---
title: Prepare for installation
description: Learn more about installing Java Agent in Installation. Consider the following points for using the agent with Advanced Identity Cloud:
component: java-agents
version: 2025.11
page_id: java-agents:identity-cloud-guide:installation
canonical_url: https://docs.pingidentity.com/java-agents/2025.11/identity-cloud-guide/installation.html
section_ids:
  demo-user: Add a test user in Advanced Identity Cloud
  create-policy: Create a policy set and policy in Advanced Identity Cloud
  create-agent-profile: Create an agent profile in Advanced Identity Cloud
  secret-label-identifier-changes: Secret Label Identifier changes
---

# Prepare for installation

Learn more about installing Java Agent in [Installation](../installation-guide/preface.html). Consider the following points for using the agent with Advanced Identity Cloud:

* Configure Advanced Identity Cloud and set up a policy before you install the agent. When you configure the agent in the Advanced Identity Cloud admin UI, you can select the policy.

* For environments with load balancers or reverse proxies, consider the communication between the agent and the Advanced Identity Cloud tenants, and between the agent and the client. Configure the environment **before** you install the agent.

## Add a test user in Advanced Identity Cloud

Add a user so you can test the examples in this guide.

1. In the Advanced Identity Cloud admin UI, select [icon: people, set=material, size=inline] Identities > Manage > Alpha realm - Users.

2. Add a new user with the following values:

   * Username : `bjensen`

   * First name : `Babs`

   * Last name : `Jensen`

   * Email Address : `bjensen@example.com`

   * Password : `Ch4ng3!t`

## Create a policy set and policy in Advanced Identity Cloud

1. In the Advanced Identity Cloud admin UI, select [icon: open_in_new, set=material, size=inline] Native Consoles > Access Management. The AM admin UI is displayed.

2. In the AM admin UI, select Authorization > Policy Sets > New Policy Set, and add a policy set with the following values:

   * Id : `PEP`

   * Resource Types : `URL`

3. In the policy set, add a policy with the following values:

   * Name : `PEP-policy`

   * Resource Type : `URL`

   * Resource pattern : `*://*:*/*`

   * Resource value : `*://*:*/*`

4. On the Actions tab, add actions to allow HTTP `GET` and `POST`.

5. On the Subjects tab, remove any default subject conditions, add a subject condition for all `Authenticated Users`.

## Create an agent profile in Advanced Identity Cloud

1. In the Advanced Identity Cloud admin UI, go to [icon: verified_user, set=material, size=inline] Gateways & Agents > New Gateway/Agent, and add a Java Agent with the following values:

   * Agent ID : `java-agent`

   * Password : `password`

   * Application URL : `https://agent.example.com:443/app`

   * Use Secret Store for password: (Optional) Enable to use a secret store for the agent profile password.

     Once enabled, the Secret Label Identifier field displays.

   * Secret Label Identifier: Enter a value that represents the `identifier` part of the secret label for the agent. This value should clearly identify the agent (for example, `java-agent`). Advanced Identity Cloud uses the identifier to generate a secret label in the following format: `am.application.agents.identifier.secret`.

     Learn more in [Secret labels](https://docs.pingidentity.com/pingoneaic/latest/tenants/esvs-signing-encryption.html#secret-labels) and [Map ESV secrets to secret labels](https://docs.pingidentity.com/pingoneaic/latest/tenants/esvs-signing-encryption.html#map-esv-secrets-to-secret-labels).

2. Click Save Profile and Done.

3. On the agent profile page, enable Use Policy Authorization, select a policy set to assign to the profile, and then click Save.

   If a suitable policy set isn't available, select Edit advanced settings to edit or create one.

### Secret Label Identifier changes

Advanced Identity Cloud maintains secret mappings when the Secret Label Identifier is changed as follows:

* If you update the Secret Label Identifier:

  * If no other agent shares that secret mapping, Advanced Identity Cloud updates any corresponding secret mapping for the previous identifier.

  * If another agent shares that secret mapping, Advanced Identity Cloud creates a new secret mapping for the updated identifier and copies its aliases from the previously shared secret mapping.

* If you delete the Secret Label Identifier, Advanced Identity Cloud deletes any corresponding secret mapping for the previous identifier, provided no other agent shares that secret mapping.