Chapter 1 Using the Client SDK

The Sun Java^TM System Access Manager 7.1 Client SDK package provides Access Management Java libraries for implementing stand-alone applications and web applications. You can use the Client SDK interfaces in your applications to take advantage of Access Manger services such as authentication, Single Sign-On (SSO), authorization, auditing and logging, user management, and Security Assertion Markup Language (SAML). The client SDK libraries communicate with Access Manager using XML (SOAP) over HTTP or HTTPS.

This chapter contains the following topics:

• How the Client SDK Works

• JDK and CLASSPATH Requirements

• Installing the Client SDK

• Initializing the Client SDK

• Setting Up a Client Identity

• Building Custom Web Applications

How the Client SDK Works

The Access Manager Client SDK is a streamlined version of the Access Manager SDK, and includes only the client-side classes and configuration properties you need to connect to Access Manager services. The Client SDK is contained in a smaller jar file, and eliminate the dependency on connections to Directory Server when developing and deploying client applications. The Client SDK and client applications communicate with the Access Manager server. Only the Access Manager server communicates directly with the Directory Server.

When you install the Access Manager server, the Client SDK is contained in the following file:

AccessManager-base/SUNWam/lib/amclientsdk.jar

The following table summarizes items included in the Client SDK.

JDK and CLASSPATH Requirements

The Client SDK requires J2SE 1.4.2 .

Both amclientsdk.jar and servlet.jar are required in the CLASSPATH.

Installing the Client SDK

Before you can install the Access Manager Client SDK, the Access Manager server must be running on a remote server. You will also need to have ready the following information about the remote installation:

• Protocol used by the web contain instance on which the Access Manager server is deployed.

• Fully qualified domain name of the host on which Access Manager server is deployed.

• Port on which the Access Manager server is running.

• Deployment URI for the services web application (by default amserver).

• Password encryption key used by the Access Manager server.

Two methods exist for installing the Client SDK. You can automatically install the Client SDK using the Java Enterprise System 5 installer, or you can manually deploy the Client SDK WAR file.

Using the Java Enterprise System 5 Installer

If you install the Access Manager Client SDK by running the Java Enterprise System 5 installer, you must choose the Access Manager Client SDK install option. For detailed information, see Chapter 10, Deploying the Client SDK, in Sun Java System Access Manager 7.1 Postinstallation Guide.

To Install the Client SDK on the Windows Platform

On the Windows platform, you must use the “Configure Manually After Installation” option in the Java Enterprise System 5 installer. For detailed information, see To Install and Configure the Access Manager Client SDK in Sun Java System Access Manager 7.1 Postinstallation Guide. The following is an overview of the steps you must follow

1. Invoke the Java Enterprise System 5 installer.

   1. When prompted for Setup Type, choose Custom.

   2. When prompted for Product Configuration, choose “Configure manually after install.”

   3. When prompted for Products to Install, select the web container (Web Server or Application Server) and Access Manager Client SDK.

2. Configure and start the Web container.

3. Edit the file AccessManager-base\identity\setup\AMConfigurator.properties.

   See To Install and Configure the Access Manager Client SDK in Sun Java System Access Manager 7.1 Postinstallation Guidefor detailed information.

4. Run the amconfig.bat command:

   # AccessManager-base\identity\setup\amconfig.bat

To Install the Client SDK on Sun Java System Web Server and Sun Java System Application Server

The following is an overview of the steps you must follow. For detailed information, see Chapter 10, Deploying the Client SDK, in Sun Java System Access Manager 7.1 Postinstallation Guide.

1. Invoke the JES installer.

2. Select the web container (Web Server or Application Server) and Access Manager client SDK.

3. Choose "Configure Now.”

4. Answer the questions provided by the installer.

5. After the installation is complete, restart the web container.

To Install the Client SDK on BEA WebLogic Server and IBM WebSphere Server

The third party web container should already be installed and started.

The following is an overview of the steps you must follow. For detailed information, see Chapter 10, Deploying the Client SDK, in Sun Java System Access Manager 7.1 Postinstallation Guide.

1. Invoke the JES installer.

2. Select Access Manager client SDK.

3. Choose "Configure Later."

4. After the installation, edit the amsamplesilent file.

   1. Change the DEPLOY_LEVEL value to 9.

   2. Supply values for all the commented settings.

   3. Change the value for BASEDIR if needed.

   4. Edit the web container value (for example, WL8_* or WAS51*) to perform the deployment.

5. Run amconfig with the edited amsamplesilent file.

6. After the configuration is complete, restart the web container.

To Manually Install the Client SDK

Before You Begin

• The Access Manager server which will be used by the client SDK must be up and running, and you must know the URL for accessing this server.

• The machine where the client SDK will be installed must have an Access Manager supported web container installed. Examples of Access Manager supported web containers are Sun Java System Web Server 6.1 sp5, Sun Java System Application Server 8.1, BEA WebLogic Server 8.1 sp4, and IBM Websphere Application Server 5.1.1.5.

• The web container instance on which the client SDK will be deployed must be up and running.

• The client SDK machine must have access to the Access Manager client SDK package SUNWamclnt through the Java Enterprise System 5 bits or through some other means.

1. Create a package administration file.

   Using a text editor, add the following contents to this file.

   mail=
   instance=unique
   partial=nocheck
   runlevel=nocheck
   idepend=nocheck
   rdepend=nocheck
   space=nocheck
   setuid=nocheck
   conflict=nocheck
   action=nocheck
   basedir=ClientSDK-base-directory
   

   In this example, the package administration file is named /usr/tmp/pkgadmin.

   The value for basediris the directory in which you want to install the Access Manager client SDK.

2. Create a package response file named /usr/tmp/pkgresp.

   Using a text editor, place the following three lines (a single y on each line) in this file.

   y
   y
   y
   

3. In the Access Manager package directory, use the pkgadd utility to install the SUNWamclnt package:

   cd JES5-Image-root/OperatingSystem-Architecture/Product/identity_svr/Packages

   pkgadd -n -a /usr/tmp/pkgadmin -d . -r /usr/tmp/pkgresp -R / SUNWamclnt

4. In the directory in which you installed the Access Manager client SDK package, make a copy of the file Makefile.clientsdk.

   The directory in which you installed the Access Manager client SDK package should be the same as the value you used for basedir in the package administration file in step 1a.

   On Solaris:

   cd ClientSDK-base-directory/SUNWam

   cp Makefile.clientsdk Makefile.clientsdk.orig

   On Linux:

   cd ClientSDK-base-directory/identity

   cp Makefile.clientsdk Makefile.clientsdk.orig

To Configure the Client SDK

1. In Makefile.clientsdk, edit the following parameters:

   JAVA_HOME

   Use the following path: /usr/jdk/entsys-j2se

   SERVER_HOSTNAME

   The fully-qualified domain name of the Access Manager server.

   SERVER_PROTOCOL

   If the Access Manager server is SSL-enabled, change this value to HTTPS.

   SERVER_PORT

   The port number on which the Access Manager server is running.

   ENCRYPTION_KEY

   This value must be the same value used for the Access Manager server. You can obtain the value by running one of the following commands on the Access Manager server:

   On Solaris

   grep pwd /etc/opt/SUNWam/config/AMConfig.properties

   On Linux

   grep pwd /etc/opt/sun/identity/config/AMConfig.properties

   DEBUG_DIR

   (Optional) If you don't want the debug logs stored in the tmp directory, then change this value to the directory where you want debug logs to be created.

2. Run the make or gmake command:

   make -f Makefile.clientsdk

   This step generates a sample properties file in the directory temp, standalone samples in the directory clientsdk-samples and a deployable war file, amclientwebapps.war.The following table summarizes the items included in the WAR file.

   File	Description
   index.html	Instructions for installing and using the Client SDK packages
   WEB-INF/web.xml	Client SDK for stand-alone applications
   WEB-INF/classes/AMClient.properties	Archive of Access Manager samples, web applications, and Javadoc
   WEB-INF/classes/*.classes	File for building stand-alone samples and web applications
   WEB-INF/docs	Javadoc (Public Client SDK APIs)
   WEB-INF/samples	Sample stand-alone programs
   WEB-INF/webapps	Sample web applications

To Deploy amclientwebapps.war

1. Create a deployment directory for amclientwebapps.war.

   On Solaris

   mkdir -p ClientSDK-base-directory/SUNWam/web-src/clientsdk

   On Linux

   mkdir -p ClientSDK-base-directory/identity/web-src/clientsdK

2. On the web container instance where you want to use the Access Manager client SDK, deploy the amclientwebapps.war file. See the following examples:

   Sun Java Enterprise Web Server on Solaris or Linux

   Use the wdeploy command to deploy amclientwebapps.war with a URI of /amcilentwebapps on the Web Server instance https-clientSDKinstance. Example:

   WebServer-base-directory/bin/https/httpadmin/bin/wdeploy deploy -u /amclientwebapps -i https-clientSDKinstance -v https-clientsdkinstance -d ClientSDK-base-directory/SUNWam/web-src/clientsdk clientSDK-base-directory/SUNWam/amclientwebapps.war

   Sun Java Enterprise Application Server on Solaris

   Using the asadmin command to deploy amclientwebapps.war with a URI of /amclientwebapps on the application server instance clientsSDKinstance. Example:

   ApplicationServer-base-directory/appserver/bin/asadmin deploy -user Admin-User-ID --host ApplicationServer-instanceHost --port ApplicationServer-Admin-Port --contextroot amclientwebapps -name amcilentwebapps -target clientSDKinstance ClientSDK-base-directory/SUNWam/amclientwebapps.war

   Be sure to use the fully qualified host name for ApplicationServer-instanceHost.

   Enter the Application Server administration password when prompted.

   Sun Java Enterprise Application Server on Linux

   Using the asadmin command to deploy amclientwebapps.war with a URI of /amclientwebapps on the application server instance clientsSDKinstance. Example:

   ApplicationServer-base-directory/bin/asadmin deploy -user Admin-User-ID --host ApplicationServer-instanceHost --port ApplicationServer-Admin-Port --contextroot amclientwebapps -name amcilentwebapps -target clientSDKinstance ClientSDK-base-directory/SUNWam/amclientwebapps.war

   Be sure to use the fully qualified host name for ApplicationServer-instanceHost.

   Enter the Application Server administration password when prompted.

   If you are deploying the client SDK on a third-party web container such as BEA WebLogic Server or IBM WebSphere Application Server, then see the documentation that comes with that product.

3. Restart the web container instance on which the Access Manager client SDK was deployed.

   If the full server instance being accessed by the client SDK is SSL-enabled, then you must install the root CA certificate of the server's certificate in the web container's JVM-wide cacerts keystore. Alternatively, you can create a keystore on the client SDK machine to contain the server's root CA certificate. Then add the necessary JVM options to the client SDK's web container instance to locate the newly created keystore.

Initializing the Client SDK

Before Access Manager Client SDK can communicate with Access Manager Server, you must initialize some properties in the client SDK. You can set these properties in one of three ways:

• Using a Properties File

• Using the Java API

• Setting Individual Properties

Properties Used by the ClientSDK

Access Manager properties are contained in the AMConfig.properties file. Generate the AMConfig.properties for the Client SDK by running the following command:

# make -f Makefile.clientsdk properties

The following sections describe the properties expected by the Access Manager Client SDK. A client application deployed within a servlet container can register for changes to session, user attributes and policy decisions. These properties must be set to receive such notifications.

Naming URL Properties

com.iplanet.am.naming.url

This is a required property. The value of this property represents the URL where the Client SDK would retrieve the URLs of Access Manager internal services. This is the URI for the Naming Service. Example:

com.iplanet.am.naming.url=http://AcceessManager-HostName.domain_name:port/amserver/namingservice

com.iplanet.am.naming.failover.url

This property can be used by any remote SDK application that wants failover in, for example, session validation or getting the service URLs. Example:

com.iplanet.am.naming.failover.url=http://AcceessManager-HostName.domain_name:
port/amserver/failover

Debug Properties

com.iplanet.services.debug.level

Specifies the debug level. Possible values are levels are: off, error , warning, or message.

com.iplanet.services.debug.directory

The value of this property is the output directory for the debug information. This directory should be writable by the server process. Example:

com.iplanet.services.debug.directory=/var/opt/SUNWam/debug

Notification URL Properties

com.iplanet.am.notification.url

The value of this property is the URI of the Notification Service running on the host machine where you installed the Client SDK. Example:

com.iplanet.am.notification.url= http://clientSDK_host.domain_name:port/amserver/notificationservice

com.sun.identity.agents.notification.enabled

Enables or disables notifications for remote policy API. Example:

com.sun.identity.agents.notification.enabled=false

com.sun.identity.agents.notification.url

Defines the notification URL for remote policy API.

Security Credentials Properties

com.sun.identity.agents.app.username

Reads configuration data. Example:

com.sun.identity.agents.app.username=APPLICATION_USER

com.iplanet.am.service.password

Reads configuration data. Example:

com.iplanet.am.service.password=APPLICATION_PASSWD

com.iplanet.am.service.secret

Contains the encrypted value of the password. . Example:

com.iplanet.am.service.secret=ENCRYPTION_KEY

Encryption Properties

am.encryption.pwd

This key is needed to decrypt passwords stored in the SMS configuration. Example:

am.encryption.pwd=ENCRYPTION_KEY

com.sun.identity.client.encryptionKey

Encryption key that will be used to encrypt and decrypt data used locally within the client. Example:

com.sun.identity.client.encryptionKey=ENCRYPTION_KEY_LOCAL

com.iplanet.security.encryptor

Property to set JCE as the default encryption classes.

com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption

Cache Update Properties

com.sun.identity.sm.cacheTime

Cache update time (in minutes) for service configuration data if notification URL is not provided. Example:

com.sun.identity.sm.cacheTime=1

com.iplanet.am.sdk.remote.pollingTime

Cache update time (in minutes) for user management cache if notification URL is not provided. Example: com.iplanet.am.sdk.remote.pollingTime=1

Authentication Service Properties

com.iplanet.am.server.protocol

Server protocol to be used by Authentication Service. Example:

com.iplanet.am.server.protocol=SERVER_PROTOCOL

com.iplanet.am.server.host

Server host to be used by Authentication Service. Example:

com.iplanet.am.server.host=SERVER_HOST

com.iplanet.am.server.port

Server port to be used by Authentication Service. Example:

com.iplanet.am.server.port=SERVER_PORT

Cookie Property

com.iplanet.am.cookie.name

Indicates the Access Manager cookie name. Example:

com.iplanet.am.cookie.name=AM_COOKIE_NAME

Session Service Properties

com.iplanet.am.session.client.polling.enable

Example:

com.iplanet.am.session.client.polling.enable=true

com.iplanet.am.session.client.polling.period

Example:

com.iplanet.am.session.client.polling.period=180

Certificate Database Properties

com.iplanet.am.admin.cli.certdb.dir

Identifies the certificate database directory path for initializing the JSS Socket Factory when the Access Manager web container is configured for SSL. Example:

com.iplanet.am.admin.cli.certdb.dir= CONTAINER_CERTDB_DIR

com.iplanet.am.admin.cli.certdb.passfile

Identifies the certificate database password file for initializing the JSS Socket Factory when the Access Manager web container is configured for SSL. Example:

com.iplanet.am.admin.cli.certdb.passfile= BASEDIR/PRODUCT_DIR/config/.wtpass

com.iplanet.am.admin.cli.certdb.prefix

Identifies the certificate database prefix for initializing the JSS Socket Factory when the Access Manager web container is configured for SSL. Example:

com.iplanet.am.admin.cli.certdb.prefix= CONTAINER_CERTDB_PREFIX

Policy Client Properties

com.sun.identity.agents.server.log.file.name

Specifies file name for the policy decision log file. Example:

com.sun.identity.agents.server.log.file.name=amRemotePolicyLog

com.sun.identity.agents.logging.level

Possible values for policy decision logging level are NONE, ALLOW, DENY, BOTH, and DECISION.

com.sun.identity.agents.notification.enabled

Enables Notification URL for updating cache. Default value is false.

com.sun.identity.agents.notification.url

Specifies use of Notification URL for updating cache. Example:com.sun.identity.agents.notification.url=NOTIFICATION_URL

com.sun.identity.agents.polling.interval

Cache time in minutes. Example:

com.sun.identity.agents.polling.interval=3

com.sun.identity.policy.client.cacheMode

Information to cache. Possible value are subtree or self.

com.sun.identity.policy.client.usePre22BooleanValues

Define and set this property to false if you do not want to use Boolean values. The default value is true if the property is not defined.

Monitoring Framework Property

com.sun.identity.monitoring=off

Explicitly disables Java Enterprise System (JES) monitoring services in the sample client applications.

Remote Client SDK Property

com.iplanet.amsdk.package

If you want to use a remote instance of the Client SDK, set the value of this property as follows:

com.iplanet.amsdk.package=remote

The default value is ldap if the property is not defined.

Federation Properties

The following properties are used to configure interactions in a federated environment. These properties are not automatically generated and placed in the AMConfig.properties file when you run the make -f Makefile.clientsdk properties command. You must manually add the properties to the file as needed.

com.sun.identity.liberty.ws.soap.supportedActor

Supported SOAP actors. Each actor must be separated by a pipe (|). Example:

com.sun.identity.liberty.ws.soap.supportedActors= http://schemas.xmlsoap.org/soap/actor/next

com.sun.identity.liberty.interaction.wspRedirectHandler

Indicates the URL for WSPRedirectHandlerServlet to handle Liberty the WSF web service provider-resource owner. Interactions are based on user agent redirects. The servlet should be running in the same JVM where the Liberty service provider is running.

com.sun.identity.liberty.interaction.wscSpecifiedInteractionChoice

Indicates whether the web service client should participate in an interaction. Valid values are interactIfNeeded | doNotInteract | doNotInteractForData . Default value is interactIfNeeded. Default value is used if an invalid value is specified.

com.sun.identity.liberty.interaction.wscWillInlcudeUserInteractionHeader

Indicates whether the web service client should include userInteractionHeader. Valid values are yes and no (case ignored). Default value is yes. Default value is used if no value is specified.

com.sun.identity.liberty.interaction.wscWillRedirect

Indicates whether the web service client will redirect user for an interaction. Valid values are yes and no. Default value is yes. Default value is used if no value is specified.

com.sun.identity.liberty.interaction.wscSpecifiedMaxInteractionTime

Indicates the web service client preference for acceptable duration (in seconds) for an interaction. If the value is not specified or if a non-integer value is specified, then the default value is 60.

com.sun.identity.liberty.interaction.wscWillEnforceHttpsCheck

Indicates whether the web service client enforces that redirected to URL is HTTPS. Valid values are yes and no (case ignored). The Liberty specification requires the value to be yes. Default value is yes. Default value is used if no value is specified.

com.sun.identity.liberty.interaction.wspWillRedirect

Indicates whether the web service provider redirects the user for an interaction. Valid values are yes and no (case ignored). Default value is yes. Default value is if no value is specified.

com.sun.identity.liberty.interaction.wspWillRedirectForData

Indicates whether the web service provider redirects the user for an interaction for data. Valid values are yes and no. Default value is yes. If no value is specified, the value is yes.

com.sun.identity.liberty.interaction.wspRedirectTime

Web service provider expected duration (in seconds) for an interaction. Default value if the value is not specified or is a non-integer value is 30.

com.sun.identity.liberty.interaction.wspWillEnforceHttpsCheck

Indicates whether the web service client enforces that returnToURL is HTTP. Valid values are yes and no (case ignored). Liberty specification requires the value to be yes. Default value is yes. If no value is specified, then the value used is yes.

com.sun.identity.liberty.interaction.wspWillEnforceReturnToHostEqualsRequestHost

Indicates whether the web services client enforces that returnToHost and requestHost are the same. Valid values are yes and no. Liberty specification requires the value to be yes.

com.sun.identity.liberty.interaction.htmlStyleSheetLocation

Indicates the path to the style sheet used to render the interaction page in HTML.

com.sun.identity.liberty.interaction.wmlStyleSheetLocation

Indicates the path to the style sheet used to render the interaction page in WML.

Example: com.sun.identity.liberty.interaction.wmlStyleSheetLocation=/opt/SUNWam/lib/is-wml.xsl

com.sun.identity.liberty.ws.interaction.enable

Default value is false.

com.sun.identity.wss.provider.config.plugin=com.sun.identity.wss.provider.plugins.AgentProvider

Used by the web services provider to determine the plug-in that will be used to store the configuration.

Example: com.sun.identity.wss.provider.config.plugin=com.sun.identity.wss.provider.plugins.AgentProvider

com.sun.identity.loginurl

Used by the web services clients in ClientSDK mode. Example:

com.sun.identity.loginurl=https://hostName:portNumber/amserver/UI/Login

com.sun.identity.liberty.authnsvc.url

Indicates the Liberty authentication service URL.

com.sun.identity.liberty.wsf.version

Used to determine which version of the Liberty identity web services framework is to be used when the framework can not determine from the inbound message or from the resource offering. This property is used when Access Manager is acting as the web service client. The default version is 1.1. The possible values are 1.0 or 1.1.

com.sun.identity.liberty.ws.soap.certalias

Value is set during installation. Client certificate alias that will be used in SSL connection for Liberty SOAP Binding.

com.sun.identity.liberty.ws.soap.messageIDCacheCleanupInterval

Default value is 60000. Specifies the number of milliseconds to elapse before cache cleanup events begin. Each message is stored in a cache with its ownmessageID to avoid duplicate messages. When a message's current time less the received time exceeds thestaleTimeLimit value, the message is removed from the cache.

com.sun.identity.liberty.ws.soap.staleTimeLimit

Default value is 300000. Determines if a message is stale and thus no longer trustworthy. If the message timestamp is earlier than the current timestamp by the specified number of milliseconds, the message the considered to be stale.

com.sun.identity.liberty.ws.wsc.certalias

Value is set during installation. Specifies default certificate alias for issuing web service security token for this web service client.

com.sun.identity.liberty.ws.trustedca.certaliases

Value is set during installation. Specifies certificate aliases for trusted CA. SAML or SAML BEARER token of incoming request. Message must be signed by a trusted CA in this list. The syntax is cert alias 1[:issuer 1]|cert alias 2[:issuer 2]|..... Example: myalias1:myissuer1|myalias2|myalias3:myissuer3. The value issuer is used when the token doesn't have a KeyInfo inside the signature. The issuer of the token must be in this list, and the corresponding certificate alias will be used to verify the signature. If KeyInfo exists, the keystore must contain a certificate alias that matches the KeyInfo and the certificate alias must be in this list.

Using a Properties File

You can set properties in a properties file and then provide a path to it at runtime. The properties files must be in the CLASSPATH. The default properties file name is AMConfig.properties and is always read at start-up.

To Set Client SDK Properties in a Properties File

1. Generate a sample AMConfig.properties by running the following command:

   make -f Makefile.clientsdk properties

   The AMConfig.properties will be present in the temp directory.

2. Edit properties to suit your environment.

   ---

   Note –

   At runtime, if the file name is different from AMConfig, provide the file name (without the .properties extension) and path. The path should be in the CLASSPATH by declaring the JVM option:

   -Damconfig=filname

   ---

Using the Java API

The ClientSDK properties can also be set programmatically using the class: com.iplanet.am.util.SystemProperties. See the following example.

Example 1–1 Setting Client SDK Properties

import com.iplanet.am.util.SystemProperties;
import java.util.Properties;
public static void main(String[] args) {
        // To initialize a set of properties
        Properties props = new Properties();
        props.setProperty(”com.iplanet.am.naming.url’, 
					”http://sample.com/amserver/namingservice’);
        props.setProperty(”com.sun.identity.agents.app.username’, ”amAdmin’);
        props.setProperty(”com.iplanet.am.service.password’, ”11111111’);
        SystemProperties.initializeProperties(props) ;

        // To initialize a single property
        SystemProperties.initializeProperties(“com.iplanet.am.naming.url’, 
					”http://sample.com/amserver/namingservice’);
    // Application specific code ...
}
          

Setting Individual Properties

You can set properties one at a time. For example, you can declare the following JVM option at run time to assign a value to a particular property:

-DpropertyName=propertyValue

Setting Up a Client Identity

Some of the Access Manager components such as SAML, User Management, Policy, require an identity for the client. The client application reads configuration data to identify the client. You can set up the identity for the client in one of two ways:

• Set username and password properties can be authenticated

• Set an SSO Token Provider

Some of the configuration attributes (such as password) are encrypted and stored in the data store as an Encryption/Decryption Key. If such attributes have to be decrypted by the client, the property must be set, and must be the same as that of the Access Manager Server.

This value is generated at installation time and stored in the following file:

Solaris

/etc/opt/SUNWam/config/AMConfig.properties

Linux

/etc/opt/sun/identity/AMConfig.properties

Windows

AccessManager-base\identity\config\AMConfig.properties

HP-UX

/etc/opt/sun/identity/config/AMConfig.properties

To Set Username and Password Properties

The following properties can be used to set the username and password that can be used by client SDK to obtain the configuration parameters. The authenticated username should have permissions to read the configuration data for SAML and User Management.

• The property to provide the user name is: com.sun.identity.agents.app.username

• The property to provide the plain text password is: com.iplanet.am.service.password

For scenarios where plain text password would be security concern, an encrypted password can be provided using the property: com.iplanet.am.service.secret.

If an encrypted password is provided, the encryption key must also be provided using the property: am.encryption.pwd.

To Set an SSO Token Provider

Set the following property: com.sun.identity.security.AdminToken

This provides an implementation for the interface, which returns the following single sign-on (SSO) token: com.sun.identity.security.AppSSOTokenProvider.

Building Custom Web Applications

The Client SDK package contains Makefile.clientsdk that you can use to generate and build samples and web applications. The makefile defines targets to build configuration properties, samples and web applications.

Building Stand-Alone Applications

Use these steps a template for building their identity-enabled web applications.

To Build a Stand-Alone Application

1. Install the Client SDK.

   See Installing the Client SDK.

2. Copy servlet.jar to lib directory.

3. Run the stand-alone application.

   Change directory to respective components within clientsdk-samples. Each has a Readme.html file explaining the changes to done and a Makefile to rebuild and run the program.

Targets Defined in clientsdk

For web deployment, amclientwebapps.war is ready to be deployed. However, you can make changes in clientsdk-webapps directory and the war file can be recreated.

Custom web applications can use the following as a template to build their identity enabled web application.

properties: Generates AMConfig.properties in the temp directory that can used as a template for setting AM SDK’s properties

samples: Copies standalone samples and corresponding Makefiles to samples directory.

webapp: Generates amclientwebapps.war that can be deployed on any Servlet 2.3 compliant web container.

About the Client SDK Samples

Sample files are included in the Client SDK. These demonstrate how to write stand-alone programs and how to write web applications. After you deploy the Client SDK using either the Java ES installer or the amconfig script with DEPLOY_LEVEL=9, the Client SDK samples are available in the following directory:

Solaris

AccessManager-base/SUNWam/war/

Linux and HP-UX

AccessManager-base/identity/war/

Windows systems

AccessManager-base\identity\war\

The subdirectory clientsdk-samples includes samples for authentication, logging, policy and SAML stand-alone programs. The subdirectoryclientsdk-webapps includes samples for user management, service management, and policy programs. Each sample has a Readme.html file with instructions on compiling and running the sample program.

Troubleshooting

If the client program receives a “New Generic Exception” message, one possible cause is that the session has expired. As a workaround, you can increase values of the Session Idle Timeout and Max Session Time attributes. In the Access Manager administration console, click Configuration > Global > Session. See "Maximum Session Time" and "Maximum Idle Time" in the section Resulting Behavior If Session Quota Exhausted in Sun Java System Access Manager 7.1 Administration Reference for attribute descriptions.

When attempting to authenticate against Access Manager, if the client program receives a “NullPointerException” message, one possible cause is that the client identity username, secret, or password properties are not set correctly. For more information, see Security Credentials Properties and Using the Java API.