|Subject:||Re: HELP -- Error with stock Policy Agent 3.0 (HTTP 403)|
|From:||Deepak Pasupunatla (Deep...@Sun.COM)|
|Date:||Nov 16, 2009 11:39:06 am|
When you create the agent profile, you get the option to select the local or centralized option. You can select Local configuration for your use case while creating the agent profile. Check this link for the steps: http://docs.sun.com/app/docs/doc/820-4579/gfxjk?a=view
*UPDATE* -- If I open a browser on a different machine, I get the following error in the browser...
"*Access denied as Agent profile not found in Access Manager.*"
The 3.0 Policy Agent references an Agent Profile in addition to the Agent UserID and Agent Password. It appears that our old version of OpenSSO isn't able to support the web agent request. Based on what I have read about compatibility with Access Manager 7.1, is there a setting on the agent side to define that the web agent properties are "*local configuration*" vs "centralized agent configuration"?
I recognize that the version of OpenSSO we have is very old and that we need to upgrade, but we are required to support it for the next six months. This version does not have the setting for local versus central agent configuration, so I need to be able to control this parameter on the web agent side versus the OpenSSO server side. We will be upgrading to newer components shortly, but really need to resolve the existing issue first.
Any help would be greatly appreciated. Thanks in advance.
Hi Madan and Anthony,
I changed the title to reflect the current issue -- inability to install the stock Policy 3.0 web agent with our version of OpenSSO.
Thanks for your responses. I am trying to install and use the stock Policy Agent 3.0 before we attempt to build it, but am getting an error that I don't seem to be able to get past. We are supporting an old version of OpenSSO that may not have the Policy Agent 3.0 functionality on the OpenSSO side. I need to be able to configure the agent to have the agent repository as local (read from Web Agent configuration), but can't figure out how to do this. The current error I am seeing is as follows:
2009-11-15 17:34:20.432 *Error 5176:610c88 Agent Profile Service: parseAgentResponse(): Attribute xml parsing error*
2009-11-15 17:34:20.432 *Error 5176:610c88 all: fetchAndUpdateAgentConfigCache():There is an error while fetching attributes by user UrlAccessAgent, using REST service. Status: REST attributes service encountered an error*
Prior to this, the logs show:
2009-11-15 17:34:20.416 Info 5176:610c88 AuthService: AuthService::processLoginStatus() *Successful login of ssoToken* AQIC5wM2LY4SfcxpOLuHSjRfQC7gkvPg0vV0j0inT7eWPrg=@AAJTSQACMDI=#
2009-11-15 17:34:20.416 Debug 5176:610c88 Agent Profile Service: AgentProfileService::agentLogin(): *Successfully logged in as UrlAccessAgent*.
2009-11-15 17:34:20.416MaxDebug 5176:610c88 Agent Profile Service: Number of servers in service:1, 'https://server1.example.com:8181/access/securityhandler/xml/read '.
2009-11-15 17:34:20.416 Debug 5176:610c88 Agent Profile Service: BaseService::doRequest(): Using server: https://server1.example.com:8181/access/securityhandler/xml/read.
2009-11-15 17:34:20.416MaxDebug 5176:610c88 Agent Profile Service:
2009-11-15 17:34:20.416MaxDebug 5176:610c88 Agent Profile Service: BaseService::sendRequest Request line: GET /access/securityhandler/xml/read?name=UrlAccessAgent&attributes_names=realm&attributes_values_realm=%2F&attributes_names=objecttype&attributes_values_objecttype=Agent&admin=AQIC5wM2LY4SfcxpOLuHSjRfQC7gkvPg0vV0j0inT7eWPrg%3D%40AAJTSQACMDI%3D%23 HTTP/1.0
.... <snip> ....
2009-11-15 17:34:20.432MaxDebug 5176:610c88 Agent Profile Service: BaseService::sendRequest(): Total chunks: 0.
2009-11-15 17:34:20.432MaxDebug 5176:610c88 Agent Profile Service: BaseService::sendRequest(): Sent 0 chunks.
2009-11-15 17:34:20.432 Debug 5176:610c88 Agent Profile Service: *HTTP Status = 404 (Not Found)*
.... <snip> ....
The last three lines of the log are as follows:
2009-11-15 17:34:20.448 Info 5176:610c88 AuthService: *AuthService::procesLoginStatus() Login completed.*
2009-11-15 17:34:20.448 Debug 5176:610c88 all: *Initialization of the agent failed: status = failure (1)*
2009-11-15 17:34:20.448 Info 5176:610c88 all: *do_deny() Status code= failure.*
.... < end of log > ....
*RESULT: HTTP 403* when trying to access the protected resource. Also, I never get prompted for credentials.
I have set up a policy and this works with the Policy Agent 2.2. The other thing is that both OpenSSO instance and Apache Agent are on the same server.
Any thoughts or suggestions would be greatly appreciated. Thanks in advance!
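A small triage helper for the log excerpt in the message above, added here as an illustration and not part of the original thread or of the agent's own code: it extracts the start-up sequence (agent login, profile fetch status, initialization result) and redacts the session token from the two places it appears in the log. The sample lines are constructed from the excerpt with a placeholder token, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the log lines quoted above; the token is a placeholder.
SAMPLE_LOG = """\
2009-11-15 17:34:20.416 Info 5176:610c88 AuthService: AuthService::processLoginStatus() Successful login of ssoToken EXAMPLE-TOKEN=@EXAMPLE=#
2009-11-15 17:34:20.416 Debug 5176:610c88 Agent Profile Service: AgentProfileService::agentLogin(): Successfully logged in as UrlAccessAgent.
2009-11-15 17:34:20.416MaxDebug 5176:610c88 Agent Profile Service: BaseService::sendRequest Request line: GET /access/securityhandler/xml/read?name=UrlAccessAgent&admin=EXAMPLE-TOKEN%3D%40EXAMPLE%3D%23 HTTP/1.0
2009-11-15 17:34:20.432 Debug 5176:610c88 Agent Profile Service: HTTP Status = 404 (Not Found)
2009-11-15 17:34:20.432 Error 5176:610c88 all: fetchAndUpdateAgentConfigCache():There is an error while fetching attributes by user UrlAccessAgent, using REST service.
2009-11-15 17:34:20.448 Debug 5176:610c88 all: Initialization of the agent failed: status = failure (1)
2009-11-15 17:34:20.448 Info 5176:610c88 all: do_deny() Status code= failure.
"""

# Timestamp, level (sometimes glued to the timestamp, as in "...416MaxDebug"), pid:thread, message.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})\s*([A-Za-z]+) (\S+) (.*)$")
# The agent's session token appears on the login line and in the "admin" query parameter.
TOKEN_RES = (re.compile(r"(ssoToken )\S+"), re.compile(r"([?&]admin=)[^&\s]+"))


def redact(line):
    """Replace session-token values so the log can be shared."""
    for rx in TOKEN_RES:
        line = rx.sub(r"\g<1><redacted>", line)
    return line


def triage(log_text):
    """Summarise the agent start-up sequence found in an agent debug log."""
    facts = {"agent_login": False, "profile_http_status": None,
             "profile_fetch_error": False, "init_failed": False, "denied": False}
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # "<snip>" markers, wrapped lines
        _ts, level, _thread, msg = m.groups()
        status = re.search(r"HTTP Status = (\d{3})", msg)
        if "Successfully logged in as" in msg:
            facts["agent_login"] = True
        elif status:
            facts["profile_http_status"] = int(status.group(1))
        elif level == "Error" and "fetchAndUpdateAgentConfigCache()" in msg:
            facts["profile_fetch_error"] = True
        elif "Initialization of the agent failed" in msg:
            facts["init_failed"] = True
        elif "do_deny()" in msg:
            facts["denied"] = True
    return facts
```

On the sample, `triage` reports a successful agent login followed by a 404 on the profile fetch, a failed initialization and a deny, which matches the sequence in the excerpt.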
-------- Original Message --------
Subject: Re: HELP -- Source Code to build Apache Web Agent 2.2 for Windows 2003
From: Madan M Ranganath <Mada...@Sun.COM>
Date: Fri, November 13, 2009 9:54 am
To: use...@opensso.dev.java.net
Anthony Swart wrote:
It is a bit unfortunate that you can't retrofit a slightly modified 2.2 agent. That said, agent 3 should plug in with relatively few problems. Only if you have made a lot of changes to the default configuration will you have to spend a bit of time mapping those changes to the new 3.0 entries. The Sun docs site (docs.sun.com) has a decent map of 2.2 to 3.0 settings, so it should give you a good start.
You can also use the "agentadmin --migrate" to migrate the properties from 2.2 to 3.0.
Anyway good luck with the build and testing!
Thanks for your response and for the information. This is really helpful.
The reason I was asking about the 2.2 agents is that we had tested, documented and released our build of OpenSSO with v2.2 Agents to an internal customer. We ran into an issue that we are working to resolve, and were trying to minimize the changes that we make, to reduce the scope of testing and changes in documentation.
Thanks again for your help.
-------- Original Message --------
Subject: Re: HELP -- Source Code to build Apache Web Agent 2.2 for Windows 2003
From: Anthony Swart <Anth...@Sun.COM>
Date: Fri, November 13, 2009 3:05 am
To: use...@opensso.dev.java.net
As far as I know only 3.0 Agents are open source. Is there a particular reason you need the 2.2 agent? I suspect the 3.0 Agent will be fine for you as it should work on all OpenSSO versions, only older versions of Access Manager are restricted to 2.2 agents.
You can download the source via cvs; instructions are at https://opensso.dev.java.net/source/browse/opensso/
Once you have the source, the agents are under opensso/products/webagents. There is an ant build file in there that you can use to build the agents with.
There is a general readme for all agents https://opensso.dev.java.net/source/browse/opensso/products/webagents/README?rev=1.15&view=markup and specific details for the apache agent on Windows are https://opensso.dev.java.net/source/browse/opensso/products/webagents/docs/WINNT/apache/README.txt?rev=1.7&view=markup
(The readmes are available in the source download, path is the same as the web link after /opensso)
The official agent is supported on Windows 2003 for Apache 2.2, so you shouldn't have any issues.
Hope that helps.
Can anyone answer any of the questions below? I thought that these questions could be answered in a couple of minutes by someone in the Sun web agent group. Any help would be greatly appreciated. Thanks.
-------- Original Message --------
Subject: HELP -- Source Code to build Apache Web Agent 2.2 for Windows 2003
From: bam...@sceats.com
Date: Wed, November 11, 2009 11:23 pm
To: use...@opensso.dev.java.net
We have an older version of OpenSSO and need to use the Web Agent v2.2 for Apache2 and 2.2, to run on Windows2003 Server. We need to build these web agents from source code, since we would like to make a minor change to the agent behavior.
Could someone please point me to the location for the source code, and identify what else (dependencies and/or tools) is needed to successfully build these agents? Any instructions, hints and advice would be greatly appreciated. Thanks in advance!