What is Agent-Identity Server Shared Secret ?? thanks

What is the Agent-Identity Server Shared Secret??
when I install the policy agent for IIS 6
thanks

The shared secret is the word amldapuser itself :)
com.iplanet.am.service.secret=AQIC5wM2LY4Sfcw+fG5fAF7/a7DwD4dTy53r
bash-2.03# java TDec AQIC5wM2LY4Sfcw+fG5fAF7/a7DwD4dTy53r
amldapuser
I suggest that you should change it asap.

Similar Messages

  • Identity Server Cookie not found

    Hi all.
    I am getting a cookie-related error message when trying to access a protected web application;
    sequence:
    When I type in the URL of my web application, as expected, I am redirected to my Identity login page.
    I also get this error message ;) in my amAgent log:
    "2003-07-31 12:22:13.832 Warning 7048:d1168 PolicyAgent: Identity Server Cookie not found"
    To add something to this cookie issue:
    when I get authenticated from my Identity Server, I am successfully redirected to my web application; but if I invoke any web resource or link, buttons .... - trigger any event, I am thrown back to the login page of the web application - if I log in again in my web app, I go to the last page that I was accessing;
    I guess all this funny stuff happens because of the cookie, which is missing.
    Anyone have an idea what this cookie is, and what should be done to fix it?
    regards
    Kumar

    Sorry that so many people have faced the same or similar issues. I just joined this support a short while ago. If you think any old problem is still critical to you, please repost. We shall try our best to give you assistance. Jerry
    Here are some tips for debugging the Web agent.
    From the AMAgent.properties, are both IIS and AM in the same domain? If they are not, then you need to use CDSSO. Also please check in AM, under "Service Configuration -> Platform -> Cookie Domains", whether the cookie is set for the entire domain which includes AM and IIS ("test.com") or just the AM machine name.
    Also check whether the correct value for "Agent-Identity Server Shared Secret" is entered. This should be your internal LDAP password (amldapuser). In the AMAgent.properties the password will be encrypted and assigned to the property "com.sun.am.policy.am.password".
    Could you also check if the Identity Server and the IIS web server are time synchronized. The problem may be that the agent requests policy decisions and the response from the server may be timed out due to non-synchronized clocks.
    Don't forget to restart the whole IIS service using the Internet management console after making agent changes.
    Some of the common error codes:
    20: Application authentication failed. This occurs when the Agent cannot successfully authenticate with Identity Server. This is mainly due to an incorrect password for the agent entered during agent installation. Please refer to another FAQ describing how to change the password.
    7: Policy not found. This error occurs typically if there are no policies defined on Identity Server for the given web server URL. Otherwise, there may be time skew between Identity Server and Agent, so policies fetched from Identity Server are instantly flushed by the Agent and it attempts to refetch them over and over again. This can be solved by running rdate or a similar command to synchronize time between the two machines. It is recommended to run an NNTP server to synchronize times between your Identity systems.

  • Profile for Cisco IPsec VPN does not set shared secret correctly

    Hi,
    We have a shared secret configuration for a Cisco IPsec (connecting to an ASA). I can correctly configure a profile for the Cisco IPsec VPN and deliver it to the device. However, the VPN connection fails due to an invalid shared secret. If I then go into the VPN settings on the device itself and manually retype the shared secret, it works fine.
    I have noticed this when generating the mobileconfig profile both from Apple's iPhone Configuration Utility and also when using the MobileIron management platform to generate and push profiles.
    Has anyone else seen this problem? I'm really confident that I'm typing the shared secret correctly in the iPCU generated profile as I've tried it many times. It also has happened across every flavor of iOS 3.x and 4.x (including the 4.2 betas).
    thanks

    Hi,
    Thanks for the reply, but it is a bit of a strange one. What makes you think the shared secret we are using - which you don't know - is more than 32 characters long? I can promise you it isn't. There's a bug in the way mobileconfig files are storing the encrypted shared secret values. I've now seen it on a third-party mobile device management platform too.

  • Web Policy Agent 2.1 for Apache 1.3.27 with Identity Server 6.1

    Does anybody have a working combination of the above? I get an ID login page and after that I always get an access denied page. I get this exception in the agent logs:
    2004-10-14 16:28:00.917 Warning 6347:c1818 PolicyAgent: in get_cookie: no cookie in ap_table
    2004-10-14 16:28:01.895 Warning 6359:c1818 PolicyAgent: Invalid URL for property (com.sun.am.policy.agents.accessDeniedURL) specified
    2004-10-14 16:28:56.742 Warning 6349:c1818 PolicyAgent: am_web_is_access_allowed(http://xx.xx.xx.net:8080/, GET) denying access: status = access denied (20)
    2004-10-14 16:28:56.743 128 6349:c1818 RemoteLog: User testuser1 was denied access to http://xx.xx.xx.net:8080/.
    2004-10-14 16:28:56.831 -1 6349:c1818 PolicyAgent: URL Access Agent: access denied to testuser1
    We can ignore the Invalid URL property part because it's just looking for a custom URL in place there. I have cookies enabled in my browser. I even turned on the prompt option. No luck yet.
    Any suggestions would be of great help.
    Thanks,
    Sunil.

    From your description, since the agent installs file with a different JRE, I would suspect it has something to do with the availability of the JCE provider in the first JRE. By default, WebSphere's JRE is equipped with the IBM JCE provider, which is what the agent uses to encrypt the necessary information. If this provider is not configured correctly it could result in the error that you are seeing. Please check the WebSphere installation and make sure that the JRE used by it has the necessary IBM JCE provider configured. The java.security file for this should contain something like:
    security.provider.1=sun.security.provider.Sun
    security.provider.2=com.ibm.crypto.provider.IBMJCE
    security.provider.3=com.ibm.jsse.IBMJSSEProvider
    security.provider.4=com.ibm.security.cert.IBMCertPath
    security.provider.5=com.ibm.crypto.pkcs11.provider.IBMPKCS11
    Also, make sure that when you are installing the agent you specify the Java Home as prompted by the agent to point to the location where this JRE is installed. Typically this is under WebSphere/AppServer/java directory. HTH, Jerry

  • What port number for Desktop Sharing using in Lync Server 2013 and Lync Online

    Dear All,
    My environment uses Lync Server 2013 and Lync Online on Office 365. I don't want my users using the Desktop Sharing feature, so I need to know what port number Desktop Sharing uses in Lync Server 2013 and Lync Online.
    I will deny this port on the personal firewall of each client.
    Thank you for your advice.

    Hi,
    I'm not sure you'd be able to do this with ports without impacting other application sharing features such as Q&A, Whiteboard, Poll etc - I'm pretty sure they all come under the same umbrella of ClientAppSharing.
    Ordinarily you would create or modify your conferencing policy to restrict sharing to single programs only using a cmdlet similar to below;
    Set-CsConferencingPolicy -Identity "Global" -EnableAppDesktopSharing SingleApplication
    This would disable desktop sharing but enable users to continue sharing other single programs. If you want to remove that functionality too, then replace the 'SingleApplication' parameter with 'None'. Then users won't be able to share any programs either.
    This is the correct way to do it as the icons will be greyed out for the users. Doing it your way, they would still be able to click them, and it would throw an error - this will lead to a lot more support calls and people assuming a service is broken.
    I hope that helps some.
    Kind regards
    Ben

  • Which is the right IDE to develop policy Agents in Identity Server

    Hi,
    Can anyone tell me which is the right IDE to develop agents in Identity Server? I am thinking of using Sun One Studio?? Any better IDEs??
    Thanks,
    Ramnath

    Your favorite text editor and a command-line javac. What do you expect from an IDE?!

  • Send for shared review - What type of Web server folder works?

    Hello all,
    Can someone please explain to me what type of web server folder works with "Send for shared review"?
    I have created a folder on my GoDaddy server account with full permissions... http://webservername.com/Adobe_Test but after clicking Next, I see the error, "The Shared Folder Location is not valid. Click OK and check the Status field for more information."
    1) It isn't valid? What are the valid server requirements?
    2) "...check the Status field for more information."? What Status field?
    It would have been great if I could use a Google Docs folder but that failed as well.
    What must I do to unlock this neat feature?
    Thank you

    Thanks CtDave.
    I ended up building a WebDAV server and I am now encountering a bunch of new issues. Such as:
    From my workstation, working with Acrobat.
    - After making comments, I click the top button "Publish Comments" - this works well - no errors. But when I attempt to exit the PDF, Acrobat wants to save the document. Attempting to Save results in a read-only error. After trying this, Acrobat gets into a loop where there doesn't appear to be a way to exit Acrobat (other than by Save As with a new file name):
    Even worse... I understood that reviewers only required the Adobe Reader in order to comment. This doesn't seem to be the case.
    When I emailed a test document for review, this is the message that pops up:
    All that is available is the original content (none of the review comments are available).
    Any ideas?

  • Sun One Identity Server Policy Agent 2.0 for IIS 5.0

    Hi,
    I am trying to use Sun Identity Server with IIS, so I installed policy agent 2.0 for IIS 5.0. My operating system is Windows 2000 Professional. I can see the ISAPI filter is loaded, but when I try to test the installation by accessing a test page, like http://localhost/test.asp, I cannot go anywhere; the Sun Identity Server login page is not loaded. I checked the debug log file; there are just two warning messages:
    2003-02-12 11:11:52.314 Warning 1316:00A548E8 PolicyAgent: Invalid URL for property (com.sun.am.policy.agents.accessDeniedURL) specified
    2003-02-12 11:11:52.798 Warning 1316:00A548E8 PolicyAgent: FqdnHandler::FqdnHandler() No value specified for fqdnMap.
    Could someone help me out here? Any suggestion will be appreciated.
    Thanks,
    Harold Chen

    Well, it's in the Agent's installation guide, section "Read me first", "Setting Fully Qualified Domain Name". :)

  • Identity server agent interaction

    I am trying to get an agent to enforce an Identity Server policy. If I set the agent to "SSO Only" it works fine, but when I try to link it to a policy it doesn't work. Any ideas? Thanks.

    Hello,
    (in response to http://swforum.sun.com/jive/thread.jspa?threadID=48651&tstart=0):
    I have not solved this exact problem - but found this is working perfectly when using the Tomcat agent on Solaris.
    At least, this proves that we don't do anything completely wrong ;-)
    In a few weeks, I should have access to a support contract. Then, I will try to solve the posted problems again and complete the threads I opened.
    Regards,
    Juergen Maihoefner

  • Does URL Policy Agent of SunONE Web Server 6.1 works with Identity Server 6

    Hi,
    I'm using the URL Policy Agent of SunONE Web Server 6.1, and using Identity Server 6.1 to configure a policy to access a web resource such as http://myweb.org.cn/test/*
    After configuration, I try to access the resource http://myweb.org.cn/test/test.html
    The redirection is ok, the IS login page appears, but after logging in successfully, it still tells me that I don't have permission to view this web page.
    Is this because the URL policy agent doesn't support IS 6.1?
    Many thanks,

    Can anybody help me with the steps to generate core for this issue.. I followed the steps as said in http://blogs.sun.com/meena/entry/troubleshooting_server_crashes_enabling_core but I don't see any core generated when server crashes..
    Setup Info:
    - OS is RHEL 4.0
    - Sun ONE Web Server 6.1SP7
    - Policy Agent 2.2

  • What are services in Identity Server ?

    A service is a group of attributes defined under a common name. The attributes define the parameters that the service provides to an organization. For instance, in developing a payroll service, a developer might decide to include attributes that define an employee name, an hourly rate and a tax exemption. When the service is registered to an organization, that organization can use these attributes in the configuration of its entries.
    Identity Server defines services using Extensible Markup Language (XML). The Service Management Services Document Type Definition (sms.dtd) defines the structure of a service XML file.
    This file can be found in the following directory:
    install_dir/SUNWam/web-apps/services/dtd/

    Not sure what you mean here, portal can be used in two ways, open portal and secure portal using the gateway.
    If you are using secure portal, typically the gateway would reside in the DMZ and profile server would reside within your firewall.

  • Use of Sun One Identity Server for SAML

    Hi all,
    I want to use Sun One Identity Server as the asserting server and SAP WAS 6.40 as the trusting server. Can anyone help me with where to download Sun One Identity Server from, which patch of it I'll have to download, and how to make the connectivity of Sun One Identity Server with SAP WAS 6.40.
    Thank you very much.

  • VPN settings for Apple TV - Shared Secret?

    We are setting up and on network tab on the mac > connect up > the L2TP / VPN server did not respond - verify settings (auto), asks for a shared secret...anyone know what to do....thanks, Louise

    Does this have anything to do with Apple TV?

  • IV and hmac from shared secret, and replay attacks.

    Hello all!
    I am working on a client/server project where I use the Diffie-Hellman key exchange.
    Both server and client have the secret and can decrypt encrypted messages from each other.
    Q1: Up to now I have only used a predefined IV for the 3DES CBC cipher. But I would like to generate an IV from the shared secret somehow. Which way is the most secure way to do that?
    The way things look now I enc/dec by myself without the CipherOutputStream (got too much trouble with the cipher buffers) and just send it over by myself.
    I would like to use a SHA1 HMAC and send that over with the msg.
    Q2: I now use println for sending; is it ok to first send the encrypted msg, and then send the HMAC after, from a security point of view?
    Q3: How do I use my shared secret to calculate a SHA1 HMAC from the msg?
    Q4: How do I use a timestamp with the above cipher and HMAC in a secure way to prevent replay attacks?
    Sorry for the many questions, I have tried for several days to figure some of this stuff out, any help/code is appreciated
    /Mike
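
    As an added example (not code from this thread), here is how the four questions fit together, written in Python since the design is language-independent: per-purpose keys are derived from the DH secret (Q1), the message is encrypt-then-MAC'd with HMAC-SHA1 over timestamp, nonce, IV and ciphertext (Q2, Q3), and the receiver enforces a time window plus a seen-nonce cache (Q4). The 3DES-CBC step itself is left to the caller (the ciphertext passed in is a constructed stand-in), and the shared secret value, the labels and the 30-second window are assumptions.

```python
import hashlib
import hmac
import secrets
import struct

WINDOW_SECONDS = 30   # assumed tolerance for clock skew and message age
TAG_LEN = 20          # HMAC-SHA1 output size
HEADER_LEN = 24       # 8-byte timestamp + 8-byte nonce + 8-byte 3DES IV


def derive_key(shared_secret: bytes, label: bytes, length: int) -> bytes:
    """Q1: expand the raw DH secret into purpose-specific material with an
    HKDF-Expand-style HMAC-SHA256 loop, so the MAC key and the cipher key
    are unrelated and the secret itself is never used as key or IV."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(shared_secret, block + label + bytes([counter]),
                         hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def seal(mac_key: bytes, ciphertext: bytes, iv: bytes, now: int,
         nonce: bytes = b"") -> bytes:
    """Q2/Q3: encrypt-then-MAC. The HMAC-SHA1 tag covers timestamp, nonce,
    IV and ciphertext, so the receiver verifies before decrypting and none
    of the fields can be altered unnoticed. Q4: timestamp and nonce are the
    replay protection; they travel in the clear but inside the MAC."""
    nonce = nonce or secrets.token_bytes(8)
    header = struct.pack(">Q", now) + nonce + iv
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha1).digest()
    return header + ciphertext + tag


class Receiver:
    """Verifies packets and rejects stale or repeated ones."""
    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seen = {}   # (timestamp, nonce) -> timestamp of accepted packets

    def open(self, packet: bytes, now: int):
        """Return (iv, ciphertext) ready for 3DES-CBC decryption, or raise."""
        if len(packet) < HEADER_LEN + TAG_LEN:
            raise ValueError("short packet")
        header, body, tag = (packet[:HEADER_LEN], packet[HEADER_LEN:-TAG_LEN],
                             packet[-TAG_LEN:])
        expected = hmac.new(self.mac_key, header + body, hashlib.sha1).digest()
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            raise ValueError("bad MAC")
        # Only authentic packets reach the replay checks below.
        (ts,) = struct.unpack(">Q", header[:8])
        nonce, iv = header[8:16], header[16:24]
        if abs(now - ts) > WINDOW_SECONDS:
            raise ValueError("stale timestamp")
        # Entries older than the window can no longer pass the check above.
        self.seen = {k: v for k, v in self.seen.items()
                     if now - v <= WINDOW_SECONDS}
        if (ts, nonce) in self.seen:
            raise ValueError("replay")
        self.seen[(ts, nonce)] = ts
        return iv, body


# Constructed stand-in for a DH shared secret; a real one comes from the exchange.
SHARED_SECRET = bytes(range(32))
MAC_KEY = derive_key(SHARED_SECRET, b"hmac-sha1", 20)
ENC_KEY = derive_key(SHARED_SECRET, b"3des-cbc", 24)   # would feed the cipher
```

    Sending the HMAC on a separate println after the ciphertext is fine as long as the receiver withholds decryption until the tag has been verified; what matters is that the tag covers everything that was sent, not the order on the wire.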

    Bossk wrote:
    > Thanks for your reply.
    > I've read most (if not all) .NET to Java migration threads I could find. None helped me with my problem.
    > If I understood your reply correctly, there are some fundamental flaws in the .NET encrypt/decrypt routines:
    Yes, but I am not aware of any in the code you are using.
    > - the AES blocksize is set to 256 but can only be 128 bits
    Your .NET code is using Rijndael, which does allow a block size of 256, but your Java code is using AES, which does not allow a block size of 256. You need to get a Rijndael implementation from another provider. I suggest you look at BouncyCastle. They may also have an Rfc2898DeriveBytes port.
    > - ECB mode is used. However, ECB does not use an IV, right? So the .NET classes must be ignoring this parameter.
    Yes. What I find interesting about the .NET crypt routines is that they (almost) never throw exceptions when illegal or inappropriate parameters are used.
    > I also have the PasswordDerivedBytes class from the thread you linked, when I try to decode using this code it still does not work:
    The .NET class PasswordDerivedBytes is a mess, but you actually need an implementation of RFC2898, some of which PasswordDerivedBytes implements. Check with the BouncyCastle provider; they may have an Rfc2898DeriveBytes class, but if not then you need to implement the relevant part of RFC2898. The problem you will have is knowing which of the 5 RFC2898 key generation algorithms is actually used with the .NET code.

  • Custom Authentication Module on Identity Server

    Hi,
    I have a custom authentication module which I am trying to access through the policy agent.
    I have set the following property in AMAgent.properties file
    com.sun.am.policy.am.loginURL= http://host:port/amserver/UI/Login?module=CustomLoginModule.
    My login module code is something like this:
    package com.iplanet.am.samples.authentication.providers;
    import java.util.*;
    import javax.security.auth.Subject;
    import javax.security.auth.callback.Callback;
    import javax.security.auth.callback.NameCallback;
    import javax.security.auth.callback.PasswordCallback;
    import javax.security.auth.login.LoginException;
    import com.sun.identity.authentication.spi.AMLoginModule;
    import com.sun.identity.authentication.spi.AuthLoginException;
    import java.rmi.RemoteException;
    import java.io.FileInputStream;
    import java.util.Properties;

    public class LoginModule1 extends AMLoginModule {
        private String userName;
        private String userTokenId;
        private HashMap usersMap;
        private java.security.Principal userPrincipal = null;

        public LoginModule1() throws LoginException {
        }

        // Load the user/password table from the "users" resource bundle once per module instance
        public void init(Subject subject, Map sharedState, Map options) {
            System.out.println("LoginModule1 initialization");
            usersMap = new HashMap();
            ResourceBundle bundle = ResourceBundle.getBundle("users");
            Enumeration users = bundle.getKeys();
            while (users.hasMoreElements()) {
                String user = (String) users.nextElement();
                String password = bundle.getString(user.trim());
                usersMap.put(user, password);
            }
        }

        // Called for each authentication state; returning -1 signals success to the framework
        public int process(Callback[] callbacks, int state) throws AuthLoginException {
            int currentState = state;
            if (currentState == 1) {
                userName = ((NameCallback) callbacks[0]).getName().trim();
                char[] passwd = ((PasswordCallback) callbacks[1]).getPassword();
                String passwdString = new String(passwd);
                if (userName.equals("")) {
                    throw new AuthLoginException("names must not be empty");
                }
                if (userName.equals("testuser") && passwdString.equals("testuser")) {
                    userTokenId = userName;
                    return -1;
                }
                if (usersMap.containsKey(userName)) {
                    if (usersMap.get(userName).equals(new String(passwd))) {
                        userTokenId = userName;
                        return -1;
                    }
                }
            }
            return 0;
        }

        public java.security.Principal getPrincipal() {
            if (userPrincipal != null) {
                return userPrincipal;
            } else if (userTokenId != null) {
                // Note: the principal is always built as "testuser", whatever userTokenId holds
                userPrincipal = new SamplePrincipal("testuser");
                return userPrincipal;
            } else {
                return null;
            }
        }
    }
    So when the user requests a protected resource, the policy agent forwards the user to Identity Server with the module as CustomLoginModule. However, after this, authentication does not succeed and I get the following error messages in the agent log file.
    2004-08-09 15:24:08.640 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:09.030 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:23.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
    2004-08-09 15:24:28.281 Error 2712:24fda5e8 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:29.484 Error 2712:130f060 PolicyAgent: validate_session_policy() access allowed to unknown user
    2004-08-09 15:24:29.499 Error 2712:24fda5e8 PolicyEngine: am_policy_evaluate: InternalException in Service::construct_auth_svc with error message:Application authentication failed during service creation. and code:20
    2004-08-09 15:24:29.499 128 2712:24fda5e8 RemoteLog: User unknown was denied access to http://ps0391.persistent.co.in:80/test/index.html.
    2004-08-09 15:24:29.499 Error 2712:24fda5e8 LogService: LogService::logMessage() loggedBy SSOTokenID is invalid.
    2004-08-09 15:24:29.499 Error 2712:24fda5e8 all: am_log_vlog() failed with status AM_REMOTE_LOG_FAILURE.
    2004-08-09 15:24:29.499 -1 2712:24fda5e8 PolicyAgent: validate_session_policy() access denied to unknown user
    The necessary policy object is already created in Identity Server. Please send your suggestions to fix this problem.
    Thanks
    Srinivas

    Does the principal "testuser" exist in your realm? If I understand your module correctly, it looks like it always returns "testuser".
    I am guessing that Access Manager is not finding your principal. Typically, if Access Manager cannot associate the principal returned by the custom AMLoginModule, it will fail the authentication.
    I am wondering if this is related to a separate problem I have seen with custom login modules. Try changing the code to return an LDAP-style principal; it may work:
    so return "uid=testuser,ou=People,dc=yourdomain,dc=com" for example. In theory this should not be necessary, but it solved some problems for me, though I am not sure why.
