Device Access Manager deactivation possible?
I have a Seagate 1TB hard drive connected via USB as a backup (Memeo-backup software) to my HP Probook 470 G2 (Windows 7 Pro). The Device Access Manager asks me to authenticate myself every 15 min (approx). This is very annoying. Is the solution to uninstall the DAM s/w and what will the consequences be? Or has anyone a better solution to get around the Device Access Manager?
Rgds
Tommy
This question was solved.
View Solution.
Togu wrote:
I have a Seagate 1TB hard drive connected via USB as a backup (Memeo-backup software) to my HP Probook 470 G2 (Windows 7 Pro). The Device Access Manager asks me to authenticate myself every 15 min (approx). This is very annoying. Is the solution to uninstall the DAM s/w and what will the consequences be? Or has anyone a better solution to get around the Device Access Manager?
Rgds
Tommy
You can uninstall Device Access Manager for HP ProtectTools without any worry. It's only there to restrict users from plugging in devices and copying data to external drives.
Similar Messages
-
HP Device Access Manager Crashes everytime I open it
I have a brand new 2 days old zbook 17 G2 (k4k44ut#ABA). After having it less than 24 hrs, the system completely crashed, and would not even boot. I used the F11 recovery, and brought the laptop back to factory defaults.
I thought I'd see if "the HP Device Access Manager" was not allowing access to the drive, and when I go into the HP Client Security, and click on "Device Access Manager" it crashes the tool and closes it:
Also, I'm a bit paranoid about the stability of this $2800 new laptop ($3300 with carepak).. so I am trying to back it up with a clickfree C2.. which the HP doesn't appear to let it access. Also, the laptop does't even recognize it as USB 3.0, which the clickfree is... (weird).
I moved from an "also expensive" HP nx9420 business laptop (actually had two nx9420s) to this one and I'm really worried about the zbook, as I've never experienced so much instability on a new laptop before.
I pondered completely removing the HP Device Access manager package.. but not sure of the impact..
Please help me in determining why this thing crashes though, when I open the device access manager.Disregard getting clickfree to work.. I was able to give it a 15min access... (although would like to extend this).
I just need to figure out why the Device Access Manager crashes now and if i can disable it. -
ProtectTools Device Access Manager blocking Windows 10 upgrade
Hello, I'm having trouble upgrading Windows 7 Pro to Windows 10. The installation (manual and automatic) fails due to the incompatibility of ProtectTools Security Manager (according to Microsoft). This is also described in a document I found on the HP website: http://h20565.www2.hp.com/hpsc/doc/public/display?sp4ts.oid=5212912&docId=emr_na-c04734799&docLocale=en_US .Before I can uninstall ProtectTools, I need to unistall other HP tools, like Device Access Manager,... And there lies my problem: how do I uninstall Device Access manager? It's not listed under 'Programs and features'. I tried uninstall tools like CCleaner and Revo Unistaller, but they can't find it either. I have installed the latest version of ProtectTools, via the SoftPaq Download Manager and disabled all features in ProtectTools, as far as I can tell. How do I uninstall the ProtectTools suite? Best regards,Wim.
I found a way to remove it, on this website: http://www.shouldiremoveit.com/Device-Access-Manager-for-HP-ProtectTools-9553-program.aspx Run: MsiExec.exe /X{55B52830-024A-443E-AF61-61E1E71AFA1B} That fixed it for me.
-
How to trigger other devices by Cisco Physical Access Management?
Hi all,
A question about Cisco Physical Access Management(PAM) here. We will achieve a goal like this:
step 1. A staff swipe the badge and get into the room;
step 2. The device in this room will be triggered to set up or to turn on at the same time, such as Ip-phone, light, screen of DMP...
step 3.(optional) When the staff exits the room and swipes the badge, all the devices will be turned off.
Is this dorable for PAM to finish this trigger? Or some more work of developing need to do based on PAM?
Thanks!
Ziwei FanHi Bharaty,
thanks for your suggestion. I tried adding the tag as you suggested, sadly it does not work for me.
I had a little look at the coding in the tag, as I hope for the solution being in there. What makes me wonder is that I can specify the attribute TIMER in the tag, but the coding does not access it. The amount of time the "Please wait..." is shown is read from the technical profile.Which is 0 in my case.
Thus I tried setting it to 5000 in the debugger, but still no spinning thingy locking the UI.
Anyhow in the Scripts repository I found the JS functions usually used to trigger the functionality:
showSubmitInProgress(show, delay)
Even calling it directly does not work for me
I really suppose it has something to do with the area frame tag and the late rendering. It still keeps me wondering why I can not trigger server round trips from JS as I can normally do.
cheers Carsten -
Email profile uses Device Enrollment Manager user?
Hello,
I have an iOS device that was enrolled via the Apple Device Enrollment Program, using a Device Enrollment Manager account, and I have since deployed an email profile configuration policy to it. After it received the policy now the account
of the Device Enrollment Manager is locked in as the user in the email profile. Is that normal behavior? I thought that enrolling a device using a user who is a member of the Device Enrollment Management group would leave the device open for another
user?
Thanks!Hello, I was looking through TechNet a little more about this and unless I'm reading this wrong, which is certainly possible, it seems to suggest that you should be able to access company data as the end user using CYOD enrollment or a device enrollment
manager enrollment scenario:
User affiliation – Specifies how devices are enrolled.
Prompt for user affinity – The device can be affiliated with a user during initial setup and could then be permitted to access company data and email as that user. This mode supports a number of scenarios:
Corporate-owned personal device – “Choose Your Own Device” (CYOD) Similar to privately owned or personal devices but the administrator has certain privileges including permission to wipe, reset, administer, and unenroll the device. The
device’s user can install apps and has most other permissions for device use where not blocked by management policy.
Device enrollment manager account – The device is enrolled using a special Intune administrator account. It can be managed as a private account, but only a user who knows the enrollment manager credentials can install apps, wipe, reset,
administer, and unenroll the device. For information about enrolling a device shared by many users through a common account, see
Enroll corporate-owned devices with the Device Enrollment Manager in Microsoft Intune.
No user affinity – The device is user-less. Use this affiliation for devices that perform tasks without accessing local user data. Apps requiring user affiliation are disabled or won’t work.
With this in mind, since accessing corporate data as the user is supported with CYOD and device enrollment manager, I can't imagine that the intention of the device enrollment managers (DEM) group was designed so when a device is enrolled with a DEM
user that only data for that DEM user is available, right? That just wouldn't make sense. Also, if enrolling a device using a DEM user account is only for devices that don't need access to corporate data, then what's the difference between enrolling
a device using a DEM user, or enrolling a device with "No user affinity"? Also, when I've enrolled a device using a DEM account, I was later easily able to install apps with no prompt for DEM credentials, TechNet seems to imply that credentials
are needed for functions like that. Shouldn't something have asked me for permission to install an app? -
Too Slow - Domino 6.5.4 with access manager agent 2.2 ?
I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
I think AMAgent.properties is not good for SSO.
Please help me to tune it.
# $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
# Copyright ? 2002 Sun Microsystems, Inc. All rights reserved.
# U.S. Government Rights - Commercial software. Government users are
# subject to the Sun Microsystems, Inc. standard license agreement and
# applicable provisions of the FAR and its supplements. Use is subject to
# license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
# trademarks or registered trademarks of Sun Microsystems, Inc. in the
# U.S. and other countries.
# Copyright ? 2002 Sun Microsystems, Inc. Tous droits r閟erv閟.
# Droits du gouvernement am閞icain, utlisateurs gouvernmentaux - logiciel
# commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
# licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
# vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl閙ents
# ? celles-ci.
# Distribu? par des licences qui en restreignent l'utilisation. Sun, Sun
# Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
# marques d閜os閑s de Sun Microsystems, Inc. aux Etats-Unis et dans
# d'autres pays.
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Access Manager
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Access Manager will disable the SDK.
com.sun.am.cookie.name = iPlanetDirectoryPro
# The URL for the Access Manager Naming service.
com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
# The URL of the login page on the Access Manager.
com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
# Name of the file to use for logging messages.
com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
com.sun.am.policy.agents.config.local.log.rotate = true
# Name of the Access Manager log file to use for logging messages to
# Access Manager.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Access Manager.
com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
# Set the logging level for the specified logging categories.
# The format of the values is
# <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
# 0 Disable logging from specified module*
# 1 Log error messages
# 2 Log warning and error messages
# 3 Log info, warning, and error messages
# 4 Log debug, info, warning, and error messages
# 5 Like level 4, but with even more debugging messages
# 128 log url access to log file on AM server.
# 256 log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.log.level =
# The org, username and password for Agent to login to AM.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certdb.prefix =
# Should agent trust all server certificates when Access Manager
# is running SSL?
# Possible values are true or false.
com.sun.am.trust_server_certs = true
# Should the policy SDK use the Access Manager notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notification.enable = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.url_comparison.case_ignore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.polling.interval=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the access manager. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userid.param=UserToken
# Profile attributes fetch mode
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-
number,c|country
# Session attributes mode
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.session.attribute.map=
# Response Attribute Fetch Mode
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.response.attribute.map=
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.lb.cookie.name = GX_jst
# indicate where a load balancer is used for Access Manager
# services.
# true | false
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.config.version=2.2
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
# Locale setting.
com.sun.am.policy.agents.config.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.config.instance.name = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.config.do_sso_only = true
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.config.accessdenied.url =
# This property indicates if FQDN checking is enabled or not.
com.sun.am.policy.agents.config.fqdn.check.enable = true
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
# com.sun.am.policy.agents.config.fqdn.map
com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Access Manager policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.config.fqdn.map =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Access Manager for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
com.sun.am.policy.agents.config.cookie.reset.enable=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Access Manager.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.config.cookie.reset.list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
com.sun.am.policy.agents.config.cookie.domain.list=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.config.anonymous_user=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.config.anonymous_user.enable=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?
OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.config.notenforced_list.invert = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.config.notenforced_client_ip_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.config.postdata.preserve.enable = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url =
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.config.client_ip_validation.enable = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.config.logout.url=
#http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.config.logout.cookie.reset.list =
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Access Manager.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetch_from_root_resource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.config.get_client_host_name = false
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.config.convert_mbyte.enable = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.policy.agents.config.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port =
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
com.sun.am.policy.agents.config.override_notification.url =
# The following property defines how long to wait in attempting
# to connect to an Access Manager AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active Access Manager Auth server"
com.sun.am.policy.agents.config.connection_timeout =
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# The three following properties are for IIS6 agent only.
# The two first properties allow to set a username and password that will be
# used by the authentication filter to pass the Windows challenge when the Basic
# Authentication option is selected in Microsoft IIS 6.0. The authentication
# filter is named amiis6auth.dll and is located in
# Agent_installation_directory/iis6/bin. It must be installed manually on
# the web site ("ISAPI Filters" tab in the properties of the web site).
# It must also be uninstalled manually when unintalling the agent.
# The last property defines the full path for the authentication filter log file.
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilterHi,
I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
I have the box to identify but it doesnot connect me on my opensso server.
It still identify with Domino's server
Thanks for your response
Thomas -
Problem of degradation in Access Manager 7.1 in SUNWappserv8.2
Hi all,
We have a problem in our enviroment...
Have 2 nodes of AM, periodically we have some problems of degradation in each node, high times of response +30seconds, all seems perfect until some more traffic or requests begin to appears in the system, the rare is somes request going well and other going bad with more 30 seconds of time.... we are searching problems like memory leak but all is perfect "word of our support" even the machine is nice, not saturate....
Not found nothing in server.log, is like nothing happen but our times of resquest are so high even produces than in the other node the queue of notification rise so fast to the limit.
What could be?
could be a problem with our ldap connections than enqueue and affect to the listener?
In the moments of problems even with curls the port of AM response so so slowly more than 30 seconds, but seems fixed in some minutes so, we especulate with the high traffic, but the rare is the other node all is perfect! no problems, not saturate... Only have logs (a lot of) in the server.log of appserv of the node with problems like:
|SEVERE|sun-appserver-ee8.2|javax.enterprise.system.container.web|_ThreadID=73;|failure (11210): HTTP3068: Error
receiving request from xxxxx (Not connected)
And in PA we have some logs than means saturation or high load
"Error 30678:8779160 SSOTokenService::getSessionInfo(): Error 18 for sso token ID"
but like i said the other node not show that, and the high load is basically the same all days.
could we find some answers with a kill -3 of the instance?
We discarded problems with ndsltimeout of ldap firewall or balancer
Thanks a lot!We found a reason of this degradation, could be possible than, if one Policy Agent not answer, because the appserv -in this case weblogic- is saturated, could affected to the AM? I mean the appserv where the PA is installed depend of a finale system and this system is generating timeouts, and the appserv the is affected and the PA installed in it too, then all requests from the Access Manager have times of 30 40 50 seconds...
Can we have a solution configuring some specs in the AM or the solaris connections? like timeouts or time request?
I think the problem is this, because this PA installed attend the most request of the users
Anyway we thought than can fight to this tunning some specs in solaris like tcp_conn_req_max_q or tcp_conn_req_max_q0 and some timeouts like -Dsun.net.client.defaultConnectTimeout=10000 -Dsun.net.client.defaultReadTimeout=10000 but not seems enough because we are suffering this problems again.
If someone have an idea will be awesome, thanks! -
Error while accessing Access Manager
Hi All,
I am getting the following error after configuring access manager and restarting the web server.
[25/May/2006:18:14:16] info ( 1724): CORE1116: Sun Java System Web Server 6.1SP5 B01/15/2006 23:04
[25/May/2006:18:14:30] info ( 1724): HTTP3072: [LS ls1] http://GDYESSER33609.wipro.com:13004 ready to accept requests
[25/May/2006:18:14:30] info ( 1724): CORE3274: successful server startup
[25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr: Exception in thread "amStats" java.lang.ExceptionInInitializerError
[25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr: at com.sun.identity.authentication.service.AuthStatsListener.printStats(AuthStatsListener.java:56)
[25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr: at com.iplanet.am.util.StatsRunner.run(StatsRunner.java:91)
[25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr: Caused by: java.lang.NullPointerException
[25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr: at com.iplanet.services.cdm.ClientsManager.getDefaultInstance(ClientsManager.java:108)
[25/May/2006:18:15:29] warning ( 1724): CORE3283: stderr: at com.sun.identity.authentication.service.AuthUtils.<clinit>(AuthUtils.java:199)
I have configured and restarted the web server, when i try to access the access manager I get the above error. Someone please respond at the earliest.
Thanks.Hi Tanya,
Thank you for posting in Windows Server Forum.
From which device you are trying to access RemoteApp program?
For getting any remote session or accessing RemoteApp the user must be added under “Remote Desktop Users” local group. So please under user under that group and verify.
Also add the user under System>Remote Settings>Remote Tab>Allow remote connection to this computer and add the user under that. Now after performing this above steps verify whether user can login remotely.
Hope it helps!
Thanks.
Dharmesh Solanki
TechNet Community Support
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected] -
Install Oracle Access Manager in existing Access Manager domain
Hi
I am operator of a windows system with Oracle Access Manager installed.
We use OAM for SSO against Webpages in OIM running on Jboss, and now we are going to implement against a WebLogic webapplication too.
The userbase is standard Active Directory
I did not set up OAM myself so I'm not completely sure how it works.
To be able to test the SSO solution given by an external provider, I need to have a proper stage environment.
My idea is to set up another OAM on another server, wich points towards the same AD domaincontroller as the existing OAM
Is this possible? In the installation guide I find that the new AccessManager system should be added into the existing OAM configuration , before we turn of the existing OAM and then install the complete OAM on the new server. Then we can turn on the existing OAM again, and implement them as clusters. I would like them to be two indipendent instances not affecting one another, but in the same AD domain to be able to test features in one of them and use the other as the production server.
My fear is that I "mess up" the form in AD created from the old OAM, and that way mess the upp production environment.
Edited by: user631873 on 11.sep.2009 06:22Hi,
Technically, you can certainly set up a new OAM infrastructure which points to the existing AD instance. You could do this in a number of ways, for example:
- set up the new instance so that it points to the same users and configuration branch as the existing instance, so that the new instance is effectively just an extension of the existing instance (with extra Identity and Access Servers, etc) ;
- set up the new instance so that it points to the same AD instance, but uses different User searchbase and Config branch. In this case the new instance is more or less completely separate, but it happens to use the same directory ;
- set up the new instance so that it points to the same Users, but a different Config branch, in which case the new instance has independed OAM configuration (policies, authentication schemes etc) but operates on the same user base.
(In OAM you can define separate ldap locations for the Users, Identity Config and Access Config.)
It depends on exactly what you want, but if the idea is to have a proper stage environment, then it is usually better for them to be completely independent, including the directory. OAM can update users as well as policies, and additionally different major versions of OAM have different schemas, so there are risks when using the same directory instance. Load testing is also an issue, since the directory is accessed extensivley by OAM.
Regards,
Colin -
Securing web services with Sun Access Manager
Hi!
I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: To install some kind of plugin into WLS or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
My questions are:
1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
2) Are there any documentation/tutorials/etc?
Thanks in advance :-)
Anderswhat you need is a webservices agent that would enable you to "protect" your webservice provider, which I assume is on a BEA weblogic provider.
the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is "NOT" awebservices agent, but a normal J2EE policy agent.
So.. having said that. here's what I'd recommend.
1. install the webservices agent on bea weblogic. (note: NOT the J2EE policy agent)
2. configure it to use your access manager instance for authentication.
3. configure your webservices client to use the webservice provider. (note: you'd need the webservices APi's available on the client too... so the quick dirty method would be to install the webservices agent on your client too....) you can later bundle the webservices client independently and provide your"customers" with a webservices client bundle...
4. voila... your webservices are not "protected" by acces manager ;-) -
GRC AC 10: Emergency Access Management, Logon button is disabled (GRAC_SPM)
Hello Gurus,
I have configured Emergency Access Management in GRC AC 10.
GRC Box (SID) : GR1 client 100
Backend ERP system : D24 client 100
The FIREFIGHTER in GRC system : FFUSER1
Z_SAP_GRAC_SUPERUSER_MGMTUSER
Z_SAP_GRC_FN_BASE
Z_SAP_GRC_NWBC
In the Backend ERP system the FIREFIGHTER ID: ABC wants to access the FIREFIGHTER(FFUSER1)
Hence in NWBC (Setup >Superuser Assignment>Firefighter ID) the assignment is done.
ABC(FIREFIGHTER ID) <--->FFUSER1(FIREFIGHTER)
Now the User login the GRC system using FFUSER1 assigned following roles
Z_SAP_GRAC_SUPERUSER_MGMTUSER
Z_SAP_GRC_FN_BASE
Z_SAP_GRC_NWBC
Z_SAP_GRAC_SPM_FFID
and runs Transaction: GRAC_SPM
and he is able to see that ABC is assigned .
Now the user clicks on "Logon" and the status changes from green to "RED".
A new SAP screen opens asking credintials for Backend ERP system D24 client 100
The User enters his own Id : ABC and password and logs in.
Runs the necessary transactions and logs out using transaction: /nex
The session in GRC is still running and now the "LOGON button" is disabled , he comes out of that screen too.
When the user tries to login again using FFUSER1 to do more task , the "LOGON Button" is seen disabled.
and clicking the "unlock" button also doesn;t help.
When checked in SM04, no live session is reflected .
How can we "enable" the LOGON button in the transaction : GRAC_SPM for the same FIREFIGHTER (FFUSER1) assigned for Firefighter ID (ABC) ??
As it is now not possible to click "LOGON" button and the status is "RED".
Please let me know your opinion .
Thank You.
Regards,
PremjitThanks to All
-
Access Manager + Portal Server + Zones + Subnets
Hi
Appreciate your help.
I'm installing Access Manager and Portal Server, this is the environment:
- 3 machines - Solaris 10, 2 local zones per machine
ie
root@global1 # zoneadm list -cv
ID NAME STATUS PATH
0 global running /
1 accesclbp1 running /zone-access
2 portalclbp1 running /zone-portal
Every local zone assigned to Portal Server and the global zone lives on the same VLAN, and every local zone assigned to AM lives on a different VLAN.
The failover of AM is been working rigth now, but I have a problem trying to install the Portal Server's, when I try to connect to AM through the VIP I'm loosing the connections to AM, sometimes I can connect and sometimes is not possible.
Somebody has an environment like this? PS + AM + zones + subnets???We have this configuration as well.
A few things we have experienced during installation:
1. If Access Manager is https the Portal install fails even the cert is included in the installer JVM.
2. Zones: We use DNS and in nsswitch.conf - hosts and ipnodes were both set to files dns. Once I changed ipnodes to files only problem disappeared.
3. Check that Password Encryption Key is the same across the AMSDKs and the Access Manager servers. -
Communications Express doesn't create access Manager SSO session
Hi all,
I'm running Communications Express, Sun Access Manager and Sun messaging server, each on seperate hosts.
Single Sign On works i.e. when users have a valid session and point their browser at the Communications Express URL they can access their mail, calendar and addressbooks without further ado.
When they don't have a valid session though and the users go to the Communications Express URL they get a username and password prompt. If they enter valid credentials they will be logged in, but the session created is only a local session, not an Access Manager SSO session. This behaviour has changed from the previous versions of Comm Exp which wouldn't work at all without SSO.
Is it possible to configure communications express to either redirect users to the Access Manager's authentication page or have Comm Exp create the SSO session on the users behalf?
TIA
Herman
Versions:
- Communications Express 6.3 update 1
- Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)
libimta.so 6.3-4.01 (built 17:13:29, Aug 3 2007; 32bit)Hi Shane,
as always your anwer is better then I could have expected. A more or less complete manual
just hours after asking my question. Thanks!
shane_hjorth wrote:
The cleanest solution I could develop to address the behavioural change was to
leverage a web-server policy agent to perform the redirections.
I wrote up a guide but never received any feedback unfortunately so results-may-vary.
I have republished this guide externally - feedback is welcome:
http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_AgentTook me some time to implement, test and write feedback:
The setup we have is a little more complex then the a single box scenario you
have tested on:
From the internet working inwards we have load balanced
SSL accelerators (apache+SSL doing reverse proxy) in front of
dedicated application servers running communications express.
Mail is retrieved from separate mail-store clusters.
Access manager is configured similarly: load balanced SSL accelerators
in front of application servers running the login page (disributed
authentication UI). Those then talk to the access manager cluster.
Firewalls and access lists between each of those layers. None of the
applications can be accessed directly from the internet and they are
limited in what they can access in the DMZ as well.
I followed your recipe to the letter. After a bit of tweaking everything
worked like a charm. Policy agent installed and configured on the
SUN webserver where communications express is deployed.
Instructions were very good on detail and easy to follow.
We deploy uwc in the root of the server not in /uwc. Something I didn't notice right away.
It would seem that the policy agent expects the values com.sun.am.naming.url
(The URL for the Access Manager Naming service) and
com.sun.am.policy.am.login.url (The URL of the login page on the Access Manager
where users should enter their credentials) to be the same host.
In our setup the URL/host users have to use to log in can't be accessed by the policy agent.
The policy agent should verify sessions directly against the access manager cluster.
I played with some of the override settings in the policy agent configuration file but
without much success. Eventually I used the hostname our users have to use to log
in and abused the /etc/hosts file to map the external hostname to the internal address
of the access manager cluster. Users end up on the correct login page, and the policy
agent can verify the sessions. Ugly, but it works.
The other issue is that the policy agent redirects to:
com.sun.am.policy.am.login.url?goto=URL_Protected_by_Policy_Agent
When a users enters incorrect credentials they get the default login url, without the
goto parameter. (May be bug in access manager or by design...) After entering their
credentials correctly on their second or third try users won't be redirected back to UWC,
but will end up on the default page defined by their iplanet-am-user-success-url LDAP attribute.
I solved that in the policy agents configuration file by adding the gotoOnFail=URL in the
definition of com.sun.am.policy.am.login.url:
com.sun.am.policy.am.login.url = https://login.domain.com:443/amserver/UI/Login?gotoOnFail=https://uwc.domain.com:443When you enter incorrect credentials you'll be redirected back to uwc (where the policy agent
will again intercept you and send you on to the login page for your next try). May be more of
an issue in the policy agent then your manual.
Regards,
Herman -
Password ending with % "hangs" access manager
Dear Guru's
We are running Sun Access Manager 7.1. We encountered a problem when users try to login with a password ending with the character "%".
One way or another, the access manager calls the URLDecodeField method of com.iplanet.am.util.Locale twice. This results in a loop in this method.
Can anyone help me how to get rid of this problem?
Thanks in AdvanceIdeally you would use SAML or Federation between the Access Manager server and WAS portal. I don't know enough about WAS portal to know if that is supported or not.
Sun has a policy agent for WAS 6.0 and the WAS PA can be configured to use the AM as a user repository. With AM7 you could try two different realms with two different data stores and have AM authenticate against one realm and the PA use the other realm and see what happens.
Passing around user credentials between applications is a security issue and you should avoid it if possible. -
Integrating WebSphere Portal Server with Sun Java System Access Manager
Hi All,
Is it possible to Integrate WebSphere Portal Server with Sun java System Access Manager?. If so plz send me any doc or web site link for the same.
Thanks in Advance
Rgds,
Lessly JRushi-Reliance wrote:
Kindly let us know how to proceed further as we are waiiting some reply from your team.As I already advised in your previous posting (http://forums.sun.com/thread.jspa?threadID=5359095), you are best off re-installing solaris from scratch and installing Communication Suite 6 update 1 if you cannot get Access Manager 7.1 configured.
Regards
Shane.
Maybe you are looking for
-
Save billing document as pdf file in a shared folder
hi experts, my requirement is to save the billing documents as a pdf file whenever it is generated automatically. is it possible to define a output type to save the pdf file similar to the one used for sending pdf files as attachemnts in email.
-
PLEASE help me.. I need my phone for work... my alarm... it's my life!
-
HI, I have a Dell 3000CN Network Laser Printer. How do I get it to work with my Mac (IMac i3 17 Quad Core) ? Help Please
-
Hi, I am trying to move one panel(1) inside another one - panel(2) with DnD. I think that everything works good, but only one problem. Can't change positioning (x,y) of panel(1) inside the panel(2). I am trying to use MouseMotionListener-mouseDragged
-
Portal sizing -- BI query rendering.
Hi We have a BI Nw04s system running on stack 11. And the same level is the Portal system. All these days, when someone clicks on an i view which invloves BI query rendering, it will happen inside BI. Now in Nw04s we have EPC also. Now we are plannin