chap-websphere.xml revision b6cd10668830bc4a7a7f794b703dc98929b4e3a2
<?xml version="1.0" encoding="UTF-8"?>
<!--
! CCPL HEADER START
!
! This work is licensed under the Creative Commons
! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
! To view a copy of this license, visit
! or send a letter to Creative Commons, 444 Castro Street,
! Suite 900, Mountain View, California, 94041, USA.
!
! You can also obtain a copy of the license at
! See the License for the specific language governing permissions
! and limitations under the License.
!
! If applicable, add the following below this CCPL HEADER, with the fields
! enclosed by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CCPL HEADER END
!
! Copyright 2011-2013 ForgeRock, Inc.
!
-->
<chapter xml:id='chap-websphere'
xmlns='http://docbook.org/ns/docbook'
version='5.0' xml:lang='en'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
xmlns:xlink='http://www.w3.org/1999/xlink'
xmlns:xinclude='http://www.w3.org/2001/XInclude'>
<title>Installing the IBM WebSphere Policy Agent</title>
<indexterm><primary>IBM WebSphere Application Server</primary></indexterm>
<para>This chapter covers installation of the policy agent for IBM
WebSphere.</para>
<section xml:id="before-websphere-agent-install">
<title>Before You Install</title>
<para>Make sure OpenAM is installed and running, and that you can contact OpenAM
from the system running the policy agent. Next, create a profile for your
policy agent as described in the <citetitle>Administration Guide</citetitle>
section on <link xlink:href="admin-guide#create-agent-profiles"
Profiles</citetitle></link>. To protect resources with the agent also create
at least one policy as described in the section on <link
xlink:href="admin-guide#configure-authz-policy"
Policies</citetitle></link>. Consider creating a simple policy, such as a
policy that allows only authenticated users to access your resources, in order
to test your policy agent after installation.</para>
<para>You must install WebSphere before you install the policy agent, and you
must stop the server during installation.</para>
<para>You must install a Java 6 runtime environment, and set the
<literal>JAVA_HOME</literal> environment variable.</para>
<screen>$ echo $JAVA_HOME
$ which java
<para>If you are using IBM Java, see <xref linkend="install-with-ibm-jvm" />.</para>
<para>>Go to <link xlink:href="install-guide#download-openam-software"
xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Obtaining OpenAM Software</citetitle></link>
to determine which version of the agent to download and download the agent.
Also verify the checksum of the file you download against the checksum
posted on the download page.</para>
<para>Unzip the file in the directory where you plan to install the J2EE
policy agent. The agent you install stores its configuration and logs
under this directory.</para>
<variablelist>
<para>When you unzip the policy agent, you find the following directories
<para>Despite the directory name, the policy agent supports
<?eval ${agentWebSphereSupport}?>.</para>
<varlistentry>
<term><filename>bin</filename></term>
<listitem>
<para>The installation and configuration program,
<command>agentadmin</command>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>config</filename></term>
<listitem>
<para>Configuration templates used by the <command>agentadmin</command>
command during installation</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>data</filename></term>
<listitem>
<para>Not used</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>etc</filename></term>
<listitem>
<para>Agent web application that handles notifications and Cross
Domain SSO</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>installer-logs</filename></term>
<listitem>
<para>Location for log files written during installation</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>lib</filename></term>
<listitem>
<para>Shared libraries used by the J2EE policy agent</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>locale</filename></term>
<listitem>
<para>Property files used by the installation program</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>sampleapp</filename></term>
<listitem>
<para>Sample application that demonstrates key features of the policy
agent. Wait until you have installed the agent to deploy this.</para>
</listitem>
</varlistentry>
</variablelist>
<procedure xml:id="install-with-ibm-jvm">
<title>To Install With IBM Java</title>
<para>The WebSphere policy agent runs with IBM Java. In order to install
the policy agent using IBM Java on platforms other than AIX, you must first
change the <command>agentadmin</command> script to use IBMJCE.</para>
<step>
</step>
<step>
<para>Edit the line specifying <literal>AGENT_OPTS</literal> on platforms
other than AIX.</para>
<literallayout class="monospaced"
>AGENT_OPTS="-DamKeyGenDescriptor.provider=IBMJCE \
-DamCryptoDescriptor.provider=IBMJCE -DamRandomGenProvider=IBMJCE"</literallayout>
</step>
<step>
<para>Edit the last line to include the IBMJCE settings before the
classpath is set.</para>
<literallayout class="monospaced"
>$JAVA_VM \
-DamCryptoDescriptor.provider=IBMJCE -DamKeyGenDescriptor.provider=IBMJCE \
-classpath "$AGENT_CLASSPATH" $AGENT_OPTS \
</step>
<step>
<para>Save your work.</para>
<para>You can now install the WebSphere policy agent with IBM Java as
described in <xref linkend="install-websphere-agent" />.</para>
</step>
</procedure>
</section>
<section xml:id="install-websphere-agent">
<title>Installing the WebSphere Policy Agent</title>
<para>Complete the following procedures to install the policy agent.</para>
<procedure xml:id="create-websphere-agent-profile">
<title>To Create the WebSphere Agent Profile</title>
<para>Regardless of whether you store configurations centrally in OpenAM
or locally with your agents, the agent requires a profile so that it can
connect to and communicate with OpenAM.</para>
<step>
<para>In the OpenAM console, browse to Access Control >
<replaceable>Realm Name</replaceable> > Agents > J2EE,
and then click the New... button in the Agent table.</para>
</step>
<step>
<para>Complete the web form using the following hints.</para>
<variablelist>
<varlistentry>
<term>Name</term>
<listitem>
<para>The name for the agent profile used when you install the
agent</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Password</term>
<listitem>
<para>Password the agent uses to authenticate to OpenAM</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Configuration</term>
<listitem>
<para>Centralized configurations are stored in the OpenAM configuration
store. You can manage the centralized configuration through the OpenAM
console. Local configurations are stored in a file alongside the
agent.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Server URL</term>
<listitem>
<para>The full URL to an OpenAM instance, or if OpenAM is deployed in
a site configuration (behind a load balancer) then the site URL</para>
<para>In centralized configuration mode, the Server URL is used to
populate the agent profile for services such as Login, Logout, Naming,
and Cross Domain SSO.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Agent URL</term>
<listitem>
<para>The URL to the J2EE agent application, such as
<para>In centralized configuration mode, the Agent URL is used to
populate the Agent Profile for services such as notifications.</para>
</listitem>
</varlistentry>
</variablelist>
</step>
</procedure>
<procedure xml:id="create-websphere-agent-pwdfile">
<title>To Create the Password File</title>
<step>
<para>Create a text file containing only the password.</para>
</step>
<step>
<para>Protect the password file you create as appropriate for your
operating system.</para>
</step>
</procedure>
<procedure xml:id="install-agent-into-websphere">
<title>To Install the Policy Agent into WebSphere</title>
<step>
<para>Shut down the WebSphere server where you plan to install the
agent.</para>
</step>
<step>
<para>Make sure OpenAM is running.</para>
</step>
<step>
<para>Run <command>agentadmin --install</command> to install the agent.</para>
...
-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Instance Config Directory :
Instance Server name : server1
OpenAM server URL : http://openam.example.com:8080/openam
Agent URL : http://www.example.com:9080/agentapp
Agent Profile name : WebSphere Agent
...
SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: Agent_001
Agent Bootstrap file location:
<?eval ${agentsBootstrapFile}?>
Agent Configuration file location
<?eval ${agentsConfigurationFile}?>
Agent Audit directory location:
Agent Debug directory location:
Install log file location:
...</screen>
<para>Upon successful completion, the installer has updated the WebSphere
configuration, copied the agent libraries to WebSphere's external library
directory, and also set up configuration and log directories for the
agent.</para>
<note>
<para>If the agent is in a different domain than the server, refer to <citetitle>Administration Guide</citetitle> procedure, <link
xlink:href="admin-guide#chap-cdsso"
Single Sign On</citetitle></link>.</para>
</note>
</step>
<step>
<para>Take note of the configuration files and log locations.</para>
<para>Each agent instance that you install on the system has its own
numbered configuration and logs directory. The first agent's configuration
and logs are thus located under the directory
<variablelist>
<varlistentry>
<term><filename>config/<?eval ${agentsBootstrapFile}?></filename></term>
<listitem>
<para>Used to bootstrap the J2EE policy agent, allowing the agent to
connect to OpenAM and download its configuration</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>config/<?eval ${agentsConfigurationFile}?></filename></term>
<listitem>
<para>Only used if you configured the J2EE policy agent to use local
configuration</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Operational audit log directory, only used if remote logging
to OpenAM is disabled</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Debug directory where the debug file resides. Useful in
troubleshooting policy agent issues.</para>
</listitem>
</varlistentry>
</variablelist>
</step>
<step>
<para>If your policy agent configuration is not in the top-level realm (/),
then you must edit config/<?eval ${agentsBootstrapFile}?> to identify
the sub-realm that has your policy agent configuration.
Find com.sun.identity.agents.config.organization.name and change
the / to the path to your policy agent profile. This allows the policy agent
to properly identify itself to the OpenAM server. </para>
</step>
<step>
<para>Restart the WebSphere server.</para>
</step>
</procedure>
<procedure xml:id="protect-websphere-apps-after-agent-installation">
<title>To Protect Applications After Agent Installation</title>
<step performance="optional">
<para>Deploy the
agent application in WebSphere.</para>
</step>
<step>
<para>For each web application to protect, add the following filter
following the opening <web-app> tag. The file for the sample
application delivered with the agent is
<programlisting language="xml"> <filter>
<filter-name>Agent</filter-name>
<display-name>Agent</display-name>
<description>OpenAM Policy Agent Filter</description>
</filter>
<filter-mapping>
<filter-name>Agent</filter-name>
<url-pattern>/*</url-pattern>
<dispatcher>REQUEST</dispatcher>
<dispatcher>INCLUDE</dispatcher>
<dispatcher>FORWARD</dispatcher>
<dispatcher>ERROR</dispatcher>
</filter-mapping></programlisting>
<para>You might also have to update additional configuration files. See
the sample application located under
for examples.</para>
</step>
<step performance="optional">
<para>If you have a policy configured, you can test your policy agent.
For example, try to browse to a resource that your policy agent protects.
You should be redirected to OpenAM to authenticate, for example as user
<literal>demo</literal>, password <literal>changeit</literal>. After
you authenticate, OpenAM then redirects you back to the resource you tried
to access.</para>
</step>
</procedure>
</section>
<section xml:id="silent-websphere-agent-installation">
<title>Silent WebSphere Policy Agent Installation</title>
<para>When performing a scripted, silent installation, use
<command>agentadmin --install --saveResponse
<replaceable>response-file</replaceable></command>
to create a response file for scripted installation. Then install silently
using <command>agentadmin --install --useResponse
<replaceable>response-file</replaceable></command>.</para>
</section>
<section xml:id="uninstall-websphere-agent">
<title>Removing WebSphere Policy Agent Software</title>
<para>Shut down the WebSphere server before you uninstall the
policy agent.</para>
<para>To remove the J2EE policy agent, use <command>agentadmin
--uninstall</command>. You must provide the WebSphere configuration directory
location.</para>
<para>Uninstall does not remove the agent instance directory, but you can
do so manually after removing the agent configuration from WebSphere.</para>
</section>
<section xml:id="websphere-network-deployment">
<title>Notes About WebSphere Network Deployment</title>
<para>When using WebSphere Application Server Network Deployment, you must
install policy agents on the Deployment Manager, on each Node Agent, and
on each Application Server. Installation requires that you stop and then
restart the Deployment Manager, each Node Agent, and each Application Server
in the Network Deployment.</para>
<para>Before installation, synchronize each server configuration with the
profile saved by the Deployment Manager using the <command>syncNode</command>
command. After agent installation, copy the server configuration for each
Deployment Manager profile. After you have synchronized the configurations,
you must restart the Deployment Manager for the Network Deployment.</para>
</section>
</chapter>