Complete the following procedures to install the policy agent.
Procedure 5.1. To Create the IIS 7 Web Agent Profile
Regardless of whether you store configurations centrally in OpenAM or locally with your agents, the agent requires a profile so that it can connect to and communicate with OpenAM.
- In the OpenAM console, browse to Access Control > Realm Name > Agents > Web, and then click the New... button in the Agent table.
- Complete the web form using the following hints.
  - Name
    The name for the agent profile used when you install the agent
  - Password
    The password the agent uses to authenticate to OpenAM
  - Configuration
    Centralized configurations are stored in the OpenAM configuration store. You can manage the centralized configuration through the OpenAM console. Local configurations are stored in a file alongside the agent.
  - Server URL
    The full URL to an OpenAM instance or, if OpenAM is deployed in a site configuration (behind a load balancer), the site URL
    In centralized configuration mode, the Server URL is used to populate the agent profile for services such as Login, Logout, Naming, and Cross Domain SSO.
  - Agent URL
    The web server URL that the agent protects
    In centralized configuration mode, the Agent URL is used to populate the Agent Profile for services such as notifications.
Procedure 5.2. To Create the Password File
- Protect the password file you will create as appropriate.
- Create a text file containing only the password.
  C:\>notepad C:\Windows\Temp\pwd.txt
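One way to carry out this procedure from PowerShell so that the file is locked down before the password is written to it, as an added example that is not part of the original OpenAM documentation. It assumes an elevated PowerShell session; the path is the one used in this guide, and limiting access to Administrators and SYSTEM is an assumption about what "as appropriate" means on your host.

```powershell
# Added example, not from the OpenAM documentation.
$PwdFile = 'C:\Windows\Temp\pwd.txt'   # password file path used in this guide

# Create the file empty first, so the ACL is in place before the secret exists on disk.
New-Item -Path $PwdFile -ItemType File -Force | Out-Null

# Remove inherited entries and grant full control only to Administrators
# (S-1-5-32-544) and SYSTEM (S-1-5-18). Well-known SIDs are used so the
# command also works on localized Windows installations.
icacls $PwdFile /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# Prompt without echoing the password or leaving it in the command history.
$secure = Read-Host -Prompt 'Agent profile password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    # WriteAllText writes UTF-8 without a BOM and adds no trailing newline,
    # so the file contains only the password.
    [System.IO.File]::WriteAllText($PwdFile, $plain)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    Remove-Variable plain -ErrorAction SilentlyContinue
}

# Show the resulting access list for review.
(Get-Acl -Path $PwdFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType
```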
Procedure 5.3. To Configure Policy Agent Installation
- Log on as a user with Administrator privileges.
- Change to the directory where you unpacked the agent download.
  C:\>cd web_agents\iis7_agent\bin
- Create a configuration file using the IIS7CreateConfig.vbs script.
  Note: The Web Site Identifier is the value of id, not the site name.
  C:\web_agents\iis7_agent\bin>cscript IIS7CreateConfig.vbs config.txt
  ...
  Enter the Agent Resource File Name [IIS7Resource.en] :
  Enter the Agent URL (Example: http://agent.example.com:80) :
  http://windows7.example.com:80
  Displaying the list of Web Sites and its corresponding Identifiers (id)
  SITE "Default Web Site" (id:1,bindings:http/*:80:,state:Started)
  Web Site Identifier :1
  ...
  Enter the URL where the OpenAM server is running...:http://openam.example.com:8080/openam
  Please enter the Agent Profile name :IIS 7 Web Agent
  Enter the Agent profile password file :C:\Windows\Temp\pwd.txt
  -----------------------------------------------------
  Agent Configuration file created : config.txt
  -----------------------------------------------------
Procedure 5.4. To Install the Policy Agent into IIS 7
- Log on as a user with Administrator privileges.
- Make sure OpenAM is running.
- Run IIS7Admin.vbs to install the agent.
  C:\web_agents\iis7_agent\bin>cscript IIS7Admin.vbs -config config.txt
  ...
  Enter the Agent Resource File Name [IIS7Resource.en] :
  Creating the Agent Config Directory
  Creating the and File
  Updating the Windows Product Registry
  Installing policy web agent module in IIS (status: 0)
  Adding policy web agent module to "Default Web Site" (status: 0)
  Completed Configuring the IIS 7.0 Agent
- Make sure the authentication method for IIS 7 is set to anonymous.
- Restart IIS 7.
  C:\web_agents\iis7_agent\bin>iisreset
  Attempting stop...
  Internet services successfully stopped
  Attempting start...
  Internet services successfully restarted
  Note: If the agent is in a different domain than the server, refer to the Administration Guide procedure, Configuring Cross-Domain Single Sign On.
- Take note of the configuration files and log locations.
  Each agent instance that you install on the system has its own configuration and logs directory. The agent protecting the Default Web Site (id: 1) shown in the examples above has configuration and logs located under the directory web_agents\iis7_agent\Identifier_1. The number in the path to the agent configuration reflects the IIS site ID, unlike the other agents for which the number in the path is a counter. The number in the path therefore remains the same when you uninstall and then reinstall an agent to protect the same site.
  - config\
    Used to bootstrap the web policy agent, allowing the agent to connect to OpenAM and download its configuration
  - config\
    Only used if you configured the web policy agent to use local configuration
  - audit\
    Operational audit log directory, only used if remote logging to OpenAM is disabled
  - debug\
    Debug directory where the amAgent debug file resides. Useful in troubleshooting policy agent issues.
- If your policy agent configuration is not in the top-level realm (/), then you must edit config\ to identify the sub-realm that has your policy agent configuration. Find com.sun.identity.agents.config.organization.name and change the / to the path to your policy agent profile. This allows the policy agent to properly identify itself to the OpenAM server.
- If you have a policy configured, you can test your policy agent. For example, try to browse to a resource that your policy agent protects. You should be redirected to OpenAM to authenticate, for example as user demo, password changeit. After you authenticate, OpenAM then redirects you back to the resource you tried to access.
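The test in the last step can also be scripted, which makes it easy to repeat after every IIS or agent change and to catch a site that is silently serving content without the agent enforcing policy. This is an added example, not part of the original OpenAM documentation; Test-AgentRedirect is a hypothetical helper name, and the URLs are the sample hosts used in this guide (pass the site URL instead if OpenAM sits behind a load balancer).

```powershell
# Added example, not from the OpenAM documentation.
# Sends one unauthenticated request and reports where the agent sends the client.
function Test-AgentRedirect {
    param(
        [Parameter(Mandatory)] [string] $ResourceUrl,   # resource the agent protects
        [Parameter(Mandatory)] [string] $OpenAmUrl      # Server URL from the agent profile
    )
    $request = [System.Net.HttpWebRequest]::Create($ResourceUrl)
    $request.AllowAutoRedirect = $false   # inspect the first response, do not follow it
    $request.Timeout = 10000              # milliseconds
    $response = $null
    try {
        $response = $request.GetResponse()
    } catch {
        # 4xx/5xx responses surface as a WebException, possibly wrapped by PowerShell.
        $ex = $_.Exception
        while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }
        if (-not $ex -or -not $ex.Response) { throw }   # no HTTP response at all
        $response = $ex.Response
    }
    try {
        $status   = [int]$response.StatusCode
        $location = $response.Headers['Location']
    } finally {
        $response.Close()
    }
    $toOpenAm = [bool]($location -and
        $location.StartsWith($OpenAmUrl, [System.StringComparison]::OrdinalIgnoreCase))
    $verdict = if ($status -ge 300 -and $status -lt 400 -and $toOpenAm) {
        'Protected: redirected to OpenAM for authentication'
    } elseif ($status -eq 200) {
        'NOT protected: content served without authentication'
    } else {
        'Inconclusive: check the agent debug log'
    }
    [pscustomobject]@{ Status = $status; Location = $location; Verdict = $verdict }
}

Test-AgentRedirect -ResourceUrl 'http://windows7.example.com:80/' `
                   -OpenAmUrl   'http://openam.example.com:8080/openam'
```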

