Sun ONE Identity Server Policy Agent Guide
Contents
What You Are Expected to Know
Identity Server Documentation Set
What's in This Guide
Documentation Conventions Used in This Manual
Typographic Conventions
Related Information
Terminology
Chapter 1 Read This First
How Policy Agents Work
Uses for Policy Agents
Supported Servers
How an Agent Interacts with Sun ONE Identity Server 6.0
Before You Begin Installation
Java Runtime Environment 1.3.1
The Web Server that Runs Sun ONE Identity Server Services vs. Remote Web Servers
Configuring Agent for Multiple Web Server Instances on the Same Computer System
Providing Failover Protection for Sun ONE Identity Server Agents
Updating the Agent Cache
Global Not-Enforced URL List
Global Not-Enforced IP Address List
Enforcing Authentication Only Without Enforcing Policies
Forwarding LDAP User Attributes via HTTP Headers
The AMAgent.properties File
Setting the Fully Qualified Domain Name
Cookie Reset Feature
Configuring CDSSO
Verifying a Successful Installation
Chapter 2 Policy Agents for Solaris 8 and 9
Before You Begin
Supported Solaris Web Servers
Installation Using the GUI
Patch Cluster for Solaris
Installing a Proxy Server Policy Agent
Installation Using the Command-Line
To Install a Web Server Agent Using the Command-Line
Configuring Agent for Multiple Web Server Instances
To Install a Web Proxy Server Agent Using the Command-Line
To Configure Agent for Multiple Web Server Instances on the Same Computer System
Using Secure Sockets Layer (SSL) with an Agent
Using the config Script for Silent Installations
Removing an Agent Using the unconfig Script
Configuring the IBM HTTP Server
Configuring the Domino DSAPI Filter
Web or Web Proxy Server Running in SSL Mode
Setting the REMOTE_USER Server Variable
The Agent's Default Trust Behavior
Disabling the Agent's Default Trust Behavior
Installing the Root CA Certificate on the Remote Web Server
Validating Client IP Addresses
POST Data Preservation
Shared Secret Encryption Utility
Uninstalling a Policy Agent
Before Uninstalling the Policy Agent for Lotus Domino 5.0.10
Troubleshooting Solaris Agents
Uninstalling Using the GUI
Uninstalling Using the Command-Line Interface
Known Problems
Chapter 3 Policy Agents for Windows 2000
Before You Begin
Supported Windows Web Servers
Installation Using the GUI
Installing the Policy Agent for Microsoft IIS
Installation Using the Command-Line
Installing an Agent Using the Command-Line
Configuring the Domino DSAPI Filter
Configuring Domino DSAPI Filter for Multiple Server Partitions
Using Secure Sockets Layer (SSL) with an Agent
The Agent's Default Trust Behavior
Setting the REMOTE_USER Server Variable
Disabling the Agent's Default Trust Behavior
Installing the Root CA Certificate on the Remote Web Server
Validating Client IP Addresses
POST Data Preservation
Shared Secret Encryption Utility
Uninstalling and Disabling Policy Agent
Uninstalling a Policy Agent
Troubleshooting the Installation
Disabling a Policy Agent Installed on Microsoft IIS
Uninstalling the Policy Agent for Lotus Domino 5.0.10
Uninstalling an Agent Using the Command-Line
IIS Policy Agent
Known Problems
Chapter 4 Policy Agents for Windows NT
Before You Begin
Supported Windows NT Web Server
Installation Using the GUI
Installing the Policy Agent for Microsoft IIS 4.0
Installation Using the Command-Line
Uninstalling and Disabling Policy Agents
To Install an Agent Using the Command Line
Using Secure Sockets Layer (SSL) with an Agent
To Uninstall an Agent Using the Command Line
The Agent's Default Trust Behavior
Setting the REMOTE_USER Server Variable
Disabling the Agent's Default Trust Behavior
Installing the Root CA Certificate on the Remote Web Server
Validating Client IP Addresses
Shared Secret Encryption Utility
Troubleshooting the IIS 4.0 Policy Agent
Known Problems
Chapter 5 Policy Agent for Red Hat Linux 7.2
Before You Begin
Configuring Apache Web Server with Posix Threads
Installation Using the GUI
Installing the Policy Agent
Installation Using the Command-Line
Uninstalling the Policy Agent
Installing the Policy Agent
Configuring Agent for Multiple Web Server Instances
Uninstalling the Policy Agent
To Configure Agent for Multiple Web Server Instances on the Same Computer System
Using Secure Sockets Layer (SSL) with an Agent
Using the config Script for Silent Installations
Removing an Agent Using the unconfig Script
The Agent's Default Trust Behavior
Setting the REMOTE_USER Server Variable
Disabling the Agent's Default Trust Behavior
Installing the Root CA Certificate on the Remote Web Server
Validating Client IP Addresses
Shared Secret Encryption Utility
Troubleshooting Information
Chapter 6 Read This First
Uses of Policy Agent for Application Server
Examples
Supported Servers
Chapter 7 Policy Agent for WebLogic 6.1 SP2
Supported Platforms
How the Policy Agent for WebLogic 6.1 SP2 Works
Guidelines
Installing the Agent
Pre-installation Tasks
WebLogic Server Configuration
Launching the Installation Program on Solaris 8
Launching the Installation Program on Windows 2000 Server
Launching the Installation Program on HP-UX 11
Installing the Agent Using GUI
Installing the Agent Realm
Application Configuration
Troubleshooting the Installation
Installing the Agent Filter Component in an Application
Agent Configuration
Creating Role-to-Principal Mappings
Application Specific Agent Configuration
Special Case: Default Web Application
Global Agent Configuration
Not-Enforced List Usage Considerations
Common Configuration
Using Agent and Sun ONE Identity Server SDK APIs
Audit Configuration
Realm Configuration
Global Filter Configuration
Application Filter Configuration
Debug Engine Configuration
Uninstalling the Agent
Uninstalling the Agent Using GUI
Troubleshooting Uninstallation Problems
Chapter 8 Policy Agent 2.0 for IBM WebSphere 4.0.4 AE
Overview
Guidelines
Agent-based Authentication and Authorization
Limitations
Coarse Grained and Fine Grained Access-control
Create Enhanced Security Aware Applications
Supported Platform
Software Requirements
Installing the Agent
Pre-Installation Tasks
Configuring WebSphere Application Server
Launching the Installation Program
Installing the Agent Using GUI
Agent Configuration Details
Installing the Agent Using Command-Line
Application Configuration
Using Agent and Sun ONE Identity Server SDK APIs
Creating Role-to-Principal Mappings
Application-Specific Agent Configuration
Providing Application-Specific Not-Enforced List
Special Case: Default Web Application
Global Agent Configuration
Not-Enforced List Usage Considerations
Agent Configuration
Common Configuration
Realm Configuration
Global Interceptor Configuration
Application Interceptor Configuration
Debug Engine Configuration
SSL Configuration
Configuration Changes in AmConfig.properties
Uninstalling the Agent
Configuration Changes in serverconfig.xml
Importing the root CA cert into Application Server JVM Keystore
Launching the Uninstallation Program
Troubleshooting Information
Uninstalling the Agent Using GUI
Uninstalling the Agent Using Command Line
Installation/Uninstallation Problems
Fixing the Problems Manually
Chapter 9 Policy Agent for Sun ONE Application Server 7.0
Supported Platforms
Guidelines
Installing the Agent
Pre-installation Tasks
Application Configuration
Installing the Agent Using GUI
Installing the Agent Using Command-Line
Silent Installation
Installing the Agent Filter Component in an Application
Agent Configuration
Creating Role-to-Principal Mapping
Application-Specific Agent Configuration
Special Case: Default Web Application
Common Configuration
Using Agent and Sun ONE Identity Server SDK APIs
Audit Configuration
Realm Configuration
Global Filter Configuration
Application Filter Configuration
Debug Engine Configuration
Uninstalling the Agent
Uninstalling the Agent Using GUI
Uninstalling the Agent Using Command-Line
Appendix A Configuration Tasks Performed by Installer
WebLogic 6.1 SP2
WebLogic Server Startup Script Modifications
WebSphere 4.0.4 AE
Adding Parameters to Java Virtual Machine
Installation of JCE 1.2.1 and JSSE 1.0.2 Extensions
Modifications to Admin Server Configuration File
Sun ONE Application Server 7.0
Modifications to trustedserver.properties
Modifications to sas.client.props
Configurations Through Administrative Console
Agent Realm Configuration
Application Server Config Files
Appendix B Sample Scenarios for Role-to-Principal Mapping
WebLogic 6.1 SP2
Declarative Security
WebSphere 4.0.4 AE
Programmatic Security
Web Authorization
Sun ONE Application Server 7.0
EJB Authorization
Declarative Security
Programmatic Security
Appendix C Using the Policy Agent Debug Engine