
Integration OpenSSO


These instructions are an example of configuring OpenSSO to protect the UML application. They use a policy agent on a reverse proxy placed in front of the UML application server; the recommended approach would be to use a web or application server agent to protect UML directly.

OpenSSO Configuration

These instructions assume that OpenSSO (the *.war file) is deployed to a GlassFish domain.
Once deployed, OpenSSO needs to be configured.

OpenSSO can be configured either through the GUI or from the command line. To configure it from the command line, follow the steps below.

The command line tools for this example have been installed under "/var/opt/OpenSSO/Configurator"

This example also uses an OpenDS instance for the users.

To use the OpenDS instance running on port 1389 as the user store and to configure an embedded OpenDS configuration store on port 51389 for OpenSSO, use the configuration file in the "/var/opt/OpenSSO/Configurator" folder. The file is called "config-file"; it feeds the required data to the command line tool that configures OpenSSO. Make sure JAVA_HOME is set (and exported, so the tool sees it) before running the command line tool.

# cd /var/opt/OpenSSO/Configurator
# export JAVA_HOME=/usr/java
# java -jar configurator.jar -f config-file

Sample OpenSSO config file

##############################################################################
###
### SERVER_URL is the URL of the web container on which OpenSSO Server is
### deployed.
###
### DEPLOYMENT_URI is the OpenSSO Server deployment URI.
###
### BASE_DIR is the configuration directory
###
### locale is the user locale.
###
### PLATFORM_LOCALE is the locale of OpenSSO Server.
###
### AM_ENC_KEY is the password encryption key. In a multiserver installation,
### this parameter must have the same value as the other servers. By default,
### AM_ENC_KEY is set to "" which means that OpenSSO Server will generate a
### random password encryption key.
###
### ADMIN_PWD is the password for the default user, amAdmin. The password must
### be at least 8 characters in length. If this configuration will be part of
### an existing deployment, the password you enter must match that of the
### original deployment.
###
### AMLDAPUSERPASSWD is the password for default policy agent [UrlAccessAgent].
### The password must be at least 8 characters in length. If this configuration
### will be part of an existing deployment, the password you enter must match
### that of the original deployment.
###
### COOKIE_DOMAIN is the name of the trusted DNS domain that OpenSSO Server
### returns to a browser when it grants a session ID to a user.
###
#############################################################################
SERVER_URL=http://sedemo8.identric.com:82
DEPLOYMENT_URI=/opensso
BASE_DIR=/var/opt/OpenSSO/Config
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=""
ADMIN_PWD=identity
AMLDAPUSERPASSWD=agent123
COOKIE_DOMAIN=.identric.com
##############################################################################
###
### DATA_STORE is the type of configuration data store. Valid values are
### 'embedded' - OpenSSO
### 'dirServer' - Sun Java System Directory Server
### If 'dirServer' is specified and the configuration data store contains
### configuration of existing OpenSSO Servers, this OpenSSO Server will be
### added to the existing multi-server setup.
###
### DIRECTORY_SSL specifies if the configuration data store is using SSL.
### Valid values are
### 'SSL' - SSL
### 'SIMPLE' - none SSL
###
### DIRECTORY_SERVER is the host name of the configuration data store.
###
### DIRECTORY_PORT is the port on which the configuration data store is
### listening for connections.
###
### ROOT_SUFFIX is the initial or root suffix of the configuration data store.
###
### DS_DIRMGRDN is the DN (distinguished name) of the directory manager,
### the user who has unrestricted access to the configuration data store.
###
### DS_DIRMGRPASSWD is the password for the directory manager of the
### configuration data store.
###
#############################################################################
DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_SERVER=sedemo8.identric.com
DIRECTORY_PORT=51389
ROOT_SUFFIX=dc=opensso,dc=java,dc=net
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=identity
##############################################################################
###
### DS_EMB_REPL_FLAG is the flag for enabling configuration data store in
### multi-server setup. This flag is valid only if DATA_STORE is set to
### 'embedded'. To enable this flag, the value needs to be 'embReplFlag'.
###
### DS_EMB_REPL_REPLPORT1 is replication port of the configuration data store
### of the new OpenSSO Server.
###
### DS_EMB_REPL_HOST2 is the host name of the existing OpenSSO Server.
###
### DS_EMB_REPL_PORT2 is listening port of the configuration data store of
### the existing OpenSSO Server.
###
### DS_EMB_REPL_REPLPORT2 is replication port of the configuration data store
### of the existing OpenSSO Server
###
##############################################################################
#DS_EMB_REPL_FLAG=embReplFlag
#DS_EMB_REPL_REPLPORT1=58989
#DS_EMB_REPL_HOST2=sample2.sun.com
#DS_EMB_REPL_PORT2=50389
#DS_EMB_REPL_REPLPORT2=50889
##############################################################################
###
### The following properties will not be used in a multi-server setup.
###
### USERSTORE_TYPE is the type of user data store. Valid values are
### 'LDAPv3ForAMD' - LDAP with OpenSSO Schema
### 'LDAPv3' - Generic LDAP (no OpenSSO Schema)
### '' - use configuration data store as user data store. DATA_STORE needs to
### be 'embedded'. The remaining user data store properties will be ignored.
###
### USERSTORE_SSL specifies if the user data store is using SSL.
### Valid values are
### 'SSL' - SSL
### 'SIMPLE' - none SSL
###
### USERSTORE_HOST is the host name of the user data store.
###
### USERSTORE_PORT is the port on which the user data store is listening for
### connections.
###
### USERSTORE_SUFFIX is the initial or root suffix of the user data store.
###
### USERSTORE_MGRDN is the DN (distinguished name) of the directory manager,
### the user who has unrestricted access to the user data store.
###
### USERSTORE_PASSWD is the password for the directory manager of the user
### data store
##############################################################################
USERSTORE_TYPE=LDAPv3
USERSTORE_SSL=SIMPLE
USERSTORE_HOST=sedemo8.identric.com
USERSTORE_PORT=1389
USERSTORE_SUFFIX=dc=identric,dc=com
USERSTORE_MGRDN=cn=Directory Manager
USERSTORE_PASSWD=password
##############################################################################
###
### LB_SITE_NAME is the name of the site.
###
### LB_PRIMARY_URL is the load balancer URL.
###
##############################################################################
#LB_SITE_NAME=lb
#LB_PRIMARY_URL=http://lb.sun.com:58080/opensso

This will be the output of the above command.

Checking configuration directory /opensso....Success.
Installing OpenSSO configuration store...Success RSA/ECB/OAEPWithSHA1AndMGF1Padding.
Installing OpenSSO configuration store in /opensso/opends...Success.
Creating OpenSSO suffix...Success.
Tag swapping schema files....Success.
Loading Schema am_sm_ds_schema.ldif...Success.
Loading Schema am_remote_opends_schema.ldif...Success.
Loading Schema fam_sds_schema.ldif...Success.
Reinitializing system properties....Done
Registering service amEntrySpecific.xml...Success.
.
.
.
.
Registering service famLibertySecurity.xml...Success.
Registering service famSAML2Config.xml...Success.
Configuring system....Done
Configuring server instance....Done
Creating Web Service Security Agents....Done
Setting up registration files....Done
Configuration complete!

NOTE: If you want to change the Hostname, Port number, etc. for the embedded OpenDS instance, you can edit the "config-file" to do so.
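Before running the configurator it is worth checking the config-file against the constraints its own comments spell out (the eight-character minimum for ADMIN_PWD and AMLDAPUSERPASSWD, the allowed DATA_STORE, *_SSL and USERSTORE_TYPE values, the embedded-only DS_EMB_REPL_FLAG) and flagging the settings that weaken the deployment, such as SIMPLE (cleartext) directory binds and a plain-http SERVER_URL. The checker below is an added example, not part of this page or of the OpenSSO configurator; the sample file text it embeds is constructed from the values above, and it assumes the file is plain KEY=VALUE lines with '#' comments, as the sample shows.

```python
"""Added example: validate an OpenSSO configurator "config-file" against the
rules written in its own comments. Not part of the page or the configurator.
Assumes plain KEY=VALUE lines with '#' comments; the sample is constructed."""
import sys

# Constructed from the values on this page (comment blocks omitted).
SAMPLE_CONFIG = """\
SERVER_URL=http://sedemo8.identric.com:82
DEPLOYMENT_URI=/opensso
BASE_DIR=/var/opt/OpenSSO/Config
AM_ENC_KEY=""
ADMIN_PWD=identity
AMLDAPUSERPASSWD=agent123
COOKIE_DOMAIN=.identric.com
DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_PORT=51389
ROOT_SUFFIX=dc=opensso,dc=java,dc=net
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=identity
#DS_EMB_REPL_FLAG=embReplFlag
USERSTORE_TYPE=LDAPv3
USERSTORE_SSL=SIMPLE
USERSTORE_PORT=1389
USERSTORE_SUFFIX=dc=identric,dc=com
USERSTORE_PASSWD=password
"""

REQUIRED = ("SERVER_URL", "DEPLOYMENT_URI", "BASE_DIR", "ADMIN_PWD",
            "AMLDAPUSERPASSWD", "COOKIE_DOMAIN", "DATA_STORE")
PORT_KEYS = ("DIRECTORY_PORT", "USERSTORE_PORT", "DS_EMB_REPL_REPLPORT1",
             "DS_EMB_REPL_PORT2", "DS_EMB_REPL_REPLPORT2")


def parse_config(text):
    """KEY=VALUE per line, '#' lines are comments, a value of "" is empty.
    Only the first '=' splits key from value, so LDAP DNs keep their '='."""
    props = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected KEY=VALUE, got {raw!r}")
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        props[key.strip()] = value
    return props


def validate(props):
    """Return (errors, warnings): errors are the constraints stated in the
    config-file comments, warnings are settings that weaken the deployment."""
    errors, warnings = [], []
    for key in REQUIRED:
        if key not in props:
            errors.append(f"{key} is missing")
    for key in ("ADMIN_PWD", "AMLDAPUSERPASSWD"):
        if key in props and len(props[key]) < 8:
            errors.append(f"{key} must be at least 8 characters")
    store = props.get("DATA_STORE")
    if store is not None and store not in ("embedded", "dirServer"):
        errors.append("DATA_STORE must be 'embedded' or 'dirServer'")
    for key in ("DIRECTORY_SSL", "USERSTORE_SSL"):
        value = props.get(key)
        if value is not None and value not in ("SSL", "SIMPLE"):
            errors.append(f"{key} must be 'SSL' or 'SIMPLE'")
        elif value == "SIMPLE":
            warnings.append(f"{key}=SIMPLE: directory manager binds over cleartext LDAP")
    user_type = props.get("USERSTORE_TYPE")
    if user_type is not None and user_type not in ("LDAPv3ForAMD", "LDAPv3", ""):
        errors.append("USERSTORE_TYPE must be 'LDAPv3ForAMD', 'LDAPv3' or ''")
    elif user_type == "" and store != "embedded":
        errors.append("USERSTORE_TYPE='' requires DATA_STORE=embedded")
    flag = props.get("DS_EMB_REPL_FLAG")
    if flag is not None and (flag != "embReplFlag" or store != "embedded"):
        errors.append("DS_EMB_REPL_FLAG must be 'embReplFlag' and needs DATA_STORE=embedded")
    for key in PORT_KEYS:
        value = props.get(key)
        if value is not None and not (value.isdigit() and 0 < int(value) < 65536):
            errors.append(f"{key}={value!r} is not a valid TCP port")
    if props.get("SERVER_URL", "").startswith("http://"):
        warnings.append("SERVER_URL is plain http: the OpenSSO session cookie travels in the clear")
    return errors, warnings


if __name__ == "__main__":
    # Usage: python check_config.py [config-file]; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    errors, warnings = validate(parse_config(text))
    for line in errors:
        print("ERROR:", line)
    for line in warnings:
        print("WARNING:", line)
    sys.exit(1 if errors else 0)
```

Run against the page's values the checker reports no errors but three warnings: both directory binds use SIMPLE, and SERVER_URL is http, so the directory manager passwords and the OpenSSO session cookie cross the network unencrypted in this demo setup.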

Relevant configuration information for this example:

OpenSSO Access URL: http://sedemo8.identric.com:82/opensso

Admin User: amadmin
Admin Password: identity

OpenSSO Data Store configuration

Once the configuration is complete, verify that a Data Store called "generic ldapv3" is created.

Login to the OpenSSO console using "amadmin" credentials.

Navigate to: Access Control -> / (Top level Realm) -> Data Stores. You should see a "generic ldapv3" Data Store.

You will need to configure the "generic ldapv3" Data Store for User Authentication by enabling Sub Scope search in the LDAPv3 Plug-in. In order to do that:

Login to the OpenSSO console using "amadmin" credentials.

Navigate to: Access Control -> / (Top level Realm) -> Data Stores

Click on "generic ldapv3"

Scroll down to find the property: LDAPv3 Plug-in Search Scope
Click on the radio button: SCOPE_SUB

Scroll down to find the property: LDAP User Object Class
Remove the inetUser Object class from the Current Values.

Scroll down to find the property: LDAP User Attributes
Remove inetUserStatus from the Current Values.

Scroll down to find the property: LDAP People Container Naming Attributes
Set the value to: ou

Scroll down to find the property: LDAP People Container Value
Set the value to: People

"Save" the changes

Logout from the OpenSSO Console

To verify the change has taken effect:

Login to the OpenSSO console using "amadmin" credentials.

Navigate to: Access Control -> / (Top level Realm) -> Subjects

Click on "Users". You should see all the Users provisioned on the OpenDS instance running on Port 1389.

Click on "Groups". You should see all the Groups provisioned on the OpenDS instance running on Port 1389.

You should also be able to Authenticate against OpenSSO using any of the Users present in the Directory on port 1389.

OpenSSO Command Line Tools configuration

The following steps will configure the OpenSSO tools which will be used for the IDM Resource Adapter for provisioning.

(make sure JAVA_HOME is set)

# mkdir /var/opt/OpenSSO/opensso-client
# mkdir /var/opt/OpenSSO/opensso_debug
# mkdir /var/opt/OpenSSO/opensso-tools

# cd /var/opt/OpenSSO/opensso-client
# unzip opensso-client.zip
# cd sdk

# chmod +x scripts/compile-samples.sh
# scripts/compile-samples.sh
Note: Some input files use unchecked or unsafe operations.
Note: Recompile with -Xlint:unchecked for details.

# chmod +x scripts/setup.sh

root@opensolaris:/var/opt/OpenSSO/opensso-client/sdk# scripts/setup.sh
Debug directory (make sure this directory exists): /var/opt/OpenSSO/opensso_debug
Application user (e.g. URLAccessAgent) password: password
Protocol of the server: http
Host name of the server: sedemo8.identric.com
Port of the server: 82
Server's deployment URI: /opensso
Naming URL (hit enter to accept default value, http://sedemo8.identric.com:82//opensso/namingservice):

This file will be used for the IdM RA:

/var/opt/OpenSSO/opensso-client/sdk/resources/AMConfig.properties

Configure the tools

# cd /var/opt/OpenSSO/opensso-tools
# unzip ssoAdminTools.zip

root@opensolaris:/var/opt/OpenSSO/opensso-tools# ./setup
Path to config files of OpenSSO server (example: /opensso):/opensso
Debug Directory:/var/opt/OpenSSO/opensso-tools/debug
Log Directory:/var/opt/OpenSSO/opensso-tools/log
The scripts are properly setup under directory: /var/opt/OpenSSO/opensso-tools/opensso
Debug directory is /var/opt/OpenSSO/opensso-tools/debug.
Log directory is /var/opt/OpenSSO/opensso-tools/log.
The version of this tools.zip is: Enterprise 8.0 Build 6(2008-October-31 09:07)
The version of your server instance is: Enterprise 8.0 Build 6(2008-October-31 09:07)

Encrypt the amadmin password:

Create a file with the amadmin password (identity):

vi /var/opt/OpenSSO/amadmin_pwd

cd /var/opt/OpenSSO/opensso-tools/opensso/bin

./ampassword --encrypt /var/opt/OpenSSO/amadmin_pwd
AQICCjRHEr44EUeWWWapwhqoTwZ3ut+Zop9r

Customize the /var/opt/OpenSSO/opensso-client/sdk/resources/AMConfig.properties

Save the original file to a backup:

cp /var/opt/OpenSSO/opensso-client/sdk/resources/AMConfig.properties /var/opt/OpenSSO/opensso-client/sdk/resources/AMConfig.properties.orig

Add the following value to this file:
am.encryption.pwd=AQICCjRHEr44EUeWWWapwhqoTwZ3ut+Zop9r

vi /var/opt/OpenSSO/opensso-client/sdk/resources/AMConfig.properties

Modify the following property as shown:
com.sun.identity.agents.app.username=amadmin

Modify the following property using the encrypted password generated by ampassword above:
com.iplanet.am.service.secret=AQICCjRHEr44EUeWWWapwhqoTwZ3ut+Zop9r
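The three edits above can be applied in one repeatable step instead of by hand in vi, which also makes it easy to confirm afterwards that each key appears exactly once with the intended value. The script below is an added example, not part of this page or of the OpenSSO client SDK; the AMConfig.properties text it embeds is a constructed stand-in for the file that scripts/setup.sh writes, and the three keys and the encrypted value are the ones shown on this page.

```python
"""Added example (not from the page or the OpenSSO SDK): apply the
AMConfig.properties edits described above idempotently, keeping a backup."""
import shutil

# Constructed stand-in for the AMConfig.properties written by scripts/setup.sh;
# the real file carries many more keys, which this routine leaves untouched.
SAMPLE_AMCONFIG = """\
# OpenSSO client SDK configuration (constructed sample)
com.iplanet.am.naming.url=http://sedemo8.identric.com:82/opensso/namingservice
com.sun.identity.agents.app.username=UrlAccessAgent
com.iplanet.am.service.secret=AQICOLDVALUEPLACEHOLDER
com.iplanet.services.debug.directory=/var/opt/OpenSSO/opensso_debug
"""

# The edits the page calls for; the value is the `ampassword --encrypt` output.
EDITS = {
    "am.encryption.pwd": "AQICCjRHEr44EUeWWWapwhqoTwZ3ut+Zop9r",
    "com.sun.identity.agents.app.username": "amadmin",
    "com.iplanet.am.service.secret": "AQICCjRHEr44EUeWWWapwhqoTwZ3ut+Zop9r",
}


def update_properties(text, edits):
    """Return text with every key in edits set to its value.

    An existing key is rewritten in place; a later duplicate of the same key is
    dropped so the file ends up with one authoritative value. Keys that are not
    present are appended. Comments, blank lines and other keys are preserved.
    """
    pending = dict(edits)
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped and not stripped.startswith(("#", "!")) and "=" in stripped:
            key = stripped.partition("=")[0].strip()
            if key in edits:
                if key in pending:
                    out.append(f"{key}={edits[key]}")
                    del pending[key]
                continue  # a duplicate of a key already written: drop it
        out.append(raw)
    for key, value in pending.items():
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def update_file(path, edits):
    """Back up path to path.orig (as the page does), then rewrite it in place."""
    shutil.copyfile(path, path + ".orig")
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(update_properties(text, edits))


if __name__ == "__main__":
    # Usage: python update_amconfig.py /var/opt/OpenSSO/opensso-client/sdk/resources/AMConfig.properties
    import sys
    if len(sys.argv) > 1:
        update_file(sys.argv[1], EDITS)
    else:
        print(update_properties(SAMPLE_AMCONFIG, EDITS))
```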

Configure Identity Manager to use the opensso sdk

NOTE: This step is already in the SEDemo build; verify that the IDM instance is set up properly.

cp /var/opt/OpenSSO/opensso-client/sdk/resources/AMConfig.properties $WSHOME/WEB-INF/classes

cp /var/opt/OpenSSO/opensso-client/sdk/lib/openssoclientsdk.jar $WSHOME/WEB-INF/

Restart the application server.

Set up the Identity Manager Resource Adapter for OpenSSO

  • Create a new Resource Adapter

See docs: Sun OpenSSO Enterprise 8.0 Integration Guide

Validate that the Resource Adapter is working by performing a full reconciliation.

(Link accounts which match Identity Manager accounts; this allows the linked accounts to be used by OpenSSO for SSO into Identity Manager.)

Apache 2.0

This is used as the reverse proxy for OpenSSO. Use Apache 2.0.63 from http://archive.apache.org/dist/httpd/.

(need to add install/config instructions)

  • svcs -l http
Apache Home /var/opt/apache2/

Obtain the install file for apache2 and expand it.

Configure apache to use the appropriate proxy modules

# ./configure --prefix=/var/opt/apache2 --enable-proxy --enable-proxy-http --enable-proxy-connect --enable-ssl
# make
# make install
# /var/opt/apache2/bin/apachectl start

Internet Hostname/Domain    Mapped to Host          http port
sedemo8.identric.com        sedemo8.identric.com    80

Change the apache port to 1080 in the configuration file (/var/opt/apache2/conf/httpd.conf):

Listen 1080

Add the proper group to the configuration file (/var/opt/apache2/conf/httpd.conf):

Group nobody

Add the Virtual Host definition to the configuration file (/var/opt/apache2/conf/httpd.conf):

<VirtualHost 192.168.100.101:1080>
    ProxyPreserveHost On
    ProxyPass /UML http://sedemo8:84/UML
    ProxyPassReverse /UML http://sedemo8:84/UML
    ServerName sedemo8.identric.com
    ServerAlias identric.com
</VirtualHost>

Import the Solaris manifest file

# svccfg import SMF-apache2-port1080.xml

Restart apache:

The SMF service is called port1080.

# svcs port1080
STATE          STIME    FMRI
enabled       16:39:03 svc:/sedemo/apache2/port1080:default

# svcadm disable -s port1080
# svcadm enable -s port1080

OpenSSO Policy Agent installation

The OpenSSO Policy Agent 3.0 needs to be installed on the Apache Server. Follow the steps below to install the agent.

Make sure that the Apache Server is NOT running before installing the Agent.

# svcadm disable -s port1080

You need to create two password files before installing the agent:

# cd /var/opt/OpenSSO

Create two password files: "agentpwd" and "adminpwd"
agentpwd should contain the text: agent123
adminpwd should contain the text: identity

To install the agent:

# cd /var/opt/OpenSSO/web_agents/apache_agent/bin

# ./agentadmin --custom-install

The installer will ask you a few questions. Answer them as below:

opensolaris:[root] ./agentadmin --custom-install

************************************************************************
Welcome to the Sun Federated Access Manager Policy Agent for Apache Server.
************************************************************************

Enter the complete path to the directory which is used by Apache Server to
store its configuration Files. This directory uniquely identifies the
Apache Server instance that is secured by this Agent.
[ ? : Help, ! : Exit ]
Enter the Apache Server Config Directory Path [/opt/apache/conf]: /var/opt/apache2/conf

Enter the URL where the OpenSSO server is running. Please include the
deployment URI also as shown below:
(http://opensso.sample.com:58080/opensso)
[ ? : Help, < : Back, ! : Exit ]
OpenSSO server URL: http://sedemo8.identric.com:82/opensso

Enter the Agent URL as shown below: (http://agent1.sample.com:1234)
[ ? : Help, < : Back, ! : Exit ]
Agent URL: http://sedemo8.identric.com:1080

Enter the Agent profile name
[ ? : Help, < : Back, ! : Exit ]
Enter the Agent Profile name: apache-agent

Enter the path to a file that contains the password to be used for identifying
the Agent.
[ ? : Help, < : Back, ! : Exit ]
Enter the path to the password file: /var/opt/OpenSSO/agentpwd

WARNING: Agent profile/User: apache-agent does not exist in OpenSSO server!
Either "Hit the Back button, and re-enter the correct agent profile name/user
name", or "Create this agent profile when asked(available only in
custom-install)", or "Continue without validating it because agent profile is
in sub realm", or "Continue without validating/creating it, and manually
validate/create it in OpenSSO server after installation".

Enter true if the Agent Profile is being created into OpenSSO server by the
installer. Enter false if it will be not be created by installer.
[ ? : Help, < : Back, ! : Exit ]
This Agent Profile does not exist in OpenSSO server, will it be created by
the installer? (Agent Administrator's name and password are required) [true]: true

Agent Administrator is the Administrator user that can create, delete or
update agent profile.
[ ? : Help, < : Back, ! : Exit ]
Enter the Agent Administrator's name: amadmin

Enter the path to a file that contains the password of Agent Administrator
[ ? : Help, < : Back, ! : Exit ]
Enter the path to the password file that contains the password of Agent Administrator: /var/opt/OpenSSO/adminpwd

-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Apache Server Config Directory : /var/opt/apache2/conf
OpenSSO server URL : http://sedemo8.identric.com:82/opensso
Agent URL : http://sedemo8.identric.com:1080
Agent Profile name : apache-agent
Agent Profile Password file name : /var/opt/OpenSSO/agentpwd
Agent Profile will be created right now by agent installer : true
Agent Administrator : amadmin
Agent Administrator's password file name : /var/opt/OpenSSO/adminpwd

Verify your settings above and decide from the choices below.
1. Continue with Installation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]:

Creating directory layout and configuring Agent file for Agent_001
instance ...DONE.
Reading data from file /var/opt/OpenSSO/agentpwd and encrypting it ...DONE.
Generating audit log file name ...DONE.
Creating tag swapped OpenSSOAgentBootstrap.properties file for instance Agent_001 ...DONE.
Creating the Agent Profile apache-agent ...DONE.
Creating a backup for file /var/opt/apache2/conf/httpd.conf ...DONE.
Adding Agent parameters to /var/opt/OpenSSO/web_agents/apache_agent/Agent_001/config/dsame.conf file ...DONE.
Adding Agent parameters to /var/opt/apache2/conf/httpd.conf file ...DONE.

SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: Agent_001
Agent Bootstrap file location:
/var/opt/OpenSSO/web_agents/apache_agent/Agent_001/config/OpenSSOAgentBootstrap.properties
Agent Configuration Tag file location
/var/opt/OpenSSO/web_agents/apache_agent/Agent_001/config/OpenSSOAgentConfiguration.properties
Agent Audit directory location:
/var/opt/OpenSSO/web_agents/apache_agent/Agent_001/logs/audit
Agent Debug directory location:
/var/opt/OpenSSO/web_agents/apache_agent/Agent_001/logs/debug
Install log file location:
/var/opt/OpenSSO/web_agents/apache_agent/installer-logs/audit/custom.log

Thank you for using Sun Federated Access Manager Policy Agent

Configuring Agent Parameters on OpenSSO

The next step after the installation of the Agent is to configure a few Agent parameters. Here are the steps to do that:

Configure the OpenSSO Enterprise Agent Profile

1. Log in to the OpenSSO Enterprise console as amadmin.
2. Navigate to Access Control -> / (Top-Level Realm) -> Agents -> Web Agents.
3. Click the policy agent profile: apache-agent
4. Navigate to the tab "OpenSSO Services".
5. For the property OpenSSO Enterprise Login URL (com.sun.identity.agents.config.login.url), verify that the existing entry is:
   [0]=http://sedemo8.identric.com:82/opensso/UI/Login

Navigate to the tab "Application".

1. For the property Session Attribute Fetch Mode (com.sun.identity.agents.config.session.attribute.fetch.mode), choose the option HTTP_HEADER.
2. For the property Session Attribute Mapping (com.sun.identity.agents.config.session.attribute.mapping), remove the existing entry and add this entry:
   [UserToken]=openptkid
3. For the property Not Enforced URLs (com.sun.identity.agents.config.notenforced.url), add these entries:
   http://sedemo8.identric.com:1080/UML/anon/index.jsp*
   http://sedemo8.identric.com:1080/UML/css/*
   http://sedemo8.identric.com:1080/UML/images/*
4. For the property Resources Access Denied URL, enter the value: http://sedemo8.identric.com/OpenSSOAccessDenied.jsp
   Note: this is the access denied page, with navigation instructions.
5. Click Save.

Log out from the OpenSSO Enterprise console.
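The agent settings above are what decide, for every request that arrives at the proxy on port 1080, whether it passes straight through (Not Enforced URLs), is redirected to the login page, is redirected to the Access Denied URL, or is forwarded to UML with the user's identity attached. Because that identity reaches UML as the openptkid request header (Session Attribute Fetch Mode HTTP_HEADER with the mapping [UserToken]=openptkid), the deployment depends on the header reaching UML only from the agent: the proxy must not pass on a copy supplied by the client, and UML itself should be reachable only through the agent-protected proxy rather than directly on port 84. The model below is an added example, not this page's or the agent's own code, run against constructed requests. Its assumptions: a Not Enforced URL pattern ending in '*' is treated as a plain prefix match, which simplifies the agent's wildcard rules; the policy decision, which this page does not configure, is a caller-supplied function; and the login redirect omits the agent's goto parameter.

```python
"""Added example (not the agent's code): a model of how the agent profile
settings on this page govern what reaches UML through the reverse proxy."""

# Values from the agent profile configured on this page
LOGIN_URL = "http://sedemo8.identric.com:82/opensso/UI/Login"
ACCESS_DENIED_URL = "http://sedemo8.identric.com/OpenSSOAccessDenied.jsp"
NOT_ENFORCED_URLS = [
    "http://sedemo8.identric.com:1080/UML/anon/index.jsp*",
    "http://sedemo8.identric.com:1080/UML/css/*",
    "http://sedemo8.identric.com:1080/UML/images/*",
]
# [UserToken]=openptkid with fetch mode HTTP_HEADER: the session's UserToken
# attribute is delivered to UML as the request header "openptkid".
SESSION_ATTRIBUTE_MAPPING = {"UserToken": "openptkid"}
IDENTITY_HEADERS = {h.lower() for h in SESSION_ATTRIBUTE_MAPPING.values()}


def url_matches(pattern, url):
    """Assumption: a trailing '*' matches any remainder; otherwise exact match."""
    if pattern.endswith("*"):
        return url.startswith(pattern[:-1])
    return url == pattern


def is_not_enforced(url):
    """True when the agent lets the request through without authentication."""
    return any(url_matches(p, url) for p in NOT_ENFORCED_URLS)


def evaluate(url, request_headers, session, policy_allows):
    """Decide how one request is handled at the agent-protected proxy.

    session:       dict of OpenSSO session attributes, or None when the browser
                   has no valid session
    policy_allows: callable(url, session) -> bool standing in for the OpenSSO
                   policy decision (not configured on this page)
    Returns ("forward", headers_sent_to_UML) or ("redirect", location).
    """
    # UML treats openptkid as the authenticated user, so the only trustworthy
    # source for it is the agent. Drop any copy that arrives from the client,
    # on enforced and not-enforced URLs alike.
    headers = {k: v for k, v in request_headers.items()
               if k.lower() not in IDENTITY_HEADERS}
    if is_not_enforced(url):
        return "forward", headers
    if session is None:
        return "redirect", LOGIN_URL
    if not policy_allows(url, session):
        return "redirect", ACCESS_DENIED_URL
    for attribute, header in SESSION_ATTRIBUTE_MAPPING.items():
        if attribute in session:
            headers[header] = session[attribute]
    return "forward", headers


if __name__ == "__main__":
    # Constructed sample requests against the proxy on port 1080
    allow_all = lambda url, session: True
    base = "http://sedemo8.identric.com:1080"
    print(evaluate(base + "/UML/css/site.css", {}, None, allow_all))
    print(evaluate(base + "/UML/index.jsp", {}, None, allow_all))
    print(evaluate(base + "/UML/index.jsp", {"openptkid": "someone-else"},
                   {"UserToken": "jdoe"}, allow_all))
```

The third sample shows the point of the header filter: a request that arrives carrying its own openptkid value is forwarded with the value taken from the OpenSSO session instead, and a request to a not-enforced path is forwarded with no identity header at all.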