Create a user in Access Manager.
Example user: wasagentuser
This user is the user ID to use while installing the agents and adding the custom user registry in the Deployment Manager (In this scenario, serverId would be wasagentuser). For more information on creating a user, see To Create or Modify a User in Sun Java System Access Manager 7.1 Administration Guide.
When you install the agent for IBM WebSphere Application Server, enter the same name in the agent-profile-name prompt that you have created for the user in this step. For example, wasagentuser. The following example prompt is from the agent installer and illustrates the proper response in this scenario:
Enter a valid agent profile name. Before proceeding with the agent installation, please ensure that a valid Agent profile exists in Access Manager. [ ? : Help, < : Back, ! : Exit ] Enter the Agent Profile name: wasagentuser
Create a role in Access Manager.
Example role: WasAgentRole
For more information on creating a role, see To Create or Modify a Role in Sun Java System Access Manager 7.1 Administration Guide.
Add the newly created user (wasagentuser) to the newly created role (WasAgentRole).
For more information about adding users to roles, see To Add Users to a Role or Group in Sun Java System Access Manager 7.1 Administration Guide.
Add the appropriate privilege to the newly created role (WasAgentRole).
The privilege to use varies according to the Access Manager version as follows:
Access Manager 7.0:
Assign the “Read only access to data stores” privilege to the newly created role (WasAgentRole).
Access Manager 7.1:
Assign the “Read and write access only for policy properties” privilege to the newly created role (WasAgentRole).
For more information about adding privileges to roles for Access Manager 7.1, see Defining Privileges for Access Manager 7.1 in Sun Java System Access Manager 7.1 Administration Guide or Defining Privileges for an Access Manager 7.0 to 7.1 Upgrade in Sun Java System Access Manager 7.1 Administration Guide.
Edit the Access Manager AMConfig.properties file to allow the agent to get a non-expiring SSO token to Access Manager
This step is required to get a non-expiring SSO token for the agent's self authentication to Access Manager.
You must edit the following property to include the distinguished name (DN) of the user (wasagentuser):
If you have a server farm, you must perform this step on all servers.
Use the legacy SDK DN not the universal UID of the user. For the example presented in this task, the appropriate setting is as follows:
com.sun.identity.authentication.special.users = cn=dsameuser, ou=DSAME Users, ROOT_SUFFIX|cn=amService-UrlAccessAgent, ou=DSAME Users, ROOT_SUFFIX|uid=dmgr,ou=people,ROOT_SUFFIX| uid=wasagentuser,ou=people,ROOT_SUFFIX
Where ROOT_SUFFIX is a place holder that represents the root suffix of the directory user management node. For example, dc=example, dc=com. Ensure that this suffix exists in the instance of the directory server you are using.
To find the DN of the user, you can issue an ldapsearch command with the following base:
And with the following filter:
Restart Access Manager.
Add the following properties and corresponding values to the J2EE agent AMAgent.properties configuration file:
com.sun.identity.agents.config.privileged.attribute.type = Group com.sun.identity.agents.config.privileged.attribute.tolowercase[Group] = false
This step has to be performed on all instances of Agent for IBM WebSphere Application Server that are participating in an agent farm or cluster.
Restart WebSphere Deployment Manager.
Synchronize all the nodes.
Now you can log in to the IBM WebSphere Network Deployment Server's Administration Console to allow authorization to Access Manager that would enable access to the applications deployed in an IBM WebSphere cluster.