Sun Java System Access Manager 7.1 Administration Guide

Agents Profile

Access Manager Policy Agents protect content on web servers and web proxy servers from unauthorized intrusions. They control access to services and web resources based on the policies configured by an administrator.

The agent object defines a Policy Agent profile, and allows Access Manager to store authentication and other profile information about a specific agent that is protecting an Access Manager resource. Through the Access Manager console, administrators can view, create, modify and delete agent profiles.

The agent object creation page is where you define the UID and password with which the agent authenticates to Access Manager. If you have multiple web containers set up using the same Access Manager, this gives you the option of enabling multiple IDs for different agents and of enabling and disabling them independently of Access Manager. You can also manage some preference values for the agents centrally, rather than editing the AMAgent.properties file on each machine.

Procedure: To Create or Modify an Agent

  1. Click the Agents tab.

  2. Click New.

  3. Enter the values for the following fields:

    Name. Enter the name or identity of the agent. This is the name that the agent will use to log into Access Manager. Multi-byte names are not accepted.

    Password. Enter the agent password. This password must be different than the password used by the agent during LDAP authentication.

    Confirm Password. Confirm the password.

    Device Status. Enter the device status of the agent. If set to Active, the agent will be able to authenticate to and communicate with Access Manager. If set to Inactive, the agent will not be able to authenticate to Access Manager.

  4. Click Create.

  5. Once you have created the agent, you can additionally edit the following fields:

    Description. Enter a brief description of the agent. For example, you can enter the agent instance name or the name of the application it is protecting.

    Agent Key Value. Set the agent properties with a key/value pair. This property is used by Access Manager to receive agent requests for credential assertions about users. Currently, only one property is valid and all other properties will be ignored. Use the following format:

    agentRootURL=protocol://hostname:port/

    The entry must be precise and agentRootURL is case sensitive.

    protocol

    Represents the protocol used, either HTTP or HTTPS.

    hostname

    Represents the host name of the machine on which the agent resides. This machine also hosts the resources that the agent protects.

    port

    Represents the port number on which the agent is installed. The agent listens to incoming traffic on this port and intercepts all requests to access resources on the host.
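
The guide requires the Agent Key Value entry to be precise and the key to be case sensitive, so an entry can be checked before it is pasted into the console. The following is an added example, not code from Access Manager or from this guide; the function name and the sample host names are hypothetical, and it assumes the format is applied literally (explicit port and trailing slash required).

```python
from urllib.parse import urlsplit

KEY = "agentRootURL"  # the guide states this key is case sensitive


def check_agent_key_value(entry):
    """Return a list of problems in an Agent Key Value entry (empty list if none)."""
    problems = []
    if any(ch.isspace() for ch in entry):
        problems.append("entry contains whitespace")
    key, sep, value = entry.partition("=")
    if not sep:
        return problems + ["missing '=' between key and value"]
    if key != KEY:
        hint = " (check case)" if key.lower() == KEY.lower() else ""
        problems.append(f"key must be exactly {KEY}{hint}")
    try:
        url = urlsplit(value)   # urlsplit lowercases the scheme for us
        port = url.port         # raises ValueError on a non-numeric or out-of-range port
    except ValueError as exc:
        return problems + [f"unparseable URL: {exc}"]
    if url.scheme not in ("http", "https"):
        problems.append("protocol must be http or https")
    if not url.hostname:
        problems.append("hostname is missing")
    if url.username is not None or url.password is not None:
        problems.append("URL must not carry credentials")
    if not port:
        problems.append("explicit port is required")
    if url.path != "/" or url.query or url.fragment:
        problems.append("value must end with a single '/' after the port")
    return problems


if __name__ == "__main__":
    # Constructed sample entries; the host names are placeholders.
    samples = [
        "agentRootURL=https://agent1.example.com:443/",
        "agentrooturl=https://agent1.example.com:443/",
        "agentRootURL=https://agent1.example.com/",
        "agentRootURL=http:// agent1.example.com:80/",
    ]
    for entry in samples:
        print(entry, "->", check_agent_key_value(entry) or "OK")
```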

Configuring Access Manager to Protect Against Cookie Hijacking

Cookie hijacking refers to a situation where an imposter (a hacker, perhaps using an untrusted application) gains unauthorized access to cookies. When the cookies being hijacked are session cookies, cookie hijacking can potentially increase the threat of unauthorized access to protected web resources, depending on how the system is configured.

Sun documentation provides a technical note entitled “Precautions Against Session-Cookie Hijacking in an Access Management Deployment”, which describes precautions you can take against specific security threats related to session-cookie hijacking. See the following document:

Technical Note: Precautions Against Cookie Hijacking in an Access Manager Deployment