Sun Java Enterprise System 5 Update 1 Installation Reference for UNIX

Access Manager Configuration Information

The Java ES installer supports the installation of these subcomponents of Access Manager:


Note –

Access Manager SDK is automatically installed as part of Identity Management and Policy Services Core, but the SDK can also be installed separately on a remote host. For information about separate installation of Access Manager SDK, refer to Access Manager SDK Configuration Information


Access Manager Administration Information

Table 3–3 Access Manager Administration Information

Label and State File Parameter 

Description 

Install type

AM_REALM

Indicates whether the installation uses Realm mode.

The install type determines the level of interoperability with other components. You have a choice of Realm mode (version 7.x style) or Legacy mode (version 6.x style). Set AM_REALM to Enabled for Realm mode or to Disabled for Legacy mode. The default value is Disabled, which means Legacy mode is used.

Note: When you are installing Access Manager with Portal Server, you can select either Realm (Access Manager 7.x compatible) mode or Legacy (6.x compatible) mode for Access Manager. 

If installing Portal Server, you may use Realm mode only if Directory Server and Access Manager SDK are already installed and configured. 

If you are using Communications products, Legacy mode is required. 

Administrator User ID 

IS_ADMIN_USER_ID

Access Manager top-level administrator. This user has unlimited access to all entries managed by Access Manager. 

The default name, amadmin, cannot be changed. This ensures that the Access Manager administrator role and its privileges are created and mapped properly in Directory Server, allowing you to log onto Access Manager immediately after installation.

Administrator Password 

IS_ADMINPASSWD

Password of the amadmin user. The value must have at least eight characters.

LDAP User ID 

IS_LDAP_USER

Bind DN user for LDAP, Membership, and Policy services. This user has read and search access to all Directory Server entries. 

The default user name, amldapuser, cannot be changed.

LDAP Password 

IS_LDAPUSERPASSWD

Password of the amldapuser user. This password must be different from the password of the amadmin user. It can be any valid Directory Server password.

Password Encryption Key 

AM_ENC_PWD

A string that Access Manager uses to encrypt user passwords. 

The interactive installer generates a default password encryption key. You can accept the default value or specify any key produced by a J2EE random number generator. The value must be either blank or at least 12 characters long.

During Access Manager installation, its property file is updated and the property am.encryption.pwd is set to this value. The property file is AMConfig.properties . Location is:

Solaris OS: /etc/opt/SUNWam/config

Linux : /etc/opt/sun/identity/config

All Access Manager subcomponents must use the same encryption key that the Identity Management and Policy Services Core uses. If you are distributing Access Manager subcomponents across hosts and installing Administration Console or Common Domain Services for Federation Management, copy the value for am.encryption.pwd as generated by the installation of the core, and paste the value into this field.

Access Manager Web Container Information

The Identity Management and Policy Services Core subcomponent of Access Manager runs in a web container, usually Web Server or Application Server.


Note –

Access Manager can also run in a third-party web container, specifically IBM WebSphere Application Server or BEA WebLogic Server. After installing Access Manager with the Configure Later option, you then run the amconfig script to do postinstallation configuration. You must follow the IBM or BEA documentation to install and configure the third-party web container.


The information that the installer needs is different for each web container:

Access Manager With Application Server

This section describes the information that the installer needs when Application Server is the web container for the Identity Management and Policy Services Core subcomponent of Access Manager.

Table 3–4 Access Manager With Application Server as Web Container

Label and State File Parameter 

Description 

Secure Server Instance Port 

IS_IAS81INSTANCE_PORT

Port on which Application Server listens for connections to the instance. 

The default value is 8080.

If the port you specify does not correspond to the protocol set earlier for Application Server, an error is displayed. You must resolve the situation before continuing. 

Secure Administrator Server Port 

IS_IAS81_ADMINPORT

Port on which the administration server for Application Server listens for connections. 

The default value is 4849.

Administrator User ID 

IS_IAS81_ADMIN

User ID of the Application Server administrator. 

The default value is the administrator user ID you provided under Common Server settings.  

Note: If you chose to use a single administrator account, this field is not present. 

Administrator Password 

IS_IAS81_ADMINPASSWORD

Password of the Application Server administrator. 

The default value is the administrator password you provided under Common Server settings.  

Note: If you chose to use a single administrator account, this field is not present. 

Note: In the Java ES installer, white space cannot be used in admin passwords, nor can the following symbols:  ; & ( ) ! | < > ' " $ ^ \ # / , @ %

Access Manager With Web Server

This section describes the information that the installer needs when Web Server is the web container for the Identity Management and Policy Services Core subcomponent of Access Manager.

Table 3–5 Access Manager With Web Server as Web Container

Label and State File Parameter 

Description 

Host Name 

IS_WS_HOST_NAME

The fully qualified domain name for the host. 

For example, if this host is siroe.example.com, this value is siroe.example.com.

The default value is the fully qualified domain name for the current host. 

Administrator User ID

IS_WS_ADMIN_ID

User ID of the Web Server administrator. 

The default value is the administrator user ID you provided under Common Server settings.  

Note: If you chose to use a single administrator account, this field is not present. 

Administrator Password

IS_WS_ADMIN_PASSWORD

Password of the Web Server master administrator. 

The default value is the administrator password you provided under Common Server settings. 

Note: If you chose to use a single administrator account, this field is not present. 

Note: In the Java ES installer, white space cannot be used in admin passwords, nor can the following symbols:  ; & ( ) ! | < > ' " $ ^ \ # / , @ %

Document Root Directory

IS_WS_DOC_DIR

Directory where Web Server stores content documents. 

Solaris OS: /var/opt/SUNWwbsvr7/https-hostname.domain/docs

Linux : /var/opt/sun/webserver7/https-hostname.domain/docs

Web Server Port 

IS_WS_INSTANCE_PORT

Port on which the Web Server instance listens for connections. If this port is in use, you are presented with a choice of available ports. 

Default value is 80. 

Web Server Instance Directory 

IS_WS_INSTANCE_DIR

Path to the directory where an instance of Web Server is installed, using the following syntax: 

WebServer-base/https-webserver-instancename

If you are installing Web Server in this session, the default value for WebServer-base is the Web Server instance directory:

Solaris OS: /var/opt/SUNWwbsvr7

Linux : /var/opt/sun/webserver7

Web Server Protocol

IS_WS_PROTOCOL

Protocol on which Web Server listens on the Web Server port. A secure port uses the HTTPS protocol; a non-secure port uses HTTP. 

The default value is HTTP. 
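The constraints that Tables 3-3, 3-4 and 3-5 place on the Access Manager parameters (fixed amadmin and amldapuser names, password lengths, the encryption key length, the symbols barred from web container administrator passwords, protocol and port values) are easy to violate in a hand-edited state file, and the installer only reports them at run time. The following validator is an added example, not part of the Java ES installer; it assumes a plain KEY=VALUE state file layout and applies the symbol restriction to the two web container administrator passwords the tables attach it to. The sample state files are constructed for the example.

```python
"""Validate the Access Manager parameters of a Java ES state file against
the constraints stated in Tables 3-3, 3-4 and 3-5. Added example, not
part of the Java ES installer. A plain KEY=VALUE line format is assumed;
keys the reference does not constrain are read but ignored."""

# Symbols the installer rejects in web container admin passwords (Tables 3-4, 3-5).
FORBIDDEN_PASSWORD_CHARS = set(';&()!|<>\'"$^\\#/,@%')


def parse_state_file(text):
    """Parse KEY=VALUE lines into a dict, skipping blank lines and # comments."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, value = line.partition('=')
        if sep:
            params[key.strip()] = value.strip()
    return params


def _valid_port(value):
    return value.isdigit() and 1 <= int(value) <= 65535


def _check_container_password(name, value, problems):
    """White space and the listed symbols are not accepted by the installer."""
    if any(ch.isspace() for ch in value):
        problems.append(f'{name}: white space is not allowed')
    bad = ''.join(sorted(set(value) & FORBIDDEN_PASSWORD_CHARS))
    if bad:
        problems.append(f'{name}: forbidden characters {bad}')


def validate(params):
    """Return the list of violated constraints; an empty list means the
    Access Manager parameters are consistent with this reference."""
    problems = []
    realm = params.get('AM_REALM', 'Disabled')
    if realm not in ('Enabled', 'Disabled'):
        problems.append(f'AM_REALM must be Enabled or Disabled, got {realm!r}')
    if params.get('IS_ADMIN_USER_ID', 'amadmin') != 'amadmin':
        problems.append('IS_ADMIN_USER_ID must be amadmin (the name cannot be changed)')
    admin_pw = params.get('IS_ADMINPASSWD', '')
    if len(admin_pw) < 8:
        problems.append(f'IS_ADMINPASSWD must have at least 8 characters (got {len(admin_pw)})')
    if params.get('IS_LDAP_USER', 'amldapuser') != 'amldapuser':
        problems.append('IS_LDAP_USER must be amldapuser (the name cannot be changed)')
    ldap_pw = params.get('IS_LDAPUSERPASSWD', '')
    if not ldap_pw:
        problems.append('IS_LDAPUSERPASSWD is required')
    elif ldap_pw == admin_pw:
        problems.append('IS_LDAPUSERPASSWD must differ from IS_ADMINPASSWD')
    enc = params.get('AM_ENC_PWD', '')
    if enc and len(enc) < 12:
        problems.append(f'AM_ENC_PWD must be blank or at least 12 characters (got {len(enc)})')
    for name in ('IS_IAS81_ADMINPASSWORD', 'IS_WS_ADMIN_PASSWORD'):
        if name in params:
            _check_container_password(name, params[name], problems)
    proto = params.get('IS_WS_PROTOCOL')
    if proto is not None and proto.upper() not in ('HTTP', 'HTTPS'):
        problems.append(f'IS_WS_PROTOCOL must be HTTP or HTTPS, got {proto!r}')
    for name in ('IS_WS_INSTANCE_PORT', 'IS_IAS81INSTANCE_PORT', 'IS_IAS81_ADMINPORT'):
        if name in params and not _valid_port(params[name]):
            problems.append(f'{name} must be a port number from 1 to 65535')
    return problems


# Constructed sample state files (Access Manager section only); not real installer output.
BAD_STATE_FILE = """\
# deliberate errors: short admin password reused for amldapuser, 11-char key, bad WS password
AM_REALM=Enabled
IS_ADMIN_USER_ID=amadmin
IS_ADMINPASSWD=short1
IS_LDAP_USER=amldapuser
IS_LDAPUSERPASSWD=short1
AM_ENC_PWD=tooshortkey
IS_WS_ADMIN_ID=admin
IS_WS_ADMIN_PASSWORD=pa$$ word
IS_WS_PROTOCOL=HTTP
IS_WS_INSTANCE_PORT=80
"""

GOOD_STATE_FILE = """\
AM_REALM=Disabled
IS_ADMINPASSWD=Adm1nSecret99
IS_LDAPUSERPASSWD=LdapB1ndSecret
AM_ENC_PWD=
IS_WS_ADMIN_PASSWORD=WebAdm1nPass
IS_WS_PROTOCOL=HTTPS
IS_WS_INSTANCE_PORT=443
"""

if __name__ == '__main__':
    for problem in validate(parse_state_file(BAD_STATE_FILE)):
        print('ERROR:', problem)
    print('good sample problems:', validate(parse_state_file(GOOD_STATE_FILE)))
```

Run it against a state file before a silent (state-file) installation; the BAD sample reports five problems and the GOOD sample none. Because the state file carries IS_ADMINPASSWD, IS_LDAPUSERPASSWD, the web container administrator password and the Directory Manager password in clear text, keep it readable only by the installing user and delete it once the installation has completed.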

Access Manager Services

The installer needs different information about Access Manager services for the following Access Manager subcomponents.

Access Manager Web Container Information

This section describes the services information that the installer needs when you are specifying web container details.

Table 3–6 Access Manager Services Information for Specifying Web Container

Label and State File Parameter 

Description 

Host Name 

IS_SERVER_HOST

Fully qualified domain name of the host on which you are installing Java ES. 

The default value is the fully qualified domain name of the local host. 

Services Deployment URI 

SERVER_DEPLOY_URI

Uniform Resource Identifier (URI) prefix for accessing the HTML pages, classes, and JAR files associated with the Identity Management and Policy Services Core subcomponent. This URI is used to access the realm (Access Manager 7.x compatible) console. 

The default value is amserver. Do not enter a leading slash.

Common Domain Deployment URI 

CDS_DEPLOY_URI

URI prefix for accessing the common domain services on the web container. 

The default value is amcommon. Do not enter a leading slash.

Cookie Domain 

COOKIE_DOMAIN_LIST

The names of the trusted DNS domains that Access Manager returns to a browser when Access Manager grants a session ID to a user. 

You can scope this value to a single top-level domain, such as example.com . The session ID will provide authentication for all subdomains of example.com.

Alternatively, you can scope the value to a comma-separated list of subdomains, such as .corp.example.com,.sales.example.com. The session ID will provide authentication for all subdomains in the list.

A leading dot (.) is required for each domain in the list.

The default value is the current domain, prefixed by a dot (.).
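The scope of COOKIE_DOMAIN_LIST decides which hosts a browser will send the Access Manager session ID to, and therefore which hosts can act with the user's session. The following script is an added example, not installer code: it checks the leading-dot rule for a COOKIE_DOMAIN_LIST value and contrasts the broad single-domain scope with a narrower list of subdomains, using a constructed set of host names. It assumes the standard browser rule for a cookie Domain attribute, under which a cookie set for .example.com is sent to example.com and to every host below it.

```python
"""Which hosts receive the Access Manager session cookie for a given
COOKIE_DOMAIN_LIST value. Added example; not installer code. Assumes the
standard browser Domain rule: a cookie for .example.com is sent to
example.com and to every host below it."""


def parse_cookie_domain_list(value):
    """Split a COOKIE_DOMAIN_LIST value into lower-cased domains and
    enforce the installer's rule that every entry starts with a dot."""
    domains = []
    for entry in value.split(','):
        entry = entry.strip().lower()
        if not entry:
            continue
        if not entry.startswith('.') or entry.strip('.') == '':
            raise ValueError(f'cookie domain {entry!r} must be a domain with a leading dot')
        domains.append(entry)
    if not domains:
        raise ValueError('COOKIE_DOMAIN_LIST contains no domains')
    return domains


def cookie_domain_for(domains, host):
    """Return the configured domain that covers `host` (the Domain the
    session cookie is scoped to when a user authenticates there), or
    None when no entry covers it, meaning no SSO cookie for that host."""
    host = host.strip().lower().rstrip('.')
    for domain in domains:
        if host == domain[1:] or host.endswith(domain):
            return domain
    return None


def hosts_receiving_cookie(domains, hosts):
    """Hosts to which a browser sends a cookie scoped to any of `domains`,
    i.e. the hosts that can read the user's session ID."""
    return [h for h in hosts if cookie_domain_for(domains, h) is not None]


# Constructed host names for the comparison below.
SAMPLE_HOSTS = [
    'sso.corp.example.com',
    'intranet.sales.example.com',
    'wiki.labs.example.com',      # a third subdomain, absent from the narrow list
    'example.com',
    'example.com.evil.test',      # similar-looking name in an unrelated domain
]


def compare_scopes():
    """Contrast a broad single-domain scope with a narrower subdomain list."""
    broad = parse_cookie_domain_list('.example.com')
    narrow = parse_cookie_domain_list('.corp.example.com,.sales.example.com')
    return {
        'broad': hosts_receiving_cookie(broad, SAMPLE_HOSTS),
        'narrow': hosts_receiving_cookie(narrow, SAMPLE_HOSTS),
    }


if __name__ == '__main__':
    for scope, hosts in compare_scopes().items():
        print(f'{scope}: {hosts}')
```

With the broad value, every host under example.com, including wiki.labs.example.com, receives the session ID; with the narrow list only the corp and sales hosts do. A host in an unrelated domain that merely starts with example.com never matches either way. Scope the list to the subdomains that actually host Access Manager and its agents, since any compromised host inside the scope can replay the session ID.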

Password Deployment URI 

PASSWORD_SERVICE_DEPLOY_URI

URI prefix that the web container running Access Manager maps to the deployed password reset application. This is the URI for the Access Manager password reset service.  

The default value is ampassword. Do not enter a leading slash.

Console Protocol

CONSOLE_PROTOCOL

Protocol used to reach the Access Manager console on the web container port. A secure port uses the HTTPS protocol; a non-secure port uses HTTP. 

The default value is HTTP. 

Access Manager Console Information for Services

This section describes the services information the installer needs for the Access Manager console.

Table 3–7 Access Manager Services Information for Access Manager Console

Label and State File Parameter 

Description 

Administration Console:

Deploy new console or use existing console 

USE_DSAME_SERVICES_WEB_CONTAINER

CONSOLE_REMOTE

Choose Deploy new console to deploy the console into the web container of the host on which Access Manager is being installed.  

Choose Use existing console to use an existing console that is, or will be, deployed on a remote host in Realm mode. The default value is False. 

In both cases, you specify the Console Deployment URI and Password Deployment URI. If you choose to use an existing console, you must also specify the Console Host Name and Console Port. 

Console Deployment URI 

CONSOLE_DEPLOY_URI

URI prefix for accessing the HTML pages, classes, and JAR files associated with the Access Manager Legacy mode (Access Manager 6.x compatible) console. Only applies to Legacy mode. The default value is amconsole.

Note: If AM_REALM is enabled (setting Realm mode 7.x), then CONSOLE_DEPLOY_URI is ignored.

Console Host Name 

CONSOLE_HOST

Fully qualified domain name for the server hosting the existing console. This value is not needed if you are deploying a new console. In graphical installation mode, you can edit the field only if you are using an existing console. 

The default value contains the value that you provided for Host (IS_SERVER_HOST ), a dot, and then the value that you provided for DNS Name in the Common Server Settings.

For example, if the host is siroe and the domain is example.com, the default value is siroe.example.com.

Console Port 

CONSOLE_PORT

Port on which the existing console is listening or will listen for connections. Permitted values are any valid and unused port number in the range 1 through 65535. 

This value is not needed if you are deploying a new console. In graphical installation mode, you can edit the field only if you are using an existing console. 

The default value is the value you provided for one of the following web container ports: 

  • Web Server default value is 80.

  • Application Server default value is 8080.

Installing Access Manager Console (Core Already Installed)

This section describes the services information the installer needs when the following are both true:


Note –

You can only install AM Console by itself in Realm mode (Access Manager 7.x compatible). This cannot be done in Legacy mode (6.x compatible).


Table 3–8 Access Manager Services Information for Installing Console Only (Core Already Installed)

Label and State File Parameter 

Description 

Console Deployment URI 

CONSOLE_DEPLOY_URI

URI prefix for accessing the HTML pages, classes and JAR files associated with the Access Manager Legacy mode (Access Manager 6.x compatible) console. Only applies to Legacy mode.  

The default value is amconsole.

If AM_REALM is enabled (setting Realm mode 7.x), then CONSOLE_DEPLOY_URI is ignored.

Password Services Deployment URI 

PASSWORD_SERVICE_DEPLOY_URI

URI prefix that the web container running Access Manager maps to the deployed password reset application. This is the URI for the Access Manager password reset service.  

The default value is ampassword. Do not enter a leading slash.

Installing Access Manager Console (Core Not Already Installed)

This section describes the services information the installer needs when the following are both true:

Table 3–9 Access Manager Services Information for Installing Console (Core Not Already Installed)

Label and State File Parameter 

Description 

Web Container for Access Manager Administration Console

Console Host Name 

CONSOLE_HOST

Fully qualified domain name for the host on which you are installing. 

Console Deployment URI 

CONSOLE_DEPLOY_URI

URI prefix for accessing the HTML pages, classes and JAR files associated with the Access Manager Legacy mode (Access Manager 6.x compatible) Console. Only applies to Legacy mode. The default value is amconsole.

If AM_REALM is enabled (setting Realm mode 7.x), then CONSOLE_DEPLOY_URI is ignored.

Password Services Deployment URI 

PASSWORD_SERVICE_DEPLOY_URI

Deployment URI for the password service. 

The default value is ampassword. Do not enter a leading slash.

Web Container for Access Manager Services

Services Host Name 

IS_SERVER_HOST

Fully qualified domain name of the host where the Identity Management and Policy Services Core subcomponent is installed. 

The default value is the fully qualified domain name of this host. Use the default value as an example of format only, and edit the value to supply the correct remote host name. 

In a state file, supply the fully qualified domain name of a remote host. 

Port 

CONSOLE_PORT

Port on which the Identity Management and Policy Services Core subcomponent listens for connections. This port is the HTTP or HTTPS port used by the web container. 

Services Deployment URI 

SERVER_DEPLOY_URI

URI prefix for accessing the HTML pages, classes, and JAR files associated with the Identity Management and Policy Services Core subcomponent. This URI is used to access the realm (Access Manager 7.x compatible) console.  

The default value is amserver. Do not enter a leading slash.

Cookie Domain 

COOKIE_DOMAIN_LIST

The names of the trusted DNS domains that Access Manager returns to a browser when Access Manager grants a session ID to a user. 

You can scope this value to a single top-level domain, such as example.com. The session ID will provide authentication for all subdomains of example.com.

Alternatively, you can scope the value to a comma-separated list of subdomains, such as .corp.example.com. The session ID will provide authentication for all subdomains in the list.

A leading dot (.) is required for each domain.

The default value is the current domain, prefixed by a dot (.).

Installing Federation Management (Core Already Installed)

This section describes the services information the installer needs when you are installing only the Common Domain Services for Federation Management subcomponent.

Table 3–10 Access Manager Services Information for Installing Federation Management (Core Already Installed)

Label and State File Parameter 

Description 

Common Domain Deployment URI 

CDS_DEPLOY_URI

URI prefix for accessing the common domain services on the web container. 

The default value is amcommon. Do not enter a leading slash.

Access Manager Directory Server Information

The installer needs the following information if you are installing Identity Management and Policy Services Core.

Table 3–11 Directory Server Information for Access Manager

Label and State File Parameter 

Description 

Directory Server Host 

IS_DS_HOSTNAME

Host name, or other value that resolves to the host, on which Directory Server resides. 

The default value is the fully qualified domain name of the local host. For example, if the local host is siroe.example.com, the default value is siroe.example.com.

Directory Server Port 

IS_DS_PORT

Port on which Directory Server listens for client connections. 

The default value is 389.

Access Manager Directory Root Suffix 

IS_ROOT_SUFFIX

Distinguished name (DN) to set as the Access Manager root suffix. 

The default value is based on the fully qualified domain name for this host, minus the host name. For example, if this host is siroe.subdomain.example.com, the value is dc=subdomain,dc=example,dc=com.

Directory Manager DN 

IS_DIRMGRDN

DN of the user who has unrestricted access to Directory Server. 

The default value is cn=Directory Manager.

Directory Manager Password 

IS_DIRMGRPASSWD

Password for the Directory Manager. 
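The one default in Table 3-11 that the installer computes rather than copies is IS_ROOT_SUFFIX: the host's fully qualified name minus its first label, with each remaining label turned into a dc= component. The following script is an added example, not installer code; it derives that suffix (and the default cookie domain of Tables 3-6 and 3-9, which is the same domain part prefixed by a dot) and rejects names from which no suffix can be derived. The label check follows the usual host-name rules (letters, digits and hyphens, no leading or trailing hyphen, at most 63 characters); that the installer validates labels the same way is an assumption.

```python
"""Derive the installer's default Directory Server values from the local
host's fully qualified domain name, as Table 3-11 describes them. Added
example; not installer code. Host-name label rules are assumed."""
import re

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen; 1..63 chars.
_LABEL = re.compile(r'^(?!-)[a-z0-9-]{1,63}(?<!-)$')


def fqdn_labels(fqdn):
    """Split an FQDN into validated, lower-cased labels. Rejects values that
    are not host names (empty labels, bad characters) and names with no
    domain part, for which no root suffix can be derived."""
    labels = fqdn.strip().lower().rstrip('.').split('.')
    for label in labels:
        if not _LABEL.match(label):
            raise ValueError(f'{fqdn!r} is not a valid fully qualified host name')
    if len(labels) < 2:
        raise ValueError(f'{fqdn!r} has no domain part; IS_ROOT_SUFFIX cannot be derived')
    return labels


def default_root_suffix(fqdn):
    """siroe.subdomain.example.com -> dc=subdomain,dc=example,dc=com"""
    return ','.join(f'dc={label}' for label in fqdn_labels(fqdn)[1:])


def default_cookie_domain(fqdn):
    """The current domain prefixed by a dot (Tables 3-6 and 3-9)."""
    return '.' + '.'.join(fqdn_labels(fqdn)[1:])


def default_directory_params(fqdn):
    """Defaults for Table 3-11 plus the cookie domain that shares the same
    derivation. The Directory Manager password has no default."""
    labels = fqdn_labels(fqdn)
    return {
        'IS_DS_HOSTNAME': '.'.join(labels),
        'IS_DS_PORT': '389',
        'IS_ROOT_SUFFIX': default_root_suffix(fqdn),
        'IS_DIRMGRDN': 'cn=Directory Manager',
        'COOKIE_DOMAIN_LIST': default_cookie_domain(fqdn),
    }


if __name__ == '__main__':
    for key, value in default_directory_params('siroe.subdomain.example.com').items():
        print(f'{key}={value}')
```

Check the derived IS_ROOT_SUFFIX against the suffix that actually exists in Directory Server before accepting the default: a host whose name carries an extra subdomain label produces a suffix one dc= component deeper than the directory's real base DN, and the installer will then provision under the wrong tree.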

Access Manager Provisioned Directory Information

The information needed to configure a provisioned directory depends on whether the installer detects an existing provisioned directory on your host. When the installer is generating a state file, IS_EXISTING_DIT_SCHEMA=y is written to the state file if the installer finds an existing provisioned directory. The installer writes IS_EXISTING_DIT_SCHEMA=n to the state file if the installer does not find an existing provisioned directory.

Existing Provisioned Directory Found

If the installer finds an existing provisioned directory, you provide the following information.

Table 3–12 Existing Provisioned Directory Information for Access Manager

Label and State File Parameter 

Description 

User Naming Attribute 

IS_USER_NAMING_ATTR

Naming attribute used for users in the provisioned directory. 

The default value is uid.

No Existing Provisioned Directory Found

If the installer does not find an existing provisioned directory, you can choose whether to use an existing provisioned directory. If you answer yes to the first question in this table, you must answer the remaining questions in the table.

Table 3–13 No Existing Provisioned Directory Information for Access Manager

Label and State File Parameter 

Description 

Is Directory Server provisioned with user data? 

IS_LOAD_DIT

Specifies whether you want to use an existing provisioned directory. Permitted values are y or n.

The default value is n.

Organization Marker Object Class 

IS_ORG_OBJECT_CLASS

Object class defined for the organization in the existing provisioned directory. This value is used only if the value for the first item in this table is y.

The default value is SunISManagedOrganization.

Organization Naming Attribute 

IS_ORG_NAMING_ATTR

Naming attribute used to define organizations in the existing provisioned directory. This value is used only if the value for the first item in this table is y.

The default value is o.

User Marker Object Class 

IS_USER_OBJECT_CLASS

Object class defined for users in the existing provisioned directory. This value is used only if the value for the first item in this table is y.

The default value is inetorgperson.

User Naming Attribute 

IS_USER_NAMING_ATTR

Naming attribute used for users in the existing provisioned directory. This value is used only if the value for the first item in this table is y.

The default value is uid.