Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover

6.2 Deploying and Configuring Access Manager 1 and Access Manager 2

An Access Manager WAR will be deployed in the installed Web Server containers on both the Access Manager host machines. Additionally, you will configure the installations and back up the Access Manager configuration data. Use the following list of procedures as a checklist for completing the tasks.

  1. To Generate an Access Manager WAR File on the Access Manager 1 Host Machine

  2. To Deploy the Access Manager WAR File as Access Manager 1

  3. To Copy the Access Manager WAR File to Access Manager 2

  4. To Deploy the Access Manager WAR File as Access Manager 2

  5. To Configure Access Manager 1

  6. To Configure Access Manager 2

  7. To Back Up the Access Manager Configuration Data from Directory Server 1

Procedure: To Generate an Access Manager WAR File on the Access Manager 1 Host Machine

  1. As a root user, log in to the AccessManager-1 host machine.

  2. Create a directory into which the Access Manager WAR file can be downloaded and change into it.


    # mkdir /export/AM71
    # cd /export/AM71
    
  3. Download the Access Manager 7.1 WAR file from http://www.sun.com/download/products.xml?id=460d5c8e.

  4. Unzip the Access Manager download.


    # unzip AccessManager7_1RTM.zip
    # ls -al
    
    total 228716
    drwxr-xr-x   6 root     root         512 Jul 11 20:00 .
    drwxr-xr-x   5 root     sys          512 Jul 19 10:30 ..
    -rw-r--r--   1 root     root   117008919 Jul 10 15:00 AccessManager7_1RTM.zip
    drwxr-xr-x   4 root     root         512 Jun 25 20:16 applications
    drwxr-xr-x   2 root     root        1536 Jun 25 20:16 legal
    -rw-r--r--   1 root     root        3018 Jun 25 20:16 README
    drwxr-xr-x   2 root     root         512 Jun 25 20:16 samples
    -r--r--r--   1 root     root       11934 Jun 25 20:16 Software_License_Agt_SLA.txt
    drwxr-xr-x   2 root     root         512 Jun 25 20:16 tools
  5. Switch to the non-root user.


    # su am71adm
    
  6. Create a staging area in which the WAR will be exploded.


    # cd /export/am71adm
    # mkdir am-staging
    

    Tip –

    In the staging area, after exploding the WAR, you can modify the WAR contents to suit your needs, generate a new WAR, and deploy it on any number of remote host computers. Whenever you need to make changes to the WAR, you maintain the changes in this one staging area, and redeploy the modified WAR as many times as you want, on as many host machines as you need.


  7. Explode the WAR file.


    # cd am-staging
    # jar xvf /export/AM71/applications/jdk15/amserver.war
    
  8. Add the following context parameter to the web.xml file.

    By default, during WAR deployment, Access Manager creates a bootstrap file in the user's home directory. The bootstrap file points to the directory in which all the Access Manager configuration data will be created. By specifying this context parameter, you make Access Manager create the bootstrap file in the directory you name; in this case, /export/am71adm/bootstrap. The web.xml file is located in /export/am71adm/am-staging/WEB-INF/.


    <context-param>
        <param-name>com.sun.identity.bootClassPath</param-name>
        <param-value>/export/am71adm/bootstrap</param-value>
    </context-param>
  9. Regenerate the Access Manager WAR file.


    # cd /export/am71adm/am-staging
    # jar cvf ../amserver.war *
    

    A new WAR file is created, including the modified web.xml.

  10. Verify that the new WAR file was created in the proper location and with the appropriate permissions.


    # cd /export/am71adm
    # ls -al
    
    total 62262
    drwxr-xr-x   6 am71adm  staff        512 Jul 19 11:46 .
    drwxr-xr-x   5 root     sys          512 Jul 19 10:30 ..
    -rw-r--r--   1 am71adm  staff        144 Jul 19 10:30 .profile
    drwx------   3 am71adm  staff        512 Jul 19 10:40 .sunw
    -rw-r--r--   1 am71adm  staff        566 Jul 19 11:06 .wadmtruststore
    drwxr-xr-x  16 am71adm  staff        512 Jul 19 10:47 am-staging
    -rw-r--r--   1 am71adm  staff   31834862 Jul 19 10:56 amserver.war
    -rw-r--r--   1 am71adm  staff        136 Jul 19 10:30 local.cshrc
    -rw-r--r--   1 am71adm  staff        157 Jul 19 10:30 local.login
    -rw-r--r--   1 am71adm  staff        174 Jul 19 10:30 local.profile

    Note –

    The amserver.war file is owned by am71adm.
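Because the staging area is meant to be edited and repackaged repeatedly, the web.xml change in step 8 is worth scripting so it is applied exactly once and verified before the WAR is regenerated. The following shell functions are an added example, not part of the Sun guide; the function names are my own, and the only assumption is that web.xml ends with the standard closing </web-app> tag.

```shell
#!/bin/sh
# Added example (not from the Sun guide): insert the com.sun.identity.bootClassPath
# context parameter into the exploded WAR's WEB-INF/web.xml idempotently, so the
# staging area can be re-used, and read it back to verify before "jar cvf".
# Assumption: web.xml ends with the standard closing </web-app> tag.

# Usage: add_boot_classpath_param <path-to-web.xml> <bootstrap-dir>
add_boot_classpath_param() {
    webxml="$1"
    bootdir="$2"
    [ -f "$webxml" ] || { echo "missing $webxml" >&2; return 1; }

    # Already present: leave the descriptor untouched (safe to run repeatedly).
    if grep -q 'com.sun.identity.bootClassPath' "$webxml"; then
        return 0
    fi

    # Insert the context-param block immediately before </web-app>.
    tmp="${webxml}.tmp.$$"
    awk -v dir="$bootdir" '
        /<\/web-app>/ {
            print "    <context-param>"
            print "        <param-name>com.sun.identity.bootClassPath</param-name>"
            print "        <param-value>" dir "</param-value>"
            print "    </context-param>"
        }
        { print }
    ' "$webxml" > "$tmp" && mv "$tmp" "$webxml"
}

# Usage: boot_classpath_value <path-to-web.xml>
# Prints the configured bootstrap directory, or nothing if the parameter is absent.
boot_classpath_value() {
    awk '
        /com.sun.identity.bootClassPath/ { found = 1; next }
        found && /<param-value>/ {
            sub(/.*<param-value>/, ""); sub(/<\/param-value>.*/, ""); print; exit
        }
    ' "$1"
}
```

Run it against /export/am71adm/am-staging/WEB-INF/web.xml with /export/am71adm/bootstrap as the second argument, then check the value with boot_classpath_value before step 9.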


Procedure: To Deploy the Access Manager WAR File as Access Manager 1

Before You Begin

This procedure assumes you have just completed To Generate an Access Manager WAR File on the Access Manager 1 Host Machine.

  1. On the AccessManager-1 host machine, start the Web Server administration server.


    # cd /opt/SUNWwbsvr/admin-server/bin
    # ./startserv
    
  2. Change to the non-root user am71adm.


    # cd /opt/SUNWwbsvr/bin
    # su am71adm
    
  3. Start the Web Server AccessManager-1 instance.


    # cd /opt/SUNWwbsvr/https-AccessManager-1.example.com/bin
    # ./startserv
    
  4. Run wadm add-webapp to add the Access Manager WAR file to the Web Server.


    # ./wadm add-webapp --user=admin --host=AccessManager-1.example.com \
      --port=8989 --config=AccessManager-1.example.com \
      --vs=AccessManager-1.example.com \
      --uri=/amserver /export/am71adm/amserver.war
    
    Please enter admin-user-password> web4dmin
    ...
    Do you trust the above certificate? [yes/no] yes
    
    CLI201 Command 'add-webapp' ran successfully.
  5. Run wadm deploy-config to deploy the Access Manager WAR file.


    # ./wadm deploy-config --user=admin --host=AccessManager-1.example.com \
      --port=8989 AccessManager-1.example.com
    
    Please enter admin-user-password> web4dmin
    
    CLI201 Command 'deploy-config' ran successfully.
  6. To verify that the Access Manager WAR file was successfully deployed, list the contents of the Web Server instance directory.


    # cd /opt/SUNWwbsvr/https-AccessManager-1.example.com/\
    web-app/AccessManager-1.example.com
    # ls -al
    
    total 6
    drwxr-xr-x   3 am71adm  staff        512 Jul 19 11:08 .
    drwxr-xr-x   3 am71adm  staff        512 Jul 19 11:08 ..
    drwxr-xr-x  16 am71adm  staff        512 Jul 19 11:09 amserver

    amserver exists in the directory and is owned by the non-root user am71adm.

  7. Restart the Web Server instance.


    # cd /opt/SUNWwbsvr/https-AccessManager-1.example.com/bin
    # ./stopserv; ./startserv
    
  8. Log out of the AccessManager-1 host machine.

Procedure: To Copy the Access Manager WAR File to Access Manager 2

Before You Begin

This procedure assumes you have completed To Generate an Access Manager WAR File on the Access Manager 1 Host Machine.

  1. As a root user, log in to the AccessManager-2 host machine.

  2. Change to the non-root user am71adm.


    # su am71adm
    
  3. Change into the am71adm directory.


    # cd /export/am71adm
    
  4. Copy amserver.war from the AccessManager-1 host machine to the am71adm directory.

  5. Verify that the WAR file was copied into the proper location and with the appropriate permissions.


    # ls -al
    
    total 62260
    drwxr-xr-x   5 am71adm  staff        512 Jul 19 12:10 .
    drwxr-xr-x   6 root     sys          512 Jul 19 11:53 ..
    -rw-r--r--   1 am71adm  staff        144 Jul 19 11:53 .profile
    drwx------   3 am71adm  staff        512 Jul 19 11:57 .sunw
    -rw-r--r--   1 am71adm  staff        566 Jul 19 12:05 .wadmtruststore
    -rw-r--r--   1 am71adm  staff   31834862 Jul 19 12:01 amserver.war
    -rw-r--r--   1 am71adm  staff        136 Jul 19 11:53 local.cshrc
    -rw-r--r--   1 am71adm  staff        157 Jul 19 11:53 local.login
    -rw-r--r--   1 am71adm  staff        174 Jul 19 11:53 local.profile

    The amserver.war file is owned by am71adm.

Procedure: To Deploy the Access Manager WAR File as Access Manager 2

Before You Begin

This procedure assumes you have just completed To Copy the Access Manager WAR File to Access Manager 2.

  1. On the AccessManager-2 host machine, start the Web Server administration server.


    # cd /opt/SUNWwbsvr/admin-server/bin
    # ./startserv
    
  2. Change to the non-root user am71adm.


    # cd /opt/SUNWwbsvr/bin
    # su am71adm
    
  3. Start the Web Server AccessManager-2 instance.


    # cd /opt/SUNWwbsvr/https-AccessManager-2.example.com/bin
    # ./startserv
    
  4. Run wadm add-webapp to add the Access Manager WAR file to the Web Server container.


    # ./wadm add-webapp --user=admin --host=AccessManager-2.example.com \
      --port=8989 --config=AccessManager-2.example.com \
      --vs=AccessManager-2.example.com \
      --uri=/amserver /export/am71adm/amserver.war
    
    Please enter admin-user-password> web4dmin
    ...
    Do you trust the above certificate? [yes/no] yes
    
    CLI201 Command 'add-webapp' ran successfully.
  5. Run wadm deploy-config to deploy the Access Manager WAR file.


    # ./wadm deploy-config --user=admin --host=AccessManager-2.example.com \
      --port=8989 AccessManager-2.example.com
    
    Please enter admin-user-password> web4dmin
    
    CLI201 Command 'deploy-config' ran successfully.
  6. To verify that the Access Manager WAR file was successfully deployed, list the contents of the Web Server instance directory.


    # cd /opt/SUNWwbsvr/https-AccessManager-2.example.com/\
    web-app/AccessManager-2.example.com
    # ls -al
    
    total 6
    drwxr-xr-x   3 am71adm  staff        512 Jul 19 12:07 .
    drwxr-xr-x   3 am71adm  staff        512 Jul 19 12:07 ..
    drwxr-xr-x  16 am71adm  staff        512 Jul 19 12:07 amserver

    amserver exists in the directory and is owned by the non-root user am71adm.

  7. Restart the Web Server instance.


    # cd /opt/SUNWwbsvr/https-AccessManager-2.example.com/bin
    # ./stopserv; ./startserv
    
  8. Log out of the AccessManager-2 host machine.

Procedure: To Configure Access Manager 1

Before You Begin

The encryption key used in this procedure must be identical to the encryption key used in the procedure To Configure Access Manager 2. You should therefore save the encryption key from this procedure for easy access when you are configuring Access Manager 2.


Note –

This constraint is particular to this deployment example only.


  1. Access http://AccessManager-1.example.com:1080/amserver from a web browser.

    The Access Manager Configurator page is displayed on first-time access.

  2. Provide the following information on the Configurator page.

    Administrator: Password:

    4m4dmin1

    Administrator: Retype Password:

    4m4dmin1

    General Settings: Configuration Directory:

    /export/am71adm/config

    General Settings: Encryption Key:

    The value is PXXdT8Sf+ubQwxUhB+/R37LVBrJFYNnhR.


    Tip –

    Copy the value from this field, and save it for use in To Configure Access Manager 2.


    Configuration Store Settings: Type:

    Choose Directory Server.


    Caution –

    It is a common mistake to accept the default value here. Be sure to choose Directory Server.


    Server Settings: Name:

    LoadBalancer-1.example.com

    Server Settings: Port:

    389

    Server Settings: Suffix to store configuration data:

    dc=example,dc=com

    Directory Server Administrator: Directory Administrator DN:

    cn=Directory Manager

    Directory Server Administrator: Password:

    d1rm4n4ger

    Directory Server Administrator: Retype Password:

    d1rm4n4ger

    Load User Management Schema:

    Click the box to mark it.

  3. Click Configure.

    When configuration is complete, you are redirected to the Access Manager login page.

  4. Log in to the Access Manager console as the administrator.

    User Name:

    amadmin

    Password:

    4m4dmin1

    If authentication succeeds, Access Manager has successfully accessed the Directory Server load balancer. You should see the example realm in the Realm page.

  5. Log out of the Access Manager console.

  6. (Optional) To verify that the Access Manager schema was successfully loaded into the configuration data instance on the DirectoryServer-1 host machine, do the following.

    1. As a root user, log in to the DirectoryServer-1 host machine.

    2. Run ldapsearch.


      # ldapsearch -p 1389 -b "dc=example,dc=com" -D "cn=Directory Manager" \
        -w d1rm4n4ger "(objectclass=*)"
      

      You should see a number of entries for Access Manager administrators and special users.

    3. Log out of the DirectoryServer-1 host machine.

  7. (Optional) To verify that the config directory and the supporting bootstrap directory have been created with the proper permissions, do the following.

    1. As a root user, log in to the AccessManager-1 host machine.

    2. Examine the file system.


      # cd /export/am71adm
      # ls -al
      
      total 62262
      drwxr-xr-x   6 am71adm  staff        512 Jul 19 11:46 .
      drwxr-xr-x   5 root     sys          512 Jul 19 10:30 ..
      -rw-r--r--   1 am71adm  staff        144 Jul 19 10:30 .profile
      drwx------   3 am71adm  staff        512 Jul 19 10:40 .sunw
      -rw-r--r--   1 am71adm  staff        566 Jul 19 11:06 .wadmtruststore
      drwxr-xr-x  16 am71adm  staff        512 Jul 19 10:47 am-staging
      -rw-r--r--   1 am71adm  staff   31834862 Jul 19 10:56 amserver.war
      drwxr-xr-x   3 am71adm  staff        512 Jul 19 11:46 bootstrap
      drwxr-xr-x   3 am71adm  staff        512 Jul 19 11:46 config
      -rw-r--r--   1 am71adm  staff        136 Jul 19 10:30 local.cshrc
      -rw-r--r--   1 am71adm  staff        157 Jul 19 10:30 local.login
      -rw-r--r--   1 am71adm  staff        174 Jul 19 10:30 local.profile

      The config directory and the bootstrap directory were created, and are owned by non-root user am71adm.

    3. Log out of the AccessManager-1 host machine.

Troubleshooting

If you cannot log in successfully, try the fully qualified name for the user amadmin. If you can authenticate using the fully qualified name, you can focus on issues other than authentication and login. In the /export/am71adm/config/AMConfig.properties file, the value of com.sun.identity.authentication.super.user is the fully qualified name for amadmin; in this example, uid=amAdmin,ou=People,dc=example,dc=com.

Procedure: To Configure Access Manager 2

The encryption key used in this procedure must be identical to the encryption key used in the procedure To Configure Access Manager 1. If you did not save the encryption key, it can be found as the value of the am.encryption.pwd property in the /export/am71adm/config/AMConfig.properties file on the Access Manager 1 host machine.


Note –

This constraint is particular to this deployment example only.


  1. Access http://AccessManager-2.example.com:1080/amserver from a web browser.

    The Access Manager Configurator page is displayed on first-time access.

  2. Provide the following information on the Configurator page.

    Administrator: Password:

    4m4dmin1

    Administrator: Retype Password:

    4m4dmin1

    General Settings: Configuration Directory:

    /export/am71adm/config

    General Settings: Encryption Key:

    PXXdT8Sf+ubQwxUhB+/R37LVBrJFYNnhR


    Caution –

    Be sure this value is copied from Access Manager 1. See To Configure Access Manager 1.


    Configuration Store Settings: Type:

    Choose Directory Server.


    Caution –

    It is a common mistake to accept the default value here. Be sure to choose Directory Server.


    Server Settings: Name:

    LoadBalancer-1.example.com

    Server Settings: Port:

    389

    Server Settings: Suffix to store configuration data:

    dc=example,dc=com

    Directory Server Administrator: Directory Administrator DN:

    cn=Directory Manager

    Directory Server Administrator: Password:

    d1rm4n4ger

    Directory Server Administrator: Retype Password:

    d1rm4n4ger

    Load User Management Schema:

    Caution –

    Do not mark the box with a check. The user management schema was loaded into Directory Server when you configured Access Manager 1.


  3. Click Configure.

    When configuration is complete, you are redirected to the Access Manager login page.

  4. Log in to the Access Manager console as the administrator.

    User Name:

    amadmin

    Password:

    4m4dmin1

    If authentication succeeds, Access Manager has successfully accessed the Directory Server load balancer. You should see the example realm in the Realm page.

  5. Click the example realm name.

    You should see three values in the Realms/DNS Aliases List.

    • accessmanager-1.example.com

    • accessmanager-2.example.com

    • example

  6. Log out of the Access Manager console.

  7. (Optional) To verify that the config directory and the supporting bootstrap directory have been created with the proper permissions, do the following.

    1. As a root user, log in to the AccessManager-2 host machine.

    2. Examine the file system.


      # cd /export/am71adm
      # ls -al
      
      total 62262
      drwxr-xr-x   6 am71adm  staff        512 Jul 19 11:46 .
      drwxr-xr-x   5 root     sys          512 Jul 19 10:30 ..
      -rw-r--r--   1 am71adm  staff        144 Jul 19 10:30 .profile
      drwx------   3 am71adm  staff        512 Jul 19 10:40 .sunw
      -rw-r--r--   1 am71adm  staff        566 Jul 19 11:06 .wadmtruststore
      -rw-r--r--   1 am71adm  staff   31834862 Jul 19 10:56 amserver.war
      drwxr-xr-x   3 am71adm  staff        512 Jul 19 11:46 bootstrap
      drwxr-xr-x   3 am71adm  staff        512 Jul 19 11:46 config
      -rw-r--r--   1 am71adm  staff        136 Jul 19 10:30 local.cshrc
      -rw-r--r--   1 am71adm  staff        157 Jul 19 10:30 local.login
      -rw-r--r--   1 am71adm  staff        174 Jul 19 10:30 local.profile

      amserver.war and the bootstrap and config directories are all present in this directory, and are owned by the non-root user am71adm.

    3. Log out of the AccessManager-2 host machine.

Troubleshooting

If you cannot log in successfully, try the fully qualified name for the user amadmin. If you can authenticate using the fully qualified name, you can focus on issues other than authentication and login. In the /export/am71adm/config/AMConfig.properties file, the value of com.sun.identity.authentication.super.user is the fully qualified name for amadmin; in this example, uid=amAdmin,ou=People,dc=example,dc=com.
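Both configuration procedures require the same encryption key on Access Manager 1 and Access Manager 2, and the guide names am.encryption.pwd in /export/am71adm/config/AMConfig.properties as the place to recover it. The shell functions below are an added example, not from the Sun guide: they compare that property across the two hosts' files and, because the file holds the key and the super-user DN, confirm it is readable only by its owner. They assume both AMConfig.properties files have been copied to one machine; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the Sun guide): check that two Access Manager
# instances share the same am.encryption.pwd and that the properties file
# holding it is not readable by group or others.
# Assumption: each host's /export/am71adm/config/AMConfig.properties has been
# copied to this machine (for example with scp) under any file name.

# Usage: am_property <AMConfig.properties> <property-name>
# Prints the value of a Java-style "key=value" property, skipping comment lines.
# Only the first "=" separates key from value, so values containing "=" survive.
am_property() {
    awk -v key="$2" -F= '
        /^[[:space:]]*#/ { next }
        $1 == key { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# Usage: encryption_keys_match <AM1 properties file> <AM2 properties file>
# Returns 0 only when both files carry the same, non-empty am.encryption.pwd.
encryption_keys_match() {
    k1=$(am_property "$1" am.encryption.pwd)
    k2=$(am_property "$2" am.encryption.pwd)
    [ -n "$k1" ] && [ "$k1" = "$k2" ]
}

# Usage: properties_file_private <properties file>
# Returns 0 when neither group nor others have the read bit (positions 5 and 8
# of the ls -l mode string); the file should be owner-only because it holds
# the encryption key and the super-user DN.
properties_file_private() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ????-??-??) return 0 ;;
        *) return 1 ;;
    esac
}
```

Run encryption_keys_match on the two copied files before trusting session failover between the instances; a mismatch means Access Manager 2 was configured with a different key and must be reconfigured with the value from Access Manager 1.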

Procedure: To Back Up the Access Manager Configuration Data from Directory Server 1

Backing up your Access Manager configuration data ensures that if you run into problems later, you can revert to this configuration without having to reinstall Access Manager. In this procedure, we will back up the configuration data from Directory Server 1.

  1. As a root user, log in to the DirectoryServer-1 host machine.

  2. Stop the configuration data instance on Directory Server 1.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsadm stop /var/opt/mps/am-config
    
    Server stopped

    Note –

    The backup utility db2ldif can be used only after the slapd process has been shut down.


  3. Change to the am-config directory.


    # cd /var/opt/mps/am-config
    
  4. Run db2ldif from within the am-config directory.


    # ./db2ldif -n dbExample
    
    ldiffile: /var/opt/mps/am-config/ldif/2007_06_27_132405.ldif
    [27/Jun/2007:13:24:06 -0700] - export dbExample: 
    Processed n entries (100%).
  5. (Optional) Create a README that describes the contents of the new LDIF file.


    # cd /var/opt/mps/am-config/ldif
    # ls
    
    2007_06_27_132405.ldif
    
    # cat > README
    
    Hit ENTER and type the following:
    
    2007_06_27_132405.ldif: backup after post-am install, pre-patch application
    
    Hit Control D to terminate the cat command
    
    ^D
    
    # ls
    
    2007_06_27_132405.ldif  README
  6. Start the configuration data instance on Directory Server 1.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsadm start /var/opt/mps/am-config
    
  7. Log out of the DirectoryServer-1 host machine.
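The LDIF written in step 4 is the rollback point for everything configured so far, so it is worth checking before it is relied on. The shell functions below are an added example, not part of the Sun guide: they count the exported entries, confirm the configuration suffix dc=example,dc=com is present, restrict the file mode (the export contains directory entries with password hashes), and append the README line from step 5 together with a cksum value so truncation or tampering is noticed later. The ldif_* and record_backup names are my own.

```shell
#!/bin/sh
# Added example (not from the Sun guide): sanity-check a db2ldif export before
# treating it as the rollback point, then record it in the README the guide
# creates by hand in step 5.
# Assumption: the LDIF was produced by the db2ldif step above and the
# configuration suffix is dc=example,dc=com, as in this deployment example.

# Usage: ldif_entry_count <file.ldif>
# Prints the number of entries (db2ldif writes one "dn:" line per entry).
ldif_entry_count() {
    grep -c '^dn:' "$1" || true
}

# Usage: ldif_has_suffix <file.ldif> <suffix>
# Returns 0 when the suffix entry itself is present, i.e. the export covered
# the whole database rather than a subtree.
ldif_has_suffix() {
    grep -qi "^dn: *$2\$" "$1"
}

# Usage: record_backup <ldif-dir> <file.ldif> <description>
# Refuses an empty export, makes the file owner-only (it holds password
# hashes), and appends a README line with entry count and cksum checksum.
record_backup() {
    ldifdir="$1"; ldif="$2"; desc="$3"
    [ -s "$ldifdir/$ldif" ] || { echo "empty or missing $ldif" >&2; return 1; }
    chmod 600 "$ldifdir/$ldif"
    sum=$(cksum "$ldifdir/$ldif" | awk '{ print $1 " " $2 }')
    printf '%s: %s (entries=%s cksum=%s)\n' "$ldif" "$desc" \
        "$(ldif_entry_count "$ldifdir/$ldif")" "$sum" >> "$ldifdir/README"
}
```

Run record_backup /var/opt/mps/am-config/ldif 2007_06_27_132405.ldif "backup after post-am install, pre-patch application" in place of the manual cat in step 5; later, cksum on the file can be compared with the README line before a restore.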