Sun Java System Access Manager 6 2005Q1 Administration Guide 


Who Should Use this Book
Before You Read This Book
Conventions Used in This Book
Typographic Conventions
Default Paths and File Names
Shell Prompts
Related Documentation
Books in This Documentation Set
Access Manager Policy Agent Documentation
Other Server Documentation
Accessing Sun Resources Online
Contacting Sun Technical Support
Related Third-Party Web Site References
Sun Welcomes Your Comments

Part I Access Manager Configuration

Chapter 1   Access Manager 2005Q1 Configuration Scripts
Access Manager 2005Q1 Installation Overview
Access Manager amconfig Script Operations
Access Manager Sample Configuration Script Input File
Deployment Mode Variable
Access Manager Configuration Variables
Web Container Configuration Variables
Sun Java System Web Server 6.1 SP4
Sun Java System Application Server 7.0 Update 3
Sun Java System Application Server 8.1.x
BEA WebLogic Server 6.1 SP4 and SP5
BEA WebLogic Server 8.1
IBM WebSphere 5.1
Directory Server Configuration Variables
Access Manager amconfig Script
Access Manager Deployment Scenarios
Deploying Additional Instances of Access Manager
To Deploy an Additional Access Manager Instance
Configuring and Reconfiguring an Instance of Access Manager
Uninstalling an Access Manager Instance
Uninstalling All Access Manager Instances
Example Configuration Script Input File

Chapter 2   Installing and Configuring Third-Party Web Containers
Installing and Configuring BEA WebLogic 8.1
To Install and Configure WebLogic 8.1
Installing and Configuring IBM WebSphere 5.1
To Install and Configure WebSphere 5.1
Using Java ES to Install Directory Server and Access Manager
Configuring Access Manager
Creating the Configuration Script Input File
BEA WebLogic and IBM WebSphere
BEA WebLogic only
IBM WebSphere only
Running the Configuration Script
Restarting the Web Container

Chapter 3   Configuring Access Manager in SSL Mode
Configuring Access Manager With a Secure Sun Java System Web Server
Configuring Access Manager with a Secure Sun Java System Application Server
Setting Up Application Server 6.2 With SSL
Setting Up Application Server 8.1 With SSL
Configuring Access Manager in SSL Mode Using JSS
Configuring AMSDK with a Secure BEA WebLogic Server
Configuring AMSDK with a Secure IBM WebSphere Application Server
Configuring Access Manager to Directory Server in SSL Mode
Configuring Directory Server in SSL Mode
Connecting Access Manager to the SSL-enabled Directory Server

Part II Managing Access Manager Through the Console

Chapter 4   Identity Management
The Access Manager Console
Header Pane
Navigation Pane
Data Pane
Identity Management View
User Profile View
Properties Function
The Identity Management Interface
Managing Access Manager Objects
To Add an Organization to a Policy
To Add or Remove Members to a Static Group
To Create a Filtered Group
To Add a Group to a Policy
To Add a User to a Policy
To Add a Role to a Policy
Customizing a Service to a Role
To Add a Role to a Policy
To Create an Agent
Creating a Unique Policy Agent Identity
People Containers
Group Containers
Display Options
To Change the Display Options
Available Actions
To Set Available Actions for Users

Chapter 5   Current Sessions
The Current Sessions Interface
Session Management Frame
Session Information Window
Terminating a Session

Chapter 6   Policy Management
Policy Management Feature
URL Policy Agent Service
Policy Agents
The Policy Agent Process
Policy Types
Normal Policy
Referral Policy
Policy Definition Type Document
Policy Element
Rule Element
ServiceName Element
ResourceName Element
AttributeValuePair Element
Attribute Element
Value Element
Subjects Element
Subject Element
Referrals Element
Referral Element
Conditions Element
Condition Element
Adding a Policy Service
To Add a New Policy Service
Creating Policies
Creating Policies With amadmin
To Create Policies With the Access Manager Console
Creating Policies for Peer Organizations and Suborganizations
To Create a Policy for a Suborganization
Managing Policies
Modifying a Normal Policy
Modifying a Referral Policy
Policy Configuration Service
Caching Subject Evaluations
amldapuser Definition
Adding Policy Configuration Services
To Add the Policy Configuration Service
Policy-Based Resource Management

Chapter 7   Managing Authentication
The User Interface Login URL
Login URL Parameters
goto Parameter
gotoOnFail Parameter
org Parameter
user Parameter
role Parameter
locale Parameter
module Parameter
service Parameter
arg Parameter
authlevel Parameter
domain Parameter
iPSPCookie Parameter
IDTokenN Parameters
Authentication Types
How Authentication Types Determine Access
URL Redirection
Organization-based Authentication
Organization-based Authentication Login URLs
Organization-based Authentication Redirection URLs
To Configure Organization-Based Authentication
Role-based Authentication
Role-based Authentication Login URLs
Role-based Authentication Redirection URLs
To Configure Role-Based Authentication
Service-based Authentication
Service-based Authentication Login URLs
Service-based Authentication Redirection URLs
To Configure Service-Based Authentication
User-based Authentication
User-based Authentication Login URLs
User-based Authentication Redirection URLs
To Configure User-Based Authentication
Authentication Level-based Authentication
Authentication Level-based Authentication Login URLs
Authentication Level-based Authentication Redirection URLs
Module Based Authentication
Module-based Authentication Login URLs
Module-based Authentication Redirection URLs
Authentication Configuration
Authentication Configuration User Interface
Authentication Module Chaining
Authentication Configuration for Organizations
Authentication Configuration for Roles
Authentication Configuration for Services
Authentication Configuration for Users
Account Locking
Physical Locking
Memory Locking
Authentication Service Failover
Fully Qualified Domain Name Mapping
Possible Uses For FQDN Mapping
Persistent Cookie
Multi-LDAP Authentication Module Configuration
Session Upgrade
Validation Plug-in Interface
JAAS Shared State
Enabling JAAS Shared State
JAAS Shared State Store Option

Chapter 8   Authentication Options
Core Authentication
Adding and Enabling the Core Service
Active Directory Authentication
Adding and Enabling Active Directory Authentication
Logging In Using Active Directory Authentication
Anonymous Authentication
Adding and Enabling Anonymous Authentication
Logging In Using Anonymous Authentication
Certificate-based Authentication
Adding and Enabling Certificate-based Authentication
Adding a Server URL in Platform Server List for Certificate-based Authentication
Logging In Using Certificate-based Authentication
HTTP Basic Authentication
Adding and Enabling HTTP Basic Authentication
Logging In Using HTTP Basic Authentication
JDBC Authentication
Adding and Enabling JDBC Authentication
Logging In Using JDBC Authentication
LDAP Directory Authentication
Adding and Enabling LDAP Authentication
Logging In Using LDAP Authentication
Enabling LDAP Authentication Failover
Multiple LDAP Configuration
Membership Authentication
Adding and Enabling Membership Authentication
Logging In Using Membership Authentication
MSISDN Authentication
Adding and Enabling MSISDN Authentication
Logging In Using MSISDN Authentication
Windows NT Authentication
Installing the Samba Client
Adding and Enabling Windows NT Authentication
Logging In Using Windows NT Authentication
RADIUS Server Authentication
Adding and Enabling RADIUS Authentication
Logging In Using RADIUS Authentication
SafeWord Authentication
Adding and Enabling SafeWord Authentication
Logging In Using SafeWord Authentication
Configuring SafeWord with Sun ONE Application Server
SAML Authentication
Adding and Enabling SAML Authentication
Logging In Using SAML Authentication
SecurID Authentication
Adding and Enabling SecurID Authentication
Logging In Using SecurID Authentication
Unix Authentication
Adding and Enabling Unix Authentication
Logging In Using Unix Authentication
Windows Desktop SSO Authentication
Known Restriction with Internet Explorer
Adding and Enabling Windows Desktop SSO Authentication
To Create a User in the Windows 2000 Domain Controller
To Set Up Internet Explorer
Known Restriction with Internet Explorer
To Add and Configure Windows Desktop SSO Authentication
Logging In Using Windows Desktop SSO Authentication

Chapter 9   Password Reset Service
Registering the Password Reset Service
To Register Password Reset for Users in a Different Organization
Configuring the Password Reset Service
To Configure the Service
Password Reset Lockout
Memory Lockout
Physical Lockout
Password Reset for End Users
Customizing Password Reset
Resetting Forgotten Passwords
Password Policies

Part III Command Line Reference Guide

Chapter 10   The amadmin Command Line Tool
The amadmin Command Line Executable
The amadmin Syntax
amadmin Options
Using amadmin for Federation Management
Loading the Liberty meta compliance XML into Directory Server
Exporting an Entity to an XML File (Without XML Digital Signing)
--entityname (--e)
--export (-o)
Exporting an Entity to an XML File (With XML Digital Signing)
--entityname (--e)
--exportwithsig (-o)
Using amadmin for Resource Bundles
Add resource bundle.
Get resource strings.
Remove resource bundle.

Chapter 11   The amserver Command Line Tool
The amserver Command Line Executable
amserver Syntax

Chapter 12   The am2bak Command Line Tool
The am2bak Command Line Executable
The am2bak Syntax
am2bak Options
Backup Procedure

Chapter 13   The bak2am Command Line Tool
The bak2am Command Line Executable
The bak2am Syntax
bak2am Options

Chapter 14   The ampassword Command Line Tool
The ampassword Command Line Executable
The ampassword Syntax
ampassword Options
Running ampassword on SSL

Chapter 15   The VerifyArchive Command Line Tool
The VerifyArchive Command Line Executable
VerifyArchive Syntax
VerifyArchive Options

Chapter 16   The amsecuridd Helper
The amsecuridd Helper Command Line Executable
amsecuridd Syntax
amsecuridd Options
Running the amsecuridd helper
Required Libraries

Part IV Attribute Reference

Chapter 17   Administration Service Attributes
Global Attributes
Enable Federation Management
Enable User Management
Show People Containers
Show Containers In View Menu
Show Group Containers
Managed Group Type
Default Role Permissions
No Permissions
Organization Admin
Organization Help Desk Admin
Organization Policy Admin
Enable Domain Component Tree
Enable Administrative Groups
Enable Compliance User Deletion
Dynamic Administrative Roles ACIs
Container Help Desk Admin
Organization Help Desk Admin
Container Admin
Organization Policy Admin
People Container Admin
Group Admin
Top-level Admin
Organization Admin
User Profile Service Classes
DC Node Attribute List
Search Filters for Deleted Objects
Default People Container
Default Groups Container
Default Agents Container
Organization Attributes
Groups Default People Container
Groups People Container List
User Profile Display Class
End User Profile Display Class
Show Roles on User Profile Page
Show Groups on User Profile Page
Enable User Self Subscription to Group
User Profile Display Options
User Creation Default Roles
Administrative Console Tabs
Maximum Results Returned From Search
Timeout For Search
JSP Directory Name
Online Help Documents
Required Services
User Search Key
User Search Return Attribute
User Creation Notification List
User Deletion Notification List
User Modification Notification List
Maximum Entries Displayed per Page
Event Listener Classes
Pre and Post Processing Classes
Enable External Attributes Fetch
Invalid User ID Characters
UserID and Password Validation Plugin Class

Chapter 18   Active Directory Authentication Attributes
Primary Active Directory Server
Secondary Active Directory Server
DN to Start User Search
DN for Root User Bind
Password for Root User Bind
Password For Root User Bind (Confirm)
Active Directory Attribute Used to Retrieve User Profile
Active Directory Attributes Used to Search for a User to be Authenticated
User Search Filter
Search Scope
Enable SSL Access to Active Directory Server
Return User DN To Authenticate
Active Directory Server Check Interval
User Creation Attributes List
Authentication Level

Chapter 19   Anonymous Authentication Attributes
Valid Anonymous User List
Default Anonymous User Name
Enable Case Sensitive User IDs
Authentication Level

Chapter 20   Certificate Authentication Attributes
Match Certificate in LDAP
Subject DN Attribute Used to Search LDAP for Certificates
Match Certificate to CRL
Issuer DN Attribute Used to Search LDAP for CRLs
HTTP Parameters for CRL Update
Enable OCSP Validation
LDAP Server Where Certificates Are Stored
LDAP Search Start DN
LDAP Server Principal User
LDAP Server Principal Password
LDAP Attribute for Profile ID
Use SSL for LDAP Access
Certificate Field Used to Access User Profile
Other Certificate Field Used to Access User Profile
Trusted Remote Hosts
SSL Port Number
Authentication Level

Chapter 21   Core Authentication Attributes
Global Attributes
Pluggable Authentication Module Classes
Supported Authentication Modules for Clients
LDAP Connection Pool Size
Default LDAP Connection Pool Size
Organization Attributes
Organization Authentication Modules
User Profile
Administrator Authentication Configuration
User Profile Dynamic Creation Default Roles
Enable Persistent Cookie Mode
Persistent Cookie Maximum Time
People Container For All Users
Alias Search Attribute Name
User Naming Attribute
Default Authentication Locale
Organization Authentication Configuration
Enable Login Failure Lockout Mode
Login Failure Lockout Count
Login Failure Lockout Interval
Email Address to Send Lockout Notification
Warn User After N Failures
Login Failure Lockout Duration
Lockout Attribute Name
Lockout Attribute Value
Default Success Login URL
Default Failure Login URL
Authentication PostProcessing Class
Enable Generate UserID Mode
Pluggable User Name Generator Class
Default Authentication Level

Chapter 22   HTTP Basic Authentication Attributes
Authentication Level

Chapter 23   JDBC Authentication Attributes
Connection Type
Connection Pool JNDI Name
JDBC Driver
User to Connect to Database
Password to Connect to Database
Password to Connect to Database (Confirm)
Password Column in Database
Prepared Statement
Class to Transform Password Syntax
Authentication Level

Chapter 24   LDAP Authentication Attributes
Primary LDAP Server
Secondary LDAP Server
DN to Start User Search
DN for Root User Bind
Password for Root User Bind
Password For Root User Bind (Confirm)
LDAP Attribute Used to Retrieve User Profile
LDAP Attributes Used to Search for a User to be Authenticated
User Search Filter
Search Scope
Enable SSL Access to LDAP Server
Return User DN To Authenticate
LDAP Server Check Interval
User Creation Attributes List
Authentication Level

Chapter 25   Membership Authentication Attributes
Minimum Password Length
Default User Roles
User Status After Registration
Primary LDAP Server
Secondary LDAP Server
DN to Start User Search
DN for Root User Bind
Password for Root User Bind
Password for Root User Bind (Confirm)
LDAP Attribute Used to Retrieve User Profile
LDAP Attributes Used to Search for a User to be Authenticated
User Search Filter
Search Scope
Enable SSL Access to LDAP Server
Return User DN To Authenticate
Authentication Level

Chapter 26   MSISDN Authentication Attributes
Trusted Gateway IP Address
MSISDN Number Argument
LDAP Server and Port
LDAP Start Search DN
Attribute To Use To Search LDAP
LDAP Server Principal User
LDAP Server Principal Password
LDAP Server Principal Password (confirm)
SSL On For LDAP Access
MSISDN Header Search Attribute
Authentication Level

Chapter 27   NT Authentication Attributes
NT Authentication Domain
NT Authentication Host
NT Samba Configuration File Name
Authentication Level

Chapter 28   RADIUS Authentication Attributes
RADIUS Server 1
RADIUS Server 2
RADIUS Shared Secret
RADIUS Shared Secret (Confirm)
RADIUS Server’s Port
Authentication Level

Chapter 29   SafeWord Authentication Attributes
SafeWord Server
SafeWord Server Verification Files Directory
SafeWord Logging Enable
SafeWord Logging Level
SafeWord Log File
SafeWord Authentication Connection Timeout
SafeWord Client Type
SafeWord eassp Version
Minimum SafeWord Authenticator Strength
Authentication Level

Chapter 30   SAML Authentication Attributes
Authentication Level

Chapter 31   SecurID Authentication Attributes
SecurID ACE/Server Configuration Path
SecurID Helper Configuration Port
SecurID Helper Authentication Port
Authentication Level

Chapter 32   Unix Authentication Attributes
Global Attributes
Unix Helper Configuration Port
Unix Helper Authentication Port
Unix Helper Timeout
Unix Helper Threads
Organization Attribute
Authentication Level

Chapter 33   Windows Desktop SSO Authentication Attributes
Service Principal
Keytab Filename
Kerberos Realm
Kerberos Server Name
Return Principal With Domain Name
Authentication Level

Chapter 34   Authentication Configuration Service Attributes
Authentication Configuration
Login Success URL
Login Failure URL
Authentication Post Processing Class
Conflict Resolution Level

Chapter 35   Client Detection Service Attributes
Client Types
Client Manager
Default Client Type
Client Detection Class
Enable Client Detection

Chapter 36   Globalization Setting Service Attributes
Charsets Supported By Each Locale
Charset Aliases
Auto Generated Common Name Format

Chapter 37   Logging Service Attributes
Maximum Log Size
Number of History Files
Log File Location
Logging Type
Database User Name
Database User Password
Database User Password (Confirm)
Database Driver Name
Configurable Log Fields
Log Verification Frequency
Log Signature Time
Enable Secure Logging
Maximum Number of Records
Number Of Files Per Archive
Buffer Size
DB Failure Memory Buffer Size
Buffer Time
Enable Time Buffering

Chapter 38   Naming Service Attributes
Profile Service URL
Session Service URL
Logging Service URL
Policy Service URL
Auth Service URL
SAML Web Profile/Artifact Service URL
SAML Web Profile/POST Service URL
SAML Assertion Manager Service URL
Federation Assertion Manager Service URL
Identity SDK Service URL
Security Token Manager URL

Chapter 39   Password Reset Service Attributes
User Validation
Secret Question
Search Filter
Base DN
Bind DN
Bind Password
Password Reset Option
Password Change Notification Option
Enable Password Reset
Enable Personal Question
Maximum Number of Questions
Force Change Password on Next Login
Enable Password Reset Failure Lockout
Password Reset Failure Lockout Count
Password Reset Failure Lockout Interval
Email Address to Send Lockout Notification
Warn User After N Failure
Password Reset Failure Lockout Duration
Password Reset Lockout Attribute Name
Password Reset Lockout Attribute Value

Chapter 40   Platform Service Attributes
Server List
Platform Locale
Cookie Domains
Login Service URL
Logout Service URL
Available Locales
Client Char Sets

Chapter 41   Policy Configuration Service Attributes
Global Attributes
Resource Comparator
Continue Evaluation On Deny Decision
Organization Attributes
LDAP Server and Port
LDAP Users Base DN
Access Manager Roles Base DN
LDAP Bind Password
LDAP Bind Password (Confirm)
LDAP Organization Search Filter
LDAP Organization Search Scope
LDAP Groups Search Filter
LDAP Groups Search Scope
LDAP Users Search Filter
LDAP Users Search Scope
LDAP Roles Search Filter
LDAP Roles Search Scope
Access Manager Roles Search Scope
LDAP Organization Search Attribute
LDAP Groups Search Attribute
LDAP Users Search Attribute
LDAP Roles Search Attribute
Maximum Results Returned From Search
Timeout For Search
LDAP Connection Pool Minimal Size
LDAP Connection Pool Maximum Size
Selected Policy Subjects
Selected Policy Conditions
Selected Policy Referrals
Subjects Result Time To Live
User Alias Enabled

Chapter 42   SAML Service Attributes
Site ID And Site Issuer Name
Sign SAML Request
Sign SAML Response
Sign Assertion
SAML Artifact Name
Target Specifier
Artifact Timeout
Assertion Skew Factor For notBefore Time
Assertion Timeout
Trusted Partner Sites
POST To Target URLs

Chapter 43   Session Service Attributes
Secondary Configuration Instance
Instance Name
Session Store User
Session Store Password
Session Store Password (Confirm)
Session Cluster Server List
Maximum Wait Time
JDBC Driver Implementation Class
Minimum Pool Size
Maximum Pool Size
Global Attributes
Maximum Number of Search Results
Timeout For Search (Seconds)
Dynamic Attributes
Max Session Time (Minutes)
Max Idle Time (Minutes)
Max Caching Time (Minutes)

Chapter 44   SOAP Binding Service Attributes
Request Handler List
Web Service Authenticator
Supported Authentication Mechanisms

Chapter 45   User Attributes
User Service Attributes
User Preferred Language
User Preferred Timezone
Inherited Locale
Administrator DN Starting View
Default User Status
User Profile Attributes
First Name
Last Name
Full Name
Password (Confirm)
Email Address
Employee Number
Telephone Number
Home Address
User Status
Account Expiration Date
User Authentication Configuration
User Alias List
Preferred Locale
Success URL
Failure URL
Unique User IDs

Appendix A   Error Codes
Access Manager Console Errors
Authentication Error Codes
Policy Error Codes
amadmin Error Codes



Part No: 817-7647-11.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.