Sun Java System Access Manager Policy Agent 2.2 Guide for Microsoft Internet Information Services 6.0

ProcedureMicrosoft SharePoint and Outlook Web Access: To Prepare for Installation

The steps described in this task are required after you perform the pre-installation steps for the basic installation on Microsoft IIS 6.0 as described in Preparing To Install Agent for Microsoft IIS 6.0.

These additional pre-installation steps are necessary to deploy a post-authentication module on Access Manager. In order to achieve SSO with Microsoft SharePoint or Outlook Web Access using Agent for Microsoft IIS 6.0, Access Manager must send the password to the agent. This requires a post-authentication module to be deployed on Access Manager. The post-authentication module encrypts users' passwords and sends them to Agent for Microsoft IIS 6.0.

Perform the steps in this task on the Access Manager host.

Before You Begin

Caution –

If you are installing Agent for Microsoft IIS 6.0 to protect Outlook Web Access, prior to installing the agent, ensure that the user repositories in Access Manager and Microsoft Exchange Server are synchronized. For this scenario, Microsoft Exchange Server and the Access Manager LDAP v3 plug-in can point to the same Active Directory.


The following information about Access Manager is helpful for this task:

AccessManager-base represents the Access Manager base installation directory. On Solaris systems, the default base installation directory is /opt/SUNWam.

The following is the default location of the AMConfig.properties file:

/etc/opt/SUNWam/config

  1. Set the JAVA_HOME variable to the location used to install Access Manager.

  2. (Conditional) If the files DESGenKey.java and ReplayPasswd.java are not bundled with your Access Manager binaries (see the version list within this step), obtain and compile them. Otherwise, skip to the next step.

    The DESGenKey.java file is the key generator; the ReplayPasswd.java file is the post-authentication plug-in.

    The availability of DESGenKey.class and ReplayPasswd.class varies according to the Access Manager version. The following list indicates which versions of Access Manager have these classes bundled with them and which versions do not.

    Bundled with
    • Access Manager 7.0 series from Patch 5 forward

    • Access Manager 7.1 series from Patch 1 forward

    Not bundled with
    • Any version of the Access Manager 7.0 series prior to patch 5

    • Access Manager 7.1

    You can obtain the files DESGenKey.java and ReplayPasswd.java by contacting Sun technical support.

    1. Download the files DESGenKey.java and ReplayPasswd.java to the following directory:

      AccessManager-base/lib
    2. Change to the following directory:

      AccessManager-base/lib
    3. Compile ReplayPasswd.java and DESGenKey.java as follows:

      # javac -classpath AccessManager-base/lib/am_services.jar:AccessManager-base/lib/am_sdk.jar:AccessManager-base/lib/servlet.jar ReplayPasswd.java DESGenKey.java
  3. Execute DESGenKey.class as follows:

    Access Manager 7.0 series from Patch 5 forward and Access Manager 7.1 series from Patch 1 forward

    # java com.sun.identity.common.DESGenKey

    Any version of the Access Manager 7.0 series prior to patch 5 and Access Manager 7.1

    # java DESGenKey

    Executing DESGenKey.class returns a string. This string is the key that the post-authentication module uses to encrypt users' passwords before sending them to the agent, and it is used in the following steps.

  4. Add the string produced in the previous step to a newly created text file as described in the substeps that follow.

    1. Copy the string produced in the previous step.

    2. Create a file, which for this example is named des_key.txt, in a directory of your choosing.

      The des_key.txt name is used in this guide as an example. Name the file differently if you wish. Because this string is the key that protects users' passwords between Access Manager and the agent, restrict read access to the file (for example, mode 600, owned by the user that runs Access Manager) and do not leave copies of it on shared systems.

    3. Save the copied string in the des_key.txt file.

  5. Configure the com.sun.am.replaypasswd.key property in the AMConfig.properties configuration file as described in the substeps that follow.

    1. Open the AMConfig.properties configuration file.

    2. Add the following property to the file:

      com.sun.am.replaypasswd.key
    3. Copy the string from the des_key.txt file.

    4. Add the copied string as the value of the com.sun.am.replaypasswd.key property.

      For example, if the string in the des_key.txt file is wuqUJyr=5Gc=, then the new property would be set as follows:

      com.sun.am.replaypasswd.key = wuqUJyr=5Gc=
  6. Configure a property specific to Microsoft Office SharePoint or Outlook Web Access in the AMConfig.properties file as described in the substeps that follow.

    1. Add the respective property and corresponding value to the file as indicated:

      • Microsoft Office SharePoint:

        Add the following property and value if you are installing the agent for Microsoft Office SharePoint:

        com.sun.am.sharepoint_login_attr_name = SharePoint-login-value
        

        where SharePoint-login-value is a placeholder that you must replace with the name of an LDAP login attribute that exists in both Access Manager and Microsoft Office SharePoint Server.

        For example, if the actual value of SharePoint-login-value is login, the setting for this property would be as follows:

        com.sun.am.sharepoint_login_attr_name = login
      • Outlook Web Access

        Add the following property and value if you are installing the agent for Outlook Web Access.

        com.sun.am.iis_owa_enabled = true
    2. Save and close the AMConfig.properties file.

  7. Restart Access Manager.

  8. Deploy the post-authentication plug-in, ReplayPasswd, as described in the substeps that follow.

    This step requires the use of Access Manager Console.

    1. Log in to Access Manager as amadmin.

    2. With the Access Control tab selected, click the name of the realm you wish to configure.

    3. Click the Authentication tab.

    4. Click Advanced Properties.

      The Advanced Properties button is in the General section.

    5. Scroll down to the Authentication Post Processing Classes field.

    6. In the Authentication Post Processing Classes field, enter the appropriate text depending upon the Access Manager version:

      For Access Manager 7.0 series from Patch 5 forward and Access Manager 7.1 series from Patch 1 forward

      Enter the following: com.sun.identity.authentication.spi.ReplayPasswd

      For Any version of the Access Manager 7.0 series prior to patch 5 and Access Manager 7.1

      Enter the following: ReplayPasswd

    7. Scroll up to click Save.

    8. Click Log Out to log out of the Access Manager Console.

  9. Verify the deployment of the post-authentication plug-in, ReplayPasswd, as described in the substeps that follow.

    1. Stop Access Manager.

    2. Access the AMConfig.properties configuration file.

    3. Note the current value of the following property, then change it to message, as indicated:

      com.iplanet.services.debug.level = message

      You must restore the original value at the completion of this step. The message level is the most verbose debug level and is not intended for normal operation.

    4. Save and close the file.

    5. Start Access Manager.

    6. Log in to Access Manager Console.

      Again use amadmin.

    7. Click Log Out to immediately log out of the Access Manager Console.

    8. Change directories to the Access Manager debug log files.

      The default location of the debug log files is /var/opt/SUNWam/debug.

    9. Verify the existence of a file named ReplayPasswd.

      The existence of this file indicates the successful deployment of the post-authentication plug-in. If the file is absent, check that the class name entered in the Authentication Post Processing Classes field matches your Access Manager version and that Access Manager was restarted after the change.

    10. Reset the debug value to its original value.

    11. Restart Access Manager.

  10. (Conditional) If you are installing this agent to protect Outlook Web Access, edit the idle session timeout page as described in the substeps that follow.


    Note –

    This step is implemented for deployments where the agent establishes SSO with Outlook Web Access. It does not apply to Microsoft Office SharePoint. Outlook Web Access runs in multiple frames. If this step is not implemented and a session timeout occurs, the session timeout page fills the entire browser window instead of just a single frame. Implementing this step directs the session timeout page, when issued, to fill only a single frame.


    1. Make a backup copy of the idle session timeout page.

      The idle session timeout page is typically the session_timeout.jsp file. You must locate the file on the Access Manager host. Be aware that the name and location of this file can vary. For example, for Access Manager 7.0, this file is located in the following directory:

      /opt/SUNWwbsvr/https-FQDN/is-webapps/services/config/auth/default

      where FQDN is a placeholder for the fully qualified domain name of the Access Manager instance you are configuring.

    2. Open the idle session timeout page.

    3. Add the script that follows between the tags <head> and </head>:

      <script type="text/javascript">
      function redirect() {
          location.replace(location.href);
      }
      </script>
    4. Replace the login link so that it reloads only the current frame, as indicated by the following example:

      Find and delete the following snippet of code:

      <auth:href name="LoginURL" fireDisplayEvents='true'><jato:text name="txtGotoLoginAfterFail" /></auth:href>

      Enter the following snippet of code in its place:

      <a href="#" onClick="redirect(); return false;"><jato:text name="txtGotoLoginAfterFail" /></a>

      Because location refers to the frame in which the timeout page was rendered, location.replace(location.href) reloads that frame alone, so the login page it is redirected to appears within that frame rather than replacing the whole browser window.

  11. Restart Access Manager.
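The property edits in steps 4 to 6 and the debug-level toggle in step 9 are easy to get wrong by hand: a property added twice, a key file readable by every account on the host, or a debug level left at message. The following POSIX shell script is an added example and is not part of the Sun guide or the agent distribution; it shows one way to make those edits idempotently, to store the key with owner-only permissions, and to restore the debug level automatically after the verification. The property names are those from the guide. The sample AMConfig.properties, the key value (the guide's sample string, not a real key), the stand-in debug directory and the fallback value error for an absent debug level are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Sun guide: idempotent edits to
# AMConfig.properties for steps 4 to 6 and 9 above. Property names are the
# guide's; the sample file, key value and debug directory are constructed.

# set_property FILE NAME VALUE
# Replace the value of NAME if the file already has it, otherwise append it.
# The dotted property name is matched literally (index), not as a regex.
# Note: awk -v processes backslash escapes in VALUE.
set_property() {
    _file=$1; _name=$2; _value=$3
    _tmp="$_file.tmp.$$"
    awk -v n="$_name" -v v="$_value" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (!done && index(line, n) == 1) {
                rest = substr(line, length(n) + 1)
                if (rest ~ /^[ \t]*=/) { print n " = " v; done = 1; next }
            }
            print
        }
        END { if (!done) print n " = " v }
    ' "$_file" > "$_tmp" && mv "$_tmp" "$_file"
}

# get_property FILE NAME: print the value of NAME (empty if absent).
get_property() {
    awk -v n="$2" '
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, n) == 1) {
                rest = substr(line, length(n) + 1)
                if (rest ~ /^[ \t]*=/) {
                    sub(/^[ \t]*=[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest)
                    print rest; exit
                }
            }
        }' "$1"
}

# write_key_file FILE KEY: store the DESGenKey output (step 4) readable only
# by the owner, since it is the key that protects users' passwords in transit.
write_key_file() {
    _old_umask=$(umask)
    umask 077
    printf '%s\n' "$2" > "$1"
    chmod 600 "$1"
    umask "$_old_umask"
}

# configure_target FILE sharepoint ATTR | configure_target FILE owa  (step 6)
configure_target() {
    case "$2" in
        sharepoint) set_property "$1" com.sun.am.sharepoint_login_attr_name "$3" ;;
        owa)        set_property "$1" com.sun.am.iis_owa_enabled true ;;
        *) echo "usage: configure_target FILE sharepoint ATTR | FILE owa" >&2; return 2 ;;
    esac
}

# with_message_debug FILE CMD...: step 9 without forgetting the reset. Raise
# com.iplanet.services.debug.level to message, run CMD (on a real host: the
# restart, login/logout and debug-file check), then restore the old level.
# Assumption: if the property was absent, "error" is restored.
with_message_debug() {
    _cfg=$1; shift
    _orig=$(get_property "$_cfg" com.iplanet.services.debug.level)
    [ -n "$_orig" ] || _orig=error
    set_property "$_cfg" com.iplanet.services.debug.level message
    if "$@"; then _rc=0; else _rc=$?; fi
    set_property "$_cfg" com.iplanet.services.debug.level "$_orig"
    return $_rc
}

# replaypasswd_deployed DEBUGDIR: the guide's check, a file named ReplayPasswd.
replaypasswd_deployed() { [ -f "$1/ReplayPasswd" ]; }

# --- Demonstration on a constructed file (no Access Manager needed) ---
demo_dir=$(mktemp -d)            # left in place so the result can be inspected
demo_cfg="$demo_dir/AMConfig.properties"
cat > "$demo_cfg" <<'EOF'
# constructed sample: only the properties this procedure touches
com.iplanet.services.debug.level=error
com.iplanet.am.server.host=am.example.com
EOF
write_key_file "$demo_dir/des_key.txt" "wuqUJyr=5Gc="   # the guide's sample string
set_property "$demo_cfg" com.sun.am.replaypasswd.key "$(cat "$demo_dir/des_key.txt")"
set_property "$demo_cfg" com.sun.am.replaypasswd.key "$(cat "$demo_dir/des_key.txt")"   # re-run: no duplicate line
configure_target "$demo_cfg" owa
mkdir -p "$demo_dir/debug" && : > "$demo_dir/debug/ReplayPasswd"   # stand-in for /var/opt/SUNWam/debug
with_message_debug "$demo_cfg" replaypasswd_deployed "$demo_dir/debug" && echo "plug-in deployed"
cat "$demo_cfg"
```

On a real host, point the functions at /etc/opt/SUNWam/config/AMConfig.properties and /var/opt/SUNWam/debug, and pass the actual stop, start, login and check steps as the command to with_message_debug; the script does not restart Access Manager or log in to the console for you, it only keeps the file edits consistent around those actions.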