Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

Chapter 8 Installing and Configuring the Protected Resources with Policy Agents

This chapter contains detailed instructions for the following tasks:

8.1 Installing Web Server 1 and Web Policy Agent 1

Use the following as your checklist for installing Web Server 1 and Web Policy Agent 1:

  1. Install Web Server 1 on Protected Resource 1.

  2. Install Web Policy Agent 1.

  3. Verify that Web Policy Agent 1 works properly.

  4. Import the root CA certificate into the Web Server 1 key store.

  5. Verify that the Web Policy Agent is working properly.

  6. Create an agent profile on Access Manager.

  7. Configure the Web Policy Agent to use the new agent profile.

  8. Verify that the Web Policy Agent is working properly.

For this part of the deployment, you must have the JES 5 installer and Web Policy Agent installer mounted on the host Protected Resource 1. See 3.2 Downloading and Mounting the Java Enterprise System 2005Q4 Installer at the beginning of this manual.

Figure 8–1 Protected Resources and Policy Agents

Protected Resources 1 and 2 each contain a web
container and a J2EE container. The Policy Agents are configured to
access Load Balancer 3.

Procedure To Install Web Server 1 on Protected Resource 1

  1. As a root user, log into host ProtectedResource-1.

  2. Start the Java Enterprise System installer with the -nodisplay option.


    # cd /mnt/Solaris_sparc 
    # ./installer -nodisplay
    
  3. When prompted, provide the following information:


    Welcome to the Sun Java(TM) Enterprise System; 
    serious software made simple... 
    <Press ENTER to Continue>

    Press Enter. 


    <Press ENTER to display the Software 
    License Agreement>

    Press Enter. 


    Have you read, and do you accept, all of 
    the terms of the preceding Software 
    License Agreement [No] 

    Enter y.


    Please enter a comma separated list of 
    languages you would like supported with 
    this installation [8]

    Enter 8 for “English only.” 


    Enter a comma separated list of products to 
    install, or press R to refresh the list  []

    Enter 3 to select Web Server.


    Press "Enter" to Continue or Enter a 
    comma separated list of products to deselect... [1] 

    Press Enter. 

    Enter 1 to upgrade these shared components 
    and 2 to cancel  [1]

    You are prompted to upgrade shared components only if the installer detects that an upgrade is required. 

    Enter 1 to upgrade shared components.


    Enter the name of the target 
    installation directory for each product: 
    Web Server [/opt/SUNWwbsvr] : 

    Accept the default value. 


    System ready for installation 
    Enter 1 to continue [1]  

    Enter 1.


    1. Configure Now - Selectively override defaults or 
    express through  
    2. Configure Later - Manually configure following 
    installation 
     Select Type of Configuration [1]  

    Enter 1.


    Common Server Settings  
    Enter Host Name [ProtectedResource-1]

    Accept the default value. 


    Enter DNS Domain Name [example.com]

    Accept the default value. 


    Enter IP Address [xxx.xx.87.180]

    Accept the default value. 


    Enter Server admin User ID [admin]   

    Enter admin.


    Enter Admin User's Password 
    (Password cannot be less than 8 characters) 
    [] 

    For this example, enter web4dmin.


    Confirm Admin User's Password []

    Enter the same password to confirm it. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter Server Admin User ID 
    [admin]

    Accept the default value. 


    Enter Admin User's Password []

    For this example, enter web4dmin.


    Enter Host Name 
    [ProtectedResource-1.example.com]

    Accept the default value. 


    Enter Administration Port [8888]

    Accept the default value. 


    Enter Administration Server User ID 
    [root]

    Accept the default value. 


    Enter System User ID [webservd]

    Enter root.


    Enter System Group [webservd]

    Enter root.

    This example runs the Web Server instance as root to keep the lab deployment simple. Outside a lab, run the instance as an unprivileged user such as the default webservd, so that a compromise of the web server or of the policy agent running inside it does not yield root on the host.


    Enter HTTP Port [80] 

    Enter 1080.


    Enter content Root [/opt/SUNWwbsvr/docs]

    Accept the default value. 


    Do you want to automatically start 
    Web Server when system re-starts.(Y/N)    [N] 

    Accept the default value. 


    Ready to Install
    1. Install 2. Start Over 3. Exit Installation
    What would you like to do [1] 

    First, see the next numbered (Optional) step. When ready to install, enter 1.

  4. (Optional) During installation, you can monitor the log to watch for installation errors. Example:

    # cd /var/sadm/install/logs
    # tail -f Java_Enterprise_System_install.Bxxxxxxxx

  5. Upon successful installation, enter ! to exit.

  6. Verify that the Web Server is installed properly.

    1. Start the Web Server administration server to verify it starts with no errors.

      # cd /opt/SUNWwbsvr/https-admserv

      # ./stop; ./start

    2. Run the netstat command to verify that the Web Server ports are open and listening.


      # netstat -an | grep 8888
        *.8888			*.*			0		0	49152		0	LISTEN
    3. Go to the Web Server URL.

      http://ProtectedResource-1.example.com:8888

    4. Log in to the Web Server using the following information:

      Username

      admin

      Password

      web4dmin

      You should be able to see the Web Server console. You can log out of the console now.

    5. Start the Protected Resource 1 instance.


      # cd /opt/SUNWwbsvr/https-ProtectedResource-1.example.com
      # ./stop; ./start
    6. Run the netstat command to verify that the Web Server ports are open and listening.


      # netstat -an | grep 1080
        *.1080			*.*			0		0	49152		0	LISTEN
    7. Go to the instance URL.

      http://ProtectedResource-1.example.com:1080

      You should see the default Web Server index page.

Procedure To Install Web Policy Agent 1

Before You Begin

Caution –

Due to a known problem with this version of the Web Policy Agent, you must start an X-display session on the server host using a program such as Reflections X or VNC, even though you use the command-line installer. For more information about this known problem, see http://docs.sun.com/app/docs/doc/819-2796/6n52flfoq?a=view#adtcd.


  1. As a root user, log in to host ProtectedResource-1.

  2. Download the Java System Web Policy Agents 2.2 package from the following website:

    http://www.sun.com/download

  3. Unpack the downloaded package.

    In this example, the package was downloaded into the directory /temp.


    # cd /temp
    # gunzip sun-one-policy-agent-2.2-es6-solaris_sparc.tar.gz
    # tar -xvof sun-one-policy-agent-2.2-es6-solaris_sparc.tar
  4. Start the Web Policy Agents installer.

    # ./setup -nodisplay

  5. When prompted, provide the following information:


    When you are ready, press Enter to continue. 
    <Press ENTER to Continue>

    Press Enter. 


    Press ENTER to display the Sun Software 
    License Agreement

    Press Enter. 


    Have you read, and do you accept, all of 
    the terms of the preceding Software License 
    Agreement [no] y

    Enter y.


    Install the Sun Java(tm) System Access Manager 
    Policy Agent in this directory [/opt] :

    Accept the default value. 


    Enter information about the server instance this 
    agent will protect. 
    Host Name [ProtectedResource-1.example.com]:

    Accept the default value. 


    Web Server Instance Directory []:

    Enter /opt/SUNWwbsvr/https-ProtectedResource-1.example.com


    Web Server Port [80]:

    Enter 1080.


     Web Server Protocol [http] 

    Accept the default value. 


    Agent Deployment URI [/amagent]:

    Accept the default value. 


    Enter the Sun Java(tm) System Access Manager
    Information for this Agent.
    Primary Server Host [ProtectedResource-1.example.com] :

    Enter the host name of Load Balancer 3, the load balancer in front of the Access Manager servers. For this example, enter LoadBalancer-3.example.com.


    Primary Server Port [1080]

    Enter the load balancer HTTP port number. For this example, enter 90.


    Primary Server Protocol [http]: 

    Accept the default value. 


    Primary Server Deployment URI [/amserver]: 

    Accept the default value. 


    Primary Console Deployment URI [/amconsole] :

    Accept the default value. 


    Failover Server Host [] :

    Accept the default value. 


    Agent-Access Manager Shared Secret:

    Enter the amldapuser password that was entered when Access Manager was installed. For this example, enter 4mld4puser.


    Re-enter Shared Secret: 

    Enter the 4mld4puser password again to confirm it.


    CDSSO Enabled [false]:

    Accept the default value. 


    Press "Enter" when you are ready to continue.

    First, see the next (Optional) numbered step. When you are ready to start installation, press Enter. 

  6. (Optional) During installation, you can monitor the log to watch for installation errors. Example:


    # cd /var/sadm/install/logs
    # tail -f Sun_Java_tm__System_Access_Manager_Policy_Agent_install.Bxxxxxxxx
    
  7. Modify the AMAgent.properties file.


    # cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-1.example.com

    Make a backup of AMAgent.properties before setting the following property, which sends users to the Distributed Authentication UI behind Load Balancer 4 instead of to the Access Manager login page:

    com.sun.am.policy.am.login.url = https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users

  8. Restart the Web Server.


    # cd /opt/SUNWwbsvr/https-ProtectedResource-1.example.com
    # ./stop; ./start

    Examine the Web Server log for startup errors.


    # cd /opt/SUNWwbsvr/https-ProtectedResource-1.example.com/logs
    # vi errors

Procedure To Verify that Web Policy Agent 1 Works Properly

  1. Start a new browser and go to the Access Manager URL.

    Example: https://loadbalancer-3.example.com:9443/amserver/console

  2. Log in to the Access Manager console using the following information:

    Username

    amadmin

    Password

    4m4dmin1

  3. Create a referral policy in the top-level realm.

    1. On the Access Control tab, under Realms, click example.com.

    2. Click the Policies tab.

    3. On the Policies tab for example.com-Policies, click New Referral.

    4. In the New Policy page, provide the following information:

      Name:

      Referral URL Policy for users realm.

      Active:

      Mark the Yes checkbox.

    5. On the same page, in the Rules section, click New.

    6. Select a Service Type.

      On the page “Step 1 of 2: Select Service Type for the Rule,” select URL Policy Agent (with resource name)

    7. Click Next.

    8. On the page “Step 2 of 2: New Rule,” provide the following information:

      Name:

      URL Rule for ProtectedResource-1

      Resource Name:

      http://ProtectedResource-1.example.com:1080/*

    9. Click Finish.

    10. On the same page, in the Referrals section, click New.

    11. In the New Referral — Sub Realm page, provide the following information:

      Name:

      Sub-Realm users

      Filter:

      Type an asterisk (*), and then click Search.

      Value:

      In the list, choose users.

    12. Click Finish.

    13. On the New Policy page, click Create.

      In the Policies tab for example.com — Policies, you should see the policy named “Referral URL Policy for users realm.”

  4. Create a policy in the users realm.

    1. Click Realms.

    2. On the Access Control tab, under Realms, click the Realm Name users.

    3. Click the Policies tab.

    4. On the Policies tab for users-Policies, click New Policy.

    5. In the New Policy page, provide the following information:

      Name:

      URL Policy for ProtectedResource-1

      Active:

      Mark the Yes checkbox.

    6. On the same page, in the Rules section, click New.

    7. On the page “Step 1 of 2: Select Service Type for the Rule,” click Next.

      The Service Type “URL Policy Agent (with resource name)” is the only choice.

    8. On the page “Step 2 of 2: New Rule,” provide the following information:

      Name:

      URL Rule for ProtectedResource-1

      Resource Name:

      Click the URL listed in the Parent Resource Name list: http://ProtectedResource-1.example.com:1080/*

      The URL is automatically added to the Resource Name field.

      GET:

      Mark this checkbox, and select the Allow value.

      POST:

      Mark this checkbox, and select the Allow value.

    9. Click Finish.

  5. Create a new subject.

    On the New Policy page, in the Subjects section, click New.

    1. Select the subject type and then click Next.

      On the page “Step 1 of 2: Select Subject Type,” select the “Access Manager Identity Subject” type.

    2. On the page “Step 2 of 2: New Subject — Access Manager Identity Subject,” provide the following information:

      Name:

      Enter Test Subject.

      Filter:

      Choose User, and then click Search. Four users are added to the Available list.

      Available:

      In the list, select testuser1, and then click Add.

      The user testuser1 is added to the Selected list.

    3. Click Finish.

  6. In the New Policy page, click Create.

    On the Policies tab for users-Policies, the new policy “URL Policy for ProtectedResource-1” is now in the Policies list.

  7. Log out of the console.

  8. Verify that an authorized user can access the Web Server 1.

    1. Go to the following URL:

      http://ProtectedResource-1.example.com:1080

    2. Log in to Access Manager using the following information:

      Username

      testuser1

      Password

      password

      You should see the default index.html page for Web Server 1.

      The user testuser1 was configured in the test policy to be allowed to access Protected Resource 1.

  9. Verify that an unauthorized user cannot access the Web Server 1.

    1. Go to the following URL:

      http://ProtectedResource-1.example.com:1080

    2. Log in to Access Manager using the following information:

      Username

      testuser2

      Password

      password

      You should see the message, “You're not authorized to view this page.”

      The user testuser2 was not included in the test policy that allows access to Protected Resource 1.

Procedure To Import the Root CA Certificate into the Web Server 1 Key Store

The Web Policy Agent on Protected Resource 1 connects to the Access Manager servers through Load Balancer 3. The load balancer is SSL-enabled, so the agent must trust the load balancer's SSL server certificate in order to establish the SSL connection. The web agent uses the Web Server 1 certificate database, so import the root CA certificate that issued the Load Balancer 3 SSL server certificate into the Web Server 1 trust database.

Before You Begin

Obtain the root CA certificate that issued the Load Balancer 3 SSL server certificate.

  1. Copy the root CA certificate to Protected Resource 1. In this example, the file is /export/software/ca.cert.

  2. Open a browser, and go to the Web Server 1 administration console.

    http://ProtectedResource-1.example.com:8888

  3. Log in to the Web Server 1 console using the following information:

    User Name:

    admin

    Password:

    web4dmin

  4. In the Select a Server field, select ProtectedResource-1.example.com, and then click Manage.


    Tip –

    If a “Configuration files have not been loaded” message is displayed, it may be that the administration server has never been accessed, and so the configuration files have never been loaded. First click Apply, and then click Apply Changes. The configuration files are read, and the server is stopped and restarted.


  5. Click the Security tab.

  6. On the Initialize Trust Database page, enter a Database Password.

    For this example, enter password. Enter the password again to confirm it, and then click OK.

  7. In the left frame, click Install Certificate and provide the following information, and then click OK:

    Certificate For:

    Choose Trusted Certificate Authority (CA).

    Key Pair File Password:

    Enter the trust database password you set in step 6. For this example, password

    Certificate Name:

    OpenSSL_CA_Cert

    Message in this File:

    /export/software/ca.cert

  8. Click Add Server Certificate.

  9. Click Manage Certificates.

    The root CA Certificate name OpenSSL_CA_Cert is included in the list of certificates.

  10. Click the Preferences tab.

  11. Restart Web Server 1.

    On the Server On/Off page, click Server Off. When the page indicates that the server is off, click Server On.

  12. Configure the Web Policy Agent 1 to point to the Access Manager SSL port.

    1. Edit the AMAgent.properties file.

      # cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-1.example.com

      Make a backup of the AMAgent.properties file before setting the following property. The line must not begin with #, or the agent ignores it and keeps using the HTTP port:

      com.sun.am.naming.url = https://LoadBalancer-3.example.com:9443/amserver/namingservice

      The agent installer set this property from the primary server values you entered (HTTP, port 90). After this change the agent fetches the naming service over SSL, which is why the root CA certificate must be in the Web Server 1 trust database.

    2. Save the file.

  13. Restart Web Server 1.

    # cd /opt/SUNWwbsvr/https-ProtectedResource-1.example.com
    # ./stop; ./start

Procedure To Verify that the Web Policy Agent is Working Properly

  1. Verify that an authorized user can access the Web Server 1.

    1. Go to the following URL:

      http://ProtectedResource-1.example.com:1080

    2. Log in to Access Manager using the following information:

      Username

      testuser1

      Password

      password

      You should see the default index.html page for Web Server 1.

      The user testuser1 was configured in the test policy to be allowed to access Protected Resource 1.

  2. Verify that an unauthorized user cannot access the Web Server 1.

    1. Go to the following URL:

      http://ProtectedResource-1.example.com:1080

    2. Log in to Access Manager using the following information:

      Username

      testuser2

      Password

      password

      You should see the message, “You're not authorized to view this page.”

      The user testuser2 was not included in the test policy that allows access to Protected Resource 1.

Procedure To Create an Agent Profile on Access Manager

By default, the web agent authenticates to Access Manager as the account with the uid UrlAccessAgent. Creating an agent profile is not a requirement for Web Policy Agents; you can keep the default values and never change the Web Policy Agent user name. In certain cases, however, you might want to change these defaults. For example, if you want to audit the interactions between multiple agents and the Access Manager server, you need to be able to distinguish one agent from another, which is not possible if all the agents use the same default agent account. A profile per agent also means that a password recovered from one protected resource does not authenticate every other agent. For more information, see the Sun Java System Access Manager Policy Agent 2.2 User's Guide.

  1. Create an agent profile on Access Manager.

    This new account will be used by Web Policy Agent 1 to access the Access Manager server.

    1. Go to the Access Manager load balancer URL:

      https://LoadBalancer-3.example.com:9443/amserver/UI/Login

    2. Log in to the Access Manager console using the following information:

      Username

      amadmin

      Password

      4m4dmin1

    3. On the Access Control tab, under Realms, click the realm name example.com.

    4. Click the Subjects tab.

    5. Click the Agents tab.

    6. On the Agent page, click New.

    7. On the New Agent page, provide the following information:

      ID:

      webagent-1

      Password:

      web4gent1

      Password Confirm:

      web4gent1

      Device State:

      Choose Active.

    8. Click Create.

      The new agent webagent-1 is now displayed in the list of Agent Users.

ProcedureTo Configure the Web Policy Agent to Use the New Agent Profile

  1. Log in as a root user to Protected Resource 1.

  2. Run the crypt_util utility.

    The utility encrypts the password.

    # cd /opt/SUNWam/agents/bin
    # ./crypt_util web4gent1
    BXxzBswD+PZdMRDRMXQQA==

    Copy the encrypted password, and save it in a text file.

  3. Edit the AMAgent.properties file.


    # cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-1.example.com

    Make a backup of AMAgent.properties before you make the following changes in the file:

    com.sun.am.policy.am.username = webagent-1
    com.sun.am.policy.am.password = BXxzBswD+PZdMRDRMXQQA==

    Use the encrypted password obtained in the previous step. The first property is the agent user name (the default is UrlAccessAgent); the second is its encrypted password.

    Save the file.

  4. Restart Web Server 1.

    # cd /opt/SUNWwbsvr/https-ProtectedResource-1.example.com
    # ./stop; ./start
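The three AMAgent.properties edits in this chapter (the login URL in step 7 of the agent install, the naming URL in step 12 of the CA certificate import, and the user name and password above) are each a hand edit of a file that holds the agent's credentials. The following helper script, added here and not part of the Sun guide or of the agent distribution, makes the same edit with a backup and a read-back check, and refuses to treat a commented-out line as the live setting. It assumes the property names shown in this chapter; the properties file it operates on is constructed inside the script, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the Sun deployment guide. Edits AMAgent.properties
# the way this chapter does by hand, with a backup and a read-back so a
# misspelled key, or a line left commented out with a leading "#", cannot
# silently leave the installer's default in force. The sample file is
# constructed below; property names are the ones the chapter uses.

# am_set_prop FILE KEY VALUE: replace the active "KEY = ..." line, or append
# one if KEY is absent or present only inside a comment.
am_set_prop() {
    file=$1; key=$2; value=$3
    # keep the installer's original once, and the previous state every time
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    cp -p "$file" "$file.bak" || return 1
    # awk, not sed: keys contain dots and values contain "/", "?" and "=".
    awk -v k="$key" -v v="$value" '
        {
            i = index($0, "=")
            name = ""
            if (i > 0) { name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name) }
            # a commented line has "#" in its name and never matches
            if (name == k) { print k " = " v; done = 1; next }
            print
        }
        END { if (!done) print k " = " v }
    ' "$file" > "$file.tmp" || return 1
    # copying over the original keeps its owner and mode (the file holds
    # the encrypted agent password and should stay readable by root only)
    cp "$file.tmp" "$file" && rm -f "$file.tmp"
}

# am_get_prop FILE KEY: print the value of the last active definition of KEY.
am_get_prop() {
    awk -v k="$2" '
        {
            i = index($0, "=")
            if (i == 0) next
            name = substr($0, 1, i - 1); gsub(/[ \t]/, "", name)
            if (name == k) {
                v = substr($0, i + 1); sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            }
        }
        END { print v }
    ' "$1"
}

# am_demo: build a constructed AMAgent.properties and apply the chapter's
# edits to it. Prints the path of the edited file.
am_demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/AMAgent.properties"
    # constructed sample mirroring the values this chapter changes: the
    # default agent user, and the naming URL on the load balancer HTTP port
    cat > "$f" <<'EOF'
# Sample AMAgent.properties (constructed for this example)
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = ENCRYPTED_DEFAULT
com.sun.am.naming.url = http://LoadBalancer-3.example.com:90/amserver/namingservice
# com.sun.am.policy.am.login.url = http://LoadBalancer-3.example.com:90/amserver/UI/Login
EOF
    am_set_prop "$f" com.sun.am.policy.am.login.url \
        'https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users' || return 1
    am_set_prop "$f" com.sun.am.naming.url \
        'https://LoadBalancer-3.example.com:9443/amserver/namingservice' || return 1
    am_set_prop "$f" com.sun.am.policy.am.username webagent-1 || return 1
    am_set_prop "$f" com.sun.am.policy.am.password 'BXxzBswD+PZdMRDRMXQQA==' || return 1
    echo "$f"
}
```

On the real host, call am_set_prop with the path under /etc/opt/SUNWam/agents/es6/config and then restart the Web Server as in step 4; am_get_prop on the same key confirms what the agent will read before you restart.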

Procedure To Verify that the Web Policy Agent is Working Properly

  1. Verify that an authorized user can access the Web Server 1.

    1. Go to the following URL:

      http://ProtectedResource-1.example.com:1080

    2. Log in to Access Manager using the following information:

      Username

      testuser1

      Password

      password

      You should see the default index.html page for Web Server 1.

      The user testuser1 was configured in the test policy to be allowed to access Protected Resource 1.

  2. Verify that an unauthorized user cannot access the Web Server 1.

    1. Go to the following URL:

      http://ProtectedResource-1.example.com:1080

    2. Log in to Access Manager using the following information:

      Username

      testuser2

      Password

      password

      You should see the message, “You're not authorized to view this page.”

      The user testuser2 was not included in the test policy that allows access to Protected Resource 1.

8.2 Installing Application Server 1 and J2EE Policy Agent 1

You must have the WebLogic Application Server installer and the Sun J2EE Policy Agent installer mounted on Protected Resource 1.

Use the following as your checklist for installing Application Server 1 and the J2EE Policy Agent 1:

  1. Install Application Server 1 on Protected Resource 1.

  2. Create an agent profile on Access Manager.

  3. Run the J2EE Policy Agent installer on Application Server 1.

Procedure To Install Application Server 1 on Protected Resource 1

  1. Obtain the Application Server installer from BEA.

  2. Start the installer.


    # /download_directory/export/weblogic/server910_solaris32.bin
  3. Provide the following information when prompted:


    Welcome...
    You may quit the installer at any time by 
    typing "Exit."
    Enter [Exit][Next]

    Enter Next.


    Select Option:
    1. Yes, I agree with the terms of 
    the license.
    2. No, I do not agree with the terms 
    of the license.

    Enter 1.


    Choose BEA Home Directory [/usr/local/bea]:

    Press Enter to accept the default value and continue. 


    Choose Install Type :
    ->1|Complete
      2|Custom

    Enter 2.


    Release 9.1.0.0
        WebLogic Server [1]
            Server [1.1]
            Server Examples [1.2]
            Web Server Plug-ins [1.3]
    
    Choose Components to install:

    Press Enter to continue. 


    Choose Product Directory [/usr/local/bea/weblogic91]:

    Press Enter to accept the default value and continue. 


    Choose Product Directory 
    [Yes, use this product directory]:
    ->|Yes
      |No

    Press Enter to confirm the default value and continue. 


    Installation Complete
    Press [Enter] to continue...

    Press Enter. 

  4. Create a new domain.

    1. Start the BEA WebLogic Configuration Wizard.


      # cd /usr/local/bea/weblogic91/common/bin
      # ./config.sh
    2. Provide the following information:


      Welcome...
      
      ->1| Create a new WebLogic domain.
        2| Extend an existing WebLogic domain.

      Press Enter to accept the default value 1.


      Select Domain Source:
      ->1| Choose WebLogic Platform components
        2| Choose custom template

      Press Enter to accept the default value 1.


      Application Template Selection:
      Available Templates
            WebLogic Server (Required)x
            Apache Beehive [2]

      Press Enter to accept the default value and continue. 


      Configure Administrator Username and Password:
      Select Option:
      1- Modify "user name"
      2- Modify "user password"
      3- Modify "Confirm user password"
      4- Modify "Description'
      5- Discard changes	

      Enter 2 to modify the user password.


      Input User password : 

      Enter w3bl0g1c.


      Configure Administrator Username and Password:
      1- *User name:  weblogic
      2- *User password:	  ********
      3- *Confirm user password:  ******
      4- Description:  This user is the 
      default administrator
      
      
      Select Option:
      1- Modify "user name"
      2- Modify "user password"
      3- Modify "Confirm user password"
      4- Modify "Description'
      5- Discard changes	

      Enter 3 to confirm user password.


      Confirm user password:

      Enter w3bl0g1c.


      Configure Administrator Username and Password:
      1- *User name:  weblogic
      2- *User password:  ********
      3- *Confirm user password:  ********
      4- Description:  This user is the 
      default administrator
      
      
      Select Option:
      1- Modify "user name"
      2- Modify "user password"
      3- Modify "Confirm user password"
      4- Modify "Description'
      5- Discard changes	

      Press Enter to accept the values and continue. 


      Domain Mode Configuration:
      ->1| Development Mode
        2| Production Mode

      Enter 2 to select Production Mode.


      Java SDK Selection:
      ->1| Sun SDK 1.5.0_04 @ /usr/local/bea/jdk150_04
        2| Other Java SDK

      Press Enter to accept the default value and continue. 


      Choose Configuration Option:
        1|Yes
      ->2|No

      Enter 1 .


      Configure the Administration Server:
      
      Select Option:
      1- *Name:	AdminServer
      2- Listen address:		All Local Addresses
      3- Listen port:	7001
      4- SSL listen port	:  N/A
      5- SSL enabled:	false
      
      Select Option:
      1- Modify "Name"
      2- Modify "Listen address"
      3- Modify "Listen port"
      4- Modify "SSL enabled"

      Press Enter to Continue.  


      Configure Managed Servers:
      Add or delete configuration information for 
      Managed Servers...
      
      Enter name for a new...

      Enter ApplicationServer-1.


      Configure Managed Servers:
      Add or delete configuration information for 
      Managed Servers...
      Name:  ApplicationServer-1
      Listen address:  All Local Addresses
      Listen port:  7001
      SSL listen port:  N/A
      SSL enabled:  false
      
      Select Option:
      1- Modify "Name"
      2- Modify "Listen address"
      3- Modify "Listen port"
      4- Modify "SSL enabled"
      5- Done

      Enter 3 to modify the Listen port.


      Modify “Listen port.”

      Enter 1081.


      Configure Managed Servers:
      Add or delete configuration information for 
      Managed Servers...
      Name:  ApplicationServer-1
      Listen address:  All Local Addresses
      Listen port:  1081
      SSL listen port:  N/A
      SSL enabled:  false
      
      Select Option:
      1- Modify "Name"
      2- Modify "Listen address"
      3- Modify "Listen port"
      4- Modify "SSL enabled"
      5- Done

      Press Enter to continue. 


      Configure Clusters:
      Enter name for a new Cluster

      Press Enter to continue. 


      Configure Machines:
      Enter name for a new Machine

      Press Enter to continue. 


      Configure Unix Machines:
      Enter name for a new Unix Machine

      Enter ProtectedResource-1.


      Configure Unix Machines:
      Add or delete configuration information for 
      machines:
      1- Name:  ProtectedResource-1
      2- Post bind GID enabled:  false
      3- Post bind GID:  nobody
      4- Post bind UID enabled:  false
      5- Post bind UID:  nobody
      6- Node manager listen address:  localhost
      7- Node manager listen port:  5556

      Press Enter to accept these values. 


      Configure Unix machines:
      
      Name:  ProtectedResource-1
      
      Select Option:
      1- Add Unix machine
      2- Modify Unix machine
      3- Delete unix machine
      4- Discard Changes

      Enter 1 to add a Unix machine.


      Enter name for a new Unix Machine.

      Enter ProtectedResource-2.


      Configure Unix Machines:
      1- Name:  ProtectedResource-2
      2- Post bind GID enabled:  false
      3- Post bind GID:  nobody
      4- Post bind UID enabled:  false
      5- Post bind UID:  nobody
      6- Node manager listen address:  localhost
      7- Node manager listen port:  5556

      Press Enter to accept these values. 


      Assign Servers to Machines:			
      
      Machine
      			Unix Machine
      						ProtectedResource-1 [1.1]
      						ProtectedResource-2	[1.2]

      Press Enter to continue. 


      Select the target domain directory for this domain:

      Press Enter to continue. 


      Edit Domain Information:
      Enter value for "Name."		

      Enter ProtectedResource-1.


      Edit Domain Information:
      1- Name:	ProtectedResource-1
      
      Select Option:
      1- Modify "Name"
      2- Discard Changes

      Press Enter to continue. 


      Installation Complete
      Press [Enter] to continue...

      Press Enter. 

  5. Create two files necessary to automate Application Server 1 startup.

    Create one file in the directory for the Application Server 1 administration server, and create one file in the Application Server 1 instance directory. Each file stores the administrative user name and password, which Application Server 1 reads during start-up; without these files an unattended start fails because the server prompts for credentials. WebLogic encrypts the values in boot.properties the first time the server starts, but until then the password is on disk in clear text, and the key used for that encryption (SerializedSystemIni.dat in the domain's security directory) is stored alongside the domain. Restrict each boot.properties file to its owner (mode 0600) and do not treat the encryption as a substitute for file permissions.


    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/servers/AdminServer
    # mkdir security
    # cd security/
    # cat > boot.properties
    username=weblogic
    password=w3bl0g1c
    ^D
    
    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/servers/ApplicationServer-1
    # mkdir security
    # cd security/
    # cat > boot.properties
    username=weblogic
    password=w3bl0g1c
    ^D
  6. Start the servers.


    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # nohup ./startWebLogic.sh &
    # tail -f nohup.out
    
    ...
    # netstat -an | grep 7001
    xxx.xx.72.151.7001    *.*                  0      0 49152   0 LISTEN
    127.0.0.1.7001        *.*                  0      0 49152   0 LISTEN
    #
    # nohup ./startManagedWebLogic.sh ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &
    
    # netstat -an | grep 1081
    xxx.xx.72.151.1081    *.*                  0      0 49152   0 LISTEN
    127.0.0.1.1081        *.*                  0      0 49152   0 LISTEN
    xxx.xx.72.151.33425   xxx.xx.72.151.1081   49152  0 49152   0 ESTABLISHED
    xxx.xx.72.151.1081    xxx.xx.72.151.33425  49152  0 49152   0 ESTABLISHED
  7. Verify that Application Server 1 is up and running.

    1. Go to the following URL:

      http://ProtectedResource-1.example.com:7001/console

    2. Log in to the Application Server 1 console using the following information:

      Username

      weblogic

      Password

      w3bl0g1c

      Verify that you can successfully log into the console.

    3. Under Domain Structure, expand the Environment object.

    4. Click Servers.

      On the Summary of Servers page, verify that both AdminServer(admin) and ApplicationServer-1 are running and OK.
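The chapter verifies each server start with netstat -an | grep PORT (Web Server ports 8888 and 1080 in 8.1, WebLogic ports 7001 and 1081 in step 6 above). A substring grep also matches established connections, remote ports and any port that merely contains the digits, as the 1081 output in step 6 shows. The following helpers, added here and not part of the Sun guide or of either product, match only a LISTEN socket on the named local port and can wait for a slow start instead of relying on a sleep. The netstat sample embedded in the script is constructed from the output shown in this chapter; the address formats handled are the Solaris one (*.1080, 127.0.0.1.7001) and the Linux/BSD one (0.0.0.0:1080).

```shell
#!/bin/sh
# Added example, not from the Sun deployment guide. Replaces the chapter's
# "netstat -an | grep PORT" start-up check with one that matches only a
# LISTEN socket whose local address ends in the given port, and that can
# wait for a slow start (WebLogic takes a while to bind 7001 and 1081).

# listen_lines PORT: read "netstat -an" output on stdin and print the LISTEN
# lines whose local address ends in ".PORT" or ":PORT". Exit 0 if any matched.
# On a LISTEN line only the local address carries a port, so scanning every
# field is safe; ESTABLISHED lines are skipped before the port is examined.
listen_lines() {
    awk -v p="$1" '
        /LISTEN/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ ("[.:]" p "$")) { print; found = 1; break }
        }
        END { exit (found ? 0 : 1) }
    '
}

# port_listening PORT: true if a local socket is listening on PORT right now.
port_listening() {
    netstat -an 2>/dev/null | listen_lines "$1" >/dev/null
}

# wait_for_port PORT SECONDS: poll once a second until PORT is listening or
# the timeout (default 60 s) expires; returns 1 on timeout so a start script
# can abort instead of proceeding against a server that never came up.
wait_for_port() {
    port=$1; n=${2:-60}
    while [ "$n" -gt 0 ]; do
        port_listening "$port" && return 0
        n=$((n - 1)); sleep 1
    done
    echo "timed out waiting for port $port" >&2
    return 1
}

# sample_netstat: constructed Solaris "netstat -an" output, assembled from the
# lines this chapter shows, so listen_lines can be exercised without a server.
sample_netstat() {
    cat <<'EOF'
*.8888                *.*                  0      0 49152   0 LISTEN
*.1080                *.*                  0      0 49152   0 LISTEN
xxx.xx.72.151.7001    *.*                  0      0 49152   0 LISTEN
127.0.0.1.7001        *.*                  0      0 49152   0 LISTEN
xxx.xx.72.151.33425   xxx.xx.72.151.1081   49152  0 49152   0 ESTABLISHED
xxx.xx.72.151.1081    xxx.xx.72.151.33425  49152  0 49152   0 ESTABLISHED
EOF
}
```

In a start script, `nohup ./startWebLogic.sh & wait_for_port 7001 120 || exit 1` before starting the managed server replaces the manual tail of nohup.out followed by a netstat.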

Procedure To Create an Agent Profile on Access Manager

This new account will be used by J2EE Policy Agent 1 to authenticate to the Access Manager server.

  1. Go to the Access Manager load balancer URL:

    https://LoadBalancer-3.example.com:9443/amserver/UI/Login

  2. Log in to the Access Manager console using the following information:

    Username

    amadmin

    Password

    4m4dmin1

  3. On the Access Control tab, under Realms, click the realm name example.com.

  4. Click the Subjects tab.

  5. Click the Agents tab.

  6. On the Agent page, click New.

  7. On the New Agent page, provide the following information:

    ID:

    j2eeagent-1

    Password:

    j2ee4gent1

    Password Confirm:

    j2ee4gent1

    Device State:

    Choose Active.

  8. Click Create.

    The new agent j2eeagent-1 is now displayed in the list of Agent Users.

  9. Log out of the Access Manager console.

  10. Create a text file, and add the Agent Profile password to the file.

    The J2EE Policy Agent installer requires this file for installation.

    # cd /opt/j2ee_agents/am_wl9_agent
    # cat > agent_pwd
    j2ee4gent1
    ^D

Procedure: To Run the J2EE Policy Agent Installer on Application Server 1

Before You Begin

Application Server 1 must be stopped when you install J2EE Policy Agent 1: stop both the Application Server 1 instance and the administration server before you run the installer.


    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin/
    # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    # ./stopWebLogic.sh
  1. Unpack the J2EE Policy Agent bits.


    # cd /opt
    # /usr/sfw/bin/gtar -xvf /export/software/SJS_Weblogic_9_agent_2.2.tar
  2. Start the J2EE Policy Agent installer.

    # cd /opt/j2ee_agents/am_wl9_agent/bin
    # ./agentadmin --install
  3. When prompted, provide the following information:


    Please read the following License Agreement carefully:

    Press Enter to continue. Continue to press Enter until you reach the end of the License Agreement. 


    Enter startup script location.

    Enter /usr/local/bea/user_projects/domains/ProtectedResource-1/bin/startWebLogic.sh.
    

    Enter the WebLogic Server instance name: [myserver]

    Enter ApplicationServer-1.


    Access Manager Services Host:

    Enter LoadBalancer-3.example.com.


    Access Manager Services port: [80]

    Enter 90.


    Access Manager Services Protocol: [http]

    Enter http.


    Access Manager Services Deployment URI: [/amserver]

    Accept the default value. 


    Enter the Agent Host name:

    Enter ProtectedResource-1.example.com.


    Enter the WebLogic home directory: 
    [usr/local/bea/weblogic90]

    Enter /usr/local/bea/weblogic91.


    Enter the port number for 
    Application Server instance [80]:

    Enter 1081.


    Enter the Preferred Protocol for 
    Application instance [http]:

    Accept the default value. 


    Enter the Deployment URI for 
    the Agent Application [/agentapp]

    Accept the default value. 


    Enter the Encryption Key 
    [Q558gNigkno4dGZmPtgGs4K1HL1153QD]:

    Accept the default value. 


    Enter the Agent Profile name:

    Enter j2eeagent-1.


    Enter the path to the password file:

    Enter /opt/j2ee_agents/am_wl9_agent/agent_pwd.


    Are the Agent and Access Manager installed on 
    the same instance of Application Server? [false]:

    Accept the default value. 


    Verify your settings and decide from 
    the choices below:
    1. Continue with Installation
    2. Back to the last interaction
    3. Start Over
    4. Exit
    Please make your selection [1]:

    Accept the default value. 

    The J2EE Policy Agent installer creates a new file in the Application Server bin directory:


    /usr/local/bea/user_projects/domains/ProtectedResource-1/bin/setAgentEnv_ApplicationServer-1.sh
  4. Modify the Application Server startup script to reference the new file.

    1. As a root user, log into ProtectedResource-1.


      # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin/
    2. Make a backup of setDomainEnv.sh.

    3. In setDomainEnv.sh, insert the following line at the end of the file:


      . /usr/local/bea/user_projects/domains/ProtectedResource-1/bin/setAgentEnv_ApplicationServer-1.sh

      This command references the file the installer created in the Application Server bin directory.

    4. Save the setDomainEnv.sh file.

    5. Change permissions for the setAgentEnv_ApplicationServer-1.sh file:

      # chmod 755 setAgentEnv_ApplicationServer-1.sh

  5. Start the Application Server administration server.


    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # nohup ./startWebLogic.sh &
    # tail -f nohup.out

    Watch for startup errors.

8.3 Completing the J2EE Policy Agent 1 Installation

The J2EE Policy Agent is not yet ready to begin working. In the following procedures, you deploy the policy agent application, set up an authentication provider, and modify the Bypass Principal List. All of these tasks must be completed before the agent can do its job.

Use the following as your checklist for completing the J2EE Policy Agent 1 installation:

  1. Modify the Application Server startup file.

  2. Deploy the J2EE Policy Agent application.

  3. Start the agent application.

  4. Set up the agent authentication provider.

  5. Edit the AMAgent.properties file.

Procedure: To Modify the Application Server Startup File

  1. Go to the following Protected Resource 1 directory.

    The J2EE Policy Agent installer creates a new file in the Application Server bin directory:

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin

  2. Make a backup of the file setDomainEnv.sh.

  3. At the end of the setDomainEnv.sh file, append the following two lines:


    echo "Setting Policy Agent Env..."
    . /usr/local/bea/user_projects/domains/ProtectedResource-1/bin/setAgentEnv_ApplicationServer-1.sh

    This command references the file the installer created in the Application Server bin directory.

  4. Save the setDomainEnv.sh file.

  5. Change permissions for the setAgentEnv_ApplicationServer-1.sh file:


    # chmod 755 setAgentEnv_ApplicationServer-1.sh
  6. Stop Application Server 1.

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001 
  7. Stop the administration server.

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # ./stopWebLogic.sh
  8. Start the administration server.

    # nohup ./startWebLogic.sh &
    # tail -f nohup.out

    Watch for startup errors.

  9. Start Application Server 1.

    # nohup ./startManagedWebLogic.sh ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &
    # tail -f nohup.out
  10. Run the netstat command to verify that Application Server 1 is up and listening.

    # netstat -an | grep 1081
    xxx.xx.72.151.1081		*.*		0		0	49152		0	LISTEN
    127.0.0.1.1081			*.*		0		0	49152		0	LISTEN

Procedure: To Deploy the J2EE Policy Agent Application

  1. Go to the following Application Server URL:

    http://ProtectedResource-1.example.com:7001/console

  2. Log in to the Application Server console using the following information:

    Username

    weblogic

    Password

    w3bl0g1c

  3. In the Application Server console, under Domain Structure, click Deployments.

  4. On the Summary of Deployments page, in the Change Center, click “Lock & Edit.”

  5. Under Deployments, click Install.

  6. On the Install Application Assistant page, click the protectedresource-1.example.com link.

  7. In the field named Location: protectedresource-1.example.com, click the root directory.

    Navigate to the application directory: /opt/j2ee_agents/am_wl9_agent/etc/

  8. Select agentapp.war, and then click Next.

  9. In the Install Application Assistant page, choose “Install this deployment as an application,” and then click Next.

  10. In the list of Servers, mark the checkbox for ApplicationServer-1, and then click Next.

  11. In the Optional Settings page, click Next.

  12. Click Finish.

  13. On the “Settings for agentapp” page, click Save.

  14. In the Change Center, click Activate Changes.

Procedure: To Start the Agent Application

  1. On the “Settings for agentapp” page, click Deployments.

  2. On the Summary of Deployments page, mark the agentapp checkbox, and then click Start > “Servicing all requests.”

  3. On the Start Deployments page, click Start.

    You may encounter a JavaScript error. The agent application will not start until you start the Application Server.

Procedure: To Set Up the Agent Authentication Provider

  1. In the console, on the Summary of Deployments page, under Domain Structure, click Security Realms.

  2. On the Summary of Security Realms page, click “Lock & Edit.”

  3. Click the Realm name myrealm link.

  4. On the “Settings for myrealm” page, click the Providers tab.

  5. On the Providers tab, under Authentication Providers, click New.

  6. On the Create a New Authentication Provider page, provide the following information:

    Name:

    Agent-1

    Type:

    AgentAuthenticator

  7. Click OK.

    Agent-1 is now included in the list of Authentication Providers.

  8. In the list of Authentication Providers, click Agent-1.

  9. On the Settings for Authentication Providers page, verify that the Control Flag is set to OPTIONAL.

  10. On the Settings for Agent-1 page, in the list of Authentication Providers, click DefaultAuthenticator.

  11. On the Settings for DefaultAuthenticator page, set the Control Flag to OPTIONAL, and then click Save.

  12. Return to the Providers page.

    In the navigation tree near the top of the page, click Providers.

  13. In the Change Center, click Activate Changes.

Procedure: To Edit the AMAgent.properties File

  1. Make a backup of the following file:

    /opt/j2ee_agents/am_wl9_agent/agent_001/config/AMAgent.properties

  2. In the AMAgent.properties file, set the following property:

    com.sun.identity.agents.config.bypass.principal[0] = weblogic

  3. At end of the file, insert a new property.

    com.sun.identity.session.resetLBCookie='true'

    The default value for this property is false. Add this property only if session failover has been configured for Access Manager; if session failover is not configured and the property is added, performance can suffer. If session failover is enabled and the property is not added, Access Manager sessions will still fail over and session failover will work properly, but stickiness to the Access Manager server will not be maintained after failover occurs, and that stickiness helps performance. This property must be added to the AMConfig.properties file on the Access Manager servers as well as to the AMAgent.properties file on the J2EE Policy Agent servers. It is not required for the Web Policy Agent servers. Access Manager 7 2005Q4 Patch 3, described in the Sun Java System Access Manager 7 2005Q4 Release Notes, also references this property. See the section CR# 6440651: Cookie replay requires com.sun.identity.session.resetLBCookie property in Sun Java System Access Manager 7 2005Q4 Release Notes.

  4. Save the file.

8.4 Setting Up a Test for the J2EE Policy Agent 1

Use the following as your checklist for setting up a test for the J2EE Policy Agent 1:

  1. Deploy the sample application.

  2. Create roles in the external data store.

  3. Create a test referral policy in the base suffix.

  4. Create a test policy in the user realm.

  5. Configure J2EE properties for the sample application.

  6. Verify that J2EE Policy Agent 1 is configured properly.

Procedure: To Deploy the Sample Application

The BEA Policy Agent comes with a sample application specifically created to help you test your access policies. The sample application is located in /opt/j2ee_agents/am_wl9_agent/sampleapp. For more information, see the file /opt/j2ee_agents/am_wl9_agent/sampleapp/readme.txt.

  1. Go to the Application Server 1 URL:

    http://ProtectedResource-1.example.com:7001/console

  2. Log in to the Application Server using the following information:

    Username

    weblogic

    Password

    w3bl0g1c

  3. In the Application Server console, on the Summary of Deployments page, click “Lock & Edit.”

  4. Under Domain Structure, click Deployments.

  5. Under Deployments, click Install.

  6. On the Install Application Assistant page, click the protectedresource-1.example.com link.

  7. In the list for Location: protectedresource-1.example.com, click the root directory.

    Navigate to the application directory: /opt/j2ee_agents/am_wl9_agent/sampleapp/dist

  8. Select agentsample, and then click Next.

  9. In the Install Application Assistant page, choose “Install this deployment as an application,” and then click Next.

  10. In the list of Servers, mark the checkbox for ApplicationServer-1, and then click Next.

  11. On the “Optional Settings” page, click Next to accept the default settings.

  12. On the “Review Your Choices” page, click Finish.

    The Target Summary section indicates that the module agentsample will be installed on the target ApplicationServer-1.

  13. In the “Settings for agentsample” page, click Activate Changes.

  14. Under Domain Structure, click Deployments.

  15. In the Deployments list, mark the checkbox for agentsample, and then click Start > Servicing All Requests.

  16. On the Start Deployments page, click Yes.

    The state of the deployment changes from Prepared to Active.

  17. Log out of the Application Server 1 console.

Procedure: To Create Roles in the External Data Store

You will use these roles to verify that the sample application has been successfully installed and configured.

  1. Start the Directory Server 1 console, and log in:

    Username

    cn=Directory Manager

    Password

    d1rm4n4ger

    Administration URL

    http://DirectoryServer-1.example.com:1391

  2. In the Directory Server console, expand the example.com suffix.

  3. Click Server Group > am-users, and then click Open.

  4. Click the Directory tab.

  5. Right-click dc=company, dc=com, and then click New > Role.

  6. In the Create New Role page, in the Role Name field, enter manager, and then click OK.

  7. Right-click dc=company, dc=com, and then click New > Role.

  8. In the Create New Role page, in the Role Name field, enter employee, and then click OK.

    On the Directory tab, for the suffix dc=company, dc=com, you should see the two roles you just added: manager and employee.

  9. Double-click the manager role.

  10. In the Edit Role page, click Members and then click Add.

  11. In the Search Users and Groups dialog, click Search.

    In the list of results, select Test User 1 and then click OK.

  12. In the Edit Role page, click OK.

  13. Double-click the employee role.

  14. In the Edit Role page, click Members and then click Add.

  15. In the Search Users and Groups dialog, click Search.

    In the list of results, select Test User 2 and then click OK.

  16. In the Edit Role page, click OK.

  17. Log out of the Directory Server console.

Procedure: To Create a Test Referral Policy in the Base Suffix

  1. In the Access Manager 1 console, on the Access Control tab, click the example.com link.

  2. Click the Policies tab.

  3. Under Policies, click the “Referral URL Policy for users realm” link.

    This is the policy that was created when setting up the Web Policy Agent.

  4. On the Edit Policy page, under Rules, click New.

  5. On the page “Step 1 of 2: Select Service Type for the Rule,” select “URL Policy Agent (with resource name),” and then click Next.

  6. On the page “Step 2 of 2: New Rule,” provide the following information, and then click Next:

    Name:

    URL Policy for ApplicationServer-1

    Resource Name:

    http://ProtectedResource-1.example.com:1081/agentsample/*

  7. Click Finish.

Procedure: To Create a Test Policy in the User Realm

  1. In the Access Manager 1 console, on the Access Control tab, click the users link.

  2. Click the Policies tab.

  3. Under Policies, click New Policy.

  4. In the Name field, enter URL Policy for ApplicationServer-1.

  5. Under Rules, click New.

  6. On the page “Step 1 of 2: Select Service Type for the Rule,” click Next.

    The default “URL Policy Agent (with resource name)” should be selected.

  7. On the page “Step 2 of 2: New Rule,” provide the following information:

    Name:

    agentsample

    Parent Resource Name:

    In the list, select http://ProtectedResource-1.example.com:1081/agentsample/*

    Resource Name:

    The following is automatically entered when you select the Parent Resource Name above:

    http://ProtectedResource-1.example.com:1081/agentsample/*

    GET

    Mark this check box, and verify that the Allow value is selected.

    POST

    Mark this check box, and verify that the Allow value is selected.

  8. Click Finish.

    The rule agentsample is now added to the list of Rules.

  9. Under Subjects, click New.

  10. On the page “Step 1 of 2: Select Subject Type,” select Access Manager Identity Subject, then click Next.

  11. On the page “Step 2 of 2: New Subject — Access Manager Identity Subject,” provide the following information:

    Name:

    agentsampleRoles

    Filter:

    Select role.

  12. Click Search.

  13. In the Available list, select the manager and employee roles, and then click Add.

    The roles are now displayed in the Selected list.

  14. Click Finish.

  15. Click Create.

    The new policy is included in the list of Policies.

Procedure: To Configure J2EE Properties for the Sample Application

  1. Log in as a root user to Protected Resource 2.


    # cd /opt/j2ee_agents/am_wl9_agent/agent_001/config
  2. Make a backup of the AMAgent.properties file.

  3. In the AMAgent.properties file, set the following properties:


    com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
    com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
    com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
    com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
    com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
    com.sun.identity.agents.config.access.denied.uri = /agentsample/authentication/accessdenied.html
    com.sun.identity.agents.config.login.form[0] = /agentsample/authentication/login.html
    com.sun.identity.agents.config.login.url[0] = http://LoadBalancer-3.example.com:7070/amserver/UI/Login?realm=users
  4. Save the file.

  5. Restart the Application Server 2.

    1. Stop Application Server 2 .

      # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
      # ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001
    2. Stop the administration server.

      # ./stopWebLogic.sh
    3. Start the administration server.

      # nohup ./startWebLogic.sh &
      # tail -f nohup.out
    4. Start Application Server 2.

      # nohup ./startManagedWebLogic.sh ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &

Procedure: To Verify that J2EE Policy Agent 1 is Configured Properly

Use these steps to access the agent sample application, and then test policies against that sample application.

  1. Go to the Sample Application URL:

    http://protectedresource-1.example.com:1081/agentsample/index.html

    The Sample Application welcome page is displayed.

  2. Click J2EE Declarative Security > “Invoke the Protected Servlet.”

    The Policy Agent redirects to the Access Manager login page.

  3. Log in to the Access Manager console using the following information:

    Username

    testuser1

    Password

    password

    If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.

  4. Click the “J2EE Declarative Security” link.

  5. On the J2EE Declarative Security page, click the “Invoke the Protected Servlet” link.

    If the Success Invocation message is displayed, then this part of the test succeeded, and the sample policy for the manager role has been enforced as expected.

  6. Click the “J2EE Declarative Security” link to go back.

  7. Click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    If the Failed Invocation message is displayed, then this part of the test succeeded, and the sample policy for the employee role has been enforced as expected.

  8. Close the browser.

  9. In a new browser session, go to the Sample Application URL:

    http://protectedresource-1.example.com:1081/agentsample/index.html

    The Sample Application welcome page is displayed.

  10. Click the “J2EE Declarative Security” link.

  11. On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    The Policy Agent redirects to the Access Manager login page.

  12. Log in to the Access Manager console using the following information:

    Username

    testuser1

    Password

    password

    If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.

  13. Click the “J2EE Declarative Security” link to go back.

  14. On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    The Successful Invocation message is displayed. The sample policy for the employee role has been enforced as expected.

8.5 Configuring Access Manager to Communicate Over SSL

In this section, you configure the policy agent to point to the SSL port for the Access Manager load balancer.

Use the following as your checklist for configuring Access Manager to communicate over SSL:

  1. Import the root CA certificate into the Application Server keystore.

  2. Configure the J2EE Policy Agent for SSL.

  3. Verify that J2EE Policy Agent 1 is configured properly.

  4. Configure the Policy Agents to access the Distributed Authentication UI server.

Procedure: To Import the Root CA Certificate into the Application Server Keystore

In this procedure, you import a Certificate Authority (CA) certificate. The certificate enables the Authentication UI server to trust the certificate from the Access Manager load balancer (Load Balancer 3), and to establish trust with the certificate chain that is formed from the CA to the certificate.

  1. Go to the directory where the keystore ( the cacerts file) is located:


    # cd /usr/local/bea/jdk150_04/jre/lib/security/
  2. Make a backup of the cacerts file.

  3. Copy the CA certificate that you obtained from your Certificate Authority into a temporary directory. Example:


    /export/software/ca.cer
  4. Import the certificate:


    # /usr/local/bea/jdk150_04/bin/keytool -import \
    -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer \
    -keystore /usr/local/bea/jdk150_04/jre/lib/security/cacerts \
    -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
    Serial number: 97dba0aa26db6386
    Valid from: Tue Apr 18 07:55:19 PDT 2006 until: Tue Jan 13 06:55:19 PST 2009
    Certificate fingerprints:
         MD5:  9F:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06
         SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:28:64:36:80:E4:70
    Trust this certificate? [no]: yes
    Certificate was added to keystore
  5. Verify that the certificate was imported successfully:


    # /usr/local/bea/jdk150_04/bin/keytool -list \
    -keystore /usr/local/bea/jdk150_04/jre/lib/security/cacerts \
    -storepass changeit | grep openssl
    
    openssltestca, Oct 2, 2006, trustedCertEntry,

Procedure: To Configure the J2EE Policy Agent for SSL

  1. As a root user, log into host ProtectedResource-1.

    # cd /opt/j2ee_agents/am_wl9_agent/agent_001/config

  2. Make a backup of the AMAgent.properties file.

  3. In the AMAgent.properties file, set the following properties:

    com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-3.example.com:9443/amserver/UI/Login?realm=users
    com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
    com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
    com.iplanet.am.naming.url=https://LoadBalancer-3.example.com:9443/amserver/namingservice
    com.iplanet.am.server.protocol=https
    com.iplanet.am.server.port=9443
  4. Save the file.

  5. Stop Application Server 1.

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
  6. Stop the administration server.

    # ./stopWebLogic.sh
  7. Start the administration server.

    # nohup ./startWebLogic.sh &
    # tail -f nohup.out
  8. Start Application Server 1.

    # nohup ./startManagedWebLogic.sh ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &
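The two AMAgent.properties edits in sections 8.4 and 8.5 are easy to get half right: a not-enforced entry that is broader than intended leaves pages open, and a naming or login URL left on plain HTTP after the switch to port 9443 sends agent traffic and session tokens in the clear. The following Python script is an added example, not code from the deployment guide or from the policy agent; it parses the key[n] = value format shown above, reports which request paths the not-enforced list leaves unprotected, and flags Access Manager URLs that disagree with com.iplanet.am.server.protocol and com.iplanet.am.server.port. The wildcard rules it applies (a * spans any characters, an entry without * must match exactly, the query string is ignored) are assumptions, since the page does not document the agent's exact matching.

```python
"""Checks on an AMAgent.properties file as configured in this chapter.

Added example, not part of the Sun deployment guide or of the policy agent.
Assumptions: '*' in a not-enforced entry matches any run of characters, an
entry without '*' must match the request path exactly, and the query string
is not part of the comparison.
"""
import re
from urllib.parse import urlsplit

# Constructed sample built from the values in sections 8.4 and 8.5, with the
# naming URL deliberately left on the plain-HTTP port to show the check fire.
SAMPLE_PROPS = """\
# comment lines and blank lines are skipped
com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-3.example.com:9443/amserver/UI/Login?realm=users
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
com.iplanet.am.naming.url=http://LoadBalancer-3.example.com:7070/amserver/namingservice
com.iplanet.am.server.protocol=https
com.iplanet.am.server.port=9443
"""

NOT_ENFORCED_KEY = "com.sun.identity.agents.config.notenforced.uri"
NAMING_URL_KEY = "com.iplanet.am.naming.url"
# Every property on this page whose value is an Access Manager URL.
AM_URL_KEYS = (
    "com.sun.identity.agents.config.login.url",
    "com.sun.identity.agents.config.cdsso.cdcservlet.url",
    "com.sun.identity.agents.config.cdsso.trusted.id.provider",
    NAMING_URL_KEY,
)

INDEXED_KEY = re.compile(r"^(?P<base>[\w.]+)\[(?P<idx>\d+)\]$")


def parse_properties(text):
    """Return {key: value}; 'key[n]' entries become a list ordered by n."""
    scalars, indexed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        match = INDEXED_KEY.match(key)
        if match:
            indexed.setdefault(match["base"], {})[int(match["idx"])] = value
        else:
            scalars[key] = value
    for base, by_index in indexed.items():
        scalars[base] = [by_index[i] for i in sorted(by_index)]
    return scalars


def uri_matches(pattern, path):
    """Wildcard match: '*' spans any characters; a pattern without '*' is exact."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, path) is not None


def is_enforced(props, request_uri):
    """True when the agent would demand an Access Manager session for the request."""
    path = request_uri.split("?", 1)[0]
    patterns = props.get(NOT_ENFORCED_KEY, [])
    return not any(uri_matches(p, path) for p in patterns)


def ssl_findings(props):
    """List the ways the AM endpoints disagree with server.protocol/server.port."""
    findings = []
    proto = props.get("com.iplanet.am.server.protocol")
    port = props.get("com.iplanet.am.server.port")
    if proto != "https":
        findings.append("server.protocol is %r: agent-to-AM traffic is not protected by TLS" % proto)
    for key in AM_URL_KEYS:
        values = props.get(key, [])
        for url in values if isinstance(values, list) else [values]:
            parts = urlsplit(url)
            if parts.scheme != proto:
                findings.append("%s uses %s but server.protocol is %s" % (key, parts.scheme, proto))
            # Only the naming service is contacted on server.port; the login URL
            # may legitimately live elsewhere (e.g. the Distributed Authentication UI).
            if key == NAMING_URL_KEY and str(parts.port) != port:
                findings.append("%s is on port %s but server.port is %s" % (key, parts.port, port))
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPS)
    for uri in ("/agentsample/index.html", "/agentsample/public/help.html",
                "/agentsample/", "/agentsample/protected/ProtectedServlet"):
        print("%-45s enforced=%s" % (uri, is_enforced(props, uri)))
    for finding in ssl_findings(props):
        print("FINDING:", finding)
```

Note that /agentsample is enforced-exempt only as an exact path under these assumptions, so /agentsample/ with a trailing slash is still protected; the sample deliberately reports two findings for the naming URL (scheme and port) until it is moved to https on 9443.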

Procedure: To Verify that J2EE Policy Agent 1 is Configured Properly

Use these steps to access the agent sample application, and then test policies against that sample application.

  1. Go to the Sample Application URL:

    http://protectedresource-1.example.com:1081/agentsample/index.html

    The Sample Application welcome page is displayed.

  2. Click J2EE Declarative Security > “Invoke the Protected Servlet.”

    The Policy Agent redirects to the Access Manager login page.

  3. Log in to the Access Manager console using the following information:

    Username

    testuser1

    Password

    password

    If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.

  4. Click the “J2EE Declarative Security” link.

  5. On the J2EE Declarative Security page, click the “Invoke the Protected Servlet” link.

    If the Success Invocation message is displayed, then this part of the test succeeded, and the sample policy for the manager role has been enforced as expected.

  6. Click the “J2EE Declarative Security” link to go back.

  7. Click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    If the Failed Invocation message is displayed, then this part of the test succeeded, and the sample policy for the employee role has been enforced as expected.

  8. Close the browser.

  9. In a new browser session, go to the Sample Application URL:

    http://protectedresource-1.example.com:1081/agentsample/index.html

    The Policy Agent redirects to the Access Manager login page.

  10. Log in to the Access Manager console using the following information:

    Username

    testuser2

    Password

    password

    The Failed Invocation message is displayed.

  11. Click the “J2EE Declarative Security” link.

  12. On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    The Successful Invocation message is displayed. The sample policy for the employee role has been enforced as expected.

  13. Click the “J2EE Declarative Security” link to go back.

  14. Click the “Invoke the Protected Servlet” link.

    If the Access to Requested Resource Denied message is displayed, then this part of the test is successful. The sample policy for the manager role has been enforced as expected.

Procedure: To Configure the Policy Agents to Access the Distributed Authentication UI Server

  1. Log in as a root user to Protected Resource 1.

    # cd /opt/j2ee_agents/am_wl9_agent/agent_001/config
  2. Make a backup of the file AMAgent.properties.

  3. In the AMAgent.properties file, set the following property:

    com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users

  4. Save the file.

  5. Restart the Application Server.

    1. Stop Application Server 1.

      # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
      # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001 
    2. Stop the administration server.

      # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
      # ./stopWebLogic.sh
    3. Start the administration server.

      # nohup ./startWebLogic.sh &
      # tail -f nohup.out

      Watch for startup errors.

    4. Start Application Server 1.

      # nohup ./startManagedWebLogic.sh ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &
      # tail -f nohup.out
  6. Verify that the agents are configured properly.

    1. Go to the sample application URL:

      http://ProtectedResource-1.example.com:1081/agentsample/index.html

    2. In the left navigation bar, click “Invoke the Protected Servlet.”

      You are redirected to the Distributed Authentication UI server URL https://loadbalancer-4.example.com:9443/distAuth/UI/login. The Access Manager login page is displayed.

    3. Double-click the gold lock in the lower left corner of the browser.

      In the Properties page, you see the certificate for LoadBalancer-4.example.com.

    4. Log in to the Access Manager console using the following information:

      Username

      testuser1

      Password

      password

      You are redirected to the protected servlet of the Sample Application, and a success message is displayed. This indicates that authentication through the Distributed Authentication UI server was successful.

8.6 Installing Web Server 2 and Web Policy Agent 2

Use the following as your checklist for installing Web Server 2 and Web Policy Agent 2:

  1. Install Web Server 2 on Protected Resource 2.

  2. Install Web Policy Agent 2.

  3. Verify that Web Policy Agent 2 works properly.

  4. Import the root CA certificate into the Web Server 2 key store.

  5. Create an agent profile on Access Manager.

  6. Configure the Web Policy Agent to use the new agent profile.

Procedure: To Install Web Server 2 on Protected Resource 2

  1. As root, log in to host ProtectedResource-2.

  2. Start the Java Enterprise System installer with the -nodisplay option.


    # cd /mnt/Solaris_sparc 
    # ./installer -nodisplay
    
  3. When prompted, provide the following information:


    Welcome to the Sun Java(TM) Enterprise System; 
    serious software made  simple... 
    <Press ENTER to Continue>

    Press Enter. 


    <Press ENTER to display the Software 
    License Agreement>

    Press Enter. 


    Have you read, and do you accept, all of 
    the termsof the preceding Software 
    License Agreement [No] 

    Enter y.


    Please enter a comma separated list of 
    languages you would like supported with 
    this installation [8]

    Enter 8 for “English only.” 


    Enter a comma separated list of products to 
    install,or press R to refresh the list  []

    Enter 3 to select Web Server.


    Press "Enter" to Continue or Enter a 
    comma separated list of products to deselect... [1] 

    Press Enter. 

    Enter 1 to upgrade these shared components 
    and 2 to cancel  [1]

    You are prompted to upgrade shared components only if the installer detects that an upgrade is required. 

    Enter 1 to upgrade shared components.


    Enter the name of the target 
    installation directory for each product: 
    Web Server [/opt/SUNWwbsvr] : 

    Accept the default value. 


    System ready for installation 
    Enter 1 to continue [1]  

    Enter 1.


    1. Configure Now - Selectively override defaults or 
    express through  
    2. Configure Later - Manually configure following 
    installation 
     Select Type of Configuration [1]  

    Enter 1.


    Common Server Settings  
    Enter Host Name [ProtectedResource-2]

    Accept the default value. 


    Enter DNS Domain Name [example.com]

    Accept the default value. 


    Enter IP Address [xxx.xx.87.180]

    Accept the default value. 


    Enter Server admin User ID [admin]   

    Enter admin.


    Enter Admin User's Password 
    (Password cannot be less than 8 characters) 
    [] 

    For this example, enter web4dmin.


    Confirm Admin User's Password []

    Enter the same password to confirm it. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter  Server Admin User ID 
    [admin]

    Accept the default value. 


    Enter Admin User's Password []

    For this example, enter web4dmin.


    Enter Host Name 
    [ProtectedResource-2.example.com]

    Accept the default value. 


    Enter Administration Port [8888]

    Accept the default value. 


    Enter Administration Server User ID 
    [root]

    Accept the default value. 


    Enter System User ID [webservd]

    Enter root.


    Enter System Group [webservd]

    Enter root.


    Enter HTTP Port [80] 

    Enter 1080.


    Enter content Root [/opt/SUNWwbsvr/docs]

    Accept the default value. 


    Do you want to automatically start 
    Web Serverwhen system re-starts.(Y/N)    [N] 

    Accept the default value. 


    Ready to Install
    1. Install 2. Start Over 3. Exit Installation
    What would you like to do [1] 

    First, see the next numbered (Optional) step. When ready to install, enter 1.

  4. (Optional) During installation, you can monitor the log to watch for installation errors. Example:


    # cd /var/sadm/install/logs
    # tail -f Java_Enterprise_System_install.Bxxxxxx
    
  5. Upon successful installation, enter ! to exit.

  6. Verify that the Web Server is installed properly.

    1. Start the Web Server administration server to verify it starts with no errors.

      # cd /opt/SUNWwbsvr/https-admserv

      # ./stop; ./start

    2. Run the netstat command to verify that the Web Server ports are open and listening.


      # netstat -an | grep 8888
        *.8888			*.*			0		0	49152		0	LISTEN

    3. Go to the Web Server URL.

      http://ProtectedResource-2.example.com:8888

    4. Log in to the Web Server using the following information:

      User Name:

      admin

      Password:

      web4dmin

      You should be able to see the Web Server console. You can log out of the console now.

    5. Start the Protected Resource 2 instance.


      # cd /opt/SUNWwbsvr/https-ProtectedResource-2.example.com
      # ./stop; ./start

    6. Run the netstat command to verify that the Web Server ports are open and listening.


      # netstat -an | grep 1080
        *.1080			*.*			0		0	49152		0	LISTEN

    7. Go to the instance URL.

      http://ProtectedResource-2.example.com:1080

      You should see the default Web Server index page.

ProcedureTo Install Web Policy Agent 2

Before You Begin

The Java System Web Policy Agents 2.2 package must be downloaded to each Protected Resource that will host a Web Policy Agent. You can download the package from the following website: http://www.sun.com/download


Caution –

Due to a known problem with this version of the Web Policy Agent, you must start an X-display session on the server host using a program such as Reflections X or VNC, even though you use the command-line installer. For more information about this known problem, see http://docs.sun.com/app/docs/doc/819-2796/6n52flfoq?a=view#adtcd.


  1. As root, log in to host ProtectedResource-2.

  2. Download the Java System Web Policy Agents 2.2 package from the following website:

    http://www.sun.com/download

  3. Unpack the downloaded package.

    In this example, the package was downloaded into the directory /temp.

    # cd /temp

    # gunzip sun-one-policy-agent-2.2-es6-solaris_sparc.tar.gz

    # tar -xvof sun-one-policy-agent-2.2-es6-solaris_sparc.tar

  4. Start the Web Policy Agents installer.

    # ./setup -nodisplay

  5. When prompted, provide the following information:


    When you are ready, press Enter to continue. 
    <Press ENTER to Continue>

    Press Enter. 


    Press ENTER to display the Sun Software 
    License Agreement

    Press Enter. 


    Have you read, and do you accept, all of 
    the terms of the preceding Software License 
    Agreement [no] y

    Enter y.


    Install the Sun Java(tm) System Access Manager 
    Policy Agent in this directory [/opt] :

    Accept the default value. 


    Enter information about the server instance this 
    agent will protect. 
    Host Name [ProtectedResource-2.example.com]:

    Accept the default value. 


    Web Server Instance Directory []:

    Enter /opt/SUNWwbsvr/https-ProtectedResource-2.example.com.

    Web Server Port [80]:

    Enter 1080.


    Web Server Protocol [http]:

    Accept the default value. 


    Agent Deployment URI [/amagent]:

    Accept the default value. 


    Enter the Sun Java(tm) System Access Manager
    Information for this Agent.
    Primary Server Host [ProtectedResource-1.example.com] :

    For this example, enter the external-facing load balancer host name. Example: LoadBalancer-3.example.com


    Primary Server Port [1080]

    Enter the load balancer HTTP port number. For this example, enter 90.


    Primary Server Protocol [http]: 

    Accept the default value. 


    Primary Server Deployment URI [/amserver]: 

    Accept the default value. 


    Primary Console Deployment URI [/amconsole] :

    Accept the default value. 


    Failover Server Host :

    Accept the default value. 


    Agent-Access Manager Shared Secret:

    Enter the amldapuser password that was entered when Access Manager was installed. For this example, enter 4mld4puser.


    Re-enter Shared Secret: 

    Enter the 4mld4puser password again to confirm it.


    CDSSO Enabled [false]:

    Accept the default value. 


    Press "Enter" when you are ready to continue.

    First, see the next (Optional) numbered step. When you are ready to start installation, press Enter. 

  6. (Optional) During installation, you can monitor the log to watch for installation errors. Example:


    # cd /var/sadm/install/logs
    # tail -f /var/sadm/install/logs/Sun_Java_tm__System_Access_Manager_Policy_Agent_install.Bxxxxxx
    

  7. Modify the AMAgent.properties file.


    # cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-2.example.com

    Make a backup of AMAgent.properties before setting the following property:

    com.sun.am.policy.am.login.url = https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users

  8. Restart the Web Server.

    Watch for errors as the server starts up.

    # cd /opt/SUNWwbsvr/https-ProtectedResource-2.example.com

    # ./stop; ./start

    1. Examine the Web Server log for startup errors.

      # cd /opt/SUNWwbsvr/https-ProtectedResource-2.example.com/logs

      # vi errors

ProcedureTo Verify that Web Policy Agent 2 Works Properly

  1. Start a new browser and go to the Access Manager URL.

    Example: https://loadbalancer-3.example.com:9443/amserver/console

  2. Log in to Access Manager using the following information:

    Username

    amadmin

    Password

    4m4dmin1

  3. Create a referral policy in the top-level realm.

    1. On the Access Control tab, under Realms, click example.com.

    2. Click the Policies tab.

    3. On the Policies tab for example.com-Policies, click the “Referral URL Policy for users realm” link.

    4. In the Edit Policy page, under Rules, click New.

    5. In the Edit Rule page, provide the following information.

    6. On the same page, in the Rules section, click New.

    7. Select a Service Type.

      On the page “Step 1 of 2: Select Service Type for the Rule,” select URL Policy Agent (with resource name).

    8. Click Next.

    9. On the page “Step 2 of 2: New Rule,” provide the following information:

      Name:

      URL Rule for ProtectedResource-2

      Resource Name:

      http://ProtectedResource-2.example.com:1080/*

    10. Click Finish.

    11. On the Edit Policy page, click Save.

      In the Policies tab for example.com — Policies, you should see the policy named Referral URL Policy for users realm.

  4. Create a policy in the users realm.

    1. Click Realms.

    2. On the Access Control tab, under Realms, click the Realm Name users.

    3. Click the Policies tab.

    4. On the Policies tab for users-Policies, click New Policy.

    5. In the New Policy page, provide the following information:

      Name:

      URL Policy for ProtectedResource-2

      Active:

      Verify that the checkbox is marked.

    6. On the same page, in the Rules section, click New.

    7. On the page “Step 1 of 2: Select Service Type for the Rule,” click Next.

      The Service Type “URL Policy Agent (with resource name)” is the only choice.

    8. On the page “Step 2 of 2: New Rule,” provide the following information:

      Name:

      URL Rule for ProtectedResource-2

      Resource Name:

      Click the URL listed in the Parent Resource Name list: http://ProtectedResource-2.example.com:1080/*

      The URL is automatically added to the Resource Name field.

      GET:

      Mark this checkbox, and select the Allow value.

      POST:

      Mark this checkbox, and select the Allow value.

    9. Click Finish.

    10. On the Policy page, in the Subjects section, click New.

      1. Select the subject type.

        On the page “Step 1 of 2: Select Subject Type,” select the Access Manager Identity Subject type.

      2. On the page “Step 2 of 2: New Subject — Access Manager Identity Subject,” provide the following information:

        Name:

        Test Subject

        Filter:

        Choose User, and then click Search. Four users are added to the Available list.

        Available:

        In the list, select testuser1, and then click Add.

        The user testuser1 is added to the Selected list.

      3. Click Finish.

    11. In the New Policy page, click Create.

      On the Policies tab for users-Policies, the new policy “URL Policy for ProtectedResource-2” is now in the Policies list.

  5. Verify that the new policy works with Web Policy Agent 2.

    1. Verify that an authorized user can access the Web Server 2.

      1. Go to the following URL:

        http://ProtectedResource-2.example.com:1080

      2. Log in to Access Manager using the following information:

        Username

        testuser1

        Password

        password

        You should see the default index.html page for Web Server 2.

    2. Verify that an unauthorized user cannot access the Web Server 2.

      1. Go to the following URL:

        http://ProtectedResource-2.example.com:1080

      2. Log in to Access Manager using the following information:

        Username

        testuser2

        Password

        password

        You should see the message, “You're not authorized to view this page.”

ProcedureTo Import the Root CA Certificate into the Web Server 2 Key Store

The Web Policy Agent on Protected Resource 2 connects to the Access Manager servers through Load Balancer 3. The load balancer is SSL-enabled, so the agent must be able to trust the load balancer SSL certificate in order to establish the SSL connection. To do this, import the root CA certificate that issued the Load Balancer 3 SSL server certificate into the Web Policy Agent certificate store.

Before You Begin

Obtain the root CA certificate, and copy it to ProtectedResource-2.

  1. Copy the root CA certificate to Protected Resource 2.

  2. Open a browser, and go to the Web Server 2 administration console.

    http://ProtectedResource-2.example.com:8888

  3. Log in to the Web Server 2 console using the following information:

    User Name:

    admin

    Password:

    web4dmin

  4. In the Select a Server field, select ProtectedResource-2.example.com, and then click Manage.


    Tip –

    If a “Configuration files have not been loaded” message is displayed, it may be that the administration server has never been accessed, and so the configuration files have never been loaded. First click Apply, and then click Apply Changes. The configuration files are read, and the server is stopped and restarted.


  5. Click the Security tab.

  6. On the Initialize Trust Database page, enter a Database Password.

    Enter the password again to confirm it, and then click OK.

  7. In the left frame, click Install Certificate and provide the following information, and then click OK:

    Certificate For:

    Choose Trusted Certificate Authority (CA)

    Key Pair File Password:

    password

    Certificate Name:

    OpenSSL_CA_Cert

    Message in this File:

    /export/software/ca.cert

  8. Click Add Server Certificate.

  9. Click Manage Certificates.

    The root CA Certificate name OpenSSL_CA_Cert is included in the list of certificates.

  10. Click the Preferences tab.

  11. Restart Web Server 2.

    On the Server On/Off page, click Server Off. When the server indicates that the administration server is off, click Server On.

  12. Configure the Web Policy Agent 2 to point to the Access Manager SSL port.

    1. Edit the AMAgent.properties file.

      # cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-2.example.com

      Make a backup of the AMAgent.properties file before setting the following property (the line must not be commented out):

      com.sun.am.naming.url = https://LoadBalancer-3.example.com:9443/amserver/namingservice

    2. Save the file.

  13. Restart Web Server 2.

    # cd /opt/SUNWwbsvr/https-ProtectedResource-2.example.com
    # ./stop; ./start

ProcedureTo Create an Agent Profile on Access Manager

This new account will be used by J2EE Policy Agent 2 to access the Access Manager server.

  1. Create an agent profile on Access Manager.

    1. Go to the Access Manager load balancer URL:

      https://LoadBalancer-3.example.com:9443/amserver/UI/Login

    2. Log in to the Access Manager console using the following information:

      Username

      amadmin

      Password

      4m4dmin1

    3. On the Access Control tab, under Realms, click the realm name example.com.

    4. Click the Subjects tab.

    5. Click the Agents tab.

    6. On the Agent page, click New.

    7. On the New Agent page, provide the following information:

      ID:

      webagent-2

      Password:

      web4gent2

      Password Confirm:

      web4gent2

      Device State:

      Choose Active.

    8. Click Create.

      The new agent webagent-2 is now displayed in the list of Agent Users.

ProcedureTo Configure the Web Policy Agent to Use the New Agent Profile

  1. Log in as root to Protected Resource 2.

  2. Run the crypt_util utility.

    The utility encrypts the password.

    # cd /opt/SUNWam/agents/bin
    # ./crypt_util web4gent2
    BXxzBswD+PZdMRDRMXQQA==

    Copy the encrypted password, and save it in a text file.

  3. Edit the AMAgent.properties file.


    # cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-2.example.com

    Make a backup of AMAgent.properties before you make the following changes in the file:

    com.sun.am.policy.am.username = webagent-2
    com.sun.am.policy.am.password = BXxzBswD+PZdMRDRMXQQA==

    Use the encrypted password obtained in the previous step.

    Save the file.

  4. Restart Web Server 2.

    # cd /opt/SUNWwbsvr/https-ProtectedResource-2.example.com
    # ./stop; ./start
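The three AMAgent.properties edits in this section (the login URL, the naming URL, and the agent profile credentials) are easy to get subtly wrong: a property left commented out, the username key mistyped, or the clear-text profile password kept instead of the crypt_util output. The following sh script is an added audit helper, not part of the Sun guide or the Web Policy Agent package; it assumes the host names, ports and profile name used in this deployment example and checks constructed sample files in place of the real AMAgent.properties.

```shell
#!/bin/sh
# Added audit helper, not part of the Sun deployment guide or the Web Policy
# Agent package. It checks the AMAgent.properties settings this section edits
# and reports each one that is missing, commented out, or wrong.

# Values used in this deployment example (assumed from the chapter).
EXPECTED_LOGIN_URL='https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users'
EXPECTED_NAMING_URL='https://LoadBalancer-3.example.com:9443/amserver/namingservice'
EXPECTED_AGENT_USER='webagent-2'
CLEARTEXT_AGENT_PW='web4gent2'   # the console password; must never be in the file

# prop_value FILE KEY_REGEX: print the value of the first uncommented
# "key = value" line; prints nothing if the key is absent or commented out.
prop_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# check_agent_props FILE: return 0 when every setting is correct, 1 otherwise,
# printing one line per finding so the operator knows what to fix.
check_agent_props() {
    file=$1
    rc=0
    login_url=$(prop_value "$file" 'com\.sun\.am\.policy\.am\.login\.url')
    naming_url=$(prop_value "$file" 'com\.sun\.am\.naming\.url')
    user=$(prop_value "$file" 'com\.sun\.am\.policy\.am\.username')
    pw=$(prop_value "$file" 'com\.sun\.am\.policy\.am\.password')

    [ "$login_url" = "$EXPECTED_LOGIN_URL" ] || {
        echo "login.url missing or wrong: '$login_url'"; rc=1; }
    [ "$naming_url" = "$EXPECTED_NAMING_URL" ] || {
        echo "naming.url missing or wrong (still commented out?): '$naming_url'"; rc=1; }
    [ "$user" = "$EXPECTED_AGENT_USER" ] || {
        echo "username is not the agent profile: '$user'"; rc=1; }

    # The password must be the crypt_util output, never the profile password
    # as typed into the Access Manager console.
    case "$pw" in
        '') echo "password missing"; rc=1 ;;
        "$CLEARTEXT_AGENT_PW") echo "password stored in clear text"; rc=1 ;;
    esac

    # Both Access Manager URLs go through the SSL-enabled load balancers; the
    # root CA certificate was imported so that the agent can trust them.
    for url in "$login_url" "$naming_url"; do
        case "$url" in
            ''|https://*) ;;
            *) echo "not an https URL: '$url'"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files that stand in for the real AMAgent.properties.
WORKDIR=$(mktemp -d)
GOOD_PROPS="$WORKDIR/good.properties"
BAD_PROPS="$WORKDIR/bad.properties"

cat > "$GOOD_PROPS" <<'EOF'
com.sun.am.policy.am.login.url = https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users
com.sun.am.naming.url = https://LoadBalancer-3.example.com:9443/amserver/namingservice
com.sun.am.policy.am.username = webagent-2
com.sun.am.policy.am.password = BXxzBswD+PZdMRDRMXQQA==
EOF

# Mistakes this section's steps are prone to: the naming URL left commented
# out and the clear-text profile password written instead of the crypt_util output.
cat > "$BAD_PROPS" <<'EOF'
com.sun.am.policy.am.login.url = https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users
# com.sun.am.naming.url = https://LoadBalancer-3.example.com:9443/amserver/namingservice
com.sun.am.policy.am.username = webagent-2
com.sun.am.policy.am.password = web4gent2
EOF

# Usage: sh check_agent_props.sh /path/to/AMAgent.properties
# With no argument the constructed samples are checked instead.
if [ $# -gt 0 ]; then
    check_agent_props "$1"
else
    check_agent_props "$GOOD_PROPS" && echo "good sample: OK"
    check_agent_props "$BAD_PROPS" || echo "bad sample: see findings above"
fi
```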

8.7 Installing Application Server 2 and J2EE Policy Agent 2

Use the following as your checklist for installing Application Server 2 and the J2EE Policy Agent 2:

  1. Install Application Server 2 on Protected Resource 2.

  2. Create an agent profile on Access Manager.

  3. Run the J2EE Policy Agent installer on Application Server 2.

ProcedureTo Install Application Server 2 on Protected Resource 2

  1. Download the BEA WebLogic Server installer onto Protected Resource 2.

    Follow the instructions provided by BEA for obtaining and using the software.

  2. Extract the installer files:


    # /download_directory/export/weblogic/server910_solaris32.bin

    Welcome...
    You may quit the installer at any time by typing "Exit."
    
    Enter [Exit][Next]

    Enter Next.


    Select Option:
    1. Yes, I agree with the terms of 
    the license.
    2. No, I do not agree with the terms 
    of the license.

    Enter 1.


    Choose BEA Home Directory [/usr/local/bea]:

    Press Enter to accept the default value and continue. 


    Choose Install Type [Complete]:

    Enter 2 to choose custom install.


    Release 9.1.0.0
    			WebLogic Server [1]
    					Server [1.1]
    					Server Examples [1.2]
    					Web Server Plug-ins [1.3]
    
    Choose Componenets to install:

    Enter Next.


    Choose Product Directory 
    [/usr/local/bea/weblogic91]:

    Press Enter to accept the default value and continue. 


    Choose Product Directory [Yes, use this product
     directory]:

    Press Enter to confirm the default value and continue. 


    Installation Complete
    Press [Enter} to continue...

    Press Enter. 

  3. Create a new domain.

    1. Start the BEA WebLogic Configuration Wizard.


      # cd /usr/local/bea/weblogic91/common/bin
      # ./config.sh
    2. Provide the following information:


      Welcome...
      
      ->1| Create a new WebLogic domain.
          2| Extend an existing WebLogic domain.

      Press Enter to accept the default value 1.


      Select Domain Source:
      ->1| Choose WebLogic Platform components
          2| Choose custom template

      Press Enter to accept the default value 1.


      Application Template Selection:
      Avaliable Templates
      			WebLogic Server (Required)x
      			Appache Behive [2]

      Press Enter to accept the default value and continue. 


      Configure Administrator Username and Password:
      Select Option:
      1- Modify "user name"
      2- Modify "user password"
      3- Modify "Confirm user password"
      4- Modify "Description'
      5- Discard changes	

      Enter 2 to modify the user password.


      Input User password : 

      Enter w3bl0g1c.


      Configure Adminstrator Username and Password:
      1- *User name:  weblogic
      2- *User password:  ********
      3- *Confirm user password:  ******
      4- Description:  This user is the 
      default administrator
      
      
      Select Option:
      1- Modify "user name"
      2- Modify "user password"
      3- Modify "Confirm user password"
      4- Modify "Description'
      5- Discard changes	

      Enter 3 to confirm user password.


      Confirm user password:

      Enter w3bl0g1c.


      Configure Adminstrator Username and Password:
      1- *User name:  weblogic
      2- *User password:  ********
      3- *Confirm user password:  ********
      4- Description:  This user is the 
      default administrator
      
      
      Select Option:
      1- Modify "user name"
      2- Modify "user password"
      3- Modify "Confirm user password"
      4- Modify "Description'
      5- Discard changes	

      Press Enter to accept the values and continue. 


      Domain Mode Configuration:
      ->1| Development Mode
        2|

      Enter 2 to select Production Mode.


      Java SDK Selection:
      ->1| Sun SDK 1.5.0_04 @ /usr/local/bea/jdk150_04
        2| Other Java SDK

      Press Enter to accept the default value and continue. 


      Choose Configuration Option:
        1|Yes
      ->2| No

      Enter 1.


      Configure the Adminstration Server:
      
      Select Option:
      1- *Name:  AdminServer
      2- Listen address:  All Local Addresses
      3- Listen port:  7001
      4- SSL listen port:  N/A
      5- SSl enabled:  false
      
      Select Option:
      1- Modify "Name"
      2- Modify "Listen address"
      3- Modify "Listen port"
      4- Modify "SSL enabled"

      Press Enter to Continue.  


      Configure Managed Servers:
      Add or delete configuration information 
      for Managed Servers...
      
      Enter name for a new...

      Enter ApplicationServer-2.


      Configure Managed Servers:
      Add or delete configuration information 
      for Managed Servers...
      Name:	  ApplicationServer-2
      Listen address:  All Local Addresses
      Listen port:  7001
      SSL listen port:  N/A
      SSL enabled:  false
      
      Select Option:
      1- Modify "Name"
      2- Modify "Listen address"
      3- Modify "Listen port"
      4- Modify "SSL enabled"
      5- Done

      Enter 3 to modify the Listen port.


      Modify “Listen port.”

      Enter 1081.


      Configure Managed Servers:
      Add or delete configuration information 
      for Managed Servers...
      Name:  ApplicationServer-2
      Listen address:	  All Local Addresses
      Listen port:  1081
      SSL listen port:  N/A
      SSL enabled:  false
      
      Select Option:
      1- Modify "Name"
      2- Modify "Listen address"
      3- Modify "Listen port"
      4- Modify "SSL enabled"
      5- Done

      Press Enter to continue. 


      Configure Clusters:
      Enter name for a new Cluster

      Press Enter to continue. 


      Configure Machines:
      Enter name for a new Machine

      Press Enter to continue. 


      Configure Unix Machines:
      Enter name for a new Unix Machine

      Enter ProtectedResource-2.


      Configure Unix Machines:
      Add or delete configuration information for machines:
      1- Name:  ProtectedResource-2
      2- Post bind GID enabled:	  false
      3- Post bind GID:  nobody
      4- Post bind UID enabled:  false
      5- Post bind UID:  nobody
      6- Node manager listen address:  localhost
      7- Node manager listen port:  5556

      Press Enter to accept these values. 


      Enter name for a new Unix Machine.

      Enter ProtectedResource-2.


      Configure Unix Machines:
      1- Name:	  ProtectedResource-2
      2- Post bind GID enbled:  false
      2- Post bind GID:  nobody
      4- Post bind UID enabled:	  false
      5- Post bind UID:  nobody
      6- Node manager listen address:  localhost
      7- Node manager listen port:	  5556

      Press Enter to accept these values. 


      Configure Unix machines:
      Name:  ProtectedResource-2
      
      Select Option:
      1- Add Unix machine
      2- Modify Unix machine
      3- Delete unix machine
      4- Discar Changes

      Enter 1 to add a Unix machine.


      Assign Servers to Machines:			
      
      Machine
      		Unix Machine
      			ProtectedResource-1 [1.1]
      			ProtectedResource-2	[1.2]

      Press Enter to continue. 


      Select the target domain directory for this domain:

      Press Enter to continue. 


      Edit Domain Information:
      Enter value for "Name."		

      Enter ProtectedResource-2.


      Edit Domain Information:
      1- Name:  ProtectedResource-2
      
      Select Option:
      1- Modify "Name"
      2- Discard Changes

      Press Enter to continue. 


      Installation Complete
      Press [Enter] to continue...

      Press Enter. 

  4. Create two files necessary to automate Application Server 2 startup.

    Create one file in the directory for the Application Server 2 administration server, and create one file in the Application Server 2 instance directory. The administrative user name and password are stored in each file, and Application Server 2 reads them during server start-up. Without these files, Application Server 2 will fail to start. Application Server 2 encrypts each file the first time it starts, so there is no security risk even though you enter the user name and password in clear text.


    # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/servers/AdminServer
    # cat > boot.properties
    username=weblogic
    password=w3bl0g1c
    ^D

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/servers/ApplicationServer-2/
    # mkdir security
    # cd security/
    # cat > boot.properties
    username=weblogic
    password=w3bl0g1c
    ^D

  5. Start the servers.


    # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin/
    # ./startWebLogic.sh &
    #
    # netstat -an | grep 7001
    xxx.xx.72.151.7001		*.*			0			0 49152			0 LISTEN
    127.0.0.1.7001 				*.*			0			0 49152			0 LISTEN
    #
    # ./startManagedWebLogic.sh ApplicationServer-2 http://ProtectedResource-2.example.com:7001 &
    #
    # netstat -an | grep 1081
    xxx.xx.72.151.1081		*.*			0			0 49152			0 LISTEN
    127.0.0.1.1081				*.* 		0			0 49152			0 LISTEN
    xxx.xx.72.151.33425  xxx.xx.72.151.1081   49152		0 49152   0 ESTABLISHED
    xxx.xx.72.151.1081   xxx.xx.72.151.33425  49152		0 49152   0 ESTABLISHED

  6. Verify that Application Server 2 is up and running.

    1. Go to the following URL:

      http://ProtectedResource-2.example.com:7001/console

    2. Log in to Application Server 2 using the following information:

      User Name:

      weblogic

      Password:

      w3bl0g1c

      Verify that you can successfully log into the console.

    3. Under Domain Structure > ProtectedResource-2, expand the Environment object.

    4. Click Servers.

      On the Summary of Servers page, verify that both AdminServer(admin) and ApplicationServer-2 are running and OK.

ProcedureTo Create an Agent Profile on Access Manager

This new account will be used by J2EE Policy Agent 2 to authenticate to the Access Manager server.

  1. Go to the Access Manager load balancer URL:

    https://LoadBalancer-3.example.com:9443/amserver/UI/Login

  2. Log in to the Access Manager console using the following information:

    Username

    amadmin

    Password

    4m4dmin1

  3. On the Access Control tab, under Realms, click the realm name example.com.

  4. Click the Subjects tab.

  5. Click the Agents tab.

  6. On the Agent page, click New.

  7. On the New Agent page, provide the following information:

    ID:

    j2eeagent-2

    Password:

    j2ee4gent2

    Password Confirm:

    j2ee4gent2

    Device State:

    Choose Active.

  8. Click Create.

    The new agent j2eeagent-2 is now displayed in the list of Agent Users.

  9. Log out of the Access Manager console.

  10. Create a text file, and add the Agent Profile password to the file.

    The J2EE Policy Agent installer requires this file for installation.

    # cd /opt/j2ee_agents/am_wl9_agent
    # cat > agent_pwd
    j2ee4gent2
    ^D

ProcedureTo Run the J2EE Policy Agent Installer on Application Server 2

Before You Begin

Application Server 2 must not be running when you install J2EE Policy Agent 2.

You must stop both the Application Server 2 instance and the administration server before installing J2EE Policy Agent 2.


# cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin/
# ./stopManagedWebLogic.sh ApplicationServer-2  t3://localhost:7001 
# cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
# ./stopWebLogic.sh

  1. Unpack the J2EE Policy Agent bits.


    # cd /opt
    # gunzip /export/software/SJS_Weblogic_9_agent_2.2.tar.gz
    # /usr/sfw/bin/gtar -xvf /export/software/SJS_Weblogic_9_agent_2.2.tar

  2. Start the J2EE Policy Agent installer.

    # cd /opt/j2ee_agents/am_wl9_agent/bin
    # ./agentadmin --install

  3. When prompted, provide the following information:


    Please read the following License Agreement carefully:

    Press Enter to continue. Continue to press Enter until you reach the end of the License Agreement. 


    Enter startup script location.

    Enter /usr/local/bea/user_projects/domains/ProtectedResource-2/bin/startWebLogic.sh.


    Enter the WebLogic Server instance name: [myserver]

    Enter ApplicationServer-2.


    Access Manager Services Host:

    Enter LoadBalancer-3.example.com.


    Access Manager Services port: [80]

    Enter 90.


    Access Manager Services Protocol: [http]

    Enter http.


    Access Manager Services Deployment URI: [/amserver]

    Accept the default value. 


    Enter the Agent Host name:

    ProtectedResource-2.example.com


    Enter the WebLogic home directory: 
    [usr/local/bea/weblogic90]	

    Enter /usr/local/bea/weblogic91.


    Enter the port number for 
    Application Server instance [80]:

    Enter 1081.


    Enter the Preferred Protocol for 
    Application instance [http]:

    Accept the default value. 


    Enter the Deployment URI for 
    the Agent Application [/agentapp]

    Accept the default value. 


    Enter the Encryption Key 
    [Q558gNigkno4dGZmPtgGs4K1HL1153QD]:

    Accept the default value. 


    Enter the Agent Profile name:

    Enter j2eeagent-2, the agent profile created in the previous procedure.


    Enter the path to the password file:

    Enter /opt/j2ee_agents/am_wl9_agent/agent_pwd.


    Are the Agent and Access Manager 
    installed on the same instance of 
    Application Server? [false]:

    Accept the default value. 


    Verify your settings and decide from the choices below:
    1. Continue with Installation
    2. Back to the last interaction
    3. Start Over
    4. Exit
    Please make your selection [1]:

    Accept the default value. 

  4. Check the installation log to make sure there are no problems reported.

8.8 Completing the J2EE Policy Agent 2 Installation

Use the following as your checklist for completing the J2EE Policy Agent 2 installation:

  1. Modify the Application Server startup script.

  2. Deploy the agent application.

  3. Start the agent application.

  4. Set up the agent authentication provider.

  5. Edit the AMAgent.properties file.

ProcedureTo Modify the Application Server Startup Script

The J2EE Policy Agent installer creates a new file in the Application Server bin directory:


/usr/local/bea/user_projects/domains/ProtectedResource-2/
bin/setAgentEnv_ApplicationServer-2.sh
  1. Make a backup of setDomainEnv.sh.

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin/

  2. In setDomainEnv.sh, insert the following at the end of the file:


    . /usr/local/bea/user_projects/domains/ProtectedResource-2/
    bin/setAgentEnv_ApplicationServer-2.sh

    This command references the file the installer created in the Application Server bin directory.

  3. Save the file.

  4. Change permissions for the setAgentEnv_ApplicationServer-2.sh file:

    # chmod 755 setAgentEnv_ApplicationServer-2.sh

  5. Start the Application Server administration server.


    # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
    # nohup ./startWebLogic.sh &
    # tail -f nohup.out

    Watch for startup errors.

ProcedureTo Deploy the Agent Application

  1. Go to the following Application Server URL:

    http://ProtectedResource-2.example.com:7001/console

  2. Log in to the Application Server console using the following information:

    Username:

    weblogic

    Password:

    w3bl0g1c

  3. In the Application Server console, under Domain Structure, click Deployments.

  4. On the Summary of Deployments page, click “Lock & Edit.”

  5. Under Deployments, click Install.

  6. On the Install Application Assistant page, click the protectedresource-2.example.com link.

  7. In the list for Location: protectedresource-2.example.com, click the root directory.

    Navigate to the application directory: /opt/j2ee_agents/am_wl9_agent/etc/

  8. Select agentapp.war, and then click Next.

  9. In the Install Application Assistant page, choose “Install this deployment as an application,” and then click Next.

  10. In the list of Servers, mark the checkbox for ApplicationServer-2, and then click Next.

  11. In the Optional Settings page, click Next.

  12. On the Summary of Deployments page, click Finish.

  13. In the Change Center, click Activate Changes.

ProcedureTo Start the Agent Application

  1. On the “Settings for agentapp” page, under Domain Structure, click Deployments.

  2. On the Summary of Deployments page, mark the agentapp checkbox, and then click Start > Servicing All Requests.

  3. On the Start Deployments page, click Yes.

    You may encounter a JavaScript error. The agent application does not start until the managed server ApplicationServer-2 is running.

ProcedureTo Set Up the Agent Authentication Provider

  1. In the console, on the Summary of Deployments page, under Domain Structure, click Security Realms.

  2. On the Summary of Security Realms page, in the Change Center click “Lock & Edit.”

  3. Click the Realm name myrealm link.

  4. On the “Settings for myrealm” page, click the Providers tab.

  5. On the Providers tab, under Authentication Providers, click New.

  6. On the Create a New Authentication Provider page, provide the following information:

    Name:

    Agent-1

    Type:

    AgentAuthenticator

  7. Click OK.

    Agent-1 is now included in the list of Authentication Providers.

  8. In the list of Authentication Providers, click Agent-1.

  9. On the Settings for Authentication Providers page, verify that the Control Flag is set to OPTIONAL.

  10. On the Settings for Agent-1 page, in the list of Authentication Providers, click DefaultAuthenticator.

  11. On the Settings for DefaultAuthenticator page, set the Control Flag to OPTIONAL, and then click Save.

  12. Return to the Providers page.

    In the navigation tree near the top of the page, click Providers.

  13. Click Activate Changes.

ProcedureTo Edit the AMAgent.properties File

  1. Make a backup of the following file:

    /opt/j2ee_agents/am_wl9_agent/agent_001/config/AMAgent.properties

  2. In the AMAgent.properties file, set the following property:

    com.sun.identity.agents.config.bypass.principal[0] = weblogic

  3. At end of the file, insert a new property.

    com.sun.identity.session.resetLBCookie=true

    The value must be the bare token true; a quoted value such as 'true' is stored as a string the agent does not recognize as true, and the property has no effect.

    The default value for this property is false. Add this property only if session failover has been configured for Access Manager; if session failover is not configured and the property is added, performance can suffer.

    If session failover is enabled and this property is not added, Access Manager sessions still fail over and session failover works correctly, but stickiness to the Access Manager server is not maintained after a failover occurs. Session stickiness to the Access Manager server helps performance.

    This property must be added to the AMConfig.properties file on the Access Manager servers as well as to the AMAgent.properties file on the J2EE Policy Agent servers. It is not required for the Web Policy Agent servers. The Access Manager 7 2005Q4 Patch 3 section of the Sun Java System Access Manager 7 2005Q4 Release Notes also references this property; see the section "CR# 6440651: Cookie replay requires com.sun.identity.session.resetLBCookie property" in those release notes.

  4. Save the file.

8.9 Setting Up a Test for the J2EE Policy Agent 2

Use the following as your checklist for setting up a test for the J2EE Policy Agent 2:

  1. Deploy the sample application.

  2. Restart the Application Server.

  3. Create a test referral policy in the base suffix.

  4. Create a test policy in the user realm.

  5. Configure J2EE properties for the sample application.

  6. Verify that J2EE Policy Agent 2 is configured properly.

ProcedureTo Deploy the Sample Application

Deploy the sample application on Application Server 1.

  1. Go to the Application Server 1 URL:

    http://ProtectedResource-1.example.com:7001/console

  2. Log in to the Application Server using the following information:

    Username:

    weblogic

    Password:

    w3bl0g1c

  3. In the Application Server console, on the Summary of Deployments page, click “Lock & Edit.”

  4. Under Domain Structure, click Deployments.

  5. Under Deployments, click Install.

  6. On the Install Application Assistant page, click the protectedresource-1.example.com link.

  7. In the list for Location: protectedresource-1.example.com, click the root directory.

    Navigate to the application directory: /opt/j2ee_agents/am_wl9_agent/sampleapp/dist

  8. Select agentsample.ear, and then click Next.

  9. In the Install Application Assistant page, choose “Install this deployment as an application,” and then click Next.

  10. In the list of Servers, mark the checkbox for ApplicationServer-1, and then click Next.

  11. On the “Optional Settings” page, click Next to accept the default settings.

  12. On the “Review Your Choices” page, click Finish.

    The Target Summary section indicates that the module agentsample will be installed on the target ApplicationServer-1.

  13. In the “Settings for agentsample” page, click Activate Changes.

  14. Under Domain Structure, click Deployments.

  15. In the Deployments list, mark the checkbox for agentsample, and then click Start > Servicing All Requests.

  16. On the Start Deployments page, click Yes.

    The state of the deployment changes from Prepared to Active.

  17. Log out of the Application Server 1 console.

ProcedureTo Restart the Application Server

  1. Go to the following Protected Resource 1 directory:

    /usr/local/bea/user_projects/domains/ProtectedResource-1/bin

  2. Stop Application Server 1.

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001 
  3. Stop the administration server.

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # ./stopWebLogic.sh
  4. Start the administration server.

    # nohup ./startWebLogic.sh &
    # tail -f nohup.out

    Watch for startup errors.

  5. Start Application Server 1.

    # nohup ./startManagedWebLogic.sh ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &
    # tail -f nohup.out
  6. Run the netstat command to verify that Application Server 1 is up and listening on port 1081.

    # netstat -an | grep 1081
    xxx.xx.72.151.1081		*.*		0		0	49152		0	LISTEN
    127.0.0.1.1081			*.*		0		0	49152		0	LISTEN
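Grepping netstat output for a bare port number also matches port 11081, remote-side ports and ESTABLISHED connections, so it can report a server as up when it is not. The following check is an added example, not part of the original guide: it parses netstat -an output for a LISTEN entry whose local port is exactly the one requested, accepting both the Solaris form (127.0.0.1.1081) and the Linux form (0.0.0.0:1081), and polls until the managed server is up. The netstat lines used to exercise it are constructed.

```shell
#!/bin/sh
# Added example (not from the deployment guide): confirm that a server is
# really listening on its port instead of grepping netstat for a bare number.

# is_listening PORT < netstat-output
# Reads "netstat -an" output on stdin. Succeeds only if a line in LISTEN state
# has a local address whose port component is exactly PORT.
is_listening() {
    awk -v port="$1" '
        $NF == "LISTEN" {
            # The local address is the first field on Solaris and the fourth
            # on Linux; on both, the port is the last dot- or colon-separated
            # component, so "[.:]1081$" does not match 11081 or 1081x.
            for (i = 1; i <= NF; i++) {
                if ($i ~ ("[.:]" port "$")) { found = 1 }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# wait_for_port PORT [SECONDS]
# Polls netstat once a second until PORT is in LISTEN state or the timeout
# (default 60 s) expires; use it after startManagedWebLogic.sh instead of
# watching nohup.out by eye.
wait_for_port() {
    port=$1
    tries=${2:-60}
    while [ "$tries" -gt 0 ]; do
        if netstat -an 2>/dev/null | is_listening "$port"; then
            echo "port $port is listening"
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    echo "timed out waiting for port $port" >&2
    return 1
}

# Usage: sh this_script.sh 1081 [timeout-seconds]
if [ -n "${1:-}" ]; then
    wait_for_port "$1" "${2:-60}"
fi
```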

ProcedureTo Create a Test Referral Policy in the Base Suffix

  1. In the Access Manager 1 console, on the Access Control tab, click the example.com link.

  2. Click the Policies tab.

  3. Under Policies, click the “Referral URL Policy for users realm” link.

    This is the policy that was created when setting up the Web Policy Agent.

  4. On the Edit Policy page, under Rules, click New.

  5. On the page “Step 1 of 2: Select Service Type for the Rule,” select “URL Policy Agent (with resource name),” and then click Next.

  6. On the page “Step 2 of 2: New Rule,” provide the following information, and then click Next:

    Name:

    URL Policy for ApplicationServer-2

    Resource Name:

    http://ProtectedResource-2.example.com:1081/agentsample/*

  7. Click Finish.

ProcedureTo Create a Test Policy in the User Realm

  1. In the Access Manager 1 console, on the Access Control tab, click the users link.

  2. Click the Policies tab.

  3. Under Policies, click New Policy.

  4. In the Name field, enter URL Policy for ApplicationServer-2.

  5. Under Rules, click New.

  6. On the page “Step 1 of 2: Select Service Type for the Rule,” click Next.

    The default “URL Policy Agent (with resource name)” should be selected.

  7. On the page “Step 2 of 2: New Rule,” provide the following information:

    Name:

    agentsample

    Parent Resource Name:

    Choose http://ProtectedResource-2.example.com:1081/agentsample/*

    Resource Name:

    The following is automatically entered when you select the Parent Resource Name above:

    http://ProtectedResource-2.example.com:1081/agentsample/*

    GET

    Mark this check box, and verify that the Allow value is selected.

    POST

    Mark this check box, and verify that the Allow value is selected.

  8. Click Finish.

    The rule agentsample is now added to the list of Rules.

  9. Under Subjects, click New.

  10. On the page “Step 1 of 2: Select Subject Type,” select Access Manager Identity Subject, then click Next.

  11. On the page “ Step 2 of 2: New Subject — Access Manager Identity Subject,” provide the following information:

    Name:

    agentsampleRoles

    Filter:

    Select role.

  12. Click Search.

  13. In the Available list, select the manager and employee roles, and then click Add.

    The roles are now displayed in the Selected list.

  14. Click Finish.

  15. Click Create.

    The new policy is included in the list of Policies.

ProcedureTo Configure J2EE Properties for the Sample Application

  1. Log in as a root user to Protected Resource 2.


    # cd /opt/j2ee_agents/am_wl9_agent/agent_001/config
  2. Make a backup of the AMAgent.properties file.

  3. Set the following properties:


    com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
    com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
    com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
    com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
    com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
    com.sun.identity.agents.config.access.denied.uri = /agentsample/authentication/accessdenied.html
    com.sun.identity.agents.config.login.form[0] = /agentsample/authentication/login.html
    com.sun.identity.agents.config.login.url[0] = http://LoadBalancer-3.example.com:7070/amserver/UI/Login?realm=users
  4. Save the file.

  5. Restart Application Server 2.

    1. Stop Application Server 2.

      # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
      # ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001
    2. Stop the administration server.

      # ./stopWebLogic.sh
    3. Start the administration server.

      # nohup ./startWebLogic.sh &
      # tail -f nohup.out
    4. Start Application Server 2.

      # nohup ./startManagedWebLogic.sh ApplicationServer-2 
      http://ProtectedResource-2.example.com:7001 &
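The property edits in this procedure, and the AMAgent.properties edits in 8.8, can be made without an editor using the helper below. It is an added example, not code from the guide or from the agent, and it assumes the agent configuration path used in this deployment (AGENT_CONF). Keys such as com.sun.identity.agents.config.notenforced.uri[0] contain regex metacharacters, so the key is matched as literal text: an existing key is replaced in place, a missing key is appended, and a boolean property is checked for a bare true or false value, since a quoted value such as 'true' is not recognized as true.

```shell
#!/bin/sh
# Added example (not from the deployment guide): set properties in an
# AMAgent.properties file by literal key, replacing or appending as needed.
AGENT_CONF=${AGENT_CONF:-/opt/j2ee_agents/am_wl9_agent/agent_001/config/AMAgent.properties}

# set_prop FILE KEY VALUE
# Rewrites "KEY = VALUE". The key is compared as a literal string, so "[0]"
# and "." in the key are safe. Every existing non-comment line for KEY is
# replaced by one line; if there is none, the line is appended.
set_prop() {
    file=$1; key=$2; value=$3
    [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0 }
        {
            # Key of this line: text before the first "=", blanks trimmed.
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key && $0 !~ /^[ \t]*#/) {
                if (!done) { print key " = " value; done = 1 }
                next      # drop duplicate definitions of the key
            }
            print
        }
        END { if (!done) print key " = " value }' "$file" > "$tmp" \
        && cat "$tmp" > "$file" && rm -f "$tmp"   # keeps owner and mode of FILE
}

# get_prop FILE KEY: print the trimmed value of KEY, or nothing if unset.
get_prop() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_bool_prop FILE KEY: succeed only if the value is exactly true or false.
check_bool_prop() {
    v=$(get_prop "$1" "$2")
    case "$v" in
        true|false) return 0 ;;
        *) echo "$2 must be true or false, found: '$v'" >&2; return 1 ;;
    esac
}

# Usage: sh this_script.sh --apply   (edits AGENT_CONF after backing it up)
if [ "${1:-}" = "--apply" ]; then
    cp -p "$AGENT_CONF" "$AGENT_CONF.$(date +%Y%m%d%H%M%S).bak"
    # 8.8: bypass the container admin user, keep load-balancer stickiness after failover
    set_prop "$AGENT_CONF" 'com.sun.identity.agents.config.bypass.principal[0]' weblogic
    set_prop "$AGENT_CONF" com.sun.identity.session.resetLBCookie true
    # 8.9: sample application settings
    set_prop "$AGENT_CONF" 'com.sun.identity.agents.config.notenforced.uri[0]' '/agentsample/public/*'
    set_prop "$AGENT_CONF" 'com.sun.identity.agents.config.notenforced.uri[1]' '/agentsample/images/*'
    set_prop "$AGENT_CONF" 'com.sun.identity.agents.config.notenforced.uri[2]' '/agentsample/styles/*'
    set_prop "$AGENT_CONF" 'com.sun.identity.agents.config.notenforced.uri[3]' /agentsample/index.html
    set_prop "$AGENT_CONF" 'com.sun.identity.agents.config.notenforced.uri[4]' /agentsample
    set_prop "$AGENT_CONF" com.sun.identity.agents.config.access.denied.uri /agentsample/authentication/accessdenied.html
    set_prop "$AGENT_CONF" 'com.sun.identity.agents.config.login.form[0]' /agentsample/authentication/login.html
    set_prop "$AGENT_CONF" 'com.sun.identity.agents.config.login.url[0]' 'http://LoadBalancer-3.example.com:7070/amserver/UI/Login?realm=users'
    check_bool_prop "$AGENT_CONF" com.sun.identity.session.resetLBCookie
fi
```

Values are passed through awk -v, so a value containing a backslash would be reinterpreted; none of the values in this chapter do. Restart Application Server 2 afterwards, as in step 5, for the agent to read the file.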

ProcedureTo Verify that J2EE Policy Agent 2 is Configured Properly

  1. Go to the Sample Application URL:

    http://protectedresource-2.example.com:1081/agentsample/index.html

    The Sample Application welcome page is displayed.

  2. Click J2EE Declarative Security > “Invoke the Protected Servlet.”

    The Policy Agent redirects to the Access Manager login page.

  3. Log in to the Access Manager console using the following information:

    Username

    testuser1

    Password

    password

    If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.

  4. Click the “J2EE Declarative Security” link.

  5. On the J2EE Declarative Security page, click the “Invoke the Protected Servlet” link.

    If the Successful Invocation message is displayed, then this part of the test succeeded, and the sample policy for the manager role has been enforced as expected.

  6. Click the “J2EE Declarative Security” link to go back.

  7. Click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    If the Failed Invocation message is displayed, then this part of the test succeeded, and the sample policy for the employee role has been enforced as expected.

  8. Close the browser.

  9. In a new browser session, go to the Sample Application URL:

    http://protectedresource-2.example.com:1081/agentsample/index.html

    The Sample Application welcome page is displayed.

  10. Click the “J2EE Declarative Security” link.

  11. On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    The Policy Agent redirects to the Access Manager login page.

  12. Log in to the Access Manager console using the following information:

    Username

    testuser2

    Password

    password

    If you can successfully log in as testuser2, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.

  13. Click the “J2EE Declarative Security” link to go back.

  14. On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    The Successful Invocation message is displayed. The sample policy for the employee role has been enforced as expected.

8.10 Configuring Access Manager to Communicate Over SSL

Use the following as your checklist for configuring Access Manager to communicate over SSL:

  1. Configure the J2EE Policy Agent for SSL.

  2. Import a root CA certificate into the Application Server 2 key store.

  3. Verify that J2EE Policy Agent 2 is configured properly.

  4. Configure the J2EE Policy Agents to access the Distributed Authentication UI server.

ProcedureTo Configure the J2EE Policy Agent for SSL

  1. Log in as a root user to Protected Resource 2.

    # cd /opt/j2ee_agents/am_wl9_agent/agent_001/config

  2. Make a backup of the AMAgent.properties file.

  3. In the AMAgent.properties, set the following properties:

    com.sun.identity.agents.config.login.url[0] = 
    https://LoadBalancer-3.example.com:9443/amserver/UI/Login?realm=users 
    com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = 
    https://LoadBalancer-3.example.com:9443/amserver/cdcservlet 
    com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = 
    https://LoadBalancer-3.example.com:9443/amserver/cdcservlet 
    com.iplanet.am.naming.url=
    https://LoadBalancer-3.example.com:9443/amserver/namingservice 
    com.iplanet.am.server.protocol=https 
    com.iplanet.am.server.port=9443
  4. Save the AMAgent.properties file.
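After switching the agent to SSL, it is worth checking that no Access Manager URL in AMAgent.properties was left on http: a request the agent still sends to the old plaintext port crosses the network in the clear, session tokens included. The following check is an added example, not part of the original guide. It reads the properties this procedure sets; the sample configurations it is exercised with are constructed. Note that com.sun.identity.agents.config.login.url[0] may legitimately point at a different host later in this chapter (the Distributed Authentication UI server), so only its scheme is checked, while the naming service URL must also agree with com.iplanet.am.server.port.

```shell
#!/bin/sh
# Added example (not from the deployment guide): verify that the agent's
# Access Manager endpoints all use https and agree with server.protocol/port.

# prop FILE KEY: print the trimmed value of KEY (first non-comment match).
prop() {
    awk -v key="$2" '/^[ \t]*#/ { next }
        { k = $0; sub(/[ \t]*=.*$/, "", k); sub(/^[ \t]+/, "", k)
          if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v); print v; exit } }' "$1"
}

# check_ssl_config FILE: succeed if consistent; each problem is reported on stderr.
check_ssl_config() {
    file=$1; rc=0
    proto=$(prop "$file" com.iplanet.am.server.protocol)
    port=$(prop "$file" com.iplanet.am.server.port)
    [ "$proto" = https ] || { echo "com.iplanet.am.server.protocol is '$proto', expected https" >&2; rc=1; }

    # Every endpoint the agent contacts or redirects to must be https.
    for key in \
        'com.sun.identity.agents.config.login.url[0]' \
        'com.sun.identity.agents.config.cdsso.cdcservlet.url[0]' \
        'com.sun.identity.agents.config.cdsso.trusted.id.provider[0]' \
        com.iplanet.am.naming.url
    do
        url=$(prop "$file" "$key")
        case "$url" in
            https://*) ;;
            '')        echo "$key is not set" >&2; rc=1 ;;
            *)         echo "$key is not https: $url" >&2; rc=1 ;;
        esac
    done

    # The naming service is the Access Manager server itself, so its port must
    # match com.iplanet.am.server.port (login.url may point at another host).
    naming=$(prop "$file" com.iplanet.am.naming.url)
    case "$naming" in
        https://*)
            hp=${naming#https://}; hp=${hp%%/*}      # host[:port]
            case "$hp" in *:*) nport=${hp#*:} ;; *) nport=443 ;; esac
            [ "$nport" = "$port" ] || { echo "naming.url port $nport differs from server.port $port" >&2; rc=1; }
            ;;
    esac
    return $rc
}

# Usage: sh this_script.sh /opt/j2ee_agents/am_wl9_agent/agent_001/config/AMAgent.properties
if [ -n "${1:-}" ]; then
    check_ssl_config "$1" && echo "SSL configuration is consistent"
fi
```

Run it before restarting the Application Server; a clean result plus the CA certificate import in the next procedure is what makes the first https call to the naming service succeed.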

ProcedureTo Import a Root CA Certificate into the Application Server 2 Key Store

  1. Log in as a root user to Protected Resource 2 and go to the following directory:

    /usr/local/bea/jdk150_04/jre/lib/security/

  2. Make a backup of cacerts.

  3. Import the certificate.

    # /usr/local/bea/jdk150_04/bin/keytool -import -trustcacerts -alias OpenSSLTestCA 
    -file /export/software/ca.cer 
    -keystore /usr/local/bea/jdk150_04/jre/lib/security/cacerts -storepass changeit 
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, 
    O=Sun, L=Santa Clara, ST=California, C=US 
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, 
    O=Sun, L=Santa Clara, ST=California, C=US 
    Serial number: 97dba0aa26db6386 
    Valid from: Tue Apr 18 07:55:19 PDT 2006 until: Tue Jan 13 06:55:19 PST 2009 
    Certificate fingerprints: 
    			MD5:  9F:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06 
    			SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:28:64:36:80:E4:70 
    Trust this certificate? [no]:  yes 
    Certificate was added to keystore 
  4. Verify the certificate was added to the key store.

    # /usr/local/bea/jdk150_04/bin/keytool -list 
    -keystore /usr/local/bea/jdk150_04/jre/lib/security/cacerts 
    -storepass changeit | grep -i openssl
    openssltestca, Oct 2, 2006, trustedCertEntry, 
  5. Stop Application Server 2.

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
    # ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001 
  6. Stop the administration server.

    # ./stopWebLogic.sh
  7. Start the administration server.

    # nohup ./startWebLogic.sh &
    # tail -f nohup.out
  8. Start Application Server 2.

    # nohup ./startManagedWebLogic.sh ApplicationServer-2 
    http://ProtectedResource-2.example.com:7001 &

ProcedureTo Verify that J2EE Policy Agent 2 is Configured Properly

  1. Go to the Sample Application URL:

    http://protectedresource-2.example.com:1081/agentsample/index.html

    The Sample Application welcome page is displayed.

  2. Click J2EE Declarative Security > “Invoke the Protected Servlet.”

    The Policy Agent redirects to the Access Manager login page.

  3. Log in to the Access Manager console using the following information:

    Username

    testuser1

    Password

    password

    If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.

  4. Click the “J2EE Declarative Security” link.

  5. On the J2EE Declarative Security page, click the “Invoke the Protected Servlet” link.

    If the Successful Invocation message is displayed, then this part of the test succeeded, and the sample policy for the manager role has been enforced as expected.

  6. Click the “J2EE Declarative Security” link to go back.

  7. Click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    If the Failed Invocation message is displayed, then this part of the test succeeded, and the sample policy for the employee role has been enforced as expected.

  8. Close the browser.

  9. In a new browser session, go to the Sample Application URL:

    http://protectedresource-2.example.com:1081/agentsample/index.html

    The Policy Agent redirects to the Access Manager login page.

  10. Log in to the Access Manager console using the following information:

    Username

    testuser2

    Password

    password

    The Failed Invocation message is displayed.

  11. Click the “J2EE Declarative Security” link.

  12. On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    The Successful Invocation message is displayed. The sample policy for the employee role has been enforced as expected.

  13. Click the “J2EE Declarative Security” link to go back.

  14. Click the “Invoke the Protected Servlet” link.

    If the Access to Requested Resource Denied message is displayed, then this part of the test is successful. The sample policy for the manager role has been enforced as expected.

ProcedureTo Configure the J2EE Policy Agents to Access the Distributed Authentication UI Server

  1. Log in as a root user to Protected Resource 2.

    # cd /opt/j2ee_agents/am_wl9_agent/agent_001/config
  2. Make a backup of the file AMAgent.properties.

  3. In the AMAgent.properties file, set the following properties:


    com.sun.identity.agents.config.login.url[0] = 
    https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users
  4. Save the file.

  5. Restart the Application Server.

    1. Stop Application Server 2.

      # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
      # ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001 
    2. Stop the administration server.

      # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
      # ./stopWebLogic.sh
    3. Start the administration server.

      # nohup ./startWebLogic.sh &
      # tail -f nohup.out

      Watch for startup errors.

    4. Start Application Server 2.

      # nohup ./startManagedWebLogic.sh ApplicationServer-2 http://ProtectedResource-2.example.com:7001 &
      # tail -f nohup.out
  6. Verify that the agents are configured properly.

    1. Go to the sample application URL:

      http://ProtectedResource-2.example.com:1081/agentsample/index.html

    2. In the left navigation bar, click “Invoke the Protected Servlet.”

      You are redirected to the Distributed Authentication UI server URL https://loadbalancer-4.example.com:9443/distAuth/UI/login. The Access Manager login page is displayed.

    3. Double-click the gold lock in the lower left corner of the browser.

      On the Properties page, you see the certificate for LoadBalancer-4.example.com.

    4. Log in to the Access Manager console using the following information:

      Username

      testuser1

      Password

      password

      You are redirected to the protected servlet of the Sample Application, and a success message is displayed. This indicates that authentication through the Distributed Authentication UI server was successful.