Sun Java System Access Manager Policy Agent 2.2 Guide for IBM Lotus Domino 7.0

Chapter 4 Relationship Between the Agent Profile and Web Agents in Policy Agent 2.2

A web agent uses an agent profile to communicate with Access Manager server. The web agent uses the profile name and associated password as credentials to authenticate with Access Manager. You can use the default values for these credentials, or you can create an agent profile in the Access Manager Console and specify new credentials.

In web agents, the term for the default user name is agent user name. The default value of the agent user name is UrlAccessAgent. The term for the default password is shared secret. The default value of the shared secret is the password of the Access Manager internal LDAP authentication user, commonly referred to as amldapuser.

Creating an agent profile is not a requirement for web agents. You can use the default values and never change the agent user name or shared secret. However, in certain situations you might want to change these default values. Changing the default values of the agent user name and shared secret involves creating an agent profile using the Access Manager Console.

The terms used for the credentials are different once you create them in the agent profile. Agent user name is then called agent profile name. Shared secret is then called agent profile password. After you create the agent profile, you must assign the values of the agent profile name and the agent profile password to the correct properties in the web agent AMAgent.properties configuration file.

This section describes how to create or update an agent profile in the Access Manager Console and then how to make the corresponding changes in the web agent AMAgent.properties configuration file, including:

  Creating or Updating a Web Agent Profile in the Access Manager Console

  Updating the Web Agent Profile Name and Password


Note –

If you want to change only the shared secret in the web agent and not the agent profile name, see Resetting the Shared Secret Password. A common reason to change only the shared secret is that it was entered incorrectly during the web agent installation.


Creating or Updating a Web Agent Profile in the Access Manager Console

Procedure: To Create or Update an Agent Profile in the Access Manager Console

The following task describes how to create a new agent profile. If you are updating an existing agent profile, the steps are similar, except that you select an existing agent profile name in the Console.

  1. Log in to the Access Manager Admin Console.

  2. Click Access Control and then the name of the realm for which you would like to create the agent profile.

  3. Select Subjects and then Agent.

  4. Click New and enter values for the following fields.

    ID. Enter the agent profile name or identity of the agent.

    The agent uses this name to authenticate (with the following password) and communicate with Access Manager server. Multi-byte names are not accepted. Do not use the web agent default value of UrlAccessAgent.

    Password. Enter and confirm the agent profile password.

    Do not use the web agent default value of this password. The web agent default value of this password is the password of the internal LDAP authentication user, commonly referred to as amldapuser.

    Device Status. The default status is Active, which allows the agent to authenticate and communicate with Access Manager server.

  5. Click Create.

    The list of agents appears.

  6. (Optional) Add a description to your newly created agent profile:

    1. Click the name of your newly created agent profile in the agent list.

    2. In the Description field, enter a brief description of the agent.

      For example, you can enter the agent instance name or the name of the application it is protecting.

    3. Click Save.

Updating the Web Agent Profile Name and Password

If you change the agent profile name and/or password in the Access Manager Console, you must assign the new value(s) to the corresponding properties in the web agent's AMAgent.properties configuration file.

Important. The agent profile name and password must have the same values on the Access Manager server and in the web agent's AMAgent.properties configuration file.

This task involves these basic steps:

  1. If you changed the agent profile name in the Console, add the new name to the com.sun.am.policy.am.username property in the web agent's AMAgent.properties configuration file.

  2. If you changed the agent profile password in the Console, encrypt the agent profile password using the encryption utility.

  3. Add the new encrypted agent profile password from the previous step to the com.sun.am.policy.am.password property in the web agent's AMAgent.properties configuration file.

Follow these steps, depending on your platform:

Procedure: To Update the Agent Profile Name and Agent Profile Password on UNIX and Linux Systems

This task applies to Solaris, Linux, and AIX systems.

  1. If you changed the agent profile name in the Console, update the following property in the web agent's AMAgent.properties configuration file:

    com.sun.am.policy.am.username=profile-name

    Replace the value of this property with the agent profile name you just updated in the Access Manager Console.

  2. If you changed the agent profile password in the Console, follow these steps:

    1. Change to the PolicyAgent-base/bin directory.

    2. Encrypt the agent profile password. For example:

      # ./crypt_util agent-profile-password

      where agent-profile-password represents the agent profile password you just updated in the Access Manager Console.

    3. Copy the output from the crypt_util command and use it as the value for the following property in the web agent's AMAgent.properties configuration file:

      com.sun.am.policy.am.password=encrypted-password
  3. Restart the IBM Lotus Domino 7.0 container.

Next Steps

To test the new password, try accessing a resource protected by the agent. If the agent redirects you to Access Manager for authentication, the password was changed properly.

Procedure: To Update the Agent Profile Name and Agent Profile Password on Windows Systems

  1. If you changed the agent profile name in the Console, update the following property in the web agent's AMAgent.properties configuration file:

    com.sun.am.policy.am.username=profile-name

    Replace the value of this property with the agent profile name you just updated in the Access Manager Console.

  2. If you changed the agent profile password in the Console, follow these steps:

    1. Change to the PolicyAgent-base/bin directory.

    2. Encrypt the agent profile password. For example:

      cryptit agent-profile-password

      where agent-profile-password represents the agent profile password you just updated in the Access Manager Console.

    3. Copy the output from the cryptit command and use it as the value for the following property in the web agent's AMAgent.properties configuration file:

      com.sun.am.policy.am.password=encrypted-password
  3. Restart the IBM Lotus Domino 7.0 container.

Next Steps

To test the new password, try accessing a resource protected by the agent. If the agent redirects you to Access Manager for authentication, the password was changed properly.
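The two platform procedures above both end with the same edit to AMAgent.properties: set com.sun.am.policy.am.username to the new profile name and com.sun.am.policy.am.password to the crypt_util or cryptit output. The following Python helper is an added example, not part of the Sun guide or the agent distribution; it applies that edit to a constructed sample file, refuses the default UrlAccessAgent and multi-byte names the Console does not accept, and assumes the caller has already produced the encrypted value with the platform's encryption utility (it never encrypts or writes a plaintext password itself).

```python
import re

USERNAME_KEY = "com.sun.am.policy.am.username"
PASSWORD_KEY = "com.sun.am.policy.am.password"
DEFAULT_AGENT_USER = "UrlAccessAgent"   # web agent default the guide says not to reuse

# Constructed sample of an AMAgent.properties file still carrying the defaults.
SAMPLE_PROPERTIES = """\
# AMAgent.properties (constructed sample, not a real agent file)
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = OLD-ENCRYPTED-VALUE-PLACEHOLDER
com.sun.am.naming.url = http://am.example.com:58080/amserver/namingservice
"""

def validate_profile_name(name: str) -> None:
    """Reject names the Console or agent will not accept: empty, default, multi-byte."""
    if not name:
        raise ValueError("agent profile name must not be empty")
    if name == DEFAULT_AGENT_USER:
        raise ValueError("do not use the web agent default value UrlAccessAgent")
    if not name.isascii():
        raise ValueError("multi-byte agent profile names are not accepted")

def set_agent_credentials(text: str, profile_name: str, encrypted_password: str) -> str:
    """Return the properties text with both credential properties set.
    encrypted_password must already be crypt_util/cryptit output; nothing is
    encrypted here. Comments and other lines are kept; missing keys are appended."""
    validate_profile_name(profile_name)
    if not encrypted_password:
        raise ValueError("encrypted password must not be empty")
    updates = {USERNAME_KEY: profile_name, PASSWORD_KEY: encrypted_password}
    seen, out = set(), []
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+)\s*=", line)   # '#' comment lines never match
        if m and m.group(1) in updates:
            out.append(f"{m.group(1)}={updates[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
    for key in (USERNAME_KEY, PASSWORD_KEY):
        if key not in seen:
            out.append(f"{key}={updates[key]}")
    return "\n".join(out) + "\n"

def uses_default_agent_user(text: str) -> bool:
    """True if the file still authenticates as the default UrlAccessAgent."""
    m = re.search(rf"^\s*{re.escape(USERNAME_KEY)}\s*=\s*(.*?)\s*$", text, re.M)
    return bool(m) and m.group(1) == DEFAULT_AGENT_USER
```

Run uses_default_agent_user over an agent's real AMAgent.properties to find installations that were never moved off the default credentials, then restart the Domino container after writing the updated text back.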