The steps described in this task are required after you perform the pre-installation steps for the basic installation on Microsoft IIS 6.0 as described in Preparing To Install Agent for Microsoft IIS 6.0.
These additional pre-installation steps are necessary to deploy a post-authentication module on Access Manager. In order to achieve SSO with Microsoft SharePoint or Outlook Web Access using Agent for Microsoft IIS 6.0, Access Manager must send the password to the agent. This requires a post-authentication module to be deployed on Access Manager. The post-authentication module encrypts users' passwords and sends them to Agent for Microsoft IIS 6.0.
Perform the steps in this task on the Access Manager host.
If you are installing Agent for Microsoft IIS 6.0 to protect Outlook Web Access, prior to installing the agent, ensure that the user repositories in Access Manager and Microsoft Exchange Server are synchronized. For this scenario, Microsoft Exchange Server and the Access Manager LDAP v3 plug-in can point to the same Active Directory.
The following information about Access Manager is helpful for this task:
AccessManager-base represents the Access Manager base installation directory. On Solaris systems, the default base installation directory is /opt/SUNWam.
The following is the default location of the AMConfig.properties file:
Set the JAVA_HOME variable to the location used to install Access Manager.
(Conditional) If the files DESGenKey.java and ReplayPasswd.java are not bundled with the Access Manager binaries (see the explanation within this step for details) obtain and compile them. Otherwise, skip to the next step.
The DESGenKey.java file is a key generator while the ReplayPasswd.java file is a plug-in.
The availability of DESGenKey.class and ReplayPasswd.class varies according to the Access Manager version. The following list indicates which versions of Access Manager have these classes bundled with them and which versions do not.
Versions that bundle the classes (no compilation needed; skip to the next step):
Access Manager 7.0 series from Patch 5 forward
Access Manager 7.1 series from Patch 1 forward
Versions that do not bundle the classes (obtain and compile the source files as described below):
Any version of the Access Manager 7.0 series prior to Patch 5
Access Manager 7.1 without Patch 1
You can obtain the files DESGenKey.java and ReplayPasswd.java by contacting Sun technical support.
Download the files DESGenKey.java and ReplayPasswd.java to the following directory:
Change to the following directory:
Compile ReplayPasswd.java and DESGenKey.java as follows:
# javac -classpath AccessManager-base/lib/am_services.jar:AccessManager-base/lib/am_sdk.jar:AccessManager-base/lib/servlet.jar ReplayPasswd.java DESGenKey.java
Execute DESGenKey.class as follows, depending on whether the class is bundled with your Access Manager version or you compiled it from the downloaded source:
Bundled with Access Manager (the packaged class must be on the Java classpath):
# java com.sun.identity.common.DESGenKey
Compiled from the downloaded source, run from the directory that holds DESGenKey.class:
# java DESGenKey
Executing DESGenKey.class prints a single string: the DES key that the post-authentication plug-in uses to encrypt users' passwords before sending them to the agent. Treat this string as a secret from this point on.
Save the string produced in the previous step to a newly created text file named des_key.txt (the file name the following step refers to).
Configure the com.sun.am.replaypasswd.key property in the AMConfig.properties configuration file as described in the substeps that follow.
Open the AMConfig.properties configuration file.
Add the com.sun.am.replaypasswd.key property to the file.
Copy the string from the des_key.txt file.
Add the copied string as the value of the com.sun.am.replaypasswd.key property.
For example, if the string in the des_key.txt file is wuqUJyr=5Gc=, then the new property would be set as follows:
com.sun.am.replaypasswd.key = wuqUJyr=5Gc=
The key is symmetric: anyone who can read it can decrypt every password the plug-in replays. Restrict read access to AMConfig.properties and des_key.txt to the user that runs Access Manager, and remove des_key.txt once the property is set.
Configure a property specific to Microsoft Office SharePoint or Outlook Web Access in the AMConfig.properties file as described in the substeps that follow.
Add the respective property and corresponding value to the file as indicated:
Microsoft Office SharePoint:
Add the following property and value if you are installing the agent for Microsoft Office SharePoint:
com.sun.am.sharepoint_login_attr_name = SharePoint-login-value
where SharePoint-login-value is a placeholder that you must replace with the name of the LDAP attribute that holds the login name. The attribute must exist in both Access Manager and Microsoft Office SharePoint Server.
For example if the actual value of SharePoint-login-value is login, the following would be the setting for this property:
com.sun.am.sharepoint_login_attr_name = login
Outlook Web Access:
Add the following property and value if you are installing the agent for Outlook Web Access:
com.sun.am.iis_owa_enabled = true
Save and close the AMConfig.properties file.
Restart Access Manager.
Deploy the post-authentication plug-in, ReplayPasswd, as described in the substeps that follow.
This step requires the use of Access Manager Console.
Log in to Access Manager as amadmin.
With the Access Control tab selected, click the name of the realm you wish to configure.
Click the Authentication tab.
Click Advanced Properties.
The Advanced Properties button is in the General section.
Scroll down to the Authentication Post Processing Classes field.
In the Authentication Post Processing Classes field, enter the class name that matches your Access Manager version:
For versions that bundle the class (Access Manager 7.0 from Patch 5 forward, 7.1 from Patch 1 forward), enter the following: com.sun.identity.authentication.spi.ReplayPasswd
For versions in which you compiled ReplayPasswd.java from the downloaded source, enter the following: ReplayPasswd
Scroll up to click Save.
Click Log Out to log out of the Access Manager Console.
Verify the deployment of the post-authentication plug-in, ReplayPasswd, as described in the substeps that follow.
Stop Access Manager.
Access the AMConfig.properties configuration file.
Note the value of the following property before changing it to message, as indicated:
com.iplanet.services.debug.level = message
You must change this value back to its original value at the completion of this step.
Save and close the file.
Start Access Manager.
Log in to Access Manager Console.
Again use amadmin.
Click Log Out to immediately log out of the Access Manager Console.
Change to the directory that holds the Access Manager debug log files.
The default location of the debug log files is /var/opt/SUNWam/debug.
Verify the existence of a file named ReplayPasswd.
The existence of this file indicates the successful deployment of the post-authentication plug-in.
Reset the debug value to its original value.
Restart Access Manager.
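The AMConfig.properties edits in the key-configuration step above (setting com.sun.am.replaypasswd.key from des_key.txt) and in this verification step (switching com.iplanet.services.debug.level to message and putting it back) are easy to get wrong by hand: a duplicate property line, a stray space around the key, or a debug level left at message on a production host. The following POSIX shell helpers are added here as an illustration; they are not part of Access Manager or the agent. They assume the "name = value" layout shown on this page, that the current working copy of AMConfig.properties is passed in as the first argument, and that they run as the user that owns the file. Stopping and starting Access Manager around the edits remains a manual step.

```shell
#!/bin/sh
# Added helpers for the AMConfig.properties edits in this task (illustrative,
# not Sun code). Assumes Java .properties layout: "name = value", one per line.

# Print the value of a property (last definition wins; empty if unset).
get_property() {
    # $1 = properties file, $2 = property name
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # "." is literal in the name
    sed -n "s/^[[:space:]]*$esc[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Set a property in place, replacing every existing definition so that only
# one survives, or appending it if absent. The untouched original is kept
# once as <file>.orig. Writing back with "cat >" preserves owner and mode.
set_property() {
    # $1 = properties file, $2 = property name, $3 = value
    file=$1; name=$2; value=$3
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig"
    esc=$(printf '%s' "$name" | sed 's/\./\\./g')
    # Escape what is special in a sed replacement. A key string such as
    # wuqUJyr=5Gc= or one containing "/" passes through unchanged because
    # "|" is the delimiter in the substitution below.
    val=$(printf '%s' "$value" | sed 's/[\\&|]/\\&/g')
    if grep -q "^[[:space:]]*$esc[[:space:]]*=" "$file"; then
        tmp=$(mktemp)
        sed "s|^[[:space:]]*$esc[[:space:]]*=.*|$name = $val|" "$file" > "$tmp"
        cat "$tmp" > "$file"
        rm -f "$tmp"
    else
        printf '%s = %s\n' "$name" "$value" >> "$file"
    fi
}

# Remove every definition of a property.
unset_property() {
    # $1 = properties file, $2 = property name
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    tmp=$(mktemp)
    sed "/^[[:space:]]*$esc[[:space:]]*=/d" "$1" > "$tmp"
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# Install the key string produced by DESGenKey (saved in des_key.txt) as
# com.sun.am.replaypasswd.key after a sanity check on its characters, then
# lock the key file down so only its owner can read it.
install_replay_key() {
    # $1 = properties file, $2 = des_key.txt
    key=$(sed -n '1p' "$2" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    case $key in
        '' | *[!A-Za-z0-9+/=]*)
            echo "install_replay_key: $2 does not hold a usable key string" >&2
            return 1 ;;
    esac
    set_property "$1" com.sun.am.replaypasswd.key "$key"
    chmod 600 "$2"
}

# Run a command with com.iplanet.services.debug.level temporarily set to
# "message" and restore the previous setting afterwards whether or not the
# command succeeds: the restore step the verification procedure warns about.
# If the property was absent before, it is removed again rather than guessed.
with_debug_level_message() {
    # $1 = properties file, remaining arguments = command to run in between
    file=$1; shift
    prev=$(get_property "$file" com.iplanet.services.debug.level)
    set_property "$file" com.iplanet.services.debug.level message
    status=0
    "$@" || status=$?
    if [ -n "$prev" ]; then
        set_property "$file" com.iplanet.services.debug.level "$prev"
    else
        unset_property "$file" com.iplanet.services.debug.level
    fi
    return $status
}
```

Typical use is install_replay_key on the stopped instance's AMConfig.properties, then, for the verification step, with_debug_level_message wrapping a small script that starts Access Manager, performs the amadmin log-in and log-out, checks for the ReplayPasswd debug file, and stops the instance again; the debug level is back to its previous value when the wrapper returns, and the exit status of the wrapped command is passed through.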
(Conditional) If you are installing this agent to protect Outlook Web Access, edit the idle session timeout page as described in the substeps that follow.
This step is implemented for deployments where the agent establishes SSO with Outlook Web Access. It does not apply to Microsoft Office SharePoint. Outlook Web Access runs in multiple frames. If this step is not implemented and a session timeout occurs, the session timeout page fills the entire browser window instead of just a single frame. Implementing this step directs the session timeout page, when issued, to fill only a single frame.
Make a backup copy of the idle session timeout page.
The idle session timeout page is typically the session_timeout.jsp file. You must locate the file on the Access Manager host. Be aware that the name and location of this file can vary. For example, for Access Manager 7.0, this file is located in the following directory:
where FQDN is a placeholder for the fully qualified domain name of the Access Manager instance you are configuring.
Open the idle session timeout page.
Add the script that follows between the tags <head> and </head>:
Search for the following line and replace it as indicated by the example that follows.
Replace this line:
<auth:href name="LoginURL" fireDisplayEvents='true'><jato:text name="txtGotoLoginAfterFail" /></auth:href>
with this line:
<a href="#" onClick="redirect(); return false;"><jato:text name="txtGotoLoginAfterFail" /></a>
Restart Access Manager.