AM Client SDK
Hi,
I was wondering what the requirements are to build a client app for AM...
I've built a Java app (running on Windows) with amclientsdk.jar and AMConfig.properties (configured with the right path to serverconfig.xml) but this doesn't work (Java exceptions during runtime)...
I don't understand the utility of the installation of the client SDK (from the JES installer) on the client host (my Access Manager isn't on the same host).
Does the client app need to be interfaced with a J2EE policy agent (like the one for Tomcat)?
Thanks!
PS: The client exchanges information with the AM server (connection with the namingservice, then login info is sent).
[719 byte] By [sheepsa] at [2007-11-27 4:58:20]

# 1
What are you trying to do with the SDK? Authentication? SSOToken verification? User management? What exception did you receive? I have successfully used the amclientsdk.jar and an AMConfig.properties to do all the above.
# 2
Hi AAron,
I'm trying to do Auth/SSOToken verification: one of the pieces of code I'm using is the code sample from the SDK (which isn't installed on the client) with AuthContext and Callback to send the amadmin login and password,
but I got some exceptions even though the login seems successful, because AM gives the iPlanetDirectoryPro cookie:
05/22/2007 11:36:31:421 AM CEST: Thread[main,5,main]
LoginStatus : success
05/22/2007 11:36:31:421 AM CEST: Thread[main,5,main]
WebtopNaming : SecondarySites for 12 is null
05/22/2007 11:36:31:421 AM CEST: Thread[main,5,main]
sending cookies: iPlanetDirectoryPro=AQIC5...Y4Mg==#;amlbcookie=12
But I got these exceptions (I suppose this one is normal because it comes before the auth success):
AdminTokenAction::getSSOToken Not found AdminDN and AdminPassword.
java.lang.NoClassDefFoundError: com/sun/identity/security/ServerInstanceAction
at com.iplanet.am.util.AdminUtils.<clinit>(AdminUtils.java:82)
at com.sun.identity.security.AdminTokenAction.getSSOToken(AdminTokenAction.java:263)
at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:174)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.identity.authentication.AuthContext.runLogin(AuthContext.java:561)
at com.sun.identity.authentication.AuthContext.login(AuthContext.java:498)
at com.sun.identity.authentication.AuthContext.login(AuthContext.java:356)
at MaClasse.main(MaClasse.java:77)
and then
AMCommonUtils:Initial: Caught exception in static block
java.lang.NoClassDefFoundError
at com.sun.identity.sm.SMSEntry.<clinit>(SMSEntry.java:169)
at com.sun.identity.sm.ServiceManager.<clinit>(ServiceManager.java:74)
at com.sun.identity.sm.ServiceConfigManager.<init>(ServiceConfigManager.java:94)
at com.iplanet.am.sdk.AMCommonUtils.populateManagedObjects(AMCommonUtils.java:503)
at com.iplanet.am.sdk.AMCommonUtils.<clinit>(AMCommonUtils.java:113)
at com.iplanet.am.sdk.AMStoreConnection.<clinit>(AMStoreConnection.java:143)
at MaClasse.main(MaClasse.java:106)
java.lang.NoClassDefFoundError
at com.iplanet.am.sdk.AMStoreConnection.<clinit>(AMStoreConnection.java:148)
at MaClasse.main(MaClasse.java:106)
Exception in thread "main"
The program is a command line program (simple main() function, no HttpServlet).
I have included AMconfig.properties in the jar and configured the variable com.iplanet.services.configpath to the path of "serverconfig.xml".
The thing I don't understand is what the requirements on the client host are. Do we need to install JES? It wouldn't be logical.
Thanks for the assistance
# 3
Hi all, I've installed the Tomcat policy agent and the code runs without problem... I don't have any idea what functions or packages the agent adds... Any idea? Because I need to interface an Apple WebObjects application with Access Manager, and I don't know how to
# 4
This code worked fine for me, only servlet.jar and amclientsdk.jar in the classpath
package amauthtest;

import com.iplanet.am.util.SystemProperties;
import com.sun.identity.authentication.AuthContext;
import com.sun.identity.authentication.spi.AuthLoginException;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;

public class AMLogin {
    public static void main(String[] args) {
        try {
            Properties amEnv=new Properties();
            //from AM server's AMConfig.properties
            amEnv.setProperty("com.iplanet.am.naming.url","http://amserver.com:80/amserver/namingservice");
            amEnv.setProperty("com.iplanet.am.naming.failover.url","");
            amEnv.setProperty("com.iplanet.services.debug.level","error");
            amEnv.setProperty("com.iplanet.services.debug.directory","D:\\temp\\amDebug");
            //amEnv.setProperty("com.iplanet.am.notification.url","");
            amEnv.setProperty("com.sun.identity.agents.notification.enabled","false");
            //amEnv.setProperty("com.sun.identity.agents.notification.url","");
            //amEnv.setProperty("com.sun.identity.agents.app.username","UrlAccessAgent"); //Any Agent
            //amEnv.setProperty("com.iplanet.am.service.password","amldapuser");
            //from AM server's AMConfig.properties
            //amEnv.setProperty("am.encryption.pwd","apassword");
            SystemProperties.initializeProperties(amEnv);
            String uid="loginid";
            String pwd="password";
            AuthContext ctx = new AuthContext("/SubRealm");
            ctx.login(AuthContext.IndexType.MODULE_INSTANCE, "AD");
            Callback callbacks[] = ctx.getRequirements();
            for(int i = 0; i < callbacks.length; i++){
                if(callbacks[i] instanceof NameCallback) {
                    NameCallback namecallback = (NameCallback)callbacks[i];
                    namecallback.setName(uid);
                } else if(callbacks[i] instanceof PasswordCallback) {
                    PasswordCallback pwdCallback = (PasswordCallback)callbacks[i];
                    char chars[] = pwd.toCharArray();
                    pwdCallback.setPassword(chars);
                }
            }
            ctx.submitRequirements(callbacks);
            if(ctx.getStatus() == AuthContext.Status.SUCCESS){
                System.out.println("Logged in" + ctx.getSSOToken().getTokenID());
            }else{
                System.out.println("Login failed");
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }
}
# 5
Hello Aaron, many thanks for the response!
If I execute your class with servlet.jar and amclientsdk.jar, it works (like my other code snippets) but after the login (success), if I use the ssotoken, I get this error:
Logged in AQIC5wM...
java.lang.NoClassDefFoundError
at com.iplanet.am.util.AdminUtils.getAdminDN(AdminUtils.java:106)
at com.sun.identity.sm.SMSEntry.<clinit>(SMSEntry.java:169)
at com.iplanet.am.sdk.AMStoreConnection.<clinit>(AMStoreConnection.java:148)
at amauthtest.AMLogin.main(AMLogin.java:57)
Exception in thread "main"
The code at amauthtest.AMLogin.main(AMLogin.java:91) is:
AMStoreConnection db = new AMStoreConnection(ctx.getSSOToken());
Any suggestions?
Thanks
Message was edited by:
sheeps
# 6
If you have Access Manager 7 in realm mode you will need to use the IDM API instead of the deprecated AM 6.x APIs:
http://docs.sun.com/source/819-2141/com/sun/identity/idm/package-frame.html
...
amEnv.setProperty("com.iplanet.services.debug.directory","D:\\temp\\amDebug");
amEnv.setProperty("com.iplanet.security.encryptor","com.iplanet.services.util.JCEEncryption");
//amEnv.setProperty("com.iplanet.am.notification.url","");...
...
if(ctx.getStatus() == AuthContext.Status.SUCCESS){
System.out.println("Logged in" + ctx.getSSOToken().getTokenID());
AMIdentity identity = IdUtils.getIdentity(ctx.getSSOToken());
System.out.println(identity.getName());
}else{
...
# 7
I've inserted your modifications and now I got this error:
Logged in AQIC5wM2LY4Sfcw+RMa7qXC8tciAGXIJEgHKhxWceweUA+M=@AAJTSQACMDE=#
java.lang.ExceptionInInitializerError
at amauthtest.AMLogin.main(AMLogin.java:62)
Caused by: com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
Check AMConfig.properties for the following properties
com.sun.identity.agents.app.username
com.iplanet.am.service.password
at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:243)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.identity.idm.IdUtils.initialize(IdUtils.java:182)
at com.sun.identity.idm.IdUtils.<clinit>(IdUtils.java:114)
... 1 more
Exception in thread "main"
using this code:
String uid="ed";
String pwd="ed";
AuthContext ctx = new AuthContext("/EnterpriseSample");
So I set the properties:
amEnv.setProperty("com.sun.identity.agents.app.username","ed");
amEnv.setProperty("com.iplanet.am.service.password","ed");
And now I get this error:
Logged in AQIC5wM2LY4SfcwgMj1jqwtHvKKETdfXZQC234sbZKozuQw=@AAJTSQACMDE=#
java.lang.ExceptionInInitializerError
at amauthtest.AMLogin.main(AMLogin.java:64)
Caused by: java.lang.NullPointerException
at com.sun.identity.idm.IdUtils.initialize(IdUtils.java:129)
at com.sun.identity.idm.IdUtils.<clinit>(IdUtils.java:114)
... 1 more
Exception in thread "main"
thanks for your assistance...
# 8
Here is code to get a user identity with both the user's token and using an admin token. Again, only the amclientsdk.jar and servlet.jar are in the classpath.
package amauthtest;

import com.iplanet.am.util.SystemProperties;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.AuthContext;
import com.sun.identity.idm.AMIdentity;
import com.sun.identity.idm.AMIdentityRepository;
import com.sun.identity.idm.IdSearchControl;
import com.sun.identity.idm.IdSearchResults;
import com.sun.identity.idm.IdType;
import com.sun.identity.idm.IdUtils;
import com.sun.identity.security.AdminTokenAction;
import java.security.AccessController;
import java.util.Iterator;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;

public class AMLogin {
    static{
        setEnv();
    }
    static String REALM="/EnterpriseSample";

    public static void main(String[] args) {
        try {
            String uid="auser";
            SSOToken userToken=authenticate(uid,"apassword",REALM,"LDAP");
            if (userToken!=null){
                System.out.println("With user token");
                printUserAttributes(IdUtils.getIdentity(userToken));
            }
            SSOToken adminToken=(SSOToken)AccessController.doPrivileged(AdminTokenAction.getInstance());
            AMIdentityRepository repo= new AMIdentityRepository(adminToken, REALM);
            IdSearchControl controls=new IdSearchControl();
            controls.setRecursive(true);
            IdSearchResults res=repo.searchIdentities(IdType.USER,uid,controls);
            System.out.println("With admin token");
            for (Iterator i=res.getSearchResults().iterator();i.hasNext();){
                printUserAttributes((AMIdentity)i.next());
            }
        } catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    static void setEnv(){
        Properties amEnv=new Properties();
        //from AM server's AMConfig.properties
        amEnv.setProperty("com.iplanet.am.naming.url","http://amserver.com:80/amserver/namingservice");
        amEnv.setProperty("com.iplanet.am.naming.failover.url","");
        amEnv.setProperty("com.iplanet.services.debug.level","error");
        amEnv.setProperty("com.iplanet.services.debug.directory","D:\\temp\\amDebug");
        amEnv.setProperty("com.iplanet.security.encryptor","com.iplanet.services.util.JCEEncryption");
        //amEnv.setProperty("com.iplanet.am.notification.url","");
        amEnv.setProperty("com.sun.identity.agents.notification.enabled","false");
        //amEnv.setProperty("com.sun.identity.agents.notification.url","");
        amEnv.setProperty("com.sun.identity.agents.app.username","amadmin"); //Any Agent
        amEnv.setProperty("com.iplanet.am.service.password","amadminpassword");
        //from AM server's AMConfig.properties
        amEnv.setProperty("am.encryption.pwd","encpwd");
        SystemProperties.initializeProperties(amEnv);
    }

    static SSOToken authenticate(String uid,String pwd,String realm,String module) throws Exception{
        AuthContext ctx = new AuthContext(realm);
        ctx.login(AuthContext.IndexType.MODULE_INSTANCE, module);
        Callback callbacks[] = ctx.getRequirements();
        for(int i = 0; i < callbacks.length; i++){
            if(callbacks[i] instanceof NameCallback) {
                NameCallback namecallback = (NameCallback)callbacks[i];
                namecallback.setName(uid);
            } else if(callbacks[i] instanceof PasswordCallback) {
                PasswordCallback pwdCallback = (PasswordCallback)callbacks[i];
                char chars[] = pwd.toCharArray();
                pwdCallback.setPassword(chars);
            }
        }
        ctx.submitRequirements(callbacks);
        if(ctx.getStatus() == AuthContext.Status.SUCCESS){
            System.out.println("Logged in " + ctx.getSSOToken().getTokenID());
            return ctx.getSSOToken();
        }else{
            System.out.println("Login failed");
        }
        return null;
    }

    static void printUserAttributes(AMIdentity identity)throws Exception{
        if (identity!=null){
            System.out.println(identity.getName());
            System.out.println(IdUtils.getUniversalId(identity));
            for (Iterator i=identity.getAttributes().entrySet().iterator();i.hasNext();){
                Map.Entry e=(Map.Entry)i.next();
                System.out.println(e);
            }
        }
    }
}
Note that the agent uid is amadmin. UrlAccessAgent, the default agent ID, should work if you are only using the user's token to retrieve the identity attributes. Another agent profile in the /EnterpriseSample realm should work just as well. It appears that if you use the repo search functionality you need an actual administrator account like amadmin.
Your test probably failed because ed was probably only a user and not an agent id.
# 9
Sorry, I forgot to mention, my AM server is in legacy mode, but in the first sample, if I use my amadmin login for com.sun.identity.agents.app.username, it doesn't work anyway... like if I use an agent login...
but if I insert a bad password or username in the AuthContext or in the agent properties the login fails (so I suppose the login is effective).
Anyway, is the Realm Mode or the Legacy Mode important for the use of the API (like AMStoreConnection)? I have no idea about this error; maybe this isn't the right amclientsdk.jar that I'm using (but I took it from the AM server filesystem!)
Thanks a lot for your perseverance.
PS: your last sample produces an error if I use the LDAP DN for the login (uid=ed,ou=People,o=EnterpriseSample,dc=grenet,dc=fr) or a simple username (ed):
"com.sun.identity.authentication.spi.AuthLoginException(1):null"
"com.sun.identity.authentication.spi.AuthLoginException(2):null"
"com.sun.identity.authentication.spi.AuthLoginException: Failed to create new Authentication Context: {0}"
"at com.sun.identity.authentication.AuthContext.createAuthContext(AuthContext.java:1340)"
"at com.sun.identity.authentication.AuthContext.createAuthContext(AuthContext.java:1261)"
"at com.sun.identity.authentication.AuthContext.<init>(AuthContext.java:178)"
"at amauthtest.AMLogin.authenticate(AMLogin.java:71)"
"at amauthtest.AMLogin.main(AMLogin.java:30)"
At AMLogin.java:71 :
AuthContext ctx = new AuthContext(realm); // realm == "o=EnterpriseSample,dc=grenet,dc=fr" or realm == "/EnterpriseSample"
# 10
If you have Access Manager installed in legacy mode then you will probably need to use the amclientsdk.jar for 6.3. Make sure you are using the amclientsdk.jar from /opt/SUNWam/lib and not the SDK from any of the 2.2 J2EE agents unless it is the etc/amclientsdk_63.jar.
The com.sun.identity.agents.app.username should be an application ID, either the amadmin user or equivalent user with the top level admin role or the UrlAccessAgent built in agent account. I would use the amadmin account just to get it working.
Once you have set the app.username to amadmin try the following code:
try {
    SSOToken token = (SSOToken) AccessController.doPrivileged((AdminTokenAction.getInstance()));
    AMStoreConnection con = new AMStoreConnection(token);
} catch (SSOException se) {
    debug.error("unable to connect to store ", se);
}
The /opt/SUNWam/samples/sso sample should also offer you some guidance. Be sure to use the DN format for the authcontext too.
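
A way to check which jar actually supplies the SDK classes named in the samples and stack traces above, without running their static initializers. This is an added example, not part of any post in this thread and not Sun's code; the class name SdkClasspathCheck is made up for illustration.

```java
import java.security.CodeSource;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;

/** Hypothetical helper: run it with the same classpath as the failing client. */
public class SdkClasspathCheck {

    // Class names copied from the samples and stack traces in this thread.
    static final String[] SDK_CLASSES = {
        "com.sun.identity.authentication.AuthContext",
        "com.sun.identity.security.AdminTokenAction",
        "com.sun.identity.security.ServerInstanceAction",
        "com.iplanet.am.util.AdminUtils",
        "com.iplanet.am.sdk.AMStoreConnection",
        "com.sun.identity.idm.IdUtils"
    };

    /** Loads the class without initializing it and reports where it came from. */
    static String locate(String className, ClassLoader loader) {
        try {
            // initialize=false: static blocks such as AdminUtils.<clinit> do not run
            Class<?> c = Class.forName(className, false, loader);
            CodeSource src = c.getProtectionDomain().getCodeSource();
            return src == null ? "FOUND (unknown source)" : "FOUND " + src.getLocation();
        } catch (ClassNotFoundException e) {
            return "MISSING";
        } catch (LinkageError e) {
            // e.g. a superclass or interface is absent from the classpath
            return "BROKEN " + e;
        }
    }

    /** One entry per class name, in the order given. */
    static Map<String, String> report(String[] names, ClassLoader loader) {
        Map<String, String> result = new LinkedHashMap<String, String>();
        for (String name : names) {
            result.put(name, locate(name, loader));
        }
        return result;
    }

    public static void main(String[] args) {
        Map<String, String> result =
            report(SDK_CLASSES, SdkClasspathCheck.class.getClassLoader());
        Set<String> sources = new LinkedHashSet<String>();
        boolean complete = true;
        for (Map.Entry<String, String> e : result.entrySet()) {
            System.out.println(e.getKey() + " -> " + e.getValue());
            if (e.getValue().startsWith("FOUND ")) {
                sources.add(e.getValue());
            } else {
                complete = false;
            }
        }
        if (sources.size() > 1) {
            System.out.println("WARNING: SDK classes come from more than one jar; versions may be mixed");
        }
        System.exit(complete ? 0 : 1);
    }
}
```

Entries reported as MISSING are the ones that raise NoClassDefFoundError once the client code reaches them.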
# 11
I am getting this
Caused by: com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
Check AMConfig.properties for the following properties
com.sun.identity.agents.app.username
com.iplanet.am.service.password
at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:243)
at java.security.AccessController.doPrivileged1(Native Method)
at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
at com.sun.identity.idm.IdUtils.initialize(IdUtils.java:182)
at com.sun.identity.idm.IdUtils.<clinit>(IdUtils.java:114)
... 54 more
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:754)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:151)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:634)
at java.security.AccessController.doPrivileged1(Native Method)
at java.security.AccessController.doPrivileged(AccessController.java:351)
at javax.security.auth.login.LoginContext.invokeModule(LoginContext.java:631)
at javax.security.auth.login.LoginContext.login(LoginContext.java:557)
at com.ibm.ws.security.auth.JaasLoginHelper.jaas_login(JaasLoginHelper.java:376)
Has anyone been able to fix this?
lrejua at 2007-7-12 10:14:10 >

# 12
Yes, you can do this:
Properties amEnv=new Properties();
amEnv.setProperty("com.sun.identity.agents.app.username","amAdmin");
amEnv.setProperty("com.iplanet.am.service.password","amadminpass");
SystemProperties.initializeProperties(amEnv);
before your AuthContext.
For my part, I'm always stuck with the "NullPointerException at DCTreeServicesHelper.isRequired" when I use any code, even the last one from Aaron_Anderson:
try {
    SSOToken token = (SSOToken) AccessController.doPrivileged((AdminTokenAction.getInstance()));
    AMStoreConnection con = new AMStoreConnection(token);
} catch (SSOException se) {
    debug.error("unable to connect to store ", se);
}
The code works but if I use the AM classes it fails:
try {
    SSOToken token = (SSOToken) AccessController.doPrivileged((AdminTokenAction.getInstance()));
    AMStoreConnection con = new AMStoreConnection(token);
    AMUser user = con.getUser(token.getPrincipal().toString());
    Set roles = user.getAllRoleDNs();
} catch (SSOException se) {
    System.out.println("unable to connect to store "+ se);
}
The line con.getUser() produces an error (the same method fails if I use the token created with AuthContext):
java.lang.NullPointerException
at com.iplanet.am.sdk.common.DCTreeServicesHelper.isRequired(DCTreeServicesHelper.java:108)
at com.iplanet.am.sdk.remote.CachedRemoteServicesImpl.getAttributes(CachedRemoteServicesImpl.java:803)
at com.iplanet.am.sdk.remote.CachedRemoteServicesImpl.getAttributes(CachedRemoteServicesImpl.java:628)
at com.iplanet.am.sdk.remote.RemoteServicesImpl.getAttributesFromDS(RemoteServicesImpl.java:363)
at com.iplanet.am.sdk.AMObjectImpl.getAttributesFromDataStore(AMObjectImpl.java:302)
at com.iplanet.am.sdk.AMUserImpl.getAllRoleDNs(AMUserImpl.java:197)
at amauthtest.AMLogin.main(AMLogin.java:71)
and I have no idea about this... if I replace the jar with the old jar, it doesn't work, there is another exception.
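
A pre-flight check for the client properties this thread keeps returning to, including the two named in the "Cannot obtain Application SSO token" error. This is an added example, not part of any post and not Sun's code; the class name AmClientConfigCheck and the sample host amserver.example are made up, and the check is meant to run before SystemProperties.initializeProperties(amEnv).

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/** Hypothetical pre-flight check for an Access Manager client configuration. */
public class AmClientConfigCheck {
    static final String NAMING_URL = "com.iplanet.am.naming.url";
    static final String APP_USER = "com.sun.identity.agents.app.username";
    static final String APP_PASSWORD = "com.iplanet.am.service.password";
    static final String DEBUG_DIR = "com.iplanet.services.debug.directory";

    /** Returns findings; any line starting with "ERROR" should stop the client. */
    static List<String> check(Properties p) {
        List<String> findings = new ArrayList<String>();
        String naming = p.getProperty(NAMING_URL, "").trim();
        try {
            URI uri = new URI(naming);
            if (uri.getHost() == null) {
                findings.add("ERROR " + NAMING_URL + " is missing or has no host");
            } else if (!"https".equalsIgnoreCase(uri.getScheme())) {
                findings.add("WARN " + NAMING_URL + " is not https: naming lookups are unencrypted");
            }
        } catch (URISyntaxException e) {
            findings.add("ERROR " + NAMING_URL + " is not a valid URL");
        }
        // The two properties named in the AdminTokenAction error quoted in this thread.
        String user = p.getProperty(APP_USER, "").trim();
        if (user.isEmpty()) {
            findings.add("ERROR " + APP_USER + " is not set");
        } else if (user.equalsIgnoreCase("amadmin")) {
            findings.add("WARN " + APP_USER + " is amadmin: a top-level admin password is stored on the client");
        }
        if (p.getProperty(APP_PASSWORD, "").isEmpty()) {
            findings.add("ERROR " + APP_PASSWORD + " is not set"); // the value is never printed
        }
        String dir = p.getProperty(DEBUG_DIR);
        if (dir != null && !new File(dir).isDirectory()) {
            findings.add("WARN " + DEBUG_DIR + " is not an existing directory: " + dir);
        }
        return findings;
    }

    /** Reads the properties from a file so credentials stay out of the source code. */
    static Properties load(String path) throws Exception {
        Properties p = new Properties();
        InputStream in = new FileInputStream(path);
        try { p.load(in); } finally { in.close(); }
        return p;
    }

    public static void main(String[] args) throws Exception {
        Properties p;
        if (args.length > 0) {
            p = load(args[0]);       // e.g. the client's AMConfig.properties
        } else {
            p = new Properties();    // constructed sample values, not a real deployment
            p.setProperty(NAMING_URL, "http://amserver.example:80/amserver/namingservice");
            p.setProperty(APP_USER, "amadmin");
        }
        boolean fatal = false;
        for (String f : check(p)) {
            System.out.println(f);
            fatal |= f.startsWith("ERROR");
        }
        System.exit(fatal ? 1 : 0);
    }
}
```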
# 13
If your am server is in legacy mode (6.3) you can use the old version of amclientsdk.
I have some systems working with code based on the samples provided by the product.
You can use the TokenUtils program and execute it with amclientsdk.jar, servlet.jar and AMconfig.properties in your CLASSPATH.
Here is an example that actually runs, and I have not got any problem with it:
-- TokenUtils.java....
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;
import com.sun.identity.authentication.AuthContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;

public class TokenUtils {
    public static SSOToken getSessionToken(String orgName, String userId,
            String password) throws Exception
    {
        AuthContext ac = null;
        //System.out.println("TokenUtils......Creating the AuthContext with org("+orgName+")");
        try {
            ac = new AuthContext(orgName);
            //System.out.println("TokenUtils......Login the AuthContext");
            ac.login();
        } catch (LoginException le) {
            le.printStackTrace();
            return null;
        }
        //System.out.println("TokenUtils......Creating the callbacks");
        try {
            Callback[] callbacks = null;
            // Get the information requested by the plug-ins
            if (ac.hasMoreRequirements()) {
                callbacks = ac.getRequirements();
                if (callbacks != null) {
                    addLoginCallbackMessage(callbacks, userId, password);
                    ac.submitRequirements(callbacks);
                    if (ac.getStatus() == AuthContext.Status.SUCCESS) {
                        System.out.println("Auth success");
                    } else if (ac.getStatus() == AuthContext.Status.FAILED) {
                        System.out.println("Authentication has FAILED");
                    } else {
                    }
                } else {
                }
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
        SSOTokenManager.getInstance().validateToken(ac.getSSOToken());
        //System.out.println(ac.getSSOToken().getPrincipal().getName());
        return ac.getSSOToken();
    }

    static void addLoginCallbackMessage(Callback[] callbacks, String userId,
            String password)
            throws UnsupportedCallbackException
    {
        int i = 0;
        try {
            for (i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    // prompt the user for a username
                    NameCallback nc = (NameCallback) callbacks[i];
                    nc.setName(userId);
                } else if (callbacks[i] instanceof PasswordCallback) {
                    // prompt the user for sensitive information
                    PasswordCallback pc = (PasswordCallback) callbacks[i];
                    pc.setPassword(password.toCharArray());
                } else {
                }
            }
        } catch (Exception e) {
            throw new UnsupportedCallbackException(callbacks[i],
                    "Callback exception: " + e);
        }
    }
}
And the login method:
private String login(String userId, String password) {
    SSOToken ssoToken = null;
    String ssoTokenId = null;
    try {
        ssoToken = TokenUtils.getSessionToken(DEFAULT_ORG, userId, password);
        ssoTokenId = ssoToken.getTokenID().toString();
        //System.out.println("TOKEN ID" +ssoTokenId);
    }catch (Exception e){
        e.printStackTrace();
    }
    return ssoTokenId;
}
# 14
I am configuring AM policy agent to protect WAS console.
In Chapter 4 Post-Installation Tasks of Policy Agent 2.2 for IBM WebSphere Application Server 6.0
http://docs.sun.com/app/docs/doc/819-5956/6n80l91a5?a=view
Questions
1. Under the section "To Verify Access to the IBM WebSphere Application Server 6.0 Administration Console" Step 2 says "Run Agent for IBM WebSphere Application Server 6.0 in message mode." Does anyone know how to do that?
2. To grant users a role, the doc says I should run agentadmin and add manager role using something like "id=manager,ou=role,dc=iplanet,dc=com"
I have added WebSphere roles (administrator, operator, configurator, monitor) to AM, added users to the roles, but I kept getting the error
"Authorization failed for wasadmin while invoking GET on admin_host:/ibm/console/, Authorization failed, Not granted any of the required roles: administrator operator configurator monitor"
Does anyone have an idea what's going on?
lrejua at 2007-7-12 10:14:10 >

# 15
No idea about others' problems here, but I've solved mine. If I take amclientsdk.jar from ver.7 and servlet.jar from Tomcat 5.5 (this is the difference with old builds) it works, with the properties specified by Aaron_Anderson. Thanks a lot Aaron!