Deployment Example 2: Federation Using SAML v2

Part V Setting Up Policy Agents in the Service Provider Site

Chapter 13 Installing and Configuring J2EE Policy Agents

This chapter contains detailed information about the following groups of tasks:

13.1 Creating J2EE Policy Agent Profiles on the Federation Manager Servers

When you install the J2EE Policy Agent, the installer reads the agent profile password from a file on the protected resource and uses the agent profile to authenticate to the Federation Manager servers. At this point, Federation Manager still authenticates users, including the agent, against flat files, so the agent profile is created as a flat-file user on each Federation Manager server. The J2EE Policy Agent uses this account to authenticate to the Federation Manager servers.

Use the following as your checklist for creating J2EE Policy Agent profiles on the Federation Manager Servers:

  1. Create an Agent Profile on Federation Manager 1.

  2. Create an Agent Profile on Federation Manager 2.

To Create a J2EE Policy Agent Profile on Federation Manager 1

  1. As a root user, log into the Federation Manager 1 host.

  2. Create the agent profile password file.

    Create a text file named agent_profile_password, and add to it the password for the new agent profile. In this example the password is asagent, the same string as the profile name; in a production deployment use a strong, unique password instead. Example:


    # cd /export
    # vi agent_profile_password
    asagent

    Save the file. The J2EE Policy Agent installer later reads this file, so the same file must also exist at /export/agent_profile_password on the Protected Resource 3 host when you run the installer there.

  3. Generate a hashed password for the new agent profile.


    # cd /var/opt/SUNWam/fm/federation/users
    # /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging --hash asagent
    EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8=

    The argument to --hash is the cleartext password. The output is the value Federation Manager stores for the flat-file user; the cleartext password itself is never stored on the Federation Manager host.

  4. Create a text file named asagent.properties in the users directory, and add the hashed password to the file.

    This file is the flat-file user entry that Federation Manager uses to authenticate the asagent profile.


    # vi asagent.properties
    password=EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8=

    Save the file.

To Create a J2EE Policy Agent Profile on Federation Manager 2

  1. As a root user, log into the Federation Manager 2 host.

  2. Create the agent profile password file.

    Create a text file named agent_profile_password, and add to it the password for the new agent profile. Use the same password as on Federation Manager 1, because the agents authenticate through the load balancer to either server. Example:


    # cd /export
    # vi agent_profile_password
    asagent

    Save the file. The J2EE Policy Agent installer later reads this file, so the same file must also exist at /export/agent_profile_password on the Protected Resource 4 host when you run the installer there.

  3. Generate a hashed password for the new agent profile.


    # cd /var/opt/SUNWam/fm/federation/users
    # /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging --hash asagent
    EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8=

    The same password produces the same hash on both servers, so the output must match the value generated on Federation Manager 1.

  4. Create a text file named asagent.properties in the users directory, and add the hashed password to the file.

    This file is the flat-file user entry that Federation Manager uses to authenticate the asagent profile.


    # vi asagent.properties
    password=EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8=

    Save the file.
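The hashed value shown in both procedures above is a 28-character base64 string: it decodes to a 20-byte digest and carries no salt. The following Python script is an added example, not part of this guide and not Federation Manager code. It models the stored value as unsalted base64(SHA-1(password)), an assumption drawn only from the digest length (the page does not document the exact ampassword construction), audits an agent password before it goes into agent_profile_password, and shows how cheaply such a hash is reversed when the password is guessable, as it is in this example where the password equals the profile name. The profile name, host names and candidate list are constructed for the example.

```python
import base64
import hashlib

# Hash shown on the page for the example password "asagent".
PAGE_HASH = "EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8="


def flatfile_hash(password: str) -> str:
    """Model of the stored value: base64(SHA-1(password)), no salt.

    ASSUMPTION: inferred from the 28-character, 20-byte output on the page;
    the real ampassword --hash construction is not documented there.
    """
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def digest_length(stored: str) -> int:
    """Number of raw digest bytes in a stored hash (20 means SHA-1 sized)."""
    return len(base64.b64decode(stored))


def audit_agent_password(password: str, profile_name: str, min_length: int = 12) -> list:
    """Return a list of problems with an agent profile password; empty means OK."""
    problems = []
    if password.strip() != password or "\n" in password:
        problems.append("leading/trailing whitespace or newline (the installer reads the file verbatim)")
    if password.lower() == profile_name.lower():
        problems.append("password equals the profile name")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = [any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password), any(not c.isalnum() for c in password)]
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    return problems


def deployment_candidates(profile_name: str, hosts: list) -> list:
    """Guesses someone who knows only the deployment layout would try first (constructed)."""
    base = [profile_name] + [h.split(".")[0] for h in hosts]
    out = []
    for b in base:
        out += [b, b.lower(), b.capitalize(), b + "1", b + "123", b + "2006"]
    return out


def recover_password(stored: str, candidates: list):
    """Unsalted, fast hash: one SHA-1 per guess, so every guess costs microseconds."""
    for guess in candidates:
        if flatfile_hash(guess) == stored:
            return guess
    return None


if __name__ == "__main__":
    # Constructed deployment details, matching the host names used on this page.
    hosts = ["ProtectedResource-3.siroe.com", "ProtectedResource-4.siroe.com"]
    print("digest bytes in the page's hash:", digest_length(PAGE_HASH))
    print("problems with 'asagent':", audit_agent_password("asagent", "asagent"))
    stored = flatfile_hash("asagent")
    print("recovered from hash:", recover_password(stored, deployment_candidates("asagent", hosts)))
    print("problems with a strong password:", audit_agent_password("Tq8#vLm2@xPz9!Rw", "asagent"))
```

Run audit_agent_password on the contents of agent_profile_password before hashing it; a password that fails the audit is recovered by the candidate loop on the first try, which is exactly what an attacker who obtains the users directory would do.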

13.2 Installing Application Server 3 and J2EE Policy Agent 3

You must have the Sun Java System Application Server installer and the Sun J2EE Policy Agent installer mounted on Protected Resource 3. See Chapter 2, Before You Begin, at the beginning of this manual.

To Install Application Server 3 on Protected Resource 3

  1. As a root user, log into the Application Server 3 host.

  2. Start the Java Enterprise System installer with the -nodisplay option.


    # cd /mnt/Solaris_sparc 
    # ./installer -nodisplay
    
  3. When prompted, provide the following information:


    Welcome to the Sun Java(TM) Enterprise System; 
    serious software made  simple... 
    <Press ENTER to Continue>

    Press Enter. 


    <Press ENTER to display the Software 
    License Agreement>

    Press Enter. 


    Have you read, and do you accept, all of 
    the terms of the preceding Software 
    License Agreement [No] 

    Enter y.


    Please enter a comma separated list of 
    languages you would like supported with 
    this installation [8]

    Enter 8 for “English only.” 


    Do you want to install the full set of Sun Java (TM) 
    Enterprise System Products and Services? [Yes]

    Enter No.


    Enter a comma separated list of 
    products to install, or press R to 
    refresh the list  []

    Enter 14 to install Sun Java (TM) Application Server Enterprise Edition 8.1 2005Q4.


    Component Selection — Selected Product 

    Sun Java (TM) Application Server 
    Enterprise Edition 8.1 2005Q4.

    Enter a comma separated list of 
    products to install, or press R to 
    refresh the list  []

    Enter 1,3,5,6 to install Domain Administration Server, Command Line Administration Tool, PointBase Database, and the Sample Applications.


    Press "Enter" to Continue or Enter a 
    comma separated list of products to deselect... [1] 

    Press Enter. 

    Enter 1 to upgrade these shared components 
    and 2 to cancel  [1]

    You are prompted to upgrade shared components only if the installer detects that an upgrade is required. 

    Enter 1 to upgrade shared components.


    Enter the name of the target 
    installation directory for each product: 
    Web Server [/opt/SUNWappserver] : 

    Accept the default value. 


    Data and Server Configuration [/var/opt/SUNWappserver]

    Accept the default value. 


    System ready for installation 
    Enter 1 to continue [1]  

    Enter 1.


    1. Configure Now - Selectively override defaults or 
    express through  
    2. Configure Later - Manually configure following installation 
     Select Type of Configuration [1]  

    Enter 1.


    Common Server Settings  
    Enter Host Name [ProtectedResource-3]

    Accept the default value. 


    Enter DNS Domain Name [siroe.com]

    Accept the default value. 


    Enter IP Address [192.18.72.151]

    Accept the default value. 


    Enter Server admin User ID [admin]   

    Accept the default value. 


    Enter Admin User's Password 
    (Password cannot be less than 8 characters) 
    [] 

    For this example, enter 11111111.


    Confirm Admin User's Password []

    Enter the same password to confirm it. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Admin User Name: [admin]

    Accept the default value. 


    Password (min. 8 characters) []

    For this example, enter 11111111.


    Re-enter Password []

    For this example, enter 11111111.


    Admin Port [4849]

    Accept the default value. 


    JMX Port [8686]

    Accept the default value. 


    HTTP Port [8080]

    Accept the default value. 


    HTTPS Port [8181]

    Accept the default value. 


    Master Password (min. 8 characters) [ ]

    For this example, enter 11111111.


    Re-enter Master Password (min. 8 characters) [ ]

    For this example, enter 11111111.


    Ready to Install
    1. Install 2. Start Over 3. Exit Installation
    What would you like to do [1] 

    When ready to install, enter 1.

  4. After you have exited the installer, start Application Server 3:


    # cd /opt/SUNWappserver/appserver/bin
    # ./asadmin start-domain --user admin --password 11111111
    Starting Domain domain1, please wait.
    Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log.
    
    Domain domain1 started.
  5. To verify that the Application Server 3 is successfully installed, go to the Application Server URL:


    http://ProtectedResource-3:8080/index.html

    The default Application Server page is displayed and contains the following message: “Your server is up and running!”

To Run the J2EE Policy Agent Installer on Application Server 3

Before You Begin

You must obtain and unpack the J2EE Policy Agent software from the following Sun Microsystems web page: http://www.sun.com/download/products.xml?id=43543381.

  1. In the directory where you downloaded the J2EE Policy Agent TAR file, unpack the J2EE Policy Agent bits using GNU tar. Example:


    # cd /export
    # gunzip SJS_Appserver_81_agent_2.2.tar.zip
    # /usr/sfw/bin/gtar -xvf SJS_Appserver_81_agent_2.2.tar

    Note –

    For .tar.gz archives, do not use a program other than GNU tar to untar the contents of the J2EE agent deliverables. Using a different program, such as another tar program, can result in some files not being extracted properly. On Solaris, GNU tar is installed as /usr/sfw/bin/gtar. To learn more about GNU tar, visit the following web site: http://www.gnu.org/software/tar/tar.html


  2. Start the J2EE Policy Agent installer.

    # cd /export/j2ee_agents/am_as81_agent/bin
    # ./agentadmin --install
  3. When prompted, provide the following information:


    Enter the Application Server Config 
    Directory Path [/var/opt/SUNWappserver/
    domains/domain1/config]

    Accept the default value. 


    Enter the Application Server Instance name: [server]

    Accept the default value. 


    Access Manager Services Host: 

    Enter LoadBalancer-9.siroe.com.


    Access Manager Services port: [80]

    Enter 3443.


    Access Manager Services Protocol: [http]

    Enter https.


    Access Manager Services Deployment URI: [/amserver]

    Enter /federation.


    Enter the Agent Host name:

    ProtectedResource-3.siroe.com


    Is the Domain administration server 
    host remote? [false]

    Accept the default value. 


    Enter the port number for 
    Application Server instance [80]:

    Enter 8080.


    Enter the Preferred Protocol for 
    Application instance [http]:

    Accept the default value. 


    Enter the Deployment URI for 
    the Agent Application [/agentapp]

    Accept the default value. 


    Enter the Encryption Key 
    [d1ui072LoDGSD5ZEz0Z4e3bvaJN2f3wz]:

    Accept the default value. 


    Enter the Agent Profile name:

    Enter asagent.


    Enter the path to the password file:

    Enter /export/agent_profile_password.


    Is the agent being installed on the 
    DAS host for a remote instance [false]

    Accept the default value. 


    Are the Agent and Access Manager installed on 
    the same instance of Application Server? [false]:

    Accept the default value. 


    Verify your settings and decide from 
    the choices below:
    1. Continue with Installation
    2. Back to the last interaction
    3. Start Over
    4. Exit
    Please make your selection [1]:

    Accept the default value. 

  4. After the installer has finished installing the agent, verify that installation was successful. You can check for installation errors in the following log file:


    /export/j2ee_agents/am_as81_agent/logs/audit/install.log

13.3 Completing the J2EE Policy Agent 3 Installation

The J2EE Policy Agent is not yet ready to begin working. The following tasks must be completed before the agent can do its job. Use the following as your checklist for completing the J2EE Policy Agent installation and configuration:

  1. Deploy the J2EE Policy Agent housekeeping application.

  2. Enable the J2EE Policy Agent 3 to run in SSO-Only mode.

  3. Initialize the Application Server 3 certificate database.

  4. Deploy the sample agent application on Application Server 3.

  5. Verify the use of the sample agent application on Application Server 3.

To Deploy the J2EE Policy Agent Housekeeping Application

The J2EE Policy Agent uses the agent housekeeping application for notifications and other internal functionality. This application is bundled with the agent binaries.

  1. As a root user, log into the Application Server 3 host.

  2. Go to the following directory:


    /export/j2ee_agents/am_as81_agent/etc
  3. Run the following command:


    # /opt/SUNWappserver/appserver/bin/asadmin deploy --user admin 
    --password 11111111 --contextroot /agentapp agentapp.war
    Command deploy executed successfully.

To Enable the J2EE Policy Agent 3 to Run in SSO-Only Mode

  1. Go to the following directory:


    /export/j2ee_agents/am_as81_agent/agent_001/config

    Make a backup copy of AMAgent.properties, and then modify the original AMAgent.properties file.

  2. Set the following property as in the example:


    com.sun.identity.agents.config.filter.mode = SSO_ONLY

    Federation Manager can run only in SSO-Only mode. In order to communicate with Federation Manager, the policy agent must also run in SSO-Only mode. In this mode the agent checks only that the user holds a valid Federation Manager session; it does not evaluate URL or J2EE policies, so any authorization beyond "is logged in" must be enforced by the protected application itself.

  3. Add the following property:


    com.iplanet.am.naming.ignoreNamingService=true

    When set to true, the policy agent ignores the Federation Manager naming service for session validation purposes. Instead, the policy agent uses the local naming service URL defined in the com.iplanet.am.naming.url property elsewhere in this file. The installer derived that URL from the Access Manager Services host, port, protocol and deployment URI you entered, so the agent validates sessions against https://LoadBalancer-9.siroe.com:3443 and must trust that server's certificate; importing the load balancer's root CA certificate is the next task.

    Save the file.

To Initialize the Application Server 3 Certificate Database

Before You Begin

You must have access to the certutil command to complete this task. See 2.11 Obtaining and Using the Certificate Database Tool.

  1. Log into the Protected Resource 3 host.

  2. Copy the root CA certificate of the Federation Manager load balancer into a temporary directory.

    In this deployment example, the Federation Manager trusted CA files, including cacert, are kept alongside the JDK keystore in the following directory:


    /usr/jdk/entsys-j2se/jre/lib/security

  3. Go to the following directory:


    /var/opt/SUNWappserver/domains/domain1/config

    This directory contains two files you will need. The files are named cert8.db and key3.db, and are installed by default with Application Server 8.1. By default, Application Server 8.1 uses the NSS certificate databases for SSL purposes. You must import the Federation Manager load balancer root CA certificate into this Application Server certificate database.

  4. Obtain a copy of the Federation Manager 1 root CA certificate.

    You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Federation Manager 1 host.

    In this deployment example, the Federation Manager 1 root CA certificate has already been copied to the following directory on Protected Resource 3:


    /net/slapd/export/share/cacert
  5. In the config directory from step 3, run certutil, using the full path to the certutil binary if it is not in your PATH. Example:


    # certutil -A -n rootCA -t T,c,c -i /net/slapd/export/share/cacert -d .

    The -d . option names the current directory as the NSS database, so the command must be run from the directory that holds cert8.db and key3.db; run from anywhere else, the certificate lands in a different database and the Application Server never sees it. certutil -A reads a binary (DER) certificate by default; if cacert is a base64 PEM file (it starts with -----BEGIN CERTIFICATE-----), add the -a option.
  6. To verify that the certificate was imported, display it from the database:


    # certutil -L -n rootCA -d .

    The rootCA certificate is printed. Running certutil -L -d . without -n lists every certificate in the database together with its trust flags.

To Deploy the Sample Agent Application on Application Server 3

  1. As a root user, log into the Protected Resource 3 host.

  2. Go to the following directory:


    /export/j2ee_agents/am_as81_agent/sampleapp/dist
  3. Run the deploy command:


    # /opt/SUNWappserver/appserver/bin/asadmin deploy --host localhost 
    --port 4849 --user admin --password 11111111 --contextroot /agentsample 
    --name agentsample agentsample.ear
    Command deploy executed successfully.
  4. Restart Application Server 3.


    # cd /opt/SUNWappserver/appserver/bin
    # ./asadmin stop-domain
    Domain domain1 stopped.
    # ./asadmin start-domain --user admin --password 11111111
    Domain domain1 started.

To Verify the Use of the Sample Agent Application on Application Server 3

  1. Go to the Application Server 3 URL:


    http://ProtectedResource-3.siroe.com:8080/agentsample/index.html
  2. The agent redirects you to the Federation Manager login page. Log in using the following information:

    User Name:

    spuser

    Password:

    spuser

    The Sample Application welcome page is displayed.

13.4 Installing Application Server 4 and J2EE Policy Agent 4

You must have the Sun Java System Application Server installer and the Sun J2EE Policy Agent installer mounted on Protected Resource 4. See Chapter 2, Before You Begin, at the beginning of this manual.

To Install Application Server 4 on Protected Resource 4

  1. As a root user, log into the Application Server 4 host.

  2. Start the Java Enterprise System installer with the -nodisplay option.


    # cd /mnt/Solaris_sparc 
    # ./installer -nodisplay
    
  3. When prompted, provide the following information:


    Welcome to the Sun Java(TM) Enterprise System; 
    serious software made  simple... 
    <Press ENTER to Continue>

    Press Enter. 


    <Press ENTER to display the Software 
    License Agreement>

    Press Enter. 


    Have you read, and do you accept, all of 
    the terms of the preceding Software 
    License Agreement [No] 

    Enter y.


    Please enter a comma separated list of 
    languages you would like supported with 
    this installation [8]

    Enter 8 for “English only.” 


    Do you want to install the full set of Sun Java (TM) 
    Enterprise System Products and Services? [Yes]

    Enter No.


    Enter a comma separated list of 
    products to install, or press R to 
    refresh the list  []

    Enter 14 to install Sun Java (TM) Application Server Enterprise Edition 8.1 2005Q4.


    Component Selection — Selected Product 

    Sun Java (TM) Application Server 
    Enterprise Edition 8.1 2005Q4.

    Enter a comma separated list of 
    products to install, or press R to 
    refresh the list  []

    Enter 1,3,5,6 to install Domain Administration Server, Command Line Administration Tool, PointBase Database, and the Sample Applications.


    Press "Enter" to Continue or Enter a 
    comma separated list of products to deselect... [1] 

    Press Enter. 

    Enter 1 to upgrade these shared components 
    and 2 to cancel  [1]

    You are prompted to upgrade shared components only if the installer detects that an upgrade is required. 

    Enter 1 to upgrade shared components.


    Enter the name of the target 
    installation directory for each product: 
    Web Server [/opt/SUNWappserver] : 

    Accept the default value. 


    Data and Server Configuration [/var/opt/SUNWappserver]

    Accept the default value. 


    System ready for installation 
    Enter 1 to continue [1]  

    Enter 1.


    1. Configure Now - Selectively override defaults or 
    express through  
    2. Configure Later - Manually configure following installation 
     Select Type of Configuration [1]  

    Enter 1.


    Common Server Settings  
    Enter Host Name [ProtectedResource-4]

    Accept the default value. 


    Enter DNS Domain Name [siroe.com]

    Accept the default value. 


    Enter IP Address [192.18.72.152]

    Accept the default value. 


    Enter Server admin User ID [admin]   

    Accept the default value. 


    Enter Admin User's Password 
    (Password cannot be less than 8 characters) 
    [] 

    For this example, enter 11111111.


    Confirm Admin User's Password []

    Enter the same password to confirm it. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Admin User Name: [admin]

    Accept the default value. 


    Password (min. 8 characters) []

    For this example, enter 11111111.


    Re-enter Password []

    For this example, enter 11111111.


    Admin Port [4849]

    Accept the default value. 


    JMX Port [8686]

    Accept the default value. 


    HTTP Port [8080]

    Accept the default value. 


    HTTPS Port [8181]

    Accept the default value. 


    Master Password (min. 8 characters) [ ]

    For this example, enter 11111111.


    Re-enter Master Password (min. 8 characters) [ ]

    For this example, enter 11111111.


    Ready to Install
    1. Install 2. Start Over 3. Exit Installation
    What would you like to do [1] 

    When ready to install, enter 1.

  4. After you have exited the installer, start Application Server 4:


    # cd /opt/SUNWappserver/appserver/bin
    # ./asadmin start-domain --user admin --password 11111111
    Starting Domain domain1, please wait.
    Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log.
    
    Domain domain1 started.
  5. To verify that the Application Server 4 is successfully installed, go to the Application Server URL:


    http://ProtectedResource-4:8080/index.html

    The default Application Server page is displayed and contains the following message: “Your server is up and running!”

To Run the J2EE Policy Agent Installer on Application Server 4

Before You Begin

You must obtain and unpack the J2EE Policy Agent software from the following Sun Microsystems web page: http://www.sun.com/download/products.xml?id=43543381

  1. In the directory where you downloaded the J2EE Policy Agent TAR file, unpack the J2EE Policy Agent bits using GNU tar. Example:


    # cd /export
    # gunzip SJS_Appserver_81_agent_2.2.tar.zip
    # /usr/sfw/bin/gtar -xvf SJS_Appserver_81_agent_2.2.tar

    Note –

    For .tar.gz archives, do not use a program other than GNU tar to untar the contents of the J2EE agent deliverables. Using a different program, such as another tar program, can result in some files not being extracted properly. On Solaris, GNU tar is installed as /usr/sfw/bin/gtar. To learn more about GNU tar, visit the following web site: http://www.gnu.org/software/tar/tar.html


  2. Start the J2EE Policy Agent installer.

    # cd /export/j2ee_agents/am_as81_agent/bin
    # ./agentadmin --install
  3. When prompted, provide the following information:


    Enter the Application Server Config 
    Directory Path [/var/opt/SUNWappserver/
    domains/domain1/config]

    Accept the default value. 


    Enter the Application Server Instance name: [server]

    Accept the default value. 


    Access Manager Services Host: 

    Enter LoadBalancer-9.siroe.com.


    Access Manager Services port: [80]

    Enter 3443.


    Access Manager Services Protocol: [http]

    Enter https.


    Access Manager Services Deployment URI: [/amserver]

    Enter /federation.


    Enter the Agent Host name:

    ProtectedResource-4.siroe.com


    Is the Domain administration server 
    host remote? [false]

    Accept the default value. 


    Enter the port number for 
    Application Server instance [80]:

    Enter 8080.


    Enter the Preferred Protocol for 
    Application instance [http]:

    Accept the default value. 


    Enter the Deployment URI for 
    the Agent Application [/agentapp]

    Accept the default value. 


    Enter the Encryption Key 
    [d1ui072LoDGSD5ZEz0Z4e3bvaJN2f3wz]:

    Accept the default value. 


    Enter the Agent Profile name:

    Enter asagent.


    Enter the path to the password file:

    Enter /export/agent_profile_password.


    Is the agent being installed on the 
    DAS host for a remote instance [false]

    Accept the default value. 


    Are the Agent and Access Manager installed on 
    the same instance of Application Server? [false]:

    Accept the default value. 


    Verify your settings and decide from 
    the choices below:
    1. Continue with Installation
    2. Back to the last interaction
    3. Start Over
    4. Exit
    Please make your selection [1]:

    Accept the default value. 

  4. After the installer has finished installing the agent, verify that installation was successful. You can check for installation errors in the following log file:


    /export/j2ee_agents/am_as81_agent/logs/audit/install.log

13.5 Completing the J2EE Policy Agent 4 Installation

The J2EE Policy Agent is not yet ready to begin working. The following tasks must be completed before the agent can do its job. Use the following as your checklist for completing the J2EE Policy Agent installation and configuration:

  1. Deploy the J2EE Policy Agent housekeeping application.

  2. Enable the J2EE Policy Agent 4 to run in SSO-Only mode.

  3. Initialize the Application Server 4 certificate database.

  4. Deploy the sample agent application on Application Server 4.

  5. Verify the use of the sample agent application on Application Server 4.

To Deploy the J2EE Policy Agent Housekeeping Application

The J2EE Policy Agent uses the agent housekeeping application for notifications and other internal functionality. This application is bundled with the agent binaries.

  1. As a root user, log into the Application Server 4 host.

  2. Go to the following directory:


    /export/j2ee_agents/am_as81_agent/etc
  3. Run the following command:


    # /opt/SUNWappserver/appserver/bin/asadmin deploy --user admin 
    --password 11111111 --contextroot /agentapp agentapp.war
    Command deploy executed successfully.

To Enable the J2EE Policy Agent 4 to Run in SSO-Only Mode

  1. Go to the following directory:


    /export/j2ee_agents/am_as81_agent/agent_001/config

    Make a backup copy of AMAgent.properties, and then modify the original AMAgent.properties file.

  2. Set the following property as in the example:


    com.sun.identity.agents.config.filter.mode = SSO_ONLY

    Federation Manager can run only in SSO-Only mode. In order to communicate with Federation Manager, the policy agent must also run in SSO-Only mode. In this mode the agent checks only that the user holds a valid Federation Manager session; it does not evaluate URL or J2EE policies, so any authorization beyond "is logged in" must be enforced by the protected application itself.

  3. Add the following property:


    com.iplanet.am.naming.ignoreNamingService=true

    When set to true, the policy agent ignores the Federation Manager naming service for session validation purposes. Instead, the policy agent uses the local naming service URL defined in the com.iplanet.am.naming.url property elsewhere in this file. The installer derived that URL from the Access Manager Services host, port, protocol and deployment URI you entered, so the agent validates sessions against https://LoadBalancer-9.siroe.com:3443 and must trust that server's certificate; importing the load balancer's root CA certificate is the next task.

    Save the file.
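The two properties set in this task, and in the matching task for J2EE Policy Agent 3 in 13.3, are easy to get wrong by hand in a file as large as AMAgent.properties, and a wrong naming URL silently sends session validation to the wrong place or in the clear. The following Python script is an added check, not part of this guide and not agent software: it parses the Java properties format the agent file uses (key = value with optional spacing, # and ! comments, backslash line continuations) and reports every deviation from the configuration these tasks require, so it can be run against the file on both Protected Resource 3 and Protected Resource 4. The two embedded fragments are constructed samples, and the expected naming URL (https://LoadBalancer-9.siroe.com:3443/federation/...) is an assumption built from the host, port, protocol and deployment URI entered during agent installation.

```python
import re
import sys
from urllib.parse import urlparse

# Federation Manager services endpoint as entered during agent installation on this page.
FM_HOST = "LoadBalancer-9.siroe.com"
FM_PORT = 3443
FM_URI = "/federation"   # ASSUMPTION: the naming URL lives under this deployment URI

KEY_RE = re.compile(r"^\s*([^=:\s]+)\s*[=:]?\s*(.*)$")


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: comments, 'k = v' / 'k:v' / 'k v', continuations."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        pending = ""
        if not line.strip() or line.lstrip()[0] in "#!":
            continue
        # A line ending in an odd number of backslashes continues on the next line.
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def check_sso_only_config(props: dict) -> list:
    """Return findings; an empty list means the file matches this task."""
    findings = []
    mode = props.get("com.sun.identity.agents.config.filter.mode")
    if mode != "SSO_ONLY":
        findings.append(f"filter.mode is {mode!r}, must be SSO_ONLY for Federation Manager")
    if props.get("com.iplanet.am.naming.ignoreNamingService", "").lower() != "true":
        findings.append("com.iplanet.am.naming.ignoreNamingService must be true")
    url = props.get("com.iplanet.am.naming.url", "")
    u = urlparse(url)
    if u.scheme != "https":
        findings.append(f"naming URL {url!r} is not https; session validation would be in the clear")
    if u.hostname != FM_HOST.lower() or u.port != FM_PORT or not u.path.startswith(FM_URI + "/"):
        findings.append(f"naming URL {url!r} does not point at https://{FM_HOST}:{FM_PORT}{FM_URI}/")
    return findings


def audit_text(text: str) -> list:
    return check_sso_only_config(parse_properties(text))


# Constructed sample: a fragment never edited for Federation Manager (mode ALL, http).
MISCONFIGURED = """\
# constructed sample, not a real agent file
com.sun.identity.agents.config.filter.mode = ALL
com.iplanet.am.naming.url = http://LoadBalancer-9.siroe.com/federation/namingservice
"""

# Constructed sample: after this task, with the URL split over a continuation line.
CORRECTED = """\
# constructed sample, not a real agent file
com.sun.identity.agents.config.filter.mode = SSO_ONLY
com.iplanet.am.naming.ignoreNamingService=true
com.iplanet.am.naming.url = https://LoadBalancer-9.siroe.com:3443/\\
    federation/namingservice
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # .properties files are ISO-8859-1 by definition.
        with open(sys.argv[1], encoding="latin-1") as fh:
            findings = audit_text(fh.read())
        for f in findings:
            print("FINDING:", f)
        sys.exit(1 if findings else 0)
    for label, sample in (("misconfigured sample", MISCONFIGURED), ("corrected sample", CORRECTED)):
        print(label, "->", audit_text(sample) or "OK")
```

Run it as a post-edit check on each agent host: `python3 check_agent.py /export/j2ee_agents/am_as81_agent/agent_001/config/AMAgent.properties` exits non-zero and lists the findings when the file deviates from this task.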

To Initialize the Application Server 4 Certificate Database

Before You Begin

You must have access to the certutil command to complete this task. See 2.11 Obtaining and Using the Certificate Database Tool.

  1. Log into the Protected Resource 4 host.

  2. Copy the root CA certificate of the Federation Manager load balancer into a temporary directory.

    In this deployment example, the Federation Manager trusted CA files, including cacert, are kept alongside the JDK keystore in the following directory:


    /usr/jdk/entsys-j2se/jre/lib/security

  3. Go to the following directory:


    /var/opt/SUNWappserver/domains/domain1/config

    This directory contains two files you will need. The files are named cert8.db and key3.db, and are installed by default with Application Server 8.1. By default, Application Server 8.1 uses the NSS certificate databases for SSL purposes. You must import the Federation Manager load balancer root CA certificate into this Application Server certificate database.

  4. Obtain a copy of the Federation Manager 1 root CA certificate.

    You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Federation Manager 1 host.

    In this deployment example, the Federation Manager 1 root CA certificate has already been copied to the following directory on Protected Resource 4:


    /net/slapd/export/share/cacert
  5. In the config directory from step 3, run certutil, using the full path to the certutil binary if it is not in your PATH. Example:


    # certutil -A -n rootCA -t T,c,c -i /net/slapd/export/share/cacert -d .

    The -d . option names the current directory as the NSS database, so the command must be run from the directory that holds cert8.db and key3.db; run from anywhere else, the certificate lands in a different database and the Application Server never sees it. certutil -A reads a binary (DER) certificate by default; if cacert is a base64 PEM file (it starts with -----BEGIN CERTIFICATE-----), add the -a option.
  6. To verify that the certificate was imported, display it from the database:


    # certutil -L -n rootCA -d .

    The rootCA certificate is printed. Running certutil -L -d . without -n lists every certificate in the database together with its trust flags.

To Deploy the Sample Agent Application on Application Server 4

  1. As a root user, log into the Protected Resource 4 host.

  2. Go to the following directory:


    /export/j2ee_agents/am_as81_agent/sampleapp/dist
  3. Run the deploy command:


    # /opt/SUNWappserver/appserver/bin/asadmin deploy --host localhost 
    --port 4849 --user admin --password 11111111 --contextroot /agentsample 
    --name agentsample agentsample.ear
    Command deploy executed successfully.
  4. Restart Application Server 4.


    # cd /opt/SUNWappserver/appserver/bin
    # ./asadmin stop-domain
    Domain domain1 stopped.
    # ./asadmin start-domain --user admin --password 11111111
    Domain domain1 started.

To Verify the Use of the Sample Agent Application on Application Server 4

  1. Go to the Application Server 4 URL:


    http://ProtectedResource-4.siroe.com:8080/agentsample/index.html
  2. The agent redirects you to the Federation Manager login page. Log in using the following information:

    User Name:

    spuser

    Password:

    spuser

    The Sample Application welcome page is displayed.

13.6 Configuring the J2EE Policy Agents Load Balancer

Load Balancer 10 can be located in a less-secured zone, and handles traffic for the J2EE Policy Agents.

Load Balancer 10 is configured for simple persistence so that browser requests from the same IP address will always be directed to the same J2EE Policy Agent instance. This guarantees that requests from the same user session are always sent to the same J2EE Policy Agent instance, which matters for performance. Each J2EE Policy Agent must validate the user session and evaluate applicable policies, and it caches the results locally. If no load balancer persistence is set and the same user's requests are spread across two agents, each agent must build up its own cache, so both agents must validate the session and evaluate policies. This effectively doubles the workload on the Federation Manager servers and cuts the overall system capacity by half. The problem becomes more acute as the number of J2EE Policy Agents increases.

As a general rule, where each J2EE Policy Agent instance protects identical resources, some form of load balancer persistence is highly recommended for performance reasons. The type of persistence may vary when a different load balancer is used, as long as requests from the same user session reach the same J2EE Policy Agent instance. Simple persistence keys on the client IP address, so clients behind a shared proxy or NAT all land on one agent, and a client whose address changes mid-session is validated again by another agent; this is a performance cost rather than a security weakness, because every agent validates the session with Federation Manager independently.

Use the following as your checklist for Configuring the J2EE Policy Agents load balancer:

  1. Configure the J2EE Policy Agents load balancer.

  2. Terminate SSL at the J2EE Policy Agents load balancer.

To Configure the J2EE Policy Agents Load Balancer

  1. Go to URL for the Big IP load balancer login page and log in.

    https://ls-f5.siroe.com

    User name:

    username

    Password:

    password

  2. Request an SSL Certificate for Load Balancer 10.

    1. Log in to the BIG-IP load balancer.

    2. Click Proxies in the left pane.

    3. Click the Cert Admin tab, and then click the “Generate New Key Pair/ Certificate Request” button.

    4. In the Create Certificate Request page, provide the following information:

      Key Identifier:

      LoadBalancer-10.siroe.com

      Organization:

      siroe.com

      Domain Name:

      LoadBalancer-10.siroe.com

      Email Address:

      jdoe@siroe.com

    5. Click the Generate Request button.

    6. In the Generate Request page, copy the request that looks similar to this:


      -----BEGIN CERTIFICATE REQUEST-----
      UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU
      AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0
      EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC
      xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u
      IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0
      wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz
      ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC
      FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU
      ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0
      GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo
      2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2
      -----END CERTIFICATE REQUEST-----
    7. Paste this text into a request form provided by a root certificate authority (CA) such as Verisign or Thawte.

      See the certificate authority website such as http://www.verisign.com/ or http://www.thawte.com/ for detailed instructions on submitting a certificate request.

  3. After you receive the certificate from the issuer, install the SSL Certificate.

    1. In the BIG-IP load balancer console, click the Cert Admin tab.

    2. On the Cert Admin tab, click Install Certificate.

    3. In the Install SSL Certificate page, paste the certificate text you received from the certificate issuer. The issued certificate begins with -----BEGIN CERTIFICATE-----; do not paste the certificate request from the previous step, which begins with -----BEGIN CERTIFICATE REQUEST-----. Example:


      -----BEGIN CERTIFICATE-----
      UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU
      AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0
      EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC
      xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u
      IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0
      wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz
      ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC
      FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU
      ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0
      GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo
      2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2
      -----END CERTIFICATE-----
    4. Click Install Certificate.

  4. Create a Pool.

    A pool contains all the backend server instances.

    1. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

    2. In the left pane, click Pools.

    3. On the Pools tab, click the Add button.

    4. In the Add Pool dialog, provide the following information:

      Pool Name

      federation_j2ee_agents

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address of both Application Server hosts. In this example:

      192.18.72.151:8080 (for Application Server 3 on Protected Resource 3)

      192.18.72.152:8080 (for Application Server 4 on Protected Resource 4)

    5. Click the Done button.

    6. In the List of Pools, click the name of the pool you just created (federation_j2ee_agents).

  5. Add a Virtual Server.

    If you encounter JavaScript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.

    1. In the left frame, Click Virtual Servers.

    2. On the Virtual Servers tab, click the Add button.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      192.18.69.14 (for LoadBalancer-10.siroe.com )

      Services Port

      1080

      Pool

      federation_j2ee_agents

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. Click the Done button.

ProcedureTo Terminate SSL at the J2EE Policy Agents Load Balancer

You should still be logged in to the BIG-IP load balancer from the previous task.

  1. Create an SSL Proxy.

  2. Click the Proxies tab, and then click the Add button.

  3. In the Add Proxy page, provide the following information:

    Proxy Type:

    Mark the SSL box.

    Proxy Address:

    192.18.49.14

    Proxy Service:

    4443

    Destination Address:

    192.18.69.14

    Destination Service:

    4080

    SSL Certificate:

    LoadBalancer-10.siroe.com

    SSL Key:

    LoadBalancer-10.siroe.com

    Server SSL Certificate:

    LoadBalancer-10.siroe.com

    Server SSL Key:

    LoadBalancer-10.siroe.com

    Click Next.

    Rewrite Redirects:

    Matching

    Click Done.

13.7 Configuring the Application Servers for SSL Termination

Download the Sun Java System Application Server Enterprise Edition 8.1 2005Q1 patch to the Application Server 3 host and to the Application Server 4 host using one of the following URLs:

Solaris (sparc) 119166-22

http://sunsolve.sun.com/search/document.do?assetkey=1-21-119166

Solaris (x86) 119170-14

http://sunsolve.sun.com/search/document.do?assetkey=1-21-119170-14

Linux 119171-14

http://sunsolve.sun.com/search/document.do?assetkey=1-21-119171-14

Use the following as your checklist for configuring the Application Servers for SSL termination:

  1. Configure Application Server 3 for SSL termination.

  2. Configure Application Server 4 for SSL termination.

ProcedureTo Configure Application Server 3 for SSL Termination

  1. As a root user, log into the Application Server 3 host.

  2. Stop Application Server 3.


    # cd /opt/SUNWappserver/appserver/bin/
    # ./asadmin stop-domain
  3. Install Patch 119166-22 as described in the file README.119166-22.

    Be sure to complete the patch post-installation instructions as described in that file.


    # cd /tmp
    # unzip 119166-22.zip
    # patchadd -G /tmp/119166-22
  4. Verify that the patch was indeed installed successfully.


    # showrev -p | grep 119166-22
    Patch: 119166-22 Obsoletes: Requires: Incompatibles: Packages: SUNWasuee, 
    SUNWaswbcr, SUNWascmnse, SUNWasacee, SUNWasdemdb, SUNWashdm, SUNWasdem, 
    SUNWascmn, SUNWasac, SUNWascml, SUNWasu, SUNWasjdoc, SUNWasman, SUNWasut, SUNWasmanee
  5. Edit the following file:


    /var/opt/SUNWappserver/domains/domain1/applications/j2ee-apps/
    agentsample/agentservlets_war/WEB-INF/sun-web.xml

    Append the following directive to the end of the file:


    ...
    <property name="relativeRedirectAllowed" value="true"/>
    </sun-web-app>

    Save the file and exit.

  6. Edit the following file:


    /var/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/
    agentapp/WEB-INF/sun-web.xml

    Append this directive to the end of the file:


    ...
    <property name="relativeRedirectAllowed" value="true"/>
    </sun-web-app>

    Save the file and exit.

  7. Start Application Server 3.


    # cd /opt/SUNWappserver/appserver/bin/
    # ./asadmin start-domain --user admin --password 11111111

    Passing --password on the command line exposes the admin password in the process table and in the shell history. asadmin also accepts --passwordfile, which reads the password from a file that you can restrict to root.

ProcedureTo Configure Application Server 4 for SSL Termination

  1. As a root user, log into the Application Server 4 host.

  2. Stop Application Server 4.


    # cd /opt/SUNWappserver/appserver/bin/
    # ./asadmin stop-domain
  3. Install Patch 119166-22 as described in the file README.119166-22.

    Be sure to complete the patch post-installation instructions as described in that file.


    # cd /tmp
    # unzip 119166-22.zip
    # patchadd -G /tmp/119166-22
  4. Verify that the patch was indeed installed successfully.


    # showrev -p | grep 119166-22
    Patch: 119166-22 Obsoletes: Requires: Incompatibles: Packages: SUNWasuee, 
    SUNWaswbcr, SUNWascmnse, SUNWasacee, SUNWasdemdb, SUNWashdm, SUNWasdem, 
    SUNWascmn, SUNWasac, SUNWascml, SUNWasu, SUNWasjdoc, SUNWasman, SUNWasut, SUNWasmanee
  5. Edit the following file:


    /var/opt/SUNWappserver/domains/domain1/applications/j2ee-apps/
    agentsample/agentservlets_war/WEB-INF/sun-web.xml

    Append the following directive to the end of the file:


    ...
    <property name="relativeRedirectAllowed" value="true"/>
    </sun-web-app>

    Save the file and exit.

  6. Edit the following file:


    /var/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/
    agentapp/WEB-INF/sun-web.xml

    Append this directive to the end of the file:


    ...
    <property name="relativeRedirectAllowed" value="true"/>
    </sun-web-app>

    Save the file and exit.

  7. Start Application Server 4.


    # cd /opt/SUNWappserver/appserver/bin/
    # ./asadmin start-domain --user admin --password 11111111
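
The SSL proxy's Rewrite Redirects setting (in "To Terminate SSL at the J2EE Policy Agents Load Balancer") and the relativeRedirectAllowed property set above address the same problem: an Application Server that only sees plain HTTP on port 8080 would otherwise build absolute Location headers that send the browser around the SSL proxy. The following Python script is an added example for this guide (not Sun or F5 code) that checks a captured redirect for exactly that leak. The sample response heads in it are constructed; the CA file path in probe() and the function names are assumptions.

```python
"""
Verify that redirects returned through the SSL-terminating load balancer keep
the browser on https://LoadBalancer-10.siroe.com:4443 and never name the
plain-HTTP hop behind it.  This is the failure mode that the proxy's
"Rewrite Redirects" setting and relativeRedirectAllowed=true exist to prevent.

Added example for this guide (not Sun or F5 code).  The sample response
heads below are constructed; probe() performs the live check.
"""
import http.client
import ssl
from urllib.parse import urlsplit

# What the browser is allowed to be sent to (scheme, host, port); hostnames
# are compared case-insensitively.
PUBLIC_ORIGIN = ("https", "loadbalancer-10.siroe.com", 4443)
# Plain-HTTP addresses from the deployment that must never reach a browser.
BACKEND_ORIGINS = {
    ("http", "192.18.69.14", 4080),    # SSL proxy -> virtual server hop
    ("http", "192.18.72.151", 8080),   # Application Server 3
    ("http", "192.18.72.152", 8080),   # Application Server 4
}

# Constructed sample response heads, as captured with a GET request.
GOOD_HEAD = b"HTTP/1.1 302 Found\r\nLocation: /agentsample/index.jsp\r\nContent-Length: 0\r\n\r\n"
LEAK_HEAD = b"HTTP/1.1 302 Found\r\nLocation: http://192.18.72.151:8080/agentsample/index.jsp\r\n\r\n"


def parse_location(raw_head):
    """Return (status_code, Location header or None) from a raw response head."""
    lines = raw_head.decode("iso-8859-1").splitlines()
    status = int(lines[0].split()[1])
    location = None
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def classify_redirect(location):
    """'relative' and 'public' are fine.  'backend-leak' means the browser is
    being sent around the SSL proxy to a pool member or the HTTP hop;
    'downgrade' is any other http:// target; 'foreign' is another https site."""
    p = urlsplit(location)
    if not p.scheme:
        return "relative"
    default_port = {"http": 80, "https": 443}.get(p.scheme)
    origin = (p.scheme, (p.hostname or "").lower(), p.port or default_port)
    if origin in BACKEND_ORIGINS:
        return "backend-leak"
    if origin == PUBLIC_ORIGIN:
        return "public"
    if p.scheme == "http":
        return "downgrade"
    return "foreign"


def check_head(raw_head):
    """(status, location, verdict) for a captured response head."""
    status, location = parse_location(raw_head)
    return status, location, (classify_redirect(location) if location else "none")


def probe(path="/agentsample", cafile="/export/software/ca.cert"):
    """Live check against the agents load balancer; cafile is the root CA that
    issued the LoadBalancer-10 certificate (the path is an assumption)."""
    ctx = ssl.create_default_context(cafile=cafile)
    conn = http.client.HTTPSConnection(PUBLIC_ORIGIN[1], PUBLIC_ORIGIN[2], context=ctx)
    conn.request("GET", path)
    resp = conn.getresponse()
    location = resp.getheader("Location")
    return resp.status, location, (classify_redirect(location) if location else "none")
```

To check a real deployment, capture the response head with something like curl -sSI https://LoadBalancer-10.siroe.com:4443/agentsample and pass the bytes to check_head(), or call probe() from a host that trusts the load balancer certificate. A "backend-leak" or "downgrade" verdict means a pool member is still emitting absolute http:// redirects and the relativeRedirectAllowed edits or the proxy rewrite rule have not taken effect.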

13.8 Configuring the J2EE Policy Agents to Work with the J2EE Policy Agents Load Balancer

Use the following as your checklist for configuring the J2EE policy agents to work with the agents load balancer.

  1. Configure J2EE Policy Agent 3 to work with the J2EE Policy Agents load balancer.

  2. Configure J2EE Policy Agent 4 to work with the J2EE Policy Agents load balancer.

  3. Verify that the J2EE Policy Agents load balancer works properly.

ProcedureTo Configure J2EE Policy Agent 3 to Work with the J2EE Policy Agents Load Balancer

  1. As a root user, log into the Protected Resource 3 host.

  2. Go to the following directory:


    # cd /export/j2ee_agents/am_as81_agent/agent_001/config
  3. Update the AMAgent.properties file.

    Set the following properties as in this example:


    # vi AMAgent.properties
    com.sun.identity.agents.config.fqdn.mapping[LoadBalancer-10.siroe.com] = 
    LoadBalancer-10.siroe.com
    com.sun.identity.agents.config.agent.host = LoadBalancer-10.siroe.com
    com.sun.identity.agents.config.agent.port = 4443
    com.sun.identity.agents.config.agent.protocol = https

    Save the file.

  4. Restart Application Server 3.


    # cd /opt/SUNWappserver/appserver/bin
    # ./asadmin stop-domain
    Domain domain1 stopped.
    # ./asadmin start-domain --user admin --password 11111111
    Starting Domain domain1, please wait.
    Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log.
    
    Domain domain1 started.

ProcedureTo Configure J2EE Policy Agent 4 to Work with the J2EE Policy Agents Load Balancer

  1. As a root user, log into the Protected Resource 4 host.

  2. Go to the following directory:


    # cd /export/j2ee_agents/am_as81_agent/agent_001/config
  3. Update the AMAgent.properties file.

    Set the following properties as in this example:


    # vi AMAgent.properties
    com.sun.identity.agents.config.fqdn.mapping[LoadBalancer-10.siroe.com] = 
    LoadBalancer-10.siroe.com
    com.sun.identity.agents.config.agent.host = LoadBalancer-10.siroe.com
    com.sun.identity.agents.config.agent.port = 4443
    com.sun.identity.agents.config.agent.protocol = https

    Save the file.

  4. Restart Application Server 4.


    # cd /opt/SUNWappserver/appserver/bin
    # ./asadmin stop-domain
    Domain domain1 stopped.
    # ./asadmin start-domain --user admin --password 11111111
    Starting Domain domain1, please wait.
    Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log.
    
    Domain domain1 started.

ProcedureTo Verify that the J2EE Policy Agents Load Balancer Works Properly

  1. Open a new browser.

  2. Go the to J2EE Policy Agents load balancer URL:


    https://LoadBalancer-10.siroe.com:4443/agentsample

    The Federation Manager login page is displayed.

  3. Log in to the Federation Manager console using the following information:

    User Name:

    spuser

    Password:

    spuser

    The J2EE Policy Agent Sample Application welcome page is displayed.

13.9 Configuring the J2EE Policy Agents Load Balancer to Participate in SAMLv2 Protocols

Use the following as your checklist for configuring the J2EE Policy Agents load balancer to participate in SAMLv2 Protocols:

  1. Configure the J2EE Policy Agents load balancer to participate in SAMLv2 protocols.

  2. Verify that the J2EE Policy Agents load balancer uses SAMLv2 protocols.

ProcedureTo Configure the J2EE Policy Agents Load Balancer to Participate in SAMLv2 Protocols

  1. As a root user, log into the Protected Resource 3 host.

  2. Go to the following directory:


    /export/j2ee_agents/am_as81_agent/agent_001/config
  3. Make a backup of the AMAgent.properties file, and then set the following properties:


    # vi AMAgent.properties
    com.sun.identity.agents.config.login.url[0] = 
    https://LoadBalancer-9.siroe.com:3443/federation/saml2/
    jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com
    com.sun.identity.agents.config.redirect.param = RelayState

    Save the file.

  4. Restart Application Server 3.


    # cd /opt/SUNWappserver/appserver/bin
    # ./asadmin stop-domain
    Domain domain1 stopped.
    # ./asadmin start-domain --user admin --password 11111111
    Starting Domain domain1, please wait.
    Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log.
    
    Domain domain1 started.
  5. As a root user, log into the Protected Resource 4 host.

  6. Go to the following directory:


    /export/j2ee_agents/am_as81_agent/agent_001/config
  7. Make a backup of the AMAgent.properties file, and then set the following properties:


    # vi AMAgent.properties
    com.sun.identity.agents.config.login.url[0] = 
    https://LoadBalancer-9.siroe.com:3443/federation/saml2/
    jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com
    com.sun.identity.agents.config.redirect.param = RelayState

    Save the file.

  8. Restart Application Server 4.


    # cd /opt/SUNWappserver/appserver/bin
    # ./asadmin stop-domain
    Domain domain1 stopped.
    # ./asadmin start-domain --user admin --password 11111111
    Starting Domain domain1, please wait.
    Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log.
    
    Domain domain1 started.
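
With login.url[0] pointing at spSSOInit.jsp and redirect.param set to RelayState, the agent sends an unauthenticated user to the SP with the originally requested URL carried in RelayState, and that value is what the user is sent back to after the IdP authenticates them. The following Python script is an added example for this guide, not Sun code: it models the redirect the agent builds and shows the validation a practitioner should apply before honouring a RelayState value, because an unchecked RelayState turns the SP into an open redirector. It assumes the agent appends redirect.param as a URL-encoded query parameter and that only the agents load balancer is an acceptable destination; the function names are mine.

```python
"""
What the J2EE Policy Agent sends an unauthenticated user to once login.url[0]
points at spSSOInit.jsp and redirect.param is RelayState, and how to decide
whether a RelayState value is safe to honour after the SAML response.

Added example for this guide, not Sun code.  Assumptions: the agent appends
redirect.param as a query parameter carrying the URL-encoded resource the
user originally requested, and only the agents load balancer is an
acceptable post-login destination.  Function names are mine.
"""
from urllib.parse import parse_qs, urlencode, urlsplit

LOGIN_URL = ("https://LoadBalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp"
             "?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com")
REDIRECT_PARAM = "RelayState"
# Origins a RelayState value may point to (scheme, lower-case host, port).
ALLOWED_ORIGINS = {("https", "loadbalancer-10.siroe.com", 4443)}
# SAML 2.0 Bindings 3.1.1: a RelayState value must not exceed 80 bytes.
SAML_RELAYSTATE_MAX = 80


def build_agent_redirect(requested_url, login_url=LOGIN_URL, param=REDIRECT_PARAM):
    """URL the agent redirects to for a request it could not authenticate."""
    separator = "&" if "?" in login_url else "?"
    return login_url + separator + urlencode({param: requested_url})


def extract_relay_state(redirect_url, param=REDIRECT_PARAM):
    """Pull the RelayState value back out of an agent redirect."""
    values = parse_qs(urlsplit(redirect_url).query).get(param, [])
    return values[0] if values else None


def validate_relay_state(relay_state):
    """Return (ok, reason).  Honouring an unchecked RelayState after login turns
    the SP into an open redirector, so require an https target on an allowed
    origin and stay inside the SAML size limit."""
    if not relay_state:
        return False, "missing"
    if len(relay_state.encode("utf-8")) > SAML_RELAYSTATE_MAX:
        return False, "longer than the 80-byte SAML RelayState limit"
    p = urlsplit(relay_state)
    if p.scheme != "https":
        return False, "scheme %r not allowed" % (p.scheme or "(relative)")
    if "@" in p.netloc:
        return False, "userinfo in netloc"
    origin = (p.scheme, (p.hostname or "").lower(), p.port or 443)
    if origin not in ALLOWED_ORIGINS:
        return False, "origin %s:%d not allowed" % (origin[1], origin[2])
    return True, "ok"


def post_login_target(relay_state, fallback="https://LoadBalancer-10.siroe.com:4443/agentsample"):
    """Where to send the user after the SAML assertion is accepted."""
    ok, _ = validate_relay_state(relay_state)
    return relay_state if ok else fallback
```

The 80-byte bound is the SAML 2.0 bindings limit; Federation Manager's own tolerance is not stated in this guide, so treat the check as a policy choice rather than a protocol failure if your resource URLs are longer. The origin allowlist is the part that matters for security: a RelayState naming any other host must fall back to a known page rather than be followed.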

ProcedureTo Verify that the J2EE Policy Agents Load Balancer Uses SAMLv2 Protocols

  1. Go to the following URL:


    https://LoadBalancer-10.siroe.com:4443/agentsample

    The Access Manager login page is displayed: the agent redirects to the Federation Manager SP, which redirects to the Access Manager IdP for SAMLv2 authentication.

  2. Log in to the Access Manager console using the following information:

    User Name:

    idp

    Password:

    idp

    The J2EE Policy Agent Sample Application welcome page is displayed.

Chapter 14 Installing and Configuring Web Policy Agents

This chapter contains detailed information about the following groups of tasks:

14.1 Creating Web Agent Profiles on the Federation Manager Servers

Use the following as your check list for creating Web Agent profiles on the Federation Manager servers:

  1. Create the UrlAccessAgent.properties file on Federation Manager 1.

  2. Create the UrlAccessAgent.properties file on Federation Manager 2.

ProcedureTo Create the UrlAccessAgent.properties File on Federation Manager 1

  1. Log into the Federation Manager 1 host.

  2. Generate an encrypted password:


    # /opt/SUNWam/fm/bin/ampassword  -i /var/opt/SUNWam/fm/war_staging --hash 11111111
    BeUPgddAimR404ivWY6HPQ==

    Make note of this encrypted password. It is the UrlAccessAgent credential that the web policy agents use to authenticate to Federation Manager, and the same value must be present on both Federation Manager servers.

  3. Go to the following directory:


    /var/opt/SUNWam/fm/federation/users
  4. Create a file that contains the UrlAccessAgent encrypted password.


    # vi UrlAccessAgent.properties
    password=BeUPgddAimR404ivWY6HPQ==
    

    Save the file.

  5. Restart the Federation Manager 1 server.


    # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com
    # ./stop; ./start

ProcedureTo Create the UrlAccessAgent.properties File on Federation Manager 2

  1. Log into the Federation Manager 2 host.

  2. Generate an encrypted password:


    # /opt/SUNWam/fm/bin/ampassword  -i /var/opt/SUNWam/fm/war_staging --hash 11111111
    BeUPgddAimR404ivWY6HPQ==

    Make note of this encrypted password. It is the UrlAccessAgent credential that the web policy agents use to authenticate to Federation Manager, and it must be identical to the value on Federation Manager 1.

  3. Go to the following directory:


    /var/opt/SUNWam/fm/federation/users
  4. Create a file that contains the UrlAccessAgent encrypted password.


    # vi UrlAccessAgent.properties
    password=BeUPgddAimR404ivWY6HPQ==
    

    Save the file.

  5. Restart the Federation Manager 2 server.


    # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com
    # ./stop; ./start

14.2 Installing Web Server 3 and Web Policy Agent 3

For this part of the deployment, you must have the Java Enterprise System installer and the Web Policy Agent installer mounted on the host Protected Resource 3. See the section 2.2 Downloading and Mounting the Java Enterprise System 2005Q4 Installer in this manual.

Use the following as your checklist for installing Web Server 3 and Web Policy Agent 3:

  1. Install Web Server 3 on Protected Resource 3.

  2. Install Web Policy Agent 3.

ProcedureTo Install Web Server 3 on Protected Resource 3

  1. As a root user, log into the Protected Resource 3 host.

  2. Start the Java Enterprise System installer with the -nodisplay option.


    # cd /mnt/Solaris_sparc 
    # ./installer -nodisplay
    
  3. When prompted, provide the following information:


    Welcome to the Sun Java(TM) Enterprise System; 
    serious software made  simple... 
    <Press ENTER to Continue>

    Press Enter. 


    <Press ENTER to display the Software 
    License Agreement>

    Press Enter. 


    Have you read, and do you accept, all of 
    the termsof the preceding Software 
    License Agreement [No] 

    Enter y.


    Please enter a comma separated list of 
    languages you would like supported with 
    this installation [8]

    Enter 8 for “English only.” 


    Enter a comma separated list of products to 
    install,or press R to refresh the list  []

    Enter 3 to select Web Server.


    Press "Enter" to Continue or Enter a 
    comma separated list of products to deselect... [1] 

    Press Enter. 

    Enter 1 to upgrade these shared components 
    and 2 to cancel  [1]

    You are prompted to upgrade shared components only if the installer detects that an upgrade is required. 

    Enter 1 to upgrade shared components.


    Enter the name of the target 
    installation directory for each product: 
    Web Server [/opt/SUNWwbsvr] : 

    Accept the default value. 


    System ready for installation 
    Enter 1 to continue [1]  

    Enter 1.


    1. Configure Now - Selectively override defaults or 
    express through  
    2. Configure Later - Manually configure following 
    installation 
     Select Type of Configuration [1]  

    Enter 1.


    Common Server Settings  
    Enter Host Name [ProtectedResource-3]

    Accept the default value. 


    Enter DNS Domain Name [siroe.com]

    Accept the default value. 


    Enter IP Address [192.18.72.151]

    Accept the default value. 


    Enter Server admin User ID [admin]   

    Accept the default value. 


    Enter Admin User's Password 
    (Password cannot be less than 8 characters) 
    [] 

    For this example, enter 11111111.


    Confirm Admin User's Password []

    Enter the same password to confirm it. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter  Server Admin User ID 
    [admin]

    Accept the default value. 


    Enter Admin User's Password []

    For this example, enter 11111111.


    Enter Host Name 
    [ProtectedResource-3.siroe.com]

    Accept the default value. 


    Enter Administration Port [8888]

    Accept the default value. 


    Enter Administration Server User ID 
    [root]

    Accept the default value. 


    Enter System User ID [webservd]

    Enter root.


    Enter System Group [webservd]

    Enter root.


    Enter HTTP Port [80] 

    Enter 2080.


    Enter content Root [/opt/SUNWwbsvr/docs]

    Accept the default value. 


    Do you want to automatically start 
    Web Serverwhen system re-starts.(Y/N)    [N] 

    Accept the default value. 


    Ready to Install
    1. Install 2. Start Over 3. Exit Installation
    What would you like to do [1] 

    First, see the next numbered (Optional) step. When ready to install, enter 1.

  4. (Optional) During installation, you can monitor the log to watch for installation errors. Example:


    # cd /var/sadm/install/logs
    # tail -f Java_Enterprise_System_install.Bxxxxxx

  5. Upon successful installation, enter ! to exit.

  6. Verify that the Web Server is installed properly.

    1. Start the Web Server administration server to verify it starts with no errors.


      # cd /opt/SUNWwbsvr/https-admserv
      # ./stop; ./start

    2. Run the netstat command to verify that the Web Server ports are open and listening.


      # netstat -an | grep 8888
        *.8888			*.*			0		0	49152		0	LISTEN
    3. Go to the Web Server URL.

      http://ProtectedResource-3.siroe.com:8888

    4. Log in to the Web Server using the following information:

      Username

      admin

      Password

      11111111

      You should be able to see the Web Server console. You can log out of the console now.

    5. Start the Protected Resource 3 instance.


      # cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com
      # ./stop; ./start
    6. Run the netstat command to verify that the Web Server ports are open and listening.


      # netstat -an | grep 2080
        *.2080			*.*			0		0	49152		0	LISTEN
    7. Go to the instance URL.

      http://ProtectedResource-3.siroe.com:2080

      You should see the default Web Server index page.

ProcedureTo Install Web Policy Agent 3

Before You Begin

Caution –

If the Web Policy Agent installer is hosted on the same system where you are installing the Web Policy Agent, you can disregard this warning.

If the installer is hosted on a system other than the local system where you are installing the Web Policy Agent, you must start an X-display session on the system that hosts the installer. You must use an X-display program such as Reflections X or VNC even though you use the command-line installer. This is a known problem with this version of the Web Policy Agent. For more information about this known problem, see http://docs.sun.com/app/docs/doc/819-2796/6n52flfoq?a=view#adtcd.


  1. As a root user, log into the Protected Resource 3 host.

  2. Download the Java System Web Policy Agents 2.2 package from the following website:

    http://www.sun.com/download/products.xml?id=434ed995

  3. Unpack the downloaded package.

    In this example, the package was downloaded into the directory /temp.


    # cd /temp
    # gunzip sun-one-policy-agent-2.2-es6-solaris_sparc.tar.gz
    # tar -xvof sun-one-policy-agent-2.2-es6-solaris_sparc.tar
  4. Start the Web Policy Agents installer.

    # ./setup -nodisplay

  5. When prompted, provide the following information:


    When you are ready, press Enter to continue. 
    <Press ENTER to Continue>

    Press Enter. 


    Press ENTER to display the Sun Software 
    License Agreement

    Press Enter. 


    Have you read, and do you accept, all of 
    the terms of the preceding Software License 
    Agreement [no] y

    Enter y.


    Install the Sun Java(tm) System Access Manager 
    Policy Agent in this directory [/opt] :

    Accept the default value. 


    Enter information about the server instance this 
    agent will protect. 
    Host Name [ProtectedResource-3.siroe.com]:

    Accept the default value. 


    Web Server Instance Directory []:

    Enter /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com


    Web Server Port [80]:

    Enter 2080.


     Web Server Protocol [http] 

    Enter https.


    Agent Deployment URI [/amagent]:

    Accept the default value. 


    Enter the Sun Java(tm) System Access Manager
    Information for this Agent.
    Primary Server Host [ProtectedResource-3.siroe.com] :

    Enter the host name of the Federation Manager load balancer. For this example, enter LoadBalancer-9.siroe.com.


    Primary Server Port [1080]

    Enter the load balancer HTTPS port number. For this example, enter 3443.


    Primary Server Protocol [http]: 

    Enter https.


    Primary Server Deployment URI [/amserver]: 

    Enter /federation.


    Primary Console Deployment URI [/amconsole] :

    Enter /federation.


    Failover Server Host [] :

    Accept the default value. 


    Agent-Access Manager Shared Secret:

    Enter the clear-text UrlAccessAgent password that you hashed with ampassword in 14.1 Creating Web Agent Profiles on the Federation Manager Servers. For this example, enter 11111111.


    Re-enter Shared Secret: 

    Enter the 11111111 password again to confirm it.


    CDSSO Enabled [false]:

    Accept the default value. 


    Press "Enter" when you are ready to continue.

    First, see the next (Optional) numbered step. When you are ready to start installation, press Enter. 

  6. (Optional) During installation, you can monitor the log to watch for installation errors. Example:


    # cd /var/sadm/install/logs
    # tail -f Sun_Java_tm__System_Access_Manager_Policy_Agent_install.Bxxxxxxxx
    
  7. Restart the Web Server.


    # cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com
    # ./stop; ./start

    Examine the Web Server log for startup errors.


    # cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com/logs
    # vi errors

14.3 Completing the Web Policy Agent 3 Installation

Use the following as your checklist for completing the Web Policy Agent 3 installation:

  1. Edit the AMAgent.Properties file.

  2. Verify that Web Policy Agent 3 is working properly.

  3. Import the root CA certificate into the Web Server 3 key store.

  4. Verify that Web Policy Agent 3 can access the Federation Manager load balancer.

ProcedureTo Edit the AMAgent.Properties File

  1. As a root user, log into the Protected Resource 3 host.

  2. Edit the AMAgent.properties file.


    # cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-3.siroe.com
    1. Make a backup of AMAgent.properties, and then set the following properties:


      com.sun.am.policy.am.username = UrlAccessAgent
      com.sun.am.policy.am.password = BeUPgddAimR404ivWY6HPQ==
      com.sun.am.policy.agents.config.do_sso_only = true
    2. Add the following properties to the original file:


      com.sun.am.ignore.naming.service = true
    3. (Optional) Set the debug property as in this example:


      com.sun.am.log.level = all:5

      Save the file.

  3. Restart Web Server 3.


    # cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com
    # ./stop; ./start
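
The value written to com.sun.am.policy.am.password must be byte-for-byte the hash that 14.1 put into UrlAccessAgent.properties on both Federation Manager servers; a single transcribed character (BeU... against BeV...) breaks agent authentication with nothing more than a failed login in the agent log. The following Python script is an added example for this guide, not Sun code: it parses the properties files, compares the hashes across the servers and the agent, and checks that a file carrying the secret is not group- or world-readable. The file contents embedded in it are constructed from the values this guide uses; the function names are mine.

```python
"""
Cross-check the UrlAccessAgent secret between the Federation Manager servers
and a web policy agent's AMAgent.properties, and check that the files holding
it are not group/world readable.  The ampassword hash is credential-
equivalent: a one-character transcription error (BeU... vs BeV...) silently
breaks agent authentication, and a readable copy is as good as the password.

Added example for this guide, not Sun code.  The file contents below are
constructed from the values the guide uses.
"""
import os
import stat

# Constructed sample contents (the hash is the one shown in 14.1).
FM_URLACCESS_PROPS = "password=BeUPgddAimR404ivWY6HPQ==\n"
AGENT_PROPS_OK = """# AMAgent.properties (excerpt)
com.sun.am.policy.am.username = UrlAccessAgent
com.sun.am.policy.am.password = BeUPgddAimR404ivWY6HPQ==
com.sun.am.policy.agents.config.do_sso_only = true
com.sun.am.ignore.naming.service = true
"""
AGENT_PROPS_TYPO = AGENT_PROPS_OK.replace("BeUPgdd", "BeVPgdd")


def parse_properties(text):
    """Minimal Java .properties reader: key = value, '#' comments, and a
    trailing backslash continuing the value on the next line."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_shared_secret(fm_props_by_server, agent_props_text):
    """fm_props_by_server: {name: UrlAccessAgent.properties text} for each
    Federation Manager; agent_props_text: the agent's AMAgent.properties.
    Returns a list of findings; an empty list means everything lines up."""
    findings = []
    fm_hashes = {name: parse_properties(text).get("password")
                 for name, text in fm_props_by_server.items()}
    if len(set(fm_hashes.values())) != 1:
        findings.append("Federation Manager servers disagree: %r" % fm_hashes)
    agent = parse_properties(agent_props_text)
    if agent.get("com.sun.am.policy.am.username") != "UrlAccessAgent":
        findings.append("agent username is not UrlAccessAgent")
    expected = next(iter(fm_hashes.values()))
    actual = agent.get("com.sun.am.policy.am.password")
    if actual != expected:
        findings.append("agent password %r does not match server hash %r" % (actual, expected))
    return findings


def mode_is_private(mode):
    """True when no group or other permission bits are set (e.g. 0600)."""
    return (stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_file_private(path):
    """Apply mode_is_private to a real file, for example
    /var/opt/SUNWam/fm/federation/users/UrlAccessAgent.properties."""
    return mode_is_private(os.stat(path).st_mode)
```

Run check_shared_secret() with the real file contents copied from Federation Manager 1, Federation Manager 2 and the agent host before restarting the Web Server; run check_file_private() on UrlAccessAgent.properties and AMAgent.properties on each host, and chmod 600 any file it reports.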

ProcedureTo Verify that Web Policy Agent 3 is Working Properly

  1. Go to the following URL:

    http://ProtectedResource-3.siroe.com:2080

  2. Log in to Federation Manager using the following information:

    Username

    spuser

    Password

    spuser

    You should see the default index.html page for Web Server 3.

ProcedureTo Import the Root CA Certificate into the Web Server 3 Key Store

The Web Policy Agent on Protected Resource 3 connects to the Federation Manager servers through Load Balancer 9. The load balancer is SSL-enabled, so the agent must be able to trust the load balancer SSL certificate in order to establish the SSL connection. To do this, import the root CA certificate that issued the Load Balancer 9 SSL server certificate into the Web Server 3 certificate store, which the Web Policy Agent uses.

Before You Begin

Obtain the root CA certificate, and copy it to the Protected Resource 3 host into the file /export/software/ca.cert.

  1. Copy the root CA certificate to Protected Resource 3.

  2. Open a browser, and go to the Web Server 3 administration console.

    http://ProtectedResource-3.siroe.com:8888

  3. Log in to the Web Server 3 console using the following information:

    User Name:

    admin

    Password:

    11111111

  4. In the Select a Server field, select ProtectedResource-3.siroe.com, and then click Manage.


    Tip –

    If a “Configuration files have not been loaded” message is displayed, it may be because the Web Server instance that is being accessed through the administration server has had its configuration files manually edited. This is the case when the Web Policy Agent is installed. The mirror configuration files are different from the current configuration files. In order to be sure the changes are not lost, you must apply the changes. First click Apply, and then click Apply Changes. The configuration files are read, and the server is stopped and restarted.


  5. Click the Security tab.

  6. On the Initialize Trust Database page, enter a Database Password.

    Enter the password again to confirm it, and then click OK.

  7. In the left frame, click Install Certificate and provide the following information, and then click OK:

    Certificate For:

    Choose Trusted Certificate Authority (CA).

    Key Pair File Password:

    The trust database password you set in step 6.

    Certificate Name:

    rootCA.cert

    Message in this File:

    /export/software/ca.cert

  8. Click Add Server Certificate.

  9. Click Manage Certificates.

    The root CA Certificate name rootCA.cert is included in the list of certificates.

  10. Click the Preferences tab.

  11. Restart Web Server 3 from the administration console.

    On the Server On/Off page, click Server Off. When the page indicates that the server is off, click Server On.

  12. Restart Web Server 3 from the command line.


    # cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com
    # ./stop; ./start

ProcedureTo Verify that Web Policy Agent 3 Can Access the Federation Manager Load Balancer

  1. Go to the Protected Resource 3 URL:


    http://ProtectedResource-3.siroe.com:2080/index.html
  2. Log into the Federation Manager console using the following information:

    User Name:

    spuser

    Password:

    spuser

    The policy agent redirects the request, and the URL changes to https://LoadBalancer-9.siroe.com:3443/federation/UI/Login. The default Sun ONE Web Server page is displayed. This verifies that the web policy agent is properly configured to access the Federation Manager load balancer.

14.4 Installing Web Server 4 and Web Policy Agent 4

For this part of the deployment, you must have the Java Enterprise System installer and the Web Policy Agent installer mounted on the host Protected Resource 4. See the section 2.2 Downloading and Mounting the Java Enterprise System 2005Q4 Installer in this manual.

Use the following as your checklist for installing Web Server 4 and Web Policy Agent 4:

  1. Install Web Server 4 on Protected Resource 4.

  2. Install Web Policy Agent 4.

ProcedureTo Install Web Server 4 on Protected Resource 4

  1. As a root user, log into the Protected Resource 4 host.

  2. Start the Java Enterprise System installer with the -nodisplay option.


    # cd /mnt/Solaris_sparc 
    # ./installer -nodisplay
    
  3. When prompted, provide the following information:


    Welcome to the Sun Java(TM) Enterprise System; 
    serious software made  simple... 
    <Press ENTER to Continue>

    Press Enter. 


    <Press ENTER to display the Software 
    License Agreement>

    Press Enter. 


    Have you read, and do you accept, all of 
    the termsof the preceding Software 
    License Agreement [No] 

    Enter y.


    Please enter a comma separated list of 
    languages you would like supported with 
    this installation [8]

    Enter 8 for “English only.” 


    Enter a comma separated list of products to 
    install,or press R to refresh the list  []

    Enter 3 to select Web Server.


    Press "Enter" to Continue or Enter a 
    comma separated list of products to deselect... [1] 

    Press Enter. 

    Enter 1 to upgrade these shared components 
    and 2 to cancel  [1]

    You are prompted to upgrade shared components only if the installer detects that an upgrade is required. 

    Enter 1 to upgrade shared components.


    Enter the name of the target 
    installation directory for each product: 
    Web Server [/opt/SUNWwbsvr] : 

    Accept the default value. 


    System ready for installation 
    Enter 1 to continue [1]  

    Enter 1.


    1. Configure Now - Selectively override defaults or 
    express through  
    2. Configure Later - Manually configure following 
    installation 
     Select Type of Configuration [1]  

    Enter 1.


    Common Server Settings  
    Enter Host Name [ProtectedResource-4]

    Accept the default value. 


    Enter DNS Domain Name [siroe.com]

    Accept the default value. 


    Enter IP Address [192.18.72.152]

    Accept the default value. 


    Enter Server admin User ID [admin]   

    Accept the default value. 


    Enter Admin User's Password 
    (Password cannot be less than 8 characters) 
    [] 

    For this example, enter 11111111.


    Confirm Admin User's Password []

    Enter the same password to confirm it. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter  Server Admin User ID 
    [admin]

    Accept the default value. 


    Enter Admin User's Password []

    For this example, enter 11111111.


    Enter Host Name 
    [ProtectedResource-4.siroe.com]

    Accept the default value. 


    Enter Administration Port [8888]

    Accept the default value. 


    Enter Administration Server User ID 
    [root]

    Accept the default value. 


    Enter System User ID [webservd]

    Enter root.


    Enter System Group [webservd]

    Enter root.


    Enter HTTP Port [80] 

    Enter 2080.


    Enter content Root [/opt/SUNWwbsvr/docs]

    Accept the default value. 


    Do you want to automatically start 
    Web Serverwhen system re-starts.(Y/N)    [N] 

    Accept the default value. 


    Ready to Install
    1. Install 2. Start Over 3. Exit Installation
    What would you like to do [1] 

    First, see the next numbered (Optional) step. When ready to install, enter 1.

  4. (Optional) During installation, you can monitor the log to watch for installation errors. Example:

    # cd /var/sadm/install/logs

    # tail -f Java_Enterprise_System_install.Bxxxxxx

  5. Upon successful installation, enter ! to exit.

  6. Verify that the Web Server is installed properly.

    1. Start the Web Server administration server to verify it starts with no errors.

      # cd /opt/SUNWwbsvr/https-admserv

      # ./stop; ./start

    2. Run the netstat command to verify that the Web Server ports are open and listening.


      # netstat -an | grep 8888
        *.8888			*.*			0		0	49152		0	LISTEN

    3. Go to the Web Server URL.

      http://ProtectedResource-4.siroe.com:8888

    4. Log in to the Web Server using the following information:

      Username

      admin

      Password

      11111111

      You should be able to see the Web Server console. You can log out of the console now.

    5. Start the Protected Resource 4 instance.


      # cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com
      # ./stop; ./start
    6. Run the netstat command to verify that the Web Server ports are open and listening.


      # netstat -an | grep 2080
        *.2080			*.*			0		0	49152		0	LISTEN

    7. Go to the instance URL.

      http://ProtectedResource-4.siroe.com:1080

      You should see the default Web Server index page.

ProcedureTo Install Web Policy Agent 4

Before You Begin

Caution –

If the Web Policy Agent installer is hosted on the same system where you are installing the Web Policy Agent, you can disregard this warning.

If the installer is hosted on a system other than the local system where you are installing the Web Policy Agent, you must start an X-display session on the system that hosts the installer. You must use an X-display program such as Reflections X or VNC even though you use the command-line installer. This is a known problem with this version of the Web Policy Agent. For more information about this known problem, see http://docs.sun.com/app/docs/doc/819-2796/6n52flfoq?a=view#adtcd.


  1. As a root user, log into the Protected Resource 4 host.

  2. Download the Java System Web Policy Agents 2.2 package from the following website:

    http://www.sun.com/download/products.xml?id=434ed995

  3. Unpack the downloaded package.

    In this example, the package was downloaded into the directory /temp.


    # cd /temp
    # gunzip sun-one-policy-agent-2.2-es6-solaris_sparc.tar.gz
    # tar -xvof sun-one-policy-agent-2.2-es6-solaris_sparc.tar

  4. Start the Web Policy Agents installer.

    # ./setup -nodisplay

  5. When prompted, provide the following information:


    When you are ready, press Enter to continue. 
    <Press ENTER to Continue>

    Press Enter. 


    Press ENTER to display the Sun Software 
    License Agreement

    Press Enter. 


    Have you read, and do you accept, all of 
    the terms of the preceding Software License 
    Agreement [no] y

    Enter y.


    Install the Sun Java(tm) System Access Manager 
    Policy Agent in this directory [/opt] :

    Accept the default value. 


    Enter information about the server instance this 
    agent will protect. 
    Host Name [ProtectedResource-4.siroe.com]:

    Accept the default value. 


    Web Server Instance Directory []:

    Enter /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com


    Web Server Port [80]:

    Enter 2080.


     Web Server Protocol [http] 

    Accept the default value. 


    Agent Deployment URI [/amagent]:

    Accept the default value. 


    Enter the Sun Java(tm) System Access Manager
    Information for this Agent.
    Primary Server Host [ProtectedResource-9.siroe.com] :

    For this example, enter the load balancer host name. Example: LoadBalancer-9.siroe.com


    Primary Server Port [1080]

    Enter the load balancer HTTP port number. For this example, enter 3443.


    Primary Server Protocol [http]: 

    Enter https.


    Primary Server Deployment URI [/amserver]: 

    Enter /federation.


    Primary Console Deployment URI [/amconsole] :

    Enter /federation.


    Failover Server Host [] :

    Accept the default value. 


    Agent-Access Manager Shared Secret:

    Enter the amldapuser password that was entered when Access Manager was installed. For this example, enter 11111111.


    Re-enter Shared Secret: 

    Enter the 11111111 password again to confirm it.


    CDSSO Enabled [false]:

    Accept the default value. 


    Press "Enter" when you are ready to continue.

    First, see the next (Optional) numbered step. When you are ready to start installation, press Enter. 

  6. (Optional) During installation, you can monitor the log to watch for installation errors. Example:


    # cd /var/sadm/install/logs
    # tail -f Sun_Java_tm__System_Access_Manager_Policy_Agent_install.Bxxxxxxxx

  7. Restart the Web Server.


    # cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com
    # ./stop; ./start

    Examine the Web Server log for startup errors.


    # cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com/logs
    # vi errors

14.5 Completing the Web Policy Agent 4 Installation

Use the following as your checklist for completing the Web Policy Agent 4 installation:

  1. Edit the AMAgent.properties file.

  2. Verify that Web Policy Agent 4 is working properly.

  3. Import the root CA certificate into the Web Server 4 key store.

  4. Verify that Web Policy Agent 4 can access the Federation Manager load balancer.

ProcedureTo Edit the AMAgent.properties File

  1. Log in as a root user to the Federation Manager 1 host.

  2. Edit the AMAgent.properties file.


    # cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-4.siroe.com

    1. Make a backup of AMAgent.properties, and then set the following properties:


      com.sun.am.policy.am.username = UrlAccessAgent
      com.sun.am.policy.am.password = BeVPgddAimR404ivWY6HPQ==
      com.sun.am.policy.agents.config.do_sso_only = true

    2. Add the following property to the original file:


      com.sun.am.ignore.naming.service = true

    3. (Optional) Set the debug property as in this example:


      com.sun.am.log.level = all:5

      Save the file.

  3. Restart Web Server 4.

    # cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com
    # ./stop; ./start

Procedure To Verify that Web Policy Agent 4 is Working Properly

  1. Go to the following URL:

    http://ProtectedResource-4.siroe.com:2080

  2. Log in to Access Manager using the following information:

    Username

    spuser

    Password

    spuser

    You should see the default index.html page for Web Server 4.

ProcedureTo Import the Root CA Certificate into the Web Server 4 Key Store

The Web Policy Agent on Protected Resource 4 connects to Federation Manager servers through Load Balancer 9. The load balancer is SSL-enabled, so the agent must be able to trust the load balancer SSL certificate in order to establish the SSL connection. To do this, import the root CA certificate that issued the Load Balancer 3 SSL server certificate into the Web Policy Agent certificate store.

Before You Begin

Obtain the root CA certificate, and copy it to the Protected Resource 4 host. Copy the certificate into the file /export/software/ca.cert.

  1. Copy the root CA certificate to Protected Resource 4.

  2. Open a browser, and go to the Web Server 4 administration console.

    http://ProtectedResource-4.siroe.com:8888

  3. Log in to the Web Server 4 console using the following information:

    User Name:

    admin

    Password:

    11111111

  4. In the Select a Server field, select ProtectedResource-4.siroe.com, and then click Manage.


    Tip –

    If a “Configuration files have not been loaded” message is displayed, it may be because the Web Server instance that is being accessed through the administration server has had its configuration files manually edited. This is the case when the Web Policy Agent is installed. The mirror configuration files are different from the current configuration files. In order to be sure the changes are not lost, you must apply the changes. First click Apply, and then click Apply Changes. The configuration files are read, and the server is stopped and restarted.


  5. Click the Security tab.

  6. On the Initialize Trust Database page, enter a Database Password.

    Enter the password again to confirm it, and then click OK.

  7. In the left frame, click Install Certificate and provide the following information, and then click OK:

    Certificate For:

    Choose Trusted Certificate Authority (CA).

    Key Pair File Password:

    password

    Certificate Name:

    rootCA.cert

    Message in this File:

    /export/software/ca.cert

  8. Click Add Server Certificate.

  9. Click Manage Certificates.

    The root CA Certificate name rootCA.cert is included in the list of certificates.

  10. Click the Preferences tab.

  11. Restart Web Server 4.

    On the Server On/Off page, click Server Off. When the server indicates that the administration server is off, click Server On.

  12. Restart Web Server 4.

    # cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com
    # ./stop; ./start

ProcedureTo Verify that Web Policy Agent 4 Can Access the Federation Manager Load Balancer

  1. Go to the Protected Resource 4 URL:


    http://ProtectedResource-4.siroe.com:2080/index.html

  2. Log into the Federation Manager console using the following information:

    User Name:

    spuser

    Password:

    spuser

    The policy agent redirects the request, and the URL changes to https://LoadBalancer-9.siroe.com:3443/federation/UI/Login. The default Sun ONE Web Server page is displayed. This verifies that the web policy agent is properly configured to access the Federation Manager load balancer.

14.6 Configuring the Web Policy Agents Load Balancer

Load Balancer 11 can be located in a less-secured zone, and handles traffic for the Web Policy Agents.

Load Balancer 11 is configured for simple persistence so that browser requests from the same IP address are always directed to the same Web Policy Agent instance. This guarantees that requests from the same user session are always sent to the same Web Policy Agent instance, which matters for performance. Each Web Policy Agent must validate the user session and evaluate the applicable policies, and it caches the results to speed up later requests. If no load balancer persistence is set and the same user's requests are spread across two agents, each agent must build up its own cache, so both agents validate the session and evaluate policies. This effectively doubles the workload on the Access Manager servers and cuts the overall system capacity in half. The problem becomes even more acute as the number of Web Policy Agents increases.

As a general rule, in situations where each Web Policy Agent instance is protecting identical resources, some form of load balancer persistence is highly recommended for the performance reasons. The actual type of persistence may vary when a different load balancer is used, as long as it achieves the goal of sending the requests from the same user session to the same Web Policy Agent instance.
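To make the caching argument concrete, here is an added simulation (not part of the deployment guide) that replays a constructed request trace through two agent caches, once with client-IP persistence and once with plain round robin, and counts the session validations the back end has to perform. The agent names, client addresses and session ids are assumed.

```python
"""Why Load Balancer 11 needs persistence: an agent-cache simulation.

Added illustration, not part of the deployment guide. Two Web Policy Agent
caches are fed the same constructed request trace, once with client-IP
(simple) persistence and once with plain round robin, and the number of
session validations the back end has to perform is counted. Agent names,
client addresses and session ids are assumed.
"""
from itertools import cycle


class AccessManagerStub:
    """Stand-in for the Federation Manager back end the agents talk to."""

    def __init__(self):
        self.validations = 0

    def validate_and_evaluate(self, session_id, resource):
        self.validations += 1          # one round trip per cache miss
        return True                    # allow; the decision is not the point


class WebPolicyAgent:
    """An agent instance with its own per-session, per-resource cache."""

    def __init__(self, name, backend):
        self.name = name
        self.backend = backend
        self.cache = {}

    def handle(self, session_id, resource):
        key = (session_id, resource)
        if key not in self.cache:      # miss: ask the back end and remember it
            self.cache[key] = self.backend.validate_and_evaluate(session_id, resource)
        return self.cache[key]


def run_trace(requests, agent_names, persistence):
    """Replay (client_ip, session_id, resource) requests and count back-end calls.

    persistence="simple": a client IP sticks to the agent it first reached,
    which is what the BIG-IP simple persistence setting guarantees.
    persistence="none": round robin, so one session lands on every agent.
    """
    backend = AccessManagerStub()
    rr = cycle(WebPolicyAgent(n, backend) for n in agent_names)
    sticky = {}
    for client_ip, session_id, resource in requests:
        if persistence == "simple":
            if client_ip not in sticky:
                sticky[client_ip] = next(rr)
            agent = sticky[client_ip]
        else:
            agent = next(rr)
        agent.handle(session_id, resource)
    return backend.validations


AGENTS = ["ProtectedResource-3", "ProtectedResource-4"]
# Constructed trace: two users, each requesting two resources twice.
TRACE = [
    ("192.0.2.10", "sess-A", "/index.html"),
    ("192.0.2.20", "sess-B", "/index.html"),
    ("192.0.2.10", "sess-A", "/docs/report.html"),
    ("192.0.2.10", "sess-A", "/index.html"),
    ("192.0.2.20", "sess-B", "/index.html"),
    ("192.0.2.10", "sess-A", "/docs/report.html"),
    ("192.0.2.20", "sess-B", "/docs/report.html"),
    ("192.0.2.20", "sess-B", "/docs/report.html"),
]


def compare():
    """Back-end validations with and without persistence for TRACE."""
    return {"simple": run_trace(TRACE, AGENTS, "simple"),
            "none": run_trace(TRACE, AGENTS, "none")}


if __name__ == "__main__":
    print(compare())   # {'simple': 4, 'none': 8}
```

With persistence each of the four (session, resource) pairs is validated once; without it every pair is validated on both agents, which is the doubling the text describes.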

Use the following as your checklist for configuring the Web Policy Agents load balancer:

ProcedureTo Configure the Web Policy Agents Load Balancer

  1. Go to the URL for the BIG-IP load balancer login page.

    https://ls-f5.siroe.com

  2. Log in using the following information:

    User name:

    username

    Password:

    password

  3. Request an SSL Certificate for Load Balancer 11.

    1. Log in to the BIG-IP load balancer.

    2. Click Proxies in the left pane.

    3. Click the Cert Admin tab, and then click the “Generate New Key Pair/ Certificate Request” button.

    4. In the Create Certificate Request page, provide the following information:

      Key Identifier:

      LoadBalancer-11.siroe.com

      Organization:

      siroe.com

      Domain Name:

      LoadBalancer-11.siroe.com

      Email Address:

      jdoe@siroe.com

    5. Click the Generate Request button.

    6. In the Generate Request page, copy the request that looks similar to this:


      -----BEGIN CERTIFICATE REQUEST-----
      -----END CERTIFICATE REQUEST-----

    7. Paste this text into a request form provided by a root certificate authority (CA) such as Verisign or Thawte.

      See the certificate authority website such as http://www.verisign.com/ or http://www.thawte.com/ for detailed instructions on submitting a certificate request.

  4. After you receive the certificate from the issuer, install the SSL Certificate.

    1. In the BIG-IP load balancer console, click the Cert Admin tab.

    2. On the Cert Admin tab, click Install Certificate.

    3. In the Install SSL Certificate page, paste the certificate text you received from the certificate issuer. Example:


      -----BEGIN CERTIFICATE REQUEST-----
      -----END CERTIFICATE REQUEST-----

    4. Click Install Certificate.

  5. Create a Pool.

    A pool contains all the backend server instances.

    1. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

    2. In the left pane, click Pools.

    3. On the Pools tab, click the Add button.

    4. In the Add Pool dialog, provide the following information:

      Pool Name

      federation_web_agents

      Load Balancing Method

      Round Robin

      Resources

      192.18.72.151:2080 (for Protected Resource 3)

      192.18.72.152:2080 (for Protected Resource 4)

      Click Done.

  6. Configure the load balancer for simple persistence.

    1. In the left frame, click Pools.

    2. Click the name of the pool you want to configure.

      In this example, federation_web_agents.

    3. Click the Persistence tab.

    4. On the Persistence tab, under Persistence Type, select Simple.

    5. Set the timeout interval.

      In the Timeout field, enter 300 seconds.

      Click Apply.

  7. Add a Virtual Server.

    If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.

    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click the Add button.

    3. In the Add Virtual Server dialog box, provide the following information:

      Address

      192.18.69.14 (for LoadBalancer-11.siroe.com)

      Service

      5080

      Click Next.

    4. Continue to click Next until you reach the Select Physical Resources dialog box.

      Pool

      federation_web_agents

    5. In the Pool Selection dialog box, assign the Pool (federation_web_agents) that you have just created.

    6. Click the Done button.

  8. Create proxies.

    1. In the left frame, click Proxies.

    2. On the Proxies tab, click Add.

    3. In the Add Proxy page, provide the following information:

      Proxy Type:

      Mark the SSL checkbox.

      Proxy Address:

      192.18.69.14

      Proxy Service:

      6443

      Destination Address:

      192.18.69.14

      Destination Service:

      5080

      SSL Certificate:

      LoadBalancer-11.siroe.com

      SSL Key:

      LoadBalancer-11.siroe.com

      Server SSL Certificate:

      LoadBalancer-11.siroe.com

      Server SSL Key:

      LoadBalancer-11.siroe.com

      Click Done.

  9. Add Monitors.

    1. Click the Monitors tab, and then click the Add button.

      In the Add Monitor dialog provide the following information:

      Name:

      WebAgent-http

      Inherits From:

      Choose http.

    2. Click Next.

      In the Configure Basic Properties page, click Next.

    3. In the Configure ECV HTTP Monitor, in the Send String field, enter the following:

      GET /launch.html

      Click Next.

    4. In the Destination Address and Service (Alias) page, click Done.

      On the Monitors tab, the monitor you just added is now contained in the list of monitors.

    5. Click the Basic Associations tab.

      Look for the IP addresses for ProtectedResource-3:2080 and ProtectedResource-4:1080.

    6. Mark the Add checkbox for ProtectedResource-3 and ProtectedResource-4.

    7. At the top of the Node column, choose the monitor that you just added, WebAgent-http.

    8. Click Apply.

ProcedureTo Configure the Web Policy Agents to Work with the Web Policy Agents Load Balancer

In this procedure you modify the AMAgent.properties file. Map Protected Resource 3 and Protected Resource 4 to Load Balancer 11.

  1. Log in as a root user to Protected Resource 3.


    # cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-3.siroe.com

  2. Use a text editor to modify the AMAgent.properties file.

    For this property:

    com.sun.am.policy.agents.config.notenforced_list

    append the following to the end of the value string:

    http://ProtectedResource-3.siroe.com:1080/launch.html http://LoadBalancer-11.siroe.com:90/launch.html

  3. Set the following properties:


    com.sun.am.load_balancer.enable = true
    com.sun.am.policy.agents.config.override_protocol = true
    com.sun.am.policy.agents.config.override_host = true
    com.sun.am.policy.agents.config.override_port = true
    com.sun.am.policy.agents.config.agenturi.prefix =
    https://LoadBalancer-11.siroe.com:6443/amagent
    com.sun.am.policy.agents.config.fqdn.map = 
    [LoadBalancer-11.siroe.com|LoadBalancer-11.siroe.com]
    com.sun.am.policy.agents.config.fqdn.default = 
    LoadBalancer-11.siroe.com

    Save the file.

  4. Restart Web Server 3 on Protected Resource 3.


    # cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com
    # ./stop; ./start

  5. Log in as a root user to Protected Resource 4.


    # cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-4.siroe.com

  6. Use a text editor to modify the AMAgent.properties file.

    For this property:

    com.sun.am.policy.agents.config.notenforced_list

    append the following to the end of the value string:

    http://ProtectedResource-4.siroe.com:1080/launch.html http://LoadBalancer-11.siroe.com:90/launch.html

  7. Set the following properties:


    com.sun.am.load_balancer.enable = true
    com.sun.am.policy.agents.config.override_protocol = true
    com.sun.am.policy.agents.config.override_host = true
    com.sun.am.policy.agents.config.override_port = true
    com.sun.am.policy.agents.config.agenturi.prefix =
    https://LoadBalancer-11.siroe.com:6443/amagent
    com.sun.am.policy.agents.config.fqdn.map = 
    [LoadBalancer-11.siroe.com|LoadBalancer-11.siroe.com]
    com.sun.am.policy.agents.config.fqdn.default = 
    LoadBalancer-11.siroe.com

    Save the file.

  8. Restart Web Server 4 on Protected Resource 4.


    # cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com
    # ./stop; ./start

ProcedureTo Verify that the Web Policy Agents Load Balancer is Working Properly

  1. In a browser, go to the following URL:

    https://LoadBalancer-11.siroe.com:6443/index.html

    The load balancer redirects the request to the Access Manager login page.

  2. Log in to the Access Manager console using the following information:

    Username

    spuser

    Password

    spuser

    If the default Web Server index.html page is displayed, then the load balancer is configured properly.

  3. Verify that Load Balancer 11 monitors are monitoring the Web Servers properly.

    1. Log in as a root user to Protected Resource 3.

    2. Run the tail command.


      # cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com/logs
      # tail -f access

      If you see frequent entries similar to this one:


      192.18.69.18 - - [06/Oct/2006:13:53:07 -0700] "GET /launch.html" 200 8526

      then the custom monitor is configured properly. If you do not see "GET /launch.html", then you must troubleshoot the load balancer configuration.

    3. Log in as root to Protected Resource 4.

    4. Run the tail command.


      # cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com/logs
      # tail -f access

      If you see frequent entries similar to this one:


      192.18.69.18 - - [06/Oct/2006:13:53:07 -0700] "GET /launch.html" 200 8526

      then the custom monitor is configured properly. If you do not see "GET /launch.html", then you must troubleshoot the load balancer configuration.
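As an added check that is not part of the guide, the following script parses access log lines in the format shown above and reports whether the monitor address (192.18.69.18 in this deployment) is fetching /launch.html at a steady rate on a node. The log lines are constructed, and the 30 second gap threshold is an assumption.

```python
"""Check a Web Server access log for the Load Balancer 11 monitor probes.

Added verification helper, not part of the guide. It parses the access log
format shown in the chapter and reports, for one node's log, whether the
monitor (192.18.69.18 here) is fetching /launch.html steadily. The log
lines below are constructed; the 30 second gap threshold is an assumption.
"""
import re
from datetime import datetime, timedelta

# Common-log style line; the request may or may not carry an HTTP version.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def monitor_report(lines, monitor_ip, path="/launch.html",
                   max_gap=timedelta(seconds=30)):
    """Summarise probe traffic: count, non-200 probes, and the longest gap.

    No probes, a failed probe, or a gap longer than max_gap means the
    monitor is not polling this node properly and the load balancer
    configuration needs troubleshooting.
    """
    probes = [r for r in map(parse_line, lines)
              if r and r["ip"] == monitor_ip and r["path"] == path]
    probes.sort(key=lambda r: r["ts"])
    gaps = [b["ts"] - a["ts"] for a, b in zip(probes, probes[1:])]
    longest = max(gaps, default=timedelta(0))
    failed = [r for r in probes if r["status"] != 200]
    return {
        "probes": len(probes),
        "failed": len(failed),
        "longest_gap_s": longest.total_seconds(),
        "healthy": bool(probes) and not failed and longest <= max_gap,
    }


# Constructed log excerpts. PR3 shows a healthy monitor; PR4 shows a probe
# that got a 404 and then a long silence.
PR3_LOG = [
    '192.18.69.18 - - [06/Oct/2006:13:53:07 -0700] "GET /launch.html" 200 8526',
    '192.0.2.10 - - [06/Oct/2006:13:53:09 -0700] "GET /index.html HTTP/1.1" 200 1024',
    '192.18.69.18 - - [06/Oct/2006:13:53:12 -0700] "GET /launch.html" 200 8526',
    '192.18.69.18 - - [06/Oct/2006:13:53:17 -0700] "GET /launch.html" 200 8526',
]
PR4_LOG = [
    '192.18.69.18 - - [06/Oct/2006:13:53:07 -0700] "GET /launch.html" 404 291',
    '192.0.2.11 - - [06/Oct/2006:13:53:40 -0700] "GET /index.html HTTP/1.1" 200 1024',
    '192.18.69.18 - - [06/Oct/2006:13:54:30 -0700] "GET /launch.html" 200 8526',
]

if __name__ == "__main__":
    for name, log in (("ProtectedResource-3", PR3_LOG), ("ProtectedResource-4", PR4_LOG)):
        print(name, monitor_report(log, "192.18.69.18"))
```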

14.7 Configuring the Web Policy Agents Load Balancer to Participate in SAMLv2 Protocols

Use the following as your checklist for configuring the Web Policy Agents load balancer to participate in SAMLv2 protocols:

  1. Enable the Web Policy Agents load balancer to use SAMLv2 protocols.

  2. Verify that the Web Policy Agents load balancer uses SAMLv2 protocols.

ProcedureTo Enable the Web Policy Agents Load Balancer to Use SAMLv2 Protocols

  1. As a root user, log in to the Protected Resource 3 host.

  2. Go to the following directory:


    /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-3.siroe.com

  3. Make a backup of AMAgent.properties, and then set the following properties:


    com.sun.am.policy.am.login.url = https://LoadBalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com

  4. Add the following property:


    com.sun.am.policy.agents.config.url.redirect.param = RelayState

    Save the file.

  5. As a root user, log in to the Protected Resource 4 host.

  6. Go to the following directory:


    /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-4.siroe.com

  7. Make a backup of AMAgent.properties, and then set the following properties:


    com.sun.am.policy.am.login.url = https://LoadBalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com

  8. Add the following property:


    com.sun.am.policy.agents.config.url.redirect.param = RelayState

    Save the file.

  9. Restart the Protected Resource 3 host.


    # cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com
    # ./stop; ./start

  10. Restart the Protected Resource 4 host.


    # cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com
    # ./stop; ./start
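The AMAgent.properties edits in this section and in 14.6 (the Load Balancer 11 properties, the notenforced_list additions, the SAML2 login URL and the RelayState redirect parameter) can be applied with a script instead of by hand. The helper below is an added example, not part of the agent distribution; it assumes the plain "key = value" layout of the file, and the SAMPLE excerpt it runs against is constructed.

```python
"""Apply the AMAgent.properties changes from 14.6 and 14.7 with a script.

Added helper, not part of the agent distribution. It assumes the plain
"key = value" layout of AMAgent.properties, sets or adds properties, and
appends entries to a space-separated list property without duplicating
them. SAMPLE below is a constructed excerpt of the file.
"""
import re
import shutil
from pathlib import Path

# key = value; lines starting with '#' or '!' are comments.
PROP_RE = re.compile(r"^\s*([^#!=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_properties(text):
    """Return a dict of key -> value, ignoring comments and blank lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def update_properties(text, set_values=None, append_lists=None):
    """Return new file text; untouched lines keep their order, missing keys
    are added at the end, and applying the same change twice is a no-op."""
    set_values = dict(set_values or {})
    append_lists = dict(append_lists or {})
    out = []
    for line in text.splitlines():
        m = PROP_RE.match(line)
        if not m:
            out.append(line)
            continue
        key, value = m.group(1), m.group(2)
        if key in set_values:
            value = set_values.pop(key)
        if key in append_lists:
            current = value.split()
            for entry in append_lists.pop(key):
                if entry not in current:
                    current.append(entry)
            value = " ".join(current)
        out.append(f"{key} = {value}")
    for key, value in set_values.items():
        out.append(f"{key} = {value}")
    for key, entries in append_lists.items():
        out.append(f"{key} = {' '.join(dict.fromkeys(entries))}")
    return "\n".join(out) + "\n"


def apply_to_file(path, set_values, append_lists):
    """Keep a .bak copy (the chapter asks for a backup), then rewrite."""
    path = Path(path)
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(update_properties(path.read_text(), set_values, append_lists))


# Values from the chapter for Protected Resource 3.
LB11_SETTINGS = {
    "com.sun.am.load_balancer.enable": "true",
    "com.sun.am.policy.agents.config.override_protocol": "true",
    "com.sun.am.policy.agents.config.override_host": "true",
    "com.sun.am.policy.agents.config.override_port": "true",
    "com.sun.am.policy.agents.config.agenturi.prefix": "https://LoadBalancer-11.siroe.com:6443/amagent",
    "com.sun.am.policy.agents.config.fqdn.map": "[LoadBalancer-11.siroe.com|LoadBalancer-11.siroe.com]",
    "com.sun.am.policy.agents.config.fqdn.default": "LoadBalancer-11.siroe.com",
}
SAML2_SETTINGS = {
    "com.sun.am.policy.am.login.url": "https://LoadBalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com",
    "com.sun.am.policy.agents.config.url.redirect.param": "RelayState",
}
NOTENFORCED_ADDITIONS = {"com.sun.am.policy.agents.config.notenforced_list": [
    "http://ProtectedResource-3.siroe.com:1080/launch.html",
    "http://LoadBalancer-11.siroe.com:90/launch.html"]}
SAMPLE = """# constructed excerpt of AMAgent.properties before the edits
com.sun.am.policy.agents.config.notenforced_list = http://ProtectedResource-3.siroe.com:1080/amagent/*
com.sun.am.load_balancer.enable = false
com.sun.am.policy.am.login.url = http://ProtectedResource-9.siroe.com:1080/amserver/UI/Login
"""
```

Run `apply_to_file(...)` against the agent's config directory from 14.6 or 14.7 with the dictionaries above, then restart the Web Server as the steps describe.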

ProcedureTo Verify that the Web Policy Agents Load Balancer Uses SAMLv2 Protocols

  1. Go to the following URL:


    https://LoadBalancer-11.siroe.com:6443/index.html

  2. Log into the Access Manager console using the following information:

    User Name:

    idpuser

    Password:

    idpuser

    The Web Server default index.html page is displayed.