Sun OpenSSO Enterprise Policy Agent 3.0 Guide for Sun Java System Web Server 7.0

Post-Installation Tasks for the Web Server 7.0 Agent

Replicating Configuration Changes to the Administration Server Repository

When you install the Web Server 7.0 agent, the agent installer modifies the Web Server obj.conf configuration file. Whenever changes are made to the Web Server configuration, you should replicate the changes into the Web Server 7.0 Administration server repository.

Procedure: To Replicate the Web Server Configuration Changes

  1. Log in to the Web Server 7.0 Console as an administrator.

    By default, the Common Tasks tab is selected.

  2. Under Configuration Tasks, if the Web Server configuration you are protecting with the agent is not selected, select it from the drop-down list.

  3. Click Edit Configuration.

  4. Click the name of the Web Server configuration you are protecting with the agent.

  5. In the upper right corner of the window, click the Instance Configuration Modified link.

  6. In the Configuration Deployment window, select Pull and deploy configuration from ....

  7. Ensure that the correct Web Server configuration is selected.

  8. Click OK.

Changing the Password for an Agent Profile (Optional)

After you install the agent, you can change the agent profile password, if required for your deployment.

Procedure: To Change the Password for an Agent Profile

  1. On the OpenSSO Enterprise server:

    1. Log in to the Administration Console as amAdmin.

    2. Click Access Control, realm-name, Agents, Web, and then the name of the agent you want to configure.

      The Console displays the Edit page for the agent profile.

    3. Enter and confirm the new unencrypted password.

    4. Click Save.

  2. On the server where the Web Server 7.0 agent is installed:

    1. In the agent profile password file, replace the old password with the new unencrypted password.

    2. Change to the PolicyAgent-base/bin directory.

    3. Encrypt the new password using the agentadmin program. For example:

      # ./agentadmin --encrypt Agent_002 /tmp/ws7agentpw

      Agent_002 is the agent instance whose password you want to encrypt.

      /tmp/ws7agentpw is the password file in the /tmp directory.

      The agentadmin program returns the new encrypted password. For example:

      The encrypted value is: /54GwN432q+MEnfh/AHLMA==

    4. In the agent-instance/config/OpenSSOAgentBootstrap.properties file, set the following property to the new encrypted password from the previous step. For example:

      com.sun.am.policy.am.password=/54GwN432q+MEnfh/AHLMA==

    5. Restart the Web Server 7.0 instance that is being protected by the policy agent.

Using SSL With the Web Server 7.0 Agent (Optional)

If you specify the https protocol for the OpenSSO Enterprise server during the Web Server 7.0 agent installation, the agent is automatically configured and ready to communicate with the OpenSSO Enterprise server over Secure Sockets Layer (SSL). However, to ensure that the Web Server 7.0 agent is correctly configured for SSL communication with the server, perform the following tasks:

Procedure: To Install the OpenSSO Enterprise Root CA Certificate on a Remote Web Server 7.0 Instance

  1. The root CA certificate that you install on the remote Web Server 7.0 instance must be the same certificate that is installed on the OpenSSO Enterprise server.

    To install the OpenSSO Enterprise root CA certificate on Web Server 7.0, see the Web Server 7.0 Update 3 documentation: http://docs.sun.com/coll/1653.3

Procedure: To Configure Notifications For the Web Server 7.0 Agent

  1. Add the Web Server 7.0 root CA certificate to the OpenSSO Enterprise certificate database.

  2. Mark the root CA certificate as trusted to enable OpenSSO Enterprise to successfully send notifications to the Web Server 7.0 agent.

Procedure: To Disable the Trust Behavior of the Web Server 7.0 Agent

By default, an agent installed on a remote Web Server 7.0 instance trusts any server certificate presented over SSL by the OpenSSO Enterprise host; the web agent does not check the certificate against a root CA certificate. If the OpenSSO Enterprise host is SSL-enabled and you want the Web Server 7.0 agent to verify the server certificate, disable this default trust behavior as follows.

  1. In the Web Server 7.0 agent's OpenSSOAgentBootstrap.properties file, set the following properties, depending on the requirements for your deployment.

    Note: These properties have new names for version 3.0 web agents.

    • Disable the option to trust any server certificate sent over SSL by the OpenSSO Enterprise host:

      com.sun.identity.agents.config.trust.server.certs = false

    • Set the certificate database directory. For example:

      com.sun.identity.agents.config.sslcert.dir = /var/opt/SUNWwbsvr7/https-agent-host.example.com/config

    • If the certificate database directory has multiple certificate databases, set the following property to the prefix of the database you want to use. For example:

      com.sun.identity.agents.config.certdb.prefix = https-agent-host.example.com.host-

    • Set the certificate database password:

      com.sun.identity.agents.config.certdb.password = password

    • Set the certificate database alias:

      com.sun.identity.agents.config.certificate.alias = alias-name
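Added example, not from the OpenSSO documentation: a small Python audit that parses an agent's OpenSSOAgentBootstrap.properties, reports whether the trust-any-certificate default is still in effect, and, when trust is disabled, checks that the certificate-database properties listed above are all set. The sample file contents are constructed from this page's example values.

```python
import re

TRUST_KEY = "com.sun.identity.agents.config.trust.server.certs"
# Properties the agent needs once it verifies the server certificate itself.
CERTDB_KEYS = (
    "com.sun.identity.agents.config.sslcert.dir",
    "com.sun.identity.agents.config.certdb.password",
    "com.sun.identity.agents.config.certificate.alias",
)

# Constructed sample bootstrap fragment using the documentation's example values.
SAMPLE_HARDENED = """\
# OpenSSOAgentBootstrap.properties (constructed excerpt)
com.sun.identity.agents.config.trust.server.certs = false
com.sun.identity.agents.config.sslcert.dir = /var/opt/SUNWwbsvr7/https-agent-host.example.com/config
com.sun.identity.agents.config.certdb.prefix = https-agent-host.example.com.host-
com.sun.identity.agents.config.certdb.password = password
com.sun.identity.agents.config.certificate.alias = alias-name
"""


def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comment lines, '=' or ':'
    (or whitespace) as key/value separator, surrounding whitespace ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_trust(props):
    """Return a list of findings; an empty list means certificate checking is
    enabled and the properties it depends on are present."""
    findings = []
    # The 3.0 web agent trusts any server certificate unless told otherwise,
    # so a missing key is treated like 'true'.
    if props.get(TRUST_KEY, "true").strip().lower() != "false":
        findings.append("%s is not false: agent accepts any server certificate" % TRUST_KEY)
        return findings
    for key in CERTDB_KEYS:
        if not props.get(key):
            findings.append("%s must be set when certificate checking is enabled" % key)
    return findings
```

Run `audit_trust(parse_properties(open(path).read()))` against a real bootstrap file; an empty result means the agent is set to check the server certificate and has a certificate database to do it with.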

Preserving POST Data For Web Server 7.0 (Optional)

Only the Web Server 7.0 agent supports POST data preservation; other web agents do not support this feature. POST data preservation retains data that users submit to Web Server 7.0 through HTML forms before they log in to OpenSSO Enterprise. The HTML page that contains the form should be in the not-enforced list. By default, POST data preservation is disabled.

Procedure: To Enable POST Data Preservation for the Web Server 7.0 Agent

  1. Log in to the OpenSSO Enterprise Console as amadmin.

  2. Click Access Control, realm-name, Agents, Web, and then the name of the agent you want to configure.

  3. Click Advanced, and then Sun Java System Web Server.

  4. For POST Data Preservation, check Enabled.

  5. For POST Data Entries Cache Period, specify a value in minutes, if you want a value other than the default value of 10.

    This value determines the time in minutes that POST data is valid in the Web Server 7.0 cache.

  6. Click Save.

    These values are hot-swappable, which means you do not have to restart Web Server 7.0 after you set them. Changes made in the Console are not reflected in the agent's local configuration file, and vice versa.