integrating opensso & opends using tomcat webserver on linux v1.0


Upload: kefa-rabah

Post on 13-Nov-2014


DESCRIPTION

specifications from the Java Community Process, and includes many additional features that make it a useful platform for developing and deploying web applications and web services. The goal of this post is to provide step-by-step instructions on how to integrate Apache Tomcat AS with OpenSSO. In addition, the OpenDS LDAP server will be used as the user store for both of them. The Sun OpenSSO Enterprise (formerly Sun Access Manager and Sun Federation Manager) is the single solution for Web access management, federation, and Web services security. The Open Web SSO project (OpenSSO) provides core identity services to simplify the implementation of transparent single sign-on (SSO) as a security component in a network infrastructure. OpenSSO provides the foundation for integrating diverse web applications that might typically operate against a disparate set of identity repositories and are hosted on a variety of platforms such as web and application servers. This project is based on the code base of Sun Java™ System Access Manager, a core identity infrastructure product offered by Sun Microsystems. In this article we'll show you how to integrate OpenDS (LDAP) & OpenSSO on Tomcat AS.

TRANSCRIPT

Page 1: Integrating OpenSSO & OpenDS using Tomcat Webserver on Linux v1.0

Global Open Versity Tomcat AS with OpenDS and OpenSSO on Linux v1.0

April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada www.globalopenversity.org A GOV Open Knowledge Access Technical Publication HowTo

Integrating OpenSSO and OpenDS on Apache Tomcat AS HowTo By Kefa Rabah, [email protected] August 2, 2009

Introduction

Apache Tomcat version 6.0 implements the Servlet 2.5 and JavaServer Pages 2.1 specifications from the Java Community Process, and includes many additional features that make it a useful platform for developing and deploying web applications and web services. The goal of this post is to provide step-by-step instructions on how to integrate Apache Tomcat AS with OpenSSO. In addition, the OpenDS LDAP server will be used as the user store for both of them.

The Sun OpenSSO Enterprise (formerly Sun Access Manager and Sun Federation Manager) is the single solution for Web access management, federation, and Web services security. The Open Web SSO project (OpenSSO) provides core identity services to simplify the implementation of transparent single sign-on (SSO) as a security component in a network infrastructure. OpenSSO provides the foundation for integrating diverse web applications that might typically operate against a disparate set of identity repositories and are hosted on a variety of platforms such as web and application servers. This project is based on the code base of Sun Java™ System Access Manager, a core identity infrastructure product offered by Sun Microsystems.

It is important to mention that the initial code and instructions on how to integrate OpenSSO with Tomcat (previous major release) were contributed by Bolesław Dawidowicz (thanks for the contribution!). Configuration of OpenSSO with OpenDS was described in Indira's blog.

Step 1: System Setup

First and foremost, ensure that you have set up your DNS server and that your machine is using a fully qualified domain name (FQDN). This is mainly because OpenSSO does not play well if you want to test it on your local machine as 'localhost'. To work around that, you can give your local machine a valid FQDN. Check /etc/hosts to ensure that you have a correct setup; in our case it is as follows:

    # Do not remove the following first line, or various programs
    # that require network functionality will fail.
    127.0.0.1       server04.beemtech.edu localhost.localdomain localhost
    192.168.83.12   server04.beemtech.edu server04 mail www ftp
    ::1             localhost6.localdomain6 localhost6

Now you'll be able to refer to it using "http://www.beemtech.edu" in your browser.
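To verify the hosts-file requirement from this step without editing the real /etc/hosts, here is an added shell example (not part of the original HowTo). It writes the sample hosts file shown above to a temporary file, lists every address a name is mapped to, and passes only when the name is fully qualified and has at least one non-loopback mapping. The function names, the temporary file and the sample content are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original HowTo): check that a host name in an
# /etc/hosts-style file is fully qualified and maps to a non-loopback address,
# which is the setup Step 1 asks for before OpenSSO is configured.

# Constructed sample: the hosts file from Step 1, written to a temp file so
# the example never touches the real /etc/hosts.
SAMPLE_HOSTS=$(mktemp "${TMPDIR:-/tmp}/hosts.XXXXXX")
cat > "$SAMPLE_HOSTS" <<'EOF'
# Do not remove the following first line, or various programs
# that require network functionality will fail.
127.0.0.1       server04.beemtech.edu localhost.localdomain localhost
192.168.83.12   server04.beemtech.edu server04 mail www ftp
::1             localhost6.localdomain6 localhost6
EOF

# hosts_addresses FILE NAME: print the address of every line that lists NAME
# as the canonical name or as an alias; comments and blank lines are skipped.
hosts_addresses() {
    awk -v name="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; break } }
    ' "$1"
}

# fqdn_ok FILE NAME: succeed only if NAME contains a dot (is fully qualified)
# and at least one of its mappings is not 127.x.x.x or ::1.
fqdn_ok() {
    case "$2" in *.*) ;; *) return 1 ;; esac
    hosts_addresses "$1" "$2" | grep -v -e '^127\.' -e '^::1$' | grep -q .
}

# Usage: show the mappings for the sample host and the verdict.
hosts_addresses "$SAMPLE_HOSTS" server04.beemtech.edu
if fqdn_ok "$SAMPLE_HOSTS" server04.beemtech.edu; then
    echo "server04.beemtech.edu: fully qualified with a routable mapping"
else
    echo "server04.beemtech.edu: loopback-only or not fully qualified"
fi
```

Run it against the real file with `fqdn_ok /etc/hosts "$(hostname -f)"` once the machine name is in place; a short name such as "server04" or a loopback-only name such as "localhost.localdomain" fails the check, which is exactly the situation the text says OpenSSO does not tolerate.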

Step 2: OpenDS LDAP Directory Server Setup

1. OpenDS Setup

1. In this tutorial we'll use the OpenDS directory server. Download the QuickSetup.jnlp version to your temp directory.

2. Locate the package and double-click it to start the installation process, then follow the installation wizard's instructions.

3. On the Server Settings page, set port 8389 and use "password" as the password; the rest are auto-completed. Click Next.

4. On the Directory Data page, enter the Directory Base DN: "dc=opensso,dc=java,dc=net".

5. For Directory Data, select the "Import Automatically-Generated Sample Data" option, which pre-populates it with 2000 random users, see the figure below. Click Next.

6. On the Review page (not shown), ensure that the settings are correct, and then click Finish.

7. The final Finished page should look like the figure shown below:

8. Click "Launch Control Panel" to start your OpenDS server listening on port 8389, or from the command line run /usr/OpenDS/bin/control-panel; then, in the OpenDS Control Panel under Server Status, click Start to start the OpenDS server and enter your credentials to log on.

2. Install LDAPBROWSER

1. At the moment you should have an instance of the OpenDS LDAP server listening on port 8389.

2. To be able to use it, we need to provision it with sample data. To do this we'll use a simple LDAP tool with a GUI written in Java, the LDAP Browser/Editor. It's a very lightweight tool that runs on many environments. Follow the installation notes specified here: http://www.filewatcher.com/m/Browser282b2.tar.gz.651283.0.0.html

3. You will simply need to download the archive, unpack it and run the lbe.sh or lbe.bat script (assuming that you have the java command in your operating system path).

4. My standard setup puts the unarchived app code into a directory called /usr/ldapbrowser, which I normally create by simply copying Browser282b2.tar.gz to /usr and doing a tar xvzf on it right there.

5. Next, cd to the installed directory and run ./lbe.sh on Linux, or double-click the lbe.bat script on Windows, to start the LDAP Browser.

6. If you are using Fedora Linux you can also find the 'lbe' rpm package in the Dries repository.

7. Run LDAP Browser/Editor and choose the menu File > Connect.

Change to the 'Quick Connect' tab and enter the following information:

• host: localhost
• port: 8389
• leave 'Base DN' empty
• uncheck the 'Anonymous bind' checkbox
• user DN: cn=Directory Manager
• password: password
• click 'Connect'

8. You should be able to see the imported LDAP tree.

3. Extend OpenDS Schema to Integrate OpenSSO

1. Copy the "98-opends_user_schema.ldif" and "99-am_sm_ds_schema.ldif" files into the "OpenDS-1.0.0-build004/config/schema/" folder. Those configuration files come from Indira's blog and will extend the OpenDS schema to enable cooperation with OpenSSO. According to the OpenSSO mailing lists it should support OpenDS out of the box in the future.

2. Start OpenDS by running:

    $ /usr/OpenDS/bin/control-panel

   You can also use the "status-panel" binary, which provides a GUI for managing the OpenDS state.

3. Download the ldif file "ldapentries", also based on the ldif from Indira's blog, from http://blogs.sun.com/indira/resource/ldapentries and modify it as follows:

    dn: ou=agents,dc=opensso,dc=java,dc=net
    objectClass: top
    objectClass: organizationalUnit

    dn: ou=groups,dc=opensso,dc=java,dc=net
    objectClass: top
    objectClass: organizationalUnit

    dn: ou=dsame users,dc=opensso,dc=java,dc=net
    objectClass: top
    objectClass: organizationalUnit

    dn: cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
    objectclass: inetuser
    objectclass: organizationalperson
    objectclass: person
    objectclass: top
    cn: dsameuser
    sn: dsameuser
    userPassword: secret12

    dn: cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
    objectclass: inetuser
    objectclass: organizationalperson
    objectclass: person
    objectclass: top
    cn: amldapuser
    sn: amldapuser
    userPassword: secret123

    dn: dc=opensso,dc=java,dc=net
    changetype: modify
    add: aci
    aci: (target="ldap:///dc=opensso,dc=java,dc=net")(targetattr="*")(version 3.0; acl "S1IS special dsame user rights for all under the root suffix"; allow (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net"; )

    dn: dc=opensso,dc=java,dc=net
    changetype: modify
    add: aci
    aci: (target="ldap:///dc=opensso,dc=java,dc=net")(targetattr="*")(version 3.0; acl "S1IS special ldap auth user rights"; allow (read,search) userdn = "ldap:///cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net"; )

With the following ldapmodify command it is possible to add all the entries into the OpenDS Directory Server:

    $ cd /usr/OpenDS/bin
    $ ./ldapmodify -p 8389 -h localhost -D"cn=Directory Manager" -w password -c -a -f ldapentries.ldif
    Processing ADD request for ou=agents,dc=opensso,dc=java,dc=net
    ADD operation successful for DN ou=agents,dc=opensso,dc=java,dc=net
    Processing ADD request for ou=groups,dc=opensso,dc=java,dc=net
    ADD operation successful for DN ou=groups,dc=opensso,dc=java,dc=net
    Processing ADD request for ou=dsame users,dc=opensso,dc=java,dc=net
    ADD operation successful for DN ou=dsame users,dc=opensso,dc=java,dc=net
    Processing ADD request for cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
    ADD operation successful for DN cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
    Processing ADD request for cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
    ADD operation successful for DN cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
    Processing MODIFY request for dc=opensso,dc=java,dc=net
    MODIFY operation successful for DN dc=opensso,dc=java,dc=net
    Processing MODIFY request for dc=opensso,dc=java,dc=net
    MODIFY operation successful for DN dc=opensso,dc=java,dc=net

You can also use the LDAP Browser we installed earlier to perform this task.
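The two aci values above are the security-relevant part of this file: the first grants dsameuser every right on the whole suffix, the second grants amldapuser read and search only. Because aci values are long and LDIF allows them to be folded onto continuation lines, it is easy to misread what a file grants before feeding it to ldapmodify. The following added shell example (not part of the original HowTo, and not an OpenDS tool) unfolds the LDIF and prints one summary line per aci; the sample file, folded on purpose to exercise the unfolding, is constructed from the two modify entries above, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original HowTo): summarise the rights an LDIF
# file grants via OpenDS aci attributes before loading it with ldapmodify.

# Constructed sample: the two aci modifications from ldapentries, with the
# second aci folded across lines (LDIF continuation lines start with a space).
SAMPLE_LDIF=$(mktemp "${TMPDIR:-/tmp}/ldapentries.XXXXXX")
cat > "$SAMPLE_LDIF" <<'EOF'
dn: dc=opensso,dc=java,dc=net
changetype: modify
add: aci
aci: (target="ldap:///dc=opensso,dc=java,dc=net")(targetattr="*")(version 3.0; acl "S1IS special dsame user rights for all under the root suffix"; allow (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net"; )

dn: dc=opensso,dc=java,dc=net
changetype: modify
add: aci
aci: (target="ldap:///dc=opensso,dc=java,dc=net")(targetattr="*")(version 3.0;
  acl "S1IS special ldap auth user rights"; allow (read,search)
  userdn = "ldap:///cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net"; )
EOF

# summarize_acis FILE: print one line per aci as  userdn<TAB>rights<TAB>acl name.
# Lines beginning with a space are continuation lines and are joined to the
# previous logical line (with the leading space removed) before parsing.
summarize_acis() {
    awk '
        function emit(line,    dn, rights, name) {
            if (line !~ /^aci:/) return
            if (match(line, /userdn = "[^"]*"/)) dn     = substr(line, RSTART + 10, RLENGTH - 11)
            if (match(line, /allow \([^)]*\)/))  rights = substr(line, RSTART + 7, RLENGTH - 8)
            if (match(line, /acl "[^"]*"/))      name   = substr(line, RSTART + 5, RLENGTH - 6)
            sub(/^ldap:\/\/\//, "", dn)          # drop the ldap:/// URL prefix
            printf "%s\t%s\t%s\n", dn, rights, name
        }
        /^ / { buf = buf substr($0, 2); next }   # unfold continuation line
        { emit(buf); buf = $0 }
        END { emit(buf) }
    ' "$1"
}

# rights_for FILE DN: print the rights granted to DN (empty if none).
rights_for() {
    summarize_acis "$1" | awk -F '\t' -v dn="$2" '$1 == dn { print $2 }'
}

# Usage: review what the sample file grants before running ldapmodify.
summarize_acis "$SAMPLE_LDIF"
```

Reviewing the output before the ldapmodify run makes the trust decision explicit: dsameuser becomes an all-powerful account over dc=opensso,dc=java,dc=net, so its password (secret12 in the sample file) deserves the same handling as the Directory Manager credential.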

Step 3: OpenSSO deployment and installation on Tomcat

1. Download and unzip Tomcat; we'll use the "apache-tomcat-6.0.20" binary here.

2. Edit the file "apache-tomcat-6.0.20/conf/server.xml" and change the default HTTP connector port to 8081:

    <Connector port="8081" protocol="HTTP/1.1"
               maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               connectionTimeout="20000" disableUploadTimeout="true" />

   Comment out the AJP connector:

    <!--<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />-->
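After editing server.xml it is worth confirming that only the intended listener is left active, since a connector that is merely moved rather than commented out still opens a port. The following added shell example (not part of the original HowTo) strips XML comments, including ones spanning several lines, and prints the port and protocol of each connector that remains. The sample server.xml is constructed from the Step 3 edit plus a commented-out SSL connector, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original HowTo): list the Tomcat connectors
# that are really active in a server.xml, ignoring anything inside <!-- -->.

# Constructed sample: the HTTP connector from Step 3, with the AJP connector
# and a default SSL connector commented out.
SAMPLE_XML=$(mktemp "${TMPDIR:-/tmp}/server.XXXXXX")
cat > "$SAMPLE_XML" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8081" protocol="HTTP/1.1"
               maxHttpHeaderSize="8192" maxThreads="150"
               enableLookups="false" redirectPort="8443"
               acceptCount="100" connectionTimeout="20000" />
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
    -->
    <!--<Connector port="8009" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />-->
    <Engine name="Catalina" defaultHost="localhost" />
  </Service>
</Server>
EOF

# strip_xml_comments FILE: print the file as one line with every <!-- ... -->
# span removed, even when a span crosses line boundaries.
strip_xml_comments() {
    tr '\n' ' ' < "$1" | awk '{
        s = $0; out = ""
        while ((i = index(s, "<!--")) > 0) {
            out = out substr(s, 1, i - 1)
            s = substr(s, i + 4)
            j = index(s, "-->")
            if (j == 0) { s = ""; break }   # unterminated comment: drop the rest
            s = substr(s, j + 3)
        }
        print out s
    }'
}

# active_connectors FILE: print "port protocol" for each uncommented
# <Connector>. Tomcat 6 uses HTTP/1.1 when protocol is absent, so the
# parser mirrors that default (an assumption of this example).
active_connectors() {
    strip_xml_comments "$1" | awk '{
        n = split($0, seg, "<Connector")
        for (k = 2; k <= n; k++) {
            tag = seg[k]
            if ((e = index(tag, ">")) > 0) tag = substr(tag, 1, e)
            port = ""; proto = "HTTP/1.1"
            if (match(tag, /port="[^"]*"/))     port  = substr(tag, RSTART + 6, RLENGTH - 7)
            if (match(tag, /protocol="[^"]*"/)) proto = substr(tag, RSTART + 10, RLENGTH - 11)
            print port, proto
        }
    }'
}

# connector_active FILE PORT: succeed if an uncommented connector uses PORT.
connector_active() {
    active_connectors "$1" | awk -v p="$2" '$1 == p { found = 1 } END { exit !found }'
}

# Usage: the sample should report only the 8081 HTTP listener.
active_connectors "$SAMPLE_XML"
```

Pointing `active_connectors` at apache-tomcat-6.0.20/conf/server.xml after the edit should list 8081 HTTP/1.1 and nothing for 8009; if the AJP line still shows up, the comment markers did not enclose it.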

3. Download Sun OpenSSO Enterprise. Go to the OpenSSO Download page, where you will find OpenSSO releases and builds ready for download. At the time of writing we used the latest release, OpenSSO Enterprise 8.0: opensso_express_80.zip. Extract the downloaded .zip file, then change to the deployable-war directory, copy the "opensso.war" file into Tomcat's "webapps" directory and start Tomcat:

    [krabah@server04 ~]$ cd $CATALINA_HOME
    [krabah@server04 tomcat]$ cp ../../opensso/deployable-war/opensso.war webapps/
    [krabah@server04 tomcat]$ cd bin/
    [krabah@server04 bin]$ chmod a+x *.sh
    [krabah@server04 bin]$ ./startup.sh

4. Start your OpenDS server if it is not already started.

5. Open http://www.domain.com:8081/opensso/ in your browser to see the OpenSSO configuration page. Click the "Create Default Configuration" option to perform a quick file-system-based configuration and follow the instructions. Let's use the value "password" to keep it simple :)

6. On the Default Configuration page, fill in your credentials: for amAdmin use <password> and for amldapuser use <secret123>.

7. On the Configuration Complete alert, click Proceed to Login.

8. Click "Proceed to Login" to go to the deployed OpenSSO instance. Finally, as a test, you should be able to authenticate to the OpenSSO console with the "amadmin" user and the password provided in the previous step.

If you're having trouble logging into the Admin console, reboot the server; you should then be able to access the main admin page, as shown below:

9. OpenSSO is robust open-source software for Web development, complete with support plans from Sun. Do check them out in case of any trouble!

10. Stay tuned for Part II of this article on integrating OpenSSO with the OpenDS server.

11. Have fun with Tomcat and OpenSSO & GOOD LUCK!

-----------------------

Kefa Rabah is the Founder and CIO of Serengeti Systems Group Inc. Kefa is knowledgeable in several fields of Science & Technology, IT Security Compliance and Project Management, and Renewable Energy Systems. He is also the founder of Global Open Versity, a Center of Excellence in eLearning.