Monday Feb 15, 2010

Web Server 7.0 appears to be consuming more CPU than Web Server 6.1

The increase in memory usage could be due to the 'auto-tuning' 
    functionality that was introduced in Web Server 7.0U2. (But not yet documented)
    This feature will set some of the servers parameters based on number of CPU's, 
    file descriptors, etc of the actual machines.
    It is possible to see what these are being auto-tuned to by setting the 
    log level to finest, and restarting each server.

    They should see differences between the two boxes.

    The one best thing that can be done is run perfdump to see how much of 
    the set resources are actually being used.  Once you have those figures, you
    can then manually set these values in the server.xml file, which will 
    override any auto-tuning values.

    Web Server 7.0 will definitely require more memory than 6.0, 
    basically because it's architecture is very different.

    So in recap you would want to start by setting the log level to finest 
    on both servers, enabling perfump and restarting them. Then gathering 
    some perfdump data as the memory usage reaches its high levels.  This should 
    allow some thoughts for settingl initial values you might want to set 
    these parameters to.

How to establish NTLM based authentication to a Microsoft based system such as Sharepoint or Outlook Express with Proxy Server 4.0

    Firstly, Ensure that you are running with Proxy Server Version 4.0.13 or higher
(if available). A bug was noted in earlier releases which limited the functionality
of operation of the proxy server within an NTLM authentication scheme.

The bug id is: 6897536

The bug says that the proxy should present the following in the request header:

A proxy that correctly honors client to server
authentication integrity will supply the "Proxy-support: Session-
Based-Authentication" HTTP header to the client in HTTP responses
from the proxy.

Additionally, in order to configure the proxy to work with NTLM authentication,
it will ALSO be necessary to ensure the following configurations are set:

- This feature is disabled by default, and needs to be enabled using
the "PairedConnections" boolean flag in magnus.conf. Set this to TRUE

- The proxy will issue a "Proxy-support: ..." header only if the server's response headers contain a "WWW-Authenticate: NTLM" header.

Wednesday Dec 02, 2009

If Datastore notifications are disabled in OpenSSO, will these changes be immediately reflected?

If one has Sun Identity Manager making changes to the user datastore, if one disables datastore notifications will these changes be reflected in Opensso?

No, if datastore notifications are disabled through OpenSSO, then changes made to the user datastore via the Identity Manager would not be reflected in OpenSSO until OpenSSO is restarted.  The "Server Properties" section of, may provide an alternate to use of datastore notifications for updating the server's cache.  

Tuesday Jun 30, 2009

Want an easy way to determine the version of OpenSSO you are running?

A simple way to get version and patch information from OpenSSO 8 is from the browser itself.

A built in application allows for this operation simply by entering the following:


You will receive a response back similar to the following:

Enterprise 8.0 Build 6(2008-October-31 09:07)

Wednesday Jan 28, 2009

How to truncate the request URL written to the Web Server 6.1 access log.

Q:  How can I trim the request line written to the access logs so that the whole
    URL is not written but only a piece?

    This can be an important consideration where there is the possibilit that
    sensitive data such as a password may be written to the log files in
    clear text.

example line written to access log: - - [26/Jan/2009:20:53:04 -0500] "GET

and here is what we would like to see:


A:  To accomplish this for a single particular URL as is listed the following
    can be performed:

<Object ppath="\*(\*/ABC/sign/\*)">
AuthTrans fn="set-variable" set-reqpb="clf-request=/ABC/sign/"

The above has the effect of rewriting the clf-request in the access logs
to change it to just /JSO/sign/

This solution will work for one particular URL but to do this for all URL's
it would require the creation of an NSAPI filter.

Thursday Jan 15, 2009

Unable to log in as Admin to the AM 7.1 Console

Q:  I am seeing the following: when trying to login
via amAdmin/passwd to the AM 7.1 sp1 console:

Here is what was written to amAuthentication.error when i tried to login to the
Access Manager admin console:

bash-3.00# more amAuthentication.error
"2008-12-29 14:47:31"   "Login Failed"  amAuthentication.error  AUTHENTICATION-2
00      dc=sysops,dc=iimage,dc=com       "Not Available" INFO    uid=amadmin,ou=
people,dc=sysops,dc=iimage,dc=com    "cn=dsameuser,ou=DSAME
"2008-12-29 14:47:31"   "Authentication Module Denied"  LDAP    AUTHENTICATION-2
00      dc=sysops,dc=iimage,dc=com       "Not Available" INFO    uid=amadmin,ou=
people,dc=sysops,dc=iimage,dc=com    "cn=dsameuser,ou=DSAME

A:  Here are the things to check... 

1) confirm that AMSDK could talk to the DS via:

/amadmin -u amadmin -w  -m

2) Make sure that the user amAdmin is in the people container

This problem can crop up if you use the tools on DS to create
the amAdmin users and others.

In this case it is best to use the installer and allow
the JES installer to take the defaults with the exception
of the port numbers and URL's for AM 7.1 sp 1 and DS and
then try the login.

These action require a reinstall of the product.

Tuesday Dec 30, 2008

Is there a way to dynamically set the "Expires" header using WebServer 6.1?

Q: Is there a way to dynamically set the "Expires" header using WebServer 6.1?

A; The answer is "yes" and "no".  Out of the box, this functionality
   is not available for Web Server Version 6.1 (or earlier releases
   for that matter).  A blog site at SUN however does reference some
   other sites that outline how to do this via a customized approach.
   Please see:

   <a href=""> </a>

   ...and note that any undertaking based upon these notes is entirely
   at the risk of the person doing so.  SUN does not support this officially.

   It is possible to also set the expiry header to a static date under
   Web Server 6.1 by doint the following in obj.conf file under default object:

   Output type="image/\*" fn="set-variable" set-srvhdrs="Expires: Mon, 29 Dec 2008 0:00:00 GMT"

   Important Note:

   At Web Server release 7.x this functionality is built in to the webserver!

   For reference, please see the following link:

   <a href=""> </a>

Monday Dec 15, 2008

Errors when attempting to deploy OpenSSO8 with Tomcat

If you keep getting the following error on the first screen of the config wizard just after entering the amAdmin and Agent passwords: "Base directory specified :/opensso cannot be used - has preexisting config data., refer to install.log under /opensso for more information."

 Try the following to resolve:

1) Stop Tomcat.
2) Remove the /opensso directory, the default configuration directory of OpenSSO where the bootstrap file is created.
3) Remove the /.openssocfg/AMConfig_\* entry which corresponds to your existing installation.
4) Start Tomcat.
5) Attempt to reconfigure OpenSSO.

Tuesday Dec 02, 2008

pkgapp - version 3.0 is finally here!

For everyone out there that may find themselves with a situation where they may need to send a core file to sun for analysis, it's great news to hear that the latest version of pkgapp - 3.0 - has been released.

This script will extract all the needed information relevant for a Sun Employee (or anyone for that matter) to be able to load the core file using dbx on his or her own system.  Very cool indeed!

Check it out at:

Monday Nov 24, 2008

Default deployment of OpenSSO8 War file on WS 7.0U3 is to the "/" directory - How to get around this

Upon trying to deploy the opensso.war file for OpenSSO8 onto Java Sun WebServer 7.0u3, I found that the default deployment was to the "/" directory.  Basically I was following along with the instructions for deployment found here:

The only possible recourse would be to unjar the jar file, modify the configuration and rejar it. 

Once you unjar this, set the configuration.dir to be a directory which is within the scope of the root of the webserver (in my case that is /opt/nes7) and make sure that this directory is owned and grouped by the owner of the webserver process (in my case, and for most, that is webservd)

Below, you can see that I unjarred the opensso.jar

# cd  /opt/installs/opensso8/opensso/deployable-war

# cp opensso.war opensso.war.orig

# mkdir unjar

# cp opensso.war unjar

# cd unjar

# jar xvf opensso.war   <- which now creates a whole subset of unjarred directories....)

# pwd
# tail -f
# This property should be used for application servers like
# JBoss where the ServletContext.getRealPath() method does
# not always return the same value after the server is restarted.
# This property should also be used when the system user that
# is running the web/application server process does not have
# a home directory. i.e. System.getProperty("user.home") returns
# null.
configuration.dir=/opt/nes7/sso8  <- put a value in here....

Now just rejar the thing and deploy using this modified jar file.

Aditionally - Make sure that the webservd user has a home directory specified that is owned and grouped by that user!  Mine originally looked like this:

 webservd:x:80:80:WebServer Reserved UID:/:

 So if yours looks like that - then change the home directory to be the webserver installation root similar to as you see here:

 webservd:x:80:80:WebServer Reserved UID:/opt/nes7:

Remember to restart both the webserver administrative server AND the server instance before now doing the deploy!

Wednesday Nov 19, 2008

WebServer can log the end client browser's ssl capabilities in the log file

This is pretty nifty....

Apparently, the Sun WebServer can log what the end client browser's encryption capabilities.  The information is picked up during the SSL Handshake.

The %Ses->client.secret-keysize% logs the browsers encryption capablity in the access log.  This would be added to the format line of the access log (its the top line).

Friday Nov 14, 2008

How to extract and log client IP addresses to SUN WebServer when requests forward through a proxy server.

A question arose with a client site in which they wanted to know how
they could extract and log the client ip when the request forwards 
through a reverse proxy.

The situation looked liked this:

Client ------------> Reverse Proxy ------------> Web Server
Client <------------ Reverse Proxy <----------- Web Server

In order to find the IP address of the original client, they wanted to capture the
"X-Forwarded-For" header in web server access log and error log.

The way to do this is by using the custom log format available on the Sun WebServer.

If the reverse proxy is adding:

X-Forwarded-For: header to the request, the Web Server can be configured
to log that header field by adding %Req->headers.x-forwarded-for% to the access log format. 
(Note that the Web Server doesn't add an X-Forwarded-For: header when it reverse proxies requests. 
It does, however, add a Proxy-ip: header).

Monday Nov 10, 2008

Using Libumem to examine a process for Memory Leaks

I recently came across a short TOI I presented some time back regarding the basics of establishing libumem as a tool for examining a process that might be suspected of a potential memory leak.  At the time, I was working on an issue with the browser as the potential (and ultimately proven) candidate for the memory leak.  The TOI was based upon what I learned from this experience.


Monday Sep 22, 2008

Troubleshooting installation problems of Microsoft IIS 5.0 Policy Agent on a WIndows Box

I had run into this problem a while back with a customer while trying to install Microsoft IIs 5.0 Policy Agent on a windows box.

 Here is what you need to know when attempting this for yourself!

Troubleshooting Microsoft IIS 5.0 Policy Agent 

If you are experiencing problems with your installation, try the following: 

Check the installation log file for errors: 

Re-install the agent by uninstalling and then installing.
Verify agent loading in IIS:
Launch Internet Services Manager.
From the Start menu, choose Programs > Administrative Tools > Internet Services Manager.

Open the properties for the host computer in the Tree Pane of the Internet Services Manager window that is titled Internet Information Services.
The host computer name should appear in the tree underneath the Internet Information Services root.

Click Edit in the Master Properties section of the Internet Information Services tab.

Select the ISAPI Filters tab in the WWW Service Master Properties dialog that appears.

Look for the filter name “Sun ONE Identity Server agent.�

If the Filter name “Sun ONE Identity Server Agent� does not appear at all, then check that the installation program was run, and look for any errors during installation. The install log is located at: 


A green arrow pointing up in the Status column to the right of the “Sun ONE Identity Server Agent� indicates the agent loaded successfully into IIS. A red arrow pointing down indicates that the filter failed to load. The most likely cause of the filter not loading successfully (red arrow) is that it cannot locate the required dll files. 

Check your system path to ensure that the following directory is present: 

If the filter did not load successfully check the following:
Check the path of the Agent DLL by clicking “Sun ONE Identity Server Agent� and then Edit. Ensure that the path in the text box labeled Executable is valid.
The agent also needs several DLL files. Check that the following exist in the directory Agents\\bin:








If the libraries are in your system path try rebooting the system.
IIS logs filter loading errors in the System Event Log. To check the event log:
From the Start menu, choose Programs > Administrative Tools > Event Viewer.
Select the System Log.
Check for Error messages with Source W3SVC.
If the agent loads but returns HTTP 500 Internal Server Error for all URL requests to the IIS web server.
This indicates that the agent has loaded but did not properly initialize. Returning HTTP 500 Internal Server Error for all HTTP requests is a fail-safe to protect URL resources when the agent cannot initialize. The most likely cause is a Sun ONE Identity Server agent or server misconfiguration or unavailability. 

Check the agent debug log.
The log is located by default at the Agent_Install_Dir directory. This is the best source of debug information for resolving initialization and agent operation issues. The log file directory is specified by the property: in the file located in the directory: 


The property controls the verbosity of the log information. Set the logging level for the specified logging categories. 

The format of the values is: 


The currently used module names are AuthService, NamingService, PolicyService, SessionService, PolicyEngine, ServiceEngine, Notification, PolicyAgent, RemoteLog and all. If the level is omitted, then the logging module will be created with the default logging level, which is the logging level associated with the 'all' module. 

The all module can be used to set the logging level for all modules. This will also establish the default level for all subsequently created modules.The meaning of the 'Level' value is described below: 

0 = Disable logging from specified module 

1 = Log error messages 

2 = Log warning and error messages 

3 = Log info, warning, and error messages 

4 = Log debug, info, warning, and error messages 

5 = Like level 4, but with even more debugging messages. 

Check that the agent can locate the configuration file.
The agent uses the registry key HKEY_LOCAL_MACHINE\\Software\\Sun Microsystems\\Identity Server IIS Agent to locate the file. The file is located at: 


The agent uses the Application Event Log to log errors that occur before the debug log file specified in is started.
From the Start menu, choose Programs > Administrative Tools > Event Viewer.
Select the Application Log.
Check for agentError messages with source as Sun ONE Identity Server IIS agent.

More info in troubleshooting section of:

Have fun!


Gregory Bedigian


« July 2016