Configuring Access Manager as Service Provider

Similar Messages

• Can not configure Access Manager

  Hi all,
  1. I istalled Sun java messaging server 6.
  2. I edit amsamplesilent to prepare amsamplesilent.my:
  # cd /opt/SUNWam/bin
  #mv amsamplesilent amsamplesilent.my
  3. I configure Access Manager:
  #./amconfig -s amsamplesilent.my but get the following error:
  # ./amconfig amsamplesilent.my
  Usage: amconfig -s <silentinputfile>
  ./amconfig: Sourcing ./amutils
  ln: cannot create /opt/SUNWam/lib/jaxrpc-spi.jar: File exists
  chown: jaxrpc-spi.jar: No such file or directory
  full install
  ./amdsconfig: Sourcing ./amutils
  LD_LIBRARY_PATH is --- /usr/lib/mps/secv1:/usr/lib/mps/secv1:/usr/lib/mps/secv1:/opt/SUNWam/lib:/opt/SUNWam/ldaplib/ldapsdk
  CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss3.jar:/opt/SUNWam/lib/am_sdk.jar
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  sleep 3
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  sleep 4
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  sleep 5
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  sleep 6
  ERROR : Loading of Access Manager schema into the Directory failed
  Starting the tag swapping of the install.ldif and installExisting.ldif
  ROOT_SUFFIX is dc=iplanet,dc=com
  People_NM_ROOT_SUFFIX is People_dc=iplanet_dc=com
  SERVER_HOST sample.red.iplanet.com
  DIRECTORY_SERVER sample.red.iplanet.com
  DIRECTORY_PORT 389
  USER_NAMING_ATTR uid
  ORG_NAMING_ATTR o
  CONSOLE_DEPLOY_URI /amconsole
  ORG_OBJECT_CLASS sunismanagedorganization
  RS_RDN iplanet
  USER_OBJECT_CLASS inetorgperson
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  sleep 3
  ERROR : Configuring/Loading of the default DIT in the Directory Server failed
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  sleep 3
  Warning : Plugins and Indexes already exist.
  ./amsvcconfig: Sourcing ./amutils
  LD_LIBRARY_PATH is --- /usr/lib/mps/secv1:/usr/lib/mps/secv1:/usr/lib/mps/secv1:/opt/SUNWam/lib:/opt/SUNWam/ldaplib/ldapsdk
  CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss3.jar:/opt/SUNWam/lib/am_sdk.jar
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  Loading service schema XML files ...
  Info 112: Entering ldapAuthenticate method!
  Error 15: Cannot authenticate user.
  LDAP authentication failed.
  Error 9: Operation failed: Error 15: Cannot authenticate user.
  Error occured while loading: /etc/opt/SUNWam/config/ums/ums.xml
  ./amws61config: Sourcing ./amutils
  /opt/SUNWam/console.war: No such file or directory
  current web app is applications
  copying files from sunwamconsdk
  Swapping tag swap in index.html files ...
  Making amconsole.war
  Successfully done making warfile ...
  Deploying from /opt/SUNWam/web-src/applications (/opt/SUNWam/amconsole.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/applications for /amconsole
  wdeploy deploy -u /amconsole -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/applications /opt/SUNWam/amconsole.war
  [wdeploy] The war file name is /opt/SUNWam/amconsole.war
  [wdeploy] Fatal error in parsing XML file ..Premature end of file.
  [wdeploy] (-1, -1) in file null
  [wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
  Failed deploying /amconsole
  /opt/SUNWam/services.war: No such file or directory
  current web app is services
  Swapping tag swap in index.html files ...
  Making amserver.war
  Successfully done making warfile ...
  Deploying from /opt/SUNWam/web-src/services (/opt/SUNWam/amserver.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/services for /amserver
  wdeploy deploy -u /amserver -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/services /opt/SUNWam/amserver.war
  [wdeploy] The war file name is /opt/SUNWam/amserver.war
  [wdeploy] Fatal error in parsing XML file ..Premature end of file.
  [wdeploy] (-1, -1) in file null
  [wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
  Failed deploying /amserver
  /opt/SUNWam/password.war: No such file or directory
  current web app is password
  Swapping tag swap in index.html files ...
  Making ampassword.war
  Successfully done making warfile ...
  Deploying from /opt/SUNWam/web-src/password (/opt/SUNWam/ampassword.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/password for /ampassword
  wdeploy deploy -u /ampassword -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/password /opt/SUNWam/ampassword.war
  [wdeploy] The war file name is /opt/SUNWam/ampassword.war
  [wdeploy] Fatal error in parsing XML file ..Premature end of file.
  [wdeploy] (-1, -1) in file null
  [wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
  Failed deploying /ampassword
  /opt/SUNWam/introduction.war: No such file or directory
  current web app is common
  Swapping tag swap in index.html files ...
  Making amcommon.war
  Successfully done making warfile ...
  Deploying from /opt/SUNWam/web-src/common (/opt/SUNWam/amcommon.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/common for /amcommon
  wdeploy deploy -u /amcommon -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/common /opt/SUNWam/amcommon.war
  [wdeploy] The war file name is /opt/SUNWam/amcommon.war
  [wdeploy] Fatal error in parsing XML file ..Premature end of file.
  [wdeploy] (-1, -1) in file null
  [wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
  Failed deploying /amcommon
  Checking if Web Server is already configed with Access Manager
  Configuring Web Server
  Mime type: 'type=text/vnd.wap.wml' already exists: Skipping ....
  Mime type: 'type=image/vnd.wap.wbmp' already exists: Skipping ....
  I tried again but I still get this error.
  Any Ideas for this problem?
  Thanks.

  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  i would consider this a fatal error.
  The system cannot locate where your Directory Server is. "no route to host" means that it's trying to get to the host, but your networking isn't set up correctly, and it doesn't find any route to get to the specified host.

• How do I configure Access Manager?

  I don't have idea how to configure Access Manager, I installed ans configure Directory and Web Server and working well, but I need to configure access Manager, there is a script called " amsamplesilent " it has some variables that i dont understand very well, how do I do to configure?
  Plz help me.

  So you used "configure later" option while installing Access Manager - correct?
  amsamplesilent is not a script - it's an input file for the command "amconfig"
  copy this file and adjust it to your settings (which variables haven't you understood?)
  run amconfig -f <your_sample_install_file>
  -Bernhard

• I don't Configuring Access Manager in SSL Mode

  i only install am7.1 and ws7.0 in windows2003 pack 1.
  then, i read "Sun Java SystemAccess Manager 7.1 Postinstallation Guide" .
  it said that "Login to theWeb Server console.The default port is 8888." but i can't find the default port .
  i think my web server console's default port is 8989.

  Hi,
  As a part of my requirement, I need to Configure Access Manager in SSL Mode. For that, I followed all the steps(Change http to https in web server instance in Access Manager, Install Certificate, Modify AMConfig.properties) mentioned in the PostInstallation Guide of Sun Access Manager to configure the SSL using Selfsigned certificate. so, after doing all these steps, as soon as the hit the Access Manager URL httsp://machinename:portno/amserver/UI/Login, it shows "page cannot be displayed" error. I have checked the web server with SSL enabled in it and its running fine.
  On one of forum post, I read that you need to set this property to true "com.sun.am.jssproxy.trustAllServerCerts" if you are not installing the ROOTCA certificate however this is not listed in the AM documentation.
  Any help on this would be highly appreciated. Let me know if am missing any steps.

• After installing and configuring Workflow Manager and Service Bus, I'm getting 403.

  I've spent the day installing SharePoint 2013 on a Windows Server 2012 environment. This server is not the domain controller. Following instructions on how to install and configure Workflow Manager and service bus, it appears although I'm following the instructions
  (and I get no errors), something is not working.
  If I try to go to the website that it creates in IIS
  http://localhost:12291 I get a 403 error. Also if I perform the powershell query to get the port number "Get-WFFarm | ft WFMgmtHttpPort" I don't get any value returned to me.
  Until I validate that the Workflow Manager is installed and working, I will not attempt to pair it to the SharePoint 2013 farm. Which hopefully makes this a Workflow Manager question not a SharePoint issue.
  Can anyone offer any suggestions please? Should I even get a valid webpage if I hit localhost:12291? According to one walkthrough I've looked at I should get an XML display of workflow and security configurations.

  I experienced the same two issues mentioned in this thread today.
  Regarding  the proper XML not appearing at <workflowhost>:12291 I was experiencing the same with an error message in Chrome saying the caller lacked read permissions, and 403 in IE. I had checked IIS, database permissions and connections and more.
  All of the setup messages and status checks were a-okay. I voted Zimo's comment as helpful because it cued me in to examine the service in Central Administration - where I found there was no administrator assigned to the workflow service. As soon as that was
  done, the workflow host site was brows-able.
  The resolution to SharePoint Designer not offering 2013 workflows as an option was in my case that there was an additional WFE on which I had not installed the Workflow Manager
  Client. This is noted with a bright yellow box in the section about configuring workflow with HTTP here:
  http://technet.microsoft.com/en-us/library/jj658588(v=office.15)
  If puzzles are good for your BRAIN then SharePoint will keep it really healthy!
  Ramona Maxwell MCPD
  SharePoint 2010, MCITP
  SQL Server 2008

• Case Management ECC Service Provider

  Hi.
  In Case mangement for ECC 6.0
  In the Customizing for template, I do what says help SAP
  http://help.sap.com/saphelp_erp2005/helpdata/en/a5/7ad6e3343a6947a90527b550efdebb/content.htm
  With the attribute TEMPLATE_PROFILE, but when I go to the event and selecting Create with Template not send me the following message "No templates available". I don´t understand that.
  I create the profile. SPRO &#61664; Cross-Application Components &#61664; General Application Functions &#61664; Records and Case Management &#61664; Document &#61664; Manage Document Templates
  I have assigned the document SRM_DOC04 DD1D79A8B943E4F1B257001A6458C5AA.
  The assigned is:
  Key = 1
  Profile = ZPROFILE
  Document ID = SRM_DOC04 DD1D79A8B943E4F1B257001A6458C5AA
  Descr = Document
  And.
  TEMPLATE_PROFILE in the Service Provider is ZPROFILE.
  Someboy know, What I can do.
  Help me. Please!
  Thanks.

  hi alfredo
  you just create an action profile and within the action profile you give your processing type as smartforms
  your path in IMG will be like:
  SPRO--->CRM->BASIC FUNCTIONS--> ACTIONS---> ACTIONS IN TRANSACTIONS
  and within the smart form description you can mention your class ,the smartform you have created etc.
  after you are done with the action profile you attach this action profile to the transaction you are working on
  also in the action condtion you give the condition as open
  as you have requirement that when case is open the smartform is escecuted,likewise you can schedule your conditoon and therein it can be
  BUSINESSOBJECT.USERSTATUS  = E0001
  its just an example  with which you can give the condition
  hopes it solves your probs
  best regards
  ashish

• Configure SAP ABAP as service provider using SAML holder-of-key

  Hi
  We are trying to configure "SAML Holder of key" between Microsoft (as
  a service consumer) and SAP ABAP (as service provider).
  The service provider/SAP ABAP is release 7.11 and we need to configure this component.
  We have found SAP note 1254821 and are trying to follow the instructions for
  the "SAML Holder of key" scenario:
  However there is one step that we do not understand: step 5 "The private key to decrypt the
  encrypted....at the provider system must be a WS Security Identity in transaction TRUST"
  Anyone who can elaborate of the meaning of this step and describe a procedure for what
  exactly to do?
  BR
  Tom Bo

  Hi,
  a service provider needs to check two things when processing message. The first thing is that SAML assertion was issued by STS by checking signature of SAML assertion. The SAML assertion is signed by STS (step 4 in OSS note). The second thing is to verify that sender knows key from SubjectConfirmation element (that's why it is called holder of key). One way is to encrypt and sign SOAP message using symmetric key. There is also option to use asymmetric key. The key is encrypted by STS using the public key of service provider. Therefore the private key must be imported in service provider system (step 5 from OSS note). More info can be found [here|http://help.sap.com/saphelp_nw73/helpdata/en/e5/9f9913fc9c418db98c8693b2bbdb7c/frameset.htm].
  Cheers

• Managed IT Services Provider

  I assume you're part of an MSP already and looking to buy out/bring in a new company to expand?  Take a good look at their books, see if there is anything to worry about in there.  Are they making money or loosing money?  What services are the most lucrative, which ones are loosing money?  Which clients are their VIPs?  What procedures are in place for the clients?

  In general, and open for discussion, I'd like to discuss the viability of purchasing a Managed IT Services company.
  The company is still in it's infant stage, but is generating about $35k in recurring revenue (Managed Services), and Project revenue of about $10k. For a total of about $45k per yr.
  The owner has fallen ill and cannot continue to operate the business.
  What are your thoughts about taking on this business? Especially, since the revenue is primarily from managed services.
  Speaking with the clients, they speak very highly of the service they've received thus far.
  Enjoy,
  This topic first appeared in the Spiceworks Community

• How can you manage ssl service provider service in PI 7.1?

  Hello there..
  I am trying to find a place in Netweaver admin tool so that I can add CA certificate into the SSL provider service Trusted Certification Authorities list. I use to be able to do that in Visual Admin tool -> dispatcher node -> Services -> SSL Provider -> Runtime tab -> Client Authentication, but now I cannot find anywhere in the NetWeaver Admin tool.
  Thanks.
  Jerry.

  Hi Jerry,
  Once you login to the NWA, follow this path
  Configuration Management -> Security -> Certificate and keys ->
  You need to import the client certificate under ICM_SSL_xxx and you can find SSL_Provider if you scroll completly down. You need to import the private key of the client certificate under ICM_SSL_xxx.
  You have even Trusted CA's under this list. Please let me know if you have any problems.
  Thanks,
  Srini
  Edited by: srinivas kapu on Dec 18, 2008 9:58 PM

• Category for COREid Identity/Access Management & Web Services - Please!

  The COREid products do not fit into any of the existing categories - we need an IDM, Access & Provisioning category.

  I believe she is looking for a category in these forums that deals strictly with the COREid Identity and Access product. This would include COREid provisioning. I would see COREid Federation and Oracle Web Services Manager having thier own categories. Obviously we are previous Oblix partners who were accustomed to these products having thier own sections in a forum. Is this planned? Is this already in place and we just aren't looking hard enough?
  Thanks,
  Ryan Squires

• Issue while configuring cache management -/osb/service/ResultCache

  Hello, I am trying to configure cache data management through OEM console of 12.1.0.2 version . While executing a coherance select query, I am getting below error message
  "Error occurs while executing the "view" operation. CacheDataManager custom MBean is not registered with the Oracle Coherence JMX Server during startup. The custom MBean is available with the coherenceEMIntg.jar."
  I have even included these jar files in my coherance server startup parameters ..
  <>/agent12c/plugins/oracle.sysman.emas.agent.plugin_12.1.0.3.0/archives/coherence/coherenceEMIntg.jar:
  <>/plugins/oracle.sysman.emas.agent.plugin_12.1.0.3.0/archives/coherence/bulkoperationsmbean.jar
  could someone pls help on this.

  Hi
  To configure the SCAN , this SCAN IP should be resolve through DNS or /etc/hosts file .Please follow the below link to configure the DNS.
  If you face any problem , then please let me know .
  shivenracdba: configure DNS for Installtion of Oracle Grid Infrastructure RAC cluster
  warm regards
  Shivendra Narain Nirala

• Error while accessing Access Manager

  Hi All,
  I am getting the following error after configuring access manager and restarting the web server.
  [25/May/2006:18:14:16] info ( 1724): CORE1116: Sun Java System Web Server 6.1SP5 B01/15/2006 23:04
  [25/May/2006:18:14:30] info ( 1724): HTTP3072: [LS ls1] http://GDYESSER33609.wipro.com:13004 ready to accept requests
  [25/May/2006:18:14:30] info ( 1724): CORE3274: successful server startup
  [25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr: Exception in thread "amStats" java.lang.ExceptionInInitializerError
  [25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr:      at com.sun.identity.authentication.service.AuthStatsListener.printStats(AuthStatsListener.java:56)
  [25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr:      at com.iplanet.am.util.StatsRunner.run(StatsRunner.java:91)
  [25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr: Caused by: java.lang.NullPointerException
  [25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr:      at com.iplanet.services.cdm.ClientsManager.getDefaultInstance(ClientsManager.java:108)
  [25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr:      at com.sun.identity.authentication.service.AuthUtils.<clinit>(AuthUtils.java:199)
  I have configured and restarted the web server, when i try to access the access manager I get the above error. Someone please respond at the earliest.
  Thanks.

  Hi Tanya,
  Thank you for posting in Windows Server Forum.
  From which device you are trying to access RemoteApp program?
  For getting any remote session or accessing RemoteApp the user must be added under “Remote Desktop Users” local group. So please under user under that group and verify. 
  Also add the user under System>Remote Settings>Remote Tab>Allow remote connection to this computer and add the user under that. Now after performing this above steps verify whether user can login remotely.
  Hope it helps!
  Thanks.
  Dharmesh Solanki
  TechNet Community Support
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

• Load Balancing Directory Servers with Access Manager - Simple questions

  Hi.
  We are in the process of configuring 2 Access Manager instances (servers) accessing the same logical LDAP repository (comprising physically of two Directory Servers working together with Multi-Master Replication configured and tested) For doing this, we are following guide number 819-6258.
  The guide uses BigIP load balancer for load balancing the directory servers. However, we intend to use Directory Proxy Server. Since we faced some (unresolved) issues last time that we used DPS, there are some simple questions that I would be very grateful to have answers to:
  1. The guide, in section 3.2.10 (To configure Access Manager 1 with the Directory Server load balancer), talks about making changes at 4 places, and replacing the existing entry (hostname and port) with the load balancer's hostname and port (assuming that the load balancer has already been configured). It says that changes need not be made on Access Manager 2 since the LDAPs are in replication, and hence changes will be replicated at all places. However, the guide also states that changes have to be made in two files, namely AMConfig.properties, and the serverconfig.xml file. But these changes will not be reflected on Access Manager 2, since these files are local on each machine.
  Question 1. Do changes have to be made in AMConfig.properties and serverconfig.xml files on the other machine hosting Access Manager 2?
  Question 2: What is the purpose of putting these values here? Specifically, what is achieved by specifying the Directory server host and port in AMConfig.properties, as well as in serverconfig.xml?
  Question 3. In the HTTP console, there is the option of specifying multiple primary LDAP servers, as well as multiple secondary LDAP servers. What is the purpose of these? Are secondary servers attempted when none of the list in the primary list are accessible? Also, if there are multiple entries in the primary server list, are they accessed in a round robin fashion (hereby providing rudimentary load balancing), or are other servers accessed only when the one mentioned first is not reachable etc.?
  2. Since I do not have a load balancer setup yet, I tried the following deviation to the above, which, according to me, should have worked. If viewed in the HTTP console, LDAP / Membership / MSISDN and Policy configuration all pointed to the DS on host 1. When I changed all these to point to the directory server on host 2 (and made AMConfig.properties and serverconfig.xml on host 1 point to DS of host 2 as well), things should have worked fine, but apparently Access manager 1 could not be started. Error from Webserver:
  [14/Aug/2006:04:30:36] info (13937): WEB0100: Loading web module in virtual server [https-machine_1_FQDN] at [search]
  [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Exception in thread "EventService" java.lang.ExceptionInInitializerError
  [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.iplanet.services.ldap.event.EventServicePolling.run(EventServicePolling.java:132)
  [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at java.lang.Thread.run(Thread.java:595)
  [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Caused by: java.lang.InterruptedException
  [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.sun.identity.sm.ServiceManager.<clinit>(ServiceManager.java:74)
  [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: ... 2 more
  In effect, AM on 1 did not start. On rolling back the changes, things again worked like previously.
  Will be really grateful for any help / insight / experience on dealing with the above.
  Thanks!

  Update to the above, incase anyone is reading:
  We setup a similar setup in Windows, and it worked. Here is a detailed account of what was done:
  1. Host 1: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
  All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST1:389)
  2. Host 2: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
  All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST2:389)
  3. Host 1: Started replication. Set to Master
  4. Host 2: Started replication. Set to Master
  5. Host 1: Setup replication agreement to Host 2
  6. Host 2: Setup replication agreement to Host 1
  7. Initiated the remote replica from Host 1 ----> Host 2
  Note that since default installation uses abc.....xyz as the encryption key, setting this to same was not an issue.
  9. Started webserver for Host 1 and logged into AM as amadmin.
  10. Added Host 2 FQDN in DNS Aliases / Realms
  11. Added http://HOST2_FQDN:80 in the Platform server (instance) list.
  12. Started Host 2 webserver. Logged in AM on Host 2, things worked fine.
  At this stage, note the following:
  a) Host 1:
  AMConfig.properties file has
  com.iplanet.am.directory.host=host1_FQDN
  and
  com.iplanet.am.directory.port=389
  serverconfig.xml has:
  <Server name="Server1" host="host1_FQDN" port="389" type="SIMPLE" />
  b) Host 2:
  AMConfig.properties file has
  com.iplanet.am.directory.host=host2_FQDN
  and
  com.iplanet.am.directory.port=389
  serverconfig.xml has:
  <Server name="Server1" host="host2_FQDN" port="389" type="SIMPLE" />
  c) If one logs into AM, and checks LDAP servers for LDAP / Policy Configuration / Membership etc services, they all contain Host2_FQDN:389 (which makes sense, since replica 2 was initialized from 1)
  Returning back to the configuations:
  13. On Host 1, login into the Admin server console of the Directory server. Navigate to the DPS, and confgure the following:
  a) Network Group
  b) LDAP servers
  c) Load Balancing
  d) Change Group
  e) Action on-bind
  f) Allow all actions (permit modification / deletion etc.).
  g) any other configuations required - Am willing to give detailed steps if someone needs them to help me / themselves! :)
  So now, we have DPS configured and running on Host1:489, and distributing load to DS1 and DS2 on a 50:50 basis.
  14. Now, log into AM on Host 1, and instead of Host1_fqdn:389 (for DS) in the following places, specify Host1_fqdn:489 (for the DPS)--
  LDAP Authentication
  MSISDN server
  Membership Service
  Policy configuation.
  Verified that this propagated to the Policy Configuration service and the LDAP authentication service that are already registered with the default organization.
  15. Log out of AM. Following the documentation, modify directory.host and directory.port in AMConfig.properties to point to Host 1_FQDN and 489 respectively. Make this change in AMConfig.properties of both Host 1 as well as 2.
  16. Edit serverconfig.xml on both hosts, and instead of they pointing to their local directory servers, point both to host1_FQDN:489
  17. When you start the webserver, it will refuse to start. Will spew errors such as:
  [https-host1_FQDN]: Sun ONE Web Server 6.1SP5 B06/23/2005 17:36
  [https-host1_FQDN]: info: CORE3016: daemon is running as super-user
  [https-host1_FQDN]: info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_04] from [Sun Microsystems Inc.]
  [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amserver]
  [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
  [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [ampassword]
  [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
  [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amcommon]
  [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amconsole]
  [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
  [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [search]
  [https-host1_FQDN]: warning: CORE3283: stderr: netscape.ldap.LDAPException: error result (32); matchedDN = dc=sun,dc=com; No such object (DN changed)
  [https-host1_FQDN]: warning: CORE3283: stderr: Got LDAPServiceException code=-1
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getConnection(DSConfigMgr.java:357)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewFailoverConnection(DSConfigMgr.java:314)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewConnection(DSConfigMgr.java:253)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:184)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:194)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.initLdapPool(DataLayer.java:1248)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.(DataLayer.java:190)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:215)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:246)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.initialize(SMSLdapObject.java:156)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.(SMSLdapObject.java:124)
  [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
  [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
  [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
  [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
  [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance0(Class.java:350)
  [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance(Class.java:303)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.SMSEntry.(SMSEntry.java:216)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ServiceSchemaManager.(ServiceSchemaManager.java:67)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.getServiceSchemaManager(AMClientDetector.java:219)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.(AMClientDetector.java:94)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.mobile.filter.AMLController.init(AMLController.java:85)
  [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
  [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:322)
  [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:120)
  [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3271)
  [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3747)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
  [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
  [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
  [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
  [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
  [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
  [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
  [https-host1_FQDN]: failure: WebModule[amserver]: WEB2783: Servlet /amserver threw load() exception
  [https-host1_FQDN]: javax.servlet.ServletException: WEB2778: Servlet.init() for servlet LoginLogoutMapping threw exception
  [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:949)
  [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
  [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
  [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
  [https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
  [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
  [https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
  [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
  [https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
  [https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
  [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
  [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
  [https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
  [https-host1_FQDN]: ----- Root Cause -----
  [https-host1_FQDN]: java.lang.NullPointerException
  [https-host1_FQDN]: at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
  [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
  [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
  [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
  [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
  [https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
  [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
  [https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
  [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
  [https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
  [https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
  [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
  [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
  [https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
  [https-host1_FQDN]:
  [https-host1_FQDN]: info: HTTP3072: [LS ls1] http://host1_FQDN:58080 [i]ready to accept requests
  [https-host1_FQDN]: startup: server started successfully
  Success!
  The server https-host1_FQDN has started up.
  The server infact, didn't start up (nothing even listening on 58080).
  However, if AMConfig.properties is left as it originally was, and only serverconfig.xml files were changed as mentioned above, web servers started fine, and things worked all okay. (Alright, except for some glitches when viewed in /amconsole. If /amserver/console is accessed, all is good. Can this mean that all is still not well? I am not sure).
  So far so good. Now comes the sad part. When the same is done on Solaris 9, things dont work. You continue to get the above error, OR the following error, and the web server will refuse to start:
  Differences in Solaris and Windows are as follows:
  1. Windows hosts have 1 IP and hostname. Solaris hosts have 3 IPs and hostnames (for DS, DPS, and webserver).
  No other difference from an architectural perspective.
  Any help / insight on why the above is not working (and why the hell does the documentation seem so sketchy / insecure / incorrect).
  Thanks a bunch!

• Too  Slow - Domino 6.5.4  with access manager agent 2.2 ?

  I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
  I think AMAgent.properties is not good for SSO.
  Please help me to tune it.
  # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
  # Copyright ? 2002 Sun Microsystems, Inc. All rights reserved.
  # U.S. Government Rights - Commercial software. Government users are
  # subject to the Sun Microsystems, Inc. standard license agreement and
  # applicable provisions of the FAR and its supplements. Use is subject to
  # license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
  # trademarks or registered trademarks of Sun Microsystems, Inc. in the
  # U.S. and other countries.
  # Copyright ? 2002 Sun Microsystems, Inc. Tous droits r&#38303;erv&#38303;.
  # Droits du gouvernement am&#38302;icain, utlisateurs gouvernmentaux - logiciel
  # commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
  # licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
  # vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl&#38297;ents
  # ? celles-ci.
  # Distribu? par des licences qui en restreignent l'utilisation. Sun, Sun
  # Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
  # marques d&#38300;os&#38289;s de Sun Microsystems, Inc. aux Etats-Unis et dans
  # d'autres pays.
  # The syntax of this file is that of a standard Java properties file,
  # see the documentation for the java.util.Properties.load method for a
  # complete description. (CAVEAT: The SDK in the parser does not currently
  # support any backslash escapes except for wrapping long lines.)
  # All property names in this file are case-sensitive.
  # NOTE: The value of a property that is specified multiple times is not
  # defined.
  # WARNING: The contents of this file are classified as an UNSTABLE
  # interface by Sun Microsystems, Inc. As such, they are subject to
  # significant, incompatible changes in any future release of the
  # software.
  # The name of the cookie passed between the Access Manager
  # and the SDK.
  # WARNING: Changing this property without making the corresponding change
  # to the Access Manager will disable the SDK.
  com.sun.am.cookie.name = iPlanetDirectoryPro
  # The URL for the Access Manager Naming service.
  com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
  # The URL of the login page on the Access Manager.
  com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
  # Name of the file to use for logging messages.
  com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
  # This property is used for Log Rotation. The value of the property specifies
  # whether the agent deployed on the server supports the feature of not. If set
  # to false all log messages are written to the same file.
  com.sun.am.policy.agents.config.local.log.rotate = true
  # Name of the Access Manager log file to use for logging messages to
  # Access Manager.
  # Just the name of the file is needed. The directory of the file
  # is determined by settings configured on the Access Manager.
  com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
  # Set the logging level for the specified logging categories.
  # The format of the values is
  #     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
  # The currently used module names are: AuthService, NamingService,
  # PolicyService, SessionService, PolicyEngine, ServiceEngine,
  # Notification, PolicyAgent, RemoteLog and all.
  # The all module can be used to set the logging level for all currently
  # none logging modules. This will also establish the default level for
  # all subsequently created modules.
  # The meaning of the 'Level' value is described below:
  #     0     Disable logging from specified module*
  #     1     Log error messages
  #     2     Log warning and error messages
  #     3     Log info, warning, and error messages
  #     4     Log debug, info, warning, and error messages
  #     5     Like level 4, but with even more debugging messages
  # 128     log url access to log file on AM server.
  # 256     log url access to log file on local machine.
  # If level is omitted, then the logging module will be created with
  # the default logging level, which is the logging level associated with
  # the 'all' module.
  # for level of 128 and 256, you must also specify a logAccessType.
  # *Even if the level is set to zero, some messages may be produced for
  # a module if they are logged with the special level value of 'always'.
  com.sun.am.log.level =
  # The org, username and password for Agent to login to AM.
  com.sun.am.policy.am.username = UrlAccessAgent
  com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
  # Name of the directory containing the certificate databases for SSL.
  com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
  # Set this property if the certificate databases in the directory specified
  # by the previous property have a prefix.
  com.sun.am.certdb.prefix =
  # Should agent trust all server certificates when Access Manager
  # is running SSL?
  # Possible values are true or false.
  com.sun.am.trust_server_certs = true
  # Should the policy SDK use the Access Manager notification
  # mechanism to maintain the consistency of its internal cache? If the value
  # is false, then a polling mechanism is used to maintain cache consistency.
  # Possible values are true or false.
  com.sun.am.notification.enable = true
  # URL to which notification messages should be sent if notification is
  # enabled, see previous property.
  com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
  # This property determines whether URL string case sensitivity is
  # obeyed during policy evaluation
  com.sun.am.policy.am.url_comparison.case_ignore = true
  # This property determines the amount of time (in minutes) an entry
  # remains valid after it has been added to the cache. The default
  # value for this property is 3 minutes.
  com.sun.am.policy.am.polling.interval=3
  # This property allows the user to configure the User Id parameter passed
  # by the session information from the access manager. The value of User
  # Id will be used by the agent to set the value of REMOTE_USER server
  # variable. By default this parameter is set to "UserToken"
  com.sun.am.policy.am.userid.param=UserToken
  # Profile attributes fetch mode
  # String attribute mode to specify if additional user profile attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user profile attributes will be introduced.
  # HTTP_HEADER - additional user profile attributes will be introduced into
  # HTTP header.
  # HTTP_COOKIE - additional user profile attributes will be introduced through
  # cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
  # The user profile attributes to be added to the HTTP header. The
  # specification is of the format ldap_attribute_name|http_header_name[,...].
  # ldap_attribute_name is the attribute in data store to be fetched and
  # http_header_name is the name of the header to which the value needs
  # to be assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-
  number,c|country
  # Session attributes mode
  # String attribute mode to specify if additional user session attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user session attributes will be introduced.
  # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
  # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
  # The session attributes to be added to the HTTP header. The specification is
  # of the format session_attribute_name|http_header_name[,...].
  # session_attribute_name is the attribute in session to be fetched and
  # http_header_name is the name of the header to which the value needs to be
  # assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.session.attribute.map=
  # Response Attribute Fetch Mode
  # String attribute mode to specify if additional user response attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user response attributes will be introduced.
  # HTTP_HEADER - additional user response attributes will be introduced into
  # HTTP header.
  # HTTP_COOKIE - additional user response attributes will be introduced through
  # cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
  # The response attributes to be added to the HTTP header. The specification is
  # of the format response_attribute_name|http_header_name[,...].
  # response_attribute_name is the attribute in policy response to be fetched and
  # http_header_name is the name of the header to which the value needs to be
  # assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.response.attribute.map=
  # The cookie name used in iAS for sticky load balancing
  com.sun.am.policy.am.lb.cookie.name = GX_jst
  # indicate where a load balancer is used for Access Manager
  # services.
  # true | false
  com.sun.am.load_balancer.enable = false
  ####Agent Configuration####
  # this is for product versioning, please do not modify it
  com.sun.am.policy.agents.config.version=2.2
  # Set the url access logging level. the choices are
  # LOG_NONE - do not log user access to url
  # LOG_DENY - log url access that was denied.
  # LOG_ALLOW - log url access that was allowed.
  # LOG_BOTH - log url access that was allowed or denied.
  com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
  # Agent prefix
  com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
  # Locale setting.
  com.sun.am.policy.agents.config.locale = en_US
  # The unique identifier for this agent instance.
  com.sun.am.policy.agents.config.instance.name = unused
  # Do SSO only
  # Boolean attribute to indicate whether the agent will just enforce user
  # authentication (SSO) without enforcing policies (authorization)
  com.sun.am.policy.agents.config.do_sso_only = true
  # The URL of the access denied page. If no value is specified, then
  # the agent will return an HTTP status of 403 (Forbidden).
  com.sun.am.policy.agents.config.accessdenied.url =
  # This property indicates if FQDN checking is enabled or not.
  com.sun.am.policy.agents.config.fqdn.check.enable = true
  # Default FQDN is the fully qualified hostname that the users should use
  # in order to access resources on this web server instance. This is a
  # required configuration value without which the Web server may not
  # startup correctly.
  # The primary purpose of specifying this property is to ensure that if
  # the users try to access protected resources on this web server
  # instance without specifying the FQDN in the browser URL, the Agent
  # can take corrective action and redirect the user to the URL that
  # contains the correct FQDN.
  # This property is set during the agent installation and need not be
  # modified unless absolutely necessary to accommodate deployment
  # requirements.
  # WARNING: Invalid value for this property can result in the Web Server
  # becoming unusable or the resources becoming inaccessible.
  # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
  # com.sun.am.policy.agents.config.fqdn.map
  com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
  # The FQDN Map is a simple map that enables the Agent to take corrective
  # action in the case where the users may have typed in an incorrect URL
  # such as by specifying partial hostname or using an IP address to
  # access protected resources. It redirects the browser to the URL
  # with fully qualified domain name so that cookies related to the domain
  # are received by the agents.
  # The format for this property is:
  # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
  # This property can also be used so that the agents use the name specified
  # in this map instead of the web server's actual name. This can be
  # accomplished by doing the following.
  # Say you want your server to be addressed as xyz.hostname.com whereas the
  # actual name of the server is abc.hostname.com. The browsers only knows
  # xyz.hostname.com and you have specified polices using xyz.hostname.com at
  # the Access Manager policy console, in this file set the mapping as
  # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
  # Another example is if you have multiple virtual servers say rst.hostname.com,
  # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
  # abc.hostname.com and each of the virtual servers have their own policies
  # defined, then the fqdnMap should be defined as follows:
  # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
  # WARNING: Invalid value for this property can result in the Web Server
  # becoming unusable or the resources becoming inaccessible.
  com.sun.am.policy.agents.config.fqdn.map =
  # Cookie Reset
  # This property must be set to true, if this agent needs to
  # reset cookies in the response before redirecting to
  # Access Manager for Authentication.
  # By default this is set to false.
  # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
  com.sun.am.policy.agents.config.cookie.reset.enable=false
  # This property gives the comma separated list of Cookies, that
  # need to be included in the Redirect Response to Access Manager.
  # This property is used only if the Cookie Reset feature is enabled.
  # The Cookie details need to be specified in the following Format
  # name[=value][;Domain=value]
  # If "Domain" is not specified, then the default agent domain is
  # used to set the Cookie.
  # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
  # token=value;Domain=subdomain.domain.com
  com.sun.am.policy.agents.config.cookie.reset.list=
  # This property gives the space separated list of domains in
  # which cookies have to be set in a CDSSO scenario. This property
  # is used only if CDSSO is enabled.
  # If this property is left blank then the fully qualified cookie
  # domain for the agent server will be used for setting the cookie
  # domain. In such case it is a host cookie instead of a domain cookie.
  # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
  com.sun.am.policy.agents.config.cookie.domain.list=
  # user id returned if accessing global allow page and not authenticated
  com.sun.am.policy.agents.config.anonymous_user=anonymous
  # Enable/Disable REMOTE_USER processing for anonymous users
  # true | false
  com.sun.am.policy.agents.config.anonymous_user.enable=false
  # Not enforced list is the list of URLs for which no authentication is
  # required. Wildcards can be used to define a pattern of URLs.
  # The URLs specified may not contain any query parameters.
  # Each service have their own not enforced list. The service name is suffixed
  # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
  # for a particular service. SPACE is the separator between the URL.
  com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?
  OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
  # Boolean attribute to indicate whether the above list is a not enforced list
  # or an enforced list; When the value is true, the list means enforced list,
  # or in other words, the whole web site is open/accessible without
  # authentication except for those URLs in the list.
  com.sun.am.policy.agents.config.notenforced_list.invert = false
  # Not enforced client IP address list is a list of client IP addresses.
  # No authentication and authorization are required for the requests coming
  # from these client IP addresses. The IP address must be in the form of
  # eg: 192.168.12.2 1.1.1.1
  com.sun.am.policy.agents.config.notenforced_client_ip_list =
  # Enable POST data preservation; By default it is set to false
  com.sun.am.policy.agents.config.postdata.preserve.enable = false
  # POST data preservation : POST cache entry lifetime in minutes,
  # After the specified interval, the entry will be dropped
  com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
  # Cross-Domain Single Sign On URL
  # Is CDSSO enabled.
  com.sun.am.policy.agents.config.cdsso.enable=false
  # This is the URL the user will be redirected to for authentication
  # in a CDSSO Scenario.
  com.sun.am.policy.agents.config.cdcservlet.url =
  # Enable/Disable client IP address validation. This validate
  # will check if the subsequent browser requests come from the
  # same ip address that the SSO token is initially issued against
  com.sun.am.policy.agents.config.client_ip_validation.enable = false
  # Below properties are used to define cookie prefix and cookie max age
  com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
  com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
  # Logout URL - application's Logout URL.
  # This URL is not enforced by policy.
  # if set, agent will intercept this URL and destroy the user's session,
  # if any. The application's logout URL will be allowed whether or not
  # the session destroy is successful.
  com.sun.am.policy.agents.config.logout.url=
  #http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
  # Any cookies to be reset upon logout in the same format as cookie_reset_list
  com.sun.am.policy.agents.config.logout.cookie.reset.list =
  # By default, when a policy decision for a resource is needed,
  # agent gets and caches the policy decision of the resource and
  # all resource from the root of the resource down, from the Access Manager.
  # For example, if the resource is http://host/a/b/c, the the root of the
  # resource is http://host/. This is because more resources from the
  # same path are likely to be accessed subsequently.
  # However this may take a long time the first time if there
  # are many many policies defined under the root resource.
  # To have agent get and cache the policy decision for the resource only,
  # set the following property to false.
  com.sun.am.policy.am.fetch_from_root_resource = true
  # Whether to get the client's hostname through DNS reverse lookup for use
  # in policy evaluation.
  # It is true by default, if the property does not exist or if it is
  # any value other than false.
  com.sun.am.policy.agents.config.get_client_host_name = false
  # The following property is to enable native encoding of
  # ldap header attributes forwarded by agents. If set to true
  # agent will encode the ldap header value in the default
  # encoding of OS locale. If set to false ldap header values
  # will be encoded in UTF-8
  com.sun.am.policy.agents.config.convert_mbyte.enable = false
  #When the not enforced list or policy has a wildcard '*' character, agent
  #strips the path info from the request URI and uses the resulting request
  #URI to check against the not enforced list or policy instead of the entire
  #request URI, in order to prevent someone from getting access to any URI by
  #simply appending the matching pattern in the policy or not enforced list.
  #For example, if the not enforced list has the value http://host/*.gif,
  #stripping the path info from the request URI will prevent someone from
  #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
  #However when a web server (for exmample apache) is configured to be a reverse
  #proxy server for a J2EE application server, path info is interpreted in a different
  #manner since it maps to a resource on the proxy instead of the app server.
  #This prevents the not enforced list or policy from being applied to part of
  #the URI below the app serverpath if there is a wildcard character. For example,
  #if the not enforced list has value http://host/webapp/servcontext/* and the
  #request URL is http://host/webapp/servcontext/example.jsp the path info
  #is /servcontext/example.jsp and the resulting request URL with path info stripped
  #is http://host/webapp, which will not match the not enforced list. By setting the
  #following property to true, the path info will not be stripped from the request URL
  #even if there is a wild character in the not enforced list or policy.
  #Be aware though that if this is set to true there should be nothing following the
  #wildcard character '*' in the not enforced list or policy, or the
  #security loophole described above may occur.
  com.sun.am.policy.agents.config.ignore_path_info = false
  # Override the request url given by the web server with
  # the protocol, host or port of the agent's uri specified in
  # the com.sun.am.policy.agents.agenturiprefix property.
  # These may be needed if the agent is sitting behind a ssl off-loader,
  # load balancer, or proxy, and either the protocol (HTTP scheme),
  # hostname, or port of the machine in front of agent which users go through
  # is different from the agent's protocol, host or port.
  com.sun.am.policy.agents.config.override_protocol =
  com.sun.am.policy.agents.config.override_host =
  com.sun.am.policy.agents.config.override_port =
  # Override the notification url in the same way as other request urls.
  # Set this to true if any one of the override properties above is true,
  # and if the notification url is coming through the proxy or load balancer
  # in the same way as other request url's.
  com.sun.am.policy.agents.config.override_notification.url =
  # The following property defines how long to wait in attempting
  # to connect to an Access Manager AUTH server.
  # The default value is 2 seconds. This value needs to be increased
  # when receiving the error "unable to find active Access Manager Auth server"
  com.sun.am.policy.agents.config.connection_timeout =
  # Time in milliseconds the agent will wait to receive the
  # response from Access Manager. After the timeout, the connection
  # will be drop.
  # A value of 0 means that the agent will wait until receiving the response.
  # WARNING: Invalid value for this property can result in
  # the resources becoming inaccessible.
  com.sun.am.receive_timeout = 0
  # The three following properties are for IIS6 agent only.
  # The two first properties allow to set a username and password that will be
  # used by the authentication filter to pass the Windows challenge when the Basic
  # Authentication option is selected in Microsoft IIS 6.0. The authentication
  # filter is named amiis6auth.dll and is located in
  # Agent_installation_directory/iis6/bin. It must be installed manually on
  # the web site ("ISAPI Filters" tab in the properties of the web site).
  # It must also be uninstalled manually when unintalling the agent.
  # The last property defines the full path for the authentication filter log file.
  com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
  com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
  com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilter

  Hi,
  I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
  2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
  I have the box to identify but it doesnot connect me on my opensso server.
  It still identify with Domino's server
  Thanks for your response
  Thomas

• Sun Java System Access Manager 7.1 config. failed during installation

  {color:#0000ff}Hi,
  I have installed sun java communication suite 5 on a single host on sun solaris 10.
  I have installed required packages and it works fine.
  But as per organization need, I have to change domain name.
  So i have uninstalled everything and tried to install again with new domain name.
  I have made proper entries in hosts file and resolve.conf file.
  But duing the first phase of installation only , i failed in configuring access manager 7.1
  I have also cerate same scenario in my test environment, but everytime i face the same error.
  and sun java access manager 7.1 fails in first stage of installation only.
  So would like to know the proper installation procedure while i change the domain name on same hardware...
  I have checked both installation logs & summary logs.
  But no error, no failed , no severe.
  Attached is the summary of installation logs.
  Summary Logs :
  Installation Summary Report
  Install Summary
  Sun Java(TM) Communications Suite : Installed
  Sun Java(TM) System Web Server 7.0 : Installed, Configured
  Java DB : Installed, Configure After Install
  Sun Java(TM) System Message Queue 3.7 UR1 : Installed
  Sun Java(TM) System Monitoring Console 1.0 : Installed, Configure After Install
  Sun Java(TM) System Directory Preparation Tool : Installed
  Sun Java(TM) System Directory Server Enterprise Edition 6.0 : Installed, Configured
  Sun Java(TM) System Access Manager 7.1 : Installed, Configuration Failed
  Sun Java(TM) System Messaging Server 6.3 : Installed, Configure After Install
  Sun Java(TM) System Communications Express 6 : Installed, Configure After Install
  Communication Services Delegated Administrator : Installed, Configure After Install
  Configuration Data
  Sun Java(TM) System Web Server 7.0 :
  Web Server Instance installation Directory : /var/opt/SUNWwbsvr7
  Web Server installation Directory : /opt
  Web Server Administration Server Host : RADAGWMSG221.myreliancemail.com
  Web Server Admin Server Mode : true
  Web Server only CLI installation : false
  Sun Java(TM) System Directory Preparation Tool :
  Directory Preparation Tool Installation Directory : /opt/SUNWcomds
  Sun Java(TM) System Directory Server Enterprise Edition 6.0 :
  Directory Server Installation Directory : /opt/SUNWdsee
  Sun Java(TM) System Access Manager 7.1 :
  Access Manager Installation Directory : /opt
  Access Manager Protocol : http
  Access Manager Port : 80
  LDAP User ID : amldapuser
  Administrator User ID : amAdmin
  Web Container : WebServer
  Access Manager Web Server Host Name : RADAGWMSG221.myreliancemail.com
  Access Manager Web Server Instance Directory : /var/opt/SUNWwbsvr7/https-RADAGWMSG221.myreliancemail.com
  Access Manager Web Server Port : 80
  Access Manager Console Host (for Existing console) : RADAGWMSG221.myreliancemail.com
  Access Manager Console Deploy URI : amconsole
  Access Manager Password Deploy URI : ampassword
  Access Manager Host : RADAGWMSG221.myreliancemail.com
  Access Manager Console Port(for Existing console) : 80
  Access Manager Services Deploy URI : amserver
  Access Manager Cookie Domain List : .myreliancemail.com
  Access Manager Common Domain Deploy URI : amcommon
  Access Manager Directory Server Host Name : RADAGWMSG221
  Access Manager Directory Server Host : RADAGWMSG221.myreliancemail.com
  Access Manager Directory Server Port : 389
  Access Manager Directory Root Suffix : o=rmail
  Access Manager Directory Manager DN : cn=Directory Manager
  Organization Marker Object Class : sunISManagedOrganization
  User Marker Object Class : inetorgperson
  Organization Naming Attribute : o
  User Naming Attribute : uid
  Sun Java(TM) System Messaging Server 6.3 :
  Messaging Server Installation Directory : /opt/SUNWmsgsr
  Sun Java(TM) System Communications Express 6 :
  Communications Express Installation Directory : /opt/SUNWuwc
  Communication Services Delegated Administrator :
  Communication Services Delegated Administrator Installation Directory : /opt/SUNWcomm
  {color}

  Rushi-Reliance wrote:
  Kindly let us know how to proceed further as we are waiiting some reply from your team.As I already advised in your previous posting (http://forums.sun.com/thread.jspa?threadID=5359095), you are best off re-installing solaris from scratch and installing Communication Suite 6 update 1 if you cannot get Access Manager 7.1 configured.
  Regards
  Shane.