DSEE Tip: Installing Access Manager and Configuring to use DSEE

Following on from my previous page on installing DSEE, this simple set of instructions shows how to install an Access Manager instance onto a pre-existing GlassFish installation and then configure it to use the previously installed DSEE instance.

Installing Access Manager

Installing and configuring Access Manager to integrate with the DSEE instance requires a number of steps. If you plan on installing everything on a single machine, it is recommended that you install a GlassFish instance specifically for your Access Manager installation and then install the Proxy Agent on your primary GlassFish instance. Because of the way the agent configuration is stored on the file system, each instance needs its own fully qualified domain name, so a number of pre-install configuration steps are needed first.

Pre-install Configuration
  1. Add two entries to your hosts file (pick your own names). These will be used to refer to the Access Manager GlassFish instance and your main GlassFish instance.

  • 127.0.0.1 amanager.sun.com

  • 127.0.0.1 amproxy.sun.com

  2. Install the Access Manager GlassFish instance (we will assume this is on port 58080 and will be known as Glassfish58080).

    We will assume that this is installed in C:\Software\AppServers\GlassFish\glassfish58080 .

  3. Install the primary GlassFish instance (we will assume this is on port 28080 and will be known as Glassfish28080).

    We will assume that this is installed in C:\Software\AppServers\GlassFish\glassfish28080 .
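As an added example (not part of the original post), the following Python script parses a hosts file and checks that the two names chosen in step 1 are present, fully qualified, and each map to exactly one address. The host names are the ones used in this walkthrough; the sample hosts-file text is constructed for the demonstration.

```python
# Check that the hosts-file entries this walkthrough relies on are in place.
# Added example, not code from the original post. SAMPLE_HOSTS is constructed;
# on a real machine read the hosts file itself instead
# (C:\Windows\System32\drivers\etc\hosts on Windows, /etc/hosts elsewhere).

# The two names chosen in step 1: the Access Manager GlassFish instance and the
# instance that will carry the policy agent. Both must be fully qualified and
# distinct, because the agent configuration is keyed on these names.
REQUIRED_HOSTS = {
    "amanager.sun.com": "127.0.0.1",
    "amproxy.sun.com": "127.0.0.1",
}

# Constructed hosts file as it might look after step 1.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       amanager.sun.com
127.0.0.1       amproxy.sun.com   # policy agent instance
"""


def parse_hosts(text):
    """Return {hostname: set(addresses)} from hosts-file text.

    Comments (from '#' to end of line) and blank lines are ignored; one line
    may map an address to several names, and a name may appear on more than
    one line, which is why each name collects a set of addresses.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower(), set()).add(addr)
    return mapping


def check_hosts(text, required=REQUIRED_HOSTS):
    """Return a list of problems; an empty list means the file is ready."""
    problems = []
    mapping = parse_hosts(text)
    for name, want in required.items():
        if "." not in name:
            problems.append(f"{name}: not a fully qualified name")
        addrs = mapping.get(name.lower())
        if addrs is None:
            problems.append(f"{name}: missing from hosts file")
        elif addrs != {want}:
            # Either a wrong address or a conflicting duplicate entry; which
            # one wins on lookup is resolver-dependent, so flag it.
            problems.append(f"{name}: maps to {sorted(addrs)}, expected {want}")
    return problems


if __name__ == "__main__":
    for problem in check_hosts(SAMPLE_HOSTS) or ["hosts file OK"]:
        print(problem)
```

The duplicate-entry check matters because a stale line left over from an earlier install can silently send the agent to a different address than the one you expect.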

Access Manager Install
  1. Download the Access Manager Installation Zip (http://www.sun.com/download/index.jsp?cat=Identity%20Management&tab=3&subcat=Access%20Manager)

  2. Extract the Access Manager distribution.

  3. In the Glassfish58080 asadmin console, deploy the web application amserver.war (jdk15 version).

  4. Launch amserver from the asadmin console. The first time this is started, it will redirect you to the configurator. If this does not occur, remove the files in <User Dir>/AccessManager (on Windows, C:\Documents and Settings\<user>\AccessManager) and start it again.

  5. Change the configuration store settings to Directory Server (default is File System)

    1. Server name = localhost (or wherever the Directory Server was installed)

    2. port = 1389

    3. suffix = dc=am,dc=sun,dc=com

    4. Check “Load User Management Schema”

    5. All passwords on this screen should be “adminadmin” unless you have changed them earlier in the installation process.
  6. Once the configuration is complete, the amserver console will be displayed.

  7. Select the am Realm

  8. Select the Authentication Tab

    1. Select (Edit) the ldapService in the Authentication Chaining Table

    2. Change the Instance from File to LDAP and Save

    3. Check the File in Module Instances Table and Delete.

    4. Save
  9. Select Data Stores Tab

    1. Create new Data Store (Local DSEE)

    2. Sun Directory Server with Access Manager Schema

    3. Add LDAP Bind Password (adminadmin)

    4. Finish (Save)

    5. Check file Data Store and Delete
  10. Select Subjects Tab

    1. Select Users Sub Tab

    2. Create a new User
  11. Select Policies Tab

    1. Create New Policy (Web Application)

    2. Add a Rule : This will define the URLs that will be covered by this Policy. When specifying the host name use that of the Proxy Agent (amproxy.sun.com).

    3. Add Subject (User)

      Screenshots: Web Application Policy; Simple Rule; Add Subjects (Users)
  12. Select the Subjects Tab

    1. Select the Agent Sub Tab

    2. Create a new Agent (Glassfish28080Agent); this will be used in the next section to specify how the Proxy Agent connects to the main AM instance.
  13. Log out of Access Manager Admin and log in as the new user to test that it works.

  14. Shut down the Glassfish28080 server and edit the domain's server.policy file, adding the lines specified in the technical article http://developers.sun.com/identity/reference/techart/install.html and reproduced below. Note that several of these grants are broad (socket connections to any host, execute and delete on all files); they apply only to code loaded from the amserver codeBase named in the grant.


// ADDITIONS FOR Access Manager
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-" {
    permission java.net.SocketPermission "*", "connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.io.FilePermission "<<ALL FILES>>", "execute,delete";
    permission java.util.PropertyPermission "java.util.logging.config.class", "write";
    permission java.security.SecurityPermission "removeProvider.SUN";
    permission java.security.SecurityPermission "insertProvider.SUN";
    permission javax.security.auth.AuthPermission "doAs";
    permission java.util.PropertyPermission "java.security.krb5.realm", "write";
    permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
    permission java.util.PropertyPermission "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission "user.language", "write";
    permission javax.security.auth.kerberos.ServicePermission "*", "accept";
    permission javax.net.ssl.SSLPermission "setHostnameVerifier";
    permission java.security.SecurityPermission "putProviderProperty.IAIK";
    permission java.security.SecurityPermission "removeProvider.IAIK";
    permission java.security.SecurityPermission "insertProvider.IAIK";
};
// END OF ADDITIONS FOR Access Manager

Policy Agent Install
  1. Download Policy Agent (http://www.sun.com/download/index.jsp?cat=Identity%20Management&tab=3&subcat=Access%20Manager)

  2. Extract Policy Agent Files

  3. Run the command agentadmin --install

    The table below gives the answers to the questions asked during installation, following the license agreement:

    1. Enter the Application Server Config Directory Path :
       Response: C:\Software\AppServers\GlassFish\glassfish28080\domains\domain1\config

    2. Enter the Application Server Instance name [server]:
       Response: server
       Comment: Use the default.

    3. Access Manager Services Host:
       Response: amanager.sun.com
       Comment: This is the fully qualified name of the Access Manager server as used in the previous section.

    4. Access Manager Services port [80]:
       Response: 58080

    5. Access Manager Services Protocol [http]:
       Response: http
       Comment: Use the default.

    6. Access Manager Services Deployment URI [/amserver]:
       Response: amserver
       Comment: Use the default; this is the URI defined during the installation of amserver.war.

    7. Enter the Agent Host name:
       Response: amproxy.sun.com
       Comment: Fully qualified name that will be used to identify the application server running the proxy.

    8. Is Domain administration server host remote ? [false]:
       Response: false
       Comment: Because it is all local.

    9. Enter the port number for Application Server instance [80]:
       Response: 28080

    10. Enter the Preferred Protocol for Application Server instance [http]:
        Response: Http
        Comment: Use the default.

    11. Enter the Deployment URI for the Agent Application [/agentapp]:
        Response: agentapp
        Comment: Use the default, because we will install agentapp.war with the default URI.

    12. Enter the Encryption Key [kPexwQIl8JfRr9iG+/MZhSvkH/1LV6+f]:
        Response: (leave blank to accept the default)
        Comment: Use the default unless you really want to generate your own.

    13. Enter the Agent Profile name:
        Response: Glassfish28080Agent
        Comment: This is the name of the Agent we created in the previous section during the Access Manager configuration.

    14. Enter the path to the password file:
        Response: C:\Software\AccessManager\Glassfish28080\appserver_v9_agent\password
        Comment: We will assume that we have extracted the agent zip file to C:\Software\AccessManager\Glassfish28080\appserver_v9_agent and that we have created a file called password which contains just the password associated with the Glassfish28080Agent.

    15. Is the agent being installed on the DAS host for a remote instance ? [false]:
        Response: false

    16. Are the Agent and Access Manager installed on the same instance of Application Server ? [false]:
        Response: false
        Comment: Although technically they are on the same box, we have created multiple fully qualified domain names and installed them on amanager.sun.com and amproxy.sun.com. This keeps the installation simple.

    17. The installer then prints a summary of your responses:

        -----------------------------------------------
        SUMMARY OF YOUR RESPONSES
        -----------------------------------------------
        Application Server Config Directory : C:\Software\AppServer\Glassfish\glassfish-v2\glassfish48080\domains\domain1\config
        Application Server Instance name : server
        Access Manager Services Host : amanager.sun.com
        Access Manager Services Port : 58080
        Access Manager Services Protocol : http
        Access Manager Services Deployment URI : /amserver
        Agent Host name : amproxy.sun.com
        Domain Administration Server Host is remote : false
        Application Server Instance Port number : 28080
        Protocol for Application Server instance : http
        Deployment URI for the Agent Application : /agentapp
        Encryption Key : kPexwQIl8JfRr9iG+/MZhSvkH/1LV6+f
        Agent Profile name : Glassfish28080Agent
        Agent Profile Password file name : C:\Software\AccessManager\Glassfish28080\appserver_v9_agent\password
        Agent installed on the DAS host for a remote instance : false
        Agent and Access Manager on same application server instance : false

        Verify your settings above and decide from the choices below.
        1. Continue with Installation
        2. Back to the last interaction
        3. Start Over
        4. Exit
        Please make your selection [1]:

        Response: 1
        Comment: If the summary information is correct then install.






  4. This installation will create the directory C:\Software\AccessManager\Glassfish28080\appserver_v9_agent\Agent_001. Edit the AMAgent.properties file in its config directory and set:

    com.sun.identity.agents.config.filter.mode = URL_POLICY

    This will allow you to specify policies on a URL basis.
  5. Start the Glassfish28080 server.

  6. Install the agentapp.war located in C:\Software\AccessManager\Glassfish28080\appserver_v9_agent\etc.

  7. To force the Access Manager login page to appear when a web application is accessed, modify the application's web.xml and add the following filter and filter mapping:

        <filter>
            <filter-name>Agent</filter-name>
            <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
        </filter>

        <filter-mapping>
            <filter-name>Agent</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
  8. This can easily be done using NetBeans.
    Screenshot: NetBeans Web Filter Creation

  9. Redeploy the application and start it; this will take you to the Access Manager login screen.
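As an added example (not code from the original post or from the agent distribution), this Python script checks whether a web.xml already declares and maps the AmAgentFilter and, if not, inserts the two elements shown in step 7. It also checks that the agent's filter-mapping comes first, because servlet filters are applied in the order their filter-mapping elements appear in web.xml, and the agent should see a request before any of the application's own filters do. The sample web.xml is constructed.

```python
# Verify, and if needed add, the Access Manager agent filter in a web.xml.
# Added example, not code from the original post or from the agent
# distribution. SAMPLE_WEB_XML is constructed; the filter name, class and
# URL pattern are the ones the post adds to web.xml by hand.
import xml.etree.ElementTree as ET

FILTER_NAME = "Agent"
FILTER_CLASS = "com.sun.identity.agents.filter.AmAgentFilter"
URL_PATTERN = "/*"

# Constructed web.xml of an application that already has one filter of its own.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>Compression</filter-name>
    <filter-class>example.CompressionFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>Compression</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  <welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
  </welcome-file-list>
</web-app>
"""


def _ns(root):
    """Namespace prefix in ElementTree's '{uri}' form, or '' if none."""
    return root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""


def _agent_names(root, ns):
    """filter-name of every <filter> whose class is the agent filter."""
    return {f.findtext(ns + "filter-name") for f in root.findall(ns + "filter")
            if f.findtext(ns + "filter-class") == FILTER_CLASS}


def _insert_index(root, tag, after_tag=None):
    """Index before the first `tag` child; else after the last `after_tag`; else 0."""
    children = list(root)
    for i, child in enumerate(children):
        if child.tag == tag:
            return i
    later = [i for i, child in enumerate(children) if child.tag == after_tag]
    return later[-1] + 1 if later else 0


def agent_filter_status(xml_text):
    """Return (declared, mapped, first).

    declared: a <filter> with FILTER_CLASS exists
    mapped:   a <filter-mapping> for it covers URL_PATTERN
    first:    that mapping is the first <filter-mapping> in the file; filters
              run in mapping order, so only then does the agent see every
              request before any other filter does
    """
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    names = _agent_names(root, ns)
    positions = [i for i, m in enumerate(root.findall(ns + "filter-mapping"))
                 if m.findtext(ns + "filter-name") in names
                 and m.findtext(ns + "url-pattern") == URL_PATTERN]
    return (bool(names), bool(positions), positions[:1] == [0])


def add_agent_filter(xml_text):
    """Return web.xml text with the agent filter declared and mapped first."""
    root = ET.fromstring(xml_text)
    ns = _ns(root)
    if ns:
        ET.register_namespace("", ns[1:-1])  # keep the default namespace on output
    names = _agent_names(root, ns)
    if not names:
        flt = ET.Element(ns + "filter")
        ET.SubElement(flt, ns + "filter-name").text = FILTER_NAME
        ET.SubElement(flt, ns + "filter-class").text = FILTER_CLASS
        root.insert(_insert_index(root, ns + "filter"), flt)
        names = {FILTER_NAME}
    # Drop any existing mapping of the agent filter and re-add it ahead of all
    # other mappings, since mappings apply in document order.
    for m in list(root.findall(ns + "filter-mapping")):
        if m.findtext(ns + "filter-name") in names:
            root.remove(m)
    mapping = ET.Element(ns + "filter-mapping")
    ET.SubElement(mapping, ns + "filter-name").text = sorted(names)[0]
    ET.SubElement(mapping, ns + "url-pattern").text = URL_PATTERN
    root.insert(_insert_index(root, ns + "filter-mapping", ns + "filter"), mapping)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(agent_filter_status(SAMPLE_WEB_XML))   # (False, False, False)
    fixed = add_agent_filter(SAMPLE_WEB_XML)
    print(agent_filter_status(fixed))            # (True, True, True)
```

Run agent_filter_status over the web.xml of each application you deploy behind the agent; a result of (True, True, False) means the filter is present but another filter runs ahead of it, which is the case a quick visual check of web.xml tends to miss.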

Resources

Comments:

This how-to was AWESOME!!! Would you mind posting your startup scripts for the glassfish, directory server, and access manager? I'm running RHEL 4AS and am unsure of what exactly must be started at boot and what can be left off.

Thanks
Ahnjoan

Posted by Ahnjoan Amous on February 02, 2008 at 07:18 AM GMT #

Hi I have added some Start / Stop scripts to the end of the entry along with some additional information about setting up a proxy agent. Essentially for startup you will need to start DSEE, Cacao and the GlassFish instances.

Posted by guest on February 06, 2008 at 05:27 AM GMT #
