The Domain Administration Server (DAS) manages the cluster.
Download and unzip the appserver_v9_agent_3.zip distribution file in a directory that can be accessed by the DAS instance.
Follow the instructions described in Downloading and Unzipping the appserver_v9_agent.zip Distribution File.
Create an agent password file, as described in Creating a Password File.
Stop all GlassFish domains, instances, and node agents before starting the installation process.
Otherwise, you might lose the OpenSSO policy agent installation changes in the DAS domain.xml file.
Install the agent using the agentadmin --custom-install option, as described in Installing the Application Server and GlassFish Agent. The installer prompts you for the following values:
CONFIG_DIR is the path to the GlassFish configuration directory.
INSTANCE_NAME should be the default value server.
AM_SERVER_URL is the URL where the OpenSSO server is running. For example: http://openssohost.example.com:8080/opensso
DAS_HOST_IS_REMOTE should be false.
AGENT_URL is the agent URL. For example: http://agenthost.example.com:8090/agentapp
AGENT_ENCRYPT_KEY is the key used to encrypt the agent profile password. Use the default value or specify a new value as described in Table 1.
AGENT_PROFILE_NAME is the agent profile name. This guide uses remotecluster as the name.
AGENT_PASSWORD_FILE is the agent profile password file, which is an ASCII text file with only one line specifying the agent profile password in plain text.
CREATE_AGENT_PROFILE_NAME should be false in this scenario.
AGENT_ADMINISTRATOR_NAME should be blank, unless you have created an agent administrator.
AGENT_ADMINISTRATOR_PASSWORD_FILE should be blank, unless you have created an agent administrator and corresponding password file.
REMOTE_INSTANCE_LOCAL_DAS should be false.
AGENT_INSTANCE_NAME should be blank.
REMOTE_AGENT_INSTALL_DIR should be blank.
For an example response file for a silent installation, see Silent Agent Installation and Configuration Response File.
In the OpenSSO Console, create an agent profile, as described in Creating an Agent Profile.
For the agent profile Name (remotecluster is used in the examples), Password, Server URL, and Agent URL, use the same values you specified during the agent installation in the previous step. For Configuration, specify Centralized (the default).
The following example shows a response file named agentinstall.inf that you could use as input for a silent installation and configuration of the agent to the DAS instance. To use this file, invoke the following command:
./agentadmin --custom-install --useResponse agentinstall.inf
## Agent User Response File START OF FILE
CONFIG_DIR= /export/sun/gf2.1/domains/telco/config
INSTANCE_NAME= server
AM_SERVER_URL= http://openssohost.example.com:8080/opensso
DAS_HOST_IS_REMOTE= false
AGENT_URL= http://is-lb-2.example.com:38181/agentapp
AGENT_ENCRYPT_KEY= cW18Pj2R9Mt7mdvzDUL5+LMMUhm+qeIp
AGENT_PROFILE_NAME= remotecluster
AGENT_PASSWORD_FILE= /tmp/pass
CREATE_AGENT_PROFILE_NAME= false
AGENT_ADMINISTRATOR_NAME=
AGENT_ADMINISTRATOR_PASSWORD_FILE=
REMOTE_INSTANCE_LOCAL_DAS= false
AGENT_INSTANCE_NAME=
REMOTE_AGENT_INSTALL_DIR=
##Agent User Response File END OF FILE
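A pre-flight check for a response file like the one above, as an added example that is not part of the original guide or of agentadmin. The names parse_response, audit and EXPECTED are hypothetical, and the https and file-permission checks are hardening checks added here, not requirements stated by the guide.

```python
import os
import stat
from urllib.parse import urlparse

# Values this guide prescribes for the DAS installation scenario.
EXPECTED = {
    "INSTANCE_NAME": "server",
    "DAS_HOST_IS_REMOTE": "false",
    "CREATE_AGENT_PROFILE_NAME": "false",
    "REMOTE_INSTANCE_LOCAL_DAS": "false",
    "AGENT_INSTANCE_NAME": "",
}

# Excerpt of the guide's agentinstall.inf, used as sample input.
SAMPLE = """\
## Agent User Response File START OF FILE
INSTANCE_NAME= server
AM_SERVER_URL= http://openssohost.example.com:8080/opensso
DAS_HOST_IS_REMOTE= false
AGENT_URL= http://is-lb-2.example.com:38181/agentapp
AGENT_PASSWORD_FILE= /tmp/pass
CREATE_AGENT_PROFILE_NAME= false
REMOTE_INSTANCE_LOCAL_DAS= false
AGENT_INSTANCE_NAME=
"""

def parse_response(text):
    """Parse 'KEY= value' lines; lines starting with '#' are comments."""
    pairs = (ln.partition("=") for ln in text.splitlines()
             if "=" in ln and not ln.lstrip().startswith("#"))
    return {k.strip(): v.strip() for k, _, v in pairs}

def audit(values):
    """Return a list of findings (hypothetical checks, not an agentadmin feature)."""
    out = [f"{k}: expected {want!r}, got {values.get(k)!r}"
           for k, want in EXPECTED.items() if values.get(k) != want]
    for k in ("AM_SERVER_URL", "AGENT_URL"):
        if urlparse(values.get(k, "")).scheme != "https":
            out.append(f"{k}: not https, traffic to this URL is unencrypted")
    pw = values.get("AGENT_PASSWORD_FILE", "")
    parent = os.path.dirname(pw)
    if os.path.isdir(parent) and os.stat(parent).st_mode & stat.S_IWOTH:
        out.append(f"AGENT_PASSWORD_FILE: directory {parent} is world-writable")
    if os.path.isfile(pw) and os.stat(pw).st_mode & 0o077:
        out.append(f"AGENT_PASSWORD_FILE: {pw} is accessible to group/other")
    return out

if __name__ == "__main__":
    print("\n".join(audit(parse_response(SAMPLE))))
```

Because the password file holds the agent profile password in plain text, creating it with mode 600 in a directory only the installing user can write to clears the last two checks.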
The policy agent installer (agentadmin) makes the following changes in the DAS instance:
Adds the Java Class Path Suffix with the JAR and locale files of the agent to the domain.xml file for the server-config target only (because server was the instance name specified during the installation). This change is not made to the default-config or the agents30-config targets. This distinction is critical to make sure you properly configure the agent to protect the applications deployed on the target agents30-config. For example:
${path.separator}/export/sun/j2ee_agents/appserver_v9_agent/lib/agent.jar${path.separator}/export/sun/j2ee_agents/appserver_v9_agent/lib/openssoclientsdk.jar${path.separator}/export/sun/j2ee_agents/appserver_v9_agent/locale${path.separator}/export/sun/j2ee_agents/appserver_v9_agent/Agent_001/config
where:
/export/sun is the base directory (BASE_DIR) where you unzipped the agent distribution file (appserver_v9_agent_3.zip).
Agent_001 identifies the agent instance that was created during installation.
Adds the JVM option for the target server-config to enable policy agent logging:
-Djava.util.logging.config.file=<BASE_DIR>/j2ee_agents/appserver_v9_agent/config/OpenSSOAgentLogConfig.properties
Adds the following J2EE permissions for the agent JAR files to the server.policy file:
grant codeBase "file:<BASE_DIR>/j2ee_agents/appserver_v9_agent/lib/*" {
    permission java.security.AllPermission;
};
Adds the agent realm in config/login.conf as follows:
agentRealm {
    com.sun.identity.agents.appserver.v81.AmASLoginModule required;
};
Creates a new default authentication realm named agentRealm for the server instance.
Now, you must apply these changes to the cluster configuration so the applications deployed on the cluster can be protected by the agent.