This chapter covers installation of the policy agent for Varnish HTTP Accelerator 3.0.3.
Varnish is unlike the other policy agents supported for OpenAM. It does not require the Java environment necessary for the other policy agents, and it has a unique set of instructions for the agentadmin command. Varnish uses a directory called vmods. This is the location where you will need to handle any required installation or Varnish updates, and it requires the user to have administrative rights to update this directory for changes to take effect. You can also configure your Varnish instance using the Varnish Configuration Language (VCL) file.
You need to set up your container and OpenAM before installing the web agent.
Install the server.
Create and delegate an agent profile.
Download and prepare the policy agent for installation.
Make sure OpenAM is installed and running.
Contact OpenAM from the system running the policy agent.
Install the Varnish HTTP Accelerator.
To create a new web agent profile, you need a name and password, and the URLs to OpenAM and the application to protect. The agent requires a profile so that it can connect to and communicate with OpenAM.
In the OpenAM console, browse to Access Control > Realm Name > Agents > Web, and then click the New... button in the Agent table.
Complete the web form.
Use the following information to help you with the form.
Name
The name for the agent profile, used when you install the agent.
Password
The password the agent uses to authenticate to OpenAM.
Configuration (Local or Centralized)
Centralized configurations are stored in the OpenAM configuration store. You can manage the centralized configuration through the OpenAM console. Local configurations are stored in a file alongside the agent.
Server URL
The full URL to an OpenAM instance, or, if OpenAM is deployed in a site configuration (behind a load balancer), the site URL.
In centralized configuration mode, the Server URL is used to populate the agent profile for services such as Login, Logout, Naming, and Cross Domain SSO.
Agent URL
The web server URL that the agent protects.
In centralized configuration mode, the Agent URL is used to populate the agent profile for services such as notifications.
After creating the agent profile, you can click the link to the new profile to adjust and export the configuration.
Create a text file containing only the password.
$ echo password > /tmp/pwd.txt
Protect the password file you create as appropriate for your operating system.
$ chmod 400 /tmp/pwd.txt
Go to Obtaining OpenAM Software to determine which version of the agent to download and download the agent.
Verify the checksum of the file you download against the checksum posted on the download page.
Unzip the file in the directory where you plan to install the policy agent. The agent you install stores its configuration and logs under this directory.
Complete the following procedure to install the policy agent.
Stop Varnish.
$ sudo service varnish stop
Make sure OpenAM is running.
Run ./agentadmin to install the agent.
$ cd /path/to/web_agents/varnish/bin/
$ ./agentadmin
If the agent is in a different domain than the server, refer to the Administration Guide chapter, Configuring Cross-Domain Single Sign On.
Accept the ForgeRock Web Policy Agent License. In the next window, select Configure Varnish Web Policy Agent instance and enter the following information on each consecutive screen.
Press F3 to move to the next field, or F2 to return to the previous field to make a correction. Be careful as you make your entries: backspace erases the entire entry, not just the last character.
URL where the OpenAM server runs
Enter URL where the OpenAM server is running: http://openam.example.com:8080/openam
Agent URL that protects the web container
Enter URL where Agent is protecting the Web Container: http://www.website.example.com:80
Profile ID and password
Enter the Agent profile attributes in the OpenAM server:
Profile ID: webagent
Password: cangetin
Path to Varnish modules directory
Enter the path to Varnish modules directory /usr/lib/varnish/vmods
Once you have configured your agent, a page displays the agent configuration results. Verify the information, then press F4 when you are done.
Agent configuration results:
OpenAM URL: http://openam.example.com:8080/openam
Agent URL: http://website.example.com
Profile: webagent
WebServer configuration:
/opt/webagent/web_agents/varnish/bin/instances/agent_1/config/am.vcl
Encrypt the password if you want additional security.
The new agent appears as agent_1. You can return to this screen at any time by running /path/to/web_agents/varnish/bin/agentadmin to remove it.
Exit the screen.
Take note of the configuration files and log locations.
Each agent instance that you install on the system has its own numbered configuration and logs directory. The first agent's configuration and logs are thus located under the directory /path/to/web_agents/varnish/instances/agent_1/.
config/OpenAMAgentBootstrap.properties
Used to bootstrap the web policy agent, allowing the agent to connect to OpenAM and download its configuration.
config/OpenAMAgentConfiguration.properties
Only used if you configured the web policy agent to use local configuration.
logs/audit/
Operational audit log directory, only used if remote logging to OpenAM is disabled.
logs/debug/
Debug directory where the amAgent debug file resides. Useful in troubleshooting policy agent issues.
If your policy agent configuration is not in the top-level realm (/), then you must edit config/OpenAMAgentBootstrap.properties to identify the sub-realm that has your policy agent configuration. Find com.sun.identity.agents.config.organization.name and change the / to the path to your policy agent profile. This allows the policy agent to properly identify itself to the OpenAM server.
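The sub-realm edit above is a one-line change, but it is easy to leave a stray duplicate or a realm path without the leading "/". The following script is an added example (not ForgeRock's own tooling): it rewrites the com.sun.identity.agents.config.organization.name property named in the text, keeps a backup, and verifies the result. The property file content it generates is a constructed sample standing in for instances/agent_1/config/OpenAMAgentBootstrap.properties; the realm /customers is an assumed value.

```shell
#!/bin/sh
# Added example (not part of the ForgeRock documentation): point a web agent
# bootstrap file at a sub-realm. Only the property name comes from the text;
# the file path and realm are arguments, and the sample file is constructed.
set -eu

PROP='com.sun.identity.agents.config.organization.name'

# Print the current value of the organization name property in a bootstrap file.
get_org_name() {
    # Take the last matching line in case the file contains duplicates.
    sed -n "s/^${PROP}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# Rewrite the property to the realm path given in $2 (for example /customers),
# refusing realm paths that do not start with "/", and keep a .bak copy.
set_org_name() {
    file=$1
    realm=$2
    case $realm in
        /*) ;;
        *) echo "realm path must start with /: $realm" >&2; return 1 ;;
    esac
    if ! grep -q "^${PROP}[[:space:]]*=" "$file"; then
        echo "property ${PROP} not found in $file" >&2
        return 1
    fi
    cp "$file" "$file.bak"
    # '|' is used as the sed delimiter because the realm path contains '/'.
    sed "s|^\(${PROP}[[:space:]]*=[[:space:]]*\).*|\1${realm}|" "$file.bak" > "$file"
    # Read the value back so a failed rewrite is reported, not silently accepted.
    [ "$(get_org_name "$file")" = "$realm" ]
}

# Constructed sample bootstrap file with the top-level realm (/) still set.
make_sample_bootstrap() {
    cat > "$1" <<'EOF'
com.sun.identity.agents.config.naming.url = http://openam.example.com:8080/openam/namingservice
com.sun.identity.agents.config.organization.name = /
com.sun.identity.agents.config.username = webagent
EOF
}

# Usage: sh bootstrap-realm.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_bootstrap "$tmp"
    set_org_name "$tmp" /customers
    echo "organization name is now: $(get_org_name "$tmp")"
    rm -f "$tmp" "$tmp.bak"
fi
```

To apply it to a real instance, call set_org_name with the bootstrap file path from the instance's config directory and your realm path, then restart Varnish so the agent re-reads the file.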
Set up the backend by updating the following lines in the VCL script. Make sure the host and port are those of the web application that Varnish protects, and that they do not collide with the addresses varnishd itself binds (the -a and -T options below).
$ vi /path/to/web_agents/varnish/instances/agent_1/config/am.vcl
import am;
backend default {
  .host = "127.0.0.1";
  .port = "8080";
}
Start Varnish with the following command. It also loads the VCL script: -f names the VCL file, -a the address and port Varnish listens on for client requests, -T the management interface address, -s the storage backend and its size, -u the user varnishd runs as, and -F keeps varnishd in the foreground.
varnishd -u root -F -T localhost:8080 -f /path/to/web_agents/varnish/instances/agent_1/config/am.vcl -a :80 -s malloc,50M
Check the Varnish error log after you start the server to make sure startup completed successfully.
Check the amAgent debug log to verify that no errors occurred on startup.
$ tail /path/to/web_agents/varnish/instances/agent_1/logs/debug/amAgent
2011-09-03 13:28:16.971 -1 32686:9daae60 all: ==============...=====
2011-09-03 13:28:16.972 -1 32686:9daae60 all: Version: ...
2011-09-03 13:28:16.972 -1 32686:9daae60 all: Revision: ...
2011-09-03 13:28:16.972 -1 32686:9daae60 all: Build Date: ...
2011-09-03 13:28:16.972 -1 32686:9daae60 all: Build Machine: ..forgerock.com
2011-09-03 13:28:16.972 -1 32686:9daae60 all: ==============...=====
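Eyeballing the tail of the debug log works once; a repeatable startup check is more useful when Varnish is restarted often. The script below is an added example (not part of the ForgeRock documentation): it strips the amAgent line prefix shown above, confirms the version banner was written (so the module was actually loaded), and counts messages that look like errors. Treating any message containing "error" or "exception" as a failure is this script's own heuristic, and both sample logs it writes are constructed, modelled on the lines in the text.

```shell
#!/bin/sh
# Added example (not part of the ForgeRock documentation): a startup check over
# the amAgent debug log. The "error"/"exception" matching is a heuristic of this
# script, not a rule of the agent.
set -eu

# Each amAgent line, as shown in the documentation, starts with
# "YYYY-MM-DD HH:MM:SS.mmm level pid:thread component: ". Strip that prefix
# and keep only the message text.
log_messages() {
    sed 's/^[0-9-]* [0-9:.]* -*[0-9]* [0-9]*:[0-9a-f]* [A-Za-z]*: //' "$1"
}

# Count messages that look like errors (case-insensitive). grep -c exits 1 when
# the count is 0 but still prints "0", hence the "|| true".
count_log_errors() {
    log_messages "$1" | grep -ci -e 'error' -e 'exception' || true
}

# The agent writes a banner with its version when it starts; if it is missing,
# Varnish never loaded the module.
has_startup_banner() {
    grep -q 'all: Version:' "$1"
}

# Exit status 0 only when the banner is present and no error messages exist.
check_agent_log() {
    has_startup_banner "$1" || { echo "no startup banner in $1" >&2; return 1; }
    n=$(count_log_errors "$1")
    if [ "$n" -ne 0 ]; then
        echo "$n error message(s) in $1:" >&2
        log_messages "$1" | grep -i -e 'error' -e 'exception' >&2
        return 1
    fi
    echo "agent started cleanly ($1)"
}

# Constructed sample logs: a clean startup, and one where the agent reports
# that it could not reach OpenAM (the error line is invented for the example).
write_samples() {
    cat > "$1" <<'EOF'
2011-09-03 13:28:16.971 -1 32686:9daae60 all: ==============...=====
2011-09-03 13:28:16.972 -1 32686:9daae60 all: Version: ...
2011-09-03 13:28:16.972 -1 32686:9daae60 all: Build Date: ...
2011-09-03 13:28:16.972 -1 32686:9daae60 all: ==============...=====
EOF
    cat > "$2" <<'EOF'
2011-09-03 13:28:16.971 -1 32686:9daae60 all: ==============...=====
2011-09-03 13:28:16.972 -1 32686:9daae60 all: Version: ...
2011-09-03 13:28:17.104 1 32686:9daae60 all: Error: could not connect to http://openam.example.com:8080/openam/namingservice
EOF
}

# Usage: sh check-agent-log.sh --demo
if [ "${1:-}" = "--demo" ]; then
    ok=$(mktemp); bad=$(mktemp)
    write_samples "$ok" "$bad"
    check_agent_log "$ok"
    check_agent_log "$bad" || echo "startup problem detected, see messages above"
    rm -f "$ok" "$bad"
fi
```

Against a live instance, run check_agent_log on /path/to/web_agents/varnish/instances/agent_1/logs/debug/amAgent right after starting varnishd; a non-zero exit is a signal to stop and read the reported lines before putting the instance in front of users.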
If you have a policy configured, you can test your policy agent.
For example, try to browse to a resource that your policy agent protects.
You should be redirected to OpenAM to authenticate, for example as user
demo, password changeit. After
you authenticate, OpenAM then redirects you back to the resource you tried
to access.
The Varnish agent differs from the others in that changes are made through the agentadmin command-line mode. You use it to create a new server configuration template, the VCL file under instances/agent_1/config, and to set up the file or directory links in the Varnish vmods directory. Varnish is then started with that VCL file, which loads the agent module from vmods.
You can use the following commands for customizing your Varnish policy agent.
agentadmin -l
Lists all of the agent instances.
agentadmin -r agent_1
Removes the agent_1 instance created in the example.
agentadmin -e password
Encrypts the password, printing the encoded password and the encryption key as base64 output.
agentadmin -o openamurl -a agenturl -i agent_profile_id -p /path/to/passwordfile -c /usr/lib/varnish/vmods
Creates the agent instance with the given configuration parameters. Based on the examples in the procedures, you would use the following values:
openamurl is the OpenAM server URL, http://openam.example.com:80/openam
agenturl is the agent server URL, http://www.website.example.com:80
agent_profile_id is the agent profile name shown in OpenAM
/path/to/passwordfile is the path where you saved the agent profile password file
/usr/lib/varnish/vmods is the path to the Varnish vmods directory
agentadmin -v
Displays the version.
agentadmin -?
Displays a list of all possible options supported by Varnish.