SAP RFC & Access Manager & SSO

Hello,
I need to design an SSO solution in an heterogenous architecture. I think about Sun Access Manager (AM) and its Policy Agents (PA). There are some SAP (ABAP based) systems, which are communicate using SAP Remote Function Call (RFC) protocol. There's no way how to turn it to different protocol.
One of the customer's requests is to authenticate SAP systems together using SSO.
And my question is: Is it possible to install PA in that environment and SSO the RFC protocol? If yes, how to pass through SAP systems original SSO token?
Thanks a lot.
Pat

Similar Messages

Communications Express doesn't create access Manager SSO session

Hi all,
I'm running Communications Express, Sun Access Manager and Sun messaging server, each on seperate hosts.
Single Sign On works i.e. when users have a valid session and point their browser at the Communications Express URL they can access their mail, calendar and addressbooks without further ado.
When they don't have a valid session though and the users go to the Communications Express URL they get a username and password prompt. If they enter valid credentials they will be logged in, but the session created is only a local session, not an Access Manager SSO session. This behaviour has changed from the previous versions of Comm Exp which wouldn't work at all without SSO.
Is it possible to configure communications express to either redirect users to the Access Manager's authentication page or have Comm Exp create the SSO session on the users behalf?
TIA
Herman
Versions:
- Communications Express 6.3 update 1
- Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)
libimta.so 6.3-4.01 (built 17:13:29, Aug 3 2007; 32bit)

Hi Shane,
as always your anwer is better then I could have expected. A more or less complete manual
just hours after asking my question. Thanks!
shane_hjorth wrote:
The cleanest solution I could develop to address the behavioural change was to
leverage a web-server policy agent to perform the redirections.
I wrote up a guide but never received any feedback unfortunately so results-may-vary.
I have republished this guide externally - feedback is welcome:
http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_AgentTook me some time to implement, test and write feedback:
The setup we have is a little more complex then the a single box scenario you
have tested on:
From the internet working inwards we have load balanced
SSL accelerators (apache+SSL doing reverse proxy) in front of
dedicated application servers running communications express.
Mail is retrieved from separate mail-store clusters.
Access manager is configured similarly: load balanced SSL accelerators
in front of application servers running the login page (disributed
authentication UI). Those then talk to the access manager cluster.
Firewalls and access lists between each of those layers. None of the
applications can be accessed directly from the internet and they are
limited in what they can access in the DMZ as well.
I followed your recipe to the letter. After a bit of tweaking everything
worked like a charm. Policy agent installed and configured on the
SUN webserver where communications express is deployed.
Instructions were very good on detail and easy to follow.
We deploy uwc in the root of the server not in /uwc. Something I didn't notice right away.
It would seem that the policy agent expects the values com.sun.am.naming.url
(The URL for the Access Manager Naming service) and
com.sun.am.policy.am.login.url (The URL of the login page on the Access Manager
where users should enter their credentials) to be the same host.
In our setup the URL/host users have to use to log in can't be accessed by the policy agent.
The policy agent should verify sessions directly against the access manager cluster.
I played with some of the override settings in the policy agent configuration file but
without much success. Eventually I used the hostname our users have to use to log
in and abused the /etc/hosts file to map the external hostname to the internal address
of the access manager cluster. Users end up on the correct login page, and the policy
agent can verify the sessions. Ugly, but it works.
The other issue is that the policy agent redirects to:
com.sun.am.policy.am.login.url?goto=URL_Protected_by_Policy_Agent
When a users enters incorrect credentials they get the default login url, without the
goto parameter. (May be bug in access manager or by design...) After entering their
credentials correctly on their second or third try users won't be redirected back to UWC,
but will end up on the default page defined by their iplanet-am-user-success-url LDAP attribute.
I solved that in the policy agents configuration file by adding the gotoOnFail=URL in the
definition of com.sun.am.policy.am.login.url:
com.sun.am.policy.am.login.url = https://login.domain.com:443/amserver/UI/Login?gotoOnFail=https://uwc.domain.com:443When you enter incorrect credentials you'll be redirected back to uwc (where the policy agent
will again intercept you and send you on to the login page for your next try). May be more of
an issue in the policy agent then your manual.
Regards,
Herman

OAM Access Manager SSO solution fails to open docs and pdfs

Hi
I have created a solusion for SSO like this.
OAM against AD, running on windows (server A). Webpass is on IIS.
The applikation I'm protecting is an Weblogic 10.0 application running on windows (server B)
I have also installed the webgate on serverB running on Apache 2.0, and all the installation is done by following the documentation for Weblogic sso
(This is to make the application runnable directly through port 80 and redirecting in Apache)
The sso works fine.
But i have a problem in IE6
When the application is trying to open documents to view them in msword or pdf for printing, the document is not opened, I get an "file not found" exeption in the browser, and the url for getting the document seems very long. (The grey popup)
When I open the application in IE8 it works fine, and the url for getting document seems short (just the docID)
(The application is currently only compatible for IE6 so running it in IE8 will cause other problems)
I cannot find any error messages in any logs.
If I run the excact same application without sso its working fine in both IE8 and IE6
Regards
Tine

Hi
This is a followup to the question in this thread
The system is now able to load pdf's and doc documents, and the reason it did not work before was due to the cache settings on the webgate. The system is now caching documents in the temporarInternetfolder created for the users and loads word and pdf files for printing without problems.
Now.. my problem is that the application is also running a kind of "generate pdf, doc, html files" application which are saving some modified files on the local users area. (my computer)
After that the application ask to load these documents into the applications database.
When I use the Apache mod_weblogic.c to proxy the requests, large files (5 MB) are not able to be loaded into the application database. I get a "the connection with the server was terminated abnormally" exeption.
Small files (94 KB) are working fine.
Does anyone have any idea of what can cause this?
I have upgraded Apache from 2.0.58 to Apache 2.0.63 and I use mod_wl128_20.so as the weblogic module.
Regards
Tine

Other than SAP RFC

hi
i have gone through the Documentation providing all necessary details about how to get connected to SAP RFC access through SAP Widget Foundation, however ,please tell me how to access other backends through coding or using tools in SAP Widget development tool
Viswas

Hi,
for example to access MS Access on the computer, you can use COM (on Windows).
Please check http://manual.widgets.yahoo.com/ in the section System DOM Reference / COM.
Maybe you'll also find this link useful for accessing Microsoft Applications: http://support.microsoft.com/kb/222101
Hope it helps,
Ladislav

UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)

PREAMBULA: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc-links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
Is there some known bug or workaround that matches this description?
Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in UWC/CE web-interface. I have reported them before, then they seemed fixed (not occuring for several tests in a row), but as time has shown, something wrong is still there.
So I'll try to go into deeper detail now, as we've may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
Our setup is split into several Solaris 10 full-root zones hosted on several servers, some of the components are enroute to HA (perhaps we made some mistakes on this part of the way?)
So, we have the following software stack:
1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its servicess.
The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
# imsimta version
Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
"Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (i.e. www.mail.domain.ru which is equivalent in DNS), they have only the Address book, Calendar and Options tabs; no webmail. So far this is resolved by Policy Agent forcing The One name of the server.
Here's the configuration we did specifically for AM SSO:
1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
com.iplanet.am.cookie.encode=false
am.encryption.pwd=<the same value>
all hostname-related parameters point to "psam.domain.ru"
2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
3) in "msg.conf" on "sunmail" (entries added via configutil):
local.webmail.sso.amcookiename = iPlanetDirectoryPro
local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
local.webmail.sso.singlesignoff = yes
local.webmail.sso.uwcenabled = 1
service.http.ipsecurity = no
(perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
--- main.js.orig        Sat Jan 26 07:52:09 2008
+++ main.js     Mon Jul 21 01:06:29 2008
@@ -667,7 +667,8 @@
function cleanup() {
   if(laurel)
-      top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+//      top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+      top.window.location = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
   else
       exec('logout', '', 'exit()')
@@ -1707,7 +1708,8 @@
   if(lg) {
         url = document.location.href
         url = url.substr(0,url.indexOf('webmail'))
-        uwcurl = url + 'base/UWCMain?op=logout'
+//      uwcurl = url + 'base/UWCMain?op=logout'
+        uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
   exit()
}6) Calendar SSO - per docs...
According to ngrep sniffing,
1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
<Request><![CDATA[
<NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
<GetNamingProfile>
</GetNamingProfile>
</NamingRequest>]]>
</Request>
</RequestSet>(receives a large XML list of different Access Manager configuration parameters and URLs)
...then a double-request to /amserver/sessionservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="Session" reqid="686">
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="678">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]>
</Request>
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="679">
<AddSessionListener>
<URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</AddSessionListener>
</SessionRequest>]]>
</Request>
</RequestSet>As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
!!!*** Now, the problem part ***!!!
8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
For the most detail I can provide, I'll even paste the whole HTTP packet:
POST /amserver/sessionservice HTTP/1.1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
Content-type: text/xml;charset=UTF-8
Content-length: 336
Cache-control: no-cache
Pragma: no-cache
User-agent: Java/1.5.0_09
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Host: cos-psam-01.domain.ru
Client-ip: 194.xxx.xxx.xxx
Via: 1.1 https-weblb.domain.ru
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="258">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]></Request>
</RequestSet> The server's error response is apparent:
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 31 Jul 2008 05:49:50 GMT
Content-type: text/html
Transfer-encoding: chunked
19b
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="258">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
<GetSession>
<Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
</GetSession>
</SessionResponse>]]></Response>
</ResponseSet>On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
POST /amserver/sessionservice HTTP/1.1
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
Content-Type: text/xml;charset=UTF-8
Content-Length: 379
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.5.0_09
Host: psam.domain.ru
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="281">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
<SetProperty>
<SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
<Property name="uwcstatus" value="active"></Property>
</SetProperty>
</SessionRequest>]]></Request>
</RequestSet> ...and the response is OK:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="281">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
<SetProperty>
<OK></OK>
</SetProperty>
</SessionResponse>]]></Response>
</ResponseSet>

There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
The solution for these customers was the following:
=> AM server/client side:
Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
=> AM client (UWC) side:
- Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
<sun-web-app>
   <property name="encodeCookies" value="false"/>
   <session-config>
      <session-manager/>
   </session-config>
   <jsp-config/>
<property name="allowLinking" value="true" />
</sun-web-app>Regards,
Shane.

Error during execution of SSO with Oracle Access Manager 11gR2

Hello friends,
I have a problem with SSO using Oracle Access Manager 11g R2, then describes the steps taken in this test:
1. Is accessed by the OAM protected application through IE browser, Chrome and Firefox for testing purposes.
2. The OAM protected application, here is redirected to the OAM page to enter the credentials for the application.
3. Shows the application, and again reorders authentication credentials.
Here the details of the cookie:
a. cookie1: ADMINCONSOLESESSION
b. cokkie2: OAMAuthnCookie_webgate11g.domain.com: 7777
We also found an error when starting the node oam_server in WebLogic Server 11g (10.3.6)
Log:
[2012-11-29T18:16:02.411-05:00] [oam_server1] [ERROR] [JPS-03156] [oracle.jps.authorization.framework] [tid: [ACTIVE].ExecuteThread: '0' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: 0000JhEStpUFW7WFLzRL8A1GhylJ000002,0] [APP: oam_server#11.1.2.0.0] The exception has been thrown by ARME. The authorization result is set to deny.[[
com.bea.security.providers.authorization.asi.InvocationException: ArmeRUNTIME Exception: null
     at com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.isAccessAllowed(AuthorizationProviderImpl.java:396)
     at com.bea.security.ssal.micro.MicroAuthorizationManagerWrapper.isAccessAllowed(MicroAuthorizationManagerWrapper.java:73)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed_internal(AuthorizationServiceImpl.java:914)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:745)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:668)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:622)
     at com.bea.security.AuthorizationService.isAccessAllowed(AuthorizationService.java:365)
     at oracle.security.am.common.policy.runtime.provider.oes.proxy.OESRuntimeProxy.wait4OESRuntimeDBPolicyRefreshCompletion(OESRuntimeProxy.java:263)
     at oracle.security.am.common.policy.runtime.provider.oes.proxy.OESRuntimeProxy.init(OESRuntimeProxy.java:193)
     at oracle.security.am.common.policy.runtime.provider.oes.OESPolicyRuntimeProvider.init(OESPolicyRuntimeProvider.java:167)
     at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.getNewInstance(PolicyRuntimeFactory.java:162)
     at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.init(PolicyRuntimeFactory.java:93)
     at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.getPolicyRuntime(PolicyRuntimeFactory.java:84)
     at oracle.security.am.common.policy.util.PolicyComponentLifecycle.initialize(PolicyComponentLifecycle.java:100)
     at oracle.security.am.lifecycle.ApplicationLifecycle.initComponentBootstrap(ApplicationLifecycle.java:156)
     at oracle.security.am.lifecycle.ApplicationLifecycle.contextInitialized(ApplicationLifecycle.java:86)
     at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:481)
     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
     at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
     at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:181)
     at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1868)
     at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:3154)
     at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1518)
     at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:484)
     at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
     at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
     at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
     at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
     at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:247)
     at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
     at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
     at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
     at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:27)
     at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:671)
     at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
     at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:212)
     at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:59)
     at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
     at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
     at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
     at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
     at weblogic.management.deploy.internal.DeploymentAdapter$1.doActivate(DeploymentAdapter.java:51)
     at weblogic.management.deploy.internal.DeploymentAdapter.activate(DeploymentAdapter.java:200)
     at weblogic.management.deploy.internal.AppTransition$2.transitionApp(AppTransition.java:30)
     at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:261)
     at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:220)
     at weblogic.management.deploy.internal.ConfiguredDeployments.activate(ConfiguredDeployments.java:169)
     at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:123)
     at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:180)
     at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:96)
     at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: com.wles.InternalException: ArmeRUNTIME Exception: null
     at com.wles.arme.Credentials_ca.exceptionTransport(Credentials_ca.java:606)
     at com.wles.arme.Credentials_ca._accessAllowed(Credentials_ca.java:343)
     at com.wles.arme.CredentialsImpl._accessAllowed(CredentialsImpl.java:400)
     at com.wles.arme.CredentialsImpl._accessAllowed(CredentialsImpl.java:422)
     at com.wles.arme.CachingCredentialsImpl._accessAllowed(CachingCredentialsImpl.java:225)
     at com.wles.arme.CredentialsImpl.accessAllowed(CredentialsImpl.java:452)
     at com.wles.arme.CachingCredentialsImpl.accessAllowed(CachingCredentialsImpl.java:68)
     at com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.ARMEisAccessAllowed(AuthorizationProviderImpl.java:977)
     at com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.isAccessAllowed(AuthorizationProviderImpl.java:347)
     ... 52 more
causal exception is:
com.wles.InternalException: ArmeRUNTIME Exception: null
     at com.wles.arme.Credentials_ca.exceptionTransport(Credentials_ca.java:606)
     at com.wles.arme.Credentials_ca._accessAllowed(Credentials_ca.java:343)
     at com.wles.arme.CredentialsImpl._accessAllowed(CredentialsImpl.java:400)
     at com.wles.arme.CredentialsImpl._accessAllowed(CredentialsImpl.java:422)
     at com.wles.arme.CachingCredentialsImpl._accessAllowed(CachingCredentialsImpl.java:225)
     at com.wles.arme.CredentialsImpl.accessAllowed(CredentialsImpl.java:452)
     at com.wles.arme.CachingCredentialsImpl.accessAllowed(CachingCredentialsImpl.java:68)
     at com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.ARMEisAccessAllowed(AuthorizationProviderImpl.java:977)
     at com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.isAccessAllowed(AuthorizationProviderImpl.java:347)
     at com.bea.security.ssal.micro.MicroAuthorizationManagerWrapper.isAccessAllowed(MicroAuthorizationManagerWrapper.java:73)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed_internal(AuthorizationServiceImpl.java:914)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:745)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:668)
     at com.bea.security.impl.AuthorizationServiceImpl.isAccessAllowed(AuthorizationServiceImpl.java:622)
     at com.bea.security.AuthorizationService.isAccessAllowed(AuthorizationService.java:365)
     at oracle.security.am.common.policy.runtime.provider.oes.proxy.OESRuntimeProxy.wait4OESRuntimeDBPolicyRefreshCompletion(OESRuntimeProxy.java:263)
     at oracle.security.am.common.policy.runtime.provider.oes.proxy.OESRuntimeProxy.init(OESRuntimeProxy.java:193)
     at oracle.security.am.common.policy.runtime.provider.oes.OESPolicyRuntimeProvider.init(OESPolicyRuntimeProvider.java:167)
     at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.getNewInstance(PolicyRuntimeFactory.java:162)
     at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.init(PolicyRuntimeFactory.java:93)
     at oracle.security.am.common.policy.runtime.PolicyRuntimeFactory.getPolicyRuntime(PolicyRuntimeFactory.java:84)
     at oracle.security.am.common.policy.util.PolicyComponentLifecycle.initialize(PolicyComponentLifecycle.java:100)
     at oracle.security.am.lifecycle.ApplicationLifecycle.initComponentBootstrap(ApplicationLifecycle.java:156)
     at oracle.security.am.lifecycle.ApplicationLifecycle.contextInitialized(ApplicationLifecycle.java:86)
     at weblogic.servlet.internal.EventsManager$FireContextListenerAction.run(EventsManager.java:481)
     at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
     at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
     at weblogic.servlet.internal.EventsManager.notifyContextCreatedEvent(EventsManager.java:181)
     at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1868)
     at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:3154)
     at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1518)
     at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:484)
     at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
     at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
     at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
     at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
     at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:247)
     at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
     at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
     at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
     at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:27)
     at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:671)
     at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
     at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:212)
     at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:59)
     at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
     at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
     at weblogic.deploy.internal.targetserver.BasicDeployment.activate(BasicDeployment.java:184)
     at weblogic.deploy.internal.targetserver.BasicDeployment.activateFromServerLifecycle(BasicDeployment.java:361)
     at weblogic.management.deploy.internal.DeploymentAdapter$1.doActivate(DeploymentAdapter.java:51)
     at weblogic.management.deploy.internal.DeploymentAdapter.activate(DeploymentAdapter.java:200)
     at weblogic.management.deploy.internal.AppTransition$2.transitionApp(AppTransition.java:30)
     at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:261)
     at weblogic.management.deploy.internal.ConfiguredDeployments.transitionApps(ConfiguredDeployments.java:220)
     at weblogic.management.deploy.internal.ConfiguredDeployments.activate(ConfiguredDeployments.java:169)
     at weblogic.management.deploy.internal.ConfiguredDeployments.deploy(ConfiguredDeployments.java:123)
     at weblogic.management.deploy.internal.DeploymentServerService.resume(DeploymentServerService.java:180)
     at weblogic.management.deploy.internal.DeploymentServerService.start(DeploymentServerService.java:96)
     at weblogic.t3.srvr.SubsystemRequest.run(SubsystemRequest.java:64)
     at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
     at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
We appreciate your support in solving the case. Thanks...
JLK
Edited by: JLK on Nov 30, 2012 9:43 AM

Hi Viju,
Did you executed the python script to register OPSS. If not then you will get the mentioned error:
I have mentioned couple of workarounds. Can you try those and let me know the results. Take the backup of your entire environment before you follow the steps:::
1. For the ARME issue patch can be applied for 11.1.2
OAM Bundle Patch Release History (Doc ID 736372.1)
Yes. This is a benign message. ( the ARME issue)
OAM 11R2 After Upgrade The Managed Server Start With Error ArmeRUNTIME Exception: Null (Doc ID 1509559.1)
The other issue is under investgation and is benign.
<oracle.adfinternal.view.faces.renderkit.rich.RegionRenderer> WARNING when accessing oamconsole (Doc ID 1511967.1)
The final message is spoken to here:
WLS 10.3.3: "Auto-Ref-By: WebApp" deployed as shared library is affecting other web applications. (Doc ID 1210393.1)
Action Plan:
=========
1. For the ARME issue patch can be applied for 11.1.2
OAM Bundle Patch Release History (Doc ID 736372.1)
Hope this helps.

Solution Manager 4.0 Title says "SAP Easy Access CRM"

Hi,
We installed Solution Manager 4.0 on Solaris/Oracle.
Solution Manager 4.0 Title in Easy Access page says "SAP Easy Access
Customer Relationship Management"
I want to change the title. So I created a customer message with SAP. They gave following steps. I followed these steps. It just displays the title. I don't see any option to edit the existing title.
Did you come across this situation?. If so, can you please shed some light?. Thank you very much for your time.
Steps
The menue which is displayed as initial menue can be defined in the IMG
(transaction SPRO) under the following path:
SAP Solution Manager Implementation Guide
- SAP Customizing Einführungsleitfaden
- SAP NetWeaver
- Application Server
- System administration
- Definition on initial menu
Please change this to: AI_SOLAR -SAP Solution Manager

What was the solution?
Hamed

How to Migrate 10g sso integrate with EBS 11.5.10.2 to 11g OAM(oracle access manager) with R12.1.3

How to Migrate 10g sso integrated with EBS 11.5.10.2 to 11g OAM(oracle access manager) with R12.1.3
Os:Linux 64 bit
database:11.2.0.3 Rac

Hi,
You could try working through the EBS -> APEX integration article on the Apex community site (http://www.oracle.com/technetwork/developer-tools/apex/apex-ebs-wp-cabot-consulting-169064.pdf)
Rod West

Very Urgent: Sun Access Manager 7.1 SSO with Domino 6.5.4

Hi,
I am facing some perplexing issue while making SSO work on Domino ( running on Win2k3 )using Sun AM 7.1( running on the same machine ).
After following all the steps outlined in the policy agent 2.2 guide, I am not being able to access 'names.nsf' in the browser. The Domino Server is getting crashed.
The log which I get in 'amagent' says :
2007-05-31 00:31:11.906 Error 4136:7b42aa8 PolicyAgent: render_response(): Entered.
2007-05-31 00:32:01.109 Error 4136:7b43210 PolicyEngine: am_policy_evaluate: InternalException in AuthService::create_auth_context() with error message:Error sending request for authentication context from server. and code:16
What do I need to do inorder to make it work.
I also have some questions regarding the agent. The doc says that the name of the DSAPI filter is "libamdomino6.dll". whereas in the agent which i downloaded from SUN, i only see "amdomino6.dll" & "amdomino.dll". Are the dlls correct. Which one should I use?
Also i have set the values in properties file as :
com.sun.am.policy.am.username =testAgent
com.sun.am.policy.am.password =LYnKyOIgdWt404ivWY6HPQ==
after creating an Agent under Subjects under the main realm. Have also put the crypted password.
Moreover, Now if i remove the DSAPI filter value, then the domino server is no longer protected. And i can access any url on the server.
If you have any idea as to how to make this work, please let me know asap.
Thanks & Regards,
Niraj

Hi,
I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
I have the box to identify but it doesnot connect me on my opensso server.
It still identify with Domino's server
Thanks for your response
Thomas

WCI single sign on(SSO) configurations with Oracle Access Manager(OAM)

I have to integrate the oracle access manager with the WCI(ALUI) for the SSO implementation.What are the configurations required to implement SSO with oracle access manager in WCI/ALUI

Any answer to the last question on..?
No, better explain my query with 2 scenarios:
Scenario 1:
Usual scenario authentication of a user to a web application without the single web functionality on the acces single manager:
Login screen of the web application ====> Access to the web application home
Scenario 2:
Scenario authentication of a user to a single web application with web functionality on the acces single manager:
Login screen oracle access manager ====> Display login web application ====> Access to the web application home
My query is:
You can configure the functionality of single sign on to access manager with a web application that does not have its login screen of the web application. For example:
Login screen oracle access manager ====> Access to the web application home

Oracle Apex - SSO with IBM Tivoli Access Manager WebSeal - filters out Files with Server Error 500

Hi,
We are using IBM Tivoli Access Manager for SSO to authenticate users to access our APEX application. The authentication works but...
When the application is being accessed with the WebSeal JS/CSS files are randomly not loaded and show up with either HTTP 400 or HTTP 500 error in the FF Toolbar Console. Of course without certain CSS / JS files the application can't be used by the user.
If the application is accessed without WebSeal all files are loaded successful.
Our set up:
There are two APEX Applications using the WebSeal - the first one apparently works
Apex Listener on Tomcat7.0
Apex 4.2.6
We tried all kind of different WebSeal configurations but nothing worked so far.
I found the following:
interactive report problem with SSO
==> Does anyone know how to use mapping tables and does it help?
Interactive report javascript error due to proxy
==> The solution is for EPG but we use Tomcat as Listener so the solution does not apply
Does anyone know how to configure the WebSeal ?
Thanks

I have same issue with Apex 4.2.6 and Webseal, but only on Mobile Application. Desktop Application is ok.
I have raise a SR on supportweb, but SR engineer tell me it's may be the Webseal issue, they can't reproduce it with Oracle Access Manger.
It's really a tough issue.

Integrate external identity management solution in SAP GRC Access Control

We need to integrate an external identity management solution into SAP GRC Access Enforcer. Some white paper mention extensibility is provided by web services. It seems that none of these web services are documented. Does anybody have infos about these services and documentation. Any hint is appreciated.
thanks
Detlef

Unfortunately Access Enforcer doesn't implement a number of critical requirements and implementing it "as is" would be a lot of steps backwards in our process.
what do the published webservices do? Is there any documentation about them?
In a part of our process, we must manually pick the current roles(1), the pending roles(2) (roles that were approved but not given due to training prerequisites) and the requested new roles(3) and make the simulation in the VCC.
The information (1) and (2) and (3) we have in our internal system, the information (1) we have inside VCC and (2) and(3) must be manually inputted by the operator to run the simulations. Since this operation is repeated 6000+ times a month in my company, eliminating this manual input will cause a great gain in efficiency.
Other thing that we want to do is to create a job where it would automatically desassociate the mitigating controls if the user does not have the risks anymore (users can lose roles automatically in some events here, so it would be coherent that the user also loses the associated mitigating controls)
IMHO as a former programmer, these are classic cases where I would like to consume some webservices for this tasks to avoid a lot of ctrc ctrlv from the operators (inefficient and error prone)
VCC has any documentation that would help me to find how I would do this integrations?
Thanks in advance

Too Slow - Domino 6.5.4 with access manager agent 2.2 ?

I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
I think AMAgent.properties is not good for SSO.
Please help me to tune it.
# $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
# Copyright ? 2002 Sun Microsystems, Inc. All rights reserved.
# U.S. Government Rights - Commercial software. Government users are
# subject to the Sun Microsystems, Inc. standard license agreement and
# applicable provisions of the FAR and its supplements. Use is subject to
# license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
# trademarks or registered trademarks of Sun Microsystems, Inc. in the
# U.S. and other countries.
# Copyright ? 2002 Sun Microsystems, Inc. Tous droits r閟erv閟.
# Droits du gouvernement am閞icain, utlisateurs gouvernmentaux - logiciel
# commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
# licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
# vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl閙ents
# ? celles-ci.
# Distribu? par des licences qui en restreignent l'utilisation. Sun, Sun
# Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
# marques d閜os閑s de Sun Microsystems, Inc. aux Etats-Unis et dans
# d'autres pays.
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Access Manager
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Access Manager will disable the SDK.
com.sun.am.cookie.name = iPlanetDirectoryPro
# The URL for the Access Manager Naming service.
com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
# The URL of the login page on the Access Manager.
com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
# Name of the file to use for logging messages.
com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
com.sun.am.policy.agents.config.local.log.rotate = true
# Name of the Access Manager log file to use for logging messages to
# Access Manager.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Access Manager.
com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
# Set the logging level for the specified logging categories.
# The format of the values is
#     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
#     0     Disable logging from specified module*
#     1     Log error messages
#     2     Log warning and error messages
#     3     Log info, warning, and error messages
#     4     Log debug, info, warning, and error messages
#     5     Like level 4, but with even more debugging messages
# 128     log url access to log file on AM server.
# 256     log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.log.level =
# The org, username and password for Agent to login to AM.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certdb.prefix =
# Should agent trust all server certificates when Access Manager
# is running SSL?
# Possible values are true or false.
com.sun.am.trust_server_certs = true
# Should the policy SDK use the Access Manager notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notification.enable = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.url_comparison.case_ignore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.polling.interval=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the access manager. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userid.param=UserToken
# Profile attributes fetch mode
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-
number,c|country
# Session attributes mode
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.session.attribute.map=
# Response Attribute Fetch Mode
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.response.attribute.map=
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.lb.cookie.name = GX_jst
# indicate where a load balancer is used for Access Manager
# services.
# true | false
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.config.version=2.2
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
# Locale setting.
com.sun.am.policy.agents.config.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.config.instance.name = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.config.do_sso_only = true
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.config.accessdenied.url =
# This property indicates if FQDN checking is enabled or not.
com.sun.am.policy.agents.config.fqdn.check.enable = true
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
# com.sun.am.policy.agents.config.fqdn.map
com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Access Manager policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.config.fqdn.map =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Access Manager for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
com.sun.am.policy.agents.config.cookie.reset.enable=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Access Manager.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.config.cookie.reset.list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
com.sun.am.policy.agents.config.cookie.domain.list=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.config.anonymous_user=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.config.anonymous_user.enable=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?
OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.config.notenforced_list.invert = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.config.notenforced_client_ip_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.config.postdata.preserve.enable = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url =
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.config.client_ip_validation.enable = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.config.logout.url=
#http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.config.logout.cookie.reset.list =
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Access Manager.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetch_from_root_resource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.config.get_client_host_name = false
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.config.convert_mbyte.enable = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.policy.agents.config.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port =
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
com.sun.am.policy.agents.config.override_notification.url =
# The following property defines how long to wait in attempting
# to connect to an Access Manager AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active Access Manager Auth server"
com.sun.am.policy.agents.config.connection_timeout =
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# The three following properties are for IIS6 agent only.
# The two first properties allow to set a username and password that will be
# used by the authentication filter to pass the Windows challenge when the Basic
# Authentication option is selected in Microsoft IIS 6.0. The authentication
# filter is named amiis6auth.dll and is located in
# Agent_installation_directory/iis6/bin. It must be installed manually on
# the web site ("ISAPI Filters" tab in the properties of the web site).
# It must also be uninstalled manually when unintalling the agent.
# The last property defines the full path for the authentication filter log file.
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilter

Hi,
I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
I have the box to identify but it doesnot connect me on my opensso server.
It still identify with Domino's server
Thanks for your response
Thomas

Setting up Access Manager and Directory Server for Failover.

I'm setting up 2 Access Managers AM1,AM2 and 2 Directory Servers DS1 and DS2 for failover. I've connected AM1 and AM2 to DS1. Suffixes of DS1 is replicated to DS2. Any change made to AM1 is replicated to AM2 as expected. I just patched AM1 with Access Manager patch 1 and the version information for AM1 shows 7.1 126359-01. I followed the same procedure to patch AM2 but AM2 still shows ver 7.1.
How do I make sure both Access Managers are patched to the same version?
I'm able to authenticate to one IIS6 site and authentication is passed on to Outlook Web Access on AM1 but when I shut down AM1 to test failover to AM2 OWA prompts me again for password. How do I resolve this?
On AM1 http://host.domain/amserver/UI/Login?realm=sso successfully logs in but the same on AM2 gives Warning that "You have already logged in. Do you want to log out and then login to a different organization?"
Please help !!!

I'll answer what bits I can:
Q: AM showing the same version?
A: No idea on this one. I would have expected the operation you described to have produced the right answer. Check that neither your application server nor your web browser are caching old pages (ctrl-F5 in my browser)
Q: How do I resolve re-authentication on failover?
A: The AM documentation includes a deployment example that covers pretty closely what it is you are trying to achieve:
http://docs.sun.com/app/docs/doc/820-2278
Specifically, the problem you are describing is related to session failover. The sessions are stored in a local DB so when you failover the backup server does not store the same information and hence requires a reauthentication. The section of the above doc that deals with this is here:
http://docs.sun.com/app/docs/doc/820-2278/gdsre?l=en&a=view
Q: "You have already logged in" warning
A: No idea. Sorry.
R

Problem of degradation in Access Manager 7.1 in SUNWappserv8.2

Hi all,
We have a problem in our enviroment...
Have 2 nodes of AM, periodically we have some problems of degradation in each node, high times of response +30seconds, all seems perfect until some more traffic or requests begin to appears in the system, the rare is somes request going well and other going bad with more 30 seconds of time.... we are searching problems like memory leak but all is perfect "word of our support" even the machine is nice, not saturate....
Not found nothing in server.log, is like nothing happen but our times of resquest are so high even produces than in the other node the queue of notification rise so fast to the limit.
What could be?
could be a problem with our ldap connections than enqueue and affect to the listener?
In the moments of problems even with curls the port of AM response so so slowly more than 30 seconds, but seems fixed in some minutes so, we especulate with the high traffic, but the rare is the other node all is perfect! no problems, not saturate... Only have logs (a lot of) in the server.log of appserv of the node with problems like:
|SEVERE|sun-appserver-ee8.2|javax.enterprise.system.container.web|_ThreadID=73;|failure (11210): HTTP3068: Error
receiving request from xxxxx (Not connected)
And in PA we have some logs than means saturation or high load
"Error 30678:8779160 SSOTokenService::getSessionInfo(): Error 18 for sso token ID"
but like i said the other node not show that, and the high load is basically the same all days.
could we find some answers with a kill -3 of the instance?
We discarded problems with ndsltimeout of ldap firewall or balancer
Thanks a lot!

We found a reason of this degradation, could be possible than, if one Policy Agent not answer, because the appserv -in this case weblogic- is saturated, could affected to the AM? I mean the appserv where the PA is installed depend of a finale system and this system is generating timeouts, and the appserv the is affected and the PA installed in it too, then all requests from the Access Manager have times of 30 40 50 seconds...
Can we have a solution configuring some specs in the AM or the solaris connections? like timeouts or time request?
I think the problem is this, because this PA installed attend the most request of the users
Anyway we thought than can fight to this tunning some specs in solaris like tcp_conn_req_max_q or tcp_conn_req_max_q0 and some timeouts like -Dsun.net.client.defaultConnectTimeout=10000 -Dsun.net.client.defaultReadTimeout=10000 but not seems enough because we are suffering this problems again.
If someone have an idea will be awesome, thanks!

SAP RFC & Access Manager & SSO

Similar Messages

Maybe you are looking for