Directory Server Replication and Access Manager
I've set up 2 Access Managers instances AM1 and AM2 connected to one Directory Server DS1. Changes to AM1 are replicated to AM1. DS1 is replicated to DS2 using MMR. I'm following Sun's document http://docs.sun.com/app/docs/doc/819-4672/6n6qcof22?a=view to setup failover for this environment. Step 5 says
Modify the following properties to reflect the host and port number of a consumer Directory Server installed in Configuring For Replication .
com.iplanet.am.directory.host = DS1.domain
com.iplanet.am.directory.port = port of DS1
How do I modify above to reflect DS2 so that should DS1 fail, DS2 takes over?
Also step 9 says - In the serverconfig.xml file, specify the host name and port number of the consumer directory installed in Configuring For Replication, as shown in the following example for the serverconfig.xml file.
<iPlanetDataAccessLayer>
<ServerGroup name="default" minConnPool="1"
maxConnPool="10">
<Server name="Server1"
host="consumer1.example.com" port="389"
type="SIMPLE" />
Again, how do I modify serverconfig.xml to reflect the 2nd Directory Server, DS2 so that if DS1 fails both AM1 and AM2 can connect to DS2. If anybody has done this please let me know how it worked, thanks.
Are you talking about Access Manager flopping over from ds1 to ds2 if ds1 is down?
In serverconfig.xml look for the line containing 'Server Name' and add a line like this directly underneath of it:
<Server name="Server2" host="ds2" port="389" type="SIMPLE" />
Save and exit
vi AMConfig.properties and add something like this after the existing com.iplanet.am.directory.host and com.iplanet.am.directory.port:
/* Added for multi-master directory fail-over */
com.iplanet.am.directory.host=ds2
com.iplanet.am.directory.port=389
com.iplanet.am.replica.retries=3
com.iplanet.am.replica.delay.between.retries=5000
/* End Added for multi-master directory fail-over */
Save and exit
Restart the Access Manager web container
Similar Messages
-
Sizing of Oracle IdentityManager and Access Manager on same Weblogic Server
Hi ,
We are planning to deploy Oracle Identity Manager and Access Manager on the same weblogic server in different domains.We have user base of 25000 users.
We can propose two different weblogic servers for OIM and OAM ?
Please let me know the best hardware and software requirements for this installation.
Thanks,
RBMHere is sizing guide for Oracle Identity Manager
http://www.oracle.com/technetwork/middleware/id-mgmt/oim11g-sizingguide-194346.pdf
You can use it as a guideline, and it refers to 25000 users similar to your requirement. There are other factors also consider like, failover, performance etc. Feel free to reach out if you need more info [email protected] -
UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)
PREAMBULA: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc-links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
Is there some known bug or workaround that matches this description?
Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in UWC/CE web-interface. I have reported them before, then they seemed fixed (not occuring for several tests in a row), but as time has shown, something wrong is still there.
So I'll try to go into deeper detail now, as we've may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
Our setup is split into several Solaris 10 full-root zones hosted on several servers, some of the components are enroute to HA (perhaps we made some mistakes on this part of the way?)
So, we have the following software stack:
1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its servicess.
The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
# imsimta version
Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
"Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (i.e. www.mail.domain.ru which is equivalent in DNS), they have only the Address book, Calendar and Options tabs; no webmail. So far this is resolved by Policy Agent forcing The One name of the server.
Here's the configuration we did specifically for AM SSO:
1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
com.iplanet.am.cookie.encode=false
am.encryption.pwd=<the same value>
all hostname-related parameters point to "psam.domain.ru"
2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
3) in "msg.conf" on "sunmail" (entries added via configutil):
local.webmail.sso.amcookiename = iPlanetDirectoryPro
local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
local.webmail.sso.singlesignoff = yes
local.webmail.sso.uwcenabled = 1
service.http.ipsecurity = no
(perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
--- main.js.orig Sat Jan 26 07:52:09 2008
+++ main.js Mon Jul 21 01:06:29 2008
@@ -667,7 +667,8 @@
function cleanup() {
if(laurel)
- top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+// top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+ top.window.location = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
else
exec('logout', '', 'exit()')
@@ -1707,7 +1708,8 @@
if(lg) {
url = document.location.href
url = url.substr(0,url.indexOf('webmail'))
- uwcurl = url + 'base/UWCMain?op=logout'
+// uwcurl = url + 'base/UWCMain?op=logout'
+ uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
exit()
}6) Calendar SSO - per docs...
According to ngrep sniffing,
1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
<Request><![CDATA[
<NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
<GetNamingProfile>
</GetNamingProfile>
</NamingRequest>]]>
</Request>
</RequestSet>(receives a large XML list of different Access Manager configuration parameters and URLs)
...then a double-request to /amserver/sessionservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="Session" reqid="686">
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="678">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]>
</Request>
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="679">
<AddSessionListener>
<URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</AddSessionListener>
</SessionRequest>]]>
</Request>
</RequestSet>As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
!!!*** Now, the problem part ***!!!
8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
For the most detail I can provide, I'll even paste the whole HTTP packet:
POST /amserver/sessionservice HTTP/1.1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
Content-type: text/xml;charset=UTF-8
Content-length: 336
Cache-control: no-cache
Pragma: no-cache
User-agent: Java/1.5.0_09
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Host: cos-psam-01.domain.ru
Client-ip: 194.xxx.xxx.xxx
Via: 1.1 https-weblb.domain.ru
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="258">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]></Request>
</RequestSet> The server's error response is apparent:
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 31 Jul 2008 05:49:50 GMT
Content-type: text/html
Transfer-encoding: chunked
19b
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="258">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
<GetSession>
<Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
</GetSession>
</SessionResponse>]]></Response>
</ResponseSet>On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
POST /amserver/sessionservice HTTP/1.1
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
Content-Type: text/xml;charset=UTF-8
Content-Length: 379
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.5.0_09
Host: psam.domain.ru
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="281">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
<SetProperty>
<SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
<Property name="uwcstatus" value="active"></Property>
</SetProperty>
</SessionRequest>]]></Request>
</RequestSet> ...and the response is OK:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="281">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
<SetProperty>
<OK></OK>
</SetProperty>
</SessionResponse>]]></Response>
</ResponseSet>There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
The solution for these customers was the following:
=> AM server/client side:
Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
=> AM client (UWC) side:
- Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
<sun-web-app>
<property name="encodeCookies" value="false"/>
<session-config>
<session-manager/>
</session-config>
<jsp-config/>
<property name="allowLinking" value="true" />
</sun-web-app>Regards,
Shane. -
Oracle Identity and Access Management (11.1.1.3.0) and IM difference?
What is difference between Oracle Identity and Access Management (11.1.1.3.0) and Identity Management (11.1.1.3.0) ?
From
http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.htmlWhen you run the config, you are asked to add some product. Have checked the "Oracle Access Manager with Database Policy Store" product?
If not, you can add it by extending the domain. Once done you have to start two WLS servers (AdminServer and oam_server1):
Start AdminServer with $DOMAIN/bin/startWebLogic.sh
Start oam_server1 with $DOMAIN/bin/startManagedWebLogic.sh oam_server1
It might be that oam_server1 asks for username and password. This is fine for the first time. During the first start the necessary directory structure is created. Once it came up and enters RUNNING state, kill it and create a file boot.properties in $DOMAIN/servers/oam_server1/security with the entries username=name and password=pw in two lines and start oam_server1 again.
Starting oam_server1 is recommend to get proper values in the oamconsole.
HTH,
--olaf -
Directory Server Replica and Messaging Server 6
I install Directory Server 5.2 as Master Replica in one machine (V120) and on the other machine (V240) I install the following:
1. SunONE Directory Server 5.2 (Consumer
Replica) or slave replica.
2. SunONE Identity Server
3. SunONE Messaging Server 6
I have successfully install and configured the 3 Servers, when they are running on just one machine (one box). But when I try to run them in two separate machines as described above, the messaging server acts strangely and it's configuration fails, when i try to configure it on the directory server replica.
In simpler words, I want to know if someone has installed Messaging Server in a Directory Server Replication scenario, where there are two machines involve. Because all works well when we install everything on one machine (one box) but I am having hard time configuring the messaging server in this split setup scenario.
So, if someone has idea about how to run the Messaging Server 6 ( ./configure ) file successfully on a Directory Server 5.2 Replica, please suggest me in detail.
Thanking you,
Farhan Ahmed.
Vision Valley, Dubai.Messaging Server uses LDAP in two ways. The obvious one is that user/group/domain information is stored there.
The non-obvious way is that some configuration information is stored in LDAP, in the "o=NetscapeRoot" tree. This tree is NOT ususally replicated, so if you perform the installation against one LDAP server, and then attempt to move the configuration to point to another one, and don't make a separate replication agreement for the configuration, your server won't work correctly.
To configure Messaging against a replica, you also need to understand how the replication and "referral" works. Without studying your scenario, I cannot tell what has failed, but indeed, there are users that have configured Messaging 6.0 against a replica LDAP system.
You may want to open a tech support ticket, and get personal help for your issue. -
Difference between Identity Manager and Access Manager
hi,
Can any body tell me the difference between Identity manager and Access Manager.
thanks in advance
regards
dhawanmayurAccess Manager is for access control (web authentication, authorization), Identity Manager is for identity (userid,profile,role, password etc) provision/management across multi resources (such as unix, active directory, peoplesoft, SAP) etc.
-
Oracle Identity and Access Management Suite Plus Integration with Oracle ADF
Hi All,
Kindly advice if Oracle Identity and Access Management Suite Plus can be integrated with Oracle ADF based applications to manage the end-to-end lifecycle of user accounts specifically addressing to roles/priviledges and security.
Request you to share links to documentation where I can study the steps to integrate both the frameworks.
Looking forward to hear from you soon.
Best Regards,
Ankit GuptaHi Sébastien,
I came across the below link for the required integrations -
Oracle&reg; Fusion Middleware Installation Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2) - …
Oracle&reg; Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management 11g Release 2 (11.1.2) - Co…
Best Regards,
Ankit Gupta -
Discuss Identity and Access Management in the Cloud
Identity and access management in the cloud refers to the processes, technologies, and policies for managing cloud systems identities and controlling how these identities can be used to access cloud resources. Three separate processes are used in most cloud
identity and access management solutions:
Identity provisioning and storage
Authentication
Authorization
Identity management in a cloud system requires a complex collection of technologies to manage authentication, authorization and access control across distributed environments. These environments might include assets both on the internal cloud, which would
be an on-premises private cloud, and services accessed on the public cloud. These environments can also cross-security domains, as when two enterprise-level organizations collaborate and enable cross-domain access to users from the partner security domain.
You can learn more about these topics in the article Identity and Access Management in the Cloud.
Let's talk about that article and the topics of identity and access management in the cloud! Use this thread to get it started.
Thanks!
Tom
Learn more about Private Cloud at the
Private Cloud Solutions HubTom,
I am a novice and attempting to achieve a proof of concept of single sign on. One example I read stated one should install Identity and Access on VS2012. I did this on two different machines. One was in the office domain and it shows the
item "Identity and Access..." in the context menu of the MVC project I created. The other machine is my laptop. I followed the same procedure that worked on the desktop, yet the Identity and Access item in the project context menu does not show.
One difference is that the laptop is not part of a domain, but I am attempting this proof of concept in Windows Azure with the laptop, since we do not have a test AD in our corporate domain.
Is this the right forum to inquire about this issue? Do you have a recommendation about a better forum?
Stephen Pidgeon -
Server.log and access file previous record are overwrite
Hi,
I am having problem that my server.log and access file in all instance have been overwrite by latest record. Suppose all the system.out.print will append to the server.log. However, my problem is the log which has been written to server.log in earlier time (mayb morning till afternoon) is replaced. From the server.log, I am only able to view the log which start from 11 pm. The same case happen to access file as well. This incident is not happen everyday but sometimes.
I am wondering what is happen and how i can solve the problem.
Any help/guidance is highly appreaciate.
Thanks.Hi,
Did anyone know the solution for this issues..
Thanks. -
Identity and Access Management Training in Bangalore
Hi,
I need information if there are any institutes who provide training on Identity and Access Management in Bangalore or Pune? Whats is the basic requirement for starting IAM. I have SQL knowledge.
Thank you
[email protected]You can check out this link for Oracle University in India:
http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=3
-Kevin -
Print server, AD, and Profile Manager
Having a number of issues that I can resolve regarding printing--I am trying to set up profiles in the Profile Manager, but printers are not available or visable. However they are visable in the workgroup manager. The printers reside on Windows print server (2008 R2). Further I can add the printers to my server, but they are not visable in the "Printer Sharing" section of "sharing". So with that, I have a few questions:
1. Do I need to turn on Kerberos in CUPS? User's don't authenticate to our printers via Kerberos, but via the Account manager of the individual printers.
2. Why do settings in Workgroup manager not apply? I can add the printers via LDAP the the new groups I have added, but when I open profile manager the changes or printers are not implemented.
3. How do I make printers visible in Profile Manager?
I have scoured the net and several manuals, but I can seem to stumble upon the correct answer.Hi,
I have the same issue, very frustrating. Using a Win 2003 AD and 10.8.2 server and clients. If i use WGM I can see all users and groups correctly, but Server.app and Profile Manager does not show them correct.
Strange that we see issues like this since Profile Manager has been around for a while, really interested to hear other peoples experiences.
PS I see a similar thing here: https://discussions.apple.com/thread/4417085?start=0&tstart=0 -
SSL connection between Dist Auth UI Server and Access Manager
Hi,
I have a Dist Auth UI Server installed in Web Server 7 and working properly, but now i want to configure it to talk with Access Manager with a secure port.
I have configured Access Manager (also deployed in Web Server 7) in a secure port (443). I have requested and installed the server certificate in the Access Manager Web Server instance and also the root entity certificate.
My question is: how must i configure the UI Server to communicate with the Access Manager Server in a secure way and trust the certificate that the WS of the AM presents ?
Regards,There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
The solution for these customers was the following:
=> AM server/client side:
Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
=> AM client (UWC) side:
- Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
<sun-web-app>
<property name="encodeCookies" value="false"/>
<session-config>
<session-manager/>
</session-config>
<jsp-config/>
<property name="allowLinking" value="true" />
</sun-web-app>Regards,
Shane. -
How to change LDAP server setting in Access Manager 6.2
Hi,
We have initially set authentication as a SunONE Directory Server 5.1 (master DS1) in Sun Java System Access Manager 6.2. In both /etc/opt/SUNWam/config/serverconfig.xml
/etc/opt/SUNWam/config/AMConfig.properties
conf files, DS1 was set initially. Also on console's Service Configuration ->LDAP->Primary LDAP Server was set as "DS1"
Now the problem is that I am not able to change the DS1 to the other master "DS2". I set DS2 in both above conf files and also the Service Configuration page as Primary LDAP Server. I restarted the server. When I stopped the DS1, I couldn't login access manager console with any user. It looks like it is still trying to get authentication from DS1.
Does anybody know what I am missing here?
Regards,After hopeless tries, I finally made it work;) The trick was actually updating the sunKeyValue attribute of the entry:
"dn:ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthLDAPService,ou=ser
vices,dc=company,dc=com" in one of the master DS I have.
Even though I set DS2 and loadBalancer hosts in all conf files and in Primary LDAP conf in amconsole's Service Configuration, it just didn't work until I inserted loadBalancer host in sunKeyValue attribute.
Hope it helps to someone....
-Bora -
Hello all.
I am looking for a best practices for DS 6.3 replication wth Sun Access Manager and Sun Portal Server.
Here is the scenario:
We have 2 sites, A and B. At each site there are the following: 1 DS 6.3, 1 Sun Access Manager, and 1 Sun Portal Server. The DS 6.3 instance servers both AM and Portal. Both configurations at each site are configured the same except for host name's and IP's. Essentially, what I am looking for is to setup multi-master replication between the 2 site so that user/group data is replicated between the 2 DS instances.
I have configured MMR before, the problem here is that, once it is configured, one side of AM and Portal and corrupted and not usable. I suspect it is that replication overwrites AM and Portal configs that are stored in DS.
Does anyone have any insight on how to set this up properly?I have configured MMR before, the problem here is that, once it is configured, one side of AM and Portal and corrupted and not usable. I suspect it is that replication overwrites AM and Portal configs that are stored in DS.I don't think I understand your problem. What are your replica databases and which suffixes are being overwritten wrongly?
-
Retrieve server status of Access Manager
Hi,
I have just joined a company which uses Access Manager and Identity Manager.
I have joined as a Junior and have been given a small project to work on. It includes creating a website which can retrieve the status of the several application servers. The website will be hosted on a different server to the one AM and IDM are currently hosted on.
Could anyone please put me in the right direction.
Many thanks,
KamAre you talking about Access Manager flopping over from ds1 to ds2 if ds1 is down?
In serverconfig.xml look for the line containing 'Server Name' and add a line like this directly underneath of it:
<Server name="Server2" host="ds2" port="389" type="SIMPLE" />
Save and exit
vi AMConfig.properties and add something like this after the existing com.iplanet.am.directory.host and com.iplanet.am.directory.port:
/* Added for multi-master directory fail-over */
com.iplanet.am.directory.host=ds2
com.iplanet.am.directory.port=389
com.iplanet.am.replica.retries=3
com.iplanet.am.replica.delay.between.retries=5000
/* End Added for multi-master directory fail-over */
Save and exit
Restart the Access Manager web container
Maybe you are looking for
-
Correct Data is not shown while opening Input Schedule
Hi I am facing this issue almost in every template i create After saving data in a particular template in an input schedule, i reopen the template from the dynamic templates library(etools -> open dynamic template) But the data saved previously does
-
Safari update 5.1.4 does not solve logging out of Facebook
After installing the new update for Safari (5.1.4), I am still being logged out of Facebook whenever I close my Mac. What is a reason for this? How can it be solved? I also have FileVault 2 enabled...
-
How do you set the Text in an Accordion Interaction?
When trying to set the text in the Accordion Interaction, it behaves very strange. You can't set it. It starts out at 13 and then changes to either 10 or 30. Can anyone give some advise on how to set this? Thanks.
-
I was creating an iWeb page, had been working for hours, I suddenly got a blank screen and it was gone. Can I recover my page?
-
Importing and converting WMA to AAC error
I am trying to convert my music files and import to itunes. When I attempt to bulk transfer I get an error with one track and the entire process stops. When I retry that track individually it does not produce an error. Why does itunes stop the entire