Enabling OCSP checking in Access Manager causes Directory lookup error

I have deployed Access Manager 7.1 update 1 to Sun Java Web Server 7. This is on a Solaris 9 sparc server.
If I enable OCSP checking in AMConfig.properties, I get the following in my web server logs:
HTTP3068: Error receiving request from 214.x.x.x (Directory lookup error).
This is when running the webserver as webservd - if I run it as root (not acceptable in my environment) I don't have a problem. I have successful installations on a Solaris 10 x86, and another Solaris 9 sparc server.
It seems to be either a permissions issue, or an environment issue, but after working with LD_LIBRARY_PATH, and adding .jar and .so files to the amserver lib directory, I'm still not getting a working configuration. Does anyone have any ideas?

Similar Messages

  • Setting up Access Manager and Directory Server for Failover.

    I'm setting up 2 Access Managers AM1,AM2 and 2 Directory Servers DS1 and DS2 for failover. I've connected AM1 and AM2 to DS1. Suffixes of DS1 is replicated to DS2. Any change made to AM1 is replicated to AM2 as expected. I just patched AM1 with Access Manager patch 1 and the version information for AM1 shows 7.1 126359-01. I followed the same procedure to patch AM2 but AM2 still shows ver 7.1.
    How do I make sure both Access Managers are patched to the same version?
    I'm able to authenticate to one IIS6 site and authentication is passed on to Outlook Web Access on AM1 but when I shut down AM1 to test failover to AM2 OWA prompts me again for password. How do I resolve this?
    On AM1 http://host.domain/amserver/UI/Login?realm=sso successfully logs in but the same on AM2 gives Warning that "You have already logged in. Do you want to log out and then login to a different organization?"
    Please help !!!

    I'll answer what bits I can:
    Q: AM showing the same version?
    A: No idea on this one. I would have expected the operation you described to have produced the right answer. Check that neither your application server nor your web browser are caching old pages (ctrl-F5 in my browser)
    Q: How do I resolve re-authentication on failover?
    A: The AM documentation includes a deployment example that covers pretty closely what it is you are trying to achieve:
    http://docs.sun.com/app/docs/doc/820-2278
    Specifically, the problem you are describing is related to session failover. The sessions are stored in a local DB so when you failover the backup server does not store the same information and hence requires a reauthentication. The section of the above doc that deals with this is here:
    http://docs.sun.com/app/docs/doc/820-2278/gdsre?l=en&a=view
    Q: "You have already logged in" warning
    A: No idea. Sorry.
    R

  • Installing Access Manager and Directory Server

    Can I install the Access Manager 2005Q4 without installing the directory server?
    The products selected for installation have dependency requirements or installation options as indicated below.
    Sun Java(TM) System Directory Server 5 2005Q4
    ------------------------------------------------------------------------

    Every time I click the Access Manager in the JES 2005Q4 installer the directory server would click itself. Unchecking this prompted me for a remote repository which worked.
    I wasn't able to get the install to complete with the state file, it stopped before configuring access manager.

  • Unable to use SSL between Access Manager and Directory Server

    I am trying to set up Access Manager to use SSL when communicating with Directory Server. Access Manager 7 is running under Sun Web Server 6.1. I have configured Directory Server to use SSL using a Self-Signed CA and have imported the CA certificate into the certificate database for Web Server. When I change the Access Manager configuration as specified in the Admin Guide to use SSL and restart the Web Server, Access Manager fails with the message
    (among many others)
    netscape.ldap.LDAPException: SSL connection to
    eauth1.arc.nasa.gov:636, SSL_ForceHandshake failed: (-8157) Certificate extension not found. (91); Cannot
    connect to the LDAP server
    I am able to connect to the Directory Server instance with JXplorer using SSL (with a complaint about an unknown CA). Can someone explain the error message so that I can fix the problem or work around it?
    Thanks

    In the initial part of AMConfig.properties, you'll find an entry similar to trustSSLCerts. This, by default, is set to false. Try setting it to true (AM web server instance will need a restart). This lets AM continue with SSL handshaking in spite of errors. Am not sure if this affects AM to DS connectivity as well. It sure affects AM to AM communication (in a multiple server configuration).
    Naturally, it is not recommended that you use this feature when you are ready for production, but at least it'll let you be sure that apart from the cert issue, everything else is okay.
    Hope this helps.

  • "24427 Access to Active Directory failed" error in ACS 5.1

    Hello,
    I'm working on implementing a RADIUS authentication for wireless access with the following :
    - PCs running Windows 7, protocol used is PEAP (without validating the server certificate to make it simple at first),
    - AP 1252  configured to use a RADIUS server to authenticate (it's working good with an ACS server 4.2),
    - ACS Server 5.1.0.44.5 running as VM connected to an AD domain and working good with VPN connections,
    - AD domain running on Windows 2003 Server.
    My ACS VM is working good since a couple of months for VPN (RADIUS) and administration (TACACS) remote access, both using Active Directory. Now, I'd like to use it to authenticate people connecting to a 1252 Cisco access point but I'm getting this error "24427 Access to Active Directory failed". I switched from PEAP to LEAP but this is the same.
    All I can get running the expert troubleshoot
    Investigating failure code: 24427 Access to Active Directory failed
    Checking if Active Directory is configured
    Active Directory is configured
    Attempting connection to Active Directory
    Connection to Active Directory was successful.
    Troubleshooting completed.
    Click on Show Results Summary to view results.
    I followed this guide, at least for the ACS certificate section :
    http://www.cisco.com/en/US/products/ps10315/products_configuration_example09186a0080b4cdb9.shtml
    Anyone has an idea where the problem may come from?
    Thanks in advance,
    Vincent

    Hey there, I ran into the same issue with 5.3 and it turned out being this bug. I came across your post looking for instructions on retrieving the logs. Thanks mate.
    link
    Problem: Error "24495 Active Directory servers are not available"
    Authentication starts failing with this error: 24495 Active Directory servers are not available. in the ACS 5.3 logs.
    Solution
    Check the ACSADAgent.log file through the CLI of the ACS 5.x for messages such as:
    Mar 11 00:06:06 xlpacs01 adclient[30401]: INFO base.bind.healing Lost connection to xxxxxxxx. Running in disconnected mode: unlatch.
    If you see the Running in disconnected mode: unlatch error message, this means the ACS 5.3 cannot maintain a stable connection with Active Directory. The workaround is to either switch to LDAP or downgrade the ACS to 5.2 version. Refer to Cisco bug ID CSCtx71254 (registered customers only) for more information.

  • Sun Access Manager causes threads leak in glassfish

    Hello,
    I have integrated SUN AM with glassfish as basic authentication module for Web Services invocation.
    Server is running CentOS, JVM 1.6 64bit, SUN AM 7.1 and glassfish 2.1.1.
    The problem is that each request (rejected or accepted) causes creating 6 threads that will never be terminated. This causes running out of memory after about a thousand requests. (I'm using visualvm for monitoring JVM)
    Session timeouts are set, but it doesn't imply threads termination.
    Do you have any hints what can be the problem? Of course I'll send more details if you need it.
    Best Regards,
    Lukasz

    The information you provided isn't enough to troubleshoot your problems. You will need to enable debug logs to get more detailed error messages. My guess would be that the password for the dsameuser has expired and/or the dsameuser has been locked/disabled
    Edited by: handat on Sep 19, 2012 2:32 PM

  • Set up for access manager fails with this error. Pl. Help

    Bug Report Form
    An error has occurred while executing the application.
    Your browser does not support automatic mail sending.
    Please E-Mail to the following information
    Your Name
    Organization
    E-Mail Address
    Phone Number
    Comment
    Make sure to append the following traceback in the mail.
    Traceback \Oblix\coreid\palantir\webplugins\src\setup_admin.cpp:10389: Error: Exception re-thrown in SetupAdmin HandleEvent()
    \Oblix\coreid\palantir\webplugins\src\setup_admin.cpp:10604: Error: Exception re-thrown in SetupAdmin HandleEvent()
    \Oblix\coreid\palantir\webplugins\src\setup_admin.cpp:4589: Error: Exception re-thrown in SetupAdmin::GenProcessLDAPPersonOC()
    \Oblix\coreid\palantir\webplugins\src\setup_admin.cpp:4119: Error: Exception re-thrown in SetupAdmin::CreateConfigInfo()
    \Oblix\coreid\palantir\dblib\src\obconfig_db.cpp:460: Error: Exception re-thrown in ObConfigDB::Flush()
    \Oblix\coreid\palantir\dblib\src\ldap_config_db.cpp:519: Error: Exception re-thrown in LDAPConfigDB::WriteOblixDBConfig()
    ldap_util_failover.cpp:135: Error: Exception re-thrown in LDAPCompareAttrWFailover()
    ldap_util_failover.cpp:121: Error: Unable to compare attributes - No such object in LDAPCompareAttr()
    Product NetPoint User Manager Version
    Platform Microsoft Windows
    What to do???

    Hi ,
    This message occurs when the listener on the remote node cannot be contacted.
    Did you add the host name and IP in your DNS server?
    You can try tracing the path or the route a connection is taking from the client to the server. If it encounters an error, then it returns the error stack which gives us more information when compared to a cryptic one line error.
    Execute the following:
    trcroute host_name
    This will help you find the problem and fix it. The problem may fall into one of the following areas:
    Check TNSNAMES.ORA:
    The TNSNAMES.ORA may contain a wrong address. Check the host and port have been specified correctly. Check the details against the LISTENER.ORA file.
    Check the remote node:
    Check if the listener has been started on the remote node. Check the status with the STATUS command of the listener control utility (lsnrctl):
    lsnrctl
    lsnrctl> status listener_name
    listener_name is the name of the listener defined in the listener.ora file. If you have not changed the listener name, then it would be called LISTENER.
    If the listener has not been started, start it with the command:
    lsnrctl> start listener_name
    You can check if the fix worked by executing tnsping. It should return an "OK" message if the TNSPING has been successful.
    Thanks..
    Mohit

  • Sun Java System Access Manager 7.1 config. failed during installation

    Hi,
    I have installed sun java communication suite 5 on a single host on sun solaris 10.
    I have installed required packages and it works fine.
    But as per organization need, I have to change domain name.
    So I have uninstalled everything and tried to install again with new domain name.
    I have made proper entries in hosts file and resolve.conf file.
    But during the first phase of installation only, I failed in configuring access manager 7.1
    I have also created the same scenario in my test environment, but every time I face the same error.
    and sun java access manager 7.1 fails in first stage of installation only.
    So would like to know the proper installation procedure while I change the domain name on same hardware...
    I have checked both installation logs & summary logs.
    But no error, no failed, no severe.
    Attached is the summary of installation logs.
    Summary Logs :
    Installation Summary Report
    Install Summary
    Sun Java(TM) Communications Suite : Installed
    Sun Java(TM) System Web Server 7.0 : Installed, Configured
    Java DB : Installed, Configure After Install
    Sun Java(TM) System Message Queue 3.7 UR1 : Installed
    Sun Java(TM) System Monitoring Console 1.0 : Installed, Configure After Install
    Sun Java(TM) System Directory Preparation Tool : Installed
    Sun Java(TM) System Directory Server Enterprise Edition 6.0 : Installed, Configured
    Sun Java(TM) System Access Manager 7.1 : Installed, Configuration Failed
    Sun Java(TM) System Messaging Server 6.3 : Installed, Configure After Install
    Sun Java(TM) System Communications Express 6 : Installed, Configure After Install
    Communication Services Delegated Administrator : Installed, Configure After Install
    Configuration Data
    Sun Java(TM) System Web Server 7.0 :
    Web Server Instance installation Directory : /var/opt/SUNWwbsvr7
    Web Server installation Directory : /opt
    Web Server Administration Server Host : RADAGWMSG221.myreliancemail.com
    Web Server Admin Server Mode : true
    Web Server only CLI installation : false
    Sun Java(TM) System Directory Preparation Tool :
    Directory Preparation Tool Installation Directory : /opt/SUNWcomds
    Sun Java(TM) System Directory Server Enterprise Edition 6.0 :
    Directory Server Installation Directory : /opt/SUNWdsee
    Sun Java(TM) System Access Manager 7.1 :
    Access Manager Installation Directory : /opt
    Access Manager Protocol : http
    Access Manager Port : 80
    LDAP User ID : amldapuser
    Administrator User ID : amAdmin
    Web Container : WebServer
    Access Manager Web Server Host Name : RADAGWMSG221.myreliancemail.com
    Access Manager Web Server Instance Directory : /var/opt/SUNWwbsvr7/https-RADAGWMSG221.myreliancemail.com
    Access Manager Web Server Port : 80
    Access Manager Console Host (for Existing console) : RADAGWMSG221.myreliancemail.com
    Access Manager Console Deploy URI : amconsole
    Access Manager Password Deploy URI : ampassword
    Access Manager Host : RADAGWMSG221.myreliancemail.com
    Access Manager Console Port(for Existing console) : 80
    Access Manager Services Deploy URI : amserver
    Access Manager Cookie Domain List : .myreliancemail.com
    Access Manager Common Domain Deploy URI : amcommon
    Access Manager Directory Server Host Name : RADAGWMSG221
    Access Manager Directory Server Host : RADAGWMSG221.myreliancemail.com
    Access Manager Directory Server Port : 389
    Access Manager Directory Root Suffix : o=rmail
    Access Manager Directory Manager DN : cn=Directory Manager
    Organization Marker Object Class : sunISManagedOrganization
    User Marker Object Class : inetorgperson
    Organization Naming Attribute : o
    User Naming Attribute : uid
    Sun Java(TM) System Messaging Server 6.3 :
    Messaging Server Installation Directory : /opt/SUNWmsgsr
    Sun Java(TM) System Communications Express 6 :
    Communications Express Installation Directory : /opt/SUNWuwc
    Communication Services Delegated Administrator :
    Communication Services Delegated Administrator Installation Directory : /opt/SUNWcomm

    Rushi-Reliance wrote:
    Kindly let us know how to proceed further as we are waiting some reply from your team.

    As I already advised in your previous posting (http://forums.sun.com/thread.jspa?threadID=5359095), you are best off re-installing solaris from scratch and installing Communication Suite 6 update 1 if you cannot get Access Manager 7.1 configured.
    Regards
    Shane.

  • Access manager installation on solaris zone

    Hi
    I have installed the Access manager 7.0, Sun java system app server 8.1, Sun directory server 5.2 through JES installer on solaris 10 zone AM55-zone. Installer summary is below, which shows installation complete without error, but I am not able to launch the amserver login page.
    Any suggestion, what I did wrong? any thoughts?
    Sid
    Installation Complete
    Software installation has completed successfully. You can view the installation
    summary and log by using the choices below. Summary and log files are available
    in /var/sadm/install/logs/.
    Your next step is to perform the postinstallation configuration and
    verification tasks documented in the Postinstallation Configuration and Startup
    Chapter of the Sun Java(TM) Enterprise System Installation Guide. See: http:
    //docs.sun.com/doc/819-2328.
    Enter 1 to view installation summary and Enter 2 to view installation logs
    [1] {"!" exits} 1
    Installation Summary Report
    Install Summary
    Java Enterprise System : Installed
    Sun Java(TM) System Message Queue 3 2005Q4 Enterprise Edition : Installed
    Sun Java(TM) System Application Server Enterprise Edition 8.1 2005Q4 : Installed
    Sun Java(TM) System Directory Preparation Tool : Installed
    Sun Java(TM) System Directory Server 5 2005Q4 : Installed
    Sun Java(TM) System Access Manager 7 2005Q4 : Installed
    Configuration Data
    Sun Java(TM) System Application Server Enterprise Edition 8.1 2005Q4 :
    Domains and Instance Configuration Directory : /var/opt/SUNWappserver
    Application Server Installation Directory : /opt/SUNWappserver
    Sun Java(TM) System Directory Preparation Tool :
    Directory Preparation Tool Installation Directory : /opt/SUNWcomds
    Sun Java(TM) System Directory Server 5 2005Q4 :
    Directory Server Admin User : admin
    Directory Server Manager : cn=Directory Manager
    Directory Server Identifier : AM55-zone
    Directory Server Port : 389
    Directory Server Root Suffix : dc=ipsolutionshowcase,dc=com
    <--[33%]--[ENTER To Continue]--[n To Finish]--> {"!" exits}
    Directory Server Administration Domain : ipsolutionshowcase.com
    System User : root
    System Group : root
    Existing Configuration Directory : 0
    Configuration Directory Host : AM55-zone.ipsolutionshowcase.com
    Configuration Directory Port : 389
    Configuration Directory Admin User : admin
    Existing User Directory : 0
    User Directory Host : AM55-zone.ipsolutionshowcase.com
    User Directory Port : 389
    User Directory Admin User : admin
    User Directory Suffix : dc=ipsolutionshowcase,dc=com
    Disable Schema Checking : 0
    Add Sample Entries : 0
    Populate Database : 1
    Sun Java(TM) System Access Manager 7 2005Q4 :
    Access Manager Installation Directory : /opt
    Access Manager Protocol : http
    Access Manager Port : 8080
    LDAP User ID : amldapuser
    <--[66%]--[ENTER To Continue]--[n To Finish]--> {"!" exits}
    Administrator User ID : amAdmin
    Web Container : AppServer
    Access Manager Application Server Installation Directory :
    /opt/SUNWappserver/appserver
    Document Root : /var/opt/SUNWappserver/domains/domain1/docroot
    Access Manager Console Host (for Existing console) : AM55-zone.
    ipsolutionshowcase.com
    Access Manager Console Deploy URI : amconsole
    Access Manager Password Deploy URI : ampassword
    Access Manager Host : AM55-zone.ipsolutionshowcase.com
    Access Manager Services Deploy URI : amserver
    Access Manager Cookie Domain List : .ipsolutionshowcase.com
    Access Manager Common Domain Deploy URI : amcommon
    Access Manager Directory Server Host Name : AM55-zone
    Access Manager Directory Server Host : AM55-zone.ipsolutionshowcase.com
    Access Manager Directory Server Port : 389
    Access Manager Directory Root Suffix : dc=ipsolutionshowcase,dc=com
    Access Manager Directory Manager DN : cn=Directory Manager
    Organization Marker Object Class : sunISManagedOrganization
    User Marker Object Class : inetorgperson
    Organization Naming Attribute : o
    User Naming Attribute : uid
    <--[100%]--[ENTER To Continue]--[n To Finish]--> {"!" exits}
    Enter 1 to view installation summary and Enter 2 to view installation logs
    [1] {"!" exits} !
    You have new mail in /var/mail/root
    bash-3.00#
    bash-3.00# cd /var/opt/mps/serverroot/slapd-AM55-zone
    bash-3.00# ./start-slapd

    Thanks samk,
    After the installation, I have started the Directory server,admin,and console with following commands:
    bash-3.00# directoryserver start
    bash-3.00# directoryserver start-admin
    SunONE-WebServer-Enterprise/6.0SP3 B05/19/2004 02:48
    warning: daemon is running as super-user
    [LS ls1] http://AM55-zone.ipsolutionshowcase.com, port 390 ready to accept requests
    startup: server started successfully
    bash-3.00# directoryserver startconsole
    Received the Login console window, logged in and got the ipsolutionshowcase tree.
    What are the next steps I need to follow in order to launch the Access Manager page?
    Any thoughts?
    Thanks for ye help
    Sid

  • Access Manager 6 2005Q1 naming service behind load balancer

    Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
    Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP) for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
    All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
    The load balancer VIP is setup in active/failover mode so all requests go to one server. We implemented it this way because our load balancers do not support SSL with cookies.
    The data returned to the agent from a call to the naming service contains the host name of our AM hosts instead of the load balancer VIP. Subsequent calls from the agent to AM bypass the load balancer and go directly to one of the AM hosts.
    We are looking to upgrade our load balancers to a version that supports cookies with ssl in order to take advantage of the second AM host.
    How do we configure AM so the values returned by the naming service contain the load balancer VIP instead of the actual AM host names?

    Bernhard,
    We have upgraded our Web PA to version 2.1-09. One of your previous replies stated the com.iplanet.am.naming.ignoreNamingservice property was not available in the PA agent properties but only in the Java SDK. Indeed we do not see such a key in the new Web PA AMAgent.properties.
    Can you please explain how to configure the AMAgent.properties and/or the Access Manager server (or properties) so that subsequent calls to the services (returned by the call to the naming service) get directed through the load balancer? Below are the settings in our AMAgent and AMConfig properties files
    AMAgent.properties
    com.sun.am.namingURL = https://lb-mydomain.com:443/amserver/namingservice
    com.sun.am.policy.am.loginURL = https://lb-mydomain.com:443/amserver/UI/Login
    AMConfig.properties
    com.iplanet.am.server.protocol=https
    com.iplanet.am.server.host=am.mydomain.com
    com.iplanet.am.server.port=443
    com.iplanet.am.console.protocol=https
    com.iplanet.am.console.host=lb-mydomain.com
    com.iplanet.am.console.port=443
    com.iplanet.am.profile.host=lb-mydomain.com
    com.iplanet.am.profile.port=443
    com.iplanet.am.naming.url=https://lb-mydomain.com:443/amserver/namingservice
    com.iplanet.am.notification.url=https://lb-mydomain.com:443/amserver/notificationservice
    If we set com.iplanet.am.server.host=lb-mydomain.com we get an exception when trying to start the AM web container. I don't know if this may be part of our issue or not. Please comment.
    Thanks,
    Craig
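
The AMConfig.properties and AMAgent.properties values quoted in the post above can be checked mechanically for entries that name an Access Manager host instead of the load balancer. The following Python script is an added example, not part of the original thread or of Access Manager; the function names and the plaintext check are assumptions made for illustration, and the sample text is constructed from the values in the post.

```python
"""Audit AMConfig/AMAgent-style properties: which endpoints name the load balancer?"""
from urllib.parse import urlsplit

# Constructed sample: the property values quoted in the post, with the wrapped
# notification URL joined back onto one line.
SAMPLE_AMCONFIG = """\
com.iplanet.am.server.protocol=https
com.iplanet.am.server.host=am.mydomain.com
com.iplanet.am.server.port=443
com.iplanet.am.console.protocol=https
com.iplanet.am.console.host=lb-mydomain.com
com.iplanet.am.console.port=443
com.iplanet.am.profile.host=lb-mydomain.com
com.iplanet.am.profile.port=443
com.iplanet.am.naming.url=https://lb-mydomain.com:443/amserver/namingservice
com.iplanet.am.notification.url=https://lb-mydomain.com:443/amserver/notificationservice
"""

SAMPLE_AMAGENT = """\
com.sun.am.namingURL = https://lb-mydomain.com:443/amserver/namingservice
com.sun.am.policy.am.loginURL = https://lb-mydomain.com:443/amserver/UI/Login
"""


def parse_properties(text):
    """Parse key=value properties text into a dict.

    Skips blank lines and '#'/'!' comments and joins lines that end in a
    backslash. Simplification: escaped backslashes and ':' separators, which
    java.util.Properties also accepts, are not handled.
    """
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending += line[:-1]  # continuation: keep collecting
            continue
        key, sep, value = (pending + line).partition("=")
        pending = ""
        if sep:
            props[key.strip()] = value.strip()
    return props


def endpoint(key, value):
    """Return (scheme, host) for URL, *.host and *.protocol entries, else None."""
    if "://" in value:
        parts = urlsplit(value)
        return parts.scheme.lower(), (parts.hostname or "").lower()
    if key.endswith(".host"):
        return None, value.lower()
    if key.endswith(".protocol"):
        return value.lower(), None
    return None


def audit_endpoints(props, lb_host):
    """Sort endpoint properties into via_lb / direct / plaintext lists."""
    report = {"via_lb": [], "direct": [], "plaintext": []}
    for key in sorted(props):
        found = endpoint(key, props[key])
        if found is None:
            continue  # ports and other non-endpoint settings
        scheme, host = found
        if host:
            bucket = "via_lb" if host == lb_host.lower() else "direct"
            report[bucket].append((key, host))
        if scheme == "http":
            report["plaintext"].append(key)  # unencrypted endpoint
    return report


if __name__ == "__main__":
    for name, text in (("AMConfig", SAMPLE_AMCONFIG), ("AMAgent", SAMPLE_AMAGENT)):
        result = audit_endpoints(parse_properties(text), "lb-mydomain.com")
        for bucket, entries in result.items():
            for entry in entries:
                print(f"{name}: {bucket}: {entry}")
```

For the posted values, the only entry that names an AM host directly is com.iplanet.am.server.host; every URL and the console and profile hosts name the load balancer.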

  • Sun Access Manager to OpenSSO 8 migration

    Hi,
    I'm trying to migrate from Sun Java System Access Manager/Sun Directory Server 5.2 to Oracle OpenSSO 8/Sun Directory Server 11. After creating the same suffix (dc=example) from DS 5.2 to DS 11, I installed and configured OpenSSO. After that I export/import my application subtree (o=appl1) from a ldiff file. Everything works good (user, groups, roles, etc) except policies. In Access Manager my policies are kept under ou=iPlanetAMPolicyService,ou=services,o=appl1,dc=example and if I manually create a policy in OpenSSO it's created under ou=iPlanetAMPolicyService,ou=services,o=appl1,ou=services,dc=example. To read policies from my application I use PolicyManager and if possible I don't want to change the code. Is it possible to tell OpenSSO to keep my policies under ou=iPlanetAMPolicyService,ou=services,o=appl1,dc=example instead of ou=iPlanetAMPolicyService,ou=services,o=appl1,ou=services,dc=example, or do I need to modify my ldif file or find another way? Thanks for your help.

    You should use the MS Access Migration Wizard available from OTN.
    Go to the Technology section, then click Migration, then click
    Oracle's Migration Toolkits, then click Microsoft Access and from
    there you can get the wizard to migrate from Access 2.0. It does
    not run on Windows 98. I am not sure whether it is a
    recommendation or a requirement to upgrade to Access 97.
    bill barnes (guest) wrote:
    : I have been tasked with migrating an access 2.0 database to an
    : oracle 8 running on novell 5 server. I have found documentation
    : that says it is best to upgrade the access 2.0 database to access
    : 97 then compress the data before the migration. My question is
    : whether or not this is necessary/recommended? Which migration
    : tool kit/workbench do I need? Any horror stories from a
    : migration such as this or any tips to make this as seamless as
    : possible?
    : Thanks for any help,
    : Bill
    Oracle Technology Network
    http://technet.oracle.com

  • Integrating Identity Manager with Access Manager

    We have a plain vanilla installation of Identity Manager 5.5. We are attempting to integrate Access Manager 7 (also plain vanilla install). Both were deployed into Application Server 8.1 (all running on Solaris 10 x86).
    Here is what we ran into:
    1) When IDM is the only application deployed in Application Server, we can log in to its administration console with the base ID of "configurator" without a problem. Next, we installed Access Manager 7 without any errors. Now when we attempt to log into the IDM administration panel (still using "configurator"), IDM can no longer find the "configurator" ID. We tried using AM to add an ID of "configurator" to the LDAP directory (figuring that was the problem), but we still cannot get into IDM. What do we need to do to "integrate" these two products? We haven't even attempted customization yet.
    2) Does anyone know of ANY sample apps that show IDM and AM working together?
    Thanks in advance

    Raghavan,
    Do you have any template doc for this configuration? We did the same; the only thing that we changed is that instead of using the fully qualified DNS name we used the IP address in the AMConfig.properties file.
    Any ideas?
    --Srini

  • Unable to open Database: TrueSuite Access Manager

    Every time I attempt to register fingerprints in the TrueSuite Access Manager, I receive an error that states that it failed to open the specific database.

    Hi there, I have the same problem on a Portege R500, short history:
    1. Vista was installed with BIOS and HDD password + fingerprint - worked fine
    2. Installed XP with the recovery image, re-formatting the HDD
    3. The BIOS and HDD fingerprint was accepted (!) - i.e. he remembered the fingerprints on the board
    4. But the Windows welcome screen showed "please wait"
    5. New installation of actual version of True Suite Software did not help
    6. When running the Access Manager and trying to record new fingerprints, it shows "error: database not found"
    7. Another observation: clicking delete fingerprint reveals a fingerprint with a scrambled name, it can't be deleted
    8. Ignoring the fingerprint reader works (on BIOS, HDD and Windows logon)
    9. I believe it would have been better to delete the BIOS and HDD fingerprint in Vista before installing XP. Now there is an inconsistency between the fingerprints on the board and in the Software database - does that help?
    Thanks for keep working on it,
    Regards

  • Load Balancing Directory Servers with Access Manager - Simple questions

    Hi.
    We are in the process of configuring 2 Access Manager instances (servers) accessing the same logical LDAP repository (comprising physically of two Directory Servers working together with Multi-Master Replication configured and tested) For doing this, we are following guide number 819-6258.
    The guide uses BigIP load balancer for load balancing the directory servers. However, we intend to use Directory Proxy Server. Since we faced some (unresolved) issues last time that we used DPS, there are some simple questions that I would be very grateful to have answers to:
    1. The guide, in section 3.2.10 (To configure Access Manager 1 with the Directory Server load balancer), talks about making changes at 4 places, and replacing the existing entry (hostname and port) with the load balancer's hostname and port (assuming that the load balancer has already been configured). It says that changes need not be made on Access Manager 2 since the LDAPs are in replication, and hence changes will be replicated at all places. However, the guide also states that changes have to be made in two files, namely AMConfig.properties, and the serverconfig.xml file. But these changes will not be reflected on Access Manager 2, since these files are local on each machine.
    Question 1. Do changes have to be made in AMConfig.properties and serverconfig.xml files on the other machine hosting Access Manager 2?
    Question 2: What is the purpose of putting these values here? Specifically, what is achieved by specifying the Directory server host and port in AMConfig.properties, as well as in serverconfig.xml?
    Question 3. In the HTTP console, there is the option of specifying multiple primary LDAP servers, as well as multiple secondary LDAP servers. What is the purpose of these? Are secondary servers attempted when none of the list in the primary list are accessible? Also, if there are multiple entries in the primary server list, are they accessed in a round robin fashion (hereby providing rudimentary load balancing), or are other servers accessed only when the one mentioned first is not reachable etc.?
    2. Since I do not have a load balancer setup yet, I tried the following deviation to the above, which, according to me, should have worked. If viewed in the HTTP console, LDAP / Membership / MSISDN and Policy configuration all pointed to the DS on host 1. When I changed all these to point to the directory server on host 2 (and made AMConfig.properties and serverconfig.xml on host 1 point to DS of host 2 as well), things should have worked fine, but apparently Access Manager 1 could not be started. Error from Webserver:
    [14/Aug/2006:04:30:36] info (13937): WEB0100: Loading web module in virtual server [https-machine_1_FQDN] at [search]
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Exception in thread "EventService" java.lang.ExceptionInInitializerError
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.iplanet.services.ldap.event.EventServicePolling.run(EventServicePolling.java:132)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at java.lang.Thread.run(Thread.java:595)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Caused by: java.lang.InterruptedException
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.sun.identity.sm.ServiceManager.<clinit>(ServiceManager.java:74)
    [14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: ... 2 more
    In effect, AM on 1 did not start. On rolling back the changes, things again worked like previously.
    Will be really grateful for any help / insight / experience on dealing with the above.
    Thanks!

    Update to the above, in case anyone is reading:
    We setup a similar setup in Windows, and it worked. Here is a detailed account of what was done:
    1. Host 1: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
    All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST1:389)
    2. Host 2: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
    All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST2:389)
    3. Host 1: Started replication. Set to Master
    4. Host 2: Started replication. Set to Master
    5. Host 1: Setup replication agreement to Host 2
    6. Host 2: Setup replication agreement to Host 1
    7. Initiated the remote replica from Host 1 ----> Host 2
    Note that since default installation uses abc.....xyz as the encryption key, setting this to same was not an issue.
    9. Started webserver for Host 1 and logged into AM as amadmin.
    10. Added Host 2 FQDN in DNS Aliases / Realms
    11. Added http://HOST2_FQDN:80 in the Platform server (instance) list.
    12. Started Host 2 webserver. Logged in AM on Host 2, things worked fine.
    At this stage, note the following:
    a) Host 1:
    AMConfig.properties file has
    com.iplanet.am.directory.host=host1_FQDN
    and
    com.iplanet.am.directory.port=389
    serverconfig.xml has:
    <Server name="Server1" host="host1_FQDN" port="389" type="SIMPLE" />
    b) Host 2:
    AMConfig.properties file has
    com.iplanet.am.directory.host=host2_FQDN
    and
    com.iplanet.am.directory.port=389
    serverconfig.xml has:
    <Server name="Server1" host="host2_FQDN" port="389" type="SIMPLE" />
    c) If one logs into AM, and checks LDAP servers for LDAP / Policy Configuration / Membership etc services, they all contain Host2_FQDN:389 (which makes sense, since replica 2 was initialized from 1)
    Returning back to the configurations:
    13. On Host 1, login into the Admin server console of the Directory server. Navigate to the DPS, and configure the following:
    a) Network Group
    b) LDAP servers
    c) Load Balancing
    d) Change Group
    e) Action on-bind
    f) Allow all actions (permit modification / deletion etc.).
    g) any other configurations required - Am willing to give detailed steps if someone needs them to help me / themselves! :)
    So now, we have DPS configured and running on Host1:489, and distributing load to DS1 and DS2 on a 50:50 basis.
    14. Now, log into AM on Host 1, and instead of Host1_fqdn:389 (for DS) in the following places, specify Host1_fqdn:489 (for the DPS)--
    LDAP Authentication
    MSISDN server
    Membership Service
    Policy configuration.
    Verified that this propagated to the Policy Configuration service and the LDAP authentication service that are already registered with the default organization.
    15. Log out of AM. Following the documentation, modify directory.host and directory.port in AMConfig.properties to point to Host 1_FQDN and 489 respectively. Make this change in AMConfig.properties of both Host 1 as well as 2.
    16. Edit serverconfig.xml on both hosts, and instead of them pointing to their local directory servers, point both to host1_FQDN:489
    17. When you start the webserver, it will refuse to start. Will spew errors such as:
    [https-host1_FQDN]: Sun ONE Web Server 6.1SP5 B06/23/2005 17:36
    [https-host1_FQDN]: info: CORE3016: daemon is running as super-user
    [https-host1_FQDN]: info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_04] from [Sun Microsystems Inc.]
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amserver]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [ampassword]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amcommon]
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amconsole]
    [https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
    [https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [search]
    [https-host1_FQDN]: warning: CORE3283: stderr: netscape.ldap.LDAPException: error result (32); matchedDN = dc=sun,dc=com; No such object (DN changed)
    [https-host1_FQDN]: warning: CORE3283: stderr: Got LDAPServiceException code=-1
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getConnection(DSConfigMgr.java:357)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewFailoverConnection(DSConfigMgr.java:314)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewConnection(DSConfigMgr.java:253)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:184)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:194)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.initLdapPool(DataLayer.java:1248)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.(DataLayer.java:190)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:215)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:246)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.initialize(SMSLdapObject.java:156)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.(SMSLdapObject.java:124)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
    [https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance0(Class.java:350)
    [https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance(Class.java:303)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.SMSEntry.(SMSEntry.java:216)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ServiceSchemaManager.(ServiceSchemaManager.java:67)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.getServiceSchemaManager(AMClientDetector.java:219)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.(AMClientDetector.java:94)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.mobile.filter.AMLController.init(AMLController.java:85)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:322)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:120)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3271)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3747)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]: failure: WebModule[amserver]: WEB2783: Servlet /amserver threw load() exception
    [https-host1_FQDN]: javax.servlet.ServletException: WEB2778: Servlet.init() for servlet LoginLogoutMapping threw exception
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:949)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]: ----- Root Cause -----
    [https-host1_FQDN]: java.lang.NullPointerException
    [https-host1_FQDN]: at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
    [https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
    [https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
    [https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
    [https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
    [https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
    [https-host1_FQDN]:
    [https-host1_FQDN]: info: HTTP3072: [LS ls1] http://host1_FQDN:58080 ready to accept requests
    [https-host1_FQDN]: startup: server started successfully
    Success!
    The server https-host1_FQDN has started up.
    The server, in fact, didn't start up (nothing even listening on 58080).
    However, if AMConfig.properties is left as it originally was, and only serverconfig.xml files were changed as mentioned above, web servers started fine, and things worked all okay. (Alright, except for some glitches when viewed in /amconsole. If /amserver/console is accessed, all is good. Can this mean that all is still not well? I am not sure).
    So far so good. Now comes the sad part. When the same is done on Solaris 9, things don't work. You continue to get the above error, OR the following error, and the web server will refuse to start:
    Differences in Solaris and Windows are as follows:
    1. Windows hosts have 1 IP and hostname. Solaris hosts have 3 IPs and hostnames (for DS, DPS, and webserver).
    No other difference from an architectural perspective.
    Any help / insight on why the above is not working (and why the hell does the documentation seem so sketchy / insecure / incorrect).
    Thanks a bunch!
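The post above hinges on two per-host files, AMConfig.properties and serverconfig.xml, each naming a directory host and port that replication does not carry between machines. The following is an added example, not code from the post or from Access Manager, that reports which file on which instance points somewhere other than the intended endpoint. The sample file contents are constructed from the placeholders in the post, and the `<ServerGroup>` wrapper element is an assumption, since only the `<Server>` line appears on the page.

```python
import xml.etree.ElementTree as ET

HOST_KEY = "com.iplanet.am.directory.host"  # property names as quoted in the post
PORT_KEY = "com.iplanet.am.directory.port"

def amconfig_endpoint(text):
    """Return (host, port) read from AMConfig.properties text."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or .properties comment
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    if HOST_KEY not in props or PORT_KEY not in props:
        raise ValueError("directory host/port not set in AMConfig.properties")
    return props[HOST_KEY].lower(), int(props[PORT_KEY])

def serverconfig_endpoints(xml_text):
    """Return [(host, port), ...] for every <Server> element in serverconfig.xml."""
    root = ET.fromstring(xml_text)
    return [(s.get("host", "").lower(), int(s.get("port", "0")))
            for s in root.iter("Server")]

def audit(instances, expected):
    """instances: {name: (amconfig_text, serverconfig_text)}.
    Returns sorted (instance, file, host, port) rows that differ from expected."""
    want = (expected[0].lower(), int(expected[1]))
    drift = []
    for name, (amconfig, serverconfig) in instances.items():
        am = amconfig_endpoint(amconfig)
        if am != want:
            drift.append((name, "AMConfig.properties", *am))
        for ep in serverconfig_endpoints(serverconfig):
            if ep != want:
                drift.append((name, "serverconfig.xml", *ep))
    return sorted(drift)

# Constructed sample input: host names and ports are the post's placeholders.
AMCONFIG_PROXY = """# directory settings
com.iplanet.am.directory.host=host1_FQDN
com.iplanet.am.directory.port=489
"""
AMCONFIG_LOCAL = """com.iplanet.am.directory.host=host2_FQDN
com.iplanet.am.directory.port=389
"""
# Assumption: <ServerGroup> wrapper; only the <Server> element is on the page.
SERVERCONFIG_PROXY = """<ServerGroup name="default">
  <Server name="Server1" host="host1_FQDN" port="489" type="SIMPLE" />
</ServerGroup>"""

INSTANCES = {
    "host1": (AMCONFIG_PROXY, SERVERCONFIG_PROXY),
    "host2": (AMCONFIG_LOCAL, SERVERCONFIG_PROXY),  # only serverconfig.xml was moved
}

if __name__ == "__main__":
    for row in audit(INSTANCES, ("host1_FQDN", 489)):
        print("DRIFT %s %s -> %s:%d" % row)
```

Host names are compared case-insensitively because the post writes the same placeholder as both `host1_FQDN` and `Host1_fqdn`.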

  • Distribution Manager Failed To Access The Source Directory

    Hello All,
    I have this issue distributing content to my Distribution Points for months now. I keep running into this error below:
    Distribution Manager Failed to Access the source directory (\\share\folder\file.wim)
    Possible Cause: Distribution Manager does not have sufficient rights to the source directory.
    Solution: Verify that the site server computer account has at least Read access to the directory you specify as the source directory.
    Possible Cause: There is not enough disk space available on the site server.
    Solution: Verify that there is enough free disk space available on the site server.
    I checked the distmgr.log file and received these messages: 
    GetTempFileNameA failed; 0x80004005    SMS_DISTRIBUTION_MANAGER    3/24/2015 2:15:38 PM    13952 (0x3680)
    CFileLibrary::AddFile failed; 0x80004005    SMS_DISTRIBUTION_MANAGER    3/24/2015 2:15:38 PM    13952 (0x3680)
    CContentDefinition::AddFile failed; 0x80004005    SMS_DISTRIBUTION_MANAGER    3/24/2015 2:15:38 PM    13952 (0x3680)
    Failed to add the file. Please check if this file exists.    SMS_DISTRIBUTION_MANAGER    3/24/2015 2:15:38 PM    13952 (0x3680)
    SnapshotPackage() failed. Error = 0x80004005    SMS_DISTRIBUTION_MANAGER    3/24/2015 2:15:38 PM    13952 (0x3680)
    Failed to take snapshot of package CSU0006A    SMS_DISTRIBUTION_MANAGER    3/24/2015 2:15:38 PM    13952 (0x3680)
    There is enough space on the site server and the site server has full control over the source directory. I wish I can give you more information but I'm hoping this is enough info to get some assistance. If more information is needed please let me know!

    We usually give the DP's computer account and the site server computer account read access to these shares in our environment.
    ... which is not enough for drivers and updates (as files will also be added).
    Torsten Meringer | http://www.mssccmfaq.de
    ... And for capture Image too if your capture destination points on that share
