Sun Access Manager  - Authentication Error

Similar Messages

• Getting error while opening Sun access manager console

  We are facing problem while accessing console of Sun Access Manager. We got No Page Found error whenever we try to access the Sun Access Manager console. We have tried restarting the directory server and web server but even that doesn�t help us. Following are the error that gets recorded in log files:-
  ERROR: AuthD init() com.iplanet.dpro.session.SessionException: AuthD failed to get auth session
  ERROR: Error creating service session java.lang.NullPointerException

  The ns-slapd.exe process belongs to the Directory Server. You should therefore check if your DS instance is set up properly.
  Michael

• BO Authentication with Sun Access Manager

  Post Author: aboucher
  CA Forum: Authentication
  Hi,
  Is there a way to use Sun Access Manager (Role base) with BO. We are using XIR2 but we are willing to move to XIR3 if this version can do this job. I know that BO can be configured with LDAP, AD, Enterprise but is there a Custom choice. Any idea?
  Thanks

  Post Author: TAZ
  CA Forum: Authentication
  So quickly reviewing sun access manager it doesn't seem to be an LDAP server per se. It's more like a portal used for SSO. If that's the case then you would integrate LDAP accounts and then use technology like trusted authentication for SSO from the sun access maanger portal. In that case trusted auth will support just about any front end as long as the user info can be forwarded to us in one of 7 methods. You can read more about trusted authentication in the XIR2 deployment guide
  http://support.businessobjects.com/documentation/product_guides/default.asp
  Integrations of this level typically involvel in depth planning and should probably be done with the assistance of a BO consultant.
  Regards,
  Tim

• Integrating windows authentication with Sun ACCESS MANAGER

  Hi,
  I have implemented sun access manager and successfully protected an application (ABC). At present iam using the SDS as the authentication and authorization directory. I login in to the machine using the network username and password which is on AD.
  I want to integrate my authentication/authorization mechanism from SDS to AD. so that when i login into the machine and open application ABC it should not ask me for the credentials; instead allow me to the homepage directly.
  How to do this.
  Thanks in advance
  Maruthi

  Hi!
  Maybe this helps you, it describes how to setup AM and policy agent to handle basic authentication protected sites. While the article is about sharepoint it should work for any application.
  http://developers.sun.com/identity/reference/techart/sharepoint.html
  Christoph

• Error while installing Sun Access Manager

  Hi All,
  I am getting an error while installing Sun Java System Access Manager.The error is ns-slapd.exe is not responding.
  How to resolve my error?
  Thanks in advance.
  regards,
  Keets.

  The ns-slapd.exe process belongs to the Directory Server. You should therefore check if your DS instance is set up properly.
  Michael

• Integration of sun identity manager with sun access manager

  Hi i am working on integration of sun identity manager 6.0 with SP1 and sun access manager7.0.IDM was deployed on Sun application server 8.1.SAm is installed on SunOneWebserver i am working on windows 2003 server.I downloaded the agent for the application server and installed.
  when i am configuring resource in IDM i am getting following error.
  testconnection failed for resource(s):
  sun access manager could notconnect as user 'amadmin' with specified password==>com.sun.identity.authentication.spi.AuthLoginException:failed to create new AuthenticationContext{0}\n.
  i modified amagent.properties,amconfig.properties and web.xml also
  can any one help me on this.

  Hi i am working on integration of sun identity manager 6.0 with SP1 and sun access manager7.0.IDM was deployed on Sun application server 8.1.SAm is installed on SunOneWebserver i am working on windows 2003 server.I downloaded the agent for the application server and installed.
  when i am configuring resource in IDM i am getting following error.
  testconnection failed for resource(s):
  sun access manager could notconnect as user 'amadmin' with specified password==>com.sun.identity.authentication.spi.AuthLoginException:failed to create new AuthenticationContext{0}\n.
  i modified amagent.properties,amconfig.properties and web.xml also
  can any one help me on this.

• Access manager policyagent 2.1 fro webspher5.0  with sun access manager in

  Help It is very urgent
  I have installed my sun access manager and sun direcory server on same machine solaris10.SSL is diable in directory server.Access manager working on ssl mode means it is working on Http with port 80 and Https with port443.Access manager url is
  http://lhostname:80/amconsole or https://hostname:443/amconsole and
  http://host:80/amserver/UI/Login or https://host:443/amserver/UI/Login.it is displaying access manager login page.It is working properly standalone.
  But when i configure it with policyagent2.1 for WebSphere5.0 .WebSphere installed on windows2000 server.when i type the application URL that is running on WebSphere it does not show access manager login page.It show u r not authurised to view this page.WebSphere running on Http.
  and amService log detail is*****************************************************
  03/02/2006 05:57:32:018 PM GMT+05:30: Thread[Servlet.Engine.Transports : 0,5,main]
  Naming service URL list: [https://my.domain.com:443/amserver/namingservice]
  03/02/2006 05:57:32:018 PM GMT+05:30: Thread[Servlet.Engine.Transports : 0,5,main]
  Only one naming service URL specified. NamingServiceMonitor will be disabled.
  03/02/2006 05:57:32:018 PM GMT+05:30: Thread[Servlet.Engine.Transports : 0,5,main]
  getServiceURL for service: auth protocol: https host: my.domain.com port: 443
  03/02/2006 05:57:32:112 PM GMT+05:30: Thread[Servlet.Engine.Transports : 0,5,main]
  ERROR: Naming service connection failed
  com.iplanet.services.comm.client.SendRequestException: com.ibm.ws.orbimpl.transport.protocol.https.HttpsURLConnection
       at com.iplanet.services.comm.client.PLLClient.send(PLLClient.java:141)
       at com.iplanet.services.comm.client.PLLClient.send(PLLClient.java:73)
       at com.iplanet.services.naming.WebtopNaming.getNamingResponse(WebtopNaming.java:360)
       at com.iplanet.services.naming.WebtopNaming.updateNamingTable(WebtopNaming.java:421)
       at com.iplanet.services.naming.WebtopNaming.getNamingProfile(WebtopNaming.java:353)
       at com.iplanet.services.naming.WebtopNaming.getServiceURL(WebtopNaming.java:187)
       at com.sun.identity.authentication.AuthContext.setLocalFlag(AuthContext.java:1159)
       at com.sun.identity.authentication.AuthContext.createAuthContext(AuthContext.java:1100)
       at com.sun.identity.authentication.AuthContext.createAuthContext(AuthContext.java:1071)
       at com.sun.identity.authentication.AuthContext.<init>(AuthContext.java:142)
       at com.sun.identity.policy.client.AuthService.getAppSSOToken(AuthService.java:103)
       at com.sun.identity.policy.client.AuthService.getApplicationSSOToken(AuthService.java:79)
       at com.sun.identity.policy.client.PolicyEvaluator.getAppSSOToken(PolicyEvaluator.java:499)
       at com.sun.identity.policy.client.PolicyEvaluator.init(PolicyEvaluator.java:193)
       at com.sun.identity.policy.client.PolicyEvaluator.<init>(PolicyEvaluator.java:172)
       at com.sun.identity.policy.client.PolicyEvaluatorFactory.getPolicyEvaluator(PolicyEvaluatorFactory.java:118)
       at com.sun.identity.policy.client.PolicyEvaluatorFactory.getPolicyEvaluator(PolicyEvaluatorFactory.java:87)
       at com.sun.identity.agents.policy.AmWebPolicy.<init>(Unknown Source)
       at com.sun.identity.agents.policy.AmWebPolicyManager.<init>(Unknown Source)
       at com.sun.identity.agents.policy.AmWebPolicyManager.<clinit>(Unknown Source)
       at com.sun.identity.agents.filter.AmFilter.<init>(Unknown Source)
       at com.sun.identity.agents.filter.AmFilterManager.getAmFilter(Unknown Source)
       at com.sun.identity.agents.filter.AmFilterManager.getAmFilter(Unknown Source)
       at com.sun.identity.agents.filter.AmFilterManager.getAmFilterInstanceForModeConfigured(Unknown Source)
       at com.sun.identity.agents.filter.AmAgentFilter.doFilter(Unknown Source)
       at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:132)
       at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:71)
       at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.handleWebAppDispatch(WebAppRequestDispatcher.java:863)
       at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.dispatch(WebAppRequestDispatcher.java:491)
       at com.ibm.ws.webcontainer.webapp.WebAppRequestDispatcher.forward(WebAppRequestDispatcher.java:173)
       at com.ibm.ws.webcontainer.srt.WebAppInvoker.doForward(WebAppInvoker.java:79)
       at com.ibm.ws.webcontainer.srt.WebAppInvoker.handleInvocationHook(WebAppInvoker.java:199)
       at com.ibm.ws.webcontainer.cache.invocation.CachedInvocation.handleInvocation(CachedInvocation.java:71)
       at com.ibm.ws.webcontainer.srp.ServletRequestProcessor.dispatchByURI(ServletRequestProcessor.java:182)
       at com.ibm.ws.webcontainer.oselistener.OSEListenerDispatcher.service(OSEListener.java:331)
       at com.ibm.ws.webcontainer.http.HttpConnection.handleRequest(HttpConnection.java:56)
       at com.ibm.ws.http.HttpConnection.readAndHandleRequest(HttpConnection.java:432)
       at com.ibm.ws.http.HttpConnection.run(HttpConnection.java:343)
       at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:592)
  Thanks & Regards
  Saini

  This is an SSL handshake problem of Websphere - has nothing to do with AM.
  Websphere�s JDK does not trust the Signer / Cert of AM�s deployment container.
  Either configure a truststore (or use an existing webshpere truststore) where you import the Cert of the Signing CA of your AM DC�s cert.
  Other option - import the mentioned cert in cacert file of IBM JDK - but be aware that this might get lost when applying an Websphere fixpack/refreshpack.
  BTW what have you configured for server.port,server.host and server.protocol in your AMConfig.properties?
  If you have not changed that settings agent will use the port/protocol specified to communicate with AM.
  -Bernhard

• Not able to login to Sun Access Manager

  Hi All,
  I am new to Sun Access Manager. I changed the LDAP Configuration in Identity Management->Authentication Module->LDAP to some incorrect LDAP Server. Now i am not able to login to the amconsole of Access Manager. I am getting an Authentication fail error. Is there any way i can revert the changes for the LDAP i have made as i am not able to open the console to revert the changes.
  Thanks in advance,
  Annu

  Check your AppServer to see it up and running or not.

• Login to Sun access manager admin console failed.

  we are using Sun access manager 2003Q4. Today i am not able to login to the amconsole itself.it says authentication failed. i tried with all the admin users we have and also with the amadmin same error.
  The ldap is up and running.
  can any one suggest me the probable problem and solution.
  or the log files i need to look at which can help in trouble shooting.
  thanks in advance

  Check your AppServer to see it up and running or not.

• Securing web services with Sun Access Manager

  Hi!
  I have gone through some documentation about Sun Access Manager, and I'm a little bit confused.
  What I want is to secure some web services which are deployed on a BEA WebLogic 9.1 server (WLS). Two solutions are possible: To install some kind of plugin into WLS or to place some kind of proxy in front of WLS. In both cases, the purpose would be to authenticate the caller based on some kind of ticket (SAML or similar) and authorize access to the web service.
  I have read about the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" (those guys really like long names....), but in this documentation web services aren't mentioned at all. They only seem to care about HTTP requests from a browser.
  I have also read about the Policy Agent 2.2 in the documentation called "Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services" (puh...). This document explicitly talks about securing web services the way I want.
  My questions are:
  1) Is it possible to secure WLS based web services in the same way using the Policy Agent for WLS?
  2) Are there any documentation/tutorials/etc?
  Thanks in advance :-)
  Anders

  what you need is a webservices agent that would enable you to "protect" your webservice provider, which I assume is on a BEA weblogic provider.
  the "Sun Java System Access Manager Policy Agent 2.2 for Weblogic 9.1" is "NOT" awebservices agent, but a normal J2EE policy agent.
  So.. having said that. here's what I'd recommend.
  1. install the webservices agent on bea weblogic. (note: NOT the J2EE policy agent)
  2. configure it to use your access manager instance for authentication.
  3. configure your webservices client to use the webservice provider. (note: you'd need the webservices APi's available on the client too... so the quick dirty method would be to install the webservices agent on your client too....) you can later bundle the webservices client independently and provide your"customers" with a webservices client bundle...
  4. voila... your webservices are not "protected" by acces manager ;-)

• Policy Agent doesn't reset Sun  Access Manager session time idle value

  Hi,
  We have the following setup in our environment:
  - apache web server/web and policy agent 2.2 for apache 2.0.54
  - webmethods portal server (jetty)
  -Sun Access Manager (with Sun Directory Server)
  We use policy agent for authentication purpose only (via Sun Access Manager/LDAP) when the users access the portal. We have custom code that creates session in Sun Access Manager for custom LDAP services. For testing purpose, we configure SAM session to have Max Session Timeout at 120mins and Time Idle at 15mins. I would assume that, after the initial login request, for all subsequent accesses to the portal the policy agent should intercept the request and reset the Time Idle value of SAM session. However, when I monitor time idle value using SAM console, session tab, the time idle value didn't change when the portal user access pages, submit actions, etc. I can see in the debug log of policy agent that requests are being intercepted/processed, but the time idle didn't get reset.
  Does anyone know if this is a bug in configuration or in policy agent itself or am I making the wrong assumption?
  Thanks a lot for the help.

  Thanks for the reply, Shivaram. The issue appears to occur at random time, not accurately at the 3 min interval as you mention. I tested changing this value to 1, theoretically, after one 1 minute of idle time, accessing a link would make the agent reset the time idle value for the user session in SAM, but it didn't even after 3 minutes. This seems to be either a policy agent or system access manager bug.
  We performed a 'vanilla' test using the apache server manual pages (only plain HTML, no POST requests), the pages are protected by the policy agent. At the first login, rwe were prompted to enter credential to be validated by SAM/LDAP, and then a user session is created in SAM session table. We browse around the manual pages, once in a while, certain pages cause the policy agent to reset the time idle. However, revisiting these links after a few minutes doesn't reset the idle value. Caching setting has been disable as well. Could there be or lack of some settings in AMConfig.properties or AMAgent.properties that might have caused this behavior?
  Thanks for all your help,

• Sun Access Manager Event Sequence

  I have a third party black box piece of hardware that is redirecting browser requests to my server for authentication. I want to utilize the Sun Access Manager to perform these authentications. Do I need to use the Policy Agent, or should I attempt to communicate directly with the Access Manager? What benefit will I gain from including the Policy Agent into the mix?
  If I don't use the policy agent, here is the sequence of events as I understand them:
  1) Browser hits Black Box (BB) for protected information.
  2) BB redirects the browser to me.
  3) Browser sends me a SAML snippet. I decode and inflate the snippet, then send it off to the access manager (AM).
  4) The AM throws an invalid id exception because the user has never logged in.
  5) I catch the invalid id exception, and redirect the browser to the AM login URL. The user enters a valid id and password and hits submit.
  6) ... ?
  Is this correct up to step 5, and what happens after step 5? Any hints would be greatly appreciated.

  Okay, never mind then.

• Sun Access Manager 7.1 configuration

  I am trying to configure Sun Access Manager 7.1 update 1 on websphere 6.1.0.11 running on windows 2003 server and am getting a crypt error on SunJCE. Any suggestions on how to fix this?
  The thread dump looks like this
  05/16/2008 11:22:00:509 AM EDT: Thread[WebContainer : 2,5,main]
  05/16/2008 11:22:00:509 AM EDT: Thread[WebContainer : 2,5,main]ERROR: Crypt: failed to set password-based key
  java.security.NoSuchProviderException: no such provider: SunJCE
  at sun.security.jca.GetInstance.getService(GetInstance.java:82)
  at javax.crypto.b.a(Unknown Source)
  at javax.crypto.SecretKeyFactory.getInstance(Unknown Source)
  at com.iplanet.services.util.JCEEncryption.setPassword(JCEEncryption.java:377)
  at com.iplanet.services.util.Crypt.createInstance(Crypt.java:139)
  at com.iplanet.services.util.Crypt.<clinit>(Crypt.java:103)
  at java.lang.J9VMInternals.initializeImpl(Native Method)
  at java.lang.J9VMInternals.initialize(J9VMInternals.java:192)
  at com.sun.identity.setup.ServicesDefaultValues.validatePassword(ServicesDefaultValues.java:396)
  at com.sun.identity.setup.ServicesDefaultValues.setServiceConfigValues(ServicesDefaultValues.java:107)
  at com.sun.identity.setup.AMSetupServlet.processRequest(AMSetupServlet.java:307)
  at com.ibm._jsp._configurator._jspService(_configurator.java:221)
  at com.ibm.ws.jsp.runtime.HttpJspBase.service(HttpJspBase.java:85)
  at javax.servlet.http.HttpServlet.service(HttpServlet.java:856)
  at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:989)
  at com.ibm.ws.webcontainer.servlet.ServletWrapper.service(ServletWrapper.java:930)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:145)
  at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:89)
  at com.ibm.ws.webcontainer.filter.FilterInstanceWrapper.doFilter(FilterInstanceWrapper.java:190)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain.doFilter(WebAppFilterChain.java:130)
  at com.ibm.ws.webcontainer.filter.WebAppFilterChain._doFilter(WebAppFilterChain.java:87)
  at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:761)
  at com.ibm.ws.webcontainer.filter.WebAppFilterManager.doFilter(WebAppFilterManager.java:673)
  at com.ibm.ws.webcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:498)
  at com.ibm.ws.wswebcontainer.servlet.ServletWrapper.handleRequest(ServletWrapper.java:464)
  at com.ibm.wsspi.webcontainer.servlet.GenericServletWrapper.handleRequest(GenericServletWrapper.java:122)
  at com.ibm.ws.jsp.webcontainerext.AbstractJSPExtensionServletWrapper.handleRequest(AbstractJSPExtensionServletWrapper.java:205)
  at com.ibm.ws.webcontainer.webapp.WebApp.handleRequest(WebApp.java:3276)
  at com.ibm.ws.webcontainer.webapp.WebGroup.handleRequest(WebGroup.java:267)
  at com.ibm.ws.webcontainer.WebContainer.handleRequest(WebContainer.java:811)
  at com.ibm.ws.wswebcontainer.WebContainer.handleRequest(WebContainer.java:1455)
  at com.ibm.ws.webcontainer.channel.WCChannelLink.ready(WCChannelLink.java:113)
  at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleDiscrimination(HttpInboundLink.java:454)
  at com.ibm.ws.http.channel.inbound.impl.HttpInboundLink.handleNewInformation(HttpInboundLink.java:383)
  at com.ibm.ws.http.channel.inbound.impl.HttpICLReadCallback.complete(HttpICLReadCallback.java:102)
  at com.ibm.ws.tcp.channel.impl.AioReadCompletionListener.futureCompleted(AioReadCompletionListener.java:165)
  at com.ibm.io.async.AbstractAsyncFuture.invokeCallback(AbstractAsyncFuture.java:217)
  at com.ibm.io.async.AsyncChannelFuture.fireCompletionActions(AsyncChannelFuture.java:161)
  at com.ibm.io.async.AsyncFuture.completed(AsyncFuture.java:136)
  at com.ibm.io.async.ResultHandler.complete(ResultHandler.java:195)
  at com.ibm.io.async.ResultHandler.runEventProcessingLoop(ResultHandler.java:743)
  at com.ibm.io.async.ResultHandler$2.run(ResultHandler.java:873)
  at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1469)
  05/16/2008 11:22:00:509 AM EDT: Thread[WebContainer : 2,5,main]ERROR: JCEEncryption:: not yet initialized

  Have you followed the release notes instructions? There is one specifically about changing JCE:
  http://docs.sun.com/app/docs/doc/819-5899/gdpsl?a=view
  http://docs.sun.com/app/docs/doc/819-4683/gfvfl?a=view
  http://docs.sun.com/app/docs/doc/819-5899/gdxas?a=view
  shivaram

• Sun Access Manager 2005Q1 session failover is not working

  Hi All
  I m using Sun access manager 2005Q1,message queue 2005Q1, Sun Directory server 5.2 ,BerkelyDb 4.2.52 and radware hardware load balancer with sticky session.
  I m have configured message queue and BerkeleyDB and both are running with any error.
  I m using http://docs.sun.com/source/817-7644/ch5_scenarios.html#wp41008 doc for session failover.
  Simple failover is working fine but the Session failover is not working.
  Any body has done session failover with Sun Access manager 2005 Q1 I m trying to resolve this issue last two month.
  Please it is urgent.

  It works fine in 2005Q4, after applying a patch 120954 if I am not mistaken. But 2005Q4 and 2005Q1 are probably different in terms of session failover (site configuration etc.)
  1. Stop both AM servers
  2. Set logging to debug mode in AMConfig.properties.
  3. Delete / move everything in /var/opt/SUNWam/debug
  4. tail -f /var/opt/SUNWam/debug/amSession
  5. Post that file here... you should be able to see if session failover is enabled etc....
  hope this helps.

• Integrate IdM roles with Sun Access Manager roles

  Hi all,
  I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
  I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
  What are the important differences between static and dynamic roles in AM?
  Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
  Thanks.

  I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
  About directory server roles:
  http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
  Forum thread reference:
  http://forums.sun.com/thread.jspa?threadID=5208694
  Here are roughly the steps I followed to get this working.
  Access Manager roles setup:
  1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
  Identity Manager roles setup:
  1. Create a new role in Identity Manager: tab Roles, click New....
  2. Assign the LDAP resource to synchronize the role with.
  3. On the Assigned Resources line, click the Set Attributes Values button. This shows up the attributes listing allowing you to bind your IdM role to your LDAP repository.
  4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
  * In the column Value override, select Text.
  * In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
  * In the text box, enter the role DN text (ex: cn=test_role,dc=com).
  5. Save the role. You can now add the role to a user.