test

Sun Java System Access Manager Policy Agent 2.2 Guide for BEA WebLogic Server/Portal 9.2

Conditional Post-Installation Steps for J2EE Agents in Policy Agent 2.2

Steps described in this section might be required, depending on your site's specific deployment.

Creating the Necessary URL Policies

Note –

This section is not applicable for BEA WebLogic Portal 9.2. The manner in which the settings for the agent filter mode are applied to BEA WebLogic Server 9.2 differs from BEA WebLogic Portal 9.2. For BEA WebLogic Portal 9.2, creating a policy to protect a resource requires you to set the filter mode to ALL as described in To Configure Agent Filter Modes Applicable to BEA WebLogic Portal 9.2.

If the agent is installed and configured to operate in the URL_POLICY mode or ALL mode, the appropriate URL policies must be created. For instance, if BEA WebLogic Server 9.2 is available on port 7001 using HTTP protocol, at least a policy must be created to allow access to the following resource:


http://myhost.mydomain.com:7001/sampleApp/

where sampleApp is the context URI for the sample application.

If no policies are defined and the agent is configured to operate in the URL_POLICY mode or ALL mode, then no user is allowed access to BEA WebLogic Server/Portal 9.2 resources. See Sun Java System Access Manager 7 2005Q4 Administration Guide to learn how to create these policies using the Access Manager Console or command-line utilities.

Mapping Access Manager Roles to Principal Names

Note –

This section is not applicable for BEA WebLogic Portal 9.2.

If you are using this agent for BEA WebLogic Server 9.2 (not BEA WebLogic Portal 9.2) and the agent is set to the J2EE_POLICY filter mode, map Access Manager roles to the principal names in the respective application's deployment descriptor file (or files):

Access Manager roles are represented in UUIDs. For more information on UUIDs, see the following:

A UUID for an Access Manager role is mapped to the respective principal name in the weblogic.xml file or the weblogic-ejb-jar.xml file. Specifically, the principal name is located within the <principal-name> element.

Mapping is established by setting the property com.sun.identity.agents.config.privileged.attribute.mapping[] in the J2EE agent AMAgent.properties configuration file.

Note –

Ensure that the keys in the mapping are UUIDs corresponding to your site's Access Manager installation. The values are the principal names in the weblogic.xml file or the weblogic-ejb-jar.xml file.

In previous releases of BEA WebLogic, this mapping is not required. The UUIDs representing Access Manager roles are used directly in the weblogic.xml file or the weblogic-ejb-jar.xml file as principal names.

However, starting with BEA WebLogic 9.0, a principal name within the weblogic.xml file or the weblogic-ejb-jar.xml file must be of the NMTOKEN format. This format is mandated by the corresponding schema files.

Access Manager UUIDs include the following characters (equal sign, comma, and ampersand):

These characters are not in NMTOKEN character sets. Therefore, the UUIDs representing Access Manager roles cannot be used directly as principal names. Instead, they must be mapped to characters in the NMTOKEN character set, which includes letters and digits as well as the following characters (period, hyphen, underscore, and colon):

The following examples, which use “\” as an escape character before the special character “=,” illustrate how this property can be set:

com.sun.identity.agents.config.privileged.attribute.mapping[id\=manager,ou\=role,
dc\=iplanet,dc\=com] = am_manager_role
com.sun.identity.agents.config.privileged.attribute.mapping[id\=manager,ou\=role,
dc\=iplanet,dc\=com] = am_employee_role

For more information on this property, see the mapping-related attributes in Privileged Attribute Processing Properties.