Remote Logging for ACS

Similar Messages

• Remote Agent for ACS for Windows 2008 R2 64-bit

  Hi,
  We having difficulties with installing remote agent on windows 2008 R2 64-bit server and got the attached error.
  Our ACS is 4.2.0.124 and remote agents we tried are :Remote-Agent-ACSse-win-v4.2.1.15-K9.zip and Acs-4.2.1.15.9-RA.zip.
  I see following urls says it does not support Windows 2008 R2 and also 64-bit Windows,
  https://supportforums.cisco.com/message/3135061#3135061
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289019
  However following url says its support 2008 R2 with 64-bit version
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2.1/Release_Notes/acs421_rn.html
  Appreciate if someone can adivse us what vesion (file name) of Remote Agent can support (or working) for Windows 2008 R2 64-bit.
  thanks in advance

  Hi Tarik,
  What I wanted to say that the below url says that ACS 4.2 does not support on 64-bit OS:
  ACS Requirements
  You must use ACS Remote Agent for Windows, version 4.2, with ACS SE, version 4.2. We do not support other Cisco Secure ACS releases.
  Note ACS Remote Agent 4.2 for Windows does not support 64-bit operating systems.
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawi.html#wp289019
  However could you please let me know what exact Remote Agent file you recommend to use for windwos 2008 R2 64-bit Server. The ACS SE version that I have is 4.2.0.124.
  Thanks

• Passed Authentication Logs on ACS 4113 SE appliance

  I need to get a copy of all Passed Authentication logs from our appliance. Is there a way that I can ftp all those files to another device? Or is there another way that I can retrieve those files?
  Thanks
  Dwane

  Dwane,
  Yes, you can send logs to another system on the network using remote agent.
  Remote Logging for ACS SE with ACS Remote Agents
  The Remote Logging feature enables ACS to send data to one or more ACS Remote Agents. The remote agent runs on a computer on your network. It writes the data that ACS sends to it into CSV files. You can configure many ACS Solution Engines to point to a single remote agent, thus making the computer that runs the remote agent a central logging server.
  For more information about installing and configuring an ACS Remote Agent, see Installation and Configuration Guide for Cisco Secure ACS Remote Agents Release 4.1
  Regards,
  ~JG
  Do rate helpful posts

• Remote Log Targets not working in ACS

  Dear all
  I have 2 x ACS boxes configured as Primary & secondary.
  In ACS1 - In monitoring and reports-> option  I can see the User authentication, authorization and Accounting activities logs. I want to configure ACS2 as remote log server.
  For that in ACS1, in System administration->Log configuration-> remote log targets->new
  Added as - ACS2- 1.1.1.2 - in Advance options -
  Port-20514 (default is 514, need to change to 20514 , Instructions  from Cisco),
  Facility mode - Level6
  Maximum length -1024
  In logging categoris - in Global - Edit "AAA Audit" - remote syslog Targets - i have added - Logcollector (ACS1) and ACS2.
  In Log collector optin --> ACS1 is configured.
  After this , i  open ACS2 - Monitoring and reports optin to view the logs but when ever i click - it is diverting to ACS1.
  if i change log collector in ACS1 as ACS2, i can see the logs on ACS2. so at a time i can see logs only one ACS box.
  I would like to view the logs in both ACS boxes. can any one help me please.

  As per Cisco,  you can not able to User 2 ACS boxes simultanously to recevie log messages. Remote Log targets for Syslog Server.
  so, i can't use simultanously 2 x acs boxes , i need to go for syslog server.
  Chapter 19, "Understanding Logging"
  Configuring Remote Log Targets
  You can configure specific remote log targets (on a syslog server only) to receive the logging messages for a specific logging category. See Chapter 19, "Understanding Logging" for more information on remote log targets. See Configuring Logging Categories, page 18-25 for more information on the preconfigured ACS logging categories.
  Closing this ticket.. answered by Mohammed Feroz.

• ACS 5.2 - unable to delete remote log target

  Hello Everyone,
  I have two ACS 5.2 running as primary and secondary instances respectively.  When I try to delete a remote log target under
  System Administration >
  ... >
  Configuration >
  Log Configuration >
  Remote Log Targets
  I get the following error message...."The item you trying to delete is referenced by other items. You must remove all references to this item before it
  can be deleted".
  I have searched the configuration within the web gui and was unable to find anything that reference the object that I'm trying to delete.  Has anyone
  experienced the same thing?
  Thanks.

  Did you check the logging categories?
  For each category check the "Remote syslog Target" tab and see if the log Target you are trying to delete appears in any of the "Selected Targets"

• AAA Radius Authentication for Remote VPN With ACS Server Across L2L VPN

  Hi,
  I have an ASA running fine on the network which provide L2L tunnel to remote site and provide Remote VPN for remote access users.
  Currently, there is a need for the users to authenticate against an ACS server that located across the L2L VPN tunnel.
  The topology is just simple with 2 interfaces on the ASA, inside and outside, and a default route pointing to the ISP IP Address.
  I can ping the IP address of the ACS Server (which located at the remote site, IP addr: 10.10.10.56) from the ASA:
  ping inside 10.10.10.56
  However when I configure the ASA for the AAA group with commands:
  aaa-server ACSAuth protocol radius
  aaa-server ACSAuth host (inside) 10.10.10.56 key AcsSecret123
  Then when I do the show run, here is the result:
  aaa-server ACSAuth protocol radius
  aaa-server host 10.10.10.56
  key AcsSecret123
  From what I thought is, with this running config, traffic is not directed to the L2L VPN tunnel
  (seems to be directed to the default gateway due to the default route information) which cause failure to do the AAA authentication.
  Does anybody ever implement such this thing and whether is it possible? And if yes, how should be the config?
  Your help will be really appreciated!
  Thanks.
  Best Regards,
  Jo

  AAA is designed to enable you to dynamically configure the type of authentication and authorization you want on a per-line (per-user) or per-service (for example, IP, IPX, or VPDN) basis. You define the type of authentication and authorization you want by creating method lists, then applying those method lists to specific services or interfaces.
  http://www.cisco.com/en/US/docs/ios/12_4/secure/configuration/guide/schaaa.html

• Acs:Delete specific log for user X

  Hi Experts
  on the acs 5.2 , how to delete specific log for user X, ?
  thanks
  jamil

  Not sure if this answers the question you are asking but the following option is available:
  Monitoring Configuration > System Configuration > Collection Filters
  Pres "Create" and Syslog Attribute of "User" and set the user name your are interested in
  This option prevents records for this user from being collected. It does not remove any records that have already been collected

• Remote Logging on CISCO 1120 ACS 5

  Hi
  I have configured the appliance everything is working fine
  We have a remote syslog server and I have configured the  remote syslog server details in the "Remote Log Targets" and  and Logging Categories.
  But I cannot see any logs on my syslog server  
  NOTE:-  In the Log Collector   current log collector is set as the local appliance , I am unable to change it to the remote syslog server.
  kindly advice
  best regards
  Muralee

  Hi
  tks for the reply
  Actually  I need to update my query
  Now I can see the logs are written to syslog-ng installed on my log monitoring server
  We have configured our Splunk server to read the log files , but it does not appear in the searches
  Further I have booked a ticket with splunk for further troubleshooting will update the thread accordingly.

• ACS SE 4.01 crashing when enabled remote logging

  We are running acs se 4.01 and whenever i turn on the remote logging to our agent, the ACS itself becomes unusable until I turn logging off again. Any ideas?

  Hi
  If you mean, that as soon as you enable remote logging, authentication starts failing, then there are some issues with remote logging.
  Also consider upgrading to latest ACS version, rather then being on 4.0(1)
  CSCeg40355 : Authentication failures when remote logging fails
  I am pretty sure its resolved in 4.1.1
  http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
  Be sure to use same remote agent version, as your ACS server software version.
  Regards,
  Prem

• Ports for ACS

  What ports are need to be open for ACS remote managemet , default port 2002 its clear, but communication than move to 3857 so any others???... Is there any list of required ports????

  Hello,
  Here is a list with different UDP and TCP ports used by the ACS:
  Cisco Secure ACS Ports Usage
  Service name - UDP Port
  Dynamic Host Configuration Protocol (DHCP) - 68
  RADIUS authentication and authorization (original draft RFC) - 1645
  RADIUS accounting (original draft RFC) - 1646
  RADIUS authentication and authorization (revised RFC) - 1812
  RADIUS accounting (original draft RFC) - 1813
  Service name - TCP Port
  TACACS+ AAA - 49
  Replication and RDBM synchronization - 2000
  ACS remote logging - 2001
  HTTP administrative access (at login) - 2002
  ACS distributed logging (appliance only) - 2003
  Administrative access (after login)
  port range Configurable (default 1024-65535) ACS assigns unique port number from the range to each administration session
  Hope this helps! Please rate all posts.
  Regards, Martin

• Keyboard issue using Danish keyboard on Remote app for iOS.

  Hi there.
  I have noticed a quite annoying issue with the Remote Desktop for iOS when using foreign keyboards along with the Remote Desktop app.
  The PC I'm remoting to from my iPad Air is a Windows 7 machine with an English Windows.
  I have a danish keyboard layout installed, and have removed the English keyboard.
  But.. Here comes the strange issue.
  If I connect via Remote Desktop before I log into my PC (from my PC), the special characters like :;/*^%}{ ect. works just fine on my iPad.
  If I then log on to my PC from the PC, the keyboard on the PC has been changed to english, even though there's no english keybord layout installed on my PC.
  The special characters like the danish æøå has been changed out with ; and other wrong characters.
  I then have to press CTRL+SHIFT on my PC to change it back to the danish layout.
  But... If I do so on my PC and afterwards connect via the Remote Desktop app on my iPad Air, the keyboard is messed up on my iPad.
  All the special characters like /:;)(^#%{ is placed wrong and give me a wrong character.
  And that happens even if I change the keyboard on my iPad to English.
  I really hope you will be able to fix this in a future update enabling full support for foreign keyboards between iOS7 and Windows 7.
  Thanks in advance.
  - Bjørn, Denmark

  Hi,
  Why are the characters mixed up in the session?
  This issue can occur if the keyboard language has been switched on the remote PC while running a remote desktop session. In the case you would like to switch to a different keyboard language
  follow these instructions.
  Note: The remote PC selects the system language of the device running the remote desktop client and not the keyboard language. When switching the keyboard language on your device, you need
  to manually switch the keyboard language on the remote PC.
  1. Open settings on your device.
  2. Tap General and then tap International.
  3. Tap Language and select the language running on the remote PC.
  4. Open the RD Client and connect to the remote PC and check if the Windows keyboard language matches the language that you selected.
  http://technet.microsoft.com/library/dn473015
  Hope this helps.
  Jeremy Wu
  TechNet Community Support

• Need help to enable trace/logging for java debugging CRM 5.0 WebShop

  Dear experts,
  I'm new to sap, and i'm working on CRM 5.0 WebShop J2ee application with nwdi.
  I have to add a new functionnality, which has to call a custom FM in CRM. This FM has been tested and is OK.
  I have read the 2 files SAP_ISA50_DevAndExtGuide.pdf and ISA50_DevAndExtTuts_v1_0.pdf which have explain to me the process flow and organization of the framework.
  By helping me with the tutorials, I wrote all the files for my functionnality, from the jsp with the form, to the custom business backend with the call of the FM with parameters and JCo connection. (+ custom BOM, custom BO, BE interface, BE CRM implementation)
  Everything builds without error, and I deploy the application on my test env.
  Then I go to my webapp, I call the custom jsp with form, I put values, then I validate the form, but my FM is not called, and I don't know where is the problem, because I can't see a trace of the process flow, to know where is the error.
  By searching in this forum I found 2 notes that explain how to activate debug trace for all the application, one note for systems before SP11 and another for systems with SP11 and higher. But I don't know how to see the patchlevel of the system (I went to system information of the j2ee server and the on ly thing I can notice is below the server0 properties : Kernel Version:  7.00 PatchLevel.
  In these notes I read about Visual Administrator : I found this directly on the server with remote desktop, but the progress bar at the bottom of the window don't arrives to 100% and I can't see the properties and values of the parameters for the Log.
  I went to XCM too, and set appinfo and logfiledownload to true, then went to Logging into e-commerce administration console : in the Log configuration tab, I can create new configurations but the effective severity automatically sets to error, even if I set All or Debug manually ; in the session log tab, i tried to launch the application, then start log, then validate my form, then stop log, but I can't find anything about the trace of the process flow in the generated file.
  Please help, I have to finish this for end of week and I'm alone ...
  PS I'm french, and don't speak very well English please excuse me.
  Thank you very much.
  J. Lag.

  Hi
  For logs follow this note no[Creation of logs for B2B and B2C Release 5.0|https://service.sap.com/sap/support/notes/1090753]
  Follow this code for calling custom Function Module
  1) ZBOM.java
  public class ZBOM extends DefaultBusinessObjectManager implements BOManager, BackendAware {
  public static final String ZCUSTOM_BOM = "ZCUSTOM-BOM";
  private ZFunction func;
  public ZBOM() { }
  public ZFunction getFUNC() {
    if (func== null) {
     func= new ZFunction();
     assignBackendObjectManager(func);  }
    return func; }
  public void release() { }
  2) ZFUNCTION.java
  public class ZFunction extends BOBase implements BackendAware {
  private ZInterface backendInterface;
  private BackendObjectManager bem;
  private ZInterface getInterface() {
    if (backendInterface == null) {
     try {
      backendInterface = (ZInterface) bem.createBackendBusinessObject("ZCustomBO");
     } catch (BackendException e) {
    return backendInterface;
  public void setBackendObjectManager(BackendObjectManager bem) {
    this.bem = bem;
  public String getCustomFunc(String value) {
    try {
     return getInterface().getIncotermListvalue) ;
    } catch (RuntimeException e) { return ""; }
  3)ZINTERFACE.java
  public interface ZInterface extends BackendBusinessObject {
       public  String getCustomFunc(String value);
  4) ZBACKEND.java
  public class ZBackend extends BackendBusinessObjectBaseSAP implements ZInterface {
       String exportvalue="";
       public String getCustomFunc(String value) {
            try {
                 Function func =getDefaultJCoConnection().getJCoFunction("Z_CUSTOM_FUNCTION_MODULE");
                 func.getImportParameterList().getField("IMPORTPARAMETER").setValue(value);
                 getDefaultJCoConnection().execute(func);
                 exportvalue = func.getExportParameterList().getString("IMPORTPARAMETER");
            } catch (Exception e) {
                 return exportvalue ;
  5) WEB_INF/xcm/customer/modification/bom-config.xml
  <BusinessObjectManager name="ZCUSTOM-BOM" className="com.sap.isa.custom.ZBOM"/>
  6) WEB_INF/xcm/customer/modification/bom-config.xml
  <config isa:extends="../config[@id='crmdefault']">          
     <businessObject type="ZCustomBO"
                  name="ZCustomBO"
                  className="com.sap.isa.custom.ZBackend"
                  connectionFactoryName="JCO"
                  defaultConnectionName="ISAStateless"/>           
  </config>
  Regards,
  [Sateesh Chandra|http://sateeshchandrach.googlepages.com/isa]

• No log for am policy agent for iis6

  Hello!
  Im trying to get Policy Agent for IIS to run on my Win Srv 2003 with IIS6 and Sharepoint Services.
  I am running the OpenSSO version of Access Manager.
  I have installed the agent and done the initial cofiguration.
  When i try to browse the resource i get a login prompt (IIS Basic Auth)and cannot login followed by "Not Authorized 401.3"
  I should get redirected to the AM Login page, shouldn't I?
  I tried to look for answers in the log file but the /debug/<id> directory i empty.
  Anyone know what to do?
  The amAgent.properties file:
  # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
  # The syntax of this file is that of a standard Java properties file,
  # see the documentation for the java.util.Properties.load method for a
  # complete description. (CAVEAT: The SDK in the parser does not currently
  # support any backslash escapes except for wrapping long lines.)
  # All property names in this file are case-sensitive.
  # NOTE: The value of a property that is specified multiple times is not
  # defined.
  # WARNING: The contents of this file are classified as an UNSTABLE
  # interface by Sun Microsystems, Inc. As such, they are subject to
  # significant, incompatible changes in any future release of the
  # software.
  # The name of the cookie passed between the Access Manager
  # and the SDK.
  # WARNING: Changing this property without making the corresponding change
  # to the Access Manager will disable the SDK.
  com.sun.am.cookie.name = iPlanetDirectoryPro
  # The URL for the Access Manager Naming service.
  com.sun.am.naming.url = http://login.lta.mil.se:8080/opensso/namingservice
  # The URL of the login page on the Access Manager.
  com.sun.am.policy.am.login.url = http://login.lta.mil.se:8080/opensso/UI/Login
  # Name of the file to use for logging messages.
  com.sun.am.policy.agents.config.local.log.file = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAgent
  # This property is used for Log Rotation. The value of the property specifies
  # whether the agent deployed on the server supports the feature of not. If set
  # to false all log messages are written to the same file.
  com.sun.am.policy.agents.config.local.log.rotate = true
  # Name of the Access Manager log file to use for logging messages to
  # Access Manager.
  # Just the name of the file is needed. The directory of the file
  # is determined by settings configured on the Access Manager.
  com.sun.am.policy.agents.config.remote.log = amAuthLog.sharepoint.lta.mil.se.80
  # Set the logging level for the specified logging categories.
  # The format of the values is
  # <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
  # The currently used module names are: AuthService, NamingService,
  # PolicyService, SessionService, PolicyEngine, ServiceEngine,
  # Notification, PolicyAgent, RemoteLog and all.
  # The all module can be used to set the logging level for all currently
  # none logging modules. This will also establish the default level for
  # all subsequently created modules.
  # The meaning of the 'Level' value is described below:
  # 0 Disable logging from specified module*
  # 1 Log error messages
  # 2 Log warning and error messages
  # 3 Log info, warning, and error messages
  # 4 Log debug, info, warning, and error messages
  # 5 Like level 4, but with even more debugging messages
  # 128 log url access to log file on AM server.
  # 256 log url access to log file on local machine.
  # If level is omitted, then the logging module will be created with
  # the default logging level, which is the logging level associated with
  # the 'all' module.
  # for level of 128 and 256, you must also specify a logAccessType.
  # *Even if the level is set to zero, some messages may be produced for
  # a module if they are logged with the special level value of 'always'.
  com.sun.am.log.level = 5
  # The org, username and password for Agent to login to AM.
  com.sun.am.policy.am.username = UrlAccessAgent
  com.sun.am.policy.am.password = PN4rEZ1uhx1404ivWY6HPQ==
  # Name of the directory containing the certificate databases for SSL.
  com.sun.am.sslcert.dir = C:/Sun/Access_Manager/Agents/2.2/iis6/cert
  # Set this property if the certificate databases in the directory specified
  # by the previous property have a prefix.
  com.sun.am.certdb.prefix =
  # Should agent trust all server certificates when Access Manager
  # is running SSL?
  # Possible values are true or false.
  com.sun.am.trust_server_certs = true
  # Should the policy SDK use the Access Manager notification
  # mechanism to maintain the consistency of its internal cache? If the value
  # is false, then a polling mechanism is used to maintain cache consistency.
  # Possible values are true or false.
  com.sun.am.notification.enable = true
  # URL to which notification messages should be sent if notification is
  # enabled, see previous property.
  com.sun.am.notification.url = http://sharepoint.lta.mil.se:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
  # This property determines whether URL string case sensitivity is
  # obeyed during policy evaluation
  com.sun.am.policy.am.url_comparison.case_ignore = true
  # This property determines the amount of time (in minutes) an entry
  # remains valid after it has been added to the cache. The default
  # value for this property is 3 minutes.
  com.sun.am.policy.am.polling.interval=3
  # This property allows the user to configure the User Id parameter passed
  # by the session information from the access manager. The value of User
  # Id will be used by the agent to set the value of REMOTE_USER server
  # variable. By default this parameter is set to "UserToken"
  com.sun.am.policy.am.userid.param=UserToken
  # Profile attributes fetch mode
  # String attribute mode to specify if additional user profile attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user profile attributes will be introduced.
  # HTTP_HEADER - additional user profile attributes will be introduced into
  # HTTP header.
  # HTTP_COOKIE - additional user profile attributes will be introduced through
  # cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
  # The user profile attributes to be added to the HTTP header. The
  # specification is of the format ldap_attribute_name|http_header_name[,...].
  # ldap_attribute_name is the attribute in data store to be fetched and
  # http_header_name is the name of the header to which the value needs
  # to be assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organiz ational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
  # Session attributes mode
  # String attribute mode to specify if additional user session attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user session attributes will be introduced.
  # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
  # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
  # The session attributes to be added to the HTTP header. The specification is
  # of the format session_attribute_name|http_header_name[,...].
  # session_attribute_name is the attribute in session to be fetched and
  # http_header_name is the name of the header to which the value needs to be
  # assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.session.attribute.map=
  # Response Attribute Fetch Mode
  # String attribute mode to specify if additional user response attributes should
  # be introduced into the request. Possible values are:
  # NONE - no additional user response attributes will be introduced.
  # HTTP_HEADER - additional user response attributes will be introduced into
  # HTTP header.
  # HTTP_COOKIE - additional user response attributes will be introduced through
  # cookies.
  # If not within these values, it will be considered as NONE.
  com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
  # The response attributes to be added to the HTTP header. The specification is
  # of the format response_attribute_name|http_header_name[,...].
  # response_attribute_name is the attribute in policy response to be fetched and
  # http_header_name is the name of the header to which the value needs to be
  # assigned.
  # NOTE: In most cases, in a destination application where a "http_header_name"
  # shows up as a request header, it will be prefixed by HTTP_, and all
  # lower case letters will become upper case, and any - will become _;
  # For example, "common-name" would become "HTTP_COMMON_NAME"
  com.sun.am.policy.agents.config.response.attribute.map=
  # The cookie name used in iAS for sticky load balancing
  com.sun.am.policy.am.lb.cookie.name = GX_jst
  # indicate where a load balancer is used for Access Manager
  # services.
  # true | false
  com.sun.am.load_balancer.enable = false
  ####Agent Configuration####
  # this is for product versioning, please do not modify it
  com.sun.am.policy.agents.config.version=2.2
  # Set the url access logging level. the choices are
  # LOG_NONE - do not log user access to url
  # LOG_DENY - log url access that was denied.
  # LOG_ALLOW - log url access that was allowed.
  # LOG_BOTH - log url access that was allowed or denied.
  com.sun.am.policy.agents.config.audit.accesstype = LOG_BOTH
  # Agent prefix
  com.sun.am.policy.agents.config.agenturi.prefix = http://sharepoint.lta.mil.se:80/amagent
  # Locale setting.
  com.sun.am.policy.agents.config.locale = en_US
  # The unique identifier for this agent instance.
  com.sun.am.policy.agents.config.instance.name = unused
  # Do SSO only
  # Boolean attribute to indicate whether the agent will just enforce user
  # authentication (SSO) without enforcing policies (authorization)
  com.sun.am.policy.agents.config.do_sso_only = true
  # The URL of the access denied page. If no value is specified, then
  # the agent will return an HTTP status of 403 (Forbidden).
  com.sun.am.policy.agents.config.accessdenied.url =
  # This property indicates if FQDN checking is enabled or not.
  com.sun.am.policy.agents.config.fqdn.check.enable = true
  # Default FQDN is the fully qualified hostname that the users should use
  # in order to access resources on this web server instance. This is a
  # required configuration value without which the Web server may not
  # startup correctly.
  # The primary purpose of specifying this property is to ensure that if
  # the users try to access protected resources on this web server
  # instance without specifying the FQDN in the browser URL, the Agent
  # can take corrective action and redirect the user to the URL that
  # contains the correct FQDN.
  # This property is set during the agent installation and need not be
  # modified unless absolutely necessary to accommodate deployment
  # requirements.
  # WARNING: Invalid value for this property can result in the Web Server
  # becoming unusable or the resources becoming inaccessible.
  # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
  # com.sun.am.policy.agents.config.fqdn.map
  com.sun.am.policy.agents.config.fqdn.default = sharepoint.lta.mil.se
  # The FQDN Map is a simple map that enables the Agent to take corrective
  # action in the case where the users may have typed in an incorrect URL
  # such as by specifying partial hostname or using an IP address to
  # access protected resources. It redirects the browser to the URL
  # with fully qualified domain name so that cookies related to the domain
  # are received by the agents.
  # The format for this property is:
  # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
  # This property can also be used so that the agents use the name specified
  # in this map instead of the web server's actual name. This can be
  # accomplished by doing the following.
  # Say you want your server to be addressed as xyz.hostname.com whereas the
  # actual name of the server is abc.hostname.com. The browsers only knows
  # xyz.hostname.com and you have specified polices using xyz.hostname.com at
  # the Access Manager policy console, in this file set the mapping as
  # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
  # Another example is if you have multiple virtual servers say rst.hostname.com,
  # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
  # abc.hostname.com and each of the virtual servers have their own policies
  # defined, then the fqdnMap should be defined as follows:
  # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
  # WARNING: Invalid value for this property can result in the Web Server
  # becoming unusable or the resources becoming inaccessible.
  com.sun.am.policy.agents.config.fqdn.map =
  # Cookie Reset
  # This property must be set to true, if this agent needs to
  # reset cookies in the response before redirecting to
  # Access Manager for Authentication.
  # By default this is set to false.
  # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
  com.sun.am.policy.agents.config.cookie.reset.enable=false
  # This property gives the comma separated list of Cookies, that
  # need to be included in the Redirect Response to Access Manager.
  # This property is used only if the Cookie Reset feature is enabled.
  # The Cookie details need to be specified in the following Format
  # name[=value][;Domain=value]
  # If "Domain" is not specified, then the default agent domain is
  # used to set the Cookie.
  # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
  # token=value;Domain=subdomain.domain.com
  com.sun.am.policy.agents.config.cookie.reset.list=
  # This property gives the space separated list of domains in
  # which cookies have to be set in a CDSSO scenario. This property
  # is used only if CDSSO is enabled.
  # If this property is left blank then the fully qualified cookie
  # domain for the agent server will be used for setting the cookie
  # domain. In such case it is a host cookie instead of a domain cookie.
  # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
  com.sun.am.policy.agents.config.cookie.domain.list=
  # user id returned if accessing global allow page and not authenticated
  com.sun.am.policy.agents.config.anonymous_user=anonymous
  # Enable/Disable REMOTE_USER processing for anonymous users
  # true | false
  com.sun.am.policy.agents.config.anonymous_user.enable=false
  # Not enforced list is the list of URLs for which no authentication is
  # required. Wildcards can be used to define a pattern of URLs.
  # The URLs specified may not contain any query parameters.
  # Each service have their own not enforced list. The service name is suffixed
  # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
  # for a particular service. SPACE is the separator between the URL.
  com.sun.am.policy.agents.config.notenforced_list = SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/UI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTCONSOLE_DEPLOY_URI/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/login_images/* SERVER_PROTO://SERVER_HOST:SERVER_PORT/docs* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/namingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/sessionservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/loggingservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/profileservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/policyservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/config* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/js/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/css/* SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/authservice SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLAwareServlet SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLSOAPReceiver SERVER_PROTO://SERVER_HOST:SERVER_PORTSERVER_DEPLOY_URI/SAMLPOSTProfileServlet
  # Boolean attribute to indicate whether the above list is a not enforced list
  # or an enforced list; When the value is true, the list means enforced list,
  # or in other words, the whole web site is open/accessible without
  # authentication except for those URLs in the list.
  com.sun.am.policy.agents.config.notenforced_list.invert = false
  # Not enforced client IP address list is a list of client IP addresses.
  # No authentication and authorization are required for the requests coming
  # from these client IP addresses. The IP address must be in the form of
  # eg: 192.168.12.2 1.1.1.1
  com.sun.am.policy.agents.config.notenforced_client_ip_list =
  # Enable POST data preservation; By default it is set to false
  com.sun.am.policy.agents.config.postdata.preserve.enable = false
  # POST data preservation : POST cache entry lifetime in minutes,
  # After the specified interval, the entry will be dropped
  com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
  # Cross-Domain Single Sign On URL
  # Is CDSSO enabled.
  com.sun.am.policy.agents.config.cdsso.enable=false
  # This is the URL the user will be redirected to for authentication
  # in a CDSSO Scenario.
  com.sun.am.policy.agents.config.cdcservlet.url =
  # Enable/Disable client IP address validation. This validate
  # will check if the subsequent browser requests come from the
  # same ip address that the SSO token is initially issued against
  com.sun.am.policy.agents.config.client_ip_validation.enable = false
  # Below properties are used to define cookie prefix and cookie max age
  com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
  com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
  # Logout URL - application's Logout URL.
  # This URL is not enforced by policy.
  # if set, agent will intercept this URL and destroy the user's session,
  # if any. The application's logout URL will be allowed whether or not
  # the session destroy is successful.
  com.sun.am.policy.agents.config.logout.url=
  # Any cookies to be reset upon logout in the same format as cookie_reset_list
  com.sun.am.policy.agents.config.logout.cookie.reset.list =
  # By default, when a policy decision for a resource is needed,
  # agent gets and caches the policy decision of the resource and
  # all resource from the root of the resource down, from the Access Manager.
  # For example, if the resource is http://host/a/b/c, the the root of the
  # resource is http://host/. This is because more resources from the
  # same path are likely to be accessed subsequently.
  # However this may take a long time the first time if there
  # are many many policies defined under the root resource.
  # To have agent get and cache the policy decision for the resource only,
  # set the following property to false.
  com.sun.am.policy.am.fetch_from_root_resource = true
  # Whether to get the client's hostname through DNS reverse lookup for use
  # in policy evaluation.
  # It is true by default, if the property does not exist or if it is
  # any value other than false.
  com.sun.am.policy.agents.config.get_client_host_name = true
  # The following property is to enable native encoding of
  # ldap header attributes forwarded by agents. If set to true
  # agent will encode the ldap header value in the default
  # encoding of OS locale. If set to false ldap header values
  # will be encoded in UTF-8
  com.sun.am.policy.agents.config.convert_mbyte.enable = false
  #When the not enforced list or policy has a wildcard '*' character, agent
  #strips the path info from the request URI and uses the resulting request
  #URI to check against the not enforced list or policy instead of the entire
  #request URI, in order to prevent someone from getting access to any URI by
  #simply appending the matching pattern in the policy or not enforced list.
  #For example, if the not enforced list has the value http://host/*.gif,
  #stripping the path info from the request URI will prevent someone from
  #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
  #However when a web server (for exmample apache) is configured to be a reverse
  #proxy server for a J2EE application server, path info is interpreted in a different
  #manner since it maps to a resource on the proxy instead of the app server.
  #This prevents the not enforced list or policy from being applied to part of
  #the URI below the app serverpath if there is a wildcard character. For example,
  #if the not enforced list has value http://host/webapp/servcontext/* and the
  #request URL is http://host/webapp/servcontext/example.jsp the path info
  #is /servcontext/example.jsp and the resulting request URL with path info stripped
  #is http://host/webapp, which will not match the not enforced list. By setting the
  #following property to true, the path info will not be stripped from the request URL
  #even if there is a wild character in the not enforced list or policy.
  #Be aware though that if this is set to true there should be nothing following the
  #wildcard character '*' in the not enforced list or policy, or the
  #security loophole described above may occur.
  com.sun.am.policy.agents.config.ignore_path_info = false
  # Override the request url given by the web server with
  # the protocol, host or port of the agent's uri specified in
  # the com.sun.am.policy.agents.agenturiprefix property.
  # These may be needed if the agent is sitting behind a ssl off-loader,
  # load balancer, or proxy, and either the protocol (HTTP scheme),
  # hostname, or port of the machine in front of agent which users go through
  # is different from the agent's protocol, host or port.
  com.sun.am.policy.agents.config.override_protocol =
  com.sun.am.policy.agents.config.override_host =
  com.sun.am.policy.agents.config.override_port = true
  # Override the notification url in the same way as other request urls.
  # Set this to true if any one of the override properties above is true,
  # and if the notification url is coming through the proxy or load balancer
  # in the same way as other request url's.
  com.sun.am.policy.agents.config.override_notification.url =
  # The following property defines how long to wait in attempting
  # to connect to an Access Manager AUTH server.
  # The default value is 2 seconds. This value needs to be increased
  # when receiving the error "unable to find active Access Manager Auth server"
  com.sun.am.policy.agents.config.connection_timeout =
  # Time in milliseconds the agent will wait to receive the
  # response from Access Manager. After the timeout, the connection
  # will be drop.
  # A value of 0 means that the agent will wait until receiving the response.
  # WARNING: Invalid value for this property can result in
  # the resources becoming inaccessible.
  com.sun.am.receive_timeout = 0
  # The three following properties are for IIS6 agent only.
  # The two first properties allow to set a username and password that will be
  # used by the authentication filter to pass the Windows challenge when the Basic
  # Authentication option is selected in Microsoft IIS 6.0. The authentication
  # filter is named amiis6auth.dll and is located in
  # Agent_installation_directory/iis6/bin. It must be installed manually on
  # the web site ("ISAPI Filters" tab in the properties of the web site).
  # It must also be uninstalled manually when unintalling the agent.
  # The last property defines the full path for the authentication filter log file.
  com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
  com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
  com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = C:/Sun/Access_Manager/Agents/2.2/debug/Identifier_1414639615/amAuthFilter

  If the agent doesnot start properly you would always get redirected to com.sun.am.policy.agents.config.accessdenied.url , if thats not specified you will get a 403.
  For the agent itself check that the naming.url is correct. the agent username and passwords are correct, and see that the user has priviledges to write to the agent log files. Apart from these post the windows event logs.

• How to enable remote debugging for a session other than the current one

  Hi all,
  I am trying to figure out how to enable remote debugging for a session other than the one I am currently using.
  More specifically, we have an application that is making database calls to Oracle 11gR2. Something is causing an exception during this invocation. My system is currently not set up to recompile said application, so I can't just add the debug call to the code and recompile. Therefore I would like to be able to log into the database (as sys, if necessary) and invoke dbms_debug_jdwp.connect_tcp on the desired session.
  The docs indicate that I should be able to do so:
  dbms_debug_jdwp.connect_tcp(
  host IN VARCHAR2,
  port IN VARCHAR2,
  session_id IN PLS_INTEGER := NULL,
  session_serial IN PLS_INTEGER := NULL,
  debug_role IN VARCHAR2 := NULL,
  debug_role_pwd IN VARCHAR2 := NULL,
  option_flags IN PLS_INTEGER := 0,
  extensions_cmd_set IN PLS_INTEGER := 128);
  But when I try (even as sys), I get the following:
  exec dbms_debug_jdwp.connect_tcp('1.2.3.4',5678,<session id>,<session serial>);ORA-00022: invalid session ID; access denied
  ORA-06512: at "SYS.DBMS_DEBUG_JDWP", line 68
  ORA-06512: at line 1
  00022. 00000 - "invalid session ID; access denied"
  *Cause:    Either the session specified does not exist or the caller
  does not have the privilege to access it.
  *Action:   Specify a valid session ID that you have privilege to access,
  that is either you own it or you have the CHANGE_USER privilege.
  I've tried granting the 'BECOME USER' privilege for the relevant users, but that didn't help. I read something about having to set some kind of ACL as of 11gR1, but the reference documentation was very confusing.
  Would someone be able to point me in the right direction? Is this even possible, or did I misread the documentation?

  Interesting deduction, that would be very useful indeed. I hate recompiling just to add the debug call, and it can't be done in our production environment. But it seems unlikely to me it would be implemented this way.
  I would cross-post this in the SQL AND PL/SQL forum though, as this is really a database issue, not with the SQL Developer tool. Do add the links to the other posts in each.
  Regards,
  K.

• WCF service connection forcibly closed by the remote host for large data

  Hello ,
                      WCF service is used to generate excel report , When the stored procedure returns large data around 30,000 records. Service fails
  to return the data . Below is the mentioned erorr log :
  System.ServiceModel.CommunicationException: An error occurred while receiving the HTTP
  response to <service url> This could be due to the service
   endpoint binding not using the HTTP protocol. This could also be due to an HTTP request context being aborted by
  the server (possibly due to the service shutting down). See server logs for more details. ---> System.Net.WebException:
  The underlying connection was closed: An unexpected error occurred on a receive. ---> System.IO.IOException:
  Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
  ---> System.Net.Sockets.SocketException: An existing connection was forcibly closed by the remote host
     at System.Net.Sockets.Socket.Receive(Byte[] buffer, Int32 offset, Int32 size, SocketFlags socketFlags)
     at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
     --- End of inner exception stack trace ---
     at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
     at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
     at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)
     --- End of inner exception stack trace ---
     at System.Net.HttpWebRequest.GetResponse()
     at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout).
     --- End of inner exception stack trace ---
  Server stack trace:
     at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
     at System.ServiceModel.Channels.HttpChannelFactory.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
     at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
     at System.ServiceModel.Dispatcher.RequestChannelBinder.Request(Message message, TimeSpan timeout)
     at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
     at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
     at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
  Exception rethrown at [0]:
     at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
     at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
     at IDataSetService.GetMastersData(Int32 tableID, String userID, String action, Int32 maxRecordLimit, Auditor& audit, DataSet& resultSet, Object[] FieldValues)
     at SPARC.UI.Web.Entities.Reports.Framework.Presenters.MasterPresenter.GetDataSet(Int32 masterID, Object[] procParams, Auditor& audit, Int32 maxRecordLimit).
  WEB CONFIG SETTINGS OF SERVICE
  <httpRuntime maxRequestLength="2147483647" executionTimeout="360"/>
  <binding name="BasicHttpBinding_Common"  closeTimeout="10:00:00"  openTimeout="10:00:00"
         receiveTimeout="10:00:00"  sendTimeout="10:00:00"  allowCookies="false"
         bypassProxyOnLocal="false"  hostNameComparisonMode="StrongWildcard"
         maxBufferSize="2147483647"  maxBufferPoolSize="0"  maxReceivedMessageSize="2147483647"
         messageEncoding="Text"  textEncoding="utf-8"   transferMode="Buffered"
         useDefaultWebProxy="true">
  <readerQuotas     maxDepth="2147483647"
        maxStringContentLength="2147483647"  maxArrayLength="2147483647"
        maxBytesPerRead="2147483647"  maxNameTableCharCount="2147483647" />
       <security mode="None"> 
  WEB CONFIG SETTINGS OF CLIENT
  <httpRuntime maxRequestLength="2147483647" requestValidationMode="2.0"/>
  <binding name="BasicHttpBinding_Common"
         closeTimeout="10:00:00"       openTimeout="10:00:00"
         receiveTimeout="10:00:00"       sendTimeout="10:00:00"
          allowCookies="false"        bypassProxyOnLocal="false"
          hostNameComparisonMode="StrongWildcard"        maxBufferSize="2147483647"
          maxBufferPoolSize="2147483647"        maxReceivedMessageSize="2147483647"
          messageEncoding="Text"        textEncoding="utf-8"
          transferMode="Buffered"        useDefaultWebProxy="true">
   <readerQuotas
         maxDepth="2147483647"
         maxStringContentLength="2147483647"
         maxArrayLength="2147483647"
         maxBytesPerRead="2147483647"
         maxNameTableCharCount="2147483647" />   

  Doing binding configuration on a WCF service to override the default settings is not done the sameway it would be done on the client-side config file.
  A custom bindng must be used on the WCF service-side config to override the defualt binding settings on the WCF service-side.
  http://robbincremers.me/2012/01/01/wcf-custom-binding-by-configuration-and-by-binding-standardbindingelement-and-standardbindingcollectionelement/
  Thee readerQuotas and everything else must be given in the Custom Bindings to override any default setttings on the WCF service side.
  Also, you are posting to the wrong forum.
  http://social.msdn.microsoft.com/Forums/vstudio/en-us/home?forum=wcf