OpenSSO Sharepoint 2010 Policy Agent Installation

Install the Web Policy Agent

Installing the policy agent for Sharepoint Server involves taking the following steps:

  1. Create the Web Agent Profile.
  2. Create the Password File.
  3. Configure Policy Agent Installation.
  4. Install the Policy Agent.
  5. Generate the Replay Password.
  6. Configure OpenSSO Agent and Server with the Replay Password.
  7. Configure IIS7 for Basic Authentication.
  8. Create OpenSSO Policy.

Create the Web Agent Profile

The agent requires a profile so that it can connect to and communicate with OpenSSO.

In the OpenSSO console, browse to Access Control -> Realm Name -> Agents -> Web and then click the New... button in the Agent section of the page.


Complete the web form as follows:

Name
The name for the agent profile used to install the agent

Password
Password the agent uses to authenticate to OpenSSO

Configuration
Centralized configurations are stored in the OpenSSO configuration store. You can manage the centralized configuration through the OpenSSO console. Local configurations are stored in a file alongside the agent.

Server URL
The full URL to an OpenSSO instance or, if OpenSSO is deployed in a site configuration (behind a load balancer), the site URL.
In centralized configuration mode, the Server URL is used to populate the agent profile for services such as Login, Logout, Naming, and Cross Domain SSO.

Agent URL
The web server URL that the agent protects
In centralized configuration mode, the Agent URL is used to populate the Agent Profile for services such as notifications.


Create the Password File

Create a text file containing only the password.
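The password file holds the agent password in plain text, so it is worth creating it with the minimum possible content and permissions. The following is an added example, not part of the original post; the file path is the one entered later into IIS7CreateConfig.vbs, and the password is read interactively rather than typed on the command line.

```powershell
# Added example (not from the original post): create the agent password file
# and restrict who can read it. The path matches the one the page enters into
# IIS7CreateConfig.vbs; the password value is supplied at the prompt.
$PasswordFile  = 'C:\Sun\IIS7Agent\agentPassword.txt'
$AgentPassword = Read-Host -AsSecureString 'Agent profile password'

# Expose the SecureString as plain text only for the moment of writing the file.
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($AgentPassword)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    # The file must contain only the password: write it as ASCII with no
    # trailing newline rather than via Set-Content, which appends one.
    [IO.File]::WriteAllText($PasswordFile, $plain, [Text.Encoding]::ASCII)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# Least privilege: drop inherited ACEs and grant read access only to SYSTEM and
# Administrators, the account class that runs IIS7CreateConfig.vbs / IIS7Admin.vbs.
icacls $PasswordFile /inheritance:r /grant:r 'SYSTEM:(R)' 'BUILTIN\Administrators:(R)' | Out-Null

# Verify the result: exactly one line in the file and no unexpected principals.
if (@(Get-Content $PasswordFile).Count -ne 1) {
    Write-Warning 'Password file should contain a single line (the password only).'
}
(Get-Acl $PasswordFile).Access |
    ForEach-Object { '{0,-30} {1}' -f $_.IdentityReference, $_.FileSystemRights }
```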

Configure Policy Agent Installation

To protect Microsoft Office SharePoint Server 2010 on 64-bit Windows Server 2008 systems, the IIS 7.0 agent is deployed as an ISAPI filter.

  1. Log onto the server as a user with Administrator privileges.
  2. Make sure OpenSSO is running.
  3. Run IIS7CreateConfig.vbs to create the agent configuration file (config.txt).

C:\Sun\IIS7Agent\bin>cscript IIS7CreateConfig.vbs config.txt
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Copyright c 2009, 2011, Oracle and/or its affiliates. All rights reserved.
---------------------------------------------------------
    Microsoft (TM) Internet Information Server (7.0)
---------------------------------------------------------
Enter the Agent Resource File Name [IIS7Resource.en] :

Enter the Agent URL (Example: http://agent.example.com:80) :
http://win2008r2.ltes.com:80

Displaying the list of Web Sites and its corresponding Identifiers (id)

SITE "Default Web Site" (id:1,bindings:http/*:80:,net.tcp/808:*,net.pipe/*,net.msmq/localhost,msmq.formatname/localhost,state:Stopped)

SITE "SharePoint Web Services" (id:2,bindings:http/*:32843:,https/*:32844:,net.tcp/32845:*,net.pipe/*,state:Started)

SITE "SharePoint Central Administration v4" (id:342466872,bindings:http/:11533:,state:Started)

SITE "SharePoint - 80" (id:592320721,bindings:http/:80:,state:Started)

Web Site Identifier :
592320721
------------------------------------------------
Oracle OpenSSO Enterprise 8.0
------------------------------------------------
Enter the URL where the OpenSSO server is running. Please include the deployment URI also as shown in the example (Example: http://opensso.example.com:58080/opensso):
http://win2008r2.ltes.com:8080/opensso

Please enter the Agent Profile name :
iis7Agent

Enter the Agent profile password file :
C:\Sun\IIS7Agent\agentPassword.txt

-----------------------------------------------------
Agent Configuration file created : config.txt

Install the Policy Agent

  1. Run IIS7Admin.vbs to install the agent.

C:\Sun\IIS7Agent\bin>cscript IIS7Admin.vbs -config config.txt
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Copyright c 2009, 2011, Oracle and/or its affiliates. All rights reserved.

Enter the Agent Resource File Name [IIS7Resource.en] :

Creating the Agent Config Directory
Creating the OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.properties File
Updating the Windows Product Registry
Intalling the module into IIS.
Completed Configuring the IIS 7.0 Agent

Generate the Replay Password

  1. Generate the replay password key using the DESGenKey class on the OpenSSO server.

C:\java -classpath \Sun\WebServer7\https-Win2008R2.ltes.com\web-app\Win2008R2.ltes.com\opensso\WEB-INF\lib\amserver.jar com.sun.identity.common.DESGenKey
Key ==> 75jgRSbchTE=

Configure OpenSSO Agent and Server with the Replay Password

  1. Add the replay password key to the OpenSSOAgentConfiguration.properties file on the agent side:

    cd C:\Sun\OOS7Agent\Identifier_342466872\config
    edit OpenSSOAgentConfiguration.properties

  2. In the OpenSSO console, browse to Configuration -> Servers and Sites and click the OpenSSO server name.
  3. Select the Advanced tab and add the following properties and values:

Property Name                              Value
com.sun.am.replaypasswd.key                75jgRSbchTE=
com.sun.am.sharepoint_login_attr_name      displayName

  4. Click Save and ignore any warnings.
  5. Add the replay password to the Agent profile in the OpenSSO console:

Browse to Access Control -> Top Level Realm -> Agents -> Web -> [AgentProfileName] -> Advanced.
In the Microsoft IIS Server section set the values:
      Authentication Type - Basic
      Replay Password Key - 75jgRSbchTE=

  6. Configure the post-authentication plug-in:

Browse to Access Control -> Top Level Realm -> Authentication -> Advanced Properties.
Scroll down to the Authentication Post Processing Classes field.
Add com.sun.identity.authentication.spi.ReplayPasswd to the Authentication Post Processing Classes.
Save the changes and log out of the OpenSSO console.

  7. Restart the OpenSSO server web container.

Configure IIS7 for Basic Authentication

  1. Set the IIS7 authentication method to Basic Authentication by running inetmgr:

Select the local computer, Sites, SharePoint - 80.
In the right-hand pane, click Authentication in the IIS section.
Enable Basic Authentication.
Close all property windows.

  2. Restart the IIS 7.x server using iisreset.
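The inetmgr steps above can be checked (and the Basic Authentication setting applied) from an elevated PowerShell on the SharePoint host. This is an added example, not part of the original post or the agent's own tooling: the site name and agent home are taken from the page, while the pattern used to find the agent module or filter is an assumption.

```powershell
# Added example (not from the original post): verify the IIS side of the
# "Configure IIS7 for Basic Authentication" section. Site name and agent home
# follow the page; the module-name pattern is an assumption.
param(
    [string]$SiteName     = 'SharePoint - 80',   # web site chosen in IIS7CreateConfig.vbs
    [string]$AgentHome    = 'C:\Sun\IIS7Agent',  # install directory used on the page
    [string]$AgentPattern = '*agent*'            # assumed: how the OpenSSO module/filter is named
)

# IIS 7.5 (Server 2008 R2) ships WebAdministration as a module, IIS 7.0 as a snap-in.
if (Get-Module -ListAvailable -Name WebAdministration) { Import-Module WebAdministration }
else { Add-PSSnapin WebAdministration }

$sitePath = "IIS:\Sites\$SiteName"
if (-not (Test-Path $sitePath)) { throw "Site '$SiteName' not found in IIS." }
$site = Get-Item $sitePath

# 1. The Agent URL entered at install time must match one of the site's bindings.
Get-WebBinding -Name $SiteName | ForEach-Object { "Binding: $($_.protocol) $($_.bindingInformation)" }

# 2. Basic Authentication must be enabled on this site. The section is locked at
#    server level, so address it through IIS:\ plus -Location, as inetmgr does.
$basicFilter = '/system.webServer/security/authentication/basicAuthentication'
$enabled = (Get-WebConfigurationProperty -Filter $basicFilter -Name enabled -PSPath 'IIS:\' -Location $SiteName).Value
if (-not $enabled) {
    Write-Warning "Basic Authentication is off for '$SiteName'; enabling it."
    Set-WebConfigurationProperty -Filter $basicFilter -Name enabled -Value $true -PSPath 'IIS:\' -Location $SiteName
}

# 3. The agent must be registered. IIS7Admin.vbs reports installing a module and the
#    text describes an ISAPI filter, so look in both places.
$modules = Get-WebConfiguration -Filter '/system.webServer/globalModules/add' -PSPath 'IIS:\' |
    Where-Object { $_.name -like $AgentPattern -or $_.image -like $AgentPattern }
$filters = Get-WebConfiguration -Filter '/system.webServer/isapiFilters/filter' -PSPath $sitePath |
    Where-Object { $_.name -like $AgentPattern -or $_.path -like $AgentPattern }
if (-not $modules -and -not $filters) {
    Write-Warning "No module or ISAPI filter matching '$AgentPattern'; re-run IIS7Admin.vbs -config."
}
$modules | ForEach-Object { "Native module: $($_.name) -> $($_.image)" }
$filters | ForEach-Object { "ISAPI filter:  $($_.name) -> $($_.path)" }

# 4. The agent configuration directory is named after the site id (Identifier_<id>),
#    so a missing directory usually means a different id was entered during configuration.
$configFile = Join-Path $AgentHome "Identifier_$($site.id)\config\OpenSSOAgentConfiguration.properties"
if (Test-Path $configFile) { "Agent config: $configFile" }
else { Write-Warning "Expected agent configuration at $configFile but it does not exist." }
```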

Create OpenSSO Policy

Any attempt to access the Sharepoint site at this point results in a 403 permission denied error. This is easily resolved by creating an access policy for the site in the OpenSSO console.


Note

If the OpenSSO data store is not Active Directory make sure that the user credentials in the data store match their credentials in Active Directory.

Uninstall IIS7 Web Policy Agent

  1. Log onto the server as a user with Administrator privileges.
  2. Run:

C:\Sun\IIS7Agent\bin>cscript IIS7Admin.vbs -unconfig config.txt

  3. Run:

C:\Sun\IIS7Agent\bin>iisreset