Tuesday, October 16, 2007

eTrust SiteMinder - Active Response

Normally we use SiteMinder-generated attributes (such as SM_USER, SM_USERDN, ...) as Response attributes. Sometimes, however, an application needs customized values in its Response. Active Response (also called Custom Response) answers this requirement.


Active Response is based on the SiteMinder Authorization API: the response value is returned by a custom class. Active Responses can be written in C, Java or Perl. This article shows how to write an Active Response in Java that parses the Impersonator's CN value out of the DN.



Necessity of Active Response:

Consider CSR Impersonation. It involves two kinds of users, Impersonators and Impersonatees. An Impersonator performs tasks on behalf of an Impersonatee. For auditing, if we want to track which task was done by whom, the simplest solution is to capture each user's CN value and store or use it in the application as required. So throughout the application we need to pass both the Impersonator's and the Impersonatee's CN value as a Response.


If we specify the response attribute as CN=<%userattr="cn"%>, it carries the Impersonator's CN value only after the Impersonator authenticates and before the Impersonation starts. On successful Impersonation, the Impersonatee's CN value replaces the Impersonator's CN value in the SiteMinder Response. We want both the Impersonator's and the Impersonatee's CN value in the SiteMinder Response.


To overcome this, we write an Active Response in Java that parses the Impersonator's CN value from the DN value and puts that CN value into the SiteMinder Response.



Java Code to Parse the CN value from the DN:



There is a response attribute called SM_USERIMPERSONATORNAME which returns the Impersonator's DN value as a SiteMinder Response.


The following Java class parses the Impersonator's CN value from the SiteMinder default attribute SM_USERIMPERSONATORNAME.


```java
// package matches the class name given in the response attribute's Parameters field
package com.sample.ActiveResponse;

import com.netegrity.policyserver.smapi.APIContext;
import com.netegrity.policyserver.smapi.ActiveExpression;
import com.netegrity.policyserver.smapi.ActiveExpressionContext;
import com.netegrity.policyserver.smapi.UserContext;

public class ParseCNFromImpersonatorDN implements ActiveExpression
{
    public int init(APIContext context) throws Exception
    {
        // This example needs no initialization so just return "success"
        return 0;
    }

    public String invoke(ActiveExpressionContext context, String param) throws Exception
    {
        int indexOfChar = -1;

        if (context == null)
        {
            // should never happen
            throw new IllegalArgumentException("ActiveResponseSample invoked without context");
        }

        // the User Context is required to use methods like getProp and setProp.
        UserContext theUserContext = context.getUserContext();

        if (theUserContext == null)
        {
            //context.setErrorText("No User Context.");
            return null;
        }

        // SM_USERIMPERSONATORNAME holds the Impersonator's DN, e.g. "cn=jsmith,ou=csr,o=example"
        String csrdn = theUserContext.getProp("SM_USERIMPERSONATORNAME");

        // test for null first so that equals() is never called on a null reference
        if (csrdn == null || "".equals(csrdn))
        {
            return null;
        }

        // the CN value lies between the first "=" and the following ","
        indexOfChar = csrdn.indexOf("=");

        if (-1 == indexOfChar)
        {
            //context.setErrorText("Param is not Impersonator DN " + csrdn);
            return null;
        }

        String csrUserName = csrdn.substring(indexOfChar + 1);

        indexOfChar = csrUserName.indexOf(",");

        if (-1 == indexOfChar)
        {
            //context.setErrorText("Param is not Impersonator DN " + csrUserName);
            return null;
        }

        csrUserName = csrUserName.substring(0, indexOfChar);

        return csrUserName;
    }

    // the access modifier is lower-case "public"; "Public" does not compile
    public int release(APIContext context) throws Exception
    {
        // This example needs no shutdown so just return "success"
        return 0;
    }
}
```
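The class above takes whatever sits between the first "=" and the first "," of the DN, so it returns the wrong value when the leading RDN is not cn (for example uid=jsmith,ou=csr,...) and truncates values that contain an escaped comma (cn=Smith\, John,...). The following utility is an added example, not code from the original post or from CA: it extracts a named RDN value from a DN following the RFC 4514 escaping rules (backslash-escaped characters, \XX hex pairs, and "+" separated multi-valued RDNs). The class name DnUtil and the sample DNs are constructed for illustration; the call extractRdnValue(dn, "cn") could replace the indexOf logic inside invoke().

```java
import java.util.ArrayList;
import java.util.List;

/** Added example: RFC 4514-aware extraction of one RDN value from a DN. */
public final class DnUtil {

    /** Split a DN into its RDN components on unescaped ',' and '+' characters. */
    static List<String> splitRdns(String dn) {
        List<String> parts = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean escaped = false;
        for (int i = 0; i < dn.length(); i++) {
            char c = dn.charAt(i);
            if (escaped) {
                cur.append('\\').append(c);   // keep the escape; unescape() removes it later
                escaped = false;
            } else if (c == '\\') {
                escaped = true;
            } else if (c == ',' || c == '+') {
                parts.add(cur.toString());
                cur.setLength(0);
            } else {
                cur.append(c);
            }
        }
        parts.add(cur.toString());
        return parts;
    }

    /** Remove RFC 4514 escapes: "\," becomes "," and a hex pair such as "\2C" becomes ",". */
    static String unescape(String value) {
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '\\' && i + 1 < value.length()) {
                char n = value.charAt(i + 1);
                if (i + 2 < value.length() && isHex(n) && isHex(value.charAt(i + 2))) {
                    out.append((char) Integer.parseInt(value.substring(i + 1, i + 3), 16));
                    i += 2;
                } else {
                    out.append(n);
                    i += 1;
                }
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    private static boolean isHex(char c) {
        return Character.digit(c, 16) >= 0;
    }

    /** Value of the first RDN whose attribute type matches (case-insensitive), or null if absent. */
    public static String extractRdnValue(String dn, String type) {
        if (dn == null || dn.isEmpty()) {
            return null;
        }
        for (String rdn : splitRdns(dn)) {
            int eq = rdn.indexOf('=');
            if (eq < 0) {
                continue;   // not a "type=value" component; skip it
            }
            String rdnType = rdn.substring(0, eq).trim();
            if (rdnType.equalsIgnoreCase(type)) {
                return unescape(rdn.substring(eq + 1));
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample DNs, not values taken from a real directory.
        String[] samples = {
            "cn=jsmith,ou=csr,o=example",
            "CN=Smith\\, John,OU=CSR,O=Example",          // escaped comma inside the value
            "uid=jsmith+cn=John Smith,ou=csr,o=example",  // cn is not the leading RDN
            "ou=csr,o=example"                            // no cn at all
        };
        for (String dn : samples) {
            System.out.println(dn + "  ->  cn=" + extractRdnValue(dn, "cn"));
        }
    }
}
```

Running java DnUtil prints jsmith for the first DN, Smith, John for the escaped one, John Smith for the multi-valued RDN, and null for the DN without a cn; inside invoke() that null should be returned unchanged, as the page's code already does, so the response header is left empty rather than filled with a partial or misattributed value that would corrupt the audit trail.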


Steps to implement the Active Response in SiteMinder Policy Server:



1. Compile ParseCNFromImpersonatorDN.java and package the class into CNFromDN.jar.



2. Copy CNFromDN.jar into the following location on your SiteMinder server:
:\apps\netegrity\siteminder\bin\jars


3. Add the location of CNFromDN.jar to the JVMOptions.txt file as follows:
:/apps/netegrity/siteminder/bin/jars/CNFromDN.jar;


4. Add the CSRCN attribute to your SiteMinder Response.
Create a new Response attribute as follows (either HTTP Header or Cookie):
Attribute: WebAgent-HTTP-Header-Variable

Attribute Setup:

Attribute Kind: Active Response

Variable Name: CSRCN

Library Name: smjavaapi

Function Name: JavaActiveExpression

Parameters: com.sample.ActiveResponse.ParseCNFromImpersonatorDN


5. Restart the SiteMinder Policy Server for the Active Response to take effect.


On successful implementation of this Active Response, your application receives both the Impersonator's and the Impersonatee's CN value in its response.



Abbreviation:
DN – Domain Name
CN – Common Name
CSR – Customer Service Representative

Reference:
http://www.ca.com/

Friday, August 3, 2007

CSR Impersonation - eTrust SiteMinder

Introduction :

eTrust SiteMinder supports Impersonation, where one authorized user can access what another user can access. With impersonation, a customer service representative (CSR), for example, can act on behalf of users to run tasks for them that they otherwise might not want to, or know how to, run themselves.

The CSR may need to log in to a customer's account in order to help with or solve a problem for the customer. Since a CSR cannot be in possession of the customer's password, SiteMinder provides a mechanism that allows a CSR to log in using the customer's username only. In this way the customer's credentials remain private to the customer.

eTrust SiteMinder ensures that impersonation is a secure operation: only entitled users can impersonate other users.

This feature facilitates the following:
1. Customer service representatives (CSRs) impersonate customers to investigate access problems.
2. Helpdesk representatives impersonate employees to investigate access problems.
3. Employees impersonate co-workers who are on vacation or out of the office.
4. Any other situation in which one user must temporarily assume the identity of another user.

Administrators set up impersonation as an eTrust SiteMinder rule in a policy. In this way, impersonation can be very finely controlled because policies can define exactly who can impersonate whom for which resources within a realm.

This article explains eTrust SiteMinder CSR Impersonation and the sequence for implementing it, which includes configuring the Authentication Scheme, Realms, Rules and Policies.

Pre-Requisites :
There are two independent applications; one for Impersonators (the Administrator Application) and another for Impersonatees (the End User Application). The Impersonation task/link is available in the Administrator Application.

The Administrator Application and the End User Application have already been deployed and are protected by their own Authentication schemes.

To impersonate an end user, the CSR logs into the Administrator Application with his own credentials. From there he navigates to the Impersonation task/link (/impersonation/start_imp.fcc) and reaches the Impersonatee's login page (start_imp.fcc), where he enters the Impersonatee's userid/login name in the text box provided. On successful Impersonation, control goes to the target.jsp page, which has a link to the End User Application; otherwise the respective customized error message is displayed.

Implementation :
Proxy Server / Web Agent Configurations:
1. Copy the impersonation & impersonationtarget folders into your web server's virtual host location and restart your web server.
  1. For Apache web server paste into Installed Location:\DocumentRoot\
  2. For IIS web server paste into Installed Location:\Inetpub\wwwroot\
File Details:
• The impersonation folder has the following two files, which are protected by your Administrator Application Auth scheme (or as per your requirement).

i. start_imp.fcc
This is the page where the CSR enters the Impersonatee's userid/login name to impersonate the user. On successful Impersonation, control goes to target.jsp, which has the link to the End User Application. Otherwise you can display a customized error message with the specific reason.

ii. end.html
It just displays a message such as "Impersonation session has ended" and has a link to the Admin application.

• The impersonationtarget folder has only one JSP, and it should be protected by the Impersonation Authentication scheme.
i. target.jsp
It has links to the End User Application and to end.html. If the CSR clicks on the End User Application URL, control goes to the End User Application directly without prompting for the user's credentials, and the CSR can act on behalf of the user to run tasks. If the CSR does not want to access the End User Application, he clicks on the end.html link, which takes him back to the Admin application.

SiteMinder configurations :
1. Under the "System" tab, modify your Agent Configuration Object as follows:
FCCCompatMode - yes
FCCExt - .fcc (if you want to use another file extension such as .sec instead of .fcc, specify it here)
IgnoreExt - specify your file extension here if you do not want SiteMinder policies applied to files with that extension.

2. Under the "System" tab, create a new authentication scheme with the following details:
Name: ImpAuthscheme
Description: Impersonation Authentication Scheme
Authentication Scheme Type: Impersonation Template
Authentication Level: 5 or as per your requirement

Scheme Setup
Web Server Name: your webserver name
Target: /impersonation/start_imp.fcc

3. Click on the Domains tab; under your End User Application domain, create the two new realms below.
1. /impersonation realm
Name: /impersonation
Agent: Your agent name
Resource Filter: /impersonation
Authentication Scheme: Your Administrator Application Auth scheme or as per your requirement

2. /impersonationtarget realm
Name: /impersonationtarget
Agent: Your agent name
Resource Filter: /impersonationtarget
Authentication Scheme: ImpAuthscheme

4. Under the /impersonation realm, create the getpostall, impStartRule and impStartUserRule rules as below.
• Name: getpostall
Resource: *
Web Agent Action: Get, Post
• Name: impStartRule
Resource: *
Action:
Impersonation events: ImpersonateStart
• Name: impStartUserRule
Resource: *
Action:
Impersonation events: ImpersonateStartUser

5. Under the /impersonationtarget realm, create the getpostall, impStartRule and impStartUserRule rules as below.
• Name: getpostall
Resource: *
Web Agent Action: Get, Post
• Name: impStartRule
Resource: *
Action:
Impersonation events: ImpersonateStart
• Name: impStartUserRule
Resource: *
Action:
Impersonation events: ImpersonateStartUser

6. Under your End User Application realm, create impStartRule and impStartUserRule as below.
• Name: impStartRule
Resource: *
Action:
Impersonation events: ImpersonateStart
• Name: impStartUserRule
Resource: *
Action:
Impersonation events: ImpersonateStartUser

Note: If you have more than one realm for your End User Application, create impStartRule and impStartUserRule under every realm that is part of your Impersonation track.

7. Create a policy ImpersonationGetPostAll. This policy applies to both Impersonators and Impersonatees. Modify this policy to include the following rule:
• getpostall (from /impersonation realm)

8. Create a policy ImpersonationStartImp. This policy applies to Impersonators only. Modify this policy to include the following rule:
• impStartRule (from /impersonation realm)

9. Create a policy ImpersonationStartUser. This policy applies to Impersonatees only. Modify this policy to include the following rule:
• impStartUserRule (from /impersonation realm)

10. Create a policy TargetAppGetPostAll. This policy applies to both Impersonators and Impersonatees. Modify this policy to include the following rule:
• getpostall (from /impersonationtarget realm)

11. Create a policy TargetAppStartImp. This policy applies to Impersonatees only. Modify this policy to include the following rules:
• impStartRule (from /impersonationtarget realm)
• impStartRule (from /impersonation realm)
• impStartRule (from your End User Application realm)
(If you have more than one End User Application realm, add the impStartRule from each of those realms to this policy.)

12. Create a policy TargetAppStartImpUser. This policy applies to Impersonatees only. Modify this policy to include the following rules:
• impStartUserRule (from /impersonationtarget realm)
• impStartUserRule (from /impersonation realm)
• impStartUserRule (from your End User Application realm)

(If you have more than one End User Application realm, add the impStartUserRule from each of those realms to this policy.)

Best practices:
Copying Impersonation-related files from a Windows host to a Unix system leaves ^M (Control-M) characters at the end of each line. Convert the Windows-format files to Unix format before copying them.

References :
http://www.ca.com/

Tuesday, June 12, 2007

SiteMinder - Forms Credential Collector (FCC)


The SiteMinder credential collector is an application within the Web Agent that gathers specific user credentials to authenticate a user. The credentials gathered depend on the type of authentication scheme configured for a particular group of protected resources. For forms-based authentication, credentials are collected by the Forms Credential Collector (FCC) process. The default extension for FCC files is (naturally enough) .fcc. FCC files are composed in a simple mark-up language that combines HTML with some custom notation. Such a file contains the custom form definition and the additional information the FCC uses to process HTML forms-based authentication; the FCC extracts the credentials that a user enters in the form generated from the FCC file. For example, the Web Agent is installed with a form called login.fcc, which we can customize and use for login purposes.

SiteMinder displays the contents of the .unauth file to users who exceed the maximum number of failed authentication attempts specified by the authentication scheme. One .unauth file should exist for each FCC file. For example, if you have a login.fcc file on a Web server, you should also have a login.unauth file in the same location. If a smerrorpage variable has been defined in the FCC file, the .unauth file is not required.

FCC attribute name/value pairs:

smenc - contains information that tells the browser which language encoding to use.
smlocale - the language used in the HTML forms that collect user information or display status messages.
username - the name to use as the login user name.
password - the password to use to perform the login.
target - the resource to access after login.
smauthreason - the reason code associated with a login failure.
smusrmsg - the text that describes why the user was challenged or failed to log in.
smagentname - the agent name used for logging the user in.
postpreservationdata - the data that a user submits through a POST request.
smerrorpage - the page to which the user's browser is redirected if there is an error on a POST to the custom form.
smretries - the maximum number of allowed failures when attempting to log in.

Wednesday, February 28, 2007

4 A's of Information Security

1. Authentication - Who are you?

  1. Validating the identity of a user.
  2. Authentication schemes provide the various ways of collecting credential information:
  • Password
  • Certificate
  • Biometrics
  3. Credentials are stored in ODBC data sources or LDAP servers.

2. Authorization - What can you do?

  1. Authorization based on:
  • User groups
  • User roles
  • IP address
  • Time

3. Administration - How do we manage all of this?

  1. The main admin task is adding new users to the enterprise so that they can access the various applications.
  2. One way of managing this is to delegate the work to the users in order to reduce the work of desktop services.

4. Audit - What has actually happened?

  1. Security Auditing
  • Logging of security-related activities of all users in the system and generating automated incident response.
  • Events like login, change password, self registration, access rights, access by users to any secured resource, etc.
  • All administrative events.
  • Critical business transactions.

Thursday, February 22, 2007

RETRIEVING DATA FROM LDAP SERVERS

INTRODUCTION

The LDAP class library is designed to provide powerful, yet simple, access to LDAP directory services. It defines both asynchronous and synchronous interfaces (explained later) to LDAP, with support for partial results on searching, to suit a wide variety of applications. Roughly speaking, an LDAP library session corresponds to a single connection to an LDAP directory server. The LDAP library hides most of the connection-related details.

The general sequence for retrieving the data is as follows:

STEP I : Initialize the library and obtain an LDAP session handle
STEP II : Initiate an LDAP operation, and wait for any result(s)
STEP III: Process the result(s)
STEP IV: Dispose of the LDAP session handle obtained in STEP I

SYNCHRONOUS VS ASYNCHRONOUS CONNECTIONS

The synchronous functions combine initiating a request and waiting for the server's response: a connection is established, a request is sent, the results are returned, and the application resumes. Although a search can deliver one result at a time, other operations block until they complete. Synchronous methods wait for response messages from the server and then process them.

Asynchronous methods require you to check for the messages and perform the processing in your own code. This allows you to make additional LDAP requests while waiting for results to return. The LDAP protocol is completely asynchronous in that multiple operations can be underway at the same time and the directory server can perform the operations and return results in any order. Each message passed in the protocol is tagged with a number called the "message ID" that is unique for a given session. This feature of LDAP supports complex applications that want to initiate several operations at once without opening multiple connections to the server.

APIs FOR RETRIEVING THE DATA

I JNDI API:
The Java Naming and Directory Interface (JNDI) allows Java applications to use a single set of methods to access multiple naming and directory services such as LDAP. JNDI is a Java API that provides a common way for programmers to access a variety of naming and directory services.

JNDI operates through a layer of software called a Service Provider. The Service Provider implements the JNDI operations in terms of a particular underlying protocol. JNDI’s Service Provider Interface (SPI) allows you to select Service Providers (Example: Netscape’s LDAP service provider) at runtime. In many cases you can use the same JNDI methods regardless of whether the Service Provider is talking to an LDAP server or using another protocol.

ARCHITECTURE: The JNDI architecture consists of the JNDI API and the JNDI SPI. The JNDI API allows Java applications to access a variety of naming and directory services. The JNDI SPI is designed to be used by arbitrary service providers, including directory service providers. This enables a variety of directory and naming services to be plugged in transparently beneath the Java application (which uses only the JNDI API). The figure shows the JNDI architecture and includes a few service providers of directory and naming contexts as examples.



INTERFACE:

The JNDI API is contained in four packages:
• javax.naming contains classes and interfaces for accessing naming services
• javax.naming.directory extends the core javax.naming package to provide access to directories
• javax.naming.event contains classes and interfaces for supporting event notification in naming and directory services
• javax.naming.ldap contains classes and interfaces for supporting LDAP v3 extensions and controls

The JNDI SPI (service provider interface) is contained in one package:
• javax.naming.spi contains classes and interfaces that allow various naming and directory service providers to be dynamically plugged in beneath the JNDI API

The idea is that each package contains the interfaces and classes required for a particular category of applications. For example, an application that just wants to perform name-lookups only needs to use the javax.naming package. An application that wants to examine/modify attributes associated with an object uses the javax.naming and javax.naming.directory packages. An application that needs to use LDAP-specific controls or extended operations uses the javax.naming.ldap package.
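As an added example, not code from the original article, the following Java class walks the four steps of the general sequence (obtain a handle, initiate the operation, process the results, dispose of the handle) with JNDI's synchronous interface, using only javax.naming and javax.naming.directory. The server URL, bind DN, base DN and the class name JndiUidLookup are placeholders, and reading the bind password from an LDAP_BIND_PASSWORD environment variable is an assumption of this example. It uses the {0} filter-argument form of DirContext.search so that JNDI escapes the user-supplied uid and the value cannot change the structure of the filter.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Added example: look up a user's cn by uid with JNDI, following the four-step sequence. */
public class JndiUidLookup {

    /** STEP I: initialize and obtain a session handle (a DirContext bound as the given DN). */
    static DirContext connect(String url, String bindDn, String bindPassword) throws NamingException {
        if (bindPassword == null || bindPassword.isEmpty()) {
            // an empty password would turn a simple bind into an anonymous bind; refuse it
            throw new IllegalStateException("bind password is not set");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);
        return new InitialDirContext(env);
    }

    /** STEP II and III: run a synchronous search and return the cn of the matching entry, or null. */
    static String lookupCn(DirContext ctx, String baseDn, String uid) throws NamingException {
        SearchControls controls = new SearchControls();
        controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
        controls.setReturningAttributes(new String[] {"cn"});   // ask only for what we need
        controls.setCountLimit(1);

        // {0} is replaced by JNDI with the escaped uid, so the caller's input
        // cannot inject extra filter components such as "*)(objectClass=*".
        NamingEnumeration<SearchResult> results =
                ctx.search(baseDn, "(uid={0})", new Object[] {uid}, controls);
        try {
            if (!results.hasMore()) {
                return null;
            }
            SearchResult entry = results.next();
            Attributes attrs = entry.getAttributes();
            Attribute cn = attrs.get("cn");
            return cn == null ? null : (String) cn.get();
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) throws NamingException {
        // Placeholder connection details; replace them with your directory's values.
        DirContext ctx = connect("ldap://ldap.example.invalid:389",
                                 "cn=reader,o=example",
                                 System.getenv("LDAP_BIND_PASSWORD"));
        try {
            String uid = args.length > 0 ? args[0] : "jsmith";
            System.out.println("cn = " + lookupCn(ctx, "o=example", uid));
        } finally {
            ctx.close();   // STEP IV: dispose of the session handle
        }
    }
}
```

The bind identity here is a read-only service account rather than an anonymous bind, matching the point made later in the article that servers generally withhold sensitive attributes from unauthenticated sessions; the same four steps map onto ldap_init( ), ldap_search( ), ldap_first_entry( )/ldap_get_values( ) and ldap_unbind( ) in the C API.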


II LDAP API

The LDAP programmer's API includes more than 50 distinct functions. One way to categorize the LDAP API is to separate the functions that initiate LDAP protocol operations and receive results over the network from those that do other things.

STEP I: Initialize the Library and obtain A Session Handle:

The LDAP session handle is of type LDAP * and is the first parameter passed to nearly all of the LDAP API functions. Every application that accesses an LDAP directory server needs to call one of two initialization functions:
• ldap_init( ): Initializes the LDAP library and returns a session handle for use in subsequent calls.
• ldap_open( ): Initializes the LDAP library, connects to a directory server and returns a session handle for use in subsequent calls.

These functions return an LDAP session handle, which must be passed as the first argument to most of the other LDAP API calls. ldap_init( ) does not actually open a network connection to the server; the LDAP library does that when the first call is made that needs to communicate with the server. It only allocates a data structure called the LDAP session handle and returns a pointer to it to the caller. Even though ldap_open( ) is sometimes used, the preferred way to obtain an LDAP session handle is ldap_init( ).

STEP II: Initiate an LDAP Operation and Wait for Results:

This is where the network action occurs. One of the core LDAP functions is called to send an LDAP request to the directory server.
• ldap_search( ): Searches the directory entries
• ldap_compare( ): Checks whether an entry contains a given attribute value
• ldap_bind( ): Authenticates to a directory server
• ldap_modify( ): Makes changes to an existing directory entry
• ldap_add( ): Adds a new directory entry
• ldap_delete( ): Deletes an existing directory entry
• ldap_modrdn( ): Renames an existing directory entry
• ldap_result( ): Retrieves the result(s) of one of the previous operations

The result includes a result code (typically, ldap_success, if all went well) and may include other error-related information. For an LDAP search operation, one or more entries may also be returned by the server before the LDAP result. This process of initiating the LDAP operation and receiving entries and the result may be done synchronously (in which case a single LDAP API function is called) or it may be done asynchronously (in which case several simple functions are called).
Most directory servers will allow searching of non-confidential information when you are bound as the anonymous user, but they will probably disallow access to sensitive information and will almost certainly not allow changes to be made to directory information unless you identify yourself.

STEP III: Process the Result(s):

This is where the application makes use of the data that was returned. For all operations except search, there is probably very little work to do. Depending on the purpose of the ldap_search( ) call, further functions need to be called:
• ldap_get_values( ): to obtain attribute values from the entry
• ldap_first_entry( ): to obtain the first entry
• ldap_next_entry( ): to step through the entries
• ldap_get_dn( ): to retrieve the name of each entry

Once the results are obtained back from a search, the API allows to parse the results and extract particular pieces of information from each entry returned, including the entry’s name and associated attributes and values.

STEP IV: Dispose of the LDAP Session Handle:

This is done when you are completely finished with an LDAP session.
• ldap_unbind( ): Terminates an LDAP session

It is an error to reference an LDAP session handle after it has been disposed of.


CONCLUSION:

Directories have a bright future on the Internet, and LDAP promises to make life easier for both users and application developers. From a central place to store and find information about yourself and other users, to a general configuration, preference, and management store for enterprise-wide administration, LDAP clearly has the potential to deliver on the promise of a distributed computing environment.

Of course, integration with applications is the key to unlocking this potential. It is relatively easy to write applications that search and retrieve data from LDAP, using either the JNDI API or the LDAP API. While the JNDI API can access naming and directory services other than LDAP, the functions in the LDAP API are specifically meant for accessing an LDAP Directory Server.

Wednesday, February 21, 2007

Sun One Identity Management framework


Sun Microsystems provides a number of products which interact with each other to form an identity management solution for the enterprise. The products used to implement it are:

• Sun One Identity Server
• Sun One Directory Server
• Sun One Directory Proxy Server
• Sun One Meta Directory

Of these, the first two are the required components for implementing an identity management solution with all the important features: user identity administration, LDAP data repository, access management, etc.
Each of these is briefly discussed below.

1. Sun One Identity Server:
Formerly known as iPlanet Directory Server Access Management Edition, this product helps an organization manage secure access to web-based resources. Its access management enables web SSO (Single Sign-On), identity administration and directory services. It simplifies the creation and administration of identities and the management and enforcement of authentication and policies for accessing web-based applications and services. The identity management console included with the product provides the features mentioned above along with user self-service for account management. The same console can also be used to administer roles and policies, helping the enterprise to secure and protect its assets and to provide web-based services from the Internet.

2. Sun One Directory Server:

Formerly known as iPlanet Directory Server, it provides storage and management of identity profiles, access privileges, and application and network resource information. The framework uses the information stored in the directory server to authenticate and authorize users and provide access to the secured resources and applications.
The directory server comes with an administration console which simplifies the management of the data stored in the LDAP directory.

3. Sun One Directory Proxy Server:
The Sun One Directory Proxy Server, formerly known as iPlanet Directory Access Router, provides firewall-like services for directory server access control, query filtering and query routing. It works with the directory server to protect against directory "denial of service" attacks and keep the directory services available at all times. It automatically routes client requests to the appropriate directory server through a referral mechanism. It also provides load balancing so as to avoid overloading a particular directory server and to make sure that client requests are serviced in real time. If one or more directory servers become unavailable, the load is distributed proportionally among the remaining servers; when a server comes back online, the load is proportionally and dynamically reallocated.

4. Sun One Meta-Directory:
Formerly part of the iPlanet Directory Server Integration Edition, it consolidates and integrates identity information that is spread throughout the enterprise into a single profile. Because a single profile is maintained, it improves the quality of information through bidirectional synchronization: if an identity's information is changed in one application, the change is propagated to the other applications too.

The Join engine applies an extensive set of rules to determine how to combine the user data from the different applications. These rules also control the direction of updates, define the definitive sources for different types of user data and delegate administration of the user base.

Sun One Identity Server Components :
The major components which form the Identity Server are shown in Figure 1 and are briefly discussed below:

1. Identity management:

The Identity Management component provides GUI and command line tools to create and manage identity-related objects. User, role, group, policies, organization, suborganization and container objects can be defined, modified or deleted using either the Identity Server console or the command line interface. The console has default administrators with varying degrees of privileges used to create and manage the organizations, groups, containers, users, services, and policies. The administrators are defined within the Directory Server when installed with Identity Server. The identity management console presents two basic types of views depending on the role of the user logging in.
When a user with an administrative role authenticates to the Identity Server, the default view is the Identity Management view. In this view the administrator can perform administrative tasks. Depending on the role of the administrator, this can include, but is not limited to, creating objects (users, organizations, policies, and so forth), and configuring services.
When a user who has not been assigned an administrative role authenticates to the Identity Server, the default view is their own User Profile. In this view the user can modify the values of the attributes particular to their personal profile. This can include, but is not limited to, name, home address and password.

2. Service management

A service in Identity Server is a group of attributes defined under a common name, such as mail or calendar. The attributes define the parameters that the service provides to an organization. For example, in developing a mail service, one could decide to include attributes for the employee's organization name, a VoIP extension and the supervisor's name. When the service is registered to an organization, the organization can use these attributes in the configuration of its entries.
The services in the Identity Server are defined using Extensible Markup Language (XML). The Service Management Services Document Type Definition (sms.dtd) defines the structure of a service XML file. This file can be found in the following directory:
Identity_Server_root/SUNWam/web-apps/services/dtd/
Identity server comes with some default services which are defined by XML files located in the following directory:
Identity_Server_root/SUNWam/web-apps/services/WEB-INF/config/xml
Service management component provides the interface (using the identity server console GUI) to configure and register these services and service attributes.

3.Access management

The Identity Server provides a common authentication & authorization platform which administrators can use to implement access to multiple servers with one single account for each user. Users can access all the web resources to which they are entitled using the SSO authorization services, and can do so across different DNS domains without authenticating again and again.

Identity Server provides a plug-in solution for user authentication. The criteria needed to authenticate a particular user are based on the authentication service configured for each organization in the Identity Server enterprise. It also supports multi-level authentication, which requires users to pass successfully through multiple levels of authentication in order to access resources. Each authentication level maps to one or more authentication mechanisms. Once a user has been authenticated at a particular level, he can access all resources that require a lower level of authentication, which avoids re-authentication while accessing those other resources.

A set of rules combine to form a policy. These define who has access to resources and which users can perform what tasks when the appropriate conditions are met. A single policy can define either binary or non-binary decisions. A binary decision is yes/no, true/false or allow/deny and most policies are of this type. A non-binary decision represents the value of an attribute. For example, a mail service might include a mailbox Quota attribute with a maximum storage value set for each user. A policy service administers this restriction ensuring that each user’s quota is not exceeded.

Identity Server provides policy APIs, command line tools (amadmin) and the Identity Server console to create, modify and administer the policies.
Identity Server uses SSO (Single Sign On) to authenticate the user once and then grant him access to multiple resources. Each time the authenticated user tries to access a protected page, the SSO API determines whether the user has the required permissions based on his authentication credentials. If the user is valid, access to the page is given without additional authentication; if not, the user is prompted to authenticate again. This is achieved by creating an SSO token with a session identifier.

The Cross Domain Single Sign-On (CDSSO) feature makes it possible for users to authenticate once in a DNS domain in your enterprise, and then access Identity Server services running on other domains. This service is implemented through the use of a controller plus any number of CDSSO components that you install on the participating domains.

The Cross-Domain Controller (CDC) component is automatically installed when you install Identity Services. The controller is responsible for appropriately directing authentication requests. If a request contains no Single Sign-On (SSO) information, the controller directs the request to the Authentication service. If a request contains SSO information the request is directed to the appropriate CDSSO component with the SSO information appended to the query string.

Identity Server makes use of Policy Agents to implement web SSO and protect access to restricted web resources. If a user tries to access a protected resource and no valid SSO token is found, the request is redirected to the Identity Server and the user has to pass through the SSO authentication process. Once a valid SSO token is generated, the policy agent checks the access rights of the user and the user is then redirected to the requested web resource. Access is granted or denied depending upon the user's access privileges.

The Session Management module provides a solution for viewing user session information and managing user sessions. It keeps track of various session times. Administrators can use it to view and terminate the authenticated user sessions which are currently active.

4.Federation management

Today a user on the internet usually has a number of accounts to access various business, community and personal service providers. The user might have different names, passwords and preferences for his bank account, email account, utility providers, news portals etc. A local identity refers to the set of attributes that an individual might set up with one service provider. These attributes serve to uniquely identify the individual with that provider.

It is becoming increasingly important to develop and implement a system for online users to aggregate their local identities, enabling them to have one network identity. This system is identity federation. Identity federation allows a user to associate, connect or bind the local identities he holds with multiple internet service providers. A network identity allows users to log in at one service provider's site and then go to an affiliated site without having to re-authenticate or re-establish their identity.
The Liberty Alliance is one such project which is trying to make this concept a reality.
The purpose of Liberty is to develop technical specifications for network identity in a federated environment. It is a project of the Liberty Alliance, a group organized to establish open standards for network-based identity interactions.

The key features of Liberty are:

The Liberty user: The user who interacts with two types of entities:

Service Providers: Businesses and information providers of the on-line world

Identity Providers: Entities that maintain and manage identity information. Both the Service and Identity providers could be either remote or hosted providers.

Single sign-on: The ability of the user to authenticate himself once per session with an identity provider and then use that authentication to create sessions with various service providers and perhaps even other identity providers without having to re-authenticate himself.

Federated Identity: Federation allows the user to keep his existing accounts with different service providers on one hand and to establish a connection between those accounts on the other hand.

Single Logout: When a user logs out from an identity provider, the user will effectively be logged out from all affiliated service providers within an authentication domain. Logout information is sent to the identity provider when it is initiated from a service provider. Users can initiate logout from either a service provider or the identity provider.

Liberty does not limit Identity Providers to a particular scheme of authentication. It could be something simple like prompting the user for the username and password, or more complex and secure mechanisms involving cryptographic signatures, certificates, or challenge/response protocols. Liberty is friendly in the sense that the redirection for these operations is done by the system and not by the user.

Liberty protocols exchange identity information through pre-existing protocols and languages (SOAP and SAML respectively) as well as Web redirects. Liberty protocols use SSL to encrypt these web communications and provide user confidentiality.

SOAP (Simple Object Access Protocol) is a peer-to-peer protocol for exchanging structured and typed information between peers in a distributed environment. The SOAP envelope is a framework for expressing what is in a message, who should handle it, and whether it is optional or mandatory. SOAP also has encoding rules for exchanging application-defined datatypes, exactly what is needed in Liberty.

SAML (Security Assertion Markup Language) is an XML-based security assertion framework. SAML defines three types of assertions: authentication, attribute, and authorization decision. Liberty uses authentication assertions, which state that subject S was authenticated at time T by means M.

In the Sun ONE Identity Server the administrator can use the provided tools (the GUI or the command line) to enable Liberty. Now if the user or an application tries to access a protected resource, the user is redirected to a Pre-Login page which invokes the Federation Management Service's Pre-Login servlet instead of the authentication service. This servlet searches for either a valid Identity Server single sign-on token or a valid Federation Cookie (which indicates that a user has federated his account using this Identity Server provider). If an SSO token is found, the user's federation information is retrieved and the user is authenticated; a Federation Cookie is also set and the user is returned to the target resource. If a Federation Cookie is found, the user is directed to the Federation Single Sign-On Service, which provides an Authentication Assertion allowing the user access to the target resource. If neither of these items is found, the user is redirected to the Identity Server Authentication Service where, upon successful authentication, the user is directed to the Post-Login page which invokes the Post-Login servlet. This servlet processes the user's Identity Server authentication and initiates the Federation Management Single Sign-On Service which, once again, provides an Authentication Assertion to allow the user access to the target resource.

The IS console can be used to administer the Authentication Domains and the providers.

5.Directory server
Sun ONE Directory Server provides global directory services. A global directory service provides a single, centralized repository of directory information that any application can access. Offering a wide variety of applications access to the directory requires that those applications be able to communicate with the directory over the network in a standard way. Sun ONE Directory Server provides two standard protocols through which applications can access its global directory: Lightweight Directory Access Protocol (LDAP), and Directory Services Markup Language (DSML).
Directory server acts as the primary layer on which the Identity server is built. All the users, policies, organizations etc which are created through the identity console are finally stored in the directory server database. The information in the directory can also be administered through the Directory Server Console (GUI).

By,
Ashokkumar.

Monday, February 19, 2007

Sun one Directory server backup and Recovery

1.1 Introduction
The Sun ONE Directory Server product provides several backup and recovery tools. However, these tools need to be utilized in a way that provides the best strategy for backing up all LDAP servers associated with a directory service.

1.3 Levels of Backup
The following are the different levels at which we take backups of the directory services:
- Database level data backups

- Configuration backups by server and configuration suffix (e.g., o=NetscapeRoot, cn=config, etc.)

- The ability to recover any directory server by type (i.e., master, replica hub, consumer, or backup)

1.3 SunONE Directory Backup Utilities
To accomplish backup and recovery, SunONE Directory Services provides the following tools:

- Bulk Import with ldapmodify

- Binary Restore with bak2db.pl

- Import with ldif2db.pl

- Binary Restore with bak2db

- Import with ldif2db

- Manual Restore

1.3.1 Bulk Import With ldapmodify
- SunONE Directory 5.x provides a new optional flag called the bulk import flag (-B), which takes the Base DN (the suffix) as its argument.

- The bulk import replaces all the data of a local or remote directory server backend database according to the suffix name passed as input to the -B flag.

- The bulk load is much faster than a standard ldapmodify operation because it does not perform the standard per-entry checks as the data is loaded into the database.

- It overwrites all data in the database.

- This recovery is based on an LDIF file and not on binary backup files.

Ex: We want to restore the ou=people tree under the dc=wipro,dc=com DIT

$ ldapmodify -h hostname -a -f people.ldif -D "cn=directory manager" -w bindPassword -B "dc=wipro,dc=com"
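Because the bulk import replaces the whole backend for the suffix given to -B and skips the per-entry checks, the LDIF file should be validated before it is loaded. The following is an added example (not code from the original post or from the Sun ONE tools) that parses an LDIF export and flags entries outside the suffix, duplicate DNs, children whose parent is not defined earlier in the file, and entries without objectClass; the sample LDIF is constructed data, and dc=wipro,dc=com is the suffix used in the post's own examples.

```python
"""Pre-import checks for an LDIF file before a Sun ONE bulk import (added
example, not code from the original post or the Sun ONE tools).  ldapmodify
-B and ldif2db replace the whole backend for a suffix and skip the per-entry
checks, so defects in the file go straight into the database: check it first.
SAMPLE_LDIF is constructed data under the suffix the post's examples use."""
import base64
import re


def normalize_dn(dn):
    """Split on unescaped commas; lower-case and strip each RDN (caseIgnore)."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):       # '+' multi-valued RDNs ignored
        attr, _, value = rdn.partition("=")
        rdns.append("%s=%s" % (attr.strip().lower(), value.strip().lower()))
    return rdns


def parse_ldif(text):
    """Return content entries as dicts (lower-cased attribute -> values)."""
    lines = []
    for raw in text.splitlines() + [""]:        # trailing "" flushes last entry
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                    # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        name, sep, rest = line.partition(":")
        name = name.strip().lower()
        if name == "version" and not current:   # leading 'version: 1' line
            continue
        if not sep or name == "changetype" or rest.startswith("<"):
            raise ValueError("unsupported or malformed LDIF line: %r" % line)
        if rest.startswith(":"):                # 'attr:: base64value'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    return entries


def check_import(text, suffix):
    """Flag entries outside the -B suffix, duplicate DNs, children whose parent
    is not defined earlier in the file, and entries without objectClass."""
    entries = parse_ldif(text)
    suffix_rdns = normalize_dn(suffix)
    problems, seen = [], set()
    for idx, entry in enumerate(entries, 1):
        dns = entry.get("dn", [])
        if len(dns) != 1:
            problems.append("entry %d: missing or repeated dn" % idx)
            continue
        rdns = normalize_dn(dns[0])
        key, parent = ",".join(rdns), ",".join(rdns[1:])
        if rdns[-len(suffix_rdns):] != suffix_rdns:
            problems.append("%s: outside suffix %s" % (dns[0], suffix))
        elif key in seen:
            problems.append("%s: duplicate dn" % dns[0])
        elif rdns != suffix_rdns and parent not in seen:
            problems.append("%s: parent not defined earlier in file" % dns[0])
        if "objectclass" not in entry:
            problems.append("%s: no objectClass" % dns[0])
        seen.add(key)
    return {"entries": len(entries), "problems": problems}


# Three good entries, then a duplicate, a foreign-tree entry and an orphan.
SAMPLE_LDIF = """\
dn: dc=wipro,dc=com
objectClass: domain
dc: wipro

dn: ou=People, dc=wipro,dc=com
objectClass: organizationalUnit
ou: People

dn: uid=asmith,ou=people,dc=wipro,dc=com
objectClass: inetOrgPerson
uid: asmith
description:: QWxpY2Ugd29ya3Mg
 aW4gSFI=

dn: uid=asmith,ou=people,dc=wipro,dc=com
objectClass: inetOrgPerson

dn: uid=stray,ou=people,dc=example,dc=org
objectClass: inetOrgPerson

dn: cn=noclass,ou=groups,dc=wipro,dc=com
cn: noclass
"""
```

With the constructed sample, check_import(SAMPLE_LDIF, "dc=wipro,dc=com") reports four problems: a duplicate DN, an entry outside the suffix, a child whose container is missing from the file, and a missing objectClass.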

1.3.2 Binary Restore with bak2db.pl
The bak2db.pl script overwrites the contents of an entire directory server instance using the backup created by db2bak.pl.

- The overwritten data includes the directory server instance configuration data and suffix databases.

- The input directory name passed to the -a option must be the name of the backup directory on the server to be restored.

- It should also be noted that the recovery process invoked by the restore task takes the destination server's backend database offline during the restore and then brings it back online upon completion.

Ex: To back up/restore the complete directory services

$ db2bak.pl -v -D "cn=directory manager" -w password -a <backup_directory> -t ldbm

Restoring the complete directory:

$ bak2db.pl -v -D "cn=directory manager" -w password -a <backup_directory> -t ldbm


1.3.3 Import with ldif2db.pl
The ldif2db.pl perl script overwrites the contents of a directory server database.

- This script imports LDAP data from one or more LDIF input files into a single LDAP database.

- This task tells the directory server instance that it is about to overwrite the existing data with the contents of an input file through the import method.

- It should be noted that the recovery process, invoked by using the restore task, takes the destination server's backend database offline during the restore and then brings it back online upon completion.

Ex: Backing up and restoring the directory database

Usage of ldif2db.pl:

$ ldif2db.pl -D "cn=directory manager" -w password -n <backend> [-s <include_suffix>] [-x <exclude_suffix>] -i <ldif_file>

Backing up the dc=wipro,dc=com DIT, where the backend database name is "userRoot" (the export is done with db2ldif.pl):

$ db2ldif.pl -D "cn=directory manager" -w password -n userRoot -a people.ldif

Restoring the People subtree from that backup:

$ ldif2db.pl -D "cn=directory manager" -w password -n userRoot -i people.ldif

1.3.4 Binary Restore with bak2db
bak2db restores a binary backup of an entire directory server instance.

- The bak2db utility cannot be used to restore individual suffix backend databases.

- This is the fastest method of restoring a database, but the server must be taken offline before it can be run.

Ex. To back up/restore the directory database using db2bak/bak2db
Back up the slapd-syncmaster instance using db2bak:

$ /slapd-syncmaster/db2bak

Restore the slapd-syncmaster instance using bak2db:

>> Stop the running directory server instance

$ /slapd-syncmaster/bak2db

1.3.5 Import with ldif2db
- ldif2db overwrites an existing suffix backend database with the contents of an LDIF import file.

- If the contents of the LDIF file include the directory server configuration information stored in o=NetscapeRoot, the script first saves and then merges any existing o=NetscapeRoot configuration information with the o=NetscapeRoot configuration information in the files being imported.

- This method of recovery is extremely flexible and is the preferred method for directory servers to initialize individual suffix backend databases; however, it requires that the server is offline for the duration of the import, and it cannot be run remotely.

Ex. To back up/restore the directory server

Back up the directory using db2ldif:

$ db2ldif -n <backend> -a <output_ldif_file>

Restore the directory using ldif2db:

>> Stop the running Directory server and run ldif2db

$ ldif2db -n <backend> -i <input_ldif_file>

1.3.6 Manual Restore
- The offline manual restore simply overwrites the existing database files with those from a binary backup.

- The binary backup could have been made through db2bak or by manually copying the "db" directory to a backup directory.

- This method is very straightforward; it also requires the server to be offline for the duration of the copy.

- The restore can be performed remotely using rcp, scp, ftp, or sftp.


by,
Ashokkumar.

Thursday, February 15, 2007

eDirectory Error Codes

******************** All Error Codes ************
eDirectory or NDS Error Code List

This section includes the following error codes and topics:

eDirectory or NDS Operating System Error Code List
-------------------------------------------------

-001 FFFFFFFF INSUFFICIENT SPACE
-119 FFFFFF89 BUFFER TOO SMALL
-120 FFFFFF88 VOLUME FLAG NOT SET
-121 FFFFFF87 NO ITEMS FOUND
-122 FFFFFF86 CONN ALREADY TEMPORARY
-123 FFFFFF85 CONN ALREADY LOGGED IN
-124 FFFFFF84 CONN NOT AUTHENTICATED
-125 FFFFFF83 CONN NOT LOGGED IN
-126 FFFFFF82 NCP BOUNDARY CHECK FAILED
-127 FFFFFF81 LOCK WAITING
-128 FFFFFF80 LOCK FAIL
-129 FFFFFF7F OUT OF HANDLES
-130 FFFFFF7E NO OPEN PRIVILEGE
-131 FFFFFF7D HARD IO ERROR
-132 FFFFFF7C NO CREATE PRIVILEGE
-133 FFFFFF7B NO CREATE DELETE PRIV
-134 FFFFFF7A R O CREATE FILE
-135 FFFFFF79 CREATE FILE INVALID NAME
-136 FFFFFF78 INVALID FILE HANDLE
-137 FFFFFF77 NO SEARCH PRIVILEGE
-138 FFFFFF76 NO DELETE PRIVILEGE
-139 FFFFFF75 NO RENAME PRIVILEGE
-140 FFFFFF74 NO SET PRIVILEGE
-141 FFFFFF73 SOME FILES IN USE
-142 FFFFFF72 ALL FILES IN USE
-143 FFFFFF71 SOME READ ONLY
-144 FFFFFF70 ALL READ ONLY
-145 FFFFFF6F SOME NAMES EXIST
-146 FFFFFF6E ALL NAMES EXIST
-147 FFFFFF6D NO READ PRIVILEGE
-148 FFFFFF6C NO WRITE PRIVILEGE
-149 FFFFFF6B FILE DETACHED
-150 FFFFFF6A INSUFFICIENT MEMORY
-150 FFFFFF6A NO ALLOC SPACE
-150 FFFFFF6A TARGET NOT A SUBDIR
-151 FFFFFF69 NO SPOOL SPACE
-152 FFFFFF68 INVALID VOLUME
-153 FFFFFF67 DIRECTORY FULL
-154 FFFFFF66 RENAME ACROSS VOLUME
-155 FFFFFF65 BAD DIR HANDLE
-156 FFFFFF64 INVALID PATH
-156 FFFFFF64 NO SUCH EXTENSION
-157 FFFFFF63 NO DIR HANDLES
-158 FFFFFF62 BAD FILE NAME
-159 FFFFFF61 DIRECTORY ACTIVE
-160 FFFFFF60 DIRECTORY NOT EMPTY
-161 FFFFFF5F DIRECTORY IO ERROR
-162 FFFFFF5E IO LOCKED
-163 FFFFFF5D TRANSACTION RESTARTED
-164 FFFFFF5C RENAME DIR INVALID
-165 FFFFFF5B INVALID OPENCREATE MODE
-166 FFFFFF5A ALREADY IN USE
-167 FFFFFF59 INVALID RESOURCE TAG
-168 FFFFFF58 ACCESS DENIED
-188 FFFFFF44 DSERR LOGIN SIGNING REQUIRED
-189 FFFFFF43 DSERR LOGIN ENCRYPT REQUIRED
-190 FFFFFF42 INVALID DATA STREAM
-191 FFFFFF41 INVALID NAME SPACE
-192 FFFFFF40 NO ACCOUNTING PRIVILEGES
-193 FFFFFF3F NO ACCOUNT BALANCE
-194 FFFFFF3E CREDIT LIMIT EXCEEDED
-195 FFFFFF3D TOO MANY HOLDS
-196 FFFFFF3C ACCOUNTING DISABLED
-197 FFFFFF3B LOGIN LOCKOUT
-198 FFFFFF3A NO CONSOLE RIGHTS
-208 FFFFFF30 Q IO FAILURE
-209 FFFFFF2F NO QUEUE
-210 FFFFFF2E NO Q SERVER
-211 FFFFFF2D NO Q RIGHTS
-212 FFFFFF2C Q FULL
-213 FFFFFF2B NO Q JOB
-214 FFFFFF2A NO Q JOB RIGHTS
-214 FFFFFF2A UNENCRYPTED NOT ALLOWED
-215 FFFFFF29 DUPLICATE PASSWORD
-215 FFFFFF29 Q IN SERVICE
-216 FFFFFF28 PASSWORD TOO SHORT
-216 FFFFFF28 Q NOT ACTIVE
-217 FFFFFF27 MAXIMUM LOGINS EXCEEDED
-217 FFFFFF27 Q STN NOT SERVER
-218 FFFFFF26 BAD LOGIN TIME
-218 FFFFFF26 Q HALTED
-219 FFFFFF25 NODE ADDRESS VIOLATION
-220 FFFFFF24 LOG ACCOUNT EXPIRED
-222 FFFFFF22 BAD PASSWORD
-223 FFFFFF21 PASSWORD EXPIRED
-224 FFFFFF20 NO LOGIN CONN AVAILABLE
-232 FFFFFF18 WRITE TO GROUP PROPERTY
-233 FFFFFF17 MEMBER ALREADY EXISTS
-234 FFFFFF16 NO SUCH MEMBER
-235 FFFFFF15 PROPERTY NOT GROUP
-236 FFFFFF14 NO SUCH VALUE SET
-237 FFFFFF13 PROPERTY ALREADY EXISTS
-238 FFFFFF12 OBJECT ALREADY EXISTS
-239 FFFFFF11 ILLEGAL NAME
-240 FFFFFF10 ILLEGAL WILDCARD
-241 FFFFFF0F BINDERY SECURITY
-242 FFFFFF0E NO OBJECT READ RIGHTS
-243 FFFFFF0D NO OBJECT RENAME RIGHTS
-244 FFFFFF0C NO OBJECT DELETE RIGHTS
-245 FFFFFF0B NO OBJECT CREATE RIGHTS
-246 FFFFFF0A NO PROPERTY DELETE RIGHTS
-247 FFFFFF09 NO PROPERTY CREATE RIGHTS
-248 FFFFFF08 NO PROPERTY WRITE RIGHTS
-249 FFFFFF07 NO PROPERTY READ RIGHTS
-250 FFFFFF06 TEMP REMAP
-251 FFFFFF05 NO SUCH PROPERTY
-251 FFFFFF05 UNKNOWN REQUEST
-252 FFFFFF04 MESSAGE QUEUE FULL
-252 FFFFFF04 NO SUCH OBJECT
-252 FFFFFF04 TARGET ALREADY HAS MSG
-253 FFFFFF03 BAD STATION NUMBER
-254 FFFFFF02 BINDERY LOCKED
-254 FFFFFF02 DIR LOCKED
-254 FFFFFF02 DSERR TIMEOUT
-254 FFFFFF02 LOGIN DISABLED
-254 FFFFFF02 SPOOL DELETE
-254 FFFFFF02 TRUSTEE NOT FOUND
-255 FFFFFF01 BAD PARAMETER
-255 FFFFFF01 BAD SPOOL PRINTER
-255 FFFFFF01 CLOSE FCB
-255 FFFFFF01 ERR OF SOME SORT
-255 FFFFFF01 FILE EXISTS
-255 FFFFFF01 FILE NAME
-255 FFFFFF01 HARD FAILURE
-255 FFFFFF01 IO BOUND
-255 FFFFFF01 MUST FORCE DOWN
-255 FFFFFF01 NO FILES FOUND
-255 FFFFFF01 NO SPOOL FILE
-255 FFFFFF01 NO TRUSTEE CHANGE PRIV
-255 FFFFFF01 TARGET NOT ACCEPTING MSGS
-255 FFFFFF01 TARGET NOT LOGGED IN

eDirectory or NDS Client Error Code List
----------------------------------------

-301 FFFFFED3 NOT ENOUGH MEMORY
-302 FFFFFED2 BAD KEY
-303 FFFFFED1 BAD CONTEXT
-304 FFFFFED0 BUFFER FULL
-305 FFFFFECF LIST EMPTY
-306 FFFFFECE BAD SYNTAX
-307 FFFFFECD BUFFER EMPTY
-308 FFFFFECC BAD VERB
-309 FFFFFECB EXPECTED IDENTIFIER
-310 FFFFFECA EXPECTED EQUALS
-311 FFFFFEC9 ATTR TYPE EXPECTED
-312 FFFFFEC8 ATTR TYPE NOT EXPECTED
-313 FFFFFEC7 FILTER TREE EMPTY
-314 FFFFFEC6 INVALID OBJECT NAME
-315 FFFFFEC5 EXPECTED RDN DELIMITER
-316 FFFFFEC4 TOO MANY TOKENS
-317 FFFFFEC3 INCONSISTENT MULTIAVA
-318 FFFFFEC2 COUNTRY NAME TOO LONG
-319 FFFFFEC1 SYSTEM ERROR
-320 FFFFFEC0 CANT ADD ROOT
-321 FFFFFEBF UNABLE TO ATTACH
-322 FFFFFEBE INVALID HANDLE
-323 FFFFFEBD BUFFER ZERO LENGTH
-324 FFFFFEBC INVALID REPLICA TYPE
-325 FFFFFEBB INVALID ATTR SYNTAX
-326 FFFFFEBA INVALID FILTER SYNTAX
-328 FFFFFEB8 CONTEXT CREATION
-329 FFFFFEB7 INVALID UNION TAG
-330 FFFFFEB6 INVALID SERVER RESPONSE
-331 FFFFFEB5 NULL POINTER
-332 FFFFFEB4 NO SERVER FOUND
-333 FFFFFEB3 NO CONNECTION
-334 FFFFFEB2 RDN TOO LONG
-335 FFFFFEB1 DUPLICATE TYPE
-336 FFFFFEB0 DATA STORE FAILURE
-337 FFFFFEAF NOT LOGGED IN
-338 FFFFFEAE INVALID PASSWORD CHARS
-339 FFFFFEAD FAILED SERVER AUTHENT
-340 FFFFFEAC TRANSPORT
-341 FFFFFEAB NO SUCH SYNTAX
-342 FFFFFEAA INVALID NDS NAME
-343 FFFFFEA9 ATTR NAME TOO LONG
-344 FFFFFEA8 INVALID TDS
-345 FFFFFEA7 INVALID DS VERSION
-346 FFFFFEA6 UNICODE TRANSLATION
-347 FFFFFEA5 SCHEMA NAME TOO LONG
-348 FFFFFEA4 UNICODE FILE NOT FOUND
-349 FFFFFEA3 UNICODE ALREADY LOADED
-350 FFFFFEA2 NOT CONTEXT OWNER
-351 FFFFFEA1 ATTEMPT TO AUTHENTICATE 0
-352 FFFFFEA0 NO WRITABLE REPLICAS
-353 FFFFFE9F DN TOO LONG
-354 FFFFFE9E RENAME NOT ALLOWED
-355 FFFFFE9D ERR NOT NDS FOR NT
-356 FFFFFE9C ERR NDS FOR NT NO DOMAIN
-357 FFFFFE9B ERR NDS FOR NT SYNC DISABLED
-358 FFFFFE9A ERR ITR INVALID HANDLE
-359 FFFFFE99 ERR ITR INVALID POSITION
-360 FFFFFE98 ERR ITR INVALID SEARCH DATA
-361 FFFFFE97 ERR ITR INVALID SCOPE
-362 FFFFFE96 ERR ITR MAX COUNT

eDirectory or NDS Unicode Error Code List
-----------------------------------------

-489 FFFFFE17 UNI ALREADY LOADED
-490 FFFFFE16 UNI FUTURE OPCODE
-491 FFFFFE15 UNI NO SUCH FILE
-492 FFFFFE14 UNI TOO MANY FILES
-493 FFFFFE13 UNI NO PERMISSION
-494 FFFFFE12 UNI NO MEMORY
-495 FFFFFE11 UNI LOAD FAILED
-496 FFFFFE10 UNI HANDLE BAD
-497 FFFFFE0F UNI HANDLE MISMATCH
-498 FFFFFE0E UNI RULES CORRUPT
-499 FFFFFE0D UNI NO DEFAULT
-500 FFFFFE0C UNI INSUFFICIENT BUFFER
-501 FFFFFE0B UNI OPEN FAILED
-502 FFFFFE0A UNI NO LOAD DIR
-503 FFFFFE09 UNI BAD FILE HANDLE
-504 FFFFFE08 UNI READ FAILED
-505 FFFFFE07 UNI TRANS CORRUPT

eDirectory or NDS Agent Error Code List
---------------------------------------

-601 FFFFFDA7 NO SUCH ENTRY
-602 FFFFFDA6 NO SUCH VALUE
-603 FFFFFDA5 NO SUCH ATTRIBUTE
-604 FFFFFDA4 NO SUCH CLASS
-605 FFFFFDA3 NO SUCH PARTITION
-606 FFFFFDA2 ENTRY ALREADY EXISTS
-607 FFFFFDA1 NOT EFFECTIVE CLASS
-608 FFFFFDA0 ILLEGAL ATTRIBUTE
-609 FFFFFD9F MISSING MANDATORY
-610 FFFFFD9E ILLEGAL NDS NAME
-611 FFFFFD9D ILLEGAL CONTAINMENT
-612 FFFFFD9C CANT HAVE MULTIPLE VALUES
-613 FFFFFD9B SYNTAX VIOLATION
-614 FFFFFD9A DUPLICATE VALUE
-615 FFFFFD99 ATTRIBUTE ALREADY EXISTS
-616 FFFFFD98 MAXIMUM ENTRIES EXIST
-617 FFFFFD97 DATABASE FORMAT
-618 FFFFFD96 INCONSISTENT DATABASE
-619 FFFFFD95 INVALID COMPARISON
-620 FFFFFD94 COMPARISON FAILED
-621 FFFFFD93 TRANSACTIONS DISABLED
-622 FFFFFD92 INVALID TRANSPORT
-623 FFFFFD91 SYNTAX INVALID IN NAME
-624 FFFFFD90 REPLICA ALREADY EXISTS
-625 FFFFFD8F TRANSPORT FAILURE
-626 FFFFFD8E ALL REFERRALS FAILED
-627 FFFFFD8D CANT REMOVE NAMING VALUE
-628 FFFFFD8C OBJECT CLASS VIOLATION
-629 FFFFFD8B ENTRY IS NOT LEAF
-630 FFFFFD8A DIFFERENT TREE
-631 FFFFFD89 ILLEGAL REPLICA TYPE
-632 FFFFFD88 SYSTEM FAILURE
-633 FFFFFD87 INVALID ENTRY FOR ROOT
-634 FFFFFD86 NO REFERRALS
-635 FFFFFD85 REMOTE FAILURE
-636 FFFFFD84 UNREACHABLE SERVER
-637 FFFFFD83 PREVIOUS MOVE IN PROGRESS
-638 FFFFFD82 NO CHARACTER MAPPING
-639 FFFFFD81 INCOMPLETE AUTHENTICATION
-640 FFFFFD80 INVALID CERTIFICATE
-641 FFFFFD7F INVALID REQUEST
-642 FFFFFD7E INVALID ITERATION
-643 FFFFFD7D SCHEMA IS NONREMOVABLE
-644 FFFFFD7C SCHEMA IS IN USE
-645 FFFFFD7B CLASS ALREADY EXISTS
-646 FFFFFD7A BAD NAMING ATTRIBUTES
-647 FFFFFD79 NOT ROOT PARTITION
-648 FFFFFD78 INSUFFICIENT STACK
-649 FFFFFD77 INSUFFICIENT BUFFER
-650 FFFFFD76 AMBIGUOUS CONTAINMENT
-651 FFFFFD75 AMBIGUOUS NAMING
-652 FFFFFD74 DUPLICATE MANDATORY
-653 FFFFFD73 DUPLICATE OPTIONAL
-654 FFFFFD72 PARTITION BUSY
-655 FFFFFD71 MULTIPLE REPLICAS
-656 FFFFFD70 CRUCIAL REPLICA
-657 FFFFFD6F SCHEMA SYNC IN PROGRESS
-658 FFFFFD6E SKULK IN PROGRESS
-659 FFFFFD6D TIME NOT SYNCHRONIZED
-660 FFFFFD6C RECORD IN USE
-661 FFFFFD6B DS VOLUME NOT MOUNTED
-662 FFFFFD6A DS VOLUME IO FAILURE
-663 FFFFFD69 DS LOCKED
-664 FFFFFD68 OLD EPOCH
-665 FFFFFD67 NEW EPOCH
-666 FFFFFD66 INCOMPATIBLE NDS VERSION
-667 FFFFFD65 PARTITION ROOT
-668 FFFFFD64 ENTRY NOT CONTAINER
-669 FFFFFD63 FAILED AUTHENTICATION
-670 FFFFFD62 INVALID CONTEXT
-671 FFFFFD61 NO SUCH PARENT
-672 FFFFFD60 NO ACCESS
-673 FFFFFD5F REPLICA NOT ON
-674 FFFFFD5E INVALID NAME SERVICE
-675 FFFFFD5D INVALID TASK
-676 FFFFFD5C INVALID CONN HANDLE
-677 FFFFFD5B INVALID IDENTITY
-678 FFFFFD5A DUPLICATE ACL
-679 FFFFFD59 PARTITION ALREADY EXISTS
-680 FFFFFD58 TRANSPORT MODIFIED
-681 FFFFFD57 ALIAS OF AN ALIAS
-682 FFFFFD56 AUDITING FAILED
-683 FFFFFD55 INVALID API VERSION
-684 FFFFFD54 SECURE NCP VIOLATION
-685 FFFFFD53 MOVE IN PROGRESS
-686 FFFFFD52 NOT LEAF PARTITION
-687 FFFFFD51 CANNOT ABORT
-688 FFFFFD50 CACHE OVERFLOW
-689 FFFFFD4F INVALID SUBORDINATE COUNT
-690 FFFFFD4E INVALID RDN
-691 FFFFFD4D MOD TIME NOT CURRENT
-692 FFFFFD4C INCORRECT BASE CLASS
-693 FFFFFD4B MISSING REFERENCE
-694 FFFFFD4A LOST ENTRY
-695 FFFFFD49 AGENT ALREADY REGISTERED
-696 FFFFFD48 DS LOADER BUSY
-697 FFFFFD47 DS CANNOT RELOAD
-698 FFFFFD46 REPLICA IN SKULK
-699 FFFFFD45 FATAL
-700 FFFFFD44 OBSOLETE API
-701 FFFFFD43 SYNCHRONIZATION DISABLED
-702 FFFFFD42 INVALID PARAMETER
-703 FFFFFD41 DUPLICATE TEMPLATE
-704 FFFFFD40 NO MASTER REPLICA
-705 FFFFFD3F DUPLICATE CONTAINMENT
-706 FFFFFD3E NOT SIBLING
-707 FFFFFD3D INVALID SIGNATURE
-708 FFFFFD3C INVALID RESPONSE
-709 FFFFFD3B INSUFFICIENT SOCKETS
-710 FFFFFD3A DATABASE READ FAIL
-711 FFFFFD39 INVALID CODE PAGE
-712 FFFFFD38 INVALID ESCAPE CHAR
-713 FFFFFD37 INVALID DELIMITERS
-714 FFFFFD36 NOT IMPLEMENTED
-715 FFFFFD35 CHECKSUM FAILURE
-716 FFFFFD34 CHECKSUMMING NOT SUPPORTED
-717 FFFFFD33 CRC FAILURE
-718 FFFFFD32 INVALID ENTRY HANDLE
-719 FFFFFD31 INVALID VALUE HANDLE
-720 FFFFFD30 CONNECTION DENIED
-721 FFFFFD2F NO SUCH FEDERATION LINK
-722 FFFFFD2E OP SCHEMA MISMATCH
-723 FFFFFD2D STREAM NOT FOUND
-724 FFFFFD2C DCLIENT UNAVAILABLE
-725 FFFFFD2B MASV NO ACCESS
-726 FFFFFD2A MASV INVALID REQUEST
-727 FFFFFD29 MASV FAILURE
-728 FFFFFD28 MASV ALREADY EXISTS
-729 FFFFFD27 MASV NOT FOUND
-730 FFFFFD26 MASV BAD RANGE
-731 FFFFFD25 VALUE DATA
-732 FFFFFD24 DATABASE LOCKED
-733 FFFFFD23 DATABASE ALREADY EXISTS
-734 FFFFFD22 DATABASE NOT FOUND
-735 FFFFFD21 NOTHING TO ABORT
-736 FFFFFD20 END OF STREAM
-737 FFFFFD1F NO SUCH TEMPLATE
-738 FFFFFD1E SAS LOCKED
-739 FFFFFD1D INVALID SAS VERSION
-740 FFFFFD1C SAS ALREADY REGISTERED
-741 FFFFFD1B NAME TYPE NOT SUPPORTED
-742 FFFFFD1A WRONG NDS VERSION
-743 FFFFFD19 INVALID CONTROL FUNCTION
-744 FFFFFD18 INVALID CONTROL STATE
-745 FFFFFD17 ERR CACHE IN USE
-746 FFFFFD16 ERR ZERO CREATION TIME
-747 FFFFFD15 ERR WOULD BLOCK
-748 FFFFFD14 ERR CONN TIMEOUT
-749 FFFFFD13 ERR TOO MANY REFERRALS
-750 FFFFFD12 ERR OPERATION CANCELLED
-751 FFFFFD11 ERR UNKNOWN TARGET
-752 FFFFFD10 ERR GUID FAILURE
-753 FFFFFD0F ERR INCOMPATIBLE OS
-754 FFFFFD0E ERR CALLBACK CANCEL
-755 FFFFFD0D ERR INVALID SYNC DATA
-756 FFFFFD0C ERR STREAM EXISTS
-757 FFFFFD0B ERR AUXILIARY HAS CONTAINMENT
-758 FFFFFD0A ERR AUXILIARY NOT CONTAINER
-759 FFFFFD09 ERR AUXILIARY NOT EFFECTIVE
-760 FFFFFD08 ERR AUXILIARY ON ALIAS
-761 FFFFFD07 ERR HAVE SEEN STATE
-762 FFFFFD06 ERR VERB LOCKED
-763 FFFFFD05 ERR VERB EXCEEDS TABLE LENGTH
-764 FFFFFD04 ERR BOF HIT
-765 FFFFFD03 ERR EOF HIT
-766 FFFFFD02 ERR INCOMPATIBLE REPLICA VER
-767 FFFFFD01 ERR QUERY TIMEOUT
-768 FFFFFD00 ERR QUERY MAX COUNT
-769 FFFFFCFF ERR DUPLICATE NAMING
-770 FFFFFCFE ERR NO TRANS ACTIVE
-771 FFFFFCFD ERR TRANS ACTIVE
-772 FFFFFCFC ERR ILLEGAL TRANS OP
-773 FFFFFCFB ERR ITERATOR SYNTAX
-774 FFFFFCFA ERR REPAIRING DIB
-775 FFFFFCF9 ERR INVALID OID FORMAT
-776 FFFFFCF8 ERR NDS AGENT CLOSING
-777 FFFFFCF7 ERR SPARSE FILTER VIOLATION
-778 FFFFFCF6 ERR VPVECTOR CORRELATION ERR
-779 FFFFFCF5 ERR CANNOT GO REMOTE
-780 FFFFFCF4 ERR REQUEST NOT SUPPORTED
-781 FFFFFCF3 ERR ENTRY NOT LOCAL
-782 FFFFFCF2 ERR ROOT UNREACHABLE
-783 FFFFFCF1 ERR VRDIM NOT INITIALIZED
-784 FFFFFCF0 ERR WAIT TIMEOUT
-785 FFFFFCEF ERR DIB ERROR
-786 FFFFFCEE ERR DIB IO FAILURE
-787 FFFFFCED ERR ILLEGAL SCHEMA ATTRIBUTE
-788 FFFFFCEC ERR SCHEMA PARTITION
-789 FFFFFCEB ERR INVALID TEMPLATE
-790 FFFFFCEA ERR OPENING FILE
-791 FFFFFCE9 ERR DIRECT OPENING FILE
-792 FFFFFCE8 ERR CREATING FILE
-793 FFFFFCE7 ERR DIRECT CREATING FILE
-794 FFFFFCE6 ERR READING FILE
-795 FFFFFCE5 ERR DIRECT READING FILE
-796 FFFFFCE4 ERR WRITING FILE
-797 FFFFFCE3 ERR DIRECT WRITING FILE
-798 FFFFFCE2 ERR POSITIONING IN FILE
-799 FFFFFCE1 ERR GETTING FILE SIZE
-6001 FFFFE88F ERR TRUNCATING FILE
-6002 FFFFE88E ERR PARSING FILE NAME
-6003 FFFFE88D ERR CLOSING FILE
-6004 FFFFE88C ERR GETTING FILE INFO
-6005 FFFFE88B ERR EXPANDING FILE
-6006 FFFFE88A ERR GETTING FREE BLOCKS
-6007 FFFFE889 ERR CHECKING FILE EXISTENCE
-6008 FFFFE888 ERR DELETING FILE
-6009 FFFFE887 ERR RENAMING FILE
-6010 FFFFE886 ERR INITIALIZING IO SYSTEM
-6011 FFFFE885 ERR FLUSHING FILE
-6012 FFFFE884 ERR SETTING UP FOR READ
-6013 FFFFE883 ERR SETTING UP FOR WRITE
-6014 FFFFE882 ERR OLD VIEW
-6015 FFFFE881 ERR SERVER IN SKULK
-6016 FFFFE880 ERR RETURNING PARTIAL RESULTS
-6017 FFFFE87F ERR NO SUCH SCHEMA
-6018 FFFFE87E ERR SERIAL NUM MISMATCH
-6019 FFFFE87D ERR BAD RFL DB SERIAL NUM
-6020 FFFFE87C ERR BAD RFL SERIAL NUM
-6021 FFFFE87B ERR INVALID FILE SEQUENCE
-6022 FFFFE87A ERR RFL TRANS GAP
-6023 FFFFE879 ERR BAD RFL FILE NUMBER
-6024 FFFFE878 ERR RFL FILE NOT FOUND
-6025 FFFFE877 ERR BACKUP ACTIVE
-6026 FFFFE876 ERR RFL DEVICE FULL
-6027 FFFFE875 ERR UNSUPPORTED VERSION
-6028 FFFFE874 ERR MUST WAIT CHECKPOINT
-6029 FFFFE873 ERR ATTR MAINT IN PROGRESS
-6030 FFFFE872 ERR ABORT TRANSACTION
-6031 FFFFE871 ERR SETTING FILE INFO
-6032 FFFFE870 ERR REPLICA RING CHANGED
-6033 FFFFE86F ERR NOT PARTITION ROOT
-6034 FFFFE86E ERR SERVER NOT UP TO DATE
-6035 FFFFE86D ERR INCONSISTENT BACKUP
-6036 FFFFE86C ERR NO SUCH INDEX
-6037 FFFFE86B ERR INDEX OFFLINE
-6038 FFFFE86A ERR CLOSING DATABASE
-6039 FFFFE869 ERR OBJECT OP DISABLED
-6040 FFFFE868 ERR OP STARTED
-6041 FFFFE867 ERR OP ABORTED
-6042 FFFFE866 ERR OP FAILED
-6043 FFFFE865 ERR OP IN PROGRESS
-6044 FFFFE864 ERR NO VALUE
-6045 FFFFE863 ERR PARAM NOT FOUND
-6046 FFFFE862 ERR VALUE TOO LARGE
-6048 FFFFE860 ERR NICI CONTEXT
-6049 FFFFE85F ERR NICI FIND INIT
-6050 FFFFE85E ERR NICI FIND OBJECT
-6051 FFFFE85D ERR NICI WRAPKEY NOT FOUND
-6052 FFFFE85C ERR NICI ATTRIBUTE VALUE
-6053 FFFFE85B ERR NICI BAD ATTRIBUTE
-6054 FFFFE85A ERR NICI BAD RANDOM
-6056 FFFFE858 ERR NICI WRAPKEY FAILED
-6057 FFFFE857 ERR NICI GENKEY FAILED
-6058 FFFFE856 ERR REQUIRE PASSWD
-6061 FFFFE853 ERR NICI UNWRAPKEY FAILED
-6062 FFFFE852 ERR NICI ENC INIT FAILED
-6063 FFFFE851 ERR NICI ENCRYPT FAILED
-6064 FFFFE850 ERR NICI DECRYPT INIT FAILED
-6065 FFFFE84F ERR NICI DECRYPT FAILED
-6066 FFFFE84E ERR NICI INIT FAILED
-6067 FFFFE84D ERR NICI KEY NOT FOUND
-6068 FFFFE84C ERR NICI INVALID ALGORITHM
-6069 FFFFE84B ERR FLD NOT ENCRYPTED
-6070 FFFFE84A ERR CANNOT SET KEY
-6071 FFFFE849 ERR MISSING ENC TYPE
-6072 FFFFE848 ERR CANNOT MOD ENC TYPE
-6073 FFFFE847 ERR MISSING ENC KEY
-6074 FFFFE846 ERR CANNOT CHANGE KEY
-6075 FFFFE845 ERR BAD ENC KEY
-6076 FFFFE844 ERR CANNOT MOD ENC STATE
-6077 FFFFE843 ERR DATA SIZE MISMATCH
-6078 FFFFE842 ERR ENCRYPTION UNAVAILABLE
-6079 FFFFE841 ERR PURGED ENCDEF FOUND
-6080 FFFFE840 ERR FLD NOT DECRYPTED
-6081 FFFFE83F ERR BAD ENCDEF ID
-6082 FFFFE83E ERR PBE ENCRYPT FAILED
-6083 FFFFE83D ERR DIGEST FAILED
-6084 FFFFE83C ERR DIGEST INIT FAILED
-6085 FFFFE83B ERR EXTRACT KEY FAILED
-6086 FFFFE83A ERR INJECT KEY FAILED
-6087 FFFFE839 ERR PBE DECRYPT FAILED
-6089 FFFFE837 ERR REQUIRE SECURE ACCESS
-6090 FFFFE836 ERR ER DISABLED

Tuesday, February 13, 2007

IAM Group - Please join in this

Hi Guys,

I have started a group in Identity and Access Management. I need your support to grow this community.

I hope this will be a good mediator for expressing and sharing our thoughts and doubts.

Please visit this URL and join in:

http://groups.google.co.in/group/iampearl

regards,
ashok.

Thursday, February 8, 2007

Definition of eTrust® TransactionMinder

eTrust® TransactionMinder:

eTrust™ TransactionMinder® is an identity-based Web services security product that secures access to Web services by inspecting the security information contained in the XML documents submitted by Web service consumers. By leveraging a core set of Web services standards, eTrust TransactionMinder utilizes centralized security policies bound to user identities for authentication, authorization, federation, session management and audit.

URL for more information:

http://www3.ca.com/solutions/Product.aspx?...

Vendor:

http://www3.ca.com/Solutions/Product.asp?I...

Definition of SiteMinder

The user authentication and authorization component of an access management suite from Netegrity, a division of Computer Associates. SiteMinder provides policy-based authentication as well as single sign-on for all Web-based applications. SiteMinder is used in conjunction with IdentityMinder, which manages detailed user profiles, and TransactionMinder, which provides access to Web services.