Sun Identity Manager 8.1 Resources Reference

Adapter Details

This adapter is defined in the com.waveset.adapter.SunAccessManagerResourceAdapter class.


Resource Configuration Notes


Note –

For Access Manager 7 and later, this adapter supports legacy mode only. Realms are not supported.


You can configure only one Access Manager server (whether in Realm mode or in Legacy mode).

The Policy Agent is an optional module that you can use to enable single sign-on (SSO). Do not attempt to follow Policy Agent configuration or installation procedures if this product is not being used in your environment.

See http://docs.sun.com/app/docs/coll/1322.1 for more information about Policy Agents.

To install the Policy Agent, follow the installation instructions provided with the Policy Agent, and then perform the following tasks:

Procedure – Setting Up Policy Agent

  1. Edit the AMAgent.properties file.

  2. Create a policy in Sun Java System Access Manager.

Editing the AMAgent.properties File

You must modify the AMAgent.properties file to protect Identity Manager. This file is located in the AgentInstallDir/config directory.

Procedure – To Edit the AMAgent.properties File

  1. Locate the following lines in the AMAgent.properties file.


    com.sun.identity.agents.config.cookie.reset.enable = false
    com.sun.identity.agents.config.cookie.reset.name[0] =
    com.sun.identity.agents.config.cookie.reset.domain[] =
    com.sun.identity.agents.config.cookie.reset.path[] =

    Edit these lines as follows.


    com.sun.identity.agents.config.cookie.reset.enable = true
    com.sun.identity.agents.config.cookie.reset.name[0] = AMAuthCookie
    com.sun.identity.agents.config.cookie.reset.domain[0] = .example.com
    com.sun.identity.agents.config.cookie.reset.path[0] = /
  2. Add the following lines.


    com.sun.identity.agents.config.cookie.reset.name[1] = iPlanetDirectoryPro
    com.sun.identity.agents.config.cookie.reset.domain[1] = .example.com
    com.sun.identity.agents.config.cookie.reset.path[1] = /
  3. Locate the following lines.


    com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
    com.sun.identity.agents.config.profile.attribute.mapping[] =

    Edit these lines as follows.


    com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
    com.sun.identity.agents.config.profile.attribute.mapping[uid] = sois_user
  4. You must restart the web server for your changes to take effect.

Creating a Policy in Sun Java System Access Manager

Procedure – To Create a Policy

  1. From within the Sun Java System Access Manager application, create a new policy named IDMGR (or something similar) with the following rules:

     Service Type        Resource Name              Actions
     URL Policy Agent    http://server:port/idm     Allow GET and POST actions
     URL Policy Agent    http://server:port/idm/*   Allow GET and POST actions

  2. Assign one or more subjects to the IDMGR policy.

Installing and Configuring Sun Java System Access Manager (Versions Prior to Access Manager 7.0)

The following sections describe how to install and configure Sun Java System Access Manager and Policy Agent. If you install Sun Java System Access Manager on the same system as the Identity Manager server, see Sun Access Manager Resource Adapter for information about configuration. If you are using the Policy Agent, go to Installing and Configuring the Policy Agent for additional information.

If Access Manager is installed on a different system than the Identity Manager server, then perform the following steps on the Identity Manager system.

Procedure – When Access Manager is Installed on a Different System...

  1. Create a directory to place files that will be copied from the Sun Java System Access Manager server. This directory will be called CfgDir in this procedure. The location of Access Manager will be called AccessMgrHome.

  2. Copy the following files from AccessMgrHome to CfgDir. Do not copy the directory structure.

    • lib/*.*

    • locale/*.properties

    • config/serverconfig.xml

    • config/SSOConfig.properties (Identity Server 2004Q2 and later)

    • config/ums/ums.xml

  3. On UNIX, it may be necessary to change the permissions of the jar files in the CfgDir to allow universal read access. Run the following command to change permissions:

    chmod a+r CfgDir/*.jar

  4. Prepend the JAVA classpath with the following:

    • Windows: CfgDir;CfgDir/am_sdk.jar;CfgDir/am_services.jar;CfgDir/am_logging.jar

    • UNIX: CfgDir:CfgDir/am_sdk.jar:CfgDir/am_services.jar:CfgDir/am_logging.jar

  5. If you are using version 6.0, set the Java system property to point to your CfgDir. Use a command similar to the following:


    java -Dcom.iplanet.coreservices.configpath=CfgDir
  6. If you are using version 6.1 or later, add or edit the following lines in the CfgDir/AMConfig.properties file:


    com.iplanet.services.configpath=CfgDir
    com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.SecureRandomFactoryImpl
    com.iplanet.security.SSLSocketFactoryImpl=netscape.ldap.factory.JSSESocketFactory
    com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption

    The first line sets the configpath. The last three lines change security settings.

  7. Copy the CfgDir/am_*.jar files to $WSHOME/WEB-INF/lib. If you are using version 6.0, also copy the jss311.jar file to the $WSHOME/WEB-INF/lib directory.

  8. If Identity Manager is running on Windows and you are using Identity Server 6.0, copy IdServer\lib\jss\*.dll to CfgDir and add CfgDir to your system path.


    Note –

    In an environment where Identity Manager is installed on a different system from Access Manager, check the following error conditions. If a java.lang.ExceptionInInitializerError is returned when you attempt to connect to the Access Manager resource (followed by a java.lang.NoClassDefFoundError on subsequent attempts), check for incorrect or missing configuration data.

    Also, identify which jar file contains the class named in the java.lang.NoClassDefFoundError, and prepend that jar file to the JAVA classpath on the application server.


    Check that the CfgDir contains all the data outlined in Installing and Configuring Sun Java System Access Manager (Versions Prior to Access Manager 7.0) and that all the configuration properties have been assigned correctly.
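The following Python script is an added pre-flight check for the CfgDir procedure above and the troubleshooting note; it is example code written for this page, not part of the Sun documentation or of Identity Manager. It verifies that the jar files and configuration files named in steps 2 to 6 are present and world-readable (step 3), builds the step 4 classpath prefix, and, for a java.lang.NoClassDefFoundError, reports which jar in CfgDir contains the named class. The list of required files is a subset taken from the procedure, the placeholder class com.example.Placeholder and the throw-away directory built by build_sample_cfg_dir are constructed for the example.

```python
"""Pre-flight checks for a CfgDir prepared for the Access Manager adapter.

Constructed example, not part of the Sun documentation. The file names come
from the procedure on this page; the directory is supplied by the caller.
"""
import os
import stat
import tempfile
import zipfile

# Jars named in step 4 and the configuration files from steps 2 and 6 (a subset).
REQUIRED_JARS = ("am_sdk.jar", "am_services.jar", "am_logging.jar")
REQUIRED_FILES = ("serverconfig.xml", "ums.xml", "AMConfig.properties")


def check_cfg_dir(cfg_dir):
    """Return a list of problems: missing files, and jars that are not
    world-readable (the condition step 3 fixes with chmod a+r)."""
    problems = []
    for name in REQUIRED_JARS + REQUIRED_FILES:
        path = os.path.join(cfg_dir, name)
        if not os.path.isfile(path):
            problems.append(f"missing: {name}")
        elif name.endswith(".jar") and not (os.stat(path).st_mode & stat.S_IROTH):
            problems.append(f"not world-readable (chmod a+r): {name}")
    return problems


def classpath_prefix(cfg_dir, sep=os.pathsep):
    """Build the step 4 classpath prefix; sep is ';' on Windows and ':' on UNIX.
    Forward slashes are used inside the entries, as the procedure shows."""
    return sep.join([cfg_dir] + [f"{cfg_dir}/{jar}" for jar in REQUIRED_JARS])


def find_class_in_jars(cfg_dir, class_name):
    """For a NoClassDefFoundError naming class_name, list the jars in cfg_dir
    that carry the corresponding .class entry (the jar to prepend to the classpath)."""
    entry = class_name.replace(".", "/") + ".class"
    hits = []
    for name in sorted(os.listdir(cfg_dir)):
        if not name.endswith(".jar"):
            continue
        try:
            with zipfile.ZipFile(os.path.join(cfg_dir, name)) as jar:
                if entry in jar.namelist():
                    hits.append(name)
        except zipfile.BadZipFile:
            continue  # a damaged jar is reported separately by the caller if needed
    return hits


def build_sample_cfg_dir(include_logging=True):
    """Create a throw-away CfgDir with constructed contents for demonstration.
    am_sdk.jar is deliberately left without world-read permission and holds the
    constructed class com.example.Placeholder."""
    cfg_dir = tempfile.mkdtemp(prefix="cfgdir_")
    for name in REQUIRED_FILES:
        with open(os.path.join(cfg_dir, name), "w") as fh:
            fh.write("# constructed placeholder\n")
    for name in REQUIRED_JARS:
        if name == "am_logging.jar" and not include_logging:
            continue
        path = os.path.join(cfg_dir, name)
        with zipfile.ZipFile(path, "w") as jar:
            if name == "am_sdk.jar":
                jar.writestr("com/example/Placeholder.class", b"")  # constructed entry
            else:
                jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        os.chmod(path, 0o600 if name == "am_sdk.jar" else 0o644)
    return cfg_dir


if __name__ == "__main__":
    sample = build_sample_cfg_dir(include_logging=False)
    for problem in check_cfg_dir(sample):
        print("problem:", problem)
    print("classpath prefix:", classpath_prefix(sample, sep=":"))
    print("com.example.Placeholder found in:", find_class_in_jars(sample, "com.example.Placeholder"))
```

Run it against the real CfgDir instead of the sample directory once the files have been copied; an empty problem list and a non-empty result from find_class_in_jars for the class named in the error are the two conditions the troubleshooting note asks you to confirm.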

Installing and Configuring the Policy Agent

You must install the appropriate Access Manager Policy Agent on the Identity Manager server. The Policy Agent can be obtained from the following location:

http://wwws.sun.com/software/download/inter_ecom.html#dirserv

Follow the installation instructions provided with the Policy Agent. Then perform the following tasks.

Edit the AMAgent.properties File

The AMAgent.properties file must be modified so that Identity Manager can be protected. It is located in the following directory:

Be sure to use the files located in the preceding directories. Do not use the copy located in the AgentInstallDir\config directory.

Procedure – Editing the AMAgent.properties File

  1. Locate the following lines in the AMAgent.properties file.


    com.sun.identity.agents.config.cookie.reset.enable = false
    com.sun.identity.agents.config.cookie.reset.name[0] =
    com.sun.identity.agents.config.cookie.reset.domain[] =
    com.sun.identity.agents.config.cookie.reset.path[] =

    Edit these lines as follows.


    com.sun.identity.agents.config.cookie.reset.enable = true
    com.sun.identity.agents.config.cookie.reset.name[0] = AMAuthCookie
    com.sun.identity.agents.config.cookie.reset.domain[0] = .example.com
    com.sun.identity.agents.config.cookie.reset.path[0] = /
  2. Add the following lines.


    com.sun.identity.agents.config.cookie.reset.name[1] = iPlanetDirectoryPro
    com.sun.identity.agents.config.cookie.reset.domain[1] = .example.com
    com.sun.identity.agents.config.cookie.reset.path[1] = /
  3. Locate the following lines.


    com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
    com.sun.identity.agents.config.profile.attribute.mapping[] =

    Edit these lines as follows.


    com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
    com.sun.identity.agents.config.profile.attribute.mapping[uid] = sois_user
  4. You must restart the web server for your changes to take effect.
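As an added check for this procedure and for the identical Editing the AMAgent.properties File procedure earlier on this page, the following Python script parses an AMAgent.properties file and reports which of the settings from steps 1 to 3 are still in their shipped state. It is example code written for this page, not part of the Sun documentation or of the Policy Agent; the two sample file excerpts, the cookie domain .example.com and the minimal .properties parser are constructed for the example.

```python
"""Lint an AMAgent.properties file for the settings the procedure requires.

Constructed example, not part of the Sun documentation or the Policy Agent.
"""
import re

PREFIX = "com.sun.identity.agents.config."

# Constructed excerpt of the file as shipped (what step 1 and step 3 tell you to locate).
AGENT_PROPERTIES_BEFORE = """\
# constructed excerpt of a stock AMAgent.properties
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
com.sun.identity.agents.config.cookie.reset.domain[] =
com.sun.identity.agents.config.cookie.reset.path[] =
com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
com.sun.identity.agents.config.profile.attribute.mapping[] =
"""

# Constructed excerpt after steps 1 to 3 have been applied.
AGENT_PROPERTIES_AFTER = """\
com.sun.identity.agents.config.cookie.reset.enable = true
com.sun.identity.agents.config.cookie.reset.name[0] = AMAuthCookie
com.sun.identity.agents.config.cookie.reset.domain[0] = .example.com
com.sun.identity.agents.config.cookie.reset.path[0] = /
com.sun.identity.agents.config.cookie.reset.name[1] = iPlanetDirectoryPro
com.sun.identity.agents.config.cookie.reset.domain[1] = .example.com
com.sun.identity.agents.config.cookie.reset.path[1] = /
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
com.sun.identity.agents.config.profile.attribute.mapping[uid] = sois_user
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#' and '!' comments, '=' or ':' separators,
    backslash line continuation. Returns {key: value} with whitespace trimmed."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # continuation onto the next line
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def cookie_reset_entries(props):
    """Group the indexed cookie.reset.name/domain/path keys as {index: {field: value}}.
    Keys with an empty index, such as domain[], are the shipped placeholders and are skipped."""
    pattern = re.escape(PREFIX) + r"cookie\.reset\.(name|domain|path)\[(\d+)\]"
    entries = {}
    for key, value in props.items():
        m = re.fullmatch(pattern, key)
        if m:
            entries.setdefault(int(m.group(2)), {})[m.group(1)] = value
    return entries


def lint_agent_properties(text, domain=".example.com",
                          required_cookies=("AMAuthCookie", "iPlanetDirectoryPro")):
    """Return a list of findings; an empty list means the file matches the procedure."""
    props = parse_properties(text)
    findings = []
    if props.get(PREFIX + "cookie.reset.enable", "false").lower() != "true":
        findings.append("cookie.reset.enable is not true")
    configured = {}
    for idx, entry in sorted(cookie_reset_entries(props).items()):
        if not entry.get("name"):
            findings.append(f"cookie.reset.name[{idx}] is empty")
            continue
        if entry.get("domain") != domain or entry.get("path") != "/":
            findings.append(f"cookie.reset entry [{idx}] ({entry['name']}) lacks domain {domain} / path /")
        configured[entry["name"]] = idx
    for name in required_cookies:
        if name not in configured:
            findings.append(f"no cookie.reset entry for {name}")
    if props.get(PREFIX + "profile.attribute.fetch.mode") != "HTTP_HEADER":
        findings.append("profile.attribute.fetch.mode is not HTTP_HEADER")
    if props.get(PREFIX + "profile.attribute.mapping[uid]") != "sois_user":
        findings.append("profile.attribute.mapping[uid] is not sois_user")
    return findings


if __name__ == "__main__":
    for label, text in (("before", AGENT_PROPERTIES_BEFORE), ("after", AGENT_PROPERTIES_AFTER)):
        print(label, lint_agent_properties(text) or "OK")
```

Point the script at the live file (the copy in the directory the procedure names, not the one under AgentInstallDir) and pass the cookie domain used in your deployment; run it again after the web server restart in step 4, since the agent reads the file only at startup.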

Procedure – Create a Policy in Access Manager

  1. From within the Access Manager application, create a new policy named IDMGR (or something similar) with the following rules:

     Service Type        Resource Name              Actions
     URL Policy Agent    http://server:port/idm     Allow GET and POST actions
     URL Policy Agent    http://server:port/idm/*   Allow GET and POST actions

  2. Assign one or more subjects to the IDMGR policy.

Identity Manager Installation Notes

This section provides installation and configuration notes for the Sun Access Manager resource adapter and the Policy Agent.

Sun Access Manager Resource Adapter

Use the following procedure to install and configure the resource adapter.

Procedure – Installing and Configuring the Access Manager Resource Adapter

  1. Follow the instructions provided in the appropriate version of the Sun Java System Access Manager Developer’s Guide to build the client SDK from the Sun Access Manager installation.

  2. Extract the AMConfig.properties and amclientsdk.jar files from the war file that is produced.

  3. Put a copy of the AMConfig.properties in the following directory:


    $WSHOME/WEB-INF/classes
  4. Place a copy of amclientsdk.jar in the following directory:


    $WSHOME/WEB-INF/lib
  5. Add the amclientsdk.jar file to the server class path.

  6. Restart the Identity Manager application server.

  7. After copying the files, you must add the Sun Java System Access Manager resource to the Identity Manager resources list. Add the following value in the Custom Resources section of the Configure Managed Resources page.


    com.waveset.adapter.SunAccessManagerRealmResourceAdapter

Policy Agent

You must modify the administrator and user login modules so that the Access Manager login modules are listed first.


Note –

An Access Manager resource must be configured before performing this procedure.


Procedure – Modifying the Administrator and User Login Modules

  1. From the Identity Manager Administrator Interface menu bar, select Security.

  2. Click the Login tab.

  3. Click the Manage Login Module Groups button, located at the bottom of the page.

  4. Select the Login Module to modify. For example, select Default Identity System ID/Pwd Login Module Group.

  5. In the Assign Login Module select box, select Sun Access Manager Login Module.

  6. When a new Select option displays next to the Assign Login Module option, select the appropriate resource.

  7. When the Modify Login Module page displays, edit the displayed fields as needed, and then click Save. The Modify Login Module Group is displayed again.

  8. Specify Sun Access Manager Login Module as the first resource in the module group, and then click Save.

Usage Notes

If you are running Identity Manager under WebLogic, and native changes made in Access Manager do not appear in Identity Manager, add am_services.jar in the classpath before weblogic.jar.

When more than one protocol handler package is present, set the protocol handler as follows:

java.protocol.handler.pkgs=com.iplanet.services.comm|sun.net.www.protocol

Security Notes

This section provides information about supported connections and authorization requirements needed to perform basic tasks.

Supported Connections

Identity Manager uses JNDI over SSL to communicate with this adapter.

Required Administrative Privileges

The user name that connects to Access Manager must be assigned permissions to add or modify user accounts.

Provisioning Notes

This section contains a table that summarizes the provisioning capabilities of the adapter.

Feature                       Supported?
Enable/disable account        Yes
Rename account                No
Pass-through authentication   Yes. The Web Proxy Agent is required for single sign-on.
Before/after actions          No
Data loading methods          • Import directly from resource
                              • Reconcile with resource

Account Attributes

The following table lists the Access Manager user account attributes supported by default. All attributes are optional, unless noted in the description.

Resource User Attribute        Resource Attribute Type   Description
cn                             String                    Required. The user’s full name.
dynamicSubscriptionGroups      String                    A list of dynamic groups to which the user is subscribed.
employeeNumber                 Number                    The user’s employee number.
givenname                      String                    The user’s first name.
iplanet-am-user-account-life   Date                      The date and time the user account expires. The account does not expire if this value is not set.
iplanet-am-user-alias-list     String                    A list of aliases that may be applied to the user.
iplanet-am-user-failure-url    String                    The URL that the user will be redirected to upon unsuccessful authentication.
iplanet-am-user-success-url    String                    The URL that the user will be redirected to upon successful authentication.
mail                           Email                     The user’s e-mail address.
postalAddress                  String                    The user’s home address.
roles                          String                    A list of roles assigned to the user.
sn                             String                    The user’s last name.
staticSubscriptionGroups       String                    A list of static groups to which the user is subscribed.
telephoneNumber                String                    The user’s telephone number.
uid                            String                    Required. A unique user ID for the user.
userPassword                   Password                  Required. The user’s password.

Resource Object Management

Identity Manager supports the following Access Manager objects:

Resource Object              Features Supported                      Attributes Managed
Role                         List, update, delete                    cn, iplanet-am-role-aci-description, iplanet-am-role-description, iplanet-am-role-type, accountMembers
Static subscription group    List, create, update, delete, save as   cn, iplanet-am-group-subscribable, uniqueMember
Filtered group               List, create, update, delete, save as   cn, accountMembers, membershipFilter
Dynamic subscription group   List, create, update, delete, save as   cn, accountMembers, iplanet-am-group-subscribable
Organization                 List, create, delete, save as, find     o

Identity Template

The default identity template is

uid=$uid$,ou=People,dc=MYDOMAIN,dc=com

The default template must be replaced with a valid value.
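The following Python example, added here and not Identity Manager's own template engine, shows what "replaced with a valid value" means in practice: it refuses a template that still carries the shipped dc=MYDOMAIN placeholder, substitutes the $uid$ variable, and escapes the substituted value according to RFC 4514 so that characters such as commas or plus signs in a user ID cannot alter the DN's structure. The escaping is standard LDAP practice assumed for the example; the page does not document how the adapter itself builds the DN.

```python
"""Expand an Identity Manager identity template into an LDAP DN.

Constructed example; not the adapter's own implementation. RFC 4514 escaping
of substituted values is assumed good practice here, not documented behaviour.
"""
import re

DEFAULT_TEMPLATE = "uid=$uid$,ou=People,dc=MYDOMAIN,dc=com"  # default from the page
PLACEHOLDER_DOMAIN = "dc=MYDOMAIN"

# Characters that must be escaped inside a DN attribute value (RFC 4514 section 2.4).
_SPECIAL = ',+"\\<>;'


def escape_dn_value(value):
    """Escape a string for use as an attribute value in a DN: special characters,
    a leading '#', leading/trailing spaces, and NUL."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def validate_template(template):
    """Raise ValueError if the template is still the shipped default or lacks $uid$."""
    if PLACEHOLDER_DOMAIN in template:
        raise ValueError("identity template still contains dc=MYDOMAIN; replace it with a valid value")
    if "$uid$" not in template:
        raise ValueError("identity template has no $uid$ variable")


def expand_identity(template, attrs):
    """Substitute every $name$ in the template with the escaped value of attrs[name].
    A missing or empty attribute is an error rather than an empty RDN value."""
    validate_template(template)

    def substitute(match):
        name = match.group(1)
        if not attrs.get(name):
            raise KeyError(f"attribute {name!r} required by the identity template is missing")
        return escape_dn_value(attrs[name])

    return re.sub(r"\$(\w+)\$", substitute, template)


if __name__ == "__main__":
    template = "uid=$uid$,ou=People,dc=example,dc=com"   # constructed replacement for the default
    print(expand_identity(template, {"uid": "jdoe"}))
    print(expand_identity(template, {"uid": "doe, j+admin"}))
```

The second call in the usage block shows why the escaping matters: without it, a user ID containing a comma would be written into the template as an extra RDN, producing a DN under a different container than the one the template intends.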

Sample Forms

This section lists the sample forms that are built-in and available for the Sun Access Manager resource adapter.

Built-In            Also Available
SunAMUserForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following class:

com.waveset.adapter.SunAccessManagerResourceAdapter