This chapter contains detailed information about the following groups of tasks:
13.1 Creating J2EE Policy Agent Profiles on the Federation Manager Servers
13.2 Installing Application Server 3 and J2EE Policy Agent 3
13.4 Installing Application Server 4 and J2EE Policy Agent 4
13.8 Configuring the J2EE Policy Agents to Work with the J2EE Policy Agents Load Balancer
13.9 Configuring the J2EE Policy Agents Load Balancer to Participate in SAMLv2 Protocols
When you install the J2EE Policy Agent, the installer reads the agent profile password from a file, and the agent uses the agent profile to authenticate to the Federation Manager servers. At this point, Federation Manager still authenticates the J2EE Policy Agent against its flat-file user store rather than a directory. The account you create here is the one the J2EE Policy Agent presents to the Federation Manager servers.
Use the following as your checklist for creating J2EE Policy Agent profiles on the Federation Manager Servers:
As a root user, log into the Protected Resource 3 host.
Create an agent profile.
Create a text file named agent_profile_password, and add to it the password for the new agent profile. In this example the password is asagent, the same string as the agent profile name; the J2EE Policy Agent installer reads the password from this file later in this chapter. Because the file holds the clear-text agent password, make it readable by root only (for example, with chmod 600), and use a password that differs from the profile name outside a test deployment. Example:
# cd /export
# vi agent_profile_password
asagent
Save the file.
Generate the hashed form of the agent profile password. The ampassword command and the users directory below belong to the Federation Manager installation; the asagent.properties file written in that directory is the agent profile that Federation Manager reads from its flat-file user store.
# cd /var/opt/SUNWam/fm/federation/users
# /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging --hash asagent
EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8=
Create a text file named asagent.properties, and add the hashed agent profile password to the file.
The agent profile must exist before you run the J2EE Policy Agent installer later in this chapter.
# vi asagent.properties
password=EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8=
Save the file.
As a root user, log into the Protected Resource 4 host.
Create an agent profile.
Create a text file named agent_profile_password, and add to it the password for the new agent profile. As on Protected Resource 3, the example password is asagent; make the file readable by root only (for example, with chmod 600). Example:
# cd /export
# vi agent_profile_password
asagent
Save the file.
Generate the hashed form of the agent profile password in the Federation Manager flat-file users directory.
# cd /var/opt/SUNWam/fm/federation/users
# /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging --hash asagent
EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8=
Create a text file named asagent.properties, and add the hashed agent profile password to the file.
The agent profile must exist before you run the J2EE Policy Agent installer later in this chapter.
# vi asagent.properties
password=EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8=
Save the file.
You must have the Sun Java System Application Server installer and the Sun J2EE Policy Agent installer mounted on Protected Resource 3, the Application Server 3 host. See Chapter 2, Before You Begin, at the beginning of this manual.
As a root user, log into the Application Server 3 host.
Start the Java Enterprise System installer with the -nodisplay option.
# cd /mnt/Solaris_sparc
# ./installer -nodisplay
When prompted, provide the same responses as those listed for Application Server 4 in 13.4 Installing Application Server 4 and J2EE Policy Agent 4.
After you have exited the installer, start Application Server 3:
# cd /opt/SUNWappserver/appserver/bin
# ./asadmin start-domain --user admin --password 11111111
Starting Domain domain1, please wait.
Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log.
Domain domain1 started.
The examples in this chapter pass the administrator password with --password for brevity. A password given on the command line is visible in the process table and in the shell history, so outside a test deployment put it in a file containing the line AS_ADMIN_PASSWORD=<password> and pass that file with the asadmin --passwordfile option instead.
To verify that the Application Server 3 is successfully installed, go to the Application Server URL:
http://ProtectedResource-3:8080/index.html
The default Application Server page is displayed and contains the following message: “Your server is up and running!”
You must obtain and unpack the J2EE Policy Agent software from the following Sun Microsystems web page: http://www.sun.com/download/products.xml?id=43543381.
In the directory where you downloaded the J2EE Policy Agent archive, unpack the J2EE Policy Agent bits using GNU tar (installed as /usr/sfw/bin/gtar on Solaris). Example:
# cd /export
# gunzip SJS_Appserver_81_agent_2.2.tar.gz
# /usr/sfw/bin/gtar -xvf SJS_Appserver_81_agent_2.2.tar
For .tar.gz archives, do not use a program other than GNU tar to untar the contents of the J2EE agent deliverables. Using a different tar program can result in some files not being extracted properly. To learn more about GNU tar, visit the following web site: http://www.gnu.org/software/tar/tar.html
Start the J2EE Policy Agent installer.
# cd /export/j2ee_agents/am_as81_agent/bin
# ./agentadmin --install
When prompted, provide the following responses, in the order the installer asks for them:
1. Accept the default value.
2. Accept the default value.
3. Enter LoadBalancer-9.siroe.com (the Federation Manager load balancer host).
4. Enter 3443 (the Federation Manager load balancer port).
5. Enter https.
6. Enter /federation (the Federation Manager deployment URI).
7. Enter ProtectedResource-3.siroe.com (the host on which this agent runs).
8. Accept the default value.
9. Enter 8080 (the Application Server 3 port).
10. Accept the default value.
11. Accept the default value.
12. Accept the default value.
13. Enter asagent (the agent profile name created in 13.1).
14. Enter /export/agent_profile_password (the agent profile password file created in 13.1).
15. Accept the default value.
16. Accept the default value.
17. Accept the default value.
After the installer has finished installing the agent, verify that installation was successful. You can check for installation errors in the following log file:
/export/j2ee_agents/am_as81_agent/logs/audit/install.log
The J2EE Policy Agent is not yet ready to begin working. The following tasks must be completed before the agent can do its job. Use the following as your checklist for completing the J2EE Policy Agent installation and configuration:
Deploy the agent housekeeping application on Application Server 3 and configure AMAgent.properties for Federation Manager.
Import the Federation Manager load balancer root CA certificate into the Application Server 3 certificate database.
Deploy the sample agent application on Application Server 3.
Verify the use of the sample agent application on Application Server 3.
The J2EE Policy Agent uses the agent housekeeping application (agentapp) for notifications and other internal functionality. This application is bundled with the agent binaries.
As a root user, log into the Application Server 3 host.
Go to the following directory:
/export/j2ee_agents/am_as81_agent/etc
Run the following command:
# /opt/SUNWappserver/appserver/bin/asadmin deploy --user admin --password 11111111 --contextroot /agentapp agentapp.war
Command deploy executed successfully.
Go to the following directory:
/export/j2ee_agents/am_as81_agent/agent_001/config
Make a backup copy of AMAgent.properties, and then modify the original AMAgent.properties file.
Set the following property as in the example:
com.sun.identity.agents.config.filter.mode = SSO_ONLY
Federation Manager provides single sign-on only and does not evaluate policies. In order to communicate with Federation Manager, the policy agent must also run in SSO_ONLY mode, in which it enforces authentication but makes no authorization decisions.
Add the following property:
com.iplanet.am.naming.ignoreNamingService=true
When set to true, the policy agent ignores the Federation Manager naming service for session validation purposes. Instead, the policy agent uses the local naming service URL defined in the com.iplanet.am.naming.url property elsewhere in this file.
Save the file.
You must have access to the certutil command to complete this task. See 2.11 Obtaining and Using the Certificate Database Tool.
Log into the Protected Resource 3 host.
Copy the root CA certificate that issued the Federation Manager load balancer certificate into a temporary directory.
In this deployment example, the JDK keystore is in the following directory:
/usr/jdk/entsys-j2se/jre/lib/security
This directory contains the Federation Manager trusted CA files, including cacert.
Go to the following directory:
/var/opt/SUNWappserver/domains/domain1/config
This directory contains two files you will need, cert8.db and key3.db, which are installed by default with Application Server 8.1. By default, Application Server 8.1 uses these NSS certificate databases for SSL. You must import the Federation Manager load balancer root CA certificate into this Application Server certificate database; otherwise the agent cannot establish an SSL connection to https://LoadBalancer-9.siroe.com:3443, because the issuing CA is unknown to it.
Obtain a copy of the Federation Manager 1 root CA certificate.
You can obtain a copy from the certificate issuer, or you can copy the certificate stored on the Federation Manager 1 host.
In this deployment example, the Federation Manager 1 root CA certificate has already been copied to the following directory on Protected Resource 3:
/net/slapd/export/share/cacert
Run the certutil command from the domain1/config directory, so that -d . refers to the certificate database in that directory (invoke certutil by its full path if it is installed elsewhere). Example:
# certutil -A -n rootCA -t T,c,c -i /net/slapd/export/share/cacert -d .
The -t argument sets the trust attributes for SSL, e-mail, and object signing, in that order: c marks a valid CA, C a CA trusted to issue server certificates, and T a CA trusted to issue client certificates.
To verify that the certificate was imported, display it from the database:
# certutil -L -n rootCA -d .
With -n rootCA, certutil prints the details of the imported certificate; run certutil -L -d . without -n to list every certificate in the database together with its trust attributes, and confirm that rootCA appears with the attributes you set.
As a root user, log into the Protected Resource 3 host.
Go to the following directory:
/export/j2ee_agents/am_as81_agent/sampleapp/dist
Run the deploy command:
# /opt/SUNWappserver/appserver/bin/asadmin deploy --host localhost --port 4849 --user admin --password 11111111 --contextroot /agentsample --name agentsample agentsample.ear
Command deploy executed successfully.
Restart Application Server 3.
# cd /opt/SUNWappserver/appserver/bin
# ./asadmin stop-domain
Domain domain1 stopped.
# ./asadmin start-domain --user admin --password 11111111
Domain domain1 started.
Go to the Application Server 3 URL:
http://ProtectedResource-3.siroe.com:8080/agentsample/index.html
The agent redirects the browser to the Federation Manager login page. Log in using the following information:
User name: spuser
Password: spuser
The Sample Application welcome page is displayed.
You must have the Sun Java System Application Server installer and the Sun J2EE Policy Agent installer mounted on Protected Resource 4, the Application Server 4 host. See Chapter 2, Before You Begin, at the beginning of this manual.
As a root user, log into the Application Server 4 host.
Start the Java Enterprise System installer with the -nodisplay option.
# cd /mnt/Solaris_sparc
# ./installer -nodisplay
When prompted, respond to the installer prompts in this order:
1. Press Enter.
2. Press Enter.
3. Enter y.
4. Enter 8 for "English only."
5. Enter No.
6. Enter 14 to install Sun Java (TM) Application Server Enterprise Edition 8.1 2005Q4.
7. Enter 1,3,5,6 to install Domain Administration Server, Command Line Administration Tool, PointBase Database, and the Sample Applications.
8. Press Enter.
9. Enter 1 to upgrade these shared components and 2 to cancel [1]: you are prompted to upgrade shared components only if the installer detects that an upgrade is required. Enter 1 to upgrade shared components.
10. Accept the default value.
11. Accept the default value.
12. Enter 1.
13. Enter 1.
14. Accept the default value.
15. Accept the default value.
16. Accept the default value.
17. Accept the default value.
18. For this example, enter 11111111 (the administrator password used with asadmin --user admin throughout this chapter).
19. Enter the same password to confirm it.
20. Accept the default value.
21. Accept the default value.
22. Accept the default value.
23. For this example, enter 11111111.
24. For this example, enter 11111111.
25. Accept the default value.
26. Accept the default value.
27. Accept the default value.
28. Accept the default value.
29. For this example, enter 11111111.
30. For this example, enter 11111111.
31. When ready to install, enter 1.
The password 11111111 is used in this deployment example only; choose strong, distinct passwords in a real deployment.
After you have exited the installer, start Application Server 4:
# cd /opt/SUNWappserver/appserver/bin
# ./asadmin start-domain --user admin --password 11111111
Starting Domain domain1, please wait.
Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log.
Domain domain1 started.
To verify that the Application Server 4 is successfully installed, go to the Application Server URL:
http://ProtectedResource-4:8080/index.html
The default Application Server page is displayed and contains the following message: “Your server is up and running!”
You must obtain and unpack the J2EE Policy Agent software from the following Sun Microsystems web page: http://www.sun.com/download/products.xml?id=43543381
In the directory where you downloaded the J2EE Policy Agent archive, unpack the J2EE Policy Agent bits using GNU tar (installed as /usr/sfw/bin/gtar on Solaris). Example:
# cd /export
# gunzip SJS_Appserver_81_agent_2.2.tar.gz
# /usr/sfw/bin/gtar -xvf SJS_Appserver_81_agent_2.2.tar
For .tar.gz archives, do not use a program other than GNU tar to untar the contents of the J2EE agent deliverables. Using a different tar program can result in some files not being extracted properly. To learn more about GNU tar, visit the following web site: http://www.gnu.org/software/tar/tar.html
Start the J2EE Policy Agent installer.
# cd /export/j2ee_agents/am_as81_agent/bin
# ./agentadmin --install
When prompted, provide the following responses, in the order the installer asks for them:
1. Accept the default value.
2. Accept the default value.
3. Enter LoadBalancer-9.siroe.com (the Federation Manager load balancer host).
4. Enter 3443 (the Federation Manager load balancer port).
5. Enter https.
6. Enter /federation (the Federation Manager deployment URI).
7. Enter ProtectedResource-4.siroe.com (the host on which this agent runs).
8. Accept the default value.
9. Enter 8080 (the Application Server 4 port).
10. Accept the default value.
11. Accept the default value.
12. Accept the default value.
13. Enter asagent (the agent profile name created in 13.1).
14. Enter /export/agent_profile_password (the agent profile password file created in 13.1).
15. Accept the default value.
16. Accept the default value.
17. Accept the default value.
After the installer has finished installing the agent, verify that installation was successful. You can check for installation errors in the following log file:
/export/j2ee_agents/am_as81_agent/logs/audit/install.log
The J2EE Policy Agent is not yet ready to begin working. The following tasks must be completed before the agent can do its job. Use the following as your checklist for completing the J2EE Policy Agent installation and configuration:
Deploy the agent housekeeping application on Application Server 4 and configure AMAgent.properties for Federation Manager.
Import the Federation Manager load balancer root CA certificate into the Application Server 4 certificate database.
Deploy the sample agent application on Application Server 4.
Verify the use of the sample agent application on Application Server 4.
The J2EE Policy Agent uses the agent housekeeping application (agentapp) for notifications and other internal functionality. This application is bundled with the agent binaries.
As a root user, log into the Application Server 4 host.
Go to the following directory:
/export/j2ee_agents/am_as81_agent/etc
Run the following command:
# /opt/SUNWappserver/appserver/bin/asadmin deploy --user admin --password 11111111 --contextroot /agentapp agentapp.war
Command deploy executed successfully.
Go to the following directory:
/export/j2ee_agents/am_as81_agent/agent_001/config
Make a backup copy of AMAgent.properties, and then modify the original AMAgent.properties file.
Set the following property as in the example:
com.sun.identity.agents.config.filter.mode = SSO_ONLY
Federation Manager provides single sign-on only and does not evaluate policies. In order to communicate with Federation Manager, the policy agent must also run in SSO_ONLY mode, in which it enforces authentication but makes no authorization decisions.
Add the following property:
com.iplanet.am.naming.ignoreNamingService=true
When set to true, the policy agent ignores the Federation Manager naming service for session validation purposes. Instead, the policy agent uses the local naming service URL defined in the com.iplanet.am.naming.url property elsewhere in this file.
Save the file.
You must have access to the certutil command to complete this task. See 2.11 Obtaining and Using the Certificate Database Tool.
Log into the Protected Resource 4 host.
Copy the root CA certificate that issued the Federation Manager load balancer certificate into a temporary directory.
In this deployment example, the JDK keystore is in the following directory:
/usr/jdk/entsys-j2se/jre/lib/security
This directory contains the Federation Manager trusted CA files, including cacert.
Go to the following directory:
/var/opt/SUNWappserver/domains/domain1/config
This directory contains two files you will need, cert8.db and key3.db, which are installed by default with Application Server 8.1. By default, Application Server 8.1 uses these NSS certificate databases for SSL. You must import the Federation Manager load balancer root CA certificate into this Application Server certificate database; otherwise the agent cannot establish an SSL connection to https://LoadBalancer-9.siroe.com:3443, because the issuing CA is unknown to it.
Obtain a copy of the Federation Manager 1 root CA certificate.
You can obtain a copy from the certificate issuer, or you can copy the certificate stored on the Federation Manager 1 host.
In this deployment example, the Federation Manager 1 root CA certificate has already been copied to the following directory on Protected Resource 4:
/net/slapd/export/share/cacert
Run the certutil command from the domain1/config directory, so that -d . refers to the certificate database in that directory (invoke certutil by its full path if it is installed elsewhere). Example:
# certutil -A -n rootCA -t T,c,c -i /net/slapd/export/share/cacert -d .
The -t argument sets the trust attributes for SSL, e-mail, and object signing, in that order: c marks a valid CA, C a CA trusted to issue server certificates, and T a CA trusted to issue client certificates.
To verify that the certificate was imported, display it from the database:
# certutil -L -n rootCA -d .
With -n rootCA, certutil prints the details of the imported certificate; run certutil -L -d . without -n to list every certificate in the database together with its trust attributes, and confirm that rootCA appears with the attributes you set.
As a root user, log into the Protected Resource 4 host.
Go to the following directory:
/export/j2ee_agents/am_as81_agent/sampleapp/dist
Run the deploy command:
# /opt/SUNWappserver/appserver/bin/asadmin deploy --host localhost --port 4849 --user admin --password 11111111 --contextroot /agentsample --name agentsample agentsample.ear
Command deploy executed successfully.
Restart Application Server 4.
# cd /opt/SUNWappserver/appserver/bin
# ./asadmin stop-domain
Domain domain1 stopped.
# ./asadmin start-domain --user admin --password 11111111
Domain domain1 started.
Go to the Application Server 4 URL:
http://ProtectedResource-4.siroe.com:8080/agentsample/index.html
The agent redirects the browser to the Federation Manager login page. Log in using the following information:
User name: spuser
Password: spuser
The Sample Application welcome page is displayed.
Load Balancer 10 can be located in a less-secured zone, and handles traffic for the J2EE Policy Agents.
Load Balancer 10 is configured for simple persistence so that browser requests from the same IP address are always directed to the same J2EE Policy Agent instance. This guarantees that requests from the same user session are always sent to the same J2EE Policy Agent instance, which matters for performance. Each J2EE Policy Agent must validate the user session and evaluate the applicable policies, and it caches the results locally to speed up later requests. If no load balancer persistence is set and the same user's requests are spread across two agents, each agent must build up its own cache, so both agents validate the session and evaluate policies. This effectively doubles the workload on the Federation Manager servers and cuts the overall system capacity in half. The problem becomes more acute as the number of J2EE Policy Agents increases. Simple persistence keys on the client's source address, so every user behind one NAT gateway or forward proxy appears as a single client and is sent to the same agent instance; where many users share an address, a persistence method keyed on the user session rather than on the source address distributes the load more evenly.
As a general rule, where each J2EE Policy Agent instance protects identical resources, some form of load balancer persistence is highly recommended for performance reasons. The actual type of persistence may vary with the load balancer used, as long as it sends the requests from the same user session to the same J2EE Policy Agent instance.
Use the following as your checklist for configuring the J2EE Policy Agents load balancer:
Go to the URL for the BIG-IP load balancer login page, and log in with the BIG-IP administrator user name and password.
https://ls-f5.siroe.com
Request an SSL Certificate for Load Balancer 10.
Log in to the BIG-IP load balancer.
Click Proxies in the left pane.
Click the Cert Admin tab, and then click the "Generate New Key Pair/ Certificate Request" button.
In the Create Certificate Request page, provide the following information:
LoadBalancer-10.siroe.com
siroe.com
LoadBalancer-10.siroe.com
jdoe@siroe.com
The certificate must be issued for LoadBalancer-10.siroe.com, the host name that browsers use to reach the J2EE Policy Agents load balancer; a certificate issued for any other name causes browsers to report a host name mismatch.
Click the Generate Request button.
In the Generate Request page, copy the request, which looks similar to this:
-----BEGIN CERTIFICATE REQUEST-----
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU
AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0
EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC
xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u
IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0
wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz
ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC
FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU
ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0
GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo
2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2
-----END CERTIFICATE REQUEST-----
Paste this text into a request form provided by a root certificate authority (CA) such as VeriSign or Thawte.
See the certificate authority website, such as http://www.verisign.com/ or http://www.thawte.com/, for detailed instructions on submitting a certificate request.
After you receive the certificate from the issuer, install the SSL Certificate.
In the BIG-IP load balancer console, click the Cert Admin tab.
On the Cert Admin tab, click Install Certificate.
In the Install SSL Certificate page, paste the certificate text you received from the certificate issuer. An issued certificate is delimited by BEGIN CERTIFICATE and END CERTIFICATE lines, not by the CERTIFICATE REQUEST lines of the request you submitted. Example:
-----BEGIN CERTIFICATE-----
UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU
AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0
EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC
xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u
IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0
wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz
ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC
FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU
ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0
GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo
2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2
-----END CERTIFICATE-----
Click Install Certificate.
Create a Pool.
A pool contains all the backend server instances.
Open the Configuration Utility.
Click "Configure your BIG-IP (R) using the Configuration Utility."
In the left pane, click Pools.
On the Pools tab, click the Add button.
In the Add Pool dialog, provide the following information:
federation_j2ee_agents
Round Robin
Add the IP address of both Application Server hosts. In this example:
192.18.72.152:8080 (for Application Server 3)
192.18.72.151:8080 (for Application Server 4)
Click the Done button.
In the List of Pools, click the name of the pool you just created (federation_j2ee_agents).
Add a Virtual Server.
If you encounter JavaScript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.
In the left frame, click Virtual Servers.
On the Virtual Servers tab, click the Add button.
In the Add a Virtual Server dialog box, provide the following information:
192.18.69.14 (for LoadBalancer-10.siroe.com)
1080
federation_j2ee_agents
Continue to click Next until you reach the Pool Selection dialog box.
Click the Done button.
You should still be logged into the BIG-IP load balancer program after the last task.
Create an SSL Proxy.
Click the Proxies tab, and then click the Add button.
In the Add Proxy page, provide the following information:
Mark the SSL box.
192.18.49.14
4443
192.18.69.14
4080
LoadBalancer-10.siroe.com
LoadBalancer-10.siroe.com
LoadBalancer-10.siroe.com
LoadBalancer-10.siroe.com
The proxy terminates SSL on port 4443 and forwards clear-text HTTP to the virtual server, so check that the destination address and port you enter here are the address and port of the federation_j2ee_agents virtual server created above; if they differ, requests never reach the agents. The agents' AMAgent.properties files later in this chapter use LoadBalancer-10.siroe.com, port 4443, and https, which are the proxy's external host name, port, and protocol.
Click Next.
Matching
Click Done.
Download the Sun Java System Application Server Enterprise Ed 8.1 2005Q1 Patch to the Application Server 3 host and to the Application Server 4 host using one of the following URLs:
http://sunsolve.sun.com/search/document.do?assetkey=1-21-119166
http://sunsolve.sun.com/search/document.do?assetkey=1-21-119170-14
http://sunsolve.sun.com/search/document.do?assetkey=1-21-119171-14
Use the following as your checklist for configuring the Application Servers for SSL termination:
As a root user, log into the Application Server 3 host.
Stop Application Server 3.
# cd /opt/SUNWappserver/appserver/bin/
# ./asadmin stop-domain
Install Patch 119166-22 as described in the file README.119166-22.
Be sure to complete the patch post-installation instructions as described in that file.
# cd /tmp
# unzip 119166-22.zip
# patchadd -G /tmp/119166-22
Verify that the patch was installed successfully.
# showrev -p | grep 119166-22
Patch: 119166-22 Obsoletes: Requires: Incompatibles: Packages: SUNWasuee, SUNWaswbcr, SUNWascmnse, SUNWasacee, SUNWasdemdb, SUNWashdm, SUNWasdem, SUNWascmn, SUNWasac, SUNWascml, SUNWasu, SUNWasjdoc, SUNWasman, SUNWasut, SUNWasmanee
Edit the following file:
/var/opt/SUNWappserver/domains/domain1/applications/j2ee-apps/agentsample/agentservlets_war/WEB-INF/sun-web.xml
Append the following property immediately before the closing sun-web-app element at the end of the file:
...
<property name="relativeRedirectAllowed" value="true"/>
</sun-web-app>
Because SSL is terminated at Load Balancer 10, the Application Server receives plain HTTP on port 8080. With relativeRedirectAllowed set to true, the container passes a relative redirect URL to the browser unchanged instead of rewriting it into an absolute URL built from its own scheme, host, and port, so the browser stays on https://LoadBalancer-10.siroe.com:4443 rather than being sent to the Application Server's http address.
Save the file and exit.
Edit the following file:
/var/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/agentapp/WEB-INF/sun-web.xml
Append the same property immediately before the closing sun-web-app element at the end of the file:
...
<property name="relativeRedirectAllowed" value="true"/>
</sun-web-app>
Save the file and exit.
Start Application Server 3.
# cd /opt/SUNWappserver/appserver/bin/
# ./asadmin start-domain --user admin --password 11111111
As a root user, log into the Application Server 4 host.
Stop Application Server 4.
# cd /opt/SUNWappserver/appserver/bin/
# ./asadmin stop-domain
Install Patch 119166-22 as described in the file README.119166-22.
Be sure to complete the patch post-installation instructions as described in that file.
# cd /tmp
# unzip 119166-22.zip
# patchadd -G /tmp/119166-22
Verify that the patch was installed successfully.
# showrev -p | grep 119166-22
Patch: 119166-22 Obsoletes: Requires: Incompatibles: Packages: SUNWasuee, SUNWaswbcr, SUNWascmnse, SUNWasacee, SUNWasdemdb, SUNWashdm, SUNWasdem, SUNWascmn, SUNWasac, SUNWascml, SUNWasu, SUNWasjdoc, SUNWasman, SUNWasut, SUNWasmanee
Edit the following file:
/var/opt/SUNWappserver/domains/domain1/applications/j2ee-apps/agentsample/agentservlets_war/WEB-INF/sun-web.xml
Append the following property immediately before the closing sun-web-app element at the end of the file:
...
<property name="relativeRedirectAllowed" value="true"/>
</sun-web-app>
Save the file and exit.
Edit the following file:
/var/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/agentapp/WEB-INF/sun-web.xml
Append the same property immediately before the closing sun-web-app element at the end of the file:
...
<property name="relativeRedirectAllowed" value="true"/>
</sun-web-app>
Save the file and exit.
Start Application Server 4.
# cd /opt/SUNWappserver/appserver/bin/
# ./asadmin start-domain --user admin --password 11111111
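The sun-web.xml edit above is repeated for two descriptors on each Application Server host, and a second careless edit leaves a duplicate property element behind. The following POSIX shell function is an added example, not taken from the deployment guide or from the Application Server software: it inserts the relativeRedirectAllowed property immediately before the closing sun-web-app tag only when the property is absent, keeps an untouched copy of the file as FILE.orig, and refuses to touch a descriptor that has no closing tag. The descriptor it runs on is a constructed stand-in for agentapp/WEB-INF/sun-web.xml; the real files live under /var/opt/SUNWappserver/domains/domain1/applications.

```sh
#!/bin/sh
# Added example: idempotent insertion of the relativeRedirectAllowed
# property into a Sun Application Server 8.1 sun-web.xml descriptor.
# Assumption: the descriptor ends with a </sun-web-app> closing tag, as
# the descriptors edited in this chapter do.

PROPERTY_LINE='    <property name="relativeRedirectAllowed" value="true"/>'

# ensure_relative_redirect FILE
# Returns 0 when the property is present afterwards (inserted now, or
# already there), 1 when FILE contains no </sun-web-app> tag to anchor on.
ensure_relative_redirect() {
    file=$1
    if grep -q 'name="relativeRedirectAllowed"' "$file"; then
        return 0                    # already configured: leave the file alone
    fi
    grep -q '</sun-web-app>' "$file" || return 1
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig"   # keep the untouched copy
    tmp="$file.tmp.$$"
    # Copy every line; emit the property just before the closing tag.
    awk -v prop="$PROPERTY_LINE" '
        /<\/sun-web-app>/ { print prop }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# count_relative_redirect FILE: how many relativeRedirectAllowed lines FILE has
count_relative_redirect() {
    grep -c 'name="relativeRedirectAllowed"' "$1" || true
}

# Demonstration on a constructed descriptor (not a file from the product).
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<sun-web-app>
  <context-root>/agentapp</context-root>
</sun-web-app>
EOF
ensure_relative_redirect "$demo_file"
ensure_relative_redirect "$demo_file"   # second run must not add a second line
echo "relativeRedirectAllowed lines: $(count_relative_redirect "$demo_file")"
cat "$demo_file"
rm -f "$demo_file" "$demo_file.orig"
```

Run the function once per descriptor while the domain is stopped, as in the procedure above, then start the domain; the FILE.orig copy lets you diff or revert the change.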
Use the following as your checklist for configuring the J2EE policy agents to work with the agents load balancer.
Configure J2EE Policy Agent 3 to work with the J2EE Policy Agents load balancer.
Configure J2EE Policy Agent 4 to work with the J2EE Policy Agents load balancer.
Verify that the J2EE Policy Agents load balancer works properly.
As a root user, log into the Protected Resource 3 host.
Go to the following directory:
# cd /export/j2ee_agents/am_as81_agent/agent_001/config
Update the AMAgent.properties file.
Set the following properties as in this example:
# vi AMAgent.properties
com.sun.identity.agents.config.fqdn.mapping[LoadBalancer-10.siroe.com] = LoadBalancer-10.siroe.com
com.sun.identity.agents.config.agent.host = LoadBalancer-10.siroe.com
com.sun.identity.agents.config.agent.port = 4443
com.sun.identity.agents.config.agent.protocol = https
These values make the agent identify itself by the load balancer's external host name, port, and protocol, so that the URLs it sends to Federation Manager and the redirects it issues point at https://LoadBalancer-10.siroe.com:4443 rather than at the individual Application Server. The fqdn.mapping entry tells the agent to accept requests that arrive for the load balancer host name instead of redirecting them to the agent host's own fully qualified name.
Save the file.
Restart Application Server 3.
# cd /opt/SUNWappserver/appserver/bin
# ./asadmin stop-domain
Domain domain1 stopped.
# ./asadmin start-domain --user admin --password 11111111
Starting Domain domain1, please wait.
Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log.
Domain domain1 started.
As a root user, log into the Protected Resource 4 host.
Go to the following directory:
# cd /export/j2ee_agents/am_as81_agent/agent_001/config
Update the AMAgent.properties file.
Set the following properties as in this example:
# vi AMAgent.properties
com.sun.identity.agents.config.fqdn.mapping[LoadBalancer-10.siroe.com] = LoadBalancer-10.siroe.com
com.sun.identity.agents.config.agent.host = LoadBalancer-10.siroe.com
com.sun.identity.agents.config.agent.port = 4443
com.sun.identity.agents.config.agent.protocol = https
Save the file.
Restart Application Server 4.
# cd /opt/SUNWappserver/appserver/bin
# ./asadmin stop-domain
Domain domain1 stopped.
# ./asadmin start-domain --user admin --password 11111111
Starting Domain domain1, please wait.
Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log.
Domain domain1 started.
Open a new browser.
Go to the J2EE Policy Agents load balancer URL:
https://LoadBalancer-10.siroe.com:4443/agentsample
The Federation Manager login page is displayed.
Log in using the following information:
User name: spuser
Password: spuser
The J2EE Policy Agent Sample Application welcome page is displayed.
Use the following as your checklist for configuring the J2EE Policy Agents load balancer to participate in SAMLv2 Protocols:
Configure the J2EE Policy Agents load balancer to participate in SAMLv2 protocols.
Verify that the J2EE Policy Agents load balancer uses SAMLv2 protocols.
As a root user, log into the Protected Resource 3 host.
Go to the following directory:
/export/j2ee_agents/am_as81_agent/agent_001/config
Make a backup of the AMAgent.properties file, and then set the following properties:
# vi AMAgent.properties
com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com
com.sun.identity.agents.config.redirect.param = RelayState
With these settings, the agent redirects an unauthenticated request to the service provider's SAMLv2 single sign-on initiation page on Federation Manager instead of to a local login page. The original request URL is carried in the RelayState parameter, so the user is returned to it after the identity provider whose entity ID is loadbalancer-3.example.com has authenticated them.
Save the file.
Restart Application Server 3.
# cd /opt/SUNWappserver/appserver/bin
# ./asadmin stop-domain
Domain domain1 stopped.
# ./asadmin start-domain --user admin --password 11111111
Starting Domain domain1, please wait.
Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log.
Domain domain1 started.
As a root user, log into the Protected Resource 4 host.
Go to the following directory:
/export/j2ee_agents/am_as81_agent/agent_001/config
Make a backup of the AMAgent.properties file, and then set the following properties:
# vi AMAgent.properties
com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com
com.sun.identity.agents.config.redirect.param = RelayState
Save the file.
Restart Application Server 4.
# cd /opt/SUNWappserver/appserver/bin
# ./asadmin stop-domain
Domain domain1 stopped.
# ./asadmin start-domain --user admin --password 11111111
Starting Domain domain1, please wait.
Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log.
Domain domain1 started.
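The AMAgent.properties changes in 13.2, 13.8 and 13.9 are made by hand with vi on each Protected Resource host, and a key that is typed twice or misspelled is silently ignored by the agent. The following POSIX shell functions are an added example, not part of the Sun documentation or of the agent software: set_prop sets one key in a Java-style properties file by replacing the existing line or appending a new one, keeping an untouched copy as FILE.orig, and configure_agent_for_lb applies the six settings from 13.8 and 13.9 in one call, so the same command can be run on both hosts and rerun safely. Keys are compared as exact strings, so bracketed keys such as com.sun.identity.agents.config.fqdn.mapping[LoadBalancer-10.siroe.com] need no regex escaping. The properties file the demonstration edits is a constructed fragment; the host names, port and URL are the ones used in this chapter.

```sh
#!/bin/sh
# Added example: idempotent edits of AMAgent.properties-style files.
# Assumption: entries have the form "key = value" or "key=value", one per
# line, as in the agent 2.2 AMAgent.properties file. Values are passed to
# awk with -v, so a value containing a backslash would need doubling.

# set_prop FILE KEY VALUE: replace the line for KEY, or append one.
set_prop() {
    file=$1 key=$2 value=$3
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig"   # first run keeps a copy
    tmp="$file.tmp.$$"
    awk -v k="$key" -v v="$value" '
        # keyof(line) returns the trimmed text before the first "=" ("" if none)
        function keyof(line,    p) {
            p = index(line, "=")
            if (p == 0) return ""
            line = substr(line, 1, p - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            return line
        }
        keyof($0) == k && !done { print k " = " v; done = 1; next }
        { print }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_prop FILE KEY: print the trimmed value of KEY, or nothing if absent.
get_prop() {
    awk -v k="$2" '
        index($0, "=") > 0 {
            p = index($0, "=")
            name = substr($0, 1, p - 1); gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name == k) {
                val = substr($0, p + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# configure_agent_for_lb FILE LB_HOST LB_PORT LOGIN_URL
# Applies the 13.8 load-balancer identity settings and the 13.9 SAMLv2
# login settings to the agent configuration FILE.
configure_agent_for_lb() {
    cfg=$1 lb=$2 lbport=$3 login=$4
    set_prop "$cfg" "com.sun.identity.agents.config.fqdn.mapping[$lb]" "$lb"
    set_prop "$cfg" "com.sun.identity.agents.config.agent.host" "$lb"
    set_prop "$cfg" "com.sun.identity.agents.config.agent.port" "$lbport"
    set_prop "$cfg" "com.sun.identity.agents.config.agent.protocol" "https"
    set_prop "$cfg" "com.sun.identity.agents.config.login.url[0]" "$login"
    set_prop "$cfg" "com.sun.identity.agents.config.redirect.param" "RelayState"
}

# Demonstration on a constructed fragment of a freshly installed agent's file.
demo=$(mktemp)
printf '%s\n' \
    'com.sun.identity.agents.config.filter.mode = SSO_ONLY' \
    'com.sun.identity.agents.config.agent.host = ProtectedResource-3.siroe.com' \
    'com.sun.identity.agents.config.agent.port = 8080' \
    'com.sun.identity.agents.config.agent.protocol = http' > "$demo"
sp_sso='https://LoadBalancer-9.siroe.com:3443/federation/saml2/jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com'
configure_agent_for_lb "$demo" LoadBalancer-10.siroe.com 4443 "$sp_sso"
configure_agent_for_lb "$demo" LoadBalancer-10.siroe.com 4443 "$sp_sso"   # rerun: no duplicates
cat "$demo"
echo "agent.port is now: $(get_prop "$demo" com.sun.identity.agents.config.agent.port)"
rm -f "$demo" "$demo.orig"
```

On a real host, run configure_agent_for_lb against /export/j2ee_agents/am_as81_agent/agent_001/config/AMAgent.properties and then restart the domain as the procedure above does; get_prop gives a quick check of the live values before the restart.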