Deployment Example 1: Access Manager 7.1 Load Balancing, Distributed Authentication UI, and Session Failover

9.1.2 Installing and Configuring the J2EE Container 1 and J2EE Policy Agent 1 on Protected Resource 1

You will download the BEA WebLogic Server bits and install this application server on the ProtectedResource-1 host machine. Additionally, you will download and install the appropriate J2EE policy agent, deploy the policy agent application, set up an authentication provider, and modify the Bypass Principal List. All of these tasks must be completed before the agent can do its job. Use the following list of procedures as a checklist for installing Application Server 1 and the J2EE Policy Agent 1.

  1. To Create an Agent Profile for the J2EE Policy Agent 1

  2. To Create Manager and Employee Groups Using Access Manager for J2EE Policy Agent Test

  3. To Install BEA WebLogic Server as J2EE Container 1 on Protected Resource 1

  4. To Configure BEA WebLogic Server as J2EE Container 1 on Protected Resource 1

  5. To Install the J2EE Policy Agent 1 on Application Server 1

  6. To Deploy the J2EE Policy Agent 1 Application

  7. To Start the J2EE Policy Agent 1 Application

  8. To Set Up the J2EE Policy Agent 1 Authentication Provider

  9. To Edit the J2EE Policy Agent 1 AMAgent.properties File

Procedure: To Create an Agent Profile for the J2EE Policy Agent 1

This new agent profile will be used by J2EE Policy Agent 1 to authenticate to Access Manager.

  1. Access http://LoadBalancer-3.example.com:7070/amserver/UI/Login, the Access Manager load balancer, from a web browser.

  2. Log in to the Access Manager console as the administrator.

    Username

    amadmin

    Password

    4m4dmin1

  3. On the Access Control tab, click the top-level realm, example.

  4. Click the Subjects tab.

  5. Click the Agents tab.

  6. On the Agent page, click New.

  7. On the New Agent page, provide the following information and click OK.

    ID:

    j2eeagent-1

    Password:

    j2ee4gent1

    Password Confirm:

    j2ee4gent1

    Device State:

    Choose Active.

    The new agent j2eeagent-1 is displayed in the list of Agent Users.

  8. Log out of the Access Manager console.

  9. As a root user, log into the ProtectedResource-1 host machine.

  10. Create a directory into which you can download the J2EE policy agent bits and change into it.


    # mkdir /export/J2EEPA1
    # cd /export/J2EEPA1
    
  11. Create a text file that contains the Agent Profile password.

    The J2EE Policy Agent installer requires this file for installation.


    # cat > agent.pwd
    j2ee4gent1
    
    Press Control-D to terminate the command.
    
    ^D
    
  12. Log out of the ProtectedResource-1 host machine.

Procedure: To Create Manager and Employee Groups Using Access Manager for J2EE Policy Agent Test

A group represents a collection of users with a common function, feature, or interest. The groups created in this section will be used to test the policy agent after installation.

  1. Access http://LoadBalancer-3.example.com:7070/amserver/UI/Login, the Access Manager load balancer, from a web browser.

  2. Log in to the Access Manager console as the administrator.

    Username

    amadmin

    Password

    4m4dmin1

  3. On the Access Control tab, click the users realm.

  4. Click the Subjects tab.

  5. Click the Groups tab.

  6. Create a manager group for the Users realm.

    1. On the Groups page, click New.

    2. On the New Group page, enter Manager-Group as the ID and click OK.

      The Manager-Group is displayed in the list of Groups.

    3. Click Manager-Group in the list of Groups.

    4. Copy the value of the Universal ID and save it to a text file.

      You will need this value in To Configure Properties for the J2EE Policy Agent 1 Sample Application.

    5. Click the Users tab.

      You should see the users that were created in Chapter 7, Configuring an Access Manager Realm for User Authentication.

    6. Select Test User1 from the list and click Add.

    7. Click Save.

    8. Click Back to Subjects.

  7. Create an employee group for the Users realm.

    1. On the Groups page, click New.

    2. On the New Group page, enter Employee-Group as the ID and click OK.

      The Employee-Group is displayed in the list of Groups.

    3. Click Employee-Group in the list of Groups.

    4. Copy the value of the Universal ID and save it to a text file.

      You will need this value in To Configure Properties for the J2EE Policy Agent 1 Sample Application.

    5. Click the Users tab.

      You should see the users that were created in Chapter 7, Configuring an Access Manager Realm for User Authentication.

    6. Select Test User2 from the list and click Add.

    7. Click Save.

    8. Click Back to Subjects.

  8. Log out of the Access Manager console.

Procedure: To Install BEA WebLogic Server as J2EE Container 1 on Protected Resource 1

BEA WebLogic Server is the application server used as the J2EE container on Protected Resource 1. After installing the bits in this procedure, see To Configure BEA WebLogic Server as J2EE Container 1 on Protected Resource 1.

  1. As a root user, log into the ProtectedResource-1 host machine.

  2. Ensure that your system is properly patched.

    Refer to the BEA web site to make sure that your system has the recommended patches.

  3. Create a directory into which you can download the WebLogic Server bits and change into it.


    # mkdir /export/BEAWL92
    # cd /export/BEAWL92
    
  4. Download the WebLogic Server bits from http://commerce.bea.com/.

    For this deployment, we download the Solaris version.


    # ls -al
    
    total 294548
    drwxr-xr-x   2 root     root         512 Aug  7 13:23 .
    drwxr-xr-x   3 root     sys          512 Aug  7 13:16 ..
    -rw-r--r--   1 root     root     722048346 Aug  7 13:24 portal920_solaris32.bin
    
  5. Run the installer.


    # ./portal920_solaris32.bin
    
  6. When prompted, do the following:


    Accept the License agreement

    Select Yes and click Next. 


    Create a new BEA Home

    Type /usr/local/bea and click Next.


    Select "Custom"

    Click Next. 


    Deselect the following:
    - Workshop for WebLogic Platform
    - WebLogic Portal

    Click Next. 


    Choose Product Installation Directories

    Type /usr/local/bea/weblogic92 and click Next.


    Installation Complete

    Deselect Run Quickstart and click Done.

  7. Verify that the application was correctly installed.


    # cd /usr/local/bea
    # ls -al
    
    total 34
    drwxr-xr-x   6 root     root         512 Sep 13 14:26 .
    drwxr-xr-x   3 root     root         512 Sep 13 14:22 ..
    -rwxr-xr-x   1 root     root         851 Sep 13 14:26 UpdateLicense.sh
    -rw-r--r--   1 root     root          14 Sep 13 14:26 beahomelist
    drwxr-xr-x   6 root     root         512 Sep 13 14:26 jdk150_04
    -rw-r--r--   1 root     root        7818 Sep 13 14:26 license.bea
    drwxr-xr-x   2 root     root         512 Sep 13 14:26 logs
    -rw-r--r--   1 root     root         947 Sep 13 14:26 registry.xml
    drwxr-xr-x   3 root     root         512 Sep 13 14:26 utils
    drwxr-xr-x  10 root     root         512 Sep 13 14:26 weblogic92

Procedure: To Configure BEA WebLogic Server as J2EE Container 1 on Protected Resource 1

After installing the bits, WebLogic Server must be configured.

Before You Begin

This procedure assumes you have just completed To Install BEA WebLogic Server as J2EE Container 1 on Protected Resource 1.

  1. Run the WebLogic Server configuration script.


    # cd /usr/local/bea/weblogic92/common/bin
    # ./config.sh
    
  2. When prompted, do the following:


    Select "Create a new Weblogic domain"

    Click Next. 


    Select "Generate a domain configured automatically 
    to support the following BEA products:"

    Click Next. 


    Configure Administrator Username and Password

    Enter the following and click Next. 

    • Username: weblogic

    • Password: w3bl0g1c


    Select "Production Mode" and "BEA Supplied JDKs" 
    (Sun SDK 1.5.0_04@/usr/local/bea/jdk150_04)

    Click Next. 


    Customize Environment and Services Settings

    Select yes and click Next.


    Configure the Administration Server

    Accept the default values and click Next. 


    Configure Managed Servers

    Select Add, enter the following values, and click Next. 

    • Name: ApplicationServer-1

    • Listen Port: 1081


    Configure Clusters

    Accept the default values and click Next. 


    Configure Machines

    Select the Unix Machine tab, then select Add, type ProtectedResource-1, and click Next.


    Assign Servers to Machines

    From the left panel select AdminServer and ApplicationServer-1. From the right panel select ProtectedResource-1. Click --> and then click Next.


    Review WebLogic Domain

    Click Next. 


    Create WebLogic Domain

    Add the following and click Create. 

    • Domain name: ProtectedResource-1

    • Domain Location: /usr/local/bea/user_projects/domains (default)


    Creating Domain

    Click Done. 

  3. Start the WebLogic administration server.


    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1
    # ./startWebLogic.sh
    

    When prompted, type the following credentials.

    Username

    weblogic

    Password

    w3bl0g1c

  4. Run the netstat command to verify that the port is open and listening.


    # netstat -an | grep 7001
    
    XXX.XX.XX.151.7001         *.*                0      0 49152      0 LISTEN
    XXX.X.X.1.7001             *.*                0      0 49152      0 LISTEN

    Note –

    You can also access the administration console by pointing a web browser to http://protectedresource-1.example.com:7001/console.


  5. Change to the AdminServer directory.


    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/servers/AdminServer
    
  6. Create a security directory and change into it.


    # mkdir security
    # cd security
    
  7. Create a boot.properties file for the WebLogic Server administration server administrator credentials.

    The administrative user and password are stored in boot.properties. Application Server 1 uses this information during startup. WebLogic Server encrypts the file, so there is no security risk even if you enter the user name and password in clear text.


    # cat > boot.properties
    username=weblogic
    password=w3bl0g1c
    
    Press Control-D to terminate the command.
    
    ^D
    
  8. Restart WebLogic to encrypt the username and password in boot.properties.


    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # ./stopWebLogic.sh
    # ./startWebLogic.sh
    
  9. Start the managed servers.


    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    

    You will be prompted for the administrative user credentials.

    Username

    weblogic

    Password

    w3bl0g1c

  10. Change to the ApplicationServer-1 directory.


    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/servers/ApplicationServer-1
    
  11. Create a security directory and change into it.


    # mkdir security
    # cd security
    
  12. Create a boot.properties file for the WebLogic Server managed server administrator credentials.

    The administrative user and password are stored in boot.properties. The ApplicationServer-1 managed server uses this information during startup. WebLogic Server encrypts the file, so there is no security risk even if you enter the user name and password in clear text.


    # cat > boot.properties
    username=weblogic
    password=w3bl0g1c
    
    Press Control-D to terminate the command.
    
    ^D
    
  13. Restart the managed server.


    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    # ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    
  14. Run the netstat command to verify that the port is open and listening.


    # netstat -an | grep 1081
    
    XXX.X.X.1.1081             *.*                0      0 49152      0 LISTEN
    XXX.XX.XX.151.1081         *.*                0      0 49152      0 LISTEN

  15. Access http://ProtectedResource-1.example.com:7001/console from a web browser.

  16. Log in to the BEA WebLogic Server as the administrator.

    Username

    weblogic

    Password

    w3bl0g1c

  17. Click servers.

    On the Summary of Servers page, verify that both AdminServer (admin) and ApplicationServer-1 are running and OK.

  18. Log out of the console.

  19. Log out of the ProtectedResource-1 host machine.
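Steps 7 and 8 (and 12 and 13) rely on the restart to replace the clear-text credentials in boot.properties. The following script is an added example, not part of the Sun guide, that checks both files after the restart; it assumes that a value WebLogic has encrypted begins with "{" (for example "{3DES}...") and that the domain lives at the page's default path unless DOMAIN is overridden.

```shell
#!/bin/sh
# Added example (not from the Sun deployment guide): after the restarts in
# steps 8 and 13, confirm that WebLogic rewrote both boot.properties files
# so the administrator password is no longer stored in clear text, and that
# only the owner can read them. Assumption: an encrypted WebLogic value
# begins with "{" (e.g. "{3DES}..."); anything else is treated as clear text.

DOMAIN=${DOMAIN:-/usr/local/bea/user_projects/domains/ProtectedResource-1}

# boot_value FILE KEY -> prints the value of KEY (empty if absent)
boot_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# boot_props_encrypted FILE -> 0 if username and password both look
# encrypted, 1 if either is still clear text or missing
boot_props_encrypted() {
    for key in username password; do
        v=$(boot_value "$1" "$key")
        case $v in
            "{"*) ;;                       # "{3DES}..." style: encrypted
            *) echo "$1: $key is not encrypted" >&2; return 1 ;;
        esac
    done
    return 0
}

# boot_props_private FILE -> 0 if group and other have no permission bits
boot_props_private() {
    mode=$(ls -l "$1" | cut -c5-10)        # group+other part of "-rw-------"
    [ "$mode" = "------" ]
}

# check_boot_props DOMAIN_DIR -> checks the files created in steps 7 and 12
check_boot_props() {
    rc=0
    for srv in AdminServer ApplicationServer-1; do
        f="$1/servers/$srv/security/boot.properties"
        [ -f "$f" ] || { echo "$f: missing" >&2; rc=1; continue; }
        boot_props_encrypted "$f" || rc=1
        boot_props_private "$f" || { echo "$f: readable by group/other" >&2; rc=1; }
    done
    return $rc
}

if [ "${1:-}" = "check" ]; then
    check_boot_props "$DOMAIN" && echo "boot.properties files are encrypted and private"
fi
```

Run it as "sh check_boot.sh check" on the ProtectedResource-1 host after step 13; a non-zero exit means a file is missing, still clear text, or readable by other users.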

Procedure: To Install the J2EE Policy Agent 1 on Application Server 1

Before You Begin

You must stop both the WebLogic Server 1 instance and the WebLogic Server 1 administration server before beginning the installation process.

  1. As a root user, log into the ProtectedResource-1 host machine.

  2. Stop the WebLogic Server 1 administration server and the WebLogic Server 1 instance.


    # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
    # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    # ./stopWebLogic.sh
    
  3. Ensure that your system is properly patched.

    Read the appropriate policy agent Release Notes for your web container to determine the latest patches you might need to install before beginning installation. In this case, no patch is required.


    Note –

    You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch.


  4. Change into the J2EEPA1 directory.


    # cd /export/J2EEPA1
    
  5. Download the J2EE policy agent bits for WebLogic Server from http://www.sun.com/download/index.jsp.


    # ls -al
    
    total 8692
    drwxr-xr-x   2 root     root         512 Sep 13 13:19 .
    drwxr-xr-x   5 root     sys          512 Aug 13 17:08 ..
    -rw-r--r--   1 root     root     4433920 Sep 13 13:19 SJS_Weblogic_92_agent_2.2.tar
    
  6. Unpack the J2EE policy agent bits.


    # /usr/sfw/bin/gtar -xvf /export/J2EEPA1/SJS_Weblogic_92_agent_2.2.tar
    

    Tip –

    Use the gtar command and not the tar command.


  7. Run the J2EE policy agent installer.


    # cd /export/J2EEPA1/j2ee_agents/am_wl92_agent/bin
    # ./agentadmin --install
    
  8. When prompted, provide the following information.


    Please read the following License Agreement carefully:

    Press Enter to continue. Continue to press Enter until you reach the end of the License Agreement. 


    Enter startup script location.

    Enter /usr/local/bea/user_projects/domains/ProtectedResource-1/bin/startWebLogic.sh


    Enter the WebLogic Server instance name: [myserver]

    Enter ApplicationServer-1


    Access Manager Services Host:

    Enter LoadBalancer-3.example.com


    Access Manager Services port: [80]

    Enter 7070


    Access Manager Services Protocol: [http]

    Accept the default value. 


    Access Manager Services Deployment URI: [/amserver]

    Accept the default value. 


    Enter the Agent Host name:

    Enter ProtectedResource-1.example.com


    Enter the WebLogic home directory: 
    [/usr/local/bea/weblogic92]

    Accept the default value. 


    Enter true if the agent is being 
    installed on a Portal domain:

    Accept false, the default value.


    Enter the port number for 
    Application Server instance [80]:

    Enter 1081


    Enter the Preferred Protocol for 
    Application instance [http]:

    Accept the default value. 


    Enter the Deployment URI for 
    the Agent Application [/agentapp]

    Accept the default value. 


    Enter the Encryption Key 
    [j8C9QteM1HtC2OhTTDh/f1LhT38wfX1F]:

    Accept the default value. 


    Enter the Agent Profile Name:

    j2eeagent-1


    Enter the path to the password file:

    Enter /export/J2EEPA1/agent.pwd


    Are the Agent and Access Manager installed on 
    the same instance of Application Server? [false]:

    Accept the default value. 


    Verify your settings and decide from 
    the choices below:
    1. Continue with Installation
    2. Back to the last interaction
    3. Start Over
    4. Exit
    Please make your selection [1]:

    Accept the default value. 

    The installer runs and, when finished, creates a new file in the bin directory called setAgentEnv_ApplicationServer-1.sh.

  9. Modify the startup script setDomainEnv.sh to reference setAgentEnv_ApplicationServer-1.sh.


    Tip –

    Backup setDomainEnv.sh before you modify it.


    1. Change to the bin directory.


      # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
      
    2. Insert the following line at the end of setDomainEnv.sh.


      . /usr/local/bea/user_projects/domains/ProtectedResource-1/bin/setAgentEnv_ApplicationServer-1.sh

    3. Save setDomainEnv.sh and close the file.

  10. Change permissions for setAgentEnv_ApplicationServer-1.sh.


    # chmod 755 setAgentEnv_ApplicationServer-1.sh
    
  11. Start the WebLogic Server administration server.


    # ./startWebLogic.sh &
    

    Watch for startup errors.
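Steps 9 and 10 are easy to get wrong on a second pass (a duplicate source line, or a forgotten chmod). The following script is an added example, not part of the Sun guide or the agent distribution, that performs both steps so they can be re-run safely; the domain bin directory and managed server name are parameters, defaulting to the values used on this page.

```shell
#!/bin/sh
# Added example (not from the Sun deployment guide): steps 9 and 10 as one
# re-runnable function. It backs up setDomainEnv.sh (the tip above), appends
# the line that sources setAgentEnv_<server>.sh only if it is not already
# there, and makes the agent script executable.

# add_agent_env BIN_DIR SERVER -> 0 on success, 1 if the script written by
# "agentadmin --install" is not present in BIN_DIR
add_agent_env() {
    bindir=$1
    domainenv="$bindir/setDomainEnv.sh"
    agentenv="$bindir/setAgentEnv_$2.sh"
    if [ ! -f "$agentenv" ]; then
        echo "$agentenv not found; run agentadmin --install first" >&2
        return 1
    fi
    # -F -x: match the whole line literally, so a re-run adds nothing.
    if ! grep -F -x -q ". $agentenv" "$domainenv"; then
        cp -p "$domainenv" "$domainenv.bak.$(date +%Y%m%d%H%M%S)"
        # Start a fresh line if the file does not end with a newline.
        if [ -n "$(tail -c 1 "$domainenv")" ]; then
            echo >> "$domainenv"
        fi
        echo ". $agentenv" >> "$domainenv"
    fi
    chmod 755 "$agentenv"                 # step 10
}

# count_agent_env_lines BIN_DIR SERVER -> number of lines in setDomainEnv.sh
# that source the agent script (should be exactly 1 after any number of runs)
count_agent_env_lines() {
    grep -F -x -c ". $1/setAgentEnv_$2.sh" "$1/setDomainEnv.sh"
}

if [ "${1:-}" = "apply" ]; then
    add_agent_env /usr/local/bea/user_projects/domains/ProtectedResource-1/bin ApplicationServer-1
fi
```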

Procedure: To Deploy the J2EE Policy Agent 1 Application

The agent application is a housekeeping application bundled with the agent binaries and used by the agent for notifications and other internal functionality. In order for the agent to function correctly, this application must be deployed on the agent-protected deployment container instance using the same URI that was supplied during the agent installation process. For example, during the installation process, if you entered /agentapp as the deployment URI for the agent application, use that same context path in the deployment container.

  1. Access http://ProtectedResource-1.example.com:7001/console from a web browser.

  2. Log in to the WebLogic Server console as the administrator.

    Username

    weblogic

    Password

    w3bl0g1c

  3. Under Domain Structure, click Deployments.

  4. On the Summary of Deployments page, in the Change Center, click Lock & Edit.

  5. Under Deployments, click Install.

  6. On the Install Application Assistant page, click the protectedresource-1.example.com link.

  7. In the field named Location: protectedresource-1.example.com, click the root directory.

  8. Navigate to /export/J2EEPA1/j2ee_agents/am_wl92_agent/etc, the application directory.

  9. Select agentapp.war and click Next.

  10. In the Install Application Assistant page, choose Install this deployment as an application and click Next.

  11. In the list of Servers, mark the checkbox for ApplicationServer-1 and click Next.

  12. In the Optional Settings page, click Next.

  13. Click Finish.

  14. On the Settings for agentapp page, click Save.

  15. In the Change Center, click Activate Changes.

Procedure: To Start the J2EE Policy Agent 1 Application

Before You Begin

This procedure assumes that you have just completed To Deploy the J2EE Policy Agent 1 Application.

  1. In the WebLogic Server console, on the Settings for agentapp page, click Deployments.

  2. On the Summary of Deployments page, mark the agentapp checkbox and click Start > Servicing all requests.

  3. On the Start Application Assistant page, click Yes.


    Note –

    You may encounter a JavaScript error because the agent application will not start until you start the WebLogic Server instance. In this case, start ApplicationServer-1 and perform the steps again.


Procedure: To Set Up the J2EE Policy Agent 1 Authentication Provider

Before You Begin

This procedure assumes that you have just completed To Start the J2EE Policy Agent 1 Application.

  1. In the WebLogic Server console, on the Summary of Deployments page, under Domain Structure, click Security Realms.

  2. On the Summary of Security Realms page, click Lock & Edit.

  3. Click the myrealm link.

  4. On the Settings for myrealm page, click the Providers tab.

  5. Under Authentication Providers, click New.

  6. On the Create a New Authentication Provider page, provide the following information and click OK.

    Name:

    Agent-1

    Type:

    Select AgentAuthenticator from the drop-down list.

    Agent-1 is now included in the list of Authentication Providers.

  7. In the list of Authentication Providers, click Agent-1.

  8. In the Settings for Authentication Providers page, verify that the Control Flag is set to OPTIONAL.

  9. In the navigation tree near the top of the page, click Providers.

  10. In the list of Authentication Providers, click DefaultAuthenticator.

  11. In the Settings for DefaultAuthenticator page, set the Control Flag to OPTIONAL and click Save.

  12. In the navigation tree near the top of the page, click Providers again.

  13. In the Change Center, click Activate Changes.

  14. If indicated by the console, restart the servers.

    1. Log out of the WebLogic Server console.

    2. As a root user, log into the ProtectedResource-1 host machine.

    3. Restart the administration server and the managed instance.


      # cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
      # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
      # ./stopWebLogic.sh
      # ./startWebLogic.sh
      # ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
      
    4. Log out of the ProtectedResource-1 host machine.

Procedure: To Edit the J2EE Policy Agent 1 AMAgent.properties File

  1. As a root user, log into the ProtectedResource-1 host machine.

  2. Change to the directory that contains the AMAgent.properties file.


    # cd /export/J2EEPA1/j2ee_agents/am_wl92_agent/agent_001/config
    

    Tip –

    Backup AMAgent.properties before you modify it.


  3. Make the following modifications to AMAgent.properties.

    1. Set the following property.

      com.sun.identity.agents.config.bypass.principal[0] = weblogic

      This ensures that the WebLogic administrator will be authenticated against WebLogic itself and not Access Manager.

    2. At the end of the file, insert the following new property.

      com.sun.identity.session.resetLBCookie=true

      You must add this property if session failover has been configured for Access Manager. If session failover is not configured and this property is added, it could negatively impact performance. If session failover is enabled for Access Manager and this property is not added, the session failover functionality will work properly, but the stickiness to the Access Manager server will not be maintained after failover occurs. This property is not required for web policy agents.


      Tip –

      If this property is added here, it must also be added to the Access Manager file AMConfig.properties.


  4. Save and close the file.

  5. Log out of the ProtectedResource-1 host machine.
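The two edits in step 3, and the tip that resetLBCookie must be mirrored in AMConfig.properties, can be applied and verified with the following script. It is an added example, not part of the Sun guide or the agent distribution; the file paths are parameters (the page's agent config directory is /export/J2EEPA1/j2ee_agents/am_wl92_agent/agent_001/config) and the helper assumes property values contain no "&" or "/".

```shell
#!/bin/sh
# Added example (not from the Sun deployment guide): make the AMAgent.properties
# changes of step 3 with a .orig backup (the tip above), then check the caveat
# that resetLBCookie=true on the agent side must also be set on the Access
# Manager side (AMConfig.properties).

RESET_KEY=com.sun.identity.session.resetLBCookie
BYPASS_KEY='com.sun.identity.agents.config.bypass.principal[0]'

# regex_escape KEY -> KEY with BRE metacharacters escaped
# ('.' and '[' both occur in the bypass principal key)
regex_escape() {
    printf '%s' "$1" | sed 's|[.[*^$]|\\&|g'
}

# get_property FILE KEY -> prints the value of KEY (empty if not set)
get_property() {
    k=$(regex_escape "$2")
    sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# set_property FILE KEY VALUE -> replaces an existing "KEY = ..." line, or
# appends one; FILE.orig is saved before the first change. VALUE must not
# contain '&' or '/' because it is used as sed replacement text.
set_property() {
    f=$1; k=$(regex_escape "$2")
    [ -f "$f.orig" ] || cp -p "$f" "$f.orig"
    if grep -q "^[[:space:]]*$k[[:space:]]*=" "$f"; then
        sed "s/^[[:space:]]*$k[[:space:]]*=.*/$2 = $3/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf '%s = %s\n' "$2" "$3" >> "$f"
    fi
}

# configure_agent AGENT_PROPS -> applies both edits from step 3
configure_agent() {
    set_property "$1" "$BYPASS_KEY" weblogic  # admin authenticates to WebLogic itself
    set_property "$1" "$RESET_KEY" true       # required when AM session failover is on
}

# check_reset_lb_cookie AGENT_PROPS AMCONFIG_PROPS -> 1 if the agent sets
# resetLBCookie=true but the Access Manager side does not
check_reset_lb_cookie() {
    if [ "$(get_property "$1" "$RESET_KEY")" = true ] \
       && [ "$(get_property "$2" "$RESET_KEY")" != true ]; then
        echo "$RESET_KEY=true in $1 but not in $2" >&2
        return 1
    fi
    return 0
}
```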