><logInfoMap><logInfo><infoKey>LoginIDSid</infoKey><infoValue>
    AQIC5wM2LY4Sfcy3bA/gJl2v7ArZCHla8Bj9bRVx4P6nSN0=@AAJTSQACMTEAAlNLAAstMTAxNzc2NjM2NQACUzEAAjAx#</infoValu
    e></logInfo></logInfoMap></logRecord></logRecWrite>]]></Request>
    </RequestSet>
    and receives an error as follows:
    2009-04-23 15:40:10.631MaxDebug 7720:2e7af0 LogService: <?xml version="1.0" encoding="UTF-8" standalone=
    "yes"?>
    <ResponseSet vers="1.0" svcid="iplanet.webtop.service.logging" reqid="74">
    <Response><![CDATA[UNAUTHORIZED]]></Response>
    </ResponseSet>
    Investigation in the access manager logs shows that the agent session is no longer valid. As a result, I have two questions:
    1. How can I make it stop trying to log remotely ? I have this set in the AMAgent.properties: com.sun.am.log.level = all:4
    2. How do I exclude agents from the default session expiry times ?
    Regards,
    Michael Ward.

    1. Set com.sun.am.policy.agents.config.audit.accesstype = LOG_NONE
    2. Not sure if I understand this. Typically the agent itself has to authenticate with the server, and that agent session doesn't expire anytime soon.
    -Subba

  • Setup-Problem while installing AM Policy Agent 2.1 on Solaris 10

    I'm new with AccessManager and am trying to get it working on Solaris 10 on a Sparc.
    I'm using LDAP-Server, WEB-Server 6.1 and AccessManager from the software package: "Sun Java System Access Manager 6 2005Q1".
    While trying to install policy agents on the Sparc (by starting the setup program), I got the message: "The installer is intended for Solaris Operating System only".
    The agent software I'm trying to install is "Access Manager Policy Agent 2.1 for Sun Java System Web Server 6.1". From there I chose "Solaris SPARC 8".
    (So I got the package "S1WebServer_6[1].1_agent_2.1_sparc-sun-solaris2.8.tar.gz".)
    In my opinion, it must be correct. Is there anything I've done wrong?
    thanks, Paul

    Even when there is no agent available for Solaris 10 now:
    If you don't have any doubt to use an unsupported configuration, at
    least the apache agent is installable.
    You have to extract the packages "SUNWamapc" and "SUNWcom"
    from the tar-archive and install it using pkgadd.
    Then, you have to configure it manually ("include" in "httpd.conf",
    "AMAgent.properties").
    Maybe it is possible to do something similar with the agent for
    SUN webserver.
    Be aware that no one will guarantee that such unsupported
    installations won't raise any problems.
    Juergen

  • Securing web services with Sun Access Manager

    Hi!
    I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
    What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: To install some kind of plugin into WLS or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
    I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
    I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
    My questions are:
    1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
    2) Are there any documentation/tutorials/etc?
    Thanks in advance :-)
    Anders

    what you need is a webservices agent that would enable you to "protect" your webservice provider, which I assume is on a BEA weblogic provider.
    the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is "NOT" a webservices agent, but a normal J2EE policy agent.
    So.. having said that. here's what I'd recommend.
    1. install the webservices agent on bea weblogic. (note: NOT the J2EE policy agent)
    2. configure it to use your access manager instance for authentication.
    3. configure your webservices client to use the webservice provider. (note: you'd need the webservices APIs available on the client too... so the quick dirty method would be to install the webservices agent on your client too....) you can later bundle the webservices client independently and provide your "customers" with a webservices client bundle...
    4. voila... your webservices are not "protected" by access manager ;-)

  • Unable to install policy agent 2.2 for Webserver 6.1 on Windows 2003

    Hi everybody,
    I've installed Java Enterprise Server (last version) on Windows 2003 with these components:
    - Directory Server
    - Access Manager
    - Webserver
    - Administration Server
    Everything works good, I can access all those components.
    Now I want to use Policy Agent 2.2. So I've downloaded it and I've tried to install...
    But during the installation process, an error message appear when I select the Web Server instance directory to protect.
    It says: "invalid web server instance - on windows, Access Manager Policy Agent only supports Web Server 6.0 and 6.1.....".
    The problem is that I work with WebServer 6.1....
    I really don't know what to do now... This message prevent me to go further.
    What's the problem? How can I avoid this?
    Thanks for your help!
    Adrien

    Okay, here's what it says:
    "The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct update patch".
    I don't even know what program I'm supposed to have.
    Ideas, anyone?

  • Policy Agent

    hi all
    I have installed the policy agent for web server successfully. After that, is there any post-configuration I have to do? How do I run the policy agent in the web server?
    Please help me
    Thanks in Advance

    An Access Manager policy agent? Check out the appropriate forums here:
    http://swforum.sun.com/jive/category.jspa?categoryID=15
