Sun Java System Access Manager Policy Agent 2.2 Guide for Sun Java System Application Server 8.2/9.0/9.1

Previous: Chapter 3 Installing the Policy Agent for Application Server 8.2/9.0/9.1
Next: Chapter 5 Managing Policy Agent 2.2 for Application Server 8.2/9.0/9.1

Chapter 4 Post-Installation Tasks for the Application Server 8.2/9.0/9.1 Agent

This chapter describes post-installation considerations and tasks, including:

After completing the applicable tasks described in this chapter, perform the tasks to configure the agent to your site's specific needs as explained in Chapter 5, Managing Policy Agent 2.2 for Application Server 8.2/9.0/9.1.

Deploying the Agent Application

The task described in this section is required. Deploy the URI for the agent application using the deployment container. The agent application is a housekeeping application used by the agent for notifications and other internal functionality. This application is bundled with the agent binaries and can be found at the following location:

PolicyAgent-base/etc/agentapp.war

For more information about base directory (PolicyAgent-base), see Application Server 8.2/9.0/9.1 Agent Directory Structure.

The agentapp application is deployed as a post-installation step. In order for the agent to function correctly, this application must be deployed on the agent-protected deployment container instance using the same URI that was supplied during the agent installation process. For example during the installation process, if you entered /agentapp as the deployment URI for the agent application, then use that same context path to deploy the .war file in the deployment container.

Using the administration console or command-line utilities of your deployment container, deploy this application using the Application Context Path as the URI specified during agent installation.

Post-Installation Steps for the Application Server 8.2/9.0/9.1 Agent

Once you have installed Policy Agent 2.2 for Application Server 8.2/9.0/9.1 and you have performed the post-installation steps that apply to all J2EE agents in the Policy Agent 2.2 release, complete the following agent-specific steps.

Installing the Agent Filter for the Application Server 8.2/9.0/9.1 Agent

The agent filter must be installed by modifying the deployment descriptor of each application to be protected.

To Install the Agent Filter for the Deployed Application on Agent for Application Server 8.2/9.0/9.1

The following steps explain how to install the agent filter for an application you want the agent to protect.

Ensure that the application is not currently deployed on Application Server 8.2/9.0/9.1.

If it is currently deployed, undeploy it before proceeding any further.

Create the necessary backups before proceeding to modify these descriptors.

Since you will modify the deployment descriptor in the next step, creating backup files at this point is important.

Edit the application's web.xml descriptor as follows:

Set the <DOCTYPE> element as shown in the following code example:

<!DOCTYPE web-app version="2.4"
 xmlns="http://java.sun.com/xml/ns/j2ee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee 
http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">

Application Server 8.2/9.0/9.1 supports the Java Servlet Specification version 2.4.

Note that Servlet API version 2.4 is fully backward compatible with version 2.3. Therefore, all existing servlets should work without modification or recompilation. For more information, see, the Sun Java System Application Server Developer's Guide.

Edit the application's web.xml descriptor.

Add the <filter> elements in the deployment descriptor. Do this by specifying the <filter>, <filter-mapping>, and <dispatcher> elements immediately following the description element of the <web-app> element in the descriptor web.xml. The following code example displays a sample web.xml descriptor with the <filter>, <filter-mapping>, and <dispatcher> elements added.

<web-app>
..
..	
    <filter>
        <filter-name>Agent</filter-name>
        <filter-class> com.sun.identity.agents.filter.AmAgentFilter </filter-class>
    </filter>
    <filter-mapping>
        <filter-name>Agent</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>
..
..
</web-app>

Next Steps

You have the option of protecting your application with J2EE declarative security. For more information, seeEnabling Web-Tier Declarative Security in J2EE Agents.

Furthermore, you can learn more about protecting your application with J2EE declarative security by deploying the sample application. Visit the PolicyAgentBase/sampleapp directory to learn how to build and deploy an application. The sampleapp application is not a full fledged J2EE application. Rather it is a simple application that provides you with a quick reference to application specific deployment descriptors and various deployment modes of a J2EE agent. Once you successfully deploy sampleapp and test all of its features, you can use it as a reference to other applications that will be protected by the J2EE agent.

Once the web.xml deployment descriptor is modified to reflect the new <DOCTYPE> and <filter> elements, the agent filter is added to the application. You can now redeploy your application on Application Server 8.2/9.0/9.1.

Note –

Ensure that role-to-principal mappings in container specific deployment descriptors are replaced with Access Manager roles or principals. You can retrieve Access Manager roles or principals for Access Manager 7.1 by issuing the agentadmin --getUuid command. For more information on the agentadmin --getUuid command, see agentadmin --getUuid.

You can also retrieve the universal ID for the user (UUID) using Access Manager 7.1 Console to browse the user profile.

Conditional Post-Installation Steps for the Application Server 8.2/9.0/9.1 Agent

The following steps might be required, depending on your site's specific deployment:

Updating the Agent Profile

The agent profile is created and updated in Access Manager Console. The agent profile should originally be created prior to installing an agent. However, after you install a J2EE agent, you can update the agent profile at anytime. If you do update the agent profile in Access Manager Console, you must then configure the J2EE agent accordingly as described in this section.

To Update the Agent Profile for J2EE Agents in Policy Agent 2.2

Before You Begin

Change the agent profile in Access Manager using Access Manager Console. For more information about the agent profile, see Creating a J2EE Agent Profile.

Change the password in the password file to match the new password you just created in Access Manager Console as a part of the agent profile.

The password file should originally have been created as a J2EE agent pre-installation task. For more information about pre-installation, seePreparing to Install the Application Server 8.2/9.0/9.1 Agent.

In the command line, issue the agentadmin --encrypt command to encrypt the new password.

For more information on this command, see agentadmin --encrypt.

Access the J2EE agent AMAgent.properties configuration file at the following location:
```
PolicyAgent-base/AgentInstance-Dir/config
```

In this configuration file, edit the property for the agent ID to match the new ID in the agent profile as follows:
```
com.sun.identity.agents.app.username = agentID
```
where agentID represents the new agent ID that you created for the agent profile in Access Manager Console.

Edit the property for the agent password as follows:
```
com.iplanet.am.service.secret = encryptedPassword
```
where encryptedPassword represents the new encrypted password you created when you issued the agentadmin --encrypt command.

Restart the J2EE agent container.

The container needs to be restarted because neither property that you edited in this task is hot-swap enabled.

Creating the Necessary URL Policies

If the agent is installed and configured to operate in the URL_POLICY mode or ALL mode, the appropriate URL policies must be created. For instance, if Application Server 8.2/9.0/9.1 is available on port 8080 using HTTP protocol, at least a policy must be created to allow access to the following resource:

http://myhost.mydomain.com:8080/sampleApp/

where sampleApp is the context URI for the sample application.

If no policies are defined and the agent is configured to operate in the URL_POLICY mode or ALL mode, then no user is allowed access to Application Server 8.2/9.0/9.1 resources. See Sun Java System Access Manager 7.1 Administration Guide to learn how to create these policies using the Access Manager Console or command-line utilities.