This chapter introduces Policy Agent 3.0. The 8.0 release of OpenSSO Enterprise server and the 3.0 release of Policy Agent software were developed simultaneously and, therefore, are closely integrated. In fact, the Policy Agent 3.0 software set is more closely connected to the server (OpenSSO Enterprise) than ever before, making for a simplified administrative experience.
The sections that follow in this chapter highlight what is new in Policy Agent for the 3.0 release while also discussing the topic of compatibility as related to Policy Agent 3.0.
Policy Agent 3.0 has the following new features and improvements:
Centralized agent configuration
The centralized agent configuration feature moves most of the agent configuration properties from a local agent properties file (formerly referred to as AMAgent.properties file) to the OpenSSO Enterprise central data repository. An agent administrator can then manage the multiple agent configurations from a central server location, using either the OpenSSO Enterprise Administration Console or the ssoadm command-line utility.
The centralized agent configuration feature separates the Policy Agent 3.0 configuration data into two sets:
The properties required for the agent to start up and initialize itself are stored in the OpenSSOAgentBootstrap.properties file locally on the system where the agent is installed. For example, the agent profile name and password used to authenticate to the OpenSSO Enterprise server are stored in the bootstrap file.
The rest of the agent properties are stored either centrally in the OpenSSO Enterprise data repository (centralized configuration option) or locally in the OpenSSOAgentConfiguration.properties file (local configuration option).
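Because the bootstrap file holds the agent profile name and password, and the local configuration file holds the agent's settings in the local configuration option, both deserve a file-permission check on every agent host. The following Python script is an added example, not part of the product documentation or of OpenSSO itself. The permission policy it enforces (owner-only access to the bootstrap file, no group or other write access to the local configuration file) and the sample directory built in demo() are assumptions of this example.

```python
import os
import stat
import tempfile

# File names come from this chapter; the permission policy is this example's assumption.
BOOTSTRAP = "OpenSSOAgentBootstrap.properties"
LOCAL_CONFIG = "OpenSSOAgentConfiguration.properties"

# Permission bits that must be clear on each file.
FORBIDDEN = {
    # Holds the agent profile name and password: owner-only access.
    BOOTSTRAP: stat.S_IRWXG | stat.S_IRWXO,
    # Holds the agent's settings in local mode: nobody else may write.
    LOCAL_CONFIG: stat.S_IWGRP | stat.S_IWOTH,
}


def audit_agent_files(root):
    """Return sorted (path, mode, problem) tuples for agent files under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in FORBIDDEN:
                continue
            path = os.path.join(dirpath, name)
            # lstat judges the entry itself and does not follow symlinks.
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            excess = mode & FORBIDDEN[name]
            if excess:
                findings.append((path, oct(mode), "excess bits " + oct(excess)))
    return sorted(findings)


def demo():
    """Build a constructed agent directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "sample_agent", "config")  # constructed layout
        os.makedirs(cfg)
        for name, mode in ((BOOTSTRAP, 0o644), (LOCAL_CONFIG, 0o640)):
            path = os.path.join(cfg, name)
            with open(path, "w") as fh:
                fh.write("# constructed sample, no real properties\n")
            os.chmod(path, mode)
        return [(os.path.basename(p), m, why) for p, m, why in audit_agent_files(root)]


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Point audit_agent_files() at the directory that contains your agent instances; an empty result means both files meet the assumed policy.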
Agent groups
You can assign agents of the same type (J2EEAgent or WebAgent) from the Policy Agent 3.0 software set to an agent group. All agents in a group then selectively share a common set of configuration properties. Thus, the agent configuration and management are simplified because an administrator can manage all of the agents within a group as a single entity.
Although all agents in the same group can share the same properties, defining a few specific properties (for example, the notification URL or agent URI properties) for individual agents is probably necessary. For more information about agent groups, see Creating an Agent Group and Enabling Agents to Inherit Properties From That Group.
More hot-swappable agent configuration properties
Agents in the Policy Agent 3.0 software set have more hot-swappable configuration properties. An administrator can change a hot-swappable configuration property value for an agent without having to restart the agent's deployment container for the new value to take effect. Properties in the OpenSSOAgentBootstrap.properties file are not hot-swappable.
One-level wildcard support for policy-related configurations (such as when creating a policy or adding entries to the not-enforced list)
While the regular wildcard support applies to multiple levels in a resource, the one-level wildcard applies to only the level where it appears in a resource. For more information, see Appendix C, Wildcard Matching in Policy Agent 3.0 J2EE Agents.
Default agent installation option with minimal questions asked during the installation
Default or custom installation:
Default (agentadmin --install): The agentadmin program displays a minimal number of prompts and uses default values for the other options. Use the default install option when the default option meets your deployment requirements. For more information on the agentadmin --install command, see agentadmin --install.
Custom (agentadmin --custom-install): The agentadmin program displays a full set of prompts, similar to those presented by the Policy Agent 2.2 installer. Use the custom install option when you want to specify values other than the default options. For more information on the agentadmin --custom-install command, see agentadmin --custom-install.
Option to create the agent profile in the server during installation
The Policy Agent 3.0 installer supports an option to create the agent profile in the OpenSSO Enterprise server during the agent installation so you don't have to create the profile manually using the OpenSSO Enterprise Console or the ssoadm utility. This option is available when you use the agentadmin --custom-install command.
Option to lock the agent configuration properties
Changing configuration properties can have unexpected results. Furthermore, hot-swappable properties take effect immediately, so a configuration mistake is applied at once. In the Policy Agent 3.0 release, you can lock the configuration to help prevent such accidental changes. For more information about this option, see Locking J2EE Agent Properties.
Automated migration support
You can migrate Policy Agent 2.2 to the 3.0 version using the agentadmin program with the --migrate option. For more information about this option, see agentadmin --migrate.
Note: OpenSSO Enterprise does not support version 2.1 policy agents.
This section consists of information about the compatibility and coexistence of the J2EE agents in the Policy Agent 3.0 software set with previous releases of both Access Manager and Policy Agent.
J2EE Agents in the Policy Agent 3.0 release are compatible with versions of Access Manager as described in this section.
Access Manager 7.1 and Access Manager 7 2005Q4 are compatible with Policy Agent 3.0. However, because Access Manager does not support centralized agent configuration, an agent in the 3.0 release deployed with Access Manager must store the core of its configuration data locally in the OpenSSOAgentConfiguration.properties file.
local: Configuration data is stored locally in the OpenSSOAgentConfiguration.properties file on the server where the agent is deployed.
centralized: Configuration data is stored in the OpenSSO Enterprise centralized data repository.
For both configurations, the OpenSSOAgentBootstrap.properties file on the server where the agent is deployed contains the information required for the agent to start and initialize itself.
OpenSSO Enterprise supports both Policy Agent 3.0 and Policy Agent 2.2 in the same deployment.
Be aware that while Policy Agent 3.0 and Policy Agent 2.2 can exist in the same deployment, they cannot exist on the same container.
However, agents in the 2.2 release only have the option to store their configuration data locally in the AMAgent.properties file. Therefore, the OpenSSO Enterprise centralized agent configuration option is not supported. To configure an agent in the Policy Agent 2.2 release, you must edit the AMAgent.properties file.
For more information about Policy Agent 2.2, see the documentation collection: http://docs.sun.com/coll/1322.1