Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

8.3 Completing the J2EE Policy Agent 1 Installation

The J2EE Policy Agent is not yet ready to begin working. In the following procedures, you deploy the policy agent application, set up an authentication provider, and modify the Bypass Principal List. All of these tasks must be completed before the agent can do its job.

Use the following as your checklist for completing the J2EE Policy Agent 1 installation:

  1. Modify the Application Server startup file.

  2. Deploy the J2EE Policy Agent application.

  3. Start the agent application.

  4. Set up the agent authentication provider.

  5. Edit the AMAgent.properties file.

Procedure: To Modify the Application Server Startup File

  1. Go to the following Protected Resource 1 directory.

    The J2EE Policy Agent installer creates a new file in the Application Server bin directory:

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin

  2. Make a backup of the file setDomainEnv.sh.

  3. At the end of the setDomainEnv.sh file, append the following two lines:

    echo "Setting Policy Agent Env..."
    . /usr/local/bea/user_projects/domains/ProtectedResource-1/bin/setAgentEnv_ApplicationServer-1.sh

    The second line sources the file the installer created in the Application Server bin directory, so the agent environment is set every time the domain starts.

  4. Save the setDomainEnv.sh file.

  5. Change permissions for the setAgentEnv_ApplicationServer-1.sh file:

    # chmod 755 setAgentEnv_ApplicationServer-1.sh

  6. Stop Application Server 1.

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001

  7. Stop the administration server.

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # ./stopWebLogic.sh

  8. Start the administration server.

    # nohup ./startWebLogic.sh &
    # tail -f nohup.out

    Watch for startup errors.

  9. Start Application Server 1.

    # nohup ./startManagedWebLogic.sh ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &
    # tail -f nohup.out

  10. Run the netstat command to verify that Application Server 1 is up and listening.

    # netstat -an | grep 1081
    xxx.xx.72.151.1081    *.*    0    0    49152    0    LISTEN
    127.0.0.1.1081        *.*    0    0    49152    0    LISTEN
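
The file edits in steps 1 through 5 above are easy to get wrong by hand (a doubled hook line, a forgotten backup, a missed chmod). The following shell script is an added example and is not part of the Sun deployment guide: it takes the backup, appends the echo and source lines to setDomainEnv.sh exactly once, and sets the 755 mode on the agent env file. The domain bin directory and the setAgentEnv_ApplicationServer-1.sh name come from the page; DOMAIN_BIN is an assumed override so the script can be exercised against a scratch directory, and stopping and restarting the servers (steps 6 through 10) are left to the operator.

```shell
#!/bin/sh
# Added example (not from the Sun deployment guide): script the setDomainEnv.sh
# edit from the "Modify the Application Server Startup File" procedure.
# DOMAIN_BIN defaults to the path on the page; override it to test elsewhere.
set -eu

DOMAIN_BIN="${DOMAIN_BIN:-/usr/local/bea/user_projects/domains/ProtectedResource-1/bin}"
AGENT_ENV="setAgentEnv_ApplicationServer-1.sh"   # file created by the agent installer

# Append the agent environment hook to setDomainEnv.sh exactly once,
# after taking a timestamped backup. Returns 0 on success, 1 on a missing file.
add_agent_env_hook() {
    domain_env="$DOMAIN_BIN/setDomainEnv.sh"
    [ -f "$domain_env" ] || { echo "missing $domain_env" >&2; return 1; }
    [ -f "$DOMAIN_BIN/$AGENT_ENV" ] || { echo "installer did not create $AGENT_ENV" >&2; return 1; }

    # Idempotency: a second run must not append the hook a second time.
    if grep -q "$AGENT_ENV" "$domain_env"; then
        echo "hook already present in $domain_env"
        return 0
    fi

    # Step 2: keep a backup of the original startup file.
    cp -p "$domain_env" "$domain_env.bak.$(date +%Y%m%d%H%M%S)"

    # Step 3: the two lines the guide appends (an echo, then sourcing the agent env file).
    printf '\necho "Setting Policy Agent Env..."\n. %s/%s\n' "$DOMAIN_BIN" "$AGENT_ENV" >> "$domain_env"

    # Step 5: make the agent env script executable.
    chmod 755 "$DOMAIN_BIN/$AGENT_ENV"
    echo "hook appended to $domain_env"
}

# Number of times the source line appears in setDomainEnv.sh (1 after a correct run).
hook_count() {
    grep -c "^\. .*/$AGENT_ENV" "$DOMAIN_BIN/setDomainEnv.sh"
}
```

Run it as root on Protected Resource 1 after the agent installer has finished; running it twice is safe, because the second run reports the hook as already present and changes nothing.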

Procedure: To Deploy the J2EE Policy Agent Application

  1. Go to the following Application Server URL:

    http://ProtectedResource-1.example.com:7001/console

  2. Log in to the Application Server console using the following information:

    Username

    weblogic

    Password

    w3bl0g1c

  3. In the Application Server console, under Domain Structure, click Deployments.

  4. On the Summary of Deployments page, in the Change Center, click “Lock & Edit.”

  5. Under Deployments, click Install.

  6. On the Install Application Assistant page, click the protectedresource-1.example.com link.

  7. In the field named Location: protectedresource-1.example.com, click the root directory.

    Navigate to the application directory: /opt/j2ee_agents/am_wl9_agent/etc/

  8. Select agentapp.war, and then click Next.

  9. In the Install Application Assistant page, choose “Install this deployment as an application,” and then click Next.

  10. In the list of Servers, mark the checkbox for ApplicationServer-1, and then click Next.

  11. In the Optional Settings page, click Next.

  12. Click Finish.

  13. On the “Settings for agentapp” page, click Save.

  14. In the Change Center, click Activate Changes.

Procedure: To Start the Agent Application

  1. On the “Settings for agentapp” page, click Deployments.

  2. On the Summary of Deployments page, mark the agentapp checkbox, and then click Start > “Servicing all requests.”

  3. On the Start Deployments page, click Start.

    You may encounter a JavaScript error. The agent application will not start until you start the Application Server.

Procedure: To Set Up the Agent Authentication Provider

  1. In the console, on the Summary of Deployments page, under Domain Structure, click Security Realms.

  2. On the Summary of Security Realms page, click “Lock & Edit.”

  3. Click the Realm name myrealm link.

  4. On the “Settings for myrealm” page, click the Providers tab.

  5. On the Providers tab, under Authentication Providers, click New.

  6. On the Create a New Authentication Provider page, provide the following information:

    Name:

    Agent-1

    Type:

    AgentAuthenticator

  7. Click OK.

    Agent-1 is now included in the list of Authentication Providers.

  8. In the list of Authentication Providers, click Agent-1.

  9. In the Settings for Authentication Providers page, verify that the Control Flag is set for OPTIONAL.

  10. On the Settings for Agent-1 page, in the list of Authentication Providers, click DefaultAuthenticator.

  11. On the Settings for DefaultAuthenticator page, set the Control Flag to OPTIONAL, and then click Save.

  12. Return to the Providers page.

    In the navigation tree near the top of the page, click Providers.

  13. In the Change Center, click Activate Changes.

Procedure: To Edit the AMAgent.properties File

  1. Make a backup of the following file:

    /opt/j2ee_agents/am_wl9_agent/agent_001/config/AMAgent.properties

  2. In the AMAgent.properties file, set the following property:

    com.sun.identity.agents.config.bypass.principal[0] = weblogic

  3. At end of the file, insert a new property.

    com.sun.identity.session.resetLBCookie='true'

    The default value for this property is false. Add this property only if session failover has been configured for Access Manager; if session failover is not configured and the property is added, it could negatively affect performance.

    If session failover is enabled for Access Manager and this property is not added, Access Manager sessions will still fail over and the session failover functionality will work properly. However, stickiness to the Access Manager server will not be maintained after failover occurs, and session stickiness to the Access Manager server helps performance.

    This property must be added to the AMConfig.properties file on the Access Manager servers as well as to the AMAgent.properties file on the J2EE Policy Agent servers. It is not required for the Web Policy Agent servers. The Access Manager 7 2005Q4 Patch 3 section of the Sun Java System Access Manager 7 2005Q4 Release Notes also references this property; see CR# 6440651: Cookie replay requires com.sun.identity.session.resetLBCookie property in Sun Java System Access Manager 7 2005Q4 Release Notes.

  4. Save the file.
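
The AMAgent.properties edit above has two parts: a property that must be changed in place (the bypass principal) and a property that must be added only when session failover is configured. The following shell script is an added example and is not part of the Sun deployment guide: it backs up the file, replaces or appends a property without duplicating it, and adds resetLBCookie only when an assumed SESSION_FAILOVER switch is set to yes. The file path, the property names and the values are the ones on the page; AGENT_PROPS and SESSION_FAILOVER are assumed variables so the script can be run against a scratch copy.

```shell
#!/bin/sh
# Added example (not from the Sun deployment guide): apply the AMAgent.properties
# edits from the "Edit the AMAgent.properties File" procedure idempotently.
# AGENT_PROPS is the path from the page; SESSION_FAILOVER is an assumed switch
# that must be "yes" only when session failover has been configured for Access Manager.
set -eu

AGENT_PROPS="${AGENT_PROPS:-/opt/j2ee_agents/am_wl9_agent/agent_001/config/AMAgent.properties}"
SESSION_FAILOVER="${SESSION_FAILOVER:-no}"

# Escape the regex metacharacters that occur in agent property keys ('.', '[', ']').
key_pattern() {
    printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g'
}

# set_property FILE KEY VALUE: replace an existing "KEY = value" line (any spacing
# around '=') or append "KEY = VALUE" when the key is absent. Uses a temp file
# instead of sed -i so it also works with non-GNU sed.
set_property() {
    file=$1; key=$2; value=$3
    pat=$(key_pattern "$key")
    if grep -q "^[[:space:]]*$pat[[:space:]]*=" "$file"; then
        tmpf=$(mktemp)
        sed "s|^[[:space:]]*$pat[[:space:]]*=.*|$key = $value|" "$file" > "$tmpf"
        cat "$tmpf" > "$file"   # write back in place to keep the file's ownership and mode
        rm -f "$tmpf"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# get_property FILE KEY: print the current value, or nothing if the key is absent.
get_property() {
    pat=$(key_pattern "$2")
    sed -n "s|^[[:space:]]*$pat[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# Steps 1 through 3 of the procedure.
apply_agent_edits() {
    [ -f "$AGENT_PROPS" ] || { echo "missing $AGENT_PROPS" >&2; return 1; }
    cp -p "$AGENT_PROPS" "$AGENT_PROPS.bak.$(date +%Y%m%d%H%M%S)"                        # step 1
    set_property "$AGENT_PROPS" 'com.sun.identity.agents.config.bypass.principal[0]' weblogic   # step 2
    if [ "$SESSION_FAILOVER" = yes ]; then                                                # step 3
        # Value written exactly as the guide gives it; only add it when failover is configured.
        set_property "$AGENT_PROPS" com.sun.identity.session.resetLBCookie "'true'"
    fi
}
```

Because set_property replaces an existing line rather than appending a second one, the script can be re-run after a later change of mind about session failover without leaving two conflicting resetLBCookie entries in the file.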