In this section, you configure the policy agent to point to the SSL port for the Access Manager load balancer.
Use the following as your checklist for configuring Access Manager to communicate over SSL:
Import the root CA certificate into the Application Server keystore.
Configure the Policy Agents to access the Distributed Authentication UI server.
In this procedure, you import a Certificate Authority (CA) certificate. The certificate enables the Authentication UI server to trust the certificate from the Access Manager load balancer (Load Balancer 3), and to establish trust with the certificate chain that is formed from the CA to the certificate.
Go to the directory where the keystore (the cacerts file) is located:
# cd /usr/local/bea/jdk150_04/jre/lib/security/
Make a backup of the cacerts file.
Copy the CA certificate that you obtained from your Certificate Authority into a temporary directory. Example:
/export/software/ca.cer
Import the certificate:
# /usr/local/bea/jdk150_04/bin/keytool -import -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer -keystore /usr/local/bea/jdk150_04/jre/lib/security/cacerts -storepass changeit
Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
Serial number: 97dba0aa26db6386
Valid from: Tue Apr 18 07:55:19 PDT 2006 until: Tue Jan 13 06:55:19 PST 2009
Certificate fingerprints:
MD5: 9F:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06
SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:28:64:36:80:E4:70
Trust this certificate? [no]: yes
Certificate was added to keystore
Verify that the certificate was imported successfully:
# /usr/local/bea/jdk150_04/bin/keytool -list -keystore /usr/local/bea/jdk150_04/jre/lib/security/cacerts -storepass changeit | grep openssl
openssltestca, Oct 2, 2006, trustedCertEntry,
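The script below is an added example and not part of this guide. It wraps the import just shown with the two checks a practitioner wants around the "Trust this certificate?" prompt: the SHA1 fingerprint keytool prints for the CA file is compared against a value obtained out of band before anything is imported, a dated backup of the keystore is taken, and the alias is confirmed to be listed as a trustedCertEntry afterwards. The keytool and keystore paths and the changeit password are the guide's; the helper names and the fingerprint the caller supplies are assumptions.

```shell
#!/bin/sh
# Added example, not from the deployment guide: import a CA certificate into the
# JDK cacerts keystore only after its fingerprint matches a value obtained out
# of band, keep a dated backup of the keystore, and verify the alias afterwards.
# Paths and the default store password are the guide's; the helper names and
# the expected fingerprint supplied by the caller are assumptions.
KEYTOOL=${KEYTOOL:-/usr/local/bea/jdk150_04/bin/keytool}
KEYSTORE=${KEYSTORE:-/usr/local/bea/jdk150_04/jre/lib/security/cacerts}
STOREPASS=${STOREPASS:-changeit}   # JDK default; change it on a production host

# Read "keytool -printcert" output on stdin and print the SHA1 fingerprint with
# the line wrap and whitespace removed (keytool wraps long fingerprints, as the
# import output in the guide shows).
sha1_fingerprint() {
  tr -d ' \t\n' | sed -n 's/.*SHA1:\([0-9A-F:]*\).*/\1/p'
}

# Return 0 when the SHA1 fingerprint on stdin equals $1 (case and spaces ignored).
fingerprint_matches() {
  expected=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  actual=$(sha1_fingerprint)
  [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Return 0 when "keytool -list" output on stdin shows $1 as a trustedCertEntry.
# keytool lowercases aliases when listing, hence the case-insensitive match.
alias_is_trusted() {
  grep -i "^$1," | grep -q trustedCertEntry
}

# The full procedure against the real keystore: $1 alias, $2 certificate file,
# $3 expected SHA1 fingerprint. Refuses to import on a fingerprint mismatch.
import_ca_cert() {
  if ! "$KEYTOOL" -printcert -file "$2" | fingerprint_matches "$3"; then
    echo "fingerprint of $2 does not match the expected value; not importing" >&2
    return 1
  fi
  cp -p "$KEYSTORE" "$KEYSTORE.$(date +%Y%m%d%H%M%S).bak" || return 1
  "$KEYTOOL" -import -trustcacerts -noprompt -alias "$1" -file "$2" \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" || return 1
  "$KEYTOOL" -list -keystore "$KEYSTORE" -storepass "$STOREPASS" | alias_is_trusted "$1"
}

# Usage on the Application Server host (not run here), with the guide's values:
# import_ca_cert OpenSSLTestCA /export/software/ca.cer \
#   31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:28:64:36:80:E4:70
```

The fingerprint comparison is the point of the example: answering yes at the keytool prompt makes the agent trust every certificate the CA ever issues, so the value should come from the CA operator through a channel other than the file itself.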
As a root user, log into host ProtectedResource-1.
# cd /opt/j2ee_agents/am_wl9_agent/agent_001/config
Make a backup of the AMAgent.properties file.
In the AMAgent.properties, set the following properties:
com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-3.example.com:9443/amserver/UI/Login?realm=users
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
com.iplanet.am.naming.url= https://LoadBalancer-3.example.com:9443/amserver/namingservice
com.iplanet.am.server.protocol=https
com.iplanet.am.server.port=9443
Save the file.
Stop Application Server 1.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
# ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
Stop the administration server.
# ./stopWebLogic.sh
Start the administration server.
# nohup ./startWebLogic.sh &
# tail -f nohup.out
Start Application Server 1.
# nohup ./startManagedWebLogic.sh ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &
Use these steps to access the agent sample application, and then test policies against that sample application.
Go to the Sample Application URL:
http://protectedresource-1.example.com:1081/agentsample/index.html
The Sample Application welcome page is displayed.
Click J2EE Declarative Security > “Invoke the Protected Servlet”
The Policy Agent redirects to the Access Manager login page.
Log in to the Access Manager console using the following information:
User Name: testuser1
Password: password
If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.
Click the “J2EE Declarative Security” link.
On the J2EE Declarative Security page, click the “Invoke the Protected Servlet” link.
If the Success Invocation message is displayed, then this part of the test succeeded, and the sample policy for the manager role has been enforced as expected.
Click the “J2EE Declarative Security” link to go back.
Click the “Invoke the Protected EJB via an Unprotected Servlet” link.
If the Failed Invocation message is displayed, then this part of the test succeeded, and the sample policy for the employee role has been enforced as expected.
Close the browser.
In a new browser session, go to the Sample Application URL:
http://protectedresource-1.example.com:1081/agentsample/index.html
The Policy Agent redirects to the Access Manager login page.
Log in to the Access Manager console using the following information:
User Name: testuser2
Password: password
The Failed Invocation message is displayed.
Click the “J2EE Declarative Security” link.
On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.
The Successful Invocation message is displayed. The sample policy for the employee role has been enforced as expected.
Click the “J2EE Declarative Security” link to go back.
Click the “Invoke the Protected Servlet” link.
If the Access to Requested Resource Denied message is displayed, then this part of the test is successful. The sample policy for the manager role has been enforced as expected.
Log in as a root user to Protected Resource 1.
# cd /opt/j2ee_agents/am_wl9_agent/agent_001/config
Make a backup of the file AMAgent.properties.
In the AMAgent.properties file, set the following properties:
com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users
Save the file.
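Both AMAgent.properties edits in this section (the Load Balancer 3 URLs earlier and the Load Balancer 4 login URL just above) are easy to get subtly wrong: one URL left on http, or a port that disagrees with com.iplanet.am.server.port, sends the agent's traffic in the clear or to a closed port. The script below is an added example, not part of this guide, that checks a properties file for exactly those inconsistencies before the server is restarted. The property names are the ones the guide edits; the helper names are assumptions.

```shell
#!/bin/sh
# Added example, not from the deployment guide: sanity-check an
# AMAgent.properties file after editing it for SSL. Every Access Manager URL
# the agent uses must be https, any explicit port in it must agree with
# com.iplanet.am.server.port, and com.iplanet.am.server.protocol must be https.
# Property names are the ones the guide edits; the helper names are assumptions.

# Print the value of property $2 in file $1, whitespace removed (empty if absent).
prop_value() {
  grep "^$2 *=" "$1" | sed 's/^[^=]*= *//' | tr -d '[:space:]'
}

# Print one line per problem found in the properties file $1; prints nothing
# when the SSL configuration is consistent.
agent_config_problems() {
  f=$1
  port=$(prop_value "$f" com.iplanet.am.server.port)
  proto=$(prop_value "$f" com.iplanet.am.server.protocol)
  [ "$proto" = https ] || echo "com.iplanet.am.server.protocol is '$proto', expected https"
  # login.url, cdcservlet.url, trusted.id.provider and naming.url entries
  grep -E '^(com\.sun\.identity\.agents\.config\.[a-z.]+(url|provider)\[[0-9]+\]|com\.iplanet\.am\.naming\.url) *=' "$f" |
  while IFS= read -r line; do
    name=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
    url=$(printf '%s' "${line#*=}" | tr -d '[:space:]')
    case $url in
      https://*) ;;
      *) echo "$name is not https: $url" ;;
    esac
    # Only URLs that carry an explicit port are compared against server.port.
    urlport=$(printf '%s' "$url" | sed -n 's#^[a-z]*://[^/:]*:\([0-9]*\).*#\1#p')
    [ -z "$urlport" ] || [ "$urlport" = "$port" ] ||
      echo "$name uses port $urlport but com.iplanet.am.server.port is '$port'"
  done
}

# Return 0 when no problems were reported, 1 (with the problems on stderr) otherwise.
check_agent_ssl_config() {
  problems=$(agent_config_problems "$1")
  [ -z "$problems" ] || { printf '%s\n' "$problems" >&2; return 1; }
}

# Usage on the ProtectedResource-1 host (not run here):
# check_agent_ssl_config /opt/j2ee_agents/am_wl9_agent/agent_001/config/AMAgent.properties
```

Run it between "Save the file" and the restart; a non-zero exit is cheaper to act on than a startup error in nohup.out or a login redirect to the wrong port.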
Restart the Application Server.
Stop Application Server 1.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
# ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
Stop the administration server.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
# ./stopWebLogic.sh
Start the administration server.
# nohup ./startWebLogic.sh &
# tail -f nohup.out
Watch for startup errors.
Start Application Server 1.
# nohup ./startManagedWebLogic.sh ApplicationServer-1 http://ProtectedResource-1.example.com:7001 &
# tail -f nohup.out
Verify that the agents are configured properly.
Go to the sample application URL:
http://ProtectedResource-1.example.com:1081/agentsample/index.html
In the left navigation bar, click “Invoke the Protected Servlet.”
You are redirected to the Distributed Authentication UI server URL https://loadbalancer-4.example.com:9443/distAuth/UI/login. The Access Manager login page is displayed.
Double-click the gold lock in the lower left corner of the browser.
In the Properties page, you see the certificate for LoadBalancer-4.example.com.
Log in to the Access Manager console using the following information:
User Name: testuser1
Password: password
You are redirected to the protected servlet of the Sample Application, and a success message is displayed. This indicates that authentication through the Distributed Authentication UI server was successful.
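The browser walk-through above verifies two things by eye: that the agent redirects to an https login URL on Load Balancer 4, and (via the gold lock) that the certificate presented there is the expected one. The script below is an added example, not part of this guide, that makes the same two checks repeatable from a shell, so they can be rerun after every agent or load balancer change. Host names, ports and the distAuth path follow the guide; the helper names, the protected URL and the CA file location passed in are assumptions, and the protected servlet's exact path is not given in the guide, so it is left as a placeholder.

```shell
#!/bin/sh
# Added example, not from the deployment guide: repeat the browser test from the
# command line. An unauthenticated request to a protected resource must be
# redirected to the https login URL on the expected load balancer, and the
# certificate presented there must chain to the CA imported earlier.
# Host names, ports and paths follow the guide; the helper names, the protected
# URL and the CA file location are assumptions.

# Print the value of the Location header from HTTP response headers on stdin.
location_header() {
  tr -d '\r' | sed -n 's/^[Ll]ocation: *//p' | head -n 1
}

# Return 0 when the redirect target on stdin is https, on host:port $1, with a
# path starting with $2. Host names are case-insensitive, so both sides are
# lowercased; the guide itself shows the login path as both Login and login.
redirect_is_ssl_login() {
  expected=$(printf 'https://%s%s' "$1" "$2" | tr 'A-Z' 'a-z')
  loc=$(location_header | tr 'A-Z' 'a-z')
  case $loc in
    "$expected"*) return 0 ;;
  esac
  echo "unexpected redirect target: '$loc' (wanted $expected...)" >&2
  return 1
}

# Live checks (not run here): $1 protected resource URL, $2 login host:port,
# $3 login path, $4 CA certificate in PEM form (if ca.cer is DER, convert it
# first with: openssl x509 -inform DER -in ca.cer -out ca.pem).
# curl -D - writes the response headers to stdout and does not follow redirects
# by default; openssl s_client prints "Verify return code: 0 (ok)" only when the
# presented chain validates against the CA file.
check_live() {
  curl -sS -o /dev/null -D - "$1" | redirect_is_ssl_login "$2" "$3" || return 1
  openssl s_client -connect "$2" -CAfile "$4" </dev/null 2>/dev/null |
    grep -q 'Verify return code: 0 (ok)'
}

# Usage from any host that can reach both servers (not run here);
# PROTECTED-SERVLET-PATH is a placeholder for the sample application's protected servlet:
# check_live http://ProtectedResource-1.example.com:1081/agentsample/PROTECTED-SERVLET-PATH \
#   LoadBalancer-4.example.com:9443 /distAuth/UI/Login /export/software/ca.pem
```

A redirect to an http URL, or to Load Balancer 3 instead of 4, fails the first check; a certificate issued by some other CA, or one the load balancer presents without its chain, fails the second.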