tag:blogger.com,1999:blog-81481243887718603132011-12-29T08:27:45.797-08:00Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.comBlogger42125tag:blogger.com,1999:blog-8148124388771860313.post-42029956140422757202011-06-24T02:00:00.000-07:002011-06-24T02:16:50.106-07:002011-06-24T02:16:50.106-07:00Creating Custom Attributes for User Profile<br />============================================<br />Step-1:<br />=======<br />* Should not use GUI form designer for users.<br />* Browser -> OIM Login -> Advanced -> User Configurtion<br />* Left Panel -> Actions -> User Attributes<br />* Right Panel -> "Custom Attributes" Category Name -> Create Attribute Button<br /><br />Step-2: Create Authorization Policy<br />=======<br />* Browser -> OIM Login -> Administration -> Create Authorization Policy<br />* Policy Name = test; Entity Name = User Management -> Next<br />* Permissions : Check "Enable All Permissions" checkbox at top -> Next<br />* Data Constraints : All Users -> Next<br />* Assigment: Click on Add Command Button -> A new search box will display -> Without entering any data, click on Search -> A list will display. Just select all of them<br />* Save it.<br /><br />Related Bugs:<br /><a href="http://forums.oracle.com/forums/thread.jspa?messageID=9210759">OTN-1</a><br /><br />Creating Custom Attributes for Roles, Organizations, etc<br />=========================================================<br />* All customizations happen through GUI<br />* Choose Administration -> User Defined Fields.<br />* There will be 4 tables, one for Organizations, One for Roles, etc...<br />* Add Attributes, Add Properties<br />* Save<br />* Check these new things in Web UI.<br />This document describes complete example for all except users<br /><br /><a href="http://download.oracle.com/docs/cd/E14571_01/doc.1111/e14309.pdf">Developer Guide</a> - Chapter : 13.3 User Defined Field Definition Form Page 303 of 802<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-4202995614042275720?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/qDOGdm5LDo5iZyUuR_LuhGDdwoM/0/da"><img src="http://feedads.g.doubleclick.net/~a/qDOGdm5LDo5iZyUuR_LuhGDdwoM/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/qDOGdm5LDo5iZyUuR_LuhGDdwoM/1/da"><img src="http://feedads.g.doubleclick.net/~a/qDOGdm5LDo5iZyUuR_LuhGDdwoM/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/UfTIA0HpcDQ" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2011/06/creating-custom-attributes-in-11g.htmltag:blogger.com,1999:blog-8148124388771860313.post-24530873346233838302011-06-23T22:19:00.000-07:002011-06-24T11:13:52.226-07:002011-06-24T11:13:52.226-07:00Step-1 : Copy files to ConnectorDefaultDirectory<br />=======<br />* ade:[ labburi_dmuBug12682244 ] [labburi@adc2171727 ConnectorDefaultDirectory]$ pwd<br />/scratch/labburi/view_storage/labburi_dmuBug12682244/oracle/work/OIM/ConnectorDefaultDirectory<br />* ade:[ labburi_dmuBug12682244 ] [labburi@adc2171727 ConnectorDefaultDirectory]$ cp -R /work/labburi/installables/connectors/DBAT91050/Database_App_Tables_9.1.0.5.0 ./<br /><br />Step-2: Install Connector<br />=======<br />* Browser -> OIM Login --> Advanced Tab --> Install Connector<br />* Screen-1: <br /> - Select DBAT connector<br /> - Click on Load<br /> - Click on Continue<br /><br />* Screen-2:<br /> - Install. Following message will display<br /> DatabaseApplicationTables 9.1.0.5.0 Installation Status : Successful<br /> Configuration of Connector Libraries<br /> Import of Connector XML Files (Using Deployment Manager)<br /> Compilation of Adapter Definitions<br /> Perform the following steps before you start using this connector.<br /> 1. Go to Resource Management >> Create IT Resource and create an IT resource for this connector.<br /> 2. Go to Advanced >> System Management >> Search Scheduled Job and configure the following scheduled Jobs that are already created for this connector. <br /> <br />* Do not follow these steps. These are not required<br /> 1. Go to Resource Management >> Create IT Resource and create an IT resource for this connector.<br /> 2. Go to Advanced >> System Management >> Search Scheduled Job and configure the following scheduled Jobs that are already created for this connector. <br /> ITResource will be created automatically when you configure GTC.<br /><br /><br />Step-3: Configure GTC<br />=======<br />* Browser -> OIM Login --> Advanced Tab --> Create Generic Connector<br /><br />* Screen-1:<br /> - Provide name - DBAT91050<br /> - Select Provisioning checkbox (This testcase needs this)<br /> - Deselect Reconcilation checkbox<br /> - Transport Provider : DBAT Provisioning<br /> - Format Provider : DBAT Provisioning<br /><br />* Screen-2: Specify Paramater Values (This works for DB XE 10g too)<br /> - DB Driver : oracle.jdbc.driver.OracleDriver<br /> - DB URL : jdbc:oracle:thin:@10.133.169.36:1521:xe<br /> - DB User ID : SYSTEM<br /> - DB Password : ********<br /> - Parent Table / View Name : oim_target<br /> - All other fields should not be touched. Leave them and click continue<br /><br />* Screen-3: Map Data as needed.<br /><br />Step-4: Verify<br />=======<br />* Verify that ITResource for DBAT is created automatically through Web UI.<br />* Verify that a new provisioning process is created automatically from Steps-2&3 through GUI. <br /> <br />Step-5: Test<br />=======<br />* Create a test user<br />* Provision DBAT91050<br />* Using SQL Developer, connect to target system and verify that oim_target table is populated with test user data from OIM<br /><br />References:<br />===========<br /><a href="file:///D:/lakshman/work/OIM/connectors/DBAT_91050/Database_App_Tables_9.1.0.5.0/documentation/DBApplicationTables_guide/prepare.htm#BABEBAEG">DBApplicationTables_guide</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-2453087334623383830?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/MoPiUwrU6BQ2e5IYEi5sXPiAWL4/0/da"><img src="http://feedads.g.doubleclick.net/~a/MoPiUwrU6BQ2e5IYEi5sXPiAWL4/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/MoPiUwrU6BQ2e5IYEi5sXPiAWL4/1/da"><img src="http://feedads.g.doubleclick.net/~a/MoPiUwrU6BQ2e5IYEi5sXPiAWL4/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/TBS7I9ELox0" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2011/06/installation-of-dbat-connector-for.htmltag:blogger.com,1999:blog-8148124388771860313.post-1042064151197005912011-06-23T11:17:00.000-07:002011-06-29T20:09:08.532-07:002011-06-29T20:09:08.532-07:00To get some documentation on OIM Tables, try the following:<br />-----------------------------------------------------------<br />- Connect to OIM DB using Oracle SQL Developer.<br />- Left Panel -> List of Tables -> Click on table name. You will see table information on Right Panel<br />- Right Panel -> Detail Tab -> Look for Comments Field at the end. It has some documentation.<br /><br />****************<br />Tables Analysis<br />****************<br /><br />* SDC - User Defined Fields in User Form, etc...<br />- Used by interface - getFormFeildsData() to get user defined attributes.<br />Sample Query<br />------------<br />SELECT sdc.sdc_key, sdc.sdk_key, sdc_name, sdc_variant_type, sdc_sql_length, sdc_label, sdc_field_type, SDC_DEFAULT_VALUE, sdc_order, sdc_profile_enabled, sdc_encrypted, sdc_rowver,sdc_version, sdpv.sdp_property_value as Editable, sdpr.sdp_property_value as Optional, sdpv.sdp_property_value as Visible , sdplkv.sdp_property_value as LookupCode FROM sdk, sdc LEFT OUTER JOIN sdp_visible_v sdpv on sdc.sdc_key=sdpv.sdc_key LEFT OUTER JOIN sdp_required_v sdpr on sdc.sdc_key=sdpr.sdc_key LEFT OUTER JOIN sdp_lookupcode_v sdplkv on sdc.sdc_key=sdplkv.sdc_key WHERE sdc.sdk_key=sdk.sdk_key and (sdc.sdc_default is null or sdc.sdc_default='0') and sdc.sdc_version=0 and sdk.sdk_key=3 ORDER BY sdc_order asc, sdc.sdc_key asc;<br /><br />Sample Result<br />--------------<br />155 3 USR_UDF_OBGUID String 300 ObjectGUID TextField 1 0 0000000000000001 0 false false <br />561 3 USR_UDF_MYCUSTATTR1BN String 25 MyCustAttr1 TextField CustAttr1DefValue 2 0 0000000000000000 0 <br />562 3 USR_UDF_MYCUSTAATR2BN String 25 MyCustAttr2 TextField CustAttr2DefVal 3 0 0000000000000000 0 <br /><br />* ORC: Order Content Item Table<br />- Used by ScheduledTask to run a set of ordered events.<br /><br />* SCH - Schedulted Item Table<br />- Used by tcScheduledTask to run scheduled Tasks.<br /><br />* MIL : Tasks in Processes<br />- Contains all tasks from all processes.<br /><br />* GCD : Generic Connector definitions Table.<br />- When you do "Install Connector" + "Create Generic Connector" in 11g UI, the entire information that you enter to create a new connector - like Format, data mapping between source and target, etc... will be formed into an XML document and will be stored in GCD_XML Field of GCD Table.<br />- During provisioning, a scheduled task will kick-in Generic Connector package - transform operation in OIM. This will transform data from USR tables' user record into target systems record using GCD_XML fields' connector definition.<br /><br />* PTY - Property definition<br />- Properties Table<br />- Metadata used by OIM for System Properties defined. Product uses this to set status etc... as defined by OIM configuration<br />Sample Data<br />------------<br />70 XL.GTCAutoImport true GTC Auto Import 1 S 2 01-APR-11 1 01-APR-11 1 0000000000000000<br />71 XL.PagingSystemDefaultMaxRecords 1000 Paging System Default Max Records 1 S 2 01-APR-11 1 01-APR-11 1 0000000000000000<br />72 XL.SoDCheckRequired FALSE XL.SoDCheckRequired 1 S 2 01-APR-11 1 01-APR-11 1 000000000000<br />57 XL.RequestRaisedByYou.DayLimit 30 Property to indicate day limit set for Request raised by you 1 S 2 31-MAR-11 1 31-MAR-11 1 0000000000000000<br />58 XL.RequestRaisedForYou.DayLimit 30 Property to indicate day limit set for Request raised for you 1 S 2 31-MAR-11 1 31-MAR-11 1 0000000000000000<br /><br />**************************************************<br />User Tables<br />**************************************************<br />* USR : All user information - very important table.<br />* UPH: User Policy Profile History Table<br /><br />**************************************************<br />Resource Objects<br />**************************************************<br />Just like we have a class definition and a class instance in Java, we have Resource Object Definition and Resource Object Instance.<br />* OBJ : Resource Object Definition<br />- Defines structure of an object<br />Sample Data<br />------------<br />21 21 U Generic 1 1 Laptopres 0 1 1 0 0 0 05-APR-11 1 05-APR-11 1 0000000000000003 0 0<br />83 86 U Generic 1 1 Stapler 0 1 1 0 0 1 29-APR-11 1 29-APR-11 1 0000000000000001 0 0<br /><br />* OBI : Resource Object Instance<br />- Entry for a resource object instantiated at run time.<br />- Very important as Provisioning operates on tcOBI to complete Provisioning.<br />Sample Data<br />------------<br />466 126 131 Data Received 1 27-JUN-11 1 27-JUN-11 1 0000000000000000<br /><br />* RIU : Request Users Resolved Object Instances<br />- When you revoke a resource object from users resources, OIM will update revoke request information in this table<br />- Table Fields<br />RIU_KEY NUMBER, REQ_KEY NUMBER, OBJ_KEY NUMBER, USR_KEY NUMBER,<br />OIU_KEY NUMBER, OBI_KEY NUMBER, RIU_COMPLETED, RIU_DATA_LEVEL, RIU_CREATE<br />RIU_CREATEBY, RIU_UPDATE, RIU_UPDATEBY, RIU_NOTE, RIU_ROWVER<br />Sample Query Result<br />====================<br />1 110 125 182 235 444 1 27-JUN-11 1 27-JUN-11 1 0000000000000001<br />2 110 126 182 236 445 0 27-JUN-11 1 27-JUN-11 1 0000000000000000<br />3 111 125 183 237 448 1 27-JUN-11 1 27-JUN-11 1 0000000000000001<br /><br />* OST : OBJECT STATUS INFORMATION.<br />- Contains users, resource objects and all objects<br />Sample Query Result<br />====================<br />268 110 Revoked 0 20-JUN-11 1 20-JUN-11 1 0000000000000000<br />269 110 Provisioned 1 20-JUN-11 1 20-JUN-11 1 0000000000000000<br />270 110 Provide Information 0 20-JUN-11 1 20-JUN-11 1 0000000000000000<br /><br /><br />**************************************************<br />Request Object Tables<br />**************************************************<br />* RQH - Request History Table<br />Sample Query Result<br />====================<br />66 41 1 Object Approval Complete 14-APR-11 1 14-APR-11 1 0000000000000000<br />67 41 61 181 Approved 14-APR-11 1 14-APR-11 1 0000000000000000<br />68 42 1 Request Initialized 14-APR-11 62 14-APR-11 62 0000000000000000<br />69 42 61 182 Awaiting Data 14-APR-11 62 14-APR-11 62 0000000000000000<br />70 42 61 182 Data Received 14-APR-11 62 14-APR-11 62 0000000000000000<br /><br />* RQO - ? TODO<br />Sample Query Result<br />====================<br /><br /><br /><br /><br />**************************************************************************<br /> SAMPLE QUERIES<br />***************************************************************************<br />* SELECT sdc.sdc_key, sdc.sdk_key, sdc_name, sdc_variant_type, sdc_sql_length, sdc_label, sdc_field_type, SDC_DEFAULT_VALUE, sdc_order, sdc_profile_enabled, sdc_encrypted, sdc_rowver,sdc_version, sdpv.sdp_property_value as Editable, sdpr.sdp_property_value as Optional, sdpv.sdp_property_value as Visible , sdplkv.sdp_property_value as LookupCode FROM sdk, sdc LEFT OUTER JOIN sdp_visible_v sdpv on sdc.sdc_key=sdpv.sdc_key LEFT OUTER JOIN sdp_required_v sdpr on sdc.sdc_key=sdpr.sdc_key LEFT OUTER JOIN sdp_lookupcode_v sdplkv on sdc.sdc_key=sdplkv.sdc_key WHERE sdc.sdk_key=sdk.sdk_key and (sdc.sdc_default is null or sdc.sdc_default='0') and sdc.sdc_version=0 and sdk.sdk_key=3 ORDER BY sdc_order asc, sdc.sdc_key asc;<br /><br />* select ost.ost_key, ost_status from ost ost, obj obj where obj.obj_key=ost.obj_key and obj.obj_name='Request';<br /><br />* select ost.ost_key, ost_status from ost ost, rqo rqo where ost.obj_key=rqo.obj_key and rqo.req_key=130;<br /><br />* select * from OST where OST_STATUS='Object Approval Complete';<br /><br />* select osi.orc_key, osi.mil_key, osi.sch_key, osi_rowver, sch_rowver, osi_retry_for, sch_offlined from osi osi, sch sch where osi.sch_key=sch.sch_key and sch.sch_key=1091;<br /><br />* select mil_name from osi osi,sch sch,pkg pkg,tos tos,mil mil where osi.sch_key = sch.sch_key and osi.pkg_key=pkg.pkg_key and pkg.pkg_key = tos.pkg_key and tos.tos_key = mil.tos_key and pkg_type='Approval' and mil_name in('Awaiting Object Data','Awaiting Approval Data') and osi.mil_key = mil.mil_key and osi.sch_key=1091;<br /><br />* select * from act act where act_name='Requests'<br /><br />* select obi.obi_key, obi.obj_key, obi_status, obi_rowver, rqo_rowver, obd.obd_parent_key from rqo rqo, obi obi left outer join obd obd on obd.obd_child_key=obi.obj_key where rqo.obi_key = obi.obi_key and rqo.req_key=131 order by obd.obd_parent_key desc;<br /><br />* select act_key from act act where act_name='Requests';<br /><br />* select obj_autolaunch from obj where obj_key = 126;<br /><br />* select pty_value from pty where pty_keyword='XL.RequestCompleteStatus';<br /><br />* select orc.orc_key, orc.orc_status, oiu.oiu_key, riu.riu_key from orc orc, oiu oiu, riu riu where orc.orc_key=oiu.orc_key and riu.oiu_key=oiu.oiu_key and riu.req_key=131 and riu.obj_key=125;<br /><br />* select riu.oiu_key, oiu.oiu_rowver from riu riu, oiu oiu where riu.oiu_key=oiu.oiu_key and riu.req_key=131 and riu.obj_key=125;<br /><br />* select pty_value from pty where pty_keyword='XL.RequestCompleteStatus';<br /><br />Table Updates<br />--------------<br />update RIU set RIU_COMPLETED=0 where riu_key=2;<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-104206415119700591?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/Hj5HqtnCLfFdG_M41-dhHNtu7mk/0/da"><img src="http://feedads.g.doubleclick.net/~a/Hj5HqtnCLfFdG_M41-dhHNtu7mk/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/Hj5HqtnCLfFdG_M41-dhHNtu7mk/1/da"><img src="http://feedads.g.doubleclick.net/~a/Hj5HqtnCLfFdG_M41-dhHNtu7mk/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/Wi0QcGHEnoM" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2011/06/oim-9x-db-table-description.htmltag:blogger.com,1999:blog-8148124388771860313.post-26256657713937725002011-06-23T11:10:00.000-07:002011-06-23T13:52:44.316-07:002011-06-23T13:52:44.316-07:001. Get resource objects to operate for a user. This happens during access policy evaluation when user is being created. <br />- Post Event during user creation process.<br />Query<br />-----<br />select obj.obj_key, obj.obj_name, obj.obj_allow_multiple, obj.obj_allowall, pop.pop_denial, pop.pop_revoke_object from pop pop, obj obj where pop.pol_key = 41 and pop.obj_key = obj.obj_key;<br />Results<br />--------<br />108 RO_A 1 1 0 0<br />109 RO_B 1 1 0 1<br />110 RO_C 1 1 0 1<br /><br />2. List of provioned objects for an user<br />Query<br />-----<br />select * from oiu oiu, obj obj, obi obi, ost ost where oiu.obi_key = obi.obi_key and obi.obj_key = obj.obj_key and oiu.usr_key = 161 and oiu.ost_key = ost.ost_key and ost.ost_status != 'Revoked';<br /><br />3. Get a particular task from a provisioning process<br />Query<br />------<br />select mil_key, mil_name, mil_sequence, mil_day, mil_hour, mil_minute,mil_create_multiple, mil_cancel_while_pending, mil_comp_on_rec, mil_required_complete, mil_retry_period, mil_retry_count, evt_key, mil_default_assignee, mil_assign_to_manager from mil where mil_key=373;<br />Results<br />-------<br />373 Enable User 0 1 1 0 0 1<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-2625665771393772500?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/Jf5gtvcDXODbaaD9Sf8fpJd1aNI/0/da"><img src="http://feedads.g.doubleclick.net/~a/Jf5gtvcDXODbaaD9Sf8fpJd1aNI/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/Jf5gtvcDXODbaaD9Sf8fpJd1aNI/1/da"><img src="http://feedads.g.doubleclick.net/~a/Jf5gtvcDXODbaaD9Sf8fpJd1aNI/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/jGMlQkQokTg" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2011/06/oim-9x-db-queries-fired-by-oim.htmltag:blogger.com,1999:blog-8148124388771860313.post-68059529921279432442011-06-22T09:08:00.000-07:002011-06-22T09:17:18.505-07:002011-06-22T09:17:18.505-07:001. Goto Design Console GUI --> Resource Management --> Rule Designer,<br /> Create a new rule as - <br /> * GroupMemMiddleName : Rule Type - "General" : Rule Sub Type - Empty : Rule Operator - "AND"<br /> * Save it.<br /> * Add a new "Rule Elemenent" - "Middle Name == Roger"<br /> * Save it.<br /><br />2. Goto Browser UI --> Manage User Groups --> "Test Group" --> Memebership Rules<br /> Assign this new rule to the group.<br /><br />Now if a new user with middle name Roger is created, he will be member of this "Test Group" automatically.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-6805952992127943244?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/7P7ECGBR1h0ueciPWFLE1i1p-N4/0/da"><img src="http://feedads.g.doubleclick.net/~a/7P7ECGBR1h0ueciPWFLE1i1p-N4/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/7P7ECGBR1h0ueciPWFLE1i1p-N4/1/da"><img src="http://feedads.g.doubleclick.net/~a/7P7ECGBR1h0ueciPWFLE1i1p-N4/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/w1LfKYLbPNY" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2011/06/oim-9x-membership-auto-assign.htmltag:blogger.com,1999:blog-8148124388771860313.post-35329092319891381342011-06-22T08:33:00.000-07:002011-06-22T09:21:06.398-07:002011-06-22T09:21:06.398-07:00Create User : "Required for Completion" : tcCompleteTask : C-Completed-Provisioned : None for "Task Effect"<br /><br />Delete User : "Conditional" : tcCompleteTask : C-Completed-Revoked : None for "Task Effect"<br /><br />Enable User : "Conditional" : tcCompleteTask : C-Completed-Revoked : "Enable Process or Access to Application" for "Task Effect"<br /><br />Disable User: "Conditional" : tcCompleteTask : C-Completed-Revoked : "Disable Process or Access to Application" for "Task Effect"<br /><br />* With above tasks in a provisioning process, when you enable a user, Enable User task in Provisioning process will kick-in. This will kick-in not because of task name but because of Task-Effect configured above.<br /><br />* With above tasks in a provisioning process, when you disable a user, Disable User task in Provisioning process will kick-in. This will kick-in not because of task name but because of Task-Effect configured above.<br /><br />========================================<br />How to define reserved names for tasks?<br />========================================<br />* In Design Console GUI --> Administration --> Lookup Definition, Type *trigger* in "Code" text box --> Click Lookup in toolbar menu.<br />* In Lookup Definition Table --> Select "Lookup.USR_PROCESS_TRIGGERS"<br />You will get a "Code Key" - "Decode" table<br /><br />In this table, you will see that task names are defined for a particular operation. For ex: "USR_FIRST_NAME" - "Change First Name"<br />So if you define a task in Provisioning process with task name "change First Name", then OIM will trigger this particular task when user profile modifies for "First Name" field.<br /><br />You can extend this table for new tasks if needed.<br /><br />=================<br />Test Case to try:<br />==================<br />Define a provisioning process for resource object Laptop. Add a new task<br /><br />Create User : "Required for Completion" : tcCompleteTask : C-Completed-Provisioned : None for "Task Effect"<br /><br />1. Try provisiong this resource object Laptop to test user - tu1. Provisioning will happen. <br />2. Disable the user. You will see that OIM reports that - there is no task for Disable.<br /><br />======<br />Notes<br />======<br />* OIM operates task-based. If a particular task "Disable User" with Task Effect as described above in 10 Provisioning Processes. If a user - tu1 is disabled, then all 10 provisioning processes - tasks will be triggered.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-3532909231989138134?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/ucO9agMxupZ-qyiEZrv5UiXzTxM/0/da"><img src="http://feedads.g.doubleclick.net/~a/ucO9agMxupZ-qyiEZrv5UiXzTxM/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/ucO9agMxupZ-qyiEZrv5UiXzTxM/1/da"><img src="http://feedads.g.doubleclick.net/~a/ucO9agMxupZ-qyiEZrv5UiXzTxM/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/X-8dpJX8GCw" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2011/06/adding-tasks-to-provisioning-process.htmltag:blogger.com,1999:blog-8148124388771860313.post-37602665182240513772011-06-15T20:04:00.000-07:002011-06-24T11:03:05.638-07:002011-06-24T11:03:05.638-07:00Code Example: <a href="http://code.google.com/p/adfsampleapplications/source/browse/trunk/SelectOrderShuttleSample.zip">GoogleCodeLink</a><br /><br />PanelStretchLayout Geometry - <a href="http://jdevadf.oracle.com/adf-richclient-demo/docs/tagdoc/af_panelStretchLayout.html">Link</a><br /><br />Some discussion: <br />1. <a href="http://forums.oracle.com/forums/thread.jspa?threadID=2234749&tstart=90">OTN-Thread1</a><br />2. <a href="http://forums.oracle.com/forums/thread.jspa?threadID=555489">OTN-Thread2</a><br />3. <a href="http://forums.oracle.com/forums/thread.jspa?threadID=2170750&tstart=1">OTN-Thread3</a><br /><br />ADF Documentation<br />1. <a href="http://www.oracle.com/technetwork/developer-tools/adf/overview/index.html">ADF Overview</a><br />2. <a href="http://www.oracle.com/technetwork/developer-tools/jdev/overview/index.html">JDEV Overview</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-3760266518224051377?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/GxtlvGASgRYMVPQdodNvrJHiBeY/0/da"><img src="http://feedads.g.doubleclick.net/~a/GxtlvGASgRYMVPQdodNvrJHiBeY/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/GxtlvGASgRYMVPQdodNvrJHiBeY/1/da"><img src="http://feedads.g.doubleclick.net/~a/GxtlvGASgRYMVPQdodNvrJHiBeY/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/1xbK57VFkj0" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2011/06/select-order-shuttle.htmltag:blogger.com,1999:blog-8148124388771860313.post-82028414688335266372011-06-13T19:42:00.000-07:002011-06-15T20:07:36.560-07:002011-06-15T20:07:36.560-07:00Oracle Deployment doc: <a href="http://www.oracle.com/webfolder/technetwork/tutorials/obe/fmw/oim/oim_11g/customizing_oim_ui_selfservice_to_add_an_adf_tab/customizing_oim_ui_selfservice_to_add_an_adf_tab.pdf">OracleDocLink </a><br /><br />Step-1 : Copy src code of new tab<br />======<br />ade:[ lakshman_IAM0612 ] [lakshman@parrot lib]$ pwd<br />ade:[ lakshman_IAM0612 ] [lakshman@parrot lib]$ /scratch/lakshman/view_storage/lakshman_IAM0612/tklocal/oimDeployments/oim.ear/iam-consoles-faces.war/WEB-INF/lib/.<br />ade:[ lakshman_IAM0612 ] [lakshman@parrot lib]$ cp /work/lakshman/bugs/tabBug/cuFiles/CustomTabApp/deploy/adflibCustomTabs1.jar .<br /><br />Step-2: No need to do any change in Self.jspx<br />=======<br /><br /><br />Step-3 : Make changes to faces-config-self.xml<br />======<br /><br />ade:[ lakshman_IAM0612 ] [lakshman@parrot oim.ear]$ diff ./iam-consoles-faces.war/WEB-INF/faces-config-self.xml /work/lakshman/bugs/tabBug/myChanges/faces-config-self.xml<br />235a236,250<br />> <managed-bean><br />> <managed-bean-name>customPage</managed-bean-name><br />> <managed-bean-class>oracle.iam.consoles.faces.backing.Self$OperationAction</managed-bean-class><br />> <managed-bean-scope>application</managed-bean-scope><br />> <managed-property><br />> <property-name>id</property-name><br />> <property-class>java.lang.String</property-class><br />> <value>customization_page</value><br />> </managed-property><br />> <managed-property><br />> <property-name>pageUrl</property-name><br />> <property-class>java.lang.String</property-class><br />> <value>/examples/MyProfile.jspx</value><br />> </managed-property><br />> </managed-bean><br />258a274,277<br />> <map-entry><br />> <key>#{customPage.id}</key><br />> <value>#{customPage}</value><br />> </map-entry><br /><br /><br />ade:[ lakshman_IAM0612 ] [lakshman@parrot oim.ear]$ cp /work/lakshman/bugs/tabBug/myChanges/faces-config-self.xml ./iam-consoles-faces.war/WEB-INF/faces-config-self.xml<br /><br /><br />Step-4: Copy Self.properties<br />=======<br />* cp iam-consoles-faces.jar /work/lakshman/bugs/tabBug/myChanges/<br />* cd /work/lakshman/bugs/tabBug/myChanges/<br />* mkdir dir_iam-consoles-faces.jar<br />* mv iam-consoles-faces.jar ./dir_iam-consoles-faces.jar/<br />* cd ./dir_iam-consoles-faces.jar/<br />* jar -xvf iam-consoles-faces.jar<br />* rm iam-consoles-faces.jar<br />* cp ../Self.properties ./oracle/iam/consoles/faces/resources/Self.properties<br />* cd /work/lakshman/bugs/tabBug/myChanges/dir_iam-consoles-faces.jar<br />* jar -cvf ../iam-consoles-faces.jar ./*<br />* jar -tvf /work/lakshman/bugs/tabBug/myChanges/iam-consoles-faces.jar - Check if there is anything wrong.<br />* cd /scratch/lakshman/view_storage/lakshman_IAM0612/tklocal/oimDeployments/oim.ear/iam-consoles-faces.war/WEB-INF/lib<br />* cp /work/lakshman/bugs/tabBug/myChanges/iam-consoles-faces.jar ./<br /><br />Step-5: Restart wls server<br />=======<br /><br />Step-6: Make changes and re-test<br />=======<br />When the user first accesses the Self Service console and a custom ADF tab the MyProfile.jspx file is copied into iam-consoles-faces.war. This file will need to be deleted when any new changes to the source file are redeployed.<br />Delete: oim.ear/iam-consoles-faces.war/examples/MyProfile.jspx<br />Note: this file will only exist after a user access the Self Service console.<br /><br />********<br />Notes:<br />********<br />* Use latest JDev 11g for ADF development.<br />* Mapping between MyProfile.jspx and CustomUserProfile.java (bean class with business logic) is provided in faces-config.xml. You have managed bean name, class etc... here<br />* In MyProfile.jspx, we reference all business logic using beanName.logic. Example:<br /> inputText label="#{customtabsBundle.EMAIL}"<br /> value="#{profile.userprofile.email}" id="abc"<br /><br /> commandButton text="#{customtabsBundle.APPLY}"<br /> actionListener="#{profile.updateAction}"<br /> id="xyz"<br />where profile is bean name, useprofile is data member of this bean class.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-8202841468833526637?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/dt5wW9s2Cl5Q8c5k17inh0tp1YU/0/da"><img src="http://feedads.g.doubleclick.net/~a/dt5wW9s2Cl5Q8c5k17inh0tp1YU/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/dt5wW9s2Cl5Q8c5k17inh0tp1YU/1/da"><img src="http://feedads.g.doubleclick.net/~a/dt5wW9s2Cl5Q8c5k17inh0tp1YU/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/8b0dBPIloj8" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2011/06/creating-new-sample-adf-tab-in-oim-11g.htmltag:blogger.com,1999:blog-8148124388771860313.post-82796502783958847662011-03-30T01:28:00.000-07:002011-03-30T01:57:42.738-07:002011-03-30T01:57:42.738-07:00----- Create -------<br /><br />[root@adc2171727 oracle.oamprovider_11.1.1]# /work/installations/oracle/middleware/jrockit_160_22_D1.1.1-3/bin/java -jar oamcfgtool.jar mode=CREATE app_domain="domain1" cookie_domain=".us.oracle.com" protected_uris="/em,/console" app_agent_password="welcome1" ldap_host="parrot.us.oracle.com" ldap_port=5389 ldap_userdn="cn=Directory Manager" ldap_userpassword=password ldap_base="dc=us,dc=oracle,dc=com" oam_aaa_host=parrot.us.oracle.com oam_aaa_port=6522<br />Mar 30, 2011 1:26:39 AM oracle.security.oam.oamcfg.OAMCfgGlobalConfigHandler constructGlobalConfig<br />INFO: Processed input parameters<br />Mar 30, 2011 1:26:40 AM oracle.security.oam.oamcfg.OAMCfgGlobalConfigHandler constructGlobalConfig<br />INFO: Initialized Global Configuration<br />Mar 30, 2011 1:26:49 AM oracle.security.oam.oamcfg.create.impl.OAMCfgConfigCreator doCreate<br />INFO: Successfully completed the Create operation.<br />Mar 30, 2011 1:26:49 AM oracle.security.oam.oamcfg.create.impl.OAMCfgConfigCreator doCreate<br />INFO: Operation Summary:<br />Mar 30, 2011 1:26:49 AM oracle.security.oam.oamcfg.create.impl.OAMCfgConfigCreator doCreate<br />INFO: Policy Domain : domain1<br />Mar 30, 2011 1:26:49 AM oracle.security.oam.oamcfg.create.impl.OAMCfgConfigCreator doCreate<br />INFO: Host Identifier: domain1<br />Mar 30, 2011 1:26:49 AM oracle.security.oam.oamcfg.create.impl.OAMCfgConfigCreator doCreate<br />INFO: Access Gate ID : domain1_AG<br />[root@adc2171727 oracle.oamprovider_11.1.1]#<br /><br />----- Delete -------<br /><br />[root@adc2171727 oracle.oamprovider_11.1.1]# /work/installations/oracle/middleware/jrockit_160_22_D1.1.1-3/bin/java -jar oamcfgtool.jar mode=DELETE authn_schemes="OraDefaultI18NFormAuthNScheme" ldap_base="dc=us,dc=oracle,dc=com" ldap_host=parrot.us.oracle.com ldap_port=5389 ldap_userdn="cn=Directory Manager" ldap_userpassword=password oam_aaa_host=parrot.us.oracle.com oam_aaa_port=6522<br />Mar 30, 2011 1:55:31 AM oracle.security.oam.oamcfg.OAMCfgGlobalConfigHandler processOAMCfgParams<br />INFO:<br />This operation would delete the parameters specified and cannot be undone...<br />If needed, type 'No' and refer help (java -jar jar -help)<br />Enter Yes to continue deletion and No to exit<br />Yes<br />Mar 30, 2011 1:55:35 AM oracle.security.oam.oamcfg.OAMCfgGlobalConfigHandler constructGlobalConfig<br />INFO: Processed input parameters<br />Mar 30, 2011 1:55:35 AM oracle.security.oam.oamcfg.OAMCfgGlobalConfigHandler constructGlobalConfig<br />INFO: Initialized Global Configuration<br />Mar 30, 2011 1:55:35 AM oracle.security.oam.oamcfg.delete.impl.OAMCfgConfigDeleter doDelete<br />INFO: Successfully completed the Delete operation.<br />[root@adc2171727 oracle.oamprovider_11.1.1]#<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-8279650278395884766?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/oRVjLju2-0ED7Dav6kCFGdpbrvc/0/da"><img src="http://feedads.g.doubleclick.net/~a/oRVjLju2-0ED7Dav6kCFGdpbrvc/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/oRVjLju2-0ED7Dav6kCFGdpbrvc/1/da"><img src="http://feedads.g.doubleclick.net/~a/oRVjLju2-0ED7Dav6kCFGdpbrvc/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/Md1tLxtt2q8" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2011/03/oamcfgtool-commands.htmltag:blogger.com,1999:blog-8148124388771860313.post-82107027878717740612011-02-18T12:10:00.000-08:002011-02-21T10:17:35.622-08:002011-02-21T10:17:35.622-08:00Configuring OAM (Access and Identity System) to use password policy is not very obvious. There is no single document or post that describes all required steps at one place. Hence this effort.<br /><br />=======<br />Step-1: Import ldifs to DS configured against OAM.<br />=======<br /><br />* Create an ldif file - lpm.ldif with following schema change (for LPM functionality)<br />---------------------<br />dn: cn=schema<br />changetype: modify<br />add: attributetypes<br />attributetypes: ( 1.3.6.1.4.1.9999.1.1094.204 NAME 'myChallenge' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )<br /><br />dn: cn=schema<br />changetype: modify<br />add: attributetypes<br />attributetypes: ( 1.3.6.1.4.1.9999.1.1094.205 NAME 'myResponse' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )<br /><br />dn: cn=schema<br />changetype: modify<br />add: objectclasses<br />objectclasses: ( 1.3.6.1.4.1.9999.1.1094.206 NAME 'oblixAuxPerson4LPM' DESC 'User defined objectclass' SUP top AUXILIARY MAY ( myChallenge $ myResponse ) )<br />---------------------<br /><br />Import above lpm.ldif to DS containing user data.<br /><br />* Create ldif pwd.ldif with following data entry. <br />Note : schema change for this class was already done as part of Oblix Schema change during setup.<br />---------------------<br />dn:obclass=oblixPersonPwdPolicy,o=Oblix,dc=red,dc=iplanet,dc=com<br />objectclass: top<br />objectclass: OblixClass<br />obready: true<br />obclasstype: personClass<br />obclass: oblixPersonPwdPolicy<br />obclasskind: Auxiliary<br />obver: 10.1.4.0<br />----------------------<br /><br />Import above pwd.ldif to DS containing oblix tree.<br /><br />=======<br />Step-2: Configure oblixAuxPerson4LPM in Identity Console (for LPM functionality)<br />=======<br />a) goto Identity System Console --> Common Configuration --> Object Classes <br />* Add auxiliary class oblixauxperson4lpm. <br />Object Class - oblixauxperson4lpm<br />Class Attribute - No Class Attribute is specified.<br />Class Type - Person<br />Class Kind - Auxiliary<br /><br />b) goto Identity System Console --> User Manager Configuration --> Tabs --> Employees<br />* Modify Employees tab to associate auxiliary class oblixauxperson4lpm.<br /><br />c) goto Identity System Console --> User Manager Configuration --> Tabs --> Employees --> View Object Profile --> Configure Panels<br />* Configure your default panel or lpm panel to add myChallenge and myResponse attributes to user profile depending upon your customization.<br /><br />d) goto User Manager --> Configuration --> Attribute Access Control<br />* Set attribute access to myChallenge and myResponse as desired.<br /><br />=======<br />Step-3: Configure oblixPersonPwdPolicy in Identity Console<br />=======<br />a) goto Identity System Console --> User Manager Configuration --> Tabs --> Employees<br />* Modify Employees tab to associate auxiliary class oblixPersonPwdPolicy<br /><br />=======<br />Step-4: Setup Password Policy<br />=======<br />a) goto Identity System Console --> System Configuration --> Password Policy --> Add<br />* Create a new password policy as you need. <br /><br />My test password policy looks like - <br />Password Policy Name : testpwdpolicy<br />Password Policy Domain : dc=red,dc=iplanet,dc=com<br />Password policy filter : Did not specify <br />Lost Password Policy Name : Did not specify <br />Password Minimum Length : 3 characters<br />Minimum Number of Uppercase Characters : 0 characters<br />Minimum Number of Lowercase Characters : 0 characters<br />Minimum Number of Nonalphanumeric Characters : 0 characters<br />Minimum Number of Numeric Characters : 0 characters<br />Externally specified validation rules : Did not check<br />Password Validity Period : 4 days <br />Password Expiry Notice Period : 3 days<br />Mode of Conveying the Expiry Notice : At Login<br />Password minimum age : Did not specify<br />Change on Reset : Enable <br />Password History : No Password History <br />Number of login tries allowed : 3<br />Lockout Duration : 1 Hours <br />Login tries reset : 2 days <br />Lost Password Redirect Stylesheet : Defaults<br />Password Change Redirect Stylesheet : Defaults<br />Password Expiry Warning Redirect URL : Defaults<br />Custom Account Lockout Redirect URL : Defaults<br />Password Policy Enable : Enable<br /><br />b) Create default URLs for redirects<br /><br />My test configuration looks like -<br />Lost Password Redirect URL : http://parrot.red.iplanet.com:8080/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=passwordChallengeResponse&login=%userid%&backURL=%HostTarget%%RESOURCE%&target=top<br />Password Change Redirect URL : http://parrot.red.iplanet.com:8080/identity/oblix/apps/lost_pwd_mgmt/bin/lost_pwd_mgmt.cgi?program=redirectforchangepwd&login=%userid%&backURL=%HostTarget%%RESOURCE%&target=top<br />Password Expiry Warning Redirect URL : http://parrot.red.iplanet.com:8080/sample/passwordexpiry.html<br />Custom Account Lockout Redirect URL : http://parrot.red.iplanet.com:8080/sample/accountlockout.html<br /><br />Log Authentication attempts:<br />Successful Attempts Attribute : Enable<br />Failed Attempts Attribute : Enable<br /><br />=======<br />Step-5: Enabling access system to use password policy.<br />=======<br />By default access server does not use password policy defined through identity system. You had to do oblixPersonPwdPolicy configuration for this. In addition do the following<br />a) goto Access System Console --> Access System Configuration --> Authentication Management --> Basic Over LDAP --> Plugins --> validate_password<br />* Modify it as<br />obCredentialPassword="password",obReadPasswdMode="LDAP",obWritePasswdMode="LDAP"<br /><br />Note: Make sure there is no typo in the above value. You can copy paste this text to your text editor and make sure there are no special characters or typos. I had to debug for long time because of some special character in this (copy paste error).<br /><br />=======<br />Step-6: Configure LPM policy<br />=======<br />a) goto Identity System Console --> System Configuration --> Lost Password Policy --> Add<br />* Create a new password policy as you need. <br />* Link it with Password Policy setup in Step-4 if you need<br /><br />=======<br />Step-7: Restart Identity and Access System<br />=======<br /><br />=======<br />Step-8: Test<br />=======<br />* To test Redirect URLs defined in password policy, you need to test a resource protected by access system. If you test your password policy by accessing Identity or Access Console, you will not be redirected.<br /><br />a) Access a protected resource <br />http://parrot.red.iplanet.com:8080/sample/test.html<br /><br />Try authentication failure. Open LDAP browser to data store. You can see that user entry will get updated with lockout and password related information. This means Access System is kicking in password policy. Now test as you wish.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-8210702787871774061?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/APeKGpplses3naTAh9c1l9JJI48/0/da"><img src="http://feedads.g.doubleclick.net/~a/APeKGpplses3naTAh9c1l9JJI48/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/APeKGpplses3naTAh9c1l9JJI48/1/da"><img src="http://feedads.g.doubleclick.net/~a/APeKGpplses3naTAh9c1l9JJI48/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/YRDzo8Jbm9g" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2011/02/configuring-password-policy-in-oracle.htmltag:blogger.com,1999:blog-8148124388771860313.post-22501784826201541652011-01-10T18:47:00.001-08:002011-02-21T10:19:24.682-08:002011-02-21T10:19:24.682-08:00Ex-Sun QA manager wrote this OpenSSO book by compiling documentation available in OpenSSO product docs<br /><a href="http://indirat.wordpress.com/2011/01/07/my-book-on-openam-formerly-opensso/">http://indirat.wordpress.com</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-2250178482620154165?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/8jiyM-0mCf4dXYYhsb9r8u2XMpI/0/da"><img src="http://feedads.g.doubleclick.net/~a/8jiyM-0mCf4dXYYhsb9r8u2XMpI/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/8jiyM-0mCf4dXYYhsb9r8u2XMpI/1/da"><img src="http://feedads.g.doubleclick.net/~a/8jiyM-0mCf4dXYYhsb9r8u2XMpI/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/5E7yWyFIEno" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2011/01/opensso-book-written-by-ex-sun-qa.htmltag:blogger.com,1999:blog-8148124388771860313.post-67813584432573982772010-06-16T18:05:00.000-07:002010-06-16T18:10:38.703-07:002010-06-16T18:10:38.703-07:00Step-1: Deploy amauthdistui.war that you get with installation or by building it.<br /><br />Step-2: Copy AMConfig.properties to WEB-INF/classes of web-app directory. File is pasted below. Change it depending upon environment<br /><br />Step-3: Copy amclientsdk.jar to WEB-INF/lib of web-app directory.<br /><br />Restart container.<br /><br />--- Working AMConfig.properties file from my setup ---<br /><br />/* The following keys are used to configure the Debug service.<br /> * Possible values for the key 'level' are: off | error | warning | message.<br /> * The key 'directory' specifies the output directory where the debug files<br /> * will be created.<br /> * Trailing spaces are significant.<br /> * Windows: Use forward slashes "/" separate directories, not backslash "\".<br /> * Windows: Spaces in the file name are allowed for Windows.<br /> */<br />com.iplanet.services.debug.level=error<br />com.iplanet.services.debug.directory=/var/opt/SUNWam/distauth/debug<br /><br />/*<br /> * Naming URL<br /> */<br />com.iplanet.am.naming.url=http://avatar.red.iplanet.com:80/amserver/namingservice<br /><br />/*<br /> * Notification URL<br /> */<br />com.iplanet.am.notification.url=<br /><br />/*<br /> * Security Credentials to identify the client to AccessManager and<br /> * used to get the configuration data from AccessManager.<br /> * com.sun.identity.agents.app.username is the name to identitfy<br /> * the application.<br /> * It is recommended that you create an agent identity to identify<br /> * each client in the Access Manager.<br /> * Then, use the agent identity corresponding to the client.<br /> * This would provide better security and provide a better audit trail.<br /> * The default for com.sun.identity.agents.app.username in this file may be<br /> * set as "anonymous" only for ease of use.<br /> *<br /> * com.iplanet.am.service.password is the password corresponding to<br /> * com.sun.identity.agents.app.username.<br /> * Please remember to change this password when you change the value for<br /> * com.sun.identity.agents.app.username<br /> */<br />com.sun.identity.agents.app.username=distauth<br />com.iplanet.am.service.password=password<br /><br />/*<br /> * Property to set JCE as the default encryption classes<br /> */<br />com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption<br /><br />/*<br /> * Cache update time (in minutes) for user management cache,<br /> * if notification URL is not provided<br /> */<br />com.iplanet.am.sdk.remote.pollingTime=1<br /><br />/*<br /> * Cache update time (in minutes) for service configutation data,<br /> * if notification URL is not provided<br /> */<br />com.sun.identity.sm.cacheTime=1<br /><br />/*<br /> * Server protocol, host and port<br /> */<br />com.iplanet.am.server.protocol=http<br />com.iplanet.am.server.host=avatar.red.iplanet.com<br />com.iplanet.am.server.port=80<br /><br />/*<br /> * Distributed Authentication Server protocol, host and port<br /> */<br />com.iplanet.distAuth.server.protocol=http<br />com.iplanet.distAuth.server.host=jackal.red.iplanet.com<br />com.iplanet.distAuth.server.port=7070<br /><br />com.iplanet.am.cookie.name=iPlanetDirectoryPro<br />com.iplanet.am.cookie.secure=false<br />com.iplanet.am.cookie.encode=false<br /><br />/*<br /> * Distributed Authentication Server deploy URI<br /> */<br />com.iplanet.am.services.deploymentDescriptor=/amauthdistui<br />com.iplanet.am.version=7.1<br /><br />/*<br /> * Distributed Authentication deploy URI<br /> */<br />com.iplanet.am.distauth.deploymentDescriptor=/amauthdistui<br /><br />/*<br /> * List of comma separated trusted Distributed Authentication servers in cluster<br /> */<br />com.sun.identity.distauth.cluster=<br /><br />/*<br /> * Identify cert db directory path, prefix and password file<br /> * to initialize JSS Socket Factory when Web Container is configured SSL<br /> */<br />com.iplanet.am.admin.cli.certdb.dir=CONTAINER_CERTDB_DIR<br />com.iplanet.am.admin.cli.certdb.prefix=CONTAINER_CERTDB_PREFIX<br />com.iplanet.am.admin.cli.certdb.passfile=CONFIG_DIR/.wtpass<br /><br />/*<br /> * Since the notification handler is not registered on Distributed<br /> * authentication side, the following polling parameters need to be specified<br /> * to enable the SessionPoller thread.<br /> */<br />com.iplanet.am.session.client.polling.enable=true<br />com.iplanet.am.session.client.polling.period=180<br /><br />/*<br /> * Load Balancer cookie name and value to be used when there are multiple<br /> * Distributed authentication web application servers behind Load Balancer.<br /> */<br />#com.iplanet.am.lbcookie.name=DistAuthLBCookieName<br />#com.iplanet.am.lbcookie.value=DistAuthLBCookieValue<br /><br />com.sun.identity.auth.cookieName=AMDistAuthCookie<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-6781358443257398277?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/KQFMvnFXmM2CjKeQs-laVf4n3II/0/da"><img src="http://feedads.g.doubleclick.net/~a/KQFMvnFXmM2CjKeQs-laVf4n3II/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/KQFMvnFXmM2CjKeQs-laVf4n3II/1/da"><img src="http://feedads.g.doubleclick.net/~a/KQFMvnFXmM2CjKeQs-laVf4n3II/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/4K7eXa863eY" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2010/06/3-steps-to-deploy-dist-auth-on-am-71.htmltag:blogger.com,1999:blog-8148124388771860313.post-46538139180504054092010-04-08T15:19:00.000-07:002010-04-08T15:37:36.425-07:002010-04-08T15:37:36.425-07:00Deployment example:<br />------------------<br />OpenSSO updat1 patch 3 server on machine avatar.red.iplanet.com<br />Glassfish 3.0 J2EE Policy Agent on machine rub-s10-6.sfbay.sun.com<br /><br /><br />Step-1: Install OpenSSO server. Configure agent profile, policies.<br /><br />Step-2: Install J2EE Policy Agent 3.0<br /><br />Step-3: In container hosting agent, deploy mini agent sample application from http://developers.sun.com/identity/reference/techart/policyagents/agent-mini-app.zip<br /><br />Step-4: In container hosting agent, deploy agentapp.war This is not installed by default. It is available in the following location: <br />/opt/lakshman/installations/agents/j2ee_agents/appserver_v9_agent/etc<br /><br />Step-5: Configure agent profile for 3 properties mentioned in the link:<br />http://docs.sun.com/app/docs/doc/820-5816/aeabl?a=view<br />In my sample, the values are (Agent Profile -> SSO tab):<br />a) Enabled "Cross Domain SSO" checkbox<br />b) CDSSO Servlet URL: http://avatar.red.iplanet.com:8080/opensso/cdcservlet<br />c) CDSSO Domain List: .sun.com<br /><br />Step-6: Set property "CDSSO Clock Skew" if you have not synchronized time between two machines hosting OpenSSO and agent.<br /><br />Step-7: Add agent machine domain name to Realm/DNS Aliases<br /><br />Step-8: Restart both containers hosting OpenSSO and glassfish server.<br /><br />Trouble shooting tips:<br />----------------------<br />1. Do not add /agentapp/sunwCDSSORedirectURI to not-enforced-list. This has been discussed some places in a google search.<br /><br />*************<br />Related docs:<br />*************<br /><a href="http://docs.sun.com/app/docs/doc/820-5816/aeabl?a=view">CDSSO Config</a> <br /><a href="http://docs.sun.com/app/docs/doc/820-3740/adrbn?l=en&a=view&q=cdsso">CDSSO Block Diagram</a><br /><a href="http://developers.sun.com/identity/reference/techart/policyagents.html">Mini agent sample deployment</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-4653813918050405409?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/j_2YC64OIRZtVVGckUG22N-P8xQ/0/da"><img src="http://feedads.g.doubleclick.net/~a/j_2YC64OIRZtVVGckUG22N-P8xQ/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/j_2YC64OIRZtVVGckUG22N-P8xQ/1/da"><img src="http://feedads.g.doubleclick.net/~a/j_2YC64OIRZtVVGckUG22N-P8xQ/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/4nG8SdHVNJo" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com2http://sunjavaidm.blogspot.com/2010/04/steps-to-configure-cdsso-in-opensso.htmltag:blogger.com,1999:blog-8148124388771860313.post-79597044599959544962010-03-24T16:24:00.001-07:002010-04-02T12:50:10.170-07:002010-04-02T12:50:10.170-07:00This example uses:<br />Active Directory on Windows Server 2003 Standard Edition Service Pack 2<br />AD Domain name : SUST.IDM.COM<br />Windows Server machine name: parrot<br />IE Version : 7.0.5730.13<br />OpenSSO update-1 Patch-2<br />OpenSSO host name : avatar.red.iplanet.com<br /><br />*****************************************************<br />Step-1: Active Directory Configuration:<br />*****************************************************<br />1. Login as administrator to the Windows Server.<br /><br />2. Open "Manage Your Server" wizard<br /> (Start Menu -> Administrative tools -> Manager Your Server)<br /><br />3. Choose "Add or remove a role" option<br /><br />4. Navigate to next screen "Configure Your Server Wizard".<br /> (In the navigation process, if you run into any network connection warnings, <br /> click continue and go ahead")<br /><br />5. Choose "Domain Controller (Active Directory)" option<br /><br />6. In the new wizard that pops up, choose default values.<br /><br />7. Continue navigating. When you get a screen to enter Domain name, enter<br /> SUST.IDM.COM - all capital letters. NetBIOS name as SUST (default value).<br /><br />8. Navigate till you get an error for DNS. <br /> Accept "Install and configure DNS on this server" option.<br /><br />9. Complete installation process, restart the machine.<br /><br />10. Login to the new domain just created SUST as Administrator<br /><br />*****************************************************<br />Step-2: Create user account for OpenSSO server in AD<br />*****************************************************<br />1. Open "Manage Your Server" wizard. <br /><br />2. Choose "Manage users and computers in Active Directory" option under Domain Controller role.<br /><br />3. Go to "Users" menu under SUST.IDM.COM domain<br /><br />4. Create a new user object with first name, last name, full name, logon name as: avatar<br /> This is the name of the opensso host name so that you can easily remember.The default <br /> password policy in Windows enforces atleast one capital letter and atleast one number. So<br /> choose Password123 for simplicity. <br /> NOTE: Do not have spaces in "Full Name" or logon name. <br /> Else you will get DnsCrack error in the next configuration steps.<br /><br />5. Open command prompt<br /><br />6. CD to the directory where you want to have keytab file.<br /><br />7. Run the following ktpass command:<br />C:\userData\lakshman>ktpass /princ HTTP/avatar.red.iplanet.com@SUST.IDM.COM /pass Password123 +DesOnly /crypto DES-CBC-CRC /ptype KRB5_NT_PRINCIPAL /mapuser avatar /out avatar.HTTP.keytab<br /><br />Expected output in command prompt:<br />Targeting domain controller: parrot.SUST.IDM.COM<br />Successfully mapped HTTP/avatar.red.iplanet.com to avatar.<br />Key created.<br />Output keytab to avatar.HTTP.keytab:<br />Keytab version: 0x502<br />keysize 67 HTTP/avatar.red.iplanet.com@SUST.IDM.COM ptype 1 (KRB5_NT_PRINCIPAL)<br />vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x98628cd615045bc8)<br />Account avatar has been set for DES-only encryption.<br /><br />8. ftp (in binary format) this keytab (avatar.HTTP.keytab) file to OpenSSO machine. In this example, ftp to the machine avatar.red.iplanet.com to the directory: /work/installations/opensso/patch/ad/<br /><br />*****************************************************<br />Step-3: Validate keytab file on OpenSSO host name<br />*****************************************************<br /><br />Command-1:<br />bash-3.00# klist -ek -t avatar.HTTP.keytab<br /><br />Expected output in bash shell is:<br /><br />Keytab name: FILE:avatar.HTTP.keytab<br />KVNO Timestamp Principal<br />---- ----------------- ---------------------------------------------------------<br /> 3 12/31/69 16:00:00 HTTP/avatar.red.iplanet.com@SUST.IDM.COM (DES cbc mode with CRC-32)<br /><br /><br />Command-2:<br />In "Active Directory Users and Computer" wizard on Windows Server 2003 machine, open user profile for avatar. Click on Account sub tab. Check that the value of field "User logon name as:<br />HTTP/avatar.red.iplanet.com<br /><br />********************************************************<br />Step-4: Configure windows desktop SSO module in OpenSSO<br />********************************************************<br />1. Create a new authentication module - winsso. The parameters are:<br /><br />Service Principal: HTTP/avatar.red.iplanet.com@SUST.IDM.COM<br /> <br />Keytab File Name: /work/installations/opensso/patch/ad/avatar.HTTP.keytab<br /> <br />Kerberos Realm: SUST.IDM.COM<br /> <br />Kerberos Server Name: parrot.red.iplanet.com<br /> <br />Return Principal with Domain Name: Disable check box<br /> <br />Authentication Level: 0<br /><br />********************************************************<br />Step-6: Create Administrator profile in OpenSSO<br />********************************************************<br />1. Create a profile for Administrator in OpenSSO under Realm -> Subjects<br /> For simplicity fill all name fields as Administrator and a password of your choice.<br /><br />********************************************************<br />Step-7: Synchronize time & Restart<br />********************************************************<br />1. Synchronize time on both Windows Server 2003 machine and OpenSSO host name.<br />Seconds difference is acceptable in the synch process.<br /><br />2. Restart container hosting OpenSSO war application - I mean OpenSSO server.<br /><br />********************************************************<br />Step-8: Configure browser on Windows Server 2003 machine<br />********************************************************<br />1. This test scenario will use browser on Windows Server 2003 Domain Controller to test Windows Desktop SSO feature. <br /><br />2. IE Browser (above 6.0 version):<br />a. Go to: Tools Menu -> Internet Options -> Security<br />b. Choose Local Intranet.<br />c. Click on Sites<br />d. Add OpenSSO machine name URL to the list. In this example<br />http://avatar.red.iplanet.com<br /><br />3. Mozilla Firefox:<br />a. Open browser, enter about:config<br />b. Accept warnings, promises.<br />c. Double click the Preference Name network.negotiate-auth.trusted-uris.<br />d. In the values text box that pops up, enter http://,https://<br /><br />********************************************************<br />Step-9: Testing<br />*******************************************************<br />1. Login as Administrator to SUST.IDM.COM domain on Windows Server 2003 machine.<br />2. Open IE browser. Enter http://avatar.red.iplanet.com:8080/opensso/UI/Login?module=winsso<br />3. You should see end user profile page for administrator in OpenSSO<br />4. Repeat test with Mozilla firefox and verify.<br /><br /><br />*******<br />NOTES:<br />*******<br /><br />Expected OpenSSO debug file output:<br />------------------------------------<br />The debug file Authentication on OpenSSO should have the following snippet in "message" mode.<br />amAuthWindowsDesktopSSO:03/24/2010 04:15:20:351 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />New Service Login ...<br />amAuthWindowsDesktopSSO:03/24/2010 04:15:20:423 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />Service login succeeded.<br />amAuthWindowsDesktopSSO:03/24/2010 04:15:20:430 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />SPNEGO token:<br />60 82 04 f1 06 06 2b 06 01 05 05 02 a0 82 04 e5<br />30 82 04 e1 a0 24 30 22 06 09 2a 86 48 82 f7 12<br />01 02 02 06 09 2a 86 48 86 f7 12 01 02 02 06 0a<br />2b 06 01 04 01 82 37 02 02 0a a2 82 04 b7 04 82<br />.... REALLY BIG BLOB ...<br />d0 f1 bc e3 fc d0 2c 7a 59 a3 c8 2a 35 cc 71 f6<br />d9 cd e6 c0 2e bb 7e 37 c9 6e fd 1a bc 14 82 7e<br />fe a0 29 3b a7<br />amAuthWindowsDesktopSSO:03/24/2010 04:15:20:431 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />token tag:60<br />amAuthWindowsDesktopSSO:03/24/2010 04:15:20:431 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />SPNEGO OID found in the Auth Token<br />amAuthWindowsDesktopSSO:03/24/2010 04:15:20:431 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />DerValue: found init token<br />amAuthWindowsDesktopSSO:03/24/2010 04:15:20:431 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />DerValue: 0x30 constructed token found<br />amAuthWindowsDesktopSSO:03/24/2010 04:15:20:435 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />Kerberos token retrieved from SPNEGO token:<br />60 82 04 af 06 09 2a 86 48 86 f7 12 01 02 02 01<br />00 6e 82 04 9e 30 82 04 9a a0 03 02 01 05 a1 03<br />02 01 0e a2 07 03 05 00 20 00 00 00 a3 82 03 c2<br />.... REALLY BIG BLOB ...<br />bc e3 fc d0 2c 7a 59 a3 c8 2a 35 cc 71 f6 d9 cd<br />e6 c0 2e bb 7e 37 c9 6e fd 1a bc 14 82 7e fe a0<br />29 3b a7<br />amAuthWindowsDesktopSSO:03/24/2010 04:15:20:435 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />In authenticationToken ...<br />amAuthWindowsDesktopSSO:03/24/2010 04:15:20:452 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />Context created.<br />amAuthWindowsDesktopSSO:03/24/2010 04:15:20:489 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />Token returned from acceptSecContext:<br />60 68 06 09 2a 86 48 86 f7 12 01 02 02 02 00 6f<br />59 30 57 a0 03 02 01 05 a1 03 02 01 0f a2 4b 30<br />49 a0 03 02 01 03 a2 42 04 40 04 60 a6 63 ef 08<br />b8 98 b6 69 f6 8a c5 7a 14 af b6 c3 03 1f 92 96<br />26 84 28 03 5e f8 6d 13 30 1b a4 d3 8d 17 4d 55<br />23 eb eb 8d c8 2e 56 46 a9 d2 a1 4f ec 10 3c 59<br />4b e9 34 15 ea 18 6a 40 68 7e<br />amAuthWindowsDesktopSSO:03/24/2010 04:15:20:489 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />Context establised !<br />amAuthWindowsDesktopSSO:03/24/2010 04:15:20:490 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />User authenticated: Administrator@SUST.IDM.COM<br />amAuthWindowsDesktopSSO:03/24/2010 04:15:20:493 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />WindowsDesktopSSO authentication succeeded.<br />amLoginModule:03/24/2010 04:15:20:493 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />Login NEXT State : -1<br />amLoginModule:03/24/2010 04:15:20:493 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />amLoginModule:03/24/2010 04:15:20:493 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />SETTING Module name.... :winsso<br />amAuth:03/24/2010 04:15:20:493 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />Module name is .. winsso<br />amAuth:03/24/2010 04:15:20:493 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />successModuleSet is : [winsso]<br />amJAAS:03/24/2010 04:15:20:493 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />login success<br />amLoginModule:03/24/2010 04:15:20:494 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />AMLoginModule.commit():Succeed,principal=WindowsDesktopSSOPrincipal: Administrator<br />amLoginModule:03/24/2010 04:15:20:494 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />Done added user to principal<br />amJAAS:03/24/2010 04:15:20:494 PM PDT: Thread[httpSSLWorkerThread-8080-1,10,Grizzly]<br />commit success<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-7959704459995954496?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/o0T6pMa_3WTEPcQ7L63gHhwxUSM/0/da"><img src="http://feedads.g.doubleclick.net/~a/o0T6pMa_3WTEPcQ7L63gHhwxUSM/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/o0T6pMa_3WTEPcQ7L63gHhwxUSM/1/da"><img src="http://feedads.g.doubleclick.net/~a/o0T6pMa_3WTEPcQ7L63gHhwxUSM/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/mte1X5mgCZU" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com1http://sunjavaidm.blogspot.com/2010/03/basic-deployment-test-case-for-windows.htmltag:blogger.com,1999:blog-8148124388771860313.post-72243161266659041592010-03-24T15:43:00.000-07:002010-03-24T17:50:37.241-07:002010-03-24T17:50:37.241-07:00************<br />Problem-1:<br />************<br />Type:<br />----- <br />ktpass configuration on Windows Domain Controller.<br /><br />Error: <br />-------<br />ktpass command gives error "Failed to retrieve user info if you configure it in two stages"<br /><br />Solution:<br />----------<br />Use the following syntax to do both mapping and keytab generation in one step:<br /><br />C:\userData\lakshman>ktpass /princ HTTP/avatar.red.iplanet.com@SUST.IDM.COM /pas<br />s Password123 +DesOnly /crypto DES-CBC-CRC /ptype KRB5_NT_PRINCIPAL /mapuser avata<br />r /out avatar.HTTP.keytab<br />Targeting domain controller: parrot.SUST.IDM.COM<br />Successfully mapped HTTP/avatar.red.iplanet.com to avatar.<br />Key created.<br />Output keytab to avatar.HTTP.keytab:<br />Keytab version: 0x502<br />keysize 67 HTTP/avatar.red.iplanet.com@SUST.IDM.COM ptype 1 (KRB5_NT_PRINCIPAL)<br />vno 3 etype 0x1 (DES-CBC-CRC) keylength 8 (0x98628cd615045bc8)<br />Account avatar has been set for DES-only encryption.<br /><br />************<br />Problem-2:<br />************<br />Type:<br />----- <br />ktpass configuration on Windows Domain Controller.<br /><br />Error: <br />-------<br />Executing ktpass command gives "DnsCrack error"<br /><br />Solution:<br />---------<br />Do not have spaces in user name that you are trying to map. Make sure "Full Name" and Logon name does not have any spaces.<br /><br />************<br />Problem-3:<br />************<br />Type:<br />----- <br />Specifying correct algorithm while running ktpass command.<br /><br />Solution:<br />---------<br />If AM is using Java 1.5_08 or below, must use DesOnly and crypto as DES-CBC-CRC.<br />To avoid running into this algorith problems, always use DesOnly and DES-CBC-CRC for testing. This is supported on all java versions above and below 1.5_08.<br /><br />************<br />Problem-4:<br />************<br />Type:<br />----- <br />Domain name on AD is not all capital letters like SUST.IDM.COM Instead it is sust.idm.com<br /><br />Solution:<br />---------<br />This is acceptable and will work. Use capital letters as in example below while running ktpass command if domain name is small letters.<br />C:\userData\lakshman>ktpass /princ HTTP/avatar.red.iplanet.com@SUST.IDM.COM /pas<br />s Password123 +DesOnly /crypto DES-CBC-CRC /ptype KRB5_NT_PRINCIPAL /mapuser avata<br />r /out avatar.HTTP.keytab<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-7224316126665904159?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/01RIOLLvl1PO58_WOhK_4IXvi1U/0/da"><img src="http://feedads.g.doubleclick.net/~a/01RIOLLvl1PO58_WOhK_4IXvi1U/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/01RIOLLvl1PO58_WOhK_4IXvi1U/1/da"><img src="http://feedads.g.doubleclick.net/~a/01RIOLLvl1PO58_WOhK_4IXvi1U/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/uxKKKleiejQ" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2010/03/ktpass-command-syntax-for-windows.htmltag:blogger.com,1999:blog-8148124388771860313.post-27927648391688262682010-03-12T17:21:00.000-08:002010-03-12T18:10:51.259-08:002010-03-12T18:10:51.259-08:00<a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://4.bp.blogspot.com/_Uxus1TITMLE/S5rpIy8QBPI/AAAAAAAAC3U/-Kp0tMEegQk/s1600-h/ms995329.http-sso-1-fig02(en-us,MSDN.10).gif"><img style="cursor:pointer; cursor:hand;width: 320px; height: 231px;" src="http://4.bp.blogspot.com/_Uxus1TITMLE/S5rpIy8QBPI/AAAAAAAAC3U/-Kp0tMEegQk/s320/ms995329.http-sso-1-fig02(en-us,MSDN.10).gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5447923036580742386" /></a><br /><br />1. When the logged-on user requests a resource from the Web server, it sends the initial HTTP GET verb.<br /><br />2. The Web server, running the SPNEGO Token Handler code, requires authentication and issues a 401 Access Denied, WWW-Authenticate: Negotiate response.<br /><br />3. The client calls AcquireCredentialsHandle()and InitializeSecurityContext() with the SPN to build the Security Context that requests the session ticket from the TGS(KDC).<br /><br />4. The TGS/KDC supplies the client with the necessary Kerberos Ticket (assuming the client is authorized) wrapped in a SPNEGO Token.<br /><br />5. The client re-sends the HTTP GET request + the Negotiate SPNEGO Token in an Authorization: Negotiate base64(token) header.<br /><br />6. The Web server's SPNEGO Token Handler code accepts and processes the token through GSS API, authenticates the user and responds with the requested URL.<br /><br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_Uxus1TITMLE/S5rpzKlwySI/AAAAAAAAC3k/hc4VVGXDnzA/s1600-h/ms995329.http-sso-1-fig03(en-us,MSDN.10).gif"><img style="cursor:pointer; cursor:hand;width: 320px; height: 171px;" src="http://1.bp.blogspot.com/_Uxus1TITMLE/S5rpzKlwySI/AAAAAAAAC3k/hc4VVGXDnzA/s320/ms995329.http-sso-1-fig03(en-us,MSDN.10).gif" border="0" alt=""id="BLOGGER_PHOTO_ID_5447923764483377442" /></a><br /><br /><br />Process flow for Windows Desktop SSO module in AM code<br /><br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://1.bp.blogspot.com/_Uxus1TITMLE/S5ruMumqKlI/AAAAAAAAC3s/1cqvGpzb4gY/s1600-h/winsso.JPG"><img style="cursor:pointer; cursor:hand;width: 283px; height: 320px;" src="http://1.bp.blogspot.com/_Uxus1TITMLE/S5ruMumqKlI/AAAAAAAAC3s/1cqvGpzb4gY/s320/winsso.JPG" border="0" alt=""id="BLOGGER_PHOTO_ID_5447928601694054994" /></a><br /><br />1. When the logged-on user (browser client) requests a protected resource from the Web server, it sends the initial HTTP GET verb. <br /><br />2. The policy agent intercepts the request, sees SSO token in cookie is not present. It redirects it to the web server hosting Sun Access Manager which has WinSSO auth module code (SPNEGO Token Handler code).<br /><br />3. The Web server, running the SPNEGO Token Handler code (Access Manager Windows desktop SSO auth module), requires authentication to access that resource. So Access Manager code on web server issues a 401 Access Denied, WWW-Authenticate: Negotiate response to the browser client.<br /><br />4. The browser client calls AcquireCredentialsHandle()and InitializeSecurityContext() with the SPN to build the Security Context. In this process, SPNEGO capable browser requests the session ticket from the Ticket Granting Server (TGS - could be windows domain controller or unix kdc server). This direct interaction between browser and KDC will provide <br />a) Ticket Granting Ticket (TGT - if not already present)<br />b) Kerberos or NTLM ticket depending upon configuration. Note AM works only with Kerberos ticket. AM does not support NTLM ticket.<br />This is wrapped in a SPNEGO token which is presented to AM.<br /><br />5. The TGS/KDC supplies the client (browser) with the necessary Kerberos Ticket (assuming the client is authorized) wrapped in a SPNEGO Token.<br /><br />6. The client re-sends the HTTP GET request + the Negotiate SPNEGO Token in an Authorization: Negotiate base64(token) header to Windows Desktop SSO module of Access Manager running on Unix web server.<br /><br />7. The SPNEGO Token Handler code in Windows Desktop SSO module of Access Manager running on Unix web server accepts and processes the token through GSS API, authenticates the user. After successful authentication, AM prepares SSO Token in a cookie. <br /><br />8. AM sends back response to browser with HTTP code - 200. Now browser has SSO Token wrapped in a cookie.<br /><br />9. Browser sends HTTP Get request to web server hosting policy agent so that it can handle the protected resource request.<br /><br /><br />References:<br />===========<br /><a href="http://msdn.microsoft.com/en-us/library/ms995329.aspx">MSDN Article-1</a><br /><a href="http://msdn.microsoft.com/en-us/library/ms995330.aspx">MSDN Article-2</a><br /><a href="http://msdn.microsoft.com/en-us/library/ms995331.aspx">MSDN Article-3</a><br /><a href="http://docs.sun.com/app/docs/doc/820-3746/gisxh?a=view">OpenSSO doc Article-1</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-2792764839168826268?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/e7TuRtg89zPSBB_Zy-9BhsFye6k/0/da"><img src="http://feedads.g.doubleclick.net/~a/e7TuRtg89zPSBB_Zy-9BhsFye6k/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/e7TuRtg89zPSBB_Zy-9BhsFye6k/1/da"><img src="http://feedads.g.doubleclick.net/~a/e7TuRtg89zPSBB_Zy-9BhsFye6k/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/-2laI3_QrwA" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com1http://sunjavaidm.blogspot.com/2010/03/windows-cross-platform-authentication.htmltag:blogger.com,1999:blog-8148124388771860313.post-51875105239285376662009-12-22T14:45:00.000-08:002009-12-22T14:49:11.453-08:002009-12-22T14:49:11.453-08:001. Open Sun DS Console or any LDAP browser and connect to backend DS configured for AM Server.<br /><br />2. Browse to following DN :<br />ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMAuthService,ou=services,dc=sfbay,dc=sun,dc=com<br /><br />3. Edit attribute sunkeyvalue attribute by modifying iplanet-am-auth-allowed-modules from UNIX to LDAP<br />sunkeyvalue: iplanet-am-auth-allowed-modules=LDAP<br /><br />4. Restart AM.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-5187510523928537666?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/5mujZonf4VqvoGHIu8GSYUrYVZ8/0/da"><img src="http://feedads.g.doubleclick.net/~a/5mujZonf4VqvoGHIu8GSYUrYVZ8/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/5mujZonf4VqvoGHIu8GSYUrYVZ8/1/da"><img src="http://feedads.g.doubleclick.net/~a/5mujZonf4VqvoGHIu8GSYUrYVZ8/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/h2nvmclo-5U" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com1http://sunjavaidm.blogspot.com/2009/12/dev-tip-to-change-default-auth-modules.htmltag:blogger.com,1999:blog-8148124388771860313.post-51128930153504164062009-09-03T16:18:00.000-07:002009-09-03T16:32:10.483-07:002009-09-03T16:32:10.483-07:00Step-1: Create a new user identity testuser1 <br /><br />Step-2: Create a new role identity testrole1<br /><br />Step-3: Assign testrole1 to testuser1. <br />Sun AM uses nsRole attribute of DS to store roles for user identity. If you want to verify this, you can do ldapsearch on DS:<br />ldapsearch -b "dc=red,dc=iplanet,dc=com" -D "cn=Directory Manager" -w <password> -h jackal.red.iplanet.com -p 7389 -s sub "uid=testuser1" nsRole<br /><br />Step-4: Delete testrole1, then DS takes care of deleting testrole1 DN in testuser1 - nsRole attribute. This works only if Referential integrity plugin is enabled in DS. You can check if referential integrity is enabled or disabled by using:<br /><br />dsconf get-server-prop -p 7389 -h jackal.red.iplanet.com -D "cn=Directory Manager" -w /opt/pass.txt | grep ref-integrity-enabled<br /><br />ref-integrity-enabled : on<br /><br />where dsconf if a tool obtained from DSEE installation. It is available in the following location:<br />/opt/SUNWdsee/ds6/bin<br />/opt is the default location of Sun DSEE installation.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-5112893015350416406?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/V3yi6-jrWlTRYfZ3BXCT-vVXas8/0/da"><img src="http://feedads.g.doubleclick.net/~a/V3yi6-jrWlTRYfZ3BXCT-vVXas8/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/V3yi6-jrWlTRYfZ3BXCT-vVXas8/1/da"><img src="http://feedads.g.doubleclick.net/~a/V3yi6-jrWlTRYfZ3BXCT-vVXas8/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/sFj-uGkOU04" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com1http://sunjavaidm.blogspot.com/2009/09/nsrole-attribute-for-am-identitites.htmltag:blogger.com,1999:blog-8148124388771860313.post-58905184446982147222009-09-02T17:10:00.000-07:002009-09-03T16:31:34.574-07:002009-09-03T16:31:34.574-07:00dsconf get-server-prop -p 389 -h jackal.red.iplanet.com -D "cn=Directory Manager" -w /opt/pass.txt | grep ref-integrity-enabled<br /><br />where dsconf if a tool obtained from DSEE installation. It is available in the following location:<br />/opt/SUNWdsee/ds6/bin<br />where /opt is the default location.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-5890518444698214722?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/BF958pA8bCIw0ieaylyEBifVLAA/0/da"><img src="http://feedads.g.doubleclick.net/~a/BF958pA8bCIw0ieaylyEBifVLAA/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/BF958pA8bCIw0ieaylyEBifVLAA/1/da"><img src="http://feedads.g.doubleclick.net/~a/BF958pA8bCIw0ieaylyEBifVLAA/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/gx76e-XlGRM" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2009/09/command-to-check-if-referential.htmltag:blogger.com,1999:blog-8148124388771860313.post-65842015955662563292009-08-26T21:13:00.000-07:002009-12-18T14:09:44.906-08:002009-12-18T14:09:44.906-08:00------------- Step 1 ---------------<br /><br />bash-3.00# /opt/SUNWdsee/dscc6/bin/dsccsetup initialize<br />***<br />DSCC Application is already registered<br />***<br />DSCC Agent is already registered<br />***<br />DSCC Registry has already been created<br />***<br /><br />------------- Step 2 ---------------<br /><br />bash-3.00# /opt/SUNWdsee/dscc6/bin/dsccsetup status<br />***<br />DSCC Application is registered in Sun Java (TM) Web Console<br />***<br />DSCC Agent is registered in Cacao<br />***<br />DSCC Registry has been created<br />Path of DSCC registry is /var/opt/SUNWdsee/dscc6/dcc/ads<br />Port of DSCC registry is 3998<br />DSCC registry is not running. You may start it using:<br /> /opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/dscc6/dcc/ads<br />***<br /><br />------------- Step 3 ---------------<br /><br />bash-3.00# /opt/SUNWdsee/ds6/bin/dsadm start /var/opt/SUNWdsee/dscc6/dcc/ads<br />Server started: pid=2510<br /><br />------------- Step 4 ---------------<br /><br />bash-3.00# /opt/SUNWdsee/dscc6/bin/dsccsetup status<br />***<br />DSCC Application is registered in Sun Java (TM) Web Console<br />***<br />DSCC Agent is registered in Cacao<br />***<br />DSCC Registry has been created<br />Path of DSCC registry is /var/opt/SUNWdsee/dscc6/dcc/ads<br />Port of DSCC registry is 3998<br />***<br /><br />------------- Step 5 ---------------<br /><br />bash-3.00# cacaoadm status<br />default instance is DISABLED at system startup.<br />default instance is not running.<br /><br />bash-3.00# cacaoadm start<br /><br />------------- Step 6 ---------------<br /><br />bash-3.00# smcwebserver start<br />Access Sun Java Web Console at port 6789 (default)<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-6584201595566256329?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/T5EkqffBJE3vq-24JXLMmZUlbsU/0/da"><img src="http://feedads.g.doubleclick.net/~a/T5EkqffBJE3vq-24JXLMmZUlbsU/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/T5EkqffBJE3vq-24JXLMmZUlbsU/1/da"><img src="http://feedads.g.doubleclick.net/~a/T5EkqffBJE3vq-24JXLMmZUlbsU/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/LY5AKwAmTag" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2009/08/debug-dsee-63-sun-ds-on-machine-restart.htmltag:blogger.com,1999:blog-8148124388771860313.post-18121329099879560192009-05-06T17:41:00.000-07:002009-05-06T17:47:07.415-07:002009-05-06T17:47:07.415-07:00In case of Access Manager session upgrade, a new session is created by copying contents of old session and old session is destroyed. So if you observe the content of iPlanetDirectoryProCookie, it changes its value.<br /><br />In case of Access Manager forceauth, it will be the same session. So, if you observe the content of iPlanetDirectoryProCookie, it does not change its value.<br /><br />How to test this forceauth behavior?<br /><br />1. http://host:port/amserver/UI/Login?module=DataStore. Complete successful authentication.<br /><br />2. http://host:port/amserver/UI/Login?module=LDAP&ForceAuth=true. This will now kick in force auth.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-1812132909987956019?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/9C8xMlfrAJ-98B--xhjdFmuOp8A/0/da"><img src="http://feedads.g.doubleclick.net/~a/9C8xMlfrAJ-98B--xhjdFmuOp8A/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/9C8xMlfrAJ-98B--xhjdFmuOp8A/1/da"><img src="http://feedads.g.doubleclick.net/~a/9C8xMlfrAJ-98B--xhjdFmuOp8A/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/UNtDIN916ig" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2009/05/cookies-in-case-of-session-upgrade-vs.htmltag:blogger.com,1999:blog-8148124388771860313.post-9939492876526159252009-04-15T10:19:00.000-07:002009-04-19T00:50:57.437-07:002009-04-19T00:50:57.437-07:00It is a painful task. The document provided by <a href="http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.8/doc/install.html#SEC39">MIT</a> does not help at all. <br />We need to use <a href="http://docs.sun.com/app/docs/doc/816-4557/setup-9?l=en&a=view">Solaris security services</a> admin guide to get this working. Thanks to Kerberos team in Sun. <br /><br />The kdcmgr utility mentioned in the document is not available on Solaris-10 by default. For simplicity, use same password in all steps to get this thing working.<br /><br />The step-by-step procedure that I had followed is documented below:<br />-----------------------------------------------------<br />bash-3.00# cat krb5.conf<br />[logging]<br /> default = FILE:/var/log/krb5libs.log<br /> kdc = FILE:/var/log/krb5kdc.log<br /> admin_server = FILE:/var/log/kadmind.log<br /><br />[libdefaults]<br /> dns_lookup_realm = false<br /> dns_lookup_kdc = false<br /> default_keytab_name = /etc/krb5/kadm5.keytab<br /> default_realm = RED.IPLANET.COM<br /> default_tkt_enctypes = des-cbc-md5<br /> default_tgs_enctypes = des-cbc-md5<br /> kdc_timesync = 0<br /> kdc_default_options = 0x40000010<br /> clockskew = 300<br /> check_delegate = 0<br /> ccache_type = 3<br /> kdc_timeout = 60000<br /><br />[realms]<br /> RED.IPLANET.COM = {<br /> kdc = avatar.red.iplanet.com:88<br /> admin_server = avatar.red.iplanet.com:749<br /> default_domain = red.iplanet.com<br /> }<br /><br />[domain_realm]<br /> .red.iplanet.com = RED.IPLANET.COM<br /> red.iplanet.com = RED.IPLANET.COM<br /><br />[appdefaults]<br /> pam = {<br /> debug = true<br /> ticket_lifetime = 36000<br /> renew_lifetime = 36000<br /> forwardable = true<br /> krb4_convert = false<br /> }<br /><br />bash-3.00# cat kdc.conf<br />#<br /># Copyright 1998-2002 Sun Microsystems, Inc. All rights reserved.<br /># Use is subject to license terms.<br />#<br />#ident "@(#)kdc.conf 1.2 02/02/14 SMI"<br /><br />[kdcdefaults]<br /> kdc_ports = 88,750<br /><br />[realms]<br /> RED.IPLANET.COM = {<br /> profile = /etc/krb5/krb5.conf<br /> database_name = /var/krb5/principal<br /> admin_keytab = /etc/krb5/kadm5.keytab<br /> acl_file = /etc/krb5/kadm5.acl<br /> kadmind_port = 749<br /> max_life = 8h 0m 0s<br /> max_renewable_life = 7d 0h 0m 0s<br /> sunw_dbprop_enable = true<br /> sunw_dbprop_master_ulogsize = 1000<br /> }<br /><br /><br />bash-3.00# cat kadm5.acl<br />#<br /># Copyright (c) 1998-2000 by Sun Microsystems, Inc.<br /># All rights reserved.<br />#<br />#pragma ident "@(#)kadm5.acl 1.1 01/03/19 SMI"<br /><br />*/admin@RED.IPLANET.COM *<br /><br /><br />bash-3.00# ./kdb5_util create -s<br />Initializing database '/var/krb5/principal' for realm 'RED.IPLANET.COM',<br />master key name 'K/M@RED.IPLANET.COM'<br />You will be prompted for the database Master Password.<br />It is important that you NOT FORGET this password.<br />Enter KDC database master key:<br />Re-enter KDC database master key to verify:<br /><br />bash-3.00# ./kadmin.local<br />Authenticating as principal root/admin@RED.IPLANET.COM with password.<br /><br />kadmin.local: addprinc kws/admin<br />WARNING: no policy specified for kws/admin@RED.IPLANET.COM; defaulting to no policy<br />Enter password for principal "kws/admin@RED.IPLANET.COM":<br />Re-enter password for principal "kws/admin@RED.IPLANET.COM":<br />Principal "kws/admin@RED.IPLANET.COM" created.<br /><br />kadmin.local: addprinc -randkey kiprop/avatar.red.iplanet.com<br />WARNING: no policy specified for kiprop/avatar.red.iplanet.com@RED.IPLANET.COM; defaulting to no policy<br />Principal "kiprop/avatar.red.iplanet.com@RED.IPLANET.COM" created.<br /><br />kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/avatar.red.iplanet.com<br />Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal kadmin/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br /><br />kadmin.local: ktadd -k /etc/krb5/kadm5.keytab changepw/avatar.red.iplanet.com<br />Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal changepw/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br /><br />kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/changepw<br />Entry for principal kadmin/changepw with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal kadmin/changepw with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal kadmin/changepw with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal kadmin/changepw with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br /><br />kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kiprop/avatar.red.iplanet.com<br />Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal kiprop/avatar.red.iplanet.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br /><br />kadmin.local: quit<br /><br />bash-3.00# svcadm enable -r network/security/krb5kdc<br />bash-3.00# svcadm enable -r network/security/kadmin<br /><br />bash-3.00# /usr/sbin/kadmin -p kws/admin<br />Authenticating as principal kws/admin@RED.IPLANET.COM with password.<br />kadmin: Incorrect password while initializing kadmin interface<br />bash-3.00#<br /><br />bash-3.00# cat /etc/resolv.conf<br />domain red.iplanet.com<br />search red.iplanet.com sfbay.sun.com sun.com<br />nameserver 129.145.155.55<br />nameserver 129.145.155.170<br />nameserver 192.18.120.21<br />nameserver 192.18.120.24<br />#nameserver 129.148.9.196<br />#nameserver 129.148.9.197<br />#nameserver 129.147.9.5<br />#nameserver 129.145.155.220<br /><br />avatar# touch /var/log/kadmind.log /var/log/krb5kdc.log<br />> /var/log/krb5libs.log<br />> avatar# svcadm restart krb5kdc<br />> avatar# svcadm restart kadmin<br />> avatar# kadmin -p kws/admin<br />> Authenticating as principal kws/admin@RED.IPLANET.COM with password.<br />> Password for kws/admin@RED.IPLANET.COM:<br />> kadmin: listprincs<br />> K/M@RED.IPLANET.COM<br />> changepw/avatar.red.iplanet.com@RED.IPLANET.COM<br />> kadmin/admin@RED.IPLANET.COM<br />> kadmin/avatar.red.iplanet.com@RED.IPLANET.COM<br />> kadmin/changepw@RED.IPLANET.COM<br />> kadmin/history@RED.IPLANET.COM<br />> kiprop/avatar.red.iplanet.com@RED.IPLANET.COM<br />> krbtgt/RED.IPLANET.COM@RED.IPLANET.COM<br />> kws/admin@RED.IPLANET.COM<br />> kadmin:<br /><br />bash-3.00# ./kadmin -p kws/admin<br />Authenticating as principal kws/admin@RED.IPLANET.COM with password.<br />Password for kws/admin@RED.IPLANET.COM:<br />kadmin: addprinc -randkey host/avatar.red.iplanet.com<br />WARNING: no policy specified for host/avatar.red.iplanet.com@RED.IPLANET.COM; defaulting to no policy<br />Principal "host/avatar.red.iplanet.com@RED.IPLANET.COM" created.<br /><br />kadmin: addprinc clntconfig/admin<br />WARNING: no policy specified for clntconfig/admin@RED.IPLANET.COM; defaulting to no policy<br />Enter password for principal "clntconfig/admin@RED.IPLANET.COM":<br />Re-enter password for principal "clntconfig/admin@RED.IPLANET.COM":<br />Principal "clntconfig/admin@RED.IPLANET.COM" created.<br />kadmin: quit<br /><br />bash-3.00# kadmin -p kws/admin<br />Authenticating as principal kws/admin@RED.IPLANET.COM with password.<br />Password for kws/admin@RED.IPLANET.COM:<br />kadmin: ktadd host/avatar.red.iplanet.com<br />kadmin: Cannot write to specified key table while adding key to keytab<br />kadmin: quit<br /><br />bash-3.00# ./kadmin.local<br />Authenticating as principal root/admin@RED.IPLANET.COM with password.<br />kadmin.local: ktadd -k /etc/krb5/kadm5.keytab host/avatar.red.iplanet.com<br />Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />Entry for principal host/avatar.red.iplanet.com with kvno 4, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.<br />kadmin.local: quit<br /><br />bash-3.00# /usr/sbin/kadmin.local<br />Authenticating as principal root/admin@RED.IPLANET.COM with password.<br />kadmin.local: listprincs<br /> 1 K/M@RED.IPLANET.COM<br /> 2 changepw/avatar.red.iplanet.com@RED.IPLANET.COM<br /> 3 clntconfig/admin@RED.IPLANET.COM<br /> 4 host/avatar.red.iplanet.com@RED.IPLANET.COM<br /> 5 kadmin/admin@RED.IPLANET.COM<br /> 6 kadmin/avatar.red.iplanet.com@RED.IPLANET.COM<br /> 7 kadmin/changepw@RED.IPLANET.COM<br /> 8 kadmin/history@RED.IPLANET.COM<br /> 9 kiprop/avatar.red.iplanet.com@RED.IPLANET.COM<br /> 10 krbtgt/RED.IPLANET.COM@RED.IPLANET.COM<br /> 11 kws/admin@RED.IPLANET.COM<br />kadmin.local: quit<br /><br />bash-3.00# svcs -a | grep secur<br />disabled 20:24:27 svc:/network/security/krb5_prop:default<br />online 20:24:27 svc:/network/security/ktkt_warn:default<br />online 10:15:30 svc:/network/security/krb5kdc:default<br />online 10:15:32 svc:/network/security/kadmin:default<br /><br />************ Configuration on AM ******************<br />kadmin.local: addprinc root<br />kinit root<br />klist<br /><br />kadmin.local: addprinc -randkey HTTP/avatar.red.iplanet.com<br />kadmin.local: ktadd -k /opt/SUNWam/avatar.HTTP.keytab HTTP/avatar.red.iplanet.com<br />kinit -k -t /opt/SUNWam/avatar.HTTP.keytab HTTP/avatar.red.iplanet.com<br />klist -k /opt/SUNWam/avatar.HTTP.keytab<br /><br />mv /opt/SUNWam/avatar.HTTP.keytab /etc/opt/SUNWam/config/<br /><br />Service Principal: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM<br />Keytab File Name: /etc/opt/SUNWam/config/avatar.HTTP.keytab<br />Kerberos Realm: RED.IPLANET.COM<br />Kerberos Server Name: avatar.red.iplanet.com<br />Return Principal with Domain Name: Disabled<br />Authentication Level: 0<br /><br />- Restart AM WebServer<br /><br />The debug file amAuthWindowsDesktopSSO should show the following debug messages if auth succeeded:<br />04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]<br />**********************************************<br />04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]<br />WindowsDesktopSSO params:<br />principal: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM<br />keytab file: /etc/opt/SUNWam/config/avatar.HTTP.keytab<br />realm : RED.IPLANET.COM<br />kdc server: avatar.red.iplanet.com<br />domain principal: false<br />auth level: 0<br />04/18/2009 11:56:39:944 PM PDT: Thread[service-j2ee-3,5,main]<br />Init WindowsDesktopSSO. This should not happen often.<br />04/18/2009 11:56:39:945 PM PDT: Thread[service-j2ee-3,5,main]<br />New Service Login ...<br />04/18/2009 11:56:40:586 PM PDT: Thread[service-j2ee-3,5,main]<br />Service login succeeded.<br />04/18/2009 11:56:40:704 PM PDT: Thread[service-j2ee-3,5,main]<br />SPNEGO token:<br />60 82 02 79 06 06 2b 06 01 05 05 02 a0 82 02 6d<br />30 82 02 69 a0 0d 30 0b 06 09 2a 86 48 86 f7 12<br />01 02 02 a1 04 03 02 01 02 a2 82 02 50 04 82 02<br />4c 60 82 02 48 06 09 2a 86 48 86 f7 12 01 02 02<br />01 00 6e 82 02 37 30 82 02 33 a0 03 02 01 05 a1<br />03 02 01 0e a2 07 03 05 00 00 00 00 00 a3 82 01<br />4b 61 82 01 47 30 82 01 43 a0 03 02 01 05 a1 11<br />1b 0f 52 45 44 2e 49 50 4c 41 4e 45 54 2e 43 4f<br />4d a2 29 30 27 a0 03 02 01 03 a1 20 30 1e 1b 04<br />48 54 54 50 1b 16 61 76 61 74 61 72 2e 72 65 64<br />2e 69 70 6c 61 6e 65 74 2e 63 6f 6d a3 81 fd 30<br />81 fa a0 03 02 01 11 a1 03 02 01 05 a2 81 ed 04<br />81 ea 8e 55 1d 11 a8 8d 23 ed 34 b5 87 f9 97 0c<br />bb ef ed 30 ee be c7 95 33 77 84 06 97 a5 da 3e<br />b8 8d 25 a0 0c dd 06 b3 b4 02 ba ea 50 22 37 b8<br />29 db 00 40 d3 74 f1 f6 80 1f c9 ff 62 ab 5b 02<br />4a ed be 75 dd 3c d6 cf 63 3a 49 5c d7 24 74 1d<br />2c 3d 3b 2d 7d 94 9e b2 2d 05 3b 8a e1 94 30 9d<br />14 42 9f a1 b4 c4 e7 16 ff 9f c7 3e 89 24 db 13<br />e4 18 fb 8d f5 50 f7 47 59 6e 86 26 a3 3b 33 0c<br />a3 89 de 54 77 e2 fd 99 ba 16 cb 1b f2 5f 31 f1<br />c5 dd 6b 5a e2 d4 d6 23 6e e1 32 a8 ab 83 70 be<br />f6 ef 50 cb fe cd 20 b3 1a 9f 76 fd 55 59 a1 48<br />40 38 87 8e 17 96 18 8e 46 44 18 e9 af 1c 23 9e<br />09 d1 6a b3 55 2e 17 38 1b 9c ae 22 83 04 46 7b<br />92 ed cc d5 df 28 31 1e 15 00 fc 1b 9d 9d a5 64<br />1b b0 3c c8 79 3a 85 45 dc 7c e6 80 a4 81 ce 30<br />81 cb a0 03 02 01 03 a2 81 c3 04 81 c0 51 af 58<br />86 db 73 b8 8b ba 07 cf 8c 40 46 0b b6 46 8c d0<br />6b 4c ad 3f 2a 0d a6 ec e8 8c 29 f6 3c ac a5 27<br />ac 34 95 1f cd d3 cf 78 5b b7 40 2a c3 d4 f8 fb<br />e5 7e d0 f2 d9 41 c3 b6 48 6f fa 8d ee de d0 fc<br />76 d4 48 55 a2 98 9c 88 07 7a 87 18 37 bb ac 16<br />89 17 ee 04 95 5f 58 2d 4e 2f ff da b7 12 2c 2a<br />2a a0 82 ef c6 43 ae 67 f3 e3 31 9a 77 b2 64 51<br />5f f4 28 84 0c be 8a 08 da 2e df 0b 77 33 c7 6a<br />1a 70 8f bd 56 10 bc 5a 6c 8d 82 21 8c be d5 88<br />69 7b 60 81 a1 31 02 60 73 ed a3 bb 5d b1 fc cc<br />86 2f 33 96 a1 6d bb 4a 10 94 07 ff 62 9f c6 7c<br />2c e7 66 89 99 ed 74 69 e8 a3 62 01 14<br />04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]<br />token tag:60<br />04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]<br />SPNEGO OID found in the Auth Token<br />04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]<br />DerValue: found init token<br />04/18/2009 11:56:40:705 PM PDT: Thread[service-j2ee-3,5,main]<br />DerValue: 0x30 constructed token found<br />04/18/2009 11:56:40:712 PM PDT: Thread[service-j2ee-3,5,main]<br />Kerberos token retrieved from SPNEGO token:<br />60 82 02 48 06 09 2a 86 48 86 f7 12 01 02 02 01<br />00 6e 82 02 37 30 82 02 33 a0 03 02 01 05 a1 03<br />02 01 0e a2 07 03 05 00 00 00 00 00 a3 82 01 4b<br />61 82 01 47 30 82 01 43 a0 03 02 01 05 a1 11 1b<br />0f 52 45 44 2e 49 50 4c 41 4e 45 54 2e 43 4f 4d<br />a2 29 30 27 a0 03 02 01 03 a1 20 30 1e 1b 04 48<br />54 54 50 1b 16 61 76 61 74 61 72 2e 72 65 64 2e<br />69 70 6c 61 6e 65 74 2e 63 6f 6d a3 81 fd 30 81<br />fa a0 03 02 01 11 a1 03 02 01 05 a2 81 ed 04 81<br />ea 8e 55 1d 11 a8 8d 23 ed 34 b5 87 f9 97 0c bb<br />ef ed 30 ee be c7 95 33 77 84 06 97 a5 da 3e b8<br />8d 25 a0 0c dd 06 b3 b4 02 ba ea 50 22 37 b8 29<br />db 00 40 d3 74 f1 f6 80 1f c9 ff 62 ab 5b 02 4a<br />ed be 75 dd 3c d6 cf 63 3a 49 5c d7 24 74 1d 2c<br />3d 3b 2d 7d 94 9e b2 2d 05 3b 8a e1 94 30 9d 14<br />42 9f a1 b4 c4 e7 16 ff 9f c7 3e 89 24 db 13 e4<br />18 fb 8d f5 50 f7 47 59 6e 86 26 a3 3b 33 0c a3<br />89 de 54 77 e2 fd 99 ba 16 cb 1b f2 5f 31 f1 c5<br />dd 6b 5a e2 d4 d6 23 6e e1 32 a8 ab 83 70 be f6<br />ef 50 cb fe cd 20 b3 1a 9f 76 fd 55 59 a1 48 40<br />38 87 8e 17 96 18 8e 46 44 18 e9 af 1c 23 9e 09<br />d1 6a b3 55 2e 17 38 1b 9c ae 22 83 04 46 7b 92<br />ed cc d5 df 28 31 1e 15 00 fc 1b 9d 9d a5 64 1b<br />b0 3c c8 79 3a 85 45 dc 7c e6 80 a4 81 ce 30 81<br />cb a0 03 02 01 03 a2 81 c3 04 81 c0 51 af 58 86<br />db 73 b8 8b ba 07 cf 8c 40 46 0b b6 46 8c d0 6b<br />4c ad 3f 2a 0d a6 ec e8 8c 29 f6 3c ac a5 27 ac<br />34 95 1f cd d3 cf 78 5b b7 40 2a c3 d4 f8 fb e5<br />7e d0 f2 d9 41 c3 b6 48 6f fa 8d ee de d0 fc 76<br />d4 48 55 a2 98 9c 88 07 7a 87 18 37 bb ac 16 89<br />17 ee 04 95 5f 58 2d 4e 2f ff da b7 12 2c 2a 2a<br />a0 82 ef c6 43 ae 67 f3 e3 31 9a 77 b2 64 51 5f<br />f4 28 84 0c be 8a 08 da 2e df 0b 77 33 c7 6a 1a<br />70 8f bd 56 10 bc 5a 6c 8d 82 21 8c be d5 88 69<br />7b 60 81 a1 31 02 60 73 ed a3 bb 5d b1 fc cc 86<br />2f 33 96 a1 6d bb 4a 10 94 07 ff 62 9f c6 7c 2c<br />e7 66 89 99 ed 74 69 e8 a3 62 01 14<br />04/18/2009 11:56:40:712 PM PDT: Thread[service-j2ee-3,5,main]<br />In authenticationToken ...<br />04/18/2009 11:56:40:724 PM PDT: Thread[service-j2ee-3,5,main]<br />Context created.<br />04/18/2009 11:56:41:124 PM PDT: Thread[service-j2ee-3,5,main]<br />Token returned from acceptSecContext:<br /><br />04/18/2009 11:56:41:124 PM PDT: Thread[service-j2ee-3,5,main]<br />Context establised !<br />04/18/2009 11:56:41:125 PM PDT: Thread[service-j2ee-3,5,main]<br />User authenticated: HTTP/avatar.red.iplanet.com@RED.IPLANET.COM<br />04/18/2009 11:56:41:127 PM PDT: Thread[service-j2ee-3,5,main]<br />WindowsDesktopSSO authentication succeeded.<br /><br />***********************************************************************<br /><br />bash-3.00# /usr/sbin/kadmin.local<br />Authenticating as principal HTTP/admin@RED.IPLANET.COM with password.<br />kadmin.local: listprincs<br /> 1 HTTP/avatar.red.iplanet.com@RED.IPLANET.COM<br /> 2 K/M@RED.IPLANET.COM<br /> 3 changepw/avatar.red.iplanet.com@RED.IPLANET.COM<br /> 4 clntconfig/admin@RED.IPLANET.COM<br /> 5 demo1@RED.IPLANET.COM<br /> 6 demouser1@RED.IPLANET.COM<br /> 7 host/avatar.red.iplanet.com@RED.IPLANET.COM<br /> 8 kadmin/admin@RED.IPLANET.COM<br /> 9 kadmin/avatar.red.iplanet.com@RED.IPLANET.COM<br /> 10 kadmin/changepw@RED.IPLANET.COM<br /> 11 kadmin/history@RED.IPLANET.COM<br /> 12 kiprop/avatar.red.iplanet.com@RED.IPLANET.COM<br /> 13 krbtgt/RED.IPLANET.COM@RED.IPLANET.COM<br /> 14 kws/admin@RED.IPLANET.COM<br /> 15 root@RED.IPLANET.COM<br />kadmin.local:<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-993949287652615925?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/D1Sc5MtRJiUDqfiT-YP0-2syQEk/0/da"><img src="http://feedads.g.doubleclick.net/~a/D1Sc5MtRJiUDqfiT-YP0-2syQEk/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/D1Sc5MtRJiUDqfiT-YP0-2syQEk/1/da"><img src="http://feedads.g.doubleclick.net/~a/D1Sc5MtRJiUDqfiT-YP0-2syQEk/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/2hIuio7ttc0" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2009/04/configuring-kerberos-on-solaris-10-to.htmltag:blogger.com,1999:blog-8148124388771860313.post-46776684630298882352009-03-20T15:00:00.001-07:002009-03-20T15:01:59.010-07:002009-03-20T15:01:59.010-07:00If you are installing patches and want to know about patches that are already installed on AM 71, check for package AMSDK patch version:<br />pkgparam SUNWamsdk PATCHLIST<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-4677668463029888235?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/IdggH-A34O-SHkO5j-Z34iTH75g/0/da"><img src="http://feedads.g.doubleclick.net/~a/IdggH-A34O-SHkO5j-Z34iTH75g/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/IdggH-A34O-SHkO5j-Z34iTH75g/1/da"><img src="http://feedads.g.doubleclick.net/~a/IdggH-A34O-SHkO5j-Z34iTH75g/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/yiMGNrv0IYI" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2009/03/check-what-patches-installed-on-solaris.htmltag:blogger.com,1999:blog-8148124388771860313.post-67737234525054091732009-03-09T22:00:00.000-07:002009-03-09T22:05:18.462-07:002009-03-09T22:05:18.462-07:00Some useful links related to OAuth standard:<br />OAuth Home Page: <a href="http://oauth.net/">http://oauth.net/</a><br />Getting started doc: <a href="http://oauth.net/documentation/getting-started">http://oauth.net/documentation/getting-started</a><br />Interfacing with Google Apps: <a href="http://code.google.com/apis/accounts/docs/OAuth.html">http://code.google.com/apis/accounts/docs/OAuth.html</a><br />Play ground to try OAuth: <a href="http://googlecodesamples.com/oauth_playground/">http://googlecodesamples.com/oauth_playground/</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-6773723452505409173?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/bKo9QdNm9xiODXc8-dB9aQMJaGI/0/da"><img src="http://feedads.g.doubleclick.net/~a/bKo9QdNm9xiODXc8-dB9aQMJaGI/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/bKo9QdNm9xiODXc8-dB9aQMJaGI/1/da"><img src="http://feedads.g.doubleclick.net/~a/bKo9QdNm9xiODXc8-dB9aQMJaGI/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/muh2D1dZ-zo" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com0http://sunjavaidm.blogspot.com/2009/03/oauth-standard.htmltag:blogger.com,1999:blog-8148124388771860313.post-21284632857419415392009-03-02T13:44:00.000-08:002009-03-02T13:45:05.734-08:002009-03-02T13:45:05.734-08:00/opt/SUNWappserver/appserver/bin/asadmin deploy --user admin --passwordfile XXXXXXXX --host s-6000b-t6300d-zone7-sca11.sfbay.sun.com --port 4849 --contextroot amserver --name amserver --target domain /opt/SUNWam/amserver.war<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8148124388771860313-2128463285741941539?l=sunjavaidm.blogspot.com' alt='' /></div> <p><a href="http://feedads.g.doubleclick.net/~a/epGq6wdU74joNASE1PQSpelIriw/0/da"><img src="http://feedads.g.doubleclick.net/~a/epGq6wdU74joNASE1PQSpelIriw/0/di" border="0" ismap="true"></img></a><br/> <a href="http://feedads.g.doubleclick.net/~a/epGq6wdU74joNASE1PQSpelIriw/1/da"><img src="http://feedads.g.doubleclick.net/~a/epGq6wdU74joNASE1PQSpelIriw/1/di" border="0" ismap="true"></img></a></p><img src="http://feeds.feedburner.com/~r/SunIdentityManagementProducts/~4/UwkFKpHztj8" height="1" width="1"/>Lakshman Abburihttp://www.blogger.com/profile/16622225315502007403noreply@blogger.com1http://sunjavaidm.blogspot.com/2009/03/command-to-deploy-war-file-on-sun-app.html