Use the following as your checklist for installing Web Server 2 and Web Policy Agent 2:
Import the root CA certificate into the Web Server 2 key store.
Configure the Web Policy Agent to use the new agent profile.
As root, log in to host ProtectedResource-2.
Start the Java Enterprise System installer with the -nodisplay option.
# cd /mnt/Solaris_sparc
# ./installer -nodisplay
When prompted, provide the following information:
(Optional) During installation, you can monitor the log to watch for installation errors. Example:
# cd /var/sadm/install/logs
# tail -f Java_Enterprise_System_install.Bxxxxxx
Upon successful installation, enter ! to exit.
Verify that the Web Server is installed properly.
Start the Web Server administration server to verify it starts with no errors.
# cd /opt/SUNWwbsvr/https-admserv
# ./stop; ./start
Run the netstat command to verify that the Web Server ports are open and listening.
# netstat -an | grep 8888
*.8888 *.* 0 0 49152 0 LISTEN
Go to the Web Server URL.
http://ProtectedResource-2.example.com:8888
Log in to the Web Server using the following information:
admin
web4dmin
You should be able to see the Web Server console. You can log out of the console now.
Start the Protected Resource 2 instance.
# cd /opt/SUNWwbsvr/https-ProtectedResource-2.example.com
# ./stop; ./start
Run the netstat command to verify that the Web Server ports are open and listening.
# netstat -an | grep 1080
*.1080 *.* 0 0 49152 0 LISTEN
Go to the instance URL.
http://ProtectedResource-2.example.com:1080
You should see the default Web Server index page.
The Java System Web Policy Agents 2.2 package must be downloaded to each Protected Resource that will host a Web Policy Agent. You can download the package from the following website: http://www.sun.com/download
Due to a known problem with this version of the Web Policy Agent, you must start an X-display session on the server host using a program such as Reflections X or VNC, even though you use the command-line installer. For more information about this known problem, see http://docs.sun.com/app/docs/doc/819-2796/6n52flfoq?a=view#adtcd.
Log in as a root user to host ProtectedResource-2.
Download the Java System Web Policy Agents 2.2 package from the following website:
Unpack the downloaded package.
In this example, the package was downloaded into the directory /temp.
# cd /temp
# gunzip sun-one-policy-agent-2.2-es6-solaris_sparc.tar.gz
# tar -xvof sun-one-policy-agent-2.2-es6-solaris_sparc.tar
Start the Web Policy Agents installer.
# ./setup -nodisplay
When prompted, provide the following information:
Press Enter.
Press Enter.
Enter y.
Accept the default value.
Accept the default value.
Enter .
Enter 1080.
Accept the default value.
Accept the default value.
For this example, enter the external-facing load balancer host name. Example: LoadBalancer-3.example.com
Enter the load balancer HTTP port number. For this example, enter 90.
Accept the default value.
Accept the default value.
Accept the default value.
Accept the default value.
Enter the amldapuser password that was entered when Access Manager was installed. For this example, enter 4mld4puser.
Enter the 4mld4puser password again to confirm it.
Accept the default value.
First, see the next (Optional) numbered step. When you are ready to start installation, press Enter.
(Optional) During installation, you can monitor the log to watch for installation errors. Example:
# cd /var/sadm/install/logs
# tail -f /var/sadm/install/logs/Sun_Java_tm__System_Access_Manager_Policy_Agent_install.Bxxxxxx
Modify the AMAgent.properties file.
# cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-2.example.com
Make a backup of AMAgent.properties before setting the following property:
com.sun.am.policy.am.login.url = https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users
Restart the Web Server.
Watch for errors as the server starts up.
# cd /opt/SUNWwbsvr/https-ProtectedResource-2.example.com
# ./stop; ./start
Start a new browser and go to the Access Manager URL.
Example: https://loadbalancer-3.example.com:9443/amserver/console
Log in to Access Manager using the following information:
amadmin
4m4dmin1
Create a referral policy in the top-level realm.
On the Access Control tab, under Realms, click example.com.
Click the Policies tab.
On the Policies tab for example.com-Policies, click the “Referral URL Policy for users realm” link.
In the Edit Policy page, under Rules, click New.
In the Edit Rule page, provide the following information.
On the same page, in the Rules section, click New.
Select a Service Type.
On the page “Step 1 of 2: Select Service Type for the Rule,” select URL Policy Agent (with resource name).
Click Next.
On the page “Step 2 of 2: New Rule,” provide the following information:
URL Rule for ProtectedResource-2
http://ProtectedResource-2.example.com:1080/*
Click Finish.
On the Edit Policy page, click Save.
In the Policies tab for example.com-Policies, you should see the policy named Referral URL Policy for users realm.
Create a policy in the users realm.
Click Realms.
On the Access Control tab, under Realms, click the Realm Name users.
Click the Policies tab.
On the Policies tab for users-Policies, click New Policy.
In the New Policy page, provide the following information:
URL Policy for ProtectedResource-2
Verify that the checkbox is marked.
On the same page, in the Rules section, click New.
On the page “Step 1 of 2: Select Service Type for the Rule,” click Next.
The Service Type “URL Policy Agent (with resource name)” is the only choice.
On the page “Step 2 of 2: New Rule,” provide the following information:
URL Rule for ProtectedResource-2
Click the URL listed in the Parent Resource Name list: http://ProtectedResource-2.example.com:1080/*
The URL is automatically added to the Resource Name field.
Mark this checkbox, and select the Allow value.
Mark this checkbox, and select the Allow value.
Click Finish.
On the Policy page, in the Subjects section, click New.
Select the subject type.
On the page “Step 1 of 2: Select Subject Type,” select the Access Manager Identity Subject type.
On the page “Step 2 of 2: New Subject — Access Manager Identity Subject,” provide the following information:
Test Subject
Choose User, and then click Search. Four users are added to the Available list.
In the list, select testuser1, and then click Add.
The user testuser1 is added to the Selected list.
Click Finish.
In the New Policy page, click Create.
On the Policies tab for users-Policies, the new policy “URL Policy for ProtectedResource-2” is now in the Policies list.
Verify that the new policy works with Web Policy Agent 2.
The Web Policy Agent on Protected Resource 1 connects to Access Manager servers through Load Balancer 3. The load balancer is SSL-enabled, so the agent must be able to trust the load balancer SSL certificate in order to establish the SSL connection. To do this, import the root CA certificate that issued the Load Balancer 3 SSL server certificate into the Web Policy Agent certificate store.
Obtain the root CA certificate, and copy it to ProtectedResource-2.
Copy the root CA certificate to Protected Resource 2.
Open a browser, and go to the Web Server 2 administration console.
http://ProtectedResource-2.example.com:8888
Log in to the Web Server 2 console using the following information:
admin
web4dmin
In the Select a Server field, select ProtectedResource-2.example.com, and then click Manage.
If a “Configuration files have not been loaded” message is displayed, it may be that the administration server has never been accessed, and so the configuration files have never been loaded. First click Apply, and then click Apply Changes. The configuration files are read, and the server is stopped and restarted.
Click the Security tab.
On the Initialize Trust Database page, enter a Database Password.
Enter the password again to confirm it, and then click OK.
In the left frame, click Install Certificate and provide the following information, and then click OK:
Choose Trusted Certificate Authority (CA)
password
OpenSSL_CA_Cert
/export/software/ca.cert
Click Add Server Certificate.
Click Manage Certificates.
The root CA Certificate name OpenSSL_CA_Cert is included in the list of certificates.
Click the Preferences tab.
Restart Web Server 2.
On the Server On/Off page, click Server Off. When the server indicates that the administration server is off, click Server On.
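The procedure above installs the root CA certificate as a Trusted Certificate Authority in the Web Server 2 trust database so the agent can trust the Load Balancer 3 SSL certificate. Before trusting a CA file, it is worth confirming that it is in fact the issuer of the load balancer's server certificate: importing the wrong root leaves the agent-to-Access Manager SSL connection broken, and importing an unintended root extends trust further than planned. The following shell script is an added example and not part of the Sun deployment guide. It uses openssl, which the page does not itself mention, and the host name and the path /export/software/ca.cert follow this page; the CA and server certificates that make_test_pki creates are constructed locally for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Sun deployment guide): confirm that a root CA
# certificate really issued the Load Balancer 3 server certificate before
# installing it in the Web Server 2 trust database.

# Print the subject and issuer of a PEM certificate for a visual check.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Return 0 when SERVER_CERT chains to CA_CERT, non-zero otherwise. Run this
# against the CA file you are about to install (for example
# /export/software/ca.cert) and the certificate presented by the load balancer.
verify_issuer() {
    ca_cert=$1; server_cert=$2
    openssl verify -CAfile "$ca_cert" "$server_cert" >/dev/null 2>&1
}

# Constructed test PKI for the demonstration: a self-signed root CA, a server
# certificate for LoadBalancer-3.example.com issued by it, and an unrelated
# root that did not issue anything here.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.cert" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=LoadBalancer-3.example.com" \
        -keyout "$dir/lb3.key" -out "$dir/lb3.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/lb3.csr" -CA "$dir/ca.cert" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$dir/lb3.cert" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Some Other CA" \
        -keyout "$dir/other.key" -out "$dir/other.cert" >/dev/null 2>&1
}

# Demonstration run on the constructed certificates.
tmp=$(mktemp -d)
make_test_pki "$tmp"
cert_summary "$tmp/lb3.cert"
if verify_issuer "$tmp/ca.cert" "$tmp/lb3.cert"; then
    echo "ca.cert issued lb3.cert: install it as Trusted Certificate Authority (CA)"
else
    echo "ca.cert did NOT issue lb3.cert: do not install it"
fi
if verify_issuer "$tmp/other.cert" "$tmp/lb3.cert"; then
    echo "other.cert issued lb3.cert"
else
    echo "other.cert did NOT issue lb3.cert: do not install it"
fi
rm -rf "$tmp"
```

On the real hosts, replace the constructed files with the CA certificate copied to Protected Resource 2 and the certificate served by Load Balancer 3; the verify_issuer check must pass before the certificate is installed through the Security tab.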
Configure the Web Policy Agent 2 to point to the Access Manager SSL port.
Edit the AMAgent.properties file.
# cd /opt/SUNWam/agents/es5/config/_opt_SUNWwbsvr_https-ProtectedResource-2.example.com
Make a backup of the AMAgent.properties file before setting the following property:
com.sun.am.naming.url = https://LoadBalancer-3.example.com:9443/amserver/namingservice
Save the file.
Restart Web Server 2.
# cd /opt/SUNWwbsvr/https-ProtectedResource-2.example.com
# ./stop; ./start
This new account will be used by J2EE Policy Agent 2 to access the Access Manager server.
Create an agent profile on Access Manager.
Go to the Access Manager load balancer URL:
https://LoadBalancer-3.example.com:9443/amserver/UI/Login
Log in to the Access Manager console using the following information:
amadmin
4m4dmin1
On the Access Control tab, under Realms, click the realm name example.com.
Click the Subjects tab.
Click the Agents tab.
On the Agent page, click New.
On the New Agent page, provide the following information:
webagent-2
web4gent2
web4gent2
Choose Active.
Click Create.
The new agent webagent-2 is now displayed in the list of Agent Users.
Log in as a root user to Protected Resource 2.
Run the crypt_util utility.
The utility encrypts the password.
# cd /opt/SUNWam/agents/bin
# ./crypt_util web4gent2
BXxzBswD+PZdMRDRMXQQA==
Copy the encrypted password, and save it in a text file.
Edit the AMAgent.properties file.
# cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-2.example.com
Make a backup of AMAgent.properties before you make the following changes in the file:
com.sun.am.policy.am.username = webagent-2
com.sun.am.policy.am.password = BXxzBswD+PZdMRDRMXQQA==
Use the encrypted password obtained in the previous step.
Save the file.
Restart Web Server 2.
# cd /opt/SUNWwbsvr/https-ProtectedResource-2.example.com # ./stop; ./start
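The three AMAgent.properties edits made in this chapter (the login URL pointing at the distributed authentication UI, the naming URL pointing at the Access Manager SSL port, and the agent user name with its crypt_util-encrypted password) are easy to get subtly wrong: a property left commented out with a leading #, an http URL where SSL is required, the same key assigned twice, or the plaintext agent password pasted in place of the encrypted value. The following shell script is an added example and not part of the Sun deployment guide. It audits an edited AMAgent.properties for those conditions; the property names are the Web Policy Agent 2.2 keys shown on this page, and the sample files it writes are constructed for the demonstration using the example values from this deployment.

```shell
#!/bin/sh
# Added example (not from the Sun deployment guide): audit an edited
# AMAgent.properties for the three changes made in this chapter.

# Print the value of property KEY from FILE. Succeeds only when the key
# appears exactly once and is not commented out: a line such as
# "# com.sun.am.naming.url = ..." never takes effect. Dots in KEY are left
# unescaped; the trailing "=" anchor keeps longer key names from matching.
am_prop() {
    key=$1; file=$2
    count=$(grep -c "^[[:space:]]*$key[[:space:]]*=" "$file" || :)
    [ "$count" -eq 1 ] || return 1
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$file"
}

# Pass when KEY is set once and its value starts with https:// .
check_https() {
    key=$1; file=$2
    value=$(am_prop "$key" "$file") || {
        echo "FAIL $key: missing, commented out, or set more than once"; return 1; }
    case $value in
        https://*) echo "PASS $key = $value"; return 0 ;;
        *)         echo "FAIL $key does not use https: $value"; return 1 ;;
    esac
}

# Pass when the agent user name matches the agent profile and the stored
# password is neither empty nor the plaintext that was given to crypt_util.
check_credentials() {
    file=$1; agent=$2; plain=$3
    user=$(am_prop com.sun.am.policy.am.username "$file") || {
        echo "FAIL com.sun.am.policy.am.username: missing or set more than once"; return 1; }
    [ "$user" = "$agent" ] || { echo "FAIL username is $user, expected $agent"; return 1; }
    pw=$(am_prop com.sun.am.policy.am.password "$file") || {
        echo "FAIL com.sun.am.policy.am.password: missing or set more than once"; return 1; }
    if [ -z "$pw" ] || [ "$pw" = "$plain" ]; then
        echo "FAIL password is empty or stored in clear text"; return 1
    fi
    echo "PASS agent $agent has a non-plaintext password"
}

# Run every check; the return value is the number of failures (0 = ready).
audit_amagent() {
    file=$1; agent=$2; plain=$3; fails=0
    check_https com.sun.am.policy.am.login.url "$file" || fails=$((fails+1))
    check_https com.sun.am.naming.url "$file"          || fails=$((fails+1))
    check_credentials "$file" "$agent" "$plain"         || fails=$((fails+1))
    return $fails
}

# Constructed sample: AMAgent.properties after the edits on this page.
write_sample() {
cat > "$1" <<'EOF'
# constructed excerpt of AMAgent.properties
com.sun.am.policy.am.login.url = https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users
com.sun.am.naming.url = https://LoadBalancer-3.example.com:9443/amserver/namingservice
com.sun.am.policy.am.username = webagent-2
com.sun.am.policy.am.password = BXxzBswD+PZdMRDRMXQQA==
EOF
}

# Constructed sample with three slips: an http login URL, the naming URL
# left commented out, and the password key assigned twice (no username).
write_bad_sample() {
cat > "$1" <<'EOF'
com.sun.am.policy.am.login.url = http://LoadBalancer-4.example.com:90/distAuth/UI/Login?realm=users
# com.sun.am.naming.url = https://LoadBalancer-3.example.com:9443/amserver/namingservice
com.sun.am.policy.am.password = webagent-2
com.sun.am.policy.am.password = BXxzBswD+PZdMRDRMXQQA==
EOF
}

# Demonstration run on the constructed good sample.
tmp=$(mktemp -d)
write_sample "$tmp/AMAgent.properties"
audit_amagent "$tmp/AMAgent.properties" webagent-2 web4gent2
echo "failures: $?"
rm -rf "$tmp"
```

On Protected Resource 2 the call would be audit_amagent against the real file under /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-2.example.com, run before the Web Server restart so a slip is caught before the agent fails to reach Access Manager.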