J2EE Policy Agents Guide |
Chapter 6
Securing Identity Manager Software With a Policy AgentThis chapter applies to deployment scenarios where a J2EE policy agent protects Sun Java System Identity Manager software 5.0 SP2 and establishes single sign-on (SSO) with Sun ONE Identity Server 6.0 and higher software.
Topics in this chapter include:
"Deployment Facts and Considerations"
"The Policy Agent Installation"
"Configuring the Identity Manager Software"
"Provisioning Users Using Identity Manager Software"
"Protecting Identity Manager Using URL Policies"
"How to Troubleshoot the Agent Configuration"
Deployment Facts and ConsiderationsA deployment that uses a Sun ONE Identity Server policy agent to secure Sun Java System Identity Manager software provides various benefits. Foremost, this type of deployment allows single sign-on (SSO) integration between Sun Java System Identity Manager software and Sun ONE Identity Server software. Furthermore, you can use Identity Server to define URL policies that govern access to Identity Manager software web resources.
To understand this chapter, you are expected to have familiarity with Identity Manager software and the application server or J2EE container on which the Identity Manager is installed. While this chapter provides guidance for deploying Sun Java System Identity Manager software with Sun ONE Identity Server software using a policy agent, you need to consult other sources of documentation. For example, refer to other sections of this guide, especially Chapter 2, "Installing the Agent." Moreover, refer to the Sun Java System Identity Manager software documentation that comes with that product.
The Policy Agent InstallationThis section presents areas to consider about policy agent installation. Even if the agent has already been installed, this section provides important information about specific settings.
Ensure that application server you are using is supported by both Identity Manager software and by Identity Server software. For example, Sun ONE Application Server 7.0 is supported by both. A list of supported application servers for Identity Manager software, can be found in the Identity Manager documentation. For Identity server, see "Supported Servers".
To install the agent, refer to the proper section of Chapter 2, "Installing the Agent," for your specific agent. Settings of importance for the installation are as follows:
- For the agent filter mode, choose SSO_ONLY. If you later want to create URL policies, at that time, update the AMAgent.properties file by changing the agent filter mode to URL_POLICY mode.
- For the primary application context path, specify the context root for Identity Manager software.
- Skip the creation of Role-to-Principal mapping section in the install.
Configuring the AgentAfter you have completed the post-installation tasks, configure the policy agent to set up an HTTP header named sois_user. Identity Manager uses this HTTP header to identify the authenticated user and then maps that authenticated user to a user in its repository.
To enable the policy agent to set up HTTP headers
- Update the AMAgent.properites file by editing two properties as follows:
- (Conditional) Only perform this step if the hotswap mechanism of the policy agent is disabled. If the hotswap mechanism is disabled, the Configuration Reload Interval property is set as follows:
com.sun.am.policy.config.load.interval = 0
If the hotswap mechanism is disabled, restart the application server.
Configuring the Identity Manager SoftwareAfter you have completed the installation of the policy agent, configure the Identity Manager software to allow SSO with the Sun ONE Identity Server software by performing the following general tasks:
Adding the Resource Adapter
The SunONEIdentityServer resource adapter provides a login module that enables SSO between the policy agent and Identity Manager. The first task is to add the adapter, using the Identity Manager administrative console.
To add the resource adapter
- Using an Internet browser, go to:
http://hostname:port/idm-context-root/login.jsp
For example:
http://example.com:8080/idm/login.jsp
Since the agent is already installed and configured, the Identity Server Login Page displays in the browser.
- Enter a valid user ID and password. For example, the credentials for amAdmin or any Identity Server software user work for this step.
The Identity Manager administrative login page appears.
- Log in as Identity Manager Configurator user.
The Identity Manager administrative console appears.
- Select the Configure tab.
- In the left-hand menu, select Managed Resources.
The Configure Managed Resources page appears.
- Under the Custom Resources heading and the Resource Class Path subheading, add the following string:
com.waveset.adapter.SunISResourceAdapter
- Click Add Custom Resource.
- Click Save.
Configuring the Resource Instance
At this point, the resource adapter has been added.
To configure a resource instance
- Using the Identity Manager administrative console, select the Resources tab.
- In the left-hand menu, select List Resources.
A box appears that contains a directory tree of resources.
- Under the box, in the drop-down list, select Sun ONE Identity Server if it is not already selected.
- If necessary, click Edit.
The SunONEIdentityServer resource wizard appears.
- Click Next.
The Resource Parameters page appears.
- Enter the details for the directory server. Here, directory server refers to the directory server used by the Identity Server software to which the policy agent will communicate. Enter the following information.
Resource
Parameters
Host
DirectoryServer-hostname
TCP Port
DirectoryServer-port
User
amAdmin
Password
amAdmin-password
Base Context
IdentityServer-root-suffix
- Click Test Configuration to test for a successful connection.
- If the test was successful, continue.
- If the test was unsuccessful, return to Step 6, and enter the correct information.
- Click Next.
The Account Attributes page of the wizard appears.
- Select the defaults.
- Click Next.
The Identity Template page of the wizard appears.
- Update the template by entering information in the Identity Template field that reflects a user DN of Identity Server.
For example:
uid=$uid$,ou=People,dc=example,dc=com
- Click Next.
The Identity Manager Parameters page appears.
- In the Display Name Attribute drop-down list, select a display name. For example, firstname.
- Locate the item named Top inside the Organizations box and move it to the Available To box.
- For the other options on this page, keep the defaults or update the information according to your requirements.
- Click Next
Creating a Login Module Group
To create a new Identity Server software login module group
- Using the Identity Manager administrative console, select the Configure tab.
- In the left-hand menu, select Login.
The Login page appears.
- Click Manage Login Module Groups.
The Login Module Groups page appears.
- Click New.
The Create Login Module Group page appears.
- In the Login Manager Group Name field, enter a name for the new login module group.
For example:
Access Manager Login Module Group
- Locate the item Top inside the Organizations box and move it to the Available To box.
- From the Assign Login Module drop down list, select Sun ONE Identity Server Login Module.
The Create Login Module Group page reappears, but with a new drop-down list available.
- In the newly available drop-down list, select SunONEIdentityServer.
The Modify Login Group page appears.
- From the Login success requirement drop-down list, select sufficient.
- Click Save.
The Create Login Module Group page reappears.
- In the Assign Login Module Groups drop-down list, select the Identity Manager User Id/Password Login Module.
The Modify Login Module page appears.
- In the Login success requirement drop-down list, select sufficient.
- Click Save.
The Create Login Module page reappears with a list of two login modules:
- Click Save to save the configuration.
- Verify the creation of the Identity Server Login Module group in the Manage Login Module Group page, which you can access by repeating steps 1—3.
Assigning the Login Module Group to Login Applications
You need to configure two interface login applications, the User Interface Login Application and the Administrative Interface Login Application.
Configuring the User Interface Login Application
- Using the Identity Manager administrative console, click the Configure tab.
- In the left-hand menu, click Login.
The Login page appears.
- Click the User Interface login application.
The Modify Login Application page appears.
- Select the newly created Identity Server Login Module Group from the Assign Login Module Groups drop-down list.
The Modify Login Application page reappears with the newly created group added to the list of login module groups.
- Remove the old Login Module group from the list as follows:
The new login module group for the user interface login application has now been configured.
Configuring the Administrative Interface Login Application
The steps to assign the Identity Server Login Module Group to Administrative Interface are the same as those described in "Configuring the User Interface Login Application", except instead of choosing User Interface Login Application, choose the Administrator Interface login application.
Provisioning Users Using Identity Manager SoftwareTo provision users using Identity Manager software
- Using the Identity Manager administrative console, click the Accounts tab.
- In the left-hand menu, select List Accounts if it is not already selected.
A box appears that contains user names.
- Select a user name:
Select an existing Identity Manager software user or create a new user:
- For an existing Identity Manager software user, perform the following:
- Select the user.
- Select Edit.
- For a new Identity Manager software user, perform the following:
Select User from the New drop down list.
After you perform one of the preceding tasks, the Create User or Edit User page appears. These pages have four tabs: Identity, Assignments, Security, and Attributes. You can navigate between these tabs without losing newly added data. However, select Save after all information is added.
- Select the Assignments tab.
- Locate the item SunONEIdentityServer inside the Available Resources list box and move it to the Current Resources list box.
- Select the Attributes tab.
- Enter the value for the uid (The uid is called user ID in Identity Server software).
- (Conditional) This step only applies if you are creating a new user. Select the Identity tab.
- (Conditional) This step only applies if you are creating a new user. Specify the user Account ID and password.
- Click Save.
- (Conditional) This step only applies if you are editing an existing user. In which case, the Update user_name Resource Accounts page is currently available in your browser. Review the information about the accounts that will be updated and click Save.
- Now that you are in the Create User Results page or the Update Resource Account Results page, click OK.
You are returned to the List Accounts page.
After successfully creating or updating a user, perform a simple test as explained in "Testing SSO Integration With Identity Server" to verify that SSO functions properly.
Note
When managing users who were created using Identity Server software, ensure that passwords are synchronized through Identity Manager software.
Testing SSO Integration With Identity Server
Testing SSO for users with administrative capabilities differs slightly from testing SSO for users without administrative capabilities as explained in the following subsections.
Testing SSO for Users With Administrative Capabilities
The best method for testing SSO is to keep your original browser instance open. This method maintains user sessions. Therefore, keep your browser connected to the Identity Manager administrative console. Then open a new browser window using a different browser (for example: open a new Mozilla/Firefox instance if you are currently using the IE instance).
- Using an Internet browser, go to:
http://hostname:port/application-context-root/login.jsp
For example:
http://example.com:8080/idm/login.jsp
The browser presents the Identity Server Login Page.
- Enter the user ID and password for the newly created user.
You should be presented with the Identity Manager administrative console.
If you are able to directly access the Identity Manager software Administrator page, then SSO is working and the test is successful.
Testing SSO for Users Without Administrative Capabilities
The best method for testing the SSO connection is to keep your original browser instance open. This method maintains user sessions. Therefore, keep your browser connected to the Identity Manager administrative console. Then open a new browser window using a different browser (for example: open a new Mozilla/Firefox instance if you are currently using the IE instance).
- Using an Internet browser, go to:
http://hostname:port/application-context-root/user/login.jsp
For example:
http://example.com:8080/idm/user/login.jsp
The browser presents the Identity Server Login Page.
- Enter the user ID and password for the newly created user.
The Identity Manager user profile page appears.
If you are able to directly access the user profile page, which displays links to Change Password and Change Other Account Attributes, then SSO is working and the test is successful.
Protecting Identity Manager Using URL PoliciesDepending upon your environment needs, you might want to use Identity Server software to define URL policies that protect Identity Manager software. For example, you could assign authorization to specific users to access Identity Manager software.
The following procedure is an overview of the steps for creating a URL Policy. However, consult the administration guide for Sun ONE Identity Server software or the administration guide for Sun Java System Access Manager for detailed information about creating policies.
To create a simple URL policy based enforcement
- Log in to the Identity Server software as Administrator.
- Create a new policy.
The following are guidelines for that policy
- Give the policy a relevant name, such as IDMGR.
- Apply the following rules:
- http://hostname:port/application-context-root
where hostname and port refer to the Identity Manager software
where actions are set to allow GET and POST commands.
- http://hostname:port/application-context-root/*
where hostname and port refer to the Identity Manager software
where actions are set to allow GET and POST commands.
- Assign one or more subjects to the IDMGR policy.
- Set the Agent Filter Mode property in the AMAgent.properties file to the following:
com.sun.am.policy.amFilter.mode = URL_POLICY
- (Conditional) If the hotswap mechanism is disabled, restart the application server.
How to Troubleshoot the Agent ConfigurationIf the agent does not operate as expected, you can follow the troubleshooting steps described in this section. You can set trace options to help you troubleshoot problems in Identity Manager software. However, refer to the Identity Manager Technical Reference for detailed information.
- Use the Identity Manager software debug pages to set trace options on the following class:
com.waveset.adapter.SunISResourceAdapter
- Also, set the debug level to “message” in the amagent.properties
- Restart the application Server
- Inspect the debug logs of the Policy Agent for troubleshooting information.