Tuesday, December 22, 2009

Dev. tip to change default auth modules through back door entry

1. Open Sun DS Console or any LDAP browser and connect to the backend DS configured for the AM server.

2. Browse to the following DN:
ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthService,ou=services,dc=sfbay,dc=sun,dc=com

3. Edit the sunkeyvalue attribute, changing iplanet-am-auth-allowed-modules from UNIX to LDAP:
sunkeyvalue: iplanet-am-auth-allowed-modules=LDAP

4. Restart AM.

Thursday, September 3, 2009

nsRole attribute for AM Identities

Step-1: Create a new user identity testuser1

Step-2: Create a new role identity testrole1

Step-3: Assign testrole1 to testuser1.
Sun AM uses the nsRole attribute of DS to store the roles of a user identity. To verify this, run ldapsearch against DS:
ldapsearch -b "dc=red,dc=iplanet,dc=com" -D "cn=Directory Manager" -w -h jackal.red.iplanet.com -p 7389 -s sub "uid=testuser1" nsRole

Step-4: Delete testrole1. DS then removes the testrole1 DN from the nsRole attribute of testuser1. This works only if the Referential integrity plugin is enabled in DS. You can check whether referential integrity is enabled or disabled with:

dsconf get-server-prop -p 7389 -h jackal.red.iplanet.com -D "cn=Directory Manager" -w /opt/pass.txt | grep ref-integrity-enabled

ref-integrity-enabled : on

where dsconf is a tool from the DSEE installation. It is available in the following location:
/opt/SUNWdsee/ds6/bin
/opt is the default location of the Sun DSEE installation.

Wednesday, September 2, 2009

Command to check whether the referential integrity plugin is enabled on Sun DS

dsconf get-server-prop -p 389 -h jackal.red.iplanet.com -D "cn=Directory Manager" -w /opt/pass.txt | grep ref-integrity-enabled

where dsconf is a tool from the DSEE installation. It is available in the following location:
/opt/SUNWdsee/ds6/bin
where /opt is the default installation location.

Wednesday, August 26, 2009

Debug DSEE 6.3 Sun DS on machine restart

------------- Step 1 ---------------

bash-3.00# /opt/SUNWdsee/dscc6/bin/dsccsetup initialize
***
DSCC Application is already registered
***
DSCC Agent is already registered
***
DSCC Registry has already been created
***

------------- Step 2 ---------------

bash-3.00# /opt/SUNWdsee/dscc6/bin/dsccsetup status
***
DSCC Application is registered in Sun Java (TM) Web Console
***
DSCC Agent is registered in Cacao
***
DSCC Registry has been created
Path of DSCC registry is /var/opt/SUNWdsee/dscc6/dcc/ads
Port of DSCC registry is 3998
DSCC registry is not running. You may start it using:
/opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/dscc6/dcc/ads
***

------------- Step 3 ---------------

bash-3.00# /opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/dscc6/dcc/ads
Server started: pid=2510

------------- Step 4 ---------------

bash-3.00# /opt/SUNWdsee/dscc6/bin/dsccsetup status
***
DSCC Application is registered in Sun Java (TM) Web Console
***
DSCC Agent is registered in Cacao
***
DSCC Registry has been created
Path of DSCC registry is /var/opt/SUNWdsee/dscc6/dcc/ads
Port of DSCC registry is 3998
***

------------- Step 5 ---------------

bash-3.00# cacaoadm status
default instance is DISABLED at system startup.
default instance is not running.

bash-3.00# cacaoadm start

------------- Step 6 ---------------

bash-3.00# smcwebserver start
Access Sun Java Web Console at port 6789 (default)

Wednesday, May 6, 2009

cookies in case of session upgrade vs forceauth

In the case of an Access Manager session upgrade, a new session is created by copying the contents of the old session, and the old session is destroyed. So if you observe the iPlanetDirectoryPro cookie, its value changes.

In the case of Access Manager forceauth, the same session is kept. So if you observe the iPlanetDirectoryPro cookie, its value does not change.

How to test this forceauth behavior?

1. http://host:port/amserver/UI/Login?module=DataStore. Complete a successful authentication.

2. http://host:port/amserver/UI/Login?module=LDAP&ForceAuth=true. This now kicks in force auth.

Wednesday, April 15, 2009

Configuring Kerberos on Solaris 10 to set up Access Manager

It is a painful task. The document provided by MIT does not help at all.
We need to use the Solaris security services admin guide to get this working. Thanks to the Kerberos team at Sun.

The kdcmgr utility mentioned in the document is not available on Solaris 10 by default. For simplicity, use the same password in all steps to get this working.

The step-by-step procedure that I followed is documented below:
-----------------------------------------------------
bash-3.00# cat krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
default_keytab_name = /etc/krb5/kadm5.keytab
default_realm = RED.IPLANET.COM
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
kdc_timesync = 0
kdc_default_options = 0x40000010
clockskew = 300
check_delegate = 0
ccache_type = 3
kdc_timeout = 60000

[realms]
RED.IPLANET.COM = {
kdc = avatar.red.iplanet.com:88
admin_server = avatar.red.iplanet.com:749
default_domain = red.iplanet.com
}

[domain_realm]
.red.iplanet.com = RED.IPLANET.COM
red.iplanet.com = RED.IPLANET.COM

[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

bash-3.00# cat kdc.conf
#
# Copyright 1998-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "@(#)kdc.conf 1.2 02/02/14 SMI"

[kdcdefaults]
kdc_ports = 88,750

[realms]
RED.IPLANET.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
sunw_dbprop_enable = true
sunw_dbprop_master_ulogsize = 1000
}


bash-3.00# cat kadm5.acl
#
# Copyright (c) 1998-2000 by Sun Microsystems, Inc.
# All rights reserved.
#
#pragma ident "@(#)kadm5.acl 1.1 01/03/19 SMI"

*/admin@RED.IPLANET.COM *


bash-3.00# ./kdb5_util create -s
Initializing database '/var/krb5/principal' for realm 'RED.IPLANET.COM',
master key name 'K/M@RED.IPLANET.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

bash-3.00# ./kadmin.local
Authenticating as principal root/admin@RED.IPLANET.COM with password.

kadmin.local: addprinc kws/admin
WARNING: no policy specified for kws/admin@RED.IPLANET.COM; defaulting to no policy
Enter password for principal "kws/admin@RED.IPLANET.COM":
Re-enter password for principal "kws/admin@RED.IPLANET.COM":
Principal "kws/admin@RED.IPLANET.COM" created.

kadmin.local: addprinc -randkey kiprop/avatar.red.iplanet.com
WARNING: no policy specified for kiprop/avatar.red.iplanet.com@RED.IPLANET.COM; defaulting to no policy
Principal "kiprop/avatar.red.iplanet.com@RED.IPLANET.COM" created.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/avatar.red.iplanet.com
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/avatar.red.iplanet.com
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/avatar.red.iplanet.com
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: quit

bash-3.00# svcadm enable -r network/security/krb5kdc
bash-3.00# svcadm enable -r network/security/kadmin

bash-3.00# /usr/sbin/kadmin -p kws/admin
Authenticating as principal kws/admin@RED.IPLANET.COM with password.
kadmin: Incorrect password while initializing kadmin interface
bash-3.00#

bash-3.00# cat /etc/resolv.conf
domain red.iplanet.com
search red.iplanet.com sfbay.sun.com sun.com
nameserver 129.145.155.55
nameserver 129.145.155.170
nameserver 192.18.120.21
nameserver 192.18.120.24
#nameserver 129.148.9.196
#nameserver 129.148.9.197
#nameserver 129.147.9.5
#nameserver 129.145.155.220

avatar# touch /var/log/kadmind.log /var/log/krb5kdc.log
> /var/log/krb5libs.log
avatar# svcadm restart krb5kdc
avatar# svcadm restart kadmin
avatar# kadmin -p kws/admin
Authenticating as principal kws/admin@RED.IPLANET.COM with password.
Password for kws/admin@RED.IPLANET.COM:
kadmin: listprincs
K/M@RED.IPLANET.COM
changepw/avatar.red.iplanet.com@RED.IPLANET.COM
kadmin/admin@RED.IPLANET.COM
kadmin/avatar.red.iplanet.com@RED.IPLANET.COM
kadmin/changepw@RED.IPLANET.COM
kadmin/history@RED.IPLANET.COM
kiprop/avatar.red.iplanet.com@RED.IPLANET.COM
krbtgt/RED.IPLANET.COM@RED.IPLANET.COM
kws/admin@RED.IPLANET.COM
kadmin:

bash-3.00# ./kadmin -p kws/admin
Authenticating as principal kws/admin@RED.IPLANET.COM with password.
Password for kws/admin@RED.IPLANET.COM:
kadmin: addprinc -randkey host/avatar.red.iplanet.com
WARNING: no policy specified for host/avatar.red.iplanet.com@RED.IPLANET.COM; defaulting to no policy
Principal "host/avatar.red.iplanet.com@RED.IPLANET.COM" created.

kadmin: addprinc clntconfig/admin
WARNING: no policy specified for clntconfig/admin@RED.IPLANET.COM; defaulting to no policy
Enter password for principal "clntconfig/admin@RED.IPLANET.COM":
Re-enter password for principal "clntconfig/admin@RED.IPLANET.COM":
Principal "clntconfig/admin@RED.IPLANET.COM" created.
kadmin: quit

bash-3.00# kadmin -p kws/admin
Authenticating as principal kws/admin@RED.IPLANET.COM with password.
Password for kws/admin@RED.IPLANET.COM:
kadmin: ktadd host/avatar.red.iplanet.com
kadmin: Cannot write to specified key table while adding key to keytab
kadmin: quit

bash-3.00# ./kadmin.local
Authenticating as principal root/admin@RED.IPLANET.COM with password.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab host/avatar.red.iplanet.com
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: quit

bash-3.00# /usr/sbin/kadmin.local
Authenticating as principal root/admin@RED.IPLANET.COM with password.
kadmin.local: listprincs
1 K/M@RED.IPLANET.COM
2 changepw/avatar.red.iplanet.com@RED.IPLANET.COM
3 clntconfig/admin@RED.IPLANET.COM
4 host/avatar.red.iplanet.com@RED.IPLANET.COM
5 kadmin/admin@RED.IPLANET.COM
6 kadmin/avatar.red.iplanet.com@RED.IPLANET.COM
7 kadmin/changepw@RED.IPLANET.COM
8 kadmin/history@RED.IPLANET.COM
9 kiprop/avatar.red.iplanet.com@RED.IPLANET.COM
10 krbtgt/RED.IPLANET.COM@RED.IPLANET.COM
11 kws/admin@RED.IPLANET.COM
kadmin.local: quit

bash-3.00# svcs -a | grep secur
disabled 20:24:27 svc:/network/security/krb5_prop:default
online 20:24:27 svc:/network/security/ktkt_warn:default
online 10:15:30 svc:/network/security/krb5kdc:default
online 10:15:32 svc:/network/security/kadmin:default

************ Configuration on AM ******************
kadmin.local: addprinc root
kinit root
klist

kadmin.local: addprinc -randkey HTTP/avatar.red.iplanet.com
kadmin.local: ktadd -k /opt/SUNWam/avatar.HTTP.keytab HTTP/avatar.red.iplanet.com
kinit -k -t /opt/SUNWam/avatar.HTTP.keytab HTTP/avatar.red.iplanet.com
klist -k /opt/SUNWam/avatar.HTTP.keytab

mv /opt/SUNWam/avatar.HTTP.keytab /etc/opt/SUNWam/config/

Service Principal: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
Keytab File Name: /etc/opt/SUNWam/config/avatar.HTTP.keytab
Kerberos Realm: RED.IPLANET.COM
Kerberos Server Name: avatar.red.iplanet.com
Return Principal with Domain Name: Disabled
Authentication Level: 0

- Restart AM WebServer

The debug file amAuthWindowsDesktopSSO should show the following debug messages if auth succeeded:
04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]
**********************************************
04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]
WindowsDesktopSSO params:
principal: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
keytab file: /etc/opt/SUNWam/config/avatar.HTTP.keytab
realm : RED.IPLANET.COM
kdc server: avatar.red.iplanet.com
domain principal: false
auth level: 0
04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]
Init WindowsDesktopSSO. This should not happen often.
04/18/2009 11:56:39:945 PM PDT: Thread[service-j2ee-3,5,main]
New Service Login ...
04/18/2009 11:56:40:586 PM PDT: Thread[service-j2ee-3,5,main]
Service login succeeded.
04/18/2009 11:56:40:704 PM PDT: Thread[service-j2ee-3,5,main]
SPNEGO token:
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
token tag:60
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
SPNEGO OID found in the Auth Token
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
DerValue: found init token
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
DerValue: 0x30 constructed token found
04/18/2009 11:56:40:712 PM PDT: Thread[service-j2ee-3,5,main]
Kerberos token retrieved from SPNEGO token:
04/18/2009 11:56:40:712 PM PDT: Thread[service-j2ee-3,5,main]
In authenticationToken ...
04/18/2009 11:56:40:724 PM PDT: Thread[service-j2ee-3,5,main]
Context created.
04/18/2009 11:56:41:124 PM PDT: Thread[service-j2ee-3,5,main]
Token returned from acceptSecContext:

04/18/2009 11:56:41:124 PM PDT: Thread[service-j2ee-3,5,main]
Context establised !
04/18/2009 11:56:41:125 PM PDT: Thread[service-j2ee-3,5,main]
User authenticated: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
04/18/2009 11:56:41:127 PM PDT: Thread[service-j2ee-3,5,main]
WindowsDesktopSSO authentication succeeded.
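The debug log above shows the module unwrapping the browser's SPNEGO token step by step: outer tag 0x60, SPNEGO OID, the [0] NegTokenInit, the 0x30 constructed SEQUENCE, and finally the Kerberos token inside the mechToken. The following is an added example, not code from the original post or from Access Manager, that performs the same DER unwrapping in Python and rejects malformed framing; the AP-REQ it wraps is a constructed placeholder, not a real ticket.

```python
# Added example, not from the original post: unwrap a SPNEGO NegTokenInit
# (RFC 2743 InitialContextToken framing, RFC 4178, RFC 4121) and return the
# Kerberos AP-REQ it carries, as the amAuthWindowsDesktopSSO debug log reports.
SPNEGO_OID = bytes.fromhex("2b0601050502")       # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("2a864886f712010202")   # 1.2.840.113554.1.2.2
KRB5_AP_REQ = b"\x01\x00"                        # TOK_ID of KRB_AP_REQ

def tlv(tag, body):
    """DER-encode one element; lengths above 127 use the long form (81 xx / 82 xx xx)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def read_tlv(buf, pos=0):
    """Decode the element at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                              # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the token")
    return tag, buf[pos:pos + length], pos + length

def build_spnego_init(ap_req):
    """Wrap an AP-REQ as InitialContextToken > NegTokenInit (constructed test input)."""
    krb_token = tlv(0x60, tlv(0x06, KRB5_OID) + KRB5_AP_REQ + ap_req)
    mech_types = tlv(0xA0, tlv(0x30, tlv(0x06, KRB5_OID)))   # [0] mechTypes
    mech_token = tlv(0xA2, tlv(0x04, krb_token))             # [2] mechToken
    neg_init = tlv(0xA0, tlv(0x30, mech_types + mech_token))
    return tlv(0x60, tlv(0x06, SPNEGO_OID) + neg_init)

def extract_krb5_token(spnego):
    """Return (mechanism OIDs offered, raw AP-REQ bytes); raise ValueError on bad framing."""
    tag, body, _ = read_tlv(spnego)
    if tag != 0x60:
        raise ValueError("token tag 0x%02x is not a GSS-API InitialContextToken" % tag)
    tag, oid, pos = read_tlv(body)
    if tag != 0x06 or oid != SPNEGO_OID:
        raise ValueError("SPNEGO OID not found in the auth token")
    tag, init, _ = read_tlv(body, pos)            # [0] NegTokenInit
    if tag != 0xA0:
        raise ValueError("no NegTokenInit after the SPNEGO OID")
    tag, seq, _ = read_tlv(init)                  # 0x30 constructed token
    if tag != 0x30:
        raise ValueError("NegTokenInit is not a SEQUENCE")
    mechs, mech_token, pos = [], None, 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA0:                           # mechTypes: SEQUENCE OF OID
            _, oids, _ = read_tlv(val)
            p = 0
            while p < len(oids):
                _, o, p = read_tlv(oids, p)
                mechs.append(o)
        elif tag == 0xA2:                         # mechToken OCTET STRING
            _, mech_token, _ = read_tlv(val)
    if mech_token is None:
        raise ValueError("NegTokenInit carries no mechToken")
    _, inner, _ = read_tlv(mech_token)            # inner 0x60 InitialContextToken
    _, oid, pos = read_tlv(inner)
    if oid != KRB5_OID or inner[pos:pos + 2] != KRB5_AP_REQ:
        raise ValueError("mechToken is not a Kerberos V5 AP-REQ")
    return mechs, inner[pos + 2:]

if __name__ == "__main__":
    # Constructed placeholder AP-REQ: tag 0x6e, pvno 5, then filler bytes.
    fake_ap_req = tlv(0x6E, b"\xa0\x03\x02\x01\x05" + b"\x00" * 300)
    mechs, ap_req = extract_krb5_token(build_spnego_init(fake_ap_req))
    print("mechs:", [m.hex() for m in mechs], "ap_req intact:", ap_req == fake_ap_req)
```

The filler makes the token long enough that the outer lengths use the two-byte long form (60 82 ..), the same shape as the logged token.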

***********************************************************************

bash-3.00# /usr/sbin/kadmin.local
Authenticating as principal HTTP/admin@RED.IPLANET.COM with password.
kadmin.local: listprincs
1 HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
2 K/M@RED.IPLANET.COM
3 changepw/avatar.red.iplanet.com@RED.IPLANET.COM
4 clntconfig/admin@RED.IPLANET.COM
5 demo1@RED.IPLANET.COM
6 demouser1@RED.IPLANET.COM
7 host/avatar.red.iplanet.com@RED.IPLANET.COM
8 kadmin/admin@RED.IPLANET.COM
9 kadmin/avatar.red.iplanet.com@RED.IPLANET.COM
10 kadmin/changepw@RED.IPLANET.COM
11 kadmin/history@RED.IPLANET.COM
12 kiprop/avatar.red.iplanet.com@RED.IPLANET.COM
13 krbtgt/RED.IPLANET.COM@RED.IPLANET.COM
14 kws/admin@RED.IPLANET.COM
15 root@RED.IPLANET.COM
kadmin.local:

Friday, March 20, 2009

Check AM patches on solaris-10

If you are installing patches and want to know which patches are already installed on AM 7.1, check the patch version of the AMSDK package:
pkgparam SUNWamsdk PATCHLIST

Monday, March 9, 2009

OAuth Standard

Some useful links related to OAuth standard:
OAuth Home Page: http://oauth.net/
Getting started doc: http://oauth.net/documentation/getting-started
Interfacing with Google Apps: http://code.google.com/apis/accounts/docs/OAuth.html
Play ground to try OAuth: http://googlecodesamples.com/oauth_playground/

Monday, March 2, 2009

Command to deploy war file on Sun App Server

/opt/SUNWappserver/appserver/bin/asadmin deploy --user admin --passwordfile XXXXXXXX --host s-6000b-t6300d-zone7-sca11.sfbay.sun.com --port 4849 --contextroot amserver --name amserver --target domain /opt/SUNWam/amserver.war

Wednesday, February 25, 2009

Test sample to redirect to another site during AM Authentication

package com.trusteq.test;

import java.util.HashMap;
import java.util.Map;
import java.util.Iterator;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.RedirectCallback;
import com.sun.identity.wss.security.SecurityPrincipal;
import com.iplanet.am.util.Debug;

public class LoginModuleSample extends AMLoginModule {

    private String userTokenId;
    private String userName = "test";
    private String userPassword;
    private String status;
    private java.security.Principal userPrincipal = null;
    private static final String amAuthLoginModuleSample = "amAuthLoginModuleSample";
    private static Debug debug = Debug.getInstance(amAuthLoginModuleSample);

    public LoginModuleSample() throws LoginException {
        debug.message("LoginModuleSample()");
    }

    public void init(Subject subject, Map sharedState, Map options) {
        debug.message("LoginModuleSample initialization");
    }

    public int process(Callback[] callbacks, int state) throws AuthLoginException {
        int currentState = state;
        debug.message("LoginModuleSample process");
        if (currentState == 1) {
            // State 1: login page submitted; the password decides whether to redirect.
            userPassword = charToString(
                ((PasswordCallback) callbacks[1]).getPassword(), callbacks[1]);
            debug.message("userName : " + userName);
            // Test sample only: a production module must not log credentials.
            debug.message("userPassword : " + userPassword);

            if (userName.length() == 0 || userPassword.length() == 0) {
                throw new AuthLoginException("names must not be empty");
            }

            if (userPassword != null && userPassword.equals("payit")) {
                debug.message("Replace redirect data with : " + userName);
                // set #REPLACE# text in next state
                Callback[] callbacks2 = getCallback(2);
                RedirectCallback rc = (RedirectCallback) callbacks2[0];
                Map redirectdata = rc.getRedirectData();
                debug.message("Old RedirectData : " + redirectdata);
                Map newRedirectData = new HashMap();
                if (redirectdata != null) {
                    for (Iterator nvp = redirectdata.entrySet().iterator();
                            nvp.hasNext();) {
                        Map.Entry me = (Map.Entry) nvp.next();
                        String key = (String) me.getKey();
                        String value = (String) me.getValue();
                        int i = value.indexOf("#REPLACE#");
                        String newValue = value;
                        if (i != -1) {
                            newValue = userName;
                        }
                        newRedirectData.put(key, newValue);
                    }
                }
                debug.message("newRedirectData : " + newRedirectData);
                RedirectCallback rcNew = new RedirectCallback(rc.getRedirectUrl(),
                        newRedirectData,
                        rc.getMethod(),
                        rc.getStatusParameter(),
                        rc.getRedirectBackUrlCookieName());

                replaceCallback(2, 0, rcNew);

                // move to state 2, where the RedirectCallback sends the user away
                return 2;
            } else {
                userTokenId = userName;
                // return -1 for login successful
                return -1;
            }
        } else if (currentState == 2) {
            // State 2: the user has come back from the external site; read its status.
            RedirectCallback rc1 = (RedirectCallback) callbacks[0];
            status = rc1.getStatus();
            debug.message("LoginModuleSample status :" + status);
            if (status != null && status.equals(RedirectCallback.SUCCESS)) {
                userTokenId = userName;
                // return -1 for login successful
                return -1;
            } else {
                throw new AuthLoginException("FAILED");
            }
        }
        throw new AuthLoginException("Invalid state : " + currentState);
    }

    public java.security.Principal getPrincipal() {
        if (userPrincipal != null) {
            return userPrincipal;
        } else if (userTokenId != null) {
            userPrincipal = new SecurityPrincipal(userTokenId);
            return userPrincipal;
        } else {
            return null;
        }
    }

    private String charToString(char[] tmpPassword, Callback cbk) {
        if (tmpPassword == null) {
            // treat a NULL password as an empty password
            tmpPassword = new char[0];
        }
        char[] pwd = new char[tmpPassword.length];
        System.arraycopy(tmpPassword, 0, pwd, 0, tmpPassword.length);
        // clear the callback's copy so the password does not linger in the callback
        ((PasswordCallback) cbk).clearPassword();
        return new String(pwd);
    }
}