Installing the Application Server 9.1 / GlassFish 2.1 Agent on the Domain Administration Server (DAS) (Sun OpenSSO Enterprise Policy Agent 3.0 Guide for Sun Java System Application Server 8.1/8.2/9.0/9.1 and GlassFish)

Sun OpenSSO Enterprise Policy Agent 3.0 Guide for Sun Java System Application Server 8.1/8.2/9.0/9.1 and GlassFish

Previous: Application Server 9.1 or Sun GlassFish 2.1 Cluster Deployment Scenario
Next: Configuring the Application Server 9.1 / GlassFish 2.1 Agent in the Cluster

Installing the Application Server 9.1 / GlassFish 2.1 Agent on the Domain Administration Server (DAS)

The Domain Administration Server (DAS) manages the cluster.

To Install the Application Server 9.1 / GlassFish 2.1 Agent on the DAS

Download and unzip the appserver_v9_agent_3.zip distribution file in a directory that can be accessed by the DAS instance.

Follow the instructions described in Downloading and Unzipping the appserver_v9_agent.zip Distribution File.

Create an agent password file, as described in Creating a Password File.

Stop all GlassFish domains, instances, and node agents before starting the installation process.

Otherwise, you might lose the OpenSSO policy agent installation changes in the DAS domain.xml file.

Install the agent using the agentadmin --custom-install option, as described in Installing the Application Server and GlassFish Agent. The installer prompts you for the following values:
- CONFIG_DIR is the path to the GlassFish configuration directory.
- INSTANCE_NAME should be the default value server.
- AM_SERVER_URL is URL where OpenSSO server is running. For example: http://openssohost.example.com:8080/opensso
- DAS_HOST_IS_REMOTE should be false.
- AGENT_URL is the agent URL. For example: http://agenthost.example.com:8090/agentapp
- AGENT_ENCRYPT_KEY is the key used to encrypt the agent profile password. Use the default value or specify a new value as described in Table 1.
- AGENT_PROFILE_NAME is the agent profile name. This guide uses remotecluster as the name.
- AGENT_PASSWORD_FILE is the agent profile password file, which is an ASCII text file with only one line specifying the agent profile password in plain text.
- CREATE_AGENT_PROFILE_NAME should be false in this scenario.
- AGENT_ADMINISTRATOR_NAME should be blank, unless you have created an agent administrator.
- AGENT_ADMINISTRATOR_PASSWORD_FILE should be blank, unless you have created an agent administrator and corresponding password file.
- REMOTE_INSTANCE_LOCAL_DAS should be false.
- AGENT_INSTANCE_NAME should be blank.
- REMOTE_AGENT_INSTALL_DIR should be blank.
For an example response file for a silent installation, see Silent Agent Installation and Configuration Response File.

In the OpenSSO Console, create an agent profile, as described in Creating an Agent Profile.

For the agent profile Name (remotecluster used in examples), Password, Server URL, and Agent URL, use same values you specified during the agent installation in the previous step. For Configuration, specify Centralized (the default).

Silent Agent Installation and Configuration Response File

The following example shows a response file named agentinstall.inf that you could use as input for a silent installation and configuration of the agent to the DAS instance. To use this file, invoke the following command:

./agentadmin custom-install useResponse agentinstall.inf

## Agent User Response File START OF FILE 
CONFIG_DIR= /export/sun/gf2.1/domains/telco/config 
INSTANCE_NAME= server 
AM_SERVER_URL= http://openssohost.example.com:8080/opensso
DAS_HOST_IS_REMOTE= false 
AGENT_URL= http://is-lb-2.example.com:38181/agentapp 
AGENT_ENCRYPT_KEY= cW18Pj2R9Mt7mdvzDUL5+LMMUhm+qeIp 
AGENT_PROFILE_NAME= remotecluster 
AGENT_PASSWORD_FILE= /tmp/pass 
CREATE_AGENT_PROFILE_NAME= false 
AGENT_ADMINISTRATOR_NAME= 
AGENT_ADMINISTRATOR_PASSWORD_FILE= 
REMOTE_INSTANCE_LOCAL_DAS= false 
AGENT_INSTANCE_NAME= 
REMOTE_AGENT_INSTALL_DIR= 
##Agent User Response File END OF FILE

Changes Made by the Agent Installer

The policy agent installer (agentadmin) makes following changes in the DAS instance:

Adds the Java Class Path Suffix with the JAR and locale files of the agent to the domain.xml file for the server-config target only (because server was the instance name specified during the installation). This change is not made to the default-config or the agents30-config targets. This distinction is critical to make sure you properly configure the agent to protect the applications deployed on the target agents30-config. For example:
```
${path.separator}/export/sun/j2ee_agents/appserver_v9_agent/lib/agent.jar\$
{path.separator}/export/sun/j2ee_agents/appserver_v9_agent/lib/openssoclientsdk.-
jar\${path.separator}/export/sun/j2ee_agents/appserver_v9_agent/locale\$
{path.separator}/export/sun/j2ee_agents/appserver_v9_agent/Agent_001/config
```
where:
- /export/sun is the base directory (BASE_DIR) where you unzipped the agent distribution file (appserver_v9_agent_3.zip).
- Agent_001 identifies the agent instance that was created during installation.

Adds the JVM option for the target server-config to enable the policy agents logging:

- Djava.util.logging.config.file=<BASE_DIR>/j2ee_agents/appserver_v9_agent/config/
OpenSSOAgentLogConfig.properties

Adds the following J2EE permissions to read the agent JAR files in the server.policy file:

grant codeBase "file:<BASE_DIR>/j2ee_agents/appserver_v9_agent/lib/*" { 
permission java.security.AllPermission; 
};

Adds the agent realm in config/login.conf as follows:

agentRealm {
com.sun.identity.agents.appserver.v81.AmASLoginModule required;
};

Creates a new default authentication realm named agentRealm for the server instance.

Now, you must apply these changes to the cluster configuration so the applications deployed on the cluster can be protected by the agent.