Sun OpenSSO Enterprise Policy Agent 3.0 Guide for IBM WebSphere Application Server 6.1/7.0 and WebSphere Portal Server 6.1

Optional Post-Installation Tasks for the WebSphere Application Server/Portal Server Agent

Changing the Password for an Agent Profile

After you install the agent, you can change the agent profile password, if required for your deployment.

Procedure: To Change the Password for an Agent Profile

  1. On the OpenSSO Enterprise server:

    1. Log in to the OpenSSO Administration Console.

    2. Click Access Control, realm-name, Agents, J2EE, and then the name of the agent profile you want to update.

      The Console displays the Edit page for the agent profile.

    3. Enter and confirm the new unencrypted password.

    4. Click Save.

  2. On the server where the WebSphere Application Server/Portal Server agent is installed:

    1. In the agent profile password file, replace the old password with the new unencrypted password.

    2. Change to the PolicyAgent-base/bin directory.

    3. Encrypt the new password using the agentadmin --encrypt command following this syntax.

      agentadmin --encrypt agent-instance password-file

      For example:

      # ./agentadmin --encrypt Agent_001 wsasagentpw

      The agentadmin --encrypt command returns the new encrypted password. For example:

      ASEWEJIowNBJHTv1UGD324kmT==

    4. In the agent-instance/config/OpenSSOAgentBootstrap.properties file, set the following property to the new encrypted password from the previous step. For example:

      com.iplanet.am.service.secret=ASEWEJIowNBJHTv1UGD324kmT==

    5. Restart the WebSphere Application Server 6.1/7.0 instance that is being protected by the policy agent.
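The file edits in steps 2.1 through 2.4 can be scripted so that the unencrypted password file stays private and the bootstrap property is replaced without mangling the encoded value. The following is an added example, not part of the guide or the agent distribution: the helper names `pwfile_is_private` and `set_agent_secret` are hypothetical, and the script assumes the property appears exactly once as `key=value` at the start of a line, as shown above.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not agent tooling.
PROP='com.iplanet.am.service.secret'

# pwfile_is_private <password-file>
# Succeeds only if the file holding the unencrypted password exists and has
# no group or world read bit set.
pwfile_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# set_agent_secret <bootstrap-file> <encrypted-password>
# Replaces the single existing definition of $PROP and keeps a .bak copy.
# Assumes key=value at the start of the line, as in the guide's example.
set_agent_secret() (
    file=$1 secret=$2
    [ -f "$file" ] || { echo "no such file: $file" >&2; exit 1; }
    [ -n "$secret" ] || { echo "empty encrypted password" >&2; exit 1; }
    # Require exactly one live definition; commented-out lines do not count.
    n=$(awk -v key="$PROP" 'index($0, key "=") == 1 { n++ } END { print n + 0 }' "$file")
    [ "$n" -eq 1 ] || { echo "$PROP defined $n times in $file" >&2; exit 1; }
    umask 077                       # backup and rewritten file are owner-only
    cp "$file" "$file.bak" || exit 1
    tmp="$file.new.$$"
    # The value is passed through the environment and compared as a literal
    # string, so '/', '+' and '=' in the encoded password need no escaping.
    SECRET=$secret awk -v key="$PROP" '
        index($0, key "=") == 1 { print key "=" ENVIRON["SECRET"]; next }
        { print }' "$file" > "$tmp" || { rm -f "$tmp"; exit 1; }
    mv "$tmp" "$file"
)
```

Run it as the account that owns the agent configuration, passing the value returned by `agentadmin --encrypt` as the second argument, then restart the server as described in step 5.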

Creating the Necessary URL Policies

If the WebSphere Application Server/Portal Server agent is configured to operate in the URL_POLICY or ALL filter mode, you must create the appropriate URL policies. For instance, if WebSphere Application Server/Portal Server is available on port 8080 using the HTTP protocol, you must create, at minimum, a policy to allow access to the following resource:


http://myhost.mydomain.com:8080/agentsample

where agentsample is the context URI for the sample application.

If no policies are defined and the agent is configured to operate in the URL_POLICY or ALL filter mode, then no user is allowed access to the resources protected by the WebSphere Application Server/Portal Server agent.

For information about how to create these policies using the OpenSSO Enterprise Console or command-line utilities, see the Sun OpenSSO Enterprise 8.0 Administration Guide.

Configuring Web Services Security for the WebSphere Application Server/Portal Server Agent

The WebSphere Application Server/Portal Server agent supports Web Services Security (WSS) for web service providers. A web service provider (WSP) deployed on WebSphere Application Server 6.1/7.0 protected by the agent can have additional security provided by the agent. For example, you can configure the WebSphere Application Server/Portal Server agent and OpenSSO Enterprise server to support various Web Services Security profiles, including Username token, X509 token, and SAML2 token.

Configuring the WebSphere Application Server/Portal Server agent to use Web Services Security with OpenSSO Enterprise is similar to configuring other Java EE policy agents. For information and the general configuration steps, see Web Services Security Support for J2EE Agents in Policy Agent 3.0 in Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for J2EE Agents.

In addition to the general steps, perform the following additional steps depending on the version of WebSphere Application Server you are using:

Configuring Web Services Security on WebSphere Application Server 6.1

Procedure: To Configure Web Services Security on WebSphere Application Server 6.1

  1. Perform the general steps, as described in Web Services Security Support for J2EE Agents in Policy Agent 3.0 in Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for J2EE Agents.

  2. Stop WebSphere Application Server 6.1.

  3. Install the WebSphere Application Server 6.1 Feature Pack for Web Services onto WebSphere Application Server 6.1.

    For information, see http://www-01.ibm.com/software/webservers/appserv/was/featurepacks/.

  4. Copy the xmlsec.jar, xercesImpl.jar and xalan.jar files from the OpenSSO Enterprise server deployment to the WebSphereInstallDirectory/AppServer/lib/ext directory.

    For example: /opt/IBM/WebSphere/AppServer/lib/ext

  5. Download bcprov-jdk15-141.jar from http://bouncycastle.org and copy it to the WebSphereInstallDirectory/AppServer/java/jre/lib/ext directory.

  6. Add the Bouncy Castle provider to the WebSphereInstallDirectory/AppServer/java/jre/lib/security/java.security file. For example:

    security.provider.9=org.bouncycastle.jce.provider.BouncyCastleProvider

    Change the provider number accordingly.

  7. Start WebSphere Application Server 6.1.
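Step 6 leaves the choice of provider number to the administrator. The following added example (not from the guide; the function names are hypothetical) picks the first unused `security.provider.N` index in a `java.security` file and appends the Bouncy Castle entry only if no provider line already names it. It assumes provider numbers are expected to run consecutively from 1, so a gap in the sequence is filled rather than skipped.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
BC='org.bouncycastle.jce.provider.BouncyCastleProvider'

# next_provider_index <java.security>
# Prints the first unused N in the security.provider.N sequence, counting
# up from 1. Commented-out entries are ignored.
next_provider_index() {
    awk -F= '
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            k = $1; gsub(/[^0-9]/, "", k); used[k + 0] = 1
        }
        END { n = 1; while (n in used) n++; print n }' "$1"
}

# add_bc_provider <java.security>
# Appends the Bouncy Castle provider unless it is already registered, and
# prints the index it occupies. A .bak copy is kept before any change.
add_bc_provider() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    have=$(awk -F= -v bc="$BC" '
        /^[ \t]*security\.provider\.[0-9]+[ \t]*=/ {
            v = $2; gsub(/[ \t\r]/, "", v)
            if (v == bc) { k = $1; gsub(/[^0-9]/, "", k); print k; exit }
        }' "$f")
    if [ -n "$have" ]; then echo "$have"; return 0; fi
    n=$(next_provider_index "$f")
    cp "$f" "$f.bak" || return 1
    # Make sure the new entry starts on its own line.
    [ -z "$(tail -c 1 "$f")" ] || echo >> "$f"
    printf 'security.provider.%s=%s\n' "$n" "$BC" >> "$f"
    echo "$n"
}
```

Running `add_bc_provider` a second time is a no-op, which avoids registering the same provider under two numbers.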

Configuring Web Services Security on WebSphere Application Server 7.0

Procedure: To Configure Web Services Security on WebSphere Application Server 7.0

  1. Perform the general steps, as described in Web Services Security Support for J2EE Agents in Policy Agent 3.0 in Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for J2EE Agents.

  2. Stop WebSphere Application Server 7.0.

  3. Copy the xmlsec.jar, xercesImpl.jar, and xalan.jar files from the OpenSSO Enterprise server deployment to the WebSphereInstallDirectory/AppServer/lib/ext directory.

    For example: /opt/IBM/WebSphere/AppServer/lib/ext

  4. Start WebSphere Application Server 7.0.

Deploying the Java EE Policy Agent Sample Application

Deploying the policy agent sample application is optional. However, after you install the WebSphere Application Server/Portal Server agent, consider deploying the sample application to help you better understand the key features, functions, and configuration options of Java EE agents, including:

The sample application can be especially useful if you are writing a custom agent application.

After you install the WebSphere Application Server/Portal Server agent, the sample application is available as:

PolicyAgent-base/sampleapp/dist/agentsample.ear

For information about compiling, deploying, and running the sample application, see the readme.txt file in the /sampleapp directory.