Creating or Updating an Agent Profile

Since J2EE agents and web agents in the Policy Agent 2.2 software set handle the agent profile differently, the configuration steps can differ. The following table provides information about the agent profile in relationship to the two agent types:

As the preceding table indicates, J2EE agents in the 2.2 release do not provide default credentials for the agent profile. You create an agent profile in Access Manager Console prior to installing the J2EE agent, which allows you to provide information about the agent profile during installation. If you do not create an agent profile, the J2EE agent will not function. Since each successfully installed J2EE agent has a unique agent profile, no further configuration would be required regarding the agent profile credentials.

Web agents, on the other hand, provide default credentials for the agent profile. Be aware that you should not use these web agent default values in an Access Manager deployment configured against cookie hijacking. Instead, create an agent profile for the web agent instance as described in To Create an Agent Profile. For reference purposes, the default credentials for the agent profile of a web agent are provided in the list that follows:

Web agent default agent profile “user ID”

Value. UrlAccessAgent

Location. This user ID is stored in the web agent AMAgent.properties file as the value assigned to the property com.sun.am.policy.am.username.

Web agent default agent profile “password”

Value. The password of the Access Manager internal authentication user. This user is commonly referred to as amldapuser.

Location. This password, which is encrypted, is stored in the web agent AMAgent.properties file as the value assigned to the property com.sun.am.policy.am.password.

The web agent should not use the default agent profile for an Access Manager deployment configured against cookie hijacking. Furthermore, while the J2EE agent installer updates the agent with the agent profile credentials, the web agent installer does not. Therefore, creating an agent profile before installing the web agent, though useful, is not by itself sufficient. You must also configure the web agent AMAgent.properties configuration file by editing the agent profile ID and password as described in To Update the Agent Profile Credentials in the Web Agent.

This document provides guidance for creating or updating agent profiles. However, the steps can vary depending upon the agent type and the status of the agent. While the steps that follow are appropriate for many scenarios, such as for agents that are yet to be installed, the steps are not appropriate for all possible scenarios.

For example, if you are using a J2EE agent that was previously installed, the pre-existing agent profile is appropriate. You would not be required to perform any of the steps presented in this section about creating or updating the agent profile.

However, in terms of a previously installed J2EE agent, if you decide to change the agent profile user ID and password, even though not required, then configuration steps are necessary. Be aware that the steps required in this scenario are not provided in this document. For such a scenario, refer to the Policy Agent 2.2 documentation for information specifically about updating the agent profile.

For more information on creating or updating the agent profile, see the documentation for the specific agent you are using. The individual agent guides are listed along with supported server information in the following chapters of the Sun Java System Access Manager Policy Agent 2.2 User's Guide:

Web Agents

Chapter 2, Access Manager Policy Agent 2.2 Web Agents: Compatibility, Supported Servers, and Documentation, in Sun Java System Access Manager Policy Agent 2.2 User’s Guide

J2EE Agents

Chapter 3, Access Manager Policy Agent 2.2 J2EE Agents: Compatibility, Supported Servers, and Documentation, in Sun Java System Access Manager Policy Agent 2.2 User’s Guide

To Create an Agent Profile

This task is appropriate for web agents and J2EE agents. See the preceding Caution for information about when this task might apply.

Agent profiles apply to specific agents but are created and modified in Access Manager Console. Therefore, tasks related to the agent profile are discussed in Access Manager documentation and Policy Agent documentation, as well as in this document.

Perform the following steps using the Access Manager Console. The key steps of this task involve creating an agent ID and an agent password.

1. With the Access Control tab selected click the name of the realm for which you would like to create an agent profile.

2. Select the Subjects tab.

3. Select the Agent tab.

4. Click New.

5. Enter values for the following fields:

   ID. Enter the name or identity of the agent. This is the agent profile name, which is the name the agent uses to log into Access Manager. Multi-byte names are not accepted.

   Password. Enter the agent password. This password must be different than the LDAP user password used by Access Manager.

   Password (confirm). Confirm the password.

   Device Status. Select the device status of the agent. The default status is Active. If set to Active, the agent will be able to authenticate to and communicate with Access Manager. If set to Inactive, the agent will not be able to authenticate to Access Manager.

6. Click Create.

   The list of agents appears.

7. (Optional) If you desire, add a description to your newly created agent profile:

   1. Click the name of your newly created agent profile from the agent list.

   2. In the Description field, enter a brief description of the agent.

      For example, you can enter the agent instance name or the name of the application it is protecting.

   3. Click Save.

Next Steps

If you performed this task for a web agent, you must also perform the following task about updating the agent profile. If you performed this task for a J2EE agent, you can skip to Configuring the Access Manager Deployment Against Cookie Hijacking.

To Update the Agent Profile Credentials in the Web Agent

This task applies to web agents only, not to J2EE agents. This task description provides alternatives for steps that differ according to platform: UNIX-based systems or Windows systems. For a more thorough explanation about updating the agent profile for a web agent, see the corresponding Policy Agent 2.2 documentation.

1. Update the following property in the web agent AMAgent.properties configuration file:

   com.sun.am.policy.am.username

   Replace the value of this property with the agent profile ID (name) you just updated in Access Manager Console. Therefore, this property would then appear similarly to the following:

   com.sun.am.policy.am.username = agent-profile-ID
   

2. Change directories to the following:

   • UNIX-based Systems

     PolicyAgent-base/bin

   • Windows Systems

     PolicyAgent-base\bin

3. Execute the following script in the command line:

   • UNIX-based Systems

     crypt_util agent-profile-password

   • Windows Systems

     cryptit agent-profile-password

   where agent-profile-password represents the agent profile password you updated in Access Manager Console.

4. Copy the output obtained after issuing the script in the previous step and paste it as the value for the following property:

   com.sun.am.policy.am.password

   This property would appear similarly to the example that follows, where encrypted-password-string is a place holder for the real encrypted password:

   com.sun.am.policy.am.password = encrypted-password-string
   

5. Ensure that protected web resources are accessible.

   1. Restart the web container.

   2. Attempt to access any resource protected by the web agent.

   If the attempt to access a protected resource results in a redirection to Access Manager, then the preceding steps were executed properly.