Chapter 2 Installing the Access Manager Policy Agent 2.2 for Application Server 9.0 / Web Services
The Sun Java™ System Access Manager Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services is installed in a Java 2 Enterprise Edition (Java EE) container (for example, Sun Java System Application Server) and is used in conjunction with Sun Java System Access Manager. This chapter contains installation instructions and includes the following sections:
- Installation Overview
- Installing Access Manager
- Installing the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services
- Uninstallation
Installation Overview
The Access Manager Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services is installed when installing any of the following bundles.
- Java EE 5 SDK Update 3 Preview: Download the bits by clicking either Download, Download with JDK, or Download with Tools. This is the most recent bundle, which includes the full version of Access Manager 7.1.
- Java Application Platform SDK Update 2: Download the bits by clicking either Download, Download with JDK, or Download with Tools. This bundle includes the beta version of Access Manager 7.1.
- Java EE 5 SDK Update 2: Download the bits by clicking Download with Tools only. This bundle includes the beta version of Access Manager 7.1.
- NetBeans™ Enterprise Pack 5.5: Download the bits by clicking Download. This bundle includes the beta version of Access Manager 7.1.
Additionally, the Sun Java System Access Manager 7.1 web archive (WAR) will be generated and deployed. Although this deployment process has been automated by the installers of the respective products, information on the Access Manager 7.1 WAR itself can be found in Chapter 12, Deploying Access Manager as a Single WAR File, in Sun Java System Access Manager 7.1 Postinstallation Guide.
Note –
If you have already installed Access Manager 7.1 and the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services, you can move on to Chapter 3, Using the Access Manager Policy Agent 2.2 for Application Server 9.0 / Web Services.
The installation procedures documented in this chapter are also performed by the installers of the respective products. They are documented here for use with third-party Java EE containers and for informational purposes.
Installing Access Manager
The initial step in installing Access Manager 7.1 is to deploy the Access Manager WAR as a web application using the Application Server administration console. Instructions on how to do this can be found in Downloading an Access Manager 7.1 WAR File in Sun Java System Access Manager 7.1 Postinstallation Guide.
Following is the procedure to complete the installation of Access Manager 7.1.
To Complete the Installation of Access Manager 7.1
The following configurations will complete the installation of Access Manager 7.1.
Before You Begin
These instructions assume that Sun Java System Application Server Platform Edition 9.0 has already been installed and the Access Manager WAR has already been deployed. For more information, see Sun Java System Application Server Platform Edition 9 Installation Guide and Downloading an Access Manager 7.1 WAR File in Sun Java System Access Manager 7.1 Postinstallation Guide, respectively.
- Add the following as Java security permissions to the server.policy file of the Application Server. Each Application Server domain has its own standard J2SE policy file named server.policy, located in the domain-dir/config directory. More information can be found in The server.policy File in Sun Java System Application Server Platform Edition 9 Developer's Guide.
// ADDITIONS FOR Access Manager
// Grants apply only to code loaded from the deployed amserver module.
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-" {
    permission java.net.SocketPermission "*", "connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission javax.security.auth.AuthPermission "insertProvider.Mozilla-JSS";
    permission java.security.SecurityPermission "putProviderProperty.Mozilla-JSS";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.security.SecurityPermission "insertProvider.Mozilla-JSS";
    permission javax.security.auth.AuthPermission "putProviderProperty.Mozilla-JSS";
    permission java.io.FilePermission "<<ALL FILES>>", "execute,delete";
    permission java.util.PropertyPermission "java.util.logging.config.class", "write";
    permission java.security.SecurityPermission "removeProvider.SUN";
    permission java.security.SecurityPermission "insertProvider.SUN";
    permission java.security.SecurityPermission "removeProvider.Mozilla-JSS";
    permission javax.security.auth.AuthPermission "doAs";
    permission java.util.PropertyPermission "java.security.krb5.realm", "write";
    permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
    permission java.util.PropertyPermission "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission "user.language", "write";
    permission javax.security.auth.kerberos.ServicePermission "*", "accept";
    permission javax.net.ssl.SSLPermission "setHostnameVerifier";
    permission java.security.SecurityPermission "putProviderProperty.IAIK";
    permission java.security.SecurityPermission "removeProvider.IAIK";
    permission java.security.SecurityPermission "insertProvider.IAIK";
};
// END OF ADDITIONS FOR Access Manager
- Auto POST the following configuration data to configurator.jsp. configurator.jsp is the dynamic configuration page for the Access Manager single WAR application and is used after deploying the WAR. When you launch Access Manager 7.1 and the application has not yet been configured, you are directed to configurator.jsp; if Access Manager 7.1 is already configured, you are directed to the Access Manager Console login page. configurator.jsp is served under Access Manager_protocol://Access Manager_host:Access Manager_port/amserver/.
The required request parameters for configurator.jsp and their accompanying values are:
  - SERVER_URL: The fully qualified name and port of the host on which Access Manager is installed. Use the format Access Manager_protocol://Access Manager_host:Access Manager_port
  - SERVER_URI: By default, the value is /amserver.
  - BASE_DIR: The path to the directory in which Access Manager will create its flat file database. By default, /tmp/amserver.
  - ADMIN_PWD: The password of the top-level administrator; by default, admin123.
  - ADMIN_CONFIRM_PWD: Confirmation of the password defined in ADMIN_PWD.
More information on configurator.jsp can be found in Chapter 12, Deploying Access Manager as a Single WAR File, in Sun Java System Access Manager 7.1 Postinstallation Guide.
Note –
Auto POST means to use an HTTP POST of the required request parameters for this JavaServer Page (JSP) programmatically (from the installer code itself) without showing these parameters or prompting the user.
- Check that the Access Manager server is running using the following URL:
Access Manager_protocol://Access Manager_host:Access Manager_port/amserver/isAlive.jsp
- Log in to Access Manager as the top-level administrator using the following URL:
Access Manager_protocol://Access Manager_host:Access Manager_port/amserver
By default, the top-level administrator is amadmin, and the amadmin password is admin123.
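The Auto POST to configurator.jsp and the isAlive.jsp check from the procedure above, as an added example that is not part of the Sun installer code. The host, port and password are constructed sample values, and the assumption that isAlive.jsp prints a line containing "ALIVE" is not stated on this page.

```python
import urllib.parse
import urllib.request

# Request parameters configurator.jsp requires (listed in the procedure above).
REQUIRED = ("SERVER_URL", "SERVER_URI", "BASE_DIR", "ADMIN_PWD", "ADMIN_CONFIRM_PWD")


def build_config_form(server_url, base_dir, admin_pwd, confirm_pwd, server_uri="/amserver"):
    """Return the URL-encoded POST body for configurator.jsp, after the checks an
    installer should make before the credentials leave the machine."""
    if not server_url.startswith(("http://", "https://")):
        raise ValueError("SERVER_URL must be Access Manager_protocol://host:port")
    if not admin_pwd:
        raise ValueError("ADMIN_PWD must not be empty")
    if admin_pwd != confirm_pwd:
        raise ValueError("ADMIN_CONFIRM_PWD does not match ADMIN_PWD")
    params = {
        "SERVER_URL": server_url.rstrip("/"),
        "SERVER_URI": server_uri,
        "BASE_DIR": base_dir,
        "ADMIN_PWD": admin_pwd,
        "ADMIN_CONFIRM_PWD": confirm_pwd,
    }
    assert tuple(params) == REQUIRED
    return urllib.parse.urlencode(params).encode("ascii")


def auto_post_configurator(server_url, body, timeout=120):
    """The 'Auto POST': submit the form to configurator.jsp programmatically,
    without prompting. Returns the HTTP status code."""
    url = server_url.rstrip("/") + "/amserver/configurator.jsp"
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def is_alive_response(page_text):
    """Interpret isAlive.jsp output. Assumption (not stated on this page): the
    JSP prints a line containing 'ALIVE' when the server is up."""
    return "ALIVE" in page_text.upper()


def server_is_alive(server_url, timeout=10):
    """Fetch isAlive.jsp (step 3 above) and report whether Access Manager is up."""
    url = server_url.rstrip("/") + "/amserver/isAlive.jsp"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return is_alive_response(resp.read().decode("utf-8", "replace"))
```

Call build_config_form, then auto_post_configurator and server_is_alive against the deployed amserver context; use https for SERVER_URL so the administrator password is not sent in clear text.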
Installing the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services
Following is the procedure to complete the installation of the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services.
To Complete the Installation of the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services
Before You Begin
The initial step in installing the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services is to deploy the Access Manager WAR as a web application using the Application Server administration console. See Installing Access Manager if this has not been done.
Note –
javaee.home is a variable that should be replaced with the installation directory of the Java EE 5 SDK.
- Note the directory name and the path to the directory into which the following files are placed. If you used one of the installers, the files were put in a particular directory: /javaee.home/addons/accessmanager for installations of Java Application Platform SDK (when Download or Download with JDK is selected), and /javaee.home/addons/amserver for installations of Java Application Platform SDK or Java EE 5 SDK Update 1 (when Download with Tools is selected) and NetBeans Enterprise Pack 5.5. Be sure to make a note of this directory and path. Otherwise, put the files in a directory and make a note of the directory and path in which they were placed.
- Modify the global Java Virtual Machine (JVM) settings in Application Server by adding the following to the classpath suffix:
  - amwebServiceProvider.jar (including the complete path)
  - amclientsdk.jar (including the complete path)
  - The complete path to the directory which contains the client's AMConfig.properties:
    - /javaee.home/domains/domain_name/config for installations of Java Application Platform SDK (when Download or Download with JDK is selected).
    - /javaee.home/addons/amserver for installations of Java Application Platform SDK or Java EE 5 SDK Update 1 (when Download with Tools is selected) and NetBeans Enterprise Pack 5.5.
- Add the following web services security provider configurations to the domain.xml file as per Application Server guidelines. domain.xml is located in the /ApplicationServer-install/domains/domain1/config directory and contains most of the Application Server configuration information.
Note –
More information can be found in Chapter 1, The domain.xml File, in Sun Java System Application Server Platform Edition 9 Administration Reference.
The following provider code fragment needs to be added under the <message-security-config auth-layer="HttpServlet"> tag:
<provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMHttpAuthModule"
                 provider-id="AMHttpProvider" provider-type="server">
  <request-policy auth-source="content"/>
  <response-policy auth-source="content"/>
</provider-config>
The following provider code fragments need to be added under the <message-security-config auth-layer="SOAP"> tag:
<provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                 provider-id="AMServerProvider-SAML-HolderOfKey" provider-type="server">
  <request-policy auth-source="content"/>
  <response-policy auth-source="content"/>
  <property name="providername" value="SAML-HolderOfKey"/>
</provider-config>
<provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                 provider-id="AMServerProvider-SAML-SenderVouches" provider-type="server">
  <request-policy auth-source="content"/>
  <response-policy auth-source="content"/>
  <property name="providername" value="SAML-SenderVouches"/>
</provider-config>
<provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                 provider-id="AMServerProvider-X509Token" provider-type="server">
  <request-policy auth-source="content"/>
  <response-policy auth-source="content"/>
  <property name="providername" value="X509Token"/>
</provider-config>
<provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                 provider-id="AMServerProvider-LibertySAMLToken" provider-type="server">
  <request-policy auth-source="content"/>
  <response-policy auth-source="content"/>
  <property name="providername" value="LibertySAMLToken"/>
</provider-config>
<provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMClientAuthModule"
                 provider-id="AMClientProvider" provider-type="client">
  <request-policy auth-source="content"/>
  <response-policy auth-source="content"/>
  <property name="providername" value="wsc"/>
</provider-config>
<provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                 provider-id="AMServerProvider-UserNameToken" provider-type="server">
  <request-policy auth-source="content"/>
  <response-policy auth-source="content"/>
  <property name="providername" value="UserNameToken"/>
</provider-config>
<provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                 provider-id="AMServerProvider-LibertyX509Token" provider-type="server">
  <request-policy auth-source="content"/>
  <response-policy auth-source="content"/>
  <property name="providername" value="LibertyX509Token"/>
</provider-config>
<provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                 provider-id="AMServerProvider-LibertyBearerToken" provider-type="server">
  <request-policy auth-source="content"/>
  <response-policy auth-source="content"/>
  <property name="providername" value="LibertyBearerToken"/>
</provider-config>
<provider-config class-name="com.sun.identity.agents.jsr196.as9soap.AMServerAuthModule"
                 provider-id="AMServerProvider" provider-type="server">
  <request-policy auth-source="content"/>
  <response-policy auth-source="content"/>
  <property name="providername" value="wsp"/>
</provider-config>
- Modify AMConfig.properties as follows:
JAVA_HOME=/usr/java
# AM Server Information
# Protocol can be either http or https
SERVER_PROTOCOL=amserver_protocol
SERVER_HOSTNAME=amserver_host
SERVER_PORT=amserver_port
# Application username and password
APPLICATION_USERNAME=amadmin
APPLICATION_PASSWORD=admin123
NAMING_URL=amserver_protocol://amserver_host:amserver_port/amserver/namingservice
# Debug information
DEBUG_LEVEL=error
DEBUG_DIR=/tmp/amclient
# Cookie information
AM_COOKIE_NAME=iPlanetDirectoryPro
# SAML xml signature keystore file, keystore password file,
# key password file and Liberty trusted CA aliases.
# path_to_file should be replaced by the appropriate value as below:
# /javaee.home/addons/accessmanager for installations of Java Application Platform SDK
# (when Download or Download with JDK is selected), and /javaee.home/addons/amserver
# for installations of Java Application Platform SDK or Java EE 5 SDK Update 1
# (when Download with Tools is selected), and NetBeans Enterprise Pack 5.5 (when Download is selected).
SAML_KEYSTORE=/path_to_file/amclientkeystore.jks
SAML_STOREPASS=/path_to_file/.storepass
SAML_KEYPASS=/path_to_file/.keypass
LIBERTY_TRUSTEDCA_ALIASES=amserver:<amserver_host>
# Login URL and Authentication service URL for Liberty use case
LOGIN_URL=amserver_protocol://amserver_host:amserver_port/amserver/UI/Login
LIBERTY_AUTHSVC_URL=amserver_protocol://amserver_host:amserver_port/amserver/Liberty/authnsvc
Note –
The directory specified as the value for DEBUG_DIR in AMConfig.properties should be different from the one specified as the value for BASE_DIR in Installing Access Manager.
- Restart the Application Server.
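One way to apply the domain.xml step of the procedure above without pasting by hand, as an added example that is not part of the Sun installer or the agent. It adds the ten provider-config fragments from this chapter under their auth-layer, skips any provider-id that is already present so a rerun is harmless, and creates the HttpServlet message-security-config if the domain does not yet have one; the domain.xml skeleton at the end is constructed for demonstration.

```python
import xml.etree.ElementTree as ET

AGENT_PKG = "com.sun.identity.agents.jsr196.as9soap."
# (auth-layer, provider-id, module class, provider-type, providername or None),
# in the order the chapter lists them.
PROVIDERS = [
    ("HttpServlet", "AMHttpProvider", "AMHttpAuthModule", "server", None),
    ("SOAP", "AMServerProvider-SAML-HolderOfKey", "AMServerAuthModule", "server", "SAML-HolderOfKey"),
    ("SOAP", "AMServerProvider-SAML-SenderVouches", "AMServerAuthModule", "server", "SAML-SenderVouches"),
    ("SOAP", "AMServerProvider-X509Token", "AMServerAuthModule", "server", "X509Token"),
    ("SOAP", "AMServerProvider-LibertySAMLToken", "AMServerAuthModule", "server", "LibertySAMLToken"),
    ("SOAP", "AMClientProvider", "AMClientAuthModule", "client", "wsc"),
    ("SOAP", "AMServerProvider-UserNameToken", "AMServerAuthModule", "server", "UserNameToken"),
    ("SOAP", "AMServerProvider-LibertyX509Token", "AMServerAuthModule", "server", "LibertyX509Token"),
    ("SOAP", "AMServerProvider-LibertyBearerToken", "AMServerAuthModule", "server", "LibertyBearerToken"),
    ("SOAP", "AMServerProvider", "AMServerAuthModule", "server", "wsp"),
]


def add_agent_providers(domain_xml_text):
    """Return (updated domain.xml text, number of providers added). Existing
    provider-ids are left untouched, so the function is idempotent."""
    root = ET.fromstring(domain_xml_text)
    added = 0
    for layer, pid, cls, ptype, pname in PROVIDERS:
        msc = root.find(f".//message-security-config[@auth-layer='{layer}']")
        if msc is None:
            # A fresh domain may lack the HttpServlet layer; create it under security-service.
            svc = root.find(".//security-service")
            if svc is None:
                raise ValueError("no <security-service> element in domain.xml")
            msc = ET.SubElement(svc, "message-security-config", {"auth-layer": layer})
        if msc.find(f"provider-config[@provider-id='{pid}']") is not None:
            continue  # already configured; do not add a duplicate provider
        pc = ET.SubElement(msc, "provider-config", {
            "class-name": AGENT_PKG + cls, "provider-id": pid, "provider-type": ptype})
        ET.SubElement(pc, "request-policy", {"auth-source": "content"})
        ET.SubElement(pc, "response-policy", {"auth-source": "content"})
        if pname:
            ET.SubElement(pc, "property", {"name": "providername", "value": pname})
        added += 1
    return ET.tostring(root, encoding="unicode"), added


# Constructed, minimal skeleton of the relevant part of domain.xml (only the SOAP layer present).
SAMPLE_DOMAIN_XML = """<domain>
  <configs><config name="server-config"><security-service>
    <message-security-config auth-layer="SOAP"/>
  </security-service></config></configs>
</domain>"""
```

ElementTree does not write back the DOCTYPE line or comments of the real domain.xml, so diff the output against the original and keep a backup before replacing the file.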
Uninstallation
The following procedure is to uninstall Access Manager 7.1 and the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services.
To Uninstall Access Manager 7.1 and the Policy Agent 2.2 for Sun Java System Application Server 9.0 / Web Services
- Undeploy the amserver web application using the Application Server administration console.
- Note the path to the Access Manager flat file directory from the AccessManager/AMConfig_ApplicationServer-base_domains_Domain_name_applications_j2ee-modules_amserver_ file located under the home directory of the user who has installed and configured Access Manager. For example, the AccessManager/AMConfig_opt_SUNWappserver_domains_domain1_applications_j2ee-modules_amserver_ file under the user's home directory.
Note –
The location of the user's directory depends on the user and operating system. For example, on a UNIX system, if the user is root, the user's home directory is /. If the user is xyz, the user's home directory is /home/xyz.
- Delete the Access Manager flat file directory.
- Delete the AccessManager/AMConfig_ApplicationServer-base_domains_Domain_name_applications_j2ee-modules_amserver_ file under the user's home directory.
- Restart the Application Server.