This chapter contains detailed information about the following groups of tasks:
13.1 Creating J2EE Policy Agent Profiles on the Federation Manager Servers
13.2 Installing Application Server 3 and J2EE Policy Agent 3
13.4 Installing Application Server 4 and J2EE Policy Agent 4
13.8 Configuring the J2EE Policy Agents to Work with the J2EE Policy Agents Load Balancer
13.9 Configuring the J2EE Policy Agents Load Balancer to Participate in SAMLv2 Protocols
When you install the J2EE Policy Agent, the agent profile is used to retrieve the J2EE Policy Agent user password. At this point, the J2EE Policy Agent authentication still occurs through flat files. This new account will be used by J2EE Policy Agent to authenticate to the Federation Manager servers.
Use the following as your checklist for creating J2EE Policy Agent profiles on the Federation Manager Servers:
As a root user, log into the Protected Resource 3 host.
Create an agent profile.
Create a text file named agent_profile_password, and add to it a name for the new agent profile. Example:
# cd /export # vi agent_profile_password asagent |
Save the file.
Generate an encrypted password for the new agent profile.
# cd /var/opt/SUNWam/fm/federation/users # /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging --hash asagent EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8= |
Create a text file named asagent.properties, and add the agent profile password to the file.
The J2EE Policy Agent installer requires this file for installation.
# vi asagent.properties password=EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8= |
Save the file.
As a root user, log into the Protected Resource 4 host.
Create an agent profile.
Create a text file named agent_profile_password, and add to it a name for the new agent profile. Example:
# cd /export # vi agent_profile_password asagent |
Save the file.
Generate an encrypted password for the new agent profile.
# cd /var/opt/SUNWam/fm/federation/users # /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging --hash asagent EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8= |
Create a text file named asagent.properties, and add the agent profile password to the file.
The J2EE Policy Agent installer requires this file for installation.
# vi asagent.properties password=EW1Ck/Yw4kpyYs9jbu5Dx5pJaH8= |
Save the file.
You must have the Sun Java System Application Server installer and the Sun J2EE Policy Agent installer mounted on Protected Resource 1. See Chapter 2, Before You Beginat the beginning of this manual.
As a root user, log into the Application Server 3 host.
Start the Java Enterprise System installer with the -nodisplay option.
# cd /mnt/Solaris_sparc # ./installer -nodisplay |
When prompted, provide the following information:
After you have exited the installer, start Application Server 3:
# cd /opt/SUNWappserver/appserver/bin # ./asadmin start-domain --user admin --password 11111111 Starting Domain domain1, please wait. Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log. Domain domain1 started. |
To verify that the Application Server 3 is successfully installed, go to the Application Server URL:
http://ProtectedResource-3:8080/index.html |
The default Application Server page is displayed and contains the following message: “Your server is up and running!”
You must obtain and unpack the J2EE Policy Agent software from the following Sun Microsystems web page: http://www.sun.com/download/products.xml?id=43543381.
In the directory where you downloaded the J2EE Policy Agent TAR file, unpack the J2EE Policy Agent bits using the GNU untar utility. Example:
# cd /export # gunzip SJS_Appserver_81_agent_2.2.tar.zip # gtar -xvf /usr/sfw/bin/SJS_Appserver_81_agent_2.2.tar |
For .tar.gz archives, do not use a program other than GNU_tar to untar the contents of the J2EE agent deliverables. Using a different program, such as another tar program, can result in some files not being extracted properly. To learn more about the GNU_tar program, visit the following web site: http://www.gnu.org/software/tar/tar.html
Start the J2EE Policy Agent installer.
# cd /export/j2ee_agents/am_as81_agent/bin # ./agentadmin --install
When prompted, provide the following information:
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Enter LoadBalancer-9.siroe.com. |
|
|
Enter 3443. |
|
|
Enter https. |
|
|
Enter /federation. |
|
|
ProtectedResource-3.siroe.com |
|
|
Accept the default value. |
|
|
Enter 8080. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Enter asagent. |
|
|
Enter /export/agent_profile_password. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
After the installer has finished installing the agent, verify that installation was successful. You check can for installation errors in the following log file:
/export/j2ee_agents/am_as81_agent/logs/audit/install.log |
The J2EE Policy Agent is not yet ready to begin working. A number of these tasks must be completed before the agent can do its job. Use the following as your checklist for completing the J2EE Policy Agents installation and configuration:
Deploy the sample agent application on Application Server 3.
Verify the use of the sample agent application on Application Server 3.
The J2EE Policy Agent uses the agent housekeeping application for notifications and other internal functionality. This application is bundled with the agent binaries.
As a root user, log into the Application Server 1 host.
Go to the following directory:
/export/j2ee-agents/am_as81_agent/etc |
Run the following command:
# /opt/SUNWappserver/appserver/bin/asadmin deploy --user admin --password 11111111 --contextroot /agentapp agentapp.war Command deploy executed successfully. |
Go to the following directory:
/export/j2ee_agents/am_as81_agent/agent_001/config |
Make a backup copy of AMagent.properties, and then modify the original AMAgent.properties file.
Set the following property as in the example:
com.sun.identity.agents.config.filter.mode = SSO_ONLY |
Federation Manager can run only in SSO-Only mode. In order to communicate with Federation Manager, the policy agent must also run in SSO-Only mode.
Add the following property
com.iplanet.am.naming.ignoreNamingService=true |
When set to true, the policy agent ignores the Federation Manager naming service for session validation purposes. Instead, the policy agent uses the local naming service URL defined in the com.iplanet.am.naming.url property elsewhere in this file.
Save the file.
You must have access to the certutil command to complete this task. See 2.11 Obtaining and Using the Certificate Database Tool.
Log into the Protected Resource 3 host.
Copy into a temporary directory the root CA certificate from the Federation Manager load balancer.
For example, in this deployment example, the JDK keystore is in the following directory:
/usr/jdk/entsys-j2se/jre/lib/security |
This directory contains the Federation Manager trusted CA files, including cacert.
Go to the following directory:
/var/opt/SUNWappserver/domains/domain1/config |
This directory contains two files you will need. The files are named cert8.db and key3.db, and are installed by default with Application Server 8.1. By default, Application Server 8.1 uses the NSS certificate databases for SSL purposes. You must import the Federation Manager load balancer root CA certificate to this Application Server certificate database.
Obtain a copy of the Federation Manager 1 root CA certificate.
You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Federation Manager 1 host.
In this deployment example, the Federation Manager 1 root CA certificate has already been copied to the following directory on Protected Resource 3:
/net/slapd/export/share/cacert |
In the directory where you have deployed the certutil utility, run the certutil command. Example:
# certutil -A -n rootCA -t T,c,c -i /net/slapd/export/share/cacert -d . |
To verify that the certificate was properly initialized, list the certificates in the database:
# certutil -L -n rootCA -d . |
A list of certificates is displayed, and the initialized certificate file is included in the list.
As a root user, log into the Protected Resource 3 host.
Go to the following directory:
/export/j2ee_agents/am_as81_agent/sampleapp/dist |
Run the deploy command:
//opt/SUNWappserver/appserver/bin/asadmin deploy --host localhost --port 4849 --user admin --password 11111111 --contextroot /agentsample --name agentsample agentsample.ear Command deploy executed successfully. |
Restart Application Server 3.
# cd /opt/SUNWappserver/appserver/bin # ./asadmin stop-domain Domain domain1 stopped. # ./asadmin start-domain --user admin --password 11111111 Domain domain1 started. |
Go to the Application Server 3 URL:
http://ProtectedResource-3.siroe.com:8080/agentsample/index.html |
Log in to the Federation Manager console using the following information:
spuser
spuser
The Sample Application welcome page is displayed.
You must have the Sun Java System Application Server installer and the Sun J2EE Policy Agent installer mounted on Protected Resource 1. See Chapter 2, Before You Beginat the beginning of this manual.
As a root user, log into the Application Server 4 host.
Start the Java Enterprise System installer with the -nodisplay option.
# cd /mnt/Solaris_sparc # ./installer -nodisplay |
When prompted, provide the following information:
|
Press Enter. |
|||
|
Press Enter. |
|||
|
Enter y. |
|||
|
Enter 8 for “English only.” |
|||
|
Enter No. |
|||
|
Enter 14 to install Sun Java (TM) Application Server Enterprise Edition 8.1 2005Q4. |
|||
|
Enter 1,3,5,6 to install Domain Administration Server, Command Line Administration Tool, PointBase Database, and the Sample Applications. |
|||
|
Press Enter. |
|||
Enter 1 to upgrade these shared components and 2 to cancel [1] |
You are prompted to upgrade shared components only if the installer detects that an upgrade is required. Enter 1 to upgrade shared components. |
|||
|
Accept the default value. |
|||
|
Accept the default value. |
|||
|
Enter 1. |
|||
|
Enter 1. |
|||
|
Accept the default value. |
|||
|
Accept the default value. |
|||
|
Accept the default value. |
|||
|
Accept the default value. |
|||
|
For this example, enter 11111111. |
|||
|
Enter the same password to confirm it. |
|||
|
Accept the default value. |
|||
|
Accept the default value. |
|||
|
Accept the default value. |
|||
|
For this example, enter 11111111. |
|||
|
For this example, enter 11111111. |
|||
|
Accept the default value. |
|||
|
Accept the default value. |
|||
|
Accept the default value. |
|||
|
Accept the default value. |
|||
|
For this example, enter 11111111. |
|||
|
For this example, enter 11111111. |
|||
|
When ready to install, enter 1. |
After you have exited the installer, start Application Server 4:
# cd /opt/SUNWappserver/appserver/bin # ./asadmin start-domain --user admin --password 11111111 Starting Domain domain1, please wait. Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log. Domain domain1 started. |
To verify that the Application Server 4 is successfully installed, go to the Application Server URL:
http://ProtectedResource-4:8080/index.html |
The default Application Server page is displayed and contains the following message: “Your server is up and running!”
You must obtain and unpack the J2EE Policy Agent software from the following Sun Microsystems web page: http://www.sun.com/download/products.xml?id=43543381
In the directory where you downloaded the J2EE Policy Agent TAR file, unpack the J2EE Policy Agent bits using the GNU untar utility. Example:
# cd /export # gunzip SJS_Appserver_81_agent_2.2.tar.zip # gtar -xvf /usr/sfw/bin/SJS_Appserver_81_agent_2.2.tar |
For .tar.gz archives, do not use a program other than GNU_tar to untar the contents of the J2EE agent deliverables. Using a different program, such as another tar program, can result in some files not being extracted properly. To learn more about the GNU_tar program, visit the following web site: http://www.gnu.org/software/tar/tar.html
Start the J2EE Policy Agent installer.
# cd /export/j2ee_agents/am_as81_agent/bin # ./agentadmin --install
When prompted, provide the following information:
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Enter LoadBalancer-9.siroe.com. |
|
|
Enter 3443. |
|
|
Enter https. |
|
|
Enter /federation. |
|
|
ProtectedResource-4.siroe.com |
|
|
Accept the default value. |
|
|
Enter 8080. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Enter asagent. |
|
|
Enter /export/agent_profile_password. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
After the installer has finished installing the agent, verify that installation was successful. You can check for installation errors in the following log file:
/export/j2ee_agents/am_as81_agent/logs/audit/install.log |
The J2EE Policy Agent is not yet ready to begin working. A number of these tasks must be completed before the agent can do its job. Use the following as your checklist for completing the J2EE Policy Agents installation and configuration:
Deploy the sample agent application on Application Server 4.
Verify the use of the sample agent application on Application Server 4.
The J2EE Policy Agent uses the agent housekeeping application for notifications and other internal functionality. This application is bundled with the agent binaries.
As a root user, log into the Application Server 4 host.
Go to the following directory:
/export/j2ee-agents/am_as81_agent/etc |
Run the following command:
# /opt/SUNWappserver/appserver/bin/asadmin deploy --user admin --password 11111111 --contextroot /agentapp agentapp.war Command deploy executed successfully. |
Go to the following directory:
/export/j2ee_agents/am_as81_agent/agent_001/config |
Make a backup copy of AMagent.properties, and then modify the original AMagent.properties file.
Set the following property as in the example:
com.sun.identity.agents.config.filter.mode = SSO_ONLY |
Federation Manager can run only in SSO-Only mode. In order to communicate with Federation Manager, the policy agent must also run in SSO-Only mode.
Add the following property
com.iplanet.am.naming.ignoreNamingService=true |
When set to true, the policy agent ignores the Federation Manager naming service for session validation purposes. Instead, the policy agent uses the local naming service URL defined in the com.iplanet.am.naming.url property elsewhere in this file.
Save the file.
You must have access to the certutil command to complete this task. See 2.11 Obtaining and Using the Certificate Database Tool.
Log into the Protected Resource 4 host.
Copy into a temporary directory the root CA certificate from the Federation Manager load balancer.
For example, in this deployment example, the JDK keystore is in the following directory:
/usr/jdk/entsys-j2se/jre/lib/security |
This directory contains the Federation Manager trusted CA files, including cacert.
Go to the following directory:
/var/opt/SUNWappserver/domains/domain1/config |
This directory contains two files you will need. The files are named cert8.db and key3.db, and are installed by default with Application Server 8.1. By default, Application Server 8.1 uses the NSS certificate databases for SSL purposes. You must import the Federation Manager load balancer root CA certificate to this Application Server certificate database.
Obtain a copy of the Federation Manager 1 root CA certificate.
You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Federation Manager 1 host.
In this deployment example, the Federation Manager 1 root CA certificate has already been copied to the following directory on Protected Resource 4:
/net/slapd/export/share/cacert |
In the directory where you deployed the certutil utility, run the certutil command. Example:
# certutil -A -n rootCA -t T,c,c -i /net/slapd/export/share/cacert -d . |
To verify that the certificate was properly initialized, list the certificates in the database:
# certutil -L -n rootCA -d . |
A list of certificates is displayed, and the initialized certificate file is included in the list.
As a root user, log into the Protected Resource 4 host.
Go to the following directory:
/export/j2ee_agents/am_as81_agent/sampleapp/dist |
Run the deploy command:
//opt/SUNWappserver/appserver/bin/asadmin deploy --host localhost --port 4849 --user admin --password 11111111 --contextroot /agentsample --name agentsample agentsample.ear Command deploy executed successfully. |
Restart Application Server 4.
# cd /opt/SUNWappserver/appserver/bin # ./asadmin stop-domain Domain domain1 stopped. # ./asadmin start-domain --user admin --password 11111111 Domain domain1 started. |
Go to the Application Server 4 URL:
http://ProtectedResource-4.siroe.com:8080/agentsample/index.html |
Log in to the Federation Manager console using the following information:
spuser
spuser
The Sample Application welcome page is displayed.
Load Balancer 10 can be located in a less-secured zone, and handles traffic for the J2EE Policy Agents.
Load Balancer 10 is configured for simple persistence so that browser requests from the same IP address will always be directed to the same J2EE Policy Agent instance . This guarantees that the requests from the same user session will always be sent to the same J2EE Policy Agent instance. This is important from the performance perspective. Each J2EE Policy Agent must validate the user session and evaluate applicable policies. The results are subsequently cached on the individual J2EE Policy Agent to improve the performance. If no load balancer persistence is set, and the same user's requests are spread across two agents, then each agent must build up its own cache. To do so, both agents must validate the session and evaluate policies. This effectively doubles the workload on the Access Manager servers, and cuts the overall system capacity by half. The problem becomes even more acute as the number of J2EE Policy Agents increases further.
As a general rule, in situations where each J2EE Policy Agent instance is protecting identical resources, some form of load balancer persistence is highly recommended for the performance reasons. The actual type of persistence may vary when a different load balancer is used, as long as it achieves the goal of sending the requests from the same user session to the same J2EE Policy Agent instance.
Use the following as your checklist for Configuring the J2EE Policy Agents load balancer:
Go to URL for the Big IP load balancer login page and log in.
https://ls-f5.siroe.com
username
password
Request an SSL Certificate for Load Balancer 10.
Log in to the BIG-IP load balancer.
Click Proxies in the left pane.
Click the Cert Admin tab, and then click the “Generate New Key Pair/ Certificate Request” button.
In the Create Certificate Request page, provide the following information:
LoadBalancer-10.siroe.com
siroe.com
LoadBalancer-10.siroe.com
jdoe@siroe.com
Click the Generate Request button.
In the Generate Request page, copy the request that looks similar to this:
-----BEGIN CERTIFICATE REQUEST----- UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0 EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0 wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0 GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo 2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2 -----END CERTIFICATE REQUEST----- |
Paste this text into a request form provided by a root certificate authority (CA) such as Verisign or Thwarte.
See the certificate authority website such as http://www.verisign.com/ or http://www.thawte.com/ for detailed instructions on submitting a certificate request.
After you receive the certificate from the issuer, install the SSL Certificate.
In the BIG-IP load balancer console, click the Cert Admin tab.
On the Cert Admin tab, click Install Certificate.
In the Install SSL Certificate page, paste the certificate text you received from the certificate issuer. Example:
-----BEGIN CERTIFICATE REQUEST----- UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0 EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0 wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0 GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo 2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2 -----END CERTIFICATE REQUEST----- |
Click Install Certificate.
Create a Pool.
A pool contains all the backend server instances.
Open the Configuration Utility.
Click “Configure your BIG-IP (R) using the Configuration Utility.”
In the left pane, click Pools.
On the Pools tab, click the Add button.
In the Add Pool dialog, provide the following information:
federation _j2ee_agents
Round Robin
Add the IP address of both Application Server hosts. In this example:
192.18.72.152:8080 (for Application Server 3)
192.18.72.151:8080 (for Application Server 4)
Click the Done button.
In the List of Pools, click the name of the pool you just created (federation_j2ee_agents).
Add a Virtual Server.
If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.
In the left frame, Click Virtual Servers.
On the Virtual Servers tab, click the Add button.
In the Add a Virtual Server dialog box, provide the following information:
192.18.69.14 (for LoadBalancer-10.siroe.com )
1080
federation_j2ee_agents
Continue to click Next until you reach the Pool Selection dialog box.
Click the Done button.
You should still be logged into the BigIP load balancer program after the last task.
Create an SSL Proxy.
Click the Proxies tab, and then click the Add button.
In the Add Proxy page, provide the following information:
Mark the SSL box.
192.18.49.14
4443
192.18.69.14
4080
LoadBalancer-10.siroe.com
LoadBalancer-10.siroe.com
LoadBalancer-10.siroe.com
LoadBalancer-10.siroe.com
Click Next.
Matching
Click Done.
Download the Sun Java System Application Server Enterprise Ed 8.1 2005Q1 Patch to the Application Server 3 host and to the Application 4 host using one of the following URLs:
http://sunsolve.sun.com/search/document.do?assetkey=1-21-119166
http://sunsolve.sun.com/search/document.do?assetkey=1-21-119170-14
http://sunsolve.sun.com/search/document.do?assetkey=1-21-119171-14
Use the following as you checklist for configuring the Application Servers for SSL Termination:
As a root user, log into the Application Server 3 host.
Stop Application Server 3.
# cd /opt/SUNWappserver/appserver/bin/ # ./asadmin stop-domain |
Install Patch 119166-22 as described in the file README.119166-22.
Be sure to complete the patch post-installation instructions as described in that file.
# cd /tmp # unzip 119166-21.zip # patchadd -G /tmp/119166-22 |
Verify that the patch was indeed installed successfully.
# showrev -p | grep 119166-22 Patch: 119166-22 Obsoletes: Requires: Incompatibles: Packages: SUNWasuee, SUNWaswbcr, SUNWascmnse, SUNWasacee, SUNWasdemdb, SUNWashdm, SUNWasdem, SUNWascmn, SUNWasac, SUNWascml, SUNWasu, SUNWasjdoc, SUNWasman, SUNWasut, SUNWasmanee |
Edit the following file:
/var/opt/SUNWappserver/domains/domain1/applications/j2ee-apps/ agentsample/agentservlets_war/WEB-INF/sun-web.xml |
Append the following directive to the end of the file:
... <property name="relativeRedirectAllowed" value="true"/> </sun-web-app> |
Save the file and exit.
Edit the following file:
/var/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/ agentapp/WEB-INF/sun-web.xml |
Append this directive to the end of the file:
... <property name="relativeRedirectAllowed" value="true"/> </sun-web-app> |
Save the file and exit.
Start the Application Server.
# cd /opt/SUNWappserver/appserver/bin/ # ./asadmin start-domain --user admin --password 11111111 |
As a root user, log into the Application Server 4 host.
Stop Application Server 4.
# cd /opt/SUNWappserver/appserver/bin/ # ./asadmin stop-domain |
Install Patch 119166-22 as described in the file README.119166-22.
Be sure to complete the patch post-installation instructions as described in that file.
# cd /tmp # unzip 119166-21.zip # patchadd -G /tmp/119166-22 |
Verify that the patch was indeed installed successfully.
# showrev -p | grep 119166-22 Patch: 119166-21 Obsoletes: Requires: Incompatibles: Packages: SUNWasuee, SUNWaswbcr, SUNWascmnse, SUNWasacee, SUNWasdemdb, SUNWashdm, SUNWasdem, SUNWascmn, SUNWasac, SUNWascml, SUNWasu, SUNWasjdoc, SUNWasman, SUNWasut, SUNWasmanee |
Edit the following file:
/var/opt/SUNWappserver/domains/domain1/applications/j2ee-apps/ agentsample/agentservlets_war/WEB-INF/sun-web.xml |
Append the following directive to the end of the file:
... <property name="relativeRedirectAllowed" value="true"/> </sun-web-app> |
Save the file and exit.
Edit the following file:
/var/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/ agentapp/WEB-INF/sun-web.xml |
Append this directive to the end of the file:
... <property name="relativeRedirectAllowed" value="true"/> </sun-web-app> |
Save the file and exit.
Start Application Server 4.
# cd /opt/SUNWappserver/appserver/bin/ # ./asadmin start-domain --user admin --password 11111111 |
Use the following as your checklist for configuring the J2EE policy agents to work with the agents load balancer.
Configure J2EE Policy Agent 3 to work with the J2EE Policy Agents load balancer.
Configure J2EE Policy Agent 4 to work with the J2EE Policy Agents load balancer.
Verify that the J2EE Policy Agents load balancer works properly.
As a root user, log into the Protected Resource 3 host.
Go to the following directory:
# cd /export/j2ee_agents/am_as81_agent/agent_001/config |
Update the AMagents.properties file.
Set the following properties as in this example:
# vi AMAgent.properties com.sun.identity.agents.config.fqdn.mapping[LoadBalancer-10.siroe.com] = LoadBalancer-10.siroe.com com.sun.identity.agents.config.agent.host = LoadBalancer-10.siroe.com com.sun.identity.agents.config.agent.port = 4443 com.sun.identity.agents.config.agent.protocol = https |
Save the file.
Restart Application Server 3.
# cd /opt/SUNWappserver/appserver/bin #./asadmin stop-domain Domain domain1 stopped. # ./asadmin start-domain --user admin --password 11111111 Starting Domain domain1, please wait. Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log. Domain domain1 started. |
As a root user, log into the Protected Resource 4 host.
Go to the following directory:
# cd /export/j2ee_agents/am_as81_agent/agent_001/config |
Update the AMagents.properties file.
Set the following properties as in this example:
# vi AMAgent.properties com.sun.identity.agents.config.fqdn.mapping[LoadBalancer-10.siroe.com] = LoadBalancer-10.siroe.com com.sun.identity.agents.config.agent.host = LoadBalancer-10.siroe.com com.sun.identity.agents.config.agent.port = 4443 com.sun.identity.agents.config.agent.protocol = https |
Save the file.
Restart Application Server 4.
# cd /opt/SUNWappserver/appserver/bin #./asadmin stop-domain Domain domain1 stopped. # ./asadmin start-domain --user admin --password 11111111 Starting Domain domain1, please wait. Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log. Domain domain1 started. |
Open a new browser.
Go the to J2EE Policy Agents load balancer URL:
https://LoadBalancer-10.siroe.com:4443/agentsample |
The Federation Manager login page is displayed.
Log in to the Federation Manager console using the following information:
spuser
spuser
The J2EE Policy Agent Sample Application welcome page is displayed.
Use the following as your checklist for configuring the J2EE Policy Agents load balancer to participate in SAMLv2 Protocols:
Configure the J2EE Policy Agents load balancer to participate in SAMLv2 protocols.
Verify that the J2EE Policy Agents load balancer uses SAMLv2 protocols.
As a root user, log into the Protected Resource 3 host.
Go to the following directory:
/export/j2ee_agents/am_as81_agent/agent_001/config |
Make a backup of the AMagent.properties file, and then set the following properties:
# vi AMagent.properties com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-9.siroe.com:3443/federation/saml2/ jsp/spSSOInit.jsp?metaAlias=/sp&idpEntitityID=loadbalancer-3.example.com com.sun.identity.agents.config.redirect.param = RelayState |
Save the file.
Restart Application Server 3.
# cd /opt/SUNWappserver/appserver/bin #./asadmin stop-domain Domain domain1 stopped. # ./asadmin start-domain --user admin --password 11111111 Starting Domain domain1, please wait. Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log. Domain domain1 started. |
As a root user, log into the Protected Resource 4 host.
Go to the following directory:
/export/j2ee_agents/am_as81_agent/agent_001/config |
Make a backup of the AMagent.properties file, and then set the following properties:
# vi AMagent.properties com.sun.identity.agents.config.login.url[0] = https://LoadBalancer-9.siroe.com:3443/federation/saml2/ jsp/spSSOInit.jsp?metaAlias=/sp&idpEntitityID=loadbalancer-3.example.com com.sun.identity.agents.config.redirect.param = RelayState |
Save the file.
Restart Application Server 4.
# cd /opt/SUNWappserver/appserver/bin #./asadmin stop-domain Domain domain1 stopped. # ./asadmin start-domain --user admin --password 11111111 Starting Domain domain1, please wait. Log redirected to /var/opt/SUNWappserver/domains/domain1/logs/server.log. Domain domain1 started. |
Go to the following URL:
https://LoadBalancer-10.siroe.com:4443/agentssample |
The Access Manager login is displayed.
Log in to the Access Manager console using the following information:
idp
idp
The J2EE Policy Agent Sample Application welcome page is displayed.
This chapter contains detailed information about the following groups of tasks:
14.1 Creating Web Agent Profiles on the Federation Manager Servers
14.7 Configuring the Web Policy Agents Load Balancer to Participate in SAMLv2 Protocols
Use the following as your check list for creating Web Agent profiles on the Federation Manager servers:
Create the UrlAccessAgent.properties file on Federation Manager 1.
Create the UrlAccessAgent.properties file on Federation Manager 2.
Log into the Federation Manager 1 host.
Generate an encrypted password:
# /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging --hash 11111111 BeUPgddAimR404ivWY6HPQ== |
Make note of this encrypted password. You will use this password as the UrlAccessAgent encrypted password which is similar to a shared secret used by other web containers.
Go to the following directory:
/var/opt/SUNWam/fm/federation/users |
Create a file that contains the UrlAccessAgent encrypted password.
# vi UrlAccessAgent.properties password=BeUPgddAimR404ivWY6HPQ== |
Save the file.
Restart the Federation Manager 1 server.
# /opt/SUNWwbsvr/https-FederationManager-1.siroe.com # ./stop; ./start |
Log into the Federation Manager 2 host.
Generate an encrypted password:
# /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging --hash 11111111 BeUPgddAimR404ivWY6HPQ== |
Make note of this encrypted password. You will use this password as the UrlAccessAgent encrypted password which is similar to a shared secret used by other web containers.
Go to the following directory:
/var/opt/SUNWam/fm/federation/users |
Create a file that contains the UrlAccessAgent encrypted password.
# vi UrlAccessAgent.properties password=BeUPgddAimR404ivWY6HPQ== |
Save the file.
Restart the Federation Manager 2 server.
# /opt/SUNWwbsvr/https-FederationManager-2.siroe.com # ./stop; ./start |
For this part of the deployment, you must have the JES 5 installer and Web Policy Agent installer mounted on the host Protected Resource 1. See the section 2.2 Downloading and Mounting the Java Enterprise System 2005Q4 Installer in this manual.
Use the following as your checklist for installing Web Server 3 and Web Policy Agent 3:
As a root user, log into the Protected Resource 3 host.
Start the Java Enterprise System installer with the -nodisplay option.
# cd /mnt/Solaris_sparc # ./installer -nodisplay |
When prompted, provide the following information:
|
Press Enter. |
|
|
Press Enter. |
|
|
Enter y. |
|
|
Enter 8 for “English only.” |
|
|
Enter 3 to select Web Server. |
|
|
Press Enter. |
|
Enter 1 to upgrade these shared components and 2 to cancel [1] |
You are prompted to upgrade shared components only if the installer detects that an upgrade is required. Enter 1 to upgrade shared components. |
|
|
Accept the default value. |
|
|
Enter 1. |
|
|
Enter 1. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
For this example, enter 11111111. |
|
|
Enter the same password to confirm it. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
For this example, enter 11111111. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Enter root. |
|
|
Enter root. |
|
|
Enter 2080. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
First, see the next numbered (Optional) step. When ready to install, enter 1. |
(Optional) During installation, you can monitor the log to watch for installation errors. Example:
# cd /var/sadm/install/logs
# tail —f Java_Enterprise_System_install.B xxxxxx
Upon successful installation, enter ! to exit.
Verify that the Web Server is installed properly.
Start the Web Server administration server to verify it starts with no errors.
# cd /opt/SUNWwbsvr/https-admserv
# ./stop; ./start
Run the netstat command to verify that the Web Server ports are open and listening.
# netstat -an | grep 8888 *.8888 *.* 0 0 49152 0 LISTEN |
Go to the Web Server URL.
http://ProtectedResource-3.siroe.com:8888
Log in to the Web Server using the following information:
admin
11111111
You should be able to see the Web Server console. You can log out of the console now.
Start the Protected Resource 3 instance.
# cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com # ./stop; ./start |
Run the netstat command to verify that the Web Server ports are open and listening.
# netstat -an | grep 2080 *.2080 *.* 0 0 49152 0 LISTEN |
Go to the instance URL.
http://ProtectedResource-3.siroe.com:1080
You should see the default Web Server index page.
If the Web Policy Agent installer is hosted on the same system where you are installing the Web Policy Agent, you can disregard this warning.
If the installer is hosted on a system other than the local system where you are installing the Web Policy Agent, you must start an X-display session on the system that hosts the installer. You must use an X-display program such as Reflections X or VNC even though you use the command-line installer. This is a known problem with this version of the Web Policy Agent. For more information about this known problem, see http://docs.sun.com/app/docs/doc/819-2796/6n52flfoq?a=view#adtcd.
As a root user, log into the Protected Resource 3 host.
Download the Java System Web Policy Agents 2.2 package from the following website:
Unpack the downloaded package.
In this example, the package was downloaded into the directory /temp.
# cd /temp # gunzip sun-one-policy-agent-2.2-es6-solaris_sparc.tar.gz # tar —xvof sun-one-policy-agent-2.2-es6-solaris_sparc.tar |
Start the Web Policy Agents installer.
# ./setup -nodisplay
When prompted, provide the following information:
|
Press Enter. |
||
|
Press Enter. |
||
|
Enter y. |
||
|
Accept the default value. |
||
|
Accept the default value. |
||
|
Enter
|
||
|
Enter 2080. |
||
|
Enter https. |
||
|
Accept the default value. |
||
|
For this example, enter the external-facing load balancer host name. Example: LoadBalancer-3.example.com |
||
|
Enter the load balancer HTTP port number. For this example, enter 3443. |
||
|
Enter https. |
||
|
Enter /federation. |
||
|
Enter /federation. |
||
|
Accept the default value. |
||
|
Enter the amldapuser password that was entered when Access Manager was installed. For this example, enter 11111111 . |
||
|
Enter the 11111111 password again to confirm it. |
||
|
Accept the default value. |
||
|
First, see the next (Optional) numbered step. When you are ready to start installation, press Enter. |
(Optional) During installation, you can monitor the log to watch for installation errors. Example:
# cd /var/sadm/install/logs # tail —f var/sadm/install/logs/ Sun_Java_tm__System_Access_Manager_Policy_Agent_install.Bxxxxxxxx |
Restart the Web Server.
# cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com # cd ./stop; ./start |
Examine the Web Server log for startup errors.
# /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com/logs # vi errors |
Use the following as your checklist for completing the Web Policy Agent 3 installation:
Import the root CA certificate into the Web Server 3 key store.
Verify that Web Policy Agent 3 can access the Federation Manager load balancer.
Log in to as a root user to Federation Manager 1 host.
Edit the AMAgent.properties file.
# cd /etc/opt/SUNWam/agents/es6/ config/_opt_SUNWwbsvr_https-ProtectedResource-3.siroe.com |
Make a backup of AMAgent.properties, and then set the following properties:
com.sun.am.policy.am.username = UrlAccessAgent com.sun.am.policy.am.password = BeVPgddAimR404ivWY6HPQ== com.sun.am.policy.agents.config.do_sso_only = true |
Add the following properties to the original file:
com.sun.am.ignore.naming.service = true |
(Optional) Set the debug property as in this example:
com.sun.am.log.level = all:5 |
Save the file.
Restart Web Server 3.
# cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com #./stop; ./start
Go to the following URL:
http://ProtectedResource-3.siroe.com:2080
Log in to Access Manager using the following information:
spuser
spuser
You should see the default index.html page for Web Server 3.
The Web Policy Agent on Protected Resource 3 connects to Federation Manager servers through Load Balancer 9. The load balancer is SSL-enabled, so the agent must be able to trust the load balancer SSL certificate in order to establish the SSL connection. To do this, import the root CA certificate that issued the Load Balancer 3 SSL server certificate into the Web Policy Agent certificate store.
Obtain the root CA certificate, and copy it to the Protected Resource 3 host . Copy the certificate into the file /export/software/ca.cert.
Copy the root CA certificate to Protected Resource 3.
Open a browser, and go to the Web Server 3 administration console.
http://ProtectedResource-3.siroe.com:8888
Log in to the Web Server 3 console using the following information:
admin
11111111
In the Select a Server field, select ProtectedResource-3.siroe.com, and then click Manage.
If a “Configuration files have not been loaded” message is displayed, it may be because the Web Server instance that is being accessed through the administration server has had its configuration files manually edited. This is the case when the Web Policy Agent is installed. The mirror configuration files are different from the current configuration files. In order to be sure the changes are not lost, you must apply the changes. First click Apply, and then click Apply Changes. The configuration files are read, and the server is stopped and restarted.
Click the Security tab.
On the Initialize Trust Database page, enter a Database Password.
Enter the password again to confirm it, and then click OK.
In the left frame, click Install Certificate and provide the following information, and then click OK:
Choose Trusted Certificate Authority (CA).
password
rootCA.cert
/export/software/ca.cert
Click Add Server Certificate.
Click Manage Certificates.
The root CA Certificate name rootCA.cert is included in the list of certificates.
Click the Preferences tab.
Restart Web Server 3.
On the Server On/Off page, click Server Off. When the server indicates that the administration server is off, click Server On.
Restart Web Server 3.
# cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com # ./stop; ./start
Go to the Protected Resource 3 URL:
http://ProtectedResource-3.siroe.com:2080/index.html |
Log into the Federation Manager console using the following information:
spuser
spuser
The policy agent redirects the request, and the URL changes to https://LoadBalancer-9.siroe.com:3443/federation/UI/Login. The default Sun ONE Web Server page is displayed. This verifies that the web policy agent is properly configured to access the Federation Manager load balancer.
For this part of the deployment, you must have the JES 5 installer and Web Policy Agent installer mounted on the host Protected Resource 1. See the section 2.2 Downloading and Mounting the Java Enterprise System 2005Q4 Installer in this manual.
Use the following as you checklist for installing Web Server 4 and Web Policy Agent 4:
As a root user, log into the Protected Resource 4 host.
Start the Java Enterprise System installer with the -nodisplay option.
# cd /mnt/Solaris_sparc # ./installer -nodisplay |
When prompted, provide the following information:
|
Press Enter. |
|
|
Press Enter. |
|
|
Enter y. |
|
|
Enter 8 for “English only.” |
|
|
Enter 3 to select Web Server. |
|
|
Press Enter. |
|
Enter 1 to upgrade these shared components and 2 to cancel [1] |
You are prompted to upgrade shared components only if the installer detects that an upgrade is required. Enter 1 to upgrade shared components. |
|
|
Accept the default value. |
|
|
Enter 1. |
|
|
Enter 1. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
For this example, enter 11111111. |
|
|
Enter the same password to confirm it. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
For this example, enter 11111111. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Enter root. |
|
|
Enter root. |
|
|
Enter 2080. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
First, see the next numbered (Optional) step. When ready to install, enter 1. |
(Optional) During installation, you can monitor the log to watch for installation errors. Example:
# cd /var/sadm/install/logs
# tail —f Java_Enterprise_System_install.B xxxxxx
Upon successful installation, enter ! to exit.
Verify that the Web Server is installed properly.
Start the Web Server administration server to verify it starts with no errors.
# cd /opt/SUNWwbsvr/https-admserv
# ./stop; ./start
Run the netstat command to verify that the Web Server ports are open and listening.
# netstat -an | grep 8888 *.8888 *.* 0 0 49152 0 LISTEN |
Go to the Web Server URL.
http://ProtectedResource-4.siroe.com:8888
Log in to the Web Server using the following information:
admin
11111111
You should be able to see the Web Server console. You can log out of the console now.
Start the Protected Resource 4 instance.
# cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com # ./stop; ./start |
Run the netstat command to verify that the Web Server ports are open and listening.
# netstat -an | grep 2080 *.2080 *.* 0 0 49152 0 LISTEN |
Go to the instance URL.
http://ProtectedResource-4.siroe.com:1080
You should see the default Web Server index page.
If the Web Policy Agent installer is hosted on the same system where you are installing the Web Policy Agent, you can disregard this warning.
If the installer is hosted on a system other than the local system where you are installing the Web Policy Agent, you must start an X-display session on the system that hosts the installer. You must use an X-display program such as Reflections X or VNC even though you use the command-line installer. This is a known problem with this version of the Web Policy Agent. For more information about this known problem, see http://docs.sun.com/app/docs/doc/819-2796/6n52flfoq?a=view#adtcd.
As a root user, log into the Protected Resource 4 host.
Download the Java System Web Policy Agents 2.2 package from the following website:
Unpack the downloaded package.
In this example, the package was downloaded into the directory /temp.
# cd /temp # gunzip sun-one-policy-agent-2.2-es6-solaris_sparc.tar.gz # tar —xvof sun-one-policy-agent-2.2-es6-solaris_sparc.tar |
Start the Web Policy Agents installer.
# ./setup -nodisplay
When prompted, provide the following information:
|
Press Enter. |
||
|
Press Enter. |
||
|
Enter y. |
||
|
Accept the default value. |
||
|
Accept the default value. |
||
|
Enter
|
||
|
Enter 2080. |
||
|
Accept the default value. |
||
|
Accept the default value. |
||
|
For this example, enter the load balancer host name. Example: LoadBalancer-9.siroe.com |
||
|
Enter the load balancer HTTP port number. For this example, enter 3443. |
||
|
Enter https. |
||
|
Enter /federation. |
||
|
Enter /federation. |
||
|
Accept the default value. |
||
|
Enter the amldapuser password that was entered when Access Manager was installed. For this example, enter 11111111 . |
||
|
Enter the 11111111 password again to confirm it. |
||
|
Accept the default value. |
||
|
First, see the next (Optional) numbered step. When you are ready to start installation, press Enter. |
(Optional) During installation, you can monitor the log to watch for installation errors. Example:
# cd /var/sadm/install/logs # tail —f var/sadm/install/logs/ Sun_Java_tm__System_Access_Manager_Policy_Agent_install.Bxxxxxxxx |
Restart the Web Server.
# cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com # cd ./stop; ./start |
Examine the Web Server log for startup errors.
# /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com/logs # vi errors |
Use the following as your checklist for completing the Web Policy Agent 4 installation:
Import the root CA certificate into the Web Server 4 key store.
Verify that Web Policy Agent 4 can access the Federation Manager load balancer.
Log in to as a root user to Federation Manager 1 host.
Edit the AMAgent.properties file.
# cd /etc/opt/SUNWam/agents/es6/ config/_opt_SUNWwbsvr_https-ProtectedResource-4.siroe.com |
Make a backup of AMAgent.properties, and then set the following properties:
com.sun.am.policy.am.username = UrlAccessAgent com.sun.am.policy.am.password = BeVPgddAimR404ivWY6HPQ== com.sun.am.policy.agents.config.do_sso_only = true |
Add the following properties to the original file:
com.sun.am.ignore.naming.service = true |
(Optional) Set the debug property as in this example:
com.sun.am.log.level = all:5 |
Save the file.
Restart Web Server 4.
# cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com #./stop; ./start
Go to the following URL:
http://ProtectedResource-4.siroe.com:2080
Log in to Access Manager using the following information:
spuser
spuser
You should see the default index.html page for Web Server 4.
The Web Policy Agent on Protected Resource 4 connects to Federation Manager servers through Load Balancer 9. The load balancer is SSL-enabled, so the agent must be able to trust the load balancer SSL certificate in order to establish the SSL connection. To do this, import the root CA certificate that issued the Load Balancer 3 SSL server certificate into the Web Policy Agent certificate store.
Obtain the root CA certificate, and copy it to the Protected Resource 4 host. Copy the certificate into the file /export/software/ca.cert.
Copy the root CA certificate to Protected Resource 4.
Open a browser, and go to the Web Server 4 administration console.
http://ProtectedResource-4.siroe.com:8888
Log in to the Web Server 4 console using the following information:
admin
11111111
In the Select a Server field, select ProtectedResource-4.siroe.com, and then click Manage.
If a “Configuration files have not been loaded” message is displayed, it may be because the Web Server instance that is being accessed through the administration server has had its configuration files manually edited. This is the case when the Web Policy Agent is installed. The mirror configuration files are different from the current configuration files. In order to be sure the changes are not lost, you must apply the changes. First click Apply, and then click Apply Changes. The configuration files are read, and the server is stopped and restarted.
Click the Security tab.
On the Initialize Trust Database page, enter a Database Password.
Enter the password again to confirm it, and then click OK.
In the left frame, click Install Certificate and provide the following information, and then click OK:
Choose Trusted Certificate Authority (CA).
password
rootCA.cert
/export/software/ca.cert
Click Add Server Certificate.
Click Manage Certificates.
The root CA Certificate name rooCA.cert is included in the list of certificates.
Click the Preferences tab.
Restart Web Server 4.
On the Server On/Off page, click Server Off. When the server indicates that the administration server is off, click Server On.
Restart Web Server 4.
# cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com # ./stop; ./start
Go to the Protected Resource 4 URL:
http://ProtectedResource-4.siroe.com:2080/index.html |
Log into the Federation Manager console using the following information:
spuser
spuser
The policy agent redirects the request, and the URL changes to https://LoadBalancer-9.siroe.com:3443/federation/UI/Login. The default Sun ONE Web Server page is displayed. This verifies that the web policy agent is properly configured to access the Federation Manager load balancer.
Load Balancer 11 can be located in a less-secured zone, and handles traffic for the Web Policy Agents.
Load Balancer 11 is configured for simple persistence so that browser requests from the same IP address will always be directed to the same Web Policy Agent instance . This guarantees that the requests from the same user session will always be sent to the same Web Policy Agent instance. This is important from the performance perspective. Each Web Policy Agent must validate the user session and evaluate applicable policies. The results are subsequently cached on the individual Web Policy Agent to improve the performance. If no load balancer persistence is set, and the same user's requests are spread across two agents, then each agent must build up its own cache. To do so, both agents must validate the session and evaluate policies. This effectively doubles the workload on the Access Manager servers, and cuts the overall system capacity by half. The problem becomes even more acute as the number of Web Policy Agents increases further.
As a general rule, in situations where each Web Policy Agent instance is protecting identical resources, some form of load balancer persistence is highly recommended for the performance reasons. The actual type of persistence may vary when a different load balancer is used, as long as it achieves the goal of sending the requests from the same user session to the same Web Policy Agent instance.
Use the following as your checklist for configuring the Web Policy Agents load balancer:
To Configure the Web Policy Agents to Work with the Web Policy Agents Load Balancer
To Verify that the Web Policy Agents Load Balancer is Working Properly
Go to URL for the Big IP load balancer login page and log in.
https://ls-f5.siroe.com
Log in using the following information:
username
password
Request an SSL Certificate for Load Balancer 11.
Log in to the BIG-IP load balancer.
Click Proxies in the left pane.
Click the Cert Admin tab, and then click the “Generate New Key Pair/ Certificate Request” button.
In the Create Certificate Request page, provide the following information:
LoadBalancer-11.siroe.com
siroe.com
LoadBalancer-11.siroe.com
jdoe@siroe.com
Click the Generate Request button.
In the Generate Request page, copy the request that looks similar to this:
-----BEGIN CERTIFICATE REQUEST----- UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0 EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0 wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0 GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo 2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2 -----END CERTIFICATE REQUEST----- |
Paste this text into a request form provided by a root certificate authority (CA) such as Verisign or Thwarte.
See the certificate authority website such as http://www.verisign.com/ or http://www.thawte.com/ for detailed instructions on submitting a certificate request.
After you receive the certificate from the issuer, install the SSL Certificate.
In the BIG-IP load balancer console, click the Cert Admin tab.
On the Cert Admin tab, click Install Certificate.
In the Install SSL Certificate page, paste the certificate text you received from the certificate issuer. Example:
-----BEGIN CERTIFICATE REQUEST----- UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0 EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0 wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0 GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo 2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2 -----END CERTIFICATE REQUEST----- |
Click Install Certificate.
Create a Pool.
A pool contains all the backend server instances.
Open the Configuration Utility.
Click “Configure your BIG-IP (R) using the Configuration Utility.”
In the left pane, click Pools.
On the Pools tab, click the Add button.
In the Add Pool dialog, provide the following information:
federation_web_agents
Round Robin
192.18.72.151:2080 (for Protected Resource 3)
192.18.72.152:2080 (for Protected Resource 4)
Click Done.
Configure the load balancer for simple persistence.
Add a Virtual Server.
If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.
In the left frame, Click Virtual Servers.
On the Virtual Servers tab, click the Add button.
In the Add Virtual Server dialog box, provide the following information:
192.18.69.14 (for LoadBalancer-11.siroe.com )
5080
Click Next.
Continue to click Next until you reach the Select Physical Resources dialog box.
federation_web_agents
In the Pool Selection dialog box, assign the Pool (federation_web_agents) that you have just created.
Click the Done button.
Create proxies.
In the left frame, click Proxies.
On the Proxies tab, click Add.
In the Add Proxy page, provide the following information:
Mark the SSL checkbox.
192.18.69.14
6443
192.18.69.14
5080
LoadBalancer-11.siroe.com
LoadBalancer-11.siroe.com
LoadBalancer-11.siroe.com
LoadBalancer-11.siroe.com
Click Done.
Add Monitors.
Click the Monitors tab, and then click the Add button.
In the Add Monitor dialog provide the following information:
WebAgent-http
Choose http.
Click Next.
In the Configure Basic Properties page, click Next.
In the Configure ECV HTTP Monitor, in the Send String field, enter the following:
GET /launch.html
Click Next.
In the Destination Address and Service (Alias) page, click Done.
On the Monitors tab, the monitor you just added is now contained in the list of monitors.
Click the Basic Associations tab.
Look for the IP addresses for ProtectedResource-3:2080 and ProtectedResourece-4:1080.
Mark the Add checkbox for ProtectedResource-3 and ProtectedResource-4.
At the top of the Node column, choose the monitor that you just added, WebAgent-http.
Click Apply.
In this procedure you modify the AMAgent.properties file. Map Protected Resource 3 and Protected Resource 4 to Load Balancer 11.
Log in as a root user to Protected Resource 3.
# cd etc/opt/SUNWam/agents/es6/ config/_opt_SUNWwbsvr_https-ProtectedResource-3.siroe.com |
Use a text editor to modify the AMAgent.properties file.
For this property:
com.sun.am.policy.agents.config.notenforced_list
append the following to the end of the value string :
http://ProtectedResource-3.siroe.com:1080/launch.html http://LoadBalancer-11.siroe.com:90/launch.html
Set the following properties:
com.sun.am.load_balancer.enable = true com.sun.am.policy.agents.config.override_protocol = true com.sun.am.policy.agents.config.override_host = true com.sun.am.policy.agents.config.override_port = true com.sun.am.policy.agents.config.agenturi.prefix = https://LoadBalancer-11.siroe.com:6443/amagent com.sun.am.policy.agents.config.fqdn.map = [LoadBalancer-11.siroe.com|LoadBalancer-11.siroe.com] com.sun.am.policy.agents.config.fqdn.default = LoadBalancer-11.siroe.com |
Save the file.
Restart Web Server 3 on Protected Resource 3.
#cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com ./stop; ./start |
Log in as a root user to Protected Resource 4.
# cd etc/opt/SUNWam/agents/es6/ config/_opt_SUNWwbsvr_https-ProtectedResource-4.siroe.com |
Use a text editor to modify the AMAgent.properties file.
For this property:
com.sun.am.policy.agents.config.notenforced_list
append the following to the end of the value string :
http://ProtectedResource-4.siroe.com:1080/launch.html http://LoadBalancer-11.siroe.com:90/launch.html
Set the following properties:
com.sun.am.load_balancer.enable = true com.sun.am.policy.agents.config.override_protocol = true com.sun.am.policy.agents.config.override_host = true com.sun.am.policy.agents.config.override_port = true com.sun.am.policy.agents.config.agenturi.prefix = https://LoadBalancer-11.siroe.com:6443/amagent com.sun.am.policy.agents.config.fqdn.map = [LoadBalancer-11.siroe.com|LoadBalancer-11.siroe.com] com.sun.am.policy.agents.config.fqdn.default = LoadBalancer-11.siroe.com |
Save the file.
Restart Web Server 4 on Protected Resource 4.
#cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com ./stop; ./start |
In a browser, go to the following URL:
https://LoadBalancer-11.siroe.com:6443/index.html
The load balancer redirects the request to the Access Manager login page.
Log in to the Access Manager console using the following information:
spuser
spuser
If the default Web Server index.html page is displayed, then the load balancer is configured properly.
Verify that Load Balancer 11 monitors are monitoring the Web Servers properly.
Log in as a root user to Protected Resource 3.
Run the tail command.
# cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com/logs # tail -f access |
If you see frequent entries similar to this one:
192.18.69.18 - - [06/Oct/2006:13:53:07 -0700] "GET /launch.html" 200 8526 |
then the custom monitor is configured properly. If you do not see "GET /launch.html", then you must troubleshoot the load balancer configuration.
Log in as root to Protected Resource 4.
Run the tail command.
# cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com/logs # tail -f access |
If you see frequent entries similar to this one:
192.18.69.18 - - [06/Oct/2006:13:53:07 -0700] "GET /launch.html" 200 8526 |
then the custom monitor is configured properly. If you do not see "GET /launch.html", then you must troubleshoot the load balancer configuration.
Use the following as your checklist for configuring the Web Policy Agents load balancer to participate in SAMLv2 protocols:
Enable the Web Policy Agents load balancer to use SAMLv2 protocols.
Verify that the Web Policy Agents load balancer uses SAMLv2 protocols.
As a root user, log in to the Protected Resource 3 host.
Go to the following directory:
/etc/opt/SUNWam/agents/es6/config/ _opt_SUNWwbsvr_https-ProtectedResource-3.siroe.com |
Make a backup of AMAgent.properties, and then set the following properties:
com.sun.am.policy.am.login.url = https://LoadBalancer-9.siroe.com:3443/federation/saml2/ jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com |
Add the following property:
com.sun.am.policy.agents.config.url.redirect.param = RelayState |
Save the file.
As a root user, log in to the Protected Resource 4 host.
Go to the following directory:
/etc/opt/SUNWam/agents/es6/config/ _opt_SUNWwbsvr_https-ProtectedResource-4.siroe.com |
Make a backup of AMAgent.properties, and then set the following properties:
com.sun.am.policy.am.login.url = https://LoadBalancer-9.siroe.com:3443/federation/saml2/ jsp/spSSOInit.jsp?metaAlias=/sp&idpEntityID=loadbalancer-3.example.com |
Add the following property:
com.sun.am.policy.agents.config.url.redirect.param = RelayState |
Save the file.
Restart the Protected Resource 3 host.
# cd /opt/SUNWwbsvr/https-ProtectedResource-3.siroe.com # ./stop; ./start |
Restart the Protected Resource 4 host.
# cd /opt/SUNWwbsvr/https-ProtectedResource-4.siroe.com # ./stop; ./start |