Error 403 returned from WebSphere running Policy Agent

Hi,
I'm getting an error 403 (forbidden) in my browser when I try to access a URL that I have protected using a Policy that I have set up in SAM.
My configuration is as follows:
Sun Access Manager 6 2005Q1 on Solaris
WebSphere AppServer 5.1.1.5 on Win 2000
WebSphere 5.0 Policy Agent 2.1 on Win 2000
At the moment, all I'm trying to do is protect a URL which is contained in a simple WAR file which I have deployed on WAS.
As per the J2EE Policy Agents guide, I have installed the Agent Filter by adding the following into web.xml
    <web-app>
      <display-name>...</display-name>
      <description>...</description>
      <filter>
        <filter-name>Agent</filter-name>
        <display-name>Agent</display-name>
        <description>SunTM ONE Identity Server Policy Agent</description>
        <filter-class>com.sun.identity.agents.websphere.AmWAS50AgentFilter</filter-class>
      </filter>
      <filter-mapping>
        <filter-name>Agent</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
    </web-app>
I've switched on Global Security in WAS and successfully logged back into the WebSphere Console using amldapuser. This confirms that the Agent Realm is working correctly.
In SAM I set up a Policy with a Rule that specified the URL I want to protect. I added a Subject to this Rule of type LDAP User. The user I chose was amadmin (for the moment).
I also configured an Agent with agentRootURL=http://<WAS fully qualified domain name>:9080/
When I try to access the URL of the servlet in the WAR, I am redirected to the SAM's login page
http://<SAM fully qualified domain name>/amserver/UI/Login?goto=http%3A%2F%2F<WAS fully qualified domain name>%3A9080%2FRoamingApp%2FRoaming
However, when I enter the amadmin/ <password> error 403 is returned to the browser.
I've checked the logs on SAM
From amAuthentication.access
"2005-07-28 11:58:15" "Login Success" LDAP dc=acme,dc=com INFO uid=amAdmin,ou=People,dc=acme,dc=com <WAS IP address> "cn=dsameuser,ou=DSAME Users,dc=acme,dc=com" <WAS IP address>
From amSSO.access
"2005-07-28 11:58:15" "SESSION CREATE" amSSO.access dc=acme,dc=com INFO uid=amAdmin,ou=People,dc=acme,dc=com <WAS IP address> "cn=dsameuser,ou=DSAME Users,dc=acme,dc=com" <WAS IP address>
From agent.log (Policy Agent on Win 2000)
[Thursday, July 28, 2005 11:58:15 AM BST] [null]
Access to http://<WAS fully qualified domain name>:9080/RoamingApp/Roaming denied for user UNKNOWN
Perhaps I don't have the Policy in SAM configured correctly... If anyone has come across this kind of problem before, I would greatly appreciate any help they can give me.
Thanks,
Justin

Thanks for getting back to me Jerry.
I had a look at the role-to-principal mappings you suggested. To do this I added a security constraint to my web.xml file.
Then I reconfigured WebSphere so that the Active User Registry = LDAP instead of Custom. This allowed me to assign the LDAP group (in SAM) to the role (in web.xml). WAR file installed fine with these new bindings and I restarted WAS.
Unfortunately, I'm still getting Error 403 in the browser!
Any ideas as to what I might be doing wrong? Any help you can give me would be much appreciated.
This is the amFilter log file from the Policy Agent...
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: incoming request =>
HttpServletRequest: class => com.ibm.ws.webcontainer.srt.SRTServletRequest@1af52898
     Character Encoding     : null
     Content Lenght          : -1
     Content Type          : null
     Locale               : en_IE
     Accept Locales:
          en_IE
     Protocol          : HTTP/1.1
     Remote Address          : 172.20.13.96
     Remote Host          : 172.20.13.96
     Scheme               : http
     Server Name          : dubwrk1589.ie.pri.o2.com
     Server Port          : 9080
     Is Secure          : false
     Auth Type          : null
     Context Path          : /RoamingApp
     Cookies:
          amFilterParam: AQIC5wM2LY4Sfcx0xX1Z1+1tK4SfLh/aCFlbIGuRNEPcAVc=
          amFilterRDParam: AQIC5wM2LY4Sfcwb7v6Sof6MpnvtyR8nae7hiKN7Y11QjCagyWAs9LzbAeB9Q4TP8VjruhK+oYForXxw/qq6TqbMAN1PlT1YOQI3Vy92iAaJ2N9x2bSRaUU7NlwZg8oTti+JOLdiRMTzwO17jIoWwCIx/0CtoQXpkX/meuAoFwf1feyAEp2NvK7AIbE82f/p8o4LxQbhK2NQNec=
          WASReqURL: http://dubwrk1589.ie.pri.o2.com:9080/RoamingApp/Roaming
          JSESSIONID: 0000HRZTVpt84dvtjaLaKWBnwzu:-1
     Headers:
          accept:
               image/gif
               image/x-xbitmap
               image/jpeg
               image/pjpeg
               application/msword
               application/vnd.ms-excel
               application/vnd.ms-powerpoint
               application/x-shockwave-flash
          referer:
               http://sam.digifone.com/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp
          accept-language:
               en-ie
          cookie:
               amFilterParam=AQIC5wM2LY4Sfcx0xX1Z1+1tK4SfLh/aCFlbIGuRNEPcAVc=; amFilterRDParam=AQIC5wM2LY4Sfcwb7v6Sof6MpnvtyR8nae7hiKN7Y11QjCagyWAs9LzbAeB9Q4TP8VjruhK+oYForXxw/qq6TqbMAN1PlT1YOQI3Vy92iAaJ2N9x2bSRaUU7NlwZg8oTti+JOLdiRMTzwO17jIoWwCIx/0CtoQXpkX/meuAoFwf1feyAEp2NvK7AIbE82f/p8o4LxQbhK2NQNec=; WASReqURL=http://dubwrk1589.ie.pri.o2.com:9080/RoamingApp/Roaming; JSESSIONID=0000HRZTVpt84dvtjaLaKWBnwzu:-1
          accept-encoding:
               gzip
               deflate
          user-agent:
               Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
          host:
               dubwrk1589.ie.pri.o2.com:9080
          connection:
               Keep-Alive
          cache-control:
               no-cache
     Method               : GET
     Path Info          : null
     Path Trans          : null
     Query String          : null
     Remote User          : null
     Requested Session ID     : 0000HRZTVpt84dvtjaLaKWBnwzu:-1
     Request URI          : /RoamingApp/login.jsp
     Servlet Path          : /login.jsp
     Session               : true
     User Principal          : null
     Attributes:
          com.ibm.servlet.engine.webapp.dispatch_type: forward
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
FQDNHandler: Incoming Server Name: [dubwrk1589.ie.pri.o2.com] Result: null
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
PatternRule{*/j_security_check}.matchString(/RoamingApp/login.jsp) => false
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
NotEnforcedListManager.isNotEnforced(/RoamingApp/login.jsp) => false
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: Login attempt number: 10
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: SSO Validation failed for null
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: Reseting Cookies in Response
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
WARNING: AmFilter: Login attempt number 10 failed for request URI: /RoamingApp/login.jsp
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
URLFailoverHelper: Checking if http://sam.digifone.com:80/amserver/UI/Login is available
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
URLFailoverHelper: URL http://sam.digifone.com:80/amserver/UI/Login is available
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
URLFailoverHelper: getAvailableURL() => http://sam.digifone.com:80/amserver/UI/Login
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: redirectURL is: http://sam.digifone.com:80/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
WARNING: AmFilter: redirect attempt limit reached for http://sam.digifone.com:80/amserver/UI/Login?goto=http%3A%2F%2Fdubwrk1589.ie.pri.o2.com%3A9080%2FRoamingApp%2Flogin.jsp, access will be denied
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: Using 403 forbidden to block access
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
getResource: id = 20004
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
AmFilter: result =>
FilterResult:
     Status      : FORBIDDEN
     RedirectURL     : null
     RequestHelper:
          null
     Data:
          null
07/29/2005 05:48:44:980 PM IST: Thread[Servlet.Engine.Transports : 2,5,main]
getResource: id = 20008
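
As an added example (not part of the original posts and not Sun's code), the following Python triages an amFilter debug log like the one above: it checks whether the Access Manager SSO cookie reached the agent and whether the login host and the agent host share a DNS domain, the two facts that separate a policy denial from a redirect loop that ends in 403. The cookie name `iPlanetDirectoryPro` is assumed to be the default, the hosts in the sample are constructed placeholders, and the two-label domain comparison is a heuristic.

```python
import re
from urllib.parse import urlsplit

# Assumption: default Access Manager SSO cookie name (com.sun.am.cookie.name).
SSO_COOKIE = "iPlanetDirectoryPro"

# Constructed sample in the amFilter debug-log layout; hosts are placeholders.
SAMPLE_LOG = """\
AmFilter: incoming request =>
     Server Name          : app.example.org
     Server Port          : 9080
     Cookies:
          amFilterParam: AAAA
          JSESSIONID: 0000abc:-1
     Headers:
          host:
               app.example.org:9080
     Request URI          : /RoamingApp/login.jsp
AmFilter: Login attempt number: 10
AmFilter: SSO Validation failed for null
AmFilter: redirectURL is: http://login.example.com:80/amserver/UI/Login?goto=http%3A%2F%2Fapp.example.org%3A9080%2FRoamingApp%2Flogin.jsp
WARNING: AmFilter: redirect attempt limit reached for http://login.example.com:80/amserver/UI/Login, access will be denied
AmFilter: Using 403 forbidden to block access
"""


def cookie_names(log):
    """Return the cookie names listed under 'Cookies:' in the request dump."""
    names, in_block = set(), False
    for line in log.splitlines():
        stripped = line.strip()
        if stripped == "Cookies:":
            in_block = True
        elif in_block:
            m = re.match(r"([^\s:=]+): ", stripped)
            if not m:  # 'Headers:' or any other non-cookie line ends the block
                break
            names.add(m.group(1))
    return names


def parent_domain(host, labels=2):
    """Heuristic parent domain: last `labels` DNS labels (wrong for e.g. co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-labels:])


def triage(log, sso_cookie=SSO_COOKIE):
    """Summarise why the agent answered 403 for the request in `log`."""
    server = re.search(r"Server Name\s*:\s*(\S+)", log)
    redirect = re.search(r"redirectURL is: (\S+)", log)
    attempts = [int(n) for n in re.findall(r"Login attempt number: (\d+)", log)]
    agent_host = server.group(1) if server else None
    login_host = urlsplit(redirect.group(1)).hostname if redirect else None
    findings = {
        "agent_host": agent_host,
        "login_host": login_host,
        "sso_cookie_present": sso_cookie in cookie_names(log),
        "sso_validation_failed": "SSO Validation failed" in log,
        "max_login_attempt": max(attempts, default=0),
        "redirect_limit_reached": "redirect attempt limit reached" in log,
        "same_cookie_domain": None,
    }
    if agent_host and login_host:
        findings["same_cookie_domain"] = (
            parent_domain(agent_host) == parent_domain(login_host))
    # A browser only returns a cookie to hosts inside the cookie's domain, so
    # a login server in another DNS domain cannot hand its cookie to the agent.
    loop = findings["redirect_limit_reached"] and not findings["sso_cookie_present"]
    if loop and findings["same_cookie_domain"] is False:
        findings["verdict"] = ("redirect loop; SSO cookie cannot reach agent "
                               "host (different DNS domain)")
    elif loop:
        findings["verdict"] = "redirect loop; SSO cookie missing from request"
    elif findings["redirect_limit_reached"]:
        findings["verdict"] = "redirect loop; SSO cookie present but rejected"
    else:
        findings["verdict"] = "no redirect loop in this excerpt"
    return findings


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key:24} {value}")
```

In the log posted above, the dumped Cookies block lists only amFilterParam, amFilterRDParam, WASReqURL and JSESSIONID, and the login host (sam.digifone.com) and agent host (dubwrk1589.ie.pri.o2.com) are in different DNS domains.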

Similar Messages

  • Error 403 when trying to run a web application

    I am trying to run a web application(J2EE and velocity) that works perfectly fine on Tomcat but doesn't work on weblogic. I was initially getting a nullpointer error but I got rid of it when I removed xercesImpl.jar from my application's library folder and repackaged the war file. However, when I try to run the application now, I get the following error:-
    *Error 403--Forbidden
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.*
    The application has been deployed successfully but I am unable to run it using the link generated in the testing tab. The application. I was wondering if there is any workaround for this error.

    The testing link is using, the host:port/contextroot. Note that the URL is per default not accessible and give justly the 403 forbidden error.
    When you have an index.jsp (or something similar) in the root of your Web application it will automatically load that one, otherwise
    you will get the forbidden message.

  • How to determine the error code, returned from LDAP server

    I use the next code for connect to LDAP server:
            try {
                ctx = new InitialLdapContext(env, null);
                // if connection successful ...
            } catch (NamingException e) {
                // if an error occurred ...
            }
    Is it possible to determine the numeric error code, returned from server?

    I was just working on using openldap, binding to it and checking for expired passwords and locked accounts and it looks like that an AuthenticationException is thrown in these circumstances and the ctx is null so it is not possible process connection response controls. But you can look at operation attributes if you have password policy enabled and you are looking for these type of errors

  • Error 403-forbidden from IE5 while authenticating a user through NT Realm

    Hi,
    Before posting this request, I checked the forum until Sep.18 to see if nobody
    else experienced my problem, but in vain.
    I am using WLS6.1Sp1 under NT4
    I would like that NT users for defined NT Primary Domain Controller authenticate
    themselves before accessing a web app. For that, I followed thoroughly the BEA
    Doc to get the config.xml, web.xml, weblogic.xml and filerealm.properties correctly
    configured.
    The <auth-method> is set to FORM. The <security-role> and <security-role-assignment>
    are also set with business roles and principals from the NT PDC. the <security-constraint>
    with all the sub-tags are also defined. etc.etc. When I use the WL console, to
    check users and groups lists, it works fine although it takes a lot of time before
    being displayed (15 to 20 minutes !!!).
    Through a Login.jsp, the user enters his/her login name and password. The result
    is that I get the following message :
    "Error 403--Forbidden
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization
    will not help and the request SHOULD NOT be repeated. If the request method was
    not HEAD and the server wishes to make public why the request has not been fulfilled,
    it SHOULD describe the reason for the refusal in the entity. This status code
    is commonly used when the server does not wish to reveal exactly why the request
    has been refused, or when no other response is applicable."
    No trace in the log files. No warning . Nothing.
    My questions are:
    1- Has somebody already experienced this?
    2- Could you then help me ?
    By advance , thank you very much.
    Athmani H.
    Note : I can provide you through email the config.xml, web.xml, weblogic.xml and
    filerealm.properties and the concerned .jsp files on demand

    Hi Jerry,
    Many thanks for your interest and your help.
    weblogic.properties file for WLS 6.1 SP1? There is none... I do have a filerealm.properties. I didn't state that I was using a weblogic.properties
    file.
    I checked the URL you proposed. I changed the <Auth-method> from FORM into BASIC.
    A pop-up window is displayed requesting the user to enter username and password.
    The result is that I get a web page displaying an Error 404 --not found.
    Here is the complete error message :"Error 404--Not Found
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.5 404 Not Found
    The server has not found anything matching the Request-URI. No indication is given
    of whether the condition is temporary or permanent.If the server does not wish
    to make this information available to the client, the status code 403 (Forbidden)
    can be used instead. The 410 (Gone) status code SHOULD be used if the server knows,
    through some internally configurable mechanism, that an old resource is permanently
    unavailable and has no forwarding address."
    The message is displayed when the browser tries to resolve the following URL :http://localhost:7001/examplesWebApp/j_security_check
    Having said that, I had already configured the <security-role-assignement> with
    role-name and principals in weblogic.xml, as well as the <security-role> tag in
    web.xml.
    Thanks for your help
    Cheers
    Habib
    Jerry <[email protected]> wrote:
    Hi Athmani,
    weblogic.properties file for WLS 6.1 SP1? There is none... weblogic.properties
    is in WebLogic
    5.1 and lower -- it was changed to config.xml for WLS 6.0 .. what are
    you using your
    weblogic.properties file for?
    Anyways,
    I have gotten NTRealms to successfully work with WLS 6.1, with security
    on a web app, allowing
    NT users to access certain resources. This stuff works.
    Since you can see your users and groups through the console (even though
    it takes a while) I
    think that your NTRealm setup is okay.
    I would guess that you have a problem with your deployment descriptors
    in your web
    application.
    There are quite a few posts in this newsgroup that illustrate how to
    set up security
    constraints on resources in your web app with the deployment descriptors.
    For example, check out
    http://newsgroups.bea.com/cgi-bin/dnewsweb?cmd=article&group=weblogic.developer.interest.security&item=6244&utag=
    Let me know how it goes, okay?
    Cheers,
    Joe Jerry

  • Error 403--Forbidden - From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.

    Hi, I have a problem with WebLogic Server: 10.3.5.0.
    I need to set that anyone who sees my enterprise application can view the website but not how. It always displays an error.
    The error is:
    Error 403--Forbidden
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
    Can you help me?

    When I'm working with web servers, and I've not worked with weblogic for quite a while, it has always been rights that have been the gotcha for the 403 error. You need to make sure that if you want everyone to be able to browse the given folder, you need public read and execute rights on the contents.

  • "System_Error" Error exception return from pipeline processing!

    Hi all,
    I get this error every time I click the red flag in sxmb_moni:
    com.sap.aii.utilxi.misc.api.BaseRuntimeException
    thrown during application mapping
    com/sap/xi/tf/_CUST_TO_DFS_MM_: RuntimeException
    in Message-Mapping transformatio~
    When I go to TRACE of SOAP Header, I see this error:
      <Trace level="1" type="System_Error">Error exception return from pipeline processing!</Trace>
    The messages were not posted as 'Application document not posted' in we05: they cannot be seen in we05. Because of this, the number of IDOCS posted in we05 is not equal to the XMLs generated in sxmb_moni.
    Please help.
    Thanks.
    Regards,
    IX

    CUST_TO_DFS_MM
    Check this mapping...sometimes just testing in IR is not sufficient....error can also occur at runtime...so take the payload from SXMB_MONI and then test to see why it is failing....
    Also there will be some more error text alongwith CUST_TO_DFS_MM...check it to drill down to the root cause...
    Edited by: abhishek salvi on May 8, 2009 1:00 PM

  • Error exception return from pipeline processing

    Hi Friends,
    In my File to Proxy scenario, i am getting the following error:
    "<Trace level="1" type="B" name="CL_XMS_MAIN-WRITE_MESSAGE_LOG_TO_PERSIST" />
      <Trace level="1" type="System_Error">Error exception return from pipeline processing!</Trace>".
    The common error i received in the monitor is Message Mapping error.
    But I have checked clearly in the IR, all the mappings are correct. While doing the test, it is going well.
    I have gone through some SDN blogs, they have stated like cache refresh, but after doing cache refresh also I am getting the same error.
    Can anyone give me suggestion?
    Thanks in advance.
    Regards
    Bala

    Hi Aashish Sinha,
    I have checked the source code, it is fine. I am getting error in the target code. It is saying that particular field cannot be mapped. But in the target that field is existing.
    Regards
    Bala

  • HT5527 Account status: An error was returned from server. Please try again later - I have been trying to access my account for more than a week... always the same answer any advice appreciated.

    I have been trying to access my iCloud account for more than a week...looking to drop it to the 5GB from current 7GB. I always get the same answer, any advice appreciated. System Preferences, click on cloud = Account status: An error was returned from server. Please try again later
    I have tried later many many times.
    Thanks,
    Sophie

    I don't know why you can't access it, but if you were a MobileMe subscriber with the free extra storage this has now been removed and your account will have reverted to 5GB.

  • Compiling/running Policy Agent 2.2 for Apache (Linux)

    Hi,
    I know that running the policy agent for Linux is not supported by Sun on other platforms than Red Hat Enterprise Linux, but anyway I'm curious to see if others have looked into this.
    I've done some testing on my Ubuntu Dapper Linux, using the precompiled version for Red Hat Enterprise, and I kind of made it work. Only problem: I have to start apache using "strace" to have it running. If I run /usr/sbin/apache2 I get "Segmentation Fault", but if I run "strace /usr/sbin/apache2" it runs... I'm able to create a core-dump, but to get something out of it I guess I have to compile the policy agent myself, so I've tried that as well.
    To compile I've checked out the opensso package by CVS and installed libxml2-2.6.23, nss-3.11, nspr-4.6.1 and apache-2.0.59, sort of like what it says in the Readme for compiling under Red Hat Enterprise Linux. Result from running "make BUILD_DEBUG=optimize BUILD_AGENT=apache" is:
    hash_table.h: In member function ‘typename smi::HashTable<Element>::EntryType smi::HashTable<Element>::findEntry(const std::string&)’:
    hash_table.h:319: error: expected ‘;’ before ‘__null’
    hash_table.h:319: warning: statement has no effect
    The test with the precompiled version was done on Ubuntu Dapper Linux using the standard apache 2.0.55 package that comes with Ubuntu. As I said: I've managed to get it running (doing SSO login through Federation Manager running on the same machine, with Access Manager running on another Solaris server) but I would prefer to have a setup that doesn't involve using "strace" to have apache with the policy agent module running... Anyone else done something like this?
    In the end I guess I would like to have some kind of release of the policy agent that doesn't have to be packaged as RPMs just for Red Hat Enterprise servers. It doesn't have to be flagged as "supported by Sun" but more like "you're on your own this release". ;-) That goes for the Federation Manager as well. I've managed to have the FM running on Ubuntu Dapper as well, so I know it's possible...
    - Anders

    The notes in this thread date from about October of 2006.
    Does anyone know why current versions of the gcc compiler refuse to compile the statement that leads to the reported error?
    The statement that is failing is:
        if (entry && entry->getExpirationTime() < PR_Now()) {
            return (HashTable<Element>::EntryType)NULL;
    with the error
        [exec] hash_table.h:320: error: expected ‘;’ before ‘__null’
    Is this a problem with the compiler or with the definition of the NULL macro?

  • Annoying 40105 errors upon return from called form

    I have 2 forms, A and B. A (the primary form) calls B via CALL_FORM. Sometimes, upon return from B, I get a whole slew of 40105 errors (cannot resolve reference to item), referring to fields in form B - fields that ARE valid in form B, but obviously not in A. Mind you, I am getting these errors when the primary form (A) is displayed. I have double checked that no reference exists in the primary form for these fields.
    I have put both ON-ERROR and ON-MESSAGE triggers at the form level of A to intercept 40105 yet they still get through.
    Any thoughts??
    Thanks.


  • How to catch error codes returned from java

    Hi all,
    Is there anyway to capture the exit code that is returned by System.exit() from java. I know a batch file's ERRORLEVEL can do this. However, I want to use c/cpp (JNI) to get this functionality. Please help ..
    Thanks in advance,
    Soujanya.R

    how could you expect me to use JAVA command without compiling it with Javac??
    I compiled the java code using javac and then called (executed) it using the Java..
    I am using JNI_CreateJavaVM() to create a JVM from CPP file. that works fine. Now, my issue is that I want to capture a couple of exit codes that are returned from the System.exit() of the java code.
    now, guys.. is there any way to capture the exit codes returned by System.exit() in or using JNI ??
    if yes, please help me with the code snippets.
    Thanks,
    Soujanya.R

  • Error 403--Forbidden- From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1

    I am getting the following error
    From RFC 2068 Hypertext Transfer Protocol -- HTTP/1.1:
    10.4.4 403 Forbidden
    The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
    It throws an error when I click on a button which in turn calls form authentication[edit.do] and it fails. LDAP server is configured for group- My Admin. We are using AMAgentFilter
    Its currently working in PRODUCTION WL8 with given configurations, please be noted that we have not changed anything in config files[web.xml/weblogic.xml]
    WEBLOGIC is configured for LDAP Server, I used the same credentials to log in, I am able to log in to the welcome screen, but when there is FORM AUTHENTICATION [edit.do], it fails.
    This edit button calls [edit.do]. It fails there. What do we need to check to make it work? We are upgrading from WL 8 to WL 10. It's working fine in WL8.
    Do we need to provide anything in WEBLOGIC server to configure the group name My Admin
    WEB.XML
         <!-- AM filter used for SSO -->
         <filter>
         <filter-name>Agent</filter-name>
         <display-name>Agent</display-name>
         <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
         </filter>
         <filter-mapping>
         <filter-name>Agent</filter-name>
         <url-pattern>/*</url-pattern>
         </filter-mapping>
    <security-constraint>
         <web-resource-collection>
         <web-resource-name>saveAction</web-resource-name>
         <url-pattern>edit.do</url-pattern>
         <url-pattern>update.do</url-pattern>     
         <http-method>POST</http-method>
         <http-method>GET</http-method>
         </web-resource-collection>     
         <auth-constraint>
         <role-name>Admin</role-name>
         </auth-constraint>
    </security-constraint>
    <security-role>
    <description>Admin</description>
    <role-name>Admin</role-name>
    </security-role>
    WEBLOGIC.XML
    <security-role-assignment>
    <role-name>Admin</role-name>
    <principal-name>My Admin</principal-name>
    </security-role-assignment>
    please provide me the checklist to find out the reason for this error.
    1, weblogic server configuration checklist
    2. LDAP Server configuration checklist
    Thanks

    Hi Sandeep M.
    Thanks for your reply,
    Another place means Purchase order standard page is there, in that "orders" and "agreements" two tabs are there, under orders Tab when user clicks on submit button
    ex :Go
    when user click on Go button Destination URI=OA.jsp?page=/xxiff/oracle/apps/icx/webui/XXIFFUcmPG&pgType=OrderPG&param={@PoHeaderId}
    same as under agreements tab
    when user click on  Go button
    Destination URI=OA.jsp?page=/xxiff/oracle/apps/icx/webui/XXIFFUcmPG&pgType=BlanketPG&param={@PoHeaderId}
    This custom page is being called using absolute page path and name not AOL function name

  • No log for am policy agent for iis6

    Hello!
    I'm trying to get Policy Agent for IIS to run on my Win Srv 2003 with IIS6 and Sharepoint Services.
    I am running the OpenSSO version of Access Manager.
    I have installed the agent and done the initial configuration.
    When I try to browse the resource I get a login prompt (IIS Basic Auth) and cannot log in, followed by "Not Authorized 401.3"
    I should get redirected to the AM Login page, shouldn't I?
    I tried to look for answers in the log file but the /debug/<id> directory is empty.
    Anyone know what to do?
    The amAgent.properties file:
    # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
    # The syntax of this file is that of a standard Java properties file,
    # see the documentation for the java.util.Properties.load method for a
    # complete description. (CAVEAT: The SDK in the parser does not currently
    # support any backslash escapes except for wrapping long lines.)
    # All property names in this file are case-sensitive.
    # NOTE: The value of a property that is specified multiple times is not
    # defined.
    # WARNING: The contents of this file are classified as an UNSTABLE
    # interface by Sun Microsystems, Inc. As such, they are subject to
    # significant, incompatible changes in any future release of the
    # software.
    # The name of the cookie passed between the Access Manager
    # and the SDK.
    # WARNING: Changing this property without making the corresponding change
    # to the Access Manager will disable the SDK.
    com.sun.am.cookie.name = iPlanetDirectoryPro
    # The URL for the Access Manager Naming service.
    com.sun.am.naming.url = http://login.lta.mil.se:8080/opensso/namingservice
    # The URL of the login page on the Access Manager.
    com.sun.am.policy.am.login.url = http://login.lta.mil.se:8080/opensso/UI/Login
    # Name of the file to use for logging messages.
    com.sun.am.policy.agents.config.local.log.file = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAgent
    # This property is used for Log Rotation. The value of the property specifies
    # whether the agent deployed on the server supports the feature of not. If set
    # to false all log messages are written to the same file.
    com.sun.am.policy.agents.config.local.log.rotate = true
    # Name of the Access Manager log file to use for logging messages to
    # Access Manager.
    # Just the name of the file is needed. The directory of the file
    # is determined by settings configured on the Access Manager.
    com.sun.am.policy.agents.config.remote.log = amAuthLog.sharepoint.lta.mil.se.80
    # Set the logging level for the specified logging categories.
    # The format of the values is
    # <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
    # The currently used module names are: AuthService, NamingService,
    # PolicyService, SessionService, PolicyEngine, ServiceEngine,
    # Notification, PolicyAgent, RemoteLog and all.
    # The all module can be used to set the logging level for all currently
    # none logging modules. This will also establish the default level for
    # all subsequently created modules.
    # The meaning of the 'Level' value is described below:
    # 0 Disable logging from specified module*
    # 1 Log error messages
    # 2 Log warning and error messages
    # 3 Log info, warning, and error messages
    # 4 Log debug, info, warning, and error messages
    # 5 Like level 4, but with even more debugging messages
    # 128 log url access to log file on AM server.
    # 256 log url access to log file on local machine.
    # If level is omitted, then the logging module will be created with
    # the default logging level, which is the logging level associated with
    # the 'all' module.
    # for level of 128 and 256, you must also specify a logAccessType.
    # *Even if the level is set to zero, some messages may be produced for
    # a module if they are logged with the special level value of 'always'.
    com.sun.am.log.level = 5
    # The org, username and password for Agent to login to AM.
    com.sun.am.policy.am.username = UrlAccessAgent
    com.sun.am.policy.am.password = PN4rEZ1uhx1404ivWY6HPQ==
    # Name of the directory containing the certificate databases for SSL.
    com.sun.am.sslcert.dir = C:/Sun/Access_Manager/Agents/2.2/iis6/cert
    # Set this property if the certificate databases in the directory specified
    # by the previous property have a prefix.
    com.sun.am.certdb.prefix =
    # Should agent trust all server certificates when Access Manager
    # is running SSL?
    # Possible values are true or false.
    com.sun.am.trust_server_certs = true
    # Should the policy SDK use the Access Manager notification
    # mechanism to maintain the consistency of its internal cache? If the value
    # is false, then a polling mechanism is used to maintain cache consistency.
    # Possible values are true or false.
    com.sun.am.notification.enable = true
    # URL to which notification messages should be sent if notification is
    # enabled, see previous property.
    com.sun.am.notification.url = http://sharepoint.lta.mil.se:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
    # This property determines whether URL string case sensitivity is
    # obeyed during policy evaluation
    com.sun.am.policy.am.url_comparison.case_ignore = true
    # This property determines the amount of time (in minutes) an entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.policy.am.polling.interval=3
    # This property allows the user to configure the User Id parameter passed
    # by the session information from the access manager. The value of User
    # Id will be used by the agent to set the value of REMOTE_USER server
    # variable. By default this parameter is set to "UserToken"
    com.sun.am.policy.am.userid.param=UserToken
    # Profile attributes fetch mode
    # String attribute mode to specify if additional user profile attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user profile attributes will be introduced.
    # HTTP_HEADER - additional user profile attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user profile attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
    # The user profile attributes to be added to the HTTP header. The
    # specification is of the format ldap_attribute_name|http_header_name[,...].
    # ldap_attribute_name is the attribute in data store to be fetched and
    # http_header_name is the name of the header to which the value needs
    # to be assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    # Session attributes mode
    # String attribute mode to specify if additional user session attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user session attributes will be introduced.
    # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
    # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
    # The session attributes to be added to the HTTP header. The specification is
    # of the format session_attribute_name|http_header_name[,...].
    # session_attribute_name is the attribute in session to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.session.attribute.map=
    # Response Attribute Fetch Mode
    # String attribute mode to specify if additional user response attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user response attributes will be introduced.
    # HTTP_HEADER - additional user response attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user response attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
    # The response attributes to be added to the HTTP header. The specification is
    # of the format response_attribute_name|http_header_name[,...].
    # response_attribute_name is the attribute in policy response to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.response.attribute.map=
    # The cookie name used in iAS for sticky load balancing
    com.sun.am.policy.am.lb.cookie.name = GX_jst
    # indicate where a load balancer is used for Access Manager
    # services.
    # true | false
    com.sun.am.load_balancer.enable = false
    ####Agent Configuration####
    # this is for product versioning, please do not modify it
    com.sun.am.policy.agents.config.version=2.2
    # Set the url access logging level. the choices are
    # LOG_NONE - do not log user access to url
    # LOG_DENY - log url access that was denied.
    # LOG_ALLOW - log url access that was allowed.
    # LOG_BOTH - log url access that was allowed or denied.
    com.sun.am.policy.agents.config.audit.accesstype = LOG_BOTH
    # Agent prefix
    com.sun.am.policy.agents.config.agenturi.prefix = http://sharepoint.lta.mil.se:80/amagent
    # Locale setting.
    com.sun.am.policy.agents.config.locale = en_US
    # The unique identifier for this agent instance.
    com.sun.am.policy.agents.config.instance.name = unused
    # Do SSO only
    # Boolean attribute to indicate whether the agent will just enforce user
    # authentication (SSO) without enforcing policies (authorization)
    com.sun.am.policy.agents.config.do_sso_only = true
    # The URL of the access denied page. If no value is specified, then
    # the agent will return an HTTP status of 403 (Forbidden).
    com.sun.am.policy.agents.config.accessdenied.url =
    # This property indicates if FQDN checking is enabled or not.
    com.sun.am.policy.agents.config.fqdn.check.enable = true
    # Default FQDN is the fully qualified hostname that the users should use
    # in order to access resources on this web server instance. This is a
    # required configuration value without which the Web server may not
    # startup correctly.
    # The primary purpose of specifying this property is to ensure that if
    # the users try to access protected resources on this web server
    # instance without specifying the FQDN in the browser URL, the Agent
    # can take corrective action and redirect the user to the URL that
    # contains the correct FQDN.
    # This property is set during the agent installation and need not be
    # modified unless absolutely necessary to accommodate deployment
    # requirements.
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
    # com.sun.am.policy.agents.config.fqdn.map
    com.sun.am.policy.agents.config.fqdn.default = sharepoint.lta.mil.se
    # The FQDN Map is a simple map that enables the Agent to take corrective
    # action in the case where the users may have typed in an incorrect URL
    # such as by specifying partial hostname or using an IP address to
    # access protected resources. It redirects the browser to the URL
    # with fully qualified domain name so that cookies related to the domain
    # are received by the agents.
    # The format for this property is:
    # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
    # This property can also be used so that the agents use the name specified
    # in this map instead of the web server's actual name. This can be
    # accomplished by doing the following.
    # Say you want your server to be addressed as xyz.hostname.com whereas the
    # actual name of the server is abc.hostname.com. The browsers only knows
    # xyz.hostname.com and you have specified polices using xyz.hostname.com at
    # the Access Manager policy console, in this file set the mapping as
    # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
    # Another example is if you have multiple virtual servers say rst.hostname.com,
    # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
    # abc.hostname.com and each of the virtual servers have their own policies
    # defined, then the fqdnMap should be defined as follows:
    # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    com.sun.am.policy.agents.config.fqdn.map =
    # Cookie Reset
    # This property must be set to true, if this agent needs to
    # reset cookies in the response before redirecting to
    # Access Manager for Authentication.
    # By default this is set to false.
    # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
    com.sun.am.policy.agents.config.cookie.reset.enable=false
    # This property gives the comma separated list of Cookies, that
    # need to be included in the Redirect Response to Access Manager.
    # This property is used only if the Cookie Reset feature is enabled.
    # The Cookie details need to be specified in the following Format
    # name[=value][;Domain=value]
    # If "Domain" is not specified, then the default agent domain is
    # used to set the Cookie.
    # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
    # token=value;Domain=subdomain.domain.com
    com.sun.am.policy.agents.config.cookie.reset.list=
    # This property gives the space separated list of domains in
    # which cookies have to be set in a CDSSO scenario. This property
    # is used only if CDSSO is enabled.
    # If this property is left blank then the fully qualified cookie
    # domain for the agent server will be used for setting the cookie
    # domain. In such case it is a host cookie instead of a domain cookie.
    # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
    com.sun.am.policy.agents.config.cookie.domain.list=
    # user id returned if accessing global allow page and not authenticated
    com.sun.am.policy.agents.config.anonymous_user=anonymous
    # Enable/Disable REMOTE_USER processing for anonymous users
    # true | false
    com.sun.am.policy.agents.config.anonymous_user.enable=false
    # Not enforced list is the list of URLs for which no authentication is
    # required. Wildcards can be used to define a pattern of URLs.
    # The URLs specified may not contain any query parameters.
    # Each service have their own not enforced list. The service name is suffixed
    # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
    # for a particular service. SPACE is the separator between the URL.
    com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
    # Boolean attribute to indicate whether the above list is a not enforced list
    # or an enforced list; When the value is true, the list means enforced list,
    # or in other words, the whole web site is open/accessible without
    # authentication except for those URLs in the list.
    com.sun.am.policy.agents.config.notenforced_list.invert = false
    # Not enforced client IP address list is a list of client IP addresses.
    # No authentication and authorization are required for the requests coming
    # from these client IP addresses. The IP address must be in the form of
    # eg: 192.168.12.2 1.1.1.1
    com.sun.am.policy.agents.config.notenforced_client_ip_list =
    # Enable POST data preservation; By default it is set to false
    com.sun.am.policy.agents.config.postdata.preserve.enable = false
    # POST data preservation : POST cache entry lifetime in minutes,
    # After the specified interval, the entry will be dropped
    com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.config.cdsso.enable=false
    # This is the URL the user will be redirected to for authentication
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.config.cdcservlet.url =
    # Enable/Disable client IP address validation. This validate
    # will check if the subsequent browser requests come from the
    # same ip address that the SSO token is initially issued against
    com.sun.am.policy.agents.config.client_ip_validation.enable = false
    # Below properties are used to define cookie prefix and cookie max age
    com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
    com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
    # Logout URL - application's Logout URL.
    # This URL is not enforced by policy.
    # if set, agent will intercept this URL and destroy the user's session,
    # if any. The application's logout URL will be allowed whether or not
    # the session destroy is successful.
    com.sun.am.policy.agents.config.logout.url=
    # Any cookies to be reset upon logout in the same format as cookie_reset_list
    com.sun.am.policy.agents.config.logout.cookie.reset.list =
    # By default, when a policy decision for a resource is needed,
    # agent gets and caches the policy decision of the resource and
    # all resource from the root of the resource down, from the Access Manager.
    # For example, if the resource is http://host/a/b/c, the the root of the
    # resource is http://host/. This is because more resources from the
    # same path are likely to be accessed subsequently.
    # However this may take a long time the first time if there
    # are many many policies defined under the root resource.
    # To have agent get and cache the policy decision for the resource only,
    # set the following property to false.
    com.sun.am.policy.am.fetch_from_root_resource = true
    # Whether to get the client's hostname through DNS reverse lookup for use
    # in policy evaluation.
    # It is true by default, if the property does not exist or if it is
    # any value other than false.
    com.sun.am.policy.agents.config.get_client_host_name = true
    # The following property is to enable native encoding of
    # ldap header attributes forwarded by agents. If set to true
    # agent will encode the ldap header value in the default
    # encoding of OS locale. If set to false ldap header values
    # will be encoded in UTF-8
    com.sun.am.policy.agents.config.convert_mbyte.enable = false
    #When the not enforced list or policy has a wildcard '*' character, agent
    #strips the path info from the request URI and uses the resulting request
    #URI to check against the not enforced list or policy instead of the entire
    #request URI, in order to prevent someone from getting access to any URI by
    #simply appending the matching pattern in the policy or not enforced list.
    #For example, if the not enforced list has the value http://host/*.gif,
    #stripping the path info from the request URI will prevent someone from
    #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
    #However when a web server (for exmample apache) is configured to be a reverse
    #proxy server for a J2EE application server, path info is interpreted in a different
    #manner since it maps to a resource on the proxy instead of the app server.
    #This prevents the not enforced list or policy from being applied to part of
    #the URI below the app serverpath if there is a wildcard character. For example,
    #if the not enforced list has value http://host/webapp/servcontext/* and the
    #request URL is http://host/webapp/servcontext/example.jsp the path info
    #is /servcontext/example.jsp and the resulting request URL with path info stripped
    #is http://host/webapp, which will not match the not enforced list. By setting the
    #following property to true, the path info will not be stripped from the request URL
    #even if there is a wild character in the not enforced list or policy.
    #Be aware though that if this is set to true there should be nothing following the
    #wildcard character '*' in the not enforced list or policy, or the
    #security loophole described above may occur.
    com.sun.am.policy.agents.config.ignore_path_info = false
    # Override the request url given by the web server with
    # the protocol, host or port of the agent's uri specified in
    # the com.sun.am.policy.agents.agenturiprefix property.
    # These may be needed if the agent is sitting behind a ssl off-loader,
    # load balancer, or proxy, and either the protocol (HTTP scheme),
    # hostname, or port of the machine in front of agent which users go through
    # is different from the agent's protocol, host or port.
    com.sun.am.policy.agents.config.override_protocol =
    com.sun.am.policy.agents.config.override_host =
    com.sun.am.policy.agents.config.override_port = true
    # Override the notification url in the same way as other request urls.
    # Set this to true if any one of the override properties above is true,
    # and if the notification url is coming through the proxy or load balancer
    # in the same way as other request url's.
    com.sun.am.policy.agents.config.override_notification.url =
    # The following property defines how long to wait in attempting
    # to connect to an Access Manager AUTH server.
    # The default value is 2 seconds. This value needs to be increased
    # when receiving the error "unable to find active Access Manager Auth server"
    com.sun.am.policy.agents.config.connection_timeout =
    # Time in milliseconds the agent will wait to receive the
    # response from Access Manager. After the timeout, the connection
    # will be drop.
    # A value of 0 means that the agent will wait until receiving the response.
    # WARNING: Invalid value for this property can result in
    # the resources becoming inaccessible.
    com.sun.am.receive_timeout = 0
    # The three following properties are for IIS6 agent only.
    # The two first properties allow to set a username and password that will be
    # used by the authentication filter to pass the Windows challenge when the Basic
    # Authentication option is selected in Microsoft IIS 6.0. The authentication
    # filter is named amiis6auth.dll and is located in
    # Agent_installation_directory/iis6/bin. It must be installed manually on
    # the web site ("ISAPI Filters" tab in the properties of the web site).
    # It must also be uninstalled manually when unintalling the agent.
    # The last property defines the full path for the authentication filter log file.
    com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAuthFilter

    If the agent does not start properly you would always get redirected to com.sun.am.policy.agents.config.accessdenied.url; if that's not specified you will get a 403.
    For the agent itself, check that the naming.url is correct, that the agent username and password are correct, and that the user has privileges to write to the agent log files. Apart from these, post the Windows event logs.
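The checks suggested in the reply above (naming URL, agent credentials, write access to the agent log directory), plus two warnings drawn from the posted file's own comments, as an added example that is not part of the original thread or of Sun's tooling. The sample text is a constructed excerpt of the posted file, the function names are hypothetical, and treating a literal SERVER_PROTO:// entry as an unswapped installer token is an assumption.

```python
import os
from urllib.parse import urlparse

CFG = "com.sun.am.policy.agents.config."
AM = "com.sun.am.policy.am."

# Constructed excerpt of the posted file; the password value is a placeholder.
SAMPLE = """\
# constructed sample, not the full file
com.sun.am.naming.url = http://login.lta.mil.se:8080/opensso/namingservice
com.sun.am.policy.agents.config.local.log.file = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAgent
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = PLACEHOLDER_ENCRYPTED_VALUE
com.sun.am.trust_server_certs = true
com.sun.am.policy.agents.config.accessdenied.url =
com.sun.am.policy.agents.config.ignore_path_info = false
com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* \\
    http://host/*.gif
"""


def parse_properties(text):
    """Parse 'key = value' lines; '#' starts a comment, a trailing backslash wraps a line."""
    props, pending = {}, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped.startswith("#")):
            continue
        line = pending + stripped
        if line.endswith("\\"):
            pending = line[:-1]  # keep the text, drop the wrap marker
            continue
        pending = ""
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def dir_is_writable(path):
    """True if the directory exists and the current account may create files in it."""
    return os.path.isdir(path) and os.access(path, os.W_OK)


def audit(props, writable=dir_is_writable):
    """Return (severity, property, message) findings; never echoes the password value."""
    out = []
    url = urlparse(props.get("com.sun.am.naming.url", ""))
    if url.scheme not in ("http", "https") or not url.hostname:
        out.append(("ERROR", "com.sun.am.naming.url", "missing or not a valid http(s) URL"))
    elif url.scheme == "http":
        out.append(("WARN", "com.sun.am.naming.url", "plain HTTP to Access Manager"))

    for name in ("username", "password"):
        if not props.get(AM + name):
            out.append(("ERROR", AM + name, "agent credential is empty"))

    log_file = props.get(CFG + "local.log.file", "")
    log_dir = os.path.dirname(log_file)
    if not log_file or not writable(log_dir):
        out.append(("ERROR", CFG + "local.log.file", f"log directory not writable: {log_dir!r}"))

    if props.get("com.sun.am.trust_server_certs", "").lower() == "true":
        out.append(("WARN", "com.sun.am.trust_server_certs", "all server certificates are trusted"))
    if not props.get(CFG + "accessdenied.url"):
        out.append(("INFO", CFG + "accessdenied.url", "empty: denials surface as HTTP 403"))

    # Per the file's comment: with ignore_path_info=true nothing may follow the '*'.
    keep_path_info = props.get(CFG + "ignore_path_info", "").lower() == "true"
    for entry in props.get(CFG + "notenforced_list", "").split():
        if entry.startswith("SERVER_PROTO://"):  # assumption: unswapped installer token
            out.append(("WARN", CFG + "notenforced_list", f"unreplaced installer token: {entry}"))
        elif keep_path_info and entry.partition("*")[2]:
            out.append(("WARN", CFG + "notenforced_list",
                        f"text after wildcard with ignore_path_info=true: {entry}"))
    return out


if __name__ == "__main__":
    for severity, key, message in audit(parse_properties(SAMPLE)):
        print(f"{severity:5} {key}: {message}")
```

Run it under the account the web server uses, so the log-directory result reflects the agent's own privileges rather than an administrator's.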

  • Problem Installing Policy Agent 2.2 on Apache 2.2.3

    Hi all,
    I'm trying to configure policy agent 2.2 on apache 2.2.3 on linux platform CentOS (red hat 5.1).
    The configuration and the installation seem to work properly, in effect in the log file install.log you can find :
    [06/10/2008 16:38:49:865 CEST] Creating directory layout and configuring Agent file for Agent_001 instance ...SUCCESSFUL.
    [06/10/2008 16:38:49:936 CEST] Reading data from file /opt/web_agents/apache22_agent/passwordFile and encrypting it ...SUCCESSFUL.
    [06/10/2008 16:38:49:937 CEST] Generating audit log file name ...SUCCESSFUL.
    [06/10/2008 16:38:50:022 CEST] Creating tag swapped AMAgent.properties file for instance Agent_001 ...SUCCESSFUL.
    [06/10/2008 16:38:50:026 CEST] Creating a backup for file /etc/httpd/conf/httpd.conf ...SUCCESSFUL.
    [06/10/2008 16:38:50:031 CEST] Adding Agent parameters to /opt/web_agents/apache22_agent/Agent_001/config/dsame.conf file ...SUCCESSFUL.
    [06/10/2008 16:38:50:032 CEST] Adding Agent parameters to /etc/httpd/conf/httpd.conf file ...SUCCESSFUL.
    But, when I try to restart Apache it gives me an error and in the error.log file in Apache you can read:
    [Tue Jun 10 16:57:33 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Tue Jun 10 16:57:34 2008] [notice] Digest: generating secret for digest authentication ...
    [Tue Jun 10 16:57:34 2008] [notice] Digest: done
    [Tue Jun 10 16:57:34 2008] [alert] Policy web agent configuration failed: NSPR error
    Configuration Failed
    Well, I found in the Sun documentation a well known bug about the NSPR and NSS library :
    Error message issued during installation of Policy Agent 2.2 on Linux systems
    When the Linux operating system is installed, specific components can be selected. Occasionally the specific components of the operating system selected lack the libraries necessary for Policy Agent 2.2 to function. When the complete Linux operating system is installed, all the required libraries are available. The libraries that are required for the agent to function are as follows: NSPR, NSS, and libxml2.
    Workaround: If the Linux operating system you are using is not complete, install the latest versions of these libraries as described in the steps that follow:
    At the time this note was added, the latest version of the NSPR library packages was NSPR 4.6.x , while the latest version of the NSS library package was NSS 3.11.x.
    To Install Missing Libraries for Policy Agent 2.2 on Linux Systems
    Install the NSS, and libxml2 libraries. These libraries are usually available as part of Linux installation media. NSPR and NSS are available as part of Mozilla binaries/development packages. You can also check the following sites:
      o NSPR: http://www.mozilla.org/projects/nspr/
      o NSS: http://www.mozilla.org/projects/security/pki/nss/
    So, I checked my libraries but they are upgraded to the latest version.
    If I comment the line that includes the libamapc22.so in the apache configuration file
    LoadModule dsame_module /opt/web_agents/apache22_agent/lib/libamapc22.so
    Apache can restart but the agent is misconfigured!
    Any Idea?

    thank you Subhodeep for your reply,
    I didn't try to change the library file and I didn't find in the literature any information about changing the library file in the Policy Agent installation. Please, could you suggest something more about which library to use instead of libamapc22.so?
    ps. I am using red hat 5.1, and from the release note of the policy agent seems that the latest platform version supported is red hat enterprise linux 4.0 versions.....
    this one could definitely be the reason of the misconfiguration.

  • Eprint error creating account: Ajax submit failed: error = 403, Forbidden

    I am trying to create an eprint account. but when I hit submit I get:
    Ajax submit failed: error = 403, Forbidden
    I am running from a mac with OSX 10.8. And a new HP Photosmart 6515. The browser is Safari version 6.0.
    I've tried different names, screen names, passwords etc....
    THANKS,
    Tim
    This question was solved.

    Hi there, this issue can usually be resolved by deleting your browsers cache and restarting the browser. Other forum users have confirmed that using an alternative browser type can also work (Mozilla FF and Google Chrome have both been cited).
    Try these suggestions and see how you get on.
    If my reply helped you, feel free to click on the Kudos button (hover over the "thumbs up").
    If my reply solved your problem please click on the Accepted Solution button so other Forum users may benefit from viewing the post.
    I am an HP employee.
