Sun OpenSSO Enterprise Policy Agent 3.0 Guide for Sun Java System Web Proxy Server 4.0.x

Post-Installation Tasks for the Web Proxy Server 4.0.x Agent

Setting up a Reverse Proxy for the Web Proxy Server 4.0.x Agent

Although Web Proxy Server 4.0 works in both forward and reverse proxy modes, the Web Proxy Server 4.0 agent supports a Web Proxy Server 4.0 instance in reverse proxy mode only. You can configure Web Proxy Server 4.0 in reverse proxy mode using either of these methods:

Choose one of these methods, depending on the requirements of your deployment. For the specific configuration steps required for each method, see the Sun Java System Web Proxy Server 4.0.10 Administration Guide.

Using SSL With the Web Proxy Server 4.0.x Agent

During the agent installation, if you specified the HTTPS protocol, the Web Proxy Server 4.0.x agent should already be configured and ready to communicate using SSL. Before continuing with the following tasks, ensure that the Web Proxy Server 4.0.x instance is configured for SSL.

Configuring Notifications for the Web Proxy Server 4.0.x Agent for SSL

To Configure Notifications for the Web Proxy Server 4.0.x Agent for SSL

Before You Begin

The Web Proxy Server 4.0.x instance must be running in SSL mode and receiving notifications.

  1. Add the Web Proxy Server 4.0.x CA root certificate to the OpenSSO Enterprise certificate database.

  2. Mark the CA root certificate as trusted to enable OpenSSO Enterprise to send notifications to the Web Proxy Server 4.0.x instance.

Disabling the Default Trust Behavior of the Web Proxy Server 4.0.x Agent

This section applies only if OpenSSO Enterprise is using SSL. By default the Web Proxy Server 4.0.x agent does not perform certificate checking, because the following property in the agent's OpenSSOAgentBootstrap.properties configuration file is set to true:

com.sun.identity.agents.config.trust.server.certs = true

The agent trusts any server certificate sent over SSL by the OpenSSO Enterprise host. If you want the agent to perform certificate checking, follow this task.

To Disable the Default Trust Behavior of the Web Proxy Server 4.0.x Agent

  1. Find the agent's OpenSSOAgentBootstrap.properties file. For example:

    /opt/web_agents/proxy40_agent/Agent_001/config/OpenSSOAgentBootstrap.properties

  2. In the OpenSSOAgentBootstrap.properties file, set the following property to false:

    com.sun.identity.agents.config.trust.server.certs = false

  3. In the OpenSSOAgentBootstrap.properties file, set the following SSL properties, depending on your specific deployment:

    • com.sun.identity.agents.config.sslcert.dir is the directory containing the certificate database.

    • com.sun.identity.agents.config.certdb.prefix is the certificate database prefix, if you have multiple certificate databases in the same directory.

    • com.sun.identity.agents.config.certdb.password is the certificate database password.

    • com.sun.identity.agents.config.certificate.alias is the certificate alias.

  4. Restart the Web Proxy Server 4.0.x instance.
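The following check is an added example, not part of the original guide or of the agent's own tooling. It audits the text of an OpenSSOAgentBootstrap.properties file for the settings named in this procedure. The simplified key = value parser, the severity labels, the sample values, and the choice to warn on an empty sslcert.dir are assumptions.

```python
import os

P = "com.sun.identity.agents.config."
TRUST = P + "trust.server.certs"
CERT_DIR = P + "sslcert.dir"
OPTIONAL = [P + "certdb.prefix", P + "certdb.password", P + "certificate.alias"]

# Constructed sample inputs, not taken from a real deployment.
SAMPLE_DEFAULT = TRUST + " = true\n"
SAMPLE_CHECKING = "\n".join([
    "# constructed example",
    TRUST + " = false",
    CERT_DIR + " = /opt/example/certdb",
    P + "certdb.prefix =",
    P + "certdb.password = constructed-password",
    P + "certificate.alias = constructed-alias",
])

def parse_properties(text):
    """Simplified key = value parser; skips blank lines and #/! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(text, check_paths=False):
    """Return (severity, message) findings for the SSL trust settings."""
    props, findings = parse_properties(text), []
    trust = props.get(TRUST, "").lower()
    if trust == "true":
        findings.append(("HIGH", TRUST + " is true: any server certificate is trusted"))
    elif trust != "false":
        findings.append(("WARN", TRUST + " is missing or not true/false"))
    else:
        cert_dir = props.get(CERT_DIR, "")
        if not cert_dir:
            findings.append(("WARN", CERT_DIR + " is empty"))
        elif check_paths and not os.path.isdir(cert_dir):
            findings.append(("WARN", CERT_DIR + " does not exist: " + cert_dir))
        for name in OPTIONAL:
            if not props.get(name):
                findings.append(("INFO", name + " is empty; set it if the deployment needs it"))
    return findings

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("checking", SAMPLE_CHECKING)):
        print(label, audit(text) or "no findings")
```

Pass check_paths=True when running on the agent host itself so that the certificate database directory is also verified to exist.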

Installing the OpenSSO Enterprise Root CA Certificate for a Remote Web Proxy Server 4.0.x Instance

The root CA certificate that you install on a remote Web Proxy Server 4.0.x instance must be the same one that is installed on the OpenSSO Enterprise host.

For the procedure to install a root CA certificate, see the Sun Java System Web Proxy Server 4.0.10 Administration Guide.

Setting the Web Proxy Server 4.0.x Agent dll Path in the System PATH (Windows only)

On Windows systems, before you restart the Web Proxy Server 4.0.x instance, set the agent dll path in the system PATH variable. Otherwise, you might get a “Configuration initialization failed” error, indicating that an agent dll file could not be found.

The system PATH variable must include drive:installation-directory\web_agents\proxy40_agent\lib.

For example: c:\v30agents\web_agents\proxy40_agent\lib

Changing the Password for an Agent Profile (Optional)

After you install the agent, you can change the agent profile password, if required for your deployment.

To Change the Password for an Agent Profile

  1. On the OpenSSO Enterprise server:

    1. Log in to the Administration Console as amAdmin.

    2. Click Access Control, realm-name, Agents, Web, and then the name of the agent you want to configure.

      The Console displays the Edit page for the agent profile.

    3. Enter and confirm the new unencrypted password.

    4. Click Save.

  2. On the server where the Web Proxy Server 4.0.x agent is installed:

    1. In the agent profile password file, replace the old password with the new unencrypted password.

    2. Change to the PolicyAgent-base/bin directory.

    3. Encrypt the new password using the agentadmin program. For example:

      # ./agentadmin --encrypt Agent_002 /tmp/wps4agentpw

      Agent_002 is the agent instance whose password you want to encrypt.

      wps4agentpw is the password file in the /tmp directory.

      The agentadmin program returns the new encrypted password. For example:

      The encrypted value is: /54GwN432q+MEnfh/AHLMA==

    4. In the agent-instance/config/OpenSSOAgentBootstrap.properties file, set the following property to the new encrypted password from the previous step. For example:

      com.sun.am.policy.am.password=/54GwN432q+MEnfh/AHLMA==

    5. Restart the Web Proxy Server 4.0.x instance that is being protected by the policy agent.