Use the following as your checklist for configuring Access Manager to communicate over SSL:
Import a root CA certificate into the Application Server 2 key store.
Configure the J2EE Policy Agents to access the Distributed Authentication UI server.
Log in as a root user to Protected Resource 2.
# cd /opt/j2ee_agents/am_wl9_agent/agent_001/config
Make a backup of the AMAgent.properties file.
In the AMAgent.properties, set the following properties:
com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-3.example.com:9443/amserver/UI/Login?realm=users
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
com.iplanet.am.naming.url= https://LoadBalancer-3.example.com:9443/amserver/namingservice
com.iplanet.am.server.protocol=https
com.iplanet.am.server.port=9443
Save the AMAgent.properties file.
Log in as a root user to Protected Resource 2 and go to the following directory:
/usr/local/bea/jdk150_04/jre/lib/security/
Make a backup of cacerts.
Import the certificate.
# /usr/local/bea/jdk150_04/bin/keytool -import -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer -keystore /usr/local/bea/jdk150_04/jre/lib/security/cacerts -storepass changeit
Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
Serial number: 97dba0aa26db6386
Valid from: Tue Apr 18 07:55:19 PDT 2006 until: Tue Jan 13 06:55:19 PST 2009
Certificate fingerprints:
MD5: 9F:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06
SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:28:64:36:80:E4:70
Trust this certificate? [no]: yes
Certificate was added to keystore
Verify the certificate was added to the key store.
# /usr/local/bea/jdk150_04/bin/keytool -list -keystore /usr/local/bea/jdk150_04/jre/lib/security/cacerts -storepass changeit | grep -i openssl
openssltestca, Oct 2, 2006, trustedCertEntry,
Stop Application Server 2.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
# ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001
Stop the administration server.
# ./stopWebLogic.sh
Start the administration server.
# nohup ./startWebLogic.sh &
# tail -f nohup.out
Start Application Server 2.
# nohup ./startManagedWebLogic.sh ApplicationServer-2 http://ProtectedResource-2.example.com:7001 &
Go to the Sample Application URL:
http://protectedresource-2.example.com:1081/agentsample/index.html
The Sample Application welcome page is displayed.
Click J2EE Declarative Security > “Invoke the Protected Servlet”
The Policy Agent redirects to the Access Manager login page.
Log in to the Access Manager console using the following information:
testuser1
password
If you can successfully log in as testuser1, and the J2EE Policy Agent Sample Application page is displayed, then this part of the test succeeded and authentication is working as expected.
Click the “J2EE Declarative Security” link.
On the J2EE Declarative Security page, click the “Invoke the Protected Servlet” link.
If the Success Invocation message is displayed, then this part of the test succeeded, and the sample policy for the manager role has been enforced as expected.
Click the “J2EE Declarative Security” link to go back.
Click the “Invoke the Protected EJB via an Unprotected Servlet” link.
If the Failed Invocation message is displayed, then this part of the test succeeded, and the sample policy for the employee role has been enforced as expected.
Close the browser.
In a new browser session, go to the Sample Application URL:
http://protectedresource-2.example.com:1081/agentsample/index.html
The Policy Agent redirects to the Access Manager login page.
Log in to the Access Manager console using the following information:
testuser2
password
The Failed Invocation message is displayed.
Click the “J2EE Declarative Security” link.
On the J2EE Declarative Security page, click the “Invoke the Protected EJB via an Unprotected Servlet” link.
The Successful Invocation message is displayed. The sample policy for the employee role has been enforced as expected.
Click the “J2EE Declarative Security” link to go back.
Click the “Invoke the Protected Servlet” link.
If the Access to Requested Resource Denied message is displayed, then this part of the test is successful. The sample policy for the manager role has been enforced as expected.
Log in as a root user to Protected Resource 2.
# cd /opt/j2ee_agents/am_wl9_agent/agent_001/config
Make a backup of the file AMAgent.properties.
In the AMAgent.properties file, set the following properties:
com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-4.example.com:9443/distAuth/UI/Login?realm=users
Save the file.
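As an added example (not from the Sun documentation or the agent itself), the following Python script reads an AMAgent.properties file and checks the properties set in the two editing steps above: every URL the agent contacts (the Access Manager login, CDC servlet, trusted ID provider and naming service URLs, or the Distributed Authentication login URL) must use https, and the naming URL port must agree with com.iplanet.am.server.port. The sample file contents are constructed from the values on this page.

```python
"""Check the SSL-related settings of an AMAgent.properties file for consistency."""
import re
from urllib.parse import urlsplit

# Constructed sample input: the properties this procedure sets, as they appear in the file.
SAMPLE_PROPERTIES = """\
com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-3.example.com:9443/amserver/UI/Login?realm=users
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://LoadBalancer-3.example.com:9443/amserver/cdcservlet
com.iplanet.am.naming.url= https://LoadBalancer-3.example.com:9443/amserver/namingservice
com.iplanet.am.server.protocol=https
com.iplanet.am.server.port=9443
"""

# Agent properties that carry a URL the agent will contact; every one of them must be https.
URL_KEYS = (
    "com.sun.identity.agents.config.login.url[0]",
    "com.sun.identity.agents.config.cdsso.cdcservlet.url[0]",
    "com.sun.identity.agents.config.cdsso.trusted.id.provider[0]",
    "com.iplanet.am.naming.url",
)


def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' or 'key=value'; '#'/'!' comment lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def check_ssl_settings(props):
    """Return a list of findings; an empty list means the agent talks to Access Manager only over SSL."""
    findings = []
    protocol = props.get("com.iplanet.am.server.protocol")
    port = props.get("com.iplanet.am.server.port")
    if protocol != "https":
        findings.append(f"com.iplanet.am.server.protocol is {protocol!r}, expected 'https'")
    for key in URL_KEYS:
        value = props.get(key)
        if value is None:
            findings.append(f"{key} is not set")
            continue
        url = urlsplit(value)
        if url.scheme != "https":
            findings.append(f"{key} has scheme {url.scheme!r}: credentials and SSO tokens would cross the network in the clear")
        # The naming service URL must agree with the protocol/port pair the agent is told to use.
        if key == "com.iplanet.am.naming.url" and str(url.port) != port:
            findings.append(f"{key} uses port {url.port} but com.iplanet.am.server.port is {port}")
    return findings


if __name__ == "__main__":
    for finding in check_ssl_settings(parse_properties(SAMPLE_PROPERTIES)) or ["all SSL settings consistent"]:
        print(finding)
```

To check a real file, replace SAMPLE_PROPERTIES with the contents of /opt/j2ee_agents/am_wl9_agent/agent_001/config/AMAgent.properties.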
Restart the Application Server.
Stop Application Server 2.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
# ./stopManagedWebLogic.sh ApplicationServer-2 t3://localhost:7001
Stop the administration server.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-2/bin
# ./stopWebLogic.sh
Start the administration server.
# nohup ./startWebLogic.sh &
# tail -f nohup.out
Watch for startup errors.
Start Application Server 2.
# nohup ./startManagedWebLogic.sh ApplicationServer-2 http://ProtectedResource-2.example.com:7001 &
# tail -f nohup.out
Verify that the agents are configured properly.
Go to the sample application URL:
http://ProtectedResource-2.example.com:1081/agentsample/index.html
In the left navigation bar, click “Invoke the Protected Servlet.”
You are redirected to the Distributed Authentication UI server URL https://loadbalancer-4.example.com:9443/distAuth/UI/login. The Access Manager login page is displayed.
Double-click the gold lock in the lower left corner of the browser.
In the Properties page, you see the certificate for LoadBalancer-4.example.com.
Log in to the Access Manager console using the following information:
testuser1
password
You are redirected to the protected servlet of the Sample Application, and a success message is displayed. This indicates that authentication through the Distributed Authentication UI server was successful.