Sun Java System Access Manager and Sun Java System Federation Manager FAQ

This is a series of answers to frequently asked questions about Sun Java System Access Manager and Sun Java System Federation Manager. The sections are being published in installments. More will follow.

In the FAQs, Sun Java System Access Manager is referred to as Access Manager; Sun Java System Federation Manager as Federation Manager.

Sun Java System Access Manager and Sun Java System Federation Manager FAQ: General


Q: How are conformance, compliance, and interoperability of Access Manager tested with other vendor products?

Access Manager is regularly tested for conformance, compliance, and interoperability with other vendor products at Interop events, such as those on SAML, Web Services Framework (WSF), WS Security, and WS-Trust.

In addition, Sun collaborates with customers to implement proof of concepts (POCs) and production deployments that interoperate or coexist with other federation and Web access management (WAM) products. Deployments that demonstrate federation-to-federation interoperability, federation-to-WAM interoperability, and WAM-to-WAM coexistence abound.

Sun also conducts interoperability testing of Access Manager and Federation Manager with other products, such as Oracle Access Manager and CA SiteMinder. This effort is architecture-agnostic and works effectively with the identity infrastructure at various enterprises.

Q: How does Federation Manager interface with users?

Federation Manager offers a customizable Web user interface for federation-related operations, such as login, account linking and unlinking, and the ID-WSF Interaction Service. In addition, users can access their profiles and manage their own accounts, for example, delete account links.

In all cases, the default implementation is in the form of JavaServer Pages (JSP) files. During deployment, you can customize the look and feel of the JSP pages to suit your needs.

Q: How does Federation Manager interface with partners with respect to administration delegation, and for what federation protocols is partner delegation permitted?

For each partner in a realm, Federation Manager enables delegated administration. In a particular realm, you can create and manage partner-specific configurations, such as the definitions of partner entities, metadata information, and circle of trust.

Federation Manager supports partner delegation for major federation protocols, such as Liberty Identity Federation Framework (ID-FF), SAML 2.0, and WS-Federation.

Q: Are there any dependencies for the application integrations supported by Federation Manager?

No. To implement federated single sign-on (SSO), you must protect applications. Such protection is supported by Federation Manager and other similar third-party products. Sun's federation services can interoperate with Policy Agents, proxies, and programmatic communications.

Currently, several Sun customers are using Federation Manager along with other WAM and federation products. As a priority, Sun ensures that the products can interoperate heterogeneously and meet customer requirements regardless of the WAM and federation infrastructure that's in place.

Q: Where can I find the product documentation and white papers on Access Manager?

For product documentation, go to the Access Manager-Federation Manager documentation center.

Also, visit Sun Developer Network's identity hub, which regularly publishes technical articles and tips, such as implementing single logout and securing Web services.

OpenSSO, Access Manager's open-source site, points you to development builds and documentation. Since the OpenSSO code base is the one from which future Access Manager releases are built, there is complete transparency around the latter's evolution. You can access specifications, wireframes, and architecture documents, and download and deploy early versions. Community members can send feedback; key stakeholders and partners, such as OEMs and corporate security groups, can browse the code base and better plan for their infrastructures and development needs.

Q: How does Access Manager perform SSO, desktop SSO, and WAM?

Access Manager enables Web SSO, desktop SSO, and federated SSO based on Liberty Alliance and SAML.

You establish SSO in Access Manager by enforcing agent-based or proxy-based policies that match your security requirements. The policies are evaluated in Access Manager's server environment, which is hosted on standard platform components such as LDAP directories and Web or application servers. Access Manager Policy Agents enforce access policies so that users can log in to only those systems, URLs, or objects they are authorized to access. For example, with Windows Desktop SSO, a Kerberos-based authentication plug-in module for Windows 2000, users who have authenticated with a key distribution center present their Kerberos tokens to Access Manager through the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol. Access Manager then authenticates those users without requiring them to log in again.

To implement Kerberos-based SSO in Access Manager through this authentication module, the client must use SPNEGO to authenticate itself. In general, any browser that supports this protocol can authenticate to Access Manager with this module. Most popular browsers, such as Internet Explorer and Firefox, support SPNEGO over HTTP.

Q: How does Access Manager support dynamic access control, that is, render complex decisions based on real-time data or application knowledge?

A highly extensible policy framework in Access Manager supports plug-ins for the identity repository, so that Access Manager can retrieve user data from other systems at runtime. You can also add policy-based response attributes to responses through response providers.

Furthermore, you can extend Access Manager with the APIs to integrate with other applications for dynamic access control. A new capability in Access Manager enables the retrieval of user profiles at policy decision time. User profile attributes can be either static or dynamic. You define the static attributes within the policy and retrieve the dynamic ones at policy evaluation time, thus enabling attribute-based access control (ABAC).

In addition, you can create referral policies that delegate policy management privileges to another entity, such as a peer realm, a subrealm, or even a third-party product. Finally, Access Manager supports elevated (step-up) authentication according to the resources being accessed and their configurable session timeouts.
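The evaluation model described in the preceding three paragraphs (static attributes fixed in the policy, dynamic attributes fetched from the identity repository at decision time, response attributes returned with the decision, and an authentication level that a resource may require) is shown below as an added example. It is illustration code written for this FAQ, not Access Manager's own policy API: the repository contents, the `Policy` and `Decision` classes, and the `auth_level` request attribute are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List

# Constructed stand-in for the identity repository that a policy plug-in would
# query at decision time. Names and values are assumptions for this illustration.
USER_REPOSITORY = {
    "alice": {"department": "finance", "clearance": 3},
    "bob": {"department": "sales", "clearance": 1},
}


def repository_lookup(uid: str) -> Dict[str, Any]:
    """Dynamic attribute source: consulted when the decision is made, not when the policy is written."""
    return dict(USER_REPOSITORY.get(uid, {}))


@dataclass
class Policy:
    resource_prefix: str
    # Static attributes: values written into the policy and compared with what the
    # request carries (for example the authentication level the user has reached).
    static: Dict[str, Any]
    # Dynamic attributes: predicates over profile values fetched at evaluation time.
    dynamic: Dict[str, Callable[[Any], bool]]
    # Response attributes: profile fields handed back with the decision, as a
    # response provider would do. Maps response name -> profile field.
    response_attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    allowed: bool
    response_attributes: Dict[str, str]


def _satisfies(required: Any, actual: Any) -> bool:
    """Numeric static attributes (such as an auth level) are minimums; others must match exactly."""
    if isinstance(required, (int, float)) and isinstance(actual, (int, float)):
        return actual >= required
    return actual == required


def evaluate(policies: List[Policy], uid: str, resource: str,
             request_attrs: Dict[str, Any], lookup=repository_lookup) -> Decision:
    """Deny by default; allow when some policy covering the resource is fully satisfied."""
    profile = lookup(uid)  # dynamic attributes are retrieved here, at policy decision time
    for policy in policies:
        if not resource.startswith(policy.resource_prefix):
            continue
        static_ok = all(k in request_attrs and _satisfies(v, request_attrs[k])
                        for k, v in policy.static.items())
        dynamic_ok = all(k in profile and check(profile[k])
                         for k, check in policy.dynamic.items())
        if static_ok and dynamic_ok:
            attrs = {name: str(profile.get(src, ""))
                     for name, src in policy.response_attributes.items()}
            return Decision(True, attrs)
    return Decision(False, {})


def sample_policies() -> List[Policy]:
    """Constructed policy: /finance/ needs auth level 2 or higher, a finance user, clearance >= 2."""
    return [Policy("/finance/",
                   static={"auth_level": 2},
                   dynamic={"department": lambda d: d == "finance",
                            "clearance": lambda c: c >= 2},
                   response_attributes={"X-Department": "department"})]


if __name__ == "__main__":
    print(evaluate(sample_policies(), "alice", "/finance/ledger", {"auth_level": 2}))
```

The point a practitioner should take from the example is the ordering: the profile is read inside `evaluate`, so a clearance change in the repository takes effect at the next decision without editing the policy, while the required authentication level is part of the policy itself, which is what makes a step-up requirement per resource possible.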

Q: Does Access Manager support non-Web targets?

Yes, Access Manager supports non-Web targets such as thick clients written in C or the Java programming language. For other such targets, Sun has established strong partnerships with eSSO vendors. Additionally, Sun has exposed the APIs for all of Access Manager's core components to enable integration with proprietary applications.

With the industry's move toward service-oriented architecture (SOA), enterprises can apply Access Manager's infrastructure for Web services, called identity services, to non-Web applications. Identity services enable platform-independent integration of Access Manager with clients to manage access for both Web and non-Web targets. An upcoming release of Access Manager will enable federation for applications written in the Java, C, and C# programming languages.

Q: Does Access Manager work in agent or proxy mode?

Access Manager works in both agent and proxy modes. We recommend agent mode because it accommodates high availability, scalability, and reliability in Policy Agents, which offer failover and robust session management capabilities.

Q: Does Access Manager support mobile Web access?

Yes. An initial step in authentication is to identify the type of client that's making the request—a task called client detection. Through the URL, Access Manager retrieves the client's characteristics and then returns the authentication page according to those characteristics. For example, once Access Manager determines if a user requested access from a desktop browser or from a cell phone, Access Manager displays the appropriate interface for authentication. After successful authentication, the client type travels with the user's session and informs other participating applications.

Out of the box, Access Manager supports MSISDN-based authentication and authorization. When a mobile user accesses a protected resource, Access Manager determines the extent of privileges to grant that user by means of the MSISDN with which the mobile device authenticated. Because Access Manager supports Web access management, federation, and security for Web services, you can extend both the authentication and authorization mechanisms.

Q: Can I integrate Access Manager with enterprise applications and platforms?

Yes. By virtue of its open and standards-based design and resource adapters that enable integration in heterogeneous IT environments, Access Manager is ideal as a single point of authentication and authorization for enterprise applications. With Access Manager's authorization framework, applications can adopt a single, centralized policy decision point for granting user access through role- and rule-based access control. Depending on the values of the protected resources, Access Manager determines the appropriate authentication credentials required of users and allows only authorized users to access specific resources.

Q: Does Access Manager manage authentication and authorization caches? Does it use multilevel caching?

Access Manager uses caches at the level of the Policy Agents, which reside in the protected site or application, and at the policy server. Caching at the policy server occurs only rarely, however, as explained below.

Access Manager Policy Agents contain two caches: a session cache and a policy cache. When a user accesses a protected site, the following process takes place:

  1. The Policy Agent intercepts the request, determines whether the URL requires policy enforcement, and, if so, verifies that the user's session is valid by reading the session cookie.

    If the session is invalid, Access Manager redirects the user for authentication.

  2. If the Policy Agent cannot find the user's information in the session cache, the Policy Agent validates the session with the policy server, using the session cookie. Assuming that the session is valid, the session data is cached for the configured timeout period, which defaults to three minutes.

    Any subsequent requests that occur within the timeout period do not cause the Policy Agent to interact with the policy server; the Policy Agent trusts the cache.

  3. If the user's session information changes before the cache timeout expires, the policy server for that session directs all the related Policy Agents through a notification service to invalidate their caches immediately. For example, if a session is terminated before the cache expires, the Policy Agent immediately blocks any attempt to continue to access the protected application—regardless of the cache configuration or cache state.

Some networks contain a firewall that protects the secured site and the policy server—a firewall that does not allow the policy server to initiate connections to the Policy Agent. In those cases, you can set the Policy Agent to use polling mode to poll for cache changes at a more frequent interval than the normal cache expiration time.

Additionally, the Policy Agent contains a separate policy cache. When users attempt to access specific resources, the Policy Agent verifies the policies through the policy server. The decision is cached at the Policy Agent so that subsequent attempts to access the same resource do not require additional network traffic between the Policy Agent and policy server. The expiration service for the session cache also applies to the policy cache. For example, if you update a policy on the policy server, the latter directs the Policy Agent to immediately flush the policy from the cache through the notification service (or the polling service if notification is not allowed by firewalls)—even if the cache has not yet expired.
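The behaviour described above (session cache and policy cache with a timeout, immediate invalidation through the notification service, and polling when a firewall prevents the policy server from reaching the agent) is modelled below as an added example. This is a self-contained simulation written for this FAQ, not Policy Agent or policy server code: the `PolicyServer` and `PolicyAgent` classes, the event tuples, the sample session `tok-alice`, and the `/app/` policy are all constructed. The default cache lifetime of three minutes appears as `cache_ttl=180.0`, and the clock is injectable so the expiry path can be exercised without waiting.

```python
import time
from typing import Callable, Dict, List, Optional, Tuple


class PolicyServer:
    """Constructed stand-in for the policy server: owns sessions and policies and
    pushes cache invalidations to registered agents (all names are assumptions)."""

    def __init__(self) -> None:
        self.sessions = {"tok-alice": {"uid": "alice", "valid": True}}  # constructed sample session
        self.allowed = {"/app/": {"alice"}}                              # URL prefix -> permitted uids
        self.agents: List[Tuple["PolicyAgent", bool]] = []               # (agent, may server push?)
        self.queued: List[Tuple[str, str]] = []                          # events awaiting a poll
        self.session_lookups = 0
        self.policy_lookups = 0

    def register(self, agent: "PolicyAgent", notifications: bool) -> None:
        self.agents.append((agent, notifications))

    def validate_session(self, token: str) -> Optional[dict]:
        self.session_lookups += 1
        session = self.sessions.get(token)
        return dict(session) if session and session["valid"] else None

    def decide(self, token: str, url: str) -> bool:
        self.policy_lookups += 1
        session = self.sessions.get(token)
        if not session or not session["valid"]:
            return False
        return any(url.startswith(p) and session["uid"] in uids for p, uids in self.allowed.items())

    def terminate_session(self, token: str) -> None:
        self.sessions[token]["valid"] = False
        self._notify(("session", token))

    def update_policy(self, prefix: str, uids) -> None:
        self.allowed[prefix] = set(uids)
        self._notify(("policy", prefix))

    def _notify(self, event: Tuple[str, str]) -> None:
        for agent, notifications in self.agents:
            if notifications:
                agent.invalidate(event)     # firewall permits server-initiated connections
            else:
                self.queued.append(event)   # agent behind a firewall has to poll for it

    def poll(self) -> List[Tuple[str, str]]:
        events, self.queued = self.queued, []
        return events


class PolicyAgent:
    """Constructed model of a Policy Agent holding a session cache and a policy cache."""

    def __init__(self, server: PolicyServer, protected=("/app/",), cache_ttl: float = 180.0,
                 clock: Callable[[], float] = time.monotonic, notifications: bool = True) -> None:
        self.server, self.protected, self.ttl, self.clock = server, protected, cache_ttl, clock
        self.session_cache: Dict[str, Tuple[dict, float]] = {}             # token -> (session, expiry)
        self.policy_cache: Dict[Tuple[str, str], Tuple[bool, float]] = {}  # (token, url) -> (allowed, expiry)
        server.register(self, notifications)

    def invalidate(self, event: Tuple[str, str]) -> None:
        kind, key = event
        if kind == "session":   # terminated session: drop it and every decision cached for it
            self.session_cache.pop(key, None)
            self.policy_cache = {k: v for k, v in self.policy_cache.items() if k[0] != key}
        else:                   # changed policy: drop cached decisions under that prefix
            self.policy_cache = {k: v for k, v in self.policy_cache.items() if not k[1].startswith(key)}

    def poll(self) -> None:
        """Polling mode: fetch queued invalidations instead of waiting for a push."""
        for event in self.server.poll():
            self.invalidate(event)

    def _fresh(self, cache: dict, key):
        entry = cache.get(key)
        if entry is not None and entry[1] > self.clock():
            return entry[0]
        cache.pop(key, None)    # absent or expired
        return None

    def handle(self, token: str, url: str) -> str:
        if not any(url.startswith(p) for p in self.protected):
            return "allow"                                   # URL needs no policy enforcement
        session = self._fresh(self.session_cache, token)
        if session is None:                                  # step 2: ask the policy server
            session = self.server.validate_session(token) if token else None
            if session is None:
                return "redirect-to-login"                   # step 1: invalid session
            self.session_cache[token] = (session, self.clock() + self.ttl)
        allowed = self._fresh(self.policy_cache, (token, url))
        if allowed is None:                                  # policy cache miss
            allowed = self.server.decide(token, url)
            self.policy_cache[(token, url)] = (allowed, self.clock() + self.ttl)
        return "allow" if allowed else "deny"
```

Two things are worth noticing when running it. First, the counters on the server show that repeated requests inside the timeout never reach it. Second, in polling mode the agent keeps serving a stale decision until its next poll, which is why the text recommends a polling interval shorter than the cache expiry when the firewall blocks notifications.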

The other level of caching exists at the policy servers and is seldom used in properly configured networks and content switches. Here, Access Manager manages caching through "sticky" sessions. In an environment in which multiple servers collaborate for scaling and availability, the user's SSO token contains information that reveals which Access Manager policy server created the session. Rather than randomly balancing the servers with a content switch (load balancer), the Policy Agent contacts the Policy Server in question to query the session state.

If the Policy Agent is directed to an incorrect server, such as in the case of a misconfigured content switch, that server inspects the session token to determine the correct server and forwards the request by proxy there on behalf of the user or Policy Agent. When the correct server responds, the incorrect one sends the response back to the Policy Agent and retains a copy of the information in its own local cache—in case the content switch that incorrectly forwarded the request errs again.

To optimize scalability and performance, Access Manager does not synchronize or replicate user sessions across all policy servers within a cluster of servers. Instead, Access Manager uses sticky session balancing as described above and caches or replicates sessions only when necessary to ensure session recovery and continued availability.
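The sticky-session routing just described (the token identifies the server that created the session, the agent contacts that server directly, and a misrouted server proxies the query to the owner and keeps a local copy) is shown below as an added example. It is illustration code written for this FAQ, not Access Manager code; in particular the token format `<uid>-<n>@<server_id>` is constructed purely so that the owning server can be read out of the token, and the class and function names are assumptions.

```python
from typing import Callable, Dict, Optional


def token_owner(token: str) -> str:
    """Read the originating server id out of a constructed token of the form uid-n@server."""
    return token.rsplit("@", 1)[-1]


class AmServer:
    """Constructed model of one policy server in a cluster."""

    def __init__(self, server_id: str, cluster: Dict[str, "AmServer"]) -> None:
        self.server_id = server_id
        self.cluster = cluster
        cluster[server_id] = self
        self.sessions: Dict[str, dict] = {}      # sessions this server created (authoritative)
        self.local_cache: Dict[str, dict] = {}   # copies obtained from the owning server
        self.proxied = 0                         # how often this server had to forward a query

    def create_session(self, uid: str) -> str:
        token = f"{uid}-{len(self.sessions)}@{self.server_id}"  # constructed token format
        self.sessions[token] = {"uid": uid, "owner": self.server_id}
        return token

    def lookup(self, token: str) -> Optional[dict]:
        owner = token_owner(token)
        if owner == self.server_id:                  # we created it: answer from our own table
            return self.sessions.get(token)
        if token in self.local_cache:                # misrouted before: answer from the local copy
            return self.local_cache[token]
        owner_server = self.cluster.get(owner)
        if owner_server is None:                     # unknown server id in the token
            return None
        self.proxied += 1                            # forward to the correct server on the agent's behalf
        session = owner_server.lookup(token)
        if session is not None:
            self.local_cache[token] = session        # keep a copy in case the switch errs again
        return session


def agent_query(cluster: Dict[str, AmServer], token: str, sticky: bool = True,
                pick: Optional[Callable[[Dict[str, AmServer]], AmServer]] = None) -> Optional[dict]:
    """Policy Agent side: with sticky routing, go straight to the owner named in the token;
    otherwise let a (possibly misconfigured) content switch choose the server."""
    pick = pick or (lambda c: next(iter(c.values())))
    owner = cluster.get(token_owner(token)) if sticky else None
    target = owner if owner is not None else pick(cluster)
    return target.lookup(token)


if __name__ == "__main__":
    cluster: Dict[str, AmServer] = {}
    am1, am2 = AmServer("am1", cluster), AmServer("am2", cluster)
    tok = am1.create_session("alice")
    print(agent_query(cluster, tok), am2.proxied)
```

The local copy kept by the misrouted server is a cache, not a replica: if the owning server later terminates the session, that copy is stale until it is invalidated, which is the same concern the notification service addresses for Policy Agent caches.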

Note: Access Manager does include a session failover scheme that relies on redundant, lightweight session databases—not part of the policy servers—connected through messages queues. You can enable or disable this scheme.

Q: Does Access Manager support multifactor authentication technologies (tokens, certificates, and biometrics)?

Yes, Access Manager supports multifactor authentication by numerous means, including tokens, certificates, and smart cards. Authentication modules are plug-ins, which you can customize, develop, and deploy through the software development kit (SDK). That means you can adapt Access Manager to perform custom authentication, integrate with third-party authentication products that contain no modules, implement cross-product SSO, and extend federation to custom mechanisms.

Q: Can I "silently" install Access Manager components or supporting systems, such as directories, Web servers, and application servers?

Access Manager, Sun Java System Directory Server (henceforth, Directory Server), and their components allow silent installation, which enables responses to all installation-related questions to be configured in a file. Installation is then automatic with no administrator intervention. So, besides being handy for sites that require many instances, silent installation simplifies disaster recovery by replicating a previously installed configuration.

You can also direct the install wizard to perform an interactive installation and to save all the responses to a file. That way, subsequent silent installations can occur seamlessly.

Q: What hardware does Access Manager require?

The minimum configuration for a deployment is a single host server that runs Access Manager and a Web container, such as Sun Java System Web Server. You can run Directory Server on the same server or a different one; usually, you install Directory Server and Access Manager on different servers. For optimum performance, run Access Manager on an Ethernet network that is 100 Mbytes or greater.

For multiple deployments, install Access Manager instances and their respective Web containers on different servers with a load balancer that distributes client requests to the Access Manager instances.

A minimum Access Manager deployment must contain one or more CPUs, with greatly diminishing returns on processor performance after four CPUs. Two to four CPUs per server are recommended.

A minimum of 512 Mbytes of RAM is required for basic testing. For actual deployments, 1 Gbyte of RAM is recommended for threads, the Access Manager SDK, the HTTP server, and other internals; 2 Gbytes for basic operation and object allocation space; and 100 Mbytes per 10,000 concurrent sessions. We recommend that each Access Manager instance be limited to 100,000 concurrent sessions. Beyond that limit, assuming a 4-Gbyte memory limitation of 32-bit applications, we recommend that you apply horizontal load balancing.
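The sizing rules in the previous paragraph (1 Gbyte for internals, 2 Gbytes for operation and object allocation, 100 Mbytes per 10,000 concurrent sessions, at most 100,000 sessions per instance, and horizontal scaling within the 4-Gbyte limit of a 32-bit process) are turned into a small capacity calculator below. This is an added example for this FAQ, not a Sun sizing tool; the constants are the page's figures, and the `plan` function and its output keys are assumptions.

```python
import math

# Figures taken from the recommendations above (Mbytes).
RAM_BASE_MB = 1024 + 2048           # 1 Gbyte for threads/SDK/HTTP server + 2 Gbytes for operation
RAM_PER_10K_SESSIONS_MB = 100       # 100 Mbytes per 10,000 concurrent sessions
MAX_SESSIONS_PER_INSTANCE = 100_000 # recommended ceiling per Access Manager instance
ADDRESS_SPACE_LIMIT_MB = 4096       # 32-bit application limit assumed in the text


def ram_for_sessions(sessions: int) -> int:
    """RAM an instance needs for a given number of concurrent sessions, rounded up per 10,000."""
    return RAM_BASE_MB + math.ceil(sessions / 10_000) * RAM_PER_10K_SESSIONS_MB


def plan(expected_sessions: int) -> dict:
    """Spread the expected concurrent sessions over the minimum number of instances
    that respects the per-instance ceiling, then size the RAM of each instance."""
    instances = max(1, math.ceil(expected_sessions / MAX_SESSIONS_PER_INSTANCE))
    per_instance = math.ceil(expected_sessions / instances)
    ram = ram_for_sessions(per_instance)
    return {
        "instances": instances,                         # > 1 means horizontal load balancing
        "sessions_per_instance": per_instance,
        "ram_mb_per_instance": ram,
        "fits_32bit": ram <= ADDRESS_SPACE_LIMIT_MB,    # sanity check against the 4-Gbyte limit
    }


if __name__ == "__main__":
    for n in (50_000, 100_000, 250_000):
        print(n, plan(n))
```

Note that the per-instance RAM never exceeds the 4-Gbyte limit as long as the 100,000-session ceiling is respected, which is exactly why the text recommends scaling out rather than up beyond that point.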

Q: Can you provide any benchmarking data for federation?

Several customers who adopt Sun's federation solution have deployments in excess of 1 million users each. Sun can provide benchmarking results from federation with Access Manager and Federation Manager upon request.

Q: How do I secure administrative and management tasks on Access Manager?

You can protect administration and management operations on the Access Manager Web interface (Administration Console) by means of SSL encryption for the HTTP traffic and through strong authentication for administrators.

For operating-system administration and operations, use standard OS-level protection mechanisms. Examples are Secure Shell (SSH), prohibition of root logins, restricted access, and access monitoring.

Q: Does Access Manager support distributed administration through a Web interface?

You can perform all standard management and configuration tasks—managing authentication domains and entities, managing Web services, administering SAML, customizing authentication—with the same interfaces on Access Manager: the Web-based GUI (Administration Console) or the command line.

Q: What federation-related monitoring tools are available in Access Manager? What activities does Access Manager log?

Both Access Manager and Federation Manager record all event data in order to meet specific requirements for auditability and to ensure regulatory compliance. Federation Manager writes the log to a file system or a database, and reports can be generated from the log with third-party tools.

Q: Does Access Manager enforce centralized security policies of user entitlements by leveraging role- and rule-based access control?

Yes, Access Manager supports role-based access control (RBAC) in the established sense: the assignment and removal of role-based privileges, which you can collect in the Policy Store for policy enforcement or SAML assertion exchanges. You can also store the privileges in native stores for policy enforcement by native applications.

In addition, you can set rules on roles (users, groups, organizations, resources) and eliminate hard requirements for roles. To better serve Web-based intranets, make policies resource-centric instead of user-centric. For a given resource, you can define who can access that resource and in what way. Out of the box, Access Manager can handle non-Boolean decisions, for example, "What access level is allowed for this user?" Furthermore, you can delegate policy administration to the account holder or a help-desk assistant.

Q: Can I integrate other platforms with Access Manager and can I customize services?

Yes. Access Manager is based on the Java 2 Platform, Enterprise Edition (J2EE platform) architecture, which you can extend and integrate with enterprise applications. Because Access Manager is a J2EE application and runs in a servlet engine, you have many choices in deployment platform: IBM WebSphere, BEA WebLogic, Sun Java System Web Server, or Sun Java System Application Server.

You can replicate Access Manager's operational services (authentication, authorization, session management, logging, and naming service) for scalability, failover, and enhanced performance. You can also secure applications by Policy Agents or reverse proxy.

Q: How do I determine if my Access Manager 7.x installation is running in realm mode or legacy mode?

On your browser, go to protocol://FQDN:portnumber/amserver/SMSServlet?method=isRealmEnabled

For example: http://yourhost.domain:8080/amserver/SMSServlet?method=isRealmEnabled

If the server returns true, Access Manager is running in realm mode; otherwise, it's running in legacy mode.
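The check above can be scripted, which is useful when you manage several instances. The script below is an added example for this FAQ and not a Sun-supplied tool: it builds the `SMSServlet?method=isRealmEnabled` URL from the base `protocol://FQDN:portnumber` address, fetches it, and maps the reply to a mode. The `fetcher` parameter is an assumption that lets the function be exercised without a live server, and the assumption that the servlet answers with a plain-text `true` or `false` body follows the wording above.

```python
import urllib.request
from typing import Callable
from urllib.parse import urlsplit, urlunsplit

REALM_CHECK_PATH = "/amserver/SMSServlet"
REALM_CHECK_QUERY = "method=isRealmEnabled"


def realm_mode_url(base_url: str) -> str:
    """Turn protocol://FQDN:portnumber into the isRealmEnabled query URL."""
    parts = urlsplit(base_url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"expected protocol://FQDN:port, got {base_url!r}")
    return urlunsplit((parts.scheme, parts.netloc, REALM_CHECK_PATH, REALM_CHECK_QUERY, ""))


def fetch(url: str, timeout: float = 5.0) -> str:
    """Default fetcher: plain HTTP(S) GET returning the body as text."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def deployment_mode(base_url: str, fetcher: Callable[[str], str] = fetch) -> str:
    """Return 'realm', 'legacy', or 'unknown' (anything other than true/false, e.g. an error page)."""
    body = fetcher(realm_mode_url(base_url)).strip().lower()
    if body == "true":
        return "realm"
    if body == "false":
        return "legacy"
    return "unknown"


if __name__ == "__main__":
    import sys
    for base in sys.argv[1:]:
        print(base, deployment_mode(base))
```

Treat an `unknown` result as something to look at rather than ignore: it usually means the request reached a login page, a proxy error, or a different web container path than `/amserver`.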

Q: How do I change the password for amadmin?

Use the ampassword utility at /opt/SUNWam/bin/. For details, see the related documentation.

Q: Where can I download Access Manager?

Download from the Access Manager download site.

Alternatively, download the Sun Java Enterprise System bundle, which includes Access Manager.
