The Java ES installer supports the installation of these subcomponents of Access Manager:
Identity Management and Policy Services Core
Access Manager Administration Console
Common Domain Services for Federation Management
Access Manager SDK
Access Manager SDK is automatically installed as part of Identity Management and Policy Services Core, but the SDK can also be installed separately on a remote host. For information about separate installation of Access Manager SDK, refer to Access Manager SDK Configuration Information.
The installer needs different information depending on which subcomponents you are installing, as the following table indicates. The table also refers you to the tables where the relevant information is described.
Table 1–2 Information Needed to Install Subcomponents of Access Manager
| Components | Information Needed | Relevant Material |
|---|---|---|
| Identity Management and Policy Services Core | Web container information | |
| | Directory Server information | |
| | Provisioned directory information | Existing Provisioned Directory Found and No Existing Provisioned Directory Found |
| Common Domain Services for Federation Management | Services information | Installing Access Manager Federation Management (Core Already Installed) |
| Access Manager Administration Console | Administration information | |
| | Services information | |
The installer needs the following information if you are installing Access Manager Administration Console.
Table 1–3 Administration Information for Access Manager
| Label and State File Parameter | Description |
|---|---|
| Administrator User ID | Access Manager top-level administrator. This user has unlimited access to all entries managed by Access Manager. The default name, amadmin, cannot be changed. This ensures that the Access Manager administrator role and its privileges are created and mapped properly in Directory Server, allowing you to log onto Access Manager immediately after installation. |
| Administrator Password | Password of the amadmin user. The value must have at least eight characters. The default value is the Administrator Password (CMN_ADMIN_PASSWORD) you provided under Common Server Settings. Refer to Common Server Settings. |
| LDAP User ID | Bind DN user for LDAP, Membership, and Policy services. This user has read and search access to all Directory Server entries. The default user name, amldapuser, cannot be changed. |
| LDAP Password | Password of the amldapuser user. This password must be different from the password of the amadmin user. It can be any valid Directory Service password. |
| Password Encryption Key | A string that Access Manager uses to encrypt user passwords. Note: For security purposes, it is recommended that the password encryption key be 12 characters or longer. The interactive installer generates a default password encryption key. You can accept the default value or specify any key produced by a J2EE random number generator. During Access Manager installation, its property file is updated and the property am.encryption.pwd is set to this value. The property file is AMConfig.properties. Its location is: Solaris OS: /etc/opt/SUNWam/config; Linux: /etc/opt/sun/identity/config. All Access Manager subcomponents must use the same encryption key that the Identity Management and Policy Services Core uses. If you are distributing Access Manager subcomponents across hosts and installing Administration Console or Common Domain Services for Federation Management, copy the value for am.encryption.pwd as generated by the installation of the core, and paste the value into this field. In a state file, the default is LOCK. Any character combination is permitted. |
| Install type AM_REALM | Indicates the level of interoperability with other components. Choice of Realm mode (version 7.x style) or Legacy mode (version 6.x style). You must use Legacy mode if you are installing Access Manager with Portal Server, Messaging Server, Calendar Server, Delegated Administrator, or Instant Messaging. Accepted values for AM_REALM are Enabled (for Realm 7.x mode) and Disabled (for Legacy 6.x mode). |
The Identity Management and Policy Services Core subcomponent of Access Manager runs in Web Server or Application Server.
This component also runs in a third-party web container; however, you must then install AM using the Configure Later option. In this case, configuration is done after installation.
The information that the installer needs is different for each web container:
For Web Server, see Web Container Information: Access Manager with Web Server
For Application Server, see Web Container Information: Access Manager with Application Server
This section describes the information that the installer needs when Web Server is the web container for the Identity Management and Policy Services Core subcomponent of Access Manager.
Table 1–4 Web Container Information for Access Manager with Web Server
| Label and State File Parameter | Description |
|---|---|
| Host Name | The fully qualified domain name for the host. For example, if this host is siroe.example.com, this value is siroe.example.com. The default value is the fully qualified domain name for the current host. |
| Web Server Port | Port on which Web Server listens for HTTP connections. The default value is 80. If you are installing Web Server in this installer session, the default value is the Web Server HTTP Port (WS_ADMIN_PORT) value. Refer to Web Server: Default Web Server Instance Information. |
| Web Server Instance Directory | Path to the directory where an instance of Web Server is installed. The path must have the following syntax: WebServer-base/https-webserver-instancename. If you are installing Web Server in this session, the default value for WebServer-base is the Web Server installation directory: Solaris OS: /opt/SUNWwbsvr; Linux: /opt/sun/webserver |
| Document Root Directory IS_WS_DOC_DIR | Directory where Web Server stores content documents. If you are installing Web Server in this installer session, the default value is the Web Server value Document Root Directory (WS_INSTANCE_CONTENT_ROOT). Refer to Web Server: Default Web Server Instance Information. If you are not installing Web Server, the default location is WebServer-base/docs. The default value for WebServer-base is the Web Server installation directory: Solaris OS: /opt/SUNWwbsvr; Linux: /opt/sun/webserver |
| Secure Server Instance Port IS_SERVER_PROTOCOL | Specify whether the port for the Web Server instance is a secure port. A secure port uses the HTTPS protocol. A non-secure port uses HTTP. In a state file, specify https for a secure port or http for a non-secure port. The default value is http. |
This section describes the information that the installer needs when Application Server is the web container for the Identity Management and Policy Services Core subcomponent of Access Manager.
Table 1–5 Web Container Information for Access Manager with Application Server
| Label and State File Parameter | Description |
|---|---|
| Installation Directory | Path to the directory where Application Server is installed. If you are installing Application Server, this value defaults to the value you specified for the Application Server installation directory. The default value is: Solaris OS: /opt/SUNWappserver/appserver; Linux: /opt/sun/appserver |
| Access Manager Runtime Instance | Name of the Application Server instance that will run Access Manager. The default value is server. |
| Instance Directory | Path to the directory where Application Server stores files for the instance. Default value: Solaris OS: /var/opt/SUNWappserver/domains; Linux: /var/opt/sun/appserver/domains |
| Access Manager Instance Port | Port on which Application Server listens for connections to the instance. The default value is 8080. |
| Document Root | Directory where Application Server stores content documents. The default document root is the instance directory specified by IS_IAS81INSTANCEDIR, with domainname/docroot appended at the end. For example: IS_IAS81INSTANCEDIR/domainname/docroot |
| Administrator User ID | User ID of the Application Server administrator. The default value is the Administrator User ID you provided under Common Server Settings. Refer to Common Server Settings. |
| Administrator Password | Password of the Application Server administrator. The default value is the Administrator User password you provided under Common Server Settings. Refer to Common Server Settings. |
| Administrator Port | Port on which the Administration Server for Application Server listens for connections. The default value is 4849. |
| Secure Server Instance Port IS_SERVER_PROTOCOL | Specify whether the value for Instance Port (IS_IAS81INSTANCE_PORT) refers to a secure port. A secure port uses the HTTPS protocol. A non-secure port uses HTTP. In a state file, specify https for a secure port or http for a non-secure port. The default value is http. |
| Secure Administration Server Port ASADMIN_PROTOCOL | Specify whether the value for Administrator Port (IS_IAS81_ADMINPORT) is a secure port. A secure port uses the HTTPS protocol. A non-secure port uses HTTP. In a state file, specify https for a secure port or http for a non-secure port. The default value is https. |
The installer needs different information about Access Manager services for different Access Manager subcomponents.
Installing Access Manager Console (Core Not Already Installed)
Installing Access Manager Federation Management (Core Already Installed)
This section describes the services information that the installer needs when you are installing the Identity Management and Policy Services Core and the Access Manager Administration Console subcomponents.
In this scenario, you can deploy a new console or use a previously deployed console. If you deploy a new console, some information in Installing Access Manager Core and Console is not needed, as the Description column indicates.
Table 1–6 Access Manager Services Information for Installing Core and Console
| Label and State File Parameter | Description |
|---|---|
| Host Name | Fully qualified domain name of the host on which you are installing. The default value is the fully qualified domain name of the local host. |
| Services Deployment URI | Uniform Resource Identifier (URI) prefix for accessing the HTML pages, classes, and JAR files associated with the Identity Management and Policy Services Core subcomponent. The default value is amserver. Do not enter a leading slash. |
| Common Domain Deployment URI | URI prefix for accessing the common domain services on the web container. The default value is amcommon. Do not enter a leading slash. |
| Cookie Domain | The names of the trusted DNS domains that Access Manager returns to a browser when Access Manager grants a session ID to a user. You can scope this value to a single top-level domain, such as example.com. The session ID will provide authentication for all subdomains of example.com. Alternatively, you can scope the value to a comma-separated list of subdomains, such as .corp.example.com,.sales.example.com. The session ID will provide authentication for all subdomains in the list. A leading dot (.) is required for each domain in the list. The default value is the current domain, prefixed by a dot (.). |
| Administration Console: Deploy new console and Use existing console USE_DSAME_SERVICES_WEB_CONTAINER | Choose Deploy new console to deploy the console into the web container of the host on which Access Manager is being installed. Choose Use existing console to use an existing console that is deployed on another host. In both cases, you specify the Console Deployment URI and Password Deployment URI. If you choose to use an existing console, you must also specify the Console Host Name and Console Port. In a state file, specify true to deploy a new console or false to use an existing console. |
| Console Deployment URI | URI prefix for accessing the HTML pages, classes and JAR files associated with the Access Manager Administration Console subcomponent. Depends on the Access Manager mode: Legacy mode (6.x): /amconsole or /amserver; Realm mode (7.x): /amserver. The default value is amconsole. Do not enter a leading slash. |
| Password Deployment URI | URI that determines the mapping that the web container running Access Manager will use between a string you specify and a corresponding deployed application. The default value is ampassword. Do not enter a leading slash. |
| Console Host Name | Fully qualified domain name for the server hosting the existing console. This value is not needed if you are deploying a new console. In graphical installation mode, you can edit the field only if you are using an existing console. The default value contains the value that you provided for Host (IS_SERVER_HOST), a dot, and then the value that you provided for DNS Name in the Common Server Settings. Refer to Common Server Settings. As an example, if the host is siroe and the domain is example.com, the default value is siroe.example.com. |
| Console Port | Port on which the existing console listens for connections. Permitted values are any valid and unused port number, in the range 0 (zero) through 65535. This value is not needed if you are deploying a new console. In graphical installation mode, you can edit the field only if you are using an existing console. The default value is the value you provided for one of the following web container ports: |
This section describes the services information the installer needs when the following are both true:
You are installing only the Access Manager Administration Console subcomponent.
The Identity Management and Policy Services Core subcomponent is already installed on the same host.
You can only install AM Console by itself in Realm mode (7.x). This cannot be done in Legacy mode (6.x).
| Label and State File Parameter | Description |
|---|---|
| Console Deployment URI | URI prefix for accessing the HTML pages, classes and JAR files associated with the Access Manager Administration Console subcomponent. Depends on the Access Manager mode: Legacy mode (6.x): /amconsole or /amserver; Realm mode (7.x): /amserver |
| Password Services Deployment URI | URI that determines the mapping that the web container running Access Manager will use between a string you specify and a corresponding deployed application. The default value is ampassword. Do not enter a leading slash. |
This section describes the services information the installer needs when the following are both true:
You are installing only the Access Manager Administration Console subcomponent.
The Identity Management and Policy Services Core subcomponent is not installed on the same host.
| Label and State File Parameter | Description |
|---|---|
| Web Container for Access Manager Administration Console | |
| Console Host Name | Fully qualified domain name for the host on which you are installing. |
| Console Deployment URI | URI prefix for accessing the HTML pages, classes and JAR files associated with the Access Manager Administration Console subcomponent. Depends on the Access Manager mode: Legacy mode (6.x): /amconsole or /amserver; Realm mode (7.x): /amserver |
| Password Services Deployment URI | Deployment URI for the password service. The default value is ampassword. Do not enter a leading slash. |
| Web Container for Access Manager Services | |
| Services Host Name | Fully qualified domain name of the host where the Identity Management and Policy Services Core subcomponent is installed. The default value is the fully qualified domain name of this host. Use the default value as an example of format only, and edit the value to supply the correct remote host name. In a state file, supply the fully qualified domain name of a remote host. |
| Port | Port on which the Identity Management and Policy Services Core subcomponent listens for connections. This port is the HTTP or HTTPS port used by the web container. |
| Services Deployment URI | URI prefix for accessing the HTML pages, classes, and JAR files associated with the Identity Management and Policy Services Core subcomponent. The default value is amserver. Do not enter a leading slash. |
| Cookie Domain | The names of the trusted DNS domains that Access Manager returns to a browser when Access Manager grants a session ID to a user. You can scope this value to a single top-level domain, such as example.com. The session ID will provide authentication for all subdomains of example.com. Alternatively, you can scope the value to a comma-separated list of subdomains, such as .corp.example.com,.sales.example.com. The session ID will provide authentication for all subdomains in the list. A leading dot (.) is required for each domain. The default value is the current domain, prefixed by a dot (.). |
This section describes the services information the installer needs when you are installing only the Common Domain Services for Federation Management subcomponent.
Table 1–9 Access Manager Services Information for Installing Federation Management (Core Already Installed)
| Label and State File Parameter | Description |
|---|---|
| Common Domain Deployment URI | URI prefix for accessing the common domain services on the web container. The default value is amcommon. Do not enter a leading slash. |
The installer needs the following information if you are installing Identity Management and Policy Services Core.
Table 1–10 Directory Server Information for Access Manager
| Label and State File Parameter | Description |
|---|---|
| Directory Server Host | A host name or value that resolves to the host on which Directory Server resides. The default value is the fully qualified domain name of the local host. For example, if the local host is siroe.example.com, the default value is siroe.example.com. |
| Directory Server Port | Port on which Directory Server listens for client connections. The default value is 389. |
| Access Manager Directory Root Suffix | Distinguished name (DN) to set as the Access Manager root suffix. The default value is based on the fully qualified domain name for this host, minus the host name. For example, if this host is siroe.subdomain.example.com, the value is dc=subdomain,dc=example,dc=com. |
| Directory Manager DN IS_DIRMGRDN | DN of the user who has unrestricted access to Directory Server. The default value is cn=Directory Manager. |
| Directory Manager Password | Password for the directory manager. |
The information needed to configure a provisioned directory depends on whether the installer detects an existing provisioned directory on your host.
When the installer is generating a state file, IS_EXISTING_DIT_SCHEMA=y is written to the state file if the installer finds an existing provisioned directory. The installer writes IS_EXISTING_DIT_SCHEMA=n to the state file if the installer does not find an existing provisioned directory.
If the installer finds an existing provisioned directory, you provide the following information.
Table 1–11 Existing Provisioned Directory Information for Access Manager
| Label and State File Parameter | Description |
|---|---|
| User Naming Attribute IS_USER_NAMING_ATTR | Naming attribute used for users in the provisioned directory. The default value is uid. |
If the installer does not find an existing provisioned directory, you can choose whether to use an existing provisioned directory. If you answer Yes to the first question in this table, you must answer the remaining questions in the table.
Table 1–12 No Existing Provisioned Directory Information for Access Manager
| Label and State File Parameter | Description |
|---|---|
| Is Directory Server provisioned with user data? | Specifies whether you want to use an existing provisioned directory. The default value is No. In a state file, permitted values are y or n. The default value is n. |
| Organization Marker Object Class | Object class defined for the organization in the existing provisioned directory. This value is used only if the value for the first item in this table is Yes. The default value is SunISManagedOrganization. |
| Organization Naming Attribute | Naming attribute used to define organizations in the existing provisioned directory. This value is used only if the value for the first item in this table is Yes. The default value is o. |
| User Marker Object Class | Object class defined for users in the existing provisioned directory. This value is used only if the value for the first item in this table is Yes. The default value is inetorgperson. |
| User Naming Attribute | Naming attribute used for users in the existing provisioned directory. This value is used only if the value for the first item in this table is Yes. The default value is uid. |
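
A pre-flight check for the state-file constraints stated in the tables above (password length and distinctness, encryption key length, permitted enumerated values, deployment URIs without a leading slash, dot-prefixed cookie domains), as an added example that is not part of the original guide or of the installer. The parameter names for the passwords, encryption key, cookie domain and deployment URIs are assumptions, because this page does not print them, and the sample state file is constructed.

```python
# Keys marked "assumed" are not printed on this page; substitute the
# parameter names that appear in your own state file.
ADMIN_PW = "IS_ADMINPASSWD"      # assumed: amadmin password
LDAP_PW = "IS_LDAPUSERPASSWD"    # assumed: amldapuser password
ENC_KEY = "AM_ENC_PWD"           # assumed: password encryption key
COOKIE = "COOKIE_DOMAIN_LIST"    # assumed: cookie domain list
URI_KEYS = ("SERVER_DEPLOY_URI", "CONSOLE_DEPLOY_URI",
            "PASSWORD_SERVICE_DEPLOY_URI", "CDS_DEPLOY_URI")  # assumed
# Parameters and permitted values as given in the tables on this page.
ENUMS = {
    "AM_REALM": {"Enabled", "Disabled"},
    "IS_SERVER_PROTOCOL": {"http", "https"},
    "ASADMIN_PROTOCOL": {"http", "https"},
    "USE_DSAME_SERVICES_WEB_CONTAINER": {"true", "false"},
    "IS_EXISTING_DIT_SCHEMA": {"y", "n"},
}

def parse_state(text):
    """Parse KEY = VALUE lines; skip blanks, comments and lines without '='."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def lint(cfg):
    """Return (severity, key, message) findings for a parsed state file."""
    out = []
    for key, allowed in ENUMS.items():
        if key in cfg and cfg[key] not in allowed:
            out.append(("error", key, "must be one of " + "/".join(sorted(allowed))))
    for key in ("IS_SERVER_PROTOCOL", "ASADMIN_PROTOCOL"):
        if cfg.get(key) == "http":
            out.append(("warn", key, "non-secure port: HTTP, not HTTPS"))
    if ADMIN_PW in cfg and len(cfg[ADMIN_PW]) < 8:
        out.append(("error", ADMIN_PW, "needs at least eight characters"))
    if ADMIN_PW in cfg and cfg.get(LDAP_PW) == cfg[ADMIN_PW]:
        out.append(("error", LDAP_PW, "must differ from the amadmin password"))
    # LOCK is the state-file default named on this page; it is not length-checked.
    if cfg.get(ENC_KEY, "LOCK") != "LOCK" and len(cfg[ENC_KEY]) < 12:
        out.append(("warn", ENC_KEY, "shorter than the recommended 12 characters"))
    for key in URI_KEYS:
        if cfg.get(key, "").startswith("/"):
            out.append(("error", key, "deployment URI must not start with a slash"))
    for dom in (d.strip() for d in cfg.get(COOKIE, "").split(",")):
        if dom and not dom.startswith("."):
            out.append(("error", COOKIE, f"domain {dom!r} lacks the leading dot"))
    return out

# Constructed sample state file; values are illustrative, not real credentials.
SAMPLE = """\
AM_REALM = Enabled
IS_SERVER_PROTOCOL = http
ASADMIN_PROTOCOL = https
IS_ADMINPASSWD = short7!
IS_LDAPUSERPASSWD = short7!
AM_ENC_PWD = tooShort
SERVER_DEPLOY_URI = /amserver
COOKIE_DOMAIN_LIST = .corp.example.com,sales.example.com
IS_EXISTING_DIT_SCHEMA = maybe
"""

if __name__ == "__main__":
    for severity, key, message in lint(parse_state(SAMPLE)):
        print(f"{severity:5} {key}: {message}")
```

Because a state file holds these passwords and the encryption key in clear text, keep it readable only by the installing account and remove it once the installation is complete.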