Sun Java System Access Manager 6 2005Q1 Developer's Guide 

Contents


List of Figures

List of Tables

List of Procedures

List of Code Examples

Preface
Who Should Use This Book
Before You Read This Book
Conventions Used in This Book
Typographic Conventions
Symbols
Default Paths and File Names
Shell Prompts
Related Documentation
Books in This Documentation Set
Access Manager Policy Agent Documentation
Other Server Documentation
Accessing Sun Resources Online
Contacting Sun Technical Support
Related Third-Party Web Site References
Sun Welcomes Your Comments

Chapter 1   Introduction
Access Manager Overview
Data Management Components
Access Manager Management Services
Managing Access
Web Access
Application Access
Extending Access Manager
Service Definition With XML
Console Customization
Access Manager SDK
Identity Management SDK
Service Management SDK
Authentication Programming Interfaces
Utility API
Logging API And Logging SPI
Client Detection API
SSO API
Policy SDK
SAML SDK
Federation Management API
Access Manager File System
Client Browser Support

Chapter 2   Using the Client SDK
How the Client SDK Works
JDK and CLASSPATH Requirements
Configuring the Client SDK
To Configure the Client SDK
Initializing the Client SDK
Using a Properties File
To Set ClientSDK Properties in a Properties File
Using the Java API
Setting Individual Properties
Naming URL Properties
Debug Properties
Notification URL Properties
Setting Up a Client Identity
To Set Username and Password Properties
To Set an SSO Token Provider
Building Custom Web Applications
Building Stand-Alone Applications
To Build a Stand-Alone Application
Targets Defined in clientsdk
About the Client SDK Samples

Chapter 3   The Access Manager Console
Overview
Console Interface
Generating The Console Interface
Plug-In Modules
Accessing The Console
Customizing The Console
The Default Console Files
Creating Custom Organization Files
To Create Custom Organization Files
Alternate Customization Procedure
Miscellaneous Customizations
To Modify The Service Configuration Display
To Modify The User Profile View
Display Options For The User Profile Page
To Localize The Console
To Display Service Attributes
To Customize Interface Colors
To Change The Default Attribute Display Elements
To Add A Module Tab
To Display Container Objects
Console API
Precompiling The Console JSP
Console Samples
Modify User Profile Page
Create A Tabbed Identity Management Display
ConsoleEventListener
Add Administrative Function
Add A New Module Tab
Create A Custom User Profile View

Chapter 4   Single Sign-On And Sessions
Overview
Session Service Concepts
Session
Session ID
SSOToken
Single Sign-On Process
Contacting A Protected Resource
Providing User Credentials
Cookies and Sessions
Session Structure
Fixed Attributes
Protected And Custom Properties
Protected Properties
Custom Properties
Cross-Domain Support For SSO
Policy Agents
Cross-Domain Controller
A Cross-Domain SSO Scenario
Enabling Cross-Domain Single Sign-On
SSO API
Java API Overview
SSOTokenManager Class
SSOTokenID Interface
SSOToken Interface
SSOTokenEvent
SSOTokenListener
Sample SSO Java Files
C API Overview
C SSO Include Files
C SSO Properties
C SSO interfaces
C SSO Sample
Java versus C API
Non-Web-Based Applications
SSO Samples

Chapter 5   Customizing the Authentication User Interface
User Interface Files You Can Modify
services.war File
Java Server Pages
Customizing the Login Page
Customizing JSP Templates
XML Files
Callbacks Element
ConfirmationCallback Element
JavaScript Files
Cascading Style Sheets
Images
Localization Files
Customizing Branding and Functionality
To Modify Branding and Functionality
Customizing the Self-Registration Page
To Modify the Self-Registration Page
Updating and Redeploying services.war
To Update services.war
To Redeploy services.war
On BEA WebLogic
On Sun ONE Application Server
On IBM WebSphere

Chapter 6   Using Authentication APIs and SPIs
Overview of Authentication APIs and SPIs
How the Authentication Java APIs Work
How the Authentication C-APIs Work
XML/HTTP Interface for Other Applications
Examples of XML Messages
How the Authentication SPIs Work
Extending the AMLoginModule Class
Pluggable JAAS Module
Authentication Post Processing
Using Authentication APIs
Running the Sample Authentication Programs
Java API Code Samples and Their Locations
To Compile and Execute the Java API Samples
To Configure SSL for Java API Samples
LDAPLogin Example
CertLogin Example
JCDI Module Example
C-API Sample
Using Authentication SPIs
Implementing a Custom Authentication Module
About the Login Module Sample
Writing a Sample Login Module
Compiling and Deploying the LoginModule program
Loading the Login Module Sample into Access Manager
Running the LoginModule Sample Program
Deploying the Login Module Sample Program
Implementing Authentication PostProcessing SPI
About the PostProcessing SPI Sample
To Compile the ISAuthPostProcessSample Program on Solaris Sparc/x86 or Linux
Configuring the Authentication Post Processing SPI
Compiling On Windows 2000
Generating an Authentication User ID
To Compile the UserIDGeneratorSample on Solaris Sparc/x86, Linux
To Deploy the UserIDGeneratorSample program
Configuring the UserIDGeneratorSample Program
Compiling the UserIDGeneratorSample Program on Windows 2000
Implementing A Pure JAAS Module
Conventions Used in the Samples
To Run the Sample on Solaris Sparc/x86 or Linux
To Run the Sample on Windows 2000

Chapter 7   Identity Management
Overview
Access Manager Console
ums.xml
Identity Management Software Development Kit (SDK)
Identity-related Objects
Marker Object Classes
Identity-related Objects As LDAP Entries
Organizations
Containers
Users
Groups
Roles
Object Templates And ums.xml
Structure Of ums.xml
Structure Templates
Creation Templates
Search Templates
Modifying ums.xml
Adding Custom Object Classes
DAI Service
amEntrySpecific.xml
Identity Management SDK
Interfaces
AMAssignableDynamicGroup
AMCallback
AMConstants
AMDynamicGroup
AMEventListener
AMFilteredRole
AMGroup
AMGroupContainer
AMObject
AMOrganization
AMOrganizationalUnit
AMPeopleContainer
AMRole
AMSearchControl
AMStaticGroup
AMStoreConnection
AMTemplate
AMUser
AMUserPasswordValidation
Search Methods In The SDK
Search Method Parameters
searchUsers Sample Code
Search Groups Sample Code
Email Notification And The SDK
Caching And The SDK
Installing The SDK Remotely
Management Function Samples
Creating Objects
Retrieve Templates
Identity Management Samples
Adding User Attributes
Creating Objects With The SDK

Chapter 8   Service Management
Overview
XML Service Files
Document Type Definition Structure Files
Service Management SDK
Defining A Custom Service
Creating A Service File
Service File Naming Conventions
Service Attributes
Attribute Inheritance
Extending The Directory Server Schema
To Extend The Directory Server LDAP Schema
Adding Access Manager Object Classes To Existing Users
Importing The XML Service File
Configuring Console Localization Properties
Localizing With Two Languages
Updating Files For Abstract Objects
Registering The Service
DTD Files
The sms.dtd Structure
ServicesConfiguration Element
Service Element
Schema Element
Service Attribute Elements
SubSchema Element
AttributeSchema Element
The amAdmin.dtd Structure
Requests Element
OrganizationRequests Element
ContainerRequests Element
PeopleContainerRequests Element
RoleRequests Element
GroupRequests Element
UserRequests Element
ServiceConfigurationRequests Element
AttributeValuePair Element
CreateObject Elements
DeleteObject Elements
ModifyObject Elements
GetObject Elements
GetService Elements
ActionServiceTemplate Element
ActionServiceTemplateAttributeValues Element
ActionServices Elements
SchemaRequests Element
Federation Management Elements
XML Service Files
Default XML Service Files
Modifying A Default XML Service File
Batch Processing With XML Templates
XML Templates
Modifying A Batch Processing XML Template
Customizing User Pages
Creating Users Using A Modified Directory Server Schema
Service Management SDK
ServiceSchemaManager Class
Retrieve Logging Location
Retrieve User Or Dynamic Attributes
Retrieve Attribute Values

Chapter 9   Policy Management
Policy SDK
Java SDK For Policy
Policy API For Java
Policy Plugin API For Java
C Library For Policy
Policy Evaluation API for C
Extending the Policy Management Feature
Compiling the Policy Samples
Adding the Policy Service to Access Manager
Developing Custom Subjects, Conditions and Referrals
To Load the Modified Services
Creating Policies for the Service
Developing and Running Policy Evaluation Programs
To Run the Policy Evaluation Program
Constructing Policies Programmatically
To Run PolicyCreator.java
PolicyCreator.java

Chapter 10   Using the JAAS Authorization Framework
Overview of JAAS Authorization
How Policy Enforcement Works
How the J2SE Access Controller Works
JAAS Authorization in Access Manager
Custom APIs
User Interface
Enabling the JAAS Authorization Framework

Chapter 11   SAML Service
Overview
Accessing The SAML Service
SAML Component Details
Profile Types
Web Browser Artifact Profile
Web Browser POST Profile
Assertion Types
SAML SOAP Receiver
SOAP Messages
Protecting The SOAP Receiver
amSAML.xml
SAML SDK
com.sun.identity.saml
com.sun.identity.saml.assertion
com.sun.identity.saml.common
com.sun.identity.saml.plugins
com.sun.identity.saml.protocol
AuthenticationQuery
AttributeQuery
AuthorizationDecisionQuery
com.sun.identity.saml.xmlsig
SAML Samples

Chapter 12   Auditing Features
Logging Service Overview
Logging Architecture
amLogging.xml
Log Files
Recorded Events
Time
Data
ModuleName
Domain
Log Level
Login ID
IP Address
Logged By
Host Name
Log File Formats
Flat File Format
Relational Database Format
Java Enterprise System Installation Logs
Access Manager Service Logs
Session Logs
Console Logs
Authentication Logs
Federation Logs
Policy Logs
Agent Logs
SAML Logs
amAdmin Logs
Logging Features
To Enable Secure Logging
Command Line Logging
Remote Logging
Using Remote Logging
Enabling Remote Logging
Logging API
Setting Environment Variables
If Client Can Execute in the Local Access Manager Server
If Client Executes Only in a Remote Server
If SSL is Enabled
Logger Class
LogRecord Class
Adding Log Data
Caching Log Records
Flushing Log Records
Sample Logging Code
Logging SPI
Log Verifier Plugin
Log Authorization Plugin
Debug Files
Debug Levels
Debug Output Files
Using Debug Files
Multiple Access Manager Instances And Debug Files

Chapter 13   Client Detection Service
Overview
Client Detection Process
Enabling Client Detection
Client Data
HTML
genericHTML
Client Detection API

Chapter 14   Access Manager Utilities
Utility API
AdminUtils
AMClientDetector
AMPasswordUtil
Debug
Locale
SystemProperties
ThreadPool
Password API Plug-Ins
Notify Password Sample
Password Generator Sample

Appendix A   AMConfig.properties File
Overview
Deployment Properties
Access Manager
Installation
Console
Cookies
Miscellaneous
Directory Server
Installation
Directory Server Tree
Configuration Properties
Debug Service
Stats Service
Notification Service
SDK Caching
Online Certificate Status Protocol (OCSP)
Identity Object Processing
Security
SSL
Certificate Database
Replication
Event And LDAP Connection
Event Connection
LDAP Connection
SAML
Keystore Properties
Miscellaneous Services
Read-Only Properties
Installation
Deployment
Shared Secret
Session Properties
Simple Mail Transfer Protocol (SMTP)
Authentication
LDAP
SecurID
Unix
Security
SecureRandom
SocketFactory
Encryption
IP Address Checking
Remote Policy API
Policy
Federation
FQDN Map
Encryption Key

Appendix B   serverconfig.xml File
Overview
Proxy User
Admin User
server-config Definition Type Document
iPlanetDataAccessLayer Element
ServerGroup Element
Server Element
User Element
DirDN Element
DirPassword Element
BaseDN Element
MiscConfig Element
Failover Or Multimaster Configuration

Appendix C   WAR Files
Overview
Web Components
Packaging Web Components
WARs And Their Contents
console.war
password.war
services.war
Redeploying Modified WARs
BEA WebLogic Server 6.1
To Deploy console.war On WebLogic
To Deploy services.war on WebLogic
To Deploy password.war on WebLogic
Sun Java System Application Server 7.0
To Deploy console.war On Sun Java System Application Server
To Deploy services.war On Sun Java System Application Server
To Deploy password.war on Sun Java System Application Server
IBM WebSphere Application Server

Appendix D   Notification Service
Overview

Appendix E   Directory Server Concepts
Overview
Roles
Managed Roles
Definition Entry
Member Entry
How Access Manager Uses Roles
Role Creation
Role Location
Displaying The Correct Login Start Page
Access Control Instructions
Defining ACIs
iplanet-am-admin-console-role-default-acis
iplanet-am-admin-console-dynamic-aci-list
Format of Predefined ACIs
Default ACIs
Class Of Service
CoS Definition Entry
cosClassicDefinition
CoS Template Entry
Conflicts and CoS

Glossary

Index




Part No: 817-7649.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.