OpenSSO Enterprise offers a centralized configuration interface for remote policy agent profiles and web services security related information. The profiles are stored in the embedded configuration data store and managed by an administrator using the OpenSSO Enterprise console. This chapter contains the following sections:
OpenSSO Enterprise leverages its embedded configuration data store for centralizing the storage of remote policy agent profiles and web services security related information. By moving this configuration data to OpenSSO Enterprise, an administrator can use the console or the command line interface tools to manage the properties and values. Any configuration changes to the hot-swappable properties are conveyed immediately. The following sections have more infomration on the agent profiles that can be configured.
Attribute descriptions for the agent profiles are in Chapter 5, Centralized Agent Configuration Attributes, in Sun OpenSSO Enterprise 8.0 Administration Reference.
Values for the configuration properties of a web policy agent can be defined using OpenSSO Enterprise if, during the web policy agent profile creation, centralized configuration was chosen. If local configuration was selected, the properties related to this policy agent profile must be modified directly in the OpenSSOAgentConfiguration.properties file in the agent installation directory on the agent's host machine. For detailed information on web policy agents, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents
Values for the configuration properties of a J2EE policy agent can be defined using OpenSSO Enterprise if, during the J2EE policy agent profile creation, centralized configuration was chosen. If local configuration was selected, the properties related to this agent must be modified directly in the OpenSSOAgentConfiguration.properites file in the agent installation directory on the agent's host machine. For detailed information on J2EE policy agents, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for J2EE Agents.
The Web Service Provider (WSP) security agent profile stores the configuration data related to validating a request from a web service client and securing the response returned by the WSP. The data includes the WSP's supported security mechanisms, keystore locations, SAML configurations and endpoints. The WSP agent profile also has a mechanism to authenticate against OpenSSO Enterprise to generate a session for the WSP. For more information, see Part IV, The Web Services Stack, Identity Services, and Web Services Security, in Sun OpenSSO Enterprise 8.0 Technical Overview.
Out of the box, wsp is the default WSP security agent profile. Additional profiles can be defined with the profile name dependant on the endpoint of the service defined in the web service provider's WSDL file. (The security agent searches based on the endpoint.) This allows multiple web service providers to use the same configuration data store. The name of the web service provider must be unique across all agents.
The Group functionality is not supported with the Web Service Provider Security Agent Profile.
The Web Service Client (WSC) security agent profile stores the configuration data related to securing a request from a WSC and validating the request when received by the WSP. The data includes the WSP's supported security mechanisms, keystore locations, SAML configurations, signing and encryption instructions, and endpoints. It also defines whether an end user token should be generated. For more information, see Part IV, The Web Services Stack, Identity Services, and Web Services Security, in Sun OpenSSO Enterprise 8.0 Technical Overview.
Out of the box, wsc is the default WSC security agent profile. Additional profiles can be defined with the profile name dependant on the service name defined in the web service client's WSDL file. (The security agent searches based on the service name.) This allows multiple web service clients to use the same configuration data store. The name of the web service client must be unique across all agents.
The Group functionality is not supported with the Web Service Client Security Agent Profile.
The Security Token Service (STS) Client agent profile stores the configuration data related to securing an outbound request to the OpenSSO Enterprise Security Token Service or Discovery Service to obtain a security token. The data includes the supported security mechanisms, keystore locations, signing and encryption instructions, and endpoints.
The Discovery Agent allows you to store data used to communicate with the Discovery Service to obtain a security token based on the Liberty Alliance Project specifications. The token secures communications between the client and the Discovery Service end point. This option is defined as the value of the Discovery Configuration attribute in the WSC security agent profile.
The STS Agent allows you to store data used to communicate with the Security Token Service to obtain a security token based on the WS-Trust specifications. The token secures communications between the client and the Security Token Service end point. This option is defined as the value of the STS Configuration attribute in the WSC security agent profile. Out of the box, SecurityTokenService is the default token agent profile for the Security Token Service. Additional profiles can be defined with the profile name dependant on the service name defined in the security token service's WSDL file. (The security agent searches based on the service name.) This allows multiple security token services to use the same configuration data store. The name of the security token service must be unique across all agents.
For more information, see Part IV, The Web Services Stack, Identity Services, and Web Services Security, in Sun OpenSSO Enterprise 8.0 Technical Overview.
The Group functionality is not supported with the STS Client Agent Profile.
OpenSSO Enterprise is backward compatible with OpenSSO Enterprise web and J2EE Policy Agents 2.2. Policy Agents 2.2 must be configured local to the deployment container on which it is installed thus, from the OpenSSO Enterprise console, there are a limited number of options that can be configured. For more information, see Sun Java System Access Manager Policy Agent 2.2 User’s Guide.
An agent authenticator is a type of agent that, once it is authenticated, can obtain the read-only data of agent profiles of any type (policy, security or token) for purposes of authenticating the agent. The agent profiles must be defined in the Agent Authenticator profile and exist in the same realm. Users that have the Agent Authenticator's username and password can read agent profile data, but do not have the create, update, or delete permissions of the Agent Administrator.
This section contains the following procedures.
You can create a new agent profile using the OpenSSO Enterprise console. Some of the individual steps documented do not apply to all agent profile types.
This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator; by default, amadmin.
Under the Access Control tab, click the name of the realm in which you are creating the agent profile.
Click the Agents tab.
Select the tab for the appropriate agent type.
In the Agent section, click New.
The STS Client agent profile displays a pop-up from which you choose the token agent type: Discovery or STS. For more information, see STS Client in Sun OpenSSO Enterprise 8.0 Administration Reference.
In the Name field, enter the name for the new agent profile.
Enter and confirm the Password.
For web policy agents only, this password must be the same password that you enter in the agent profile password file that you specify when you run the agentadmin program to install the agent.
Steps 7–9 Apply to Web and J2EE policy agents only.
For Web and J2EE policy agents only, configure using the following sub procedure.
For other agent profile types, configure the attributes as documented in Chapter 5, Centralized Agent Configuration Attributes, in Sun OpenSSO Enterprise 8.0 Administration Reference.
Select Local or Centralized configuration.
When local configuration is selected, the properties related to this agent cannot be edited using the console. In such a scenario, the agent retrieves configuration data from the local (to the installed agent) OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties files in the agent installation directory. Property values for the locally configured agents are modified directly in the OpenSSOAgentConfiguration.properties file.
In the Server URL field, enter the OpenSSO Enterprise server URL.
For example:
http://OpenSSO-Host.example.com:8080/OpenSSO
In the Agent URL field, enter the URL for the agent application, agentapp.
For a web policy agent: http://Agent-Host.example.com:8090
For a J2EE policy agent: http://Agent-Host.example.com:8090/agentapp
Click Create.
The agent profile is created. To do additional configurations for the agent profile, click the profile name to display the Edit agent page. Agent attribute descriptions are listed and defined in Chapter 5, Centralized Agent Configuration Attributes, in Sun OpenSSO Enterprise 8.0 Administration Reference.
Agents can inherit properties from their group. For example, web policy agents can inherit properties from a web policy agent group.
The Group functionality is not supported with the web services and STS Client Agent Profiles.
This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator; by default, amadmin.
Under the Access Control tab, click the name of the realm to which the group will belong.
Click the Agents tab.
Select the tab for the appropriate agent type.
In the Group section, click New.
Enter a name for the new group.
Enter the OpenSSO Enterprise Server URL (for Web and J2EE policy agents only).
For example, http://OpenSSO-Host.example.com:8080/OpenSSO Enterprise. For other agent profile types, configure the attributes as documented in Chapter 5, Centralized Agent Configuration Attributes, in Sun OpenSSO Enterprise 8.0 Administration Reference.
Click Create.
The agent group is created. To do additional configurations for the agent group, click the group name to display the Edit Group page. Attribute descriptions are listed and defined in Chapter 5, Centralized Agent Configuration Attributes, in Sun OpenSSO Enterprise 8.0 Administration Reference. (The properties you can set for a group are almost the same as those for an individual agent; the Group, Password, and Password Confirm properties are not available at the group level.)
Some group properties have variable values assigned that, in most cases, should not be changed. @AGENT_PROTO@://@AGENT_HOST@:@AGENT_PORT@/amagent is an example of such a value.
The Group functionality is not supported with the web services and STS Client Agent Profiles.
This procedure assumes you are logged into the OpenSSO Enterprise console as the administrator (by default, amadmin) and the group has been created. See To Create a New Group.
Under the Access Control tab, click the name of the realm to which the agent belongs.
Click the Agents tab.
Select the tab for the appropriate agent type.
Click the name of the agent profile you want to modify.
elect the name of the group from which you want the agent to inherit properties as a value for the Group attribute under the Global tab.
Click Save.
At the top of the page, the Inheritance Settings button becomes active.
Click Inheritance Settings.
A list of inheritance settings for the Global tab appears in alphabetical order.
Select the properties that you want the agent to inherit from the group.
At the top of the page, the Inheritance Settings button becomes active.
Click Save.
This task just describes how to change the inheritance settings for properties listed in the Global tab. For the inheritance settings of properties listed in the other tabs (such as Application and SSO), click the desired tab and edit the inheritance settings in the same manner described in the preceding steps.