Technical Note: Sun Java System Access Manager Cross-Domain Single Sign-On

Configuring the J2EE Agent for CDSSO

For J2EE agents, the CDSSO Redirect Servlet is also deployed but disabled by default. No special steps are required during agent installation. After the installation, you should see the following default CDSSO processing properties in the AMAgent.properties file:


com.sun.identity.agents.config.cdsso.enable = false
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet

Note –

The URL https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet points to the CDC servlet on the Access Manager. The Access Manager protocol, host and port are supplied during agent installation, and the installer derives the two properties cdcservlet.url[0] and trusted.id.provider[0] from them. Each property value must be on a single line in AMAgent.properties.


If a J2EE agent resides in the same DNS domain as the Access Manager, CDSSO is not necessary and should be disabled. Check AMAgent.properties and ensure this property value remains the default "false": com.sun.identity.agents.config.cdsso.enable = false.

If a J2EE agent resides in a different DNS domain than the Access Manager, CDSSO can be enabled like this:


com.sun.identity.agents.config.cdsso.enable = true
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet

If multiple Access Manager instances are behind a load balancer, the CDC servlet URL of each individual Access Manager instance must be added to the trusted ID provider list. The agent's CDSSO Redirect Servlet consults this list when it receives the AuthnResponse, and the issuer it checks is the individual instance that processed the request, not the load balancer. If an instance's CDC servlet URL is not in the list, the agent rejects the AuthnResponse from that untrusted provider with an error like this:


ERROR: LibertyAuthnResponseHandler : Response received from an untrusted provider - https://ide-14.red.iplanet.com:443/amserver/cdcservlet

For example, if ide-14 and ide-15 are two SSL-enabled Access Manager instances behind the load balancer am-pool0.red.iplanet.com:8443, the agent CDSSO configuration should look like this:


com.sun.identity.agents.config.cdsso.enable = true
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.trusted.id.provider[1] = https://ide-14.red.iplanet.com:443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.trusted.id.provider[2] = https://ide-15.red.iplanet.com:443/amserver/cdcservlet

Strictly speaking, the load balancer's URL does not need to be in the trusted provider list, because the AuthnResponse names the individual instance that issued it (as the error message above shows), not the load balancer. The agent installer adds the load balancer URL anyway, deriving it from the Access Manager host, port and URL detected during installation, and leaving it in the list does no harm.
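The following script is an added example, not part of this technical note or of the Access Manager agent distribution. It reads the CDSSO section of AMAgent.properties, reports which backend instances behind the load balancer are missing from the trusted provider list, extracts the rejected issuer URL from the agent's "untrusted provider" error message, and builds the trusted.id.provider[n] line to add. The properties text and the log line are constructed samples built from the hostnames used in this note; the property names are the ones shown above, and the agent is assumed to compare provider URLs as literal strings, so entries are matched character for character.

```python
import re
from typing import Dict, List, Optional, Tuple

PREFIX = "com.sun.identity.agents.config.cdsso."
TRUSTED = PREFIX + "trusted.id.provider"
CDC_URL = PREFIX + "cdcservlet.url"

# Constructed sample: the load-balanced configuration from this note with the
# ide-15 instance deliberately left out of the trusted provider list.
SAMPLE_PROPS = """\
# CDSSO section of AMAgent.properties (constructed sample)
com.sun.identity.agents.config.cdsso.enable = true
com.sun.identity.agents.config.cdsso.redirect.uri = /agentapp/sunwCDSSORedirectURI
com.sun.identity.agents.config.cdsso.cdcservlet.url[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.clock.skew = 0
com.sun.identity.agents.config.cdsso.trusted.id.provider[0] = https://am-pool0.red.iplanet.com:8443/amserver/cdcservlet
com.sun.identity.agents.config.cdsso.trusted.id.provider[1] = https://ide-14.red.iplanet.com:443/amserver/cdcservlet
"""

# Constructed sample of the rejection the agent logs for the missing instance.
SAMPLE_LOG = ("ERROR: LibertyAuthnResponseHandler : Response received from an "
              "untrusted provider - https://ide-15.red.iplanet.com:443/amserver/cdcservlet")

UNTRUSTED_RE = re.compile(r"Response received from an untrusted provider\s*-\s*(\S+)")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key = value' pairs, '#'/'!' comments.
    Values are kept verbatim apart from surrounding whitespace, because the
    trusted provider entries are matched as literal URL strings."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def indexed_entries(props: Dict[str, str], base: str) -> List[Tuple[int, str]]:
    """Return (index, value) pairs for base[0], base[1], ... sorted by index;
    gaps in the numbering are tolerated."""
    pat = re.compile(re.escape(base) + r"\[(\d+)\]$")
    found: List[Tuple[int, str]] = []
    for key, value in props.items():
        m = pat.match(key)
        if m:
            found.append((int(m.group(1)), value))
    return sorted(found)


def check_cdsso(text: str, instance_cdc_urls: List[str]) -> Dict[str, object]:
    """Compare the agent's trusted provider list with the CDC servlet URL of
    every Access Manager instance behind the load balancer. The agent prints
    the rejected issuer verbatim, so a list entry must match it exactly."""
    props = parse_properties(text)
    trusted = [v for _, v in indexed_entries(props, TRUSTED)]
    cdc_urls = [v for _, v in indexed_entries(props, CDC_URL)]
    return {
        "enabled": props.get(PREFIX + "enable", "false").lower() == "true",
        "clock_skew": int(props.get(PREFIX + "clock.skew", "0")),
        "missing": [u for u in instance_cdc_urls if u not in trusted],
        "cdc_url_trusted": all(u in trusted for u in cdc_urls),
    }


def untrusted_provider_from_log(line: str) -> Optional[str]:
    """Extract the rejected issuer URL from the agent's error message so the
    exact string can be appended to the trusted provider list."""
    m = UNTRUSTED_RE.search(line)
    return m.group(1) if m else None


def property_line_to_add(text: str, provider_url: str) -> str:
    """Build the next free trusted.id.provider[n] line for a rejected provider."""
    entries = indexed_entries(parse_properties(text), TRUSTED)
    next_index = (entries[-1][0] + 1) if entries else 0
    return f"{TRUSTED}[{next_index}] = {provider_url}"


if __name__ == "__main__":
    instances = ["https://ide-14.red.iplanet.com:443/amserver/cdcservlet",
                 "https://ide-15.red.iplanet.com:443/amserver/cdcservlet"]
    print(check_cdsso(SAMPLE_PROPS, instances))
    rejected = untrusted_provider_from_log(SAMPLE_LOG)
    if rejected:
        print("add to AMAgent.properties:", property_line_to_add(SAMPLE_PROPS, rejected))
```

Run it against the real AMAgent.properties and the list of backend CDC servlet URLs whenever an instance is added to the pool; the "missing" entries are exactly the providers whose AuthnResponses the agent would reject.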

The clock skew value (in seconds) compensates for minor system clock drift between the agent and the Access Manager instances. Keep it as small as possible: every second of allowed skew widens the window in which a stale AuthnResponse is still accepted. Even with this parameter available, synchronize the system clocks of the Access Manager servers and the policy agents with an NTP service.