Sun Java System Identity Manager 6.0 Resources Reference 2005Q4M3 


SQL Server

The SQL Server resource adapter has been deprecated. Use the MS SQL Server resource adapter instead.


Sun ONE Identity Server

The Sun ONE Identity Server resource adapter has been deprecated. Use the Sun Java System Access Manager resource adapter instead.

Sample Forms

Support for the following Identity Server sample forms will be continued for this release:

The SunISUserForm.xml form will also be available.


Sun Java System Access Manager

The Sun Java System Access Manager resource adapter is defined in the com.waveset.adapter.SunAccessManagerResourceAdapter class. This adapter supports the following versions:

Resource Configuration Notes

This resource adapter works with the following products:

The Policy Agent is an optional module that you can use to enable single sign-on (SSO). Do not attempt to follow Policy Agent configuration or installation procedures if this product is not being used in your environment.


Note  See http://docs.sun.com/db?p=doc%2F816-6772-10 for more information about Policy Agents.

The following sections describe how to install and configure Sun Java System Access Manager and Policy Agent.

Installing and Configuring Sun Java System Access Manager

If you install Sun Java System Access Manager on the same system as the Identity Manager server, see Sun Java System Access Manager Resource Adapter on page 1-347 for information about configuration. If you are using the Policy Agent, go to Installing and Configuring the Policy Agent on page 1-346 for additional information.

If Sun Java System Access Manager is installed on a different system than the Identity Manager server, then perform the following steps on the Identity Manager system.

  1. Create a directory to place files that will be copied from the Sun Java System Access Manager server. This directory will be called CfgDir in this procedure. The location of the Sun Java System Access Manager will be called AccessMgrHome.
  2. Copy the following files from AccessMgrHome to CfgDir. Do not copy the directory structure.
    • lib/*.*
    • locale/*.properties
    • config/serverconfig.xml
    • config/SSOConfig.properties (Identity Server 2004Q2 and later)
    • config/ums/ums.xml
  3. On UNIX, it may be necessary to change the permissions of the jar files in CfgDir to allow universal read access. Run the following command to change permissions:

    chmod a+r CfgDir/*.jar

  4. Append the JAVA classpath with the following:
    • Windows: CfgDir;CfgDir/am_sdk.jar;CfgDir/am_services.jar;CfgDir/am_logging.jar
    • UNIX: CfgDir:CfgDir/am_sdk.jar:CfgDir/am_services.jar:CfgDir/am_logging.jar
  5. If you are using version 6.0, set the Java system property to point to your CfgDir. Use a command similar to the following:

    java -Dcom.iplanet.coreservices.configpath=CfgDir

  6. If you are using version 6.1, add or edit the following lines in the CfgDir/AMConfig.properties file:

    com.iplanet.services.configpath=CfgDir
    com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.SecureRandomFactoryImpl
    com.iplanet.security.SSLSocketFactoryImpl=netscape.ldap.factory.JSSESocketFactory
    com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption

    The first line sets the configpath. The last three lines change security settings.

  7. Copy the CfgDir/am_*.jar files to $WSHOME/WEB-INF/lib. If you are using version 6.0, also copy the jss311.jar file to the $WSHOME/WEB-INF/lib directory.
  8. If Identity Manager is running on Windows and you are using Identity Server 6.0, copy IdServer\lib\jss\*.dll to CfgDir and add CfgDir to your system path.

Note  In an environment where Identity Manager is installed on a different system from Sun Java System Access Manager, check for the following error condition. If an attempt to connect to the Sun Java System Access Manager resource returns java.lang.ExceptionInInitializerError, followed by java.lang.NoClassDefFoundError on subsequent attempts, check for incorrect or missing configuration data.

Check that CfgDir contains all the data outlined in Step 6 and that all the configuration properties have been assigned correctly.

See Sun Java System Access Manager Resource Adapter on page 1-347 for more information about preparing Identity Manager for this resource.

Installing and Configuring the Policy Agent

The Identity Server Policy Agent 2.1 must be installed on the Identity Manager server. The Policy Agent can be obtained from the following location:

http://wwws.sun.com/software/download/inter_ecom.html#dirserv

Follow the installation instructions provided with the Policy Agent. Then perform the following tasks.

Edit the AMAgent.properties File

The AMAgent.properties file must be modified so that Identity Manager can be protected. It is located in the following directory:

Be sure to use the files located in the preceding directories. Do not use the copy located in the AgentInstallDir\config directory.

  1. Add or edit the following lines:

    com.sun.am.policy.am.fetchHeaders=true
    com.sun.am.policy.am.headerAttributes=entrydn|sois_user
    com.sun.am.policy.agents.fqdnDefault = FullyQualifiedIDMgrServer

    Note  There can be existing lines defining the headerAttributes and fqdnDefault values.

  2. Restart the web server so that the changes to the AMAgent.properties file can take effect.
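The CfgDir staging steps in the Access Manager procedure and the AMAgent.properties edit above are the kind of work an administrator scripts so that it is repeatable across servers. The following Python script is an added example, not code from the Identity Manager documentation or product: it copies the files listed in the procedure flat into CfgDir (a pattern that matches nothing, such as SSOConfig.properties on a release before 2004Q2, is skipped), applies chmod a+r to the jars, writes the version 6.1 AMConfig.properties lines, and makes the three AMAgent.properties edits. AccessMgrHome and CfgDir are the procedure's placeholder names, idm.example.com is a constructed stand-in for FullyQualifiedIDMgrServer, and the directory tree that demo() builds under a temporary directory is constructed for the demonstration.

```python
# Added example, not Identity Manager or Access Manager code. AccessMgrHome and CfgDir
# are the procedure's placeholders; idm.example.com and the demo() tree are constructed.
import glob
import os
import re
import shutil
import stat
import tempfile

# Files copied from AccessMgrHome to CfgDir without their directory structure.
AM_FILE_PATTERNS = ("lib/*.*", "locale/*.properties", "config/serverconfig.xml",
                    "config/SSOConfig.properties", "config/ums/ums.xml")

def set_property(path, key, value):
    """Add or edit key=value in a Java .properties file (ISO-8859-1). The first line
    for the key is rewritten even if written 'key = value'; later duplicates are dropped,
    since java.util.Properties keeps the last occurrence and a stale one would silently win."""
    key_line = re.compile(r"^\s*" + re.escape(key) + r"\s*=")
    lines = []
    if os.path.exists(path):
        with open(path, encoding="latin-1") as fh:
            lines = fh.read().splitlines()
    kept, result = [], "added"
    for line in lines:
        if key_line.match(line):
            if result == "added":
                kept.append(f"{key}={value}")
                result = "edited"
            continue
        kept.append(line)
    if result == "added":
        kept.append(f"{key}={value}")
    with open(path, "w", encoding="latin-1") as fh:
        fh.write("\n".join(kept) + "\n")
    return result

def configure_amconfig(cfg_dir):
    """Write the four CfgDir/AMConfig.properties lines for version 6.1."""
    settings = {"com.iplanet.services.configpath": cfg_dir,
                "com.iplanet.security.SecureRandomFactoryImpl": "com.iplanet.am.util.SecureRandomFactoryImpl",
                "com.iplanet.security.SSLSocketFactoryImpl": "netscape.ldap.factory.JSSESocketFactory",
                "com.iplanet.security.encryptor": "com.iplanet.services.util.JCEEncryption"}
    path = os.path.join(cfg_dir, "AMConfig.properties")
    return {k: set_property(path, k, v) for k, v in settings.items()}

def configure_amagent(path, idm_fqdn):
    """Write the AMAgent.properties lines that let the Policy Agent protect Identity Manager."""
    settings = {"com.sun.am.policy.am.fetchHeaders": "true",
                "com.sun.am.policy.am.headerAttributes": "entrydn|sois_user",
                "com.sun.am.policy.agents.fqdnDefault": idm_fqdn}
    return {k: set_property(path, k, v) for k, v in settings.items()}

def stage_cfgdir(access_mgr_home, cfg_dir):
    """Copy the listed files flat into cfg_dir; a pattern with no match (such as
    SSOConfig.properties before 2004Q2) is skipped. Returns the copied base names."""
    os.makedirs(cfg_dir, exist_ok=True)
    copied = []
    for pattern in AM_FILE_PATTERNS:
        for src in sorted(glob.glob(os.path.join(access_mgr_home, pattern))):
            if os.path.isfile(src):
                shutil.copy2(src, os.path.join(cfg_dir, os.path.basename(src)))
                copied.append(os.path.basename(src))
    return copied

def make_jars_world_readable(cfg_dir):
    """chmod a+r CfgDir/*.jar: read bits are added and write bits left alone, so
    the jars become readable by the server account, not writable by everyone."""
    jars = glob.glob(os.path.join(cfg_dir, "*.jar"))
    for jar in jars:
        os.chmod(jar, os.stat(jar).st_mode | stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
    return {os.path.basename(j): stat.S_IMODE(os.stat(j).st_mode) for j in jars}

def demo(root=None):
    """Run the whole procedure against a constructed AccessMgrHome tree."""
    root = root or tempfile.mkdtemp(prefix="am_cfgdir_")
    am_home, cfg_dir = os.path.join(root, "AccessMgrHome"), os.path.join(root, "CfgDir")
    for rel in ("lib/am_sdk.jar", "lib/am_services.jar", "locale/amAuth.properties",
                "config/serverconfig.xml", "config/ums/ums.xml"):  # no SSOConfig.properties
        full = os.path.join(am_home, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        # created owner-only (0600) so that the chmod a+r step has something to fix
        with os.fdopen(os.open(full, os.O_CREAT | os.O_WRONLY, 0o600), "w") as fh:
            fh.write("constructed placeholder\n")
    agent = os.path.join(root, "AMAgent.properties")
    with open(agent, "w", encoding="latin-1") as fh:  # constructed pre-existing file
        fh.write("com.sun.am.policy.agents.fqdnDefault = old.example.com\n"
                 "com.sun.am.policy.am.fetchHeaders=true\n"
                 "com.sun.am.policy.am.fetchHeaders=false\n")  # stale duplicate
    result = {"copied": stage_cfgdir(am_home, cfg_dir),
              "jar_modes": make_jars_world_readable(cfg_dir),
              "amconfig": configure_amconfig(cfg_dir),
              "amagent": configure_amagent(agent, "idm.example.com")}
    with open(agent, encoding="latin-1") as fh:
        result["amagent_lines"] = fh.read().splitlines()
    return result

if __name__ == "__main__":
    print(demo())
```

set_property treats a line written as key = value as the same property and removes any later duplicate of the key: java.util.Properties keeps the last definition it reads, so a stale duplicate left behind after an edit would silently override the new value. The chmod step adds only the read bits, which is exactly what a+r means; loosening the jars to mode 666 instead would let every local account replace code the server loads.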

Create a Policy in Sun Java System Access Manager

  1. From within the Sun Java System Access Manager application, create a new policy named IDMGR (or something similar) with the following rules:

    Service Type        Resource Name               Actions
    URL Policy Agent    http://server:port/idm      Allow GET and POST actions
    URL Policy Agent    http://server:port/idm/*    Allow GET and POST actions

  2. Assign one or more subjects to the IDMGR policy.

Identity Manager Installation Notes

This section provides installation and configuration notes for the Sun Java System Access Manager resource adapter and the Policy Agent.

Sun Java System Access Manager Resource Adapter

If the Sun Java System Access Manager is installed on a different system than the Identity Manager server, then perform the procedure described in Installing and Configuring Sun Java System Access Manager on page 1-344.

Otherwise, copy the AccessMgrHome/lib/am_*.jar files to $WSHOME/WEB-INF/lib. If you are using version 6.0, also copy the jss311.jar file to the $WSHOME/WEB-INF/lib directory.

After the files have been copied, to add the Sun Java System Access Manager resource to the Identity Manager resources list, you must add the following value in the Custom Resources section of the Configure Managed Resources page.

com.waveset.adapter.SunAccessManagerResourceAdapter

Policy Agent

You must modify the administrator and user login modules so that the Sun Java System Access Manager login modules are listed first.


Note  A Sun Java System Access Manager resource must be configured before performing this procedure:

  1. From the Identity Manager Administrator Interface menu bar, click Configure.
  2. Click Login.
  3. Click the Administrator Interface link.
  4. Select the Sun Java System Access Manager Login Module from the drop-down list.
  5. Configure the module as desired and click the Save button.
  6. Click the check box to the left of the Sun Java System Access Manager Login Module option and click the Move Up button.
  7. Save your changes and repeat this procedure for the User Interface.

Usage Notes

If you are running Identity Manager under WebLogic, and native changes made in Sun Java System Access Manager do not appear in Identity Manager, add am_services.jar in the classpath before weblogic.jar.

To set the protocol handler when you have more than one:

java.protocol.handler.pkgs=com.iplanet.services.comm|sun.net.www.protocol

Security Notes

This section provides information about supported connections and authorization requirements needed to perform basic tasks.

Supported Connections

Identity Manager uses JNDI over SSL to communicate with this adapter.

Required Administrative Privileges

The user name that connects to the Sun Java System Access Manager must be assigned permissions to add or modify user accounts.

Provisioning Notes

This section contains a table that summarizes the provisioning capabilities of the adapter.

Feature                        Supported?
Enable/disable account         Yes
Rename account                 No
Pass-through authentication    Yes. The Web Proxy Agent is required for single sign-on.
Before/after actions           No
Data loading methods           Import directly from resource; Reconcile with resource

Account Attributes

The following table lists the Sun Java System Access Manager user account attributes supported by default. All attributes are optional, unless noted in the description.

Resource User Attribute        Resource Attribute Type   Description
cn                             String                    Required. The user’s full name.
dynamicSubscriptionGroups      String                    A list of dynamic groups to which the user is subscribed.
employeeNumber                 Number                    The user’s employee number.
givenname                      String                    The user’s first name.
iplanet-am-user-account-life   Date                      The date and time the user account expires. The account does not expire if this value is not set.
iplanet-am-user-alias-list     String                    A list of aliases that may be applied to the user.
iplanet-am-user-failure-url    String                    The URL that the user will be redirected to upon unsuccessful authentication.
iplanet-am-user-success-url    String                    The URL that the user will be redirected to upon successful authentication.
mail                           Email                     The user’s e-mail address.
postalAddress                  String                    The user’s home address.
roles                          String                    A list of roles assigned to the user.
sn                             String                    The user’s last name.
staticSubscriptionGroups       String                    A list of static groups to which the user is subscribed.
telephoneNumber                String                    The user’s telephone number.
uid                            String                    Required. A unique user ID for the user.
userPassword                   Password                  Required. The user’s password.

Resource Object Management

Identity Manager supports the following Sun Java System Access Manager objects:

Resource Object              Features Supported                       Attributes Managed
Role                         List, update, delete                     cn, iplanet-am-role-aci-description, iplanet-am-role-description, iplanet-am-role-type, accountMembers
Static subscription group    List, create, update, delete, save as    cn, iplanet-am-group-subscribable, uniqueMember
Filtered group               List, create, update, delete, save as    cn, accountMembers, membershipFilter
Dynamic subscription group   List, create, update, delete, save as    cn, accountMembers, iplanet-am-group-subscribable
Organization                 List, create, delete, save as, find      o

Identity Template

The default identity template is

uid=$uid$,ou=People,dc=MYDOMAIN,dc=com

The default template must be replaced with a valid value.
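The template is a DN in which $uid$ is replaced by the account's uid value. A value that contains a character with special meaning in a DN (a comma, plus sign, double quote, backslash, angle bracket or semicolon, a leading '#' or a leading or trailing space) has to be escaped as RFC 4514 section 2.4 describes, or the rendered DN changes shape. The following Python code is an added example, not the adapter's own code: it assumes the $attr$ placeholder form shown in the default template, refuses the unreplaced MYDOMAIN default, and the template and uid values it uses are constructed. Whether the adapter escapes values itself is not stated on this page.

```python
# Added example, not the adapter's own code. Assumes the $attr$ placeholder syntax
# of the default identity template; the template and values used in demo() are constructed.
import re

DEFAULT_TEMPLATE = "uid=$uid$,ou=People,dc=MYDOMAIN,dc=com"  # the documented default
PLACEHOLDER = re.compile(r"\$([A-Za-z0-9_-]+)\$")


def template_is_valid(template):
    """The shipped default must be replaced: reject it while MYDOMAIN is still in it."""
    return "MYDOMAIN" not in template and PLACEHOLDER.search(template) is not None


def escape_dn_value(value):
    """Escape one attribute value for use inside a DN (RFC 4514 section 2.4)."""
    if value == "":
        raise ValueError("empty RDN value")
    out = []
    for ch in value:
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    text = "".join(out)
    if value[0] in " #":          # a leading space or '#' must be escaped
        text = "\\" + text
    if value.endswith(" "):       # so must a trailing space
        text = text[:-1] + "\\ "
    return text


def render_identity(template, attrs, escape=True):
    """Substitute $name$ placeholders from attrs. escape=False reproduces what a
    plain string replacement would produce and exists only for comparison."""
    if not template_is_valid(template):
        raise ValueError("identity template is the unreplaced default or has no placeholder")

    def sub(match):
        name = match.group(1)
        if name not in attrs:
            raise KeyError(f"template needs attribute {name!r}")
        return escape_dn_value(attrs[name]) if escape else attrs[name]

    return PLACEHOLDER.sub(sub, template)


def split_rdns(dn):
    """Split a DN on unescaped commas, keeping backslash escape pairs intact."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])
            i += 2
        elif dn[i] == ",":
            parts.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(dn[i])
            i += 1
    parts.append("".join(cur))
    return parts


def demo():
    template = "uid=$uid$,ou=People,dc=example,dc=com"  # constructed valid template
    uid = "smith, jr"                                   # constructed value containing a comma
    escaped = render_identity(template, {"uid": uid})
    naive = render_identity(template, {"uid": uid}, escape=False)
    return {"plain": render_identity(template, {"uid": "jdoe"}),
            "escaped": escaped,
            "escaped_rdn_count": len(split_rdns(escaped)),  # 4: the template's shape is kept
            "naive_rdn_count": len(split_rdns(naive))}      # 5: the comma added an RDN


if __name__ == "__main__":
    print(demo())
```

The comparison in demo() is the check worth keeping: a correctly rendered identity has exactly as many RDNs as the template, so counting RDNs after substitution is a cheap way to detect a value that was not escaped before it reaches the directory.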

Sample Forms

This section lists the sample forms that are built-in and available for the Sun Java System Access Manager resource adapter.

Built-In

Also Available

SunAMUserForm.xml

Troubleshooting

Use the Identity Manager debug pages to set trace options on the following class:

com.waveset.adapter.SunAccessManagerResourceAdapter





Copyright 2006 Sun Microsystems, Inc. All rights reserved.