Installing, Configuring, and Deploying Sun Java System Access Manager the Simple Way

By Anant Kadam and Marina Sum, September 25, 2007

Sun Java System Access Manager 7.1 (henceforth, Access Manager) integrates authentication and authorization services, policy agents, identity management, and identity federation for protecting network resources. Subsequently, you can secure access to resources and manage the identities of the users who access them.

You can deploy Access Manager on most platforms on most containersthat is, most Web servers or application serversthat comply with the Java Servlet 2.3 API Specification. Such was not always the case; see the appendix.

This article describes a simple and efficient way to install, configure, and deploy Access Manager on Sun Java System Application Server (henceforth, Application Server), which is also an open-source project called GlassFish. On average, the entire process takes less than 10 minutes to complete and so is especially handy for prototypes.

Contents


-	Downloading the Software
-	Configuring Application Server
-	Deploying and Configuring Access Manager
-	Understanding the File Layout
-	Undeploying Access Manager
-	Reconfiguring Access Manager
-	Appendix: Deployment Then and Now
-	References

Downloading the Software

First, download the following software:

Sun Application Server Platform Edition 9.0 or a later release, derived from GlassFish

Access Manager

The ZIP file contains the Java Development Kit (JDK) version-specific Web archive (WAR) files, the application for Distributed Authentication, administrative command-line interface (CLI) tools, session failover tools, legal files, and procedures for running the samples. Unzip the file to a directory of your choice, referred to as Access_Manager_install_dir in the rest of this article. Figure 1 shows this directory's file structure.

Figure 1: File Structure of Access Manager

The main difference between the jdk14 and jdk15 binaries is size. Sun's JDK 1.5.x includes most of the Java archive (JAR) files for Java Web Services Developer Pack (Java WSDP), but those files are not part of Access Manager for the containers that run under Sun's JDK 1.5.x. The example in this article uses the amserver.war file under Access_Manager_install_dir /applications/jdk15.

Configuring Application Server

If you have enabled Security Manager in the Java virtual machine, add the Access Manager-related permissions to Application Server's server.policy file, as follows.

// ADDITIONS FOR Access Manager
grant codeBase "file:\${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-" {
    permission java.net.SocketPermission "*", "connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.io.FilePermission "<<ALL FILES>>", "execute,delete";
    permission java.util.PropertyPermission "java.util.logging.config.class", "write";
    permission java.security.SecurityPermission "removeProvider.SUN";
    permission java.security.SecurityPermission "insertProvider.SUN";
    permission javax.security.auth.AuthPermission "doAs";
    permission java.util.PropertyPermission "java.security.krb5.realm", "write";
    permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
    permission java.util.PropertyPermission "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission "user.language", "write";
    permission javax.security.auth.kerberos.ServicePermission "*", "accept";
    permission javax.net.ssl.SSLPermission "setHostnameVerifier";
    permission java.security.SecurityPermission "putProviderProperty.IAIK";
    permission java.security.SecurityPermission "removeProvider.IAIK";
    permission java.security.SecurityPermission "insertProvider.IAIK";
};
// END OF ADDITIONS FOR Access Manager

Note: If you deploy Access Manager 7.1 with a name other than amserver, change the amserver string in the grant statement correspondingly. Alternatively, just cite grant {...} for testing.

Note: If your container of choice is IBM WebSphere, set the following two Java virtual machine options in the container's server.xml file:

-DamCryptoDescriptor.provider=IBMJCE
-DamKeyGenDescriptor.provider=IBMJCE

For example:

genericJvmArguments="-DamCryptoDescriptor.provider=IBMJCE -DamKeyGenDescriptor.provider=IBMJCE"

Afterward, restart Application Server for the changes to take effect.

Deploying and Configuring Access Manager

Now deploy the Access Manager WAR file on any Web container that is supported by Sun Java Enterprise System 5. Three steps are involved:

Deploy the WAR file.
Configure Access Manager.
Verify the configuration.

Deploying the WAR File
To deploy the WAR file:

Log in to the Application Server Administration Console at http://localhost:4848.

The default user name is admin; the default password is adminadmin.

On the left pane, select Web Applications under Applications. On the right pane, specify the location of the Access Manager WAR file ( Access_Manager_install_dir /applications/jdk15/amserver.war) and click Deploy.

Once deployment is successful, Application Server displays amserver under Deployed Web Applications, as shown in Figure 2.

Figure 2: Successful Deployment of Access Manager on Application Server (Click image for larger view.)

Configuring Access Manager
To configure Access Manager:

Click Launch.

Alternatively, go to http:// hostname.domain_name .com: portnumber /amserver, where:

hostname.domain_name .com is the name of the host on which Access Manager is deployed.
portnumber is the number of the port from which Access Manager will be listening for incoming requests.

The Access Manager Configurator page is displayed, as shown in Figure 3.

Figure 3: Configurator Page in Application Server (Click image for larger view.)

Specify the amAdmin password (for example, admin123) and the configuration directory (for example, /amconfig).
Optional. To specify Sun Java System Directory Server as a configuration store, ensure that the Directory Server instance is installed and running and then do the following.
1. Under Configuration Store Settings, select Directory Server.
2. Under Server Settings, fill in the Name, Port, and "Suffix to store configuration data" fields.
3. Under Directory Server Administration, fill in the Password and Retype Password fields.
Click Configure.

Access Manager displays the status of the configuration process.

In this example, File System is the default for storing service configuration data. That is, all the service configuration files are under the config_dir / deploy_URI /sms directory, /amconfig/amserver/sms in this case.

After successful configuration, Access Manager displays the login screen, as shown in Figure 4.

Figure 4: Access Manager Login Screen (Click image for larger view.)

Verifying the Configuration
Finally, verify the configuration by logging in. The Access Manager Administration Console is displayed, as shown in Figure 5.

Figure 5: Access Manager Administration Console (Click image for larger view.)

Understanding the File Layout

As soon as configuration is complete, Access Manager creates the following files in your system:

Configuration files These files reside in the directory specified in the Configurator page (General Settings > Configuration Directory). In this example, that directory is called /amconfig. See its file structure in Figure 6.

Figure 6: File Structure in the Configuration Directory

Bootstrap files These files are required for locating configuration information in specific Access Manager instances. At a given point, depending on the number of the configured instances on the same host machine, multiple bootstrap files might apply. Do not delete those files.

By default, a bootstrap file resides under the user.home directory. You can change that location as desired. For details on the procedure, see "Deploying Access Manager as a Single WAR File" in the Sun Java System Access Manager 7.1 Postinstallation Guide.

Access Manager constructs the file name by editing the real path from Servlet Context and replacing the \ and / symbols with the _ symbol. For example, if the user running Application Server is root, the bootstrap file in this example is /AccessManager/AMConfig_opt_SUNWappserver_domains_domain1_applications_j2ee-modules_amserver_.

Undeploying Access Manager

Access Manager offers no scripts for undeploying configured instances. To undeploy Access Manager:

Undeploy with container-specific commands.
Delete the configuration files and bootstrap file.

See the preceding section.
Optional. Undo the server policy changes.

If you would like to redeploy Access Manager, skip this step.
Restart the Web container.

Reconfiguring Access Manager

To test with various configuration values without undeploying Access Manager:

Delete the configuration files and bootstrap file.
Restart the Web container.
Go to http:// hostname.domain_name .com: portnumber /amserver.

The Configurator page is displayed.

Appendix: Deployment Then and Now

In its earlier versions, the installer deployed Access Manager as packages. They were a collection of JAR files along with supporting XML, JavaServer Pages (JSP), HTML, and GIF files; also locale files and properties in the AMConfig.properties and serverconfig.xml files, the latter for directory configurations. That approach led to a number of problems, as follows:

The installer was container-aware.
The installer had operating system-related dependencies.
Reverting to original configurations was complicated.
Wide distribution of Access Manager was not feasible.

Consequently, the Access Manager engineering team set a goal to repackage the components to be deployable as J2EE applications. That goal became a reality in Access Manager 7.1: You can now conveniently deploy it as a single Web application, hassle free.

References

Sun Java System Access Manager
Sun developer services
- Support
- Training and certification

Rate and Review

Tell us what you think of the content of this page.

Excellent Good Fair Poor

Comments:

</td>
                    </tr>
                     <tr>
                       <td>                        <strong>Your email address (no reply is possible without an address):</strong>
                        <br/>
                         <a href="http://sun.com/privacy/" target="_new">Sun Privacy Policy</a>
                        <br/>
                         <input maxlength="60" name="custom_1" size="35" type="text" value=""/>                        <br/>
Note: We are not able to respond to all submitted comments.
                      </td>
                    </tr>
                     <tr>
                       <td>                        <input border="0" class="buttonblue" onmouseout="this.style.color='#FFF';" onmouseover="this.style.color='#fbe249';" type="submit" value=" Submit » "/>  
                        <input name="custom_0" type="hidden" value="Anant Kadam, Marina Sum"/>  
                        <input name="custom_4" type="hidden" value="Installing, Configuring, and Deploying Sun Java System Access Manager the Simple Way"/>  
                        <input name="custom_5" type="hidden" value="http://developers.sun.com/identity/reference/techart/install.html"/>  
                        <input name="cf_Form_Name" type="hidden" value="Rate and Review - article feedback"/>  
                        <input name="cf_Form_Location" type="hidden" value="Registrations"/>  
                        <input name="cf_iso2" type="hidden" value="XH"/>  
                        <input name="charset" type="hidden" value="ISO-8859-1"/>
                      </td>
                    </tr>
                  </table>
                </td>
              </tr>
            </table>
          </form>
					
	</div>
</div>
<div class="orcl6w5"><div class="orcl6x0"></div><div class="orcl6x1"></div></div>
	<div class="orcl6w6">
		<div class="orcl6x0"></div>
		<div class="orcl6x1"></div>
	
</div>

</div>
<div id="Wrapper_FixedWidth_Rightnav">
<div style="background-color:#FFFFFF;">
    
                                      
       <style type="text/css">
body {font-family:Arial, Helvetica, sans-serif}
#downRSS {padding:0;position:absolute;top:3px;right:10px;}
#downWrapper {padding:0 0 0px 0;background-color:#ffffff;}
#downMain {padding:5px 0 0 0; margin: 0; font-size:12px; }
#downMain .downLoad {background-image:url(http://www.oracleimg.com/ocom/groups/public/@otn/documents/digitalasset/115899.gif); background-repeat:no-repeat; background-position:top left; padding:0 0 10px 16px; margin:0 0 0 5px;}
#downMain a:link {color:#000;text-decoration:underline;} 
#downMain a:visited {color:#999;text-decoration:underline;}
#downMain a:hover {color:#ff0000;text-decoration:underline;}
</style>
<table width="100%" cellspacing="0" cellpadding="0" border="0" bgcolor="#dddddd">
    <tbody>
        <tr>
            <td><img width="10" height="20" alt="Left Curve" src="/ocom/groups/public/@otn/documents/digitalasset/121830.gif" /></td>
            <td align="center">
            <div align="center"><span class="boldbodycopy">Java SDKs and Tools</span></div>
            </td>
            <td align="right"><img width="10" height="20" alt="Right Curve" src="/ocom/groups/public/@otn/documents/digitalasset/104150.gif" /></td>
        </tr>
        <tr>
            <td colspan="3">
            <div id="downWrapper">
            <div id="downMain">
            <div class="downLoad"><a target="" href="/technetwork/java/javase/downloads/index.html">Java SE</a></div>
            <div class="downLoad"><a target="" href="/technetwork/java/javaee/downloads/index.html">Java EE and Glassfish</a></div>
            <div class="downLoad"><a target="" href="/technetwork/java/javame/downloads/index.html">Java ME</a></div>
<div class="downLoad"><a target="" href="/technetwork/java/javafx/downloads/index.html">JavaFX</a></div>
            <div class="downLoad"><a target="" href="/technetwork/java/javacard/downloads/index.html">Java Card</a></div>
<div class="downLoad"><a target="" href="http://netbeans.org/downloads/index.html">NetBeans IDE</a></div>
            
            </div>
            </div>
            </td>
        </tr>
    </tbody>
</table>

</div>
</div>

</div>

<div id="Wrapper_FixedWidth_Footer">
            <div class="addThisPrintEmail">
                
	<a href="javascript:mailpage()"><img height="16" src="/ocom/groups/systemobject/@mktg_admin/@ocom_admin/documents/digitalasset/email.gif" width="19" border="0" /></a> <span style="MARGIN-BOTTOM: 2px">
	<a href="javascript:mailpage()">E-mail this page</a></span>   
	<a onclick="printerView()" href="javascript: void 0;"><img height="16" alt="Printer View" src="/ocom/groups/systemobject/@mktg_admin/@ocom_admin/documents/digitalasset/print_icon.gif" width="19" border="0" /> Printer View</a>
			
            </div>
 
				
		 <div data-trackas="ffooter" data-openff="Open Info" data-closeff="Close Info" class="u06v1" id="u06v1"><div class="u06v1z1"> </div> <div class="u06v1w1"><div class="u06v1w2"><ul>     <h5>Oracle Cloud</h5>     <li><a href="/us/solutions/cloud/overview/index.html" data-lbl="cloud:learn-about-oracle-cloud">Learn About Oracle Cloud</a></li>     <li><a href="https://cloud.oracle.com/mycloud/f?p=service:free_trial:0" data-lbl="cloud:get-a-free-trial" target="_blank">Get a Free Trial</a></li>     <li><a href="/us/solutions/cloud/platform/overview/index.html" data-lbl="cloud:learn-about-paas">Learn About PaaS</a></li>     <li><a href="/us/technologies/saas/overview/index.html" data-lbl="cloud:learn-about-saas">Learn About SaaS</a></li>     <li><a href="/us/solutions/cloud/infrastructure/overview/index.html" data-lbl="cloud:learn-about-iaas">Learn About IaaS</a></li> </ul></div> <div class="u06v1w2"><ul>     <h5>Java</h5>     <li><a href="/us/technologies/java/overview/index.html" data-lbl="java:learn-about-java">Learn About Java</a></li>     <li><a href="http://java.com/download" data-lbl="java:download-java-for-consumers" target="_blank">Download Java for Consumers</a></li>     <li><a href="/technetwork/java/javase/downloads/index.html" data-lbl="java:download-java-for-developers">Download Java for Developers</a></li>     <li><a href="/technetwork/java/index.html" data-lbl="java:java-resources-for-developers">Java Resources for Developers</a></li>     <li><a href="https://cloud.oracle.com/mycloud/f?p=service:java:0" data-lbl="java:java-cloud-service" target="_blank">Java Cloud Service</a></li>     <li><a href="/technetwork/java/javamagazine/index.html" data-lbl="java:java-magazine">Java Magazine</a></li> </ul></div> <div class="u06v1w2"><ul>     <h5>Customer and Events</h5>     <li><a href="/us/corporate/customers/index.html" data-lbl="customers-and-events:explore-and-read-customer-stories">Explore and Read Customer Stories</a></li>     <li><a href="http://events.oracle.com/search/search?group=Events&keyword=" data-lbl="customers-and-events:all-oracle-events" target="_blank">All Oracle Events</a></li>     <li><a href="http://www.oracle.com/openworld/index.html" data-lbl="customers-and-events:oracle-openworld" target="_blank">Oracle OpenWorld</a></li>     <li><a href="http://www.oracle.com/javaone/index.html" data-lbl="customers-and-events:javaone" target="_blank">JavaOne</a></li> </ul></div> <div class="u06v1w2"><ul>     <h5>Communities</h5>     <li><a href="/us/corporate/blogs/index.html" data-lbl="communities:blogs">Blogs</a></li>     <li><a href="http://forums.oracle.com/forums/index.jspa?cat=1" data-lbl="communities:discussion-forums" target="_blank">Discussion Forums</a></li>     <li><a href="https://wikis.oracle.com" data-lbl="communities:wikis" target="_blank">Wikis</a></li>     <li><a href="/technetwork/community/oracle-ace/index.html" data-lbl="communities:oracle-aces">Oracle ACEs</a></li>     <li><a href="/us/corporate/customers/oracle-users-groups-192206.html" data-lbl="communities:user-groups">User Groups</a></li>     <li><a href="/us/social-media/twitter/index.html" data-lbl="communities:social-media-channels">Social Media Channels</a></li> </ul></div> <div class="u06v1w2"><ul>     <h5>Services and Store</h5>     <li><a href="/us/support/software/premier/my-oracle-support-068523.html" data-lbl="services-and-store:log-in-to-my-oracle-support">Log In to My Oracle Support</a></li>     <li><a href="http://education.oracle.com/" data-lbl="services-and-store:training-and-certification" target="_blank">Training and Certification</a></li>     <li><a href="/partners/en/join-now/index.html" data-lbl="services-and-store:become-a-partner" target="_blank">Become a Partner</a></li>     <li><a href="/us/partnerships/solutions-catalog/specialized-partners/index.html" data-lbl="services-and-store:find-a-partner-solution">Find a Partner Solution</a></li>     <li><a href="https://shop.oracle.com/" data-lbl="services-and-store:purchase-from-the-oracle-store" target="_blank">Purchase from the Oracle Store</a></li>     <li><div class="u06callout"><h5>Contact and Chat</h5>     <a href="/us/corporate/contact/global-070511.html" data-lbl="contact-and-chat:global-contacts">Global Contacts</a><br />     <a href="/us/support/contact/index.html" data-lbl="contact-and-chat:oracle-support" target="">Oracle Support</a><br />     <strong>Phone:</strong> 800-633-0738<br />     </div></li> </ul></div></div> <div class="u06v1z2"> </div></div>   <div data-trackas="footer" id="u06"><hr /> <h3><a href="/us/corporate/index.html" data-lbl="hardware and software engineered to work together">Hardware and Software, Engineered to Work Together</a></h3> <ul class="u06-links">     <li><a href="/us/syndication/subscribe/index.html" data-lbl="subscribe">Subscribe</a></li>     <li><a href="/us/corporate/careers/index.html" data-lbl="careers">Careers</a></li>     <li><a href="/us/corporate/contact/index.html" data-lbl="contact us">Contact Us</a></li>     <li><a href="/us/sitemaps/index.html" data-lbl="site maps">Site Maps</a></li>     <li><a href="/us/legal/index.html" data-lbl="legal notices">Legal Notices</a></li>     <li><a href="/us/legal/terms/index.html" data-lbl="terms of use">Terms of Use</a></li>     <li><a href="/us/legal/privacy/index.html" data-lbl="privacy rights">Privacy</a></li>     <li><div style="*margin-top:5px;" id="teconsent"><script type='text/javascript' src='http://consent.truste.com/notice?domain=oracle.com&c=teconsent&language=en&text=true'></script></div>     </li>     <li class="u06-mobile"><a href="/us/corporate/mobile-application/index.html" data-lbl="oracle mobile"><span> </span></a></li> </ul> <ul class="scl-icons">     <li class="scl-facebook"><a title="Oracle on Facebook" href="/us/social-media/facebook/index.html" data-lbl="facebook">Facebook</a></li>     <li class="scl-linkedin"><a title="Oracle on LinkedIn" href="/us/social-media/linkedin/index.html" data-lbl="linkedIn">LinkedIn</a></li>     <li class="scl-twitter"><a title="Follow Oracle on Twitter" href="/us/social-media/twitter/index.html" data-lbl="twitter">Twitter</a></li>     <li class="scl-googleplus"><a title="Follow Oracle on Google+" href="https://plus.google.com/u/0/115607918987921226255" data-lbl="google plus" target="_blank">Google+</a></li>     <li class="scl-youtube"><a title="Watch Oracle on YouTube" href="http://www.youtube.com/oracle/" data-lbl="youtube" target="_blank">YouTube</a></li>     <li class="scl-feed"><a title="Oracle RSS Feeds" href="/us/syndication/feeds/index.html" data-lbl="oracle rss feed">Oracle RSS Feed</a></li> </ul></div> 
 
			
          </div>
        </div>

<script language="JavaScript" src="http://www.oracleimg.com/us/assets/metrics/ora_otn.js"></script>

</div>
    </div>
  </div>

Products and Services

Solutions

Downloads

Store

Support

Training

Partners

About

Oracle Technology Network

Installing, Configuring, and Deploying Sun Java System Access Manager the Simple Way