Sunday Oct 29, 2006

Configuring Novell eDirectory as a LDAPv3 data store for OpenSSO

As our OpenSSO gaining momentum among the developer community, I was asked about the support of eDirectory as a data store for OpenSSO. Though technically it is supported as a generic LDAPv3, I have not had a chance to work with it. This weekend I got some time while babysitting my little daughter. Hence this article, quite frankly I learnt lot of stuff about eDirectory today. Use the procedure described in this at your own risk , neither me nor the organization I am associated with assume responsibility for any damages done to your system or to you:-) You can also download a PDF version of this article[Read More]

Tuesday Oct 24, 2006

Adding IdRepo LDAPv3 instance using amadmin CLI

In this post I  bring you an easy commandline way of creating LDAPv3 Idrepo  plugin  instance on any given Sun Java ES Access Manager 7.0 system. There are many provisions that are supported by Sun Java ES Access Manager to make an administartor life easier. Lot of these details are buried in to the huge documentation. 

[Read More]

Thursday Oct 19, 2006

How Do I know whether the Access Manager runs in realm or legacy mode?

Starting from Sun Java ES Access Manager 7.0, Customers has an option to seperate the configuration data from the identity data store. Access Manager 7.x supports two runtime modes Legacy(compatible with previous Access Manager Versions) Realm. Unless you are very familar with the product it is very hard to figure out runtime mode of the server. In this article you can find an easy scriptical way to quickly determine the runtime mode of given Access Manager service URI. [Read More]

Access Manager change notifications - Persistent search

Sun Java ES Access Manager leverages the persistent search (RFC 3377) mechanism provided by the commercial Directory Servers such as SJS DSEE and MicroSoft's Active Directory. Often times I have noticed customers and field people raising questions on how the persistent search based notification works in the Access Manger and what happens if that(persistent search based notification) breaks. This paper attempts to capture some of the key concepts and how to troubleshoot the system if notification mechanism is broken.

[Read More]

Wednesday Sep 20, 2006

IBM deprecates JACL language support for its wsadmin

IBM anounced deprecation of JACL support for wsadmin utility. Going forward it will support only jython as its primary langugae for automating WAS functions using wsadmin utility. This has been anounced in its WAS 6.1 release, which means JACL will be supported for another 2 major releases of WAS from 6.1 after that (JACL)feature will be completely removed. Read more on here

SAML wins over others

according to this article there will be one billion identities and devices using the SAML 2.0-based Liberty identity standards, Read more

Tuesday Sep 19, 2006

Java Tuning

Lately I have read the Java Tuning white paper, it is an excellent paper, would suggest any one who works on Java EE should take a look at this doc

Tuesday Sep 12, 2006

opensso on Websphere

Recently I tried to build the opensso on the WAS 6.1 environment. The build was successful but when I tried to deploy both from console and using JACL scripts it failed with some exceptions. I have created an issue ticket for this. If you want the latest on the opensso stuff read Pat's blog, He provides regular updates on this product.

Saturday Sep 09, 2006

Finally WebSphere 6.1 supports JDK 5

It's been a good news for folks like me who have been waiting for the JDK 5 support on IBM WAS app servers. As of today I have not tried this version WAS 6.1.[what is new in 6.1] You can find more details here BTW both WAS 6.0.2 and 6.1 support solaris x86 on AMD Opteron

Friday Sep 08, 2006

A tool to locate the jar name of the class

it is not uncommon to run in to a classnotfound exception, the site jarhoo provides the service to locate the jar file of the class. Though it is paid service there is an option to get the service through the google co-op subscribe to

Wednesday Sep 06, 2006 WEB-INF/web.xml

When you deploy the webapp to a WAS container and you see the error some thing like in the title you might want to check the following
  • j2ee dtd, whether 2.3/2.4
  • make sure your webcontainer support that version
  • make sure the web.xml properly reference the DTD
DOCTYPE web-app PUBLIC        "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"

ensure the file /opt/SUNWam/dtd/web-app_2_3.dtd do exist if still fails replace the file:///opt/SUNWam/dtd/web-app_2_3.dtd with "

Tuesday Sep 05, 2006

Deploying SJES Federation manager web archive file on WAS60

if you are trying to deploy the Sun Java ES federation Manager on IBM websphere 5.1/6.0 through the JACL commands you should use some thing like this
$AdminApp install war-file-loc  {-contextroot /deploy-uri -use
defaultbindings -nopreCompileJSPs -distributeApp -nouseMetaDataFromBinary -node
exampleNode  -cell  ExampleCell  -server server-instance -nodeployejb -appname deploy-uri -createMBeansForReso
urces -noreloadEnabled -reloadInterval 0 -nodeployws}
$AdminConfig save
public has incorrect info as of 09/05/06, a CR has been filed to rectify this issue

What if your federation.war does not deploy on websphere 6.0

you may be running in to this issue

Debugging SecurID auth module in Sun Java ES Access Manager

Background of amsecuridd helper deamon

Access Manager SecurID authentication client is implemented using RSA's ACE/Client API and a helper written in C will communicate between Access Manager SecurId module and the SecurId server

Access Manager SecurId module invokes amsecuridd deamon by opening a socket to localhost:57943 to listent for securid authentication requests. port 57943 is the default port number, if this port number is already occupied different port number can be specified for the SecurID Helper Authentication Port attribute in SecurId service configuration.

The interface to amsecuridd is cleartext through stdin. that's why only localhost connections are permitted to this service. the "backend" of this routine uses the SecurID remote API (v5.\*), which does the appropriate encryption of sensitive data.

amsecuridd helper listens on another port to receive its configuration information. by default on the port 58943. if this port is occupied, you can run it on different port, by changing the securid service properties through Access Manager Console For each organization/realm that communicates with a different ACE/Server (which has a different sdconf.rec file), a separate instance of SecurID helper should be run.

How to run amsecuridd helper

This deamon can be invoked in two ways,
  • Manual invocation
  • Using amserver wrapper script

    Starting it manually

    amsecuridd requires the following shared libararies =>         /opt/SUNWam/lib/
   =>        /lib/
   =>   /lib/
   =>        /lib/
   =>     /lib/
   =>       /lib/
   =>    /lib/
   =>   /lib/
   =>   /lib/
   =>  /lib/
   =>         /lib/
   =>     /lib/
    Most of them can be found in OS.
    you need to set LD_LIBRARY_PATH to //SUNWam/lib/ to find
    amsecuridd: Usage [-v] [-c portnum]
     [-v] turn on verbose mode; you need to create the debug file by  
    touch /var/opt/SUNWam/debug/securid_client.debug 
     [-c portnum]  config listening port number; default 58943.

    Starting amsecuridd using amserver script

    The amserver script can be found in the /SUNWam/bin/ directory
    /opt/SUNWam/bin/amserver start
    stopping auth helpers ...
    starting auth helpers ...
    verify the process has been started
    ps -ef | grep amsecuridd
        root  1725     1   0 10:26:49 pts/3       0:00 /opt/SUNWam/share/bin/amsecuridd -c 58943

    How to disable the amsecuridd deamon from being started

    if you dont want the amsecuridd deamon started everytime when amserver start is issued do the following Remove the securid from following property from for eg: out of box this property will look like this securid after disabling securid


    SecurId Authentication module is supported only on Solaris Sparc hosts, it is not supported on Solaris x86 and Linux

    Troubleshooting SecurID Authentication

    Make sure the amsecuridd deamon is running in verbose mode if not restart it with -v option. then follow these steps on the server where the amsecuridd is running
    telnet localhost 58943
       Connected to localhost.
       Escape character is '\^]'.
       Enter SecurID Helper Listen Port [57943]:
       Enter SecurID Helper Session Timeout [5]:
       Enter SecurID Helper Max Sessions [5]:
       Enter Config Path for Server [/opt/ace/data]:  /var/tmp/ace.iramya
       get_config_info: amsecuridd configured successfully
       Connection closed by foreign host.
     telnet localhost 57943
       Connected to localhost.
       Escape character is '\^]'.
       Enter SecurID login:  fob56
       Enter passcode:  06457646
       System generated PIN? (y/n):  n
       Enter new PIN, containing 4 to 8 digits: 1234
       Wait for the code on your token to change, then connect again with the new
       Connection closed by foreign host.
    telnet localhost 57943
       Connected to localhost.
       Escape character is '\^]'.
       Enter SecurID login:  fob56
       Enter passcode:  123418924721
       Authentication passed
       Connection closed by foreign host.
    The dialog session may be different based on your securid card configuration
    You can find more details about the client communication with ACE server in the /var/opt/SUNWam/debug/securid_client.debug file
    The passcode is computed like this: your PIN for the fob + the digits displayed on the fob
    for example if your fob displayed 18924721 and your PIN for the fob(securid card) is: 1234
    then the passcode will be: 123418924721
    if the above step works fine then it is the problem in the Access Manager SecurId atuhentication configuration. Run the server in debug mode
     In AM 7.0+ you can dynamically enable debug mode by following these steps
    Login as amadmin (or top level admin user) to Access Manager Console
    Access ://server:port//Debug.jsp?category=AUTHENTICATION&level=3
    Try to look into amAuthSecurID file 
  • About

    Indira Thangasamy, I manage the OpenSSO Quality engineering team.


    « June 2016