Sun OpenSSO Enterprise Policy Agent 3.0 Guide for Microsoft Internet Information Services (IIS) 7.0
Gathering Information to Install and Configure the IIS 7.0 Agent
The following table describes the information you will need to provide when you install and configure the IIS 7.0 agent.
Table 2 Information Required to Install and Configure the IIS 7.0 Agent
The IIS7CreateConfig.vbs script prompts you for information and then creates the agent configuration file, which you use later to configure the IIS 7.0 agent.
You must have Administrator privileges to run the IIS7CreateConfig.vbs script.
Note: If you are deploying the IIS 7.0 agent on multiple Web sites, you must create a unique agent configuration file for each of the Web sites.
where PolicyAgent-base depends on where you unzipped the IIS 7.0 agent distribution file.
For example: C:\Agents\web_agents\iis7_agent\bin
The \bin directory contains the IIS7CreateConfig.vbs script, which you run to create the agent configuration file.
cscript IIS7CreateConfig.vbs ConfigFile
where ConfigFile is the unique name for the agent configuration file.
For example: cscript IIS7CreateConfig.vbs IIS7Config.txt
The IIS7CreateConfig.vbs script creates this file and then saves your responses to prompts about the agent host and the OpenSSO server in the file.
Agent Resource File Name: Accept the default value IIS7Resource.en (English version).
Agent URL: Specify the URL for the IIS 7.0 agent, including the port number. For example: http://agenthost.example.com:80
Web Site Identifier: Specify the unique identifier associated with the Web site for which you are creating a configuration file. Accept a value from the displayed list.
OpenSSO server URL, including the deployment URI: For example: http://ssohost.example.com:8080/opensso
Agent Profile name: For example: IIS7Agent.
Agent Profile password File: Path to the file that contains the agent profile password. For example: C:\tmp\IIS7Agentpw.txt
Example 1 Sample IIS7CreateConfig.vbs Script Run
    Microsoft (R) Windows Script Host Version 5.7
    Copyright (C) Microsoft Corporation. All rights reserved.
    Copyright c 2011 Oracle Corporation, All rights reserved
    Use is subject to license terms
    ---------------------------------------------------------
    Microsoft (TM) Internet Information Server (7.0)
    ---------------------------------------------------------
    Enter the Agent Resource File Name [IIS7Resource.en] :
    Enter the Agent URL (Example: http://agent.example.com:80) : http://agenthost.example.com:80
    Displaying the list of Web Sites and its corresponding Identifiers (id)
    SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started)
    Web Site Identifier : 1
    ------------------------------------------------
    OpenSSO Enterprise 8.0
    ------------------------------------------------
    Enter the URL where the OpenSSO server is running. Please include the deployment URI also as shown in the example (Example: http://opensso.example.com:58080/opensso):
    http://opensso.example.com:8080/opensso
    Please enter the Agent Profile name : IIS7Agent
    Enter the Agent profile password file : c:\tmp\IIS7Agentpw.txt
    -----------------------------------------------------
    Agent Configuration file created : IIS7Config.txt
    -----------------------------------------------------
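The file named at the Agent Profile password File prompt contains the agent profile password, so check who can read it before and after you run the script. The following PowerShell is an added example, not part of the Oracle guide or the agent distribution: it lists Allow entries for any principal other than Administrators and SYSTEM and, with -Fix, rewrites the ACL. The default path is the sample from this page; the function names, the -Fix switch and the English account names are assumptions.

```powershell
# Added example (not from the Oracle guide): audit the ACL on the agent
# profile password file and optionally restrict it to administrators.
param(
    [string]$PasswordFile = 'C:\tmp\IIS7Agentpw.txt',  # sample path from this page
    [switch]$Fix                                       # hypothetical switch: rewrite the ACL
)

# Assumption: English account names; only these principals keep access.
$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-UnexpectedAccess {
    param([string]$Path, [string[]]$Allowed)
    # Return every Allow entry granted to a principal outside the allow list.
    (Get-Acl -Path $Path).Access | Where-Object {
        ($_.AccessControlType -eq 'Allow') -and
        ($Allowed -notcontains $_.IdentityReference.Value)
    }
}

function Set-AdminOnlyAcl {
    param([string]$Path, [string[]]$Allowed)
    $acl = Get-Acl -Path $Path
    # Protect the ACL from inheritance and discard the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove the explicit entries, then grant FullControl to the allow list only.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }
    $ruleType = 'System.Security.AccessControl.FileSystemAccessRule'
    foreach ($name in $Allowed) {
        $rule = New-Object $ruleType -ArgumentList $name, 'FullControl', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

if (-not (Test-Path $PasswordFile)) { throw "Password file not found: $PasswordFile" }
$extra = @(Get-UnexpectedAccess -Path $PasswordFile -Allowed $Allowed)
if ($extra.Count -eq 0) {
    Write-Output "OK: only $($Allowed -join ', ') can access $PasswordFile"
} else {
    # Show who else has access; change the ACL only when -Fix was given.
    $extra | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize
    if ($Fix) { Set-AdminOnlyAcl -Path $PasswordFile -Allowed $Allowed }
}
```

Run it from an elevated PowerShell prompt, since changing the ACL requires Administrator privileges.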
The IIS7Admin.vbs script configures the IIS 7.0 agent for a specific Web site, based on an agent configuration file created by the IIS7CreateConfig.vbs script.
You must have Administrator privileges to run the IIS7Admin.vbs script.
The IIS7Admin.vbs script performs these functions:
Creates a subdirectory named Identifier_id under the web_agents\iis7_agent directory, where id is the Web site identifier. This directory contains the IIS 7.0 agent's \config and \logs directories.
Creates the OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties files for the IIS 7.0 agent using the agent configuration file created by the IIS7CreateConfig.vbs script.
Updates the Windows registry with the location of the properties file.
Adds the IIS 7.0 HTTP module to the Web site for which the agent is configured.
Note: To configure the IIS 7.0 agent for multiple Web sites, follow this procedure for each Web site, using a unique agent configuration file for each site.
where PolicyAgent-base depends on where you unzipped the IIS 7.0 agent distribution file.
For example: C:\Agents\web_agents\iis7_agent\bin
For example: cscript IIS7Admin.vbs -config IIS7Config.txt
where IIS7Config.txt is the agent configuration file that you created in Creating a Configuration File for the IIS 7.0 Agent.
Notes:
The script name and options are case-sensitive.
For the Agent Resource File Name prompt, accept the default value (IIS7Resource.en).
The IIS7Admin.vbs script displays the progress of the configuration, as shown in the following sample:
    Microsoft (R) Windows Script Host Version 5.7
    Copyright (C) Microsoft Corporation. All rights reserved.
    Copyright c 2011 Oracle Corporation, Inc. All rights reserved
    Use is subject to license terms
    Enter the Agent Resource File Name [IIS7Resource.en] :
    Creating the Agent Config Directory
    Creating the OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties File
    Updating the Windows Product Registry
    Completed Configuring the IIS 7.0 Agent
Next Steps
To view the agent log file (amAgent), see PolicyAgent-base\debug\Identifier_site-identifier\logs\debug, where site-identifier is a number such as 1 that identifies the Web site where the IIS 7.0 agent is being configured.
If the agent is installed correctly, accessing the protected resource will redirect you to the OpenSSO server login page.
After a successful authentication, you should be able to access the protected resource, if the agent is correctly defined.
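Before testing a protected resource, you can confirm that the items IIS7Admin.vbs is described as creating are present. The following PowerShell is an added example, not part of the Oracle guide or the agent distribution: for each Web site identifier it checks the Identifier_id directory, its \config and \logs subdirectories, and the two properties files. The default path is the sample from this page; the function and parameter names are assumptions.

```powershell
# Added example (not from the Oracle guide): check that the items IIS7Admin.vbs
# is described as creating exist for each configured Web site identifier.
param(
    [string]$AgentBase = 'C:\Agents\web_agents\iis7_agent',  # sample path from this page
    [string[]]$SiteId  = @('1')                               # identifiers you configured
)

function Test-AgentInstance {
    param([string]$AgentBase, [string]$SiteId)
    $instance = Join-Path $AgentBase "Identifier_$SiteId"
    $checks = @()
    foreach ($dir in 'config', 'logs') {
        $path = Join-Path $instance $dir
        $checks += New-Object PSObject -Property @{
            Site = $SiteId; Item = $path; Present = (Test-Path $path -PathType Container) }
    }
    # The guide does not say which subdirectory holds the properties files,
    # so search the whole instance directory for each one.
    foreach ($file in 'OpenSSOAgentBootstrap.properties', 'OpenSSOAgentConfiguration.properties') {
        $hit = $null
        if (Test-Path $instance) {
            $hit = Get-ChildItem -Path $instance -Recurse -Filter $file -ErrorAction SilentlyContinue |
                   Select-Object -First 1
        }
        $checks += New-Object PSObject -Property @{
            Site = $SiteId; Item = $file; Present = [bool]$hit }
    }
    $checks
}

# One report row per expected item, for every site identifier supplied.
$report = @($SiteId | ForEach-Object { Test-AgentInstance -AgentBase $AgentBase -SiteId $_ })
$report | Format-Table Site, Item, Present -AutoSize
$missing = @($report | Where-Object { -not $_.Present })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) expected item(s) missing; review the IIS7Admin.vbs output."
    exit 1
}
```

Pass several identifiers (for example -SiteId 1,2) when the agent is configured for multiple Web sites, each from its own configuration file.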
After you install the IIS 7.0 agent on a specific IIS 7.0 server, you can install the agent on another IIS 7.0 server instance by running the IIS7CreateConfig.vbs and IIS7Admin.vbs scripts again for the new server instance.
You can also just copy and edit an existing IIS 7.0 agent configuration file, providing new values for the new IIS 7.0 server instance. Then, run the IIS7Admin.vbs script using the edited agent configuration file.
The IIS7Admin.vbs script creates the OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties files for the new server instance, so you do not need to copy and edit these files manually for the new instance.
Oracle OpenSSO server is not supported on the web container. Therefore, installing the IIS 7.0 agent and OpenSSO server on the same server instance is not supported.
To protect Microsoft Office with SharePoint Server 2010 on Windows Server 2008, 64-bit systems, the IIS 7.0 agent is deployed as an ISAPI filter.
To configure the IIS 7.0 agent, you run the IIS7CreateConfig.vbs and IIS7Admin.vbs scripts and then configure the agent in OpenSSO server. To run these scripts using cscript, you must be logged in as a Windows Server 2008 Administrator who owns the execution (cmd) environment.
Note - The IIS 7.0 agent with SharePoint Server 2010 is supported with OpenSSO Enterprise 8.0 and later releases.
The IIS7CreateConfig.vbs script is in the PolicyAgent-base\bin directory. For example:
cscript IIS7CreateConfig.vbs agent-config.txt
When the script prompts you, provide values for your deployment or accept the default values:
    Microsoft (R) Windows Script Host Version 5.8
    Copyright (C) Microsoft Corporation. All rights reserved.
    Copyright c 2009, 2011, Oracle and/or its affiliates. All rights reserved.
    ---------------------------------------------------------
    Microsoft (TM) Internet Information Server (7.0)
    ---------------------------------------------------------
    Enter the Agent Resource File Name [IIS7Resource.en] :
    Enter the Agent URL (Example: http://agent.example.com:80) : http://agent.example.com:80
    Displaying the list of Web Sites and its corresponding Identifiers (id)
    SITE "Default Web Site" (id:1,bindings:http/*:80:,net.tcp/808:*,net.pipe/*,net.m
    smq/localhost,msmq.formatname/localhost,state:Stopped)
    SITE "SharePoint Web Services" (id:2,bindings:http/*:32843:,https/*:32844:,net.t
    cp/32845:*,net.pipe/*,state:Stopped)
    SITE "SharePoint Central Administration v4" (id:155768732,bindings:http/:48923:,
    state:Started)
    SITE "SharePoint - 80" (id:766968230,bindings:http/:80:,state:Started)
    Web Site Identifier : 766968230
    ------------------------------------------------
    Oracle OpenSSO Enterprise 8.0
    ------------------------------------------------
    Enter the URL where the OpenSSO server is running. Please include the deployment URI also as shown in the example (Example: http://opensso.example.com:58080/opensso):
    http://opensso.example.com:58080/opensso
    Please enter the Agent Profile name : IIS7SharePoint2010Agent
    Enter the Agent profile password file : C:\sharepointagent\password.txt
    -----------------------------------------------------
    Agent Configuration file created : agent-config.txt
    -------------------------------------------------------------------------------
The IIS7Admin.vbs script is also in the PolicyAgent-base\bin directory. For example:
cscript IIS7Admin.vbs -config agent-config.txt
java -classpath amserver.jarPath/amserver.jar com.sun.identity.common.DESGenKey
In this example, amserver.jarPath is the complete path to the amserver.jar file.
Executing the DESGenKey class returns a string as output. For example: c1QBAWv7vHk=
com.sun.identity.agents.config.replaypasswd.key = c1QBAWv7vHk=
com.sun.am.replaypasswd.key with the replay password key value. For example: c1QBAWv7vHk=
com.sun.am.sharepoint_login_attr_name with an attribute name in the user repository used by SharePoint Server 2010 to authenticate. For example: displayName
Note: Ignore any warnings after you add these keys.
Authentication Type to Basic (from the default value dsame).
Replay Password Key to the generated key (c1QBAWv7vHk= in the example).