Chapter 15. Installing the Oracle WebLogic Policy Agent

Chapter 15. Installing the Oracle WebLogic Policy Agent
Prev		Next

Table of Contents

15.1. Before You Install
15.2. Installing the WebLogic Policy Agent
15.3. Silent WebLogic Policy Agent Installation
15.4. Post Installation of WebLogic Policy Agent
15.5. Removing WebLogic Policy Agent Software

This chapter covers installation of the policy agent for Oracle WebLogic.

15.1. Before You Install

Make sure OpenAM is installed and running, and that you can contact OpenAM from the system running the policy agent. Next, create a profile for your policy agent as described in the Administration Guide section on Creating Agent Profiles. To protect resources with the agent also create at least one policy as described in the section on Configuring Policies. Consider creating a simple policy, such as a policy that allows only authenticated users to access your resources, in order to test your policy agent after installation.

You must install WebLogic before you install the policy agent, and you must stop the server during installation.

You must install a Java 6 runtime environment, and set the JAVA_HOME environment variable.

$ echo $JAVA_HOME
/path/to/java1.6
$ which java
/usr/bin/java

>Go to Obtaining OpenAM Software to determine which version of the agent to download and download the agent. Also verify the checksum of the file you download against the checksum posted on the download page.

Unzip the file in the directory where you plan to install the J2EE policy agent. The agent you install stores its configuration and logs under this directory.

When you unzip the policy agent, you find the following directories under the j2ee_agents/weblogic_v10_agent directory.

bin: The installation and configuration program, agentadmin.
config: Configuration templates used by the agentadmin command during installation
data: Not used
etc: Agent web application and startup configuration
installer-logs: Location for log files written during installation
lib: Shared libraries used by the J2EE policy agent
locale: Property files used by the installation program
sampleapp: Sample application that demonstrates key features of the policy agent. Wait until you have installed the agent to deploy this.

15.2. Installing the WebLogic Policy Agent

Complete the following procedures to install the policy agent.

Procedure 15.1. To Create the WebLogic Agent Profile

Regardless of whether you store configurations centrally in OpenAM or locally with your agents, the agent requires a profile so that it can connect to and communicate with OpenAM.

In the OpenAM console, browse to Access Control > Realm Name > Agents > J2EE, and then click the New... button in the Agent table.
Complete the web form using the following hints.
Name
The name for the agent profile used when you install the agent
Password
Password the agent uses to authenticate to OpenAM
Configuration
Centralized configurations are stored in the OpenAM configuration store. You can manage the centralized configuration through the OpenAM console. Local configurations are stored in a file alongside the agent.
Server URL
The full URL to an OpenAM instance, or if OpenAM is deployed in a site configuration (behind a load balancer) then the site URL
In centralized configuration mode, the Server URL is used to populate the agent profile for services such as Login, Logout, Naming, and Cross Domain SSO.
Agent URL
The URL to the J2EE agent application, such as http://www.example.com:8080/agentapp
In centralized configuration mode, the Agent URL is used to populate the Agent Profile for services such as notifications.

Procedure 15.2. To Create the Password File

Create a text file containing only the password.
```
$ echo password > /tmp/pwd.txt
```
Protect the password file you create as appropriate for your operating system.
```
$ chmod 400 /tmp/pwd.txt
```

Procedure 15.3. To Install the Policy Agent into WebLogic

Shut down the WebLogic server where you plan to install the agent.
Make sure OpenAM is running.

Run agentadmin --install to install the agent.

$ /path/to/j2ee_agents/weblogic_v10_agent/bin/agentadmin --install
...
-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Startup script location :
/path/to/domain/mydomain/bin/startWebLogic.sh
WebLogic Server instance name : AdminServer
WebLogic home directory : /path/to/wlserver
OpenAM server URL : http://openam.example.com:8080/openam
Agent URL : http://www.example.com:7001/agentapp
Agent Profile name : WebLogic Agent
Agent Profile Password file name : /tmp/pwd.txt

...
SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: Agent_001
Agent Bootstrap file location:
/path/to/j2ee_agents/weblogic_v10_agent/Agent_001/config/
 OpenSSOAgentBootstrap.properties
Agent Configuration file location
/path/to/j2ee_agents/weblogic_v10_agent/Agent_001/config/
 OpenSSOAgentConfiguration.properties
Agent Audit directory location:
/path/to/j2ee_agents/weblogic_v10_agent/Agent_001/logs/audit
Agent Debug directory location:
/path/to/j2ee_agents/weblogic_v10_agent/Agent_001/logs/debug


Install log file location:
/path/to/j2ee_agents/weblogic_v10_agent/installer-logs/audit/install.log
...

Upon successful completion, the installer has updated the WebLogic configuration, copied the agent libraries to WebLogic's library directory, and also set up configuration and log directories for the agent.

Note

If the agent is in a different domain than the server, refer to Administration Guide procedure, Configuring Cross-Domain Single Sign On.

Take note of the configuration files and log locations.
Each agent instance that you install on the system has its own numbered configuration and logs directory. The first agent's configuration and logs are thus located under the directory j2ee_agents/weblogic_v10_agent/Agent_001/.
config/OpenSSOAgentBootstrap.properties
Used to bootstrap the J2EE policy agent, allowing the agent to connect to OpenAM and download its configuration
config/OpenSSOAgentConfiguration.properties
Only used if you configured the J2EE policy agent to use local configuration
logs/audit/
Operational audit log directory, only used if remote logging to OpenAM is disabled
logs/debug/
Debug directory where the debug file resides. Useful in troubleshooting policy agent issues.
If your policy agent configuration is not in the top-level realm (/), then you must edit config/OpenSSOAgentBootstrap.properties to identify the sub-realm that has your policy agent configuration. Find com.sun.identity.agents.config.organization.name and change the / to the path to your policy agent profile. This allows the policy agent to properly identify itself to the OpenAM server.

The agent requires sourcing before it will work properly. There are two ways to source.

Manually source the file containing the policy agent environment settings for WebLogic before starting the application server.
```
. /path/to/setAgentEnv_AdminServer.sh
```
Or edit the startWebLogic.sh script to set the sourcing needed for the agent, by adding these lines after the code block shown. Add the setAgentEnv_AdminServer.sh line to the following location in the file. The drawback to this approach is that it could be overwritten, as noted in the file.
```
$ vi /path/to/startWebLogic.sh
 # Any changes to this script may be lost when adding extensions to this configuration.
 DOMAIN_HOME="/opt/Oracle/Middleware/user_projects/domains/base_domain"
  . /path/to/setAgentEnv_AdminServer.sh
 ${DOMAIN_HOME}/bin/startWebLogic.sh $*
```

Note

If the sourcing is not properly set, the following message appears.

<Error> <HTTP> <cent.example.com> 
 <AdminServer> <[STANDBY] ExecuteThread: '5' for queue: 'weblogic.kernel.Default 
 (self-tuning)'> <<WLS Kernel>> <><> <> <1360800613441> 
 <BEA-101165> <Could not load user defined filter in web.xml: 
 ServletContext@1761850405[app:agentapp module:agentapp.war path:null 
 spec-version:null] com.sun.identity.agents.filter.AmAgentFilter.
 java.lang.ClassNotFoundException: com.sun.identity.agents.filter.AmAgentFilter

Start the WebLogic server.
Configure shutdown classes for the environment.
1. In WebLogic console, browse to Environment > Startup & Shutdown Classes.
2. Click Lock & Edit.
3. Click New.
4. Select the Shutdown Class option, and then click Next.
5. Provide the Name Agent, and the Class Name org.forgerock.agents.weblogic.v10.lifecycle.ShutdownListener.
6. Select the appropriate targets to call the shutdown class once per Java Virtual Machine, and then click Finish.
7. Click Activate Changes.

Procedure 15.4. To Protect Applications After Agent Installation

Deploy the /path/to/j2ee_agents/weblogic_v10_agent/etc/agentapp.war agent application in WebLogic.

For each web application to protect, add the following filter to the application's web.xml configuration, following the opening <web-app> tag. The file for the sample application delivered with the agent is /path/to/j2ee_agents/weblogic_v10_agent/sampleapp/etc/web.xml.

 <filter>
  <filter-name>Agent</filter-name>
  <display-name>Agent</display-name>
  <description>OpenAM Policy Agent Filter</description>
 <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
 </filter>
 <filter-mapping>
  <filter-name>Agent</filter-name>
  <url-pattern>/*</url-pattern>
  <dispatcher>REQUEST</dispatcher>
  <dispatcher>INCLUDE</dispatcher>
  <dispatcher>FORWARD</dispatcher>
  <dispatcher>ERROR</dispatcher>
 </filter-mapping>

You might also have to update additional configuration files. See the sample application located under /path/to/j2ee_agents/weblogic_v10_agent/sampleapp for examples.

If you have a policy configured, you can test your policy agent. For example, try to browse to a resource that your policy agent protects. You should be redirected to OpenAM to authenticate, for example as user demo, password changeit. After you authenticate, OpenAM then redirects you back to the resource you tried to access.

15.3. Silent WebLogic Policy Agent Installation

When performing a scripted, silent installation, use agentadmin --install --saveResponse response-file to create a response file for scripted installation. Then install silently using agentadmin --install --useResponse response-file.

15.4. Post Installation of WebLogic Policy Agent

After installing WebLogic, some configuration is required before the policy agent will work.

Procedure 15.5. To Configure the WebLogic Policy Agent

WebLogic is unique in that it requires additional configuration after the installation is complete.

Go to the WebLogic Server Administratotion Console and login.
Click Security realms.
Click the name of the realm to use for OpenAM.
Click Providers > Authentication.
Click Lock & Edit > New.
Enter the desired type in Type as AgentAuthenticator, provide a name, and click OK.
Click on the name of the agent authenticator you just created.
Use OPTIONAL for the control flag and save.
Click on Providers to display the Authentication Providers Table.
Click on Default Authenticator, use OPTIONAL for the control flag, and save.
Activate the changes once the default authenticator is done saving.
You will need to restart the WebLogic Server to implement the changes.

15.5. Removing WebLogic Policy Agent Software

Shut down the WebLogic server before you uninstall the policy agent.

To remove the J2EE policy agent, use agentadmin --uninstall. You must provide the WebLogic configuration directory location.

Uninstall does not remove the agent instance directory, but you can do so manually after removing the agent configuration from WebLogic.

Prev		Next
Chapter 14. Installing the IBM WebSphere Policy Agent	Home	Chapter 16. Troubleshooting