For Access Manager 7 and later, this adapter supports legacy mode only. Realms are not supported.
You can configure only one Access Manager server (whether in Realm mode or in Legacy mode).
The Policy Agent is an optional module that you can use to enable single sign-on (SSO). Do not attempt to follow Policy Agent configuration or installation procedures if this product is not being used in your environment.
See http://docs.sun.com/app/docs/coll/1322.1 for more information about Policy Agents.
To install the Policy Agent, follow the installation instructions provided with the Policy Agent, and then perform the following tasks:
You must modify the AMAgent.properties file to protect Identity Manager. This file is located in the AgentInstallDir/config directory.
Locate the following lines in the AMAgent.properties file.
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
com.sun.identity.agents.config.cookie.reset.domain[] =
com.sun.identity.agents.config.cookie.reset.path[] =
Edit these lines as follows, substituting the cookie domain of your deployment for .example.com.
com.sun.identity.agents.config.cookie.reset.enable = true
com.sun.identity.agents.config.cookie.reset.name[0] = AMAuthCookie
com.sun.identity.agents.config.cookie.reset.domain[0] = .example.com
com.sun.identity.agents.config.cookie.reset.path[0] = /
Add the following lines.
com.sun.identity.agents.config.cookie.reset.name[1] = iPlanetDirectoryPro
com.sun.identity.agents.config.cookie.reset.domain[1] = .example.com
com.sun.identity.agents.config.cookie.reset.path[1] = /
Locate the following lines.
com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
com.sun.identity.agents.config.profile.attribute.mapping[] =
Edit these lines as follows.
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
com.sun.identity.agents.config.profile.attribute.mapping[uid] = sois_user
You must restart the web server for your changes to take effect.
From within the Sun Java System Access Manager application, create a new policy named IDMGR (or something similar) with the following rules:
Service Type | Resource Name | Actions
---|---|---
URL Policy Agent | http://server:port/idm | Allow GET and POST actions
URL Policy Agent | http://server:port/idm/* | Allow GET and POST actions
Assign one or more subjects to the IDMGR policy.
The following sections describe how to install and configure Sun Java System Access Manager and Policy Agent. If you install Sun Java System Access Manager on the same system as the Identity Manager server, see Sun Access Manager Resource Adapter for information about configuration. If you are using the Policy Agent, go to Installing and Configuring the Policy Agent for additional information.
If Access Manager is installed on a different system than the Identity Manager server, then perform the following steps on the Identity Manager system.
Create a directory to place files that will be copied from the Sun Java System Access Manager server. This directory will be called CfgDir in this procedure. The location of Access Manager will be called AccessMgrHome.
Copy the following files from AccessMgrHome to CfgDir. Do not copy the directory structure.
On UNIX, it may be necessary to change the permissions of the jar files in the CfgDir to allow universal read access. Run the following command to change permissions:
chmod a+r CfgDir/*.jar
Prepend the Java classpath with the following:
If you are using version 6.0, set the Java system property to point to your CfgDir. Use a command similar to the following:
java -Dcom.iplanet.coreservices.configpath=CfgDir
If you are using version 6.1 or later, add or edit the following lines in the CfgDir/AMConfig.properties file:
com.iplanet.services.configpath=CfgDir
com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.am.util.SecureRandomFactoryImpl
com.iplanet.security.SSLSocketFactoryImpl=netscape.ldap.factory.JSSESocketFactory
com.iplanet.security.encryptor=com.iplanet.services.util.JCEEncryption
The first line sets the configpath. The last three lines change security settings.
Copy the CfgDir/am_*.jar files to $WSHOME/WEB-INF/lib. If you are using version 6.0, also copy the jss311.jar file to the $WSHOME/WEB-INF/lib directory.
If Identity Manager is running on Windows and you are using Identity Server 6.0, copy IdServer\lib\jss\*.dll to CfgDir and add CfgDir to your system path.
When Identity Manager is installed on a different system from Access Manager, check the following error conditions. If an attempt to connect to the Access Manager resource returns java.lang.ExceptionInInitializerError (followed by java.lang.NoClassDefFoundError on subsequent attempts), check for incorrect or missing configuration data.
Also locate the jar file that contains the class named in the java.lang.NoClassDefFoundError, and prepend that jar file to the Java classpath on the application server.
Check that CfgDir contains all the files listed in Installing and Configuring Sun Java System Access Manager (Versions Prior to Access Manager 7.0) and that all the configuration properties have been assigned correctly.
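The three checks above are mechanical enough to script before anyone has to read a stack trace. The following Python script is an added example, not part of this document or of the Access Manager SDK: it inspects a CfgDir and reports whether AMConfig.properties is present with the four properties from the version 6.1 procedure, whether the jar files are world-readable (the chmod a+r step), and whether the implementation class named by each security property actually exists in one of the jars, which is otherwise only discovered from the java.lang.NoClassDefFoundError. The build_sample_cfgdir function fabricates a throwaway directory with a stand-in jar so the script can be exercised offline; the jar name am_sdk.jar and its contents are constructed for illustration and are not the real SDK.

```python
import os
import stat
import sys
import tempfile
import zipfile

# Properties the version 6.1 procedure adds to CfgDir/AMConfig.properties.
REQUIRED_KEYS = (
    "com.iplanet.services.configpath",
    "com.iplanet.security.SecureRandomFactoryImpl",
    "com.iplanet.security.SSLSocketFactoryImpl",
    "com.iplanet.security.encryptor",
)
CLASS_VALUED_KEYS = REQUIRED_KEYS[1:]   # values are class names the SDK must be able to load


def read_properties(path):
    """Minimal Java .properties reader: key=value lines, comments and blanks skipped."""
    props = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line[0] in "#!":
                continue
            key, sep, value = line.partition("=")
            if sep:
                props[key.strip()] = value.strip()
    return props


def jars_containing(class_name, jar_paths):
    """Return the jars whose entries include class_name (dotted name -> path/Name.class)."""
    entry = class_name.replace(".", "/") + ".class"
    found = []
    for jar in jar_paths:
        with zipfile.ZipFile(jar) as zf:
            if entry in zf.namelist():
                found.append(jar)
    return found


def check_cfgdir(cfgdir):
    """Return a list of problems; an empty list means CfgDir looks complete."""
    problems = []
    conf = os.path.join(cfgdir, "AMConfig.properties")
    if not os.path.isfile(conf):
        return ["missing " + conf]
    props = read_properties(conf)
    for key in REQUIRED_KEYS:
        if not props.get(key):
            problems.append("AMConfig.properties does not set " + key)
    configpath = props.get("com.iplanet.services.configpath")
    if configpath and os.path.realpath(configpath) != os.path.realpath(cfgdir):
        problems.append("configpath %s does not point at this CfgDir" % configpath)
    jars = sorted(os.path.join(cfgdir, n) for n in os.listdir(cfgdir) if n.endswith(".jar"))
    if not jars:
        problems.append("no .jar files in " + cfgdir)
    for jar in jars:
        if not os.stat(jar).st_mode & stat.S_IROTH:
            problems.append(jar + " is not world-readable; run chmod a+r on it")
    for key in CLASS_VALUED_KEYS:
        cls = props.get(key)
        if cls and not jars_containing(cls, jars):
            problems.append("%s names %s, which is in none of the jars in CfgDir "
                            "(expect NoClassDefFoundError at runtime)" % (key, cls))
    return problems


def build_sample_cfgdir(drop_class=None):
    """Create a throwaway CfgDir (constructed fixture, not a real SDK) whose am_sdk.jar
    holds empty stand-ins for the three classes; drop_class simulates a missing one."""
    cfgdir = tempfile.mkdtemp(prefix="cfgdir-")
    classes = {
        "com.iplanet.security.SecureRandomFactoryImpl": "com.iplanet.am.util.SecureRandomFactoryImpl",
        "com.iplanet.security.SSLSocketFactoryImpl": "netscape.ldap.factory.JSSESocketFactory",
        "com.iplanet.security.encryptor": "com.iplanet.services.util.JCEEncryption",
    }
    jar = os.path.join(cfgdir, "am_sdk.jar")
    with zipfile.ZipFile(jar, "w") as zf:
        for cls in classes.values():
            if cls != drop_class:
                zf.writestr(cls.replace(".", "/") + ".class", b"")
    os.chmod(jar, 0o644)
    with open(os.path.join(cfgdir, "AMConfig.properties"), "w") as f:
        f.write("com.iplanet.services.configpath=%s\n" % cfgdir)
        for key, cls in classes.items():
            f.write("%s=%s\n" % (key, cls))
    return cfgdir


if __name__ == "__main__":
    # Usage: check_cfgdir.py /path/to/CfgDir   (no argument: run against the sample)
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_cfgdir()
    for problem in check_cfgdir(target) or ["CfgDir %s looks complete" % target]:
        print(problem)
```

Run it against the real CfgDir on the Identity Manager system; every line it prints corresponds to one of the three checks above, and a class reported as missing is the one to look for in the remaining AccessMgrHome jars before adjusting the classpath.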
You must install the appropriate Access Manager Policy Agent on the Identity Manager server. The Policy Agent can be obtained from the following location:
http://wwws.sun.com/software/download/inter_ecom.html#dirserv
Follow the installation instructions provided with the Policy Agent. Then perform the following tasks.
The AMAgent.properties file must be modified so that Identity Manager can be protected. It is located in the following directory:
Windows: \AgentInstallDir\es6\config\_PathInstanceName\
UNIX: /etc/opt/SUNWam/agents/es6/config/_PathInstanceName/
Be sure to edit the copy located in the preceding directories. Do not use the copy located in the AgentInstallDir\config directory.
Locate the following lines in the AMAgent.properties file.
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
com.sun.identity.agents.config.cookie.reset.domain[] =
com.sun.identity.agents.config.cookie.reset.path[] =
Edit these lines as follows, substituting the cookie domain of your deployment for .example.com.
com.sun.identity.agents.config.cookie.reset.enable = true
com.sun.identity.agents.config.cookie.reset.name[0] = AMAuthCookie
com.sun.identity.agents.config.cookie.reset.domain[0] = .example.com
com.sun.identity.agents.config.cookie.reset.path[0] = /
Add the following lines.
com.sun.identity.agents.config.cookie.reset.name[1] = iPlanetDirectoryPro
com.sun.identity.agents.config.cookie.reset.domain[1] = .example.com
com.sun.identity.agents.config.cookie.reset.path[1] = /
Locate the following lines.
com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
com.sun.identity.agents.config.profile.attribute.mapping[] =
Edit these lines as follows.
com.sun.identity.agents.config.profile.attribute.fetch.mode = HTTP_HEADER
com.sun.identity.agents.config.profile.attribute.mapping[uid] = sois_user
You must restart the web server for your changes to take effect.
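The AMAgent.properties edits above, and the identical edits in the Access Manager 7 agent procedure earlier on this page, are easy to get subtly wrong by hand: the shipped file carries placeholder keys with an empty index (domain[], path[], mapping[]) that must be replaced rather than left beside the indexed entries, and a cookie name without a matching domain and path entry at the same index is not reset. The following Python script is an added example, not part of this document or of the Sun agent software. It applies the edits to the contents of an AMAgent.properties file while preserving every other line, and then verifies the result. The sample file contents, the cookie domain .example.com and the notenforced line are constructed for illustration.

```python
import re
import sys

# Constructed excerpt of an unmodified AMAgent.properties (illustration only, not a real
# agent installation): the lines this procedure edits plus one unrelated line.
SAMPLE_AGENT_PROPERTIES = """\
# Policy Agent configuration (constructed sample)
com.sun.identity.agents.config.cookie.reset.enable = false
com.sun.identity.agents.config.cookie.reset.name[0] =
com.sun.identity.agents.config.cookie.reset.domain[] =
com.sun.identity.agents.config.cookie.reset.path[] =
com.sun.identity.agents.config.profile.attribute.fetch.mode = NONE
com.sun.identity.agents.config.profile.attribute.mapping[] =
com.sun.identity.agents.config.notenforced.list[0] = /idm/public/*
"""

PREFIX = "com.sun.identity.agents.config."
RESET_COOKIES = ("AMAuthCookie", "iPlanetDirectoryPro")

# "key = value" or "key: value"; comment and blank lines do not match.
_PROP_RE = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text):
    """Return {key: value} for the property lines in text (last one wins on duplicates)."""
    props = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def apply_settings(text, settings, remove_keys=()):
    """Set each key in settings (in place if present, appended otherwise) and drop the keys
    in remove_keys. Comments and unrelated lines are passed through unchanged."""
    pending = dict(settings)
    out = []
    for line in text.splitlines():
        m = _PROP_RE.match(line)
        key = m.group(1) if m else None
        if key in remove_keys:
            continue
        if key in pending:
            out.append("%s = %s" % (key, pending.pop(key)))
        else:
            out.append(line)
    out.extend("%s = %s" % (k, v) for k, v in settings.items() if k in pending)
    return "\n".join(out) + "\n"


def protect_idm(text, cookie_domain):
    """Apply the Identity Manager edits: reset both Access Manager cookies and pass the
    uid profile attribute to Identity Manager in the sois_user HTTP header."""
    settings = {PREFIX + "cookie.reset.enable": "true"}
    for i, cookie in enumerate(RESET_COOKIES):
        settings[PREFIX + "cookie.reset.name[%d]" % i] = cookie
        settings[PREFIX + "cookie.reset.domain[%d]" % i] = cookie_domain
        settings[PREFIX + "cookie.reset.path[%d]" % i] = "/"
    settings[PREFIX + "profile.attribute.fetch.mode"] = "HTTP_HEADER"
    settings[PREFIX + "profile.attribute.mapping[uid]"] = "sois_user"
    # The shipped file carries empty-index placeholders; they are replaced, not kept.
    placeholders = {PREFIX + k for k in ("cookie.reset.domain[]", "cookie.reset.path[]",
                                         "profile.attribute.mapping[]")}
    return apply_settings(text, settings, placeholders)


def verify_idm_protection(text):
    """Return a list of problems; an empty list means the file matches the procedure."""
    props = parse_properties(text)
    problems = []
    if props.get(PREFIX + "cookie.reset.enable") != "true":
        problems.append("cookie reset is not enabled")
    name_re = re.compile(re.escape(PREFIX + "cookie.reset.name") + r"\[(\d+)\]$")
    index_of = {}                      # cookie name -> index it is listed under
    for key, value in props.items():
        m = name_re.match(key)
        if m:
            index_of[value] = m.group(1)
    for cookie in RESET_COOKIES:
        i = index_of.get(cookie)
        if i is None:
            problems.append("cookie %s is not in the reset list" % cookie)
            continue
        for part in ("domain", "path"):
            if not props.get("%scookie.reset.%s[%s]" % (PREFIX, part, i)):
                problems.append("cookie %s has no %s[%s] entry" % (cookie, part, i))
    if props.get(PREFIX + "profile.attribute.fetch.mode") != "HTTP_HEADER":
        problems.append("profile attribute fetch mode is not HTTP_HEADER")
    if props.get(PREFIX + "profile.attribute.mapping[uid]") != "sois_user":
        problems.append("uid is not mapped to the sois_user header")
    problems.extend("placeholder key left in file: " + k for k in props if k.endswith("[]"))
    return problems


if __name__ == "__main__":
    # Usage: protect_idm.py /path/to/AMAgent.properties .example.com
    path, domain = sys.argv[1], sys.argv[2]
    with open(path) as f:
        edited = protect_idm(f.read(), domain)
    with open(path, "w") as f:
        f.write(edited)
    for problem in verify_idm_protection(edited):
        print("PROBLEM:", problem)
```

The rewrite is idempotent, so it can be rerun after an agent upgrade replaces the file. Because Identity Manager takes the user's identity from the sois_user header, make sure the Identity Manager application cannot be reached except through the agent-protected web server; otherwise a client could supply that header itself.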
From within the Access Manager application, create a new policy named IDMGR (or something similar) with the following rules:
Service Type | Resource Name | Actions
---|---|---
URL Policy Agent | http://server:port/idm | Allow GET and POST actions
URL Policy Agent | http://server:port/idm/* | Allow GET and POST actions
Assign one or more subjects to the IDMGR policy.