azlabs

Policy Agent 2.2 in CDSSO mode connecting to OpenAM Issue

2012-01-04T18:17:00.003+08:00

One of my customers has a legacy Policy Agent 2.2 configured in CDSSO mode. It needs to connect to the newly installed OpenAM 9.5.3 server.

No luck... It was not a breeze porting over... We kept getting the following error:
WARNING: LdapSPValidator.validateAndGetRestriction: Invalid agent ID: http://stqa.as.com.sg:80/

See here.

Finally after much research, I found a link from Oracle. Not exactly the same deployment, but similar sympton.

The Web Proxy Agent 2.2-01 in Cross Domain Single Sign-on mode does not work with Access Manager 7.1 Patch . The agentRootURL requirement was added as a security measure to ensure that CDC is handing off ssotoken cookie to trusted agents running at known URLs.

Workaround

Go to Access Control > / (Top Level Realm) > Agents > 2.2 Agents > UrlAccessAgent
Key in agentRootURL=http://stqa.as.com.sg:80/ to Agent Key Value(s).

Jackpot!

.

OpenAM: #403x error

2012-01-04T12:17:00.002+08:00

Sometimes, when a Policy Agent is configured and this very not-so-helpful error #403x appears on the browser, one needs to investigate further...

Usually, I systematically scan through the following log files:
1. Agent debug log files (at node where PA is installed)
2. OpenAM debug log files (usually Authentication will reveal what's wrong)

In this particular case, the Policy Agent was not defined properly in OpenAM.

amCDC:01/04/2012 12:07:36:371 PM SGT: Thread[http-2020-4,5,main] WARNING: LdapSPValidator.validateAndGetRestriction: Invalid agent ID: http://stqa.as.com.sg:80/ amCDC:01/04/2012 12:07:36:371 PM SGT: Thread[http-2020-4,5,main] ERROR: Invalid Agent: Could not get agent for the realm java.lang.Exception: Invalid Agent: Not configured in directory at com.iplanet.services.cdc.LdapSPValidator.validateAndGetRestriction(LdapSPValidator.java:160) at com.iplanet.services.cdc.CDCServlet.redirectWithAuthNResponse(CDCServlet.java:394) at com.iplanet.services.cdc.CDCServlet.doGetPost(CDCServlet.java:355) at com.iplanet.services.cdc.CDCServlet.doGet(CDCServlet.java:270) at javax.servlet.http.HttpServlet.service(HttpServlet.java:617) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:91) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:864) at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579) at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665) at java.lang.Thread.run(Thread.java:662)

amCDC:01/04/2012 12:07:36:371 PM SGT: Thread[http-2020-4,5,main] ERROR: CDCServlet.doGetPost java.lang.Exception: Invalid Agent: Could not get agent for the realm at com.iplanet.services.cdc.LdapSPValidator.validateAndGetRestriction(LdapSPValidator.java:229) at com.iplanet.services.cdc.CDCServlet.redirectWithAuthNResponse(CDCServlet.java:394) at com.iplanet.services.cdc.CDCServlet.doGetPost(CDCServlet.java:355) at com.iplanet.services.cdc.CDCServlet.doGet(CDCServlet.java:270) at javax.servlet.http.HttpServlet.service(HttpServlet.java:617) at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at com.sun.identity.setup.AMSetupFilter.doFilter(AMSetupFilter.java:91) at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233) at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:864) at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:579) at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665) at java.lang.Thread.run(Thread.java:662)

.

OpenDJ Replication Server error during handshake phase

2011-12-21T13:02:00.003+08:00

I have a pair of OpenDJ servers running in MMR mode. Customer has a sudden requirement to change IP addresses.

Simple request.. So I went ahead to modify the /etc/hosts. As simple as that.

No. The following error is observed in OpenDJ errors logs on both nodes:

[21/Dec/2011:12:46:32 +0800] category=SYNC severity=SEVERE_ERROR msgID=14942387 msg=Replication server 30809 was attempting to connect to replication server a125.az.com/172.8.8.125:8888 but has disconnected in handshake phase

[21/Dec/2011:12:46:32 +0800] category=SYNC severity=SEVERE_ERROR msgID=14942263 msg=In Replication server Replication Server 8888 30809: replication servers 200.2.2.125:8888 and 172.8.8.125:8888 have the same ServerId : 20398

:
:

[21/Dec/2011:12:46:36 +0800] category=SYNC severity=SEVERE_ERROR msgID=14942316 msg=Unable to send monitor data request for domain "cn=admin data" to replication server RS(30809) due to the following error: Socket closed

I resolved this by restarting both nodes.

.

OpenAM Fedlet

2011-12-20T23:12:00.003+08:00

A customer asked me what's a OpenAM Fedlet and its usage.

There isn't a lot of detailed document on OpenAM Fedlet. But this article from Oracle is great!

ForgeRock's documentation only has a section on Using Fedlets in Java Web Applications.

In layman term, this is my interpretation of Fedlet:

Basically, big organizations with budget will be using OpenAM Federation service.

e.g. One organization will install OpenAM to act as IdP (Identity Provider), while the rest of the organizations will enable their applications to be SAMLv2 -ready. These applications will then act as SP (Service Provider).

However, this takes time and effort and money.

Smaller organizations will definitely not be able to overhaul their applications to be SAMLv2-ready, as it is not cost-effective. So the way to go is to just deploy Fedlets (generated from OpenAM servers).

The Fedlet will act like a bridge between the OpenAM server (acting as IdP) and the applications.

It's simple and neat.

.

Overriding OpenAM classes

2011-12-09T20:49:00.001+08:00

I was trying to change some behavior in OpenAM core components and I find the easiest way to do it is:

Modify the OpenAM source code
Compile the Java class
Deploy the compiled class in ../WEB-INF/classes
Restart OpenAM

The application container will let /WEB-INF/classes take priority over the class in the jar file residing in the /WEB-INF/lib directory. Nice!

In fact, it's not recommended to put back the modified class into the original jar file. I find that ugly in practice.

.

APR based Apache Tomcat Native Library

2011-11-30T16:12:00.001+08:00

I want better performance running OpenAM on Tomcat application server, thus I spent the effort to configure APR (Apache Portable Runtime) for Tomcat.

As usual (this is not my 1st time), I always encounter this error whenever I start Tomcat after configuration:

Nov 30, 2011 4:01:23 PM org.apache.catalina.core.AprLifecycleListener init

INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /am/bin/jdk1.6.0_27/jre/lib/amd64/server:/am/bin/jdk1.6.0_27/jre/lib/amd64:/am/bin/jdk1.6.0_27/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib

This is a very silly mistake for not following the instruction carefully.

The resolution is to add the following to catalina.sh:

[am@testMachine bin]$ vi catalina.sh

JAVA_OPTS="-server -Xms2048M -Xmx2048M -Djava.library.path=/usr/local/apr/lib"

.

Agent-less SSO

2011-11-14T16:03:00.001+08:00

Sometimes, legacy or COTS (commerical off the shelf) web applications cannot be customized to integrate with Policy Agent. That's where ESSO comes into play (and that explains why ESSO solution is never cheap, besides being cumbersome to deploy. of course, my opinion).

BitKoo and OpenIG have solutions that attempt to resolve this issue.

Basically, a Proxy/Gateway is introduced. This is where the access to the actual application is intercepted and password being replayed securely.

In the case of BitKoo, user credential is stored securely in a keystore.

On the other hand, OpenIG (aka ApexIdentity Gateway) integrates, out-of-the-box, with all 3rd party web access management solutions (e.g. OpenAM).

The key point is any web application can come on-board without ever modifying the target application again.

.

Policy Agent debugging

2011-11-11T13:36:00.001+08:00

If you have deployed Policy Agent in Centralized mode and have set the debug level to Message, yet when the policy agent container is started and you only see the following:

=======================================
2011-10-31 09:56:35.408 -1 20816:1f8957d0 all: Version: 3.0-04
2011-10-31 09:56:35.408 -1 20816:1f8957d0 all:
2011-10-31 09:56:35.408 -1 20816:1f8957d0 all: Build Date: Fri Jul 29 00:05:09 BST 2011
2011-10-31 09:56:35.408 -1 20816:1f8957d0 all: Build Machine: constable.internal.forgerock.com
2011-10-31 09:56:35.408 -1 20816:1f8957d0 all: =======================================

The log is very verbose when the debug level is set to Message. Then definitely there is something wrong.

There is one more tweak to it...

Go to the ../Agent_001/config directory and amend the following 2 properties files:

1. OpenSSOAgentBootstrap.properties
2. OpenSSOAgentConfiguration.properties

Look for the following:

# AGENT DEBUG LOG LEVEL
com.sun.identity.agents.config.debug.level = all:5 (default is empty)

Restart your policy agent container. You'll see more log statements.

This method was helpful to me when there was some misconfiguration in the network or load-balancer stickiness issues. Of course, there are many more scenarios that could potentially happen.

.

BlackBerry Desktop Software for Mac

2011-11-09T23:32:00.002+08:00

With BlackBerry Desktop Software for Mac, synchronizing musics from my iTunes to the smartphone has become a breeze!

Of course, there are Calendar, Contacts, Notes and Tasks sync. But I'm using Google Calendar and not Exchange, so that's not useful for me.

.

2011-11-09T00:27:00.001+08:00

If you are deploying SharePoint, this link is very helpful for your pre-sales activities.

There are Foundation, Standard and Enterprise editions. You need to be careful which edition to choose. Otherwise, some features might not be available.

.

OpenAM Policy Agent - Life Cycle

2011-11-06T10:01:00.003+08:00

I always prefer diagram to wordings. Below is an illustration on how a Centralized Agent Configuration works:

When an agent starts up, it reads its bootstrapping file to initialize itself.

OpenSSOAgentBootstrap.properties is stored on the agent machine and indicates the location from where the configuration properties need to be retrieved. Based on the repository setting in OpenSSOAgentBootstrap.properties, it retrieves the rest of its configuration properties. It fetches its configuration from OpenAM Server.

An agent fetches its configuration properties periodically to determine if there have been any configuration changes. Any agent configuration changes made centrally are conveyed to the affected agents, which will react accordingly based on the nature of the updated properties. If the properties affected are hot swappable, the agent can start using the new values without a restart of the underlying agent web container. Notification of the agent when configuration data changes and polling by the agent for configuration changes can be enabled. Agents can also receive notifications of session and policy changes.

Note:

For Apache Policy Agent, do not enable notification.

.

Cluster initialization failed. Disabling the cluster service.

2011-11-05T09:51:00.000+08:00

Switching from Solaris to Linux OS can be a challenge to me, at times.

I was installing and configuring Glassfish Message Queue for OpenAM Session Failover a month back and was not able to make it work initially.

The configuration was made exactly the same as what I would have done on a Solaris box. I have done that far too many times to have miss out anything. But.... the MQ just would not start on a Linux box!

So debugging was needed... In the end, I found the issue - "Invalid broker address for this broker to run in cluster: Loopback IP address is not allowed in broker address mq://127.0.0.1:7676/..."

I found out that in Linux OS, loopback IP is not allowed.

The resolution is to add imq.hostname in the BROKER_OPTIONS:

[lx123 ]$ cd /am/bin/sfo/bin
[lx123 bin]$ vi amsfo
BROKER_OPTIONS="-silent -Dimq.hostname=am1.lx.com"

.

no sso token, setting status to invalid session

2011-10-26T23:07:00.001+08:00

I rebuilt the development environment for my customer the other day. It was a fairly simple job since it's only a single box setup.

In this development, we have specifically named the Cookie Name as "dsiPlanetDirectoryPro", instead of the default "iPlanetDirectoryPro".

Nothing special.

So I had the following set up for the agent. I renamed the default cookie name to "dsiPlanetDirectoryPro".

But I hit the following error when the agent container is started. The agent debug logs as follows:

2011-10-21 20:01:02.151MaxDebug 29740:16af2ab0 AM_POLICY_SERVICE: am_policy_compare_urls: Comparison of "https://dsxxx.xxx.com:443/RA/MainMenu.html" and "https://dsxxx.xxx.com:443/am/UI/Logout" returned AM_NO_MATCH (usePatterns=false)

2011-10-21 20:01:02.151MaxDebug 29740:16af2ab0 all: is_url_not_enforced(): URL https://dsxxx.xxx.com:443/RA/MainMenu.html is enforced.

2011-10-21 20:01:02.151 Debug 29740:16af2ab0 all: am_web_get_parameter_value(): Param Name = dsiPlanetDirectoryPro, & Param Value = NULL, status not found

2011-10-21 20:01:02.151 Debug 29740:16af2ab0 all: am_web_is_access_allowed()(https://dsxxx.xxx.com:443/RA/MainMenu.html,GET): no sso token, setting status to invalid session.

2011-10-21 20:01:02.151 Info 29740:16af2ab0 all: am_web_is_access_allowed()(https://dsxxx.xxx.com:443/RA/MainMenu.html, GET) returning status: invalid session.

2011-10-21 20:01:02.151 Info 29740:16af2ab0 all: process_request(): Access check for URL https://dsxxx.xxx.com:443/RA/MainMenu.html returned invalid session.

2011-10-21 20:01:02.151 Debug 29740:16af2ab0 all: process_request(): AM_INVALID_SESSION, will redirect (post data: (null))

2011-10-21 20:01:02.151MaxDebug 29740:16af2ab0 all: am_web_get_url_to_redirect: goto URL is https://dsxxx.xxx.com:443/RA/MainMenu.html

The behavior at the browser is the user is being redirected recursively until it gives up!

I spent a considerable amount of effort debugging. It's very strange because production site is working fine. So, some settings must have been wrong in this new development server.

In the end, I realized it was a careless mistake of mine - I have forgotten to rename the cookie name for the default server settings!!

The cookie name was still "iPlanetDirectoryPro", which is wrong for our development environment.

.

Install OpenAM Core Only

2011-09-17T12:19:00.000+08:00

For production deployment, most customers prefer the OpenAM Administration Console not to be exposed to the Internet. Instead, they'll like the Admin Console to be accessible within the Intranet.

The solution is to deploy a OpenAM Core Only distribution in the Internet; while deploying a OpenAM Console Only distribution in the Intranet.

After deploying OpenAM Core Only, you'll still get the Login Page. There's no difference in behavior from the out-of-the-box installation.

The only difference is when you attempt to login. Once you have successfully authenticated, you'll be shown the following page.

The JSPs for the console pages have been stripped off. As such, the requested resource is not available.

This type of deployment is useful if the OpenAM Login Page is not utilized for end-users' authentication purpose.

.

OpenAM : Why is Login Page missing after reboot?

2011-09-09T13:39:00.003+08:00

I came across this question before. Today, I encountered this scenario after my VM hung and I needed to reboot the server.

Very strange. Everything was running fine for so many days. I panicked when I have to re-configure again.

Well, after I cooled down, I then realized my OpenDJ was not started yet!! I had my OpenAM installed with configuration and user data stores in the external OpenDJ. (I did not use the embedded OpenDJ that was bundled with OpenAM)

Ok, so I shutdown OpenAM. Started OpenDJ, followed by OpenAM.

Everything is now back to normal. Phew!

Anyway, I would expect OpenAM to be smarter. At least, it should check whether or not there is an existing instance installed by looking into the .openssocfg directory.

If existing instance(s) found, then it should not redirect users to the Configuration Page.

LDAP Error 21: The request contains invalid syntax.

2011-09-09T12:29:00.002+08:00

In my test environment, I have configured an external data store which is connected to OpenDJ 2.4.3. My OpenAM configuration store is connected to the same OpenDJ instance.

I was trying to perform a simple load-test and needed some test users. As such, I tried to create new users via the OpenAM Administration Console. Since "First Name" is not compulsory, I skipped that field.

No good. I encountered "LDAP Error 21: The request contains invalid syntax.".

Very strange. How can this be? When my external data store was Sun DSEE, I have never encountered the same issue before.

A look at the OpenDJ access log revealed the following:

[08/Sep/2011:14:54:43 +0800] ADD REQ conn=71 op=3 msgID=278 dn="uid=test001,ou=people,o=st701" [08/Sep/2011:14:54:43 +0800] ADD RES conn=71 op=3 msgID=278 result=21 message="Entry "uid=test001,ou=people,o=st701" contains a value "" for attribute givenName that is invalid according to the syntax for that attribute: The operation attempted to assign a zero-length value to an attribute with the directory string syntax" etime=4

A check with OpenDJ indicated that "Directory String" has a property "allow-zero-length-values" set to false by default.

How to resolve?

$ bin/dsconfig -h am1.sg.azlabs -p 888 -D "cn=Directory Manager" -w [password] set-attribute-syntax-prop \
-n --syntax-name "Directory String" --set allow-zero-length-values:true

PS: The 2 product teams (OpenAM vs OpenDJ) have to talk to each other. Both products have to work seamlessly out-of-the-box. One team has to give in to another at times. My thought.

OpenAM : Extending to a Dual Instance Deployment

2011-09-07T23:41:00.001+08:00

If you are using the web-based GUI to install your 2nd OpenAM instance, you'll come to Step 3 wizard page (Configuration Data Store Settings).

Since this is the 2nd instance, we should select "Add to Existing Deployment?". Then we should key in the "Server URL" - which points to the 1st OpenAM instance.

Once the Server URL is entered, the LDAP Server will be auto-populated. Strange thing is the Port is populated with "null".

So is this going to work or not? I went ahead to continue with the installation.

The installation completed without any error! After installation, I logged into OpenAM Admin Console to double check. Everything is good. The LDAP port for my 2nd instance is reflected as "1389" - which is correct.

It's still a mystery why "null" was displayed in the installation wizard.

AM SFO: Dual instances on single machine

2011-09-06T15:38:00.002+08:00

We have just won a project to migrate from Sun Access Manager 7 to ForgeRock OpenAM 9.5.3. This site has high concurrent access and many Policy Agents. It also needs to support Session Failover.

There are many ways to scale OpenAM and the corresponding AMSFO.

In my test labs, I was trying to get 2 instances of AMSFO to run concurrently. I followed this Wiki (Extending to a Dual Instance Deployment) from OpenAM.

Everything runs fine for the 1st instance (port 7777). I just could not get the 2nd instance (port 8777) to start up properly on the same physical machine.

It kept throwing the following error:

Sep 6, 2011 3:06:08 PM com.sun.messaging.jmq.jmsclient.ExceptionHandler throwConnectionException
WARNING: [C4003]: Error occurred on connection creation [am2.sg.azlabs:8777]. - cause: java.net.ConnectException: Connection refused

I think there must be a mis-configuration in the Java Message Queue. OpenAM 9.5.3 uses Sun GlassFish(tm) Message Queue 4.4.

So I searched Google and located this document. I think what was missing is to instruct each MQ to bind to its own dedicated IP address ( imq.hostname - Default host name or IP address for all connection services ).

I also learnt that there are many other listening ports when AMSFO is started, besides the broker port 7777.

Before AMSFO is started:

After AMSFO is started:

So, it's very obvious there was a clash in ports when the 2nd instance was trying to start. (e.g. 50722, 55044 etc.. It's random port numbers.. But so lucky of me to keep clashing on used ports)

Resolution?

In the start-up script amsfo, edit the following:

#BROKER_OPTIONS="-silent"

BROKER_OPTIONS="-silent -Dimq.hostname=am1.sg.azlabs"

Apply the same to the start-up script in the 2nd instance, but change the imq.hostname to am2.sg.azlabs.

Solved!

OpenSSO/OpenAM : Session Timeout for Login Page

2011-08-12T19:25:00.062+08:00

The following is the page most customers hate.

Unlike other web-based applications, the OpenSSO/OpenAM login page itself has a timeout value. The clock starts ticking when users land on this page. If users do not login before the timeout, the "Your session has timed out" will be displayed. The default value is 120 seconds.

How can we increase this value? This is the most common question from customer.

[openam953]$ cd /home/openam953/opt3/tomcat/webapps/openam953/config/auth/default_en

[openam953]$ vi DataStore.xml

Change timeout from 120 to 300. I personally think 5 minutes is a reasonable value. Why would one come to a Central Single Sign-On page to do nothing? Most probably, one would want to authenticate and be quickly redirected to the intended application.

I somehow had this impression that a timeout value of 0 implies there will be no session timeout. With this impression, I implemented this solution for one of my customer in one of the local ministries. The feedback was the Login Page times out even faster. Strange! :)

After much debug, I then realized 0 is not an accepted value. If 0 is input, a default value of 60 seconds will be applied.

[openam953]$ tail -f Authentication | grep -i "timeout"

Setting page timeout :60
Returning page timeout :60
Setting page timeout :120 <- Default Login Page value

Setting page timeout :60
Returning page timeout :60
Setting page timeout :600 <- This was when I set the timeout value to 600

Setting page timeout :60
Returning page timeout :60
Setting page timeout :60 <- If 0 is input, it will be replaced by 60

This default value can be found in PagePropertiesCallback.

And also, do take note of Invalidate Session Max Time in Session Limits.

The default value is 3 mins. In my case, I should set it to 6 mins instead.

.

Weird behavior in OpenAM 9.5.3 RC1 when configured with external configuration data store

2011-08-02T19:19:00.000+08:00

OpenAM 9.5.3 stable release was released today. The download link is here.

Prior to this stable release, I was using 9.5.3 RC1 for a demo and discovered a weird behavior. Luckily, it's gone in 9.5.3 stable release.

The issue only happened when an external configuration data store is used. In my case, I was using OpenDJ 2.4.2.

As with any default OpenAM installation, the log level was set to ERROR. I wanted to debug my deployment, thus I went ahead to set the log level from ERROR to MESSAGE via the OpenAM Administration Console.

Set Debug Level to "Message".

Everything ran fine. The verbose logging was output. However, once I restarted the web container, I'll not be able to get to the Login page anymore.

The Session log threw the following error:

**********************************************
amSSOProvider:08/02/2011 04:48:45:718 PM SGT: Thread[main,5,main]
SSO token ldap auth successful for AuthPrincipal: cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
amSession:08/02/2011 04:48:45:777 PM SGT: Thread[main,5,main]
ERROR: SessionService.SessionService(): Initialization Failed
com.iplanet.services.naming.ServerEntryNotFoundException
at com.iplanet.services.naming.WebtopNaming.getServerID(WebtopNaming.java:730)
at com.iplanet.services.naming.WebtopNaming.getServerID(WebtopNaming.java:618)
at com.iplanet.dpro.session.service.SessionService.(SessionService.java:1772)
at com.iplanet.dpro.session.service.SessionService.getSessionService(SessionService.java:448)
at com.sun.identity.authentication.service.AuthD.getSS(AuthD.java:905)
at com.sun.identity.authentication.service.AuthD.initAuthSessions(AuthD.java:938)
at com.sun.identity.authentication.service.AuthD.(AuthD.java:273)
at com.sun.identity.authentication.service.AuthD.getAuth(AuthD.java:560)
at com.sun.identity.authentication.UI.LoginLogoutMapping.initializeAuth(LoginLogoutMapping.java:100)
at com.sun.identity.authentication.UI.LoginLogoutMapping.init(LoginLogoutMapping.java:75)

The fastest workaround was to change the LDAP value in the external configuration data store from MESSAGE back to ERROR.

Change to "ERROR".

Restarted web container. Solved. Everything back to normal. Very weird. ( I tried Tomcat 6 and Glassfish 2.1, both threw the same error if external configuration data store is used )

Today, I tried OpenAM 9.5.3 with embedded and external config data store. Both work!

Out of curiousity, I tried OpenAM 9.5.3 RC1 with embedded config data store. It works! So it's only with external config data store, then it fails. Hmmmm....

Permission to perform the edit operation denied

2011-07-27T14:28:00.000+08:00

In one of the OpenSSO projects I'm currently in, we have customized attributes defined in Sun DSEE 7. These attributes extend from inetorgperson.

In the Post Authentication Processing module, we would want to update one of the attributes if a certain condition is met.

So I have the following code segment:

AMIdentity amIdentity = new AMIdentity(ssoToken);

:
Map attrs = new HashMap();
Set values = new HashSet(1);
values.add (valueToSet);
attrs.put (SUNLDAPUser.ATTRIBUTE_MUSTCHGPWD, values);
amIdentity.setAttributes(attrs);
amIdentity.store();

Looks good! But when we run it, we encountered the following error:
"Permission to perform the edit operation denied ..."

Strange! Why?

After much investigation, I then realized we need to loosen the policy in the embedded OpenDS store.

There is a xmlpolicy attribute in ou=SelfWriteAttributes,ou=Policies,ou=default,ou=OrganizationConfig,ou=1.0,ou=iPlanetAMPolicyService,ou=services,o=sunamhiddenrealmdelegationservicepermissions,ou=services,....

So, the trick is to add the attribute that we want to modify into the UserSelfCheckCondition.

Restart OpenSSO. Test. Done.

.

Incompatible Sun Message Queue Version

2011-07-04T18:04:00.001+08:00

I have been trying to scale a old Sun Access Manager deployment from 2 nodes to 4 nodes.

In trying to yield better performance, I made some minor upgrade to each dependent components. I knew that Sun Message Queue 4.x has better performance than the old 3.6 version.

So, I made a weird decision to deploy a hybrid of Sun Message Queues - 3.6 mixed with 4.4.

No good. You'll see this error in the MQ log during startup of AM SFO:

[29/Jun/2011:14:21:36 SGT] ERROR [B3098]: Configuration mismatch: Aborting connection with broker [ mq://10.10.10.15:7878/?instName=imqbroker&brokerSessionUID=null ] because following configuration properties do not match -
imq.queue.deliverypolicy=round-robin,single

[29/Jun/2011:14:21:36 SGT] ERROR [B3098]: Configuration mismatch: Aborting connection with broker [ mq://10.10.10.16:7878/?instName=imqbroker&brokerSessionUID=null ] because following configuration properties do not match -
imq.queue.deliverypolicy=round-robin,single

Update on 27th Jul 2011:

I realized hybrid deployment of Sun MQ works! In fact, the new deployment of different version of MQ has been running LIVE for a few weeks without any problem. (will continue to monitor though ...)

.

2011-06-28T23:54:00.001+08:00

I talked about the wonderful ESSO solution from PasswordBank some time back. Read here.

This product differentiates itself by being able to support Desktop Platforms like Windows, Linux and Mac OS. This is something great! ESSO product has always been very Windows driven.

It has caught the attention of Oracle. PasswordBank is now Oracle's partner of choice for heterogeneous environment deployment.

This is something Passlogix v-GO SSO was not able to provide. By the way, Passlogix was aquired by Oracle just some months back. Read here.

Will PasswordBank be Oracle's next target? :)

.

SaaS SSO Vendors

2011-06-28T23:46:00.000+08:00

The following is a list of SSO vendors that provides SaaS:

How about OpenAM?

Not so soon ... Still on the roadmap... we need to wait a little longer...

Replication over WAN

2011-06-21T10:04:00.001+08:00

I have a customer that has a server farm of Directory Servers. These directories are deployed in multiple sites, thus WAN replication is required to keep data in-sync.

In one of the directory instances, binary data are stored. Thus resulting in huge entries (some are as huge as 20MB per attribute value).

They were using Sun Directory Server 5.x happily before they were switched to Sun DSEE 6.x due to EOL of DS 5.2. Replication starts to break for those instances with huge entries.

In this particular case, customer was trying to replicate from a Wins2k3 box to a Solaris Sparc box.

We raised a Support Case with Oracle Support and were told the following:

I would consider your customer setup as a corner case which is a mixture of all the following:

* replication over SSL
* replication over a slow WAN link
* replication of huge entries
* replication topology mixing different versions
* replication not using compression
* replication timeouts not correctly set

AFAIK, the best performance of the Directory Server is obtained with the following combination:

* DS 7.0.1
* Solaris x86
* ZFS

Oracle kept suggesting getting Professional Services people to "take a look and make suggestion".

But to the customer, the equation is so simple:
* There were no change in topology, OS, and data
* DS 5.x works
* Why would DSEE 6.x breaks? Shouldn't 6.x be a enhanced version of 5.x?

It's definitely a limitation in DSEE 6.x which Oracle refuses to admit.

By the way, we always do our own homework and below are some findings:

1. 5.2 SP6 (wins 2k) -> 5.2 SP6 (solaris sparc) ==> OK
2. 5.2 SP6 (wins 2k) -> 6.3.1 (solaris sparc) ==> NOT OK
3. 6.3.1 (windows) -> 6.3.1 (solaris sparc) ==> NOT OK
4. 6.3.1 (solaris) -> 6.3.1 (solaris sparc) ==> NOT OK
5. 7.0.1 (solaris) -> 6.3.1 (solaris sparc) ==> NOT OK
6. 7.0.1 (solaris) -> 7.0.1 (solaris sparc) ==> NOT OK

In the end, I called upon my friend (OpenDJ) for help. Looks good!

To the customer, slow is not important as long as the data is kept in-sync. Simple requirement.

The next step is to deploy a test-bed in the customer's environment to confirm replication over WAN works using OpenDJ. The past few months have been very miserable, especially talking to those people.

OpenDJ: Replication Setup Error Message

2011-05-30T14:07:00.002+08:00

Today, I hit into some issues with OpenOSSO multi-servers setup. I am suspecting there's something not correct with the OpenDS configuration in a multi-servers deployment. Nothing concrete yet, am still investingating.

In order to provide some facts, I think setting 2 instances of OpenDJ in MMR mode would be good. At least, I have something to compare with.

So, the installation of OpenDJ was a breeze. (Do I re-broadcast so many times on this fact? :>)

Setting up replication is not hard if you have the following command line as a template. (No GUI yet to set up replication.)

[opendj@think bin]$ ./dsreplication enable --host1 think.sg.forgerock --port1 8888 --bindDN1 "cn=directory manager" --bindPassword1 password --replicationPort1 8989 --host2 think.sg.forgerock --port2 7888 --bindDN2 "cn=directory manager" --bindPassword2 password --replicationPort2 8989 --adminUID admin --adminPassword password --baseDN "dc=sg,dc=forgerock" -X -n

Establishing connections ..... Done.

You have provided the same replication port (8989) for two servers located on the same machine (think.sg.forgerock).

So, am I done or not done? Initially, I thought I'm done. But ... actually, it's not done.

Wouldn't the following be better?

ERROR: You have provided the same replication port (8989) for two servers located on the same machine (think.sg.forgerock).

.

java.lang.OutOfMemoryError: unable to create new native thread

2011-05-24T23:17:00.001+08:00

I have been driven crazy for the past 2 weeks performing load tests for the Single Sign-On infrastructure in a local ministry.

Today, one of the customized application threw the following error:

java.lang.OutOfMemoryError: unable to create new native thread

While searching for a solution, I came across the following diagram. I think it's good to share as it's very clear in illustrating how to tune a 32-bit JVM.

I had set the request processing thread (thread-count) to a high number of 500. (Ya! I was crazy to do that) At the same time, I set the Xmx and Xms to 2GB.

So the math was rather bad (if you can follow the diagram above). Ha!

In the end, we settled for Xmx and Xms to 512MB with thread-count being 200. The application flies!

.

Goodbye, Sun Messaging Server!

2011-05-16T10:50:00.000+08:00

Last Saturday, we finally decommissioned the Sun Messaging Server in our data center.

As everyone knows, Sun's software used to be free to use, even in production. Customers only need to pay if they require support. Well, that was yesterday and history. :)

Salute to Sun Messaging Server!

SSL handshake

2011-05-06T17:25:00.000+08:00

There has been a lot of discussions on how to configure SSL-enabled OpenAM servers to communicate with one another via self-signed certificates.

Actually, honestly speaking, it's not an OpenAM issue. It's a JDK key-store issue. One needs to understand how SSL works. As mentioned in my blog some times back, I found this link a good start.

These days, I am using SSLPoke pretty often. This is the most wonderful tool to have. I'll make sure SSLPoke pass before I continue to configure the 2nd and subsequent OpenAM server.

Or you can set the following JVM-option:
"-Djavax.net.debug=SSL,handshake,trustmanager"

This will show why SSL handshake fails.

.

Sun Java System Web Server 7 Policy Agent Issue

2011-04-15T17:20:00.002+08:00

I spent almost 1.5 weeks trying to resolve a Policy Agent issue in one of my customers' environment.

Even though they have Sun Java System Web Server 7, their configuration is "ancient" type. We know that there is a modern in-built Reverse Proxy plugin in Web Server 7. But the customer is still using the legacy Glassfish Load-Balancer plugin.

Cross-Domain Single Sign-On

There is this scenario where the Web Server is residing in a different domain from OpenSSO Server.

In CDSSO mode, the agent for SJSWS does not reset the protocol version to the one from POST-request [HTTP/1.1] (received from the CDCServlet), but to a HTTP-Request version 0.9 [HTTP]. This scenario only happens in CDSSO mode due to the handling of the assertion the agent got from the CDCServlet.

Step-by-Step

1. Policy Agent intercept "GET /hello/ HTTP/1.1"
2. Since this is CDSSO, Policy Agent attempts to reset protocol version ( from HTTP/1.1 to HTTP )
3. Policy Agent then allow the request to pass to the plugin

Note: A HTTP without any version should be interpreted as HTTP 0.9, according to W3C.

This is what W3C has to say with regard to HTTP Protocol Version:

The Protocol/Version field defines the format of the rest of the request.. At the moment only HTRQ is defined. If the protocol version is not specified, the server assumes that the browser uses HTTP version 0.9.

So, what's the issue then?

Load Balancer Plugin (Web Server Access Log)

192.168.1.47 - - [13/Apr/2011:17:30:55 +0800] "GET /hello/ HTTP/1.1" 302 0
192.168.1.47 - admin [13/Apr/2011:17:31:02 +0800] "GET /hello/ HTTP" 505 0

Reverse Proxy Plugin (Web Server Access Log)

192.168.1.47 - - [14/Apr/2011:10:28:48 +0800] "GET /hello/ HTTP/1.1" 302 0
192.168.1.47 - admin [14/Apr/2011:10:28:55 +0800] "GET /hello/ HTTP" 200 327

The issue is:

a. LB-plugin: Not able to respect HTTP version 1.0 and below ("HTTP Error 505 HTTP version not supported' error)

b. RP-plugin: Able to respect HTTP version 1.0 and below

Clearly, there is something wrong with the Load-Balancer plugin. According to W3C, it has to honor HTTP and let the request to pass-through.

And, although it is fairly rare that any software/application will send a HTTP with protocol version lower than 1.0 these days, it is totally "legal" to do so.

In this case, the Policy Agent chooses to swallow a request with HTTP/1.1, but passes a request HTTP to the plugin. Rightfully, it would be ideal to swallow HTTP/1.1, and passes the same HTTP/1.1 to the plugin.

PS: Btw, I need to thank Bernhard for helping me with this issue. Thanks, Bernhard!
.

OpenDJ Directory Server

2011-04-15T00:03:00.001+08:00

ForgeRock has done a great job with OpenDJ Directory Server so far.

So what does OpenDJ provides, in a nutshell? A diagram will be best for illustration.

For anyone interested in the details of OpenDJ, here is the latest product sheet for your reference.

.

Web Agent Caching Behavior

2011-04-14T15:13:00.001+08:00

I have been asked a few times by customers on how Policy Agent manages its internal cache. I think I might as well make a note of this so that I can make reference to this question again much easier next time.

There is actually a documentation on this topic here.

Summary

Policy agent caches users' policies
2 mechanism are utilized: notification and/or polling
Each cache entry expires in 3 minutes, by default

Firewall Consideration

The challenge comes when there is a firewall between the Policy Agent and OpenSSO Enterprise Server. In such circumstance, notification should be turned off. (Otherwise, you'll get a lot of error on the OpenSSO debug log complaining about non-contactable agents.)

Production Scalability Consideration

Policy changes are frequent
Sites need to accept the fact that there will always be latency to reflect policy changes
No hard rule on this latency time as long as it's acceptable for the site's specific needs

The guideline when setting the Policy Cache Polling Period property is to set it to the lower of the two:

The session idle timeout period
Site’s accepted latency time for policy changes

Unable to find active Access Manager Auth server

2011-04-12T18:10:00.000+08:00

If a protected application is running (with Policy Agent), but the backend OpenAM/OpenSSO server is down, you'll get "Forbidden" error on the web browser.

"Your client is not allowed to access the requested object"

The following will be captured in the amAgent log:

am_web_get_url_to_redirect: unable to find active Access Manager Auth server.

ERROR: Invalid Agent: Could not get agent for the realm

2011-04-11T12:18:00.000+08:00

Sometimes, when CDSSO is configured, one will encounter HTTP Status 500 after a successful login.

1. Access protected application

2. Redirect to OpenSSO Login Page

3. Upon successful login, redirect back to protected application

Step 3 is not happening. Instead, user encounters HTTP Status 500.

If you take a look at the amAgent log on the protected application side, there is nothing unusual. All seems good.

Something is definitely wrong on the OpenSSO server end.

The problem is "Unknown Host Exception". Add the FQDN to the /etc/hosts resolves the issue!

OpenAM 9.5.2 CLI Configuration

2011-04-04T17:58:00.002+08:00

I was trying to install a new install of OpenAM 9.5.2 for a POC using the GUI Configurator. (Read here)

The problem then was the embedded OpenDS 2.3 will always create a Administrator Connector Self-Signed Certificate using the hostname. If this hostname is not defined in /etc/hosts, configuration will bomb.

ERROR: AMSetupServlet.configure: error
org.opends.server.types.InitializationException: The administration connector self-signed certificate cannot be generated because the following error occurred: openam: openam
at org.opends.server.admin.AdministrationConnector.handleCertifExceptions(AdministrationConnector.java:776)
at org.opends.server.admin.AdministrationConnector.createSelfSignedCertifIfNeeded(AdministrationConnector.java:757)
at org.opends.server.admin.AdministrationConnector.initializeAdministrationConnector(AdministrationConnector.java:181)

Today, I tried to find out whether or not this can be workaround by using CLI configuration.

SERVER_URL=http://openam.sg.azlabs:9080
DEPLOYMENT_URI=/openam71
BASE_DIR=/home/openam952/openam71
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=wKO7mExvCqVXETTtsgU4HgtvqBXrFzSW
ADMIN_PWD=password
AMLDAPUSERPASSWD=amldapuser
COOKIE_DOMAIN=.sg.azlabs

DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_SERVER=openam.sg.azlabs
DIRECTORY_PORT=51389
DIRECTORY_ADMIN_PORT=8888
DIRECTORY_JMX_PORT=1689
ROOT_SUFFIX=dc=opensso,dc=java,dc=net
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=password

## Leave (blank) will default to embedded DATA_STORE
USERSTORE_TYPE=

No use.

The OpenDS is still trying to create the Administrator Connector Self-Signed Certificate using the hostname.

By the way, in OpenAM 9.5.2, with the upgrade of OpenDS from 1.x to 2.3, the following 2 attribute-value pairs are required:

DIRECTORY_ADMIN_PORT=8888

DIRECTORY_JMX_PORT=1689

Quite a painful experience as the documentation wasn't there. I had to read the source code and trace what was required by the configurator.

For those interested, I was looking at the method runOpenDSSetup (...) in EmbeddedOpenDS.java

setupCmd[2] = (String) map.get(SetupConstants.CONFIG_VAR_DIRECTORY_ADMIN_SERVER_PORT);
setupCmd[4] = (String) map.get(SetupConstants.CONFIG_VAR_ROOT_SUFFIX);
setupCmd[6] = (String) map.get(SetupConstants.CONFIG_VAR_DS_MGR_DN);
setupCmd[8] = (String) map.get(SetupConstants.CONFIG_VAR_DIRECTORY_SERVER_PORT);
setupCmd[13] = (String) map.get(SetupConstants.CONFIG_VAR_DIRECTORY_JMX_SERVER_PORT);

Then I went to SetupConstants.java to find out what attribute names are required:

/**
* Configuration Variable for directory server admin port.
*/
String CONFIG_VAR_DIRECTORY_ADMIN_SERVER_PORT = "DIRECTORY_ADMIN_PORT";

/**
* Configuration Variable for directory server jmx port.
*/
String CONFIG_VAR_DIRECTORY_JMX_SERVER_PORT = "DIRECTORY_JMX_PORT";

.

Policy Configuration in OpenSSO 8.0 U2 Patch 1 still not working

2011-03-28T10:15:00.001+08:00

This is a follow up to my post in Feb. I was trying to configure my authentication sources in a failover/load-balanced manner. It was not successful in OpenSSO 8.0 U2, but that was fine since I wrote my own authentication module. Thus was able to fix the bug within my own module.

However, there is another section in OpenSSO which we need to configure the same way - Policy Configuration. We have since upgraded to OpenSSO 8.0 U2 Patch 1. However, the same bug exist.

As long as the format is "local server name|host name:port", the OpenSSO server will get confused and will not parse the string properly.

What's the workaround?

The best we can do is to configure OpenSSO in a load-balanced manner (point to localhost). Failover is not possible in this configuration.

.

OpenSSO 8.0 U2 Patch 2 available

2011-03-25T12:11:00.001+08:00

OpenSSO 8.0 U2 Patch 2 has just been released on 12th March 2011. That's a pretty fast release since the last patch release (U2 Patch 1) was just in Jan 2011.

(from 141655-06) U2 Patch 2
Problem Description:
7002787 OpenSSO 8.0 u2 & u2p1 not working with Active Directory DataStore
6987837 OpenSSO8U1P3 - SystemTimerPool - Throws ArrayIndexOutOfBoundsException message regularily
7006491 ERROR: "Not a supported type: FILTEREDROLE" following opensso upgrade when assigning privileges
6994715 OpenSSO update 1 patch 3 oracle db logging error: ORA-01704: String Literal Too Long
7000981 Upgrading Am 7.1 patch3 deployment as a site to OpenSSO 8 U1 patch3 Servers and sites tab dissapear
7005627 Opensso8.0U1P3-sfo enabled attribute in the Secondary instance was missing
6993122 SPNameQualifier element should be removed from NameIDPolicy in SAML AuthnRequest
6935201 OpenSSO U1P3: DAUI sends errors after user reloads DAUI login url thrice
6677966 HttpServletRequest/HttpServletResponse not available in AMLoginModule when using Dist AuthUI
6982882 Browser goes into loop condition for an OpenSSO login when a policy requires realm authentication
6982149 OpenSSO - Null Pointer Exception during session upgrade
6979889 8.0u2 patch 1: Update version of jss4.jar in opensso
6996134 OpenSSO Authentication allows access to users to a Realm to which Users who do not belong to
6986916 problem with AM 7.1 patch 4 DAUI
6992299 problem with AM 7.1 patch 4
6982233 Migrate AM7.0p11 to OpenSSO 8.0u2: legacy agent profiles are still not shown on the console properly
7003167 CDCClientServlet regression with bugfix 6896456 using distauth
7007659 ssopreupgrade.bat stop in initialize with Can't find bundle for name ssoUpgrade
7012182 URI is considered as URL in the goto parameter when it is URL-encoded
7018596 AM 7.1 patch3 to OpenSSO 8.0 update2 upgrade displays configuration page post upgrade
7019578 After Upgrade from AM7.1p3 to OpenSSO 8.0:"Server error" while hitting "platform" button on admin console
7016248 problem with Accessmanager

The Jan release (U2 Patch 1) was a major for us in the project I am currently in for the local Education ministry.

There was a bug in the SJSWS 7 Policy Agent which happily redirecting a POST request as a GET request. This broke our single sign-on integration with Sun IdM. In this particular case, the Forget Password Wizard broke.

We tested U2 Patch 1 and the bug was resolved. What was fixed? I do not know since it's a closed source now.

.

The administration connector self-signed certificate cannot be generated

2011-03-22T10:42:00.000+08:00

I was trying to setup OpenAM on a new VM for POC.

In customer environment, the trend these days is to move away from Solaris OS (which I am very familiar with for the past 7 years) and to adopt Linux as much as possible. Nothing wrong with the OS, just that the physical boxes have got more and more expensive.

So for this new VM, I have CentOS 5.5 installed (since most customers will be installing RHEL).

It shouldn't be too difficult to install, I thought. I was wrong! I kept getting the following error:

The administration connector self-signed certificate cannot be generated because the following error occurred: openam: openam.

I checked the Network Configuration and found that I have a matching Hostname: openam.

In the end, I found out that I need a matching entry in /etc/hosts.

The last entry "openam" is required.

Very strange! How come in "Configuration Store Details", the Host Name is "localhost" and is non-editable? How does that "localhost" get mapped to "openam"? Kind of confused and distracted during debugging.

.

Sun IdM reconciliation of Sun OpenSSO accounts

2011-03-14T12:37:00.000+08:00

In the project that I am currently onboard, besides Single Sign-On, we have Identity Management in place.
Sun OpenSSO + Sun Identity Manager (aka Oracle OpenSSO + Oracle Waveset)

As OpenSSO is one of the Identity resources, we need to reconcile large number of accounts ( >40,000 in development ) into OpenSSO, but the reconciliation process always fail.

It took us pretty long to discover what is causing - do remember to turn off debugging in OpenSSO.

The debug log IdRepo was too verbose (I turned to message logging in development) and was spending too much time logging, than trying to help in reconciliation.

.

amtune Issue

2011-03-14T11:26:00.001+08:00

The Single Sign-On infrastructure which I helped to architect for the local ministry is about to go LIVE. I'm trying to tune the OpenSSO server before it's launched - amtune comes to mind. It's a built-in tool.

However, when I run the utility, I kept hanging at the following stage:

"Checking Application Server JVM mode (32-bit or 64-bit) for AS 9/Glassfish v2"

It's not moving. I waited for as long as 15 minutes. This can't be normal as I have used amtune in previous version of Sun Access Manager.

So I debugged the error log file. Nothing unusual. I realized the error shown on my shell prompt mapped to the following line in the error log file:

# /sso/opt/gf211/bin/asadmin generate-jvm-report --user admin --passwordfile /tmp/asadminpass --host localhost --port 8888 --secure --interactive=false

Being curious, I copied the line and tried to execute it manually. Found it!

The OpenSSO servers are SSL-enabled and the keystore in the system's JVM has not trusted the certificate yet. I answered "y" to the above.

Re-executed amtune again. Everything goes smoothly after that!

.

Sun DS with OpenSSO schema - High Available Connections

2011-03-11T14:18:00.000+08:00

In a highly-available setup, each OpenSSO server is recommended to connect to a dedicated Sun Directory Server for its Data Store. The other Directory Server will be configured as the secondary server (dotted lines). This ideal setup will yield better performance.

How to do achieve that in OpenSSO/OpenAM via the AM Console?

The above setup is wrong. It means both OpenSSO servers will connect to LDAP1 always. And only when LDAP1 is down, will both of them redirect to LDAP2.

This is not what we want to achieve. We want the setup to be highly available and efficient. (aka good performance)

So, we need to play with Format: LDAP server host name:port | server_ID | site_ID.

Problem is how do we know what is the value for server_ID and what is the value for site_ID?

As usual, I whack the OpenDS directly. The configuration data for the above screen is stored in ou=iPlanetAMPlatformService.

The configuration for Site is stored in ou=com-sun-identity-sites.

The configuration for Servers is stored in ou=com-sun-identity-servers.

So, the configuration should be as follows:

Nice!

.

Backing up configuration data -- Part II

2011-03-08T08:53:00.005+08:00

The configuration data which is stored in the embedded OpenDS/OpenDJ can be dumped out into a XML file.

This little script can do the job:

/sso/bin/tools/ossotools/opensso/bin/ssoadm export-svc-cfg -u amadmin -f /tmp/.admin.pwd -e secretkeytoencryptpassword -o /tmp/svc-config-bkup.xml
echo "Configuration dumped to /tmp/svc-config-bkup.xml"

.

Backing up configuration data

2011-03-07T15:54:00.001+08:00

Before a project goes LIVE, what do we usually do? Make sure backup is in place in case disaster kicks in.

So, this is what I am doing this week. I need to have a backup mechanism for the Single Sign-On infrastructure which I have set up for the local education ministry.

This book comes in handy - OpenAM by Indira. There's this chapter on Backup, Recovery and Logging.

The safest way to backup OpenSSO/OpenAM configuration data is non other than filesystem backup. (not mentioned in Sun's documentation)

The critical files and directories that need to be backed up are as follows:
• bootstrap
• OpenDS (whole directory)
• .version
• .configParam
• certificate stores
• config/xml (whole directory; if there is customized service schema)

ssoadmin@node01 $ /usr/sfw/bin/gtar -cvf opensso-bak.tar --exclude "opensso/opends/logs" opensso/bootstrap opensso/opends opensso/.configParam opensso/.version opensso/.configParam opensso/opensso/.keypass opensso/opensso/.storepass opensso/opensso/keystore.jks

If you are lazy, backup the whole configuration directory. But I would suggest discarding the debug and log directories.

That can take up a huge amount of space if the log is verbose.

Unexpected LDAP error - ssoadm

2011-02-25T15:07:00.000+08:00

The project I am currently on requires High Availability for Single Sign-On in the production environment. A site is configured for this purpose having 2 nodes.

Today, I was debugging something and shut down Node 2 and used ssoadm.jsp to update a service (update-svc) which I previously created.

When I tried to save, I get Unexpected LDAP error on the UI.

I found out why when I saw the following in Configuration log file:

ERROR: SMSLdapObject.modify(): Error in modifying entry: ou=1.0,ou=sunAMAuthXXXAuthService,ou=services,o=XXX,c=sg
By Principal: id=amadmin,ou=user,o=XXX,c=sg
com.sun.identity.shared.ldap.LDAPException: error result (53); The Replication is configured for suffix o=Ministry of Education,c=SG but was not able to connect to any Replication Server
   at com.sun.identity.shared.ldap.LDAPConnection.checkMsg(LDAPConnection.java:4875)
   at com.sun.identity.shared.ldap.LDAPConnection.modify(LDAPConnection.java:3163)
   at com.sun.identity.shared.ldap.LDAPConnection.modify(LDAPConnection.java:3102)
   at com.sun.identity.shared.ldap.LDAPConnection.modify(LDAPConnection.java:3111)
   at com.sun.identity.shared.ldap.LDAPConnection.modify(LDAPConnection.java:3077)
   at com.sun.identity.sm.ldap.SMSLdapObject.modify(SMSLdapObject.java:435)

Hmm... any configuration change requires both nodes in the site to be up! Is this built by design? I need to find out more ...

.

Model must not be null in CCPropertySheet()

2011-02-25T14:51:00.000+08:00

The project I am currently on requires High Availability for Single Sign-On in the production environment. (we have 2 nodes) The Authentication module is customized as we have special business logic to handle during users' login process.

So to plug in a new Authentication module is easy.
1. Deploy the jar
2. Dump the properties file in classes directory
3. Add in the XML file in config/auth/default directory
4. Create the new service
5. Register the authentication module

All went well with Node 1. However, I kept getting Model must not be null in CCPropertySheet() error on Node 2. I have restarted Node 2 more than once. Strange!

So what really happened?

I have forgotten to apply Step 1 - 3 on node 2. Ha!

(Note: Step 4 - 5 are only done once via the ssoadm.jsp UI)

Problems Solved By OpenSSO

2011-02-21T11:09:00.000+08:00

I was reading the newly released OpenAM book by Indira Thangasamy and came across this diagram in the overview section.

Great stuff! I always salute those who can illustrate the capability of their products in a diagram.

This diagram is able to show the 4 types of problems that OpenSSO/OpenAM is built for:

1. Access management
2. Federation
3. Securing web services
4. Entitlements

.

How to decode CSR?

2011-02-16T11:20:00.000+08:00

After generating CSR (Certificate Signing Request) and before submitting to a CA to generate a Server certificate, it would be good if we can double check what has been generated.

If OpenSSL is installed, the following command can be used:

openssl req -in mycsr.csr -noout -text

I'm lazy. :) Thanks to SSLShopper. Here's the link.

.

Failed to establish chain from reply

2011-02-14T09:32:00.011+08:00

If your server certificate (end-entity certificate) is signed by a Intermediate CA, then it is important to take note to import both Root CA and Intermediate CA certificates into your keystore (certificate store) before importing the server certificate.

Importing only Root CA certificate into the keystore is not sufficient. Otherwise, you'll get the following error when you import the Server certificate without the Intermediate CA certificate - "Failed to establish chain from reply".

Active Directory Primary Server Configuration for Multiple OpenSSO Servers

2011-02-10T14:49:00.002+08:00

In a large scale IAMS infrastructure setup, it would be better if each OpenSSO server is configured to authenticate against a dedicated authentication source (in my case, Microsoft Active Directory).

Is this feature available in OpenSSO 8.0 U2? Yes, as far as the OpenSSO Admin Console is concerned. (see digram below)

However, you need to first figure out what does "local server name" means?

I had a hard time figuring out what this really mean. In the end, I had to read the source codes from OpenAM 9.5 (forgerock.com) to figure out. The code refers "local server name" to AM_SERVER_HOST.

private static final String localDsameServer = SystemPropertiesManager.get(

Constants.AM_SERVER_HOST);

OK, AM_SERVER_HOST should then be FQDN of the OpenSSO server.

Server Name is protocol://FQDN:port/opensso-uri

So, I'm up and running. I have the following in my Active Directory Primary Server:
osso1.xxx.xxx.xxx.sg|ad1.xxx.xxx.sg:636
osso2.xxx.xxx.xxx.sg|ad2.xxx.xxx.sg:636

I configured the reverse for my Active Directory Secondary Server:

osso1.xxx.xxx.xxx.sg|ad2.xxx.xxx.sg:636

osso2.xxx.xxx.xxx.sg|ad1.xxx.xxx.sg:636

Theoretically, this will definitely work. I was wrong! There is a bug in OpenSSO 8.0 U2.

The method getServerMapAttr() in CollectionHelper class is not able to detect that there are multiple entries. What's worse is it is not able to parse the String with the "|" to return the appropriate Active Directory server.

The code simply gets the first entry without any parsing and tries to connect. And of course, "Unknown host" is thrown.

Luckily, the code for this method in OpenAM 9.5 looks good. I copied and finally fixed the issue.

Thank you, OpenAM!

An internal authentication error has occurred

2011-02-09T14:34:00.000+08:00

I am near the final milestone of this IAMS project - deploying the Production environment.

We have a custom Authentication Module for this enterprise Single Sign-On infrastructure. I have done it many times in the development and staging environment and they worked!

However, I keep getting "An internal authentication error has occurred" when this custom Authentication module is turned on.

No choice. I need to turn on the verbose logging and this is what is been captured in Authentication debug log - "unable to find LoginModule class"

Ok, I must have made a mistake during the registration of the auth module via ssoadm.jsp. I think I must have key in only the Java class name without the full package path.

So I went ahead with ssoadm.jsp again to register with a full package Java class name.

Restarted OpenSSO server just to play safe. No luck!

Hmmm.... I recalled that in the days of Sun Access Manager 6.x and 7.x, there was no such thing as registering an authentication module via ssoadm.jsp. We did it manually and one of the steps was to add in the Pluggable Authentication Module Classes in Configuration > Core.

So I went ahead to verify the entries. Jackpot!

Removing the last entry resolved the issue.

.

GlassFish + PostgreSQL server bundles

2011-01-26T23:41:00.001+08:00

I'm pretty curious about the Take-Up Rate of GlassFish with PostgreSQL database bundle. Download here.

It has been a long while since I last worked on PostgreSQL database. Ever since I grabbed a copy MySQL, I have never turned back. Ha!

.

Pain upgrading to Oracle iPlanet Web Server 7.0.10

2011-01-18T16:17:00.000+08:00

As part of the security/hardening measures of my current project, we are required to update every software component to the latest with patches.

It's time to say bye-bye to Sun Java System Web Server branding.

However, the upgrade experience wasn't pleasant... *Sigh*

Very strange - "Cannot upgrade the product from version 7.0U8 to 7.0.10"

How can it be? This is not how Sun product works ... Every release should have a proper upgrade path. It has always been so.

What's the hack then?

Step 1: Go to /appl/opt/webserver7/setup
Step 2: Edit WebServer.inf

Step 3: Remove 8 from PRODUCT_SP_VERSION

Step 4: Remove U8 from PRODUCT_FULL_VERSION

Step 5: Done

Welcome to Oracle iPlanet Web Server 7.0.10!

ESSO product from PasswordBank

2011-01-17T08:06:00.029+08:00

I have been involved with numerous SSO (Single Sign-On) projects - some of which are complemented by ESSO (Enterprise Single Sign-On) product.

Passlogix v-GO SSO was pretty popular. So popular that it's now being bought over by Oracle. So far, I have participated in 2 projects using Passlogix v-GO SSO. Pretty easy to configure if the user source is Microsoft Active Directory. A lot harder if Sun Directory Server is used as the user source. It's basically a Microsoft-centric product (my personal opinion).

Today, I came across a ESSO product from PasswordBank. Started in 2008, still a pretty young company.

This product differentiates itself by being able to support Desktop Platforms like Windows, Linux and Mac OS. This is something great! ESSO product has always been very Windows driven.

OpenSSO - Agents and Policies Entries in OpenDS

2011-01-14T14:27:00.000+08:00

For this on-going project which I have been in-charge of since last August, I have been playing around with Agents and Policies more often than my previous projects.

Ever wonder where the configuration for the Agents is in OpenDS?

Answer is ou=AgentService, ou=services, ... :

How about the Policies? Where are they stored?

Answer is ou=iPlanetAMPolicyService, ou=services, ... :

I find the latter most useful for me. Instead of creating policies via the OpenSSO Admin Console (which to me is pretty tedious), I'll go direct to OpenDS and edit the sunKeyValue for the xmlpolicy.

I'm lazy, maybe. :)

.

Active Directory Authentication Error via OpenSSO

2010-12-30T12:43:00.000+08:00

We have configured OpenSSO Authentication Service to perform authentication via Microsoft Active
Directory.

We know that Microsoft Active Directory is able to detect first-time-login, password expired, account locked, account disabled etc ...

However, by using the in-built Active Directory Authentication module in OpenSSO, it keeps displaying the same error "Invalid credentials" whenever any of the errors is encountered. This confuses the users a lot. It also gives administrator wrong impression of what exactly is the error.

If a manual search is performed, the following is what we get:

bash-3.00# ldapsearch -h 192.168.131.50 -p 389 -D "cn=cclow,cn=users,dc=central,dc=sg,dc=sun" -b "dc=central,dc=sg,dc=sun" -s sub "objectclass=*"
Enter bind password:
ldap_simple_bind: Invalid credentials
ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 773, v1771

bash-3.00# ldapsearch -h 192.168.131.50 -p 389 -D "cn=cclow,cn=users,dc=central,dc=sg,dc=sun" -b "dc=central,dc=sg,dc=sun" -s sub "objectclass=*"
Enter bind password:
ldap_simple_bind: Invalid credentials
ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 533, v1771

Microsoft Active Directory has this habit of sending back error messages in 2 lines. The 1st contains what I call it General Error Message. The 2nd will contain the Actual Error Message ("additional info").

In this 2nd line, you need to tokenizes the message to grab the part that contains ", data xxx,". This will give you the Exact Error Message.

ldap_simple_bind: additional info: 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext error, data 533, v1771

So we went ahead to develop our own custom Active Directory Authentication module, and we have the following mapping:

public static final String ERROR_FIRSTTIME = "773";
public static final String ERROR_PASSWORDEXPIRED = "532";
public static final String ERROR_ACCOUNTLOCKED = "775";
public static final String ERROR_ACCOUNTDISABLED = "533";
public static final String ERROR_ACCOUNTEXPIRED = "701";

.

To Configure the OpenSSO Enterprise Deployment Against Cookie Hijacking

2010-12-07T08:54:00.031+08:00

The OpenSSO Infrastructure which I had setup has just been configured to prevent Cookie Hijacking.

With this change, all my Policy Agents have to be re-configured. There's again this standard document from Sun. And once again, it disappoints me.

If your Policy Agents are deployed behind a load-balancer, then the above steps are not sufficient enough.

You'll get the following errors:

ERROR: Invalid Agent: Could not get agent for the realm

What's the complete steps to configure for Cookie Hijacking Prevention?

Step a and b:

Step c:

Change Agent Root URL for CDSSO from host-based FQDN to load-balancer FQDN.

Yahoo Mail Filter is back!

2010-12-04T12:07:00.000+08:00

I mentioned in my blog in February that I'm saying Goodbye to Yahoo Mail.

It has been a long while since I went into Yahoo Mail. I did that just.

The Filter feature is available now! Cool!

Backup OpenSSO Configuration Data in Embedded OpenDS

2010-12-01T17:26:00.001+08:00

OpenSSO 8.0 U2 comes bundled with a super old embedded OpenDS. (Version 1.0.2)

The current version of OpenDS is 2.2.

Anyway, that aside, the embedded OpenDS comes with a number of sub-folders left empty.

E.g. bin, classes, lib

Without the executables in bin directory, there is no way to backup the configuration data which are all stored in the OpenDS.

What's the workaround?

1. Go to the j2ee-modules in GlassFish application deployment directory

.../j2ee-modules/opensso/WEB-INF/lib

2. Copy OpenDS.jar and je.jar to lib directory in OpenDS

3. Go to OpenDS 1.0 website

4. Download the zip file (Note: Do not download the latest OpenDS 2.2 zip file. It will bomb.)

5. Upload _mixed-script.sh, _server-script.sh, _client-script.sh and _script-util.sh to lib directory in OpenDS

6. Upload to executables to bin directory in OpenDS

For me, I'm only interested in backup, export-ldif and status since my environment is going LIVE soon.

.

Load Balancer in Front of the Web Agent

2010-12-01T11:01:00.002+08:00

I continue to play with OpenSSO Policy Agent 3. This time round, I have 2 x Policy Agents deployed behind a load balancer. The Sun Web Server 7 acts as a Reverse Proxy to the backend GlassFish Application Server 2.1 running Sun Identity Manager.

Naturally, I'll follow the steps from Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for Web Agents. (Read here)

Oh mine!

The instruction was wrong and I spent a long time debugging the configuration steps. In the end, I had to read the source code for the Policy Agent for Sun Web Server 7.

The source was in C and C++. I'm never a C person. :) Another struggle.

The instruction to configure FQDN is OK.

Problems come when you start to read further down ...

If you map the above instruction to the UI in OpenSSO console (see below), you will never be able to find a way to configure the last property.

In fact, the instruction should simply be Enabled or Not enabled.

The last property is supposed to be "Enabled".

That's not all. There is another place where you need to make slight change:

The Agent Deployment URI Prefix should change from "Host-url/amagent" to "LB-url/amagent".

.

Confusing Oracle/Sun Solaris OS Versioning

2010-11-28T16:49:00.001+08:00

I'm always confused when I want to find out the exact release of the Solaris OS which I am working on.
If you do a "$ more /etc/release", you get something like below:

It's still very hard to relate 9/10 belongs to which release. I can relate more to U1, U2, etc... It's easier to track, at least for me.

Luckily, Wikipedia tracks it here.

Solaris 10 1/06 ("U1")
Solaris 10 6/06 ("U2")
Solaris 10 11/06 ("U3")
Solaris 10 8/07 ("U4")
Solaris 10 5/08 ("U5")
Solaris 10 10/08 ("U6")
Solaris 10 5/09 ("U7")
Solaris 10 10/09 ("U8")
Solaris 10 9/10 ("U9")

OpenSSO - Installing Policy Agent on Oracle/Sun Web Server 7

2010-11-26T11:29:00.000+08:00

I'm deploying a large-scale Single Sign-On infrastructure using OpenSSO for the local education ministry.

There is a Sun Web Server 7 performing a Reverse Proxy to a backend application, and we intend to deploy the OpenSSO Policy Agent on the web server.

There is a certain sequence to follow to ensure the Policy Agent works:

1. Install Sun Web Server 7

2. Install OpenSSO Policy Agent for Sun Web Server 7

3. Configure Reverse Policy to backend application

If you swap 2 with 3, the Policy Agent will not be able to intercept user access via the reverse proxy, thus render the Policy Agent useless.

Why?

Take a look at the object configuration file in the Web Server config directory.
(Note: Not obj.conf, but -obj.conf)

The /UpdateAgentCacheServlet and /dummypost/sunpostpreserve must precede reverse-proxy-/.

If you swap 2 with 3, you'll find that

reverse-proxy-/ precedes /UpdateAgentCacheServlet and /dummypost/sunpostpreserve.

If you to manually swap the sequence to make Policy Agent to work.

.

OpenSSO - Weird Policy Agent Naming Convention

2010-11-22T17:18:00.001+08:00

I have been playing around with OpenSSO Policy Agent for a few weeks - installing and uninstalling many times.

Policy Agent installer uses the convention Agent_nnn as the Agent instance name. The 1st instance will be named Agent_001; 2nd instance will be named Agent_002.

The weird behavior happens when you uninstall the 2nd instance and then you install again. Logically, one would want this re-installed instance to be named as Agent_002 again. (since this is really the 2nd instance on the same server)

Logical, no?

Sadly enough, the Policy Agent installer will skip Agent_002. It will rename this new instance as Agent_003, which is not acceptable to me!

What's the trick then?

Look for this hidden file in /sjsws_agent/data/.amAgentLookup

Before uninstall,

# Product Instances Translation Lookup File
Product_Instance_Count= 2
/opt/webserver7/https-ams.sso.mo.sg-1/config|= Agent_001
/opt/webserver7/https-ams.sso.mo.sg-2/config|= Agent_002

After uninstall,

# Product Instances Translation Lookup File
Product_Instance_Count= 2
/opt/webserver7/https-ams.sso.mo.sg-1/config|= Agent_001

The Policy Agent installer program was able to remove the line ending with "Agent_002", but was just to lazy to decrement the Product_Instance_Count from 2 to 1. I feel like kicking the developer who wrote this piece of code.

Nevertheless, to resolve the issue, manually set the value to 1 prior to re-install again.

.

OpenAM from ForgeRock

2010-11-14T12:49:00.000+08:00

I have been wanting to install OpenAM for a while, but didn't have the time to do so until now.

Nothing much have changed except the color scheme. It's now orange, instead of the blue which we are used to for a while. :)

A slight difference in one of the OpenAM Configurator steps - User Data Store Settings.

There are now 6 types of supportable User Data Store Types to choose from.

Once configuration is done, we are redirected to the Login Page as usual.

It's a nicer page! Welcome to OpenAM!

.

MySQL Latest Price List

2010-11-12T20:18:00.001+08:00

Oracle is giving you more support options, thus they need to collect more $ from you.

It's for your own good, my friend.

Oracle knows better than you.

.

Algorithm DES/ECB is not available from provider Cryptix

2010-11-11T14:06:00.001+08:00

I was tasked to port a very old Web Services application to Sun Glassfish Enterprise Server 2.1.1. This application uses a cryptography library from Cryptix. (Cryptix has been dead since 2005.)

On my development environment on MacBook, everything runs fine on Glassfish with JDK 1.6.0_16. However, when I ported to the production environment on Solaris 10, I kept getting the following error:

java.security.NoSuchAlgorithmException: algorithm DES/ECB is not available from provider Cryptix
at xjava.security.IJCE.getClassCandidate(IJCE.java:457)
at xjava.security.IJCE.getImplementationClass(IJCE.java:410)
at xjava.security.IJCE.getImplementation(IJCE.java:367)
at xjava.security.Cipher.getInstance(Cipher.java:489)
at xjava.security.Cipher.getInstance(Cipher.java:452)
at com.sun.moe.security.DESEncryptor.decrypt(DESEncryptor.java:133)
at com.sun.moe.login.AppLogin.main(AppLogin.java:80)

Very strange! After a long debugging session, I found the issue was with the JDK 1.6.x version.

I downgraded the JDK to 1.5.0_20 that shipped default with Solaris 10. It works!

I believe there must be some "tightening" done in this file in JRE, but I just cannot figure how to resolve it.

-bash-3.00$ cat /jdk/jdk1.6.0_16/jre/lib/security/sunpkcs11-solaris.cfg

#
# Configuration file to allow the SunPKCS11 provider to utilize
# the Solaris Cryptographic Framework, if it is available
#

name = Solaris

description = SunPKCS11 accessing Solaris Cryptographic Framework

library = /usr/lib/$ISA/libpkcs11.so

handleStartupErrors = ignoreAll

attributes = compatibility

disabledMechanisms = {
CKM_MD2
CKM_MD5
CKM_SHA_1
CKM_SHA256
CKM_SHA384
CKM_SHA512
CKM_DSA_KEY_PAIR_GEN
# KEY_AND_MAC_DERIVE disabled due to Solaris bug 6306708
CKM_SSL3_KEY_AND_MAC_DERIVE
CKM_TLS_KEY_AND_MAC_DERIVE
# the following mechanisms are disabled due to performance issues (Solaris bug 6337157)
CKM_DSA_SHA1
CKM_MD5_RSA_PKCS
CKM_SHA1_RSA_PKCS
CKM_SHA256_RSA_PKCS
CKM_SHA384_RSA_PKCS
CKM_SHA512_RSA_PKCS
# the following mechanisms are disabled to ensure backward compatibility (Solaris bug 6545046)
CKM_DES_CBC_PAD
CKM_DES3_CBC_PAD
CKM_AES_CBC_PAD
}

Anyone has an idea?

.

OpenSSO - High-Available Data Stores

2010-11-10T17:48:00.000+08:00

In a highly available setup, the OpenSSO Enterprise Server should connect to at least a pair of Data Stores.

When a failover kicks in, the following will be captured in IdRepo log file:

IdCachedServicesImpl.getAttributes(): null found all attributes in Cache.
LDAPv3EventService:11/10/2010 02:50:10:642 PM SGT: Thread[LDAPv3EventService,5,main]
WARNING: LDAPv3EventService.run() LDAPException received: randomID=1490605490
com.sun.identity.shared.ldap.LDAPException: Server or network error (81)
at com.sun.identity.shared.ldap.LDAPConnThread.networkError(LDAPConnThread.java:782)
at com.sun.identity.shared.ldap.LDAPConnThread.run(LDAPConnThread.java:567)
at java.lang.Thread.run(Thread.java:619)

LDAPv3EventService:11/10/2010 02:50:10:651 PM SGT: Thread[LDAPv3EventService,5,main]
LDAPv3EventService.dispatchAllEntriesChangedEvent() psIdKey=ds2.sso.mo.sg:1389 ds1.sso.mo.sg:1389o=Edu,c=SGo=Edu,c=SG(objectclass=*)
LDAPv3Repo:11/10/2010 02:50:10:651 PM SGT: Thread[LDAPv3EventService,5,main]
LDAPv3Repo.objectChanged: dn=null; changeType4; psIdKey=ds2.sso.mo.sg:1389 ds1.sso.mo.sg:1389o=Edu,c=SGo=Edu,c=SG(objectclass=*); allObjChanged=true; clearCache=true
idrepoListener:11/10/2010 02:50:10:652 PM SGT: Thread[LDAPv3EventService,5,main]
**********************************************
idrepoListener:11/10/2010 02:50:10:652 PM SGT: Thread[LDAPv3EventService,5,main]
IdRepoListener: allObjectsChanged Called!
amIdmJAXRPCServer:11/10/2010 02:50:10:679 PM SGT: Thread[LDAPv3EventService,5,main]
**********************************************

The failover works! Cool!

However, when the primary Data Store is up again, the OpenSSO Enterprise Server does not switch back from the secondary Data Store.

.

OpenSSO - Policy Agent Issue with Time Sync

2010-11-09T16:50:00.000+08:00

I was debugging a OpenSSO Policy Agent issue for a customer. He has deployed the Policy Agent for Sun Java Systems Web Server 7.

The application which resides on the Web Server 7 gets protected Policy Agent and redirected to the OpenSSO Login Page. However, when he keyed in valid username and password, the browser kept hanging on the OpenSSO Login Page.

From the Policy log in OpenSSO Enterprise Server, I noticed that there was lot of communications between the agent and the server (even though the browser looks "hang" on the Login Page). The following segment keeps repeating.

From the amAgent log, I noticed the following:

2010-11-09 14:41:47.618 Warning 25919:815c858 ServiceEngine: Service::getPolicyResult():Result size is 0,tree not present for http://ok.sso.mo.sg:8080/index.html

2010-11-09 14:41:47.618MaxDebug 25919:815c858 AM_POLICY_SERVICE: am_policy_compare_urls(): compare usePatterns=true returned 0
2010-11-09 14:41:47.618MaxDebug 25919:815c858 AM_POLICY_SERVICE: am_policy_compare_urls(): compare usePatterns=true returned 4
2010-11-09 14:41:47.618 Debug 25919:815c858 all: Policy time stamp for resource http://ok.sso.mo.sg:8080/* is (1289284876056000)2010-11-09 14:41:16.056.
2010-11-09 14:41:47.618 Info 25919:815c858 all: Policy node http://ok.sso.mo.sg:8080/* marked stale due to time out.

Something is fishy. This has something to do with time sync.

I checked and confirmed that the 2 servers (OpenSSO Enterprise Server and the Web Server) were in different time zone. I tweaked with NTP and made them sync with the same clock.

Re-run and the policy agent works like a charm!

.

Sun Access Manager 7.1 - Password Retries Exceeded Issue

2010-10-30T10:22:00.001+08:00

I have a customer in Thailand asking me for help with regard to a weird error message when he tries to login after his password retries have exceeded.

He was warned of account lockout prior to his max password retries count. This is what he expected. Good.

However, "Authentication failed" error message is shown when he really exceeded his max password retries count. He was expecting "Password retry limit exceeded". No Good.

I did a search in amAuthLDAP.properties:

#ExceedRetryLimit=Exceed password retry limit. Please try later.
ExceedRetryLimit=Authentication failed.

That explains why. This is more for security/auditing purpose. These days, auditors advise customers not to reveal too much to end-users when they encounter login failure.

.

OpenSSO - WebtopNaming Error

2010-10-28T11:11:00.002+08:00

I was trying to configure a Site for my 2 OpenSSO Enterprise Servers and I hit the famous WebtopNaming error as shown below:

Servlet /opensso threw load() exception
java.lang.StackOverflowError
:
at java.util.concurrent.locks.ReentrantReadWriteLock$ReadLock.lock(ReentrantReadWriteLock.java:594)
at com.iplanet.am.util.SystemProperties.get(SystemProperties.java:252)
at com.iplanet.am.util.SystemProperties.get(SystemProperties.java:329)
at com.iplanet.services.naming.WebtopNaming.getServerID(WebtopNaming.java:620)
at com.iplanet.services.naming.WebtopNaming.getServerID(WebtopNaming.java:594)
at com.iplanet.services.naming.WebtopNaming.updatePlatformServerIDs(WebtopNaming.java:1186)
at com.iplanet.services.naming.WebtopNaming.updateNamingTable(WebtopNaming.java:1111)
at com.iplanet.services.naming.WebtopNaming.getNamingProfile(WebtopNaming.java:995)
at com.iplanet.services.naming.WebtopNaming.getServerID(WebtopNaming.java:658)
at com.iplanet.services.naming.WebtopNaming.getServerID(WebtopNaming.java:594)

There could be many scenarios that can cause this problem. Mine is kind of stupid today.

I was careless in appending an additional "/" to "/opensso". Be careful!

OpenSSO - Manual configuration

2010-10-25T18:51:00.000+08:00

I was trying to configure OpenSSO Enterprise Server manually without using the GUI Configurator.

The following error was encountered:

-bash-3.00$ java -jar /dist/osso/tools/config/configurator.jar -f /dist/osso/tools/config/osso1-config

Not Found

Configuration failed!

What an unfriendly error message! What is "Not Found"?

It was only after a while then I realized I have forgotten to deploy the opensso.war into my Glassfish container. How careless I was!

So here we go again:

-bash-3.00$ opt/gf211/bin/asadmin deploy --user admin --port 7878 --secure /dist/osso/opensso.war
Command deploy executed successfully.

-bash-3.00$ java -jar /dist/osso/tools/config/configurator.jar -f /dist/osso/tools/config/osso1-config
Checking configuration directory /sso/var/opensso....Success.
Installing OpenSSO configuration store...Success RSA/ECB/OAEPWithSHA1AndMGF1Padding.
Installing OpenSSO configuration store in /sso/var/opensso/opends...Success.
Creating OpenSSO suffix...Success.
Tag swapping schema files....Success.
Loading Schema am_sm_ds_schema.ldif...Success.
Loading Schema am_remote_opends_schema.ldif...Success.
Loading Schema fam_sds_schema.ldif...Success.
Reinitializing system properties....Done
Registering service amEntrySpecific.xml...Success.
:
:
Configuring system....Done
Configuring server instance....Done
Creating Web Service Security Agents....Done
Setting up registration files....Done
Configuration complete!

Nevertheless, I still think that we can do better with a friendlier error message.

How to import SSL certificates into JVM trust store?

2010-10-18T22:42:00.001+08:00

I was trying to set up OpenSSO Distributed Authentication UI (DAUI) server on Sun Web Server 7 (aka Oracle iPlanet Server) to communicate with my backend OpenSSO Enterprise Server. The OpenSSO Enterprise Server is SSL-enabled for security reason.

In our development environment, we install self-signed certificate onto the Glassfish Application Server that hosts the OpenSSO Enterprise Server.

In order for DAUI to communicate securely with the OpenSSO Enterprise Server, we need to import the self-signed CA certificate into the Sun Web Server JVM.

The task can be daunting for people who do not play with SSL day-in-day-out.

Luckily, I found a very useful blog. Amazing! Wrote in 2006, still works like a charm in 2010!

Thank you, Andreas!

Alternative SyncML Client

2010-10-11T21:51:00.000+08:00

Besides Synchronica and NotifyLink, there is now another SyncML client alternative from Synthesis AG.

Synthesis SyncML Clients for mobile devices (PDA) bring SyncML compatibility to widespread mobile OS platforms like iOS (iPhone, iPad, iPod touch), Android, PalmOS and Windows Mobile.

This allows mobile over-the-air (OTA) synchronisation with any compliant SyncML server (such as GooSync.com, SyncWise, Oracle Calendar and Beehive, eGroupware, Horde, WinFonie, SyncEvolution, MDaemon, OpenXchange, DeskNow, ScheduleWorld.com, O-Sync and many many more)

It offers free evaluation copy. I have not personally tried it yet, but will do so when I have the bandwidth.
Anyone has any review on this product? I would like to hear from you.

.

Gmail Priority Inbox

2010-09-22T19:34:00.000+08:00

When Gmail launched Priority Inbox, I was initially not interested. That's why I did not enable the feature until today.

To know more about how Priority Inbox works, read here.

I just enabled it while having a lengthly meeting in a customer's site. I'm just impressed!

With Priority Inbox, there is this little section right at the top of your inbox (highlighted in RED). To me, it looks like a simple Executive Summary. So simple, so convenient.

Blackberry Email & Calendar Sync with Sun Communications Suite

2010-09-15T13:51:00.001+08:00

I just finished installing Sun Calendar Server to a customer's existing Sun Messaging Server infrastructure over the weekend in the Philippines.

Some of their directors use Blackberry. With the newly installed Calendar Server, they hope to sync their Blackberry devices.

I told them there are 2 approaches.

Approach 1: Blackberry sync with Outlook via USB

a. Install Sun Java System Connector for Microsoft Outlook
b. Sync Mail & Calendar from Sun Comms Suite 6u2 (Mail & Calendar) with Outlook
c. Sync Blackberry with Outlook via USB

Supported OS
Runs on Microsoft Windows 2000 (SP3 or higher), Windows XP (SP1 or higher), Windows 2003 Terminal Server, and Windows Vista

Supported Outlook
Supports Microsoft Outlook 2003 and 2007

Read here.

Approach 2: Blackberry sync over-the-air

a. Purchase NotifyLink Enterprise Server
b. Install and Configure to connect to Sun Comms Suite 6u2 (Mail & Calendar)
c. Blackberry sync with NotifyLink over-the-air

Read here.

Note: If users only want to "sync" email with Sun Messaging Server with Outlook, no connector is required. It works out-of-the-box via POP or IMAP protocol.

.

OpenSSO Identity Services

2010-09-08T17:46:00.000+08:00

Besides Policy Agent that performs authentication and authorization, OpenSSO offers Identity Services to helps authenticate users who access protected applications.

The Identity Services are accessible via SOAP/WSDL and REST.

Basically, no difference from those offered by Policy Agent:

Authentication and Single Sign-on — Verification of user credentials
Authorization — Permission for authenticated users to access secured resources
Provisioning — Creation, deletion, search, and editing
Log — Ability to audit and record operations

The only difference is developers have to code by themselves to achieve the above 4 functionalities.
More flexibility if you look at it positively. Of course, more effort required.

.

OpenSSO Data Stores

2010-08-30T22:00:00.000+08:00

There are a few data stores which we need to configure in OpenSSO.

1. Authentication Data Store assists in users' authentication

2. Identity Data Store holds the users' profiles

Usually, there is a 1-to-1 mapping between a user in the authentication data store and a user in the identity data store
Authentication data can also be stored together with Identity Data Store
i.e. The Sun LDAP is used for both Authentication and Identity
The reserve is also true: Active Directory can be configured for both purposes

3. Configuration Data Store is used for storing service configuration data and other information pertinent to the server's operation. Policies are also stored here.

We used to store Configuration data in Sun LDAP as well
However, since version Access Manager 8.x (aka OpenSSO 8.x), these data is now stored in the embedded OpenDS.
This embedded OpenDS makes configuration for high-availability easier - less work to do

Difference between Web and J2EE Policy Agents

2010-08-29T11:42:00.000+08:00

In OpenSSO, there are 2 types of Policy Agent to choose. Customers always get confused on which type and on which tier to deploy in their environment.

The following diagrams illustrates clearly. Based on the Selection Criteria, Web Policy Agent will be deployed on the Web tier.

J2EE Policy Agent will be deployed on the Application tier.

PS: If J2EE Policy Agent is deployed on the Application tier, there is no need for Web Policy Agent to be deployed on the Web tier. Simply allow the pass-through on the web server and let the Policy Evaluation be carried out on the Application tier.

.

OpenSSO and Enterprise SSO Selection Criteria

2010-08-26T12:34:00.003+08:00

I have been busy involving in the design of a Single Sign-On (SSO) and Enterprise Single Sign-On (ESSO) solution for a local ministry.

They have a few hundreds applications (web-based and non web-based). Thus we need to have a concise selection criteria for them.

There are 2 types of policy agents available from OpenSSO:

1. Web Policy Agent

2. J2EE Policy Agent

In order to integrate applications for Single Sign-On with OpenSSO, they must be:

1. web-based

2. authenticate with a common authentication repository

3. supported by available policy agents from OpenSSO

If applications are customizable, Web Policy Agent will be chosen. Otherwise, if applications are pure J2EE-based that utilize the Java Authentication and Authorization Service (JAAS), then J2EE Policy Agent will be chosen.

If the above 2 criteria cannot be met, then ESSO will be chosen.

Automatic spam detection for comments

2010-08-26T08:20:00.000+08:00

Salute to Blogger! There is now a feature to automatically detect spam for comments ...

I love this feature since I have been spending time manually removing spammed comments for the past months.

.

Oracle Directory Services Directory Server Enterprise Edition 11gR1

2010-08-13T01:48:00.000+08:00

Sun Directory Server Enterprise Edition (DSEE 7.0) has now been rebranded as Oracle Directory Services Directory Server Enterprise Edition 11gR1. It is now part under the Oracle Fusion Middleware umbrella.

Read here.

.

OpenSSO Distributed UI Server & Windows Desktop SSO

2010-08-10T20:12:00.001+08:00

For security reason, OpenSSO Distributed Authentication UI Server is recommended to "front" the OpenSSO Server that sits behind the firewall. For better performance, you can deploy multiple DAUI Servers with multiple OpenSSO Servers.

However, do note that if you deploy a Distributed Authentication UI Server in front of your protected OpenSSO Server, then Windows Desktop SSO is not supported.

Read here.

.

How to disable SSL on Sun Directory Server?

2010-07-23T08:29:00.011+08:00

I got a call from my customer asking how to manually disable the SSL on his faulty Directory Server.

Edit dse.ldif. Locate dn: cn=config:

nsslapd-security: on
nsslapd-secureport: 636

Solution:

1. Stop Directory Server

2. Remove the above 2 lines

3. Add the following line:

nsslapd-security: off

4. Start Directory Server

Done!

Why a Directory Consumer is not read-only? - Part II

2010-07-22T08:31:00.002+08:00

Continue from my previous post ...

Master: ds-master.singapore.sun.com:389
Consumer: ds-slave.singapore.sun.com:1389

Let's perform a modification operation on the Consumer. I modified the entry for CLow2.

Below is what you'll observe in the access log of the Consumer:

[20/Jul/2010:02:26:28 +0800] conn=0 op=99 msgId=2098 - MOD dn="uid=CLow2,ou=People,dc=singapore,dc=sun,dc=com"
[20/Jul/2010:02:26:28 +0800] conn=0 op=99 msgId=2098 - RESULT err=10 tag=103 nentries=0 etime=0

The consumer rejects modification operation (err=10). It kicks started the referral process to redirect the MOD request to the master.

Below is what you'll observe in the access log of the Master:

[20/Jul/2010:02:26:28 +0800] conn=63 op=1 msgId=2100 - MOD dn="uid=CLow2,ou=People,dc=singapore,dc=sun,dc=com"

[20/Jul/2010:02:26:28 +0800] conn=63 op=1 msgId=2100 - RESULT err=0 tag=103 nentries=0 etime=0

The master process the modification request successfully (err=0).

Below is the dse.ldif file on the Consumer:

dn: cn="dc=singapore,dc=sun,dc=com",cn=mapping tree,cn=config

objectClass: top

objectClass: extensibleObject

objectClass: nsMappingTree

cn: "dc=singapore,dc=sun,dc=com"

nsslapd-backend: userRoot

nsslapd-referral: ldap://ds-master.singapore.sun.com:389/dc%3Dsingapore,dc%3Dsun,dc%3Dcom

nsslapd-state: referral on update

modifiersName: cn=server,cn=plugins,cn=config

modifyTimestamp: 20090923115909Z

numSubordinates: 1

Below is the dse.ldif file on the Master:

dn: cn="dc=singapore,dc=sun,dc=com",cn=mapping tree,cn=config

objectClass: top

objectClass: extensibleObject

objectClass: nsMappingTree

cn: "dc=singapore,dc=sun,dc=com"

nsslapd-state: backend

nsslapd-backend: userRoot

Why a Directory Consumer is not read-only?

2010-07-21T14:16:00.001+08:00

This is an interesting question.

In my customer's environment, he has a pair of Sun Directory Servers acting as Masters. The data in the pair is kept in-sync via Multi-Master Replication (MMR).

There are 4 Sun Directory Servers acting as consumers. The data are replicated from the 2 Masters.

Recently, he found out that when he modifies entries on any of the Consumers, the modified entries are updated to the Masters!

This violates the concept of a Consumer, according to what he understands of the term.

Well, let's take a close look at the following diagram:

The diagram illustrates a Master-Consumer deployment architecture.

Did you notice there is a dotted arrow pointing from the Consumer back to the Master? This is the Referral that is causing the "side-effect".

Ok, it's not "side-effect". It's a product feature of Sun Directory Server.

Whenever there is a modification request on the Consumer, the Referral will redirect the request back to the Master. The Master will be the one that actually updates the entries. The Consumer can never process a modification request, it can only perform a search request.

OpenSSO Multi-Servers Mode

2010-07-17T08:29:00.022+08:00

There are at least 2 data stores in OpenSSO - Configuration and User data stores.

The older version of OpenSSO, which is Sun Java System Access Manager, does not utilize an embedded Configuration Data Store. As such, we usually utilize the same Sun Java System Directory Server to store both the configuration and users information. (unless, the users information are stored in Active Directory)

In OpenSSO, OpenDS is embedded to store Configuration information. It comes pre-installed with every OpenSSO bundle.

In fact, the recommended deployment approach is not to change this embedded data store.

Using the OpenSSO Enterprise embedded configuration data store can lower response time and ensure service availability when machine failure occurs.

What I like about this embedded data store is: if you scale by adding another node, there is nothing you need to do to ensure the configuration information are replicated and always in-sync. Replication is taken care of, transparently.

Nice!

.

OpenSSO Authentication and Authorization Interactions

2010-07-11T08:22:00.011+08:00

While refreshing myself with OpenSSO, I came across this diagram that illustrates very clearly how OpenSSO and Policy Agent operates in a Access Control environment.

I love diagram that is simply, yet tells a complete story of a product's capability.

How to reset DSCC Directory Service Manager password?

2010-07-09T08:08:00.088+08:00

I was with a customer the other day. He has another Sun Directory Server setup by another vendor long time ago. He attempted to login to DSCC, but he was not able to remember the "admin" (Directory Service Manager) password.

Some forums I searched talked about resetting the Service Manager password via the DSCC console. What a joke! :) I can't even login, how am I able to reset password via DSCC console?

Changing password via DSCC console

There are 2 ways to resolve this issue:

1. To dismantle and initialize DSCC again

bash-3.00# ./dsccsetup dismantle
:
bash-3.00# ./dsccsetup initialize
:
Registration is on-going. Please wait...
DSCC is registered in Sun Java(TM) Web Console
:
DSCC agent has been successfully registered in Cacao.
***
Choose password for Directory Service Manager:
Confirm password for Directory Service Manager:
Creating DSCC registry...
DSCC Registry has been created successfully
***

Simple. But of course, previous configuration of registered servers are gone. You need to register again.

2. Change password via CLI

Some basic concepts first.

bash-3.00# ./dsccsetup status

***

DSCC Registry has been created

Path of DSCC registry is /var/opt/SUNWdsee/dscc6/dcc/ads

Port of DSCC registry is 3998

***

DSCC configuration are stored in a LDAP database at port 3998
Service Manager is known as cn=admin,cn=Administrators,cn=dscc in this LDAP database (see screenshot above)
"cn=Directory Manager" credential is required to modify the Service Manager password
The funny thing is the default password for "cn=Directory Manager" is the same as Directory Service Manager. (see dsccsetup initialize above. the steps are so simple. it assumes both to have the same password)

So we need to perform 2 steps:

Step 1 - Change the Directory Manager password

bash-3.00# /opt/SUNWdsee/ds6/bin/pwdhash -D /var/opt/SUNWdsee/dscc6/dcc/ads -s SHA password2
{SSHA}qFcXDQCKZ4u4GyrM8Uw4uGOHdsnVPP9MaC0WeQ==

bash-3.00# cd /var/opt/SUNWdsee/dscc6/dcc/ads/
bash-3.00# ./stop-slapd
bash-3.00# cd /var/opt/SUNWdsee/dscc6/dcc/ads/config
bash-3.00# cp dse.ldif dse.ldif.OLD
bash-3.00# vi dse.ldif
At dn: cn=config
Replace:
nsslapd-rootpw: {SSHA}guaZfnFtTHeT8EpWpBhuRlBCMLWpdgt0tBvfBw==
with:
nsslapd-rootpw: {SSHA}qFcXDQCKZ4u4GyrM8Uw4uGOHdsnVPP9MaC0WeQ==

bash-3.00# ./start-slapd

Step 2 - Change the Service Manager password

bash-3.00# ldapmodify -p 3998 -D "cn=Directory Manager"
Enter bind password:
dn: cn=admin,cn=Administrators,cn=dscc
changetype: modify
replace: userPassword
userPassword: password2 <-- Rest assured. This password will be hashed during modification.

modifying entry cn=admin,cn=Administrators,cn=dscc

Done!

.

DSCC deployment with firewall

2010-07-08T08:43:00.026+08:00

In a production environment, there are always firewalls. This is for sure.

Below is a typical deployment of a pair of Sun Directory Servers deployed in 2 data centers. They are configured for Multi-Master Replication (MMR).

This deployment is simple. Only port 389 (bi-directional) is required to be enabled on the firewall.

Now, if the Administrators are all stationed in Data Center 1 where DS 1 is and they would like to manage all Directory Servers via DSCC (Directory Server Control Control), we have a challenge.

We need to understand how DSCC, Cacao and Directory Server works.

Basically, DSCC manages Directory Server instances through Cacao agent. On each physical server where Directory Server is installed, we need a Cacao agent installed as well. This agent runs on port 11162 by default.

Now, if we make changes to the Directory Server configuration, there is a need to update the DSCC registry. This ensures the states are kept intact. DSCC registry runs on port 3998 and 3999 (SSL) by default.

So, what do we need to configure on the firewall?

Port 11162 (uni-directional) from DS1 to DS2
Port 3998 and 2999 (uni-directional) from DS2 to DS1
Port 636 (bi-directional) <- for starting/stopping Directory Server via DSCC (Thanks, Teck Meng!)

Bind to specific IP address for Sun Directory Server

2010-07-07T13:29:00.001+08:00

Some customers have powerful machines. It would be a waste to install a single instance of Sun Directory Server on each machine.

When you have more than 1 instance of Directory Server running, you'll end-up having the following architecture most of the time. Port 389 will be assigned to the 1st instance; while Port 1389 will be assigned to the 2nd instance.

Some application developers do not like to use port other than 389. Or corporate policy does not encourage that. I have encountered customers who dictate Directory Service to be only served via port 389, and nothing else.

So, we'll end up having to redesign the architecture to be the one shown below:

Now, the prerequisite is that the machine has to either support multi-home or have more than 1 NIC interface. This is to ensure that port 389 will not clash when both instances attempt to start.

In addition, we need to add the following entries into the dse.ldif for DS1 and DS2.

nsslapd-listenhost: ip-address-[1,2]
nsslapd-securelistenhost: ip-address-[1,2]

Remember to stop DS first; add entries; start DS.

Note: By default, both entries are missing from dse.ldif, which implies 0.0.0.0 is taken as default value.

.

Disallow anonymous access to Sun Directory Server

2010-06-25T08:02:00.033+08:00

I received an email from my customer a week ago.

Even when a new instance is created, the default ACI allows anonymous to access this? Any ideas?

My reply below:

Yes, Sun Directory Server is built as-such. It behaves like a "Yellow Pages" sort-of. E.g. In a corporate directory server, anyone can search for anyone by default, with the exception of password.

This site from IBM explains better than me.

Searching a directory is similar to looking up a name in the white or yellow pages of a telephone directory. If the name of a particular individual object is not known, the directory can be searched for a list of objects that meet a certain requirement.

So we know that, by default, the Directory Server is accessible anonymously.

How can we disable this function?

Very easy. I did the following for another customer of mine in Thailand.

Remove the following segment in 99user.ldif in the config/schema directory

dn: o=XXX aci: (target ="ldap:///o=XXX")(targetattr !="userPassword")
(version 3.0;acl "Anonymous read-search access"; allow (read, search, compare) (userdn = "ldap:///anyone");)

Easy. But do remember to stop/start the Directory Server.

.

Oracle Directory Server in YOG

2010-06-24T15:54:00.000+08:00

I just received a call from my counterpart in Oracle (ex-Sun) asking for my availability in AUG to support a critical Directory Services infrastructure.

I was curious and probed further...

... and I was told that the YOG (Youth Olympic Games) that is going to be held in Singapore is using Oracle Directory Server (aka. Sun Java System Directory Server) and my service might be required.

It's my honor definitely.

However, I have a national obligation (aka Reservist) during that period of time. If time permits and the money is right, I'll try to make myself available. I'll talk to my boss in the Army. Ha. :)

.

Sun Software Product Map - Part III

2010-06-21T09:33:00.000+08:00

If you take a good look at the list, you'll notice that OpenDS is missing.

FYI, there is a commercial version of OpenDS - Sun OpenDS Standard Edition.

From what I know, Oracle is still defining the strategy for OpenDS. Until then, we do not know what will happen to OpenDS.

A lot of development work has been poured into OpenDS. It's a total rewrite in Java from Sun Java System Directory Server. I'm keeping my fingers crossed.

By the way, Directory Service is another strength of us. So we'll be watching closely on the development of OpenDS.

.

Sun Software Product Map - Part II

2010-06-19T08:45:00.049+08:00

Sun Java System Portal Server

Sun Java System Portal Server is completed discontinued.

Sun Portal Server brings me very good memory. This is the very first product we deployed in Philippines when we become Sun Partner 6 years back. Subsequently, we deployed many more instances. It's selling well in Philippines.

In Singapore, we still have a few Sun Portal Servers running. I deployed 2 instances in S'pore and am currently supporting one of them.

Goodbye, my dear friend.

Sun Java System Web Server

Sun Java System Web Server and Web Proxy Server have been rebranded to Oracle iPlanet Web Server and Oracle iPlanet Web Proxy Server.

Welcome back, iPlanet! History of iPlanet here.

iPlanet has come a long way ...

iPlanet ... Sun ONE ... Java Enterprise System ... Sun Java System ... iPlanet

Sun Java System Identity Manager

Sun Java System Identity Manager is now Oracle Waveset. (Waveset IdM was bought over by Sun)

Oracle is keen on pushing it's own Oracle Identity Manager. Thus there is no choice but to discard Sun Identity Manager. Sun Role Manager (bought over from Vaau), which was supposed to be integrated with Sun Identity Manager, is now rebranded as Oracle Identity Analytics. Most likely it will be used to integrate/complement Oracle Identity Manager.

Unlike Sun Portal Server, Oracle Waveset is kept. I can only guess that we have a few local banks currently using it. A huge ministry has just awarded a tender and the key component is Oracle Waveset.

In the Asia region, a few Thai banks are also customers of Oracle Waveset to my knowledge.

.

Sun Software Product Map

2010-06-18T16:11:00.001+08:00

The name "Sun Java Systems Communications Suite" is now history.

Communications Suite is one of the products we are very strong in.

I just find it weird that Sun Messaging Server has been rebranded as Oracle Communications Messaging Exchange Server.

Do we really need that word?

PS: The full listing here.

Red Condor Archive

2010-06-16T13:41:00.004+08:00

It has been a while since I last looked at Red Condor. (Read here)

Red Condor released a new product offering last October - Red Condor Archive.

A secure message archiving service that helps organizations meet compliance regulations, e-discovery support requirements, and data storage and management best practices.

Key benefits of Red Condor Archive include:
* Archiving of all inbound and outbound messages, internal and external
* Unlimited storage at no additional cost
* All data searchable at all times
* Preservation of data
* Easy to use interface
* Instant set-up
* Replication to multiple data centers
* Role-based Administration Dashboard
* Individual End User search

Read more here.

I am always curious how a company can sustain its business by providing unlimited service/storage at no additional cost.

There can only be 2 explanations:
1. My maths is poor;
2. I have not been in this business long enough

PS: Red Condor is not the only company offering unlimited storage at no additional cost.

.

One inbox for every citizen

2010-06-15T14:25:00.004+08:00

My colleague brought me to attention a grand vision made by the Singapore Government:

ALL residents will have an online mailbox to which various Government agencies will send statements and bills from tax statements to TV license renewals and service and conservancy bills. Called OneInbox, this service will be launched by 2012.

The Straits Times 14-Jun-2010

It is indeed very daring - imagine all the old uncles and aunties having to learn how to use computers to read emails, just in case they get penalized for late payments. :)

Joke aside, I am more curious on which software vendor will get chosen for this tender?

Will it be Microsoft for it's Exchange Server again? (Since the Singapore government is pretty pro with anything Microsoft)

Will it be IBM for it's Lotus Notes? (I doubt so as it is pretty costly)

Will it be Oracle/Sun for it's Sun Java System Messaging Server? ( SJS MS used to be relatively cheap under Sun. The pricing is slightly different now though :> Technically wise, it is a ISP-grade software, thus making it very suitable for this deployment )

I personally do not think the Government will go for any cloud service like Goggle Gmail, Microsoft BPOS, or IBM LotusLive. I'll be surprised if one of these 3 wins the deal.

jQuery should be easy to implement

2010-06-10T08:15:00.063+08:00

The social-network-driven portal based on LifeRay is still under development. (Read here and here)

LifeRay uses jQuery intensively. I was tidying up the Contact Us page yesterday. This page is a static HTML page and has nothing to do with LifeRay.

But in the pursuit for consistent look-and-feel, I decided that validation of the form and display of success/error messages should be the same as what one will experience when he logs into LifeRay portal. So jQuery is the way to go!

The Contact Us form is so simple, yet it took me a long while to make it work using jQuery.

Maybe I'm too old for new technology. Ha! :) I could not find a good example on the web of the 2 things I want to achieve.

The 2 things are so simple, mind you.

1. Validate fields once "Submit" button is clicked

2. If the fields are valid, perform a form submission

Difficult?

I struggled for quite some time and finally found the solution.

The codes below should be good enough for 80% of JavaScript developers and should be able to digest and implement in 5 mins.

1. jQuery Scripts Download

Download the latest copy of jQuery from here. (rename the script as jquery-latest.js)
Download the latest copy of jQuery plugin: Validation from here. (rename the script as jquery.validate.js)

2. Insert the following script between the head HTML tags

That's it. Done!

Do you need to write special code in the form section for jQuery to kick into effect? No.

Take a look at my form. There is no reference to jQuery at all.

The following is what you will see if there is an error.

PS: The tricky part for me is how to perform a form submission. Should be form.submit(); and not $("#myForm").submit();

.