Migration from Siteminder DMS to Sun Access Manager
Hi
We are working on a project that involves migration of Siteminder and SiteMinder-DMS to Sun Access Manager.
My concerns are
1. Do I need any changes to the Directory Tree of the LDAP?
2. How do I migrate the policies?
3. Does Sun have the exact equivalents (the same coarse grained APIs) as Siteminder-DMS?
4. Heard of a tool that can do the migration from Siteminder to Sun Access Manager. How good is the tool, what is its scope and what are its limitations?
Thnx
siva
I am currently reviewing migrating from SiteMinder to Sun Access Manager. I have the same issues as you have had. I would greatly appreciate any feedback on any of these issues. My email address is [email protected] if you prefer to email me directly.
Similar Messages
-
Integrating siteminder and sun access manager
Hi,
I need to perform the following integration. I have a client which generates a SAML assertion using Sun Access Manager which is consumed by another system which also has Sun Access Manager. Now the client wants to move on to Siteminder. Would there be any compatibility issues? Would the recipient system having Sun Access Manager be able to consume the SAML assertion generated by Siteminder?
Thanks in advance.
SAML is a standard, therefore you should check SAML version support in Siteminder and do the proper configuration.
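As an added illustration of the "check SAML version support" advice (this is not code from either poster, nor a Sun or CA tool): a small Python pre-check that reads an assertion and reports its SAML version, issuer, audience and validity window, so that a SAML 1.1 assertion from one product is spotted before a SAML 2.0-only consumer rejects it. The issuer and audience URLs and the two assertions are constructed for the example; signature verification is left to the consumer.

```python
"""Offline pre-check of a SAML assertion: which SAML version it uses, who issued it,
whom it is addressed to, and whether its validity window is open.
The two sample assertions at the bottom are constructed, not captured from a real system."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS_SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_SAML1 = "urn:oasis:names:tc:SAML:1.0:assertion"   # used by both SAML 1.0 and 1.1


def parse_saml_time(value):
    """SAML timestamps are UTC xsd:dateTime values such as 2008-03-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def inspect_assertion(xml_text):
    """Return version, issuer, audiences and validity window of one assertion."""
    root = ET.fromstring(xml_text)
    ns, tag = root.tag[1:].split("}", 1)           # '{uri}Assertion' -> ('uri', 'Assertion')
    if tag != "Assertion":
        raise ValueError("root element is %s, not a SAML Assertion" % tag)
    if ns == NS_SAML2:
        version = root.get("Version")                # SAML 2.0 carries Version="2.0" ...
        issuer = root.findtext("{%s}Issuer" % ns)    # ... and an Issuer child element
    elif ns == NS_SAML1:
        version = "%s.%s" % (root.get("MajorVersion"), root.get("MinorVersion"))
        issuer = root.get("Issuer")                  # SAML 1.x: Issuer is an attribute
    else:
        raise ValueError("unknown assertion namespace %s" % ns)
    # AudienceRestriction (2.0) and AudienceRestrictionCondition (1.x) both wrap Audience
    audiences = [a.text.strip() for a in root.iter("{%s}Audience" % ns)]
    cond = root.find("{%s}Conditions" % ns)
    nb = cond.get("NotBefore") if cond is not None else None
    na = cond.get("NotOnOrAfter") if cond is not None else None
    return {
        "version": version,
        "issuer": issuer,
        "audiences": audiences,
        "not_before": parse_saml_time(nb) if nb else None,
        "not_on_or_after": parse_saml_time(na) if na else None,
    }


def compatibility_problems(info, supported_versions, my_audience, now):
    """Reasons a consumer with the given capabilities would reject the assertion.
    An empty list means the structural checks pass; verifying the XML signature with
    the issuer's certificate is a separate step the consumer still has to perform."""
    problems = []
    if info["version"] not in supported_versions:
        problems.append("SAML %s assertion, but consumer supports %s"
                        % (info["version"], ", ".join(sorted(supported_versions))))
    if info["audiences"] and my_audience not in info["audiences"]:
        problems.append("audience restriction %s does not name this consumer" % info["audiences"])
    if info["not_before"] and now < info["not_before"]:
        problems.append("assertion not yet valid (NotBefore is in the future)")
    if info["not_on_or_after"] and now >= info["not_on_or_after"]:
        problems.append("assertion expired (NotOnOrAfter has passed)")
    return problems


# Constructed samples: hostnames and times are placeholders.
SAML2_SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_c1" Version="2.0" IssueInstant="2008-03-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/siteminder</saml:Issuer>
  <saml:Conditions NotBefore="2008-03-01T12:00:00Z" NotOnOrAfter="2008-03-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://am.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

SAML11_SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    AssertionID="_c2" MajorVersion="1" MinorVersion="1"
    Issuer="https://idp.example.com/siteminder" IssueInstant="2008-03-01T12:00:00Z">
  <saml:Conditions NotBefore="2008-03-01T12:00:00Z" NotOnOrAfter="2008-03-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://am.example.com/sp</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
</saml:Assertion>"""

if __name__ == "__main__":
    now = parse_saml_time("2008-03-01T12:02:00Z")
    for sample in (SAML2_SAMPLE, SAML11_SAMPLE):
        info = inspect_assertion(sample)
        print(info["version"], info["issuer"],
              compatibility_problems(info, {"2.0"}, "https://am.example.com/sp", now) or "ok")
```

Run it against an assertion exported from the new issuer's test environment and compare the reported version with what the consuming Access Manager instance is configured for; a version mismatch shows up here as a plain message rather than as an opaque failure in the consumer's debug log.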
-
Securing web services with Sun Access Manager
Hi!
I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: To install some kind of plugin into WLS or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
My questions are:
1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
2) Are there any documentation/tutorials/etc?
Thanks in advance :-)
Anders
what you need is a webservices agent that would enable you to "protect" your webservice provider, which I assume is on a BEA weblogic provider.
the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is "NOT" a webservices agent, but a normal J2EE policy agent.
So.. having said that. here's what I'd recommend.
1. install the webservices agent on bea weblogic. (note: NOT the J2EE policy agent)
2. configure it to use your access manager instance for authentication.
3. configure your webservices client to use the webservice provider. (note: you'd need the webservices APIs available on the client too... so the quick dirty method would be to install the webservices agent on your client too....) you can later bundle the webservices client independently and provide your "customers" with a webservices client bundle...
4. voila... your webservices are now "protected" by access manager ;-) -
Sun Access Manager Event Sequence
I have a third party black box piece of hardware that is redirecting browser requests to my server for authentication. I want to utilize the Sun Access Manager to perform these authentications. Do I need to use the Policy Agent, or should I attempt to communicate directly with the Access Manager? What benefit will I gain from including the Policy Agent into the mix?
If I don't use the policy agent, here is the sequence of events as I understand them:
1) Browser hits Black Box (BB) for protected information.
2) BB redirects the browser to me.
3) Browser sends me a SAML snippet. I decode and inflate the snippet, then send it off to the access manager (AM).
4) The AM throws an invalid id exception because the user has never logged in.
5) I catch the invalid id exception, and redirect the browser to the AM login URL. The user enters a valid id and password and hits submit.
6) ... ?
Is this correct up to step 5, and what happens after step 5? Any hints would be greatly appreciated.
Okay, never mind then.
-
Hi all,
i am developing a sample application using sun access manager. It would be very helpful if anyone could help me out in giving some code examples and help me out in developing a sample web app. I have to use the oracle database to get the users and roles. If anyone could post me some sample code for the same it would be really great of u..
Thanx in advance,
Sidharth
ya that's right.....i tried the purejaasexample given in that...and it worked...but my problem is that....suppose i create an user in my db and then when his authentication is succeeded then can i know from the console who has logged in and all...tell me what is the best example i can try from the samples directory....
basically i want to create a sample application using sun access manager and implement it in one of our company's big app -
Sun Access Manager - Authentication Error
Hello everyone,
I'm trying to configure Sun Access Manager 7.0 with sun web server 6.1 and directory server 5.2 on windows xp.
I'm getting the following error when I try to login with uid=amAdmin
"Permission to perform the read operation denied to uid=amAdmin,ou=People,dc=example,dc=com"
I do not see any errors from the debug files. Could anyone help me in fixing this problem.
Thanks in advance,
-krishna
Is your AM log level set to message? If not, set to message and retest. You should get output in your debug logs.
On the agent side, set your logging to all:5 -
Integrate IdM roles with Sun Access Manager roles
Hi all,
I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
What are the important differences between static and dynamic roles in AM?
Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
Thanks.
I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
About directory server roles:
http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
Forum thread reference:
http://forums.sun.com/thread.jspa?threadID=5208694
Here are roughly the steps I followed to get this working.
Access Manager roles setup:
1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
Identity Manager roles setup:
1. Create a new role in Identity Manager: tab Roles, click New....
2. Assign the LDAP resource to synchronize the role with.
3. On the Assigned Resources line, click the Set Attributes Values button. This shows up the attributes listing allowing you to bind your IdM role to your LDAP repository.
4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
* In the column Value override, select Text.
* In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
* In the text box, enter the role DN text (ex: cn=test_role,dc=com).
5. Save the role. You can now add the role to a user.
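An added worked model of what step 4 does to the user entry (this is not code from the original poster, and the user and role DNs are constructed): it computes the nsRoleDN values that result under "clear existing" versus a plain merge, and prints the LDIF that would make the same change with ldapmodify. The "clear existing" behaviour is modelled as replacing every current value, which is exactly the multi-valued case the post flags as uncertain.

```python
"""Model of how an IdM role assignment lands in the nsRoleDN attribute of the user
entry in the Directory Server that Access Manager reads, and the LDIF that expresses it.
All DNs here are constructed placeholders."""


def normalize_dn(dn):
    """Directory Server matches DNs case-insensitively and ignores whitespace after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def resulting_role_dns(existing, role_dn, clear_existing):
    """nsRoleDN values after the assignment.

    clear_existing=True  models 'Authoritative merge with value, clear existing' as
                         "the attribute afterwards holds only the IdM-supplied value",
                         so a role the user was given outside IdM is dropped (assumption).
    clear_existing=False models a plain merge: the value is added, other values are kept.
    """
    if clear_existing:
        return [role_dn]
    present = {normalize_dn(v) for v in existing}
    if normalize_dn(role_dn) in present:
        return list(existing)
    return list(existing) + [role_dn]


def ldif_for_assignment(user_dn, existing, role_dn, clear_existing):
    """LDIF 'changetype: modify' record taking the entry from `existing` to the result;
    returns an empty string when there is nothing to change."""
    wanted = resulting_role_dns(existing, role_dn, clear_existing)
    lines = ["dn: %s" % user_dn, "changetype: modify"]
    if clear_existing:
        # replace discards every current value and sets exactly the listed ones
        lines.append("replace: nsRoleDN")
        lines.extend("nsRoleDN: %s" % v for v in wanted)
    else:
        present = {normalize_dn(e) for e in existing}
        added = [v for v in wanted if normalize_dn(v) not in present]
        if not added:
            return ""
        lines.append("add: nsRoleDN")
        lines.extend("nsRoleDN: %s" % v for v in added)
    lines.append("-")
    return "\n".join(lines) + "\n"


def has_role(role_dns, role_dn):
    """Membership test the way the directory evaluates a managed role: a DN match on nsRoleDN."""
    return normalize_dn(role_dn) in {normalize_dn(v) for v in role_dns}


if __name__ == "__main__":
    user = "uid=jdoe,ou=People,dc=example,dc=com"
    current = ["cn=finance_role,dc=example,dc=com"]   # a role granted outside IdM
    new_role = "cn=test_role,dc=example,dc=com"        # the AM static role from step 1
    print(ldif_for_assignment(user, current, new_role, clear_existing=True))
    print(ldif_for_assignment(user, current, new_role, clear_existing=False))
```

Running it prints the two LDIF records side by side; the difference between `replace:` and `add:` is the difference between the two "How to set" choices, and it is why a user with roles assigned from more than one source can silently lose one after an IdM sync. A static AM role needs this attribute write; a dynamic AM role is computed from an LDAP filter instead and needs none.
-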
HELP GETTING Started with Sun Access Manager without TEARS.
I am new to Sun Access Manager.
I am quite familiar with how Sun Java Identity Manager works.
The following is the issue I am facing.
I've downloaded the following images from the sun website
java_es_05Q4-ga1-solaris-x86-1-iso
and
java_es_05Q4-ga1-solaris-x86-2-iso
I've installed the components on sun solaris 10
The following components were installed
/opt/SUNWcomds
I am not sure what this is for
/opt/SUNWdsvmn
I am not sure what it is.
/opt/SUNWma
What is this? I was expecting SUNWam, the access management software!
/opt/SUNWwbsvr -- This is the Web Server.
I know how to use it.
Can anyone tell me on how to go about it?
Is there any online tutorial for the same.
What is the difference between the sparc version and x86? Can I use any of these on solaris 10?
Any help getting started would be highly appreciated.
I am looking at doing the following things.
ssl,fed, auth, custauth etc
Thanks a ton in Advance.
Regards,
Vinod
I documented my installation procedure for Access Manager 7.0 (2005Q4) and Portal 7.0. Take a look at my wiki page:
http://wiki.its.queensu.ca/display/JES/Access+Manager+installation
It's a two node Access manager Legacy site and I also implemented session-failover using Message Queue and Berkeley Database. -
BO Authentication with Sun Access Manager
Post Author: aboucher
CA Forum: Authentication
Hi,
Is there a way to use Sun Access Manager (Role base) with BO. We are using XIR2 but we are willing to move to XIR3 if this version can do this job. I know that BO can be configured with LDAP, AD, Enterprise but is there a Custom choice. Any idea?
Thanks
Post Author: TAZ
CA Forum: Authentication
So quickly reviewing sun access manager it doesn't seem to be an LDAP server per se. It's more like a portal used for SSO. If that's the case then you would integrate LDAP accounts and then use technology like trusted authentication for SSO from the sun access manager portal. In that case trusted auth will support just about any front end as long as the user info can be forwarded to us in one of 7 methods. You can read more about trusted authentication in the XIR2 deployment guide
http://support.businessobjects.com/documentation/product_guides/default.asp
Integrations of this level typically involve in-depth planning and should probably be done with the assistance of a BO consultant.
Regards,
Tim -
Integrating windows authentication with Sun ACCESS MANAGER
Hi,
I have implemented sun access manager and successfully protected an application (ABC). At present I am using the SDS as the authentication and authorization directory. I log in to the machine using the network username and password which is on AD.
I want to integrate my authentication/authorization mechanism from SDS to AD, so that when I log in to the machine and open application ABC it should not ask me for the credentials; instead allow me to the homepage directly.
How to do this.
Thanks in advance
Maruthi
Hi!
Maybe this helps you, it describes how to setup AM and policy agent to handle basic authentication protected sites. While the article is about sharepoint it should work for any application.
http://developers.sun.com/identity/reference/techart/sharepoint.html
Christoph -
How to check amsilent file in Sun Access manager patch or redeploying WAR's
I had a hard time getting all the passwords correct, so I wrote a shell (bash) script that uses most passwords and other parameters in searches and queries. It lets you know before you start if a value is wrong. It does not change anything, only queries.
h2. One pitfall I found ...
during the postinstall of patch 05. I told Sun about it, but I suspect it was too late and is also an issue with patch 06:
Look at the documentation regarding amconfig and the amsilent file:
http://docs.sun.com/app/docs/doc/819-2137/adsav?l=en&q=amconfig&a=view
Two problems that are clear to me now:
1. ADMINPASSWD in practice, this password is used for cn=puser, not amadmin as it says. Perhaps there is something that makes them the same. It was the same for me, so it probably does not matter.
2. AS81_ADMINPASSWD is not the same as ADMINPASSWD using either my definition or the document's definition. However, in the amsilent template, it is set like this, which I found is incorrect and the cause of my recent hair loss:
AS81_ADMINPASSWD="$ADMINPASSWD"
Also, this one if you use the web server:
WL8_PASSWORD="$ADMINPASSWD"
Delete the $ADMINPASSWD and replace it with the password for the app/web server.
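To catch that template pitfall before running amconfig at all, here is an added offline check in Python (it is not the poster's script and not a Sun tool). It reads an amsilent file the way the shell does, KEY="value" lines with $VAR references expanded left to right, and reports an app/web server password that is only a copy of ADMINPASSWD, either literally via "$ADMINPASSWD" or by having the same resolved value. The parameter names ADMINPASSWD, AS81_ADMINPASSWD and WL8_PASSWORD are the ones named in the post; the two amsilent fragments and their placeholder values are constructed.

```python
"""Offline lint of an amsilent file for the AS81_ADMINPASSWD / WL8_PASSWORD template pitfall.
The file is parsed, never sourced, so nothing is executed and no password leaves this process.
Sample fragments at the bottom are constructed; their values are placeholders."""
import re

ASSIGN = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")

# Passwords that must belong to the app/web server, not be the AM admin password
APPSERVER_PASSWORD_KEYS = ("AS81_ADMINPASSWD", "WL8_PASSWORD")


def parse_amsilent(text):
    """Return (raw, resolved): values as written, and with $VAR references expanded."""
    raw, resolved = {}, {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        single_quoted = len(value) >= 2 and value[0] == value[-1] == "'"
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        raw[key] = value
        # single quotes suppress expansion; an unknown variable expands to "" as in sh
        resolved[key] = value if single_quoted else VAR_REF.sub(
            lambda mm: resolved.get(mm.group(1), ""), value)
    return raw, resolved


def check_amsilent(text):
    """Return a list of findings; an empty list means the checked passwords look sane."""
    raw, env = parse_amsilent(text)
    findings = []
    admin = env.get("ADMINPASSWD", "")
    if not admin:
        findings.append("ADMINPASSWD is empty or unset")
    for key in APPSERVER_PASSWORD_KEYS:
        if key not in raw:
            continue                       # not every deployment uses both servers
        if "ADMINPASSWD" in VAR_REF.findall(raw[key]):
            findings.append("%s copies $ADMINPASSWD (template default); set it to the "
                            "app/web server password instead" % key)
        elif env[key] == "":
            findings.append("%s resolves to an empty string" % key)
        elif admin and env[key] == admin:
            findings.append("%s has the same value as ADMINPASSWD; use a distinct "
                            "app/web server password" % key)
    return findings


# Constructed amsilent fragments (values are placeholders, not real passwords).
TEMPLATE_AS_SHIPPED = '''# AM admin password
ADMINPASSWD="admin-placeholder"
AMLDAPUSERPASSWD="ldap-placeholder"
AS81_ADMINPASSWD="$ADMINPASSWD"
WL8_PASSWORD="admin-placeholder"
'''

CORRECTED = '''ADMINPASSWD="admin-placeholder"
AMLDAPUSERPASSWD="ldap-placeholder"
AS81_ADMINPASSWD="appserver-placeholder"
WL8_PASSWORD="webserver-placeholder"
'''

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                  # e.g. python checkamsilent_lint.py /opt/SUNWam/amsilent
        with open(sys.argv[1]) as fh:
            print(check_amsilent(fh.read()) or ["ok"])
    else:
        for name, text in (("shipped template", TEMPLATE_AS_SHIPPED), ("corrected", CORRECTED)):
            print(name, "->", check_amsilent(text) or ["ok"])
```

Because the file holds cleartext passwords, run this as the same user that owns amsilent and keep the file itself readable by root only; the check only reads it and prints parameter names, never the values.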
h2. The Script.
It tests for the above problem, but I just realized it does not check $ADMINPASSWD. If that is set incorrectly in your amsilent, you'll get errors immediately from amconfig, so no big deal. If you make improvements, please post a reply!
Paste this into a file named checkamsilent. LDAP and appserver must be running. It reads /opt/SUNWam/amsilent. Run it as root or use sudo:
sudo ./checkamsilent
#!/usr/bin/bash
# checkamsilent: read-only sanity checks of the values in /opt/SUNWam/amsilent.
# Run as root (the file holds cleartext passwords) with LDAP and the app server running.
# The LDAP port 3892 and the base DN dc=nsf,dc=gov below are this site's values; adjust them.
echo "This will test several important parameters of the amsilent file."
echo "Run this as root."

echo "### read in the amsilent parameters"
echo "source /opt/SUNWam/amsilent"
source /opt/SUNWam/amsilent

echo "### look for the *server port* in state LISTEN, otherwise it's not listening."
echo "netstat -a | grep $SERVER_PORT"
echo "--------------"
netstat -a | grep "$SERVER_PORT"
echo "--------------"
echo "."

echo "### *admin port* in state LISTEN, otherwise it's not listening."
echo "netstat -a | grep $ADMIN_PORT"
echo "--------------"
netstat -a | grep "$ADMIN_PORT"
echo "--------------"
echo "."

echo "### Expect to see a line of XML, otherwise the SERVER_PORT is incorrect in the amsilent file."
echo "grep $SERVER_PORT ${AS81_INSTANCE_DIR}/config/domain.xml"
echo "--------------"
grep "$SERVER_PORT" "${AS81_INSTANCE_DIR}/config/domain.xml"
echo "--------------"
echo "."

echo "### Expect to see a line of XML, otherwise the ADMIN_PORT is incorrect in the amsilent file."
echo "grep $ADMIN_PORT ${AS81_INSTANCE_DIR}/config/domain.xml"
echo "--------------"
grep "$ADMIN_PORT" "${AS81_INSTANCE_DIR}/config/domain.xml"
echo "--------------"
echo "."

# Passwords are passed with -w so the checks stay non-interactive. They are masked in the
# echoed commands, and are visible in the process list only while each command runs.
echo "### bind as the directory manager"
echo "ldapsearch -v -h $DS_HOST -p 3892 -L -s sub -D \"$DS_DIRMGRDN\" -w '***' -b 'dc=nsf, dc=gov' \"cn=amldapuser\""
ldapsearch -v -h "$DS_HOST" -p 3892 -L -s sub -D "$DS_DIRMGRDN" -w "$DS_DIRMGRPASSWD" -b 'dc=nsf, dc=gov' "cn=amldapuser"
echo "."

echo "### check the amldapuser password."
echo "ldapsearch -w '***' -v -h $DS_HOST -p 3892 -L -s sub -D \"cn=amldapuser,ou=DSAME Users,dc=nsf,dc=gov\" -b \"ou=DSAME Users,dc=nsf,dc=gov\" \"cn=*\" cn"
ldapsearch -w "$AMLDAPUSERPASSWD" -v -h "$DS_HOST" -p 3892 -L -s sub -D "cn=amldapuser,ou=DSAME Users,dc=nsf,dc=gov" -b "ou=DSAME Users,dc=nsf,dc=gov" "cn=*" cn
echo "."

echo "### check the app server admin: AS81_ADMIN password: AS81_ADMINPASSWD and port: ADMIN_PORT"
echo "### That's actually a bug in the template."
echo "### Do not use AS81_ADMINPASSWD=\$ADMINPASSWD. Make sure they are different passwords! Don't use the default!"
echo "Expect to see a WARNING about the --password option."
echo "/opt/SUNWappserver/appserver/bin/asadmin list-http-listeners --user $AS81_ADMIN --port $ADMIN_PORT -w '***'"
/opt/SUNWappserver/appserver/bin/asadmin list-http-listeners --user "$AS81_ADMIN" --port "$ADMIN_PORT" -w "$AS81_ADMINPASSWD"
echo "done!"
-
I changed the product machine from LG Optimus to Samsung Galaxy but the file writing is not working, too.
I copied the source code from Adobe website about FileStream but it is needless too.
-----------------program code------------------------
import flash.filesystem.*;
import flash.filesystem.FileStream;
import flash.events.Event;
import flash.events.MouseEvent;

// txtFld is a standard textField component
txtFld.text = "Start";
var file:File = new File();

// btnSaveFile is a standard button component
btnSaveFile.addEventListener(MouseEvent.CLICK, handlerBtnSaveFile);

function handlerBtnSaveFile(e:Event):void {
    txtFld.text = "Pressed";
    // write test.txt into the user's documents directory
    file = File.documentsDirectory;
    file = file.resolvePath("test.txt");
    var fileStream:FileStream = new FileStream();
    fileStream.openAsync(file, FileMode.WRITE);
    fileStream.writeUTFBytes("Hello");
    txtFld.text = file.nativePath.toString();
    //fileStream.addEventListener(Event.CLOSE, fileClosed);
    fileStream.close();
    fcnFileName();
}

function fcnFileName():void {
    txtFld.text = file.name.toString();
}

function fileClosed(event:Event):void {
    trace("closed");
    txtFld.text = "FileClosed";
}
-
Does sun provide a training for sun access manager customizations
Hi,
Is there any training available from sun for sun access manager customizations.
I am aware of the following training from sun AM-3480
TIA,
Suresh
Hi, Suresh,
There's some material about customization in AM-3480. What areas are you interested in?
Regards,
David -
Getting error while opening Sun access manager console
We are facing a problem while accessing the console of Sun Access Manager. We get a No Page Found error whenever we try to access the Sun Access Manager console. We have tried restarting the directory server and web server but even that doesn't help us. Following are the errors that get recorded in log files:-
ERROR: AuthD init() com.iplanet.dpro.session.SessionException: AuthD failed to get auth session
ERROR: Error creating service session java.lang.NullPointerException
The ns-slapd.exe process belongs to the Directory Server. You should therefore check if your DS instance is set up properly.
Michael -
Policy Agent doesn't reset Sun Access Manager session time idle value
Hi,
We have the following setup in our environment:
- apache web server/web and policy agent 2.2 for apache 2.0.54
- webmethods portal server (jetty)
- Sun Access Manager (with Sun Directory Server)
We use policy agent for authentication purpose only (via Sun Access Manager/LDAP) when the users access the portal. We have custom code that creates session in Sun Access Manager for custom LDAP services. For testing purpose, we configure SAM session to have Max Session Timeout at 120mins and Time Idle at 15mins. I would assume that, after the initial login request, for all subsequent accesses to the portal the policy agent should intercept the request and reset the Time Idle value of SAM session. However, when I monitor time idle value using SAM console, session tab, the time idle value didn't change when the portal user access pages, submit actions, etc. I can see in the debug log of policy agent that requests are being intercepted/processed, but the time idle didn't get reset.
Does anyone know if this is a bug in configuration or in policy agent itself or am I making the wrong assumption?
Thanks a lot for the help.
Thanks for the reply, Shivaram. The issue appears to occur at random times, not accurately at the 3 min interval as you mention. I tested changing this value to 1; theoretically, after 1 minute of idle time, accessing a link would make the agent reset the time idle value for the user session in SAM, but it didn't even after 3 minutes. This seems to be either a policy agent or system access manager bug.
We performed a 'vanilla' test using the apache server manual pages (only plain HTML, no POST requests); the pages are protected by the policy agent. At the first login, we were prompted to enter credentials to be validated by SAM/LDAP, and then a user session is created in the SAM session table. We browsed around the manual pages; once in a while, certain pages cause the policy agent to reset the time idle. However, revisiting these links after a few minutes doesn't reset the idle value. The caching setting has been disabled as well. Could the presence or lack of some settings in AMConfig.properties or AMAgent.properties have caused this behavior?
Thanks for all your help, -
Migration from iplanet webserver to Sun Directory Server
Hi,
I have Oracle iPlanet WebServer Enterprise edition V6.0 SP2 in my dev environment. I would want to migrate the system to Sun Java System Directory Server V6.0. I have looked up the migration guide for Sun DS V6.0. But I could not find any reference to iPlanet WebServers.
Can anybody please let me know the migration procedure for migrating from iPlanet Server to Sun Directory server.
Any help would be appreciated
Thank you
Nowfal
Please ignore this question since we have dropped the plan to migrate, and instead set up a new DS instance from the beginning