Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover

9.2.3 Setting Up a Test for the J2EE Policy Agent 2

Use the following list of procedures as a checklist for setting up a test for the J2EE Policy Agent 2.

  1. To Deploy the J2EE Policy Agent 2 Sample Application

  2. To Create a Test Referral Policy in the Access Manager Root Realm

  3. To Create a Test Policy in the Access Manager User Realm

  4. To Configure Properties for the J2EE Policy Agent 2 Sample Application

  5. To Verify that J2EE Policy Agent 2 is Configured Properly

Procedure: To Deploy the J2EE Policy Agent 2 Sample Application

The BEA Policy Agent comes with a sample application created to help test policies. For more information, see the file readme.txt in the /export/J2EEPA2/j2ee_agents/am_wl92_agent/sampleapp directory.

  1. Access http://ProtectedResource-2.example.com:7001/console from a web browser.

  2. Log in to the WebLogic Server console as the administrator.

    Username

    weblogic

    Password

    w3bl0g1c

  3. On the Summary of Deployments page, click Lock & Edit.

  4. Under Domain Structure, click Deployments.

  5. Under Deployments, click Install.

  6. On the Install Application Assistant page, click the protectedresource-2.example.com link.

  7. In the list for Location: protectedresource-2.example.com, click the root directory.

  8. Navigate to the application directory (/export/J2EEPA2/j2ee_agents/am_wl92_agent/sampleapp/dist), select agentsample, and click Next.

  9. In the Install Application Assistant page, choose Install this deployment as an application and click Next.

  10. In the list of Servers, mark the checkbox for ApplicationServer-2 and click Next.

  11. On the Optional Settings page, click Next to accept the default settings.

  12. On the Review Your Choices page, click Finish.

    The Target Summary section indicates that the module agentsample will be installed on the target ApplicationServer-2.

  13. On the Settings for agentsample page, click Save.

  14. On the Settings for agentsample page, click Activate Changes.

  15. Under Domain Structure, click Deployments.

  16. In the Deployments list, mark the checkbox for agentsample and click Start > Servicing All Requests.

  17. On the Start Application Assistant page, click Yes.

    The state of the deployment changes from Prepared to Active.

  18. Log out of the console.

Procedure: To Create a Test Referral Policy in the Access Manager Root Realm

  1. Access http://LoadBalancer-3.example.com:7070/amserver/UI/Login, the Access Manager load balancer, from a web browser.

  2. Log in to the Access Manager console as the administrator.

    Username

    amadmin

    Password

    4m4dmin1

  3. Under the Access Control tab, click the example realm link.

  4. Click the Policies tab.

  5. Under Policies, click the Referral URL Policy for users realm link.

  6. On the Edit Policy page, under Rules, click New.

  7. On the resulting page, select URL Policy Agent (with resource name) and click Next.

  8. On the resulting page, provide the following information and click Finish.

    Name:

    URL Policy for ApplicationServer-2

    Resource Name:

    http://protectedresource-2.example.com:1081/agentsample/*


    Note –

    Make sure the hostname is typed in lowercase. The resource name is compared with the request URL that the agent reports, and a hostname containing uppercase letters will not match it, so the policy would silently never apply.


  9. On the resulting page, click Save.

Procedure: To Create a Test Policy in the Access Manager User Realm

Before You Begin

This procedure assumes you have just completed To Create a Test Referral Policy in the Access Manager Root Realm.

  1. In the Access Manager console, under the Access Control tab, click the users realm link.

  2. Click the Policies tab.

  3. Under Policies, click New Policy.

  4. In the Name field, enter URL Policy for ApplicationServer-2.

  5. Under Rules, click New.

  6. On the resulting page, make sure the default URL Policy Agent (with resource name) is selected and click Next.

  7. On the resulting page, provide the following information and click Finish.

    Name:

    agentsample

    Parent Resource Name:

    From the list, select http://protectedresource-2.example.com:1081/agentsample/*

    Resource Name:

    The value of this property is populated when you select the Parent Resource Name. It should read http://protectedresource-2.example.com:1081/agentsample/*.

    GET

    Mark this check box and verify that Allow is selected.

    POST

    Mark this check box and verify that Allow is selected.

    The rule agentsample is now added to the list of Rules.

  8. Under Subjects, click New.

  9. On the resulting page, select Access Manager Identity Subject and click Next.

  10. On the resulting page, provide the following information and click Search.

    Name:

    agentsampleGroup

    Filter:

    Select Group.

    Manager-Group and Employee-Group are displayed in the Available list.

  11. Select Manager-Group and Employee-Group and click Add.

    The groups are now displayed in the Selected list.

  12. Click Finish.

  13. Click OK.

    The new policy, URL Policy for ApplicationServer-2, is now included in the list of Policies.

  14. Log out of the Access Manager console.

Procedure: To Configure Properties for the J2EE Policy Agent 2 Sample Application

Modify AMAgent.properties.

  1. Log in as a root user to the ProtectedResource-2 host machine.

  2. Change to the config directory.


    # cd /export/J2EEPA2/j2ee_agents/am_wl92_agent/agent_001/config
    

    Tip –

    Backup AMAgent.properties before you modify it.


  3. Modify these properties in AMAgent.properties as follows. Each property is a single line. The notenforced.uri entries are served without any authentication, so keep that list to the sample application's genuinely public pages.


    com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
    com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
    com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
    com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
    com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
    com.sun.identity.agents.config.access.denied.uri = /agentsample/authentication/accessdenied.html
    com.sun.identity.agents.config.login.form[0] = /agentsample/authentication/login.html
    com.sun.identity.agents.config.login.url[0] = http://LoadBalancer-3.example.com:7070/amserver/UI/Login?realm=users
    com.sun.identity.agents.config.privileged.attribute.type[0] = group
    com.sun.identity.agents.config.privileged.attribute.tolowercase[group] = false
  4. Set these remaining properties as follows.


    Note –

    This is specific to this deployment example. For more information see The agentadmin -getUuid command fails for amadmin user on Access Manager 7 with various agents (6452713) in Sun Java System Access Manager Policy Agent 2.2 Release Notes.


    1. Retrieve the Universal IDs.

      They were saved in To Create Manager and Employee Groups Using Access Manager for J2EE Policy Agent Test.

    2. Convert all uppercase letters to lowercase and insert a backslash (\) before each equal sign (=). The backslash is required because the Universal ID becomes part of a properties key, and an unescaped equal sign in a key is read as the key/value separator, which would truncate the key.

      • Change id=Manager-Group,ou=group,o=users,ou=services,dc=example,dc=com to id\=manager-group,ou\=group,o\=users,ou\=services,dc\=example,dc\=com.

      • Change id=Employee-Group,ou=group,o=users,ou=services,dc=example,dc=com to id\=employee-group,ou\=group,o\=users,ou\=services,dc\=example,dc\=com.

    3. Set the properties.


      com.sun.identity.agents.config.privileged.attribute.mapping[id\=manager-group,ou\=group,o\=users,ou\=services,dc\=example,dc\=com] = am_manager_role
      com.sun.identity.agents.config.privileged.attribute.mapping[id\=employee-group,ou\=group,o\=users,ou\=services,dc\=example,dc\=com] = am_employee_role
  5. Save AMAgent.properties and close the file.

  6. Restart the Application Server 2 administration server and managed server.

    1. Change to the bin directory.


      # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
      
    2. Stop the managed server.


      # ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001
      
    3. Stop the administration server.


      # ./stopWebLogic.sh
      
    4. Start the administration server.


      # ./startWebLogic.sh &
      
    5. Start the managed server.


      # ./startManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001 &
      
  7. Log out of the ProtectedResource-2 host machine.
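The following script is an added example, not part of the Sun guide or the Policy Agent distribution. It checks the edits from steps 3 and 4 before the restart in step 6: it splits each line with the java.util.Properties rules (a key ends at the first unescaped equal sign, colon, space or tab, and a backslash escapes the next character), which is exactly why the group DNs in the mapping keys need every equal sign escaped, and it evaluates the not-enforced list against request paths. Its sample properties text is constructed from the values in this procedure plus one deliberately unescaped mapping key; the wildcard matcher assumes the agent's * matches any run of characters, slash included.

```python
"""Check the AMAgent.properties edits from steps 3 and 4 before restarting WebLogic.

Added example; not part of the Sun guide or the Policy Agent. It applies the
java.util.Properties key/value split rules and the agent's not-enforced list.
ASSUMPTION: the '*' wildcard matches any run of characters, '/' included.
"""
import re

# Constructed sample: the properties as edited in steps 3 and 4, plus one
# deliberately unescaped mapping key to show what goes wrong without backslashes.
SAMPLE_PROPERTIES = r"""
com.sun.identity.agents.config.notenforced.uri[0] = /agentsample/public/*
com.sun.identity.agents.config.notenforced.uri[1] = /agentsample/images/*
com.sun.identity.agents.config.notenforced.uri[2] = /agentsample/styles/*
com.sun.identity.agents.config.notenforced.uri[3] = /agentsample/index.html
com.sun.identity.agents.config.notenforced.uri[4] = /agentsample
com.sun.identity.agents.config.access.denied.uri = /agentsample/authentication/accessdenied.html
com.sun.identity.agents.config.login.form[0] = /agentsample/authentication/login.html
com.sun.identity.agents.config.login.url[0] = http://LoadBalancer-3.example.com:7070/amserver/UI/Login?realm=users
com.sun.identity.agents.config.privileged.attribute.type[0] = group
com.sun.identity.agents.config.privileged.attribute.tolowercase[group] = false
com.sun.identity.agents.config.privileged.attribute.mapping[id\=manager-group,ou\=group,o\=users,ou\=services,dc\=example,dc\=com] = am_manager_role
# WRONG (missing backslashes): the key stops at the first '='
com.sun.identity.agents.config.privileged.attribute.mapping[id=employee-group,ou=group,o=users,ou=services,dc=example,dc=com] = am_employee_role
"""

MAPPING_PREFIX = "com.sun.identity.agents.config.privileged.attribute.mapping["
NOTENFORCED_PREFIX = "com.sun.identity.agents.config.notenforced.uri["


def split_property(line):
    """Split one line into (key, value) the way java.util.Properties does."""
    key = []
    i = 0
    while i < len(line):
        c = line[i]
        if c == "\\" and i + 1 < len(line):   # escaped char: keep it, drop the backslash
            key.append(line[i + 1])
            i += 2
            continue
        if c in "=: \t":                       # first unescaped separator ends the key
            break
        key.append(c)
        i += 1
    rest = line[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return "".join(key), rest


def parse_properties(text):
    """Parse a properties file body into a dict (comments and blank lines skipped)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value = split_property(line)
        props[key] = value
    return props


def role_for_group(props, universal_id):
    """Role mapped to a group Universal ID, or None if the key was not written correctly.
    On disk the key is lowercase with backslash-escaped '='; once parsed it is a plain DN."""
    return props.get(MAPPING_PREFIX + universal_id.lower() + "]")


def mapping_key_line(universal_id, role):
    """Produce the step 4 properties line: lowercase the ID and escape every '='."""
    return MAPPING_PREFIX + universal_id.lower().replace("=", r"\=") + "] = " + role


def is_enforced(props, request_uri):
    """True if the agent would require authentication for request_uri."""
    for key, pattern in props.items():
        if key.startswith(NOTENFORCED_PREFIX):
            regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
            if re.match(regex, request_uri):
                return False
    return True


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for uid in ("id=Manager-Group,ou=group,o=users,ou=services,dc=example,dc=com",
                "id=Employee-Group,ou=group,o=users,ou=services,dc=example,dc=com"):
        print(uid, "->", role_for_group(props, uid))
    for path in ("/agentsample", "/agentsample/", "/agentsample/index.html",
                 "/agentsample/images/logo.gif", "/agentsample/public/help.html"):
        print(path, "enforced" if is_enforced(props, path) else "not enforced")
```

Run it against a copy of your edited AMAgent.properties by replacing SAMPLE_PROPERTIES with the file contents: a None result for either group means the mapping key was truncated and the role will never be granted, and any path that prints "not enforced" is reachable without logging in. Note that /agentsample/ (with a trailing slash) is not in the list, only /agentsample and /agentsample/index.html are.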

Procedure: To Verify that J2EE Policy Agent 2 is Configured Properly

Use these steps to access the agent sample application and test policies against it.

  1. Access http://ProtectedResource-2.example.com:1081/agentsample/index.html, the sample application URL, from a web browser.

    The Sample Application welcome page is displayed.

  2. Click the J2EE Declarative Security link.

  3. On the resulting page, click Invoke the Protected Servlet.

    You are redirected to the Access Manager login page.

  4. On the Access Manager login page, log in as testuser1.

    Username

    testuser1

    Password

    password

    If you can successfully log in as testuser1 and the J2EE Policy Agent Sample Application page is displayed, the first part of the test has succeeded and authentication is working as expected.

  5. Click the J2EE Declarative Security link again.

  6. On the resulting page, click Invoke the Protected Servlet.

    If the Success Invocation message is displayed, the second part of the test has succeeded as the sample policy for the manager role has been enforced as expected.

  7. Click the J2EE Declarative Security link to return.

  8. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

    If the Failed Invocation message is displayed, the third part of the test has succeeded as the sample policy for the employee role has been enforced as expected.

  9. Log out and close the browser.

  10. In a new browser session, access http://ProtectedResource-2.example.com:1081/agentsample/index.html, the sample application URL, again.

    The Sample Application welcome page is displayed.

  11. Click the J2EE Declarative Security link.

  12. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

    You are redirected to the Access Manager login page.


    Tip –

    If you are not redirected to the Access Manager login page for authentication, clear your browser's cache and cookies and try again.


  13. On the Access Manager login page, log in as testuser2.

    Username

    testuser2

    Password

    password

    The Failed Invocation message is displayed. This is a known issue.

  14. Click the J2EE Declarative Security link.

  15. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

    The Successful Invocation message is displayed as the sample policy for the employee role has been enforced as expected.

  16. Click the J2EE Declarative Security link to return.

  17. On the resulting page, click Invoke the Protected Servlet.

    If the Access to Requested Resource Denied message is displayed, this part of the test has succeeded as the sample policy for the manager role has been enforced as expected.

  18. Log out and close the browser.
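A scripted form of steps 1 to 3 above, added here as an example and not part of the Sun guide or the Policy Agent: an unauthenticated request for the not-enforced welcome page must be answered directly with HTTP 200, and one for a protected resource must be redirected to the Access Manager login page on LoadBalancer-3 in the users realm, carrying the requested URL back in the redirect parameter. Two assumptions are made: that the agent passes the original URL in a query parameter named goto (the agent's default redirect parameter name), and that PROTECTED_PATH is a placeholder for whatever the Invoke the Protected Servlet link points at, which this section does not state.

```python
"""Unauthenticated probe of the sample application behind J2EE Policy Agent 2.

Added example; not part of the Sun guide or the Policy Agent.
ASSUMPTIONS: the agent returns the requested URL in a 'goto' query parameter,
and PROTECTED_PATH is a placeholder for the sample app's protected servlet.
"""
import http.client
from urllib.parse import parse_qs, urlsplit

AGENT_HOST = "protectedresource-2.example.com"
AGENT_PORT = 1081
LOGIN_URL = "http://LoadBalancer-3.example.com:7070/amserver/UI/Login"  # login.url[0] without its query
WELCOME_PATH = "/agentsample/index.html"
PROTECTED_PATH = "/agentsample/protected/servlet"                       # ASSUMED placeholder path


def classify(status, location, requested_url):
    """Classify an agent response as 'open', 'login-redirect', 'wrong-redirect' or 'unexpected'."""
    if status == 200:
        return "open"
    if status not in (302, 303, 307):
        return "unexpected"
    if not location:
        return "wrong-redirect"
    got, want = urlsplit(location), urlsplit(LOGIN_URL)
    query = parse_qs(got.query)
    if (got.scheme, got.netloc.lower(), got.path) != (want.scheme, want.netloc.lower(), want.path):
        return "wrong-redirect"      # not the load-balanced login URL from login.url[0]
    if query.get("realm") != ["users"]:
        return "wrong-redirect"      # realm missing or wrong: the login would not be in the users realm
    if query.get("goto", [None])[0] != requested_url:
        return "wrong-redirect"      # the agent would not return the user to the page they asked for
    return "login-redirect"


def probe(path):
    """GET one path without following redirects and classify the answer."""
    conn = http.client.HTTPConnection(AGENT_HOST, AGENT_PORT, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify(resp.status, resp.getheader("Location"),
                        "http://%s:%d%s" % (AGENT_HOST, AGENT_PORT, path))
    finally:
        conn.close()


def run_checks():
    """Return (welcome page result, protected path result); want ('open', 'login-redirect')."""
    return probe(WELCOME_PATH), probe(PROTECTED_PATH)


if __name__ == "__main__":
    welcome, protected = run_checks()
    print("welcome page:", welcome, "(want open)")
    print("protected path:", protected, "(want login-redirect)")
```

If the protected path comes back as "open", the agent filter is not intercepting the request (check the deployment descriptor and that the managed server restarted after the properties change); "wrong-redirect" usually means login.url[0] points at an individual Access Manager instance or lacks realm=users.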