Post-Installation Steps Specific to Agent for BEA WebLogic Server/Portal 9.2

Once you have installed Policy Agent 2.2 for BEA WebLogic Server/Portal 9.2 and you have performed the post-installation steps that apply to all J2EE agents in the Policy Agent 2.2 release, complete the following agent-specific steps.

Configuring BEA WebLogic Server/Portal 9.2 Instance With Agent Classpath and Agent Java Options

This section applies to both BEA WebLogic Server 9.2 and BEA WebLogic Portal 9.2 and provides a lot of background information and explanation. However, if you are interested only in the key information required to configure the agent classpath and agent Java options, see Configuring BEA WebLogic Portal 9.2 Instance With Agent Classpath and Agent Java Options.

During agent installation, the installer creates an environment variable script in domain-directory named as follows:

UNIX Platforms

setAgentEnv_server-instance.sh

Windows Platforms

setAgentEnv_server-instance.cmd

domain-directory

a place holder that represents the domain name associated with the BEA WebLogic Server/Portal 9.2 instance. The following is the default full path name of domain-directory:

/usr/local/bea/user_projects/domains/mydomain

server-instance

a place holder that represents the BEA WebLogic Server/Portal 9.2 instance name entered during installation. For example Server1 or Server2.

The agent environment variable script, setAgentEnv_server-instance.sh, is an environment script which is called up during the server's start up sequence.

This agent environment variable script is associated with Agent for BEA WebLogic Server/Portal 9.2 and is used to set up the environment for the agent. This script is called up during the server's start up sequence and sets the classpath and Java options for the agent. The following instructions describe how to configure the BEA WebLogic Server/Portal 9.2 start up script to call the agent environment variable script.

To Configure BEA WebLogic Server/Portal 9.2 Instance With Agent Classpath and Agent Java Options

This step is required. Agent for BEA WebLogic Server/Portal 9.2 will not work if the agent startup script is added incorrectly to the BEA WebLogic Server/Portal 9.2 instance start up script. If the agent startup script does not get invoked properly from the BEA WebLogic Server/Portal 9.2 start up script, BEA WebLogic Server/Portal 9.2 will not function appropriately after the Agent Authenticator is set.

1. To the BEA WebLogic Server/Portal 9.2 instance start up script, add the path of the agent environment variable script.

   The substeps that follow provide the details of adding the agent-environment-variable-script path to the BEA WebLogic Server/Portal 9.2 start up script.

   ---

   Note –

   Throughout this guide scripting files apply to both UNIX platforms and Windows platforms even when the script for Windows platforms is not expressly mentioned. The difference is that scripts for UNIX platforms have the .sh extension while scripts for Windows platforms have the .cmd extension.

   ---

   1. Using the text editor of your choice, access the applicable BEA WebLogic Server/Portal 9.2 instance start up script.

      The full path to the start up script required for this configuration is as follows:.

      UNIX Platforms

      domain-directory/bin/startWebLogic.sh

      Windows Platforms

      domain-directory\bin\startWebLogic.cmd

      where domain-directory is a place holder that represents the domain name associated with the BEA WebLogic Server/Portal 9.2 instance. Be certain that you provide the full path name of domain-directory.

      ---

      Caution –

      Ensure that you access the startWebLogic file in the bin directory. Do not access the startWebLogic file available directly in domain-directory.

      ---

   2. After the line, . ${DOMAIN_HOME}/bin/setDomainEnv.sh $*, add the path to the agent environment variable script.

      The following examples, for both UNIX platforms and Windows platforms, demonstrate the process of adding the agent-environment-variable-script path by specifying the fully qualified path. See the important explanation that follows these examples about the variables ${SERVER_NAME} and %SERVER_NAME%.

      • UNIX Platforms

        . domain-directory/setAgentEnv_${SERVER_NAME}.sh

        For this scenario, the following is a conceivable line if the domain directory is named mydomain:

        . /usr/local/bea/user_projects/domains/mydomain/setAgentEnv_${SERVER_NAME}.sh

        Therefore, in this scenario, the start up script would then, amongst other lines, contain these two lines as shown:

        . ${DOMAIN_HOME}/bin/setDomainEnv.sh $* . /usr/local/bea/user_projects/domains/mydomain/setAgentEnv_${SERVER_NAME}.sh

      • Windows Platforms

        call "domain-directory\setAgentEnv_%SERVER_NAME%.cmd"

        For this scenario, the following is a conceivable line if the domain directory is named mydomain:

        call "C:\bea\user_projects\domains\mydomain\setAgentEnv_%SERVER_NAME%.cmd"

        Therefore, in this scenario, the start up script would then contain, amongst other lines, these two lines as shown:

        call "%DOMAIN_HOME%\bin\setDomainEnv.cmd" %*
        call "C:\bea\user_projects\domains\mydomain\setAgentEnv_%SERVER_NAME%.cmd"

      ${SERVER_NAME} or %SERVER_NAME%

      a variable for the BEA WebLogic Server/Portal 9.2 instance that is dynamically replaced. Do not replace or modify this variable. Therefore, ensure that the variable is entered and remains character for character as ${SERVER_NAME} for UNIX platforms and %SERVER_NAME% for Windows platforms.

2. Restart the BEA WebLogic Server/Portal 9.2 instance.

   ---

   Caution –

   Restarting the BEA WebLogic Server/Portal 9.2 instance at this point is necessary. Otherwise, upcoming tasks will fail.

   ---

Deploying the Agent Application

If you are configuring BEA WebLogic Server 9.2 (not BEA WebLogic Portal 9.2), deploy the Agent Application at this point in the configuration process by following the steps in Deploying the Agent Application of Agent for BEA WebLogic Server/Portal 9.2.

Configuring the Agent Authentication Provider on Agent for BEA WebLogic Server/Portal 9.2

This section is specific to BEA WebLogic Server 9.2. For instructions specific to BEA WebLogic Portal 9.2, see To Configure the Agent Authentication Provider Specifically for BEA WebLogic Portal 9.2.

Using security service provider API exposed by BEA WebLogic Server/Portal 9.2, the agent plugs its custom security Authenticator into the container. Once the Agent Authenticator is configured, all requests call it. You only need to set the Agent Authenticator once per WebLogic domain. For more information on security service provider architecture visit http://e-docs.bea.com/wls/docs92/dvspisec/intro.html.

The authentication provider can be added by using the BEA WebLogic Server/Portal 9.2 Administration Console. The information provided in this section serves to facilitate the configuration of the Agent Authentication Provider and is in no means a substitute for the information provided in WebLogic Server/Portal documentation. For a detailed discussion on WebLogic Authentication providers, search for the proper WebLogic documentation at http://www.bea.com.

To Configure the Agent Authentication Provider Specifically for BEA WebLogic Server 9.2

This task description is specific to BEA WebLogic Server 9.2 (not BEA WebLogic Portal 9.2). For the task description specific to BEA WebLogic Portal 9.2, start with Portal: Configuring the Agent Authentication Provider on Agent for BEA WebLogic Server/Portal 9.2.

1. Log in to the BEA WebLogic Server 9.2 Administration Console.

2. In the left pane, under Domain Structure and under the host name of the server you are configuring, click “Security realm.”

3. In the right pane, click the name of the realm you are configuring.

4. Click the Providers tab.

5. Click the Authentication tab.

6. In the left pane, click Lock & Edit.

7. In the right pane, click New.

8. Specify Type as AgentAuthenticator.

9. Specify Name with a name of your choice.

10. Click OK.

11. Click the newly created policy agent authentication provider.

12. Change the control flag value to OPTIONAL.

13. Click Save.

14. Click the Providers tab.

    The Authentication Providers Table appears.

15. Click Default Authenticator.

16. Change the control flag to OPTIONAL.

17. Click Save.

18. In the left pane, click Activate changes.

The Default Security Realm

If you choose to create a new security realm instead of using the default security realm to configure the agent, ensure that the control flag value for the Agent Authenticator and any additional authentication providers are set to OPTIONAL.

Adding a WebLogic Administrator to the Bypass List of Agent for BEA WebLogic Server/Portal 9.2

This section is applicable to both BEA WebLogic Server 9.2 and BEA WebLogic Portal 9.2.

The task description that follows involves editing the J2EE agent AMAgent.properties configuration file in order to add the user ID of the WebLogic administrative user to the list of bypassed principals. This administrative user may then bypass the authentication process involving Access Manager realm.

To Add a WebLogic Administrator to the Bypass List of Agent for BEA WebLogic Server/Portal 9.2

1. Using the text editor of your choice, access the J2EE agent AMAgent.properties configuration file.

2. Add the user ID of the WebLogic administrative user to the bypass principal list.

   For example, to add the administrative user whose user ID is weblogic to the bypass principal list, set the following property as shown:

   com.sun.identity.agents.config.bypass.principal[0] = weblogic

3. (Conditional) If you are finished editing the J2EE agent AMAgent.properties configuration file, save and close the file.

Installing the Agent Filter for the Deployed Application on Agent for BEA WebLogic Server/Portal 9.2

Much of the task described subsequently applies to both BEA WebLogic Server 9.2 and BEA WebLogic Portal 9.2. However, the most critical information required for performing this task is also provided separately inPortal: Deploying the Agent Application. If you would prefer to follow the simplified instructions, see that section.

The agent filter can be installed by modifying the deployment descriptor of the application that needs to be protected.

To Install the Agent Filter for the Deployed Application on Agent for BEA WebLogic Server/Portal 9.2

The following steps explain how to install the agent filter for the application you want the agent to protect:

1. (Conditional) If the application is currently deployed on BEA WebLogic Server/Portal 9.2, remove it before proceeding any further.

2. Create the necessary backups before proceeding to modify these descriptors.

   Since you will modify the deployment descriptor in the next step, creating backup files at this point is important.

3. Edit the application’s web.xml descriptor.

   The filters were introduced in Servlet Specification 2.3. For more information about this specification, see http://jcp.org/aboutJava/communityprocess/first/jsr053/index.html.

   The <DOCTYPE> element of the web.xml descriptor must be changed to reflect that the deployment descriptor is, at minimum, a Servlet 2.3 compliant deployment descriptor. To reflect this compliance perform the following substeps.

   1. Set the <DOCTYPE> element as follows:

      <!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">

   2. Add the <filter> elements in the deployment descriptor by specifying the <filter> and the <filter-mapping> elements immediately following the description element of the <web-app> element in the descriptor web.xml.

      The following is a sample web.xml descriptor with the <filter> and the <filter-mapping> elements added:

      <web-app> <filter> <filter-name>Agent</filter-name> <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class> </filter> <filter-mapping> <filter-name>Agent</filter-name> <url-pattern>/*</url-pattern> </filter-mapping> </web-app>

   Ensure that the agent filter element precedes all the other <filter> elements. Similarly, the filter mapping element should be before all the other <filter-mapping> elements. In practice, the agent filter should first intercept the request to properly enforce policies on the whole application.

   Once the web.xml deployment descriptor is modified to reflect the new <DOCTYPE> and <filter> elements, the agent filter is added to the application. You can now redeploy your application on BEA WebLogic Server/Portal 9.2.

Focus on BEA WebLogic Server 9.2

The rest of this section focuses on BEA WebLogic Server 9.2, not on BEA WebLogic Portal 9.2. For information specific to the web.xml deployment descriptor regarding BEA WebLogic Portal 9.2, see Portal: Installing the Agent Filter for the Deployed Application on Agent for BEA WebLogic Server/Portal 9.2.

If you want to protect your application with J2EE declarative security or with any other filter modes, such as ALL or URL_POLICY, refer to the PolicyAgent-base/sampleapp directory to learn how to build and deploy an application. The sampleapp directory is by no means a full fledged J2EE application. Rather it is a simple application that provides you with a quick reference to application specific deployment descriptors and various deployment modes of a J2EE agent. Once you successfully deploy sampleapp and test all of its features, you can use it as a reference to other applications that will be protected by the J2EE agent.

If you run this agent in J2EE_POLICY mode, map Access Manager roles to the principal names for the deployed application. The principal names are available in the weblogic.xml file and the weblogic-ejb-jar.xml file. Either or both of these files might exist.

You can retrieve Access Manager roles by issuing the agentadmin --getUuid command. For more information on this command, see agentadmin --getUuid. You can also retrieve the universal ID for the user (UUID) using the Access Manager 7 Console to browse the user profile.

Mapping that converts Access Manager roles to principal names is performed by configuring the following property:

com.sun.identity.agents.config.privileged.attribute.mapping[]

For more information on setting this property, see the following:

• Mapping Access Manager Roles to Principal Names

• Mapping-related attributes in Privileged Attribute Processing Properties