Policy Agent 2.1 not redirect

PolicyAgent 2.1
Proxy Server: SunONE Proxy Server 3.6 SP6
Identity Server :6.1
OS : Solaris8
I installed PolicyAgent 2.1 to SunONE Proxy Server 3.6 SP6.
request to the proxy server
"GET /index.html HTTP/1.0"
is redirected to Identity Server
but request like
"GET / HTTP/1.0"
is not redirect to identity Server, i get
the respone from the Web Server instantly
Proxy Server is set up as a reverse proxy
is this a bug? or i miss some configuration?

http://www.sun.com/download/index.jsp?cat=Identity%20Management&tab=3&subcat=Policy%20Agents describes what PA are supported.
I know from my past experience that PA 2.1 works with AM 7.1 in Legacy mode but it is not supported.
If your application server or web container is not supported then you can always use PA 2.2 for Sun Java Web Proxy Server 4.0. In this case, you will to place SJWPS in front of your application and your application will be accessed via proxy server.
Vivek

Similar Messages

Policy Agent 3.0 for Tomcat - Cannot obtain Application SSO token

Hi
I am trying to configure Sun OpenSSO Enterprise Policy Agent 3.0 for Apache Tomcat Application Server 6.
After installing the Policy Agent, Tomcat is not starting.
The Error in the stack is :
=========
Jun 14, 2009 2:21:00 AM
org.apache.tomcat.util.digester.Digester startElement
SEVERE: Begin event threw error
java.lang.ExceptionInInitializerError
at
com.sun.identity.agents.arch.AgentConfiguration.bootStrapClientConfig
uration(AgentConfiguration.java:682)
Caused by:
com.sun.identity.security.AMSecurityPropertiesException:
AdminTokenAction: FATAL ERROR: Cannot obtain Application
SSO token.
Check AMConfig.properties for the following properties
com.sun.identity.agents.app.username
com.iplanet.am.service.password
at
com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:
258)
=========
There is no AMConfig.properties file. The Agent uses "OpenSSOAgentBootstrap.properties".
Is there a workaround for this issue ?
Cheers.

Hi,
I have the same Problem, did you come up with a solution for it?
thanks
Matrius

Policy Agent 2.0 redirect after auth

Versions:
Solaris 8
Identity Server 6.0
Policy Agent 2.0
Web Server: iWS 6.0
We are having a problem with redirecting users to a specific page after authentication.
Here is our scenario:
When a user tries to access a URL on our WS with the Policy Agent 2.0 installed, they get redirected to our login page on the Identity Server, which is fine.
The problem is that the original URL is appended in a "goto," and after successfully logging in, the user is redirected to the page in the "goto," and not our default success URL.
We are unable to force the user to a specific success URL after login.
Is there a way to prevent the "goto" from being called, or to force a specific success URL regardless of what is being called in the "goto".
We are unsure if this needs to occur in the setup of the organization in the IS, or if it needs to happen in the AMagent.properties file in the Policy Agent.
Please help!

Thanks for all replies.
Apache: There is nothing special in access_log and error_log. However, there is no problem to use policy agent on Solaris 2.9 + Apache 1.3.26.
IIS: The system path contains the right folder that holds the dll (i think that's done by the installation program), while the system was reboot several times but the situation didn't improve.
Thanks again.
Rgds.

Policy Agent 2.2, IIS 6.0, CDSSO and redirects after authentication

Hi
I've got a problem where a HTTP/1.1 200 and 302 are returned by the Policy Agent / Application, after the Javascripted POST by the CDCServlet content is performed.
The expected functionality is that the user is authenticated with the AM, the CDC Servlet serves the JavaScript page that will do a POST to the Policy Agent. The Policy Agent should then do what it needs to do with the POST, and forward request to the Application. The Application then does what it needs to do, and in this case, serves a HTTP/1.1 302 for redirection back to the browser.
However, it seems that the Policy Agent might be returning a HTTP/1.1 200, and setting the iPlanetDirectoryPro cookie, quickly followed by the HTTP/1.1 302 and the setting of whatever cookies it wants to set.
The Policy Agent should be respecting the return code of the Application. This problem does not appear when run against the Policy Agent for the Sun ONE Web Server.
Wondering if anyone has seen this before?
Here is sanitized output from a trace on the POST and resulting response.
POST /oslp/?sunwMethod=GET HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-au
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: sco88342744.corp.qed.qld.gov.au
Content-Length: 3496
Connection: Keep-Alive
Cache-Control: no-cache
X-ProcessAndThread: IEXPLORE.EXE [904; 2908]
LARES=<snip>
HTTP/1.1 200 OK
Date: Wed, 16 May 2007 22:25:42 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcz8tCfJ96AXxjIgRzuZJDgE7gMeTO0iIS4%3D%40AAJTSQACMDQ%3D%23;Path=/
HTTP/1.1 302 Found
Date: Wed, 16 May 2007 22:25:42 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 1.1.4322
Location: /oslp/user/signon.aspx
Set-Cookie: ASP.NET_SessionId=lh4sus55y1iy2r5514onnjuj; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 139
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='/oslp/user/signon.aspx'>here</a>.</h2>
</body></html>

Hi,
we had the same problem, but we got support
from readme.txt
Bug#: 6789020
Agent type: All Agents
Description: In CDSSO mode non enforced POST requests cannot be accessed
Bug#: 6736820
Agent type: IIS 6 Agent
Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
Both bugs should be fixed in this version:
Sun Java System Web Agents 2.2-02 hotpatch2

Policy agent using https redirect to AM for authentication

We are using Access Manager 6 2005Q1.
Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP)for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
Our load balancer is currently setup as active/failover because it does not support ssl with cookies.
In our AMAgent.properties file if I set 'com.sun.am.policy.am.loginURL = http://<lb-vip>:80/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>.
However, if I set 'com.sun.am.policy.am.loginURL = https://<lb-vip>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am NOT redirected to AM and receive 'Forbidden You don't have permission to access /<url> on this server. Also in the agent log file I see:
     2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: in_not_enforced_list():enforcing access control for https://<webserver>:443/<url>
     2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: am_web_is_access_allowed https://<webserver>:443/<url>S, GET) no sso token, setting status to invalid session.
     2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: Policy Agent: am_web_is_access_allowed returned status=invalid session
     2006-01-30 12:42:32.800 Warning 28126:203470 PolicyAgent: am_web_get_redirect_url() unable to find active Identity Server Auth server.
     2006-01-30 12:42:32.800 Info 28126:203470 PolicyAgent: do_redirect(): Status Code= invalid session.
Interestingly if I set 'com.sun.am.policy.am.loginURL = https://<am-server>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>. In this scenario the only difference is I am bypassing the load balancer.
Our networking people have monitored the load balancer in front of our AM boxes A/B and see the traffic going to AM in all cases.
From my standpoint it appears the agent is not able to successfully connect to AM via https when going through the load balancer.
Any help with this configuration issue is appreciated.

Bernhard,
From our AMAgent.properties... com.sun.am.policy.agents.version=2.1. Is there a way for me to tell if this is truely only 2.1 or 2.1-xx?
Because our LB does not support SSL with cookies we are currently configured as active/failover so all requests are going to the same AM server until it goes down, at which time I know users have to re-authenticate. Also we have set "com.sun.am.loadBalancer_enable = true" in AMAgent.properties.
We understand your point about loginURL. Infact there are two properties dealing with loginURL, com.sun.am.policy.am.loginURL and com.sun.am.policy.am.library.loginURL. Based on the comments in AMAgent.properties my understanding is that com.sun.am.policy.am.loginURL is where the user is redirected for login when no valid SSO token is found and com.sun.am.policy.am.library.loginURL is what the agent uses to authenticate itself "If the previously specified login URL must be exclusively used for redirecting users..." The interesting part is that if we set com.sun.am.policy.am.loginURL to use http everything works just fine, however if we set it to use https the user never gets redirected. Its almost like the agent is trying to connect there first before doing the redirect and can not.
Craig

IM 6.0 , Policy agent 2.2 , IIS 6.0 not working.

Friends,
I have been trying to communicate from windows 2003 server where the policy agent 2.2 is configured through IIS 6.0 and trying to connect to IM 6.0 on a Solaris 9.0 server in vain. The authentication mode is LDAP ( Sun one directory server version 5.2).
When we start up the IIS 6.0 and try to access the link ( for security reasons I cannot post the link here ) we do not get any logs on the IIS server. There are no logs found anywhere.However we are able to ping the server which hosts IM 6.0 from windows 2003 server.
Is there any best practice which we need to follow ? Could you guys help ?

Seems like you are missing the most important component, AM

URL Policy agent attributes - Not displayed

I installed a Policy Agent on a remote Web Server and pointed the policy agent to the Identity Server installed alongwith the Portal.
When I click on the Policy agent in the Identity Server console , it displays the following message
"There are no attributes to display for this entry".
How to obtain the attributes for the URL Policy Agent Service .Is this a problem concerning the IS . Can anyone throw light on this issue.
thanx in advance
raj

It's the way it supposed to be. There is no configurable attributes for this service.

Uninstall policy agent not working

I am attempting to uninstall the policy agent for SJS Web Server 6.1 on Solaris. (logged on as root, using a telnet session)
When I execute the ./uninstall_agent -nodisplay command I am getting a java exception (see below).
Any ideas on how I can work around this issue; I need to do the uninstall so I can install a new vrsion with a patch.
Thanks
Exception in thread "Thread-0" java.awt.HeadlessException:
No X11 DISPLAY variable was set, but this program performed an operation which requires it.
at java.awt.GraphicsEnvironment.checkHeadless(GraphicsEnvironment.java:159)
at java.awt.ScrollPane.<init>(ScrollPane.java:183)
at java.awt.ScrollPane.<init>(ScrollPane.java:170)
at com.iplanet.install.panels.common.VerifyPanel.run(VerifyPanel.java:283)
at com.iplanet.install.panels.common.VerifyPanel.beginDisplay(VerifyPanel.java:235)
at com.sun.wizards.core.IteratorLayout.setCurrentLeaf(IteratorLayout.java:580)
at com.sun.wizards.core.IteratorLayout.next(IteratorLayout.java:783)
at com.sun.wizards.core.WizardTreeManager.nextButtonPressed(WizardTreeManager.java:1198)
at com.sun.wizards.core.CommandLineConsole.run(CommandLineConsole.java:148)
at java.lang.Thread.run(Thread.java:595)

You can use non-GUI based unintallation option, or setup X-Windows (export DISPLAY=1pAddress:0.0) if you prefer GUI.

Load balancers with web servers & policy agents

I have a pair of host machines, hostA and hostB, running multiple web server instances, portalA, portalB, contentA, contentB, serviceA, serviceB, etc.
The two hosts, hostA and hostB, are sitting behind load balancers. ServiceA and serviceB must be protected by login and I have a policy agent installed on hostA and hostB for these two instances.
The load balancers respond to https://service/* and forward requests to http://serviceA:3456/* or http://serviceB:3456/* depending on the host selected by round-robin.
I've been told that serviceA and serviceB cannot be running on the default 443 port (although we could enable SSL if we wanted) in order to work nicely with the other web server instances that are behind the load balancers.
The problem is that the policy agent knows that it is running as http://serviceA:3456/.
The user makes a request to the load balancers for:
https://service/protected.html
The load balancer passes the request to:
http://serviceA:3456/protected.html
The agent sends a redirect to login which sends the user to:
http://service:3456/protected.html
This final URL is not available through the load balancers and it's obviously not the public URL.
I have fqdnDefault set to 'service.x.x' so the URL is rewritten to that extent. Is there a way to tell the agent that the port it's running on is not the public port (ie. that it's behind a NAT device)? Is there a way to tell the agent that it's should actually redirect to https and not http?

Hi,
CQ authoring does not leverage server side sessions, therefor you'll never loose data because of this.
But: As the cluster has a small delay on synchronisation, it could be, that on a write and subsequent read you'll get the old content, if you don't have sticky sessions (because both requests are not processed by the same server). Therefor I advise you to use sticky sessions in front of a CQ authoring cluster.
Jörg

No log for am policy agent for iis6

Hello!
Im trying to get Policy Agent for IIS to run on my Win Srv 2003 with IIS6 and Sharepoint Services.
I am running the OpenSSO version of Access Manager.
I have installed the agent and done the initial cofiguration.
When i try to browse the resource i get a login prompt (IIS Basic Auth)and cannot login followed by "Not Authorized 401.3"
I should get redirected to the AM Login page, shouldn't I?
I tried to look for answers in the log file but the /debug/<id> directory i empty.
Anyone know what to do?
The amAgent.properties file:
# $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Access Manager
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Access Manager will disable the SDK.
com.sun.am.cookie.name = iPlanetDirectoryPro
# The URL for the Access Manager Naming service.
com.sun.am.naming.url = http://login.lta.mil.se:8080/opensso/namingservice
# The URL of the login page on the Access Manager.
com.sun.am.policy.am.login.url = http://login.lta.mil.se:8080/opensso/UI/Login
# Name of the file to use for logging messages.
com.sun.am.policy.agents.config.local.log.file = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAgent
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
com.sun.am.policy.agents.config.local.log.rotate = true
# Name of the Access Manager log file to use for logging messages to
# Access Manager.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Access Manager.
com.sun.am.policy.agents.config.remote.log = amAuthLog.sharepoint.lta.mil.se.80
# Set the logging level for the specified logging categories.
# The format of the values is
# <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
# 0 Disable logging from specified module*
# 1 Log error messages
# 2 Log warning and error messages
# 3 Log info, warning, and error messages
# 4 Log debug, info, warning, and error messages
# 5 Like level 4, but with even more debugging messages
# 128 log url access to log file on AM server.
# 256 log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.log.level = 5
# The org, username and password for Agent to login to AM.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = PN4rEZ1uhx1404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslcert.dir = C:/Sun/Access_Manager/Agents/2.2/iis6/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certdb.prefix =
# Should agent trust all server certificates when Access Manager
# is running SSL?
# Possible values are true or false.
com.sun.am.trust_server_certs = true
# Should the policy SDK use the Access Manager notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notification.enable = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notification.url = http://sharepoint.lta.mil.se:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.url_comparison.case_ignore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.polling.interval=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the access manager. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userid.param=UserToken
# Profile attributes fetch mode
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organiz ational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
# Session attributes mode
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.session.attribute.map=
# Response Attribute Fetch Mode
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.response.attribute.map=
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.lb.cookie.name = GX_jst
# indicate where a load balancer is used for Access Manager
# services.
# true | false
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.config.version=2.2
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.config.audit.accesstype = LOG_BOTH
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = http://sharepoint.lta.mil.se:80/amagent
# Locale setting.
com.sun.am.policy.agents.config.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.config.instance.name = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.config.do_sso_only = true
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.config.accessdenied.url =
# This property indicates if FQDN checking is enabled or not.
com.sun.am.policy.agents.config.fqdn.check.enable = true
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
# com.sun.am.policy.agents.config.fqdn.map
com.sun.am.policy.agents.config.fqdn.default = sharepoint.lta.mil.se
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Access Manager policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.config.fqdn.map =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Access Manager for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
com.sun.am.policy.agents.config.cookie.reset.enable=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Access Manager.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.config.cookie.reset.list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
com.sun.am.policy.agents.config.cookie.domain.list=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.config.anonymous_user=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.config.anonymous_user.enable=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.config.notenforced_list.invert = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.config.notenforced_client_ip_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.config.postdata.preserve.enable = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url =
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.config.client_ip_validation.enable = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.config.logout.url=
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.config.logout.cookie.reset.list =
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Access Manager.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetch_from_root_resource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.config.get_client_host_name = true
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.config.convert_mbyte.enable = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.policy.agents.config.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port = true
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
com.sun.am.policy.agents.config.override_notification.url =
# The following property defines how long to wait in attempting
# to connect to an Access Manager AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active Access Manager Auth server"
com.sun.am.policy.agents.config.connection_timeout =
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# The three following properties are for IIS6 agent only.
# The two first properties allow to set a username and password that will be
# used by the authentication filter to pass the Windows challenge when the Basic
# Authentication option is selected in Microsoft IIS 6.0. The authentication
# filter is named amiis6auth.dll and is located in
# Agent_installation_directory/iis6/bin. It must be installed manually on
# the web site ("ISAPI Filters" tab in the properties of the web site).
# It must also be uninstalled manually when unintalling the agent.
# The last property defines the full path for the authentication filter log file.
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAuthFilter

If the agent doesnot start properly you would always get redirected to com.sun.am.policy.agents.config.accessdenied.url , if thats not specified you will get a 403.
For the agent itself check that the naming.url is correct. the agent username and passwords are correct, and see that the user has priviledges to write to the agent log files. Apart from these post the windows event logs.

Custom login page with Policy Agent 2.2 & Access Manager

Hi,
Im trying to set up policy agent 2.2 and Access Manager to use the login page of the application Im trying to secure. Im not sure if this is the correct forum or not so feel free to move this if need be.
Ive been using this link: http://docs.sun.com/source/816-6884-10/chapter3.html#wp25376 but it doesnt seem to make sense.
In my AMAgent.properties file Ive set up
com.sun.identity.agents.config.login.form[0]=/contextRoot/login/login.jsp to my login page and Ive also configured the web.xml for that application to use the login:
     <login-config>
          <auth-method>FORM</auth-method>
          <form-login-config>
               <form-login-page>/login/login.jsp</form-login-page>
               <form-error-page>/login/login.jsp</form-error-page>
          </form-login-config>
     </login-config>
When I try and access the login page Im redirected to the default access manager login page. I did notice in the AMProperties.xml file the following line:
com.sun.identity.agents.config.login.url[0] = http://amserverhost:80/amserver/UI/Login
It seems like I should change that to point to my login page but I didnt see any documentation supporting that. When I change that property to point to location of my login page, i get a redirect loop error.
When I remove the com.sun.identity.agents.config.login.form[0] property all together, I just get a resource restricted error.
Now when I configure the com.sun.identity.agents.config.login.form[0] property, set the config.login.url = to my login page AND set the com.sun.identity.agents.config.notenforced.uri[0] property equal to my login page (so the login page is no longer protected) I am able to see the login page
Is unrestricting the login page correct? Im able to access the login.jsp page directly and when I try and access protected resources Im redirected back to the login page so everything seems to be working correctly but Im not sure if this is the correct way.

Hi Neeraj,
I still have not been able to resolve that issue. Let me know If you find a solution for the same.
Thanks,
Srinivas

Policy Agent - HTTP login

Hello.
I was wondering if it's possible to somehow authenticate using HTTP Authentication mechanisms, like Basic or Digest authentication (probably over HHTPS) together with Policy Agent?
What I'm looking for is a mechanism that checks if the Identity Server Session Cookie is in the request, and if not, does a normal 401 response.
The browser can then resend the request straight away including user credentials.
This avoids a redirect to the Identity Server, which is a pain in the back side if the request is a large POST data upload or similar.
Anyone heard of something like this?
Regards,
Kyrre

Hi Charlie,
Thanks for the reply. Currently I have implemented permissions for UI elements like this:
1) Used JATO framework in an application JSP page which points to a view bean class. This view bean class instantiates UI elements as required.
2) From the module base servlet, I access SSOToken Manager, SSOToken, AMUser, AMRole objects for the current logged in user. (I am working on role based permissions).
3) Based on the roles available for the user, I set the visibility of certain UI elements.
Can you elaborate a little bit more in this context about how I can create/use the policies? I will try to list out below what you trying to say. Please provide your feedback.
1)Protect http resources say http://www.myapp.com/index.html on Idetity Server similar to what I have currently.
2)Instantiate policy object in the module servlet, have resources for each UI element that needs to be protected in this policy, evaluate policy based on the currently logged in user/role and then return permission like read/edit.
Thanks,
Srinivas

SunONE Web Server 6.1 SP7 crashes with Policy Agent 2.2 plugin

Recently we started facing glibc issues on our webservers and wanted to know if any of you have come across such issues on your setups..
Setup Info:
- OS is RHEL 4.0
- Sun ONE Web Server 6.1SP7
- Policy Agent 2.2
When user logins to our application for first time, the policy agent on our webserver intercepts the request and redirects to AM SSO server's login page for authentication. Before redirecting the request, the policy agent preserves the request (POST data) in our webserver and then redirects the request to SSO server. After the user is authenticated on SSO server, the SSO server redirects the request back to our webserver and the policy agent now tries to fetch the preserved post data for the user where it fails(see errors below) and then the user gets 'page cannot be displayed' error on browser. Internally, the SJSWS crashes and gets restarted :(
From logs:
[29/Apr/2008:06:32:48] warning (13856): CORE3283: stderr: 2008-04-29 06:32:48.163 Warning 13856:897a4b8 ServiceEngine: Service::getPolicyResult():Result size is 0,tree not present for https://server1.gft.com:443/dummypost/sunpostpreserve2008-04-2906:31:50.311
[29/Apr/2008:06:32:48] warning (13856): CORE3283: stderr: *** glibc detected *** free(): invalid pointer: 0x08265670 ***
[29/Apr/2008:06:32:48] warning (13856): CORE3283: stderr: 2008-04-29 06:32:48.529 Warning 13856:897a4b8 ServiceEngine: Service::getPolicyResult():No passwd value in session response.
[29/Apr/2008:06:32:48] catastrophe (13856): CORE3260: Server crash detected (signal SIGSEGV)
[29/Apr/2008:06:32:48] info (13856): CORE3261: Crash occurred in NSAPI SAF service-j2ee
[29/Apr/2008:06:32:48] failure (13107): CORE3107: Child process closed admin channel
(At this point the SJSWS gets restarted)
This issue is not always reproducible though !
Appreciate your help on debugging this..

Hi...
just a guess try looking into this bug details ..it may be helpful
http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6299862

Does not Redirect to requested page

Hi,
We are trying to deploy Sun Access Manager with Policy Agent 2.2 on Sun Application server 9.1 and Sun WebServer in Solaris.
I have detailed below the steps followed by us to deploy on Solaris 64-bit machine.
We have the following two machines. (Both are 64 bit Sparc 9 Machines)
1. solaris9.tricipher.com
Following is the configuration.
�     Sun Java Application Server 9.1
�     Sun Java System Access Manager 7.1
Steps performed while configuring the Sun Java System Access Manager 7.1.
1.     We created a policy named "TriCipher Policy".
2.     We created a rule named http://sol9test.tricipher.com: 80/TC/welcome.html
and allow for both GET & POST.
3.     We created the subject named "TriCipher Subject" and select "All Authenticated Users "option with it.
4.     We created the user named "tricipheruser" and password.
5.     We created the agent named "tricipheragent" and password
2. sol9test.tricipher.com
Following is the configuration.
�     Sun Java System Web Server 7.0
�     Sun Java System Access Manager Policy Agent 2.2 for Sun Java System Web Server 7.0
Steps performed while configuring the Sun Java System Web Server 7.0
1.     We deployed a .war file named "TC.war". This file contains the simple html file (welcome.html)
2.     We installed the above specified policy agent, which created the file "AMAgent.properties".
3.     While installing the policy agent we specified the agent name "tricipheragent" and its password after encrypting it.
When we tried to access to protected URL from the windows machine of same domain it redirected us to the login page of the Sun Java System Access Manger 7.1 as expected.
We entered the username "tricipheruser" and its password, it verified the user details and it forward the request to the browser with the desired URL, however, and it shows a blank page.
We have checked the web server log and found the following error. "Failure for host 10.66.8.15 trying to GET /TC/welcome.html, func_exec reports: HTTP2302: Function
validate_session_policy aborted the request without setting the status code"
We have identified that the error is at validate_session_policy (PathCheck is the node), which is called in obj.conf at the agent in the web server config folder. (Attached herewith the modified obj.conf folder)
Further we have tried the following too:
1. Tried with IIS Server with the policy agent deployed. However, the
result is same.
2. Secondly we removed all policy agent and configure the Sun Access
Manager such that, on successful login in the Sun Access Manager it will redirect to www.yahoo.com page. It works fine.
3. Thirdly we modified the configuration, such that the successful login of Sun Access Manager will redirect to our site i,e.
http://iis-02-tricipher.com: 80/login.html. Now we are getting blank page.
In order to identify what is coming in the http header; we have installed "http live Header" in Fire fox browser and found that there is an error HTTP/1.x 500 Internal Server Error. We could not find the reason for this.
Looking forward to your help.
Thanks
Prashant Kumar Singh
09891343317
[email protected]
[email protected]

Hi,
One thing that could help is to look at the info in the agent logs, first increase Debug Logging Level, then restart the agent server and click thru your app, then look in agent runtime logs which should have more descriptive errors. For more detail on how to do this, try http://wikis.sun.com/display/OpenSSO/GlassFishAgentTrouble#GlassFishAgentTrouble-generaltips
You could look on this page, which is mostly based on GlassFish server but could help for other servers as well.
http://wikis.sun.com/display/OpenSSO/GlassFishAgentTrouble
I have not installed either of the policy agents you mentioned. But with some of the other agents, like the Sun App server 9 (GlassFish) agent, it comes with a sample application, and I find that this is the best way to ensure your setup is good and you are following all steps etc. Once sample app is up, you can try your own apps with confidence.
Since you already have the SJSAS 9 installed, maybe you could create a new domain and download/install the SJSAS 9 policy agent on the new domain. Then try out the sample app?
Or if those other agents have a sample app then try it out.
hth,
Sean

How to protect both access (http and https) with a Policy Agent

Hi,
During the installation of a web Policy Agent (i.e. Policy Agent for IIS) we have to choose the protocol (and port) of the web server we want to protect.
If we have an IIS with secure (https) and non secure (http) applications, how we manage this scenario with the policy agent?
Regards,

Hi,
Finally, i have installed the agent in IIS5 in the non secure port (http) and in fact it detects both access (http and https) fine.
The problem now is that if i try to access to a non secure url ( http://mynonsecureapp.com ) all works fine, the agent redirects to https://myaccessmanager.com:443/amserver/UI/Login?goto=http://mynonsecureapp.com but when i try to access to a secure url ( https://mysecureapp.com ) the agent try to redirects me to: https://myaccessmanager.com:443/amserver/UI/Login?goto=http://mysecureapp.com (notice that the agent removes the 's' in the url).
The amAgent log file shows:
+2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_notification(), https://sigcit.agp.gva.es:443/fullcitriweb is not notification url http://sigcit.agp.gva.es:80/amagent/UpdateAgentCacheServlet?shortcircuit=false.+
+2008-07-17 09:44:08.296 Warning 656:d8f6b0 PolicyAgent: OnPreprocHeaders(): Access Manager Cookie not found.+
+2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): url 'https://sigcit.agp.gva.es:443/fullcitriweb' path_info ''.+
+2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): processing url http://sigcit.agp.gva.es:80/fullcitriweb.+
+2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): client_ip 172.27.65.62 not found in client ip not enforced list+
Any ideas?
Regards,
Edited by: idm_oceanic on Jul 17, 2008 1:33 AM

Policy Agent 2.1 not redirect

Similar Messages

Maybe you are looking for