You will download the BEA WebLogic Server bits and install this application server on the ProtectedResource-1 host machine. Additionally, you will download and install the appropriate J2EE policy agent, deploy the policy agent application, set up an authentication provider, and modify the Bypass Principal List. All of these tasks must be completed before the agent can do its job. Use the following list of procedures as a checklist for installing Application Server 1 and the J2EE Policy Agent 1.
To Create Manager and Employee Groups Using Access Manager for J2EE Policy Agent Test
To Install BEA WebLogic Server as J2EE Container 1 on Protected Resource 1
To Configure BEA WebLogic Server as J2EE Container 1 on Protected Resource 1
This new agent profile will be used by J2EE Policy Agent 1 to authenticate to Access Manager.
Access http://LoadBalancer-3.example.com:7070/amserver/UI/Login, the Access Manager load balancer, from a web browser.
Log in to the Access Manager console as the administrator.
amadmin
4m4dmin1
On the Access Control tab, click the top-level realm, example.
Click the Subjects tab.
Click the Agents tab.
On the Agent page, click New.
On the New Agent page, provide the following information and click OK.
j2eeagent-1
j2ee4gent1
j2ee4gent1
Choose Active.
The new agent j2eeagent-1 is displayed in the list of Agent Users.
Log out of the Access Manager console.
As a root user, log in to the ProtectedResource-1 host machine.
Create a directory into which you can download the J2EE policy agent bits and change into it.
# mkdir /export/J2EEPA1
# cd /export/J2EEPA1
Create a text file that contains the Agent Profile password.
The J2EE Policy Agent installer requires this file for installation.
# cat > agent.pwd
j2ee4gent1
Hit Control D to terminate the command
^D
Log out of the ProtectedResource-1 host machine.
A group represents a collection of users with a common function, feature, or interest. The groups created in this section will be used to test the policy agent after installation.
Access http://LoadBalancer-3.example.com:7070/amserver/UI/Login, the Access Manager load balancer, from a web browser.
Log in to the Access Manager console as the administrator.
amadmin
4m4dmin1
On the Access Control tab, click the users realm.
Click the Subjects tab.
Click the Groups tab.
Create a manager group for the Users realm.
On the Groups page, click New.
On the New Group page, enter Manager-Group as the ID and click OK.
The Manager-Group is displayed in the list of Groups.
Click Manager-Group in the list of Groups.
Copy the value of the Universal ID and save it to a text file.
You will need this value in To Configure Properties for the J2EE Policy Agent 1 Sample Application.
Click the Users tab.
You should see the users that were created in Chapter 7, Configuring an Access Manager Realm for User Authentication.
Select Test User1 from the list and click Add.
Click Save.
Click Back to Subjects.
Create an employee group for the Users realm.
On the Groups page, click New.
On the New Group page, enter Employee-Group as the ID and click OK.
The Employee-Group is displayed in the list of Groups.
Click Employee-Group in the list of Groups.
Copy the value of the Universal ID and save it to a text file.
You will need this value in To Configure Properties for the J2EE Policy Agent 1 Sample Application.
Click the Users tab.
You should see the users that were created in Chapter 7, Configuring an Access Manager Realm for User Authentication.
Select Test User2 from the list and click Add.
Click Save.
Click Back to Subjects.
Log out of the Access Manager console.
BEA WebLogic Server is the application server used as the J2EE container on Protected Resource 1. After installing the bits in this procedure, see To Configure BEA WebLogic Server as J2EE Container 1 on Protected Resource 1.
As a root user, log in to the ProtectedResource-1 host machine.
Ensure that your system is properly patched.
Refer to the BEA web site to make sure that your system has the recommended patches.
Create a directory into which you can download the WebLogic Server bits and change into it.
# mkdir /export/BEAWL92
# cd /export/BEAWL92
Download the WebLogic Server bits from http://commerce.bea.com/.
For this deployment, we download the Solaris version.
# ls -al
total 294548
drwxr-xr-x   2 root     root         512 Aug  7 13:23 .
drwxr-xr-x   3 root     sys          512 Aug  7 13:16 ..
-rw-r--r--   1 root     root   722048346 Aug  7 13:24 portal920_solaris32.bin
Run the installer.
# ./portal920_solaris32.bin
When prompted, do the following:
Select Yes and click Next.
Type /usr/local/bea and click Next.
Click Next.
Click Next.
Type /usr/local/bea/weblogic92 and click Next.
Deselect Run Quickstart and click Done.
Verify that the application was correctly installed.
# cd /usr/local/bea
# ls -al
total 34
drwxr-xr-x   6 root     root         512 Sep 13 14:26 .
drwxr-xr-x   3 root     root         512 Sep 13 14:22 ..
-rwxr-xr-x   1 root     root         851 Sep 13 14:26 UpdateLicense.sh
-rw-r--r--   1 root     root          14 Sep 13 14:26 beahomelist
drwxr-xr-x   6 root     root         512 Sep 13 14:26 jdk150_04
-rw-r--r--   1 root     root        7818 Sep 13 14:26 license.bea
drwxr-xr-x   2 root     root         512 Sep 13 14:26 logs
-rw-r--r--   1 root     root         947 Sep 13 14:26 registry.xml
drwxr-xr-x   3 root     root         512 Sep 13 14:26 utils
drwxr-xr-x  10 root     root         512 Sep 13 14:26 weblogic92
After installing the bits, WebLogic Server must be configured.
This procedure assumes you have just completed To Install BEA WebLogic Server as J2EE Container 1 on Protected Resource 1.
Run the WebLogic Server configuration script.
# cd /usr/local/bea/weblogic92/common/bin
# ./config.sh
When prompted, do the following:
Start the WebLogic administration server.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-1
# ./startWebLogic.sh
When prompted, type the following credentials.
weblogic
w3bl0g1c
Run the netstat command to verify that the port is open and listening.
# netstat -an | grep 7001
XXX.XX.XX.151.7001   *.*   0   0   49152   0   LISTEN
XXX.X.X.1.7001       *.*   0   0   49152   0   LISTEN
You can also access the administration console by pointing a web browser to http://protectedresource-1.example.com:7001/console.
Change to the AdminServer directory.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-1/servers/AdminServer
Create a security directory and change into it.
# mkdir security
# cd security
Create a boot.properties file for the WebLogic Server administration server administrator credentials.
The administrative user and password are stored in boot.properties. Application Server 1 uses this information during startup. WebLogic Server encrypts the file at the next startup, so there is no security risk even if you enter the user name and password in clear text.
# cat > boot.properties
username=weblogic
password=w3bl0g1c
Hit Control D to terminate the command
^D
Restart WebLogic to encrypt the username and password in boot.properties.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
# ./stopWebLogic.sh
# ./startWebLogic.sh
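The following POSIX shell functions are an added example and are not part of this guide or of WebLogic Server. They create boot.properties so that only the owner (root) can read it during the window in which the credentials are still in clear text, and after the restart above they check that both values have been replaced by encrypted ones. The same functions apply to the managed server's boot.properties created later in this procedure. The check assumes that WebLogic Server writes the encrypted values with a marker in braces (for example {3DES}); only the brace and the absence of the clear-text password are tested, not the algorithm name.

```shell
#!/bin/sh
# Added example, not part of the deployment guide: write boot.properties with
# owner-only permissions and verify that WebLogic Server encrypted it after
# the restart documented in the guide.

# Write boot.properties into the given security directory. The file is
# created under umask 077, so it is readable only by its owner while the
# credentials are still in clear text. Arguments (assumed): directory,
# user name, password.
write_boot_properties() {
    dir="$1"
    user="$2"
    pass="$3"
    (
        umask 077
        printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$dir/boot.properties"
    )
}

# Succeed only if the file has no group or other permission bits set
# (the ls -l mode string reads "-rw-------" or stricter).
owner_only() {
    ls -l "$1" | cut -c5-10 | grep -q '^------$'
}

# Succeed only if neither credential is stored in clear text any more.
# After a restart WebLogic Server rewrites both values with an encryption
# marker in braces (for example {3DES}...); the exact marker is an
# assumption, so only the opening brace is checked, together with the
# absence of the clear-text password given as the second argument.
boot_properties_encrypted() {
    f="$1"
    plain="$2"
    grep -q '^username={' "$f" &&
    grep -q '^password={' "$f" &&
    ! grep -qF -- "$plain" "$f"
}

# Usage with the paths from the guide (run as root on ProtectedResource-1):
# write_boot_properties /usr/local/bea/user_projects/domains/ProtectedResource-1/servers/AdminServer/security weblogic w3bl0g1c
# ./stopWebLogic.sh; ./startWebLogic.sh
# boot_properties_encrypted .../servers/AdminServer/security/boot.properties w3bl0g1c && echo "boot.properties encrypted"
```

Run the encryption check only after the restart has completed; before it, the function fails by design because the file still holds the values you typed.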
Start the managed servers.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
# ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
You will be prompted for the administrative user credentials.
weblogic
w3bl0g1c
Change to the ApplicationServer-1 directory.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-1/servers/ApplicationServer-1
Create a security directory and change into it.
# mkdir security
# cd security
Create a boot.properties file for the WebLogic Server managed server administrator credentials.
The administrative user and password are stored in boot.properties. The ApplicationServer-1 managed server uses this information during startup. WebLogic Server encrypts the file at the next startup, so there is no security risk even if you enter the user name and password in clear text.
# cat > boot.properties
username=weblogic
password=w3bl0g1c
Hit Control D to terminate the command
^D
Restart the managed server.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
# ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
# ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
Run the netstat command to verify that the port is open and listening.
# netstat -an | grep 1081
XXX.X.X.1.1081       *.*   0   0   49152   0   LISTEN
XXX.XX.XX.151.1081   *.*   0   0   49152   0   LISTEN
Access http://ProtectedResource-1.example.com:7001/console from a web browser.
Log in to the BEA WebLogic Server console as the administrator.
weblogic
w3bl0g1c
Click Servers.
On the Summary of Servers page, verify that both AdminServer (admin) and ApplicationServer-1 are running and OK.
Log out of the console.
Log out of the ProtectedResource-1 host machine.
You must stop both the WebLogic Server 1 instance and the WebLogic Server 1 administration server before beginning the installation process.
As a root user, log in to the ProtectedResource-1 host machine.
Stop the WebLogic Server 1 administration server and the WebLogic Server 1 instance.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
# ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
# ./stopWebLogic.sh
Ensure that your system is properly patched.
Read the appropriate policy agent Release Notes for your web container to determine the latest patches you might need to install before beginning installation. In this case, no patch is required.
You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch.
Change into the J2EEPA1 directory.
# cd /export/J2EEPA1
Download the J2EE policy agent bits for WebLogic Server from http://www.sun.com/download/index.jsp.
# ls -al
total 8692
drwxr-xr-x   2 root     root         512 Sep 13 13:19 .
drwxr-xr-x   5 root     sys          512 Aug 13 17:08 ..
-rw-r--r--   1 root     root     4433920 Sep 13 13:19 SJS_Weblogic_92_agent_2.2.tar
Unpack the J2EE policy agent bits.
# /usr/sfw/bin/gtar -xvf /export/J2EEPA1/SJS_Weblogic_92_agent_2.2.tar
Use the gtar command and not the tar command.
Run the J2EE policy agent installer.
# cd /export/J2EEPA1/j2ee_agents/am_wl92_agent/bin
# ./agentadmin --install
When prompted, provide the following information.
Press Enter to continue. Continue to press Enter until you reach the end of the License Agreement.
Enter /usr/local/bea/user_projects/domains/ProtectedResource-1/bin/startWebLogic.sh
Enter ApplicationServer-1
Enter LoadBalancer-3.example.com
Enter 7070
Accept the default value.
Accept the default value.
Enter ProtectedResource-1.example.com
Accept the default value.
Accept false, the default value.
Enter 1081
Accept the default value.
Accept the default value.
Accept the default value.
Enter j2eeagent-1
Enter /export/J2EEPA1/agent.pwd
Accept the default value.
Accept the default value.
The installer runs and, when finished, creates a new file in the bin directory called setAgentEnv_ApplicationServer-1.sh.
Modify the startup script setDomainEnv.sh to reference setAgentEnv_ApplicationServer-1.sh.
Backup setDomainEnv.sh before you modify it.
Change permissions for setAgentEnv_ApplicationServer-1.sh.
# chmod 755 setAgentEnv_ApplicationServer-1.sh
Start the WebLogic Server administration server.
# ./startWebLogic.sh &
Watch for startup errors.
The agent application is a housekeeping application bundled with the agent binaries and used by the agent for notifications and other internal functionality. In order for the agent to function correctly, this application must be deployed on the agent-protected deployment container instance using the same URI that was supplied during the agent installation process. For example, during the installation process, if you entered /agentapp as the deployment URI for the agent application, use that same context path in the deployment container.
Access http://ProtectedResource-1.example.com:7001/console from a web browser.
Log in to the WebLogic Server console as the administrator.
weblogic
w3bl0g1c
Under Domain Structure, click Deployments.
On the Summary of Deployments page, in the Change Center, click Lock & Edit.
Under Deployments, click Install.
On the Install Application Assistant page, click the protectedresource-1.example.com link.
In the field named Location: protectedresource-1.example.com, click the root directory.
Navigate to /export/J2EEPA1/j2ee_agents/am_wl92_agent/etc, the application directory.
Select agentapp.war and click Next.
In the Install Application Assistant page, choose Install this deployment as an application and click Next.
In the list of Servers, mark the checkbox for ApplicationServer-1 and click Next.
In the Optional Settings page, click Next.
Click Finish.
On the Settings for agentapp page, click Save.
In the Change Center, click Activate Changes.
This procedure assumes that you have just completed To Deploy the J2EE Policy Agent 1 Application.
In the WebLogic Server console, on the Settings for agentapp page, click Deployments.
On the Summary of Deployments page, mark the agentapp checkbox and click Start > Servicing all requests.
On the Start Application Assistant page, click Yes.
You may encounter a JavaScript error because the agent application will not start until the WebLogic Server instance is running. In this case, start ApplicationServer-1 and perform the steps again.
This procedure assumes that you have just completed To Start the J2EE Policy Agent 1 Application.
In the WebLogic Server console, on the Summary of Deployments page, under Domain Structure, click Security Realms.
On the Summary of Security Realms page, click Lock & Edit.
Click the myrealm link.
On the Settings for myrealm page, click the Providers tab.
Under Authentication Providers, click New.
On the Create a New Authentication Provider page, provide the following information and click OK.
Agent-1
Select AgentAuthenticator from the drop-down list.
Agent-1 is now included in the list of Authentication Providers.
In the list of Authentication Providers, click Agent-1.
In the Settings for Authentication Providers page, verify that the Control Flag is set to OPTIONAL.
In the navigation tree near the top of the page, click Providers.
In the list of Authentication Providers, click DefaultAuthenticator.
In the Settings for DefaultAuthenticator page, set the Control Flag to OPTIONAL and click Save.
In the navigation tree near the top of the page, click Providers again.
In the Change Center, click Activate Changes.
If indicated by the console, restart the servers.
Log out of the WebLogic Server console.
As a root user, log in to the ProtectedResource-1 host machine.
Restart the administration server and the managed instance.
# cd /usr/local/bea/user_projects/domains/ProtectedResource-1/bin
# ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
# ./stopWebLogic.sh
# ./startWebLogic.sh
# ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
Log out of the ProtectedResource-1 host machine.
As a root user, log in to the ProtectedResource-1 host machine.
Change to the directory that contains the AMAgent.properties file.
# cd /export/J2EEPA1/j2ee_agents/am_wl92_agent/agent_001/config
Backup AMAgent.properties before you modify it.
Make the following modifications to AMAgent.properties.
Set the following property.
com.sun.identity.agents.config.bypass.principal[0] = weblogic
This ensures that the WebLogic administrator will be authenticated against WebLogic itself and not Access Manager.
At the end of the file, insert the following new property.
com.sun.identity.session.resetLBCookie=true
You must add this property if session failover has been configured for Access Manager. If session failover is not configured and this property is added, it could negatively impact performance. If session failover is enabled for Access Manager and this property is not added, the session failover functionality will still work, but stickiness to the Access Manager server will not be maintained after failover occurs. This property is not required for web policy agents.
If this property is added here, it must also be added to the Access Manager file, AMConfig.properties.
Save and close the file.
Log out of the ProtectedResource-1 host machine.
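The following POSIX shell functions are an added example, not part of this guide or of the policy agent, that apply the two AMAgent.properties changes described in this procedure (the bypass principal and the resetLBCookie property) with a backup taken first, and then verify the result before you restart the servers. The file path is the one used in the guide; the function names, the timestamped backup naming and the idempotent behaviour (an existing bypass.principal[0] line is rewritten rather than duplicated, and resetLBCookie is appended only once) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the deployment guide: apply and verify the
# AMAgent.properties changes described in the guide (bypass principal and
# resetLBCookie), backing the file up first.

# Path from the guide; override by passing a different path to the functions.
AGENT_PROPS=/export/J2EEPA1/j2ee_agents/am_wl92_agent/agent_001/config/AMAgent.properties
BYPASS_KEY='com.sun.identity.agents.config.bypass.principal[0]'
LB_KEY='com.sun.identity.session.resetLBCookie'

# Back up the file (timestamped copy, same mode), set the bypass principal to
# the WebLogic administrator, and append resetLBCookie=true exactly once.
# Arguments: path to AMAgent.properties; bypass principal (default weblogic).
# As the guide notes, resetLBCookie belongs in the file only when Access
# Manager session failover is configured.
set_agent_properties() {
    f="$1"
    principal="${2:-weblogic}"
    cp -p "$f" "$f.bak.$(date +%Y%m%d%H%M%S)"
    if grep -q "^com\.sun\.identity\.agents\.config\.bypass\.principal\[0]" "$f"; then
        # Rewrite the existing line, preserving the file's mode via a copy.
        cp -p "$f" "$f.tmp"
        sed "s/^com\.sun\.identity\.agents\.config\.bypass\.principal\[0].*/$BYPASS_KEY = $principal/" "$f" > "$f.tmp"
        mv "$f.tmp" "$f"
    else
        printf '%s = %s\n' "$BYPASS_KEY" "$principal" >> "$f"
    fi
    grep -q "^$LB_KEY=" "$f" || printf '%s=true\n' "$LB_KEY" >> "$f"
}

# Succeed only if both properties are present with the expected values.
# Whitespace around "=" is tolerated for the bypass principal, matching the
# form shown in the guide. Arguments as for set_agent_properties.
verify_agent_properties() {
    f="$1"
    principal="${2:-weblogic}"
    grep -q "^com\.sun\.identity\.agents\.config\.bypass\.principal\[0] *= *$principal\$" "$f" &&
    grep -q "^$LB_KEY=true\$" "$f"
}

# Usage on the host, as root, before restarting the servers:
# set_agent_properties "$AGENT_PROPS" && verify_agent_properties "$AGENT_PROPS" && echo "AMAgent.properties updated"
```

Because the WebLogic administrator named in bypass.principal[0] is authenticated by WebLogic Server rather than Access Manager, verify_agent_properties is worth running again after any later edit of the file, so that the entry is not lost or silently widened to another account.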