Part III Reference: Summaries of Server and Component Configurations
Appendix A Directory Servers
Table A–1 Directory Server 1 Configuration

Host
  Computer system that hosts the Directory Server.
  Host Name: DirectoryServer-1.example.com

Directory Server Administration Instance
  Administration server that manages Directory Server and all its instances.
  Port Number: 1391
  Service URL: http://DirectoryServer-1.example.com:1391
  Instance Directory: /var/opt/mps/serverroot/admin-serv

Directory Server Configuration Instance
  Instance that stores Directory Server configuration data.
  Instance Name: ds-config
  Port Number: 1390
  Service URL: http://DirectoryServer-1.example.com:1390
  Base Suffix: dc=example,dc=com
  Super User: cn=Directory Manager
  Super User Password: d1rm4n4ger
  Administrative User: admin
  Administrative User Password: d1r4dmin
  Instance Directory: /var/opt/mps/serverroot/slapd-ds-config

Access Manager Configuration Instance
  Stores Access Manager configuration data.
  Instance Name: am-config
  Port Number: 1389
  Service URL:
  Base Suffix: o=example.com
  Replication Manager: cn=replication manager,cn=replication,cn=config
  Replication Manager Password: replm4n4ger
  Instance Directory: /var/opt/mps/serverroot/slapd-am-config

User Data Store
  Stores Access Manager user data. In this deployment example, the user data store is located on the same computer system as the Access Manager configuration data store. The user data store could also be installed on a different computer system.
  Instance Name: am-users
  Port Number: 1489
  Service URL: http://DirectoryServer-1.example.com:1489
  Base Suffix: dc=company,dc=com
  Users Suffix: ou=users,dc=company,dc=com
  Replication Manager: cn=replication manager,cn=replication,cn=config
  Replication Manager Password: replm4n4ger
  Instance Directory: /var/opt/mps/serverroot/slapd-am-users

Table A–2 Directory Server 2 Configuration

Host
  Computer system that hosts the Directory Server.
  Host Name: DirectoryServer-2.example.com

Directory Server Administration Instance
  Administration server that manages Directory Server and all its instances.
  Port Number: 1391
  Service URL: http://DirectoryServer-2.example.com:1391
  Instance Directory: /var/opt/mps/serverroot/admin-serv

Directory Server Configuration Instance
  Instance that stores Directory Server configuration data.
  Instance Name: ds-config
  Port Number: 1390
  Service URL: http://DirectoryServer-2.example.com:1390
  Base Suffix: dc=example,dc=com
  Super User: cn=Directory Manager
  Super User Password: d1rm4n4ger
  Administrative User: admin
  Administrative User Password: d1r4dmin
  Instance Directory: /var/opt/mps/serverroot/slapd-ds-config

Access Manager Configuration Instance
  Stores Access Manager configuration data.
  Instance Name: am-config
  Port Number: 1389
  Service URL:
  Base Suffix: o=example.com
  Replication Manager: cn=replication manager,cn=replication,cn=config
  Replication Manager Password: replm4n4ger
  Instance Directory: /var/opt/mps/serverroot/slapd-am-config

User Data Store
  Stores Access Manager user data. In this deployment example, the user data store is located on the same computer system as the Access Manager configuration data store. The user data store could also be installed on a different computer system.
  Instance Name: am-users
  Port Number: 1489
  Service URL: http://DirectoryServer-2.example.com:1489
  Base Suffix: dc=company,dc=com
  Users Suffix: ou=users,dc=company,dc=com
  Replication Manager: cn=replication manager,cn=replication,cn=config
  Replication Manager Password: replm4n4ger
  Instance Directory: /var/opt/mps/serverroot/slapd-am-users

Table A–3 User Data Store Accounts

userdbadmin
  Used by the Access Manager servers to connect to the user data store for data management purposes.
  Password: 4serd84dmin
  DN: uid=userdbadmin,ou=users,dc=company,dc=com

userdbauthadmin
  Used by the Access Manager servers to authenticate users to the user data store.
  Password: 4serd84uth4dmin
  DN: uid=userdbauthadmin,ou=users,dc=company,dc=com

testuser1
  Used to verify that the policy agents work properly.
  Password: password
  DN: uid=testuser1,ou=users,dc=company,dc=com

testuser2
  Used to verify that the policy agents work properly.
  Password: password
  DN: uid=testuser2,ou=users,dc=company,dc=com

Appendix B Access Manager Servers
Table B–1 Access Manager 1 Configuration

Host
  Computer system that hosts the Access Manager server.
  Host Name: AccessManager-1.example.com

Web Server Administration
  Manages the entire Web Server and all its instances.
  Instance Name: admserv
  Port Number: 8888
  Service URL: http://AccessManager-1.example.com:8888
  Administrative User: admin
  Administrative User Password: web4dmin
  Instance Directory: /opt/SUNWwbsvr/https-admserv

Access Manager Web Server
  Contains the Access Manager applications.
  Instance Name: AccessManager-1.example.com
  Port Number: 1080
  Service URL: http://AccessManager-1.example.com:1080
  Administrative User: amadmin
  Administrative User Password: 4m4dmin1
  amLDAP User: amldapuser
  amLDAP User Password: 4mld4puser
  Instance Directory: /opt/SUNWwbsvr/https-AccessManager-1.example.com

Table B–2 Access Manager 2 Configuration

Host
  Computer system that hosts the Access Manager server.
  Host Name: AccessManager-2.example.com

Web Server Administration
  Manages the entire Web Server and all its instances.
  Instance Name: admserv
  Port Number: 8888
  Service URL: http://AccessManager-2.example.com:8888
  Administrative User: admin
  Administrative User Password: web4dmin
  Instance Directory: /opt/SUNWwbsvr/https-admserv

Access Manager Web Server
  Contains the Access Manager applications.
  Instance Name: AccessManager-2.example.com
  Port Number: 1080
  Service URL: http://AccessManager-2.example.com:1080
  Administrative User: amadmin
  Administrative User Password: 4m4dmin1
  amLDAP User: amldapuser
  amLDAP User Password: 4mld4puser
  Instance Directory: /opt/SUNWwbsvr/https-AccessManager-1.example.com

Appendix C Distributed Authentication UI Servers
Table C–1 Distributed Authentication UI 1 Configuration

Host
  Computer system that hosts the Access Manager server.
  Host Name: AuthenticationUI-1.example.com

Web Server Administration
  Manages the entire Web Server and all its instances.
  Instance Name: admserv
  Port Number: 8888
  Service URL: http://AuthenticationUI-1.example.com:8888
  Administrative User: admin
  Administrative User Password: web4dmin
  Instance Directory: /opt/SUNWwbsvr/https-admserv

Distributed Authentication UI Server
  Contains the Distributed Authentication UI module.
  Instance Name: AuthenticationUI-1.example.com
  Port Number: 1080
  Service URL: http://AuthenticationUI-1.example.com:1080
  Instance Directory: /opt/SUNWwbsvr/https-AuthenticationUI-1.example.com

User Profile
  Administrative User: authuiadmin
  Administrative User Password: 4uthu14dmin

Table C–2 Distributed Authentication UI 2 Configuration

Host
  Computer system that hosts the Access Manager server.
  Host Name: AuthenticationUI-2.example.com

Web Server Administration
  Manages the entire Web Server and all its instances.
  Instance Name: admserv
  Port Number: 8888
  Service URL: http://AuthenticationUI-2.example.com:8888
  Administrative User: admin
  Administrative User Password: web4dmin
  Instance Directory: /opt/SUNWwbsvr/https-admserv

Distributed Authentication UI Server
  Contains the Distributed Authentication UI module.
  Instance Name: AuthenticationUI-2.example.com
  Port Number: 1080
  Service URL: http://AuthenticationUI-2.example.com:1080
  Instance Directory: /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com

User Profile
  Administrative User: authuiadmin
  Administrative User Password: 4uthu14dmin

Appendix D Sun Java System Web Servers and Web Policy Agents
Table D–1 Protected Resource 1 Web Server and Web Policy Agent 1 Configurations

Host
  Computer system that hosts Web Server 1.
  Host Name: ProtectedResource-1.example.com

Web Server Administration Server
  Manages the entire Web Server and all its instances.
  Instance Name: admserv
  Port Number: 8888
  Administrative User: admin
  Administrative User Password: web4dmin
  Instance Directory: /opt/SUNWwbsvr/https-admserv

Web Policy Agent Instance
  Server instance that contains the web server and web policy agent.
  Instance Name: ProtectedResource-1.example.com
  Port Number: 1080
  Instance Directory: /opt/SUNWwbsvr/https-ProtectedResource-1.example.com

Web Agent Profile
  Administrative User: webagent-1
  Administrative User Password: web4gent1

Table D–2 Protected Resource 2 Web Server and Web Policy Agent 2 Configurations

Host
  Computer system that hosts Web Server 2.
  Host Name: ProtectedResource-2.example.com

Web Server Administration Server
  Manages the entire Web Server and all its instances.
  Instance Name: admserv
  Port Number: 8888
  Administrative User: admin
  Administrative User Password: web4dmin
  Instance Directory: /opt/SUNWwbsvr/https-admserv

Web Policy Agent Instance
  Server instance that contains the web server and web policy agent.
  Instance Name: ProtectedResource-2.example.com
  Port Number: 1080
  Instance Directory: /opt/SUNWwbsvr/https-ProtectedResource-2.example.com

Web Agent Profile
  Administrative User: admin
  Administrative User Password: web4dmin

Appendix E WebLogic Application Servers and J2EE Policy Agents
Table E–1 Protected Resource 1 Application Server and J2EE Policy Agent 1 Configurations

Host
  Computer system that hosts Application Server 1.
  Host Name: ProtectedResource-1.example.com

WebLogic Administration Server
  Manages the entire Application Server and all its instances.
  Instance Name: AdminServer
  Port Number: 7001
  Administrative User: weblogic
  Administrative User Password: w3bl0g1c
  Instance Directory: /usr/local/bea/user_projects/domains/ProtectedResource-1/servers/AdminServer

WebLogic Domain
  Stores configuration information for this Application Server instance.
  Instance Name: ProtectedResource-1
  Instance Directory: /usr/local/bea/user_projects/domains/ProtectedResource-1

J2EE Policy Agent Instance
  Server instance that contains the Application Server and J2EE policy agent.
  Instance Name: ApplicationServer-1
  Port Number: 1081
  Instance Directory: /usr/local/bea/user_projects/domains/ProtectedResource-1/servers/ApplicationServer-1

J2EE Policy Agent Profile
  Administrative User: j2eeagent-1
  Administrative User Password: j2ee4gent1

Table E–2 Protected Resource 2 Application Server and J2EE Policy Agent 2 Configurations

Host
  Computer system that hosts Application Server 2.
  Host Name: ProtectedResource-2.example.com

WebLogic Administration Server
  Manages the entire Application Server and all its instances.
  Instance Name: AdminServer
  Port Number: 7001
  Administrative User: weblogic
  Administrative User Password: w3bl0g1c
  Instance Directory: /usr/local/bea/user_projects/domains/ProtectedResource-2/servers/AdminServer

WebLogic Domain
  Stores configuration information for this Application Server instance.
  Instance Name: ProtectedResource-2
  Instance Directory: /usr/local/bea/user_projects/domains/ProtectedResource-2

J2EE Policy Agent Instance
  Server instance that contains the Application Server and J2EE policy agent.
  Instance Name: ApplicationServer-2
  Port Number: 1081
  Instance Directory: /usr/local/bea/user_projects/domains/ProtectedResource-2/servers/ApplicationServer-2

J2EE Policy Agent Profile
  Administrative User: j2eeagent-2
  Administrative User Password: j2ee4gent2

Appendix F Load Balancers
Table F–1 Load Balancer Configurations

Host
  Computer system that hosts all virtual servers in this deployment example.
  Host Name: is-f5.example.com

Load Balancer 1 (Access Manager Configuration Stores)
  Virtual Service Address for the Access Manager configuration store. Configured for cookie and IP-based stickiness and TCP (HTTP and LDAP) load balancing.
  Instance Name: LoadBalancer-1
  Port Number: 389
  Pool Name: AccessManager-Pool
  Virtual Server and Port Number: LoadBalancer-1.example.com:389
  Monitor: ldap-tcp

Load Balancer 2 (Directory Server User Data Stores)
  Virtual Service Address for the User Data store.
  Instance Name: LoadBalancer-2
  Port Number: 489
  Pool Name: DirectoryServer-UserData-Pool
  Virtual Server and Port Number: LoadBalancer-2.example.com:489
  Monitor: ldap-tcp

Load Balancer 3 (Access Manager Servers)
  Virtual Service Address for the Access Manager Web Server instances. SSL is terminated at this load balancer before the request is forwarded to the Access Manager servers. This load balancer is the single point of failure for Access Manager and can be considered a limitation of this deployment example. Configured for cookie and IP-based stickiness and TCP (HTTP and LDAP) load balancing. External users access port 9443, while internal users access port 90.
  Instance Name: LoadBalancer-3
  Port Number: 90 and 9443
  Pool Name: AccessManager-Pool
  Virtual Server and Port Number: LoadBalancer-3.example.com:90
  Monitor: AccessManager-http

Load Balancer 4 (Distributed Authentication UI Servers)
  Virtual Service Address for the Distributed Authentication UI web server instances. SSL is terminated at this load balancer before the request is forwarded to the Distributed Authentication UI servers. Configured for cookie and IP-based stickiness and TCP (HTTP and LDAP) load balancing.
  Instance Name: LoadBalancer-4
  Port Number: 90 and 9443
  Pool Name: AuthenticationUI-Pool
  Virtual Server and Port Number: LoadBalancer-4.example.com:90
  Monitor: http-monitor

Load Balancer 5 (Web Policy Agents)
  Virtual Service Address for Web Policy Agents. Configured for cookie and IP-based stickiness and TCP (HTTP and LDAP) load balancing.
  Instance Name: LoadBalancer-5
  Port Number: 90
  Pool Name: WebAgent-Pool
  Virtual Server and Port Number: LoadBalancer-5.example.com:90
  Monitor: WebAgent-http

Load Balancer 6 (J2EE Policy Agents)
  Virtual Service Address for J2EE Policy Agents. Configured for cookie and IP-based stickiness and TCP (HTTP and LDAP) load balancing.
  Instance Name: LoadBalancer-6
  Port Number: 91
  Pool Name: J2EEAgent-Pool
  Virtual Server and Port Number: LoadBalancer-6.example.com:91
  Monitor: tcp

Appendix G Message Queue Servers
Table G–1 Message Queue 1 Configuration

Host
  Computer system that hosts the Message Queue server.
  Host Name: MessageQueue-1.example.com

Message Queue 1
  Serves as a communications broker that enables Access Manager to communicate data with the session store.
  Instance Name: msgqbroker
  Port Number: 7777
  Administrative User: msgquser
  Administrative User Password: m5gqu5er
  Instance Directory: /opt/SUNWam

Table G–2 Message Queue 2 Configuration

Host
  Computer system that hosts the Message Queue server.
  Host Name: MessageQueue-2.example.com

Message Queue 2
  Serves as a communications broker that enables Access Manager to communicate data with the session store.
  Instance Name: msgqbroker
  Port Number: 7777
  Administrative User: msgquser
  Administrative User Password: m5gqu5er
  Instance Directory: /opt/SUNWam

Appendix H Known Issues and Limitations
The information in this appendix will be updated as more information
becomes available.
Table H–1 Known Issues and Limitations

6490164
  Installing Access Manager with upper case results in a "No Such Organization" error.
  If you install Access Manager with the server host name and domain name in mixed-case letters, you may not be able to access the Access Manager console. A "No Such Organization" or "No Such Domain" message is displayed.
  Workaround: Log in to the Access Manager console using the fully qualified DN of the amadmin user, such as uid=amAdmin,ou=People,o=example.com, then add your fully qualified server name in all-lowercase letters to the Realm/DNS Alias list of the top-level realm. Click the top-level realm to see the realm properties, and you will see the list of Realm/DNS Aliases.

6477741
  Exception is thrown when you run the agentadmin utility.
  The following exception is thrown when you run the agentadmin utility from the J2EE Policy Agent 2.2 server (Hotpatch 3 for BEA Appserver 9.1):
    # ./agentadmin --getUuid amadmin user example.com
    Failed to create debug directory
    Failed to create debug directory
    Failed to create debug directory
    Failed to create debug directory
    Failed to create debug directory

6476271
  BEA servers do not start up when the startup script is not configured properly.
  The BEA administration server and managed server will not start up if the startup script is not configured properly. When using J2EE Policy Agent 2.2 (Hotpatch 3) on BEA Application Server 9.1, you must append the following line to the end of the setDomainEnv.sh file:
    . /usr/local/bea/user_projects/domains/mydomain/setAgentEnv_server1.sh
  The setDomainEnv.sh file contains the call to commEnv.sh.

6472662
  When SSL terminates at the Access Manager load balancer, the console application changes protocol from HTTPS to HTTP.
  When you try to access the Access Manager load balancer with a URL such as https://loadbalancerURL:port/amserver/console, you cannot access the login page because the console application changes the protocol from HTTPS to HTTP.
  Workaround: When you access the Access Manager load balancer, manually modify the URL to the following: https://loadbalancerURL:port/amserver/UI/Login.

6482952
  J2EE policy agent redirects to the context root in the goto URL.
  The problem occurs when testing the sample application for the J2EE Policy Agent 2.2 for BEA WebLogic 9.1 Application Server. If you access a URL such as http://agentLoadBalancerURL:port/agentsample/protectedservlet, you are redirected to the Access Manager login page, but the goto part of the URL contains only this: =http%3A%2F%2FagentLoadBalancerURL%3Aport%2Fagentsample. The result is that after successful authentication, you are redirected to the index page of the application, and not to the page that you had requested.
  Workaround: There is no workaround at this time.

6363157
  Performance is impacted due to unnecessary persistent searches.
  The problem can occur, for example, when Access Manager uses LDAP roles. Persistent search is not necessary in this case, and one should be able to disable persistent searches without introducing additional risks to the system.
  Workaround: There is no workaround at this time.

6489403
  Login to a sub-realm fails when using the Distributed Authentication UI.
  The problem occurs when you attempt to access a sub-realm using a URL such as the following:
    http://AuthenticationUIserver:1080/distAuth/UI/Login?realm=users&goto=http://hostName.domainName.com:1080
  Instead of a login page, the following message is displayed: "No such Organization found."
  Workaround: There is no workaround at this time.

6467562
  Filtered role name is missing ou=services in the container JAAS Subject.
  When trying to use declarative security with J2EE agents, for any user in a sub-realm the role membership is not populated properly within the container JAAS Subject. It is missing ou=services in the jaas_subject role names. There is a mismatch between the role name returned from the Access Manager server and what is seen in the JAAS Subject.
  Workaround: In the AMAgent.properties file, remove the ou=services part in the mapping key com.sun.identity.agents.config.privileged.attribute.mapping. For example, change this:
    com.sun.identity.agents.config.privileged.attribute.mapping[id\=manager,ou\=role,o\=users,ou\=services,o\=example.com] = am_manager_role
  to
    com.sun.identity.agents.config.privileged.attribute.mapping[id\=manager,ou\=role,o\=users,o\=example.com] = am_manager_role

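
The 6467562 workaround above is a hand edit to every privileged attribute mapping key. As an added example (not from the Sun documentation or the agent), the following Python applies it to AMAgent.properties text: it splits each line into key and value on the first unescaped '=' or ':' (the role DN inside the brackets uses escaped `\=`), drops only the ou=services RDN, and passes every other line through unchanged. The sample fragment is constructed.

```python
import re

# Mapping key named in the 6467562 workaround on this page.
MAPPING_KEY = "com.sun.identity.agents.config.privileged.attribute.mapping"
_MAPPING_RE = re.compile(r"^" + re.escape(MAPPING_KEY) + r"\[(.*)\]$")

def split_property(line: str):
    """Split a .properties line into (key, value) on the first unescaped
    '=' or ':'; returns None for blank lines and comments."""
    stripped = line.strip()
    if not stripped or stripped[0] in "#!":
        return None
    escaped = False
    for i, ch in enumerate(stripped):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True          # next char (e.g. '=') is part of the key
        elif ch in "=:":
            return stripped[:i].strip(), stripped[i + 1:].strip()
    return stripped, ""

def unescape(text: str) -> str:
    """Undo .properties backslash escaping so RDNs can be compared."""
    return re.sub(r"\\(.)", r"\1", text)

def drop_services_rdn(escaped_dn: str):
    """Return (new_escaped_dn, removed): the DN with every ou=services RDN
    removed (compared case-insensitively after unescaping), other RDNs verbatim."""
    kept, removed = [], False
    for rdn in escaped_dn.split(","):
        if unescape(rdn).strip().lower() == "ou=services":
            removed = True
        else:
            kept.append(rdn)
    return ",".join(kept), removed

def fix_privileged_mapping(properties_text: str) -> str:
    """Rewrite only privileged attribute mapping keys whose role DN contains
    ou=services; comments, other keys and clean mappings are left untouched."""
    out = []
    for line in properties_text.splitlines():
        kv = split_property(line)
        match = _MAPPING_RE.match(kv[0]) if kv else None
        if not match:
            out.append(line)
            continue
        new_dn, removed = drop_services_rdn(match.group(1))
        if not removed:
            out.append(line)
            continue
        out.append(f"{MAPPING_KEY}[{new_dn}] = {kv[1]}")
    return "\n".join(out) + "\n"

# Constructed sample fragment; the first role DN is the page's own example.
SAMPLE = """\
# constructed AMAgent.properties fragment (not a real file)
com.sun.identity.agents.config.privileged.attribute.mapping[id\\=manager,ou\\=role,o\\=users,ou\\=services,o\\=example.com] = am_manager_role
com.sun.identity.agents.config.privileged.attribute.mapping[id\\=employee,ou\\=role,o\\=example.com] = am_employee_role
com.sun.identity.agents.config.debug.level = error
"""

if __name__ == "__main__":
    print(fix_privileged_mapping(SAMPLE), end="")
```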