Configure security realm for external Access Manager in App server 8.1

Hi All,
I would like to protect my J2EE application using Access Manager running on an external host.
I would like to configure the security realm in Sun App Server 8.1 for the external Access Manager.
The external host & port of AM is:
http://svrd234d.dnn.com.au:58765
Please verify if these are the correct settings for the agentRealm configuration on Sun App server 8.1.
classname="com.sun.amagent.as.realm.AgentRealm"
property name="jaas-context" value="agentRealm"
property name="base-dn" value="ou=People,dc=dnn,dc=com,dc=au"
property name="hostURL " value="http://svrd234d.dnn.com.au:58765"

Did you download the AS 8.1 agent from http://www.sun.com/download/products.xml?id=4266924d ?
If you unjar am_as81_agent_2_1.jar after installing the J2EE agent, you will find AgentRealm.class under com.sun.amagent.as.realm.
Please also note that page 161 of the J2EE agent guide shows how to disable AgentRealm to better fit your agent policy mode. See http://docs-pdf.sun.com/816-6884-10/816-6884-10.pdf
Jerry
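As an added illustration (not from the thread or from Sun's agent documentation), this is how the four settings in the question sit in the domain's config/domain.xml as an auth-realm, and how a web application selects that realm in its web.xml. The login page names are placeholders, and the jaas-context value has to match an entry of that name in the domain's config/login.conf. Two checks a practitioner would make: the property name must be exactly hostURL (the pasted line has a trailing space, which would leave the property unmatched), and if AM is reachable over SSL, use its https URL so the agent's traffic to AM is not sent in clear text across the network.

```xml
<!-- config/domain.xml: inside <security-service> -->
<auth-realm name="agentRealm" classname="com.sun.amagent.as.realm.AgentRealm">
  <!-- must match the entry name in config/login.conf that names the agent's login module -->
  <property name="jaas-context" value="agentRealm"/>
  <property name="base-dn" value="ou=People,dc=dnn,dc=com,dc=au"/>
  <!-- no whitespace in the property name; prefer the https URL of AM when it is SSL-enabled -->
  <property name="hostURL" value="http://svrd234d.dnn.com.au:58765"/>
</auth-realm>

<!-- WEB-INF/web.xml of the protected application: bind it to the realm above -->
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>agentRealm</realm-name>
  <form-login-config>
    <!-- placeholder pages, adjust to the application -->
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/loginError.jsp</form-error-page>
  </form-login-config>
</login-config>
```

After editing domain.xml restart the domain and confirm in server.log that the realm loaded without a ClassNotFoundException, which is the usual sign that the agent jar is not on the server classpath.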

Similar Messages

  • How to configure security realm for Active Directory ?

    Hi,
    Can anybody suggest how to configure a security realm in WebLogic 8.1?
    I have a simple login page where the user can enter his credentials, and I have MS Active Directory where we maintain all users.
    Users who log into the web application have to be authenticated against Active Directory.
    Please suggest what steps we need to follow.
    Thanks in advance

    Hi Sankar,
    You can login to the weblogic server admin console and create a new realm.
    Once you have created the realm you can add the authentication provider. You add the Active Directory Authentication Provider, but you must have the configuration information of MS AD. You can read my blog http://dev2dev.bea.com/blog/bishnu_kumar/
    where the integration is with iPlanet LDAP. The steps will be similar.
    You must have a login portlet in your portal application and it should be in accordance with J2EE security standards. For example you may use basic authentication, the UserLogin control or the p13n API.
    Regards
    Bishnu

  • Installing Access Manager under App Server platform

    We have done an install of Access Manager 2005Q1 under App Server Platform Edition 2005Q1 (v8.1) on Red Hat Enterprise Linux (v3).
    When starting up Access Manager, we get a NoClassDefFound exception. Some postings mention issues with Sun Mobile Access and suggest uninstalling/reinstalling, but these seem to apply to Solaris only. We have had no luck with this suggestion on Linux.
    Does anyone have any other suggestions?
    Thanx,
    GB
    [#|2005-09-14T10:50:34.118-0700|SEVERE|sun-appserver-pe8.1_01|javax.enterprise.system.container.web|_ThreadID=10;|WebModule[/amserver]Exception starting filter amlcontroller
    java.lang.NoClassDefFoundError
    at com.iplanet.services.ldap.LDAPUser.getPasswd(LDAPUser.java:117)
    at com.iplanet.services.ldap.ServerInstance.getPasswd(ServerInstance.java:128)
    at com.sun.identity.security.ServerInstanceAction.run(ServerInstanceAction.java:92)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:210)
    at com.sun.identity.sm.ldap.SMSLdapObject.initialize(SMSLdapObject.java:143)
    at com.sun.identity.sm.ldap.SMSLdapObject.<init>(SMSLdapObject.java:118)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:274)
    at java.lang.Class.newInstance0(Class.java:308)
    at java.lang.Class.newInstance(Class.java:261)
    at com.sun.identity.sm.SMSEntry.<clinit>(SMSEntry.java:116)
    at com.sun.identity.sm.ServiceSchemaManager.<clinit>(ServiceSchemaManager.java:67)
    at com.iplanet.am.util.AMClientDetector.getServiceSchemaManager(AMClientDetector.java:219)
    at com.iplanet.am.util.AMClientDetector.<clinit>(AMClientDetector.java:94)
    at com.sun.mobile.filter.AMLController.init(AMLController.java:85)
    at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:229)
    at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:312)
    at org.apache.catalina.core.ApplicationFilterConfig.<init>(ApplicationFilterConfig.java:83)
    at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3881)
    at org.apache.catalina.core.StandardContext.start(StandardContext.java:4528)
    at com.sun.enterprise.web.WebModule.start(WebModule.java:241)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1086)
    at org.apache.catalina.core.StandardHost.start(StandardHost.java:833)
    at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1086)
    at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:483)
    at org.apache.catalina.startup.Embedded.start(Embedded.java:894)
    at com.sun.enterprise.web.WebContainer.start(WebContainer.java:707)
    at com.sun.enterprise.web.PEWebContainer.startInstance(PEWebContainer.java:507)
    at com.sun.enterprise.web.PEWebContainerLifecycle.onStartup(PEWebContainerLifecycle.java:54)
    at com.sun.enterprise.server.ApplicationServer.onStartup(ApplicationServer.java:300)
    at com.sun.enterprise.server.PEMain.run(PEMain.java:294)
    at com.sun.enterprise.server.PEMain.main(PEMain.java:220)
    |#]

    Every time I click Access Manager in the JES 2005Q4 installer, Directory Server gets selected as well. Unchecking it prompted me for a remote repository, which worked.
    I wasn't able to get the install to complete with the state file; it stopped before configuring Access Manager.

  • Network Error: Clean Access Server could not establish a secure connection to Clean Access Manager

    Hello everyone
    I am implementing a failover solution of NAC in OOB VG version 4.8; I have 2 CAS and 2 CAM.
    The error I get when I connect to both the IP address and the FQDN of the CAS is:
    ===========
    Network Error:
    Clean Access Server could not establish a secure connection to Clean Access Manager at camsrv3.cadivi.gob.ve.
    This could be due to one or more of the following reasons: 1) Clean Access Manager certificate has expired 2) Clean Access Manager certificate cannot be trusted or 3) Clean Access Manager cannot be reached.
    Please report this to your network administrator.
    ==========
    For the CAMs I use the names camsrv1 and camsrv2, then generate a CSR on camsrv1 with the name camsrv3.mycompany.com corresponding to the virtual IP and export it to camsrv2, install the company's CA certificate, and everything works perfectly.
    This is the failover configuration
    CAM:
    Primary:     10.1.206.248 camsrv1.mycompany.com
    Secondary: 10.1.206.249 camsrv2.mycompany.com
    Virtual:       10.1.206.250 camsrv3.mycompany.com
    Then I do exactly the same steps for the CASs, and this is the failover configuration:
    Primary:     10.1.216.248 cassrv1.mycompany.com
    Secondary: 10.1.216.249 cassrv2.mycompany.com
    Virtual:       10.1.216.250 cassrv3.mycompany.com
    Then I add the certificate of the CAM to the CAS in the tab "Trusted Certificate Authorities" and vice versa.
    The communication between all the CAMs and CASs is correct (Primary, Secondary and Virtual). I can ping the IP and the FQDN and I can also manage the CAS through the CAM.
    I verified that the time was right on the CAM and the CAS and all is good there.
    Appreciate your help
    Eduardo Navas

    Eduardo,
    Bump up the CAS/CAS communications logging on both the CAS and CAMs, and then look in the log files for clues.
    On CAM they live in /perfigo/control/tomcat/logs and on CAS in /perfigo/access/tomcat/logs
    HTH,
    Faisal
    If you find this post helpful, please rate so others can find the answer easily

  • Condition-pricing for External Service Management

    Dear Support,
    Please provide the detailed document for pricing for External Service Management, and the use of procedure MS0000 (Performance Procedure) & procedure MS0001 (Perf. Procedure f. Master Cond.).

    Hi,
    please read the following SAP notes:
    499722 
    25357
    27024
    691852 
    438718
    798798  
    353482
    Regards,
    Edit

  • Username and password for Sun Access Manager 7.1

    Hi
    Thank you for reading my post
    I got the new Java Application Platform SDK Update 2, which has Access Manager and portlet management inside it.
    Can you tell me what the username and password are for the Sun Access Manager 7.1 administration console?
    thanks

    with me it was amadmin : admin123
    in the readme file in the addons directory:
    Done! Access the AM server URL and see if the Access Manager is working or not -
    <amserver_protocol>://<amserver_host>:<amserver_port>/amserver
    user : 'amadmin', password : <admin password>
    in a config file i found the password was admin123

  • One custom security realm for many wl servers?

    Is it possible to use one custom security realm for many weblogic servers...ie
    one login for all application on different weblogic server.


  • SAN certificate for external access for edge server and reverse proxy

    Hello
    I have a question related to certificate planning for the Lync 2013 Edge Server.
    For external access and mobile users, I want to enable all the features for external users.
    I'm planning to purchase a SAN certificate.
    My first question: do I need only one SAN certificate for both my Edge Server and the reverse proxy?
    My second question is about the names that should be added to the certificate:
    sip.mydomain.com
    av.mydomain.com
    webconf.mydomain.com
    What else should I add? I want to add the names for all feature access.
    Kind Regards
    MK

    Your Front End Pool should only contain front end servers, does it also contain your edge and back end? If so, this is a misconfiguration.
    If you're planning to implement high availability, you'll want a different internal web services FQDN name than your pool name (unless you load balance the entire pool with a hardware load balancer).
    You'll want your external web services FQDN to be different from your pool name if you want to use the mobile client on the internal network. Once you've come up with a new and otherwise unused FQDN for this purpose, you'll want that as an additional SAN on your cert.
    Since you're not using this for the internal certificate, you can also pull admin.mydomain.com and LYNC2013-FE.mydomain.com off of the cert as those are needed internally only.
    Lyncdiscoverinternal you can leave on if you need your internal mobile clients to not throw certificate errors because they don't trust your internal certificate authority, but this name would then need to be pointed to a reverse proxy or something that can present the third party certificate.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

  • Does sun provide a training for sun access manager customizations

    Hi,
    Is there any training available from Sun for Sun Access Manager customizations?
    I am aware of the following training from Sun: AM-3480.
    TIA,
    Suresh

    Hi, Suresh,
    There's some material about customization in AM-3480. What areas are you interested in?
    Regards,.
    David

  • How to create db conn for JDBC-ODBC Bridge for MS Access in ADF APP?

    Sir,
    How to create db conn for JDBC-ODBC Bridge for MS Access in ADF APP?
    Regards

    Hello Every Body!
    I succeeded in connecting to the MS Access database in an ADF application in JDeveloper as below:
    First, in Control Panel go to Administrative Tools, then Data Sources (ODBC), and create a System DSN as in the picture below.
    Then in JDeveloper go to Resources, IDE Connections, Database, New Database Connection, select JDBC-ODBC Bridge and give a custom JDBC URL as in the picture below.
    Cheers
    tanvir

  • Do I have to configure realm policy in Access Manager for IDM SPML Request

    Hi all,
    I want to run an SPML request from my application to IDM, which is presently protected by an AM server. However, I get the following error when I run a search using SpmlClient:
    org.openspml.util.SpmlException: Unsupported response content type "text/html", must be: "text/xml".
    Do I have to set a policy in Sun Access Manager for the realm? Please help.
    Thanks,
    Aneesh.

    > I believe as long as you have access to the above two you can turn the CA off if you want.
    Enterprise CAs are not intended to be offline; therefore, you should not turn them off. If these root CAs issue certificates only to subordinate CAs, then you should consider implementing offline Standalone (not Enterprise) Root CAs.
    > I believe the location of the CRL is detailed in the CDP which is detailed on the Certs issued but a given CA, so the client can look in the Cert and see what it states about the CDP and thereby get the list of revoked certs.
    this is correct.
    > to place its CDP at a location other than the  default location in case it overwrites the existing CRL at the default location
    no, CDP locations should be defined in the post-installation script.
    > does the fully qualified X500 name of the CDP include the CA Name (and therefore be unique) and it will not over write the original
    yes, LDAP URL includes CA server's NetBIOS name to differentiate between CAs.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new:
    PowerShell FCIV tool.

  • Proper security realm for ecommerce user

    I would like to use J2EE security on our ecommerce site (isUserInRole, getUserPrincipal,
    web.xml declarative functionality to protect resources), but my problem is not
    knowing what security realm I should use to manage the users. The site has thousands
    of users and they need the ability to create an account, which will determine their
    "role" based on what membership fee they paid. After they have an account they
    can log in and have access to the sections of the site that are permitted to them based
    on role. All the examples I've seen about WebLogic security use LDAP or
    the internal RDBMS. How can I have WebLogic use our own database, or is there
    a best practice to accomplish the task I need? Any information would be helpful!!

    It sounds like you have many users in your database, but not that many roles
    & policies.
    Probably you can use the DefaultRoleMapper and DefaultAuthorizer for your
    roles & policies.
    You need a database based authentication provider. Check out the sample
    dbms authentication provider on the dev2dev center:
    http://dev2dev.bea.com/codelibrary/code/sec_rdbms.jsp
    -tm
    "fed " <[email protected]> wrote in message
    news:4010111d$[email protected]..
    >
    I would like to use j2ee security on our ecommerce site (isUserInRole,getUserPrincipal,
    web.xml declarative functionality to protect resources), but my problem isnot
    knowing what security realm to I use to manage the user. The site hasthousands
    of users and they need the ability to create an account which willdetermine their
    "role" based on what membership fee they paid. After they have an accountthey
    can login an have access to sections of the site that are permitted tothem based
    on role. All the examples I've seen about weblogic security is usingLDAPs or
    their internal RDMS. How can I have weblogic use our own database or isthere
    a best practice to accomplish the task I need? Any information would behelpful!!
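The dev2dev DBMS provider sample linked above is not reproduced here. As an added example (not from the thread or from BEA's sample), this is the core of such a provider written as a standard JAAS LoginModule in Java: it looks the member up in the application's own table with a bound parameter, verifies a salted PBKDF2 hash in constant time, spends the same hashing cost for unknown users so response time does not reveal whether an account exists, and turns the membership tier from the database into a principal a role mapper can act on. The table layout, the jdbcUrl option name and the MemberPrincipal class are assumptions. On WebLogic this module would still have to be wrapped as a custom authentication provider (MBean definition file plus provider class) and should emit WLSUserImpl/WLSGroupImpl principals so the DefaultRoleMapper can map the tier to a role; that wrapping is not shown.

```java
package example.auth;

import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.Principal;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/**
 * JAAS LoginModule that authenticates members against the site's own database
 * and adds the paid membership tier to the Subject as a principal.
 * Assumed (hypothetical) table: members(username, salt_b64, hash_b64, iterations, membership_role)
 * holding PBKDF2-HMAC-SHA256 password hashes, never clear-text passwords.
 */
public class MemberDbLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String jdbcUrl;   // "jdbcUrl" option from the JAAS configuration (assumed name)
    private String user, role;
    private boolean succeeded;

    /** Minimal principal used for both the user name and the membership role. */
    public static final class MemberPrincipal implements Principal {
        private final String name;
        public MemberPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.jdbcUrl = (String) options.get("jdbcUrl");
    }

    public boolean login() throws LoginException {
        NameCallback nc = new NameCallback("username: ");
        PasswordCallback pc = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { nc, pc });
        } catch (Exception e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] password = pc.getPassword();
        pc.clearPassword();
        if (password == null) throw new FailedLoginException("no password supplied");
        try (Connection c = DriverManager.getConnection(jdbcUrl);
             PreparedStatement ps = c.prepareStatement(   // bound parameter, no string concatenation
                 "SELECT salt_b64, hash_b64, iterations, membership_role FROM members WHERE username = ?")) {
            ps.setString(1, nc.getName());
            try (ResultSet rs = ps.executeQuery()) {
                if (!rs.next()) {
                    // Unknown user: spend the same PBKDF2 cost so timing does not reveal account existence
                    pbkdf2(password, new byte[16], 100_000);
                    throw new FailedLoginException("bad credentials");
                }
                byte[] stored = Base64.getDecoder().decode(rs.getString("hash_b64"));
                byte[] computed = pbkdf2(password,
                        Base64.getDecoder().decode(rs.getString("salt_b64")), rs.getInt("iterations"));
                if (!MessageDigest.isEqual(stored, computed)) {   // constant-time compare
                    throw new FailedLoginException("bad credentials");
                }
                user = nc.getName();
                role = rs.getString("membership_role");
            }
        } catch (SQLException e) {
            throw new LoginException("database error: " + e.getMessage());
        } finally {
            Arrays.fill(password, '\0');   // scrub the clear-text password
        }
        succeeded = true;
        return true;
    }

    public boolean commit() {
        if (!succeeded) return false;
        subject.getPrincipals().add(new MemberPrincipal(user));
        subject.getPrincipals().add(new MemberPrincipal(role));
        return true;
    }

    public boolean abort() { succeeded = false; user = role = null; return true; }

    public boolean logout() { subject.getPrincipals().clear(); succeeded = false; return true; }

    private static byte[] pbkdf2(char[] pw, byte[] salt, int iterations) throws LoginException {
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(new PBEKeySpec(pw, salt, iterations, 256)).getEncoded();
        } catch (GeneralSecurityException e) {
            throw new LoginException("hash failure: " + e.getMessage());
        }
    }
}
```

Account creation (the "sign up and pay a fee" path) writes a fresh random salt and the PBKDF2 hash into the same table; the iteration count is stored per row so it can be raised for new accounts without invalidating old ones.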

  • Sample Security realm for OpenLDAP and WLS7

    Hello,
    I would like to set up WLS 7 so it uses the Oracle implementation of OpenLDAP.
    I am looking for a Custom Security Provider for OpenLDAP for WLS 7. I cannot use
    the embedded LDAP as it does not allow me to programmatically create new users.
    If anyone has a sample implementation, please send it to me. I would really appreciate
    it.
    Thanks
    Gavin

    It is possible to create new users programmatically in the embedded LDAP. Here
    is an example:
    package test.jmx;

    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.AuthenticationException;
    import javax.naming.CommunicationException;
    import weblogic.jndi.Environment;
    import weblogic.management.*;
    import weblogic.management.security.authentication.*;
    import weblogic.security.providers.authentication.*;
    import javax.management.*;
    import weblogic.management.configuration.*;
    import weblogic.management.runtime.*;
    import java.util.*;

    /**
     * Creates a user in the WLS 7 embedded LDAP through the Administration
     * MBeans: look up the domain's SecurityConfiguration, take its default
     * realm, and call createUser on the DefaultAuthenticator MBean.
     */
    public class Test {
        public static void main(String[] args) {
            String url = "t3://localhost:7001"; // URL of the Administration server
            String username = "weblogic";       // admin credentials, hard-coded only for this demo
            String password = "weblogic";
            MBeanHome home = null;
            SecurityConfigurationMBean conBean;
            weblogic.management.security.RealmMBean realmBean;
            AuthenticationProviderMBean[] authBeans;
            DefaultAuthenticatorMBean defBean;
            try {
                // Authenticate to the admin server and obtain the MBeanHome
                Environment env = new Environment();
                env.setSecurityPrincipal(username);
                env.setSecurityCredentials(password);
                env.setProviderUrl(url);
                Context ctx = env.getInitialContext();
                home = (MBeanHome) ctx.lookup(MBeanHome.ADMIN_JNDI_NAME);
                System.out.println("Got the MBeanHome: " + home);

                // SecurityConfiguration MBean of the domain (replace "mydomain" with yours)
                WebLogicObjectName objName = new WebLogicObjectName(
                        "mydomain:Name=mydomain,Type=SecurityConfiguration");
                conBean = (SecurityConfigurationMBean) home.getMBean(objName);
                System.out.println("Security configuration MBean: " + conBean);

                realmBean = conBean.findDefaultRealm();
                System.out.println("Got the default realm: " + realmBean);

                // Assumes the first provider is the DefaultAuthenticator; in a realm with
                // several providers, check the type of each element instead of casting [0]
                authBeans = realmBean.getAuthenticationProviders();
                defBean = (DefaultAuthenticatorMBean) authBeans[0];
                defBean.createUser("test", "weblogic", "just a test of wls70 security");
                System.out.println("created successfully!");
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }
    "Gavin" <[email protected]> wrote in message
    news:[email protected]...
    >
    Hello,
    I would like to set up WLS 7 so it uses the Oracle implementation ofOpenLDAP.
    I am looking for a Custom Security Provider for OpenLDAP for WLS7. I cannot use
    the embedded LDAP as it does not allow me to programatically create newusers.
    >
    If anyone has a sample implementation, please send it to me. I wouldreally appreciate
    it.
    Thanks
    Gavin

  • Setting up Access Manager and Directory Server for Failover.

    I'm setting up 2 Access Managers AM1,AM2 and 2 Directory Servers DS1 and DS2 for failover. I've connected AM1 and AM2 to DS1. Suffixes of DS1 is replicated to DS2. Any change made to AM1 is replicated to AM2 as expected. I just patched AM1 with Access Manager patch 1 and the version information for AM1 shows 7.1 126359-01. I followed the same procedure to patch AM2 but AM2 still shows ver 7.1.
    How do I make sure both Access Managers are patched to the same version?
    I'm able to authenticate to one IIS 6 site and the authentication is passed on to Outlook Web Access via AM1, but when I shut down AM1 to test failover to AM2, OWA prompts me again for a password. How do I resolve this?
    On AM1 http://host.domain/amserver/UI/Login?realm=sso successfully logs in but the same on AM2 gives Warning that "You have already logged in. Do you want to log out and then login to a different organization?"
    Please help !!!

    I'll answer what bits I can:
    Q: AM showing the same version?
    A: No idea on this one. I would have expected the operation you described to have produced the right answer. Check that neither your application server nor your web browser are caching old pages (ctrl-F5 in my browser)
    Q: How do I resolve re-authentication on failover?
    A: The AM documentation includes a deployment example that covers pretty closely what it is you are trying to achieve:
    http://docs.sun.com/app/docs/doc/820-2278
    Specifically, the problem you are describing is related to session failover. The sessions are stored in a local DB so when you failover the backup server does not store the same information and hence requires a reauthentication. The section of the above doc that deals with this is here:
    http://docs.sun.com/app/docs/doc/820-2278/gdsre?l=en&a=view
    Q: "You have already logged in" warning
    A: No idea. Sorry.
    R

  • WLC as a Mobility Anchor for guest access - Management on DMZ or not DMZ

    When using Guest Access, Cisco recommends that a Mobility Anchor Controller be placed on a DMZ and the guest access wireless LAN be tunneled to this controller. This means that 2 DMZ subnetworks are required: one for the management interface and one for the wireless LAN's dynamic interface itself.
    I am trying to see if there are any disadvantages/security risks in using 2 physical ports on the controller (no LAG) and placing one on the corporate network inside the firewall for management and to terminate the mobility anchor tunnel, and one outside the firewall on a DMZ for the wireless LAN's dynamic interface.
    The advantages I see are that no tunnels need to go through a firewall, and management of the WLC is kept completely inside the corporate network, protected by the firewall and not left on the DMZ.
    Thanks.

    OK, so to recap:
    - place the 2nd WLC in the DMZ with only 1 port (set for dynamic AP management)?
    - then anchor the guest SSID (on its DMZ IP instead of the management IP as is now)
    And to make that kind of anchoring work, I have to open the ports below on the firewall, right?
    UDP port 16666 for inter-WLC communication, and IP protocol ID 97 (Ethernet in IP) for client traffic.
    and:
    • TCP 161 and 162 for SNMP
    • UDP 69 for TFTP
    • TCP 80 or 443 for HTTP or HTTPS for GUI access
    • TCP 23 or 22 for Telnet or SSH for CLI access
    Thanks for confirming that
