Home > Integration > How to install and configure OpenAM Web Policy Agent

How to install and configure OpenAM Web Policy Agent

I prepared one more article about OpenAM, now it is about OpenAM Web Policy Agent. This article is an example how to use OpenAM to protect resources on a Web Server.

The architecture used in this article is again based on the architecture I used in my previous articles [1]. It expects that OpenDJ and OpenAM are installed and configured, also it expects Sun Web Server 7.0 installed and configured for SSL. DAUI is not needed now.

Just to keep things clear, important links on my environment are:

OpenAM – https://oam-1.profiq.cz:1081/opensso

WebServer – https://da-1.profiq.cz:8081 (SSL), http://da-1.profiq.cz:8080 (plain)

Installation and configuration of OpenAM Web Policy Agent consists of 2 parts – OpenAM settings (create Web Agent and Policy) and Agent part (install Agent on Web Server).

OpenAM

At first you have to log-in to the OpenAM console as amadmin user. The link from my architecture is https://oam-1.profiq.cz:1081/opensso (use link to your OpenAM console). Some configuration steps in this part are redundant to [1], however I rather keep it there to make sure, you don’t miss some important setting:

  • User Name: amadmin
  • Password: oamadmin
  • Log In

Access Control -> / (Top Level Realm)

  • Realm Attributes -> New Value: da-1.profiq.cz (host where the web agent would run)

Add -> Save -> Data Stores -> OpenDS

  • LDAP Groups container Naming Attribute : ou
  • LDAP Groups Container Value: groups
  • LDAP People Container Naming Attribute : ou
  • LDAP People Container Value: users

Save -> Back to Data Stores -> Subjects

  • Test User1 is displayed

Authentication -> All Core Settigns…

  • User Profile: Ignored

Save -> Back to Authentication -> Back to Access Control -> / (Top Level Realm) -> Agents -> Web -> Agent -> New…

Policies -> New Policy…

  • Name: Protected Resource 1

Rules -> New…

Step 1 of 2: Select Service Type for the Rule

  • Service Type: URL Policy Agent (with resource name)
  • Next

Step 2 of 2: New Rule

Rules -> New…

Step 1 of 2: Select Service Type for the Rule

  • Service Type: URL Policy Agent (with resource name)
  • Next

Step 2 of 2: New Rule

Subjects -> New…

Step 1 of 2: Select Subject Type

  • Type: OpenAM Identity Subject
  • Next

Step 2 of 2: New Subject – OpenAM Identity Subject

  • Name: Test Subject
  • Filter: User
  • Search
  • In available list you should see available user, Add testuser1.
  • Finish
OK -> Log Out
Web Policy Agent
For Web Policy Agent, there is a prerequisite to have a Web Container installed. I used Sun Web Server 7.0, using installation steps from [1].

Basic installation of Sun Web Server consists of 2 servers – admin server and domain server. Make sure that both of them are down:

/opt/ws7/admin-server/bin/stopserv
server has been shutdown

/opt/ws7/https-da-1.profiq.cz/bin/stopserv
server has been shutdown

The Web Agent installer requires you to set the name and password you set for web agent in the OpenAM console. The password needs to be stored in a file, so you have to prepare this file first:

echo webagent > /tmp/webagent.pwd

Installation of Web Agent doesn’t work like a classic setup tool, which asks for a directory and then copies files there. Instead, it asks for parameters it needs, and creates config in the directory where setup is started from. Therefore, you have to unzip an agent to a directory where you want to have it installed (in my case /opt), and run install script from there. You also need to have java directory in PATH:

export JAVA_HOME=/opt/jdk1.6.0_26
export PATH=$JAVA_HOME/bin:$PATH

cd /opt
unzip /home/profiq/sjsws_v70_Linux_64_agent_304.zip

Before the installation, you need to have prepared this information:

And now proceed the installation:

/opt/web_agents/sjsws_agent/bin/agentadmin --install

Please read the following License Agreement carefully:

[Press <Enter> to continue...] or [Enter n To Finish]
n

Do you completely agree with all the terms and conditions of this License
Agreement (yes/no): [no]: yes

************************************************************************
Welcome to the OpenSSO Policy Agent for Sun Java System Web Server.

************************************************************************
Enter the complete path to the directory which is used by Sun Java System Web
Server to store its configuration Files. This directory uniquely
identifies the Sun Java System Web Server instance that is secured by this
Agent.
[ ? : Help, ! : Exit ]
Enter the Sun Java System Web Server Config Directory Path
[/var/opt/SUNWwbsvr7/https-node3/config]: /opt/ws7/https-da-1.profiq.cz/config
Enter the URL where the OpenSSO server is running. Please include the
deployment URI also as shown below:
(http://opensso.sample.com:58080/opensso)
[ ? : Help, < : Back, ! : Exit ]
OpenSSO server URL: https://oam-1.profiq.cz:1081/opensso
Enter the Agent URL as shown below: (http://agent1.sample.com:1234)
[ ? : Help, < : Back, ! : Exit ]
Agent URL: https://da-1.profiq.cz:8081
Enter the Agent profile name
[ ? : Help, < : Back, ! : Exit ]
Enter the Agent Profile name: webagent
Enter the path to a file that contains the password to be used for identifying
the Agent.
[ ? : Help, < : Back, ! : Exit ]
Enter the path to the password file: /tmp/webagent.pwd
-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Sun Java System Web Server Config Directory :
/opt/ws7/https-da-1.profiq.cz/config
OpenSSO server URL : https://oam-1.profiq.cz:1081/opensso
Agent URL : https://da-1.profiq.cz:8081
Agent Profile name : webagent
Agent Profile Password file name : /tmp/webagent.pwd

Verify your settings above and decide from the choices below.
1. Continue with Installation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]: 1

Creating directory layout and configuring Agent file for Agent_001
instance ...DONE.

Reading data from file /tmp/webagent.pwd and encrypting it ...DONE.

Generating audit log file name ...DONE.

Creating tag swapped OpenSSOAgentBootstrap.properties file for instance
Agent_001 ...DONE.

Creating a backup for file
/opt/ws7/https-da-1.profiq.cz/config/obj.conf ...DONE.

Creating a backup for file
/opt/ws7/https-da-1.profiq.cz/config/magnus.conf ...DONE.

Adding Agent parameters to
/opt/ws7/https-da-1.profiq.cz/config/magnus.conf file ...DONE.

Adding Agent parameters to
/opt/ws7/https-da-1.profiq.cz/config/obj.conf file ...DONE.
SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: Agent_001
Agent Bootstrap file location:
/home/profiq/web_agents/sjsws_agent/Agent_001/config/
OpenSSOAgentBootstrap.properties
Agent Configuration Tag file location
/home/profiq/web_agents/sjsws_agent/Agent_001/config/
OpenSSOAgentConfiguration.properties
Agent Audit directory location:
/home/profiq/web_agents/sjsws_agent/Agent_001/logs/audit
Agent Debug directory location:
/home/profiq/web_agents/sjsws_agent/Agent_001/logs/debug
Install log file location:
/home/profiq/web_agents/sjsws_agent/installer-logs/audit/install.log

Thank you for using OpenSSO Policy Agent. INSTALL NOTE: Installer modifies
obj.conf file in the config directory you specified. To make agent changes
effective do Pull and deploy configuration using Web Server Admin Console or
CLI. If there are multiple obj.conf files already present, then manually add
agent settings to the required obj.conf files. UNINSTALL NOTE: Uninstall
removes agent settings from obj.conf file in the config directory you
specified. If there are multiple obj.conf files configured manually in the
same config directory, then please remove them manually. For more
information, please refer agent documentation.

Now you can start the domain server:

/opt/ws7/https-da-1.profiq.cz/bin/startserv

Web Policy Agent Tests

TEST: Access Web Server

Access: http://da-1.profiq.cz:8080

OpenSSO login page is displayed

  • User Name: testuser1
  • Password: password
Web Server page is displayed

http://oam-1.profiq.cz:1080/opensso/UI/Logout

Expected output:

At first, OpenAM login page is displayed and after login, Web Server page is displayed. Logout should work too.

TEST: Access Web Server using SSL

Access: https://da-1.profiq.cz:8081

OpenSSO login page is displayed

  • User Name: testuser1
  • Password: password
Web Server page is displayed

http://oam-1.profiq.cz:1080/opensso/UI/Logout

Expected output:

At first, OpenAM login page is displayed and after login, Web Server page is displayed. Logout should work too.

References

[1] How to deploy OpenAM with DAUI using SSL

[2] Installing the Sun Web Server Policy Agent

Advertisements
Categories: Integration Tags: , , ,
  1. Arkam
    16/09/2014 at 6:07 pm

    I have exactly followed this Guide.

    However In my Case I am getting a 403 Error.

    I do get redirected to openam which is fine.

    If i enter a wrong username or passwd i get authorization error which is fine.

    Only bit which does not works is that Either i enter a legitimate User or a non legitimate user i always get 403.

    Surely something is wrong in my policy setup because if i click agent and tick SSo Enabled which disables authorisation and lets every one authenticate then Every user can connect.

    Thanks for your helpful guide. Can you please Assist me with my issue.

    • 17/09/2014 at 7:08 pm

      Hello Arkam,

      Did you have a look at agent logs? Also, agent logs with maximum debug output?

  2. Anas
    24/12/2014 at 10:39 am

    Hi,
    I installed the Web Agent jee for Tomcat 7 portal. but i was not able to add the filters to the XML files as described on the installation Doc. when i add it to the web.xml. the we site dose not work.

    Highly appreciate your support.

    Regards,
    Anas
    Anas.aloan@accenture.com

    • 05/01/2015 at 7:01 am

      Hi Anas, I appreciate your interest! This article talks about deployment of Web Policy Agents. You seem to have a problem with deployment of J2EE Policy Agents. We are happy to answer your questions specific to the article. We suggest you to read OpenAM install docs, write to the OpenAM engineering community or contacts ForgeRock’s support to get general advice. You can start your community engagement here: https://forgerock.org/openam/ or get support here: http://forgerock.com/services/support/

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: