Sun Java System Access Manager Policy Agent 2.2 Guide for Microsoft IIS 6.0 With Outlook Web Access 2007/SharePoint 2007

Microsoft Office SharePoint and Outlook Web Access: Installing Agent for Microsoft IIS 6.0

You can use Agent for Microsoft IIS 6.0 to provide users with authenticated access to resources beyond plain web sites. Specifically, you can use this agent to protect Microsoft Office SharePoint or Outlook Web Access. However, protecting these resources requires additional configuration: you must configure Access Manager as described in the instructions that follow.

Microsoft Office SharePoint and Outlook Web Access: Preparing to Install the Agent

This section focuses on pre-installation steps required for Microsoft Office SharePoint and Outlook Web Access. First, you need to perform the pre-installation steps that apply generally to Agent for Microsoft IIS 6.0, then you need to perform the pre-installation steps specific to Microsoft SharePoint and Outlook Web Access.

To Prepare to Install the Agent

Implement the general pre-installation steps regarding Agent for Microsoft IIS 6.0 as covered in Preparing To Install Agent for Microsoft IIS 6.0 before completing the task that follows.

Microsoft SharePoint and Outlook Web Access: To Prepare for Installation

The steps described in this task are required after you perform the pre-installation steps for the basic installation on Microsoft IIS 6.0 as described in Preparing To Install Agent for Microsoft IIS 6.0.

These additional pre-installation steps deploy a post-authentication module on Access Manager. To achieve SSO with Microsoft SharePoint or Outlook Web Access using Agent for Microsoft IIS 6.0, a post-authentication module must be deployed on Access Manager.

Perform the steps in this task on the Access Manager host.

Before You Begin

Caution –

When installing Agent for Microsoft IIS 6.0 to protect Outlook Web Access, ensure before installing the agent that the user repositories in Access Manager and Microsoft Exchange Server are synchronized, so that each Access Manager user corresponds to an Exchange account.

For Outlook Web Access 2007, this synchronization is unnecessary if the Active Directory instance used by Exchange Server is also the Access Manager user repository, accessed through the Access Manager LDAP v3 plug-in.



Note –

This note serves as a reminder about the compatibility of this agent with versions of Access Manager when the agent is deployed to protect Microsoft SharePoint or Outlook Web Access. The following Access Manager versions are supported:

For more information about the compatibility of Agent for Microsoft IIS 6.0 with versions of Access Manager, see Compatibility of Policy Agent 2.2 With Specific Access Manager Versions.


The following information about Access Manager is helpful for this task:

AccessManager-base represents the Access Manager base installation directory. On Solaris systems, the default base installation directory is /opt/SUNWam.

The following is the default location of the AMConfig.properties file:

/etc/opt/SUNWam/config

  1. Set the JAVA_HOME variable to the location in which JDK binaries are installed.

  2. Run the DESGenKey class as follows:

    # java -classpath am_sdk-jar-path com.sun.identity.common.DESGenKey

    where am_sdk-jar-path is a placeholder for the path to the am_sdk.jar file.

    For example:

    java -classpath /opt/SUNWam/lib/am_sdk.jar com.sun.identity.common.DESGenKey
    
    Key ==> cIlz47oZBJs=

    The DESGenKey class prints a single Base64-encoded string after "Key ==>". This string is the DES key used to encrypt the user password that the ReplayPasswd plug-in makes available for replay to IIS, so treat it as a secret.


    Note –

    The am_sdk.jar file, which is an Access Manager JAR file, is typically found in the lib folder of the Access Manager installation, such as /opt/SUNWam/lib in a package installation or sun/webserver7/https-hostname/web-app/hostname/amserver/WEB-INF/lib in single war file installation.


  3. Add the string produced in the previous step to a newly created text file as described in the substeps that follow.

    1. Copy the string produced in the previous step.

    2. Create a file, which for this example is named des_key.txt, in a directory of your choosing.

      The des_key.txt name is used in this guide as an example. Name the file differently if you wish.

    3. Save the copied string in the des_key.txt file, and restrict the file's permissions (for example, chmod 600): anyone who can read the key can decrypt the replayed user passwords.

  4. Configure the com.sun.am.replaypasswd.key property in the AMConfig.properties configuration file as described in the substeps that follow.

    1. Open the AMConfig.properties configuration file.

    2. Add the following property to the file:

      com.sun.am.replaypasswd.key
    3. Copy the string from the des_key.txt file.

    4. Add the copied string as the value of the com.sun.am.replaypasswd.key property.

      For example, if the string in the des_key.txt file is cIlz47oZBJs=, as in the output shown in step 2, then the new property would be set as follows:

      com.sun.am.replaypasswd.key = cIlz47oZBJs=
  5. Configure a property specific to Microsoft Office SharePoint or Outlook Web Access in the AMConfig.properties file as described in the substeps that follow.

    1. Add the respective property and corresponding value to the file as indicated:

      • Microsoft Office SharePoint:

        For SharePoint, an optional property lets you specify which attribute in the Access Manager LDAP user repository (other than the default, uid) is presented to SharePoint as the login name after the user authenticates to Access Manager:

        com.sun.am.sharepoint_login_attr_name = SharePoint-login-value
        

        where SharePoint-login-value is a placeholder for the attribute in the user repository whose value SharePoint uses to authenticate the user.

        For example:

        com.sun.am.sharepoint_login_attr_name = displayName

        For example, a user has a uid of ak1234 and a displayName of andy. The user logs in to Access Manager with the uid (ak1234). The SharePoint repository, however, has a record for andy, not ak1234, and the user logs in to SharePoint as andy.

        With the property set to displayName, Access Manager maps ak1234 to andy when the user accesses the SharePoint application after authenticating with Access Manager.

        In other words, this property maps the attribute that Access Manager authenticates with to whichever user attribute SharePoint authenticates with.

      • Outlook Web Access

        Add the following property and value if you are installing the agent for Outlook Web Access.

        com.sun.am.iis_owa_enabled = true
    2. Save and close the AMConfig.properties file.

  6. Restart Access Manager.

  7. Deploy the post-authentication plug-in, ReplayPasswd, as described in the substeps that follow.

    This step requires the use of Access Manager Console.

    1. Log in to Access Manager as amadmin.

    2. With the Access Control tab selected, click the name of the realm you wish to configure.

    3. Click the Authentication tab.

    4. Click Advanced Properties.

      The Advanced Properties button is in the General section.

    5. Scroll down to the Authentication Post Processing Classes field.

    6. Add the text related to Authentication Post Processing Classes in the manner appropriate for the Access Manager version you are using:

      • Access Manager 7.0 series from Patch 7 forward

        For these patches of the Access Manager 7.0 series, execute the following substeps:

        1. In the Authentication Post Processing Classes field, enter the required text:

          com.sun.identity.authentication.spi.ReplayPasswd
      • Access Manager 7.1 series from Patch 1 forward

        For these patches of the Access Manager 7.1 series, execute the following substeps:

        1. In the Authentication Post Processing Classes section, enter the required text:

          com.sun.identity.authentication.spi.ReplayPasswd
        2. Click Add.

    7. Click Save.

    8. Click Log Out to log out of the Access Manager Console.

  8. Verify the deployment of the post-authentication plug-in, ReplayPasswd, as described in the substeps that follow.

    1. Stop Access Manager.

    2. Access the AMConfig.properties configuration file.

    3. Record the current value of the following property, then set it to message, as indicated:

      com.iplanet.services.debug.level = message

      You must change this value back to its original value at the end of this step; message-level debugging is verbose and fills the debug logs quickly.

    4. Save and close the file.

    5. Start Access Manager.

    6. Log in to Access Manager Console.

      Again use amadmin.

    7. Click Log Out to immediately log out of the Access Manager Console.

    8. Change directories to the Access Manager debug log files.

      The default location of the debug log files is /var/opt/SUNWam/debug.

    9. Verify the existence of a file named ReplayPasswd.

      The existence of this file indicates the successful deployment of the post-authentication plug-in. The file is written only when the plug-in actually runs during an authentication, which is why the login in the preceding substeps is required.

    10. Reset the debug value to its original value.

    11. Restart Access Manager.
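As an added example (not from the Sun guide), the following POSIX shell script performs the AMConfig.properties edits of steps 2 through 6 and the debug-file check of step 8 on the Access Manager host. The paths default to the Solaris locations named above; the key-file location under $HOME, the --apply flag, the set_property and get_property helpers, and the assumption that properties use "name = value" syntax are the example's own.

```shell
#!/bin/sh
# Added example, not part of the Sun guide: scripts the AMConfig.properties edits
# (steps 2 to 6) and the ReplayPasswd debug-file check (step 8).
# Assumptions (not from the guide): the default paths below, that DESGenKey prints
# one "Key ==> <value>" line, and that properties use "name = value" syntax only.
AM_BASE=${AM_BASE:-/opt/SUNWam}
AMCONFIG=${AMCONFIG:-/etc/opt/SUNWam/config/AMConfig.properties}
DEBUG_DIR=${DEBUG_DIR:-/var/opt/SUNWam/debug}
KEY_FILE=${KEY_FILE:-$HOME/des_key.txt}

# Step 2: run DESGenKey and keep only the key string that follows "Key ==> ".
gen_des_key() {
    java -classpath "$AM_BASE/lib/am_sdk.jar" com.sun.identity.common.DESGenKey \
        | sed -n 's/^Key ==> //p'
}

# set_property FILE NAME VALUE: rewrite an existing "NAME = VALUE" line or append
# one. The name is compared as an exact string, so the dots in property names are
# not treated as regex metacharacters; comment lines and other keys are untouched.
set_property() {
    _f=$1; _n=$2; _v=$3; _t="$1.tmp.$$"
    awk -v n="$_n" -v v="$_v" '
        { key = "" }
        index($0, "=") { key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key) }
        key == n { print n " = " v; found = 1; next }
        { print }
        END { if (!found) print n " = " v }' "$_f" > "$_t" && mv "$_t" "$_f"
}

# get_property FILE NAME: print the value of the last matching line ("" if absent).
get_property() {
    awk -v n="$2" '
        index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (key == n) { val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val); v = val }
        }
        END { print v }' "$1"
}

# Steps 3 to 5: write the key file owner-only, back up AMConfig.properties, then set
# the replay key and the product-specific property. MODE is "owa" or "sharepoint";
# ATTR is the SharePoint login attribute (defaults to uid, the Access Manager default).
configure_am() {
    _mode=$1; _attr=${2:-uid}
    _key=$(gen_des_key)
    [ -n "$_key" ] || { echo "DESGenKey produced no key" >&2; return 1; }
    umask 077                                   # des_key.txt holds a secret
    printf '%s\n' "$_key" > "$KEY_FILE"
    cp -p "$AMCONFIG" "$AMCONFIG.bak.$(date +%Y%m%d%H%M%S)"
    set_property "$AMCONFIG" com.sun.am.replaypasswd.key "$_key"
    case $_mode in
        owa)        set_property "$AMCONFIG" com.sun.am.iis_owa_enabled true ;;
        sharepoint) set_property "$AMCONFIG" com.sun.am.sharepoint_login_attr_name "$_attr" ;;
        *)          echo "usage: $0 --apply owa|sharepoint [login-attribute]" >&2; return 2 ;;
    esac
    echo "Restart Access Manager (step 6) for the changes to take effect."
}

# Step 8 check: after a login with debug.level=message, the plug-in leaves a
# ReplayPasswd file in the debug directory.
replaypasswd_deployed() { [ -f "$DEBUG_DIR/ReplayPasswd" ]; }

# Only act when invoked with --apply, so sourcing the file just defines functions.
if [ "${1:-}" = "--apply" ]; then
    shift
    configure_am "$@"
    if replaypasswd_deployed; then
        echo "ReplayPasswd debug file present: plug-in has run"
    else
        echo "ReplayPasswd debug file not found yet (log in with debug.level=message first)"
    fi
fi
```

Run it as `sh configure_am.sh --apply owa` or `sh configure_am.sh --apply sharepoint displayName` as the Access Manager runtime user; set_property is idempotent, so re-running it after a mistake replaces the line rather than duplicating it, and the timestamped backup lets you restore AMConfig.properties if Access Manager fails to start.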

Microsoft Office SharePoint and Outlook Web Access: Installing the Agent

Once you have completed the preceding pre-installation steps, perform the actual installation as described in Installing Agent for Microsoft IIS 6.0.