Exporting Access Manager configuration

Is there a way that one can import and export Access Manager configurations (i.e. realms, datastores, policy configs, etc) from an existing installed instance?
We have a number of environments planned to host Access Manager for different project phases (e.g. test, staging, production). We want to configure one AM instance only, and then simply apply all configs in other environments in an easy manner. At the moment we have to manually enter all configuration details through the Access Manager web console; huge hassle!

Hi,
You need to user "amadmin" script for this to export xml configuration files ( amPolicyConfig.xml, amAuthDataStore.xml ).
You can also try something "brute-force" like exporting configurations from LDAP server to ldif, modifying the necessary stuff ( server-names etc, platform id ) and then importing them to another environment with AM installed. I have done this for AM 7.1 before discovering the export tools, it works.
Hope it helps,
Andrei

Similar Messages

Oracle Access Manager - Configuration Manager Success Stories

The Oracle Access Manager Configuration Manager [http://download-uk.oracle.com/docs/cd/B28196_01/idmanage.1014/b32392.pdf] has been around for about a year now. I'm looking for any feedback regarding this product:
Has anyone deployed it?
How successful was the deployment?
Is the tool doing what you expected it to do?
Thanks for any responses.
Mark

@pokurik: cn=orcladmin is the full DN. In OID there are two orcladmin users with different ACLs.
Which OAM version? Always provide the version you are using.
--olaf

Oracle Access Manager Configuration : Cannot find the Person Object Class

Hi,
I am trying to install OAM , I am getting the following error when i am configuring the Identity server for the first time.
1) I have installed OID. I am using one OID for both config and user data.
2) I have installed Identity server and have modified the OID schema automically during installation.
3) I have installed web pass.
I have gone to the url: http://trn-ps-oid.oracle.com:7777/identity/oblix
Here i gone to Identity System Console to configure Identity server.
Following are the config data i have given
Configuration DN : dc=mydomain,dc=com
Search Base : dc=mydomain,dc=com
Host : mypc.mydomain.com
Port Number : 389
Root DN : cn=orcladmin
Root Password : *******
Directory Server Security Mode : Open
Is the Configuration data stored in this directory also : Yes
Person Object Class : inetorgperson
Auto configure objectclass : yes
Group Object Class : groupOfUniqueNames
Auto configure objectclass : yes
After this I have clicked on the restart server button.
It comes back to the page asking to enter Person Object class details.
I Get the Error : Cannot find the Person Object Class.
I have checked the object class in OID it is there, I have verified the connection details are also correct.
Any Ideas what might be wrong.
Earlier during setup i had to modify the OID schema, how do i check if this has been done.
Any Ideas

<?xml version="1.0" encoding="utf-8"?>
<ValNameList
xmlns="http://www.oblix.com"
ListName="setup.xml">
<NameValPair
ParamName="mainOIS"
Value="true"></NameValPair>
<NameValPair
ParamName="currentStep"
Value="LDAP_CONFIG_CHANGES"></NameValPair>
<NameValPair
ParamName="status"
Value="incomplete"></NameValPair>
<NameValPair
ParamName="whichDB"
Value="OID"></NameValPair>
<NameValPair
ParamName="dataDirCopied"
Value="TRUE"></NameValPair>
<NameValPair
ParamName="machineNo"
Value="localhost"></NameValPair>
<NameValPair
ParamName="portNo"
Value="389"></NameValPair>
<NameValPair
ParamName="rootDN"
Value="cn=orcladmin,cn=Users,dc=mydomain,dc=com"></NameValPair>
<NameValPair
ParamName="ldapRootPasswd"
Value="**************"></NameValPair>
<NameValPair
ParamName="securityMode"
Value="Open"></NameValPair>
<NameValPair
ParamName="oblixUserDataSame"
Value="Yes"></NameValPair>
<NameValPair
ParamName="searchBase"
Value="dc=mydomain,dc=com"></NameValPair>
<NameValPair
ParamName="configDN"
Value="dc=mydomain,dc=com"></NameValPair>
<NameValPair
ParamName="obClassPerson"
Value="inetorgperson"></NameValPair>
<NameValPair
ParamName="defaultConfigForPersonOC"
Value="true"></NameValPair>
<NameValPair
ParamName="obClassGroup"
Value="groupOfUniqueNames"></NameValPair>
<NameValPair
ParamName="defaultConfigForGroupOC"
Value="true"></NameValPair>
<NameValPair
ParamName="obOldClassPerson"
Value="inetorgperson"></NameValPair>
<NameValPair
ParamName="obOldClassGroup"
Value="groupOfUniqueNames"></NameValPair>
</ValNameList>

Can not configure Access Manager

Hi all,
1. I istalled Sun java messaging server 6.
2. I edit amsamplesilent to prepare amsamplesilent.my:
# cd /opt/SUNWam/bin
#mv amsamplesilent amsamplesilent.my
3. I configure Access Manager:
#./amconfig -s amsamplesilent.my but get the following error:
# ./amconfig amsamplesilent.my
Usage: amconfig -s <silentinputfile>
./amconfig: Sourcing ./amutils
ln: cannot create /opt/SUNWam/lib/jaxrpc-spi.jar: File exists
chown: jaxrpc-spi.jar: No such file or directory
full install
./amdsconfig: Sourcing ./amutils
LD_LIBRARY_PATH is --- /usr/lib/mps/secv1:/usr/lib/mps/secv1:/usr/lib/mps/secv1:/opt/SUNWam/lib:/opt/SUNWam/ldaplib/ldapsdk
CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss3.jar:/opt/SUNWam/lib/am_sdk.jar
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 4
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 5
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 6
ERROR : Loading of Access Manager schema into the Directory failed
Starting the tag swapping of the install.ldif and installExisting.ldif
ROOT_SUFFIX is dc=iplanet,dc=com
People_NM_ROOT_SUFFIX is People_dc=iplanet_dc=com
SERVER_HOST sample.red.iplanet.com
DIRECTORY_SERVER sample.red.iplanet.com
DIRECTORY_PORT 389
USER_NAMING_ATTR uid
ORG_NAMING_ATTR o
CONSOLE_DEPLOY_URI /amconsole
ORG_OBJECT_CLASS sunismanagedorganization
RS_RDN iplanet
USER_OBJECT_CLASS inetorgperson
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
ERROR : Configuring/Loading of the default DIT in the Directory Server failed
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
Warning : Plugins and Indexes already exist.
./amsvcconfig: Sourcing ./amutils
LD_LIBRARY_PATH is --- /usr/lib/mps/secv1:/usr/lib/mps/secv1:/usr/lib/mps/secv1:/opt/SUNWam/lib:/opt/SUNWam/ldaplib/ldapsdk
CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss3.jar:/opt/SUNWam/lib/am_sdk.jar
ldap_simple_bind: Can't connect to the LDAP server - No route to host
Loading service schema XML files ...
Info 112: Entering ldapAuthenticate method!
Error 15: Cannot authenticate user.
LDAP authentication failed.
Error 9: Operation failed: Error 15: Cannot authenticate user.
Error occured while loading: /etc/opt/SUNWam/config/ums/ums.xml
./amws61config: Sourcing ./amutils
/opt/SUNWam/console.war: No such file or directory
current web app is applications
copying files from sunwamconsdk
Swapping tag swap in index.html files ...
Making amconsole.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/applications (/opt/SUNWam/amconsole.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/applications for /amconsole
wdeploy deploy -u /amconsole -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/applications /opt/SUNWam/amconsole.war
[wdeploy] The war file name is /opt/SUNWam/amconsole.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amconsole
/opt/SUNWam/services.war: No such file or directory
current web app is services
Swapping tag swap in index.html files ...
Making amserver.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/services (/opt/SUNWam/amserver.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/services for /amserver
wdeploy deploy -u /amserver -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/services /opt/SUNWam/amserver.war
[wdeploy] The war file name is /opt/SUNWam/amserver.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amserver
/opt/SUNWam/password.war: No such file or directory
current web app is password
Swapping tag swap in index.html files ...
Making ampassword.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/password (/opt/SUNWam/ampassword.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/password for /ampassword
wdeploy deploy -u /ampassword -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/password /opt/SUNWam/ampassword.war
[wdeploy] The war file name is /opt/SUNWam/ampassword.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /ampassword
/opt/SUNWam/introduction.war: No such file or directory
current web app is common
Swapping tag swap in index.html files ...
Making amcommon.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/common (/opt/SUNWam/amcommon.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/common for /amcommon
wdeploy deploy -u /amcommon -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/common /opt/SUNWam/amcommon.war
[wdeploy] The war file name is /opt/SUNWam/amcommon.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amcommon
Checking if Web Server is already configed with Access Manager
Configuring Web Server
Mime type: 'type=text/vnd.wap.wml' already exists: Skipping ....
Mime type: 'type=image/vnd.wap.wbmp' already exists: Skipping ....
I tried again but I still get this error.
Any Ideas for this problem?
Thanks.

ldap_simple_bind: Can't connect to the LDAP server - No route to host
i would consider this a fatal error.
The system cannot locate where your Directory Server is. "no route to host" means that it's trying to get to the host, but your networking isn't set up correctly, and it doesn't find any route to get to the specified host.

UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)

PREAMBULA: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc-links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
Is there some known bug or workaround that matches this description?
Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in UWC/CE web-interface. I have reported them before, then they seemed fixed (not occuring for several tests in a row), but as time has shown, something wrong is still there.
So I'll try to go into deeper detail now, as we've may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
Our setup is split into several Solaris 10 full-root zones hosted on several servers, some of the components are enroute to HA (perhaps we made some mistakes on this part of the way?)
So, we have the following software stack:
1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its servicess.
The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
# imsimta version
Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
"Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (i.e. www.mail.domain.ru which is equivalent in DNS), they have only the Address book, Calendar and Options tabs; no webmail. So far this is resolved by Policy Agent forcing The One name of the server.
Here's the configuration we did specifically for AM SSO:
1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
com.iplanet.am.cookie.encode=false
am.encryption.pwd=<the same value>
all hostname-related parameters point to "psam.domain.ru"
2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
3) in "msg.conf" on "sunmail" (entries added via configutil):
local.webmail.sso.amcookiename = iPlanetDirectoryPro
local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
local.webmail.sso.singlesignoff = yes
local.webmail.sso.uwcenabled = 1
service.http.ipsecurity = no
(perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
--- main.js.orig        Sat Jan 26 07:52:09 2008
+++ main.js     Mon Jul 21 01:06:29 2008
@@ -667,7 +667,8 @@
function cleanup() {
   if(laurel)
-      top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+//      top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+      top.window.location = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
   else
       exec('logout', '', 'exit()')
@@ -1707,7 +1708,8 @@
   if(lg) {
         url = document.location.href
         url = url.substr(0,url.indexOf('webmail'))
-        uwcurl = url + 'base/UWCMain?op=logout'
+//      uwcurl = url + 'base/UWCMain?op=logout'
+        uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
   exit()
}6) Calendar SSO - per docs...
According to ngrep sniffing,
1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
<Request><![CDATA[
<NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
<GetNamingProfile>
</GetNamingProfile>
</NamingRequest>]]>
</Request>
</RequestSet>(receives a large XML list of different Access Manager configuration parameters and URLs)
...then a double-request to /amserver/sessionservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="Session" reqid="686">
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="678">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]>
</Request>
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="679">
<AddSessionListener>
<URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</AddSessionListener>
</SessionRequest>]]>
</Request>
</RequestSet>As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
!!!*** Now, the problem part ***!!!
8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
For the most detail I can provide, I'll even paste the whole HTTP packet:
POST /amserver/sessionservice HTTP/1.1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
Content-type: text/xml;charset=UTF-8
Content-length: 336
Cache-control: no-cache
Pragma: no-cache
User-agent: Java/1.5.0_09
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Host: cos-psam-01.domain.ru
Client-ip: 194.xxx.xxx.xxx
Via: 1.1 https-weblb.domain.ru
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="258">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]></Request>
</RequestSet> The server's error response is apparent:
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 31 Jul 2008 05:49:50 GMT
Content-type: text/html
Transfer-encoding: chunked
19b
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="258">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
<GetSession>
<Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
</GetSession>
</SessionResponse>]]></Response>
</ResponseSet>On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
POST /amserver/sessionservice HTTP/1.1
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
Content-Type: text/xml;charset=UTF-8
Content-Length: 379
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.5.0_09
Host: psam.domain.ru
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="281">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
<SetProperty>
<SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
<Property name="uwcstatus" value="active"></Property>
</SetProperty>
</SessionRequest>]]></Request>
</RequestSet> ...and the response is OK:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="281">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
<SetProperty>
<OK></OK>
</SetProperty>
</SessionResponse>]]></Response>
</ResponseSet>

There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
The solution for these customers was the following:
=> AM server/client side:
Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
=> AM client (UWC) side:
- Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
<sun-web-app>
   <property name="encodeCookies" value="false"/>
   <session-config>
      <session-manager/>
   </session-config>
   <jsp-config/>
<property name="allowLinking" value="true" />
</sun-web-app>Regards,
Shane.

Error when installing access manager

Hi im following this install steps:
http://wikis.sun.com/display/CommSuite/Sun+Java+Communications+Suite+6+on+a+Single+Host+(Linux)
i cannot install access manage from JES in my RH4
during installation i see the error in the instal log:
Java not found at ${JAVA_HOME}/bin/java|#]
[#|2008-09-09T18:56:26-05:00|SEVERE|JavaES|JavaESConfig|_versionID=1.0;_threadID=11;_SourceJavaFile=IdentityServLinuxConfigurator;_SourceMethodName=execConfigScipt();_JavaESMessageID=JavaES_ConfigIS24;_JavaESResourceBundle=EntSysLoggingResources;_JavaESArg1=2|Access Manager Configuration Failed ...2|#]
[#|2008-09-09T18:56:26-05:00|FINE|JavaES|JavaESConfig|_versionID=1.0;_threadID=11;_SourceJavaFile=IdentityServLinuxConfigurator;_SourceMethodName=execConfigScipt();_JavaESMessageID=JavaES_ConfigIS10;_JavaESResourceBundle=EntSysLoggingResources|Exiting Method|#]look at my java_home:
[root@xxx Linux_x86]# ${JAVA_HOME}/bin/java -version
java version "1.5.0_16"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_16-b02)
Java HotSpot(TM) Server VM (build 1.5.0_16-b02, mixed mode)
cd ${JAVA_HOME}/bin/
[root@xxx bin]# ls -la java
-rwxr-xr-x 1 root root 64280 May 28 04:48 javathanks for the help.

JavierGalindo wrote:
[root@xxx Linux_x86]# ${JAVA_HOME}/bin/java -version
java version "1.5.0_16"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_16-b02)
Java HotSpot(TM) Server VM (build 1.5.0_16-b02, mixed mode)
Your problem may indeed be due to JAVA_HOME pointing to a JRE install vs. the full JDK install which is provided by the JES installer. My own test installation which I based in the installation guide on doesn't have JAVA_HOME set e.g.
[root@server bin]# env | grep JAVA_HOME
[root@melkor bin]#Try un-setting the JAVA_HOME environment setting (e.g. unset JAVA_HOME) and reattempt the install.
Regards,
Shane.

Portal 7.1 + Access Manager in realm mode

OS Solaris SPARC 9.
Components already installed: SJES Directory Server + SJES5 Web Server + SJES5 Access Manager (configured in realm mode with 'Configure now' option selected).
Web Server is listenin on port 8088.
It is said in "SJES5 Installation Guide for UNIX) that Portal Server supports Realm mode only if Access Manager is configured with Directory Server, with AMSDK configured for the data store.
I've installed AMSDK at the same time when installed AM itself. No postinstallition configuration was made.
But when I try to install Portal 7.1 (using SJES5 GUI installer, in 'configure now' mode) in realm mode, i receive following errors during installition:
Sun enterprise system 5 - installed
Java DB - installed (configure after install)
System Registry 3.1 installed (configure after install)
Java System Portal - installed (configuration failed)
Exploring /var/opt/SUNWportal/logs/config/portal.fabric.0.0.log shows following errors:
WARNING     SJS Portal Server     debug.com.sun.portal.fabric.config     "ThreadID=10; ClassName=com.sun.portal.fabric.config.ValidatePortalInputData; MethodName=validateSharedComponents; "     PSFB_CSPFC0301:The Directory PrivateLibDir is *not* being validated.
SEVERE     SJS Portal Server     debug.com.sun.portal.fabric.config     "ThreadID=10; ClassName=com.sun.portal.fabric.config.ValidatePortalInputData; MethodName=checkPSAMInstallData; "     PSFB_CSPFC0061:The Access Manager Configuration File /etc/opt/SUNWam/config/AMConfig.properties exists with required permissions.
SEVERE     SJS Portal Server     debug.com.sun.portal.fabric.util     "ThreadID=10; ClassName=com.sun.portal.fabric.util.NetworkUtil; MethodName=isPortValid; "     PSFB_CSPFU0011: The Port 8989 on server.org.com is being used.
SEVERE     SJS Portal Server     debug.com.sun.portal.fabric.util     "ThreadID=10; ClassName=com.sun.portal.fabric.util.NetworkUtil; MethodName=isPortValid; "     PSFB_CSPFU0011: The Port 8088 on server.org.com is being used.
SEVERE     SJS Portal Server     debug.com.sun.portal.fabric.config     "ThreadID=10; ClassName=com.sun.portal.fabric.config.PortalConfigurator; MethodName=createPortalInstances; "     PSFB_CSPFC0041:Failed invoking mbean action : create instance.
javax.management.MBeanException: Exception thrown in operation createAndFinalizeInstance
"     at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:435)"
"     at com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)"
"     at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)"
"     at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)"
"     at com.sun.jdmk.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:203)"
"     at com.sun.jdmk.interceptor.MBeanServerInterceptorWrapper.invoke(MBeanServerInterceptorWrapper.java:512)"
"     at com.sun.portal.admin.server.PortalServerLoggingInterceptor.invoke(PortalServerLoggingInterceptor.java:422)"
"     at com.sun.cacao.agent.DispatchInterceptor.invoke(DispatchInterceptor.java:662)"
"     at com.sun.cacao.agent.auth.impl.AccessControlInterceptor.invoke(AccessControlInterceptor.java:618)"
"     at com.sun.jdmk.JdmkMBeanServerImpl.invoke(JdmkMBeanServerImpl.java:764)"
"     at com.sun.cacao.common.instrum.impl.InstrumDefaultForwarder.invoke(InstrumDefaultForwarder.java:106)"
"     at javax.management.remote.generic.ServerIntermediary.handleRequest(ServerIntermediary.java:280)"
"     at javax.management.remote.generic.ServerIntermediary$PrivilegedRequestJob.run(ServerIntermediary.java:951)"
"     at java.security.AccessController.doPrivileged(Native Method)"
"     at javax.management.remote.generic.ServerIntermediary$RequestHandler.handleMBSReqMessage(ServerIntermediary.java:727)"
"     at javax.management.remote.generic.ServerIntermediary$RequestHandler.execute(ServerIntermediary.java:629)"
"     at com.sun.jmx.remote.generic.ServerSynchroMessageConnectionImpl$RemoteJob.run(ServerSynchroMessageConnectionImpl.java:249)"
"     at com.sun.jmx.remote.opt.util.ThreadService$ThreadServiceJob.run(ThreadService.java:208)"
"     at com.sun.jmx.remote.opt.util.JobExecutor.run(JobExecutor.java:59)"
Caused by: com.sun.portal.admin.common.PSMBeanException: java.lang.SecurityException: authentication failure: Authentication failed: Error occurred while processing XML request.
Connection refused
com.sun.cacao.agent.impl.CacaoJmxConnectorProvider.newJMXConnector(CacaoJmxConnectorProvider.java:388)
javax.management.remote.JMXConnectorFactory.getConnectorAsService(JMXConnectorFactory.java:415)
javax.management.remote.JMXConnectorFactory.newJMXConnector(JMXConnectorFactory.java:307)
javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:247)
com.sun.portal.admin.common.util.AdminUtil.getConnector(AdminUtil.java:813)
com.sun.portal.admin.server.AdminServerUtil.getJMXConnector(AdminServerUtil.java:81)
com.sun.portal.fabric.mbeans.Portal.createAndFinalizeInstance(Portal.java:549)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:585)
com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:414)
com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)
com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
com.sun.jdmk.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:203)
com.sun.jdmk.interceptor.MBeanServerInterceptorWrapper.invoke(MBeanServerInterceptorWrapper.java:512)
com.sun.portal.admin.server.PortalServerLoggingInterceptor.invoke(PortalServerLoggingInterceptor.java:422)
com.sun.cacao.agent.DispatchInterceptor.invoke(DispatchInterceptor.java:662)
com.sun.cacao.agent.auth.impl.AccessControlInterceptor.invoke(AccessControlInterceptor.java:618)
com.sun.jdmk.JdmkMBeanServerImpl.invoke(JdmkMBeanServerImpl.java:764)
com.sun.cacao.common.instrum.impl.InstrumDefaultForwarder.invoke(InstrumDefaultForwarder.java:106)
javax.management.remote.generic.ServerIntermediary.handleRequest(ServerIntermediary.java:280)
javax.management.remote.generic.ServerIntermediary$PrivilegedRequestJob.run(ServerIntermediary.java:951)
java.security.AccessController.doPrivileged(Native Method)
javax.management.remote.generic.ServerIntermediary$RequestHandler.handleMBSReqMessage(ServerIntermediary.java:727)
javax.management.remote.generic.ServerIntermediary$RequestHandler.execute(ServerIntermediary.java:629)
com.sun.jmx.remote.generic.ServerSynchroMessageConnectionImpl$RemoteJob.run(ServerSynchroMessageConnectionImpl.java:249)
com.sun.jmx.remote.opt.util.ThreadService$ThreadServiceJob.run(ThreadService.java:208)
com.sun.jmx.remote.opt.util.JobExecutor.run(JobExecutor.java:59)
"     at com.sun.portal.fabric.mbeans.Portal.createAndFinalizeInstance(Portal.java:564)"
"     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)"
"     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)"
"     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)"
"     at java.lang.reflect.Method.invoke(Method.java:585)"
"     at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:414)"
"     ... 18 more"
[#     2007-06-14T19:35:27.195+0400     SEVERE     SJS Portal Server     debug.com.sun.portal.fabric.config     "ThreadID=10; ClassName=com.sun.portal.fabric.config.PortalConfigurator; MethodName=configurePortal; "     PSFB_CSPFC0034:Encountered Exception while configuring the Portal
com.sun.portal.fabric.tasks.ConfigurationException: javax.management.MBeanException: Exception thrown in operation createAndFinalizeInstance
"     at com.sun.portal.fabric.config.PortalConfigurator.createPortalInstances(PortalConfigurator.java:1314)"
"     at com.sun.portal.fabric.config.PortalConfigurator.configurePortal(PortalConfigurator.java:842)"
"     at com.sun.portal.fabric.config.ConfigurePortal.main(ConfigurePortal.java:189)"
Caused by: javax.management.MBeanException: Exception thrown in operation createAndFinalizeInstance
"     at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:435)"
"     at com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)"
"     at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)"
"     at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)"
"     at com.sun.jdmk.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:203)"
"     at com.sun.jdmk.interceptor.MBeanServerInterceptorWrapper.invoke(MBeanServerInterceptorWrapper.java:512)"
"     at com.sun.portal.admin.server.PortalServerLoggingInterceptor.invoke(PortalServerLoggingInterceptor.java:422)"
"     at com.sun.cacao.agent.DispatchInterceptor.invoke(DispatchInterceptor.java:662)"
"     at com.sun.cacao.agent.auth.impl.AccessControlInterceptor.invoke(AccessControlInterceptor.java:618)"
"     at com.sun.jdmk.JdmkMBeanServerImpl.invoke(JdmkMBeanServerImpl.java:764)"
"     at com.sun.cacao.common.instrum.impl.InstrumDefaultForwarder.invoke(InstrumDefaultForwarder.java:106)"
"     at javax.management.remote.generic.ServerIntermediary.handleRequest(ServerIntermediary.java:280)"
"     at javax.management.remote.generic.ServerIntermediary$PrivilegedRequestJob.run(ServerIntermediary.java:951)"
"     at java.security.AccessController.doPrivileged(Native Method)"
"     at javax.management.remote.generic.ServerIntermediary$RequestHandler.handleMBSReqMessage(ServerIntermediary.java:727)"
"     at javax.management.remote.generic.ServerIntermediary$RequestHandler.execute(ServerIntermediary.java:629)"
"     at com.sun.jmx.remote.generic.ServerSynchroMessageConnectionImpl$RemoteJob.run(ServerSynchroMessageConnectionImpl.java:249)"
"     at com.sun.jmx.remote.opt.util.ThreadService$ThreadServiceJob.run(ThreadService.java:208)"
"     at com.sun.jmx.remote.opt.util.JobExecutor.run(JobExecutor.java:59)"
Caused by: com.sun.portal.admin.common.PSMBeanException: java.lang.SecurityException: authentication failure: Authentication failed: Error occurred while processing XML request.
Connection refused
com.sun.cacao.agent.impl.CacaoJmxConnectorProvider.newJMXConnector(CacaoJmxConnectorProvider.java:388)
javax.management.remote.JMXConnectorFactory.getConnectorAsService(JMXConnectorFactory.java:415)
javax.management.remote.JMXConnectorFactory.newJMXConnector(JMXConnectorFactory.java:307)
javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:247)
com.sun.portal.admin.common.util.AdminUtil.getConnector(AdminUtil.java:813)
com.sun.portal.admin.server.AdminServerUtil.getJMXConnector(AdminServerUtil.java:81)
com.sun.portal.fabric.mbeans.Portal.createAndFinalizeInstance(Portal.java:549)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:585)
com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:414)
com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)
com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
com.sun.jdmk.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:203)
com.sun.jdmk.interceptor.MBeanServerInterceptorWrapper.invoke(MBeanServerInterceptorWrapper.java:512)
com.sun.portal.admin.server.PortalServerLoggingInterceptor.invoke(PortalServerLoggingInterceptor.java:422)
com.sun.cacao.agent.DispatchInterceptor.invoke(DispatchInterceptor.java:662)
com.sun.cacao.agent.auth.impl.AccessControlInterceptor.invoke(AccessControlInterceptor.java:618)
com.sun.jdmk.JdmkMBeanServerImpl.invoke(JdmkMBeanServerImpl.java:764)
com.sun.cacao.common.instrum.impl.InstrumDefaultForwarder.invoke(InstrumDefaultForwarder.java:106)
javax.management.remote.generic.ServerIntermediary.handleRequest(ServerIntermediary.java:280)
javax.management.remote.generic.ServerIntermediary$PrivilegedRequestJob.run(ServerIntermediary.java:951)
java.security.AccessController.doPrivileged(Native Method)
javax.management.remote.generic.ServerIntermediary$RequestHandler.handleMBSReqMessage(ServerIntermediary.java:727)
javax.management.remote.generic.ServerIntermediary$RequestHandler.execute(ServerIntermediary.java:629)
com.sun.jmx.remote.generic.ServerSynchroMessageConnectionImpl$RemoteJob.run(ServerSynchroMessageConnectionImpl.java:249)
com.sun.jmx.remote.opt.util.ThreadService$ThreadServiceJob.run(ThreadService.java:208)
com.sun.jmx.remote.opt.util.JobExecutor.run(JobExecutor.java:59)
"     at com.sun.portal.fabric.mbeans.Portal.createAndFinalizeInstance(Portal.java:564)"
"     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)"
"     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)"
"     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)"
"     at java.lang.reflect.Method.invoke(Method.java:585)"
"     at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:414)"
"     ... 18 more"
[#     2007-06-14T19:35:27.792+0400     SEVERE     SJS Portal Server     debug.com.sun.portal.fabric.config     "ThreadID=10; ClassName=com.sun.portal.fabric.config.ConfigurePortal; MethodName=main; "     PSFB_CSPFC0014:Failed configuring Portal Server!!
com.sun.portal.fabric.tasks.ConfigurationException: com.sun.portal.fabric.tasks.ConfigurationException: javax.management.MBeanException: Exception thrown in operation createAndFinalizeInstance
"     at com.sun.portal.fabric.config.PortalConfigurator.configurePortal(PortalConfigurator.java:849)"
"     at com.sun.portal.fabric.config.ConfigurePortal.main(ConfigurePortal.java:189)"
Caused by: com.sun.portal.fabric.tasks.ConfigurationException: javax.management.MBeanException: Exception thrown in operation createAndFinalizeInstance
"     at com.sun.portal.fabric.config.PortalConfigurator.createPortalInstances(PortalConfigurator.java:1314)"
"     at com.sun.portal.fabric.config.PortalConfigurator.configurePortal(PortalConfigurator.java:842)"
"     ... 1 more"
Caused by: javax.management.MBeanException: Exception thrown in operation createAndFinalizeInstance
"     at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:435)"
"     at com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)"
"     at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)"
"     at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)"
"     at com.sun.jdmk.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:203)"
"     at com.sun.jdmk.interceptor.MBeanServerInterceptorWrapper.invoke(MBeanServerInterceptorWrapper.java:512)"
"     at com.sun.portal.admin.server.PortalServerLoggingInterceptor.invoke(PortalServerLoggingInterceptor.java:422)"
"     at com.sun.cacao.agent.DispatchInterceptor.invoke(DispatchInterceptor.java:662)"
"     at com.sun.cacao.agent.auth.impl.AccessControlInterceptor.invoke(AccessControlInterceptor.java:618)"
"     at com.sun.jdmk.JdmkMBeanServerImpl.invoke(JdmkMBeanServerImpl.java:764)"
"     at com.sun.cacao.common.instrum.impl.InstrumDefaultForwarder.invoke(InstrumDefaultForwarder.java:106)"
"     at javax.management.remote.generic.ServerIntermediary.handleRequest(ServerIntermediary.java:280)"
"     at javax.management.remote.generic.ServerIntermediary$PrivilegedRequestJob.run(ServerIntermediary.java:951)"
"     at java.security.AccessController.doPrivileged(Native Method)"
"     at javax.management.remote.generic.ServerIntermediary$RequestHandler.handleMBSReqMessage(ServerIntermediary.java:727)"
"     at javax.management.remote.generic.ServerIntermediary$RequestHandler.execute(ServerIntermediary.java:629)"
"     at com.sun.jmx.remote.generic.ServerSynchroMessageConnectionImpl$RemoteJob.run(ServerSynchroMessageConnectionImpl.java:249)"
"     at com.sun.jmx.remote.opt.util.ThreadService$ThreadServiceJob.run(ThreadService.java:208)"
"     at com.sun.jmx.remote.opt.util.JobExecutor.run(JobExecutor.java:59)"
Caused by: com.sun.portal.admin.common.PSMBeanException: java.lang.SecurityException: authentication failure: Authentication failed: Error occurred while processing XML request.
Connection refused
com.sun.cacao.agent.impl.CacaoJmxConnectorProvider.newJMXConnector(CacaoJmxConnectorProvider.java:388)
javax.management.remote.JMXConnectorFactory.getConnectorAsService(JMXConnectorFactory.java:415)
javax.management.remote.JMXConnectorFactory.newJMXConnector(JMXConnectorFactory.java:307)
javax.management.remote.JMXConnectorFactory.connect(JMXConnectorFactory.java:247)
com.sun.portal.admin.common.util.AdminUtil.getConnector(AdminUtil.java:813)
com.sun.portal.admin.server.AdminServerUtil.getJMXConnector(AdminServerUtil.java:81)
com.sun.portal.fabric.mbeans.Portal.createAndFinalizeInstance(Portal.java:549)
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:585)
com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:414)
com.sun.jmx.mbeanserver.MetaDataImpl.invoke(MetaDataImpl.java:220)
com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:815)
com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:784)
com.sun.jdmk.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:203)
com.sun.jdmk.interceptor.MBeanServerInterceptorWrapper.invoke(MBeanServerInterceptorWrapper.java:512)
com.sun.portal.admin.server.PortalServerLoggingInterceptor.invoke(PortalServerLoggingInterceptor.java:422)
com.sun.cacao.agent.DispatchInterceptor.invoke(DispatchInterceptor.java:662)
com.sun.cacao.agent.auth.impl.AccessControlInterceptor.invoke(AccessControlInterceptor.java:618)
com.sun.jdmk.JdmkMBeanServerImpl.invoke(JdmkMBeanServerImpl.java:764)
com.sun.cacao.common.instrum.impl.InstrumDefaultForwarder.invoke(InstrumDefaultForwarder.java:106)
javax.management.remote.generic.ServerIntermediary.handleRequest(ServerIntermediary.java:280)
javax.management.remote.generic.ServerIntermediary$PrivilegedRequestJob.run(ServerIntermediary.java:951)
java.security.AccessController.doPrivileged(Native Method)
javax.management.remote.generic.ServerIntermediary$RequestHandler.handleMBSReqMessage(ServerIntermediary.java:727)
javax.management.remote.generic.ServerIntermediary$RequestHandler.execute(ServerIntermediary.java:629)
com.sun.jmx.remote.generic.ServerSynchroMessageConnectionImpl$RemoteJob.run(ServerSynchroMessageConnectionImpl.java:249)
com.sun.jmx.remote.opt.util.ThreadService$ThreadServiceJob.run(ThreadService.java:208)
com.sun.jmx.remote.opt.util.JobExecutor.run(JobExecutor.java:59)
"     at com.sun.portal.fabric.mbeans.Portal.createAndFinalizeInstance(Portal.java:564)"
"     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)"
"     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)"
"     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)"
"     at java.lang.reflect.Method.invoke(Method.java:585)"
"     at com.sun.jmx.mbeanserver.StandardMetaDataImpl.invoke(StandardMetaDataImpl.java:414)"
"     ... 18 more"
May the problem be that AMSDK need additional configuration for datastore?

Yes, copy config is enabled in all organisations.
I also tried to create an ldap data store instead of amsdk, but same behavior.
I have "fixed" the issue through a hack now by creating my own ldap login module, simply copied the original one and replaced LDAPPrincipal with my own version. It returns now a correct dn for the user in portal instead of the username only.
Works this way. Alas, it is just a hack...
As far as I can see, the problem is in the IDRepository. Its somewhat:
If (username is a DN) return username;
else return UniversalID;
This universal ID is then used by ps to get desktop information and since it is not a valid dn in ldap the desktop servlet cannot proceed...
I guess the problem does not appear in your environment. Maybe it was introduced with update 1? Do you use update 2?
Thanks, Chris

Unable to use SSL between Access Manager and Directory Server

I am trying to set up Access Manager to use SSL when communicating with Directory Server. Access Manager 7 is running under Sun Web Server 6.1. I have configured Directory Server to use SSL using a Self-Signed CA and have imported the CA certificate into the certificate database for Web Server. When I change the Access Manager configuration as specified in the Admin Guide to use SSL and restart the Web Server, Access Manager fails with the message
(among many others)
netscape.ldap.LDAPException: SSL connection to
eauth1.arc.nasa.gov:636, SSL_ForceHandshake failed: (-8157) Certificate extension not found. (91); Cannot
connect to the LDAP server
I am able to connect to the Directory Server instanc with JXplorer using SSL (with a complaint about an unknown CA). Can someone explain the error message so that I can fix the problem or work around it?
Thanks

in the initial part of AMConfig.properties, you'll find an entry similar to trustSSLCerts . This, by default, is set to false. Trying setting it to true (AM web server instance will need a restart). This lets AM continue with SSL handshaking inspite of errors. Am not sure if this affects AM to DS connectivity as well. It sure affects AM to AM communication (in a multiple server configuration).
Naturally, it is not recommended that you use this feature when you are ready for production, but atleast it'll let you be sure that apart from the cert issue, everything else is okay.
Hope this helps.

Remote Access Management Console - configuration issue with Network Location Server

2012 Std R2
The remote Access management console operation status shows all green except for network location server .
Error: There is no response from the network location server URL. DirectAccess connectivity might not work as expected, and DirectAccess clients located inside the corporate network might not be able to reach internal resources.
Resolution listed as:
1. Configure the network location server on a server that is highly available to clients on the internal network.
2. If the network location server is running on the Remote Access server, ensure that IIS is running, and that the URL is available.
The remote access server is located on this server. IIS is running. What URL: show I be looking at?
Any other thoughts so I can get remote access working.
l also am getting a remote access error for IPV6, could this be a cause:
RoutingDomainID- {00000000-0000-0000-0000-000000000000}: Unable to add the interface {D37062B2-A3E0-4496-A459-9E0BBCE5423C} with the Router Manager for the IPV6 protocol. The following error occurred: Cannot complete this function.
John Lenz

Hi John,
please follow the steps to reinstall TCP/IP stack.
1.Restart your PC into Safe Mode with Networking.
2.
Edit your registry. Delete the following keys:
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Winsock
HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/Winsock2
3.
Open the nettcpip.inf file in your %winroot%/inf folder
(%winroot% is usually c:/windows).
Find the [MS_TCPIP.PrimaryInstall] section. Change the Characteristics value from 0xA0 to 0x80.
Open the properties of the network connection you want to fix. In the General tab, click on the Install button. Click on the Have Disk button, and point the location to %winroot%/inf. After that select TCP/IP (not version 6).
4.
Now you would notice that you can uninstall TCP/IP!
Do that, then restart the PC.
Go back to your network connection, and install TCP/IP again as per the above. After another reboot, you should be up and running.
I also noted that the XP network repair tool may yank out the ISA 2004 firewall client stuff. Just run the firewall clinet repair or install it again to fix that problem after you did your reboot. Before you do this kind of crazy stuff.
5.
This along with a TCP/IP reset using the netsh command:
netsh int ip reset resetlog.txt
wish you have a nice thanksgiving too
Regards,
Mike
Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Sun Access Manager 7.1 configuration

I am trying to configure Sun Access Manager 7.1 update 1 on websphere 6.1.0.11 running on windows 2003 server and am getting a crypt error on SunJCE. Any suggestions on how to fix this?
The thread dump looks like this
05/16/2008 11:22:00:509 AM EDT: Thread[WebContainer : 2,5,main]
05/16/2008 11:22:00:509 AM EDT: Thread[WebContainer : 2,5,main]ERROR: Crypt: failed to set password-based key
java.security.NoSuchProviderException: no such provider: SunJCE
at sun.security.jca.GetInstance.getService(GetInstance.java:82)
at javax.crypto.b.a(Unknown Source)
at javax.crypto.SecretKeyFactory.getInstance(Unknown Source)
at com.iplanet.services.util.JCEEncryption.setPassword(JCEEncryption.java:377)
at com.iplanet.services.util.Crypt.createInstance(Crypt.java:139)
at com.iplanet.services.util.Crypt.<clinit>(Crypt.java:103)
at java.lang.J9VMInternals.initializeImpl(Native Method)
at java.lang.J9VMInternals.initialize(J9VMInternals.java:192)
at com.sun.identity.setup.ServicesDefaultValues.validatePassword(ServicesDefaultValues.java:396)
at com.sun.identity.setup.ServicesDefaultValues.setServiceConfigValues(ServicesDefaultValues.java:107)
at com.sun.identity.setup.AMSetupServlet.processRequest(AMSetupServlet.java:307)
at com.ibm._jsp._configurator._jspService(_configurator.java:221)
at com.ibm.ws.jsp.runtime.HttpJspBase.service(HttpJspBase.java:85)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:989)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:930)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:89)
at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:761)
at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:673)
at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:498)
at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:464)
at com.ibm.wsspi.webcontainer.servlet.GenericServletWrapper.handleRequest(GenericServletWrapper.java:122)
at com.ibm.ws.jsp.webcontainerext.AbstractJSPExtensionServletWrapper.handleRequest(AbstractJSPExtensionServletWrapper.java:205)
at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3276)
at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:267)
at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:811)
at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1455)
at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:113)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:454)
at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:383)
at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:102)
at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:195)
at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:743)
at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:873)
at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1469)
05/16/2008 11:22:00:509 AM EDT: Thread[WebContainer : 2,5,main]ERROR: JCEEncryption:: not yet initialized

Have you followed the release notes instructions? There is one specifically about changing JCE:
http://docs.sun.com/app/docs/doc/819-5899/gdpsl?a=view
http://docs.sun.com/app/docs/doc/819-4683/gfvfl?a=view
http://docs.sun.com/app/docs/doc/819-5899/gdxas?a=view
shivaram

Configuring IIS6.0 with Sun Access manager

As I am new to Sun java Access manager .I have installed and configured the Sun Access manager 7.1 on Tomcat and able to login to the console also.Now I am looking to configure the web application which resides in IIS 6.0 with Sun Access manager,To do this are there any documents about how to configure the Windows IIS 6.0Policy agent with Sun Accessmanager?In the Sun website I didnt see any document related to this configuration,could anyone please help how to work on this?
Thanks in advance.

http://docs.sun.com/app/docs/doc/819-4771?l=en
should give you all the information you need. For server changes like policy refer to AM 7.1 docs on docs.sun.com

How do I configure Access Manager?

I don't have idea how to configure Access Manager, I installed ans configure Directory and Web Server and working well, but I need to configure access Manager, there is a script called " amsamplesilent " it has some variables that i dont understand very well, how do I do to configure?
Plz help me.

So you used "configure later" option while installing Access Manager - correct?
amsamplesilent is not a script - it's an input file for the command "amconfig"
copy this file and adjust it to your settings (which variables haven't you understood?)
run amconfig -f <your_sample_install_file>
-Bernhard

I don't Configuring Access Manager in SSL Mode

i only install am7.1 and ws7.0 in windows2003 pack 1.
then, i read "Sun Java SystemAccess Manager 7.1 Postinstallation Guide" .
it said that "Login to theWeb Server console.The default port is 8888." but i can't find the default port .
i think my web server console's default port is 8989.

Hi,
As a part of my requirement, I need to Configure Access Manager in SSL Mode. For that, I followed all the steps(Change http to https in web server instance in Access Manager, Install Certificate, Modify AMConfig.properties) mentioned in the PostInstallation Guide of Sun Access Manager to configure the SSL using Selfsigned certificate. so, after doing all these steps, as soon as the hit the Access Manager URL httsp://machinename:portno/amserver/UI/Login, it shows "page cannot be displayed" error. I have checked the web server with SSL enabled in it and its running fine.
On one of forum post, I read that you need to set this property to true "com.sun.am.jssproxy.trustAllServerCerts" if you are not installing the ROOTCA certificate however this is not listed in the AM documentation.
Any help on this would be highly appreciated. Let me know if am missing any steps.

Configuring Access Manager as Service Provider

Hi All,
What documentation explains how to configure SSO with Access Manager 7 as Sefrvice Provider using redirect-artifact (or else) binding according to SAML v.2? I have SiteMinder 6.0 as IdP ready to go.
Thanks

Bernhard,
We have upgraded our Web PA to version 2.1-09. One of your previous replies stated the com.iplanet.am.naming.ignoreNamingservice property was not availalbe in the PA agent properties but only in the Java SKD. Indeed we do not see such a key in the new Web PA AMAgent.properties.
Can you please explain how to configure the AMAgent.properties and/or the Access Manager server (or properties) so that subsequent calls to the services (returned by the call to the naming service) get directed thru the load balancer? Below are the setting in our AMAgent and AMConfig properties files
AMAgent.properties
com.sun.am.namingURL = https://lb-mydomain.com:443/amserver/namingservice
com.sun.am.policy.am.loginURL = https://lb-mydomain.com:443/amserver/UI/Login
AMConfig.properties
com.iplanet.am.server.protocol=https
com.iplanet.am.server.host=am.mydomain.com
com.iplanet.am.server.port=443
com.iplanet.am.console.protocol=https
com.iplanet.am.console.host=lb-mydomain.com
com.iplanet.am.console.port=443
com.iplanet.am.profile.host=lb-mydomain.com
com.iplanet.am.profile.port=443
com.iplanet.am.naming.url=https://lb-mydomain.com:443/amserver/namingservice
com.iplanet.am.notification.url=https://lb-mydomain.com:443/amserver/notifica
tionservice
If we set com.iplanet.am.server.host=lb-mydomain.com we get an exception when trying to start the AM web container. I don't know if this may be partof our issue or not. Please comment.
Thanks,
Craig

Configure security realm for external Access Manager in App server 8.1

Hi All,
I would like to protect my j2ee application using access manager running on an external host.
I would like to configure the security realm in Sun app Server 8.1 for the external Access Manager
external host & port of AM is:
http://svrd234d.dnn.com.au:58765
Please verify if these are the correct settings for the agentRealm configuration on Sun App server 8.1.
classname="com.sun.amagent.as.realm.AgentRealm"
property name="jaas-context" value="agentRealm"
property name="base-dn" value="ou=People,dc=dnn,dc=com,dc=au"
property name="hostURL " value="http://svrd234d.dnn.com.au:58765"

Did you download AS8.1 agent under http://www.sun.com/download/products.xml?id=4266924d?
If you can unjar am_as81_agent_2_1.jar after installing the J2EE agent, you will find AgentRealm.class under com.sun.amagent.as.realm.
Please also note that page 161 of J2EE agent guide shows how to disable AgentRealm to better fit your agent policy mode. Check it out http://docs-pdf.sun.com/816-6884-10/816-6884-10.pdf
Jerry

Exporting Access Manager configuration

Similar Messages

Maybe you are looking for