Sun Java System Access Manager 7 2005Q4 Developer's Guide

Chapter 1 Using the Client SDK

The Sun JavaTM System Access Manager 7 2005Q4 Client SDK package provides Access Management Java libraries for implementing stand-alone applications and web applications. You can use the Client SDK interfaces in your applications to take advantage of Access Manger services such as authentication, Single Sign-On (SSO), authorization, auditing and logging, user management, and Security Assertion Markup Language (SAML). The client SDK libraries communicate with Access Manager using XML (SOAP) over HTTP or HTTPS.

How the Client SDK Works

The Client SDK is different from the SDK packages provided in pre-6.3 versions of Access Manager. The Access Manager 6.3 Client SDK was streamlined to include only the client-side classes and configuration properties you need to connect to Access Manager services. These changes resulted in a smaller jar file, and eliminate the dependency on connections to Directory Server when developing and deploying client applications. In the Access Manager 6.3 and 7.0 architecture, the Client SDK and client applications communicate with the Access Manager server. Only the Access Manager server communicates directly with the Directory Server.

When you install the Access Manager server, the Client SDK is contained in the following file:


The following table summarizes items included in the Client SDK.

Table 1–1 Contents ofAccessManager-base/SUNWam/amclientsdk.jar




ASCII version of this chapter. Contains information on installing and using Access Manager client SDK. 


Client SDK for stand-alone applications. 


Archive of Access Manager samples, web applications, and Javadoc. 


Defines objects and parameters for building sample properties, stand-alone samples and web applications. 

JDK and CLASSPATH Requirements

The Client SDK can be used with JDK version 1.4.2. Both amclientsdk.jar and servlet.jar are required in the CLASSPATH.

Installing the Client SDK

You can obtain the Client SDK from the Access Manager compact disc, and then complete the following steps:

ProcedureTo Install the Client SDK

Before You Begin
  1. Create a package administration file. .

    Using a text editor, add the following contents to this file.


    In this example, the package administration file is named /usr/tmp/pkgadmin.

    The value for basediris the directory in which you want to install the Access Manager client SDK.

  2. Create a package response file named /usr/tmp/pkgresp.

    Using a text editor, place the following three lines (a single y on each line) in this file.

  3. In the Access Manager package directory, use the pkgadd utility to install the SUNWamclnt package:

    cd JES2005Q4-Image-root/OperatingSystem-Architecture/Product/identity_svr/Packages

    pkgadd -n -a /usr/tmp/pkgadmin -d . -r /usr/tmp/pkgresp -R / SUNWamclnt

  4. In the directory in which you installed the Access Manager client SDK package, make a copy of the file Makefile.clientsdk.

    The directory in which you installed the Access Manager client SDK package should be the same as the value you used for basedir in the package administration file in step 1a.

    On Solaris:

    cd ClientSDK-base-directory/SUNWam

    cp Makefile.clientsdk Makefile.clientsdk.orig

    On Linux:

    cd ClientSDK-base-directory/identity

    cp Makefile.clientsdk Makefile.clientsdk.orig

ProcedureTo Configure the Client SDK

  1. In Makefile.clientsdk, edit the following parameters:


    Use the following path: /usr/jdk/entsys-j2se


    The fully-qualified domain name of the Access Manager server.


    If the Access Manager server is SSL-enabled, change this value to HTTPS.


    The port number on which the Access Manager server is running.


    This value must be the same value used for the Access Manager server. You can obtain the value by running one of the following commands on the Access Manager server:

    On Solaris

    grep pwd /etc/opt/SUNWam/config/

    On Linux

    grep pwd /etc/opt/sun/identity/config/


    (Optional) If you don't want the debug logs stored in the tmp directory, then change this value to the directory where you want debug logs to be created.

  2. Run the make or gmake command:

    make -f Makefile.clientsdk

    This step generates a sample properties file in the directory temp, standalone samples in the directory clientsdk-samples and a deployable war file, amclientwebapps.war.The following table summarizes the items included in the WAR file.




    Instructions for installing and using the Client SDK packages 


    Client SDK for stand-alone applications 


    Archive of Access Manager samples, web applications, and Javadoc 


    File for building stand-alone samples and web applications 


    Javadoc (Public Client SDK APIs) 


    Sample stand-alone programs 


    Sample web applications 

ProcedureTo Deploy amclientwebapps.war

  1. Create a deployment directory for amclientwebapps.war.

    On Solaris

    mkdir -p ClientSDK-base-directory/SUNWam/web-src/clientsdk

    On Linux

    mkdir -p ClientSDK-base-directory/identity/web-src/clientsdK

  2. On the web container instance where you want to use the Access Manager client SDK, deploy the amclientwebapps.war file. See the following examples:

    Sun Java Enterprise Web Server on Solaris or Linux

    Use the wdeploy command to deploy amclientwebapps.war with a URI of /amcilentwebapps on the Web Server instance https-clientSDKinstance. Example:

    WebServer-base-directory/bin/https/httpadmin/bin/wdeploy deploy -u /amclientwebapps -i https-clientSDKinstance -v https-clientsdkinstance -d ClientSDK-base-directory/SUNWam/web-src/clientsdk clientSDK-base-directory/SUNWam/amclientwebapps.war

    Sun Java Enterprise Application Server on Solaris

    Using the asadmin command to deploy amclientwebapps.war with a URI of /amclientwebapps on the application server instance clientsSDKinstance. Example:

    ApplicationServer-base-directory/appserver/bin/asadmin deploy -user Admin-User-ID --host ApplicationServer-instanceHost --port ApplicationServer-Admin-Port --contextroot amclientwebapps -name amcilentwebapps -target clientSDKinstance ClientSDK-base-directory/SUNWam/amclientwebapps.war

    Be sure to use the fully qualified host name for ApplicationServer-instanceHost.

    Enter the Application Server administration password when prompted.

    Sun Java Enterprise Application Server on Linux

    Using the asadmin command to deploy amclientwebapps.war with a URI of /amclientwebapps on the application server instance clientsSDKinstance. Example:

    ApplicationServer-base-directory/bin/asadmin deploy -user Admin-User-ID --host ApplicationServer-instanceHost --port ApplicationServer-Admin-Port --contextroot amclientwebapps -name amcilentwebapps -target clientSDKinstance ClientSDK-base-directory/SUNWam/amclientwebapps.war

    Be sure to use the fully qualified host name for ApplicationServer-instanceHost.

    Enter the Application Server administration password when prompted.

    If you are deploying the client SDK on a third-party web container such as BEA WebLogic Server or IBM WebSphere Application Server, then see the documentation that comes with that product.

  3. Restart the web container instance on which the Access Manager client SDK was deployed.

    If the full server instance being accessed by the client SDK is SSL-enabled, then you must install the root CA certificate of the server's certificate in the web container's JVM-wide cacerts keystore. Alternatively, you can create a keystore on the client SDK machine to contain the server's root CA certificate. Then add the necessary JVM options to the client SDK's web container instance to locate the newly created keystore.

Initializing the Client SDK

Before Access Manager Client SDK can communicate with Access Manager Server, you must initialize some properties in the client SDK. You can set these properties in one of three ways:

Using a Properties File

You can set properties in a properties file and then provide a path to it at runtime. The properties files must be in the CLASSPATH. The default properties file name is and is always read at start-up.

ProcedureTo Set ClientSDK Properties in a Properties File

  1. Generate a sample by running the following command:

    make -f Makefile.clientsdk properties

    The will be present in the temp directory.

  2. Edit properties to suit your environment.

  3. At runtime if the file name is different from AMConfig, provide the edited properties filename (without the .properties extension, and also with the path. The path should be in the CLASSPATH) by declaring the JVM option:


Using the Java API

The ClientSDK properties can also be set programmatically using the class: See Using the Java API.

Example 1–1 Setting ClientSDK Properties

import java.util.Properties;
public static void main(String[] args) {
        // To initialize a set of properties
        Properties props = new Properties();
        props.setProperty(”’, ”amAdmin’);
        props.setProperty(”’, ”11111111’);
        SystemProperties.initializeProperties(props) ;

        // To initialize a single property
    // Application specific code ...


Setting Individual Properties

You can set properties one at a time. For example, you can declare the following JVM option at run time to assign a value to a particular property:


The following sections describe the properties expected by Access Manager Client SDK. A client application deployed within a servlet container can register for changes to session, user attributes and policy decisions. These properties must be set to receive such notifications.

Naming URL Properties This is a required property. The value of this property represents the URL where the Client SDK would retrieve the URLs of Access Manager internal services. This is the URI for the Naming Service. Example:
		port/ amserver/namingservice This property can be used by any remote SDK application that wants failover in, for example, session validation or getting the service URLs. Example: http:// 
		AcceessManager-HostName.domain_name:port/		amserver/failover

Debug Properties

Specifies the debug level. Possible values are levels are: off, error , warning, or message.

The value of this property is the output directory for the debug information. This directory should be writable by the server process. Example:


Notification URL Properties

The value of this property is the URI of the Notification Service running on the host machine where you installed the Client SDK. Example: http://clientSDK_host.domain_name:

This property enables or disables notifications for remote policy API. Example:



This property defines the notification URL for remote policy API.

Setting Up a Client Identity

Some of the Access Manager components such as SAML, User Management, Policy, require an identity for the client. The client application reads configuration data to identify the client. You can set up the identity for the client in one of two ways:

Note –

Some of the configuration attributes (such as password) are encrypted and stored in the data store as an Encryption/Decryption Key. If such attributes have to be decrypted by the client, the property must be set, and must be the same as that of the Access Manager Server.

This value is generated at installation time and stored in /AccessManager-base/SUNWam/lib/ .

To Set Username and Password Properties

The following properties can be used to set the username and password that can be used by client SDK to obtain the configuration parameters. The authenticated username should have permissions to read the configuration data for SAML and User Management.

For scenarios where plain text password would be security concern, an encrypted password can be provided using the property:

If an encrypted password is provided, the encryption key must also be provided using the property: am.encryption.pwd.

To Set an SSO Token Provider

Set the following property:

This provides an implementation for the interface, which returns the following single-sign-on (SSO) token:

Building Custom Web Applications

The Client SDK package contains Makefile.clientsdk that you can use to generate and build samples and web applications. The makefile defines targets to build configuration properties, samples and web applications.

Building Stand-Alone Applications

Use these steps a template for building their identity-enabled web applications.

ProcedureTo Build a Stand-Alone Application

  1. Install the Client SDK.

    See Installing the Client SDK.

  2. Copy servlet.jar to lib directory.

  3. If using JDK 1.3, follow these steps:

    1. copy the following jars to the lib directory:

      • jaas.jar

      • jsse.jar jce1_2_1.jar

      • jdk_logging.jar

    2. Add the jar files the CLASSPATH definition in the file clientsdk-samples/

  4. Run the stand-alone application.

    Change directory to respective components within clientsdk-samples. Each has a Readme.html file explaining the changes to done and a Makefile to rebuild and run the program.

Targets Defined in clientsdk

For web deployment, amclientwebapps.war is ready to be deployed. However, you can make changes in clientsdk-webapps directory and the war file can be recreated.

Custom web applications can use the following as a template to build their identity enabled web application.

properties: Generates in the temp directory that can used as a template for setting AM SDK’s properties

samples: Copies standalone samples and corresponding Makefiles to samples directory.

webapp: Generates amclientwebapps.war that can be deployed on any Servlet 2.3 compliant web container.

About the Client SDK Samples

Sample files are included in the Client SDK. These demonstrate how to write stand-alone programs and how to write web applications. The samples are located under the directory where you generated the Makefile.clientsdk, and in the following subdirectories:



Clientsdk-samples includes samples for authentication, logging, policy and SAML stand-alone programs.Clientsdk-webapps includes samples for user management, service management, and policy programs. Each sample has a Readme.html file with instructions on compiling and running the sample program.