Chapter 3 Using the Access Manager Policy Agent 2.2 for Application Server 9.0 / Web Services

Sun Java™ System Access Manager Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services is installed with Java BluePrints. This chapter contains information regarding these BluePrints and other administrative procedures. It includes the following sections:

• Java BluePrints

• Keystores

Java BluePrints

Access Manager Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services is installed with Sun Microsystems' best practice applications called Java BluePrints. The Java BluePrints program defines the application programming model for the Java Enterprise Edition (Java EE) platform. The following sections describe the included BluePrints which focus on web services security.

Stock Service BluePrint

This BluePrint focuses on building a web service provider (WSP) and a web service client (WSC), authenticating the WSC before access to the service is given, and guaranteeing the integrity of the authentication data. This is accomplished by using Web Services Interoperability Basic Security Profile (WS-I BSP) tokens to secure communications between the participants. The BluePrint encompasses a web service that provides details for a given stock symbol. The instructions for the Stock Service BluePrint is the index.html file found in /javaee.home/blueprints/ws-security/stock-jaxrpc/ directory.

Calendar Service BluePrint

This BluePrint focuses on securing an identity-based WSP. Identity-based web services must know the identity of the user accessing the service. The Calendar Service BluePrint is a calendar service which uses the identity of the user to enforce permission checks on the event(s) being accessed. In securing an identity-based WSP, the identity accessing the service (via the WSC) is authenticated before being given access. Additionally, the WSC would also be authenticated by the WSP before being given access. The instructions for the Calendar Service BluePrint is the index.html file found in /javaee.home/blueprints/ws-security/calendar-jaxrpc/ directory.

Keystores

J2EE agents work with Access Manager to protect resources. However, for security purposes, these two pieces of software can only interact with each other after the J2EE agent authenticates with Access Manager by supplying an agent profile name and password. The agent profiles we are using (wscWSC, LibertyBearerToken, etc.) are configured to use the following keystores, by default:

• The Access Manager Policy Agent 2.2 for Application Server 9.0 / Web Services uses the client keystore shipped with the Java EE SDK, amclientkeystore.jks, as its default client keystore. It is located in javaee.home/addons/accessmanager for installations of Java Application Platform SDK (when Download or Download with JDK is selected), and in javaee.home/addons/amserver for installations of Java Application Platform SDK or Java EE 5 SDK Update 1 (when Download with Tools is selected), and NetBeans Enterprise Pack 5.5

• The single WAR instance of Access Manager uses the server keystore shipped with the Java EE SDK, keystore.jks, for its default keystore. It is located in javaee.home/domains/domain_name/config/amflatfiledir/amserver for installations of Java Application Platform SDK (all downloads), Java EE 5 SDK Update 1 (only when Download with Tools is selected), and NetBeans Enterprise Pack 5.5.

You can configure for a custom keystore, though. The following procedure describes the necessary steps.

For more information on agent profiles, see Agents in Sun Java System Access Manager 7 2005Q4 Administration Guide in the Sun Java System Access Manager 7 2005Q4 Administration Guide

During the installation of the J2EE agent, you must provide a valid agent profile name and the respective password to enable authentication attempts to succeed.

To Configure for a Custom Keystore

1. Export the certificate for the alias amserver using the following command:

   keytool -list -keystore keystore_file -alias amserver -rfc

2. Store the exported X509 certificate, using the RFC format, in a file named server.txt.

3. Export the certificate from your custom keystore using the following command:

   keytool -list -keystore custom_keystore_file -alias key alias -rfc

   key alias is the alias of the private key used by the WSC to sign SOAP messages.

4. Store the exported X509 certificate, using the RFC format, in a file named client.txt.

5. Import the stored amserver certificate into the agent's custom keystore file using the following command:

   keytool -import -keystore custom_keystore_file -alias custom_alias -file server.txt

6. Import the stored custom keystore's certificate into the Access Manager keystore file using the following command:

   keytool -import -keystore custom_keystore_file -alias custom_alias -file client.txt

7. Generate a Discovery Service token for the WSC that will use the custom keystore with the following command:

   keytool -import -keystore custom_keystore.jks -alias amserver -file server.txt

   This allows the WSP which uses the custom keystore to trust the Access Manager Discovery Service.

8. Edit the following properties in the client's AMConfig.properties:

   • com.sun.identity.liberty.ws.wsc.certalias=alias_of_private_key_in_custom_client_keystore

     This certificate is used by the Liberty X509/SAML profiles for signing the SOAP messages.

   • com.sun.identity.liberty.ws.trustedca.certaliases=alias_of_private_key_in_custom_server_keystore:AM_host_name

   AMConfig.properties is located in javaee.home/domains/domain_name/config when the Java Platform, Enterprise Edition (Java EE) 5 SDK is installed and in javaee.home/addons/amserver when the Java EE 5 Tools Bundle is installed.