Sun OpenSSO Enterprise Policy Agent 3.0 Guide for Sun Java System Web Server 7.0

Using SSL With the Web Server 7.0 Agent (Optional)

If you specify the https protocol for the OpenSSO Enterprise server during the Web Server 7.0 agent installation, the agent is automatically configured to communicate with the OpenSSO Enterprise server over Secure Sockets Layer (SSL). To confirm that the Web Server 7.0 agent is correctly configured for SSL communication with the server, perform the following tasks:

Procedure: To Install the OpenSSO Enterprise Root CA Certificate on a Remote Web Server 7.0 Instance

  1. Install the root CA certificate on the remote Web Server 7.0 instance. It must be the same root CA certificate that is installed on the OpenSSO Enterprise server.

    To install the OpenSSO Enterprise root CA certificate on Web Server 7.0, see the Web Server 7.0 Update 3 documentation: http://docs.sun.com/coll/1653.3

Procedure: To Configure Notifications for the Web Server 7.0 Agent

  1. Add the Web Server 7.0 root CA certificate to the OpenSSO Enterprise certificate database.

  2. Mark the root CA certificate as trusted to enable OpenSSO Enterprise to successfully send notifications to the Web Server 7.0 agent.

Procedure: To Disable the Trust Behavior of the Web Server 7.0 Agent

By default, an agent installed on a remote Web Server 7.0 instance trusts any server certificate presented over SSL by the OpenSSO Enterprise host; it does not validate that certificate against a root CA certificate. If the OpenSSO Enterprise host is SSL-enabled and you want the Web Server 7.0 agent to perform certificate checking, disable this trust behavior as follows.

  1. In the Web Server 7.0 agent's OpenSSOAgentBootstrap.properties file, set the following properties, depending on the requirements for your deployment.

    Note: These properties have new names for version 3.0 web agents.

    • Disable the option to trust any server certificate sent over SSL by the OpenSSO Enterprise host:

      com.sun.identity.agents.config.trust.server.certs = false

    • Set the certificate database directory. For example:

      com.sun.identity.agents.config.sslcert.dir = /var/opt/SUNWwbsvr7/https-agent-host.example.com/config

    • If the certificate database directory has multiple certificate databases, set the following property to the prefix of the database you want to use. For example:

      com.sun.identity.agents.config.certdb.prefix = https-agent-host.example.com.host-

    • Set the certificate database password:

      com.sun.identity.agents.config.certdb.password = password

    • Set the certificate database alias:

      com.sun.identity.agents.config.certificate.alias = alias-name
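The following audit script is an added example and is not part of the guide or the agent distribution. It reads an OpenSSOAgentBootstrap.properties file, reports when the agent is still set to trust any server certificate (the property names are the ones listed above; treating an unset property as the default trusting behavior is an assumption based on the description of that default), and, once trust is disabled, checks that the certificate-database properties the agent then depends on are present. The two sample files are constructed.

```python
TRUST_KEY = "com.sun.identity.agents.config.trust.server.certs"
# Properties the agent needs once it stops trusting every server certificate.
REQUIRED_WHEN_CHECKING = (
    "com.sun.identity.agents.config.sslcert.dir",
    "com.sun.identity.agents.config.certdb.password",
    "com.sun.identity.agents.config.certificate.alias",
)

def parse_properties(text):
    """Minimal Java .properties reader: key = value lines, # and ! comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit_ssl_trust(props):
    """Return a list of findings; an empty list means certificate checking is
    enabled and the properties it depends on are all set."""
    findings = []
    # Assumption: an unset property means the default behavior, which trusts any cert.
    trust = props.get(TRUST_KEY, "true").lower()
    if trust != "false":
        findings.append(f"{TRUST_KEY} is '{trust}': agent accepts any server certificate over SSL")
        return findings
    for key in REQUIRED_WHEN_CHECKING:
        if not props.get(key):
            findings.append(f"{key} is not set; agent cannot locate the certificate database")
    return findings

# Constructed sample files (not taken from a real deployment).
WEAK = """\
# agent bootstrap, constructed sample: still trusts every server certificate
com.sun.identity.agents.config.trust.server.certs = true
"""
HARDENED = """\
com.sun.identity.agents.config.trust.server.certs = false
com.sun.identity.agents.config.sslcert.dir = /var/opt/SUNWwbsvr7/https-agent-host.example.com/config
com.sun.identity.agents.config.certdb.prefix = https-agent-host.example.com.host-
com.sun.identity.agents.config.certdb.password = CHANGE-ME-placeholder
com.sun.identity.agents.config.certificate.alias = alias-name
"""
if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_ssl_trust(parse_properties(text)) or ["OK"])
```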