Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover

9.2.4 Configuring the J2EE Policy Agent 2 to Communicate Over SSL

Use the following list of procedures as a checklist to configure the policy agent to point to the secure port of the Access Manager Load Balancer 3.

  1. To Configure the J2EE Policy Agent 2 for SSL Communication

  2. To Import the CA Root Certificate into the Application Server 2 Keystore

  3. To Verify that J2EE Policy Agent 2 is Configured Properly

  4. To Configure the J2EE Policy Agent 2 to Access the Distributed Authentication User Interface

Procedure: To Configure the J2EE Policy Agent 2 for SSL Communication

  1. Log in as a root user to the ProtectedResource–2 host machine.

  2. Change to the config directory.


    # cd /export/J2EEPA2/j2ee_agents/am_wl92_agent/agent_001/config
    

    Tip –

    Backup AMAgent.properties before you modify it.


  3. Modify these properties in AMAgent.properties as follows. A trailing backslash continues a value on the next line, so each wrapped URL is read as a single value.

    com.sun.identity.agents.config.login.url[0] = \
       https://LoadBalancer-3.example.com:9443/amserver/UI/Login?realm=users
    com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = \
       https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
    com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = \
       https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
    com.iplanet.am.naming.url= \
       https://LoadBalancer-3.example.com:9443/amserver/namingservice
    com.iplanet.am.server.protocol=https
    com.iplanet.am.server.port=9443
  4. Save AMAgent.properties and close the file.
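As an added consistency check (example code written for this page, not part of the deployment guide or of the agent), the following script reads AMAgent.properties the way java.util.Properties does, including backslash line continuations, and reports any Access Manager URL that is not https, or a naming URL whose port disagrees with com.iplanet.am.server.port. The sample properties are constructed from the values in step 3; the distAuth login URL set later in this section passes the same check because it also uses https.

```python
# Added example (not from the guide or the agent): read AMAgent.properties the
# way java.util.Properties does and flag Access Manager URLs that are not https.
import re
from urllib.parse import urlsplit

URL_KEYS = (
    "com.sun.identity.agents.config.login.url[0]",
    "com.sun.identity.agents.config.cdsso.cdcservlet.url[0]",
    "com.sun.identity.agents.config.cdsso.trusted.id.provider[0]",
    "com.iplanet.am.naming.url",
)

def parse_properties(text):
    """'#'/'!' comments, '=' or ':' separator, trailing '\\' joins the next line."""
    props, pending = {}, None
    for raw in text.splitlines():
        line = raw.lstrip() if pending is not None else raw.strip()
        if pending is None and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            pending = (pending or "") + line[:-1]
            continue
        logical, pending = (pending or "") + line, None
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        props[m.group(1)] = m.group(2).strip()
    return props

def check_ssl_settings(props):
    """Return the problems found; [] means every AM URL is https on the configured port."""
    problems = []
    if props.get("com.iplanet.am.server.protocol") != "https":
        problems.append("com.iplanet.am.server.protocol is not https")
    for key in URL_KEYS:
        if urlsplit(props.get(key, "")).scheme != "https":
            problems.append("%s does not use https" % key)
    naming = urlsplit(props.get("com.iplanet.am.naming.url", ""))
    if str(naming.port or 443) != props.get("com.iplanet.am.server.port"):
        problems.append("naming URL port differs from com.iplanet.am.server.port")
    return problems

# Constructed sample with the step 3 values; the first one is wrapped as in the text.
SAMPLE = """\
com.sun.identity.agents.config.login.url[0] = \\
   https://LoadBalancer-3.example.com:9443/amserver/UI/Login?realm=users
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
com.iplanet.am.naming.url=https://LoadBalancer-3.example.com:9443/amserver/namingservice
com.iplanet.am.server.protocol=https
com.iplanet.am.server.port=9443
"""
```

Call check_ssl_settings(parse_properties(open(path).read())) on the saved AMAgent.properties; an empty list means the agent will not send its naming, login or CDSSO traffic to Access Manager over plain http.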

Procedure: To Import the CA Root Certificate into the Application Server 2 Keystore

The Certificate Authority (CA) root certificate enables the J2EE policy agent to trust the certificate from the Access Manager Load Balancer 3, and to establish trust with the certificate chain that is formed from the CA to the certificate. Import the same CA root certificate used in To Import a Certificate Authority Root Certificate on the Access Manager Load Balancer.

Before You Begin

This procedure assumes you have just completed To Configure the J2EE Policy Agent 2 for SSL Communication. In this example, the root certificate is a file named /export/software/ca.cer.

  1. Change to the directory where the cacerts keystore is located.


    # cd /usr/local/bea/jdk150_04/jre/lib/security
    

    Tip –

    Backup cacerts before you modify it.


  2. Import the root certificate.


    # /usr/local/bea/jdk150_04/bin/keytool -import \
      -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer \
      -keystore /usr/local/bea/jdk150_04/jre/lib/security/cacerts \
      -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun,
     O=Sun, L=Santa Clara, ST=California, C=US 
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun,
     O=Sun, L=Santa Clara, ST=California, C=US 
    Serial number: 97dba0aa26db6386 
    Valid from: Tue Apr 18 07:55:19 PDT 2006 
     until: Tue Jan 13 06:55:19 PST 2009 
    Certificate fingerprints: 
    	MD5: 9F:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06
    	SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:28:64:36:80:E4:70 
    Trust this certificate? [no]: yes
    Certificate was added to keystore
  3. Verify that the certificate was successfully added to the keystore.


    # /usr/local/bea/jdk150_04/bin/keytool -list \
      -keystore /usr/local/bea/jdk150_04/jre/lib/security/cacerts \
      -storepass changeit | grep -i openssl
    
    openssltestca, Sept 19, 2007, trustedCertEntry,
  4. Restart the Application Server 1 administration server and managed instance.

    1. Change to the bin directory.


      # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
      
    2. Stop the managed instance.


      # ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001
      
    3. Stop the administration server.


      # ./stopWebLogic.sh
      
    4. Start the administration server.


      # ./startWebLogic.sh &
      
    5. Start the managed instance.


      # ./startManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001 &
      
  5. Log out of the ProtectedResource–2 host machine.

Procedure: To Verify that J2EE Policy Agent 2 is Configured Properly

Use these steps to access the agent sample application and test policies against it.

  1. Access http://ProtectedResource-2.example.com:1081/agentsample/index.html, the sample application URL, from a web browser.

    The Sample Application welcome page is displayed.

  2. Click the J2EE Declarative Security link.

  3. On the resulting page, click Invoke the Protected Servlet.

    You are redirected to the Access Manager login page.

  4. Log in to the Access Manager console as testuser1.

    Username

    testuser1

    Password

    password

    If you can successfully log in as testuser1 and the J2EE Policy Agent Sample Application page is displayed, this first part of the test has succeeded and authentication is working as expected.

  5. Click the J2EE Declarative Security link to return.

  6. On the resulting page, click Invoke the Protected Servlet.

    If the Success Invocation message is displayed, this second part of the test has succeeded as the sample policy for the manager role has been enforced as expected.

  7. Click the J2EE Declarative Security link to go back.

  8. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

    If the Failed Invocation message is displayed, this third part of the test succeeded as the sample policy for the employee role has been enforced as expected.

  9. Log out and close the browser.

  10. In a new browser session, access http://ProtectedResource-2.example.com:1081/agentsample/index.html, the sample application URL.

    The Sample Application welcome page is displayed.

  11. Click the J2EE Declarative Security link.

  12. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

    You are redirected to the Access Manager login page.


    Tip –

    If you are not redirected to the Access Manager login page for authentication, clear your browser's cache and cookies and try again.


  13. Log in to the Access Manager console as testuser2.

    Username

    testuser2

    Password

    password

    The Failed Invocation message is displayed. This is a known issue.

  14. Click the J2EE Declarative Security link.

  15. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

    The Successful Invocation message is displayed. The sample policy for the employee role has been enforced as expected.

  16. Click the J2EE Declarative Security link to return.

  17. On the resulting page, click Invoke the Protected Servlet.

    If the Access to Requested Resource Denied message is displayed, this part of the test is successful as the sample policy for the manager role has been enforced as expected.

  18. Log out and close the browser.

Procedure: To Configure the J2EE Policy Agent 2 to Access the Distributed Authentication User Interface

Modify AMAgent.properties.

  1. Log in as a root user to the ProtectedResource–2 host machine.

  2. Change to the config directory.


    # cd /export/J2EEPA2/j2ee_agents/am_wl92_agent/agent_001/config
    

    Tip –

    Backup AMAgent.properties before you modify it.


  3. Set the following property. The trailing backslash continues the value on the next line, so the wrapped URL is read as a single value.

    com.sun.identity.agents.config.login.url[0] = \
       https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users
  4. Save AMAgent.properties and close the file.

  5. Restart the Application Server 1 managed server.

    1. Change to the bin directory.


      # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
      
    2. Stop the managed server.


      # ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001
      
    3. Start the managed server.


      # ./startManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001
      
  6. Log out of the ProtectedResource–2 host machine.

  7. Verify that the agent is configured properly.

    1. Access http://ProtectedResource-2.example.com:1081/agentsample/index.html, the sample application URL, from a web browser.

      The Sample Application Welcome page is displayed.

    2. Click the J2EE Declarative Security link.

    3. On the resulting page, click Invoke the Protected Servlet.

      You are redirected to the Distributed Authentication User Interface at https://loadbalancer-4.example.com:9443/distAuth/UI/Login.

    4. (Optional) Double-click the gold lock in the lower left corner of the browser.

      In the Properties page, you see the certificate for LoadBalancer–4.example.com.

    5. Log in to the Access Manager console as testuser1.

      Username

      testuser1

      Password

      password

      If you can successfully log in as testuser1 and the J2EE Policy Agent Sample Application page is displayed, user authentication worked through the Distributed Authentication User Interface.

    6. Log out of the console.