Access Manager training class in Burlington, MA

There are a small number of places available on the Sun Java System Access Manager: Configuration and Customization (AM-3480) at Sun’s training center in Burlington, MA the week of Dec 4. This presentation of the course is taught by the most excellent Allan Foster; Allan taught the recent Federation Manager Boot Camp course on which Hubert heaped lavish praise, so you know you’re in good hands.

If you’re in the North-East and you feel your AM knowledge is lacking, then take a look and consider signing up – your department may well have some training budget that needs to be used or lost before the end of the year…

New Access Manager articles on BigAdmin

Normal blogging service was disrupted somewhat by last week’s DIDW and IOS. Among many snippets in my ‘to blog’ pile, here are links to a couple of recent ‘hands-on’ articles from Sun’s BigAdmin site:

If this sort of stuff lights your fire, then you probably want to subscribe to the monthly BigAdmin newsletter.

Sun Developer Network Channel – Identity Management Month

Sun Developer Network‘s SDN Channel this month focuses on Identity Management. There’s a cool video featuring my esteemed colleague – Identity Guru Aravindan Ranganathan. Aravindan looks at some of the latest web services security features in Sun Java System Access Manager 7.1, bringing a new twist to that old staple web service sample – the stock ticker – by allowing only authenticated users to obtain real-time quotes. If you want to try this at home, the beta of Access Manager 7.1 is available now in the Java EE SDK download.

There’s a whole load more useful information (and a link to a short article I wrote on open source identity at Sun) in the SDN Show Notes.

Fresh out of college? Coding hero? Looking for a challenge?

Access Manager is hiring!

Are you a recent graduate? Know some Java? Interested in working in identity management – one of the most dynamic sectors of the software industry? Ready to show your coding skills to the world in an open source project?

Sun’s Identity Management engineering group has a vacancy for an entry-level coder. Click here, and tell ’em Pat sent you.

We’re looking for more experienced code wranglers, too!

Quick Guide to Access Manager 7.0 Site Configuration

This came across the internal Access Manager mailing list today. It’s too good not to post. Many thanks to David, Beomsuk and Subash for compiling this.


Site configuration in AM 7.0 provides a facility that lets Access Manager clients communicate with load-balanced Access Manager instances. While this was possible in Access Manager 6.x, site configuration provides several advantages:

  • Access Manager instance URLs are not held in state by Access Manager clients
  • Configuration is far easier and less error-prone than with Access Manager 6.x
  • Site configuration supports deployments with multiple load balancers, and with firewalls around each site, with no changes required to firewall configuration

Access Manager 6.x Naming Table on Client Side

All Access Manager clients use a naming URL stored in the client configuration (usually to retrieve a client-side naming table, which is held in state on the client. For 6.x clients, the client-side naming table holds the URLs of the needed Access Manager services for each Access Manager instance. The URLs refer to the Access Manager instances themselves. Thus, information about servers that are probably secured behind firewalls is held in client state, which is a potential security problem.

Client to Access Manager Instance Access in AM 6.x

When a 6.x Access Manager client accesses an Access Manager instance on behalf of a user attempting to access a web app, it accesses the instance directly (assuming the user has a valid SSO token). Depending on the Access Manager service required, the client dynamically builds the URL for the service from the instance ID stored in the session token and the URLs in the naming service table. A load balancer fronting the Access Manager instances is ignored in this scenario.

This works fine as long as there is no firewall between the client and the Access Manager instances. If there is one, the client is not able to get through the firewall to the required URL on the Access Manager instance.

So in the scenario in which multiple Access Manager instances are fronted by a load balancer, with a firewall somewhere in the mix, it is necessary for the Access Manager client to go to the load balancer instead of directly to the Access Manager instance.

You can force an Access Manager client to do this either by setting up the /etc/hosts file so that all the FQDNs of the Access Manager instances point to the IP address of the load balancer, or by setting the naming.ignoreNamingService property to true.

Therefore, each client has to have this property set, and whether the property should be set or not is dependent on the location of firewalls and load balancers in the topology.

Access Manager 7.0 Naming Table on Client Side with Sites Defined on Access Manager

For 7.0 clients, if a site is defined in the platform service, the client-side naming table holds the URLs of the needed Access Manager services for each Access Manager site. The URLs refer to the Access Manager sites – load balancers – and not to instances. Thus, information about servers that are probably secured behind firewalls is not held in client state, eliminating the potential security problem from 6.x.

Client to Access Manager Instance Access in AM 7.0 with Sites Defined on Access Manager

When a 7.0 Access Manager client accesses an Access Manager instance on behalf of a user attempting to access a web app, it accesses the Access Manager site (assuming the user has a valid SSO token). Depending on the Access Manager service required, the client dynamically builds the URL for the service based on the site ID stored in the session token and the URLs in the naming service table. Therefore, all requests go through a load balancer.

Whether or not there is a firewall between the client and the Access Manager instances, this is not a problem, because the client only needs to be able to reach the load balancer.

There is no need for any special configuration on the client to make this all work. As long as the naming URL points to the load balancer, all is well.
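To make the 6.x/7.0 difference concrete, here is a simplified model of the client-side URL construction described above. It is an illustration added to this post, not Access Manager's own code or naming-table format: it assumes a naming table mapping an instance ID (6.x) or site ID (7.0) to a base URL, a session token carrying that ID, and the two service paths shown; the hostnames and the firewall set are constructed.

```python
"""Simplified model of how an Access Manager client builds a service URL.

Added illustration; not Access Manager's own code or naming-table format.
Assumed: the naming table maps a server/site ID to a base URL, and the
session token carries the ID of the server (6.x) or site (7.0) that issued it.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class NamingTable:
    # Maps an ID (instance ID in 6.x, site ID in 7.0) to a base URL.
    entries: dict
    # Service path templates; assumed for this model.
    services: dict = field(default_factory=lambda: {
        "session": "/amserver/sessionservice",
        "policy": "/amserver/policyservice",
    })


@dataclass
class SSOToken:
    token_id: str
    issuer_id: str  # instance ID (6.x) or site ID (7.0) stored in the token


def hosts_held_in_client_state(table: NamingTable) -> set:
    """Hostnames a client learns just by loading the naming table."""
    return {urlparse(url).hostname for url in table.entries.values()}


def build_service_url(table, token, service, ignore_naming_service=False, naming_url=None):
    """Return the URL a client would contact for `service`.

    ignore_naming_service models naming.ignoreNamingService=true: the client
    goes back to the host of its configured naming URL (the load balancer)
    instead of the instance named in the token.
    """
    path = table.services[service]
    if ignore_naming_service:
        if naming_url is None:
            raise ValueError("naming_url required when ignoring the naming service")
        p = urlparse(naming_url)
        return f"{p.scheme}://{p.netloc}{path}"
    return table.entries[token.issuer_id] + path


def reachable(url, firewalled_hosts):
    """True unless the URL's host sits behind the firewall."""
    return urlparse(url).hostname not in firewalled_hosts


# Constructed sample topology: two instances behind a firewall, fronted by a load balancer.
FIREWALLED = {"am1.internal.example.com", "am2.internal.example.com"}
NAMING_6X = NamingTable({
    "01": "http://am1.internal.example.com:8080",
    "02": "http://am2.internal.example.com:8080",
})
NAMING_70 = NamingTable({"sfo": "https://am-lb.example.com"})
TOKEN_6X = SSOToken("tok-constructed", "02")
TOKEN_70 = SSOToken("tok-constructed", "sfo")
```

Run the three cases against the constructed topology: with the 6.x table the client holds both firewalled hostnames and builds a URL it cannot reach; flipping the ignore-naming-service switch sends it to the load balancer instead; with the 7.0 site table the client never learns an instance hostname in the first place.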

Multiple Site Support in 7.0

Consider the case where you have multiple sites. Suppose you have:

  • A Web Server in San Francisco with a protected URL
  • A Web Server in Tampa with a protected URL
  • An Access Manager site with a load balancer and multiple firewalled AM instances in San Francisco
  • An Access Manager site with a load balancer and multiple firewalled AM instances in Tampa

You want an end user who has authenticated with the San Francisco site to be able to access the protected URL in Tampa without re-authenticating.

In 7.0, with sites configured in the Platform Service, an Access Manager instance in San Francisco is able to perform session validation on an Access Manager instance in Tampa by referencing the Tampa load balancer.

In 6.3, although enabling the naming.ignoreNamingService property might let the San Francisco *agent* get to the Tampa load balancer, there is no way for an Access Manager instance in San Francisco to get to the Tampa load balancer for session validation. An Access Manager instance in San Francisco can only reference the Access Manager instances in Tampa defined in the platform service. So, if these instances are firewalled, the SFO AM instance cannot reach the Tampa instance.

Making a multiple site deployment work in 6.3 requires firewall configuration in ways that are likely to be unacceptable to users.

If No Sites Are Defined in 7.0

Access Manager should work identically to how it worked in 6.x. You can define configurations with multiple instances in the platform service, configure the fqdnMap, and add realm DNS aliases as needed. But if there is a firewall behind the load balancer, the deployment will fail.

Server-Side Configuration in Access Manager 7.0

To configure Access Manager 7.0 to support sites, you need only do the following:

  • Define the site and instance lists in the platform service
  • Add realm DNS aliases as required in the realm properties for the top-level realm

Server-Side Configuration in Access Manager 6.x

To configure Access Manager 6.x to support multiple instances, do the following:

  • Define instances in the Platform Service
  • Define the fqdnMap property in the file
  • Add realm DNS aliases as required in the realm properties for the top-level realm
  • Configure clients as necessary, depending on firewall locations


The 7.0 site configuration capability provides enhancements to Access Manager security and ease of configuration.

Access Manager 7.1 Beta in Java EE Tools/NetBeans 5.5 Enterprise Pack

If you’ve been following Eric Leach’s blog, you’ll know that, just before JavaOne, we released a beta version of Sun Java System Access Manager 7.1 via a couple of bundles:

The former download is 132 MB, the latter 89 MB. The main difference between them seems to be that the Java EE 5 Tools Bundle includes NetBeans; NB EP 5.5 assumes you already have it.

Access Manager’s role in this bundle is to secure web services. If you’re thinking “Uh oh – this is that Liberty stuff they keep pushing at me; I’ve barely got my head around basic SAML assertions, let alone ID-WSF.”, well – relax. We did show Access Manager working with Java Studio Enterprise and JSR 196 (Java Authentication Service Provider Interface for Containers) to secure web services via Liberty ID-WSF at last year’s JavaOne (there’s also a technical article on the topic); since then we have implemented WS-I BSP to secure ‘plain vanilla’ web services.

Here are my notes from installing the Java EE 5 Tools Bundle Beta and working through the Securing Web Services tutorial. I’m running Ubuntu 6.06 ‘Dapper Drake’ Beta. Not an officially supported platform, but I like to surf the bleeding edge.

  • Let’s get started. I downloaded the Java EE 5 Tools Bundle Beta, chmod +x; ./ and I’m into the installer. I need to tell the installer where I’ve put Java – it doesn’t seem to know. Fair enough – this is not a standard system – I have at least three versions of Java floating around.
  • The installer prompts me for ports, passwords and trundles away for a while. On completion it reports that there were some warnings. I check /tmp/netbeans-5_5-installation-20060523143837.41310.log and it looks like the installer was not able to get to Access Manager (AM) at http://myhostname:8080/amserver/configurator.jsp. Ah – that’s probably because it likes your system to have a fully qualified domain name (FQDN), e.g. and I don’t have a domain set. This is documented in the release notes – it doesn’t seem to be a big deal, and I can get to that URL in Firefox, so we’ll just carry on.
  • OK – surf to http://myhostname:8080/amserver/configurator.jsp and I get a nice configuration page:

    Those are the 5 parameters you need to set to configure AM. I left everything as default and (as expected from the release notes) got a server error. Putting a dummy domain on the end of the hostname did the trick and I’m at an Access Manager login screen.

    Cool! The simplest ever AM install/config
  • Login with the default amadmin/admin123 (we’ll have to change that – I hate default passwords. We should add ‘amadmin password’ to the 5 configuration parameters) and I’m in the now familiar AM 7.x admin UI:
  • Ok – install and config done. On to the Securing Web Services tutorial. The tutorial notes are a little sketchy – I’ll fill in the gaps here as I go along.
  • Grab the sample source and put it somewhere sensible, as suggested in the tutorial. I get two directories, stockclient and stockservice. Cool.
  • Tutorial step 2 is missing an initial steplet – you need to go to the App Server admin console at http://myhostname:4848/ and login as admin with whatever AS password you selected at install. Hmm – I don’t see a ‘Runtime’ tab, but I can see a running App Server (in fact, I already checked that it was running by browsing http://myhostname:8080/ and, of course, I wouldn’t have been able to configure AM if it wasn’t running). So, according to step 2c, I can safely skip forward to step 5 in the tutorial. Except that it seems like the next thing I have to do is in step 3.
  • Tutorial step 3 – yes – done this already.
  • Step 4 – ah – you will definitely want to do this – set AM to full message debug logging. On my system, the config file was at /home/pat/SUNWappserver/addons/amserver/ Beware – there is another file for the AM server – on my machine it’s at /home/pat/ If you set message debug logging at the AM server but not in the AS addons, you won’t get any of the diagnostic output described below. I know – I did exactly this first time round and spent several hours trying to figure out what was wrong. Change to message and restart the App Server. Just go to wherever_you_installed_it/SUNWappserver/bin and do ./asadmin stop-domain; ./asadmin start-domain.
  • Step 5 – Run NetBeans and disable proxies as directed in the tutorial, since we’ll be interacting with local services.
  • OK – now for some secure web service action… Start NetBeans and… Oh. NetBeans just shows me a blank window. That’s not good. Google Google Google… Ah. I have XGL and Compiz eye candy installed. This forum post gives the answer – run the Xnest nested X server, the icewm window manager and then run NetBeans in the nested X session. Fair enough. Ubuntu recommends Xephyr rather than Xnest, so I grab that, icewm and.. great – we have NetBeans! [UPDATE: See this comment for a handy little script I wrote to run NetBeans in a nested X session.] Back to the tutorial…
  • Open the two projects. Cool – Web Service Provider (WSP) Security Configuration property page. Enable security, select SAML-HolderOfKey, sign responses. Don’t forget to change the password if you overrode the default AS ‘adminadmin’ password. Ooh – we’ll have to fix that password entry field. This is beta, don’t forget.
  • We can go look in the keystore, just to check that we are supplying the right password here, and that the s1as cert is there:
    pat@patlinux:~/SUNWappserver/domains/domain1/config$ keytool -list
    -keystore ./keystore.jks -storepass password
    Keystore type: jks
    Keystore provider: SUN
    Your keystore contains 1 entry
    s1as, May 23, 2006, keyEntry,
  • Now to the client… Web Service Client (WSC) Security Configuration, enable security, SAML-HolderOfKey, verify response. Check that password again. And we’re ready to run. Build and deploy stockservice as described in the tutorial. Build and run stockclient and we have a JSP ready for input. I had to copy the URL into the browser in my main X session, since Firefox wasn’t happy running a second instance in the nested X session. I also had to change ‘localhost’ in the URL to my real hostname.
  • Now I just press enter to get a quote for SUNW and… I get a page of canned price data. It works!!! On my machine the ClientModule and ServerModule debug files are in /tmp/amserver/, and in them I can see real, honest to goodness WS-I BSP SOAP messages with SAML assertions in the headers. I’ve indented for clarity and elided most of the base 64 encoded signature and key info.
  • Here’s the raw SOAP message as it leaves the client code (don’t forget, the whole point of this is to abstract the security stuff out of the client/server code):
    <env:Envelope xmlns:env="" xmlns:enc="" xmlns:ns0="" xmlns:xsd="" xmlns:xsi="">
  • And here is the secured SOAP message as it goes onto the wire:
    <env:Envelope xmlns:env="" xmlns:enc="" xmlns:ns0="" xmlns:wsu="" xmlns:xsd="" xmlns:xsi="">
    <wsse:Security xmlns:wsse="">
    <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="s69f7e258e30da2b9b9f5799d4eb0c548782432bf" IssueInstant="2006-05-24T05:52:32Z" Issuer="patlinux" MajorVersion="1" MinorVersion="1">
    <saml:AuthenticationStatement AuthenticationInstant="2006-05-24T05:52:30Z" AuthenticationMethod="urn:com:sun:identity:Application">
    <KeyInfo xmlns="">
    <KeyName>CN=patlinux, OU=Sun Java System Application Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US</KeyName>
    <Signature xmlns="">
    <CanonicalizationMethod Algorithm=""/>
    <SignatureMethod Algorithm=""/>
    <Reference URI="#s69f7e258e30da2b9b9f5799d4eb0c548782432bf">
    <Transform Algorithm=""/>
    <Transform Algorithm=""/>
    <DigestMethod Algorithm=""/>
    <Signature xmlns="">
    <CanonicalizationMethod Algorithm=""/>
    <SignatureMethod Algorithm=""/>
    <Reference URI="#se0ffabd98ecfdf194adc0c8ac8fb4edabf65cd3a">
    <Transform Algorithm=""/>
    <DigestMethod Algorithm=""/>
    <SecurityTokenReference xmlns="" wsu:Id="STR1">
    <KeyIdentifier ValueType="" wsu:Id="sbee70b80d8b330875655b8956d13ff5a4199ca1d">s69f7e258e30da2b9b9f5799d4eb0c548782432bf</KeyIdentifier>
    <env:Body wsu:Id="se0ffabd98ecfdf194adc0c8ac8fb4edabf65cd3a">
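Before the walkthrough, one check worth having in your toolbox when you look at a message like the one above: which elements do the ds:Reference URIs actually point at? A receiver that trusts the Body or the assertion must first confirm those elements are the ones covered by a signature. The following is an added example, not code from the tutorial or from Access Manager; it does not verify the signature cryptography, only the reference coverage. The sample envelope is constructed here with the standard SOAP, WSS, XML-DSig and SAML 1.x namespace URIs and placeholder digest and signature values, shaped like the message above.

```python
"""Report which parts of a WS-Security SOAP message the signatures reference.

Added example, not the tutorial's or Access Manager's code. It does not check
digests or signature values; it answers the prior question: is the element I am
about to trust (the Body, the SAML assertion) referenced by a ds:Reference at all?
"""
import xml.etree.ElementTree as ET

NS = {
    "env": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:1.0:assertion",
}

# Constructed sample shaped like the secured message above; digest/signature values are placeholders.
SAMPLE = """<env:Envelope xmlns:env="{env}" xmlns:wsu="{wsu}">
 <env:Header>
  <wsse:Security xmlns:wsse="{wsse}">
   <saml:Assertion xmlns:saml="{saml}" AssertionID="sAAA" MajorVersion="1" MinorVersion="1"
        Issuer="patlinux" IssueInstant="2006-05-24T05:52:32Z">
    <ds:Signature xmlns:ds="{ds}">
     <ds:SignedInfo><ds:Reference URI="#sAAA"><ds:DigestValue>x</ds:DigestValue></ds:Reference></ds:SignedInfo>
     <ds:SignatureValue>x</ds:SignatureValue>
    </ds:Signature>
   </saml:Assertion>
   <ds:Signature xmlns:ds="{ds}">
    <ds:SignedInfo><ds:Reference URI="#sBBB"><ds:DigestValue>x</ds:DigestValue></ds:Reference></ds:SignedInfo>
    <ds:SignatureValue>x</ds:SignatureValue>
    <ds:KeyInfo><wsse:SecurityTokenReference xmlns:wsse="{wsse}" wsu:Id="STR1">
      <wsse:KeyIdentifier>sAAA</wsse:KeyIdentifier></wsse:SecurityTokenReference></ds:KeyInfo>
   </ds:Signature>
  </wsse:Security>
 </env:Header>
 <env:Body wsu:Id="sBBB"><getQuote>SUNW</getQuote></env:Body>
</env:Envelope>""".format(**NS)


def signed_ids(envelope_xml: str) -> set:
    """IDs referenced (URI="#id") by any ds:Reference inside the wsse:Security header."""
    root = ET.fromstring(envelope_xml)
    ids = set()
    for sec in root.iterfind(".//wsse:Security", NS):
        for ref in sec.iter(f"{{{NS['ds']}}}Reference"):
            uri = ref.get("URI", "")
            if uri.startswith("#"):
                ids.add(uri[1:])
    return ids


def body_id(envelope_xml: str):
    """wsu:Id of the SOAP Body, or None if it carries none."""
    body = ET.fromstring(envelope_xml).find("env:Body", NS)
    return None if body is None else body.get(f"{{{NS['wsu']}}}Id")


def assertion_id(envelope_xml: str):
    """AssertionID of the SAML assertion in the Security header, or None."""
    a = ET.fromstring(envelope_xml).find(".//wsse:Security/saml:Assertion", NS)
    return None if a is None else a.get("AssertionID")


def coverage(envelope_xml: str) -> dict:
    """Whether the Body and the assertion are each covered by a signature reference."""
    ids = signed_ids(envelope_xml)
    b, a = body_id(envelope_xml), assertion_id(envelope_xml)
    return {
        "body_signed": b is not None and b in ids,
        "assertion_signed": a is not None and a in ids,
    }


def strip_body_id(envelope_xml: str) -> str:
    """Negative sample: drop the Body's wsu:Id so no reference can cover it."""
    return envelope_xml.replace('<env:Body wsu:Id="sBBB">', "<env:Body>")
```

In the sample, as in the real message, the assertion's own signature references the AssertionID and the outer signature references the Body's wsu:Id, so both come back covered; remove the Body's Id and the report flags it immediately. The real check then continues with canonicalisation and digest/signature verification, which this example leaves out.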

So – in the next thrilling installment, we’ll walk through that secure SOAP message and see what each bit actually does.

UPDATE: here is that next installment.

Welcome… To the blog world.

You have to imagine the title in a Morpheus voice. Anyway – welcome, Eric Leach, to the blogosphere. I guess this is going to turn into another ‘great people I work with at Sun’ post now.

Eric is Product Line Manager for Federated Identity Management here at Sun, which kind of sounds like a tongue twister, but it is his real job, honest. Eric takes the customer requirements, engineering’s hare-brained schemes, the specifications and standards appearing from various august (or not) bodies and, somehow, magically, orchestrates the production of Access Manager, Federation Manager and OpenSSO.

Yup – Eric is just about the busiest guy I know. Go read his thoughts, and leave lots of comments. Eric really needs the notification email to fill out his inbox. Honest.

Customer Sabotage – Just What You Need in a Proof of Concept!

We conducted a proof-of-concept this week for a ‘major manufacturer’ (let’s call them MM for short), showing Access Manager integrating with Active Directory Federation Services (ADFS) via WS-Federation. Briefly, the mechanism is that you attempt to access a protected resource and, if you don’t have Access Manager‘s SSO token (as a cookie), you are redirected to ADFS for authentication. ADFS authenticates you then sends a SAML assertion back to a servlet at Access Manager via the HTML form POST/Javascript/onLoad trick*. The servlet validates the SAML assertion and, if all is well, issues an Access Manager SSO token as a cookie and redirects back to the originally requested resource and all proceeds according to the regular Access Manager logic. The neat thing is that, if you’re logged into a Windows domain, ADFS can authenticate you without any interaction, so all of the above magically happens in the blink of an eye, and you get the resource you asked for according to the AM policy in force. Kind of like the SPNEGO we all know and love, but all at a higher level, so it works better in large, complex multi-forest environments.

So – we get this all working (I’m remote at Sun’s offices in Santa Clara, the PoC is at – uh – a secret location) and everyone there breaks for lunch. After lunch I get a slightly panicky call from the SE onsite (Hi, Bob!) saying that, inexplicably, it’s no longer working. The browser isn’t being forwarded to ADFS via AM’s WS-Fed servlet – it’s just going to the regular AM login page instead. Weird. I tail -f the logs, have them try again, and sure enough, the WS-Fed servlet is unmolested by traffic. I turn on the debug flag on the agent, tail -f the logs again and have them click the link. Whah!? The agent on the protected web server is redirecting to the CDSSO servlet? Why? A glance in the agent config shows that, somehow, magically, CDSSO has been enabled.

As Bob and I try to figure out just what has happened, I hear a voice in the background saying something like “Uh – Oh – Um”. One of MM’s senior technical staff is ex-Sun. He’s had a little tinker over lunch, applying his AM knowledge and trying one or two things out. And left CDSSO enabled. Which tells the agent to redirect to the CDSSO servlet instead of my nifty new WS-Federation servlet. s/true/false/ on the ‘enable CDSSO’ property and all is working again. Phew!

Moral of the story. Never leave the customer alone in the PoC room with a logged in machine. Especially if they know enough to be dangerous!

* In case you don’t know this one, it goes like this. Server A returns an HTML page with a form containing one or more hidden elements – one might be, for instance, an XML document – and whose action is to POST to Server B. The page also contains a JavaScript onLoad event handler that submits the form. The result is a little like a 302 redirect, except that you get to send a bunch more data than you can cram into a URL.
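For anyone who wants to see the trick rendered out, here is an added example (not code from the PoC or from Access Manager) of the page Server A returns. It assumes WS-Federation-style parameter names for the hidden fields and a made-up target URL. Two points a practitioner cares about are built in: every hidden value is HTML-escaped, so an XML document containing quotes or angle brackets cannot break out of its attribute and change the page, and the form action is checked against an allow-list of hosts over https, so the page never posts user data to a destination the operator did not configure.

```python
"""Build the HTML page for the form POST / onload trick described above.

Added example; not code from the post or from Access Manager. Server A returns
this page, and the browser submits the hidden form to Server B on load.
"""
import html
from html.parser import HTMLParser
from urllib.parse import urlparse


def build_autopost_page(action: str, fields: dict, allowed_hosts: set) -> str:
    """Return an HTML page that POSTs `fields` to `action` via an onload handler.

    Raises ValueError if `action` is not an https URL to a host in allowed_hosts.
    """
    target = urlparse(action)
    if target.scheme != "https" or target.hostname not in allowed_hosts:
        raise ValueError(f"refusing to post to {action!r}")
    # Escape names and values so a payload (an XML document, say) cannot
    # terminate the attribute and inject markup into the page.
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(name, quote=True)}" '
        f'value="{html.escape(value, quote=True)}"/>'
        for name, value in fields.items()
    )
    return f"""<!DOCTYPE html>
<html>
<head><title>Redirecting...</title></head>
<body onload="document.forms[0].submit()">
  <form method="post" action="{html.escape(action, quote=True)}">
{inputs}
    <noscript><input type="submit" value="Continue"/></noscript>
  </form>
</body>
</html>
"""


def parse_hidden_fields(page: str) -> dict:
    """Recover the hidden fields from a page built above (round-trip check)."""

    class _HiddenFields(HTMLParser):
        def __init__(self):
            super().__init__()
            self.fields = {}

        def handle_starttag(self, tag, attrs):
            a = dict(attrs)  # HTMLParser has already unescaped the values
            if tag == "input" and a.get("type") == "hidden":
                self.fields[a["name"]] = a["value"]

    p = _HiddenFields()
    p.feed(page)
    return p.fields


# Constructed sample: a WS-Federation-style sign-in response carrying a small XML payload.
SAMPLE_FIELDS = {"wa": "wsignin1.0", "wresult": '<x a="1"><y>2</y></x>'}
SAMPLE_PAGE = build_autopost_page(
    "https://am.example.com/amserver/wsfed", SAMPLE_FIELDS, {"am.example.com"}
)
```

The noscript submit button is the fallback for browsers without JavaScript; the 302 analogy in the footnote holds, except that the receiving servlet now reads the data from the POST body rather than the query string.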

Configuring Solaris to Authenticate against a Sun Java System Access Manager’s Directory Server

Solaris (and other *nix operating systems) can authenticate users against an LDAP compliant directory server, such as Sun Java System Directory Server, for login. Sun Java System Access Manager can also authenticate users against an LDAP directory server for web single sign-on, access control and federation. There is an issue in that, by default, Access Manager locks down its Directory Server instance, removing the capability to do anonymous LDAP search and read operations. Unfortunately, this removes the ability for Solaris to authenticate users.

Jeff Nester, a Senior Identity Management Specialist at inSolutions (Dig the retro iPlanet favicon at, Jeff!) recently wrote a paper explaining how to configure Directory Server and Access Manager so that Solaris and AM authentication co-exist. This allows you to create a single directory entry that enables access to both Solaris and web applications protected by AM.

Useful stuff if you’re trying to consolidate directories and keep passwords consistent across desktop login and web applications. Lots of other goodies at Jeff’s site too – must try the tips for getting a video projector to work on a Toshiba Tecra M2 in Java Desktop System. If that works, I definitely owe you a beer, Jeff.

Interested in working on the next generation of identity management at Sun?

Access Manager is hiring! We are looking for software engineers with 3-5 years experience in Java, J2EE and servlets to join the AM engineering team at Sun’s Santa Clara campus. You can read through my blog to get an idea of some of the technologies used in Access Manager – web services, identity federation, Kerberos – you might even get to work on the OpenSSO project.

If this sounds like you, then see the job specs here and here. Oh – and tell them Pat sent you.