Sun[TM] Identity Manager 8.0 Resources Reference
Sun Access Manager
Identity Manager provides the Sun Access Manager resource adapter to support Sun Java System Access Manager running in Legacy mode.
This adapter is defined in the com.waveset.adapter.SunAccessManagerResourceAdapter class.
Notes
- Use the Sun Access Manager resource adapter for resources running in Legacy mode.
- Use the Sun Access Manager Realm resource adapter for resources running in Realm mode. See Sun Access Manager Realm for information about this adapter.
Resource Configuration Notes
Note
For Access Manager 7 and later, this adapter supports legacy mode only. Realms are not supported. However, refer to the “Resource Configuration Notes” and “Identity Manager Installation Notes” sections of the Sun Access Manager Realm adapter for information about setting up an adapter that supports Access Manager 7 in legacy mode.
The Policy Agent is an optional module that you can use to enable single sign-on (SSO). Do not attempt to follow Policy Agent configuration or installation procedures if this product is not being used in your environment.
See http://docs.sun.com/app/docs/coll/1322.1 for more information about Policy Agents.
The following sections describe how to install and configure Sun Java System Access Manager and Policy Agent.
Installing and Configuring Sun Java System Access Manager (Versions Prior to Access Manager 7.0)
If you install Sun Java System Access Manager on the same system as the Identity Manager server, see Sun Access Manager Resource Adapter for information about configuration. If you are using the Policy Agent, go to Installing and Configuring the Policy Agent for additional information.
If Access Manager is installed on a different system than the Identity Manager server, then perform the following steps on the Identity Manager system.
- Create a directory to place files that will be copied from the Sun Java System Access Manager server. This directory will be called CfgDir in this procedure. The location of Access Manager will be called AccessMgrHome.
- Copy the following files from AccessMgrHome to CfgDir. Do not copy the directory structure.
- On UNIX, it may be necessary to change the permissions of the jar files in the CfgDir to allow universal read access. Run the following command to change permissions:
chmod a+r CfgDir/*.jar
- Prepend the JAVA classpath with the following:
- If you are using version 6.0, set the Java system property to point to your CfgDir. Use a command similar to the following:
java -Dcom.iplanet.coreservices.configpath=CfgDir
- If you are using version 6.1 or later, add or edit the following lines in the CfgDir/AMConfig.properties file:
com.iplanet.services.configpath=CfgDir
com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.SecureRandomFactoryImpl
com.iplanet.security.SSLSocketFactoryImpl=netscape.ldap.factory.JSSESocketFactory
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
The first line sets the configpath. The last three lines change security settings.
- Copy the CfgDir/am_*.jar files to $WSHOME/WEB-INF/lib. If you are using version 6.0, also copy the jss311.jar file to the $WSHOME/WEB-INF/lib directory.
- If Identity Manager is running on Windows and you are using Identity Server 6.0, copy IdServer\lib\jss\*.dll to CfgDir and add CfgDir to your system path.
Check that the CfgDir contains all the data outlined in Step 6 and that all the configuration properties have been assigned correctly.
See Sun Access Manager Resource Adapter for more information about preparing Identity Manager for this resource.
Installing and Configuring Sun Java System Access Manager (Versions 7.0 and Later)
Refer to the “Resource Configuration Notes” and “Identity Manager Installation Notes” sections of the Sun Access Manager Realm adapter for information about setting up an adapter that supports Access Manager 7 in legacy mode.
Installing and Configuring the Policy Agent
You must install the appropriate Access Manager Policy Agent on the Identity Manager server. The Policy Agent can be obtained from the following location:
http://wwws.sun.com/software/download/inter_ecom.html#dirserv
Follow the installation instructions provided with the Policy Agent. Then perform the following tasks.
Edit the AMAgent.properties File
The AMAgent.properties file must be modified so that Identity Manager can be protected. It is located in the following directory:
Be sure to use the files located in the preceding directories. Do not use the copy located in the AgentInstallDir\config directory.
- Locate the following lines in the AMAgent.properties file.
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
com.sun.identity.agents.config.cookie.reset.domain[] =
com.sun.identity.agents.config.cookie.reset.path[] =
Edit these lines as follows.
com.sun.identity.agents.config.cookie.reset.enable = true
com.sun.identity.agents.config.cookie.reset.name[0] = AMAuthCookie
com.sun.identity.agents.config.cookie.reset.domain[0] = .example.com
com.sun.identity.agents.config.cookie.reset.path[0] = /
- Add the following lines.
com.sun.identity.agents.config.cookie.reset.name[1] = iPlanetDirectoryPro
com.sun.identity.agents.config.cookie.reset.domain[1] = .example.com
com.sun.identity.agents.config.cookie.reset.path[1] = /
- Locate the following lines.
com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
com.sun.identity.agents.config.profile.attribute.mapping[] =
Edit these lines as follows.
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
com.sun.identity.agents.config.profile.attribute.mapping[uid] = sois_user
- You must restart the web server for your changes to take effect.
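The following is an added example, not code from the Sun documentation or from Identity Manager: a small parser for the "key = value" and "key[index] = value" lines used by AMAgent.properties, with a check that the cookie-reset and attribute-fetch edits above are all present, plus a second check for the configpath and security settings from the AMConfig.properties step earlier on this page. Every file content in the block is a constructed sample, and the path /opt/idm/amcfg stands in for CfgDir.

```python
"""Added example (not from the Sun documentation): parse the property files
edited on this page and verify the required settings. All contents below
are constructed samples."""
import re

# Constructed sample: AMAgent.properties before the edits described above.
AGENT_BEFORE = """\
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
com.sun.identity.agents.config.cookie.reset.domain[] =
com.sun.identity.agents.config.cookie.reset.path[] =
com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
com.sun.identity.agents.config.profile.attribute.mapping[] =
"""

# Constructed sample: the same file after the edits.
AGENT_AFTER = """\
com.sun.identity.agents.config.cookie.reset.enable = true
com.sun.identity.agents.config.cookie.reset.name[0] = AMAuthCookie
com.sun.identity.agents.config.cookie.reset.domain[0] = .example.com
com.sun.identity.agents.config.cookie.reset.path[0] = /
com.sun.identity.agents.config.cookie.reset.name[1] = iPlanetDirectoryPro
com.sun.identity.agents.config.cookie.reset.domain[1] = .example.com
com.sun.identity.agents.config.cookie.reset.path[1] = /
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
com.sun.identity.agents.config.profile.attribute.mapping[uid] = sois_user
"""

# Constructed sample: the AMConfig.properties lines from the earlier procedure,
# with an illustrative path (/opt/idm/amcfg) standing in for CfgDir.
AMCONFIG = """\
com.iplanet.services.configpath=/opt/idm/amcfg
com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.SecureRandomFactoryImpl
com.iplanet.security.SSLSocketFactoryImpl=netscape.ldap.factory.JSSESocketFactory
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
"""

AGENT = "com.sun.identity.agents.config."
AMCONFIG_REQUIRED = {
    "com.iplanet.security.SecureRandomFactoryImpl": "com.iplanet.am.util.SecureRandomFactoryImpl",
    "com.iplanet.security.SSLSocketFactoryImpl": "netscape.ldap.factory.JSSESocketFactory",
    "com.iplanet.security.encryptor": "com.iplanet.services.util.JCEEncryption",
}
LINE_RE = re.compile(r"^\s*([^#=\s]+)\s*=\s*(.*?)\s*$")

def parse_properties(text):
    """Parse 'key = value' lines; blank lines and '#' comments are skipped.
    Keys keep their '[index]' suffix, so name[0] and name[1] stay distinct."""
    props = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def indexed(props, key):
    """Collect 'key[i] = value' entries as {i: value}; empty '[]' placeholders are ignored."""
    out = {}
    for k, v in props.items():
        if k.startswith(key + "[") and k.endswith("]"):
            idx = k[len(key) + 1:-1]
            if idx:
                out[idx] = v
    return out

def check_agent_config(props):
    """Return the problems found; an empty list means the required edits are present."""
    problems = []
    if props.get(AGENT + "cookie.reset.enable", "").lower() != "true":
        problems.append("cookie.reset.enable is not true")
    names = indexed(props, AGENT + "cookie.reset.name")
    domains = indexed(props, AGENT + "cookie.reset.domain")
    paths = indexed(props, AGENT + "cookie.reset.path")
    for cookie in ("AMAuthCookie", "iPlanetDirectoryPro"):
        if cookie not in names.values():
            problems.append(f"no cookie.reset.name entry for {cookie}")
    # A reset cookie without a domain and path at the same index is only half configured.
    for idx in names:
        if not domains.get(idx):
            problems.append(f"cookie.reset.domain[{idx}] is missing")
        if not paths.get(idx):
            problems.append(f"cookie.reset.path[{idx}] is missing")
    if props.get(AGENT + "profile.attribute.fetch.mode") != "HTTP_HEADER":
        problems.append("profile.attribute.fetch.mode is not HTTP_HEADER")
    if indexed(props, AGENT + "profile.attribute.mapping").get("uid") != "sois_user":
        problems.append("profile.attribute.mapping[uid] is not sois_user")
    return problems

def check_amconfig(props, cfgdir):
    """Check the configpath and the three security settings from the AMConfig.properties step."""
    problems = []
    if props.get("com.iplanet.services.configpath") != cfgdir:
        problems.append("configpath does not point at CfgDir")
    for key, want in AMCONFIG_REQUIRED.items():
        if props.get(key) != want:
            problems.append(f"{key} should be {want}")
    return problems
```

Run check_agent_config(parse_properties(open("AMAgent.properties").read())) against the copy the agent actually loads (see the note above about not using the AgentInstallDir\config copy); an empty list means the edits took, and a non-empty one lists what is still at its pre-edit value.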
Create a Policy in Access Manager
- From within the Access Manager application, create a new policy named IDMGR (or something similar) with the following rules:
Service Type     | Resource Name            | Actions
URL Policy Agent | http://server:port/idm   | Allow GET and POST actions
URL Policy Agent | http://server:port/idm/* | Allow GET and POST actions
- Assign one or more subjects to the IDMGR policy.
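The block below is an added example, not code from the Sun documentation or from Access Manager: a simplified model of how the two IDMGR rules above decide a request, written to show why both the exact resource and the "/*" resource are needed and that any method or URL no rule lists is denied. Its matching semantics are an assumption (a resource ending in "/*" matches every URL under that path, a resource without a wildcard matches only that exact URL, and query strings are ignored); the host idm.example.com:8080 is a constructed stand-in for server:port.

```python
"""Added example (not from the Sun documentation): a simplified model of the
IDMGR policy rules. Matching semantics are an assumption, see the lead-in."""

# The two IDMGR rules, with a constructed host in place of server:port.
IDMGR_RULES = (
    ("http://idm.example.com:8080/idm", {"GET", "POST"}),
    ("http://idm.example.com:8080/idm/*", {"GET", "POST"}),
)

def strip_query(url):
    """Drop '?query' and '#fragment' before matching (simplification, assumed)."""
    return url.split("#", 1)[0].split("?", 1)[0]

def rule_matches(resource, url):
    """A trailing '/*' matches everything under that path; otherwise the URL must be identical."""
    if resource.endswith("/*"):
        return url.startswith(resource[:-1])
    return url == resource

def matching_rules(rules, url):
    """Resource names of the rules that apply to this URL (may be empty)."""
    url = strip_query(url)
    return [res for res, _ in rules if rule_matches(res, url)]

def is_allowed(rules, method, url):
    """Default deny: allowed only if some rule matching the URL lists the method."""
    url = strip_query(url)
    return any(rule_matches(res, url) and method.upper() in actions
               for res, actions in rules)

if __name__ == "__main__":
    base = "http://idm.example.com:8080"
    for method, path in (("GET", "/idm"), ("POST", "/idm/login.jsp"),
                         ("GET", "/idmadmin"), ("DELETE", "/idm/user")):
        verdict = "allow" if is_allowed(IDMGR_RULES, method, base + path) else "deny"
        print(f"{method:6} {path:16} {verdict}")
```

With only the "/*" rule, a GET of http://server:port/idm itself is not covered, which is why the policy lists both resources; a request to /idmadmin, a different host, or a method other than GET or POST is denied by the absence of a matching rule.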
Identity Manager Installation Notes
This section provides installation and configuration notes for the Sun Access Manager resource adapter and the Policy Agent.
Sun Access Manager Resource Adapter
If the Access Manager is installed on a different system than the Identity Manager server, then perform the procedure described in Installing and Configuring Sun Java System Access Manager (Versions Prior to Access Manager 7.0).
Otherwise, copy the AccessMgrHome/lib/am_*.jar files to $WSHOME/WEB-INF/lib. If you are using version 6.0, also copy the jss311.jar file to the $WSHOME/WEB-INF/lib directory.
After the files have been copied, add the Access Manager resource to the Identity Manager resources list by adding the following value in the Custom Resources section of the Configure Managed Resources page.
com.waveset.adapter.SunAccessManagerResourceAdapter
Policy Agent
You must modify the administrator and user login modules so that the Access Manager login modules are listed first.
- From the Identity Manager Administrator Interface menu bar, select Security.
- Click the Login tab.
- Click the Manage Login Module Groups button, located at the bottom of the page.
- Select the Login Module to modify. For example, select Default Identity System ID/Pwd Login Module Group.
- In the Assign Login Module select box, select Sun Access Manager Login Module.
- When a new Select option displays next to the Assign Login Module option, select the appropriate resource.
- When the Modify Login Module page displays, edit the displayed fields as needed, and then click Save. The Modify Login Module Group is displayed again.
- Specify Sun Access Manager Login Module as the first resource in the module group, and then click Save.
Usage Notes
If you are running Identity Manager under WebLogic, and native changes made in Access Manager do not appear in Identity Manager, add am_services.jar in the classpath before weblogic.jar.
To set the protocol handler when you have more than one:
java.protocol.handler.pkgs=com.iplanet.services.comm|sun.net.www.protocol
Security Notes
This section provides information about supported connections and authorization requirements needed to perform basic tasks.
Supported Connections
Identity Manager uses JNDI over SSL to communicate with this adapter.
Required Administrative Privileges
The user name that connects to Access Manager must be assigned permissions to add or modify user accounts.
Provisioning Notes
This section contains a table that summarizes the provisioning capabilities of the adapter.
Feature                     | Supported?
Enable/disable account      | Yes
Rename account              | No
Pass-through authentication | Yes. The Web Proxy Agent is required for single sign-on.
Before/after actions        | No
Data loading methods        |
Account Attributes
The following table lists the Access Manager user account attributes supported by default. All attributes are optional, unless noted in the description.
Resource Object Management
Identity Manager supports the following Access Manager objects:
Identity Template
The default identity template is
uid=$uid$,ou=People,dc=MYDOMAIN,dc=com
The default template must be replaced with a valid value.
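The following is an added example, not code from the Sun documentation or from Identity Manager, showing how the identity template above is expanded into a DN. The $uid$ value comes from the user's attributes and is escaped per RFC 4514 before substitution, so a comma, plus sign or other special character in the value cannot be read as an extra DN component; the function also flags a template that still carries the dc=MYDOMAIN placeholder. The base DN dc=example,dc=com and the user attributes used are constructed.

```python
"""Added example (not from the Sun documentation): expand the identity
template into a DN with RFC 4514 escaping of the substituted value."""
import re

# Default from this page; dc=MYDOMAIN must be replaced with the real base DN.
DEFAULT_TEMPLATE = "uid=$uid$,ou=People,dc=MYDOMAIN,dc=com"
PLACEHOLDER_RE = re.compile(r"\$(\w+)\$")
# Characters RFC 4514 requires to be escaped anywhere inside an attribute value.
SPECIAL = set('",+\\<>;')

def escape_rdn_value(value):
    """Escape an attribute value for use in an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == "#" and i == 0:            # a leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):  # leading/trailing spaces are otherwise trimmed
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)

def expand_template(template, attrs):
    """Replace every $name$ with the escaped value of attrs[name]; a missing or empty attribute is an error."""
    def substitute(match):
        name = match.group(1)
        if attrs.get(name) in (None, ""):
            raise ValueError(f"identity template needs a non-empty {name}")
        return escape_rdn_value(str(attrs[name]))
    return PLACEHOLDER_RE.sub(substitute, template)

def template_is_customized(template):
    """True once the dc=MYDOMAIN placeholder has been replaced and $uid$ is still present."""
    return "dc=MYDOMAIN" not in template and "$uid$" in template

if __name__ == "__main__":
    tmpl = "uid=$uid$,ou=People,dc=example,dc=com"   # constructed base DN
    print("default template usable:", template_is_customized(DEFAULT_TEMPLATE))
    for uid in ("jsmith", "Smith, John", "o'neil", " lead "):   # constructed sample values
        print(repr(uid), "->", expand_template(tmpl, {"uid": uid}))
```

The value "Smith, John" becomes the single RDN uid=Smith\, John rather than two components, which is the property a provisioning system needs when the uid is supplied by an upstream HR feed or a self-registration form.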
Sample Forms
This section lists the sample forms that are built-in and available for the Sun Access Manager resource adapter.
Built-In
- Sun Java System Access Manager Update Static Group Form
- Sun Java System Access Manager Update Role Form
- Sun Java System Access Manager Update Organization Form
- Sun Java System Access Manager Update Filtered Group Form
- Sun Java System Access Manager Update Dynamic Group Form
- Sun Java System Access Manager Create Static Group Form
- Sun Java System Access Manager Create Role Form
- Sun Java System Access Manager Create Organization Form
- Sun Java System Access Manager Create Filtered Group Form
- Sun Java System Access Manager Create Dynamic Group Form
Also Available
SunAMUserForm.xml
Troubleshooting
Use the Identity Manager debug pages to set trace options on the following class:
com.waveset.adapter.SunAccessManagerResourceAdapter