Deployment Example 2: Federation Using SAML v2

14.5 Completing the Web Policy Agent 4 Installation

Use the following as your checklist for completing the Web Policy Agent 4 installation:

  1. Edit the AMAgent.properties file.

  2. Verify that Web Policy Agent 4 is working properly.

  3. Import the root CA certificate into the Web Server 4 key store.

  4. Verify that Web Policy Agent 4 can access the Federation Manager load balancer.

Procedure To Edit the AMAgent.properties File

  1. Log in as a root user to the Federation Manager 1 host.

  2. Edit the AMAgent.properties file.

    # cd /etc/opt/SUNWam/agents/es6/config/_opt_SUNWwbsvr_https-ProtectedResource-4.siroe.com

    1. Make a backup of AMAgent.properties, and then set the following properties:

      com.sun.am.policy.am.username = UrlAccessAgent
      com.sun.am.policy.am.password = BeVPgddAimR404ivWY6HPQ==
      com.sun.am.policy.agents.config.do_sso_only = true

    2. Add the following property to the original file:

      com.sun.am.ignore.naming.service = true

    3. (Optional) Set the debug property as in this example:

      com.sun.am.log.level = all:5

    Save the file.

  3. Restart Web Server 4.

    # cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com
    # ./stop; ./start
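As an added example (not code from the Sun deployment guide), the following Python helper performs step 2 above on a copy of AMAgent.properties: it backs the file up, rewrites the keys that already exist in place so comments and ordering survive, appends the key that is absent, and parses the result back so the edit can be verified. The sample file contents are constructed; the key names and values are the ones the procedure specifies.

```python
# Added example (not from the Sun deployment guide): apply the AMAgent.properties
# edits above. Assumes Java properties syntax ("key = value", "#" comments).
import re
import shutil
from pathlib import Path

# Keys the procedure sets (already present) or adds (absent). The password
# value is the encrypted string shown in the guide, not a cleartext secret.
AGENT_PROPERTIES = {
    "com.sun.am.policy.am.username": "UrlAccessAgent",
    "com.sun.am.policy.am.password": "BeVPgddAimR404ivWY6HPQ==",
    "com.sun.am.policy.agents.config.do_sso_only": "true",
    "com.sun.am.ignore.naming.service": "true",
}
# Constructed excerpt standing in for the real AMAgent.properties.
SAMPLE_AMAGENT = """\
# constructed sample, not the file shipped with the agent
com.sun.am.policy.am.username = amadmin
com.sun.am.policy.am.password = xxxxxxxx
com.sun.am.policy.agents.config.do_sso_only = false
com.sun.am.log.level = all:3
"""
_KEY_RE = re.compile(r"^\s*([^#!=:\s][^=:\s]*)\s*[=:]")  # key before '=' or ':'

def apply_properties(text: str, updates: dict) -> str:
    """Rewrite managed keys in place (keeping comments/order); append missing ones."""
    seen, out = set(), []
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        key = m.group(1) if m else None
        if key in updates and key in seen:
            continue  # drop a duplicate definition of a managed key
        if key in updates:
            line = f"{key} = {updates[key]}"
            seen.add(key)
        out.append(line)
    out += [f"{k} = {v}" for k, v in updates.items() if k not in seen]
    return "\n".join(out) + "\n"

def read_properties(text: str) -> dict:
    """Parse key/value pairs back out so the edit can be verified."""
    pairs = ((_KEY_RE.match(ln), ln) for ln in text.splitlines())
    return {m.group(1): ln[m.end():].strip() for m, ln in pairs if m}

def update_agent_properties(path: str, updates: dict = AGENT_PROPERTIES) -> dict:
    """Back up <path> to <path>.orig, apply the edits, return the parsed result."""
    p = Path(path)
    shutil.copy2(p, Path(str(p) + ".orig"))
    p.write_text(apply_properties(p.read_text(), updates))
    return read_properties(p.read_text())
```

Running `update_agent_properties` twice on the same file leaves it unchanged, so the helper is safe to re-run after a failed restart.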

Procedure To Verify that Web Policy Agent 4 is Working Properly

  1. Go to the following URL:

    http://ProtectedResource-4.siroe.com:2080

  2. Log in to Access Manager using the following information:

    Username

    spuser

    Password

    spuser

    You should see the default index.html page for Web Server 4.

Procedure To Import the Root CA Certificate into the Web Server 4 Key Store

The Web Policy Agent on Protected Resource 4 connects to Federation Manager servers through Load Balancer 9. The load balancer is SSL-enabled, so the agent must be able to trust the load balancer SSL certificate in order to establish the SSL connection. To do this, import the root CA certificate that issued the Load Balancer 3 SSL server certificate into the Web Policy Agent certificate store.

Before You Begin

Obtain the root CA certificate, and copy it to the Protected Resource 4 host. Copy the certificate into the file /export/software/ca.cert.

  1. Copy the root CA certificate to Protected Resource 4.

  2. Open a browser, and go to the Web Server 4 administration console.

    http://ProtectedResource-4.siroe.com:8888

  3. Log in to the Web Server 4 console using the following information:

    User Name:

    admin

    Password:

    11111111

  4. In the Select a Server field, select ProtectedResource-4.siroe.com, and then click Manage.


    Tip –

    If a “Configuration files have not been loaded” message is displayed, it may be because the Web Server instance that is being accessed through the administration server has had its configuration files manually edited. This is the case when the Web Policy Agent is installed. The mirror configuration files are different from the current configuration files. In order to be sure the changes are not lost, you must apply the changes. First click Apply, and then click Apply Changes. The configuration files are read, and the server is stopped and restarted.


  5. Click the Security tab.

  6. On the Initialize Trust Database page, enter a Database Password.

    Enter the password again to confirm it, and then click OK.

  7. In the left frame, click Install Certificate and provide the following information, and then click OK:

    Certificate For:

    Choose Trusted Certificate Authority (CA).

    Key Pair File Password:

    password

    Certificate Name:

    rootCA.cert

    Message in this File:

    /export/software/ca.cert

  8. Click Add Server Certificate.

  9. Click Manage Certificates.

    The root CA certificate name rootCA.cert is included in the list of certificates.

  10. Click the Preferences tab.

  11. Restart Web Server 4 from the administration console.

    On the Server On/Off page, click Server Off. When the server indicates that the administration server is off, click Server On.

  12. Restart Web Server 4 from the command line.

    # cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com
    # ./stop; ./start

Procedure To Verify that Web Policy Agent 4 Can Access the Federation Manager Load Balancer

  1. Go to the Protected Resource 4 URL:

    http://ProtectedResource-4.siroe.com:2080/index.html

  2. Log in to the Federation Manager console using the following information:

    User Name:

    spuser

    Password:

    spuser

    The policy agent redirects the request, and the URL changes to https://LoadBalancer-9.siroe.com:3443/federation/UI/Login. The default Sun ONE Web Server page is displayed. This verifies that the web policy agent is properly configured to access the Federation Manager load balancer.