Sun OpenSSO Enterprise Policy Agent 3.0 Guide for Sun Java System Web Proxy Server 4.0.x

Last updated April 29, 2009

The Web Proxy Server 4.0.x policy agent is a version 3.0 web agent that functions with Sun^TM OpenSSO Enterprise to protect resources deployed on Sun Java^TM System Web Proxy Server 4.0.x.

Contents

• Supported Platforms, Compatibility, and Coexistence for the Web Proxy Server 4.0.x Agent

• Pre-Installation Tasks for the Web Proxy Server 4.0.x Agent

• Installing the Web Proxy Server 4.0.x Agent

• Post-Installation Tasks for the Web Proxy Server 4.0.x Agent

• Managing the Web Proxy Server 4.0.x Agent

• Uninstalling the Web Proxy Server 4.0.x Agent

• Migrating a Version 2.2 Web Proxy Server 4.0.x Policy Agent

• Sun Microsystems Related Information

• Revision History

A version 2.2 web agent also exists for Web Proxy Server 4.0.x. However, to use the new version 3.0 web agent features, you must deploy the version 3.0 Web Proxy Server 4.0.x agent described in this guide. For general information about web policy agents, including the new features for version 3.0 agents, see the Sun OpenSSO Enterprise Policy Agent 3.0 User’s Guide for Web Agents.

Supported Platforms, Compatibility, and Coexistence for the Web Proxy Server 4.0.x Agent

• Supported Platforms for the Web Proxy Server 4.0.x Agent

• Supported Deployment Containers for the Web Proxy Server 4.0.x Agent

• Compatibility With Access Manager 7.1 and Access Manager 7 2005Q4

• Coexistence With Version 2.2 Policy Agents

Supported Platforms for the Web Proxy Server 4.0.x Agent

The Web Proxy Server 4.0.x agent is supported on these platforms:

• Solaris OS on SPARC platforms, versions 9 and 10 (32–bit systems)

• Solaris OS on x86 platforms, versions 9 and 10 (32–bit systems)

• Red Hat Enterprise Linux Advanced Server 4.0 and 5.0 (32–bit systems)

• Windows 2003, Enterprise Edition (32–bit systems)

• Windows 2003, Standard Edition (32–bit systems)

Supported Deployment Containers for the Web Proxy Server 4.0.x Agent

The agent is supported on Sun Java System Web Proxy Server 4.0.x.

Compatibility With Access Manager 7.1 and Access Manager 7 2005Q4

Access Manager 7.1 and Access Manager 7 2005Q4 are compatible with version 3.0 policy agents. However, because Access Manager 7.1 and Access Manager 7 2005Q4 do not support centralized agent configuration, a version 3.0 agent deployed with Access Manager must store its configuration data locally in the OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties files.

Coexistence With Version 2.2 Policy Agents

OpenSSO Enterprise supports both version 3.0 and version 2.2 agents in the same deployment. A version 2.2 agent, however, must continue to store configuration data locally in its AMAgent.properties file. And because the version 2.2 agent configuration data is local to the agent, OpenSSO Enterprise centralized agent configuration is not supported for version 2.2 agents. To configure a version 2.2 agent, you must continue to edit the agent's AMAgent.properties file.

For documentation about version 2.2 agents, see http://docs.sun.com/coll/1322.1.

Pre-Installation Tasks for the Web Proxy Server 4.0.x Agent

• Setting Your JAVA_HOME Environment Variable

• Downloading and Unzipping the Agent Distribution File

• Creating a Password File

• Creating an Agent Profile

• Creating an Agent Administrator

Setting Your JAVA_HOME Environment Variable

The agent installation program requires the Java Runtime Environment (JRE) 1.5 or later. Before you install the agent , set your JAVA_HOME environment variable to point to the JDK installation directory for the JDK version you are using. If you have not set this variable (or if you set it incorrectly), the program will prompt you for the correct path.

Downloading and Unzipping the Agent Distribution File

To Download and Unzip the Agent Distribution File

1. Login into the server where you want to install the agent.

2. Create a directory to unzip the agent distribution file.

3. Download and unzip the agent distribution file, depending on your platform:

   • Solaris SPARC systems (32–bit): proxy40_v40_SunOS_sparc_agent_3.zip

   • Solaris x86 systems (32–bit): proxy40_v40_SunOS_x86_agent_3.zip

   • Linux systems (32–bit): proxy40_v40_Linux_agent_3.zip

   • Windows systems (32–bit): proxy40_v40_WINNT_agent_3.zip

   These distribution files are available for download on these sites:

   • Sun Downloads: http://www.sun.com/download/index.jsp

   • OpenSSO project: https://opensso.dev.java.net/public/use/agents.html. (This agent was developed as part of the OpenSSO project.)

   The following table shows the layout after you unzip the agent distribution file. AgentHome is where you unzipped the agent distribution file.

   For the Web Proxy Server 4.0 agent, PolicyAgent-base, which is used in this guiide, is AgentHome/web_agents/proxy40_agent.

   Directory  AgentHome/web_agents/proxy40_agent	Description
   /bin	agentadmin or agentadmin.bat program certutil and crypt_util programs
   /config	Template, properties, and XML files
   /data	Empty
   /etc	Empty
   /lib	Library and JAR files
   /locale	Properties files
   /installer-logs	The audit directory contains the install.log or uninstall.log file after you install or uninstall the agent.

Creating a Password File

A password file is an ASCII text file with only one line specifying the password in clear text. By using a password file, you are not forced to expose a password at the command line during the agent installation. When you install the Web Proxy Server 4.0.x agent using the agentadmin program, you are prompted to specify paths to following password files:

• An agent profile password file is required for both the agentadmin default and custom installation options.

• An agent administrator password file is required only if you use the custom installation option and have the agentadmin program automatically create the agent profile in OpenSSO Enterprise server during the installation.

To Create a Password File

1. Create an ASCII text file for the agent profile. For example: /tmp/wps4agentpw

2. If you want the agentadmin program to automatically create the agent profile in OpenSSO Enterprise server during the installation, create another password file for the agent administrator. For example: /tmp/agentadminpw

3. Using a text editor, enter the appropriate password in clear text on the first line in each file.

4. Secure each password file appropriately, depending on the requirements for your deployment.

Creating an Agent Profile

A web agent uses an agent profile to communicate with OpenSSO Enterprise server. A version 2.2 web agent can use the default agent profile (UrlAccessAgent). For a version 3.0 agent, however, you must create an agent profile using any of these three methods:

• Use the OpenSSO Enterprise Console, as described in Creating an Agent Profile.

• Use the ssoadm command-line utility with the create-agent subcommand. For more information about the ssoadm command, see the Sun OpenSSO Enterprise 8.0 Administration Reference.

• Choose the “Option to create the agent profile in the server during installation” when you run the agentadmin program.

To Create an Agent Profile in the OpenSSO Enterprise Console

1. Login into the OpenSSO Enterprise Administration Console as amadmin.

2. Click Access Control, realm-name, Agents, and Web.

3. Under Agent, click New.

4. In the Name field, enter the name for the new agent profile.

5. Enter and confirm the Password.

   Important: This password must be the same password that you enter in the agent profile password file that you specify when you run the agentadmin program to install the agent.

6. In the Configuration field, check the location where the agent configuration properties are stored:

   • Local: In the OpenSSOAgentConfiguration.properties file on the server where the agent is installed.

   • Centralized: In the OpenSSO Enterprise server central configuration data repository.

7. In the Server URL field, enter the OpenSSO Enterprise server URL.

   For example: http://openssohost.example.com:8080/opensso

8. In the Agent URL field, enter the URL for the agent.

   For example: http://agenthost.example.com:8090/

9. Click Create.

   The console creates the agent profile and displays the WebAgent page again with a link to the new agent profile.

   To do additional configuration for the agent, click this link to display the Edit agent page. For information about the agent configuration fields, see the Console online Help.

   If you prefer, you can also use the ssoadm command-line utility to edit the agent profile. For more information, see the Sun OpenSSO Enterprise 8.0 Administration Reference.

   ---

   Tip –

   Make a note of the values you specified for the agent profile, including the profile name, password, server URL, and agent URL. You will need these values when you install the Web Proxy Server 4.0.xagent using the agentadmin program.

   ---

Creating an Agent Administrator

An agent administrator can manage agents in OpenSSO Enterprise, including:

• Agent management: Use the agent administrator to manage agents either in the OpenSSO Enterprise Console or by executing the ssoadm utility.

• Agent installation: If you install the agent using the custom installation option (agentadmin --custom-install) and want to have the installation program create the agent profile, specify the agent administrator (and password file) when you are prompted.

To Create an Agent Administrator

1. Login to OpenSSO Enterprise Console as amadmin.

2. Create a new agents administrator group:

   1. Click Access Control, realm-name, Subjects, and then Group.

   2. Click New.

   3. In ID, enter the name of the group. For example: agentadmingroup

   4. Click OK.

3. Create a new agent administrator user and add the agent administrator user to the agents administrator group:

   1. Click Access Control, realm-name, Subjects, and then User.

   2. Click New and provide the following values:

      • ID: Name of the agent administrator. For example: agentadminuser

        This is the name you will use to login to the OpenSSO Enterprise Console .

      • First Name (optional), Last Name, and Full Name.

        For simplicity, use the same name for each of these values that you specified in the previous step for ID.

      • Password (and confirmation)

      • User Status: Active

   3. Click OK.

   4. Click the new agent administrator name.

   5. On the Edit User page, click Group.

   6. Add the agents administrator group from Available to Selected.

   7. Click Save.

4. Assign read and write access to the agents administrator group:

   1. Click Access Control, realm-name, Privileges and then on the new agents administrator group link.

   2. Check Read and write access to all configured Agents.

   3. Click Save.

Next Steps

Login into the OpenSSO Enterprise Console as the new agent administrator. The only available top-level tab is Access Control. Under realm-name, you will see only the Agents tab and sub tabs.

Installing the Web Proxy Server 4.0.x Agent

• Gathering Information to Install the Web Proxy Server 4.0.x Agent

• Installing the Web Proxy Server 4.0.x Agent Using the agentadmin Program

• Considering Specific Deployment Scenarios for the Web Proxy Server 4.0.x Agent

Gathering Information to Install the Web Proxy Server 4.0.x Agent

The following table describes the information you will need to provide when you run the agentadmin program to install Web Proxy Server 4.0.x agent. For some agentadmin prompts, you can accept the default value displayed by the program, if you prefer.

Installing the Web Proxy Server 4.0.x Agent Using the agentadmin Program

Before you install the Web Proxy Server 4.0.x agent:

• The Web Proxy Server 4.0.x instance must be installed and configured on the server where you plan to install the agent. For installation information, see http://docs.sun.com/app/docs/coll/1311.10.

• An OpenSSO Enterprise server instance must be installed and running. To check the server, specify the server URL. For example: http://opensso-host.example.com:8080/opensso

• You must have downloaded and unzipped the agent distribution file, as described in Downloading and Unzipping the Agent Distribution File.

To Install the Web Proxy Server 4.0.x Agent Using the agentadmin Program

1. Log in to the server where you want to install the agent.

   Important: To install the agent, you must have write permission to the files and directories for the Web Proxy Server 4.0.x instance.

2. Stop the Web Proxy Server 4.0.x instance.

3. Change to the PolicyAgent-base/bin directory. For example:

   /opt/web_agents/proxy40_agent/bin

4. Start the agent installation. For example:

   # ./agentadmin --custom-install

   On Windows systems, run the agentadmin.bat program.

5. Enter information as requested by the agentadmin program, or accept the default values displayed by the program.

   After you have made your choices, the agentadmin program displays a summary of your responses. For example:

   -----------------------------------------------
   SUMMARY OF YOUR RESPONSES
   -----------------------------------------------
   Sun Java System Proxy Server Config Directory :
   /opt/sun/proxyserver40/proxy-server1/config 
   OpenSSO server URL : http://opensso-host.example.com:8080/opensso 
   Agent URL : http://agent-host.example.com:8090 
   Agent Profile name : WPS4Agent 
   Agent Profile Password file name : /tmp/wps4agentpw 
   
   Verify your settings above and decide from the choices below.
   1. Continue with Installation
   2. Back to the last interaction
   3. Start Over
   4. Exit
   Please make your selection [1]:

6. Verify your choices and either continue with the installation (selection 1, the default) , or make any necessary changes.

   If you continue, the program installs the agent and displays a summary of the installation. For example:

   SUMMARY OF AGENT INSTALLATION
   -----------------------------
   Agent instance name: Agent_001
   Agent Bootstrap file location:
   /opt/web_agents/proxy40_agent/Agent_001/config/OpenSSOAgentBootstrap.properties
   Agent Configuration Tag file location
   /opt/web_agents/proxy40_agent/Agent_001/config/OpenSSOAgentConfiguration.properties
   Agent Audit directory location:
   /opt/web_agents/proxy40_agent/Agent_001/logs/audit
   Agent Debug directory location:
   /opt/web_agents/proxy40_agent/Agent_001/logs/debug

7. After the installation finishes successfully, if you wish, check the installation log file in the PolicyAgent-base/installer-logs/audit directory:

8. Restart the Web Proxy Server 4.0.x instance that is being protected by the policy agent.

Example 1 Sample Installation Run for the Web Proxy Server 4.0.x Agent

************************************************************************
Welcome to the OpenSSO Policy Agent for Sun Java System Proxy Server.
************************************************************************

Enter the complete path to the directory which is used by Sun Java System Proxy
Server to store its configuration Files. This directory uniquely
identifies the Sun Java System Proxy Server instance that is secured by this
Agent.
[ ? : Help, ! : Exit ]
Enter the Sun Java System Proxy Server Config Directory Path
[/opt/sun/proxyserver40/proxy-server1/config]: 

Enter the URL where the OpenSSO server is running. Please include the
deployment URI also as shown below:
(http://opensso.sample.com:58080/opensso)
[ ? : Help, < : Back, ! : Exit ]
OpenSSO server URL: http://opensso-host.example.com:8080/opensso

Enter the Agent URL as shown below: (http://agent1.sample.com:1234)
[ ? : Help, < : Back, ! : Exit ]
Agent URL: http://agent-host.example.com:8090

Enter the Agent profile name
[ ? : Help, < : Back, ! : Exit ]
Enter the Agent Profile name: WPS4Agent

Enter the path to a file that contains the password to be used for identifying
the Agent.
[ ? : Help, < : Back, ! : Exit ]
Enter the path to the password file: /tmp/wps4agentpw

-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Sun Java System Proxy Server Config Directory :
/opt/sun/proxyserver40/proxy-server1/config 
OpenSSO server URL : http://opensso-host.example.com:8080/opensso 
Agent URL : http://agent-host.example.com:8090 
Agent Profile name : WPS4Agent 
Agent Profile Password file name : /tmp/wps4agentpw 

Verify your settings above and decide from the choices below.
1. Continue with Installation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]: 

Creating directory layout and configuring Agent file for Agent_001
instance ...DONE.

Reading data from file /tmp/wps4agentpw and encrypting it ...DONE.

Generating audit log file name ...DONE.

Creating tag swapped OpenSSOAgentBootstrap.properties file for instance
Agent_001 ...DONE.

Creating a backup for file
/opt/sun/proxyserver40/proxy-server1/config/obj.conf ...DONE.

Adding Agent parameters to
/opt/sun/proxyserver40/proxy-server1/config/obj.conf file ...DONE.


SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: Agent_001
Agent Bootstrap file location:
/opt/web_agents/proxy40_agent/Agent_001/config/
    OpenSSOAgentBootstrap.properties
Agent Configuration Tag file location
/opt/web_agents/proxy40_agent/Agent_001/config/
    OpenSSOAgentConfiguration.properties
Agent Audit directory location:
/opt/web_agents/proxy40_agent/Agent_001/logs/audit
Agent Debug directory location:
/opt/web_agents/proxy40_agent/Agent_001/logs/debug

Install log file location:
/opt/web_agents/proxy40_agent/installer-logs/audit/install.log

Thank you for using OpenSSO Policy Agent. INSTALL NOTE: Installer modifies
obj.conf file in the config directory you specified. UNINSTALL NOTE:
Uninstall removes agent settings from obj.conf file in the config directory
you specified. If there are multiple obj.conf files configured manually in
the same config directory, then please remove them manually. For more
information, please refer agent documentation.

After You Finish the Install

Agent Instance Directory: The installation program creates the following directory for each Web Proxy Server 4.0.x agent instance:

PolicyAgent-base/Agent_nnn

where nnn identifies the agent instance as Agent_001, Agent_002, and so on for each additional agent instance.

Each agent instance directory contains the following subdirectories:

• /config contains the configuration files for the agent instance, including OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties.

• /logs contains the following subdirectories

  • /audit contains local audit trail for the agent instance.

  • /debug contains the debug files for the agent instance when the agent runs in debug mode.

Considering Specific Deployment Scenarios for the Web Proxy Server 4.0.x Agent

• Configuring the Web Proxy Server 4.0.x Agent on Multiple Web Proxy Server 4.0.x Instances

• Installing Web Proxy Server 4.0.x Agent on the OpenSSO Enterprise Host Server

Configuring the Web Proxy Server 4.0.x Agent on Multiple Web Proxy Server 4.0.x Instances

After you install the Web Proxy Server 4.0.x agent for a specific Web Proxy Server 4.0.x instance, you can install the agent on another Web Proxy Server 4.0.x instance by running the agentadmin program again for that instance.

Installing Web Proxy Server 4.0.x Agent on the OpenSSO Enterprise Host Server

Installing the Web Proxy Server 4.0.x agent on the OpenSSO Enterprise host server is not supported.

Post-Installation Tasks for the Web Proxy Server 4.0.x Agent

• Setting up a Reverse Proxy for the Web Proxy Server 4.0.x Agent

• Using SSL With the Web Proxy Server 4.0.x Agent

• Setting the Web Proxy Server 4.0.x Agent dll Path in the System PATH (Windows only)

• Changing the Password for an Agent Profile (Optional)

Setting up a Reverse Proxy for the Web Proxy Server 4.0.x Agent

Although Web Proxy Server 4.0 works in both forward and reverse proxy modes, the Web Proxy Server 4.0 agent supports a Web Proxy Server 4.0 instance in reverse proxy mode only. You can configure Web Proxy Server 4.0 in reverse proxy mode using either of these methods:

• Mapping requires defining regular and reverse mappings.

• Virtual multi-hosting allows the reverse proxy server to respond to multiple DNS aliases as if a different server was installed in each of the addresses.

Choose one of these methods, depending on the requirements of your deployment. For the specific configuration steps required for each method, see the Sun Java System Web Proxy Server 4.0.10 Administration Guide.

Using SSL With the Web Proxy Server 4.0.x Agent

During the agent installation, if you specified the HTTPS protocol, the Web Proxy Server 4.0.x agent should already be configured and ready to communicate using SSL. Before continuing with the following tasks, ensure that the Web Proxy Server 4.0.x instance is configured for SSL.

• Configuring Notifications for the Web Proxy Server 4.0.x Agent for SSL

• Disabling the Default Trust Behavior of the Web Proxy Server 4.0.x Agent

• Installing the OpenSSO Enterprise Root CA Certificate for a Remote Web Proxy Server 4.0.x Instance

Configuring Notifications for the Web Proxy Server 4.0.x Agent for SSL

To Configure Notifications for the Web Proxy Server 4.0.x Agent for SSL

Before You Begin

The Web Proxy Server 4.0.x instance must be running in SSL mode and receiving notifications.

1. Add the Web Proxy Server 4.0.x CA root certificate to the OpenSSO Enterprise certificate database.

2. Mark the CA root certificate as trusted to enable OpenSSO Enterprise to send notifications to the Web Proxy Server 4.0.x instance.

Disabling the Default Trust Behavior of the Web Proxy Server 4.0.x Agent

This section applies only if OpenSSO Enterprise is using SSL. By default the Web Proxy Server 4.0.x agent does not perform certificate checking, because the following property in the agent's OpenSSOAgentBootstrap.properties configuration file is set to true:

com.sun.identity.agents.config.trust.server.certs = true

The agent trusts any server certificate sent over SSL by the OpenSSO Enterprise host. If you want the agent to perform certificate checking, follow this task.

To Disable the Default Trust Behavior of the Web Proxy Server 4.0.x Agent

1. Find the agent's OpenSSOAgentBootstrap.properties file. For example:

   /opt/web_agents/proxy40_agent/Agent_001/config/OpenSSOAgentBootstrap.properties

2. In the OpenSSOAgentBootstrap.properties file, set the following property to false:

   com.sun.identity.agents.config.trust.server.certs = false

3. In the OpenSSOAgentBootstrap.properties file, set the following SSL properties, depending on your specific deployment:

   • com.sun.identity.agents.config.sslcert.dir is the directory containing the certificate database.

   • com.sun.identity.agents.config.certdb.prefix is the certificate database prefix, if you have multiple certificate databases in the same directory.

   • com.sun.identity.agents.config.certdb.password is the certificate database password.

   • com.sun.identity.agents.config.certificate.alias is the alias.

4. Restart the Web Proxy Server 4.0.x instance.

Installing the OpenSSO Enterprise Root CA Certificate for a Remote Web Proxy Server 4.0.x Instance

The root CA certificate that you install on a remote Web Proxy Server 4.0.x instance must be the same one that is installed on the OpenSSO Enterprise host.

For the procedure to install a root CA certificate, see the Sun Java System Web Proxy Server 4.0.10 Administration Guide.

Setting the Web Proxy Server 4.0.x Agent dll Path in the System PATH (Windows only)

On Windows systems, before you restart the Web Proxy Server 4.0.x instance, set the agent dll path in the system PATH variable. Otherwise, you might get a “Configuration initialization failed” error, indicating that an agent dll file could not be found.

The system PATH variable must include drive:installation-directory\web_agents\proxy40_agent\lib.

For example: c:\v30agents\web_agents\proxy40_agent\lib

Changing the Password for an Agent Profile (Optional)

After you install the agent, you can change the agent profile password, if required for your deployment.

To Change the Password for an Agent Profile

1. On the OpenSSO Enterprise server:

   1. Login into the Administration Console as amAdmin.

   2. Click Access Control, realm-name, Agents, Web, and then the name of the agent you want to configure.

      The Console displays the Edit page for the agent profile.

   3. Enter and confirm the new unencrypted password.

   4. Click Save.

2. On the server where the Web Proxy Server 4.0.x agent is installed:

   1. In the agent profile password file, replace the old password with the new unencrypted password.

   2. Change to the PolicyAgent-base/bin directory.

   3. Encrypt the new password using the agentadmin program. For example:

      #./agentadmin --encrypt Agent_002 /tmp/wps4agentpw

      Agent_002 is the agent instance whose password you want to encrypt.

      passwd is the password file in the /tmp directory.

      The agentadmin program returns the new encrypted password. For example:

      The encrypted value is: /54GwN432q+MEnfh/AHLMA==

   4. In the agent-instance/config/OpenSSOAgentBootstrap.properties file, set the following property to the new encrypted password from the previous step. For example:

      com.sun.am.policy.am.password=/54GwN432q+MEnfh/AHLMA==

   5. Restart the Web Proxy Server 4.0.x instance that is being protected by the policy agent.

Managing the Web Proxy Server 4.0.x Agent

OpenSSO Enterprise stores version 3.0 policy agent configuration data (as well as server configuration data) in a centralized data repository. You manage this configuration data using these options:

• OpenSSO Enterprise Administration Console

  You can manage both version 3.0 J2EE and web agents from the OpenSSO Enterprise Console. Tasks that you can perform include creating, deleting, updating, listing, and displaying agent configurations. Using the Console, you can set properties for an agent that you previously set by editing the agent's AMAgent.properties file.

  For more information, refer to the Administration Console online Help.

• ssoadm command-line utility

  The ssoadm utility is the command-line interface to OpenSSO Enterprise server and is available after you install the tools and utilities in the openssoAdminTools.zip file. The ssoadm utility includes subcommands to manage policy agents, including:

  • Creating, deleting, updating, listing, and displaying agent configurations

  • Creating deleting, listing, and displaying agent groups

  • Adding and removing an agent to and from a group

  For information about the ssoadm utility, including the syntax for each subcommand, see the Sun OpenSSO Enterprise 8.0 Administration Reference.

Managing a Version 3.0 Agent With a Local Configuration

In some scenarios, you might need to deploy a version 3.0 agent using a local configuration. For example, if you deploy the agent with Access Manager 7.1 or Access Manager 7 2005Q4, which do not support centralized agent configuration, local configuration is used by default.

The following property in the OpenSSO Enterprise server Agent Service schema (AgentService.xml file) indicates that the configuration is local:

com.sun.identity.agents.config.repository.location=local

In this scenario, you must manage the version 3.0 agent by editing properties in the agent's local OpenSSOAgentConfiguration.properties file (in the same manner that you edit the AMAgent.properties file for version 2.2 agents).

A version 3.0 agent also stores configuration information in the local OpenSSOAgentBootstrap.properties file. The agent uses information in the bootstrap file to start and initialize itself and to communicate with OpenSSO Enterprise server. In most cases, you won't need to edit the bootstrap file; however, if you do edit the file, be very careful, or the agent might not function properly.

Uninstalling the Web Proxy Server 4.0.x Agent

• Preparing to Uninstall the Web Proxy Server 4.0.x Agent

• Uninstalling the Web Proxy Server 4.0.x Agent Using the agentadmin Program

Preparing to Uninstall the Web Proxy Server 4.0.x Agent

To Prepare to Uninstall Web Proxy Server 4.0.x Agent

1. Undeploy any applications protected by the Web Proxy Server 4.0.x agent.

2. Stop the Web Proxy Server 4.0.x instance, if it is running.

Uninstalling the Web Proxy Server 4.0.x Agent Using the agentadmin Program

To Uninstall the Web Proxy Server 4.0.x Agent

1. Change to the following directory:

   PolicyAgent-base/bin

2. Issue one of the following commands:

   # ./agentadmin --uninstall

   or

   # ./agentadmin --uninstallAll

   The --uninstall removes only one instance of the agent, while the --uninstallAll option prompts you to remove all configured instances of the agent.

3. The uninstall program prompts you for the Web Server configuration directory path. For example:

   /opt/sun/proxyserver40/proxy-server1/config

4. The uninstall program displays the path and then asks if you want to continue:

   To continue with the uninstallation, select 1 (the default).

Example 2 Uninstallation Sample for the Web Proxy Server 4.0.x Agent

************************************************************************
Welcome to the OpenSSO Policy Agent for Sun Java System Proxy Server.
************************************************************************

Enter the complete path to the directory which is used by Sun Java System Proxy
Server to store its configuration Files. This directory uniquely
identifies the Sun Java System Proxy Server instance that is secured by this
Agent.
[ ? : Help, ! : Exit ]
Enter the Sun Java System Proxy Server Config Directory Path
[/opt/sun/proxyserver40/proxy-server1/config]: 

-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Sun Java System Proxy Server Config Directory :
/opt/sun/proxyserver40/proxy-server1/config 

Verify your settings above and decide from the choices below.
1. Continue with Uninstallation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]: 

Deleting the config directory
/opt/web_agents/proxy40_agent/Agent_001/config
...DONE.

Removing Agent parameters from
/opt/sun/proxyserver40/proxy-server1/config/obj.conf file ...DONE.


Uninstall log file location:
/opt/web_agents/proxy40_agent/installer-logs/audit/uninstall.log

Thank you for using OpenSSO Policy Agent. INSTALL NOTE: Installer modifies
obj.conf file in the config directory you specified. UNINSTALL NOTE:
Uninstall removes agent settings from obj.conf file in the config directory
you specified. If there are multiple obj.conf files configured manually in
the same config directory, then please remove them manually. For more
information, please refer agent documentation.

After You Finish the Uninstall

• The /config directory is removed from the agent instance directory, but the /logs directory still exists.

• The uninstall program creates an uninstall log file in the PolicyAgent-base/installer-logs/audit directory.

• The agent instance directory is not automatically removed. For example, if you uninstall the agent for Agent_001, a subsequent agent installation creates the Agent_002 instance directory. To remove an agent instance directory, you must manually remove the directory.

Migrating a Version 2.2 Web Proxy Server 4.0.x Policy Agent

The version 3.0 agentadmin program includes the new --migrate option to migrate a version 2.2 agent to version 3.0. After you migrate a version 2.2 agent, the agent can use the new version 3.0 agent features.

The migration process migrates the agent's binary files, updates the agent's deployment container configuration, and converts the agent's AMAgent.properties file to the new version 3.0 OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties files.

Migrating a version 2.2 agent involves these general steps:

1. On the server where the version 2.2 agent is installed, run the version 3.0 agentadmin program with the --migrate option.

   To get the version 3.0 agentadmin program, you must download the version 3.0 agent that corresponds to the version 2.2 agent you are migrating. For example, if you are migrating the version 2.2 Web Proxy Server agent, download the version 3.0 Web Proxy Server 4.0.x agent.

2. On the OpenSSO Enterprise server, run the ssoadm utility to create the new version 3.0 agent configuration in the centralized agent configuration repository.

   Therefore, the ssoadm utility must be installed from the openssoAdminTools.zip file on the OpenSSO Enterprise server. For information, see “Installing the OpenSSO Enterprise Utilities and Scripts” in the Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.

The agentadmin program creates a new deployment directory for the migrated agent, starting with Agent_001. The program does not modify the version 2.2 agent deployment directory files, in case you need these files after you migrate.

The following procedure, the migrated version 3.0 agent instance uses a new agent profile name, which is WPS4v3Agent in the examples. The old version 2.2 and new version 3.0 agent profile passwords are the same. If you need to change the password for the new version 3.0 agent profile, see Changing the Password for an Agent Profile (Optional).

To Migrate a Version 2.2 Agent:

1. Login to the server where the version 2.2 agent is installed.

   To migrate the agent, you must have write permission to the version 2.2 agent's deployment container files and directories.

2. Stop the Web Proxy Server 4.0.x instance for the version 2.2 agent.

3. Create a directory to download and unzip the version 3.0 agent. For example: v30agent

4. Download and unzip the version 3.0 agent that corresponds to the version 2.2 agent you are migrating.

   The version 3.0 agents are available from the OpenSSO project site: https://opensso.dev.java.net/public/use/index.html

5. Change to the version 3.0 agent's /bin directory.

   For example, if you downloaded and unzipped the version 3.0 Web Proxy Server 4.0.x agent in the v30agent directory:

   cd /v30agent/web_agents/proxy40_agent/bin

6. Run the version 3.0 agentadmin program with the --migrate option. For example:

   ./agentadmin --migrate

7. When the agentadmin program prompts you, enter the path to the version 2.2 agent's deployment directory. For example:

   ...
   Enter the migrated agent's deployment directory:
   /opt/web_agents/proxy40_agent
   ...

   In this example, /opt is the directory where you downloaded and upzipped the version 2.2 agent.

   The agentadmin program migrates the version 2.2 agent.

8. Copy the Agent_nnn/config/OpenSSOAgentConfiguration.properties file to the /bin directory where ssoadm is installed on the OpenSSO Enterprise server.

9. In OpenSSOAgentConfiguration.properties, add the un-encrypted version 2.2 agent profile password at the end of the file, as follows:

   userpassword=v2.2–agent-profile-password

10. On OpenSSO Enterprise server, create a password file for the OpenSSO Enterprise administrator (amadmin).

    This password file is an ASCII text file with only one line specifying the amadmin password in plain text. For example: /tmp/amadminpw

11. On OpenSSO Enterprise server, run ssoadm to create a new agent configuration in the OpenSSO Enterprise centralized agent configuration repository. For example:

    cd tools_zip_root/opensso/bin
    ./ssoadm create-agent -b WPS4v3Agent -t WebAgent -u amadmin 
    -f /tmp/amadminpw -D ./OpenSSOAgentConfiguration.properties

    In this example:

    • tools_zip_root is the directory where you unzipped openssoAdminTools.zip.

    • WPS4v3Agent is the version 3.0 agent configuration name.

    • WebAgent is the agent type for J2EE agents.

    • /tmp/amadminpw is the path to the amadmin password file.

    Caution: After you run ssoadm, you might want to delete OpenSSOAgentConfiguration.properties from the /bin directory. This file contains sensitive information, including as the agent profile password, and the original file is maintained on the server where the agent is installed.

12. Restart the Web Proxy Server 4.0.x instance for the migrated agent.

Next Steps

After you migrate the agent, you can manage the new 3.0 agent configuration using the OpenSSO Enterprise Administration Console or the ssoadm utility, as described in Managing the Web Proxy Server 4.0.x Agent.

Sun Microsystems Related Information

• Additional Sun Resources

• Accessibility Features for People With Disabilities

• Related Third-Party Web Sites

• How to Report Problems and Provide Feedback

• Sun Welcomes Your Comments

Additional Sun Resources

You can find additional useful information and resources at the following locations:

• Sun Services: http://www.sun.com/service/consulting/

• Sun Software Products: http://wwws.sun.com/software/

• Sun Support Resources http://sunsolve.sun.com/

• Sun Developer Network (SDN): http://developers.sun.com/

• Sun Developer Services: http://www.sun.com/developers/support/

Accessibility Features for People With Disabilities

To obtain accessibility features that have been released since the publishing of this media, consult Section 508 product assessments available from Sun upon request to determine which versions are best suited for deploying accessible solutions.

For information about Sun's commitment to accessibility, visit http://sun.com/access.

Related Third-Party Web Sites

Third-party URLs are referenced in this document and provide additional, related information.

Sun is not responsible for the availability of third-party Web sites mentioned in this document. Sun does not endorse and is not responsible or liable for any content, advertising, products, or other materials that are available on or through such sites or resources. Sun will not be responsible or liable for any actual or alleged damage or loss caused by or in connection with the use of or reliance on any such content, goods, or services that are available on or through such sites or resources.

How to Report Problems and Provide Feedback

If you have questions or issues with OpenSSO Enterprise, contact Sun as follows:

• Sun Support Resources (SunSolve) services at http://sunsolve.sun.com/.

  This site has links to the Knowledge Base, Online Support Center, and ProductTracker, as well as to maintenance programs and support contact numbers.

• The telephone dispatch number associated with your maintenance contract

So that we can best assist you in resolving problems, please have the following information available when you contact support:

If you are requesting help for a problem, please include the following information:

• Description of the problem, including when the problem occurs and its impact on your operation

• Machine type, operating system version, web container and version, JDK version, and OpenSSO Enterprise version, including any patches or other software that might be affecting the problem

• Steps to reproduce the problem

• Any error logs or core dumps

Sun Welcomes Your Comments

Sun is interested in improving its documentation and welcomes your comments and suggestions. To share your comments, go to http://docs.sun.com/ and click Feedback. In the online form, provide the full document title and part number. The part number is a 7-digit or 9-digit number that can be found on the title page or in the document's URL. For example, the title of this guide is Sun OpenSSO Enterprise Policy Agent 3.0 Guide for Sun Java System Web Proxy Server 4.0.x, and the part number is 820-7797.

Revision History