Deployment Example 1: Access Manager 7.0 Load Balancing, Distributed Authentication UI, and Session Failover

8.10 Configuring Access Manager to Communicate Over SSL

Use the following as your checklist for configuring Access Manager to communicate over SSL:

  1. Configure the J2EE Policy Agent for SSL.

  2. Import a root CA certificate into the Application Server 2 key store.

  3. Verify that J2EE Policy Agent 2 is configured properly.

  4. Configure the J2EE Policy Agents to access the Distributed Authentication UI server.

Procedure: To Configure the J2EE Policy Agent for SSL

  1. Log in as a root user to Protected Resource 2 and go to the agent configuration directory:

    # cd /opt/j2ee_agents/am_wl9_agent/agent_001/config

  2. Make a backup of the AMAgent.properties file.

  3. In the AMAgent.properties file, set the following properties so that every Access Manager URL the agent uses points at the SSL listener (port 9443) of Load Balancer 3:

    com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-3.example.com:9443/amserver/UI/Login?realm=users
    com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
    com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
    com.iplanet.am.naming.url=https://LoadBalancer-3.example.com:9443/amserver/namingservice
    com.iplanet.am.server.protocol=https
    com.iplanet.am.server.port=9443
  4. Save the AMAgent.properties file.
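The procedure above edits AMAgent.properties by hand. The following script is an added example, not part of the deployment guide or of the agent software, that does the same from the shell: it keeps a timestamped backup (step 2), rewrites the six properties of step 3 in place, and reports failure if any Access Manager URL is still http or if server.port disagrees with the port in the naming URL, so the mistake is caught before the server is restarted. The set_prop helper works equally for the login URL change to the Distributed Authentication UI server later in this section. The configuration path and the LoadBalancer-3 base URL are the values used in the procedure; the helper names are this example's own.

```sh
#!/bin/sh
# Added example; not part of the deployment guide or the agent software.
# Applies step 3 of the SSL procedure from a script: keeps a timestamped
# backup, rewrites each property in place (or appends it), then checks that
# no Access Manager URL was left on http before the server is restarted.
# Assumptions: the AMAgent.properties path is the one used in step 1, and the
# Access Manager base URL is the LoadBalancer-3 SSL listener from step 3.
set -u

# set_prop FILE KEY VALUE
# Replace every "KEY = value" (or "KEY=value") line with "KEY = VALUE", or
# append the line if KEY is absent. Keys are compared literally, so names such
# as com.sun.identity.agents.config.login.url[0] need no regex escaping.
# Only "=" is handled as separator; the agent files on this page use "=".
set_prop() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        {
            eq = index($0, "=")
            if (eq > 0) {
                lk = substr($0, 1, eq - 1)
                gsub(/^[ \t]+|[ \t]+$/, "", lk)
                if (lk == k) {
                    if (!done) { print k " = " v; done = 1 }
                    next                      # drop duplicate definitions
                }
            }
            print
        }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_prop FILE KEY: print the value of the first definition of KEY.
get_prop() {
    awk -v k="$2" '
        {
            eq = index($0, "="); if (eq == 0) next
            lk = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", lk)
            if (lk == k) {
                v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_ssl_props FILE
# Succeed only if every *.url / trusted.id.provider value is https://, the
# server protocol is https, and server.port agrees with the naming URL port.
# A single http value here would have the agent exchange SSO tokens with the
# naming and session services in clear text.
check_ssl_props() {
    awk '
        BEGIN { bad = 0 }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k ~ /\.url(\[[0-9]+\])?$/ || k ~ /\.provider\[[0-9]+\]$/) {
                if (v !~ /^https:\/\//) { print "not https: " k " = " v; bad = 1 }
            }
            if (k == "com.iplanet.am.server.protocol" && v != "https") {
                print "server.protocol is " v ", expected https"; bad = 1
            }
            if (k == "com.iplanet.am.naming.url" && match(v, /:[0-9]+\//))
                nport = substr(v, RSTART + 1, RLENGTH - 2)
            if (k == "com.iplanet.am.server.port") sport = v
        }
        END {
            if (nport != "" && sport != "" && nport != sport) {
                print "server.port " sport " != naming.url port " nport; bad = 1
            }
            exit bad
        }' "$1"
}

# configure_agent_ssl FILE BASE_URL: steps 2 to 4 of the procedure.
configure_agent_ssl() {
    conf=$1; base=$2
    port=$(printf '%s' "$base" | sed -n 's#^https://[^/:]*:\([0-9]*\)/.*#\1#p')
    : "${port:=443}"                          # https default when no port given
    cp -p "$conf" "$conf.$(date +%Y%m%d%H%M%S).bak"
    set_prop "$conf" 'com.sun.identity.agents.config.login.url[0]' "$base/UI/Login?realm=users"
    set_prop "$conf" 'com.sun.identity.agents.config.cdsso.cdcservlet.url[0]' "$base/cdcservlet"
    set_prop "$conf" 'com.sun.identity.agents.config.cdsso.trusted.id.provider[0]' "$base/cdcservlet"
    set_prop "$conf" 'com.iplanet.am.naming.url' "$base/namingservice"
    set_prop "$conf" 'com.iplanet.am.server.protocol' https
    set_prop "$conf" 'com.iplanet.am.server.port' "$port"
    check_ssl_props "$conf"
}

if [ $# -eq 2 ]; then
    configure_agent_ssl "$1" "$2"
fi
```

Run it as `sh agent-ssl.sh /opt/j2ee_agents/am_wl9_agent/agent_001/config/AMAgent.properties https://LoadBalancer-3.example.com:9443/amserver`. A non-zero exit status together with a "not https" or "server.port" line means the file is in a mixed state; fix it before restarting Application Server 2.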

Procedure: To Import a Root CA Certificate into the Application Server 2 Key Store

  1. Log in as a root user to Protected Resource 2 and go to the following directory:

    /usr/local/bea/jdk150_04/jre/lib/security/

  2. Make a backup of cacerts.

  3. Import the certificate. Before you answer yes at the prompt, compare the fingerprints that keytool displays with the fingerprints published by the CA operator; changeit is the default password of the JDK cacerts key store. Note that this cacerts file is the default trust store of every Java application that runs on this JDK, not only of Application Server 2.

    # /usr/local/bea/jdk150_04/bin/keytool -import -trustcacerts \
    -alias OpenSSLTestCA -file /export/software/ca.cer \
    -keystore /usr/local/bea/jdk150_04/jre/lib/security/cacerts -storepass changeit
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
    Serial number: 97dba0aa26db6386
    Valid from: Tue Apr 18 07:55:19 PDT 2006 until: Tue Jan 13 06:55:19 PST 2009
    Certificate fingerprints:
             MD5:  9F:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06
             SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:28:64:36:80:E4:70
    Trust this certificate? [no]:  yes
    Certificate was added to keystore
  4. Verify that the certificate was added to the key store.

    # /usr/local/bea/jdk150_04/bin/keytool -list \
    -keystore /usr/local/bea/jdk150_04/jre/lib/security/cacerts \
    -storepass changeit | grep -i openssl
    openssltestca, Oct 2, 2006, trustedCertEntry,
  5. Stop Application Server 2.

    # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
    # ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001 
  6. Stop the administration server.

    # ./stopWebLogic.sh
  7. Start the administration server.

    # nohup ./startWebLogic.sh &
    # tail -f nohup.out
  8. Start Application Server 2.

    # nohup ./startManagedWebLogic.sh ApplicationServer-2 http://ProtectedResource-2.example.com:7001 &
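Step 3 of the import procedure asks you to type yes at the Trust this certificate? prompt. The following script is an added example, not part of the deployment guide: it computes the same MD5 and SHA1 fingerprints that keytool displays, from the CA file itself, using only coreutils (base64, md5sum, sha1sum), so the value can be checked against the fingerprint obtained from the CA operator before the certificate goes into cacerts. A certificate fingerprint is the hash of the certificate's DER encoding, which is what the script hashes after stripping the PEM armour. The path /export/software/ca.cer is the one used in the procedure; the expected fingerprint is whatever you received out of band, and the function names are this example's own.

```sh
#!/bin/sh
# Added example (not from the deployment guide): compute the MD5 and SHA1
# fingerprints that keytool prints at the "Trust this certificate?" prompt
# from the CA file, so they can be compared with the value the CA operator
# published before the CA is added to cacerts.
# Uses only base64(1) and md5sum/sha1sum from coreutils; no JDK needed.
# The file path and expected fingerprint are supplied by the caller.

# pem_to_der FILE OUT: strip the PEM armour and base64-decode the body; a
# file that is already DER (no BEGIN line) is copied unchanged.
pem_to_der() {
    if grep -q -e '-----BEGIN' "$1"; then
        awk '/-----BEGIN/ { f = 1; next } /-----END/ { f = 0 } f' "$1" | base64 -d > "$2"
    else
        cp "$1" "$2"
    fi
}

# cert_fingerprint FILE ALG: print the keytool-style fingerprint
# ("A9:99:3E:..."); ALG is md5 or sha1. keytool hashes the DER encoding of
# the certificate, so that is what is hashed here.
cert_fingerprint() {
    der=$(mktemp)
    pem_to_der "$1" "$der"
    hex=$("${2}sum" "$der" | cut -d' ' -f1)
    rm -f "$der"
    printf '%s\n' "$hex" | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# verify_fingerprint FILE ALG EXPECTED: return 0 if the fingerprint of FILE
# matches EXPECTED. Case and separators are normalised so that a value pasted
# from keytool, openssl or a browser dialog compares equal.
verify_fingerprint() {
    got=$(cert_fingerprint "$1" "$2" | tr -d ':' | tr 'A-F' 'a-f')
    want=$(printf '%s' "$3" | tr -d ': ' | tr 'A-F' 'a-f')
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# Usage: sh ca-fingerprint.sh /export/software/ca.cer sha1 "$EXPECTED_SHA1"
if [ $# -eq 3 ]; then
    if verify_fingerprint "$1" "$2" "$3"; then
        echo "fingerprint matches: safe to answer yes to keytool"
    else
        echo "fingerprint MISMATCH (got $(cert_fingerprint "$1" "$2")): do not import" >&2
        exit 2
    fi
fi
```

Compare the SHA1 value in preference to MD5; MD5 is produced only because the keytool output above shows it. If you also have a SHA-256 fingerprint from the CA operator, `sha256sum` works with the same helper even though the keytool output above does not include that algorithm.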

Procedure: To Verify that J2EE Policy Agent 2 is Configured Properly

  1. Go to the Sample Application URL:

    http://protectedresource-2.example.com:1081/agentsample/index.html

    The Sample Application welcome page is displayed.

  2. Click J2EE Declarative Security > “Invoke the Protected Servlet”.

    The Policy Agent redirects to the Access Manager login page.

  3. Log in on the Access Manager login page using the following information:

    Username: testuser1
    Password: password

    If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.

  4. Click the “J2EE Declarative Security” link.

  5. On the J2EE Declarative Security page, click the “Invoke the Protected Servlet” link.

    If the Success Invocation message is displayed, then this part of the test succeeded, and the sample policy for the manager role has been enforced as expected.

  6. Click the “J2EE Declarative Security” link to go back.

  7. Click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    If the Failed Invocation message is displayed, then this part of the test succeeded, and the sample policy for the employee role has been enforced as expected.

  8. Close the browser.

  9. In a new browser session, go to the Sample Application URL:

    http://protectedresource-2.example.com:1081/agentsample/index.html

    The Policy Agent redirects to the Access Manager login page.

  10. Log in on the Access Manager login page using the following information:

    Username: testuser2
    Password: password

    The Failed Invocation message is displayed.

  11. Click the “J2EE Declarative Security” link.

  12. On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.

    The Successful Invocation message is displayed. The sample policy for the employee role has been enforced as expected.

  13. Click the “J2EE Declarative Security” link to go back.

  14. Click the “Invoke the Protected Servlet” link.

    If the Access to Requested Resource Denied message is displayed, then this part of the test is successful. The sample policy for the manager role has been enforced as expected.

Procedure: To Configure the J2EE Policy Agents to Access the Distributed Authentication UI Server

  1. Log in as a root user to Protected Resource 2 and go to the agent configuration directory:

    # cd /opt/j2ee_agents/am_wl9_agent/agent_001/config
  2. Make a backup of the file AMAgent.properties.

  3. In the AMAgent.properties file, set the following property so that the agent sends users to the Distributed Authentication UI server, on the SSL listener of Load Balancer 4, instead of directly to Access Manager:

    com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users
  4. Save the file.

  5. Restart the Application Server.

    1. Stop Application Server 2.

      # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
      # ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001 
    2. Stop the administration server.

      # cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
      # ./stopWebLogic.sh
    3. Start the administration server.

      # nohup ./startWebLogic.sh &
      # tail -f nohup.out

      Watch for startup errors.

    4. Start Application Server 2.

      # nohup ./startManagedWebLogic.sh ApplicationServer-2 http://ProtectedResource-2.example.com:7001 &
      # tail -f nohup.out
  6. Verify that the agents are configured properly.

    1. Go to the sample application URL:

      http://ProtectedResource-2.example.com:1081/agentsample/index.html

    2. In the left navigation bar, click “Invoke the Protected Servlet.”

      You are redirected to the Distributed Authentication UI server URL https://LoadBalancer-4.example.com:9443/distAuth/UI/Login. The Access Manager login page is displayed.

    3. Double-click the gold lock in the lower left corner of the browser.

      In the Properties page, you see the certificate for LoadBalancer-4.example.com. Confirm that the certificate was issued for this host name, the one configured in the login URL, and not for a different server.

    4. Log in on the Access Manager login page using the following information:

      Username: testuser1
      Password: password

      You are redirected to the protected servlet of the Sample Application, and a success message is displayed. This indicates that authentication through the Distributed Authentication UI server was successful.
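Double-clicking the gold lock in step 3 is a manual check that the SSL endpoint the agent redirects to presents a certificate for the expected host. The following script is an added example, not part of the deployment guide, that performs the same check from the command line with openssl(1): it connects to the load balancer with SNI, verifies the presented chain against the CA file imported into cacerts earlier in this section, and compares the certificate's CN with the configured host name. Host, port and CA path are passed as arguments; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the deployment guide: the scripted equivalent of
# the "gold lock" check. Connect to the SSL endpoint the agent was pointed
# at, verify the served chain against the CA imported into cacerts, and
# confirm the certificate is issued for the configured host name.
# Assumes openssl(1) is installed; host, port and CA path are arguments.

# verify_code S_CLIENT_OUTPUT: print the numeric "Verify return code"
# from openssl s_client output (0 = chain verified against the -CAfile).
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# subject_cn SUBJECT_LINE: extract the CN from an "openssl x509 -subject
# -nameopt RFC2253" line, e.g. "subject=CN=LoadBalancer-4.example.com,O=Sun,C=US".
subject_cn() {
    printf '%s\n' "$1" | sed -n 's/^subject=//; s/.*CN=\([^,]*\).*/\1/p'
}

# names_match A B: DNS names compare case-insensitively.
names_match() {
    [ "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$2" | tr 'A-Z' 'a-z')" ]
}

# check_endpoint HOST PORT CAFILE: 0 if the chain verifies and the CN matches.
check_endpoint() {
    host=$1; port=$2; ca=$3
    # -servername sends SNI so a load balancer hosting several names returns
    # the right certificate; </dev/null ends the session after the handshake.
    out=$(openssl s_client -connect "$host:$port" -servername "$host" -CAfile "$ca" </dev/null 2>/dev/null) || true
    code=$(verify_code "$out")
    if [ "$code" != 0 ]; then
        echo "$host:$port: chain did not verify against $ca (code ${code:-none})" >&2
        return 1
    fi
    # openssl x509 reads the first PEM block in the s_client output
    subj=$(printf '%s\n' "$out" | openssl x509 -noout -subject -nameopt RFC2253)
    cn=$(subject_cn "$subj")
    if ! names_match "$cn" "$host"; then
        echo "$host:$port: certificate is for '$cn', not for $host" >&2
        return 1
    fi
    echo "$host:$port: chain OK, certificate CN=$cn"
}

# Usage: sh check-endpoint.sh LoadBalancer-4.example.com 9443 /export/software/ca.cer
if [ $# -eq 3 ]; then
    check_endpoint "$1" "$2" "$3"
fi
```

The CN comparison mirrors what the browser dialog in step 3 shows. If the load balancer certificate carries subjectAltName entries, inspect them as well with `openssl x509 -noout -ext subjectAltName` (OpenSSL 1.1.1 and later), since current clients match the host against those names rather than the CN.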