Chapter 3 Deploying Multiple Access Manager Instances

Deploying multiple Access Manager instances on different host servers, with each instance accessing the same Directory Server, includes these steps:

• Running the Java Enterprise System (Java ES) Installer

• Configuring Access Manager Using the amconfig Script

• Adding Additional Instances to the Platform Server List and Realm/DNS Aliases

Running the Java Enterprise System (Java ES) Installer

Install the first Access Manager instance on a host server by running the Java ES installer. Considerations for running the installer include:

• When you run the installer, you can also install other Java ES components such as Directory Server, Message Queue, and either Web Server or Application Server as the Access Manager web container.

• After installation, the amconfig script and the amsamplesilent configuration file are available in the following directory, depending on your platform:

  • Solaris systems: AccessManager-base /SUNWam/bin

  • Linux systems: AccessManager-base/identity/bin

  Where: AccessManager-base represents the Access Manager base installation directory. On Solaris systems, the default base installation directory is /opt, and on Linux systems, it is /opt/sun.

  On Windows systems, the amconfig.bat and AMConfigurator.properties files are available in the default installation directory: C:\Program files\Sun\JavaES5.

• When you run the installer, specify either the Configure Now or Configure Later option.

  • Configure Now: You configure Access Manager and the various Java ES components when you run the installer by choosing options (or default values). Not all Java ES components support this option.

  • Configure Later: When you run the Java ES installer, you specify only minimal configuration values. Then, you later configure the specific components by running a script or using an administration console. Access Manager provides the amconfig script and amsamplesilent file for postinstallation configuration.

• If you want to use an existing Directory Server that already contains user data, check ”Yes” for “Is Directory Server provisioned with user data?”.

• To use BEA WebLogic Server or IBM WebSphere Application Server as the web container, you must choose the Configure Later option when you install Access Manager, as follows:

  1. Install BEA WebLogic Server or IBM WebSphere Application Server by following the respective BEA or IBM product documentation.

  2. Install Access Manager by running the installer with the Configure Later option.

  3. Configure Access Manager for the web container by setting variables in the amsamplesilent configuration file (or a copy of the file) and then running the amconfig script.

For information about running the installer, see the Sun Java Enterprise System 5 Installation Guide for UNIX or the Sun Java Enterprise System 5 Installation Guide for Microsoft Windows.

Running the Java ES Installer on UNIX and Linux Systems

Considerations for running the Java ES installer on Solaris, HP-UX, and Linux systems to install an Access Manager instance include:

• When you run the installer, you can also install other Java ES components such as Directory Server, Message Queue, and either Web Server or Application Server as the Access Manager web container.

• After installation, the amconfig script and the amsamplesilent configuration file are available in the following directory, depending on your platform:

  • Solaris systems: AccessManager-base /SUNWam/bin

  • Linux systems: AccessManager-base/identity/bin

  Where: AccessManager-base represents the Access Manager base installation directory. On Solaris systems, the default base installation directory is /opt, and on Linux systems, it is /opt/sun.

• When you run the installer, specify either the Configure Now or Configure Later option.

  • Configure Now: You configure Access Manager and the various Java ES components when you run the installer by choosing options (or default values). Not all Java ES components support this option.

  • Configure Later: When you run the Java ES installer, you specify only minimal configuration values. Then, you later configure the specific components by running a script or using an administration console. Access Manager provides the amconfig script and amsamplesilent file for postinstallation configuration.

• If you want to use an existing Directory Server that already contains user data, check ”Yes” for “Is Directory Server provisioned with user data?”.

• To use BEA WebLogic Server or IBM WebSphere Application Server as the web container, you must choose the Configure Later option when you install Access Manager, as follows:

  1. Install BEA WebLogic Server or IBM WebSphere Application Server by following the respective BEA or IBM product documentation.

  2. Install Access Manager by running the installer with the Configure Later option.

  3. Configure Access Manager for the web container by setting variables in the amsamplesilent configuration file (or a copy of the file) and then running the amconfig script.

For information about running the installer, see the Sun Java Enterprise System 5 Installation Guide for UNIX or the Sun Java Enterprise System 5 Installation Guide for Microsoft Windows.

Running the Java ES Installer on Windows Systems

Considerations for running the Java ES installer on Windows systems to install an Access Manager instance include:

• When you run the installer, you can also install other Java ES components such as Directory Server, Message Queue, and either Web Server or Application Server as the Access Manager web container.

• After installation, the amconfig.bat and AMConfigurator.properties files are available in the following default installation directory: C:\Program files\sun\JavaES.

• When you run the installer, specify either the “Configure Automatically during install” or “Configure Manually after install” option.

  • Configure Automatically during install: You configure Access Manager and the various Java ES components when you run the installer by choosing options (or default values). Not all Java ES components support this option.

  • Configure Manually after install: When you run the Java ES installer, you specify only minimal configuration values. Then, you later configure the specific components by running a batch file or using an administration console. Access Manager provides the amconfig.bat and AMConfigurator.properties files for postinstallation configuration.

• If you want to use an existing Directory Server that already contains user data, check ”Yes” for “Is Directory Server provisioned with user data?”.

• To use BEA WebLogic Server or IBM WebSphere Application Server as the web container, you must choose the “Configure Manually after install” option when you install Access Manager, as follows:

  1. Install BEA WebLogic Server or IBM WebSphere Application Server by following the respective BEA or IBM product documentation.

  2. Install Access Manager by running the installer with the “Configure Manually after install” option.

  3. Configure Access Manager for the web container by setting variables in the AMConfigurator.properties configuration file (or a copy of the file) and then running amconfig.bat.

For information about running the installer, see the Sun Java Enterprise System Installation Guide for Windows.

Configuring Access Manager Using the amconfig Script

To configure or re-configure an Access Manager instance, set variables in the amsamplesilent file (or a copy of the file) and run the amconfig script.

To Configure Access Manager Using the amconfig Script

1. Login as (or become) superuser (root).

2. Copy and edit the amsamplesilent file.

   1. Copy the amsamplesilent file to a writable directory and make that directory your current directory.

      For example, you might create a directory named /newinstances.

   2. Rename the copy of the amsamplesilent file to describe the new instance you want to configure.

      For example, if you plan to create a new Access Manager instance for Web Server 7, you might rename the file to amwebsvr7.

   3. Set the variables in the amwebsvr7 file to configure or reconfigure the new instance.

      For example, to configure Access Manager in Realm Mode:

      AM_REALM=enabled
      DEPLOY_LEVEL=1
      NEW_INSTANCE=false
      WEB_CONTAINER=WS # Web Server 7 is the web container
      DIRECTORY_MODE=4  # Directory Server is provisioned with user data
      AM_ENC_PW=password-encryption-key-value-from-the-first-Access-Manager-instance
      ...

   Considerations for setting variables in the amsamplesilent file:

   • If you are using non-default naming attributes and object classes, specify the custom values as appropriate for the user naming and organization naming attributes and object classes. Also, all deploy URIs (SERVER_DEPLOY_URI, CONSOLE_DEPLOY_URI, PASSWORD_DEPLOY_URI, and COMMON_DEPLOY_URI) for the web applications must match the previous installation.

   • Use the same password encryption key as the first instance, as described in following Caution.

     ---

     Caution –

     In a multiple server deployment that shares the same Directory Server, all Access Manager instances must use the same value for the password encryption key.

     If you run the Java ES installer to install Access Manager on subsequent (second, third, and so on) servers in a multiple server deployment, the installer generates a new random password encryption key for each server. Therefore, when you run the installer on a subsequent server, use the encryption key value from the first Access Manager instance, which you can copy from the am.encryption.pwd attribute in the AMConfig.properties file and set as follows:

     • Configure Now option. Replace the new random encryption key generated by the installer with the encryption key value from the first instance.

     • Configure Later option. Set the AM_ENC_PWD variable in the copy of the amsamplesilent file with the encryption key value from the first instance before you run the amconfig script.

     However, if you need to change the password encryption key for an Access Manager instance, see Chapter 13, Changing the Password Encryption Key.

     ---

3. Run the amconfig script.

   For example, on Solaris systems with Access Manager installed in the default directory, run amconfig using the new amwebsvr7 file as the configuration input file:

   # cd /opt/SUNWam/bin/
   # ./amconfig -s ./newinstances/amwebsvr7

   Specify the full path to the amsamplesilent file (or copy of the file).

   The amconfigscript reads the variables in the amwebsvr7 file and then runs in silent mode (-s option) to configure Access manager for the web container.

   For more information about the amsamplesilent file and running the amconfig script, see Chapter 2, Running the Access Manager amconfig Script.

4. In case you might need to reconfigure or uninstall this instance later, save the new amwebsvr7 file.

Adding Additional Instances to the Platform Server List and Realm/DNS Aliases

When you install multiple instances of Access Manager on different host servers, the additional instances are not added to the Platform Server list or the Realm/DNS Aliases list (or the DNS Alias list in Legacy Mode). You must explicitly add these values for additional Access Manager instances.

If you are using Access Manager in Legacy Mode, see Adding Additional Instances to the Platform Server List and DNS Alias List in Legacy Mode.

To Add Additional Instances to the Platform Server List and Realm/DNS Aliases in Realm Mode

1. Log in to the Access Manager 7.1 Console as amadmin on the first Access Manager host server.

2. In the Access Manager Console, click Configuration, System Properties, and then Platform.

3. Add each additional Access Manager instance to the Platform Server List under Instance Name:

   1. In the Platform Server List under Instance Name Name, click New.

   2. In New Server Instance, add the Server and Instance Name. For example:

      • Server: http://amserver2.example.com:80

      • Instance Name: 02

   3. Click OK to add the instance.

   4. After you have added all instances, click Save.

4. Add the Realm/DNS alias for each additional Access Manager instance:

   1. In the Access Manager Console, click Access Control and then the root (top-level) realm under Realm Name.

   2. Under Realm Attributes, add the Access Manager instance to Realm/DNS Aliases and then click Add. For example: amserver2.example.com

   3. After you have added all instances, click Save.

Adding Additional Instances to the Platform Server List and DNS Alias List in Legacy Mode

The following procedure refers to the Access Manager 7.1 in Legacy Mode.

To Add Additional Instances to the Platform Server List and DNS Alias List in Legacy Mode

1. Log in to the Access Manager Legacy Console as amadmin on the first Access Manager host server.

2. Add each additional instance to the Platform Server List:

   1. Click Service Configuration.

   2. In the left pane, click the Platform link.

   3. Under the Server List, add each additional host server. For example:

      http://amserver2.example.com:58080|02
      http://amserver3.example.com:58080|03

   4. After you have added all instances, click Save.

3. Add each additional instance to the DNS Alias List:

   1. Click Identity Management.

   2. Make sure that View: Organizations is selected in the left pane.

   3. In the DNS Alias Name field in the right pane, add each additional host server name. For example:

      amserver2.example.com
      amserver3.example.com

   4. After you have added all instances, click Save.