This section of the Readme contains late-breaking information related to using Access Manager with other components of the solution.
If you are using namespace versions 15.2 and 16.0 with a client application and have the property Services.Access Manager - Runtime.Authentication Source.Directory Server.Local Cache Enabled set to Yes in Configuration Manager, you may encounter the following error message:
"The namespace version must be equal for this operation. Upgrade the appropriate namespace and try again."
When local cache is enabled, Access Manager stores namespace information in the local cache file. Access Manager can only store information on namespaces with the same version in one file.
If you do not need to use the local cache capability, set the property to No before doing any more operations. If you want to use this capability, delete your current local cache file and recreate it. To recreate the cache file, access a client application that is secured against the namespace that you want to use when the directory server is not running.
If you try to add more than one object, such as namespaces, users, or user classes, that contain the same basic letter configuration and you are using Active Directory as your directory server, you may receive the following error message in Access Manager - Administration:
"An internal error has occurred in Access Manager."
Active Directory does not allow two objects to contain the same basic letter configuration. For example, you cannot add a user named "coté" and one named "cote".
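A pre-check for this restriction, added here as an example (it is not part of Access Manager or its documentation): it groups object names by their base letters so that colliding names are found before they are added. The folding rule (Unicode decomposition, combining marks dropped, case folded) is an assumed approximation of Active Directory's comparison, and the function names and sample names are constructed.

```python
import unicodedata
from collections import defaultdict


def base_letter_key(name: str) -> str:
    """Reduce a name to base letters: decompose, drop combining marks, fold case.

    Assumption: this approximates the directory's comparison. Letters with no
    Unicode decomposition (for example "ø") are left unchanged.
    """
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return stripped.casefold().strip()


def find_collisions(existing, candidates):
    """Return {key: [names]} for each base-letter key shared by two or more names."""
    groups = defaultdict(list)
    for name in list(existing) + list(candidates):
        # NFC first, so one name stored in two encodings is counted once.
        nfc = unicodedata.normalize("NFC", name)
        key = base_letter_key(nfc)
        if nfc not in groups[key]:
            groups[key].append(nfc)
    return {key: names for key, names in groups.items() if len(names) > 1}


def safe_to_add(existing, candidates):
    """Return the candidates that collide with nothing, in their original order."""
    collisions = find_collisions(existing, candidates)
    blocked = {name for names in collisions.values() for name in names}
    return [c for c in candidates
            if unicodedata.normalize("NFC", c) not in blocked]


if __name__ == "__main__":
    # Constructed sample data: names already in the namespace, and names to add.
    existing = ["cote", "Müller", "sales"]
    candidates = ["coté", "Muller", "finance", "Sales"]
    for key, names in find_collisions(existing, candidates).items():
        print(f"collision on '{key}': {', '.join(names)}")
    print("safe to add:", safe_to_add(existing, candidates))
```

Names reported as collisions need to be renamed or dropped from the batch before the add is attempted.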
When you use Access Manager Server Authentication Services with SSL enabled, you may receive the following error messages:
The solutions for these two problems are as follows:
If you enable audit logging for an Access Manager namespace, changes to userclass membership will be recorded using the Trusted Services Audit Logging service. Changes that are recorded include any users you add to or remove from userclasses, but do not include changes that result from renaming a user or a userclass.
If you have audit logging enabled with the Stop on Failure option set (the default) and a failure occurs when you are making modifications to a namespace, Access Manager will not save any of the auditable changes. If your modifications included changes that are not auditable (for example, to datasource memberships), some changes may be saved while others are reverted.
For example, if you are deleting a user with userclass memberships and access to various datasources, Access Manager removes the user from the userclasses, an auditable event, and from the datasource memberships, a non-auditable event. If audit logging fails during the deletion from the userclasses, Access Manager reverses the action, and the user will still belong to the userclasses. However, the user will no longer have access to the various datasources, because Access Manager has deleted the user from the datasource memberships in the directory server, and they cannot be restored.
Your security administrator should investigate why the audit logging failed, repair the problem, and then continue with the modifications to the namespace.
Note: Access Manager does not leave the namespace in a corrupted state.
You will be unable to authenticate to Windows client applications using single signon if you use an OS signon that does not include a domain qualification ("domain\userid").
To avoid this situation, you must update your OS signon to include the domain qualification. You can update your OS signon using either Access Manager - Administration or Access Manager - Batch Maintenance.
For more information, see the Access Manager Administrator Guide or the Access Manager Batch Maintenance Guide.
You may encounter a "kSecurityErrorNamespaceNameNotFound" error when logging into Upfront. This may occur when all of the following conditions apply to your environment:
To avoid this situation, add the certificate authority (CA) certificate for the LDAP server to both the Access Manager cert7.db file and the SunOne Web Server cert8.db file.
If you update a directory server namespace via a batch maintenance process when external user support is enabled, the namespace may be identified as corrupt when exported to an LAE file.
The corruption detection may be incorrect. To determine if the namespace is corrupt, run the AM_NamespaceCorruptionDetect utility. The AM_NamespaceCorruptionDetect utility, AM_NamespaceCorruptionDetect.exe, is installed in the installation_location/cern/bin directory.
If the AM_NamespaceCorruptionDetect utility reports a problem, contact customer support to resolve the problem.
You cannot configure the directory server for Series 7 via a secured port. You must first configure the directory server for Series 7 via a standard unsecured port and then secure the connection using SSL.