Policy agent to authentication mulitple realm

I am working on sun access manager 7 2005Q4 with patch 5
I saw that in the PA configuration(AMConfig.properties) I have to specify the login URL.
com.sun.am.policy.am.login.url = http://blahblah.com:8080/amserver/UI/Login?realm=realmName
Which mean i one PA can only manage one relam.
Is my understanding correct?
If otherwise please advise, how to configure the PA so that is this decision is taken by access manager and not defined at PA level.
Why does the access manager resolve the authentication url based on the policy defined under the relam and then throw an authentication page.?

Just a correction
Please read AMConfig.properties as AMAgent.properties.
I think I was a little fed up while writing the post. :-)

Similar Messages

Policy Agent + Distributed Authentication UI?

Can I deploy the distAuth application inside a policy agent protected container, or does it have to be deployed in a non-protected container?
Thanks,
Michael.

Thanks, that's exactly the answer I was looking for. I was trying to deploy on a J2EE container, and while I'm interested in the workarounds, it's probably simpler for me to just deploy another container instance.

Policy Agent doesn't reset Sun Access Manager session time idle value

Hi,
We have the following setup in our environment:
- apache web server/web and policy agent 2.2 for apache 2.0.54
- webmethods portal server (jetty)
-Sun Access Manager (with Sun Directory Server)
We use policy agent for authentication purpose only (via Sun Access Manager/LDAP) when the users access the portal. We have custom code that creates session in Sun Access Manager for custom LDAP services. For testing purpose, we configure SAM session to have Max Session Timeout at 120mins and Time Idle at 15mins. I would assume that, after the initial login request, for all subsequent accesses to the portal the policy agent should intercept the request and reset the Time Idle value of SAM session. However, when I monitor time idle value using SAM console, session tab, the time idle value didn't change when the portal user access pages, submit actions, etc. I can see in the debug log of policy agent that requests are being intercepted/processed, but the time idle didn't get reset.
Does anyone know if this is a bug in configuration or in policy agent itself or am I making the wrong assumption?
Thanks a lot for the help.

Thanks for the reply, Shivaram. The issue appears to occur at random time, not accurately at the 3 min interval as you mention. I tested changing this value to 1, theoretically, after one 1 minute of idle time, accessing a link would make the agent reset the time idle value for the user session in SAM, but it didn't even after 3 minutes. This seems to be either a policy agent or system access manager bug.
We performed a 'vanilla' test using the apache server manual pages (only plain HTML, no POST requests), the pages are protected by the policy agent. At the first login, rwe were prompted to enter credential to be validated by SAM/LDAP, and then a user session is created in SAM session table. We browse around the manual pages, once in a while, certain pages cause the policy agent to reset the time idle. However, revisiting these links after a few minutes doesn't reset the idle value. Caching setting has been disable as well. Could there be or lack of some settings in AMConfig.properties or AMAgent.properties that might have caused this behavior?
Thanks for all your help,

Urgent :Authentication fails for Policy Agent on weblogic 8 SP3

Hi
I am using policy agent for perimeter authentication for an application deployed on weblogic.When i try and access the application using any user which exists on Identity server i get the following exception in the amRealm log.
09/20/2005 06:17:07:378 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmMappingRealm: authenticateAndFetchAllRoles amAdmin, ...) = []
09/20/2005 06:17:07:378 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
WARNING: AmLoginModule.login() : Empty list of principals for user = amAdmin
09/20/2005 06:17:07:379 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmLoginModule.abort()
09/20/2005 06:17:12:505 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmLoginModule.authenticate() Initialized callback handler for Subject:
09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmLoginModule.login()
09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmLoginModule.login() : User name from Callback amAdmin
09/20/2005 06:17:12:506 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
WARNING: SSOTokenValidator failed with exception
[AgentException Stack]
com.sun.identity.agents.arch.AgentException: Invalid transport string version
at com.sun.identity.agents.util.TransportToken.initializeFromString(Unknown Source)
at com.sun.identity.agents.util.TransportToken.<init>(Unknown Source)
at com.sun.identity.agents.common.SSOTokenValidator.validate(Unknown Source)
at com.sun.identity.agents.realm.AmMappingRealm.authenticateAndFetchAllRoles(Unknown Source)
at com.sun.identity.agents.weblogic.AmLoginModule.login(Unknown Source)
at weblogic.security.service.DelegateLoginModuleImpl.login(DelegateLoginModuleImpl.java:71)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:324)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:675)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:129)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:610)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:607)
at javax.security.auth.login.LoginContext.login(LoginContext.java:534)
at weblogic.security.service.PrincipalAuthenticator.authInternal(PrincipalAuthenticator.java:326)
at weblogic.security.service.PrincipalAuthenticator.authenticate(PrincipalAuthenticator.java:279)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:389)
at weblogic.servlet.security.internal.SecurityModule.checkAuthenticate(SecurityModule.java:296)
at weblogic.servlet.security.internal.BasicSecurityModule.checkUserPerm(BasicSecurityModule.java:125)
at weblogic.servlet.security.internal.SecurityModule.beginCheck(SecurityModule.java:199)
at weblogic.servlet.security.internal.BasicSecurityModule.checkA(BasicSecurityModule.java:47)
at weblogic.servlet.security.internal.ServletSecurityManager.checkAccess(ServletSecurityManager.java:145)
at weblogic.servlet.internal.WebAppServletContext.invokeServlet(WebAppServletContext.java:3568)
at weblogic.servlet.internal.ServletRequestImpl.execute(ServletRequestImpl.java:2630)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:219)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:178)
09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmMappingRealm: authenticateAndFetchAllRoles amAdmin, ...) = []
09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
WARNING: AmLoginModule.login() : Empty list of principals for user = amAdmin
09/20/2005 06:17:12:507 PM IST: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmLoginModule.abort()

Hi,
I have not set it up as a window service but can try to help. for one thing, this step is not permanent and if it does not work then you can undo this step by re-editting the script to remove the line you added. This step has you change the bea startup script for that domain to call the agent script setAgentEnv_AdminServer(it ws copied into bea domain directory during installation of agent) which just sets some agent resources in the classpath. If you start bea and those things are not in the classpath etc then agent wont work. So no permanent damage, you can change it if it doesnt work.
I suggest you try it out and start the bea server as a service and see if it works - if not try again.
I am not sure what the windows service would use to start the app server, but somehow it must specify some environment properties and things in its classpath, so if this script doesnt work then you can just do the things in the setAgentEnv_AdminServer script like setting those things in classpath.
Please let us know if it works and if any extra steps required? Would be helpful to others to know how to configure as a windows service.
hth,
Sean

Custom Authentication Issue with Policy Agent

Hi,
I have a custom authentication module which is hosted on the BEA application server and I am trying to access through the policy agent on apache.
I have set the following property in AMAgent.properties file
com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login
So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication is succeed, user sesion is being created and I get the following error message in the agent log file.
2004-10-19 16:20:26.908 Error 27620:e1140 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:3
2004-10-19 16:20:26.908 128 27620:e1140 RemoteLog: User unknown was denied access to http://hostname:port/weblogic/protapp/protected/a.html.
2004-10-19 16:20:26.908 Error 27620:e1140 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
2004-10-19 16:20:26.909 Error 27620:e1140 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
2004-10-19 16:20:26.909 -1 27620:e1140 PolicyAgent: URL Access Agent: access denied to unknown user
The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
Thanks
Neeraj

Hi Neeraj,
I still have not been able to resolve that issue. Let me know If you find a solution for the same.
Thanks,
Srinivas

Policy Agent 2.2, IIS 6.0, CDSSO and redirects after authentication

Hi
I've got a problem where a HTTP/1.1 200 and 302 are returned by the Policy Agent / Application, after the Javascripted POST by the CDCServlet content is performed.
The expected functionality is that the user is authenticated with the AM, the CDC Servlet serves the JavaScript page that will do a POST to the Policy Agent. The Policy Agent should then do what it needs to do with the POST, and forward request to the Application. The Application then does what it needs to do, and in this case, serves a HTTP/1.1 302 for redirection back to the browser.
However, it seems that the Policy Agent might be returning a HTTP/1.1 200, and setting the iPlanetDirectoryPro cookie, quickly followed by the HTTP/1.1 302 and the setting of whatever cookies it wants to set.
The Policy Agent should be respecting the return code of the Application. This problem does not appear when run against the Policy Agent for the Sun ONE Web Server.
Wondering if anyone has seen this before?
Here is sanitized output from a trace on the POST and resulting response.
POST /oslp/?sunwMethod=GET HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en-au
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: sco88342744.corp.qed.qld.gov.au
Content-Length: 3496
Connection: Keep-Alive
Cache-Control: no-cache
X-ProcessAndThread: IEXPLORE.EXE [904; 2908]
LARES=<snip>
HTTP/1.1 200 OK
Date: Wed, 16 May 2007 22:25:42 GMT
Server: Microsoft-IIS/6.0
Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcz8tCfJ96AXxjIgRzuZJDgE7gMeTO0iIS4%3D%40AAJTSQACMDQ%3D%23;Path=/
HTTP/1.1 302 Found
Date: Wed, 16 May 2007 22:25:42 GMT
Server: Microsoft-IIS/6.0
X-AspNet-Version: 1.1.4322
Location: /oslp/user/signon.aspx
Set-Cookie: ASP.NET_SessionId=lh4sus55y1iy2r5514onnjuj; path=/
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
Content-Type: text/html; charset=utf-8
Content-Length: 139
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href='/oslp/user/signon.aspx'>here</a>.</h2>
</body></html>

Hi,
we had the same problem, but we got support
from readme.txt
Bug#: 6789020
Agent type: All Agents
Description: In CDSSO mode non enforced POST requests cannot be accessed
Bug#: 6736820
Agent type: IIS 6 Agent
Description: IIS 6 agent doesn't work properly with ASP pages in CDSSO mode
Both bugs should be fixed in this version:
Sun Java System Web Agents 2.2-02 hotpatch2

Policy agent using https redirect to AM for authentication

We are using Access Manager 6 2005Q1.
Access Manager is running on box A & box B using the Sun Web Server as its front end web server. Box A & B both have a complete install of Sun Web Server, Access Manager, and Directory Server. The Directory servers are set up to replicate changes between each other. Our Policy Agents are running on box C & box D under the Apache web servers.
Users will access applications on box C/D via https. The policy agents on box C/D should redirect the user to box A/B (via a load balancer VIP)for authentication. The redirect will be https. Once authenticated the user should be redirected back to box C/D.
All subsequent communications between the Agents on box C/D to AM on box A/B (via load balancer VIP) are http.
Our load balancer is currently setup as active/failover because it does not support ssl with cookies.
In our AMAgent.properties file if I set 'com.sun.am.policy.am.loginURL = http://<lb-vip>:80/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>.
However, if I set 'com.sun.am.policy.am.loginURL = https://<lb-vip>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am NOT redirected to AM and receive 'Forbidden You don't have permission to access /<url> on this server. Also in the agent log file I see:
     2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: in_not_enforced_list():enforcing access control for https://<webserver>:443/<url>
     2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: am_web_is_access_allowed https://<webserver>:443/<url>S, GET) no sso token, setting status to invalid session.
     2006-01-30 12:42:30.792 Debug 28126:203470 PolicyAgent: Policy Agent: am_web_is_access_allowed returned status=invalid session
     2006-01-30 12:42:32.800 Warning 28126:203470 PolicyAgent: am_web_get_redirect_url() unable to find active Identity Server Auth server.
     2006-01-30 12:42:32.800 Info 28126:203470 PolicyAgent: do_redirect(): Status Code= invalid session.
Interestingly if I set 'com.sun.am.policy.am.loginURL = https://<am-server>:443/amserver/UI/Login' and access box C/D as https://<webserver>/<url> I am redirected to AM on box A/B for authentication. Once authenticated I am redirected back to box C/D and allowed access to <url>. In this scenario the only difference is I am bypassing the load balancer.
Our networking people have monitored the load balancer in front of our AM boxes A/B and see the traffic going to AM in all cases.
From my standpoint it appears the agent is not able to successfully connect to AM via https when going through the load balancer.
Any help with this configuration issue is appreciated.

Bernhard,
From our AMAgent.properties... com.sun.am.policy.agents.version=2.1. Is there a way for me to tell if this is truely only 2.1 or 2.1-xx?
Because our LB does not support SSL with cookies we are currently configured as active/failover so all requests are going to the same AM server until it goes down, at which time I know users have to re-authenticate. Also we have set "com.sun.am.loadBalancer_enable = true" in AMAgent.properties.
We understand your point about loginURL. Infact there are two properties dealing with loginURL, com.sun.am.policy.am.loginURL and com.sun.am.policy.am.library.loginURL. Based on the comments in AMAgent.properties my understanding is that com.sun.am.policy.am.loginURL is where the user is redirected for login when no valid SSO token is found and com.sun.am.policy.am.library.loginURL is what the agent uses to authenticate itself "If the previously specified login URL must be exclusively used for redirecting users..." The interesting part is that if we set com.sun.am.policy.am.loginURL to use http everything works just fine, however if we set it to use https the user never gets redirected. Its almost like the agent is trying to connect there first before doing the redirect and can not.
Craig

Policy Agent Authentication Failed!!!

Hi All,
I configured the Policy Agent based on Apache 2.055, and browsed server, it display 500 error code : Internal Server Error. The followings is the debug log,
Error 900:7f2028 AuthService: AuthService::processLoginStatus() Exception message=[Authentication Failed!!] errorCode='107' templateName=login_failed_template.jsp.
2005-11-15 14:04:38.093 Error 900:7f2028 PolicyEngine: am_policy_evaluate: InternalException in AuthService::processLoginStatus() with error message:Exception message=[Authentication Failed!!] errorCode='107' templateName=login_failed_template.jsp and code:3
2005-11-15 14:04:38.093 Warning 900:7f2028 PolicyAgent: am_web_is_access_allowed()(http://exchange.hzliqun.com:8080/, GET) denying access: status = Identity Server authentication service failure
2005-11-15 14:04:38.093 Debug 900:7f2028 PolicyAgent: am_web_is_access_allowed(): Successfully logged to remote server for GET action by user unknown user to resource http://exchange.hzliqun.com:8080/.
2005-11-15 14:04:38.093 Info 900:7f2028 PolicyAgent: am_web_is_access_allowed()(http://exchange.hzliqun.com:8080/, GET) returning status: Identity Server authentication service failure.
2005-11-15 14:04:38.093 Info 900:7f2028 PolicyAgent: process_request(): Access check for URL http://exchange.hzliqun.com:8080/ returned Identity Server authentication service failure.
2005-11-15 14:04:38.093 Debug 900:7f2028 PolicyAgent: process_request(): returning web result AM_WEB_RESULT_ERROR, data []
2005-11-15 14:04:38.093 Debug 900:7f2028 PolicyAgent: am_web_process_request(): Rendering web result AM_WEB_RESULT_ERROR
2005-11-15 14:04:38.093 Debug 900:7f2028 PolicyAgent: am_web_process_request(): render result function returned AM_SUCCESS.
Please help to sovle it.
Any help will be appreciated.
Thanks,
Peter

Looks like the agent can't authenticate. Check the AM URL and the amldapuser password. Check the amserver amAuthApplication and amComm debug files to see if there are any agent authentication related exceptions. If you have ethereal installed you can do a network trace to see the XML passed between the agent and the server

Policy agent 2.2 amfilter local authentication with session binding failed

Hi All,
I have policy agent 2.2 for weblogic 8.1 sp4 installed on redhat linux. All are working fine in my development box. But I was running all the process under user root, so today I decided to change it to a regular user, joe. I changed all the files' owner for weblogic server and policy agent from root to joe, and restart server as user Joe. After the change, I can not access the application on Weblogic server. I changed file ownership back to root and restart weblogic server as root, still same error.
Here is the error I got:
10.4.4 403 Forbidden
The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. This status code is commonly used when the server does not wish to reveal exactly why the request has been refused, or when no other response is applicable.
Here is the error I found from agent log file, amFilter:
AmFilter: now processing: SSO Task Handler
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: caching SSO Token for user uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmBaseSSOCache: cached the sso token for user principal : uid=amadmin,ou=people,dc=etouch,dc=net sso token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#, cache size = 1
05/24/2006 06:27:08:127 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
SSOTaskHandler: SSO Validation successful for uid=amAdmin,ou=People,dc=etouch,dc=net
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Logout Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: local logout skipped SSO User => amAdmin, principal =>null
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: now processing: J2EE Local Auth Task Handler
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: No principal found. Initiating local authentication for amAdmin
05/24/2006 06:27:08:128 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: doing local authentication with session binding
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
LocalAuthTaskHandler: Local authentication failed, invalidating session.05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
WARNING: LocalAuthTaskHandler: Local authentication failed for : /portal/index.jsp, SSO Token: AQIC5wM2LY4Sfcx4XY/x/M7G1Y3ScVjFj8E3oT0BV45mh0Q=@AAJTSQACMDE=#
05/24/2006 06:27:08:129 PM PDT: Thread[ExecuteThread: '14' for queue: 'weblogic.kernel.Default',5,Thread Group for Queue: 'weblogic.kernel.Default']
AmFilter: result =>
FilterResult:
     Status      : FORBIDDEN
     RedirectURL     : null
     RequestHelper:
          null
     Data:
          null
-----------------------------------------------------------

Hi,
I'm having the exact same problem in the Prod environment, but on a Sun App Server. In development all is fine, in prod we now have:
ERROR: AmFilter: Error while delegating to inbound handler: J2EE Local Auth Task Handler, access will be denied
java.lang.IllegalStateException: invalidate: Session already invalidated
at org.apache.catalina.session.StandardSession.invalidate(StandardSession.java:1258)
at org.apache.catalina.session.StandardSessionFacade.invalidate(StandardSessionFacade.java:164)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.doLocalAuthWithSessionBinding(LocalAuthTaskHandler.java:289)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.authenticate(LocalAuthTaskHandler.java:159)
at com.sun.identity.agents.filter.LocalAuthTaskHandler.process(LocalAuthTaskHandler.java:106)
at com.sun.identity.agents.filter.AmFilter.processTaskHandlers(AmFilter.java:185)
at com.sun.identity.agents.filter.AmFilter.isAccessAllowed(AmFilter.java:152)
at com.sun.identity.agents.filter.AmAgentBaseFilter.doFilter(AmAgentBaseFilter.java:38)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:210)
at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:161)
at java.security.AccessController.doPrivileged(Native Method)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:263)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:551)
at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:225)
FilterResult:
Status : FORBIDDEN
RedirectURL : null
RequestHelper:
null
Data:
null
Also, we I debug I see:
LocalAuthTaskHandler: No principal found. Initiating local authentication for ...
Did you receive any solution for this?
Many, many thanks,
Philip

Policy agent error code 21 after authenticating

Hi,
I get the following error in my amAgent logs after successfully authenticating to Sun Policy Manager 7.1:
PolicyEngine: am_policy_evaluate: InternalException in AuthService::submitRequirements() with error message:Error sending client submitted requirements to server. and code:21
A 500 Internal Server Error page is returned with the message: This server has encountered an internal error which prevents it from fulfilling your request. The most likely cause is a misconfiguration. Please ask the administrator to look for messages in the server's error log.
The Policy Manager auth access log shows: "Login Success" for the login attempt.
My configuration:
Solaris 10
Apache 2.0.54
Sun Java System Access Manager Policy Agent 2.2
Has anyone seen or experienced this error before?
Thanks
Edited by: tutro on Aug 7, 2008 7:31 AM

A control character was being read from the password (even though both the encrypted and unencrypted password did not contain any control characters). A password reset resolved the issue.

Reverse Proxy + Policy Agent generates unwanted Basic Authentication

We have a policy agent installed on the SJWS 7.0u1. It's configured as a reverse proxy to a server running on another port on the same machine as the web server. The policy agent catches the request and redirects to the access manager, which authenticates fine. The access manager then redirects back to the web server, which then issues presents the basic authentication dialog. (We did not configure it for basic authentication).
In a previous post I was directed to check my DNS entries. Both servers can resolve each other without problem. I can type nslookup server.practicegreenhealth.org, nslookup server (these are the web server addresses) and they both resolve to the correct ip. I can type nslookup access.practicegreenhealth.org and nslookup access and they both resolve to the correct IP.
I had the application deployed as a JRuby application within the SJWS's servlet container and the setup worked fine. I switched back to using SJWS as a reverse proxy to application running as its own instance and am now presented with the basic auth dialog. I can hit the application fine both from the box it's running on and if I disable the policy agent. It's just the combination of the reverse proxy configuration + the policy agent that doesn't seem to work.
Edited by: phoehne on Jun 23, 2008 12:40 PM

what does the server error log say ? you might want to increase the log level to finest (config/server.xml change info to finest) and restart and look at the server error logs. this could provide us some insight on what is happening. most likely some config parameters in obj.conf need to be fine tuned.

Identity Policy Agent Realm

Hi all
Does anyone know how i can define a group in the AgentRealm of the Policy Agent ???
I already map roles to principals using sun-web.xml and it works, but i don't know how to define a group in the AgentRealm so that i can map a role to a group of users using sun-web.xml
thanks a lot

I had the same problem, and I discovered that although in the sun-web.xml descriptor you map security-roles to group-names, you must declare Roles in the identity server (with the name of the group-name in your descriptor, of course).
Seems like Groups in the identity server are not used for authorization.
Hope this helps,
6q

OpenAM Weblogic Policy Agent

Hi Everyone,
I have installed Weblogic Policy Agent in OpenAM. Followed the URL “http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/agent-install-guide/index/chap-weblogic.html” to install the policy Agent.
I am using Oracle Weblogic server 10.3.5.0 to use deploy the .war file. Same Weblogic server used for Oracle Identity Manager 11.1.1.5.0.
In Weblogic Policy Agent post-installation steps need to select Agent Authenticator for the security Realm.
I have doubt here. Whether i want to create the *"new realm"* or i can use the existing realm *"myrealm"*? But , "myrealm" is consists the details of OIM.
I am thinking to create the new realm for openAM Weblogic policy Agent, if so what are the things i need to do create new realm for OpenAM.
Please suggest me on this.
Thanks & Regards,
Karthick

Hi Aaron;
I am trying to see if I can force the policy agent to be invoked on non-protected resources. The agent is in J2EE mode. The scenario that I have is the whole site is open and nothing is protected so I have to make the policy agent recognize requests for both protected and non protected resources. The other issue I have is that even if I create a cookie the policy agent doesn't maintain the session state since the requests are for unprotected resources. It (PA) doesn't "touch" the cookie since the requests didn't go through it.
Thanks,

Policy Agent 2.2 for Apache HTTP Server

hi,
I'm trying to configure Policy Agent 2.2 for apache http server.
The agent seems to be installed properly, in fact when I access the protected resource, I get the Access Manager login page.
Then I log into access manager, but I'm redirected to an error page.
Looking in log files I can see:
agent's "amAgent" log file:
Debug 10763:f8fe0 AuthService: HTTP Status = 200 (OK)
Debug 10763:f8fe0 AuthService: Http::Response::readAndParse(): No content length in response.
Debug 10763:f8fe0 ServiceEngine: Service::do_agent_auth_login(): Setting password callback.
Debug 10763:f8fe0 ServiceEngine: Service::do_agent_auth_login(): Setting name callback to 'apache2Agent'.
Debug 10763:f8fe0 AuthService: BaseService::sendRequest Cookie and Headers =Host: crmzone.company.icteam.it
               Cookie: JSESSIONID=193E5E1590C924A42B95A00A51DC0479;amlbcookie=01
Debug 10763:f8fe0 AuthService: BaseService::sendRequest Content-Length =Content-Length: 620
Debug 10763:f8fe0 AuthService: BaseService::sendRequest Header Suffix =Accept: text/xml
               Content-Type: text/xml; charset=UTF-8
Debug 10763:f8fe0 AuthService: HTTP Status = 200 (OK)
Debug 10763:f8fe0 AuthService: Http::Response::readAndParse(): No content length in response.
Error 10763:f8fe0 AuthService: AuthService::processLoginStatus() Exception message=[Application user ID is not valid.] errorCode='107' templateName=login_failed_template.jsp.
Error 10763:f8fe0 PolicyEngine: am_policy_evaluate: InternalException in AuthService::processLoginStatus() with error message:Exception message=[Application user ID is not valid.] errorCode='107' templateName=login_failed_template.jsp and code:3
Warning 10763:f8fe0 PolicyAgent: am_web_is_access_allowed()(http://10.0.0.31:80/SugarOS-Full-4.5.0f, GET) denying access: status = Access Manager authentication service failure
Debug 10763:f8fe0 PolicyAgent: am_web_is_access_allowed(): Successfully logged to remote server for GET action by user unknown user to resource http://10.0.0.31:80/SugarOS-Full-4.5.0f.
Info 10763:f8fe0 PolicyAgent: am_web_is_access_allowed()(http://10.0.0.31:80/SugarOS-Full-4.5.0f, GET) returning status: Access Manager authentication service failure.
Info 10763:f8fe0 PolicyAgent: process_request(): Access check for URL http://10.0.0.31/SugarOS-Full-4.5.0f returned Access Manager authentication service failure.
Debug 10763:f8fe0 PolicyAgent: process_request(): returning web result AM_WEB_RESULT_ERROR, data []
Debug 10763:f8fe0 PolicyAgent: am_web_process_request(): Rendering web result AM_WEB_RESULT_ERROR
Debug 10763:f8fe0 PolicyAgent: am_web_process_request(): render result function returned AM_SUCCESS.
Access Manager's "amAuthentication.error" log file:
"Login Failed|module_instance|Application" Application AUTHENTICATION-268 dc=opensso,dc=java,dc=net "Not Available" INFO apache2Agent 10.0.0.31 "cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net" CRMzone
I tried to change the name of the agent either in its AMAgent.properties or in Access Manager "Agents" configuration page.
I also used "crypt_util" to generate a new passoword, but nothing seems to happen.
Where should I look to get more info about this problem? Specific log file?
Is it due to wrong name/id/password of the agent? I really checked them many times...
Thanks
Fabio

I think the error message "Application user ID is not valid" is pretty self evident.
Log into the amconsole and go to the root realm/organization. Make sure the Agent profile exists and reset the password again to know value. If you created the agent profile in a sub realm/organization, you will need to make sure the subrealm/organization is set in the AMAgent.properties since the default value is / for the root realm/organization. Update the AMAgent.properties file will the Agent ID and the password generated by the crypt_it tool (com.sun.am.policy.am.username, com.sun.am.policy.am.password)
If that doesn't work, check the amApplication debug log and then look at the ldap server access logs to see why the auth bind failed.

Sun Access Manager + Jboss Policy Agent + Testapplication Problem

Hello everybody.
I have set up Access Manager 7.1 on SJSAS 9.1 in a VMware and Jboss with Policy Agent 2.2 and a simple Webapp on another.
The webapp just displays pages for users in different roles, f.e. admin und user page.
When i go to the application in the browser und access a protected page, then I get redirected to the AM login screen and can login and get redirected back to the application.
I did this with declarative security defined in web.xml, but the user doesn't get authenticated in the application.
In my logfiles i got the following errors:
amRealm log file
09/19/2008 01:55:39:756 PM CEST: Thread[http-jboss.ams.com%2F127.0.0.1-8080-2,5,jboss]
ERROR: AmRealm: failed to authenticate user: bob
com.iplanet.sso.SSOException: Invalid session ID.AQIC5wM2LY4SfcwBenaL/TbPRPGHXQo8rhVWWfM3jGDEUUM=@AAJTSQACMDE=# AQIC5wM2LY4SfcyYT7kHKvROHG64m6WtlD8hnFLPmsKJyeY=@AAJTSQACMDE=#
   at com.sun.identity.jaxrpc.SOAPClient$SOAPContentHandler.endDocument(SOAPClient.java:910)
   at org.apache.xerces.parsers.AbstractSAXParser.endDocument(Unknown Source)
   at org.apache.xerces.impl.XMLDocumentScannerImpl.endEntity(Unknown Source)
   at org.apache.xerces.impl.XMLEntityManager.endEntity(Unknown Source)
   at org.apache.xerces.impl.XMLEntityScanner.load(Unknown Source)
   at org.apache.xerces.impl.XMLEntityScanner.skipSpaces(Unknown Source)
   at org.apache.xerces.impl.XMLDocumentScannerImpl$TrailingMiscDispatcher.dispatch(Unknown Source)
   at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
   at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
   at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
   at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
   at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
   at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
   at com.sun.identity.jaxrpc.SOAPClient.send(SOAPClient.java:500)
   at com.sun.identity.jaxrpc.SOAPClient.send(SOAPClient.java:467)
   at com.sun.identity.idm.remote.IdRemoteServicesImpl.getMemberships(IdRemoteServicesImpl.java:465)
   at com.sun.identity.idm.AMIdentity.getMemberships(AMIdentity.java:880)
   at com.sun.identity.agents.realm.AmRealm.authenticateInternal(AmRealm.java:227)
   at com.sun.identity.agents.realm.AmRealm.authenticate(AmRealm.java:155)
   at com.sun.identity.agents.jboss.v40.AmJBossLoginModule.validatePassword(AmJBossLoginModule.java:104)
   at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
   at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
   at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
   at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
   at java.security.AccessController.doPrivileged(Native Method)
   at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
   at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
   at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
   at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
   at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
   at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
   at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:257)
   at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
   at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
   at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
   at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
   at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
   at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
   at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
   at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
   at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
   at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
   at java.lang.Thread.run(Thread.java:619) jboss logfile
2008-09-19 13:55:39,756 DEBUG [com.sun.identity.agents.jboss.v40.AmJBossLoginModule] Bad password for username=bob Has anybody had similar erros and knows a solution?
Thanks.

Tanks handat
I found
http://download.oracle.com/docs/cd/E19575-01/820-5816/galtf/index.html
http://download.oracle.com/docs/cd/E19681-01/821-0267/gfxhz.html#scrolltoc
greetings
alex davila

Policy agent to authentication mulitple realm

Similar Messages

Maybe you are looking for