Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover

8.1 Creating an Agent Profile and Custom User for Distributed Authentication User Interface

Before installing and configuring the Distributed Authentication User Interface, you create an agent profile in Access Manager to be used by the Distributed Authentication User Interface to authenticate itself. An agent profile allows Access Manager to store authentication and configuration information regarding the Distributed Authentication User Interface. The agent profile created in this procedure will be stored in the Access Manager configuration data store.

Creating an agent profile also creates a custom user. This custom user will allow the Distributed Authentication User Interface to log into the Access Manager server and therefore must be defined as an Access Manager special user.


Note –

Although the Distributed Authentication User Interface is not an agent, it acts on behalf of Access Manager and therefore must have its own agent profile.


Use the following list of procedures as a checklist for these tasks.

  1. To Create an Agent Profile for the Distributed Authentication User Interface

  2. To Define Agent Profile User as an Access Manager Special User

  3. To Verify that authuiadmin Was Created in Directory Server

Procedure: To Create an Agent Profile for the Distributed Authentication User Interface

This agent profile will be used by the Distributed Authentication User Interface to authenticate itself to Access Manager. The process includes creation of a special user that will be defined as an Access Manager special user in the next procedure, To Define Agent Profile User as an Access Manager Special User.

  1. Access http://LoadBalancer-3.example.com:7070/ from a web browser.

  2. Log in to the Access Manager console as the administrator.

    User Name:

    amadmin

    Password:

    4m4dmin1

  3. Under the Access Control tab, click example, the top-level Realm Name.

  4. Click the Subjects tab.

  5. Click the Agent tab.

  6. Click New to create a new agent profile.

  7. Type authuiadmin in the ID field.

  8. Type 4uthu14dmin in both the Password and Password (confirm) fields.

  9. Click OK.

  10. From the list of Agent names, click authuiadmin.

  11. Copy the value of the UniversalID and save it to a temporary text file.

    You will need this value in To Define Agent Profile User as an Access Manager Special User.

  12. Log out of the console.

  13. (Optional) Verify that the agents organizational unit was created successfully by logging into a Directory Server host machine and running ldapsearch.


    # ldapsearch -b "dc=example,dc=com" -h LoadBalancer-1.example.com \
      -p 389 -D "cn=Directory Manager" -w d1rm4n4ger "ou=agents"
    
    version: 1
    dn: ou=agents,dc=example,dc=com
    sunIdentityServerSupportedTypes: agent
    ou: agents
    objectClass: sunNameSpace
    objectClass: iplanet-am-managed-org-unit
    objectClass: top
    objectClass: organizationalUnit

    This organizational unit will hold all agent profiles.


    Note –

    The agents organizational unit is created only after the first agent profile is configured.


Procedure: To Verify that authuiadmin Was Created in Directory Server

This is an optional verification step.

  1. Log in to either of the Directory Server host machines.

  2. Run ldapsearch to verify that the authuiadmin entry was successfully created.


    # ldapsearch -b "dc=example,dc=com" -h LoadBalancer-1.example.com \
      -p 389 -D "cn=Directory Manager" -w d1rm4n4ger "uid=authuiadmin"
    
    version: 1
    dn: uid=authuiadmin,ou=agents,dc=example,dc=com
    sunIdentityServerDeviceStatus: Active
    uid: authuiadmin
    objectClass: sunIdentityServerDevice
    objectClass: iplanet-am-user-service
    objectClass: top
    objectClass: iPlanetPreferences
    sunIdentityServerDeviceType: Agent
    cn: default
    sunIdentityServerDeviceVersion: 2.2
    userPassword: {SSHA}aeEi095TamPnJCOLinRNDzlLC8SDaOsdQ2Nqfw==

  3. Log out of the Directory Server host machine.

Procedure: To Define Agent Profile User as an Access Manager Special User

The agent profile just created includes a user that will now be defined as an Access Manager special administrative user for both Access Manager 1 and Access Manager 2.

Before You Begin

You should have the UniversalID value saved in To Create an Agent Profile for the Distributed Authentication User Interface.

  1. Define authuiadmin as a special user in Access Manager 1.

    1. As a root user, log in to the AccessManager-1 host machine.

    2. Locate AMConfig.properties in the /export/am71adm/config directory.


      Tip –

      Back up AMConfig.properties before you modify it.


    3. Add the UniversalID you saved to the end of the list of values for the com.sun.identity.authentication.special.users property in AMConfig.properties.

      You saved id=authuiadmin,ou=agent,dc=example, dc=com in To Create an Agent Profile for the Distributed Authentication User Interface.


      Tip –

      Change ou=agent to ou=agents and id to uid before adding it to AMConfig.properties.


    4. Restart the Web Server 1 web container to apply the change.


      # cd /opt/SUNWwbsvr/https-AccessManager-1.example.com/bin
      # ./stopserv; ./startserv
      
    5. Log out of the AccessManager-1 host machine.

  2. Define authuiadmin as a special user in Access Manager 2.

    1. As a root user, log in to the AccessManager-2 host machine.

    2. Locate AMConfig.properties in the /export/am71adm/config directory.


      Tip –

      Back up AMConfig.properties before you modify it.


    3. Add the UniversalID you saved to the end of the list of values for the com.sun.identity.authentication.special.users property in AMConfig.properties.

      You saved id=authuiadmin,ou=agent,dc=example, dc=com in To Create an Agent Profile for the Distributed Authentication User Interface.


      Tip –

      Change ou=agent to ou=agents and id to uid before adding it to AMConfig.properties.


    4. Restart the Web Server 2 web container to apply the change.


      # cd /opt/SUNWwbsvr/https-AccessManager-2.example.com/bin
      # ./stopserv; ./startserv
      
    5. Log out of the AccessManager-2 host machine.
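The edit in step 3 of both procedures above (rewrite the copied UniversalID, then append it to the special-users property after a backup) as an added shell example; this is not from the Sun guide. It assumes the property sits on one line with '|'-separated values, as in the stock AMConfig.properties, and works on a constructed sample file rather than /export/am71adm/config/AMConfig.properties.

```shell
#!/bin/sh
# Added example, not from the Sun guide: turn the UniversalID copied from the
# console into the DN form the special-users property expects, then append it
# to com.sun.identity.authentication.special.users in AMConfig.properties after
# taking a backup. Assumes the property sits on one line with '|'-separated
# values, as in the stock file; the sample config below is constructed.
KEY=com.sun.identity.authentication.special.users

# Apply the Tip from the procedure: id= -> uid=, ou=agent -> ou=agents,
# and drop any stray spaces after commas.
to_special_user_dn() {
    printf '%s\n' "$1" | sed -e 's/^id=/uid=/' -e 's/,ou=agent,/,ou=agents,/' -e 's/, */,/g'
}

# Print the DNs currently listed in the property, one per line.
special_users() {
    awk -F= -v key="$KEY" '$1 == key {
        sub(/^[^=]*=/, ""); n = split($0, v, "|")
        for (i = 1; i <= n; i++) print v[i] }' "$1"
}

# Exit 0 if the DN is already a special user, 1 otherwise.
has_special_user() { special_users "$1" | grep -Fqx -- "$2"; }

# Append the DN; returns 1 (and leaves the file untouched) if already present.
add_special_user() {
    file=$1 dn=$2
    has_special_user "$file" "$dn" && return 1
    cp "$file" "$file.bak" || return 2          # Tip: back up before modifying
    awk -F= -v key="$KEY" -v dn="$dn" '
        $1 == key { sub(/^[^=]*=/, ""); print key "=" ($0 == "" ? dn : $0 "|" dn); next }
        { print }' "$file.bak" > "$file"
}

# Constructed stand-in for /export/am71adm/config/AMConfig.properties.
make_sample_config() {
    f=${TMPDIR:-/tmp}/AMConfig.properties.sample
    cat > "$f" <<'EOF'
# constructed excerpt, not a real AMConfig.properties
com.iplanet.am.server.host=AccessManager-1.example.com
com.sun.identity.authentication.special.users=cn=dsameuser,ou=DSAME Users,dc=example,dc=com|cn=amService-UrlAccessAgent,ou=DSAME Users,dc=example,dc=com
com.iplanet.am.defaultOrg=dc=example,dc=com
EOF
    printf '%s\n' "$f"
}

# Demo run with the UniversalID exactly as this page shows it.
CONFIG=$(make_sample_config)
DN=$(to_special_user_dn 'id=authuiadmin,ou=agent,dc=example, dc=com')
add_special_user "$CONFIG" "$DN" && echo "added $DN; backup in $CONFIG.bak"
special_users "$CONFIG"
```

Run it once per Access Manager host, then restart the web container as in step 4; a second run reports the DN as already present and leaves the file and backup untouched.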