test

Sun OpenSSO Enterprise 8.0 Administration Guide

Centralizing Agent Profiles

OpenSSO Enterprise leverages its embedded configuration data store for centralizing the storage of remote policy agent profiles and web services security related information. By moving this configuration data to OpenSSO Enterprise, an administrator can use the console or the command line interface tools to manage the properties and values. Any configuration changes to the hot-swappable properties are conveyed immediately. The following sections have more infomration on the agent profiles that can be configured.

Attribute descriptions for the agent profiles are in Chapter 5, Centralized Agent Configuration Attributes, in Sun OpenSSO Enterprise 8.0 Administration Reference.

Web Policy Agent Profile

Values for the configuration properties of a web policy agent can be defined using OpenSSO Enterprise if, during the web policy agent profile creation, centralized configuration was chosen. If local configuration was selected, the properties related to this policy agent profile must be modified directly in the OpenSSOAgentConfiguration.properties file in the agent installation directory on the agent's host machine. For detailed information on web policy agents, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents

J2EE Policy Agent Profile

Values for the configuration properties of a J2EE policy agent can be defined using OpenSSO Enterprise if, during the J2EE policy agent profile creation, centralized configuration was chosen. If local configuration was selected, the properties related to this agent must be modified directly in the OpenSSOAgentConfiguration.properites file in the agent installation directory on the agent's host machine. For detailed information on J2EE policy agents, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for J2EE Agents.

Web Service Provider Security Agent Profile

The Web Service Provider (WSP) security agent profile stores the configuration data related to validating a request from a web service client and securing the response returned by the WSP. The data includes the WSP's supported security mechanisms, keystore locations, SAML configurations and endpoints. The WSP agent profile also has a mechanism to authenticate against OpenSSO Enterprise to generate a session for the WSP. For more information, see Part IV, The Web Services Stack, Identity Services, and Web Services Security, in Sun OpenSSO Enterprise 8.0 Technical Overview.

Out of the box, wsp is the default WSP security agent profile. Additional profiles can be defined with the profile name dependant on the endpoint of the service defined in the web service provider's WSDL file. (The security agent searches based on the endpoint.) This allows multiple web service providers to use the same configuration data store. The name of the web service provider must be unique across all agents.

Caution – Caution –

The Group functionality is not supported with the Web Service Provider Security Agent Profile.

Web Service Client Security Agent Profile

The Web Service Client (WSC) security agent profile stores the configuration data related to securing a request from a WSC and validating the request when received by the WSP. The data includes the WSP's supported security mechanisms, keystore locations, SAML configurations, signing and encryption instructions, and endpoints. It also defines whether an end user token should be generated. For more information, see Part IV, The Web Services Stack, Identity Services, and Web Services Security, in Sun OpenSSO Enterprise 8.0 Technical Overview.

Out of the box, wsc is the default WSC security agent profile. Additional profiles can be defined with the profile name dependant on the service name defined in the web service client's WSDL file. (The security agent searches based on the service name.) This allows multiple web service clients to use the same configuration data store. The name of the web service client must be unique across all agents.

Caution – Caution –

The Group functionality is not supported with the Web Service Client Security Agent Profile.

STS Client Agent Profile

The Security Token Service (STS) Client agent profile stores the configuration data related to securing an outbound request to the OpenSSO Enterprise Security Token Service or Discovery Service to obtain a security token. The data includes the supported security mechanisms, keystore locations, signing and encryption instructions, and endpoints.

For more information, see Part IV, The Web Services Stack, Identity Services, and Web Services Security, in Sun OpenSSO Enterprise 8.0 Technical Overview.

Caution – Caution –

The Group functionality is not supported with the STS Client Agent Profile.

2.2 Agents

OpenSSO Enterprise is backward compatible with OpenSSO Enterprise web and J2EE Policy Agents 2.2. Policy Agents 2.2 must be configured local to the deployment container on which it is installed thus, from the OpenSSO Enterprise console, there are a limited number of options that can be configured. For more information, see Sun Java System Access Manager Policy Agent 2.2 User’s Guide.

Agent Authenticator

An agent authenticator is a type of agent that, once it is authenticated, can obtain the read-only data of agent profiles of any type (policy, security or token) for purposes of authenticating the agent. The agent profiles must be defined in the Agent Authenticator profile and exist in the same realm. Users that have the Agent Authenticator's username and password can read agent profile data, but do not have the create, update, or delete permissions of the Agent Administrator.