Where is Access Manager patch 4?

The release notes for Access Manager patches now includes a description of patch 4 (http://docs.sun.com/app/docs/doc/819-2134/6n4eoarc7?a=view) but I cannot find the patch on the support site. Does anyone know where the patch can be found and downloaded?
Thanks

You can find the page at the following location
http://sunsolve.sun.com/search/advsearch.do?collection=PATCH&type=collections&max=50&language=en&queryKey5=120956&toDocument=yes
++rudy

Similar Messages

How to check amsilent file in Sun Access manager patch or redeploying WAR's

h1. How to check amsilent file in Sun Access manager patch or redeploying WAR's
I had a hard time getting all the passwords correct, so I wrote a shell (bash) script that uses most passwords and other parameters in searches and queries. It let's you know before you start if a value is wrong. It does not change anything, only queries.
h2. One pitfall I found ...
during the postinstall of patch 05. I told Sun about it, but I suspect it was too late and is also an issue with patch 06:
Look at the documentation regarding amconfig and the amsilent file:
http://docs.sun.com/app/docs/doc/819-2137/adsav?l=en&q=amconfig&a=view
Two problems that are clear to me now:
1. ADMINPASSWD in practice, this password is used for cn=puser, not amadmin as it says. Perhaps there is something that makes them the same. It was the same for me, so it probably does not matter.
2. AS81_ADMINPASSWD is not the same as ADMINPASSWD using either my definition or the document's definition. However, in the amsilent template, it is set like this, which I found is incorrect and the cause of my recent hair loss:
<blockquote>AS81_ADMINPASSWD="$ADMINPASSWD"</blockquote>
Also, this one if you use the web server:
<blockquote>WL8_PASSWORD="$ADMINPASSWD"</blockquote>
Delete the $ADMINPASSWD and replace it with the password for the app/web server.
h2. The Script.
It tests for the above problem, but I just realized it does not check $ADMINPASSWD. If that is set incorrectly in your amsilent, you'll get errors immediately from amconfig, so no big deal. If you make improvements, please post a reply!
Paste this into a file named checkamsilent. LDAP and appserver must be running. It reads /opt/SUNWam/amsilent. Run it as root or use sudo:
sudo ./checkamsilent
#!/usr/bin/bash
        echo "This will test several important parameters of the amsilent file "
        echo "run this as root."
        echo "### read in the amsilent parameters"
        echo "source /opt/SUNWam/amsilent "
source /opt/SUNWam/amsilent
        echo "### look for the *server port* with LISTNER, otherwise it's not listening. "
        echo "netstat -a | grep $SERVER_PORT    "
        echo "--------------"
netstat -a | grep $SERVER_PORT
        echo "--------------"
        echo "."
        echo "### *admin port* with LISTNER, otherwise it's not listening. "
        echo "netstat -a | grep $ADMIN_PORT   "
        echo "--------------"
netstat -a | grep $ADMIN_PORT
        echo "--------------"
        echo "."
        echo "### Expect to see a line of XML, otherwise the SERVER_PORT is incorrect in the amsilent file."
        echo "grep $SERVER_PORT ${AS81_INSTANCE_DIR}/config/domain.xml "
        echo "--------------"
grep $SERVER_PORT ${AS81_INSTANCE_DIR}/config/domain.xml
        echo "--------------"
        echo "."
        echo "### Expect to see a line of XML, otherwise the ADMIN_PORT is incorrect in the amsilent file."
        echo "grep $ADMIN_PORT ${AS81_INSTANCE_DIR}/config/domain.xml "
        echo "--------------"
grep $ADMIN_PORT ${AS81_INSTANCE_DIR}/config/domain.xml
        echo "--------------"
        echo "."
        echo "### bind as the directory manager "
        echo "ldapsearch -v -h $DS_HOST -p 3892 -L -s sub -D \"$DS_DIRMGRDN\" -w \"$DS_DIRMGRPASSWD\" -b 'dc=nsf, dc=gov' \"cn=amldapuser\""
ldapsearch -v -h $DS_HOST -p 3892 -L -s sub -D "$DS_DIRMGRDN" -w "$DS_DIRMGRPASSWD" -b 'dc=nsf, dc=gov' "cn=amldapuser"
        echo "."
        echo "### check the amldapuser password. "
        echo "ldapsearch -w $AMLDAPUSERPASSWD -v -h $DS_HOST -p 3892 -L -s sub -D cn=amldapuser,ou=DSAME Users,dc=nsf,dc=gov -b ou=DSAME Users,dc=nsf,dc=gov cn=* cn "
ldapsearch -w "$AMLDAPUSERPASSWD" -v -h $DS_HOST -p 3892 -L -s sub -D "cn=amldapuser,ou=DSAME Users,dc=nsf,dc=gov" -b "ou=DSAME Users,dc=nsf,dc=gov" cn=* cn
        echo "."
        echo "### check the app server admin: AS81_ADMIN password: AS81_ADMINPASSWD and port: ADMIN_PORT "
     echo "### That's actually a bug in the template. "
     echo "### Do not use AS81_ADMINPASSWD=\$ADMINPASSWD Make sure they are different passwords! Don\'t use the default!"
     echo "Expect to see a WARNING about --password option. "
        echo "/opt/SUNWappserver/appserver/bin/asadmin list-http-listeners --user $AS81_ADMIN --port $ADMIN_PORT -w $AS81_ADMINPASSWD "
/opt/SUNWappserver/appserver/bin/asadmin list-http-listeners --user $AS81_ADMIN --port $ADMIN_PORT -w "$AS81_ADMINPASSWD"
        echo "done!"

I change the product machine from LG optimus to Samsung Galaxy but the file writing is not working, too.
I copied the source code from Adobe website about FileStream but it is needless too.
-----------------program code------------------------
import flash.filesystem.*;
import flash.filesystem.FileStream;
import flash.events.Event;
//txtFld is a standard textField component
txtFld.text = "Start";var file:File = new File();
//btnSaveFile is a standard button component
btnSaveFile.addEventListener(MouseEvent.CLICK,handlerBtnSaveFile);
function handlerBtnSaveFile(e:Event){
txtFld.text = "Pressed";
file = File.documentsDirectory;
file = file.resolvePath("test.txt");
var fileStream:FileStream = new FileStream();
fileStream.openAsync(file, FileMode.WRITE);
fileStream.writeUTFBytes("Hello");
txtFld.text = file.nativePath.toString();
//fileStream.addEventListener(Event.CLOSE, fileClosed);
fileStream.close();
fcnFileName();
function fcnFileName(){
txtFld.text = file.name.toString();
function fileClosed(event:Event):void {
    trace("closed");
txtFld.text = "FileClosed";

Setting up Access Manager and Directory Server for Failover.

I'm setting up 2 Access Managers AM1,AM2 and 2 Directory Servers DS1 and DS2 for failover. I've connected AM1 and AM2 to DS1. Suffixes of DS1 is replicated to DS2. Any change made to AM1 is replicated to AM2 as expected. I just patched AM1 with Access Manager patch 1 and the version information for AM1 shows 7.1 126359-01. I followed the same procedure to patch AM2 but AM2 still shows ver 7.1.
How do I make sure both Access Managers are patched to the same version?
I'm able to authenticate to one IIS6 site and authentication is passed on to Outlook Web Access on AM1 but when I shut down AM1 to test failover to AM2 OWA prompts me again for password. How do I resolve this?
On AM1 http://host.domain/amserver/UI/Login?realm=sso successfully logs in but the same on AM2 gives Warning that "You have already logged in. Do you want to log out and then login to a different organization?"
Please help !!!

I'll answer what bits I can:
Q: AM showing the same version?
A: No idea on this one. I would have expected the operation you described to have produced the right answer. Check that neither your application server nor your web browser are caching old pages (ctrl-F5 in my browser)
Q: How do I resolve re-authentication on failover?
A: The AM documentation includes a deployment example that covers pretty closely what it is you are trying to achieve:
http://docs.sun.com/app/docs/doc/820-2278
Specifically, the problem you are describing is related to session failover. The sessions are stored in a local DB so when you failover the backup server does not store the same information and hence requires a reauthentication. The section of the above doc that deals with this is here:
http://docs.sun.com/app/docs/doc/820-2278/gdsre?l=en&a=view
Q: "You have already logged in" warning
A: No idea. Sorry.
R

What kind of permissions are needed in LDAP to install Access Manager?

Hi people,
I'm trying to install Access Manager in three different machines, and i'll try to configure them in a failover schema, but I'm not the owner of the LDAP where the Access Manager DIT is going to live, my question is what kind of permissions do I need to install it, rigth now I've tried to install it three times and I can't get a succesfull install process, this is a resume of the common errors that I've got in the Java_Enterprise_System_Config_Log.xxxx
adding new entry ou=portalmmm_1.0_n21i,ou=internalData,ou=1.0,ou=SunAMClientData,ou=ClientData,o=bbva
sleep 3
ERROR : Configuring/Loading of the default DIT in the Directory Server failed
CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss4.jar:/opt/SUNWam/lib/am_sdk.jar
Loading service schema XML files ...
Info 109: Calling SCHEMA MANAGER
Info 110: XML file to import:/etc/opt/SUNWam/config/ums/ums.xml
Info 103: Loading Service Schema XML /etc/opt/SUNWam/config/ums/ums.xml
Loading Service Schema XML /etc/opt/SUNWam/config/ums/ums.xml
Error occured while loading: /etc/opt/SUNWam/config/ums/ums.xml
Error Log:
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-pluginEnabled' attribute of entry 'cn=referential integrity postoperation,cn=plugins,cn=config'.
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-pluginarg10' attribute of entry 'cn=referential integrity postoperation,cn=plugins,cn=config'.
ldap_add: Already exists
ldap_add: Insufficient access
ldap_add: Insufficient access
ldap_add: Insufficient access
ldap_add: Insufficient access
ldap_add: Insufficient access
ldap_add: Already exists
ldap_add: Already exists
ldap_add: Already exists
ldap_add: Already exists
ldap_add: Already exists
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-sizelimit' attribute of entry 'cn=config'.
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-timelimit' attribute of entry 'cn=config'.
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-lookthroughlimit' attribute of entry 'cn=config,cn=ldbm database,cn=plugins,cn=config'.
ldap_add: Already exists
ldap_add: Insufficient access
ldap_add: additional info: Insufficient 'add' privilege to add the entry 'ou=DSAME Users,o=isp'.
ldap_modify: Type or value exists
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'o=isp'.
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'o=isp'.
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'o=isp'.
ldap_add: No such object
ldap_add: matched: o=isp
ldap_add: No such object
ldap_add: matched: o=isp
/opt/SUNWam/bin/amadmin: -Dcom.sun.identity.sm.enableDataStoreNotification=true: not found
Error 29: ServiceManager Exception
Error 10: Cannot process requests:
sms-UNKNOWN_EXCEPTION_OCCURRED
Identity Server Configuration Failed ...
Configuration failed for : ISConfigurator
*** End configuring ISConfigurator***Please suggest...
Thanks in advance
Lalo

You can't install Access Manager without full control on the base organization.
You need the Directory Manager user (maybe with a temporary password) or a user with full permissions on the Access Manager root DN.
Hope It Helps
Saludos!!

Where to download •Oracle Access Manager WebGate 10.1.4.3

i am working on OAM/OID integration with EBS R12(Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR1 (11.1.1.5) using Oracle E-Business Suite AccessGate [ID 1309013.1]), As per the document i am trying to download Oracle Access Manager WebGate 10.1.4.3 from this link
http://www.oracle.com/technetwork/middleware/ias/downloads/101401-099957.html
i am confused on downloading (Oracle Access Manager Core Components (10.1.4.3.0 or Oracle Access Manager WebGates for OHS 11g and Weblogic Identity Assertion Provider (10.1.4.3.0) or Policy Manager and WebPass on Third Party and non-OHS 11g Web Servers (10.1.4.3.0 )
which one i need to download.

Hi,
Oracle Access Manager 10.1.4.3.0 is a part of 11g R1 release So, you should be fine with OAM 10.1.4.3.0.
OAM 10G R3 consists of OAM 10.1.4.0.1 (and 10.1.4.2.0).
-- Pramod Aravind

Where is Role store in Access Manager ?

Hello,
How i get Role of User from Access Manager .
In Access Manager if i create Role = "Sale Role" and assign User to this Role.
Whare is "Sale Role" store in LDAP tree ?

Try the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) ( http://docs.sun.com/doc/806-4077 ). As mentioned in that doc, you'll need to set up Directory Server before you can use it.
Hope that helps,
Mark

UWC/CE 6.3 and Access Manager 7.1 SSO sometimes fails (seems like a bug)

PREAMBULA: I started writing this post thinking that our AM SSO setup was at fault in some step. As I was gathering data, checking the doc-links and config files and finally sniffed the servers for HTTP dialogs, I grew pretty sure there's a bug in UWC/CE, AM SDK or Web Server Policy Agent, whatever implements the AM SSO session checking.
In short, as written below, our "sunmail" server can POST a broken cookie to AM server, if the cookie originally contained a "plus" character. The "plus" is replaced by a "space", invalidating the session check. As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here. I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
Is there some known bug or workaround that matches this description?
Nevertheless, for completeness' sake I kept the description of our setup. Maybe it's at fault after all :)
We have an installation of JCS5 with the latest patches as of early July 2008. And as the subject implies, we have problems with AM SSO in UWC/CE web-interface. I have reported them before, then they seemed fixed (not occuring for several tests in a row), but as time has shown, something wrong is still there.
So I'll try to go into deeper detail now, as we've may have overlooked some nuance... Then again, as my sniffer research below shows, this may be an engine bug and these setup details are irrelevant.
Our setup is split into several Solaris 10 full-root zones hosted on several servers, some of the components are enroute to HA (perhaps we made some mistakes on this part of the way?)
So, we have the following software stack:
1) two MMR Directory Servers (DSEE 6.3 = DSEE 6.2 from JCS5 + 125278-07__DSEE_6.3__x86x64 + 125277-07__DSEE_6.3__x86_sol9 patches) working in zones on two different servers. Except for one time when a manually forced ZFS rollback corrupted one of the server instances, no problems here.
2) two zones with Directory Proxy Servers (6.3, exact versions as above) running at port 389 provide the clients with an illusion that they have a stable Directory Server, even if one of the actual servers is currently rebooting ;)
These DPS zones are hosted on two different servers as well and are primarily used by LDAP clients (JCS components) running in other zones on the same respective servers.
3) A zone with Sun Web Server 7.0U1 and Access Manager 7.1 (+ 126357-01__AM71_x86 patch) and Delegated Admin 6.4-4.01 (from JCS5 + 121582-18__COMMCLI64__x86 patch).
At the moment there is one such zone (named "cos-psam-01.domain.ru" in the logs below), but we expect(-ed) it to become two similar zones as per AM HA setup.
Zones listed in (1-3) use private IP numbers, they belong in our internal DMZ.
Zones listed in (4-5) below use public (routed) IP numbers, they belong in our external DMZ.
4) A zone with Sun Web Server 7.0U1 used primarily as a reverse-proxy server (optionally with a load-balancer libpassthrough.so plugin) successfully used for other hosted projects. One of its configurations now passes connections from an externally routed IP address published as "psam.domain.ru" to "cos-psam-01.domain.ru", per AM HA setup, so HTTP clients believe they work with an Access Manager instance. This zone has a backend interface with a private IP address to communicate with the actual AM instance.
In AM configuration (both LDAP and file-based) we have configured a site ID with the publicly known name and mentioned both names (psam and cos-psam-01) in organization's realm/dns aliases.
5) A zone with the rest of the Sun Java Communications Suite 5, as in Messaging Server 6.3 (6.3-6.03 64-bit: ci-5.0-1.03_solx86_x64__Messaging_Server_6.3-2 + patch 126480-09__MSG63__x86-64), UWC/CE 6.3 (from JCS5 + 122794-17__UWC63-4.01_core__x86), Instant Messaging 7.2 (from JCS5 + 118790-29__IM72__x86-1 + 118787-28__IM72__x86-2), Calendar Server 6.3 (from JCS5 + 121658-28__iCS63__x86). The web-components (UWC/CE, IM, /httpbind) are deployed in a Sun Web Server 7.0U1 as well.
This zone is named "sunmail.domain.ru" and has a routed IP address for direct external access to its servicess.
The AM SDK part is also patched (126357-01__AM71_x86); it points to the load-balancer name ("psam.domain.ru") as an actual AM server.
# imsimta version
Sun Java(tm) System Messaging Server 6.3-6.03 (built Mar 14 2008; 64bit)
libimta.so 6.3-6.03 (built 17:15:08, Mar 14 2008; 64bit)
SunOS sunmail 5.10 Generic_127112-07 i86pc i386 i86pc
While setting up this server set we tried to use AM SSO as the user login method, but it works unreliably.
"Unreliably" means that while most of the time entering a correct uid and password in Access Manager login page ("http://psam.domain.ru/amserver/UI/Login") does redirect a user back to "http://sunmail.domain.ru/uwc/auth" along with a new cookie, and the user is redirected again to his or her mailbox, sometimes the user receives the UWC/CE login page. Entering the same uid and password here does log him in, but it breaks the whole point of SSO and only increases the end-user routine required to log in :\
We have also seen the "missing mail tab" problem - if the users point the browser to any hostname different from "sunmail.domain.ru" (i.e. www.mail.domain.ru which is equivalent in DNS), they have only the Address book, Calendar and Options tabs; no webmail. So far this is resolved by Policy Agent forcing The One name of the server.
Here's the configuration we did specifically for AM SSO:
1) in AMConfig.properties of "sunmail" and "cos-psam-01" we set up
com.iplanet.am.cookie.encode=false
am.encryption.pwd=<the same value>
all hostname-related parameters point to "psam.domain.ru"
2) in AMConfig.properties of "cos-psam-01" a number of FQDN equivalence entries are added (so it does not redirect to a server hostname unknown to visitors):
com.sun.identity.server.fqdnMap[publicname-or-ip]=psam.domain.ru
com.sun.identity.server.fqdnMap[cos-psam-01.domain.ru]=cos-psam-01.domain.ru
3) in "msg.conf" on "sunmail" (entries added via configutil):
local.webmail.sso.amcookiename = iPlanetDirectoryPro
local.webmail.sso.amnamingurl = http://psam.domain.ru:80/amserver/namingservice
local.webmail.sso.singlesignoff = yes
local.webmail.sso.uwcenabled = 1
service.http.ipsecurity = no
(perhaps some more options are required? Looking for confirmation about: local.webmail.sso.uwclogouturl local.webmail.sso.uwccontexturi local.webmail.sso.uwchome service.http.allowadminproxy )
4) Configured Web Policy Agent for Sun Web Server, so that users without an AM session are required to get one. Set up per [http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent], except that com.sun.am.policy.agents.config.notenforced_list points to the many names our server can go known by.
5) Updated the logout URL in /opt/SUNWuwc/webmail/main.js:
--- main.js.orig        Sat Jan 26 07:52:09 2008
+++ main.js     Mon Jul 21 01:06:29 2008
@@ -667,7 +667,8 @@
function cleanup() {
   if(laurel)
-      top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+//      top.window.location = getUWCHost() + "/base/UWCMain?op=logout"
+      top.window.location = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
   else
       exec('logout', '', 'exit()')
@@ -1707,7 +1708,8 @@
   if(lg) {
         url = document.location.href
         url = url.substr(0,url.indexOf('webmail'))
-        uwcurl = url + 'base/UWCMain?op=logout'
+//      uwcurl = url + 'base/UWCMain?op=logout'
+        uwcurl = "http://sunmail.domain.ru:80/base/UWCMain?op=logout"
   exit()
}6) Calendar SSO - per docs...
According to ngrep sniffing,
1) the browser goes to "http://sunmail.domain.ru/uwc/auth" without any cookies
2) receives a redirect and goes to "http://psam.domain.ru/amserver/UI/Login?gotoOnFail=http://sunmail.domain.ru:80/uwc&goto=http%3A%2F%2Fsunmail.domain.ru%3A80%2Fuwc%2Fauth"; sends no cookies either.
3) The first response from the "psam" server (as redirected from "cos-psam-01") sets a few cookies while rendering the login page:
Set-cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; Path=/
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: amlbcookie=02; Domain=.domain.ru; Path=/
4) The browser requests the login page resources (javascripts, images, etc) using these cookies, as in this header line:
Cookie: JSESSIONID=7EF8F2810D2071CA03CFEAE9972735B2; AMAuthCookie=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; amlbcookie=02
5) The browser POSTs the login request to "/amserver/UI/Login" and receives a redirection to http://sunmail.domain.ru:80/uwc/auth
Set-cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#; Domain=.domain.ru; Path=/
Set-cookie: AMAuthCookie=LOGOUT; Domain=.domain.ru; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
6) The browser requests "http://sunmail.domain.ru/uwc/auth" using the newly set cookie (looks like the old one to me though):
Cookie: amlbcookie=02; iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#
7) The "sunmail" web-server checks the AM session validity with the same "psam.domain.ru". It sends a series of POSTs to /amserver/namingservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="com.iplanet.am.naming" reqid="685">
<Request><![CDATA[
<NamingRequest vers="1.0" reqid="324" sessid="AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#">
<GetNamingProfile>
</GetNamingProfile>
</NamingRequest>]]>
</Request>
</RequestSet>(receives a large XML list of different Access Manager configuration parameters and URLs)
...then a double-request to /amserver/sessionservice:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="Session" reqid="686">
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="678">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]>
</Request>
<Request><![CDATA[
<SessionRequest vers="1.0" reqid="679">
<AddSessionListener>
<URL>http://sunmail.domain.ru:80/UpdateAgentCacheServlet?shortcircuit=false</URL>
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1+xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</AddSessionListener>
</SessionRequest>]]>
</Request>
</RequestSet>As a result it receives an XML with a lot of user-specific information (the username, LDAP DN, preferred locale, auth module used, etc.)
!!!*** Now, the problem part ***!!!
8) And then "sunmail" POSTs a broken cookie to "psam" (note the space in mid-text, where the "plus" sign was previously). As we know, "+" is often used in URLs to "escape" the space character. Perhaps some URL cleanup routine backfired here.
I have double-checked, it is not the reverse proxy on "psam" breaking things. It is "sunmail" (UWC/CE or Policy Agent, don't know for certain) supplying the broken request. I looked over the large XML responses to the two previous requests, whenever they mention the session cookie value, the "plus" is there.
For the most detail I can provide, I'll even paste the whole HTTP packet:
POST /amserver/sessionservice HTTP/1.1
Proxy-agent: Sun-Java-System-Web-Server/7.0
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#;amlbcookie=null
Content-type: text/xml;charset=UTF-8
Content-length: 336
Cache-control: no-cache
Pragma: no-cache
User-agent: Java/1.5.0_09
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Host: cos-psam-01.domain.ru
Client-ip: 194.xxx.xxx.xxx
Via: 1.1 https-weblb.domain.ru
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="258">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="254">
<GetSession reset="true">
<SessionID>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</SessionID>
</GetSession>
</SessionRequest>]]></Request>
</RequestSet> The server's error response is apparent:
HTTP/1.1 200 OK
Server: Sun-Java-System-Web-Server/7.0
Date: Thu, 31 Jul 2008 05:49:50 GMT
Content-type: text/html
Transfer-encoding: chunked
19b
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="258">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="254">
<GetSession>
<Exception>AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=# Invalid session ID
AQIC5wM2LY4SfcwuT2ASCrsfO78nXdceEHXeH1 xTqH7C3I=@AAJTSQACMDI=#</Exception>
</GetSession>
</SessionResponse>]]></Response>
</ResponseSet>On the few occasions when the AM cookie contains no "plus" characters, the SSO works like a charm (also checked by a sniffer). Whenever there is a "plus", it breaks.
For reference, here's a working final request-response (one with a good cookie, as received by the load-balancer web-server). Request looks a bit different:
POST /amserver/sessionservice HTTP/1.1
Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#;amlbcookie=null
Content-Type: text/xml;charset=UTF-8
Content-Length: 379
Cache-Control: no-cache
Pragma: no-cache
User-Agent: Java/1.5.0_09
Host: psam.domain.ru
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RequestSet vers="1.0" svcid="session" reqid="281">
<Request><![CDATA[<SessionRequest vers="1.0" reqid="277">
<SetProperty>
<SessionID>AQIC5wM2LY4Sfcy/5sEzVmuq9z1ggdHOkBDgVFAwfhqvn4U=@AAJTSQACMDI=#</SessionID>
<Property name="uwcstatus" value="active"></Property>
</SetProperty>
</SessionRequest>]]></Request>
</RequestSet> ...and the response is OK:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ResponseSet vers="1.0" svcid="session" reqid="281">
<Response><![CDATA[<SessionResponse vers="1.0" reqid="277">
<SetProperty>
<OK></OK>
</SetProperty>
</SessionResponse>]]></Response>
</ResponseSet>

There have been a few reports of the same behaviour with other customers - specifically with the handling of the encoding of "+" characters to " ". It relates to how cookie encoding/decoding is performed (as you have already observed).
The solution for these customers was the following:
=> AM server/client side:
Ensure that com.iplanet.am.cookie.encode=false in AMConfig.properties and AMAgent.properties on all systems.
=> AM client (UWC) side:
- Set <property name="encodeCookies" value="false"/> in /var/opt/SUNWuwc/WEB-INF/sun-web.xml. This will prevent UWC from trying to urldecode the cookie it receives and therefore stops it turning the + into a space e.g.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sun-web-app PUBLIC '-//Sun Microsystems, Inc.//DTD Sun ONE Application Server 7.0 Servlet 2.3//EN' 'file:///net/wajra.india.sun.com/export/share/dtd/sun-web-app_2_3-1.dtd'>
<sun-web-app>
   <property name="encodeCookies" value="false"/>
   <session-config>
      <session-manager/>
   </session-config>
   <jsp-config/>
<property name="allowLinking" value="true" />
</sun-web-app>Regards,
Shane.

Oracle Access Manager, ADAM & UCM integration? Help please..

I`m currently investigating the potential of using Oracle Access Manager (OAM) as a tool that allows connections to multiple Active Directory(AD) or ADAM servers providing a single point to author and manage users with a good easy to use GUI.
The UCM will connect directly to OAM and authenticate users connecting from AD accounts..
At the moment we use Quest software to manage users, but the cost for setting up users is £15/user where as OAM is only £3. I believe..
Right the questions I have :)
1. Has any one set this type of environment up?
2. ls OAM stand alone or will I need additional software to set it up?
Reading the installation guide it says I need the following:
# Oracle Internet Directory 10g (10.1.4.0.1)
# Microsoft Active Directory
# Oracle Virtual Directory Server 10.1.4.0.1
# Oracle Virtual Directory Manager 10.1.4.0.1
# Oracle Virtual Directory Patch 10.1.4.0.1 (P5667977)
# Stand-alone Oracle HTTP Server 2.x (This needs to be preinstalled in your environment. You can download the OHS 2.x standalone from the Oracle SOA Suite 10g Companion (10.1.3.1.0) release from here.)
3. Can I use IIS instead of Oracle HTTP Server?
4. Can I install OAM on 1 server or do I need multiple servers, I`v been looking at the diagrams and reading through the guides I`m getting a little confused with Identity and Access server?

Hi,
Have you got information reg UCM & OAM integration?
Could you please help me with the integration guide?
Regards,
Ashish

Oracle Access Manager, ADAM & Oracle ECM - UCM integration?

I`m currently investigating the potential of using Oracle Access Manager (OAM) as a tool that allows connections to multiple Active Directory(AD) or ADAM servers providing a single point to author and manage users with a good easy to use GUI.
The UCM will connect directly to OAM and authenticate users connecting from AD accounts..
At the moment we use Quest software to manage users, but the cost for setting up users is £15/user where as OAM is only £3. I believe..
Right the questions I have :)
1. Has any one set this type of environment up?
2. ls OAM stand alone or will I need additional software to set it up?
Reading the installation guide it says I need the following:
# Oracle Internet Directory 10g (10.1.4.0.1)
# Microsoft Active Directory
# Oracle Virtual Directory Server 10.1.4.0.1
# Oracle Virtual Directory Manager 10.1.4.0.1
# Oracle Virtual Directory Patch 10.1.4.0.1 (P5667977)
# Stand-alone Oracle HTTP Server 2.x (This needs to be preinstalled in your environment. You can download the OHS 2.x standalone from the Oracle SOA Suite 10g Companion (10.1.3.1.0) release from here.)
3. Can I use IIS instead of Oracle HTTP Server?
4. Can I install OAM on 1 server or do I need multiple servers, I`v been looking at the diagrams and reading through the guides I`m getting a little confused with Identity and Access server?

The OAM identity system (identity server and WebPass) sound like a good fit for what you want to do. One constraint is that if you want to create/manage users in different directory instances via a single OAM identity system installation, you would also need OVD.
And yes you definitely can have IIS host the WebPass - OHS, OID etc are not required.
-Vinod

Access Manager 7.1 Session Failover

Hello,
I am trying to do a session failover with access Manager 7.1.
My Infrastructure:
OS: Solaris 10
2 Solaris Servers dedicated to 4 LDAP instances (2 each)
2 Solaris Servers dedicated to 2 LDAP Proxy servers configured to access 4 LDAP instances.
2 Solaris Servers dedicated to 2 Sun Application Server 8.2 running 2 instances of Access Manager sharing the 4 LDAP instances through Proxy.
2 Solaris Servers dedicated to 2 instances of JMS servers (1 on each) with Access Manager Session DB configured. JMS is running on cluster mode.
1 Solaris server for Webserver 7.0 configured for Load Balancing (loadbalancer.xml).
Configuration:
2 instances of Access Manager on separate solaris boxes use the same LDAP instance(s).
Access Manager is configured for session failover using amsfoconfig as documented.
The Session failover instances where started as documented
1.     Start session DB using amsfo script
2.     Start the Access Manager instances (by Starting DAS)
3.     Start Webserver
My Problem:
Session Failover does not work. The Amsession log throws
ERROR: JMQSessionRepository.save(): failed to save Session
java.lang.NullPointerException
at com.iplanet.dpro.session.jmqdb.PersistSession.setString(PersistSession.java:310)
at com.iplanet.dpro.session.jmqdb.JMQSessionRepository.save(JMQSessionRepository.java:357)
at com.iplanet.dpro.session.service.SessionService.saveForFailover(SessionService.java:2812)
AmSessionMonitor file continuously throws below error and fills up the disk (20 GB ) space quickly:
04/24/2007 04:28:13:450 PM EDT: Thread[amSessionMonitor,5,main]
WARNING: SessionMonitor runtime exception
java.lang.NullPointerException
at com.iplanet.dpro.session.service.SessionService.locateCurrentHostServer(SessionService.java:1762)
at com.iplanet.dpro.session.service.SessionService.getCurrentHostServer(SessionService.java:1731)
at com.iplanet.dpro.session.service.SessionMonitor.run(SessionMonitor.java:94)
JMS queue Log:
Sun Java(tm) System Message Queue 3.7
Sun Microsystems, Inc.
Version: 3.7 UR1 (Build 9-b)
Compile: Sun Jun 18 22:11:21 PDT 2006
Copyright (c) 2006 Sun Microsystems, Inc. All rights reserved.
SUN PROPRIETARY/CONFIDENTIAL. Use is subject to license terms.
This product includes code licensed from RSA Data Security.
================================================================================
Java Runtime: 1.5.0_09 Sun Microsystems Inc. /usr/jdk/instances/jdk1.5.0/jre
[18/Apr/2007:09:14:28 EDT] License: Sun Java(tm) System Message Queue 3.7 UR1 Enterprise Edition
[18/Apr/2007:09:14:29 EDT] IMQ_HOME=/
"log.txt" 725 lines, 61600 characters
Magic/Version: 469754818/301 Size: 116 Type: ACKNOWLEDGE(24)
Expiration: 0 Timestamp: 1177446120954
Source IP: 172.31.120.44(c0:ca:66:ec:a9:d5) Port: 60437 Sequence: 32
Property Offset: 76 Property Size: 0
Encryption: 0 Priority: 5
Flags: consumerID: 0
TransactionID: 0
MessageID: 32-172.31.120.44(c0:ca:66:ec:a9:d5)-60437-1177446120954
Properties: null
Message Body: 40 bytes [3052053123717449216:16-172.31.120.44(b1:6a:3:39:7d:6)-60434-1177446116385]
Internal Buffers (useDirect=false):
Fixed Header Buffer:java.nio.HeapByteBuffer[pos=0 lim=72 cap=72]
com.sun.messaging.jmq.jmsserver.util.BrokerException: Internal Error: Unable to complete processing acks: Unknown consumer [consumer:30520
53123717449216, type=NONE]
at com.sun.messaging.jmq.jmsserver.data.handlers.AckHandler.handleAcks(AckHandler.java:256)
at com.sun.messaging.jmq.jmsserver.data.handlers.AckHandler.handle(AckHandler.java:166)
at com.sun.messaging.jmq.jmsserver.data.PacketRouter.handleMessage(PacketRouter.java:146)
at com.sun.messaging.jmq.jmsserver.service.imq.IMQConnection.readData(IMQConnection.java:1856)
at com.sun.messaging.jmq.jmsserver.service.imq.IMQConnection.process(IMQConnection.java:816)
at com.sun.messaging.jmq.jmsserver.service.imq.OperationRunnable.process(OperationRunnable.java:141)
at com.sun.messaging.jmq.jmsserver.util.pool.BasicRunnable.run(BasicRunnable.java:459)
at java.lang.Thread.run(Thread.java:595)
[24/Apr/2007:16:22:05 EDT] [B1071]: Established cluster connection : testuidp02.dol.state.nj.us/172.31.120.45:7676 (aminstance)
[24/Apr/2007:16:23:00 EDT] [B1066]: Closing: [email protected]:57590->jms:60425 because "[B0061]: Client exited without closing con
nections". Count=1
[24/Apr/2007:16:24:37 EDT] [B1065]: Accepting: [email protected]:42435->jms:60425. Count=2
[24/Apr/2007:16:26:15 EDT] [B1066]: Closing: [email protected]:42435->jms:60425 because "[B0061]: Client exited without closing con
nections". Count=1
Access Manager via load balancer web server works fine with out session failover configuration.
I noticed through forums that Accessmanager 2005Q4 had similar problem and was fixed with a patch.
Will somebody please help who has done session failover with AM7.1?
Thanks
Kris

Yep, that was me struggling with 2005Q4 before they released a patch (120954-03 if I am not mistaken).
1. Have you configured your AM installation as a site?
2. Have you added a secondary configuration in the session tab?
A restart will be required after that. Try setting log levels to debug. When AM webserver comes up and brings the application live, you'll see information regarding the secondary configuration, and whether things are actually in place or not.
Hope this helps.
Ankush
http://www.iamcg.net

Problem with Oracle Adaptive Access Manager 10g

Hello, I'm trying to install the OAAM following the Installation and Configuration Guide (http://download.oracle.com/docs/cd/E12057_01/doc.1014/e12050/toc.htm).
In The Package Contents section speaks of a zip file named oaam_bin.zip but never says where could I download it. Anybody know where do I get it?
I have already downloaded the Oracle Adaptive Access Manager 10g (10.1.4.2.0) CD1 named V11415-01.zip from http://www.oracle.com/technology/software/products/ias/htdocs/101401.html but it is not the zip file that the documentation talks about.
I'm looking for in many sites but i have no luck.
Thanks a lot!
Guido.

The documentation you are referring to is for 10.1.4.5.0 and not 10.1.4.2.0. After installing version 10.1.4.2.0, install patch 10.1.4.3.0. You will see oaam_bin.zip and the necessary files in it. The patch number is 6987695.
You might be interested in patch 10.1.4.3.1 (#7324863) also. Check the readme file for details.
-shetty2k

What is the latest version of Access Manager

Good day,
where can I download the latest version of Access Manager, also know if there are any patch for the latest version,
Very grateful

The location you are referring to has 10g (10.1.4.0.1) version. The location I'm referring to has the latest version (10.1.4.3.0)
Remember to reach the latest version, you can install the latest version which is (10.1.4.3.0) and if you have an existing setup, you can apply a patch which will update the existing setup to the latest version.

Can not configure Access Manager

Hi all,
1. I istalled Sun java messaging server 6.
2. I edit amsamplesilent to prepare amsamplesilent.my:
# cd /opt/SUNWam/bin
#mv amsamplesilent amsamplesilent.my
3. I configure Access Manager:
#./amconfig -s amsamplesilent.my but get the following error:
# ./amconfig amsamplesilent.my
Usage: amconfig -s <silentinputfile>
./amconfig: Sourcing ./amutils
ln: cannot create /opt/SUNWam/lib/jaxrpc-spi.jar: File exists
chown: jaxrpc-spi.jar: No such file or directory
full install
./amdsconfig: Sourcing ./amutils
LD_LIBRARY_PATH is --- /usr/lib/mps/secv1:/usr/lib/mps/secv1:/usr/lib/mps/secv1:/opt/SUNWam/lib:/opt/SUNWam/ldaplib/ldapsdk
CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss3.jar:/opt/SUNWam/lib/am_sdk.jar
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 4
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 5
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 6
ERROR : Loading of Access Manager schema into the Directory failed
Starting the tag swapping of the install.ldif and installExisting.ldif
ROOT_SUFFIX is dc=iplanet,dc=com
People_NM_ROOT_SUFFIX is People_dc=iplanet_dc=com
SERVER_HOST sample.red.iplanet.com
DIRECTORY_SERVER sample.red.iplanet.com
DIRECTORY_PORT 389
USER_NAMING_ATTR uid
ORG_NAMING_ATTR o
CONSOLE_DEPLOY_URI /amconsole
ORG_OBJECT_CLASS sunismanagedorganization
RS_RDN iplanet
USER_OBJECT_CLASS inetorgperson
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
ERROR : Configuring/Loading of the default DIT in the Directory Server failed
ldap_simple_bind: Can't connect to the LDAP server - No route to host
ldap_simple_bind: Can't connect to the LDAP server - No route to host
sleep 3
Warning : Plugins and Indexes already exist.
./amsvcconfig: Sourcing ./amutils
LD_LIBRARY_PATH is --- /usr/lib/mps/secv1:/usr/lib/mps/secv1:/usr/lib/mps/secv1:/opt/SUNWam/lib:/opt/SUNWam/ldaplib/ldapsdk
CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss3.jar:/opt/SUNWam/lib/am_sdk.jar
ldap_simple_bind: Can't connect to the LDAP server - No route to host
Loading service schema XML files ...
Info 112: Entering ldapAuthenticate method!
Error 15: Cannot authenticate user.
LDAP authentication failed.
Error 9: Operation failed: Error 15: Cannot authenticate user.
Error occured while loading: /etc/opt/SUNWam/config/ums/ums.xml
./amws61config: Sourcing ./amutils
/opt/SUNWam/console.war: No such file or directory
current web app is applications
copying files from sunwamconsdk
Swapping tag swap in index.html files ...
Making amconsole.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/applications (/opt/SUNWam/amconsole.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/applications for /amconsole
wdeploy deploy -u /amconsole -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/applications /opt/SUNWam/amconsole.war
[wdeploy] The war file name is /opt/SUNWam/amconsole.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amconsole
/opt/SUNWam/services.war: No such file or directory
current web app is services
Swapping tag swap in index.html files ...
Making amserver.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/services (/opt/SUNWam/amserver.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/services for /amserver
wdeploy deploy -u /amserver -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/services /opt/SUNWam/amserver.war
[wdeploy] The war file name is /opt/SUNWam/amserver.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amserver
/opt/SUNWam/password.war: No such file or directory
current web app is password
Swapping tag swap in index.html files ...
Making ampassword.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/password (/opt/SUNWam/ampassword.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/password for /ampassword
wdeploy deploy -u /ampassword -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/password /opt/SUNWam/ampassword.war
[wdeploy] The war file name is /opt/SUNWam/ampassword.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /ampassword
/opt/SUNWam/introduction.war: No such file or directory
current web app is common
Swapping tag swap in index.html files ...
Making amcommon.war
Successfully done making warfile ...
Deploying from /opt/SUNWam/web-src/common (/opt/SUNWam/amcommon.war) to /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/common for /amcommon
wdeploy deploy -u /amcommon -i https-sample.red.iplanet.com -v https-sample.red.iplanet.com -d /opt/SUNWwbsvr/https-sample.red.iplanet.com/is-web-apps/common /opt/SUNWam/amcommon.war
[wdeploy] The war file name is /opt/SUNWam/amcommon.war
[wdeploy] Fatal error in parsing XML file ..Premature end of file.
[wdeploy] (-1, -1) in file null
[wdeploy] Error encountered while parsing /opt/SUNWwbsvr/https-sample.red.iplanet.com/config/server.xml
Failed deploying /amcommon
Checking if Web Server is already configed with Access Manager
Configuring Web Server
Mime type: 'type=text/vnd.wap.wml' already exists: Skipping ....
Mime type: 'type=image/vnd.wap.wbmp' already exists: Skipping ....
I tried again but I still get this error.
Any Ideas for this problem?
Thanks.

ldap_simple_bind: Can't connect to the LDAP server - No route to host
i would consider this a fatal error.
The system cannot locate where your Directory Server is. "no route to host" means that it's trying to get to the host, but your networking isn't set up correctly, and it doesn't find any route to get to the specified host.

Too Slow - Domino 6.5.4 with access manager agent 2.2 ?

I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
I think AMAgent.properties is not good for SSO.
Please help me to tune it.
# $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
# Copyright ? 2002 Sun Microsystems, Inc. All rights reserved.
# U.S. Government Rights - Commercial software. Government users are
# subject to the Sun Microsystems, Inc. standard license agreement and
# applicable provisions of the FAR and its supplements. Use is subject to
# license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
# trademarks or registered trademarks of Sun Microsystems, Inc. in the
# U.S. and other countries.
# Copyright ? 2002 Sun Microsystems, Inc. Tous droits r閟erv閟.
# Droits du gouvernement am閞icain, utlisateurs gouvernmentaux - logiciel
# commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
# licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
# vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl閙ents
# ? celles-ci.
# Distribu? par des licences qui en restreignent l'utilisation. Sun, Sun
# Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
# marques d閜os閑s de Sun Microsystems, Inc. aux Etats-Unis et dans
# d'autres pays.
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Access Manager
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Access Manager will disable the SDK.
com.sun.am.cookie.name = iPlanetDirectoryPro
# The URL for the Access Manager Naming service.
com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
# The URL of the login page on the Access Manager.
com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
# Name of the file to use for logging messages.
com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
com.sun.am.policy.agents.config.local.log.rotate = true
# Name of the Access Manager log file to use for logging messages to
# Access Manager.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Access Manager.
com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
# Set the logging level for the specified logging categories.
# The format of the values is
#     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
#     0     Disable logging from specified module*
#     1     Log error messages
#     2     Log warning and error messages
#     3     Log info, warning, and error messages
#     4     Log debug, info, warning, and error messages
#     5     Like level 4, but with even more debugging messages
# 128     log url access to log file on AM server.
# 256     log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.log.level =
# The org, username and password for Agent to login to AM.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certdb.prefix =
# Should agent trust all server certificates when Access Manager
# is running SSL?
# Possible values are true or false.
com.sun.am.trust_server_certs = true
# Should the policy SDK use the Access Manager notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notification.enable = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.url_comparison.case_ignore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.polling.interval=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the access manager. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userid.param=UserToken
# Profile attributes fetch mode
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-
number,c|country
# Session attributes mode
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.session.attribute.map=
# Response Attribute Fetch Mode
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.response.attribute.map=
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.lb.cookie.name = GX_jst
# indicate where a load balancer is used for Access Manager
# services.
# true | false
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.config.version=2.2
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
# Locale setting.
com.sun.am.policy.agents.config.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.config.instance.name = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.config.do_sso_only = true
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.config.accessdenied.url =
# This property indicates if FQDN checking is enabled or not.
com.sun.am.policy.agents.config.fqdn.check.enable = true
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
# com.sun.am.policy.agents.config.fqdn.map
com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Access Manager policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.config.fqdn.map =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Access Manager for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
com.sun.am.policy.agents.config.cookie.reset.enable=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Access Manager.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.config.cookie.reset.list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
com.sun.am.policy.agents.config.cookie.domain.list=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.config.anonymous_user=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.config.anonymous_user.enable=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?
OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.config.notenforced_list.invert = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.config.notenforced_client_ip_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.config.postdata.preserve.enable = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url =
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.config.client_ip_validation.enable = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.config.logout.url=
#http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.config.logout.cookie.reset.list =
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Access Manager.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetch_from_root_resource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.config.get_client_host_name = false
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.config.convert_mbyte.enable = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.policy.agents.config.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port =
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
com.sun.am.policy.agents.config.override_notification.url =
# The following property defines how long to wait in attempting
# to connect to an Access Manager AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active Access Manager Auth server"
com.sun.am.policy.agents.config.connection_timeout =
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# The three following properties are for IIS6 agent only.
# The two first properties allow to set a username and password that will be
# used by the authentication filter to pass the Windows challenge when the Basic
# Authentication option is selected in Microsoft IIS 6.0. The authentication
# filter is named amiis6auth.dll and is located in
# Agent_installation_directory/iis6/bin. It must be installed manually on
# the web site ("ISAPI Filters" tab in the properties of the web site).
# It must also be uninstalled manually when unintalling the agent.
# The last property defines the full path for the authentication filter log file.
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilter

Hi,
I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
I have the box to identify but it doesnot connect me on my opensso server.
It still identify with Domino's server
Thanks for your response
Thomas

Am not able to get the Access manager 7- login page

I have installed Access Manager and configured it was worked. but i did the Policy agent cofiguration for Access Manager after that i couldn't login to Access manager ie /amserver while on trying http://localhost:8080/amserver/UI/Login
am getting the following error
exception
javax.servlet.ServletException
     org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:300)
     org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
     java.security.AccessController.doPrivileged(Native Method)
     com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
root cause
java.lang.NoClassDefFoundError
     com.sun.identity.authentication.server.AuthContextLocal.(AuthContextLocal.java:140)
     com.sun.identity.authentication.service.LoginState.createAuthContext(LoginState.java:1121)
     com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:310)
     com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:250)
     com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:325)
     com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
     com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
     com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
     javax.servlet.http.HttpServlet.service(HttpServlet.java:747)
     javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
     sun.reflect.GeneratedMethodAccessor115.invoke(Unknown Source)
     sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
     java.lang.reflect.Method.invoke(Method.java:585)
     org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
     java.security.AccessController.doPrivileged(Native Method)
     javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
     org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
     org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
     java.security.AccessController.doPrivileged(Native Method)
     com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
please any do some need full to solve this problem
regards
vimalraj.s

Guys,
This is a common problem that I have noticed when policy agent is installed on the same DAS (Domain Admin Server of Sun java Application Server) instance where access manager is installed.
Best solution is to deploy your application on a different DAS and configure / install policy agent for the new DAS.
If web server is used for Access Manager, Deploy your application on a different instance.
Alternatively, follow these instructions.
Assume that you have policy agent binary installed on /opt/SUNWam/policyagent/ j2ee_agents/am_as81_agent.
When policy agent is configured, it creates a new configuration folder named agent_001.
1.     Login to DAS and remove the class path changes done by the policy agent installer.
These are the class path to remove:
/opt/SUNWam/ policyagent /j2ee_agents/am_as81_agent/lib/agent.jar
/opt/SUNWam/ policyagent /j2ee_agents/am_as81_agent/lib/amclientsdk.jar
/opt/SUNWam/ policyagent /j2ee_agents/am_as81_agent/locale
/opt/SUNWam/ policyagent /j2ee_agents/am_as81_agent/agent_001/config
2.     Add these to the class path to the end of the class path suffix. NOT AT THE START
/opt/SUNWam/ policyagent /j2ee_agents/am_as81_agent/lib/agent.jar
/opt/SUNWam/ policyagent /j2ee_agents/am_as81_agent/lib/locale
3.     Insert amclientsdk.jar to the classpath. Insert this before agent.jar but after am_*.jar files (am_sdk.jar,am_services.jar,am_sso_provider.jar,am_logging.jar )
4.     open amConfig.properties . Add this line to the bottom of the file.
com.sun.identity.agents.config.location=/opt/SUNWam/ policyagent /j2ee_agents/am_as81_agent/agent_001/config/AMAgent.properties
Above line points to the policy agent configuration file.
5.     last but not the least:
a.     Make sure that an agent is created in Access manager with the same name and password as the one that you gave when installing policy agent.
b.     Set property com.sun.identity.agents.config.filter.mode = SSO_ONLY in AMAgent.properties. This will help initial testing of the configuration.
c.     Above configuration is for Unix. But shouldwork for other OS as well.
Best of Luck
KK

Where is Access Manager patch 4?

Similar Messages

Maybe you are looking for