Policy agent protected URL auth problem

Hi all,
Does anyone know why the policy agent failed to identify a user with a valid cert and LDAP pwd and thus allow the user to go to the protected URL resources? (IIS with policy agent 2.0 for W2K)
The IDS server instance was created with security on and "Client Auth" also on. All the accesses worked OK while the "client auth" is not ON. In fact, the user could go to the user profile page with the cert or the LDAP pwd, OAC were all set to enable cert and LDAP=SUFFICIENT even when "client auth" is on, just could not get to the URL it protected. (IDS is running on a Solaris box, V6.0 mtr from the download center)
The policy agent logs showed an IDS authentication service failure with code 3.
Any hints on that?

When a user clicks the logout button in your Portal application, that link needs to send the user to the /amserver/UI/Logout page to terminate the session. You can specify the goto parameter in the link so the user does not see the logout page. You can also specify a particular logout URL pattern in the AMAgent.properties file, so that when the agent sees a request for that URL it will terminate the session on the AM server and clear out its cache.

Similar Messages

  • Can policy agent protect multiple instances of app server

    I created multiple instances of Sun ONE App server 7.0, and one web-app in each instance. But When I am installing Policy Agent 1.1 for the second instance of App server, it told me that I HAVE had it installed.
    How can I protect multiple instances of App server?

    I see another thread on this subject. Thanks.

  • URL Policy agent attributes -

    I installed a Policy Agent on a remote Web Server and pointed the policy agent to the Portal's Identity Server.
    When I click on the Policy agent in the Identity Server console, it displays the following message
    "There are no attributes to display for this entry".
    How to obtain the attributes for the URL Policy Agent? Is this a problem concerning the IS? Can anyone throw light on this issue?
    thanx in advance
    raj

    It's the way it's supposed to be. There are no configurable attributes for this service.

  • Policy Agent + Distributed Authentication UI?

    Can I deploy the distAuth application inside a policy agent protected container, or does it have to be deployed in a non-protected container?
    Thanks,
    Michael.

    Thanks, that's exactly the answer I was looking for. I was trying to deploy on a J2EE container, and while I'm interested in the workarounds, it's probably simpler for me to just deploy another container instance.

  • Problem: Protect Sun Web Proxy Server 4.0.5 with Policy Agent 2.2

    We are trying to protect the Sun Web proxy Server 4.0.5 with policy agent 2.2 on solaris 10 machine.
    We are using Access Manager 7.1 along with directory server 6.2
    We are trying to protect the web proxy console url http://domain.example.com with that policy agent so that when we hit the web proxy console url
    it should throw us to the access manager login page, i.e. http://abc.com/amserver.
    How can we achieve this? What changes are required in the AMAgent.properties file? Please suggest.

    Hi subho,
    problem is fixed. i have uninstalled the policy agent and reinstalled it again. the problem i found is we didn't stop the webproxy instance when installing policy agent. Thanks for the reply

  • How to protect both access (http and https) with a Policy Agent

    Hi,
    During the installation of a web Policy Agent (i.e. Policy Agent for IIS) we have to choose the protocol (and port) of the web server we want to protect.
    If we have an IIS with secure (https) and non secure (http) applications, how we manage this scenario with the policy agent?
    Regards,

    Hi,
    Finally, i have installed the agent in IIS5 in the non secure port (http) and in fact it detects both access (http and https) fine.
    The problem now is that if i try to access a non secure url ( http://mynonsecureapp.com ) all works fine, the agent redirects to https://myaccessmanager.com:443/amserver/UI/Login?goto=http://mynonsecureapp.com but when i try to access a secure url ( https://mysecureapp.com ) the agent tries to redirect me to: https://myaccessmanager.com:443/amserver/UI/Login?goto=http://mysecureapp.com (notice that the agent removes the 's' in the url).
    The amAgent log file shows:
    2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_notification(), https://sigcit.agp.gva.es:443/fullcitriweb is not notification url http://sigcit.agp.gva.es:80/amagent/UpdateAgentCacheServlet?shortcircuit=false.
    2008-07-17 09:44:08.296 Warning 656:d8f6b0 PolicyAgent: OnPreprocHeaders(): Access Manager Cookie not found.
    2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): url 'https://sigcit.agp.gva.es:443/fullcitriweb' path_info ''.
    2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): processing url http://sigcit.agp.gva.es:80/fullcitriweb.
    2008-07-17 09:44:08.296 Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): client_ip 172.27.65.62 not found in client ip not enforced list
    Any ideas?
    Regards,
    Edited by: idm_oceanic on Jul 17, 2008 1:33 AM
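
The log excerpt in the post above shows the agent receiving an `https://...:443` request and then "processing" it as `http://...:80`. The following is an added example, not part of the original post or of the agent's own code: it pairs those two `am_web_is_access_allowed()` lines per thread and reports requests whose scheme or port was rewritten. The sample lines are constructed in the same layout, with placeholder hostnames.

```python
import re
from urllib.parse import urlsplit

# Layout copied from the amAgent excerpt: the level may be glued to the
# timestamp ("...296MaxDebug") or separated by padding spaces.
LINE_RE = re.compile(
    r"^\+?(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s*"
    r"(?P<level>[A-Za-z]+)\s+(?P<thread>\d+:[0-9a-f]+)\s+PolicyAgent:\s+"
    r"am_web_is_access_allowed\(\):\s+(?P<msg>.*?)\.?\+?$"
)
REQUESTED_RE = re.compile(r"^url '(?P<url>[^']+)'")
PROCESSED_RE = re.compile(r"^processing url (?P<url>\S+)$")
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(scheme)


def find_rewrites(lines):
    """Report requests whose origin differs from the URL the agent evaluated."""
    pending = {}   # thread id -> URL as received from the web server
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        thread, msg = m["thread"], m["msg"]
        req = REQUESTED_RE.match(msg)
        if req:
            pending[thread] = req["url"]
            continue
        proc = PROCESSED_RE.match(msg)
        if proc and thread in pending:
            requested, processed = pending.pop(thread), proc["url"]
            ro, po = origin(requested), origin(processed)
            if ro != po:
                findings.append({
                    "thread": thread,
                    "requested": requested,
                    "processed": processed,
                    # True when a TLS request is evaluated as plain HTTP,
                    # which is what produces the http:// goto value.
                    "scheme_downgrade": ro[0] == "https" and po[0] == "http",
                })
    return findings


# Constructed sample lines (placeholder hosts), same layout as the post.
SAMPLE = [
    "2008-07-17 09:44:08.296 Warning 656:d8f6b0 PolicyAgent: OnPreprocHeaders(): Access Manager Cookie not found.",
    "2008-07-17 09:44:08.296   Debug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): url 'https://secure.example.com:443/app' path_info ''.",
    "2008-07-17 09:44:08.296MaxDebug 656:d8f6b0 PolicyAgent: am_web_is_access_allowed(): processing url http://secure.example.com:80/app.",
    "2008-07-17 09:44:09.101   Debug 656:d8f6c4 PolicyAgent: am_web_is_access_allowed(): url 'http://plain.example.com:80/app' path_info ''.",
    "2008-07-17 09:44:09.101MaxDebug 656:d8f6c4 PolicyAgent: am_web_is_access_allowed(): processing url http://plain.example.com:80/app.",
]

if __name__ == "__main__":
    for f in find_rewrites(SAMPLE):
        print(f)
```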

  • Policy Agent 2.0 redirect after auth

    Versions:
    Solaris 8
    Identity Server 6.0
    Policy Agent 2.0
    Web Server: iWS 6.0
    We are having a problem with redirecting users to a specific page after authentication.
    Here is our scenario:
    When a user tries to access a URL on our WS with the Policy Agent 2.0 installed, they get redirected to our login page on the Identity Server, which is fine.
    The problem is that the original URL is appended in a "goto," and after successfully logging in, the user is redirected to the page in the "goto," and not our default success URL.
    We are unable to force the user to a specific success URL after login.
    Is there a way to prevent the "goto" from being called, or to force a specific success URL regardless of what is being called in the "goto".
    We are unsure if this needs to occur in the setup of the organization in the IS, or if it needs to happen in the AMagent.properties file in the Policy Agent.
    Please help!

    Thanks for all replies.
    Apache: There is nothing special in access_log and error_log. However, there is no problem to use policy agent on Solaris 2.9 + Apache 1.3.26.
    IIS: The system path contains the right folder that holds the dll (i think that's done by the installation program), while the system was rebooted several times but the situation didn't improve.
    Thanks again.
    Rgds.

  • Protecting a REST web service with Policy Agent

    I have deployed a REST web service in Glassfish using Jersey Annotations. A UI in the same Glassfish instance is protected by a policy agent that forces users through a login page. I would like to protect the REST web service with BASIC Authentication using the same policy agent. Is this possible? Is there supporting documentation?

    Hi Daniel,
    When you publish a message through Rest, hope your Restful service will receive/process the posted message?
    So
    YourBizTalk -->(Post Message to)-->RestFulService
    From the error message, "the published message could not be routed because no subscribers were found.", it seems like the this Restful service is a
    wrapper (or service interface) for BizTalk at client end( where message has been posted thru Rest) and actual posted message is “processed” by BizTalk and the error "" is from BizTalk "after" Rest. This message says the message you posted
    through rest is not found subscription at their end.
    So
    YourBizTalk -->(Post Message to)-->RestFulService -->Clients'BizTalk.
    Here problem is at Clients'BizTalk as shown where the posted message to their BizTalk is not processed because no subscription has been found.
    If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

  • URL Policy agent attributes - Not displayed

    I installed a Policy Agent on a remote Web Server and pointed the policy agent to the Identity Server installed along with the Portal.
    When I click on the Policy agent in the Identity Server console, it displays the following message
    "There are no attributes to display for this entry".
    How to obtain the attributes for the URL Policy Agent Service? Is this a problem concerning the IS? Can anyone throw light on this issue?
    thanx in advance
    raj

    It's the way it's supposed to be. There are no configurable attributes for this service.

  • Sun Access Manager + Jboss Policy Agent + Testapplication Problem

    Hello everybody.
    I have set up Access Manager 7.1 on SJSAS 9.1 in a VMware and Jboss with Policy Agent 2.2 and a simple Webapp on another.
    The webapp just displays pages for users in different roles, e.g. admin and user page.
    When i go to the application in the browser and access a protected page, then I get redirected to the AM login screen and can login and get redirected back to the application.
    I did this with declarative security defined in web.xml, but the user doesn't get authenticated in the application.
    In my logfiles i got the following errors:
    amRealm log file
    09/19/2008 01:55:39:756 PM CEST: Thread[http-jboss.ams.com%2F127.0.0.1-8080-2,5,jboss]
    ERROR: AmRealm: failed to authenticate user: bob
    com.iplanet.sso.SSOException: Invalid session ID.AQIC5wM2LY4SfcwBenaL/TbPRPGHXQo8rhVWWfM3jGDEUUM=@AAJTSQACMDE=# AQIC5wM2LY4SfcyYT7kHKvROHG64m6WtlD8hnFLPmsKJyeY=@AAJTSQACMDE=#
       at com.sun.identity.jaxrpc.SOAPClient$SOAPContentHandler.endDocument(SOAPClient.java:910)
       at org.apache.xerces.parsers.AbstractSAXParser.endDocument(Unknown Source)
       at org.apache.xerces.impl.XMLDocumentScannerImpl.endEntity(Unknown Source)
       at org.apache.xerces.impl.XMLEntityManager.endEntity(Unknown Source)
       at org.apache.xerces.impl.XMLEntityScanner.load(Unknown Source)
       at org.apache.xerces.impl.XMLEntityScanner.skipSpaces(Unknown Source)
       at org.apache.xerces.impl.XMLDocumentScannerImpl$TrailingMiscDispatcher.dispatch(Unknown Source)
       at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
       at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
       at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
       at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
       at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
       at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
       at com.sun.identity.jaxrpc.SOAPClient.send(SOAPClient.java:500)
       at com.sun.identity.jaxrpc.SOAPClient.send(SOAPClient.java:467)
       at com.sun.identity.idm.remote.IdRemoteServicesImpl.getMemberships(IdRemoteServicesImpl.java:465)
       at com.sun.identity.idm.AMIdentity.getMemberships(AMIdentity.java:880)
       at com.sun.identity.agents.realm.AmRealm.authenticateInternal(AmRealm.java:227)
       at com.sun.identity.agents.realm.AmRealm.authenticate(AmRealm.java:155)
       at com.sun.identity.agents.jboss.v40.AmJBossLoginModule.validatePassword(AmJBossLoginModule.java:104)
       at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
       at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
       at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
       at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:257)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
       at java.lang.Thread.run(Thread.java:619)
    jboss logfile
    2008-09-19 13:55:39,756 DEBUG [com.sun.identity.agents.jboss.v40.AmJBossLoginModule] Bad password for username=bob
    Has anybody had similar errors and knows a solution?
    Thanks.

    Tanks handat      
    I found
    http://download.oracle.com/docs/cd/E19575-01/820-5816/galtf/index.html
    http://download.oracle.com/docs/cd/E19681-01/821-0267/gfxhz.html#scrolltoc     
    greetings
    alex davila

  • Policy agent 2.1 for apache 1.3.27 reinstallation problem

    hi
    i've uninstalled Apache_1.3.27_agent_2.1_sparc-sun-solaris2.8 policy agent [Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_04-b05)] to reinstall it from scratch.
    during the reinstallation i've the problem listed below. i did remove all remaining parts of agent but doesn't work.
    Any idea ?
    Thanks
    Installing Sun ONE Identity Server Policy Agent
    Listener:com.iplanet.am.installer.listeners.ApacheInstallListener@1372656 threw exception during "installFinishing" method while listening to SUNWamapc install directory=[DETERMINED AT RUNTIME]:java.lang.reflect.InvocationTargetException
    Target Exception trace:
    java.lang.RuntimeException: error executing ///bin/config
       at com.iplanet.am.installer.listeners.InstallListenerBase.executeCommand(InstallListenerBase.java:829)
       at com.iplanet.am.installer.listeners.InstallListenerBase.configureSolarisWebAgent(InstallListenerBase.java:294)
       at com.iplanet.am.installer.listeners.InstallListenerBase.installFinishing(InstallListenerBase.java:150)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:324)
       at com.sun.install.products.Product.processEvents(Product.java:753)
       at com.sun.install.products.Product.processEvents(Product.java:787)
       at com.sun.install.products.Product.processEvents(Product.java:787)
       at com.sun.install.products.Product.performInstallation(Product.java:643)
       at com.sun.install.tasks.ProductTask.perform(ProductTask.java:191)
       at com.sun.wizards.core.Sequence.perform(Sequence.java:336)
       at com.sun.wizards.core.SequenceManager.run(SequenceManager.java:226)
       at java.lang.Thread.run(Thread.java:534)

    I had the same problem because of a misconfiguration in AMAgent.properties. I changed manually all URLs to the Identity Server from http to https and found out the port number has definitely to be specified (bad URL parsing of Policy Agent). You should check your configuration...
    HTH
    Jürgen
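
The reply above names two conditions for the Identity Server URLs in AMAgent.properties: a consistent https scheme and an explicitly written port. The following is an added example, not from the original post or from the agent's installer, that checks a properties file for both; the property keys and hostnames in the sample are placeholders, and the check is key-agnostic.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s,|]+", re.IGNORECASE)


def parse_properties(text):
    """Yield (line_no, key, value) for key=value lines, skipping comments."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            yield no, key.strip(), value.strip()


def check_server_urls(text, server_host, expected_scheme="https"):
    """Flag URLs pointing at server_host with the wrong scheme or no port."""
    findings = []
    for no, key, value in parse_properties(text):
        # A value may hold several URLs separated by spaces.
        for url in URL_RE.findall(value):
            parts = urlsplit(url)
            if (parts.hostname or "").lower() != server_host.lower():
                continue  # agent-side URL, not the server being checked
            try:
                port = parts.port
            except ValueError:  # non-numeric or out-of-range port
                port = None
            if parts.scheme.lower() != expected_scheme:
                findings.append((no, key, "scheme " + parts.scheme.lower()))
            if port is None:
                findings.append((no, key, "no explicit port"))
    return findings


# Constructed sample; keys and hosts are placeholders, not real agent keys.
SAMPLE = """\
# constructed sample
example.naming.url = https://am.example.com/amserver/namingservice
example.login.url = http://am.example.com:80/amserver/UI/Login
example.logout.url = https://am.example.com:443/amserver/UI/Logout
example.notification.url = http://agent.example.com:80/amagent/UpdateAgentCacheServlet
"""

if __name__ == "__main__":
    for finding in check_server_urls(SAMPLE, "am.example.com"):
        print(finding)
```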

  • Setup-Problem while installing AM Policy Agent 2.1 on Solaris 10

    I'm new with AccessManager and try to get it working on Solaris 10 on a Sparc.
    I'm using LDAP-Server, WEB-Server 6.1 and AccessManager from the software package: "Sun Java System Access Manager 6 2005Q1".
    While trying to install policy-agents on the Sparc (by starting setup program), I've got the message: "The installer ist intended for Solaris Operating System only".
    The agent-software I'm trying to install is "Access Manager Policy Agent 2.1 for Sun Java System Web Server 6.1". From there I chose "Solaris SPARC 8".
    (so I've got the package "S1WebServer_6[1].1_agent_2.1_sparc-sun-solaris2.8.tar.gz").
    In my opinion, it must be correct. Is there anything I've done wrong?
    thanks, Paul

    Even when there is no agent available for Solaris 10 now:
    If you don't have any doubt to use an unsupported configuration, at
    least the apache agent is installable.
    You have to extract the packages "SUNWamapc" and "SUNWcom"
    from the tar-archive and install it using pkgadd.
    Then, you have to configure it manually ("include" in "httpd.conf",
    "AMAgent.properties").
    Maybe, it is possible to do something similar with the agent for
    SUN webserver.
    Be aware that no one will guarantee that such unsupported
    installations won't raise any problems.
    Juergen

  • Policy Agent Install - Tomcat problems

    Hello,
    After trying to install policy agent on many different OS with no success, I had to finally ask here:
    I followed the instructions and did the following on Debian, Fedora, and Win server 2003:
    1. downloaded the policy agent for tomcat
    2. stopped tomcat
    3. decompressed the j2ee agents folder to the root of the system
    4. ran the agentadmin -install
    5. put the agentapp folder in the webapps directory
    6. started tomcat...
    I get the same error on three OS about it not finding AMRealm.
    I found someone pointing out that setagentclasspath could fix this,
    but I see all the classpaths there, so I went and started moving some classes to the tomcat/lib dir,
    then the AMRealm error went away but many others came in.
    What am I doing wrong?!

    I'm having the same problem with windows 2003 server Enterprise Edition. (installer complains about web server instance directory, is not 6.0 or 6.1...)
    You said that "Policy Agent 2.1 does *NOT* work with MS Windows 2003 Server Enterprise edition". But does Policy Agent 2.2 work with Windows 2003 Server Enterprise edition?
    Thanks for your help!!!

  • Does URL Policy Agent of SunONE Web Server 6.1 works with Identity Server 6

    Hi,
    I'm using URL Policy Agent of SunONE Web Server 6.1, and using Identity Server 6.1 to configure policy to access web resource such as http://myweb.org.cn/test/*
    After configuration, I try to access the resources http://myweb.org.cn/test/test.html
    The redirection is ok, the IS login appear, but after login successfully, it still tell me that I don't have permission to view this web page.
    Is this because of URL policy agent don't support IS 6.1?
    Many thanks,

    Can anybody help me with the steps to generate core for this issue.. I followed the steps as said in http://blogs.sun.com/meena/entry/troubleshooting_server_crashes_enabling_core but I don't see any core generated when server crashes..
    Setup Info:
    - OS is RHEL 4.0
    - Sun ONE Web Server 6.1SP7
    - Policy Agent 2.2

  • Problem Installing Policy Agent 2.2 on Apache 2.2.3

    Hi all,
    I'm trying to configure policy agent 2.2 on apache 2.2.3 on linux platform CentOS (red hat 5.1).
    The configuration and the installation seem to work properly, in effect in the log file install.log you can find :
    [06/10/2008 16:38:49:865 CEST] Creating directory layout and configuring Agent file for Agent_001 instance ...SUCCESSFUL.
    [06/10/2008 16:38:49:936 CEST] Reading data from file /opt/web_agents/apache22_agent/passwordFile and encrypting it ...SUCCESSFUL.
    [06/10/2008 16:38:49:937 CEST] Generating audit log file name ...SUCCESSFUL.
    [06/10/2008 16:38:50:022 CEST] Creating tag swapped AMAgent.properties file for instance Agent_001 ...SUCCESSFUL.
    [06/10/2008 16:38:50:026 CEST] Creating a backup for file /etc/httpd/conf/httpd.conf ...SUCCESSFUL.
    [06/10/2008 16:38:50:031 CEST] Adding Agent parameters to /opt/web_agents/apache22_agent/Agent_001/config/dsame.conf file ...SUCCESSFUL.
    [06/10/2008 16:38:50:032 CEST] Adding Agent parameters to /etc/httpd/conf/httpd.conf file ...SUCCESSFUL.
    But, when I try to restart Apache it gives me an error and in the error.log file in Apache you can read:
    [Tue Jun 10 16:57:33 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Tue Jun 10 16:57:34 2008] [notice] Digest: generating secret for digest authentication ...
    [Tue Jun 10 16:57:34 2008] [notice] Digest: done
    [Tue Jun 10 16:57:34 2008] [alert] Policy web agent configuration failed: NSPR error
    Configuration Failed
    Well, I found in the Sun documentation a well known bug about the NSPR and NSS library :
    Error message issued during installation of Policy Agent 2.2 on Linux systems
    When the Linux operating system is installed, specific components can be selected. Occasionally the specific components of the operating system selected lack the libraries necessary for Policy Agent 2.2 to function. When the complete Linux operating system is installed, all the required libraries are available. The libraries that are required for the agent to function are as follows: NSPR, NSS, and libxml2.
    Workaround: If the Linux operating system you are using is not complete, install the latest versions of these libraries as described in the steps that follow:
    At the time this note was added, the latest version of the NSPR library packages was NSPR 4.6.x , while the latest version of the NSS library package was NSS 3.11.x.
    To Install Missing Libraries for Policy Agent 2.2 on Linux Systems
    Install the NSS, and libxml2 libraries. These libraries are usually available as part of Linux installation media. NSPR and NSS are available as part of Mozilla binaries/development packages. You can also check the following sites:
      o NSPR: http://www.mozilla.org/projects/nspr/
      o NSS: http://www.mozilla.org/projects/security/pki/nss/
    So, I checked my libraries but they are upgraded to the latest version.
    If I comment the line that includes the libamapc22.so in the apache configuration file
    LoadModule dsame_module /opt/web_agents/apache22_agent/lib/libamapc22.so
    Apache can restart but the agent is misconfigured!
    Any Idea?

    thank you Subhodeep for your reply,
    I didn't try to change the library file and I didn't find in literature any information about library file changing in the Policy agent installation. Please, could you suggest me something more about which library to use instead of libamapc22.so?
    ps. I am using red hat 5.1, and from the release note of the policy agent seems that the latest platform version supported is red hat enterprise linux 4.0 versions.....
    this one could definitely be the reason of the misconfiguration.
