Install Sun Java System Web Server and a web policy agent on the ProtectedResource-1 host machine, together with the supporting configuration. Use the following list of procedures as a checklist.
To Install Sun Java System Web Server as Web Container 1 on Protected Resource 1
To Install and Configure Web Policy Agent 1 on Protected Resource 1
To Import the Certificate Authority Root Certificate into the Web Server 1 Keystore
To Configure Policy for Web Policy Agent 1 on Protected Resource 1
Create an agent profile in Access Manager to store authentication and configuration information that will be used by the policy agent to authenticate itself to Access Manager. Creating an agent profile also creates a custom user. The policy agent will, by default, use the account with the user identifier UrlAccessAgent to authenticate to Access Manager.
Creating an agent profile is not a requirement for web policy agents. You can use the agent's default values and not change the user name; however, in certain cases you might want to change these defaults. For example, if you want to audit the interactions between multiple agents and Access Manager, you need to be able to distinguish one agent from another, which is not possible if all the agents use the same default agent user account. For more information, see the Sun Java System Access Manager Policy Agent 2.2 User's Guide.
Access http://AccessManager-1.example.com:1080/amserver/UI/Login from a web browser.
Log in to the Access Manager console as the administrator.
User Name: amadmin
Password: 4m4dmin1
Under the Access Control tab, click example, the top-level Realm Name.
Click the Subjects tab.
Click the Agents tab.
Click New to create a new agent profile.
On the resulting page, enter the following and click OK.
ID: webagent-1
Password: web4gent1
Password (confirm): web4gent1
Device Status: choose Active.
The new agent webagent-1 is displayed in the list of agent users.
Log out of the console.
Download the Sun Java System Web Server bits and install the software on the ProtectedResource-1 host machine.
As root, log in to the ProtectedResource-1 host machine.
Install required patches if necessary.
Results for your machines might be different. Read the latest version of the Web Server 7.0 Release Notes to determine if you need to install patches and, if so, which ones. In this case, the Release Notes indicate that, for the hardware and operating system being used, patch 117461-08 is required.
Run patchadd to see if the patch is installed.
# patchadd -p | grep 117461-08
No results are returned, which indicates that the patch is not yet installed on the system. Note that this check matches only the exact revision 117461-08; a later revision of the same patch (117461-09, for example) also satisfies the requirement but would not be found by this grep.
Make a directory for downloading the patch you need and change into it.
# mkdir /export/patches
# cd /export/patches
Download the patches.
You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch.
Signed patches are downloaded as JAR files. Unsigned patches are downloaded as ZIP files.
Unzip the patch file.
# unzip 117461-08.zip
Run patchadd to install the patch.
# patchadd /export/patches/117461-08
After installation is complete, run patchadd again to verify that the patch was added successfully.
# patchadd -p | grep 117461-08
In this example, a series of patch numbers is displayed, and patch 117461-08 is present.
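The grep above only finds the exact revision named in the Release Notes, so it reports a missing patch on a host where a newer revision of the same patch has already been applied. The following script is an added example, not part of the original procedure or the Sun product, that reads patchadd -p output and treats any revision equal to or later than the required one as satisfying the requirement. The patch listing embedded at the end is constructed for the example; on a real host you would pipe patchadd -p into patch_satisfied instead.

```shell
#!/bin/sh
# Revision-aware check of a Solaris patch requirement against "patchadd -p"
# output. Usage on the host: patchadd -p | patch_satisfied 117461-08

# installed_rev BASE: read "Patch: NNNNNN-RR ..." lines from stdin and print the
# highest installed revision RR of base patch NNNNNN; print nothing if absent.
installed_rev() {
    awk -v base="$1" -v best=-1 '
        $1 == "Patch:" {
            split($2, p, "-")                       # p[1] = base id, p[2] = revision
            if (p[1] == base && p[2] + 0 > best) best = p[2] + 0
        }
        END { if (best >= 0) print best }'
}

# patch_satisfied ID-REV: succeed (exit 0) if base patch ID is installed at
# revision REV or later according to the listing on stdin, fail (exit 1) otherwise.
patch_satisfied() {
    base=${1%-*}
    need=${1##*-}
    have=$(installed_rev "$base")
    # numeric comparison done in awk so that leading zeros ("08") are not
    # misread as octal by the shell
    [ -n "$have" ] && awk -v a="$have" -v b="$need" 'BEGIN { exit !(a + 0 >= b + 0) }'
}

# Constructed excerpt of "patchadd -p" output (not captured from a real host):
# 117461 is installed at revision 09, one revision newer than the one required.
listing='Patch: 117461-09 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsl SUNWcslr
Patch: 118833-36 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 120011-14 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

printf '%s\n' "$listing" | patch_satisfied 117461-08 && echo "117461-08: satisfied by 117461-09"
printf '%s\n' "$listing" | patch_satisfied 117461-10 || echo "117461-10: not installed, install it"
```

The check deliberately compares revisions rather than substrings, so it neither misses a superseding revision nor accepts an older one.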
Create a directory into which you can download the Web Server bits and change into it.
# mkdir /export/ws7
# cd /export/ws7
Download the Sun Java System Web Server 7.0 software from http://www.sun.com/download/products.xml?id=45ad781d.
Follow the instructions on the Sun Microsystems Product Downloads web site for downloading the software. In this example, the software was downloaded to the /export/ws7 directory.
# ls -al
total 294548
drwxr-xr-x   2 root     root         512 Aug  7 13:23 .
drwxr-xr-x   3 root     sys          512 Aug  7 13:16 ..
-rw-r--r--   1 root     root   150719523 Aug  7 13:24 sjsws-7_0-solaris-sparc.tar.gz
Unpack the Web Server bits.
# gunzip sjsws-7_0-solaris-sparc.tar.gz
# tar xvf sjsws-7_0-solaris-sparc.tar
Run setup.
# ./setup --console
When prompted, respond as follows, in order.
1. Press Enter. Continue to press Enter when prompted.
2. Enter yes.
3. Enter /opt/SUNWwbsvr (the installation directory).
4. Enter yes.
5. Enter 2.
6. Enter 1,3,5.
7. Enter 1.
8. Enter 1.
9. Enter no.
10. Accept the default value.
11. Accept the default value.
12. Enter no.
13. Enter root (the user the server runs as).
14. Accept the default value.
15. Enter web4dmin (the administration server password).
16. Enter web4dmin (again, to confirm the password).
17. Accept the default value.
18. Enter 1080 (the HTTP port of the Web Server instance).
19. Accept the default value.
20. Enter 1.
When installation is complete, the following message is displayed:
Installation Successful.
Start the Web Server administration server.
# cd /opt/SUNWwbsvr/admin-server/bin
# ./startserv
server not running
Sun Java System Web Server 7.0 B12/04/2006 10:15
info: CORE3016: daemon is running as super-user
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_09] from [Sun Microsystems Inc.]
info: WEB0100: Loading web module in virtual server [admin-server] at [/admingui]
info: WEB0100: Loading web module in virtual server [admin-server] at [/jmxconnector]
info: HTTP3072: admin-ssl-port: https://protectedresource-1.example.com:8989 ready to accept requests
info: CORE3274: successful server startup
The CORE3016 message confirms that the daemon runs as root, because root was given as the runtime user during setup. That is acceptable for this test deployment; for a production server, run the instance as a dedicated unprivileged user so that a compromise of the web server or of the agent does not yield root on the host.
Run netstat to verify that the port is open and listening.
# netstat -an | grep 8989
*.8989               *.*                0      0 49152      0 LISTEN
(Optional) Log in to the Web Server administration console at https://protectedresource-1.example.com:8989.
User Name: admin
Password: web4dmin
You should see the Web Server console.
Log out of the Web Server console.
Start the Protected Resource 1 Web Server instance.
# cd /opt/SUNWwbsvr/https-ProtectedResource-1.example.com/bin
# ./startserv
server not running
Sun Java System Web Server 7.0 B12/04/2006 10:15
info: CORE3016: daemon is running as super-user
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_09] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: http://ProtectedResource-1.example.com:1080 ready to accept requests
info: CORE3274: successful server startup
Run netstat to verify that the port is open and listening.
# netstat -an | grep 1080
*.1080               *.*                0      0 49152      0 LISTEN
(Optional) Access the Protected Resource 1 instance at http://ProtectedResource-1.example.com:1080 using a web browser. The instance listens for plain HTTP on port 1080, as the HTTP3072 message shows; only the administration server on port 8989 uses SSL.
You should see the default Web Server index page.
Log out of the ProtectedResource-1 host machine.
Due to a known problem with this version of the Web Policy Agent, you must start an X display session on the server host, using a program such as Reflection X or VNC, even though you use the command-line installer. For more information about this known problem, see "On UNIX-based machines, all web agents require that the X11 DISPLAY variable be set properly" in the Sun Java System Access Manager Policy Agent 2.2 Release Notes.
As root, log in to the ProtectedResource-1 host machine.
Create a directory into which you can download the web policy agent bits and change into it.
# mkdir /export/WebPA1
# cd /export/WebPA1
Download the web policy agent for Web Server from http://www.sun.com/download/.
# ls -al
total 294548
drwxr-xr-x   2 root     root         512 Aug  7 13:23 .
drwxr-xr-x   3 root     sys          512 Aug  7 13:16 ..
-rw-r--r--   1 root     root   150719523 Aug  7 13:24 sjsws_v70_SunOS_agent.zip
Unzip the downloaded file.
# unzip sjsws_v70_SunOS_agent.zip
Change the permissions of the resulting agentadmin binary so that it is executable.
# cd /export/WebPA1/web_agents/sjsws_agent/bin
# chmod +x agentadmin
Verify that crypt_util in the same directory has execute permission before running the installer; the installer uses it to encrypt the agent password.
# chmod +x crypt_util
Create a temporary file containing the agent profile password (the password of webagent-1, created earlier in Access Manager); the installer asks for the path to this file. Because the file holds a cleartext credential, create it so that only root can read it and delete it once the installer has finished; the installed agent keeps its own encrypted copy of the password in AMAgent.properties.
# echo web4gent1 > /export/WebPA1/pwd.txt
# cat /export/WebPA1/pwd.txt
Run the agent installer.
# ./agentadmin --install
When prompted, respond as follows, in order.
1. Type yes and press Enter (to accept the license agreement).
2. Type /opt/SUNWwbsvr/https-ProtectedResource-1.example.com/config and press Enter (the configuration directory of the Web Server instance to protect).
3. Type LoadBalancer-3.example.com and press Enter (the host through which the agent reaches Access Manager, here Load Balancer 3).
4. Type 9443 and press Enter (the port of Access Manager on that host).
5. Type https and press Enter (the protocol for Access Manager).
6. Press Enter to accept the default /amserver (the Access Manager deployment URI).
7. Type ProtectedResource-1.example.com and press Enter (the host name of the protected Web Server).
8. Type 1080 and press Enter (the port of the protected Web Server).
9. Press Enter to accept the default http (the protocol of the protected Web Server).
10. Type webagent-1 and press Enter (the agent profile name).
11. Type /export/WebPA1/pwd.txt and press Enter (the path to the password file).
12. Type 1 and press Enter to continue with the installation.
Modify the AMAgent.properties file.
Back up AMAgent.properties before you modify it.
Change to the config directory.
# cd /export/WebPA1/web_agents/sjsws_agent/Agent_001/config
Set the values of the following properties as shown. The login URL now points at Load Balancer 3 rather than at a single Access Manager instance, and the realm parameter sends users to the users realm.
com.sun.am.policy.am.login.url = https://LoadBalancer-3.example.com:9443/amserver/UI/Login?realm=users
com.sun.am.load_balancer.enable = true
Save the file and close it.
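Editing AMAgent.properties by hand is error-prone when the same change has to be applied on several protected resources, and a key that is left in twice (one commented out, one live) is easy to miss. The following shell functions are an added example, not part of the original procedure or the Sun product: set_prop makes the backup the procedure asks for, then replaces or appends a property idempotently, and get_prop reads one back for verification. The AMAgent.properties fragment at the end is constructed for the example and is not the file the installer writes; the property names used in it are the two from this step plus com.sun.am.naming.url.

```shell
#!/bin/sh
# Idempotent edits to a Java-style properties file such as AMAgent.properties.
# Keys are matched literally (not as regular expressions); the layout written is
# "KEY = VALUE", which is what the agent installer itself produces.

# get_prop FILE KEY: print the value of KEY, or nothing if KEY is not set.
get_prop() {
    awk -v k="$2" '
        index($0, "=") > 0 {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            if (key == k) {
                val = substr($0, index($0, "=") + 1)
                sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# set_prop FILE KEY VALUE: replace the first line that sets KEY (a commented-out
# "#KEY = ..." line counts and is uncommented), drop later duplicates, or append
# "KEY = VALUE" if KEY is absent. FILE.orig is written once, before the first
# change, and serves as the backup the procedure asks for.
set_prop() {
    file=$1 key=$2 value=$3
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig"
    awk -v k="$key" -v v="$value" '
        {
            line = $0; sub(/^[ \t#]+/, "", line)
            key = ""
            if (index(line, "=") > 0) {
                key = substr(line, 1, index(line, "=") - 1); gsub(/[ \t]/, "", key)
            }
            if (key == k) { if (!done) { print k " = " v; done = 1 }; next }
            print
        }
        END { if (!done) print k " = " v }' "$file" > "$file.tmp" \
    && cat "$file.tmp" > "$file" && rm -f "$file.tmp"   # rewrite in place: keeps mode and owner
}

# Constructed AMAgent.properties fragment (not the file the installer writes):
# the login URL still points at Access Manager 1 directly and load balancing is off.
sample=$(mktemp /tmp/AMAgent.properties.XXXXXX)
cat > "$sample" <<'EOF'
# Constructed fragment of AMAgent.properties for illustration only
com.sun.am.naming.url = http://AccessManager-1.example.com:1080/amserver/namingservice
com.sun.am.policy.am.login.url = http://AccessManager-1.example.com:1080/amserver/UI/Login
#com.sun.am.load_balancer.enable = false
EOF

set_prop "$sample" com.sun.am.policy.am.login.url \
    'https://LoadBalancer-3.example.com:9443/amserver/UI/Login?realm=users'
set_prop "$sample" com.sun.am.load_balancer.enable true
cat "$sample"
```

Values are passed to awk with -v, so a value containing backslashes would have its escape sequences interpreted; URLs and boolean flags like the ones set here are unaffected. Verify the result with get_prop before restarting the Web Server instance.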
Restart the Protected Resource 1 Web Server instance.
# cd /opt/SUNWwbsvr/https-ProtectedResource-1.example.com/bin
# ./stopserv; ./startserv
server has been shutdown
Sun Java System Web Server 7.0 B12/04/2006 10:15
info: CORE3016: daemon is running as super-user
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_09] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: http://ProtectedResource-1.example.com:1080 ready to accept requests
Log out of the ProtectedResource-1 host machine.
The web policy agent on Protected Resource 1 connects to Access Manager through Load Balancer 3. The load balancer is SSL-enabled, so the agent must be able to trust the load balancer SSL certificate to establish the SSL connection. For this reason, import the root certificate of the Certificate Authority (CA) that issued the Load Balancer 3 SSL server certificate into the policy agent keystore.
Import the same CA root certificate that was used in "To Import a Certificate Authority Root Certificate on the Access Manager Load Balancer".
As root, log in to the ProtectedResource-1 host machine.
Copy the CA root certificate into a directory.
In this example, the file is /export/software/ca.cer.
Import the CA root certificate into the keystore of the JDK bundled with the Web Server. The keystore password changeit is the JDK default; use the current password if it has been changed on this host. Before answering yes at the prompt, compare the fingerprints that keytool prints with those of the CA certificate you imported on the Access Manager load balancer; they must match.
# /opt/SUNWwbsvr/jdk/jre/bin/keytool -import -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass changeit
Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
Serial number: 97dba0aa26db6386
Valid from: Tue Apr 18 07:66:19 PDT 2006 until: Tue Jan 13 06:55:19 PST 2009
Certificate fingerprints:
         MD5:  9f:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06
         SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:26:64:36:80:E4:70
Trust this certificate: [no] yes
Certificate was added to keystore.
Verify that the CA root certificate was imported.
# /opt/SUNWwbsvr/jdk/jre/bin/keytool -list -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass changeit | grep -i open
openssltestca, Sep 10, 2007, trustedCertEntry,
If the agent still cannot establish the SSL connection to Load Balancer 3 after this import, check the agent's own SSL settings in AMAgent.properties (the com.sun.am.sslcert.dir and com.sun.am.trust_server_certs properties), because the native web agent validates server certificates against the certificate database it is configured with, which need not be this Java keystore.
Restart the Web Server 1 instance.
# cd /opt/SUNWwbsvr/https-ProtectedResource-1.example.com/bin
# ./stopserv; ./startserv
server has been shutdown
Sun Java System Web Server 7.0 B12/04/2006 10:15
info: CORE3016: daemon is running as super-user
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_09] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: http://ProtectedResource-1.example.com:1080 ready to accept requests
info: CORE3274: successful server startup
Log out of the ProtectedResource-1 host machine.
Use the Access Manager console to configure a policy for Web Policy Agent 1. This policy is used to verify that Web Policy Agent 1 is working properly.
You will modify this policy later, when a load balancer is placed in front of Protected Resource 1.
Access http://AccessManager-1.example.com:1080/amserver/UI/Login from a web browser.
Log in to the Access Manager console as the administrator.
User Name: amadmin
Password: 4m4dmin1
Create a referral policy in the top-level realm.
Under the Access Control tab, click the top-level realm, example.
Click the Policies tab.
Click New Referral.
On the New Policy page, provide the following information.
Name: Referral URL Policy for users realm
Active: mark the Yes checkbox.
On the same page, in the Rules section, click New.
On the resulting page, select URL Policy Agent (with resource name) as a Service Type and click Next.
Provide the following information on the resulting page:
Name: URL Rule for ProtectedResource-1
Resource Name: http://ProtectedResource-1.example.com:1080/*
Click Finish.
Back on the New Policy page, under the Referrals section, click New.
Provide the following information on the New Referral — Sub Realm page.
Name: Sub-Realm users
Type an asterisk (*), and click Search.
In the list, choose users.
Click Finish.
Back on the New Policy page, click OK.
Under the Policies tab for the example realm, you should see the policy named Referral URL Policy for users realm.
Create a policy in the users realm.
The users realm was previously created in 7.2 Creating and Configuring a Realm for Test Users.
Click the Access Control tab.
Under Realms, click users.
Click the Policies tab.
Click New Policy.
On the New Policy page, provide the following information:
Name: URL Policy for ProtectedResource-1
Active: mark the Yes checkbox.
On the same page, in the Rules section, click New.
Select a Service Type for the rule and click Next.
URL Policy Agent (with resource name) is the only choice.
On the resulting page, provide the following information:
Name: URL Rule for ProtectedResource-1
Resource Name: click http://ProtectedResource-1.example.com:1080/*, listed in the Parent Resource Name list, to add it to the Resource Name field.
GET: mark this checkbox and select Allow.
POST: mark this checkbox and select Allow.
Click Finish.
Create a new subject in the users realm for testing.
On the New Policy page, in the Subjects section, click New.
Select Access Manager Identity Subject as the subject type and click Next.
Provide the following information on the resulting page.
Name: Test Subject
Choose User and click Search. Two users are added to the Available list.
In the list, select Test User1 and click Add.
Click Finish.
Back on the New Policy page, click Create.
Under the Policies tab, you should see the policy named URL Policy for ProtectedResource-1.
Log out of the console.
Access http://ProtectedResource-1.example.com:1080 from a web browser.
The agent redirects you to the Access Manager login page. Log in as testuser1.
User Name: testuser1
Password: password
You should see the default index page for Web Server 1, because testuser1 was granted access to Protected Resource 1 by the test policy.
Log out and close the browser.
Once again, access http://ProtectedResource-1.example.com:1080 from a web browser.
If you are not redirected to the Access Manager login page for authentication, clear your browser's cache and cookies and try again.
Log in to Access Manager as testuser2.
User Name: testuser2
Password: password
You should see the message "You're not authorized to view this page" (or "Your client is not allowed to access the requested object"), because testuser2 is not included in the test policy that allows access to Protected Resource 1. This second test is the important one: it confirms that the agent enforces authorization, not merely authentication, since testuser2 logged in successfully but was still denied.