OpenSSO - UML Integration Instructions

These instructions are an example of configuring OpenSSO to protect the UML application. These instructions reference a reverse proxy agent in front of the UML application server. The recommended approach would be to use a web or application server agent to protect UML.

OpenSSO Configuration

These instructions assume that OpenSSO (the *.war file) is deployed to a GlassFish domain.
Once deployed, OpenSSO needs to be configured.

OpenSSO can be configured either through the GUI or from the command line. To configure it from the command line, follow the steps below.

The command line tools for this example have been installed under "/var/opt/OpenSSO/Configurator".

This example also uses an OpenDS instance for the users.

To use the OpenDS instance running on Port 1389 as the user store and configure an embedded configuration OpenDS store on Port 51389 for OpenSSO, the configuration file available under the "/var/opt/OpenSSO/Configurator" folder should be used. The configuration file is called "config-file" and this file will feed the required data to the command line tool to configure OpenSSO. Make sure to set JAVA_HOME before running the command line tool.

 

# cd /var/opt/OpenSSO/Configurator
# export JAVA_HOME=/usr/java
# $JAVA_HOME/bin/java -jar configurator.jar -f config-file

Sample OpenSSO config file

##############################################################################
###
### SERVER_URL is the URL of the web container on which OpenSSO Server is
### deployed.
###
### DEPLOYMENT_URI is the OpenSSO Server deployment URI.
###
### BASE_DIR is the configuration directory
###
### locale is the user locale.
###
### PLATFORM_LOCALE is the locale of OpenSSO Server.
###
### AM_ENC_KEY is the password encryption key.  In a multiserver installation,
### this parameter must have the same value as the other servers.  By default,
### AM_ENC_KEY is set to "" which means that OpenSSO Server will generate a 
### random password encryption key.
###
### ADMIN_PWD is the password for the default user, amAdmin. The password must
### be at least 8 characters in length. If this configuration will be part of
### an existing deployment, the password you enter must match that of the
### original deployment.
###
### AMLDAPUSERPASSWD is the password for default policy agent [UrlAccessAgent].
### The password must be at least 8 characters in length. If this configuration
### will be part of an existing deployment, the password you enter must match
### that of the original deployment.
###
### COOKIE_DOMAIN is the name of the trusted DNS domain that OpenSSO Server
### returns to a browser when it grants a session ID to a user.
###
#############################################################################
SERVER_URL=http://sedemo8.identric.com:82
DEPLOYMENT_URI=/opensso
BASE_DIR=/var/opt/OpenSSO/Config
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=""
ADMIN_PWD=identity
AMLDAPUSERPASSWD=agent123
COOKIE_DOMAIN=.identric.com


##############################################################################
###
### DATA_STORE is the type of configuration data store. Valid values are
### 'embedded' - OpenSSO
### 'dirServer' - Sun Java System Directory Server
### If 'dirServer' is specified and the configuration data store contains
### configuration of existing OpenSSO Servers, this OpenSSO Server will be
### added to the existing multi-server setup.
###
### DIRECTORY_SSL specifies if the configuration data store is using SSL.
### Valid values are
### 'SSL' - SSL
### 'SIMPLE' - no SSL
###
### DIRECTORY_SERVER is the host name of the configuration data store.
###
### DIRECTORY_PORT is the port on which the configuration data store is
### listening for connections.
###
### ROOT_SUFFIX is the initial or root suffix of the configuration data store.
###
### DS_DIRMGRDN is the DN (distinguished name) of the directory manager,
### the user who has unrestricted access to the configuration data store.
###
### DS_DIRMGRPASSWD is the password for the directory manager of the
### configuration data store.
###
#############################################################################
DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_SERVER=sedemo8.identric.com
DIRECTORY_PORT=51389
ROOT_SUFFIX=dc=opensso,dc=java,dc=net
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=identity


##############################################################################
###
### DS_EMB_REPL_FLAG is the flag for enabling configuration data store in
### multi-server setup. This flag is valid only if DATA_STORE is set to
### 'embedded'. To enable this flag, the value needs to be 'embReplFlag'.
###
### DS_EMB_REPL_REPLPORT1 is replication port of the configuration data store
### of the new OpenSSO Server.
###
### DS_EMB_REPL_HOST2 is the host name of the existing OpenSSO Server.
###
### DS_EMB_REPL_PORT2 is listening port of the configuration data store of
### the existing OpenSSO Server.
###
### DS_EMB_REPL_REPLPORT2 is replication port of the configuration data store
### of the existing OpenSSO Server
###
##############################################################################
#DS_EMB_REPL_FLAG=embReplFlag
#DS_EMB_REPL_REPLPORT1=58989
#DS_EMB_REPL_HOST2=sample2.sun.com
#DS_EMB_REPL_PORT2=50389
#DS_EMB_REPL_REPLPORT2=50889


##############################################################################
###
### The following properties will not be used in a multi-server setup.
###
### USERSTORE_TYPE is the type of user data store. Valid values are
### 'LDAPv3ForAMD' - LDAP with OpenSSO Schema
### 'LDAPv3' - Generic LDAP (no OpenSSO Schema)
### '' - use configuration data store as user data store. DATA_STORE needs to
### be 'embedded'. The remaining user data store properties will be ignored.
###
### USERSTORE_SSL specifies if the user data store is using SSL.
### Valid values are
### 'SSL' - SSL
### 'SIMPLE' - no SSL
###
### USERSTORE_HOST is the host name of the user data store.
###
### USERSTORE_PORT is the port on which the user data store is listening for
### connections.
###
### USERSTORE_SUFFIX is the initial or root suffix of the user data store.
###
### USERSTORE_MGRDN is the DN (distinguished name) of the directory manager,
### the user who has unrestricted access to the user data store.
###
### USERSTORE_PASSWD  is the password for the directory manager of the user
### data store
##############################################################################
USERSTORE_TYPE=LDAPv3
USERSTORE_SSL=SIMPLE
USERSTORE_HOST=sedemo8.identric.com
USERSTORE_PORT=1389
USERSTORE_SUFFIX=dc=identric,dc=com
USERSTORE_MGRDN=cn=Directory Manager
USERSTORE_PASSWD=password


##############################################################################
###
### LB_SITE_NAME is the name of the site.
###
### LB_PRIMARY_URL is the load balancer URL.
###
##############################################################################
#LB_SITE_NAME=lb
#LB_PRIMARY_URL=http://lb.sun.com:58080/opensso

This will be the output of the above command.

 

Checking configuration directory /opensso....Success.
Installing OpenSSO configuration store...Success RSA/ECB/OAEPWithSHA1AndMGF1Padding.
Installing OpenSSO configuration store in /opensso/opends...Success.
Creating OpenSSO suffix...Success.
Tag swapping schema files....Success.
Loading Schema am_sm_ds_schema.ldif...Success.
Loading Schema am_remote_opends_schema.ldif...Success.
Loading Schema fam_sds_schema.ldif...Success.
Reinitializing system properties....Done
Registering service amEntrySpecific.xml...Success.
.
.
.
.
Registering service famLibertySecurity.xml...Success.
Registering service famSAML2Config.xml...Success.
Configuring system....Done
Configuring server instance....Done
Creating Web Service Security Agents....Done
Setting up registration files....Done
Configuration complete!

NOTE: If you want to change the Hostname, Port number, etc. for the embedded OpenDS instance, you can edit the "config-file" to do so.
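The configurator only reports problems once it has run. The following pre-flight checker is an added example (not part of this page, and not part of the OpenSSO configurator): it parses a "config-file" of the format shown above and checks the constraints the file's own comments state (8-character minimum for ADMIN_PWD and AMLDAPUSERPASSWD, an explicit AM_ENC_KEY in a multi-server setup, USERSTORE_TYPE='' only with DATA_STORE=embedded), plus two caveats a reviewer would raise: the SERVER_URL host must sit under COOKIE_DOMAIN or the browser will drop the session cookie, and DIRECTORY_SSL/USERSTORE_SSL=SIMPLE sends the directory manager password in clear text. Both sample inputs are constructed for the example; the first reuses the page's demo values, the second uses a placeholder host (sso.example.test).

```python
"""Pre-flight checks for the OpenSSO configurator's config-file.

Added example; not part of this page or of the OpenSSO configurator. It parses
the KEY=VALUE file that `java -jar configurator.jar -f config-file` consumes
and reports values that break the constraints stated in the file's own
comments, plus two defender-side caveats. Both sample inputs are constructed
for this example (the first reuses the page's demo values).
"""
from urllib.parse import urlsplit


def parse_config(text):
    """Parse the configurator file: lines starting with '#' are comments,
    everything else is KEY=VALUE. Split on the first '=' only, because DN
    values such as 'cn=Directory Manager' contain '=' themselves; a value
    wrapped in double quotes (AM_ENC_KEY="") is unwrapped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        cfg[key.strip()] = value
    return cfg


def check_config(cfg):
    """Return a list of (severity, message). 'error' marks a value the
    configurator comments say is required; 'warn' marks a permitted but
    security-relevant choice."""
    findings = []

    # ADMIN_PWD and AMLDAPUSERPASSWD must be at least 8 characters.
    for key in ("ADMIN_PWD", "AMLDAPUSERPASSWD"):
        if len(cfg.get(key, "")) < 8:
            findings.append(("error", f"{key} must be at least 8 characters"))

    # In a multi-server embedded setup AM_ENC_KEY must equal the other servers'
    # key, so leaving it empty (a freshly generated random key) cannot be right.
    if cfg.get("DS_EMB_REPL_FLAG") == "embReplFlag" and cfg.get("AM_ENC_KEY", "") == "":
        findings.append(("error", "AM_ENC_KEY must be set explicitly in a multi-server setup"))

    # USERSTORE_TYPE='' reuses the configuration store, which must be embedded.
    if cfg.get("USERSTORE_TYPE", "") == "" and cfg.get("DATA_STORE") != "embedded":
        findings.append(("error", "USERSTORE_TYPE='' requires DATA_STORE=embedded"))

    # A browser only keeps a cookie whose Domain attribute is a suffix of the
    # host that set it, so the SERVER_URL host has to sit under COOKIE_DOMAIN.
    host = urlsplit(cfg.get("SERVER_URL", "")).hostname or ""
    domain = cfg.get("COOKIE_DOMAIN", "")
    if domain and not host.endswith(domain):
        findings.append(("error", f"COOKIE_DOMAIN {domain} does not cover SERVER_URL host {host}"))

    # 'SIMPLE' sends the directory manager password over the wire unencrypted.
    for key in ("DIRECTORY_SSL", "USERSTORE_SSL"):
        value = cfg.get(key)
        if value not in (None, "SSL", "SIMPLE"):
            findings.append(("error", f"{key} must be 'SSL' or 'SIMPLE', got {value!r}"))
        elif value == "SIMPLE":
            findings.append(("warn", f"{key}=SIMPLE: directory bind credentials are sent in clear text"))

    return findings


# Constructed sample mirroring the page's settings.
PAGE_SAMPLE = """
SERVER_URL=http://sedemo8.identric.com:82
DEPLOYMENT_URI=/opensso
AM_ENC_KEY=""
ADMIN_PWD=identity
AMLDAPUSERPASSWD=agent123
COOKIE_DOMAIN=.identric.com
DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DS_DIRMGRDN=cn=Directory Manager
USERSTORE_TYPE=LDAPv3
USERSTORE_SSL=SIMPLE
#DS_EMB_REPL_FLAG=embReplFlag
"""

# Constructed sample that violates several of the stated constraints
# (placeholder host, short admin password, multi-server with no key).
BAD_SAMPLE = """
SERVER_URL=http://sso.example.test:82
AM_ENC_KEY=""
ADMIN_PWD=short1
AMLDAPUSERPASSWD=agent123
COOKIE_DOMAIN=.identric.com
DATA_STORE=dirServer
DIRECTORY_SSL=SSL
USERSTORE_TYPE=
DS_EMB_REPL_FLAG=embReplFlag
"""

if __name__ == "__main__":
    for name, text in (("page sample", PAGE_SAMPLE), ("bad sample", BAD_SAMPLE)):
        print(name)
        for severity, message in check_config(parse_config(text)):
            print(f"  {severity}: {message}")
```

Run against the page's own values the checker reports only the two SIMPLE warnings; the OpenDS stores in this example are on the same host as OpenSSO, which is why the clear-text binds are tolerable here and would not be across a network.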

Relevant configuration information for this example:

OpenSSO Access URL: http://sedemo8.identric.com:82/opensso
Admin User: amadmin
Admin Password: identity

OpenSSO Data Store configuration

Once the Configuration is complete, verify that a Datastore called "generic ldapv3" is created.

 
Login to the OpenSSO console using "amadmin" credentials.

Navigate to: Access Control -> / (Top level Realm) -> Data Stores. You should see a "generic ldapv3" Data Store.

You will need to configure the "generic ldapv3" Data Store for User Authentication by enabling Sub Scope search in the LDAPv3 Plug-in. In order to do that:

 

Login to the OpenSSO console using "amadmin" credentials.

Navigate to: Access Control -> / (Top level Realm) -> Data Stores

Click on "generic ldapv3" 

Scroll down to find the property: LDAPv3 Plug-in Search Scope

Click on the radio button: SCOPE_SUB

Scroll down to find the property: LDAP User Object Class
Remove the inetUser Object class from the Current Values.

Scroll down to find the property: LDAP User Attributes
Remove the inetUserStatus attribute from the Current Values.

Scroll down to find the property: LDAP People Container Naming Attribute
Set the value to: ou

Scroll down to find the property: LDAP People Container Value
Set the value to: People

"Save" the changes

Logout from the OpenSSO Console

To verify the change has taken effect:

 

Login to the OpenSSO console using "amadmin" credentials.

Navigate to: Access Control -> / (Top level Realm) -> Subjects

Click on "Users". You should see all the Users provisioned on the OpenDS instance running on Port 1389

Click on "Groups". You should see all the Groups provisioned on the OpenDS instance running on Port 1389

You should also be able to Authenticate against OpenSSO using any of the Users present in the Directory on port 1389.

OpenSSO Command Line Tools configuration

The following steps will configure the OpenSSO tools which will be used for the IDM Resource Adapter for provisioning.

(make sure JAVA_HOME is set)

 
# mkdir /var/opt/OpenSSO/opensso-client
# mkdir /var/opt/OpenSSO/opensso_debug
# mkdir /var/opt/OpenSSO/opensso-tools

# cd /var/opt/OpenSSO/opensso-client
# unzip opensso-client.zip 

# chmod +x scripts/compile-samples.sh
# scripts/compile-samples.sh
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.

# chmod +x scripts/setup.sh

root@opensolaris:/var/opt/OpenSSO/opensso-client/sdk# scripts/setup.sh
Debug directory (make sure this directory exists): /var/opt/OpenSSO/opensso_debug
Application user (e.g. URLAccessAgent) password: password
Protocol of the server: http
Host name of the server: sedemo8.identric.com
Port of the server: 82
Server's deployment URI: /opensso
Naming URL (hit enter to accept default value, http://sedemo8.identric.com:82//opensso/namingservice): 

The following file will be used by the IdM Resource Adapter:

 
/var/opt/OpenSSO/opensso-client/sdk/resources/AMConfig.properties

Configure the tools

 
# cd /var/opt/OpenSSO/opensso-tools
# unzip ssoAdminTools.zip 

# ./setup

root@opensolaris:/var/opt/OpenSSO/opensso-tools# ./setup 
Path to config files of OpenSSO server (example: /opensso):/opensso
Debug Directory:/var/opt/OpenSSO/opensso-tools/debug
Log Directory:/var/opt/OpenSSO/opensso-tools/log
The scripts are properly setup under directory: /var/opt/OpenSSO/opensso-tools/opensso
Debug directory is /var/opt/OpenSSO/opensso-tools/debug.
Log directory is /var/opt/OpenSSO/opensso-tools/log.
The version of this tools.zip is: Enterprise 8.0 Build 6(2008-October-31 09:07)
The version of your server instance is: Enterprise 8.0 Build 6(2008-October-31 09:07)

Encrypt the amadmin password:

Create a file containing the amadmin password (identity):

 
vi /var/opt/OpenSSO/amadmin_pwd


cd /var/opt/OpenSSO/opensso-tools/opensso/bin

./ampassword --encrypt /var/opt/OpenSSO/amadmin_pwd
AQICCjRHEr44EUeWWWapwhqoTwZ3ut+Zop9r

Customize the /var/opt/OpenSSO/opensso-client/sdk/resources/AMConfig.properties

Save the original file to a backup

 
cp /var/opt/OpenSSO/opensso-client/sdk/resources/AMConfig.properties /var/opt/OpenSSO/opensso-client/sdk/resources/AMConfig.properties.orig

Add the following value to this file:
am.encryption.pwd=AQICCjRHEr44EUeWWWapwhqoTwZ3ut+Zop9r

vi /var/opt/OpenSSO/opensso-client/sdk/resources/AMConfig.properties

Modify the following property as shown:
com.sun.identity.agents.app.username=amadmin

Modify the following property using the encrypted value generated by ampassword --encrypt above:
com.iplanet.am.service.secret=AQICCjRHEr44EUeWWWapwhqoTwZ3ut+Zop9r

Configure Identity Manager to use the opensso sdk

NOTE: This step is already done in the SEDemo build; verify that the IDM instance is set up properly.

 
cp /var/opt/OpenSSO/opensso-client/sdk/resources/AMConfig.properties $WSHOME/WEB-INF/classes

cp /var/opt/OpenSSO/opensso-client/sdk/lib/openssoclientsdk.jar $WSHOME/WEB-INF/

Restart the application server.

Set up the Identity Manager Resource Adapter for OpenSSO

  • Create a new Resource Adapter

See docs: Sun OpenSSO Enterprise 8.0 Integration Guide

Validate that the Resource Adapter is working by performing a full reconciliation.

(Link accounts which match with Identity Manager accounts, this will allow the accounts to be linked for OpenSSO to be used for SSO into Identity Manager.)

Apache 2.0

Apache is used as the reverse proxy (carrying the OpenSSO agent) in front of UML. Use Apache 2.0.63 from http://archive.apache.org/dist/httpd/.

(need to add install/config instructions)

  • svcs -l http
Apache Home /var/opt/apache2/

Obtain the install file for apache2
expand the file

Configure apache to use the appropriate proxy modules

 
# ./configure --prefix=/var/opt/apache2 --enable-proxy --enable-proxy-http --enable-proxy-connect --enable-ssl 
# make
# make install
# /var/opt/apache2/bin/apachectl start
Internet Hostname       Domain Mapped to Host     HTTP port
sedemo8.identric.com    sedemo8.identric.com      80

Change the apache port to 1080 in the configuration file: (/var/opt/apache2/conf/httpd.conf)

 
Listen 1080

Add the proper group to the configuration file: (/var/opt/apache2/conf/httpd.conf)

 
Group nobody

Add the Virtual Host definition to the configuration file: (/var/opt/apache2/conf/httpd.conf)

 
<VirtualHost 192.168.100.101:1080>
        ProxyPreserveHost On
        ProxyPass /UML http://sedemo8:84/UML
        ProxyPassReverse /UML http://sedemo8:84/UML
        ServerName sedemo8.identric.com
        ServerAlias identric.com
</VirtualHost>
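Two details in that virtual host carry the security of the setup: every ProxyPass needs a matching ProxyPassReverse (otherwise a redirect issued by UML on sedemo8:84 reaches the browser with the internal address, and the client's next request bypasses the agent on port 1080), and ProxyPreserveHost On makes the application build its links on the public name that the agent's policies are written for. The checker below is an added example, not part of this page or of Apache; it parses only the directives used here, and both configurations in it are constructed (the first from the page's values).

```python
"""Consistency checks for the reverse-proxy directives in httpd.conf.

Added example; not part of this page or of Apache. It understands only the
directives used above (Listen, <VirtualHost>, ProxyPreserveHost, ProxyPass,
ProxyPassReverse and the like) and flags the slips that matter when an agent
on this front end is the only thing protecting UML. Both configurations are
constructed for this example; the first reuses the page's values.
"""
import re

SAMPLE_HTTPD_CONF = """
Listen 1080
Group nobody
<VirtualHost 192.168.100.101:1080>
        ProxyPreserveHost On
        ProxyPass /UML http://sedemo8:84/UML
        ProxyPassReverse /UML http://sedemo8:84/UML
        ServerName sedemo8.identric.com
        ServerAlias identric.com
</VirtualHost>
"""

# Constructed: wrong Listen port, no ProxyPassReverse, ProxyPreserveHost unset.
BROKEN_HTTPD_CONF = """
Listen 80
<VirtualHost 192.168.100.101:1080>
        ProxyPass /UML http://sedemo8:84/UML
        ServerName sedemo8.identric.com
</VirtualHost>
"""


def _port(addr, default=80):
    """Port from 'host:port', '*:port' or a bare port; default when absent."""
    tail = addr.rsplit(":", 1)[-1]
    return int(tail) if tail.isdigit() else default


def parse_httpd_conf(text):
    """Return (listen_ports, vhosts); each vhost is a dict of its directives,
    with ProxyPass/ProxyPassReverse collected as {path: target} maps."""
    listen, vhosts, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"<VirtualHost\s+(\S+)>", line)
        if match:
            addr = match.group(1)
            current = {"addr": addr, "port": _port(addr), "ProxyPass": {}, "ProxyPassReverse": {}}
            continue
        if line == "</VirtualHost>":
            vhosts.append(current)
            current = None
            continue
        name, *args = line.split()
        if name == "Listen":
            listen.append(_port(args[0]))
        elif current is not None and name in ("ProxyPass", "ProxyPassReverse"):
            current[name][args[0]] = args[1]
        elif current is not None:
            current[name] = " ".join(args)
    return listen, vhosts


def check_proxy_conf(text):
    """Return a list of findings (empty when the configuration is consistent)."""
    listen, vhosts = parse_httpd_conf(text)
    findings = []
    for vh in vhosts:
        if vh["port"] not in listen:
            findings.append(f"{vh['addr']}: no Listen directive for port {vh['port']}")
        for path, target in vh["ProxyPass"].items():
            # Without a matching ProxyPassReverse, a redirect issued by the
            # backend carries the internal sedemo8:84 address to the browser,
            # and the client's next request no longer passes the agent.
            if vh["ProxyPassReverse"].get(path) != target:
                findings.append(f"{vh['addr']}: ProxyPass {path} has no matching ProxyPassReverse")
        # ProxyPreserveHost On hands the public Host header to UML, so links the
        # application builds use the front-end name the policies are written for.
        if vh.get("ProxyPreserveHost", "Off").lower() != "on":
            findings.append(f"{vh['addr']}: ProxyPreserveHost is not On")
    return findings


if __name__ == "__main__":
    for label, conf in (("page config", SAMPLE_HTTPD_CONF), ("broken config", BROKEN_HTTPD_CONF)):
        print(label, check_proxy_conf(conf) or ["ok"])
```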

Import the Solaris manifest file

 
# svccfg import SMF-apache2-port1080.xml

Restart apache:

The SMF service is called port1080.

 
# svcs port1080
STATE          STIME    FMRI
enabled       16:39:03 svc:/sedemo/apache2/port1080:default

# svcadm disable -s port1080
# svcadm enable -s port1080

OpenSSO Policy Agent installation

The OpenSSO Policy Agent 3.0 needs to be installed on the Apache Server. Follow the steps below to install the agent.

 

Make sure that the Apache Server is NOT running before installing the Agent.

# svcadm disable -s port1080

You need to create two password files before installing the agent:

 

# cd /var/opt/OpenSSO

Create two password files : "agentpwd" and "adminpwd" 
agentpwd should contain the text:  agent123
adminpwd should contain the text: identity

To install the agent:

# cd /var/opt/OpenSSO/web_agents/apache_agent/bin

# ./agentadmin --custom-install

The installer will ask you a few questions. Answer them as below:

 
opensolaris:[root] ./agentadmin --custom-install



************************************************************************
Welcome to the Sun Federated Access Manager Policy Agent for Apache Server.

************************************************************************


Enter the complete path to the directory which is used by Apache Server to
store its configuration Files. This directory uniquely identifies the
Apache Server instance that is secured by this Agent.
[ ? : Help, ! : Exit ]
Enter the Apache Server Config Directory Path [/opt/apache/conf]: /var/opt/apache2/conf


Enter the URL where the OpenSSO server is running. Please include the
deployment URI also as shown below:
(http://opensso.sample.com:58080/opensso)
[ ? : Help, < : Back, ! : Exit ]
OpenSSO server URL: http://sedemo8.identric.com:82/opensso


Enter the Agent URL as shown below: (http://agent1.sample.com:1234)
[ ? : Help, < : Back, ! : Exit ]
Agent URL: http://sedemo8.identric.com:1080


Enter the Agent profile name
[ ? : Help, < : Back, ! : Exit ]
Enter the Agent Profile name: apache-agent


Enter the path to a file that contains the password to be used for identifying
the Agent.
[ ? : Help, < : Back, ! : Exit ]
Enter the path to the password file: /var/opt/OpenSSO/agentpwd


WARNING:
Agent profile/User: apache-agent does not exist in OpenSSO server! Either
"Hit the Back button, and re-enter the correct agent profile name/user
name", or "Create this agent profile when asked(available only in
custom-install)", or "Continue without validating it because agent
profile is in sub realm", or "Continue without validating/creating it, and
manually validate/create it in OpenSSO server after installation".



Enter true if the Agent Profile is being created into OpenSSO server by the
installer. Enter false if it will be not be created by installer.
[ ? : Help, < : Back, ! : Exit ]
This Agent Profile does not exist in OpenSSO server, will it be created by the
installer? (Agent Administrator's name and password are required) [true]: true


Agent Administrator is the Administrator user that can create, delete or
update agent profile.
[ ? : Help, < : Back, ! : Exit ]
Enter the Agent Administrator's name: amadmin


Enter the path to a file that contains the password of Agent Administrator
[ ? : Help, < : Back, ! : Exit ]
Enter the path to the password file that contains the password of Agent
Administrator: /var/opt/OpenSSO/adminpwd


-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Apache Server Config Directory : /var/opt/apache2/conf 
OpenSSO server URL : http://sedemo8.identric.com:82/opensso 
Agent URL : http://sedemo8.identric.com:1080 
Agent Profile name : apache-agent 
Agent Profile Password file name : /var/opt/OpenSSO/agentpwd 
Agent Profile will be created right now by agent installer : true 
Agent Administrator : amadmin 
Agent Administrator's password file name : /var/opt/OpenSSO/adminpwd 

Verify your settings above and decide from the choices below.
1. Continue with Installation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]: 

Creating directory layout and configuring Agent file for Agent_001
instance ...DONE.

Reading data from file /var/opt/OpenSSO/agentpwd and encrypting it ...DONE.

Generating audit log file name ...DONE.

Creating tag swapped OpenSSOAgentBootstrap.properties file for instance
Agent_001 ...DONE.

Creating the Agent Profile apache-agent ...DONE.

Creating a backup for file /var/opt/apache2/conf/httpd.conf ...DONE.

Adding Agent parameters to
/var/opt/OpenSSO/web_agents/apache_agent/Agent_001/config/dsame.conf
file ...DONE.

Adding Agent parameters to /var/opt/apache2/conf/httpd.conf file ...DONE.


SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: Agent_001
Agent Bootstrap file location:
/var/opt/OpenSSO/web_agents/apache_agent/Agent_001/config/OpenSSOAgentBootstrap.properties
Agent Configuration Tag file location
/var/opt/OpenSSO/web_agents/apache_agent/Agent_001/config/OpenSSOAgentConfiguration.properties
Agent Audit directory location:
/var/opt/OpenSSO/web_agents/apache_agent/Agent_001/logs/audit
Agent Debug directory location:
/var/opt/OpenSSO/web_agents/apache_agent/Agent_001/logs/debug


Install log file location:
/var/opt/OpenSSO/web_agents/apache_agent/installer-logs/audit/custom.log

Thank you for using Sun Federated Access Manager Policy Agent


Configuring Agent Parameters on OpenSSO

The next step after the installation of the Agent is to configure a few Agent parameters. Here are the steps to do that:

 


Configure the OpenSSO Enterprise Agent Profile

   1.  Log in to the OpenSSO Enterprise console as amadmin.
   2.  Navigate to Access Control -> /(Top-Level Realm) -> Agents -> Web Agents.
   3.  Click the policy agent profile : apache-agent
   4.  Navigate to the tab "OpenSSO Services".
   5.  For the property OpenSSO Enterprise Login URL (com.sun.identity.agents.config.login.url), verify that the existing entry is:
      [0]=http://sedemo8.identric.com:82/opensso/UI/Login


Navigate to the tab "Application".

   1. For the property Session Attribute Fetch Mode (com.sun.identity.agents.config.session.attribute.fetch.mode), choose the option HTTP_HEADER.
   2. For the property Session Attribute Mapping (com.sun.identity.agents.config.session.attribute.mapping), remove the existing entry, and add this entry:

      [UserToken]=openptkid

   3. For the property Not Enforced URLs (com.sun.identity.agents.config.notenforced.url), add these entries. 

      
      http://sedemo8.identric.com:1080/UML/anon/index.jsp*

      http://sedemo8.identric.com:1080/UML/css/*

      http://sedemo8.identric.com:1080/UML/images/*

   4. For the property Resources Access Denied URL, enter the value: http://sedemo8.identric.com/OpenSSOAccessDenied.jsp

      Note: this page shows the access denied message together with navigation instructions.
      
   5. Click Save.


Log out from the OpenSSO Enterprise console.

Creating OpenSSO Policies for OpenPTK User Management Lite - UML

UML User Policy

 
    1. Log in to the OpenSSO Enterprise console as amadmin.
    2. Navigate to Access Control -> /(Top-Level Realm) -> Policies
    3. Click "New" to create a new policy
    4. Name the Policy as "UML Policy"
    5. Create 3 new "Rules" by clicking the "New" button under rules.
    
           1. New URL Policy Agent (with resource name) rule
           Click "New" under Rule
           Choose "URL Policy Agent (with resource name)"
           Rule name: UML Rule1
           Resource Name: http://sedemo8.identric.com:1080/UML
           Select both GET and POST and "allow" actions for both.

           Click "Finish"

           Create another New Rule
           2. New URL Policy Agent (with resource name) rule

           Click "New" under Rule
           Choose "URL Policy Agent (with resource name)"
           Rule name: UML Rule2
           Resource Name: http://sedemo8.identric.com:1080/UML/index.jsp
           Select both GET and POST and "allow" actions for both.

           Click "Finish"

           Create another New Rule
           3. New URL Policy Agent (with resource name) rule

           Click "New" under Rule
           Choose "URL Policy Agent (with resource name)"
           Rule name: UML Rule3
           Resource Name: http://sedemo8.identric.com:1080/UML/*/
           Select both GET and POST and "allow" actions for both.

           Create another New Rule
           4. New URL Policy Agent (with resource name) rule

           Click "New" under Rule
           Choose "URL Policy Agent (with resource name)"
           Rule name: UML Rule4
           Resource Name: http://sedemo8.identric.com:1080/UML/user
           Select both GET and POST and "deny" actions for both.

           Create another New Rule
           5. New URL Policy Agent (with resource name) rule

           Click "New" under Rule
           Choose "URL Policy Agent (with resource name)"
           Rule name: UML Rule5
           Resource Name: http://sedemo8.identric.com:1080/UML/user/*?*
           Select both GET and POST and "deny" actions for both.

           Create another New Rule
           6. New URL Policy Agent (with resource name) rule

           Click "New" under Rule
           Choose "URL Policy Agent (with resource name)"
           Rule name: UML Rule6
           Resource Name: http://sedemo8.identric.com:1080/UML/user/*
           Select both GET and POST and "deny" actions for both.

           Create another New Rule
           7. New URL Policy Agent (with resource name) rule

           Click "New" under Rule
           Choose "URL Policy Agent (with resource name)"
           Rule name: UML Rule7
           Resource Name: http://sedemo8.identric.com:1080/UML/anon/*?*
           Select both GET and POST and "deny" actions for both.
           Click "Finish"
           
  6. Create "New" Subjects
  
          1. Click on "New" under Subjects
          2. Choose "Authenticated Users"
          3. Click "Next"
          4. Name: "Authenticated Users"
          5. Click "Finish"
          (DO NOT select the "Exclusive" option)

  7. Create "New" Condition
  
          1. Click on "New" under conditions
          2. Choose: "Authentication to a Realm"
          3. Click "Next"
          4. Name: "Root Realm Authentication"
          5. Click "Finish"
          
  8. Click on "OK" to exit the Policy configuration page
  
  9. Logout of the OpenSSO Console
  
  10. Restart the OpenSSO Server
  
          # svcadm disable -s port82
          
          # svcadm enable -s port82

UML Admin Policy

 
    1. Log in to the OpenSSO Enterprise console as amadmin.
    2. Navigate to Access Control -> /(Top-Level Realm) -> Policies
    3. Click "New" to create a new policy
    4. Name the Policy as "UML Admin Policy"
    5. Create 3 new "Rules" by clicking the "New" button under rules.
    
           1. New URL Policy Agent (with resource name) rule
           Click "New" under Rule
           Choose "URL Policy Agent (with resource name)"
           Rule name: UML Admin Rule1
           Resource Name: http://sedemo8.identric.com:1080/UML/admin
           Select both GET and POST and "allow" actions for both.

           Click "Finish"

           Create another New Rule
           2. New URL Policy Agent (with resource name) rule

           Click "New" under Rule
           Choose "URL Policy Agent (with resource name)"
           Rule name: UML Admin Rule2
           Resource Name: http://sedemo8.identric.com:1080/UML/admin/*
           Select both GET and POST and "allow" actions for both.

           Click "Finish"

           Create another New Rule
           3. New URL Policy Agent (with resource name) rule

           Click "New" under Rule
           Choose "URL Policy Agent (with resource name)"
           Rule name: UML Admin Rule3
           Resource Name: http://sedemo8.identric.com:1080/UML/admin/*?*
           Select both GET and POST and "allow" actions for both.

           Click "Finish"
           
  6. Create "New" Subjects
  
          1. Click on "New" under Subjects
          2. Choose "OpenSSO Identity Subject"
          3. Click "Next"
          4. Name: "Admin Users Only"
          (DO NOT select the "Exclusive" option)
          5. Under Select Identity Type, select:  Group
          6. Select Search
          7. Select the group:  Information Technologies
          8. Select Add
          9. Click "Finish"
          

  7. Create "New" Condition
  
          1. Click on "New" under conditions
          2. Choose: "Authentication to a Realm"
          3. Click "Next"
          4. Name: "Root Realm Authentication"
          5. Click "Finish"
          
  8. Click on "OK" to exit the Policy configuration page
  
  9. Logout of the OpenSSO Console
  
  10. Restart the OpenSSO Server
  
          # svcadm disable -s port82
          
          # svcadm enable -s port82
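The three lists configured so far (the agent's Not Enforced URLs under the "Application" tab, the UML Policy and the UML Admin Policy) interact, and the overlaps are easy to misjudge by eye: UML Rule3 allows http://sedemo8.identric.com:1080/UML/*/ while Rule6 denies .../UML/user/*, both matching a request for /UML/user/, and the not-enforced pattern .../UML/anon/index.jsp* is consulted before any policy, so Rule7's deny on .../UML/anon/*?* never sees a query to index.jsp. The model below is an added example (not OpenSSO's policy evaluator and not code from this page) that encodes exactly the rules, subjects and not-enforced entries from this page and evaluates constructed requests against them. Its simplifications are assumptions: "*" matches any run of characters including "/", the query string gets no special treatment, the "Authentication to a Realm" condition is modelled as the user's realm being "/", and conflicting decisions resolve deny-over-allow; the users alice and bob are constructed.

```python
"""Model of the decisions the Apache web agent makes from the not-enforced
URL list and the two UML policies configured above.

Added example; it is not OpenSSO's policy evaluator and not code from this
page. Simplifications, stated as assumptions: '*' matches any run of
characters including '/', the query string gets no special treatment, the
"Authentication to a Realm" condition is modelled as the user's realm being
'/', and conflicting decisions resolve deny-over-allow. Users are constructed.
"""
import re


def wildcard_match(pattern, url):
    """'*' matches zero or more of any character; all other text is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, url) is not None


class Rule:
    def __init__(self, name, resource, action, methods=("GET", "POST")):
        self.name, self.resource, self.action = name, resource, action
        self.methods = set(methods)


class Policy:
    def __init__(self, name, rules, subject):
        self.name, self.rules, self.subject = name, rules, subject

    def applies_to(self, user):
        # Condition "Authentication to a Realm" (root realm) plus the subject test.
        return user.get("realm") == "/" and self.subject(user)


def decide(not_enforced, policies, user, url, method="GET"):
    """Return 'allow', 'deny' or 'login' for one request seen by the agent.
    user is None for a request without an OpenSSO session."""
    if any(wildcard_match(p, url) for p in not_enforced):
        return "allow"                 # not-enforced: served without a session
    if user is None:
        return "login"                 # agent redirects to the OpenSSO login URL
    decisions = [
        rule.action
        for policy in policies if policy.applies_to(user)
        for rule in policy.rules
        if method in rule.methods and wildcard_match(rule.resource, url)
    ]
    if "deny" in decisions:
        return "deny"                  # assumption: deny overrides allow
    return "allow" if "allow" in decisions else "deny"   # no decision: not allowed


BASE = "http://sedemo8.identric.com:1080"

NOT_ENFORCED = [BASE + "/UML/anon/index.jsp*", BASE + "/UML/css/*", BASE + "/UML/images/*"]

UML_POLICY = Policy("UML Policy", [
    Rule("UML Rule1", BASE + "/UML", "allow"),
    Rule("UML Rule2", BASE + "/UML/index.jsp", "allow"),
    Rule("UML Rule3", BASE + "/UML/*/", "allow"),
    Rule("UML Rule4", BASE + "/UML/user", "deny"),
    Rule("UML Rule5", BASE + "/UML/user/*?*", "deny"),
    Rule("UML Rule6", BASE + "/UML/user/*", "deny"),
    Rule("UML Rule7", BASE + "/UML/anon/*?*", "deny"),
], subject=lambda user: True)          # subject "Authenticated Users"

UML_ADMIN_POLICY = Policy("UML Admin Policy", [
    Rule("UML Admin Rule1", BASE + "/UML/admin", "allow"),
    Rule("UML Admin Rule2", BASE + "/UML/admin/*", "allow"),
    Rule("UML Admin Rule3", BASE + "/UML/admin/*?*", "allow"),
], subject=lambda user: "Information Technologies" in user.get("groups", []))

POLICIES = [UML_POLICY, UML_ADMIN_POLICY]

# Constructed users: an ordinary authenticated user and an IT-group member.
ALICE = {"uid": "alice", "realm": "/", "groups": []}
BOB = {"uid": "bob", "realm": "/", "groups": ["Information Technologies"]}


def uml(user, path, method="GET"):
    """Decision for a path under the proxied UML application."""
    return decide(NOT_ENFORCED, POLICIES, user, BASE + path, method)


if __name__ == "__main__":
    for who, user in (("anonymous", None), ("alice", ALICE), ("bob", BOB)):
        for path in ("/UML/css/site.css", "/UML/index.jsp", "/UML/user/",
                     "/UML/user/profile.jsp", "/UML/admin/users.jsp"):
            print(f"{who:10} {path:25} {uml(user, path)}")
```

Under these assumptions /UML/user/ is denied for everyone because Rule6's deny outranks Rule3's allow, /UML/admin/users.jsp is denied for alice because no rule of any applicable policy yields a decision (the agent treats "no decision" as not allowed), and bob is still denied under /UML/user/ because the UML Policy applies to every authenticated user, IT group or not. The last point is worth keeping in mind when the admin policy is extended: allows in the admin policy cannot override denies in the user policy.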

Configure Agent for header variable needed by User Management Lite

Login to the OpenSSO console using "amadmin" credentials.

Navigate to: Access Control -> / (Top level Realm) -> Agents

Select: apache-agent

Select the tab: Application

In the section: Profile Attributes Processing

Enter the value for Profile Attribute Fetch Mode: HTTP_HEADER

Enter a value for Profile Attribute Map:

Map Key: uid

Corresponding Map Value: openptkid

Select the tab: OpenSSO Services

Under the section: Agent Logout URL

Enter the Logout Redirect URL: http://sedemo8.identric.com:1080/

Copyright 1994-2009 Sun Microsystems, Inc.