SAML  in Access Manager

Similar Messages

• New Segment of Access Manager-Federation Manager FAQ on Liberty and SAML

  Sun Developer Network just published a new segment of a Sun Java System Access Manager and Sun Java System Federation Manager FAQ on Liberty Alliance and Security Assertion Markup Language (SAML). See http://developers.sun.com/identity/overview/faq/libertysaml.jsp.
  The Q&As also shed light on those products' support for identity-based services in Access Manager, on the utilities for creating and maintaining federated connections, on the components in Federation Manager, and on other related topics.

  This may not be the same as the problem you are seeing, but I was recently struggling with debugging an SSL connection out of the amserver, and eventually noticed that the amserver uses its own protocol handler rather than the sun.net.www.protocol included in java 1.4 and above. My guess is that this is because the amserver is older than java 1.4 but I'm not sure, they may have some other reason for using their own implementation.
  If you look at the web server server.xml after the amserver install, you will see a line like:
  <JVMOPTIONS>-Djava.protocol.handler.pkgs=com.iplanet.services.comm</JVMOPTIONS>
  if you replace that with:
  <JVMOPTIONS>-Djava.protocol.handler.pkgs=sun.net.www.protocol</JVMOPTIONS>
  you might get the pre-amserver behaviour that you are after. Basically all of the httpsURLConnection things behave subtly differently otherwise, as when getting a HttpsURLConnection you are getting a com.iplanet.services.comm.https.HttpsURLConnection rather than a sun.net.www.protocol.https.HttpsURLConnection as you might be expecting.

• OWSM: Setting up SAML token verification with Novell Access manager

  Hello,
  We are trying to set-up communication between an OWSM gateway and a Novell Accces Manager to do the following:
  All requests to our services should be secured using Web Services Security SAML Token Profile 1.0. OWSM will validate this token using the SAML – Verify WSS 1.0 Token step. The assertion will be issued by a Novell Access Manager. Are we right that OWSM needs to communicate with the Novell Access Manager for this? In that case Novell requires us to deliver metadata to establish a trust relation between the Identity Provider (Novell) and the Service Provider (OWSM). This metadata should look something like this:
  odysseus:/var/opt/novell/tomcat4/webapps/nidp # cat application.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE application PUBLIC '-//Sun Microsystems, Inc.//DTD J2EE Application 1.2//EN' 'http://java.sun.com/j2ee/dtds/application_1_2.dtd'>
  <application>
  <display-name>NIDPJ2EEApp</display-name>
  <description>Novell Identity Provider</description>
  <module>
  <web>
  <web-uri>nidp.war</web-uri>
  <context-root>nidp</context-root>
  </web>
  </module>
  </application>
  However I cannot find anything on this in the OWSM documentation.

  To answer my own question. We found 4 application.xml files which seem to contain the metadata in the folders ccore, coreman, gateway and policymanager of $AS_HOME/owsm/config/.

• Part 2 of Access Manager FAQ on SAML

  SDN has published a second segment of the FAQ on SAML (versions 1.x and 2.x): resolving errors, enabling basic authentication, mapping the SAML 2.0 Authentication Context, differentiating between the Post Profile and the Artifact Profile. Have a look: http://developers.sun.com/identity/overview/faq/libertysaml2.jsp.

  Thanks samk,
  After the installation, I have started the Directory server,admin,and console with following commands:
  bash-3.00# directoryserver start
  bash-3.00# directoryserver start-admin
  SunONE-WebServer-Enterprise/6.0SP3 B05/19/2004 02:48
  warning: daemon is running as super-user
  [LS ls1] http://AM55-zone.ipsolutionshowcase.com <http://AM55-zone.ipsolutionshowcase.com> , port 390 ready to accept requests
  startup: server started successfully
  bash-3.00# directoryserver startconsole
  Recieved the Login console window,logged in and got the ipsolutionshowcase tree.
  What are the next steps I need to folow in order to launch the Access Manager page?
  Ant thoughts?
  Thanks for ye help
  Sid

• Securing web services with Sun Access Manager

  Hi!
  I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
  What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: To install some kind of plugin into WLS or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
  I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
  I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
  My questions are:
  1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
  2) Are there any documentation/tutorials/etc?
  Thanks in advance :-)
  Anders

  what you need is a webservices agent that would enable you to "protect" your webservice provider, which I assume is on a BEA weblogic provider.
  the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is "NOT" awebservices agent, but a normal J2EE policy agent.
  So.. having said that. here's what I'd recommend.
  1. install the webservices agent on bea weblogic. (note: NOT the J2EE policy agent)
  2. configure it to use your access manager instance for authentication.
  3. configure your webservices client to use the webservice provider. (note: you'd need the webservices APi's available on the client too... so the quick dirty method would be to install the webservices agent on your client too....) you can later bundle the webservices client independently and provide your"customers" with a webservices client bundle...
  4. voila... your webservices are not "protected" by acces manager ;-)

• Password ending with % "hangs" access manager

  Dear Guru's
  We are running Sun Access Manager 7.1. We encountered a problem when users try to login with a password ending with the character "%".
  One way or another, the access manager calls the URLDecodeField method of com.iplanet.am.util.Locale twice. This results in a loop in this method.
  Can anyone help me how to get rid of this problem?
  Thanks in Advance

  Ideally you would use SAML or Federation between the Access Manager server and WAS portal. I don't know enough about WAS portal to know if that is supported or not.
  Sun has a policy agent for WAS 6.0 and the WAS PA can be configured to use the AM as a user repository. With AM7 you could try two different realms with two different data stores and have AM authenticate against one realm and the PA use the other realm and see what happens.
  Passing around user credentials between applications is a security issue and you should avoid it if possible.

• Questions about Access Manager tutorials available in netbeans site

  Hi
  Thank you for reading my post
  I have some questions about two tutoral which i find in :
  http://www.netbeans.org/kb/55/amsecurity.html and
  http://www.netbeans.org/kb/55/amsecurity-liberty.html
  here is my problem :
  we have some web services, now we want to have authentication applied for consumer who try to access our web services.
  we need to have most possible flexibility because we may deploy the server for a customer with an already established Identity database ( Database Table with user details)
  Also we need to have Transport level security using SSL.
  I read and studied both of them and now i have some questions :
  -I think Securing Web Services Using the SAML or UserNameToken is what we need for authentication and autorization of web service consumers?
  is that right?
  -Does Sun Java System Access Manager provide flexibility to authenticate user/password with a database table content?
  -How we can apply roles in Sun Java System Access Manager when we authenticate users ?
  Thanks

  Imagine that we want to have an end to end security for our web services
  we thought that we could use message level encryption to protect the soap message and also we should protect our web services from un-authenticated acess,
  we will use userName token for this.
  Our customer has large database which contains many user/password and role of those users.
  some of web services should be available to higher role (manager) and not for all users.
  so we should check a user role before we allows him/her to access a web service.
  my question is whether Sun Access manager can help us with this? or there are other configuration or packages that we should apply to have this feature.
  to explain more :
  our client side is a swing application, users enter username/password to login into system. after they loged in, we send user/pass every time user want to request some data from some services. (is it good to send user/pass every time?)
  We want Sun Access Manager to handle users authentication .
  We also need to handle role related authorization, can Sun access manager handle this?
  Thanks

• Integration access manager and web services manager

  Hi,
  Can the SSO token sent by the access manager be used by the SOA suite web services manager ? I would assume that this is a trivial configuration.
  Can anyone help with some ideas ?
  Thanks,
  Mohan

  SOA Suite has Oracle Web Services Manger which can accept Oracle Access manger token. Instead of passing the obSSOCookie to all the services in SOA Suite ( in which case you are making the services available only to OAM authenticated users) you can create SAML token from your obSSOCookie and then send the SAML token to the SOA.
  If you want to just pass obSSOCookie to SOA Suite/ Oracle WSM, yes it is straightforward. (you have to follow the steps in OWSM document)
  Thanks
  Ram

• Sun Access Manager Event Sequence

  I have a third party black box piece of hardware that is redirecting browser requests to my server for authentication. I want to utilize the Sun Access Manager to perform these authentications. Do I need to use the Policy Agent, or should I attempt to communicate directly with the Access Manager? What benefit will I gain from including the Policy Agent into the mix?
  If I don't use the policy agent, here is the sequence of events as I understand them:
  1) Browser hits Black Box (BB) for protected information.
  2) BB redirects the browser to me.
  3) Browser sends me a SAML snippet. I decode and inflate the snippet, then send it off to the access manager (AM).
  4) The AM throws an invalid id exception because the user has never logged in.
  5) I catch the invalid id exception, and redirect the browser to the AM login URL. The user enters a valid id and password and hits submit.
  6) ... ?
  Is this correct up to step 5, and what happens after step 5? Any hints would be greatly appreciated.

  Okay, never mind then.

• Configuring Access Manager as Service Provider

  Hi All,
  What documentation explains how to configure SSO with Access Manager 7 as Sefrvice Provider using redirect-artifact (or else) binding according to SAML v.2? I have SiteMinder 6.0 as IdP ready to go.
  Thanks

  Bernhard,
  We have upgraded our Web PA to version 2.1-09. One of your previous replies stated the com.iplanet.am.naming.ignoreNamingservice property was not availalbe in the PA agent properties but only in the Java SKD. Indeed we do not see such a key in the new Web PA AMAgent.properties.
  Can you please explain how to configure the AMAgent.properties and/or the Access Manager server (or properties) so that subsequent calls to the services (returned by the call to the naming service) get directed thru the load balancer? Below are the setting in our AMAgent and AMConfig properties files
  AMAgent.properties
  com.sun.am.namingURL = https://lb-mydomain.com:443/amserver/namingservice
  com.sun.am.policy.am.loginURL = https://lb-mydomain.com:443/amserver/UI/Login
  AMConfig.properties
  com.iplanet.am.server.protocol=https
  com.iplanet.am.server.host=am.mydomain.com
  com.iplanet.am.server.port=443
  com.iplanet.am.console.protocol=https
  com.iplanet.am.console.host=lb-mydomain.com
  com.iplanet.am.console.port=443
  com.iplanet.am.profile.host=lb-mydomain.com
  com.iplanet.am.profile.port=443
  com.iplanet.am.naming.url=https://lb-mydomain.com:443/amserver/namingservice
  com.iplanet.am.notification.url=https://lb-mydomain.com:443/amserver/notifica
  tionservice
  If we set com.iplanet.am.server.host=lb-mydomain.com we get an exception when trying to start the AM web container. I don't know if this may be partof our issue or not. Please comment.
  Thanks,
  Craig

• Integrating siteminder and sun access manager

  Hi,
  I need to perform the following integration. I have an client which generates a saml assertion using Sun access manager which is consumed by another system which is again having Sun access manager. Now the client wants to move on to Siteminder. Would there be any compatibility issues? Would the recipient system having Sun access manager be able to consume the saml assertion generated by siteminder?
  Thanks in advance.

  SAML is a standard, therefore you should check SAML versions support in siteminder and do the proper configuration.

• Can not configure Access Manager

  Hi all,
  1. I istalled Sun java messaging server 6.
  2. I edit amsamplesilent to prepare amsamplesilent.my:
  # cd /opt/SUNWam/bin
  #mv amsamplesilent amsamplesilent.my
  3. I configure Access Manager:
  #./amconfig -s amsamplesilent.my but get the following error:
  # ./amconfig amsamplesilent.my
  Usage: amconfig -s <silentinputfile>
  ./amconfig: Sourcing ./amutils
  ln: cannot create /opt/SUNWam/lib/jaxrpc-spi.jar: File exists
  chown: jaxrpc-spi.jar: No such file or directory
  full install
  ./amdsconfig: Sourcing ./amutils
  LD_LIBRARY_PATH is --- /usr/lib/mps/secv1:/usr/lib/mps/secv1:/usr/lib/mps/secv1:/opt/SUNWam/lib:/opt/SUNWam/ldaplib/ldapsdk
  CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss3.jar:/opt/SUNWam/lib/am_sdk.jar
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  sleep 3
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  sleep 4
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  sleep 5
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  sleep 6
  ERROR : Loading of Access Manager schema into the Directory failed
  Starting the tag swapping of the install.ldif and installExisting.ldif
  ROOT_SUFFIX is dc=iplanet,dc=com
  People_NM_ROOT_SUFFIX is People_dc=iplanet_dc=com
  SERVER_HOST sample.red.iplanet.com
  DIRECTORY_SERVER sample.red.iplanet.com
  DIRECTORY_PORT 389
  USER_NAMING_ATTR uid
  ORG_NAMING_ATTR o
  CONSOLE_DEPLOY_URI /amconsole
  ORG_OBJECT_CLASS sunismanagedorganization
  RS_RDN iplanet
  USER_OBJECT_CLASS inetorgperson
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  sleep 3
  ERROR : Configuring/Loading of the default DIT in the Directory Server failed
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  sleep 3
  Warning : Plugins and Indexes already exist.
  ./amsvcconfig: Sourcing ./amutils
  LD_LIBRARY_PATH is --- /usr/lib/mps/secv1:/usr/lib/mps/secv1:/usr/lib/mps/secv1:/opt/SUNWam/lib:/opt/SUNWam/ldaplib/ldapsdk
  CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss3.jar:/opt/SUNWam/lib/am_sdk.jar
  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  Loading service schema XML files ...
  Info 112: Entering ldapAuthenticate method!
  Error 15: Cannot authenticate user.
  LDAP authentication failed.
  Error 9: Operation failed: Error 15: Cannot authenticate user.
  Error occured while loading: /etc/opt/SUNWam/config/ums/ums.xml
  ./amws61config: Sourcing ./amutils
  /opt/SUNWam/console.war: No such file or directory
  current web app is applications
  copying files from sunwamconsdk
  Swapping tag swap in index.html files ...
  Making amconsole.war
  Successfully done making warfile ...
  Deploying from /opt/SUNWam/web-src/applications (/opt/SUNWam/amconsole.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/applications for /amconsole
  wdeploy deploy -u /amconsole -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/applications /opt/SUNWam/amconsole.war
  [wdeploy] The war file name is /opt/SUNWam/amconsole.war
  [wdeploy] Fatal error in parsing XML file ..Premature end of file.
  [wdeploy] (-1, -1) in file null
  [wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
  Failed deploying /amconsole
  /opt/SUNWam/services.war: No such file or directory
  current web app is services
  Swapping tag swap in index.html files ...
  Making amserver.war
  Successfully done making warfile ...
  Deploying from /opt/SUNWam/web-src/services (/opt/SUNWam/amserver.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/services for /amserver
  wdeploy deploy -u /amserver -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/services /opt/SUNWam/amserver.war
  [wdeploy] The war file name is /opt/SUNWam/amserver.war
  [wdeploy] Fatal error in parsing XML file ..Premature end of file.
  [wdeploy] (-1, -1) in file null
  [wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
  Failed deploying /amserver
  /opt/SUNWam/password.war: No such file or directory
  current web app is password
  Swapping tag swap in index.html files ...
  Making ampassword.war
  Successfully done making warfile ...
  Deploying from /opt/SUNWam/web-src/password (/opt/SUNWam/ampassword.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/password for /ampassword
  wdeploy deploy -u /ampassword -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/password /opt/SUNWam/ampassword.war
  [wdeploy] The war file name is /opt/SUNWam/ampassword.war
  [wdeploy] Fatal error in parsing XML file ..Premature end of file.
  [wdeploy] (-1, -1) in file null
  [wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
  Failed deploying /ampassword
  /opt/SUNWam/introduction.war: No such file or directory
  current web app is common
  Swapping tag swap in index.html files ...
  Making amcommon.war
  Successfully done making warfile ...
  Deploying from /opt/SUNWam/web-src/common (/opt/SUNWam/amcommon.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/common for /amcommon
  wdeploy deploy -u /amcommon -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/common /opt/SUNWam/amcommon.war
  [wdeploy] The war file name is /opt/SUNWam/amcommon.war
  [wdeploy] Fatal error in parsing XML file ..Premature end of file.
  [wdeploy] (-1, -1) in file null
  [wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
  Failed deploying /amcommon
  Checking if Web Server is already configed with Access Manager
  Configuring Web Server
  Mime type: 'type=text/vnd.wap.wml' already exists: Skipping ....
  Mime type: 'type=image/vnd.wap.wbmp' already exists: Skipping ....
  I tried again but I still get this error.
  Any Ideas for this problem?
  Thanks.

  ldap_simple_bind: Can't connect to the LDAP server - No route to host
  i would consider this a fatal error.
  The system cannot locate where your Directory Server is. "no route to host" means that it's trying to get to the host, but your networking isn't set up correctly, and it doesn't find any route to get to the specified host.

• Can not login access manager

  mail server version is JES messaging Server 6 2005Q4 :
  My Access Manager:http://hostname:8080/amserver
  last week, i login access manager, under the web label or configuration label�F
  in "ldap" item�Ci add new dc=xx,dc=xx,dc=xx�C
  then save configuration.
  but after that i can not login access manager.
  when i user admin login,it print:"
  Authentication failed".
  what should i do to restore access manage?
  thanks!

  javatoall wrote:
  Hi,
  I login Access Manager, access sample "realm" -> Authentication->
  Advance Properties -> User profiles and then I choiced "Dynamic with user Alias".
  Then I only configure JDBC authentication with mysql database that I don't used ldapservice.
  When I created a one new user in MySQL, I can login into web application that i security as "sample.war" successfull but new user don't right access resource that i protected before.
  When i login access manager with amdmin user, I can not find user that i has been created it in MySQL database. t
  When the users are created through the dynamic profile, the default cn/sn are set to "default" , after creation you need to login to amconsole as amadmin and change/add proper values for these attributes.
  Alternatively you can set the protected resource's policy subject to Authenticated users. This will work but not sure will meet your requirement
  >
  When i login access manager console with new user, it login successful, and view Profile of new user that I has been created.
  Can you tell me How to manage new user that I has been new in MySQL by Access manager console ?
  I want to configure access proteced resourse for that user. How to configure that ?
  read above use the authenticated users subject
  Thank for every help.
  VinhND.

• UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)

  PREAMBULA: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc-links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
  In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
  Is there some known bug or workaround that matches this description?
  Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
  We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in UWC/CE web-interface. I have reported them before, then they seemed fixed (not occuring for several tests in a row), but as time has shown, something wrong is still there.
  So I'll try to go into deeper detail now, as we've may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
  Our setup is split into several Solaris 10 full-root zones hosted on several servers, some of the components are enroute to HA (perhaps we made some mistakes on this part of the way?)
  So, we have the following software stack:
  1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
  2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
  These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
  3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
  At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
  Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
  Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
  4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
  In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
  5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
  This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its servicess.
  The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
  # imsimta version
  Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
  libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
  SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
  While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
  "Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
  We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (i.e. www.mail.domain.ru which is equivalent in DNS), they have only the Address book, Calendar and Options tabs; no webmail. So far this is resolved by Policy Agent forcing The One name of the server.
  Here's the configuration we did specifically for AM SSO:
  1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
  com.iplanet.am.cookie.encode=false
  am.encryption.pwd=<the same value>
  all hostname-related parameters point to "psam.domain.ru"
  2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
  com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
  com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
  3) in "msg.conf" on "sunmail" (entries added via configutil):
  local.webmail.sso.amcookiename = iPlanetDirectoryPro
  local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
  local.webmail.sso.singlesignoff = yes
  local.webmail.sso.uwcenabled = 1
  service.http.ipsecurity = no
  (perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
  4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
  5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
  --- main.js.orig        Sat Jan 26 07:52:09 2008
  +++ main.js     Mon Jul 21 01:06:29 2008
  @@ -667,7 +667,8 @@
  function cleanup() {
     if(laurel)
  -      top.window.location =  getUWCHost() + "/base/UWCMain?op=logout"
  +//      top.window.location =  getUWCHost() + "/base/UWCMain?op=logout"
  +      top.window.location =  "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
     else
         exec('logout', '', 'exit()')
  @@ -1707,7 +1708,8 @@
     if(lg) {
           url = document.location.href
           url = url.substr(0,url.indexOf('webmail'))
  -        uwcurl = url + 'base/UWCMain?op=logout'        
  +//      uwcurl = url + 'base/UWCMain?op=logout'        
  +        uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
     exit()
  }6) Calendar SSO - per docs...
  According to ngrep sniffing,
  1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
  2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
  3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
  Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
  Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
  Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
  4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
  Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
  5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
  Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
  Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
  6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
  Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
  7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
  <Request><![CDATA[
  <NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
  <GetNamingProfile>
  </GetNamingProfile>
  </NamingRequest>]]>
  </Request>
  </RequestSet>(receives a large XML list of different Access Manager configuration parameters and URLs)
  ...then a double-request to /amserver/sessionservice:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="Session" reqid="686">
  <Request><![CDATA[
  <SessionRequest vers="1.0" reqid="678">
  <GetSession reset="true">
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </GetSession>
  </SessionRequest>]]>
  </Request>
  <Request><![CDATA[
  <SessionRequest vers="1.0" reqid="679">
  <AddSessionListener>
  <URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </AddSessionListener>
  </SessionRequest>]]>
  </Request>
  </RequestSet>As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
  !!!*** Now, the problem part ***!!!
  8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
  I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
  For the most detail I can provide, I'll even paste the whole HTTP packet:
  POST /amserver/sessionservice HTTP/1.1
  Proxy-agent: Sun-Java-System-Web-Server/7.0
  Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
  Content-type: text/xml;charset=UTF-8
  Content-length: 336
  Cache-control: no-cache
  Pragma: no-cache
  User-agent: Java/1.5.0_09
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Host: cos-psam-01.domain.ru
  Client-ip: 194.xxx.xxx.xxx
  Via: 1.1 https-weblb.domain.ru
  Connection: keep-alive
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="session" reqid="258">
  <Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
  <GetSession reset="true">
  <SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
  </GetSession>
  </SessionRequest>]]></Request>
  </RequestSet> The server's error response is apparent:
  HTTP/1.1 200 OK
  Server: Sun-Java-System-Web-Server/7.0
  Date: Thu, 31 Jul 2008 05:49:50 GMT
  Content-type: text/html
  Transfer-encoding: chunked
  19b
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <ResponseSet vers="1.0" svcid="session" reqid="258">
  <Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
  <GetSession>
  <Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
  AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
  </GetSession>
  </SessionResponse>]]></Response>
  </ResponseSet>On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
  For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
  POST /amserver/sessionservice HTTP/1.1
  Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
  Content-Type: text/xml;charset=UTF-8
  Content-Length: 379
  Cache-Control: no-cache
  Pragma: no-cache
  User-Agent: Java/1.5.0_09
  Host: psam.domain.ru
  Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
  Connection: keep-alive
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <RequestSet vers="1.0" svcid="session" reqid="281">
  <Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
  <SetProperty>
  <SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
  <Property name="uwcstatus" value="active"></Property>
  </SetProperty>
  </SessionRequest>]]></Request>
  </RequestSet> ...and the response is OK:
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <ResponseSet vers="1.0" svcid="session" reqid="281">
  <Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
  <SetProperty>
  <OK></OK>
  </SetProperty>
  </SessionResponse>]]></Response>
  </ResponseSet>

  There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
  The solution for these customers was the following:
  => AM server/client side:
  Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
  => AM client (UWC) side:
  - Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
  <?xml version="1.0" encoding="UTF-8"?>
  <!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
  <sun-web-app>
     <property name="encodeCookies" value="false"/>
     <session-config>
        <session-manager/>
     </session-config>
     <jsp-config/>
  <property name="allowLinking" value="true" />
  </sun-web-app>Regards,
  Shane.

• How do I connect to internet with vz access manager for iphone 4S?

  I have VZ Access Manager on my laptop and want to use it to connect to internet on my new iphone 4S.  How do I do this?

  If you can set up an Ad Hoc wireless network from your laptop, you could use it that way. Once again VZ Access Manager will not enter into the sharing part.
  Plug these search terms into Google:
  set up an ad hoc network
  You'll find lots of instructions.
  Best of luck.