Logout Processing Properties in the Policy Agent 2.2

Hi,
Did anyone ever used these properties? I have a case in which I need to use them but there are no examples and the documentation is a bit laconic. What is this handler? Any ideas? My app has just a simple /Logout.do url that when requested should logout the user in Access Manager too. I tried setting the property like
com.sun.identity.agents.config.logout.uri[myApp] = /Logout.do
But it did't work.
Thank you.
This is the only doco I found, in the AMAgent.properties:
# LOGOUT PROCESSING PROPERTIES
# - logout.application.handler: An application specific (MAP) property
# that identifies a handler to be used for logout processing.
# - logout.uri: An application specific (MAP) property that identifies
# a request URI which indicates a logout event.
# - logout.request.param: An application specific (MAP) property that
# identifies a parameter which when present in the HTTP request
# indicates a logout event.
# - logout.introspect.enabled: A flag that when set allows the Agent
# to search HTTP request body to locate logout parameter.
# - logout.entry.uri: An application specific (MAP) property that identifies
# a URI to be used as an entry point after successful logout and
# subsequent successful authentication if applicable.
# Hot-Swap Enabled: Yes
com.sun.identity.agents.config.logout.application.handler[] =
com.sun.identity.agents.config.logout.uri[] =
com.sun.identity.agents.config.logout.request.param[] =
com.sun.identity.agents.config.logout.introspect.enabled = false
com.sun.identity.agents.config.logout.entry.uri[] =

Hi,
in my scenerion i have set up the SSO between SIM SPE and SAM sucessfully.
I have put the default url of SIM-SPE edit profile page on suceesful login of Access manager. however i am facing the issue in logout of SIM-SPE application. i tried with access manager log out url but on log out and log-in with different user it gives me the profile of previous user however policy agent is fetching the current user (checking from the header). So it seems that some session is not able to destroyed on application (SIM-SPE) side. i came to know from forum even that some logout properties can use for logout.
Can anybody please tell me how to use the following properties in AMAgent.properties file of policy agent on App server.
# LOGOUT PROCESSING PROPERTIES
#   - logout.application.handler: An application specific (MAP) property
#     that identifies a handler to be used for logout processing.
#   - logout.uri: An application specific (MAP) property that identifies
#     a request URI which indicates a logout event.
#   - logout.request.param: An application specific (MAP) property that
#     identifies a parameter which when present in the HTTP request
#     indicates a logout event.
#   - logout.introspect.enabled: A flag that when set allows the Agent
#     to search HTTP request body to locate logout parameter.
#   - logout.entry.uri: An application specific (MAP) property that identifies
#     a URI to be used as an entry point after successful logout and
#     subsequent successful authentication if applicable.
# Hot-Swap Enabled: Yes
com.sun.identity.agents.config.logout.application.handler[] =
com.sun.identity.agents.config.logout.uri[] =
com.sun.identity.agents.config.logout.request.param[] =
com.sun.identity.agents.config.logout.introspect.enabled = false
com.sun.identity.agents.config.logout.entry.uri[] =i tried with http://<host name><port>/idm/spe/user/LogoutSubmit.do as setting the value for logout.uri property but no works.
i would really appreciate your response.

Similar Messages

OPENSSO PRE/POST PROCESSING ATTRIBUTE FETCHING VIA POLICY AGENT

Is it possible to apply filter or post processing when fetching attributes from open sso using a policy agent? If so, do you know if the process is documented and where or under what search criteria should I use to start my search?
Assume the following attribute (keys) can store multiple values:
Keys:
A | 1 (key 1)
B | 4 (key 2)
A | 7 (key 3)
Is there a way to only extract the key values of B | 4 instead of all of the key values (keys 1, 2 & 3) ?

Is it possible to apply filter or post processing when fetching attributes from open sso using a policy agent? If so, do you know if the process is documented and where or under what search criteria should I use to start my search?
Assume the following attribute (keys) can store multiple values:
Keys:
A | 1 (key 1)
B | 4 (key 2)
A | 7 (key 3)
Is there a way to only extract the key values of B | 4 instead of all of the key values (keys 1, 2 & 3) ?

Possible to deploy Dist Auth in the same web container with Policy Agent?

I have a client who has limited hardware resources and wants to deploy the distributed authentication UI in the same web container as the policy agent. Has anyone successfully done this?

I'm sure it's possible just make sure the DAUI context (e.g. /distAuth) in the agent's configuration for the web server is in the not enforced list properties for the agent.
However, it's so easy just to put an Apache HTTP server/tomcat and run daui, then setup another web server (Sun, Apache, etc.) with an agent or vice versa and you don't have to worry about the agent clobbering DAUI.

Has anyone got the IIS Policy Agent 3.0 working with an ASP web application

Hi,
Can anyone pllease please confirm if they have managed to get the IIS Policy Agent 3.0 working for a asp/asp.net web site on IIS 7 running on Windows Server 2008 64 bit.?
I have installed the 32bit version of the agent as my web site must support 32 bit applications.
I have created a simple web site which works fine with the policy agent configured if the page is html, If I rename the html page to be of type asp I get an Object Move error.
I would much appreciate if someone could confirm if they have managed to get an asp web site working with the policy agent.
Note: The Policy Agent 2.2 worked perfectly with asp on IIS 6.0.
Thanks in advance,
Tommy.

I managed to make Agent 3 work with IIS 7 for a sample application based on aspx in Dev environment .... after modifying the sample application, I got the same errors as "Object removed" and others .... I have no idea what the hell. Fortunately, a super .Net start here spent a few minutes to do some twicking on IIS, and make it work again .... don't ask me what he did, I am pretty dump, and no idea. :)
Thanks

Can the IS 6.0 Policy Agent run on FreeBSD?

I see the policy agent can run on Apache 1.3.26 for Red Hat Linux 7.2. Could you get it to work on Apache 1.3.26 for FreeBSD 4.x?

thanks for your reply....
But in the landscape there are two portal server on ep 6.0 and they are trying upgrade only one to EP 7, but they both are pointing to same r3 4.6c which is getting upgraded to ECC 6.0.
than in such a scenario will the existing EP 6.0 based on WAS 620 work with the integrated ITS.
Regards,
Ravi

Authorization issue with J2EE Policy Agent for AS7

Following the documentaion I have created a simple J2EE application with a servlet and 2 jsp's. The 2 JSP's customer.jsp and admin.jsp are mapped to /customer and /admin. The entire web application is subject to a filter like:
<filter>
<filter-name>Agent</filter-name>
<display-name>Agent</display-name>
<description>SunTM ONE Idenitity Server Policy Agent for SunTM ONE Application Server 7.0</description>
<filter-class>com.sun.amagent.as.filter.AgentFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>Agent</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
The two resources /customer and /admin are subjected security constraints like:
<security-constraint>
<web-resource-collection>
<web-resource-name>col2</web-resource-name>
<url-pattern>/customer</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>customer</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>NONE</transport-guarantee>
</user-data-constraint>
</security-constraint>
The role-to-principal mapping is done in the sun-web.xml like:
<security-role-mapping>
<role-name>customer</role-name>
<group-name>customer</group-name>
<principal-name>amAdmin</principal-name>
</security-role-mapping>
<security-role-mapping>
<role-name>admin</role-name>
<group-name>admin</group-name>
<principal-name>amAdmin</principal-name>
</security-role-mapping>
Two roles 'customer' and admin are created via the identity server console and users are added to these roles.
The application deploys OK, when the app is accesed the user is redirected to the identity server and is authenticated fine. The user is directed to the main servlet and is allowed to access the the two jsp's. All is good till now, when the user access one these links say /customer, access is denied (403). The server logs prints out:
[21/May/2003:10:34:24] FINE ( 6036): servletPath = /customer
[21/May/2003:10:34:24] FINE ( 6036): pathInfo = null
[21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Process request for '/idssample/customer'
[21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: Checking for SSO cookie
[21/May/2003:10:34:24] FINE ( 6036): SingleSignOn[ids]: SSO cookie is not present
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Security checking request GET /idssample/customer
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: We have cached auth type PROGRAMMATIC for principal amAdmin
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> false
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Checking constraint 'SecurityConstraint[col2]' against GET /customer --> true
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Subject to constraint SecurityConstraint[col2]
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling checkUserData()
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User data constraint has no restrictions
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling authenticate()
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: User authentication is not required
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Calling accessControl()
[21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL : amAdmin hasRole?: customer
[21/May/2003:10:34:24] FINEST ( 6036): PRINCIPAL TABLE: {}
[21/May/2003:10:34:24] FINE ( 6036): Authenticator[idssample]: Failed accessControl() test
[21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin)
[21/May/2003:10:34:24] WARNING ( 6036): CORE3283: stderr: <May 21, 2003 10:34:24 AM CDT> <Agent> <Info> AgentRealm.getGroupNames(amAdmin) => java.util.Vector$1@bb60ad
Now, snooping around I have found that the AgentRealm.getGroupNames(userdn) does
return the correct grops viz. customer,admin,anyone.
PLEASE HELP

-- Second Update --
After policy installation I got several problems with PeopleSoft configuration. Which finally were solved.
1. Some URL's has to be defined as not enforced.
com.sun.am.policy.amFilter.notenforcedList[1]=/ps/images/*
com.sun.am.policy.amFilter.notenforcedList[2]=*.css
com.sun.am.policy.amFilter.notenforcedList[3]=*.ico
2. In versions older than PeopleSoft 8.4.2 the policy agent modified the file
/opt/fs/webserv/peoplesoft/applications/peoplesoft/PORTAL/WEB-INF/psftdocs/ps/configuration.properties to add the properties:
byPassSignon=TRUE
defaultUserid="DEFAULT_USER"
defaultPWD="your password"
signon_page=amsignin.html
signonError_page=amsignin.html
logout_page=amsignin.html
expire_page=amsignin.html
However, in the newer versions of PeopleSoft this properties are controled from the online Peoplesoft console. Which are set on:
PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Security --> In section "Public Users" the parameters that has to be changed are:
Allow Public Access (cheked)
User ID : DEFAULT_USER
Password : your password
HTTP Session Inactivity : (SSO TIMEOUT)
and:
PeopleTools --> WebProfile ---> WebProfileConfiguration --> [PROFILE] --> Look and Feel -->
In section "SignOn/Logout" set the following values:
Signon Page : amsignin.html
Signon Error Page : amerror.html
Logout Page : amsignout.html
Note: After making any changes on the console; restart PIA (weblogic instance).
With this the SSO with PeopleSoft is working Ok.
Message was edited by:
LpzYlnd

Policy Agent for JBoss

Hi,
I have installed SAM (together with S1DS, Web Server and Administration Server (from JES installer)).
I have installed and configured Policy Agent for JBoss AS, but i'm getting a browser "Redirect loop" (Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked.) error after I login with a correct user/password combination when I try to access the sample application.
My browser accepts cookies from all domains and I get no error in console.
My AMAgent.properties looks like this:
com.sun.identity.agents.config.user.mapping.mode = USER_ID
com.sun.identity.agents.config.user.attribute.name = employeenumber
com.sun.identity.agents.config.user.principal = false
com.sun.identity.agents.config.user.token = UserToken
com.sun.identity.agents.config.client.ip.header =
com.sun.identity.agents.config.client.hostname.header =
com.sun.identity.agents.config.load.interval = 0
com.sun.identity.agents.config.locale.language = en
com.sun.identity.agents.config.locale.country = US
com.sun.identity.agents.config.organization.name = /
com.sun.identity.agents.config.audit.accesstype = LOG_BOTH
com.sun.identity.agents.config.log.disposition = ALL
com.sun.identity.agents.config.remote.logfile = amAgent_11_126_14_20_8080.log
com.sun.identity.agents.config.local.logfile = /home/ciuc/stuff/src/j2ee_agents/am_jboss_agent/agent_001/logs/audit/amAgent_11_126_14_20_8080.log
com.sun.identity.agents.config.local.log.rotate = false
com.sun.identity.agents.config.local.log.size = 52428800
com.sun.identity.agents.config.webservice.enable = false
com.sun.identity.agents.config.webservice.endpoint[0] =
com.sun.identity.agents.config.webservice.process.get.enable = true
com.sun.identity.agents.config.webservice.authenticator =
com.sun.identity.agents.config.webservice.internalerror.content = WSInternalErrorContent.txt
com.sun.identity.agents.config.webservice.autherror.content = WSAuthErrorContent.txt
com.sun.identity.agents.config.access.denied.uri =
com.sun.identity.agents.config.login.form[0] =
com.sun.identity.agents.config.login.error.uri[0] =
com.sun.identity.agents.config.login.use.internal = true
com.sun.identity.agents.config.login.content.file = FormLoginContent.txt
com.sun.identity.agents.config.auth.handler[] =
com.sun.identity.agents.config.logout.handler[] =
com.sun.identity.agents.config.verification.handler[] =
com.sun.identity.agents.config.redirect.param = goto
com.sun.identity.agents.config.login.url[0] = http://sam.domain:80/amserver/UI/Login
com.sun.identity.agents.config.login.url.prioritized = true
com.sun.identity.agents.config.agent.host =
com.sun.identity.agents.config.agent.port =
com.sun.identity.agents.config.agent.protocol =
com.sun.identity.agents.config.login.attempt.limit = 0
com.sun.identity.agents.config.sso.decode = true
com.sun.identity.agents.config.amsso.cache.enable = true
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
com.sun.identity.agents.config.cookie.reset.domain[] =
com.sun.identity.agents.config.cookie.reset.path[] =
com.sun.identity.agents.config.cdsso.enable = false
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = http://dm-test-win-1:80/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = http://dm-test-win-1:80/amserver/cdcservlet
com.sun.identity.agents.config.logout.application.handler[] =
com.sun.identity.agents.config.logout.uri[] =
com.sun.identity.agents.config.logout.request.param[] =
com.sun.identity.agents.config.logout.introspect.enabled = false
com.sun.identity.agents.config.logout.entry.uri[] =
com.sun.identity.agents.config.fqdn.check.enable = true
com.sun.identity.agents.config.fqdn.default = jbossAS.domain
com.sun.identity.agents.config.fqdn.mapping[] =
com.sun.identity.agents.config.legacy.support.enable = false
com.sun.identity.agents.config.legacy.user.agent[0] = Mozilla/4.7*
com.sun.identity.agents.config.legacy.redirect.uri = /agentapp/sunwLegacySupportURI
com.sun.identity.agents.config.response.header[] =
com.sun.identity.agents.config.redirect.attempt.limit = 0
com.sun.identity.agents.config.port.check.enable = false
com.sun.identity.agents.config.port.check.file = PortCheckContent.txt
com.sun.identity.agents.config.port.check.setting[8080] = http
com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
com.sun.identity.agents.config.notenforced.uri.invert = false
com.sun.identity.agents.config.notenforced.uri.cache.enable = true
com.sun.identity.agents.config.notenforced.uri.cache.size = 1000
com.sun.identity.agents.config.notenforced.ip[0] =
com.sun.identity.agents.config.notenforced.ip.invert = false
com.sun.identity.agents.config.notenforced.ip.cache.enable = true
com.sun.identity.agents.config.notenforced.ip.cache.size = 1000
com.sun.identity.agents.config.attribute.cookie.separator = |
com.sun.identity.agents.config.attribute.date.format = EEE, d MMM yyyy hh:mm:ss z
com.sun.identity.agents.config.attribute.cookie.encode = true
com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
com.sun.identity.agents.config.profile.attribute.mapping[] =
com.sun.identity.agents.config.session.attribute.fetch.mode = NONE
com.sun.identity.agents.config.session.attribute.mapping[] =
com.sun.identity.agents.config.response.attribute.fetch.mode = NONE
com.sun.identity.agents.config.response.attribute.mapping[] =
com.sun.identity.agents.config.bypass.principal[0] =
com.sun.identity.agents.config.default.privileged.attribute[0] = AUTHENTICATED_USERS
com.sun.identity.agents.config.privileged.attribute.type[0] = Role
com.sun.identity.agents.config.privileged.attribute.tolowercase[Role] = false
com.sun.identity.agents.config.privileged.session.attribute[0] =
com.sun.identity.agents.config.service.resolver = com.sun.identity.agents.jboss.v40.AmJBossAgentServiceResolver
com.sun.identity.agents.app.username = amagent
com.iplanet.am.service.secret = AQICJmGvlBWYuAYQndALuvNKiw==
am.encryption.pwd = /mY/WidDT34aJtbcFS0pCKFEt6evPeTF
com.sun.identity.client.encryptionKey= /mY/WidDT34aJtbcFS0pCKFEt6evPeTF
com.iplanet.services.debug.level=error
com.iplanet.services.debug.directory=/home/ciuc/stuff/src/j2ee_agents/am_jboss_agent/agent_001/logs/debug
com.iplanet.am.cookie.name=iPlanetDirectoryPro
com.iplanet.am.naming.url=http://sam.domain:80/amserver/namingservice
com.iplanet.am.notification.url=http://jbossAS.domain:8080/agentapp/notification
com.iplanet.am.session.client.polling.enable=false
com.iplanet.am.session.client.polling.period=180
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
com.iplanet.am.sdk.remote.pollingTime=1
com.sun.identity.sm.cacheTime=1
com.iplanet.am.localserver.protocol=http
com.iplanet.am.localserver.host=jbossAS.domain
com.iplanet.am.localserver.port=8080
com.iplanet.am.server.protocol=http
com.iplanet.am.server.host=sam.domain
com.iplanet.am.server.port=80
com.sun.identity.agents.server.log.file.name=amRemotePolicyLog
com.sun.identity.agents.logging.level=BOTH
com.sun.identity.agents.notification.enabled=true
com.sun.identity.agents.notification.url=http://jbossAS.domain:8080/agentapp/notification
com.sun.identity.agents.polling.interval=3
com.sun.identity.policy.client.cacheMode=subtree
com.sun.identity.policy.client.booleanActionValues=iPlanetAMWebAgentService|GET|allow|deny:iPlanetAMWebAgentService|POST|allow|deny
com.sun.identity.policy.client.resourceComparators=serviceType=iPlanetAMWebAgentService|class=com.sun.identity.policy.plugins.HttpURLResourceName|wildcard=*|delimiter=/|caseSensitive=false
com.sun.identity.policy.client.clockSkew=1011.126.14.20 is the computer where I have the JBoss installation.
11.126.14.18 is the computer where I have SAM services.
Do you have any idea why this error may occur?
Thank you in advance,
Cristi

Hi,
Thanks for your responses, I've included my AMAgent.properties below if you could take a look at it.
I only seem to run into the problem when I authenticate if the following is set:
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
If that is set to NONE then I can access the application fine, but if i use the HTTP_HEADER and attempt to pass information via the header I get stuck in the loop which results in the message <strong>".Redirection limit for this URL exceeded. Unable to load the requested page. This may be caused by cookies that are blocked."</strong>
There is no helpful output in either my container log or the Policy Agent logs.
The myHost.local. exists within my /etc/hosts file and using ping and other tools resolve fine.
I am using JBOSS 4.2.2 on Linux (and windows).
If anyone can help save my sanity it would be appreciated.
com.sun.identity.agents.config.filter.mode = URL_POLICY
com.sun.identity.agents.config.user.mapping.mode = USER_ID
com.sun.identity.agents.config.user.attribute.name = employeenumber
com.sun.identity.agents.config.user.principal = false
com.sun.identity.agents.config.user.token = UserToken
com.sun.identity.agents.config.load.interval = 0
com.sun.identity.agents.config.locale.language = en
com.sun.identity.agents.config.locale.country = US
com.sun.identity.agents.config.audit.accesstype = LOG_NONE
com.sun.identity.agents.config.log.disposition = REMOTE
com.sun.identity.agents.config.remote.logfile = amAgent_8089.log
com.sun.identity.agents.config.local.logfile = /usr/j2ee_agents/am_jboss_agent/agent_001/logs/audit/amAgent_8089.log
com.sun.identity.agents.config.local.log.rotate = false
com.sun.identity.agents.config.local.log.size = 52428800
com.sun.identity.agents.config.webservice.enable = false
com.sun.identity.agents.config.webservice.endpoint[0] =
com.sun.identity.agents.config.webservice.process.get.enable = true
com.sun.identity.agents.config.webservice.authenticator =
com.sun.identity.agents.config.webservice.internalerror.content = WSInternalErrorContent.txt
com.sun.identity.agents.config.webservice.autherror.content = WSAuthErrorContent.txt
com.sun.identity.agents.config.login.form[0] = /manager/AMLogin.html
com.sun.identity.agents.config.login.form[1] = /host-manager/AMLogin.html
com.sun.identity.agents.config.login.error.uri[0] = /manager/AMError.html
com.sun.identity.agents.config.login.error.uri[1] = /host-manager/AMError.html
com.sun.identity.agents.config.login.use.internal = true
com.sun.identity.agents.config.login.content.file = FormLoginContent.txt
com.sun.identity.agents.config.auth.handler[] =
com.sun.identity.agents.config.logout.handler[] =
com.sun.identity.agents.config.verification.handler[] =
com.sun.identity.agents.config.redirect.param = goto
com.sun.identity.agents.config.login.url[0] = http://myHost.local:8080/amserver/UI/Login
com.sun.identity.agents.config.login.url.prioritized = true
com.sun.identity.agents.config.login.url.probe.enabled = true
com.sun.identity.agents.config.login.url.probe.timeout = 2000
com.sun.identity.agents.config.agent.host =
com.sun.identity.agents.config.agent.port =
com.sun.identity.agents.config.agent.protocol =
com.sun.identity.agents.config.login.attempt.limit = 0
com.sun.identity.agents.config.sso.decode = true
com.sun.identity.agents.config.amsso.cache.enable = true
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
com.sun.identity.agents.config.cookie.reset.domain[] =
com.sun.identity.agents.config.cookie.reset.path[] =
com.sun.identity.agents.config.cdsso.enable = false
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = http://myHost.local:8080/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = http://myHost.local:8080/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.secure.enable = false
#com.sun.identity.agents.config.cdsso.domain[0] =
com.sun.identity.agents.config.logout.application.handler[] =
com.sun.identity.agents.config.logout.uri[] =
com.sun.identity.agents.config.logout.request.param[] =
com.sun.identity.agents.config.logout.introspect.enabled = false
com.sun.identity.agents.config.logout.entry.uri[] =
com.sun.identity.agents.config.fqdn.check.enable = true
com.sun.identity.agents.config.fqdn.default = am.ufidev.local.
com.sun.identity.agents.config.fqdn.mapping[] =
com.sun.identity.agents.config.legacy.support.enable = false
com.sun.identity.agents.config.legacy.user.agent[0] = Mozilla/4.7*
com.sun.identity.agents.config.legacy.redirect.uri = /agentapp/sunwLegacySu<br />

Policy Agent doesn't reset Sun Access Manager session time idle value

Hi,
We have the following setup in our environment:
- apache web server/web and policy agent 2.2 for apache 2.0.54
- webmethods portal server (jetty)
-Sun Access Manager (with Sun Directory Server)
We use policy agent for authentication purpose only (via Sun Access Manager/LDAP) when the users access the portal. We have custom code that creates session in Sun Access Manager for custom LDAP services. For testing purpose, we configure SAM session to have Max Session Timeout at 120mins and Time Idle at 15mins. I would assume that, after the initial login request, for all subsequent accesses to the portal the policy agent should intercept the request and reset the Time Idle value of SAM session. However, when I monitor time idle value using SAM console, session tab, the time idle value didn't change when the portal user access pages, submit actions, etc. I can see in the debug log of policy agent that requests are being intercepted/processed, but the time idle didn't get reset.
Does anyone know if this is a bug in configuration or in policy agent itself or am I making the wrong assumption?
Thanks a lot for the help.

Thanks for the reply, Shivaram. The issue appears to occur at random time, not accurately at the 3 min interval as you mention. I tested changing this value to 1, theoretically, after one 1 minute of idle time, accessing a link would make the agent reset the time idle value for the user session in SAM, but it didn't even after 3 minutes. This seems to be either a policy agent or system access manager bug.
We performed a 'vanilla' test using the apache server manual pages (only plain HTML, no POST requests), the pages are protected by the policy agent. At the first login, rwe were prompted to enter credential to be validated by SAM/LDAP, and then a user session is created in SAM session table. We browse around the manual pages, once in a while, certain pages cause the policy agent to reset the time idle. However, revisiting these links after a few minutes doesn't reset the idle value. Caching setting has been disable as well. Could there be or lack of some settings in AMConfig.properties or AMAgent.properties that might have caused this behavior?
Thanks for all your help,

Policy agent protected URL auth problem

Hi all,
Anyone knows why the policy agent failed to identify a user with valid cert and ldap pwd and thus allow the user to goto the protected URL resources? (IIS with policy agent 2.0 for W2K)
The IDS server instance was created with security on and "Client Auth" also on. All the accesses worked OK while the "client auth" in not ON. In fact, the user could goto the user profile page with the cert or the LDAP pwd, OAC were all set to enable cert and LDAP=SUCIFICENT even with "client auth" is on, just could not get to the URL it protected. (IDS is running on a Soalris box, V6.0 mtr from the download center)
The policy agent logs shown that the IDS authentication service failure with code 3.
Any hints on that?

When a user clicks the logout button in your Portal application that link needs to send the user to the /amserver/UI/Logout page to terminate the session. You can specify the goto parameter in the link so the user does not see the logout page. You can also specify a particular logout URL pattern in the AMAgent.properties file that when the agent sees a request for that URL it will terminate the session on the AM server and clear out it's cache.

Custom Authentication Issue with Policy Agent

Hi,
I have a custom authentication module which is hosted on the BEA application server and I am trying to access through the policy agent on apache.
I have set the following property in AMAgent.properties file
com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login
So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication is succeed, user sesion is being created and I get the following error message in the agent log file.
2004-10-19 16:20:26.908 Error 27620:e1140 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:3
2004-10-19 16:20:26.908 128 27620:e1140 RemoteLog: User unknown was denied access to http://hostname:port/weblogic/protapp/protected/a.html.
2004-10-19 16:20:26.908 Error 27620:e1140 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
2004-10-19 16:20:26.909 Error 27620:e1140 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
2004-10-19 16:20:26.909 -1 27620:e1140 PolicyAgent: URL Access Agent: access denied to unknown user
The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
Thanks
Neeraj

Hi Neeraj,
I still have not been able to resolve that issue. Let me know If you find a solution for the same.
Thanks,
Srinivas

Load balancers with web servers & policy agents

I have a pair of host machines, hostA and hostB, running multiple web server instances, portalA, portalB, contentA, contentB, serviceA, serviceB, etc.
The two hosts, hostA and hostB, are sitting behind load balancers. ServiceA and serviceB must be protected by login and I have a policy agent installed on hostA and hostB for these two instances.
The load balancers respond to https://service/* and forward requests to http://serviceA:3456/* or http://serviceB:3456/* depending on the host selected by round-robin.
I've been told that serviceA and serviceB cannot be running on the default 443 port (although we could enable SSL if we wanted) in order to work nicely with the other web server instances that are behind the load balancers.
The problem is that the policy agent knows that it is running as http://serviceA:3456/.
The user makes a request to the load balancers for:
https://service/protected.html
The load balancer passes the request to:
http://serviceA:3456/protected.html
The agent sends a redirect to login which sends the user to:
http://service:3456/protected.html
This final URL is not available through the load balancers and it's obviously not the public URL.
I have fqdnDefault set to 'service.x.x' so the URL is rewritten to that extent. Is there a way to tell the agent that the port it's running on is not the public port (ie. that it's behind a NAT device)? Is there a way to tell the agent that it's should actually redirect to https and not http?

Hi,
CQ authoring does not leverage server side sessions, therefor you'll never loose data because of this.
But: As the cluster has a small delay on synchronisation, it could be, that on a write and subsequent read you'll get the old content, if you don't have sticky sessions (because both requests are not processed by the same server). Therefor I advise you to use sticky sessions in front of a CQ authoring cluster.
Jörg

Problem Installing Policy Agent 2.2 on Apache 2.2.3

Hi all,
I'm trying to configure policy agent 2.2 on apache 2.2.3 on linux platform CentOS (red hat 5.1).
The configuration and the installation seem to work properly, in effect in the log file install.log you can find :
[06/10/2008 16:38:49:865 CEST] Creating directory layout and configuring Agent file for Agent_001 instance ...SUCCESSFUL.
[06/10/2008 16:38:49:936 CEST] Reading data from file /opt/web_agents/apache22_agent/passwordFile and encrypting it ...SUCCESSFUL.
[06/10/2008 16:38:49:937 CEST] Generating audit log file name ...SUCCESSFUL.
[06/10/2008 16:38:50:022 CEST] Creating tag swapped AMAgent.properties file for instance Agent_001 ...SUCCESSFUL.
[06/10/2008 16:38:50:026 CEST] Creating a backup for file /etc/httpd/conf/httpd.conf ...SUCCESSFUL.
[06/10/2008 16:38:50:031 CEST] Adding Agent parameters to /opt/web_agents/apache22_agent/Agent_001/config/dsame.conf file ...SUCCESSFUL.
[06/10/2008 16:38:50:032 CEST] Adding Agent parameters to /etc/httpd/conf/httpd.conf file ...SUCCESSFUL.
But, when I try to restart Apache it gives me an error and in the error.log file in Apache you can read:
[Tue Jun 10 16:57:33 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Tue Jun 10 16:57:34 2008] [notice] Digest: generating secret for digest authentication ...
[Tue Jun 10 16:57:34 2008] [notice] Digest: done
[Tue Jun 10 16:57:34 2008] [alert] Policy web agent configuration failed: NSPR error
Configuration Failed
Well, I found in the Sun documentation a well known bug about the NSPR and NSS library :
Error message issued during installation of Policy Agent 2.2 on Linux systems
When the Linux operating system is installed, specific components can be selected. Occasionally the specific components of the operating system selected lack the libraries necessary for Policy Agent 2.2 to function. When the complete Linux operating system is installed, all the required libraries are available. The libraries that are required for the agent to function are as follows: NSPR, NSS, and libxml2.
Workaround: If the Linux operating system you are using is not complete, install the latest versions of these libraries as described in the steps that follow:
At the time this note was added, the latest version of the NSPR library packages was NSPR 4.6.x , while the latest version of the NSS library package was NSS 3.11.x.
To Install Missing Libraries for Policy Agent 2.2 on Linux Systems
*+
Install the NSS, and libxml2 libraries. These libraries are usually available as part of Linux installation media. NSPR and NSS are available as part of Mozilla binaries/development packages. You can also check the following sites:
o
NSPR: http://www.mozilla.org/projects/nspr/
o
NSS: http://www.mozilla.org/projects/security/pki/nss/
So, I checked my libraries but they are upgraded to the latest version.
If I comment the line that includes the libamapc22.so in the apache configuration file
LoadModule dsame_module /opt/web_agents/apache22_agent/lib/libamapc22.so
Apache can restart but the agent is misconfigurated!
Any Idea?

thank you Subhodeep for your reply,
I didn't try to change the library file and I didn't find in licterature any information about library file changing in the Policy agent installation. Please, could you suggest me something more about which library to use instead of libamapc22.so?
ps. I am using red hat 5.1, and from the release note of the policy agent seems that the latest platform version supported is red hat enterprise linux 4.0 versions.....
this one could definitely be the reason of the misconfiguration.

Policy Agent 3.0 for Tomcat - Cannot obtain Application SSO token

Hi
I am trying to configure Sun OpenSSO Enterprise Policy Agent 3.0 for Apache Tomcat Application Server 6.
After installing the Policy Agent, Tomcat is not starting.
The Error in the stack is :
=========
Jun 14, 2009 2:21:00 AM
org.apache.tomcat.util.digester.Digester startElement
SEVERE: Begin event threw error
java.lang.ExceptionInInitializerError
at
com.sun.identity.agents.arch.AgentConfiguration.bootStrapClientConfig
uration(AgentConfiguration.java:682)
Caused by:
com.sun.identity.security.AMSecurityPropertiesException:
AdminTokenAction: FATAL ERROR: Cannot obtain Application
SSO token.
Check AMConfig.properties for the following properties
com.sun.identity.agents.app.username
com.iplanet.am.service.password
at
com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:
258)
=========
There is no AMConfig.properties file. The Agent uses "OpenSSOAgentBootstrap.properties".
Is there a workaround for this issue ?
Cheers.

Hi,
I have the same Problem, did you come up with a solution for it?
thanks
Matrius

Policy Agent 2.0 redirect after auth

Versions:
Solaris 8
Identity Server 6.0
Policy Agent 2.0
Web Server: iWS 6.0
We are having a problem with redirecting users to a specific page after authentication.
Here is our scenario:
When a user tries to access a URL on our WS with the Policy Agent 2.0 installed, they get redirected to our login page on the Identity Server, which is fine.
The problem is that the original URL is appended in a "goto," and after successfully logging in, the user is redirected to the page in the "goto," and not our default success URL.
We are unable to force the user to a specific success URL after login.
Is there a way to prevent the "goto" from being called, or to force a specific success URL regardless of what is being called in the "goto".
We are unsure if this needs to occur in the setup of the organization in the IS, or if it needs to happen in the AMagent.properties file in the Policy Agent.
Please help!

Thanks for all replies.
Apache: There is nothing special in access_log and error_log. However, there is no problem to use policy agent on Solaris 2.9 + Apache 1.3.26.
IIS: The system path contains the right folder that holds the dll (i think that's done by the installation program), while the system was reboot several times but the situation didn't improve.
Thanks again.
Rgds.

Policy agent using https redirect to AM for authentication

We are using Access Manager 6 2005Q1.
Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP)for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
Our load balancer is currently setup as active/failover because it does not support ssl with cookies.
In our AMAgent.properties file if I set 'com.sun.am.policy.am.loginURL = http://<lb-vip>:80/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>.
However, if I set 'com.sun.am.policy.am.loginURL = https://<lb-vip>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am NOT redirected to AM and receive 'Forbidden You don't have permission to access /<url> on this server. Also in the agent log file I see:
     2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: in_not_enforced_list():enforcing access control for https://<webserver>:443/<url>
     2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: am_web_is_access_allowed https://<webserver>:443/<url>S, GET) no sso token, setting status to invalid session.
     2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: Policy Agent: am_web_is_access_allowed returned status=invalid session
     2006-01-30 12:42:32.800 Warning 28126:203470 PolicyAgent: am_web_get_redirect_url() unable to find active Identity Server Auth server.
     2006-01-30 12:42:32.800 Info 28126:203470 PolicyAgent: do_redirect(): Status Code= invalid session.
Interestingly if I set 'com.sun.am.policy.am.loginURL = https://<am-server>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>. In this scenario the only difference is I am bypassing the load balancer.
Our networking people have monitored the load balancer in front of our AM boxes A/B and see the traffic going to AM in all cases.
From my standpoint it appears the agent is not able to successfully connect to AM via https when going through the load balancer.
Any help with this configuration issue is appreciated.

Bernhard,
From our AMAgent.properties... com.sun.am.policy.agents.version=2.1. Is there a way for me to tell if this is truely only 2.1 or 2.1-xx?
Because our LB does not support SSL with cookies we are currently configured as active/failover so all requests are going to the same AM server until it goes down, at which time I know users have to re-authenticate. Also we have set "com.sun.am.loadBalancer_enable = true" in AMAgent.properties.
We understand your point about loginURL. Infact there are two properties dealing with loginURL, com.sun.am.policy.am.loginURL and com.sun.am.policy.am.library.loginURL. Based on the comments in AMAgent.properties my understanding is that com.sun.am.policy.am.loginURL is where the user is redirected for login when no valid SSO token is found and com.sun.am.policy.am.library.loginURL is what the agent uses to authenticate itself "If the previously specified login URL must be exclusively used for redirecting users..." The interesting part is that if we set com.sun.am.policy.am.loginURL to use http everything works just fine, however if we set it to use https the user never gets redirected. Its almost like the agent is trying to connect there first before doing the redirect and can not.
Craig

Logout Processing Properties in the Policy Agent 2.2

Similar Messages

Maybe you are looking for