Write in the access manager cache

Hi,
I use AM 2004Q2 with the portal server. I also use IDM to manage portal identities. From IDM, I want to change portal LDAP attributes. Precisely, I want to change the value of the sunPortalDesktopDpDocumentUser attribute.
So from IDM, I make a call to a Java class that changes the sunPortalDesktopDpDocumentUser attribute, which is stored in the portal LDAP.
At first I used JNDI to make my changes directly in the LDAP. My change was stored in the LDAP, but since Access Manager uses a cache, the change I had made in the LDAP was, in some cases, overwritten by the cache.
So I was advised not to make my change to the LDAP but directly to the cache.
Here is the piece of code that does the job:

          import com.iplanet.am.sdk.AMStoreConnection;
          import com.iplanet.am.sdk.AMUser;

          // adminToken is an administrative SSOToken, userdn the DN of the portal user
          AMStoreConnection conn = new AMStoreConnection(adminToken);
          AMUser user = conn.getUser(userdn);
          String attribXML = user.getStringAttribute("sunPortalDesktopDpDocumentUser");
          ModifyDP mdp = new ModifyDP();
          String newAttribXML = mdp.changeDP(attribXML);   // here I make the change I need on the attribute
          user.setStringAttribute("sunPortalDesktopDpDocumentUser", newAttribXML);
          user.store();  // commits the changes

With this code I still have a cache problem. In some cases the new value is overwritten by the old one.
Does anyone have any idea how I should proceed to make permanent changes to the LDAP/cache?
Any help appreciated :)

Actually Access Manager has an Event Mechanism which is used to update the caches if data is changed in the directory server. This is used in multinode deployments. It's also used by Portal (which relies on amSDK).
Unfortunately I'm not sure if this is perfectly working in AM 2004Q1 (AKA AM6.1). At least you need the latest patch.
Unfortunately I cannot remember if AM6.1 already had an amEventService debug log.
Is there some FW/LB between AM and DS?
-Bernhard

Similar Messages

  • Flush the Access Server cache automatically

    Hello,
    I'm trying to follow the Oracle® Access Manager Deployment Guide 10g (10.1.4.3) and note ID 403899.1 to allow the user/group cache to update when we call the userservcenter and groupservcenter functions in OAM. I've seen other threads about this, but couldn't derive an answer to my question.
    The instructions say:
    4. Add a dummy AccessGate using the configureAccessGate command line tool, as follows:
    configureAccessGate -i COREid_install_dir/identity/ AccessServerSDK -t AccessGate
    Question: Am I really adding an accessGate here, or am I configuring the one I already have (which is really being used as a WebGate I guess since it's protecting web resources)?
    Thanks!

    I went ahead and used the current AccessGate/WebGate with the configureAccessGate command line tool and that seemed to work, but I'm still not getting the result that I'd like.
    1. I can access a page protected by OAM because I'm in a LDAP group.
    2. I use IdentityXML call to unsubscribe me from the group.
    3. I refresh the page, and can still access the page.
    Is it possible to get this to flush the cache when the IdentityXML function is called?
    I changed the doAccessServerFlush to true, used the configureAccessGate to configure the AccessGate/WebGate, changed the Access Management Service on the AccessGate and Access Server to On, and bounced everything.
    Thanks!

  • Oracle Access Manager Cache Flush issue

    Need urgent help on this. We have multiple access servers and 2 policy managers. I am able to flush the cache from one of the policy managers, but the other one is unable to flush the cache on all the access servers. I am getting the error "following access server cannot be contacted" with a list of some access servers. I am successfully able to make a telnet connection to all the access servers. Any suggestions on what may be the issue?
    Thanks.
    Vinay

    Hi Vinay,
    Please check that the transport mode (open/simple/cert) is the same of the Access Servers that it is trying to contact, and that the Policy Manager certs are valid (if simple/cert, obviously). Another idea - if the failing Policy Manager is on a different subnet from the Access Servers, it may be timing out trying to contact them.
    Regards,
    Colin

  • Am not able to get the Access Manager 7 login page

    I have installed Access Manager and configured it, and it worked. But after I did the Policy Agent configuration for Access Manager, I couldn't log in to Access Manager, i.e. /amserver, when trying http://localhost:8080/amserver/UI/Login
    I am getting the following error:
    exception
    javax.servlet.ServletException
         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:300)
         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
         java.security.AccessController.doPrivileged(Native Method)
         com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
    root cause
    java.lang.NoClassDefFoundError
         com.sun.identity.authentication.server.AuthContextLocal.(AuthContextLocal.java:140)
         com.sun.identity.authentication.service.LoginState.createAuthContext(LoginState.java:1121)
         com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:310)
         com.sun.identity.authentication.service.AuthUtils.getAuthContext(AuthUtils.java:250)
         com.sun.identity.authentication.UI.LoginViewBean.forwardTo(LoginViewBean.java:325)
         com.iplanet.jato.ApplicationServletBase.dispatchRequest(ApplicationServletBase.java:981)
         com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:615)
         com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
         javax.servlet.http.HttpServlet.service(HttpServlet.java:747)
         javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
         sun.reflect.GeneratedMethodAccessor115.invoke(Unknown Source)
         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         java.lang.reflect.Method.invoke(Method.java:585)
         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
         java.security.AccessController.doPrivileged(Native Method)
         javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
         java.security.AccessController.doPrivileged(Native Method)
         com.sun.mobile.filter.AMLController.doFilter(AMLController.java:163)
    Please, can anyone help me solve this problem?
    regards
    vimalraj.s

    Guys,
    This is a common problem that I have noticed when the policy agent is installed on the same DAS (Domain Admin Server of Sun Java Application Server) instance where Access Manager is installed.
    The best solution is to deploy your application on a different DAS and configure/install the policy agent for the new DAS.
    If a web server is used for Access Manager, deploy your application on a different instance.
    Alternatively, follow these instructions.
    Assume that you have the policy agent binary installed in /opt/SUNWam/policyagent/j2ee_agents/am_as81_agent.
    When the policy agent is configured, it creates a new configuration folder named agent_001.
    1. Log in to the DAS and remove the class path changes made by the policy agent installer.
    These are the class path entries to remove:
    /opt/SUNWam/policyagent/j2ee_agents/am_as81_agent/lib/agent.jar
    /opt/SUNWam/policyagent/j2ee_agents/am_as81_agent/lib/amclientsdk.jar
    /opt/SUNWam/policyagent/j2ee_agents/am_as81_agent/locale
    /opt/SUNWam/policyagent/j2ee_agents/am_as81_agent/agent_001/config
    2. Add these to the end of the class path suffix. NOT AT THE START:
    /opt/SUNWam/policyagent/j2ee_agents/am_as81_agent/lib/agent.jar
    /opt/SUNWam/policyagent/j2ee_agents/am_as81_agent/lib/locale
    3. Insert amclientsdk.jar into the class path. Insert it before agent.jar but after the am_*.jar files (am_sdk.jar, am_services.jar, am_sso_provider.jar, am_logging.jar).
    4. Open amConfig.properties and add this line at the bottom of the file:
    com.sun.identity.agents.config.location=/opt/SUNWam/policyagent/j2ee_agents/am_as81_agent/agent_001/config/AMAgent.properties
    The line above points to the policy agent configuration file.
    5. Last but not least:
    a. Make sure that an agent is created in Access Manager with the same name and password as the one you gave when installing the policy agent.
    b. Set the property com.sun.identity.agents.config.filter.mode = SSO_ONLY in AMAgent.properties. This will help initial testing of the configuration.
    c. The configuration above is for Unix, but it should work for other OSes as well.
    Best of Luck
    KK
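A checker for the class path ordering that steps 1 to 3 of the reply prescribe (am_*.jar before amclientsdk.jar before agent.jar, agent entries last); this is an added example, not the poster's script, and AGENT_ROOT is the install path the reply assumes.

```python
"""Check a DAS class path against the ordering the reply above prescribes:
am_*.jar entries first, then amclientsdk.jar, then agent.jar, with the
agent's own entries at the end. Added example, not the poster's script."""
import os
from typing import List

# Install location named in the reply; change it to match your agent.
AGENT_ROOT = "/opt/SUNWam/policyagent/j2ee_agents/am_as81_agent"


def check_classpath(classpath: str, agent_root: str = AGENT_ROOT, sep: str = ":") -> List[str]:
    """Return ordering problems; an empty list means the class path follows the recipe."""
    entries = [e.strip().rstrip("/") for e in classpath.split(sep) if e.strip()]
    names = [os.path.basename(e) for e in entries]
    problems: List[str] = []

    def position(name: str) -> int:
        return names.index(name) if name in names else -1

    sdk, agent = position("amclientsdk.jar"), position("agent.jar")
    am_jars = [i for i, n in enumerate(names) if n.startswith("am_") and n.endswith(".jar")]

    if sdk < 0:
        problems.append("amclientsdk.jar is missing from the class path")
    if agent < 0:
        problems.append("agent.jar is missing from the class path")
    # Step 3: amclientsdk.jar sits after the am_*.jar files and before agent.jar.
    if sdk >= 0 and am_jars and max(am_jars) > sdk:
        problems.append("amclientsdk.jar must come after all am_*.jar entries")
    if sdk >= 0 and agent >= 0 and sdk > agent:
        problems.append("amclientsdk.jar must come before agent.jar")
    # Step 2: agent.jar and lib/locale go at the end, never at the start.
    root = agent_root.rstrip("/")
    tail = {root + "/lib/agent.jar", root + "/lib/locale"}
    tail_idx = [i for i, e in enumerate(entries) if e in tail]
    if tail_idx:
        if tail_idx[0] == 0:
            problems.append("agent entries are at the start of the class path")
        trailing = [entries[i] for i in range(tail_idx[0], len(entries)) if i not in tail_idx]
        if trailing:
            problems.append("agent entries must be last; found after them: " + ", ".join(trailing))
    return problems
```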

  • Emptying the Configuration Manager cache

    Hi,
    Does anyone know the PowerShell or VBS command(s) to empty the CCMCache? (if it exists)
    e.g. the PowerShell and VBS commands to increase the cache size:

    PowerShell:
    # Client SDK COM object; TotalSize is in MB
    $strUIResource = New-Object -ComObject UIResource.UIResourceMgr
    $strUIResource.GetCacheInfo().TotalSize = 30720
    Restart-Service CCMEXEC

    VBScript:
    Dim ClientResource
    Set objShell = WScript.CreateObject("WScript.shell")
    Set ClientResource = CreateObject("UIResource.UIResourceMgr")
    Set CacheInfo = ClientResource.GetCacheInfo
    CacheInfo.TotalSize = 30720

    Hi
    You should check the SDK for that information.
    But if you look at this thread, there is a script that seems to do what you are looking for:
    http://social.technet.microsoft.com/Forums/systemcenter/en-US/02d919e8-3fb6-42a0-b7a4-0dd81fc06b9c/clearing-ccm-cache?forum=configmgrswdist
    As a side note, normally you wouldn't have to manage the cache manually because ConfigMgr takes care of that for you and automatically purges "old" content when space is needed unless you used the setting "Persist in cache".

  • What does the LoginModule sample do in the Access Manager samples

    hi,
    thanks for reading my question. I just wanted to know what the Login Module sample shows to a user.
    thanks
    dhawanmayur

    Hi Lars,
    Would the information in the link below help you?
    https://websmp208.sap-ag.de/~sapidb/011000358700002294272006E
    From what I understand, the only thing that Service Connector does is to "give the approval and the connection parameters" to your local SAP Router to initiate a network tunnel between your local SAP Router and SAP's SAP Router.
    I hope this helps.

  • Not able to start the Sun Java System Access Manager 7 Console

    Hi All,
    I have successfully installed the Sun Java System Portal Server 7 on RHEL 4.0. The problem I am facing is that I am not able to start the Sun Java System Access Manager 7 Console while accessing the URL: http://fqdn:8080/amconsole
    As soon as I try to access this URL it gives me the following exception:
    type Exception report
    message
    description The server encountered an internal error () that prevented it from fulfilling this request.
    exception
    com.iplanet.jato.NavigationException: Exception encountered during forward
    Root cause = [java.lang.NullPointerException]
         com.iplanet.jato.view.ViewBeanBase.forward(ViewBeanBase.java:386)
         com.iplanet.jato.view.ViewBeanBase.forwardTo(ViewBeanBase.java:267)
         com.iplanet.am.console.base.ConsoleServletBase.onUncaughtException(ConsoleServletBase.java:338)
         com.iplanet.jato.ApplicationServletBase.fireUncaughtException(ApplicationServletBase.java:1023)
         com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:469)
         com.iplanet.jato.ApplicationServletBase.doPost(ApplicationServletBase.java:324)
         com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:294)
         javax.servlet.http.HttpServlet.service(HttpServlet.java:747)
         javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
         sun.reflect.GeneratedMethodAccessor106.invoke(Unknown Source)
         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         java.lang.reflect.Method.invoke(Method.java:585)
         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
         java.security.AccessController.doPrivileged(Native Method)
         javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
    If anyone has any idea about the cause of this error, please let me know. All suggestions are welcome.
    Thanks and Regards,
    Chirag.

    Hi All,
    I am having exactly the same problem with the same stack trace. Does anybody have an idea how to fix this?
    I have downloaded the Java Identity Management Suite (java_es-5-identsuite-ga-windows-x86.zip). The first time, installation was fine and I was able to bring up the Access Manager console. I was able to create users, groups etc.
    However, when I uninstalled and installed it again, I got exactly the same error described in the thread. Running "amserver start" and "amserver restart" did not help. I did the installation one more time but again I got the same error.
    Thanks for the help.
    celikkan

  • Cannot access the login page of Access Manager 7.1 amserver

    I am new to Access Manager 7.1. After a successful installation on Solaris 10 11/06 x86, SUN Java Directory Server 6 EE, SUN Java Application Server 8.2, I cannot reach the login page of amserver. The Application Server registers the Web Applications properly, and the configuration of the Access Manager was good to the best of my knowledge. The exception is as follows:
    type Exception report
    message
    description The server encountered an internal error () that prevented it from fulfilling this request.
    exception
    javax.servlet.ServletException: AMSetupFilter.doFilter
         com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:100)
    root cause
    com.iplanet.jato.CompleteRequestException
         com.sun.identity.authentication.UI.AuthenticationServletBase.onUncaughtException(AuthenticationServletBase.java:122)
         com.iplanet.jato.ApplicationServletBase.fireUncaughtException(ApplicationServletBase.java:1164)
         com.iplanet.jato.ApplicationServletBase.processRequest(ApplicationServletBase.java:639)
         com.iplanet.jato.ApplicationServletBase.doGet(ApplicationServletBase.java:459)
         javax.servlet.http.HttpServlet.service(HttpServlet.java:747)
         javax.servlet.http.HttpServlet.service(HttpServlet.java:860)
         sun.reflect.GeneratedMethodAccessor73.invoke(Unknown Source)
         sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         java.lang.reflect.Method.invoke(Method.java:585)
         org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:249)
         java.security.AccessController.doPrivileged(Native Method)
         javax.security.auth.Subject.doAsPrivileged(Subject.java:517)
         org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:282)
         org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:165)
         java.security.AccessController.doPrivileged(Native Method)
         com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:86)
    note The full stack trace of the root cause is available in the Sun-Java-System/Application-Server logs.
    Could anybody help me to solve this situation?
    Thanks

    Hey,
    were you able to resolve this issue?
    I am getting the same error after I re-installed the SUN suite (including portal, access manager, directory server etc.)
    Please let me know if you can help!
    Thanks
    Deepak

  • Capacity Planning for Azure Managed Cache Service Spreadsheet Missing

    I'm currently choosing between dedicated in-role caching and the Azure Managed Cache Service. It seems pretty clear that for in-role caching one must consider the cache access frequency when choosing the in-role cache size (as demonstrated by the capacity planning spreadsheet found here http://msdn.microsoft.com/en-us/library/hh914129.aspx, although the documentation states "Your application is the only consumer of the cache. There are no predefined quotas or throttling. Physical capacity (memory and other physical resources) is the only limiting factor.").
    It is less clear if this is also the case for the Azure Managed Cache Service, since the documentation simply states:
    “Now, there are no predefined quotas on bandwidth and connections. Physical capacity is the only limiting factor and you only pay based upon the cache size. You can now focus solely on your application and its data needs.”
    and the capacity planning guide spreadsheet found here:
    http://msdn.microsoft.com/en-us/library/dn386139.aspx
    does not lead to the actual spreadsheet.
    Is there some way to get the capacity planning guide spreadsheet for the azure managed cache service? If not, can someone tell me whether we need to consider cache access frequency (and not just size) when choosing the azure managed cache service?
    Thanks!

    Just kidding, I found the planning spreadsheets here:
    http://www.microsoft.com/en-us/download/details.aspx?id=30000
    That said, I'm still unsure of whether the data read/write frequency (bandwidth) is relevant in choosing capacity:
    In-role:
    "Your application is the only consumer of the cache. There are no predefined quotas or throttling. Physical capacity (memory and other physical resources) is the only limiting factor."
    Managed:
    “Now, there are no predefined quotas on bandwidth and connections. Physical capacity is the only limiting factor and you only pay based upon the cache size. You can now focus solely on your application and its data needs.”
    I'm confused because when using the caching capacity planner spreadsheet, when the number of reads/second is increased, a greater cache size is recommended. But why would I need a larger cache size if the same object is being read by multiple users and there is no limit on bandwidth?

  • Too Slow - Domino 6.5.4 with Access Manager agent 2.2?

    I don't know how to tune Domino 6.5.4 with Access Manager agent 2.2.
    I think AMAgent.properties is not good for SSO.
    Please help me to tune it.
    # $Id: AMAgent.properties,v 1.103 2005/09/19 22:08:34 madan Exp $
    # Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
    # U.S. Government Rights - Commercial software. Government users are
    # subject to the Sun Microsystems, Inc. standard license agreement and
    # applicable provisions of the FAR and its supplements. Use is subject to
    # license terms. Sun, Sun Microsystems, the Sun logo and Sun ONE are
    # trademarks or registered trademarks of Sun Microsystems, Inc. in the
    # U.S. and other countries.
    # Copyright © 2002 Sun Microsystems, Inc. All rights reserved.
    # U.S. Government rights, government users - commercial software. Government
    # users are subject to the Sun Microsystems, Inc. standard license agreement,
    # as well as the applicable provisions of the FAR (Federal Acquisition
    # Regulations) and its supplements.
    # Distributed under licenses restricting its use. Sun, Sun Microsystems,
    # the Sun logo and Sun ONE are trademarks or registered trademarks of
    # Sun Microsystems, Inc. in the United States and other countries.
    # The syntax of this file is that of a standard Java properties file,
    # see the documentation for the java.util.Properties.load method for a
    # complete description. (CAVEAT: The SDK in the parser does not currently
    # support any backslash escapes except for wrapping long lines.)
    # All property names in this file are case-sensitive.
    # NOTE: The value of a property that is specified multiple times is not
    # defined.
    # WARNING: The contents of this file are classified as an UNSTABLE
    # interface by Sun Microsystems, Inc. As such, they are subject to
    # significant, incompatible changes in any future release of the
    # software.
    # The name of the cookie passed between the Access Manager
    # and the SDK.
    # WARNING: Changing this property without making the corresponding change
    # to the Access Manager will disable the SDK.
    com.sun.am.cookie.name = iPlanetDirectoryPro
    # The URL for the Access Manager Naming service.
    com.sun.am.naming.url = http://sportal.yjy.dqyt.petrochina:80/amserver/namingservice
    # The URL of the login page on the Access Manager.
    com.sun.am.policy.am.login.url = http://sportal.yjy.dqyt.petrochina:80/amserver/UI/Login
    # Name of the file to use for logging messages.
    com.sun.am.policy.agents.config.local.log.file = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAgent
    # This property is used for Log Rotation. The value of the property specifies
    # whether the agent deployed on the server supports the feature or not. If set
    # to false all log messages are written to the same file.
    com.sun.am.policy.agents.config.local.log.rotate = true
    # Name of the Access Manager log file to use for logging messages to
    # Access Manager.
    # Just the name of the file is needed. The directory of the file
    # is determined by settings configured on the Access Manager.
    com.sun.am.policy.agents.config.remote.log = amAuthLog.Dominoad.yjy.dqyt.petrochina.80
    # Set the logging level for the specified logging categories.
    # The format of the values is
    #     <ModuleName>[:<Level>][,<ModuleName>[:<Level>]]*
    # The currently used module names are: AuthService, NamingService,
    # PolicyService, SessionService, PolicyEngine, ServiceEngine,
    # Notification, PolicyAgent, RemoteLog and all.
    # The all module can be used to set the logging level for all currently
    # none logging modules. This will also establish the default level for
    # all subsequently created modules.
    # The meaning of the 'Level' value is described below:
    #     0     Disable logging from specified module*
    #     1     Log error messages
    #     2     Log warning and error messages
    #     3     Log info, warning, and error messages
    #     4     Log debug, info, warning, and error messages
    #     5     Like level 4, but with even more debugging messages
    # 128     log url access to log file on AM server.
    # 256     log url access to log file on local machine.
    # If level is omitted, then the logging module will be created with
    # the default logging level, which is the logging level associated with
    # the 'all' module.
    # for level of 128 and 256, you must also specify a logAccessType.
    # *Even if the level is set to zero, some messages may be produced for
    # a module if they are logged with the special level value of 'always'.
    com.sun.am.log.level =
    # The org, username and password for Agent to login to AM.
    com.sun.am.policy.am.username = UrlAccessAgent
    com.sun.am.policy.am.password = LYnKyOIgdWt404ivWY6HPQ==
    # Name of the directory containing the certificate databases for SSL.
    com.sun.am.sslcert.dir = c:/Sun/Access_Manager/Agents/2.2/domino/cert
    # Set this property if the certificate databases in the directory specified
    # by the previous property have a prefix.
    com.sun.am.certdb.prefix =
    # Should agent trust all server certificates when Access Manager
    # is running SSL?
    # Possible values are true or false.
    com.sun.am.trust_server_certs = true
    # Should the policy SDK use the Access Manager notification
    # mechanism to maintain the consistency of its internal cache? If the value
    # is false, then a polling mechanism is used to maintain cache consistency.
    # Possible values are true or false.
    com.sun.am.notification.enable = true
    # URL to which notification messages should be sent if notification is
    # enabled, see previous property.
    com.sun.am.notification.url = http://Dominoad.yjy.dqyt.petrochina:80/amagent/UpdateAgentCacheServlet?shortcircuit=false
    # This property determines whether URL string case sensitivity is
    # obeyed during policy evaluation
    com.sun.am.policy.am.url_comparison.case_ignore = true
    # This property determines the amount of time (in minutes) an entry
    # remains valid after it has been added to the cache. The default
    # value for this property is 3 minutes.
    com.sun.am.policy.am.polling.interval=3
    # This property allows the user to configure the User Id parameter passed
    # by the session information from the access manager. The value of User
    # Id will be used by the agent to set the value of REMOTE_USER server
    # variable. By default this parameter is set to "UserToken"
    com.sun.am.policy.am.userid.param=UserToken
    # Profile attributes fetch mode
    # String attribute mode to specify if additional user profile attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user profile attributes will be introduced.
    # HTTP_HEADER - additional user profile attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user profile attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.profile.attribute.fetch.mode=NONE
    # The user profile attributes to be added to the HTTP header. The
    # specification is of the format ldap_attribute_name|http_header_name[,...].
    # ldap_attribute_name is the attribute in data store to be fetched and
    # http_header_name is the name of the header to which the value needs
    # to be assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.profile.attribute.map=cn|common-name,ou|organizational-unit,o|organization,mail|email,employeenumber|employee-number,c|country
    # Session attributes mode
    # String attribute mode to specify if additional user session attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user session attributes will be introduced.
    # HTTP_HEADER - additional user session attributes will be introduced into HTTP header.
    # HTTP_COOKIE - additional user session attributes will be introduced through cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.session.attribute.fetch.mode=NONE
    # The session attributes to be added to the HTTP header. The specification is
    # of the format session_attribute_name|http_header_name[,...].
    # session_attribute_name is the attribute in session to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.session.attribute.map=
    # Response Attribute Fetch Mode
    # String attribute mode to specify if additional user response attributes should
    # be introduced into the request. Possible values are:
    # NONE - no additional user response attributes will be introduced.
    # HTTP_HEADER - additional user response attributes will be introduced into
    # HTTP header.
    # HTTP_COOKIE - additional user response attributes will be introduced through
    # cookies.
    # If not within these values, it will be considered as NONE.
    com.sun.am.policy.agents.config.response.attribute.fetch.mode=NONE
    # The response attributes to be added to the HTTP header. The specification is
    # of the format response_attribute_name|http_header_name[,...].
    # response_attribute_name is the attribute in policy response to be fetched and
    # http_header_name is the name of the header to which the value needs to be
    # assigned.
    # NOTE: In most cases, in a destination application where a "http_header_name"
    # shows up as a request header, it will be prefixed by HTTP_, and all
    # lower case letters will become upper case, and any - will become _;
    # For example, "common-name" would become "HTTP_COMMON_NAME"
    com.sun.am.policy.agents.config.response.attribute.map=
    # The cookie name used in iAS for sticky load balancing
    com.sun.am.policy.am.lb.cookie.name = GX_jst
    # indicate where a load balancer is used for Access Manager
    # services.
    # true | false
    com.sun.am.load_balancer.enable = false
    ####Agent Configuration####
    # this is for product versioning, please do not modify it
    com.sun.am.policy.agents.config.version=2.2
    # Set the url access logging level. the choices are
    # LOG_NONE - do not log user access to url
    # LOG_DENY - log url access that was denied.
    # LOG_ALLOW - log url access that was allowed.
    # LOG_BOTH - log url access that was allowed or denied.
    com.sun.am.policy.agents.config.audit.accesstype = LOG_DENY
    # Agent prefix
    com.sun.am.policy.agents.config.agenturi.prefix = http://Dominoad.yjy.dqyt.petrochina:80/amagent
    # Locale setting.
    com.sun.am.policy.agents.config.locale = en_US
    # The unique identifier for this agent instance.
    com.sun.am.policy.agents.config.instance.name = unused
    # Do SSO only
    # Boolean attribute to indicate whether the agent will just enforce user
    # authentication (SSO) without enforcing policies (authorization)
    com.sun.am.policy.agents.config.do_sso_only = true
    # The URL of the access denied page. If no value is specified, then
    # the agent will return an HTTP status of 403 (Forbidden).
    com.sun.am.policy.agents.config.accessdenied.url =
    # This property indicates if FQDN checking is enabled or not.
    com.sun.am.policy.agents.config.fqdn.check.enable = true
    # Default FQDN is the fully qualified hostname that the users should use
    # in order to access resources on this web server instance. This is a
    # required configuration value without which the Web server may not
    # startup correctly.
    # The primary purpose of specifying this property is to ensure that if
    # the users try to access protected resources on this web server
    # instance without specifying the FQDN in the browser URL, the Agent
    # can take corrective action and redirect the user to the URL that
    # contains the correct FQDN.
    # This property is set during the agent installation and need not be
    # modified unless absolutely necessary to accommodate deployment
    # requirements.
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    # See also: com.sun.am.policy.agents.config.fqdn.check.enable,
    # com.sun.am.policy.agents.config.fqdn.map
    com.sun.am.policy.agents.config.fqdn.default = Dominoad.yjy.dqyt.petrochina
    # The FQDN Map is a simple map that enables the Agent to take corrective
    # action in the case where the users may have typed in an incorrect URL
    # such as by specifying partial hostname or using an IP address to
    # access protected resources. It redirects the browser to the URL
    # with fully qualified domain name so that cookies related to the domain
    # are received by the agents.
    # The format for this property is:
    # com.sun.am.policy.agents.config.fqdn.map = [invalid_hostname|valid_hostname][,...]
    # This property can also be used so that the agents use the name specified
    # in this map instead of the web server's actual name. This can be
    # accomplished by doing the following.
    # Say you want your server to be addressed as xyz.hostname.com whereas the
    # actual name of the server is abc.hostname.com. The browsers only knows
    # xyz.hostname.com and you have specified polices using xyz.hostname.com at
    # the Access Manager policy console, in this file set the mapping as
    # com.sun.am.policy.agents.fqdn.map = valid|xyz.hostname.com
    # Another example is if you have multiple virtual servers say rst.hostname.com,
    # uvw.hostname.com and xyz.hostname.com pointing to the same actual server
    # abc.hostname.com and each of the virtual servers have their own policies
    # defined, then the fqdnMap should be defined as follows:
    # com.sun.am.policy.agents.fqdn.map = valid1|rst.hostname.com,valid2|uvw.hostname.com,valid3|xyz.hostname.com
    # WARNING: Invalid value for this property can result in the Web Server
    # becoming unusable or the resources becoming inaccessible.
    com.sun.am.policy.agents.config.fqdn.map =
    # Cookie Reset
    # This property must be set to true, if this agent needs to
    # reset cookies in the response before redirecting to
    # Access Manager for Authentication.
    # By default this is set to false.
    # Example : com.sun.am.policy.agents.config.cookie.reset.enable=true
    com.sun.am.policy.agents.config.cookie.reset.enable=false
    # This property gives the comma separated list of Cookies, that
    # need to be included in the Redirect Response to Access Manager.
    # This property is used only if the Cookie Reset feature is enabled.
    # The Cookie details need to be specified in the following Format
    # name[=value][;Domain=value]
    # If "Domain" is not specified, then the default agent domain is
    # used to set the Cookie.
    # Example : com.sun.am.policy.agents.config.cookie.reset.list=LtpaToken,
    # token=value;Domain=subdomain.domain.com
    com.sun.am.policy.agents.config.cookie.reset.list=
    # This property gives the space separated list of domains in
    # which cookies have to be set in a CDSSO scenario. This property
    # is used only if CDSSO is enabled.
    # If this property is left blank then the fully qualified cookie
    # domain for the agent server will be used for setting the cookie
    # domain. In such case it is a host cookie instead of a domain cookie.
    # Example : com.sun.am.policy.agents.config.cookie.domain.list=.sun.com .iplanet.com
    com.sun.am.policy.agents.config.cookie.domain.list=
    # user id returned if accessing global allow page and not authenticated
    com.sun.am.policy.agents.config.anonymous_user=anonymous
    # Enable/Disable REMOTE_USER processing for anonymous users
    # true | false
    com.sun.am.policy.agents.config.anonymous_user.enable=false
    # Not enforced list is the list of URLs for which no authentication is
    # required. Wildcards can be used to define a pattern of URLs.
    # The URLs specified may not contain any query parameters.
    # Each service have their own not enforced list. The service name is suffixed
    # after "# com.sun.am.policy.agents.notenforcedList." to specify a list
    # for a particular service. SPACE is the separator between the URL.
    com.sun.am.policy.agents.config.notenforced_list = http://dominoad.yjy.dqyt.petrochina/*.nsf http://dominoad.yjy.dqyt.petrochina/teamroom.nsf/TROutline.gif?OpenImageResource http://dominoad.yjy.dqyt.petrochina/icons/*.gif
    # Boolean attribute to indicate whether the above list is a not enforced list
    # or an enforced list; When the value is true, the list means enforced list,
    # or in other words, the whole web site is open/accessible without
    # authentication except for those URLs in the list.
    com.sun.am.policy.agents.config.notenforced_list.invert = false
    # Not enforced client IP address list is a list of client IP addresses.
    # No authentication and authorization are required for the requests coming
    # from these client IP addresses. The IP address must be in the form of
    # eg: 192.168.12.2 1.1.1.1
    com.sun.am.policy.agents.config.notenforced_client_ip_list =
    # Enable POST data preservation; By default it is set to false
    com.sun.am.policy.agents.config.postdata.preserve.enable = false
    # POST data preservation : POST cache entry lifetime in minutes,
    # After the specified interval, the entry will be dropped
    com.sun.am.policy.agents.config.postcache.entry.lifetime = 10
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    com.sun.am.policy.agents.config.cdsso.enable=false
    # This is the URL the user will be redirected to for authentication
    # in a CDSSO Scenario.
    com.sun.am.policy.agents.config.cdcservlet.url =
    # Enable/Disable client IP address validation. This validate
    # will check if the subsequent browser requests come from the
    # same ip address that the SSO token is initially issued against
    com.sun.am.policy.agents.config.client_ip_validation.enable = false
    # Below properties are used to define cookie prefix and cookie max age
    com.sun.am.policy.agents.config.profile.attribute.cookie.prefix = HTTP_
    com.sun.am.policy.agents.config.profile.attribute.cookie.maxage = 300
    # Logout URL - application's Logout URL.
    # This URL is not enforced by policy.
    # if set, agent will intercept this URL and destroy the user's session,
    # if any. The application's logout URL will be allowed whether or not
    # the session destroy is successful.
    com.sun.am.policy.agents.config.logout.url=
    #http://sportal.yjy.dqyt.petrochina/amserver/UI/Logout
    # Any cookies to be reset upon logout in the same format as cookie_reset_list
    com.sun.am.policy.agents.config.logout.cookie.reset.list =
    # By default, when a policy decision for a resource is needed,
    # agent gets and caches the policy decision of the resource and
    # all resource from the root of the resource down, from the Access Manager.
    # For example, if the resource is http://host/a/b/c, the root of the
    # resource is http://host/. This is because more resources from the
    # same path are likely to be accessed subsequently.
    # However this may take a long time the first time if there
    # are many many policies defined under the root resource.
    # To have agent get and cache the policy decision for the resource only,
    # set the following property to false.
    com.sun.am.policy.am.fetch_from_root_resource = true
    # Whether to get the client's hostname through DNS reverse lookup for use
    # in policy evaluation.
    # It is true by default, if the property does not exist or if it is
    # any value other than false.
    com.sun.am.policy.agents.config.get_client_host_name = false
    # The following property is to enable native encoding of
    # ldap header attributes forwarded by agents. If set to true
    # agent will encode the ldap header value in the default
    # encoding of OS locale. If set to false ldap header values
    # will be encoded in UTF-8
    com.sun.am.policy.agents.config.convert_mbyte.enable = false
    #When the not enforced list or policy has a wildcard '*' character, agent
    #strips the path info from the request URI and uses the resulting request
    #URI to check against the not enforced list or policy instead of the entire
    #request URI, in order to prevent someone from getting access to any URI by
    #simply appending the matching pattern in the policy or not enforced list.
    #For example, if the not enforced list has the value http://host/*.gif,
    #stripping the path info from the request URI will prevent someone from
    #getting access to http://host/index.html by using the URL http://host/index.html?hack.gif.
    #However when a web server (for example apache) is configured to be a reverse
    #proxy server for a J2EE application server, path info is interpreted in a different
    #manner since it maps to a resource on the proxy instead of the app server.
    #This prevents the not enforced list or policy from being applied to part of
    #the URI below the app serverpath if there is a wildcard character. For example,
    #if the not enforced list has value http://host/webapp/servcontext/* and the
    #request URL is http://host/webapp/servcontext/example.jsp the path info
    #is /servcontext/example.jsp and the resulting request URL with path info stripped
    #is http://host/webapp, which will not match the not enforced list. By setting the
    #following property to true, the path info will not be stripped from the request URL
    #even if there is a wild character in the not enforced list or policy.
    #Be aware though that if this is set to true there should be nothing following the
    #wildcard character '*' in the not enforced list or policy, or the
    #security loophole described above may occur.
    com.sun.am.policy.agents.config.ignore_path_info = false
    # Override the request url given by the web server with
    # the protocol, host or port of the agent's uri specified in
    # the com.sun.am.policy.agents.agenturiprefix property.
    # These may be needed if the agent is sitting behind a ssl off-loader,
    # load balancer, or proxy, and either the protocol (HTTP scheme),
    # hostname, or port of the machine in front of agent which users go through
    # is different from the agent's protocol, host or port.
    com.sun.am.policy.agents.config.override_protocol =
    com.sun.am.policy.agents.config.override_host =
    com.sun.am.policy.agents.config.override_port =
    # Override the notification url in the same way as other request urls.
    # Set this to true if any one of the override properties above is true,
    # and if the notification url is coming through the proxy or load balancer
    # in the same way as other request url's.
    com.sun.am.policy.agents.config.override_notification.url =
    # The following property defines how long to wait in attempting
    # to connect to an Access Manager AUTH server.
    # The default value is 2 seconds. This value needs to be increased
    # when receiving the error "unable to find active Access Manager Auth server"
    com.sun.am.policy.agents.config.connection_timeout =
    # Time in milliseconds the agent will wait to receive the
    # response from Access Manager. After the timeout, the connection
    # will be dropped.
    # A value of 0 means that the agent will wait until receiving the response.
    # WARNING: Invalid value for this property can result in
    # the resources becoming inaccessible.
    com.sun.am.receive_timeout = 0
    # The three following properties are for IIS6 agent only.
    # The two first properties allow to set a username and password that will be
    # used by the authentication filter to pass the Windows challenge when the Basic
    # Authentication option is selected in Microsoft IIS 6.0. The authentication
    # filter is named amiis6auth.dll and is located in
    # Agent_installation_directory/iis6/bin. It must be installed manually on
    # the web site ("ISAPI Filters" tab in the properties of the web site).
    # It must also be uninstalled manually when uninstalling the agent.
    # The last property defines the full path for the authentication filter log file.
    com.sun.am.policy.agents.config.iis6.basicAuthentication.username =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.password =
    com.sun.am.policy.agents.config.iis6.basicAuthentication.logFile = c:/Sun/Access_Manager/Agents/2.2/debug/C__Lotus_Domino/amAuthFilter

    Hi,
    I installed opensso (so Sun Java(TM) System Access Manager 7.5) and the agent for Domino 6.5.4, and I have this message in the "amAgent" logs:
    2007-07-11 18:40:16.119 Error 1708:3dbcf768 PolicyAgent: render_response(): Entered.
    I get the login box, but it does not connect me to my opensso server.
    It still authenticates against Domino's server.
    Thanks for your response
    Thomas
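The wildcard matching and path-info stripping described in the ignore_path_info comments of the AMAgent.properties fragment above, modelled as an added example (not the agent's own code). It assumes that the stripping step removes the query string together with the PATH_INFO the web server reports; the function names and the sample URLs outside the configuration comments are my own.

```python
"""Model of how a web policy agent matches a request against its not-enforced
list, including the path-info stripping controlled by ignore_path_info.
Constructed example; not the agent's code."""
import re
from urllib.parse import urlsplit, urlunsplit


def wildcard_to_regex(entry: str) -> "re.Pattern[str]":
    """Compile one not-enforced-list entry: '*' matches any run of characters,
    every other character (including '?' and '.') is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in entry.split("*")) + "$")


def strip_extra_info(url: str, path_info: str) -> str:
    """Reduce the request URL to the resource the web server itself maps,
    dropping the query string and the path info the server reported.
    Assumption: this is what the agent's "strip the path info" step does."""
    parts = urlsplit(url)
    path = parts.path
    if path_info and path.endswith(path_info):
        path = path[: -len(path_info)]
    return urlunsplit((parts.scheme, parts.netloc, path, "", ""))


def is_not_enforced(not_enforced_list: str, url: str, path_info: str = "",
                    ignore_path_info: bool = False, invert: bool = False) -> bool:
    """Return True when no authentication is required for the request.

    not_enforced_list: value of com.sun.am.policy.agents.config.notenforced_list
                       (space-separated URLs, '*' wildcards allowed)
    path_info:         the PATH_INFO the web server reports for the request
    ignore_path_info:  value of com.sun.am.policy.agents.config.ignore_path_info
    invert:            value of com.sun.am.policy.agents.config.notenforced_list.invert
    """
    matched = False
    for entry in not_enforced_list.split():
        candidate = url
        # Only wildcard entries can be satisfied by appending the pattern to an
        # unrelated URI, so only they trigger the stripping step (unless disabled).
        if "*" in entry and not ignore_path_info:
            candidate = strip_extra_info(url, path_info)
        if wildcard_to_regex(entry).match(candidate):
            matched = True
            break
    # invert=true turns the list into the set of URLs that ARE enforced
    return not matched if invert else matched


def decisions(ignore_path_info: bool) -> dict:
    """Evaluate the cases from the configuration comments under one
    ignore_path_info setting; returns {case name: needs no authentication}."""
    gif_list = "http://host/*.gif"
    proxy_list = "http://host/webapp/servcontext/*"
    return {
        "plain gif": is_not_enforced(gif_list, "http://host/logo.gif",
                                     ignore_path_info=ignore_path_info),
        "index.html?hack.gif": is_not_enforced(
            gif_list, "http://host/index.html?hack.gif",
            ignore_path_info=ignore_path_info),
        "reverse proxy jsp": is_not_enforced(
            proxy_list, "http://host/webapp/servcontext/example.jsp",
            path_info="/servcontext/example.jsp",
            ignore_path_info=ignore_path_info),
    }


if __name__ == "__main__":
    for setting in (False, True):
        print(f"ignore_path_info = {str(setting).lower()}")
        for case, open_access in decisions(setting).items():
            print(f"  {case:22s} -> {'not enforced' if open_access else 'enforced'}")
```

With the default (false) the appended-pattern request stays enforced but the reverse-proxy JSP is also enforced; with true both are open, which is why the comments say nothing should follow the '*' when the property is enabled.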

  • What kind of permissions are needed  in LDAP to install Access Manager?

    Hi people,
    I'm trying to install Access Manager on three different machines, and I'll try to configure them in a failover schema, but I'm not the owner of the LDAP where the Access Manager DIT is going to live. My question is: what kind of permissions do I need to install it? Right now I've tried to install it three times and I can't get a successful install process. This is a summary of the common errors that I've got in the Java_Enterprise_System_Config_Log.xxxx:
    adding new entry ou=portalmmm_1.0_n21i,ou=internalData,ou=1.0,ou=SunAMClientData,ou=ClientData,o=bbva
    sleep 3
    ERROR : Configuring/Loading of the default DIT in the Directory Server failed
    CLASSPATH is --- /opt/SUNWam/locale:/etc/opt/SUNWam/config:/opt/SUNWam/lib:/opt/SUNWam/lib/am_services.jar:/opt/SUNWam/lib/ldapjdk.jar:/usr/share/lib/mps/secv1/jss4.jar:/opt/SUNWam/lib/am_sdk.jar
    Loading service schema XML files ...
    Info 109: Calling SCHEMA MANAGER
    Info 110: XML file to import:/etc/opt/SUNWam/config/ums/ums.xml
    Info 103: Loading Service Schema XML /etc/opt/SUNWam/config/ums/ums.xml
    Loading Service Schema XML /etc/opt/SUNWam/config/ums/ums.xml
    Error occured while loading: /etc/opt/SUNWam/config/ums/ums.xml
    Error Log:
    ldap_modify: Insufficient access
    ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-pluginEnabled' attribute of entry 'cn=referential integrity postoperation,cn=plugins,cn=config'.
    ldap_modify: Insufficient access
    ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-pluginarg10' attribute of entry 'cn=referential integrity postoperation,cn=plugins,cn=config'.
    ldap_add: Already exists
    ldap_add: Insufficient access
    ldap_add: Insufficient access
    ldap_add: Insufficient access
    ldap_add: Insufficient access
    ldap_add: Insufficient access
    ldap_add: Already exists
    ldap_add: Already exists
    ldap_add: Already exists
    ldap_add: Already exists
    ldap_add: Already exists
    ldap_modify: Insufficient access
    ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-sizelimit' attribute of entry 'cn=config'.
    ldap_modify: Insufficient access
    ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-timelimit' attribute of entry 'cn=config'.
    ldap_modify: Insufficient access
    ldap_modify: additional info: Insufficient 'write' privilege to the 'nsslapd-lookthroughlimit' attribute of entry 'cn=config,cn=ldbm database,cn=plugins,cn=config'.
    ldap_add: Already exists
    ldap_add: Insufficient access
    ldap_add: additional info: Insufficient 'add' privilege to add the entry 'ou=DSAME Users,o=isp'.
    ldap_modify: Type or value exists
    ldap_modify: Insufficient access
    ldap_modify: additional info: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'o=isp'.
    ldap_modify: Insufficient access
    ldap_modify: additional info: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'o=isp'.
    ldap_modify: Insufficient access
    ldap_modify: additional info: Insufficient 'write' privilege to the 'objectClass' attribute of entry 'o=isp'.
    ldap_add: No such object
    ldap_add: matched: o=isp
    ldap_add: No such object
    ldap_add: matched: o=isp
    /opt/SUNWam/bin/amadmin: -Dcom.sun.identity.sm.enableDataStoreNotification=true: not found
    Error 29: ServiceManager Exception
    Error 10: Cannot process requests:
    sms-UNKNOWN_EXCEPTION_OCCURRED
    Identity Server Configuration Failed ...
    Configuration failed for : ISConfigurator
    *** End configuring ISConfigurator***
    Please suggest...
    Thanks in advance
    Lalo

    You can't install Access Manager without full control on the base organization.
    You need the Directory Manager user (maybe with a temporary password) or a user with full permissions on the Access Manager root DN.
    Hope It Helps
    Saludos!!

  • Communications Express doesn't create access Manager SSO session

    Hi all,
    I'm running Communications Express, Sun Access Manager and Sun messaging server, each on separate hosts.
    Single Sign On works i.e. when users have a valid session and point their browser at the Communications Express URL they can access their mail, calendar and addressbooks without further ado.
    When they don't have a valid session though and the users go to the Communications Express URL they get a username and password prompt. If they enter valid credentials they will be logged in, but the session created is only a local session, not an Access Manager SSO session. This behaviour has changed from the previous versions of Comm Exp which wouldn't work at all without SSO.
    Is it possible to configure communications express to either redirect users to the Access Manager's authentication page or have Comm Exp create the SSO session on the users' behalf?
    TIA
    Herman
    Versions:
    - Communications Express 6.3 update 1
    - Sun Java(tm) System Messaging Server 6.3-4.01 (built Aug 3 2007; 32bit)
    libimta.so 6.3-4.01 (built 17:13:29, Aug 3 2007; 32bit)

    Hi Shane,
    as always your answer is better than I could have expected. A more or less complete manual
    just hours after asking my question. Thanks!
    shane_hjorth wrote:
    The cleanest solution I could develop to address the behavioural change was to
    leverage a web-server policy agent to perform the redirections.
    I wrote up a guide but never received any feedback unfortunately so results-may-vary.
    I have republished this guide externally - feedback is welcome:
    http://msg.wikidoc.info/index.php/AM_redirection_using_Policy_Agent
    Took me some time to implement, test and write feedback:
    The setup we have is a little more complex than the single box scenario you
    have tested on:
    From the internet working inwards we have load balanced
    SSL accelerators (apache+SSL doing reverse proxy) in front of
    dedicated application servers running communications express.
    Mail is retrieved from separate mail-store clusters.
    Access manager is configured similarly: load balanced SSL accelerators
    in front of application servers running the login page (distributed
    authentication UI). Those then talk to the access manager cluster.
    Firewalls and access lists between each of those layers. None of the
    applications can be accessed directly from the internet and they are
    limited in what they can access in the DMZ as well.
    I followed your recipe to the letter. After a bit of tweaking everything
    worked like a charm. Policy agent installed and configured on the
    SUN webserver where communications express is deployed.
    Instructions were very good on detail and easy to follow.
    We deploy uwc in the root of the server not in /uwc. Something I didn't notice right away.
    It would seem that the policy agent expects the values com.sun.am.naming.url
    (The URL for the Access Manager Naming service) and
    com.sun.am.policy.am.login.url (The URL of the login page on the Access Manager
    where users should enter their credentials) to be the same host.
    In our setup the URL/host users have to use to log in can't be accessed by the policy agent.
    The policy agent should verify sessions directly against the access manager cluster.
    I played with some of the override settings in the policy agent configuration file but
    without much success. Eventually I used the hostname our users have to use to log
    in and abused the /etc/hosts file to map the external hostname to the internal address
    of the access manager cluster. Users end up on the correct login page, and the policy
    agent can verify the sessions. Ugly, but it works.
    The other issue is that the policy agent redirects to:
    com.sun.am.policy.am.login.url?goto=URL_Protected_by_Policy_Agent
    When a user enters incorrect credentials they get the default login url, without the
    goto parameter. (May be bug in access manager or by design...) After entering their
    credentials correctly on their second or third try users won't be redirected back to UWC,
    but will end up on the default page defined by their iplanet-am-user-success-url LDAP attribute.
    I solved that in the policy agents configuration file by adding the gotoOnFail=URL in the
    definition of com.sun.am.policy.am.login.url:
    com.sun.am.policy.am.login.url = https://login.domain.com:443/amserver/UI/Login?gotoOnFail=https://uwc.domain.com:443
    When you enter incorrect credentials you'll be redirected back to uwc (where the policy agent
    will again intercept you and send you on to the login page for your next try). May be more of
    an issue in the policy agent than your manual.
    Regards,
    Herman

  • How to make the Access Gate SDK work with Web Gate

    When we want to control the display of one area in a page, we can define this area as a resource and then control access to it. But when the user has been authenticated in the application, how can we get the user session and then call the Access Gate SDK to check if the user is authorized? The following is a utility class to achieve it.
    /*
     * $Id: CreateUserAction.java,v 1.1 2005/10/11 23:19:34 jason Exp $
     * $Revision: 1.1 $
     * $Date: 2005/10/11 23:19:34 $
     * Copyright (C) 1972 - 2005, Oracle Co. All Rights Reserved
     * The program(s) herein may be used and/or copied only with
     * the written permission of Oracle Co. or in accordance with
     * the terms and conditions stipulated in the agreement/contract
     * under which the program(s) have been supplied.
     */
    package oblix.view;

    import com.oblix.access.ObAccessException;
    import com.oblix.access.ObConfig;
    import com.oblix.access.ObResourceRequest;
    import com.oblix.access.ObUserSession;
    import javax.servlet.http.Cookie;
    import javax.servlet.http.HttpServletRequest;

    /**
     * Helper that asks the Access Server, through the Access Gate SDK, whether the
     * user behind the current request may access a given resource.
     * @author zhoujian
     */
    public class OblixUtil {
        /** Name of the SSO cookie that WebGate sets after authentication. */
        private static final String ObSSOCookie = "ObSSOCookie";

        private OblixUtil() {
        }

        /**
         * Check if the user is authorized for an HTTP GET on the resource.
         * @param request the servlet request carrying the ObSSOCookie
         * @param rescourceUrl the protected resource URL as defined in the policy
         * @return true only if the Access Server grants access
         */
        public static boolean isAuthorized(HttpServletRequest request,
                String rescourceUrl) {
            return isAuthorized(request, "http", rescourceUrl, "GET");
        }

        /**
         * Check if the user is authorized.
         * @param request the servlet request carrying the ObSSOCookie
         * @param resourceType resource type, e.g. "http"
         * @param rescourceUrl the protected resource URL
         * @param resourceMethod the operation, e.g. "GET"
         * @return true only if the Access Server grants access; false on any
         *         error or when the request carries no session
         */
        private static boolean isAuthorized(HttpServletRequest request,
                String resourceType, String rescourceUrl, String resourceMethod) {
            try {
                ObConfig.initialize();
                ObResourceRequest resource = new ObResourceRequest(resourceType,
                        rescourceUrl, resourceMethod);
                ObUserSession session = getObUserSession(request);
                if (session == null) {
                    // No ObSSOCookie, so there is no session to authorize: deny.
                    return false;
                }
                return session.isAuthorized(resource);
            } catch (ObAccessException oe) {
                oe.printStackTrace();
                ObConfig.shutdown();
                return false;
            }
        }

        /**
         * Get the Oblix user session from the request.
         * @param request the servlet request
         * @return the session built from the ObSSOCookie, or null if absent
         * @throws ObAccessException if the SDK rejects the token
         */
        private static ObUserSession getObUserSession(HttpServletRequest request)
                throws ObAccessException {
            String token = getCookieValueByName(request.getCookies(), ObSSOCookie);
            if (token != null) {
                return new ObUserSession(token);
            }
            return null;
        }

        private static String getCookieValueByName(Cookie[] cookies, String name) {
            if (cookies == null) {
                // getCookies() returns null when the request has no cookies
                return null;
            }
            for (int i = 0; i < cookies.length; i++) {
                if (cookies[i].getName().equalsIgnoreCase(name)) {
                    return cookies[i].getValue();
                }
            }
            return null;
        }
    }

    Couple of options. You seem to have taken the Access Gate based approach. I will throw this in anyway and you can make a call which one you want to use.
    If it's a web application you can control authorization based on Resource by defining policy in the Access Manager.
    You mentioned about display of one area in one page. That should be driven off of a User attribute or custom logic. If it is driven off of a User attribute then you can return a header variable and you can check it in the code as opposed to writing a custom access gate.
    Now if you do want to write a custom access gate when the resource is already protected by a Web gate,
    you can get the ObSSOCookie from the user's browser session.
    You can pass the URL to the IsAuthorized method and call it.
    Now here you have to install the Access Server SDK on the server, create a custom access gate and then write the code and deploy it on that server.
    Thanks
    Ram

  • How to make the Access Gate work

    I have been following the developer's guide to write an access gate. My application (simple html) is running on JBoss, and I want to protect this resource using the access gate. JAccessGate.java is working fine, however the access gate is not intercepting the resource request.
    How do I configure JBoss with the Access Server so that the Access Gate processes the request?
    The servlet example isn't working ... constants.REQUEST isn't being recognised despite adding all the pkg's.
    It would be helpful if someone could share the steps to achieve this.
    Apart from that, any idea about how the reverse proxy works?
    thanks and regards
    Edited by: user642640 on Jun 6, 2009 4:14 AM

  • Access Management Basic Questions

    Hello, I have several basic questions regarding the access manager. Short answers are OK for me.
    1) Is there a built-in self registration process for end users?
    2) Where does Access Manager store its user data (AD, LDAP, Identity Server?)
    3) Does Access Manager come standalone or does it rely on SUN IdM?
    4) Does Access Manager have its own workflow engine or can it rely on IdM?
    5) What is the programming language, XPRESS or any other?
    Thank You !!!!

    Hi Shivaram, thank you for the reply.
    Regarding 4: what if I want to create the workflow for End User self registration, for example the user must be approved by a manager. Should this be done by IDM? Does that mean that the whole self registration process will be moved to IDM?
    Regarding 5, I meant: is there a possibility to write my own code which will expand the Access Manager capabilities, like making some changes in the AM user creation or deletion process, sending notifications to end users etc.? Is there any API or programming language for this?
    Thank You!!!
    Alex.
