The Sun JavaTM System Access Manager 7.1 Client SDK package provides Access Management Java libraries for implementing stand-alone applications and web applications. You can use the Client SDK interfaces in your applications to take advantage of Access Manger services such as authentication, Single Sign-On (SSO), authorization, auditing and logging, user management, and Security Assertion Markup Language (SAML). The client SDK libraries communicate with Access Manager using XML (SOAP) over HTTP or HTTPS.
This chapter contains the following topics:
The Access Manager Client SDK is a streamlined version of the Access Manager SDK, and includes only the client-side classes and configuration properties you need to connect to Access Manager services. The Client SDK is contained in a smaller jar file, and eliminate the dependency on connections to Directory Server when developing and deploying client applications. The Client SDK and client applications communicate with the Access Manager server. Only the Access Manager server communicates directly with the Directory Server.
When you install the Access Manager server, the Client SDK is contained in the following file:
AccessManager-base/SUNWam/lib/amclientsdk.jar
The following table summarizes items included in the Client SDK.
Table 1–1 Contents ofAccessManager-base/SUNWam/amclientsdk.jar
File |
Description |
---|---|
README.clientsdk |
ASCII version of this chapter. Contains information on installing and using Access Manager client SDK. |
lib/amclientsdk.jar |
Client SDK for stand-alone applications. |
amclient.war |
Archive of Access Manager samples, web applications, and Javadoc. |
Makefile.clientsdk |
Defines objects and parameters for building sample properties, stand-alone samples and web applications. |
The Client SDK requires J2SE 1.4.2 .
Both amclientsdk.jar and servlet.jar are required in the CLASSPATH.
Before you can install the Access Manager Client SDK, the Access Manager server must be running on a remote server. You will also need to have ready the following information about the remote installation:
Protocol used by the web contain instance on which the Access Manager server is deployed.
Fully qualified domain name of the host on which Access Manager server is deployed.
Port on which the Access Manager server is running.
Deployment URI for the services web application (by default amserver).
Password encryption key used by the Access Manager server.
Two methods exist for installing the Client SDK. You can automatically install the Client SDK using the Java Enterprise System 5 installer, or you can manually deploy the Client SDK WAR file.
If you install the Access Manager Client SDK by running the Java Enterprise System 5 installer, you must choose the Access Manager Client SDK install option. For detailed information, see Chapter 10, Deploying the Client SDK, in Sun Java System Access Manager 7.1 Postinstallation Guide.
On the Windows platform, you must use the “Configure Manually After Installation” option in the Java Enterprise System 5 installer. For detailed information, see To Install and Configure the Access Manager Client SDK in Sun Java System Access Manager 7.1 Postinstallation Guide. The following is an overview of the steps you must follow
Invoke the Java Enterprise System 5 installer.
Configure and start the Web container.
Edit the file AccessManager-base\identity\setup\AMConfigurator.properties.
See To Install and Configure the Access Manager Client SDK in Sun Java System Access Manager 7.1 Postinstallation Guidefor detailed information.
Run the amconfig.bat command:
# AccessManager-base\identity\setup\amconfig.bat
The following is an overview of the steps you must follow. For detailed information, see Chapter 10, Deploying the Client SDK, in Sun Java System Access Manager 7.1 Postinstallation Guide.
Invoke the JES installer.
Select the web container (Web Server or Application Server) and Access Manager client SDK.
Choose "Configure Now.”
Answer the questions provided by the installer.
After the installation is complete, restart the web container.
The third party web container should already be installed and started.
The following is an overview of the steps you must follow. For detailed information, see Chapter 10, Deploying the Client SDK, in Sun Java System Access Manager 7.1 Postinstallation Guide.
Invoke the JES installer.
Select Access Manager client SDK.
Choose "Configure Later."
After the installation, edit the amsamplesilent file.
Run amconfig with the edited amsamplesilent file.
After the configuration is complete, restart the web container.
The Access Manager server which will be used by the client SDK must be up and running, and you must know the URL for accessing this server.
The machine where the client SDK will be installed must have an Access Manager supported web container installed. Examples of Access Manager supported web containers are Sun Java System Web Server 6.1 sp5, Sun Java System Application Server 8.1, BEA WebLogic Server 8.1 sp4, and IBM Websphere Application Server 5.1.1.5.
The web container instance on which the client SDK will be deployed must be up and running.
The client SDK machine must have access to the Access Manager client SDK package SUNWamclnt through the Java Enterprise System 5 bits or through some other means.
Create a package administration file.
Using a text editor, add the following contents to this file.
mail= instance=unique partial=nocheck runlevel=nocheck idepend=nocheck rdepend=nocheck space=nocheck setuid=nocheck conflict=nocheck action=nocheck basedir=ClientSDK-base-directory
In this example, the package administration file is named /usr/tmp/pkgadmin.
The value for basediris the directory in which you want to install the Access Manager client SDK.
Create a package response file named /usr/tmp/pkgresp.
Using a text editor, place the following three lines (a single y on each line) in this file.
y y y
In the Access Manager package directory, use the pkgadd utility to install the SUNWamclnt package:
cd JES5-Image-root/OperatingSystem-Architecture/Product/identity_svr/Packages
pkgadd -n -a /usr/tmp/pkgadmin -d . -r /usr/tmp/pkgresp -R / SUNWamclnt
In the directory in which you installed the Access Manager client SDK package, make a copy of the file Makefile.clientsdk.
The directory in which you installed the Access Manager client SDK package should be the same as the value you used for basedir in the package administration file in step 1a.
cd ClientSDK-base-directory/SUNWam
cp Makefile.clientsdk Makefile.clientsdk.orig
cd ClientSDK-base-directory/identity
cp Makefile.clientsdk Makefile.clientsdk.orig
In Makefile.clientsdk, edit the following parameters:
Use the following path: /usr/jdk/entsys-j2se
The fully-qualified domain name of the Access Manager server.
If the Access Manager server is SSL-enabled, change this value to HTTPS.
The port number on which the Access Manager server is running.
This value must be the same value used for the Access Manager server. You can obtain the value by running one of the following commands on the Access Manager server:
grep pwd /etc/opt/SUNWam/config/AMConfig.properties
grep pwd /etc/opt/sun/identity/config/AMConfig.properties
(Optional) If you don't want the debug logs stored in the tmp directory, then change this value to the directory where you want debug logs to be created.
Run the make or gmake command:
make -f Makefile.clientsdk
This step generates a sample properties file in the directory temp, standalone samples in the directory clientsdk-samples and a deployable war file, amclientwebapps.war.The following table summarizes the items included in the WAR file.
File |
Description |
---|---|
index.html |
Instructions for installing and using the Client SDK packages |
WEB-INF/web.xml |
Client SDK for stand-alone applications |
WEB-INF/classes/AMClient.properties |
Archive of Access Manager samples, web applications, and Javadoc |
WEB-INF/classes/*.classes |
File for building stand-alone samples and web applications |
WEB-INF/docs |
Javadoc (Public Client SDK APIs) |
WEB-INF/samples |
Sample stand-alone programs |
WEB-INF/webapps |
Sample web applications |
Create a deployment directory for amclientwebapps.war.
mkdir -p ClientSDK-base-directory/SUNWam/web-src/clientsdk
mkdir -p ClientSDK-base-directory/identity/web-src/clientsdK
On the web container instance where you want to use the Access Manager client SDK, deploy the amclientwebapps.war file. See the following examples:
Use the wdeploy command to deploy amclientwebapps.war with a URI of /amcilentwebapps on the Web Server instance https-clientSDKinstance. Example:
WebServer-base-directory/bin/https/httpadmin/bin/wdeploy deploy -u /amclientwebapps -i https-clientSDKinstance -v https-clientsdkinstance -d ClientSDK-base-directory/SUNWam/web-src/clientsdk clientSDK-base-directory/SUNWam/amclientwebapps.war
Using the asadmin command to deploy amclientwebapps.war with a URI of /amclientwebapps on the application server instance clientsSDKinstance. Example:
ApplicationServer-base-directory/appserver/bin/asadmin deploy -user Admin-User-ID --host ApplicationServer-instanceHost --port ApplicationServer-Admin-Port --contextroot amclientwebapps -name amcilentwebapps -target clientSDKinstance ClientSDK-base-directory/SUNWam/amclientwebapps.war
Be sure to use the fully qualified host name for ApplicationServer-instanceHost.
Enter the Application Server administration password when prompted.
Using the asadmin command to deploy amclientwebapps.war with a URI of /amclientwebapps on the application server instance clientsSDKinstance. Example:
ApplicationServer-base-directory/bin/asadmin deploy -user Admin-User-ID --host ApplicationServer-instanceHost --port ApplicationServer-Admin-Port --contextroot amclientwebapps -name amcilentwebapps -target clientSDKinstance ClientSDK-base-directory/SUNWam/amclientwebapps.war
Be sure to use the fully qualified host name for ApplicationServer-instanceHost.
Enter the Application Server administration password when prompted.
If you are deploying the client SDK on a third-party web container such as BEA WebLogic Server or IBM WebSphere Application Server, then see the documentation that comes with that product.
Restart the web container instance on which the Access Manager client SDK was deployed.
If the full server instance being accessed by the client SDK is SSL-enabled, then you must install the root CA certificate of the server's certificate in the web container's JVM-wide cacerts keystore. Alternatively, you can create a keystore on the client SDK machine to contain the server's root CA certificate. Then add the necessary JVM options to the client SDK's web container instance to locate the newly created keystore.
Before Access Manager Client SDK can communicate with Access Manager Server, you must initialize some properties in the client SDK. You can set these properties in one of three ways:
Access Manager properties are contained in the AMConfig.properties file. Generate the AMConfig.properties for the Client SDK by running the following command:
# make -f Makefile.clientsdk properties
The following sections describe the properties expected by the Access Manager Client SDK. A client application deployed within a servlet container can register for changes to session, user attributes and policy decisions. These properties must be set to receive such notifications.
This is a required property. The value of this property represents the URL where the Client SDK would retrieve the URLs of Access Manager internal services. This is the URI for the Naming Service. Example:
com.iplanet.am.naming.url=http://AcceessManager-HostName.domain_name:port/amserver/namingservice
This property can be used by any remote SDK application that wants failover in, for example, session validation or getting the service URLs. Example:
com.iplanet.am.naming.failover.url=http://AcceessManager-HostName.domain_name: port/amserver/failover
Specifies the debug level. Possible values are levels are: off, error , warning, or message.
The value of this property is the output directory for the debug information. This directory should be writable by the server process. Example:
com.iplanet.services.debug.directory=/var/opt/SUNWam/debug
The value of this property is the URI of the Notification Service running on the host machine where you installed the Client SDK. Example:
com.iplanet.am.notification.url= http://clientSDK_host.domain_name:port/amserver/notificationservice |
Enables or disables notifications for remote policy API. Example:
com.sun.identity.agents.notification.enabled=false
Defines the notification URL for remote policy API.
Reads configuration data. Example:
com.sun.identity.agents.app.username=APPLICATION_USER
Reads configuration data. Example:
com.iplanet.am.service.password=APPLICATION_PASSWD
Contains the encrypted value of the password. . Example:
com.iplanet.am.service.secret=ENCRYPTION_KEY
This key is needed to decrypt passwords stored in the SMS configuration. Example:
am.encryption.pwd=ENCRYPTION_KEY
Encryption key that will be used to encrypt and decrypt data used locally within the client. Example:
com.sun.identity.client.encryptionKey=ENCRYPTION_KEY_LOCAL
Property to set JCE as the default encryption classes.
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
Cache update time (in minutes) for service configuration data if notification URL is not provided. Example:
com.sun.identity.sm.cacheTime=1
Cache update time (in minutes) for user management cache if notification URL is not provided. Example: com.iplanet.am.sdk.remote.pollingTime=1
Server protocol to be used by Authentication Service. Example:
com.iplanet.am.server.protocol=SERVER_PROTOCOL
Server host to be used by Authentication Service. Example:
com.iplanet.am.server.host=SERVER_HOST
Server port to be used by Authentication Service. Example:
com.iplanet.am.server.port=SERVER_PORT
Indicates the Access Manager cookie name. Example:
com.iplanet.am.cookie.name=AM_COOKIE_NAME
Example:
com.iplanet.am.session.client.polling.enable=true
Example:
com.iplanet.am.session.client.polling.period=180
Identifies the certificate database directory path for initializing the JSS Socket Factory when the Access Manager web container is configured for SSL. Example:
com.iplanet.am.admin.cli.certdb.dir= CONTAINER_CERTDB_DIR |
Identifies the certificate database password file for initializing the JSS Socket Factory when the Access Manager web container is configured for SSL. Example:
com.iplanet.am.admin.cli.certdb.passfile= BASEDIR/PRODUCT_DIR/config/.wtpass |
Identifies the certificate database prefix for initializing the JSS Socket Factory when the Access Manager web container is configured for SSL. Example:
com.iplanet.am.admin.cli.certdb.prefix= CONTAINER_CERTDB_PREFIX |
Specifies file name for the policy decision log file. Example:
com.sun.identity.agents.server.log.file.name=amRemotePolicyLog
Possible values for policy decision logging level are NONE, ALLOW, DENY, BOTH, and DECISION.
Enables Notification URL for updating cache. Default value is false.
Specifies use of Notification URL for updating cache. Example:com.sun.identity.agents.notification.url=NOTIFICATION_URL
Cache time in minutes. Example:
com.sun.identity.agents.polling.interval=3
Information to cache. Possible value are subtree or self.
Define and set this property to false if you do not want to use Boolean values. The default value is true if the property is not defined.
Explicitly disables Java Enterprise System (JES) monitoring services in the sample client applications.
If you want to use a remote instance of the Client SDK, set the value of this property as follows:
com.iplanet.amsdk.package=remote |
The default value is ldap if the property is not defined.
The following properties are used to configure interactions in a federated environment. These properties are not automatically generated and placed in the AMConfig.properties file when you run the make -f Makefile.clientsdk properties command. You must manually add the properties to the file as needed.
Supported SOAP actors. Each actor must be separated by a pipe (|). Example:
com.sun.identity.liberty.ws.soap.supportedActors= http://schemas.xmlsoap.org/soap/actor/next |
Indicates the URL for WSPRedirectHandlerServlet to handle Liberty the WSF web service provider-resource owner. Interactions are based on user agent redirects. The servlet should be running in the same JVM where the Liberty service provider is running.
Indicates whether the web service client should participate in an interaction. Valid values are interactIfNeeded | doNotInteract | doNotInteractForData . Default value is interactIfNeeded. Default value is used if an invalid value is specified.
Indicates whether the web service client should include userInteractionHeader. Valid values are yes and no (case ignored). Default value is yes. Default value is used if no value is specified.
Indicates whether the web service client will redirect user for an interaction. Valid values are yes and no. Default value is yes. Default value is used if no value is specified.
Indicates the web service client preference for acceptable duration (in seconds) for an interaction. If the value is not specified or if a non-integer value is specified, then the default value is 60.
Indicates whether the web service client enforces that redirected to URL is HTTPS. Valid values are yes and no (case ignored). The Liberty specification requires the value to be yes. Default value is yes. Default value is used if no value is specified.
Indicates whether the web service provider redirects the user for an interaction. Valid values are yes and no (case ignored). Default value is yes. Default value is if no value is specified.
Indicates whether the web service provider redirects the user for an interaction for data. Valid values are yes and no. Default value is yes. If no value is specified, the value is yes.
Web service provider expected duration (in seconds) for an interaction. Default value if the value is not specified or is a non-integer value is 30.
Indicates whether the web service client enforces that returnToURL is HTTP. Valid values are yes and no (case ignored). Liberty specification requires the value to be yes. Default value is yes. If no value is specified, then the value used is yes.
Indicates whether the web services client enforces that returnToHost and requestHost are the same. Valid values are yes and no. Liberty specification requires the value to be yes.
Indicates the path to the style sheet used to render the interaction page in HTML.
Indicates the path to the style sheet used to render the interaction page in WML.
Example: com.sun.identity.liberty.interaction.wmlStyleSheetLocation=/opt/SUNWam/lib/is-wml.xsl
Default value is false.
Used by the web services provider to determine the plug-in that will be used to store the configuration.
Example: com.sun.identity.wss.provider.config.plugin=com.sun.identity.wss.provider.plugins.AgentProvider
Used by the web services clients in ClientSDK mode. Example:
com.sun.identity.loginurl=https://hostName:portNumber/amserver/UI/Login
Indicates the Liberty authentication service URL.
Used to determine which version of the Liberty identity web services framework is to be used when the framework can not determine from the inbound message or from the resource offering. This property is used when Access Manager is acting as the web service client. The default version is 1.1. The possible values are 1.0 or 1.1.
Value is set during installation. Client certificate alias that will be used in SSL connection for Liberty SOAP Binding.
Default value is 60000. Specifies the number of milliseconds to elapse before cache cleanup events begin. Each message is stored in a cache with its ownmessageID to avoid duplicate messages. When a message's current time less the received time exceeds thestaleTimeLimit value, the message is removed from the cache.
Default value is 300000. Determines if a message is stale and thus no longer trustworthy. If the message timestamp is earlier than the current timestamp by the specified number of milliseconds, the message the considered to be stale.
Value is set during installation. Specifies default certificate alias for issuing web service security token for this web service client.
Value is set during installation. Specifies certificate aliases for trusted CA. SAML or SAML BEARER token of incoming request. Message must be signed by a trusted CA in this list. The syntax is cert alias 1[:issuer 1]|cert alias 2[:issuer 2]|..... Example: myalias1:myissuer1|myalias2|myalias3:myissuer3. The value issuer is used when the token doesn't have a KeyInfo inside the signature. The issuer of the token must be in this list, and the corresponding certificate alias will be used to verify the signature. If KeyInfo exists, the keystore must contain a certificate alias that matches the KeyInfo and the certificate alias must be in this list.
You can set properties in a properties file and then provide a path to it at runtime. The properties files must be in the CLASSPATH. The default properties file name is AMConfig.properties and is always read at start-up.
Generate a sample AMConfig.properties by running the following command:
make -f Makefile.clientsdk properties
The AMConfig.properties will be present in the temp directory.
Edit properties to suit your environment.
At runtime, if the file name is different from AMConfig, provide the file name (without the .properties extension) and path. The path should be in the CLASSPATH by declaring the JVM option:
-Damconfig=filname
The ClientSDK properties can also be set programmatically using the class: com.iplanet.am.util.SystemProperties. See the following example.
import com.iplanet.am.util.SystemProperties; import java.util.Properties; public static void main(String[] args) { // To initialize a set of properties Properties props = new Properties(); props.setProperty(”com.iplanet.am.naming.url’, ”http://sample.com/amserver/namingservice’); props.setProperty(”com.sun.identity.agents.app.username’, ”amAdmin’); props.setProperty(”com.iplanet.am.service.password’, ”11111111’); SystemProperties.initializeProperties(props) ; // To initialize a single property SystemProperties.initializeProperties(“com.iplanet.am.naming.url’, ”http://sample.com/amserver/namingservice’); // Application specific code ... } |
You can set properties one at a time. For example, you can declare the following JVM option at run time to assign a value to a particular property:
-DpropertyName=propertyValue
Some of the Access Manager components such as SAML, User Management, Policy, require an identity for the client. The client application reads configuration data to identify the client. You can set up the identity for the client in one of two ways:
Set username and password properties can be authenticated
Set an SSO Token Provider
Some of the configuration attributes (such as password) are encrypted and stored in the data store as an Encryption/Decryption Key. If such attributes have to be decrypted by the client, the property must be set, and must be the same as that of the Access Manager Server.
This value is generated at installation time and stored in the following file:
/etc/opt/SUNWam/config/AMConfig.properties
/etc/opt/sun/identity/AMConfig.properties
AccessManager-base\identity\config\AMConfig.properties
/etc/opt/sun/identity/config/AMConfig.properties
The following properties can be used to set the username and password that can be used by client SDK to obtain the configuration parameters. The authenticated username should have permissions to read the configuration data for SAML and User Management.
The property to provide the user name is: com.sun.identity.agents.app.username
The property to provide the plain text password is: com.iplanet.am.service.password
For scenarios where plain text password would be security concern, an encrypted password can be provided using the property: com.iplanet.am.service.secret.
If an encrypted password is provided, the encryption key must also be provided using the property: am.encryption.pwd.
Set the following property: com.sun.identity.security.AdminToken
This provides an implementation for the interface, which returns the following single sign-on (SSO) token: com.sun.identity.security.AppSSOTokenProvider.
The Client SDK package contains Makefile.clientsdk that you can use to generate and build samples and web applications. The makefile defines targets to build configuration properties, samples and web applications.
Use these steps a template for building their identity-enabled web applications.
Install the Client SDK.
Copy servlet.jar to lib directory.
Run the stand-alone application.
Change directory to respective components within clientsdk-samples. Each has a Readme.html file explaining the changes to done and a Makefile to rebuild and run the program.
For web deployment, amclientwebapps.war is ready to be deployed. However, you can make changes in clientsdk-webapps directory and the war file can be recreated.
Custom web applications can use the following as a template to build their identity enabled web application.
properties: Generates AMConfig.properties in the temp directory that can used as a template for setting AM SDK’s properties
samples: Copies standalone samples and corresponding Makefiles to samples directory.
webapp: Generates amclientwebapps.war that can be deployed on any Servlet 2.3 compliant web container.
Sample files are included in the Client SDK. These demonstrate how to write stand-alone programs and how to write web applications. After you deploy the Client SDK using either the Java ES installer or the amconfig script with DEPLOY_LEVEL=9, the Client SDK samples are available in the following directory:
AccessManager-base/SUNWam/war/
AccessManager-base/identity/war/
AccessManager-base\identity\war\
|
The subdirectory clientsdk-samples includes samples for authentication, logging, policy and SAML stand-alone programs. The subdirectoryclientsdk-webapps includes samples for user management, service management, and policy programs. Each sample has a Readme.html file with instructions on compiling and running the sample program.
If the client program receives a “New Generic Exception” message, one possible cause is that the session has expired. As a workaround, you can increase values of the Session Idle Timeout and Max Session Time attributes. In the Access Manager administration console, click Configuration > Global > Session. See "Maximum Session Time" and "Maximum Idle Time" in the section Resulting Behavior If Session Quota Exhausted in Sun Java System Access Manager 7.1 Administration Reference for attribute descriptions.
When attempting to authenticate against Access Manager, if the client program receives a “NullPointerException” message, one possible cause is that the client identity username, secret, or password properties are not set correctly. For more information, see Security Credentials Properties and Using the Java API.