OpenAM12: IIS 7 Web Policy Agent


Install IIS 7

* OS: Windows 2008 R2
* Add roles: Web Server (IIS) with Application Development
* Add to hosts file:

192.168.1.7 openam.my.com
192.168.1.35 iis7.my.com

Create IIS Agent Profile

* Log in to OpenAM
* Go to: Access Control > / (Top Level Realm) > Agents > Web tab
* Add a new Web agent named IIS7:
– Note that you need to specify the port number in both the Server URL and the Agent URL, even for the default ports 80 and 443

[Screenshot: openam_iisagent_profile_1]

* Select the new agent and enable SSO Only Mode
* If the web server is behind a load balancer:
– Go to Advanced tab
– Select all Load Balancer options

Install OpenAM Agent

* Download the IIS Web Policy Agent, e.g. IIS_WINNT_64bit_4.0.0.zip, from the ForgeRock download site.
* Unzip the iis_agent folder into a directory, e.g. C:\prog
* For SSL support (e.g. when OpenAM uses HTTPS):
– Download pre-compiled OpenSSL for Windows, e.g. from here (openssl-1.0.2k-x64_86-win64.zip).
– Copy the following OpenSSL DLL files:
libeay32.dll
ssleay32.dll
to:
C:\Windows\SysWOW64 (for 32-bit OpenSSL)
C:\Windows\system32 (for 64-bit OpenSSL)
– Run iisreset so that IIS picks up the OpenSSL DLL files
* Create a new password file named iis7pass.txt and enter the agent profile password in it, e.g. Wx1
* Open a privileged command window
* Go to C:\prog\iis_agent\bin

Interactive Install

agentadmin.exe --i
 
Installation parameters:
 
   OpenAM URL: http://openam.my.com:8080/openam
   Agent URL: http://iis7.my.com:80
   Agent Profile name: IIS7
   Agent realm/organization name: /
   Agent Profile password source: C:\prog\iis_agent\iis7pass.txt
 
Confirm configuration (yes/no): [no]: yes
Validating...
Validating... Success.
Cleaning up validation data...
Creating configuration...
Installation complete.

* Don’t forget to run iisreset

Silent Install

# Find which site to install agent into
agentadmin.exe --n
IIS Server Site configuration:
 
Number of Sites: 1
 
id: 1   name: "DEFAULT WEB SITE"
 
# Silent install
agentadmin.exe --s "1" "http://openam.my.com:8080/openam" "http://iis7.my.com:80" "/" "IIS7" "C:\prog\iis_agent\iis7pass.txt" --changeOwner --acceptLicence

* Don’t forget to run iisreset
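The Install OpenAM Agent and Silent Install steps above, scripted end to end as an added PowerShell example (not the post's own code and not part of the agent distribution): it checks the hosts entries, copies the OpenSSL DLLs, writes the password file with an ACL limited to Administrators and SYSTEM, resolves the site id from agentadmin --n and runs the silent install. It assumes the agent is unpacked under C:\prog\iis_agent, OpenSSL under C:\prog\openssl\bin, a 64-bit OpenSSL build, and that agentadmin returns a non-zero exit code on failure.

```powershell
# Added example; paths, hostnames and site name are assumptions matching this post.
$ErrorActionPreference = 'Stop'
$AgentDir       = 'C:\prog\iis_agent'
$OpenSslBin     = 'C:\prog\openssl\bin'        # where the OpenSSL zip was unpacked (assumed)
$OpenSslIs64Bit = $true
$OpenAmUrl      = 'http://openam.my.com:8080/openam'
$AgentUrl       = 'http://iis7.my.com:80'      # port is mandatory, even for 80/443
$ProfileName    = 'IIS7'
$Realm          = '/'
$SiteName       = 'DEFAULT WEB SITE'
$PassFile       = Join-Path $AgentDir 'iis7pass.txt'
$AgentAdmin     = Join-Path $AgentDir 'bin\agentadmin.exe'

# 1. Both FQDNs from the post must resolve locally (hosts file entries).
$hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts"
foreach ($fqdn in 'openam.my.com', 'iis7.my.com') {
    $pattern = '^\s*\d+\.\d+\.\d+\.\d+\s+' + [regex]::Escape($fqdn) + '(\s|$)'
    if (-not ($hosts -match $pattern)) { throw "hosts file has no entry for $fqdn" }
}

# 2. OpenSSL DLLs: 64-bit build goes to system32, 32-bit build to SysWOW64 (as in the post).
$dllDir = if ($OpenSslIs64Bit) { "$env:SystemRoot\System32" } else { "$env:SystemRoot\SysWOW64" }
foreach ($dll in 'libeay32.dll', 'ssleay32.dll') {
    Copy-Item (Join-Path $OpenSslBin $dll) $dllDir -Force
}

# 3. Password file: written without a trailing newline; the plaintext file is readable
#    only by Administrators and SYSTEM (inherited ACEs removed).
$pw = Read-Host -Prompt 'Agent profile password'
[IO.File]::WriteAllText($PassFile, $pw)
& icacls $PassFile /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' 'NT AUTHORITY\SYSTEM:(F)' | Out-Null

# 4. Resolve the IIS site id from "agentadmin --n" lines such as: id: 1   name: "DEFAULT WEB SITE"
$siteId = (& $AgentAdmin --n) | ForEach-Object {
        if ($_ -match '^\s*id:\s*(\d+)\s+name:\s*"(.+)"') {
            [pscustomobject]@{ Id = $Matches[1]; Name = $Matches[2] }
        }
    } | Where-Object { $_.Name -eq $SiteName } | Select-Object -First 1 -ExpandProperty Id
if (-not $siteId) { throw "IIS site '$SiteName' not found in agentadmin --n output" }

# 5. Silent install with the same arguments as the post, then restart IIS so the module loads.
& $AgentAdmin --s $siteId $OpenAmUrl $AgentUrl $Realm $ProfileName $PassFile --changeOwner --acceptLicence
if ($LASTEXITCODE -ne 0) { throw "agentadmin --s failed with exit code $LASTEXITCODE" }
iisreset | Out-Null

# 6. Confirm an agent instance is now registered (agentadmin --l lists "id: agent_N").
if (-not ((& $AgentAdmin --l) -match '^\s*id:\s*agent_\d+')) {
    throw 'no agent instance listed by agentadmin --l'
}
```

Run it from an elevated PowerShell prompt, since copying into system32 and installing the IIS module both require administrator rights.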

Web Site Authentication

* Log in to the IIS server
* Open IIS Manager
* Select the web site
* Enable the Anonymous authentication type for the site
* Disable all other authentication types for the site

Test

* Point a browser at the agent URL, e.g. http://iis7.my.com:80
* You’ll be prompted to log in to OpenAM
* Once logged in, you’re redirected to the agent site

Agentadmin Commands

List Web Sites

agentadmin.exe --n
IIS Server Site configuration:
 
Number of Sites: 1
 
id: 1   name: "DEFAULT WEB SITE"

List Installed Agents

agentadmin.exe --l
 
OpenAM Web Agent configuration instances:
 
   id:            agent_1
   configuration: C:\prog\iis_agent\bin\..\instances\agent_1
   server/site:   2

Disable Agent

* This does not work in version 4.0.0

agentadmin.exe --d agent_1

Enable Agent

agentadmin.exe --e agent_1
 
Enabling agent_1 module configuration in site 2... Done.

Remove Agent

agentadmin.exe --r agent_1
 
Warning! This procedure will remove agent_1 configuration from IIS Site 2.
 
Continue (yes/no): [no]: y
 
Removing agent_1 configuration...
 
Removing agent_1 configuration... Done.

Remove All Agents

agentadmin.exe --g
