Installing and Configuring WSS Agent with WebSphere

Blog Post created by SungHoon_Kim Employee on Jun 1, 2016

This is not complete and is Work in Progress.


Firstly you will need to have WebSphere installed.

I have WebSphere installed on RHEL 6.5(x64) at "/apps/IBM/WebSphere/AppServer".

It is installed by root.

I have a server configured at "/apps/IBM/WebSphere/AppServer/profiles/AppSrv01/servers/server1"


I am not using external JDK. I am using IBM Java that came bundled with WebSphere.


You need to have an existing Policy Server that supports WSS Agent.

I have R12.52SP1CR4 Policy Server on the same machine at /apps/CA/siteminder".

It is installed by smuser.

I am running in "FIPSONLY" mode.


You need to have an existing User Store.

I am using AD and I have admin account to connect to it.

I also have a test user account to test authentication.


You need to have a Web Service to test this.

It must be JAX-RPC Application which has "webservices.xml" file.

Sample application has rootcontext of "/securitytest".


Install WSS Agent. I would recommend R12.52SP1CR4.

(There were couple of files missing in the CR5, the and cryptojFIPS.jar)


During installation, enter the path to your WebSphere(/apps/IBM/WebSphere/AppServer).

WSS Agent will copy the jar files to "/apps/IBM/WebSphere/AppServer/lib/ext" folder and some other files to "/apps/CA/Web_Services_Security" folder.


***After the installation, you must copy the "/apps/IBM/WebSphere/AppServer/lib/ext/thirdparty/cryptojFIPS.jar" to "/apps/IBM/WebSphere/AppServer/java/jre/lib/ext" folder.


*** Modify the "/apps/IBM/WebSphere/AppServer/java/jre/lib/security/" file as below.



Make absolutely sure that there is no typo or uppercase lowercase mistake.

You do not need to add "com.rsa.cryptoj.fips140initialmode=NON_FIPS140_MODE" since this is running in "FIPSONLY" mode.


Logon to WebSphere console and register LDAP userstore.

"Console ==> Security ==> Global security ==> User account repository"

Select "Standalone LDAP registry" from "Available realm definitions" and click "Configure..." button.

Enter required information as below.

Click "Apply".


Then click on "Java Authentication and Authorization Service".


Click on "System logins".

Click "New"


Create "XMLAgent" as below. You MUST name the alias as "XMLAgent".

The order must be followed and all must be set to "REQUIRED".

Login Module Class Name            REQUIRED 1                  REQUIRED 2   REQUIRED 3

Click "Apply" and "OK"


Now goto "/apps/CA" (parent folder of Web_Services_Security folder) and create "WebServices_Security" folder.

Note the missing underscore!!!

The reason is the SystemErr.log reported that it cannot find the log.config file and that filepath was different from where the WSS Agent was installed.



You will also need to copy the "/apps/CA/Web_Services_Security/wasagent/config/JavaAgent.conf" and "" file as well.


For some reason, these files were loaded from "/apps/IBM/WebSphere/AppServer/profiles/AppSrv01/config/" folder but once I created the "/apps/CA/Web_Services_Security/wasagent/config/" it permanently was looking for files in this folder.

I left "SmHost.conf" file in the "/apps/CA/Web_Services_Security/wasagent/config" folder so the JavaAgent.conf is still pointing to that filepath.



You also need to create "/apps/CA/WebServices_Security/bin/" folder as that is the default folder where soasm_agent.log file is generated. Please ensure the folder has appropriate permission to create files.


Next is to deploy the web services.

I have the web service extracted at "/apps/SecurityTest_war.ear/"

Navigate to "/apps/SecurityTest_war.ear/SecurityTest.war/WEB-INF/" and modify the "webservices.xml" file as below.

Please note the <handler> part.

Your application may have existing <handler>. In that case you must ensure the WSS Agent handler comes at the top.

In this case, there is only WSS Agent handler.


Restart the WebSphere.


Logon to SiteMinder AdminUI and create the following.


Create User Directory.

This is the same user directory that you registered at the WebSphere.



Create "XML Document Credential Collector" authentication scheme.


You must ensure the XPATH is defined correctly.


Create Domain/Realm/Rule/Policy.



Please ensure you have chosen "Post", "ProcessSOAP" and "ProcessXML" actions.




Now import a keypair and give it alias as "defaultenterpriseprivatekey".


Otherwise, you will get error in the soasm_agent.log below.


After import, you will see the "IssuerDN" of your signing key.


Next is to use SoapUI to send request.


The Soap Document in the Body should have the matching user credential as defined in the Authentication Scheme(XPATH).

At the right panel, you can see the SMSESSION cookie was returned.

So, the authentication looked as if it was successful but there were errors reporting about the structure of XML document missing some elements.



To be continued...