Configuring Access Manager with a Secure Sun Java System Application Server

Setting up Access Manager to run on an SSL-enabled Application server is a two-step process. First, secure the Application Server instance to the installed Access Manager, then configure Access Manager itself.

Setting Up Application Server 6.2 With SSL

This section describes the steps to set up Application Server 6.2 in SSL mode.

To Secure the Application Server Instance

1. Log into the Sun Java System Application Server console as an administrator by entering the following address in your browser:

   http://fullservername:port

   The default port is 4848.

2. Enter the username and password you entered during installation.

3. Select the Application Server instance on which you installed (or will install) Access Manager. The right frame displays that the configuration has changed.

4. Click Apply Changes.

5. Click Restart. The Application Server should automatically restart.

6. In the left frame, click Security.

7. Click the Manage Database tab.

8. Click Create Database, if it is not selected.

9. Enter the new database password and confirm, then click the OK button. Make sure that you write down the database password for later use.

10. Once the Certificate Database has been created, click the Certificate Management tab.

11. Click the Request link, if it is not selected.

12. Enter the following Request data for the certificate

    1. Select it if this is a new certificate or a certificate renewal. Many certificates expire after a specific period of time and some certificate authorities (CA) will automatically send you renewal notification.

    2. Specify the way in which you want to submit the request for the certificate.

       If the CA expects to receive the request in an E-mail message, check CA E-mail and enter the E-mail address of the CA. For a list of CAs, click List of Available Certificate Authorities.

       If you are requesting the certificate from an internal CA that is using the Certificate Server, click CA URL and enter the URL for the Certificate Server. This URL should point to the certificate server’s program that handles certificate requests.

    3. Enter the password for your key-pair file (this is the password you specified in step 9).

    4. Enter the following identification information:

       Common Name. The full name of the server including the port number.

       Requestor Name. The name of the requestor.

       Telephone Number. The telephone number of the requestor

       Common Name . The fully qualified name of the Sun Java System Application Server on which the digital certificate will be installed.

       E-mail Address. The E-mail address of the administrator.

       Organization Name. The name of your organization. The certificate authority may require any host names entered in this attribute belong to a domain registered to this organization.

       Organizational Unit Name. The name of your division, department, or other operational unit of your organization.

       Locality Name (city). The name of your city or town.

       State Name. The name of the state or province in which your organization operates if your organization is in the United States or Canada, respectively. Do not abbreviate.

       Country Code. The two-letter ISO code for your country. For example, the code for the United States is US.

13. Click the OK button. A message will be displayed, for example:

    --BEGIN NEW CERTIFICATE REQUEST--- afajsdllwqeroisdaoi234rlkqwelkasjlasnvdknbslajowijalsdkjfalsdfla alsfjawoeirjoi2ejowdnlkswnvnwofijwoeijfwiepwerfoiqeroijeprwpfrwl --END NEW CERTIFICATE REQUEST--

14. Copy all of this text to a file and click OK. Make sure that you get the Root CA certificate.

15. Select a CA and follow the instructions on that authority’s web site to get a digital certificate. You can get the certificate from CMS, Verisign or Entrust.net

16. After you receive your digital certificate from the certificate authority, you can copy the text into your clipboard, or save the text into a file.

17. Go to the Application Server console and click on the Install link.

18. Select Certificate For This Server.

19. Enter the Certificate Database password in the Key Pair File Password field.

20. Paste the certificate into the provided text field, Message text (with headers), or enter the filename in the Message that is in this file text box. Select the appropriate radio button.

21. Click OK button. The browser displays the certificate, and provides a button to add the certificate.

22. Click Add Server Certificate.

23. Install the Root CA Certificate in the same manner described above. However, select Certificate for Trusted Certificate Authority.

24. Once you have completed installing both certificates, expand the HTTP Server node in the left frame

25. Select HTTP Listeners under HTTP Server.

26. Select http-listener-1. The browser displays the socket information.

27. Change the value of the port used by http-listener-1 from the value entered while installing application server, to a more appropriate value such as 443.

28. Select SSL/TLS Enabled.

29. Select Certificate Nickname.

30. Specify the Return server. This should match the common name specified in Step 12.

31. Click Save.

32. Select the Application Server instance on which you will install the Access Manager software. The right frame shows that the configuration has changed.

33. Click Apply Changes.

34. Click Restart. The application server should automatically restart.

Configuring Application Server 8.1 With SSL

The basic steps to configure Application Server 8.1 with SSL are as follows. See the Application Server 8.1 documentation for detailed instructions.

1. Create a secure port on the Application server through the Application Server Administration console. For more information, see “Configuring Security” in the Sun Java System Application Server Enterprise Edition 8.1 Administration Guide at the following location:

   http://docs.sun.com/app/docs/coll/1310.1

2. Verify that the certificate authority (CA) that trusts the server's certificate is present in the web container's trust database. Then, obtain and install a server certificate for the web container. For more information, see “Working with Certificates and SSL” in the Sun Java System Application Server Enterprise Edition 8.1 Administration Guide at the following location:

   http://docs.sun.com/app/docs/coll/1310.1

3. Restart the web container.

Configuring Access Manager in SSL Mode

This section describes the steps to configure Access Manager in SSL mode. Before you set up SSL for Access Manager, make sure that you configured the web container for your deployment.

To Configure Access Manager in SSL Mode

1. In the Access Manager console, go to the Service Configuration module and select the Platform service. In the Server List attribute, add the same URL with the HTTPS protocol and an SSL-enabled port number. Click Save.

   ---

   Note –

   If a single instance of Access Manager is listening on two ports (one in HTTP and one in HTTPS) and you try to access Access Manager with a stalled cookie, Access Manager will become unresponsive. This is not a supported configuration.

   ---

2. Open the AMConfig.properties file from the following default location:

   /etc/opt/SUNWam/config.

3. Replace all of the protocol occurrences of http:// to https:// and change the port number to an SSL-enabled port number.

4. Save the AMConfig.properties file.

5. Restart the Application Server.