Chapter 13 Installing and Configuring J2EE Policy Agents

This chapter contains detailed information about the following groups of tasks:

• 13.1 Creating J2EE Policy Agent Profiles on the Federation Manager Servers

• 13.2 Installing Application Server 3 and J2EE Policy Agent 3

• 13.3 Completing the J2EE Policy Agent 3 Installation

• 13.4 Installing Application Server 4 and J2EE Policy Agent 4

• 13.5 Completing the J2EE Policy Agent 4 Installation

• 13.6 Configuring the J2EE Policy Agents Load Balancer

• 13.8 Configuring the J2EE Policy Agents to Work with the J2EE Policy Agents Load Balancer

• 13.9 Configuring the J2EE Policy Agents Load Balancer to Participate in SAMLv2 Protocols

13.1 Creating J2EE Policy Agent Profiles on the Federation Manager Servers

When you install the J2EE Policy Agent, the agent profile is used to retrieve the J2EE Policy Agent user password. At this point, the J2EE Policy Agent authentication still occurs through flat files. This new account will be used by J2EE Policy Agent to authenticate to the Federation Manager servers.

Use the following as your checklist for creating J2EE Policy Agent profiles on the Federation Manager Servers:

1. Create an Agent Profile on Federation Manager 1.

2. Create an Agent Profile on Federation Manager 2.

To Create a J2EE Policy Agent Profile on Protected Resource 3

1. As a root user, log into the Protected Resource 3 host.

2. Create an agent profile.

   Create a text file named agent_profile_password, and add to it a name for the new agent profile. Example:

   # cd /export # vi agent_profile_password asagent

   Save the file.

3. Generate an encrypted password for the new agent profile.

   # cd /var/opt/SUNWam/fm/federation/users # /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging --hash asagent EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8=

4. Create a text file named asagent.properties, and add the agent profile password to the file.

   The J2EE Policy Agent installer requires this file for installation.

   # vi asagent.properties password=EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8=

   Save the file.

To Create an J2EE Policy Agent Profile on Protected Resource 4

1. As a root user, log into the Protected Resource 4 host.

2. Create an agent profile.

   Create a text file named agent_profile_password, and add to it a name for the new agent profile. Example:

   # cd /export # vi agent_profile_password asagent

   Save the file.

3. Generate an encrypted password for the new agent profile.

   # cd /var/opt/SUNWam/fm/federation/users # /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging --hash asagent EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8=

4. Create a text file named asagent.properties, and add the agent profile password to the file.

   The J2EE Policy Agent installer requires this file for installation.

   # vi asagent.properties password=EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8=

   Save the file.

13.2 Installing Application Server 3 and J2EE Policy Agent 3

You must have the Sun Java System Application Server installer and the Sun J2EE Policy Agent installer mounted on Protected Resource 1. See Chapter 2, Before You Beginat the beginning of this manual.

To Install Application Server 3 on Protected Resource 3

1. As a root user, log into the Application Server 3 host.

2. Start the Java Enterprise System installer with the -nodisplay option.

   # cd /mnt/Solaris_sparc # ./installer -nodisplay

3. When prompted, provide the following information:

   Welcome to the Sun Java(TM) Enterprise System; serious software made simple... <Press ENTER to Continue>	Press Enter.
   <Press ENTER to display the Software License Agreement>	Press Enter.
   Have you read, and do you accept, all of the termsof the preceding Software License Agreement [No]	Enter y.
   Please enter a comma separated list of languages you would like supported with this installation [8]	Enter 8 for “English only.”
   Do you want to install the full set of Sun Java (TM) Enterprise System Products and Services? [Yes]	Enter No.
   Enter a comma separated list of products to install,or press R to refresh the list []	Enter 14 to install Sun Java (TM) Application Server Enterprise Edition 8.1 2005Q4.
   Component Selection — Selected Product Sun Java (TM) Application Server Enterprise Edition 8.1 2005Q4. Enter a comma separated list of productsto install,or press R to refresh the list []	Enter 1,3,5,6 to install Domain Administration Server, Command Line Administration Tool, PointBase Database, and the Sample Applications.
   Press "Enter" to Continue or Enter a comma separated list of products to deselect... [1]	Press Enter.
   Enter 1 to upgrade these shared components and 2 to cancel [1]	You are prompted to upgrade shared components only if the installer detects that an upgrade is required.  Enter 1 to upgrade shared components.
   Enter the name of the target installation directory for each product: Web Server [/opt/SUNWappserver] :	Accept the default value.
   Data and Server Configuration [/var/opt/SUNWappserver]	Accept the default value.
   System ready for installation Enter 1 to continue [1]	Enter 1.
   1. Configure Now - Selectively override defaults or express through 2. Configure Later - Manually configure following installation Select Type of Configuration [1]	Enter 1.
   Common Server Settings Enter Host Name [ProtectedResource-3]	Accept the default value.
   Enter DNS Domain Name [siroe.com]	Accept the default value.
   Enter IP Address [192.18.72.151]	Accept the default value.
   Enter Server admin User ID [admin]	Accept the default value.
   Enter Admin User's Password (Password cannot be less than 8 characters) []	For this example, enter 11111111.
   Confirm Admin User's Password []	Enter the same password to confirm it.
   Enter System User [root]	Accept the default value.
   Enter System Group [root]	Accept the default value.
   Admin User Name: [admin]	Accept the default value.
   Password (min. 8 characters) []	For this example, enter 11111111.
   Re-enter Password []	For this example, enter 11111111.
   Admin Port [4849]	Accept the default value.
   JMX Port [8686]	Accept the default value.
   HTTP Port [8080]	Accept the default value.
   HTTPS Port [8181]	Accept the default value.
   Master Password (min. 8 characters) [ ]	For this example, enter 11111111.
   Re-enter Master Password (min. 8 characters) [ ]	For this example, enter 11111111.
   Ready to Install 1. Install 2. Start Over 3. Exit Installation What would you like to do [1]	When ready to install, enter 1.

4. After you have exited the installer, start Application Server 3:

   # cd /opt/SUNWappserver/appserver/bin # ./asadmin start-domain --user admin --password 11111111 Starting Domain domain1, please wait. Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log. Domain domain1 started.

5. To verify that the Application Server 3 is successfully installed, go to the Application Server URL:

   http://ProtectedResource-3:8080/index.html

   The default Application Server page is displayed and contains the following message: “Your server is up and running!”

To Run the J2EE Policy Agent Installer on Application Server 3

Before You Begin

You must obtain and unpack the J2EE Policy Agent software from the following Sun Microsystems web page: http://www.sun.com/download/products.xml?id=43543381.

1. In the directory where you downloaded the J2EE Policy Agent TAR file, unpack the J2EE Policy Agent bits using the GNU untar utility. Example:

   # cd /export # gunzip SJS_Appserver_81_agent_2.2.tar.zip # gtar -xvf /usr/sfw/bin/SJS_Appserver_81_agent_2.2.tar

   ---

   Note –

   For .tar.gz archives, do not use a program other than GNU_tar to untar the contents of the J2EE agent deliverables. Using a different program, such as another tar program, can result in some files not being extracted properly. To learn more about the GNU_tar program, visit the following web site: http://www.gnu.org/software/tar/tar.html

   ---

2. Start the J2EE Policy Agent installer.

   # cd /export/j2ee_agents/am_as81_agent/bin
   # ./agentadmin --install

3. When prompted, provide the following information:

   Enter the Application Server Config Directory Path [/var/opt/SUNWappserver/ domains/domain1/config]	Accept the default value.
   Enter the Application Server Instance name: [server]	Accept the default value.
   Access Manager Services Host:	Enter LoadBalancer-9.siroe.com.
   Access Manager Services port: [80]	Enter 3443.
   Access Manager Services Protocol: [http]	Enter https.
   Access Manager Services Deployment URI: [/amserver]	Enter /federation.
   Enter the Agent Host name:	ProtectedResource-3.siroe.com
   Is the Domain administration server host remote? [false]	Accept the default value.
   Enter the port number for Application Server instance [80]:	Enter 8080.
   Enter the Preferred Protocol for Application instance [http]:	Accept the default value.
   Enter the Deployment URI for the Agent Application [/agentapp]	Accept the default value.
   Enter the Encryption Key [d1ui072LoDGSD5ZEz0Z4e3bvaJN2f3wz]:	Accept the default value.
   Enter the Agent Profile name:	Enter asagent.
   Enter the path to the password file:	Enter /export/agent_profile_password.
   Is the agent being installed on the DAS host for a remote instant [false]	Accept the default value.
   Are the Agent and Access Manager installed on the same instance of Application Server? [false]:	Accept the default value.
   Verify your settings and decide from the choices below: 1. Continue with Installation 2. Back to the last interaction 3. Start Over 4. Exit Please make your selection [1]:	Accept the default value.

4. After the installer has finished installing the agent, verify that installation was successful. You check can for installation errors in the following log file:

   /export/j2ee_agents/am_as81_agent/logs/audit/install.log

13.3 Completing the J2EE Policy Agent 3 Installation

The J2EE Policy Agent is not yet ready to begin working. A number of these tasks must be completed before the agent can do its job. Use the following as your checklist for completing the J2EE Policy Agents installation and configuration:

1. Deploy the J2EE Policy Agent housekeeping application.

2. Enable the J2EE Policy Agent 3 to run in SSO-Only mode.

3. Initialize the Application Server 3 certificate database.

4. Deploy the sample agent application on Application Server 3.

5. Verify the use of the sample agent application on Application Server 3.

To Deploy the J2EE Policy Agent Housekeeping Application

The J2EE Policy Agent uses the agent housekeeping application for notifications and other internal functionality. This application is bundled with the agent binaries.

1. As a root user, log into the Application Server 1 host.

2. Go to the following directory:

   /export/j2ee-agents/am_as81_agent/etc

3. Run the following command:

   # /opt/SUNWappserver/appserver/bin/asadmin deploy --user admin --password 11111111 --contextroot /agentapp agentapp.war Command deploy executed successfully.

To Enable the J2EE Policy Agent 3 to Run in SSO-Only Mode

1. Go to the following directory:

   /export/j2ee_agents/am_as81_agent/agent_001/config

   Make a backup copy of AMagent.properties, and then modify the original AMAgent.properties file.

2. Set the following property as in the example:

   com.sun.identity.agents.config.filter.mode = SSO_ONLY

   Federation Manager can run only in SSO-Only mode. In order to communicate with Federation Manager, the policy agent must also run in SSO-Only mode.

3. Add the following property

   com.iplanet.am.naming.ignoreNamingService=true

   When set to true, the policy agent ignores the Federation Manager naming service for session validation purposes. Instead, the policy agent uses the local naming service URL defined in the com.iplanet.am.naming.url property elsewhere in this file.

   Save the file.

To Initialize the Application Server 3 Certificate Database

Before You Begin

You must have access to the certutil command to complete this task. See 2.11 Obtaining and Using the Certificate Database Tool.

1. Log into the Protected Resource 3 host.

2. Copy into a temporary directory the root CA certificate from the Federation Manager load balancer.

   For example, in this deployment example, the JDK keystore is in the following directory:

   /usr/jdk/entsys-j2se/jre/lib/security

   This directory contains the Federation Manager trusted CA files, including cacert.

3. Go to the following directory:

   /var/opt/SUNWappserver/domains/domain1/config

   This directory contains two files you will need. The files are named cert8.db and key3.db, and are installed by default with Application Server 8.1. By default, Application Server 8.1 uses the NSS certificate databases for SSL purposes. You must import the Federation Manager load balancer root CA certificate to this Application Server certificate database.

4. Obtain a copy of the Federation Manager 1 root CA certificate.

   You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Federation Manager 1 host.

   In this deployment example, the Federation Manager 1 root CA certificate has already been copied to the following directory on Protected Resource 3:

   /net/slapd/export/share/cacert

5. In the directory where you have deployed the certutil utility, run the certutil command. Example:

   # certutil -A -n rootCA -t T,c,c -i /net/slapd/export/share/cacert -d .

6. To verify that the certificate was properly initialized, list the certificates in the database:

   # certutil -L -n rootCA -d .

   A list of certificates is displayed, and the initialized certificate file is included in the list.

To Deploy the Sample Agent Application on Application Server 3

1. As a root user, log into the Protected Resource 3 host.

2. Go to the following directory:

   /export/j2ee_agents/am_as81_agent/sampleapp/dist

3. Run the deploy command:

   //opt/SUNWappserver/appserver/bin/asadmin deploy --host localhost --port 4849 --user admin --password 11111111 --contextroot /agentsample --name agentsample agentsample.ear Command deploy executed successfully.

4. Restart Application Server 3.

   # cd /opt/SUNWappserver/appserver/bin # ./asadmin stop-domain Domain domain1 stopped. # ./asadmin start-domain --user admin --password 11111111 Domain domain1 started.

To Verify the Use of the Sample Agent Application on Application Server 3

1. Go to the Application Server 3 URL:

   http://ProtectedResource-3.siroe.com:8080/agentsample/index.html

2. Log in to the Federation Manager console using the following information:

   User Name:

   spuser

   Password:

   spuser

   The Sample Application welcome page is displayed.

13.4 Installing Application Server 4 and J2EE Policy Agent 4

You must have the Sun Java System Application Server installer and the Sun J2EE Policy Agent installer mounted on Protected Resource 1. See Chapter 2, Before You Beginat the beginning of this manual.

To Install Application Server 4 on Protected Resource 4

1. As a root user, log into the Application Server 4 host.

2. Start the Java Enterprise System installer with the -nodisplay option.

   # cd /mnt/Solaris_sparc # ./installer -nodisplay

3. When prompted, provide the following information:

   Welcome to the Sun Java(TM) Enterprise System; serious software made simple... <Press ENTER to Continue>	Press Enter.
   <Press ENTER to display the Software License Agreement>	Press Enter.
   Have you read, and do you accept, all of the termsof the preceding Software License Agreement [No]	Enter y.
   Please enter a comma separated list of languages you would like supported with this installation [8]	Enter 8 for “English only.”
   Do you want to install the full set of Sun Java (TM) Enterprise System Products and Services? [Yes]	Enter No.
   Enter a comma separated list of products to install,or press R to refresh the list []	Enter 14 to install Sun Java (TM) Application Server Enterprise Edition 8.1 2005Q4.
   Component Selection — Selected Product Sun Java (TM) Application Server Enterprise Edition 8.1 2005Q4. Enter a comma separated list of productsto install,or press R to refresh the list []	Enter 1,3,5,6 to install Domain Administration Server, Command Line Administration Tool, PointBase Database, and the Sample Applications.
   Press "Enter" to Continue or Enter a comma separated list of products to deselect... [1]	Press Enter.
   Enter 1 to upgrade these shared components and 2 to cancel [1]	You are prompted to upgrade shared components only if the installer detects that an upgrade is required.  Enter 1 to upgrade shared components.
   Enter the name of the target installation directory for each product: Web Server [/opt/SUNWappserver] :	Accept the default value.
   Data and Server Configuration [/var/opt/SUNWappserver]	Accept the default value.
   System ready for installation Enter 1 to continue [1]	Enter 1.
   1. Configure Now - Selectively override defaults or express through 2. Configure Later - Manually configure following installation Select Type of Configuration [1]	Enter 1.
   Common Server Settings Enter Host Name [ProtectedResource-4]	Accept the default value.
   Enter DNS Domain Name [siroe.com]	Accept the default value.
   Enter IP Address [192.18.72.152]	Accept the default value.
   Enter Server admin User ID [admin]	Accept the default value.
   Enter Admin User's Password (Password cannot be less than 8 characters) []	For this example, enter 11111111.
   Confirm Admin User's Password []	Enter the same password to confirm it.
   Enter System User [root]	Accept the default value.
   Enter System Group [root]	Accept the default value.
   Admin User Name: [admin]	Accept the default value.
   Password (min. 8 characters) []	For this example, enter 11111111.
   Re-enter Password []	For this example, enter 11111111.
   Admin Port [4849]	Accept the default value.
   JMX Port [8686]	Accept the default value.
   HTTP Port [8080]	Accept the default value.
   HTTPS Port [8181]	Accept the default value.
   Master Password (min. 8 characters) [ ]	For this example, enter 11111111.
   Re-enter Master Password (min. 8 characters) [ ]	For this example, enter 11111111.
   Ready to Install 1. Install 2. Start Over 3. Exit Installation What would you like to do [1]	When ready to install, enter 1.

4. After you have exited the installer, start Application Server 4:

   # cd /opt/SUNWappserver/appserver/bin # ./asadmin start-domain --user admin --password 11111111 Starting Domain domain1, please wait. Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log. Domain domain1 started.

5. To verify that the Application Server 4 is successfully installed, go to the Application Server URL:

   http://ProtectedResource-4:8080/index.html

   The default Application Server page is displayed and contains the following message: “Your server is up and running!”

To Run the J2EE Policy Agent Installer on Application Server 4

Before You Begin

You must obtain and unpack the J2EE Policy Agent software from the following Sun Microsystems web page: http://www.sun.com/download/products.xml?id=43543381

1. In the directory where you downloaded the J2EE Policy Agent TAR file, unpack the J2EE Policy Agent bits using the GNU untar utility. Example:

   # cd /export # gunzip SJS_Appserver_81_agent_2.2.tar.zip # gtar -xvf /usr/sfw/bin/SJS_Appserver_81_agent_2.2.tar

   ---

   Note –

   For .tar.gz archives, do not use a program other than GNU_tar to untar the contents of the J2EE agent deliverables. Using a different program, such as another tar program, can result in some files not being extracted properly. To learn more about the GNU_tar program, visit the following web site: http://www.gnu.org/software/tar/tar.html

   ---

2. Start the J2EE Policy Agent installer.

   # cd /export/j2ee_agents/am_as81_agent/bin
   # ./agentadmin --install

3. When prompted, provide the following information:

   Enter the Application Server Config Directory Path [/var/opt/SUNWappserver/ domains/domain1/config]	Accept the default value.
   Enter the Application Server Instance name: [server]	Accept the default value.
   Access Manager Services Host:	Enter LoadBalancer-9.siroe.com.
   Access Manager Services port: [80]	Enter 3443.
   Access Manager Services Protocol: [http]	Enter https.
   Access Manager Services Deployment URI: [/amserver]	Enter /federation.
   Enter the Agent Host name:	ProtectedResource-4.siroe.com
   Is the Domain administration server host remote? [false]	Accept the default value.
   Enter the port number for Application Server instance [80]:	Enter 8080.
   Enter the Preferred Protocol for Application instance [http]:	Accept the default value.
   Enter the Deployment URI for the Agent Application [/agentapp]	Accept the default value.
   Enter the Encryption Key [d1ui072LoDGSD5ZEz0Z4e3bvaJN2f3wz]:	Accept the default value.
   Enter the Agent Profile name:	Enter asagent.
   Enter the path to the password file:	Enter /export/agent_profile_password.
   Is the agent being installed on the DAS host for a remote instant [false]	Accept the default value.
   Are the Agent and Access Manager installed on the same instance of Application Server? [false]:	Accept the default value.
   Verify your settings and decide from the choices below: 1. Continue with Installation 2. Back to the last interaction 3. Start Over 4. Exit Please make your selection [1]:	Accept the default value.

4. After the installer has finished installing the agent, verify that installation was successful. You can check for installation errors in the following log file:

   /export/j2ee_agents/am_as81_agent/logs/audit/install.log

13.5 Completing the J2EE Policy Agent 4 Installation

The J2EE Policy Agent is not yet ready to begin working. A number of these tasks must be completed before the agent can do its job. Use the following as your checklist for completing the J2EE Policy Agents installation and configuration:

1. Deploy the J2EE Policy Agent housekeeping application.

2. Enable the J2EE Policy Agent 4 to run in SSO-Only mode.

3. Initialize the Application Server 4 certificate database.

4. Deploy the sample agent application on Application Server 4.

5. Verify the use of the sample agent application on Application Server 4.

To Deploy the J2EE Policy Agent Housekeeping Application

The J2EE Policy Agent uses the agent housekeeping application for notifications and other internal functionality. This application is bundled with the agent binaries.

1. As a root user, log into the Application Server 4 host.

2. Go to the following directory:

   /export/j2ee-agents/am_as81_agent/etc

3. Run the following command:

   # /opt/SUNWappserver/appserver/bin/asadmin deploy --user admin --password 11111111 --contextroot /agentapp agentapp.war Command deploy executed successfully.

To Enable the J2EE Policy Agent 4 to Run in SSO-Only Mode

1. Go to the following directory:

   /export/j2ee_agents/am_as81_agent/agent_001/config

   Make a backup copy of AMagent.properties, and then modify the original AMagent.properties file.

2. Set the following property as in the example:

   com.sun.identity.agents.config.filter.mode = SSO_ONLY

   Federation Manager can run only in SSO-Only mode. In order to communicate with Federation Manager, the policy agent must also run in SSO-Only mode.

3. Add the following property

   com.iplanet.am.naming.ignoreNamingService=true

   When set to true, the policy agent ignores the Federation Manager naming service for session validation purposes. Instead, the policy agent uses the local naming service URL defined in the com.iplanet.am.naming.url property elsewhere in this file.

   Save the file.

To Initialize the Application Server 4 Certificate Database

Before You Begin

You must have access to the certutil command to complete this task. See 2.11 Obtaining and Using the Certificate Database Tool.

1. Log into the Protected Resource 4 host.

2. Copy into a temporary directory the root CA certificate from the Federation Manager load balancer.

   For example, in this deployment example, the JDK keystore is in the following directory:

   /usr/jdk/entsys-j2se/jre/lib/security

   This directory contains the Federation Manager trusted CA files, including cacert.

3. Go to the following directory:

   /var/opt/SUNWappserver/domains/domain1/config

   This directory contains two files you will need. The files are named cert8.db and key3.db, and are installed by default with Application Server 8.1. By default, Application Server 8.1 uses the NSS certificate databases for SSL purposes. You must import the Federation Manager load balancer root CA certificate to this Application Server certificate database.

4. Obtain a copy of the Federation Manager 1 root CA certificate.

   You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Federation Manager 1 host.

   In this deployment example, the Federation Manager 1 root CA certificate has already been copied to the following directory on Protected Resource 4:

   /net/slapd/export/share/cacert

5. In the directory where you deployed the certutil utility, run the certutil command. Example:

   # certutil -A -n rootCA -t T,c,c -i /net/slapd/export/share/cacert -d .

6. To verify that the certificate was properly initialized, list the certificates in the database:

   # certutil -L -n rootCA -d .

   A list of certificates is displayed, and the initialized certificate file is included in the list.

To Deploy the Sample Agent Application on Application Server 4

1. As a root user, log into the Protected Resource 4 host.

2. Go to the following directory:

   /export/j2ee_agents/am_as81_agent/sampleapp/dist

3. Run the deploy command:

   //opt/SUNWappserver/appserver/bin/asadmin deploy --host localhost --port 4849 --user admin --password 11111111 --contextroot /agentsample --name agentsample agentsample.ear Command deploy executed successfully.

4. Restart Application Server 4.

   # cd /opt/SUNWappserver/appserver/bin # ./asadmin stop-domain Domain domain1 stopped. # ./asadmin start-domain --user admin --password 11111111 Domain domain1 started.

To Verify the Use of the Sample Agent Application on Application Server 4

1. Go to the Application Server 4 URL:

   http://ProtectedResource-4.siroe.com:8080/agentsample/index.html

2. Log in to the Federation Manager console using the following information:

   User Name:

   spuser

   Password:

   spuser

   The Sample Application welcome page is displayed.

13.6 Configuring the J2EE Policy Agents Load Balancer

Load Balancer 10 can be located in a less-secured zone, and handles traffic for the J2EE Policy Agents.

Load Balancer 10 is configured for simple persistence so that browser requests from the same IP address will always be directed to the same J2EE Policy Agent instance . This guarantees that the requests from the same user session will always be sent to the same J2EE Policy Agent instance. This is important from the performance perspective. Each J2EE Policy Agent must validate the user session and evaluate applicable policies. The results are subsequently cached on the individual J2EE Policy Agent to improve the performance. If no load balancer persistence is set, and the same user's requests are spread across two agents, then each agent must build up its own cache. To do so, both agents must validate the session and evaluate policies. This effectively doubles the workload on the Access Manager servers, and cuts the overall system capacity by half. The problem becomes even more acute as the number of J2EE Policy Agents increases further.

As a general rule, in situations where each J2EE Policy Agent instance is protecting identical resources, some form of load balancer persistence is highly recommended for the performance reasons. The actual type of persistence may vary when a different load balancer is used, as long as it achieves the goal of sending the requests from the same user session to the same J2EE Policy Agent instance.

Use the following as your checklist for Configuring the J2EE Policy Agents load balancer:

1. Configure the J2EE Policy Agents load balancer.

2. Terminate SSL at the J2EE Policy Agents load balancer.

To Configure the J2EE Policy Agents Load Balancer

1. Go to URL for the Big IP load balancer login page and log in.

   https://ls-f5.siroe.com

   User name:

   username

   Password:

   password

2. Request an SSL Certificate for Load Balancer 10.

   1. Log in to the BIG-IP load balancer.

   2. Click Proxies in the left pane.

   3. Click the Cert Admin tab, and then click the “Generate New Key Pair/ Certificate Request” button.

   4. In the Create Certificate Request page, provide the following information:

      Key Identifier:

      LoadBalancer-10.siroe.com

      Organization:

      siroe.com

      Domain Name:

      LoadBalancer-10.siroe.com

      Email Address:

      jdoe@siroe.com

   5. Click the Generate Request button.

   6. In the Generate Request page, copy the request that looks similar to this:

      -----BEGIN CERTIFICATE REQUEST----- UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0 EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0 wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0 GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo 2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2 -----END CERTIFICATE REQUEST-----

   7. Paste this text into a request form provided by a root certificate authority (CA) such as Verisign or Thwarte.

      See the certificate authority website such as http://www.verisign.com/ or http://www.thawte.com/ for detailed instructions on submitting a certificate request.

3. After you receive the certificate from the issuer, install the SSL Certificate.

   1. In the BIG-IP load balancer console, click the Cert Admin tab.

   2. On the Cert Admin tab, click Install Certificate.

   3. In the Install SSL Certificate page, paste the certificate text you received from the certificate issuer. Example:

      -----BEGIN CERTIFICATE REQUEST----- UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0 EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0 wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0 GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo 2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2 -----END CERTIFICATE REQUEST-----

   4. Click Install Certificate.

4. Create a Pool.

   A pool contains all the backend server instances.

   1. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

   2. In the left pane, click Pools.

   3. On the Pools tab, click the Add button.

   4. In the Add Pool dialog, provide the following information:

      Pool Name

      federation _j2ee_agents

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address of both Application Server hosts. In this example:

      192.18.72.152:8080 (for Application Server 3)

      192.18.72.151:8080 (for Application Server 4)

   5. Click the Done button.

   6. In the List of Pools, click the name of the pool you just created (federation_j2ee_agents).

5. Add a Virtual Server.

   If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.

   1. In the left frame, Click Virtual Servers.

   2. On the Virtual Servers tab, click the Add button.

   3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      192.18.69.14 (for LoadBalancer-10.siroe.com )

      Services Port

      1080

      Pool

      federation_j2ee_agents

   4. Continue to click Next until you reach the Pool Selection dialog box.

   5. Click the Done button.

To Terminate SSL at the J2EE Policy Agents Load Balancer

You should still be logged into the BigIP load balancer program after the last task.

1. Create an SSL Proxy.

2. Click the Proxies tab, and then click the Add button.

3. In the Add Proxy page, provide the following information:

   Proxy Type:

   Mark the SSL box.

   Proxy Address:

   192.18.49.14

   Proxy Service:

   4443

   Destination Address:

   192.18.69.14

   Destination Service:

   4080

   SSL Certificate:

   LoadBalancer-10.siroe.com

   SSL Key:

   LoadBalancer-10.siroe.com

   Server SSL Certificate:

   LoadBalancer-10.siroe.com

   Server SSL Key:

   LoadBalancer-10.siroe.com

   Click Next.

   Rewrite Redirects:

   Matching

   Click Done.

13.7 Configuring the Application Servers for SSL Termination

Download the Sun Java System Application Server Enterprise Ed 8.1 2005Q1 Patch to the Application Server 3 host and to the Application 4 host using one of the following URLs:

Solaris (sparc) 119166-22

http://sunsolve.sun.com/search/document.do?assetkey=1-21-119166

Solaris (x86) 119170-14

http://sunsolve.sun.com/search/document.do?assetkey=1-21-119170-14

Linux 119171-14

http://sunsolve.sun.com/search/document.do?assetkey=1-21-119171-14

Use the following as you checklist for configuring the Application Servers for SSL Termination:

1. Configure Application Server 3 for SSL termination.

2. Configure Application Server 4 for SSL termination.

To Configure Application Server 3 for SSL Termination

1. As a root user, log into the Application Server 3 host.

2. Stop Application Server 3.

   # cd /opt/SUNWappserver/appserver/bin/ # ./asadmin stop-domain

3. Install Patch 119166-22 as described in the file README.119166-22.

   Be sure to complete the patch post-installation instructions as described in that file.

   # cd /tmp # unzip 119166-21.zip # patchadd -G /tmp/119166-22

4. Verify that the patch was indeed installed successfully.

   # showrev -p | grep 119166-22 Patch: 119166-22 Obsoletes: Requires: Incompatibles: Packages: SUNWasuee, SUNWaswbcr, SUNWascmnse, SUNWasacee, SUNWasdemdb, SUNWashdm, SUNWasdem, SUNWascmn, SUNWasac, SUNWascml, SUNWasu, SUNWasjdoc, SUNWasman, SUNWasut, SUNWasmanee

5. Edit the following file:

   /var/opt/SUNWappserver/domains/domain1/applications/j2ee-apps/ agentsample/agentservlets_war/WEB-INF/sun-web.xml

   Append the following directive to the end of the file:

   ... <property name="relativeRedirectAllowed" value="true"/> </sun-web-app>

   Save the file and exit.

6. Edit the following file:

   /var/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/ agentapp/WEB-INF/sun-web.xml

   Append this directive to the end of the file:

   ... <property name="relativeRedirectAllowed" value="true"/> </sun-web-app>

   Save the file and exit.

7. Start the Application Server.

   # cd /opt/SUNWappserver/appserver/bin/ # ./asadmin start-domain --user admin --password 11111111

To Configure Application Server 4 for SSL Termination

1. As a root user, log into the Application Server 4 host.

2. Stop Application Server 4.

   # cd /opt/SUNWappserver/appserver/bin/ # ./asadmin stop-domain

3. Install Patch 119166-22 as described in the file README.119166-22.

   Be sure to complete the patch post-installation instructions as described in that file.

   # cd /tmp # unzip 119166-21.zip # patchadd -G /tmp/119166-22

4. Verify that the patch was indeed installed successfully.

   # showrev -p | grep 119166-22 Patch: 119166-21 Obsoletes: Requires: Incompatibles: Packages: SUNWasuee, SUNWaswbcr, SUNWascmnse, SUNWasacee, SUNWasdemdb, SUNWashdm, SUNWasdem, SUNWascmn, SUNWasac, SUNWascml, SUNWasu, SUNWasjdoc, SUNWasman, SUNWasut, SUNWasmanee

5. Edit the following file:

   /var/opt/SUNWappserver/domains/domain1/applications/j2ee-apps/ agentsample/agentservlets_war/WEB-INF/sun-web.xml

   Append the following directive to the end of the file:

   ... <property name="relativeRedirectAllowed" value="true"/> </sun-web-app>

   Save the file and exit.

6. Edit the following file:

   /var/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/ agentapp/WEB-INF/sun-web.xml

   Append this directive to the end of the file:

   ... <property name="relativeRedirectAllowed" value="true"/> </sun-web-app>

   Save the file and exit.

7. Start Application Server 4.

   # cd /opt/SUNWappserver/appserver/bin/ # ./asadmin start-domain --user admin --password 11111111

13.8 Configuring the J2EE Policy Agents to Work with the J2EE Policy Agents Load Balancer

Use the following as your checklist for configuring the J2EE policy agents to work with the agents load balancer.

1. Configure J2EE Policy Agent 3 to work with the J2EE Policy Agents load balancer.

2. Configure J2EE Policy Agent 4 to work with the J2EE Policy Agents load balancer.

3. Verify that the J2EE Policy Agents load balancer works properly.

To Configure J2EE Policy Agent 3 to Work with the J2EE Policy Agents Load Balancer

1. As a root user, log into the Protected Resource 3 host.

2. Go to the following directory:

   # cd /export/j2ee_agents/am_as81_agent/agent_001/config

3. Update the AMagents.properties file.

   Set the following properties as in this example:

   # vi AMAgent.properties com.sun.identity.agents.config.fqdn.mapping[LoadBalancer-10.siroe.com] = LoadBalancer-10.siroe.com com.sun.identity.agents.config.agent.host = LoadBalancer-10.siroe.com com.sun.identity.agents.config.agent.port = 4443 com.sun.identity.agents.config.agent.protocol = https

   Save the file.

4. Restart Application Server 3.

   # cd /opt/SUNWappserver/appserver/bin #./asadmin stop-domain Domain domain1 stopped. # ./asadmin start-domain --user admin --password 11111111 Starting Domain domain1, please wait. Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log. Domain domain1 started.

To Configure J2EE Policy Agent 4 to Work with the J2EE Policy Agents Load Balancer

1. As a root user, log into the Protected Resource 4 host.

2. Go to the following directory:

   # cd /export/j2ee_agents/am_as81_agent/agent_001/config

3. Update the AMagents.properties file.

   Set the following properties as in this example:

   # vi AMAgent.properties com.sun.identity.agents.config.fqdn.mapping[LoadBalancer-10.siroe.com] = LoadBalancer-10.siroe.com com.sun.identity.agents.config.agent.host = LoadBalancer-10.siroe.com com.sun.identity.agents.config.agent.port = 4443 com.sun.identity.agents.config.agent.protocol = https

   Save the file.

4. Restart Application Server 4.

   # cd /opt/SUNWappserver/appserver/bin #./asadmin stop-domain Domain domain1 stopped. # ./asadmin start-domain --user admin --password 11111111 Starting Domain domain1, please wait. Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log. Domain domain1 started.

To Verify that the J2EE Policy Agents Load Balancer Works Properly

1. Open a new browser.

2. Go the to J2EE Policy Agents load balancer URL:

   https://LoadBalancer-10.siroe.com:4443/agentsample

   The Federation Manager login page is displayed.

3. Log in to the Federation Manager console using the following information:

   User Name:

   spuser

   Password:

   spuser

   The J2EE Policy Agent Sample Application welcome page is displayed.

13.9 Configuring the J2EE Policy Agents Load Balancer to Participate in SAMLv2 Protocols

Use the following as your checklist for configuring the J2EE Policy Agents load balancer to participate in SAMLv2 Protocols:

1. Configure the J2EE Policy Agents load balancer to participate in SAMLv2 protocols.

2. Verify that the J2EE Policy Agents load balancer uses SAMLv2 protocols.

To Configure the J2EE Policy Agents Load Balancer to Participate in SAMLv2 Protocols

1. As a root user, log into the Protected Resource 3 host.

2. Go to the following directory:

   /export/j2ee_agents/am_as81_agent/agent_001/config

3. Make a backup of the AMagent.properties file, and then set the following properties:

   # vi AMagent.properties com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-9.siroe.com:3443/federation/saml2/ jsp/spSSOInit.jsp?metaAlias=/sp&idpEntitityID=loadbalancer-3.example.com com.sun.identity.agents.config.redirect.param = RelayState

   Save the file.

4. Restart Application Server 3.

   # cd /opt/SUNWappserver/appserver/bin #./asadmin stop-domain Domain domain1 stopped. # ./asadmin start-domain --user admin --password 11111111 Starting Domain domain1, please wait. Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log. Domain domain1 started.

5. As a root user, log into the Protected Resource 4 host.

6. Go to the following directory:

   /export/j2ee_agents/am_as81_agent/agent_001/config

7. Make a backup of the AMagent.properties file, and then set the following properties:

   # vi AMagent.properties com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-9.siroe.com:3443/federation/saml2/ jsp/spSSOInit.jsp?metaAlias=/sp&idpEntitityID=loadbalancer-3.example.com com.sun.identity.agents.config.redirect.param = RelayState

   Save the file.

8. Restart Application Server 4.

   # cd /opt/SUNWappserver/appserver/bin #./asadmin stop-domain Domain domain1 stopped. # ./asadmin start-domain --user admin --password 11111111 Starting Domain domain1, please wait. Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log. Domain domain1 started.

To Verify that the J2EE Policy Agents Load Balancer Uses SAMLv2 Protocols

1. Go to the following URL:

   https://LoadBalancer-10.siroe.com:4443/agentssample

   The Access Manager login is displayed.

2. Log in to the Access Manager console using the following information:

   User Name:

   idp

   Password:

   idp

   The J2EE Policy Agent Sample Application welcome page is displayed.