Configuring Sun Java System Access Manager Policy Agents on IBM WebSphere 6.0 Cluster

You can download the PDF version of this document here. Right now I am having some issues getting the complete text to display on this blog.

1. Deployment setup and Assumptions

For this exercise it is assumed that the WebSphere Network Deployment Server (WNDS) has one cell with two clusters in it (CARE and IS). Each cluster has exactly two Application Server instances belonging to the same profile, hosting one or more applications. The cluster member Application Server instances are distributed across two physical nodes as depicted in the diagrams below. The WNDS profile is located on one of the nodes. The clusters are created before the agents are installed. This document does not cover the procedures for creating WebSphere clusters or for configuring the IBM HTTP Server for load balancing. Additionally, no custom SSL key store is used: the Application Server and Access Manager traffic happens over HTTP.

To deploy the policy agents on the WebSphere clusters there is no need to defederate the nodes.

1.1 Software versions used

    WAS 6.0.0.1, WNDS, Solaris 10 SPARC, Access Manager 7.0P3 (realm), WebSphere 6.0 Policy Agent 2.2 patch 3, and IBM_HTTP_Server/6.0 Apache/2.0.47

1.2 Applicability

This document is relevant only to the WebSphere and other product major versions specified in section 1. The steps detailed in this document apply only to deployments where Access Manager and the protected applications are deployed within the same DNS domain. IBM WebSphere Application Server 6.0 provides multiple options for creating and deploying WebSphere clusters, and it is straightforward to adapt this document to the specific type of application server federation profile.

2. Installing Policy agents on the WAS clusters and Deployment Manager

In a cluster scenario, policy agents need to be configured for each Application Server instance, including the Deployment Manager and the node agents.

NOTE: If you are using the IBM JDK in your JAVA_HOME, edit the agentadmin utility to include the following JVM options before invoking agentadmin: -DamCryptoDescriptor.provider=IBMJCE and -DamKeyGenDescriptor.provider=IBMJCE

Refer to the policy agent's documentation for more details.

2.1 Installing agents on the Application server instances on node2

Agents must be installed in each instance where the application to be protected is deployed. Start with the node2 (ide-10) host. Unzip the agent bits to a writable location, then stop the server instance. Invoke agentadmin --install with the relevant parameters and the server instance name.

NOTE: For all the agent configurations in a cell, you must use the same agent ID and password; otherwise the clusters will not start up. For this exercise we are using the agent ID 'was6'. This ID must have been created in Access Manager before starting the agentadmin tool. Stop the application server or node agent instance before starting the agentadmin tool.

You can find more information on these agent profiles, and on how they have to be created in Access Manager, at this link.

For example, the installation summary for the server instance is-ide10:

agentadmin --install

<read and agree to the license>

Welcome to the Access Manager Policy Agent for IBM WebSphere Application
Server 6.0 If the Policy Agent is used with Federation Manager services, User
needs to enter information relevant to Federation Manager.

Enter the fully qualified path to the configuration directory of the Server
Instance for the WebSphere node.
[ ? : Help, ! : Exit ]
Enter the Instance Config Directory
[/opt/WebSphere/AppServer/profiles/default/config/cellside-10Node01Cell/nodes/ide-10Node01/servers/server1]: /opt/IBM/WebSphere/AppServer/profiles/care/config/cells/ide-12Cell01/nodes/ide-10Node02/servers/is-ide10

Enter the Server Instance name.
[ ? : Help, < : Back, ! : Exit ]
Enter the Server Instance name [server1]: is-ide10

Enter the WebSphere Install Root directory.
[ ? : Help, < : Back, ! : Exit ]
Enter the WebSphere Install Root directory [/opt/WebSphere/AppServer]: /opt/IBM/WebSphere/AppServer

Enter the fully qualified host name of the server where Access Manager
Services are installed.
[ ? : Help, < : Back, ! : Exit ]
Access Manager Services Host:

Enter the port number of the Server that runs Access Manager Services.
[ ? : Help, < : Back, ! : Exit ]
Access Manager Services port [80]: 58080

Enter http/https to specify the protocol used by the Server that runs Access
Manager services.
[ ? : Help, < : Back, ! : Exit ]
Access Manager Services Protocol [http]:

Enter the Deployment URI for Access Manager Services.
[ ? : Help, < : Back, ! : Exit ]
Access Manager Services Deployment URI [/amserver]:

Enter the fully qualified host name on which the Application Server
protected by the agent is installed.
[ ? : Help, < : Back, ! : Exit ]
Enter the Agent Host name:

Enter the preferred port number on which the application server provides its
[ ? : Help, < : Back, ! : Exit ]
Enter the port number for Application Server instance [80]: 9081

Select http or https to specify the protocol used by the Application server
instance that will be protected by Access Manager Policy Agent.
[ ? : Help, < : Back, ! : Exit ]
Enter the Preferred Protocol for Application Server instance [http]:

Enter the deployment URI for the Agent Application. This Application is used
by the agent for internal housekeeping.
[ ? : Help, < : Back, ! : Exit ]
Enter the Deployment URI for the Agent Application [/agentapp]:

Enter a valid Encryption Key.
[ ? : Help, < : Back, ! : Exit ]
Enter the Encryption Key [yuQwMRC3AxkqrkMznVKw+JVpNiw3tZj+]:

Enter a valid Agent profile name. Before proceeding with the agent
installation, please ensure that a valid Agent profile exists in Access
[ ? : Help, < : Back, ! : Exit ]
Enter the Agent Profile name: was6

Enter the path to a file that contains the password to be used for identifying
the Agent.
[ ? : Help, < : Back, ! : Exit ]
Enter the path to the password file: /tmp/pass

Enter true if the Agent is being installed on the same instance of Application
Server on which Access Manager is deployed. Enter false if that is not the
[ ? : Help, < : Back, ! : Exit ]
Are the Agent and Access Manager installed on the same instance of
Application Server ? [false]:

Instance Config Directory :
Instance Server name : is-ide10
WebSphere Install Root Directory : /opt/IBM/WebSphere/AppServer
Access Manager Services Host :
Access Manager Services Port : 58080
Access Manager Services Protocol : http
Access Manager Services Deployment URI : /amserver
Agent Host name :
Application Server Instance Port number : 9081
Protocol for Application Server instance : http
Deployment URI for the Agent Application : /agentapp
Encryption Key : yuQwMRC3AxkqrkMznVKw+JVpNiw3tZj+
Agent Profile name : was6
Agent Profile Password file name : /tmp/pass
Agent and Access Manager on same application server instance : false

Verify your settings above and decide from the choices below.
1. Continue with Installation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]:

Copy agent.jar,amclientsdk.jar to
Creating directory layout and configuring file for
agent_001 instance ...DONE.
Reading data from file /tmp/pass and encrypting it ...DONE.
Generating audit log file name ...DONE.
Creating tag swapped file for instance agent_001 ...DONE.
Creating a backup for file
Configure server.xml file

Agent instance name: agent_001
Agent Configuration file location:
Agent Audit directory location:
Agent Debug directory location:
Install log file location:
Thank you for using Access Manager Policy Agent

Repeat the above step for the other Application Server instance. Use the same agent binaries; do not use separate agent bits for each instance. The same bits can be used to create more agent instances. After a successful installation, you will see an agent_002 instance in the agents root directory. When agentadmin is invoked a second time to create more agent instances, it will not ask for the Access Manager related details. Supply only the Application Server instance, the agent profile ID/password and the encryption key.
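The walkthrough above is interactive, and the two points the notes in this section insist on (a password file that agentadmin reads in clear text from /tmp, and an agent ID, password and encryption key that must be identical on every instance in the cell) are easy to get wrong on the second and third instance. The POSIX shell script below is an added example, not part of the original post or of the agent distribution: it checks that the password file is a non-empty regular file readable by its owner only, compares the agent profile name and encryption key recorded by every agent_00N instance already installed from the same bits, and reports the IBMJCE JVM options when the JDK in JAVA_HOME is IBM's. It assumes the 2.2 J2EE agent layout of agent_00N/config/AMAgent.properties under the agents root directory and the property names com.sun.identity.agents.app.username and am.encryption.pwd in that file; the paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post or the agent distribution):
# pre-flight checks before running "agentadmin --install" on a cluster member.
# Assumed layout: <agents-root>/agent_00N/config/AMAgent.properties holding
# the keys com.sun.identity.agents.app.username and am.encryption.pwd.

# agentadmin reads and encrypts the password file, but the clear-text copy
# stays on disk; require a regular, non-empty file with no group/other bits.
check_password_file() {
    f=$1
    [ -f "$f" ] || { echo "password file $f missing" >&2; return 1; }
    [ -s "$f" ] || { echo "password file $f is empty" >&2; return 1; }
    # Columns 5-10 of "ls -l" are the group and other permission bits; this
    # works on both Solaris and Linux, unlike stat(1), whose options differ.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || {
        echo "password file $f is readable by group/other ($perms)" >&2
        return 1
    }
    return 0
}

# Read one key from a Java properties file (first match, trailing blanks trimmed).
agent_property() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        head -n 1 | sed 's/[[:space:]]*$//'
}

# Every instance in the cell must carry the same agent profile name and the
# same encryption key, or the cluster members will not start. Compare what
# each installed instance recorded against the first instance found.
check_agent_consistency() {
    root=$1
    ref_user=""
    ref_key=""
    n=0
    rc=0
    for props in "$root"/agent_*/config/AMAgent.properties; do
        [ -f "$props" ] || continue
        n=$((n + 1))
        user=$(agent_property "$props" com.sun.identity.agents.app.username)
        key=$(agent_property "$props" am.encryption.pwd)
        if [ "$n" -eq 1 ]; then
            ref_user=$user
            ref_key=$key
            continue
        fi
        [ "$user" = "$ref_user" ] || {
            echo "$props: agent profile '$user' differs from '$ref_user'" >&2
            rc=1
        }
        [ "$key" = "$ref_key" ] || {
            echo "$props: encryption key differs from the first instance" >&2
            rc=1
        }
    done
    [ "$n" -gt 0 ] || { echo "no agent instances found under $root" >&2; return 1; }
    return $rc
}

# With the IBM JDK, agentadmin needs the IBMJCE provider options from the note
# in section 2; with HotSpot nothing is needed. Argument: "java -version" output.
jvm_opts_for() {
    case $1 in
        *IBM*) echo "-DamCryptoDescriptor.provider=IBMJCE -DamKeyGenDescriptor.provider=IBMJCE" ;;
        *)     echo "" ;;
    esac
}

# preflight PASSWORD_FILE AGENTS_ROOT
preflight() {
    check_password_file "$1" || return 1
    # On the very first install the agents root does not exist yet.
    if [ -d "$2" ]; then
        check_agent_consistency "$2" || return 1
    fi
    ver=$("${JAVA_HOME:-/usr}/bin/java" -version 2>&1 || true)
    opts=$(jvm_opts_for "$ver")
    if [ -n "$opts" ]; then
        echo "IBM JDK detected: add $opts to the agentadmin script before running it"
    fi
    echo "ok: run agentadmin --install for this instance, then remove $1"
}

# Usage: sh agent_preflight.sh /tmp/pass /path/to/agents-root
if [ $# -eq 2 ]; then
    preflight "$1" "$2"
fi
```

Run it as sh agent_preflight.sh /tmp/pass <agents-root> before each agentadmin --install; on the first install the agents root does not exist yet, so only the password file and JDK checks run. Delete the password file once agentadmin reports "Reading data from file ... and encrypting it ...DONE."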


After successfully completing the agents installation on the application ser


Indira Thangasamy, I manage the OpenSSO Quality engineering team.

