Sun Java System Access Manager Policy Agent 2.2 Guide for BEA WebLogic Server 9.0/9.1

Conditional Post-Installation Steps for J2EE Agents in Policy Agent 2.2

Steps described in this section might be required, depending on your site's specific deployment.

Creating the Necessary URL Policies

If the agent is installed and configured to operate in the URL_POLICY mode or ALL mode, the appropriate URL policies must be created. For instance, if BEA WebLogic Server 9.0/9.1 is available on port 7001 using the HTTP protocol, at least one policy must be created to allow access to the following resource:

http://myhost.mydomain.com:7001/sampleApp/

where sampleApp is the context URI for the sample application.

If no policies are defined and the agent is configured to operate in the URL_POLICY mode or ALL mode, then no user is allowed access to BEA WebLogic Server 9.0/9.1 resources. See Sun Java System Access Manager 7 2005Q4 Administration Guide to learn how to create these policies using the Access Manager Console or command-line utilities.

Combining J2EE Agents With Access Manager

This is a conditional post-installation step that must be performed when the J2EE agent is installed on the same deployment container that hosts Access Manager. Note that Access Manager should be installed prior to the agent being installed. Therefore, the order to install these servers on the same machine is as follows:

  1. Deployment container

  2. Access Manager

  3. J2EE agent

This type of deployment not only requires the post-installation configuration step described in the next subsection; it also changes where the J2EE agent debug log files are stored. For more information, see Locating the J2EE Agent Debug Log Files for Policy Agent 2.2.

Configuring the J2EE Agent in Policy Agent 2.2 to Use the Remote Client SDK of Access Manager

After the J2EE agent is installed, it must use the Remote Client SDK provided by the Access Manager installation.

Modify the Access Manager configuration file, AMConfig.properties, by specifically adding the following entry, which contains the agent configuration location information:

com.sun.identity.agents.config.location = PolicyAgent-base/AgentInstance-Dir/config/AMAgent.properties

Locating the J2EE Agent Debug Log Files for Policy Agent 2.2

Installing the J2EE agent and Access Manager on the same deployment container changes the file to which the J2EE agent debug log entries are written. This change occurs because the location of the debug files is set in the properties configuration file. In this type of deployment, two configuration files exist on the same host. However, the Access Manager AMConfig.properties configuration file takes precedence over the J2EE agent AMAgent.properties configuration file.

When the J2EE agent and Access Manager are installed on separate hosts, the debug information is stored in the following directory:

PolicyAgent-base/AgentInstance-Dir/logs/debug

However, when the J2EE agent and Access Manager are installed on the same host, the agent-specific debug information is stored in the following Access Manager directory:

/var/opt/SUNWam/debug

Mapping Access Manager Roles to Principal Names

If you run this agent in J2EE_POLICY mode, map Access Manager roles to the principal names in the respective application's deployment descriptor file (or files).

Access Manager roles are represented as UUIDs. For more information on UUIDs, see the following:

A UUID for an Access Manager role is mapped to the respective principal name in the weblogic.xml file or the weblogic-ejb-jar.xml file. Specifically, the principal name is located within the <principal-name> element.

Mapping is established by setting the property com.sun.identity.agents.config.privileged.attribute.mapping[] in the J2EE agent AMAgent.properties configuration file.

Note –

Ensure that the keys in the mapping are UUIDs corresponding to your site's Access Manager installation. The values are the principal names in the weblogic.xml file or the weblogic-ejb-jar.xml file.


In previous releases of BEA WebLogic, this mapping is not required. The UUIDs representing Access Manager roles are used directly in the weblogic.xml file or the weblogic-ejb-jar.xml file as principal names.

However, in BEA WebLogic 9.0, a principal name within the weblogic.xml file or the weblogic-ejb-jar.xml file must be of the NMTOKEN format. This format is mandated by the corresponding schema files.

Access Manager UUIDs contain characters, such as the following:

These characters are not in NMTOKEN character sets. Therefore, the UUIDs representing Access Manager roles cannot be used directly as principal names. Instead, they must be mapped to characters in the NMTOKEN character set, which includes letters and digits as well as the following characters (period, hyphen, underscore, and colon):

The following examples, which use “\” as an escape character before the special character “=”, illustrate how this property can be set (each mapping is a single line in the properties file):

com.sun.identity.agents.config.privileged.attribute.mapping[id\=manager,ou\=role,dc\=iplanet,dc\=com] = am_manager_role
com.sun.identity.agents.config.privileged.attribute.mapping[id\=employee,ou\=role,dc\=iplanet,dc\=com] = am_employee_role

For more information on this property, see the mapping-related attributes in Privileged Attribute Processing Properties.
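The following added example (not part of the guide or the Policy Agent product) parses the mapping[...] entries from an AMAgent.properties file, unescaping the “\=” inside the UUID keys as described above, and checks that every principal name uses only the NMTOKEN characters this section lists (letters, digits, period, hyphen, underscore, colon; the full XML NMTOKEN set is wider, so this check is deliberately stricter). The properties text is constructed for illustration, and the function names are assumptions.

```python
import re

# Constructed sample of AMAgent.properties entries (not values from any real site).
# The second principal name contains a space, which is not an NMTOKEN character.
SAMPLE_PROPERTIES = r"""
# role-to-principal mappings
com.sun.identity.agents.config.privileged.attribute.mapping[id\=manager,ou\=role,dc\=iplanet,dc\=com] = am_manager_role
com.sun.identity.agents.config.privileged.attribute.mapping[id\=employee,ou\=role,dc\=iplanet,dc\=com] = am employee role
com.sun.identity.agents.config.privileged.attribute.enable = true
"""

MAPPING_PREFIX = "com.sun.identity.agents.config.privileged.attribute.mapping["
# NMTOKEN as described on this page: letters, digits, period, hyphen, underscore, colon.
NMTOKEN_RE = re.compile(r"^[A-Za-z0-9._:-]+$")


def split_key_value(line):
    """Split a properties line at the first '=' that is not backslash-escaped."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2  # skip the escaped character, e.g. the '=' inside a UUID
            continue
        if line[i] == "=":
            return line[:i].strip(), line[i + 1:].strip()
        i += 1
    return line.strip(), ""


def parse_role_mappings(text):
    """Return {uuid: principal_name} for every mapping[...] entry, with '\\=' unescaped."""
    mappings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, value = split_key_value(line)
        if not (key.startswith(MAPPING_PREFIX) and key.endswith("]")):
            continue
        uuid = key[len(MAPPING_PREFIX):-1].replace("\\=", "=")
        mappings[uuid] = value
    return mappings


def is_nmtoken(name):
    """True if the name uses only the NMTOKEN characters the WebLogic 9 schema requires."""
    return bool(NMTOKEN_RE.match(name))


def invalid_principal_names(mappings):
    """Principal names that would be rejected in weblogic.xml / weblogic-ejb-jar.xml."""
    return sorted(p for p in mappings.values() if not is_nmtoken(p))
```

Running invalid_principal_names(parse_role_mappings(SAMPLE_PROPERTIES)) flags "am employee role", while the raw UUID "id=manager,ou=role,dc=iplanet,dc=com" fails is_nmtoken, which is why the mapping is needed at all.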