Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover

Chapter 8 Installing and Configuring the Distributed Authentication User Interface

Access Manager provides a remote authentication interface component to enable secure authentication. Installing the Distributed Authentication User Interface on one or more web containers within a non-secure layer eliminates the exposure of service URLs to the end user. This chapter contains the following sections.

8.1 Creating an Agent Profile and Custom User for Distributed Authentication User Interface

Before installing and configuring the Distributed Authentication User Interface, you create an agent profile in Access Manager to be used by the Distributed Authentication User Interface to authenticate itself. An agent profile allows Access Manager to store authentication and configuration information regarding the Distributed Authentication User Interface. The agent profile created in this procedure will be stored in the Access Manager configuration data store.

Creating an agent profile also creates a custom user. This custom user will allow the Distributed Authentication User Interface to log into the Access Manager server and therefore must be defined as an Access Manager special user.


Note –

Although the Distributed Authentication User Interface is not an agent, it acts on behalf of Access Manager and therefore must have its own agent profile.


Use the following list of procedures as a checklist for these tasks.

  1. To Create an Agent Profile for the Distributed Authentication User Interface

  2. To Define Agent Profile User as an Access Manager Special User

  3. To Verify that authuiadmin Was Created in Directory Server

Procedure: To Create an Agent Profile for the Distributed Authentication User Interface

This agent profile will be used by the Distributed Authentication User Interface to authenticate itself to Access Manager. The process includes creation of a special user that will be defined as an Access Manager special user in the next procedure, To Define Agent Profile User as an Access Manager Special User.

  1. Access http://LoadBalancer-3.example.com:7070/ from a web browser.

  2. Log in to the Access Manager console as the administrator.

    User Name:

    amadmin

    Password:

    4m4dmin1

  3. Under the Access Control tab, click example, the top-level Realm Name.

  4. Click the Subjects tab.

  5. Click the Agent tab.

  6. Click New to create a new agent profile.

  7. Type authuiadmin in the ID field.

  8. Type 4uthu14dmin in the Password and Password (confirm) fields, respectively.

  9. Click OK.

  10. From the list of Agent names, click authuiadmin.

  11. Copy the value of the UniversalID and save it to a temporary text file.

    You will need this value in To Define Agent Profile User as an Access Manager Special User.

  12. Log out of the console.

  13. (Optional) Verify that the agents organizational unit was created successfully by logging into a Directory Server host machine and running ldapsearch.


    # ldapsearch -b "dc=example,dc=com" -h LoadBalancer-1.example.com \
      -p 389 -D "cn=Directory Manager" -w d1rm4n4ger "ou=agents"
    
    version: 1
    dn: ou=agents,dc=example,dc=com
    sunIdentityServerSupportedTypes: agent
    ou: agents
    objectClass: sunNameSpace
    objectClass: iplanet-am-managed-org-unit
    objectClass: top
    objectClass: organizationalUnit

    This organizational unit will hold all agent profiles.


    Note –

    The agents organizational unit is created only after the first agent profile is configured.


Procedure: To Verify that authuiadmin Was Created in Directory Server

This is an optional verification step.

  1. Log in to either of the Directory Server host machines.

  2. Run ldapsearch to verify that the authuiadmin entry was successfully created.


    # ldapsearch -b "dc=example,dc=com" -h LoadBalancer-1.example.com \
      -p 389 -D "cn=Directory Manager" -w d1rm4n4ger "uid=authuiadmin"
    
    version: 1
    dn: uid=authuiadmin,ou=agents,dc=example,dc=com
    sunIdentityServerDeviceStatus: Active
    uid: authuiadmin
    objectClass: sunIdentityServerDevice
    objectClass: iplanet-am-user-service
    objectClass: top
    objectClass: iPlanetPreferences
    sunIdentityServerDeviceType: Agent
    cn: default
    sunIdentityServerDeviceVersion: 2.2
    userPassword: {SSHA}aeEi095TamPnJCOLinRNDzlLC8SDaOsdQ2Nqfw==
  3. Log out of the Directory Server host machine.

Procedure: To Define Agent Profile User as an Access Manager Special User

The agent profile just created includes a user that will now be defined as an Access Manager special administrative user for both Access Manager 1 and Access Manager 2.

Before You Begin

You should have the UniversalID value saved in To Create an Agent Profile for the Distributed Authentication User Interface.

  1. Define authuiadmin as a special user in Access Manager 1.

    1. As a root user, log in to the AccessManager-1 host machine.

    2. Locate AMConfig.properties in the /export/am71adm/config directory.


      Tip –

      Back up AMConfig.properties before you modify it.


    3. Add the UniversalID you saved to the end of the list of values for the com.sun.identity.authentication.special.users property in AMConfig.properties.

      You saved id=authuiadmin,ou=agent,dc=example, dc=com in To Create an Agent Profile for the Distributed Authentication User Interface.


      Tip –

      Change ou=agent to ou=agents and id to uid before adding it to AMConfig.properties.


    4. Restart the Web Server 1 web container to apply the change.


      # cd /opt/SUNWwbsvr/https-AccessManager-1.example.com/bin
      # ./stopserv; ./startserv
      
    5. Log out of the AccessManager-1 host machine.

  2. Define authuiadmin as a special user in Access Manager 2.

    1. As a root user, log in to the AccessManager-2 host machine.

    2. Locate AMConfig.properties in the /export/am71adm/config directory.


      Tip –

      Back up AMConfig.properties before you modify it.


    3. Add the UniversalID you saved to the end of the list of values for the com.sun.identity.authentication.special.users property in AMConfig.properties.

      You saved id=authuiadmin,ou=agent,dc=example, dc=com in To Create an Agent Profile for the Distributed Authentication User Interface.


      Tip –

      Change ou=agent to ou=agents and id to uid before adding it to AMConfig.properties.


    4. Restart the Web Server 2 web container to apply the change.


      # cd /opt/SUNWwbsvr/https-AccessManager-2.example.com/bin
      # ./stopserv; ./startserv
      
    5. Log out of the AccessManager-2 host machine.
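
The following script is added here as a worked example of the AMConfig.properties edit in the two procedures above; it is not part of the Sun deployment guide. It normalizes the UniversalID copied from the console (id to uid, ou=agent to ou=agents, spaces after commas removed), backs up the file, and appends the DN to com.sun.identity.authentication.special.users only if it is not already listed, so it can be run on both Access Manager hosts and re-run safely. It assumes the property occupies a single line and that its values are separated by | (the form used in the shipped AMConfig.properties); the file path, the DN and the script name are taken from the command line.

```sh
#!/bin/sh
# Added example (not part of the Sun deployment guide): append the Distributed
# Authentication UI agent DN to the Access Manager special-users list.
# Assumptions: AMConfig.properties keeps the property on one line, its values
# are separated by "|", and the file is writable by the caller.
# Usage: sh add_special_user.sh /export/am71adm/config/AMConfig.properties \
#            "id=authuiadmin,ou=agent,dc=example, dc=com"

PROP=com.sun.identity.authentication.special.users

# The console shows the UniversalID as "id=...,ou=agent,...", but the entry in
# Directory Server is "uid=...,ou=agents,...". Also drop the spaces the console
# inserts after commas, so the DN compares equal to the directory entry.
normalize_dn() {
    printf '%s\n' "$1" | sed -e 's/^id=/uid=/' -e 's/,ou=agent,/,ou=agents,/' -e 's/, */,/g'
}

# Print the current value of the property (empty if the property is absent).
get_special_users() {
    sed -n "s/^$PROP=//p" "$1" | head -n 1
}

# Append the DN unless it is already listed; keep a timestamped backup first.
add_special_user() {
    file=$1
    dn=$(normalize_dn "$2")
    current=$(get_special_users "$file")
    case "|$current|" in
        *"|$dn|"*) echo "already present: $dn"; return 0 ;;
    esac
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    if [ -z "$current" ]; then
        printf '%s=%s\n' "$PROP" "$dn" >> "$file"
    else
        # awk -v passes the DN without sed metacharacter problems; writing the
        # result back through cat keeps the file's owner and permissions.
        awk -v prop="$PROP" -v dn="$dn" '
            index($0, prop "=") == 1 { print $0 "|" dn; next }
            { print }' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    fi
    echo "added: $dn"
}

# Run only when invoked with arguments, so the functions can also be sourced.
if [ $# -eq 2 ]; then
    add_special_user "$1" "$2"
fi
```

After the script reports "added", restart the web container as in step 4 of each procedure so the new special user takes effect.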

8.2 Installing and Configuring the Distributed Authentication User Interface 1

Use the following list of procedures as a checklist for installing and deploying the Distributed Authentication User Interface 1.

  1. To Create a Non-Root User on the Distributed Authentication User Interface 1 Host Machine

  2. To Install Sun Java System Web Server for Distributed Authentication User Interface 1

  3. To Configure the WAR for Distributed Authentication User Interface 1

  4. To Deploy the Distributed Authentication User Interface 1 WAR

  5. To Import the Access Manager Load Balancer Certificate Authority Root Certificate into Distributed Authentication User Interface 1

  6. To Verify that Authentication Through the Distributed Authentication User Interface 1 is Successful

Procedure: To Create a Non-Root User on the Distributed Authentication User Interface 1 Host Machine

Create a non-root user with the roleadd command in the Solaris Operating Environment on the Distributed Authentication User Interface 1 (AuthenticationUI-1) host machine.

  1. As a root user, log in to the AuthenticationUI-1 host machine.

  2. Use roleadd to create a new user.


    # roleadd -s /sbin/sh -m -g staff -d /export/da71adm da71adm
    
  3. (Optional) Verify that the user was created.


    # cat /etc/passwd
    
    root:x:0:0:Super-User:/:/sbin/sh
    daemon:x:1:1::/:
    ...
    nobody4:x:65534:SunOS 4.x NFS Anonymous Access User:/:
    da71adm:x:215933:10::/export/da71adm:/sbin/sh
  4. (Optional) Verify that the user's directory was created.


    # cd /export/da71adm
    # ls
    
    local.cshrc    local.profile    local.login
  5. (Optional) Create a password for the non-root user.


    # passwd da71adm 
    New Password: 6a714dm
    Re-enter new Password: 6a714dm
    
    passwd: password successfully changed for da71adm

    Note –

    If you do not perform this step, you will not be able to switch user (su) when logged in as the non-root user.


Procedure: To Install Sun Java System Web Server for Distributed Authentication User Interface 1

Before You Begin
  1. On the AuthenticationUI-1 host machine, install required patches if necessary.

    In this case, the Release Notes indicate that based on the hardware and operating system being used, patch 118855-36 and patch 119964-08 are required.

    1. Run patchadd to see if the patches are already installed.


      # patchadd -p | grep 118855-36
      

      No results are returned, which indicates that the patch is not yet installed on the system.


      # patchadd -p | grep 119964-08
      

      No results are returned, which indicates that the patch is not yet installed on the system.

    2. Make a directory for downloading the patches you need and change into it.


      # mkdir /export/patches
      # cd /export/patches
      
    3. Download the patches.

      You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch.


      Note –

      Signed patches are downloaded as JAR files. Unsigned patches are downloaded as ZIP files.


    4. Unzip the patch files.


      # unzip 118855-36.zip
      # unzip 119964-08.zip
      
    5. Run patchadd to install the patches.


      # patchadd /export/patches/118855-36
      # patchadd /export/patches/119964-08
      

      Tip –

      You can use the -M option to install all patches at once. See the patchadd man page for more information.


    6. After installation is complete, run patchadd to verify that each patch was added successfully.


      # patchadd -p | grep 118855-36
      

      In this example, a series of patch numbers are displayed, and the patch 118855-36 is present.


      # patchadd -p | grep 119964-08
      

      In this example, a series of patch numbers are displayed, and the patch 119964-08 is present.

  2. Create a directory into which you can download the Web Server bits and change into it.


    # mkdir /export/WS7
    # cd /export/WS7
    
  3. Download the Sun Java System Web Server 7.0 software from http://www.sun.com/download/products.xml?id=45ad781d.

    Follow the instructions on the Sun Microsystems Product Downloads web site for downloading the software.

  4. Unpack the software package.


    # gunzip sjsws-7_0-solaris-amd64.tar.gz
    # tar xvf sjsws-7_0-solaris-amd64.tar
    
  5. Run setup.


    # cd /export/WS7
    # ./setup --console
    
  6. When prompted, provide the following information.


    You are running the installation program 
    for the Sun Java System Web Server 7.0.
    ...
    The installation program pauses as questions 
    are presented so you can read the 
    information and make your choice.  
    When you are ready to continue, press Enter.

    Press Enter. 

    Continue to press Enter when prompted. 


    Have you read the Software License 
    Agreement and do you accept all the terms?

    Enter yes.


    Sun Java System Web Server 7.0 
    Installation Directory [/sun/webserver7]

    Enter /opt/SUNWwbsvr


    Specified directory /opt/SUNWwbsvr 
    does not exist.  Create Directory? [Yes/No]

    Enter yes.


    Select Type of Installation
    
    1. Express
    2. Custom
    3. Exit
    What would you like to do? [1]

    Enter 2.


    Component Selection
    
    1. Server Core
    2. Server Core 64-bit Binaries
    3. Administration Command Line Interface
    4. Sample Applications
    5. Language Pack
    Enter the comma-separated list [1,2,3,4,5]

    Enter 1,3,5.


    Java Configuration
    1. Install Java Standard Edition 1.5.0_09
    2. Reuse existing Java SE 1.5.0_09 or greater
    3. Exit
    What would you like to do? [1]

    Enter 1.


    Administrative Options
    1. Create an Administration Server and a 
       Web Server Instance
    2. Create an Administration Node
    Enter your option. [1]

    Enter 1.


    Start servers during system startup. [yes/no]

    Enter no.


    Host Name [AuthenticationUI-1.example.com]

    Accept the default value. 


    SSL Port [8989]

    Accept the default value. 


    Create a non-SSL Port? [yes/no]

    Enter no.


    Runtime User ID [root]

    Enter da71adm.


    Administrator User Name [admin]

    Accept the default value. 


    Administrator Password:

    Enter web4dmin.


    Retype Password:

    Enter web4dmin.


    Server Name [AuthenticationUI-1.example.com]

    Accept the default value. 


    Http Port [8080]

    Enter 1080.


    Document Root Directory [/opt/SUNWwbsvr/
    https-AuthenticationUI-1.example.com/docs]

    Accept the default value. 


    Ready To Install
    1. Install Now
    2. Start Over
    3. Exit Installation
    What would you like to do?

    Enter 1.

    When installation is complete, the following message is displayed:


    Installation Successful.
  7. (Optional) To verify that Web Server was installed with the non-root user, examine the permissions.


    # cd /opt/SUNWwbsvr/admin-server
    # ls -al
    
    total 16
    drwxr-xr-x   8 root     root         512 Jul 19 10:36 .
    drwxr-xr-x  11 da71adm  staff        512 Jul 19 10:36 ..
    drwxr-xr-x   2 root     root         512 Jul 19 10:36 bin
    drwx------   2 da71adm  staff        512 Jul 19 10:36 config
    drwx------   3 da71adm  staff        512 Jul 19 11:09 config-store
    drwx------   3 da71adm  staff        512 Jul 19 10:40 generated
    drwxr-xr-x   2 da71adm  staff        512 Jul 19 10:40 logs
    drwx------   2 da71adm  staff        512 Jul 19 10:36 sessions

    The appropriate files and directories are owned by da71adm.

  8. Start the Web Server administration server.


    # su da71adm
    # cd /opt/SUNWwbsvr/admin-server/bin
    # ./startserv
    
  9. To verify that the non-root user was able to start Web Server, access https://AuthenticationUI-1.example.com:8989 from a web browser.

    1. Log in to the Web Server console as the administrator.

      User Name:

      admin

      Password:

      web4dmin

      The Web Server administration console opens.

    2. Log out of the console and close the browser.

  10. Log out of the AuthenticationUI-1 host machine.

Procedure: To Configure the WAR for Distributed Authentication User Interface 1

This procedure configures the amauthdistui.war that will be used for deployment in To Deploy the Distributed Authentication User Interface 1 WAR.

  1. As a root user, log in to the AuthenticationUI-1 host machine.

  2. Switch to the non-root user.


    # su da71adm
    
  3. Change to the directory into which you will copy amDistAuth.zip.


    # cd /export/da71adm
    

    amDistAuth.zip contains the files you need to install the Distributed Authentication User Interface. It is included in the Access Manager software downloaded in 6.2 Deploying and Configuring Access Manager 1 and Access Manager 2.

  4. Copy amDistAuth.zip from the AccessManager-1 host machine.


    # ftp AccessManager-1.example.com
    
    Connected to AccessManager-1.example.com
    220 AccessManager-1.example.com FTP server ready.
    Name (AccessManager-1.example.com:username):username
    Password: ********
    ...
    Using binary mode to transfer files
    ftp> cd /export/AM71/applications
    CWD command successful
    ftp> mget amDistAuth.zip
    mget amDistAuth.zip? y
    200 PORT command successful
    ftp> bye
    
  5. List the contents of /export/da71adm to verify that amDistAuth.zip was transferred and is owned by the non-root user.


    # ls -al
    
    total 26496
    drwxr-xr-x   5 da71adm  staff        512 Jul 19 20:59 .
    drwxr-xr-x   7 root     sys          512 Jul 20 10:13 ..
    -rw-r--r--   1 da71adm  staff        144 Jul 19 19:53 .profile
    drwx------   3 da71adm  staff        512 Jul 19 20:41 .sunw
    -rw-r--r--   1 da71adm  staff    6747654 Jul 19 20:43 amDistAuth.zip
    
  6. Unzip amDistAuth.zip.


    # unzip amDistAuth.zip
    
  7. List the contents again to verify the unzip.


    # ls -al
    
    total 26496
    drwxr-xr-x   5 da71adm  staff        512 Jul 19 20:59 .
    drwxr-xr-x   7 root     sys          512 Jul 20 10:13 ..
    -rw-r--r--   1 da71adm  staff        144 Jul 19 19:53 .profile
    drwx------   3 da71adm  staff        512 Jul 19 20:41 .sunw
    -rw-r--r--   1 da71adm  staff        572 Jul 19 20:59 .wadmtruststore
    -rw-r--r--   1 da71adm  staff    6772566 Jul 19 20:56 amauthdistui.war
    -rw-r--r--   1 da71adm  staff    6747654 Jul 19 20:43 amDistAuth.zip
    drwxr-xr-x   2 da71adm  staff        512 Jul 19 20:52 lib
    -rw-r--r--   1 da71adm  staff        136 Jul 19 19:53 local.cshrc
    -rw-r--r--   1 da71adm  staff        157 Jul 19 19:53 local.login
    -rw-r--r--   1 da71adm  staff        174 Jul 19 19:53 local.profile
    -rw-r--r--   1 da71adm  staff      10038 Mar 19 15:33 README.distAuthUI
    -rw-r--r--   1 da71adm  staff       1865 Mar 19 15:31 setup.bat
    -rw-r--r--   1 da71adm  staff       1865 Mar 19 15:31 setup.sh
    drwxr-xr-x   3 da71adm  staff        512 Jun 25 20:13 WEB-INF
  8. Change permissions on setup.sh, the Distributed Authentication User Interface configuration script.


    # chmod +x setup.sh
    

    This gives the non-root user permission to run the script that configures the Distributed Authentication User Interface WAR for its deployment.

  9. Run setup.sh.


    # ./setup.sh
    

    Caution –

    If using a shell other than sh, you must modify the setup script before running it.

    1. Open setup.sh in a text editor.

    2. Add #!/bin/sh as the first line of the file.

    3. Save and close the file.

    4. Run the script.


  10. Provide the following information.


    Debug directory (make sure this
    directory exists):

    Enter /tmp/distAuth


    Application username:

    Enter authuiadmin


    Application password:

    Enter 4uthu14dmin


    Protocol of the server:

    Enter http


    Host name of the server:

    Enter LoadBalancer-3.example.com


    Port of the server:

    Enter 7070


    Server's deployment URI:

    Enter amserver


    Naming URL (hit enter to accept default 
    value, http://LoadBalancer-3.example.com:7070/
    amserver/namingservice)

    Press Enter to accept the default value. 


    Protocol of the distauth server:

    Enter http


    Host name of the distauth server:

    Enter AuthenticationUI-1.example.com


    Port of the distauth server:

    Enter 1080


    Distauth Server's deployment URI:

    Enter distAuth


    Notification URL (hit enter to accept default 
    value, http://AuthenticationUI-1.example.com:1080/
    distAuth/notificationservice)

    Press Enter to accept the default value. 

    After running the script, amauthdistui.war is updated with the above values. The next step is To Deploy the Distributed Authentication User Interface 1 WAR.

Procedure: To Deploy the Distributed Authentication User Interface 1 WAR

Before You Begin

This procedure assumes you just completed To Configure the WAR for Distributed Authentication User Interface 1 and are still logged into the AuthenticationUI-1 host machine as the non-root user.

  1. Start the Web Server administration server.


    # cd /opt/SUNWwbsvr/admin-server/bin
    # ./startserv
    
  2. Add the Distributed Authentication User Interface WAR.


    # cd /opt/SUNWwbsvr/bin
    # ./wadm add-webapp --user=admin --host=AuthenticationUI-1.example.com \
      --port=8989 --config=AuthenticationUI-1.example.com \
      --vs=AuthenticationUI-1.example.com \
      --uri=/distAuth /export/da71adm/amauthdistui.war
    
    Please enter admin-user-password:web4dmin
    
    Do you trust the above certificate? [y|n] y
    
    CLI201 Command 'add-webapp' ran successfully
  3. Deploy the Distributed Authentication User Interface WAR.


    # ./wadm deploy-config --user=admin --host=AuthenticationUI-1.example.com \
      --port=8989 AuthenticationUI-1.example.com
    
    Please enter admin-user-password: web4dmin
    
    CLI201 Command 'deploy-config' ran successfully
  4. Restart the Web Server AuthenticationUI-1 instance.


    # cd /opt/SUNWwbsvr/https-AuthenticationUI-1.example.com/bin
    # ./stopserv; ./startserv
    
  5. Verify that the distAuth web module is loaded.


    # cd /opt/SUNWwbsvr/https-AuthenticationUI-1.example.com/\
      web-app/AuthenticationUI-1.example.com
    # ls -al
    
    total 6
    drwxr-xr-x   3 da71adm  staff        512 Jul 19 21:00 .
    drwxr-xr-x   3 da71adm  staff        512 Jul 19 21:00 ..
    drwxr-xr-x   8 da71adm  staff        512 Jul 19 21:00 distAuth
    
  6. Log out of the AuthenticationUI-1 host machine.

Procedure: To Import the Access Manager Load Balancer Certificate Authority Root Certificate into Distributed Authentication User Interface 1

Import a Certificate Authority (CA) root certificate that enables the Distributed Authentication User Interface to trust the SSL certificate from the Access Manager Load Balancer 3, and establish trust with the certificate chain that is formed from the Certificate Authority to the certificate.

  1. As a root user, log in to the AuthenticationUI-1 host machine.

  2. Copy the CA root certificate into a directory.

    Use the same root certificate installed in To Import a Certificate Authority Root Certificate on the Access Manager Load Balancer. In this example, the file is /export/software/ca.cer.

  3. Import the CA root certificate into the Java keystore.


    # /opt/SUNWwbsvr/jdk/jre/bin/keytool -import -trustcacerts \
      -alias OpenSSLTestCA -file /export/software/ca.cer \
      -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts \
      -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, 
    O=Sun,L=Santa Clara, ST=California C=US
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, 
    O=Sun,L=Santa Clara, ST=California C=US
    Serial number: 97dba0aa26db6386
    Valid from: Tue Apr 18 07:66:19 PDT 2006 until: Tue Jan 13 06:55:19 
    PST 2009
    Certificate fingerprints:
         MD5:  9f:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06
         SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:26:64:36:80:E4:70
    Trust this certificate: [no] yes
    Certificate was added to keystore.
  4. Verify that the CA root certificate was imported into the keystore.


    # /opt/SUNWwbsvr/jdk/jre/bin/keytool -list \
      -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts \
      -storepass changeit | grep -i open
    
    openssltestca, Nov 8, 2006, trustedCertEntry
  5. Restart the Web Server AuthenticationUI-1 instance.


    # cd /opt/SUNWwbsvr/https-AuthenticationUI-1.example.com/bin
    # ./stopserv
    
    server has been shutdown
    
    # ./startserv
    
    Sun Java System Web Server 7.0 B12/04/2006 07:59
    info: CORE5076: Using [Java HotSpot(TM) Server VM, 
    Version 1.5.0_09] from [Sun Microsystems Inc.]
    info: WEB0100: Loading web module in virtual server 
    [AuthenticationUI-1.example.com] at [/distAuth]
    info: HTTP3072: http-listener-1: 
    http://AuthenticationUI-1.example.com:1080 
    ready to accept requests
    info: CORE3274: successful server startup
  6. Log out of the AuthenticationUI-1 host machine.
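
Before answering yes to the "Trust this certificate" prompt in step 3, the SHA1 fingerprint that keytool prints should be compared with the fingerprint obtained from the Certificate Authority out of band. The shell functions below are added here as an example of that comparison and are not part of the Sun guide. fingerprint_matches reads keytool output on standard input, so it works on a saved transcript of the -import run as well as on -printcert output; check_ca_file runs keytool -printcert on a certificate file. The keytool path, the certificate file name and the expected-fingerprint argument are assumptions; fingerprints may be given in either case, with or without colons.

```sh
#!/bin/sh
# Added example (not part of the Sun deployment guide): verify the SHA1
# fingerprint of a CA certificate against a value obtained out of band before
# importing it as a trusted root.
# Assumptions: keytool prints a line of the form "SHA1: xx:xx:...", as in the
# guide's transcript; KEYTOOL points at the Web Server JDK copy of keytool.
KEYTOOL=${KEYTOOL:-/opt/SUNWwbsvr/jdk/jre/bin/keytool}

# Canonical form of a fingerprint: lowercase hex, no colons or whitespace.
canon_fp() {
    printf '%s' "$1" | tr -d ': \t\n' | tr 'A-F' 'a-f'
}

# Extract the first SHA1 fingerprint from keytool output read on stdin.
sha1_from_keytool_output() {
    sed -n 's/^[[:space:]]*SHA1:[[:space:]]*//p' | head -n 1
}

# Succeeds (exit 0) only when the keytool output on stdin carries a SHA1
# fingerprint equal to the expected value given as $1 (40 hex digits).
fingerprint_matches() {
    expected=$(canon_fp "$1")
    actual=$(canon_fp "$(sha1_from_keytool_output)")
    [ "${#expected}" -eq 40 ] && [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Usage: check_ca_file /export/software/ca.cer <expected-sha1>
check_ca_file() {
    "$KEYTOOL" -printcert -file "$1" | fingerprint_matches "$2"
}

if [ $# -eq 2 ]; then
    if check_ca_file "$1" "$2"; then
        echo "fingerprint matches; safe to import $1"
    else
        echo "fingerprint MISMATCH for $1; do not import" >&2
        exit 1
    fi
fi
```

Run check_ca_file before the keytool -import in step 3; only proceed with the import when it reports a match.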

Procedure: To Verify that Authentication Through the Distributed Authentication User Interface 1 is Successful

Find a host that has direct network connectivity to Distributed Authentication User Interface 1 and to the external-facing load balancer of the Access Manager servers. One natural place is the AuthenticationUI-1 host machine itself.

  1. As a root user, log in to the AuthenticationUI-1 host machine.

  2. Modify AMConfig.properties.

    1. Change to the classes directory.


      # cd /opt/SUNWwbsvr/https-AuthenticationUI-1.example.com/\
        web-app/AuthenticationUI-1.example.com/distAuth/WEB-INF/classes
      

      Tip –

      Back up AMConfig.properties before you modify it.


    2. Set the values of the properties as follows.

      com.iplanet.am.naming.url=https://LoadBalancer-3.
        example.com:9443/amserver/namingservice
      com.iplanet.am.server.protocol=https
      com.iplanet.am.server.port=9443
    3. Save the file and close it.

  3. Restart the Web Server AuthenticationUI-1 instance to apply the change.


    # cd /opt/SUNWwbsvr/https-AuthenticationUI-1.example.com/bin
    # ./stopserv; ./startserv
    
  4. Access http://AuthenticationUI-1.example.com:1080/distAuth/UI/Login?goto=http://LoadBalancer-3.example.com:7070 from a web browser.

  5. Log in to the Access Manager console as the administrator.

    Username

    amadmin

    Password

    4m4dmin1

    After successful authentication, you should be redirected to the index page for the Web Server in which Access Manager is deployed.

  6. Log out of the Access Manager console.
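
The script below is added as a worked example of steps 2 and 3 of this procedure and is not part of the Sun guide. point_at_ssl_lb rewrites the three properties to use the SSL listener of the Access Manager load balancer, and check_consistency verifies what the browser test in steps 4 and 5 would otherwise be the first to reveal: that the scheme and port embedded in com.iplanet.am.naming.url agree with com.iplanet.am.server.protocol and com.iplanet.am.server.port, and that the naming service is reached over SSL. It assumes each property occupies one line and that the naming URL carries an explicit port; the file path, host and port are command-line arguments.

```sh
#!/bin/sh
# Added example (not part of the Sun deployment guide): switch the Distributed
# Authentication UI's AMConfig.properties to the SSL listener of the Access
# Manager load balancer and check that naming URL, protocol and port agree.
# Assumptions: each property occupies one line; the naming URL carries an
# explicit port; file path, host and port are given on the command line.
# Usage: sh point_at_ssl_lb.sh /path/to/AMConfig.properties LoadBalancer-3.example.com 9443

# Print the value of a key (empty if absent).
get_prop() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Replace the key's line in place, or append it when missing.
# Writing the result back through cat keeps the file's owner and permissions.
set_prop() {
    file=$1 key=$2 value=$3
    if grep -q "^$key=" "$file"; then
        awk -v k="$key" -v v="$value" '
            index($0, k "=") == 1 { print k "=" v; next }
            { print }' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}

# Point the UI at https://<lb-host>:<ssl-port>/amserver, as in step 2 above.
point_at_ssl_lb() {
    file=$1 host=$2 port=$3
    cp "$file" "$file.bak"
    set_prop "$file" com.iplanet.am.naming.url "https://$host:$port/amserver/namingservice"
    set_prop "$file" com.iplanet.am.server.protocol https
    set_prop "$file" com.iplanet.am.server.port "$port"
}

# Exit 0 when the three properties agree and use SSL; otherwise say why and exit 1.
check_consistency() {
    file=$1
    url=$(get_prop "$file" com.iplanet.am.naming.url)
    proto=$(get_prop "$file" com.iplanet.am.server.protocol)
    port=$(get_prop "$file" com.iplanet.am.server.port)
    url_proto=${url%%://*}
    rest=${url#*://}
    hostport=${rest%%/*}
    case $hostport in
        *:*) url_port=${hostport##*:} ;;
        *)   url_port=$( [ "$url_proto" = https ] && echo 443 || echo 80 ) ;;
    esac
    [ "$url_proto" = "$proto" ] || { echo "protocol mismatch: naming URL says $url_proto, server.protocol says $proto"; return 1; }
    [ "$url_port" = "$port" ] || { echo "port mismatch: naming URL says $url_port, server.port says $port"; return 1; }
    [ "$proto" = https ] || { echo "naming service traffic is not protected by SSL"; return 1; }
    echo "consistent: $url"
}

if [ $# -eq 3 ]; then
    point_at_ssl_lb "$1" "$2" "$3"
    check_consistency "$1"
fi
```

Run it from the classes directory named in step 2, then restart the Web Server instance as in step 3; a non-zero exit from check_consistency means the file should be corrected before the browser test.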

8.3 Installing and Configuring the Distributed Authentication User Interface 2

Use the following list of procedures as a checklist for installing and configuring the Distributed Authentication User Interface 2.

  1. To Create a Non-Root User on the Distributed Authentication User Interface 2 Host

  2. To Install Sun Java System Web Server for Distributed Authentication User Interface 2

  3. To Configure the WAR for Distributed Authentication User Interface 2

  4. To Deploy the Distributed Authentication User Interface 2 WAR

  5. To Import the Access Manager Load Balancer Certificate Authority Root Certificate into the Distributed Authentication User Interface 2

  6. To Verify that Authentication Through the Distributed Authentication User Interface 2 is Successful

Procedure: To Create a Non-Root User on the Distributed Authentication User Interface 2 Host

Create a non-root user with the roleadd command in the Solaris Operating Environment on the Distributed Authentication User Interface 2 (AuthenticationUI-2) host machine.

  1. As a root user, log in to the AuthenticationUI-2 host machine.

  2. Use roleadd to create a new user.


    # roleadd -s /sbin/sh -m -g staff -d /export/da71adm da71adm
    
  3. (Optional) Verify that the user was created.


    # cat /etc/passwd
    
    root:x:0:0:Super-User:/:/sbin/sh
    daemon:x:1:1::/:
    ...
    nobody4:x:65534:SunOS 4.x NFS Anonymous Access User:/:
    da71adm:x:215933:10::/export/da71adm:/sbin/sh
  4. (Optional) Verify that the user's directory was created.


    # cd /export/da71adm
    # ls
    
    local.cshrc    local.profile    local.login
  5. (Optional) Create a password for the non-root user.


    # passwd da71adm 
    New Password: 6a714dm
    Re-enter new Password: 6a714dm
    
    passwd: password successfully changed for da71adm

    Note –

    If you do not perform this step, you will not be able to switch user (su) when logged in as the non-root user.


Procedure: To Install Sun Java System Web Server for Distributed Authentication User Interface 2

Before You Begin
  1. On the AuthenticationUI-2 host machine, install required patches if necessary.

    In this case, the Release Notes indicate that based on the hardware and operating system being used, patch 118855-36 and patch 119964-08 are required.

    1. Run patchadd to see if the patches are already installed.


      # patchadd -p | grep 118855-36
      

      No results are returned, which indicates that the patch is not yet installed on the system.


      # patchadd -p | grep 119964-08
      

      No results are returned, which indicates that the patch is not yet installed on the system.

    2. Make a directory for downloading the patches you need and change into it.


      # mkdir /export/patches
      # cd /export/patches
      
    3. Download the patches.

      You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch.


      Note –

      Signed patches are downloaded as JAR files. Unsigned patches are downloaded as ZIP files.


    4. Unzip the patch files.


      # unzip 118855-36.zip
      # unzip 119964-08.zip
      
    5. Run patchadd to install the patches.


      # patchadd /export/patches/118855-36
      # patchadd /export/patches/119964-08
      

      Tip –

      You can use the -M option to install all patches at once. See the patchadd man page for more information.


    6. After installation is complete, run patchadd to verify that each patch was added successfully.


      # patchadd -p | grep 118855-36
      

      In this example, a series of patch numbers are displayed, and the patch 118855-36 is present.


      # patchadd -p | grep 119964-08
      

      In this example, a series of patch numbers are displayed, and the patch 119964-08 is present.

  2. Create a directory into which you can download the Web Server bits and change into it.


    # mkdir /export/WS7
    # cd /export/WS7
    
  3. Download the Sun Java System Web Server 7.0 software from http://www.sun.com/download/products.xml?id=45ad781d.

    Follow the instructions on the Sun Microsystems Product Downloads web site for downloading the software.

  4. Unpack the software package.


    # gunzip sjsws-7_0-solaris-amd64.tar.gz
    # tar xvf sjsws-7_0-solaris-amd64.tar
    
  5. Run setup.


    # cd /export/WS7
    # ./setup --console
    
  6. When prompted, provide the following information.


    You are running the installation program 
    for the Sun Java System Web Server 7.0.
    ...
    The installation program pauses as questions 
    are presented so you can read the 
    information and make your choice.  
    When you are ready to continue, press Enter.

    Press Enter. 

    Continue to press Enter when prompted. 


    Have you read the Software License 
    Agreement and do you accept all the terms?

    Enter yes.


    Sun Java System Web Server 7.0 
    Installation Directory [/sun/webserver7]

    Enter /opt/SUNWwbsvr


    Specified directory /opt/SUNWwbsvr 
    does not exist.  Create Directory? [Yes/No]

    Enter yes.


    Select Type of Installation
    
    1. Express
    2. Custom
    3. Exit
    What would you like to do? [1]

    Enter 2.


    Component Selection
    
    1. Server Core
    2. Server Core 64-bit Binaries
    3. Administration Command Line Interface
    4. Sample Applications
    5. Language Pack
    Enter the comma-separated list [1,2,3,4,5]

    Enter 1,3,5.


    Java Configuration
    1. Install Java Standard Edition 1.5.0_09
    2. Reuse existing Java SE 1.5.0_09 or greater
    3. Exit
    What would you like to do? [1]

    Enter 1.


    Administrative Options
    1. Create an Administration Server and a 
       Web Server Instance
    2. Create an Administration Node
    Enter your option. [1]

    Enter 1.


    Start servers during system startup. [yes/no]

    Enter no.


    Host Name [AuthenticationUI-2.example.com]

    Accept the default value. 


    SSL Port [8989]

    Accept the default value. 


    Create a non-SSL Port? [yes/no]

    Enter no.


    Runtime User ID [root]

    Enter da71adm.


    Administrator User Name [admin]

    Accept the default value. 


    Administrator Password:

    Enter web4dmin.


    Retype Password:

    Enter web4dmin.


    Server Name [AuthenticationUI-2.example.com]

    Accept the default value. 


    Http Port [8080]

    Enter 1080.


    Document Root Directory [/opt/SUNWwbsvr/
    https-AuthenticationUI-2.example.com/docs]

    Accept the default value. 


    Ready To Install
    1. Install Now
    2. Start Over
    3. Exit Installation
    What would you like to do?

    Enter 1.

    When installation is complete, the following message is displayed:


    Installation Successful.
  7. To verify that Web Server was installed with the non-root user, examine the permissions.


    # cd /opt/SUNWwbsvr/admin-server
    # ls -al
    
    total 16
    drwxr-xr-x   8 root     root         512 Jul 19 10:36 .
    drwxr-xr-x  11 da71adm  staff        512 Jul 19 10:36 ..
    drwxr-xr-x   2 root     root         512 Jul 19 10:36 bin
    drwx------   2 da71adm  staff        512 Jul 19 10:36 config
    drwx------   3 da71adm  staff        512 Jul 19 11:09 config-store
    drwx------   3 da71adm  staff        512 Jul 19 10:40 generated
    drwxr-xr-x   2 da71adm  staff        512 Jul 19 10:40 logs
    drwx------   2 da71adm  staff        512 Jul 19 10:36 sessions

    The appropriate files and directories are owned by da71adm.

  8. Start the Web Server administration server.


    # su da71adm
    # cd /opt/SUNWwbsvr/admin-server/bin
    # ./startserv
    
  9. To verify that the non-root user was able to start Web Server, access https://AuthenticationUI-2.example.com:8989 from a web browser.

    1. Log in to the Web Server console as the administrator.

      User Name:

      admin

      Password:

      web4dmin

      The Web Server administration console opens.

    2. Log out of the console and close the browser.

  10. Log out of the AuthenticationUI–2 host machine.
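
The ownership check in step 7 is worth scripting so it can be repeated after a patch or reinstall. The following Python script is an added example, not part of this guide or of Web Server 7.0: the directory names and modes come from the listing in step 7 (config, config-store, generated, logs and sessions owned by the runtime user; config, config-store, generated and sessions with mode drwx------), and make_sample_layout builds a constructed stand-in for /opt/SUNWwbsvr/admin-server so the check runs offline. On the real host, call ownership_problems with /opt/SUNWwbsvr/admin-server and da71adm.

```python
"""Check that the Web Server admin-server layout belongs to the non-root runtime user."""
import os
import pwd
import stat
import tempfile

# Taken from the ls -al listing in step 7: these directories are owned by the
# runtime user (bin/ and admin-server itself stay root-owned and are not checked).
RUNTIME_USER_DIRS = ("config", "config-store", "generated", "logs", "sessions")
# Directories the listing shows as drwx------ (no group/other access).
PRIVATE_DIRS = ("config", "config-store", "generated", "sessions")


def _name_for_uid(uid):
    """User name for a uid, falling back to the number if there is no passwd entry."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def current_user():
    return _name_for_uid(os.getuid())


def owner_of(path):
    return _name_for_uid(os.stat(path).st_uid)


def ownership_problems(admin_server_dir, runtime_user,
                       runtime_dirs=RUNTIME_USER_DIRS, private_dirs=PRIVATE_DIRS):
    """Return a list of findings; an empty list means the layout matches the listing."""
    problems = []
    for name in runtime_dirs:
        path = os.path.join(admin_server_dir, name)
        if not os.path.isdir(path):
            problems.append(f"{name}: missing")
            continue
        owner = owner_of(path)
        if owner != runtime_user:
            problems.append(f"{name}: owned by {owner}, expected {runtime_user}")
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if name in private_dirs and mode & 0o077:
            problems.append(f"{name}: mode {mode:04o} grants group/other access")
    return problems


def make_sample_layout(private_mode=0o700):
    """Constructed stand-in for /opt/SUNWwbsvr/admin-server (owned by the
    current user) so the check can run without a Web Server installation.
    private_mode lets a caller build a deliberately loose layout."""
    base = tempfile.mkdtemp(prefix="admin-server-sample-")
    for name in RUNTIME_USER_DIRS:
        path = os.path.join(base, name)
        os.mkdir(path)
        os.chmod(path, private_mode if name in PRIVATE_DIRS else 0o755)
    os.mkdir(os.path.join(base, "bin"))
    return base


if __name__ == "__main__":
    # Real host: ownership_problems("/opt/SUNWwbsvr/admin-server", "da71adm")
    sample = make_sample_layout()
    print(ownership_problems(sample, current_user()) or "layout matches the expected listing")
```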

ProcedureTo Configure the WAR for Distributed Authentication User Interface 2

This procedure configures the amauthdistui.war that will be used for deployment in To Deploy the Distributed Authentication User Interface 2 WAR.

  1. As a root user, log in to the AuthenticationUI–2 host machine.

  2. Switch to the non-root user.


    # su da71adm
    
  3. Change to the directory into which you will copy amDistAuth.zip.


    # cd /export/da71adm
    

    amDistAuth.zip contains the files you need to install the Distributed Authentication User Interface. It is included in the Access Manager software downloaded in 6.2 Deploying and Configuring Access Manager 1 and Access Manager 2.

  4. Copy amDistAuth.zip from the AccessManager–1 host machine.


    # cd /export/da71adm
    # ftp AccessManager-1.example.com
    
    Connected to AccessManager-1.example.com
    220 AccessManager-1.example.com FTP server ready.
    Name (AccessManager-1.example.com:username):username
    Password: ********
    ...
    Using binary mode to transfer files
    ftp> cd /export/AM71/applications
    CWD command successful
    ftp> mget amDistAuth.zip?
    mget amDistAuth.zip? y
    200 PORT command successful
    ftp> bye
    
  5. List the contents of /export/da71adm to verify that amDistAuth.zip was transferred and is owned by the non-root user.


    # ls -al
    
    total 26496
    drwxr-xr-x   5 da71adm  staff        512 Jul 19 20:59 .
    drwxr-xr-x   7 root     sys          512 Jul 20 10:13 ..
    -rw-r--r--   1 da71adm  staff        144 Jul 19 19:53 .profile
    drwx------   3 da71adm  staff        512 Jul 19 20:41 .sunw
    -rw-r--r--   1 da71adm  staff    6747654 Jul 19 20:43 amDistAuth.zip
    
  6. Unzip amDistAuth.zip.


    # unzip amDistAuth.zip
    
  7. List the contents again to verify the unzip.


    # ls -al
    
    total 26496
    drwxr-xr-x   5 da71adm  staff        512 Jul 19 20:59 .
    drwxr-xr-x   7 root     sys          512 Jul 20 10:13 ..
    -rw-r--r--   1 da71adm  staff        144 Jul 19 19:53 .profile
    drwx------   3 da71adm  staff        512 Jul 19 20:41 .sunw
    -rw-r--r--   1 da71adm  staff        572 Jul 19 20:59 .wadmtruststore
    -rw-r--r--   1 da71adm  staff    6772566 Jul 19 20:56 amauthdistui.war
    -rw-r--r--   1 da71adm  staff    6747654 Jul 19 20:43 amDistAuth.zip
    drwxr-xr-x   2 da71adm  staff        512 Jul 19 20:52 lib
    -rw-r--r--   1 da71adm  staff        136 Jul 19 19:53 local.cshrc
    -rw-r--r--   1 da71adm  staff        157 Jul 19 19:53 local.login
    -rw-r--r--   1 da71adm  staff        174 Jul 19 19:53 local.profile
    -rw-r--r--   1 da71adm  staff      10038 Mar 19 15:33 README.distAuthUI
    -rw-r--r--   1 da71adm  staff       1865 Mar 19 15:31 setup.bat
    -rw-r--r--   1 da71adm  staff       1865 Mar 19 15:31 setup.sh
    drwxr-xr-x   3 da71adm  staff        512 Jun 25 20:13 WEB-INF
  8. Change permissions on setup.sh, the Distributed Authentication User Interface configuration script.


    # chmod +x setup.sh
    

    This gives the non-root user permission to run the script that configures the Distributed Authentication User Interface WAR for its deployment.

  9. Run setup.sh.


    # ./setup.sh
    

    Caution –

    If using a shell other than sh, you must modify the setup script before running it.

    1. Open setup.sh in a text editor.

    2. Add #!/bin/sh as the first line of the file.

    3. Save and close the file.

    4. Run the script.


  10. Provide the following information.


    Debug directory (make sure this
    directory exists):

    Enter /tmp/distAuth


    Application username:

    Enter authuiadmin


    Application password:

    Enter 4uthu14dmin


    Protocol of the server:

    Enter http


    Host name of the server:

    Enter LoadBalancer-3.example.com


    Port of the server:

    Enter 7070


    Server's deploymen URI:

    Enter amserver


    Naming URL (hit enter to accept default 
    value, http://LoadBalancer-3.example.com:7070/
    amserver/namingservice)

    Press Enter to accept the default value. 


    Protocol of the distauth server:

    Enter http


    Host name of the distauth server:

    Enter AuthenticationUI-2.example.com


    Port of the distaut server:

    Enter 1080


    Distauth Server's deployment URI:

    Enter distAuth


    Notification URL (hit enter to accept default 
    value, http://AuthenticationUI-2.example.com:1080/
    distAuth/notificationservice)

    Press Enter to accept the default value. 

    After running the script, amauthdistui.war is updated with the above values. The next step is To Deploy the Distributed Authentication User Interface 2 WAR.

ProcedureTo Deploy the Distributed Authentication User Interface 2 WAR

Before You Begin

This procedure assumes you just completed To Configure the WAR for Distributed Authentication User Interface 2 and are still logged into the AuthenticationUI–2 host machine as the non-root user.

  1. Start the Web Server administration server.


    # cd /opt/SUNWwbsvr/admin-server/bin
    # ./startserv
    
  2. Add the Distributed Authentication User Interface WAR.


    # cd /opt/SUNWwbsvr/bin
    # ./wadm add-webapp --user=admin --host=AuthenticationUI-2.example.com
      --port=8989 --config=AuthenticationUI-2.example.com 
      --vs=AuthenticationUI-2.example.com 
      --uri=/distAuth /export/da71adm/amauthdistui.war
    
    Please enter admin-user-password:web4dmin
    ...
    Do you trust the above certificate? [y|n] y
    
    CLI201 Command 'add-webapp' ran successfully
  3. Deploy the Distributed Authentication User Interface WAR.


    # ./wadm deploy-config --user=admin --host=AuthenticationUI-2.example.com 
      --port=8989 AuthenticationUI-2.example.com
    Please enter admin-user-password: web4dmin
    
    CLI201 Command 'deploy-config' ran successfully
  4. Restart the Web Server AuthenticationUI-2 instance.


    # cd /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com/bin
    # ./stopserv; ./startserv
    
  5. Verify that the distAuth web module is loaded.


    # cd /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com/
      web-app/AuthenticationUI-2.example.com
    # ls -al
    
    total 6
    drwxr-xr-x   3 da71adm  staff        512 Jul 19 21:00 .
    drwxr-xr-x   3 da71adm  staff        512 Jul 19 21:00 ..
    drwxr-xr-x   8 da71adm  staff        512 Jul 19 21:00 distAuth
    
  6. Log out of the AuthenticationUI–2 host machine.

ProcedureTo Import the Access Manager Load Balancer Certificate Authority Root Certificate into the Distributed Authentication User Interface 2

Import a Certificate Authority (CA) root certificate that enables the Distributed Authentication User Interface to trust the SSL certificate from the Access Manager Load Balancer 3, and establish trust with the certificate chain that is formed from the CA to the certificate.

  1. As a root user, log in to the AuthenticationUI–2 host machine.

  2. Copy the CA root certificate into a directory.

    Use the same root certificate installed in To Import a Certificate Authority Root Certificate on the Access Manager Load Balancer. In this example, the file is /export/software/ca.cer.

  3. Import the CA root certificate into the Java keystore.


    # /opt/SUNWwbsvr/jdk/jre/bin/keytool -import -trustcacerts 
      -alias OpenSSLTestCA -file /export/software/ca.cer 
      -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts 
      -storepass password
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, 
    O=Sun,L=Santa Clara, ST=California C=US
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, 
    O=Sun,L=Santa Clara, ST=California C=US
    Serial number: 97dba0aa26db6386
    Valid from: Tue Apr 18 07:66:19 PDT 2006 until: Tue Jan 13 06:55:19 
    PST 2009
    Certificate fingerprints:
         MD5:  9f:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06
         SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:26:64:36:80:E4:70
    
    Trust this certificate: [no] yes
    
    Certificate was added to keystore.
  4. Verify that the CA root certificate was imported into the keystore.


    # /opt/SUNWwbsvr/jdk/jre/bin/keytool -list 
      -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts 
      -storepass password | grep -i open
    
    openssltestca, Nov 8, 2006, trustedCertEntry
  5. Restart the Web Server AuthenticationUI-2 instance.


    # cd /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com/bin
    # ./stopserv
    
    server has been shutdown
    
    # ./startserv
    
    Sun Java System Web Server 7.0 B12/04/2006 07:59
    info: CORE5076: Using [Java HotSpot(TM) Server VM, 
    Version 1.5.0_09] from [Sun Microsystems Inc.]
    info: WEB0100: Loading web module in virtual server 
    [AuthenticationUI-2.example.com] at [/distAuth]
    info: HTTP3072: http-listener-1: http://AuthenticationUI-2.
    example.com:1080 ready to accept requests
    info: CORE3274: successful server startup
  6. Log out of the AuthenticationUI–2 host machine.
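
Step 3 answers "Trust this certificate" by hand after reading the fingerprints that keytool prints. The following Python script is an added example, not part of this guide or of the JDK: it computes the same MD5 and SHA1 fingerprints from the PEM file itself and runs keytool -import only when the SHA1 value matches the one the CA published out of band, using -noprompt because the trust decision has already been made by the comparison. SAMPLE_PEM is a constructed stand-in (arbitrary bytes, not a real certificate) so the fingerprint functions run without ca.cer; import_trusted_ca expects the real file, alias, keystore and password from step 3.

```python
"""Verify a CA root certificate's fingerprint before importing it into cacerts."""
import base64
import hashlib
import re
import subprocess

# Constructed sample: the body is arbitrary bytes so this runs offline.
# A real run reads /export/software/ca.cer instead.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed-not-a-real-certificate").decode()
              + "\n-----END CERTIFICATE-----\n")


def pem_to_der(pem_text):
    """DER bytes of the first CERTIFICATE block in a PEM file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der, algorithm="sha1"):
    """Colon-separated upper-case hex digest of the DER, the form keytool prints."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(der, expected, algorithm="sha1"):
    """Compare ignoring case and colons, so a value copied from keytool,
    a browser dialog or 'openssl x509 -fingerprint' all compare equal."""
    def norm(s):
        return re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(fingerprint(der, algorithm)) == norm(expected)


def import_trusted_ca(pem_path, expected_sha1, alias, keystore, storepass,
                      keytool="/opt/SUNWwbsvr/jdk/jre/bin/keytool"):
    """Import the CA root only after its SHA1 fingerprint matches the published one.
    -storepass on the command line is visible in ps output, as in the procedure;
    on a shared host let keytool prompt for it instead."""
    with open(pem_path) as f:
        der = pem_to_der(f.read())
    if not fingerprint_matches(der, expected_sha1):
        raise ValueError(f"fingerprint mismatch for {pem_path}: "
                         f"got {fingerprint(der)}, expected {expected_sha1}")
    cmd = [keytool, "-import", "-trustcacerts", "-noprompt", "-alias", alias,
           "-file", pem_path, "-keystore", keystore, "-storepass", storepass]
    subprocess.run(cmd, check=True)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    print("MD5: ", fingerprint(der, "md5"))
    print("SHA1:", fingerprint(der, "sha1"))
    # Real host (values from step 3; EXPECTED_SHA1 is whatever the CA published):
    # import_trusted_ca("/export/software/ca.cer", EXPECTED_SHA1, "OpenSSLTestCA",
    #                   "/opt/SUNWwbsvr/jdk/jre/lib/security/cacerts", "password")
```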

ProcedureTo Verify that Authentication Through the Distributed Authentication User Interface 2 is Successful

Find a host that has direct network connectivity to Distributed Authentication User Interface 2 and to the external-facing load balancer of the Access Manager servers. One natural place is the AuthenticationUI–2 host machine itself.

  1. As a root user, log into the AuthenticationUI–2 host machine.

  2. Modify AMConfig.properties.

    1. Change to the classes directory.


      # cd /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com/
        web-app/AuthenticationUI-2.example.com/distAuth/WEB-INF/classes
      

      Tip –

      Backup AMConfig.properties before you modify it.


    2. Set the values of the properties as follows.

      com.iplanet.am.naming.url=https://LoadBalancer-3.
        example.com:9443/amserver/namingservice
      com.iplanet.am.server.protocol=https
      com.iplanet.am.server.port=9443
    3. Save the file and close it.

  3. Restart the AuthenticationUI-2 host machine.


    # cd /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com/bin
    # ./stopserv; ./startserv
    
  4. Access http://AuthenticationUI-2.example.com:1080/distAuth/UI/Login?goto=http://LoadBalancer-3.example.com:7070 from a web browser.

  5. Log in to the Access Manager console as the administrator.

    Username

    amadmin

    Password

    4m4dmin1

    After successful authentication, you should be redirected to the index page for the Web Server in which Access Manager is deployed.

  6. Log out of the Access Manager console.

8.4 Configuring the Distributed Authentication User Interface Load Balancer

The following figure illustrates how Load Balancer 4 is configured in front of the two instances of the Distributed Authentication User Interface.

Figure 8–1 Distributed Authentication

Load Balancer 4 is installed in front of two instances of the Distributed Authentication User Interface.

Use the following list of procedures as a checklist for configuring the Distributed Authentication User Interface load balancer.

  1. To Configure the Distributed Authentication User Interface Load Balancer

  2. To Configure Load Balancer Cookies for the Distributed Authentication User Interface

  3. To Request a Secure Sockets Layer Certificate for the Distributed Authentication User Interface Load Balancer

  4. To Import a CA Root Certificate on the Distributed Authentication User Interface Load Balancer

  5. To Install an SSL Certificate on the Distributed Authentication User Interface Load Balancer

  6. To Configure SSL Termination on the Distributed Authentication User Interface Load Balancer

ProcedureTo Configure the Distributed Authentication User Interface Load Balancer

Before You Begin
  1. Access https://is-f5.example.com, the Big IP load balancer login page, from a web browser.

  2. Log in using the following information.

    User name:

    username

    Password:

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. Create a Pool.

    A pool contains all the backend server instances.

    1. In the left pane, click Pools.

    2. On the Pools tab, click Add.

    3. In the Add Pool dialog, provide the following information:

      Pool Name

      AuthenticationUI-Pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address and port number of both Distributed Authentication User Interface host machines: AuthenticationUI-1:1080 and AuthenticationUI-2:1080.

    4. Click Done.

  5. Add a Virtual Server.

    This step defines instances of the load balancer.


    Tip –

    If you encounter JavaScript errors or otherwise cannot proceed to create a virtual server, try using Internet Explorer.


    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click Add.

    3. In the Add Virtual Server wizard, enter the virtual server IP address and port number.

      Address

      Enter the IP address for LoadBalancer-4.example.com

      Service

      90

      Pool

      AuthenticationUI-Pool

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the AuthenticationUI-Pool Pool.

    6. Click Done.

  6. Add Monitors.

    Monitors are required for the load balancer to detect the backend server failures.

    1. In the left frame, click Monitors.

    2. Click the Basic Associations tab.

    3. Add an HTTP monitor to each Web Server node.

      In the Node list, locate the IP address and port number for AuthenticationUI-1:1080 and AuthenticationUI-2:1080, and select the Add checkbox.

    4. Click Apply.

  7. Configure the load balancer for persistence.

    1. In the left frame, click Pools.

    2. Click the AuthenticationUI-Pool link.

    3. Click the Persistence tab.

    4. Under Persistence Type, choose Passive HTTP Cookie and click Apply.

  8. To verify that the Distributed Authentication User Interface load balancer is configured properly, access http://LoadBalancer-4.example.com:90/ from a web browser.

    If the browser successfully renders the default Web Server document root page, the load balancer has been configured properly.

ProcedureTo Configure Load Balancer Cookies for the Distributed Authentication User Interface

Modify AMConfig.properties on both Distributed Authentication User Interface host machines.

  1. Log in as a root user to the AuthenticationUI–1 host machine.

  2. Change to the classes directory.


    # cd /opt/SUNWwbsvr/https-AuthenticationUI-1.example.com/
      web-app/AuthenticationUI-1.example.com/distAuth/WEB-INF/classes
    
  3. Make the following changes to AMConfig.properties.


    Tip –

    Backup AMConfig.properties before you modify it.


    • Uncomment the last two lines at the end of the file.

    • Set the following values:

      com.iplanet.am.lbcookie.name=AuthenticationUILBCookie 
      com.iplanet.am.lbcookie.value=AuthenticationUI-1
  4. Save the file and close it.

  5. Restart the AuthenticationUI–1 host machine.

  6. Log in as a root user to the AuthenticationUI–2 host machine.

  7. Change to the classes directory.


    # cd /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com/
      web-app/AuthenticationUI-2.example.com/distAuth/WEB-INF/classes
    
  8. Make the following changes to AMConfig.properties.


    Tip –

    Backup AMConfig.properties before you modify it.


    • Uncomment the last two lines at the end of the file.

    • Set the following values:

      com.iplanet.am.lbcookie.name=AuthenticationUILBCookie 
      com.iplanet.am.lbcookie.value=AuthenticationUI-2
  9. Save the file and close it.

  10. Restart the AuthenticationUI–2 host machine.
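
The edits in To Verify that Authentication Through the Distributed Authentication User Interface 2 is Successful (naming URL, server protocol and port) and in the procedure above (uncommenting and setting the two lbcookie properties) are both plain-text edits to AMConfig.properties on each instance. The following Python script is an added example, not part of this guide or of Access Manager: SAMPLE_AMCONFIG is a constructed fragment containing only the keys those procedures touch, set_properties applies the edits so that each key ends up defined exactly once (a commented "#key=" line is uncommented, a stale duplicate is dropped), and consistency_problems lists what to check before restarting the instance. To apply it to the real file, read and write AMConfig.properties in the classes directory named above after taking the backup the Tip recommends.

```python
"""Apply the AMConfig.properties edits from the procedures and check the result."""
import re
from urllib.parse import urlsplit

# Constructed fragment of AMConfig.properties as setup.sh leaves it: only the
# keys these procedures touch, with the two commented lbcookie lines at the end.
SAMPLE_AMCONFIG = """\
# constructed sample, not the file shipped with Access Manager
com.iplanet.am.naming.url=http://LoadBalancer-3.example.com:7070/amserver/namingservice
com.iplanet.am.server.protocol=http
com.iplanet.am.server.host=LoadBalancer-3.example.com
com.iplanet.am.server.port=7070
com.iplanet.am.notification.url=http://AuthenticationUI-2.example.com:1080/distAuth/notificationservice
#com.iplanet.am.lbcookie.name=
#com.iplanet.am.lbcookie.value=
"""

# Matches 'key=value' and the commented form '#key=value'; a prose comment
# (no '=' right after the first word) does not match.
_KEY_RE = re.compile(r"^\s*#?\s*([A-Za-z0-9_.\-]+)\s*=")


def naming_url(protocol, host, port, deploy_uri="amserver"):
    """The naming service URL setup.sh derives from the server values."""
    return f"{protocol}://{host}:{port}/{deploy_uri}/namingservice"


def set_properties(text, updates):
    """Return text with every key in updates defined exactly once: the first
    occurrence (commented or not) becomes 'key=value', later duplicates are
    dropped so a Java properties reader (last definition wins) cannot pick up
    a stale value, and keys absent from the file are appended."""
    out, done = [], set()
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        key = m.group(1) if m else None
        if key in updates:
            if key not in done:
                out.append(f"{key}={updates[key]}")
                done.add(key)
            continue
        out.append(line)
    for key, value in updates.items():
        if key not in done:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def load_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separator,
    last definition wins. Backslash line continuations are not handled."""
    props = {}
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", s)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def configure_for_ssl_and_lb(text, instance_name,
                             am_lb_host="LoadBalancer-3.example.com", am_lb_ssl_port=9443):
    """Both edits in one pass: point the naming service at Load Balancer 3's SSL
    port, and set this instance's cookie so Load Balancer 4's passive HTTP
    cookie persistence routes follow-up requests back to the same instance."""
    return set_properties(text, {
        "com.iplanet.am.naming.url": naming_url("https", am_lb_host, am_lb_ssl_port),
        "com.iplanet.am.server.protocol": "https",
        "com.iplanet.am.server.port": str(am_lb_ssl_port),
        "com.iplanet.am.lbcookie.name": "AuthenticationUILBCookie",
        "com.iplanet.am.lbcookie.value": instance_name,
    })


def consistency_problems(props):
    """Findings to resolve before restarting the instance; empty means consistent."""
    problems = []
    url = urlsplit(props.get("com.iplanet.am.naming.url", ""))
    proto = props.get("com.iplanet.am.server.protocol")
    port = props.get("com.iplanet.am.server.port")
    if url.scheme != proto:
        problems.append(f"naming URL scheme {url.scheme!r} differs from server.protocol {proto!r}")
    if str(url.port) != port:
        problems.append(f"naming URL port {url.port!r} differs from server.port {port!r}")
    if url.scheme != "https":
        problems.append("naming URL is not https; the verification procedure expects "
                        "Load Balancer 3's SSL port")
    if not props.get("com.iplanet.am.lbcookie.name") or not props.get("com.iplanet.am.lbcookie.value"):
        problems.append("lbcookie name/value not set; load balancer persistence cannot be honoured")
    return problems


if __name__ == "__main__":
    # Real host: path = ".../distAuth/WEB-INF/classes/AMConfig.properties";
    # text = open(path).read(); open(path, "w").write(configure_for_ssl_and_lb(text, "AuthenticationUI-2"))
    updated = configure_for_ssl_and_lb(SAMPLE_AMCONFIG, "AuthenticationUI-2")
    print(updated)
    print(consistency_problems(load_properties(updated)) or "consistent")
```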

ProcedureTo Request a Secure Sockets Layer Certificate for the Distributed Authentication User Interface Load Balancer

Generate a request for a Secure Sockets Layer (SSL) certificate to send to a certificate authority.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, from a web browser.

  2. Log in to the BIG-IP console using the following information.

    User Name:

    username

    Password:

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Click the Cert-Admin tab.

  6. On the SSL Certificate Administration page, click Generate New Key Pair/Certificate Request.

  7. On the Create Certificate Request page, provide the following information:

    Key Identifier:

    LoadBalancer-4.example.com

    Organizational Unit Name:

    Deployment

    Domain Name:

    LoadBalancer-4.example.com

    Challenge Password:

    password

    Retype Password:

    password

  8. Click Generate Key Pair/Certificate Request.

    On the SSL Certificate Request page, the request is generated in the Certificate Request field.

  9. Save the text contained in the Certificate Request field to a text file.

  10. Log out of the console and close the browser.

  11. Send the certificate request text you saved to the Certificate Authority of your choice.

    A Certificate Authority (CA) is an entity that issues certified digital certificates; VeriSign, Thawte, Entrust, and GoDaddy are just a few. In this deployment, CA certificates were obtained from OpenSSL. Follow the instructions provided by your Certificate Authority to submit a certificate request.

ProcedureTo Import a CA Root Certificate on the Distributed Authentication User Interface Load Balancer

The CA root certificate proves that the particular CA (such as VeriSign or Entrust) did, in fact, issue a particular SSL certificate. You install the root certificate on Load Balancer 4 so that the Load Balancer 4 SSL certificate can be linked back to the CA that issued it. CA root certificates are publicly available.

Before You Begin

You should have a CA root certificate.

  1. Access https://is-f5.example.com, the Big IP load balancer login page, from a web browser.

  2. Log in using the following information:

    User name:

    username

    Password:

    password

  3. In the BIG-IP load balancer console, click Proxies.

  4. Click the Cert-Admin tab.

  5. Click Import.

  6. In the Import Type field, choose Certificate, and click Continue.

  7. Click Browse in the Certificate File field on the Install SSL Certificate page.

  8. In the Choose File dialog, choose Browser.

  9. Navigate to the file that includes the root CA Certificate and click Open.

  10. In the Certificate Identifier field, enter OpenSSL_CA_cert.

  11. Click Install Certificate.

  12. On the Certificate OpenSSL_CA_Cert page, click Return to Certificate Administration.

    The root certificate OpenSSL_CA_Cert is now included in the Certificate ID list.

ProcedureTo Install an SSL Certificate on the Distributed Authentication User Interface Load Balancer

Before You Begin

This procedure assumes you have received an SSL certificate from a CA and just completed To Import a CA Root Certificate on the Distributed Authentication User Interface Load Balancer.

  1. In the BIG-IP load balancer console, click Proxies.

  2. Click the Cert-Admin tab.

    The key LoadBalancer-4.example.com is in the Key List. This was generated in To Request a Secure Sockets Layer Certificate for the Distributed Authentication User Interface Load Balancer.

  3. In the Certificate ID column, click the Install button for LoadBalancer-4.example.com.

  4. In the Certificate File field, click Browse.

  5. In the Choose File dialog, navigate to the file that contains the certificate text sent to you by the CA and click Open.

  6. Click Install Certificate.

  7. On the Certificate LoadBalancer-4.example.com page, click Return to Certificate Administration Information.

    Verify that the Certificate ID indicates LoadBalancer-4.example.com on the SSL Certificate Administration page.

  8. Log out of the load balancer console.

ProcedureTo Configure SSL Termination on the Distributed Authentication User Interface Load Balancer

Secure Sockets Layer (SSL) termination at Load Balancer 4 increases performance at the Access Manager level and simplifies SSL certificate management. Because Load Balancer 4 sends unencrypted data internally, neither the Access Manager server nor the Distributed Authentication User Interface has to perform decryption, which relieves the burden on their processors. Clients send SSL-encrypted data to Load Balancer 4 which, in turn, decrypts the data and sends the unencrypted data to the appropriate Distributed Authentication User Interface. Load Balancer 4 also encrypts responses from the Distributed Authentication User Interface and sends these encrypted responses back to the client. To this end, you create an SSL proxy, the gateway that decrypts HTTP requests and encrypts the replies.


Note –

Load Balancer 4 can intelligently load-balance a request based on unencrypted cookies. This would not be possible with SSL-encrypted cookies because Load Balancer 4 cannot read SSL-encrypted cookies.


Before You Begin

Before creating the SSL proxy, you should have a certificate issued by a recognized CA.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in using the following information:

    Username

    username

    Password

    password

  3. Click Configure your BIG-IP using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. On the Proxies tab, click Add.

  6. In the Add Proxy dialog, provide the following information:

    Proxy Type:

    Check the SSL checkbox.

    Proxy Address:

    The IP address of Load Balancer 4, the Distributed Authentication User Interface load balancer.

    Proxy Service:

    9443

    The secure port number

    Destination Address:

    The IP address of Load Balancer 4, the Distributed Authentication User Interface load balancer.

    Destination Service:

    90

    The non-secure port number

    Destination Target:

    Choose Local Virtual Server.

    SSL Certificate:

    Choose LoadBalancer-4.example.com.

    SSL Key:

    Choose LoadBalancer-4.example.com.

    Enable ARP:

    Check this checkbox.

  7. Click Next.

  8. In the Rewrite Redirects field, choose All.

  9. Click Done.

    The new proxy server is now added to the Proxy Server list.

  10. Log out of the load balancer console.

  11. Access https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?goto=https://LoadBalancer-3.example.com:9443 from a web browser.


    Tip –

    A message may be displayed indicating that the browser doesn't recognize the certificate issuer. If this happens, install the CA root certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.


  12. Log in to the Access Manager console as the administrator.

    Username

    amadmin

    Password

    4m4dmin1

    If you can successfully log in to Access Manager, the SSL certificate is installed and the proxy service is configured properly.

  13. Log out of Access Manager, and close the browser.