test

Sun OpenSSO Enterprise Policy Agent 3.0 Guide for Apache HTTP Server 2.2.x

Oracle OpenSSO Policy Agent 3.0 Guide for Apache HTTP Server 2.2.x

Last updated November 22, 2010

The Apache HTTP Server 2.2.x policy agent is a version 3.0 web agent that functions with Oracle OpenSSO to protect resources on Apache HTTP Server 2.2.x.

Contents

For general information about web policy agents, including the new features for version 3.0 agents, see Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents.

Note –

A version 2.2 web agent also exists for Apache HTTP Server 2.2.x. However, to use the new version 3.0 agent features, you must deploy the version 3.0 agent described in this guide.

Supported Platforms, Compatibility, and Coexistence for the Apache HTTP Server 2.2.x Agent

Supported Platforms for the Apache HTTP Server 2.2.x Agent

Table 1 Supported Platforms for the Apache HTTP Server 2.2.x Agent

Agent For 

Support Platforms 

Apache HTTP Server 2.2.x 

  • Solaris OS on SPARC and x86 platforms, versions 9 and 10, 32–bit and 64–bit

  • Red Hat Enterprise Linux Advanced Server 4.0 and 5.0, 32–bit and 64–bit

  • Microsoft Windows Server 2003, 32–bit only

  • Microsoft Windows Server 2008, 64–bit only

    Note: Apache HTTP Server 2.2.x, 32–bit agent only

  • Ubuntu 8.x Server Edition, 32-bit and 64-bit

  • SuSE Linux 9.x, 32-bit and 64-bit

  • Debian 4.x, 32-bit and 64-bit

  • IBM AIX 5.x and 6.1, 32–bit only

  • HP-UX 11i v2 or later, 32–bit with the integrated (built-in) Apache 2.2.x server only

    Note. The Apache HTTP Server 2.2.x agent is not supported on the Apache 2.2.x server manually installed on HP-UX.

  • Minor versions of the Apache HTTP Server 2.2.x web container are supported.

  • Minor versions of the supported platforms, including updates, service packs, and patches, are also supported.

  • Required libstdc++.so.5 library on Linux. The Apache HTTP Server 2.2.x agent requires libstdc++.so.5 to start properly on Linux systems. If necessary, install libstdc++.so.5 using the compat-libstdc++-33 package.

Compatibility With Access Manager 7.1 and Access Manager 7 2005Q4

Access Manager 7.1 and Access Manager 7 2005Q4 are compatible with version 3.0 policy agents. However, because Access Manager 7.1 and Access Manager 7 2005Q4 do not support centralized agent configuration, a version 3.0 agent deployed with Access Manager must store its configuration data locally in the OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties files. The OpenSSOAgentBootstrap.properties file contains the information required for the agent to start and initialize itself.

A version 3.0 agent automatically detects the host server it is accessing. In the case of Access Manager 7.1 or Access Manager 7 2005Q4, a version 3.0 agent will switch to local mode and use the properties from the agent's OpenSSOAgentConfiguration.properties file.

Coexistence With Version 2.2 Policy Agents

Oracle OpenSSO supports both version 3.0 and version 2.2 agents in the same deployment. The version 2.2 agents, however, must continue to store their configuration data locally in the AMAgent.properties file. Because the version 2.2 agent configuration data is local to the agent, the Oracle OpenSSO centralized agent configuration is not supported for version 2.2 agents. To configure a version 2.2 agent, you must continue to edit the agent's AMAgent.properties file.

For documentation about version 2.2 agents, see http://docs.sun.com/coll/1322.1.

Unsupported Oracle OpenSSO Features

The Apache HTTP Server 2.2.x agent does not support the following features:

Log File Rotation

The Apache HTTP Server 2.2.x agent does not support log file rotation, because the multi-process environment impairs the agent's capability to obtain the correct size of the log file. Without the correct log file size, the agent cannot rotate the file as intended.

Therefore, do not enable log rotation for the Apache HTTP Server 2.2.x agent, either in the OpenSSO Administration Console or by setting the com.sun.am.policy.agents.config.local.log.rotate property to true. Enabling log rotation can cause inconsistent and unpredictable results for the agent.

Notifications

The Apache HTTP Server 2.2.x agent does not support notifications, so maintaining the agent's SSO, policy, and configuration caches through a notification mechanism is not available.

Therefore, do not enable notifications for the Apache HTTP Server 2.2.x agent, either in the OpenSSO Administration Console or by setting the com.sun.identity.agents.config.notification.enable property to true. Enabling notifications can cause unpredictable behavior for the agent.

POST Data Preservation

The Apache HTTP Server 2.2.x agent does not support POST data preservation, where POST data is submitted to the server through HTML forms before users log in to Oracle OpenSSO.

Pre-Installation Tasks for the Apache HTTP Server 2.2.x Agent

Meeting the Requirements for the Apache HTTP Server 2.2.x Agent

Before you install the Apache HTTP Server 2.2.x agent, your deployment must meet these requirements:

Setting Your JAVA_HOME Environment Variable

The agent installation program requires the Java Runtime Environment (JRE) 1.5 or later. Before you install the agent , set your JAVA_HOME environment variable to point to the JDK installation directory for the JDK version you are using. If you have not set this variable (or if you set it incorrectly), the program will prompt you for the correct path.

Downloading and Unzipping the Agent Distribution File

ProcedureTo Download and Unzip the Agent Distribution File

  1. Login into the server where you want to install the Apache HTTP Server 2.2.xagent.

  2. Create a directory to unzip the agent distribution file.

  3. Download and unzip the agent distribution file, depending on your platform:

    Platform 

    Distribution File 

    Solaris SPARC systems, 64–bit 

    apache_v22_SunOS_sparc_64_agent_3.zip

    Solaris SPARC systems, 32–bit 

    apache_v22_SunOS_sparc_agent_3.zip

    Solaris x86 systems, 64–bit 

    apache_v22_SunOS_x86_64_agent_3.zip

    Solaris x86 systems, 32–bit 

    apache_v22_SunOS_x86_agent_3.zip

    Linux systems, 64–bit 

    apache_v22_Linux_64_agent_3.zip

    Linux systems, 32–bit 

    apache_v22_Linux_agent_3.zip

    Windows systems 

    apache_v22_WINNT_agent_3.zip

    IBM AIX systems 

    apache_v22_AIX_agent_3.zip

    HP-UX systems 

    apache_v22_HP-UX_agent_3.zip

    These distribution files are available from the Oracle E-Delivery Web site:

    http://edelivery.oracle.com/

    The following table shows the files and directories after you unzip the agent distribution file. These files are in the following directory:

    AgentHome/web_agents/apache22_agent, where AgentHome is where you unzipped the agent distribution file.

    For example: /opt/web_agents/apache22_agent

    File or Directory 

    Description 

    README.txt and license.txt

    Readme and license files 

    /bin

    • UNIX, Linux, and AIX systems: agentadmin, certutil, and crypt_util

    • Windows systems: agentadmin.bat, certutil.exe, and cryptit.exe

    /config

    Template, properties, and XML files 

    /data

    license.log file (Do not edit this file.)

    /etc

    dsame.template file

    /lib

    Library and JAR files 

    /locale

    Properties files 

    /installer-logs

    Log files after you install the agent 

Creating a Password File

A password file is an ASCII text file with only one line specifying the password in clear text. By using a password file, you are not forced to expose a password at the command line during the agent installation. When you install the Apache HTTP Server agent using the agentadmin program, you are prompted to specify paths to following password files:

ProcedureTo Create a Password File

  1. Create an ASCII text file for the password file. For example: /tmp/apache22agentpw

  2. If you want the agentadmin program to automatically create the agent profile in Oracle OpenSSO server during the installation, create another password file for the agent administrator. For example: /tmp/agentadminpw

  3. Using a text editor, enter the appropriate password in clear text on the first line in each file.

  4. Secure each password file appropriately, depending on the requirements for your deployment.

Creating an Agent Profile

A web agent uses an agent profile to communicate with Oracle OpenSSO server. For a version 3.0 agent, however, you must create an agent profile using any of these three methods:

ProcedureTo Create an Agent Profile in the Oracle OpenSSO Console

  1. Login into the Oracle OpenSSO Administration Console as amAdmin.

  2. Click Access Control, realm-name, Agents, and Web.

  3. Under Agent, click New.

  4. In the Name field, enter the name for the new agent profile.

  5. Enter and confirm the Password.

    Important: This password must be the same password that you enter in the agent profile password file that you specify when you run the agentadmin program to install the agent.

  6. In the Configuration field, check the location where the agent configuration properties are stored:

    • Local: In the OpenSSOAgentConfiguration.properties file on the server where the agent is installed.

    • Centralized: In the Oracle OpenSSO server central configuration data repository.

  7. In the Server URL field, enter the Oracle OpenSSO server URL.

    For example: http://openssohost.example.com:8080/opensso

  8. In the Agent URL field, enter the URL for the agent.

    For example: http://agenthost.example.com:8090/

  9. Click Create.

    The console creates the agent profile and displays the WebAgent page again with a link to the new agent profile.

    To do additional configuration for the agent, click this link to display the Edit agent page. For information about the agent configuration fields, see the Console online Help.

    If you prefer, you can also use the ssoadm command-line utility to edit the agent profile. For more information, see the Sun OpenSSO Enterprise 8.0 Administration Reference.

Setting the IBM JDK/JRE for IBM AIX Systems

ProcedureTo Set the IBM JDK/JRE for IBM AIX Systems

Perform this task only if you are installing the Apache HTTP Server 2.2.x agent on an IBM AIX system and you are using the IBM JDK/JRE.

  1. After you download and unzip the Apache HTTP Server 2.2.x agent distribution file for AIX, locate the agentadmin script in the following directory:

    AgentHome/web_agents/apache22_agent/bin, where AgentHome is where you unzipped the agent distribution file.

  2. In the agentadmin script, comment out the following line, which sets the regular JDK/JRE classpath:

    $JAVA_VM -classpath "$AGENT_CLASSPATH" 
com.sun.identity.install.tools.launch.AdminToolLauncher $*

  3. In the agentadmin script, uncomment the following line at the end of the file, which sets the IBM JDK/JRE classpath:

    #$JAVA_VM -DamKeyGenDescriptor.provider=IBMJCE -DamCryptoDescriptor.provider=IBMJCE 
-DamRandomGenProvider=IBMJCE -classpath "$AGENT_CLASSPATH" 
com.sun.identity.install.tools.launch.AdminToolLauncher $*

  4. Save your changes.

Creating an Agent Administrator (Optional)

Creating an agent administrator is optional. An agent administrator can manage agents in Oracle OpenSSO, including:

ProcedureTo Create an Agent Administrator

  1. Login to Oracle OpenSSO Console as amadmin.

  2. Create a new agents administrator group:

    1. Click Access Control, realm-name, Subjects, and then Group.

    2. Click New.

    3. In ID, enter the name of the group. For example: agentadmingroup

    4. Click OK.

  3. Create a new agent administrator user and add the agent administrator user to the agents administrator group:

    1. Click Access Control, realm-name, Subjects, and then User.

    2. Click New and provide the following values:

      • ID: Name of the agent administrator. For example: agentadminuser

        This is the name you will use to login to the Oracle OpenSSO Console .

      • First Name (optional), Last Name, and Full Name.

        For simplicity, use the same name for each of these values that you specified in the previous step for ID.

      • Password (and confirmation)

      • User Status: Active

    3. Click OK.

    4. Click the new agent administrator name.

    5. On the Edit User page, click Group.

    6. Add the agents administrator group from Available to Selected.

    7. Click Save.

  4. Assign read and write access to the agents administrator group:

    1. Click Access Control, realm-name, Privileges and then on the new agents administrator group link.

    2. Check Read and write access to all configured Agents.

    3. Click Save.

Next Steps

Login into the Oracle OpenSSO Console as the new agent administrator. The only available top-level tab is Access Control. Under realm-name, you will see only the Agents tab and sub tabs.

Installing the Apache HTTP Server 2.2.x Agent

Gathering Information to Install the Apache HTTP Server 2.2.x Agent

The following table describes the information you will need to provide when you run the agentadmin program to install Apache HTTP Server 2.2.x agent. For some agentadmin prompts, you can accept the default value displayed by the program, if you prefer.

Table 2 Information Required to Install the Apache HTTP Server 2.2.x Agent

Prompt Request 

Description 

Apache Server Config Directory Path 

Path to the configuration directory used by the Apache HTTP Server instance. 

For example: /opt/apache-2.2.11/conf

OpenSSO server URL 

URL for Oracle OpenSSO server. 

For example: http://openssohost.example.com:8080/opensso

Agent URL 

URL for the Apache HTTP Server 2.2.x agent. 

For example: http://agenthost.example.com:8090

Agent Profile Name 

Name of the agent profile. For example: Apache22Agent

For information, see Creating an Agent Profile.

Agent Profile Password File 

Path to the agent profile password file. For example: /tmp/apache22agentpw

For information, see Creating a Password File.

Option for the installer to create the agent profile 

The agentadmin program displays the following prompt if the agent profile previously specified for the Agent Profile Name prompt does not already exist in Oracle OpenSSO:

Enter true if the Agent Profile is being created into OpenSSO server by the installer. Enter false if it will be not be created by installer.

To have the installation program create the agent profile, enter true. The program then prompts you for:

  • Agent administrator who can create, update, or delete the agent profile. For example: agentadmin

    Important: To use this option, the agent administrator must already exist in Oracle OpenSSO server and must have agent administrative privileges. If you prefer, you can specify amadmin as this user.

    For information see, Creating an Agent Administrator (Optional).

  • Path to the agent administrator password file. For example: /tmp/agentadminpw

    For information, see Creating a Password File.

Installing the Apache HTTP Server 2.2.x Agent Using the agentadmin Program

Procedure To Install the Apache HTTP Server 2.2.x Agent Using the agentadmin Program

  1. Login into the server where you want to install the agent.

    Important: To install the agent, you must have write permission to the files and directories for the Apache HTTP Server instance.

  2. Stop the Apache HTTP Server instance.

  3. Change to the PolicyAgent-base/bin directory. For example:

    # cd /opt/web_agents/apache22_agent/bin

  4. Start the agent installation. For example:

    # ./agentadmin --custom-install

    On Windows systems, run the agentadmin.bat program.

  5. Enter information as requested by the agentadmin program, or accept the default values displayed by the program.

    After you have made your choices, the agentadmin program displays a summary of your responses. For example:

    -----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Apache Server Config Directory : /opt/apache-2.2.11/conf
OpenSSO server URL : http://opensshost.example.com:8080/opensso
Agent URL : http://agenthost.example.com:8090
Agent Profile name : Apache22Agent
Agent Profile Password file name : /tmp/apache22agentpw
Verify your settings above and decide from the choices below.
1. Continue with Installation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]: 1

  6. Verify your choices and either continue with the installation (selection 1, the default) , or make any necessary changes.

    If you continue, the program installs the agent and displays a summary of the installation. For example:

    SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: Agent_001
Agent Bootstrap file location:
/opt/web_agents/apache22_agent/Agent_001/config/OpenSSOAgentBootstrap.properties
Agent Configuration Tag file location
/opt/web_agents/apache22_agent/Agent_001/config/OpenSSOAgentConfiguration.propertie
s
Agent Audit directory location:
/opt/web_agents/apache22_agent/Agent_001/logs/audit
Agent Debug directory location:
/opt/web_agents/apache22_agent/Agent_001/logs/debug
Install log file location:
/opt/web_agents/apache22_agent/installer-logs/audit/install.log

  7. After the installation finishes successfully, if you wish, check the installation log file in the /installer-logs/audit directory

  8. Restart the Apache HTTP Server instance for the agent.

Agent Installation Program Functions

The agent installation program performs these functions:

Considering Specific Deployment Scenarios for the Apache HTTP Server 2.2.x Agent

Installing the Apache HTTP Server 2.2.x Agent on Multiple Apache HTTP Server Instances

After you install the Apache HTTP Server 2.2.x agent on a specific Apache HTTP Server instance, you can install the agent on another Apache HTTP Server instance by executing the agentadmin program again for that instance.

Installing Apache HTTP Server 2.2.x Agent on the Oracle OpenSSO Host Server

Oracle OpenSSO is not supported on the Apache HTTP Server 2.2.x web container. Therefore, installing the Apache HTTP Server 2.2.x agent and Oracle OpenSSO on the same server instance is not supported.

Post-Installation Tasks for the Apache HTTP Server 2.2.x Agent

Using SSL With the Apache HTTP Server 2.2.x Agent (Optional)

If you specify the https protocol for the Oracle OpenSSO server during the Apache HTTP Server 2.2.x agent installation, the agent is automatically configured and ready to communicate to the Oracle OpenSSO server over Secure Sockets Layer (SSL). However, to ensure that the Apache HTTP Server 2.2.x agent is configured for SSL communication to the server, follow these tasks:

Disabling the Trust Behavior of the Apache HTTP Server Agent

By default, the Apache HTTP Server 2.2.x agent installed on a remote Apache HTTP Server instance trusts any server certificate presented over SSL by the Oracle OpenSSO host server. For the Apache HTTP Server 2.2.x agent to perform certificate checking, you must disable this behavior.

ProcedureTo Disable the Trust Behavior of the Apache HTTP Server Agent

  1. Find the Apache HTTP Server 2.2.x agent's OpenSSOAgentBootstrap.properties file in the agent's /config directory. For example:

    /opt/web_agents/apache22_agent/Agent_001/config/OpenSSOAgentBootstrap.properties

  2. In the OpenSSOAgentBootstrap.properties file, set the SSL-related properties, depending on your specific deployment.

    Note: These properties have new names for version 3.0 web agents.

    • Disable the option to trust the server certificate sent over SSL by the Oracle OpenSSO host server:

      com.sun.identity.agents.config.trust.server.certs = false

    • Specify the certificate database directory. For example:

      com.sun.identity.agents.config.sslcert.dir = /opt/apache-2.2.11/conf/certdb

    • If the certificate database directory has multiple certificate databases, set the following property to the prefix of the database you want to use. For example:

      com.sun.identity.agents.config.certdb.prefix = prefix-

    • Specify the certificate database password:

      com.sun.identity.agents.config.certdb.password = password

    • Specify the certificate database alias:

      com.sun.identity.agents.config.certificate.alias = alias-name

  3. Save the changes to the OpenSSOAgentBootstrap.properties file.

    The agent uses information in the OpenSSOAgentBootstrap.properties file to start and initialize itself and to communicate with Oracle OpenSSO server.

Installing the Oracle OpenSSO Root CA Certificate on the Apache HTTP Server Instance

The root CA certificate that you install on the Apache HTTP Server instance must be the same certificate that is installed on the Oracle OpenSSO host server.

Oracle provides the Certificate Database Tool, certutil, in the Apache HTTP Server agent distribution file, to manage the root CA certificate and the certificate database.

For information about using certutil, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.

ProcedureTo Install the Oracle OpenSSO Root CA Certificate on the Apache HTTP Server Instance

  1. Obtain the root CA certificate file that is installed on the Oracle OpenSSO host server.

  2. On the Apache HTTP Server instance, locate the certutil utility.

    After you unzip the Apache HTTP Server agent distribution file, certutil is available in the PolicyAgent-base/bin directory.

    For example: /opt/web_agents/apache22_agent/bin/certutil

  3. Before you use certutil, set the LD_LIBRARY_PATH environment variable to the location of the certutil library files.

    After you unzip the Apache HTTP Server agent distribution file, these library files are available in the PolicyAgent-base/lib directory.

    For example: /opt/web_agents/apache22_agent/lib

  4. If necessary, create the certificate database using certutil. For example:

    # cd /opt/web_agents/apache22_agent/bin
# mkdir /opt/apache-2.2.11/conf/certdb
# ./certutil -N -d /opt/apache-2.2.11/conf/certdb

  5. Install the Oracle OpenSSO root CA certificate using certutil. For example:

    # ./certutil -A -n cert-name -t "C,C,C" -d /opt/apache-2.2.11/conf/certdb -i cert-request-file

    where:

    • cert-name is the name of the Oracle OpenSSO root CA certificate.

    • cert-request-file is the binary root CA certificate request file.

  6. To verify that the root CA certificate is installed correctly, use certutil with the -L option. For example:

    # ./certutil -L -d /opt/apache-2.2.11/conf/certdb

    You should see the name of the root CA certificate.

  7. Restart the Apache HTTP Server instance.

Changing the Password for an Agent Profile (Optional)

This task is optional. After you install the agent, you can change the agent profile password, if required for your deployment.

ProcedureTo Change the Password for an Agent Profile

  1. On the Oracle OpenSSO server:

    1. Login into the Administration Console.

    2. Click Access Control, realm-name, Agents, Web, and then the name of the agent you want to configure.

      The Console displays the Edit page for the agent profile.

    3. Enter and confirm the new unencrypted password.

    4. Click Save.

  2. On the server where the Apache HTTP Server 2.2.x agent is installed:

    1. In the agent profile password file, replace the old password with the new unencrypted password.

    2. Change to the PolicyAgent-base/bin directory. For example:

      # cd /opt/web_agents/apache22_agent/bin

    3. Encrypt the new password using the agentadmin program. For example:

      #./agentadmin --encrypt Agent_001 /tmp/apache22agentpw

      Agent_001 is the agent instance whose password you want to encrypt.

      passwd is the password file in the /tmp directory.

      The agentadmin program returns the new encrypted password. For example:

      The encrypted value is: /54GwN432q+MEnfh/AHLMA==

    4. In the agent-instance/config/OpenSSOAgentBootstrap.properties file, set the following property to the new encrypted password from the previous step. For example:

      com.sun.identity.agents.config.password=/54GwN432q+MEnfh/AHLMA==

    5. Restart the Apache HTTP Server instance that is being protected by the policy agent.

Configuring the Apache HTTP Server 2.2.x Agent on IBM AIX Systems

Perform this task only if you are installing the Apache HTTP Server 2.2.x agent on an IBM AIX system.

ProcedureTo Configure the Apache HTTP Server 2.2.x Agent on IBM AIX Systems

  1. Set the LIBPATH variable to the agent's lib directory. For example:

    setenv LIBPATH /opt/web_agents/apache22_agent/lib:/usr/lib:/lib

  2. As required, modify the libxml2.so.2 library file to libxml2.so in the agent's lib directory, which is in the following directory:

    AgentHome/web_agents/apache22_agent/lib, where AgentHome is where you unzipped the agent distribution file.

Setting the SHLIB_PATH Environment Variable on HP-UX Systems

ProcedureTo Set the SHLIB_PATH Environment Variable on HP-UX Systems

  1. Before you start the Apache HTTP Server 2.2.x server, set the SHLIB_PATH environment variable to the agent's lib directory. For example:

    setenv SHLIB_PATH /opt/web_agents/apache22_agent/lib:/usr/lib:/lib

Managing the Apache HTTP Server 2.2.x Agent

Managing a Version 3.0 Agent With a Centralized Configuration

By default, Oracle OpenSSO stores version 3.0 policy agent configuration data (as well as server configuration data) in a centralized data repository. You manage this configuration data using these options:

Managing a Version 3.0 Agent With a Local Configuration

In some scenarios, you might need to deploy a version 3.0 agent using a local configuration. For example, if you deploy the agent with Access Manager 7.1 or Access Manager 7 2005Q4, which do not support centralized agent configuration, you must use a local configuration.

With a local configuration, you manage the version 3.0 agent by editing properties in the agent's local OpenSSOAgentConfiguration.properties file (in the same manner that you edit the AMAgent.properties file for version 2.2 agents).

If you are creating a new agent profile in the OpenSSO Console, set Configuration to Local.

To specify a local configuration for an existing agent profile with a centralized configuration, edit the agent profile in the OpenSSO Console:

  1. Log in to the Console as amadmin.

  2. Click Access Control, realm-name, Agents, Web, and then the name of the agent profile you want to edit.

    The Console displays the Edit page for the agent profile.

  3. On the Edit page, check Local for Location of Agent Configuration Repository.

  4. Click Save.

A version 3.0 agent also stores configuration information in the local OpenSSOAgentBootstrap.properties file. The agent uses information in the bootstrap file to start and initialize itself and to communicate with Oracle OpenSSO server. In most cases, you won't need to edit the bootstrap file; however, if you do edit the file, be careful or the agent might not function properly.

Uninstalling the Apache HTTP Server 2.2.x Agent

Preparing to Uninstall the Apache HTTP Server 2.2.x Agent

ProcedureTo Prepare to Uninstall Apache HTTP Server 2.2.x Agent

  1. Undeploy any applications protected by the Apache HTTP Server 2.2.x agent.

  2. Stop the Apache HTTP Server instance, if it is running.

Uninstalling the Apache HTTP Server 2.2.x Agent Using the agentadmin Program

ProcedureTo Uninstall the Apache HTTP Server 2.2.x Agent

  1. Change to the PolicyAgent-base/bin directory. For example:

    For example: cd /opt/web_agents/apache22_agent/bin

  2. Issue one of the following commands:

    # ./agentadmin --uninstall

    or

    # ./agentadmin --uninstallAll

    The --uninstall option removes only one instance of the agent, while the --uninstallAll option prompts you to remove all configured instances of the agent.

  3. The uninstall program prompts you for the Apache HTTP Server configuration directory path.

    For example: /opt/apache-2.2.11/conf

  4. The uninstall program displays the path and then asks if you want to continue:

    To continue with the uninstallation, select 1 (the default).

    The uninstall program uninstalls the agent (or all configured instances, if specified).

    /opt/web_agents/apache22_agent/installer-logs/audit/uninstall.log

After You Finish the Uninstall

Migrating a Version 2.2 Apache HTTP Server Policy Agent

The version 3.0 agentadmin program includes the new --migrate option to migrate a version 2.2 agent to version 3.0. After you migrate a version 2.2 agent, the agent can use the new version 3.0 agent features.

The migration process migrates the agent's binary files, updates the agent's deployment container configuration, and converts the agent's AMAgent.properties file to the new version 3.0 OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties files.

Migrating a version 2.2 agent involves these general steps:

  1. On the server where the version 2.2 agent is installed, run the version 3.0 agentadmin program with the --migrate option.

    To get the version 3.0 agentadmin program, you must download the version 3.0 agent that corresponds to the version 2.2 agent you are migrating. For example, if you are migrating the version 2.2 Apache HTTP Server agent, download the version 3.0 Apache HTTP Server 2.2.x agent.

  2. On the Oracle OpenSSO server, run the ssoadm utility to create the new version 3.0 agent configuration in the centralized agent configuration repository.

    Therefore, the ssoadm utility must be installed from the openssoAdminTools.zip file on the Oracle OpenSSO server. For information, see Chapter 6, Installing the OpenSSO Enterprise Utilities and Scripts, in Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.

The agentadmin program creates a new deployment directory for the migrated agent, starting with Agent_001. The program does not modify the version 2.2 agent deployment directory files, in case you need these files after you migrate.

The following procedure, the migrated version 3.0 agent instance uses a new agent profile name, which is v3ApacheAgent in the examples. The old version 2.2 and new version 3.0 agent profile passwords are the same. If you need to change the password for the new version 3.0 agent profile, see Changing the Password for an Agent Profile (Optional).

ProcedureTo Migrate a Version 2.2 Agent:

  1. Login to the server where the version 2.2 agent is installed.

    To migrate the agent, you must have write permission to the version 2.2 agent's deployment container files and directories.

  2. Stop the Apache HTTP Server instance for the version 2.2 agent.

  3. Create a directory to download and unzip the version 3.0 agent. For example: v30agent

  4. Download and unzip the version 3.0 agent that corresponds to the version 2.2 agent you are migrating.

    The version 3.0 agents are available from the OpenSSO project site: https://opensso.dev.java.net/public/use/index.html

  5. Change to the version 3.0 agent's /bin directory.

    For example, if you downloaded and unzipped the version 3.0 Apache HTTP Server 2.2.x agent in the v30agent directory:

    cd /v30agent/web_agents/apache22_agent/bin

  6. Run the version 3.0 agentadmin program with the --migrate option. For example:

    ./agentadmin --migrate

  7. When the agentadmin program prompts you, enter the path to the version 2.2 agent's deployment directory. For example:

    /opt/v22/web_agents/apache22_agent

    In this example, /opt/v22 is the directory where you downloaded and unzipped the version 2.2 agent.

    The agentadmin program migrates the version 2.2 agent.

  8. Copy the Agent_nnn/config/OpenSSOAgentConfiguration.properties file to the /bin directory where ssoadm is installed on the Oracle OpenSSO server.

  9. In OpenSSOAgentConfiguration.properties, add the un-encrypted version 2.2 agent profile password at the end of the file, as follows:

    userpassword=v2.2–agent-profile-password

  10. On Oracle OpenSSO server, create a password file for the Oracle OpenSSO administrator (amadmin).

    This password file is an ASCII text file with only one line specifying the amadmin password in plain text. For example: /tmp/amadminpw

  11. On Oracle OpenSSO server, run ssoadm to create a new agent configuration in the Oracle OpenSSO centralized agent configuration repository. For example:

    cd tools_zip_root/opensso/bin
./ssoadm create-agent -b v3ApacheAgent -t WebAgent -u amadmin 
-f /tmp/amadminpw -D ./OpenSSOAgentConfiguration.properties

    In this example:

    • tools_zip_root is the directory where you unzipped openssoAdminTools.zip.

    • v3ApacheAgent is the version 3.0 agent profile name.

    • WebAgent is the agent type for web agents.

    • /tmp/amadminpw is the path to the amadmin password file.

    Caution: After you run ssoadm, you might want to delete OpenSSOAgentConfiguration.properties from the /bin directory. This file contains sensitive information, including as the agent profile password, and the original file is maintained on the server where the agent is installed.

  12. Restart the Apache HTTP Server instance for the migrated agent.

Next Steps

After you migrate the agent, you can manage the new 3.0 agent configuration using the Oracle OpenSSO Administration Console or the ssoadm utility, as described in Managing the Apache HTTP Server 2.2.x Agent.

Related Information

Additional Resources

You can find additional useful information and resources at the following locations:

Oracle's Accessibility Program

For information about Oracle's commitment to accessibility, see the following site:

http://www.oracle.com/us/corporate/accessibility/index.html

Related Third-Party Web Sites

Third-party URLs are referenced in this document and provide additional, related information.

Note –

Oracle is not responsible for the availability of third-party Web sites mentioned in this document. Oracle does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Oracle will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.

How to Report Problems and Provide Feedback

If you have questions or issues, contact Oracle as follows:

So that we can best assist you in resolving problems, please have the following information available when you contact support:

If you are requesting help for a problem, please include the following information:

Oracle Welcomes Your Comments

Oracle is interested in improving its documentation and welcomes your comments and suggestions. To share your comments, go to http://docs.sun.com/ and click Feedback. In the online form, provide the full document title and part number. The part number is a 7-digit or 9-digit number that can be found on the title page or in the document's URL. For example, the title of this guide is Sun OpenSSO Policy Agent 3.0 Guide for Apache HTTP Server 2.2.x, and the part number is 821-0266.

Revision History

Part Number 

Date 

Description 

821-0266–13 

November 22, 2010 

  • Added support for 32–bit Apache HTTP Server 2.2.x agent on Microsoft Windows Server 2008, 64–bit systems.

  • Revised outdated URLs.

821-0266–12 

December 22, 2009 

Added support for HP-UX systems. 

821-0266–11 

October 19, 2009 

Added support for IBM AIX systems. 

821-0266–10 

August 7, 2009 

Initial release.