Install Web Agent
After installing Web Agent, perform the tasks in Post-installation tasks.
Install Apache Web Agent
Examples in this section use Apache and the Apache HTTP Server agent path. For
IBM HTTP Servers, replace the Apache HTTP Server agent path, apache24_agent
, with the IBM HTTP agent path, httpserver7_agent
.
Consider the following points before you install:
-
By default, the agent replaces authentication functionality provided by Apache, for example, the
mod_auth_*
modules. To use built-in Apache authentication directives, such asAuthName
,FilesMatch
, andRequire
, for specified not-enforced URLs, configure Use Built-in Apache HTTPD Authentication Directives. -
SELinux can prevent the web server from accessing agent libraries, and the agent from being able to write to audit and debug logs. See Troubleshooting.
-
By default, 32 agent instances can run at the same time in a single installation. For information about changing the limit, refer to AM_MAX_AGENTS in Environment variables.
Tune Apache multi-processing modules
The Apache HTTP Server and the IBM HTTP Server include Multi-Processing Modules (MPMs) that extend the basic functionality of a web server to support the wide variety of operating systems and customizations for a particular site.
Before installing the Apache Web Agent, configure and tune the MPMs, as follows:
-
Configure either the
mpm-event
or thempm-worker
modules for Unix-based servers, or thempm_winnt
module for Windows servers.The
prefork-mpm
module may cause performance issues to both the agent and AM. -
Ensure that there are enough processes and threads available to service the expected number of client requests.
MPM-related performance is configured in the
conf/extra/http-mpm.conf
file. The key properties in this file areThreadsPerChild
andMaxRequestWorkers
. Together, these the properties control the maximum number of concurrent requests that can be processed by Apache. The default configuration allows for 150 concurrent clients spread across 6 processes of 25 threads each.<IfModule mpm_worker_module> StartServers 2 MaxRequestWorkers 150 MinSpareThreads 25 MaxSpareThreads 75 ThreadsPerChild 25 MaxConnectionsPerChild 0 </IfModule>
For agent notifications,
MaxSpareThreads
,ThreadLimit
andThreadsPerChild
default values must not be altered; otherwise the notification queue listener thread cannot be registered.Any other values apart from these three in the worker MPM can be customized. For example, it is possible to use a combination of
MaxRequestWorkers
andServerLimit
to achieve a high level of concurrent clients.
Install Apache Web Agent interactively
-
Review the information in Before you install, and perform the steps in Preinstallation tasks.
-
(Optional) In non-Centos or virtual host environments, where an Apache user is not defined in
httpd.conf
, add the option to change ownership of created directories. Set the following environment variables in your command line session:$ export APACHE_RUN_USER=apache $ export APACHE_RUN_GROUP=apache
C:\>set APACHE RUN_USER=apache C:\>set APACHE RUN_GROUP=apache
For more information, refer to Installation environment variables
-
Shut down the server where you plan to install the agent.
-
Make sure AM is running.
-
Run
agentadmin --i
to install the agent:$ cd /web_agents/apache24_agent/bin/ $ ./agentadmin --i
C:\> cd web_agents\apache24_agent\bin C:\path\to\web_agents\apache24_agent\bin> agentadmin.exe --i
You are prompted to read and accept the software license agreement for the agent installation.
-
When prompted, enter information for your deployment.
To cancel the installation at any time, press CTRL-C
.-
Enter the complete path to the Apache configuration file. The installer modifies this file to include the agent configuration and module.
Enter the complete path to the httpd.conf file which is used by Apache HTTP Server to store its configuration. [ q or 'ctrl+c' to exit ] Configuration file [/opt/apache/conf/httpd.conf]:/etc/httpd/conf/httpd.conf
-
When installing the agent as the
root
user, theagentadmin
command can change the directory ownership to the same user and group specified in the Apache configuration.If User
andGroup
are not defined inhttpd.conf
, such as in non Red Hat Enterprise Linux-based distributions, this step appears only if environment variables are set as described in step 2.Determine which user or group is running the Apache server by viewing the
Group
andUser
directives inhttpd.conf
.Enter
yes
to change directory ownership; pressEnter
to accept the default,no
.Change ownership of created directories using User and Group settings in httpd.conf [ q or 'ctrl+c' to exit ] (yes/no): [no]:yes
Failure to set permissions causes issues, such as the Apache HTTP Server not starting up, getting a blank page when accessing a protected resource, or the web agent generating errors during log file rotation.
-
Enter the full path to an existing agent configuration file to import the settings, or press
Enter
to skip the import.The installer can import settings from an existing Web Agent on the new installation and skip prompts for values present in the existing configuration file. You are required to re-enter the agent profile password.
To set properties from an existing configuration enter path to file [ q or 'ctrl+c' to exit, return to ignore ] Existing agent.conf file:
-
Enter the full URL for the AM instance that the agent will use, including the deployment URI.
If a reverse proxy is configured between AM and the agent, set the AM URL to the proxy URL, for example, https://proxy.example.com:443/am
. For information about setting up an environment for reverse proxies, refer to Configure Apache HTTP Server as a reverse proxy.Enter the URL where the AM server is running. Please include the deployment URI also as shown below: (http://am.sample.com:58080/am) [ q or 'ctrl+c' to exit ] AM server URL:http://am.example.com:8080/am
-
Enter the full URL for the Agent.
Enter the Agent URL as shown below: (http://agent.sample.com:1234) [ q or 'ctrl+c' to exit ] Agent URL:http://www.example.com:80
-
Enter the name of the agent profile created in AM.
Enter the Agent profile name [ q or 'ctrl+c' to exit ] Agent Profile name: web-agent
-
Enter the agent profile realm. Realms are case-sensitive.
Enter the Agent realm/organization [ q or 'ctrl+c' to exit ] Agent realm/organization name: [/]:/
-
Enter the full path to the file containing the agent profile password created earlier.
Enter the path to a file that contains the password to be used for identifying the Agent [ q or 'ctrl+c' to exit ] The path to the password file:/secure-directory/pwd.txt
-
The installer displays a summary of the specified configuration settings.
If a setting is incorrect, type
no
, or pressEnter
. The installer loops through the configuration prompts again, using your provided settings as the default. PressEnter
to accept each one, or enter a replacement setting.If the settings are correct, type
yes
to proceed with installation.Installation parameters: AM URL: http://am.example.com:8080/am Agent URL: http://www.example.com:80 Agent Profile name: web-agent Agent realm/organization name: / Agent Profile password source: /secure-directory/pwd.txt Confirm configuration (yes/no): [no]:yes Validating… Validating… Success. Cleaning up validation data… Creating configuration… Installation complete.
On successful completion, the installer adds the agent as a module to the Apache configuration file, in this example,
/etc/httpd/conf/httpd.conf
.The backup configuration file is in the configuration file with the installation datestamp:
http.conf_amagent_yyyymmddhhmmss
.
-
-
(Unix only) Ensure the user or group running the Apache HTTP server has the appropriate permissions on the following directories:
-
Read permission:
/web_agents/apache24_agent/lib
-
Read and write permission:
-
/web_agents/apache24_agent/instances/agent_nnn
-
/web_agents/apache24_agent/log
-
-
Execute permission to validate an installation by using the agentadmin --V[i] command:
-
/web_agents/apache24_agent/instances/agent_nnn
-
/web_agents/apache24_agent/log
-
To determine which user or group is running the Apache HTTP server, check the
Group
andUser
directives in the Apache HTTP server configuration file,httpd.conf
. When permission are incorrect, the following errors can occur:-
Apache HTTP doesn’t start up
-
Access to a protected resource returns a blank page
-
The agent generates errors during log file rotation
The same issues can occur if SELinux is enabled in enforcing
mode, and not configured to allow access to agent directories. For more information, refer to Troubleshooting.
-
-
Start the Apache HTTP Server.
-
Check the installation, as described in Check the Apache Web Agent installation.
Install Apache Web Agent on a virtual host
Web Agent instances can be configured to operate with multiple virtual hosts in Apache. Each configuration instance is independent and has its own configuration file, debug logs, and audit logs. Each instance can connect to a different AM realm, or even different AM servers.
Complete the following procedures to install Web Agent 2023.3 on Apache virtual hosts.
Installing on an Apache virtual host is a manual process, which involves copying
an instance directory created by the agentadmin
installer and adding
to the Apache configuration file of the virtual host.
Perform the following steps to create the configuration required to install a web agent on an Apache virtual host:
-
Install a web agent in the default root configuration of the Apache installation. For more information, refer to Install Apache Web Agent
-
Create an agent profile in AM. For more information, refer to Creating Agent Profiles.
-
Create at least one policy in AM to protect resources on the virtual host, as described in the procedure Configuring policies.
This procedure assumes you have installed a web agent on the default root
configuration of your Apache installation, with configuration in
/web_agents/apache24_agent/instances/agent_1
.
To install on a virtual host, copy this configuration folder, modify required settings, and enable the web agent in the virtual host configuration file.
-
Review the information in Before you install, and perform the steps in Preinstallation tasks.
-
Shut down the Apache HTTP Server where you plan to install the agent.
-
Locate the web agent configuration instance to duplicate, and make a copy, for example
agent_2
: -
Give the user that runs the virtual host modify privileges to the new instance folder. The following examples demonstrate giving privileges to the
agent_2
configuration instance to a user named apache: -
In the new instance folder, edit the
/config/agent.conf
configuration file as follows:-
Set the value of
com.sun.identity.agents.config.username
to name of the agent profile you created in AM for the virtual host. -
Configure the virtual host’s web agent encryption key and password. Consider the following scenarios and choose the one that suits your environment best:
-
Scenario 1: The password of the virtual host’s agent profile is the same as the password of the Apache root’s agent profilefootnote:[
The Apache root’s profile refers to the web agent installation you performed as part of the prerequisites to install web agents on virtual hosts.].
The encryption key and encryption password of the Apache root’s agent and the virtual host’s agent must match. Because you copied the configuration file, you do not need to perform any additional action.
-
Scenario 2: The password of the virtual host’s agent profile is different from the password of the Apache root’s agent profile.(The Apache root’s profile refers to the web agent installation you performed as part of the prerequisites to install web agents on virtual hosts.)
You need to generate a new encryption key and encrypt the new password before configuring them in the virtual host’s agent profile. Perform the following steps:
-
Generate a new encryption key by running the
agentadmin
command with the--k
option. For example:$ agentadmin --k Encryption key value: YWM…5Nw==
-
Unix users only: Store the agent profile password in a file, for example,
newpassword.file
. -
Encrypt the agent’s profile password with the encryption key by running the
agentadmin
command with the--p
option. -
In the virtual host’s
agent.conf
file, set the following properties:-
com.sun.identity.agents.config.key
. Its value is the generated encryption key. For example:com.sun.identity.agents.config.key = YWM...5Nw==
-
com.sun.identity.agents.config.password
. Its value is the encrypted password. For example:com.sun.identity.agents.config.password = 07b...dO4=
-
-
-
-
Replace any references to the original instance directory with the new instance directory. For example, replace the string
agent_1
withagent_2
wherever it occurs in the configuration file.Configuration options that are likely to require changes include:
-
Replace any references to the original website being protected with the new website being protected. For example, replace
http://www.example.com:80/amagent
withhttp://customers.example.com:80/amagent
.Configuration options that are likely to require changes include:
-
Save and close the configuration file.
-
-
Edit the Apache configuration file. This is the same file specified when installing the web agent on the default Apache website. For example,
/etc/httpd/conf/httpd.conf
.-
At the end of the file the installer will have added three new lines of settings, for example:
LoadModule amagent_module /web_agents/apache24_agent/lib/mod_openam.so AmAgent On AmAgentConf /web_agents/apache24_agent/bin/../instances/agent_1/config/agent.conf
Leave the first line,
LoadModule …
, and move the other two lines on the virtual host configuration element of the default site, for example:<VirtualHost *:80> # This first-listed virtual host is also the default for *:80 ServerName www.example.com ServerAlias example.com DocumentRoot "/var/www/html" AmAgent On AmAgentConf /web_agents/apache24_agent/instances/agent_1/config/agent.conf </VirtualHost>
-
Copy the same two lines on the new virtual host, and replace
agent_1
with the new agent configuration instance folder, for exampleagent_2
:<VirtualHost *:80> ServerName customers.example.com DocumentRoot "/var/www/customers" AmAgent On AmAgentConf /web_agents/apache24_agent/instances/agent_2/config/agent.conf </VirtualHost>
If the new virtual host configuration is in a separate file, copy the two configuration lines on the VirtualHost
element within that file.
-
-
Save and close the Apache configuration file.
-
(Unix only) Ensure the user or group running the Apache HTTP server has the appropriate permissions on the following directories:
-
Read permission:
/web_agents/apache24_agent/lib
-
Read and write permission:
-
/web_agents/apache24_agent/instances/agent_nnn
-
/web_agents/apache24_agent/log
-
-
Execute permission to validate an installation by using the agentadmin --V[i] command:
-
/web_agents/apache24_agent/instances/agent_nnn
-
/web_agents/apache24_agent/log
-
To determine which user or group is running the Apache HTTP server, check the
Group
andUser
directives in the Apache HTTP server configuration file,httpd.conf
. When permission are incorrect, the following errors can occur:-
Apache HTTP doesn’t start up
-
Access to a protected resource returns a blank page
-
The agent generates errors during log file rotation
The same issues can occur if SELinux is enabled in enforcing
mode, and not configured to allow access to agent directories. For more information, refer to Troubleshooting.
-
-
Start the Apache HTTP Server.
-
Check the installation, as described in Check the Apache Web Agent Installation.
Install Apache Web Agent silently
Use the agentadmin --s
command for silent installation.
For information about the options, refer to
agentadmin command.
-
Review the information in Before you install, and perform the steps in Preinstallation tasks.
-
Shut down the Apache HTTP Server where you plan to install the agent.
-
Make sure AM is running.
-
Run the
agentadmin --s
command with the required arguments. For example:$ sudo agentadmin --s \ "/etc/httpd/conf/httpd.conf" \ "http://am.example.com:8080/am" \ "http://www.example.com:80" \ "/" \ "webagent4" \ "/secure-directory/pwd.txt" \ --changeOwner \ --acceptLicence Web Agent for Apache Server installation. Validating… Validating… Success. Cleaning up validation data… Creating configuration… Installation complete.
-
(Unix only) Ensure the user or group running the Apache HTTP server has the appropriate permissions on the following directories:
-
Read permission:
/web_agents/apache24_agent/lib
-
Read and write permission:
-
/web_agents/apache24_agent/instances/agent_nnn
-
/web_agents/apache24_agent/log
-
-
Execute permission to validate an installation by using the agentadmin --V[i] command:
-
/web_agents/apache24_agent/instances/agent_nnn
-
/web_agents/apache24_agent/log
-
To determine which user or group is running the Apache HTTP server, check the
Group
andUser
directives in the Apache HTTP server configuration file,httpd.conf
. When permission are incorrect, the following errors can occur:-
Apache HTTP doesn’t start up
-
Access to a protected resource returns a blank page
-
The agent generates errors during log file rotation
The same issues can occur if SELinux is enabled in enforcing
mode, and not configured to allow access to agent directories. For more information, refer to Troubleshooting.
-
-
Start the Apache HTTP Server.
-
Check the installation, as described in Check the Apache Web Agent Installation.
Check the Apache Web Agent installation
-
After you start Apache HTTP Server, check the error log to make sure startup completed successfully:
[Tue Sep …] AH00163: Apache/2.4.6 (CentOS) Web Agent/2023.3 configured — resuming normal operations
-
Make an HTTP request to a resource protected by the agent, then check the
/web_agents/apache24_agent/log/system_0.log
file to verify that no errors occurred on startup. The log should contain a message similar to this:[0x7fb89e7a6700:22]: Web Agent Version: 2023.3 Revision: ab12cde, Container: Apache 2.4 Linux 64bit (Centos6), Build date: Mar …
-
(Optional) If you have a policy configured, test that the agent is processing requests. For example, make an HTTP request to a resource protected by the agent, and check that you are redirected to {am.abbr} to authenticate. After authentication, AM redirects you back to the resource you tried to access.
Install in a subrealm
Examples in this document install the agent in the top-level realm. To install the agent in a subrealm during interactive or silent installation, use the subrealm during the installation or in the response file.
For example, instead of:
Agent realm/organization name: [/]: /
specify:
Agent realm/organization name: [/]: /myrealm
Even though the agent is installed in a subrealm, the default login redirect requires the user realm to be the top-level realm. For information about how to change the user realm, refer to Login redirect.
Configure error logs
Edit the Apache HTTP server configuration file httpd.conf
to cause
the agent error logs to appear in the Apache log system.
The following line, present by default in httpd.conf
, logs warning
conditions for the container:
LogLevel warn
The following example line includes the agent error logs at debug-level:
LogLevel warn amagent:debug
Install the IIS Web Agent
Web Agent instances can be configured to operate with multiple websites in IIS. Each configuration instance is independent and has its own configuration file, debug logs, and audit logs. Each instance can connect to a different AM realm, or even different AM servers.
Consider the following points:
-
Web Agent requires IIS to be run in Integrated mode.
-
A Web Agent configured for a site or parent application protects any application configured within. The same is true for protected applications containing applications within.
Consider the following restrictions:
-
Agents configured in a site or parent application do not protect children applications that do not inherit the parent’s IIS configuration.
-
Agents configured for a site or parent application running under a 64-bit pool do not protect child applications running under 32-bit pools due to architectural differences; 32-bit applications cannot load 64-bit web agent libraries and, therefore, will not be protected.
The same is true for the opposite scenario.
In this case, the child applications require their own web agent installation, as explained in the next item of this list. Both 32-bit and 64-bit agent libraries are supplied with the IIS Web Agent binaries.
-
If an application requires a specific web agent configuration or, for example, the application is a 32-bit application configured within a 64-bit site, follow the procedures in this section to create a new web agent instance for it. Configuring a web agent on an application overrides the application’s parent web agent configuration, if any.
Install Web Agent on the child application before installing it in the parent. Trying to install an agent on a child that is already protected results in error. -
You can disable the agent protection at any level of the IIS hierarchy, with the following constraints:
-
Disabling the agent in a parent application disables the protection on all children applications that do not have a specific agent instance installed on them.
-
Disabling the agent in a child application does not disable protection on its parent application.
-
-
Agents require that the Application Development component is installed alongside the core IIS services. Application Development is an optional component of the IIS web server. The component provides required infrastructure for hosting web applications.
Figure 1. Adding the application development component to IIS
Install IIS Web Agent interactively
-
Review the information in Before you install, and perform the steps in Preinstallation tasks.
-
Log on to Windows as a user with administrator privileges.
-
Make sure AM is running.
-
Run
agentadmin.exe
with the--i
switch to install the agent.c:\> cd web_agents\iis_agent\bin c:\web_agents\iis_agent\bin> agentadmin.exe --i
You are prompted to read and accept the software license agreement for the agent installation.
-
When prompted, enter information for your deployment.
To cancel the installation at any time, press CTRL-C
.-
Choose the site and application in which to install the web agent.
The
agentadmin
command reads the IIS server configuration and converts the IIS hierarchy into an ID composed of three values separated by the dot (.
) character:-
The first value specifies an IIS site. The number
1
specifies the first site in the server. -
The second value specifies an application configured in an IIS site. The number
1
specifies the first application in the site. -
The third value specifies an internal value for the web agent.
The following is an example IIS server configuration read by the
agentadmin
command:IIS Server Site configuration: ==================================== id details ==================================== Default Web Site application path:/, pool DefaultAppPool 1.1.1 virtualDirectory path:/, configuration: C:\inetpub\wwwroot\web.config MySite application path:/, pool: MySite 2.1.1 virtualDirectory path:/, configuration C:\inetpub\MySite\web.config application path:/MyApp1, pool: MySite 2.2.1 virtualDirectory path:/ configuration C:\inetpub\MySite\MyApp1\web.config application path:/MyApp1/MyApp2, pool: MySite 2.3.1 virtualDirectory path:/ configuration C:\inetpub\MySite\MyApp1\MyApp2\web.config Enter IIS Server Site identification number. [ q or 'ctrl+c' to exit ] Site id: 2.1.1
-
ID
2.1.1
corresponds to the first application,/
configured in a second IIS site,MySite
. You would choose this ID to install the web agent at the root of the site. -
ID
2.2.1
corresponds to a second application,MyApp1
, configured in a second IIS site,MySite
. You would choose this ID to install the web agent in theMyApp1
application. -
ID
2.3.1
corresponds to a child application,MyApp1/MyApp2
, configured in the second application,MyApp1
, configured in a second IIS site,MySite
. You would choose this ID to install the web agent in the sub-application,MyApp1/MyApp2
.
-
-
The installer can import settings from an existing web agent on the new installation and skips prompts for any values present in the existing configuration file. You will be required to re-enter the agent profile password.
Enter the full path to an existing agent configuration file to import the settings, or press
Enter
to skip the import.To set properties from an existing configuration enter path to file [ q or 'ctrl+c' to exit, return to ignore ] Existing agent.conf file:
-
Enter the full URL of the AM instance the web agents will be using. Ensure the deployment URI is specified.
If a reverse proxy is configured between AM and the agent, set the AM URL to the proxy URL, for example, https://proxy.example.com:443/am
. For information about setting up an environment for reverse proxies, refer to Configure Apache HTTP Server as a reverse proxy.Enter the URL where the AM server is running. Please include the deployment URI also as shown below: (http://am.sample.com:58080/am) [ q or 'ctrl+c' to exit ] AM server URL: https://am.example.com:8443/am
-
Enter the full URL of the site the agent will be running in.
Enter the Agent URL as shown below: (http://agent.sample.com:1234) [ q or 'ctrl+c' to exit ] Agent URL: http://customers.example.com:80
-
Enter the name given to the agent profile created in AM.
Enter the Agent profile name [ q or 'ctrl+c' to exit ] Agent Profile name: iisagent
-
Enter the agent profile realm. Realms are case-sensitive.
Enter the Agent realm/organization [ q or 'ctrl+c' to exit ] Agent realm/organization name: [/]: /
-
Enter the full path to the file containing the agent profile password created earlier.
Enter the path to a file that contains the password to be used for identifying the Agent [ q or 'ctrl+c' to exit ] The path to the password file: c:\pwd.txt
-
The installer displays a summary of the configuration settings you specified.
If a setting is incorrect, type
no
, or pressEnter
. The installer loops through the configuration prompts using your provided settings as the default. PressEnter
to accept each one, or enter a replacement setting.If the settings are correct, type
yes
to proceed with installation.Installation parameters: AM URL: https://am.example.com:8443/am Agent URL: http://customers.example.com:80 Agent Profile name: iisagent Agent realm/organization name: / Agent Profile password source: c:\pwd.txt Confirm configuration (yes/no): [no]: yes Validating… Validating… Success. Cleaning up validation data… Creating configuration… Installation complete.
On successful completion, the installer adds the agent as a module to the IIS site configuration.
The installer grants full access permissions on the created instance folder to the user that the selected IIS site is running under, so that log files can be written correctly. Each agent instance has a numbered configuration and logs directory. The first agent configuration and logs are located in
web_agents\iis_agent\instances\agent_1\
.
-
-
Ensure the application pool identity related to the IIS site has the appropriate permissions on the following agent installation folders:
-
\web_agents\iis_agent\lib
-
\web_agents\iis_agent\log
-
\web_agents\iis_agent\instances\agent_nnn
To change the ACLs for files and folders related to the agent instance, run the
agentadmin --o
command. For example:C:\web_agents\iis_agent\bin>agentadmin.exe --o "ApplicationPoolIdentity1" "C:\web_agents\iis_agent\lib"
For more information, refer to agentadmin command.
When permissions are not set correctly, errors such as getting a blank page when accessing a protected resource can occur.
-
-
If you installed Web Agent in an application, set CDSSO Redirect URI to the application path, as follows:
-
Go to REALMS > Realm Name > Agents > Web > Agent Name > SSO > Cross Domain SSO.
-
Add the application path to the default value of CDSSO Redirect URI. For example, if you installed Web Agent in an application such as
MyApp1/MyApp2
, set the property toMyApp1/MyApp2/agent/cdsso-oauth2
. -
Save your changes.
-
Install IIS Web Agent silently
Use the agentadmin --s
command for silent installation.
For information about the options, refer to
agentadmin command.
-
Review the information in Before you install, and perform the steps in Preinstallation tasks.
-
Make sure AM is running.
-
Run the
agentadmin --s
command with the required arguments. For example:c:\web_agents\iis_agent\bin> agentadmin.exe --s ^ "2.1.1" ^ "https://am.example.com:8443/am" ^ "http://iis.example.com:80" ^ "/" ^ "iisagent" ^ "c:\pwd.txt" ^ --acceptLicence AM Web Agent for IIS Server installation. Validating… Validating… Success. Cleaning up validation data… Creating configuration… Installation complete.
-
Ensure the application pool identity related to the IIS site has the appropriate permissions on the following agent installation folders:
-
\web_agents\iis_agent\lib
-
\web_agents\iis_agent\log
-
\web_agents\iis_agent\instances\agent_nnn
To change the ACLs for files and folders related to the agent instance, run the
agentadmin --o
command. For example:C:\web_agents\iis_agent\bin>agentadmin.exe --o "ApplicationPoolIdentity1" "C:\web_agents\iis_agent\lib"
For more information, refer to agentadmin command.
When permissions are not set correctly, errors such as getting a blank page when accessing a protected resource can occur.
-
-
(Optional) If you installed the agent in a parent application, enable it for its child applications by following the steps in Disable and enable agent protection for child applications.
Enable and disable IIS Web Agent
Disable and enable Web Agent on an IIS site or application
The agentadmin
command shows only instances of the web agent; to
enable or disable the protection of children applications, refer to
Disable and enable agent protection for child applications.
-
Log on to Windows as a user with administrator privileges.
-
Run
agentadmin.exe --l
to output a list of the installed web agent configuration instances.c:\web_agents\iis_agent\bin> agentadmin.exe --l AM Web Agent configuration instances: id: agent_1 configuration: c:\web_agents\iis_agent\bin\..\instances\agent_1 server/site: 2.2.1
Make a note of the ID value of the configuration instance you want to disable or enable.
-
Perform one of the following steps:
-
To disable the web agent in a site, run
agentadmin.exe --d
, and specify the ID of the web web agent configuration instance to disable.c:\web_agents\iis_agent\bin> agentadmin.exe --d agent_1 Disabling agent_1 configuration… Disabling agent_1 configuration… Done.
-
To enable the web agent in a site, run
agentadmin.exe --e
, and specify the ID of the web agent configuration instance to enable.c:\web_agents\iis_agent\bin> agentadmin.exe --e agent_1 Enabling agent_1 configuration… Enabling agent_1 configuration… Done.
-
Disable and enable agent protection for child applications
-
Edit the child application’s
web.config
configuration. -
Decide whether to enable or disable web agent protection:
-
To disable agent protection, add the following lines to the child application’s
web.config
file:<OpenAmModule enabled="false" configFile="C:\web_agents\iis_agent\instances\agent_1\config\agent.conf" /> <modules> <add name="OpenAmModule64" preCondition="bitness64" /> </modules>
Note that the path specified in
configFile
may be different for your environment. -
To enable agent protection, understand that web agents configured in a site or parent application also protect any applications that are inheriting the IIS configuration from that site or parent.
If you have disabled the agent’s protection for a child application by following the steps in this procedure, remove the lines added to the
web.config
file to enable protection again.
-
Enable support for IIS basic authentication and password replay
The IIS web agent now supports IIS basic authentication and password replay. You must use the appropriate software versions.
Given the proper configuration and with Active Directory as a user data store for AM, the IIS web agent can provide access to the IIS server variables. The instructions for configuring the capability follow in this section, though you should read the section in full, also paying attention to the required workarounds for Microsoft issues.
When configured as described, the web agent requests IIS server variable values from AM, which gets them from Active Directory. The web agent then sets the values in HTTP headers so that they can be accessed by your application.
The following IIS server variables all take the same value when set:
REMOTE_USER
, AUTH_USER
, and login_USER
. The agent either sets all
three, or does not set any of them.
When Logon and Impersonation is enabled, the agent performs Windows login and sets the user impersonation token in the IIS session context.
When
Show Password in HTTP Header
is enabled, the agent adds the password in the USER_PASSWORD
header.
The agent does not modify any other IIS server variables related to the authenticated user’s session.
The agent requires that IIS runs in Integrated mode. Consider the following points for integration with additional Microsoft products:
-
For Microsoft Office integration, you must use Microsoft Office 2007 SP2 or later.
-
For Microsoft SharePoint integration, you must use Microsoft SharePoint Server 2007 SP2 or later.
Microsoft issues
Apply workarounds for the following Microsoft issues:
- Microsoft support issue: 841215
-
Link: http://support.microsoft.com/kb/841215
Description: Error message when you try to connect to a Windows SharePoint document library: "System error 5 has occurred".
Summary: Enable Basic Authentication on the client computer.
- Microsoft support issue: 870853
-
Link: http://support.microsoft.com/kb/870853
Description: Office 2003 and 2007 Office documents open read-only in Internet Explorer.
Summary: Add registry keys as described in Microsoft’s support document.
- Microsoft support issue: 928692
-
Link: http://support.microsoft.com/kb/928692
Description: Error message when you open a Web site by using Basic authentication in Expression Web on a computer that is running Windows Vista: "The folder name is not valid".
Summary: Edit the registry as described in Microsoft’s support document.
- Microsoft support issue: 932118
-
Link: http://support.microsoft.com/kb/932118
Description: Persistent cookies are not shared between Internet Explorer and Office applications.
Summary: Add the website the list of trusted sites.
- Microsoft support issue: 943280
-
Link: http://support.microsoft.com/kb/943280
Description: Prompt for Credentials When Accessing FQDN Sites From a Windows Vista or Windows 7 Computer.
Summary: Edit the registry as described in Microsoft’s support document.
- Microsoft support issue: 968851
-
Link: http://support.microsoft.com/kb/968851
Description: SharePoint Server 2007 Cumulative Update Server Hotfix Package (MOSS server-package): April 30, 2009.
Summary: Apply the fix from Microsoft if you use SharePoint.
- Microsoft support issue: 2123563
-
Link: http://support.microsoft.com/kb/2123563
Description: You cannot open Office file types directly from a server that supports only Basic authentication over a non-TLS connection.
Summary: Enable TLS communications on the web server.
To Configure IIS basic authentication and password replay support
-
Use the
openssl
tool to generate a suitable encryption key:$ openssl rand -base64 32 e63…sw=
-
In the AM admin UI, go to Deployment > Servers > Server Name > Advanced, and then add a property
com.sun.am.replaypasswd.key
with the encryption key you generated in a previous step as the value. -
Go to REALMS > Realm Name > Authentication > Settings > Post Authentication Processing, and in Authentication Post Processing Classes, add the class
com.sun.identity.authentication.spi.ReplayPasswd
. -
Restart AM.
-
In the AM admin UI go to REALMS > Realm Name > Applications > Agents > Web > Agent Name > Advanced
-
In Replay Password Key, enter the encryption key generated in a previous step.
-
For Windows login for user token impersonation, enable Logon and Impersonation.
-
Save your changes.
-
-
(Optional) To set the encrypted password in the IIS
AUTH_PASSWORD
server variable, go to REALMS > Realm Name > Applications > Agents > Web > Agent Name > Advanced, and enable Show Password in HTTP Header. -
(Optional) If you require Windows login, or you need to use basic authentication with SharePoint or OWA, then you must do the following so that the agent requests AM to provide the appropriate account information from Active Directory in its policy response:
-
Configure Active Directory as a user data store
-
Configure the IIS web agent profile User ID Parameter and User ID Parameter Type.
Skip this step if you do not use SharePoint or OWA and no Windows login is required.
Make sure the AM data store is configured to use Active Directory as the user data store.
In the AM admin UI under REALMS > Realm Name > Applications > Agents > Web > Agent Name > AM Services, set User ID Parameter and User ID Parameter Type.
For example, if the real username for Windows domain login in Active Directory is stored on the
sAMAccountName
attribute, then set the User ID Parameter tosAMAccountName
, and the User ID Parameter Type toLDAP
.Setting User ID Parameter Type to
LDAP
causes the web agent to request that AM get the value of the User ID Parameter attribute from the data store, in this case, Active Directory. Given that information, the agent can set the HTTP headersREMOTE_USER
,AUTH_USER
, orlogin_USER
andUSER_PASSWORD
with Active Directory attribute values suitable for Windows login, setting the remote user, and so forth.
-
-
(Optional) To access Microsoft Office from SharePoint pages, configure AM to persist the authentication cookie. For information, refer to "Persistent cookie module" or "Persistent cookie decision node in AM’s Authentication and SSO guide.
Install in a subrealm
Examples in this document install the agent in the top-level realm. To install the agent in a subrealm during interactive or silent installation, use the subrealm during the installation or in the response file.
For example, instead of:
Agent realm/organization name: [/]: /
specify:
Agent realm/organization name: [/]: /myrealm
Even though the agent is installed in a subrealm, the default login redirect requires the user realm to be the top-level realm. For information about how to change the user realm, refer to Login redirect.
Install NGINX Plus Web Agent
Examples use the NGINX Plus R25 agent path. For other supported versions, replace the R25 agent path with the required version. For information about supported versions of NGINX, refer to Other requirements.
Note that SELinux can prevent the web server from accessing agent libraries and the agent from being able to write to audit and debug logs. See Troubleshooting.
Install NGINX Plus Web Agent interactively
-
Review the information in Before you install, and perform the steps in Preinstallation tasks.
-
Shut down the server where you plan to install the agent.
-
Make sure AM is running.
-
Run the
agentadmin --i
command to install the agent:$ cd /web_agents/nginx25_agent/bin/ $ ./agentadmin --i
You are asked to read and accept the software license agreement for the agent installation.
-
When prompted, enter information for your deployment.
To cancel the installation at any time, press CTRL-C
.-
Enter the full path to the NGINX Plus server configuration file,
nginx.conf
:Enter the complete path to your NGINX server configuration file [ q or 'ctrl+c' to exit ] [nginx.conf]:/etc/nginx/nginx.conf
-
The installer can import settings from an existing web agent to the new installation and skips prompts for any values present in the existing configuration file. You will be required to re-enter the agent profile p assword.
Enter the full path to an existing agent configuration file to import the settings, or press
Enter
to skip the import:To set properties from an existing configuration enter path to file [ q or 'ctrl+c' to exit, return to ignore ] Existing OpenSSOAgentBootstrap.properties file:
-
Enter the full URL of the AM instance that the agent should connect to:
If a reverse proxy is configured between AM and the agent, set the AM URL to the proxy URL, for example, https://proxy.example.com:443/am
. For information about setting up an environment for reverse proxies, refer to Configure Apache HTTP Server as a reverse proxy.Enter the URL where the AM server is running. Please include the deployment URI also as shown below: (http://am.sample.com:58080/am) [ q or 'ctrl+c' to exit ] AM server URL:https://am.example.com:8443/am
-
Enter the full URL of the server the agent is running on.
Enter the Agent URL as shown below: (http://agent.sample.com:1234) [ q or 'ctrl+c' to exit ] Agent URL:\http://www.example.com:80
-
Enter the name of the agent profile created in AM:
Enter the Agent profile name [ q or 'ctrl+c' to exit ] Agent Profile name:nginx_agent
-
Enter the agent profile realm. Realms are case-sensitive:
Enter the Agent realm/organization [ q or 'ctrl+c' to exit ] Agent realm/organization name: [/]:/
-
Enter the full path to the file containing the agent profile password created in the prerequisites:
Enter the path to a file that contains the password to be used for identifying the Agent [ q or 'ctrl+c' to exit ] The path to the password file:/secure-directory/pwd.txt
-
The installer displays a summary of the configuration settings you specified.
If a setting is incorrect, type
no
, or pressEnter
. The installer loops through the configuration prompts again, using your provided settings as the default. PressEnter
to accept each one, or enter a replacement setting.If the setting is correct, type
yes
to proceed with installation:Installation parameters: AM URL: https://am.example.com:8443/am Agent URL: http://www.example.com:80 Agent Profile name: nginx_agent Agent realm/organization name: / Agent Profile password source: /secure-directory/pwd.txt Confirm configuration (yes/no): [no]: yes Validating… Validating… Success. Cleaning up validation data… Creating configuration… In order to complete the installation of the agent, update the configuration file /etc/nginx/nginx.conf if this is the first agent in the installation, please insert the following directives into the top section of the NGINX configuration load_module /web_agents/nginx25_agent/lib/openam_ngx_auth_module.so; then insert the following directives into the server or location NGINX configuration sections that you wish this agent to protect: openam_agent on; openam_agent_configuration /web_agents/nginx25_agent/instances/agent_1/config/agent.conf; Please ensure that the agent installation files have read/write permissions for the NGINX server’s user Please press any key to continue. Installation complete.
Each agent instance has a numbered configuration and logs directory. The first agent configuration and logs are located in
/web_agents/nginx25_agent/instances/agent_1/
.
-
-
Finish installation as described in Complete the NGINX Plus Web Agent Installation.
Install NGINX Plus Web Agent silently
Use the agentadmin --s
command for silent installation.
For information about the options, refer to
agentadmin command.
-
Review the information in Before you install, and perform the steps in Preinstallation tasks.
-
Shut down the server where you plan to install the agent.
-
Make sure AM is running.
-
Run the
agentadmin --s
command with the required arguments. For example:$ agentadmin --s \ "/etc/nginx/nginx.conf" \ "https://am.example.com:8443/am" \ "http://www.example.com:80" \ "/" \ "nginx_agent" \ "/secure-directory/pwd.txt" \ --acceptLicence Web Agent for NGINX Server installation. Validating… Validating… Success. Cleaning up validation data… Creating configuration… In order to complete the installation of the agent, update the configuration file /etc/nginx/nginx.conf if this is the first agent in the installation, please insert the following directives into the top section of the NGINX configuration load_module /web_agents/nginx25_agent/lib/openam_ngx_auth_module.so; then insert the following directives into the server or location NGINX configuration sections that you wish this agent to protect: openam_agent on; openam_agent_configuration /web_agents/nginx25_agent/instances/agent_3/config/agent.conf; Please ensure that the agent installation files have read/write permissions for the NGINX server’s user Please press any key to continue.
-
Finish the installation as described in Complete the NGINX Plus Web Agent Installation.
Complete the NGINX Plus Web Agent installation
After interactive or silent installation, following these steps to complete the installation.
-
Edit the NGINX Plus server configuration file
nginx.conf
to load the web agent moduleopenam_ngx_auth_module.so
, if it is not already configured:$ vi nginx.conf user nginx; worker_processes auto; error_log /var/log/nginx/error.log notice; pid /var/run/nginx.pid; load_module /web_agents/nginx25_agent/lib/openam_ngx_auth_module.so;…
-
Edit the NGINX Plus server configuration file containing the context you want to protect and add web agent directives to it. The following directives are supported:
openam_agent [on | off]
-
Controls if an agent instance is
on
oroff
for a particularhttp
,server
, orlocation
context.Set to
on
for a context to protect it and its contents. If a context already protected requires a specific web agent configuration, follow the procedures in this section again to create a new web agent instance for it. The installer will configure the next available web agent instance, for example,agent_2
.Set to
off
for a context to disable the web agent protection for that context and its contents. If the context has a parent, disabling the directive does not affect the protection for the parent.Example 1server { listen 80 default_server; server_name localhost; openam_agent on; openam_agent_configuration /web_agents/nginx25_agent/instances/agent_1/config/agent.conf; #charset koi8-r; #access_log /var/log/nginx/log/host.access.log main; location / { root /www/; index index.html index.htm; } location /customers { openam_agent on; openam_agent_configuration /web_agents/nginx25_agent/instances/agent_2/config/agent.conf; root /www/customers index index.html } location /market { root /www/marketplace index index.html } }
The web agent instance
agent_1
configured at theserver
context is protecting the/
and/market`location
contexts. Thelocation
context/customers
is protected by a second web agent instance,agent_2
.Example 2server { listen 80 default_server; server_name localhost; openam_agent on; openam_agent_configuration /web_agents/nginx25_agent/instances/agent_1/config/agent.conf; #charset koi8-r; #access_log /var/log/nginx/log/host.access.log main; location / { root /www/; index index.html index.htm; } location /customers { openam_agent off root /www/customers index index.html } location /market { root /www/marketplace index index.html } }
The agent instance
agent_1
is protecting theserver
context and the/
and/market`location
contexts. Protection is disabled for the/customers`location
context.
-
Ensure the user or group running the NGINX Plus server has the appropriate permissions over the following directories:
-
Read Permission:
/web_agents/nginx25_agent/lib
-
Read and Write Permission:
-
/web_agents/nginx25_agent/instances/agent_nnn
-
/web_agents/nginx25_agent/log
Apply execute permissions on the folders listed above, recursively, for the user that runs the NGINX Plus server.
To determine which user or group is running the NGINX Plus server, check the
User
directive in the NGINX Plus server configuration file.Failure to set permissions causes issues, such as the NGINX Plus server not starting up, getting a blank page when accessing a protected resource, or the web agent generating errors during log file rotation.
You may see the same issues if SELinux is enabled in enforcing
mode and it is not configured to allow access to agent directories. For more information, refer to Troubleshooting.
-
-
-
Start the server.
The NGINX Plus server only sets the REMOTE_USER
variable if the request contains an HTTP Authorization header, but the NGINX agent does not set an an HTTP Authorization header after the user has authenticated. Therefore, if you need to set the variable so CGI scripts can use it, configure the agent to create a custom header with the required attribute and then configure the NGINX Plus server to capture that header and convert it into theREMOTE_USER
variable.
Check the NGINX Web Agent installation
-
After you start the server, check the server error log to make sure startup completed successfully:
2021… [info] 31#31: agent worker startup complete
-
Make an HTTP request to a resource protected by the agent, then check the
/web_agents/nginx23_agent/log/system_0.log
file to verify that no startup errors occurred:Web Agent Version: 2023.3 Revision: ab12cde, Container: NGINX Plus 23 Linux 64bit (Ubuntu20), Build date: …
-
(Optional) If you have a policy configured, test that the agent is processing requests. For example, make an HTTP request to a resource protected by the agent, and check that you are redirected to {am.abbr} to authenticate. After authentication, AM redirects you back to the resource you tried to access.
Install in a subrealm
Examples in this document install the agent in the top-level realm. To install the agent in a subrealm during interactive or silent installation, use the subrealm during the installation or in the response file.
For example, instead of:
Agent realm/organization name: [/]: /
specify:
Agent realm/organization name: [/]: /myrealm
Even though the agent is installed in a subrealm, the default login redirect requires the user realm to be the top-level realm. For information about how to change the user realm, refer to Login redirect.