Tuesday, December 22, 2009

Dev. tip to change default auth modules through back door entry

1. Open the Sun DS Console or any LDAP browser and connect to the backend DS that is configured for the AM server.

2. Browse to the following DN (the default organization-level configuration of the core authentication service; the suffix dc=sfbay,dc=sun,dc=com is the one of this lab):
ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthService,ou=services,dc=sfbay,dc=sun,dc=com

3. sunkeyvalue is a multi-valued attribute that holds one name=value pair per value. Edit only the value iplanet-am-auth-allowed-modules=UNIX and change it to LDAP, leaving the other pairs in place:
sunkeyvalue: iplanet-am-auth-allowed-modules=LDAP

4. Restart AM so that it reloads the cached service configuration. Keep in mind that this route bypasses the AM console and ssoadm: nothing on the AM side validates the module name or logs the change, so treat it as a development shortcut, not an administrative procedure.
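The same change as an ldapmodify input rather than a console edit, as an added example that is not part of the original post. The point it makes is the one that bites when scripting step 3: sunkeyvalue carries every name=value pair of the service, so "replace: sunkeyvalue" with a single value would wipe the whole service configuration; the generator below deletes and adds only the allowed-modules values that differ. The DN is the one from the post; the current sunkeyvalue values are constructed for the example, and the module-name check is this example's own guard against newlines or "=" ending up in the LDIF.

```python
"""Build the LDIF for step 3 without disturbing the rest of the service config."""
import re

# DN copied from the post; the current values below are constructed sample data.
DN = ("ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthService,"
      "ou=services,dc=sfbay,dc=sun,dc=com")
KEY = "iplanet-am-auth-allowed-modules"
MODULE_NAME = re.compile(r"[A-Za-z0-9_]+")      # fullmatch keeps newlines and '=' out of the LDIF

CURRENT_SUNKEYVALUE = [                          # what ldapsearch returns for sunkeyvalue (constructed)
    "iplanet-am-auth-allowed-modules=UNIX",
    "iplanet-am-auth-allowed-modules=DataStore",
    "iplanet-am-auth-login-failure-url=/amserver/UI/Login",
    "iplanet-am-auth-lockout-duration=0",
]


def values_for(sunkeyvalues, key):
    """The values stored under `key` among the name=value pairs of sunkeyvalue."""
    out = []
    for pair in sunkeyvalues:
        name, _, value = pair.partition("=")
        if name == key:
            out.append(value)
    return out


def allowed_modules_ldif(dn, sunkeyvalues, wanted):
    """LDIF modify that makes the allowed-module set equal `wanted` and touches nothing else.

    Only the differing values are deleted/added; "replace: sunkeyvalue" with one value
    would throw away every other name=value pair of the service.
    """
    for mod in wanted:
        if not MODULE_NAME.fullmatch(mod):
            raise ValueError("bad module name: %r" % mod)
    have, want = set(values_for(sunkeyvalues, KEY)), set(wanted)
    mods = ["delete: sunkeyvalue\nsunkeyvalue: %s=%s\n-" % (KEY, m) for m in sorted(have - want)]
    mods += ["add: sunkeyvalue\nsunkeyvalue: %s=%s\n-" % (KEY, m) for m in sorted(want - have)]
    if not mods:
        return ""                                # already in the wanted state
    return "dn: %s\nchangetype: modify\n%s\n" % (dn, "\n".join(mods))


if __name__ == "__main__":
    print(allowed_modules_ldif(DN, CURRENT_SUNKEYVALUE, ["LDAP", "DataStore"]), end="")
```

Feed the output to ldapmodify with the same bind options as the ldapsearch commands elsewhere on this page (-h, -p, -D and the bind password), then restart AM as in step 4.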

Thursday, September 3, 2009

nsRole attribute for AM Identities

Step-1: Create a new user identity testuser1

Step-2: Create a new role identity testrole1

Step-3: Assign testrole1 to testuser1.
Sun AM uses the nsRole attribute of DS to store the roles of a user identity. To verify this, run an ldapsearch against DS (supply the Directory Manager password after -w):
ldapsearch -b "dc=red,dc=iplanet,dc=com" -D "cn=Directory Manager" -w <bind-password> -h jackal.red.iplanet.com -p 7389 -s sub "uid=testuser1" nsRole

Step-4: Delete testrole1. DS then removes the testrole1 DN from the nsRole attribute of testuser1. This works only if the referential integrity plugin is enabled in DS. You can check whether it is enabled with:

dsconf get-server-prop -p 7389 -h jackal.red.iplanet.com -D "cn=Directory Manager" -w /opt/pass.txt | grep ref-integrity-enabled

ref-integrity-enabled : on

dsconf is a tool that comes with the DSEE installation. It is available in:
/opt/SUNWdsee/ds6/bin
where /opt is the default location of the Sun DSEE installation.

Wednesday, September 2, 2009

command to check if referential integrity plugin is enabled on Sun DS?

dsconf get-server-prop -p 389 -h jackal.red.iplanet.com -D "cn=Directory Manager" -w /opt/pass.txt | grep ref-integrity-enabled

dsconf is a tool that comes with the DSEE installation. It is available in:
/opt/SUNWdsee/ds6/bin
where /opt is the default location.

Wednesday, August 26, 2009

Debug DSEE 6.3 Sun DS on machine restart

------------- Step 1 ---------------

bash-3.00# /opt/SUNWdsee/dscc6/bin/dsccsetup initialize
***
DSCC Application is already registered
***
DSCC Agent is already registered
***
DSCC Registry has already been created
***

------------- Step 2 ---------------

bash-3.00# /opt/SUNWdsee/dscc6/bin/dsccsetup status
***
DSCC Application is registered in Sun Java (TM) Web Console
***
DSCC Agent is registered in Cacao
***
DSCC Registry has been created
Path of DSCC registry is /var/opt/SUNWdsee/dscc6/dcc/ads
Port of DSCC registry is 3998
DSCC registry is not running. You may start it using:
/opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/dscc6/dcc/ads
***

------------- Step 3 ---------------

bash-3.00# /opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/dscc6/dcc/ads
Server started: pid=2510

------------- Step 4 ---------------

bash-3.00# /opt/SUNWdsee/dscc6/bin/dsccsetup status
***
DSCC Application is registered in Sun Java (TM) Web Console
***
DSCC Agent is registered in Cacao
***
DSCC Registry has been created
Path of DSCC registry is /var/opt/SUNWdsee/dscc6/dcc/ads
Port of DSCC registry is 3998
***

------------- Step 5 ---------------

bash-3.00# cacaoadm status
default instance is DISABLED at system startup.
default instance is not running.

bash-3.00# cacaoadm start

The status output says the default instance is DISABLED at system startup, which is why it is gone after every reboot; cacaoadm enable makes it start at boot. Likewise, the dsadm enable-service subcommand registers the DSCC registry instance started in step 3 as a service so it comes up with the machine.

------------- Step 6 ---------------

bash-3.00# smcwebserver start
Access Sun Java Web Console at port 6789 (default)

Wednesday, May 6, 2009

cookies in case of session upgrade vs forceauth

In an Access Manager session upgrade, a new session is created by copying the contents of the old session, and the old session is destroyed. So if you watch the iPlanetDirectoryPro cookie, its value changes.

In Access Manager ForceAuth, the same session is kept, so the value of the iPlanetDirectoryPro cookie does not change.

How to test this ForceAuth behavior:

1. http://host:port/amserver/UI/Login?module=DataStore. Complete a successful authentication.

2. http://host:port/amserver/UI/Login?module=LDAP&ForceAuth=true. This now kicks in ForceAuth; the cookie value should stay the same.
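The two-step test above, driven from a script so the cookie comparison is done for you, as an added example that is not part of the original post. It uses AM's zero-page login (IDToken1/IDToken2 on the Login URL) and a cookie jar, so cookies set on the redirect responses are captured too; the host, port and credentials in the main block are placeholders to replace. cookie_value() is for inspecting a captured Set-Cookie header by hand, for instance from a browser's network log.

```python
"""Drive the two logins above and report whether the iPlanetDirectoryPro cookie changed."""
import http.cookiejar
import urllib.parse
import urllib.request

COOKIE = "iPlanetDirectoryPro"   # the AM SSO token cookie


def cookie_value(set_cookie_headers, name=COOKIE):
    """Value of cookie `name` from a list of raw Set-Cookie header strings, else None."""
    for header in set_cookie_headers:
        first = header.split(";", 1)[0]          # drop Path=/Domain=/Secure attributes
        key, sep, value = first.partition("=")
        if sep and key.strip() == name:
            return value.strip().strip('"')
    return None


def classify(before, after):
    """Same token after the second login means ForceAuth; a new token means session upgrade."""
    if before is None or after is None:
        return "no session"
    return "same session (ForceAuth)" if before == after else "new session (session upgrade)"


def login(base, module, user, password, jar, force_auth=False):
    """Zero-page login through `jar`; AM reads IDToken1/IDToken2 from the Login URL.

    Returns the SSO token held in the jar afterwards (cookies set on redirects are kept).
    """
    params = {"module": module, "IDToken1": user, "IDToken2": password}
    if force_auth:
        params["ForceAuth"] = "true"
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    opener.open(base + "/UI/Login?" + urllib.parse.urlencode(params)).close()
    return next((c.value for c in jar if c.name == COOKIE), None)


if __name__ == "__main__":
    base, user, password = "http://host:port/amserver", "demo", "changeit"  # placeholders
    jar = http.cookiejar.CookieJar()
    before = login(base, "DataStore", user, password, jar)
    after = login(base, "LDAP", user, password, jar, force_auth=True)
    print(classify(before, after))
```

Run the second login without ForceAuth=true and the script should report a session upgrade instead.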

Wednesday, April 15, 2009

Configuring kerberos on Solaris-10 to setup Access Manager

It is a painful task. The document provided by MIT does not help at all.
We need to use the Solaris security services admin guide to get this working. Thanks to the Kerberos team in Sun.

The kdcmgr utility mentioned in the document is not available on Solaris-10 by default. For simplicity, use the same password in all steps to get this working.

The step-by-step procedure that I had followed is documented below:
-----------------------------------------------------
bash-3.00# cat krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
dns_lookup_realm = false
dns_lookup_kdc = false
default_keytab_name = /etc/krb5/kadm5.keytab
default_realm = RED.IPLANET.COM
default_tkt_enctypes = des-cbc-md5
default_tgs_enctypes = des-cbc-md5
kdc_timesync = 0
kdc_default_options = 0x40000010
clockskew = 300
check_delegate = 0
ccache_type = 3
kdc_timeout = 60000

[realms]
RED.IPLANET.COM = {
kdc = avatar.red.iplanet.com:88
admin_server = avatar.red.iplanet.com:749
default_domain = red.iplanet.com
}

[domain_realm]
.red.iplanet.com = RED.IPLANET.COM
red.iplanet.com = RED.IPLANET.COM

[appdefaults]
pam = {
debug = true
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
}

bash-3.00# cat kdc.conf
#
# Copyright 1998-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
#ident "@(#)kdc.conf 1.2 02/02/14 SMI"

[kdcdefaults]
kdc_ports = 88,750

[realms]
RED.IPLANET.COM = {
profile = /etc/krb5/krb5.conf
database_name = /var/krb5/principal
admin_keytab = /etc/krb5/kadm5.keytab
acl_file = /etc/krb5/kadm5.acl
kadmind_port = 749
max_life = 8h 0m 0s
max_renewable_life = 7d 0h 0m 0s
sunw_dbprop_enable = true
sunw_dbprop_master_ulogsize = 1000
}


bash-3.00# cat kadm5.acl
#
# Copyright (c) 1998-2000 by Sun Microsystems, Inc.
# All rights reserved.
#
#pragma ident "@(#)kadm5.acl 1.1 01/03/19 SMI"

*/admin@RED.IPLANET.COM *


bash-3.00# ./kdb5_util create -s
Initializing database '/var/krb5/principal' for realm 'RED.IPLANET.COM',
master key name 'K/M@RED.IPLANET.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

bash-3.00# ./kadmin.local
Authenticating as principal root/admin@RED.IPLANET.COM with password.

kadmin.local: addprinc kws/admin
WARNING: no policy specified for kws/admin@RED.IPLANET.COM; defaulting to no policy
Enter password for principal "kws/admin@RED.IPLANET.COM":
Re-enter password for principal "kws/admin@RED.IPLANET.COM":
Principal "kws/admin@RED.IPLANET.COM" created.

kadmin.local: addprinc -randkey kiprop/avatar.red.iplanet.com
WARNING: no policy specified for kiprop/avatar.red.iplanet.com@RED.IPLANET.COM; defaulting to no policy
Principal "kiprop/avatar.red.iplanet.com@RED.IPLANET.COM" created.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/avatar.red.iplanet.com
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/avatar.red.iplanet.com
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw
Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/avatar.red.iplanet.com
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.

kadmin.local: quit

bash-3.00# svcadm enable -r network/security/krb5kdc
bash-3.00# svcadm enable -r network/security/kadmin

bash-3.00# /usr/sbin/kadmin -p kws/admin
Authenticating as principal kws/admin@RED.IPLANET.COM with password.
kadmin: Incorrect password while initializing kadmin interface
bash-3.00#

bash-3.00# cat /etc/resolv.conf
domain red.iplanet.com
search red.iplanet.com sfbay.sun.com sun.com
nameserver 129.145.155.55
nameserver 129.145.155.170
nameserver 192.18.120.21
nameserver 192.18.120.24
#nameserver 129.148.9.196
#nameserver 129.148.9.197
#nameserver 129.147.9.5
#nameserver 129.145.155.220

avatar# touch /var/log/kadmind.log /var/log/krb5kdc.log /var/log/krb5libs.log
avatar# svcadm restart krb5kdc
avatar# svcadm restart kadmin
avatar# kadmin -p kws/admin
Authenticating as principal kws/admin@RED.IPLANET.COM with password.
Password for kws/admin@RED.IPLANET.COM:
kadmin: listprincs
K/M@RED.IPLANET.COM
changepw/avatar.red.iplanet.com@RED.IPLANET.COM
kadmin/admin@RED.IPLANET.COM
kadmin/avatar.red.iplanet.com@RED.IPLANET.COM
kadmin/changepw@RED.IPLANET.COM
kadmin/history@RED.IPLANET.COM
kiprop/avatar.red.iplanet.com@RED.IPLANET.COM
krbtgt/RED.IPLANET.COM@RED.IPLANET.COM
kws/admin@RED.IPLANET.COM
kadmin:

bash-3.00# ./kadmin -p kws/admin
Authenticating as principal kws/admin@RED.IPLANET.COM with password.
Password for kws/admin@RED.IPLANET.COM:
kadmin: addprinc -randkey host/avatar.red.iplanet.com
WARNING: no policy specified for host/avatar.red.iplanet.com@RED.IPLANET.COM; defaulting to no policy
Principal "host/avatar.red.iplanet.com@RED.IPLANET.COM" created.

kadmin: addprinc clntconfig/admin
WARNING: no policy specified for clntconfig/admin@RED.IPLANET.COM; defaulting to no policy
Enter password for principal "clntconfig/admin@RED.IPLANET.COM":
Re-enter password for principal "clntconfig/admin@RED.IPLANET.COM":
Principal "clntconfig/admin@RED.IPLANET.COM" created.
kadmin: quit

bash-3.00# kadmin -p kws/admin
Authenticating as principal kws/admin@RED.IPLANET.COM with password.
Password for kws/admin@RED.IPLANET.COM:
kadmin: ktadd host/avatar.red.iplanet.com
kadmin: Cannot write to specified key table while adding key to keytab
kadmin: quit

bash-3.00# ./kadmin.local
Authenticating as principal root/admin@RED.IPLANET.COM with password.
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab host/avatar.red.iplanet.com
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: quit

bash-3.00# /usr/sbin/kadmin.local
Authenticating as principal root/admin@RED.IPLANET.COM with password.
kadmin.local: listprincs
1 K/M@RED.IPLANET.COM
2 changepw/avatar.red.iplanet.com@RED.IPLANET.COM
3 clntconfig/admin@RED.IPLANET.COM
4 host/avatar.red.iplanet.com@RED.IPLANET.COM
5 kadmin/admin@RED.IPLANET.COM
6 kadmin/avatar.red.iplanet.com@RED.IPLANET.COM
7 kadmin/changepw@RED.IPLANET.COM
8 kadmin/history@RED.IPLANET.COM
9 kiprop/avatar.red.iplanet.com@RED.IPLANET.COM
10 krbtgt/RED.IPLANET.COM@RED.IPLANET.COM
11 kws/admin@RED.IPLANET.COM
kadmin.local: quit

bash-3.00# svcs -a | grep secur
disabled 20:24:27 svc:/network/security/krb5_prop:default
online 20:24:27 svc:/network/security/ktkt_warn:default
online 10:15:30 svc:/network/security/krb5kdc:default
online 10:15:32 svc:/network/security/kadmin:default

************ Configuration on AM ******************
kadmin.local: addprinc root
kinit root
klist

kadmin.local: addprinc -randkey HTTP/avatar.red.iplanet.com
kadmin.local: ktadd -k /opt/SUNWam/avatar.HTTP.keytab HTTP/avatar.red.iplanet.com
kinit -k -t /opt/SUNWam/avatar.HTTP.keytab HTTP/avatar.red.iplanet.com
klist -k /opt/SUNWam/avatar.HTTP.keytab

mv /opt/SUNWam/avatar.HTTP.keytab /etc/opt/SUNWam/config/

Service Principal: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
Keytab File Name: /etc/opt/SUNWam/config/avatar.HTTP.keytab
Kerberos Realm: RED.IPLANET.COM
Kerberos Server Name: avatar.red.iplanet.com
Return Principal with Domain Name: Disabled
Authentication Level: 0

- Restart AM WebServer

The debug file amAuthWindowsDesktopSSO should show the following debug messages if auth succeeded:
04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]
**********************************************
04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]
WindowsDesktopSSO params:
principal: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
keytab file: /etc/opt/SUNWam/config/avatar.HTTP.keytab
realm : RED.IPLANET.COM
kdc server: avatar.red.iplanet.com
domain principal: false
auth level: 0
04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]
Init WindowsDesktopSSO. This should not happen often.
04/18/2009 11:56:39:945 PM PDT: Thread[service-j2ee-3,5,main]
New Service Login ...
04/18/2009 11:56:40:586 PM PDT: Thread[service-j2ee-3,5,main]
Service login succeeded.
04/18/2009 11:56:40:704 PM PDT: Thread[service-j2ee-3,5,main]
SPNEGO token:
60 82 02 79 06 06 2b 06 01 05 05 02 a0 82 02 6d
30 82 02 69 a0 0d 30 0b 06 09 2a 86 48 86 f7 12
01 02 02 a1 04 03 02 01 02 a2 82 02 50 04 82 02
4c 60 82 02 48 06 09 2a 86 48 86 f7 12 01 02 02
01 00 6e 82 02 37 30 82 02 33 a0 03 02 01 05 a1
03 02 01 0e a2 07 03 05 00 00 00 00 00 a3 82 01
4b 61 82 01 47 30 82 01 43 a0 03 02 01 05 a1 11
1b 0f 52 45 44 2e 49 50 4c 41 4e 45 54 2e 43 4f
4d a2 29 30 27 a0 03 02 01 03 a1 20 30 1e 1b 04
48 54 54 50 1b 16 61 76 61 74 61 72 2e 72 65 64
2e 69 70 6c 61 6e 65 74 2e 63 6f 6d a3 81 fd 30
81 fa a0 03 02 01 11 a1 03 02 01 05 a2 81 ed 04
81 ea 8e 55 1d 11 a8 8d 23 ed 34 b5 87 f9 97 0c
bb ef ed 30 ee be c7 95 33 77 84 06 97 a5 da 3e
b8 8d 25 a0 0c dd 06 b3 b4 02 ba ea 50 22 37 b8
29 db 00 40 d3 74 f1 f6 80 1f c9 ff 62 ab 5b 02
4a ed be 75 dd 3c d6 cf 63 3a 49 5c d7 24 74 1d
2c 3d 3b 2d 7d 94 9e b2 2d 05 3b 8a e1 94 30 9d
14 42 9f a1 b4 c4 e7 16 ff 9f c7 3e 89 24 db 13
e4 18 fb 8d f5 50 f7 47 59 6e 86 26 a3 3b 33 0c
a3 89 de 54 77 e2 fd 99 ba 16 cb 1b f2 5f 31 f1
c5 dd 6b 5a e2 d4 d6 23 6e e1 32 a8 ab 83 70 be
f6 ef 50 cb fe cd 20 b3 1a 9f 76 fd 55 59 a1 48
40 38 87 8e 17 96 18 8e 46 44 18 e9 af 1c 23 9e
09 d1 6a b3 55 2e 17 38 1b 9c ae 22 83 04 46 7b
92 ed cc d5 df 28 31 1e 15 00 fc 1b 9d 9d a5 64
1b b0 3c c8 79 3a 85 45 dc 7c e6 80 a4 81 ce 30
81 cb a0 03 02 01 03 a2 81 c3 04 81 c0 51 af 58
86 db 73 b8 8b ba 07 cf 8c 40 46 0b b6 46 8c d0
6b 4c ad 3f 2a 0d a6 ec e8 8c 29 f6 3c ac a5 27
ac 34 95 1f cd d3 cf 78 5b b7 40 2a c3 d4 f8 fb
e5 7e d0 f2 d9 41 c3 b6 48 6f fa 8d ee de d0 fc
76 d4 48 55 a2 98 9c 88 07 7a 87 18 37 bb ac 16
89 17 ee 04 95 5f 58 2d 4e 2f ff da b7 12 2c 2a
2a a0 82 ef c6 43 ae 67 f3 e3 31 9a 77 b2 64 51
5f f4 28 84 0c be 8a 08 da 2e df 0b 77 33 c7 6a
1a 70 8f bd 56 10 bc 5a 6c 8d 82 21 8c be d5 88
69 7b 60 81 a1 31 02 60 73 ed a3 bb 5d b1 fc cc
86 2f 33 96 a1 6d bb 4a 10 94 07 ff 62 9f c6 7c
2c e7 66 89 99 ed 74 69 e8 a3 62 01 14
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
token tag:60
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
SPNEGO OID found in the Auth Token
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
DerValue: found init token
04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]
DerValue: 0x30 constructed token found
04/18/2009 11:56:40:712 PM PDT: Thread[service-j2ee-3,5,main]
Kerberos token retrieved from SPNEGO token:
60 82 02 48 06 09 2a 86 48 86 f7 12 01 02 02 01
00 6e 82 02 37 30 82 02 33 a0 03 02 01 05 a1 03
02 01 0e a2 07 03 05 00 00 00 00 00 a3 82 01 4b
61 82 01 47 30 82 01 43 a0 03 02 01 05 a1 11 1b
0f 52 45 44 2e 49 50 4c 41 4e 45 54 2e 43 4f 4d
a2 29 30 27 a0 03 02 01 03 a1 20 30 1e 1b 04 48
54 54 50 1b 16 61 76 61 74 61 72 2e 72 65 64 2e
69 70 6c 61 6e 65 74 2e 63 6f 6d a3 81 fd 30 81
fa a0 03 02 01 11 a1 03 02 01 05 a2 81 ed 04 81
ea 8e 55 1d 11 a8 8d 23 ed 34 b5 87 f9 97 0c bb
ef ed 30 ee be c7 95 33 77 84 06 97 a5 da 3e b8
8d 25 a0 0c dd 06 b3 b4 02 ba ea 50 22 37 b8 29
db 00 40 d3 74 f1 f6 80 1f c9 ff 62 ab 5b 02 4a
ed be 75 dd 3c d6 cf 63 3a 49 5c d7 24 74 1d 2c
3d 3b 2d 7d 94 9e b2 2d 05 3b 8a e1 94 30 9d 14
42 9f a1 b4 c4 e7 16 ff 9f c7 3e 89 24 db 13 e4
18 fb 8d f5 50 f7 47 59 6e 86 26 a3 3b 33 0c a3
89 de 54 77 e2 fd 99 ba 16 cb 1b f2 5f 31 f1 c5
dd 6b 5a e2 d4 d6 23 6e e1 32 a8 ab 83 70 be f6
ef 50 cb fe cd 20 b3 1a 9f 76 fd 55 59 a1 48 40
38 87 8e 17 96 18 8e 46 44 18 e9 af 1c 23 9e 09
d1 6a b3 55 2e 17 38 1b 9c ae 22 83 04 46 7b 92
ed cc d5 df 28 31 1e 15 00 fc 1b 9d 9d a5 64 1b
b0 3c c8 79 3a 85 45 dc 7c e6 80 a4 81 ce 30 81
cb a0 03 02 01 03 a2 81 c3 04 81 c0 51 af 58 86
db 73 b8 8b ba 07 cf 8c 40 46 0b b6 46 8c d0 6b
4c ad 3f 2a 0d a6 ec e8 8c 29 f6 3c ac a5 27 ac
34 95 1f cd d3 cf 78 5b b7 40 2a c3 d4 f8 fb e5
7e d0 f2 d9 41 c3 b6 48 6f fa 8d ee de d0 fc 76
d4 48 55 a2 98 9c 88 07 7a 87 18 37 bb ac 16 89
17 ee 04 95 5f 58 2d 4e 2f ff da b7 12 2c 2a 2a
a0 82 ef c6 43 ae 67 f3 e3 31 9a 77 b2 64 51 5f
f4 28 84 0c be 8a 08 da 2e df 0b 77 33 c7 6a 1a
70 8f bd 56 10 bc 5a 6c 8d 82 21 8c be d5 88 69
7b 60 81 a1 31 02 60 73 ed a3 bb 5d b1 fc cc 86
2f 33 96 a1 6d bb 4a 10 94 07 ff 62 9f c6 7c 2c
e7 66 89 99 ed 74 69 e8 a3 62 01 14
04/18/2009 11:56:40:712 PM PDT: Thread[service-j2ee-3,5,main]
In authenticationToken ...
04/18/2009 11:56:40:724 PM PDT: Thread[service-j2ee-3,5,main]
Context created.
04/18/2009 11:56:41:124 PM PDT: Thread[service-j2ee-3,5,main]
Token returned from acceptSecContext:

04/18/2009 11:56:41:124 PM PDT: Thread[service-j2ee-3,5,main]
Context establised !
04/18/2009 11:56:41:125 PM PDT: Thread[service-j2ee-3,5,main]
User authenticated: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
04/18/2009 11:56:41:127 PM PDT: Thread[service-j2ee-3,5,main]
WindowsDesktopSSO authentication succeeded.
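The hex dump above is the whole story of the login, and it is worth being able to read it when WindowsDesktopSSO fails. The following Python is an added example, not code from the post or from Access Manager: a small DER walker that takes the "SPNEGO token:" bytes logged above and pulls out the mechanism offered, the service principal and realm inside the ticket, and the encryption types of the ticket and of the authenticator. The OID and etype constants are the registered values from the GSS-API and Kerberos RFCs; the token bytes are copied from the log. What it shows about this setup: the ticket is protected with aes128-cts (etype 17), but the authenticator is des-cbc-md5 (etype 3), consistent with the default_tkt_enctypes = des-cbc-md5 line in the krb5.conf above and the DES entries written into the keytabs. Single DES has been deprecated for years and current KDCs refuse it, so keep that setting to this lab.

```python
SPNEGO_OID, KRB5_OID = "1.3.6.1.5.5.2", "1.2.840.113554.1.2.2"
ETYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1-kd",
               17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
# The 637-byte "SPNEGO token:" hex dump from the debug log above, copied verbatim, spaces removed.
SPNEGO_TOKEN = bytes.fromhex("""
    6082027906062b0601050502a082026d30820269a00d300b06092a864886f712010202a10403020102a2820250048202
    4c6082024806092a864886f71201020201006e82023730820233a003020105a10302010ea20703050000000000a38201
    4b6182014730820143a003020105a1111b0f5245442e49504c414e45542e434f4da2293027a003020103a120301e1b04
    485454501b166176617461722e7265642e69706c616e65742e636f6da381fd3081faa003020111a103020105a281ed04
    81ea8e551d11a88d23ed34b587f9970cbbefed30eebec7953377840697a5da3eb88d25a00cdd06b3b402baea502237b8
    29db0040d374f1f6801fc9ff62ab5b024aedbe75dd3cd6cf633a495cd724741d2c3d3b2d7d949eb22d053b8ae194309d
    14429fa1b4c4e716ff9fc73e8924db13e418fb8df550f747596e8626a33b330ca389de5477e2fd99ba16cb1bf25f31f1
    c5dd6b5ae2d4d6236ee132a8ab8370bef6ef50cbfecd20b31a9f76fd5559a1484038878e1796188e464418e9af1c239e
    09d16ab3552e17381b9cae228304467b92edccd5df28311e1500fc1b9d9da5641bb03cc8793a8545dc7ce680a481ce30
    81cba003020103a281c30481c051af5886db73b88bba07cf8c40460bb6468cd06b4cad3f2a0da6ece88c29f63caca527
    ac34951fcdd3cf785bb7402ac3d4f8fbe57ed0f2d941c3b6486ffa8deeded0fc76d44855a2989c88077a871837bbac16
    8917ee04955f582d4e2fffdab7122c2a2aa082efc643ae67f3e3319a77b264515ff428840cbe8a08da2edf0b7733c76a
    1a708fbd5610bc5a6c8d82218cbed588697b6081a131026073eda3bb5db1fccc862f3396a16dbb4a109407ff629fc67c
    2ce7668999ed7469e8a3620114
""")

def _tlv(buf, pos):  # one DER tag/length at pos -> (tag, value_start, value_end); long-form lengths too
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7f
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the token")
    return tag, pos, pos + length

def _unwrap(buf):  # value of the first TLV in buf: strips one [n] / SEQUENCE / APPLICATION layer
    _, start, end = _tlv(buf, 0)
    return buf[start:end]

def _children(buf):  # (tag, value) of every TLV packed back to back in buf
    pos = 0
    while pos < len(buf):
        tag, start, end = _tlv(buf, pos)
        yield tag, buf[start:end]
        pos = end

def _oid(body):  # dotted form of a DER OID body
    parts, val = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7f)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)

def _gss_header(buf):  # RFC 2743 InitialContextToken: 0x60 <len> OID <inner> -> (oid, inner)
    tag, start, end = _tlv(buf, 0)
    oid_tag, oid_start, oid_end = _tlv(buf, start)
    if tag != 0x60 or oid_tag != 0x06:
        raise ValueError("not a GSS-API initial context token")
    return _oid(buf[oid_start:oid_end]), buf[oid_end:end]

def _etype(enc_data):  # EncryptedData ::= SEQUENCE { etype [0] Int32, kvno [1] OPTIONAL, cipher [2] }
    for tag, body in _children(_unwrap(enc_data)):
        if tag == 0xa0:
            return int.from_bytes(_unwrap(body), "big", signed=True)
    raise ValueError("EncryptedData without etype")

def _ticket(ticket):  # Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0], realm [1], sname [2], enc-part [3] }
    info = {}
    for tag, body in _children(_unwrap(_unwrap(ticket))):
        if tag == 0xa1:
            info["realm"] = _unwrap(body).decode("ascii")
        elif tag == 0xa2:  # PrincipalName ::= SEQUENCE { name-type [0], name-string [1] SEQUENCE OF }
            for ptag, pbody in _children(_unwrap(body)):
                if ptag == 0xa1:
                    info["sname"] = [s.decode("ascii") for _, s in _children(_unwrap(pbody))]
        elif tag == 0xa3:
            info["ticket_etype"] = _etype(body)
    return info

def parse_spnego(token):
    # Offered mechanisms plus realm, service name and both enctypes of the embedded AP-REQ.
    oid, neg = _gss_header(token)
    tag, start, end = _tlv(neg, 0)
    if oid != SPNEGO_OID or tag != 0xa0:  # [0] NegTokenInit; a NegTokenResp would be [1]
        raise ValueError("not a SPNEGO NegTokenInit")
    info = {"mech_types": []}
    for tag, body in _children(_unwrap(neg[start:end])):
        if tag == 0xa0:  # mechTypes ::= SEQUENCE OF OID
            info["mech_types"] = [_oid(o) for _, o in _children(_unwrap(body))]
        elif tag == 0xa2:  # mechToken ::= OCTET STRING holding the Kerberos GSS token (TOK_ID 01 00 = AP-REQ)
            mech, krb = _gss_header(_unwrap(body))
            if mech != KRB5_OID or krb[:2] != b"\x01\x00" or _tlv(krb, 2)[0] != 0x6e:
                raise ValueError("mechToken is not a KRB_AP_REQ")
            for ftag, fbody in _children(_unwrap(_unwrap(krb[2:]))):
                if ftag == 0xa3:
                    info.update(_ticket(fbody))
                elif ftag == 0xa4:
                    info["authenticator_etype"] = _etype(fbody)
    return info

def single_des_fields(info):  # which parts of the AP-REQ were protected with single DES (etypes 1-3)
    return [k for k in ("ticket_etype", "authenticator_etype") if info.get(k) in (1, 2, 3)]
```

parse_spnego(SPNEGO_TOKEN) yields mech_types ["1.2.840.113554.1.2.2"], realm RED.IPLANET.COM, sname ["HTTP", "avatar.red.iplanet.com"], ticket_etype 17 and authenticator_etype 3; look the numbers up in ETYPE_NAMES. The parser deliberately refuses anything that is not a NegTokenInit wrapping a Kerberos AP-REQ, and it bounds-checks every length, which is the minimum for code that reads a token the browser chose to send.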

***********************************************************************

bash-3.00# /usr/sbin/kadmin.local
Authenticating as principal HTTP/admin@RED.IPLANET.COM with password.
kadmin.local: listprincs
1 HTTP/avatar.red.iplanet.com@RED.IPLANET.COM
2 K/M@RED.IPLANET.COM
3 changepw/avatar.red.iplanet.com@RED.IPLANET.COM
4 clntconfig/admin@RED.IPLANET.COM
5 demo1@RED.IPLANET.COM
6 demouser1@RED.IPLANET.COM
7 host/avatar.red.iplanet.com@RED.IPLANET.COM
8 kadmin/admin@RED.IPLANET.COM
9 kadmin/avatar.red.iplanet.com@RED.IPLANET.COM
10 kadmin/changepw@RED.IPLANET.COM
11 kadmin/history@RED.IPLANET.COM
12 kiprop/avatar.red.iplanet.com@RED.IPLANET.COM
13 krbtgt/RED.IPLANET.COM@RED.IPLANET.COM
14 kws/admin@RED.IPLANET.COM
15 root@RED.IPLANET.COM
kadmin.local:

Friday, March 20, 2009

Check AM patches on solaris-10

If you are installing patches and want to know which patches are already installed on AM 7.1, check the patch list recorded for the SUNWamsdk package:
pkgparam SUNWamsdk PATCHLIST

Monday, March 9, 2009

OAuth Standard

Some useful links related to OAuth standard:
OAuth Home Page: http://oauth.net/
Getting started doc: http://oauth.net/documentation/getting-started
Interfacing with Google Apps: http://code.google.com/apis/accounts/docs/OAuth.html
Play ground to try OAuth: http://googlecodesamples.com/oauth_playground/

Monday, March 2, 2009

Command to deploy war file on Sun App Server

/opt/SUNWappserver/appserver/bin/asadmin deploy --user admin --passwordfile XXXXXXXX --host s-6000b-t6300d-zone7-sca11.sfbay.sun.com --port 4849 --contextroot amserver --name amserver --target domain /opt/SUNWam/amserver.war

Wednesday, February 25, 2009

Test sample to redirect to another site during AM Authentication

package com.trusteq.test;

import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.spi.RedirectCallback;
import com.sun.identity.wss.security.SecurityPrincipal;
import com.iplanet.am.util.Debug;

/**
 * Two-state test module. State 1 collects a password: if it is the magic
 * value "payit" the module rewrites the RedirectCallback of state 2 and sends
 * the browser to the external site, otherwise the user is logged in directly.
 * State 2 is entered when the external site redirects back to AM.
 */
public class LoginModuleSample extends AMLoginModule {

    private String userTokenId;
    // The NameCallback of state 1 is ignored; the user is fixed for this test.
    private String userName = "test";
    private String userPassword;
    private String status;
    private java.security.Principal userPrincipal = null;
    private static final String amAuthLoginModuleSample = "amAuthLoginModuleSample";
    private static Debug debug = Debug.getInstance(amAuthLoginModuleSample);

    public LoginModuleSample() throws LoginException {
        debug.message("LoginModuleSample()");
    }

    public void init(Subject subject, Map sharedState, Map options) {
        debug.message("LoginModuleSample initialization");
    }

    public int process(Callback[] callbacks, int state) throws AuthLoginException {
        int currentState = state;
        debug.message("LoginModuleSample process");
        if (currentState == 1) {
            // callbacks[0] is the NameCallback and callbacks[1] the PasswordCallback
            // of state 1, as laid out in the module's callback XML.
            userPassword = charToString(((PasswordCallback) callbacks[1]).getPassword(),
                    callbacks[1]);
            debug.message("userName : " + userName);
            // Never write the password itself to the debug log.
            debug.message("userPassword received, length " + userPassword.length());

            if (userName.length() == 0 || userPassword.length() == 0) {
                throw new AuthLoginException("names must not be empty");
            }

            if (userPassword.equals("payit")) {
                debug.message("Replace redirect data with : " + userName);
                // Substitute the #REPLACE# marker in the redirect data of the next state.
                Callback[] callbacks2 = getCallback(2);
                RedirectCallback rc = (RedirectCallback) callbacks2[0];
                Map redirectdata = rc.getRedirectData();
                debug.message("Old RedirectData : " + redirectdata);
                Map newRedirectData = new HashMap();
                if (redirectdata != null) {
                    for (Iterator nvp = redirectdata.entrySet().iterator(); nvp.hasNext();) {
                        Map.Entry me = (Map.Entry) nvp.next();
                        String key = (String) me.getKey();
                        String value = (String) me.getValue();
                        String newValue = value;
                        if (value.indexOf("#REPLACE#") != -1) {
                            newValue = userName;
                        }
                        newRedirectData.put(key, newValue);
                    }
                }
                debug.message("newRedirectData : " + newRedirectData);
                RedirectCallback rcNew = new RedirectCallback(rc.getRedirectUrl(),
                        newRedirectData,
                        rc.getMethod(),
                        rc.getStatusParameter(),
                        rc.getRedirectBackUrlCookieName());

                replaceCallback(2, 0, rcNew);

                return 2;
            } else {
                userTokenId = userName;
                // return -1 (ISAuthConstants.LOGIN_SUCCEED) for login successful
                return -1;
            }
        } else if (currentState == 2) {
            // Back from the external site, which reports the outcome in the status
            // parameter. That value arrives via the browser, so a real module must
            // verify a signed response from the site rather than trust this string.
            RedirectCallback rc1 = (RedirectCallback) callbacks[0];
            status = rc1.getStatus();
            debug.message("LoginModuleSample status :" + status);
            if (status != null && status.equals(RedirectCallback.SUCCESS)) {
                userTokenId = userName;
                // return -1 for login successful
                return -1;
            } else {
                throw new AuthLoginException("FAILED");
            }
        }
        throw new AuthLoginException("Invalid state : " + currentState);
    }

    public java.security.Principal getPrincipal() {
        if (userPrincipal != null) {
            return userPrincipal;
        } else if (userTokenId != null) {
            userPrincipal = new SecurityPrincipal(userTokenId);
            return userPrincipal;
        } else {
            return null;
        }
    }

    private String charToString(char[] tmpPassword, Callback cbk) {
        if (tmpPassword == null) {
            // treat a NULL password as an empty password
            tmpPassword = new char[0];
        }
        char[] pwd = new char[tmpPassword.length];
        System.arraycopy(tmpPassword, 0, pwd, 0, tmpPassword.length);
        // Clear the callback's copy as soon as we have our own.
        ((PasswordCallback) cbk).clearPassword();
        return new String(pwd);
    }
}

Monday, February 23, 2009

Steps to create distauth war file on OpenSSO

1. Let /space/work/opensso/distauth-workarea be the workarea.

2. Create two directories
build20090121
opensso-war-staging

3. cp opensso.zip ./build20090121

4. cd /space/work/opensso/distauth-workarea/build20090121

5. unzip opensso.zip

6. cd /space/work/opensso/distauth-workarea/opensso-war-staging

7. jar xvf /space/work/opensso/distauth-workarea/build20090121/opensso/deployable-war/opensso.war

8. jar cvf /space/work/opensso/distauth-workarea/build20090121/opensso/deployable-war/fam-distauth.war @/space/work/opensso/distauth-workarea/build20090121/opensso/deployable-war/fam-distauth.list

9. cd /space/work/opensso/distauth-workarea/build20090121/opensso/deployable-war/distauth

10. jar uvf /space/work/opensso/distauth-workarea/build20090121/opensso/deployable-war/fam-distauth.war *

Friday, February 20, 2009

Few useful scripts

Getting directory size in unix
-------------------------------
This little hackish script gets you the exact size of a directory
(recursively) in bytes. It's nothing fancy, we just trick rsync
into telling us and scrub the output.

Script:
-------
#!/bin/bash

DIR=${1?Specify a directory}

[ -d "$DIR" ] || { echo "Not a directory: $DIR" >&2; exit 1; }

# We don't actually copy anything (-n is --dry-run); the number we want is on
# rsync's last line, "total size is N  speedup is ...". Newer rsync prints N
# with thousands separators, so commas are accepted and then dropped.
rsync -n -r "$DIR" /dev/null/ | tail -n1 | perl -pe 's/.*size is ([0-9,]+) .*/$1/; s/,//g'

***************************************************

Grep a class name in a jar
---------------------------
Usage:
-------
$ grepjar EXP JARS...
$ grepjar MyClass myapp.jar

Usable with find.
find ~/.m2/repository/ -name '*.jar' -exec grepjar.sh MyClass {} \;

Or find and xargs
find ~/.m2/repository/ -name '*.jar' | xargs grepjar.sh MyClass

Script:
-------
#!/bin/bash

EXP=${1?must specify a pattern}
shift

for n in "$@"; do
    # print the matching entries, then the name of the jar they were found in
    jar tvf "$n" | grep -E "$EXP" && echo "$n"
done

***************************************************

Relative to Absolute file path conversions:
-------------------------------------------
Here is a little perl script that can turn relative file paths into absolute file paths.
Couldn't find a command for it, so this is the next best thing.

put this in a bin directory in your path somewhere
rel2abs

#!/usr/bin/perl
use strict;
use warnings;
use File::Spec;

my @files;
foreach (@ARGV) {
    push @files, File::Spec->rel2abs($_);
}
print join(" ", @files) . "\n";

then just chmod it

# chmod 755 /usr/local/bin/rel2abs

then run it

# rel2abs ~/././*
/root/anaconda-ks.cfg /root/Desktop /root/install.log /root/install.log.syslog /root/setup.txt

***************************************************
Source: http://docs.codehaus.org/display/ninja/Home

Thursday, February 5, 2009

Manual package removal of Policy Agent 2.2

If you installed Sun AM Policy Agent 2.2 on a Solaris machine and lost its installation folder, you can remove it manually as follows.

1. Look in /var/sadm/install/productregistry for the location of the agent install folder.

2. If the folder found in step 1 no longer exists, do the following:
a. pkgrm SUNWamcom
b. pkgrm SUNWames6
c. Remove all entries related to the agent from /var/sadm/install/productregistry.
d. Remove the agent's entries from the .conf files of the Sun Web Server on which the agent was installed.
e. Restart the web server.

Tuesday, February 3, 2009

Customized authn SPI module in OpenSSO

Customers typically write custom authentication SPI modules when customizing OpenSSO. Here is the set of steps needed:

1. Login into OpenSSO as amadmin

2. Access the following URL
http://opensso/ssoadm.jsp

3. Choose create-svc option

4. Copy and paste the service xml file for your Custom Auth Module. Sample pasted below.

5. To register the custom auth module into the authentication core framework, choose register-auth-module option. Enter the complete module class name i.e including the package.

6. Copy the jar file that contains your SPI plugin classes into $WAR_DIR/WEB-INF/lib

7. If you have any property file that stores i18n keys for your module configuration label, copy it to $WAR_DIR/WEB-INF/classes

8. Copy the XML file that defines the callbacks for the authentication module to the $WAR_DIR/opensso/config/auth/default folder. If the locale is not en_US, copy it to the matching locale folder instead of default.

9. Restart the server

10. Your custom auth module should now be listed among the authentication module types; once an instance is created, it is configurable through the attributes you listed in your service XML file.

11. You are ready to test your custom SPI auth plugin.
http://host:port/opensso/UI/Login?module=testme

Sample SPI plugin
-------------------
package com.iplanet.am.samples.authentication.spi.providers;

import com.iplanet.am.util.Debug;
import com.sun.identity.authentication.spi.AMLoginModule;
import com.sun.identity.authentication.spi.InvalidPasswordException;
import com.sun.identity.authentication.util.ISAuthConstants;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.login.LoginException;
import javax.servlet.http.Cookie;

/**
 * Test case for a sample login module. State 1 prompts for a user name and
 * re-prompts until it is "tu1"; state 2 checks a fixed password and sets a
 * cookie on the response. Everything is logged with debug.error() so that it
 * shows up in the amAuthLakshmanTest debug file whatever the debug level is.
 */
public class LakshmanTest extends AMLoginModule {
    final private static String DEBUG_NAME = "amAuthLakshmanTest";
    final private static Debug debug = Debug.getInstance(DEBUG_NAME);
    private String userTokenId;
    private java.security.Principal userPrincipal = null;

    public LakshmanTest() {
        super();
        debug.error("inside LakshmanTest()");
    }

    @Override
    public void init(Subject subject, Map sharedState, Map options) {
        debug.error("inside LakshmanTest.init()");
        debug.error("subject=" + subject);
        debug.error("ss=" + sharedState);
        debug.error("opts=" + options);
    }

    @Override
    public int process(Callback[] callbacks, int state) throws LoginException {
        debug.error("inside LakshmanTest.process()");

        if (state == 1) {
            debug.error("now in state one");
            NameCallback nc = (NameCallback) callbacks[0];

            // Any name other than tu1 (including none) sends the user back to state 1.
            if (!"tu1".equals(nc.getName())) {
                debug.error("name isn't tu1");
                return 1;
            }
            debug.error("name is tu1");
            return 2;
        } else {
            debug.error("now in state two");
            PasswordCallback pc = (PasswordCallback) callbacks[0];
            char[] pwd = pc.getPassword();
            String password = (pwd == null) ? "" : new String(pwd);
            pc.clearPassword();

            if (!password.equalsIgnoreCase("password")) {
                throw new InvalidPasswordException("invalid password");
            }

            userTokenId = "tu1";

            // The servlet request and response can be null depending on how the
            // module is invoked, so check before using them.
            if (getHttpServletRequest() != null) {
                debug.error("Object returned by getHttpServletRequest = " + getHttpServletRequest());
            } else {
                debug.error("getHttpServletRequest is null");
            }

            if (getHttpServletResponse() != null) {
                getHttpServletResponse().addCookie(new Cookie("wibble", "baa"));
                debug.error("added cookie wibble");
                debug.error("Object returned by getHttpServletResponse = " + getHttpServletResponse());
            } else {
                debug.error("getHttpServletResponse is null");
            }

            return ISAuthConstants.LOGIN_SUCCEED;
        }
    }

    public java.security.Principal getPrincipal() {
        if (userPrincipal != null) {
            return userPrincipal;
        } else if (userTokenId != null) {
            userPrincipal = new LakshmanTestPrincipal(userTokenId);
            return userPrincipal;
        } else {
            return null;
        }
    }

    @Override
    public void destroyModuleState() {
        userTokenId = null;
        userPrincipal = null;
    }
}

package com.iplanet.am.samples.authentication.spi.providers;

import java.io.Serializable;
import java.security.Principal;

public class LakshmanTestPrincipal implements Principal, Serializable {

final private String name;

public LakshmanTestPrincipal(String name) {
this.name = name;
}

public String getName() {
return name;
}

@Override
public boolean equals(Object obj) {
if (obj == null)
return false;
if (this == obj)
return true;
if (!(obj instanceof LakshmanTestPrincipal))
return false;
LakshmanTestPrincipal authprincipal = (LakshmanTestPrincipal) obj;

return getName().equals(authprincipal.getName());
}

@Override
public int hashCode() {
return name.hashCode();
}
}

Thursday, January 29, 2009

ktpass mapuser problem

I ran into this issue a few times when I tried to run the ktpass command doing both mapuser and key generation in one step. The support tool ktpass complains that it cannot fetch the user profile.
This can be resolved by doing it as two separate steps instead of one.

Wednesday, January 28, 2009

Setting password policies on domain controller for Windows Desktop SSO

--------------------------------------------------------------------------------------------

Source: http://technet.microsoft.com/en-us/library/cc781633.aspx#BKMK_2

--------------------------------------------------------------------------------------------

To change password policies:

For a local computer

  1. Open Local Security Settings.
  2. In the console tree, click Password Policy.
    Where?
    • Security Settings/Account Policies/Password Policy
  3. In the details pane, right-click the policy setting that you want, and then click Properties.
  4. Select the options that you want, and then click OK.

Notes

  • To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using Run as to perform this procedure.
  • To open Local Security Policy, click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Local Security Policy.

For a domain, and you are on a member server or a workstation that is joined to the domain

  1. Open Microsoft Management Console (MMC).
  2. On the File menu, click Add/Remove Snap-in, and then click Add.
  3. Click Group Policy Object Editor, and then click Add.
  4. In Select Group Policy Object, click Browse.
  5. In Browse for a Group Policy Object, select a Group Policy object (GPO) in the appropriate domain, site, or organizational unit--or create a new one, click OK, and then click Finish.
  6. Click Close, and then click OK.
  7. In the console tree, click Password Policy.
    Where?
    • Group Policy Object [computer name] Policy/Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy
  8. In the details pane, right-click the policy setting that you want, and then click Properties.
  9. If you are defining this policy setting for the first time, select the Define this policy setting check box.
  10. Select the options that you want, and then click OK.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
  • To open Microsoft Management Console, click Start, click Run, type mmc, and then click OK.

For a domain, and you are on a domain controller or on a workstation that has the Windows Server 2003 Administration Tools Pack installed

  1. Open Active Directory Users and Computers.
  2. In the console tree, right-click the domain or organizational unit that you want to set Group Policy for.
  3. Click Properties, and then click the Group Policy tab.
  4. Click an entry in Group Policy Object Links to select an existing Group Policy object (GPO), and then click Edit. You can also click New to create a new GPO, and then click Edit.
  5. In the console tree, click Password Policy.
    Where?
    • Group Policy Object [computer name] Policy/Computer Configuration/Windows Settings/Security Settings/Account Policies/Password Policy
  6. In the details pane, right-click the policy setting that you want, and then click Properties.
  7. If you are defining this policy setting for the first time, select the Define this policy setting check box.
  8. Select the options that you want, and then click OK.

Notes

  • To perform this procedure, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
  • To open Active Directory Users and Computers, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

Note

  • Password policy ensures that all users are creating passwords that adhere to the guidelines set by administrators. For more information about each of the password policy settings, see "Password policy" in Related Topics.

Tuesday, January 27, 2009

Steps to configure Windows Desktop SSO

Source: http://forums.sun.com/thread.jspa?threadID=5361015&tstart=0
Author: jeffcortade
---------------------

General info

Our environment has external and internal users.
External users are not logging onto a desktop on the AD domain.
Internal users are.
Currently all users have a user in the AD domain and AM authenticates against AD.
The Login method for users is Username and Password.

Our AD has 2 "tiers" we are interested in:

top.hill.com
near.top.hill.com

We use AM 7.1 patch 1 and DS 6. All servers are running Windows 2003 R2.

The AM servers are members of the top.hill.com AD domain. There are 4 of them:

am01 am02 am03 am04.top.hill.com
Sun Directory Servers are the same way:
dir01 dir02 dir03 dir04.top.hill.com

Those are the real hostnames of those systems. This is important, as apparently Kerberos does not like DNS aliases.

Users access Access Manager services via

http://am.hill.com/amserver/UI/Login

This is just a DNS name pointed to the external interface of the load balancers. All traffic currently goes through there; all agents are configured to use that for the LoginURL etc ...

So internal and external users all use that URL through the external interface of the LB.

So, desktop SSO.

Fun.

Steps:

All machines are already present in AD as they are joined to the top.hill.com domain.
Find each of those systems in AD, right-click on them and go to Properties. Check the little box that says "Trust computer for delegation", OK it, and OK the resulting scary warning.

Reboot all of the AM machines after doing this.

Install the Support Tools from the Windows CD on your DC for top.hill.com if they are not already installed.
You will need the ktpass utility to make this work.

Create a user for each host in the Users tree of top.hill.com:

AM01
AM02
AM03
AM04

Add each of them to the Administrators group and set the password to never expire.

On the DC, in a command window:

Create a working directory someplace and CD into it.
You have to do this as a domain admin for top.hill.com. That should be obvious, but hey ...

cd into that directory.

Then run the following, substituting your values, obviously.
You will do this for each host, substituting AM0X with your hostname.
So a total of 8 commands for me.

ktpass -princ HTTP/AM0X.top.hill.com@TOP.HILL.COM -pass YourPasswordHere /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL -mapuser AM0X /out AM0X.HTTP.keytab
ktpass -princ host/AM0X.top.hill.com@TOP.HILL.COM -pass YourPasswordHere /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_PRINCIPAL -mapuser AM0X /out AM0X.host.keytab

This generates files in your working directory. These will get copied to each of your AM hosts.

On each AM host, create a directory to hold the keytab files.
I did it in c:\etc\keytab; you will reference the path to this in the auth modules.
Copy all the files you created on the DC to that directory on every host.

Configure 4 new desktop SSO authentication modules.
I named mine:

desktopAM01 desktopAM02 desktopAM03 desktopAM04

Save all the time, as the console is such fun: after each change, click Save.

Once they are created, configure each of them something like this:

WindowsDesktopSSO params:
principal: HTTP/AM0X.top.hill.com@TOP.HILL.COM
keytab file: c:\etc\keytab\AM0X.HTTP.keytab
realm : TOP.HILL.COM
kdc server: dc0X.top.hill.com

The KDC server is one of the DCs in the top.hill.com domain.

domain principal: false
auth level: any number you like; it depends on your env. 0 works fine unless you are doing something with this.

Once all four are configured,

reboot all the AM servers and restart the web container so AM is accessible.

Now log into a desktop as a user in the near.top.hill.com domain,

then access AM like so:

http://am0X.top.hill.com/amserver/UI/Login?module=desktopAM0X

This should take you directly to your success page without prompting for a username/password.

Once all four work,

I set up a link on the login pages of each with a distinct hostnamed URL.

"Internal users login here" - this points to the above link + a goto:
http://am0X.top.hill.com/amserver/UI/Login?module=desktopAM0X&goto=dynamicallygeneratedurlfromtheoriginalrequest

4 holes are configured on the external LB for each AM host and the associated hostnames are published externally.

Not pretty, but I think this is the only way to get it working.

If anyone knows of a way to get this working using a DNS alias such as

AM.hill.com .... which has no associated host or a DC at that level, please let me know.

Have a nice day.
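Before copying the keytabs produced by the ktpass commands in the post to the AM hosts, it helps to confirm that each one really contains the HTTP service principal for the right host with the expected encryption type, since a wrong SPN or enctype is the usual reason the Desktop SSO module fails silently. The following is an added Python example, not code from the forum post or from Access Manager: it parses the MIT keytab version 2 file layout (version bytes 0x05 0x02, then length-prefixed entries of principal components, name type, timestamp, kvno and key block) and checks an entry against the expected principal. The sample keytab is constructed inside the block with placeholder key bytes; the host AM01, the realm TOP.HILL.COM and the RC4-HMAC enctype come from the post, the function names are my own.

```python
import struct

# Keytab file-format constants (MIT krb5 keytab version 2 layout).
KEYTAB_VERSION = b"\x05\x02"
KRB5_NT_PRINCIPAL = 1        # name type written by ktpass /ptype KRB5_NT_PRINCIPAL
ENCTYPE_RC4_HMAC = 23        # what ktpass /crypto RC4-HMAC-NT produces
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}


def _counted(data: bytes) -> bytes:
    """16-bit big-endian length prefix followed by the bytes (keytab counted string)."""
    return struct.pack(">H", len(data)) + data


def build_keytab(entries) -> bytes:
    """Serialize (realm, components, name_type, timestamp, kvno, enctype, key) tuples.
    Used here only to construct sample input; a real keytab comes from ktpass."""
    out = bytearray(KEYTAB_VERSION)
    for realm, components, name_type, timestamp, kvno, enctype, key in entries:
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for comp in components:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)            # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Return one dict per live entry; key bytes are summarized by length, never exposed."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("not a version-2 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # a negative size marks a deleted (free) slot
            pos += -size
            continue
        entry, pos = data[pos:pos + size], pos + size
        off = 0

        def take(fmt):
            nonlocal off
            vals = struct.unpack_from(fmt, entry, off)
            off += struct.calcsize(fmt)
            return vals[0] if len(vals) == 1 else vals

        def take_counted():
            nonlocal off
            n = take(">H")
            raw = entry[off:off + n]
            off += n
            return raw

        ncomp = take(">H")
        realm = take_counted().decode()
        comps = [take_counted().decode() for _ in range(ncomp)]
        name_type, timestamp, vno8 = take(">IIB")
        enctype = take(">H")
        key = take_counted()
        kvno = take(">I") if size - off >= 4 else vno8   # trailer present?
        entries.append({
            "principal": "/".join(comps) + "@" + realm,
            "name_type": name_type,
            "timestamp": timestamp,
            "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)),
            "key_len": len(key),
        })
    return entries


def check_keytab(data: bytes, expected_principal: str, expected_enctype: str = "rc4-hmac"):
    """Problems found when verifying a keytab for a Desktop SSO module; [] means OK."""
    problems = []
    matches = [e for e in parse_keytab(data) if e["principal"] == expected_principal]
    if not matches:
        problems.append("no entry for principal %s" % expected_principal)
    for e in matches:
        if e["enctype"] != expected_enctype:
            problems.append("%s uses %s, expected %s" % (e["principal"], e["enctype"], expected_enctype))
        if e["name_type"] != KRB5_NT_PRINCIPAL:
            problems.append("%s has name type %d, expected KRB5_NT_PRINCIPAL" % (e["principal"], e["name_type"]))
    return problems


# Constructed sample: what the two keytabs for host AM01 from the post would hold.
# The key bytes are a made-up placeholder, not real key material.
SAMPLE_ENTRIES = [
    ("TOP.HILL.COM", ["HTTP", "AM01.top.hill.com"], KRB5_NT_PRINCIPAL, 1232000000, 3,
     ENCTYPE_RC4_HMAC, bytes(range(16))),
    ("TOP.HILL.COM", ["host", "AM01.top.hill.com"], KRB5_NT_PRINCIPAL, 1232000000, 3,
     ENCTYPE_RC4_HMAC, bytes(range(16, 32))),
]
SAMPLE_KEYTAB = build_keytab(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e)
    print(check_keytab(SAMPLE_KEYTAB, "HTTP/AM01.top.hill.com@TOP.HILL.COM"))
```

To check a real file, read it in binary mode and pass the bytes to check_keytab with the principal configured in the module (the "principal" parameter above); an empty list means the keytab matches the module configuration.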

Wednesday, January 21, 2009

shared-state-enable options

Use the following parameters in the Options field if you would like to enable shared state between auth modules and do not want to log in again to the second module after the first module succeeds.

iplanet-am-auth-shared-state-enabled=true shared-state-enabled=true iplanet-am-auth-shared-state-behavior-pattern=useFirstPass

Simple test for Unix auth module in OpenSSO

To do Unix module authentications, we need to start the helper daemon. This can be obtained from the OpenSSO zip file.

1. Configure the port and other information by following the steps provided in this doc:
http://docs.sun.com/app/docs/doc/820-3320/ggnpg?a=view

2. Create an auth module, say testunix.

3. Create a test user on the Unix machine where OpenSSO is running. The commands are:
* useradd testuser
* passwd testuser

4. Start the Unix helper daemon after unzipping opensso.zip and giving it execute permissions:
cd zip-root/opensso/tools/helpers/bin
# ./amunixd

5. Log in using the URL:
http://host:port/opensso/UI/Login?module=testunix

Tuesday, January 20, 2009

SAML 1.1 cert configuration for Post Profile Assertions in AM 7.0 / 7.1

Commands to set up SAML 1.1 in cert mode in a simple way so that POST profile assertions work.

1) Generate a key using the command:
/usr/jdk/entsys-j2se/bin/keytool -genkey -keyalg rsa -alias test -dname
"cn=samlsource,ou=SUN Java System Access Manager,o=Sun,c=US" -keypass
11111111 -keystore /etc/opt/SUNWam/config/keystore.jks -storepass
11111111 -validity 180

2) FTP keystore.jks to the SP, provided you do not need to set up different certs for the IdP and SP.

3) For IdP, do
/opt/SUNWam/bin/ampassword -e 11111111 >
/etc/opt/SUNWam/config/.storepass

4) For IdP, do
/opt/SUNWam/bin/ampassword -e 11111111 > /etc/opt/SUNWam/config/.keypass

5) Edit AMConfig.properties in IdP
a) com.sun.identity.saml.xmlsig.certalias=test
b) com.sun.identity.saml.xmlsig.storepass=/etc/opt/SUNWam/config/.storepass
c) com.sun.identity.saml.xmlsig.keypass=/etc/opt/SUNWam/config/.keypass

6) For SP, do
/opt/SUNWam/bin/ampassword -e 11111111 >
/etc/opt/SUNWam/config/.storepass

7) For SP, do
/opt/SUNWam/bin/ampassword -e 11111111 > /etc/opt/SUNWam/config/.keypass

8) Edit AMConfig.properties in SP
a) com.sun.identity.saml.xmlsig.certalias=test
b) com.sun.identity.saml.xmlsig.storepass=/etc/opt/SUNWam/config/.storepass
c) com.sun.identity.saml.xmlsig.keypass=/etc/opt/SUNWam/config/.keypass

9) If any algorithm other than DSA is used to generate the key, make sure the signature algorithm is correct in /opt/SUNWam/locale/amSAML.properties. Change the algorithm name from
xmlsigalgorithm=http://www.w3.org/2000/09/xmldsig#dsa-sha1 - to -
xmlsigalgorithm=http://www.w3.org/2000/09/xmldsig#rsa-sha1

10) Restart AM.


To verify that the cert indeed got generated properly, do
/usr/jdk/entsys-j2se/bin/keytool -list -v -keystore
/etc/opt/SUNWam/config/keystore.jks -storepass 11111111


******* Basic keytool commands - not needed to quickly configure AM as above ********

# use keytool to set up the keystore for xmlsig required by the SAML POST profile
One can use the same keystore.jks for different servers; you just may need
to regenerate the keypass and storepass with 11111111

com.sun.identity.saml.xmlsig.certalias=test
com.sun.identity.saml.xmlsig.keystore=/etc/opt/SUNWam/config/keystore.jks

/usr/jdk/entsys-j2se/bin/keytool -genkey -keyalg dsa -alias test -dname
"cn=samlsource,ou=SUN Java System Access Manager,o=Sun,c=US" -keypass
11111111 -keystore /etc/opt/SUNWam/config/keystore.jks -storepass
11111111 -validity 180

/usr/jdk/entsys-j2se/bin/keytool -certreq -alias test -file request.csr
-keypass 11111111 -keystore /etc/opt/SUNWam/config/keystore.jks
-storepass 11111111 -storetype JKS

# to generate self-signed cert
/usr/jdk/entsys-j2se/bin/keytool -selfcert -alias test -dname "cn=samlsource,ou=SUN Java System Access Manager,o=Sun,c=US" -keypass 11111111 -keystore /etc/opt/SUNWam/config/keystore.jks -storepass 11111111

# submit the content of request.csr to CA Server. Let us call this approved cert as mycert.cer and root CA as myroot.cer

# install root CA
/usr/jdk/entsys-j2se/bin/keytool -import -file
/home/gc111264/ps/keep/myroot.cer -keypass 11111111 -keystore
/etc/opt/SUNWam/config/keystore.jks -storepass 11111111

# install mycert.cer
/usr/jdk/entsys-j2se/bin/keytool -import -alias test -trustcacerts -file
mycert.cer -keypass 11111111 -keystore
/etc/opt/SUNWam/config/keystore.jks -storepass 11111111

# print a cert
/usr/jdk/entsys-j2se/bin/keytool -printcert -file "mycert.cer"

# list an alias
/usr/jdk/entsys-j2se/bin/keytool -list -alias test -keystore
/etc/opt/SUNWam/config/keystore.jks -storepass 11111111

# list all certs
/usr/jdk/entsys-j2se/bin/keytool -list -v -keystore
/etc/opt/SUNWam/config/keystore.jks -storepass 11111111

Generating a self-signed certificate

A self-signed certificate is one for which the issuer (signer) is the same as the subject (the entity whose public key is being authenticated by the certificate). Whenever the -genkey command is called to generate a new public/private key pair, it also wraps the public key into a self-signed certificate.

You may occasionally wish to generate a new self-signed certificate. For example, you may want to use the same key pair under a different identity (distinguished name). For example, suppose you change departments. You can then:

1. copy (clone) the original key entry. See -keyclone.

2. generate a new self-signed certificate for the cloned entry, using your new distinguished name. See below.

3. generate a Certificate Signing Request for the cloned entry, and import the reply certificate or certificate chain. See the -certreq and -import commands.

4. delete the original (now obsolete) entry. See -delete.

To generate a self-signed certificate, use the -selfcert command, as in

keytool -selfcert -alias dukeNew -keypass b92kqmp
-dname "cn=Duke Smith, ou=Purchasing, o=BlueSoft, c=US"

The generated certificate is stored as a single-element certificate chain in the keystore entry identified by the specified alias (in this case "dukeNew"), where it replaces the existing certificate chain.

Debugging SecurID auth module

Background of the amsecuridd helper daemon

The Access Manager SecurID authentication client is implemented using RSA's ACE/Client API; a helper written in C communicates between the Access Manager SecurID module and the SecurID server.

The Access Manager SecurID module talks to the amsecuridd daemon by opening a socket to localhost:57943, where the daemon listens for SecurID authentication requests. Port 57943 is the default port number; if this port is already occupied, a different port number can be specified in the SecurID Helper Authentication Port attribute of the SecurID service configuration.

The interface to amsecuridd is cleartext through stdin; that is why only localhost connections are permitted to this service. The "backend" of this routine uses the SecurID remote API (v5.*), which does the appropriate encryption of sensitive data.

The amsecuridd helper listens on another port to receive its configuration information, by default port 58943. If this port is occupied, you can run it on a different port by changing the SecurID service properties through the Access Manager Console. For each organization/realm that communicates with a different ACE/Server (which has a different sdconf.rec file), a separate instance of the SecurID helper should be run.

How to run the amsecuridd helper

This daemon can be invoked in two ways:
1. Manual invocation
2. Using the amserver wrapper script

Starting it manually

amsecuridd requires the following shared libraries:

libaceclnt.so => /opt/SUNWam/lib/libaceclnt.so
libsocket.so.1 => /lib/libsocket.so.1
libnsl.so.1 => /lib/libnsl.so.1
libthread.so.1 => /lib/libthread.so.1
libc.so.1 => /lib/libc.so.1
libpthread.so.1 => /lib/libpthread.so.1
libmp.so.2 => /lib/libmp.so.2
libmd5.so.1 => /lib/libmd5.so.1
libscf.so.1 => /lib/libscf.so.1
libdoor.so.1 => /lib/libdoor.so.1
libuutil.so.1 => /lib/libuutil.so.1
libm.so.2 => /lib/libm.so.2
/platform/SUNW,Sun-Fire-480R/lib/libc_psr.so.1
/platform/SUNW,Sun-Fire-480R/lib/libmd5_psr.so.1

Most of them can be found in the OS.

You need to set LD_LIBRARY_PATH to //SUNWam/lib/ to find libaceclnt.so.

amsecuridd: Usage [-v] [-c portnum]


[-v] turns on verbose mode; you first need to create the debug file with
touch /var/opt/SUNWam/debug/securid_client.debug

[-c portnum] sets the config listening port number; default 58943.

Starting amsecuridd using amserver script

The amserver script can be found in the /SUNWam/bin/ directory

/opt/SUNWam/bin/amserver start
stopping auth helpers ...
done.
starting auth helpers ...
done.

Verify that the process has started:

ps -ef | grep amsecuridd

root 1725 1 0 10:26:49 pts/3 0:00 /opt/SUNWam/share/bin/amsecuridd -c 58943

How to disable the amsecuridd daemon from being started

If you don't want the amsecuridd daemon started every time amserver start is issued, remove securid from the com.iplanet.am.daemons property in AMConfig.properties. For example, out of the box this property looks like this:
com.iplanet.am.daemons=unix securid
After disabling securid:
com.iplanet.am.daemons=unix

Limitations

The SecurID authentication module is supported only on Solaris SPARC hosts; it is not supported on Solaris x86 or Linux.

Troubleshooting SecurID Authentication

Make sure the amsecuridd daemon is running in verbose mode; if not, restart it with the -v option. Then follow these steps on the server where amsecuridd is running:

telnet localhost 58943
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Enter SecurID Helper Listen Port [57943]:
Enter SecurID Helper Session Timeout [5]:
Enter SecurID Helper Max Sessions [5]:
Enter Config Path for Server [/opt/ace/data]: /var/tmp/ace.iramya
get_config_info: amsecuridd configured successfully
Connection closed by foreign host.

telnet localhost 57943
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Enter SecurID login: fob56
Enter passcode: 06457646
System generated PIN? (y/n): n
Enter new PIN, containing 4 to 8 digits: 1234
Wait for the code on your token to change, then connect again with the new
PIN
Connection closed by foreign host.

telnet localhost 57943
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
Enter SecurID login: fob56
Enter passcode: 123418924721
Authentication passed
Connection closed by foreign host.

The dialog session may differ based on your SecurID card configuration.

You can find more details about the client's communication with the ACE server in the /var/opt/SUNWam/debug/securid_client.debug file.

The passcode is computed like this: your PIN for the fob + the digits displayed on the fob.

For example, if your fob displays 18924721 and your PIN for the fob (SecurID card) is 1234,

then the passcode will be: 123418924721

If the above steps work fine, then the problem is in the Access Manager SecurID authentication configuration. Run the server in debug mode.

In AM 7.0+ you can dynamically enable debug mode by following these steps:
Log in as amadmin (or a top-level admin user) to the Access Manager Console.
Access ://server:port//Debug.jsp?category=AUTHENTICATION&level=3


Then look into the amAuthSecurID debug file.
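The configuration handshake on port 58943 shown in the telnet session above can be scripted rather than typed, which is handy when re-checking a helper after a restart. The following is an added Python example, not part of the Access Manager documentation or code: a client that answers the helper's prompts (an empty reply keeps the bracketed default) and refuses to connect to anything but a loopback address, because the interface is cleartext, plus a loopback-only mock of the helper's config listener so the exchange can be exercised offline. The prompt texts, the default values and the success line are copied from the session above; the mock's behaviour, the function names and the config path /var/tmp/ace.iramya used in the demo are assumptions.

```python
import ipaddress
import socket
import threading

# Prompts and defaults printed by the helper's configuration listener (from the
# telnet session above); replies are matched to prompts by prefix.
CONFIG_PROMPTS = (
    ("Enter SecurID Helper Listen Port", "57943"),
    ("Enter SecurID Helper Session Timeout", "5"),
    ("Enter SecurID Helper Max Sessions", "5"),
    ("Enter Config Path for Server", "/opt/ace/data"),
)
SUCCESS_LINE = "get_config_info: amsecuridd configured successfully"


def configure_helper(host, port, answers, timeout=5.0):
    """Drive the configuration dialog and return the transcript as a list of lines.

    `answers` maps a prompt prefix to the reply; prompts not listed get an empty
    reply, which accepts the default shown in brackets. The config interface is
    cleartext, so anything other than a loopback address is refused up front.
    """
    if not ipaddress.ip_address(socket.gethostbyname(host)).is_loopback:
        raise ValueError("amsecuridd config interface is cleartext; loopback only")
    transcript, pending = [], b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        while True:
            chunk = sock.recv(4096)
            if not chunk:                          # helper closed the connection
                break
            pending += chunk
            while b"\n" in pending:                # complete lines are status output
                line, pending = pending.split(b"\n", 1)
                transcript.append(line.decode().rstrip("\r"))
            if pending.endswith(b": "):            # a prompt is waiting for input
                prompt = pending.decode()
                reply = next((v for k, v in answers.items() if prompt.startswith(k)), "")
                transcript.append(prompt + reply)
                sock.sendall((reply + "\n").encode())
                pending = b""
    return transcript


def mock_helper(listener, received):
    """Stand-in for amsecuridd's config listener (constructed for this example):
    asks the four questions, records the effective answers, confirms, and closes."""
    conn, _ = listener.accept()
    with conn, conn.makefile("rb") as reader:
        for prompt, default in CONFIG_PROMPTS:
            conn.sendall(("%s [%s]: " % (prompt, default)).encode())
            answer = reader.readline().decode().strip()
            received[prompt] = answer or default   # empty reply keeps the default
        conn.sendall((SUCCESS_LINE + "\n").encode())


def run_demo(config_path="/var/tmp/ace.iramya"):
    """Start the mock on an ephemeral loopback port, configure it, and return
    (transcript seen by the client, settings recorded by the mock)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))                # loopback only, like the real helper
    listener.listen(1)
    received = {}
    worker = threading.Thread(target=mock_helper, args=(listener, received), daemon=True)
    worker.start()
    try:
        transcript = configure_helper("127.0.0.1", listener.getsockname()[1],
                                      {"Enter Config Path for Server": config_path})
    finally:
        worker.join(timeout=5)
        listener.close()
    return transcript, received


if __name__ == "__main__":
    for line in run_demo()[0]:
        print(line)
```

Against a real helper, call configure_helper("localhost", 58943, {...}) with the prompt prefixes you want to override; the last transcript line should be the success line, and anything else is what the helper printed instead.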

Realm VS Legacy mode


http://host:port/amserver/SMSServlet?method=isRealmEnabled

If the response is true, the server is in realm mode; otherwise it is in legacy mode.

Comparison chart of Realm and Legacy mode, functionality-wise:

http://docs.sun.com/app/docs/doc/819-4669/6n6q9stbf?a=view

AM server Application module URL

The URL to log into the AM server using the Application module is:
http(s)://host:port/amserver/UI/Login?module=Application&IDToken0=amadmin&IDToken1=password

For example:
http://avatar.red.iplanet.com/amserver/UI/Login?module=Application&IDToken0=amadmin&IDToken1=admpassword

A few steps to start a simple load test using Mercury LoadRunner 8.1:

1. Install the LoadRunner server and controller on a Windows machine, say LoadRunner 8.1 on a machine star.sun.com.

2. Go to Start -> Programs -> Mercury -> LoadRunner. You will get 3 options in the GUI:
* Create/Edit Scripts
* Run Load Tests
* Analyze Load Tests

3. Choose the Create / Edit Scripts option. It will open the Virtual User Generator console. On the left tab, choose New Vuser Script.

4. In the dialog box, you have a few options. Choose Web (HTTP / HTML).

5. It will take you to the "Start Recording" options box. Provide the browser type and the start URL (the first URL to hit when the script starts), and choose Action for the "Record into Action" option. This is the place where you can generate load.

6. Now record the script by doing UI operations the way you test from a browser. Save it.

7. Provide Scenario options and start the test.

8. If you choose Run Load Tests, it will open a controller console.

9. In the controller console, it will show you previous scripts that you have created or imported earlier.

Configure a reverse proxy in a few seconds

Sometimes we may have to configure a load balancer in front of a bunch of web servers, or just one web server, to test some problem. Configuring a load balancer could take time. A simple way to do this is to configure the reverse proxy plugin in a web server or an app server that is already deployed. It takes a few seconds to do this.

For example, if you have Sun Web Server 7.0 configured, it takes a few seconds to do this:

Click on Configurations tab and select the configuration.
Click Virtual Servers tab and select the virtual server.
Click Content Handling > Reverse Proxy tab.
Click New Proxy URI button.

Specify values for the following parameters:
URI - The reverse proxy URI
Server URL - Comma separated URLs of the remote server.
If multiple values are given, the server will distribute load among the specified servers.

If you want to simply route all requests to another web server or app server you can say
URI - /
Server URL - http://avatar.red.iplanet.com:80/opensso

Let us say this reverse proxy plugin is configured on the http://bull.red.iplanet.com:5555 web server. With the above parameters, any HTTP request to bull.red.iplanet.com:5555 will be routed to avatar.red.iplanet.com:80, and a user accessing bull.red.iplanet.com:80 will never know that he is indeed accessing avatar.red.iplanet.com:80.

Steps to configure Enterprise DSEE 6.x

The following steps will help in configuring Sun Enterprise DSEE 6 as it comes with the JES5 installer.

1. Install all components of DSEE during installation of JES5.

2. To start the DS admin console:

# /usr/sbin/smcwebserver status
The output should resemble the following:
Sun Java(TM) Web Console is stopped

# /usr/sbin/smcwebserver start

3. If cacaoadm is not yet started, start it
# /usr/sbin/cacaoadm start

4. Check if DSCC is initialized properly.
# cd /opt/SUNWdsee/dscc6/bin

# ./dsccsetup status

The response should resemble the following:

***
DSCC Application is registered in Sun Java (TM) Web Console
***
DSCC Agent is registered in Cacao
***
DSCC Registry has not been created yet
***

This response indicates that the installer has installed the DSCC packages but did not create a DSCC instance.

Start the DSCC configurator.

# ./dsccsetup install

The response should resemble the following:

### 'install' subcommand is obsolete.
### Use 'ads-create' subcommand instead.
Choose password for Directory Server Manager:

When prompted, type the directory-admin-password.

The response should resemble the following:
Confirm password for Directory Service Manager: Creating DSCC registry...
DSCC Registry has been created successfully.

Confirm that your new DSCC instance is running.

# ps -ef | grep dscc6

The response should resemble the following:

/opt/SUNWdsee/ds6/lib/64/ns-slapd -D /var/opt/SUNWdsee/dscc6/dcc/ads -i /var/opt

If the DSCC instance is not running, start it.

# /opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/dscc6/dcc/ads

5. Enable the web console to start on system reboot:
/usr/sbin/smcwebserver enable

6. Log in to the console now.
* Access https://machine:6789/
* Log in using the root credentials of the machine where this DSEE is installed. Remember, it is the root password of the machine.
* Click on DS console
* Enter the admin password that you provided during JES installation.

You can administer DS instances now.