Wednesday Oct 03, 2007

Proxy setting for Application Server to contact Internet content

Lots of portlets available in Sun Java System Portal Server render content from the internet. As portal server is deployed on Application Server or Web Server, below settings can be done in the server configuration file. 

For Application Server its domain.xml and for Web Server it is server.xml


 You will also need to modify the startup script for the app server i.e asenv.conf


Updating platform server list from command line

Sometimes during complex portal deployment scenarios there are chances that we might make mistakes in updating Platform Server List in Access Manager and as a result we may not be able to login to Access Manager anymore. We can update the Platform Server List from command line as below.

1) Remove the iplanetamplatformservice

  • amadmin -u amadmin - w passwd -r iplanetamplatformservice

2) Edit the /etc/opt/SUNWam/config/xml/amPlatform.xml to include the correct  server name(s) for the property iplanet-am-platform-server-list

3) Load the updated xml schema

  • amadmin -u amadmin - w passwd -s /etc/opt/SUNWam/config/xml/amPlatform.xml
  • restart server

Sunday Sep 30, 2007

SSL termination at Load Balancer between Gateway and Portal Server


SSL Termination at Load Balancer between Gateway and Portal Server means that SSL traffic between Gateway and the Portal Server is terminated at the Load Balancer. SSL has an overhead of encryption/decryption which affects performance. This article provides steps to install this scenario.

There might be other ways to install this scenario but this is the simplest approach to achieve this. 

Assume there are two instances of Portal PS1 and PS2 on Node1 and Node2 respectively. Gateway is on Node3 and Load Balancer on Node4  between Gateway and Portal Server Instances

Access Manager(AM) instances are on Portal Server (PS) instances. Assume there are two instances for AM and PS.

Gateway ---------> LB ---------------> PS instances (PS1, PS2 .......)

1)  Install  PS, AM and Directory Server (DS) on Node1 where AM and DS are from JES5 or JES5u1 RR build. Portal is OpenPortal PS7.2 on top of AS9.1

2) Start the Container and Access /portal to make sure everything is installed fine on Node1

3) On Node3, install Gateway and AM-SDK and point to PS1. Make sure that one can login via gateway to PS1. Now we have basic set-up ready for with single Gateway and Portal Server without a Load Balancer. Now we are going to add complexity to it.

4) On Node2, install AS9.1. This is for creating AM and PS instances i.e AM2 and PS2

5) Login to AM1 amconsole via browser. As soon as you login to amconsole, you will see "Organization Aliases" listbox on the right side with entries <> and <domain>. In this listbox add  <>.

6) Now click on Service Configuration -> Platform. On the right hand side there will be "Platform Server List" with entry <>. To this add one more entry <>

7) Install AM2 on Node2. Point to DS on Node1. Restart AS9.1 on Node2 and access amconsole to make sure that one can successfully login.

8) Now create portal instance PS2 on Node2. Install PS2 in config later mode. Modify and run the below command

  • ./psadmin create-instance -u amadmin -f ps_password -p <portal-id> -w /opt/SUNWportal/template/

9) Restart AS9.1 on Node2 and access /portal for successful login.

10) Install Load Balancer on Node4. This can be software or a hardware load balancer. You should know about how to make it SSL  with certificates signed from Certificate Authority. Make sure that one can loadbalance AM and PS uris via this SSL instance of Load Balancer.

11) Access psconsole either on Node1 or Node2. Go to Secure Remote Access -> default.  There is a listbox for "Portal Servers". Remove the existing entry in this listbox and add <>. Below that there is listbix for " URLs to which User Session Cookie is Forwarded". In this add below URLs and Save .


12. Click on security Tab. In the Non-Authenticated URL list below entries will be there.,

Add below set of entries also,,

13. Now run below command from Node1 AND Node2

  • ./psadmin provision-sra -u amadmin -f ps_password -p portal1 --gateway-profile default --enable
  • ./psadmin provision-sra -u amadmin -f ps_password  --loadbalancer-url --console --console-url --gateway-profile default --enable

This will populate Non-Authenticated URL list under the default gateway profile.

14. On Node1, open /etc/opt/SUNWam/config/ and edit following

  • Add line: com.sun.identity.server.fqdnMap[]
  • Edit line: com.sun.identity.loginurl=

15. Add Certificate Authority Root CA certificate to JVM keystore  as follows on Node1 and Node2

  • cd /usr/jdk/entsys-j2se/jre/lib security
  • /usr/jdk/entsys-j2se/jre/bin/keytool -keystore cacerts -keyalg RSA -import -trustcacerts -alias "" -storepass changeit -file <path-to-rootca-certificate>

16. Run below command on both the Nodes

  • ./psadmin set-attribute -u amadmin -f ps_password  -p portal1 -m desktop -a AccessURL  ""

17. Repeat above step on Node2. Restart AS9.1 and cacao on both the nodes.

18. Install server certificate and Root CA certificate on Gateway Node from the same Certificate Authority from where Load Balancer was asigned certificate.

19 Now we have to point the gateway to LB instead of PS1 and AM1. Do the following on Gateway Node

  • In the platform.conf.default file change gateway.ignoreServerList=true
  • In the platform.conf.default file change gateway.dsame.agent=https\\://\\:port/portal/RemoteConfigServlet
  • In the and change the AM related information as shown below


20. Restart the Gateway and access it via browser. 




Ajit Kamble


« February 2017