Sun Java System Access Manager Policy Agent 2.2 Guide for IBM WebSphere Application Server 6.0

Previous: Chapter 2 Vital Installation Information for a J2EE Agent in Policy Agent 2.2
Next: Chapter 4 Post-Installation Tasks of Policy Agent 2.2 for IBM WebSphere Application Server 6.0

Chapter 3 Installing Policy Agent 2.2 for IBM WebSphere Application Server 6.0

Sun Java^TM System Access Manager Policy Agent 2.2 for IBM WebSphere Application Server 6.0, as with all J2EE agents in the 2.2 release of Policy Agent, is installed from the command line using the agentadmin program. For more information about the tasks you can perform with the agentadmin program, see Role of the agentadmin Program in a J2EE Agent for Policy Agent 2.2.

Before reading this chapter or performing any of the tasks described within, thoroughly review Chapter 2, Vital Installation Information for a J2EE Agent in Policy Agent 2.2 since various key concepts are introduced in that chapter.

This chapter is organized into the following sections:

Before describing any task, this chapter provides you with installation-related information specific to IBM WebSphere Application Server 6.0. The subsequent sections lead you through the pre-installation and installation steps and describe how to view the installation log files. First, perform the pre-installation (preparation) steps. Then, perform the installation, itself. The installation process has two phases. The first phase of the installation includes launching the installation program, which requires a directory to already have been selected for the agent files. The second phase of the installation involves interacting with the installation program. During this phase, the program prompts you step by step to enter information. Accompanying the prompts, are explanations of the type of information to enter. After you complete the installation, you can look at the installation log files.

Once you have completed the steps described in this chapter, complete the applicable post-installation tasks described in Chapter 4, Post-Installation Tasks of Policy Agent 2.2 for IBM WebSphere Application Server 6.0.

Installation Related Information About Agent for IBM WebSphere Application Server 6.0

The following sections provide important information about Policy Agent 2.2 for IBM WebSphere Application Server 6.0 required before you install the agent.

Supported Platforms and Compatibility of Agent for IBM WebSphere Application Server 6.0

The following sections provide information about the supported platforms of Policy Agent 2.2 for IBM WebSphere Application Server 6.0 as well as the compatibility of this agent with Access Manager.

Platform and Version Support of Agent for IBM WebSphere Application Server 6.0

The following table presents the platforms supported by Policy Agent 2.2 for IBM WebSphere Application Server 6.0.

Table 3–1 Platform and Version Support of Agent for IBM WebSphere Application Server 6.0


Agent for	Supported Policy Agent Version	Supported Access Manager Versions	Supported Platforms
IBM WebSphere Application Server 6.0	Version 2.2	Version 6.3 Patch 1 or greater Version 7	Solaris^TM Operating System (OS) for the SPARC® platform, versions 8, 9, and 10 Red Hat Enterprise Linux Advanced Server 3.0 AIX 5L version 5.2 Windows 2003, Enterprise Edition Windows 2003, Standard Edition

Compatibility of Agent for IBM WebSphere Application Server 6.0 With Access Manager

Compatibility of Policy Agent 2.2 With Access Manager 7

All agents in the Policy Agent 2.2 release are compatible with Access Manager 7. Compatibility applies to both of the available modes of Access Manager: Realm Mode and Legacy Mode.

Install the latest Access Manager 7 patches to ensure that all enhancements and fixes are applied. For information about the latest Access Manager 7 patches, see the compatibility information discussed in Sun Java System Access Manager Policy Agent 2.2 Release Notes.

Compatibility of Policy Agent 2.2 With Access Manager 6.3

All agents in Policy Agent 2.2 are also compatible with Access Manager 6.3 Patch 1 or greater. However, certain limitations apply. For more information, see J2EE Agent Backward Compatibility With Access Manager 6.3.

High-Level Architecture of Agent for IBM WebSphere Application Server 6.0

Agent for IBM WebSphere Application Server 6.0 functions in a similar manner to all Access Manager J2EE agents in the Policy Agent 2.2 release. However, this agent, as with all agents, functions in accordance to the architecture of the underlying deployment container, which in this case is IBM WebSphere Application Server 6.0. This section describes the key components of this particular agent that enable it to interact with IBM WebSphere Application Server 6.0.

Caution –

The following information is an overview of the architecture of this agent, which corresponds to the architecture of IBM WebSphere Application Server 6.0. However, you should have a solid understanding of the concepts related to IBM WebSphere Application Server 6.0 before installing and configuring the agent for this deployment container.

Key Functionality of Agent for IBM WebSphere Application Server 6.0

Agent for IBM WebSphere Application Server 6.0 is designed to facilitate Single Sign-On (SSO) and enforce access control for application resources hosted by IBM WebSphere Application Server 6.0. When a user requests access to a hosted and protected application resource, the agent ensures the following:

The user has already been authenticated. If not, the agent coordinates with Access Manager Authentication Service to ensure successful user authentication by participating in a choreographed sequence of HTTP interactions. Once authenticated, the user's identity is established within IBM WebSphere Application Server's J2EE container. This identity is further propagated to any down-stream EJB container if the request processing results in access to a resource within that container.

Note –
The propagation of the security identity information of a particular user to a down-stream EJB container might require additional configuration changes in some cases. Such cases typically include clustered deployments and other specialized configurations.
The user's privileged attributes are available for membership evaluation of roles and other constraints as required to enforce any declarative or programmatic security policies within the application.

Note –
Privileged attributes for a user in an Access Manager environment can range from simple LDAP Role membership information to highly customized attribute information provided via protected session properties. Other examples include custom identity types configured within the Access Manager Identity Repository Service.
Any URL Policies defined within Access Manager Policy Service for securing access to the requested URLs are enforced as necessary.

Agent for IBM WebSphere Application Server 6.0 provides per instance configuration that allows you to enable or disable a part of the above functionality as necessary in certain deployment scenarios. For instance, the agent allows you to choose if the identity of the user should be established within Agent for IBM WebSphere Application Server's J2EE container. Furthermore, the agent provides a great deal of other functionality that allows you to customize its behavior in the most appropriate way to suit your site's deployment.

Components of Agent for IBM WebSphere Application Server 6.0

Agent for IBM WebSphere Application Server 6.0 is composed of three components that interact with each other, directly or indirectly via the IBM WebSphere Application Server 6.0 infrastructure, to facilitate the implementation of key agent functionality. The following is a brief description of each component:

Trust Association Interceptor implementation: This component uses a standard interface to facilitate SSO and propagate the user membership information to IBM WebSphere Application Server 6.0.
Custom User Registry implementation: This component uses a standard interface to facilitate the assertion of user membership information within the IBM WebSphere Application Server 6.0 security infrastructure as provided by the front-ending Trust Association Interceptor implementation.
Custom Servlet Filter implementation: This component uses a standard interface to facilitate advanced functionality such as URL Policy enforcement, logout synchronization, and such, to further secure the application resources and provide a seamless user experience.

Component Interaction in Agent for IBM WebSphere Application Server 6.0

During runtime, the agent components interact directly or indirectly via the IBM WebSphere Application Server 6.0 infrastructure to accomplish their functional requirements. In a typical scenario, a client request for a protected application resource will in some way invoke each of these three components and the outcome of this invocation will largely govern the overall success of request processing. The following sequence illustrates how each of these components come into play during various stages of request processing:

The client makes a web request to access a hosted application resource protected by Agent for IBM WebSphere Application Server 6.0.
If the protected resource is protected by a role-based constraint and the user's identity is not yet established, the security infrastructure of IBM WebSphere Application Server 6.0 invokes the Agent's Trust Association Interceptor implementation.
The Trust Association Interceptor implementation ensures that the user is authenticated and populates the corresponding subject with appropriate credentials that are validated by the agent's Custom User Registry implementation. This results in the establishment of the user's security principal in the web tier and allows the security infrastructure to evaluate any membership information for that user as required.
If all the necessary requirements are satisfied, the security infrastructure allows the request to proceed to the application resource being protected. At this stage, the agent's Custom Servlet Filter implementation intercepts the request and enforces the applicable URL Policies. If the request bypassed the last two stages, the Custom Servlet Filter implementation assumes the task of authenticating the user and then performing the required processing. Note that the Custom Servlet Filter implementation does not establish or alter the Subject information associated with the user.

Preparing to Install Agent for IBM WebSphere Application Server 6.0

Detailed information about unpacking the distribution files for J2EE agents in Policy Agent 2.2 is covered in Chapter 2, Vital Installation Information for a J2EE Agent in Policy Agent 2.2. The best practice is to follow the detailed steps outlined in that chapter before you implement any steps outlined in this chapter.

The following examples provide quick details about the unpacking process. Furthermore, this section provides the opportunity to present again the cautionary note that follows about the GNU_tar program.

Caution –

For .tar.gz archives, do not use a program other than GNU_tar to untar the contents of the J2EE agent deliverables. Using a different program, such as another tar program, can result in some files not being extracted properly. To learn more about the GNU_tar program, visit the following web site:

http://www.gnu.org/software/tar/tar.html

Example 3–1 Format of the Distribution Files of Agent for IBM WebSphere Application Server 6.0

SJS_WebSphere_60_agent_2.2.tar.gz
SJS_WebSphere_60_agent_2.2.zip
SJS_WebSphere_60_agent_2.2_SUNWamwas.tar.gz

For detailed information on the format of the distribution files, see Format of the Distribution Files for a J2EE Agent Installation in Policy Agent 2.2.

Example 3–2 Unpacking Non-Package Formatted Deliverables of Agent for IBM WebSphere Application Server 6.0

# gzip -dc SJS_WebSphere_60_agent_2.2.tar.gz | tar xvf -

For detailed information about this command, see To Unpack Non-Package Formatted Deliverables of a J2EE Agent in Policy Agent 2.2.

Example 3–3 Unpacking Package Formatted Deliverables of Agent for IBM WebSphere Application Server 6.0

# gzip -dc SJS_WebSphere_60_agent_2.2_SUNWamwas.tar.gz | tar xvf -

For detailed information about this command, see To Unpack Package Formatted Deliverables of a J2EE Agent in Policy Agent 2.2.

Example 3–4 Unpacking a `.zip` Compressed file of Agent for IBM WebSphere Application Server 6.0

unzip SJS_WebSphere_60_agent_2.2.zip

For detailed information about this command, see To Unpack a .zip Compressed file of a J2EE Agent in Policy Agent 2.2.

Follow the specific steps outlined in the following section before you install the agent to reduce the chance of complications occurring during and after the installation.

To Prepare to Install Agent for IBM WebSphere Application Server 6.0

Perform the following pre-installation tasks:

Ensure that the Policy Agent 2.2 for IBM WebSphere Application Server 6.0 is supported on the desired platform as listed in Supported Platforms and Compatibility of Agent for IBM WebSphere Application Server 6.0.

Install IBM WebSphere Application Server 6.0 if not already installed.

You can visit http://www.ibm.com to download the IBM WebSphere Application Server 6.0 software.

Ensure that the IBM WebSphere Application Server 6.0 instance that will be protected by the agent is shut down.

The following is an example command for shutting down this server:
```
DeployContainer-base/WebSphere/Appserver/bin/stopServer.bat instanceName
```
DeployContainer-base

represents the directory within which the IBM WebSphere Application Server 6.0 instance was installed.

instanceName

represents the IBM WebSphere Application Server 6.0 instance the agent will protect.

Create a valid agent profile in Access Manager Console if one has not already been created.

For information on how to create an agent profile, see Creating a J2EE Agent Profile.

To avoid a misconfiguration of the agent, ensure that you know the exact ID and password used to create the agent profile. You must enter the agent profile password correctly in the next step and you must enter the agent profile ID correctly when installing the agent.

Create a text file and add the agent profile password to that file.

Ensure that this file is located in a secure directory of your choice. You will refer to this file during the agent installation process.

With the agent profile password in this file, stored in a secure location, you are not required to enter sensitive information in the console. A valid password file can have only one line that contains the agent profile password.

Launching the Installation Program of Agent for IBM WebSphere Application Server 6.0

Once you have performed all the pre-installation steps, you can launch the installation program as described in the following subsection.

To Launch the Installation Program of Agent for IBM WebSphere Application Server 6.0

To launch the installation program, perform the following steps:

Change to the following directory:
PolicyAgent-base/bin
This directory contains the agentadmin program, which is used for installing a J2EE agent and for performing other tasks. For more information on the agentadmin program, see Role of the agentadmin Program in a J2EE Agent for Policy Agent 2.2.

Issue the following command:
./agentadmin --install

(Conditional) If you receive license agreement information, accept or reject the agreement prompts. If you reject any portion of the agreement, the program will end.

The license agreement is displayed only during the first run of the agentadmin program.

Using the Installation Program of Agent for IBM WebSphere Application Server 6.0

After you issue the agentadmin command and accept the license agreement (if necessary) the installation program appears, prompting you for information.

The steps in the installation program are displayed in this section in an example interaction. Your answers to prompts can differ slightly or greatly from this example depending upon your site's specific deployment. In the example, most of the defaults have been accepted. This example is provided for your reference and does not necessarily indicate the precise information you should enter.

The following bulleted list provides key points about the installation program.

Each step in the installation program includes an explanation that is followed by a more succinct prompt.
For most of the steps you can type any of the following characters to get the results described:

?

Type the question mark to display Help information for that specific step.

<

Type the left arrow symbol to go back to the previous interaction.

!

Type the exclamation point to exit the program.
Most of the steps provide a default value that can be accepted or replaced. If a default value is correct for your site, accept it. If it is not correct, enter the correct value.

About Installation Prompts in Agent for IBM WebSphere Application Server 6.0

The following list provides information about specific prompts in the installation. Often the prompt is self explanatory. However, at other times you might find the extra information presented here to be very helpful. This extra information is often not obvious. Study this section carefully before issuing the agentadmin --install command.

The Deployment URI for the Agent Application

The deployment URI for the agent application is required for the agent to perform necessary housekeeping tasks such as registering policy and session notifications, legacy browser support, and CDSSO support. Accept /agentapp as the default value for this interaction. Once the installation is completed, browse the directory PolicyAgent-base/etc. Use the agentapp.war file to deploy the agent application in the application container. Please note that the deployment URI for agent application during install time should match the deployment URI for the same application when deployed in the J2EE container.

The Encryption Key

This key is used to encrypt sensitive information such the passwords. The key should be at least 12 characters long. A key is generated randomly and provided as the default. You can accept the random key generated by the installer or create one using the .agentadmin --getEncryptKey command.

For information about creating a new encryption key, see agentadmin --getEncryptKey.

The Agent Profile Name

An agent profile should have been created as a pre-installation step. The creation of the agent profile is mentioned in that section. For the pre-installation steps, see Preparing to Install Agent for IBM WebSphere Application Server 6.0. For the actual information on creating an agent profile, see Creating a J2EE Agent Profile.

In summary, the J2EE agent communicates with Access Manager with a specific ID and password created through an agent profile using Access Manager Console. For J2EE agents, the creation of an agent profile is mandatory. Access Manager uses the agent profile to authenticate an agent. This is part of the security infrastructure.

The J2EE Password File

The J2EE password file should have been created as a pre-installation step. For the pre-installation steps, see Preparing to Install Agent for IBM WebSphere Application Server 6.0.

When the installation program prompts you for the password for the agent, enter the fully qualified path to this password file.

After you have completed all the steps, a summary of your responses appears followed by options that allow you to navigate through those responses to accept or reject them.

When the summary appears, note the agent instance name, such as agent-001. You might be prompted for this name during the configuration process.

About the options, the default option is 1, Continue with Installation.

If you are satisfied with the summary, choose 1 (the default).
If you want to edit input from the last interaction, choose 2.
If you want to edit input starting at the beginning of the installation program, choose 3.
If you want to exit the installation program without installing, choose 4.

You can edit your responses as necessary, return to the options list, and choose option 1 to finally process your responses.

Example of Installation Program Interaction in Agent for IBM WebSphere Application Server 6.0

The following example is a sample installation snapshot of Policy Agent 2.2 for IBM WebSphere Application Server 6.0. By no means does this sample represent a real deployment scenario.

The section following this example, Implications of Specific Deployment Scenarios in Agent for IBM WebSphere Application Server 6.0, explains specific deployment scenarios, such as installing the agent on the Access Manager host. If any of these deployment scenarios apply to your site's deployment, you might be required to respond to prompts in a specified manner during the installation as explained in that section. Review the explanations in that section before proceeding with the installation. Those explanations are divided into subsections as follows:

The following install interaction example is specific to Windows systems. A different, but similar, set of interactions have to be executed for the other supported platforms.

************************************************************************
Welcome to the Access Manager Policy Agent for IBM WebSphere Application Server
6.0 If the Policy Agent is used with Federation Manager services, User needs
to enter information relevant to Federation Manager.

************************************************************************


Enter the fully qualified path to the configuration directory of the Server
Instance for the WebSphere node.
[ ? : Help, ! : Exit ]
Enter the Instance Config Directory [C:\Program
Files\IBM\WebSphere\AppServer\profiles\default\config\cells\<Hostname>Node01Cell\nodes\
<Hostname>Node01\servers\server1]:
C:\Program Files\IBM\WebSphere\AppServer\profiles\default\config\cells\<Hostname>
Node01Cell\nodes\<Hostname>Node01\servers\server1

Enter the Server Instance name.
[ ? : Help, < : Back, ! : Exit ]
Enter the Server Instance name [server1]:


Enter the WebSphere Install Root directory.
[ ? : Help, < : Back, ! : Exit ]
Enter the WebSphere Install Root directory [C:\Program
Files\IBM\WebSphere\AppServer]:C:\ProgramFiles\IBM\WebSphere\AppServer


Enter the fully qualified host name of the server where Access Manager
Services are installed.
[ ? : Help, < : Back, ! : Exit ]
Access Manager Services Host: AMhostname.test.domain.com


Enter the port number of the Server that runs Access Manager Services.
[ ? : Help, < : Back, ! : Exit ]
Access Manager Services port [80]:


Enter http/https to specify the protocol used by the Server that runs Access
Manager services.
[ ? : Help, < : Back, ! : Exit ]
Access Manager Services Protocol [http]:


Enter the Deployment URI for Access Manager Services.
[ ? : Help, < : Back, ! : Exit ]
Access Manager Services Deployment URI [/amserver]:


Enter the fully qualified host name on which the Application Server
protected by the agent is installed.
[ ? : Help, < : Back, ! : Exit ]
Enter the Agent Host name: AgentHostName.test.domain.com


Enter the preferred port number on which the application server provides its
services.
[ ? : Help, < : Back, ! : Exit ]
Enter the port number for Application Server instance [80]: 9080


Select http or https to specify the protocol used by the Application server
instance that will be protected by Access Manager Policy Agent.
[ ? : Help, < : Back, ! : Exit ]
Enter the Preferred Protocol for Application Server instance [http]:


Enter the deployment URI for the Agent Application. This Application is used
by the agent for internal housekeeping.
[ ? : Help, < : Back, ! : Exit ]
Enter the Deployment URI for the Agent Application [/agentapp]:


Enter a valid Encryption Key.
[ ? : Help, < : Back, ! : Exit ]
Enter the Encryption Key [bFa6Euq9fAI0gVK+jnxyE2aNvwySJ42f]:


Enter a valid Agent profile name. Before proceeding with the agent
installation, please ensure that a valid Agent profile exists in Access
Manager.
[ ? : Help, < : Back, ! : Exit ]
Enter the Agent Profile name: agentprofilename


Enter the path to a file that contains the password to be used for identifying
the Agent.
[ ? : Help, < : Back, ! : Exit ]
Enter the path to the password file: C:\tmp\passfile


Enter true if the Agent is being installed on the same instance of Application
Server on which Access Manager is deployed. Enter false if that is not the
case.
[ ? : Help, < : Back, ! : Exit ]
Are the Agent and Access Manager installed on the same instance of
Application Server ? [false]:


-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Instance Config Directory :
C:\Program Files\IBM\WebSphere\AppServer\profiles\default\config\cells\
<Hostname>Node01Cell\nodes\<Hostname>Node01\servers\server1
Instance Server name : server1
WebSphere Install Root Directory : C:\ProgramFiles\IBM\WebSphere\AppServer
Access Manager Services Host : AMhostname.test.domain.com
Access Manager Services Port : 80
Access Manager Services Protocol : http
Access Manager Services Deployment URI : /amserver
Agent Host name : AgentHostName.test.domain.com
Application Server Instance Port number : 9080
Protocol for Application Server instance : http
Deployment URI for the Agent Application : /agentapp
Encryption Key : bFa6Euq9fAI0gVK+jnxyE2aNvwySJ42f
Agent Profile name : agentprofilename
Agent Profile Password file name : C:\tmp\passfile
Agent and Access Manager on same application server instance : false

Verify your settings above and decide from the choices below.
1. Continue with Installation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]:

Please make your selection [1]: 1

Copy agent.jar,amclientsdk.jar to
C:\WAS60\IBM\WebSphere\AppServer/lib/ext...DONE.

Creating directory layout and configuring AMAgent.properties file for
agent_001 instance ...DONE.

Reading data from file C:\export\pass and encrypting it ...DONE.

Generating audit log file name ...DONE.

Creating tag swapped AMAgent.properties file for instance agent_001 ...DONE.

Creating a backup for file
C:\WAS60\IBM\WebSphere\AppServer\profiles\default\config\cells\<HostName>Node01Cell\nodes\
<HostName>Node01\servers\server1/server.xml
...DONE.

Configure server.xml file
C:\WAS60\IBM\WebSphere\AppServer\profiles\default\config\cells\<HostName>Node01Cell\nodes\
<HostName>Node01\servers\server1/server.xml...DONE.


SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: agent_001
Agent Configuration file location:
C:/exportwas60/j2ee_agents/am_websphere_agent/agent_001/config/AMAgent.properties
Agent Audit directory location:
C:/exportwas60/j2ee_agents/am_websphere_agent/agent_001/logs/audit
Agent Debug directory location:
C:/exportwas60/j2ee_agents/am_websphere_agent/agent_001/logs/debug


Install log file location:
C:/exportwas60/j2ee_agents/am_websphere_agent/logs/audit/install.log

Thank you for using Access Manager Policy Agent

6.0 Uninstall -


************************************************************************
Welcome to the Access Manager Policy Agent for IBM WebSphere Application Server
6.0 If the Policy Agent is used with Federation Manager services, User needs
to enter information relevant to Federation Manager.

************************************************************************


Enter the fully qualified path to the configuration directory of the Server
Instance for the WebSphere node.
[ ? : Help, ! : Exit ]
Enter the Instance Config Directory [C:\Program
Files\IBM\WebSphere\AppServer\profiles\default\config\cells\<Hostname>Node01Cell\nodes\
<Hostname>Node01\servers\server1]: C:\Program
Files\IBM\WebSphere\AppServer\profiles\default\config\cells\<Hostname>Node01Cell\nodes\
<Hostname>Node01\servers\server1


Enter the Server Instance name.
[ ? : Help, < : Back, ! : Exit ]
Enter the Server Instance name [server1]:


Enter the WebSphere Install Root directory.
[ ? : Help, < : Back, ! : Exit ]
Enter the WebSphere Install Root directory [C:\Program
Files\IBM\WebSphere\AppServer]: C:\WAS60\IBM\WebSphere\AppServer


-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Instance Config Directory :
C:\Program
Files\IBM\WebSphere\AppServer\profiles\default\config\cells\<Hostname>Node01Cell\nodes\
<Hostname>Node01\servers\server1

Instance Server name : server1
WebSphere Install Root Directory : C:\WAS60\IBM\WebSphere\AppServer

Verify your settings above and decide from the choices below.
1. Continue with Uninstallation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]: 1

Remove agent.jar,amclientsdk.jar from
C:\WAS60\IBM\WebSphere\AppServer/lib/ext...DONE.

Deleting the config directory
C:/exportwas60/j2ee_agents/am_websphere_agent/agent_001/config ...DONE.

Unconfigure server.xml file
C:\Program
Files\IBM\WebSphere\AppServer\profiles\default\config\cells\<Hostname>Node01Cell\nodes\
<Hostname>Node01\servers\server1
\server.xml
...DONE.


Uninstall log file location:
C:/exportwas60/j2ee_agents/am_websphere_agent/logs/audit/uninstall.log

Thank you for using Access Manager Policy Agent

Implications of Specific Deployment Scenarios in Agent for IBM WebSphere Application Server 6.0

The following sections refer to specific deployment scenarios involving Policy Agent 2.2 for IBM WebSphere Application Server 6.0. These scenarios are likely to affect how you respond to prompts during the installation process. You might also be required to perform additional configurations.

Installing a J2EE Agent on Multiple IBM WebSphere Application Server 6.0 Instances

Once a J2EE agent is installed for a particular IBM WebSphere Application Server 6.0 instance, you can install the agent on another instance on the same machine by running the agentadmin --install command. Once prompted to enter the appropriate server instance name, enter the server configuration directory and unique instance name that will enable the agent to distinguish the first instance from consecutive instances.

Installing Agent for IBM WebSphere Application Server 6.0 on the Access Manager Host

If a J2EE agent and Access Manager are collocated on the same container, enter true for the following question:

Enter true if the Agent is being installed on the same instance of Application
Server on which Access Manager is deployed. Enter false if that is not the
case.
[ ? : Help, < : Back, ! : Exit ]
Are the Agent and Access Manager installed on the same instance of
Application Server ? [false]: true

In this case, the agentadmin program will make the necessary changes to install and configure the agent on the same IBM WebSphere Application Server 6.0 instance that hosts Access Manager.

However, this deployment scenario changes the agent configuration in a manner that requires your attention. For details, see Combining J2EE Agents With Access Manager.

Summary of a J2EE Agent Installation in Policy Agent 2.2

At the end of the installation process, the installation program prints the status of the installation along with the installed J2EE agent information. The information that the program displays can be very useful. For example, the program displays the agent instance name, which is required when configuring a remote instance. The program also displays the location of specific files, which can be of great importance. In fact, you might want to view the installation log file once the installation is complete, before performing the post-installation steps as described in Chapter 4, Post-Installation Tasks of Policy Agent 2.2 for IBM WebSphere Application Server 6.0.

The location of directories displayed by the installer are specific. However, throughout this guide and specifically in Summary of Agent Installation shown in this section, PolicyAgent-base is used to describe the directory where the distribution files are stored for a specific J2EE agent.

The following example serves as a quick description of the location of the J2EE agent base directory (PolicyAgent-base) of Policy Agent 2.2 for IBM WebSphere Application Server 6.0.

Example 3–5 Policy Agent Base Directory of Agent for IBM WebSphere Application Server 6.0

The following directory represents PolicyAgent-base of Agent for IBM WebSphere Application Server 6.0:

Agent-HomeDirectory/j2ee_agents/am_websphere_agent

where Agent-HomeDirectory is the directory you choose in which to unpack the J2EE agent binaries.

Information regarding the location of the J2EE agent base directory is explained in detail in Location of the J2EE Agent Base Directory in Policy Agent 2.2.

The following type of information is printed by the installer:

SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: agent_001
Agent Configuration file location:
PolicyAgent-base/agent_001/config/AMAgent.properties
Agent Audit directory location:
PolicyAgent-base/agent_001/logs/audit
Agent Debug directory location:
PolicyAgent-base/agent_001/logs/debug

Install log file location:
PolicyAgent-base/logs/audit/install.log

Thank you for using Access Manager Policy Agent

Once the agent is installed, the directories shown in the preceding example are created in the agent_00x directory, which for this example is specifically agent_001. Those directories and files are briefly described in the following paragraphs.

PolicyAgent-base/agent_001/config/AMAgent.properties

Location of the J2EE agent AMAgent.properties configuration file for the agent instance. Every instance of a J2EE agent has a unique copy of this file. You can configure this file to meet your site's requirements. For more information, see the following sections:

PolicyAgent-base/agent_001/logs/audit

Location of the J2EE agent local audit trail.

PolicyAgent-base/agent_001/logs/debug

Location of all debug files required to debug an agent installation or configuration issue.

PolicyAgent-base/logs/audit/install.log

Location of the file that has the agent install file location. If the installation failed for any reason, you can look at this file to diagnose the issue.