Sun Java System Access Manager 7 2005Q4 Deployment Planning Guide

Configuring Access Manager for Session Failover

To configure Access Manager for session failover, follow these steps:

Each step is described in detail in the following sections.

To determine if session failover is enabled for a deployment, change the property from error to message in the file. Then, check the amSession logs in the /var/opt/SUNWam/debug directory on Solaris systems or the /var/opt/sun/identity/debug directory on Linux systems.

1–Disable Cookie Encoding

On each host server that is running an Access Manager instance, disable cookie encoding:

The Access Manager client should not do any cookie encoding or decoding. A remote SDK client must be in sync with the Access Manager server side settings, either in the file or the web container’s sun-web.xml file.

2–Edit the Web Container server.xml File

On each host server that is running an Access Manager instance, add the installed locations of imq.jar and jms.jar in the server.xml (or equivalent) configuration file for the Access Manager web container. For example, on Solaris systems:

<JAVA javahome="/usr/jdk/entsys-j2se" serverclasspath=

3–Add a New User in the Message Queue Server

If you don’t want to use the guest user as the Message Queue user name and password, add a new user and password to connect to the Message Queue broker on servers where Message Queue is installed. For example, on Solaris systems, to add a new user named amsvrusr:

# /usr/bin/imqusermgr add -u amsvrusr -p password

Then, make the guest user inactive by issuing the following command:

# /usr/bin/imqusermgr update -u guest -a false
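
To confirm the result of this step on each broker host, the following added example (not part of the original guide) checks a user listing for an active guest account and for the new service user. It assumes the three-column layout (user name, group, active state) that imqusermgr list prints; the sample listing is constructed.

```shell
#!/bin/sh
# Added example: audit a Message Queue user listing after step 3.
# Assumption: data rows have three whitespace-separated columns
# (user name, group, active state), as `imqusermgr list` prints.

# audit_mq_users SERVICE_USER   (listing on stdin)
# Prints one finding per line; exit status is 0 only when there are none.
audit_mq_users() {
    awk -v svc="$1" '
        # Data rows only: three fields, the last one true or false.
        NF == 3 && ($3 == "true" || $3 == "false") { state[$1] = $3 }
        END {
            bad = 0
            if (("guest" in state) && state["guest"] == "true") {
                print "FAIL guest account is still active"; bad = 1
            }
            if (!(svc in state)) {
                print "FAIL user " svc " not found"; bad = 1
            } else if (state[svc] != "true") {
                print "FAIL user " svc " is inactive"; bad = 1
            }
            exit bad
        }'
}

# Constructed sample listing (not captured from a real broker).
sample_listing() {
    cat <<'EOF'
User repository for broker instance: imqbroker
----------------------------------------
User Name    Group        Active State
----------------------------------------
admin        admin        true
amsvrusr     user         true
guest        anonymous    false
EOF
}

# On a broker host: /usr/bin/imqusermgr list | audit_mq_users amsvrusr
sample_listing | audit_mq_users amsvrusr && echo "user audit passed"
```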

4–Edit the amsessiondb Script (if Needed)

The amsessiondb script is called by the amsfo script to start the Berkeley DB client (amsessiondb), create the database, and set specific database values. The script contains variables that specify various default paths and directories:


If any of these components are not installed in their default directories, edit the amsessiondb script and set the variables, as needed, to the correct locations.

5–Run the amsfoconfig Script

Access Manager 7 2005Q4 provides the amsfoconfig script to configure an Access Manager deployment for session failover.

Requirements to Run the amsfoconfig Script

To run the amsfoconfig script, an Access Manager deployment must meet the following requirements:

Functions of the amsfoconfig Script

The amsfoconfig script reads the amsfo.conf configuration file and then configures an Access Manager deployment for session failover by performing these functions:

The following table lists the Access Manager session failover scripts and configuration files.

Table 6–2 Access Manager Session Failover Scripts and Configuration Files

Description and Location

Script to configure Access Manager for session failover.
    Solaris systems: AccessManager-base/SUNWam/bin
    Linux systems: AccessManager-base/identity/bin

Script to start and stop the Message Queue broker and amsessiondb client.
    Solaris systems: AccessManager-base/SUNWam/bin
    Linux systems: AccessManager-base/identity/bin

Script to generate the encrypted Message Queue broker user password.
    Solaris systems: AccessManager-base/SUNWam/bin
    Linux systems: AccessManager-base/identity/bin

Session failover configuration file.
    Solaris systems: AccessManager-base/SUNWam/lib
    Linux systems: AccessManager-base/sun/identity/lib

Session failover environment file.
    Solaris systems: /etc/opt/SUNWam/config
    Linux systems: /etc/opt/sun/identity/config

AccessManager-base represents the base installation directory for Access Manager. The default values are:

Solaris systems: /opt

Linux systems: /opt/sun

Running the amsfoconfig Script

To run the amsfoconfig script to configure Access Manager for session failover, follow these steps.

  1. Log in as or become superuser (root).

  2. Set the variables in the amsfo.conf file, as described in Table 6–3.

  3. Run the script. For example, on a Solaris system with Access Manager installed in the default directory:

    # cd /opt/SUNWam/bin 
    # ./amsfoconfig

    The script displays status information as it runs.

  4. When the amsfoconfig script prompts you, enter the following passwords:

    • Access Manager administrator (amAdmin) password

    • Message Queue broker user password

  5. To check the results, see the /var/tmp/amsfoconfig.log file.

The following table describes the variables in the amsfo.conf file that are used by the amsfoconfig script. Set these variables as needed for your deployment before you run the amsfoconfig script.

Table 6–3 Variables in the amsfo.conf File Used by the amsfoconfig Script




Message Queue broker list participating in the cluster. The format is:  


For example:,,

There is no default.  


Port for the load balancer. The default is 80.  


Protocol (http or https) used to access the load balancer. The default is http.


Name of the load balancer.  

For example:


Identifier for the new site (and the load balancer) that the amsfoconfig script will create.

SiteID can be any value greater than the Server IDs that already exist in the platform server list.

The default is 10. 
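
A pre-flight check of the load balancer values described in Table 6–3, as an added example that is not part of the original guide. The function and parameter names are hypothetical, the URL|ID entry layout is assumed from the |01 and |02 suffixes in the sample run, and the host names are constructed.

```shell
#!/bin/sh
# Added example: validate load balancer values before running amsfoconfig.
# Assumption: platform server list entries look like URL|ID.

# check_failover_settings PROTOCOL PORT SITE_ID   (server list on stdin)
# Prints findings; returns 0 only if every check passes.
check_failover_settings() {
    proto=$1 port=$2 site=$3 rc=0
    case $proto in
        http|https) ;;
        *) echo "FAIL protocol '$proto' is not http or https"; rc=1 ;;
    esac
    case $port in
        ''|*[!0-9]*) echo "FAIL port '$port' is not numeric"; rc=1 ;;
        *) if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
               echo "FAIL port $port is out of range"; rc=1
           fi ;;
    esac
    case $site in
        ''|*[!0-9]*) echo "FAIL SiteID '$site' is not numeric"; return 1 ;;
    esac
    # awk reads "08" as decimal 8; shell $(( )) would reject it as octal.
    awk -F'|' -v site="$site" '
        NF == 2 && $2 ~ /^[0-9]+$/ { if ($2 + 0 > max) max = $2 + 0; n++ }
        END {
            if (n == 0) { print "FAIL no server IDs found in list"; exit 1 }
            if (site + 0 <= max) {
                printf "FAIL SiteID %d is not greater than server ID %d\n", site, max
                exit 1
            }
        }' || rc=1
    return $rc
}

# Constructed platform server list for a two-server deployment.
sample_server_list() {
    printf '%s\n' 'http://am1.example.com:80|01' 'http://am2.example.com:80|02'
}

sample_server_list | check_failover_settings http 80 10 && echo "settings OK"
```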

amsfoconfig Script Sample Run

The following example shows a sample run of the amsfoconfig script.

Welcome to Sun Java System Access Manager 7 2005Q4

Session Failover Configuration Setup script.
Checking if the required files are present...

Running with the following Settings.
Environment file: /etc/opt/SUNWam/config/amProfile.conf
Resource file: /opt/SUNWam/lib/amsfo.conf
Using /opt/SUNWam/bin/amadmin

Validating configuration information.

Please enter the LDAP Admin password: 
(nothing will be echoed): password1
Verify: password1
Please enter the JMQ Broker User password: 
(nothing will be echoed): password2
Verify: password2

Retrieving Platform Server list...
Validating server entries.

Retrieving Site list...
Validating site entries.

Validating host:|02
Validating host:|01

Creating Platform Server XML File...
Platform Server XML File created successfully.

Creating Session Configuration XML File...
Session Configuration XML File created successfully.

Creating Organization Alias XML File...
Organization Alias XML File created successfully.

Loading Session Configuration schema File...
Session Configuration schema loaded successfully.

Loading Platform Server List File...
Platform Server List server entries loaded successfully.

Loading Organization Alias List File...
Organization Alias List loaded successfully.

Please refer to the log file /var/tmp/amsfoconfig.log for additional
Session Failover Setup Script. Execution end time 10/05/05 13:34:44