Policy Agent 2.2, IIS 6.0, CDSSO and redirects after authentication

Hi
I've got a problem where an HTTP/1.1 200 and 302 are returned by the Policy Agent / Application, after the Javascripted POST by the CDCServlet content is performed.
The expected functionality is that the user is authenticated with the AM, the CDC Servlet serves the JavaScript page that will do a POST to the Policy Agent. The Policy Agent should then do what it needs to do with the POST, and forward the request to the Application. The Application then does what it needs to do, and in this case, serves an HTTP/1.1 302 for redirection back to the browser.
However, it seems that the Policy Agent might be returning an HTTP/1.1 200, and setting the iPlanetDirectoryPro cookie, quickly followed by the HTTP/1.1 302 and the setting of whatever cookies it wants to set.
The Policy Agent should be respecting the return code of the Application. This problem does not appear when run against the Policy Agent for the Sun ONE Web Server.
Wondering if anyone has seen this before?
Here is sanitized output from a trace on the POST and resulting response.
POST /oslp/?sunwMethod=GET HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-au
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: sco88342744.corp.qed.qld.gov.au
Content-Length: 3496
Connection: Keep-Alive
Cache-Control: no-cache
X-ProcessAndThread: IEXPLORE.EXE [904; 2908]
LARES=<snip>
HTTP/1.1 200 OK
Date: Wed, 16 May 2007 22:25:42 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcz8tCfJ96AXxjIgRzuZJDgE7gMeTO0iIS4%3D%40AAJTSQACMDQ%3D%23;Path=/
HTTP/1.1 302 Found
Date: Wed, 16 May 2007 22:25:42 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 1.1.4322
Location: /oslp/user/signon.aspx
Set-Cookie: ASP.NET_SessionId=lh4sus55y1iy2r5514onnjuj; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 139
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='/oslp/user/signon.aspx'>here</a>.</h2>
</body></html>

Hi,
we had the same problem, but we got support
from readme.txt
Bug#: 6789020
Agent type: All Agents
Description: In CDSSO mode non enforced POST requests cannot be accessed
Bug#: 6736820
Agent type: IIS 6 Agent
Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
Both bugs should be fixed in this version:
Sun Java System Web Agents 2.2-02 hotpatch2
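
A way to check a captured response for the symptom in the trace above, where a second status line (the application's 302) appears inside the header section that began with the agent's 200. This is an added example, not code from the original posts or from the Policy Agent; the sample capture is constructed from the trace with placeholder cookie values and a shortened body, and the function names are hypothetical.

```python
import re

STATUS_LINE = re.compile(r"^HTTP/1\.[01] (\d{3})\b")

# Constructed sample shaped like the trace in the question; cookie values are placeholders.
SAMPLE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Date: Wed, 16 May 2007 22:25:42 GMT",
    "Server: Microsoft-IIS/6.0",
    "Set-Cookie: iPlanetDirectoryPro=PLACEHOLDER;Path=/",
    "HTTP/1.1 302 Found",
    "Date: Wed, 16 May 2007 22:25:42 GMT",
    "Server: Microsoft-IIS/6.0",
    "Location: /oslp/user/signon.aspx",
    "Set-Cookie: ASP.NET_SessionId=PLACEHOLDER; path=/",
    "Content-Length: 14",
    "",
    "<html>.</html>",
])


def header_blocks(raw):
    """Split a raw response into one header block per status line found in it."""
    blocks = []
    after_blank = False
    for line in raw.split("\r\n"):
        match = STATUS_LINE.match(line)
        if match:
            # A status line either opens the response or follows an earlier block.
            blocks.append({"status": int(match.group(1)), "headers": []})
        elif after_blank or not blocks:
            break  # body data, or input that does not start with a status line
        elif ":" in line:
            name, value = line.split(":", 1)
            blocks[-1]["headers"].append((name.strip().lower(), value.strip()))
        after_blank = (line == "")
    return blocks


def diagnose(raw):
    """Report which status the client acts on and which headers end up orphaned."""
    blocks = header_blocks(raw)
    if not blocks:
        return {"anomaly": False, "statuses": []}
    first = blocks[0]["status"]
    cookies = [
        (b["status"], [v.split("=", 1)[0] for n, v in b["headers"] if n == "set-cookie"])
        for b in blocks
    ]
    locations = [v for b in blocks for n, v in b["headers"] if n == "location"]
    return {
        "anomaly": len(blocks) > 1,   # more than one status line in one response
        "statuses": [b["status"] for b in blocks],
        "effective_status": first,    # the first status line is the one a client reads
        "cookies": cookies,
        # A Location header is only acted on when the effective status is 3xx.
        "orphaned_location": locations if first // 100 != 3 else [],
    }
```

Running `diagnose` over captures taken before and after applying the hotpatch mentioned above gives a quick check of whether the agent still emits its own status line ahead of the application's.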

Similar Messages

  • IM 6.0 , Policy agent 2.2 , IIS 6.0 not working.

    Friends,
    I have been trying to communicate from windows 2003 server where the policy agent 2.2 is configured through IIS 6.0 and trying to connect to IM 6.0 on a Solaris 9.0 server in vain. The authentication mode is LDAP ( Sun one directory server version 5.2).
    When we start up the IIS 6.0 and try to access the link (for security reasons I cannot post the link here) we do not get any logs on the IIS server. There are no logs found anywhere. However, we are able to ping the server which hosts IM 6.0 from the Windows 2003 server.
    Is there any best practice which we need to follow ? Could you guys help ?

    Seems like you are missing the most important component, AM

  • SunONE Web Server 6.1 SP7 crashes with Policy Agent 2.2 plugin

    Recently we started facing glibc issues on our webservers and wanted to know if any of you have come across such issues on your setups..
    Setup Info:
    - OS is RHEL 4.0
    - Sun ONE Web Server 6.1SP7
    - Policy Agent 2.2
    When a user logs in to our application for the first time, the policy agent on our webserver intercepts the request and redirects to the AM SSO server's login page for authentication. Before redirecting the request, the policy agent preserves the request (POST data) in our webserver and then redirects the request to the SSO server. After the user is authenticated on the SSO server, the SSO server redirects the request back to our webserver and the policy agent now tries to fetch the preserved post data for the user, where it fails (see errors below), and then the user gets a 'page cannot be displayed' error in the browser. Internally, the SJSWS crashes and gets restarted :(
    From logs:
    [29/Apr/2008:06:32:48] warning (13856): CORE3283: stderr: 2008-04-29 06:32:48.163 Warning 13856:897a4b8 ServiceEngine: Service::getPolicyResult():Result size is 0,tree not present for https://server1.gft.com:443/dummypost/sunpostpreserve2008-04-2906:31:50.311
    [29/Apr/2008:06:32:48] warning (13856): CORE3283: stderr: *** glibc detected *** free(): invalid pointer: 0x08265670 ***
    [29/Apr/2008:06:32:48] warning (13856): CORE3283: stderr: 2008-04-29 06:32:48.529 Warning 13856:897a4b8 ServiceEngine: Service::getPolicyResult():No passwd value in session response.
    [29/Apr/2008:06:32:48] catastrophe (13856): CORE3260: Server crash detected (signal SIGSEGV)
    [29/Apr/2008:06:32:48] info (13856): CORE3261: Crash occurred in NSAPI SAF service-j2ee
    [29/Apr/2008:06:32:48] failure (13107): CORE3107: Child process closed admin channel
    (At this point the SJSWS gets restarted)
    This issue is not always reproducible though !
    Appreciate your help on debugging this..

    Hi...
    just a guess try looking into this bug details ..it may be helpful
    http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6299862

  • How to manage coexistance of IIS policy agent and sun-passthrough from AS

    We have an IIS 6 with Policy Agent 2.2 and on the same instance we have the sun-passthrough plugin installed to redirect certain pages to an Application mounted on Sun App Server 8.2. We need to apply policies to requests to those pages before redirection is done, but it seems that the passthrough plugin is taking precedence over Policy Agent. Therefore, policies are not evaluated and all traffic is passed. The PA agent is installed as a wild card and passthrough as an ISAPI filter. We do not see a way to change priority (already set to HIGH) for the passthrough plugin. PA has the option in amAgent.properties and we set it already to HIGH. Any hint?
    Edited by: blancay on Sep 20, 2008 9:47 AM

    1) How to restrict the new employee from availing any type of leave company have a policy only after completion of probation employee can avail sick leave?
    Note 897623 User Exits in PT
    Use user exit to check It0019 or monitoring of tasks or reminder of dates or 0041 IT
    2) Sick leaves can be availed only after completion of 1 year. What are the settings I need to set?
    You can use quota deduction and user exit and read dates from 0041 for his entry date in company
    3) Earned leaves can be given to employees those who complete 2 years of service? what are the settings for this?
    base entitlement ie seniority quota check table v_t559l
    4) Intervening holidays and weekly offs can be treated as leaves in sick leave as well as earned leaves what are the customizing settings for this?
    counting rule and exit
    5) only female employees are entitled to avail maternity leave?what are the settings for this?
    feature pe03 MASEX  Set Infotype 80 Admissability for Employees
    read more on help.sap.com

  • Liberty IDP/SP/Policy Agent 2.2 and cookie hijacking

    Hi Gurus,
    In our implementation, we have IDP (eauthidp.etc.net) and an SP (eauthsp.etc.net) and some policy agents (eauthdev.etc.net).
    Both IDP and SP are AM 7.1. Policy agent is 2.2.
    We used IDP for authentication and SP for authorization. We would like to implement CookieHijacking changes also between SP and Policy Agents.
    With Liberty, is it possible? If yes then what URL do I need to give in com.sun.am.policy.agents.config.cdcservlet.url property of AMAgent.properties.
    Is there any other way of implementing this?
    Thanks,
    Vivek

    Hi N,
    I looked all the docs and done some analysis. I found that there is no out-of-the-box configuration.
    The way I could come up is:
    1. Configure Cookie Hijacking in PA.
    2. For CDSSO Servlet give following value:
    https://eauthsp2.etc.net/amserver/preLogin?metaAlias=eauthsp2.etc.net
    3. On the SP side, make CDSSO changes.
    4. Create a class that implements FederationSPAdapter. In that class either redirect to CDCServlet or do the same processing that CDCServlet does.
    I am still reading the documents on how to stick this class in the SP so that it will be called after SSOFederation process completes.
    Let me know if you think differently....
    Vivek

  • Unable to install policy agent 2.2 for Webserver 6.1 on Windows 2003

    Hi everybody,
    I've installed Java Enterprise Server (last version) on Windows 2003 with these components:
    - Directory Server
    - Access Manager
    - Webserver
    - Administration Server
    Everything works good, I can access all those components.
    Now I want to use Policy Agent 2.2. So I've downloaded it and I've tried to install...
    But during the installation process, an error message appears when I select the Web Server instance directory to protect.
    It says: "invalid web server instance - on windows, Access Manager Policy Agent only supports Web Server 6.0 and 6.1.....".
    The problem is that I work with WebServer 6.1....
    I really don't know what to do now... This message prevents me from going further.
    What's the problem? How can I avoid this?
    Thanks for your help!
    Adrien

    Okay, here's what it says:
    "The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, or the upgrade patch may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct update patch".
    I don't even know what program I'm supposed to have.
    Ideas, anyone?

  • SJWS 6.1 Policy Agent getting roles

    Hi,
    I've installed Policy Agent 2.2 in SJWS 6.1 and authentication is working properly. I've configured nativeRealm to get the user's principal from a web application (a servlet).
    In this scenario the user has two roles (it's working on WebLogic 8.1), but the Agent doesn't receive these roles from the server, and in the servlet the call to the function isUserInRoles doesn't work.
    Does anybody know if it is possible to work with roles, using J2EE security in servlets, with Sun Java WebServer 6.1 using Policy Agent 2.2 with Access Manager?
    Thanks a lot
    David

    Have you also tried not to set JAVAHOME at all as mentioned in the docs?
    -Bernhard

  • Policy Agent 2.2 with Tomcat connector (isapi_redirect.dll)?

    Dear All,
    We have installed Policy agent 2.2 for IIS6 to enable SSO with SUN Access Manager 7.1. Policy agent 2.2 was installed in IIS6 as wild card application mapping extension.
    Our IIS6 also contains Apache tomcat connector (isapi_redirect.dll) as it needs to front JBOSS application server.
    When we access protected resource Policy agent presents login screen. With the correct login details, policy agent authenticates successfully with SAM 7.1 and creates SSO token, which is good. But policyagent creates "goto" URL as /tomcat/isapi_redirect.dll rather than the original resource that user asked for as below?
    2010-12-23 18:57:57.397 Info 3220:1e5b0d0 PolicyAgent: do_redirect(): redirect_header = Location: http://am-server.com:8080/amserver/login?goto=http%3A%2F%2Ftest-server%3A80%2Ftomcat%2Fisapi_redirect.dll
    Any ideas on how to configure Policy agent for IIS6 when it has isapi_redirect.dll already installed on it.
    Thanks,
    Surya

    Hello Surya
    Did you find a solution for this issue? How did you solve it?
    Thank you
    Prashanth
    Edited by: user8605028 on Jun 15, 2011 1:24 PM

  • Policy Agent on Sun Application Server 9.1

    I'm attempting to deploy the Access Manager Policy Agent to Sun Application Server 9.1 and I'm running into some issues.
    Environment:
    amhost - Access Manager 7.0 on Sun Webserver can do both http and https
    ashost - Access Manager Policy Agent 2.2 on Sun Application Server 9.1
    If everything is set to http:
    When I attempt to access a simple servlet application (Headersnooper) I am redirected to the access manager server and when authentication is successful I see the browser attempting to redirect back to the application server and I see the following error in the Policy Agent debug logs amJAXRPC:
    11/13/2007 02:46:18:055 PM EST: Thread[httpSSLWorkerThread-8080-79,10,Grizzly]
    JAXRPCHelper: Connection to URL: https://ssodev.queensu.ca:443/amserver/jaxrpc/SMSObjectIF failed
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
    Why would it think to attempt to connect to https when everything in the agent is configured for http?
    Any thoughts or recommendations would be appreciated.

    Hi,
    One thing that could help is to look at the info in the agent logs, first increase Debug Logging Level, then restart the agent server and click thru your app, then look in agent runtime logs which should have more descriptive errors. For more detail on how to do this, try http://wikis.sun.com/display/OpenSSO/GlassFishAgentTrouble#GlassFishAgentTrouble-generaltips
    You could look on this page, which is mostly based on GlassFish server but could help for other servers as well.
    http://wikis.sun.com/display/OpenSSO/GlassFishAgentTrouble
    I have not installed either of the policy agents you mentioned. But with some of the other agents, like the Sun App server 9 (GlassFish) agent, it comes with a sample application, and I find that this is the best way to ensure your setup is good and you are following all steps etc. Once sample app is up, you can try your own apps with confidence.
    Since you already have the SJSAS 9 installed, maybe you could create a new domain and download/install the SJSAS 9 policy agent on the new domain. Then try out the sample app?
    Or if those other agents have a sample app then try it out.
    hth,
    Sean

  • Policy agent and normal portal logon on one portal

    We run a shared portal infrastructure and want to use multiple logon methods for accessing ESS MSS portal applications.
    Is it possible to log on via Policy Agent and with the normal SAP portal logon to the same application?

    We have 3 bespoke types of SSO logon methods, JAAS, SAML and PKI.
    This means users can logon via our bespoke SSO solutions or via the normal SAP standard delivered logon method with UID and password.
    Currently we are investigating if we can also implement the Sun policy agent as a logon method for the Portal and WAS. It should run in parallel with our current solutions without harming them.

  • Does URL Policy Agent of SunONE Web Server 6.1 works with Identity Server 6

    Hi,
    I'm using URL Policy Agent of SunONE Web Server 6.1, and using Identity Server 6.1 to configure policy to access web resource such as http://myweb.org.cn/test/*
    After configuration, I try to access the resource http://myweb.org.cn/test/test.html
    The redirection is ok, the IS login appears, but after logging in successfully, it still tells me that I don't have permission to view this web page.
    Is this because the URL policy agent doesn't support IS 6.1?
    Many thanks,

    Can anybody help me with the steps to generate core for this issue.. I followed the steps as said in http://blogs.sun.com/meena/entry/troubleshooting_server_crashes_enabling_core but I don't see any core generated when server crashes..
    Setup Info:
    - OS is RHEL 4.0
    - Sun ONE Web Server 6.1SP7
    - Policy Agent 2.2

  • Policy agent 2.1 in iis 5 and win 2000 form post

    Hi,
    I am facing a typical issue with policy agent 2.1 in windows 2000 iis 5. Here is the problem:
    Whenever we try to do an html form post, we get an http 200 response back with a blank screen with "ok" written on it.
    There is nothing interesting in the logs... When I completely uninstall the agent it works fine... Even if I put the not_enforced_list=* it has the same issue...
    Any help is highly appreciated.

    changed the notificationenabled=true which resolved the problem

  • Has anyone got the IIS Policy Agent 3.0 working with an ASP web application

    Hi,
    Can anyone please confirm if they have managed to get the IIS Policy Agent 3.0 working for an asp/asp.net web site on IIS 7 running on Windows Server 2008 64 bit?
    I have installed the 32bit version of the agent as my web site must support 32 bit applications.
    I have created a simple web site which works fine with the policy agent configured if the page is html, If I rename the html page to be of type asp I get an Object Move error.
    I would much appreciate if someone could confirm if they have managed to get an asp web site working with the policy agent.
    Note: The Policy Agent 2.2 worked perfectly with asp on IIS 6.0.
    Thanks in advance,
    Tommy.

    I managed to make Agent 3 work with IIS 7 for a sample application based on aspx in a Dev environment .... after modifying the sample application, I got the same errors as "Object removed" and others .... I have no idea what the hell. Fortunately, a super .Net star here spent a few minutes doing some tweaking on IIS, and made it work again .... don't ask me what he did, I am pretty dumb, and have no idea. :)
    Thanks

  • Policy Agent 2.2 on IIS 6 - Windows Server 2003 R2

    We are having problems with the Policy Agent 2.2 Hotpatch 4 not protecting Virtual Directories in IIS 6. Access to those are always allowed and nothing is written to the policy agent log when accessing anything in the virtual directories. Web sites are protected in a normal way.
    Is the protection of virtual directories even supported?
    Is protection of asp-pages supported with the IIS agent?
    We have followed the installation document to the letter. And we have quite a long experience from doing the same thing in java environments.

    I am no expert but try this out.
    Go to access Manager console and under Subjects for an org, go to Agents
    Create a new agent called the UrlAccessAgent and give it the same password as your shared secret found in the AMConfig.Properties file.
    That should probably fix your problem. These suggestions are going by the steps I took to fix this issue.

  • Sun One Identity Server Policy Agent 2.0 for IIS 5.0

    Hi,
    I try to use Sun Identity Server with IIS, so I installed policy agent 2.0 for IIS 5.0. My operating system is Windows 2000 Professional. I can see the ISAPI filter is loaded, but when I try to test the installation by accessing a testing page, like http://localhost/test.asp, I cannot go anywhere; the Sun Identity Server login page is not loaded. I checked the debug log file, and there are just two warning messages:
    2003-02-12 11:11:52.314 Warning 1316:00A548E8 PolicyAgent: Invalid URL for property (com.sun.am.policy.agents.accessDeniedURL) specified
    2003-02-12 11:11:52.798 Warning 1316:00A548E8 PolicyAgent: FqdnHandler::FqdnHandler() No value specified for fqdnMap.
    Could someone help me out here? Any suggestion will be appreciated.
    Thanks,
    Harold Chen

    Well, it's in the Agent's installation guide, section "Read me first", "Setting Fully Qualified Domain Name". :)
