Sun Java System Access Manager Policy Agent 2.2 Guide for IBM WebSphere Portal Server 5.1.0.2

Post-Installation Steps Specific to Agent for IBM WebSphere Portal Server 5.1.0.2

Once you have installed Policy Agent 2.2 for IBM WebSphere Portal Server 5.1.0.2 and you have performed the post-installation steps that apply to all J2EE agents in the Policy Agent 2.2 release, complete the agent-specific procedures detailed in this section.

A variety of configuration tasks are described in this section.

Procedure: To Add an Access Manager Trust Association Interceptor to IBM WebSphere Portal Server 5.1.0.2


Note –

This task must be performed once per IBM WebSphere Application Server node regardless of how many IBM WebSphere Application Server instances exist within that node.


This task allows the agent to establish SSO with the protected IBM WebSphere Portal Server 5.1.0.2 instance.

  1. Ensure that all instances of the underlying IBM WebSphere Application Server are stopped.

  2. Start the instance of IBM WebSphere Application Server on which the Administration Console is deployed.

    Typically this instance is named server1.

  3. Log in to the IBM WebSphere Portal Server 5.1.0.2 Administration Console.

  4. Navigate to the Interceptors page.

    1. Expand the Security node.

    2. Expand the Authentication Mechanisms node.

    3. Click LTPA.

      A new page appears.

    4. Click the Trust association link.

    5. Click Interceptors.

  5. Click New.

  6. Name the new Trust Association Interceptor with the following class name:

    com.sun.identity.agents.websphere.AmTrustAssociationInterceptor

  7. Click Apply.

    A new page opens.

  8. Save changes.

    1. Click the Save link.

      A new page opens.

    2. Click the Save button.

  9. Navigate again to the Interceptors page.

    The navigation steps are explained at the beginning of this task description.

  10. Check the Trust Association Enabled checkbox.

  11. Click OK.

  12. Save and apply changes to Master configuration.

  13. Restart all server instances as necessary including the instance on which IBM WebSphere Portal Server 5.1.0.2 is deployed.

    The Policy Agent Trust Association Interceptor is now installed.

Procedure: To Change the Login and Logout Link Actions for IBM WebSphere Portal Server 5.1.0.2

The Login and Logout actions within IBM WebSphere Portal Server 5.1.0.2 can be changed to better provide a seamless user experience with Single Sign-On using Access Manager. This can be achieved by implementing the steps in this task description.

  1. Ensure that the IBM WebSphere Portal Server 5.1.0.2 instance is shut down.

  2. Create backups of the applicable ToolBarInclude.jsp files.

    In this scenario, the applicable ToolBarInclude.jsp files are available within the following directory:

    WAS-base/installedApps/node_name/wps.ear/wps.war/themes/html/

    where WAS-base represents the directory within which the IBM WebSphere Portal Server 5.1.0.2 instance was installed. Notice that this task refers to both a WAS-base directory and a WPS-base directory.

  3. Modify each applicable ToolBarInclude.jsp file.

    For this task, modify each file as follows:

    Replace the href value associated with the Login link with the following value:

    <%= wpsBaseURL %>/myportal

    The following example shows modifications that can be made to the ToolBarInclude.jsp file to change the login action:


    <%-- login button --%>
    <%-- uncomment to allow log in via screen --%>
    <%--
    <wps:if loggedIn="no" notScreen="Login">
    <td class="wpsToolBar" valign="middle" nowrap>
    <a class="wpsToolBarLink" href='<%=wpsBaseURL%>/myportal'>
    <wps:text key="link.login" bundle="nls.engine"/>
    </a>
    </td>
    </wps:if>
    --%>
    <%--comment this to allow login via screen --%>
    <wps:if loggedIn="no" notSelection="wps.Login" >
    <wps:urlGeneration contentNode="wps.Login" portletWindowState="Normal">
    <td class="wpsToolBar" valign="middle" nowrap>
    <a href='<%=wpsBaseURL%>/myportal' class="wpsToolBarLink">
    <wps:text key="link.login" bundle="nls.engine"/>
    </a>
    </td>
    </wps:urlGeneration>
    </wps:if>

    For complete details on how best to implement the preceding modification, see documentation for IBM WebSphere Portal Server 5.1.0.2.

  4. Create backups of the following file:


    WPS-base/shared/app/config/services/ConfigService.properties

    where WPS-base represents the directory within which the IBM WebSphere Portal Server 5.1.0.2 instance was installed.

  5. Modify the ConfigService.properties file as follows:

    redirect.logout

    Set the value to true.

    redirect.logout.ssl

    Set the value to true or false, depending upon the environment.

    redirect.logout.url

    Set the value to the Access Manager logout URL (AMlogout-URL), where AMlogout-URL represents the Access Manager logout URL. The following is a conceivable logout URL:


    http://amhost.domain.com:AMport/amserver/UI/Logout

    where AMport represents the port number of the Access Manager host.

  6. Restart the IBM WebSphere Portal Server 5.1.0.2 instance for these changes to take effect.

Procedure: To Add the Agent Filter to the IBM WebSphere Portal Server 5.1.0.2 Application

This required task more tightly integrates the IBM WebSphere Portal Server 5.1.0.2 instance with the Access Manager environment.


Note –

This task is only required once per IBM WebSphere Portal Server 5.1.0.2 instance for a given host.


Agent for IBM WebSphere Portal Server 5.1.0.2 provides a servlet filter that can be added to the IBM WebSphere Portal Server 5.1.0.2 application. This filter allows the enforcement of coarse-grained URL policies defined within Access Manager to further control access to protected resources on the IBM WebSphere Portal Server 5.1.0.2 instance. The filter can also be configured to provide additional personalization information in the form of HTTP headers, cookies, or HTTP request attributes that can be used to further enhance the functionality of protected components. The following steps detail how this filter can be installed.

  1. Ensure that the instance of IBM WebSphere Application Server on which the IBM WebSphere Portal Server 5.1.0.2 is deployed is stopped.

  2. Locate the wps.war/WEB-INF/web.xml file that contains the deployment descriptors for IBM WebSphere Portal Server 5.1.0.2.

    The IBM WebSphere Application Server runtime can read this file from either of the following directories:

    • WPS-base/installedApps/Cell-Name/wps.ear/wps.war/WEB-INF

    • WPS-base/config/cells/Cell-Name/applications/wps.ear/deployments/wps/wps.war/WEB-INF

    WPS-base represents the directory within which the IBM WebSphere Portal Server 5.1.0.2 instance was installed.

    Cell-Name represents the IBM WebSphere Portal Server 5.1.0.2 cell protected by the agent.

  3. Create the necessary backups before proceeding to modify these descriptors.

    Since you will modify the deployment descriptor in the next step, creating backup files at this point is important.

  4. Edit both of the web.xml files referred to in this task.

    The two web.xml files should be edited as follows:


    <web-app id="IBM_WPS">
      <display-name>WebSphere Portal Server</display-name>
      <filter id="Filter_PolicyAgent">
        <filter-name>Policy Agent</filter-name>
        <filter-class>
          com.sun.identity.agents.filter.AmAgentFilter
        </filter-class>
      </filter>
      <!-- ... other filter definitions ... -->
      <filter-mapping id="FilterMapping_PolicyAgent">
        <filter-name>Policy Agent</filter-name>
        <url-pattern>/*</url-pattern>
      </filter-mapping>
      <!-- ... other filter mappings ... -->
    </web-app>
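
An added example, not part of this guide or of the agent's own tooling: a Python check to run against each of the two web.xml copies and against ConfigService.properties after the procedures above. It confirms that the agent filter is declared, mapped to /* ahead of any other mapping, and that the three redirect.logout settings are present. The function names and the sample documents are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET
AGENT_FILTER_CLASS = "com.sun.identity.agents.filter.AmAgentFilter"

def _text(element, name):
    return (element.findtext(name) or "").strip()

def check_web_xml(xml_text):
    """Problems with the agent filter in one web.xml copy (empty list = OK)."""
    root = ET.fromstring(xml_text)
    names = {_text(f, "filter-name") for f in root.findall("filter")
             if _text(f, "filter-class") == AGENT_FILTER_CLASS}
    if not names:
        return ["no <filter> uses " + AGENT_FILTER_CLASS]
    mappings = [(_text(m, "filter-name"), _text(m, "url-pattern"))
                for m in root.findall("filter-mapping")]
    if not any(n in names and p == "/*" for n, p in mappings):
        return ["agent filter is not mapped to /*"]
    if mappings[0][0] not in names:
        # Filters run in filter-mapping order; the guide lists the agent first.
        return ["agent filter-mapping is not the first mapping"]
    return []

def check_logout_properties(text):
    """Problems with the redirect.logout* settings (empty list = OK)."""
    props = {}
    for line in text.splitlines():
        # key=value, key:value or "key value"; lines starting with # or ! are comments
        m = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:\s]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    problems = []
    if props.get("redirect.logout") != "true":
        problems.append("redirect.logout is not true")
    if props.get("redirect.logout.ssl") not in ("true", "false"):
        problems.append("redirect.logout.ssl is not true or false")
    if not re.match(r"https?://", props.get("redirect.logout.url", "")):
        problems.append("redirect.logout.url is not an http(s) URL")
    return problems

# Constructed samples: an edited web.xml, an unedited copy, a partial properties file.
EDITED = ('<web-app id="IBM_WPS"><filter><filter-name>Policy Agent</filter-name>'
          '<filter-class>\n com.sun.identity.agents.filter.AmAgentFilter\n</filter-class>'
          '</filter><filter-mapping><filter-name>Policy Agent</filter-name>'
          '<url-pattern>/*</url-pattern></filter-mapping></web-app>')
UNEDITED = '<web-app id="IBM_WPS"><display-name>WebSphere Portal Server</display-name></web-app>'
PROPS = "redirect.logout=true\nredirect.logout.ssl=false\n# redirect.logout.url still unset\n"
if __name__ == "__main__":
    print(check_web_xml(EDITED), check_web_xml(UNEDITED))
    print(check_logout_properties(PROPS))
```

Because the runtime can read web.xml from either directory, a copy that reports a problem while the other passes means the filter may not be enforced after the next restart or synchronization.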