Sun Java System Access Manager 7.1 Deployment Planning Guide

Policy Agent Administrative Users

A Policy Agent in the Access Manager Policy Agent 2.2 software set authenticates to Access Manager using a user name and password stored in its AMAgent.properties file. The process differs slightly between Web Agents and J2EE Agents.

Web Agents

A Web Agent stores the user name and password that it uses to authenticate to Access Manager in the following properties in its AMAgent.properties file: com.sun.am.policy.am.username (user name) and com.sun.am.policy.am.password (encrypted password).

When an Access Manager instance is initially configured, the Java ES installer or the amconfig script creates the amService-UrlAccessAgent user in the top-level realm with the same password as the amldapuser user.

By default, all Web Agents use the same user name and password to authenticate to an Access Manager instance. To improve security and to allow each Web Agent to use a unique name and password, you can create an agent profile in the Access Manager Administration Console for a Web Agent to use for authentication. For more information, see Using an Agent Profile for Authentication.

J2EE Agents

A J2EE Agent communicates with Access Manager using a user name (agent ID) and password defined in an agent profile created in the Access Manager Administration Console. After the agent profile is created, the J2EE Agent stores the user name (agent ID) and password in the following properties in its AMAgent.properties file: com.sun.identity.agents.app.username (user name) and com.iplanet.am.service.secret (encrypted password).

See the next section for information about agent profiles.

Using an Agent Profile for Authentication

To authenticate to Access Manager, a J2EE Agent requires that you create an agent profile in the Access Manager Administration Console. A Web Agent can also use an agent profile, which allows each Web Agent to have a unique user name (agent ID) and password. For the steps to create an agent profile, see the Access Manager Console online Help.

An agent profile also lets you change a Policy Agent's password and user name (agent ID) as your deployment requires. To change a password and, if required, a user name, follow these general steps:

  1. Log in to the Access Manager Console as the Access Manager administrator (amadmin).

  2. In the agent profile for the Policy Agent, change the password and user name (agent ID), if required. Save the profile.

  3. Encrypt the new agent password from Step 2 using the crypt_util utility for Web Agents or the agentadmin utility with the --encrypt option for J2EE Agents.

  4. Set the following properties in the Policy Agent's AMAgent.properties file:

    • For Web Agents: Set the com.sun.am.policy.am.password property to the new encrypted password from Step 3. If you also changed the user name (agent ID), set the com.sun.am.policy.am.username property to the new user name (agent ID) from Step 2.

    • For J2EE Agents: Set the com.iplanet.am.service.secret property to the new encrypted password from Step 3. If you also changed the user name (agent ID), set the com.sun.identity.agents.app.username property to the new user name (agent ID) from Step 2.

  5. Restart the Web Agent web container so that the new password (and the new user name, if you changed it) takes effect.
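The following is an added example, not code from the Sun documentation or the Policy Agent software. It serves two points on this page: the default situation in which all Web Agents share the amService-UrlAccessAgent identity, and Step 4 of the procedure above, where the encrypted password (and optionally a new agent ID) is written into AMAgent.properties. It audits a set of agent property files for agents still on the shared default user or on an agent ID that more than one agent uses, and it rewrites the credential properties while leaving every other line untouched. The property names are the ones this page gives; the file contents are constructed samples; and the encrypted password value is assumed to have been produced beforehand with crypt_util or agentadmin --encrypt, since this code never encrypts anything itself.

```python
"""Added example, not part of the Sun documentation or the Policy Agent software:
helpers for auditing and updating the credential properties in Policy Agent 2.2
AMAgent.properties files, using the property names given in the guide.

The encrypted password value must come from crypt_util (Web Agents) or
agentadmin --encrypt (J2EE Agents); this code never encrypts anything itself.
All file contents below are constructed samples with placeholder values.
"""
import re

# Property names per agent type, exactly as listed in the guide.
CREDENTIAL_PROPERTIES = {
    "web": ("com.sun.am.policy.am.username", "com.sun.am.policy.am.password"),
    "j2ee": ("com.sun.identity.agents.app.username", "com.iplanet.am.service.secret"),
}

# User the installer creates in the top-level realm; shared by all Web Agents by default.
DEFAULT_SHARED_AGENT_USER = "amService-UrlAccessAgent"

# Matches "key = value" or "key: value"; comment lines ('#' or '!') and blank lines
# never match because the first key character may not be a comment marker or space.
_KV = re.compile(r"^\s*([^#!=:\s][^=:]*?)\s*[=:]\s*(.*?)\s*$")


def parse_properties(text):
    """Return {key: value} for a Java-style properties file."""
    props = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def set_property(text, key, value):
    """Rewrite the line that defines key, or append one; every other line is kept verbatim."""
    lines = text.splitlines()
    found = False
    for i, line in enumerate(lines):
        m = _KV.match(line)
        if m and m.group(1) == key:
            lines[i] = f"{key} = {value}"
            found = True
    if not found:
        lines.append(f"{key} = {value}")
    return "\n".join(lines) + "\n"


def set_agent_credentials(text, agent_type, encrypted_password, username=None):
    """Step 4 of the guide's procedure: store the new encrypted password and, if it changed, the agent ID."""
    user_key, pass_key = CREDENTIAL_PROPERTIES[agent_type]
    text = set_property(text, pass_key, encrypted_password)
    if username is not None:
        text = set_property(text, user_key, username)
    return text


def audit_agent_identities(files):
    """files: {label: (agent_type, file_text)}.

    Flags agents still authenticating as the shared default user, and any agent ID
    used by more than one agent, so each can be moved to its own agent profile.
    """
    report = {"shared_default": [], "duplicate_usernames": {}}
    by_user = {}
    for label, (agent_type, text) in files.items():
        user_key, _ = CREDENTIAL_PROPERTIES[agent_type]
        user = parse_properties(text).get(user_key)
        if user == DEFAULT_SHARED_AGENT_USER:
            report["shared_default"].append(label)
        if user is not None:
            by_user.setdefault(user, []).append(label)
    report["duplicate_usernames"] = {u: ls for u, ls in by_user.items() if len(ls) > 1}
    return report


# Constructed sample files (placeholder values, not real encrypted passwords).
SAMPLE_WEB_AGENT = """# constructed sample Web Agent AMAgent.properties
com.sun.am.policy.am.username = amService-UrlAccessAgent
com.sun.am.policy.am.password = ENCRYPTED-PLACEHOLDER-1
# constructed placeholder line, not a real agent property
example.placeholder.setting = keep-me
"""

SAMPLE_J2EE_AGENT = """# constructed sample J2EE Agent AMAgent.properties
com.sun.identity.agents.app.username = j2eeagent01
com.iplanet.am.service.secret = ENCRYPTED-PLACEHOLDER-2
"""

if __name__ == "__main__":
    fleet = {"web-a": ("web", SAMPLE_WEB_AGENT),
             "web-b": ("web", SAMPLE_WEB_AGENT),
             "j2ee-a": ("j2ee", SAMPLE_J2EE_AGENT)}
    print(audit_agent_identities(fleet))
    # Move web-b to its own agent profile: new agent ID plus a freshly encrypted password.
    print(set_agent_credentials(SAMPLE_WEB_AGENT, "web", "ENCRYPTED-PLACEHOLDER-3", username="webagent-b"))
```

The audit reports both agents on amService-UrlAccessAgent under "shared_default" and also under "duplicate_usernames", which is the condition the page's per-agent profile recommendation is meant to remove; after the rewrite, the web container still has to be restarted (Step 5) before the agent uses the new credentials.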

For more detailed information about creating and configuring agent profiles and encrypting passwords, see the Access Manager Policy Agent 2.2 documentation collection:

http://docs.sun.com/coll/1322.1