Wednesday Nov 25, 2009

Role Manager and Directory Server Integration

Last week at work there were some discussions about Sun Role Manager (SRM) and its use of LDAP Server for authentication. I tested this Role Manager integration with Sun Directory Sever version 6.3 as my LDAP server and I am sharing some information about this setup. The high level steps for this integration are as follows:

1) Configure the Role Manager (SRM) "" file to reflect your Directory Server (DS) settings. The following document discusses the "" file settings:

2) For the users that you want to allow access to SRM, create corresponding users with "uid" in DS same as "username" of SRM (RBACx) users. We are assuming that "uid" attribute will be used for authentication to directory server.

3) To verify that the setup is working correctly, edit the of your SRM installation and add the following property:
Restart the application server after adding the above line. This DEBUG setting is only being added for verification purposes and should be removed once the setup is working correctly.

4) Login to SRM GUI using credentials of a valid Sun Directory Server user that also has a SRM(RBACx) user account. In my example below, DS "uid" of "manish" is used for authentication and for this "uid" there is a corresponding SRM(RBACx) "username" in SRM. If you have this setup correctly, you should expect to see logs similar to following lines in rbacx.log file:

21:19:18,125 DEBUG [MultipleChainablePasswordDaoAuthenticationProvider] ----> using authentication dao []
21:19:18,125 DEBUG [PasswordDaoAuthenticationProvider] ---> attempting authentication for user 'manish'
21:19:18,125 DEBUG [PasswordDaoAuthenticationProvider] ------> looking for user 'manish' in cache
21:19:18,125 DEBUG [PasswordDaoAuthenticationProvider] ------> loading user 'manish' from backend
21:19:18,125 DEBUG [LdapPasswordAuthenticationDao] Connecting to ldap://,dc=com/null as manish
21:19:18,130 DEBUG [LdapPasswordAuthenticationDao] keeping ldap context prefix
21:19:18,212 DEBUG [LdapPasswordAuthenticationDao] Returning user: Username: manish; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ACCESS_IDC_VIEW, ROLE_AUTHENTICATED_PRINCIPAL: Internal RbacxUser: Last name: kapur; First name: manish; Email: manish@example-DOT-com
21:19:18,214 DEBUG [PasswordDaoAuthenticationProvider] ------> loaded user 'manish' from backend
21:19:18,214 DEBUG [PasswordDaoAuthenticationProvider] ------> putting user 'manish' in cache
21:19:18,215 DEBUG [PasswordDaoAuthenticationProvider] ---> successful authentication for user 'manish'

Now let's try logging in to SRM GUI with a valid LDAP user who does not have a SRM(RBACx) account.  When using a DS "uid" that does not have a corresponding SRM(RBACx) "username" the access to SRM GUI should not be allowed. In my example, I used "uid" of "denck" and made sure that "denck" "username" does not exist in my SRM setup. The rbacx.log entries in this case should look like follows:

11:59:25,598 DEBUG [MultipleChainablePasswordDaoAuthenticationProvider] ----> using authentication dao []
11:59:25,598 DEBUG [PasswordDaoAuthenticationProvider] ---> attempting authentication for user 'denck'
11:59:25,598 DEBUG [PasswordDaoAuthenticationProvider] ------> looking for user 'denck' in cache
11:59:25,598 DEBUG [PasswordDaoAuthenticationProvider] ------> loading user 'denck' from backend
11:59:25,598 DEBUG [LdapPasswordAuthenticationDao] Connecting to ldap://,dc=com/null as denck
11:59:25,601 DEBUG [LdapPasswordAuthenticationDao] keeping ldap context prefix
11:59:25,602 DEBUG [CacheModel] Cache 'RbacxUser.rbacxUserCache': cache miss
11:59:25,603 DEBUG [CacheModel] Cache 'RbacxUser.rbacxUserCache': stored object '[B@1792c41'
11:59:25,603 WARN  [UserManagerImpl] RbacxUser with username: 'denck' not found
11:59:25,604 ERROR [MultipleChainablePasswordDaoAuthenticationProvider] ERROR: Bad Credentials User does not have RBACx account!

That's it! Wasn't it easy? Once you have this integration working, remember to remove the DEBUG log property that was added in step 3 above.

Friday Oct 23, 2009

Identity Manager and Password Policy Special Characters

This question has come up a couple of times so I thought I will write a quick blog about it. In Sun Identity Manager (IdM), the password policy can be setup with character type rules that apply to the policy. What is the list of Special Characters in the password policy?

The list of Special Characters that is used by IdM password policy is in the UserUIConfig object. You can look at this using /idm/debug page and find this list in Configuration->UserUIConfig object. There is a tag called <PolicySpecialChars> in this UserUIConfig Configuration object where these characters are defined.

Friday Aug 28, 2009

Sun Web Server: The Essential Guide

Check out the recently released book - "Sun Web Server: The Essential Guide". In my opinion, this book is a must have for all Sun Web Server administrators. Reading product documentation from is always a good thing but in my view this can sometimes become somewhat monotonous when compared to reading a well written book that captivates and gets your attention. This Sun Web Server book has been carefully thought of and is very well written. It has concrete and easy to understand examples with good explanations about web server internals. Apart from web administrators, I think this book will also be useful for developers and architects interested in understanding Sun Web Server internals and extending the server functionality. So go ahead and check this book out, I bet you will like it!

Friday Aug 14, 2009

Logging Client IP Address instead of Load Balancer IP Address

If Sun Identity Manager version 8.1 is deployed with a Load Balancer or Reverse HTTP Proxy server in front of it and you need to log the IP address of the actual client in Audit logs then you need to configure Identity Manager (IdM) to pick the client IP address from the HTTP request headers. For example, if the Load Balancer sends the actual client IP address in the "X-Forwarded-For" HTTP request header then you would have to modify the IdM “” file to make it read this header and log the client IP address from this header. To do this, edit the "" file and set "client.headerIPVariable" as follows:


Save the “” file and restart IdM server. Now when a user logs in to IdM, you should see the actual IP address of the actual client rather than the Load Balancer IP address being logged in IdM Audit logs. Some times the "X-Forwarded header" of an incoming HTTP request can contain multiple IP addresses like "<Client IP>, <Proxy IP>, <Load Balancer IP>". In this case, I noticed that IdM 8.1 logs all three IP addresses, which is nice.

Monday Aug 03, 2009

Integrating Sun Role Manager and IdM using SPML

I have come across many customers trying to integrate Sun Identity Manager (IdM) and Sun Role Manager (SRM) products and I thought this will be a good topic to write about. In an environment where Sun IdM is already deployed, Sun Role Manager (SRM) can connect to IdM using SPML interface and then it can be used to import user data. In such integration, Sun IdM and SRM need to be configured to allow using SPML as the way of exchanging provisioning information.

Here are the high level steps to configure this integration between SRM and IdM:
  1. Log in to SRM and navigate to Administration->Configuration->Provisioning Servers. Click on the New Provisioning Server Connection button and select Sun from the list.

  2. Enter the following information on "New Provisioning Server Connection" screen -
  3.  Connection Name - Enter a name for the new connection being created with the Sun IdM. This connection name is used during import process instead of the Host Name and Port, which is difficult to remember. e.g. "Sun IDM Connection"
     SPML URL - Here, SPML URL pattern is - http://host:port/idm/servlet/rpcrouter2
     e.g. http://localhost:8080/idm/servlet/rpcrouter2
        \* User Name - “configurator”
        \* Password - “\*\*\*\*\*\*\*\*\*\*”
        \* Check Role Consumer if you want to enable ad-hoc roles transfer and update between SRM and Sun IdM

  4. Log in to Sun IdM as "configurator" and navigate to Configure->Import Exchange File and import "rm_idm_init.xml" and "spml.xml" files. The "rm_idm_init.xml" file can be obtained from SRM installation(look under $SRM_HOME/conf/spml directory). This completes the SRM-IdM integration configuration.

  5. To import users or accounts from Sun IDM, log in to SRM and navigate to Administration->Configuration->Import/Export Click on Schedule Job and Select the Sun IDM connection that was set up in step 2 and click on Next. You can check the "Run Job Now?" check box to trigger the user import job immediately. Or you can schedule the user import job on a future date. Similarly, you can import accounts by clicking on the Import Accounts link in the schedule job window.
NOTE: The above blog entry was originally written back in August 2009 for older SRM 4.x and Sun IdM 8.0 releases. Since then there have been several enhancements and improvements made to better integrate these two products. There is also newer documentation available for this integration which covers more details. Please refer to the following newer document that covers all the new use cases for this integration: .

Tuesday Jan 23, 2007

Web Server 7 unleashed

The all new Sun Java System Web Server 7.0 in standalone form has been released and is now available for download. This release features an entirely re-designed Administration interface designed around clusters, easy access to frequently performed tasks, simplification of frequently performed tasks, and a fully scriptable command line interface(CLI) featuring functional parity with the browser-based interface.

Here's my top 10 list of what's cool in this release:
  •  Full 64-bit support for Solaris SPARC and Solaris AMD64 platforms
  •  Regular expression pattern matching for URL re-writing and mass hosting
  •  Elliptic Curve Cryptography (ECC)
  •  Built in request mapping for protection against abnormal load patterns and Denial of Service protection
  •  Out-of-box Java support for Servlets 2.4, JSP 2.0, JSF 1.1, JSTL 1.1, JWSDP 2.0 based web services
  •  Java session failover and recovery within a cluster of peers
  •  Integrated HTTP reverse proxy User-Agent
  •  Bundled FastCGI client for use with third party scripting environments like Perl, PHP, Ruby on Rails etc
  •  If/Then/Else constructs within request processing
  •  Advanced sed based input and output filters

For additional information, check out the Product Documentation. Download this release and send us your feedback. To discuss any features or if you have any questions, you can post to the web server forum.

Wednesday Nov 29, 2006

JDK US DST Timezone Update Tool -TZupdater

Java SE team has come out with the TZupdater tool some time back. This TZupdater tool is provided to allow the updating of installed JDK/JRE images with more recent timezone data in order to accommodate the U.S. 2007 daylight saving time changes (US2007DST) originating with the U.S. Energy Policy Act of 2005.
This tool is available now for download from the Sun Java SE download site.
For more information, check out the README file.
Note: This tool is currently a Beta release.

Sunday May 21, 2006

Thanks for attending JavaOne 2006

There is nothing quite like JavaOne conference, its one event that I look forward to every year. Thanks for stopping by at the Sun Java System Web Server booth last week at JavaOne. It was good talking and meeting you all. We received very encouraging feedback. For those who were not able to visit us at Booth 702, the Sun Java System Web Server 7 Technology Preview release is out now, and it's \*free\*. Check it out and send us your feedback!



Saturday May 13, 2006

PHP on Sun Java System Web Server 6.1

Joe McCabe has written an excellent article about using PHP on Sun Java System Web Server. The PHP engine can run with Web Server 6.1 as a CGI program, as a FastCGI server, or as a plugin using the Web Server's NSAPI and this article covers all this in great details.

Wednesday Sep 07, 2005

x64 Factor: Faster, Smarter, Simpler

The NC05Q3 Web Event is coming up on Monday, September 12, 2005.
Sign up for e-mail reminder and stay tuned for some big announcements about new x64-based systems!

Friday Aug 19, 2005

Installing TWiki on Sun Java System Web Server

I recently helped a customer migrate their TWiki setup. They were using TWiki on Apache Web Server and wanted to migrate to TWiki on Sun Java System Web Server running on Solaris 9.
The migration went through fine without any major hicups. Since the TWiki documentation does not discuss TWiki installation on Sun Java System Web Server, I thought of sharing the high level steps based on my experience.
Installation Steps:
- Install Revision Control System(RCS 5.7) from on Solaris 9
- Install GNU diff utilities(diffutils-2.8.1) from on Solaris 9
( The above two packages are needed for TWiki software to run)
- Ensure that you have Perl version 5.005_03 or higher(Solaris 9 by default ships with perl and it can be used by TWiki)
- Download Twiki Software(TWiki20040902.tar.gz - production release of 02 Sep 2004)
- Install Sun Java System Web Server 6.1sp4 on the Solaris 9 machine
- Install Twiki software by untarring it to doc_root of Web Server instance
- Enable CGI on the web server instance to be used for Twiki
- Configure the Twiki CFG files(setlib.cfg and TWiki.cfg) as per TWiki Docs
- Create a link to “sendmail” binary(using "ln") as "sendmail" on Solaris by default resides in /usr/lib directory
- Fix ownership/permissions issues of the Twiki install(if needed) to be same as the user id chosen during web server install.
- Edit the TWikiPreferences topic as discussed in TWiki Configuration docs.
- Enable htaccess on the instance (recommended but not mandatory)
- Test Twiki install using the "testenv" script provided by TWiki and fix the warnings if you see any.

That's it! Go to http://host.domainame/twiki/bin/view and start TWiki-ing away!

Sunday Aug 07, 2005

Software Solution and Support Services

Buying the best of breed software and a ton of hardware does not always guarantee the creation of a successful software solution. While it is important to choose the right software and hardware to meet the needs of your solution, there are other important factors that play a vital role in the creation of a successful solution. Among other things, the design of a software solution should be done considering availability, scalability, performance, security and integration of software modules. A successful software solution deployment is one that is carefully planned, architected, designed, implemented and backed up with comprehensive hardware and software support. Here at Sun, we have a full range of Solutions and Services offerings available to you. In fact, we have Solution Support Services that will help you in design, development, testing and production phases of the solution lifecycle. Using Solution Support Services will also help improve predictability by increasing availability, decreasing unplanned outages and maximizing efficiencies.

Friday Jul 01, 2005

JavaOne - SOA, and Bono's ONE Campaign

I could not get a chance to attend the technical sessions at JavaOne 2005 this time, but I did get a Pavillion Pass to assist with booth duty at Booth 900. Sun architected, built, tested and deployed a solution to enable Bono to call on his fans to join him in his fight against AIDS and poverty. An initiative called the ONE Campaign. This solution is being deployed in real time from the U2 concert venues. Dany is the chief architect and technical lead of all the work we've done with the ONE Campaign initaitive. This demo was built on the web infrastructure suite, Solaris 10 Operating System, and SunFire servers was deployed to create a pragmatic Service-Oriented Architecture (SOA) solution for Bono. You can check out Mary's blogs to know more about this solution.

Friday Jun 24, 2005

JavaOne 2005

Yes, I know most of us here at Sun have been blogging about 2005 JavaOne Conference, but believe me the excitement is in the air and we just can't just stop this wave of enthusiasm and exuberance. Its like the Power of Java has cast a magical spell on all of us. And why not? Its one of the world's largest gatherings of developers, and IT managers who are focused on Java technology. Its just a few more hours before the show begins, don't miss it, be there.

Monday Jun 13, 2005

New Web Proxy Server Release

Yeah, I know I've been slacking and I don't want to give excuses for being lazy in blogging. I will get straight to my topic. Sun released the all new Sun Java System Web Proxy Server 4.0 a few days back. The Sun Java™ System Web Proxy Server (formerly Sun ONE Web Proxy Server) is a powerful system for caching and filtering Web content as well as boosting network performance. Its a major upgrade release based on a modern HTTP core engine that is HTTP/1.1 compliant and suports IPv6 notation for IP addresses. For additional information, here's the Product Documentation. "Try and Buy" download is available here.



« August 2016