Policy Agent 2.2 /SJSAS 9.1 EE: security works sporadically

Similar Messages

• J2EE Policy agent - login page config questions

  Hi,
  I'm trying to configure a customized login page for an application that is protected by a AM Policy Agent 2.2-01 on SJSAS 8.2.
  I am aware of this link:
  http://docs.sun.com/app/docs/doc/820-2539/gatai?l=en&a=view .
  This describes configuring the custom login for an app. Based on the doc, I have configured the following:
  1. I have the agent and my app on one instance on myhost.mydomain.com
  2. A url policy is protecting my app, configured in Access Manager 7.1. The url is http://myhost.mydomain.com:38080/myapp/*
  3. In my app's web.xml I have the following:
    <login-config>
          <auth-method>FORM</auth-method>
          <form-login-config>
              <form-login-page>/login.jsp</form-login-page>
              <form-error-page>/loginerror.jsp</form-error-page>
          </form-login-config> 4. In AMAgent.properties:
  com.sun.identity.agents.config.login.form[0] = /myapp/login.jsp
  com.sun.identity.agents.config.login.error.uri[0] = /myapp/loginerror.jsp
  com.sun.identity.agents.config.login.use.internal = false
  com.sun.identity.agents.config.login.content.file = FormLoginContent.txtThere doesnt seem to be any change in login page when I go to my app. It just redirects to the Access Manager login page, and when I login it redirects back to the app. The security behavior is correct but I would like the login page to be unique for the app.
  So my questions are:
  1. Am I using com.sun.identity.agents.config.login.use.internal correctly? I dont want it to use internal login, but my login file, right?
  2. My login page is protected by my url policy. Is that a problem? Should I be using com.sun.identity.agents.config.notenforced.uri[0] on the login page?
  3. Can anyone clarify to me exactly how and where the contents of FormLoginContent.txt is used?
  I'm kind of new to AM and Policy Agents, so i apologize if my questions seem very newb. Any help is appreciated. Thanks!
  -Matt

  Changing com.sun.identity.agents.config.filter.mode to URL_POLICY seemed to help. I am now seeing /myapp/login.jsp as the login page for my app. The logins themselves are failing, however. I am confused as to how to set up the jsp to work with the agent to log in.
  -Matt

• Sun Access Manager + Jboss Policy Agent + Testapplication Problem

  Hello everybody.
  I have set up Access Manager 7.1 on SJSAS 9.1 in a VMware and Jboss with Policy Agent 2.2 and a simple Webapp on another.
  The webapp just displays pages for users in different roles, f.e. admin und user page.
  When i go to the application in the browser und access a protected page, then I get redirected to the AM login screen and can login and get redirected back to the application.
  I did this with declarative security defined in web.xml, but the user doesn't get authenticated in the application.
  In my logfiles i got the following errors:
  amRealm log file
  09/19/2008 01:55:39:756 PM CEST: Thread[http-jboss.ams.com%2F127.0.0.1-8080-2,5,jboss]
  ERROR: AmRealm: failed to authenticate user: bob
  com.iplanet.sso.SSOException: Invalid session ID.AQIC5wM2LY4SfcwBenaL/TbPRPGHXQo8rhVWWfM3jGDEUUM=@AAJTSQACMDE=# AQIC5wM2LY4SfcyYT7kHKvROHG64m6WtlD8hnFLPmsKJyeY=@AAJTSQACMDE=#
     at com.sun.identity.jaxrpc.SOAPClient$SOAPContentHandler.endDocument(SOAPClient.java:910)
     at org.apache.xerces.parsers.AbstractSAXParser.endDocument(Unknown Source)
     at org.apache.xerces.impl.XMLDocumentScannerImpl.endEntity(Unknown Source)
     at org.apache.xerces.impl.XMLEntityManager.endEntity(Unknown Source)
     at org.apache.xerces.impl.XMLEntityScanner.load(Unknown Source)
     at org.apache.xerces.impl.XMLEntityScanner.skipSpaces(Unknown Source)
     at org.apache.xerces.impl.XMLDocumentScannerImpl$TrailingMiscDispatcher.dispatch(Unknown Source)
     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
     at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
     at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
     at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
     at com.sun.identity.jaxrpc.SOAPClient.send(SOAPClient.java:500)
     at com.sun.identity.jaxrpc.SOAPClient.send(SOAPClient.java:467)
     at com.sun.identity.idm.remote.IdRemoteServicesImpl.getMemberships(IdRemoteServicesImpl.java:465)
     at com.sun.identity.idm.AMIdentity.getMemberships(AMIdentity.java:880)
     at com.sun.identity.agents.realm.AmRealm.authenticateInternal(AmRealm.java:227)
     at com.sun.identity.agents.realm.AmRealm.authenticate(AmRealm.java:155)
     at com.sun.identity.agents.jboss.v40.AmJBossLoginModule.validatePassword(AmJBossLoginModule.java:104)
     at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     at java.lang.reflect.Method.invoke(Method.java:597)
     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
     at java.security.AccessController.doPrivileged(Native Method)
     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
     at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
     at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
     at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
     at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
     at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
     at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:257)
     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
     at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
     at java.lang.Thread.run(Thread.java:619) jboss logfile
  2008-09-19 13:55:39,756 DEBUG [com.sun.identity.agents.jboss.v40.AmJBossLoginModule] Bad password for username=bob Has anybody had similar erros and knows a solution?
  Thanks.

  Tanks handat      
  I found
  http://download.oracle.com/docs/cd/E19575-01/820-5816/galtf/index.html
  http://download.oracle.com/docs/cd/E19681-01/821-0267/gfxhz.html#scrolltoc     
  greetings
  alex davila

• Policy Agent on Sun Application Server 9.1

  I'm attempting to deploy the Access Manager Policy Agent to Sun Application Server 9.1 and I'm running into some issues.
  Environment:
  amhost - Access Manager 7.0 on Sun Webserver can do both http and https
  ashost - Access Manager Policy AGent 2.2 on Sun Application Server 9.1
  If everything is set to http:
  When i attempt to access a simple servlet application (Headersnooper) I am redirected the the access manager server and when authentication is successful I see the browser attempting to redirect back to the application server and I see the following error in the Policy Agent debug logs amJAXRPC:
  11/13/2007 02:46:18:055 PM EST: Thread[httpSSLWorkerThread-8080-79,10,Grizzly]
  JAXRPCHelper: Connection to URL: https://ssodev.queensu.ca:443/amserver/jaxrpc/SMSObjectIF failed
  javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
  at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1518)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
  at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
  Why would it think to attempt to connect to https when everything in the agent is configured for http?
  Any thoughts or recommendations would be appreciated.

  Hi,
  One thing that could help is to look at the info in the agent logs, first increase Debug Logging Level, then restart the agent server and click thru your app, then look in agent runtime logs which should have more descriptive errors. For more detail on how to do this, try http://wikis.sun.com/display/OpenSSO/GlassFishAgentTrouble#GlassFishAgentTrouble-generaltips
  You could look on this page, which is mostly based on GlassFish server but could help for other servers as well.
  http://wikis.sun.com/display/OpenSSO/GlassFishAgentTrouble
  I have not installed either of the policy agents you mentioned. But with some of the other agents, like the Sun App server 9 (GlassFish) agent, it comes with a sample application, and I find that this is the best way to ensure your setup is good and you are following all steps etc. Once sample app is up, you can try your own apps with confidence.
  Since you already have the SJSAS 9 installed, maybe you could create a new domain and download/install the SJSAS 9 policy agent on the new domain. Then try out the sample app?
  Or if those other agents have a sample app then try it out.
  hth,
  Sean

• Custom Authentication Issue with Policy Agent

  Hi,
  I have a custom authentication module which is hosted on the BEA application server and I am trying to access through the policy agent on apache.
  I have set the following property in AMAgent.properties file
  com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login
  So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication is succeed, user sesion is being created and I get the following error message in the agent log file.
  2004-10-19 16:20:26.908 Error 27620:e1140 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:3
  2004-10-19 16:20:26.908 128 27620:e1140 RemoteLog: User unknown was denied access to http://hostname:port/weblogic/protapp/protected/a.html.
  2004-10-19 16:20:26.908 Error 27620:e1140 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
  2004-10-19 16:20:26.909 Error 27620:e1140 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
  2004-10-19 16:20:26.909 -1 27620:e1140 PolicyAgent: URL Access Agent: access denied to unknown user
  The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
  Thanks
  Neeraj

  Hi Neeraj,
  I still have not been able to resolve that issue. Let me know If you find a solution for the same.
  Thanks,
  Srinivas

• Load balancers with web servers & policy agents

  I have a pair of host machines, hostA and hostB, running multiple web server instances, portalA, portalB, contentA, contentB, serviceA, serviceB, etc.
  The two hosts, hostA and hostB, are sitting behind load balancers. ServiceA and serviceB must be protected by login and I have a policy agent installed on hostA and hostB for these two instances.
  The load balancers respond to https://service/* and forward requests to http://serviceA:3456/* or http://serviceB:3456/* depending on the host selected by round-robin.
  I've been told that serviceA and serviceB cannot be running on the default 443 port (although we could enable SSL if we wanted) in order to work nicely with the other web server instances that are behind the load balancers.
  The problem is that the policy agent knows that it is running as http://serviceA:3456/.
  The user makes a request to the load balancers for:
  https://service/protected.html
  The load balancer passes the request to:
  http://serviceA:3456/protected.html
  The agent sends a redirect to login which sends the user to:
  http://service:3456/protected.html
  This final URL is not available through the load balancers and it's obviously not the public URL.
  I have fqdnDefault set to 'service.x.x' so the URL is rewritten to that extent. Is there a way to tell the agent that the port it's running on is not the public port (ie. that it's behind a NAT device)? Is there a way to tell the agent that it's should actually redirect to https and not http?

  Hi,
  CQ authoring does not leverage server side sessions, therefor you'll never loose data because of this.
  But: As the cluster has a small delay on synchronisation, it could be, that on a write and subsequent read you'll get the old content, if you don't have sticky sessions (because both requests are not processed by the same server). Therefor I advise you to use sticky sessions in front of a CQ authoring cluster.
  Jörg

• Setup-Problem while installing AM Policy Agent 2.1 on Solaris 10

  I'm new with AccessManager and try to get it working on Solaris 10 on a Sparc.
  I'm using LDAP-Server, WEB-Server 6.1 and AccessManager from the software-paket: "Sun Java System Access Manager 6 2005Q1" .
  While trying to install policy-agents on the Sparc (by starting setup program), I've got the message: "The installer ist intended for Solaris Operating System only".
  The agent-software I'm trying to install is "Access Manager Policy Agent 2.1 for Sun Java System Web Server 6.1" From there I choosed "Solaris SPARC 8".
  (so I've got the paket "S1WebServer_6[1].1_agent_2.1_sparc-sun-solaris2.8.tar.gz").
  In my opinion, it must be correct. Ist there anything i'done wronge?
  thanks, Paul

  Even when there is no agent available for Solaris 10 now:
  If you don't have any doubt to use an unsupported configuration, at
  least the apache agent is installable.
  You have to extract the packages "SUNWamapc" and "SUNWcom"
  from the tar-archive and install it using pkgadd.
  Then, you have to configure it manually ("include" in "httpd.conf",
  "AMAgent.properties").
  Maybe, it is possible to do something similiar with the agent for
  SUN webserver.
  Be aware that noone will guarantee that such unsupported
  installations won't raise any problems.
  Juergen

• No ?goto= after Policy agent install. Need help urgently....

  Hi all,
  We have installed the Policy Agent successfully on a particular web server instance. But when we try to access the web server instance root
  i.e.
  https://abc.def.com
  1) We are not presented with the access manager login page.
  2) When we type the url https://abc.def.com/search i.e the default search application, we are presented with the Access Manager login page but, the URL in the Browser does not have the "?goto=https://abc.def.com "
  i.e. it does not look like
  http://accessmanagerUrl.ghi.com?goto=https://abc.def.com
  Our setup is as follows
  Policy agent domain: abc.def.com
  Access Manager domain: zyx.wvu.com
  Our webserver isntance is configured for SSL while the Access Manager is not on SSL.
  Can anyone help with this issue? Has something like this been reported on this forum before?

  which policy agent are you using? Can you turn debugging on the agent?

• No log for am policy agent for iis6

  Hello!
  Im trying to get Policy Agent for IIS to run on my Win Srv 2003 with IIS6 and Sharepoint Services.
  I am running the OpenSSO version of Access Manager.
  I have installed the agent and done the initial cofiguration.
  When i try to browse the resource i get a login prompt (IIS Basic Auth)and cannot login followed by "Not Authorized 401.3"
  I should get redirected to the AM Login page, shouldn't I?
  I tried to look for answers in the log file but the /debug/<id> directory i empty.
  Anyone know what to do?
  The amAgent.properties file:
  # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
  # The syntax of this file is that of a standard Java properties file,
  # see the documentation for the java.util.Properties.load method for a
  # complete description. (CAVEAT: The SDK in the parser does not currently
  # support any backslash escapes except for wrapping long lines.)
  # All property names in this file are case-sensitive.
  # NOTE: The value of a property that is specified multiple times is not
  # defined.
  # WARNING: The contents of this file are classified as an UNSTABLE
  # interface by Sun Microsystems, Inc. As such, they are subject to
  # significant, incompatible changes in any future release of the
  # software.
  # The name of the cookie passed between the Access Manager
  # and the SDK.
  # WARNING: Changing this property without making the corresponding change
  # to the Access Manager will disable the SDK.
  com.sun.am.cookie.name = iPlanetDirectoryPro
  # The URL for the Access Manager Naming service.
  com.sun.am.naming.url = http://login.lta.mil.se:8080/opensso/namingservice
  # The URL of the login page on the Access Manager.
  com.sun.am.policy.am.login.url = http://login.lta.mil.se:8080/opensso/UI/Login
  # Name of the file to use for logging messages.
  com.sun.am.policy.agents.config.local.log.file = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAgent
  # This property is used for Log Rotation. The value of the property specifies
  # whether the agent deployed on the server supports the feature of not. If set
  # to false all log messages are written to the same file.
  com.sun.am.policy.agents.config.local.log.rotate = true
  # Name of the Access Manager log file to use for logging messages to
  # Access Manager.
  # Just the name of the file is needed. The directory of the file
  # is determined by settings configured on the Access Manager.
  com.sun.am.policy.agents.config.remote.log = amAuthLog.sharepoint.lta.mil.se.80
  # Set the logging level for the specified logging categories.
  # The format of the values is
  # <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
  # The currently used module names are: AuthService, NamingService,
  # PolicyService, SessionService, PolicyEngine, ServiceEngine,
  # Notification, PolicyAgent, RemoteLog and all.
  # The all module can be used to set the logging level for all currently
  # none logging modules. This will also establish the default level for
  # all subsequently created modules.
  # The meaning of the 'Level' value is described below:
  # 0 Disable logging from specified module*
  # 1 Log error messages
  # 2 Log warning and error messages
  # 3 Log info, warning, and error messages
  # 4 Log debug, info, warning, and error messages
  # 5 Like level 4, but with even more debugging messages
  # 128 log url access to log file on AM server.
  # 256 log url access to log file on local machine.
  # If level is omitted, then the logging module will be created with
  # the default logging level, which is the logging level associated with
  # the 'all' module.
  # for level of 128 and 256, you must also specify a logAccessType.
  # *Even if the level is set to zero, some messages may be produced for
  # a module if they are logged with the special level value of 'always'.
  com.sun.am.log.level = 5
  # The org, username and password for Agent to login to AM.
  com.sun.am.policy.am.username = UrlAccessAgent
  com.sun.am.policy.am.password = PN4rEZ1uhx1404ivWY6HPQ==
  # Name of the directory containing the certificate databases for SSL.
  com.sun.am.sslcert.dir = C:/Sun/Access_Manager/Agents/2.2/iis6/cert
  # Set this property if the certificate databases in the directory specified
  # by the previous property have a prefix.
  com.sun.am.certdb.prefix =
  # Should agent trust all server certificates when Access Manager
  # is running SSL?
  # Possible values are true or false.
  com.sun.am.trust_server_certs = true
  # Should the policy SDK use the Access Manager notification
  # mechanism to maintain the consistency of its internal cache? If the value
  # is false, then a polling mechanism is used to maintain cache consistency.
  # Possible values are true or false.
  com.sun.am.notification.enable = true
  # URL to which notification messages should be sent if notification is
  # enabled, see previous property.
  com.sun.am.notification.url = http://sharepoint.lta.mil.se:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
  # This property determines whether URL string case sensitivity is
  # obeyed during policy evaluation
  com.sun.am.policy.am.url_comparison.case_ignore = true
  # This property determines the amount of time (in minutes) an entry
  # remains valid after it has been added to the cache. The default
  # value for this property is 3 minutes.
  com.sun.am.policy.am.polling.interval=3
  # This property allows the user to configure the User Id parameter passed
  # by the session information from the access manager. The value of User
  # Id will be used by the agent to set the value of REMOTE_USER server
  # variable. By default this parameter is set to "UserToken"
  com.sun.am.policy.am.userid.param=UserToken
  # Profile attributes fetch mode
  # String attribute mode to specify if additional user profile attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user profile attributes will be introduced.
  # HTTP_HEADER - additional user profile attributes will be introduced into
  # HTTP header.
  # HTTP_COOKIE - additional user profile attributes will be introduced through
  # cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
  # The user profile attributes to be added to the HTTP header. The
  # specification is of the format ldap_attribute_name|http_header_name[,...].
  # ldap_attribute_name is the attribute in data store to be fetched and
  # http_header_name is the name of the header to which the value needs
  # to be assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organiz ational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
  # Session attributes mode
  # String attribute mode to specify if additional user session attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user session attributes will be introduced.
  # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
  # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
  # The session attributes to be added to the HTTP header. The specification is
  # of the format session_attribute_name|http_header_name[,...].
  # session_attribute_name is the attribute in session to be fetched and
  # http_header_name is the name of the header to which the value needs to be
  # assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.session.attribute.map=
  # Response Attribute Fetch Mode
  # String attribute mode to specify if additional user response attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user response attributes will be introduced.
  # HTTP_HEADER - additional user response attributes will be introduced into
  # HTTP header.
  # HTTP_COOKIE - additional user response attributes will be introduced through
  # cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
  # The response attributes to be added to the HTTP header. The specification is
  # of the format response_attribute_name|http_header_name[,...].
  # response_attribute_name is the attribute in policy response to be fetched and
  # http_header_name is the name of the header to which the value needs to be
  # assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.response.attribute.map=
  # The cookie name used in iAS for sticky load balancing
  com.sun.am.policy.am.lb.cookie.name = GX_jst
  # indicate where a load balancer is used for Access Manager
  # services.
  # true | false
  com.sun.am.load_balancer.enable = false
  ####Agent Configuration####
  # this is for product versioning, please do not modify it
  com.sun.am.policy.agents.config.version=2.2
  # Set the url access logging level. the choices are
  # LOG_NONE - do not log user access to url
  # LOG_DENY - log url access that was denied.
  # LOG_ALLOW - log url access that was allowed.
  # LOG_BOTH - log url access that was allowed or denied.
  com.sun.am.policy.agents.config.audit.accesstype = LOG_BOTH
  # Agent prefix
  com.sun.am.policy.agents.config.agenturi.prefix = http://sharepoint.lta.mil.se:80/amagent
  # Locale setting.
  com.sun.am.policy.agents.config.locale = en_US
  # The unique identifier for this agent instance.
  com.sun.am.policy.agents.config.instance.name = unused
  # Do SSO only
  # Boolean attribute to indicate whether the agent will just enforce user
  # authentication (SSO) without enforcing policies (authorization)
  com.sun.am.policy.agents.config.do_sso_only = true
  # The URL of the access denied page. If no value is specified, then
  # the agent will return an HTTP status of 403 (Forbidden).
  com.sun.am.policy.agents.config.accessdenied.url =
  # This property indicates if FQDN checking is enabled or not.
  com.sun.am.policy.agents.config.fqdn.check.enable = true
  # Default FQDN is the fully qualified hostname that the users should use
  # in order to access resources on this web server instance. This is a
  # required configuration value without which the Web server may not
  # startup correctly.
  # The primary purpose of specifying this property is to ensure that if
  # the users try to access protected resources on this web server
  # instance without specifying the FQDN in the browser URL, the Agent
  # can take corrective action and redirect the user to the URL that
  # contains the correct FQDN.
  # This property is set during the agent installation and need not be
  # modified unless absolutely necessary to accommodate deployment
  # requirements.
  # WARNING: Invalid value for this property can result in the Web Server
  # becoming unusable or the resources becoming inaccessible.
  # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
  # com.sun.am.policy.agents.config.fqdn.map
  com.sun.am.policy.agents.config.fqdn.default = sharepoint.lta.mil.se
  # The FQDN Map is a simple map that enables the Agent to take corrective
  # action in the case where the users may have typed in an incorrect URL
  # such as by specifying partial hostname or using an IP address to
  # access protected resources. It redirects the browser to the URL
  # with fully qualified domain name so that cookies related to the domain
  # are received by the agents.
  # The format for this property is:
  # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
  # This property can also be used so that the agents use the name specified
  # in this map instead of the web server's actual name. This can be
  # accomplished by doing the following.
  # Say you want your server to be addressed as xyz.hostname.com whereas the
  # actual name of the server is abc.hostname.com. The browsers only knows
  # xyz.hostname.com and you have specified polices using xyz.hostname.com at
  # the Access Manager policy console, in this file set the mapping as
  # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
  # Another example is if you have multiple virtual servers say rst.hostname.com,
  # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
  # abc.hostname.com and each of the virtual servers have their own policies
  # defined, then the fqdnMap should be defined as follows:
  # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
  # WARNING: Invalid value for this property can result in the Web Server
  # becoming unusable or the resources becoming inaccessible.
  com.sun.am.policy.agents.config.fqdn.map =
  # Cookie Reset
  # This property must be set to true, if this agent needs to
  # reset cookies in the response before redirecting to
  # Access Manager for Authentication.
  # By default this is set to false.
  # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
  com.sun.am.policy.agents.config.cookie.reset.enable=false
  # This property gives the comma separated list of Cookies, that
  # need to be included in the Redirect Response to Access Manager.
  # This property is used only if the Cookie Reset feature is enabled.
  # The Cookie details need to be specified in the following Format
  # name[=value][;Domain=value]
  # If "Domain" is not specified, then the default agent domain is
  # used to set the Cookie.
  # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
  # token=value;Domain=subdomain.domain.com
  com.sun.am.policy.agents.config.cookie.reset.list=
  # This property gives the space separated list of domains in
  # which cookies have to be set in a CDSSO scenario. This property
  # is used only if CDSSO is enabled.
  # If this property is left blank then the fully qualified cookie
  # domain for the agent server will be used for setting the cookie
  # domain. In such case it is a host cookie instead of a domain cookie.
  # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
  com.sun.am.policy.agents.config.cookie.domain.list=
  # user id returned if accessing global allow page and not authenticated
  com.sun.am.policy.agents.config.anonymous_user=anonymous
  # Enable/Disable REMOTE_USER processing for anonymous users
  # true | false
  com.sun.am.policy.agents.config.anonymous_user.enable=false
  # Not enforced list is the list of URLs for which no authentication is
  # required. Wildcards can be used to define a pattern of URLs.
  # The URLs specified may not contain any query parameters.
  # Each service have their own not enforced list. The service name is suffixed
  # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
  # for a particular service. SPACE is the separator between the URL.
  com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
  # Boolean attribute to indicate whether the above list is a not enforced list
  # or an enforced list; When the value is true, the list means enforced list,
  # or in other words, the whole web site is open/accessible without
  # authentication except for those URLs in the list.
  com.sun.am.policy.agents.config.notenforced_list.invert = false
  # Not enforced client IP address list is a list of client IP addresses.
  # No authentication and authorization are required for the requests coming
  # from these client IP addresses. The IP address must be in the form of
  # eg: 192.168.12.2 1.1.1.1
  com.sun.am.policy.agents.config.notenforced_client_ip_list =
  # Enable POST data preservation; By default it is set to false
  com.sun.am.policy.agents.config.postdata.preserve.enable = false
  # POST data preservation : POST cache entry lifetime in minutes,
  # After the specified interval, the entry will be dropped
  com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
  # Cross-Domain Single Sign On URL
  # Is CDSSO enabled.
  com.sun.am.policy.agents.config.cdsso.enable=false
  # This is the URL the user will be redirected to for authentication
  # in a CDSSO Scenario.
  com.sun.am.policy.agents.config.cdcservlet.url =
  # Enable/Disable client IP address validation. This validate
  # will check if the subsequent browser requests come from the
  # same ip address that the SSO token is initially issued against
  com.sun.am.policy.agents.config.client_ip_validation.enable = false
  # Below properties are used to define cookie prefix and cookie max age
  com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
  com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
  # Logout URL - application's Logout URL.
  # This URL is not enforced by policy.
  # if set, agent will intercept this URL and destroy the user's session,
  # if any. The application's logout URL will be allowed whether or not
  # the session destroy is successful.
  com.sun.am.policy.agents.config.logout.url=
  # Any cookies to be reset upon logout in the same format as cookie_reset_list
  com.sun.am.policy.agents.config.logout.cookie.reset.list =
  # By default, when a policy decision for a resource is needed,
  # agent gets and caches the policy decision of the resource and
  # all resource from the root of the resource down, from the Access Manager.
  # For example, if the resource is http://host/a/b/c, the the root of the
  # resource is http://host/. This is because more resources from the
  # same path are likely to be accessed subsequently.
  # However this may take a long time the first time if there
  # are many many policies defined under the root resource.
  # To have agent get and cache the policy decision for the resource only,
  # set the following property to false.
  com.sun.am.policy.am.fetch_from_root_resource = true
  # Whether to get the client's hostname through DNS reverse lookup for use
  # in policy evaluation.
  # It is true by default, if the property does not exist or if it is
  # any value other than false.
  com.sun.am.policy.agents.config.get_client_host_name = true
  # The following property is to enable native encoding of
  # ldap header attributes forwarded by agents. If set to true
  # agent will encode the ldap header value in the default
  # encoding of OS locale. If set to false ldap header values
  # will be encoded in UTF-8
  com.sun.am.policy.agents.config.convert_mbyte.enable = false
  #When the not enforced list or policy has a wildcard '*' character, agent
  #strips the path info from the request URI and uses the resulting request
  #URI to check against the not enforced list or policy instead of the entire
  #request URI, in order to prevent someone from getting access to any URI by
  #simply appending the matching pattern in the policy or not enforced list.
  #For example, if the not enforced list has the value http://host/*.gif,
  #stripping the path info from the request URI will prevent someone from
  #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
  #However when a web server (for exmample apache) is configured to be a reverse
  #proxy server for a J2EE application server, path info is interpreted in a different
  #manner since it maps to a resource on the proxy instead of the app server.
  #This prevents the not enforced list or policy from being applied to part of
  #the URI below the app serverpath if there is a wildcard character. For example,
  #if the not enforced list has value http://host/webapp/servcontext/* and the
  #request URL is http://host/webapp/servcontext/example.jsp the path info
  #is /servcontext/example.jsp and the resulting request URL with path info stripped
  #is http://host/webapp, which will not match the not enforced list. By setting the
  #following property to true, the path info will not be stripped from the request URL
  #even if there is a wild character in the not enforced list or policy.
  #Be aware though that if this is set to true there should be nothing following the
  #wildcard character '*' in the not enforced list or policy, or the
  #security loophole described above may occur.
  com.sun.am.policy.agents.config.ignore_path_info = false
  # Override the request url given by the web server with
  # the protocol, host or port of the agent's uri specified in
  # the com.sun.am.policy.agents.agenturiprefix property.
  # These may be needed if the agent is sitting behind a ssl off-loader,
  # load balancer, or proxy, and either the protocol (HTTP scheme),
  # hostname, or port of the machine in front of agent which users go through
  # is different from the agent's protocol, host or port.
  com.sun.am.policy.agents.config.override_protocol =
  com.sun.am.policy.agents.config.override_host =
  com.sun.am.policy.agents.config.override_port = true
  # Override the notification url in the same way as other request urls.
  # Set this to true if any one of the override properties above is true,
  # and if the notification url is coming through the proxy or load balancer
  # in the same way as other request url's.
  com.sun.am.policy.agents.config.override_notification.url =
  # The following property defines how long to wait in attempting
  # to connect to an Access Manager AUTH server.
  # The default value is 2 seconds. This value needs to be increased
  # when receiving the error "unable to find active Access Manager Auth server"
  com.sun.am.policy.agents.config.connection_timeout =
  # Time in milliseconds the agent will wait to receive the
  # response from Access Manager. After the timeout, the connection
  # will be drop.
  # A value of 0 means that the agent will wait until receiving the response.
  # WARNING: Invalid value for this property can result in
  # the resources becoming inaccessible.
  com.sun.am.receive_timeout = 0
  # The three following properties are for IIS6 agent only.
  # The two first properties allow to set a username and password that will be
  # used by the authentication filter to pass the Windows challenge when the Basic
  # Authentication option is selected in Microsoft IIS 6.0. The authentication
  # filter is named amiis6auth.dll and is located in
  # Agent_installation_directory/iis6/bin. It must be installed manually on
  # the web site ("ISAPI Filters" tab in the properties of the web site).
  # It must also be uninstalled manually when unintalling the agent.
  # The last property defines the full path for the authentication filter log file.
  com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
  com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
  com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAuthFilter

  If the agent doesnot start properly you would always get redirected to com.sun.am.policy.agents.config.accessdenied.url , if thats not specified you will get a 403.
  For the agent itself check that the naming.url is correct. the agent username and passwords are correct, and see that the user has priviledges to write to the agent log files. Apart from these post the windows event logs.

• Does the 2.1 web policy agent for Windows 2003 work on a 64 bit OS ?

  Does the 2.1 web policy agent for Windows 2003 work on a 64 bit OS ?
  I have a customer having a world of issues getting the agent to start.
  Jeff Courtade

  No. 64bit support is not there for 2.1 agents on Windows.
  -Subba

• Problem Installing Policy Agent 2.2 on Apache 2.2.3

  Hi all,
  I'm trying to configure policy agent 2.2 on apache 2.2.3 on linux platform CentOS (red hat 5.1).
  The configuration and the installation seem to work properly, in effect in the log file install.log you can find :
  [06/10/2008 16:38:49:865 CEST] Creating directory layout and configuring Agent file for Agent_001 instance ...SUCCESSFUL.
  [06/10/2008 16:38:49:936 CEST] Reading data from file /opt/web_agents/apache22_agent/passwordFile and encrypting it ...SUCCESSFUL.
  [06/10/2008 16:38:49:937 CEST] Generating audit log file name ...SUCCESSFUL.
  [06/10/2008 16:38:50:022 CEST] Creating tag swapped AMAgent.properties file for instance Agent_001 ...SUCCESSFUL.
  [06/10/2008 16:38:50:026 CEST] Creating a backup for file /etc/httpd/conf/httpd.conf ...SUCCESSFUL.
  [06/10/2008 16:38:50:031 CEST] Adding Agent parameters to /opt/web_agents/apache22_agent/Agent_001/config/dsame.conf file ...SUCCESSFUL.
  [06/10/2008 16:38:50:032 CEST] Adding Agent parameters to /etc/httpd/conf/httpd.conf file ...SUCCESSFUL.
  But, when I try to restart Apache it gives me an error and in the error.log file in Apache you can read:
  [Tue Jun 10 16:57:33 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
  [Tue Jun 10 16:57:34 2008] [notice] Digest: generating secret for digest authentication ...
  [Tue Jun 10 16:57:34 2008] [notice] Digest: done
  [Tue Jun 10 16:57:34 2008] [alert] Policy web agent configuration failed: NSPR error
  Configuration Failed
  Well, I found in the Sun documentation a well known bug about the NSPR and NSS library :
  Error message issued during installation of Policy Agent 2.2 on Linux systems
  When the Linux operating system is installed, specific components can be selected. Occasionally the specific components of the operating system selected lack the libraries necessary for Policy Agent 2.2 to function. When the complete Linux operating system is installed, all the required libraries are available. The libraries that are required for the agent to function are as follows: NSPR, NSS, and libxml2.
  Workaround: If the Linux operating system you are using is not complete, install the latest versions of these libraries as described in the steps that follow:
  At the time this note was added, the latest version of the NSPR library packages was NSPR 4.6.x , while the latest version of the NSS library package was NSS 3.11.x.
  To Install Missing Libraries for Policy Agent 2.2 on Linux Systems
  *+
  Install the NSS, and libxml2 libraries. These libraries are usually available as part of Linux installation media. NSPR and NSS are available as part of Mozilla binaries/development packages. You can also check the following sites:
  o
  NSPR: http://www.mozilla.org/projects/nspr/
  o
  NSS: http://www.mozilla.org/projects/security/pki/nss/
  So, I checked my libraries but they are upgraded to the latest version.
  If I comment the line that includes the libamapc22.so in the apache configuration file
  LoadModule dsame_module /opt/web_agents/apache22_agent/lib/libamapc22.so
  Apache can restart but the agent is misconfigurated!
  Any Idea?

  thank you Subhodeep for your reply,
  I didn't try to change the library file and I didn't find in licterature any information about library file changing in the Policy agent installation. Please, could you suggest me something more about which library to use instead of libamapc22.so?
  ps. I am using red hat 5.1, and from the release note of the policy agent seems that the latest platform version supported is red hat enterprise linux 4.0 versions.....
  this one could definitely be the reason of the misconfiguration.

• Policy Agent 3.0 for Tomcat - Cannot obtain Application SSO token

  Hi
  I am trying to configure Sun OpenSSO Enterprise Policy Agent 3.0 for Apache Tomcat Application Server 6.
  After installing the Policy Agent, Tomcat is not starting.
  The Error in the stack is :
  =========
  Jun 14, 2009 2:21:00 AM
  org.apache.tomcat.util.digester.Digester startElement
  SEVERE: Begin event threw error
  java.lang.ExceptionInInitializerError
  at
  com.sun.identity.agents.arch.AgentConfiguration.bootStrapClientConfig
  uration(AgentConfiguration.java:682)
  Caused by:
  com.sun.identity.security.AMSecurityPropertiesException:
  AdminTokenAction: FATAL ERROR: Cannot obtain Application
  SSO token.
  Check AMConfig.properties for the following properties
  com.sun.identity.agents.app.username
  com.iplanet.am.service.password
  at
  com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:
  258)
  =========
  There is no AMConfig.properties file. The Agent uses "OpenSSOAgentBootstrap.properties".
  Is there a workaround for this issue ?
  Cheers.

  Hi,
  I have the same Problem, did you come up with a solution for it?
  thanks
  Matrius

• Unable to install policy agent 2.2 for Webserver 6.1 on Windows 2003

  Hi everybody,
  I've installed Java Enterprise Server (last version) on Windows 2003 with these components:
  - Directory Server
  - Access Manager
  - Webserver
  - Administration Server
  Everything works good, I can access all those components.
  Now I want to use Policy Agent 2.2. So I've downloaded it and I've tried to install...
  But during the installation process, an error message appear when I select the Web Server instance directory to protect.
  It says: "invalid web server instance - on windows, Access Manager Policy Agent only supports Web Server 6.0 and 6.1.....".
  The problem is that I work with WebServer 6.1....
  I really don't know what to do now... This message prevent me to go further.
  What's the problem? How can I avoid this?
  Thanks for your help!
  Adrien

  Okay, here's what it says:
  "The upgrade patch cannot be installed by the Windows Installer service because the program to be upgraded may be missing, ot the updgrade pathc may update a different version of the program. Verify that the program to be upgraded exists on your computer and that you have the correct update patch".
  I don't even know what program I'm supposed to have.
  Ideas, anyone?

• Custom login page with Policy Agent 2.2 & Access Manager

  Hi,
  I’m trying to set up policy agent 2.2 and Access Manager to use the login page of the application I’m trying to secure. I’m not sure if this is the correct forum or not so feel free to move this if need be.
  I’ve been using this link: http://docs.sun.com/source/816-6884-10/chapter3.html#wp25376 but it doesn’t seem to make sense.
  In my AMAgent.properties file I’ve set up
  com.sun.identity.agents.config.login.form[0]=/contextRoot/login/login.jsp to my login page and I’ve also configured the web.xml for that application to use the login:
       <login-config>
            <auth-method>FORM</auth-method>
            <form-login-config>
                 <form-login-page>/login/login.jsp</form-login-page>
                 <form-error-page>/login/login.jsp</form-error-page>
            </form-login-config>          
       </login-config>
  When I try and access the login page I’m redirected to the default access manager login page. I did notice in the AMProperties.xml file the following line:
  com.sun.identity.agents.config.login.url[0] = http://amserverhost:80/amserver/UI/Login
  It seems like I should change that to point to my login page but I didn’t see any documentation supporting that. When I change that property to point to location of my login page, i get a redirect loop error.
  When I remove the com.sun.identity.agents.config.login.form[0] property all together, I just get a resource restricted error.
  Now when I configure the com.sun.identity.agents.config.login.form[0] property, set the config.login.url = to my login page AND set the com.sun.identity.agents.config.notenforced.uri[0] property equal to my login page (so the login page is no longer protected) I am able to see the login page
  Is unrestricting the login page correct? I’m able to access the login.jsp page directly and when I try and access protected resources I’m redirected back to the login page so everything seems to be working correctly but I’m not sure if this is the correct way.

  Hi Neeraj,
  I still have not been able to resolve that issue. Let me know If you find a solution for the same.
  Thanks,
  Srinivas

• Policy Agent Error

  Version:
  Solaris: 8
  IS 6.0
  Policy Agent 2.0
  Webserver: iWS 6.0
  I installed the agent, configured a policy protecting the resources on the webserver. When I access any resource, it throws me a login page (as it should). Once I submit the credentials, I get a 403 error on the page. The agent logs show the following:
  2003-01-30 13:38:23.168 Error 4355:42b508 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
  2003-01-30 13:38:23.168 Warning 4355:42b508 PolicyAgent: am_web_is_access_allowed(http://server.sub.com:8081/index.html, GET) denying access: status = access denied (20)
  2003-01-30 13:38:23.169 -1 4355:42b508 PolicyAgent: validate_session_policy() access denied to unknown user
  At the same time I can see the user session active under the IS console.
  Can somebody help me here?
  Thanks

  ahhh, what shared secret did you use to install. You should of used the amldapuser account password rather than amadmin
  Use the cryptutil to hash that password and stick it in the AMAgent file. Restart and all will be well.
  Steve