Sun Java System Access Manager 7.1 Postinstallation Guide

Deploying an Access Manager 7.1 WAR File

Deploy the Access Manager 7.1 WAR file using the procedure below for the web container you are using.

Note: Samples and Javadocs are not provided after you deploy the Access Manager 7.1 WAR file.

Deploying an Access Manager 7.1 WAR File in Sun Java System Web Server 7

Before you deploy the Access Manager WAR file, Web Server 7 must be installed and running on the host server.

Procedure: To Deploy the Access Manager WAR File in Web Server 7

  1. Log in as (or become) superuser (root).

  2. Copy the amserver.war file to the host server where you want to deploy Access Manager.

    To get the amserver.war file, see Getting an Access Manager 7.1 War File.

    For example, copy the WAR file to the /opt/SUNWam/amwar_staging directory.

  3. Back up the server.policy file and then add the Java security permissions to the file, as shown in Adding Access Manager Permissions to the Server Policy File.

  4. Restart the Web Server instance for the new entries to take effect.

  5. Deploy the Access Manager amserver.war file using the Web Server Admin Console or CLI command:

    • For example, the following Web Server 7 wadm command deploys the WAR file on Solaris systems:

      cd /opt/SUNWwbsvr7/bin
      ./wadm add-webapp --user=admin --host=${SERVER_HOST} \
        --port=${WS_ADMIN_PORT} --config=${WS_CONFIG} \
        --vs=${WS_VIRTUAL_SERVER} --uri=/${SERVER_DEPLOY_URI} \
        /opt/SUNWam/amwar_staging/amserver.war

      ./wadm deploy-config --user admin --host=${SERVER_HOST} \
        --port=${WS_ADMIN_PORT} --restart=true ${WS_CONFIG}

      Enter the Web Server administration password when you are prompted.

      For more information about the wadm command, see Chapter 9, Deploying Web Applications, in Sun Java System Web Server 7.0 Developer’s Guide to Java Web Applications.

  6. Depending on your platform, add the following JavaHelp JAR file (jhall.jar) to the classpath so the Access Manager Console online help is accessible:

    • Solaris systems: /usr/jdk/packages/javax.help-2.0/lib/jhall.jar

    • Linux systems: /usr/java/packages/javax.help-2.0/javahelp/lib/jhall.jar

  7. Continue with Configuring Access Manager 7.1 Using the Configurator.

Deploying an Access Manager 7.1 WAR File in Sun Java System Application Server Enterprise Edition 8.2

Before you deploy the Access Manager WAR file, Application Server 8.2 must be installed and running on the host server.

Procedure: To Deploy the Access Manager 7.1 WAR File in Application Server 8.2

  1. Log in as (or become) superuser (root).

  2. Copy the amserver.war file to the host server where you want to deploy Access Manager.

    To get the amserver.war file, see Getting an Access Manager 7.1 War File.

    For example, copy the WAR file to the /opt/SUNWam/amwar_staging directory.

  3. Back up the server.policy file and then add the Java security permissions to the file, as shown in Adding Access Manager Permissions to the Server Policy File.

  4. Restart the Application Server instance for the new entries to take effect.

  5. Create a file containing the Application Server administration password.

    For example, if you use /tmp/pwdfile as the password file:

    echo "AS_ADMIN_PASSWORD=application-server-administration-password" > /tmp/pwdfile

  6. Deploy the amserver.war file using the Application Server Admin Console or the asadmin deploy command.

    For example, the following asadmin deploy command deploys the WAR file on Solaris systems:

    # cd /opt/SUNWappserver/appserver/bin
    # ./asadmin deploy --user appserver-admin \
      --passwordfile /tmp/pwdfile --port 4849 \
      --contextroot amserver --name amserver \
      --target server /opt/SUNWam/amwar_staging/amserver.war

  7. Continue with Configuring Access Manager 7.1 Using the Configurator.
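
Step 5 writes the administration password to a fixed path in /tmp, where a typical default umask leaves the file readable by other local users. The following added example (not part of the original guide) creates the password file with owner-only permissions instead; the function names make_pwdfile and is_private are hypothetical, and it assumes mktemp is available on the host.

```shell
#!/bin/sh
# Added example, not from the guide: owner-only password file for asadmin.

# make_pwdfile: read the admin password from stdin (no echo on a terminal)
# and print the path of a new file that only its owner can read.
make_pwdfile() {
  if [ -t 0 ]; then
    printf 'Application Server admin password: ' >&2
    stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
  else
    IFS= read -r pw
  fi
  # mktemp creates the file with mode 0600 and an unpredictable name,
  # so another local user can neither pre-create it nor read it.
  f=$(mktemp "${TMPDIR:-/tmp}/as_pwd.XXXXXX") || return 1
  printf 'AS_ADMIN_PASSWORD=%s\n' "$pw" > "$f"
  unset pw
  printf '%s\n' "$f"
}

# is_private FILE: succeed only if FILE is a regular file with mode rw-------.
is_private() {
  [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage with the deploy command from step 6 (run from the asadmin directory):
#   pf=$(make_pwdfile) && is_private "$pf" && \
#     ./asadmin deploy --user appserver-admin --passwordfile "$pf" \
#       --port 4849 --contextroot amserver --name amserver \
#       --target server /opt/SUNWam/amwar_staging/amserver.war
#   rm -f "$pf"      # remove the password file as soon as the deploy returns
```
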

Deploying the Access Manager WAR File in BEA WebLogic Server

Before you deploy the Access Manager WAR file, WebLogic Server must be installed and running on the host server.

For more information, see the WebLogic Server documentation: http://www.bea.com/.

For the versions of WebLogic Server that are supported as web containers for Access Manager 7.1, see the Sun Java System Access Manager 7.1 Release Notes.

Also, check the Release Notes for any issues and workarounds that apply to WebLogic Server.

Procedure: To Deploy an Access Manager 7.1 WAR File in WebLogic Server

  1. On the host server where you want to deploy Access Manager, create a staging directory for the WAR file.

    For example, on a Solaris system: /opt/SUNWam/amwar_staging

  2. Copy the amserver.war file to the staging area.

    To get the amserver.war file, see Getting an Access Manager 7.1 War File.

  3. Back up the weblogic.policy file and then add the Java security permissions to this file, as shown in Adding Access Manager Permissions to the Server Policy File.

  4. Restart the WebLogic Server instance for the new entries to take effect.

  5. Deploy the amserver.war file using either the WebLogic Server Admin Console or the CLI.

  6. Depending on your platform, add the following JavaHelp JAR file (jhall.jar) to the CLASSPATH so the Access Manager Console online help is accessible:

    • Solaris systems: /usr/jdk/packages/javax.help-2.0/lib/jhall.jar

    • Linux systems: /usr/java/packages/javax.help-2.0/javahelp/lib/jhall.jar

  7. Continue with Configuring Access Manager 7.1 Using the Configurator.

Deploying an Access Manager 7.1 WAR File in IBM WebSphere Application Server

Before you deploy the Access Manager WAR file, WebSphere Application Server must be installed and running on the host server.

For more information, see the WebSphere Application Server documentation: http://www-306.ibm.com/software/webservers/appserv/was/.

For the versions of WebSphere Application Server that are supported as web containers for Access Manager 7.1, see the Sun Java System Access Manager 7.1 Release Notes.

Also, check the Release Notes for any issues and workarounds that apply to WebSphere Application Server.

Procedure: To Deploy an Access Manager 7.1 WAR File in WebSphere Application Server

  1. On the host server where you want to deploy Access Manager, create a staging directory for the WAR file.

    For example, on a Solaris system: /opt/SUNWam/amwar_staging

  2. Copy the amserver.war file to the staging area.

    To get the amserver.war file, see Getting an Access Manager 7.1 War File.

  3. Modify the server.xml file as follows:

    1. Add the following JVM entries to allow Access Manager to function:

      genericJvmArguments="-Djava.awt.headless=true 
      -DamCryptoDescriptor.provider=IBMJCE -DamKeyGenDescriptor.provider=IBMJCE"/>

    2. If you are using SSL, add the following properties and JVM entry:

      </cacheGroups>
      </services>
      <properties xmi:id="Property_1120370477732" name="amCryptoDescriptor.provider" 
      value="IBMJCE" required="false"/>
      <properties xmi:id="Property_1120370511939" name="amKeyGenDescriptor.provider" 
      value="IBMJCE" required="false"/>
      genericJvmArguments="-Djava.awt.headless=true 
      -Djava.protocol.handler.pkgs=com.ibm.net.ssl.internal.www.protocol 
      -DamCryptoDescriptor.provider=IBMJCE -DamKeyGenDescriptor.provider=IBMJCE"/>

  4. Back up the server.policy file and then add the Java security permissions to the file, as shown in Adding Access Manager Permissions to the Server Policy File.

  5. Restart the WebSphere instance for the new entries to take effect.

  6. Deploy the amserver.war file using either the WebSphere Application Server Admin Console or the CLI.

  7. Depending on your platform, add the following JavaHelp JAR file (jhall.jar) to the classpath so the Access Manager Console online help is accessible:

    • Solaris systems: /usr/jdk/packages/javax.help-2.0/lib/jhall.jar

    • Linux systems: /usr/java/packages/javax.help-2.0/javahelp/lib/jhall.jar

  8. Continue with Configuring Access Manager 7.1 Using the Configurator.

Adding Access Manager Permissions to the Server Policy File

If Security Manager is enabled, add the Access Manager 7.1 permissions to the server policy file for the web container on which Access Manager will be deployed. The name of the server policy file (for example, server.policy or weblogic.policy) depends on the web container you are using.


Example 12–1 Access Manager Permissions in the Server Policy File

The following permissions apply to all Access Manager web containers.

// ADDITIONS FOR Access Manager
grant {
  permission java.net.SocketPermission "*", "connect,accept,resolve";
  permission java.util.PropertyPermission "*", "read, write";
  permission java.lang.RuntimePermission "modifyThreadGroup";
  permission java.lang.RuntimePermission "setFactory";
  permission java.lang.RuntimePermission "accessClassInPackage.*";
  permission java.util.logging.LoggingPermission "control";
  permission java.lang.RuntimePermission "shutdownHooks";
  permission javax.security.auth.AuthPermission "getLoginConfiguration";
  permission javax.security.auth.AuthPermission "setLoginConfiguration";
  permission javax.security.auth.AuthPermission "modifyPrincipals";
  permission javax.security.auth.AuthPermission "createLoginContext.*";
  permission java.io.FilePermission "<<ALL FILES>>", "execute,delete";
  permission java.util.PropertyPermission "java.util.logging.config.class", "write";
  permission java.security.SecurityPermission "removeProvider.SUN";
  permission java.security.SecurityPermission "insertProvider.SUN";
  permission javax.security.auth.AuthPermission "doAs";
  permission java.util.PropertyPermission "java.security.krb5.realm", "write";
  permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
  permission java.util.PropertyPermission "java.security.auth.login.config", "write";
  permission java.util.PropertyPermission "user.language", "write";
  permission javax.security.auth.kerberos.ServicePermission "*", "accept";
  permission javax.net.ssl.SSLPermission "setHostnameVerifier";
  permission java.security.SecurityPermission "putProviderProperty.IAIK";
  permission java.security.SecurityPermission "removeProvider.IAIK";
  permission java.security.SecurityPermission "insertProvider.IAIK";
  permission java.security.SecurityPermission "getProperty.ocsp.*";
};
// END OF ADDITIONS FOR Access Manager

Modifying the Server Policy File For Specific Applications

You can also specify that the permissions apply only to a specific application in a specific web container. For example, the following statement grants security permissions only to Access Manager deployed on Sun Java System Application Server. For other web containers, refer to the respective web container documentation for more information.


Example 12–2 Additions to the Server Policy File For Sun Java System Application Server

// ADDITIONS FOR Access Manager on Sun Java System Application Server
grant codeBase "file:\${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-" 
{

... // Permissions from the previous example 

};

Also, if you deploy Access Manager using a name other than amserver, change that name in the grant statement.
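
A grant entry with no codeBase, as in Example 12–1, applies to every application in the container, while the form in Example 12–2 limits the permissions to the Access Manager web application. The following added example (not part of the original guide) lists wildcard permissions that a policy file grants to all code; the function names and the sample policy are constructed for illustration, and only single-line permission entries are handled.

```shell
#!/bin/sh
# Added example: list wildcard permissions that a policy file grants to ALL
# code, i.e. inside a grant entry with no codeBase, signedBy or principal.

# audit_policy FILE: print "LINE:permission" for each such permission.
audit_policy() {
  awk '
    /^[ \t]*grant[ \t{]/ || /^[ \t]*grant$/ {       # a grant entry starts
      in_grant = 1
      scoped = ($0 ~ /codeBase|signedBy|principal/)
      next
    }
    in_grant && /^[ \t]*}/ { in_grant = 0; next }   # the entry ends
    in_grant && !/permission/ {                     # header continuation line
      if ($0 ~ /codeBase|signedBy|principal/) scoped = 1
      next
    }
    in_grant && !scoped &&
      (/"\*"/ || /<<ALL FILES>>/ || /accessClassInPackage\.\*/) {
      sub(/^[ \t]*permission[ \t]*/, "")
      print NR ":" $0
    }
  ' "$1"
}

# write_sample_policy FILE: constructed sample with one entry of each kind.
write_sample_policy() {
  cat > "$1" <<'EOF'
// constructed sample, not a complete Access Manager policy
grant {
  permission java.net.SocketPermission "*", "connect,accept,resolve";
  permission java.lang.RuntimePermission "setFactory";
  permission java.io.FilePermission "<<ALL FILES>>", "execute,delete";
};
grant codeBase "file:\${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-"
{
  permission java.util.PropertyPermission "*", "read, write";
};
EOF
}

sample=$(mktemp) && write_sample_policy "$sample"
audit_policy "$sample"   # reports lines 3 and 5; the codeBase entry is skipped
rm -f "$sample"
```
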