In the light of FRAAS-5321 and
OPENAM-17140 being closed without either being fixed, we need to update our documentation, warning users to create a policy set within each new realm they create. This will be of particular interest to cloud users who are forced to work in two realms ("alpha" and "beta") in everything they do.
The default policy set in each realm is supposed to be iPlanetAMWebAgentService. Indeed this is the default policy set in the root realm (where it is created automatically), but no other realm. Why the root realm is an exception is not clear. Why creating this policy set automatically in every other realm represents a "security risk" is also not clear.
If given no other information (i.e. an alternative policy set name to use) the Agents will assume this name. If this policy set doesn't exist, or no alternative policy set is nominated, policy evaluation just won't work and everything (no matter how many policies say otherwise) will return "permission denied".
The above may be rather surprising for customers trying to get their system to work.
Other than manually creating this policy set within each realm, alternative policy sets should be nominated via the (Java Agent) property:
which can either be set for all web applications with:
(where the specified policy set should be created in all realms used by the Agent) or for specific web applications with:
What the equivalent properties are for the Web Agent is something Nicholas James will have to say.
It is regrettable that the section which deals with Agent pre-installation tasks is repeated multiple times for each supported container. Hopefully this is only in one place and can be modified easily.