Please help me about Sun Access Manager . . .

Similar Messages

• Problems about Sun Access Manager

  when I using Sun Access Manager, I found It is very slowly to access "http://host:ip/amserver" , but I also using OpenSSO, It is normal to access "http://host:ip/amserver".
  Can anyone give any suggestions ?
  Best Regards!

  Hi,
  I added a page to the wiki which adds more detail to the steps to create the sample app policies on the am/fam/opensso server console UI. This includes some screen shots as well.
  This is one good thing about the sample app is that you have to learn to install the opensso server, install the agent, configure the agents properties for the sample app security and also use the opensso server UI to create policies.
  It is a bit of work, but when done you will know how to use a lot of opensso features.
  You do not need a directory server. The sample app readme refers to some directory things that really can be ignored. The wording should be changed.
  Anyhow you can use this wiki page along with the readme to help you set up the policies, the subjects etc that map to the sample app
  http://wikis.sun.com/display/OpenSSO/samplepolicy
  I will try to make a getting started page for new users, though you have done most the steps now, and need to set up sample. But this page might be useful for others who want to get started http://wikis.sun.com/display/OpenSSO/getstarted
  hth,
  Sean

• Securing web services with Sun Access Manager

  Hi!
  I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
  What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: To install some kind of plugin into WLS or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
  I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
  I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
  My questions are:
  1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
  2) Are there any documentation/tutorials/etc?
  Thanks in advance :-)
  Anders

  what you need is a webservices agent that would enable you to "protect" your webservice provider, which I assume is on a BEA weblogic provider.
  the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is "NOT" awebservices agent, but a normal J2EE policy agent.
  So.. having said that. here's what I'd recommend.
  1. install the webservices agent on bea weblogic. (note: NOT the J2EE policy agent)
  2. configure it to use your access manager instance for authentication.
  3. configure your webservices client to use the webservice provider. (note: you'd need the webservices APi's available on the client too... so the quick dirty method would be to install the webservices agent on your client too....) you can later bundle the webservices client independently and provide your"customers" with a webservices client bundle...
  4. voila... your webservices are not "protected" by acces manager ;-)

• HELP GETTING Started with Sun Access Manager without TEARS.

  I am new to Sun Access Manager.
  I am quite familiar with how Sun Java Identity Manager works.
  The following is the issue I am facing.
  I've downloaded the following images from the sun website
  java_es_05Q4-ga1-solaris-x86-1-iso
  and
  java_es_05Q4-ga1-solaris-x86-2-iso
  I've installed the components on sun solaris 10
  The following components were installed
  /opt/SUNWcomds
  I am not sure what this is for
  /opt/SUNWdsvmn
  I am not sure what it is.
  /opt/SUNWma
  What is this I was expecting SUNWam the access management software!
  /opt/SUNWwbsvr -- This is the Web Server.
  I know how to use it.
  Can anyone tell me on how to go about it?
  Is there any online tutorial for the same.
  What is the difference between sparc version and x86. Can i use any of these on solaris 10?
  Anyhelp getting started would be highly appreciated.
  I am looking at doing the following things.
  ssl,fed, auth, custauth etc
  Thanks a ton in Advance.
  Regards,
  Vinod

  I documented my installation procedure for Access Manager 7.0 (2005Q4) and Portal 7.0. Take a look at my wiki page:
  http://wiki.its.queensu.ca/display/JES/Access+Manager+installation
  It's a two node Access manager Legacy site and I also implemented session-failover using Message Queue and Berkeley Database.

• Configuring IIS6.0 with Sun Access manager

  As I am new to Sun java Access manager .I have installed and configured the Sun Access manager 7.1 on Tomcat and able to login to the console also.Now I am looking to configure the web application which resides in IIS 6.0 with Sun Access manager,To do this are there any documents about how to configure the Windows IIS 6.0Policy agent with Sun Accessmanager?In the Sun website I didnt see any document related to this configuration,could anyone please help how to work on this?
  Thanks in advance.

  http://docs.sun.com/app/docs/doc/819-4771?l=en
  should give you all the information you need. For server changes like policy refer to AM 7.1 docs on docs.sun.com

• Log file size in Sun Access Manager

  Does anyone have an idea about the how the Sun Access Manager's log file size will increase in size with respective to the actions performed?
  Can someone give a data regarding this? If someone has a better scenario and the supportive data w.r.t log file size it will be helpful.
  Thanks,

  I would like to take the log files backup daily (for future reference).
  I need to know the following:
  1) What log files need to be backup? Do I need to take all am*.* files (It will be around 3.5 GB in size)?
  2) Ideally, I believe that only few MB of data goes into these am*.* files but, I cannot store every day 3.5 + GB of logs
  3) I observed that these files (am*.* have every days activity added to them), So I would like to enable the Log rotation
  Please let me know how can I proceed.
  Thanks

• Sun Access Manager 2005Q1 session failover is not working

  Hi All
  I m using Sun access manager 2005Q1,message queue 2005Q1, Sun Directory server 5.2 ,BerkelyDb 4.2.52 and radware hardware load balancer with sticky session.
  I m have configured message queue and BerkeleyDB and both are running with any error.
  I m using http://docs.sun.com/source/817-7644/ch5_scenarios.html#wp41008 doc for session failover.
  Simple failover is working fine but the Session failover is not working.
  Any body has done session failover with Sun Access manager 2005 Q1 I m trying to resolve this issue last two month.
  Please it is urgent.

  It works fine in 2005Q4, after applying a patch 120954 if I am not mistaken. But 2005Q4 and 2005Q1 are probably different in terms of session failover (site configuration etc.)
  1. Stop both AM servers
  2. Set logging to debug mode in AMConfig.properties.
  3. Delete / move everything in /var/opt/SUNWam/debug
  4. tail -f /var/opt/SUNWam/debug/amSession
  5. Post that file here... you should be able to see if session failover is enabled etc....
  hope this helps.

• Integrating windows authentication with Sun ACCESS MANAGER

  Hi,
  I have implemented sun access manager and successfully protected an application (ABC). At present iam using the SDS as the authentication and authorization directory. I login in to the machine using the network username and password which is on AD.
  I want to integrate my authentication/authorization mechanism from SDS to AD. so that when i login into the machine and open application ABC it should not ask me for the credentials; instead allow me to the homepage directly.
  How to do this.
  Thanks in advance
  Maruthi

  Hi!
  Maybe this helps you, it describes how to setup AM and policy agent to handle basic authentication protected sites. While the article is about sharepoint it should work for any application.
  http://developers.sun.com/identity/reference/techart/sharepoint.html
  Christoph

• How to configura multiple ldap server to the sun access manager

  Hi,
  please help how to configure multiple ldap server to the sun access manager, for example access manager does't find the user in ldap1 then it should search in ldap2.
  Thanks
  Mouli

  There�s no need for deleting the default amSDK based datastore because it�s needed for some default accounts.
  You may try to create the datastore using the commandline (amadmin)
  Have a look /etc/opt/SUNWam/config/xml/idRepoService.xml
  You may also try to create amadmin account in the external ldap directory.
  (Un)fortunately i�ve never tried to remove the default datastore.
  -Bernhard

• How to check amsilent file in Sun Access manager patch or redeploying WAR's

  h1. How to check amsilent file in Sun Access manager patch or redeploying WAR's
  I had a hard time getting all the passwords correct, so I wrote a shell (bash) script that uses most passwords and other parameters in searches and queries. It let's you know before you start if a value is wrong. It does not change anything, only queries.
  h2. One pitfall I found ...
  during the postinstall of patch 05. I told Sun about it, but I suspect it was too late and is also an issue with patch 06:
  Look at the documentation regarding amconfig and the amsilent file:
  http://docs.sun.com/app/docs/doc/819-2137/adsav?l=en&q=amconfig&a=view
  Two problems that are clear to me now:
  1. ADMINPASSWD in practice, this password is used for cn=puser, not amadmin as it says. Perhaps there is something that makes them the same. It was the same for me, so it probably does not matter.
  2. AS81_ADMINPASSWD is not the same as ADMINPASSWD using either my definition or the document's definition. However, in the amsilent template, it is set like this, which I found is incorrect and the cause of my recent hair loss:
  <blockquote>AS81_ADMINPASSWD="$ADMINPASSWD"</blockquote>
  Also, this one if you use the web server:
  <blockquote>WL8_PASSWORD="$ADMINPASSWD"</blockquote>
  Delete the $ADMINPASSWD and replace it with the password for the app/web server.
  h2. The Script.
  It tests for the above problem, but I just realized it does not check $ADMINPASSWD. If that is set incorrectly in your amsilent, you'll get errors immediately from amconfig, so no big deal. If you make improvements, please post a reply!
  Paste this into a file named checkamsilent. LDAP and appserver must be running. It reads /opt/SUNWam/amsilent. Run it as root or use sudo:
  sudo ./checkamsilent
  #!/usr/bin/bash
          echo "This will test several important parameters of the amsilent file "
          echo "run this as root."
          echo "### read in the amsilent parameters"
          echo "source /opt/SUNWam/amsilent  "
  source /opt/SUNWam/amsilent
          echo "### look for the *server port* with LISTNER, otherwise it's not listening. "
          echo "netstat -a | grep $SERVER_PORT    "
          echo "--------------"
  netstat -a | grep $SERVER_PORT  
          echo "--------------"
          echo "."
          echo "### *admin port* with LISTNER, otherwise it's not listening. "
          echo "netstat -a | grep $ADMIN_PORT   "
          echo "--------------"
  netstat -a | grep $ADMIN_PORT 
          echo "--------------"
          echo "."
          echo "### Expect to see a line of XML, otherwise the SERVER_PORT is incorrect in the amsilent file."
          echo "grep $SERVER_PORT  ${AS81_INSTANCE_DIR}/config/domain.xml  "
          echo "--------------"
  grep $SERVER_PORT  ${AS81_INSTANCE_DIR}/config/domain.xml
          echo "--------------"
          echo "."
          echo "### Expect to see a line of XML, otherwise the ADMIN_PORT is incorrect in the amsilent file."
          echo "grep $ADMIN_PORT  ${AS81_INSTANCE_DIR}/config/domain.xml "
          echo "--------------"
  grep $ADMIN_PORT  ${AS81_INSTANCE_DIR}/config/domain.xml
          echo "--------------"
          echo "."
          echo "### bind as the directory manager "
          echo "ldapsearch -v -h $DS_HOST -p 3892  -L -s sub -D \"$DS_DIRMGRDN\" -w \"$DS_DIRMGRPASSWD\" -b 'dc=nsf, dc=gov' \"cn=amldapuser\"" 
  ldapsearch -v -h $DS_HOST -p 3892  -L -s sub -D "$DS_DIRMGRDN" -w "$DS_DIRMGRPASSWD" -b 'dc=nsf, dc=gov' "cn=amldapuser" 
          echo "."
          echo "### check the amldapuser password. "
          echo "ldapsearch -w $AMLDAPUSERPASSWD -v -h $DS_HOST -p 3892  -L -s sub -D cn=amldapuser,ou=DSAME Users,dc=nsf,dc=gov -b ou=DSAME Users,dc=nsf,dc=gov cn=* cn  "
  ldapsearch -w "$AMLDAPUSERPASSWD" -v -h $DS_HOST -p 3892  -L -s sub -D "cn=amldapuser,ou=DSAME Users,dc=nsf,dc=gov" -b "ou=DSAME Users,dc=nsf,dc=gov" cn=* cn
          echo "."
          echo "### check the app server admin: AS81_ADMIN password: AS81_ADMINPASSWD  and port: ADMIN_PORT "
       echo "### That's actually a bug in the template.  "
       echo "### Do not use AS81_ADMINPASSWD=\$ADMINPASSWD  Make sure they are  different passwords! Don\'t use the default!"
       echo "Expect to see a WARNING about --password option. "
          echo "/opt/SUNWappserver/appserver/bin/asadmin  list-http-listeners --user $AS81_ADMIN --port $ADMIN_PORT  -w $AS81_ADMINPASSWD  "
  /opt/SUNWappserver/appserver/bin/asadmin  list-http-listeners --user $AS81_ADMIN --port $ADMIN_PORT  -w "$AS81_ADMINPASSWD"
          echo "done!"

  I change the product machine from LG optimus to Samsung Galaxy but the file writing is not working, too.
  I copied the source code from Adobe website about FileStream  but it is needless too.
  -----------------program code------------------------
  import flash.filesystem.*;
  import flash.filesystem.FileStream;
  import flash.events.Event;
  //txtFld is a standard textField component
  txtFld.text = "Start";var file:File = new File();
  //btnSaveFile is a standard button component
  btnSaveFile.addEventListener(MouseEvent.CLICK,handlerBtnSaveFile);
  function handlerBtnSaveFile(e:Event){
  txtFld.text = "Pressed";
  file = File.documentsDirectory;
  file = file.resolvePath("test.txt");
  var fileStream:FileStream = new FileStream();
  fileStream.openAsync(file, FileMode.WRITE);
  fileStream.writeUTFBytes("Hello");
  txtFld.text = file.nativePath.toString();
  //fileStream.addEventListener(Event.CLOSE, fileClosed);
  fileStream.close();
  fcnFileName();
  function fcnFileName(){
  txtFld.text = file.name.toString();
  function fileClosed(event:Event):void {
      trace("closed");
  txtFld.text = "FileClosed";

• Getting error while opening Sun access manager console

  We are facing problem while accessing console of Sun Access Manager. We got No Page Found error whenever we try to access the Sun Access Manager console. We have tried restarting the directory server and web server but even that doesn�t help us. Following are the error that gets recorded in log files:-
  ERROR: AuthD init() com.iplanet.dpro.session.SessionException: AuthD failed to get auth session
  ERROR: Error creating service session java.lang.NullPointerException

  The ns-slapd.exe process belongs to the Directory Server. You should therefore check if your DS instance is set up properly.
  Michael

• Policy Agent doesn't reset Sun  Access Manager session time idle value

  Hi,
  We have the following setup in our environment:
  - apache web server/web and policy agent 2.2 for apache 2.0.54
  - webmethods portal server (jetty)
  -Sun Access Manager (with Sun Directory Server)
  We use policy agent for authentication purpose only (via Sun Access Manager/LDAP) when the users access the portal. We have custom code that creates session in Sun Access Manager for custom LDAP services. For testing purpose, we configure SAM session to have Max Session Timeout at 120mins and Time Idle at 15mins. I would assume that, after the initial login request, for all subsequent accesses to the portal the policy agent should intercept the request and reset the Time Idle value of SAM session. However, when I monitor time idle value using SAM console, session tab, the time idle value didn't change when the portal user access pages, submit actions, etc. I can see in the debug log of policy agent that requests are being intercepted/processed, but the time idle didn't get reset.
  Does anyone know if this is a bug in configuration or in policy agent itself or am I making the wrong assumption?
  Thanks a lot for the help.

  Thanks for the reply, Shivaram. The issue appears to occur at random time, not accurately at the 3 min interval as you mention. I tested changing this value to 1, theoretically, after one 1 minute of idle time, accessing a link would make the agent reset the time idle value for the user session in SAM, but it didn't even after 3 minutes. This seems to be either a policy agent or system access manager bug.
  We performed a 'vanilla' test using the apache server manual pages (only plain HTML, no POST requests), the pages are protected by the policy agent. At the first login, rwe were prompted to enter credential to be validated by SAM/LDAP, and then a user session is created in SAM session table. We browse around the manual pages, once in a while, certain pages cause the policy agent to reset the time idle. However, revisiting these links after a few minutes doesn't reset the idle value. Caching setting has been disable as well. Could there be or lack of some settings in AMConfig.properties or AMAgent.properties that might have caused this behavior?
  Thanks for all your help,

• Sun Access manager

  Hi all,
  i am developing a sample application using sun access manager.it would be very helpful if anyone could help me out in giving some code examples and help me out in developing a sample web app.I have to use the oracle database to get the users and roles.If anyine could post me some sample code for the same it would be really great of u..
  Thanx in advance,
  Sidharth

  ya thats right.....i tried the purejaasexample given in that...and it worked...but my problem is that....supppose i create an user in my db and then when his authntication is suceeded then can i know from the console who has logged in and all...tell me what is the best example i can try from the samples directory....
  basically i want to create a smaple application using sun access manager and implement it in one of our companys big app

• Sun Access Manager 7.1 configuration

  I am trying to configure Sun Access Manager 7.1 update 1 on websphere 6.1.0.11 running on windows 2003 server and am getting a crypt error on SunJCE. Any suggestions on how to fix this?
  The thread dump looks like this
  05/16/2008 11:22:00:509 AM EDT: Thread[WebContainer : 2,5,main]
  05/16/2008 11:22:00:509 AM EDT: Thread[WebContainer : 2,5,main]ERROR: Crypt: failed to set password-based key
  java.security.NoSuchProviderException: no such provider: SunJCE
  at sun.security.jca.GetInstance.getService(GetInstance.java:82)
  at javax.crypto.b.a(Unknown Source)
  at javax.crypto.SecretKeyFactory.getInstance(Unknown Source)
  at com.iplanet.services.util.JCEEncryption.setPassword(JCEEncryption.java:377)
  at com.iplanet.services.util.Crypt.createInstance(Crypt.java:139)
  at com.iplanet.services.util.Crypt.<clinit>(Crypt.java:103)
  at java.lang.J9VMInternals.initializeImpl(Native Method)
  at java.lang.J9VMInternals.initialize(J9VMInternals.java:192)
  at com.sun.identity.setup.ServicesDefaultValues.validatePassword(ServicesDefaultValues.java:396)
  at com.sun.identity.setup.ServicesDefaultValues.setServiceConfigValues(ServicesDefaultValues.java:107)
  at com.sun.identity.setup.AMSetupServlet.processRequest(AMSetupServlet.java:307)
  at com.ibm._jsp._configurator._jspService(_configurator.java:221)
  at com.ibm.ws.jsp.runtime.HttpJspBase.service(HttpJspBase.java:85)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
  at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:989)
  at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:930)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
  at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:89)
  at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
  at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:761)
  at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:673)
  at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:498)
  at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:464)
  at com.ibm.wsspi.webcontainer.servlet.GenericServletWrapper.handleRequest(GenericServletWrapper.java:122)
  at com.ibm.ws.jsp.webcontainerext.AbstractJSPExtensionServletWrapper.handleRequest(AbstractJSPExtensionServletWrapper.java:205)
  at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3276)
  at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:267)
  at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:811)
  at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1455)
  at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:113)
  at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:454)
  at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:383)
  at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:102)
  at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
  at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
  at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
  at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
  at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:195)
  at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:743)
  at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:873)
  at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1469)
  05/16/2008 11:22:00:509 AM EDT: Thread[WebContainer : 2,5,main]ERROR: JCEEncryption:: not yet initialized

  Have you followed the release notes instructions? There is one specifically about changing JCE:
  http://docs.sun.com/app/docs/doc/819-5899/gdpsl?a=view
  http://docs.sun.com/app/docs/doc/819-4683/gfvfl?a=view
  http://docs.sun.com/app/docs/doc/819-5899/gdxas?a=view
  shivaram

• Sun Access Manager login problem

  Hi,
  This is a very basic problem. I have installed Sun Access Manager 7 using JES installer. It is configured to authenticate against a LDAP datastore. I am able to login into the amconsole application using the amAdmin DN but I am not able to login with any other user that I create through Sun Access Manager.Any help will be highly appreciated.
  TIA.

  Hello,
  When you create any user through SUN Access Manager, is that user is created in LDAP
  datastore, or is it created in SAM flat file repository ?