Sun Java System Access Manager Policy Agent 2.2 Guide for IBM WebSphere Application Server 6.0

Installation Related Information About Agent for IBM WebSphere Application Server 6.0

The following sections provide important information about Policy Agent 2.2 for IBM WebSphere Application Server 6.0 required before you install the agent.

Supported Platforms and Compatibility of Agent for IBM WebSphere Application Server 6.0

The following sections provide information about the supported platforms of Policy Agent 2.2 for IBM WebSphere Application Server 6.0 as well as the compatibility of this agent with Access Manager.

Platform and Version Support of Agent for IBM WebSphere Application Server 6.0

The following table presents the platforms supported by Policy Agent 2.2 for IBM WebSphere Application Server 6.0.

Table 3–1 Platform and Version Support of Agent for IBM WebSphere Application Server 6.0

Agent for: IBM WebSphere Application Server 6.0

Supported Policy Agent Version: Version 2.2

Supported Access Manager Versions: Version 6.3 Patch 1 or greater; Version 7

Supported Platforms: Solaris™ Operating System (OS) for the SPARC® platform, versions 8, 9, and 10; Red Hat Enterprise Linux Advanced Server 3.0; AIX 5L version 5.2; Windows 2003, Enterprise Edition; Windows 2003, Standard Edition

Compatibility of Agent for IBM WebSphere Application Server 6.0 With Access Manager

Compatibility of Policy Agent 2.2 With Access Manager 7

All agents in the Policy Agent 2.2 release are compatible with Access Manager 7. Compatibility applies to both of the available modes of Access Manager: Realm Mode and Legacy Mode.

Install the latest Access Manager 7 patches to ensure that all enhancements and fixes are applied. For information about the latest Access Manager 7 patches, see the compatibility information discussed in Sun Java System Access Manager Policy Agent 2.2 Release Notes.

Compatibility of Policy Agent 2.2 With Access Manager 6.3

All agents in Policy Agent 2.2 are also compatible with Access Manager 6.3 Patch 1 or greater. However, certain limitations apply. For more information, see J2EE Agent Backward Compatibility With Access Manager 6.3.

High-Level Architecture of Agent for IBM WebSphere Application Server 6.0

Agent for IBM WebSphere Application Server 6.0 functions in a similar manner to all Access Manager J2EE agents in the Policy Agent 2.2 release. However, this agent, as with all agents, functions in accordance with the architecture of the underlying deployment container, which in this case is IBM WebSphere Application Server 6.0. This section describes the key components of this particular agent that enable it to interact with IBM WebSphere Application Server 6.0.


Caution –

The following information is an overview of the architecture of this agent, which corresponds to the architecture of IBM WebSphere Application Server 6.0. However, you should have a solid understanding of the concepts related to IBM WebSphere Application Server 6.0 before installing and configuring the agent for this deployment container.


Key Functionality of Agent for IBM WebSphere Application Server 6.0

Agent for IBM WebSphere Application Server 6.0 is designed to facilitate Single Sign-On (SSO) and enforce access control for application resources hosted by IBM WebSphere Application Server 6.0. When a user requests access to a hosted and protected application resource, the agent ensures the following:

Agent for IBM WebSphere Application Server 6.0 provides per instance configuration that allows you to enable or disable a part of the above functionality as necessary in certain deployment scenarios. For instance, the agent allows you to choose if the identity of the user should be established within Agent for IBM WebSphere Application Server's J2EE container. Furthermore, the agent provides a great deal of other functionality that allows you to customize its behavior in the most appropriate way to suit your site's deployment.

Components of Agent for IBM WebSphere Application Server 6.0

Agent for IBM WebSphere Application Server 6.0 is composed of three components that interact with each other, directly or indirectly via the IBM WebSphere Application Server 6.0 infrastructure, to facilitate the implementation of key agent functionality. The following is a brief description of each component:

Trust Association Interceptor implementation

This component uses a standard interface to facilitate SSO and propagate the user membership information to IBM WebSphere Application Server 6.0.

Custom User Registry implementation

This component uses a standard interface to facilitate the assertion of user membership information within the IBM WebSphere Application Server 6.0 security infrastructure as provided by the front-ending Trust Association Interceptor implementation.

Custom Servlet Filter implementation

This component uses a standard interface to facilitate advanced functionality, such as URL Policy enforcement and logout synchronization, to further secure the application resources and provide a seamless user experience.

Component Interaction in Agent for IBM WebSphere Application Server 6.0

During runtime, the agent components interact directly or indirectly via the IBM WebSphere Application Server 6.0 infrastructure to accomplish their functional requirements. In a typical scenario, a client request for a protected application resource will in some way invoke each of these three components, and the outcome of this invocation will largely govern the overall success of request processing. The following sequence illustrates how each of these components comes into play during various stages of request processing:

  1. The client makes a web request to access a hosted application resource protected by Agent for IBM WebSphere Application Server 6.0.

  2. If the resource is protected by a role-based constraint and the user's identity is not yet established, the security infrastructure of IBM WebSphere Application Server 6.0 invokes the agent's Trust Association Interceptor implementation.

  3. The Trust Association Interceptor implementation ensures that the user is authenticated and populates the corresponding subject with appropriate credentials that are validated by the agent's Custom User Registry implementation. This results in the establishment of the user's security principal in the web tier and allows the security infrastructure to evaluate any membership information for that user as required.

  4. If all the necessary requirements are satisfied, the security infrastructure allows the request to proceed to the application resource being protected. At this stage, the agent's Custom Servlet Filter implementation intercepts the request and enforces the applicable URL Policies. If the request bypassed the last two stages, the Custom Servlet Filter implementation assumes the task of authenticating the user and then performing the required processing. Note that the Custom Servlet Filter implementation does not establish or alter the Subject information associated with the user.
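
The sequence above can be traced with a small model. This is an added example, not code from the agent or from IBM WebSphere Application Server; it uses no product classes, and the field names, component labels and outcome strings are assumptions chosen for illustration. It shows which components run on each path and whether the container ends up holding a principal for the user.

```python
from dataclasses import dataclass, field

# Added model of steps 1-4; every name here is hypothetical.
# Role-membership evaluation by the container is left out of the model.

@dataclass
class Request:
    role_constrained: bool      # resource carries a role-based constraint
    identity_established: bool  # container already holds the user's principal
    sso_valid: bool             # user has a valid Access Manager session
    url_policy_allows: bool     # URL Policy decision for this request

@dataclass
class Result:
    invoked: list = field(default_factory=list)
    container_principal: bool = False
    outcome: str = ""

def process(req: Request) -> Result:
    res = Result(container_principal=req.identity_established)
    tai_ran = False
    # Step 2: the container invokes the interceptor only for a role-constrained
    # resource when the user's identity is not yet established.
    if req.role_constrained and not req.identity_established:
        res.invoked.append("TrustAssociationInterceptor")
        tai_ran = True
        if not req.sso_valid:
            res.outcome = "AUTHENTICATION_REQUIRED"  # assumed label
            return res
        # Step 3: the registry validates the credentials placed in the
        # subject, which establishes the principal in the web tier.
        res.invoked.append("CustomUserRegistry")
        res.container_principal = True
    # Step 4: the filter intercepts every request that gets this far.
    res.invoked.append("CustomServletFilter")
    if not tai_ran and not req.sso_valid:
        # Steps 2-3 were bypassed, so the filter authenticates the user itself.
        res.outcome = "AUTHENTICATION_REQUIRED"
        return res
    # The filter enforces URL Policy; it never sets or alters the Subject.
    res.outcome = "ALLOW" if req.url_policy_allows else "DENY"
    return res

if __name__ == "__main__":
    # Constructed sample requests: role-constrained vs. unconstrained resource.
    for sample in (Request(True, False, True, True),
                   Request(False, False, True, True)):
        print(sample, "->", process(sample))
```

In the second sample only the filter runs and `container_principal` stays false, so the request can be allowed by URL Policy while the container itself holds no principal for the user.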