Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 9.0/Web Services

Chapter 2 Installing the Access Manager Policy Agent 2.2 for Application Server 9.0 / Web Services

The Sun Java™ System Access Manager Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services is installed in a Java 2 Enterprise Edition (Java EE) container (for example, Sun Java System Application Server), and used in conjunction with Sun Java System Access Manager. This chapter contains installation instructions and includes the following sections:

Installation Overview

The Access Manager Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services is installed when installing any of the following bundles.

Additionally, the Sun Java System Access Manager 7.1 web archive (WAR) will be generated and deployed. Although this deployment process has been automated by the installers of the respective products, information on the Access Manager 7.1 WAR itself can be found in Chapter 12, Deploying Access Manager as a Single WAR File, in Sun Java System Access Manager 7.1 Postinstallation Guide.


Note –

If you have already installed Access Manager 7.1 and the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services, you can move on to Chapter 3, Using the Access Manager Policy Agent 2.2 for Application Server 9.0 / Web Services.


The installation procedures documented in this chapter are also performed by the installers of the respective products. They are documented here for use with third-party Java EE containers and for informational purposes.

Installing Access Manager

The initial step in installing Access Manager 7.1 is to deploy the Access Manager WAR as a web application using the Application Server administration console. Instructions on how to do this can be found in Downloading an Access Manager 7.1 WAR File in Sun Java System Access Manager 7.1 Postinstallation Guide. Following is the procedure to complete the installation of Access Manager 7.1.

Procedure: To Complete the Installation of Access Manager 7.1

The following configurations will complete the installation of Access Manager 7.1.

Before You Begin

These instructions assume that Sun Java System Application Server Platform Edition 9.0 has already been installed and the Access Manager WAR has already been deployed. For more information, see Sun Java System Application Server Platform Edition 9 Installation Guide and Downloading an Access Manager 7.1 WAR File in Sun Java System Access Manager 7.1 Postinstallation Guide respectively.

  1. Add the following as Java security permissions to the server.policy file of the Application Server.

    Each Application Server domain has its own standard J2SE policy file named server.policy. It is located in the domain-dir/config directory. More information can be found in The server.policy File in Sun Java System Application Server Platform Edition 9 Developer’s Guide.

    // ADDITIONS FOR Access Manager
    grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-" {
        permission java.net.SocketPermission "*", "connect,accept,resolve";
        permission java.util.PropertyPermission "*", "read, write";
        permission java.lang.RuntimePermission "modifyThreadGroup";
        permission java.lang.RuntimePermission "setFactory";
        permission java.lang.RuntimePermission "accessClassInPackage.*";
        permission java.util.logging.LoggingPermission "control";
        permission java.lang.RuntimePermission "shutdownHooks";
        permission javax.security.auth.AuthPermission "insertProvider.Mozilla-JSS";
        permission java.security.SecurityPermission "putProviderProperty.Mozilla-JSS";
        permission javax.security.auth.AuthPermission "getLoginConfiguration";
        permission javax.security.auth.AuthPermission "setLoginConfiguration";
        permission javax.security.auth.AuthPermission "modifyPrincipals";
        permission javax.security.auth.AuthPermission "createLoginContext.*";
        permission java.security.SecurityPermission "insertProvider.Mozilla-JSS";
        permission javax.security.auth.AuthPermission "putProviderProperty.Mozilla-JSS";
        permission java.io.FilePermission "<<ALL FILES>>", "execute,delete";
        permission java.util.PropertyPermission "java.util.logging.config.class", "write";
        permission java.security.SecurityPermission "removeProvider.SUN";
        permission java.security.SecurityPermission "insertProvider.SUN";
        permission java.security.SecurityPermission "removeProvider.Mozilla-JSS";
        permission javax.security.auth.AuthPermission "doAs";
        permission java.util.PropertyPermission "java.security.krb5.realm", "write";
        permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
        permission java.util.PropertyPermission "java.security.auth.login.config", "write";
        permission java.util.PropertyPermission "user.language", "write";
        permission javax.security.auth.kerberos.ServicePermission "*", "accept";
        permission javax.net.ssl.SSLPermission "setHostnameVerifier";
        permission java.security.SecurityPermission "putProviderProperty.IAIK";
        permission java.security.SecurityPermission "removeProvider.IAIK";
        permission java.security.SecurityPermission "insertProvider.IAIK";
    };
    // END OF ADDITIONS FOR Access Manager
  2. Auto POST the following configuration data to configurator.jsp.

    configurator.jsp is the dynamic configuration page for the Access Manager single WAR application and is used after the WAR has been deployed. When you launch Access Manager 7.1 before the application has been configured, you are redirected to configurator.jsp; if Access Manager 7.1 is already configured, you are directed to the Access Manager Console login page instead. configurator.jsp is served from Access Manager_protocol://Access Manager_host:Access Manager_port/amserver/. The request parameters that configurator.jsp requires, and their values, are:

    • SERVER_URL: The fully qualified name and port of the host on which Access Manager is installed. Use the format:

      Access Manager_protocol://Access Manager_host:Access Manager_port

    • SERVER_URI: By default, the value is /amserver.

    • BASE_DIR: The path to the directory in which Access Manager will create its flat file database. By default, /tmp/amserver.

    • ADMIN_PWD: The password of the top-level administrator; by default, admin123.

    • ADMIN_CONFIRM_PWD: Confirmation of the password defined in ADMIN_PWD.

    More information on the configurator.jsp can be found in Chapter 12, Deploying Access Manager as a Single WAR File, in Sun Java System Access Manager 7.1 Postinstallation Guide.


    Note –

    Auto POST means to use an HTTP POST of the required request parameters for this JavaServer Page (JSP) programmatically (from the installer code itself) without showing these parameters or prompting the user.


  3. Check that the Access Manager server is running using the following URL:

    Access Manager_protocol://Access Manager_host:Access Manager_port/amserver/isAlive.jsp

  4. Log in to Access Manager as the top-level administrator using the following URL:

    Access Manager_protocol://Access Manager_host:Access Manager_port/amserver

    By default, the top-level administrator is amadmin, and the amadmin password is admin123.
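As an added example (not code from this guide or from the Sun installers), the following Python script performs the auto POST of step 2 and the isAlive.jsp check of step 3; the host name, port and password it uses are constructed placeholders, and the check that the administrator password is not left at the documented default is the example's own addition.

```python
from urllib.parse import urlencode
from urllib.request import Request, urlopen
from urllib.error import URLError
import warnings

# Documented default; the installers use it, but it should be changed afterwards.
DEFAULT_ADMIN_PWD = "admin123"


def configurator_params(protocol, host, port, admin_pwd, confirm_pwd,
                        server_uri="/amserver", base_dir="/tmp/amserver"):
    """Assemble the required configurator.jsp parameters, refusing unusable input."""
    if protocol not in ("http", "https"):
        raise ValueError("Access Manager protocol must be http or https")
    if admin_pwd != confirm_pwd:
        raise ValueError("ADMIN_PWD and ADMIN_CONFIRM_PWD do not match")
    if admin_pwd == DEFAULT_ADMIN_PWD:
        warnings.warn("ADMIN_PWD is the documented default (admin123)")
    return {
        "SERVER_URL": f"{protocol}://{host}:{port}",  # documented SERVER_URL format
        "SERVER_URI": server_uri,
        "BASE_DIR": base_dir,
        "ADMIN_PWD": admin_pwd,
        "ADMIN_CONFIRM_PWD": confirm_pwd,
    }


def auto_post(params, timeout=30):
    """Step 2: POST the parameters to configurator.jsp without echoing them; returns the HTTP status."""
    url = f"{params['SERVER_URL']}{params['SERVER_URI']}/configurator.jsp"
    req = Request(url, data=urlencode(params).encode("utf-8"), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urlopen(req, timeout=timeout) as resp:
        return resp.status


def is_alive(params, timeout=10):
    """Step 3: True when isAlive.jsp answers with HTTP 200."""
    url = f"{params['SERVER_URL']}{params['SERVER_URI']}/isAlive.jsp"
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except URLError:
        return False


if __name__ == "__main__":
    # Constructed host name, port and password; replace with the real Access Manager values.
    p = configurator_params("https", "am.example.com", 8443, "changeme-now", "changeme-now")
    print("configurator.jsp status:", auto_post(p))
    print("isAlive.jsp reachable:", is_alive(p))
```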

Installing the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services

Following is the procedure to complete the installation of the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services.

Procedure: To Complete the Installation of the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services

Before You Begin

The initial step in installing the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services is to deploy the Access Manager WAR as a web application using the Application Server administration console. See Installing Access Manager if this has not been done.


Note –

javaee.home is a variable that should be replaced with the installation directory of the Java EE 5 SDK.


  1. Note the directory name and the path to the directory into which the following files are placed:

    • amWebServicesProvider.jar

    • amclientsdk.jar

    • AMConfig.properties

    • amclientkeystore.jks

    • .storepass

    • .keypass

    If you used one of the installers, the files were placed in one of the following directories: /javaee.home/addons/accessmanager for installations of Java Application Platform SDK (when Download or Download with JDK is selected), or /javaee.home/addons/amserver for installations of Java Application Platform SDK or Java EE 5 SDK Update 1 (when Download with Tools is selected) and for NetBeans Enterprise Pack 5.5. Make a note of this directory and path. Otherwise, put the files in a directory of your choice and make a note of that directory and path.

  2. Modify the global Java Virtual Machine (JVM) settings in Application Server by adding the following to the classpath suffix:

    • amWebServicesProvider.jar (including the complete path)

    • amclientsdk.jar (including the complete path)

    • The complete path to the directory which contains the client's AMConfig.properties:

      • /javaee.home/domains/domain_name/config for installations of Java Application Platform SDK (when Download or Download with JDK is selected).

      • /javaee.home/addons/amserver for installations of Java Application Platform SDK or Java EE 5 SDK Update 1 (when Download with Tools is selected) and NetBeans Enterprise Pack 5.5.

  3. Add the following web services security provider configurations to the domain.xml file, following the Application Server guidelines.

    domain.xml is located in the /ApplicationServer-install/domains/domain1/config directory and contains most of the Application Server configuration information.


    Note –

    More information can be found in Chapter 1, The domain.xml File, in Sun Java System Application Server Platform Edition 9 Administration Reference.


    The following provider code fragment needs to be added under the <message-security-config auth-layer="HttpServlet"> tag:

    <provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMHttpAuthModule"
                     provider-id="AMHttpProvider" provider-type="server">
        <request-policy auth-source="content"/>
        <response-policy auth-source="content"/>
    </provider-config>

    The following provider code fragments need to be added under the <message-security-config auth-layer="SOAP"> tag:

    <provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                     provider-id="AMServerProvider-SAML-HolderOfKey" provider-type="server">
        <request-policy auth-source="content"/>
        <response-policy auth-source="content"/>
        <property name="providername" value="SAML-HolderOfKey"/>
    </provider-config>
    <provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                     provider-id="AMServerProvider-SAML-SenderVouches" provider-type="server">
        <request-policy auth-source="content"/>
        <response-policy auth-source="content"/>
        <property name="providername" value="SAML-SenderVouches"/>
    </provider-config>
    <provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                     provider-id="AMServerProvider-X509Token" provider-type="server">
        <request-policy auth-source="content"/>
        <response-policy auth-source="content"/>
        <property name="providername" value="X509Token"/>
    </provider-config>
    <provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                     provider-id="AMServerProvider-LibertySAMLToken" provider-type="server">
        <request-policy auth-source="content"/>
        <response-policy auth-source="content"/>
        <property name="providername" value="LibertySAMLToken"/>
    </provider-config>
    <provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMClientAuthModule"
                     provider-id="AMClientProvider" provider-type="client">
        <request-policy auth-source="content"/>
        <response-policy auth-source="content"/>
        <property name="providername" value="wsc"/>
    </provider-config>
    <provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                     provider-id="AMServerProvider-UserNameToken" provider-type="server">
        <request-policy auth-source="content"/>
        <response-policy auth-source="content"/>
        <property name="providername" value="UserNameToken"/>
    </provider-config>
    <provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                     provider-id="AMServerProvider-LibertyX509Token" provider-type="server">
        <request-policy auth-source="content"/>
        <response-policy auth-source="content"/>
        <property name="providername" value="LibertyX509Token"/>
    </provider-config>
    <provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                     provider-id="AMServerProvider-LibertyBearerToken" provider-type="server">
        <request-policy auth-source="content"/>
        <response-policy auth-source="content"/>
        <property name="providername" value="LibertyBearerToken"/>
    </provider-config>
    <provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                     provider-id="AMServerProvider" provider-type="server">
        <request-policy auth-source="content"/>
        <response-policy auth-source="content"/>
        <property name="providername" value="wsp"/>
    </provider-config>

  4. Modify AMConfig.properties as follows:

    JAVA_HOME=/usr/java
    
    # AM Server Information
    # Protocol can be either http or https
    SERVER_PROTOCOL=amserver_protocol
    SERVER_HOSTNAME=amserver_host
    SERVER_PORT=amserver_port
    
    # Application username and password
    APPLICATION_USERNAME=amadmin
    APPLICATION_PASSWORD=admin123
    
    NAMING_URL=amserver_protocol://amserver_host:amserver_port/amserver/namingservice
    
    # Debug information
    DEBUG_LEVEL=error
    DEBUG_DIR=/tmp/amclient
    
    # Cookie information
    AM_COOKIE_NAME=iPlanetDirectoryPro
    
    # SAML xml signature keystore file, keystore password file,
    # key password file and Liberty trusted CA aliases.
    # path_to_file should be replaced by the appropriate value as below:
    # /javaee.home/addons/accessmanager for installations of Java Application Platform SDK 
    # (when Download or Download with JDK is selected), and /javaee.home/addons/amserver 
    # for installations of Java Application Platform SDK or Java EE 5 SDK Update 1 
    # (when Download with Tools is selected), and NetBeans Enterprise Pack 5.5 (when Download is selected).
    SAML_KEYSTORE=/path_to_file/amclientkeystore.jks
    SAML_STOREPASS=/path_to_file/.storepass
    SAML_KEYAPSS=/path_to_file/.keypass
    LIBERTY_TRUSTEDCA_ALIASES=amserver:<amserver_host>
    
    # Login URL and Authentication service URL for Liberty use case
    LOGIN_URL=amserver_protocol://amserver_host:amserver_port/amserver/UI/Login
    LIBERTY_AUTHSVC_URL=amserver_protocol://amserver_host:amserver_port/amserver/Liberty/authnsvc

    Note –

    The directory specified as the value of DEBUG_DIR in AMConfig.properties must be different from the directory specified as the value of BASE_DIR in Installing Access Manager.


  5. Restart the Application Server.
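The domain.xml edit in step 3 is easy to get wrong by hand (a provider-config placed under the wrong auth-layer, or duplicated on a second run). As an added example, not code from this guide or from the agent itself, the following Python function inserts exactly the provider-config entries listed in step 3 under their respective message-security-config elements and skips any provider-id that is already present; the minimal domain.xml it works on is a constructed sample.

```python
import xml.etree.ElementTree as ET

AGENT_PKG = "com.sun.identity.agents.jsr196.as9soap."
# (auth-layer, provider-id, provider-type, module class, providername value or None), as in step 3
PROVIDERS = [
    ("HttpServlet", "AMHttpProvider", "server", "AMHttpAuthModule", None),
    ("SOAP", "AMServerProvider-SAML-HolderOfKey", "server", "AMServerAuthModule", "SAML-HolderOfKey"),
    ("SOAP", "AMServerProvider-SAML-SenderVouches", "server", "AMServerAuthModule", "SAML-SenderVouches"),
    ("SOAP", "AMServerProvider-X509Token", "server", "AMServerAuthModule", "X509Token"),
    ("SOAP", "AMServerProvider-LibertySAMLToken", "server", "AMServerAuthModule", "LibertySAMLToken"),
    ("SOAP", "AMClientProvider", "client", "AMClientAuthModule", "wsc"),
    ("SOAP", "AMServerProvider-UserNameToken", "server", "AMServerAuthModule", "UserNameToken"),
    ("SOAP", "AMServerProvider-LibertyX509Token", "server", "AMServerAuthModule", "LibertyX509Token"),
    ("SOAP", "AMServerProvider-LibertyBearerToken", "server", "AMServerAuthModule", "LibertyBearerToken"),
    ("SOAP", "AMServerProvider", "server", "AMServerAuthModule", "wsp"),
]

# Constructed minimal domain.xml; a real file contains many more elements.
SAMPLE_DOMAIN_XML = """<domain>
  <security-service>
    <message-security-config auth-layer="HttpServlet"/>
    <message-security-config auth-layer="SOAP"/>
  </security-service>
</domain>"""


def add_am_providers(root):
    """Add each missing provider-config under its message-security-config; return how many were added."""
    added = 0
    for layer, pid, ptype, cls, name in PROVIDERS:
        msc = root.find(f".//message-security-config[@auth-layer='{layer}']")
        if msc is None:
            raise ValueError(f"no <message-security-config auth-layer='{layer}'> in domain.xml")
        if msc.find(f"provider-config[@provider-id='{pid}']") is not None:
            continue  # already present: a second run must not duplicate it
        pc = ET.SubElement(msc, "provider-config", {
            "class-name": AGENT_PKG + cls, "provider-id": pid, "provider-type": ptype})
        ET.SubElement(pc, "request-policy", {"auth-source": "content"})
        ET.SubElement(pc, "response-policy", {"auth-source": "content"})
        if name is not None:
            ET.SubElement(pc, "property", {"name": "providername", "value": name})
        added += 1
    return added


def patch_domain_xml(xml_text):
    """Parse domain.xml text, add the providers, and return (new xml text, number added)."""
    root = ET.fromstring(xml_text)
    added = add_am_providers(root)
    return ET.tostring(root, encoding="unicode"), added
```

Run it against a copy of domain.xml with the Application Server stopped, then diff the result before putting it in place.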

Uninstallation

The following procedure uninstalls Access Manager 7.1 and the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services.

Procedure: To Uninstall Access Manager 7.1 and the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services

  1. Undeploy the amserver web application using the Application Server administration console.

  2. Note the path to the Access Manager flat file directory from the AccessManager/AMConfig_ApplicationServer-base_domains_Domain name_applications_j2ee-modules_amserver_ file located under the home directory of the user who has installed and configured Access Manager.

    For example, the AccessManager/AMConfig_opt_SUNWappserver_domains_domain1_applications_j2ee-modules_amserver_ file under the user's home directory.


    Note –

    The location of the user's directory depends on the user and operating system. For example, on a UNIX system, if the user is root, the user's home directory is /. If the user is xyz, the user's home directory is /home/xyz.


  3. Delete the Access Manager flat file directory.

  4. Delete the AccessManager/AMConfig_ApplicationServer-base_domains_Domain name_applications_j2ee-modules_amserver_ file under the user's home directory.

  5. Restart the Application Server.