Sun logo      Previous      Contents      Index      Next     

J2EE Policy Agents Guide

Chapter 6
Securing Identity Manager Software With a Policy Agent

This chapter applies to deployment scenarios where a J2EE policy agent protects Sun Java™ System Identity Manager software 5.0 SP2 and establishes single sign-on (SSO) with Sun™ ONE Identity Server 6.0 and higher software.

Topics in this chapter include:

"Deployment Facts and Considerations"

"The Policy Agent Installation"

"Configuring the Agent"

"Configuring the Identity Manager Software"

"Provisioning Users Using Identity Manager Software"

"Protecting Identity Manager Using URL Policies"

"How to Troubleshoot the Agent Configuration"

Deployment Facts and Considerations

A deployment that uses a Sun ONE Identity Server policy agent to secure Sun Java System Identity Manager software provides various benefits. Foremost, this type of deployment allows single sign-on (SSO) integration between Sun Java System Identity Manager software and Sun ONE Identity Server software. Furthermore, you can use Identity Server to define URL policies that govern access to Identity Manager software web resources.

To understand this chapter, you are expected to have familiarity with Identity Manager software and the application server or J2EE container on which the Identity Manager is installed. While this chapter provides guidance for deploying Sun Java System Identity Manager software with Sun ONE Identity Server software using a policy agent, you need to consult other sources of documentation. For example, refer to other sections of this guide, especially Chapter 2, "Installing the Agent." Moreover, refer to the Sun Java System Identity Manager software documentation that comes with that product.

The Policy Agent Installation

This section presents areas to consider about policy agent installation. Even if the agent has already been installed, this section provides important information about specific settings.

Ensure that application server you are using is supported by both Identity Manager software and by Identity Server software. For example, Sun ONE Application Server 7.0 is supported by both. A list of supported application servers for Identity Manager software, can be found in the Identity Manager documentation. For Identity server, see "Supported Servers".

To install the agent, refer to the proper section of Chapter 2, "Installing the Agent," for your specific agent. Settings of importance for the installation are as follows:

Configuring the Agent

After you have completed the post-installation tasks, configure the policy agent to set up an HTTP header named sois_user. Identity Manager uses this HTTP header to identify the authenticated user and then maps that authenticated user to a user in its repository.

To enable the policy agent to set up HTTP headers

  1. Update the AMAgent.properites file by editing two properties as follows:
    • LDAP Attribute Map property

      com.sun.am.policy.amFilter.ldapattribute.map[entrydn] = sois_user

    • LDAP Attribute Fetch Mode property

      com.sun.am.policy.amFilter.ldapattribute.mode = HEADER

  2. (Conditional) Only perform this step if the hotswap mechanism of the policy agent is disabled. If the hotswap mechanism is disabled, the Configuration Reload Interval property is set as follows:

    3. com.sun.am.policy.config.load.interval = 0

    If the hotswap mechanism is disabled, restart the application server.

Configuring the Identity Manager Software

After you have completed the installation of the policy agent, configure the Identity Manager software to allow SSO with the Sun ONE Identity Server software by performing the following general tasks:

Adding the Resource Adapter

The SunONEIdentityServer resource adapter provides a login module that enables SSO between the policy agent and Identity Manager. The first task is to add the adapter, using the Identity Manager administrative console.

To add the resource adapter

  1. Using an Internet browser, go to:

    2. http://hostname:port/idm-context-root/login.jsp

    For example:

    http://example.com:8080/idm/login.jsp

    Since the agent is already installed and configured, the Identity Server Login Page displays in the browser.

  2. Enter a valid user ID and password. For example, the credentials for amAdmin or any Identity Server software user work for this step.

    3. The Identity Manager administrative login page appears.

  3. Log in as Identity Manager Configurator user.

    4. The Identity Manager administrative console appears.

  4. Select the Configure tab.
  5. In the left-hand menu, select Managed Resources.

    6. The Configure Managed Resources page appears.

  6. Under the Custom Resources heading and the Resource Class Path subheading, add the following string:

    7. com.waveset.adapter.SunISResourceAdapter

  7. Click Add Custom Resource.
  8. Click Save.

Configuring the Resource Instance

At this point, the resource adapter has been added.

To configure a resource instance

  1. Using the Identity Manager administrative console, select the Resources tab.
  2. In the left-hand menu, select List Resources.

    3. A box appears that contains a directory tree of resources.

  3. Under the box, in the drop-down list, select Sun ONE Identity Server if it is not already selected.
  4. If necessary, click Edit.

    5. The SunONEIdentityServer resource wizard appears.

  5. Click Next.

    6. The Resource Parameters page appears.

  6. Enter the details for the directory server. Here, directory server refers to the directory server used by the Identity Server software to which the policy agent will communicate. Enter the following information.

    7. Resource

    Parameters

    Host

    DirectoryServer-hostname

    TCP Port

    DirectoryServer-port

    User

    amAdmin

    Password

    amAdmin-password

    Base Context

    IdentityServer-root-suffix

  7. Click Test Configuration to test for a successful connection.
    • If the test was successful, continue.  
    • If the test was unsuccessful, return to Step 6, and enter the correct information.
  8. Click Next.

    9. The Account Attributes page of the wizard appears.

  9. Select the defaults.
  10. Click Next.

    11. The Identity Template page of the wizard appears.

  11. Update the template by entering information in the Identity Template field that reflects a user DN of Identity Server.

    12. For example:

    uid=$uid$,ou=People,dc=example,dc=com

  12. Click Next.

    13. The Identity Manager Parameters page appears.

  13. In the Display Name Attribute drop-down list, select a display name. For example, firstname.
  14. Locate the item named Top inside the Organizations box and move it to the Available To box.
  15. For the other options on this page, keep the defaults or update the information according to your requirements.
  16. Click Next

Creating a Login Module Group

To create a new Identity Server software login module group

  1. Using the Identity Manager administrative console, select the Configure tab.
  2. In the left-hand menu, select Login.

    3. The Login page appears.

  3. Click Manage Login Module Groups.

    4. The Login Module Groups page appears.

  4. Click New.

    5. The Create Login Module Group page appears.

  5. In the Login Manager Group Name field, enter a name for the new login module group.

    6. For example:

    Access Manager Login Module Group

  6. Locate the item Top inside the Organizations box and move it to the Available To box.
  7. From the Assign Login Module drop down list, select Sun ONE Identity Server Login Module.

    8. The Create Login Module Group page reappears, but with a new drop-down list available.

  8. In the newly available drop-down list, select SunONEIdentityServer.

    9. The Modify Login Group page appears.

  9. From the Login success requirement drop-down list, select sufficient.
  10. Click Save.

    11. The Create Login Module Group page reappears.

  11. In the Assign Login Module Groups drop-down list, select the Identity Manager User Id/Password Login Module.

    12. The Modify Login Module page appears.

  12. In the Login success requirement drop-down list, select sufficient.
  13. Click Save.

    14. The Create Login Module page reappears with a list of two login modules:

    • The Sun ONE Identity Server Login module
    • The Identity Manager User Id/Password Login module
  14. Click Save to save the configuration.
  15. Verify the creation of the Identity Server Login Module group in the Manage Login Module Group page, which you can access by repeating steps 1—3.

    16. Note

    Assigning both modules, Identity Server Login module and Identity Manager User Id/Password Login module increases the availability of protected resources. Thereafter, even if the Sun ONE Identity Server Login module fails, users can log in to the Identity Manager software using the Identity Manager User Id/Password Login module.

Assigning the Login Module Group to Login Applications

You need to configure two interface login applications, the User Interface Login Application and the Administrative Interface Login Application.

Configuring the User Interface Login Application

  1. Using the Identity Manager administrative console, click the Configure tab.
  2. In the left-hand menu, click Login.

    3. The Login page appears.

  3. Click the User Interface login application.

    4. The Modify Login Application page appears.

  4. Select the newly created Identity Server Login Module Group from the Assign Login Module Groups drop-down list.

    5. The Modify Login Application page reappears with the newly created group added to the list of login module groups.

  5. Remove the old Login Module group from the list as follows:
    1. Select that module
    2. Click delete.
    3. Click Save.

The new login module group for the user interface login application has now been configured.

Configuring the Administrative Interface Login Application

The steps to assign the Identity Server Login Module Group to Administrative Interface are the same as those described in "Configuring the User Interface Login Application", except instead of choosing User Interface Login Application, choose the Administrator Interface login application.

Provisioning Users Using Identity Manager Software

To provision users using Identity Manager software

  1. Using the Identity Manager administrative console, click the Accounts tab.
  2. In the left-hand menu, select List Accounts if it is not already selected.

    3. A box appears that contains user names.

  3. Select a user name:

    4. Select an existing Identity Manager software user or create a new user:

    • For an existing Identity Manager software user, perform the following:
    • Select the user.
    • Select Edit.
    • For a new Identity Manager software user, perform the following:

      • Select User from the New drop down list.

      After you perform one of the preceding tasks, the Create User or Edit User page appears. These pages have four tabs: Identity, Assignments, Security, and Attributes. You can navigate between these tabs without losing newly added data. However, select Save after all information is added.

  4. Select the Assignments tab.
  5. Locate the item SunONEIdentityServer inside the Available Resources list box and move it to the Current Resources list box.
  6. Select the Attributes tab.
  7. Enter the value for the uid (The uid is called user ID in Identity Server software).
  8. (Conditional) This step only applies if you are creating a new user. Select the Identity tab.
  9. (Conditional) This step only applies if you are creating a new user. Specify the user Account ID and password.
  10. Click Save.
  11. (Conditional) This step only applies if you are editing an existing user. In which case, the Update user_name Resource Accounts page is currently available in your browser. Review the information about the accounts that will be updated and click Save.
  12. Now that you are in the Create User Results page or the Update Resource Account Results page, click OK.

    13. You are returned to the List Accounts page.

After successfully creating or updating a user, perform a simple test as explained in "Testing SSO Integration With Identity Server" to verify that SSO functions properly.

Note

When managing users who were created using Identity Server software, ensure that passwords are synchronized through Identity Manager software.

Testing SSO Integration With Identity Server

Testing SSO for users with administrative capabilities differs slightly from testing SSO for users without administrative capabilities as explained in the following subsections.

Testing SSO for Users With Administrative Capabilities

The best method for testing SSO is to keep your original browser instance open. This method maintains user sessions. Therefore, keep your browser connected to the Identity Manager administrative console. Then open a new browser window using a different browser (for example: open a new Mozilla/Firefox instance if you are currently using the IE instance).

  1. Using an Internet browser, go to:

    2. http://hostname:port/application-context-root/login.jsp

    For example:

    http://example.com:8080/idm/login.jsp

    The browser presents the Identity Server Login Page.

  2. Enter the user ID and password for the newly created user.

    3. You should be presented with the Identity Manager administrative console.

    If you are able to directly access the Identity Manager software Administrator page, then SSO is working and the test is successful.

Testing SSO for Users Without Administrative Capabilities

The best method for testing the SSO connection is to keep your original browser instance open. This method maintains user sessions. Therefore, keep your browser connected to the Identity Manager administrative console. Then open a new browser window using a different browser (for example: open a new Mozilla/Firefox instance if you are currently using the IE instance).

  1. Using an Internet browser, go to:

    2. http://hostname:port/application-context-root/user/login.jsp

    For example:

    http://example.com:8080/idm/user/login.jsp

    The browser presents the Identity Server Login Page.

  2. Enter the user ID and password for the newly created user.

    3. The Identity Manager user profile page appears.

    If you are able to directly access the user profile page, which displays links to Change Password and Change Other Account Attributes, then SSO is working and the test is successful.

Protecting Identity Manager Using URL Policies

Depending upon your environment needs, you might want to use Identity Server software to define URL policies that protect Identity Manager software. For example, you could assign authorization to specific users to access Identity Manager software.

The following procedure is an overview of the steps for creating a URL Policy. However, consult the administration guide for Sun ONE Identity Server software or the administration guide for Sun Java™ System Access Manager for detailed information about creating policies.

To create a simple URL policy based enforcement

  1. Log in to the Identity Server software as Administrator.
  2. Create a new policy.

    3. The following are guidelines for that policy

    • Give the policy a relevant name, such as IDMGR.
    • Apply the following rules:
      • http://hostname:port/application-context-root

        • where hostname and port refer to the Identity Manager software

        where actions are set to allow GET and POST commands.

      • http://hostname:port/application-context-root/*

        • where hostname and port refer to the Identity Manager software

        where actions are set to allow GET and POST commands.

  3. Assign one or more subjects to the IDMGR policy.
  4. Set the Agent Filter Mode property in the AMAgent.properties file to the following:

    5. com.sun.am.policy.amFilter.mode = URL_POLICY

  5. (Conditional) If the hotswap mechanism is disabled, restart the application server.

How to Troubleshoot the Agent Configuration

If the agent does not operate as expected, you can follow the troubleshooting steps described in this section. You can set trace options to help you troubleshoot problems in Identity Manager software. However, refer to the Identity Manager Technical Reference for detailed information.

  1. Use the Identity Manager software debug pages to set trace options on the following class:

    2. com.waveset.adapter.SunISResourceAdapter

  2. Also, set the debug level to “message” in the amagent.properties
  3. Restart the application Server
  4. Inspect the debug logs of the Policy Agent for troubleshooting information.


Previous      Contents      Index      Next     

Copyright 2004 Sun Microsystems, Inc. All rights reserved.