Where is Role store in Access Manager ?

Hello,
How i get Role of User from Access Manager .
In Access Manager if i create Role = "Sale Role" and assign User to this Role.
Whare is "Sale Role" store in LDAP tree ?

Try the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP) ( http://docs.sun.com/doc/806-4077 ). As mentioned in that doc, you'll need to set up Directory Server before you can use it.
Hope that helps,
Mark

Similar Messages

Integrate IdM roles with Sun Access Manager roles

Hi all,
I am currently working on a solution involving Sun Identity Manager 7.1 and Sun Access Manager 7.1 as well. We use AM for overall authentication and SSO across the application, and IdM for user provisioning.
I need to create roles in Identity Manager, and I would like that when I assign a role to a user in Identity Manager, he gets the same role in my Access Manager repository (Sun LDAP). Identity Manager does provide a way to set attribute values in resources when a role is set. Access Manager on the other hand has both dynamic roles, based on an LDAP search, and static roles.
What are the important differences between static and dynamic roles in AM?
Does anybody know a good way to propagate roles from Identity Manager to Access Manager?
Thanks.

I found answers to my question. I succeeded in setting the Access Manager role from Identity Manager using the nsRoleDN attribute. Here are some references to begin with:
About directory server roles:
http://docs.sun.com/app/docs/doc/820-2493/fvbrn?a=view
Forum thread reference:
http://forums.sun.com/thread.jspa?threadID=5208694
Here are roughly the steps I followed to get this working.
Access Manager roles setup:
1. In Access Manager, create a new static role named test_role under the identities realm (in Subjects > Role).
Identity Manager roles setup:
1. Create a new role in Identity Manager: tab Roles, click New....
2. Assign the LDAP resource to synchronize the role with.
3. On the Assigned Resources line, click the Set Attributes Values button. This shows up the attributes listing allowing you to bind your IdM role to your LDAP repository.
4. Set the attribute nsRoleDN to the LDAP DN of the role that was created in AM (nsRoleDN must be added in the resource attributes mapping before).
* In the column Value override, select Text.
* In the column How to set, select Authoritative merge with value, clear existing. (* See IDM Admin guide about this setting, I am still not sure how it reacts with multi-value attributes)
* In the text box, enter the role DN text (ex: cn=test_role,dc=com).
5. Save the role. You can now add the role to a user.

Weblogic9.2 Opensso Access Manager 7.5

Hi,
I configured the Access Manager in weblogic9.2. I downloaded the Agent from Sun for weblogic 9.2. Then I deployed the sampleApplication that comes with the agent and configured users, role etc according to the Readme.txt.
I am always getting Invalid Session ID exception. I read java.net docs and sun's forums and tried to configure accordingly, but with no luck.
I am using the default Flat File store that Access Manager has.
I have been trying to see if there is any docs that show step by step process of how to attach User to role, URL Policy to Role/ groups/ varous authentication mechanisms.
Please let me know if the OpenSSO is tested on Weblogic 9.2 and whether anything special I might have to do to make it work.
Thank you

302 is a redirect. Probably citrix is trying to access a URL on itself and is getting the redirect instead of the content it expects. Analyze the PA and web server logs and see what requests it is making. Add those URL's to the PA's not enforced list

Oracle Access Manager 11gR2 Web application: "oam" failed to preload

Any pointers for troubleshooting this error?
Managed Server starts up but fails to start-up "oam" deployment.
weblogic.application.ModuleException: [HTTP:101216]Servlet: "AMInitServlet" failed to preload on startup in Web application: "oam".
java.lang.ExceptionInInitializerError
        at oracle.security.am.pbl.transport.http.AMInitServlet.initializeAmServer(AMInitServlet.java:113)
        at oracle.security.am.pbl.transport.http.AMInitServlet.init(AMInitServlet.java:79)
        at weblogic.servlet.internal.StubSecurityHelper$ServletInitAction.run(StubSecurityHelper.java:283)
        at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
        at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
        at weblogic.servlet.internal.StubSecurityHelper.createServlet(StubSecurityHelper.java:64)
        at weblogic.servlet.internal.StubLifecycleHelper.createOneInstance(StubLifecycleHelper.java:58)
        at weblogic.servlet.internal.StubLifecycleHelper.<init>(StubLifecycleHelper.java:48)
        at weblogic.servlet.internal.ServletStubImpl.prepareServlet(ServletStubImpl.java:539)
        at weblogic.servlet.internal.WebAppServletContext.preloadServlet(WebAppServletContext.java:1981)
        at weblogic.servlet.internal.WebAppServletContext.loadServletsOnStartup(WebAppServletContext.java:1955)
        at weblogic.servlet.internal.WebAppServletContext.preloadResources(WebAppServletContext.java:1874)
        at weblogic.servlet.internal.WebAppServletContext.start(WebAppServletContext.java:3154)
        at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1518)
        at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:484)
        at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
        at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
        at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
        at weblogic.application.internal.flow.ScopedModuleDriver.start(ScopedModuleDriver.java:200)
        at weblogic.application.internal.flow.ModuleListenerInvoker.start(ModuleListenerInvoker.java:247)
        at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
        at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
        at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
        at weblogic.application.internal.flow.StartModulesFlow.activate(StartModulesFlow.java:27)
        at weblogic.application.internal.BaseDeployment$2.next(BaseDeployment.java:671)
        at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
        at weblogic.application.internal.BaseDeployment.activate(BaseDeployment.java:212)
        at weblogic.application.internal.EarDeployment.activate(EarDeployment.java:59)
        at weblogic.application.internal.DeploymentStateChecker.activate(DeploymentStateChecker.java:161)
        at weblogic.deploy.internal.targetserver.AppContainerInvoker.activate(AppContainerInvoker.java:79)
        at weblogic.deploy.internal.targetserver.operations.AbstractOperation.activate(AbstractOperation.java:569)
        at weblogic.deploy.internal.targetserver.operations.ActivateOperation.activateDeployment(ActivateOperation.java:150)
        at weblogic.deploy.internal.targetserver.operations.ActivateOperation.doCommit(ActivateOperation.java:116)
        at weblogic.deploy.internal.targetserver.operations.StartOperation.doCommit(StartOperation.java:149)
        at weblogic.deploy.internal.targetserver.operations.AbstractOperation.commit(AbstractOperation.java:323)
        at weblogic.deploy.internal.targetserver.DeploymentManager.handleDeploymentCommit(DeploymentManager.java:844)
        at weblogic.deploy.internal.targetserver.DeploymentManager.activateDeploymentList(DeploymentManager.java:1253)
        at weblogic.deploy.internal.targetserver.DeploymentManager.handleCommit(DeploymentManager.java:440)
        at weblogic.deploy.internal.targetserver.DeploymentServiceDispatcher.commit(DeploymentServiceDispatcher.java:163)
        at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.doCommitCallback(DeploymentReceiverCallbackDeliverer.java:195)
        at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer.access$100(DeploymentReceiverCallbackDeliverer.java:13)
        at weblogic.deploy.service.internal.targetserver.DeploymentReceiverCallbackDeliverer$2.run(DeploymentReceiverCallbackDeliverer.java:68)
        at weblogic.work.SelfTuningWorkManagerImpl$WorkAdapterImpl.run(SelfTuningWorkManagerImpl.java:545)
        at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
        at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
Caused by: java.lang.NullPointerException
        at oracle.security.am.pbl.diagnostic.DiagnosticUtil.<init>(DiagnosticUtil.java:80)
        at oracle.security.am.pbl.diagnostic.DiagnosticUtil.<clinit>(DiagnosticUtil.java:65)
        ... 45 more
        at weblogic.servlet.internal.WebAppModule.startContexts(WebAppModule.java:1520)
        at weblogic.servlet.internal.WebAppModule.start(WebAppModule.java:484)
        at weblogic.application.internal.flow.ModuleStateDriver$3.next(ModuleStateDriver.java:425)
        at weblogic.application.utils.StateMachineDriver.nextState(StateMachineDriver.java:52)
        at weblogic.application.internal.flow.ModuleStateDriver.start(ModuleStateDriver.java:119)
        Truncated. see log file for complete stacktrace
Caused By: java.lang.NullPointerException
        at oracle.security.am.pbl.diagnostic.DiagnosticUtil.<init>(DiagnosticUtil.java:80)
        at oracle.security.am.pbl.diagnostic.DiagnosticUtil.<clinit>(DiagnosticUtil.java:65)
        at oracle.security.am.pbl.transport.http.AMInitServlet.initializeAmServer(AMInitServlet.java:113)
        at oracle.security.am.pbl.transport.http.AMInitServlet.init(AMInitServlet.java:79)
        at weblogic.servlet.internal.StubSecurityHelper$ServletInitAction.run(StubSecurityHelper.java:283)

SOA is not required. WebGate is a separate installation, separate from where you install the Oracle Access Manager.
Oracle Access Manager is like the management station, WebGate would typically be installed on a host where a Web Server is running. So WebGate running on the WebServer host would be used to provide access control functions for web pages hosted on Web Server. You will have to do the configuration of WebGate separately after Access Manager has been installed. Please mark answer helpful/correct if helpful.

Oracle Access Manager 10.1.4.0.1 WebPass

Hi,
Where can I download Oracle Access Manager WebPass for Sparc machine. I downloaded the whole Access Manager package when I unpack it i found the following webpass file;
Oracle_Access_Manager10_1_4_0_1_sparc-s2_NSAPI_WebPass
During installtion of above file it requires a obj.conf file absolute path instead of httpd.conf. I think I need following file
Oracle_Access_Manager10_1_4_0_1_sparc-s2_OHS2_WebPass
Where can I find above installation file????
Note: I have downloaed the OHS server from following link as I couldn't found any link for 10g version of OHS and the example given on Oracle website is using OHS 2.x for identity manager and following met the requirements.
http://www.oracle.com/technology/software/products/middleware/htdocs/111110_fmw.html
Oracle instruction page to install Identity Manager --> http://www.oracle.com/technology/obe/fusion_middleware/im1014/ovd-oam/oam-ovd/install_oam/install_oam.htm
Please help.

Hi Sheeraz,
The OHS2 WebPass can be found in the file oam_int_solaris_v2_cd2.zip which can be downloaded here:
http://www.oracle.com/technology/software/products/ias/htdocs/101401.html
Click the CD3 link in the 3rd Party Integration row in the Solaris column.
Regards,
Colin

Does idm support maintenance of access manager's group/role/filtered role

The xml of Access Manager Realm Resource Adapter has object types group, role and filtered role with object feature list,create, update and delete. Does that mean with the adapter installed, we can make use the idm to maintain the access manager's group/role/filteredrole? Is there any customization/configuration needed in order to provision these features in idm?
Thanks,

1. The AM agent can return ldap attributes after authentication. What you can do is use Sun Directory Server Proxy to provide a virtual view of both LDAP and your DB to AM.
2. Sun Role Manager is a tool for role mining and attestation, ie it helps with compliancy verifications which is required by many businesses these days. Sun Identity Manager does not need Sun Role Manager if you just want to provision roles for your users, however, as it appears to be the case in your envirionment, the roles created by IDM are exported to SRM for compliance verifications.

Where is Access Manager patch 4?

The release notes for Access Manager patches now includes a description of patch 4 (http://docs.sun.com/app/docs/doc/819-2134/6n4eoarc7?a=view) but I cannot find the patch on the support site. Does anyone know where the patch can be found and downloaded?
Thanks

You can find the page at the following location
http://sunsolve.sun.com/search/advsearch.do?collection=PATCH&type=collections&max=50&language=en&queryKey5=120956&toDocument=yes
++rudy

Central Management Store being accessed is not the active store

We are experiencing issues with our Lync 2013 services after hardening our SQL backend. Even though we have created aliases to the backend database instances and FrontEnd servers is able to access the databases, we are having this error when performing tasks
like enable-csuser or new-clientpolicy from powershell or Lync control panel:
###50023:XdsPublishItems: The central management store being accessed is not the active store. No data can be read or any changes can be made to this store.
Any suggestions or ideas?

Here some guidance that must be followed for Lync Servers
http://blogs.technet.com/b/nexthop/archive/2011/04/12/using-lync-server-2010-with-a-custom-sql-server-network-configuration.aspx
http://technet.microsoft.com/en-us/library/gg195795(v=ocs.14).aspx
Have this been followed ?
Please remember, if you see a post that helped you please click ;Vote As Helpful" and if it answered your question please click "Mark As Answer" Regards Edwin Anthony Joseph

I have 5000 photos on my 16GB iphone, where can I store them where i can access them easily?

I have 5000 photos on my 16GB iphone, where can I store them where i can access them easily?

I completely agree Fox. Photostream should be used as a convenience for sharing, not for anything other than temporary storage. Same goes for the device itself.
At least once a week, I import my photos/videos from my iPhone to my computer, and at least once a month, I make a backup of my computer to an external hard drive. And at least once every few months, I burn 2 DVDs of the past few months worth of photos/videos, one for myself, and one that I put in my fire safe with other important hard copy documents. And there are off-site image storage options out there as well which are available, and I've used occassionally.
The only time I've ever lost photos was about one half-day's worth while I was on vacation when my camera went overboard. And this was on day 5 of my vacation. Each night, I swapped out memory cards and uploaded the current day's card to my laptop. For anyone going on a trip, I recommend at least three memory cards for your camera, or if you're only using an iPhone, backup to either iCloud or iTunes every day.
An ounce of prevention is worth a pound of cure.

Where to download •Oracle Access Manager WebGate 10.1.4.3

i am working on OAM/OID integration with EBS R12(Integrating Oracle E-Business Suite Release 12 with Oracle Access Manager 11gR1 (11.1.1.5) using Oracle E-Business Suite AccessGate [ID 1309013.1]), As per the document i am trying to download Oracle Access Manager WebGate 10.1.4.3 from this link
http://www.oracle.com/technetwork/middleware/ias/downloads/101401-099957.html
i am confused on downloading (Oracle Access Manager Core Components (10.1.4.3.0 or Oracle Access Manager WebGates for OHS 11g and Weblogic Identity Assertion Provider (10.1.4.3.0) or Policy Manager and WebPass on Third Party and non-OHS 11g Web Servers (10.1.4.3.0 )
which one i need to download.

Hi,
Oracle Access Manager 10.1.4.3.0 is a part of 11g R1 release So, you should be fine with OAM 10.1.4.3.0.
OAM 10G R3 consists of OAM 10.1.4.0.1 (and 10.1.4.2.0).
-- Pramod Aravind

Oracle Access Manager - Configuration Manager Success Stories

The Oracle Access Manager Configuration Manager [http://download-uk.oracle.com/docs/cd/B28196_01/idmanage.1014/b32392.pdf] has been around for about a year now. I'm looking for any feedback regarding this product:
Has anyone deployed it?
How successful was the deployment?
Is the tool doing what you expected it to do?
Thanks for any responses.
Mark

@pokurik: cn=orcladmin is the full DN. In OID there are two orcladmin users with different ACLs.
Which OAM version? Always provide the version you are using.
--olaf

Too Slow - Domino 6.5.4 with access manager agent 2.2 ?

I don't know how to tune Domino 6.5.4 with access manager agent 2.2?
I think AMAgent.properties is not good for SSO.
Please help me to tune it.
# $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
# Copyright ? 2002 Sun Microsystems, Inc. All rights reserved.
# U.S. Government Rights - Commercial software. Government users are
# subject to the Sun Microsystems, Inc. standard license agreement and
# applicable provisions of the FAR and its supplements. Use is subject to
# license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
# trademarks or registered trademarks of Sun Microsystems, Inc. in the
# U.S. and other countries.
# Copyright ? 2002 Sun Microsystems, Inc. Tous droits r閟erv閟.
# Droits du gouvernement am閞icain, utlisateurs gouvernmentaux - logiciel
# commercial. Les utilisateurs gouvernmentaux sont soumis au contrat de
# licence standard de Sun Microsystems, Inc., ainsi qu aux dispositions en
# vigueur de la FAR [ (Federal Acquisition Regulations) et des suppl閙ents
# ? celles-ci.
# Distribu? par des licences qui en restreignent l'utilisation. Sun, Sun
# Microsystems, le logo Sun et Sun ONE sont des marques de fabrique ou des
# marques d閜os閑s de Sun Microsystems, Inc. aux Etats-Unis et dans
# d'autres pays.
# The syntax of this file is that of a standard Java properties file,
# see the documentation for the java.util.Properties.load method for a
# complete description. (CAVEAT: The SDK in the parser does not currently
# support any backslash escapes except for wrapping long lines.)
# All property names in this file are case-sensitive.
# NOTE: The value of a property that is specified multiple times is not
# defined.
# WARNING: The contents of this file are classified as an UNSTABLE
# interface by Sun Microsystems, Inc. As such, they are subject to
# significant, incompatible changes in any future release of the
# software.
# The name of the cookie passed between the Access Manager
# and the SDK.
# WARNING: Changing this property without making the corresponding change
# to the Access Manager will disable the SDK.
com.sun.am.cookie.name = iPlanetDirectoryPro
# The URL for the Access Manager Naming service.
com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
# The URL of the login page on the Access Manager.
com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
# Name of the file to use for logging messages.
com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
# This property is used for Log Rotation. The value of the property specifies
# whether the agent deployed on the server supports the feature of not. If set
# to false all log messages are written to the same file.
com.sun.am.policy.agents.config.local.log.rotate = true
# Name of the Access Manager log file to use for logging messages to
# Access Manager.
# Just the name of the file is needed. The directory of the file
# is determined by settings configured on the Access Manager.
com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
# Set the logging level for the specified logging categories.
# The format of the values is
#     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
# The currently used module names are: AuthService, NamingService,
# PolicyService, SessionService, PolicyEngine, ServiceEngine,
# Notification, PolicyAgent, RemoteLog and all.
# The all module can be used to set the logging level for all currently
# none logging modules. This will also establish the default level for
# all subsequently created modules.
# The meaning of the 'Level' value is described below:
#     0     Disable logging from specified module*
#     1     Log error messages
#     2     Log warning and error messages
#     3     Log info, warning, and error messages
#     4     Log debug, info, warning, and error messages
#     5     Like level 4, but with even more debugging messages
# 128     log url access to log file on AM server.
# 256     log url access to log file on local machine.
# If level is omitted, then the logging module will be created with
# the default logging level, which is the logging level associated with
# the 'all' module.
# for level of 128 and 256, you must also specify a logAccessType.
# *Even if the level is set to zero, some messages may be produced for
# a module if they are logged with the special level value of 'always'.
com.sun.am.log.level =
# The org, username and password for Agent to login to AM.
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
# Name of the directory containing the certificate databases for SSL.
com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
# Set this property if the certificate databases in the directory specified
# by the previous property have a prefix.
com.sun.am.certdb.prefix =
# Should agent trust all server certificates when Access Manager
# is running SSL?
# Possible values are true or false.
com.sun.am.trust_server_certs = true
# Should the policy SDK use the Access Manager notification
# mechanism to maintain the consistency of its internal cache? If the value
# is false, then a polling mechanism is used to maintain cache consistency.
# Possible values are true or false.
com.sun.am.notification.enable = true
# URL to which notification messages should be sent if notification is
# enabled, see previous property.
com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
# This property determines whether URL string case sensitivity is
# obeyed during policy evaluation
com.sun.am.policy.am.url_comparison.case_ignore = true
# This property determines the amount of time (in minutes) an entry
# remains valid after it has been added to the cache. The default
# value for this property is 3 minutes.
com.sun.am.policy.am.polling.interval=3
# This property allows the user to configure the User Id parameter passed
# by the session information from the access manager. The value of User
# Id will be used by the agent to set the value of REMOTE_USER server
# variable. By default this parameter is set to "UserToken"
com.sun.am.policy.am.userid.param=UserToken
# Profile attributes fetch mode
# String attribute mode to specify if additional user profile attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user profile attributes will be introduced.
# HTTP_HEADER - additional user profile attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user profile attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
# The user profile attributes to be added to the HTTP header. The
# specification is of the format ldap_attribute_name|http_header_name[,...].
# ldap_attribute_name is the attribute in data store to be fetched and
# http_header_name is the name of the header to which the value needs
# to be assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-
number,c|country
# Session attributes mode
# String attribute mode to specify if additional user session attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user session attributes will be introduced.
# HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
# HTTP_COOKIE - additional user session attributes will be introduced through cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
# The session attributes to be added to the HTTP header. The specification is
# of the format session_attribute_name|http_header_name[,...].
# session_attribute_name is the attribute in session to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.session.attribute.map=
# Response Attribute Fetch Mode
# String attribute mode to specify if additional user response attributes should
# be introduced into the request. Possible values are:
# NONE - no additional user response attributes will be introduced.
# HTTP_HEADER - additional user response attributes will be introduced into
# HTTP header.
# HTTP_COOKIE - additional user response attributes will be introduced through
# cookies.
# If not within these values, it will be considered as NONE.
com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
# The response attributes to be added to the HTTP header. The specification is
# of the format response_attribute_name|http_header_name[,...].
# response_attribute_name is the attribute in policy response to be fetched and
# http_header_name is the name of the header to which the value needs to be
# assigned.
# NOTE: In most cases, in a destination application where a "http_header_name"
# shows up as a request header, it will be prefixed by HTTP_, and all
# lower case letters will become upper case, and any - will become _;
# For example, "common-name" would become "HTTP_COMMON_NAME"
com.sun.am.policy.agents.config.response.attribute.map=
# The cookie name used in iAS for sticky load balancing
com.sun.am.policy.am.lb.cookie.name = GX_jst
# indicate where a load balancer is used for Access Manager
# services.
# true | false
com.sun.am.load_balancer.enable = false
####Agent Configuration####
# this is for product versioning, please do not modify it
com.sun.am.policy.agents.config.version=2.2
# Set the url access logging level. the choices are
# LOG_NONE - do not log user access to url
# LOG_DENY - log url access that was denied.
# LOG_ALLOW - log url access that was allowed.
# LOG_BOTH - log url access that was allowed or denied.
com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
# Agent prefix
com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
# Locale setting.
com.sun.am.policy.agents.config.locale = en_US
# The unique identifier for this agent instance.
com.sun.am.policy.agents.config.instance.name = unused
# Do SSO only
# Boolean attribute to indicate whether the agent will just enforce user
# authentication (SSO) without enforcing policies (authorization)
com.sun.am.policy.agents.config.do_sso_only = true
# The URL of the access denied page. If no value is specified, then
# the agent will return an HTTP status of 403 (Forbidden).
com.sun.am.policy.agents.config.accessdenied.url =
# This property indicates if FQDN checking is enabled or not.
com.sun.am.policy.agents.config.fqdn.check.enable = true
# Default FQDN is the fully qualified hostname that the users should use
# in order to access resources on this web server instance. This is a
# required configuration value without which the Web server may not
# startup correctly.
# The primary purpose of specifying this property is to ensure that if
# the users try to access protected resources on this web server
# instance without specifying the FQDN in the browser URL, the Agent
# can take corrective action and redirect the user to the URL that
# contains the correct FQDN.
# This property is set during the agent installation and need not be
# modified unless absolutely necessary to accommodate deployment
# requirements.
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
# See also: com.sun.am.policy.agents.config.fqdn.check.enable,
# com.sun.am.policy.agents.config.fqdn.map
com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
# The FQDN Map is a simple map that enables the Agent to take corrective
# action in the case where the users may have typed in an incorrect URL
# such as by specifying partial hostname or using an IP address to
# access protected resources. It redirects the browser to the URL
# with fully qualified domain name so that cookies related to the domain
# are received by the agents.
# The format for this property is:
# com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
# This property can also be used so that the agents use the name specified
# in this map instead of the web server's actual name. This can be
# accomplished by doing the following.
# Say you want your server to be addressed as xyz.hostname.com whereas the
# actual name of the server is abc.hostname.com. The browsers only knows
# xyz.hostname.com and you have specified polices using xyz.hostname.com at
# the Access Manager policy console, in this file set the mapping as
# com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
# Another example is if you have multiple virtual servers say rst.hostname.com,
# uvw.hostname.com and xyz.hostname.com pointing to the same actual server
# abc.hostname.com and each of the virtual servers have their own policies
# defined, then the fqdnMap should be defined as follows:
# com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
# WARNING: Invalid value for this property can result in the Web Server
# becoming unusable or the resources becoming inaccessible.
com.sun.am.policy.agents.config.fqdn.map =
# Cookie Reset
# This property must be set to true, if this agent needs to
# reset cookies in the response before redirecting to
# Access Manager for Authentication.
# By default this is set to false.
# Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
com.sun.am.policy.agents.config.cookie.reset.enable=false
# This property gives the comma separated list of Cookies, that
# need to be included in the Redirect Response to Access Manager.
# This property is used only if the Cookie Reset feature is enabled.
# The Cookie details need to be specified in the following Format
# name[=value][;Domain=value]
# If "Domain" is not specified, then the default agent domain is
# used to set the Cookie.
# Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
# token=value;Domain=subdomain.domain.com
com.sun.am.policy.agents.config.cookie.reset.list=
# This property gives the space separated list of domains in
# which cookies have to be set in a CDSSO scenario. This property
# is used only if CDSSO is enabled.
# If this property is left blank then the fully qualified cookie
# domain for the agent server will be used for setting the cookie
# domain. In such case it is a host cookie instead of a domain cookie.
# Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
com.sun.am.policy.agents.config.cookie.domain.list=
# user id returned if accessing global allow page and not authenticated
com.sun.am.policy.agents.config.anonymous_user=anonymous
# Enable/Disable REMOTE_USER processing for anonymous users
# true | false
com.sun.am.policy.agents.config.anonymous_user.enable=false
# Not enforced list is the list of URLs for which no authentication is
# required. Wildcards can be used to define a pattern of URLs.
# The URLs specified may not contain any query parameters.
# Each service have their own not enforced list. The service name is suffixed
# after "# com.sun.am.policy.agents.notenforcedList." to specify a list
# for a particular service. SPACE is the separator between the URL.
com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?
OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
# Boolean attribute to indicate whether the above list is a not enforced list
# or an enforced list; When the value is true, the list means enforced list,
# or in other words, the whole web site is open/accessible without
# authentication except for those URLs in the list.
com.sun.am.policy.agents.config.notenforced_list.invert = false
# Not enforced client IP address list is a list of client IP addresses.
# No authentication and authorization are required for the requests coming
# from these client IP addresses. The IP address must be in the form of
# eg: 192.168.12.2 1.1.1.1
com.sun.am.policy.agents.config.notenforced_client_ip_list =
# Enable POST data preservation; By default it is set to false
com.sun.am.policy.agents.config.postdata.preserve.enable = false
# POST data preservation : POST cache entry lifetime in minutes,
# After the specified interval, the entry will be dropped
com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
# Cross-Domain Single Sign On URL
# Is CDSSO enabled.
com.sun.am.policy.agents.config.cdsso.enable=false
# This is the URL the user will be redirected to for authentication
# in a CDSSO Scenario.
com.sun.am.policy.agents.config.cdcservlet.url =
# Enable/Disable client IP address validation. This validate
# will check if the subsequent browser requests come from the
# same ip address that the SSO token is initially issued against
com.sun.am.policy.agents.config.client_ip_validation.enable = false
# Below properties are used to define cookie prefix and cookie max age
com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
# Logout URL - application's Logout URL.
# This URL is not enforced by policy.
# if set, agent will intercept this URL and destroy the user's session,
# if any. The application's logout URL will be allowed whether or not
# the session destroy is successful.
com.sun.am.policy.agents.config.logout.url=
#http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
# Any cookies to be reset upon logout in the same format as cookie_reset_list
com.sun.am.policy.agents.config.logout.cookie.reset.list =
# By default, when a policy decision for a resource is needed,
# agent gets and caches the policy decision of the resource and
# all resource from the root of the resource down, from the Access Manager.
# For example, if the resource is http://host/a/b/c, the the root of the
# resource is http://host/. This is because more resources from the
# same path are likely to be accessed subsequently.
# However this may take a long time the first time if there
# are many many policies defined under the root resource.
# To have agent get and cache the policy decision for the resource only,
# set the following property to false.
com.sun.am.policy.am.fetch_from_root_resource = true
# Whether to get the client's hostname through DNS reverse lookup for use
# in policy evaluation.
# It is true by default, if the property does not exist or if it is
# any value other than false.
com.sun.am.policy.agents.config.get_client_host_name = false
# The following property is to enable native encoding of
# ldap header attributes forwarded by agents. If set to true
# agent will encode the ldap header value in the default
# encoding of OS locale. If set to false ldap header values
# will be encoded in UTF-8
com.sun.am.policy.agents.config.convert_mbyte.enable = false
#When the not enforced list or policy has a wildcard '*' character, agent
#strips the path info from the request URI and uses the resulting request
#URI to check against the not enforced list or policy instead of the entire
#request URI, in order to prevent someone from getting access to any URI by
#simply appending the matching pattern in the policy or not enforced list.
#For example, if the not enforced list has the value http://host/*.gif,
#stripping the path info from the request URI will prevent someone from
#getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
#However when a web server (for exmample apache) is configured to be a reverse
#proxy server for a J2EE application server, path info is interpreted in a different
#manner since it maps to a resource on the proxy instead of the app server.
#This prevents the not enforced list or policy from being applied to part of
#the URI below the app serverpath if there is a wildcard character. For example,
#if the not enforced list has value http://host/webapp/servcontext/* and the
#request URL is http://host/webapp/servcontext/example.jsp the path info
#is /servcontext/example.jsp and the resulting request URL with path info stripped
#is http://host/webapp, which will not match the not enforced list. By setting the
#following property to true, the path info will not be stripped from the request URL
#even if there is a wild character in the not enforced list or policy.
#Be aware though that if this is set to true there should be nothing following the
#wildcard character '*' in the not enforced list or policy, or the
#security loophole described above may occur.
com.sun.am.policy.agents.config.ignore_path_info = false
# Override the request url given by the web server with
# the protocol, host or port of the agent's uri specified in
# the com.sun.am.policy.agents.agenturiprefix property.
# These may be needed if the agent is sitting behind a ssl off-loader,
# load balancer, or proxy, and either the protocol (HTTP scheme),
# hostname, or port of the machine in front of agent which users go through
# is different from the agent's protocol, host or port.
com.sun.am.policy.agents.config.override_protocol =
com.sun.am.policy.agents.config.override_host =
com.sun.am.policy.agents.config.override_port =
# Override the notification url in the same way as other request urls.
# Set this to true if any one of the override properties above is true,
# and if the notification url is coming through the proxy or load balancer
# in the same way as other request url's.
com.sun.am.policy.agents.config.override_notification.url =
# The following property defines how long to wait in attempting
# to connect to an Access Manager AUTH server.
# The default value is 2 seconds. This value needs to be increased
# when receiving the error "unable to find active Access Manager Auth server"
com.sun.am.policy.agents.config.connection_timeout =
# Time in milliseconds the agent will wait to receive the
# response from Access Manager. After the timeout, the connection
# will be drop.
# A value of 0 means that the agent will wait until receiving the response.
# WARNING: Invalid value for this property can result in
# the resources becoming inaccessible.
com.sun.am.receive_timeout = 0
# The three following properties are for IIS6 agent only.
# The two first properties allow to set a username and password that will be
# used by the authentication filter to pass the Windows challenge when the Basic
# Authentication option is selected in Microsoft IIS 6.0. The authentication
# filter is named amiis6auth.dll and is located in
# Agent_installation_directory/iis6/bin. It must be installed manually on
# the web site ("ISAPI Filters" tab in the properties of the web site).
# It must also be uninstalled manually when unintalling the agent.
# The last property defines the full path for the authentication filter log file.
com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilter

Hi,
I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4 and I have the message in logs "amAgent"
2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
I have the box to identify but it doesnot connect me on my opensso server.
It still identify with Domino's server
Thanks for your response
Thomas

Where does Messages store attachments on the iPad?

Where does Messages store attachments on the iPad?
some photos are quite large, so it would be good to know where they go, and how to manage the app.... ;)

Managing memory usage is not possible because the user does not have access to the file structure (unless you have jail broken your iPad that is).

Urgent help requested: Access Manager integration with BEA Portal

We're using Access Manager 7.1 and Policy Agent 2.2 to authenticate users for our BEA WL Portal 10 which contains all of our content and applications. The portal contains both anonymous pages and protected pages (for registered users).
Problem: When an anonymous user who is going through a multi-step application flow decides to sign-in to their account (or sign-up) Policy Agent wipes out the current content of the user session, and creates a brand new user session after the user is authenticated. Therefore we cannot send the user back to the same spot in the portal where they were before signing-in.
Is there anyway to make Policy Agent preserve the content and state of http session when authenticating a user?
We have a business requirement to allow users to continue their application process after successfully signing in.
Thanks in advance.

Hi,
I think this problem is not just related to weblogic 10 agent, it is a general problem for any agents.
Can you please clarify what you mean by "anonymous user "? Do you mean that this user has never logged in to Access Manager, and is just browsing the site as an anonymous user, or do you have a role specified as "anonymous user " that they are currently logged into when browsing the site?
thx,
Sean

Communications Express doesn't create access Manager SSO session

Hi all,
I'm running Communications Express, Sun Access Manager and Sun messaging server, each on seperate hosts.
Single Sign On works i.e. when users have a valid session and point their browser at the Communications Express URL they can access their mail, calendar and addressbooks without further ado.
When they don't have a valid session though and the users go to the Communications Express URL they get a username and password prompt. If they enter valid credentials they will be logged in, but the session created is only a local session, not an Access Manager SSO session. This behaviour has changed from the previous versions of Comm Exp which wouldn't work at all without SSO.
Is it possible to configure communications express to either redirect users to the Access Manager's authentication page or have Comm Exp create the SSO session on the users behalf?
TIA
Herman
Versions:
- Communications Express 6.3 update 1
- Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)
libimta.so 6.3-4.01 (built 17:13:29, Aug 3 2007; 32bit)

Hi Shane,
as always your anwer is better then I could have expected. A more or less complete manual
just hours after asking my question. Thanks!
shane_hjorth wrote:
The cleanest solution I could develop to address the behavioural change was to
leverage a web-server policy agent to perform the redirections.
I wrote up a guide but never received any feedback unfortunately so results-may-vary.
I have republished this guide externally - feedback is welcome:
http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_AgentTook me some time to implement, test and write feedback:
The setup we have is a little more complex then the a single box scenario you
have tested on:
From the internet working inwards we have load balanced
SSL accelerators (apache+SSL doing reverse proxy) in front of
dedicated application servers running communications express.
Mail is retrieved from separate mail-store clusters.
Access manager is configured similarly: load balanced SSL accelerators
in front of application servers running the login page (disributed
authentication UI). Those then talk to the access manager cluster.
Firewalls and access lists between each of those layers. None of the
applications can be accessed directly from the internet and they are
limited in what they can access in the DMZ as well.
I followed your recipe to the letter. After a bit of tweaking everything
worked like a charm. Policy agent installed and configured on the
SUN webserver where communications express is deployed.
Instructions were very good on detail and easy to follow.
We deploy uwc in the root of the server not in /uwc. Something I didn't notice right away.
It would seem that the policy agent expects the values com.sun.am.naming.url
(The URL for the Access Manager Naming service) and
com.sun.am.policy.am.login.url (The URL of the login page on the Access Manager
where users should enter their credentials) to be the same host.
In our setup the URL/host users have to use to log in can't be accessed by the policy agent.
The policy agent should verify sessions directly against the access manager cluster.
I played with some of the override settings in the policy agent configuration file but
without much success. Eventually I used the hostname our users have to use to log
in and abused the /etc/hosts file to map the external hostname to the internal address
of the access manager cluster. Users end up on the correct login page, and the policy
agent can verify the sessions. Ugly, but it works.
The other issue is that the policy agent redirects to:
com.sun.am.policy.am.login.url?goto=URL_Protected_by_Policy_Agent
When a users enters incorrect credentials they get the default login url, without the
goto parameter. (May be bug in access manager or by design...) After entering their
credentials correctly on their second or third try users won't be redirected back to UWC,
but will end up on the default page defined by their iplanet-am-user-success-url LDAP attribute.
I solved that in the policy agents configuration file by adding the gotoOnFail=URL in the
definition of com.sun.am.policy.am.login.url:
com.sun.am.policy.am.login.url = https://login.domain.com:443/amserver/UI/Login?gotoOnFail=https://uwc.domain.com:443When you enter incorrect credentials you'll be redirected back to uwc (where the policy agent
will again intercept you and send you on to the login page for your next try). May be more of
an issue in the policy agent then your manual.
Regards,
Herman

Where is Role store in Access Manager ?

Similar Messages

Maybe you are looking for