Sun GlassFish Web Space Server 10.0 Secure Web Access Add-On Guide

Creating an Agent Profile and a Policy Agent

As described in the OpenSSO policy agent documents or Access Manager policy agent documents, you need to create an agent profile on am.company.com before you configure the agent.

Install the downloaded J2EE policy agent on the web container where you have deployed the Gateway. The following examples illustrate how to configure the J2EE policy agent to protect the Gateway. The examples assume that you have deployed the Gateway on a web container installed on a host whose FQDN (fully qualified domain name) is gateway.company.com, and that the protocol and port are http and 8080 respectively. An existing OpenSSO or Access Manager installation on am.company.com is assumed, with protocol http and port 80.

Modify the agent's OpenSSOAgentConfiguration.properties (assuming the agent configuration is local) or the AMAgent.properties file as follows.

  1. In the FILTER OPERATION MODE section, add the following line:

    com.sun.identity.agents.config.filter.mode[gateway] = URL_POLICY

  2. In the LOGIN URL section, modify the following line:

    com.sun.identity.agents.config.login.url[0] = http://am.company.com:80/opensso/UI/Login

    • For OpenSSO:

      com.sun.identity.agents.config.login.url[0] = http://gateway.company.com:8080/gateway/http://am.company.com:80/opensso/UI/Login

    • For Access Manager:

      com.sun.identity.agents.config.login.url[0] = http://gateway.company.com:8080/gateway/http://am.company.com:80/amserver/UI/Login

  3. In the NOT-ENFORCED URI PROCESSING PROPERTIES section, modify the following line:

    com.sun.identity.agents.config.notenforced.uri[0] =

    • For OpenSSO:

      com.sun.identity.agents.config.notenforced.uri[0] = /gateway/http://am.company.com:80/opensso/*

    • For Access Manager:

      com.sun.identity.agents.config.notenforced.uri[0] = /gateway/http://am.company.com:80/amserver/*

  4. In the NOT-ENFORCED URI PROCESSING PROPERTIES section, add the following line:

    com.sun.identity.agents.config.notenforced.uri[1] =

    • For OpenSSO:

      com.sun.identity.agents.config.notenforced.uri[1] = /gateway/http://am.company.com/opensso/*

    • For Access Manager:

      com.sun.identity.agents.config.notenforced.uri[1] = /gateway/http://am.company.com/amserver/*

  5. If you are using a 3.0 agent, add the following lines:

    • com.sun.identity.agents.config.notenforced.uri[2] = /gateway/http://am.company.com:80/opensso/UI/Login?*

    • com.sun.identity.agents.config.notenforced.uri[3] = /gateway/http://am.company.com/opensso/UI/Login?*
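The steps above amount to three things: the Gateway application runs in URL_POLICY filter mode, the login URL is routed through the Gateway to the SSO server, and only the SSO server's own paths are listed as not-enforced. The following added example (not part of this guide or of the policy agent product) parses a properties file in the key[index] = value form shown above and checks those three points, flagging any not-enforced entry wider than the /opensso or /amserver paths, since a wider pattern would exempt proxied content from policy evaluation. The sample file contents are constructed from the lines in the procedure; the host names and the function and parameter names are assumptions for the demonstration.

```python
import re

# Constructed sample of the edited properties file (OpenSSO, 3.0 agent), built
# from the lines the procedure asks you to add. Not a file shipped with the product.
SAMPLE_PROPERTIES = """\
# FILTER OPERATION MODE
com.sun.identity.agents.config.filter.mode[gateway] = URL_POLICY
# LOGIN URL
com.sun.identity.agents.config.login.url[0] = http://gateway.company.com:8080/gateway/http://am.company.com:80/opensso/UI/Login
# NOT-ENFORCED URI PROCESSING PROPERTIES
com.sun.identity.agents.config.notenforced.uri[0] = /gateway/http://am.company.com:80/opensso/*
com.sun.identity.agents.config.notenforced.uri[1] = /gateway/http://am.company.com/opensso/*
com.sun.identity.agents.config.notenforced.uri[2] = /gateway/http://am.company.com:80/opensso/UI/Login?*
com.sun.identity.agents.config.notenforced.uri[3] = /gateway/http://am.company.com/opensso/UI/Login?*
"""

# Constructed counter-example: one extra entry exempts the whole Gateway context.
BROAD_PROPERTIES = SAMPLE_PROPERTIES + \
    "com.sun.identity.agents.config.notenforced.uri[4] = /gateway/*\n"

# key, optional [index], "=", value
LINE_RE = re.compile(r"^([\w.]+)(?:\[([^\]]*)\])?\s*=\s*(.*?)$")

MODE_KEY = "com.sun.identity.agents.config.filter.mode"
LOGIN_KEY = "com.sun.identity.agents.config.login.url"
NOTENF_KEY = "com.sun.identity.agents.config.notenforced.uri"
SSO_CONTEXTS = ("/opensso/", "/amserver/")   # OpenSSO and Access Manager


def parse_properties(text):
    """Map (key, index-or-None) -> value for every non-comment line."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = LINE_RE.match(line)
        if m:
            props[(m.group(1), m.group(2))] = m.group(3).strip()
    return props


def is_sso_only(uri, am_host, gateway_context):
    """True if a not-enforced pattern covers only the SSO server's own URLs,
    with or without the explicit :80 port (both spellings appear in the guide)."""
    for port in ("", ":80"):
        for ctx in SSO_CONTEXTS:
            if uri.startswith("%s/http://%s%s%s" % (gateway_context, am_host, port, ctx)):
                return True
    return False


def check_gateway_agent(text, am_host="am.company.com",
                        gateway_host="gateway.company.com:8080",
                        gateway_context="/gateway"):
    """Return a list of findings; an empty list means the file matches the guide."""
    props = parse_properties(text)
    findings = []

    # Step 1: the Gateway application must run in URL_POLICY filter mode.
    mode = props.get((MODE_KEY, "gateway"))
    if mode != "URL_POLICY":
        findings.append("filter.mode[gateway] is %r, expected URL_POLICY" % mode)

    # Step 2: the login URL must be rewritten to pass through the Gateway.
    login = props.get((LOGIN_KEY, "0"), "")
    expected_prefix = "http://%s%s/http://%s" % (gateway_host, gateway_context, am_host)
    if not login.startswith(expected_prefix):
        findings.append("login.url[0] does not go through the Gateway: %r" % login)

    # Steps 3-5: not-enforced URIs must name only the SSO server's own paths.
    uris = [v for (k, _), v in props.items() if k == NOTENF_KEY]
    if not uris:
        findings.append("no notenforced.uri entries: the login page itself would be policy-protected")
    for uri in uris:
        if not is_sso_only(uri, am_host, gateway_context):
            findings.append("over-broad not-enforced URI: %r" % uri)
    return findings


if __name__ == "__main__":
    for label, text in (("guide sample", SAMPLE_PROPERTIES), ("broad sample", BROAD_PROPERTIES)):
        print(label + ":", check_gateway_agent(text) or "OK")
```

Run it against your own edited file by reading the file into a string and passing it to check_gateway_agent with your real host names; the Access Manager variant of the procedure passes the same check because /amserver/ is accepted alongside /opensso/.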

In the case of OpenSSO and a 3.0 agent, if the agent configuration is centralized on the OpenSSO Enterprise server, navigate to the J2EE Agent Properties page in the OpenSSO Enterprise Console, and perform the following steps. For the steps to navigate in the OpenSSO Enterprise 8.0 Console to the J2EE Agent Properties, see http://docs.sun.com/app/docs/doc/820-4803/ghorc?a=view.

  1. In the Global tab, add the following new value to the Agent Filter Mode property:

    1. Map Key: gateway

    2. Corresponding Map Value: URL_POLICY

  2. Click ALL under Current Values and then click the Remove button.

    Restart the container where OpenSSO is installed.

  3. In the OpenSSO Services tab, change the OpenSSO Login URL property from http://am.company.com:80/opensso/UI/Login to http://gateway.company.com:8080/gateway/http://am.company.com:80/opensso/UI/Login.

  4. In the Application tab, add the following new values to the Not Enforced URIs property:

    • /gateway/http://am.company.com:80/opensso/*

    • /gateway/http://am.company.com:80/opensso/UI/Login?*

    • /gateway/http://am.company.com/opensso/*

    • /gateway/http://am.company.com/opensso/UI/Login?*

  5. Create a policy in am.company.com with rules to allow users to access at least the following resources:

    • http://gateway.company.com:8080/gateway/

    • http://gateway.company.com:8080/gateway/index.jsp

  6. If you are installing the Policy Agent on GlassFish, use the workaround described in http://docs.sun.com/app/docs/doc/820-2539/gbbje?a=view.

You can add more rules to open up access for the users. For more information about creating policies, see the policy agent documentation for OpenSSO at http://docs.sun.com/app/docs/coll/1767.1, or for Access Manager at http://docs.sun.com/app/docs/coll/1322.1.