Sun ONE Identity Server Policy Agent Guide



Chapter 3   Policy Agents for Windows 2000

Sun ONE Identity Server Policy Agents work in tandem with Sun ONE Identity Server to grant or deny user access to web servers in an enterprise. This chapter explains how policy agents can be configured for various web servers running on the Windows 2000 operating system.

Topics include:

Before You Begin

Be sure that you are familiar with the concepts presented in Chapter 1 "Read This First." The chapter includes brief but important information on the following topics:

Supported Windows Web Servers

The Sun ONE Identity Server Policy Agents support the following web servers on the Windows 2000 server operating system:

  • Microsoft IIS 5.0
  • Sun ONE Web Server 6.0 SPx
  • Lotus Domino 5.0.10

Installing the Policy Agent for Microsoft IIS

The IIS agent enforces policy on URL access for Microsoft's Internet Information Services (IIS) web server. The agent is an IIS ISAPI filter installed at the IIS web service level that will enforce policy on all IIS web sites. Technical considerations prevent the agent from being installed at the web site level.

Prior to installation, be sure that the entry for the system where the agent will be installed has a domain name set. If the web server that runs Sun ONE Identity Server 6.0 is running on a separate system, make sure the server is also in the DNS query list.

Installation Using the GUI

Use the following instructions for installing agents on the Microsoft Windows 2000 operating system:

To Install the Policy Agent

You must have administrator privileges to run the installation program.

  1. Unzip the product binaries.

    For Microsoft IIS

    • Unzip agent_WINNT_iis.zip

    For Sun ONE Web Server 6.0 SPx

    • Unzip agent_WINNT_es6.zip

    For Lotus Domino 5.0.10

    • Unzip agent_WINNT_domino.zip

  2. Run the Installation program by double-clicking setup.exe.
  3. In the Welcome window, click Next.
  4. Read the License Agreement. Click Yes to accept the license agreement.
  5. To search for the directory where you would like to install the agent, click Browse. To accept the default, click Next.

  6. Enter the information about the web server where this agent will be installed:

    Host Name: Enter the FQDN of the system where the agent web server is installed. For example, mycomputer.siroe.com.

    IIS Document Root: Enter the document root directory. This directory needs to be accessible by the web server root w3svc. This field is available only if you are installing the Policy Agent for Microsoft IIS.

    Web Server Instance Directory: Enter the full path to the directory where the Sun ONE Web Server instance is located. This is the web server instance that the agent will protect. For example,

    /web_server_root/https-mycomputer.siroe.com

    This field is available only if you are installing the Policy Agent for Sun ONE Web Server.

    Lotus Domino Data directory: Enter the full path to the directory where the Domino data is located. The default path is c:\Lotus\Domino. This field is applicable only if you are installing the Policy Agent for Lotus Domino 5.0.10.

    Server Port: Enter the port number for the web server that will be protected by the agent.

    Server Protocol: If your web server has been configured for SSL, then select HTTPS; otherwise select HTTP.

    Agent Deployment URI: Enter a directory name. The default Universal Resource Identifier (URI) is /amagent.

    Note

    The agent uses the value of the com.sun.am.policy.agents.agenturiprefix property to support some essential functions such as notification and POST data preservation. It is important to set a valid URL for this property. Its default value is:

    http://host.domain:port/agent_deployment_uri

    where host, domain and port are the FQDN and port number of the server where the agent is installed, and agent_deployment_uri is the URI through which the web server will access the agent's HTML pages. Its default value is amagent.

    When all the information is entered correctly, click Next.

  7. Provide the following information about the web server that runs Sun ONE Identity Server:

    Primary Server Host: Enter the FQDN of the system where the primary web server that runs Sun ONE Identity Server is installed. For example, myserver.siroe.com.

    Primary Server Port: Enter the port number for the web server that runs Sun ONE Identity Server.

    Primary Server Protocol: If the web server that runs Sun ONE Identity Server is SSL-enabled, select HTTPS; otherwise select HTTP.

    Primary Server Deployment URI: Enter the location that was specified when Sun ONE Identity Server was installed. The default URI for Sun ONE Identity Server is /amserver.

    Primary Console Deployment URI: Enter the location that was specified when Sun ONE Identity Server console was installed. The default URI for Sun ONE Identity Server is /amconsole.

    Failover Server Host: Enter the FQDN for the secondary web server that will run Sun ONE Identity Server if the primary web server becomes unavailable. If no failover host exists, then leave this field blank.

    Failover Server Port: Enter the port number of the secondary web server that runs Sun ONE Identity Server. If no failover host exists, then leave this field blank.

    Failover Server Deployment URI: Enter the location that was specified when Sun ONE Identity Server was installed. The default URI for Sun ONE Identity Server is /amserver. If no failover host exists, then leave this field blank.

    Agent Identity Server Shared Secret: Enter the password for the Identity Server internal LDAP authentication user.

    Re-enter Shared secret: Re-enter the password for the Identity Server internal LDAP authentication user.

    CDSSO Enabled: Check this box if you want to enable the CDSSO feature.

    CDSSO Component URL: Enter the CDSSO Component URL.

  8. If all the information entered is correct, click Next.
  9. Review the Installation Summary to be sure that the information you've entered is correct. If you want to make changes, click Back. If all the information is correct, click Next.
  10. In the Ready to Install page, click Install Now.
  11. When the installation is complete, you can click Details to view details about the installation, or click Close to end the Installation program.
  12. If you are installing the Policy Agent for Lotus Domino 5.0.10, you should configure the Domino DSAPI filter. For steps to do this, see "Configuring the Domino DSAPI Filter".

    The installation modifies the system path by appending to it the location of the Agent libraries. In order for the change to take effect and for the Agent to work properly, you must reboot your computer.



    Note

    If the IIS 5.0 or the Lotus Domino 5.0.10 Policy agent was previously installed and uninstalled on your machine, you do not need to reboot if you are installing the same agent in the same directory.



Installation Using the Command-Line

The command-line version of the Installation program provides an alternative to the GUI-based installation.

Installing an Agent Using the Command-Line

  1. In the directory where you unzipped the binaries, at the command line, enter the following command:

    # setup.bat -nodisplay

  2. When prompted, provide the following information:

    Have you read, and do you accept, all of the terms of the preceding Software License Agreement?

    Install Sun ONE Identity Server Policy Agent in this directory: Specify the directory where you want the agent to be installed. To accept the default directory that is displayed in brackets, press Enter. Otherwise, enter the full path.

  3. When prompted, provide the following information about the web server instance this Agent will protect:
    • Host Name
    • IIS Document Root, Web Server Instance Directory, or Lotus Domino Data Directory depending on the agent you are installing.
    • Server Port
    • Server Protocol
    • Agent Deployment URI

    For details on these items, see "Installation Using the GUI."

  4. When prompted, provide the following information about the web server that runs Sun ONE Identity Server Services:
    • Primary Server Host
    • Primary Server Port
    • Primary Server Protocol
    • Primary Server Deployment URI
    • Primary Console Deployment URI
    • Failover Server Host
    • Failover Server Port
    • Failover Server Deployment URI
    • Secondary Console Deployment URI
    • Agent-Identity Server Shared Secret
    • Re-enter Shared secret
    • CDSSO feature enabled
    • CDSSO component URL

    For details on these items, see "Installation Using the GUI."

  5. When displayed, review the summary of installation information you've specified. Press Enter to continue, or enter exclamation mark (!) to exit the program.
  6. The following text is displayed:

    Ready to Install

    1. Install Now
    2. Start Over
    3. Exit Installation

    What would you like to do

  7. When prompted, What would you like to do?, enter 1 to start the installation.
  8. The following text is displayed:

    Product                            Result     More Information
    1.  Sun ONE Identity Server Agent  Installed  Available
    2.  Done

  9. To see log information, enter 1. To exit the Installation program, enter 2.
  10. The installation modifies the system path by appending to it the location of the Agent libraries. In order for the change to take effect and for the Agent to work properly, you must reboot your computer.



    Note

    If the IIS 5.0 or the Lotus Domino 5.0.10 Policy agent was previously installed and uninstalled on your machine, you do not need to reboot if you are installing the same agent in the same directory.



    If you are installing the Policy Agent for Lotus Domino 5.0.10, you should configure the Domino DSAPI filter. For steps to do this, see the section "Configuring the Domino DSAPI Filter."

Configuring the Domino DSAPI Filter

Use the following procedure to configure the DSAPI filter.

  1. In Lotus Domino Administrator, choose Administrator Tab > Server > All Server Documents.
  2. From the listed servers, select the server you want to configure.
  3. Click Internet Protocols > HTTP tab.
  4. At the DSAPI Filter File names field, enter Agent_Install_Dir\domino\bin\amdomino.dll.
  5. Save the changes and close the window.
  6. Open Domino console and restart the server by entering the following commands:

    tell http quit

    load http

Configuring Domino DSAPI Filter for Multiple Server Partitions

If you are configuring Domino DSAPI Filter for multiple server partitions, you must:

  • Use the same AMAgent.properties file for all the supported partitions.
  • Configure the filter for each of the server partitions you want to support.

You can configure the filter for the different partitions by performing the following tasks:

  1. In Lotus Domino Administrator, choose Administrator Tab > Server > All Server Documents.
  2. From the listed servers, select the required server.
  3. Now go to Internet Protocols > HTTP.
  4. At the DSAPI Filter File names field, enter Agent_Install_Dir\domino\bin\amdomino.dll.
  5. Save the changes and close the window.
  6. Open Domino console and restart the server by entering the following commands:

    tell http quit

    load http

Using Secure Sockets Layer (SSL) with an Agent

During installation, if you choose the HTTPS protocol, the agent is automatically configured and ready to communicate over SSL.



Note

Before proceeding with the following steps, ensure that the Web Server is configured for SSL.

You should have a solid understanding of SSL concepts and the security certificates required to enable communication over the HTTPS protocol. See the documentation that comes with your web server. If you're using Sun ONE Web Server, you can access the following documentation on the Internet:

http://docs.sun.com/source/816-5682-10/esecurty.htm#1011961



The Agent's Default Trust Behavior

By default, the policy agent installed on a remote Sun ONE Web Server 6.0 or Microsoft IIS 5.0 will trust any server certificate presented over SSL by the web server that runs Sun ONE Identity Server; the agent does not check the root Certificate Authority (CA) certificate. If the web server that runs Sun ONE Identity Server is SSL-enabled, and you want the policy agent to perform certificate-checking, you must do two things:

  1. Disable the agent's default trust behavior.
  2. Install a root CA certificate on the remote web server where the agent is installed. The root CA certificate must be the same one that is installed on the web server that runs Sun ONE Identity Server.

Disabling the Agent's Default Trust Behavior

The following property exists in the AMAgent.properties file, and by default it is set to true:

com.sun.am.policy.agents.trustServerCerts=true

This means that the agent does not perform certificate checking.

To Disable the Default Behavior

The following property must be set to false:

com.sun.am.policy.agents.trustServerCerts=false

Installing the Root CA Certificate on the Remote Web Server

The root CA certificate that you install on the remote web server must be the same one that is installed on the web server that runs Sun ONE Identity Server.

To Install the Root CA Certificate on Sun ONE Web Server

See the instructions for installing a root CA Certificate in the documentation that comes with the web server. Generally, this is done through the web server's Administration console. Access the documentation for Sun ONE Web Server 6.0 on the Internet at the following URL: http://docs.sun.com/source/816-5682-10/esecurty.htm#1011961

To Install the Root CA Certificate on Microsoft IIS

  1. Go to the following directory:

    Agent_Install_Dir\iis\cert

  2. Add the same root certificate that is installed on the web server that runs Sun ONE Identity Server into the existing certificate database. At the command line, enter the following command:

    \Agent_Install_Dir\bin\certutil -A -n cert-name -t "C,C,C" -d cert-dir -i cert-file

    using the following variables:

    • cert-name can be any name for this root certificate.
    • cert-dir is the directory where the certificate-related files are located. On Windows the location is:

      Agent_Install_Dir\bin

    • cert-file is the base-64 encoded root certificate file.

    For more information on certutil, type certutil -H

    To verify that the root certificate was installed properly in the certificate database, enter the following command:

    Agent_Install_Dir\bin\certutil -L -d .

    You should see the root certificate added and listed in the output of the command.

  3. Restart IIS.

To Install the CA Certificate on Domino Web Server

The CA certificate that you install on the Domino Web server must be the same one that is installed on the web server that runs Identity Server services.

See the instructions for installing a CA Certificate in the documentation that comes with the web server. Generally, this is done through the web server's Administration console.

  1. Go to the following directory:

    Agent_Install_Dir\Agents\domino\utils

  2. Add the same certificate that is installed on the web server that runs Identity Server services into the existing certificate database. At the command line, enter the following command:

    certutil -A -n cert-name -t "C,C,C" -d cert-dir -i cert-file

    using the following variables:

    • cert-name can be any name for this certificate.
    • cert-dir is the directory where the certificate-related files are located. On Windows the location is:

      Agent_Install_Dir\Agents\domino\cert

    • cert-file is the base-64 encoded certificate file.

    For more information on certutil, type certutil -H

  3. Restart Domino Web Server.

Setting the REMOTE_USER Server Variable

The REMOTE_USER server environment variable can be set to a Sun ONE Identity Server authenticated user or an anonymous user. By setting this variable to a specific user, the user becomes available to web applications (such as a CGI, servlet, or an ASP program). This feature makes it possible to personalize the content of displayed HTML pages to specific users.

Performing these steps will set REMOTE_USER for allowed URLs.

To enable the REMOTE_USER setting for globally not-enforced URLs as specified in the AMAgent.properties file (these are URLs that can be accessed by unauthenticated users), you must set the following property in the AMAgent.properties file to TRUE (by default, this value is set to FALSE):

com.sun.am.policy.agents.anonRemoteUserEnabled=TRUE

When you set this property value to TRUE, the value of REMOTE_USER will be set to the value contained in the following property in the AMAgent.properties file (by default, this value is set to anonymous):

com.sun.am.policy.agents.unauthenticatedUser=anonymous

To enable the REMOTE_USER feature for an IIS 5.0 agent, perform the following steps:

  1. From the Windows Start menu, select Programs > Administrative Tools > Internet Services Manager.

    This will launch the Internet Information Services console.

  2. On the web site that you want the Sun ONE Identity Server agent to protect, select Properties.
  3. Select the Directory Security tab.
  4. In the Anonymous Access and Authentication Control section, click Edit.
  5. In the dialog that displays, select Anonymous Access and Basic Authentication, then deselect Integrated Windows Authentication.

Validating Client IP Addresses

This feature can be used to enhance security by preventing the stealing or hijacking of SSO tokens.

The AMAgent.properties file contains a property titled com.sun.am.policy.agents.client_ip_validation_enable, which, by default, is set to false.

If you set this property value to true, client IP address validation will be enabled for each incoming request that contains an SSO token. If the IP address from which the request was generated does not match the IP address issued for the SSO token, the request will be denied. This is essentially the same as enforcing a deny policy.

This feature should not be used, however, if the client browser uses a web proxy or if there is a load-balancing application somewhere between the client browser and the agent-protected web server. In such cases, the IP address appearing in the request will not reflect the real IP address on which the client browser runs.
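
The settings described so far (certificate trust, REMOTE_USER for not-enforced URLs, and client IP validation) can be checked together. The following is an added example, not code from Sun or from the agent: it reads AMAgent.properties text and reports the settings this chapter marks as security-relevant, applying the chapter's stated defaults when a key is absent. The `#` comment syntax, the function names and the sample file contents are assumptions made for the example.

```python
"""Audit the AMAgent.properties settings this chapter marks as security-relevant."""

PREFIX = "com.sun.am.policy.agents."
TRUST = PREFIX + "trustServerCerts"
IP_CHECK = PREFIX + "client_ip_validation_enable"
ANON = PREFIX + "anonRemoteUserEnabled"
ANON_USER = PREFIX + "unauthenticatedUser"

# Defaults as stated in the chapter; they apply when a key is absent.
DEFAULTS = {TRUST: "true", IP_CHECK: "false", ANON: "FALSE", ANON_USER: "anonymous"}


def load_properties(text):
    """Parse key=value lines. Assumption: '#' starts a comment line."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def enabled(props, key):
    # The chapter writes both "true" and "TRUE", so compare case-insensitively.
    return props[key].lower() == "true"


def audit(text, behind_proxy=False):
    """Return a list of (property, message) findings.

    behind_proxy: True if a web proxy or load balancer sits between the
    client browsers and the agent-protected web server.
    """
    props = {**DEFAULTS, **load_properties(text)}
    findings = []
    if enabled(props, TRUST):
        findings.append((TRUST, "agent accepts any server certificate from "
                                "Identity Server; set to false and install the root CA"))
    if enabled(props, IP_CHECK) and behind_proxy:
        findings.append((IP_CHECK, "request IP will be the proxy's, not the "
                                   "client's; the chapter says not to use this here"))
    elif not enabled(props, IP_CHECK) and not behind_proxy:
        findings.append((IP_CHECK, "SSO tokens are not checked against the "
                                   "client IP address they were issued for"))
    if enabled(props, ANON):
        findings.append((ANON, f"REMOTE_USER is set to {props[ANON_USER]!r} on "
                               "not-enforced URLs; applications must treat that "
                               "name as unauthenticated"))
    return findings


# Constructed sample file contents (not taken from a real installation).
SAMPLE = """\
# constructed example
com.sun.am.policy.agents.trustServerCerts=true
com.sun.am.policy.agents.client_ip_validation_enable=false
com.sun.am.policy.agents.anonRemoteUserEnabled=TRUE
com.sun.am.policy.agents.unauthenticatedUser=guest
"""

HARDENED = """\
# constructed example
com.sun.am.policy.agents.trustServerCerts=false
com.sun.am.policy.agents.client_ip_validation_enable=true
com.sun.am.policy.agents.anonRemoteUserEnabled=FALSE
"""

if __name__ == "__main__":
    for key, message in audit(SAMPLE):
        print(f"{key}: {message}")
```

An empty file is audited against the defaults, so a missing trustServerCerts line is reported the same way as an explicit true.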

POST Data Preservation

POST data preservation is supported on the Sun ONE Web Server 6.0 SPx agent. It preserves POST data that users submit to the web server through HTML forms before they log in to Identity Server. Presumably the HTML page containing the form should be in the global not-enforced list. By default, this feature is turned off.

This feature is configurable through two properties in the AMAgent.properties file. To turn off this feature, use the following AMAgent.properties file property and change the value of the property from true to false:

com.sun.am.policy.agents.is_postdatapreserve_enabled=true

The second property decides how long any POST data can stay valid in the web server cache. After the specified interval, a reaper thread will wake up and clean up any POST cache entries that have lived beyond the specified life time. The following property helps the administrator to configure this time interval. By default this property is set to 10 minutes.

com.sun.am.policy.agents.postcacheentrylifetime=10



Note

This feature is not available for the IIS 5.0 agent on win2k.



Shared Secret Encryption Utility

The Policy Agent stores the shared secret in the AMAgent.properties file. By default, this password is the Identity Server internal LDAP authentication user password. This can be changed on the server side by editing the AMConfig.Properties file.

The property com.sun.am.policy.am.password in the AMAgent.properties file is set with the encrypted shared secret while installing the agent.

To reset or change the shared secret, you can use the following utility and set the value in the property.

  1. Go to the following directory:

    Agent_Install_Dir\bin

  2. Execute the following script from the command line:

    cryptit shared_secret

  3. Cut and paste the output from Step 2 in the property:

    com.sun.am.policy.am.password

  4. Restart the Web Server and try accessing any resource protected by the agent.

Uninstalling and Disabling Policy Agent

When you no longer require the policy agent, you can uninstall it or disable it.

Uninstalling a Policy Agent

  1. From the Windows Start menu, choose Settings > Control Panel.
  2. In the Control Panel, open Add / Remove Programs.
  3. In the Add/Remove Programs window, choose Sun ONE Identity Server Policy Agent.
  4. Click Change/Remove.
  5. Click Next on Welcome panel.
  6. Click Uninstall Now.
  7. Click Exit after uninstallation is complete.

Disabling a Policy Agent Installed on Microsoft IIS

Use the following steps to disable an agent installed on Microsoft IIS:

  1. Launch Internet Services Manager.
    • From the Start menu, choose Programs > Administrative Tools > Internet Services Manager.

  2. Check the filter status.
    1. Open properties for the host computer in the tree pane of the Internet Services Manager window which is titled "Internet Information Services."

      The host computer name should appear in the tree underneath the Internet Information Services root.

    2. Click Edit in the Master Properties section of the Internet Information Services tab.
    3. Select the ISAPI Filters tab in the WWW Service Master Properties dialog that appears.
    4. Highlight the filter named "Sun ONE Identity Server Agent."

      You can click Edit to view the filter name and executable path. You'll need this information when you want to re-enable the agent. Click Cancel to return to the program.

    5. Click Remove.
    6. Click Apply and exit from the WWW Service Master Properties dialog.
    7. Restart Microsoft IIS.

Uninstalling the Policy Agent for Lotus Domino 5.0.10

Before you uninstall the Policy Agent for Lotus Domino 5.0.10, you should perform the following steps on the Lotus Domino Administrator client from a Windows machine.

  1. Launch Lotus Domino Administrator.
  2. Choose Administrator Tab > Server > All Server Documents.
  3. From the listed servers, select the server you want to uninstall.
  4. Click Internet Protocols > HTTP tab.
  5. Remove the DSAPI filter file name specified for the agent and leave this field blank.
  6. Click the Save and Close button to save the changes.
  7. Open Domino console and restart the server by entering the following commands:

    tell http quit

    load http

  8. From the Start Menu, choose Settings > Control Panel.
  9. In the Control Panel, double-click Add / Remove Programs.
  10. In the Add/Remove Programs window, choose Sun ONE Identity Server Policy Agent and click on Change/Remove.
  11. In the Welcome Panel, click Next.
  12. In the Ready to Uninstall Panel, click Uninstall Now.
  13. Click Exit after uninstallation is complete.

Uninstalling an Agent Using the Command-Line

  1. In the Agent_Install_Dir directory, at the command line, enter the following command:

    java uninstall_Sun_ONE_Identity_Server_Policy_Agent -nodisplay

  2. The following text is displayed:

    1. Uninstall Now
    2. Start Over
    3. Exit Uninstallation
    What would you like to do?

  3. When prompted, What would you like to do?, enter 1 to start the uninstallation.

  4. The following text is displayed:

    Product                            Result     More Information
    1.  Sun ONE Identity Server Agent  Full       Available
    2.  Done

  5. To see log information, enter 1. To exit the uninstallation program, enter 2.

  6. When the uninstallation is completed, you must reboot the system.
  7. If you want to see more details of the uninstallation, a log file is written in the following location:

    %TEMP%\Sun_ONE_Identity_Server_Policy_Agent_uninstall*

Troubleshooting the Installation

IIS Policy Agent

If you are experiencing problems with your installation try the following:

  • Check the installation log file for errors:

    %TEMP%\Sun_ONE_Identity_Server_Policy_Agent_uninstall.nnnn

  • Re-install by uninstalling and then installing.
  • Verify agent loading in IIS:
    1. Launch Internet Services Manager.

      From the Start menu, choose Programs > Administrative Tools > Internet Services Manager.

    2. Open the properties for the host computer in the Tree Pane of the Internet Services Manager window that is titled Internet Information Services.

      The host computer name should appear in the tree underneath the Internet Information Services root.

    3. Click Edit in the Master Properties section of the Internet Information Services tab.
    4. Select the ISAPI Filters tab in the WWW Service Master Properties dialog that appears.
    5. Look for the filter name "Sun ONE Identity Server agent."

      If the Filter name "Sun ONE Identity Server Agent" does not appear at all, then check that the installer was run, and look for any errors during installation. The install log is located at:

      %TEMP%\Sun_ONE_Identity_Server_Policy_Agent_uninstall.nnnn

      A green arrow pointing up in the Status column to the right of the "Sun ONE Identity Server Agent" indicates the agent loaded successfully into IIS. A red arrow pointing down indicates that the filter failed to load. The most likely cause of the filter not loading successfully (red arrow) is that it cannot locate the required dll files.

    6. Check your system path to ensure that the following directory is present:

      Agent_Install_Dir\bin

    7. If the filter did not load successfully check the following:
      • Check the path of the Agent DLL by clicking "Sun ONE Identity Server Agent" and then Edit. Ensure that the path in the text box labeled Executable is valid.
      • The agent also needs several DLL files. Check that the following exist in the directory Agents\bin:

        amsdk.dll
        ames6.dll
        libnspr4.dll
        libplc4.dll
        libplds4.dll
        libxml2.dll
        nss3.dll
        ssl3.dll

    8. If the libraries are in your system path try rebooting the system.

  • IIS logs filter loading errors in the System Event Log. To check the event log:
    1. From the Start menu, choose Programs > Administrative Tools > Event Viewer.
    2. Select the System Log.
    3. Check for Error messages with Source W3SVC.

  • If the agent loads but returns HTTP 500 Internal Server Error for all URL requests to the IIS web server:

    This indicates that the agent has loaded but did not properly initialize. Returning HTTP 500 Internal Server Error for all HTTP requests is a fail-safe to protect URL resources when the Agent cannot initialize. The most likely cause is a Sun ONE Identity Server agent or server misconfiguration or unavailability.

  • Check the agent debug log.

    The log is located by default at the Agent_Install_Dir directory. This is the best source of debug information for resolving initialization and agent operation issues. The log file directory is specified by the property com.sun.am.policy.am.logFile in the AMAgent.properties file located in the directory:

    Agent_Install_Dir\iis\config\_PathInstanceName

    The property com.sun.am.policy.am.loglevels controls the verbosity of the log information. Set the logging level for the specified logging categories.

    The format of the values is:

    ModuleName[:Level][,ModuleName[:Level]]*

    The currently used module names are AuthService, NamingService, PolicyService, SessionService, PolicyEngine, ServiceEngine, Notification, PolicyAgent, RemoteLog and all. If the level is omitted, then the logging module will be created with the default logging level, which is the logging level associated with the 'all' module.

    The all module can be used to set the logging level for all modules. This will also establish the default level for all subsequently created modules. The meaning of the 'Level' value is described below:

    0 = Disable logging from specified module

    1 = Log error messages

    2 = Log warning and error messages

    3 = Log info, warning, and error messages

    4 = Log debug, info, warning, and error messages

    5 = Like level 4, but with even more debugging messages.

  • Check that the agent can locate the AMAgent.properties configuration file.

    The agent uses the registry key HKEY_LOCAL_MACHINE\Software\Sun Microsystems\Identity Server IIS Agent to locate the AMAgent.properties file. The AMAgent.properties file is located at:

    Agent_Install_Dir\iis\config\_PathInstanceName

  • The agent uses the Application Event Log to log errors that occur before the debug log file specified in AMAgent.properties is started.
    1. From the Start menu, choose Programs > Administrative Tools > Event Viewer.
    2. Select the Application Log.
    3. Check for Error messages with Source Sun ONE Identity Server IIS Agent.
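
The com.sun.am.policy.am.loglevels format described above can be checked before the web server is restarted. The following is an added example, not the agent's own parser: it validates a value against the module names and levels listed in this section and returns the resulting level for each module. Two points are assumptions, because the page does not state them: an explicit Module:Level entry wins regardless of its position in the list, and the `fallback` parameter stands in for the level used when no 'all' entry is present.

```python
"""Validate a com.sun.am.policy.am.loglevels value and resolve per-module levels."""

# Module names and level meanings as listed in this section.
MODULES = ("AuthService", "NamingService", "PolicyService", "SessionService",
           "PolicyEngine", "ServiceEngine", "Notification", "PolicyAgent",
           "RemoteLog")
LEVELS = {"0": "disabled", "1": "error", "2": "warning", "3": "info",
          "4": "debug", "5": "debug, more detail"}


def parse_loglevels(value, fallback=1):
    """Return (effective, problems).

    effective maps every known module to an integer level 0-5.
    problems lists entries that do not match ModuleName[:Level].
    Assumptions: explicit entries win regardless of order; `fallback`
    is used when the value carries no valid 'all:Level' entry.
    """
    explicit, problems = {}, []
    default = fallback
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            if value.strip():          # "a,,b" or a trailing comma
                problems.append("empty entry")
            continue
        name, sep, level_text = entry.partition(":")
        name, level_text = name.strip(), level_text.strip()
        if name != "all" and name not in MODULES:
            problems.append(f"unknown module {name!r}")
            continue
        if not sep:
            continue                   # level omitted: inherits the 'all' level
        if level_text not in LEVELS:
            problems.append(f"invalid level {level_text!r} for {name}")
            continue
        if name == "all":
            default = int(level_text)
        else:
            explicit[name] = int(level_text)
    effective = {module: explicit.get(module, default) for module in MODULES}
    return effective, problems


def verbose_modules(effective):
    """Modules left at debug verbosity (level 4 or 5), sorted by name."""
    return sorted(m for m, level in effective.items() if level >= 4)


if __name__ == "__main__":
    # Constructed sample value, not taken from a real installation.
    levels, issues = parse_loglevels("all:3,PolicyAgent:5,NamingService")
    for module, level in levels.items():
        print(f"{module}: {level} ({LEVELS[str(level)]})")
    print("problems:", issues)
    print("debug-level modules:", verbose_modules(levels))
```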

Cannot install Agent after previous installation is removed

The following is an example message displayed when you run the Agent installer:



"Sun ONE Identity Server Policy Agent 2.0 for Sun ONE Web Server 6.0 SPx is installed. Please refer to installation manual to configure this agent for another web server instance. Or uninstall it before installing another agent."


Possible Causes:

  • You might have an existing installation of Agent.
  • You might have a previously installed Agent and did not use Agent's uninstallation program to uninstall the Agent.
  • The installer's productregistry file may be corrupted.

Solution:

  • Check that you have uninstalled any existing installation of Agent.
  • The productregistry file may be corrupted if there is no existing installation of Agent. This file is used by the installer to track installed products. It is found in C:\WINNT\system32 directory.


    Note

    Make a backup copy of this file before you make changes.



    Remove the Agent product entry in this file. This entry starts with the following lines:



    <compversion>2.0
    <uniquename>SUNWamcom</uniquename>
    <vendor></vendor>
    ......
    </compid>
    <compid>Agent uninstall script
    <compversion>2.0
    <uniquename>Agent uninstall script</uniquename>
    <vendor>Sun Microsystems, Inc.</vendor>
    ......
    </compid>
    <compid>Agent installer resource bundle
    <compversion>2.0
    <uniquename>Agent installer resource bundle</uniquename>
    <vendor>Sun Microsystems, Inc.</vendor>
    ......
    </compid>
    <compid>Agent Common Core and SDK
    <compversion>2.0
    <uniquename>Agent Common Core and SDK</uniquename>
    <vendor></vendor>
    ......
    </compid>
    <compid>SUNWames6
    <compversion>2.0
    <uniquename>SUNWames6</uniquename>
    <vendor></vendor>
    ......
    </compid>
    <compid>Agent for ...
    <compversion>2.0
    <uniquename>Agent for ...</uniquename>
    <vendor></vendor>
    ......
    </compid>
    <compid>Sun ONE Identity Server Policy Agent
    <compversion>2.0
    <uniquename>Sun ONE Identity Server Policy Agent</uniquename>
    </compid>


Unable to uninstall Agent from Windows Start menu > Settings > Control Panel > Add/Remove Programs.

Possible Cause: Java's classpath may not be set correctly on the machine.

Solution: Use the following steps to uninstall the Agent.

  1. Open Command Prompt Window.
  2. Go to Agent_Install_Dir
  3. Execute command:

    java uninstall_Sun_ONE_Identity_Server_Policy_Agent

Lotus Domino 5.0.10

Domino Web Server starts with an error message "Unable to load filter".

Ensure that you have set the Domino DSAPI filter correctly. For steps on configuring the Domino DSAPI filter, see the section Configuring the Domino DSAPI Filter.

Domino DSAPI Filter is not functioning properly on the partitioned server.

Possible Cause: The database you have selected while configuring the DSAPI Filter may be wrong.

Solution: Ensure that you have selected the correct database while configuring the DSAPI filter.

Possible Cause: The partitioned database might not have been updated.

Solution: You might have to replicate the database from the Domino Admin Server.

Known Problems

IIS 5.0 Agent

After installing a Policy Agent on IIS 5.0, stopping individual web sites may occasionally lead to memory corruption messages. You can ignore these messages and restart the IIS server.

Agents are not effective after modification of Sun ONE Web Server configuration using the admin console.

The changes made by the agent installation to the server configuration files are overwritten by saving the changes in admin console.

The correct procedure when using the admin console is to load the configuration first (from disk file to memory), then make the modification, and save the changes (from memory to disk) by clicking the Apply button.


Copyright 2003 Sun Microsystems, Inc. All rights reserved.