Sun Java System Access Manager Policy Agent 2.2 Guide for Microsoft IIS 6.0 With Outlook Web Access 2007/SharePoint 2007

Appendix E Configuring the IIS 6.0 64-bit Agent With IIS 7.x With Office SharePoint Server 2007 on Windows Server 2008

The IIS 6.0 64-bit agent is supported on Microsoft® IIS 7.0 and IIS 7.5 with Office SharePoint Server 2007 on Windows Server 2008, 64-bit systems. To protect Office SharePoint Server 2007, the IIS 6.0 64-bit agent is deployed as an ISAPI filter.

You can deploy the IIS 6.0 64-bit agent with the following releases:

Downloading the IIS 6.0 64-bit Agent

Procedure: To Download the IIS 6.0 64-bit Agent

  1. Log in to the server where you want to install the IIS 6.0 64-bit agent.

  2. Download the agent distribution file from the following site:

  3. Unzip the agent distribution file. The unzipped files are in the following directory:

    AgentHome/web_agents/iis6_agent, where AgentHome is where you unzipped the file.

    For example: /opt/web_agents/iis6_agent

Configuring the IIS 6.0 64-bit Agent with IIS 7.x With Office SharePoint Server 2007

To configure the agent, you run the new CreateConfig.vbs script (rather than the IIS6CreateConfig.vbs script). The following configuration procedure enables the IIS 6.0 Authentication Filter to work with IIS 7.x on Windows 2008 64-bit systems.

Procedure: To Configure the IIS 6.0 Agent with Office SharePoint Server 2007

  1. Enable the IIS 6.0 compatibility features in IIS 7.x.

    If IIS 7.x is already installed and running, go to Server Manager > Select IIS Web Server Role > Add Role Services, and enable the following options. If IIS 7.x is not installed, go to Server Manager > Add Role > Select Web Server (IIS), and then in the Web Server window, select these options:

    • IIS Web server role > Application Development > ISAPI Extensions

    • IIS Web server role > Application Development > ISAPI Filters

    • IIS Web server role > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility

  2. Run the CreateConfig.vbs script to generate the agent configuration file.

    The CreateConfig.vbs script is in the PolicyAgent-base\bin directory. This script works similarly to the IIS6CreateConfig.vbs script, except that the new configuration file has an empty value for @AGENT_ENCRYPTED_PASSWORD@. You must generate the password as described in the next step.

    For example, to run the CreateConfig.vbs script:

    cscript CreateConfig.vbs configuration-file-name
    

    When the script prompts you, provide the following values (or accept the default values):

    Policy Agent Prompts

    • Agent Resource File Name. Default: IIS6Resource.en

    • Fully Qualified Host Name. For example: agent-host.example.com

    • Site Name (Site Id). Default Web Site (1)

    • Agent Protocol. Default: http

    • Agent Port Number. Default: 80

    • Agent Deployment URI. Default: /amagent

    Access Manager or OpenSSO Enterprise Prompts

    • Primary Server Host. For example: amhost.example.com

    • Primary Server Protocol. Default: http

    • Primary Server Port Number. Default: 58080

    • Primary Server Deployment URI. Default: /amserver

    • Primary Server Console URI. Default: /amconsole

  3. Generate the encrypted agent profile password:

    1. Encrypt the plain text password using the cryptit.exe utility.

      The cryptit.exe utility is in the PolicyAgent-base\bin directory. For example:

      cryptit.exe agent-profile-password-in-plain-text
      
    2. Copy the encrypted password generated in Step 2 into the agent configuration file:

      @AGENT_ENCRYPTED_PASSWORD@ = encrypted-agent-profile-password
      
  4. Also, in the agent configuration file, set the agent profile name by replacing UrlAccessAgent with the actual agent profile name. For example:

    @AGENT_PROFILE_NAME@ = agent-profile-name
    
  5. Run the SPAdmin.vbs script using the configuration file to install the SharePoint Server 2007 filter.

    The SPAdmin.vbs script is in the PolicyAgent-base\bin directory. For example:

    cscript SPAdmin.vbs -config configuration-file-name
    
  6. Generate the replay password key using DESGenKey.class.

    • For Access Manager 7.x deployments:

      # java -classpath am_sdk.jarPath/am_sdk.jar com.sun.identity.common.DESGenKey

      where am_sdk.jarPath is the complete path to the am_sdk.jar file.

    • For OpenSSO Enterprise deployments:

      # java -classpath amserver.jarPath/amserver.jar com.sun.identity.common.DESGenKey

      where amserver.jarPath is the complete path to the amserver.jar file.

    Executing DESGenKey.class returns a string as output. For example: c1QBAWv7vHk=

  7. If you are using the agent with Access Manager, add the replay password key to the AMConfig.properties file. For example:

    com.sun.am.replaypasswd.key = c1QBAWv7vHk=

    If you are using the agent with OpenSSO Enterprise, add the key in the OpenSSO Administration console:

    1. Log in to the OpenSSO Administration console.

    2. Click Configuration, Servers and Sites, and then the server-name.

    3. Click Advanced and add the following properties:

      • com.sun.am.replaypasswd.key with the replay password key value. For example:

        com.sun.am.replaypasswd.key = c1QBAWv7vHk=

      • com.sun.am.sharepoint_login_attr_name with an attribute name in the user repository used by SharePoint Server 2007 to authenticate. For example:

        com.sun.am.sharepoint_login_attr_name = displayName

      Note. Ignore any warnings after you add these keys.

    4. Click Save.

  8. Configure the post-authentication plug-in as follows:

    1. Log in to Access Manager or OpenSSO Administration Console as amadmin.

    2. Access the Authentication Post Processing Classes field, depending on the version you are using:

      • Access Manager 7.x: Click Access Control, realm-name, Authentication, Advanced Properties, and then scroll down to Authentication Post Processing Classes.

      • OpenSSO Enterprise 8.0: Click Access Control, Top Level Realm, Authentication, Advanced Properties, and then scroll down to Authentication Post Processing Classes.

    3. Add com.sun.identity.authentication.spi.ReplayPasswd to the Authentication Post Processing Classes.

    4. Click Save and log out of the Console.

  9. Restart the Access Manager or OpenSSO Enterprise server.

  10. In the agent's AMAgent.properties file, add the com.sun.am.replaypasswd.key property. For example:

    com.sun.am.replaypasswd.key = c1QBAWv7vHk=

  11. For IIS 7.x web sites where the filter is configured, set the authentication method as Basic Authentication.

  12. If required for your deployment, set the NSPR_NATIVE_THREADS_ONLY system environment variable to 1 for NSPR threads.

  13. Restart the IIS 7.x server.
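
The following pre-restart check is an added example, not part of this guide or the agent distribution. It verifies that the placeholders from steps 3 and 4 were filled in and that the replay password key is well formed and identical on the server and agent sides. It assumes the files are flat name = value lines and that the key is Base64 for an 8-byte DES key, as the sample value above is; the function names and sample inputs are constructed for illustration.

```python
import base64
import binascii

KEY = "com.sun.am.replaypasswd.key"

def parse_props(text):
    """Parse 'name = value' lines; '#' comments and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)  # split once: Base64 values end in '='
        props[name.strip()] = value.strip()
    return props

def check_deployment(agent_config, server_props, agent_props):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    cfg = parse_props(agent_config)
    if not cfg.get("@AGENT_ENCRYPTED_PASSWORD@"):
        findings.append("@AGENT_ENCRYPTED_PASSWORD@ is empty (step 3 not done)")
    if cfg.get("@AGENT_PROFILE_NAME@", "UrlAccessAgent") == "UrlAccessAgent":
        findings.append("@AGENT_PROFILE_NAME@ is still UrlAccessAgent (step 4)")
    server_key = parse_props(server_props).get(KEY)
    agent_key = parse_props(agent_props).get(KEY)
    for where, value in (("server", server_key), ("agent", agent_key)):
        if not value:
            findings.append(f"{KEY} missing on the {where} side")
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except binascii.Error:
            findings.append(f"{KEY} on the {where} side is not valid Base64")
            continue
        if len(raw) != 8:  # assumption: DES key, 8 bytes, like the guide's sample
            findings.append(f"{KEY} on the {where} side is {len(raw)} bytes, not 8")
    if server_key and agent_key and server_key != agent_key:
        findings.append(f"{KEY} differs between server and agent")
    return findings  # findings never include the key value itself

# Constructed sample input (not from a real deployment).
SAMPLE_CONFIG = "@AGENT_PROFILE_NAME@ = UrlAccessAgent\n@AGENT_ENCRYPTED_PASSWORD@ =\n"
SAMPLE_SERVER = "com.sun.am.replaypasswd.key = c1QBAWv7vHk=\n"
SAMPLE_AGENT = "com.sun.am.replaypasswd.key = c1QBAWv7vHk\n"  # trailing '=' lost in copy

if __name__ == "__main__":
    for finding in check_deployment(SAMPLE_CONFIG, SAMPLE_SERVER, SAMPLE_AGENT):
        print("FAIL:", finding)
```

Pass the contents of the agent configuration file, the server-side properties (AMConfig.properties or an export of the console's advanced properties), and the agent's AMAgent.properties.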