Chapter 8 Configuring the Protected Resource Host Machines

Each machine on which the protected resources will be hosted contain two installed web containers (one Sun Java™ System Web Server and one BEA WebLogic Server application server) and the appropriate policy agent for each (a web policy agent and a J2EE policy agent, respectively). The policy agents are configured to access Load Balancer 2. This chapter contains the following sections:

• 8.1 Configuring the Protected Resource Host Machines with a J2EE Policy Agent

• 8.2 Configuring the Protected Resource Host Machines with a Web Policy Agent

8.1 Configuring the Protected Resource Host Machines with a J2EE Policy Agent

We will install BEA WebLogic Server and a J2EE policy agent on the Protected Resource 1 host machine (pr-1) and on the Protected Resource 2 host machine (pr-2). The policy agents are then configured to access Load Balancer 2. Use the following list of procedures as a checklist for completing the task.

1. 8.1.1 Installing and Configuring the J2EE Container and J2EE Policy Agent on Protected Resource 1

2. 8.1.2 Installing and Configuring the J2EE Container and J2EE Policy Agent on Protected Resource 2

3. 8.1.3 Creating Groups Using the OpenSSO Enterprise Console

4. 8.1.4 Setting Up a Test for the J2EE Policy Agent 1

5. 8.1.5 Setting Up a Test for the J2EE Policy Agent 2

6. 8.1.6 Configuring the J2EE Policy Agents to Access the Distributed Authentication User Interface

8.1.1 Installing and Configuring the J2EE Container and J2EE Policy Agent on Protected Resource 1

Download the BEA WebLogic Server bits to the pr-1 host machine and install the application server. Additionally, download, install and configure the appropriate J2EE policy agent. Use the following list of procedures as a checklist for completing this task.

1. To Install BEA WebLogic Server as J2EE Container 1 on Protected Resource 1

2. To Configure BEA WebLogic Server as J2EE Container 1 on Protected Resource 1

3. To Import the Certificate Authority Root Certificate into Application Server 1

4. To Install the J2EE Policy Agent 1 on Application Server 1

5. To Deploy the J2EE Policy Agent 1 Application

6. To Start the J2EE Policy Agent 1 Application

7. To Set Up the J2EE Policy Agent 1 Authentication Provider

8. To Deploy the J2EE Policy Agent 1 Sample Application

9. To Modify the J2EE Policy Agent 1 Configuration

To Install BEA WebLogic Server as J2EE Container 1 on Protected Resource 1

BEA WebLogic Server is the application server used as the J2EE container on Protected Resource 1.

1. As a root user, log into the pr-1 host machine.

2. Ensure that your system is properly patched.

   Refer to the BEA web site to make sure that your system has the recommended patches.

3. Create a directory into which you can download the WebLogic Server bits and change into it.

   # mkdir /export/BEAWL10 # cd /export/BEAWL10

4. Download the WebLogic Server bits from http://commerce.bea.com/.

   For this deployment, we download the Solaris version.

   # ls -al total 294548 drwxr-xr-x 2 root root 512 Aug 7 13:23 . drwxr-xr-x 3 root sys 512 Aug 7 13:16 .. -rw-r--r-- 1 root root 656834948 Aug 7 13:24 server100_solaris32.bin

5. Run the installer.

   # ./server100_solaris32.bin

6. When prompted, do the following:

   The Welcome screen is displayed.	Click Next.
   Accept the License agreement	Select Yes and click Next.
   Create a new BEA Home	Type /usr/local/bea and click Next.
   Select "Custom"	Click Next.
   Deselect the following: - Workshop for WebLogic Platform	Click Next.
   Choose Product Installation Directories	Type /usr/local/bea/weblogic10 and click Next.
   Installation Complete	Deselect Run Quickstart and click Done.

7. Verify that the application was correctly installed.

   # cd /usr/local/bea # ls -al total 90 drwxr-xr-x 7 root root 512 Jul 15 11:59 . drwxr-xr-x 4 root root 512 Jul 15 11:58 .. -rwxr-xr-x 1 root root 826 Jul 15 11:59 UpdateLicense.sh -rw-r--r-- 1 root root 14 Jul 15 11:59 beahomelist drwxr-xr-x 6 root root 512 Jul 15 11:59 jdk150_06 -rw-r--r-- 1 root root 12447 Jul 15 11:59 license.bea drwxr-xr-x 2 root root 512 Jul 15 11:59 logs drwxr-xr-x 6 root root 6656 Jul 15 11:58 modules -rw-r--r-- 1 root root 15194 Jul 15 11:59 registry.dat -rw-r--r-- 1 root root 1077 Jul 15 11:59 registry.xml drwxr-xr-x 4 root root 512 Jul 15 12:01 utils drwxr-xr-x 10 root root 512 Jul 15 11:59 weblogic10

To Configure BEA WebLogic Server as J2EE Container 1 on Protected Resource 1

After installing the bits, WebLogic Server must be configured.

Before You Begin

This procedure assumes you have just completed To Install BEA WebLogic Server as J2EE Container 1 on Protected Resource 1 and are still logged into the host machine as the root user.

1. Run the WebLogic Server configuration script.

   # cd /usr/local/bea/weblogic10/common/bin # ./config.sh

2. When prompted, do the following:

   Select "Create a new Weblogic domain"	Click Next.
   Select "Generate a domain configured automatically to support the following BEA products:"	Click Next.
   Configure Administrator Username and Password	Enter the following and click Next.  Username: weblogic Password: bea10admin Confirm Password: bea10admin
   Select "Prduction Mode" and "BEA Supplied JDK's" (Sun SDK 1.5.0_06@/usr/local/bea/jdk150_06)	Click Next.
   Customize Environment and Services Settings	Select yes and click Next.
   Configure the Administration Server	Accept the default values and click Next.
   Configure Managed Servers	Select Add, enter the following values, and click Next.  Name: ApplicationServer-1 Listen Port: 1081
   Configure Clusters	Accept the default values and click Next.
   Configure Machines	Select the Unix Machine tab, then select Add, type pr-1 and click Next.
   Assign Servers to Machines	From the left panel select AdminServer and ApplicationServer-1. From the right panel select pr-1. Click --> and then click Next.
   Review WebLogic Domain	Click Next.
   Create WebLogic Domain	Add the following and click Create.  Domain name: pr-1 Domain Location: /usr/local/bea/user_projects/domains (default)
   Creating Domain	Click Done.

3. Start the WebLogic administration server.

   # cd /usr/local/bea/user_projects/domains/pr-1 # ./startWebLogic.sh

   When prompted, type the following credentials.

   Username

   weblogic

   Password

   bea10admin

4. Run the netstat command to verify that the port is open and listening.

   # netstat -an | grep 7001 XXX.XX.XX.101.7001 *.* 0 0 49152 0 LISTEN XXX.X.X.1.7001 *.* 0 0 49152 0 LISTEN

   ---

   Note –

   You can also access the administration console by pointing a web browser to http://pr-1.example.com:7001/console.

   ---

5. Change to the AdminServer directory.

   # cd /usr/local/bea/user_projects/domains/pr-1/servers/AdminServer

6. Create a security directory and change into it.

   # mkdir security # cd security

7. Create a boot.properties file for the WebLogic Server administration server administrator credentials.

   The administration server administrative user and password are stored in boot.properties. Application Server 1 uses this information during startup. WebLogic Server encrypts the file, so there is no security risk even if you enter the user name and password in clear text.

   # cat > boot.properties username=weblogic password=bea10admin Hit Control D to terminate the command ^D

8. Restart WebLogic to encrypt the username and password in boot.properties.

   # cd /usr/local/bea/user_projects/domains/pr-1/bin # ./stopWebLogic.sh # ./startWebLogic.sh

9. Start the managed servers.

   # cd /usr/local/bea/user_projects/domains/pr-1/bin # ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001

   You will be prompted for the administrative user credentials.

   Username

   weblogic

   Password

   bea10admin

10. Change to the ApplicationServer-1 directory.

    # cd /usr/local/bea/user_projects/domains/pr-1/ servers/ApplicationServer-1

11. Create a security directory and change into it.

    # mkdir security # cd security

12. Create a boot.properties file for the WebLogic Server managed server administrator credentials.

    The managed server administrative user and password are stored in boot.properties. The Application Server 1 managed server uses this information during startup. WebLogic Server encrypts the file, so there is no security risk even if you enter the user name and password in clear text.

    # cat > boot.properties username=weblogic password=bea10admin Hit Control D to terminate the command ^D

13. Restart the managed server.

    # cd /usr/local/bea/user_projects/domains/ pr-1/bin # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001 # ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001

14. Run the netstat command to verify that the port is open and listening.

    # netstat -an | grep 1081 XXX.XX.XX.101.1081 *.* 0 0 49152 0 LISTEN XXX.X.X.1.1081 *.* 0 0 49152 0 LISTEN

15. Access http://pr-1.example.com:7001/console from a web browser.

16. Login to the BEA WebLogic Server as the administrator.

    Username

    weblogic

    Password

    bea10admin

17. Click servers under Domain Structure —>Environment.

    On the Summary of Servers page, verify that both AdminServer (admin) and ApplicationServer-1 are running and OK.

18. Log out of the console.

19. Log out of the pr–1 host machine.

To Import the Certificate Authority Root Certificate into Application Server 1

The Certificate Authority (CA) root certificate enables the J2EE policy agent to trust the certificate from the OpenSSO Enterprise Load Balancer 2, and to establish trust with the certificate chain that is formed from the CA to the certificate.

Before You Begin

Copy the same CA root certificate used in To Install a CA Root Certificate to the OpenSSO Enterprise Load Balancer to the /export/software directory on the pr-1 host machine.

1. As a root user, log into the pr–1 host machine.

2. Change to the directory where cacerts, the certificate store is located.

   # cd /usr/local/bea/jdk150_06/jre/lib/security.

   ---

   Tip –

   Backup cacerts before modifying it.

   ---

3. Import ca.cer, the CA root certificate.

   # /usr/local/bea/jdk150_06/bin/keytool -import -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer -keystore /usr/local/bea/jdk150_06/jre/lib/security/cacerts -storepass changeit Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun,L=Santa Clara, ST=California C=US Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun,L=Santa Clara, ST=California C=US Serial number: 97dba0aa26db6386 Valid from: Tue Apr 18 07:66:19 PDT 2006 until: Tue Jan 13 06:55:19 PST 2009 Certificate fingerprints: MD5: 9f:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06 SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:26:64:36:80:E4:70 Trust this certificate: [no] yes Certificate was added to keystore.

4. Verify that ca.cer was successfully imported.

   # /usr/local/bea/jdk150_06/bin/keytool -list -keystore /usr/local/bea/jdk150_06/jre/lib/security/cacerts -storepass changeit | grep -i openssl OpenSSLTestCA, Sep 15, 2008, trustedCertEntry,

5. Log out of the pr–1 host machine.

To Install the J2EE Policy Agent 1 on Application Server 1

Before You Begin

Set JAVA_HOME to /usr/local/bea/jdk150_06.

1. As a root user, log into the pr-1 host machine.

2. Stop the WebLogic Server 1 administration server and the WebLogic Server 1 managed instance.

   # cd /usr/local/bea/user_projects/domains/pr-1/bin # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001 # ./stopWebLogic.sh

3. Create a directory into which you will download the J2EE Policy Agent bits and change into it.

   # mkdir /export/J2EEPA1 # cd /export/J2EEPA1

4. Create a text file that contains a password for the Agent Profile created during installation.

   The J2EE Policy Agent installer requires this.

   # cat > agent.pwd j2eeagent1 Hit Control D to terminate the command ^D

5. Create a text file that contains the Agent Administrator password.

   This text file should contain the password of the OpenSSO Enterprise administrator (by default, amadmin).

   # cat > agentadm.pwd ossoadmin Hit Control D to terminate the command ^D

6. Download the J2EE policy agent bits for WebLogic Server from http://www.sun.com/download/index.jsp.

   # ls -al total 18824 drwxr-xr-x 2 root root 512 Jul 17 16:02 . drwxr-xr-x 8 root root 512 Jul 17 15:58 .. -rw-r--r-- 1 root root 11 Jul 17 15:59 agent.pwd -rw-r--r-- 1 root root 9 Jul 17 16:01 agentadm.pwd -rw-r--r-- 1 root root 9623704 Jul 17 16:02 weblogic_v10_agent_3.zip

7. Unpack the J2EE policy agent bits.

   # unzip weblogic_v10_agent_3.zip

8. Run the J2EE policy agent installer.

   # cd /export/J2EEPA1/j2ee_agents/weblogic_v10_agent/bin # chmod 755 agentadmin # ./agentadmin --custom-install

9. When prompted, provide the following information.

   The following information is to configure the J2EE Policy Agent against the OpenSSO Enterprise secure port.

   Please read the following License Agreement carefully:	Press Enter to continue. Continue to press Enter until you reach the end of the License Agreement and the installer's Welcome page is displayed.
   Enter startup script location.	Enter /usr/local/bea/user_projects/domains/pr-1/bin/startwebLogic.sh
   Enter the WebLogic Server instance name: [AdminServer]	Enter the name of the WebLogic Server instance secured by the agent ApplicationServer-1
   Enter the WebLogic home directory: [/usr/local/bea/wlserver_10.0]	Enter /usr/local/bea/weblogic10.
   OpenSSO Enterprise URL	Enter the URL where OpenSSO Enterprise is running (including the URI): https://lb-2.example.com:1081/opensso
   Is the agent being deployed on a Portal domain [false]	Accept the default value.
   Agent URL:	Enter the URL where the policy agent is running (including the URI): http://pr-1.example.com:1081/agentapp
   Enter the Encryption Key [+Yr3K4K1/lWFe4H17SBHMNIUzLNRut7H]:	Accept the default value.
   Enter the Agent Profile Name:	j2eeagent-1
   Enter the path to the password file:	Enter the path to a file that contains the password to be used for identifying the policy agent: /export/J2EEPA1/agent.pwd. Note – A warning message is displayed regarding the existence of the agent profile.
   This Agent Profile does not exist in OpenSSO Enterprise. Will it be created by the installer? (Agent Administrator name and password are required) [true]:	Accept the default value to create the Agent Profile during installation.
   Enter the Agent Administrator's name:	Enter amadmin
   Enter the path to the password file that contains the password of Agent Administrator:	Enter /export/J2EEPA1/agentadm.pwd
   ----------------------------------------------- SUMMARY OF YOUR RESPONSES ----------------------------------------------- Startup script location : /usr/local/bea/user_projects/domains/ pr-1/bin/startWebLogic.sh WebLogic Server instance name : ApplicationServer-1 WebLogic home directory : /usr/local/bea/weblogic10 OpenSSO Server URL : https://lb-2.example.com:1081/opensso Agent Installed on Portal domain : false Agent URL : http://pr-1.example.com:1081/agentapp Encryption Key : +Yr3K4K1/lWFe4H17SBHMNIUzLNRut7H Agent Profile name : j2eeagent-1 Agent Profile Password file name : /export/J2EEPA1/agent.pwd Agent Profile will be created right now by agent installer : true Agent Administrator : amadmin Agent Administrator's password file name : /export/J2EEPA1/agentadm.pwd Verify your settings and decide from the choices below: 1. Continue with Installation 2. Back to the last interaction 3. Start Over 4. Exit Please make your selection [1]:	Accept the default value.
   --------------------------------------------- SUMMARY OF AGENT INSTALLATION ----------------------------- Agent instance name: Agent_001 Agent Bootstrap file location: /export/J2EEPA1/j2ee_agents/ weblogic_v10_agent/Agent_001/ config/FAMAgentBootstrap.properties Agent Configuration file location /export/J2EEPA1/j2ee_agents/ weblogic_v10_agent/Agent_001/ config/FAMAgentConfiguration.properties Agent Audit directory location: /export/J2EEPA1/j2ee_agents/ weblogic_v10_agent/Agent_001/logs/audit Agent Debug directory location: /export/J2EEPA1/j2ee_agents/ weblogic_v10_agent/Agent_001/logs/debug Install log file location: /export/J2EEPA1/j2ee_agents/ weblogic_v10_agent/installer-logs /audit/custom.log	Accept the default value.

   When the installer is finished, a new file is in the bin directory called setAgentEnv_ApplicationServer-1.sh.

10. Modify the startup script setDomainEnv.sh to reference setAgentEnv_ApplicationServer-1.sh with the following sub procedure.

    ---

    Tip –

    Backup setDomainEnv.sh before you modify it.

    ---

    1. Change to the bin directory.

       # cd /usr/local/bea/user_projects/domains/pr-1/bin

    2. Insert the following line at the end of setDomainEnv.sh.

       . /usr/local/bea/user_projects/domains/pr-1/ bin/setAgentEnv_ApplicationServer-1.sh

    3. Save setDomainEnv.sh and close the file.

11. Change permissions for setAgentEnv_ApplicationServer-1.sh.

    # chmod 755 setAgentEnv_ApplicationServer-1.sh

12. Start the WebLogic Server administration server and managed instance.

    # ./startWebLogic.sh & # ./startManagedWebLogic.sh ApplicationSever-1 t3://localhost:7001

    Watch for startup errors.

13. Verify that the J2EE Policy Agent 1 was successfully created on the server using the following sub procedure.

    1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

    2. Log in to the OpenSSO Enterprise console as the administrator.

       User Name:

       amadmin

       Password:

       ossoadmin

    3. Under the Access Control tab, click / (Top Level Realm).

    4. Click the Agents tab.

    5. Click the J2EE tab.

       j2eeagent-1 is displayed under the Agent table.

    6. Click j2eeagent-1.

       The j2eeagent-1 properties page is displayed.

    7. Log out of the OpenSSO Enterprise console and close the browser.

14. Remove the password files.

    # cd /export/J2EEPA1 # rm agent.pwd # rm agentadm.pwd

15. Log out of the pr-1 host machine.

To Deploy the J2EE Policy Agent 1 Application

The agent application is a housekeeping application bundled with the binaries and used by the agent for notifications and other internal functionality. This application must be deployed to the agent-protected web container using the same URI that was supplied during the agent installation process. For example, during the installation process, if you entered /agentapp as the deployment URI for the agent application, use that same context path in this procedure.

1. Access http://pr-1.example.com:7001/console from a web browser.

2. Log in to the WebLogic Server console as the administrator.

   Username

   weblogic

   Password

   bea10admin

3. Under Domain Structure, click Deployments.

4. On the Summary of Deployments page, in the Change Center, click Lock & Edit.

5. Under Deployments, click Install.

6. On the Install Application Assistant page, click the pr-1.example.com link.

7. In the field named Location: pr-1.example.com, click the root directory.

8. Navigate to /export/J2EEPA1/j2ee_agents/weblogic_v10_agent/etc, the application directory.

9. Select agentapp.war and click Next.

10. In the Install Application Assistant page, choose Install this deployment as an application and click Next.

11. In the list of Servers, mark the checkbox for ApplicationServer-1 and click Next.

12. In the Optional Settings page, click Next.

13. Click Finish.

14. On the Settings for agentapp page, click Save.

15. In the Change Center, click Activate Changes.

To Start the J2EE Policy Agent 1 Application

Before You Begin

This procedure assumes that you have just completed To Deploy the J2EE Policy Agent 1 Application and are still logged in to the WebLogic Server console as the administrator.

1. In the WebLogic Server console, on the Settings for agentapp page, click Deployments.

2. On the Summary of Deployments page, mark the agentapp checkbox and click Start > Servicing all requests.

3. On the Start Application Assistant page, click Yes.

   ---

   Tip –

   If you encounter a JavaScript^TM error, start the WebLogic Server instance and perform the steps again.

   ---

To Set Up the J2EE Policy Agent 1 Authentication Provider

Before You Begin

This procedure assumes that you have just completed To Start the J2EE Policy Agent 1 Application and are still logged in to the WebLogic Server console as the administrator.

1. In the WebLogic Server console, on the Summary of Deployments page, under Domain Structure, click Security Realms.

2. On the Summary of Security Realms page, click Lock & Edit.

3. Click the myrealm link.

4. On the Settings for myrealm page, click the Providers tab.

5. Under Authentication Providers, click New.

6. On the Create a New Authentication Provider page, provide the following information and click OK.

   Name:

   Agent-1

   Type:

   Select AgentAuthenticator from the drop down list.

   Agent-1 is now included in the list of Authentication Providers.

7. In the list of Authentication Providers, click Agent-1.

8. In the Settings for Authentication Providers page, verify that the Control Flag is set to OPTIONAL.

9. In the navigation tree near the top of the page, click Providers.

10. In the list of Authentication Providers, click DefaultAuthenticator.

11. In the Settings for DefaultAuthenticator page, set the Control Flag to OPTIONAL and click Save.

12. In the navigation tree near the top of the page, click Providers again.

13. In the Change Center, click Activate Changes.

14. If indicated by the console, restart the servers with the following sub procedure.

    1. Log out of the WebLogic Server console.

    2. As a root user, log into the pr–1 host machine.

    3. Restart the administration server and the managed instance.

       # cd /usr/local/bea/user_projects/domains/pr-1/bin # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001 # ./stopWebLogic.sh # ./startWebLogic.sh # ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001

    4. Log out of the pr–1 host machine.

To Deploy the J2EE Policy Agent 1 Sample Application

1. Access Application Server 1 at http://pr-1.example.com:7001/console.

2. Log in to the WebLogic Server console as the administrator.

   Username

   weblogic

   Password

   bea10admin

3. On the Change Center, click Lock & Edit.

4. Under Domain Structure, click Deployments.

5. Under Deployments, click Install.

6. On the Install Application Assistant page, click the pr-1.example.com link.

7. In the list for Location: pr-1.example.com, click the root directory.

8. Navigate to the application directory (/export/J2EEPA1/j2ee_agents/weblogic_v10_agent/sampleapp/dist), select agentsample.ear and click Next.

9. In the Install Application Assistant page, choose Install this deployment as an application and click Next.

10. In the list of Servers, mark the checkbox for ApplicationServer-1 and click Next.

11. On the Optional Settings page, click Next to accept the default settings.

12. On the Review Your Choices page, click Finish.

    The Target Summary section indicates that the module agentsample will be installed on the target ApplicationServer-1.

13. On the Settings for agentsample page, click Save.

14. On the Settings for agentsample page, click Activate Changes.

15. Under Domain Structure, click Deployments.

16. In the Deployments list, mark the checkbox for agentsample and click Start > Servicing All Requests.

17. On the Start Application Assistant page, click Yes.

    The state of the deployment changes from Prepared to Active.

18. Log out of the Application Server 1 console.

To Modify the J2EE Policy Agent 1 Configuration

The J2EE policy agent can operate in local or centralized mode. The centralized option was selected during the custom installation of the agent. Centralized agent configuration stores agent configuration data in a data store managed by OpenSSO Enterprise. In this deployment, J2EE policy agents are configured in centralized mode meaning that any configuration changes must be made using the OpenSSO Enterprise server. For more information, see Centralized Agent Configuration in Sun OpenSSO Enterprise 8.0 Technical Overview.

1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   User Name:

   amadmin

   Password:

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Agents tab.

5. Click the J2EE tab.

   j2eeagent-1 is displayed under the Agent table.

6. Click j2eeagent-1.

   The j2eeagent-1 properties page is displayed.

7. Click the Miscellaneous tab.

   The Miscellaneous properties page is displayed.

8. Provide the user name of the Application Server administrator in the Bypass Principal List and click Add.

   Enter weblogic to ensure that the administrator will be authenticated against WebLogic itself and not OpenSSO Enterprise.

9. Click Save.

10. Exit the console and close the browser.

8.1.2 Installing and Configuring the J2EE Container and J2EE Policy Agent on Protected Resource 2

Download the BEA WebLogic Server bits to the pr-2 host machine and install the application server. Additionally, download, install and configure the appropriate J2EE policy agent. Use the following list of procedures as a checklist for completing this task.

1. To Install BEA WebLogic Server as J2EE Container 2 on Protected Resource 2

2. To Configure BEA WebLogic Server as J2EE Container 2 on Protected Resource 2

3. To Import the Certificate Authority Root Certificate into Application Server 2

4. To Install the J2EE Policy Agent 2 on Application Server 2

5. To Deploy the J2EE Policy Agent 2 Application

6. To Start the J2EE Policy Agent 2 Application

7. To Set Up the J2EE Policy Agent 2 Authentication Provider

8. To Deploy the J2EE Policy Agent 2 Sample Application

9. To Modify the J2EE Policy Agent 2 Configuration

To Install BEA WebLogic Server as J2EE Container 2 on Protected Resource 2

BEA WebLogic Server is the application server used as the J2EE container on Protected Resource 2.

1. As a root user, log into the pr-2 host machine.

2. Ensure that your system is properly patched.

   Refer to the BEA web site to make sure that your system has the recommended patches.

3. Create a directory into which you can download the WebLogic Server bits and change into it.

   # mkdir /export/BEAWL10 # cd /export/BEAWL10

4. Download the WebLogic Server bits from http://commerce.bea.com/.

   For this deployment, we download the Solaris version.

   # ls -al total 294548 drwxr-xr-x 2 root root 512 Aug 7 13:23 . drwxr-xr-x 3 root sys 512 Aug 7 13:16 .. -rw-r--r-- 1 root root 656834948 Aug 7 13:24 server100_solaris32.bin

5. Run the installer.

   # ./server100_solaris32.bin

6. When prompted, do the following:

   The Welcome screen is displayed.	Click Next.
   Accept the License agreement	Select Yes and click Next.
   Create a new BEA Home	Type /usr/local/bea and click Next.
   Select "Custom"	Click Next.
   Deselect the following: - Workshop for WebLogic Platform	Click Next.
   Choose Product Installation Directories	Type /usr/local/bea/weblogic10 and click Next.
   Installation Complete	Deselect Run Quickstart and click Done.

7. Verify that the application was correctly installed.

   # cd /usr/local/bea # ls -al total 90 drwxr-xr-x 7 root root 512 Jul 15 11:59 . drwxr-xr-x 4 root root 512 Jul 15 11:58 .. -rwxr-xr-x 1 root root 826 Jul 15 11:59 UpdateLicense.sh -rw-r--r-- 1 root root 14 Jul 15 11:59 beahomelist drwxr-xr-x 6 root root 512 Jul 15 11:59 jdk150_06 -rw-r--r-- 1 root root 12447 Jul 15 11:59 license.bea drwxr-xr-x 2 root root 512 Jul 15 11:59 logs drwxr-xr-x 6 root root 6656 Jul 15 11:58 modules -rw-r--r-- 1 root root 15194 Jul 15 11:59 registry.dat -rw-r--r-- 1 root root 1077 Jul 15 11:59 registry.xml drwxr-xr-x 4 root root 512 Jul 15 12:01 utils drwxr-xr-x 10 root root 512 Jul 15 11:59 weblogic10

To Configure BEA WebLogic Server as J2EE Container 2 on Protected Resource 2

After installing the bits, WebLogic Server must be configured.

Before You Begin

This procedure assumes you have just completed To Install BEA WebLogic Server as J2EE Container 2 on Protected Resource 2 and are still logged into the host machine as the root user.

1. Run the WebLogic Server configuration script.

   # cd /usr/local/bea/weblogic10/common/bin # ./config.sh

2. When prompted, do the following:

   Select "Create a new Weblogic domain"	Click Next.
   Select "Generate a domain configured automatically to support the following BEA products:"	Click Next.
   Configure Administrator Username and Password	Enter the following and click Next.  Username: weblogic Password: bea10admin Confirm Password: bea10admin
   Select "Prduction Mode" and "BEA Supplied JDK's" (Sun SDK 1.5.0_06@/usr/local/bea/jdk150_06)	Click Next.
   Customize Environment and Services Settings	Select yes and click Next.
   Configure the Administration Server	Accept the default values and click Next.
   Configure Managed Servers	Select Add, enter the following values, and click Next.  Name: ApplicationServer-2 Listen Port: 1081
   Configure Clusters	Accept the default values and click Next.
   Configure Machines	Select the Unix Machine tab, then select Add, type pr-2 and click Next.
   Assign Servers to Machines	From the left panel select AdminServer and ApplicationServer-2. From the right panel select pr-2. Click --> and then click Next.
   Review WebLogic Domain	Click Next.
   Create WebLogic Domain	Add the following and click Create.  Domain name: pr-2 Domain Location: /usr/local/bea/user_projects/domains (default)
   Creating Domain	Click Done.

3. Start the WebLogic administration server.

   # cd /usr/local/bea/user_projects/domains/pr-2 # ./startWebLogic.sh

   When prompted, type the following credentials.

   Username

   weblogic

   Password

   bea10admin

4. Run the netstat command to verify that the port is open and listening.

   # netstat -an | grep 7001 XXX.XX.XX.101.7001 *.* 0 0 49152 0 LISTEN XXX.X.X.1.7001 *.* 0 0 49152 0 LISTEN

   ---

   Note –

   You can also access the administration console by pointing a web browser to http://pr-2.example.com:7001/console.

   ---

5. Change to the AdminServer directory.

   # cd /usr/local/bea/user_projects/domains/pr-2/servers/AdminServer

6. Create a security directory and change into it.

   # mkdir security # cd security

7. Create a boot.properties file for the WebLogic Server administration server administrator credentials.

   The administration server administrative user and password are stored in boot.properties. Application Server 2 uses this information during startup. WebLogic Server encrypts the file, so there is no security risk even if you enter the user name and password in clear text.

   # cat > boot.properties username=weblogic password=bea10admin Hit Control D to terminate the command ^D

8. Restart WebLogic to encrypt the username and password in boot.properties.

   # cd /usr/local/bea/user_projects/domains/pr-2/bin # ./stopWebLogic.sh # ./startWebLogic.sh

9. Start the managed servers.

   # cd /usr/local/bea/user_projects/domains/pr-2/bin # ./startManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001

   You will be prompted for the administrative user credentials.

   Username

   weblogic

   Password

   bea10admin

10. Change to the ApplicationServer-2 directory.

    # cd /usr/local/bea/user_projects/domains/pr-2/ servers/ApplicationServer-2

11. Create a security directory and change into it.

    # mkdir security # cd security

12. Create a boot.properties file for the WebLogic Server managed server administrator credentials.

    The managed server administrative user and password are stored in boot.properties. The Application Server 2 managed server uses this information during startup. WebLogic Server encrypts the file, so there is no security risk even if you enter the user name and password in clear text.

    # cat > boot.properties username=weblogic password=bea10admin Hit Control D to terminate the command ^D

13. Restart the managed server.

    # cd /usr/local/bea/user_projects/domains/ pr-2/bin # ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001 # ./startManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001

14. Run the netstat command to verify that the port is open and listening.

    # netstat -an | grep 1081 XXX.XX.XX.101.1081 *.* 0 0 49152 0 LISTEN XXX.X.X.1.1081 *.* 0 0 49152 0 LISTEN

15. Access http://pr-2.example.com:7001/console from a web browser.

16. Login to the BEA WebLogic Server as the administrator.

    Username

    weblogic

    Password

    bea10admin

17. Click servers under Domain Structure —>Environment.

    On the Summary of Servers page, verify that both AdminServer (admin) and ApplicationServer-2 are running and OK.

18. Log out of the console.

19. Log out of the pr–2 host machine.

To Import the Certificate Authority Root Certificate into Application Server 2

The CA root certificate enables the J2EE policy agent to trust the certificate from the OpenSSO Enterprise Load Balancer 2, and to establish trust with the certificate chain that is formed from the CA to the certificate.

Before You Begin

Copy the same CA root certificate used in To Install a CA Root Certificate to the OpenSSO Enterprise Load Balancer to the /export/software directory on the pr-2 host machine.

1. As a root user, log into the pr–2 host machine.

2. Change to the directory where the cacerts certificate store is located.

   # cd /usr/local/bea/jdk150_06/jre/lib/security.

   ---

   Tip –

   Backup cacerts before modifying it.

   ---

3. Import ca.cer, the CA root certificate.

   # /usr/local/bea/jdk150_06/bin/keytool -import -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer -keystore /usr/local/bea/jdk150_06/jre/lib/security/cacerts -storepass changeit Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun,L=Santa Clara, ST=California C=US Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun,L=Santa Clara, ST=California C=US Serial number: 97dba0aa26db6386 Valid from: Tue Apr 18 07:66:19 PDT 2006 until: Tue Jan 13 06:55:19 PST 2009 Certificate fingerprints: MD5: 9f:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06 SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:26:64:36:80:E4:70 Trust this certificate: [no] yes Certificate was added to keystore.

4. Verify that ca.cer was successfully imported.

   # /usr/local/bea/jdk150_06/bin/keytool -list -keystore /usr/local/bea/jdk150_06/jre/lib/security/cacerts -storepass changeit | grep -i openssl OpenSSLTestCA, Sep 15, 2008, trustedCertEntry,

5. Log out of the pr–2 host machine.

To Install the J2EE Policy Agent 2 on Application Server 2

Before You Begin

Set JAVA_HOME to /usr/local/bea/jdk150_06.

1. As a root user, log into the pr-2 host machine.

2. Stop the WebLogic Server 2 administration server and the WebLogic Server 2 managed server.

   # cd /usr/local/bea/user_projects/domains/pr-2/bin # ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001 # ./stopWebLogic.sh

3. Create a directory into which you will download the J2EE policy agent bits and change into it.

   # mkdir /export/J2EEPA2 # cd /export/J2EEPA2

4. Create a text file that contains a password for the Agent Profile created during installation.

   The J2EE Policy Agent installer requires this.

   # cat > agent.pwd j2eeagent2 Hit Control D to terminate the command ^D

5. Create a text file that contains the Agent Administrator password.

   This text file should contain the password of the OpenSSO Enterprise administrator (by default, amadmin).

   # cat > agentadm.pwd ossoadmin Hit Control D to terminate the command ^D

6. Download the J2EE policy agent bits for WebLogic Server from http://www.sun.com/download/index.jsp.

   # ls -al total 18824 drwxr-xr-x 2 root root 512 Jul 17 16:02 . drwxr-xr-x 8 root root 512 Jul 17 15:58 .. -rw-r--r-- 1 root root 11 Jul 17 15:59 agent.pwd -rw-r--r-- 1 root root 9 Jul 17 16:01 agentadm.pwd -rw-r--r-- 1 root root 9623704 Jul 17 16:02 weblogic_v10_agent_3.zip

7. Unpack the J2EE policy agent bits.

   # unzip weblogic_v10_agent_3.zip

8. Run the J2EE policy agent installer.

   # cd /export/J2EEPA2/j2ee_agents/weblogic_v10_agent/bin # chmod 755 agentadmin # ./agentadmin --custom-install

9. When prompted, provide the following information.

   The following information is to configure the J2EE Policy Agent against the OpenSSO Enterprise secure port.

   Please read the following License Agreement carefully:	Press Enter to continue. Continue to press Enter until you reach the end of the License Agreement and the installer's Welcome page is displayed.
   Enter startup script location.	Enter /usr/local/bea/user_projects/domains/pr-2/bin/startwebLogic.sh
   Enter the WebLogic Server instance name: [AdminServer]	Enter the name of the WebLogic Server instance secured by the agent ApplicationServer-2
   Enter the WebLogic home directory: [/usr/local/bea/wlserver_10.0]	Enter /usr/local/bea/weblogic10.
   OpenSSO Enterprise URL	Enter the URL where OpenSSO Enterprise is running (including the URI): https://lb-2.example.com:1081/opensso
   Is the agent being deployed on a Portal domain [false]	Accept the default value.
   Agent URL:	Enter the URL where the policy agent is running (including the URI): http://pr-2.example.com:1081/agentapp
   Enter the Encryption Key [+Yr3K4K1/lWFe4H17SBHMNIUzLNRut7H]:	Accept the default value.
   Enter the Agent Profile Name:	j2eeagent-2
   Enter the path to the password file:	Enter the path to a file that contains the password to be used for identifying the policy agent: /export/J2EEPA2/agent.pwd. Note – A warning message is displayed regarding the existence of the agent profile.
   This Agent Profile does not exist in OpenSSO Enterprise. Will it be created by the installer? (Agent Administrator name and password are required) [true]:	Accept the default value to create the Agent Profile during installation.
   Enter the Agent Administrator's name:	Enter amadmin
   Enter the path to the password file that contains the password of Agent Administrator:	Enter /export/J2EEPA2/agentadm.pwd
   ----------------------------------------------- SUMMARY OF YOUR RESPONSES ----------------------------------------------- Startup script location : /usr/local/bea/user_projects/domains/ pr-2/bin/startWebLogic.sh WebLogic Server instance name : ApplicationServer-2 WebLogic home directory : /usr/local/bea/weblogic10 OpenSSO Server URL : https://lb-2.example.com:1081/opensso Agent Installed on Portal domain : false Agent URL : http://pr-2.example.com:1081/agentapp Encryption Key : +Yr3K4K1/lWFe4H17SBHMNIUzLNRut7H Agent Profile name : j2eeagent-2 Agent Profile Password file name : /export/J2EEPA2/agent.pwd Agent Profile will be created right now by agent installer : true Agent Administrator : amadmin Agent Administrator's password file name : /export/J2EEPA2/agentadm.pwd Verify your settings and decide from the choices below: 1. Continue with Installation 2. Back to the last interaction 3. Start Over 4. Exit Please make your selection [1]:	Accept the default value.
   ----------------------------------------------- SUMMARY OF AGENT INSTALLATION ----------------------------- Agent instance name: Agent_001 Agent Bootstrap file location: /export/J2EEPA2/j2ee_agents/ weblogic_v10_agent/Agent_001/ config/FAMAgentBootstrap.properties Agent Configuration file location /export/J2EEPA2/j2ee_agents/ weblogic_v10_agent/Agent_001/ config/FAMAgentConfiguration.properties Agent Audit directory location: /export/J2EEPA2/j2ee_agents/ weblogic_v10_agent/Agent_001/logs/audit Agent Debug directory location: /export/J2EEPA2/j2ee_agents/ weblogic_v10_agent/Agent_001/logs/debug Install log file location: /export/J2EEPA2/j2ee_agents/ weblogic_v10_agent/installer-logs /audit/custom.log	Accept the default value.

   When the installer is finished, a new file is in the bin directory called setAgentEnv_ApplicationServer-2.sh.

10. Modify the startup script setDomainEnv.sh to reference setAgentEnv_ApplicationServer-2.sh using the following sub procedure.

    ---

    Tip –

    Backup setDomainEnv.sh before you modify it.

    ---

    1. Change to the bin directory.

       # cd /usr/local/bea/user_projects/domains/pr-2/bin

    2. Insert the following line at the end of setDomainEnv.sh.

       . /usr/local/bea/user_projects/domains/pr-2/ bin/setAgentEnv_ApplicationServer-2.sh

    3. Save setDomainEnv.sh and close the file.

11. Change permissions for setAgentEnv_ApplicationServer-2.sh.

    # chmod 755 setAgentEnv_ApplicationServer-2.sh

12. Start the WebLogic Server administration server and managed instance.

    # ./startWebLogic.sh & # ./startManagedWebLogic.sh ApplicationSever-2 t3://localhost:7001

    Watch for startup errors.

13. Verify that the J2EE Policy Agent 2 was successfully created on the server using the following sub-procedure.

    1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

    2. Log in to the OpenSSO Enterprise console as the administrator.

       User Name:

       amadmin

       Password:

       ossoadmin

    3. Under the Access Control tab, click / (Top Level Realm).

    4. Click the Agents tab.

    5. Click the J2EE tab.

       j2eeagent-2 is displayed under the Agent table.

    6. Click j2eeagent-2.

       The j2eeagent-2 properties page is displayed.

    7. Log out of the OpenSSO Enterprise console and close the browser.

14. Remove the password files.

    # cd /export/J2EEPA2 # rm agent.pwd # rm agentadm.pwd

15. Log out of the pr-2 host machine.

To Deploy the J2EE Policy Agent 2 Application

The agent application is a housekeeping application bundled with the binaries and used by the agent for notifications and other internal functionality. This application must be deployed to the agent-protected web container using the same URI that was supplied during the agent installation process. For example, during the installation process, if you entered /agentapp as the deployment URI for the agent application, use that same context path in this procedure.

1. Access http://pr-2.example.com:7001/console from a web browser.

2. Log in to the WebLogic Server console as the administrator.

   Username

   weblogic

   Password

   bea10admin

3. Under Domain Structure, click Deployments.

4. On the Summary of Deployments page, in the Change Center, click Lock & Edit.

5. Under Deployments, click Install.

6. On the Install Application Assistant page, click the pr-2.example.com link.

7. In the field named Location: pr-2.example.com, click the root directory.

8. Navigate to /export/J2EEPA2/j2ee_agents/weblogic_v10_agent/etc, the application directory.

9. Select agentapp.war and click Next.

10. In the Install Application Assistant page, choose Install this deployment as an application and click Next.

11. In the list of Servers, mark the checkbox for ApplicationServer-2 and click Next.

12. In the Optional Settings page, click Next.

13. Click Finish.

14. On the Settings for agentapp page, click Save.

15. In the Change Center, click Activate Changes.

To Start the J2EE Policy Agent 2 Application

Before You Begin

This procedure assumes that you have just completed To Deploy the J2EE Policy Agent 2 Application and are still logged in to the WebLogic Server console as the administrator.

1. In the WebLogic Server console, on the Settings for agentapp page, click Deployments.

2. On the Summary of Deployments page, mark the agentapp checkbox and click Start > Servicing all requests.

3. On the Start Application Assistant page, click Yes.

   ---

   Tip –

   If you encounter a JavaScript error, start the WebLogic Server instance and perform the steps again.

   ---

To Set Up the J2EE Policy Agent 2 Authentication Provider

Before You Begin

This procedure assumes that you have just completed To Start the J2EE Policy Agent 2 Application and are still logged in to the WebLogic Server console as the administrator.

1. In the WebLogic Server console, on the Summary of Deployments page, under Domain Structure, click Security Realms.

2. On the Summary of Security Realms page, click Lock & Edit.

3. Click the myrealm link.

4. On the Settings for myrealm page, click the Providers tab.

5. Under Authentication Providers, click New.

6. On the Create a New Authentication Provider page, provide the following information and click OK.

   Name:

   Agent-2

   Type:

   Select AgentAuthenticator from the drop down list.

   Agent-2 is now included in the list of Authentication Providers.

7. In the list of Authentication Providers, click Agent-2.

8. In the Settings for Authentication Providers page, verify that the Control Flag is set to OPTIONAL.

9. In the navigation tree near the top of the page, click Providers.

10. In the list of Authentication Providers, click DefaultAuthenticator.

11. In the Settings for DefaultAuthenticator page, set the Control Flag to OPTIONAL and click Save.

12. In the navigation tree near the top of the page, click Providers again.

13. In the Change Center, click Activate Changes.

14. If indicated by the console, restart the servers.

    1. Log out of the WebLogic Server console.

    2. As a root user, log into the pr–2 host machine.

    3. Restart the administration server and the managed instance.

       # cd /usr/local/bea/user_projects/domains/pr-2/bin # ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001 # ./stopWebLogic.sh # ./startWebLogic.sh # ./startManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001

    4. Log out of the pr–2 host machine.

To Deploy the J2EE Policy Agent 2 Sample Application

1. Access Application Server 2 at http://pr-2.example.com:7001/console.

2. Log in to the WebLogic Server console as the administrator.

   Username

   weblogic

   Password

   bea10admin

3. On the Change Center, click Lock & Edit.

4. Under Domain Structure, click Deployments.

5. Under Deployments, click Install.

6. On the Install Application Assistant page, click the pr-2.example.com link.

7. In the list for Location: pr-2.example.com, click the root directory.

8. Navigate to the application directory (/export/J2EEPA2/j2ee_agents/weblogic_v10_agent/sampleapp/dist), select agentsample.ear and click Next.

9. In the Install Application Assistant page, choose Install this deployment as an application and click Next.

10. In the list of Servers, mark the checkbox for ApplicationServer-2 and click Next.

11. On the Optional Settings page, click Next to accept the default settings.

12. On the Review Your Choices page, click Finish.

    The Target Summary section indicates that the module agentsample will be installed on the target ApplicationServer-2.

13. On the Settings for agentsample page, click Save.

14. On the Settings for agentsample page, click Activate Changes.

15. Under Domain Structure, click Deployments.

16. In the Deployments list, mark the checkbox for agentsample and click Start > Servicing All Requests.

17. On the Start Application Assistant page, click Yes.

    The state of the deployment changes from Prepared to Active.

18. Log out of the Application Server 2 console.

To Modify the J2EE Policy Agent 2 Configuration

The J2EE policy agent can operate in local or centralized mode. The centralized option was selected during the custom installation of the agent. Centralized agent configuration stores agent configuration data in a data store managed by OpenSSO Enterprise. In this deployment, J2EE policy agents are configured in centralized mode meaning that any configuration changes must be made using the OpenSSO Enterprise server. For more information, see Centralized Agent Configuration in Sun OpenSSO Enterprise 8.0 Technical Overview.

1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   User Name:

   amadmin

   Password:

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Agents tab.

5. Click the J2EE tab.

   j2eeagent-2 is displayed under the Agent table.

6. Click j2eeagent-2.

   The j2eeagent-2 properties page is displayed.

7. Click the Miscellaneous tab.

   The Miscellaneous properties page is displayed.

8. Provide the user name of the Application Server administrator in the Bypass Principal List and click Add.

   Enter weblogic to ensure that the administrator will be authenticated against WebLogic itself and not OpenSSO Enterprise.

9. Click Save.

10. Exit the console and close the browser.

8.1.3 Creating Groups Using the OpenSSO Enterprise Console

A group represents a collection of users with a common function, feature or interest. The groups created with this procedure will be replicated to OpenSSO Enterprise 2 and used in 8.1.4 Setting Up a Test for the J2EE Policy Agent 1 and 8.1.5 Setting Up a Test for the J2EE Policy Agent 2.

To Create Manager and Employee Groups with OpenSSO Enterprise

1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   Username

   amadmin

   Password

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Subjects tab.

5. Click the Group tab.

   The Group page is displayed.

6. Create a manager group using the following sub procedure.

   1. Click New on the Group page.

      The New Group properties page is displayed.

   2. Enter Manager-Group as the ID and click OK.

      The Group page is displayed.

   3. Click Manager-Group in the list.

   4. Click the User tab.

      The test users are displayed.

   5. Select Test User 1 from the list and click Add.

   6. Click Save.

   7. Click Back to Subjects.

7. Create an employee group using the following sub procedure.

   1. Click New on the Group page.

      The New Group properties page is displayed.

   2. Enter Employee-Group as the ID and click OK.

      The Group page is displayed.

   3. Click Employee-Group in the list.

   4. Click the User tab.

      The test users are displayed.

   5. Select Test User 2 from the list and click Add.

   6. Click Save.

   7. Click Back to Subjects.

8. Log out of the OpenSSO Enterprise console.

8.1.4 Setting Up a Test for the J2EE Policy Agent 1

The BEA Policy Agent comes with a sample application that was deployed in To Deploy the J2EE Policy Agent 1 Sample Application and To Deploy the J2EE Policy Agent 2 Sample Application. The application was created to help test policies and will be used for that purpose in this section. Use the following list as a checklist for this task.

• To Create a Test Policy in the OpenSSO Enterprise Root Realm

• To Configure OpenSSO Enterprise Properties for the J2EE Policy Agent 1 Sample Application

• To Verify that J2EE Policy Agent 1 is Configured Properly

---

Note –

For more information on the sample application, see readme.txt in the /export/J2EEPA1/j2ee_agents/weblogic_v10_agent/sampleapp directory.

---

To Create a Test Policy in the OpenSSO Enterprise Root Realm

1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   Username

   amadmin

   Password

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Policies tab.

   The Policies page is displayed.

5. Click New Policy.

6. Enter URL Policy for Application Server-1 in the Name field.

7. Under Rules, click New.

8. On the resulting page, select URL Policy Agent (with Resource Name) and click Next.

9. On the resulting page, provide the following information and click Finish.

   Name:

   agentsample

   Resource Name:

   http://pr-1.example.com:1081/agentsample/*

   ---

   Note –

   Make sure the hostname is typed in lowercase.

   ---

   GET

   Mark this check box and verify that Allow is selected.

   POST

   Mark this check box and verify that Allow is selected.

   The rule agentsample is now added to the list of Rules.

10. Under Subjects, click New.

11. On the resulting page, select Access Manager Identity Subject and click Next.

12. On the resulting page, provide the following information and click Search.

    Name:

    agentsampleGroup

    Filter:

    Select Group.

    Manager-Group and Employee-Group are displayed in the Available list.

13. Select Manager-Group and Employee-Group and click Add.

    Manager-Group and Employee-Group are displayed in the Selected list.

14. Click Finish.

15. Click OK.

    The new policy is displayed in the list of policies.

16. Click Back to Access Control.

17. Log out of the OpenSSO Enterprise console.

To Configure OpenSSO Enterprise Properties for the J2EE Policy Agent 1 Sample Application

1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   Username

   amadmin

   Password

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Agents tab.

5. Click the J2EE tab.

   j2eeagent-1 is displayed under the Agent table.

6. Click j2eeagent-1.

   The j2eeagent-1 properties page is displayed.

7. Click the Application tab.

   The Application properties page is displayed.

8. Provide the following information.

   Login Form URI:

   Enter the following and click Add.

   /agentsample/authentication/login.html

   Not Enforced URI Processing:

   Enter each of the following and click Add.

   /agentsample/public/*

   /agentsample/images/*

   /agentsample/styles/*

   /agentsample/index.html

   /agentsample

   Resource Access Denied URI:

   Enter each of the following and click Add.

   Map Key: agentsample

   Corresponding Map Value: /agentsample/authentication/accessdenied.html

9. Click Save.

   The j2eeagent-1 properties page is displayed.

10. Map the attributes from the OpenSSO Enterprise embedded data store to those used by the Application Server with the following sub procedure.

    1. From the j2eeagent-1 properties page, click Back to Main Page.

    2. Click the Subjects tab.

    3. Click the Group tab.

    4. Click Employee-Group in the list of Groups.

    5. Copy and save id=Employee-Group,ou=group,dc=opensso,dc=java,dc=net, the value of the Universal ID attribute.

    6. Click Back to Subjects.

       You are returned to the Group tab.

    7. Click Manager-Group in the list of Groups.

    8. Copy and save id=Manager-Group,ou=group,dc=opensso,dc=java,dc=net, the value of the Universal ID attribute.

    9. Click Back to Subjects.

    10. Click the Agents tab.

    11. Click the J2EE tab.

        j2eeagent-1 is displayed under the Agent table.

    12. Click j2eeagent-1.

        The j2eeagent-1 properties page is displayed.

    13. Click the Application tab.

        The Application properties page is displayed.

    14. Provide the identifiers previously saved as the manager and employee map keys and corresponding map values for Privileged Attribute Mapping and click Save.

        Map Key: [id=Manager-Group,ou=group,dc=opensso,dc=java,dc=net] Corresponding Map Value: am_manager_role

        Map Key: [id=Employee-Group,ou=group,dc=opensso,dc=java,dc=net] Corresponding Map Value: am_employee_role

11. Log out of the OpenSSO Enterprise console.

To Verify that J2EE Policy Agent 1 is Configured Properly

Use these steps to access the agent sample application and test policies against it.

1. Access http://pr-1.example.com:1081/agentsample/index.html, the sample application URL, from a web browser.

   The Sample Application welcome page is displayed.

2. Click the J2EE Declarative Security link.

3. On the resulting page, click Invoke the Protected Servlet.

   You are redirected to the OpenSSO Enterprise login page.

4. Log in to OpenSSO Enterprise as testuser1.

   Username

   testuser1

   Password

   password

   If you can successfully log in as testuser1 and the J2EE Policy Agent Sample Application page is displayed, the first part of the test has succeeded and authentication is working as expected.

5. Click the J2EE Declarative Security link again.

6. On the resulting page, click Invoke the Protected Servlet.

   If the Success Invocation message is displayed, the second part of the test has succeeded as the sample policy for the manager role has been enforced as expected.

7. Click the J2EE Declarative Security link to return.

8. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

   If the Failed Invocation message is displayed, the third part of the test has succeeded as the sample policy for the employee role has been enforced as expected.

9. Close the browser.

10. In a new browser session, access http://pr-1.example.com:1081/agentsample/index.html, the sample application URL, again.

    The Sample Application welcome page is displayed.

11. Click the J2EE Declarative Security link.

12. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

    You are redirected to the OpenSSO Enterprise login page.

13. Log in to OpenSSO Enterprise as testuser2.

    Username

    testuser2

    Password

    password

    ---

    Note –

    The Failed Invocation message is displayed. This is a known issue.

    ---

14. Click the J2EE Declarative Security link.

15. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

    The Successful Invocation message is displayed as the sample policy for the employee role has been enforced as expected.

16. Click the J2EE Declarative Security link to return.

17. On the resulting page, click Invoke the Protected Servlet.

    If the Access to Requested Resource Denied message is displayed, this part of the test has succeeded as the sample policy for the manager role has been enforced as expected.

18. Close the browser.

8.1.5 Setting Up a Test for the J2EE Policy Agent 2

The BEA Policy Agent comes with a sample application that was deployed in To Deploy the J2EE Policy Agent 1 Sample Application and To Deploy the J2EE Policy Agent 2 Sample Application. The application was created to help test policies and will be used for that purpose in this section. Use the following list as a checklist for this task.

• To Create a Test Policy in the OpenSSO Enterprise Root Realm

• To Configure OpenSSO Enterprise Properties for the J2EE Policy Agent 2 Sample Application

• To Verify that J2EE Policy Agent 2 is Configured Properly

---

Note –

For more information on the sample application, see readme.txt in the /export/J2EEPA2/j2ee_agents/weblogic_v10_agent/sampleapp directory.

---

To Create a Test Policy in the OpenSSO Enterprise Root Realm

1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   Username

   amadmin

   Password

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Policies tab.

   The Policies page is displayed.

5. Click New Policy.

6. Enter URL Policy for Application Server-2 in the Name field.

7. Under Rules, click New.

8. On the resulting page, select URL Policy Agent (with Resource Name) and click Next.

9. On the resulting page, provide the following information and click Finish.

   Name:

   agentsample

   Resource Name:

   http://pr-2.example.com:1081/agentsample/*

   ---

   Note –

   Make sure the hostname is typed in lowercase.

   ---

   GET

   Mark this check box and verify that Allow is selected.

   POST

   Mark this check box and verify that Allow is selected.

   The rule agentsample is now added to the list of Rules.

10. Under Subjects, click New.

11. On the resulting page, select Access Manager Identity Subject and click Next.

12. On the resulting page, provide the following information and click Search.

    Name:

    agentsampleGroup

    Filter:

    Select Group.

    Manager-Group and Employee-Group are displayed in the Available list.

13. Select Manager-Group and Employee-Group and click Add.

    Manager-Group and Employee-Group are displayed in the Selected list.

14. Click Finish.

15. Click OK.

    The new policy is displayed in the list of policies.

16. Click Back to Access Control.

17. Log out of the OpenSSO Enterprise console.

To Configure OpenSSO Enterprise Properties for the J2EE Policy Agent 2 Sample Application

1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   Username

   amadmin

   Password

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Agents tab.

5. Click the J2EE tab.

   j2eeagent-2 is displayed under the Agent table.

6. Click j2eeagent-2.

   The j2eeagent-2 properties page is displayed.

7. Click the Application tab.

   The Application properties page is displayed.

8. Provide the following information.

   Login Form URI:

   Enter the following and click Add.

   /agentsample/authentication/login.html

   Not Enforced URI Processing:

   Enter each of the following and click Add.

   /agentsample/public/*

   /agentsample/images/*

   /agentsample/styles/*

   /agentsample/index.html

   /agentsample

   Resource Access Denied URI:

   Enter each of the following and click Add.

   Map Key: agentsample

   Corresponding Map Value: /agentsample/authentication/accessdenied.html

9. Click Save.

   The j2eeagent-2 properties page is displayed.

10. Map the attributes from the OpenSSO Enterprise embedded data store to those used by the Application Server with the following sub procedure.

    1. From the j2eeagent-2 properties page, click Back to Main Page.

    2. Click the Subjects tab.

    3. Click the Group tab.

    4. Click Employee-Group in the list of Groups.

    5. Copy and save id=Employee-Group,ou=group,dc=opensso,dc=java,dc=net, the value of the Universal ID attribute.

    6. Click Back to Subjects.

       You are returned to the Group tab.

    7. Click Manager-Group in the list of Groups.

    8. Copy and save id=Manager-Group,ou=group,dc=opensso,dc=java,dc=net, the value of the Universal ID attribute.

    9. Click Back to Subjects.

    10. Click the Agents tab.

    11. Click the J2EE tab.

        j2eeagent-2 is displayed under the Agent table.

    12. Click j2eeagent-2.

        The j2eeagent-2 properties page is displayed.

    13. Click the Application tab.

        The Application properties page is displayed.

    14. Provide the identifiers previously saved as the manager and employee map keys and corresponding map values for Privileged Attribute Mapping and click Save.

        Map Key: [id=Manager-Group,ou=group,dc=opensso,dc=java,dc=net] Corresponding Map Value: am_manager_role

        Map Key: [id=Employee-Group,ou=group,dc=opensso,dc=java,dc=net] Corresponding Map Value: am_employee_role

11. Log out of the OpenSSO Enterprise console.

To Verify that J2EE Policy Agent 2 is Configured Properly

Use these steps to access the agent sample application and test policies against it.

1. Access http://pr-2.example.com:1081/agentsample/index.html, the sample application URL, from a web browser.

   The Sample Application welcome page is displayed.

2. Click the J2EE Declarative Security link.

3. On the resulting page, click Invoke the Protected Servlet.

   You are redirected to the OpenSSO Enterprise login page.

4. Log in to OpenSSO Enterprise as testuser1.

   Username

   testuser1

   Password

   password

   If you can successfully log in as testuser1 and the J2EE Policy Agent Sample Application page is displayed, the first part of the test has succeeded and authentication is working as expected.

5. Click the J2EE Declarative Security link again.

6. On the resulting page, click Invoke the Protected Servlet.

   If the Success Invocation message is displayed, the second part of the test has succeeded as the sample policy for the manager role has been enforced as expected.

7. Click the J2EE Declarative Security link to return.

8. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

   If the Failed Invocation message is displayed, the third part of the test has succeeded as the sample policy for the employee role has been enforced as expected.

9. Close the browser.

10. In a new browser session, access http://pr-2.example.com:1081/agentsample/index.html, the sample application URL, again.

    The Sample Application welcome page is displayed.

11. Click the J2EE Declarative Security link.

12. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

    You are redirected to the OpenSSO Enterprise login page.

13. Log in to OpenSSO Enterprise as testuser2.

    Username

    testuser2

    Password

    password

    ---

    Note –

    The Failed Invocation message is displayed. This is a known issue.

    ---

14. Click the J2EE Declarative Security link.

15. On the resulting page, click Invoke the Protected EJB via an Unprotected Servlet.

    The Successful Invocation message is displayed as the sample policy for the employee role has been enforced as expected.

16. Click the J2EE Declarative Security link to return.

17. On the resulting page, click Invoke the Protected Servlet.

    If the Access to Requested Resource Denied message is displayed, this part of the test has succeeded as the sample policy for the manager role has been enforced as expected.

18. Close the browser.

8.1.6 Configuring the J2EE Policy Agents to Access the Distributed Authentication User Interface

Configure the J2EE policy agent to point to the secure port of the Distributed Authentication User Interface Load Balancer 3. Use the following list as a checklist to complete this task.

1. To Configure the J2EE Policy Agent 1 to Access the Distributed Authentication User Interface

2. To Configure the J2EE Policy Agent 2 to Access the Distributed Authentication User Interface

To Configure the J2EE Policy Agent 1 to Access the Distributed Authentication User Interface

1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   Username

   amadmin

   Password

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Agents tab.

5. Click the J2EE tab.

   j2eeagent-1 is displayed under the Agent table.

6. Click j2eeagent-1.

   The j2eeagent-1 properties page is displayed.

7. Click the OpenSSO Services tab.

   The Services properties page is displayed.

8. Make the following changes to the OpenSSO Login URL property value and click Save.

   • Select https://lb-2.example.com:1081/opensso/UI/Login and click Remove.

   • Enter https://lb-3.example.com:1443/distAuth/UI/Login and click Add.

9. Log out of the OpenSSO Enterprise console.

10. Verify that the agent is configured properly using the following sub procedure.

    1. Access http://pr-1.example.com:1081/agentsample/index.html, the sample application URL, from a web browser.

       The Sample Application Welcome page is displayed.

    2. Click the J2EE Declarative Security link.

    3. On the resulting page, click Invoke the Protected Servlet.

       You are redirected to the Distributed Authentication User Interface at https://lb-3.example.com:1443/distAuth/UI/Login.

    4. (Optional) Double-click the gold lock in the lower left corner of the browser.

       In the Properties page, you see the certificate for lb-3.example.com.

    5. Log in to OpenSSO Enterprise as testuser1.

       Username

       testuser1

       Password

       password

       If you can successfully log in as testuser1 and the J2EE Policy Agent Sample Application page is displayed, user authentication worked through the Distributed Authentication User Interface and the agent is configured properly.

    6. Close the browser.

To Configure the J2EE Policy Agent 2 to Access the Distributed Authentication User Interface

1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   Username

   amadmin

   Password

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Agents tab.

5. Click the J2EE tab.

   j2eeagent-2 is displayed under the Agent table.

6. Click j2eeagent-2.

   The j2eeagent-2 properties page is displayed.

7. Click the OpenSSO Services tab.

   The Services properties page is displayed.

8. Make the following changes to the OpenSSO Login URL value and click Save.

   • Select https://lb-2.example.com:1081/opensso/UI/Login and click Remove.

   • Enter https://lb-3.example.com:1443/distAuth/UI/Login and click Add.

9. Log out of the OpenSSO Enterprise console.

10. Verify that the agent is configured properly using the following sub procedure.

    1. Access http://pr-2.example.com:1081/agentsample/index.html, the sample application URL, from a web browser.

       The Sample Application Welcome page is displayed.

    2. Click the J2EE Declarative Security link.

    3. On the resulting page, click Invoke the Protected Servlet.

       You are redirected to the Distributed Authentication User Interface at https://lb-3.example.com:1443/distAuth/UI/Login.

    4. (Optional) Double-click the gold lock in the lower left corner of the browser.

       In the Properties page, you see the certificate for lb-3.example.com.

    5. Log in to OpenSSO Enterprise as testuser1.

       Username

       testuser1

       Password

       password

       If you can successfully log in as testuser1 and the J2EE Policy Agent Sample Application page is displayed, user authentication worked through the Distributed Authentication User Interface and the agent is configured properly.

    6. Close the browser.

8.2 Configuring the Protected Resource Host Machines with a Web Policy Agent

We will install Sun Java System Web Server and a Web policy agent on the Protected Resource 1 host machine (pr-1) and on the Protected Resource 2 host machine (pr-2). The policy agents are then configured to access Load Balancer 2. Use the following list of procedures as a checklist for completing the task.

1. 8.2.1 Installing and Configuring the Web Container and Web Policy Agent on Protected Resource 1

2. 8.2.2 Installing Web Server and a Web Policy Agent on Protected Resource 2

3. 8.2.3 Configuring the Web Policy Agents to Access the Distributed Authentication User Interface

8.2.1 Installing and Configuring the Web Container and Web Policy Agent on Protected Resource 1

Download the Sun Java System Web Server bits to the pr-1 host machine and install it. Additionally, download, install and configure the appropriate web policy agent. Use the following list of procedures as a checklist for completing the task.

1. To Install and Configure Sun Java System Web Server as Web Container 1 on Protected Resource 1

2. To Import the Certificate Authority Root Certificate into Web Server 1

3. To Install and Configure Web Policy Agent 1 on Protected Resource 1

4. To Configure Policy for Web Policy Agent 1 on Protected Resource 1

5. To Verify that Web Policy Agent 1 is Working Properly

To Install and Configure Sun Java System Web Server as Web Container 1 on Protected Resource 1

Sun Java System Web Server is the web container used on the pr-1 host machine.

Before You Begin

Read the latest version of the Web Server 7.0 Release Notes to determine if you need to install patches on your host machine. In this case, the Release Notes indicate that based on the hardware and operating system being used, patch 119963–08, patch 120011–14, and patch 117461–08 are required.

1. As a root user, log into the pr-1 host machine.

2. Install the required patches if necessary.

   Patch results for your machines might be different.

   1. Run patchadd to see if the patch is installed.

      # patchadd -p | grep 117461–08

      A list of patch numbers is displayed. On our lab machine, the required patch 117461–08 is present so there is no need to install it.

      # patchadd -p | grep 119963–08

      No results are returned which indicates that the patch is not yet installed on the system.

      # patchadd -p | grep 120011-14

      No results are returned which indicates that the patch is not yet installed on the system.

   2. Make a directory for downloading the patch you need and change into it.

      # mkdir /export/patches # cd /export/patches

   3. Download the patches.

      You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch.

      ---

      Note –

      Signed patches are downloaded as JAR files. Unsigned patches are downloaded as ZIP files.

      ---

   4. Unzip the patch file.

      # unzip 119963–08.zip # unzip 120011–14.zip

   5. Run patchadd to install the patches.

      # patchadd /export/patches/119963–08 # patchadd /export/patches/120011–14

   6. After installation is complete, run patchadd to verify that the patch was added successfully.

      # patchadd -p | grep 119963–08

      In this example, a series of patch numbers are displayed, and the patch 119963–08 is present.

      # patchadd -p | grep 120011-14

      In this example, a series of patch numbers are displayed, and the patch 120011–14 is present.

3. Create a directory into which you can download the Web Server bits and change into it.

   # mkdir /export/WS7 # cd /export/WS7

4. Download the Sun Java System Web Server 7.0 Update 3 software from http://www.sun.com/download/products.xml?id=45ad781d.

   Follow the instructions on the Sun Microsystems Product Downloads web site for downloading the software.

5. Unpack the Web Server package.

   # gunzip sjsws-7_0u3-solaris-sparc.tar.gz # tar xvf sjsws-7_0u3-solaris-sparc.tar

6. Run setup.

   # cd /export/WS7 # ./setup --console

7. When prompted, provide the following information.

   Welcome to the Sun Java System Web Server 7.0u3 installation wizard. ... You will be asked to specify preferences that determine how Sun Java System Web Server 7.0U3 is installed and configured. The installation program pauses as questions are presented so you can read the information and make your choice. When you are ready to continue, press Enter. (Return on some keyboards.)	Press Enter. Continue to press Enter when prompted.
   Have you read the Software License Agreement and do you accept all terms [no] {"," goes back, "!" exits}?	Enter yes.
   Sun Java System Web Server 7.0 Installation Directory [/sun/webserver7] {"," goes back, "!" exits} :	Enter /opt/SUNWwbsvr
   Specified directory /opt/SUNWwbsvr does not exist. Create Directory? [Yes/No] [yes] {"," goes back, "!" exits}	Enter yes.
   Select Type of Installation 1. Express 2. Custom 3. Exit What would you like to do? [1] {"," goes back, "!" exits}	Enter 2.
   Component Selection 1. Server Core 2. Server Core 64-biy Binaries 3. Administration Command Line Interface 4. Sample Applications 5. Language Pack Enter the comma-separated list [1,2,3,4,5] {"," goes back, "!" exits}	Enter 1,3,5.
   Java Configuration Sun Java System Web Server 7.0 requires Java Se Development Kit (JDK). Provide the path to a JDK 1.5.0_15 or greater. 1. Install Java SE Development Kit (JDK) 1.5.0_15 2. Reuse existing Java SE Development Kit (JDK) 1.5.0_15 3. Exit What would you like to do? [1] {"," goes back, "!" exits}	Enter 1.
   Administrative Options 1. Create an Administration Server and a Web Server Instance 2. Create an Administration Node Enter your option. [1] {"," goes back, "!" exits}	Enter 1.
   Create SMF services for server instances [yes/no] [no] {"," goes back, "!" exits}	Accept the default value.
   Host Name [pr-1.example.com] {"," goes back, "!" exits}	Accept the default value.
   SSL Port [8989] {"," goes back, "!" exits}	Accept the default value.
   Create a non-SSL Port? [yes/no] [no] {"," goes back, "!" exits}	Enter no.
   Runtime User ID [root] {"," goes back, "!" exits}	Accept the default value (for the administration server).
   Administrator User Name [admin] {"," goes back, "!" exits}	Accept the default value.
   Administrator Password:	Enter web4dmin.
   Retype Password:	Enter web4dmin.
   Server Name [pr-1.example.com] {"," goes back, "!" exits}	Accept the default value.
   Http Port [8080] {"," goes back, "!" exits}	Enter 1080.
   Runtime User ID [webserverd] {"," goes back, "!" exits}	Enter root (for the instance).
   Document Root Directory [/opt/SUNWwbsvr/ https-pr-1.example.com/docs] {"," goes back, "!" exits}	Accept the default value.
   Start Administration Server [yes/no] [yes] {"," goes back, "!" exits}	Enter no.
   Ready To Install 1. Install Now 2. Start Over 3. Exit Installation What would you like to do [1] {"," goes back, "!" exits}?	Enter1.

   When installation is complete, the following message is displayed:

   Installation Successful.

8. Start the Web Server administration server.

   # cd /opt/SUNWwbsvr/admin-server/bin # ./startserv

9. Run netstat to verify that the port is open and listening.

   # netstat -an | grep 8989 *.8989 *.* 0 0 49152 0 LISTEN

10. (Optional) Login to the Web Server administration console at https://pr-1.example.com:8989 as the administrator.

    Username

    admin

    Password

    web4dmin

    You should see the Web Server administration console.

11. (Optional) Log out of the Web Server console and close the browser.

12. Start the Protected Resource 1 Web Server instance.

    # cd /opt/SUNWwbsvr/https-pr-1.example.com/bin # ./startserv Sun Java System Web Server 7.0U3 B06/16/2008 12:00 info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from [Sun Microsystems Inc.] info: HTTP3072: http-listener-1: http://pr-1.example.com:1080 ready to accept requests info: CORE3274: successful server startup

13. Run netstat to verify that the port is open and listening.

    # netstat -an | grep 1080 *.1080 *.* 0 0 49152 0 LISTEN

14. (Optional) Access the Protected Resource 1 instance at http://pr-1.example.com:1080 using a web browser.

    You should see the default Web Server index page.

15. Log out of the pr–1 host machine.

To Import the Certificate Authority Root Certificate into Web Server 1

The Certificate Authority (CA) root certificate enables the web policy agent to trust the certificate from the OpenSSO Enterprise Load Balancer 2, and to trust the certificate chain that is formed from the CA to the server certificate.

Before You Begin

• Copy the same CA root certificate used in To Install a CA Root Certificate to the OpenSSO Enterprise Load Balancer to the pr-1 host machine. In this example, the file is /export/software/ca.cer.

• Backup cacerts before modifying it.

1. As a root user, log into the pr-1 host machine.

2. Import the CA root certificate into cacerts, the certificate store.

   # /opt/SUNWwbsvr/jdk/jre/bin/keytool -import -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass changeit Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun,L=Santa Clara, ST=California C=US Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun,L=Santa Clara, ST=California C=US Serial number: f59cd13935f5f498 Valid from: Thu Sep 20 11:14:51 PDT 2008 18 07:66:19 PDT 2006 until: Thu Jun 17 11:41:51 PDT 2010 Certificate fingerprints: MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9 SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA Trust this certificate: [no] yes Certificate was added to keystore.

3. Verify that the CA root certificate was imported.

   # /opt/SUNWwbsvr/jdk/jre/bin/keytool -list -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass changeit | grep -i open openSSLTestCA, Sep 20, 2008, trustedCertEntry,

4. Log out of the pr-1 host machine.

To Install and Configure Web Policy Agent 1 on Protected Resource 1

Before You Begin

The JAVA_HOME environment variable should be set to /opt/SUNWwbsvr/jdk/jre.

1. As a root user, log into the pr–1 host machine.

2. Create a directory into which you can download the Web Server agent bits and change into it.

   # mkdir /export/WebPA1 # cd /export/WebPA1

3. Create a text file that contains the Agent Profile password.

   The Web Policy Agent installer requires this for installation.

   # cat > agent.pwd webagent1 Hit Control D to terminate the command ^D

4. Create a text file that contains the Agent Administrator password.

   This text file should contain the OpenSSO Enterprise administrator (by default, amadmin) password. The Web policy agent installer requires this to create the agent profile on the server.

   # cat > agentadm.pwd ossoadmin Hit Control D to terminate the command ^D

5. Download the web policy agent for Web Server from http://www.sun.com/download/.

   # ls -al total 7512 drwxr-xr-x 2 root root 512 Jul 24 14:48 . drwxr-xr-x 11 root root 512 Jul 24 14:41 .. -rw-r--r-- 1 root root 10 Jul 24 14:42 agent.pwd -rw-r--r-- 1 root root 9 Jul 24 14:42 agentadm.pwd -rw-r--r-- 1 root root 3826794 Jul 24 14:48 sjsws_v70_SunOS_sparc_agent_3.zip

6. Unzip the downloaded file.

   # unzip sjsws_v70_SunOS_sparc_agent_3.zip

7. Run the agent installer.

   # cd /export/WebPA1/web_agents/sjsws_agent/bin # ./agentadmin --custom-install

8. When prompted, do the following.

   Please read the following License Agreement carefully:	Press Enter and continue to press Enter until you have reached the end of the License Agreement.
   Do you completely agree with all the terms and conditions of this License Agreement (yes/no): [no]:	Type yes and press Enter.
   Enter the Sun Java System Web Server Config Directory Path [/var/opt/SUNWwbsvr7/ https-pr-1.example.com/config]:	Type /opt/SUNWwbsvr/https-pr-1.example.com/config and press Enter.
   Enter the OpenSSO Enterprise URL including the deployment URI (http://opensso.sample.com:58080/opensso)	Type https://lb-2.example.com:1081/opensso and press Enter.
   Enter the Agent URL: (http://agent1.sample.com:1234)	Type http://pr-1.example.com:1080 and press Enter.
   Enter the Encryption Key[WSpf7aqc3AFIGvf2mCqvNBOsf44cDrf3].	Accept the default value.
   Enter the Agent profile name [UrlAccessAgent]:	Type webagent-1 and press Enter.
   Enter the path to a file that contains the password to be used for identifying the Agent.	Type /export/WebPA1/agent.pwd and press Enter. Note – A warning message is displayed regarding the existence of the agent profile.
   This Agent Profile does not exist in OpenSSO Enterprise, will it be created by the installer? (Agent Administror's name and password are required) [true)	Press Enter to accept the default and have the installer create the Agent Profile.
   Enter the Agent Administrator's name:	Type amadmin and press Enter.
   Enter the path to the password file that contains the password of the Agent Administrator.	Type /export/WebPA1/agentadm.pwd and press Enter.
   ----------------------------------------- SUMMARY OF YOUR RESPONSES ----------------------------------------------- Sun Java System Web Server Config Directory : /opt/SUNWwbsvr/https-pr-1.example.com/config OpenSSO Server URL : https://lb-2.example.com:1081/opensso Agent URL : http://pr-1.example.com:1080 Encryption Key : WSpf7aqc3AFIGvf2mCqvNBOsf44cDrf3 Agent Profile name : webagent-1 Agent Profile Password file name : /export/WebPA1/agent.pwd Agent Profile will be created right now by agent installer : true Agent Administrator : amadmin Agent Administrator's password file name : /export/WebPA1/agentadm.pwd Verify your settings above and decide from the choices below. 1. Continue with Installation 2. Back to the last interaction 3. Start Over 4. Exit Please make your selection [1]:	Type 1 and press Enter.

9. Restart the Web Server 1 instance.

   # cd /opt/SUNWwbsvr/https-pr-1.example.com/bin # ./stopserv; ./startserv server has been shutdown Sun Java System Web Server 7.0U3 B06/16/2008 12:00 info: CORE3016: daemon is running as super-user info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from [Sun Microsystems Inc.] info: HTTP3072: http-listener-1: http://pr-1.example.com:1080 ready to accept requests info: CORE3274: successful server startup

10. Use the following sub-procedure to verify that the Web Policy Agent 1 was successfully created.

    1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

    2. Log in to the OpenSSO Enterprise console as the administrator.

       User Name:

       amadmin

       Password:

       ossoadmin

    3. Under the Access Control tab, click / (Top Level Realm).

    4. Click the Agents tab.

       By default, the Web tab is displayed. You should see webagent-1 under the Agent table.

    5. Click webagent-1.

       The webagent-1 properties page is displayed.

    6. Log out of the console and close the browser.

11. Remove the password files.

    # cd /export/WebPA1 # rm agent.pwd # rm agentadm.pwd

12. Log out of the pr-2 host machine.

To Configure Policy for Web Policy Agent 1 on Protected Resource 1

Use the OpenSSO Enterprise console to configure policy for Web Policy Agent 1 that will be used to verify that the agent is working properly.

---

Note –

You will add additional policies later when we add a load balancer in front of the Protected Resource 1 host machine.

---

1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   Username

   amadmin

   Password

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Policies tab.

5. Click New Policy.

6. Enter URL Policy for Protected Resource 1 in the Name field.

7. Under Rules, click New.

   The Rules properties page is displayed.

8. Select URL Policy Agent (with resource name) and click Next.

9. Provide the following information on the resulting page and click Finish.

   Name:

   URL Rule for Protected Resource 1

   Resource Name:

   http://pr-1.example.com:1080/*

   GET

   Mark this check box and verify that Allow is selected.

   POST

   Mark this check box and verify that Allow is selected.

   The rule URL Rule for Protected Resource 1 is added to the list of Rules.

10. Under Subjects, click New.

    The Subjects properties page is displayed.

11. Select Access Manager Identity Subject and click Next.

12. On the resulting page, provide the following information and click Search.

    Name:

    Test Subject

    Filter:

    Choose User and click Search to display a list of available users.

    Available:

    From the available users, select testuser1 and click Add.

13. Click Finish.

14. Click OK.

    The new policy is included in the list of Policies.

15. Click Back to Access Control.

16. Log out of the console.

To Verify that Web Policy Agent 1 is Working Properly

1. Access http://pr-1.example.com:1080/index.html from a web browser.

2. Log in to OpenSSO Enterprise as testuser1.

   Username

   testuser1

   Password

   password

   You should see the default index page for Web Server 1 as testuser1 was configured in the test policy to be allowed to access Protected Resource 1.

3. Log out and close the browser.

4. Once again, access http://pr-1.example.com:1080/index.html from a web browser.

   ---

   Tip –

   If you are not redirected to the OpenSSO Enterprise login page for authentication, clear your browser's cache and cookies and try again.

   ---

5. Log in to OpenSSO Enterprise as testuser2.

   Username

   testuser2

   Password

   password

   You should see the message, You're not authorized to view this page, (or Your client is not allowed to access the requested object) as testuser2 was not included in the test policy that allows access to Protected Resource 1.

8.2.2 Installing Web Server and a Web Policy Agent on Protected Resource 2

Download the Sun Java System Web Server bits to the pr-2 host machine and install it. Additionally, download, install and configure the appropriate web policy agent. Use the following list of procedures as a checklist for completing the task.

1. To Install Web Server as Web Container 2 on Protected Resource 2

2. To Import the Certificate Authority Root Certificate into Web Server 2

3. To Install and Configure Web Policy Agent 2 on Protected Resource 2

4. To Configure Policy for Web Policy Agent 2 on Protected Resource 2

5. To Verify that Web Policy Agent 2 is Working Properly

To Install Web Server as Web Container 2 on Protected Resource 2

Sun Java System Web Server is the web container used on the pr-2 host machine.

Before You Begin

Read the latest version of the Web Server 7.0 Release Notes to determine if you need to install patches on the host machine. In this case, the Release Notes indicate that based on the hardware and operating system being used, patch 119963–08, patch 120011–14, and patch 117461–08 are required.

1. As a root user, log into the pr-2 host machine.

2. Install the required patches if necessary.

   Patch results for your machines might be different.

   1. Run patchadd to see if the patch is installed.

      # patchadd -p | grep 117461–08

      A list of patch numbers is displayed. On our lab machine, the required patch 117461–08 is present so there is no need to install it.

      # patchadd -p | grep 119963–08

      No results are returned which indicates that the patch is not yet installed on the system.

      # patchadd -p | grep 120011-14

      No results are returned which indicates that the patch is not yet installed on the system.

   2. Make a directory for downloading the patch you need and change into it.

      # mkdir /export/patches # cd /export/patches

   3. Download the patches.

      You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch.

      ---

      Note –

      Signed patches are downloaded as JAR files. Unsigned patches are downloaded as ZIP files.

      ---

   4. Unzip the patch file.

      # unzip 119963–08.zip # unzip 120011–14.zip

   5. Run patchadd to install the patches.

      # patchadd /export/patches/119963–08 # patchadd /export/patches/120011–14

   6. After installation is complete, run patchadd to verify that the patch was added successfully.

      # patchadd -p | grep 119963–08

      In this example, a series of patch numbers are displayed, and the patch 119963–08 is present.

      # patchadd -p | grep 120011-14

      In this example, a series of patch numbers are displayed, and the patch 120011–14 is present.

3. Create a directory into which you can download the Web Server bits and change into it.

   # mkdir /export/WS7 # cd /export/WS7

4. Download the Sun Java System Web Server 7.0 Update 3 software from http://www.sun.com/download/products.xml?id=45ad781d.

   Follow the instructions on the Sun Microsystems Product Downloads web site for downloading the software.

5. Unpack the Web Server package.

   # gunzip sjsws-7_0u3-solaris-sparc.tar.gz # tar xvf sjsws-7_0u3-solaris-sparc.tar

6. Run setup.

   # cd /export/WS7 # ./setup --console

7. When prompted, provide the following information.

   Welcome to the Sun Java System Web Server 7.0u3 installation wizard. ... You will be asked to specify preferences that determine how Sun Java System Web Server 7.0U3 is installed and configured. The installation program pauses as questions are presented so you can read the information and make your choice. When you are ready to continue, press Enter. (Return on some keyboards.)	Press Enter. Continue to press Enter when prompted.
   Have you read the Software License Agreement and do you accept all terms [no] {"," goes back, "!" exits}?	Enter yes.
   Sun Java System Web Server 7.0 Installation Directory [/sun/webserver7] {"," goes back, "!" exits} :	Enter /opt/SUNWwbsvr
   Specified directory /opt/SUNWwbsvr does not exist. Create Directory? [Yes/No] [yes] {"," goes back, "!" exits}	Enter yes.
   Select Type of Installation 1. Express 2. Custom 3. Exit What would you like to do? [1] {"," goes back, "!" exits}	Enter 2.
   Component Selection 1. Server Core 2. Server Core 64-biy Binaries 3. Administration Command Line Interface 4. Sample Applications 5. Language Pack Enter the comma-separated list [1,2,3,4,5] {"," goes back, "!" exits}	Enter 1,3,5.
   Java Configuration Sun Java System Web Server 7.0 requires Java Se Development Kit (JDK). Provide the path to a JDK 1.5.0_15 or greater. 1. Install Java SE Development Kit (JDK) 1.5.0_15 2. Reuse existing Java SE Development Kit (JDK) 1.5.0_15 3. Exit What would you like to do? [1] {"," goes back, "!" exits}	Enter 1.
   Administrative Options 1. Create an Administration Server and a Web Server Instance 2. Create an Administration Node Enter your option. [1] {"," goes back, "!" exits}	Enter 1.
   Create SMF services for server instances [yes/no] [no] {"," goes back, "!" exits}	Accept the default value.
   Host Name [pr-2.example.com] {"," goes back, "!" exits}	Accept the default value.
   SSL Port [8989] {"," goes back, "!" exits}	Accept the default value.
   Create a non-SSL Port? [yes/no] [no] {"," goes back, "!" exits}	Enter no.
   Runtime User ID [root] {"," goes back, "!" exits}	Accept the default value (for the administration server).
   Administrator User Name [admin] {"," goes back, "!" exits}	Accept the default value.
   Administrator Password:	Enter web4dmin.
   Retype Password:	Enter web4dmin.
   Server Name [pr-2.example.com] {"," goes back, "!" exits}	Accept the default value.
   Http Port [8080] {"," goes back, "!" exits}	Enter 1080.
   Runtime User ID [webserverd] {"," goes back, "!" exits}	Enter root (for the instance).
   Document Root Directory [/opt/SUNWwbsvr/ https-pr-2.example.com/docs] {"," goes back, "!" exits}	Accept the default value.
   Start Administration Server [yes/no] [yes] {"," goes back, "!" exits}	Enter no.
   Ready To Install 1. Install Now 2. Start Over 3. Exit Installation What would you like to do [1] {"," goes back, "!" exits}?	Enter1.

   When installation is complete, the following message is displayed:

   Installation Successful.

8. Start the Web Server administration server.

   # cd /opt/SUNWwbsvr/admin-server/bin # ./startserv

9. Run netstat to verify that the port is open and listening.

   # netstat -an | grep 8989 *.8989 *.* 0 0 49152 0 LISTEN

10. (Optional) Login to the Web Server administration console at https://pr-2.example.com:8989 as the administrator.

    Username

    admin

    Password

    web4dmin

    You should see the Web Server administration console.

11. (Optional) Log out of the Web Server console and close the browser.

12. Start the Protected Resource 2 Web Server instance.

    # cd /opt/SUNWwbsvr/https-pr-2.example.com/bin # ./startserv Sun Java System Web Server 7.0U3 B06/16/2008 12:00 info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from [Sun Microsystems Inc.] info: HTTP3072: http-listener-1: http://pr-2.example.com:1080 ready to accept requests info: CORE3274: successful server startup

13. Run netstat to verify that the port is open and listening.

    # netstat -an | grep 1080 *.1080 *.* 0 0 49152 0 LISTEN

14. (Optional) Access the Protected Resource 2 instance at http://pr-2.example.com:1080 using a web browser.

    You should see the default Web Server index page.

15. Log out of the pr–2 host machine.

To Import the Certificate Authority Root Certificate into Web Server 2

The web policy agent on Protected Resource 2 connects to OpenSSO Enterprise through Load Balancer 2. The load balancer is SSL-enabled, so the agent must be able to trust the load balancer SSL certificate to establish the SSL connection. For this reason, import the root certificate of the Certificate Authority (CA) that issued the Load Balancer 2 SSL server certificate into the policy agent certificate store.

Before You Begin

• Copy the same CA root certificate used in To Install a CA Root Certificate to the OpenSSO Enterprise Load Balancer to the pr-2 host machine. In this example, the file is /export/software/ca.cer.

• Backup cacerts before modifying it.

1. As a root user, log into the pr-2 host machine.

2. Import ca.cer, the CA root certificate, into cacerts, the certificate store.

   # /opt/SUNWwbsvr/jdk/jre/bin/keytool -import -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass changeit Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun,L=Santa Clara, ST=California C=US Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun,L=Santa Clara, ST=California C=US Serial number: f59cd13935f5f498 Valid from: Thu Sep 20 11:14:51 PDT 2008 18 07:66:19 PDT 2006 until: Thu Jun 17 11:41:51 PDT 2010 Certificate fingerprints: MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9 SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA Trust this certificate: [no] yes Certificate was added to keystore.

3. Verify that ca.cer was imported.

   # /opt/SUNWwbsvr/jdk/jre/bin/keytool -list -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass changeit | grep -i open openSSLTestCA, Sep 20, 2008, trustedCertEntry,

4. Log out of the pr-2 host machine.

To Install and Configure Web Policy Agent 2 on Protected Resource 2

Before You Begin

The JAVA_HOME environment variable should be set to /opt/SUNWwbsvr/jdk/jre.

1. As a root user, log into the pr–2 host machine.

2. Create a directory into which you can download the Web Server agent bits and change into it.

   # mkdir /export/WebPA2 # cd /export/WebPA2

3. Create a text file that contains the Agent Profile password.

   The Web Policy Agent installer requires this for installation.

   # cat > agent.pwd webagent2 Hit Control D to terminate the command ^D

4. Create a text file that contains the Agent Administrator password.

   This text file should contain the OpenSSO Enterprise administrator (by default, amadmin) password. The Web Policy Agent installer requires this to create the agent profile on the server.

   # cat > agentadm.pwd ossoadmin Hit Control D to terminate the command ^D

5. Download the web policy agent for Web Server from http://www.sun.com/download/.

   # ls -al total 7512 drwxr-xr-x 2 root root 512 Jul 24 14:48 . drwxr-xr-x 11 root root 512 Jul 24 14:41 .. -rw-r--r-- 1 root root 10 Jul 24 14:42 agent.pwd -rw-r--r-- 1 root root 9 Jul 24 14:42 agentadm.pwd -rw-r--r-- 1 root root 3826794 Jul 24 14:48 sjsws_v70_SunOS_sparc_agent_3.zip

6. Unzip the downloaded file.

   # unzip sjsws_v70_SunOS_sparc_agent_3.zip

7. Run the agent installer.

   # cd /export/WebPA2/web_agents/sjsws_agent/bin # ./agentadmin --custom-install

8. When prompted, do the following.

   Please read the following License Agreement carefully:	Press Enter and continue to press Enter until you have reached the end of the License Agreement.
   Do you completely agree with all the terms and conditions of this License Agreement (yes/no): [no]:	Type yes and press Enter.
   Enter the Sun Java System Web Server Config Directory Path [/var/opt/SUNWwbsvr7/ https-pr-2.example.com/config]:	Type /opt/SUNWwbsvr/https-pr-2.example.com/config and press Enter.
   Enter the OpenSSO Enterprise URL including the deployment URI (http://opensso.sample.com:58080/opensso)	Type https://lb-2.example.com:1081/opensso and press Enter.
   Enter the Agent URL: (http://agent2.sample.com:1234)	Type http://pr-2.example.com:1080 and press Enter.
   Enter the Encryption Key [WSpf7aqc3AFIGvf2mCqvNBOsf44cDrf3].	Accept the default value.
   Enter the Agent profile name [UrlAccessAgent]:	Type webagent-2 and press Enter.
   Enter the path to a file that contains the password to be used for identifying the Agent.	Type /export/WebPA2/agent.pwd and press Enter. Note – A warning message is displayed regarding the existence of the agent profile.
   This Agent Profile does not exist in OpenSSO Enterprise, will it be created by the installer? (Agent Administror's name and password are required) [true)	Press Enter to accept the default and have the installer create the Agent Profile.
   Enter the Agent Administrator's name:	Type amadmin and press Enter.
   Enter the path to the password file that contains the password of the Agent Administrator.	Type /export/WebPA2/agentadm.pwd and press Enter.
   ----------------------------------------- SUMMARY OF YOUR RESPONSES ----------------------------------------------- Sun Java System Web Server Config Directory : /opt/SUNWwbsvr/https-pr-2.example.com/config OpenSSO Server URL : https://lb-2.example.com:1081/opensso Agent URL : http://pr-2.example.com:1080 Encryption Key : WSpf7aqc3AFIGvf2mCqvNBOsf44cDrf3 Agent Profile name : webagent-2 Agent Profile Password file name : /export/WebPA2/agent.pwd Agent Profile will be created right now by agent installer : true Agent Administrator : amadmin Agent Administrator's password file name : /export/WebPA2/agentadm.pwd Verify your settings above and decide from the choices below. 1. Continue with Installation 2. Back to the last interaction 3. Start Over 4. Exit Please make your selection [1]:	Type 1 and press Enter.

9. Restart the Web Server 2 instance.

   # cd /opt/SUNWwbsvr/https-pr-2.example.com/bin # ./stopserv; ./startserv server has been shutdown Sun Java System Web Server 7.0U3 B06/16/2008 12:00 info: CORE3016: daemon is running as super-user info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from [Sun Microsystems Inc.] info: HTTP3072: http-listener-1: http://pr-2.example.com:1080 ready to accept requests info: CORE3274: successful server startup

10. Use the following sub-procedure to verify that the Web Policy Agent 2 was successfully created.

    1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

    2. Log in to the OpenSSO Enterprise console as the administrator.

       User Name:

       amadmin

       Password:

       ossoadmin

    3. Under the Access Control tab, click / (Top Level Realm).

    4. Click the Agents tab.

       By default, the Web tab is displayed. You should see webagent-2 under the Agent table.

    5. Click webagent-2.

       The webagent-2 properties page is displayed.

    6. Log out of the console and close the browser.

11. Remove the password files.

    # cd /export/WebPA2 # rm agent.pwd # rm agentadm.pwd

12. Log out of the pr-2 host machine.

To Configure Policy for Web Policy Agent 2 on Protected Resource 2

Use the OpenSSO Enterprise console to configure policy for Web Policy Agent 2 that will be used to verify that the agent is working properly.

---

Note –

You will add additional policies later when we add a load balancer in front of the Protected Resource 2 host machine.

---

1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   Username

   amadmin

   Password

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Policies tab.

5. Click New Policy.

6. Enter URL Policy for Protected Resource 2 in the Name field.

7. Under Rules, click New.

   The Rules properties page is displayed.

8. Select URL Policy Agent (with resource name) and click Next.

9. Provide the following information on the resulting page and click Finish.

   Name:

   URL Rule for Protected Resource 2

   Resource Name:

   http://pr-2.example.com:1080/*

   GET

   Mark this check box and verify that Allow is selected.

   POST

   Mark this check box and verify that Allow is selected.

   The rule URL Rule for Protected Resource 2 is added to the list of Rules.

10. Under Subjects, click New.

    The Subjects properties page is displayed.

11. Select Access Manager Identity Subject and click Next.

12. On the resulting page, provide the following information and click Search.

    Name:

    Test Subject

    Filter:

    Choose User and click Search to display a list of available users.

    Available:

    From the available users, select testuser1 and click Add.

13. Click Finish.

14. Click OK.

    The new policy is included in the list of Policies.

15. Click Back to Access Control.

16. Log out of the console.

To Verify that Web Policy Agent 2 is Working Properly

1. Access http://pr-2.example.com:1080/index.html from a web browser.

2. Log in to OpenSSO Enterprise as testuser1.

   Username

   testuser1

   Password

   password

   You should see the default index page for Web Server 2 as testuser1 was configured in the test policy to be allowed to access Protected Resource 2.

3. Log out and close the browser.

4. Once again, access http://pr-2.example.com:1080/index.html from a web browser.

   ---

   Tip –

   If you are not redirected to the OpenSSO Enterprise login page for authentication, clear your browser's cache and cookies and try again.

   ---

5. Log in to OpenSSO Enterprise as testuser2.

   Username

   testuser2

   Password

   password

   You should see the message, You're not authorized to view this page, (or Your client is not allowed to access the requested object) as testuser2 was not included in the test policy that allows access to Protected Resource 2.

8.2.3 Configuring the Web Policy Agents to Access the Distributed Authentication User Interface

Configure the web policy agents to point to the secure port of the Distributed Authentication User Interface Load Balancer 3. Use the following list of procedures as a checklist to complete the task.

1. To Configure the Web Policy Agent 1 to Access the Distributed Authentication User Interface

2. To Configure the Web Policy Agent 2 to Access the Distributed Authentication User Interface

To Configure the Web Policy Agent 1 to Access the Distributed Authentication User Interface

1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   Username

   amadmin

   Password

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Agents tab.

5. Click the Web tab.

   webagent-1 is displayed under the Agent table.

6. Click webagent-1.

   The webagent-1 properties page is displayed.

7. Click the OpenSSO Services tab.

   The Services properties page is displayed.

8. Make the following changes to the OpenSSO Login URL value and click Save.

   • Select https://lb-2.example.com:1081/opensso/UI/Login and click Remove.

   • Enter https://lb-3.example.com:1443/distAuth/UI/Login and click Add.

9. Log out of the OpenSSO Enterprise console.

10. Verify that the agent is configured properly using the following sub procedure.

    1. Access http://pr-1.example.com:1080/index.html from a web browser.

       You are redirected to the Distributed Authentication User Interface at https://lb-3.example.com:1443/distAuth/UI/Login.

    2. (Optional) Double-click the gold lock in the lower left corner of the browser.

       In the Properties page, you see the certificate for lb-3.example.com.

    3. Log in to OpenSSO Enterprise as testuser1.

       Username

       testuser1

       Password

       password

       The default index page for Web Server 1 is displayed as testuser1 is defined in the test policy as having permission to access Protected Resource 1.

    4. Close the browser.

To Configure the Web Policy Agent 2 to Access the Distributed Authentication User Interface

1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   Username

   amadmin

   Password

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Agents tab.

5. Click the Web tab.

   webagent-2 is displayed under the Agent table.

6. Click webagent-2.

   The webagent-2 properties page is displayed.

7. Click the OpenSSO Services tab.

   The Services properties page is displayed.

8. Make the following changes to the OpenSSO Login URL value and click Save.

   • Select [0]=https://lb-2.example.com:1081/opensso/UI/Login and click Remove.

   • Enter [0]=https://lb-3.example.com:1443/distAuth/UI/Login and click Add.

9. Log out of the OpenSSO Enterprise console.

10. Verify that the agent is configured properly using the following sub procedure.

    1. Access http://pr-2.example.com:1080/index.html from a web browser.

       You are redirected to the Distributed Authentication User Interface at https://lb-3.example.com:1443/distAuth/UI/Login.

    2. (Optional) Double-click the gold lock in the lower left corner of the browser.

       In the Properties page, you see the certificate for lb-3.example.com.

    3. Log in to OpenSSO Enterprise as testuser1.

       Username

       testuser1

       Password

       password

       The default index page for Web Server 2 is displayed as testuser1 is defined in the test policy as having permission to access Protected Resource 2.

    4. Close the browser.