Sun OpenSSO Enterprise 8.0 Administration Guide

Chapter 6 Storing Policy Agent and Web Services Security Agent Profiles

OpenSSO Enterprise offers a centralized configuration interface for remote policy agent profiles and web services security related information. The profiles are stored in the embedded configuration data store and managed by an administrator using the OpenSSO Enterprise console. This chapter contains the following sections:

Centralizing Agent Profiles

OpenSSO Enterprise leverages its embedded configuration data store for centralizing the storage of remote policy agent profiles and web services security related information. By moving this configuration data to OpenSSO Enterprise, an administrator can use the console or the command line interface tools to manage the properties and values. Any configuration changes to the hot-swappable properties are conveyed immediately. The following sections have more information on the agent profiles that can be configured.

Attribute descriptions for the agent profiles are in Chapter 5, Centralized Agent Configuration Attributes, in Sun OpenSSO Enterprise 8.0 Administration Reference.

Web Policy Agent Profile

Values for the configuration properties of a web policy agent can be defined using OpenSSO Enterprise if, during the web policy agent profile creation, centralized configuration was chosen. If local configuration was selected, the properties related to this policy agent profile must be modified directly in the OpenSSOAgentConfiguration.properties file in the agent installation directory on the agent's host machine. For detailed information on web policy agents, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents.

J2EE Policy Agent Profile

Values for the configuration properties of a J2EE policy agent can be defined using OpenSSO Enterprise if, during the J2EE policy agent profile creation, centralized configuration was chosen. If local configuration was selected, the properties related to this agent must be modified directly in the OpenSSOAgentConfiguration.properties file in the agent installation directory on the agent's host machine. For detailed information on J2EE policy agents, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for J2EE Agents.

Web Service Provider Security Agent Profile

The Web Service Provider (WSP) security agent profile stores the configuration data related to validating a request from a web service client and securing the response returned by the WSP. The data includes the WSP's supported security mechanisms, keystore locations, SAML configurations and endpoints. The WSP agent profile also has a mechanism to authenticate against OpenSSO Enterprise to generate a session for the WSP. For more information, see Part IV, The Web Services Stack, Identity Services, and Web Services Security, in Sun OpenSSO Enterprise 8.0 Technical Overview.

Out of the box, wsp is the default WSP security agent profile. Additional profiles can be defined with the profile name dependent on the endpoint of the service defined in the web service provider's WSDL file. (The security agent searches based on the endpoint.) This allows multiple web service providers to use the same configuration data store. The name of the web service provider must be unique across all agents.


Caution –

The Group functionality is not supported with the Web Service Provider Security Agent Profile.


Web Service Client Security Agent Profile

The Web Service Client (WSC) security agent profile stores the configuration data related to securing a request from a WSC and validating the request when received by the WSP. The data includes the WSP's supported security mechanisms, keystore locations, SAML configurations, signing and encryption instructions, and endpoints. It also defines whether an end user token should be generated. For more information, see Part IV, The Web Services Stack, Identity Services, and Web Services Security, in Sun OpenSSO Enterprise 8.0 Technical Overview.

Out of the box, wsc is the default WSC security agent profile. Additional profiles can be defined with the profile name dependent on the service name defined in the web service client's WSDL file. (The security agent searches based on the service name.) This allows multiple web service clients to use the same configuration data store. The name of the web service client must be unique across all agents.


Caution –

The Group functionality is not supported with the Web Service Client Security Agent Profile.


STS Client Agent Profile

The Security Token Service (STS) Client agent profile stores the configuration data related to securing an outbound request to the OpenSSO Enterprise Security Token Service or Discovery Service to obtain a security token. The data includes the supported security mechanisms, keystore locations, signing and encryption instructions, and endpoints.

For more information, see Part IV, The Web Services Stack, Identity Services, and Web Services Security, in Sun OpenSSO Enterprise 8.0 Technical Overview.


Caution –

The Group functionality is not supported with the STS Client Agent Profile.


2.2 Agents

OpenSSO Enterprise is backward compatible with OpenSSO Enterprise web and J2EE Policy Agents 2.2. Policy Agents 2.2 must be configured locally on the deployment container on which they are installed; thus, from the OpenSSO Enterprise console, only a limited number of options can be configured. For more information, see Sun Java System Access Manager Policy Agent 2.2 User’s Guide.

Agent Authenticator

An agent authenticator is a type of agent that, once it is authenticated, can obtain the read-only data of agent profiles of any type (policy, security or token) for purposes of authenticating the agent. The agent profiles must be defined in the Agent Authenticator profile and exist in the same realm. Users who have the Agent Authenticator's username and password can read agent profile data, but do not have the create, update, or delete permissions of the Agent Administrator.

Creating New Agent Profiles and Groups

This section contains the following procedures.

Procedure: To Create a New Agent Profile

You can create a new agent profile using the OpenSSO Enterprise console. Some of the individual steps documented do not apply to all agent profile types.

Before You Begin

This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator; by default, amadmin.

  1. Under the Access Control tab, click the name of the realm in which you are creating the agent profile.

  2. Click the Agents tab.

  3. Select the tab for the appropriate agent type.

    • Web Agents

    • J2EE Agents

    • Web Service Provider Agents

    • Web Service Client Agents

    • STS Client Agent

    • 2.2 Agents

    • Agent Authenticator

  4. In the Agent section, click New.

    The STS Client agent profile displays a pop-up from which you choose the token agent type: Discovery or STS. For more information, see STS Client in Sun OpenSSO Enterprise 8.0 Administration Reference.

  5. In the Name field, enter the name for the new agent profile.

  6. Enter and confirm the Password.


    Caution –

    For web policy agents only, this password must be the same password that you enter in the agent profile password file that you specify when you run the agentadmin program to install the agent.


    Steps 7–9 apply to Web and J2EE policy agents only.

  7. For Web and J2EE policy agents only, configure using the following sub procedure.

    For other agent profile types, configure the attributes as documented in Chapter 5, Centralized Agent Configuration Attributes, in Sun OpenSSO Enterprise 8.0 Administration Reference.

    1. Select Local or Centralized configuration.

      When local configuration is selected, the properties related to this agent cannot be edited using the console. In such a scenario, the agent retrieves configuration data from the local (to the installed agent) OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties files in the agent installation directory. Property values for the locally configured agents are modified directly in the OpenSSOAgentConfiguration.properties file.

    2. In the Server URL field, enter the OpenSSO Enterprise server URL.

      For example:

      http://OpenSSO-Host.example.com:8080/OpenSSO

    3. In the Agent URL field, enter the URL for the agent application, agentapp.

      • For a web policy agent: http://Agent-Host.example.com:8090

      • For a J2EE policy agent: http://Agent-Host.example.com:8090/agentapp

  8. Click Create.

    The agent profile is created. To do additional configurations for the agent profile, click the profile name to display the Edit agent page. Agent attribute descriptions are listed and defined in Chapter 5, Centralized Agent Configuration Attributes, in Sun OpenSSO Enterprise 8.0 Administration Reference.

Procedure: To Create a New Group

Agents can inherit properties from their group. For example, web policy agents can inherit properties from a web policy agent group.


Caution –

The Group functionality is not supported with the web services and STS Client Agent Profiles.


Before You Begin

This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator; by default, amadmin.

  1. Under the Access Control tab, click the name of the realm to which the group will belong.

  2. Click the Agents tab.

  3. Select the tab for the appropriate agent type.

  4. In the Group section, click New.

  5. Enter a name for the new group.

  6. Enter the OpenSSO Enterprise Server URL (for Web and J2EE policy agents only).

    For example, http://OpenSSO-Host.example.com:8080/OpenSSO. For other agent profile types, configure the attributes as documented in Chapter 5, Centralized Agent Configuration Attributes, in Sun OpenSSO Enterprise 8.0 Administration Reference.

  7. Click Create.

    The agent group is created. To do additional configurations for the agent group, click the group name to display the Edit Group page. Attribute descriptions are listed and defined in Chapter 5, Centralized Agent Configuration Attributes, in Sun OpenSSO Enterprise 8.0 Administration Reference. (The properties you can set for a group are almost the same as those for an individual agent; the Group, Password, and Password Confirm properties are not available at the group level.)


    Caution –

    Some group properties have variable values assigned that, in most cases, should not be changed. @AGENT_PROTO@://@AGENT_HOST@:@AGENT_PORT@/amagent is an example of such a value.


Procedure: To Modify an Agent Profile to Inherit Properties From a Group

The Group functionality is not supported with the web services and STS Client Agent Profiles.

Before You Begin

This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator (by default, amadmin) and the group has been created. See To Create a New Group.

  1. Under the Access Control tab, click the name of the realm to which the agent belongs.

  2. Click the Agents tab.

  3. Select the tab for the appropriate agent type.

  4. Click the name of the agent profile you want to modify.

  5. Select the name of the group from which you want the agent to inherit properties as a value for the Group attribute under the Global tab.

  6. Click Save.

    At the top of the page, the Inheritance Settings button becomes active.

  7. Click Inheritance Settings.

    A list of inheritance settings for the Global tab appears in alphabetical order.

  8. Select the properties that you want the agent to inherit from the group.

  9. Click Save.

Next Steps

This task describes only how to change the inheritance settings for properties listed in the Global tab. For the inheritance settings of properties listed in the other tabs (such as Application and SSO), click the desired tab and edit the inheritance settings in the same manner described in the preceding steps.
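The following is an added example, not code from OpenSSO Enterprise or this guide: a small Python model of how an agent profile's effective configuration is assembled once Inheritance Settings select which properties come from the group, and why the group-level placeholder values such as @AGENT_PROTO@://@AGENT_HOST@:@AGENT_PORT@/amagent should be left alone (they are resolved per agent, so a fixed value would be pushed to every agent in the group). It assumes the placeholders are filled from each agent's own Agent URL; the property names and sample values are constructed for illustration.

```python
from urllib.parse import urlparse

# Hypothetical model (added example, not OpenSSO code). Assumes the
# @AGENT_PROTO@/@AGENT_HOST@/@AGENT_PORT@ placeholders in group properties
# are filled from the agent's own Agent URL, e.g. http://Agent-Host.example.com:8090.
PLACEHOLDERS = ("@AGENT_PROTO@", "@AGENT_HOST@", "@AGENT_PORT@")

# Constructed sample data; the property names are illustrative, not real keys.
SAMPLE_GROUP = {
    "notification.url": "@AGENT_PROTO@://@AGENT_HOST@:@AGENT_PORT@/amagent",
    "debug.level": "error",
}
SAMPLE_AGENT = {
    "notification.url": "http://placeholder.example.com/amagent",
    "debug.level": "message",
}


def agent_vars(agent_url):
    """Derive placeholder values from the Agent URL. urlparse lowercases the
    hostname; the port defaults to 80/443 when the URL omits it."""
    u = urlparse(agent_url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError("Agent URL must look like http(s)://host[:port]")
    port = u.port or (443 if u.scheme == "https" else 80)
    return {"@AGENT_PROTO@": u.scheme, "@AGENT_HOST@": u.hostname,
            "@AGENT_PORT@": str(port)}


def substitute(value, variables):
    """Replace every known placeholder in one property value."""
    for token, actual in variables.items():
        value = value.replace(token, actual)
    return value


def effective_config(group_props, agent_props, inherit, agent_url):
    """Keys listed in `inherit` (the Inheritance Settings) take the group's
    value with placeholders resolved for this agent; every other key keeps
    the agent's own value. Returns (merged, keys_with_unresolved_tokens)."""
    variables = agent_vars(agent_url)
    merged = dict(agent_props)
    for key in inherit:
        if key not in group_props:
            # Password, for instance, is never available at group level.
            raise KeyError(f"{key} is not defined on the group")
        merged[key] = substitute(group_props[key], variables)
    unresolved = sorted(k for k, v in merged.items()
                        if any(t in v for t in PLACEHOLDERS))
    return merged, unresolved
```

Running it with two agents in one group shows the per-agent resolution; replacing the placeholder value in the group with a literal URL makes both agents report the same notification URL, which is the mistake the caution above warns about.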