chap-sun-websvr.xml revision 1333c72f0f97e72c63d67213bf59885c0654b607
<?xml version="1.0" encoding="UTF-8"?>
<!--
! CCPL HEADER START
!
! This work is licensed under the Creative Commons
! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
! To view a copy of this license, visit
! or send a letter to Creative Commons, 444 Castro Street,
! Suite 900, Mountain View, California, 94041, USA.
!
! You can also obtain a copy of the license at
! See the License for the specific language governing permissions
! and limitations under the License.
!
! If applicable, add the following below this CCPL HEADER, with the fields
! enclosed by brackets "[]" replaced with your own identifying information:
! Portions Copyright [yyyy] [name of copyright owner]
!
! CCPL HEADER END
!
! Copyright 2011-2013 ForgeRock, Inc
!
-->
<chapter xml:id='chap-sun-websvr'
xmlns='http://docbook.org/ns/docbook'
version='5.0' xml:lang='en'
xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
xmlns:xlink='http://www.w3.org/1999/xlink'
xmlns:xinclude='http://www.w3.org/2001/XInclude'>
<title>Installing the Sun Web Server Policy Agent</title>
<indexterm><primary>Sun Web Server</primary></indexterm>
<para>This chapter covers installation of the policy agent for Sun
Web Server.</para>
<section xml:id="before-sjsws-agent-install">
<title>Before You Install</title>
<para>Make sure OpenAM is installed, running, that you can contact OpenAM
from the system running the policy agent. Next, create a profile for your
policy agent as described in the <citetitle>Administration Guide</citetitle>
section on <link xlink:href="admin-guide#create-agent-profiles"
Profiles</citetitle></link>. To protect resources with the agent also create
at least one policy as described in the section on <link
xlink:href="admin-guide#configure-authz-policy"
Policies</citetitle></link>. Consider creating a simple policy, such as a
policy that allows only authenticated users to access your resources, in order
to test your policy agent after installation.</para>
<para>You must install Apache HTTP Server before you install the policy
agent, and you must stop the server during installation.</para>
<para>You must install a supported version of the Java runtime environment.
Please review the <link xlink:show="new"
xlink:href="http://openam.forgerock.org/openam-documentation/openam-doc-source/doc/release-notes/#java-requirements">
<citetitle>OpenAM Release Notes</citetitle></link> for the currently supported version
of Java, and set the <literal>JAVA_HOME</literal> environment
variable accordingly. The policy agent installer requires Java.</para>
<screen>$ echo $JAVA_HOME
$ which java
<para>>Go to <link xlink:href="install-guide#download-openam-software"
xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Obtaining OpenAM Software</citetitle></link>
to determine which version of the agent to download and download the agent.
Also verify the checksum of the file you download against the checksum
posted on the download page.</para>
<para>Unzip the file in the directory where you plan to install the web
policy agent. The agent you install stores its configuration and logs
under this directory.</para>
<variablelist>
<para>When you unzip the policy agent .zip download, you find the following
directory.</para>
<varlistentry>
<term><filename>bin</filename></term>
<listitem>
<para>Contains the installation and configuration program,
<command>agentadmin</command>; the certificate management tool
<command>certutil</command> and the password hashing tool
<command>crypt_util</command>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>config</filename></term>
<listitem>
<para>Configuration templates used by the <command>agentadmin</command>
command during installation</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>data</filename></term>
<listitem>
<para>Not used</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>etc</filename></term>
<listitem>
<para>Not used</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>installer-logs</filename></term>
<listitem>
<para>Location for log files written during installation</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>lib</filename></term>
<listitem>
<para>Shared libraries used by the web policy agent</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>locale</filename></term>
<listitem>
<para>Property files used by the installation program</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section xml:id="install-sjsws-web-agent">
<title>Installing Sun Web Server Web Policy Agent</title>
<para>Complete the following procedures to install the policy agent.</para>
<procedure xml:id="create-sjsws-agent-profile">
<title>To Create the Sun Web Server Web Agent Profile</title>
<para>Regardless of whether you store configurations centrally in OpenAM
or locally with your agents, the agent requires a profile so that it can
connect to and communicate with OpenAM.</para>
<step>
<para>In the OpenAM console, browse to Access Control >
<replaceable>Realm Name</replaceable>> Agents > Web,
and then click the New... button in the Agent table.</para>
</step>
<step>
<para>Complete the web form using the following hints.</para>
<variablelist>
<varlistentry>
<term>Name</term>
<listitem>
<para>The name for the agent profile used when you install the
agent</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Password</term>
<listitem>
<para>Password the agent uses to authenticate to OpenAM</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Configuration</term>
<listitem>
<para>Centralized configurations are stored in the OpenAM configuration
store. You can manage the centralized configuration through the OpenAM
console. Local configurations are stored in a file alongside the
agent.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Server URL</term>
<listitem>
<para>The full URL to an OpenAM instance, or if OpenAM is deployed in
a site configuration (behind a load balancer) then the site URL</para>
<para>In centralized configuration mode, the Server URL is used to
populate the agent profile for services such as Login, Logout, Naming,
and Cross Domain SSO.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Agent URL</term>
<listitem>
<para>The web server URL that the agent protects</para>
<para>In centralized configuration mode, the Agent URL is used to
populate the Agent Profile for services such as notifications.</para>
</listitem>
</varlistentry>
</variablelist>
</step>
</procedure>
<procedure xml:id="create-sjsws-agent-pwdfile">
<title>To Create the Password File</title>
<step>
<para>Create a text file containing only the password.</para>
</step>
<step>
<para>Protect the password file you create as appropriate for your
operating system.</para>
</step>
</procedure>
<procedure xml:id="install-agent-into-sjsws">
<title>To Install the Policy Agent into Sun Web Server</title>
<step>
<para>Shut down Sun Web Server instance where you plan to install the
agent.</para>
</step>
<step>
<para>Make sure OpenAM is running.</para>
</step>
<step>
<para>Run <command>agentadmin --install</command> to install the
agent.</para>
...
-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Sun Java System Web Server Config Directory :
OpenAM server URL : http://openam.example.com:8080/openam
Agent URL : http://www.example.com:8080
Agent Profile name : Sun Web Server Agent
...
SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: Agent_001
Agent Bootstrap file location:
<?eval ${agentsBootstrapFile}?>
Agent Configuration Tag file location
<?eval ${agentsConfigurationFile}?>
Agent Audit directory location:
Agent Debug directory location:
Install log file location:
...</screen>
<para>Upon successful completion, the installer has backed up and updated
the Sun Web Server instance configuration, and has also set up
configuration and log directories for the agent.</para>
<note>
<para>If the agent is in a different domain than the server, refer to <citetitle>Administration Guide</citetitle> procedure, <link
xlink:href="admin-guide#chap-cdsso"
Single Sign On</citetitle></link>.</para>
</note>
</step>
<step>
<para>Take note of the configuration files and log locations.</para>
<para>Each agent instance that you install on the system has its own
numbered configuration and logs directory. The first agent's configuration
and logs are thus located under the directory
<variablelist>
<varlistentry>
<term><filename>config/<?eval ${agentsBootstrapFile}?></filename></term>
<listitem>
<para>Used to bootstrap the web policy agent, allowing the agent to
connect to OpenAM and download its configuration</para>
</listitem>
</varlistentry>
<varlistentry>
<term><filename>config/<?eval ${agentsConfigurationFile}?></filename></term>
<listitem>
<para>Only used if you configured the web policy agent to use local
configuration</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Operational audit log directory, only used if remote logging
to OpenAM is disabled</para>
</listitem>
</varlistentry>
<varlistentry>
<listitem>
<para>Debug log directory. Useful in troubleshooting policy agent
issues.</para>
</listitem>
</varlistentry>
</variablelist>
</step>
<step>
<para>If your policy agent configuration is not in the top-level realm (/),
then you must edit config/<?eval ${agentsBootstrapFile}?> to identify
the sub-realm that has your policy agent configuration.
Find com.sun.identity.agents.config.organization.name and change
the / to the path to your policy agent profile. This allows the policy agent
to properly identify itself to the OpenAM server. </para>
</step>
<step>
<para>Set up ownership of the log directory. The default is to run as a
webservd user instead of root. To post its logs, the agent needs permission to
add the files to the directory.</para>
<screen>chown -R webservd:webservd /opt/web_agents/sjsws_agent/Agent_<replaceable>number</replaceable>/logs</screen>
</step>
<step>
<para>Restart the Sun Web Server instance where you installed the
agent.</para>
</step>
<step>
<para>Check that the agent protects the web site.</para>
<para>If you have not yet configured any policies to allow access, then
you should receive an HTTP 403 Forbidden error. In the above example, when
the page returned appears in the browser as follows.</para>
<literallayout><emphasis role="strong">Forbidden</emphasis>
Your client is not allowed to access the requested object.</literallayout>
<para>If it appears the protection is inadequate, complete one of the
following steps.</para>
<note>
<para>A potential cause for the protection failing is updates to the
property. A <literal>object-file</literal> property refers to the
cause problems with protection. Also, admin changes can update the
</note>
<stepalternatives>
<step>
not needed.</para>
configuration.</para>
<note>
<para>Do not change the original file.</para>
</note>
<virtual-server>
<name>virtual.example.com</name>
<http-listener-name>http-listener-1</http-listenername>
<host>virtual.example.com</host>
- <object-file>virtual.example.com-obj.conf</object-file>
<name>virtual.example.com</name>
</virtual-server></screen>
</step>
<step>
is needed.</para>
<literal>object-file</literal> property to validate the location of
<note>
<para>Do not change the original file.</para>
</note>
<Object path="*/dummypost/sunpostpreserve*">
Service type=text/* method=(GET) fn=append_post_data
</Object>
<Object path="*/UpdateAgentCacheServlet*">
Service type=text/* method=(POST) fn=process_notification
</Object></screen>
</step>
</stepalternatives>
</step>
<step>
<para>Save the file and restart the Sun Web Server.</para>
</step>
</procedure>
</section>
<section xml:id="custom-sjsws-agent-installation">
<title>Custom Sun Web Policy Agent Installation</title>
<para>For alternative installations, use <command>agentadmin
--custom-install</command>.</para>
<para>When performing a scripted, silent installation, use
<command>agentadmin --install --saveResponse
<replaceable>response-file</replaceable></command>
to create a response file for scripted installation. Then install silently
using <command>agentadmin --install --useResponse
<replaceable>response-file</replaceable></command>.</para>
create the policy agent profile during installation. The OpenAM administrator
must first create an agent administrator user, as described in <link
xlink:href="admin-guide#delegate-agent-profile-creation"
Profile Creation</citetitle></link>, and provide you with the agent
administrator user name and password. Before running the
alone in a read-only file only the user installing can access, as for the
agent password. When the <command>agentadmin</command> command prompts you to
create the profile during installation, enter <literal>true</literal>, and
then respond to the <command>agentadmin</command> prompts for the agent
administrator user name and password file.</para>
</section>
<section xml:id="uninstall-sjsws-agent">
<title>Remove Sun Web Policy Agent Software</title>
<para>Shut down the Sun Web Server before you uninstall the
policy agent.</para>
<para>To remove the web policy agent, use <command>agentadmin
--uninstall</command>.</para>
</section>
</chapter>