Saturday, October 30, 2010

Sun Access Manager 7.1 - Password Retries Exceeded Issue

I have a customer in Thailand asking me for help with a weird error message that appears when he tries to log in after his password retries have been exceeded.


He was warned of account lockout before reaching his max password retry count. This is what he expected. Good.


However, an "Authentication failed" error message is shown when he actually exceeds his max password retry count. He was expecting "Password retry limit exceeded". No good.




I did a search in amAuthLDAP.properties:

#ExceedRetryLimit=Exceed password retry limit. Please try later.
ExceedRetryLimit=Authentication failed.


That explains it. This is for security and auditing purposes: these days, auditors advise customers not to reveal too much to end users when a login fails.
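As an added illustration (not code from the original post), here is a small parser for Java .properties files like amAuthLDAP.properties and a check that flags when the messages for different login failures differ; the sample file, and the InvalidUP and UserInactive keys in it, are constructed for the example.

```python
# Added example, not from the original post: a minimal parser for Java
# .properties files such as amAuthLDAP.properties, plus a check that the
# messages for different login-failure reasons are identical, so the login
# page cannot be used to tell a locked-out account from a wrong password.

# Constructed sample in the amAuthLDAP.properties format. Only the two
# ExceedRetryLimit lines come from the post; the other keys are made up.
SAMPLE_PROPERTIES = """\
# comment line
! comments may also start with '!'
#ExceedRetryLimit=Exceed password retry limit. Please try later.
ExceedRetryLimit=Authentication failed.
InvalidUP=Authentication failed.
UserInactive : Authentication \\
    failed.
"""
FAILURE_KEYS = ("ExceedRetryLimit", "InvalidUP", "UserInactive")


def parse_properties(text):
    """Parse .properties text into a dict: '#'/'!' comments, '=', ':' or
    whitespace separators, backslash continuation (escapes not decoded)."""
    props, lines, i = {}, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line[0] in "#!":
            continue
        while line.endswith("\\") and i < len(lines):  # join continuations
            line = line[:-1] + lines[i].strip()
            i += 1
        for pos, ch in enumerate(line):
            if ch in "=:" or ch.isspace():
                key, value = line[:pos], line[pos + 1:].lstrip()
                if ch.isspace() and value[:1] in "=:":  # "key : value"
                    value = value[1:].lstrip()
                break
        else:  # a bare key with no value
            key, value = line, ""
        props[key] = value
    return props


def leaks_account_state(props, keys=FAILURE_KEYS):
    """True when the failure messages differ, i.e. the login form would
    reveal whether an account is locked or inactive rather than mistyped."""
    messages = {props[k] for k in keys if k in props}
    return len(messages) > 1
```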


Thursday, October 28, 2010

OpenSSO - WebtopNaming Error

I was trying to configure a Site for my two OpenSSO Enterprise Servers and I hit the famous WebtopNaming error shown below:

Servlet /opensso threw load() exception
java.lang.StackOverflowError
:
at java.util.concurrent.locks.ReentrantReadWriteLock$ReadLock.lock(ReentrantReadWriteLock.java:594)
at com.iplanet.am.util.SystemProperties.get(SystemProperties.java:252)
at com.iplanet.am.util.SystemProperties.get(SystemProperties.java:329)
at com.iplanet.services.naming.WebtopNaming.getServerID(WebtopNaming.java:620)
at com.iplanet.services.naming.WebtopNaming.getServerID(WebtopNaming.java:594)
at com.iplanet.services.naming.WebtopNaming.updatePlatformServerIDs(WebtopNaming.java:1186)
at com.iplanet.services.naming.WebtopNaming.updateNamingTable(WebtopNaming.java:1111)
at com.iplanet.services.naming.WebtopNaming.getNamingProfile(WebtopNaming.java:995)
at com.iplanet.services.naming.WebtopNaming.getServerID(WebtopNaming.java:658)
at com.iplanet.services.naming.WebtopNaming.getServerID(WebtopNaming.java:594)


There are many scenarios that can cause this problem. Mine today was kind of stupid.


I had carelessly appended an extra "/" to "/opensso". Be careful!





Monday, October 25, 2010

OpenSSO - Manual configuration

I was trying to configure OpenSSO Enterprise Server manually without using the GUI Configurator.





The following error was encountered:

-bash-3.00$ java -jar /dist/osso/tools/config/configurator.jar -f /dist/osso/tools/config/osso1-config
Not Found
Configuration failed!


What an unfriendly error message! What is "Not Found"?

It was only after a while that I realized I had forgotten to deploy opensso.war into my GlassFish container. How careless I was!

So here we go again:

-bash-3.00$ opt/gf211/bin/asadmin deploy --user admin --port 7878 --secure /dist/osso/opensso.war
Command deploy executed successfully.


-bash-3.00$ java -jar /dist/osso/tools/config/configurator.jar -f /dist/osso/tools/config/osso1-config
Checking configuration directory /sso/var/opensso....Success.
Installing OpenSSO configuration store...Success RSA/ECB/OAEPWithSHA1AndMGF1Padding.
Installing OpenSSO configuration store in /sso/var/opensso/opends...Success.
Creating OpenSSO suffix...Success.
Tag swapping schema files....Success.
Loading Schema am_sm_ds_schema.ldif...Success.
Loading Schema am_remote_opends_schema.ldif...Success.
Loading Schema fam_sds_schema.ldif...Success.
Reinitializing system properties....Done
Registering service amEntrySpecific.xml...Success.
:
:
Configuring system....Done
Configuring server instance....Done
Creating Web Service Security Agents....Done
Setting up registration files....Done
Configuration complete!


Nevertheless, I still think that we can do better with a friendlier error message.
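The two posts above (the bare "Not Found" from configurator.jar, and the WebtopNaming error caused by a trailing slash) suggest a preflight check to run before the configurator. This is an added example, not part of the post or of the OpenSSO tools; it assumes the configurator config file holds SERVER_URL and DEPLOYMENT_URI keys in KEY=VALUE form.

```python
# Added example, not from the original post or the OpenSSO tools: a preflight
# check to run before configurator.jar. It reads SERVER_URL and DEPLOYMENT_URI
# from the configurator's config file (assumed key names), rejects a malformed
# deployment URI such as "/opensso/" and probes the deployment URL so an
# undeployed opensso.war is reported plainly instead of as "Not Found".
import urllib.error
import urllib.request


def read_config(text):
    """Parse KEY=VALUE lines of a configurator config file into a dict."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg

def check_deployment_uri(uri):
    """None if well formed, else the problem (a trailing slash is the case
    behind the WebtopNaming StackOverflowError)."""
    if not uri.startswith("/"):
        return "DEPLOYMENT_URI must start with '/'"
    if len(uri) > 1 and uri.endswith("/"):
        return "DEPLOYMENT_URI must not end with '/'"
    return None

def http_status(url):
    """Status code of a HEAD request; HTTP errors such as 404 return their code."""
    try:
        with urllib.request.urlopen(urllib.request.Request(url, method="HEAD"), timeout=10) as r:
            return r.status
    except urllib.error.HTTPError as err:
        return err.code

def preflight(config_text, fetch=http_status):
    """Return (ok, message); `fetch` is injectable so the check can run offline."""
    cfg = read_config(config_text)
    if "SERVER_URL" not in cfg or "DEPLOYMENT_URI" not in cfg:
        return False, "config file lacks SERVER_URL or DEPLOYMENT_URI"
    problem = check_deployment_uri(cfg["DEPLOYMENT_URI"])
    if problem:
        return False, problem
    url = cfg["SERVER_URL"].rstrip("/") + cfg["DEPLOYMENT_URI"]
    status = fetch(url)
    if status == 404:
        return False, f"{url} not found: deploy opensso.war first"
    return True, f"{url} answered HTTP {status}; safe to run configurator"
```

Run it as `preflight(open("osso1-config").read())` before invoking the configurator; a 404 means the war has not been deployed yet.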


Monday, October 18, 2010

How to import SSL certificates into JVM trust store?

I was trying to set up an OpenSSO Distributed Authentication UI (DAUI) server on Sun Web Server 7 (aka Oracle iPlanet Server) to communicate with my backend OpenSSO Enterprise Server. The OpenSSO Enterprise Server is SSL-enabled for security reasons.


In our development environment, we install a self-signed certificate on the GlassFish Application Server that hosts the OpenSSO Enterprise Server.

In order for DAUI to communicate securely with the OpenSSO Enterprise Server, we need to import the self-signed CA certificate into the trust store of the JVM that runs the Sun Web Server.

The task can be daunting for people who do not work with SSL day in, day out.

Luckily, I found a very useful blog. Amazing! Written in 2006, it still works like a charm in 2010!

Thank you, Andreas!

Monday, October 11, 2010

Alternative SyncML Client

Besides Synchronica and NotifyLink, there is now another SyncML client alternative from Synthesis AG.



Synthesis SyncML Clients for mobile devices (PDA) bring SyncML compatibility to widespread mobile OS platforms like iOS (iPhone, iPad, iPod touch), Android, PalmOS and Windows Mobile.

This allows mobile over-the-air (OTA) synchronisation with any compliant SyncML server (such as GooSync.com, SyncWise, Oracle Calendar and Beehive, eGroupware, Horde, WinFonie, SyncEvolution, MDaemon, OpenXchange, DeskNow, ScheduleWorld.com, O-Sync and many, many more).


A free evaluation copy is offered. I have not personally tried it yet, but will do so when I have the bandwidth.
Does anyone have a review of this product? I would like to hear from you.

