Sun Java System Access Manager 6 2005Q1 Deployment Planning Guide 

Contents


List of Figures

List of Tables

List of Code Examples

Preface
Who Should Use This Book
Before You Read This Book
How This Book Is Organized
Conventions Used in This Book
Typographic Conventions
Symbols
Default Paths and File Names
Shell Prompts
Related Documentation
Books in This Documentation Set
Access Manager Policy Agent Documentation
Other Server Documentation
Accessing Sun Resources Online
Contacting Sun Technical Support
Related Third-Party Web Site References
Sun Welcomes Your Comments

Chapter 1   Introduction
What is Identity Management?
The Identity Management Infrastructure
The Life Cycle of an Identity Profile
Sun Java System Access Manager
Access Management
Single Sign-On (SSO)
Pluggable Authentication
Policy Evaluation
Federation Management
Liberty Alliance Project
Security Assertion Markup Language (SAML)
Identity Management
User Profile Management
Policy Configuration
Service Management
Auditing
Policy Agents
Access Manager Console
Programmatic Interfaces
Sun Java System Directory Server
Deploying Access Manager
Integrating Access Manager Using a Policy Agent
Deployment Road Map
Deployment Planning Guide Chapters
Related Access Manager Documentation

Chapter 2   Planning The Deployment
Defining Resources
Human Resources
Executive Sponsors
Team Lead
Project Management
Systems Analyst
LOB Application Administrators
System Administrators
Independent Software Vendors
Third Party Affiliates
Funding
Setting Goals
Gathering Information
Business Processes
IT Infrastructure
Virtual Data
Evaluating Applications
Platform Information
Security Models
Lifecycle of a Session
Customization and Branding
Categorizing Data
Mapping To Authentication
Mapping To Authorization
Building Timelines
Deployment Design
Proof-of-Concept
Early Adoption
General Participation
Production Environment
Tuning Your Deployment

Chapter 3   Access Manager Architecture
Overview
Integration Points
Policy Agents
Web and Proxy Server Agents
J2EE Agents
Access Manager SDK
Identity Management SDK
Service Management SDK
Authentication API and Authentication SPI
Utility API
Logging API and Logging SPI
Client Detection API
SSO API
Policy API
SAML SDK
Federation Management API
Functional Processes
Authentication and User Sessions
HTML Over HTTP(S) Interface
XML Over HTTP(S) Interface
Integrated Policy
Integrated Client Detection
CDSSO, SAML and Federation
CDSSO
SAML
Federation
Extending Access Manager
Web Containers
Multiple Directory Server Instances
LDAP Load Balancers

Chapter 4   Pre-Deployment Considerations
Deployment Options
Security
High Availability
Clustering
Scalability
Hardware Requirements
Software Requirements
Operating System Requirements
Patch Clusters for Solaris
JDK Software Requirements
Web Container Requirements
Directory Server Requirements
Web Browser Requirements
Understanding the Access Manager Schema
Marker Object Classes
Administrative Roles
Administrator Passwords
Schema Limitations
Only One Type of Entry Can be Marked as an Organization
People Containers Must be Parent Entries for Users
Only One Organization Description is Allowed in the Access Manager XML
Examples of Unsupported DITs

Chapter 5   Deployment Scenarios
Multiple Servers Scenario
Installing Multiple Access Manager Instances
Changing the Password Encryption Key for an Installation
Why change the password encryption key?
What else needs to be changed if you change the password encryption key?
To change the password encryption key
Web Deployment
Java Application Deployment
Multiple JVM Environment
Replication Considerations
Configuring For Replication
Configuring With a Load Balancer
Replication Caveats
Directory Server With a Firewall
Setting the Global Timeout Attribute
Setting the Timeout for Individual Client Connections
Access Manager and Portal Server Deployment
Installation on a Single Server
Installation on Multiple Servers
Session Failover
Overview of Access Manager Session Failover
Hardware and Software Requirements
Deployment Scenarios
Installation of Session Failover Components
Configuration of Session Failover
Modify the AMConfig.properties Files
Disable Cookie Encoding
Edit the Web Container server.xml File
Add a New User in the Message Queue Server
Create a Secondary Configuration Instance for the Load Balancer
Edit the amsessiondb Script (if Needed)
Access Manager Session Failover Scripts
amsessiondb
amsfopasswd
Startup of Session Failover Components
Start the Message Queue Brokers
Start the Berkeley DB Client (amsessiondb)
Start Each Access Manager Instance
Federation Management

Appendix A   Installed Product Layout
Base Installation Directory
Product Directory
/bin Directory
/amtune Directory
/docs Directory
/dtd Directory
/include Directory
/ldaplib/ Directory
/lib Directory
/locale Directory
/migration Directory
/public_html Directory
/samples Directory
/share Directory
/upgrade Directory
/web-src Directory
/debug, /logs, and /tmp Directories
Configuration (/config) Directory

Appendix B   The User Session Life Cycle
Overview
The Request
The Authentication
The Session Token
The Policy
The Requested Page
Single Sign-On Requests
Thread One: Single Sign-On
Thread Two: Cross Domain Single Sign-On
Terminating a Session

Appendix C   Authenticate Against Active Directory
Overview
Point to Existing LDAP Authentication Module
Create New Active Directory Authentication Module
Multiple LDAP Sub-Configurations
Setting Up Active Directory Authentication
Troubleshooting
Quick Access To Access Manager
Reconfigure Using Directory Server

Appendix D   Installing in a chroot Environment

Appendix E   Load Balancer Configuration
Load Balancer Overview
Sticky Sessions
Resonate Central Dispatch Installation
Configuring the Load Balancer
To Configure Central Dispatch for setcookie
To Configure Access Manager for setcookie
To Configure Central Dispatch with Load Balancer Cookies
To Configure Access Manager with Load Balancer Cookies
Confirming The Configuration
Configuring SSL Termination for a Load Balancer
To configure SSL termination for a load balancer

Appendix F   Authenticate Against RADIUS Servers
Overview
RADIUS Server Configuration
Access Manager Configuration

Glossary

Index


Part No: 817-7644-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.