Policy Agent 2.2 for Apache HTTP Server

hi,
I'm trying to configure Policy Agent 2.2 for apache http server.
The agent seems to be installed properly, in fact when I access the protected resource, I get the Access Manager login page.
Then I log into access manager, but I'm redirected to an error page.
Looking in log files I can see:
agent's "amAgent" log file:
Debug 10763:f8fe0 AuthService: HTTP Status = 200 (OK)
Debug 10763:f8fe0 AuthService: Http::Response::readAndParse(): No content length in response.
Debug 10763:f8fe0 ServiceEngine: Service::do_agent_auth_login(): Setting password callback.
Debug 10763:f8fe0 ServiceEngine: Service::do_agent_auth_login(): Setting name callback to 'apache2Agent'.
Debug 10763:f8fe0 AuthService: BaseService::sendRequest Cookie and Headers =Host: crmzone.company.icteam.it     
               Cookie: JSESSIONID=193E5E1590C924A42B95A00A51DC0479;amlbcookie=01
Debug 10763:f8fe0 AuthService: BaseService::sendRequest Content-Length =Content-Length: 620
Debug 10763:f8fe0 AuthService: BaseService::sendRequest Header Suffix =Accept: text/xml
               Content-Type: text/xml; charset=UTF-8
Debug 10763:f8fe0 AuthService: HTTP Status = 200 (OK)
Debug 10763:f8fe0 AuthService: Http::Response::readAndParse(): No content length in response.
Error 10763:f8fe0 AuthService: AuthService::processLoginStatus() Exception message=[Application user ID is not valid.] errorCode='107' templateName=login_failed_template.jsp.
Error 10763:f8fe0 PolicyEngine: am_policy_evaluate: InternalException in AuthService::processLoginStatus() with error message:Exception message=[Application user ID is not valid.] errorCode='107' templateName=login_failed_template.jsp and code:3
Warning 10763:f8fe0 PolicyAgent: am_web_is_access_allowed()(http://10.0.0.31:80/SugarOS-Full-4.5.0f, GET) denying access: status = Access Manager authentication service failure
Debug 10763:f8fe0 PolicyAgent: am_web_is_access_allowed(): Successfully logged to remote server for GET action by user unknown user to resource http://10.0.0.31:80/SugarOS-Full-4.5.0f.
Info 10763:f8fe0 PolicyAgent: am_web_is_access_allowed()(http://10.0.0.31:80/SugarOS-Full-4.5.0f, GET) returning status: Access Manager authentication service failure.
Info 10763:f8fe0 PolicyAgent: process_request(): Access check for URL http://10.0.0.31/SugarOS-Full-4.5.0f returned Access Manager authentication service failure.
Debug 10763:f8fe0 PolicyAgent: process_request(): returning web result AM_WEB_RESULT_ERROR, data []
Debug 10763:f8fe0 PolicyAgent: am_web_process_request(): Rendering web result AM_WEB_RESULT_ERROR
Debug 10763:f8fe0 PolicyAgent: am_web_process_request(): render result function returned AM_SUCCESS.
Access Manager's "amAuthentication.error" log file:
"Login Failed|module_instance|Application" Application AUTHENTICATION-268 dc=opensso,dc=java,dc=net "Not Available" INFO apache2Agent 10.0.0.31 "cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net" CRMzone
I tried to change the name of the agent either in its AMAgent.properties or in Access Manager "Agents" configuration page.
I also used "crypt_util" to generate a new password, but nothing seems to happen.
Where should I look to get more info about this problem? Specific log file?
Is it due to wrong name/id/password of the agent? I really checked them many times...
Thanks
Fabio

I think the error message "Application user ID is not valid" is pretty self evident.
Log into the amconsole and go to the root realm/organization. Make sure the Agent profile exists and reset the password again to a known value. If you created the agent profile in a sub realm/organization, you will need to make sure the subrealm/organization is set in the AMAgent.properties since the default value is / for the root realm/organization. Update the AMAgent.properties file with the Agent ID and the password generated by the crypt_it tool (com.sun.am.policy.am.username, com.sun.am.policy.am.password).
If that doesn't work, check the amApplication debug log and then look at the ldap server access logs to see why the auth bind failed.
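
A triage sketch for the checks suggested in the reply above, added here as an example and not part of the original thread or of Sun's tooling: it parses amAgent debug records (with or without a leading timestamp), the quoted amAuthentication.error line and an AMAgent.properties excerpt, then reports whether the ID the running agent sends is the one in the file. The sample inputs are constructed from the lines in the post; the field positions assumed for the Access Manager line, the agent name `crmAgent` and all function names are assumptions.

```python
import re
import shlex

# Constructed sample input, shaped like the amAgent lines quoted in the post.
AGENT_LOG = """\
Debug 10763:f8fe0 ServiceEngine: Service::do_agent_auth_login(): Setting name callback to 'apache2Agent'.
Debug 10763:f8fe0 AuthService: BaseService::sendRequest Header Suffix =Accept: text/xml
               Content-Type: text/xml; charset=UTF-8
Error 10763:f8fe0 AuthService: AuthService::processLoginStatus() Exception message=[Application user ID is not valid.] errorCode='107' templateName=login_failed_template.jsp.
"""
# The amAuthentication.error line quoted in the post.
AM_AUTH_ERROR_LINE = (
    '"Login Failed|module_instance|Application" Application AUTHENTICATION-268 '
    'dc=opensso,dc=java,dc=net "Not Available" INFO apache2Agent 10.0.0.31 '
    '"cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net" CRMzone'
)
# Constructed AMAgent.properties excerpt; name and password are placeholders.
AGENT_PROPERTIES = """\
# agent profile credentials
com.sun.am.policy.am.username = crmAgent
com.sun.am.policy.am.password = PLACEHOLDER_ENCRYPTED_VALUE
"""

# Optional timestamp, level, pid:thread, module, message.
RECORD = re.compile(
    r"^(?:\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+\s*)?"
    r"(Debug|MaxDebug|Info|Warning|Error)\s+(\S+)\s+(\w+):\s?(.*)$"
)
NAME_CALLBACK = re.compile(r"Setting name callback to '([^']*)'")
AUTH_FAILURE = re.compile(r"Exception message=\[(.*?)\]\s+errorCode='(\d+)'")


def parse_agent_log(text):
    """Split the debug log into records; indented lines continue the previous one."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if m:
            records.append({"level": m[1], "thread": m[2], "module": m[3], "msg": m[4]})
        elif records and line.strip():
            records[-1]["msg"] += "\n" + line.strip()
    return records


def parse_properties(text):
    """Minimal key=value reader; '#' starts a comment line."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def parse_am_auth_error(line):
    """Field positions are an assumption based on the one line quoted in the post."""
    f = shlex.split(line)
    return {"data": f[0], "module": f[1], "message_id": f[2],
            "domain": f[3], "login_id": f[6], "client_ip": f[7]}


def triage(agent_log, am_line, properties):
    """Return findings; the password value itself is never echoed."""
    findings = []
    records = parse_agent_log(agent_log)
    props = parse_properties(properties)
    configured = props.get("com.sun.am.policy.am.username", "")
    sent = [m[1] for r in records if (m := NAME_CALLBACK.search(r["msg"]))]
    for r in records:
        m = AUTH_FAILURE.search(r["msg"])
        if r["level"] == "Error" and m:
            findings.append(f"agent login rejected: errorCode={m[2]} ({m[1]})")
    if sent and sent[-1] != configured:
        findings.append(
            f"running agent sent ID {sent[-1]!r} but this file has {configured!r}: "
            "the agent loads a different file or was not restarted after the edit")
    am = parse_am_auth_error(am_line)
    findings.append(
        f"Access Manager rejected ID {am['login_id']!r} from {am['client_ip']} "
        f"in {am['domain']} (module {am['module']})")
    if not props.get("com.sun.am.policy.am.password"):
        findings.append("com.sun.am.policy.am.password is empty or missing")
    return findings


if __name__ == "__main__":
    for finding in triage(AGENT_LOG, AM_AUTH_ERROR_LINE, AGENT_PROPERTIES):
        print("-", finding)
```
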

Similar Messages

  • Web Policy Agent 2.1 for Apache 1.3.27 with Identity Server 6.1

    Web Policy Agent 2.1 for Apache 1.3.27 with Identity Server 6.1
    Does anybody have a working combination of the above? I get an ID login page and after that I always get an access denied page. I get this exception in the agent logs:
    2004-10-14 16:28:00.917 Warning 6347:c1818 PolicyAgent: in get_cookie: no cookie in ap_table
    2004-10-14 16:28:01.895 Warning 6359:c1818 PolicyAgent: Invalid URL for property (com.sun.am.policy.agents.accessDeniedURL) specified
    2004-10-14 16:28:56.742 Warning 6349:c1818 PolicyAgent: am_web_is_access_allowed(http://xx.xx.xx.net:8080/, GET) denying access: status = access denied (20)
    2004-10-14 16:28:56.743 128 6349:c1818 RemoteLog: User testuser1 was denied access to http://xx.xx.xx.net:8080/.
    2004-10-14 16:28:56.831 -1 6349:c1818 PolicyAgent: URL Access Agent: access denied to testuser1
    We can ignore the Invalid URL property part because it's just looking for a custom URL in place there. I have cookies enabled in my browser. I even turned on the prompt option. No luck yet.
    Any suggestions would be of great help.
    Thanks,
    Sunil.

    From your description, since the agent installs file with a different JRE, I would suspect it has something to do with the availability of JCE provider in the first JRE. By default, WebSphere's JRE is equipped with IBM JCE provider which is what the agent uses to encrypt the necessary
    information. If this provider is not configured correctly it could result in the error that you are seeing. Please check the WebSphere installation and make sure that the JRE used by it has the necessary IBM JCE provider configured. The java.security file for this should contain something like:
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    Also, make sure that when you are installing the agent you specify the Java Home as prompted by the agent to point to the location where this JRE is installed. Typically this is under WebSphere/AppServer/java directory. HTH, Jerry

  • Problem With Policy Agent 2.2 for APACHE on WINDOWS !!!!

    I have been getting a nasty error for weeks configuring PolicyAgent 2.2 for Apache (tried 2.2.x and 2.0.x) on a Windows Server. After the configuration, Apache could not even start. I get the following error:
    Syntax error on line 1 of "C:/Sun/Access_Manager/Agents/2.2/apache/config/apache_80/dsame.conf":
    Cannot load C:/Sun/Access_Manager/Agents/2.2/apache/bin/libamapc2.dll into server. The specified module does not exist
    Does anyone have any ideas? (I have been pulling my hair off trying to resolve this and I am about to lift up the server and drop it !!! ) The dll file above is available in that path.
    Message was edited by:
    lreju

    This DLL file may need/depend on other DLLs. So sometimes you may still get this error after you download the DLL into your Windows system folder. But you can use a tool such as http://www.dependencywalker.com to find out which other DLLs are needed for your installation....Hope this helps someone !!!

  • Building OpenSSO Policy Agent 2.2 for Apache 2.x

    Hi,
    I've been trying to build OpenSSO policy agent using sources from opensso_agentbranch22 on WINNT for Apache 2.0 web server. The reason I can't use the pre-build binary is because we are trying to customize the agent to integrate with another SSO app which sends us data. The compilation itself seems to work OK. But the libamapc2.dll (Apache module dll) created seems to be only 24-26k in size vs the 700k size in the binary distributed by Sun.
    Apache fails to start when this agent is installed, saying that the dll is invalid. Am I missing something in my compilation and linking process? I'm using VS 6 for the cl and link, Ant and Cygwin.
    Any input from the Sun OpenSSO gurus is greatly appreciated.

    I can show a snapshot from the Depends tool that clearly shows that amsdk.dll is dynamically linked. It creates all sorts of issues with Apache 2.0 as it doesn't like the dynamic linking. Until I changed the Makefile in the am directory to use the static library, I could not get my libamapc2.dll to match the libamapc2.dll distributed by Sun. Even now there are issues with libnspr4 and msvcrt.dll. Apache crashes as soon as it loads the libamapc2.dll and the issue has been narrowed down to the strlen() method. This method is used for logging messages by the agent.
    I wish Sun maintained a copy of the 3rd party libs they use to build the agent in their CVS instead of asking us to fetch those libraries from another website, in which case libraries may not correspond 1:1.

  • Compiling/running Policy Agent 2.2 for Apache (Linux)

    Hi,
    I know that running the policy agent for Linux is not supported by Sun on other platforms than Red Hat Enterprise Linux, but anyway I'm curious to see if others have looked into this.
    I've done some testing on my Ubuntu Dapper Linux, using the precompiled version for Red Hat Enterprise, and I kind of made it work. Only problem: I have to start apache using "strace" to have it running. If I run /usr/sbin/apache2 I get "Segmentation Fault", but if I run "strace /usr/sbin/apache2" it runs... I'm able to create a core-dump, but to get something out of it I guess I have to compile the policy agent myself, so I've tried that as well.
    To compile I've checked out the opensso package by CVS and installed libxml2-2.6.23, nss-3.11, nspr-4.6.1 and apache-2.0.59, sort of like what it says in the Readme for compiling under Red Hat Enterprise Linux. Result from running "make BUILD_DEBUG=optimize BUILD_AGENT=apache" is:
    hash_table.h: In member function ‘typename smi::HashTable<Element>::EntryType smi::HashTable<Element>::findEntry(const std::string&)’:
    hash_table.h:319: error: expected ‘;’ before ‘__null’
    hash_table.h:319: warning: statement has no effect
    The test with the precompiled version was done on Ubuntu Dapper Linux using the standard apache 2.0.55 package that comes with Ubuntu. As I said: I've managed to get it running (doing SSO login through Federation Manager running on the same machine, with Access Manager running on another Solaris server) but I would prefer to have a setup that doesn't involve using "strace" to have apache with the policy agent module running... Anyone else done something like this?
    In the end I guess I would like to have some kind of release of the policy agent that doesn't have to be packaged as RPMs just for Red Hat Enterprise servers. It doesn't have to be flagged as "supported by Sun" but more like "you're on your own this release". ;-) That goes for the Federation Manager as well. I've managed to have the FM running on Ubuntu Dapper as well, so I know it's possible...
    - Anders

    The notes in this thread date from about October of 2006.
    Does anyone know why current versions of the gcc compiler refuse to compile the statement that leads to the reported error?
    The statement that is failing is:
        if (entry && entry->getExpirationTime() < PR_Now()) {
         return (HashTable<Element>::EntryType)NULL;
    with the error
    [exec] hash_table.h:320: error: expected ‘;’ before ‘__null’
    Is this a problem with the compiler or with the definition of the NULL macro?

  • Policy agent 2.1 for apache 1.3.27 reinstallation problem

    hi
    i've uninstalled Apache_1.3.27_agent_2.1_sparc-sun-solaris2.8 policy agent [Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)] to reinstall it from scratch.
    during the reinstallation i've the problem listed below. i did remove all remaining parts of agent but doesn't work.
    Any idea ?
    Thanks
    Installing Sun ONE Identity Server Policy Agent
    Listener:com.iplanet.am.installer.listeners.ApacheInstallListener@1372656 threw exception during "installFinishing" method while listening to SUNWamapc install directory=[DETERMINED AT RUNTIME]:java.lang.reflect.InvocationTargetException
    Target Exception trace:
    java.lang.RuntimeException: error executing ///bin/config at com.iplanet.am.installer.listeners.InstallListenerBase.executeCommand(InstallListenerBase.java:829) at com.iplanet.am.installer.listeners.InstallListenerBase.configureSolarisWebAgent(InstallListenerBase.java:294) at com.iplanet.am.installer.listeners.InstallListenerBase.installFinishing(InstallListenerBase.java:150) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:324)
    at com.sun.install.products.Product.processEvents(Product.java:753) at com.sun.install.products.Product.processEvents(Product.java:787) at com.sun.install.products.Product.processEvents(Product.java:787) at com.sun.install.products.Product.performInstallation(Product.java:643) at com.sun.install.tasks.ProductTask.perform(ProductTask.java:191) at com.sun.wizards.core.Sequence.perform(Sequence.java:336) at com.sun.wizards.core.SequenceManager.run(SequenceManager.java:226) at java.lang.Thread.run(Thread.java:534)

    I had the same problem because of a misconfiguration in AMAgent.properties. I manually changed all URLs to the Identity Server from http to https and found out the port number definitely has to be specified (bad URL parsing of Policy Agent). You should check your configuration...
    HTH
    J�rgen

  • Sun Policy Agent 2.2 for BEA WebLogic Server/Portal 9.2

    Do you know where can I download this agent? I've searched a lot but no chance. The only available one in the download index page is the 9.0/9.1 agent. Any idea?
    Best regards

    All this time later, and the download for this agent isn't showing up in the right place.
    For now, my blog might be the easiest place to go for Policy Agent 2.2 docs and downloads:
    http://blogs.sun.com/JohnD/page/policyagent
    The quick and dirty answer to the question is here:
    http://www.sun.com/download/products.xml?id=45cb8a2a
    John D.

  • Policy Agent 3.0 for Tomcat - Cannot obtain Application SSO token

    Hi
    I am trying to configure Sun OpenSSO Enterprise Policy Agent 3.0 for Apache Tomcat Application Server 6.
    After installing the Policy Agent, Tomcat is not starting.
    The Error in the stack is :
    =========
    Jun 14, 2009 2:21:00 AM org.apache.tomcat.util.digester.Digester startElement
    SEVERE: Begin event threw error
    java.lang.ExceptionInInitializerError
    at com.sun.identity.agents.arch.AgentConfiguration.bootStrapClientConfiguration(AgentConfiguration.java:682)
    Caused by: com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
    Check AMConfig.properties for the following properties
    com.sun.identity.agents.app.username
    com.iplanet.am.service.password
    at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:258)
    =========
    There is no AMConfig.properties file. The Agent uses "OpenSSOAgentBootstrap.properties".
    Is there a workaround for this issue ?
    Cheers.

    Hi,
    I have the same Problem, did you come up with a solution for it?
    thanks
    Matrius

  • Sun One Identity Server Policy Agent 2.0 for IIS 5.0

    Hi,
    I am trying to use Sun Identity Server with IIS, so I installed policy agent 2.0 for IIS 5.0. My operating system is Windows 2000 Professional. I can see the ISAPI filter is loaded, but when I try to test the installation by accessing a test page, like http://localhost/test.asp, I cannot go anywhere; the Sun Identity Server login page is not loaded. I checked the debug log file, and there are just two warning messages:
    2003-02-12 11:11:52.314 Warning 1316:00A548E8 PolicyAgent: Invalid URL for property (com.sun.am.policy.agents.accessDeniedURL) specified
    2003-02-12 11:11:52.798 Warning 1316:00A548E8 PolicyAgent: FqdnHandler::FqdnHandler() No value specified for fqdnMap.
    Could someone help me out here? Any suggestion will be appreciated.
    Thanks,
    Harold Chen

    Well, it's in the Agent's installation guide, section "Read me first", "Setting Fully Qualified Domain Name". :)

  • Apache HTTP Server Plug-In for HPUX

    First action:
    Installation of
    BEA Weblogic Server 6.1 Servicepack 4
    Apache Webserver Version 2.0.43
    gcc 3.0.2
    on
    HP-UX hansapp4 B.11.11 U 9000/800
    Apache Webserver can be started !
    Additional Action:
    Installation of BEA's Apache HTTP Server Plug-In
    as a dynamic shared object:
    Copy of mod_wl_20.so to APACHE_HOME/modules
    Adaption of httpd.conf by adding line
    "LoadModule weblogic_module modules/mod_wl_20.so"
    Result:
    Apache Webserver cannot be started !
    Start of
    root@hansapp4:/usr/local/apache2/bin> ./apachectl configtest
    gives:
    Syntax error on line 234 of /usr/local/apache2/conf/httpd.conf:
    Cannot load /usr/local/apache2/modules/mod_wl_20.so into server:
    Call to mmap() failed - TEXT /usr/local/apache2/modules/mod_wl_20.so

    While the question is for AS 8, you can try this (mod_proxy-based):
    http://docs.sun.com/source/817-3652-10/agplugin.html#wp34000
    -Alexis

  • Will Apache HTTP server version 2.2.x be supported for Solaris 10?

    It appears that the Apache 2.0.x package is still being included in the latest release of Solaris 10. When I checked the Apache site, it says they will no longer be releasing updates for the 2.0.x version family. Is Oracle planning to make an Apache 2.2.x package available and develop future patches?

    Hi,
    You can try using the following approach with 'MatchExpression' parameter for the 'VirtualHost' configuration, which should solve your problem:
    <VirtualHost *:80>
    ServerAdmin [email protected]
    ServerName << Put your apache server ip-address here>>
    ErrorLog logs/error_log
    <Location */CustomLocationPrefix1** >
    SetHandler weblogic-handler
    ## Select the list of apps/urls for APP1
    WebLogicCluster 192.168.100.1:7001,192.168.100.2:7002
    CookieName CUSTOM_JSESSIONID_COOKIE_NAME_1
    Debug ALL
    DebugConfigInfo ON
    WLLogFile C:/wlproxy.log
    </Location>
    <Location */CustomLocationPrefix2** >
    SetHandler weblogic-handler
    ## Select the list of apps/urls for APP2
    WebLogicCluster 192.168.100.3:7001,192.168.100.4:7002
    CookieName CUSTOM_JSESSIONID_COOKIE_NAME_2
    Debug ALL
    DebugConfigInfo ON
    WLLogFile C:/wlproxy.log
    </Location>
    <Location */CustomLocationPrefix3** >
    SetHandler weblogic-handler
    ## Select the list of apps/urls for APP3
    WebLogicCluster 192.168.100.5:7001,192.168.100.6:7002
    CookieName CUSTOM_JSESSIONID_COOKIE_NAME_3
    Debug ALL
    DebugConfigInfo ON
    WLLogFile C:/wlproxy.log
    </Location>
    <IfModule mod_weblogic.c>
    ## Combine all the locations for the different web-apps you want to route through apache http server
    ## (i.e., APP1, APP2, APP3 in this case).
    WebLogicCluster 192.168.100.1:7001,192.168.100.2:7002,192.168.100.3:7001,192.168.100.4:7002,192.168.100.5:7001,192.168.100.6:7002
    MatchExpression *
    ## The following may not be needed (need to recheck)
    EnforceBasicConstraints OFF
    </IfModule>
    </VirtualHost>
    Regards,
    Deepak Kerur.
    Edited by: user10231088 on Jul 7, 2011 6:36 PM

  • Policy Agent 2.1 for IBM WebSphere Application Server 5.0 can't install

    I install Policy Agent 2.1 for IBM WebSphere Application Server 5.0
    But it can't install successfully.
    Reason:
    Base Installation completed Successfully
    WebSphere 5.0 Agent ClassPath : C:/Sun/IdentityServer/j2ee_agents/lib/am_sdk.jar;C:/Sun/IdentityServer/j2ee_agents/lib/am_services.jar;C:/Sun/IdentityServer/j2ee_agents/lib/am_sso_provider.jar;C:/Sun/IdentityServer/j2ee_agents/lib/am_logging.jar;C:/Sun/IdentityServer/j2ee_agents/config/F__Program Files_WebSphere_AppServer_config_cells_tmbsp103_nodes_tmbsp103_servers_server1;C:/Sun/IdentityServer/j2ee_agents/locale
    WebSphere 5.0 Agent Boot ClassPath : C:/Sun/IdentityServer/j2ee_agents/lib/jdk_logging.jar
    WebSphere 5.0 Agent JVM options : -Damconfig=AMAgent -Dmax_conn_pool=10 -Dmin_conn_pool=1 -Dcom.iplanet.coreservices.configpath=C:/Sun/IdentityServer/j2ee_agents/config/F__Program Files_WebSphere_AppServer_config_cells_tmbsp103_nodes_tmbsp103_servers_server1/ums -Djava.util.logging.manager=com.sun.identity.log.LogManager -Djava.util.logging.config.file=C:/Sun/IdentityServer/j2ee_agents/config/F__Program Files_WebSphere_AppServer_config_cells_tmbsp103_nodes_tmbsp103_servers_server1/AMAgent.properties -Djava.protocol.handler.pkgs=com.ibm.net.ssl.internal.www.protocol -Dws.ext.dirs=C:/Sun/IdentityServer/j2ee_agents/lib
    The server.policy file was configured successfully.
    Global Security Settings Configured Successfully.
    sas.client.props file Configuration FAILED.
    soap.client.props file Configuration FAILED.
    sas.client.props /soap.client.props two file how to Configuration ??

    From your description, since the agent installs file with a different JRE, I would suspect it has something to do with the availability of JCE provider in the first JRE. By default, WebSphere's JRE is equipped with IBM JCE provider which is what the agent uses to encrypt the necessary
    information. If this provider is not configured correctly it could result in the error that you are seeing. Please check the WebSphere installation and make sure that the JRE used by it has the necessary IBM JCE provider configured. The java.security file for this should contain something like:
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    Also, make sure that when you are installing the agent you specify the Java Home as prompted by the agent to point to the location where this JRE is installed. Typically this is under WebSphere/AppServer/java directory. HTH, Jerry

  • Problem Installing Policy Agent 2.2 on Apache 2.2.3

    Hi all,
    I'm trying to configure policy agent 2.2 on apache 2.2.3 on linux platform CentOS (red hat 5.1).
    The configuration and the installation seem to work properly, in effect in the log file install.log you can find :
    [06/10/2008 16:38:49:865 CEST] Creating directory layout and configuring Agent file for Agent_001 instance ...SUCCESSFUL.
    [06/10/2008 16:38:49:936 CEST] Reading data from file /opt/web_agents/apache22_agent/passwordFile and encrypting it ...SUCCESSFUL.
    [06/10/2008 16:38:49:937 CEST] Generating audit log file name ...SUCCESSFUL.
    [06/10/2008 16:38:50:022 CEST] Creating tag swapped AMAgent.properties file for instance Agent_001 ...SUCCESSFUL.
    [06/10/2008 16:38:50:026 CEST] Creating a backup for file /etc/httpd/conf/httpd.conf ...SUCCESSFUL.
    [06/10/2008 16:38:50:031 CEST] Adding Agent parameters to /opt/web_agents/apache22_agent/Agent_001/config/dsame.conf file ...SUCCESSFUL.
    [06/10/2008 16:38:50:032 CEST] Adding Agent parameters to /etc/httpd/conf/httpd.conf file ...SUCCESSFUL.
    But, when I try to restart Apache it gives me an error and in the error.log file in Apache you can read:
    [Tue Jun 10 16:57:33 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Tue Jun 10 16:57:34 2008] [notice] Digest: generating secret for digest authentication ...
    [Tue Jun 10 16:57:34 2008] [notice] Digest: done
    [Tue Jun 10 16:57:34 2008] [alert] Policy web agent configuration failed: NSPR error
    Configuration Failed
    Well, I found in the Sun documentation a well known bug about the NSPR and NSS library :
    Error message issued during installation of Policy Agent 2.2 on Linux systems
    When the Linux operating system is installed, specific components can be selected. Occasionally the specific components of the operating system selected lack the libraries necessary for Policy Agent 2.2 to function. When the complete Linux operating system is installed, all the required libraries are available. The libraries that are required for the agent to function are as follows: NSPR, NSS, and libxml2.
    Workaround: If the Linux operating system you are using is not complete, install the latest versions of these libraries as described in the steps that follow:
    At the time this note was added, the latest version of the NSPR library packages was NSPR 4.6.x , while the latest version of the NSS library package was NSS 3.11.x.
    To Install Missing Libraries for Policy Agent 2.2 on Linux Systems
    * Install the NSS, and libxml2 libraries. These libraries are usually available as part of Linux installation media. NSPR and NSS are available as part of Mozilla binaries/development packages. You can also check the following sites:
      o NSPR: http://www.mozilla.org/projects/nspr/
      o NSS: http://www.mozilla.org/projects/security/pki/nss/
    So, I checked my libraries but they are upgraded to the latest version.
    If I comment the line that includes the libamapc22.so in the apache configuration file
    LoadModule dsame_module /opt/web_agents/apache22_agent/lib/libamapc22.so
    Apache can restart but the agent is misconfigured!
    Any Idea?

    thank you Subhodeep for your reply,
    I didn't try to change the library file and I didn't find in the literature any information about changing the library file in the Policy agent installation. Please, could you suggest something more about which library to use instead of libamapc22.so?
    ps. I am using red hat 5.1, and from the release note of the policy agent seems that the latest platform version supported is red hat enterprise linux 4.0 versions.....
    this one could definitely be the reason of the misconfiguration.

  • Problem in POST data preserve in Policy Agent 2.2 for SJSWS 6.1

    Hi
    I am using Policy Agent 2.2 for SJSWS 6.1
    I have a requirement to preserve the POST data during the following situation.
    Consider a situation wherein the user has logged in to our webapp and the user remains on a page which has a form with the POST method.
    Meanwhile the session (of AM) times out and now the user enters the data in the data and submits the form.
    The user will be redirected to the login page and then the requested service should be performed, which is not happening in this case (POST). If the form used a GET method, this works fine.
    I have tried by configuring the following property in AMAgent.properties file.
    com.sun.am.policy.agents.config.postdata.preserve.enable = true
    But it doesn't work. When I tried to troubleshoot, I learned from the following resource that, POST data preservation is only supported on Policy Agent 2.2 for Sun Java System Web Server 7.0 Is it not supported on 6.1?
    http://docs.sun.com/app/docs/doc/820-1130/gaueu
    I get the following error in the log file of SJSWS.
    trying to POST /dummypost/sunpostpreserve2007-09-2804:48:53.379, send-file reports: HTTP4142: can't find /opt/SUNWwbsvr/docs/dummypost/sunpostpreserve2007-09-2804:48:53.379 (File not found)
    I have verified that the following entry is made in the obj.conf
    PathCheck fn=validate_session_policy
    <Object ppath="*/dummypost/sunpostpreserve*">
    Service type=text/* method=(GET) fn=append_post_data
    </Object>
    <Object ppath="*/UpdateAgentCacheServlet*">
    Service type=text/* method=(POST) fn=process_notification
    </Object>
    I am using the PA 2.2 which says that the following bug is fixed.
    Bug(s) fixed in 2.2 RTM Hotpatch 8
    ==================================
    Bug#: 6545159
    Agent type: Sun Java System Web Server agent
    Description: CDSSO mode wipes out form post data
    Appreciate your help.
    thanks & regards
    Madhu

    Hi
    Now I get 404 error and the logs in amAgent is
    2007-10-03 04:56:20.922 Error 22356:a51e558 PolicyAgent: Error Registering POST content body
    2007-10-03 04:56:20.922MaxDebug 22356:a51e558 PolicyAgent: Register POST content body : (null)
    2007-10-03 04:56:20.923 Debug 22356:a51e558 PolicyAgent: Register POST data key :2007-10-0304:56:20.922
    2007-10-03 04:56:20.923 Error 22356:a51e558 PolicyAgent: am_web_postcache_insert(): Unknown exception encountered.
    2007-10-03 04:56:20.923 Warning 22356:a51e558 PolicyAgent: Register POST data insert into hash table failed:2007-10-0304:56:20.922
    And in the errors log file of SJSWS is
    [03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="uri-clean" Directive="PathCheck"
    [03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="uri-clean" Directive="PathCheck" returned 0 (REQ_PROCEED)
    [03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="find-pathinfo" Directive="PathCheck"
    [03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="find-pathinfo" Directive="PathCheck" returned -2 (REQ_NOACTION)
    [03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="find-index-j2ee" Directive="PathCheck"
    [03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="find-index-j2ee" Directive="PathCheck" returned -2 (REQ_NOACTION)
    [03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="find-index" index-names="index.html,home.html,index.jsp" Directive="PathCheck"
    [03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="find-index" index-names="index.html,home.html,index.jsp" Directive="PathCheck" returned -2 (REQ_NOACTION)
    [03/Oct/2007:05:13:05] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="validate_session_policy" Directive="PathCheck"
    [03/Oct/2007:05:13:05] fine (22515): Updating accelerator cache
    [03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="validate_session_policy" Directive="PathCheck" returned 0 (REQ_PROCEED)
    [03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="type-j2ee" Directive="ObjectType"
    [03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="type-j2ee" Directive="ObjectType" returned 0 (REQ_PROCEED)
    [03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="type-by-extension" Directive="ObjectType"
    [03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="type-by-extension" Directive="ObjectType" returned 0 (REQ_PROCEED)
    [03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="force-type" type="text/plain" Directive="ObjectType"
    [03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="force-type" type="text/plain" Directive="ObjectType" returned 0 (REQ_PROCEED)
    [03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file" Directive="Service"
    [03/Oct/2007:05:13:14] warning (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, send-file reports: HTTP4142: can't find /opt/WMS/rel/www/webserver7/https-localhost.localdomain/docs/dummypost/sunpostpreserve2007-10-0304:56:20.922 (File not found)
    [03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file" Directive="Service" returned -1 (REQ_ABORTED)
    [03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="error-j2ee" Directive="Error"
    [03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="error-j2ee" Directive="Error" returned -2 (REQ_NOACTION)
    [03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: executing fn="flex-log" Directive="AddLog"
    [03/Oct/2007:05:13:14] finest (22515): for host 27.63.254.1 trying to POST /dummypost/sunpostpreserve2007-10-0304:56:20.922, func_exec reports: fn="flex-log" Directive="AddLog" returned 0 (REQ_PROCEED)
    thanks
    Madhu

  • This log -------------policy agent 2.1 for iis5.0

    Sun Java System Identity Server Policy Agent 2.1 for Microsoft IIS 5.0
    Sun\Identity_Server\Agents\2.1\debug\C__Inetpub_wwwroot\amAgent
    2004-07-25 18:06:22.156 Warning 1064:00D01120 PolicyAgent: OnPreprocHeaders(): Identity Server Cookie not found.
    2004-07-25 18:06:22.156 Error 1064:00D01120 PolicyAgent: do_redirect() ServerSupportFunction did not succeed: Attempted status = 302 Found
    2004-07-25 18:06:22.156 Warning 1064:00D01120 PolicyAgent: OnPreprocHeaders(): No cookies found.
    2004-07-25 18:06:22.156 Error 1064:00D01120 PolicyAgent: do_redirect() ServerSupportFunction did not succeed: Attempted status = 302 Found
    2004-07-25 18:07:53.921 Error 1064:00D01120 PolicyEngine: am_policy_evaluate: InternalException in Service::getPolicyResult with error message:Policy not found for resource: http://guorui.mygodsun.com:49153/index.asp and code:7
    2004-07-25 18:07:53.921 Warning 1064:00D01120 PolicyAgent: am_web_is_access_allowed(http://guorui.mygodsun.com:49153/index.asp, GET) denying access: status = no policy found (7)
    2004-07-25 18:07:53.937 128 1064:00D01120 RemoteLog: User amAdmin was denied access to http://guorui.mygodsun.com:49153/index.asp.
    2004-07-25 18:07:54.062 Error 1064:00D01120 PolicyAgent: do_redirect(): Error while calling am_web_get_redirect_url(): status = success
    2004-07-25 18:07:54.078 Error 1064:00D01120 PolicyAgent: do_redirect() WriteClient did not succeed: Attempted message = HTTP/1.1 403 Forbidden
    Content-Length: 13
    Content-Type: text/plain
    403 Forbidden
    From that log, help me.
    My setup:
    Sun Java System Identity Server 6.1
    Sun Java System Directory Server 5.2
    Sun Java System Identity Server Policy Agent 2.1 for Microsoft IIS 5.0
    Help me with how to configure that?
    What is the error?
    Thanks!

    Sorry that so many people have faced the same or similar issues. I just joined this support a short while ago. If you have any old problem which is still critical to you, please repost. We shall try our best to give you assistance. Jerry
    Here are some tips for debugging the Web agent.
    From the AMAgent.properties, are both IIS and AM in the same domain? If they are not, then you need to use CDSSO. Also please check in AM, under "Service Configuration -> Platform -> Cookie Domains", whether the cookie is set for the entire domain which includes AM and IIS ("test.com") or just the AM machine name.
    Also check whether the correct value for "Agent-Identity Server Shared Secret" is entered. This should be your internal ldap password (amldapuser). In the AMAgent.properties, the password will be encrypted and assigned to the property "com.sun.am.policy.am.password".
    Could you also check whether the Identity Server and the IIS web server are time synchronized. The problem may be that the agent requests policy decisions and the response from the server may be timed out due to a non-synchronized clock.
    Don't forget to restart the whole IIS service using the internet management console after making agent changes.
    Some of the common error codes:
    20: Application authentication failed. This occurs when the Agent cannot successfully authenticate with Identity Server. This is mainly due to an incorrect password for the agent entered during agent installation. Please refer to another FAQ describing how to change the password.
    7: Policy not found. This error occurs typically if there are no policies defined on Identity Server for the given web server URL. Otherwise, there may be time skew between Identity Server and the Agent, so policies fetched from Identity Server are instantly flushed by the Agent, which attempts to refetch them over and over again. This can be solved by running rdate or a similar command to synchronize time between the two machines. It is recommended to run an NNTP server to synchronize times between your Identity systems.
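
The two status codes from the reply above, applied as a triage pass over an amAgent debug log. This is an added example, not part of the original thread or of Sun's tooling: `triage`, `CHECKS` and the code-20 sample line are assumptions made for illustration, and the line layout is the one in the IIS agent log quoted earlier.

```python
import re

# Status codes and follow-up checks, taken from the reply above.
CHECKS = {
    7: ["confirm a policy is defined on Identity Server for this URL",
        "check clock skew between Identity Server and the agent host"],
    20: ["verify the agent password (com.sun.am.policy.am.password)"],
}

# Layout seen in the IIS agent log: date time level pid:thread module: message
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \S+ "
    r"\d+:[0-9A-Fa-f]+ \w+: (.*)$")
# Status is logged as "... and code:7" (PolicyEngine) or "... (7)" (PolicyAgent).
CODE_RE = re.compile(r"(?:and code:(\d+)|\((\d+)\))\s*$")
URL_RE = re.compile(r"https?://[^\s,)]+")

# Constructed sample: the code-7 lines follow the log quoted above,
# the code-20 line is made up for illustration.
SAMPLE = """\
2004-07-25 18:07:53.921 Error 1064:00D01120 PolicyEngine: am_policy_evaluate: InternalException in Service::getPolicyResult with error message:Policy not found for resource: http://guorui.mygodsun.com:49153/index.asp and code:7
2004-07-25 18:07:53.921 Warning 1064:00D01120 PolicyAgent: am_web_is_access_allowed(http://guorui.mygodsun.com:49153/index.asp, GET) denying access: status = no policy found (7)
2004-07-25 18:07:54.078 Error 1064:00D01120 PolicyAgent: do_redirect() WriteClient did not succeed: Attempted message = HTTP/1.1 403 Forbidden
Content-Length: 13
2004-07-25 18:09:10.004 Error 1064:00D01120 PolicyEngine: am_policy_evaluate: InternalException with error message:Application authentication failed and code:20
"""

def triage(text):
    """Group known status codes by (code, resource URL): count, first/last seen."""
    findings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        c = CODE_RE.search(m.group(2)) if m else None  # no match: continuation line
        code = int(c.group(1) or c.group(2)) if c else None
        if code not in CHECKS:
            continue
        url = URL_RE.search(m.group(2))
        f = findings.setdefault((code, url.group(0) if url else None),
                                {"count": 0, "first": m.group(1), "last": m.group(1)})
        f["count"] += 1
        f["last"] = m.group(1)
    return findings

if __name__ == "__main__":
    for (code, url), f in triage(SAMPLE).items():
        print(f"code {code} x{f['count']} {url or '-'} {f['first']} .. {f['last']}")
        for check in CHECKS[code]:
            print("  check:", check)
```

A code-7 group whose count keeps growing for a URL that does have a policy matches the refetch loop the reply attributes to time skew.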
