Disabling JavaScript on Access Manager

Hi,
We are testing the liberty samples that come with the access manager using an LECP-enabled client. During the single sign on process, the service provider redirects to the identity provider but after typing the login information on identity provider, the access manager responds with a few redirects and finally sends content that contains javascript. The client browser in our case does not support javascript. We tried disabling javascript for our client on the "Browser UA" screen on the "Edit Client Types" page in the Client Detection Service on Access Manager console but it does not seem to have any effect. Is there any other way to disable Access Manager from sending javascript ?
Please help.
Thanks in advance.
Regards,
Aditya

does your client support meta-refresh tags? AM often uses javascript to redirect the user. You would have to go in and modify/create new template files for your client to work around it.

Similar Messages

GRC AC 10: Emergency Access Management, Logon button is disabled (GRAC_SPM)

Hello Gurus,
I have configured Emergency Access Management in GRC AC 10.
GRC Box (SID) : GR1 client 100
Backend ERP system : D24 client 100
The FIREFIGHTER in GRC system : FFUSER1
Z_SAP_GRAC_SUPERUSER_MGMTUSER
Z_SAP_GRC_FN_BASE
Z_SAP_GRC_NWBC
In the Backend ERP system the FIREFIGHTER ID: ABC wants to access the FIREFIGHTER(FFUSER1)
Hence in NWBC (Setup >Superuser Assignment>Firefighter ID) the assignment is done.
ABC(FIREFIGHTER ID) <--->FFUSER1(FIREFIGHTER)
Now the User login the GRC system using FFUSER1 assigned following roles
Z_SAP_GRAC_SUPERUSER_MGMTUSER
Z_SAP_GRC_FN_BASE
Z_SAP_GRC_NWBC
Z_SAP_GRAC_SPM_FFID
and runs Transaction: GRAC_SPM
and he is able to see that ABC is assigned .
Now the user clicks on "Logon" and the status changes from green to "RED".
A new SAP screen opens asking credintials for Backend ERP system D24 client 100
The User enters his own Id : ABC and password and logs in.
Runs the necessary transactions and logs out using transaction: /nex
The session in GRC is still running and now the "LOGON button" is disabled , he comes out of that screen too.
When the user tries to login again using FFUSER1 to do more task , the "LOGON Button" is seen disabled.
and clicking the "unlock" button also doesn;t help.
When checked in SM04, no live session is reflected .
How can we "enable" the LOGON button in the transaction : GRAC_SPM for the same FIREFIGHTER (FFUSER1) assigned for Firefighter ID (ABC) ??
As it is now not possible to click "LOGON" button and the status is "RED".
Please let me know your opinion .
Thank You.
Regards,
Premjit

Thanks to All

How do I disable javascript in FF 23? It's no longer under 'content'

I consider it a security issue that I no longer have the ability top turn off java/javascript and what not. Is there no way to enable this? This is a terrible decision, if it was a decision. People should be able to control how they interact with the web, not the browser vendor. For a browser/organization that promotes freedom for the web, this is basic functionality for that freedom. Any solution would be helpful and please don't point me at some ugly plugin.

I agree with that Mozilla seems to be taking away prefs, but not that they want to lock your browser, also Note that turning off Javascript has little benefit (it isnt very insecure and cant really take control of the system), you can still disable Java (not Javascript) from the addon manager Firefox Button/Tools => Addons.
DO NOT MIX JAVA AND JAVASCRIPT, they are VERY SEPERATE, to avoid confusion read http://kb.mozillazine.org/JavaScript_is_not_Java <br>
"''JavaScript is a completely separate technology from Java. Java was the "in thing" back in the days when Brendan Eich at Netscape created a programming language that was originally going to be called LiveScript, so unfortunately they decided to rename it from LiveScript to JavaScript in the hope of catching the media’s interest. A JavaScript script is usually a small series of commands that are often embedded in a webpage to do things like create fly-out menus, invoke pop-up windows, and validate form data. Support for JavaScript is built into all XUL-based applications such as Firefox, Thunderbird and Mozilla Suite. (Note that JavaScript is actually a complete programming language, and it is one of the languages in which Mozilla products are written.) Java is a programming language used to create stand-alone software applications (including games). Java programs can also be embedded in webpages, in which case they are called ‘applets’. Java applications and applets require additional software (the Java Runtime Environment) to be installed on your system. For more information about running these technologies in your Mozilla product you should consult the JavaScript and Java articles.''"
In Firefox 23, as part of an effort to simplify the Firefox options set and protect users from unintentially damaging their Firefox, the option to disable JavaScript was removed from the Firefox Options window.
However, the option to disable JavaScript was not removed from Firefox entirely. You can still access it from about:config or by installing an add-on.
'''about:config'''
# In the address bar, type "about:config" (with no quotes), and press Enter.
# Click "I'll be careful, I promise"
# In the search bar, search for "javascript.enabled" (with no quotes).
# Right click the result named "javascript.enabled" and click "Toggle". JavaScript is now disabled.
To Re-enable JavaScript, repeat these steps.
'''Add-ons'''
You can alternatively install an add-on that lets you disable JavaScript, such as
*[https://addons.mozilla.org/firefox/addon/noscript/ No-Script] (to disable JavaScript on a per page basis, as required)
*[https://addons.mozilla.org/firefox/addon/quickjava/ QuickJava] (to easily disable and enable JavaScript, automatic loading of images, and other content)
*[https://addons.mozilla.org/firefox/addon/settingsanity/ SettingSanity] (adds back removed options for JavaScript, Advanced JavaScript Settings, loading images, and showing the Tab Bar)

UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)

PREAMBULA: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc-links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
Is there some known bug or workaround that matches this description?
Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in UWC/CE web-interface. I have reported them before, then they seemed fixed (not occuring for several tests in a row), but as time has shown, something wrong is still there.
So I'll try to go into deeper detail now, as we've may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
Our setup is split into several Solaris 10 full-root zones hosted on several servers, some of the components are enroute to HA (perhaps we made some mistakes on this part of the way?)
So, we have the following software stack:
1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its servicess.
The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
# imsimta version
Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
"Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (i.e. www.mail.domain.ru which is equivalent in DNS), they have only the Address book, Calendar and Options tabs; no webmail. So far this is resolved by Policy Agent forcing The One name of the server.
Here's the configuration we did specifically for AM SSO:
1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
com.iplanet.am.cookie.encode=false
am.encryption.pwd=<the same value>
all hostname-related parameters point to "psam.domain.ru"
2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
3) in "msg.conf" on "sunmail" (entries added via configutil):
local.webmail.sso.amcookiename = iPlanetDirectoryPro
local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
local.webmail.sso.singlesignoff = yes
local.webmail.sso.uwcenabled = 1
service.http.ipsecurity = no
(perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
--- main.js.orig        Sat Jan 26 07:52:09 2008
+++ main.js     Mon Jul 21 01:06:29 2008
@@ -667,7 +667,8 @@
function cleanup() {
   if(laurel)
-      top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+//      top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+      top.window.location = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
   else
       exec('logout', '', 'exit()')
@@ -1707,7 +1708,8 @@
   if(lg) {
         url = document.location.href
         url = url.substr(0,url.indexOf('webmail'))
-        uwcurl = url + 'base/UWCMain?op=logout'
+//      uwcurl = url + 'base/UWCMain?op=logout'
+        uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
   exit()
}6) Calendar SSO - per docs...
According to ngrep sniffing,
1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
<Request><![CDATA[
<NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
<GetNamingProfile>
</GetNamingProfile>
</NamingRequest>]]>
</Request>
</RequestSet>(receives a large XML list of different Access Manager configuration parameters and URLs)
...then a double-request to /amserver/sessionservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="Session" reqid="686">
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="678">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]>
</Request>
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="679">
<AddSessionListener>
<URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</AddSessionListener>
</SessionRequest>]]>
</Request>
</RequestSet>As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
!!!*** Now, the problem part ***!!!
8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
For the most detail I can provide, I'll even paste the whole HTTP packet:
POST /amserver/sessionservice HTTP/1.1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
Content-type: text/xml;charset=UTF-8
Content-length: 336
Cache-control: no-cache
Pragma: no-cache
User-agent: Java/1.5.0_09
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Host: cos-psam-01.domain.ru
Client-ip: 194.xxx.xxx.xxx
Via: 1.1 https-weblb.domain.ru
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="258">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]></Request>
</RequestSet> The server's error response is apparent:
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 31 Jul 2008 05:49:50 GMT
Content-type: text/html
Transfer-encoding: chunked
19b
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="258">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
<GetSession>
<Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
</GetSession>
</SessionResponse>]]></Response>
</ResponseSet>On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
POST /amserver/sessionservice HTTP/1.1
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
Content-Type: text/xml;charset=UTF-8
Content-Length: 379
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.5.0_09
Host: psam.domain.ru
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="281">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
<SetProperty>
<SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
<Property name="uwcstatus" value="active"></Property>
</SetProperty>
</SessionRequest>]]></Request>
</RequestSet> ...and the response is OK:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="281">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
<SetProperty>
<OK></OK>
</SetProperty>
</SessionResponse>]]></Response>
</ResponseSet>

There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
The solution for these customers was the following:
=> AM server/client side:
Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
=> AM client (UWC) side:
- Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
<sun-web-app>
   <property name="encodeCookies" value="false"/>
   <session-config>
      <session-manager/>
   </session-config>
   <jsp-config/>
<property name="allowLinking" value="true" />
</sun-web-app>Regards,
Shane.

Too Slow - Domino 6.5.4 with access manager agent 2.2 ?

I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
I think AMAgent.properties is not good for SSO.
Please help me to tune it.
# $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
# Copyright ? 2002 Sun Microsystems, Inc. All rights reserved.
# U.S. Government Rights - Commercial software. Government users are
# subject to the Sun Microsystems, Inc. standard license agreement and
# applicable provisions of the FAR and its supplements. Use is subject to
# license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
# trademarks or registered trademarks of Sun Microsystems, Inc. in the
# U.S. and other countries.
# Copyright ? 2002 Sun Microsystems, Inc. Tous droits r閟erv閟.
# Droits du gouvernement am閞icain, utlisateurs gouvernmentaux - logiciel
# commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
# licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
# vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl閙ents
# ? celles-ci.
# Distribu? par des licences qui en restreignent l'utilisation. Sun, Sun
# Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
# marques d閜os閑s de Sun Microsystems, Inc. aux Etats-Unis et dans
# d'autres pays.
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Access Manager
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Access Manager will disable the SDK.
com.sun.am.cookie.name = iPlanetDirectoryPro
# The URL for the Access Manager Naming service.
com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
# The URL of the login page on the Access Manager.
com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
# Name of the file to use for logging messages.
com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
com.sun.am.policy.agents.config.local.log.rotate = true
# Name of the Access Manager log file to use for logging messages to
# Access Manager.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Access Manager.
com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
# Set the logging level for the specified logging categories.
# The format of the values is
#     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
#     0     Disable logging from specified module*
#     1     Log error messages
#     2     Log warning and error messages
#     3     Log info, warning, and error messages
#     4     Log debug, info, warning, and error messages
#     5     Like level 4, but with even more debugging messages
# 128     log url access to log file on AM server.
# 256     log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.log.level =
# The org, username and password for Agent to login to AM.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certdb.prefix =
# Should agent trust all server certificates when Access Manager
# is running SSL?
# Possible values are true or false.
com.sun.am.trust_server_certs = true
# Should the policy SDK use the Access Manager notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notification.enable = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.url_comparison.case_ignore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.polling.interval=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the access manager. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userid.param=UserToken
# Profile attributes fetch mode
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-
number,c|country
# Session attributes mode
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.session.attribute.map=
# Response Attribute Fetch Mode
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.response.attribute.map=
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.lb.cookie.name = GX_jst
# indicate where a load balancer is used for Access Manager
# services.
# true | false
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.config.version=2.2
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
# Locale setting.
com.sun.am.policy.agents.config.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.config.instance.name = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.config.do_sso_only = true
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.config.accessdenied.url =
# This property indicates if FQDN checking is enabled or not.
com.sun.am.policy.agents.config.fqdn.check.enable = true
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
# com.sun.am.policy.agents.config.fqdn.map
com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Access Manager policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.config.fqdn.map =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Access Manager for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
com.sun.am.policy.agents.config.cookie.reset.enable=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Access Manager.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.config.cookie.reset.list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
com.sun.am.policy.agents.config.cookie.domain.list=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.config.anonymous_user=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.config.anonymous_user.enable=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?
OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.config.notenforced_list.invert = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.config.notenforced_client_ip_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.config.postdata.preserve.enable = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url =
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.config.client_ip_validation.enable = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.config.logout.url=
#http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.config.logout.cookie.reset.list =
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Access Manager.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetch_from_root_resource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.config.get_client_host_name = false
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.config.convert_mbyte.enable = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.policy.agents.config.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port =
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
com.sun.am.policy.agents.config.override_notification.url =
# The following property defines how long to wait in attempting
# to connect to an Access Manager AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active Access Manager Auth server"
com.sun.am.policy.agents.config.connection_timeout =
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# The three following properties are for IIS6 agent only.
# The two first properties allow to set a username and password that will be
# used by the authentication filter to pass the Windows challenge when the Basic
# Authentication option is selected in Microsoft IIS 6.0. The authentication
# filter is named amiis6auth.dll and is located in
# Agent_installation_directory/iis6/bin. It must be installed manually on
# the web site ("ISAPI Filters" tab in the properties of the web site).
# It must also be uninstalled manually when unintalling the agent.
# The last property defines the full path for the authentication filter log file.
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilter

Hi,
I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
I have the box to identify but it doesnot connect me on my opensso server.
It still identify with Domino's server
Thanks for your response
Thomas

Policy Agent doesn't reset Sun Access Manager session time idle value

Hi,
We have the following setup in our environment:
- apache web server/web and policy agent 2.2 for apache 2.0.54
- webmethods portal server (jetty)
-Sun Access Manager (with Sun Directory Server)
We use policy agent for authentication purpose only (via Sun Access Manager/LDAP) when the users access the portal. We have custom code that creates session in Sun Access Manager for custom LDAP services. For testing purpose, we configure SAM session to have Max Session Timeout at 120mins and Time Idle at 15mins. I would assume that, after the initial login request, for all subsequent accesses to the portal the policy agent should intercept the request and reset the Time Idle value of SAM session. However, when I monitor time idle value using SAM console, session tab, the time idle value didn't change when the portal user access pages, submit actions, etc. I can see in the debug log of policy agent that requests are being intercepted/processed, but the time idle didn't get reset.
Does anyone know if this is a bug in configuration or in policy agent itself or am I making the wrong assumption?
Thanks a lot for the help.

Thanks for the reply, Shivaram. The issue appears to occur at random time, not accurately at the 3 min interval as you mention. I tested changing this value to 1, theoretically, after one 1 minute of idle time, accessing a link would make the agent reset the time idle value for the user session in SAM, but it didn't even after 3 minutes. This seems to be either a policy agent or system access manager bug.
We performed a 'vanilla' test using the apache server manual pages (only plain HTML, no POST requests), the pages are protected by the policy agent. At the first login, rwe were prompted to enter credential to be validated by SAM/LDAP, and then a user session is created in SAM session table. We browse around the manual pages, once in a while, certain pages cause the policy agent to reset the time idle. However, revisiting these links after a few minutes doesn't reset the idle value. Caching setting has been disable as well. Could there be or lack of some settings in AMConfig.properties or AMAgent.properties that might have caused this behavior?
Thanks for all your help,

Oracle Access Manager and Passing Cert Info to HTML or JSP

Friends,
We are trying to pass the CN information from our smartcard (CAC) that looks i.e. john.doe.123456789 as a parameters to an Oracle Forms using the staticHTML implementation utilizing the OBLIX SSO OR utilizing a JSP or HTML file to read these parameters and update OID. We can pass the UID but since we will have First-time Registration of the Smartcards, the UID doesn't count since the CN information from the Smartcard has not been populated at this point to the OID, we are trying to get the functionality going to get the user first to put in their login and password but at submit time, to update the OID with the CN information to a separate column of OID and not the UID.
Utilizing the OAM, we have been able to proof concept the authentication using the UID by using the Policy Manager and the Access System Console --> Access System Configuration. It's works well with the plugin that comes with the OAM (SSOOblixAuth.java) and thx to Oracle Support, but we need to be able to pass other parameters that are specified as a part of the Resource - Action as headervars such as
HeaderVar OBLIX_SN or
hearderVar OBLIX_MAIL
Our Oracle Access Implementation is in halt until we find a way to pass these return Attributes to our Oracle Forms. The Oracle Forms running SSO is working greatly with just the userlogin and password (UID is passed as a header) without the Oracle Access Manager (OBLIX) but now we have shifted to this product for reading and processing Smartcard information.
Any help we can get, we very much appreciate it.
KA

O.K.
I am getting closer but still not getting the ssooblixuser or ssooblixcn. I have
the following jsp to fire after a successful authentication.
The following code is utilized in our SSO environment for changing passwords.
The bolded line should get the ssooblixuser but it is not..
<%
response.setHeader("Cache-Control", "no-cache");
response.setHeader("Pragma", "no-cache");
response.setHeader("Expires", "Thu, 29 Oct 1969 17:04:19 GMT");
request.setCharacterEncoding("UTF-8");
response.setContentType("text/html; charset=UTF-8");
String remoteUser = null;
String userDn = null;
String referer = null;
String oblixheader = null;
remoteUser = request.getRemoteUser();
userDn=request.getHeader("OSSO-USER-DN");
referer=request.getHeader("referer");
oblixuser = request.getHeader("ssooblixuser");
%>
<HTML>
<HEAD>
<SCRIPT language="JavaScript">
function validatePasswordsMatch()
var frm = document.forms["changePassword"];
if(frm.newpwd.value != frm.confirm_newpwd.value)
alert('The Password and verified password do not match!');
return false;
else
document.changePassword.submit();
return false;
function cancelButton()
document.close();
</SCRIPT>
</HEAD>
<BODY bgcolor="#cae3ff" >
<table width="750" height="10" border="0" cellspacing="0" cellpadding="0">
</table>
<TABLE ALIGN="Center">
<TR><TD>User Name</TD><TD> <%=remoteUser%> </TD></TR>
<TR><TD>OBLIX USER</TD><TD> <%=oblixuser%> </TD></TR>
Edited by: user10130371 on Sep 17, 2009 8:09 AM
Edited by: user10130371 on Sep 17, 2009 8:10 AM

Access manager policyagent 2.1 fro webspher5.0 with sun access manager in

Help It is very urgent
I have installed my sun access manager and sun direcory server on same machine solaris10.SSL is diable in directory server.Access manager working on ssl mode means it is working on Http with port 80 and Https with port443.Access manager url is
http://lhostname:80/amconsole or https://hostname:443/amconsole and
http://host:80/amserver/UI/Login or https://host:443/amserver/UI/Login.it is displaying access manager login page.It is working properly standalone.
But when i configure it with policyagent2.1 for WebSphere5.0 .WebSphere installed on windows2000 server.when i type the application URL that is running on WebSphere it does not show access manager login page.It show u r not authurised to view this page.WebSphere running on Http.
and amService log detail is*****************************************************
03/02/2006 05:57:32:018 PM GMT+05:30: Thread[Servlet.Engine.Transports : 0,5,main]
Naming service URL list: [https://my.domain.com:443/amserver/namingservice]
03/02/2006 05:57:32:018 PM GMT+05:30: Thread[Servlet.Engine.Transports : 0,5,main]
Only one naming service URL specified. NamingServiceMonitor will be disabled.
03/02/2006 05:57:32:018 PM GMT+05:30: Thread[Servlet.Engine.Transports : 0,5,main]
getServiceURL for service: auth protocol: https host: my.domain.com port: 443
03/02/2006 05:57:32:112 PM GMT+05:30: Thread[Servlet.Engine.Transports : 0,5,main]
ERROR: Naming service connection failed
com.iplanet.services.comm.client.SendRequestException: com.ibm.ws.orbimpl.transport.protocol.https.HttpsURLConnection
     at com.iplanet.services.comm.client.PLLClient.send(PLLClient.java:141)
     at com.iplanet.services.comm.client.PLLClient.send(PLLClient.java:73)
     at com.iplanet.services.naming.WebtopNaming.getNamingResponse(WebtopNaming.java:360)
     at com.iplanet.services.naming.WebtopNaming.updateNamingTable(WebtopNaming.java:421)
     at com.iplanet.services.naming.WebtopNaming.getNamingProfile(WebtopNaming.java:353)
     at com.iplanet.services.naming.WebtopNaming.getServiceURL(WebtopNaming.java:187)
     at com.sun.identity.authentication.AuthContext.setLocalFlag(AuthContext.java:1159)
     at com.sun.identity.authentication.AuthContext.createAuthContext(AuthContext.java:1100)
     at com.sun.identity.authentication.AuthContext.createAuthContext(AuthContext.java:1071)
     at com.sun.identity.authentication.AuthContext.<init>(AuthContext.java:142)
     at com.sun.identity.policy.client.AuthService.getAppSSOToken(AuthService.java:103)
     at com.sun.identity.policy.client.AuthService.getApplicationSSOToken(AuthService.java:79)
     at com.sun.identity.policy.client.PolicyEvaluator.getAppSSOToken(PolicyEvaluator.java:499)
     at com.sun.identity.policy.client.PolicyEvaluator.init(PolicyEvaluator.java:193)
     at com.sun.identity.policy.client.PolicyEvaluator.<init>(PolicyEvaluator.java:172)
     at com.sun.identity.policy.client.PolicyEvaluatorFactory.getPolicyEvaluator(PolicyEvaluatorFactory.java:118)
     at com.sun.identity.policy.client.PolicyEvaluatorFactory.getPolicyEvaluator(PolicyEvaluatorFactory.java:87)
     at com.sun.identity.agents.policy.AmWebPolicy.<init>(Unknown Source)
     at com.sun.identity.agents.policy.AmWebPolicyManager.<init>(Unknown Source)
     at com.sun.identity.agents.policy.AmWebPolicyManager.<clinit>(Unknown Source)
     at com.sun.identity.agents.filter.AmFilter.<init>(Unknown Source)
     at com.sun.identity.agents.filter.AmFilterManager.getAmFilter(Unknown Source)
     at com.sun.identity.agents.filter.AmFilterManager.getAmFilter(Unknown Source)
     at com.sun.identity.agents.filter.AmFilterManager.getAmFilterInstanceForModeConfigured(Unknown Source)
     at com.sun.identity.agents.filter.AmAgentFilter.doFilter(Unknown Source)
     at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:132)
     at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:71)
     at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.handleWebAppDispatch(WebAppRequestDispatcher.java:863)
     at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java:491)
     at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java:173)
     at com.ibm.ws.webcontainer.srt.WebAppInvoker.doForward(WebAppInvoker.java:79)
     at com.ibm.ws.webcontainer.srt.WebAppInvoker.handleInvocationHook(WebAppInvoker.java:199)
     at com.ibm.ws.webcontainer.cache.invocation.CachedInvocation.handleInvocation(CachedInvocation.java:71)
     at com.ibm.ws.webcontainer.srp.ServletRequestProcessor.dispatchByURI(ServletRequestProcessor.java:182)
     at com.ibm.ws.webcontainer.oselistener.OSEListenerDispatcher.service(OSEListener.java:331)
     at com.ibm.ws.webcontainer.http.HttpConnection.handleRequest(HttpConnection.java:56)
     at com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnection.java:432)
     at com.ibm.ws.http.HttpConnection.run(HttpConnection.java:343)
     at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:592)
Thanks & Regards
Saini

This is an SSL handshake problem of Websphere - has nothing to do with AM.
Websphere�s JDK does not trust the Signer / Cert of AM�s deployment container.
Either configure a truststore (or use an existing webshpere truststore) where you import the Cert of the Signing CA of your AM DC�s cert.
Other option - import the mentioned cert in cacert file of IBM JDK - but be aware that this might get lost when applying an Websphere fixpack/refreshpack.
BTW what have you configured for server.port,server.host and server.protocol in your AMConfig.properties?
If you have not changed that settings agent will use the port/protocol specified to communicate with AM.
-Bernhard

Access manager installation on solaris zone

Hi
I have installed the Access manager 7.0, Sun java system app server 8.1, Sun sirectory server 5.2 through JES installer on solaris 10 zone AM55-zone. Installer summarry is below, which shows installtion complete without error, but I am not able to launch the amserver login page.
Any suggestion, what I did wrong? any thoughts?
Sid
Installation Complete
Software installation has completed successfully. You can view the installation
summary and log by using the choices below. Summary and log files are available
in /var/sadm/install/logs/.
Your next step is to perform the postinstallation configuration and
verification tasks documented in the Postinstallation Configuration and Startup
Chapter of the Sun Java(TM) Enterprise System Installation Guide. See: http:
//docs.sun.com/doc/819-2328.
Enter 1 to view installation summary and Enter 2 to view installation logs
[1] {"!" exits} 1
Installation Summary Report
Install Summary
Java Enterprise System : Installed
Sun Java(TM) System Message Queue 3 2005Q4 Enterprise Edition : Installed
Sun Java(TM) System Application Server Enterprise Edition 8.1 2005Q4 : Installed
Sun Java(TM) System Directory Preparation Tool : Installed
Sun Java(TM) System Directory Server 5 2005Q4 : Installed
Sun Java(TM) System Access Manager 7 2005Q4 : Installed
Configuration Data
Sun Java(TM) System Application Server Enterprise Edition 8.1 2005Q4 :
Domains and Instance Configuration Directory : /var/opt/SUNWappserver
Application Server Installation Directory : /opt/SUNWappserver
Sun Java(TM) System Directory Preparation Tool :
Directory Preparation Tool Installation Directory : /opt/SUNWcomds
Sun Java(TM) System Directory Server 5 2005Q4 :
Directory Server Admin User : admin
Directory Server Manager : cn=Directory Manager
Directory Server Identifier : AM55-zone
Directory Server Port : 389
Directory Server Root Suffix : dc=ipsolutionshowcase,dc=com
<--[33%]--[ENTER To Continue]--[n To Finish]--> {"!" exits}
Directory Server Administration Domain : ipsolutionshowcase.com
System User : root
System Group : root
Existing Configuration Directory : 0
Configuration Directory Host : AM55-zone.ipsolutionshowcase.com
Configuration Directory Port : 389
Configuration Directory Admin User : admin
Existing User Directory : 0
User Directory Host : AM55-zone.ipsolutionshowcase.com
User Directory Port : 389
User Directory Admin User : admin
User Directory Suffix : dc=ipsolutionshowcase,dc=com
Disable Schema Checking : 0
Add Sample Entries : 0
Populate Database : 1
Sun Java(TM) System Access Manager 7 2005Q4 :
Access Manager Installation Directory : /opt
Access Manager Protocol : http
Access Manager Port : 8080
LDAP User ID : amldapuser
<--[66%]--[ENTER To Continue]--[n To Finish]--> {"!" exits}
Administrator User ID : amAdmin
Web Container : AppServer
Access Manager Application Server Installation Directory :
/opt/SUNWappserver/appserver
Document Root : /var/opt/SUNWappserver/domains/domain1/docroot
Access Manager Console Host (for Existing console) : AM55-zone.
ipsolutionshowcase.com
Access Manager Console Deploy URI : amconsole
Access Manager Password Deploy URI : ampassword
Access Manager Host : AM55-zone.ipsolutionshowcase.com
Access Manager Services Deploy URI : amserver
Access Manager Cookie Domain List : .ipsolutionshowcase.com
Access Manager Common Domain Deploy URI : amcommon
Access Manager Directory Server Host Name : AM55-zone
Access Manager Directory Server Host : AM55-zone.ipsolutionshowcase.com
Access Manager Directory Server Port : 389
Access Manager Directory Root Suffix : dc=ipsolutionshowcase,dc=com
Access Manager Directory Manager DN : cn=Directory Manager
Organization Marker Object Class : sunISManagedOrganization
User Marker Object Class : inetorgperson
Organization Naming Attribute : o
User Naming Attribute : uid
<--[100%]--[ENTER To Continue]--[n To Finish]--> {"!" exits}
Enter 1 to view installation summary and Enter 2 to view installation logs
[1] {"!" exits} !
You have new mail in /var/mail/root
bash-3.00#
bash-3.00# cd /var/opt/mps/serverroot/slapd-AM55-zone
bash-3.00# ./start-slapd

Thanks samk,
After the installation, I have started the Directory server,admin,and console with following commands:
bash-3.00# directoryserver start
bash-3.00# directoryserver start-admin
SunONE-WebServer-Enterprise/6.0SP3 B05/19/2004 02:48
warning: daemon is running as super-user
[LS ls1] http://AM55-zone.ipsolutionshowcase.com <http://AM55-zone.ipsolutionshowcase.com> , port 390 ready to accept requests
startup: server started successfully
bash-3.00# directoryserver startconsole
Recieved the Login console window,logged in and got the ipsolutionshowcase tree.
What are the next steps I need to folow in order to launch the Access Manager page?
Ant thoughts?
Thanks for ye help
Sid

HP Device Access Manager Crashes everytime I open it

I have a brand new 2 days old zbook 17 G2 (k4k44ut#ABA). After having it less than 24 hrs, the system completely crashed, and would not even boot. I used the F11 recovery, and brought the laptop back to factory defaults.
I thought I'd see if "the HP Device Access Manager" was not allowing access to the drive, and when I go into the HP Client Security, and click on "Device Access Manager" it crashes the tool and closes it:
Also, I'm a bit paranoid about the stability of this $2800 new laptop ($3300 with carepak).. so I am trying to back it up with a clickfree C2.. which the HP doesn't appear to let it access. Also, the laptop does't even recognize it as USB 3.0, which the clickfree is... (weird).
I moved from an "also expensive" HP nx9420 business laptop (actually had two nx9420s) to this one and I'm really worried about the zbook, as I've never experienced so much instability on a new laptop before.
I pondered completely removing the HP Device Access manager package.. but not sure of the impact..
Please help me in determining why this thing crashes though, when I open the device access manager.

Disregard getting clickfree to work.. I was able to give it a 15min access... (although would like to extend this).
I just need to figure out why the Device Access Manager crashes now and if i can disable it.

Configure security realm for external Access Manager in App server 8.1

Hi All,
I would like to protect my j2ee application using access manager running on an external host.
I would like to configure the security realm in Sun app Server 8.1 for the external Access Manager
external host & port of AM is:
http://svrd234d.dnn.com.au:58765
Please verify if these are the correct settings for the agentRealm configuration on Sun App server 8.1.
classname="com.sun.amagent.as.realm.AgentRealm"
property name="jaas-context" value="agentRealm"
property name="base-dn" value="ou=People,dc=dnn,dc=com,dc=au"
property name="hostURL " value="http://svrd234d.dnn.com.au:58765"

Did you download AS8.1 agent under http://www.sun.com/download/products.xml?id=4266924d?
If you can unjar am_as81_agent_2_1.jar after installing the J2EE agent, you will find AgentRealm.class under com.sun.amagent.as.realm.
Please also note that page 161 of J2EE agent guide shows how to disable AgentRealm to better fit your agent policy mode. Check it out http://docs-pdf.sun.com/816-6884-10/816-6884-10.pdf
Jerry

Uninstalling Access Manager in Windows platform

Hi,
we need un uninstall Access Manager 7.1 under Windows 2003, but after setting DEPLOY_LEVEL variable to 11, the AMConfig.bat complains with this error:
Error while configuring AccessManager :Invalid deploy type
Is this a known issue?
Any advice to uninstall AM (The Add / Remove Programs from Windows has shown to be painfull with Access Manager)
Thank you,
Mois�s

Hi PabloVDL,
It seems is this two server has register the incorrect DNS, please try to add this server manage NIC IP to your manager hosts file or if possible trmpory disable the useless NIC DNS register. This issue also some times caused by when you installed
the HP insignth management, if in your environment you have this tools please temporarily uninstall it.
More information:
Windows Server 2012 - Server Manager Troubleshooting Guide, Part III: Common
Events and Errors in Server Manager
http://social.technet.microsoft.com/wiki/contents/articles/13445.windows-server-2012-server-manager-troubleshooting-guide-part-iii-common-events-and-errors-in-server-manager.aspx
I’m glad to be of help to you!
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place.

Why can't we simply have an option to enable/disable Javascript on sites again in the settings for Firefox 27? Suddenly my Gmail attachments won't open. Gmail.

Suddenly my Gmail attachments have stopped opening, and I receive the message: JavaScript must be enabled in order for you to use Gmail in standard view. However, it seems JavaScript is either disabled or not supported by your browser. To use standard view, enable JavaScript by changing your browser options, then try again.
I found a Mozilla support thread where it was explained that Javascript has been turned off for a while in FF. OK. Then there was a complicated answer about how you could still turn it back on by typing in a config code into the address bar. What? Or, you could download an extension to do that for you. Why?
Please-- if you really feel like users can't be trusted, and Javascript must be turned off, at least bring back the ability to enable/disable Javascript on a per site basis in options, without having to know code. It's Gmail.
Thank you.

There is nothing on that thread that says Javascript is turned off by default. to quote:
"In Firefox 23, as part of an effort to simplify the Firefox options set and protect users from unintentially damaging their Firefox, the option to disable JavaScript was removed from the Firefox Options window.
However, the option to disable JavaScript was not removed from Firefox entirely. You can still access it from about:config or by installing an add-on. "
The UI checkbox to disable Javascript was removed, but the option still exists in about:config (which isn't code btw, it's just preferences), nor was Javascript turned off by default, in fact the opposite is true, it is enabled by default with the option to disable it made a little more difficult to find, as only advanced users need to disable Javascript.
Please try to clear the cache and cookies for gmail, let's see if those are causing problems. [[Delete cookies to remove the information websites have stored on your computer]], [[How to clear the Firefox cache]]

How can we disable the OSX Access Point functionality without disabling all wifi.

Curious if anyone knows a way in Lion/Mountain Lion to disable the OSX access point features.
i have about 50+ macs in our company for iOS development. lately we've had a lot of rogue AP's showing up, people bridging the internal network by activating the "become a hotspot" feature in OSX. this is a *GREAT* feature, don't get me wrong. especially the latency and ease of use.. but in our case its causing problems, and i'm looking at a way to disable the AP features without disabling ALL wifi with something like.
/usr/sbin/networksetup -setairportpower en1 off
this is a bit too much ,it disables the entire airport/wifi. we want to only disable the access point capabilities.
any hardcore guru's out there have some advise?
TIA!

Enabling sharing services requires administrative access, so one option is to set this and only give folks standard "managed" access. The Internet Sharing service is a process called "InternetSharing" that runs as the root user and establishes all the appropriate services for the needed connection. You could technically remove or even rename this process on systems to prevent it from being used, or remove or disable its launch daemon. These files are in the following directories:
/System/Library/LaunchDaemons/com.apple.InternetSharing.plist
/usr/libexec/InternetSharing

Access Management Service

when i try to run the AccessManagerSamples.java which is provided as part of access manager sdk, i am getting an error like The Access Management Service is disabled.
Any idea on how to fix this issue.

You need to enable the Access Management Service in your AccessGate configuration as well as in the configuration of the Access server it connects to. Both these changes can be done from the Access System console.
-Vinod

Disabling JavaScript on Access Manager

Similar Messages

Maybe you are looking for