Sun OpenSSO Enterprise Policy Agent 3.0 Guide for IBM WebSphere Application Server 6.1/7.0 and WebSphere Portal Server 6.1

Post-Installation Tasks for the WebSphere Application Server/Portal Server Agent in a Single WebSphere Portal Server 6.1 Environment

Some of the following post-installation tasks are unique to WebSphere Portal Server 6.1, while other tasks are identical to the same task for WebSphere Application Server:

WebSphere Portal Server: Creating the Primary Administrative User in OpenSSO Enterprise

Perform this task once for all agent instances. This user (for example, wasadmin) is either the administrative user who installs WebSphere Portal Server or an administrative user designated after the WebSphere Portal Server installation is finished.

Note: You can skip this task if this administrative user or an equivalent has already been configured to authenticate with OpenSSO Enterprise.

Otherwise, by default, create wasadmin in the OpenSSO embedded Configuration Data Store. This data store must take part in authentication with OpenSSO Enterprise (for example, through an authentication chain).

Follow the steps in Creating the Primary Administrative User in OpenSSO Enterprise.

WebSphere Portal Server: Deploying the Agent Application

Perform this task for each WebSphere Application Server instance, including the Application Server server1 instance and the Portal Server WebSphere_Portal instance.

Follow the steps in Deploying the Agent Application.

WebSphere Portal Server: Performing Global Configuration Tasks

Perform the following tasks only if you are also Performing Global Configuration Tasks for WebSphere Application Server 6.1/7.0:

WebSphere Portal Server: Adding an OpenSSO Enterprise Trust Association Interceptor to WebSphere Application Server

Follow the steps in Adding an OpenSSO Enterprise Trust Association Interceptor to WebSphere Application Server 6.1/7.0.

WebSphere Portal Server: Changing the Logout Link Actions for WebSphere Portal Server 6.1

This task provides a seamless user experience of single sign-off with OpenSSO Enterprise.

To Change the Logout Link Actions for WebSphere Portal Server 6.1

  1. Ensure that the WebSphere Application Server and WebSphere Portal Server 6.1 instances are running.

  2. Access the WebSphere administrative console by entering the following URL in the location field of a Web browser:

    http://example.com:admin_port/ibm/console

    where example.com is the name of the server and admin_port is the port assigned to the administrative console.

  3. Click Resources > Resource Environment > Resource Environment Providers.

  4. On the Resource Environment Providers page, make the appropriate selection, depending on your version of WebSphere Application Server and your portal environment:

    • For WebSphere Application Server Version 6.1, select the appropriate node or cluster from the scopes pull-down list, depending on your portal environment.

    • For WebSphere Application Server Version 7.0, select the appropriate node or cluster from the scopes pull-down list. Alternatively, clear the Show Scope selection drop-down checkbox and select one of the following options, depending on your portal environment:

      • If your portal is running as a single server, select Browse Nodes and select the node.

      • If your portal is installed in a cluster, select Browse Clusters and select the portal cluster.

  5. Select the “WP ConfigService” service.

  6. Click Custom Properties.

  7. Do the following, as required:

    • Set redirect.logout to true.

    • Set redirect.logout.ssl to true or false, depending upon the environment.

    • Set redirect.logout.url to the OpenSSO Enterprise logout URL. For example:

      http://opensso-host.example.com:8080/opensso/UI/Logout

    • When you are done, click Save at the top of the screen under Message(s).

  8. If you are running a cluster configuration, replicate your changes to the cluster.

WebSphere Portal Server: Enabling Global Security for WebSphere Application Server

If Global Security is not enabled, follow the steps in Enabling Global Security for WebSphere Application Server 6.1/7.0.

WebSphere Portal Server: Setting the Application Logout URI For the IBM Console

For each agent profile, including the agent profile for the WebSphere Application Server server1 instance and the WebSphere Portal Server WebSphere_Portal instance, perform the steps in Setting the Application Logout URI For the IBM Console.

WebSphere Portal Server: Enabling Cookie Reset for the Agent Profile

For each agent profile, including the agent profile for the WebSphere Application Server server1 instance and the WebSphere Portal Server WebSphere_Portal instance, perform the steps in Enabling Cookie Reset for the Agent Profile.

WebSphere Portal Server: Installing the Agent Filter for the WebSphere Application Server Administration Console

Perform the steps in Installing the Agent Filter for the WebSphere Application Server 6.1/7.0 Administration Console.

Adding the Agent Filter to the WebSphere Portal Server 6.1 Application

This required task integrates the WebSphere Portal Server 6.1 instance with the OpenSSO Enterprise environment.

Note: Perform this task only once per WebSphere Portal Server 6.1 instance for a given host.

The WebSphere Application Server/Portal Server agent provides a servlet filter that you can add to the WebSphere Portal Server 6.1 application. This filter enforces the coarse-grained URL policies defined in the OpenSSO Enterprise server to further control access to protected resources on the WebSphere Portal Server 6.1 instance. The filter can also be configured to provide additional personalization information in the form of HTTP headers, cookies, or HTTP request attributes that can be used to further enhance the functionality of the protected components.

To Add the Agent Filter to the WebSphere Portal Server 6.1 Application

  1. Ensure that the WebSphere Portal Server 6.1 environment is down.

  2. Locate the wps.war/WEB-INF/web.xml file, which contains the deployment descriptors for WebSphere Portal Server 6.1.

    WebSphere Application Server can read this file at runtime from either of the following directories:

    • WAS-base/wp_profile/installedApps/Cell-Name/wps.ear/wps.war/WEB-INF

    • WAS-base/wp_profile/config/cells/Cell-Name/applications/wps.ear/deployments/wps/wps.war/WEB-INF

    where:

    • WAS-base represents the directory where WebSphere Portal Server 6.1 was installed

    • Cell-Name represents the WebSphere Portal Server 6.1 cell protected by the agent. The default is hostname.

  3. Back up the two web.xml files before modifying the deployment descriptors.

    Since you will modify the deployment descriptor in the next step, creating backup files is important, especially if you need to uninstall the agent in the future.

  4. Edit both web.xml files from the previous step, as follows:

    <display-name>WebSphere Portal Server</display-name>

    <filter id="Filter_PolicyAgent">
      <filter-name>Policy Agent</filter-name>
      <filter-class>
        com.sun.identity.agents.filter.AmAgentFilter
      </filter-class>
    </filter>

    <!-- ... other filter definitions ... -->

    <filter-mapping id="FilterMapping_PolicyAgent">
      <filter-name>Policy Agent</filter-name>
      <url-pattern>/*</url-pattern>
    </filter-mapping>

    <!-- ... other filter mappings ... -->

    </web-app>
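
A check you can run against both copies of web.xml after step 4, given here as an added example that is not part of the original guide or the agent distribution. It confirms that the agent filter class is declared, mapped to /*, and that its mapping comes before the others, as in the snippet above; the ordering check rests on the servlet container applying URL-pattern filter mappings in descriptor order. The function name and the sample descriptors are constructed for illustration.

```python
import xml.etree.ElementTree as ET

AGENT_CLASS = "com.sun.identity.agents.filter.AmAgentFilter"  # class named in the guide

def _local(tag):
    """Drop any XML namespace so namespaced descriptors are handled too."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()  # the guide wraps the class name in whitespace
    return ""

def check_agent_filter(web_xml_text):
    """Return a list of problems; an empty list means the descriptor matches step 4."""
    root = ET.fromstring(web_xml_text)
    filters = [e for e in root if _local(e.tag) == "filter"]
    mappings = [e for e in root if _local(e.tag) == "filter-mapping"]
    names = [_child_text(f, "filter-name") for f in filters
             if _child_text(f, "filter-class") == AGENT_CLASS]
    if not names:
        return ["no <filter> declares " + AGENT_CLASS]
    agent, problems = names[0], []
    agent_maps = [m for m in mappings if _child_text(m, "filter-name") == agent]
    if not any(_child_text(m, "url-pattern") == "/*" for m in agent_maps):
        problems.append("agent filter is not mapped to /*")
    if mappings and _child_text(mappings[0], "filter-name") != agent:
        problems.append("another filter-mapping precedes the agent's")
    return problems

# Constructed sample descriptors (not taken from a real wps.war).
_OTHER = "<filter-name>Other</filter-name>"
GOOD = f"""<web-app>
  <display-name>WebSphere Portal Server</display-name>
  <filter id="Filter_PolicyAgent"><filter-name>Policy Agent</filter-name>
    <filter-class>
      {AGENT_CLASS}
    </filter-class></filter>
  <filter>{_OTHER}<filter-class>example.OtherFilter</filter-class></filter>
  <filter-mapping id="FilterMapping_PolicyAgent">
    <filter-name>Policy Agent</filter-name><url-pattern>/*</url-pattern>
  </filter-mapping>
  <filter-mapping>{_OTHER}<url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
# Same descriptor with the agent mapping narrowed, leaving other paths unfiltered.
BAD = GOOD.replace("<url-pattern>/*</url-pattern>", "<url-pattern>/portal/*</url-pattern>", 1)

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_agent_filter(doc) or "ok")
```

Run it on the file under installedApps and on the file under config/cells, since the server can read either one at runtime.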

WebSphere Portal Server: Creating the Necessary URL Policies

If the WebSphere Application Server/Portal Server agent is installed and configured to operate in ALL mode, you must create the appropriate URL policies.

Note: Since WebSphere Portal Server is protected by J2EE declarative security, the agent should operate in J2EE_POLICY or ALL mode.

For example, if WebSphere Application Server with the Administration Console is listening on ports 10027 (http) and 10041 (https), and WebSphere Portal Server is listening on port 10040 (http), create the following policies for the WebSphere Administrative user ID (wasadmin or wpsadmin) to allow the user access to the WebSphere Administration Console and Portal Server URLs:

URLs for the Portal Server WebSphere_Portal Instance

Notes:

URLs for the Application Server server1 Instance

Notes:

WebSphere Portal Server: Considering Optional Tasks

Consider the other Optional Post-Installation Tasks for the WebSphere Application Server/Portal Server Agent.

WebSphere Portal Server: Restarting WebSphere Portal Server 6.1

After you are finished performing all post-installation tasks, restart the WebSphere Portal Server 6.1 environment.