Important: Perform the following tasks before you perform any other post-installation tasks for the WebSphere Application Server 6.1 agent:
Creating a New J2EE Agent Profile Role and Assigning the Role to the Agent Profile User
Creating the WebSphere Administrative Role in Access Manager
The process for creating an agent profile user for the WebSphere Application Server 6.1 agent differs from the process for other J2EE agents. If you already created an agent profile user during the pre-installation tasks, as described in Creating a J2EE Agent Profile, you must remove that user in the Access Manager Console and then recreate the agent profile user with the same user name and password.
After WebSphere global security is turned on, use this new agent profile user to stop WebSphere Application Server 6.1.
Login to the Access Manager Console.
With the Access Control tab selected, click the name of the realm for which you would like to create the agent profile.
Select the Subjects tab.
Make sure you are in the User tab.
Click New and enter values for the following fields:
ID. Enter the name or identity of the agent. This must be the same name you used in the pre-installation task. For example: agentprofileuser.
Password. Enter and then confirm the agent password.
This must be the same password you used in the pre-installation task.
User Status. Set the status of the user to Active.
Any other required fields.
Click Create.
This new internal role is specifically for the agent profile user for the WebSphere Application Server 6.1 agent. This role will allow the agent profile user to read user attributes in the user repository.
Login to the Access Manager Console.
With the Access Control tab selected, click the name of the realm for which you would like to create the agent profile role.
Select the Subjects tab and then click the Role tab.
Click New and then enter a name for the agent profile role. For example: agentprofilerole
Click Create.
Under the Role tab, click the agent profile role.
On the new page, click the User tab.
Select the agent profile user (such as agentprofileuser) under the Available field.
Click Add and then Save.
Login to the Access Manager Console.
With the Access Control tab selected, click the name of the realm where your agent profile role was created.
Click the Privileges tab.
Find and click the agent profile role. For example: agentprofilerole
On the new page, check the “Read only access to data stores” checkbox.
Click Save.
This user is the WebSphere administrative user. It will be able to log in to the WebSphere Administration Console when global security is enabled.
Login to the Access Manager Console.
With the Access Control tab selected, click the name of the realm in which you would like to create the WebSphere administrative user.
Select the Subjects tab.
Make sure you are in the User tab.
Click New and enter values for the following fields:
ID. Enter the name or identity of the user. For example: wasadmin
Password. Enter and confirm the user password.
User Status. Set the status of the user to Active.
Any other required fields.
Click Create.
Any user with this role, in addition to the primary administrative user, will be able to log in to the WebSphere Administration Console, so assign it only to users who need console access.
Login to the Access Manager Console.
With the Access Control tab selected, click the name of the realm in which you would like to create the WebSphere administrative role.
Select the Subjects tab and then click the Role tab.
Click New and enter the value for the WebSphere administrative role. For example: wasadminrole
Important: Use all lowercase characters for the role name; otherwise, WebSphere might not recognize the name.
Click Create.
On the returned page, click the WebSphere administrative role under the Role tab. For example: wasadminrole
Click the User tab.
Select the agent profile user (for example: agentprofileuser) and any other users who will be able to log in to the WebSphere Administration Console.
Click Add and then Save.
To obtain a non-expiring SSO token for the agent's self-authentication to the Access Manager server, you must set the com.sun.identity.authentication.special.users property in the AMConfig.properties file. Because sessions for the users in this list do not expire, add only the agent profile user's DN alongside the entries that are already present.
In the AMConfig.properties file for the Access Manager server, edit the following property to include the distinguished name (DN) of the agent profile user. Use the legacy SDK DN and not the universal ID of the user. Entries are separated by the | character with no surrounding whitespace. For example:
com.sun.identity.authentication.special.users=cn=dsameuser,ou=DSAME Users,dc=sun,dc=com|cn=amService-UrlAccessAgent,ou=DSAME Users,dc=sun,dc=com|uid=dmgr,ou=people,dc=sun,dc=com|uid=agentprofileuser,ou=people,dc=sun,dc=com
To find the DN of the user, use ldapsearch with ou=people,ROOT_SUFFIX as the search base and (|(uid=agentprofileuser)(cn=agentprofileuser)) as the filter, and copy the returned DN exactly.
After you edit the AMConfig.properties file, restart the Access Manager server.
In a deployment with multiple Access Manager servers, you must set the com.sun.identity.authentication.special.users property in the AMConfig.properties file of each Access Manager server, and restart each of them.
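The procedure above (look up the agent profile user's DN, add it to com.sun.identity.authentication.special.users on every Access Manager server, restart) is a plain-text edit in which a duplicated entry or stray whitespace around the | separator is easy to introduce, as the wrapped example value shows. The following POSIX shell script is an added example written for this page; it is not part of the Sun Access Manager product or its documentation. It looks up the DN with ldapsearch (OpenLDAP-style client flags are assumed, since the page does not name a client), adds the DN to the property only if it is not already present, normalises whitespace around the separators, and leaves every other line of AMConfig.properties untouched. The file path, LDAP URL, bind DN and the sample property content in the usage are assumptions.

```shell
#!/bin/sh
# Added example for this page (not Sun Access Manager code): maintain the
# com.sun.identity.authentication.special.users list in AMConfig.properties.
# Assumptions: the property sits on one line, uses '=' as the separator, and
# DNs contain no backslash escapes (awk -v would reinterpret them).

PROP="com.sun.identity.authentication.special.users"

# Look up the user's DN as the page describes: base ou=people,ROOT_SUFFIX and
# filter (|(uid=NAME)(cn=NAME)). OpenLDAP ldapsearch flags are an assumption;
# 1.1 requests no attributes so only the "dn:" line comes back. -W prompts for
# the bind password.
find_user_dn() {
    # $1 = user name, $2 = ROOT_SUFFIX, $3 = LDAP URL, $4 = bind DN
    ldapsearch -x -LLL -H "$3" -D "$4" -W -b "ou=people,$2" \
        "(|(uid=$1)(cn=$1))" 1.1 | sed -n 's/^dn: //p'
}

# Print the raw value of the property (empty if the property is absent).
special_users_value() {
    # $1 = path to AMConfig.properties
    awk -v prop="$PROP" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, prop) == 1 {
            rest = substr(line, length(prop) + 1)
            if (rest ~ /^[ \t]*=/) {
                sub(/^[ \t]*=[ \t]*/, "", rest); sub(/[ \t]+$/, "", rest)
                print rest; exit
            }
        }' "$1"
}

# Print one DN per line with surrounding whitespace removed.
list_special_users() {
    special_users_value "$1" | tr '|' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | sed '/^$/d'
}

# Exit status 0 if the exact DN is already listed.
has_special_user() {
    # $1 = file, $2 = DN
    list_special_users "$1" | grep -Fx -- "$2" >/dev/null
}

# Append the DN unless present; rewrite the property line with clean '|'
# separators; create the property if missing; keep all other lines as they are.
# The file is overwritten in place with cat so ownership and mode survive.
add_special_user() {
    _f="$1"; _dn="$2"; _new="${_f}.new.$$"
    awk -v prop="$PROP" -v dn="$_dn" '
        BEGIN { done = 0 }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            if (!done && index(line, prop) == 1) {
                rest = substr(line, length(prop) + 1)
                if (rest ~ /^[ \t]*=/) {
                    sub(/^[ \t]*=/, "", rest)
                    n = split(rest, parts, "[|]")
                    out = ""; found = 0
                    for (i = 1; i <= n; i++) {
                        p = parts[i]; gsub(/^[ \t]+|[ \t]+$/, "", p)
                        if (p == "") continue
                        if (p == dn) found = 1
                        out = out (out == "" ? "" : "|") p
                    }
                    if (!found) out = out (out == "" ? "" : "|") dn
                    print prop "=" out
                    done = 1
                    next
                }
            }
            print
        }
        END { if (!done) print prop "=" dn }
    ' "$_f" > "$_new" && cat "$_new" > "$_f" && rm -f "$_new"
}

# Usage on each Access Manager server (paths and DN are assumptions), then
# restart the server:
#   sh special_users.sh /opt/SUNWam/lib/AMConfig.properties \
#       'uid=agentprofileuser,ou=people,dc=sun,dc=com'
if [ "$#" -eq 2 ]; then
    add_special_user "$1" "$2"
    list_special_users "$1"
fi
```

Run the script once per Access Manager server in the deployment and restart each server afterwards; a second run is harmless because the DN is matched exactly and not appended twice.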