Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

8.5 Configuring Access Manager to Communicate Over SSL

In this section, you configure the J2EE Policy Agent on Protected Resource 1 to use the SSL port (9443) of the Access Manager load balancer (Load Balancer 3), and then point its login URL at the Distributed Authentication UI load balancer (Load Balancer 4). Because the agent's Java runtime must be able to validate the load balancer's server certificate, the first step is to add the issuing CA to the Application Server's trust store.

Use the following as your checklist for configuring Access Manager to communicate over SSL:

  1. Import the root CA certificate into the Application Server keystore.

  2. Configure the J2EE Policy Agent for SSL.

  3. Verify that J2EE Policy Agent 1 is configured properly.

  4. Configure the Policy Agents to access the Distributed Authentication UI server.

Procedure: To Import the Root CA Certificate into the Application Server Keystore

In this procedure, you import the Certificate Authority (CA) certificate that issued the server certificate of the Access Manager load balancer (Load Balancer 3) into the trust store of the JDK that runs Application Server 1. This lets the J2EE Policy Agent, which runs inside that Application Server, validate the certificate presented by Load Balancer 3 and the chain from the CA down to that certificate. Without the CA in this keystore, the agent's SSL connections to the naming and session services fail with an untrusted-certificate error.

  1. As root on ProtectedResource-1, go to the directory where the keystore (the cacerts file) is located:


    # cd /usr/local/bea/jdk150_04/jre/lib/security/
  2. Make a backup of the cacerts file.

  3. Copy the CA certificate that you obtained from your Certificate Authority into a temporary directory. Example:


    /export/software/ca.cer
  4. Import the certificate. Before answering yes, compare the fingerprint that keytool prints with the one your CA published through a separate channel; if they differ, answer no. The store password changeit is the JDK default, which is why it appears here; a production keystore should use a different password, and note that a -storepass value given on the command line is visible to other users in the process list while the command runs.


    # /usr/local/bea/jdk150_04/bin/keytool -import \
    -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer \
    -keystore /usr/local/bea/jdk150_04/jre/lib/security/cacerts \
    -storepass changeit

    Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun,
    O=Sun, L=Santa Clara, ST=California, C=US
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun,
    O=Sun, L=Santa Clara, ST=California, C=US
    Serial number: 97dba0aa26db6386
    Valid from: Tue Apr 18 07:55:19 PDT 2006 until: Tue Jan 13 06:55:19 PST 2009
    Certificate fingerprints:
         MD5:  9F:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06
         SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:28:64:36:80:E4:70
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  5. Verify that the certificate was imported successfully. keytool stores aliases in lowercase, so the grep pattern is lowercase too:


    # /usr/local/bea/jdk150_04/bin/keytool -list \
    -keystore /usr/local/bea/jdk150_04/jre/lib/security/cacerts \
    -storepass changeit | grep openssl

    openssltestca, Oct 2, 2006, trustedCertEntry,
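The import above trusts whatever keytool prints once you type yes. The following script is an added example, not code from this deployment guide or from Access Manager: it computes the certificate's fingerprint itself, compares it with a value obtained from the CA operator out of band, and only then runs the same keytool import non-interactively, followed by the same keytool -list check. The JDK path, keystore and store password default to the values this section uses; the SHA1 fingerprint in the main block is the one the guide's keytool output shows for OpenSSLTestCA and must be replaced with the one your CA publishes; the sample certificate bytes are constructed for the offline checks and are not a real certificate.

```python
"""Pin a CA import to an out-of-band fingerprint before running keytool.
Added example for the Access Manager deployment guide, not code from the
guide or the product. Defaults match the guide's paths; keytool itself is
still what writes the keystore."""
import base64
import hashlib
import shutil
import subprocess
import time

JDK = "/usr/local/bea/jdk150_04"                  # WebLogic's JDK on ProtectedResource-1
KEYTOOL = JDK + "/bin/keytool"
CACERTS = JDK + "/jre/lib/security/cacerts"
STOREPASS = "changeit"                              # JDK default; change it on a real host

# Constructed stand-in for DER certificate bytes, used only by the offline checks.
SAMPLE_DER = b"constructed bytes standing in for a DER-encoded CA certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")


def pem_to_der(data: bytes) -> bytes:
    """Return the DER bytes of a PEM or DER certificate. keytool's fingerprints
    are hashes of exactly these bytes, so this is what must be hashed."""
    if b"-----BEGIN" not in data:
        return data                                 # already DER
    body, inside = [], False
    for line in data.splitlines():
        if line.startswith(b"-----BEGIN"):
            inside = True
        elif line.startswith(b"-----END"):
            break
        elif inside:
            body.append(line.strip())
    return base64.b64decode(b"".join(body))


def fingerprint(der: bytes, algo: str = "sha1") -> str:
    """Fingerprint in keytool's notation: uppercase hex pairs joined by ':'."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def normalize(fp: str) -> str:
    """Make '9f:57:ed' and '9F57ED' compare equal."""
    return fp.replace(":", "").replace(" ", "").upper()


def fingerprint_matches(der: bytes, expected: str, algo: str = "sha1") -> bool:
    """True only if the file's fingerprint equals the value the CA gave you.
    keytool 1.5 prints MD5 and SHA1; compare SHA1 (or SHA-256 where available), never MD5."""
    return normalize(fingerprint(der, algo)) == normalize(expected)


def backup_keystore(path: str = CACERTS) -> str:
    """Step 2 of the procedure: copy cacerts aside with a timestamp; returns the copy's path."""
    dest = "%s.%s.bak" % (path, time.strftime("%Y%m%d%H%M%S"))
    shutil.copy2(path, dest)
    return dest


def import_pinned_ca(cert_path: str, alias: str, expected_sha1: str,
                     keytool: str = KEYTOOL, keystore: str = CACERTS,
                     storepass: str = STOREPASS) -> bool:
    """Run the guide's keytool -import non-interactively, but only after the
    fingerprint check passes. Raises ValueError (and never calls keytool) on mismatch."""
    with open(cert_path, "rb") as fh:
        der = pem_to_der(fh.read())
    if not fingerprint_matches(der, expected_sha1):
        raise ValueError("fingerprint mismatch for %s: file has %s, expected %s"
                         % (cert_path, fingerprint(der), expected_sha1))
    cmd = [keytool, "-import", "-noprompt", "-trustcacerts", "-alias", alias,
           "-file", cert_path, "-keystore", keystore, "-storepass", storepass]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def is_trusted_entry(alias: str, keytool: str = KEYTOOL, keystore: str = CACERTS,
                     storepass: str = STOREPASS) -> bool:
    """Step 5 of the procedure: confirm the alias is listed as a trustedCertEntry."""
    proc = subprocess.run([keytool, "-list", "-keystore", keystore,
                           "-storepass", storepass, "-alias", alias],
                          capture_output=True, text=True)
    return proc.returncode == 0 and "trustedCertEntry" in proc.stdout


if __name__ == "__main__":
    # The SHA1 value is the one the guide's keytool output shows for OpenSSLTestCA;
    # on your deployment, substitute the fingerprint your CA published.
    print("backup written to", backup_keystore())
    import_pinned_ca("/export/software/ca.cer", "OpenSSLTestCA",
                     "31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:28:64:36:80:E4:70")
    print("trusted entry present:", is_trusted_entry("OpenSSLTestCA"))
```

The fingerprint is checked before keytool is invoked, so a mismatched file never reaches the keystore, and the backup written first is what you restore from if the import has to be undone.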

Procedure: To Configure the J2EE Policy Agent for SSL

  1. As root, log in to host ProtectedResource-1 and go to the agent's configuration directory:

    # cd /opt/j2ee_agents/am_wl9_agent/agent_001/config

  2. Make a backup of the AMAgent.properties file.

  3. In AMAgent.properties, set the following properties so that the login, CDSSO and naming URLs, and the server protocol and port, all refer to the SSL port of Load Balancer 3 (each property is on a single line in the file):

    com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-3.example.com:9443/amserver/UI/Login?realm=users
    com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
    com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
    com.iplanet.am.naming.url=https://LoadBalancer-3.example.com:9443/amserver/namingservice
    com.iplanet.am.server.protocol=https
    com.iplanet.am.server.port=9443
  4. Save the file.

  5. Stop Application Server 1.

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
  6. Stop the administration server.

    # ./stopWebLogic.sh
  7. Start the administration server.

    # nohup ./startWebLogic.sh &
    # tail -f nohup.out
  8. Start Application Server 1.

    # nohup ./startManagedWebLogic.sh 
    ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &

Procedure: To Verify that J2EE Policy Agent 1 is Configured Properly

Use these steps to access the agent sample application and then test the sample policies against it.

  1. Go to the Sample Application URL:

    http://protectedresource-1.example.com:1081/agentsample/index.html

    The Sample Application welcome page is displayed.

  2. Click J2EE Declarative Security > “Invoke the Protected Servlet”

    The Policy Agent redirects to the Access Manager login page.

  3. Log in on the Access Manager login page using the following information:

    Username: testuser1
    Password: password

    If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.

  4. Click the “J2EE Declarative Security” link.

  5. On the J2EE Declarative Security page, click the “Invoke the Protected Servlet link”.

    If the Success Invocation message is displayed, then this part of the test succeeded, and the sample policy for the manager role has been enforced as expected.

  6. Click the “J2EE Declarative Security” link to go back.

  7. Click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    If the Failed Invocation message is displayed, then this part of the test succeeded, and the sample policy for the employee role has been enforced as expected.

  8. Close the browser.

  9. In a new browser session, go to the Sample Application URL:

    http://protectedresource-1.example.com:1081/agentsample/index.html

    The Policy Agent redirects to the Access Manager login page.

  10. Log in on the Access Manager login page using the following information:

    Username: testuser2
    Password: password

    The Failed Invocation message is displayed.

  11. Click the “J2EE Declarative Security” link.

  12. On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    The Successful Invocation message is displayed. The sample policy for the employee role has been enforced as expected.

  13. Click the “J2EE Declarative Security” link to go back.

  14. Click the “Invoke the Protected Servlet” link.

    If the Access to Requested Resource Denied message is displayed, then this part of the test is successful. The sample policy for the manager role has been enforced as expected.

Procedure: To Configure the Policy Agents to Access the Distributed Authentication UI Server

  1. As root, log in to host ProtectedResource-1 and go to the agent's configuration directory:

    # cd /opt/j2ee_agents/am_wl9_agent/agent_001/config
  2. Make a backup of the file AMAgent.properties.

  3. In the AMAgent.properties file, change only the login URL so that it points to the Distributed Authentication UI load balancer (Load Balancer 4):

    com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users

    The naming, CDSSO and server properties set in the previous procedure still point to Load Balancer 3. Only the browser is redirected to Load Balancer 4 for login; the agent's own connections to Access Manager continue to go to Load Balancer 3, and the Distributed Authentication UI forwards the authentication to the Access Manager servers behind it.

  4. Save the file.

  5. Restart the Application Server.

    1. Stop Application Server 1.

      # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
      # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    2. Stop the administration server.

      # ./stopWebLogic.sh
    3. Start the administration server.

      # nohup ./startWebLogic.sh &
      # tail -f nohup.out

      Watch for startup errors.

    4. Start Application Server 1.

      # nohup ./startManagedWebLogic.sh ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &
      # tail -f nohup.out
  6. Verify that the agents are configured properly.

    1. Go to the sample application URL:

      http://ProtectedResource-1.example.com:1081/agentsample/index.html

    2. In the left navigation bar, click “Invoke the Protected Servlet.”

      You are redirected to the Distributed Authentication UI server URL https://LoadBalancer-4.example.com:9443/distAuth/UI/Login, and the Access Manager login page is displayed.

    3. Click the browser's padlock icon (in browsers of the time, the gold lock in the lower left corner) to view the certificate.

      The certificate shown is the one for LoadBalancer-4.example.com, which confirms that the login page was served over SSL by Load Balancer 4 rather than by the Access Manager servers directly.

    4. Log in on the Access Manager login page using the following information:

      Username: testuser1
      Password: password

      You are redirected to the protected servlet of the Sample Application, and a success message is displayed. This indicates that authentication through the Distributed Authentication UI server was successful.
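The two AMAgent.properties edits in this section (the SSL URLs for Load Balancer 3 in the earlier procedure, and the login URL for Load Balancer 4 here) are easy to get half right, for example by leaving one of the CDSSO URLs on plain http. The following checker is an added example, not code from this guide or from Access Manager: it reads the agent's properties file with a minimal Java .properties parser and reports every Access Manager URL that is not https, a server protocol that is not https, and a server port that disagrees with the naming URL. The three property sets are constructed inline: the pre-SSL one (with an assumed plaintext port 90 that is not from the guide), the values the guide sets for Load Balancer 3, and the Distributed Authentication UI variant, which also includes a backslash line continuation to exercise the parser.

```python
"""Check that an AMAgent.properties file uses the SSL settings this section
sets, and report which Access Manager URLs still go over plain http.
Added example for the Access Manager deployment guide, not code from the
guide or the product. The property sets below are constructed inline."""
import re
from urllib.parse import urlparse

# Every key the procedure points at the load balancer's SSL port.
AM_URL_KEYS = (
    "com.sun.identity.agents.config.login.url[0]",
    "com.sun.identity.agents.config.cdsso.cdcservlet.url[0]",
    "com.sun.identity.agents.config.cdsso.trusted.id.provider[0]",
    "com.iplanet.am.naming.url",
)

PLAINTEXT_PROPS = """\
# assumed pre-SSL state (constructed): port 90 is a placeholder, not from the guide
com.sun.identity.agents.config.login.url[0] = http://LoadBalancer-3.example.com:90/amserver/UI/Login?realm=users
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = http://LoadBalancer-3.example.com:90/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = http://LoadBalancer-3.example.com:90/amserver/cdcservlet
com.iplanet.am.naming.url=http://LoadBalancer-3.example.com:90/amserver/namingservice
com.iplanet.am.server.protocol=http
com.iplanet.am.server.port=90
"""

SSL_PROPS = """\
com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-3.example.com:9443/amserver/UI/Login?realm=users
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
com.iplanet.am.naming.url=https://LoadBalancer-3.example.com:9443/amserver/namingservice
com.iplanet.am.server.protocol=https
com.iplanet.am.server.port=9443
"""

# Only the login URL changes for the Distributed Authentication UI; the value is
# split with a Java properties line continuation to exercise the parser.
DAUI_PROPS = SSL_PROPS.replace(
    "https://LoadBalancer-3.example.com:9443/amserver/UI/Login?realm=users",
    "https://LoadBalancer-4.example.com:9443\\\n    /distAuth/UI/Login?realm=users")


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: '#'/'!' comments, key=value or key:value,
    and backslash line continuations. Enough for AMAgent.properties."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_ssl_config(props: dict) -> list:
    """Return a list of problems; an empty list means the agent reaches
    Access Manager only over https and on a consistent port."""
    problems = []
    for key in AM_URL_KEYS:
        value = props.get(key)
        if value is None:
            problems.append("%s: missing (expected an https URL)" % key)
            continue
        if urlparse(value).scheme != "https":
            problems.append("%s: not https (%s)" % (key, value))
    if props.get("com.iplanet.am.server.protocol") != "https":
        problems.append("com.iplanet.am.server.protocol: not https")
    naming = props.get("com.iplanet.am.naming.url")
    port = props.get("com.iplanet.am.server.port")
    if naming and port and str(urlparse(naming).port) != port:
        problems.append("com.iplanet.am.server.port %s disagrees with the naming URL" % port)
    return problems


def login_and_naming_hosts(props: dict) -> tuple:
    """Host the browser is sent to for login, and host the agent uses for naming.
    After the Distributed Authentication UI step these are expected to differ."""
    return (urlparse(props.get(AM_URL_KEYS[0], "")).hostname,
            urlparse(props.get("com.iplanet.am.naming.url", "")).hostname)


def check_file(path: str) -> list:
    """Run the checks over a real AMAgent.properties on disk."""
    with open(path, encoding="latin-1") as fh:   # Java .properties files are ISO-8859-1
        return check_ssl_config(parse_properties(fh.read()))


if __name__ == "__main__":
    for name, text in (("plaintext", PLAINTEXT_PROPS), ("ssl", SSL_PROPS), ("distauth", DAUI_PROPS)):
        props = parse_properties(text)
        print(name, check_ssl_config(props) or "ok", login_and_naming_hosts(props))
```

Run it against the live file with check_file("/opt/j2ee_agents/am_wl9_agent/agent_001/config/AMAgent.properties") after each edit and before restarting WebLogic; an empty list is the expected result for both procedures, and login_and_naming_hosts should report LoadBalancer-4 for login and LoadBalancer-3 for naming only after the Distributed Authentication UI step.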