Immediate Requirement-----Identity & Access Management Consultants

Dear Friends
My colleaques company is looking for Architects Experienced in any of Identity & Access Management Products.
Must have exposure in Java Platform, CISSP Certification is desirable.
12 Positions Open
Experience Ranging: 5-12 years
If any body interested kindly forward your profile with your Skill Set to [email protected]
Cheers

You can check out this link for Oracle University in India:
http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=3
-Kevin

Similar Messages

Category for COREid Identity/Access Management & Web Services - Please!

The COREid products do not fit into any of the existing categories - we need an IDM, Access & Provisioning category.

I believe she is looking for a category in these forums that deals strictly with the COREid Identity and Access product. This would include COREid provisioning. I would see COREid Federation and Oracle Web Services Manager having thier own categories. Obviously we are previous Oblix partners who were accustomed to these products having thier own sections in a forum. Is this planned? Is this already in place and we just aren't looking hard enough?
Thanks,
Ryan Squires

Installing Oracle Identity & Access Management suite 11g

Hi,
I have the TEST environment of the customer, where the following components are installed
1. Weblogic
2. SOA SUITE
3. OID
$MW_HOME = /u01/weblogic
The installed location of SOASUITE, OID is /u01
I need to install IdAM Suite 11g with SOA SUITE 11.1.1.2/11.1.1.3
When I am on step of Installation progress it gives me the below error. I had specified $M_HOME as /u01/weblogic
OUI-10136:An Oracle Home with name OH1574127402 already exists at location /u01/weblogic/oracle_common. Please specify another location for Oracle Home
Please suggest.
Thanks & Regards,
Kunal Jain

Remove ORACLE_HOME entry for oracle_common from oraInventory/ContentsXML/inventory.xml
Entry like <HOME NAME="OH1918335049" LOC..
Or change inventory location in oraInst.loc
More on inventory here http://onlineappsdba.com/index.php/2009/10/08/orainventory-location-orainstloc-on-windows-linux-unix/
Regards
Atul Kumar
http://onlineAppsDBA.com

Installing Oracle Access Manager - 11.1.1.5

Hi
I am very new to Identity Management and have been trying to set Oracle Access Manager in Windows XP.
Downloaded ofm_iam_generic_11.1.1.5.0_disk1_1.zip from OTN.
I cannot find the RCU for 11.1.1.5 version from the website directly. All I could see is only RCU for 11.1.1.3 and 11.1.1.2 version.
Can anyone send me the download link for RCU 11.1.1.5 and step by step installation guide for setting up Oracle Access Manager.
I tried creating OAM Domain after installing IDM Suite and running RCU 11.1.1.3 version.
When I run the WebLogic and OAM server I am getting error
Caused By: oracle.security.am.common.policy.admin.PolicyManagerException: oracle.security.am.c
policy.admin.PolicyManagerException: OAMSSA-06251: Unsupported policy store version detected.
ed "11.1.1.5.0" but found "11.1.1.3.0".
Also unable to login to OAM console.
Thanks,
Ram

Daren,
Do you have OAM 11.1.1.3 running and now you wish to upgrade it to 11.1.1.5 or
You wish to install new 11.1.1.5 ?
If this is later then better you should use 11.1.1.5 RCU to create schema as this is straight and easy process with no upgrade.
If you are running 11.1.1.3 and wish to upgrade to 11.1.1.5 then there are steps to apply 11.1.1.5 oatch in My Oracle Support(earlier metalink) Procedure to Upgrade OAM 11.1.1.3.0 to OAM 11.1.1.5.0 [ID 1318524.1
Atul Kumar
http://www.amazon.co.uk/Oracle-Identity-Access-Manager-Administrators/dp/1849682682 <- OIM / OAM 11g Book on Amazon
http://onlineappsdba.com/index.php/book/ <- EBS R12 Integration with OID/OAM for SSO Book

Oracle Identity and Access Management Suite Plus Integration with Oracle ADF

Hi All,
Kindly advice if Oracle Identity and Access Management Suite Plus can be integrated with Oracle ADF based applications to manage the end-to-end lifecycle of user accounts specifically addressing to roles/priviledges and security.
Request you to share links to documentation where I can study the steps to integrate both the frameworks.
Looking forward to hear from you soon.
Best Regards,
Ankit Gupta

Hi Sébastien,
I came across the below link for the required integrations -
Oracle&reg; Fusion Middleware Installation Guide for Oracle Identity and Access Management 11g Release 2 (11.1.2) - …
Oracle&reg; Fusion Middleware Enterprise Deployment Guide for Oracle Identity Management 11g Release 2 (11.1.2) - Co…
Best Regards,
Ankit Gupta

Discuss Identity and Access Management in the Cloud

Identity and access management in the cloud refers to the processes, technologies, and policies for managing cloud systems identities and controlling how these identities can be used to access cloud resources. Three separate processes are used in most cloud
identity and access management solutions:
Identity provisioning and storage
Authentication
Authorization
Identity management in a cloud system requires a complex collection of technologies to manage authentication, authorization and access control across distributed environments. These environments might include assets both on the internal cloud, which would
be an on-premises private cloud, and services accessed on the public cloud. These environments can also cross-security domains, as when two enterprise-level organizations collaborate and enable cross-domain access to users from the partner security domain.
You can learn more about these topics in the article Identity and Access Management in the Cloud.
Let's talk about that article and the topics of identity and access management in the cloud! Use this thread to get it started.
Thanks!
Tom
Learn more about Private Cloud at the
Private Cloud Solutions Hub

Tom,
I am a novice and attempting to achieve a proof of concept of single sign on. One example I read stated one should install Identity and Access on VS2012. I did this on two different machines. One was in the office domain and it shows the
item "Identity and Access..." in the context menu of the MVC project I created. The other machine is my laptop. I followed the same procedure that worked on the desktop, yet the Identity and Access item in the project context menu does not show.
One difference is that the laptop is not part of a domain, but I am attempting this proof of concept in Windows Azure with the laptop, since we do not have a test AD in our corporate domain.
Is this the right forum to inquire about this issue? Do you have a recommendation about a better forum?
Stephen Pidgeon

Identity and Access Management Training in Bangalore

Hi,
I need information if there are any institutes who provide training on Identity and Access Management in Bangalore or Pune? Whats is the basic requirement for starting IAM. I have SQL knowledge.
Thank you
[email protected]

You can check out this link for Oracle University in India:
http://education.oracle.com/pls/web_prod-plq-dad/db_pages.getpage?page_id=3
-Kevin

Integration of sun identity manager with sun access manager

Hi i am working on integration of sun identity manager 6.0 with SP1 and sun access manager7.0.IDM was deployed on Sun application server 8.1.SAm is installed on SunOneWebserver i am working on windows 2003 server.I downloaded the agent for the application server and installed.
when i am configuring resource in IDM i am getting following error.
testconnection failed for resource(s):
sun access manager could notconnect as user 'amadmin' with specified password==>com.sun.identity.authentication.spi.AuthLoginException:failed to create new AuthenticationContext{0}\n.
i modified amagent.properties,amconfig.properties and web.xml also
can any one help me on this.

Hi i am working on integration of sun identity manager 6.0 with SP1 and sun access manager7.0.IDM was deployed on Sun application server 8.1.SAm is installed on SunOneWebserver i am working on windows 2003 server.I downloaded the agent for the application server and installed.
when i am configuring resource in IDM i am getting following error.
testconnection failed for resource(s):
sun access manager could notconnect as user 'amadmin' with specified password==>com.sun.identity.authentication.spi.AuthLoginException:failed to create new AuthenticationContext{0}\n.
i modified amagent.properties,amconfig.properties and web.xml also
can any one help me on this.

Oracle Identity and Access Management (11.1.1.3.0) and IM difference?

What is difference between Oracle Identity and Access Management (11.1.1.3.0) and Identity Management (11.1.1.3.0) ?
From
http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html

When you run the config, you are asked to add some product. Have checked the "Oracle Access Manager with Database Policy Store" product?
If not, you can add it by extending the domain. Once done you have to start two WLS servers (AdminServer and oam_server1):
Start AdminServer with $DOMAIN/bin/startWebLogic.sh
Start oam_server1 with $DOMAIN/bin/startManagedWebLogic.sh oam_server1
It might be that oam_server1 asks for username and password. This is fine for the first time. During the first start the necessary directory structure is created. Once it came up and enters RUNNING state, kill it and create a file boot.properties in $DOMAIN/servers/oam_server1/security with the entries username=name and password=pw in two lines and start oam_server1 again.
Starting oam_server1 is recommend to get proper values in the oamconsole.
HTH,
--olaf

Integrating Identity Manager with Access Manager

We have a plain vanilla installation of Identity Manager 5.5. We are attempting to integrate Access Manager 7 (also plain vanilla install). Both were deployed into Application Server 8.1 (all running on Solaris 10 x86).
Here is what we ran into:
1) When IDM is the only application deployed in Application Server, we can log in to its administration console with the base ID of "configurator" without a problem. Next, we installed Access Manager 7 without any errors. Now when we attempt to log into the IDM administration panel (still using "configurator"), IDM can no longer find the �configurator� ID. We tried using AM to add an ID of "configurator" to the LDAP directory (figuring that was the problem), but we still cannot get into IDM. What do we need to do to "integrate" these two products? We haven't even attempted customization yet.
2) Does anyone know of ANY sample apps that show IDM and AM working together?
Thanks in advance

Raghavan,
Do you have any template doc for this configurations, We did the same only thing that we changes is instead of using the fully qualified DNS name we used the ip address in the AMConfig.properties file.
Any ideas?
--Srini

Oracle Access Manager - Identity Injectors

Hello,
One of my customer has a critical requirement for Oracle Access Manager.
At present they are using Novell Access Manager
With Novell Access Manager they are able to create custom headers with information pulled from LDAP.
such as x-employeeName=Jason
Example :
Some Web applications require more than a name and a value to be injected into the custom header.
Sometimes they require a custom name, a tag, and a value. Sometimes the application requires a
custom name with multiple tags and values. The Inject into Custom Header with Tags option
provides you with the flexibility to add such values to the custom header. For example, your
application could be expecting the following custom header with tag:
X-Custom_Role Role=Manager
You can inject this information by setting the Custom Header Name to X-Custom, the Tag Name to
Role, and the Tag Value to Manager. The value can be set as a static variable or you can retrieve it
from various sources such as a Liberty User Profile attribute or the roles assigned to the current user.
Thanks,
Ram

Hi
Thanks for your reply.
Can you explain me in steps how it can be achieved in OAM 11g?
Thanks,
Ram

Difference between Identity Manager and Access Manager

hi,
Can any body tell me the difference between Identity manager and Access Manager.
thanks in advance
regards
dhawanmayur

Access Manager is for access control (web authentication, authorization), Identity Manager is for identity (userid,profile,role, password etc) provision/management across multi resources (such as unix, active directory, peoplesoft, SAP) etc.

UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)

PREAMBULA: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc-links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
Is there some known bug or workaround that matches this description?
Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in UWC/CE web-interface. I have reported them before, then they seemed fixed (not occuring for several tests in a row), but as time has shown, something wrong is still there.
So I'll try to go into deeper detail now, as we've may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
Our setup is split into several Solaris 10 full-root zones hosted on several servers, some of the components are enroute to HA (perhaps we made some mistakes on this part of the way?)
So, we have the following software stack:
1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its servicess.
The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
# imsimta version
Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
"Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (i.e. www.mail.domain.ru which is equivalent in DNS), they have only the Address book, Calendar and Options tabs; no webmail. So far this is resolved by Policy Agent forcing The One name of the server.
Here's the configuration we did specifically for AM SSO:
1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
com.iplanet.am.cookie.encode=false
am.encryption.pwd=<the same value>
all hostname-related parameters point to "psam.domain.ru"
2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
3) in "msg.conf" on "sunmail" (entries added via configutil):
local.webmail.sso.amcookiename = iPlanetDirectoryPro
local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
local.webmail.sso.singlesignoff = yes
local.webmail.sso.uwcenabled = 1
service.http.ipsecurity = no
(perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
--- main.js.orig        Sat Jan 26 07:52:09 2008
+++ main.js     Mon Jul 21 01:06:29 2008
@@ -667,7 +667,8 @@
function cleanup() {
   if(laurel)
-      top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+//      top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+      top.window.location = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
   else
       exec('logout', '', 'exit()')
@@ -1707,7 +1708,8 @@
   if(lg) {
         url = document.location.href
         url = url.substr(0,url.indexOf('webmail'))
-        uwcurl = url + 'base/UWCMain?op=logout'
+//      uwcurl = url + 'base/UWCMain?op=logout'
+        uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
   exit()
}6) Calendar SSO - per docs...
According to ngrep sniffing,
1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
<Request><![CDATA[
<NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
<GetNamingProfile>
</GetNamingProfile>
</NamingRequest>]]>
</Request>
</RequestSet>(receives a large XML list of different Access Manager configuration parameters and URLs)
...then a double-request to /amserver/sessionservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="Session" reqid="686">
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="678">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]>
</Request>
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="679">
<AddSessionListener>
<URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</AddSessionListener>
</SessionRequest>]]>
</Request>
</RequestSet>As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
!!!*** Now, the problem part ***!!!
8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
For the most detail I can provide, I'll even paste the whole HTTP packet:
POST /amserver/sessionservice HTTP/1.1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
Content-type: text/xml;charset=UTF-8
Content-length: 336
Cache-control: no-cache
Pragma: no-cache
User-agent: Java/1.5.0_09
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Host: cos-psam-01.domain.ru
Client-ip: 194.xxx.xxx.xxx
Via: 1.1 https-weblb.domain.ru
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="258">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]></Request>
</RequestSet> The server's error response is apparent:
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 31 Jul 2008 05:49:50 GMT
Content-type: text/html
Transfer-encoding: chunked
19b
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="258">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
<GetSession>
<Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
</GetSession>
</SessionResponse>]]></Response>
</ResponseSet>On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
POST /amserver/sessionservice HTTP/1.1
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
Content-Type: text/xml;charset=UTF-8
Content-Length: 379
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.5.0_09
Host: psam.domain.ru
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="281">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
<SetProperty>
<SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
<Property name="uwcstatus" value="active"></Property>
</SetProperty>
</SessionRequest>]]></Request>
</RequestSet> ...and the response is OK:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="281">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
<SetProperty>
<OK></OK>
</SetProperty>
</SessionResponse>]]></Response>
</ResponseSet>

There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
The solution for these customers was the following:
=> AM server/client side:
Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
=> AM client (UWC) side:
- Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
<sun-web-app>
   <property name="encodeCookies" value="false"/>
   <session-config>
      <session-manager/>
   </session-config>
   <jsp-config/>
<property name="allowLinking" value="true" />
</sun-web-app>Regards,
Shane.

Problem with second instance of access manager

Well, after sorting out things with the first install of access manager, I went on to install a second instance on a different host (it's required for delegated admin..)
Here are the options I used on install:
Access Manager: Administration (1 of 6)
Administrator User ID: amAdmin
Administrator Password [] {"<" goes back, "!" exits}:
Retype Password [] {"<" goes back, "!" exits}:
LDAP User ID: amldapuser
LDAP Password [] {"<" goes back, "!" exits}:
Retype Password [] {"<" goes back, "!" exits}:
Password Encryption Key [gFoe4t8UlUW3wEApngAY3S8bCQFVMlGk] {"<" goes back,
"!" exits}: weW5jtopMLQsODiBZDp+hlEp1/CtbiXX
Install type (Realm/Legacy) Mode [Legacy] {"<" goes back, "!" exits}:
Access Manager: Web Container (2 of 6)
1. Sun Java System Application Server
2. Sun Java System Web Server
Select the container to deploy the component and hit enter key [2] {"<" goes
back, "!" exits}
Access Manager: Sun Java System Web Server (3 of 6)
Host Name [zone2.corenode.com] {"<" goes back, "!" exits}:
Web Server Instance Directory [opt/SUNWwbsvr/https-zone2.corenode.com] {"<"
goes back, "!" exits}:
Web Server Port [80] {"<" goes back, "!" exits}:
Document Root Directory [opt/SUNWwbsvr/docs] {"<" goes back, "!" exits}:
Secure Server Instance Port [No] {"<" goes back, "!" exits}:
Access Manager: Web Container for running Access Manager Services(4 of 6)
Host Name [zone2.corenode.com] {"<" goes back, "!" exits}:
Services Deployment URI [amserver] {"<" goes back, "!" exits}:
Common Domain Deployment URI [amcommon] {"<" goes back, "!" exits}:
Cookie Domain(Assure it is not a top level domain) [.corenode.com] {"<" goes
back, "!" exits}:
Administration Console [Yes] {"<" goes back, "!" exits}:
Console Deployment URI [amconsole] {"<" goes back, "!" exits}:
Password Deployment URI [ampassword] {"<" goes back, "!" exits}:
Access Manager: Directory Server Information (5 of 6)
Directory Server Host [] {"<" goes back, "!" exits}: zone1.corenode.com
Directory Server Port [] {"<" goes back, "!" exits}: 389
Directory Root Suffix [dc=corenode,dc=com] {"<" goes back, "!" exits}:
Directory Manager DN [cn=Directory Manager] {"<" goes back, "!" exits}:
Directory Manager Password [] {"<" goes back, "!" exits}:
Access Manager: Directory Server Information (6 of 6)
Is Directory Server provisioned with user data [No] {"<" goes back, "!"
exits}? Yes
Organization Marker Object Class [sunISManagedOrganization] {"<" goes back,
"!" exits}:
Organization Naming Attribute [o] {"<" goes back, "!" exits}:
User Marker Object Class [inetorgperson] {"<" goes back, "!" exits}:
User Naming Attribute [uid] {"<" goes back, "!" exits}:
Yes, I am using the same key as was used on host1 for access manager. Yes, access manager on host 1 is quite functional right now. Yes, that directory server works. Now I'm really stumped on what to do! Everything in JES seems to work great except access manager, the exceptions it throws really don't help any at all in troubleshooting.
Any ideas?

More info from error logs:
# pwd
/var/opt/SUNWam/debug
# tail -200 amAuth
04/12/2006 09:56:47:127 AM HST: Thread[main,5,main]
ERROR: AuthD failed to get auth session
04/12/2006 09:56:47:165 AM HST: Thread[main,5,main]
ERROR: AuthD init()
com.iplanet.dpro.session.SessionException: AuthD failed to get auth session
at com.sun.identity.authentication.service.AuthD.initAuthSessions(AuthD.java:709)
at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:229)
at com.sun.identity.authentication.service.AuthD.getAuth(AuthD.java:494)
at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
# tail -200 amSession
04/12/2006 09:56:47:098 AM HST: Thread[main,5,main]
ERROR: SessionService.SessionService(): Initialization Failed
com.iplanet.services.naming.ServerEntryNotFoundException: Cannot find server ID.
at com.iplanet.services.naming.WebtopNaming.getServerID(WebtopNaming.java:350)
at com.iplanet.dpro.session.service.SessionService.<init>(SessionService.java:1540)
at com.iplanet.dpro.session.service.SessionService.getSessionService(SessionService.java:382)
at com.sun.identity.authentication.service.AuthD.getSS(AuthD.java:685)
at com.sun.identity.authentication.service.AuthD.initAuthSessions(AuthD.java:706)
at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:229)
at com.sun.identity.authentication.service.AuthD.getAuth(AuthD.java:494)
at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
04/12/2006 09:56:47:126 AM HST: Thread[main,5,main]
ERROR: Error creating service session
java.lang.NullPointerException
at com.iplanet.dpro.session.service.SessionService.generateEncryptedID(SessionService.java:588)
at com.iplanet.dpro.session.service.SessionService.generateSessionId(SessionService.java:612)
at com.iplanet.dpro.session.service.SessionService.newInternalSession(SessionService.java:557)
at com.iplanet.dpro.session.service.SessionService.getServiceSession(SessionService.java:501)
at com.iplanet.dpro.session.service.SessionService.getAuthenticationSession(SessionService.java:408)
at com.sun.identity.authentication.service.AuthD.initAuthSessions(AuthD.java:706)
at com.sun.identity.authentication.service.AuthD.<init>(AuthD.java:229)
at com.sun.identity.authentication.service.AuthD.getAuth(AuthD.java:494)
at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
#

Load Balancing Directory Servers with Access Manager - Simple questions

Hi.
We are in the process of configuring 2 Access Manager instances (servers) accessing the same logical LDAP repository (comprising physically of two Directory Servers working together with Multi-Master Replication configured and tested) For doing this, we are following guide number 819-6258.
The guide uses BigIP load balancer for load balancing the directory servers. However, we intend to use Directory Proxy Server. Since we faced some (unresolved) issues last time that we used DPS, there are some simple questions that I would be very grateful to have answers to:
1. The guide, in section 3.2.10 (To configure Access Manager 1 with the Directory Server load balancer), talks about making changes at 4 places, and replacing the existing entry (hostname and port) with the load balancer's hostname and port (assuming that the load balancer has already been configured). It says that changes need not be made on Access Manager 2 since the LDAPs are in replication, and hence changes will be replicated at all places. However, the guide also states that changes have to be made in two files, namely AMConfig.properties, and the serverconfig.xml file. But these changes will not be reflected on Access Manager 2, since these files are local on each machine.
Question 1. Do changes have to be made in AMConfig.properties and serverconfig.xml files on the other machine hosting Access Manager 2?
Question 2: What is the purpose of putting these values here? Specifically, what is achieved by specifying the Directory server host and port in AMConfig.properties, as well as in serverconfig.xml?
Question 3. In the HTTP console, there is the option of specifying multiple primary LDAP servers, as well as multiple secondary LDAP servers. What is the purpose of these? Are secondary servers attempted when none of the list in the primary list are accessible? Also, if there are multiple entries in the primary server list, are they accessed in a round robin fashion (hereby providing rudimentary load balancing), or are other servers accessed only when the one mentioned first is not reachable etc.?
2. Since I do not have a load balancer setup yet, I tried the following deviation to the above, which, according to me, should have worked. If viewed in the HTTP console, LDAP / Membership / MSISDN and Policy configuration all pointed to the DS on host 1. When I changed all these to point to the directory server on host 2 (and made AMConfig.properties and serverconfig.xml on host 1 point to DS of host 2 as well), things should have worked fine, but apparently Access manager 1 could not be started. Error from Webserver:
[14/Aug/2006:04:30:36] info (13937): WEB0100: Loading web module in virtual server [https-machine_1_FQDN] at [search]
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Exception in thread "EventService" java.lang.ExceptionInInitializerError
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.iplanet.services.ldap.event.EventServicePolling.run(EventServicePolling.java:132)
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at java.lang.Thread.run(Thread.java:595)
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: Caused by: java.lang.InterruptedException
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: at com.sun.identity.sm.ServiceManager.<clinit>(ServiceManager.java:74)
[14/Aug/2006:04:31:48] warning (13937): CORE3283: stderr: ... 2 more
In effect, AM on 1 did not start. On rolling back the changes, things again worked like previously.
Will be really grateful for any help / insight / experience on dealing with the above.
Thanks!

Update to the above, incase anyone is reading:
We setup a similar setup in Windows, and it worked. Here is a detailed account of what was done:
1. Host 1: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST1:389)
2. Host 2: Start installer, install automatically, chose Directory server, Directory Administration server, Directory Proxy server, Web server, Access Manager.
All installed, and worked fine. (AMConfig.properties, serverconfig.xml, and the info in LDAP service, all pointed to HOST2:389)
3. Host 1: Started replication. Set to Master
4. Host 2: Started replication. Set to Master
5. Host 1: Setup replication agreement to Host 2
6. Host 2: Setup replication agreement to Host 1
7. Initiated the remote replica from Host 1 ----> Host 2
Note that since default installation uses abc.....xyz as the encryption key, setting this to same was not an issue.
9. Started webserver for Host 1 and logged into AM as amadmin.
10. Added Host 2 FQDN in DNS Aliases / Realms
11. Added http://HOST2_FQDN:80 in the Platform server (instance) list.
12. Started Host 2 webserver. Logged in AM on Host 2, things worked fine.
At this stage, note the following:
a) Host 1:
AMConfig.properties file has
com.iplanet.am.directory.host=host1_FQDN
and
com.iplanet.am.directory.port=389
serverconfig.xml has:
<Server name="Server1" host="host1_FQDN" port="389" type="SIMPLE" />
b) Host 2:
AMConfig.properties file has
com.iplanet.am.directory.host=host2_FQDN
and
com.iplanet.am.directory.port=389
serverconfig.xml has:
<Server name="Server1" host="host2_FQDN" port="389" type="SIMPLE" />
c) If one logs into AM, and checks LDAP servers for LDAP / Policy Configuration / Membership etc services, they all contain Host2_FQDN:389 (which makes sense, since replica 2 was initialized from 1)
Returning back to the configuations:
13. On Host 1, login into the Admin server console of the Directory server. Navigate to the DPS, and confgure the following:
a) Network Group
b) LDAP servers
c) Load Balancing
d) Change Group
e) Action on-bind
f) Allow all actions (permit modification / deletion etc.).
g) any other configuations required - Am willing to give detailed steps if someone needs them to help me / themselves! :)
So now, we have DPS configured and running on Host1:489, and distributing load to DS1 and DS2 on a 50:50 basis.
14. Now, log into AM on Host 1, and instead of Host1_fqdn:389 (for DS) in the following places, specify Host1_fqdn:489 (for the DPS)--
LDAP Authentication
MSISDN server
Membership Service
Policy configuation.
Verified that this propagated to the Policy Configuration service and the LDAP authentication service that are already registered with the default organization.
15. Log out of AM. Following the documentation, modify directory.host and directory.port in AMConfig.properties to point to Host 1_FQDN and 489 respectively. Make this change in AMConfig.properties of both Host 1 as well as 2.
16. Edit serverconfig.xml on both hosts, and instead of they pointing to their local directory servers, point both to host1_FQDN:489
17. When you start the webserver, it will refuse to start. Will spew errors such as:
[https-host1_FQDN]: Sun ONE Web Server 6.1SP5 B06/23/2005 17:36
[https-host1_FQDN]: info: CORE3016: daemon is running as super-user
[https-host1_FQDN]: info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_04] from [Sun Microsystems Inc.]
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amserver]
[https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [ampassword]
[https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amcommon]
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [amconsole]
[https-host1_FQDN]: warning: WEB6100: locale-charset-info is deprecated, please use parameter-encoding
[https-host1_FQDN]: info: WEB0100: Loading web module in virtual server [https-host1_FQDN] at [search]
[https-host1_FQDN]: warning: CORE3283: stderr: netscape.ldap.LDAPException: error result (32); matchedDN = dc=sun,dc=com; No such object (DN changed)
[https-host1_FQDN]: warning: CORE3283: stderr: Got LDAPServiceException code=-1
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getConnection(DSConfigMgr.java:357)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewFailoverConnection(DSConfigMgr.java:314)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewConnection(DSConfigMgr.java:253)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:184)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.services.ldap.DSConfigMgr.getNewProxyConnection(DSConfigMgr.java:194)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.initLdapPool(DataLayer.java:1248)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.(DataLayer.java:190)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:215)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ums.DataLayer.getInstance(DataLayer.java:246)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.initialize(SMSLdapObject.java:156)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ldap.SMSLdapObject.(SMSLdapObject.java:124)
[https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
[https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
[https-host1_FQDN]: warning: CORE3283: stderr: at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
[https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.reflect.Constructor.newInstance(Constructor.java:494)
[https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance0(Class.java:350)
[https-host1_FQDN]: warning: CORE3283: stderr: at java.lang.Class.newInstance(Class.java:303)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.SMSEntry.(SMSEntry.java:216)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.identity.sm.ServiceSchemaManager.(ServiceSchemaManager.java:67)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.getServiceSchemaManager(AMClientDetector.java:219)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.am.util.AMClientDetector.(AMClientDetector.java:94)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.sun.mobile.filter.AMLController.init(AMLController.java:85)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:262)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:322)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ApplicationFilterConfig.(ApplicationFilterConfig.java:120)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3271)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3747)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
[https-host1_FQDN]: warning: CORE3283: stderr: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
[https-host1_FQDN]: warning: CORE3283: stderr: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
[https-host1_FQDN]: failure: WebModule[amserver]: WEB2783: Servlet /amserver threw load() exception
[https-host1_FQDN]: javax.servlet.ServletException: WEB2778: Servlet.init() for servlet LoginLogoutMapping threw exception
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:949)
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
[https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
[https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
[https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
[https-host1_FQDN]: ----- Root Cause -----
[https-host1_FQDN]: java.lang.NullPointerException
[https-host1_FQDN]: at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:71)
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:921)
[https-host1_FQDN]: at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:813)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:3478)
[https-host1_FQDN]: at org.apache.catalina.core.StandardContext.start(StandardContext.java:3760)
[https-host1_FQDN]: at com.iplanet.ias.web.WebModule.start(WebModule.java:251)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardHost.start(StandardHost.java:652)
[https-host1_FQDN]: at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1133)
[https-host1_FQDN]: at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:355)
[https-host1_FQDN]: at org.apache.catalina.startup.Embedded.start(Embedded.java:995)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.start(WebContainer.java:431)
[https-host1_FQDN]: at com.iplanet.ias.web.WebContainer.startInstance(WebContainer.java:500)
[https-host1_FQDN]: at com.iplanet.ias.server.J2EERunner.confPostInit(J2EERunner.java:161)
[https-host1_FQDN]:
[https-host1_FQDN]: info: HTTP3072: [LS ls1] http://host1_FQDN:58080 [i]ready to accept requests
[https-host1_FQDN]: startup: server started successfully
Success!
The server https-host1_FQDN has started up.
The server infact, didn't start up (nothing even listening on 58080).
However, if AMConfig.properties is left as it originally was, and only serverconfig.xml files were changed as mentioned above, web servers started fine, and things worked all okay. (Alright, except for some glitches when viewed in /amconsole. If /amserver/console is accessed, all is good. Can this mean that all is still not well? I am not sure).
So far so good. Now comes the sad part. When the same is done on Solaris 9, things dont work. You continue to get the above error, OR the following error, and the web server will refuse to start:
Differences in Solaris and Windows are as follows:
1. Windows hosts have 1 IP and hostname. Solaris hosts have 3 IPs and hostnames (for DS, DPS, and webserver).
No other difference from an architectural perspective.
Any help / insight on why the above is not working (and why the hell does the documentation seem so sketchy / insecure / incorrect).
Thanks a bunch!

Immediate Requirement-----Identity & Access Management Consultants

Similar Messages

Maybe you are looking for