Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for J2EE Agents

About the Agent Authenticator in Policy Agent 3.0

An agent authenticator is a special type of agent that, once authenticated, can have access to agent profiles that have been selected for the agent authenticator to read. Therefore, the agent authenticator has read-only access to these other agents profiles. In this case, agent profiles refer to a broad range of “agent” types (Web, J2EE, WSP, Discovery, and so forth). These agent profiles must exist in the same realm as the agent authenticator.

Users who have the agent authenticator's credentials (user name and password) can read the agent profile data, but do not have the create, update, or delete permissions of the agent administrator.

An advantage of creating an agent authenticator is that you can configure the agent authenticator to have access (read-only access) to a variety of other agents. Therefore, using a single user name and password to access the agent authenticator, you then have access to all the agents to which the agent authenticator has access.

The agent authenticator is also used when configuring the agent to support web services security. For more information, see Web Services Security Support for J2EE Agents in Policy Agent 3.0.

For more information about the agent authenticator, see the following guides:

The two tasks that follow describe how to create an agent authenticator, assign one or more agent profiles to the agent authenticator, and then edit the respective bootstrap files to configure the agent instances that correspond to those agent profiles.

Procedure: To Create an Agent Authenticator To Access Other Agent Profiles

This task details how to use OpenSSO Enterprise Console to create an agent authenticator.

Before You Begin

The instructions that follow start with the assumption that OpenSSO Enterprise server and at least one agent instance have been properly installed and configured.

  1. Log in to OpenSSO Enterprise Console as a user with AgentAdmin privileges, such as amadmin.

  2. Click the Access Control tab.

  3. Click the name of the appropriate realm, such as the following: /(Top Level Realm).

  4. Click the Agents tab.

  5. Click the Agent Authenticator tab.

  6. Click the New button.

  7. Enter an agent authenticator name and password.

  8. Click the Create button.

  9. On the Agent Authenticator page, click the link for the newly created agent authenticator.

    The agent authenticator page is displayed. In the section labeled "Agent Profiles allowed to Read," two lists exist: Available and Selected. The Available list has all the available agents in the system, and the Selected list has all the agents whose configurations can be read by this agent authenticator.

  10. From the available list, select one or more agent profile names.

    The agent authenticator can access any of the various agent types. Select all the agent profiles to which you would like the agent authenticator to have access.

  11. Click Add to move the selected item from the Available list to the Selected list.

  12. Click Save.

Procedure: To Enable the Agent Authenticator to Access Other Agent Instances

This task describes how to edit the bootstrap file of each agent instance that corresponds to an agent profile you added to the Selected list of the agent authenticator. Therefore, if you added four agent profiles (for example, a combination of J2EE agent and Web agent instances) to the agent authenticator, you must perform this task four times if you want each of those agent instances to be readable by the agent authenticator. In such a scenario, all four agent instances would then use the same user name and password to authenticate to OpenSSO Enterprise server.

Agents in Policy Agent 3.0 have the following two properties in the OpenSSOAgentBootstrap.properties file that enable the agent to communicate with OpenSSO Enterprise server:

The first property, the user name property, enables the agent to authenticate with the OpenSSO Enterprise server. The second property, the profile name property, enables the agent to retrieve its configuration data from the OpenSSO Enterprise server. By default, the value assigned to these two properties is the same. However, for the agent authenticator, these properties should have different values. Therefore, the user name property must be changed as indicated in this task.

  1. Stop the agent container.

  2. Edit the OpenSSOAgentBootstrap.properties file as described in the substeps that follow.

    The bootstrap file is located at the following location:

    PolicyAgent-base/AgentInstance-Dir/config

    For information about this location, see Table P–6.

    1. Using your text editor of choice, open the OpenSSOAgentBootstrap.properties file.

    2. Change the value for the property named com.sun.identity.agents.app.username to the agent authenticator name.

      Therefore, the setting would be as such:

      com.sun.identity.agents.app.username = AgentAuthenticatorName

      where AgentAuthenticatorName represents the name provided for the agent authenticator.

    3. Change the value for the property named com.iplanet.am.service.secret to the agent authenticator password.

      Therefore, the setting would be as such:

      com.iplanet.am.service.secret = EncryptedAgentAuthenticatorPassword

      where EncryptedAgentAuthenticatorPassword represents the encrypted version of the password provided for the agent authenticator (see the note that follows).


      Note – To encrypt the password, use the agentadmin --encrypt command as described in agentadmin --encrypt.

    4. Save and close the bootstrap file.

  3. Restart the agent container.
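The following shell script is an added example, not part of the Sun documentation or the agent distribution. It automates substeps 2 through 4 of the task above for one agent instance: it rewrites com.sun.identity.agents.app.username and com.iplanet.am.service.secret in a bootstrap file and leaves every other line untouched. It assumes you pass the full path of the OpenSSOAgentBootstrap.properties file, the agent authenticator name, and a value already produced by agentadmin --encrypt; stopping and restarting the agent container (steps 1 and 3) is still done separately.

```shell
#!/bin/sh
# Added example (not from the OpenSSO documentation): point one agent
# instance at the agent authenticator credentials by editing its
# OpenSSOAgentBootstrap.properties file in place.

# set_property FILE KEY VALUE
# Replace the value of KEY in a Java .properties file, or append the
# key if it is absent. All other lines are copied through unchanged.
# Assumption: VALUE contains no '&', '|' or '\' (true for the base64
# style output of agentadmin --encrypt), so it is safe in the sed RHS.
set_property() {
    file="$1"; key="$2"; value="$3"
    tmp="$file.tmp.$$"
    if grep -q "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_property FILE KEY
# Print the value of KEY (last occurrence wins, as in Java properties).
get_property() {
    sed -n "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | tail -n 1
}

# configure_authenticator FILE AUTH_NAME ENCRYPTED_PASSWORD
# Substeps 2 and 3 of the task: the user name property becomes the agent
# authenticator name, the secret becomes its encrypted password. The
# profile name property is not touched, so the instance keeps reading
# its own configuration while authenticating as the authenticator.
configure_authenticator() {
    set_property "$1" com.sun.identity.agents.app.username "$2"
    set_property "$1" com.iplanet.am.service.secret "$3"
}
```

Run it once per agent instance listed in the authenticator's Selected list, with the container stopped, then restart the container.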