Sun OpenSSO Enterprise Policy Agent 3.0 Guide for Microsoft Internet Information Services (IIS) 7.0
Supported Platforms, Compatibility, and Coexistence for the IIS 7.0 Agent
Supported Platforms for the IIS 7.0 Agent
Compatibility With Access Manager 7.1 and Access Manager 7 2005Q4
Coexistence With Version 2.2 Policy Agents
Pre-Installation Tasks for the IIS 7.0 Agent
Meeting the Requirements for the IIS 7.0 Agent
Downloading and Unzipping the IIS 7.0 Agent Distribution File
To Download and Unzip the IIS 7.0 Agent Distribution File
To Create an Agent Profile in the Oracle OpenSSO Console
Creating an Agent Administrator (Optional)
To Create an Agent Administrator in the OpenSSO Console
Gathering Information to Install and Configure the IIS 7.0 Agent
Installing and Configuring the IIS 7.0 Agent
Creating a Configuration File for the IIS 7.0 Agent
Configuring the IIS 7.0 Agent for a Web Site
Verifying an IIS 7.0 Agent Installation
Considering Specific Deployment Scenarios for the IIS 7.0 Agent
Installing the IIS 7.0 Agent on Multiple IIS 7.0 Servers
Installing the IIS 7.0 Agent on the OpenSSO Host Server
To Install and Configure the IIS 7.0 Agent With Office SharePoint Server 2010
Post-Installation Tasks for the IIS 7.0 Agent
Creating and Adding Logout URLs in a CDSSO Deployment
To Create the Logout URL Pages
To Add the Logout URLs in the OpenSSO Console
Using SSL With the IIS 7.0 Agent (Optional)
Installing the OpenSSO Root CA Certificate on the IIS 7.0 Agent
Disabling the Trust Behavior for the IIS 7.0 Agent
Managing a Version 3.0 Agent With a Centralized Configuration
Managing a Version 3.0 Agent With a Local Configuration
Uninstalling the IIS 7.0 Agent
To Uninstall the IIS 7.0 Agent
If Cross-Domain Single Sign-On (CDSSO) is enabled for the agent, the session cookie is set in the agent's own domain, and a browser clears a cookie only on instruction from the domain that set it. The OpenSSO server's logout URL therefore cannot clear the cookies in the agent domain, so you must create two logout pages as IIS 7.0 resources, for example:
http://agenthost.example.com:port/logout.html
http://agenthost.example.com:port/logout2.html
Then, in the agent profile in the OpenSSO Console, point the agent's logout settings at these pages:
Logout URL: http://agenthost.example.com:port/logout.html
Logout Redirect URL: http://agenthost.example.com:port/logout2.html
Both pages must be reachable without a session (add them to the agent's Not Enforced URLs list): the agent clears its cookie on a request to the Logout URL and then redirects the browser to the Logout Redirect URL, and if that page were protected the redirect would simply start a new login.
Next Steps
The logout links in an application deployed on the IIS 7.0 instance should invoke the Logout URL configured in this procedure (logout.html), not the OpenSSO server's own logout page.
If you specify the https protocol for the OpenSSO server URL during the IIS 7.0 agent installation, the agent is configured to communicate with the OpenSSO server over Secure Sockets Layer (SSL). By default, however, it accepts whatever server certificate the OpenSSO host presents (see Disabling the Trust Behavior for the IIS 7.0 Agent). To make the agent actually verify the server's certificate, complete these tasks:
The root CA certificate that you install in the IIS 7.0 agent's certificate database must be the root CA that issued the SSL server certificate installed on the OpenSSO host server; a different CA, even a valid one, leaves the agent unable to validate the connection.
Oracle provides the Certificate Database Tool, certutil.exe, in the IIS 7.0 agent distribution file, to manage the root CA certificate and the certificate database.
For information about using certutil.exe, see http://www.mozilla.org/projects/security/pki/nss/tools/certutil.html.
After you unzip the IIS 7.0 agent distribution file, certutil.exe is available in the PolicyAgent-base\bin directory.
For example: C:\Agents\web_agents\iis7_agent\bin\certutil.exe
Create the certificate database directory, change to the agent's bin directory, and create the database:
mkdir C:\Agents\web_agents\iis7_agent\cert
cd C:\Agents\web_agents\iis7_agent\bin
certutil.exe -N -d ..\cert
where cert is the name of the certificate database directory.
When prompted, enter and confirm the password that will be used to encrypt the keys in the database. You need this password again for the com.sun.identity.agents.config.certdb.password property.
With the root CA certificate file (root_ca.crt here) placed in the cert directory, add it to the database as a trusted CA:
certutil.exe -A -n am_root_ca_cert -t "C,C,C" -d ..\cert -i ..\cert\root_ca.crt
where:
am_root_ca_cert is the nickname under which the OpenSSO root CA certificate is stored in the database.
root_ca.crt is the root CA certificate file in binary (DER) encoding. If the file is Base64/PEM encoded (it starts with -----BEGIN CERTIFICATE-----), add the -a option so that certutil.exe reads it as ASCII.
The trust flags "C,C,C" mark the certificate as a trusted CA for SSL, S/MIME, and object signing respectively; only the first (SSL) position matters to the agent.
Verify that the certificate was added by listing the database contents from the agent's bin directory:
cd C:\Agents\web_agents\iis7_agent\bin
certutil.exe -L -d ..\cert
You should see the nickname of the root CA certificate with its trust flags. For example:
am_root_ca_cert C,C,C
To display the certificate itself (issuer, subject, validity dates) and confirm it is the right CA, run certutil.exe -L -d ..\cert -n am_root_ca_cert.
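As an added example (not part of the agent distribution or of this guide), the following Python helpers cover the two points in the steps above without invoking certutil.exe: they choose the certutil -A arguments depending on whether root_ca.crt is DER or PEM, and they parse a pasted certutil -L listing to confirm that the root CA carries the C (trusted CA) flag in the SSL position. The listing text and the nickname some_peer_cert are constructed for the example; am_root_ca_cert and the paths are the ones used above.

```python
"""Added example: offline helpers for the certutil.exe steps in this section.
These are not part of the OpenSSO agent distribution, and nothing here runs
certutil.exe: the functions build the exact argument list the import step
needs and check a pasted `certutil -L` listing, so they run anywhere."""

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed sample of what "certutil.exe -L -d ..\cert" prints after the import.
# The second entry (some_peer_cert) is invented to show a non-CA trust setting.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

am_root_ca_cert                                              C,C,C
some_peer_cert                                               P,,
"""


def certutil_add_args(cert_bytes, nickname="am_root_ca_cert",
                      certdb_dir=r"..\cert", cert_file=r"..\cert\root_ca.crt"):
    """Argument list for importing the root CA with certutil -A.

    certutil -A reads binary (DER) input unless -a is given, so a PEM file
    imported without -a fails or stores garbage. The PEM case is detected
    from the file contents rather than the extension, which is unreliable.
    "C,C,C" marks the certificate as a trusted CA for SSL, S/MIME and object
    signing; only the first (SSL) position matters for the agent.
    """
    args = ["certutil.exe", "-A", "-n", nickname, "-t", "C,C,C",
            "-d", certdb_dir, "-i", cert_file]
    if cert_bytes.lstrip().startswith(PEM_HEADER):
        args.append("-a")  # -a: input is ASCII (Base64/PEM) rather than DER
    return args


def parse_certutil_list(listing):
    """Parse the table printed by `certutil -L -d <dir>` into {nickname: trust}.

    The output is a two-line header (column titles, then "SSL,S/MIME,JAR/XPI"),
    a blank line, then one line per certificate: nickname, padding, trust
    triple. Nicknames may contain spaces, so the trust field is taken from the
    end of the line.
    """
    certs = {}
    for line in listing.splitlines():
        line = line.rstrip()
        if (not line or line.startswith("Certificate Nickname")
                or line.lstrip().startswith("SSL,S/MIME")):
            continue
        head, sep, tail = line.rpartition(" ")
        if not sep:            # no trust column at all
            certs[tail] = ""
        else:
            certs[head.strip()] = tail.strip()
    return certs


def root_ca_trusted_for_ssl(listing, nickname="am_root_ca_cert"):
    """True only if nickname is in the listing and its SSL trust field contains
    "C" (trusted CA), which is what the agent needs to validate the server
    certificate. A missing nickname or a peer-only flag ("P") is a failure."""
    trust = parse_certutil_list(listing).get(nickname)
    if trust is None:
        return False
    return "C" in trust.split(",")[0]


if __name__ == "__main__":
    print(" ".join(certutil_add_args(b"\x30\x82\x04\x10")))       # DER: no -a
    print(" ".join(certutil_add_args(PEM_HEADER + b"\nMIIB...")))  # PEM: adds -a
    print("root CA trusted for SSL:", root_ca_trusted_for_ssl(SAMPLE_LISTING))
```

Paste the real output of certutil.exe -L -d ..\cert into root_ca_trusted_for_ssl to turn the visual check above into a pass/fail step for an installation script.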
By default, the IIS 7.0 agent installed on a remote IIS 7.0 server trusts any server certificate presented over SSL by the OpenSSO server host, so the agent cannot tell the real OpenSSO server from a host on the network path impersonating it with an arbitrary certificate. For the IIS 7.0 agent to perform certificate checking, you must disable this trust behavior by setting the following properties in the agent's bootstrap file:
C:\Agents\web_agents\iis7_agent\config\OpenSSOAgentBootstrap.properties
Note: These properties have new names for version 3.0 web agents.
Disable the option to trust the server certificate sent over SSL by the OpenSSO host server:
com.sun.identity.agents.config.trust.server.certs = false
Specify the certificate database directory.
com.sun.identity.agents.config.sslcert.dir = path-to-cert-database
For example:
com.sun.identity.agents.config.sslcert.dir = C:/Agents/web_agents/iis7_agent/cert
If the certificate database directory has multiple certificate databases, set the following property to the prefix of the database you want to use. For example:
com.sun.identity.agents.config.certdb.prefix = prefix-
Specify the certificate database password (the password you entered when you created the database with certutil.exe -N):
com.sun.identity.agents.config.certdb.password = password
Specify the certificate alias, that is, the nickname of the agent's own certificate in the database, for deployments where the agent presents a client certificate to the OpenSSO server:
com.sun.identity.agents.config.certificate.alias = alias-name
Because this file holds the certificate database password and the agent's encrypted profile password, restrict its NTFS permissions to the account that runs IIS 7.0 and to administrators.
The agent uses the information in the OpenSSOAgentBootstrap.properties file to start and initialize itself and to communicate with the OpenSSO server, including the agent profile name and password with which it authenticates to the server.
Changing the agent profile password is optional. After you install the agent, you can change the password if your deployment requires it. Change it first in the agent profile in the OpenSSO Console (the Console displays the Edit page for the agent profile, where you enter the new password), and then update the agent's bootstrap file so that both sides use the same password:
cd C:\Agents\web_agents\iis7_agent\bin
cryptit.exe C:\tmp\IIS7Agentpw.txt encryption-key
where:
C:\tmp\IIS7Agentpw.txt is a text file that contains the new agent profile password in clear text (delete it when you have finished).
encryption-key can be either the existing key value from the com.sun.identity.agents.config.key property in the IIS 7.0 agent's OpenSSOAgentBootstrap.properties file or a new encryption key value. A new key value must be a minimum of eight alphanumeric characters.
The cryptit.exe program returns the new encrypted password. For example:
/54GwN432q+MEnfh/AHLMA==
Set the following property to the new encrypted password from the previous step. For example:
com.sun.identity.agents.config.password=/54GwN432q+MEnfh/AHLMA==
If you specified a new encryption key value in the previous step, set the following property to this new key value. The agent decrypts com.sun.identity.agents.config.password with com.sun.identity.agents.config.key, so the two properties must always be updated together:
com.sun.identity.agents.config.key=new-key-value
Finally, delete the clear-text password file and restart IIS 7.0 so that the agent re-reads the bootstrap file.
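The following Python script is an added example, not part of the agent distribution or of this guide. It serves two passages: it checks a bootstrap file for the SSL properties from Disabling the Trust Behavior for the IIS 7.0 Agent (trust.server.certs, sslcert.dir, certdb.password), and it rewrites config.password and config.key together, as the password-change procedure above requires. It does not run cryptit.exe; you pass in the value that cryptit.exe printed. The file contents, the agent name iis7agent and the key values are constructed; the property names are the version 3.0 names from this guide.

```python
"""Added example: offline checks and an atomic edit for the agent's
OpenSSOAgentBootstrap.properties. Not part of the OpenSSO agent distribution;
it does not run cryptit.exe, you pass in the value cryptit.exe printed."""

import os
import tempfile

PREFIX = "com.sun.identity.agents.config."

# Constructed sample of a freshly installed bootstrap file (not the real
# template): SSL is on, but the default trust behavior is still in place.
SAMPLE_BOOTSTRAP = """\
# constructed sample, not the agent's own template
com.sun.identity.agents.config.naming.url = https://opensso.example.com:8443/opensso/namingservice
com.sun.identity.agents.config.username = iis7agent
com.sun.identity.agents.config.password = oldEncryptedValue==
com.sun.identity.agents.config.key = oldkey123
com.sun.identity.agents.config.trust.server.certs = true
com.sun.identity.agents.config.sslcert.dir =
com.sun.identity.agents.config.certdb.password =
"""


def parse_properties(text):
    """Minimal Java-properties reader: key = value per line, # comments ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_ssl_settings(text):
    """Findings for the agent-to-server SSL settings; an empty list means OK.

    trust.server.certs=true (the default) makes the agent accept any
    certificate from the OpenSSO host, so anyone on the network path can
    impersonate the server to the agent. The other two checks catch a
    half-finished fix that would stop the agent from opening its database.
    """
    p = parse_properties(text)
    findings = []
    trust = p.get(PREFIX + "trust.server.certs", "true").lower()
    if trust != "false":
        findings.append("trust.server.certs is not false: server certificate is never validated")
    if not p.get(PREFIX + "sslcert.dir"):
        findings.append("sslcert.dir is empty: no certificate database to validate against")
    if trust == "false" and not p.get(PREFIX + "certdb.password"):
        findings.append("certdb.password is empty: agent cannot open the certificate database")
    return findings


def set_agent_credentials(text, encrypted_password, new_key=None):
    """Return the file text with config.password, and optionally config.key, replaced.

    The encrypted password only decrypts under the key it was produced with,
    so a new key is written only together with a password encrypted by it.
    Keys shorter than eight alphanumeric characters are rejected, per the
    guide. Every other line is kept byte for byte.
    """
    if new_key is not None and (len(new_key) < 8 or not new_key.isalnum()):
        raise ValueError("encryption key must be at least eight alphanumeric characters")
    updates = {PREFIX + "password": encrypted_password}
    if new_key is not None:
        updates[PREFIX + "key"] = new_key
    out, seen = [], set()
    for raw in text.splitlines():
        key = raw.partition("=")[0].strip()
        if key in updates:
            out.append(f"{key}={updates[key]}")
            seen.add(key)
        else:
            out.append(raw)
    for key in sorted(updates.keys() - seen):   # property missing: append it
        out.append(f"{key}={updates[key]}")
    return "\n".join(out) + "\n"


def write_atomically(path, text):
    """Write through a temp file in the same directory and rename over the
    original, so a crash mid-write cannot leave a truncated bootstrap file
    that the agent would fail to start from."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)), prefix=".bootstrap-")
    with os.fdopen(fd, "w", encoding="utf-8", newline="\n") as f:
        f.write(text)
    os.replace(tmp, path)


def hardened_sample():
    """SAMPLE_BOOTSTRAP with the settings from Disabling the Trust Behavior applied."""
    return (SAMPLE_BOOTSTRAP
            .replace("trust.server.certs = true", "trust.server.certs = false")
            .replace("sslcert.dir =", "sslcert.dir = C:/Agents/web_agents/iis7_agent/cert")
            .replace("certdb.password =", "certdb.password = certdb-secret"))


if __name__ == "__main__":
    for finding in check_ssl_settings(SAMPLE_BOOTSTRAP):
        print("FINDING:", finding)
    print("hardened findings:", check_ssl_settings(hardened_sample()))
    print(set_agent_credentials(hardened_sample(), "/54GwN432q+MEnfh/AHLMA==", "newkey4567"))
```

In a real deployment, read the bootstrap file, pass its text through set_agent_credentials with the output of cryptit.exe, write the result with write_atomically, and run check_ssl_settings on the final text before restarting IIS 7.0; a non-empty findings list means the agent will either start with an unvalidated SSL channel or fail to open its certificate database.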