<chapter xml:id='chap-glassfish'
version='5.0' xml:lang='en'
<title>Installing the GlassFish Policy Agent</title>
<indexterm><primary>GlassFish Server</primary></indexterm>
<para>This chapter covers installation of the policy agent for GlassFish.</para>
<section xml:id="before-glassfish-agent-install">
<title>Before You Install</title>
<para>Make sure OpenAM is installed and running, and that you can contact OpenAM
from the system running the policy agent. Next, create a profile for your
policy agent as described in the <citetitle>Administration Guide</citetitle>
section on <link xlink:href="admin-guide#create-agent-profiles"
xlink:role=""><citetitle>Creating Agent
Profiles</citetitle></link>. To protect resources with the agent also create
at least one policy as described in the section on <link
Policies</citetitle></link>. Consider creating a simple policy, such as a
policy that allows only authenticated users to access your resources, in order
to test your policy agent after installation.</para>
<para>You must install GlassFish before you install the policy agent, and you
must stop the domain with applications to protect during installation. Policy
agents support <?eval ${agentGlassFishSupport}?>.</para>
<para>You must install a Java 6 runtime environment, and set the
<literal>JAVA_HOME</literal> environment variable.</para>
<screen>$ echo $JAVA_HOME
$ which java
<para>>Go to <link xlink:href="install-guide#download-openam-software"
xlink:role=""><citetitle>Obtaining OpenAM Software</citetitle></link>
to determine which version of the agent to download and download the agent.
Also verify the checksum of the file you download against the checksum
posted on the download page.</para>
<para>Unzip the file in the directory where you plan to install the J2EE
policy agent. The agent you install stores its configuration and logs
under this directory.</para>
<para>When you unzip the policy agent, you find the following directories
under the <filename>j2ee_agents/appserver_v10_agent</filename> directory.</para>
<para>The installation and configuration program,
<para>Configuration templates used by the <command>agentadmin</command>
command during installation</para>
<para>Not used</para>
<para>Agent web application used during installation</para>
<para>Location for log files written during installation</para>
<para>Shared libraries used by the J2EE policy agent</para>
<para>Property files used by the installation program</para>
<para>Sample application that demonstrates key features of the policy
agent. Wait until you have installed the agent to deploy this.</para>
<section xml:id="install-glassfish-agent">
<title>Installing the GlassFish Policy Agent</title>
<para>Complete the following procedures to install the policy agent.</para>
<procedure xml:id="create-glassfish-agent-profile">
<title>To Create the GlassFish Agent Profile</title>
<para>Regardless of whether you store configurations centrally in OpenAM
or locally with your agents, the agent requires a profile so that it can
connect to and communicate with OpenAM.</para>
<para>In the OpenAM console, browse to Access Control &gt;
<replaceable>Realm Name</replaceable> &gt; Agents &gt; J2EE,
and then click the New... button in the Agent table.</para>
<para>Complete the web form using the following hints.</para>
<para>The name for the agent profile used when you install the
<para>Password the agent uses to authenticate to OpenAM</para>
<para>Centralized configurations are stored in the OpenAM configuration
store. You can manage the centralized configuration through the OpenAM
console. Local configurations are stored in a file alongside the
<term>Server URL</term>
<para>The full URL to an OpenAM instance, or if OpenAM is deployed in
a site configuration (behind a load balancer) then the site URL</para>
<para>In centralized configuration mode, the Server URL is used to
populate the agent profile for services such as Login, Logout, Naming,
and Cross Domain SSO.</para>
<term>Agent URL</term>
<para>The URL to the J2EE agent application, such as
<para>In centralized configuration mode, the Agent URL is used to
populate the Agent Profile for services such as notifications.</para>
<procedure xml:id="create-glassfish-agent-pwdfile">
<title>To Create the Password File</title>
<para>Create a text file containing only the password.</para>
<screen>$ echo password > /tmp/pwd.txt</screen>
<para>Protect the password file you create as appropriate for your
operating system.</para>
<screen>$ chmod 400 /tmp/pwd.txt</screen>
<procedure xml:id="install-agent-into-glassfish">
<title>To Install the Policy Agent into GlassFish</title>
<para>Shut down the GlassFish domain where you plan to install the
<screen>$ /path/to/glassfish/bin/asadmin stop-domain domain1
Waiting for the domain to stop ....
Command stop-domain executed successfully.</screen>
<para>Make sure OpenAM is running.</para>
<para>Run <command>agentadmin --install</command> to install the agent.</para>
<screen>$ /path/to/j2ee_agents/appserver_v10_agent/bin/agentadmin --install
Application Server Config Directory :
Application Server Instance name : server
OpenAM server URL :
Agent URL :
Agent Profile name : GlassFish Agent
Agent Profile Password file name : /tmp/pwd.txt
Agent instance name: Agent_001
Agent Bootstrap file location:
<?eval ${agentsBootstrapFile}?>
Agent Configuration file location
<?eval ${agentsConfigurationFile}?>
Agent Audit directory location:
Agent Debug directory location:
Install log file location:
<para>Upon successful completion, the installer has updated the GlassFish
configuration, and also set up configuration and log directories for the
<para>If the agent is in a different domain than the server, refer to <citetitle>Administration Guide</citetitle> procedure, <link
xlink:role=""><citetitle>Configuring Cross-Domain
Single Sign On</citetitle></link>.</para>
<para>Take note of the configuration files and log locations.</para>
<para>Each agent instance that you install on the system has its own
numbered configuration and logs directory. The first agent's configuration
and logs are thus located under the directory
<term><filename>config/<?eval ${agentsBootstrapFile}?></filename></term>
<para>Used to bootstrap the J2EE policy agent, allowing the agent to
connect to OpenAM and download its configuration</para>
<term><filename>config/<?eval ${agentsConfigurationFile}?></filename></term>
<para>Only used if you configured the J2EE policy agent to use local
<para>Operational audit log directory, only used if remote logging
to OpenAM is disabled</para>
<para>Debug directory where the debug file resides. Useful in
troubleshooting policy agent issues.</para>
<para>If your policy agent configuration is not in the top-level realm (/),
then you must edit config/<?eval ${agentsBootstrapFile}?> to identify
the sub-realm that has your policy agent configuration.
Find and change
the / to the path to your policy agent profile. This allows the policy agent
to properly identify itself to the OpenAM server. </para>
<para>To protect a web application, you must add the following filter
to the application's <filename>web.xml</filename> configuration,
following the opening &lt;web-app&gt; tag. The file for the sample
application delivered with the agent is
<programlisting language="xml"> &lt;filter&gt;
&lt;description&gt;OpenAM Policy Agent Filter&lt;/description&gt;
<para>Start the GlassFish domain where you installed the agent.</para>
<screen>$ /path/to/glassfish/bin/asadmin start-domain domain1
Waiting for domain1 to start .....
Successfully started the domain : domain1
domain Location: /path/to/glassfish/glassfish/domains/domain1
Log File: /path/to/glassfish/glassfish/domains/domain1/logs/server.log
Admin Port: 4848
Command start-domain executed successfully.</screen>
<para>Deploy the agent web application.</para>
<screen>cd /path/to/glassfish/glassfish/bin/asadmin
$ deploy --name agentapp --contextroot /agentapp
<para>Check your work by quickly deploying the sample application,
through the GlassFish administration console, and verifying that the agent
redirects to OpenAM for authentication and that access is denied after
successful login to OpenAM. (Access is denied because when no policy exists
for a protected resource the default decision for OpenAM is to deny all
<section xml:id="silent-glassfish-agent-installation">
<title>Silent GlassFish Policy Agent Installation</title>
<para>When performing a scripted, silent installation, use
<command>agentadmin --install --saveResponse
to create a response file for scripted installation. Then install silently
using <command>agentadmin --install --useResponse
<section xml:id="uninstall-glassfish-agent">
<title>Removing GlassFish Policy Agent Software</title>
<para>Shut down the GlassFish domain before you uninstall the
policy agent.</para>
<screen>$ /path/to/glassfish/bin/asadmin stop-domain domain1
Waiting for the domain to stop ....
Command stop-domain executed successfully.</screen>
<para>To remove the J2EE policy agent, use <command>agentadmin
--uninstall</command>. You must provide the GlassFish configuration directory
location, and the instance name.</para>
<para>Uninstall does not remove the agent instance directory, but you can
do so manually after removing the agent configuration from GlassFish.</para>