Copyright      Index      Next
Sun Java System Access Manager 6 2005Q1 Administration Guide

Contents

Who Should Use this Book

Before You Read This Book

Conventions Used in This Book

Typographic Conventions

Symbols

Default Paths and File Names

Shell Prompts

Related Documentation

Books in This Documentation Set

Access Manager Policy Agent Documentation

Other Server Documentation

Accessing Sun Resources Online

Contacting Sun Technical Support

Related Third-Party Web Site References

Sun Welcomes Your Comments

Part I Access Manager Configuration

Chapter 1   Access Manager 2005Q1 Configuration Scripts

Access Manager 2005Q1 Installation Overview

Access Manager amconfig Script Operations

Access Manager Sample Configuration Script Input File

Deployment Mode Variable

Access Manager Configuration Variables

Web Container Configuration Variables

Sun Java System Web Server 6.1 SP4

Sun Java System Application Server 7.0 Update 3

Sun Java System Application Server 8.1.x

BEA WebLogic Server 6.1 SP4 and SP5

BEA WebLogic Server 8.1

IBM WebSphere 5.1

Directory Server Configuration Variables

Access Manager amconfig Script

Access Manager Deployment Scenarios

Deploying Additional Instances of Access Manager

To Deploy an Additional Access Manager Instance

Configuring and Reconfiguring an Instance of Access Manager

Uninstalling an Access Manager Instance

Uninstalling All Access Manager Instances

Example Configuration Script Input File

Chapter 2   Installing and Configuring Third-Party Web Containers

Installing and Configuring BEA WebLogic 8.1

To Install and Configure WebLogic 8.1

Installing and Configuring IBM WebSphere 5.1

To Install and Configure WebSphere 5.1

Using Java ES to Install Directory Server and Access Manager

Configuring Access Manager

Creating the Configuration Script Input File

BEA WebLogic and IBM WebSphere

BEA WebLogic only

IBM WebSphere only

Running the Configuration Script

Restarting the Web Container

Chapter 3   Configuring Access Manager in SSL Mode

Configuring Access Manager With a Secure Sun Java System Web Server

Configuring Access Manager with a Secure Sun Java System Application Server

Setting Up Application Server 6.2 With SSL

Setting Up Application Server 8.1 With SSL

Configuring Access Manager in SSL Mode Using JSS

Configuring AMSDK with a Secure BEA WebLogic Server

Configuring AMSDK with a Secure IBM WebSphere Application Server

Configuring Access Manager to Directory Server in SSL Mode

Configuring Directory Server in SSL Mode

Connecting Access Manager to the SSL-enabled Directory Server

Part II Managing Access Manager Through the Console

Chapter 4   Identity Management

The Access Manager Console

Header Pane

Navigation Pane

Data Pane

Identity Management View

User Profile View

Properties Function

The Identity Management Interface

Managing Access Manager Objects

Organizations

To Add an Organization to a Policy

Groups

To Add or Remove Members to a Static Group

To Create a Filtered Group

To Add a Group to a Policy

Users

To Add a User to a Policy

Services

Roles

To Add a Role to a Policy

Customizing a Service to a Role

To Add a Role to a Policy

Policies

Agents

To Create an Agent

Creating a Unique Policy Agent Identity

Containers

People Containers

Group Containers

Display Options

To Change the Display Options

Available Actions

To Set Available Actions for Users

Chapter 5   Current Sessions

The Current Sessions Interface

Session Management Frame

Session Information Window

Terminating a Session

Chapter 6   Policy Management

Overview

Policy Management Feature

URL Policy Agent Service

Policy Agents

The Policy Agent Process

Policy Types

Normal Policy

Rules

Subjects

Referral Policy

Rules

Referrals

Policy Definition Type Document

Policy Element

Rule Element

ServiceName Element

ResourceName Element

AttributeValuePair Element

Attribute Element

Value Element

Subjects Element

Subject Element

Referrals Element

Referral Element

Conditions Element

Condition Element

Adding a Policy Service

To Add a New Policy Service

Creating Policies

Creating Policies With amadmin

To Create Policies With the Access Manager Console

Creating Policies for Peer Organizations and Suborganizations

To Create a Policy for a Suborganization

Managing Policies

Modifying a Normal Policy

Modifying a Referral Policy

Policy Configuration Service

Caching Subject Evaluations

amldapuser Definition

Adding Policy Configuration Services

To Add the Policy Configuration Service

Policy-Based Resource Management

Limitations

Chapter 7   Managing Authentication

The User Interface Login URL

Login URL Parameters

goto Parameter

gotoOnFail Parameter

org Parameter

user Parameter

role Parameter

locale Parameter

module Parameter

service Parameter

arg Parameter

authlevel Parameter

domain Parameter

iPSPCookie Parameter

IDTokenN Parameters

Authentication Types

How Authentication Types Determine Access

URL Redirection

Organization-based Authentication

Organization-based Authentication Login URLs

Organization-based Authentication Redirection URLs

To Configure Organization-Based Authentication

Role-based Authentication

Role-based Authentication Login URLs

Role-based Authentication Redirection URLs

To Configure Role-Based Authentication

Service-based Authentication

Service-based Authentication Login URLs

Service-based Authentication Redirection URLs

To Configure Service-Based Authentication

User-based Authentication

User-based Authentication Login URLs

User-based Authentication Redirection URLs

To Configure User-Based Authentication

Authentication Level-based Authentication

Authentication Level-based Authentication Login URLs

Authentication Level-based Authentication Redirection URLs

Module Based Authentication

Module-based Authentication Login URLs

Module-based Authentication Redirection URLs

Authentication Configuration

Authentication Configuration User Interface

Authentication Module Chaining

Authentication Configuration for Organizations

Authentication Configuration for Roles

Authentication Configuration for Services

Authentication Configuration for Users

Account Locking

Physical Locking

Memory Locking

Authentication Service Failover

Fully Qualified Domain Name Mapping

Possible Uses For FQDN Mapping

Persistent Cookie

Multi-LDAP Authentication Module Configuration

Session Upgrade

Validation Plug-in Interface

JAAS Shared State

Enabling JAAS Shared State

JAAS Shared State Store Option

Chapter 8   Authentication Options

Core Authentication

Adding and Enabling the Core Service

Active Directory Authentication

Adding and Enabling Active Directory Authentication

Logging In Using Active Directory Authentication

Anonymous Authentication

Adding and Enabling Anonymous Authentication

Logging In Using Anonymous Authentication

Certificate-based Authentication

Adding and Enabling Certificate-based Authentication

Adding a Server URL in Platform Server List for Certificate-based Authentication

Logging In Using Certificate-based Authentication

HTTP Basic Authentication

Adding and Enabling HTTP Basic Authentication

Logging In Using HTTP Basic Authentication

JDBC Authentication

Adding and Enabling JDBC Authentication

Logging In Using JDBC Authentication

LDAP Directory Authentication

Adding and Enabling LDAP Authentication

Logging In Using LDAP Authentication

Enabling LDAP Authentication Failover

Multiple LDAP Configuration

Membership Authentication

Adding and Enabling Membership Authentication

Logging In Using Membership Authentication

MSISDN Authentication

Adding and Enabling MSISDN Authentication

Logging In Using MSISDN Authentication

Windows NT Authentication

Installing the Samba Client

Adding and Enabling Windows NT Authentication

Logging In Using Windows NT Authentication

RADIUS Server Authentication

Adding and Enabling RADIUS Authentication

Logging In Using RADIUS Authentication

SafeWord Authentication

Adding and Enabling SafeWord Authentication

Logging In Using SafeWord Authentication

Configuring SafeWord with Sun ONE Application Server

SAML Authentication

Adding and Enabling SAML Authentication

Logging In Using SAML Authentication

SecurID Authentication

Adding and Enabling SecurID Authentication

Logging In Using SecurID Authentication

Unix Authentication

Adding and Enabling Unix Authentication

Logging In Using Unix Authentication

Windows Desktop SSO Authentication

Known Restriction with Internet Explorer

Adding and Enabling Windows Desktop SSO Authentication

To Create a User in the Windows 2000 Domain Controller

To Set Up Internet Explorer

Known Restriction with Internet Explorer

To Add and Configure Windows Desktop SSO Authentication

Logging In Using Windows Desktop SSO Authentication

Chapter 9   Password Reset Service

Registering the Password Reset Service

To Register Password Reset for Users in a Different Organization

Configuring the Password Reset Service

To Configure the Service

Password Reset Lockout

Memory Lockout

Physical Lockout

Password Reset for End Users

Customizing Password Reset

Resetting Forgotten Passwords

Password Policies

Part III Command Line Reference Guide

Chapter 10   The amadmin Command Line Tool

The amadmin Command Line Executable

The amadmin Syntax

amadmin Options

Using amadmin for Federation Management

Loading the Liberty meta compliance XML into Directory Server

Exporting an Entity to an XML File (Without XML Digital Signing)

--entityname (--e)

--export (-o)

Exporting an Entity to an XML File (With XML Digital Signing)

--entityname (--e)

--exportwithsig (-o)

Using amadmin for Resource Bundles

Add resource bundle.

Get resource strings.

Remove resource bundle.

Chapter 11   The amserver Command Line Tool

The amserver Command Line Executable

amserver Syntax

Chapter 12   The am2bak Command Line Tool

The am2bak Command Line Executable

The am2bak Syntax

am2bak Options

Backup Procedure

Chapter 13   The bak2am Command Line Tool

The bak2am Command Line Executable

The bak2am Syntax

bak2am Options

Chapter 14   The ampassword Command Line Tool

The ampassword Command Line Executable

The ampassword Syntax

ampassword Options

Running ampassword on SSL

Chapter 15   The VerifyArchive Command Line Tool

The VerifyArchive Command Line Executable

VerifyArchive Syntax

VerifyArchive Options

Chapter 16   The amsecuridd Helper

The amsecuridd Helper Command Line Executable

amsecuridd Syntax

amsecuridd Options

Running the amsecuridd helper

Required Libraries

Part IV Attribute Reference

Chapter 17   Administration Service Attributes

Global Attributes

Enable Federation Management

Enable User Management

Show People Containers

Show Containers In View Menu

Show Group Containers

Managed Group Type

Default Role Permissions

No Permissions

Organization Admin

Organization Help Desk Admin

Organization Policy Admin

Enable Domain Component Tree

Enable Administrative Groups

Enable Compliance User Deletion

Dynamic Administrative Roles ACIs

Container Help Desk Admin

Organization Help Desk Admin

Container Admin

Organization Policy Admin

People Container Admin

Group Admin

Top-level Admin

Organization Admin

User Profile Service Classes

DC Node Attribute List

Search Filters for Deleted Objects

Default People Container

Default Groups Container

Default Agents Container

Organization Attributes

Groups Default People Container

Groups People Container List

User Profile Display Class

End User Profile Display Class

Show Roles on User Profile Page

Show Groups on User Profile Page

Enable User Self Subscription to Group

User Profile Display Options

User Creation Default Roles

Administrative Console Tabs

Maximum Results Returned From Search

Timeout For Search

JSP Directory Name

Online Help Documents

Required Services

User Search Key

User Search Return Attribute

User Creation Notification List

User Deletion Notification List

User Modification Notification List

Maximum Entries Displayed per Page

Event Listener Classes

Pre and Post Processing Classes

Enable External Attributes Fetch

Invalid User ID Characters

UserID and Password Validation Plugin Class

Chapter 18   Active Directory Authentication Attributes

Primary Active Directory Server

Secondary Active Directory Server

DN to Start User Search

DN for Root User Bind

Password for Root User Bind

Password For Root User Bind (Confirm)

Active Directory Attribute Used to Retrieve User Profile

Active Directory Attributes Used to Search for a User to be Authenticated

User Search Filter

Search Scope

Enable SSL Access to Active Directory Server

Return User DN To Authenticate

Active Directory Server Check Interval

User Creation Attributes List

Authentication Level

Chapter 19   Anonymous Authentication Attributes

Valid Anonymous User List

Default Anonymous User Name

Enable Case Sensitive User IDs

Authentication Level

Chapter 20   Certificate Authentication Attributes

Match Certificate in LDAP

Subject DN Attribute Used to Search LDAP for Certificates

Match Certificate to CRL

Issuer DN Attribute Used to Search LDAP for CRLs

HTTP Parameters for CRL Update

Enable OCSP Validation

LDAP Server Where Certificates Are Stored

LDAP Search Start DN

LDAP Server Principal User

LDAP Server Principal Password

LDAP Attribute for Profile ID

Use SSL for LDAP Access

Certificate Field Used to Access User Profile

Other Certificate Field Used to Access User Profile

Trusted Remote Hosts

SSL Port Number

Authentication Level

Chapter 21   Core Authentication Attributes

Global Attributes

Pluggable Authentication Module Classes

Supported Authentication Modules for Clients

LDAP Connection Pool Size

Default LDAP Connection Pool Size

Organization Attributes

Organization Authentication Modules

User Profile

Administrator Authentication Configuration

User Profile Dynamic Creation Default Roles

Enable Persistent Cookie Mode

Persistent Cookie Maximum Time

People Container For All Users

Alias Search Attribute Name

User Naming Attribute

Default Authentication Locale

Organization Authentication Configuration

Enable Login Failure Lockout Mode

Login Failure Lockout Count

Login Failure Lockout Interval

Email Address to Send Lockout Notification

Warn User After N Failures

Login Failure Lockout Duration

Lockout Attribute Name

Lockout Attribute Value

Default Success Login URL

Default Failure Login URL

Authentication PostProcessing Class

Enable Generate UserID Mode

Pluggable User Name Generator Class

Default Authentication Level

Chapter 22   HTTP Basic Authentication Attributes

Authentication Level

Chapter 23   JDBC Authentication Attributes

Connection Type

Connection Pool JNDI Name

JDBC Driver

JDBC URL

User to Connect to Database

Password to Connect to Database

Password to Connect to Database (Confirm)

Password Column in Database

Prepared Statement

Class to Transform Password Syntax

Authentication Level

Chapter 24   LDAP Authentication Attributes

Primary LDAP Server

Secondary LDAP Server

DN to Start User Search

DN for Root User Bind

Password for Root User Bind

Password For Root User Bind (Confirm)

LDAP Attribute Used to Retrieve User Profile

LDAP Attributes Used to Search for a User to be Authenticated

User Search Filter

Search Scope

Enable SSL Access to LDAP Server

Return User DN To Authenticate

LDAP Server Check Interval

User Creation Attributes List

Authentication Level

Chapter 25   Membership Authentication Attributes

Minimum Password Length

Default User Roles

User Status After Registration

Primary LDAP Server

Secondary LDAP Server

DN to Start User Search

DN for Root User Bind

Password for Root User Bind

Password for Root User Bind (Confirm)

LDAP Attribute Used to Retrieve User Profile

LDAP Attributes Used to Search for a User to be Authenticated

User Search Filter

Search Scope

Enable SSL Access to LDAP Server

Return User DN To Authenticate

Authentication Level

Chapter 26   MSISDN Authentication Attributes

Trusted Gateway IP Address

MSISDN Number Argument

LDAP Server and Port

LDAP Start Search DN

Attribute To Use To Search LDAP

LDAP Server Principal User

LDAP Server Principal Password

LDAP Server Principal Password (confirm)

SSL On For LDAP Access

MSISDN Header Search Attribute

Authentication Level

Chapter 27   NT Authentication Attributes

NT Authentication Domain

NT Authentication Host

NT Samba Configuration File Name

Authentication Level

Chapter 28   RADIUS Authentication Attributes

RADIUS Server 1

RADIUS Server 2

RADIUS Shared Secret

RADIUS Shared Secret (Confirm)

RADIUS Server’s Port

Timeout

Authentication Level

Chapter 29   SafeWord Authentication Attributes

SafeWord Server

SafeWord Server Verification Files Directory

SafeWord Logging Enable

SafeWord Logging Level

SafeWord Log File

SafeWord Authentication Connection Timeout

SafeWord Client Type

SafeWord eassp Version

Minimum SafeWord Authenticator Strength

Authentication Level

Chapter 30   SAML Authentication Attributes

Authentication Level

Chapter 31   SecurID Authentication Attributes

SecurID ACE/Server Configuration Path

SecurID Helper Configuration Port

SecurID Helper Authentication Port

Authentication Level

Chapter 32   Unix Authentication Attributes

Global Attributes

Unix Helper Configuration Port

Unix Helper Authentication Port

Unix Helper Timeout

Unix Helper Threads

Organization Attribute

Authentication Level

Chapter 33   Windows Desktop SSO Authentication Attributes

Service Principal

Keytab Filename

Kerberos Realm

Kerberos Server Name

Return Principal With Domain Name

Authentication Level

Chapter 34   Authentication Configuration Service Attributes

Authentication Configuration

Login Success URL

Login Failure URL

Authentication Post Processing Class

Conflict Resolution Level

Chapter 35   Client Detection Service Attributes

Client Types

Client Manager

Default Client Type

Client Detection Class

Enable Client Detection

Chapter 36   Globalization Setting Service Attributes

Charsets Supported By Each Locale

Charset Aliases

Auto Generated Common Name Format

Chapter 37   Logging Service Attributes

Maximum Log Size

Number of History Files

Log File Location

Logging Type

Database User Name

Database User Password

Database User Password (Confirm)

Database Driver Name

Configurable Log Fields

Log Verification Frequency

Log Signature Time

Enable Secure Logging

Maximum Number of Records

Number Of Files Per Archive

Buffer Size

DB Failure Memory Buffer Size

Buffer Time

Enable Time Buffering

Chapter 38   Naming Service Attributes

Profile Service URL

Session Service URL

Logging Service URL

Policy Service URL

Auth Service URL

SAML Web Profile/Artifact Service URL

SAML SOAP Service URL

SAML Web Profile/POST Service URL

SAML Assertion Manager Service URL

Federation Assertion Manager Service URL

Identity SDK Service URL

Security Token Manager URL

JAXRPC Endpoint URL

Chapter 39   Password Reset Service Attributes

User Validation

Secret Question

Search Filter

Base DN

Bind DN

Bind Password

Password Reset Option

Password Change Notification Option

Enable Password Reset

Enable Personal Question

Maximum Number of Questions

Force Change Password on Next Login

Enable Password Reset Failure Lockout

Password Reset Failure Lockout Count

Password Reset Failure Lockout Interval

Email Address to Send Lockout Notification

Warn User After N Failure

Password Reset Failure Lockout Duration

Password Reset Lockout Attribute Name

Password Reset Lockout Attribute Value

Chapter 40   Platform Service Attributes

Server List

Platform Locale

Cookie Domains

Login Service URL

Logout Service URL

Available Locales

Client Char Sets

Chapter 41   Policy Configuration Service Attributes

Global Attributes

Resource Comparator

Continue Evaluation On Deny Decision

Organization Attributes

LDAP Server and Port

LDAP Base DN

LDAP Users Base DN

Access Manager Roles Base DN

LDAP Bind DN

LDAP Bind Password

LDAP Bind Password (Confirm)

LDAP Organization Search Filter

LDAP Organization Search Scope

LDAP Groups Search Filter

LDAP Groups Search Scope

LDAP Users Search Filter

LDAP Users Search Scope

LDAP Roles Search Filter

LDAP Roles Search Scope

Access Manager Roles Search Scope

LDAP Organization Search Attribute

LDAP Groups Search Attribute

LDAP Users Search Attribute

LDAP Roles Search Attribute

Maximum Results Returned From Search

Timeout For Search

Enable LDAP SSL

LDAP Connection Pool Minimal Size

LDAP Connection Pool Maximum Size

Selected Policy Subjects

Selected Policy Conditions

Selected Policy Referrals

Subjects Result Time To Live

User Alias Enabled

Chapter 42   SAML Service Attributes

Site ID And Site Issuer Name

Sign SAML Request

Sign SAML Response

Sign Assertion

SAML Artifact Name

Target Specifier

Artifact Timeout

Assertion Skew Factor For notBefore Time

Assertion Timeout

Trusted Partner Sites

POST To Target URLs

Chapter 43   Session Service Attributes

Secondary Configuration Instance

Instance Name

Session Store User

Session Store Password

Session Store Password (Confirm)

Session Cluster Server List

Maximum Wait Time

JDBC Driver Implementation Class

JDBC URL

Minimum Pool Size

Maximum Pool Size

Global Attributes

Maximum Number of Search Results

Timeout For Search (Seconds)

Dynamic Attributes

Max Session Time (Minutes)

Max Idle Time (Minutes)

Max Caching Time (Minutes)

Chapter 44   SOAP Binding Service Attributes

Request Handler List

Web Service Authenticator

Supported Authentication Mechanisms

Chapter 45   User Attributes

User Service Attributes

User Preferred Language

User Preferred Timezone

Inherited Locale

Administrator DN Starting View

Default User Status

User Profile Attributes

First Name

Last Name

Full Name

Password

Password (Confirm)

Email Address

Employee Number

Telephone Number

Home Address

User Status

Account Expiration Date

User Authentication Configuration

User Alias List

Preferred Locale

Success URL

Failure URL

Unique User IDs

Appendix A   Error Codes

Access Manager Console Errors

Authentication Error Codes

Policy Error Codes

amadmin Error Codes

Glossary

Copyright      Index      Next

---

Part No: 817-7647-11.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.