Compiling/running Policy Agent 2.2 for Apache (Linux)

Hi,
I know that running the policy agent for Linux is not supported by Sun on other platforms than Red Hat Enterprise Linux, but anyway I'm qurious to see if others have looked into this.
I've done some testing on my Ubuntu Dapper Linux, using the precompiled version for Red Hat Enterprise, and I kind of made it work. Only problem: I have to start apache using "strace" to have it running. If I run /usr/sbin/apache2 I get "Segmentation Fault", but if I run "strace /usr/sbin/apache2" it runs... I'm able to create a core-dump, but to get something out of it I guess I have to compile the policy agent myself, so I've tried that as well.
To compile I've checked out the opensso package by CVS and installed libxml2-2.6.23, nss-3.11, nspr-4.6.1 and apache-2.0.59, sort of like what it says in the Readme for compiling under Red Hat Enterprise Linux. Result from running "make BUILD_DEBUG=optimize BUILD_AGENT=apache" is:
hash_table.h: In member function �typename smi::HashTable<Element>::EntryType smi::HashTable<Element>::findEntry(const std::string&)�:
hash_table.h:319: error: expected �;� before �__null�
hash_table.h:319: warning: statement has no effect
The test with the precompiled version was done on Ubuntu Dapper Linux using the standard apache 2.0.55 package that comes with Ubuntu. As I said: I've managed to get it running (doing SSO login through Federation Manager running on the same machine, with Access Manager running on another Solaris server) but I would prefer to have a setup that doesn't involve using "strace" to have apache whith the policy agent module running... Anyone else done something like this?
In the end I guess I would like to have some kind of release of the policy agent that doesn't have to be packaged as RPMs just for Red Hat Enterprise servers. It doesn't have to be flagged as "supported by Sun" but more like "you're on your own this release". ;-) That goes for the Federation Manager as well. I've managed to have the FM running on Ubuntu Dapper as well, so I know it's possible...
- Anders

The notes in this thread date from about October of 2006.
Does anyone know why current versions of the gcc compiler refuse to compile the statement that leads to the reported error?
The statement that is failing is:
if (entry && entry->getExpirationTime() < PR_Now()) {
return (HashTable<Element>::EntryType)NULL;with the error
[exec] hash_table.h:320: error: expected �;� before �__null�Is this a problem with the compiler or with the definition of the NULL macro?

Similar Messages

Web Policy Agent 2.1 for Apache 1.3.27 with Identity Server 6.1

Web Policy Agent 2.1 for Apache 1.3.27 with Identity Server 6.1
Does anybody has a working combination of the above ? I get a ID login page and after that I always get a access denied page. I get this exception on the agent logs:
2004-10-14 16:28:00.917 Warning 6347:c1818 PolicyAgent: in get_cookie: no cooki
e in ap_table
2004-10-14 16:28:01.895 Warning 6359:c1818 PolicyAgent: Invalid URL for propert
y (com.sun.am.policy.agents.accessDeniedURL) specified
2004-10-14 16:28:56.742 Warning 6349:c1818 PolicyAgent: am_web_is_access_allowe
d(http://xx.xx.xx.net:8080/, GET) denying access: status = access de
nied (20)
2004-10-14 16:28:56.743 128 6349:c1818 RemoteLog: User testuser1 was denie
d access to http://xx.xx.xx.net:8080/.
2004-10-14 16:28:56.831 -1 6349:c1818 PolicyAgent: URL Access Agent: acces
s denied to testuser1
We can ignore Invalid URL property part because its just looking for a custom url in place there. I have cookies enabled in my browser. I even turned on the prompt option. No luck yet.
Any suggestions would be of great help.
Thanks,
Sunil.

From your description, since the agent installs file with a different JRE, I would suspect it has something to do with the availability of JCE provider in the first JRE. By default, WebSphere's JRE is equipped with IBM JCE provider which is what the agent uses to encrypt the necessary
information. If this provider is not configured correctly it could result in the error that you are seeing. Please check the WebSphere installation and make sure that the JRE used by it has the necessary IBM JCE provider configured. The java.security file for this should contain something like:
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.IBMJSSEProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.crypto.pkcs11.provider.IBMPKCS11
Also, make sure that when you are installing the agent you specify the Java Home as prompted by the agent to point to the location where this JRE is installed. Typically this is under WebSphere/AppServer/java directory. HTH, Jerry

Policy Agent 2.2 for Apache HTTP Server

hi,
I'm trying to configure Policy Agent 2.2 for apache http server.
The agent seems to be installed properly, in fact when I access the protected resource, I get the Access Manager login page.
Then I log into access manager, but I'm redirected to an error page.
Looking in log files I can see:
agent's "amAgent" log file:
Debug 10763:f8fe0 AuthService: HTTP Status = 200 (OK)
Debug 10763:f8fe0 AuthService: Http::Response::readAndParse(): No content length in response.
Debug 10763:f8fe0 ServiceEngine: Service::do_agent_auth_login(): Setting password callback.
Debug 10763:f8fe0 ServiceEngine: Service::do_agent_auth_login(): Setting name callback to 'apache2Agent'.
Debug 10763:f8fe0 AuthService: BaseService::sendRequest Cookie and Headers =Host: crmzone.company.icteam.it
               Cookie: JSESSIONID=193E5E1590C924A42B95A00A51DC0479;amlbcookie=01
Debug 10763:f8fe0 AuthService: BaseService::sendRequest Content-Length =Content-Length: 620
Debug 10763:f8fe0 AuthService: BaseService::sendRequest Header Suffix =Accept: text/xml
               Content-Type: text/xml; charset=UTF-8
Debug 10763:f8fe0 AuthService: HTTP Status = 200 (OK)
Debug 10763:f8fe0 AuthService: Http::Response::readAndParse(): No content length in response.
Error 10763:f8fe0 AuthService: AuthService::processLoginStatus() Exception message=[Application user ID is not valid.] errorCode='107' templateName=login_failed_template.jsp.
Error 10763:f8fe0 PolicyEngine: am_policy_evaluate: InternalException in AuthService::processLoginStatus() with error message:Exception message=[Application user ID is not valid.] errorCode='107' templateName=login_failed_template.jsp and code:3
Warning 10763:f8fe0 PolicyAgent: am_web_is_access_allowed()(http://10.0.0.31:80/SugarOS-Full-4.5.0f, GET) denying access: status = Access Manager authentication service failure
Debug 10763:f8fe0 PolicyAgent: am_web_is_access_allowed(): Successfully logged to remote server for GET action by user unknown user to resource http://10.0.0.31:80/SugarOS-Full-4.5.0f.
Info 10763:f8fe0 PolicyAgent: am_web_is_access_allowed()(http://10.0.0.31:80/SugarOS-Full-4.5.0f, GET) returning status: Access Manager authentication service failure.
Info 10763:f8fe0 PolicyAgent: process_request(): Access check for URL http://10.0.0.31/SugarOS-Full-4.5.0f returned Access Manager authentication service failure.
Debug 10763:f8fe0 PolicyAgent: process_request(): returning web result AM_WEB_RESULT_ERROR, data []
Debug 10763:f8fe0 PolicyAgent: am_web_process_request(): Rendering web result AM_WEB_RESULT_ERROR
Debug 10763:f8fe0 PolicyAgent: am_web_process_request(): render result function returned AM_SUCCESS.
Access Manager's "amAuthentication.error" log file:
"Login Failed|module_instance|Application" Application AUTHENTICATION-268 dc=opensso,dc=java,dc=net "Not Available" INFO apache2Agent 10.0.0.31 "cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net" CRMzone
I tried to change the name of the agent either in its AMAgent.properties or in Access Manager "Agents" configuration page.
I also used "crypt_util" to generate a new passoword, but nothing seems to happen.
Where should I look to get more info about this problem? Specific log file?
Is it due to wrong name/id/password of the agent? I really checked them many times...
Thanks
Fabio

I think the error message "Application user ID is not valid" is pretty self evident.
Log into the amconsole and go to the root realm/organization. Make sure the Agent profile exists and reset the password again to know value. If you created the agent profile in a sub realm/organization, you will need to make sure the subrealm/organization is set in the AMAgent.properties since the default value is / for the root realm/organization. Update the AMAgent.properties file will the Agent ID and the password generated by the crypt_it tool (com.sun.am.policy.am.username, com.sun.am.policy.am.password)
If that doesn't work, check the amApplication debug log and then look at the ldap server access logs to see why the auth bind failed.

Building OpenSSO Policy Agent 2.2 for Apache 2.x

Hi,
I've been trying to build OpenSSO policy agent using sources from opensso_agentbranch22 on WINNT for Apache 2.0 web server. The reason I can't use the pre-build binary is because we are trying to customize the agent to integrate with another SSO app which sends us data. The compilation itself seems to work OK. But the libamapc2.dll (Apache module dll) created seems to be only 24-26k in size vs the 700k size in the binary distributed by Sun.
Apache fails to start when this agent is installed, saying that the dll is invalid. Am I missing something in my compilation and linking process? I'm using VS 6 for the cl and link, Ant and Cygwin.
Any input from the Sun OpenSSO gurus is greatly appreciated.

I can show a snapshot from the Depends tool that clearly shows that amsdk.dll is dynamically linked. It creates all sorts of issues with Apache 2.0 as it doesn't like the dynamic linking. Until I changed the Makefile in the am directory to use the static library, I could not get my libamapc2.dll to match the libamapc2.dll distributed by Sun. Even now there are issues with libnspr4 and msvcrt.dll. Apache crashes as soon as it loads the libamapc2.dll and the issue has been narrowed down to the strlen() method. This method is used for logging messages by the agent.
I wish Sun maintained a copy of the 3rd party libs they use to build the agent in their CVS instead of asking us to fetch those libraries from another website, in which case libraries may not correspond 1:1.

Problem With Policy Agent 2.2 for APACHE on WINDOWS !!!!

I have been getting a nasty error for weeks configuring PolicyAgent 2.2 for Apache (tried 2.2.x and 2.0.x) on a Windows Server. After the configuring apache could not even start. I get the following error :
Syntax error on line 1 of "C:/Sun/Access_Manager/Agents/2.2/apache/config/apache_80/dsame.conf":
Cannot load C:/Sun/Access_Manager/Agents/2.2/apache/bin/libamapc2.dll into server. The specified module does not exist
Does anyone have any ideas? (I have been pulling my hair off trying to resolve this and I am about to lift up the server and drop it !!! ) The dll file above is available in that path.
Message was edited by:
lreju

This dll file may need/depend other dlls. So sometimes you may still get this error after you download the dll into your windows system folder. But you can use a tool such as http://www.dependencywalker.com to find out which other dlls are needed for your installation....Hope this helps someone !!!

Policy agent 2.1 for apache 1.3.27 reinstallation problem

hi
i've uninstalled Apache_1.3.27_agent_2.1_sparc-sun-solaris2.8 policy agent [Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)] to reinstall it from scratch.
during the reinstallation i've the problem listed below. i did remove all remaining parts of agent but doesn't work.
Any idea ?
Thanks
Installing Sun ONE Identity Server Policy Agent
Listener:com.iplanet.am.installer.listeners.ApacheInstallListener@1372656 threw exception during "installFinishing" method while listening to SUNWamapc install directory=[DETERMINED AT RUNTIME]:java.lang.reflect.InvocationTargetException
Target Exception trace:
java.lang.RuntimeException: error executing ///bin/config at com.iplanet.am.installer.listeners.InstallListenerBase.executeCommand(InstallListenerBase.java:829) at com.iplanet.am.installer.listeners.InstallListenerBase.configureSolarisWebAgent(InstallListenerBase.java:294) at com.iplanet.am.installer.listeners.InstallListenerBase.installFinishing(InstallListenerBase.java:150) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:324)
at com.sun.install.products.Product.processEvents(Product.java:753) at com.sun.install.products.Product.processEvents(Product.java:787) at com.sun.install.products.Product.processEvents(Product.java:787) at com.sun.install.products.Product.performInstallation(Product.java:643) at com.sun.install.tasks.ProductTask.perform(ProductTask.java:191) at com.sun.wizards.core.Sequence.perform(Sequence.java:336) at com.sun.wizards.core.SequenceManager.run(SequenceManager.java:226) at java.lang.Thread.run(Thread.java:534)

I had the same problem because of a missconfiguration in AMAgent.properties. I changed manually all URLs to the Identity Server from http to https and found out the port number has definitly to be specified (bad URL parsing of Policy Agent). You should check your configuration...
HTH
J�rgen

Policy Agent 3.0 for Tomcat - Cannot obtain Application SSO token

Hi
I am trying to configure Sun OpenSSO Enterprise Policy Agent 3.0 for Apache Tomcat Application Server 6.
After installing the Policy Agent, Tomcat is not starting.
The Error in the stack is :
=========
Jun 14, 2009 2:21:00 AM
org.apache.tomcat.util.digester.Digester startElement
SEVERE: Begin event threw error
java.lang.ExceptionInInitializerError
at
com.sun.identity.agents.arch.AgentConfiguration.bootStrapClientConfig
uration(AgentConfiguration.java:682)
Caused by:
com.sun.identity.security.AMSecurityPropertiesException:
AdminTokenAction: FATAL ERROR: Cannot obtain Application
SSO token.
Check AMConfig.properties for the following properties
com.sun.identity.agents.app.username
com.iplanet.am.service.password
at
com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:
258)
=========
There is no AMConfig.properties file. The Agent uses "OpenSSOAgentBootstrap.properties".
Is there a workaround for this issue ?
Cheers.

Hi,
I have the same Problem, did you come up with a solution for it?
thanks
Matrius

Problem Installing Policy Agent 2.2 on Apache 2.2.3

Hi all,
I'm trying to configure policy agent 2.2 on apache 2.2.3 on linux platform CentOS (red hat 5.1).
The configuration and the installation seem to work properly, in effect in the log file install.log you can find :
[06/10/2008 16:38:49:865 CEST] Creating directory layout and configuring Agent file for Agent_001 instance ...SUCCESSFUL.
[06/10/2008 16:38:49:936 CEST] Reading data from file /opt/web_agents/apache22_agent/passwordFile and encrypting it ...SUCCESSFUL.
[06/10/2008 16:38:49:937 CEST] Generating audit log file name ...SUCCESSFUL.
[06/10/2008 16:38:50:022 CEST] Creating tag swapped AMAgent.properties file for instance Agent_001 ...SUCCESSFUL.
[06/10/2008 16:38:50:026 CEST] Creating a backup for file /etc/httpd/conf/httpd.conf ...SUCCESSFUL.
[06/10/2008 16:38:50:031 CEST] Adding Agent parameters to /opt/web_agents/apache22_agent/Agent_001/config/dsame.conf file ...SUCCESSFUL.
[06/10/2008 16:38:50:032 CEST] Adding Agent parameters to /etc/httpd/conf/httpd.conf file ...SUCCESSFUL.
But, when I try to restart Apache it gives me an error and in the error.log file in Apache you can read:
[Tue Jun 10 16:57:33 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Jun 10 16:57:34 2008] [notice] Digest: generating secret for digest authentication ...
[Tue Jun 10 16:57:34 2008] [notice] Digest: done
[Tue Jun 10 16:57:34 2008] [alert] Policy web agent configuration failed: NSPR error
Configuration Failed
Well, I found in the Sun documentation a well known bug about the NSPR and NSS library :
Error message issued during installation of Policy Agent 2.2 on Linux systems
When the Linux operating system is installed, specific components can be selected. Occasionally the specific components of the operating system selected lack the libraries necessary for Policy Agent 2.2 to function. When the complete Linux operating system is installed, all the required libraries are available. The libraries that are required for the agent to function are as follows: NSPR, NSS, and libxml2.
Workaround: If the Linux operating system you are using is not complete, install the latest versions of these libraries as described in the steps that follow:
At the time this note was added, the latest version of the NSPR library packages was NSPR 4.6.x , while the latest version of the NSS library package was NSS 3.11.x.
To Install Missing Libraries for Policy Agent 2.2 on Linux Systems
*+
Install the NSS, and libxml2 libraries. These libraries are usually available as part of Linux installation media. NSPR and NSS are available as part of Mozilla binaries/development packages. You can also check the following sites:
o
NSPR: http://www.mozilla.org/projects/nspr/
o
NSS: http://www.mozilla.org/projects/security/pki/nss/
So, I checked my libraries but they are upgraded to the latest version.
If I comment the line that includes the libamapc22.so in the apache configuration file
LoadModule dsame_module /opt/web_agents/apache22_agent/lib/libamapc22.so
Apache can restart but the agent is misconfigurated!
Any Idea?

thank you Subhodeep for your reply,
I didn't try to change the library file and I didn't find in licterature any information about library file changing in the Policy agent installation. Please, could you suggest me something more about which library to use instead of libamapc22.so?
ps. I am using red hat 5.1, and from the release note of the policy agent seems that the latest platform version supported is red hat enterprise linux 4.0 versions.....
this one could definitely be the reason of the misconfiguration.

This log -------------policy agent 2.1 for iis5.0

Sun Java System Identity Server Policy Agent 2.1 for Microsoft IIS 5.0
Sun\Identity_Server\Agents\2.1\debug\C__Inetpub_wwwroot\amAgent
2004-07-25 18:06:22.156 Warning 1064:00D01120 PolicyAgent: OnPreprocHeaders(): Identity Server Cookie not found.
2004-07-25 18:06:22.156 Error 1064:00D01120 PolicyAgent: do_redirect() ServerSupportFunction did not succeed: Attempted status = 302 Found
2004-07-25 18:06:22.156 Warning 1064:00D01120 PolicyAgent: OnPreprocHeaders(): No cookies found.
2004-07-25 18:06:22.156 Error 1064:00D01120 PolicyAgent: do_redirect() ServerSupportFunction did not succeed: Attempted status = 302 Found
2004-07-25 18:07:53.921 Error 1064:00D01120 PolicyEngine: am_policy_evaluate: InternalException in Service::getPolicyResult with error message:Policy not found for resource: http://guorui.mygodsun.com:49153/index.asp and code:7
2004-07-25 18:07:53.921 Warning 1064:00D01120 PolicyAgent: am_web_is_access_allowed(http://guorui.mygodsun.com:49153/index.asp, GET) denying access: status = no policy found (7)
2004-07-25 18:07:53.937 128 1064:00D01120 RemoteLog: User amAdmin was denied access to http://guorui.mygodsun.com:49153/index.asp.
2004-07-25 18:07:54.062 Error 1064:00D01120 PolicyAgent: do_redirect(): Error while calling am_web_get_redirect_url(): status = success
2004-07-25 18:07:54.078 Error 1064:00D01120 PolicyAgent: do_redirect() WriteClient did not succeed: Attempted message = HTTP/1.1 403 Forbidden
Content-Length: 13
Content-Type: text/plain
403 Forbidden
from that log,help me
my:
Sun Java System Identity Server 6.1
Sun Java System Directory Server 5.2
Sun Java System Identity Server Policy Agent 2.1 for Microsoft IIS 5.0
help me for that how config?
what error ?
thanks!

Sorr for so many people faced the sam or similar issues. I just joined this support a short while. If you think any old problem which is still critical to you, please repost. We shall try our best to give you assistance. Jerry
Here are some of tips for debugging Web agent.
From the AMAgent.properties, are both IIS and AM are in the same domain? If they are not, then you need to use CDSSO. Also please check in AM, under "Service Configuration-> Platform -> Cookie Domains" , whether cookie is set for the entire domain which includes AM and IIS ("test.com") or just the AM machine name.
Also check whether correct value for "Agent-Identity Server Shared Secret" is entered. This should be your internal ldap password (amldapuser). In the AMAgent.properties for the below property the password will be encrypted and assigned: "com.sun.am.policy.am.password".
Could you also check if the Identity servver and the IIS web server are time synchronized. The problem may be that agent requests policy decisions and the response from server may be timed out due to non-syncrhonized clock.
Don't forget to restart the whole IIS service using internet
management console after making agent changes.
Some of the common error codes:
20: Application authentication failed. This occurs when Agent cannot sucessfully authenticate with Identity Server. This is mainly due to incorrect password for agent entered during agent installation. Please refer to another faq describing how to change password.
7: Policy not found. This error occurs typically if there are no policies defined on Identity server for the given web server URL. Otherwise, there may be time skew between Identity Server and Agent. So, polices fetched from Identity Server is instantly flushed by Agent and attempted to refetch over and over again. This can be solved by running rdate or similar command to synchronize time between the two machines. It is recommended to run NNTP server syncrhonize times between your Identity systems.

SUn Policy Agent 2.2 for Weblogic 92

We are using SUN POlicy agent 2.2. (for Weblogic) for Access Manager 6.3
For this particular application I intermittantly get SSOToken invald message
Its a sporadic behavior (sometimes work sometime does not)
error -
02/02/2007 12:22:41:057 PM EST: Thread[[ACTIVE] ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)',5,Pooled Threads]
SSOTokenValidator.validate(): Exception caught
com.iplanet.sso.SSOException: AQIC5wM2LY4Sfcw k8CIsj Jujq92ltM5fNZJxh2qFYpAyw=@AAJTSQACMDE=# Invalid session ID.AQIC5wM2LY4Sfcw k8CIsj Jujq92ltM5fNZJxh2qFYpAyw=@AAJTSQACMDE=#

check the patch level of AM 6.3, it should be higher than 1

Sun One Identity Server Policy Agent 2.0 for IIS 5.0

Hi,
I try to use Sun Indentity Server with IIS, so I installed policy agent 2.0 for IIS 5.0. my operating system is Windows 2000 professional. I can see the ISAPI fiiter is loaded, but when I try to test the installation by access a testing page, like http://localhost/test.asp, I can not go anywhere, the sun identity server log in page is not loaded. I checked the debug log file, there are just two warning message:
2003-02-12 11:11:52.314 Warning 1316:00A548E8 PolicyAgent: Invalid URL for property (com.sun.am.policy.agents.accessDeniedURL) specified
2003-02-12 11:11:52.798 Warning 1316:00A548E8 PolicyAgent: FqdnHandler::FqdnHandler() No value specified for fqdnMap.
Could someone help me out here? Any suggestion will be appreciated.
Thanks,
Harold Chen

Well, it's in the Agent's installation guide, section "Read me first", "Setting Fully Qualified Domain Name". :)

Problem in POST data preserve in Policy Agent 2.2 for SJSWS 6.1

Hi
I am using Policy Agent 2.2 for SJSWS 6.1
I have a requirement to preserve the POST data when during the following situation.
Consider a situation where in the user has logged in to our webapp and the user remains in a page which has a form with Post method .
Mean while the session (of AM) times out and now the user enters the data in the data and submits the form.
The user will be redirected to the login page and then the requested service should be performed, which is not happening in this case(POST). Suppose in if the form used a GET method this works fine.
I have tried by configuring the following property in AMAgent.properties file.
com.sun.am.policy.agents.config.postdata.preserve.enable = true
But it doesn't work. When I tried to troubleshoot, I learned from the following resource that, POST data preservation is only supported on Policy Agent 2.2 for Sun Java System Web Server 7.0 Is it not supported on 6.1?
http://docs.sun.com/app/docs/doc/820-1130/gaueu
I get the following error in the log file of SJSWS.
trying to POST /dummypost/sunpostpreserve2007-09-2804:48:53.379, send-file reports: HTTP4142: can't find /opt/SUNWwbsvr/docs/dummypost/sunpostpreserve2007-09-2804:48:53.379 (File not found)
I have verified that the following entry is made in the obj.conf
PathCheck fn=validate_session_policy
<Object ppath="*/dummypost/sunpostpreserve*">
Service type=text/* method=(GET) fn=append_post_data
</Object>
<Object ppath="*/UpdateAgentCacheServlet*">
Service type=text/* method=(POST) fn=process_notification
</Object>
I am using the PA 2.2 which says that the following bug is fixed.
Bug(s) fixed in 2.2 RTM Hotpatch 8
==================================
Bug#: 6545159
Agent type: Sun Java System Web Server agent
Description: CDSSO mode wipes out form post data
Appreciate your help.
thanks & regards
Madhu

Hi
Now I get 404 error and the logs in amAgent is
2007-10-03 04:56:20.922 Error 22356:a51e558 PolicyAgent: Error Registering POST content body
2007-10-03 04:56:20.922MaxDebug 22356:a51e558 PolicyAgent: Register POST content body : (null)
2007-10-03 04:56:20.923 Debug 22356:a51e558 PolicyAgent: Register POST data key :2007-10-0304:56:20.922
2007-10-03 04:56:20.923 Error 22356:a51e558 PolicyAgent: am_web_postcache_insert(): Unknown exception encountered.
2007-10-03 04:56:20.923 Warning 22356:a51e558 PolicyAgent: Register POST data insert into hash table failed:2007-10-0304:56:20.922
And in the errors log file of SJSWS is+_
[03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="uri-clean" Directive="PathCheck"
[03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="uri-clean" Directive="PathCheck" returned 0 (REQ_PROCEED)
[03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="find-pathinfo" Directive="PathCheck"
[03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="find-pathinfo" Directive="PathCheck" returned -2 (REQ_NOACTION)
[03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="find-index-j2ee" Directive="PathCheck"
[03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="find-index-j2ee" Directive="PathCheck" returned -2 (REQ_NOACTION)
[03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="find-index" index-names="index.html,home.html,index.jsp" Directive="PathCheck"
[03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="find-index" index-names="index.html,home.html,index.jsp" Directive="PathCheck" returned -2 (REQ_NOACTION)
[03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="validate_session_policy" Directive="PathCheck"
[03/Oct/2007:05:13:05] fine (22515): Updating accelerator cache
[03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="validate_session_policy" Directive="PathCheck" returned 0 (REQ_PROCEED)
[03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="type-j2ee" Directive="ObjectType"
[03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="type-j2ee" Directive="ObjectType" returned 0 (REQ_PROCEED)
[03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="type-by-extension" Directive="ObjectType"
[03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="type-by-extension" Directive="ObjectType" returned 0 (REQ_PROCEED)
[03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="force-type" type="text/plain" Directive="ObjectType"
[03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="force-type" type="text/plain" Directive="ObjectType" returned 0 (REQ_PROCEED)
[03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file" Directive="Service"
[03/Oct/2007:05:13:14] warning (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, send-file reports: HTTP4142: can't find /opt/WMS/rel/www/webserver7/https-localhost.localdomain/docs/dummypost/sunpostpreserve2007-10-0304:56:20.922 (File not found)
[03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file" Directive="Service" returned -1 (REQ_ABORTED)
[03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="error-j2ee" Directive="Error"
[03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="error-j2ee" Directive="Error" returned -2 (REQ_NOACTION)
[03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="flex-log" Directive="AddLog"
[03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="flex-log" Directive="AddLog" returned 0 (REQ_PROCEED)
thanks
Madhu

Policy Agent 2.1 for IBM WebSphere Application Server 5.0 can't install

I install Policy Agent 2.1 for IBM WebSphere Application Server 5.0
But Can't install success
resone:
Base Installation completed Successfully
WebSphere 5.0 Agent ClassPath : C:/Sun/IdentityServer/j2ee_agents/lib/am_sdk.jar;C:/Sun/IdentityServer/j2ee_agents/lib/am_services.jar;C:/Sun/IdentityServer/j2ee_agents/lib/am_sso_provider.jar;C:/Sun/IdentityServer/j2ee_agents/lib/am_logging.jar;C:/Sun/IdentityServer/j2ee_agents/config/F__Program Files_WebSphere_AppServer_config_cells_tmbsp103_nodes_tmbsp103_servers_server1;C:/Sun/IdentityServer/j2ee_agents/locale
WebSphere 5.0 Agent Boot ClassPath : C:/Sun/IdentityServer/j2ee_agents/lib/jdk_logging.jar
WebSphere 5.0 Agent JVM options : -Damconfig=AMAgent -Dmax_conn_pool=10 -Dmin_conn_pool=1 -Dcom.iplanet.coreservices.configpath=C:/Sun/IdentityServer/j2ee_agents/config/F__Program Files_WebSphere_AppServer_config_cells_tmbsp103_nodes_tmbsp103_servers_server1/ums -Djava.util.logging.manager=com.sun.identity.log.LogManager -Djava.util.logging.config.file=C:/Sun/IdentityServer/j2ee_agents/config/F__Program Files_WebSphere_AppServer_config_cells_tmbsp103_nodes_tmbsp103_servers_server1/AMAgent.properties -Djava.protocol.handler.pkgs=com.ibm.net.ssl.internal.www.protocol -Dws.ext.dirs=C:/Sun/IdentityServer/j2ee_agents/lib
The server.policy file was configured successfully.
Global Security Settings Configured Successfully.
sas.client.props file Configuration FAILED.
soap.client.props file Configuration FAILED.
sas.client.props /soap.client.props two file how to Configuration ??

From your description, since the agent installs file with a different JRE, I would suspect it has something to do with the availability of JCE provider in the first JRE. By default, WebSphere's JRE is equipped with IBM JCE provider which is what the agent uses to encrypt the necessary
information. If this provider is not configured correctly it could result in the error that you are seeing. Please check the WebSphere installation and make sure that the JRE used by it has the necessary IBM JCE provider configured. The java.security file for this should contain something like:
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.crypto.provider.IBMJCE
security.provider.3=com.ibm.jsse.IBMJSSEProvider
security.provider.4=com.ibm.security.cert.IBMCertPath
security.provider.5=com.ibm.crypto.pkcs11.provider.IBMPKCS11
Also, make sure that when you are installing the agent you specify the Java Home as prompted by the agent to point to the location where this JRE is installed. Typically this is under WebSphere/AppServer/java directory. HTH, Jerry

Unable to install policy agent 2.2 for Webserver 6.1 on Windows 2003

Hi everybody,
I've installed Java Enterprise Server (last version) on Windows 2003 with these components:
- Directory Server
- Access Manager
- Webserver
- Administration Server
Everything works good, I can access all those components.
Now I want to use Policy Agent 2.2. So I've downloaded it and I've tried to install...
But during the installation process, an error message appear when I select the Web Server instance directory to protect.
It says: "invalid web server instance - on windows, Access Manager Policy Agent only supports Web Server 6.0 and 6.1.....".
The problem is that I work with WebServer 6.1....
I really don't know what to do now... This message prevent me to go further.
What's the problem? How can I avoid this?
Thanks for your help!
Adrien

Okay, here's what it says:
"The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, ot the updgrade pathc may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct update patch".
I don't even know what program I'm supposed to have.
Ideas, anyone?

Error 403 returned from WebSphere running Policy Agent

Hi,
I'm getting an error 403 (forbidden) in my browser when I try to access a URL that I have protected using a Policy that I have setup in SAM.
My configuration is as follows:
Sun Access Manager 6 2005Q1 on Solaris
WebSphere AppServer 5.1.1.5 on Win 2000
WebSphere 5.0 Policy Agent 2.1 on Win 2000
At the moment, all I'm trying to do is protect a URL which is contained in a simple WAR file which I have deployed on WAS.
As per the J2EE Policy Agents guide, I have installed the Agent Filter by adding the following into web.xml
<web-app>
<display-name>...</display-name>
<description>...</description>
<filter>
<filter-name>Agent</filter-name>
<display-name>Agent</display-name>
<description>SunTM ONE Identity Server Policy Agent</description>
<filter-class>com.sun.identity.agents.websphere.AmWAS50AgentFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Agent</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
</web-app>
I've switched on Global Security in WAS and successfully logged back into the WebSphere Console using amldapuser. This confirms that the Agent Realm is working correctly.
In SAM I set up a Policy with a Rule that specified the URL I want to protect. I added a Subject to this Rule of type LDAP User. The user I chose was amadmin (for the moment).
I also configued an Agent with agentRootURL=http://<WAS fully qualified domain name>:9080/
When I try to access the URL of the servlet in the WAR, I am redirected to the SAM's login page
http://<SAM fully qualified domain name>/amserver/UI/Login?goto=http%3A%2F%2F<WAS fully qualified domain name>%3A9080%2FRoamingApp%2FRoaming
However, when I enter the amadmin/ <password> error 403 is returned to the browser.
I've checked the logs on SAM
From amAuthentication.access
"2005-07-28 11:58:15" "Login Success" LDAP dc=acme,dc=com INFO uid=amAdm
in,ou=People,dc=acme,dc=com <WAS IP address> "cn=dsameuser,ou=DSAME Users,dc=acme,
dc=com" <WAS IP address>
From amSSO.access
"2005-07-28 11:58:15" "SESSION CREATE" amSSO.access dc=acme,dc=com I
NFO uid=amAdmin,ou=People,dc=acme,dc=com <WAS IP address> "cn=dsameuser,ou=
DSAME Users,dc=acme,dc=com" <WAS IP address>
From agent.log (Policy Agent on Win 2000)
[Thursday, July 28, 2005 11:58:15 AM BST] [null]
Access to http://<WAS fully qualified domain name>:9080/RoamingApp/Roaming denied for user UNKNOWN
Perhaps I dont have the Policy in SAM configured correctly..... if anyone has come across this kind of problem before, I would greatly appreciate any help they can give me.
Thanks,
Justin

Thanks for getting back to me Jerry.
I had a look at the role-to-principal mappings you suggested. To do this I added a security constraint to my web.xml file.
Then I reconfigured WebSphere so that the Active User Registry = LDAP instead of Custom. This allowed me to assign the LDAP group (in SAM) to the role (in web.xml). WAR file installed fine with these new bindings and I restarted WAS.
Unfortunately, I'm still getting Error 403 in the browser!
Any ideas as to what I might be doing wrong? Any help you can give me would be much appreciated.
This is the amFilter log file from the Policy Agent...
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: incoming request =>
HttpServletRequest: class => com.ibm.ws.webcontainer.srt.SRTServletRequest@1af52898
     Character Encoding     : null
     Content Lenght          : -1
     Content Type          : null
     Locale               : en_IE
     Accept Locales:
          en_IE
     Protocol          : HTTP/1.1
     Remote Address          : 172.20.13.96
     Remote Host          : 172.20.13.96
     Scheme               : http
     Server Name          : dubwrk1589.ie.pri.o2.com
     Server Port          : 9080
     Is Secure          : false
     Auth Type          : null
     Context Path          : /RoamingApp
     Cookies:
          amFilterParam: AQIC5wM2LY4Sfcx0xX1Z1+1tK4SfLh/aCFlbIGuRNEPcAVc=
          amFilterRDParam: AQIC5wM2LY4Sfcwb7v6Sof6MpnvtyR8nae7hiKN7Y11QjCagyWAs9LzbAeB9Q4TP8VjruhK+oYForXxw/qq6TqbMAN1PlT1YOQI3Vy92iAaJ2N9x2bSRaUU7NlwZg8oTti+JOLdiRMTzwO17jIoWwCIx/0CtoQXpkX/meuAoFwf1feyAEp2NvK7AIbE82f/p8o4LxQbhK2NQNec=
          WASReqURL: http://dubwrk1589.ie.pri.o2.com:9080/RoamingApp/Roaming
          JSESSIONID: 0000HRZTVpt84dvtjaLaKWBnwzu:-1
     Headers:
          accept:
               image/gif
               image/x-xbitmap
               image/jpeg
               image/pjpeg
               application/msword
               application/vnd.ms-excel
               application/vnd.ms-powerpoint
               application/x-shockwave-flash
          referer:
               http://sam.digifone.com/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp
          accept-language:
               en-ie
          cookie:
               amFilterParam=AQIC5wM2LY4Sfcx0xX1Z1+1tK4SfLh/aCFlbIGuRNEPcAVc=; amFilterRDParam=AQIC5wM2LY4Sfcwb7v6Sof6MpnvtyR8nae7hiKN7Y11QjCagyWAs9LzbAeB9Q4TP8VjruhK+oYForXxw/qq6TqbMAN1PlT1YOQI3Vy92iAaJ2N9x2bSRaUU7NlwZg8oTti+JOLdiRMTzwO17jIoWwCIx/0CtoQXpkX/meuAoFwf1feyAEp2NvK7AIbE82f/p8o4LxQbhK2NQNec=; WASReqURL=http://dubwrk1589.ie.pri.o2.com:9080/RoamingApp/Roaming; JSESSIONID=0000HRZTVpt84dvtjaLaKWBnwzu:-1
          accept-encoding:
               gzip
               deflate
          user-agent:
               Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
          host:
               dubwrk1589.ie.pri.o2.com:9080
          connection:
               Keep-Alive
          cache-control:
               no-cache
     Method               : GET
     Path Info          : null
     Path Trans          : null
     Query String          : null
     Remote User          : null
     Requested Session ID     : 0000HRZTVpt84dvtjaLaKWBnwzu:-1
     Request URI          : /RoamingApp/login.jsp
     Servlet Path          : /login.jsp
     Session               : true
     User Principal          : null
     Attributes:
          com.ibm.servlet.engine.webapp.dispatch_type: forward
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
FQDNHandler: Incoming Server Name: [dubwrk1589.ie.pri.o2.com] Result: null
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
PatternRule{*/j_security_check}.matchString(/RoamingApp/login.jsp) => false
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
NotEnforcedListManager.isNotEnforced(/RoamingApp/login.jsp) => false
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: Login attempt number: 10
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: SSO Validation failed for null
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: Reseting Cookies in Response
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
WARNING: AmFilter: Login attempt number 10 failed for request URI: /RoamingApp/login.jsp
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
URLFailoverHelper: Checking if http://sam.digifone.com:80/amserver/UI/Login is available
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
URLFailoverHelper: URL http://sam.digifone.com:80/amserver/UI/Login is available
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
URLFailoverHelper: getAvailableURL() => http://sam.digifone.com:80/amserver/UI/Login
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: redirectURL is: http://sam.digifone.com:80/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
WARNING: AmFilter: redirect attempt limit reached for http://sam.digifone.com:80/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp, access will be denied
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: Using 403 forbidden to block access
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
getResource: id = 20004
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: result =>
FilterResult:
     Status      : FORBIDDEN
     RedirectURL     : null
     RequestHelper:
          null
     Data:
          null
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
getResource: id = 20008

Compiling/running Policy Agent 2.2 for Apache (Linux)

Similar Messages

Maybe you are looking for