Policy agent and normal portal logon on one portal

We run a shared portal infrastructure and want to use multiple logon methods for accessing ESS MSS portal applications.
Is it possible to log on via Policy Agent and with the normal SAP portal logon to the same application?

We have 3 bespoke types of SSO logon methods: JAAS, SAML and PKI.
This means users can log on via our bespoke SSO solutions or via the normal SAP standard delivered logon method with UID and password.
Currently we are investigating whether we can also implement the Sun policy agent as a logon method for the Portal and WAS. It should run in parallel with our current solutions without harming them.

Similar Messages

  • Policy Agent and WebMethods Portal

    Hi,
    Is the PolicyAgent required to authenticate users and control the access to resources ?
    If yes, can we use the PolicyAgent/AccessManager with any server like for example WebMethods Portal ?
    Thanks,
    Adel

    Thanks for the reply, Shivaram. The issue appears to occur at random times, not exactly at the 3 min interval as you mention. I tested changing this value to 1; theoretically, after 1 minute of idle time, accessing a link would make the agent reset the time idle value for the user session in SAM, but it didn't, even after 3 minutes. This seems to be either a policy agent or system access manager bug.
    We performed a 'vanilla' test using the Apache server manual pages (only plain HTML, no POST requests); the pages are protected by the policy agent. At the first login, we were prompted to enter credentials to be validated by SAM/LDAP, and then a user session was created in the SAM session table. We browsed around the manual pages; once in a while, certain pages cause the policy agent to reset the time idle. However, revisiting these links after a few minutes doesn't reset the idle value. The caching setting has been disabled as well. Could there be some settings, or a lack of some settings, in AMConfig.properties or AMAgent.properties that might have caused this behavior?
    Thanks for all your help,

  • Access Manager Policy Agent and Oracle AS

    Hi,
    my system uses Oracle Application Server. The security dept uses Sun Access Manager. I need to integrate the security of the Oracle system with the policy agent. Where this gets a little confusing is that one of my developers tells me that this is difficult to implement and that Sun aren't planning on supporting the Oracle AS in future.
    What I would like is some clarification from the horse's mouth, so to speak. In particular, is it possible to integrate the policy agent and Oracle AS, and are Sun committed to supporting and developing for this?
    Thanks,
    Andy.

    "Where this gets a little confusing is that one of my developers tells me that this is difficult to implement"
    "it is NOT an implementation but an integration! Difficult? Why?"
    "and that Sun aren't planning on supporting the Oracle AS in future."
    There is a PA 2.2 for Oracle 10g! It is the latest version (2.2 I mean). I don't see any reason why Sun should not continue. But it is ONLY my point of view...
    "What I would like is some clarification from the horse's mouth, so to speak. In particular, is it possible to integrate the policy agent and Oracle AS, and are Sun committed to supporting and developing for this?"
    Of course it is possible because you can find the PA that will integrate your Oracle AS with a Sun AM.
    1) Please read the documentation.
    http://docs.sun.com/app/docs/coll/1322.1
    Download the one for Oracle and read also the user guide.
    PAs are very easy to integrate if you know what you are doing... especially if you understand the AM auth and SSO... If you can be helped by an AM guy from your company, it is welcome... It is a J2EE agent and of course the PA will do what is necessary to redirect you to AM at login time and later to authorize your request...
    2) Download the soft and do the job :-)
    Product Downloads
    Sun Java System Access Manager Policy Agent 2.2 for Oracle Application Server 10g
    http://www.sun.com/download/products.xml?id=455d52ed
    I did plenty of integrations with Sun/BEA/Tomcat AS (don't forget there are also web server agents like the Apache PA) with AM and it is not a big deal. Not Oracle, but it is an AS and I don't see why it should be difficult...
    Hope this helps a bit.

  • Difference between web policy agent and j2ee Policy agent ?

    Difference between web policy agent and j2ee Policy agent ?

    http://docs.sun.com/app/docs/doc/820-5816/ghscr?a=view

  • What is the difference between CE Portal and normal Portal

    Can someone tell me the difference between CE Portal & Normal Portal. I mean, I keep hearing that SAP EP 7.2 is CE portal whereas SAP EP 7.3 is not CE portal.
    Can I assume that CE (Composite environment) is a failure model so SAP switched back to Non-CE environment ? Your inputs please.

    Hello,
    SAP NetWeaver Composition Environment 7.1 and 7.2 were introduced as a lean "side-car" approach to complement the SAP NetWeaver standard release. The main reason was to provide composition tools and services based on an enhanced Java technology stack (back at the time).
    The official successor of SAP NetWeaver 7.0 (or any of the enhancement packages) has been SAP NetWeaver 7.3 (where we brought various tools together back into one SAP NetWeaver codeline). Nowadays we recommend the latest release: SAP NetWeaver 7.4 including the Enterprise Portal 7.4.
    Customers & Partners who did not want to install the full SAP NetWeaver Java stack had the chance to go with only the Composition Environment, which contained selected portal core services. These are mainly used for application integration / launching scenarios and do not support full enterprise portal (intranet / extranet) scenarios - that's why there is no KM included.
    Hope this helps to get a better understanding.
    Regards,
    Thomas

  • How to manage coexistance of IIS policy agent and sun-passthrough from AS

    We have an IIS 6 with Policy Agent 2.2 and on the same instance we have the sun-passthrough plugin installed to redirect certain pages to an application mounted on Sun App Server 8,2. We need to apply policies to requests to those pages before redirection is done, but it seems that the passthrough plugin is taking precedence over Policy Agent. Therefore, policies are not evaluated and all traffic is passed. The PA agent is installed as a wild card and passthrough as an ISAPI filter. We do not see a way to change priority (already set to HIGH) for the passthrough plugin. PA has the option in amAgent.properties and we already set it to HIGH. Any hint?
    Edited by: blancay on Sep 20, 2008 9:47 AM

    1) How to restrict the new employee from availing any type of leave? The company has a policy that an employee can avail sick leave only after completion of probation.
    Note 897623 User Exits in PT
    Use user exit to check IT0019 or monitoring of tasks or reminder of dates or 0041 IT
    2) Sick leaves can be availed only after completion of 1 year. What settings do I need to set?
    You can use quota deduction and user exit and read dates from 0041 for his entry date in the company
    3) Earned leaves can be given to employees who complete 2 years of service. What are the settings for this?
    base entitlement, i.e. seniority quota; check table v_t559l
    4) Intervening holidays and weekly offs can be treated as leaves in sick leave as well as earned leaves. What are the customizing settings for this?
    counting rule and exit
    5) Only female employees are entitled to avail maternity leave. What are the settings for this?
    feature pe03 MASEX  Set Infotype 80 Admissibility for Employees
    read more on help.sap.com

  • I've tried getting help on the Internet, going to numerous apple agents and asking people but no one seems to have an answer.

    Can anyone give me step by step instructions on how to connect an iPad 3 to an Epson SX 445? I can't find a solution anywhere. I've tried getting help on the Internet, going to numerous apple agent shops and asking people but no one seems to have an answer. Please help!!!!!

    The AirPrint compatible list shows:
    EPSON Stylus SX445W
    Is this your printer? If so, you should be able to connect it to your wireless network and use the AirPrint function to print.
    This may help: http://support.apple.com/kb/HT4356

  • NSAPI in Access Manager & Policy Agent

    Hi all,
    May I know is it possible to use NSAPI to be a communication channel between policy agent and access manager?
    I have installed Sun One Web Server together with policy agent, access manager is installed in another machine.
    I've looked through all related documentation but could not find NSAPI for policy agent or access manager.
    Thanks in advance!

  • URL Policy agent attributes -

    I installed a Policy Agent on a remote Web Server and pointed the policy agent to the Portal's Identity Server.
    When I click on the Policy agent in the Identity Server console, it displays the following message:
    "There are no attributes to display for this entry".
    How do I obtain the attributes for the URL Policy Agent? Is this a problem concerning the IS? Can anyone throw light on this issue?
    Thanks in advance
    raj

    It's the way it's supposed to be. There are no configurable attributes for this service.

  • Policy Agent SSL?

    I am new to access manager and have used another product that creates self-signed certs for their web agents. The self-signed certs provide an encrypted connection between the web agent and access server. How do I encrypt the connection between the policy agent and access manager? AFAIK I set up SSL for the access manager host and when I create a configuration file for the policy agent I state the access manager server protocol as https. Is it that simple? Will the policy agent be affected somehow when I renew the cert on the access manager host?
    And more generally, what's best business practice? I assume you want the traffic between the policy agent and access manager to be encrypted.

    I made mine work by adding the same Root CA certificate and two server certificates from the same CA authority to both the AM Web Server and the application (policy agent) web server...
    It really depends: if your application contains some sensitive information being displayed to your user, you should have SSL on the app server (Sun ONE Web Server) as well.
    If you renew the CA (root) cert on the AM Web Server, the same needs to be installed on the app web server as well...
    As a practice, your entire architecture should be on SSL except the DS and AM interaction, since that is probably behind a firewall - again, it depends on your configuration...
    Let me know if you need more help.
    regards,
    saahil

  • Extending WebLogic policy agent

    Hello all;
    I am using AM policy agent for WebLogic portal server. Is there a way to extend the functionality of this policy agent. I need to make the agent do more than what it provides OOTB. Is there a way to do that? Any suggestions?
    Thanks

    Hi Aaron;
    I am trying to see if I can force the policy agent to be invoked on non-protected resources. The agent is in J2EE mode. The scenario that I have is the whole site is open and nothing is protected so I have to make the policy agent recognize requests for both protected and non protected resources. The other issue I have is that even if I create a cookie the policy agent doesn't maintain the session state since the requests are for unprotected resources. It (PA) doesn't "touch" the cookie since the requests didn't go through it.
    Thanks,

  • Problem: Protect Sun Web Proxy Server 4.0.5 with Policy Agent 2.2

    We are trying to protect the Sun Web Proxy Server 4.0.5 with Policy Agent 2.2 on a Solaris 10 machine.
    We are using Access Manager 7.1 along with Directory Server 6.2.
    We are trying to protect the web proxy console URL http://domain.example.com with that policy agent so that when we hit the web proxy console URL
    it should throw us to the Access Manager login page, i.e. http://abc.com/amserver.
    How can we achieve this? What changes are required in the AMAgent.properties file? Please suggest.

    Hi subho,
    The problem is fixed. I have uninstalled the policy agent and reinstalled it again. The problem I found is that we didn't stop the web proxy instance when installing the policy agent. Thanks for the reply.

  • Need assistance on openSSO/Access Manager-policy agent on tomcat 5.5

    I'm asking here because there is no help from openSSO forum.
    I know that openSSO is quite the same with java access manager,
    so I assume that openSSO is identical to java access manager.
    I'm very new to the policy agent and I've tried to test it for my own web application, but it doesn't seem to work.
    Here is my situation :
    I'm using 2 servers:
    1. server using windows XP, installed with tomcat 5.5 and opensso inside (acts as openSSO server).
    I set the IP to be 192.168.0.3 and tomcat web server will be listening on port 8080
    2. server using windows XP, installed with tomcat 5.5 and my web application inside, and the policy agent.
    I set the IP to be 192.168.0.1 and tomcat web server will be listening on port 7070
    My web application is named "akademis" and I can access it with the usual method at the address http://192.168.0.1:7070/akademis.
    I installed the policy agent in the global web.xml of the tomcat configuration and I didn't change anything in the web.xml of my application.
    When I tried to access http://192.168.0.1:7070/akademis, I was redirected to the openSSO login page correctly and I entered username and password (username: amadmin). I passed the login page and was redirected to the page that I wanted, but it didn't work correctly because I got an HTTP message of 403 (forbidden).
    I got some clue in the policy agent logs :
    a. the amFilter log
    09/30/2006 01:08:25:890 PM ICT: Thread[http-7070-Processor25,5,main]
    09/30/2006 01:09:14:515 PM ICT: Thread[http-7070-Processor25,5,main]
    ERROR: URLFailoverHelper: No URL is available at this time
    09/30/2006 01:09:14:515 PM ICT: Thread[http-7070-Processor25,5,main]
    ERROR: AmFilter: Error while delegating to inbound handler: SSO Task Handler, access will be denied
    [AgentException Stack]
    com.sun.identity.agents.arch.AgentException: No URL is available at this time
    at com.sun.identity.agents.common.URLFailoverHelper.getAvailableURL(URLFailoverHelper.java:133)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getLoginURL(AmFilterRequestContext.java:748)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectURL(AmFilterRequestContext.java:285)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectURL(AmFilterRequestContext.java:258)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectResult(AmFilterRequestContext.java:363)
    at com.sun.identity.agents.filter.AmFilterRequestContext.getAuthRedirectResult(AmFilterRequestContext.java:345)
    at com.sun.identity.agents.filter.SSOTaskHandler.doSSOLogin(SSOTaskHandler.java:210)
    at com.sun.identity.agents.filter.SSOTaskHandler.process(SSOTaskHandler.java:98)
    at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
    at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
    at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
    at org.apache.catalina.cluster.tcp.ReplicationValve.invoke(ReplicationValve.java:346)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
    at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
    at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
    at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
    at java.lang.Thread.run(Thread.java:595)
    b. the amLog
    09/30/2006 01:08:09:921 PM ICT: Thread[main,5,main]
    09/30/2006 01:08:10:078 PM ICT: Thread[main,5,main]
    ERROR: RemoteHandler.getLogHostURL(): 'null' is malformed. null
    I think the reason that I failed is not in the openSSO/java access manager, because I got past the login page, and also in the amFilter log of the policy agent I see an error of "No URL is available at this time".
    Is there anyone who can help me with this problem? I'll be very glad if somebody can help me.
    thanks
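
The agent log format quoted in the post above (a timestamp/thread header line, then an optional level line and stack) can be triaged mechanically. The following is an added example, not part of the original post or of the agent's own tooling; the function names are hypothetical and the sample is an excerpt of the lines posted above.

```python
import re
from typing import Dict, List

# Header line of each record: "<date> <time> <AM/PM> <TZ>: Thread[<name>]"
HEADER = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3} [AP]M \w+): "
    r"Thread\[(?P<thread>[^\]]+)\]$"
)
LEVEL = re.compile(r"^(?P<level>[A-Z]+): (?P<msg>.+)$")

# Excerpt of the amFilter log from the post (stack shortened to two frames).
SAMPLE_LOG = """\
09/30/2006 01:08:25:890 PM ICT: Thread[http-7070-Processor25,5,main]
09/30/2006 01:09:14:515 PM ICT: Thread[http-7070-Processor25,5,main]
ERROR: URLFailoverHelper: No URL is available at this time
09/30/2006 01:09:14:515 PM ICT: Thread[http-7070-Processor25,5,main]
ERROR: AmFilter: Error while delegating to inbound handler: SSO Task Handler, access will be denied
[AgentException Stack]
com.sun.identity.agents.arch.AgentException: No URL is available at this time
at com.sun.identity.agents.common.URLFailoverHelper.getAvailableURL(URLFailoverHelper.java:133)
at com.sun.identity.agents.filter.AmFilterRequestContext.getLoginURL(AmFilterRequestContext.java:748)
"""


def parse_agent_log(text: str) -> List[Dict]:
    """Group log lines into records; a header with no body yields an empty record."""
    records: List[Dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current = {"ts": header.group("ts"), "thread": header.group("thread"),
                       "level": None, "message": None, "exception": None, "frames": []}
            records.append(current)
            continue
        if current is None:
            continue  # text before the first header line
        level = LEVEL.match(line)
        if line.startswith("at "):
            current["frames"].append(line[3:])
        elif current["level"] is None and level:
            current["level"], current["message"] = level.group("level"), level.group("msg")
        elif not line.startswith("[") and current["exception"] is None:
            current["exception"] = line  # first line of the stack: class and message
    return records


def denied_requests(records: List[Dict]) -> List[Dict]:
    """Records where the agent states that it will deny access, with the stated cause."""
    out = []
    for rec in records:
        if rec["level"] == "ERROR" and "access will be denied" in (rec["message"] or ""):
            cause = (rec["exception"] or rec["message"]).partition(": ")[2]
            where = rec["frames"][0] if rec["frames"] else None
            out.append({"ts": rec["ts"], "thread": rec["thread"],
                        "cause": cause, "where": where})
    return out


if __name__ == "__main__":
    for denial in denied_requests(parse_agent_log(SAMPLE_LOG)):
        print(denial)
```
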

    Please try the fix as suggested in the following and let us know the results.
    http://support.microsoft.com/default.aspx?scid=kb;EN-US;196271
    http://forum.java.sun.com/thread.jspa?threadID=346820&messageID=1436761
    Thanks,
    Subba

  • ID Server and Policy Agent for AS .. is secure?

    Hello there,
    I have a question. Quite a critical question, concerning the iPlanetDirectoryPro cookie. If I've got it right, this cookie contains the SSO Token. And the SSO token can be used with identity server to obtain any SSO assertion. I've experimentally confirmed this.
    Now, can anyone tell me why this cookie is sent to any host in my domain? The default after installation is "bgs.sk". This default value enables any host in my domain to impersonate me. Well, I still can change this, but it is not good to have insecure default values anyway, is it?
    Second, and more critical problem: I have Policy Agent installed on my Application Server. It looks like the agent requires access to the iPlanetDirectoryPro cookie to work correctly. But, if my application server has my SSO token, it can impersonate me anywhere. Not a good situation at all. That would mean a security hole as big as hangar doors.
    Are my assumptions correct? Am I overlooking something?
    (All valid for ID server 6.0 and Liberty protocols)
    Thanks for any help.
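
The cookie-scope concern in the question above can be checked mechanically with the RFC 6265 domain-match rule. The following is an added example, not part of the original post or of the product; the hostnames under bgs.sk and the token value are constructed, and public-suffix handling is left out.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    set_by_host: str              # host whose response carried Set-Cookie
    domain: Optional[str] = None  # Domain attribute; None means host-only
    secure: bool = False
    http_only: bool = False


def parse_set_cookie(header_value: str, set_by_host: str) -> Cookie:
    """Parse the attributes of one Set-Cookie value that decide its scope."""
    first, *attrs = [part.strip() for part in header_value.split(";")]
    cookie = Cookie(name=first.partition("=")[0].strip(),
                    set_by_host=set_by_host.lower())
    for attr in attrs:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "domain" and value.strip():
            # RFC 6265 section 5.2.3: a leading dot is ignored.
            cookie.domain = value.strip().lstrip(".").lower()
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_sent_to(cookie: Cookie, host: str, https: bool = True) -> bool:
    """Would a browser attach this cookie to a request for `host`?"""
    host = host.lower()
    if cookie.secure and not https:
        return False
    if cookie.domain is None:
        return host == cookie.set_by_host          # host-only cookie
    if host == cookie.domain:
        return True
    # RFC 6265 section 5.1.3: suffix match on a label boundary, never for IPs.
    return host.endswith("." + cookie.domain) and not _is_ip(host)


def recipients(cookie: Cookie, hosts: List[str], https: bool = True) -> List[str]:
    return [h for h in hosts if is_sent_to(cookie, h, https)]


def findings(cookie: Cookie, hosts: List[str]) -> List[str]:
    """Review notes for a session-token cookie against a host inventory."""
    notes = []
    extra = [h for h in recipients(cookie, hosts) if h != cookie.set_by_host]
    if extra:
        notes.append("token also sent to: " + ", ".join(extra))
    if not cookie.secure:
        notes.append("no Secure attribute: sent over plain HTTP")
    if not cookie.http_only:
        notes.append("no HttpOnly attribute: readable by page scripts")
    return notes


# Constructed inventory and Set-Cookie values (TOKEN is a placeholder).
HOSTS = ["am.bgs.sk", "app.bgs.sk", "test.dev.bgs.sk", "bgs.sk", "notbgs.sk"]
WIDE = parse_set_cookie("iPlanetDirectoryPro=TOKEN; Domain=.bgs.sk; Path=/", "am.bgs.sk")
NARROW = parse_set_cookie("iPlanetDirectoryPro=TOKEN; Path=/; Secure; HttpOnly", "am.bgs.sk")

if __name__ == "__main__":
    for label, cookie in (("domain-wide", WIDE), ("host-only", NARROW)):
        print(label, recipients(cookie, HOSTS), findings(cookie, HOSTS))
```
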

    Although Sun promotes Identity Server by emphasizing its Liberty/SAML feature, the product itself uses a proprietary protocol for SSO and CDSSO.
    As we all know, this product could be totally useless without Sun's Policy/J2EE Agent deployed. But ironically these agents communicate with Identity Server in their own way, which has nothing to do with SAML, XACML, or even SOAP.
    The agent approach is usually not a good idea. We saw more and more problems raised from the field related to agent stability and scalability. We never see any performance benchmark data from Sun. Since the communication between agent and Identity Server is proprietary, no ISV can make an agent for this product. You have to wait for Sun for agent support if you have a new system not on the support matrix.
    In addition to the agent, another big issue of Identity Server is its complex DIT structure. In fact, we prefer to have an RDBMS as Identity Server's repository. Sun abuses LDAP just because this company doesn't have any database product but still wants to provide a pure Sun platform (JES) to the customer. So they compromise the architecture for business reasons. I'd like to tell you, I don't like the way Identity Server stores data in the DIT, I don't like the console UI (it's for technical geeks), and no one in our company dares to do any configuration change.
    Now Sun puts Identity Server at the core of its JES product stack. If you have time to take a look at how the SJS Portal uses Identity Server and how SSO between the Portal channel and Email/Calendar Server is achieved, you'll find that you just bought a "framework" (I mean Identity Server), not a product, because you have to do every integration work by intensive coding.
    I predict that Identity Server will be significantly rearchitected in the near future, otherwise we don't see any benefit this product can bring to me. It is a headache for deployment as well as maintenance. If you just need Single Sign-On, there are lots of alternatives to achieve it; Sun's Identity Server is really overkill. Its authentication feature is OK, but the authorization feature (policy, role) is very limited. If you have lots of Windows/IIS web apps that need to do SSO with Identity Server, God bless you... you'd better have a sharp programmer to wrap up the C API so that your ASP programmers can leverage the Identity Server SDK, and you've got to pray for the IIS agent to behave well. In addition, don't forget to learn more about JATO if you want to do some fancy customization on the default login page.

  • Policy Agent 2.2, IIS 6.0, CDSSO and redirects after authentication

    Hi
    I've got a problem where a HTTP/1.1 200 and 302 are returned by the Policy Agent / Application, after the Javascripted POST by the CDCServlet content is performed.
    The expected functionality is that the user is authenticated with the AM, the CDC Servlet serves the JavaScript page that will do a POST to the Policy Agent. The Policy Agent should then do what it needs to do with the POST, and forward request to the Application. The Application then does what it needs to do, and in this case, serves a HTTP/1.1 302 for redirection back to the browser.
    However, it seems that the Policy Agent might be returning a HTTP/1.1 200, and setting the iPlanetDirectoryPro cookie, quickly followed by the HTTP/1.1 302 and the setting of whatever cookies it wants to set.
    The Policy Agent should be respecting the return code of the Application. This problem does not appear when run against the Policy Agent for the Sun ONE Web Server.
    Wondering if anyone has seen this before?
    Here is sanitized output from a trace on the POST and resulting response.
    POST /oslp/?sunwMethod=GET HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
    Accept-Language: en-au
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
    Host: sco88342744.corp.qed.qld.gov.au
    Content-Length: 3496
    Connection: Keep-Alive
    Cache-Control: no-cache
    X-ProcessAndThread: IEXPLORE.EXE [904; 2908]
    LARES=<snip>
    HTTP/1.1 200 OK
    Date: Wed, 16 May 2007 22:25:42 GMT
    Server: Microsoft-IIS/6.0
    Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcz8tCfJ96AXxjIgRzuZJDgE7gMeTO0iIS4%3D%40AAJTSQACMDQ%3D%23;Path=/
    HTTP/1.1 302 Found
    Date: Wed, 16 May 2007 22:25:42 GMT
    Server: Microsoft-IIS/6.0
    X-AspNet-Version: 1.1.4322
    Location: /oslp/user/signon.aspx
    Set-Cookie: ASP.NET_SessionId=lh4sus55y1iy2r5514onnjuj; path=/
    Cache-Control: no-cache
    Pragma: no-cache
    Expires: -1
    Content-Type: text/html; charset=utf-8
    Content-Length: 139
    <html><head><title>Object moved</title></head><body>
    <h2>Object moved to <a href='/oslp/user/signon.aspx'>here</a>.</h2>
    </body></html>

    Hi,
    we had the same problem, but we got support
    from readme.txt
    Bug#: 6789020
    Agent type: All Agents
    Description: In CDSSO mode non enforced POST requests cannot be accessed
    Bug#: 6736820
    Agent type: IIS 6 Agent
    Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
    Both bugs should be fixed in this version:
    Sun Java System Web Agents 2.2-02 hotpatch2
