Sun OpenSSO Enterprise Policy Agent 3.0 Guide for Microsoft Internet Information Services (IIS) 6.0

Using SSL With the IIS 6.0 Agent (Optional)

If you specify the https protocol for the OpenSSO Enterprise server URL during the IIS 6.0 agent installation, the agent is automatically configured and ready to communicate with the OpenSSO Enterprise server over Secure Sockets Layer (SSL). However, to ensure that the IIS 6.0 agent is configured for SSL communication with the server, perform the following tasks:

Installing the OpenSSO Enterprise Root CA Certificate on the IIS 6.0 Agent

The root CA certificate that you install on the IIS 6.0 agent must be the same certificate that is installed on the OpenSSO Enterprise host server.

Sun provides the Certificate Database Tool, certutil.exe, in the IIS 6.0 agent distribution file, to manage the root CA certificate and the certificate database.

For information about using certutil.exe, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.

Procedure: To Install the OpenSSO Enterprise Root CA Certificate on the IIS 6.0 Agent

  1. Obtain the root CA certificate file that is installed on the OpenSSO Enterprise host server. The following examples use root_ca.crt as the name for the root CA certificate file.

  2. On the IIS 6.0 server, locate the certutil.exe utility.

    After you unzip the IIS 6.0 agent distribution file, certutil.exe is available in the PolicyAgent-base\bin directory.

    For example: C:\Agents\web_agents\iis6_agent\bin\certutil.exe

  3. If necessary, create the certificate database directory and the certificate database in the PolicyAgent-base directory. For example:

    mkdir C:\Agents\web_agents\iis6_agent\cert
    C:\Agents\web_agents\iis6_agent\bin> certutil.exe -N -d ..\cert

    where cert is the name of the certificate database directory.

    When prompted, enter and confirm the password that will be used to encrypt your keys.

  4. Install the OpenSSO Enterprise root CA certificate in the database. For example:

    certutil.exe -A -n am_root_ca_cert -t "C,C,C" -d ..\cert -i ..\cert\root_ca.crt

    where:

    • am_root_ca_cert is the name of the OpenSSO Enterprise root CA certificate.

    • root_ca.crt is the binary root CA certificate file obtained in step 1.

  5. To verify that the root CA certificate is installed correctly, use certutil.exe with the -L option, which lists the certificates in the database. For example:

    C:\Agents\web_agents\iis6_agent\bin> certutil.exe -L -d ..\cert

    You should see the name of the root CA certificate. For example:

    am_root_ca_cert                                              C,C,C
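The listing above is what you check by eye. The following script, added here as an example and not part of the agent distribution or of certutil, parses that listing and confirms that the root CA nickname is present with a trust-attribute string whose SSL slot marks it as a trusted CA ("C"), which is what the agent needs in order to validate the OpenSSO Enterprise server certificate. The sample listing, the nickname am_root_ca_cert and the PolicyAgent-base paths in the `__main__` block are constructed from this guide; adjust them to your host.

```python
"""Verify that the OpenSSO root CA certificate is present in the agent's NSS
certificate database by parsing the output of ``certutil.exe -L -d <certdir>``.

Added example for this guide; not part of the agent distribution or certutil.
"""
import subprocess
from typing import Dict, List

# Constructed sample of what ``certutil -L -d ..\cert`` prints after step 4.
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

am_root_ca_cert                                              C,C,C
Some Other Cert                                              ,,
"""

# Lines that belong to certutil's two-line header, not to a certificate.
HEADER_MARKERS = ("Certificate Nickname", "SSL,S/MIME,JAR/XPI")


def parse_certutil_listing(text: str) -> Dict[str, str]:
    """Map each certificate nickname to its trust-attribute string.

    Nicknames may contain spaces, so each line is split once from the right:
    the last whitespace-separated token is the trust string ("C,C,C", ",,"),
    everything before it is the nickname.
    """
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or any(marker in line for marker in HEADER_MARKERS):
            continue
        parts = line.rsplit(None, 1)
        if len(parts) != 2:
            continue  # not a nickname/trust pair
        nickname, trust = parts
        certs[nickname.strip()] = trust
    return certs


def check_root_ca(certs: Dict[str, str], nickname: str) -> List[str]:
    """Return a list of problems; an empty list means the root CA is usable.

    NSS trust attributes are three comma-separated slots: SSL, S/MIME and
    JAR/XPI. For the agent to validate the OpenSSO server certificate, the
    SSL slot of the root CA must contain "C" (trusted CA), as set by
    ``-t "C,C,C"`` in step 4.
    """
    trust = certs.get(nickname)
    if trust is None:
        return [f"{nickname!r} not found in certificate database"]
    slots = trust.split(",")
    if len(slots) != 3:
        return [f"unexpected trust string {trust!r} for {nickname!r}"]
    if "C" not in slots[0]:
        return [f"{nickname!r} SSL trust slot is {slots[0]!r}, expected 'C' (trusted CA)"]
    return []


def list_certificates(certutil: str, certdir: str) -> Dict[str, str]:
    """Run ``certutil -L -d <certdir>`` and parse its listing.

    The caller supplies the paths; the ones in __main__ are assumptions.
    """
    result = subprocess.run(
        [certutil, "-L", "-d", certdir],
        capture_output=True, text=True, check=True,
    )
    return parse_certutil_listing(result.stdout)


if __name__ == "__main__":
    # Assumed PolicyAgent-base layout from this guide; adjust for your host.
    certs = list_certificates(
        r"C:\Agents\web_agents\iis6_agent\bin\certutil.exe",
        r"C:\Agents\web_agents\iis6_agent\cert",
    )
    problems = check_root_ca(certs, "am_root_ca_cert")
    print("OK" if not problems else "\n".join("PROBLEM: " + p for p in problems))
```

Run it on the IIS 6.0 host after step 4; a non-empty problem list means the certificate was imported under a different nickname or without the CA trust flag, and the agent would be unable to validate the server certificate once trust is disabled in the next procedure.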

Disabling the Trust Behavior for the IIS 6.0 Agent

By default, the IIS 6.0 agent installed on a remote IIS 6.0 server trusts any server certificate presented over SSL by the OpenSSO Enterprise host; that is, it does not validate the certificate against the root CA certificate you installed. For the IIS 6.0 agent to perform certificate checking, you must disable this trust behavior.

Procedure: To Disable the Trust Behavior for the IIS 6.0 Agent

  1. Find the IIS 6.0 agent's OpenSSOAgentBootstrap.properties file in the agent's \config directory. For example:

    C:\Agents\web_agents\iis6_agent\config\OpenSSOAgentBootstrap.properties

  2. In the OpenSSOAgentBootstrap.properties file, set the SSL-related properties, depending on your specific deployment.

    Note: These properties have new names for version 3.0 web agents.

    • Disable the option to trust the server certificate sent over SSL by the OpenSSO Enterprise host server:

      com.sun.identity.agents.config.trust.server.certs = false

    • Specify the certificate database directory.

      com.sun.identity.agents.config.sslcert.dir = path-to-cert-database

      For example:

      com.sun.identity.agents.config.sslcert.dir = C:/Agents/web_agents/iis6_agent/cert

    • If the certificate database directory has multiple certificate databases, set the following property to the prefix of the database you want to use. For example:

      com.sun.identity.agents.config.certdb.prefix = prefix-

    • Specify the certificate database password:

      com.sun.identity.agents.config.certdb.password = password

    • Specify the certificate database alias:

      com.sun.identity.agents.config.certificate.alias = alias-name

  3. Save the changes to the OpenSSOAgentBootstrap.properties file.

    The agent uses information in the OpenSSOAgentBootstrap.properties file to start and initialize itself and to communicate with the OpenSSO Enterprise server.

  4. Restart IIS 6.0 using the iisreset command.
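Because the default setting trusts any server certificate, it is worth checking the bootstrap file before the restart rather than discovering the omission later. The following audit script is an added example for this guide, not agent code: it reads an OpenSSOAgentBootstrap.properties file with a minimal key/value parser (comments starting with # or !, an = or : separator; backslash escapes and line continuations are deliberately not handled) and reports the SSL-related properties named in step 2 that are missing or left at the trusting default. The two sample property sets are constructed; the password value "changeit" and the alias are placeholders.

```python
"""Audit the SSL-related properties in an IIS 6.0 agent's
OpenSSOAgentBootstrap.properties.

Added example for this guide; not part of the agent. Property names are the
ones listed in step 2; both sample files below are constructed.
"""
from typing import Dict, List

# Constructed: the default, in which the agent trusts any server certificate
# and no certificate database is configured.
WEAK_PROPERTIES = """
# OpenSSO agent bootstrap (constructed sample)
com.sun.identity.agents.config.trust.server.certs = true
com.sun.identity.agents.config.sslcert.dir =
"""

# Constructed: the settings the procedure above arrives at.
HARDENED_PROPERTIES = """
com.sun.identity.agents.config.trust.server.certs = false
com.sun.identity.agents.config.sslcert.dir = C:/Agents/web_agents/iis6_agent/cert
com.sun.identity.agents.config.certdb.password = changeit
com.sun.identity.agents.config.certificate.alias = am_root_ca_cert
"""

PREFIX = "com.sun.identity.agents.config."
# Properties that must be present once server-certificate trust is disabled.
REQUIRED_FOR_SSL = ("sslcert.dir", "certdb.password", "certificate.alias")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal properties parser: '#'/'!' comments, '=' or ':' separator.

    Simplification: backslash escapes and line continuations are not handled,
    which is why the sample uses forward slashes in the Windows path.
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # The key ends at whichever separator appears first.
        positions = [i for i in (line.find("="), line.find(":")) if i >= 0]
        if not positions:
            continue
        idx = min(positions)
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def audit_ssl_settings(props: Dict[str, str]) -> List[str]:
    """Return findings for the SSL properties; empty means the file matches step 2.

    An absent trust.server.certs is treated as the trusting default described
    in this section.
    """
    findings: List[str] = []
    trust = props.get(PREFIX + "trust.server.certs", "true").strip().lower()
    if trust != "false":
        findings.append(
            "trust.server.certs is not 'false': the agent accepts any server certificate"
        )
    for name in REQUIRED_FOR_SSL:
        if not props.get(PREFIX + name):
            findings.append(f"{name} is missing or empty")
    return findings


def audit_file(path: str) -> List[str]:
    """Audit an OpenSSOAgentBootstrap.properties file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_ssl_settings(parse_properties(fh.read()))


if __name__ == "__main__":
    # Assumed PolicyAgent-base layout from this guide; adjust for your host.
    for finding in audit_file(
        r"C:\Agents\web_agents\iis6_agent\config\OpenSSOAgentBootstrap.properties"
    ):
        print("FINDING:", finding)
```

Run it before step 4; if it reports that trust.server.certs is not false, the restart will leave the agent accepting any certificate presented as the OpenSSO Enterprise server, and the root CA installed in the previous procedure is never consulted.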