Sun Java Enterprise System 2005Q4 Installation Reference

Access Manager Configuration Information

The Java ES installer supports the installation of these subcomponents of Access Manager:


Note – Access Manager SDK is automatically installed as part of Identity Management and Policy Services Core, but the SDK can also be installed separately on a remote host. For information about separate installation of Access Manager SDK, refer to Access Manager SDK Configuration Information.

The installer needs different information depending on which subcomponents you are installing, as the following table indicates. The table also refers you to the tables where the relevant information is described.

Table 1–2 Information Needed to Install Subcomponents of Access Manager

For each component, the information needed is listed with the relevant material in which it is described.

Identity Management and Policy Services Core
  Web container information: see Access Manager: Web Container Information
  Directory Server information: see Access Manager: Directory Server Information
  Provisioned directory information: see Existing Provisioned Directory Found and No Existing Provisioned Directory Found

Common Domain Services for Federation Management
  Services information: see Installing Access Manager Federation Management (Core Already Installed)

Access Manager Administration Console
  Administration information: see Access Manager: Administration Information
  Services information: see Installing Access Manager Console (Core Already Installed)

Access Manager: Administration Information

The installer needs the following information if you are installing Access Manager Administration Console.

Table 1–3 Administration Information for Access Manager

Each entry gives the label, the state file parameter in parentheses, and the description.

Administrator User ID (IS_ADMIN_USER_ID)
  Access Manager top-level administrator. This user has unlimited access to all entries managed by Access Manager.
  The default name, amadmin, cannot be changed. This ensures that the Access Manager administrator role and its privileges are created and mapped properly in Directory Server, allowing you to log onto Access Manager immediately after installation.

Administrator Password (IS_ADMINPASSWD)
  Password of the amadmin user. The value must have at least eight characters.
  The default value is the Administrator Password (CMN_ADMIN_PASSWORD) you provided under Common Server Settings. Refer to Common Server Settings.

LDAP User ID (IS_LDAP_USER)
  Bind DN user for LDAP, Membership, and Policy services. This user has read and search access to all Directory Server entries.
  The default user name, amldapuser, cannot be changed.

LDAP Password (IS_LDAPUSERPASSWD)
  Password of the amldapuser user. This password must be different from the password of the amadmin user. It can be any valid Directory Service password.

Password Encryption Key (AM_ENC_PWD)
  A string that Access Manager uses to encrypt user passwords.
  Note: For security purposes, it is recommended that the password encryption key be 12 characters or longer.
  The interactive installer generates a default password encryption key. You can accept the default value or specify any key produced by a J2EE random number generator. During Access Manager installation, the Access Manager property file, AMConfig.properties, is updated and the property am.encryption.pwd is set to this value. The property file is located in:
    Solaris OS: /etc/opt/SUNWam/config
    Linux: /etc/opt/sun/identity/config
  All Access Manager subcomponents must use the same encryption key that the Identity Management and Policy Services Core uses. If you are distributing Access Manager subcomponents across hosts and installing Administration Console or Common Domain Services for Federation Management, copy the value for am.encryption.pwd as generated by the installation of the core, and paste the value into this field.
  In a state file, the default is LOCK. Any character combination is permitted.

Install type (AM_REALM)
  Indicates the level of interoperability with other components. Choice of Realm mode (version 7.x style) or Legacy mode (version 6.x style). You must use Legacy mode if you are installing Access Manager with Portal Server, Messaging Server, Calendar Server, Delegated Administrator, or Instant Messaging.
  Accepted values for AM_REALM are Enabled (for Realm 7.x mode) and Disabled (for Legacy 6.x mode).
  The default value is Disabled (Legacy mode).

Access Manager: Web Container Information

The Identity Management and Policy Services Core subcomponent of Access Manager runs in Web Server or Application Server.


Note – This component also runs in a third-party web container; however, you must then install AM using the Configure Later option, in which case configuration is done after installation.

The information that the installer needs is different for each web container:

Web Container Information: Access Manager with Web Server

This section describes the information that the installer needs when Web Server is the web container for the Identity Management and Policy Services Core subcomponent of Access Manager.

Table 1–4 Web Container Information for Access Manager with Web Server

Host Name (IS_WS_HOST_NAME)
  The fully qualified domain name for the host.
  For example, if this host is siroe.example.com, this value is siroe.example.com.
  The default value is the fully qualified domain name for the current host.

Web Server Port (IS_WS_INSTANCE_PORT)
  Port on which Web Server listens for HTTP connections.
  The default value is 80.
  If you are installing Web Server in this installer session, the default value is the Web Server HTTP Port (WS_ADMIN_PORT) value. Refer to Web Server: Default Web Server Instance Information.

Web Server Instance Directory (IS_WS_INSTANCE_DIR)
  Path to the directory where an instance of Web Server is installed. The path must have the following syntax:
    WebServer-base/https-webserver-instancename
  If you are installing Web Server in this session, the default value for WebServer-base is the Web Server installation directory:
    Solaris OS: /opt/SUNWwbsvr
    Linux: /opt/sun/webserver

Document Root Directory (IS_WS_DOC_DIR)
  Directory where Web Server stores content documents.
  If you are installing Web Server in this installer session, the default value is the Web Server value Document Root Directory (WS_INSTANCE_CONTENT_ROOT). Refer to Web Server: Default Web Server Instance Information.
  If you are not installing Web Server, the default location is WebServer-base/docs. The default value for WebServer-base is the Web Server installation directory:
    Solaris OS: /opt/SUNWwbsvr
    Linux: /opt/sun/webserver

Secure Server Instance Port (IS_SERVER_PROTOCOL)
  Specify whether the port for the Web Server instance is a secure port. A secure port uses the HTTPS protocol. A non-secure port uses HTTP.
  In a state file, specify https for a secure port or http for a non-secure port. The default value is http.

Web Container Information: Access Manager with Application Server

This section describes the information that the installer needs when Application Server is the web container for the Identity Management and Policy Services Core subcomponent of Access Manager.

Table 1–5 Web Container Information for Access Manager with Application Server

Installation Directory (IS_APPSERVERBASEDIR)
  Path to the directory where Application Server is installed.
  If you are installing Application Server, this value defaults to the value you specified for the Application Server installation directory. The default value is:
    Solaris OS: /opt/SUNWappserver/appserver
    Linux: /opt/sun/appserver

Access Manager Runtime Instance (IS_IAS81INSTANCE)
  Name of the Application Server instance that will run Access Manager.
  The default value is server.

Instance Directory (IS_IAS81INSTANCEDIR)
  Path to the directory where Application Server stores files for the instance. Default value:
    Solaris OS: /var/opt/SUNWappserver/domains
    Linux: /var/opt/sun/appserver/domains

Access Manager Instance Port (IS_IAS81INSTANCE_PORT)
  Port on which Application Server listens for connections to the instance.
  The default value is 8080.

Document Root (IS_SUNAPPSERVER_DOCS_DIR)
  Directory where Application Server stores content documents.
  The default document root is the instance directory specified by IS_IAS81INSTANCEDIR, with domainname/docroot appended at the end. For example: IS_IAS81INSTANCEDIR/domainname/docroot

Administrator User ID (IS_IAS81_ADMIN)
  User ID of the Application Server administrator.
  The default value is the Administrator User ID you provided under Common Server Settings. Refer to Common Server Settings.

Administrator Password (IS_IAS81_ADMINPASSWD)
  Password of the Application Server administrator.
  The default value is the Administrator User password you provided under Common Server Settings. Refer to Common Server Settings.

Administrator Port (IS_IAS81_ADMINPORT)
  Port on which the Administration Server for Application Server listens for connections.
  The default value is 4849.

Secure Server Instance Port (IS_SERVER_PROTOCOL)
  Specify whether the value for Instance Port (IS_IAS81INSTANCE_PORT) refers to a secure port. A secure port uses the HTTPS protocol. A non-secure port uses HTTP.
  In a state file, specify https for a secure port or http for a non-secure port. The default value is http.

Secure Administration Server Port (ASADMIN_PROTOCOL)
  Specify whether the value for Administrator Port (IS_IAS81_ADMINPORT) is a secure port. A secure port uses the HTTPS protocol. A non-secure port uses HTTP.
  In a state file, specify https for a secure port or http for a non-secure port. The default value is https.

Access Manager: Services Information

The installer needs different information about Access Manager services for different Access Manager subcomponents.

Installing Access Manager Core and Console

This section describes the services information that the installer needs when you are installing the Identity Management and Policy Services Core and the Access Manager Administration Console subcomponents.

In this scenario, you can deploy a new console or use a previously deployed console. If you deploy a new console, some of the information in Table 1–6 is not needed, as the Description column indicates.

Table 1–6 Access Manager Services Information for Installing Core and Console

Host Name (IS_SERVER_HOST)
  Fully qualified domain name of the host on which you are installing.
  The default value is the fully qualified domain name of the local host.

Services Deployment URI (SERVER_DEPLOY_URI)
  Uniform Resource Identifier (URI) prefix for accessing the HTML pages, classes, and JAR files associated with the Identity Management and Policy Services Core subcomponent.
  The default value is amserver. Do not enter a leading slash.

Common Domain Deployment URI (CDS_DEPLOY_URI)
  URI prefix for accessing the common domain services on the web container.
  The default value is amcommon. Do not enter a leading slash.

Cookie Domain (COOKIE_DOMAIN_LIST)
  The names of the trusted DNS domains that Access Manager returns to a browser when Access Manager grants a session ID to a user.
  You can scope this value to a single top-level domain, such as example.com. The session ID will provide authentication for all subdomains of example.com.
  Alternatively, you can scope the value to a comma-separated list of subdomains, such as .corp.example.com,.sales.example.com. The session ID will provide authentication for all subdomains in the list.
  A leading dot (.) is required for each domain in the list.
  The default value is the current domain, prefixed by a dot (.).

Administration Console: Deploy new console and Use existing console (USE_DSAME_SERVICES_WEB_CONTAINER)
  Choose Deploy new console to deploy the console into the web container of the host on which Access Manager is being installed. Choose Use existing console to use an existing console that is deployed on another host.
  In both cases, you specify the Console Deployment URI and Password Deployment URI. If you choose to use an existing console, you must also specify the Console Host Name and Console Port.
  In a state file, specify true to deploy a new console or false to use an existing console.

Console Deployment URI (CONSOLE_DEPLOY_URI)
  URI prefix for accessing the HTML pages, classes, and JAR files associated with the Access Manager Administration Console subcomponent. Depends on the Access Manager mode:
    Legacy mode (6.x): /amconsole or /amserver
    Realm mode (7.x): /amserver
  The default value is amconsole. Do not enter a leading slash.

Password Deployment URI (PASSWORD_SERVICE_DEPLOY_URI)
  URI that determines the mapping that the web container running Access Manager will use between a string you specify and a corresponding deployed application.
  The default value is ampassword. Do not enter a leading slash.

Console Host Name (CONSOLE_HOST)
  Fully qualified domain name for the server hosting the existing console.
  This value is not needed if you are deploying a new console. In graphical installation mode, you can edit the field only if you are using an existing console.
  The default value contains the value that you provided for Host (IS_SERVER_HOST), a dot, and then the value that you provided for DNS Name in the Common Server Settings. Refer to Common Server Settings.
  As an example, if the host is siroe and the domain is example.com, the default value is siroe.example.com.

Console Port (CONSOLE_PORT)
  Port on which the existing console listens for connections. Permitted values are any valid and unused port number, in the range 0 (zero) through 65535.
  This value is not needed if you are deploying a new console. In graphical installation mode, you can edit the field only if you are using an existing console.
  The default value is the value you provided for one of the following web container ports:
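As an added example (not part of the Java ES installer or of this reference), the following Python script checks a state file fragment against the rules stated in Tables 1–3 through 1–6: the eight-character minimum for IS_ADMINPASSWD, the requirement that IS_LDAPUSERPASSWD differ from it, the recommended 12-character encryption key, the http/https protocol values, the no-leading-slash rule for deployment URIs, the leading dot on each cookie domain, and the console port range. The state file contents are constructed for the example; the parameter names are the ones this reference documents, and the values are made up.

```python
"""Lint a Java ES Access Manager state file against the rules this reference
states. Added example, not part of the Java ES installer."""

# Constructed sample: parameter names are the ones documented here; the
# values are made up and deliberately break several of the rules.
SAMPLE_STATE_FILE = """\
IS_ADMINPASSWD=Secret123
IS_LDAPUSERPASSWD=Secret123
AM_ENC_PWD=LOCK
IS_SERVER_PROTOCOL=http
SERVER_DEPLOY_URI=/amserver
CONSOLE_DEPLOY_URI=amconsole
COOKIE_DOMAIN_LIST=.corp.example.com,sales.example.com
USE_DSAME_SERVICES_WEB_CONTAINER=false
CONSOLE_PORT=70000
"""

DEPLOY_URI_PARAMS = ("SERVER_DEPLOY_URI", "CDS_DEPLOY_URI",
                     "CONSOLE_DEPLOY_URI", "PASSWORD_SERVICE_DEPLOY_URI")

def parse_state_file(text):
    """Return {PARAM: value}, skipping blank lines and '#' comment lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params

def lint_state_file(params):
    """Return a list of findings; an empty list means every rule checked held."""
    findings = []
    get = params.get
    # Table 1-3: amadmin password needs at least eight characters.
    if len(get("IS_ADMINPASSWD", "")) < 8:
        findings.append("IS_ADMINPASSWD: must have at least eight characters")
    # Table 1-3: the amldapuser password must differ from the amadmin password.
    if get("IS_LDAPUSERPASSWD") == get("IS_ADMINPASSWD"):
        findings.append("IS_LDAPUSERPASSWD: must differ from IS_ADMINPASSWD")
    # Table 1-3: a key of 12 or more characters is recommended; the state file
    # default LOCK is shorter than that, so it is flagged as well.
    if len(get("AM_ENC_PWD", "")) < 12:
        findings.append("AM_ENC_PWD: 12 characters or longer is recommended")
    # Tables 1-4 and 1-5: protocol parameters take literally http or https.
    for key in ("IS_SERVER_PROTOCOL", "ASADMIN_PROTOCOL"):
        if key in params and params[key] not in ("http", "https"):
            findings.append(f"{key}: must be http or https")
    # Table 1-6: deployment URIs are entered without a leading slash.
    for key in DEPLOY_URI_PARAMS:
        if get(key, "").startswith("/"):
            findings.append(f"{key}: do not enter a leading slash")
    # Table 1-6: every entry in the cookie domain list needs a leading dot.
    for domain in get("COOKIE_DOMAIN_LIST", "").split(","):
        if domain and not domain.startswith("."):
            findings.append(f"COOKIE_DOMAIN_LIST: {domain} lacks the leading dot")
    # Table 1-6: the console port matters only with an existing console
    # (USE_DSAME_SERVICES_WEB_CONTAINER=false) and must lie in 0..65535.
    if get("USE_DSAME_SERVICES_WEB_CONTAINER") == "false":
        port = get("CONSOLE_PORT", "")
        if not port.isdigit() or int(port) > 65535:
            findings.append("CONSOLE_PORT: must be in the range 0 through 65535")
    return findings
```

Running lint_state_file(parse_state_file(SAMPLE_STATE_FILE)) on the sample reports five findings; a state file that satisfies every rule yields an empty list.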

Installing Access Manager Console (Core Already Installed)

This section describes the services information the installer needs when the following are both true:

Note – You can only install AM Console by itself in Realm mode (7.x). This cannot be done in Legacy mode (6.x).

Table 1–7 Access Manager Services Information for Installing Console Only (Core Already Installed)

Console Deployment URI (CONSOLE_DEPLOY_URI)
  URI prefix for accessing the HTML pages, classes, and JAR files associated with the Access Manager Administration Console subcomponent. Depends on the Access Manager mode:
    Legacy mode (6.x): /amconsole or /amserver
    Realm mode (7.x): /amserver

Password Services Deployment URI (PASSWORD_SERVICE_DEPLOY_URI)
  URI that determines the mapping that the web container running Access Manager will use between a string you specify and a corresponding deployed application.
  The default value is ampassword. Do not enter a leading slash.

Installing Access Manager Console (Core Not Already Installed)

This section describes the services information the installer needs when the following are both true:

Table 1–8 Access Manager Services Information for Installing Console (Core Not Already Installed)

Web Container for Access Manager Administration Console

Console Host Name (CONSOLE_HOST)
  Fully qualified domain name for the host on which you are installing.

Console Deployment URI (CONSOLE_DEPLOY_URI)
  URI prefix for accessing the HTML pages, classes, and JAR files associated with the Access Manager Administration Console subcomponent. Depends on the Access Manager mode:
    Legacy mode (6.x): /amconsole or /amserver
    Realm mode (7.x): /amserver

Password Services Deployment URI (PASSWORD_SERVICE_DEPLOY_URI)
  Deployment URI for the password service.
  The default value is ampassword. Do not enter a leading slash.

Web Container for Access Manager Services

Services Host Name (IS_SERVER_HOST)
  Fully qualified domain name of the host where the Identity Management and Policy Services Core subcomponent is installed.
  The default value is the fully qualified domain name of this host. Use the default value as an example of format only, and edit the value to supply the correct remote host name.
  In a state file, supply the fully qualified domain name of a remote host.

Port (CONSOLE_PORT)
  Port on which the Identity Management and Policy Services Core subcomponent listens for connections. This port is the HTTP or HTTPS port used by the web container.

Services Deployment URI (SERVER_DEPLOY_URI)
  URI prefix for accessing the HTML pages, classes, and JAR files associated with the Identity Management and Policy Services Core subcomponent.
  The default value is amserver. Do not enter a leading slash.

Cookie Domain (COOKIE_DOMAIN_LIST)
  The names of the trusted DNS domains that Access Manager returns to a browser when Access Manager grants a session ID to a user.
  You can scope this value to a single top-level domain, such as example.com. The session ID will provide authentication for all subdomains of example.com.
  Alternatively, you can scope the value to a comma-separated list of subdomains, such as .corp.example.com,.sales.example.com. The session ID will provide authentication for all subdomains in the list.
  A leading dot (.) is required for each domain.
  The default value is the current domain, prefixed by a dot (.).

Installing Access Manager Federation Management (Core Already Installed)

This section describes the services information the installer needs when you are installing only the Common Domain Services for Federation Management subcomponent.

Table 1–9 Access Manager Services Information for Installing Federation Management (Core Already Installed)

Common Domain Deployment URI (CDS_DEPLOY_URI)
  URI prefix for accessing the common domain services on the web container.
  The default value is amcommon. Do not enter a leading slash.

Access Manager: Directory Server Information

The installer needs the following information if you are installing Identity Management and Policy Services Core.

Table 1–10 Directory Server Information for Access Manager

Directory Server Host (IS_DS_HOSTNAME)
  A host name or value that resolves to the host on which Directory Server resides.
  The default value is the fully qualified domain name of the local host. For example, if the local host is siroe.example.com, the default value is siroe.example.com.

Directory Server Port (IS_DS_PORT)
  Port on which Directory Server listens for client connections.
  The default value is 389.

Access Manager Directory Root Suffix (IS_ROOT_SUFFIX)
  Distinguished name (DN) to set as the Access Manager root suffix.
  The default value is based on the fully qualified domain name for this host, minus the host name. For example, if this host is siroe.subdomain.example.com, the value is dc=subdomain,dc=example,dc=com.

Directory Manager DN (IS_DIRMGRDN)
  DN of the user who has unrestricted access to Directory Server.
  The default value is cn=Directory Manager.

Directory Manager Password (IS_DIRMGRPASSWD)
  Password for the directory manager.

Access Manager: Provisioned Directory Information

The information needed to configure a provisioned directory depends on whether the installer detects an existing provisioned directory on your host.

When the installer is generating a state file, IS_EXISTING_DIT_SCHEMA=y is written to the state file if the installer finds an existing provisioned directory. The installer writes IS_EXISTING_DIT_SCHEMA=n to the state file if the installer does not find an existing provisioned directory.

Existing Provisioned Directory Found

If the installer finds an existing provisioned directory, you provide the following information.

Table 1–11 Existing Provisioned Directory Information for Access Manager

User Naming Attribute (IS_USER_NAMING_ATTR)
  Naming attribute used for users in the provisioned directory.
  The default value is uid.

No Existing Provisioned Directory Found

If the installer does not find an existing provisioned directory, you can choose whether to use an existing provisioned directory. If you answer Yes to the first question in this table, you must answer the remaining questions in the table.

Table 1–12 No Existing Provisioned Directory Information for Access Manager

Is Directory Server provisioned with user data? (IS_LOAD_DIT)
  Specifies whether you want to use an existing provisioned directory.
  The default value is No.
  In a state file, permitted values are y or n. The default value is n.

Organization Marker Object Class (IS_ORG_OBJECT_CLASS)
  Object class defined for the organization in the existing provisioned directory.
  This value is used only if the value for the first item in this table is Yes.
  The default value is SunISManagedOrganization.

Organization Naming Attribute (IS_ORG_NAMING_ATTR)
  Naming attribute used to define organizations in the existing provisioned directory.
  This value is used only if the value for the first item in this table is Yes.
  The default value is o.

User Marker Object Class (IS_USER_OBJECT_CLASS)
  Object class defined for users in the existing provisioned directory.
  This value is used only if the value for the first item in this table is Yes.
  The default value is inetorgperson.

User Naming Attribute (IS_USER_NAMING_ATTR)
  Naming attribute used for users in the existing provisioned directory.
  This value is used only if the value for the first item in this table is Yes.
  The default value is uid.