Sun Java System Access Manager Policy Agent 2.2 Guide for SAP Enterprise Portal 6.0 and Web Application Server 6.40

Chapter 4 Post-Installation Tasks of Policy Agent 2.2 for SAP Portal 6.0/Server 6.40

This chapter describes configuration and other post-installation considerations and tasks. The chapter is divided into three broad categories as follows:

After completing the applicable tasks described in this chapter, perform the tasks to configure the agent to your site's specific requirements as explained in Chapter 5, Managing Policy Agent 2.2 for SAP Portal 6.0/Server 6.40.

Common Post-Installation Steps for All J2EE Agents in Policy Agent 2.2

The task described in this section applies to all J2EE agent installations.

Updating the Agent Profile for J2EE Agents in Policy Agent 2.2

This procedure is not required. The agent profile is created and updated in Access Manager Console. The agent profile should originally be created prior to installing an agent. However, after you install a J2EE agent, you can update the agent profile at any time. If you do update the agent profile in Access Manager Console, you must then configure the J2EE agent accordingly as described in this section.

Procedure: To Update the Agent Profile for J2EE Agents in Policy Agent 2.2

Before You Begin

Change the agent profile in Access Manager using Access Manager Console. For more information about the agent profile, see Creating a J2EE Agent Profile.

  1. Change the password in the password file to match the new password you just created in Access Manager Console as a part of the agent profile.

    The password file should originally have been created as a J2EE agent pre-installation task. For more information about pre-installation, see Preparing to Install Agent for SAP Portal 6.0/Server 6.40.

  2. In the command line, issue the agentadmin --encrypt command to encrypt the new password.

    For more information on this command, see agentadmin --encrypt.

  3. Access the J2EE agent AMAgent.properties configuration file at the following location:

    PolicyAgent-base/AgentInstance-Dir/config
  4. In this configuration file, edit the property for the agent ID to match the new ID in the agent profile as follows:

    com.sun.identity.agents.app.username = agentID
    

    where agentID represents the new agent ID that you created for the agent profile in Access Manager Console.

  5. Edit the property for the agent password as follows:

    com.iplanet.am.service.secret = encryptedPassword
    

    where encryptedPassword represents the new encrypted password you created when you issued the agentadmin --encrypt command.

  6. Restart the J2EE agent container.

    The container needs to be restarted because neither property that you edited in this task is hot-swap enabled.

Post-Installation Steps Specific to Agent for SAP Portal 6.0/Server 6.40

Once you have installed Policy Agent 2.2 for SAP Portal 6.0/Server 6.40 and you have performed the post-installation steps that apply to all J2EE agents in the Policy Agent 2.2 release, complete the tasks in this section that apply to your site's deployment. This section contains the following subsections:

First, perform the task involving the installation of the agent filter, which applies to both supported deployment containers: SAP Enterprise Portal 6.0 and SAP Web Application Server 6.40. Next perform the applicable set of tasks depending upon which deployment container you are configuring. Each set of tasks is required for its corresponding deployment container.

Post-Installation of Agent for SAP Portal 6.0/Server 6.40: Both Deployment Containers

This section applies to both of the deployment containers supported by Agent for SAP Portal 6.0/Server 6.40: SAP Enterprise Portal 6.0 and SAP Web Application Server 6.40. Only the one procedure about installing the agent filter is described in this section.

Installing the Agent Filter for the Deployed Application on Agent for SAP Portal 6.0/Server 6.40

The agent filter can be installed by modifying the deployment descriptor of the application that needs to be protected.

Procedure: To Install the Agent Filter for the Deployed Application on Agent for SAP Portal 6.0/Server 6.40

The following steps explain how to install the agent filter for the application you want the agent to protect:

  1. To install the agent filter, ensure that the application is not currently deployed on SAP Portal 6.0/Server 6.40.

    If it is currently deployed, remove it before proceeding any further.

  2. Create the necessary backups before proceeding to modify these descriptors.

    Since you will modify the deployment descriptor in the next step, creating backup files at this point is important.

  3. Edit the application's web.xml descriptor as follows:

    1. Set the <DOCTYPE> element as shown in the following code example. A Servlet 2.4 descriptor is validated against an XML schema, so the declaration takes the form of attributes on the root <web-app> element:


      <web-app version="2.4"
       xmlns="http://java.sun.com/xml/ns/j2ee"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
       http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

      SAP Portal 6.0/Server 6.40 supports the Java Servlet Specification version 2.4.

      Note that Servlet API version 2.4 is fully backward compatible with version 2.3. Therefore, all existing servlets should work without modification or recompilation.

    2. Edit the application's web.xml descriptor.

      Add the <filter> elements in the deployment descriptor. Do this by specifying the <filter>, <filter-mapping>, and <dispatcher> elements immediately following the description element of the <web-app> element in the descriptor web.xml. The following code example displays a sample web.xml descriptor with the <filter>, <filter-mapping>, and <dispatcher> elements added.


      <web-app>
      ..
      ..
          <filter>
              <filter-name>Agent</filter-name>
              <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
          </filter>
          <filter-mapping>
              <filter-name>Agent</filter-name>
              <url-pattern>/*</url-pattern>
              <dispatcher>REQUEST</dispatcher>
              <dispatcher>INCLUDE</dispatcher>
              <dispatcher>FORWARD</dispatcher>
              <dispatcher>ERROR</dispatcher>
          </filter-mapping>
      ..
      ..
      </web-app>

    If you want to protect your application with J2EE declarative security, refer to the PolicyAgentBase/sampleapp directory to learn how to build and deploy an application. The sampleapp directory is by no means a full-fledged J2EE application. Rather, it is a simple application that provides you with a quick reference to application-specific deployment descriptors and various deployment modes of a J2EE agent. Once you successfully deploy sampleapp and test all of its features, you can use it as a reference for other applications that will be protected by the J2EE agent.

    Once the web.xml deployment descriptor is modified to reflect the new <DOCTYPE> and <filter> elements, the agent filter is added to the application. You can now redeploy your application on SAP Portal 6.0/Server 6.40.


    Note –

    Ensure that role-to-principal mappings in container-specific deployment descriptors are replaced with Access Manager roles or principals. You can retrieve Access Manager roles or principals for Access Manager 7 by issuing the agentadmin --getUuid command. For more information on the agentadmin --getUuid command, see agentadmin --getUuid.

    You can also retrieve the universal ID for the user (UUID) using Access Manager 7 Console to browse the user profile.
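A descriptor check for the filter installation steps above, as an added example (not part of the Sun guide or the agent distribution). It parses a web.xml and reports whether the agent filter is declared and mapped to /* for all four dispatcher types; under Servlet 2.4 a mapping with no <dispatcher> element applies to REQUEST only. The function name and both sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AGENT_FILTER_CLASS = "com.sun.identity.agents.filter.AmAgentFilter"
REQUIRED_DISPATCHERS = {"REQUEST", "INCLUDE", "FORWARD", "ERROR"}

# Constructed sample descriptors (not taken from a real application).
GOOD = """<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
  <description>sample</description>
  <filter>
    <filter-name>Agent</filter-name>
    <filter-class> com.sun.identity.agents.filter.AmAgentFilter </filter-class>
  </filter>
  <filter-mapping>
    <filter-name>Agent</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>
</web-app>"""

# Same filter, mapped to /* but with the <dispatcher> elements left out.
PARTIAL = """<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee">
  <filter>
    <filter-name>Agent</filter-name>
    <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>Agent</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""


def _local(tag):
    """Strip an XML namespace so namespaced and plain descriptors both match."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [child for child in elem if _local(child.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return (found[0].text or "").strip() if found else ""


def check_agent_filter(web_xml):
    """Return a list of findings; an empty list means the filter is installed as described."""
    root = ET.fromstring(web_xml)
    if _local(root.tag) != "web-app":
        return ["root element is not <web-app>"]
    findings = []
    if root.get("version") != "2.4":
        findings.append("web-app version is not 2.4")

    # Names of every <filter> whose class is the agent filter.
    agent_names = {
        _text(f, "filter-name")
        for f in _children(root, "filter")
        if _text(f, "filter-class") == AGENT_FILTER_CLASS
    }
    if not agent_names:
        return findings + ["no <filter> declares " + AGENT_FILTER_CLASS]

    catch_all = [
        m for m in _children(root, "filter-mapping")
        if _text(m, "filter-name") in agent_names and _text(m, "url-pattern") == "/*"
    ]
    if not catch_all:
        return findings + ["agent filter is not mapped to /*"]

    declared = set()
    for mapping in catch_all:
        listed = {(d.text or "").strip() for d in _children(mapping, "dispatcher")}
        # Servlet 2.4: no <dispatcher> element means REQUEST only.
        declared |= listed or {"REQUEST"}
    missing = REQUIRED_DISPATCHERS - declared
    if missing:
        findings.append("missing dispatcher types: " + ", ".join(sorted(missing)))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("GOOD", GOOD), ("PARTIAL", PARTIAL)):
        print(label, check_agent_filter(xml_text) or "ok")
```
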


Post-Installation of Agent for SAP Portal 6.0/Server 6.40: SAP Enterprise Portal 6.0

Perform the tasks in this section if you are configuring Agent for SAP Portal 6.0/Server 6.40 on SAP Enterprise Portal 6.0. This section includes a variety of short configuration tasks that are required for the agent to work on this specific deployment container. Complete all the tasks described in this section before performing the applicable tasks described in Conditional Post-Installation Steps for J2EE Agents in Policy Agent 2.2.

Procedure: To Deploy the Agent Software Delivery Archive for SAP Enterprise Portal 6.0

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Enterprise Portal 6.0.

Before You Begin

The following file is the Software Delivery Archive for this agent: AMSAPAgent2.2.sda.

For this task, you must provide the full path name to this Software Delivery Archive, as such:

PolicyAgent-base/etc/AmSAPAgent2.2.sda

Therefore, locate this file and record the full path name for use as part of the task.

  1. (Conditional) If the SAP Enterprise Portal 6.0 is not running, start it now.

  2. Start the Software Deployment Manager (SDM) Remote GUI.

    The following example provides the path to the SDM Remote GUI on UNIX systems:

    /usr/sap/SID/instanceName/SDM/program/RemoteGui.sh

    SID represents the SAP system ID.

    instanceName represents the SAP Enterprise Portal 6.0 instance.

  3. Log in to the GUI.

  4. Select the Deployment tab.

  5. Add the full path name to the following file:

    PolicyAgent-base/etc/AmSAPAgent2.2.sda
  6. Click the icon of the clipboard with the plus sign.

  7. Click Next until you reach the deployment Start button.

  8. Click Start.

  9. (Conditional) If using the agent with Access Manager 6.3, configure the appropriate library.


    Note –

    This step is similar to the steps required for the general configuration of the agent for Access Manager 6.3. For more information, see To Configure a J2EE Agent With Access Manager 6.3.


    By default, the AmSAPAgent2.2.library library is configured specifically for Access Manager 7. To use the agent with Access Manager 6.3, perform the following substeps.

    1. Stop the J2EE Engine.

    2. Change to the following directory:


      /usr/sap/SID/instanceName/j2ee/cluster/server0/bin/ext/AmSAPAgent2.2

      SID represents the SAP system ID.

      instanceName represents the SAP Enterprise Portal 6.0 instance.

    3. Create a backup copy of the Access Manager 7 amclientsdk.jar file, giving the copy a name such as amclientsdk70.jar.

    4. Copy the amclientsdk63.jar file to the same directory. Again, the directory is as follows:


      /usr/sap/SID/instanceName/j2ee/cluster/server0/bin/ext/AmSAPAgent2.2

      The following is the full path to the amclientsdk63.jar file:

      PolicyAgent-base/etc/amclientsdk63.jar
    5. Restart the J2EE engine.

Procedure: To Add a Reference From sap.com/irj to the New AmSAPAgent2.2 Library for SAP Enterprise Portal 6.0

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Enterprise Portal 6.0.

This task description explains how to add a library reference from the sap.com/irj application to the newly deployed AmSAPAgent2.2 library.

Use the command line for this task.

  1. Telnet to the J2EE telnet port by issuing a command such as the following:

    $ telnet j2ee-engine-host instance-port

    j2ee-engine-host represents the machine that hosts the SAP Enterprise Portal 6.0 instance.

    instance-port represents the port number of the SAP Enterprise Portal 6.0 instance.

    The following example demonstrates the format of the telnet command to issue:


    telnet saphost.example.com 50008

    After you issue a command similar to the preceding command, a message such as the following appears:

    Telnet Administration 
            [SAP J2EE Engine]
    
            Login:
            Password:
  2. Log in using Administrator as the user and the corresponding Administrator password.

  3. Issue the following command:

    $ jump 0

    A message such as the following appears:

    You jumped on node 56457550
  4. Issue the following command:

    $ add deploy

  5. Issue the following command:

    $ CHANGE_REF -m sap.com/irj library:AmSAPAgent2.2

    The following message appears:

    The reference between application sap.com/irj and 
    library:AmSAPAgent2.2 was made!
  6. Stop and start the SAP Enterprise Portal 6.0 instance.

Procedure: To Provide Access to the New Login Module for SAP Enterprise Portal 6.0

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Enterprise Portal 6.0.

This task description explains how to add the new login module to the J2EE engine list of login modules.

  1. (Conditional) If the SAP Enterprise Portal 6.0 is not running, start it now.

  2. Start the Visual Administration tool.

    The following example provides the path to the Visual Administration tool on UNIX systems:

    /usr/sap/SID/instanceName/j2ee/admin/go

    SID represents the SAP system ID.

    instanceName represents the SAP Enterprise Portal 6.0 instance.

  3. Log in to the Visual Administration tool.

  4. Select the Security Provider service.

  5. Select the User Management tab.

  6. Click Manage Security Stores.

  7. Click Add Login Module.

    A dialog box appears.

  8. Click OK.

  9. In the Class Name text field, enter the following:

    com.sun.identity.agents.sap.v640.AmSAPEP6LoginModule
  10. In the Display Name text field, enter the following:

    AmSAPEP6LoginModule

Procedure: To Modify the Ticket Template to Use the New Login Module for SAP Enterprise Portal 6.0

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Enterprise Portal 6.0.

This task description explains how to modify the ticket template in order to list the new login module that you just added to the J2EE engine list of login modules.

Before You Begin

If necessary, start and log in to the Visual Administration tool as detailed in the preceding task description.

  1. Select the Security Provider service.

  2. Select the Policy Configurations tab.

  3. In the Components list, select the ticket authentication template.

  4. Delete all login modules, except for the following:

    com.sap.security.core.server.jaas.EvaluateTicketLoginModule
    com.sap.security.core.server.jaas.CreateTicketLoginModule
  5. Click Add New.

  6. From the list of modules, select AmSAPEP6LoginModule.

  7. Click Modify.

  8. Move AmSAPEP6LoginModule between the following two remaining login modules:

    com.sap.security.core.server.jaas.EvaluateTicketLoginModule
    com.sap.security.core.server.jaas.CreateTicketLoginModule

    The new ticket authentication template appears as such:

    EvaluateTicketLoginModule    SUFFICIENT
    AmSAPEP6LoginModule          REQUISITE
    CreateTicketLoginModule      OPTIONAL


    Caution –

    Ensure that the ticket authentication template resembles the preceding list in that it follows the same sequence (EvaluateTicketLoginModule, AmSAPEP6LoginModule, and CreateTicketLoginModule) with the same values (SUFFICIENT, REQUISITE, and OPTIONAL).


Next Steps

Save the ticket authentication template configuration.
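Why the Caution insists on both the sequence and the flags, as an added example (not code from the Sun guide, the agent, or SAP). It applies the standard JAAS control-flag rules to the documented template and lists deviations from it. The module outcomes and the RELAXED_TEMPLATE variant are constructed inputs, not observed SAP behaviour.

```python
# Ticket template from the guide: (login module, JAAS control flag), in order.
DOCUMENTED_TEMPLATE = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("AmSAPEP6LoginModule", "REQUISITE"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

# Constructed variant: same order, agent module flag changed to OPTIONAL.
RELAXED_TEMPLATE = [
    ("EvaluateTicketLoginModule", "SUFFICIENT"),
    ("AmSAPEP6LoginModule", "OPTIONAL"),
    ("CreateTicketLoginModule", "OPTIONAL"),
]

# Constructed module outcomes; a module missing from the dict is treated as failing.
VALID_SAP_TICKET = {"EvaluateTicketLoginModule": True}
VALID_AM_SESSION = {"AmSAPEP6LoginModule": True, "CreateTicketLoginModule": True}
NO_AM_SESSION = {"CreateTicketLoginModule": True}


def template_deviations(stack):
    """List (position, documented entry, configured entry) for every mismatch."""
    deviations = []
    for i in range(max(len(stack), len(DOCUMENTED_TEMPLATE))):
        want = DOCUMENTED_TEMPLATE[i] if i < len(DOCUMENTED_TEMPLATE) else None
        have = stack[i] if i < len(stack) else None
        if want != have:
            deviations.append((i + 1, want, have))
    return deviations


def evaluate_stack(stack, outcomes):
    """Apply JAAS control-flag rules; return (authenticated, modules consulted)."""
    consulted = []
    required_failed = False   # a REQUIRED or REQUISITE module failed
    required_ok = False       # a REQUIRED or REQUISITE module succeeded
    other_ok = False          # a SUFFICIENT or OPTIONAL module succeeded
    for module, flag in stack:
        ok = outcomes.get(module, False)
        consulted.append(module)
        if flag in ("REQUIRED", "REQUISITE"):
            if ok:
                required_ok = True
            else:
                required_failed = True
                if flag == "REQUISITE":
                    break             # failure returns control immediately
        elif flag == "SUFFICIENT":
            if ok:
                other_ok = True
                if not required_failed:
                    break             # success returns control immediately
        elif flag == "OPTIONAL":
            other_ok = other_ok or ok
        else:
            raise ValueError("unknown control flag: " + flag)
    if required_failed:
        return False, consulted
    return (required_ok or other_ok), consulted


if __name__ == "__main__":
    for name, outcomes in (("valid SAP ticket", VALID_SAP_TICKET),
                           ("valid AM session", VALID_AM_SESSION),
                           ("no AM session", NO_AM_SESSION)):
        print(name, evaluate_stack(DOCUMENTED_TEMPLATE, outcomes))
    print("relaxed, no AM session", evaluate_stack(RELAXED_TEMPLATE, NO_AM_SESSION))
    print("deviations", template_deviations(RELAXED_TEMPLATE))
```

With REQUISITE on AmSAPEP6LoginModule, a failed agent check ends the stack before CreateTicketLoginModule is consulted; with any weaker flag the result rests on the modules that follow.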

Procedure: To Make a Class Loader Reference to the Login Module for SAP Enterprise Portal 6.0

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Enterprise Portal 6.0.

Before You Begin

If necessary, start and log in to the Visual Administration tool as described in To Provide Access to the New Login Module for SAP Enterprise Portal 6.0.

  1. Select the Security Provider service.

  2. For the value of the LoginModuleClassLoaders property, enter the following:

    library:AmSAPAgent2.2

    If multiple entries are required in this field, separate the entries by commas.

Procedure: To Modify the SAP Enterprise Portal 6.0 Class Path

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Enterprise Portal 6.0.

This task description explains how to modify the SAP Enterprise Portal 6.0 class path by adding a locale directory and a config directory.

  1. Start the J2EE Engine configuration tool.

    The following example provides the path to the configuration tool on UNIX systems:

    /usr/sap/SID/instanceName/j2ee/configtool/configtool.sh

    SID represents the SAP system ID.

    instanceName represents the SAP Enterprise Portal 6.0 instance.

  2. Log in to the configuration tool.

  3. Highlight the SAP Enterprise Portal 6.0 instance server (SID).

  4. In the right panel, in the class path text field, add the locale directory and the config directory to the end of the class path as follows:

    ;PolicyAgent-base/locale;PolicyAgent-base/AgentInstance-Dir/config

    To simplify this step, you might want to access the agentclasspath.txt file within the config directory of the current agent instance. This file contains the exact class path that you must append to the class path of the SAP Enterprise Portal 6.0 instance.

Procedure: To Modify the SAP Enterprise Portal 6.0 JVM Options (AIX Systems Only)

This task is specific to AIX systems and is necessary because AIX systems come with an IBM JDK which does not come with the Sun Microsystems JCE provider.

  1. Start the J2EE Engine configuration tool.

    The following example provides the path to the configuration tool on UNIX systems:

    /usr/sap/SID/instanceName/j2ee/configtool/configtool.sh

    SID represents the SAP system ID.

    instanceName represents the SAP Enterprise Portal 6.0 instance.

  2. Log in to the configuration tool.

  3. Highlight the SAP Enterprise Portal 6.0 instance server (SID).

  4. In the right panel, in the Java Parameters field, add the following lines:


    -DamKeyGenDescriptor.provider=IBMJCE

    -DamCryptoDescriptor.provider=IBMJCE

Procedure: To Configure the ume.logoff.redirect.url Parameter for SAP Enterprise Portal 6.0

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Enterprise Portal 6.0.

  1. Start the J2EE Engine configuration tool.

    The following example provides the path to the configuration tool on UNIX systems:

    /usr/sap/SID/instanceName/j2ee/configtool/configtool.sh

    SID represents the SAP system ID.

    instanceName represents the SAP Enterprise Portal 6.0 instance.

  2. Log in to the configuration tool.

  3. Click the pencil icon to switch to the configuration editor mode.

  4. Click the pencil and glasses icon.

  5. Select cluster_data -> server -> cfg -> services.

    The UME service property sheet appears.

  6. Double-click the following property sheet: com.sap.security.core.ume.service.

  7. Add the following custom value to the property named ume.logoff.redirect.url:

    http://AMServices-host:AMServices-port/amserver/UI/Login?arg=newsession

    AMServices-host represents the fully qualified host name of the server where Access Manager Services are installed.

    AMServices-port represents the port number of the server where Access Manager Services are installed.

Procedure: To Deploy the agentapp.war file for SAP Enterprise Portal 6.0

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Enterprise Portal 6.0.

  1. Start the J2EE engine deploy tool by issuing the following command:

    /usr/sap/SID/instanceName/j2ee.deploying/DeployTool

    SID represents the SAP system ID.

    instanceName represents the SAP Enterprise Portal 6.0 instance.


    Caution –

    Create a subdirectory for the agent application in DeployContainer-base. In this scenario, DeployContainer-base represents the directory within which the SAP Enterprise Portal 6.0 instance was installed. Creating a subdirectory ensures that no other directories are affected by the agent application. If you undeploy the agentapp.war file without creating this subdirectory, DeployTool removes other critical content in the DeployContainer-base directory.


  2. Create a new project.

  3. Load the agentapp.war file using the following full path name:

    PolicyAgent-base/etc/agentapp.war

Procedure: To Add a Reference From sap.com/agentapp to the New AmSAPAgent2.2 Library for SAP Enterprise Portal 6.0

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Enterprise Portal 6.0.

This task description explains how to add a library reference from the sap.com/agentapp application to the newly deployed AmSAPAgent2.2 library.

Use the command line for this task.

  1. Telnet to the J2EE telnet port by issuing a command such as the following:

    $ telnet j2ee-engine-host instance-port

    j2ee-engine-host represents the machine that hosts the SAP Enterprise Portal 6.0 instance.

    instance-port represents the port number of the SAP Enterprise Portal 6.0 instance.

    The following example demonstrates the format of the telnet command to issue:


    telnet saphost.example.com 50008

    After you issue a command similar to the preceding command, a message such as the following appears:

    Telnet Administration 
            [SAP J2EE Engine]
    
            Login:
            Password:
  2. Log in using Administrator as the user and the corresponding Administrator password.

  3. Issue the following command:

    $ jump 0

    A message such as the following appears:

    You jumped on node 56457550
  4. Issue the following command:

    $ add deploy

  5. Issue the following command:

    $ CHANGE_REF -m sap.com/agentapp library:AmSAPAgent2.2

    The following message appears:

    The reference between application sap.com/agentapp and 
    library:AmSAPAgent2.2 was made!
  6. Stop and start the SAP Enterprise Portal 6.0 instance.

Deploying the Agent Application for SAP Enterprise Portal 6.0

The task described in this section is required. Deploy the URI for the agent application using the deployment container. This task is the same for SAP Enterprise Portal 6.0 and SAP Web Application Server 6.40. However, this section appears in the post-installation task descriptions for each deployment container to enable a smooth transition from one task to the next.

The agent application is a housekeeping application used by the agent for notifications and other internal functionality. This application is bundled with the agent binaries and can be found at the following location:

PolicyAgent-base/etc/agentapp.extension

where extension refers to the .war extension or the .ear extension. The extension varies depending on the deployment container.

For more information about the Policy Agent base directory (PolicyAgent-base), see J2EE Agent Directory Structure in Policy Agent 2.2.

The agentapp application must be deployed as a post-installation step. For the agent to function correctly, this application must be deployed on the agent-protected deployment container instance using the same URI that was supplied during the agent installation process. For example, if you entered /agentapp as the deployment URI for the agent application during the installation process, use that same context path to deploy the .war or .ear file in the deployment container.

Using the administration console or command-line utilities of your deployment container, deploy this application using Application Context Path as the URI specified during agent installation.

Enabling Cookie Reset for SAP Enterprise Portal 6.0

This task enables single logout between the Access Manager instance and the SAP Enterprise Portal 6.0 instance. Otherwise, single logout might fail, potentially creating a security risk.

Procedure: To Enable Cookie Reset for SAP Enterprise Portal 6.0

  1. Access the J2EE agent AMAgent.properties configuration file.

  2. Change the following properties as shown:

    • com.sun.identity.agents.config.cookie.reset.enable = true

    • com.sun.identity.agents.config.cookie.reset.name[0] = MYSAPSSO2

    • com.sun.identity.agents.config.cookie.reset.domain[MYSAPSSO2] = EP60-DomainName

    where EP60-DomainName represents the name of the domain of the machine where the SAP Enterprise Portal 6.0 instance is installed, such as .example.com.
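A check for the AMAgent.properties edits in this chapter, as an added example (not part of the Sun guide or the agent distribution). It covers both the agent profile properties from the profile update procedure and the cookie reset properties above, and flags values that are empty or still carry the guide's placeholder text. The function names and sample files are constructed; the parser handles plain key = value lines only.

```python
import re

RESET = "com.sun.identity.agents.config.cookie.reset."
PROFILE_KEYS = (
    "com.sun.identity.agents.app.username",
    "com.iplanet.am.service.secret",
)
# Placeholder words used in the guide; they must not survive into a live file.
PLACEHOLDERS = {"agentID", "encryptedPassword", "EP60-DomainName"}

# Constructed sample: an edit that was started but not finished.
SAMPLE_UNFINISHED = """\
# constructed sample
com.sun.identity.agents.app.username = agentID
com.iplanet.am.service.secret =
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
"""

# Constructed sample: all values filled in (the secret is a dummy string).
SAMPLE_DONE = """\
com.sun.identity.agents.app.username = sapAgent01
com.iplanet.am.service.secret = CONSTRUCTED-ENCRYPTED-VALUE==
com.sun.identity.agents.config.cookie.reset.enable = true
com.sun.identity.agents.config.cookie.reset.name[0] = MYSAPSSO2
com.sun.identity.agents.config.cookie.reset.domain[MYSAPSSO2] = .example.com
"""


def parse_properties(text):
    """Parse simple key = value lines; split on the first '=' only."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def _unset(value):
    return not value or value in PLACEHOLDERS


def check_agent_properties(text):
    """Return a list of findings; an empty list means the edits are complete."""
    props = parse_properties(text)
    findings = []
    for key in PROFILE_KEYS:
        if _unset(props.get(key, "")):
            findings.append(key + " is unset or still a placeholder")
    if props.get(RESET + "enable", "").lower() != "true":
        findings.append("cookie reset is not enabled")

    # Reset names are keyed by index: ...cookie.reset.name[0], name[1], ...
    name_key = re.compile(re.escape(RESET) + r"name\[(\d+)\]")
    names = {v for k, v in props.items() if name_key.fullmatch(k) and v}
    if "MYSAPSSO2" not in names:
        findings.append("MYSAPSSO2 is not in the cookie reset list")
    # The domain entry is keyed by cookie name, so a typo in the key loses it.
    elif _unset(props.get(RESET + "domain[MYSAPSSO2]", "")):
        findings.append("no reset domain for MYSAPSSO2")
    return findings


if __name__ == "__main__":
    print(check_agent_properties(SAMPLE_UNFINISHED))
    print(check_agent_properties(SAMPLE_DONE) or "ok")
```
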

Post-Installation of Agent for SAP Portal 6.0/Server 6.40: SAP Web Application Server 6.40

Perform the tasks in this section if you are configuring Agent for SAP Portal 6.0/Server 6.40 on SAP Web Application Server 6.40. This section includes a variety of short configuration tasks that are required for the agent to work on this specific deployment container. Complete all the tasks described in this section before performing the applicable tasks described in Conditional Post-Installation Steps for J2EE Agents in Policy Agent 2.2.

Procedure: To Deploy the Agent Software Delivery Archive for SAP Web Application Server 6.40

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Web Application Server 6.40.

Before You Begin

The following file is the Software Delivery Archive for this agent: AMSAPAgent2.2.sda.

For this task, you must provide the full path name to this Software Delivery Archive, as such:

PolicyAgent-base/etc/AmSAPAgent2.2.sda

Therefore, locate this file and record the full path name for use as part of the task.

  1. (Conditional) If the SAP Web Application Server 6.40 is not running, start it now.

  2. Start the Software Deployment Manager (SDM) Remote GUI.

    The following example provides the path to the SDM Remote GUI on UNIX systems:

    /usr/sap/SID/instanceName/SDM/program/RemoteGui.sh

    SID represents the SAP system ID.

    instanceName represents the SAP Web Application Server 6.40 instance.

  3. Log in to the GUI.

  4. Select the Deployment tab.

  5. Add the full path name to the following file:

    PolicyAgent-base/etc/AmSAPAgent2.2.sda
  6. Click the icon of the clipboard with the plus sign.

  7. Click Next until you reach the deployment Start button.

  8. Click Start.

  9. (Conditional) If using the agent with Access Manager 6.3, configure the appropriate library.


    Note –

    This step is similar to the steps required for the general configuration of the agent for Access Manager 6.3. For more information, see To Configure a J2EE Agent With Access Manager 6.3.


    By default, the AmSAPAgent2.2.library library is configured specifically for Access Manager 7. To use the agent with Access Manager 6.3, perform the following substeps.

    1. Stop the J2EE Engine.

    2. Change to the following directory:


      /usr/sap/SID/instanceName/j2ee/cluster/server0/bin/ext/AmSAPAgent2.2

      SID represents the SAP system ID.

      instanceName represents the SAP Web Application Server 6.40 instance.

    3. Create a backup copy of the Access Manager 7 amclientsdk.jar file, giving the copy a name such as amclientsdk70.jar.

    4. Copy the amclientsdk63.jar file to the same directory, which is as follows:


      /usr/sap/SID/instanceName/j2ee/cluster/server0/bin/ext/AmSAPAgent2.2

      The following is the full path to the amclientsdk63.jar file:

      PolicyAgent-base/etc/amclientsdk63.jar
    5. Restart the J2EE engine.

Procedure: To Deploy the agentapp.war file for SAP Web Application Server 6.40

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Web Application Server 6.40.

  1. Start the J2EE engine deploy tool by issuing the following command:

    /usr/sap/SID/instanceName/j2ee.deploying/DeployTool

    SID represents the SAP system ID.

    instanceName represents the SAP Web Application Server 6.40 instance.


    Caution –

    Create a subdirectory for the agent application in DeployContainer-base. In this scenario, DeployContainer-base represents the directory within which the SAP Web Application Server 6.40 instance was installed. Creating a subdirectory ensures that no other directories are affected by the agent application. If you undeploy the agentapp.war file without creating this subdirectory, DeployTool removes other critical content in the DeployContainer-base directory.


  2. Create a new project.

  3. Load the agentapp.war file using the following full path name:

    PolicyAgent-base/etc/agentapp.war

Procedure: To Add a Reference From sap.com/irj to the New AmSAPAgent2.2 Library for SAP Web Application Server 6.40

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Web Application Server 6.40.

This task description explains how to add a library reference from the sap.com/irj application to the newly deployed AmSAPAgent2.2 library.

Use the command line for this task.

  1. Telnet to the J2EE telnet port by issuing a command such as the following:

    $ telnet j2ee-engine-host instance-port

    j2ee-engine-host represents the machine that hosts the SAP Web Application Server 6.40 instance.

    instance-port represents the port number of the SAP Web Application Server 6.40 instance.

    The following example demonstrates the format of the telnet command to issue:


    telnet saphost.example.com 50008

    After you issue a command similar to the preceding command, a message such as the following appears:

    Telnet Administration 
            [SAP J2EE Engine]
    
            Login:
            Password:
  2. Log in using Administrator as the user and the corresponding Administrator password.

  3. Issue the following command:

    $ jump 0

    A message such as the following appears:

    You jumped on node 56457550
  4. Issue the following command:

    $ add deploy

  5. Issue the following command:

    $ CHANGE_REF -m sap.com/app-context library:AmSAPAgent2.2

    The following message appears:

    The reference between application sap.com/irj and 
    library:AmSAPAgent2.2 was made!

Procedure: To Provide Access to the New Login Module for SAP Web Application Server 6.40

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Web Application Server 6.40.

This task description explains how to add the new login module to the J2EE engine list of login modules.

  1. (Conditional) If the SAP Web Application Server 6.40 is not running, start it now.

  2. Start the Visual Administration tool.

    The following example provides the path to the Visual Administration tool on UNIX systems:

    /usr/sap/SID/instanceName/j2ee/admin/go

    SID represents the SAP system ID.

    instanceName represents the SAP Web Application Server 6.40 instance.

  3. Log in to the Visual Administration tool.

  4. Select the Security Provider service.

  5. Select the User Management tab.

  6. Click Manage Security Stores.

  7. Click Add Login Module.

    A dialog box appears.

  8. Click OK.

  9. In the Class Name text field, enter the following:

    com.sun.identity.agents.sap.v640.AmSAPWASLoginModule
  10. In the Display Name text field, enter the following:

    AmSAPWASLoginModule

Procedure: To Configure Applications to Use the New Login Module for SAP Web Application Server 6.40

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Web Application Server 6.40.

This task description explains how to use the new login module that you just added to the J2EE engine list of login modules.

Before You Begin

If necessary, start and log in to the Visual Administration tool as detailed in the preceding task description.

  1. Select the Security Provider service.

  2. Select the User Management tab.

  3. In the Components list, select the application you want to configure.

  4. In the right pane, remove BasicPasswordLoginModule.

    1. Select BasicPasswordLoginModule.

    2. Click Remove.

  5. Ensure that no other authentication template is being used at this point.

  6. Click Add New.

  7. From the list of modules, select AmSAPWASLoginModule.

  8. Save the configuration.

Procedure: To Add a Reference From sap.com/agentapp to the New AmSAPAgent2.2 Library for SAP Web Application Server 6.40

This is one of the post-installation tasks required when Agent for SAP Portal 6.0/Server 6.40 has been installed on SAP Web Application Server 6.40.

This task description explains how to add a library reference from the sap.com/agentapp application to the newly deployed AmSAPAgent2.2 library.

Use the command line for this task.

  1. Telnet to the J2EE telnet port by issuing a command such as the following:

    $ telnet j2ee-engine-host instance-port

    j2ee-engine-host represents the machine that hosts the SAP Web Application Server 6.40 instance.

    instance-port represents the port number of the SAP Web Application Server 6.40 instance.

    The following example demonstrates the format of the telnet command to issue:


    telnet saphost.example.com 50008

    After you issue a command similar to the preceding command, a message such as the following appears:

    Telnet Administration 
            [SAP J2EE Engine]
    
            Login:
            Password:

  2. Log in using Administrator as the user and the corresponding Administrator password.

  3. Issue the following command:

    $ jump 0

    A message such as the following appears:

    You jumped on node 56457550

  4. Issue the following command:

    $ add deploy

  5. Issue the following command:

    $ CHANGE_REF -m sap.com/agentapp library:AmSAPAgent2.2

    The following message appears:

    The reference between application sap.com/agentapp and 
    library:AmSAPAgent2.2 was made!

  6. Stop and start the SAP Enterprise Portal 6.0 instance.

Deploying the Agent Application for SAP Web Application Server 6.40

The task described in this section is required. Deploy the URI for the agent application using the deployment container. This task is the same for SAP Enterprise Portal 6.0 and SAP Web Application Server 6.40. However, this section appears in the post-installation task descriptions for each deployment container to enable a smooth transition from one task to the next.

The agent application is a housekeeping application used by the agent for notifications and other internal functionality. This application is bundled with the agent binaries and can be found at the following location:

PolicyAgent-base/etc/agentapp.extension

where extension refers to the .war extension or the .ear extension. The extension varies depending on the deployment container.

For more information about the Policy Agent base directory (PolicyAgent-base), see J2EE Agent Directory Structure in Policy Agent 2.2.

The agentapp application must be deployed as a post-installation step. For the agent to function correctly, this application must be deployed on the agent-protected deployment container instance using the same URI that was supplied during the agent installation process. For example, if you entered /agentapp as the deployment URI for the agent application during the installation process, then use that same context path to deploy the .war or .ear file in the deployment container.

Using the administration console or command-line utilities of your deployment container, deploy this application with the Application Context Path set to the URI specified during agent installation.

Conditional Post-Installation Steps for J2EE Agents in Policy Agent 2.2

Steps described in this section might be required, depending on your site's specific deployment.

Creating the Necessary URL Policies

If the agent is installed and configured to operate in the URL_POLICY mode or ALL mode, the appropriate URL policies must be created. The following examples demonstrate conceivable locations for resources that would need to have policies created for them.


Example 4–1 Configuring the Necessary URL Policies for SAP Enterprise Portal 6.0

If the agent is protecting SAP Enterprise Portal 6.0 at the /irj context URI using port 50000 with the HTTP protocol, at least one policy must be created to allow access to the following resource:


http://myhost.mydomain.com:50000/irj


Example 4–2 Configuring the Necessary URL Policies for SAP Web Application Server 6.40

If SAP Web Application Server 6.40 is available on port 8080 using the HTTP protocol, at least one policy must be created to allow access to the following resource:


http://myhost.mydomain.com:8080/sampleApp/

where sampleApp is the context URI for the sample application.


For either of the preceding deployment containers, if no policies are defined and the agent is configured to operate in the URL_POLICY mode or ALL mode, then no user is allowed access to SAP Portal 6.0/Server 6.40 resources. See Sun Java System Access Manager 7 2005Q4 Administration Guide to learn how to create these policies using the Access Manager Console or command-line utilities.
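A pre-flight check for two requirements described above (the agentapp context path must match the URI given at installation, and URL_POLICY or ALL mode denies everyone until a URL policy exists), as an added example that is not part of the original guide. The property names com.sun.identity.agents.config.filter.mode and com.sun.identity.client.notification.url, the /notification path, and the sample file contents are assumptions; compare them with your own AMAgent.properties.

```shell
#!/bin/sh
# Added example: pre-flight check of an AMAgent.properties-style file.
# Property names and sample values are assumptions, not taken from the guide.

# prop FILE KEY: print the trimmed value of KEY (last definition wins).
prop() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # match dots literally
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//'
}

# context_path URL: print the first path segment, e.g. /agentapp.
context_path() {
    printf '%s\n' "$1" | sed -n 's|^[a-z]*://[^/]*\(/[^/]*\).*|\1|p'
}

# needs_url_policies MODE: succeed if the mode enforces URL policies.
needs_url_policies() {
    case "$1" in
        URL_POLICY|ALL) return 0 ;;
        *) return 1 ;;
    esac
}

# check_agent FILE INSTALL_URI: print findings, return the number of failures.
check_agent() {
    failures=0
    mode=$(prop "$1" com.sun.identity.agents.config.filter.mode)
    url=$(prop "$1" com.sun.identity.client.notification.url)
    ctx=$(context_path "$url")
    if [ "$ctx" != "$2" ]; then
        echo "FAIL: notification URL uses '$ctx' but agentapp was installed at '$2'"
        failures=$((failures + 1))
    fi
    if needs_url_policies "$mode"; then
        echo "NOTE: mode $mode denies every user until a URL policy allows the resource"
    fi
    return "$failures"
}

# Constructed sample configuration (not from a real installation).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
com.sun.identity.agents.config.filter.mode = ALL
com.sun.identity.client.notification.url = http://myhost.mydomain.com:50000/agentapp/notification
EOF
check_agent "$SAMPLE" /agentapp
```

A non-zero exit status from check_agent means the deployed context path and the configured notification URL disagree, which is worth resolving before creating policies.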