Installation guide
Using Secure Sockets Layer (SSL) with an Agent
122 Sun ONE Identity Server Policy Agents 2.1 • Web Policy Agents Guide • April 2005
If you chose the HTTPS protocol during installation, the agent is
automatically configured and ready to communicate over SSL.
The Agent’s Default Trust Behavior
By default, the policy agent installed on a remote Apache Server will trust any
server certificate presented over SSL by the Web Server that runs Sun ONE Identity
Server; the agent does not check the root Certificate Authority (CA) certificate. If
the Web Server that runs Sun ONE Identity Server is SSL-enabled, and you want
the policy agent to perform certificate-checking, you must do the following:
1. Disable the agent’s default trust behavior.
2. Install a root CA certificate on the remote web server (where the agent is
installed). The root CA certificate must be the same one that is installed on the
web server that runs Sun ONE Identity Server service.
Disabling the Agent’s Default Trust Behavior
The following property in the AMAgent.properties file controls the agent’s trust
behavior. By default it is set to true:
com.sun.am.trustServerCerts=true
This means that the agent does not perform certificate-checking.
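The following shell function is an added example, not part of the Sun guide or the product: it audits an AMAgent.properties file for the trust setting described above. The function name, the status words and the '#' comment convention are assumptions; the property name and its true/false values come from this page.

```shell
#!/bin/sh
# Audit AMAgent.properties for the trust setting (added example).
KEY='com.sun.am.trustServerCerts'

# Prints OK, TRUST_ALL, UNEXPECTED_VALUE, NOT_SET or UNREADABLE.
# Returns 0 only when every active assignment of KEY is exactly "false".
# Assumption: lines starting with '#' are comments. Duplicate assignments
# are all checked, so the result does not depend on which one the agent uses.
audit_trust_setting() {
    [ -r "$1" ] || { echo UNREADABLE; return 2; }
    tr -d '\r' < "$1" | awk -v key="$KEY" '
        /^[ \t]*#/ { next }                       # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next                     # not an assignment
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)        # trim key
            gsub(/^[ \t]+|[ \t]+$/, "", v)        # trim value
            if (k != key) next
            seen = 1
            if (v == "true") trust_all = 1        # certificate checking off
            else if (v != "false") odd = 1        # neither true nor false
        }
        END {
            if (!seen)     { print "NOT_SET"; exit 1 }
            if (trust_all) { print "TRUST_ALL"; exit 1 }
            if (odd)       { print "UNEXPECTED_VALUE"; exit 1 }
            print "OK"
        }'
}

# Constructed sample: the fix is commented out, the default is still active.
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' "# $KEY=false" "$KEY=true" > "$tmp"
    audit_trust_setting "$tmp"; rc=$?
    rm -f "$tmp"
    return "$rc"
}
demo || true
```

A non-zero exit status means the file does not clearly enable certificate checking, so the function can gate a deployment or configuration-compliance check.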
To Disable the Default Behavior
The following property must be set to false:
NOTE
Be sure to use the unconfig_linux script to uninstall any agent that was
installed using the config_linux script—you cannot use the GUI installation
program to uninstall agents that were installed from the command line. The GUI
uninstallation program must be executed only after unconfiguring all the existing
agents installed using the command-line unconfig script.
NOTE
Before proceeding with the following steps, ensure that the Web Server is
configured for SSL.