How to install and configure OpenAM Web Policy Agent
skatuscak
13 years ago
I prepared one more article about OpenAM, this time about the OpenAM Web Policy Agent. It is an example of how to use OpenAM to protect resources on a web server.
The architecture used in this article is again based on the one I used in my previous articles [1]. It expects OpenDJ and OpenAM to be installed and configured, and Sun Web Server 7.0 to be installed with an SSL listener configured. DAUI is not needed this time.
Just to keep things clear, important links on my environment are:
OpenAM – https://oam-1.profiq.cz:1081/opensso
WebServer – https://da-1.profiq.cz:8081 (SSL), http://da-1.profiq.cz:8080 (plain)
Installation and configuration of OpenAM Web Policy Agent consists of 2 parts – OpenAM settings (create Web Agent and Policy) and Agent part (install Agent on Web Server).
OpenAM
First log in to the OpenAM console as the amadmin user. The link in my architecture is https://oam-1.profiq.cz:1081/opensso (use the link to your own OpenAM console). Some configuration steps in this part duplicate [1]; I keep them here anyway so that you do not miss an important setting:
- User Name: amadmin
- Password: oamadmin
- Log In
Access Control -> / (Top Level Realm)
- Realm Attributes -> Realm/DNS Aliases -> New Value: da-1.profiq.cz (the host where the web agent will run)
Add -> Save -> Data Stores -> OpenDS
- LDAP Groups container Naming Attribute : ou
- LDAP Groups Container Value: groups
- LDAP People Container Naming Attribute : ou
- LDAP People Container Value: users
Save -> Back to Data Stores -> Subjects
- Test User1 is displayed
Authentication -> All Core Settings…
- User Profile: Ignored
Save -> Back to Authentication -> Back to Access Control -> / (Top Level Realm) -> Agents -> Web -> Agent -> New…
- Name: webagent
- Password: webagent
- Re-Enter Password: webagent
- Configuration: Centralized
- Server URL: https://oam-1.profiq.cz:1081/opensso
- Agent URL: https://da-1.profiq.cz:8081
- Create
Policies -> New Policy…
- Name: Protected Resource 1
Rules -> New…
Step 1 of 2: Select Service Type for the Rule
- Service Type: URL Policy Agent (with resource name)
- Next
Step 2 of 2: New Rule
- Name: URL Rule – HTTPS
- Resource Name: https://da-1.profiq.cz:8081/*
- GET: check, Allow
- POST: check, Allow
- Finish
Rules -> New…
Step 1 of 2: Select Service Type for the Rule
- Service Type: URL Policy Agent (with resource name)
- Next
Step 2 of 2: New Rule
- Name: URL Rule – HTTP
- Resource Name: http://da-1.profiq.cz:8080/*
- GET: check, Allow
- POST: check, Allow
- Finish
Subjects -> New…
Step 1 of 2: Select Subject Type
- Type: OpenAM Identity Subject
- Next
Step 2 of 2: New Subject – OpenAM Identity Subject
- Name: Test Subject
- Filter: User
- Search
- In the Available list you should see the users found; add testuser1 to the Selected list.
- Finish
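To see why the policy needs one rule per listener and what turns a successful login into a 403, here is a small model of how this policy is evaluated for a request. It is an added illustration written for this article, not OpenAM code: the POLICY dictionary is constructed from the values entered in the console above, and the matcher assumes that '*' in a Resource Name matches any run of characters including '/', that hosts compare case-insensitively with the scheme's default port filled in when none is given, and that query strings are ignored. Real OpenAM policy evaluation has more options than this; the point is that scheme, host and port must all agree.

```python
import re
from urllib.parse import urlsplit

# Policy "Protected Resource 1" as created in the console above (constructed
# from the article's values; this is not an export from OpenAM).
POLICY = {
    "rules": {
        "URL Rule - HTTPS": {
            "resource": "https://da-1.profiq.cz:8081/*",
            "actions": {"GET": "allow", "POST": "allow"},
        },
        "URL Rule - HTTP": {
            "resource": "http://da-1.profiq.cz:8080/*",
            "actions": {"GET": "allow", "POST": "allow"},
        },
    },
    "subjects": {"Test Subject": {"testuser1"}},
}

DEFAULT_PORT = {"http": 80, "https": 443}


def normalize(url):
    """Canonical 'scheme://host:port/path' form: lower-case host, explicit
    port, no query string (simplification: query strings are ignored here)."""
    p = urlsplit(url)
    port = p.port or DEFAULT_PORT.get(p.scheme)
    return "%s://%s:%s%s" % (p.scheme, (p.hostname or "").lower(), port, p.path or "/")


def matches(resource, url):
    """Does a rule's Resource Name cover the URL? Assumed wildcard semantics:
    '*' matches any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in normalize(resource).split("*"))
    return re.fullmatch(regex, normalize(url)) is not None


def evaluate(user, method, url):
    """Return ('allow'|'deny', reason) the way the agent acts on the decision:
    deny unless a rule matches the URL, the user is in a subject of the
    policy, and every matching rule allows the HTTP method."""
    hits = [n for n, r in POLICY["rules"].items() if matches(r["resource"], url)]
    if not hits:
        return ("deny", "no rule matches %s; compare scheme, host and port of the "
                "Resource Name with the URL the agent sees" % normalize(url))
    if not any(user in members for members in POLICY["subjects"].values()):
        return ("deny", "%s is not in any subject of the policy" % user)
    for name in hits:
        if POLICY["rules"][name]["actions"].get(method.upper()) != "allow":
            return ("deny", "rule %r does not allow %s" % (name, method.upper()))
    return ("allow", "matched %s" % ", ".join(hits))


if __name__ == "__main__":
    for user, method, url in [
        ("testuser1", "GET", "https://da-1.profiq.cz:8081/index.html"),
        ("testuser1", "POST", "http://da-1.profiq.cz:8080/form"),
        ("testuser1", "GET", "https://da-1.profiq.cz/index.html"),  # port 443: no rule
        ("testuser2", "GET", "http://da-1.profiq.cz:8080/"),        # not a subject
        ("testuser1", "DELETE", "http://da-1.profiq.cz:8080/x"),    # method not ticked
    ]:
        print(user, method, url, "->", evaluate(user, method, url))
```

The last three cases are all answered with 403 by the agent, and from the browser they look identical; only the reason differs, which is why the agent debug log is the place to look when a valid login still ends in 403.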
Web Agent
A basic installation of Sun Web Server consists of 2 servers, the admin server and the domain server. Make sure that both of them are down:
/opt/ws7/admin-server/bin/stopserv
server has been shutdown
/opt/ws7/https-da-1.profiq.cz/bin/stopserv
server has been shutdown
The Web Agent installer asks for the name and password you set for the web agent in the OpenAM console. The password has to be read from a file, so prepare that file first. With a default umask a file created in /tmp is world-readable, so create it with permissions restricted to the installing user (mode 0600) and delete it once the installer has encrypted the password into the bootstrap file; the password "webagent" used here is a lab value, not one to reuse on a real deployment:
echo webagent > /tmp/webagent.pwd
Installation of the Web Agent does not work like a classic setup tool, which asks for a directory and then copies files there. Instead, it asks for the parameters it needs and creates its configuration in the directory the setup is started from. Therefore you have to unzip the agent into the directory where you want it installed (in my case /opt) and run the install script from there; the agent paths reported in the installer summary are under whatever directory you unzipped into. You also need the JDK bin directory in PATH:
export JAVA_HOME=/opt/jdk1.6.0_26
export PATH=$JAVA_HOME/bin:$PATH
cd /opt
unzip /home/profiq/sjsws_v70_Linux_64_agent_304.zip
Before the installation, you need to have prepared this information:
- Web Server Config Directory: /opt/ws7/https-da-1.profiq.cz/config (use your domain config)
- OpenSSO server URL: https://oam-1.profiq.cz:1081/opensso
- Agent URL: https://da-1.profiq.cz:8081 (use URL to SSL listener of Web Server)
- Agent Profile name: webagent
- Agent Profile Password file name: /tmp/webagent.pwd
Now run the installation:
/opt/web_agents/sjsws_agent/bin/agentadmin --install
Please read the following License Agreement carefully:
[Press <Enter> to continue...] or [Enter n To Finish] n
Do you completely agree with all the terms and conditions of this License Agreement (yes/no): [no]: yes
************************************************************************
Welcome to the OpenSSO Policy Agent for Sun Java System Web Server.
************************************************************************
Enter the complete path to the directory which is used by Sun Java System Web Server to store its configuration Files. This directory uniquely identifies the Sun Java System Web Server instance that is secured by this Agent.
[ ? : Help, ! : Exit ]
Enter the Sun Java System Web Server Config Directory Path [/var/opt/SUNWwbsvr7/https-node3/config]: /opt/ws7/https-da-1.profiq.cz/config
Enter the URL where the OpenSSO server is running. Please include the deployment URI also as shown below: (http://opensso.sample.com:58080/opensso)
[ ? : Help, < : Back, ! : Exit ]
OpenSSO server URL: https://oam-1.profiq.cz:1081/opensso
Enter the Agent URL as shown below: (http://agent1.sample.com:1234)
[ ? : Help, < : Back, ! : Exit ]
Agent URL: https://da-1.profiq.cz:8081
Enter the Agent profile name
[ ? : Help, < : Back, ! : Exit ]
Enter the Agent Profile name: webagent
Enter the path to a file that contains the password to be used for identifying the Agent.
[ ? : Help, < : Back, ! : Exit ]
Enter the path to the password file: /tmp/webagent.pwd
-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Sun Java System Web Server Config Directory : /opt/ws7/https-da-1.profiq.cz/config
OpenSSO server URL : https://oam-1.profiq.cz:1081/opensso
Agent URL : https://da-1.profiq.cz:8081
Agent Profile name : webagent
Agent Profile Password file name : /tmp/webagent.pwd
Verify your settings above and decide from the choices below.
1. Continue with Installation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]: 1
Creating directory layout and configuring Agent file for Agent_001 instance ...DONE.
Reading data from file /tmp/webagent.pwd and encrypting it ...DONE.
Generating audit log file name ...DONE.
Creating tag swapped OpenSSOAgentBootstrap.properties file for instance Agent_001 ...DONE.
Creating a backup for file /opt/ws7/https-da-1.profiq.cz/config/obj.conf ...DONE.
Creating a backup for file /opt/ws7/https-da-1.profiq.cz/config/magnus.conf ...DONE.
Adding Agent parameters to /opt/ws7/https-da-1.profiq.cz/config/magnus.conf file ...DONE.
Adding Agent parameters to /opt/ws7/https-da-1.profiq.cz/config/obj.conf file ...DONE.
SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: Agent_001
Agent Bootstrap file location: /home/profiq/web_agents/sjsws_agent/Agent_001/config/OpenSSOAgentBootstrap.properties
Agent Configuration Tag file location: /home/profiq/web_agents/sjsws_agent/Agent_001/config/OpenSSOAgentConfiguration.properties
Agent Audit directory location: /home/profiq/web_agents/sjsws_agent/Agent_001/logs/audit
Agent Debug directory location: /home/profiq/web_agents/sjsws_agent/Agent_001/logs/debug
Install log file location: /home/profiq/web_agents/sjsws_agent/installer-logs/audit/install.log
Thank you for using OpenSSO Policy Agent.
INSTALL NOTE: Installer modifies obj.conf file in the config directory you specified. To make agent changes effective do Pull and deploy configuration using Web Server Admin Console or CLI. If there are multiple obj.conf files already present, then manually add agent settings to the required obj.conf files.
UNINSTALL NOTE: Uninstall removes agent settings from obj.conf file in the config directory you specified. If there are multiple obj.conf files configured manually in the same config directory, then please remove them manually.
For more information, please refer agent documentation.
Now you can start the domain server. Note the INSTALL NOTE above: the installer edited obj.conf and magnus.conf directly in the instance config directory, so also pull that configuration into the admin server (Admin Console or CLI) as the note says; otherwise a later deployment from the admin server can overwrite the agent settings.
/opt/ws7/https-da-1.profiq.cz/bin/startserv
Web Policy Agent Tests
TEST: Access Web Server
Access: http://da-1.profiq.cz:8080
OpenSSO login page is displayed
- User Name: testuser1
- Password: password
http://oam-1.profiq.cz:1080/opensso/UI/Logout
Expected output:
At first, OpenAM login page is displayed and after login, Web Server page is displayed. Logout should work too.
TEST: Access Web Server using SSL
Access: https://da-1.profiq.cz:8081
OpenSSO login page is displayed
- User Name: testuser1
- Password: password
http://oam-1.profiq.cz:1080/opensso/UI/Logout
Expected output:
At first, OpenAM login page is displayed and after login, Web Server page is displayed. Logout should work too. For either test, if the login succeeds but the web server then answers 403, the session is valid and the agent denied the URL because no policy applied to it: compare the scheme, host and port in the rule's Resource Name with the URL the agent sees (its Agent URL), check that the user is in the policy's subject, and look at the agent debug log.
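The two tests above can be scripted so that the agent's behaviour is checked rather than eyeballed. The following probe is an added example written for this article; it is not part of the original post or of OpenAM. It uses only the Python standard library and assumes that the OpenAM session cookie is named iPlanetDirectoryPro (the default) and that the legacy OpenSSO REST endpoint /identity/authenticate, which returns a line "token.id=...", is available on this OpenAM version. URL, user and password are command-line arguments; the constructed responses in the comments are for illustration only.

```python
"""Probe a URL behind the OpenAM web agent and classify what the agent did.

Example usage (lab values from the article):
  python3 probe.py http://da-1.profiq.cz:8080/ testuser1 password [--insecure]
"""
import http.client
import ssl
import sys
from urllib.parse import parse_qs, urlencode, urlsplit

OPENAM_URL = "https://oam-1.profiq.cz:1081/opensso"   # from the article
SSO_COOKIE = "iPlanetDirectoryPro"                    # assumed: default cookie name


def classify(status, location, requested):
    """Map the web server's answer to what the article's tests expect.

    'login'            anonymous request bounced to the OpenAM login page
    'login-wrong-goto' bounced, but the goto parameter is not the URL asked for
                       (usually a wrong Agent URL; never follow such a redirect)
    'allowed'          content served (expected with a valid session cookie)
    'denied'           403: session valid, but no policy allows the URL
    """
    if status in (302, 303, 307) and location:
        loc, base = urlsplit(location), urlsplit(OPENAM_URL)
        if (loc.scheme, loc.netloc) == (base.scheme, base.netloc) and \
                loc.path == base.path + "/UI/Login":
            goto = parse_qs(loc.query).get("goto", [""])[0]
            return "login" if goto.startswith(requested) else "login-wrong-goto"
        return "redirect-elsewhere"
    if status == 200:
        return "allowed"
    if status == 403:
        return "denied"
    return "status-%d" % status


def parse_token(body):
    """Extract the session token from a legacy REST reply such as
    'token.id=AQIC...' (constructed shape; returns None when absent)."""
    for line in body.splitlines():
        if line.startswith("token.id="):
            return line[len("token.id="):].strip()
    return None


def request(url, cookie=None, form=None, insecure=False):
    """GET (or POST form) the URL without following redirects.
    Returns (status, Location header or None, body)."""
    p = urlsplit(url)
    if p.scheme == "https":
        ctx = ssl.create_default_context()
        if insecure:                       # lab only: self-signed certificates
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        conn = http.client.HTTPSConnection(p.hostname, p.port or 443, context=ctx, timeout=10)
    else:
        conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=10)
    headers = {}
    if cookie:
        headers["Cookie"] = "%s=%s" % (SSO_COOKIE, cookie)
    body = None
    if form is not None:
        body = urlencode(form)
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    conn.request("POST" if form is not None else "GET", p.path or "/", body=body, headers=headers)
    resp = conn.getresponse()
    data = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, resp.getheader("Location"), data


def login(user, password, insecure=False):
    """Obtain a session token through the legacy REST endpoint (assumed available)."""
    status, _, body = request(OPENAM_URL + "/identity/authenticate",
                              form={"username": user, "password": password}, insecure=insecure)
    return parse_token(body) if status == 200 else None


def main(argv):
    insecure = "--insecure" in argv
    args = [a for a in argv[1:] if a != "--insecure"]
    if not args:
        print(__doc__)
        return 2
    url = args[0]
    status, loc, _ = request(url, insecure=insecure)
    print("anonymous:   ", status, classify(status, loc, url))
    if len(args) == 3:
        token = login(args[1], args[2], insecure)
        if not token:
            print("authentication failed")
            return 1
        status, loc, _ = request(url, cookie=token, insecure=insecure)
        print("with session:", status, classify(status, loc, url))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A correct installation answers 'login' for the anonymous request and 'allowed' once the token is sent; 'denied' with a valid token is the 403 case discussed above. Use --insecure only in a lab with self-signed certificates, and remember that OpenAM answers the authentication call over the same TLS connection as everything else, so do not point the probe at a plain-HTTP OpenAM listener with a real password.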
References
I have exactly followed this guide.
However, in my case I am getting a 403 error.
I do get redirected to OpenAM, which is fine.
If I enter a wrong username or password I get an authorization error, which is fine.
The only bit which does not work is that whether I enter a legitimate user or a non-legitimate user, I always get 403.
Surely something is wrong in my policy setup, because if I click the agent and tick SSO Enabled, which disables authorisation and lets everyone authenticate, then every user can connect.
Thanks for your helpful guide. Can you please assist me with my issue?
Hello Arkam,
Did you have a look at agent logs? Also, agent logs with maximum debug output?
Hi,
I installed the JEE Web Agent for a Tomcat 7 portal, but I was not able to add the filters to the XML files as described in the installation doc. When I add it to the web.xml, the web site does not work.
I would highly appreciate your support.
Regards,
Anas