This section applies to both WebLogic Server 10 and WebLogic Portal 10. After you install the agent, you can change the agent profile password, if required for your deployment.
To Change the Password for an Agent Profile
On the OpenSSO Enterprise server:
On the server where the WebLogic Server/Portal 10 agent is installed:
In the agent profile password file, replace the old password with the new unencrypted password.
Change to the PolicyAgent-base/bin directory.
Encrypt the new password using the agentadmin --encrypt command following this syntax.
agentadmin --encrypt agent-instance password-file
For example:
# ./agentadmin --encrypt Agent_001 /tmp/wl10agentpw
The agentadmin --encrypt command returns the new encrypted password. For example:
ASEWEJIowNBJHTv1UGD324kmT==
In the agent-instance/config/OpenSSOAgentBootstrap.properties file, set the following property to the new encrypted password from the previous step. For example:
com.iplanet.am.service.secret=ASEWEJIowNBJHTv1UGD324kmT==
Restart the WebLogic Server/Portal 10 container.
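The property update in the procedure above can be scripted so that the bootstrap file is rewritten atomically and stays readable only by its owner. This is an added example, not code from the agent distribution: the function names set_agent_secret and is_owner_only are hypothetical, and the encrypted value is assumed to be the string that agentadmin --encrypt returned (the example does not run agentadmin itself).

```shell
#!/bin/sh
# Added example (not from the agent distribution). Function names are hypothetical.

# is_owner_only FILE: succeeds when group and other have no permission bits,
# which is what the password file and the bootstrap file should have.
is_owner_only() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# set_agent_secret BOOTSTRAP ENCRYPTED: replace the value of
# com.iplanet.am.service.secret, keeping every other line unchanged.
set_agent_secret() (
    bootstrap=$1
    secret=$2
    key='com.iplanet.am.service.secret='
    [ -f "$bootstrap" ] || { echo "missing file: $bootstrap" >&2; exit 1; }
    [ -n "$secret" ] || { echo "empty encrypted value" >&2; exit 1; }

    # Refuse to guess if the property is absent or duplicated.
    n=$(awk -v k="$key" 'index($0, k) == 1 { n++ } END { print n + 0 }' "$bootstrap")
    [ "$n" -eq 1 ] || { echo "expected 1 '$key' line, found $n" >&2; exit 1; }

    umask 077                                    # new files are owner-only
    cp "$bootstrap" "$bootstrap.bak" && chmod 600 "$bootstrap.bak" || exit 1
    tmp=$(mktemp "$bootstrap.XXXXXX") || exit 1

    # The value travels through the environment, so characters such as '/'
    # in the encrypted string need no escaping.
    KEY=$key SECRET=$secret awk '
        index($0, ENVIRON["KEY"]) == 1 { print ENVIRON["KEY"] ENVIRON["SECRET"]; next }
        { print }
    ' "$bootstrap" > "$tmp" || { rm -f "$tmp"; exit 1; }

    chmod 600 "$tmp" && mv "$tmp" "$bootstrap"    # swap in with one rename
)
```

Run is_owner_only against the clear-text password file before encrypting, and delete that file once the new encrypted value is in place.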
This section applies only to WebLogic Server 10. For instructions specific to WebLogic Portal 10, see Post-Installation Tasks for the WebLogic Server/Portal 10 Agent on WebLogic Portal 10.
If the WebLogic Server 10 agent is configured to operate in the URL_POLICY or ALL filter mode, you must create the appropriate URL policies. For instance, if WebLogic Server 10 is available on port 8080 using the HTTP protocol, you must create, at minimum, a policy to allow access to the sample application. For example:
http://agenthost.example.com:8090/agentsample
where agentsample is the context URI for the sample application.
If no policies are defined and the agent is configured to operate in the URL_POLICY or ALL filter mode, then no user is allowed access to the resources protected by the WebLogic Server 10 agent.
For information about how to create these policies using the OpenSSO Enterprise Console or ssoadm utility, see the Sun OpenSSO Enterprise 8.0 Administration Guide.
This section applies to both WebLogic Server 10 and WebLogic Portal 10.
After you install the WebLogic Server/Portal 10 agent, consider deploying the J2EE policy agent sample application to help you better understand the key features, functions, and configuration options of J2EE agents, including:
Single sign-on (SSO)
Web-tier declarative security
Programmatic security
URL policy evaluation
Session, policy, and profile attribute fetch
The sample application can be especially useful if you are writing a custom agent application.
After you install the WebLogic Server/Portal 10 agent, the sample application is available as:
PolicyAgent-base/sampleapp/dist/agentsample.ear
For information about compiling, deploying, and running the sample application, see the readme.txt file in the /sampleapp directory.
This section applies only to WebLogic Server 10. If the agent is set to the J2EE_POLICY filter mode, map OpenSSO Enterprise roles to the principal names in the respective application's deployment descriptor file(s):
weblogic.xml
weblogic-ejb-jar.xml
OpenSSO Enterprise roles are represented as UUIDs. Ensure that the keys in the mapping are UUIDs corresponding to your site's OpenSSO Enterprise installation. A UUID for an OpenSSO Enterprise role is mapped to the respective principal name in the weblogic.xml or weblogic-ejb-jar.xml file. Specifically, the principal name is located within the <principal-name> element.
To configure the WebLogic Server/Portal 10 agent to use privileged attribute mapping, use one of these methods:
In the OpenSSO Enterprise Administration Console:
Log in to the Console as amadmin.
Under Access Control, realm-name, Agents, and J2EE, click the name of the agent profile you want to update.
The Console displays the Edit page for the agent profile.
Under Application, click Privilege Attributes Processing.
For Enable Privileged Attribute Mapping, check Enabled.
In the Privileged Attribute Mapping list, add the mapping entries.
When you are finished, click Save.
or
Use the ssoadm utility to set these properties:
com.sun.identity.agents.config.privileged.attribute.mapping.enable=true
com.sun.identity.agents.config.privileged.attribute.mapping[id=manager, ou=group,dc=example,dc=com]=am_manager_role
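Starting with WebLogic Server 9.0, a principal name in the weblogic.xml file or weblogic-ejb-jar.xml file must use the NMTOKEN format, which is mandated by the corresponding schema files. Access Manager UUIDs include the following characters: equal sign (=), comma (,), and ampersand (&). None of these characters is allowed in an NMTOKEN, so a UUID cannot be used directly as a principal name; privileged attribute mapping maps the UUID to an NMTOKEN-compliant name such as am_manager_role.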
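A deployment descriptor can be checked for principal names that break the NMTOKEN rule before it is deployed. This is an added example, not part of the agent or of WebLogic: the function names are hypothetical, the check covers only the ASCII characters an NMTOKEN may contain (letters, digits, period, hyphen, underscore, colon), and it assumes each <principal-name> element sits on one line.

```shell
#!/bin/sh
# Added example (not part of the agent). Function names are hypothetical.

# is_nmtoken NAME: succeeds when NAME is non-empty and uses only the ASCII
# characters allowed in an XML NMTOKEN. '=', ',' and '&' all fail this test.
is_nmtoken() {
    case $1 in
        ''|*[!A-Za-z0-9._:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# bad_principals DESCRIPTOR: print every <principal-name> value in
# weblogic.xml or weblogic-ejb-jar.xml that is not a valid NMTOKEN.
bad_principals() {
    sed -n 's:.*<principal-name>[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*</principal-name>.*:\1:p' "$1" |
    while IFS= read -r principal; do
        is_nmtoken "$principal" || printf '%s\n' "$principal"
    done
}

# mapping_property UUID NAME: print the privileged attribute mapping entry
# that lets NAME stand in for UUID; rejects a NAME that is itself not an NMTOKEN.
mapping_property() {
    is_nmtoken "$2" || { echo "not an NMTOKEN: $2" >&2; return 1; }
    printf 'com.sun.identity.agents.config.privileged.attribute.mapping[%s]=%s\n' "$1" "$2"
}
```

Each value that bad_principals prints needs a mapping entry, with the descriptor changed to use the mapped name instead of the UUID.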
The WebLogic Server/Portal 10 agent supports Web Services Security (WSS) for web service providers on WebLogic Server 10 (but not on WebLogic Portal 10).
A web service provider (WSP) deployed on WebLogic Server 10 protected by the agent can have additional security. For example, you can configure the WebLogic Server/Portal 10 agent and OpenSSO Enterprise server to support various Web Services Security profiles, including Username token, X509 token, and SAML2 token.
Configuring the WebLogic Server/Portal 10 agent to use Web Services Security with OpenSSO Enterprise is similar to configuring other Java EE policy agents, with several additional steps specific to WebLogic Server 10.
To Configure Web Services Security for the WebLogic Server/Portal 10 Agent
Perform the general steps, as described in Web Services Security Support for J2EE Agents in Policy Agent 3.0 in Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for J2EE Agents.
Stop the WebLogic Server 10 instance.
Copy the xmlsec.jar file from the OpenSSO Enterprise server deployment to the PolicyAgent-base/lib directory.
PolicyAgent-base is AgentHome/j2ee_agents/weblogic_v10_agent, where AgentHome is where you unzipped the agent distribution file.
For example: /opt/j2ee_agents/weblogic_v10_agent/lib
Add the xmlsec.jar file to the AGENT_CLASSPATH variable:
Find the setAgentEnv_weblogic-server-name.sh script.
For example, if WebLogic Server 10 is installed at /usr/local/bea, change to the /usr/local/bea/user_projects/domains/base_domain directory.
In setAgentEnv_weblogic-server-name.sh, add the PolicyAgent-base/lib/xmlsec.jar at the beginning of the AGENT_CLASSPATH variable.
Save the change.
Edit the setDomainEnv.sh script as follows:
Change to the /usr/local/bea/user_projects/domains/base_domain/bin directory.
In setDomainEnv.sh, near the end of the file, find the following lines:
JAVA_OPTIONS="${JAVA_OPTIONS}"
export JAVA_OPTIONS
Change the JAVA_OPTIONS="${JAVA_OPTIONS}" line to:
JAVA_OPTIONS="${JAVA_OPTIONS}
-Djavax.xml.soap.MessageFactory=com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl
-Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0"
Note: The above entry must be on one line in the setDomainEnv.sh file.
Save the change.
Make the following configuration change in the Security Token Service.
Start the WebLogic Server 10 instance.
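Before restarting, the file edits from this procedure can be verified with a short script. A JAVA_OPTIONS value that wraps onto several lines is the usual mistake. This is an added example, not shipped with the agent: the function names are hypothetical, and the classpath check assumes the setAgentEnv script sets the variable with a plain AGENT_CLASSPATH=... line.

```shell
#!/bin/sh
# Added example (not shipped with the agent). Function names are hypothetical.

# java_options_ok SETDOMAINENV: succeeds when one JAVA_OPTIONS= line carries
# both system properties and ends with its closing quote.
java_options_ok() {
    awk '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, "JAVA_OPTIONS=\"${JAVA_OPTIONS}") == 1 &&
        index(line, "-Djavax.xml.soap.MessageFactory=com.sun.xml.messaging.saaj.soap.ver1_1.SOAPMessageFactory1_1Impl") &&
        index(line, "-Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0") &&
        line ~ /"[ \t]*$/ { ok = 1 }
        END { exit !ok }
    ' "$1"
}

# classpath_leads_with JAR SETAGENTENV: succeeds when the AGENT_CLASSPATH
# value begins with JAR (assumed format: AGENT_CLASSPATH="...").
classpath_leads_with() {
    JAR=$1 awk '
        { line = $0; sub(/^[ \t]+/, "", line); sub(/^export[ \t]+/, "", line) }
        index(line, "AGENT_CLASSPATH=") == 1 {
            value = substr(line, 17); sub(/^"/, "", value)
            if (index(value, ENVIRON["JAR"]) == 1) ok = 1
        }
        END { exit !ok }
    ' "$2"
}

# check_wss_env LIBDIR SETAGENTENV SETDOMAINENV: print one line per problem
# found and return non-zero if there is any.
check_wss_env() {
    rc=0
    [ -f "$1/xmlsec.jar" ] || { echo "xmlsec.jar is missing from $1"; rc=1; }
    classpath_leads_with "$1/xmlsec.jar" "$2" ||
        { echo "AGENT_CLASSPATH in $2 does not start with $1/xmlsec.jar"; rc=1; }
    java_options_ok "$3" ||
        { echo "JAVA_OPTIONS in $3 is not a single line with both -D options"; rc=1; }
    return $rc
}
```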