Sun Access Manager 2005Q1 session failover is not working

Hi All
I'm using Sun Access Manager 2005Q1, Message Queue 2005Q1, Sun Directory Server 5.2, Berkeley DB 4.2.52 and a Radware hardware load balancer with sticky sessions.
I have configured Message Queue and Berkeley DB and both are running without any error.
I'm using the http://docs.sun.com/source/817-7644/ch5_scenarios.html#wp41008 doc for session failover.
Simple failover is working fine but session failover is not working.
Has anybody done session failover with Sun Access Manager 2005Q1? I have been trying to resolve this issue for the last two months.
Please, it is urgent.

It works fine in 2005Q4, after applying patch 120954 if I am not mistaken. But 2005Q4 and 2005Q1 are probably different in terms of session failover (site configuration etc.)
1. Stop both AM servers
2. Set logging to debug mode in AMConfig.properties.
3. Delete / move everything in /var/opt/SUNWam/debug
4. tail -f /var/opt/SUNWam/debug/amSession
5. Post that file here... you should be able to see if session failover is enabled etc....
Hope this helps.

Similar Messages

  • Session-failover-enabled not working in iWS6 with a FileStore

    I'm trying to use a FileStore to implement session persistence using IWSSessionManager. I have the following in my web-apps.xml:
    <web-app uri="/Banking" dir="c:/java/online">
    <session-manager class='com.iplanet.server.http.session.IWSSessionManager'>
    <init-param>
    <param-name>session-data-store</param-name>
    <param-value>com.iplanet.server.http.session.FileStore</param-value>
    </init-param>
    <init-param>
    <param-name>session-data-dir</param-name>
    <param-value>c:/iplanet/servers/SessionData</param-value>
    </init-param>
    <init-param>
    <param-name>session-failover-enabled</param-name>
    <param-value>false</param-value>
    </init-param>
    </session-manager>
    </web-app>
    I'm seeing the following exception in my log:
    [12/Jun/2002:10:10:56] info ( 320): java.io.NotSerializableException: com.iplanet.server.http.servlet.WebApplication
    at java.io.ObjectOutputStream.outputObject(ObjectOutputStream.java:1148)
    at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:366)
    at java.io.ObjectOutputStream.outputClassFields(ObjectOutputStream.java:1827)
    at java.io.ObjectOutputStream.defaultWriteObject(ObjectOutputStream.java:480)
    at java.io.ObjectOutputStream.outputObject(ObjectOutputStream.java:1214)
    at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:366)
    at java.io.ObjectOutputStream.outputClassFields(ObjectOutputStream.java:1827)
    at java.io.ObjectOutputStream.defaultWriteObject(ObjectOutputStream.java:480)
    at java.io.ObjectOutputStream.outputObject(ObjectOutputStream.java:1214)
    at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:366)
    at java.util.Hashtable.writeObject(Hashtable.java:764)
    at java.lang.reflect.Method.invoke(Native Method)
    at java.io.ObjectOutputStream.invokeObjectWriter(ObjectOutputStream.java:1864)
    at java.io.ObjectOutputStream.outputObject(ObjectOutputStream.java:1210)
    at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:366)
    at com.iplanet.server.http.session.IWSHttpSession.writeObject(IWSHttpSession.java:764)
    at java.lang.reflect.Method.invoke(Native Method)
    at java.io.ObjectOutputStream.invokeObjectWriter(ObjectOutputStream.java:1864)
    at java.io.ObjectOutputStream.outputObject(ObjectOutputStream.java:1210)
    at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:366)
    at com.iplanet.server.http.session.FileStore.save(FileStore.java:167)
    at com.iplanet.server.http.session.IWSSessionManager.update(IWSSessionManager.java:499)
    at com.iplanet.server.http.servlet.NSHttpServletRequest.closeInputStream (NSHttpServletRequest.java:612)
    at com.iplanet.server.http.servlet.NSServletRunner.servicePostProcess(NSServletRunner.java:857)
    at com.iplanet.server.http.servlet.NSServletRunner.invokeServletService(NSServletRunner.java:942)
    at com.iplanet.server.http.servlet.WebApplication.service(WebApplication.java:1065)
    at com.iplanet.server.http.servlet.NSServletRunner.ServiceWebApp(NSServletRunner.java:959)
    Any ideas what's wrong?
    I should note that I don't think it is because I am storing non-serializable things in the session attributes. I think this because originally I was getting an exception that said that a specific attribute wasn't serializable. I changed the class definition of the class I was storing in that attribute to include "implements java.io.Serializable" and that problem went away.
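The trace above runs from the session's attribute Hashtable through two levels of defaultWriteObject before it reaches WebApplication, which is what happens when an attribute that is itself Serializable still holds a field pointing at a non-serializable container object. The following is an added example, not code from the post or from iPlanet: it serializes an attribute table the way a session store would and reports the first class that cannot be written, then shows the same attribute with the container reference marked transient. ContainerHandle, AccountView and AccountViewFixed are constructed stand-ins.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Hashtable;

public class SessionSerializationCheck {

    // Stand-in for a container object such as WebApplication: it is not Serializable.
    static final class ContainerHandle {
        final String name;
        ContainerHandle(String name) { this.name = name; }
    }

    // Declared Serializable, yet it keeps a reference to the container object.
    // Default serialization follows that field, so persisting the session fails.
    static final class AccountView implements Serializable {
        private static final long serialVersionUID = 1L;
        final String accountId;
        final ContainerHandle handle;
        AccountView(String accountId, ContainerHandle handle) {
            this.accountId = accountId;
            this.handle = handle;
        }
    }

    // Corrected version: the container reference is transient, so it is skipped
    // on write and must be re-acquired after the session is loaded from the store.
    static final class AccountViewFixed implements Serializable {
        private static final long serialVersionUID = 1L;
        final String accountId;
        transient ContainerHandle handle;
        AccountViewFixed(String accountId, ContainerHandle handle) {
            this.accountId = accountId;
            this.handle = handle;
        }
    }

    // Writes the attribute table the way a session store would. Returns null when
    // everything serializes, otherwise the class name carried by the exception.
    static String firstNonSerializable(Hashtable<String, Object> attributes) {
        try {
            ObjectOutputStream out = new ObjectOutputStream(new ByteArrayOutputStream());
            out.writeObject(attributes);
            out.close();
            return null;
        } catch (NotSerializableException e) {
            return e.getMessage();
        } catch (IOException e) {
            throw new IllegalStateException("unexpected I/O failure on in-memory stream", e);
        }
    }

    public static void main(String[] args) {
        ContainerHandle handle = new ContainerHandle("Banking");

        // Constructed sample: a Serializable attribute that still drags the container in.
        Hashtable<String, Object> nested = new Hashtable<String, Object>();
        nested.put("account", new AccountView("acct-42", handle));
        System.out.println("nested reference: " + firstNonSerializable(nested));

        // Same data with the container reference marked transient.
        Hashtable<String, Object> fixed = new Hashtable<String, Object>();
        fixed.put("account", new AccountViewFixed("acct-42", handle));
        System.out.println("transient reference: " + firstNonSerializable(fixed));
    }
}
```

Running the same check against a real session's attribute map, one attribute at a time, names the attribute that drags the container in, which the stack trace alone does not.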

Hi Sija,
Can I have the detailed scenario of your cluster configuration?
You are saying that you are going to start the cluster package manually; if that is right, please make sure that you have the same copy of the start and instance profiles of Node A on Node B. That means you need to maintain two startup profiles and two instance profiles for both nodes. In a normal situation it will pick the profile of Node A to start the database from Node A. But in a failover situation it will not pick the Node A profile to start; it should pick Node B's profiles.
Just make a copy from Node A and change the profile name accordingly for Node B. Then try to restart.
Regards
Nick Loy

  • Sun access Manager session failover

    Hi,
I am trying to install Sun Access Manager (2005Q1) with session failover. I have a hardware load balancer under which I have configured Access Manager on two separate boxes.
For session failover I have configured the Berkeley database on both systems but am unable to start the database.
Now I got the information that Access Manager 6.1 does not support session failover.
Can anyone confirm if Access Manager 6.1 supports failover or whether we need to upgrade it?
Thx in advance.
ASN

One clarification. AM 6.1 did have the session failover feature. But it was container dependent. It used container features to provide this. Each container had its own configuration. It was made independent of the containers in the AM 6.3 release. I would strongly recommend using AM 6.3 or above if you are using session failover.
    shivaram

  • Policy Agent doesn't reset Sun Access Manager session time idle value

    Hi,
    We have the following setup in our environment:
    - apache web server/web and policy agent 2.2 for apache 2.0.54
    - webmethods portal server (jetty)
    -Sun Access Manager (with Sun Directory Server)
    We use the policy agent for authentication purposes only (via Sun Access Manager/LDAP) when the users access the portal. We have custom code that creates a session in Sun Access Manager for custom LDAP services. For testing purposes, we configure the SAM session to have Max Session Timeout at 120 mins and Time Idle at 15 mins. I would assume that, after the initial login request, for all subsequent accesses to the portal the policy agent should intercept the request and reset the Time Idle value of the SAM session. However, when I monitor the time idle value using the SAM console, session tab, the time idle value didn't change when the portal user accessed pages, submitted actions, etc. I can see in the debug log of the policy agent that requests are being intercepted/processed, but the time idle didn't get reset.
    Does anyone know if this is a bug in configuration or in policy agent itself or am I making the wrong assumption?
    Thanks a lot for the help.

    Thanks for the reply, Shivaram. The issue appears to occur at random times, not accurately at the 3 min interval as you mention. I tested changing this value to 1; theoretically, after 1 minute of idle time, accessing a link would make the agent reset the time idle value for the user session in SAM, but it didn't even after 3 minutes. This seems to be either a policy agent or system access manager bug.
    We performed a 'vanilla' test using the Apache server manual pages (only plain HTML, no POST requests); the pages are protected by the policy agent. At the first login, we were prompted to enter credentials to be validated by SAM/LDAP, and then a user session is created in the SAM session table. We browsed around the manual pages; once in a while, certain pages cause the policy agent to reset the time idle. However, revisiting these links after a few minutes doesn't reset the idle value. The caching setting has been disabled as well. Could there be some settings, or a lack of some settings, in AMConfig.properties or AMAgent.properties that might have caused this behavior?
    Thanks for all your help,

  • Not able to login to Sun Access Manager

    Hi All,
    I am new to Sun Access Manager. I changed the LDAP configuration in Identity Management->Authentication Module->LDAP to some incorrect LDAP server. Now I am not able to log in to the amconsole of Access Manager. I am getting an Authentication fail error. Is there any way I can revert the changes I have made for the LDAP, as I am not able to open the console to revert the changes?
    Thanks in advance,
    Annu

    Check your AppServer to see whether it is up and running or not.

  • HELP GETTING Started with Sun Access Manager without TEARS.

    I am new to Sun Access Manager.
    I am quite familiar with how Sun Java Identity Manager works.
    The following is the issue I am facing.
    I've downloaded the following images from the Sun website
    java_es_05Q4-ga1-solaris-x86-1-iso
    and
    java_es_05Q4-ga1-solaris-x86-2-iso
    I've installed the components on Sun Solaris 10
    The following components were installed
    /opt/SUNWcomds
    I am not sure what this is for
    /opt/SUNWdsvmn
    I am not sure what it is.
    /opt/SUNWma
    What is this I was expecting SUNWam the access management software!
    /opt/SUNWwbsvr -- This is the Web Server.
    I know how to use it.
    Can anyone tell me how to go about it?
    Is there any online tutorial for the same?
    What is the difference between the SPARC version and x86? Can I use either of these on Solaris 10?
    Any help getting started would be highly appreciated.
    I am looking at doing the following things.
    ssl,fed, auth, custauth etc
    Thanks a ton in Advance.
    Regards,
    Vinod

    I documented my installation procedure for Access Manager 7.0 (2005Q4) and Portal 7.0. Take a look at my wiki page:
    http://wiki.its.queensu.ca/display/JES/Access+Manager+installation
    It's a two node Access manager Legacy site and I also implemented session-failover using Message Queue and Berkeley Database.

  • Communications Express doesn't create access Manager SSO session

    Hi all,
    I'm running Communications Express, Sun Access Manager and Sun Messaging Server, each on separate hosts.
    Single Sign On works i.e. when users have a valid session and point their browser at the Communications Express URL they can access their mail, calendar and addressbooks without further ado.
    When they don't have a valid session though and the users go to the Communications Express URL they get a username and password prompt. If they enter valid credentials they will be logged in, but the session created is only a local session, not an Access Manager SSO session. This behaviour has changed from the previous versions of Comm Exp which wouldn't work at all without SSO.
    Is it possible to configure communications express to either redirect users to the Access Manager's authentication page or have Comm Exp create the SSO session on the users behalf?
    TIA
    Herman
    Versions:
    - Communications Express 6.3 update 1
    - Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)
    libimta.so 6.3-4.01 (built 17:13:29, Aug 3 2007; 32bit)

    Hi Shane,
    as always your answer is better than I could have expected. A more or less complete manual
    just hours after asking my question. Thanks!
    shane_hjorth wrote:
    The cleanest solution I could develop to address the behavioural change was to
    leverage a web-server policy agent to perform the redirections.
    I wrote up a guide but never received any feedback unfortunately so results-may-vary.
    I have republished this guide externally - feedback is welcome:
    http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent
    Took me some time to implement, test and write feedback:
    The setup we have is a little more complex than the single box scenario you
    have tested on:
    From the internet working inwards we have load balanced
    SSL accelerators (apache+SSL doing reverse proxy) in front of
    dedicated application servers running communications express.
    Mail is retrieved from separate mail-store clusters.
    Access manager is configured similarly: load balanced SSL accelerators
    in front of application servers running the login page (distributed
    authentication UI). Those then talk to the access manager cluster.
    Firewalls and access lists between each of those layers. None of the
    applications can be accessed directly from the internet and they are
    limited in what they can access in the DMZ as well.
    I followed your recipe to the letter. After a bit of tweaking everything
    worked like a charm. Policy agent installed and configured on the
    SUN webserver where communications express is deployed.
    Instructions were very good on detail and easy to follow.
    We deploy uwc in the root of the server not in /uwc. Something I didn't notice right away.
    It would seem that the policy agent expects the values com.sun.am.naming.url
    (The URL for the Access Manager Naming service) and
    com.sun.am.policy.am.login.url (The URL of the login page on the Access Manager
    where users should enter their credentials) to be the same host.
    In our setup the URL/host users have to use to log in can't be accessed by the policy agent.
    The policy agent should verify sessions directly against the access manager cluster.
    I played with some of the override settings in the policy agent configuration file but
    without much success. Eventually I used the hostname our users have to use to log
    in and abused the /etc/hosts file to map the external hostname to the internal address
    of the access manager cluster. Users end up on the correct login page, and the policy
    agent can verify the sessions. Ugly, but it works.
    The other issue is that the policy agent redirects to:
    com.sun.am.policy.am.login.url?goto=URL_Protected_by_Policy_Agent
    When a users enters incorrect credentials they get the default login url, without the
    goto parameter. (May be bug in access manager or by design...) After entering their
    credentials correctly on their second or third try users won't be redirected back to UWC,
    but will end up on the default page defined by their iplanet-am-user-success-url LDAP attribute.
    I solved that in the policy agents configuration file by adding the gotoOnFail=URL in the
    definition of com.sun.am.policy.am.login.url:
    com.sun.am.policy.am.login.url = https://login.domain.com:443/amserver/UI/Login?gotoOnFail=https://uwc.domain.com:443
    When you enter incorrect credentials you'll be redirected back to uwc (where the policy agent
    will again intercept you and send you on to the login page for your next try). May be more of
    an issue in the policy agent than your manual.
    Regards,
    Herman

  • Getting error while opening Sun access manager console

    We are facing a problem while accessing the console of Sun Access Manager. We get a No Page Found error whenever we try to access the Sun Access Manager console. We have tried restarting the directory server and web server but even that doesn't help us. Following are the errors that get recorded in the log files:
    ERROR: AuthD init() com.iplanet.dpro.session.SessionException: AuthD failed to get auth session
    ERROR: Error creating service session java.lang.NullPointerException

    The ns-slapd.exe process belongs to the Directory Server. You should therefore check if your DS instance is set up properly.
    Michael

  • Securing web services with Sun Access Manager

    Hi!
    I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
    What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: To install some kind of plugin into WLS or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
    I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
    I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
    My questions are:
    1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
    2) Are there any documentation/tutorials/etc?
    Thanks in advance :-)
    Anders

    What you need is a web services agent that would enable you to "protect" your web service provider, which I assume is on a BEA WebLogic provider.
    The "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is "NOT" a web services agent, but a normal J2EE policy agent.
    So.. having said that, here's what I'd recommend.
    1. Install the web services agent on BEA WebLogic. (Note: NOT the J2EE policy agent.)
    2. Configure it to use your Access Manager instance for authentication.
    3. Configure your web services client to use the web service provider. (Note: you'd need the web services APIs available on the client too... so the quick and dirty method would be to install the web services agent on your client too....) You can later bundle the web services client independently and provide your "customers" with a web services client bundle...
    4. Voila... your web services are now "protected" by Access Manager ;-)

  • Username and password for Sun Access Manager 7.1

    Hi
    Thank you for reading my post
    I got the new Java Application Platform SDK Update 2 which has Access Manager and portlet management inside it.
    Can you tell me what the username and password are for the Sun Access Manager 7.1 administration console?
    thanks

    with me it was amadmin : admin123
    in the readme file in the addons directory:
    Done! Access the AM server URL and see if the Access Manager is working or not -
    <amserver_protocol>://<amserver_host>:<amserver_port>/amserver
    user : 'amadmin', password : <admin password>
    in a config file I found the password was admin123

  • Sun Access Manager 7.1 configuration

    I am trying to configure Sun Access Manager 7.1 update 1 on WebSphere 6.1.0.11 running on Windows 2003 Server and am getting a crypt error on SunJCE. Any suggestions on how to fix this?
    The thread dump looks like this
    05/16/2008 11:22:00:509 AM EDT: Thread[WebContainer : 2,5,main]
    05/16/2008 11:22:00:509 AM EDT: Thread[WebContainer : 2,5,main]ERROR: Crypt: failed to set password-based key
    java.security.NoSuchProviderException: no such provider: SunJCE
    at sun.security.jca.GetInstance.getService(GetInstance.java:82)
    at javax.crypto.b.a(Unknown Source)
    at javax.crypto.SecretKeyFactory.getInstance(Unknown Source)
    at com.iplanet.services.util.JCEEncryption.setPassword(JCEEncryption.java:377)
    at com.iplanet.services.util.Crypt.createInstance(Crypt.java:139)
    at com.iplanet.services.util.Crypt.<clinit>(Crypt.java:103)
    at java.lang.J9VMInternals.initializeImpl(Native Method)
    at java.lang.J9VMInternals.initialize(J9VMInternals.java:192)
    at com.sun.identity.setup.ServicesDefaultValues.validatePassword(ServicesDefaultValues.java:396)
    at com.sun.identity.setup.ServicesDefaultValues.setServiceConfigValues(ServicesDefaultValues.java:107)
    at com.sun.identity.setup.AMSetupServlet.processRequest(AMSetupServlet.java:307)
    at com.ibm._jsp._configurator._jspService(_configurator.java:221)
    at com.ibm.ws.jsp.runtime.HttpJspBase.service(HttpJspBase.java:85)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:989)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:930)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
    at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:89)
    at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
    at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:761)
    at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:673)
    at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:498)
    at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:464)
    at com.ibm.wsspi.webcontainer.servlet.GenericServletWrapper.handleRequest(GenericServletWrapper.java:122)
    at com.ibm.ws.jsp.webcontainerext.AbstractJSPExtensionServletWrapper.handleRequest(AbstractJSPExtensionServletWrapper.java:205)
    at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3276)
    at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:267)
    at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:811)
    at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1455)
    at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:113)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:454)
    at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:383)
    at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:102)
    at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
    at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
    at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
    at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
    at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:195)
    at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:743)
    at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:873)
    at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1469)
    05/16/2008 11:22:00:509 AM EDT: Thread[WebContainer : 2,5,main]ERROR: JCEEncryption:: not yet initialized
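The NoSuchProviderException above comes from a lookup pinned to the provider name SunJCE; a JVM that is not Sun's (WebSphere runs on IBM's JDK) registers its cryptographic providers under other names, so a pinned lookup fails even when the algorithm itself is available. The following is an added diagnostic, not code from the post or from Access Manager: it lists the providers the running JVM actually registers and compares a lookup pinned to SunJCE with an unpinned one. The algorithm name PBEWithMD5AndDES is an assumption, since the page does not say which PBE algorithm AM requests.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import javax.crypto.SecretKeyFactory;

public class JceProviderCheck {

    // True when a provider registered under exactly this name exists in the running JVM.
    static boolean hasProvider(String name) {
        return Security.getProvider(name) != null;
    }

    // Names of every registered provider, in the order the JCA consults them.
    static String[] providerNames() {
        Provider[] providers = Security.getProviders();
        String[] names = new String[providers.length];
        for (int i = 0; i < providers.length; i++) {
            names[i] = providers[i].getName();
        }
        return names;
    }

    // Mirrors the failing call: a SecretKeyFactory for a password-based algorithm,
    // either pinned to one provider by name or left to the JCA to resolve.
    // Returns the provider that served the request, or a short failure description.
    static String describeLookup(String algorithm, String providerName) {
        try {
            SecretKeyFactory factory = (providerName == null)
                    ? SecretKeyFactory.getInstance(algorithm)
                    : SecretKeyFactory.getInstance(algorithm, providerName);
            return "served by " + factory.getProvider().getName();
        } catch (NoSuchProviderException e) {
            return "no such provider: " + providerName;
        } catch (NoSuchAlgorithmException e) {
            return "algorithm " + algorithm + " not available";
        }
    }

    public static void main(String[] args) {
        // Assumed algorithm name; the page does not say which PBE algorithm AM requests.
        String algorithm = args.length > 0 ? args[0] : "PBEWithMD5AndDES";

        System.out.println("registered providers:");
        for (String name : providerNames()) {
            System.out.println("  " + name);
        }
        System.out.println("SunJCE present: " + hasProvider("SunJCE"));
        System.out.println("pinned to SunJCE: " + describeLookup(algorithm, "SunJCE"));
        System.out.println("provider unpinned: " + describeLookup(algorithm, null));
    }
}
```

Run it with the same JVM that hosts WebSphere: if the unpinned lookup succeeds while the pinned one fails, the problem is the provider name, not a missing JCE policy.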

    Have you followed the release notes instructions? There is one specifically about changing JCE:
    http://docs.sun.com/app/docs/doc/819-5899/gdpsl?a=view
    http://docs.sun.com/app/docs/doc/819-4683/gfvfl?a=view
    http://docs.sun.com/app/docs/doc/819-5899/gdxas?a=view
    shivaram

  • Sun Access Manager login problem

    Hi,
    This is a very basic problem. I have installed Sun Access Manager 7 using the JES installer. It is configured to authenticate against an LDAP datastore. I am able to log in to the amconsole application using the amAdmin DN but I am not able to log in with any other user that I create through Sun Access Manager. Any help will be highly appreciated.
    TIA.

    Hello,
    When you create any user through Sun Access Manager, is that user created in the LDAP datastore, or is it created in the SAM flat file repository?

  • Sun Access Manager Resource & password resets

    Hi,
    I've got IDM 7.1 and AM 7.1, with a Sun Access Manager Realm resource. The LDAP directory (DS EE 6.0) sitting behind the AM resource has been set up to "Require Password Change at First Login and After Reset".
    However, if a user in IDM changes their AM password, the connection to AM is done as the resource adapter user, not themselves; this means that the pwdReset flag is not cleared on their account in AM, and AM will demand a password change on next login.
    This is obviously non-optimal for us, as we'd like them to change their password through IDM.
    Is there any way to change the DS policies to allow for this situation, OR to set the pwdReset flag through the resource adapter, OR to get the resource adapter to connect as the user when the Change Password flow is performed?
    Thanks,
    Michael.

    Hi Michael,
    Could you please share the solution for the problem you are facing.
    I am facing a similar issue.
    When an admin resets the password of a user and when the user logs in, he/she needs to be redirected to IDM change password page. Instead the redirection to AM change password functionality is displayed.
    Thanks,
    Vinu

  • Sun Access Manager - Authentication Error

    Hello everyone,
    I'm trying to configure Sun Access Manager 7.0 with Sun Web Server 6.1 and Directory Server 5.2 on Windows XP.
    I'm getting the following error when I try to login with uid=amAdmin
    "Permission to perform the read operation denied to uid=amAdmin,ou=People,dc=example,dc=com"
    I do not see any errors in the debug files. Could anyone help me in fixing this problem?
    Thanks in advance,
    -krishna

    Is your AM log level set to message? If not, set to message and retest. You should get output in your debug logs.
    On the agent side, set your logging to all:5

  • Integrate IdM roles with Sun Access Manager roles

    Hi all,
    I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
    I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
    What are the important differences between static and dynamic roles in AM?
    Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
    Thanks.

    I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
    About directory server roles:
    http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
    Forum thread reference:
    http://forums.sun.com/thread.jspa?threadID=5208694
    Here are roughly the steps I followed to get this working.
    Access Manager roles setup:
    1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
    Identity Manager roles setup:
    1. Create a new role in Identity Manager: tab Roles, click New....
    2. Assign the LDAP resource to synchronize the role with.
    3. On the Assigned Resources line, click the Set Attributes Values button. This shows the attribute listing that allows you to bind your IdM role to your LDAP repository.
    4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
    * In the column Value override, select Text.
    * In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
    * In the text box, enter the role DN text (ex: cn=test_role,dc=com).
    5. Save the role. You can now add the role to a user.
