Time-based log rotation in Access Manager

Hi,
We have configured Access Manager for size-based log rotation. So the log files undergo rotation whenever the log files reach the size limit specified.
But I would like to know if the Access Manager Logging module provides options for:
Time-based Log Rotation: so that log files get rotated on a periodic basis.
Log File Name Customization: At present the old log files get suffixed with -n (e.g. amPolicy.access-1), where 'n' denotes the number in the rotation sequence. Is it possible to configure Access Manager to generate a timestamp as a suffix for old log files,
e.g. amPolicy.access-05_29_2005?
Regards,
Chetan Desai

The AM admin guide (ftp://docs-pdf.sun.com/817-7647/817-7647.pdf), page 335, lists all available Logging attributes. It doesn't have a time-based parameter or a timestamp suffix. If you wish to have those features, please contact Sun Identity sales to file an RFE. Also check the Logging API and see whether you can program those features yourself (see page 47 of 817-7650.pdf).
Jerry
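An added example, not part of the original thread and not Sun code: a post-rotation renamer that gives the size-rotated files the date suffix asked for above. It assumes the rotated files sit next to the active log as `<name>-<n>`, takes the date from each file's last-modified time, and is meant to run from a scheduler under the account that owns the logs; the function name is hypothetical.

```python
import os
import re
import sys
import time
from pathlib import Path


def stamp_rotated_logs(log_dir, base_name):
    """Rename <base_name>-<n> files to <base_name>-MM_DD_YYYY.

    The date comes from each file's mtime (assumption: the last write
    happened just before rotation). The active file and files that already
    carry a date suffix are left alone. Returns (old_name, new_name) pairs.
    """
    log_dir = Path(log_dir)
    numbered = re.compile(re.escape(base_name) + r"-(\d+)")
    candidates = []
    for entry in log_dir.iterdir():
        match = numbered.fullmatch(entry.name)
        # Skip symlinks so a planted link cannot redirect the rename.
        if match and entry.is_file() and not entry.is_symlink():
            candidates.append((entry.stat().st_mtime, int(match.group(1)), entry))

    renamed = []
    # Oldest first, so same-day files are numbered in the order written.
    for mtime, _, entry in sorted(candidates, key=lambda c: c[:2]):
        stamp = time.strftime("%m_%d_%Y", time.localtime(mtime))
        serial = 1
        while True:
            suffix = "" if serial == 1 else f".{serial}"
            target = log_dir / f"{base_name}-{stamp}{suffix}"
            try:
                # link() refuses to replace an existing file, so an older
                # audit log is never overwritten (rename() would clobber it).
                os.link(entry, target)
            except FileExistsError:
                serial += 1
                continue
            entry.unlink()
            break
        renamed.append((entry.name, target.name))
    return renamed


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: python stamp_logs.py <log directory> amPolicy.access
    for old, new in stamp_rotated_logs(sys.argv[1], sys.argv[2]):
        print(f"{old} -> {new}")
```

Several rotations on the same day get `.2`, `.3`, ... appended, so no rotated file is lost.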

Similar Messages

  • Cron-based log rotation problem

    In setting up Sun Web Server 6.1 2005Q4 SP5, I successfully restarted schedulerd after setting up cron-based log rotation for 12 AM for each Web instance. But still no rotated logs. I notice these messages in /app/sunone/https-admserv/logs/scheduler.error:
    Tue Mar 14 00:00:00 2006: Warning: cron has no information about finished child process 11303
    Tue Mar 14 23:00:03 2006: Warning: Process 11303 didn't finish in time, had to terminate it
    Any ideas?
    Thanks!

    This bug is addressed in SunSolve:
    Document ID:     4953147
    Title:     cron based log rotation fails when admin user is root and instance is non-root
    The workaround is to update this line in WS_ROOT/https-admserv/config/scheduler.conf:
        User <non-root user ID such as "nobody">
    to:
        User root
    Then I restarted cron from the Server Manager to make sure the change was picked up.

  • Change beasvc.exe default stdout log rotation parameters in WLS10.0

    Weblogic Server 10.0:
    I'm trying to change default log rotation parameters for weblogic server service as suggested here:
    http://edocs.bea.com/wls/docs100/server_start/winservice.html#wp1193277
    my installsvc.cmd contains:
    set ROTATION_TYPE = TIME
    set TIME_START_DATE = Jun 12 2008 15:07:00
    set TIME_INTERVAL_MINS = 3
    set STD_LOG=C:\logs\stdout.log
    beasvc.exe -install.... -log:"%STD_LOG%"
    This is the snippet from the stdout.log:
    [Thu Jun 12 15:45:09 2008] [initLog] initializing logger
    [Thu Jun 12 15:45:09 2008] [E] [initLog] No 'ROTATION_TYPE' header found. 'TIME' based rotation will be used by default.
    [Thu Jun 12 15:45:09 2008] [E] [initLog] No 'TIME_START_DATE' header found or value is invalid. Rotation will take place every 24 hours beginning today at 23:59:59
    [Thu Jun 12 15:45:09 2008] [E] [initLog] No 'TIME_INTERVAL_MINS' header found. Using the default value of 24 hours.
    [Thu Jun 12 15:45:09 2008] [I] [initLog] TIME based log rotation is ON
    [Thu Jun 12 15:45:09 2008] [I] [trigger] First rotation due in 29690 secs
    [Thu Jun 12 15:45:09 2008] [I] [ServiceStart] console allocation successful. THREAD_DUMP redirection enabled
    [Thu Jun 12 15:45:09 2008] [I] [ServiceStart] About to execute CreateThread()
    the service then starts ok and works with default settings, but that's not what I'm looking for...
    any ideas are welcome ;)
    thanks!

    yes, the parameters are set when service is being installed. Also, I can see in the log when changes are made to the parameters and service reinstalled.

  • Access Manager 7.1, Webserver 7.0 and Policy Agent 2.2 Logging behaviour

    Hi,
    I have a cluster setup with access manager (2 instances currently). I have a single webserver running access manager policy agent which points to the access manager cluster. Everything works fine, until the Agent session times out, whereupon it can no longer log to the access manager cluster.
    i.e. it attempts to write a log entry like this:
    2009-04-23 15:40:10.491 Debug 7720:2e7af0 LogService: BaseService::doRequest(): Using server: https://
    am.blah.com:443/amserver/loggingservice.
    <logRecWrite reqid="57"><log logName="amAuthLog.webserver.blah.com.80" sid="AQIC5wM2LY4SfczdB
    6jEQSaqXL52vqgWNfqxVOf2teEx+b0=@AAJTSQACMTEAAlNLAAk0OTA4MTcyMzQAAlMxAAIwMg==#"></log><logRecord><level>8
    00</level><recMsg>VXNlciBtb21lcjEgd2FzIGFsbG93ZWQgYWNjZXNzIHRvIGh0dHA6Ly9lcTAwMXRtLmVxLnNlcnZlci1jb21wbG
    V4LmNvbTo4MC91d2MvaW5kZXguanNwLg==</recMsg><logInfoMap><logInfo><infoKey>LoginIDSid</infoKey><infoValue>
    AQIC5wM2LY4Sfcy3bA/gJl2v7ArZCHla8Bj9bRVx4P6nSN0=@AAJTSQACMTEAAlNLAAstMTAxNzc2NjM2NQACUzEAAjAx#</infoValu
    e></logInfo></logInfoMap></logRecord></logRecWrite>]]></Request>
    </RequestSet>
    and receives an error as follows:
    2009-04-23 15:40:10.631MaxDebug 7720:2e7af0 LogService: <?xml version="1.0" encoding="UTF-8" standalone=
    "yes"?>
    <ResponseSet vers="1.0" svcid="iplanet.webtop.service.logging" reqid="74">
    <Response><![CDATA[UNAUTHORIZED]]></Response>
    </ResponseSet>
    Investigation in the access manager logs shows that the agent session is no longer valid. As a result, I have two questions:
    1. How can I make it stop trying to log remotely ? I have this set in the AMAgent.properties: com.sun.am.log.level = all:4
    2. How do I exclude agents from the default session expiry times ?
    Regards,
    Michael Ward.

    1. Set com.sun.am.policy.agents.config.audit.accesstype = LOG_NONE
    2. Not sure if I understand this. Typically the agent itself has to authenticate with the server, and that agent session doesn't expire anytime soon.
    -Subba

  • Access and Error Log Rotation

    When turning on Archive for the logs, cron style, the log gets archived with the date etc., but the new access and error files do not get created. I have ns-cron on and the rotation occurs, but only the file names change; it never creates the new files and only keeps changing the file names to the new name.

    You may be running into Problem 4684892 mentioned in the release notes:
    http://docs.sun.com/source/817-5170-10/rn60sp7.html
    The Administration Server and the cron daemon must be run as root for cron-based log rotation to function properly. You may have to modify your cron.conf user to run as root.
    Thanks,
    Manish

  • Too Slow - Domino 6.5.4 with access manager agent 2.2 ?

    I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
    I think AMAgent.properties is not good for SSO.
    Please help me to tune it.
    # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
    # Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
    # U.S. Government Rights - Commercial software. Government users are
    # subject to the Sun Microsystems, Inc. standard license agreement and
    # applicable provisions of the FAR and its supplements. Use is subject to
    # license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
    # trademarks or registered trademarks of Sun Microsystems, Inc. in the
    # U.S. and other countries.
    # The syntax of this file is that of a standard Java properties file,
    # see the documentation for the java.util.Properties.load method for a
    # complete description. (CAVEAT: The SDK in the parser does not currently
    # support any backslash escapes except for wrapping long lines.)
    # All property names in this file are case-sensitive.
    # NOTE: The value of a property that is specified multiple times is not
    # defined.
    # WARNING: The contents of this file are classified as an UNSTABLE
    # interface by Sun Microsystems, Inc. As such, they are subject to
    # significant, incompatible changes in any future release of the
    # software.
    # The name of the cookie passed between the Access Manager
    # and the SDK.
    # WARNING: Changing this property without making the corresponding change
    # to the Access Manager will disable the SDK.
    com.sun.am.cookie.name = iPlanetDirectoryPro
    # The URL for the Access Manager Naming service.
    com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
    # The URL of the login page on the Access Manager.
    com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
    # Name of the file to use for logging messages.
    com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
    # This property is used for Log Rotation. The value of the property specifies
    # whether the agent deployed on the server supports the feature or not. If set
    # to false all log messages are written to the same file.
    com.sun.am.policy.agents.config.local.log.rotate = true
    # Name of the Access Manager log file to use for logging messages to
    # Access Manager.
    # Just the name of the file is needed. The directory of the file
    # is determined by settings configured on the Access Manager.
    com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
    # Set the logging level for the specified logging categories.
    # The format of the values is
    #     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
    # The currently used module names are: AuthService, NamingService,
    # PolicyService, SessionService, PolicyEngine, ServiceEngine,
    # Notification, PolicyAgent, RemoteLog and all.
    # The all module can be used to set the logging level for all currently
    # known logging modules. This will also establish the default level for
    # all subsequently created modules.
    # The meaning of the 'Level' value is described below:
    #     0     Disable logging from specified module*
    #     1     Log error messages
    #     2     Log warning and error messages
    #     3     Log info, warning, and error messages
    #     4     Log debug, info, warning, and error messages
    #     5     Like level 4, but with even more debugging messages
    # 128     log url access to log file on AM server.
    # 256     log url access to log file on local machine.
    # If level is omitted, then the logging module will be created with
    # the default logging level, which is the logging level associated with
    # the 'all' module.
    # for level of 128 and 256, you must also specify a logAccessType.
    # *Even if the level is set to zero, some messages may be produced for
    # a module if they are logged with the special level value of 'always'.
    com.sun.am.log.level =
    # The org, username and password for Agent to login to AM.
    com.sun.am.policy.am.username = UrlAccessAgent
    com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
    # Name of the directory containing the certificate databases for SSL.
    com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
    # Set this property if the certificate databases in the directory specified
    # by the previous property have a prefix.
    com.sun.am.certdb.prefix =
    # Should agent trust all server certificates when Access Manager
    # is running SSL?
    # Possible values are true or false.
    com.sun.am.trust_server_certs = true
    # Should the policy SDK use the Access Manager notification
    # mechanism to maintain the consistency of its internal cache? If the value
    # is false, then a polling mechanism is used to maintain cache consistency.
    # Possible values are true or false.
    com.sun.am.notification.enable = true
    # URL to which notification messages should be sent if notification is
    # enabled, see previous property.
    com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
    # This property determines whether URL string case sensitivity is
    # obeyed during policy evaluation
    com.sun.am.policy.am.url_comparison.case_ignore = true
    # This property determines the amount of time (in minutes) an entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.policy.am.polling.interval=3
    # This property allows the user to configure the User Id parameter passed
    # by the session information from the access manager. The value of User
    # Id will be used by the agent to set the value of REMOTE_USER server
    # variable. By default this parameter is set to "UserToken"
    com.sun.am.policy.am.userid.param=UserToken
    # Profile attributes fetch mode
    # String attribute mode to specify if additional user profile attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user profile attributes will be introduced.
    # HTTP_HEADER - additional user profile attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user profile attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
    # The user profile attributes to be added to the HTTP header. The
    # specification is of the format ldap_attribute_name|http_header_name[,...].
    # ldap_attribute_name is the attribute in data store to be fetched and
    # http_header_name is the name of the header to which the value needs
    # to be assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    # Session attributes mode
    # String attribute mode to specify if additional user session attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user session attributes will be introduced.
    # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
    # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
    # The session attributes to be added to the HTTP header. The specification is
    # of the format session_attribute_name|http_header_name[,...].
    # session_attribute_name is the attribute in session to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.session.attribute.map=
    # Response Attribute Fetch Mode
    # String attribute mode to specify if additional user response attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user response attributes will be introduced.
    # HTTP_HEADER - additional user response attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user response attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
    # The response attributes to be added to the HTTP header. The specification is
    # of the format response_attribute_name|http_header_name[,...].
    # response_attribute_name is the attribute in policy response to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.response.attribute.map=
    # The cookie name used in iAS for sticky load balancing
    com.sun.am.policy.am.lb.cookie.name = GX_jst
    # indicate where a load balancer is used for Access Manager
    # services.
    # true | false
    com.sun.am.load_balancer.enable = false
    ####Agent Configuration####
    # this is for product versioning, please do not modify it
    com.sun.am.policy.agents.config.version=2.2
    # Set the url access logging level. the choices are
    # LOG_NONE - do not log user access to url
    # LOG_DENY - log url access that was denied.
    # LOG_ALLOW - log url access that was allowed.
    # LOG_BOTH - log url access that was allowed or denied.
    com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
    # Agent prefix
    com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
    # Locale setting.
    com.sun.am.policy.agents.config.locale = en_US
    # The unique identifier for this agent instance.
    com.sun.am.policy.agents.config.instance.name = unused
    # Do SSO only
    # Boolean attribute to indicate whether the agent will just enforce user
    # authentication (SSO) without enforcing policies (authorization)
    com.sun.am.policy.agents.config.do_sso_only = true
    # The URL of the access denied page. If no value is specified, then
    # the agent will return an HTTP status of 403 (Forbidden).
    com.sun.am.policy.agents.config.accessdenied.url =
    # This property indicates if FQDN checking is enabled or not.
    com.sun.am.policy.agents.config.fqdn.check.enable = true
    # Default FQDN is the fully qualified hostname that the users should use
    # in order to access resources on this web server instance. This is a
    # required configuration value without which the Web server may not
    # startup correctly.
    # The primary purpose of specifying this property is to ensure that if
    # the users try to access protected resources on this web server
    # instance without specifying the FQDN in the browser URL, the Agent
    # can take corrective action and redirect the user to the URL that
    # contains the correct FQDN.
    # This property is set during the agent installation and need not be
    # modified unless absolutely necessary to accommodate deployment
    # requirements.
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
    # com.sun.am.policy.agents.config.fqdn.map
    com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
    # The FQDN Map is a simple map that enables the Agent to take corrective
    # action in the case where the users may have typed in an incorrect URL
    # such as by specifying partial hostname or using an IP address to
    # access protected resources. It redirects the browser to the URL
    # with fully qualified domain name so that cookies related to the domain
    # are received by the agents.
    # The format for this property is:
    # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
    # This property can also be used so that the agents use the name specified
    # in this map instead of the web server's actual name. This can be
    # accomplished by doing the following.
    # Say you want your server to be addressed as xyz.hostname.com whereas the
    # actual name of the server is abc.hostname.com. The browsers only knows
    # xyz.hostname.com and you have specified polices using xyz.hostname.com at
    # the Access Manager policy console, in this file set the mapping as
    # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
    # Another example is if you have multiple virtual servers say rst.hostname.com,
    # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
    # abc.hostname.com and each of the virtual servers have their own policies
    # defined, then the fqdnMap should be defined as follows:
    # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    com.sun.am.policy.agents.config.fqdn.map =
    # Cookie Reset
    # This property must be set to true, if this agent needs to
    # reset cookies in the response before redirecting to
    # Access Manager for Authentication.
    # By default this is set to false.
    # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
    com.sun.am.policy.agents.config.cookie.reset.enable=false
    # This property gives the comma separated list of Cookies, that
    # need to be included in the Redirect Response to Access Manager.
    # This property is used only if the Cookie Reset feature is enabled.
    # The Cookie details need to be specified in the following Format
    # name[=value][;Domain=value]
    # If "Domain" is not specified, then the default agent domain is
    # used to set the Cookie.
    # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
    # token=value;Domain=subdomain.domain.com
    com.sun.am.policy.agents.config.cookie.reset.list=
    # This property gives the space separated list of domains in
    # which cookies have to be set in a CDSSO scenario. This property
    # is used only if CDSSO is enabled.
    # If this property is left blank then the fully qualified cookie
    # domain for the agent server will be used for setting the cookie
    # domain. In such case it is a host cookie instead of a domain cookie.
    # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
    com.sun.am.policy.agents.config.cookie.domain.list=
    # user id returned if accessing global allow page and not authenticated
    com.sun.am.policy.agents.config.anonymous_user=anonymous
    # Enable/Disable REMOTE_USER processing for anonymous users
    # true | false
    com.sun.am.policy.agents.config.anonymous_user.enable=false
    # Not enforced list is the list of URLs for which no authentication is
    # required. Wildcards can be used to define a pattern of URLs.
    # The URLs specified may not contain any query parameters.
    # Each service have their own not enforced list. The service name is suffixed
    # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
    # for a particular service. SPACE is the separator between the URL.
    com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
    # Boolean attribute to indicate whether the above list is a not enforced list
    # or an enforced list; When the value is true, the list means enforced list,
    # or in other words, the whole web site is open/accessible without
    # authentication except for those URLs in the list.
    com.sun.am.policy.agents.config.notenforced_list.invert = false
    # Not enforced client IP address list is a list of client IP addresses.
    # No authentication and authorization are required for the requests coming
    # from these client IP addresses. The IP address must be in the form of
    # eg: 192.168.12.2 1.1.1.1
    com.sun.am.policy.agents.config.notenforced_client_ip_list =
    # Enable POST data preservation; By default it is set to false
    com.sun.am.policy.agents.config.postdata.preserve.enable = false
    # POST data preservation : POST cache entry lifetime in minutes,
    # After the specified interval, the entry will be dropped
    com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.config.cdsso.enable=false
    # This is the URL the user will be redirected to for authentication
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.config.cdcservlet.url =
    # Enable/Disable client IP address validation. This validate
    # will check if the subsequent browser requests come from the
    # same ip address that the SSO token is initially issued against
    com.sun.am.policy.agents.config.client_ip_validation.enable = false
    # Below properties are used to define cookie prefix and cookie max age
    com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
    com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
    # Logout URL - application's Logout URL.
    # This URL is not enforced by policy.
    # if set, agent will intercept this URL and destroy the user's session,
    # if any. The application's logout URL will be allowed whether or not
    # the session destroy is successful.
    com.sun.am.policy.agents.config.logout.url=
    #http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
    # Any cookies to be reset upon logout in the same format as cookie_reset_list
    com.sun.am.policy.agents.config.logout.cookie.reset.list =
    # By default, when a policy decision for a resource is needed,
    # agent gets and caches the policy decision of the resource and
    # all resource from the root of the resource down, from the Access Manager.
    # For example, if the resource is http://host/a/b/c, the root of the
    # resource is http://host/. This is because more resources from the
    # same path are likely to be accessed subsequently.
    # However this may take a long time the first time if there
    # are many many policies defined under the root resource.
    # To have agent get and cache the policy decision for the resource only,
    # set the following property to false.
    com.sun.am.policy.am.fetch_from_root_resource = true
    # Whether to get the client's hostname through DNS reverse lookup for use
    # in policy evaluation.
    # It is true by default, if the property does not exist or if it is
    # any value other than false.
    com.sun.am.policy.agents.config.get_client_host_name = false
    # The following property is to enable native encoding of
    # ldap header attributes forwarded by agents. If set to true
    # agent will encode the ldap header value in the default
    # encoding of OS locale. If set to false ldap header values
    # will be encoded in UTF-8
    com.sun.am.policy.agents.config.convert_mbyte.enable = false
    #When the not enforced list or policy has a wildcard '*' character, agent
    #strips the path info from the request URI and uses the resulting request
    #URI to check against the not enforced list or policy instead of the entire
    #request URI, in order to prevent someone from getting access to any URI by
    #simply appending the matching pattern in the policy or not enforced list.
    #For example, if the not enforced list has the value http://host/*.gif,
    #stripping the path info from the request URI will prevent someone from
    #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
    #However when a web server (for example apache) is configured to be a reverse
    #proxy server for a J2EE application server, path info is interpreted in a different
    #manner since it maps to a resource on the proxy instead of the app server.
    #This prevents the not enforced list or policy from being applied to part of
    #the URI below the app server path if there is a wildcard character. For example,
    #if the not enforced list has value http://host/webapp/servcontext/* and the
    #request URL is http://host/webapp/servcontext/example.jsp the path info
    #is /servcontext/example.jsp and the resulting request URL with path info stripped
    #is http://host/webapp, which will not match the not enforced list. By setting the
    #following property to true, the path info will not be stripped from the request URL
    #even if there is a wild character in the not enforced list or policy.
    #Be aware though that if this is set to true there should be nothing following the
    #wildcard character '*' in the not enforced list or policy, or the
    #security loophole described above may occur.
    com.sun.am.policy.agents.config.ignore_path_info = false
    # Override the request url given by the web server with
    # the protocol, host or port of the agent's uri specified in
    # the com.sun.am.policy.agents.agenturiprefix property.
    # These may be needed if the agent is sitting behind a ssl off-loader,
    # load balancer, or proxy, and either the protocol (HTTP scheme),
    # hostname, or port of the machine in front of agent which users go through
    # is different from the agent's protocol, host or port.
    com.sun.am.policy.agents.config.override_protocol =
    com.sun.am.policy.agents.config.override_host =
    com.sun.am.policy.agents.config.override_port =
    # Override the notification url in the same way as other request urls.
    # Set this to true if any one of the override properties above is true,
    # and if the notification url is coming through the proxy or load balancer
    # in the same way as other request url's.
    com.sun.am.policy.agents.config.override_notification.url =
    # The following property defines how long to wait in attempting
    # to connect to an Access Manager AUTH server.
    # The default value is 2 seconds. This value needs to be increased
    # when receiving the error "unable to find active Access Manager Auth server"
    com.sun.am.policy.agents.config.connection_timeout =
    # Time in milliseconds the agent will wait to receive the
    # response from Access Manager. After the timeout, the connection
    # will be dropped.
    # A value of 0 means that the agent will wait until receiving the response.
    # WARNING: Invalid value for this property can result in
    # the resources becoming inaccessible.
    com.sun.am.receive_timeout = 0
    # The three following properties are for IIS6 agent only.
    # The two first properties allow to set a username and password that will be
    # used by the authentication filter to pass the Windows challenge when the Basic
    # Authentication option is selected in Microsoft IIS 6.0. The authentication
    # filter is named amiis6auth.dll and is located in
    # Agent_installation_directory/iis6/bin. It must be installed manually on
    # the web site ("ISAPI Filters" tab in the properties of the web site).
    # It must also be uninstalled manually when uninstalling the agent.
    # The last property defines the full path for the authentication filter log file.
    com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilter

    Hi,
    I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
    2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
    I have the box to identify but it does not connect me on my opensso server.
    It still identifies with Domino's server
    Thanks for your response
    Thomas

  • New log rotation problem

    I have resolved some log rotation problems... I have set the log rotation by size... and now the log rotates the first time, but then the output continues to go to the log with the extension .log001 and not to the configured file.
    Why?

    No, the server rotates the log only the first time, but then it continues to write to the .log001. To the original file it continues to write some server exceptions.
    The server launch line in the script is the following:
    nohup "$JAVA_HOME/bin/java" ${JAVA_VM} ${JAVA_OPTIONS_NODE} ${JAVA_OPTIONS} \
    -Dweblogic.Name=${SERVER_NAME} \
    -Dweblogic.ProductionModeEnabled=${PRODUCTION_MODE} \
    -Djava.security.policy="${WL_HOME}/server/lib/weblogic.policy" \
    -Dweblogic.Stdout=/u02/bea/weblogic81/mydomain/mydomain_LOG/myserver_Admin.log \
    -Dweblogic.Stderr=/u02/bea/weblogic81/mydomain/mydomain_LOG/myserver_Admin.log \
    weblogic.Server > /dev/null &
    and the config.xml part for the server configuration is the following:
    <Server COMEnabled="true" CompleteMessageTimeout="0"
    ConsoleInputEnabled="false" EnabledForDomainLog="true"
    ExpectedToRun="false" JDBCLogFileName="./mydomain_LOG/jdbc.log"
    JDBCLoggingEnabled="true" JavaCompiler="javac"
    ListenAddress="10.2.1.16" ListenPort="10001"
    MaxMessageSize="100000000" Name="myserver_Admin"
    ServerVersion="8.1.3.0" SocketReaderTimeoutMaxMillis="10"
    StagingMode="nostage" StdoutDebugEnabled="true"
    StdoutEnabled="true" StdoutSeverityLevel="16" TransactionLogFilePrefix="../myserver_LOG/myserverAdminTransaction.log">
    <SSL Enabled="false" IdentityAndTrustLocations="KeyStores"
    ListenPort="10002" Name="myserver_Admin"/>
    <Log FileCount="4" FileMinSize="30"
    FileName="/u02/bea/weblogic81/mydomain/mydomain_LOG/myserver_Admin.log"
    FileTimeSpan="1" Name="myserver_Admin"
    NumberOfFilesLimited="true" RotationType="bySize"/>
    <WebServer LogFileCount="2" LogFileLimitEnabled="true"
    LogFileName="./mydomain_LOG/access.log"
    LogRotationPeriodMins="360" LogRotationType="size"
    MaxLogFileSizeKBytes="20000" Name="myserver_Admin"/>

  • LDAP Log Rotation

    Does anybody know how to change the time of the log rotation for access and error logs? Currently, the logs rotate at 12:50 in the afternoon. I would like to change that. I have looked at the admin console and documentation and there is nothing on changing the time. You can change the size and interval. I assume that it does it at 12:50 because that's when the database was created.

    The time (12:50) is the time you started the server. Unfortunately, iDS will only rotate your logs at this time. One solution is to start your server at another time. Another solution is to manually rotate your logs using a script. But, you need to shut down your server to manually rotate logfiles.

  • Manual Log Rotation

    Hello,
    I am trying to figure out how to go about doing log rotation in my production
    environment. The requirements are that I send a daily logfile over to a centralized
    server each night around midnight. There are three options that I would think
    possible:
    1) Shutdown the instance and manually rotate the logs with a script.
    2) Setup by TIME log rotation
    3) Figure out which mbean is responsible for log rotation and access it directly.
    Ok, #1 is out of the question. #2 doesn't work because it's relative to the boot
    time of the instance. #3 is what I really would like to do, has anyone done this?
    Or doesn't anyone have any ideas of how I could do it?
    Thanks!
    Brett Bajcsi

    Did you use the logrot script or the web gui?
    The scheduler is activated?

  • Urgent help requested: Access Manager integration with BEA Portal

    We're using Access Manager 7.1 and Policy Agent 2.2 to authenticate users for our BEA WL Portal 10 which contains all of our content and applications. The portal contains both anonymous pages and protected pages (for registered users).
    Problem: When an anonymous user who is going through a multi-step application flow decides to sign-in to their account (or sign-up) Policy Agent wipes out the current content of the user session, and creates a brand new user session after the user is authenticated. Therefore we cannot send the user back to the same spot in the portal where they were before signing-in.
    Is there any way to make Policy Agent preserve the content and state of http session when authenticating a user?
    We have a business requirement to allow users to continue their application process after successfully signing in.
    Thanks in advance.

    Hi,
    I think this problem is not just related to weblogic 10 agent, it is a general problem for any agents.
    Can you please clarify what you mean by "anonymous user "? Do you mean that this user has never logged in to Access Manager, and is just browsing the site as an anonymous user, or do you have a role specified as "anonymous user " that they are currently logged into when browsing the site?
    thx,
    Sean

  • Can't login System Access Manager and Delegated Administrator page

    Hi.
    Suddenly I can't log in System Access Manager & Delegated Administrator page. Yesterday, I could.
    Do you help me?
    thanks.

    k-m-i wrote:
    Suddenly I can't log in System Access Manager & Delegated Administrator page. Yesterday, I could.

    Given that you have provided nothing in the way of usable information to isolate the problem I can only suggest restarting your directory server (assuming it hasn't crashed) then restarting the web-container hosting Access Manager and see if that fixes the problem.
    If not, you will have to look further into the web-server logs and the directory server logs to see why the problem is occurring.
    Regards,
    Shane.

  • Questions about Access Manager tutorials available in netbeans site

    Hi
    Thank you for reading my post
    I have some questions about two tutorials which I found at:
    http://www.netbeans.org/kb/55/amsecurity.html and
    http://www.netbeans.org/kb/55/amsecurity-liberty.html
    Here is my problem:
    We have some web services; now we want to have authentication applied for consumers who try to access our web services.
    We need to have the most possible flexibility because we may deploy the server for a customer with an already established Identity database (Database Table with user details).
    Also we need to have Transport level security using SSL.
    I read and studied both of them and now I have some questions:
    - I think Securing Web Services Using the SAML or UserNameToken is what we need for authentication and authorization of web service consumers?
    Is that right?
    - Does Sun Java System Access Manager provide flexibility to authenticate user/password with a database table content?
    - How can we apply roles in Sun Java System Access Manager when we authenticate users?
    Thanks

    Imagine that we want to have end-to-end security for our web services.
    We thought that we could use message level encryption to protect the SOAP message, and also we should protect our web services from unauthenticated access;
    we will use userName token for this.
    Our customer has a large database which contains many user/password pairs and the roles of those users.
    Some of the web services should be available to a higher role (manager) and not for all users,
    so we should check a user's role before we allow him/her to access a web service.
    My question is whether Sun Access Manager can help us with this, or whether there are other configurations or packages that we should apply to have this feature.
    To explain more:
    Our client side is a Swing application; users enter username/password to log in to the system. After they have logged in, we send user/pass every time the user wants to request some data from some services. (Is it good to send user/pass every time?)
    We want Sun Access Manager to handle user authentication.
    We also need to handle role related authorization; can Sun Access Manager handle this?
    Thanks

  • Network access manager gone crazy?

    Hey network techies out there. Why is the log for Network access manager consistently filling with blocks of ports 137 and 138? Does this happen on other computers too? I am connected to a 100 base T network at school and I have file and printer sharing off.
    Secondly, in the administrative properties tab and then the version area... does everyone else's say it can't find nCLI.exe?

    Hi There Sdiver2489
    I am a network administrator for a college running 2000 machines ...
    Questions
    Quote
    Does this happen on other computers too?
    Is This On The Server You Are Doing It With The Network Software Installed ?
    Quote
    Secondly, in the administrative properties tab and then the version area... does everyone else's say it can't find nCLI.exe?
    Nope, I don't get any problems at my end. I suggest a full uninstall and reinstall of the software.

  • LMS - log rotation based on time period

    Dear All
    Can we configure log rotation to be based on time period (e.g. past one year) instead of log file size?
    If it is feasible, please advise how to do it.
    Regards;
    Antonio

    I am not sure if I understand it correctly, but you can do this easily by defining the expected file size of the log file to rotate;
    logrot runs on a scheduled basis and checks if the log file has reached the defined file size - if not, it will do nothing; otherwise the file will be backed up. The key point is the configured file size;
    I use this for the syslog file to have a backup for each month:
        scheduling logrot to run every first of each month and setting the file size to a low value guarantees that I've got a file for every month;
    from the online help of logrot:
    http://:1741/help/cmf/index.html?sysad_adm_logrotate.html
    4. Specify the number of archive revisions. If you do not want to keep any archives, enter 0 (the default) for this option.
    5. Specify the maximum file size. The log will not be rotated until this size is reached. The unit is in kilobytes (KB). The default is 1024 KB or 1 MB.
    Why do you want to keep all log messages of a complete year in one file - what do you want to do?
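
The scheduled, size-gated rotation described in the reply above, as an added example that is not part of the original posts and is not Cisco's logrot. The function name `rotate_if_big`, its arguments and the year-month archive suffix are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: size-gated log rotation meant to be run from a scheduler
# (for instance on the first of each month). Not the logrot tool itself.
#
# rotate_if_big FILE MAX_KB KEEP [STAMP]
#   FILE    log file to check
#   MAX_KB  rotate only when FILE has reached this size in KB
#   KEEP    number of archive revisions to retain (0 = keep none)
#   STAMP   archive suffix; defaults to year-month (assumed naming scheme,
#           chosen so that archive names sort chronologically)
# Returns 0 if rotated, 1 if below the threshold, 2 on error.
rotate_if_big() {
    file=$1 max_kb=$2 keep=$3 stamp=${4:-$(date +%Y-%m)}
    [ -f "$file" ] || return 2

    # Round the size up to whole KB, then apply the size gate
    size_kb=$(( ($(wc -c < "$file") + 1023) / 1024 ))
    [ "$size_kb" -ge "$max_kb" ] || return 1

    if [ "$keep" -gt 0 ]; then
        archive="$file-$stamp"
        # Never overwrite an existing archive: add a sequence number instead
        n=1
        while [ -e "$archive" ]; do
            archive="$file-$stamp.$n"
            n=$((n + 1))
        done
        cp -p "$file" "$archive" || return 2
    fi

    # Truncate in place rather than rename, so the writing process keeps a
    # valid file handle. Lines written between the copy and the truncate are
    # lost; stop the writer first if that is not acceptable.
    : > "$file" || return 2

    # Keep only the newest KEEP archives (newest first by name)
    ls -1 "$file"-* 2>/dev/null | sort -r | tail -n +$((keep + 1)) |
        while IFS= read -r old; do rm -f -- "$old"; done
    return 0
}
```

Scheduling it monthly with a low `MAX_KB` gives one archive per month, which is the effect the reply describes.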

  • Extended format of access.log and log rotation

    I am using WebLogic Server 6.1sp1. I want to use extended format of web
    server access log. I also want to use log rotation based on date. But it
    seems not to work together. After my investigation I can say:
    - access.log in common format can be rotated based on date and on size,
    - access.log in extended format (either in its default form or
    completely redefined) can be rotated neither based on date nor size.
    In the second case, the first time WebLogic tries to rotate the logfile, an
    IOException is thrown with a message like "java.io.IOException: Failed
    to rename log file on attempt to rotate logs". Then it throws an
    IOException with a message "Exception flushing HTTP log file. (Bad file
    descriptor)." when it tries to flush the content of the logfile to the disk.
    After that WebLogic server stops writing to access.log.
    Is it possible to rotate access.log in extended format?
    Thanks,
    Andrzej Derlacki
    Infovide, Poland

    I am pasting the entries below which I see in the log (access_log). I don't see DEBUG in them.
    <AGENT_IP_ADDRESS> - - [29/Jun/2007:09:48:23 -0400] "GET /em/upload?ACTION=HEARTBEAT&EMD
    _URL=https%3a%2f%2flph010%2egep%2ege%2ecom%3a3872%2femd%2fmain%2f&HEARTBEAT_TI
    ME=2007-06-29+09%3a40%3a09&OUTSTANDING_SEVS=FALSE&EMD_UPTIME=2007-06-18+10%3a20%
    3a23&OLDEST_COLL_TIME=2007-06-29+09%3a40%3a09&INSTALL_TYPE=agent&X-ORCL-EMOV=4%2
    e0%2e0&X-ORCL-EMCV=10%2e2%2e0%2e1%2e0&X-ORCL-EMSV=10%2e2%2e0%2e1%2e0 HTTP/1.1" 2
    00 5
    <AGENT_IP_ADDRESS>- - [29/Jun/2007:09:48:23 -0400] "GET /em/upload?ACTION=HEARTBEAT&EM
    D_URL=https%3a%2f%2fprdes%2eeur%2egep%2ege%2ecom%3a3872%2femd%2fmain%2f&HE
    ARTBEAT_TIME=2007-06-29+15%3a48%3a23&OUTSTANDING_SEVS=FALSE&EMD_UPTIME=2007-06-1
    8+18%3a27%3a33&OLDEST_COLL_TIME=2007-06-29+15%3a48%3a23&INSTALL_TYPE=agent&X-ORC
    L-EMOV=4%2e0%2e0&X-ORCL-EMCV=10%2e2%2e0%2e1%2e0&X-ORCL-EMSV=10%2e2%2e0%2e1%2e0 H
    TTP/1.1" 200 5
    <AGENT_IP_ADDRESS> - - [29/Jun/2007:09:48:24 -0400] "GET /em/upload?ACTION=HEARTBEAT&E
    MD_URL=https%3a%2f%2fug038%2egep%2ege%2ecom%3a3872%2femd%2fmain%2f&HEARTBEAT_
    TIME=2007-06-29+22%3a19%3a35&OUTSTANDING_SEVS=FALSE&EMD_UPTIME=2007-06-18+18%3a3
    7%3a03&OLDEST_COLL_TIME=2007-06-29+22%3a19%3a35&INSTALL_TYPE=agent&X-ORCL-EMOV=4
    %2e0%2e0&X-ORCL-EMCV=10%2e2%2e0%2e1%2e0&X-ORCL-EMSV=10%2e2%2e0%2e1%2e0 HTTP/1.1"
    200 5
