Chapter 6 Post-Installation of Policy Agent 2.2 for Sun Java System Web Server 7.0
This chapter describes configuration steps of Policy Agent 2.2 for Sun Java System Web Server 7.0.
This chapter covers the configuration of SSL with the agent. After completing the applicable tasks described in this chapter, perform the tasks to configure the web agent to your site's specific needs as explained in Chapter 7, Managing Policy Agent 2.2 for Sun Java System Web Server 7.0.
Using SSL With Agent for Sun Java System Web Server 7.0
During installation, if you choose the HTTPS protocol, Agent for Sun Java System Web Server 7.0 is automatically configured and ready to communicate over Secure Sockets Layer (SSL). Before proceeding with tasks in this section, ensure that the Sun Java System Web Server 7.0 instance is configured for SSL.
Caution – You should have a solid understanding of SSL concepts and the security certificates required to enable communication over the HTTPS protocol. See the documentation for Sun Java System Web Server 7.0.
To Configure Notification on Agent for Sun Java System Web Server 7.0 for
SSL
If Sun Java System Web Server 7.0 is running in SSL mode and is receiving notifications, first perform the following broadly defined steps:
-
Add the Sun Java System Web Server 7.0 certificate’s root CA certificate to the Access Manager’s certificate database.
-
Mark the CA root certificate as trusted to enable Access Manager to successfully send notifications to Agent for Sun Java System Web Server 7.0.
Default Trust Behavior of Agent for Sun Java System Web Server 7.0
This section only applies when Access Manager itself is running SSL. By default, the web agent installed on a remote Sun Java System Web Server 7.0 instance trusts any server certificate presented over SSL by the Access Manager host. The web agent does not check the root Certificate Authority (CA) certificate. If the Access Manager host is SSL-enabled and you want the agent to perform certificate checking, adhere to the guidelines as described in the following subsections:
Disabling the Default Trust Behavior of Agent for Sun Java System Web Server 7.0
The following property in the web agent AMAgent.properties configuration file controls the agent’s trust behavior, and by default it is set to true:
com.sun.am.trust_server_certs
To Disable the Default Trust Behavior of Agent for Sun Java System Web Server 7.0
With the property com.sun.am.trust_server_certs set to true, the web agent does not perform certificate checking. Setting this property to false is one of the steps involved in enabling the web agent to perform certificate checking as illustrated in the following task.
-
Set the following property in the web agent AMAgent.properties configuration file to false as follows:
com.sun.am.trust_server_certs = false
-
Set the directory Cert DB in the web agent AMAgent.properties configuration file.
The following is a UNIX-based example of how to set this property:
com.sun.am.sslcert.dir = /opt/SUNWam/servers/alias
-
Set the Cert DB Prefix, if required.
In cases where the specified Cert DB directory has multiple certificate databases, the following property must be set to the prefix of the certificate database to be used:
com.sun.am.certdb.prefix
Set the property as follows:
com.sun.am.certdb.prefix = https-host.domain.com.host-
Installing the Access Manager Root CA Certificate for a Remote Sun Java System Web Server 7.0 Instance
The root CA certificate that you install on the remote instance of Sun Java System Web Server 7.0 must be the same one that is installed on the Access Manager host.
To Install the Access Manager Root CA Certificate on Sun Java System Web Server 7.0
- © 2010, Oracle Corporation and/or its affiliates