Tuesday Sep 28, 2010

Install JDeveloper on Mac

There is a very important trick to apply before installing Oracle JDeveloper on a Mac. Basically, you need to fool the JDeveloper installer into believing that the Java installation on your Mac is laid out like the one on a Unix/Linux box.

cd /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/
sudo mkdir -p jre/lib
cd jre/lib
sudo ln -s ../../../Classes/classes.jar rt.jar

This step was actually in the Installation Guide for Oracle JDeveloper.

Saturday Feb 06, 2010

Notifications to OpenSSO Client

Someone found that the distauth of OpenSSO cannot receive session notifications from the OpenSSO server. My investigation showed that a new property, "com.sun.identity.client.notification.url", was not set in AMConfig.properties of the distauth. This property is new to OpenSSO; somehow it was not there by default. If you want your OpenSSO client to receive notifications from the session service, policy service and UM on the server, you need to add it.

See more details on DocTeger's blog.

Wednesday Dec 02, 2009

Debug xmlsec

OpenSSO uses the xmlsec API to verify digital signatures. If the API returns false and you cannot tell the cause just by looking at the XML document, you may want to see the debug messages printed by the xmlsec APIs.

[Read More]

Thursday Oct 29, 2009

CHP With Multiple Agents Instances

Recently a bug was identified in the OpenSSO 8.0 code related to Cookie Hijack Prevention (CHP). The setup has multiple policy agent instances with a Load Balancer (LB) in front. In this case, the agent profiles must have the LB URL added to the agent root URL list (CDSSO + CHP). However, a strange behavior could be observed: only one agent works, and you could see your browser spinning when accessing the other agents. This is OpenSSO issue 5707.

Monday Oct 05, 2009

Reset Amadmin Password (2)

In my previous post (09/11) on this topic, I asked to have jss4.jar in the classpath and the corresponding library files in the environment. Actually, this is not required. Otherwise, one would have a hard time finding and installing them on a Windows box. All you need to do is set the value of the property com.iplanet.security.encryptor to "com.iplanet.services.util.JCEEncryption". The default, if you don't specify it, is "com.iplanet.services.util.JSSEncryption", which requires JSS.

So the command to generate the new password could look like this:
/usr/bin/java -Dcom.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption -Dam.encryption.pwd=sZ6rTm4Dp1xp6MuXpwyQ3h0RsdcMK5eQ -cp .:/opt/sun/identity/lib/am_sdk.jar:/opt/sun/identity/lib/am_services.jar PasswordHashEncryption password

Tuesday Sep 15, 2009

Change Amadmin Password On File Based AM7.1

Last week, I provided the steps to change the amadmin password on AM7.1. Someone had a question on how to do it on file-based AM7.1. The Java code PasswordHashEncryption.java is still required to encrypt and hash the new password. Actually, you don't need the whole AMConfig.properties, only one property: am.encryption.pwd. You can pass its value as a JVM option.

[Read More]

Friday Sep 11, 2009

Reset Amadmin Password

It is not straightforward to change the amadmin password on an Access Manager 7.1 setup. If you simply change it on the subject tab of the AM console, you will fail to log in once you log out.

This is due to the fact that amadmin's password is saved in a separate entry of Directory Server. You need to save the new password into this entry after changing it on the console. But the password is not saved as is; it needs to be both encrypted and hashed. Unfortunately, the current CLI tool ampassword does not help.

[Read More]

Friday Aug 28, 2009

Session Idle Timeout

When using Access Manager, people expect to set a different session idle timeout or max session time for different orgs/groups/roles. This can be easily configured with older AM versions, 6.x or even older 5.x. But it is tricky to do so with the newer version 7.x. Lots of people noticed that the changes they made at the role level didn't take effect even after restarting both AM and DS.

[Read More]

Monday Aug 17, 2009

Using Persistent Cookie on AM/OpenSSO

I haven't used the persistent cookie feature on AM/OpenSSO for a long time. Today, when verifying a code change, I needed to check the httponly flag of the persistent cookie. Somehow I couldn't find this cookie in the browser. I did enable it in the authentication core service though.

[Read More]

Thursday Jul 23, 2009

Change Amadmin Password

Someone might want to change the password of the super user amadmin on Access Manager (AM) 7.0 or 7.1 for various reasons. Be careful. It is tricky. If you try to change it directly on Directory Server (DS), you will find that you cannot log in as amadmin any more.

[Read More]

Wednesday May 20, 2009

OpenSSO 8.0 update1 Release

The first official patch of OpenSSO Enterprise 8.0, update1, has been released. It has been available on SunSolve since last Friday, May 15. The patch ID is 141655-01.

The release notes of OpenSSO 8.0 have been published on wikis.sun.com. Unlike Access Manager 7.x/6.x, OpenSSO 8.0 has no platform-dependent packages, only a single war. The way the patch is installed has also changed a lot, so the installation instructions are a must-read. One step is similar to old releases though: you need to run the updateschema.sh script (updateschema.bat for Windows) at the end.

Thursday Apr 09, 2009

Access Manager SM Cache

We all know that the configuration of Access Manager (AM, called OpenSSO as of the 8.0 release) is very sophisticated. It is nice to have fine-grained control of this product. But some configuration property names are confusing, and even the comments are not clear enough. Here I just want to share what I learned recently about the properties controlling the SM (Service Management) cache.

[Read More]

Saturday Mar 21, 2009

Java Class Version Problem

Class com.iplanet.services.naming.WebtopNaming has unsupported major or minor version numbers, which are greater than those found in the Java Runtime Environment version 1.5.0_15

What do you think about the above error? The first reaction would be that the WebtopNaming class must have been compiled by JDK 1.6 or later.

[Read More]

Tuesday Dec 16, 2008

Removing Authentication Module From Auth Chain On Command Line

Someone asked me for help to correct an Access Manager 7.1 environment. The default auth chain "ldapService" was modified on this AM7.1 instance by adding the anonymous module as required. However, the anonymous module was not configured correctly to include amadmin in the user list. After this change, amadmin cannot log in to the default auth chain any more.

[Read More]

Tuesday Nov 11, 2008

Sun OpenSSO Enterprise 8.0 RR

Sun OpenSSO Enterprise 8.0 RR is officially released today, three days earlier than the latest schedule.

The bits are here:

The docs are here:

Want to know more about OpenSSO? Go to this site.



