Sun Java System Access Manager Policy Agent 2.2 Guide for IBM WebSphere Application Server 6.1

Creating the Agent Profile User and Role, WebSphere Primary Administrative User, and WebSphere Administrative Role

Important: Perform the following tasks before you perform any other post-installation tasks for the WebSphere Application Server 6.1 agent:

Creating a New J2EE Agent Profile User


Note –

The process to create an agent profile user for the WebSphere Application Server 6.1 agent is different from the process for other J2EE agents. If you have already created an agent profile user in the pre-installation tasks as described in Creating a J2EE Agent Profile, you must remove that user from the Access Manager Console and then recreate the agent profile user using the same user name and password.

Use the new agent profile user to stop WebSphere Application Server 6.1 after WebSphere global security is turned on.


Procedure: To Create a New J2EE Agent Profile User

  1. Log in to the Access Manager Console.

  2. With the Access Control tab selected, click the name of the realm for which you would like to create the agent profile.

  3. Select the Subjects tab.

  4. Make sure you are in the User tab.

  5. Click New and enter values for the following fields:

    • ID. Enter the name or identity of the agent. This name should be the same name you used in the pre-installation task. For example: agentprofileuser.

    • Password. Enter and then confirm the agent password.

      This password should be the same password you used in the pre-installation task.

    • User Status. Set the device status of the agent to Active.

    • Any other required fields.

  6. Click Create.

Creating a New J2EE Agent Profile Role and Assigning the Role to the Agent Profile User

This new internal role is specifically for the agent profile user for the WebSphere Application Server 6.1 agent. This role will allow the agent profile user to read user attributes in the user repository.

Procedure: To Create a New J2EE Agent Profile Role and Assign the Role to the Agent Profile User

  1. Log in to the Access Manager Console.

  2. With the Access Control tab selected, click the name of the realm for which you would like to create the agent profile role.

  3. Select the Subjects tab and then click the Role tab.

  4. Click New and then enter a value for the agent profile role. For example: agentprofilerole

  5. Click Create.

  6. Under the Role tab, click the agent profile role.

  7. On the new page, click the User tab.

  8. Select the agent profile user (such as agentprofileuser) under the Available field.

  9. Click Add and then Save.

Assigning Read Access to the Agent Profile Role

Procedure: To Assign Read Access to the Agent Profile Role

  1. Log in to the Access Manager Console.

  2. With the Access Control tab selected, click the name of the realm where your agent profile role was created.

  3. Click the Privileges tab.

  4. Find and click the agent profile role. For example: agentprofilerole

  5. On the new page, check the “Read only access to data stores” checkbox.

  6. Click Save.

Creating the Primary Administrative User in Access Manager

This user will be able to log in to the WebSphere Administration Console when global security is enabled.

Procedure: To Create the Primary Administrative User in Access Manager

  1. Log in to the Access Manager Console.

  2. With the Access Control tab selected, click the name of the realm for which you would like to create an agent profile.

  3. Select the Subjects tab.

  4. Make sure you are in the User tab.

  5. Click New and enter values for the following fields:

    • ID. Enter the name or identity of the user. For example: wasadmin

    • Password. Enter and confirm the user password.

    • User Status. Set the status of the user to Active.

    • Any other required fields.

  6. Click Create.

Creating the WebSphere Administrative Role in Access Manager

Any user with this role, in addition to the primary administrative user, will be able to log in to the WebSphere Administration Console.

Procedure: To Create the WebSphere Administrative Role in Access Manager

  1. Log in to the Access Manager Console.

  2. With the Access Control tab selected, click the name of the realm for which you would like to create an agent profile role.

  3. Select the Subjects tab and then click the Role tab.

  4. Click New and enter the value for the WebSphere administrative role. For example: wasadminrole

    Important: Use all lowercase characters for the role name; otherwise, WebSphere might not recognize the name.

  5. Click Create.

  6. On the returned page, click the WebSphere administrative role under the Role tab. For example: wasadminrole

  7. Click the User tab.

  8. Select the agent profile user (for example: agentprofileuser) and any other users who will be able to log in to the WebSphere Administration Console.

  9. Click Add and then Save.

Editing the AMConfig.properties File to Get a Non-Expiring SSO Token for the New Agent Profile User's SSO Session

To get a non-expiring SSO token for the agent's self authentication to the Access Manager server, you must set the com.sun.identity.authentication.special.users property in the AMConfig.properties file.

Procedure: To Get a Non-Expiring SSO Token

  1. In the AMConfig.properties file for the Access Manager server, edit the following property to include the distinguished name (DN) of the agent profile user. Use the legacy SDK DN and not the universal UID of the user. For example:

    com.sun.identity.authentication.special.users=cn=dsameuser,ou=DSAME Users,dc=sun,dc=com|\
    cn=amService-UrlAccessAgent,ou=DSAME Users,dc=sun,dc=com|\
    uid=dmgr,ou=people,dc=sun,dc=com|\
    uid=agentprofileuser,ou=people,dc=sun,dc=com

    The value is one '|'-separated list of DNs on a single logical line; the trailing backslashes are Java properties line continuations, and no spaces may appear inside a DN.

    To find the DN of the user, use ldapsearch with the base ou=people,ROOT_SUFFIX and the filter (|(uid=agentprofileuser)(cn=agentprofileuser)).

  2. After you edit the AMConfig.properties file, restart the Access Manager server.
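The following script is an added example, not part of this guide or of the Access Manager product. It looks up the agent profile user's legacy SDK DN with the ldapsearch base and filter given in step 1, then adds that DN to com.sun.identity.authentication.special.users in place without duplicating an entry that is already listed. The directory host, port, bind DN, bind password and ROOT_SUFFIX are assumed to be supplied by the caller; the property is assumed to occupy a single line in the file.

```shell
#!/bin/sh
# Added example (not from the Sun guide): find the agent profile user's DN and
# add it to com.sun.identity.authentication.special.users in AMConfig.properties.
# Assumes the property value is a single '|'-separated line in the file.

prop='com.sun.identity.authentication.special.users'

# Print the first DN matching (|(uid=NAME)(cn=NAME)) under ou=people,ROOT_SUFFIX.
# This needs a reachable directory server; the functions below only touch the file.
find_agent_dn() {
  # $1 host, $2 port, $3 bind DN, $4 bind password, $5 ROOT_SUFFIX, $6 user name
  ldapsearch -h "$1" -p "$2" -D "$3" -w "$4" -b "ou=people,$5" -s sub \
    "(|(uid=$6)(cn=$6))" dn | sed -n 's/^dn: //p' | head -n 1
}

# Print the current value of the property (empty if the property is absent).
special_users() {
  sed -n "s/^$prop=//p" "$1"
}

# Succeed only if the DN is already one of the '|'-separated special users.
special_user_present() {
  # $1 AMConfig.properties path, $2 DN
  case "|$(special_users "$1")|" in
    *"|$2|"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Append "|DN" to the property (in place) unless the DN is already listed.
add_special_user() {
  # $1 AMConfig.properties path, $2 DN
  if special_user_present "$1" "$2"; then
    return 0                                  # already listed: nothing to do
  fi
  if ! grep -q "^$prop=" "$1"; then
    printf '%s=%s\n' "$prop" "$2" >> "$1"     # property missing: create it
    return 0
  fi
  esc=$(printf '%s' "$2" | sed 's/[&#\\]/\\&/g')   # escape sed specials in the DN
  # First expression appends to a non-empty value; second sets an empty value.
  sed -e "s#^\($prop=.\{1,\}\)\$#\1|$esc#" \
      -e "s#^\($prop=\)\$#\1$esc#" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
```

Run add_special_user once per Access Manager server's AMConfig.properties, then restart that server as in step 2.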

Next Steps

In a multiple server deployment, you must set the com.sun.identity.authentication.special.users property in the AMConfig.properties file for each Access Manager server in the deployment.