Prepare for installation
Learn more about installing Java Agent in Installation. Consider the following points for using the agent with Identity Cloud:
- Configure Identity Cloud and set up a policy before you install the agent. When you configure the agent in the Identity Cloud admin UI, you can select the policy.
- For environments with load balancers or reverse proxies, consider the communication between the agent and the Identity Cloud servers, and between the agent and the client. Configure the environment before you install the agent.
Example installation for this guide
Unless otherwise stated, the examples in this guide assume the following installation:
- AM server URL: https://tenant.forgeblocks.com:443/am
- Agent URL: http://agent.example.com:80/app
- Agent profile name: java-agent
- Agent profile realm: /alpha
- Agent profile password: /secure-directory/pwd.txt
Add a demo user in Identity Cloud
Add a user so you can test the examples in this guide.
- In the Identity Cloud admin UI, select Identities > Manage > Alpha realm - Users.
- Add a new user with the following values:
  - Username: demo
  - First name: demo
  - Last name: user
  - Email Address: demo@example.com
  - Password: Ch4ng3!t
Create a policy set and policy in Identity Cloud
- In the Identity Cloud admin UI, select Native Consoles > Access Management. The AM admin UI is displayed.
- In the AM admin UI, select Authorization > Policy Sets > New Policy Set, and add a policy set with the following values:
  - Id: PEP
  - Resource Types: URL
- In the policy set, add a policy with the following values:
  - Name: PEP-policy
  - Resource Type: URL
  - Resource pattern: *://*:*/*
  - Resource value: *://*:*/*
- On the Actions tab, add actions to allow HTTP GET and POST.
- On the Subjects tab, remove any default subject conditions, and add a subject condition for all Authenticated Users.
Create an agent profile in Identity Cloud
- In the Identity Cloud admin UI, go to Gateways & Agents > New Gateway/Agent, and add a Java Agent with the following values:
  - Agent ID: java-agent
  - Password: password
  - Application URL: http://agent.example.com:80/app
- Click Save Profile and Done.
- On the agent profile page, select Use Policy Authorization, select a policy set to assign to the profile, and then click Save.
  If a suitable policy set isn’t available, select Edit advanced settings in the Access Management Native Console to edit or create one.
- (Optional) Use AM’s secret service to manage the agent profile password. If AM finds a matching secret in a secret store, it uses that secret instead of the agent password configured in Step 1.
  - In the settings panel of the agent profile page, click Edit advanced settings in the Access Management Native Console.
  - In the AM admin UI, set a label for the agent password in Secret Label Identifier.
    AM uses the identifier to generate a secret label for the agent. The secret label has the format am.application.agents.identifier.secret, where identifier is the Secret Label Identifier. The Secret Label Identifier can only contain the characters a-z, A-Z, 0-9, and periods (.). It can’t start or end with a period.
  - Select Secret Stores and configure a secret store.
  - Map the label to the secret. Learn more from AM’s Map and rotate secrets.
  Note the following points for using AM’s secret service:
  - Set a Secret Label Identifier that clearly identifies the agent.
  - If you update or delete the Secret Label Identifier, AM updates or deletes the corresponding mapping for the previous identifier, provided no other agent shares the mapping.
  - When you rotate a secret, update the corresponding mapping.
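The identifier rules and label format above, as an added Python check that is not part of this guide or of the agent's own code: it validates a Secret Label Identifier, derives the label AM would generate from it, and lists labels that more than one agent profile resolves to (the mappings AM keeps when one sharing agent changes its identifier). The agent profile names other than java-agent are constructed sample values.

```python
import re
from collections import defaultdict

# Constraint stated in the guide: a Secret Label Identifier may contain only
# a-z, A-Z, 0-9 and periods, and may not start or end with a period.
_IDENTIFIER_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.]*[A-Za-z0-9])?")

# Label format stated in the guide: am.application.agents.<identifier>.secret
LABEL_TEMPLATE = "am.application.agents.{identifier}.secret"


def is_valid_identifier(identifier: str) -> bool:
    """Return True if the identifier satisfies the character and period rules."""
    return _IDENTIFIER_RE.fullmatch(identifier) is not None


def secret_label(identifier: str) -> str:
    """Build the secret label AM derives from a Secret Label Identifier.

    Raises ValueError for identifiers the admin UI would reject.
    """
    if not is_valid_identifier(identifier):
        raise ValueError(f"invalid Secret Label Identifier: {identifier!r}")
    return LABEL_TEMPLATE.format(identifier=identifier)


def shared_labels(agent_identifiers: dict[str, str]) -> dict[str, list[str]]:
    """Group agent profiles (name -> identifier) by the label they resolve to.

    Returns only labels mapped from more than one agent profile: those are the
    mappings that survive when one of the sharing agents updates or deletes its
    identifier, so they need review before a rotation or a profile deletion.
    """
    by_label: dict[str, list[str]] = defaultdict(list)
    for agent_id, identifier in agent_identifiers.items():
        by_label[secret_label(identifier)].append(agent_id)
    return {label: agents for label, agents in by_label.items() if len(agents) > 1}


if __name__ == "__main__":
    # Constructed sample: the guide's java-agent profile plus two hypothetical
    # profiles that were given the same Secret Label Identifier.
    profiles = {"java-agent": "java.agent", "web-agent-a": "shared.web", "web-agent-b": "shared.web"}
    for agent_id, identifier in profiles.items():
        print(agent_id, "->", secret_label(identifier))
    print("shared:", shared_labels(profiles))
    # The example profile name from this guide contains a hyphen, so it cannot
    # itself be used as a Secret Label Identifier.
    print("java-agent valid?", is_valid_identifier("java-agent"))
```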