You install web policy agents in the web servers holding web resources that you want to protect. By default, the web policy agent has only enough configuration at installation time to connect to OpenAM in order to get the rest of its configuration from the OpenAM configuration store. With nearly all configuration stored centrally, you can manage policy agents centrally from the OpenAM console.
You can opt to store the agent configuration locally if necessary. If you store the configuration locally, avoid configuration issues by making sure you provide valid values for the configuration properties whose names end in the following:
- .cookie.name
- .fqdn.default
- .agenturi.prefix
- .naming.url
- .login.url
- .instance.name
- .username
- .password
- .connection_timeout
- .policy_clock_skew
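One way to lint a locally stored agent configuration before deploying it is sketched below. It is an added example, not code from OpenAM or from the original page. The `key = value` file layout, the `example.agent` key prefix, the sample values, and the rules for what counts as a valid value (non-empty, http(s) URL, non-negative integer) are all assumptions of the example.

```python
from urllib.parse import urlparse

# Suffixes from this page; which hold URLs or integers is this example's assumption.
SUFFIXES = (".cookie.name .fqdn.default .agenturi.prefix .naming.url .login.url "
            ".instance.name .username .password .connection_timeout "
            ".policy_clock_skew").split()
URL_SUFFIXES = {".agenturi.prefix", ".naming.url", ".login.url"}
INT_SUFFIXES = {".connection_timeout", ".policy_clock_skew"}

def parse_properties(text):
    props = {}
    for line in text.splitlines():
        line = line.strip()
        # Skip blank lines, # or ! comment lines, and lines without a separator.
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def is_http_url(value):
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def check_local_config(text):
    """Return one finding per listed suffix that is missing or malformed."""
    props = parse_properties(text)
    findings = []
    for suffix in SUFFIXES:
        values = [v for k, v in props.items() if k.endswith(suffix)]
        if not values or "" in values:
            findings.append(suffix + ": missing or empty")
        elif suffix in URL_SUFFIXES and not all(map(is_http_url, values)):
            findings.append(suffix + ": not an http(s) URL")
        elif suffix in INT_SUFFIXES and not all(v.isdigit() for v in values):
            findings.append(suffix + ": not a non-negative integer")
    return findings

# Constructed sample: the "example.agent" key prefix and every value are made up.
SAMPLE = """\
example.agent.cookie.name = iPlanetDirectoryPro
example.agent.fqdn.default = www.example.com
example.agent.agenturi.prefix = http://www.example.com:80/amagent
example.agent.naming.url = openam.example.com/openam/namingservice
example.agent.login.url = https://openam.example.com:8443/openam/UI/Login
example.agent.instance.name = agent_1
example.agent.username = webagent
example.agent.password =
example.agent.connection_timeout = 4s
"""
print("\n".join(check_local_config(SAMPLE)))
```

Run against the constructed sample, the check flags the naming URL without a scheme, the empty password, the non-numeric timeout, and the absent clock skew property.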
You configure web policy agents per realm. Thus to access centralized configuration, you select Access Control > Realm Name > Agents > Web > Agent Name. Web policy agent configuration is distinct from policy configuration. The only policy-like configuration that you apply to web policy agents is indicating which URLs in the web server can be ignored (not enforced URLs) and which client IP addresses are exempt from policy enforcement (not enforced IPs).
For each aspect of web policy agent configuration, you can configure the policy agent through the OpenAM console during testing, and then export the resulting configuration in order to script configuration in your production environment.

