Installing Java EE Agents in Jetty Server

This chapter covers installation of the policy agent for Jetty.

Before You Install

Make sure OpenAM is installed and running, and that you can contact OpenAM from the system running the policy agent. Next, create a profile for your policy agent as described in Creating Agent Profiles. To protect resources with the agent, create at least one policy as described in Configuring Policies in the OpenAM Administration Guide. Consider creating a simple policy, such as one that allows only authenticated users to access your resources, so that you can test your policy agent after installation.

You must install Jetty before you install the policy agent, and you must stop the server during installation.

You must install a supported version of the Java runtime environment. Set the JAVA_HOME environment variable accordingly. The policy agent installer requires Java.

$ echo $JAVA_HOME
/path/to/java

See the OpenAM Installation Guide section, Obtaining OpenAM Software, to determine which version of the agent to download, and download the agent. Also verify the checksum of the file you download against the checksum posted on the download page.

Command line examples in this chapter show Jetty accessed remotely. If you are following the examples and have issues accessing Jetty remotely, you might have to change filter settings in the deployment descriptor file, such as /path/to/jetty/webapps/test/WEB-INF/web.xml, as shown in the following example:

<filter>
 <filter-name>TestFilter</filter-name>
 <filter-class>com.acme.TestFilter</filter-class>
 <init-param>
  <param-name>remote</param-name>
  <param-value>true</param-value> <!-- default: false -->
 </init-param>
</filter>

Unzip the file in the directory where you plan to install the J2EE policy agent. The agent you install stores its configuration and logs under this directory.

When you unzip the policy agent, you find the following directories under the j2ee_agents/jetty_v61_agent directory.

Despite the directory name, the policy agent supports multiple container versions.

bin

The installation and configuration program agentadmin. For more details about the available command-line tools, see Command-Line Tool Reference.

config

Configuration templates used by the agentadmin command during installation

data

Not used

etc

Configuration templates used during installation

installer-logs

Location for log files written during installation

legal-notices

Contains licensing information including third-party licenses

lib

Shared libraries used by the Java EE policy agent

locale

Property files used by the installation program

README

README file containing platform and install information for the agent

Installing the Jetty Policy Agent

Complete the following procedures to install the policy agent.

To Create the Agent Profile

Regardless of whether you store configurations centrally in OpenAM or locally with your agents, the agent requires a profile so that it can connect to and communicate with OpenAM.

  1. In the OpenAM console, browse to Realms > Realm Name > Agents > J2EE, and then click the New… button in the Agent table.

  2. Complete the web form using the following hints:

    Name

    The name for the agent profile used when you install the agent

    Password

    Password the agent uses to authenticate to OpenAM

    Configuration

    Centralized configurations are stored in the OpenAM configuration store. You can manage the centralized configuration through the OpenAM console. Local configurations are stored in a file alongside the agent.

    Server URL

    The full URL to an OpenAM instance, or if OpenAM is deployed in a site configuration (behind a load balancer) then the site URL

    In centralized configuration mode, the Server URL is used to populate the agent profile for services, such as Login, Logout, Naming, and Cross Domain SSO.

    Agent URL

    The URL to the J2EE agent application, such as http://www.example.com:8080/agentapp

    In centralized configuration mode, the Agent URL is used to populate the Agent Profile for services, such as notifications.

To Create a Password File

  1. Create a text file containing only the password specified when creating the agent profile.

    UNIX example:

    $ echo password > /tmp/pwd.txt

    Windows example:

    C:\> echo password > pwd.txt

  2. Protect the password file you create as appropriate for your operating system:

    UNIX example:

    $ chmod 400 /tmp/pwd.txt

    Windows example:

    In Windows Explorer, right-click the created password file, for example pwd.txt, select Read-Only, and then click OK.
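
A hardened way to carry out the two UNIX steps above, added here as an example and not part of the original guide: the file is created under a restrictive umask so that other local users cannot read it between creation and chmod, the password is read from standard input instead of being typed into a command line that ends up in the shell history, and an existing file or symlink at the target path is not overwritten. The function names write_agent_pwfile and check_agent_pwfile are hypothetical.

```shell
#!/bin/sh
# Added example: create the agent password file without a window in which
# other local users can read it. Function names are hypothetical.

# write_agent_pwfile PATH
# Reads one line (the agent profile password) from stdin and stores it in PATH.
write_agent_pwfile() (
    pwfile=$1
    # Never reuse an existing file or follow a symlink planted in a shared
    # directory such as /tmp.
    if [ -e "$pwfile" ] || [ -L "$pwfile" ]; then
        echo "refusing to overwrite $pwfile" >&2
        exit 1
    fi
    umask 077                      # file is created as 0600, not 0644
    set -C                         # noclobber: '>' fails if the path appears meanwhile
    if [ -t 0 ]; then              # interactive: do not echo the password
        stty -echo
        trap 'stty echo' EXIT
    fi
    IFS= read -r pw || :           # accept input with or without a final newline
    [ -n "$pw" ] || { echo "empty password" >&2; exit 1; }
    printf '%s\n' "$pw" > "$pwfile" || exit 1
    chmod 400 "$pwfile"            # same final mode as the guide's chmod step
)

# check_agent_pwfile PATH
# Succeeds only if PATH is a regular file readable by its owner and nobody else.
check_agent_pwfile() {
    case $(ls -ld -- "$1" 2>/dev/null) in
        -r--------*) return 0 ;;
        *) echo "$1: missing or permissions too open" >&2; return 1 ;;
    esac
}
```

The path written this way is the one to give the installer when it asks for the agent profile password file.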

To Install the Policy Agent into Jetty

  1. Shut down the Jetty server where you plan to install the agent.

  2. Make sure OpenAM is running.

  3. Run agentadmin --install to install the agent.

    When you run the command, you will be prompted to read and accept the software license agreement for the agent installation. You can suppress the license agreement prompt by including the --acceptLicense parameter. Including the option indicates that you have read and accepted the terms stated in the license. To view the license agreement, open <server-root>/legal-notices/license.txt.

    $ /path/to/j2ee_agents/jetty_v61_agent/bin/agentadmin --install --acceptLicense
    ...
    -----------------------------------------------
    SUMMARY OF YOUR RESPONSES
    -----------------------------------------------
    Jetty Server Config Directory : /path/to/jetty/etc
    OpenAM server URL : http://openam.example.com:8080/openam
    Jetty installation directory. : /path/to/jetty
    Agent URL : http://www.example.com:8080/agentapp
    Agent Profile name : Jetty Agent
    Agent Profile Password file name : /tmp/pwd.txt
    
    ...
    SUMMARY OF AGENT INSTALLATION
    -----------------------------
    Agent instance name: Agent_001
    Agent Bootstrap file location:
    /path/to/j2ee_agents/jetty_v61_agent/Agent_001/config/
     OpenSSOAgentBootstrap.properties
    Agent Configuration file location
    /path/to/j2ee_agents/jetty_v61_agent/Agent_001/config/
     OpenSSOAgentConfiguration.properties
    Agent Audit directory location:
    /path/to/j2ee_agents/jetty_v61_agent/Agent_001/logs/audit
    Agent Debug directory location:
    /path/to/j2ee_agents/jetty_v61_agent/Agent_001/logs/debug
    
    
    Install log file location:
    /path/to/j2ee_agents/jetty_v61_agent/installer-logs/audit/install.log
    ...

    Upon successful completion, the installer updates Jetty’s start.jar to reference the agent, sets up the agent web application, and also sets up configuration and log directories for the agent.

    If the agent is in a different domain than the server, refer to the Administration Guide procedure, Configuring Cross-Domain Single Sign On.

  4. Take note of the configuration files and log locations.

    Each agent instance that you install on the system has its own numbered configuration and logs directory. The first agent’s configuration and logs are thus located under the directory j2ee_agents/jetty_v61_agent/Agent_001/:

    config/OpenSSOAgentBootstrap.properties

    Used to bootstrap the Java EE policy agent, allowing the agent to connect to OpenAM and download its configuration.

    config/OpenSSOAgentConfiguration.properties

    Only used if you configured the Java EE policy agent to use local configuration.

    logs/audit/

    Operational audit log directory, only used if remote logging to OpenAM is disabled.

    logs/debug/

    Debug directory where the debug.out debug file resides. Useful in troubleshooting policy agent issues.

  5. If your policy agent configuration is not in the top-level realm (/), then you must edit config/OpenSSOAgentBootstrap.properties to identify the sub-realm that has your policy agent configuration. Find com.sun.identity.agents.config.organization.name and change the / to the path to your policy agent profile. This allows the policy agent to properly identify itself to the OpenAM server.

  6. To protect a web application, you must add the following filter to the application’s WEB-INF/web.xml deployment descriptor, following the opening <web-app> tag.

    <filter>
      <filter-name>Agent</filter-name>
      <display-name>Agent</display-name>
      <description>OpenAM Policy Agent Filter</description>
      <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
    </filter>
    <filter-mapping>
      <filter-name>Agent</filter-name>
      <url-pattern>/*</url-pattern>
      <dispatcher>REQUEST</dispatcher>
      <dispatcher>INCLUDE</dispatcher>
      <dispatcher>FORWARD</dispatcher>
      <dispatcher>ERROR</dispatcher>
    </filter-mapping>

  7. Start the Jetty server where you installed the agent:

    $ cd /path/to/jetty ; java -jar start.jar
    ...
    2011-09-15 12:49:55.469:INFO::Extract file:/path/to/jetty/webapps/agentapp.war
    ...
    2011-09-15 12:50:14.163:INFO::Started SelectChannelConnector@0.0.0.0:8080

  8. (Optional) If you have a policy configured, you can test your policy agent. For example, try to browse to a resource that your policy agent protects. You should be redirected to OpenAM to authenticate, for example, as user demo, password changeit. After you authenticate, OpenAM then redirects you back to the resource you tried to access.

Silent Jetty Policy Agent Installation

When performing a scripted, silent installation, use agentadmin --acceptLicense --saveResponse response-file to create a response file for scripted installation. Then install silently using agentadmin --install --acceptLicense --useResponse response-file.

Removing Jetty Policy Agent Software

Shut down the Jetty server before you uninstall the policy agent.

To remove the Java EE policy agent, use agentadmin --uninstall. You must provide the Jetty configuration directory location.

Uninstall does not remove the agent instance directory, but you can do so manually after removing the agent configuration from Jetty.