Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

8.9 Setting Up a Test for the J2EE Policy Agent 2

Use the following as your checklist for setting up a test for the J2EE Policy Agent 2:

  1. Deploy the sample application.

  2. Restart the Application Server.

  3. Create a test referral policy in the base suffix.

  4. Create a test policy in the user realm.

  5. Configure J2EE properties for the sample application.

  6. Verify that J2EE Policy Agent 2 is configured properly.

Procedure: To Deploy the Sample Application

Deploy the sample application on Application Server 1.

  1. Go to the Application Server 1 URL:

    http://ProtectedResource-1.example.com:7001/console

  2. Log in to the Application Server using the following information:

    Username:

    weblogic

    Password:

    w3bl0g1c

  3. In the Application Server console, on the Summary of Deployments page, click “Lock & Edit.”

  4. Under Domain Structure, click Deployments.

  5. Under Deployments, click Install.

  6. On the Install Application Assistant page, click the protectedresource-1.example.com link.

  7. In the list for Location: protectedresource-2.example.com, click the root directory.

    Navigate to the application directory: /opt/j2ee_agents/am_wl9_agent/sampleapp/dist

  8. Select agentsample.ear, and then click Next.

  9. In the Install Application Assistant page, choose “Install this deployment as an application,” and then click Next.

  10. In the list of Servers, mark the checkbox for ApplicationServer-1, and then click Next.

  11. On the “Optional Settings” page, click Next to accept the default settings.

  12. On the “Review Your Choices” page, click Finish.

    The Target Summary section indicates that the module agentsample will be installed on the target ApplicationServer-1.

  13. In the “Settings for agentsample” page, click Activate Changes.

  14. Under Domain Structure, click Deployments.

  15. In the Deployments list, mark the checkbox for agentsample, and then click Start > Servicing All Requests.

  16. On the Start Deployments page, click Yes.

    The state of the deployment changes from Prepared to Active.

  17. Log out of the Application Server 1 console.

Procedure: To Restart the Application Server

  1. Go to the following Protected Resource 1 directory:

    /usr/local/bea/user_projects/domains/ProtectedResource-1/bin

  2. Stop Application Server 1.

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001

  3. Stop the administration server.

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # ./stopWebLogic.sh

  4. Start the administration server.

    # nohup ./startWebLogic.sh &
    # tail -f nohup.out

    Watch for startup errors.

  5. Start Application Server 1.

    # nohup ./startManagedWebLogic.sh ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &
    # tail -f nohup.out

  6. Run the netstat command to verify that Application Server 1 is up and listening.

    # netstat -an | grep 1081
    xxx.xx.72.151.1081    *.*    0    0    49152    0    LISTEN
    127.0.0.1.1081        *.*    0    0    49152    0    LISTEN

Procedure: To Create a Test Referral Policy in the Base Suffix

  1. In the Access Manager 1 console, on the Access Control tab, click the example.com link.

  2. Click the Policies tab.

  3. Under Policies, click the “Referral URL Policy for users realm” link.

    This is the policy that was created when setting up the Web Policy Agent.

  4. On the Edit Policy page, under Rules, click New.

  5. On the page “Step 1 of 2: Select Service Type for the Rule,” select “URL Policy Agent (with resource name),” and then click Next.

  6. On the page “Step 2 of 2: New Rule,” provide the following information, and then click Next:

    Name:

    URL Policy for ApplicationServer-2

    Resource Name:

    http://ProtectedResource-2.example.com:1081/agentsample/*

  7. Click Finish.

Procedure: To Create a Test Policy in the User Realm

  1. In the Access Manager 1 console, on the Access Control tab, click the users link.

  2. Click the Policies tab.

  3. Under Policies, click New Policy.

  4. In the Name field, enter URL Policy for ApplicationServer-2.

  5. Under Rules, click New.

  6. On the page “Step 1 of 2: Select Service Type for the Rule,” click Next.

    The default “URL Policy Agent (with resource name)” should be selected.

  7. On the page “Step 2 of 2: New Rule,” provide the following information:

    Name:

    agentsample

    Parent Resource Name:

    Choose http://ProtectedResource-2.example.com:1081/agentsample/*

    Resource Name:

    The following is automatically entered when you select the Parent Resource Name above:

    http://ProtectedResource-2.example.com:1081/agentsample/*

    GET

    Mark this check box, and verify that the Allow value is selected.

    POST

    Mark this check box, and verify that the Allow value is selected.

  8. Click Finish.

    The rule agentsample is now added to the list of Rules.

  9. Under Subjects, click New.

  10. On the page “Step 1 of 2: Select Subject Type,” select Access Manager Identity Subject, then click Next.

  11. On the page “Step 2 of 2: New Subject — Access Manager Identity Subject,” provide the following information:

    Name:

    agentsampleRoles

    Filter:

    Select role.

  12. Click Search.

  13. In the Available list, select the manager and employee roles, and then click Add.

    The roles are now displayed in the Selected list.

  14. Click Finish.

  15. Click Create.

    The new policy is included in the list of Policies.

Procedure: To Configure J2EE Properties for the Sample Application

  1. Log in as a root user to Protected Resource 2.

    # cd /opt/j2ee_agents/am_wl9_agent/agent_001/config

  2. Make a backup of the AMAgent.properties file.

  3. Set the following properties:


    com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
    com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
    com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
    com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
    com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
    com.sun.identity.agents.config.access.denied.uri = /agentsample/authentication/accessdenied.html
    com.sun.identity.agents.config.login.form[0] = /agentsample/authentication/login.html
    com.sun.identity.agents.config.login.url[0] = http://LoadBalancer-3.example.com:7070/amserver/UI/Login?realm=users

  4. Save the file.

  5. Restart Application Server 2.

    1. Stop Application Server 2.

      # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
      # ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001

    2. Stop the administration server.

      # ./stopWebLogic.sh

    3. Start the administration server.

      # nohup ./startWebLogic.sh &
      # tail -f nohup.out

    4. Start Application Server 2.

      # nohup ./startManagedWebLogic.sh ApplicationServer-2 http://ProtectedResource-2.example.com:7001 &
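
The not-enforced list in AMAgent.properties decides which URIs the agent serves without a session, so it is worth auditing after each edit. The following shell script is an added example, not part of the original guide: it assumes that `*` matches any run of characters (approximated with shell glob matching), uses a hypothetical protected path /agentsample/protectedservlet, and runs against constructed sample files.

```shell
# Added example: audit notenforced.uri entries in an AMAgent.properties file.
# Assumption: '*' matches any run of characters (shell glob semantics).
KEY='com\.sun\.identity\.agents\.config\.notenforced\.uri\[[0-9]*]'
# Print the value of every notenforced.uri[N] property in file $1.
notenforced_patterns() {
    sed -n "s/^[[:space:]]*${KEY}[[:space:]]*=[[:space:]]*//p" "$1" | sed 's/[[:space:]]*$//'
}
# Print not-enforced keys with an empty value (value left on the next line).
empty_value_keys() {
    sed -n "s/^[[:space:]]*\(${KEY}\)[[:space:]]*=[[:space:]]*\$/\1/p" "$1"
}
# Return 0 if URI $2 matches a not-enforced pattern in file $1, else 1.
is_not_enforced() {
    pats=$(notenforced_patterns "$1")
    while IFS= read -r pat; do
        [ -n "$pat" ] || continue
        case "$2" in $pat) return 0 ;; esac
    done <<EOF
$pats
EOF
    return 1
}
# Print each URI in $2.. that would be served without a session.
bypassed_uris() {
    file=$1; shift
    for uri in "$@"; do
        if is_not_enforced "$file" "$uri"; then printf '%s\n' "$uri"; fi
    done
}

# Constructed sample: the not-enforced list from this page.
PAGE_CFG=$(mktemp)
cat > "$PAGE_CFG" <<'EOF'
com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
EOF
# Constructed weak variant: app-wide wildcard, and a value on the next line.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/*
com.sun.identity.agents.config.notenforced.uri[1] =
   /agentsample/images/*
EOF
# /agentsample/protectedservlet is a hypothetical protected path.
for cfg in "$PAGE_CFG" "$WEAK_CFG"; do
    echo "bypassed: [$(bypassed_uris "$cfg" /agentsample/protectedservlet)] empty: [$(empty_value_keys "$cfg")]"
done
```

With the page's list, the hypothetical protected path stays enforced; with the weak variant, it is reported as bypassed and the key with the displaced value is flagged.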

Procedure: To Verify that J2EE Policy Agent 2 is Configured Properly

  1. Go to the Sample Application URL:

    http://protectedresource-2.example.com:1081/agentsample/index.html

    The Sample Application welcome page is displayed.

  2. Click J2EE Declarative Security > “Invoke the Protected Servlet.”

    The Policy Agent redirects to the Access Manager login page.

  3. Log in to the Access Manager console using the following information:

    Username

    testuser1

    Password

    password

    If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.

  4. Click the “J2EE Declarative Security” link.

  5. On the J2EE Declarative Security page, click the “Invoke the Protected Servlet” link.

    If the Success Invocation message is displayed, then this part of the test succeeded, and the sample policy for the manager role has been enforced as expected.

  6. Click the “J2EE Declarative Security” link to go back.

  7. Click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    If the Failed Invocation message is displayed, then this part of the test succeeded, and the sample policy for the employee role has been enforced as expected.

  8. Close the browser.

  9. In a new browser session, go to the Sample Application URL:

    http://protectedresource-2.example.com:1081/agentsample/index.html

    The Sample Application welcome page is displayed.

  10. Click the “J2EE Declarative Security” link.

  11. On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    The Policy Agent redirects to the Access Manager login page.

  12. Log in to the Access Manager console using the following information:

    Username

    testuser2

    Password

    password

    If you can successfully log in as testuser2, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.

  13. Click the “J2EE Declarative Security” link to go back.

  14. On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    The Successful Invocation message is displayed. The sample policy for the employee role has been enforced as expected.