Protect ad odument using identity server

How can i protect a *.html that it is deploy in the application server using the identity server?
I mean if you got a html en /sp1/hoja.html and you want to ask for the auth to see the person who wants to access it, what can i do?
I must only create a policy in the identity or i must install a police agent web o j2ee.

To secure a resource that has been deployed to the application server (let say as an EAR file) you need to do the following:
- define the secured resources in your web.xml file
- define the authentication method in your web.xml file
- in the sun-application.xml file link the role to a group that represents a group in Ldap for example

Similar Messages

  • Using Identity Server as a JAAS authentication provider

    My client wants to use Identity Server to provide JAAS authentication for the Java application they're developing.
    The JAAS tutorial shows how the name of the Java class that provides the authentication service is provided, then an instance of this class is instantiated and the .login method invoked to actually perform the authentication.
    The stated principle behind the tutorial is one of using a pluggable authentication framework, and one should not care how authentication is performed. As long as the callbacks to allow the authentication framework to ask for the credentials required, it should not matter.
    The example of how to do LDAP authentication using Identity server requires using some identity server classes. ie the com.sun.identity.authentication.AuthContext class. They specifically want to use pure JAAS authentication rather than creating a dependance in their application on Identity Server.
    Is a Java class available which provides this functionality?
    Thanks

    In Apache you can specify the authentication parameters in the virtual host configuration

  • Using Identity Server to get userid

    Hello.
    We're currently changing a legacy system written in C++, that runs on an Apache server. We have found out that after a user has signed in to the Identity server, we're handed the session ID in a cookie header. We need to be able to be able to ask the Identity server in some way in order to get a hold of the user ID. Because this is a legacy system, we have no way of getting the client to send the userid.
    I've tried reading a bit about SAML, and the C++ implementation, openSAML, but having a bit of trouble getting my head around it. Would this solve my problem?
    Any suggestions?

    From your C++ application POST to URL https://identity.server:58080/amserver/sessionservice:
    <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
    <RequestSet vers="1.0" svcid="Session" reqid="0">
    <Request><![CDATA[<SessionRequest ver="1.0" reqid="0">
    <GetSession reset="true">
    <SessionID>' + TOKENID_HERE + '</SessionID>
    </GetSession></SessionRequest>]]></Request>
    </RequestSet>'
    Reply will contain user ID, DN, session information, etc.

  • OAM : Which identity server is used by Password Policy?

    Hi,
    The OAM setup has two identity servers (ois1, ois2), two webpass (wp1, wp2) on two web servers. wp1 is pointing to ois1 only and wp2 is pointing to ois2.
    We have two sets of Policy manager, Access server and WebGate. wg1 is pointing to aaa1 and wg2 is pointing to aaa2.
    Now, when a user tries to access a OAM webgate protected page and the password policy gets applied, do the identity server comes into picture? if yes, which identity server is used here, ois1 or ois2?
    I want to use ois1 for all the requests coming to webserver with wg1. How do I do it?
    Thanks in advance.

    Hi Colin,
    Thanks for your reply.
    The reason I put this question was - in a scenario when I dont have Access Server (any access component), then also Password Polices work. So, I understand identity server is used here. When we have access side components, what makes OAM not to use identity server at all. Or is it the feature of OAM - when the accessed resource is ptotected by WebGate the Password policies are taken care of by Access Server, otherwise by identity server or is it because of the 'obReadPasswdMode' and 'obWritePasswdMode' in the authentication scheme?
    I stopped my identity server and I saw the password policy working - so I know the behavior; still asking the above question for my better understanding of OAM.
    Thanks for your help!

  • Identity Server has not been configured for this new user/group suffix

    Hi all
    I am having a problem trying to configure the Directory Server (5.2) for Messaging Server.
    My configuration is as follows:
    SJES Q12005
    Server 1 - Directory Server 5.2
    Server 1 - Access Manager (formerly Identity Server)
    Server 1 - Web Server 6.1
    I have successfully installed the above and can login to Access Manager.
    I next installed Calendar & Messengar Server on "Server 1". Upon running "comm_dssetup.pl" from /opt/SUNWcomds/sbin, I get the following error:
    "Identity Server has not been configured for this new user/group suffix"
    Copy and paste of what I entered:
    bash-2.05# perl comm_dssetup.pl
    Welcome to the Directory Server preparation tool for
    Sun Java(tm) System communication services.
    (Version 6.3 Revision 1.0)
    This tool prepares your directory server for use by the
    communications services which include Messaging, Calendar and their components.
    The logfile is /var/tmp/dssetup_20050830165940.log.
    Do you want to continue [y]:
    Please enter the full path to the directory where the Sun ONE
    Directory Server was installed.
    Directory server root [var/opt/mps/serverroot] : /opt/mps/serverroot
    Please select a directory server instance from the following list:
    [1] slapd-sunldap
    Which instance do you want [1]:
    Please enter the directory manager DN [cn=Directory Manager]: cn=DirMan
    Password:
    Detected DS version 5.2
    Will this directory server be used for users/groups [Yes]:
    Please enter the Users/Groups base suffix [dc=samplecompany-dev,dc=co,dc=uk] : ou=infrastructure,o=sampletown,dc=samplecompany-dev,dc=co,dc=uk
    There are 3 possible schema types:
    1 - schema 1 for systems with iMS 5.x data
    1.5 - schema 2 compatibility for systems with iMS 5.x data
    that has been converted with commdirmig
    2 - schema 2 native for systems using Identity Server
    Please enter the Schema Type (1, 1.5, 2) [1]: 2
    Identity Server has not been configured for this new user/group suffix
    You can opt to continue, but you will not be able to use
    features that depend on Identity Server
    Are you sure you want this schema type? [n]:
    I have entered my user group suffix exactly as specified during the Access Manager install (hence I am able to login as "amadmin").
    Looking at the LDAP logs to try and figure out whats going wrong I see its not getting hits on all searches it is performing:
    [30/Aug/2005:16:41:18 +0100] conn=299 op=159 msgId=161 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
    dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(obj
    ectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netscape
    Resource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:18 +0100] conn=299 op=159 msgId=161 - RESULT err=4 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:18 +0100] conn=299 op=160 msgId=162 - ABANDON targetop=NOTFOUND msgid=161
    [30/Aug/2005:16:41:18 +0100] conn=299 op=161 msgId=163 - SRCH base="ou=people,ou=infrastructure,o=northampton,dc=dataforce-de
    v,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(objec
    tClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netscapeRe
    source)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:18 +0100] conn=299 op=161 msgId=163 - RESULT err=0 tag=101 nentries=0 etime=0
    [30/Aug/2005:16:41:18 +0100] conn=299 op=162 msgId=164 - SRCH base="ou=clientdata,ou=infrastructure,o=northampton,dc=dataforc
    e-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(o
    bjectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netsca
    peResource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:18 +0100] conn=299 op=162 msgId=164 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:18 +0100] conn=299 op=163 msgId=165 - ABANDON targetop=NOTFOUND msgid=164
    [30/Aug/2005:16:41:20 +0100] conn=299 op=164 msgId=166 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
    dev,dc=co,dc=uk" scope=1 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
    [30/Aug/2005:16:41:20 +0100] conn=299 op=164 msgId=166 - RESULT err=0 tag=101 nentries=41 etime=0
    [30/Aug/2005:16:41:28 +0100] conn=299 op=165 msgId=167 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
    dev,dc=co,dc=uk" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="objectClass numSubordinates ref aci"
    [30/Aug/2005:16:41:28 +0100] conn=299 op=165 msgId=167 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:28 +0100] conn=299 op=166 msgId=168 - SRCH base="ou=services,ou=infrastructure,o=northampton,dc=dataforce-
    dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectClass=ldapsubentry)))(obj
    ectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServer)(objectClass=netscape
    Resource)(objectClass=domain))" attrs="objectClass numSubordinates ref aci"
    [30/Aug/2005:16:41:29 +0100] conn=299 op=166 msgId=168 - RESULT err=0 tag=101 nentries=41 etime=1
    [30/Aug/2005:16:41:29 +0100] conn=299 op=167 msgId=169 - SRCH base="ou=iplanetamauthservice,ou=services,ou=infrastructure,o=n
    orthampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(objectC
    lass=ldapsubentry)))(objectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscapeServ
    er)(objectClass=netscapeResource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:29 +0100] conn=299 op=167 msgId=169 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:29 +0100] conn=299 op=168 msgId=170 - ABANDON targetop=NOTFOUND msgid=169
    [30/Aug/2005:16:41:29 +0100] conn=299 op=169 msgId=171 - SRCH base="ou=iplanetamauthldapservice,ou=services,ou=infrastructure
    ,o=northampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)(obj
    ectClass=ldapsubentry)))(objectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=netscape
    Server)(objectClass=netscapeResource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:29 +0100] conn=299 op=169 msgId=171 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:29 +0100] conn=299 op=170 msgId=172 - ABANDON targetop=NOTFOUND msgid=171
    [30/Aug/2005:16:41:29 +0100] conn=299 op=171 msgId=173 - SRCH base="ou=iplanetampolicyconfigservice,ou=services,ou=infrastruc
    ture,o=northampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(objectClass=*)
    (objectClass=ldapsubentry)))(objectClass=referral)(objectClass=organization)(objectClass=organizationalUnit)(objectClass=nets
    capeServer)(objectClass=netscapeResource)(objectClass=domain))" attrs="dn"
    [30/Aug/2005:16:41:29 +0100] conn=299 op=171 msgId=173 - RESULT err=0 tag=101 nentries=1 etime=0
    [30/Aug/2005:16:41:29 +0100] conn=299 op=172 msgId=174 - ABANDON targetop=NOTFOUND msgid=173
    [30/Aug/2005:16:41:29 +0100] conn=299 op=173 msgId=175 - SRCH base="ou=iplanetamauthenticationdomainconfigservice,ou=services
    ,ou=infrastructure,o=northampton,dc=dataforce-dev,dc=co,dc=uk" scope=1 filter="(|(&(numSubordinates=*)(numSubordinates>=1)(|(
    --More--(83%)
    The list goes on.
    Can anyone give me any pointers?
    Thanks

    Hi
    Thanks for your reply!
    I did mis-type, my mistake - sorry about that.
    If I dont over-ride the default it works, I've pretty much got the whole setup working now but I'm not particularly over the moon about the way the ldap tree is setup, I'd like finer granuality as we are going to attempt to get syncronization working with AD.
    I have an idea about how I'd like to set up our Mail/Calendar/LDAP infrastructure the 2nd time around (I'm just testing at the mo) - so I might have a question or two for you if you dont mind taking a look when you have a minute?
    Thanks Jay

  • Security solution with Identity server for SOX compliance

    Hi all,
    Has anybody used Identity Server as security solution to achieve SOX compliance? i want to know general view, opinions , experiance of ppl while implementing such solution.
    Just a little background of SOX: It is Created by US Congress in the wake of corporate scandals like Enron in 2001 and 2002.it is an attempts to tighten controls over corporate financial reporting and transparency.
    I am basically interested in implementing security solutions using Identity server for SOX compliance. Section 404 of this act deals with internal controls, which essentially requires organizations to provide following facilities -
    1. User Identification, authorization and access
    2. User control of user accounts
    3. Central identification and access rights/permissions management
    4. Violation and security activity report
    Has anybody developed such solution? What are your general experiance, problems , issues etc? Please share your view....

    Just too quick to draw conclusion: See below FAQ
    If you are not in the same AS container, let me know. Jerry
    Copy from J2EE agent FAQ
    Question - Is it possible to install a J2EE 2.1agent and Identity Server on the same instance of the application server ?
    Installing the IS60SP1/IS61 server and J2EE 2.1 policy agent on the sameninstance of Application server is not a supported configuration. We do support the 21 J2EE agent and IS installed on different instances of the application server. So, users can install theJ2EE 2.1 agent on a one instance of the application server and install IS on a different instance of the apps server.

  • Role Delegation in Identity Server 5.1

    Have anyone try to set two adminitrators in Identity Server 5.1 say Admin-A & Admin-B so that Admin-A can only add/del Role-A to all user and Admin-B can only add/del Role-B to all user?
    Moreover, is it possible that users created by Admin-A can only remove by Admin-A and users created by Admin-B can only remove by Admin-B given that all users is in the same people container?
    Thanks,
    Clive Chan

    Yes it is possible to setup a delegation model like that ..
    This documentation should have been added to that identity server unfortunately it had been left out.
    Anyway the same documentation is provided in the link below ..
    http://docs.sun.com/source/816-6359-10/dadmadm.html#26847
    Note: this documentation is for portal server but portal server uses identity server as its infrastructure and is actually a service that sits on the identity server ..
    HTH ..

  • Does URL Policy Agent of SunONE Web Server 6.1 works with Identity Server 6

    Hi,
    I'm using URL Policy Agent of SunONE Web Server 6.1, and using Identity Server 6.1 to configure policy to access web resource such as http://myweb.org.cn/test/*
    After configyration, I try to access the resources http://myweb.org.cn/test/test.html
    The redirection is ok, the IS login appear, but after login successfully, it still tell me that I don't have permission to view this web page.
    Is this because of URL policy agent don't support IS 6.1?
    Many thanks,

    Can anybody help me with the steps to generate core for this issue.. I followed the steps as said in http://blogs.sun.com/meena/entry/troubleshooting_server_crashes_enabling_core but I don't see any core generated when server crashes..
    Setup Info:
    - OS is RHEL 4.0
    - Sun ONE Web Server 6.1SP7
    - Policy Agent 2.2

  • Use of Sun One Identity Server for SAML

    Hi all,
    I want to use Sun One Identity Server as the asserting server and SAP WAS 6.40 as the trusting server. Can any one help me with from where and what patch of Sun One Identity Server i'll have to download and how to make the connectivity of Sun One Identity Server with SAP WAS 6.40.
    Thank you very much.

    Well, it's in the Agent's installation guide, section "Read me first", "Setting Fully Qualified Domain Name". :)

  • Not able to access database from a remote machine using SQL Server Management Studio

    Hi,
    I have a DB_BOX with SQL Server 2008 R2 installed. I can access the databases on the local machine using SQL Server Management Studio but it is not accessible from other machines, though the machines are in same domain.
    I have remote enabled on SQL Server box, TCP enabled, firewall off. I checked with IP Address too, all SQL Server services are running.
    The SQL Server log shows the message
    The requested service has been stopped or disabled and is unavailable at this time. The connection has been closed.
    I get the below message in SSMS from remote machine.
    Details of error message are
    ===================================
    Cannot connect to DB_BOX.
    ===================================
    A connection was successfully established with the server, but then an error occurred during the login process. (provider: TCP Provider, error: 0 - The specified network name is no longer available.) (.Net SqlClient Data Provider)
    For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft+SQL+Server&EvtSrc=MSSQLServer&EvtID=64&LinkId=20476
    Server Name: DB_BOX
    Error Number: 64
    Severity: 20
    State: 0
    Program Location:
       at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParserStateObject.ReadSniError(TdsParserStateObject stateObj, UInt32 error)
       at System.Data.SqlClient.TdsParserStateObject.ReadSni(DbAsyncResult asyncResult, TdsParserStateObject stateObj)
       at System.Data.SqlClient.TdsParserStateObject.ReadNetworkPacket()
       at System.Data.SqlClient.TdsParserStateObject.ReadBuffer()
       at System.Data.SqlClient.TdsParserStateObject.ReadByte()
       at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)
       at System.Data.SqlClient.SqlInternalConnectionTds.CompleteLogin(Boolean enlistOK)
       at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, Boolean ignoreSniOpenTimeout, Int64 timerExpire, SqlConnection owningObject)
       at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(String host, String newPassword, Boolean redirectedUserInstance, SqlConnection owningObject, SqlConnectionString connectionOptions, Int64 timerStart)
       at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance)
       at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance)
       at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection)
       at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup)
       at System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection)
       at System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory)
       at System.Data.SqlClient.SqlConnection.Open()
       at Microsoft.SqlServer.Management.SqlStudio.Explorer.ObjectExplorerService.ValidateConnection(UIConnectionInfo ci, IServerType server)
       at Microsoft.SqlServer.Management.UI.ConnectionDlg.Connector.ConnectionThreadUser()

    Sorry, missed the message from the errorlog in the original post. You shouldn't have included that big .Net dump that hid the important facts. :-)
    My first Google attempt on that message (which I have never seen before) suggests that the TCP Enpoint is stopped, so try this:
    ALTER ENDPOINT [TSQL Default TCP]
    STATE=STARTED;
    Erland Sommarskog, SQL Server MVP, [email protected]
    This solves the problem. Thanks...

  • Integrating Messaging Server and Identity Server

    I've got JES 2004Q2, and I'm trying to install the various components on different workstations to prove that a) the software works, and b) it's a viable alternative to Exchange (so please please help me get it working!)
    The problem I have is getting Messenger Server and Directory Server talking properly so that I can create users and then log in as those users. After days of frustrating searching for solutions to this problem (and also find people who have successfully done this), I decided to install the components onto one server.
    And it worked. Installing Messaging Server, Identity Server, Web Server (contained for Identity Server), Directory Server, and Admin Server all on the same box, configuring them all to use the same directory server for UG and preferences, running the various configuration tools that come with the software, and it all works together fine. Using "./commadmin domain modify .... -S mail", I get "OK". I can add users with the "-S mail" option, log in as those users, and send emails between those users. So this tells me that the software does work, albeit on one box.
    When I try to separate the services out to separate boxes, they don't seem to integrate properly. I thought that maybe the order in which you configured applications made a difference (ie. configuring Identity Server after Messenger Server means IS will pick up on the changes made to the directory by MS, and enable it). I also tried to see if using the same options directory server from different boxes helped, but nothing. I've even tried patching them using 116568-52 and 116585-10 but no luck.
    Therefore, I've found that installing all servers on one box works, but installing them on separate boxes doesn't (despite using the same directory servers). My conclusion in this is that one of two things must be the case:
    a) there's something in the install that has to be changed to reflect the fact that the services are running on different boxes
    b) the install of the services adds files to the system somewhere which other packages in JES pick up on (hence the reason why installing everything on one box works), and this isn't documented anywhere
    Unfortunately, the output of commadmin when it fails isn't that helpful (nothing against the developers, however it doesn't really help in the fault finding process). I do believe however that the problem is with Identity Server and its configuration, rather than Messaging Server.
    Here's some (possibly) useful info:
    kipling# ./imsimta version
    Sun Java(tm) System Messaging Server 6.1 HotFix 0.01 (built Jun 24 2004)
    libimta.so 6.1 HotFix 0.01 (built 12:52:04, Jun 24 2004)
    SunOS kipling 5.8 Generic_117350-02 sun4u sparc SUNW,Sun-Blade-1500
    kipling#
    (on UG server)
    # ./commadmin domain modify -D admin -w <password> -d uwe.ac.uk -n uwe.ac.uk -S mail -H kipling.uwe.ac.uk
    FAIL
    Unable to set attribute(s)
    (some verbose mode output)
    [Debug]: Contacting : http://bronte.uwe.ac.uk:10080/commcli/TaskManager
    [Debug]: To servlet: task=ModifyDomain&objecttype=Domain&domain=uwe.ac.uk&add_services=mail&add_preferredmailhost=kipling.uwe.ac.uk
    [Debug]: RECV: FAIL
    [Debug]: RECV: Unable to set attribute(s)
    [Debug]: CLITask: status returned =FAIL
    FAIL
    Unable to set attribute(s)
    [Debug]: DBG: doOne returned code=6
    [Debug]: Contacting : http://bronte.uwe.ac.uk:10080/commcli/logout
    [Debug]: Logout ...
    [Debug]: RECV: SSOToken id AQIC5wM2LY4SfcyW5hbVBGXqCdsYYDjVarSFRMd6HIxsGho=@AAJTSQACMDE=#
    [Debug]: RECV: destroyed
    Root suffix: dc=uwe,dc=ac,dc=uk (all "o=" references have been dropped)
    All services have their own local options directory server.
    Can anyone give me any suggestions? If I log a support call with Sun, what is the likely resolution time? My ultimate goal is to get the whole suite running together, then install Portal server. Once that's working, download the connectors for Outlook and get it all working with Outlook. As I said at the start, we're hoping to show this is a viable alternative to Exchange (certainly for the backend) so any help will be greatly appreciated!
    Iain

    slo_chewie wrote:
    Does the email recipient address change when the email is sent to gmail i.e. does an email sent to [email protected] become [email protected]?
    We've got google for domains setup, so users would retain a @domain.com address regardless if there mailbox was hosted on the internal server or hosted at google.You can make use of the mailRoutingAddress: user attribute and source routing to get the desired behaviour e.g.
    => Set the following value to the LDAP entry of the user who is hosted on the gmail server. The "[email protected]" address should match the users mail: address:
    mailRoutingAddress: @gmail.com:[email protected]=> Ensure the following option has been tcp_local channel in your imta.cnf file. This option strips off the "@gmail.com" value of the recipient address before sending the email to the gmail.com servers.
    dequeue_removerouteMake sure you run "./imsimta cnbuild;./imsimta restart" after modifying the imta.cnf file.
    Regards,
    Shane.

  • Error 49: LDAP Invalid credential Supplied when installing Identity Server

    I am installing oracle Acess manager with Active directory for windows server 2003. While installing
    the identity server we facing the issue with
    Error 49: LDAP Invalid credential supplied. Please see the attached screen shot for more details.

    At which stage are getting this error?
    If you are getting this error after specifying LDAP Directory details during identity server install, make sure that your username/password for AD are correct.
    if your domain name = example.com
    and the user you are using is under cn=users in AD use:
    1. cn=your_username,cn=users,dc=example,dc=com
    and your password
    2. if this doesn't work, try:
    [email protected]
    and your password.

  • Identity Server Cookie not found

    Hi all.
    Iam getting a cookie related error message when trying to access a protected web application;
    sequence :
    When i type in the url of my web application, as obvious, i was redirected to my identity login page.
    I also get the this error message ;) in my amAgent log :
    "2003-07-31 12:22:13.832 Warning 7048:d1168 PolicyAgent: Identity Server Cookie not found"
    To add something to this cookie issue:
    when i get authernticated from my identity server, i was successfuly redirected to my web application; but if i invoke any web resource or link, buttons .... - trigger any event, i was thrown way to the login page of the web application - if i login again in my web app, i go to the last page that i was accessing;
    I guess all this funny thing happens because of the cookie, which is missing.
    anyone have an idea, what this cookie is? and what should be done to fix it?
    regards
    Kumar

    Sorr for so many people faced the sam or similar issues. I just joined this support a short while. If you think any old problem which is still critical to you, please repost. We shall try our best to give you assistance. Jerry
    Here are some of tips for debugging Web agent.
    From the AMAgent.properties, are both IIS and AM are in the same domain? If they are not, then you need to use CDSSO. Also please check in AM, under "Service Configuration-> Platform -> Cookie Domains" , whether cookie is set for the entire domain which includes AM and IIS ("test.com") or just the AM machine name.
    Also check whether correct value for "Agent-Identity Server Shared Secret" is entered. This should be your internal ldap password (amldapuser). In the AMAgent.properties for the below property the password will be encrypted and assigned: "com.sun.am.policy.am.password".
    Could you also check if the Identity servver and the IIS web server are time synchronized. The problem may be that agent requests policy decisions and the response from server may be timed out due to non-syncrhonized clock.
    Don't forget to restart the whole IIS service using internet
    management console after making agent changes.
    Some of the common error codes:
    20: Application authentication failed. This occurs when Agent cannot sucessfully authenticate with Identity Server. This is mainly due to incorrect password for agent entered during agent installation. Please refer to another faq describing how to change password.
    7: Policy not found. This error occurs typically if there are no policies defined on Identity server for the given web server URL. Otherwise, there may be time skew between Identity Server and Agent. So, polices fetched from Identity Server is instantly flushed by Agent and attempted to refetch over and over again. This can be solved by running rdate or similar command to synchronize time between the two machines. It is recommended to run NNTP server syncrhonize times between your Identity systems.

  • Cannot send message using the server (null)

    i use mail 2.1.
    i have a .mac account and have three other email accounts attached to my mail account.
    lately, i cannot send any email.
    the switchiing ports fix hasn't helped either.
    this is the error message:
    CANNOT SEND MESSAGE USING THE SERVER (null)
    The server response was: 5.1.0 <email [email protected]>...
    From address does not match authentication.
    Use the pop-up menu below to try a different outgoing mail server. All messages will use this server until you quit Mail or change your network settings.
    Message from: email <[email protected]>
    Send message using: [there is a combo box here with all the four accounts servers listed]
    no matter which one i pick it doesn't work and no email is sent.
    anyone have this error before? or now how to fix it?
    i'd be appreciative.
    thanks
    1.67 GHz Power PC PowerBook G4   Mac OS X (10.4.6)   Sony HDR HC3 HD HandyCam MiniDV

    I was having a similar problem (don't feel like typing all the details)
    I was about to to delete my com.apple.mail.plist, when finally it hit me.
    I ran ethereal (again, I'm sorry, but learning how to use ethereal is a topic unto itself). Following the TCP stream (ie. looking at the smtp messages being sent back and forth) I came across two problems. For some reason my port number was set to 567 or something like that, when it's supposed to be 25, as I had originally set it to.
    Once I corrected the port number I started receiving an error message from the smtp server. It said the return email address could not be authenticated. (using xyz.com as an example) The correct return email address was supposed to be [email protected], but for some reason it was changed to john@xyz in the account settings.
    Anyway, to get to the point, another thing to check is that your return address has been set correctly, and if all else fails, make sure you have X11 installed and use fink to install and run ethereal. This will let you know if you are actually connecting to the server, and will show you any error messages.
    PS. I think this problem started occurring with the last update made to mail. I believe it somehow corrupted my settings. This would explain how my port number could have been changed to the default port number of .mac mail.

  • Custom Authentication Module on Identity Server

    Hi,
    I have a custom authentication module which I am trying to access through the policy agent.
    I have set the following property in AMAgent.properties file
    com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login?module=CustomLoginModule.
    My login module code is something like this:
    package com.iplanet.am.samples.authentication.providers;
    import java.util.*;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.login.LoginException;
    import com.sun.identity.authentication.spi.AMLoginModule;
    import com.sun.identity.authentication.spi.AuthLoginException;
    import java.rmi.RemoteException;
    import java.io.FileInputStream;
    import java.util.Properties;
    public class LoginModule1 extends AMLoginModule
    private String userName;
    private String userTokenId;
    private HashMap usersMap;
    private java.security.Principal userPrincipal = null;
    public LoginModule1() throws LoginException
    public void init(Subject subject, Map sharedState, Map options)
              System.out.println("LoginModule1 initialization");
              usersMap = new HashMap();
              ResourceBundle bundle = ResourceBundle.getBundle("users");
              Enumeration users = bundle.getKeys();
              while (users.hasMoreElements())
                   String user = (String)users.nextElement();
                   String password = bundle.getString(user.trim());
                   usersMap.put(user, password);
    public int process(Callback[] callbacks, int state) throws AuthLoginException
              int currentState = state;
              if (currentState == 1)
                   userName = ((NameCallback) callbacks[0]).getName().trim();
                   char[] passwd = ((PasswordCallback) callbacks[1]).getPassword();
                   String passwdString = new String (passwd);
                   if (userName.equals(""))
                        throw new AuthLoginException("names must not be empty");
                   if (userName.equals("testuser") && passwdString.equals("testuser"))
                        userTokenId = userName;
                        return -1;
                   if (usersMap.containsKey(userName))
                        if (usersMap.get(userName).equals(new String(passwd)))
                             userTokenId = userName;
                             return -1;
                   return 0;
         public java.security.Principal getPrincipal()
              if (userPrincipal != null)
                   return userPrincipal;
              else
              if (userTokenId != null)
                   userPrincipal = new SamplePrincipal("testuser");
                   return userPrincipal;
              else
                   return null;
    So When the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication does not succeed and I get the following error message in the agent log file.
    2004-08-09 15:24:08.640 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:09.030 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:23.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
    2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:29.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:29.499 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
    2004-08-09 15:24:29.499 128 2712:24fda5e8 RemoteLog: User unknown was denied access to http://ps0391.persistent.co.in:80/test/index.html.
    2004-08-09 15:24:29.499 Error 2712:24fda5e8 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
    2004-08-09 15:24:29.499 Error 2712:24fda5e8 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
    2004-08-09 15:24:29.499 -1 2712:24fda5e8 PolicyAgent: validate_session_policy() access denied to unknown user
    The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
    Thanks
    Srinivas

    Does the principal "testuser" exist in your realm? If I understand your module correctly, it looks like it always returns "testuser".
    I am guessing that Access Manager is not finding your principal. Typically if access manager cannot associate the principal returned by the custom AMLoginModule it will fail the authentication.
    I am wondering if this is related to a seperate problem I have seen with custom login modules. Try chaning the code to return an LDAP style principal it may work:
    so return "uid=testuser,ou=People,dc=yourdomain,dc=com" for example. In theory this should not be necessary but it solved some problems for me, though I am not sure why.

Maybe you are looking for

  • Audio Line In interference problem

    I'm using my macbook for Garageband for recording and all was well until last night... now when I connect any 15mm jack to the line in I get noise, regardless of whether the other end is plugged into anything or not. If I reduce the input volume to ~

  • Transparent Backgrounds

    This is a beginner's question. I am using Illustrator v.10. I am just trying to produce some text that has a drop shadow and a transparent background. I want to export to a jpg file and put it in a website header so the gradient of the header with sh

  • Reading data from table control

    Hi, Intially I have a table control and in that I am entering deliveries(manually), how to read them into internal table..plz advise regards.

  • App Server performance monitoring

    Hi Does anyone know a good J2EE performance monitoring tool for Sun ONE AppServer 7 ??? I have found a few, but most of them support Weblogic, Websphere and they leave Sun ONE in the "others". I want to know if there's a tool made specially for Sun O

  • HT1351 now synch to my new computer. any suggestions as to what I do now? thanks

    I synched my nano to an old computer which died on me. how do i now synch it to my new computer. thanks PS haven't a clue what my original apple id. just created a new one .