�� 5 �� ޲z

��y�z Sun Java™ System Access Manager 6 2005Q1 ��޲z�\��CAccess Manager ��޲z��ѥ\�঳�G��h�޲z��γ��h��޲z��˵�B�إߡB�R��M�ק�i�b�Ҧ��´��ϥΪ��S�w�A�Ȫ��C�]��´�Τl��´�޲z��ε��޲z��˵�B�إߡB�R��M�ק�Ӳ�´�S�w�γ~��C

²��

���|�w�q�W�h�A�H��w��´�O�@�귽��s��v��C��q�֦��ݭn�O�@�B�޲z�M�ʵ�귽�B3�ε{��M�A�ȡC��z�L�w�q�ϥΪ̹�S�w�귽��ʪ��ɾ�M��k�A��s��v��H�γo�Ǹ귽��γ~�C��M�ε��쪫��W�ɡA�i�w�q�S�w��i�H�s��귽�C


�Ƶ�	��󬰥D��C�D��i�H�O��@�Ӿ֦��B��q�B��θs�աC��L��T�A�аѾ\�uJava™ 2 Platform Standard Edition Javadocs�v�C

��@��i�H�w�q�G�i��ΫD�G�i��M��C�G�i��M�� yes/no�Btrue/false �� allow/deny�C�D�G�i��M��N��ݩʭȡC�Ҧp�A�l��A�ȥi��]�t�@�� mailboxQuota �ݩʡA�C�ӨϥΪ֦̾��̤j�x�s�ȶ��C�@��ӻ��A��O�t�m��w�q��i�H�b��򱡪p�U��@�Ӹ귽�i�椰��ʧ@�C

��޲z�\��

��޲z�\�ണ�ѫإߥH�κ޲z����A���C��A�ȴ��Ѻ޲z��w�q�B�ק�B��o�B��ΧR��v��A�H�O�@�b Access Manager �t�m��귽�C�q�`�A��A�ȥ]�t��x�s�B�i�ѫإߡB�޲z�ε��Ϊ��{��w�A�H�ε��{����N�z�{���CAccess Manager �ϥ� Sun Java System Directory Server �@��x�s�A�ô�� Java �H�� C API �@��H�ε��A�Ȧۭq�C(��L��T�аѾ\�uAccess Manager Developer’s Guide�v) �t�i�Ѻ޲z��ϥ� Access Manager �D��x�i�浦��޲z�CAccess Manager ��Ѥ@�ӵ��A�ȡA�Y URL ��N�z�{��A�ȡA�ϥΥi�U��N�z�{��H��浦��C

URL ��N�z�{��A��

��~�AAccess Manager �� URL ��N�z�{��A�ȥH��浦��C��A�ȥi�Ѻ޲z��z�L��{����N�z�{���إߤκ޲z��C

��N�z�{��

��N�z�{��x�s��~�귽��A��u��I (PEP)�v�C��N�z�{��P Access Manager �w�˦b��P�� Web ��A��W�A�B��ϥΪ̵o�X��O�@�� Web ��A��W��귽��ШD�ɡA�@��@��B�~��{�ҨB�J�C��{�Ҧb��귽��ϥΪ̻{�ҽШD��~�C��N�z�{��O�@��A��A�ø귽�̧Ǩ��{�ҥ~��{��O�@�C

�Ҧp�A��ݦw�˪� Access Manager �O�@��H�O�귽��A��i��w�w�ˤ@�ӥN�z�{��C��N�z�{��i�H��S��A�?��H��˵��K�~��T�Ψ�L�ӷP��ơC�� Access Manager �޲z��w�q�A�x�s�b Access Manager �t�m��B�ѵ��N�z�{��ϥΡA�H�K��\�Ωڵ��ϥΪ̦s�� Web ��A��e�C

�̷s�� Sun Java System Access Manager ��N�z�{��i�H�q Sun Microsystems �U��U��C


�Ƶ�	�H�@�붶�ǵ��A��b��ɡA�p�G�@�Ӱʧ@�ȵ�� deny�A�h��򵦲��A��D��t�m�A�Ȥ��w�g�ҥ� [��^�M��~��] �ݩʡC�p�ݧ�h��T�A�аѾ\��t�m�A��ݩ��C

��N�z�{��Ȱ��b�� URL (http://...) �W��M��C��L�A�i�H�ϥ� Java �M C Policy Evaluation API �s�g�N�z�{��A�H�b��L�귽�W��浦��C

��~�A��t�m�A�Ȥ�� [�귽��{��] �i��]�ݭn�q�w�]�t�m�ܧ󬰡G

serviceType=Name_of_LDAPService|class=com.sun.identity.policy.plugins.SuffixResourceName|wildcard=*|delimiter=,|caseSensitive=false

�Ϊ̡A�� LDAPResourceName �H��I com.sun.identity.policy.interfaces.ResourceName�A�Υ��T�t�m [�귽��{��] �]�i�H�C

��N�z�{��{��

��s��ШD�@�Ӿn�d�b��N�z�{��O�@��A�� URL �ɡA�O�@��귽��{�ǧY�}�l�C�w�˵��N�z�{��A��I��ӽШD�A��ˬd�{��{�Ҿ�� (�@�Ӷ��q�@�~�O��)�C

�p�G�N�z�{��I��ШD��Ҳ{��q�@�~�O��A�N��`�U�C�{�ǡC


�Ƶ�	[�귽��{��] ��컡��t�m�A��ݩ��C

�p�G��q�@�~�O��ġA��\�Ωڵ��ϥΪ̦s��C�p�G�O��L�ġA�ϥΪ̶ȭ��{�ҪA�ȡA�p�U�C�B�J�ҭz�C

�{�ҪA�ȥi��Ҿ��ҥ禳�Ĩõo��@�ӰO��C

�@��ϥΪ̾��Ҹg�A��{�ҡA�N�z�{�� [�R�W�A��] �o�X�@�ӽШD�A��A�ȩw�q�ΨӦs�� Access Manager ��A�Ȫ� URL�C

�R�W�A�ȶǦ^��A�Ȫ��w�쾹�A�N�z�{��ﵦ��A�ȵo�X�ШD�A�H��o�A�ΨϥΪ̪��M��C

��s��귽��M��A�M�w�ϥΪ̬O�_�i�H�s��C�p�G��M��ĳ��P��{�Ҽh�ũλ{�Ҿ��A�N�z�{��N��s�ɦV�ШD��{�ҪA�ȡA��ҩҦ��ǫh��C

��]�N�z�{��I��@�ӨS��{�s��q�@�~�O��ШD�A�N�z�{��N��s�ɦV�ϥΪ̨�w�]��n�J��A��׸Ӹ귽�O�_�w�g�ϥΤ��P��{�Ҥ�k�O�@�C


�Ƶ�	��D��귽�{�ҥH�ΨϥΪ̻{�Ҭ��P��{��C�p�ݦ��@�~��A�аѾ\��Ǹ귽�޲z�C

��

�ϥ� Access Manager �t�m��ءG�@���Ѧ���C�@�뵦���W�h�B�D��P��զ��C�Ѧҵ��Ѳ�´���W�h�P�Ѧ��զ��C

�@�뵦��

�b Access Manager ��A�w�q�s��v��O���@����C�@�뵦���W�h�B�D��P��զ��C

�W�h

�W�h�]�t�@�Ӹ귽�B�@�Φh�Ӱʧ@�A�H�Τ@�ӭȡC�򥻤W�A�W�h�w�q��C

�귽�w�q��O�@��S�w��F�Ҧp�@�ӨϥΤH�O�귽�A�Ȧs�� HTML ��ΨϥΪ��~��T�C

�ʧ@��@��i�H�b�귽�W��檺�@�~��W�١F��A��ʧ@�d�Ҧ� POST �� GET�C�H�O�귽�A�Ȥ��\��ʧ@�i��O canChangeHomeTelephone�C

��w�q�ʧ@��v��A�Ҧp��\�Ωڵ��C



�Ƶ�	�b�S��귽��p�U�A�w�q�ʧ@�O�i��C

�D��

�D���w�q��v�T��ϥΪ̡A�ΨϥΪ̶��X (�p�@�Ӿ֦��S�w��⪺�s��)�C��w�D��쵦��C�D��@��h�O�A�u��ϥΪ̬��ܤ֤@�ӥD��ɡA��~�A�ΡC�w�]�D��G

�ϥΪ̤w�g�L�{��

Access Manager��

LDAP �s��

LDAP ��

LDAP �ϥΪ�

��´

Web �A�ȥΤ��

Access Manager ��P LDAP ��

Access Manager��O�ϥ� Access Manager �إߪ��C�o�Ǩ��㦳 Access Manager �U�ު��O�CLDAP ��O�ϥ� Directory Server ��\��w�q��󨤦�C�o�Ǩ��㦳 Directory Server ��w�q�U�ު��O�C�Ҧ� Access Manager �i�Χ@ Directory Server ��C��L�A�Ҧ� Directory Server ��⤣�@�w�O Access Manager ��CLDAP ��i�H�q�{��ؿ�z�L�t�m��t�m�A��ӨӡCAccess Manager ��ȥi�z�L�U�� Access Manager ��A�Ȧs��C�ѩ�s��O Access Manager SDK �P�֨�A�]��b Access Manager ��⤤��N��֡C�i�H�b��t�m�A�Ȥ��ק� LDAP ��j�M�z��A�H�Y�p�d��M�ﵽ�į�C

�_��

��

��󤹳\�z�w�q�ﵦ��C�Ҧp�A�p�G�z�b��~�z3�ε{��w�q��A�i�H�w�q�Ȧb�S�w�X�p�ɭ���ʧ@�s��3�ε{��C�Ϊ̡A�p�G�ШD�Ӧ۵��w IP ��}��Υ�~��A�i��Ʊ�w�q�Ȥ��\��ʧ@�s��C

��i��٥Ω�b�P�@��쪺��P URL ��t�m��P��C�Ҧp�Ahttp://org.example.com/hr/*jsp �ȥi�H�b�W�� 9 �ɦܤU�� 5 �ɤ�� org.example.net �s��A�� http://org.example.com/finance/*.jsp �i�H�b�W�� 5 �ɦܱߤW 11 �ɤ�� org.example2.net �s��C�t�X�ϥ� IP ��P�ɶ��N�i�H�F��o�@�ت��C�N�W�h�귽��w�� http://org.example.com/hr/*.jsp�A��|�M�Ω� http://org.example.com/hr �U��Ҧ� JSP (�]�A�l�ؿ� JSP)�C

��ĳ

�p�G�L�k�ھڱ�󪺨M�w�ӮM�ε��A��i��|��ͫ�ĳ�T��A��X�L�k�N��M�ΦܽШD��]�C�o�ǫ�ĳ�T��|�b��M��Ǽ�� [��I]�C[��I] �i�H�^��ĳ�A�ùxձĨ�A�?��ʡA�Ҧp�N�ϥΪ̭��s�ɦV�^�{�Ҿ��A�H�K�i��󰪼h�Ż{�ҡC�Ĩ��ĳ��A��ʫ�A��ۡA�ϥΪ̥i��|��󰪼h�Ż{�Ҫ��ܡA�u�n��ϥε��A�ϥΪ̥i��i�H�s��귽�C


�Ƶ�	�N�y�ѦҡB�W�h�B�귽�B�D��B��B�ʧ@�M�Ȥ'O��3 policy.dtd �� Referral�BRule�BResourceName�BSubject�BCondition�BAttribute �M Value�C

�p�G��ŦX��A�u�� AuthLevelCondiiton �M AuthSchemeCondition �|��ѫ�ĳ�C

�ۭq��]�|��ͫ�ĳ�C��O�AAccess Manager ��N�z�{��Ȧ^3�{�Ҽh�Ż{�ҩM�{�Һ�ث�ĳ�C�i�H�g�J�ۭq�N�z�{��A�ѤΦ^3��L��ĳ�A�Ӳ{�� Access Manager �N�z�{��i�H��A�ѤΦ^3��L��ĳ�C�p�ݧ�h��T�A�аѾ\��H�U��m��N�z�{��G

�Ѧҵ��

�޲z��i��ݭn�N�@�Ӳ�´��w�q�M�M��e�U��t�@�Ӳ�´�C(�Ϊ̡A�i�H�N�귽��M��e�U��L��~�C) �Ѧ���إ߻P��e�U�C��Ѥ@��Φh���W�h�P�@�өΦh���Ѧ��զ��C

�W�h

�Ѧ�

�Ѧҩw�q��b�ѦҪ��´�C�̹w�]�A��ѦҡG�P�Ų�´�P�l��´��̤'O�e�U��P�h�Ų�´�P�l�h�Ų�´�C�аѾ\��P�Ų�´�M�l��´�إߵ��A�H��o��h��T�C


�Ƶ�	�Q�ѦҲ�´�i�H�Ȭ��Ǥw�ѦҤF�Ӳ�´��귽 (�Τl�귽) �w�q�ε��C��O�A���A�Ω�ڲ�´�C

��w�q��

�@��إߨðt�m��A�i�H XML �榡�x�s�b Directory Server�C�� Directory Server ��AXML �s�X��x�s�b�@�B�C��M��O�ϥ� amadmin.dtd (�ΥD��x) �w�q�M�t�m�A��ڤW�O�H�ھ� policy.dtd �� XML �x�s�b Directory Server�Cpolicy.dtd �]�t�q amadmin.dtd (��t��إ߼��) ��^��<��ҡC�]��A�?��A�ȱq Directory Server ��J��ɡA�N�ھ� policy.dtd ��R XML�C�u��b�H��O��إߵ��ɤ~�ϥ� amadmin.dtd�C��`�N�|�� policy.dtd ��c�Cpolicy.dtd ��U�C��m�G

��


�Ƶ�	��L��6ȴ�� Solaris �ؿ��T�C�Ъ`�N�ALinux ��ؿ�c�ä��ۦP�C�p�ݧ�h��T�A�аѾ\��󥻫�n�C

���O�ڤ��!A�w�q��v���W�h�A�H�γW�h�M�ι�H���D���C�t�w�q��O�_���Ѧ� (�e�U��) ��A�H�θӵ��O�_��󭭨� (����)�C�i��]�t�U�C�@�Φh�Ӥl��!G�W�h�B��B�D���Ѧ��C��n�� XML �ݩʬ� name�A��w��W�١CreferralPolicy �ݩʿ��ѵ��O�_��Ѧҵ��F�Y��w�q�A�w�]��@�뵦��C�i��ܪ� XML �ݩʥ]�t�W���y�z�C

�W�h��


�Ƶ�	�N��Хܬ��Ѧ��ɡA��v��N��L�D��M��C�۹諸�A�N��Хܬ��@���ɡA��v��N��L�ѦҡC

�W�h��)w�q��S�ʨåi��T�Ӥl��!GServiceName�BResourceName �� AttributeValuePair�C�i�w�q��إߵ��A��3�ε{��A�H�Ω�䤤��檺�귽�M�ʧ@�C�@�ӳW�h�i�H�S��ʧ@�Y�i�w�q�F�Ҧp�Ѧҵ��W�h�S��ʧ@�C

ServiceName ��


�Ƶ�	�i�H�w�q�@�Ӥ��]�t�w�w�q ResourceName ��*��C

ServiceName ��)w�q�M�ε��A�Ȥ��W�١C��%N��A��C��]�t��L��!C��ȻP�A�� XML �ɮפ��w�q�� (�ھ� sms.dtd) ��ۦP�CServiceName ��*� XML �A��ݩʬ��A�Ȫ��W�� (�r��)�C

ResourceName ��

ResourceName ��)w�q��ʮھڪ��C��w�g�S�O�t�m��O�@�o�Ӫ��C��]�t��L��!CResourceName ��*� XML �A��ݩʬ��󪺦W�١CResourceName �d�ҥi��O��A��W�� http://www.sunone.com:8080/images�A�Υؿ��A��W�� ldap://sunone.com:389/dc=example,dc=com�C��S�O��귽�i��O salary://uid=jsmith,ou=people,dc=example,dc=com�A�䤤��󪺰�Ǭ� John Smith ��~��ԸߡC

AttributeValuePair ��

Attribute ��

�ݩ���)w�q�ʧ@��W�١C�@�Ӱʧ@��b�귽�W��檺�@�~�Ψƥ�CPOST �� GET ��A��귽�W��檺�ʧ@�AREAD �� SEARCH ��ؿ��A��W��檺�ʧ@�C�ݩ��%��P��0t��ϥΡC�ݩ��%��]�t��L��!C�ݩ��*� XML �A��ݩʬ��ʧ@��W�١C

�Ȥ��

��)w�q�ʧ@�ȡC��\/�ڵ��άO/�_��ʧ@�Ƚd�ҡC��L�ʧ@�ȥi�H�O��L�ȡB�Ʀr�Φr��C��ȩ��A�� XML �ɮפ� (�ھ� sms.dtd) �w�q�C��$��]�t��L��%B��]�t XML �A��ݩʡC

�D�D��


ĵ�i	�ڵ��W�h�û��u��󤹳\�W�h�C�Ҧp�A�p�G�@�ӵ��O�ڵ��A�t�@�جO��\�A�h��G�O�ڵ� (��p�P�ɺ��o��ص��)�C�ѩ�ڵ��i��ɭP�o��ص��ͼ�b��Ĭ�A�]��ĳ�z�ϥΩڵ��ɭn�D�`�ԷV�C�p�G�ϥΩ�T��ڵ��W�h�A�z�L��P�D�� (�p��M/�θs�զ��) ��w�ϥΪ̫�w��]�i��\|�ɭP�ڵ��귽�s��C�q�`�A��w�q�{��3�ӶȨϥΤ��\�W�h�C�p�G��M�Ψ�L��h�i��ϥιw�]��ڵ��C

�D�D�l��?��ѵ��M�Ϊ��󶰡F��²��ھڨ��έӧO�ϥΪ̸s�աB�Ҧ��v��ܪ��󶰡C���D�D�l��!CXML �ݩʥi�w�q��G

�D��

�D�D�l��?��ѵ��M�Ϊ��󶰡F��󶰫�X�D��)ҩw�q��X��S�O��C��i�H�ھڨ��B�s�զ��Υu�O�@�ǭӧO�ϥΪ̡C�]�t�l��!AAttributeValuePair ��C��n�� XML �ݩʬ� type�A�i�q��o�S��w�q�D��B��Ѥ@�몫�󶰡C��L XML �ݩʥ]�t�w�q��󶰪� name�A�H�Ωw�q�O�_�w�g�w�q��󶰡A�w�M�w��O�_�A�ΫD�D��ϥΪ̪� includeType�C

�ѦҤ��


�Ƶ�	�w�q�h��D��ɡA�ܤ֤@��D��M�Ψ�ϥΪ̡A�~��M�ε��C��N includeType �]��H�w�q�D��ɡA�ϥΪ̤�3�ӬO�ӥD��@��C

�Ѧ��l��?��ѵ��ѦҶ��C���Ѧ��l��!C�i�H�w�q�� XML �ݩʬ� name (�w�q��󶰦W��)�A�H�� description (��y�z)�C

�ѦҤ��

�Ѧ��l��?��ѯS�w��ѦҡC��l�� AttributeValuePair ��C�䥲�n�� XML �ݩʬ� type�A�i�q��o�S��w�q�ѦҳB��Ѥ@��w��C�]�]�t�w�q��w��W�٪� name �ݩʡC

��󤸯�

���l��?��ѵ��ѦҶ� (�ɶ��d��B�{�Ҽh�ŵ��)�C��]�t�U�C�@�Φh�����l��!G�i�H�w�q�� XML �ݩʬ� name (�w�q��󶰦W��)�A�H�� description (��y�z)�C

��󤸯�


�Ƶ�	��󤸯,��ܩʤ��!C

���l��?��ѯS�w�� (�ɶ��d��B�{�Ҽh�ŵ��)�C��l�� AttributeValuePair ��C�䥲�n�� XML �ݩʬ� type�A�i�q��o�S��w�q��B��Ѥ@�뭭��C�]�]�t�w�q��w��W�٪� name �ݩʡC

�s�W��A��

�̹w�]�AAccess Manager �� URL ��N�z�{��A�� (iPlanetAMWebAgentService)�C��A�ȩ�U�C�ؿ� XML �ɮפ��w�q�G

��L�z�i�H�W�[��L��A�Ȩ� Access Manager�C�@��إߵ��A�ȡA�z�i�H�z�L amadmin ��O�椽�ε{��N��s�W�� Access Manager�C

�Y�n�s�W�s��A��

�b�ھ� sms.dtd �� XML �ɮפ��o��s��A�ȡCAccess Manager ��Ѩ�ӵ��A�� XML �ɮסA�z�i�H�Χ@�s��A��ɮת��¦�G

amWebAgent.xml - ��w�] URL ��N�z�{��A�Ȫ� XML �ɮסC�� etc/opt/SUNWam/config/xml/�C

SampleWebService.xml - �o�O�� etc/opt/SUNWam/samples/policy ��d�ҵ��A��ɮסC

�N XML �ɮ��x�s��z�Y�N�q�䤤��J�s��A�Ȫ��ؿ�C�Ҧp�G

etc/opt/SUNWam/config/xml/newPolicyService.xml

�H amadmin ��O�椽�ε{��J�s��A�ȡC�Ҧp�G

AccessManager-base/SUNWam/bin/amadmin

--runasdn “uid=amAdmin,ou=People,default_org,root_suffix

--password password

--schema etc/opt/SUNWam/config/xml/newPolicyService.xml

��J�s��A�ȫ�A�z�i�H�z�L Access Manager �D��x�B�γz�L amadmin ��J�s��A�өw�q��w�q��W�h�C

�إߵ��

�z�i�H�z�L�� API �H�� Access Manager �D��x�إߡB�ק�M�R��A�óz�L amadmin ��O��u��إߩM�R��C��`��I�b��z�L amadmin ��O��u��H�� Access Manager �D��x�إߵ��C�� API ��L��T�A�аѾ\�uAccess Manager Developer’s Guide�v�C

�@��O�z�L XML �ɮ׫إߵ��A�óz�L amadmin ��O��u��s�W�� Access Manager�A�M��z�L Access Manager �D��x�޲z (�]�i�z�L�D��x�إߵ��)�C�o�O�]��ઽ��ϥ� amadmin �ק�C�Y�n�קﵦ��A��q Access Manager �R��A�M��ϥ� amadmin �[�J�ק�᪺��C

�@��Ө��A��إߩ��´ (�Τl��´) �h�šA�Ω��Ӳ�´��C

�ϥ� amadmin �إߵ��

�إ߮ھ� policy.dtd. �� XML �ɮסC��ɮצ��H�U�ؿ�G

AccessManager-base/SUNWam/dtd

�}�o�F�� XML �ɮ׫�A�z�i�H�ϥΥH�U��O��J��ɮסG

AccessManager-base/SUNWam/bin/amadmin

--runasdn "uid=amAdmin,ou=People,default_org,root_suffix"

--password password

--data policy.xml

�Y�n�P�ɥ[�J�h��A�бN�o�ǵ��b�@�� XML �ɮפ��A�o�@�I�P�b�C�� XML �ɮפ��@�ӵ��ۤϡC�p�G�ϥΦh�� XML �ɮ׳s��ֳt��J��A�h��dޥi��|�l��A�ӥB�Y�ǵ��i�ण�ѻP��C

�z�L amadmin �إߵ��ɡA�нT�O�إ߻{�Һ�ر��ɱN�{�ҼҲյ�U��´�F�إ߲�´�BLDAP �s�աBLDAP ��H�� LDAP �ϥΪ̪��D��ɡA��3�� LDAP �� (��´�B�s�աB��M�ϥΪ�) �w�s�b�F�إ� IdentityServerRoles �D��ɡAAccess Manager ��w�s�b�F�H�Ϋإߤl��´�ѦҩΦP�Ų�´�ѦҮɬ��´�w�s�b�C

�Ъ`�N�ASubOrgReferral�BPeerOrgReferral�BOrganization �D��BIdentityServerRoles �D��BLDAPGroups �D��BLDAPRoles �D��M LDAPUsers �D��Ȥ��*��r�ݭn�O��㪺 DN�C

�Y�n�H Access Manager �D��x�إߵ��

�s�� [�ѧO�޲z] ��C

��ܱz�n��إߵ��´�C

�нT�w [��޲z] ��m�O�z��´��T��m�C

�q [�˵�] �\�� [��]�C

�̹w�]�A�b [�˵�] �\��?�i�H�ݨ� [��´] �˵�C�Ҧ��t�m��l��´ (�p�G��) ��|��ܦb��˵�U��C�p�G�إߤl��´��A�п�ܦ��l��´�A�M��q [�˵�] �\�� [��]�C

�b�s��ج[��@�U [�s��]�C�N�}�� [�s�ص��] ��C

��z�n�إߪ�� (�@��ΰѦ�)�C

�p�G�ѦҤl��´��Ѧҵ��s�b�A�h�L�k��Ӥl��´�إߥ�󵦲��C

�åB��ɡA�L�ݩw�q�@�뵦��ΰѦҵ��Ҧ��C�z�i�H�إߵ��A�H��A�[�J�W�h�B�D��B�Ѧҵ��C

��J��W�١A�M��@�U [�T�w] �C

�̹w�]�A�|�� [�@��] �˵�C

[�@��] �˵��ܵ��W�١A��\�z��J�n�إߪ��y�z�C

��@�U [�x�s] �H��t�m�C

��P�Ų�´�M�l��´�إߵ��

�n��P�Ų�´�Τl��´�إߵ��A��b��t��´ (�Υt�@�ӦP�Ų�´) ��إ߰Ѧҵ��C��3�Ӧb�l��´��U��t�m�A�Ȩëإ߽d��C�Ѧҵ��b��W�h�w�q��]�t��Ѥl��´�޲z��귽�r��C�b��t��´ (�Υt�@�ӦP�Ų�´) ��إ߰Ѧҵ��A�K�i�b�l��´ (�ΦP�Ų�´) ��إߤ@�뵦��C

�b��d�Ҥ��Ao=isp ��t��´�Ao=example.com ��l��´�ú޲z http://www.example.com ��귽�M�l�귽�C

��l��´�إߵ��

�b o=isp �إ߰Ѧҵ��C�p�ݦ��Ѧҵ��T�A�аѾ\�{��ק�Ѧҵ��C

�Ѧҵ��N http://www.example.com �w�q��W�h��귽�A�B��]�t SubOrgReferral (example.com �@��ѦҤ��)�C

�� [��´] �˵�A��s��ܤl��´ example.com�C

�T�O��t�m�A�Ȥw�b�l��´�h�� example.com ��U�C�p�ݦ��T�A�аѾ\�[�J��t�m�A��C

�귽�J�M�Q isp �٬� sun.com�A�K�i�H��귽 http://www.example.com �ΥH http://www.example.com �_�l��귽�إߤ@�뵦��C

�аѾ\�{��ק�@�뵦��A�H��o��إߤ@�뵦��T�C

�Y�n�� example.com �޲z��L�귽�w�q��A�h��b o=isp �إߨ�L�Ѧҵ��C

�޲z��

�إߤ@�뵦��ΰѦҵ��å[�J Access Manager ��A�z�Y�i�z�L Access Manager �D��x�޲z��A��k�O�ק�W�h�B�D��B��P�ѦҡC

�ק�@�뵦��

�i�z�L [�ѧO�޲z] ��إߩw�q�s��v��C�o�ص��Y���@����C�@�뵦��i�Ѧh�ӳW�h�B��M��զ��C��`�C�X�éw�q�إߤ@�뵦��ɥi��w��w�]��C

�Y�n�ק�W�h

�q [�ѧO�޲z] �� [�˵�] �\��A�� [��]�C

�N��ܬ��Ӳ�´�إߪ��C

��ܱz�n�ק諸��A�M��@�U [�S��] �b�Y�C[�s�赦��] ��|�b [��] �ج[��}�ҡC

�̹w�]�A�|�� [�@��] �˵�C�إߵ��y�z�F [�@��] �˵�]�t��ݩʡC

�q [�˵�] �\�� [��]�A�ë�@�U [�s�W]�C

�p�G�s�b�h�تA�ȡA�|�b [��] ��椤�C�X�C��ܭn��إߵ��A�ȡA�M��@�U [�U�@�B]�C�|�� [�s�سW�h] ��C

�w�q [�W�h] ��줤��귽�B�ʧ@�P�ʧ@�ȡC�o��]�A�G

[��]�C��ܭn�إߵ��A�ȡC�w�]�� URL ��N�z�{��C

[�W�h�W��]�C��J��W�h��W�١C

[�귽�W��]�C��J�귽��W�١C�Ҧp�G

http://www.example.com

�ثe�A��N�z�{��Ȥ䴩 http://�M https://�귽�A�Ӥ��䴩�� IP ��}��N�D��W�١C

�귽�W�١B�s��𸹩M��w�i�H�ϥθU�Φr��C�Ҧp�G

http*://*:*/*.html

�� URL ��N�z�{��A�ȡA�p�G��J�s��𸹡A�h http://��w�]�s��𸹬� 80�Ahttps://. ��w�]�s��𸹬� 443�C

�Y�n��\��w�˦b�S�w��W��Ҧ��A��귽�i��޲z�A�z�i�H�N�귽�w�q�� http://host*:*�C��~�A�z�i�H�w�q�H�U�귽�A�H�»P�Ӳ�´��Ҧ��A�Ȫ��S�w��´��v��޲z��v��C

http://*.subdomain.domain.topleveldomain

[��ʧ@]�C�� URL ��N�z�{��A�ȡA�z�i�H��H�U�@�عw�]�ʧ@�Ψ�̬ҿ�G

GET

POST

[��ʧ@��]�C�� URL ��N�z�{��A�ȡA�z�i�H��ܥH�U�@�ذʧ@�ȡG

Allow ��\�z�s��P�W�h��ҩw�q�귽�۲Ū��귽�C

Deny ��\�z�s��P�W�h��ҩw�q�귽�۲Ū��귽�C

��ڵ��W�h�`�O�n�u��󤹳\�W�h�C�Ҧp�A�p�G��w��귽��ص��A�@�جO�ڵ��s��A�t�@�جO��\�s��A�h��G�O�ڵ��s�� (��p�P�ɺ��o��ص��)�C�ѩ�ڵ��i��ɭP�o��ص��ͼ�b��Ĭ�A�]��ĳ�z�ϥΩڵ��ɭn�D�`�ԷV�C�q�`�A��w�q�{��3�ӶȨϥΤ��\�W�h�A�b�Ҧ��A�󧹦��ڵ��s��ɤ~�ϥιw�]�ڵ��W�h�C

�p�G�ϥΩ�T��ڵ��W�h�A�Y�Ϧ��@�өΦh�ӵ��\�s��A�z�L��P�D�� (�p��M/�θs�զ��) ��w�ϥΪ̫�w��]�i��|�ɭP�ڵ��귽�s��C�Ҧp�A�p�G�s�b�@�ӾA�Ω��u��⤧�귽��ڵ��A�٦s�b�t�@�ӾA�Ω�޲z��⤧�ۦP�귽��\��A�t�αN�|�ڵ��w��ϥΪ� (��u��M�޲z��) ��M��C

�ѨM��D��@�ؤ�k��ϥα��~��{��]�p��C�b�W�z��p��A�u��v(�N�ڵ��M�Ω�Q�{�Ҭ��u��⪺�ϥΪ̡A�ñN��\��M�Ω�Q�{�Ҭ��޲z��⪺�ϥΪ�) ��U�Ϥ3o��ص��C�t�@�ؤ�k��ϥ� authentication level ��A�b��󤤺޲z��b��{�Ҽh�Ŷi��{�ҡC�аѾ\�Y�n�s�W�έק��A�H��o��h��T�C



�Ƶ�	�p�G�w�q�F�A�ȡA�ϰʧ@��ݭn�귽�w�q�A�h��\|��ܸ귽��C�p�G��A�ȥ]�t��ʧ@ (�Y�ǻݭn�귽�A�Y�Ǥ��ݭn�귽)�A�h�\|��ܤ@�ӿﶵ�A�i�H��]�t�L�ݸ귽��ʧ@�W�h�λݭn�귽��ʧ@�W�h�C

��@�U [��]�A�H�x�s��W�h�C�o�ȷ|�N�t�m�x�s�b�O��餤�C�Ш̴`�B�J 7�A�H��{�ǡC

��ƨB�J 1 �� 5�A�H�إߨ�L�W�h�C

��إߪ��Ҧ��W�h��ܦb [�W�h] �˵��椤�C��@�U [�x�s]�A�H�N�o�ǳW�h�[�J�ܵ��C

�Y�n�q��Y�ӳW�h�A�п��W�h�A�M��@�U [��]�C

�i�H�z�L��@�U�W�h�W�ٮ��䪺 [�s��] �s��A�s��W�h�w�q�C

�n�ק�D��

�Y�n�w�q��D��A�бq [�˵�] �\�� [�D��]�A�M��@�U [�s��]�C

��䤤�@�ӹw�]�D��G

[�w�{�Ҫ��ϥΪ�]�C��D��ܨ㦳�� SSOToken ��ϥΪ̧��D��C

�Ҧ��{�Ҫ��ϥΪ̱N��D��A�Y�ϳo�ǨϥΪ̳Q�{�Ҩ�P�w�q��´��P��´�C�p�G�귽�Ҧ��̷Q�n�N�s��v��»P��L��´��ϥΪ̩Һ޲z��귽�A�o�ӥ\��ܦ��ΡC�Y�n��S�w��´��s��O�@��귽�A�Шϥβ�´�D��C

[Access Manager �W�h]�C��D�� Access Manager ��⪺��󦨭��D��CAccess Manager ��O�ϥ� Access Manager �إߪ��C�o�Ǩ��㦳 Access Manager �U�ު��O�CAccess Manager ��ȥi�z�L�U�� Access Manager ��A�Ȧs��C

[LDAP �s��]�C��D�� LDAP �s�ժ��󦨭��D��C

[LDAP ��]�C��D�� LDAP ��⪺��󦨭��D��CLDAP ��O�ϥ� Directory Server ��\��w�q��󨤦�C�o�Ǩ��㦳 Directory Server ��w�q�U�ު��O�C�i�H�b��t�m�A�Ȥ��ק� LDAP ��j�M�z��A�H�Y�p�d��M�ﵽ�į�C

[LDAP �ϥΪ�]�C��D��ܥ�� LDAP �ϥΪ̧��D��C

[��´]�C��D��ܲ�´��󦨭��D��C

[Web �A�ȥΤ��]�C��D��ܡA�p�G�]�t�b SSOToken ��D�餧 DN �P��D��N�ҿ�Ȭ۲šA�h�� SSOToken �ѧO�� Web �A�ȥΤ�� (WSC) ��D��C��ĭȬ�� JKS ��x�s�Ϥ��i�H��Ҫ� DN (�P�i�H�� WSC ��Ҭ۹�3)�C��D��M��ۥ� Web �A�Ȭ[�c�A�åB��3�ӥѦۥѪA�ȴ��Ѫ̥Ψӱ��v WSC�C

�T�w�إ��x�s�ϫ�A�N��D��[�J��C�H�U��m�i�H��]�w��x�s�Ϫ��T�G

AcessManager-base/SUNWam/samples/saml/xmlsig/keytool.html

��@�U [�U�@�B] �H�~��C

��J��D��W�١C

��Ψ�� [�M��] ��C

�p�G�� (�w�])�A�h��N�M�Ω��ݩ󦹥D��C�p�G��A�h��N�M�Ω��ݩ󦹥D��C

�p�G��s�b�h��D��A�åB�ܤ֤@�ӥD��ܵ��M�Ω󵹩w��A�h��N�M�Ω󦹨��C

��j�M�A�H�K��ܭn�[�J�ܦ��D��C��B�J��A�Ω� [�w�{�Ҫ��ϥΪ�] �D�� [Web �A�ȥΤ��] �D��C

�w�] (*) �j�M��˱N��ܩҦ��X�檺��ءC

��n��D��[�J��ӧO��A�Ϋ�@�U [��[�J] �H�ߧY�[�J�Ҧ��C��@�U [�[�J]�A�H�N�� [��] �M��C��B�J��A�Ω� [�w�{�Ҫ��ϥΪ�] �D�� [Web �A�ȥΤ��] �D��C

��@�U [��]�C

��D��W�١B��P�M�Ϊ��A��|��ܦb [�D��] �˵��椤�C��@�U [�x�s]�C

�Y�n�q��Y�D��A�п��D��A��@�U [�R��]�A�M��@�U [�x�s]�C

�i�H�z�L��@�U�D��W�ٮ��䪺 [�s��] �s��A�s��D��w�q�C

�Y�n�s�W�έק��

�q [�˵�] �\�� [��]�C��@�U [�s��] �H�[�J�s��A�Ϊ̫�@�U [�s��] �s��H�s��{��C

��H�U�䤤�@�ӹw�]��G

�{�үŧO

�{�Ҥ��

IP ��}

LE �{�үŧO

��q�@�~

�ɶ�

��{�Ҽh�šA�p�G�ϥΪ̪��{�Ҽh�Ű��ε��󤤳]�w��{�Ҽh�šA�h��|�M�ΡC�� LE �{�Ҽh�šA�p�G�ϥΪ̪��{�Ҽh�ŧC��ε��󤤳]�w��{�Ҽh�šA�h��|�M�ΡC

��@�U [�U�@�B]�C

��w��w�q�ȡC�o��]�A�G

[�W��]�C��J��󪺦W�١C

�{�үŧO

[�{�Ҽh��]�C��ܻ{�Ҫ��i�H�סC�i�λ{�Ҽh��ܦb�{�Ҽh�ũM�{�ҼҲժ�椤�C

�{�Ҽh�ű��i�Ψӫ�w�Ӳ�´��w��U�{�Ҽh�ťH�~��h�šC�n�N��M�Ψ��L��´�{�Ҫ��ϥΪ̮ɡA�o�|�ܦ��ΡC

�{�Ҥ��

[�{�Ҥ��]�C�q�U�Ԧ��\��A��ܦ��󪺻{�Ҥ�סC�o�ǻ{�Ҥ�ק��۲�´�{�ҼҲդ��֤ߪA�Ƚd��C

IP ��}

[IP ��}��/��]�C��w IP ��}��d��C

[DNS �W��]�C��w DNS �W�١C��i�H��㪺�D��W�٩ΥH�U��@�榡��r��G

��W��

*.domainname

�ɶ�

[��f�/��]�C��w��}d��C

[�ɶ�]�C��w�@�Ѥ��ɶ��d��C

[��]�C��w�Ѽƽd��C

[�ɰ�]�C��w�ɰ� (�зǩΦۭq)�C�ۭq�ɰ϶ȥi�� Java �ѧO��ɰ� ID (�Ҧp PST)�C�p�G��w�ȡA�h�w�]�Ȭ� Access Manager JVM ��]�w��ɰϡC

��q�@�~

[�̪�q�@�~�ɶ�]�C��w�M�ε��ɨϥΪ̶��q�@�~��̤j�ɶ��C

[�פ�q�@�~]�C��ɡA�p�G��q�@�~�ɶ��W�L [�̪�q�@�~�ɶ�] ��줤�w�q�Ҥ��\��̤j�ɶ��A�h�ϥΪ̶��q�@�~�N�Q�פ�C

�w�q�F��A�Y��@�U [��]�C

��إߪ��Ҧ��ܦb [��] �˵��椤�C

��@�U [�x�s]�C

�Y�n�q��Y�ӱ��A�п��A�M��@�U [�R��]�C

�i�H�z�L��@�U��W�ٮ��䪺 [�s��] �s��A�s��w�q�C

�ק�Ѧҵ��

�z�L [�ѧO�޲z] ��A�z�i�H�N�@�Ӳ�´��w�q�P�M��e�U��t�@�Ӳ�´�C(�٥i�N�귽��M��e�U��L��~�C) �Ѧ���إ߻P��e�U�C���W�h�M�Ѧ��զ��C

�n�ק�W�h

�q [�˵�] �\�� [�W�h]�C��@�U [�s�W] �H�[�J�s�W�h�A�Ϋ�@�U [�s��] �s��H�s��{��W�h�C

��A��C�Y�Q�إ߷s�W�h�A�Ы�@�U [�U�@�B]�C

�w�q [�W�h] ��줤��귽�C�o��]�A�G

[��]�C��ܭn�إߪ��A�ȡC

[�W�h�W��]�C��J��W�h��W�١C

[�귽�W��]�C��J�귽��W�١C�Ҧp�G

http://www.sunone.com

�ثe�A��N�z�{��Ȥ䴩 http:// �M https:// �귽�A�Ӥ��䴩�� IP ��}��N�D��W�١C

�귽�W�١B�s��𸹩M��w�i�H�ϥθU�Φr��C

�� URL ��N�z�{��A�ȡA�p�G��J�s��𸹡A�h http:// ��w�]�s��𸹬� 80�Ahttps:// ��w�]�s��𸹬� 443�C

http://*.subdomain.domain.topleveldomain

��@�U [��]�C

��ƨB�J 1 - 4�A�H�إߨ�L�W�h�C

��إߪ��Ҧ��W�h��ܦb [�W�h] �˵��椤�C

��@�U [�x�s]�C

�Y�n�q��Y�ӳW�h�A�п��W�h�A�M��@�U [�R��]�C

�i�H�z�L��@�U�W�h�W�ٮ��䪺 [�s��] �s��A�s��W�h�w�q�C

�Y�n�[�J�Ѧ�

�q [�˵�] �\�� [�Ѧ�]�C��@�U [�s��] �H�[�J�s��ѦҡA�Ϊ̫�@�U [�s��] �s��H�s��{��ѦҡC

�w�q [�W�h] ��줤��귽�C�o��]�A�G

[�Ѧ�]�C��ܥثe��Ѧ��C

[�W��]�C��J��ѦҪ��W�١C

[�]�t]�C��w�N�n��ܦb [��] ��줤��´�W�٤��z�ﾹ�C�̹w�]�A��N��ܩҦ��´�W�١C

[��]�C��ѦҪ��´�W�١C

��@�U [�T�w] �M [�x�s]�C

�Y�n�q��Y�ӰѦҡA�п��ѦҡA�M��@�U [�R��]�C

�i�H�z�L��@�U�ѦҦW�ٮ��䪺 [�s��] �s��A�s��Ѧҩw�q�C

��t�m�A��

��t�m�A�ȥΨӦ�C�Ӳ�´�z�L Access Manager �D��x�t�m�C�ӵ��ݩʡC�z�]�i�H�w�q�귽�W�ٹ�I�A�H�� Directory Server ��x�s�H�Ω� Access Manager �{�ҪA�ȡC

�֨�D��

�Y�n�ﵽ��{�A�D��N�֨�X�� (�H��t�m�A�Ȥ� [��򪺥D��G�ɶ�] �ݩʤ��w�q��ɶ��)�C�o�ǧ֨��M��F [��򪺥D��G�ɶ�] �ݩʩҫ�ɶ��g�L�ɶ��C��F�o�Ӯɶ��A�U�@��M��ɶ��N�A�ɤ�3�ϥΪ̪��ܧ󪬺A (�Ҧp�A�p�G�q�s�դ��ϥΪ�)�C

amldapuser �w�q

amldapuser �ѨϥΪ̩�w�˴v��إߡA�Ψө� LDAP �M��Y�{�Үɳs��÷j�M Directory Server�C�]�Ω󵦲��t�m�A�Ȥ��C�@��N LDAP�B��Y�ε��t�m�A�ȵ�U��´�A�N��J�ӨϥΪ� (��w�ˮɰt�m) ��K�X�C�p�ݧ�h��T�A�аѾ\�u Sun Java System Access Manager Migration Guide �v�C

�[�J��t�m�A��

�[�J��t�m�A�ȻP�[�J��@��A�ȬۦP�A�i�b [�ѧO�޲z] ��C�̹w�]�A[��t�m] �A�ȷ|�۰ʥ[�J�쳻�h��´�C�z�إߪ��@��A�ȥ��[�J��Ҧ��´�C�L�ױz��ɥ[�J��t�m�A�ȡA��b�d��J LDAP �s��K�X�C

�Y�n�s�W��t�m�A��

�s�� [�ѧO�޲z] ��C

�D��x�}�ҮɡA�w�]��O [�ѧO�޲z]�C

��ܱz�n�إߵ��´�C

�p�G�H��h�޲z��n�J�A�нT�w�ѧO�޲z�Ҳզ��i��ܩҦ��w�t�m��´��h��´�C�w�]��h��´�b�w�˴v��w�q�C

�q [�˵�] �\�� [�A��]�C

�p�G��´�w��U�A�ȡA�h�o�ǪA�ȱN�|��ܦb�s��ج[��C

�b�s��ج[��@�U [�[�J]�C

�|��U��Ӳ�´��A�Ȫ��M��|��ܦb��Ʈج[��C

�q [�[�J�A��] �� (�b��Ʈج[��}��) �� [��t�m] �ë�@�U [�T�w]�C

��t�m�A�ȧY�|�Q�[�J�s��ج[��A�ȲM�椤�C

��@�U [�S��] �b�Y�H�t�m��A�ȡC

�p�G�|��t�m��d��A�h�ݭn��s��U��A�ȫإߪA�Ƚd��C

�Y�n�t�m��A�ȡA�Ы�@�U [�إ�]�C

�קﵦ��t�m�ݩʡC�аѾ\��t�m�A��ݩ��A�H��o�o��ݩʪ��y�z�C

��@�U [�x�s]�C

�{�b�A��t�m�A�Ȥw�[�J��ҿ��´�C



�Ƶ�	�l��´��W�ߩ��t��´��U�䵦��A�ȡC��A�l��´ o=suborg,dc=sun,dc=com �N��\|�q��t��´ dc=sun,dc=com �~�ӵ��t�m�A�ȡC

��Ǹ귽�޲z

��ǲ�´�ݭn��i��{�Ҥ�סA�ϥΪ̥i�ھگS�w�ҲաB�ھڸչϦs��귽�i��{�ҡC��¦��귽�޲z�O Access Manager ��@�ӥ\��A�䤤�ϥΪ̤��ݭn�ǻ��U�]�{�ҼҲէY�i�s��귽�C

��

�Ҧ��A�θ귽��ݭn��ۦP��{�Һ�ةλ{�Ҽh�šC�Ҧp�A�p�G�� LDAP �{�ҼҲզb��w�q abc.html�A�h��ର�H��Ҭ��¦��{�ҼҲդ��w�q�C

��h�M��جO�ߤ@�i�H��w�q��C

��\�ण��󤣦P DNS ��B�@�C

�Y�n�t�m�H��¦��귽�޲z

�w�� Access Manager �M��N�z�{��A�Y�i�t�m�H��¦��귽�޲z�C�n�o�˰��A��N Access Manager ��V Gateway servlet�C

�W�@�� ؿ� �d� �U�@��
Sun Java System Access Manager 6 2005Q1 �޲z��n

�� 5 �� �����޲z

²��

�����޲z�\��

URL �����N�z�{���A��

�����N�z�{��

�����N�z�{���{��

��������

�@�뵦��

�W�h

�D��

Access Manager ����P LDAP ����

�_������

���

������ĳ

�Ѧҵ���

�W�h

�Ѧ�

�����w�q�������

��������

�W�h����

ServiceName ����

ResourceName ����

AttributeValuePair ����

Attribute ����

�Ȥ���

�D�D����

�D������

�ѦҤ���

�ѦҤ���

��󤸯�

��󤸯�

�s�W�����A��

�Y�n�s�W�s�����A��

�إߵ���

�ϥ� amadmin �إߵ���

�Y�n�H Access Manager �D���x�إߵ���

���P�Ų�´�M�l��´�إߵ���

���l��´�إߵ���

�޲z����

�ק�@�뵦��

�Y�n�ק�W�h

�n�ק�D��

�Y�n�s�W�έק���

�ק�Ѧҵ���

�n�ק�W�h

�Y�n�[�J�Ѧ�

�����t�m�A��

�֨�D�����

amldapuser �w�q

�[�J�����t�m�A��

�Y�n�s�W�����t�m�A��

������Ǹ귽�޲z

����

�Y�n�t�m�H��������¦���귽�޲z

�� 5 ��
��޲z

��޲z�\��

URL ��N�z�{��A��

��N�z�{��

��N�z�{��{��

��

Access Manager ��P LDAP ��

�_��

��

��ĳ

�Ѧҵ��

��w�q��

��

�W�h��

ServiceName ��

ResourceName ��

AttributeValuePair ��

Attribute ��

�Ȥ��

�D�D��

�D��

�ѦҤ��

�ѦҤ��

�s�W��A��

�Y�n�s�W�s��A��

�إߵ��

�ϥ� amadmin �إߵ��

�Y�n�H Access Manager �D��x�إߵ��

��P�Ų�´�M�l��´�إߵ��

��l��´�إߵ��

�޲z��

�Y�n�s�W�έק��

�ק�Ѧҵ��

��t�m�A��

�֨�D��

�[�J��t�m�A��

�Y�n�s�W��t�m�A��

��Ǹ귽�޲z

��

�Y�n�t�m�H��¦��귽�޲z