Sun Java System Access Manager 7 2005Q4 Administration Guide

Creating a Unique Policy Agent Identity

By default, when you create multiple policy agents in a trusted environment, the policy agents contain the same UID and password. Because the UID and passwords are shared, Access Manager cannot distinguish between the agents, which may leave the session cookie open to interception.

The weakness may be present when an Identity Provider provides authentication, authorization and profile information about a user to application(s) (or Service Providers) that are developed by third parties or by unauthorized groups within the enterprise. Possible security issues are:

ProcedureTo Create a Unique Policy Agent Identity

  1. Use the Access Manager administration console to make an entry for each agent.

  2. Run the following command on the password that was entered during the creation of the agent. This command should be invoked on the host where the agent is installed.

    AccessManager-base/SUNWam/agents/bin/crypt_util agent123

    This will give the following output:


  3. Change to reflect the new value, and then and restart the agent. Example:

    # The username and password to use for the Application 
    authentication module. = agent123 = WnmKUCg/y3l404ivWY6HPQ==
    # Cross-Domain Single Sign On URL
    # Is CDSSO enabled.
    # This is the URL the user will be redirected to after successful login
    # in a CDSSO Scenario. =
  4. Change where Access Manager is installed to reflect the new values, and then and restart Access Manager. Example:


  5. In the Access Manager console, choose Configuration>Platform.

  6. In the Cookie Domains list, change the cookie domain name:

    1. Select the default domain, and then click Remove.

    2. Enter the host name of the Access Manager installation, and then click Add.


      You should see two cookies set on the browser:

      • iPlanetDirectoryPro – (hostname)

      • sunIdentityServerAuthNServer – (hostname)