h1. Steps to install opensso agent 3.0 b3 for glassfish

Assume FAM 8 server has been deployed using the b3 build [OpenSSO b3 download | https://opensso.dev.java.net/public/use/index.html]
The opensso server url is http://myhost.red.iplanet.com:8080/opensso.
The glassfish server instance is at http://myhost.red.iplanet.com:8090.


h2. How to install opensso agent 3.0 b3 for glassfish

{noformat}
1. Download appserver_v9_agent.zip from the same b3 build mentioned above.

2. Unzip it to an install directory say /myagent.
Create a text file /myagent/passwordfile that contains the agent user password in clear text.

3. cd to /myagent/j2ee_agents/appserver_v9_agent/bin

4. chmod 755 agentadmin

5. Stop the agent container.

6. Start installation: ./agentadmin --install

************************************************************************
Welcome to the Access Manager Policy Agent for Sun Java(TM) System
Application Server 8.1/8.2/9.0/9.1. If the Policy Agent is used with
Federation Manager services, User needs to enter information relevant to
Federation Manager.

************************************************************************


Enter the complete path to the directory which is used by Application Server
to store its configuration Files. This directory uniquely identifies the
Application Server instance that is secured by this Agent.
[ ? : Help, ! : Exit ]
Enter the Application Server Config Directory Path
[/var/opt/SUNWappserver/domains/domain1/config]:/space/products/glassfish/glassfish/domains/domain1/config

Enter the name of the Application Server instance that is secured by this
Agent.
[ ? : Help, < : Back, ! : Exit ]
Enter the Application Server Instance name [server]:


Enter the URL where the Access Manager is running. Please include the
deployment URI also as shown below:
(http://myserver.company.com:8080/opensso)
[ ? : Help, < : Back, ! : Exit ]
Access Manager URL: http://myhost.red.iplanet.com:8080/opensso


Enable this field only when the agent is being installed on a remote server
instance host.
[ ? : Help, < : Back, ! : Exit ]
Is Domain administration server host remote ? [false]:

Enter the Agent protected Application Server URL
[ ? : Help, < : Back, ! : Exit ]
Agent URL: http://myhost.red.iplanet.com:8090


Enter the deployment URI for the Agent Application. This Application is used
by the agent for internal housekeeping.
[ ? : Help, < : Back, ! : Exit ]
Enter the Deployment URI for the Agent Application [/agentapp]:


Enter a valid Encryption Key.
[ ? : Help, < : Back, ! : Exit ]
Enter the Encryption Key [RjZAM5H5cDkhC0X5x4cHkMX7K0OtTm1L]:


Enter a valid Agent profile name. Before proceeding with the agent
installation, please ensure that a valid Agent profile exists in Access
Manager.
[ ? : Help, < : Back, ! : Exit ]
Enter the Agent Profile name: myagent1


Enter the path to a file that contains the password to be used for identifying
the Agent.
[ ? : Help, < : Back, ! : Exit ]
Enter the path to the password file: /myagent/passwordfile


Enter true only if agent is being installed on a remote instance from the
Domain Administration server host.
[ ? : Help, < : Back, ! : Exit ]
Is the agent being installed on the DAS host for a remote instance ? [false]:


-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Application Server Config Directory :
/space/products/glassfish/glassfish/domains/domain1/config
Application Server Instance name : server
Access Manager URL : http://myhost.red.iplanet.com:8080/opensso
Domain Administration Server Host is remote : false
Agent URL : http://myhost.red.iplanet.com:8090
Deployment URI for the Agent Application : /agentapp
Encryption Key : RjZAM5H5cDkhC0X5x4cHkMX7K0OtTm1L
Agent Profile name : myagent1
Agent Profile Password file name : /myagent/passwordfile
Agent installed on the DAS host for a remote instance : false

Verify your settings above and decide from the choices below.
1. Continue with Installation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]:

Creating a backup for file
/space/products/glassfish/glassfish/domains/domain1/config/login.conf
...DONE.

Creating a backup for file
/space/products/glassfish/glassfish/domains/domain1/config/server.policy
...DONE.

Adding Agent Realm to
/space/products/glassfish/glassfish/domains/domain1/config/login.conf
file ...DONE.

Adding java permissions to
/space/products/glassfish/glassfish/domains/domain1/config/server.policy
file ...DONE.

Creating directory layout and configuring Agent file for Agent_001
instance ...DONE.

Reading data from file /tmp/passwordfile and encrypting it ...DONE.

Generating audit log file name ...DONE.

Creating tag swapped AMAgent.properties file for instance Agent_001 ...DONE.

Creating a backup for file
/space/products/glassfish/glassfish/domains/domain1/config/domain.xml
...DONE.

Adding Agent parameters to
/space/products/glassfish/glassfish/domains/domain1/config/domain.xml
file ...DONE.


SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: Agent_001
Agent Bootstrap file location:
/export/home/space/agents/glassfish/j2ee_agents/appserver_v9_agent/Agent_001/config/AMAgent.properties
Agent Configuration file location
/export/home/space/agents/glassfish/j2ee_agents/appserver_v9_agent/Agent_001/config/AMAgentConfiguration.properties
Agent Audit directory location:
/export/home/space/agents/glassfish/j2ee_agents/appserver_v9_agent/Agent_001/logs/audit
Agent Debug directory location:
/export/home/space/agents/glassfish/j2ee_agents/appserver_v9_agent/Agent_001/logs/debug


Install log file location:
/export/home/space/agents/glassfish/j2ee_agents/appserver_v9_agent/logs/audit/install.log

Thank you for using Access Manager Policy Agent


7. Agent install is done. Go to FAM 8 server to create an agent profile myagent1.

8. Login to FAM 8 server console as amadmin user: http://myhost.red.iplanet.com:8080/opensso

9. Navigate to "Configuration -> Agents -> J2EE"

10. In the Agent section, click on New button

11. In the Name field, enter myagent1
Enter password (the same password as specified in /myagent/passwordfile, provided during agent install)
Reenter password
Enter http://myhost.red.iplanet.com:8080/opensso in Server URL field
Enter http://myhost.red.iplanet.com:8090/agentapp in Agent URL field
Then click on Create button at the top right corner.

12. The console displays the J2EE Agent page again with a link myagent1.
Click on the myagent1 link; the Edit myagent1 page shows up.

13. The agent profile is now created.

14. Now restart the agent container.

15. Deploy agentapp.war, which is located at /myagent/j2ee_agents/appserver_v9_agent/etc.
This is a housekeeping app for the agent. It receives notifications from the FAM 8 server and passes them on to the agent.

16. The agent should now function.

{noformat}


h2. How to set up the sample application

{noformat}
1. On the agent machine, cd /myagent/j2ee_agents/appserver_v9_agent/sampleapp
This directory has the sample app source and deployable files.
If your FAM server's root suffix is "dc=opensso,dc=java,dc=net", then you don't have to change anything.
Just deploy the agentsample.ear file located in the dist directory.
If not, you need to modify sun-application.xml and sun-web.xml in the etc directory by replacing
"dc=opensso,dc=java,dc=net" with your root suffix.
Then you need to rebuild the ear file following the instructions in the readme.txt section
"Compiling and Assembling the Application".
Now, deploy the agentsample.ear file located in the dist directory.

2. Login to FAM server console as amadmin user and navigate to "Configuration -> Agents -> J2EE".

3. Click on the myagent1 link; the myagent1 page shows up. The agent page looks a little cryptic right now.
We are working on improving the look and feel.

4. Under Global tab, General section, in the field com.sun.identity.agents.config.access.denied.uri,
enter /agentsample/authentication/accessdenied.html
Make sure you now choose the "save" button on this page to save your changes.

5. Under Application tab, Login Processing section, in the field com.sun.identity.agents.config.login.form,
remove the default value [0]=, and add [0]=/agentsample/authentication/login.html

6. Under Application tab, Logout Processing section, in the field com.sun.identity.agents.config.logout.uri,
remove the default value []=, and add [agentsample]=/agentsample/logout

7. Under Application tab, URI Processing section, in the field com.sun.identity.agents.config.notenforced.uri,
remove the default value [0]=, and add the following respectively,
[0]=/agentsample/public/*
[1]=/agentsample/images/*
[2]=/agentsample/styles/*
[3]=/agentsample/index.html
[4]=/agentsample/
[5]=/agentsample

Make sure you now choose the "save" button on this page to save your changes.

8. Optionally, under the Global tab, General section, set com.iplanet.services.debug.level to message, so that debug info will be logged at message level.
Make sure you now choose the "save" button on this page to save your changes.

9. Go back to main console page, and click on Access Control tab

10. Click on realm "opensso", click on the Subjects tab, then click on the User tab. Create a new user called "chris" with password "chris".
Click on the Group tab and create groups "manager" and "employee". Assign the user "chris" to both "manager" and "employee".

11. Go to the Policies tab. Create a new policy p1. Create a rule r1 with resource name
http://myhost.red.iplanet.com:8090/agentsample/*, allowing actions GET and POST.
Click on the Save button to save the rule r1. Then in the same policy, create a Subject s1 and
assign the groups "manager" and "employee" to the subject s1.
Save the subject, and most importantly save the policy p1.

12. The sample application setup is done.
Open up a browser and enter http://myhost.red.iplanet.com:8090/agentsample.
On the left hand side frame, there are three links.

J2EE Declarative Security
J2EE Security API
URL Policy Enforcement

Click on URL Policy Enforcement; on the right frame, a page shows up with a link saying
"Invoke a Servlet Protected by URL Policy". Click on the link, and the agent will take you to the FAM login page.
Enter chris/chris. The browser should show you a successful invocation page if things go well.
Exercise the other two links in a similar manner.

{noformat}
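Added example (not from the original page or the OpenSSO agent code): a small Python audit that parses the indexed agent properties entered in steps 4 to 7 above and reports which request URIs the not-enforced list leaves public, so you can check that only the intended static paths bypass SSO. It assumes `*` in a not-enforced entry matches any run of characters; the property text below is constructed for the example.

```python
import re

# Constructed sample of the indexed-property format that the console steps above
# write into the agent configuration (not a file taken from a real install).
SAMPLE_AGENT_PROPERTIES = """
com.sun.identity.agents.config.access.denied.uri=/agentsample/authentication/accessdenied.html
com.sun.identity.agents.config.login.form[0]=/agentsample/authentication/login.html
com.sun.identity.agents.config.logout.uri[agentsample]=/agentsample/logout
com.sun.identity.agents.config.notenforced.uri[0]=/agentsample/public/*
com.sun.identity.agents.config.notenforced.uri[1]=/agentsample/images/*
com.sun.identity.agents.config.notenforced.uri[2]=/agentsample/styles/*
com.sun.identity.agents.config.notenforced.uri[3]=/agentsample/index.html
com.sun.identity.agents.config.notenforced.uri[4]=/agentsample/
com.sun.identity.agents.config.notenforced.uri[5]=/agentsample
"""

# key, optional [index], and value
KEY_RE = re.compile(r"^([^\[=\s]+)(?:\[([^\]]*)\])?=(.*)$")


def parse_agent_properties(text):
    """Return {key: value} for plain keys and {key: {index: value}}
    for indexed keys such as notenforced.uri[0]."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.match(line)
        if not m:
            raise ValueError("unparseable line: %r" % line)
        key, index, value = m.group(1), m.group(2), m.group(3).strip()
        if index is None:
            props[key] = value
        else:
            props.setdefault(key, {})[index] = value
    return props


def _pattern_to_regex(pattern):
    # Assumption: '*' matches any run of characters; everything else is literal.
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def is_enforced(props, request_uri):
    """True when no not-enforced entry matches, i.e. the agent would require SSO."""
    entries = props.get("com.sun.identity.agents.config.notenforced.uri", {})
    return not any(_pattern_to_regex(p).match(request_uri) for p in entries.values())


def audit_not_enforced(props, uris):
    """Map each request URI to 'enforced' or 'public' for review of the exposure list."""
    return {u: ("enforced" if is_enforced(props, u) else "public") for u in uris}
```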

Copyright 1994-2009 Sun Microsystems, Inc.