Check out the recently released book "Sun Web Server: The Essential Guide". In my opinion, this book is a must have for all Sun Web Server administrators. Reading product documentation from docs.sun.com is always a good thing but in my view this can sometimes become somewhat monotonous when compared to reading a well written book that captivates and gets your attention. This Sun Web Server book has been carefully thought of and is very well written. It has concrete and easy to understand examples with good explanations about web server internals. Apart from web administrators, I think this book will also be useful for developers and architects interested in understanding Sun Web Server internals and extending the server functionality. So go ahead and check this book out, I bet you will like it!

If Sun Identity Manager version 8.1 is deployed with a Load Balancer or Reverse HTTP Proxy server in front of it and you need to log the IP address of the actual client in Audit logs, then you need to configure Identity Manager (IdM) to pick the client IP address from the HTTP request headers. For example, if the Load Balancer sends the actual client IP address in the "X-Forwarded-For" HTTP request header, then you would have to modify the IdM "Waveset.properties" file to make it read this header and log the client IP address from it. To do this, edit the "Waveset.properties" file and set "client.headerIPVariable" as follows:
client.headerIPVariable=X-Forwarded-For
Save the "Waveset.properties" file and restart the IdM server. Now when a user logs in to IdM, you should see the IP address of the actual client rather than the Load Balancer IP address being logged in IdM Audit logs. Sometimes the "X-Forwarded-For" header of an incoming HTTP request can contain multiple IP addresses like "<Client IP>, <Proxy IP>, <Load Balancer IP>". In this case, I noticed that IdM 8.1 logs all three IP addresses, which is nice.
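An added example (not from the original post and not IdM code) for reviewing audit entries that carry a multi-address X-Forwarded-For value: a client can send its own X-Forwarded-For header, which each proxy then appends to, so only the entries added by your own proxies are reliable. The trusted networks, function names and sample addresses below are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: networks of the proxies / load balancers you operate (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.0.2.10/32")]


def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(xff_value, peer_ip):
    """Return (client_ip, unverified_hops) for one X-Forwarded-For value.

    peer_ip is the address that connected directly to the application server.
    unverified_hops are entries to the left of the resolved client: they were
    supplied by the client itself and must not be treated as evidence.
    """
    hops = [h.strip() for h in xff_value.split(",") if h.strip()]
    chain = hops + [peer_ip]  # oldest hop first, direct peer last
    # Walk from the server side outwards. Each trusted proxy vouches only
    # for the single entry immediately to its left.
    for i in range(len(chain) - 1, -1, -1):
        try:
            addr = ipaddress.ip_address(chain[i])
        except ValueError:
            # Not an IP address (e.g. injected text): no client can be resolved.
            return None, chain[: i + 1]
        if not is_trusted(addr):
            return str(addr), chain[:i]
    return None, []  # every hop was one of our own proxies


if __name__ == "__main__":
    # Constructed samples: (header value as logged, direct peer address)
    samples = [
        ("203.0.113.7, 10.0.0.5", "192.0.2.10"),                # normal chain
        ("127.0.0.1, 198.51.100.23, 10.0.0.5", "192.0.2.10"),   # forged first entry
        ("10.0.0.9", "198.51.100.50"),                          # proxy bypassed
    ]
    for xff, peer in samples:
        print(xff, "->", resolve_client_ip(xff, peer))
```
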

I have come across many customers trying to integrate Sun Identity Manager (IdM) and Sun Role Manager (SRM) products and I thought this would be a good topic to write about. In an environment where Sun IdM is already deployed, Sun Role Manager (SRM) can connect to IdM using the SPML interface and then it can be used to import user data. In such an integration, Sun IdM and SRM need to be configured to allow using SPML as the way of exchanging provisioning information.

Here are the high level steps to configure this integration between SRM and IdM:
- Log in to SRM and navigate to Administration->Configuration->Provisioning Servers. Click on the New Provisioning Server Connection button and select Sun from the list.
- Enter the following information on the "New Provisioning Server Connection" screen:
  * Connection Name - Enter a name for the new connection being created with the Sun IdM. This connection name is used during the import process instead of the Host Name and Port, which are difficult to remember, e.g. "Sun IDM Connection"
  * SPML URL - The SPML URL pattern is http://host:port/idm/servlet/rpcrouter2, e.g. http://localhost:8080/idm/servlet/rpcrouter2
  * User Name - "configurator"
  * Password - "**********"
  * Check Role Consumer if you want to enable ad-hoc roles transfer and update between SRM and Sun IdM
- Log in to Sun IdM as "configurator" and navigate to Configure->Import Exchange File and import the "rm_idm_init.xml" and "spml.xml" files. The "rm_idm_init.xml" file can be obtained from the SRM installation (look under the $SRM_HOME/conf/spml directory). This completes the SRM-IdM integration configuration.
- To import users or accounts from Sun IdM, log in to SRM and navigate to Administration->Configuration->Import/Export. Click on Schedule Job, select the Sun IDM connection that was set up in step 2 and click on Next. You can check the "Run Job Now?" check box to trigger the user import job immediately, or you can schedule the user import job for a future date. Similarly, you can import accounts by clicking on the Import Accounts link in the schedule job window.