iPlanet Policy Agent Pack Installation Guide



Chapter 1   Read This First


This chapter provides a brief overview of URL policy agents, as well as some concepts you'll need to understand before proceeding with the Installation program. The information in this chapter is common to both Solaris and Windows operating systems. Topics include:



How URL Policy Agents Work

DSAME URL policy agents protect content on your Web Servers and Proxy Servers from unauthorized intrusions. They control access to services and web resources based on the policies configured by an administrator.


Uses for URL Policy Agents

URL policy agents are installed on Web Servers for a variety of reasons. Here are three examples:

  • An agent on a Human Resources server prevents non-Human Resources personnel from viewing confidential salary information and other sensitive data.

  • An agent on an Operations Web Server allows only network administrators to view network status reports or to modify network administration records.

  • An agent on an Engineering Web Server allows authorized personnel from many internal segments of a company to publish and share research and development information. At the same time, the agent restricts external partners from gaining access to the proprietary information.

In each of these situations, a system administrator must set up policies that allow or deny users access to content on a Web Server. For information on setting policies and for assigning roles and policies to users, see the DSAME Administrator's Guide.


How an Agent Interacts with DSAME

Figure 1-1 illustrates how a URL Policy Agent installed on a remote Web Server interacts with DSAME. When a user points a browser to a particular URL on a protected Web Server, the following interactions take place:

  1. The agent intercepts the request and validates the existing authentication credentials. If the existing authentication level is insufficient, the appropriate DSAME authentication service will present a login page. The login page prompts the user for credentials such as username and password.

  2. The authentication service verifies that the user credentials are valid. For example, the default LDAP authentication service verifies that the username and password are stored in iPlanet Directory Server. You might use other authentication modules such as RADIUS or Certificate modules. In such cases, credentials are not verified by Directory Server but are verified by the appropriate authentication module.

  3. If the user's credentials are properly authenticated, the URL policy agent examines all the roles assigned to the user.

  4. Based on the aggregate of all policies assigned to the user, the individual is either allowed or denied access to the URL.

Figure 1-1    An agent's interaction with DSAME Policy and Management Services.




Supported Servers



Policy Agent Pack 1.0 supports the following servers running on the Solaris 8 operating system:

  • iPlanet Web Server 6.0 SPx

  • iPlanet Web Server 4.1 SP8

  • iPlanet Proxy Server 3.6

  • Apache 1.3.12

Policy Agent Pack 1.0 supports the following servers running on the Windows 2000 operating system:

  • Microsoft IIS 5.0

  • iPlanet Web Server 6.0 SP2



Before You Begin Installation

The following are issues or concepts you should be familiar with before you start the Installation program:


Java Runtime Environment (JRE) 1.2.2 Requirement

You must have the Java Runtime Environment (JRE) 1.2.2 installed or available on a shared file system in order to run the graphical user interface (GUI) version of the Agent Installation program. Currently, JRE 1.2.2 is the only JRE version certified for use with the Agent Installation program.

If you're using the Solaris operating system, and JRE 1.2.2 is not available, you can use the command-line version of the Agent Installation program. See Using the Command-Line Version of the Installation Program for more information.

If you're using the Windows operating system, the Installation program will install JRE 1.2.2 if a suitable version is not automatically detected.


The Web Server That Runs DSAME Services vs. Remote Web Servers

You can use the Installation program to install a URL policy agent on the Web Server where DSAME is installed. In iPlanet documentation, this server is referred to as the Web Server that runs the DSAME services. You can also use the Installation program to install additional URL policy agents on remote web servers in your enterprise. A remote web server in a DSAME deployment is any web server other than the one that runs DSAME policy and management services. It is "remote" relative to the DSAME-dedicated Web Server.


Installing Multiple Web Server Agents on the Same Computer System

If you have multiple iPlanet Web Servers installed on one computer system, you can install a different agent for each server or server instance. Note that since only one iPlanet Proxy Server can be installed per computer system, you cannot install multiple Proxy Server agents on the same computer system. The same principle is also true for Apache Web Server and for Microsoft IIS.

For more information, see Installing Multiple Web Server Agents on the Same Solaris Computer System, and Installing Multiple Policy Agents on the Same Windows Computer System.


Providing Failover Protection for DSAME Agents

When you install a URL Policy agent, you can specify a failover or backup Web Server for running the DSAME Policy and Management services. This is essentially a high availability option. It ensures that if the Web Server that runs the DSAME services becomes unavailable, the agent can still process access requests through the secondary or failover Web Server running the DSAME services.

To set up failover protection for the URL policy agent, you must first install two different instances of DSAME on two separate Web Servers. See the detailed instructions in the DSAME Installation and Configuration Guide. Then follow the instructions in the next sections of this manual to install the appropriate Agent. The agent Installation program will prompt you for the host name and port number of the failover Web Server you configured to work with DSAME.


The AMAgent.properties File

The AMAgent.properties file stores configuration parameters used by the URL policy agent. From time to time, you may need to make changes to the default parameters in this file, for example when you want to specify a different failover Web Server for running DSAME services, or when you want to enable SSL on the remote server where the agent is installed.

The AMAgent.properties file includes information for the following configurations:
  • debugging

  • policy agent

  • DSAME services

  • policy API

  • service and agent deployment descriptors

  • session failover

Table 1-1 provides the default location for AMAgent.properties on the various supported servers.


Table 1-1    Locating AMAgent.properties on different platforms.

Server                                    Location
All Supported Unix Web Servers            /etc/SUNWam/conf/_path_instance_name/
iPlanet Web Server 6.0 (Windows 2000)     \agent_root\Agents\iws60\web-apps\agent\WEB-INF\config\
Microsoft IIS 5.0 (Windows 2000)          \agent_root\Agents\iis50\config\


Changing the AMAgent.properties file can have serious and far-reaching effects. Remember that you can safely change many of the properties in this file by simply re-installing the agent. However, if you must make manual changes, keep the following in mind:

  • Make a backup copy of this file before you make changes.

  • Trailing spaces are significant; use them judiciously.

  • Use forward slashes (/) to separate directories, not backslash (\).

  • Spaces in the Windows file names are allowed.
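The rules above can be checked mechanically before and after a manual edit. The following is an added example, not part of the iPlanet product or its documentation: it makes a timestamped backup and flags values with trailing whitespace or backslashes for review. It assumes plain key=value lines with # or ! comments, and the property keys in the sample are hypothetical placeholders, not real AMAgent.properties parameter names.

```python
import shutil
import time
from pathlib import Path

# Constructed sample; the keys below are hypothetical placeholders,
# not real AMAgent.properties parameter names.
SAMPLE = (
    "# constructed sample for illustration\n"
    "example.debug.dir=C:/Program Files/agent/debug\n"
    "example.log.dir=C:\\agent\\logs\n"
    "example.failover.host=backup.example.com  \n"
    "example.failover.port=8080\n"
)


def backup(path):
    """Copy the file to a timestamped sibling before any manual edit."""
    src = Path(path)
    dst = src.with_name(src.name + time.strftime(".%Y%m%d-%H%M%S.bak"))
    shutil.copy2(src, dst)
    return dst


def lint_properties(text):
    """Return (line_number, key, issue) for values that break the rules above."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.lstrip()
        if not line or line.startswith(("#", "!")) or "=" not in line:
            continue  # blank line, comment, or not a key=value pair
        key, value = line.split("=", 1)
        key = key.strip()
        if value != value.rstrip():
            # Trailing spaces are significant: they become part of the value.
            findings.append((number, key, "trailing whitespace in value"))
        if "\\" in value:
            findings.append((number, key, "backslash in value; use '/'"))
    return findings


if __name__ == "__main__":
    for number, key, issue in lint_properties(SAMPLE):
        print(f"line {number}: {key}: {issue}")
```

A trailing-whitespace finding is a prompt to confirm the space is intended, since the list above notes that such spaces are significant rather than always wrong.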


Verifying a Successful Installation

After installing a URL policy agent, it's a good practice to make sure that the agent was installed successfully and works as you expect it to work. There are two things you can check to verify a successful agent installation.

First, try to access some web content on the remote Web Server where the agent is installed. If the agent is installed correctly, you should see the DSAME login page. Figure 1-2 is an example of a DSAME login page that uses LDAP authentication. Secondly, check the AMAgent.properties file. Make sure that each property is set properly.

Figure 1-2    The DSAME login page.



Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated February 05, 2002