How to deploy OpenAM with DAUI using SSL
skatuscak
5.12.2011
In my previous article “How to deploy OpenAM with DAUI” I described the steps to install the complete architecture in which DAUI is configured against OpenAM. To keep it simple, I used only plain, unencrypted communication between the individual components; in the real world, however, many deployments require more security, and encrypted communication is a basic requirement. This article builds on the previous one and adds the steps needed to install the full architecture with SSL encryption.
As this article contains some small changes against the non-SSL version that could easily be skipped or go unnoticed, I have highlighted them using italics.
Preparation
I used the 64-bit version of Ubuntu Server 11.04 as the operating system for the deployment and added the following packages:
sudo apt-get install unzip
sudo apt-get install libxtst-dev
sudo apt-get install ia32-libs
sudo apt-get install libstdc++5
For cryptography-related tasks I also installed the NSS (Network Security Services) library and its command line tools.
sudo apt-get install libnss3
sudo apt-get install libnss3-tools
The architecture is the same as for the non-SSL version and consists of 3 logical nodes: Directory Server, OpenAM (running on the GlassFish application server) and the Distributed Authentication User Interface (running on Sun Web Server). All these nodes can be installed together on one system, or they can be split across 2 or 3 different systems.
In my environment I decided to keep it simple and have everything on one machine; however, I created a separate virtual hostname for every node.
+------------------+         +---------------------+         +--------------+
|       DAUI       |  HTTPS  | OpenAM Server 9.5.3 |  LDAPS  |              |
| Sun Web Server 7 |  ---->  |   GlassFish v2.1.1  |  ---->  | OpenDJ 2.4.4 |
+------------------+         +---------------------+         +--------------+
   da-1.profiq.cz               oam-1.profiq.cz               ds-1.profiq.cz
127.0.1.1 ds-1 ds-1.profiq.cz oam-1 oam-1.profiq.cz da-1 da-1.profiq.cz
To have access to these domains, you have to add this setting (with the external IP) to the /etc/hosts file (or the Windows equivalent) on your workstation.
Permissions:
In my installation all products are installed into the /opt directory; feel free to use any other directory, but make sure that your user has write access to it.
Download:
I have all tools (Sun JDK 1.6.0_26, OpenDJ 2.4.4, GlassFish 2.1.1, OpenAM 9.5.3, Sun Web Server 7.0) downloaded in my home directory /home/profiq.
JDK
JDK is a dependency of OpenDJ, so you need to install it first.
In my case I used Sun JDK 1.6.0_26; similar steps would also work for another JDK:
Install JDK:
chmod 755 jdk-6u26-linux-x64.bin
./jdk-6u26-linux-x64.bin
mv jdk1.6.0_26 /opt
Set environment variables to use JDK:
export JAVA_HOME=/opt/jdk1.6.0_26
export PATH=$JAVA_HOME/bin:$PATH
Verify that the correct version of Java is used (i.e. that the Java path is set correctly):
java -version
java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)
As I use graphical installers in these steps, you need graphical access to the machine (directly or via a VNC session), or you can export the display to your workstation. In my case I exported the display to my workstation:
export DISPLAY=192.168.1.2:0
On my workstation I enabled connections from external machines:
xhost +
Security
In this chapter I provide the steps required to prepare a certificate database for NSS, a self-signed CA (certification authority) and a key/certificate for OpenDJ. The certificate is imported into a keystore that will then be used by OpenDJ.
In NSS all keys and certificates are stored in a certificate database. First you need to create this database:
mkdir /opt/nss
cd /opt/nss
mkdir dbdir
certutil -N -d dbdir
Enter new password: nssnssnss
Re-enter password: nssnssnss
Now create a certification authority. In this case the CA certificate is self-signed; however, there is also the option of having the CA certificate signed by another CA, which creates a certificate chain. The more usual scenario is that your CA is signed by another trusted CA (like Verisign), which in turn makes certificates signed by your CA trusted. Another option is to have all your certificates signed directly by a trusted CA.
certutil -s "cn=ca, o=profiq, C=cz" -S -n CA -t CTu,CTu,CTu -v 600 -x -d dbdir -1 -2 -5
Enter Password or Pin for "NSS Certificate DB": nssnssnss

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue:


Generating key.  This may take a few moments...

                0 - Digital Signature
                1 - Non-repudiation
                2 - Key encipherment
                3 - Data encipherment
                4 - Key agreement
                5 - Cert signing key
                6 - CRL signing key
                Other to finish
 > 5
                0 - Digital Signature
                1 - Non-repudiation
                2 - Key encipherment
                3 - Data encipherment
                4 - Key agreement
                5 - Cert signing key
                6 - CRL signing key
                Other to finish
 > 9
Is this a critical extension [y/N]?
n
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > -1
Is this a critical extension [y/N]?
n
                0 - SSL Client
                1 - SSL Server
                2 - S/MIME
                3 - Object Signing
                4 - Reserved for future use
                5 - SSL CA
                6 - S/MIME CA
                7 - Object Signing CA
                Other to finish
 > 5
                0 - SSL Client
                1 - SSL Server
                2 - S/MIME
                3 - Object Signing
                4 - Reserved for future use
                5 - SSL CA
                6 - S/MIME CA
                7 - Object Signing CA
                Other to finish
 > 9
Is this a critical extension [y/N]?
n
And now export the CA certificate to a file:
certutil -L -d dbdir -r -n CA -o CA.der
Some tools like ssoAdminTools use the JDK trust store to check whether a certificate is trusted. If you import the CA certificate into this store, all valid certificates signed by this CA will be validated as trusted. Without this step the ssoadm tool would not be able to locate the system configuration and would return the error message:
Cannot locate system configuration. Directory Server may be down or configuration directory is invalid.
Sun JDK stores CA certificates in the $JAVA_HOME/jre/lib/security/cacerts file, so you should import your CA certificate there:
cd /opt/jdk1.6.0_26/jre/lib/security
keytool -import -trustcacerts -alias CA -file /opt/nss/CA.der -keystore cacerts
Enter keystore password: changeit
Owner: CN=ca, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e014d
Valid from: Fri Nov 11 07:58:06 CET 2011 until: Fri Nov 11 07:58:06 CET 2061
Certificate fingerprints:
     MD5:  F9:C1:77:68:9C:22:B0:47:DE:30:21:D7:97:59:9A:42
     SHA1: EA:B4:C1:FF:19:FF:26:94:A5:E6:9F:2A:C1:B2:05:B6:FC:90:42:F8
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
In the OpenDJ setup there is a step where you can point the server at a keystore with a custom certificate to use. You need to prepare that keystore now. First generate the key and the certificate request:
cd /opt/nss
keytool -genkey -alias ds-1 -keyalg rsa -dname "cn=ds-1.profiq.cz,o=profiq,c=cz" -keystore keystore.jks -keypass password -storetype jks -storepass password
keytool -certreq -alias ds-1 -file ds-1.csr -keystore keystore.jks -keypass password -storetype jks -storepass password
Now sign this certificate request using the certification authority that you prepared before:
certutil -C -c CA -v 60 -d dbdir -a -i ds-1.csr -o ds-1.cer
Enter Password or Pin for "NSS Certificate DB": nssnssnss
Now you have to import the CA certificate and the DS certificate into keystore.jks, the keystore that will be used by OpenDJ:
keytool -import -trustcacerts -alias CA -file CA.der -keystore keystore.jks -storepass password
Certificate already exists in system-wide CA keystore under alias <ca>
Do you still want to add it to your own keystore? [no]:  yes
Certificate was added to keystore
keytool -import -file ds-1.cer -alias ds-1 -keystore keystore.jks -storepass password
Certificate reply was installed in keystore
You can verify the content of the keystore:
keytool -list -v -keystore keystore.jks -storepass password

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: ca
Creation date: Nov 11, 2011
Entry type: trustedCertEntry

Owner: CN=ca, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e014d
Valid from: Fri Nov 11 07:58:06 CET 2011 until: Fri Nov 11 07:58:06 CET 2061
Certificate fingerprints:
     MD5:  F9:C1:77:68:9C:22:B0:47:DE:30:21:D7:97:59:9A:42
     SHA1: EA:B4:C1:FF:19:FF:26:94:A5:E6:9F:2A:C1:B2:05:B6:FC:90:42:F8
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
]


*******************************************
*******************************************


Alias name: ds-1
Creation date: Nov 11, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=ds-1.profiq.cz, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e0234
Valid from: Fri Nov 11 07:59:57 CET 2011 until: Fri Nov 11 07:59:57 CET 2016
Certificate fingerprints:
     MD5:  81:2E:AF:27:4F:23:09:94:13:A5:28:07:6C:DA:74:7C
     SHA1: 60:FC:53:14:73:C2:73:38:30:7B:6B:39:6E:DE:0D:D3:11:EE:0C:AF
     Signature algorithm name: SHA1withRSA
     Version: 3
Certificate[2]:
Owner: CN=ca, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e014d
Valid from: Fri Nov 11 07:58:06 CET 2011 until: Fri Nov 11 07:58:06 CET 2061
Certificate fingerprints:
     MD5:  F9:C1:77:68:9C:22:B0:47:DE:30:21:D7:97:59:9A:42
     SHA1: EA:B4:C1:FF:19:FF:26:94:A5:E6:9F:2A:C1:B2:05:B6:FC:90:42:F8
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
]


*******************************************
*******************************************
OpenDJ
In this environment OpenDJ is used as both the user data store and the AM configuration store.
Installation steps for OpenDJ:
unzip OpenDJ-2.4.4.zip
mv OpenDJ-2.4.4 /opt/
cd /opt/OpenDJ-2.4.4/
./setup
1. Welcome: Next
2. Server Settings
- Host Name: ds-1.profiq.cz
- LDAP Listener Port: 1389
- Administration Connector Port: 4444
- LDAP Secure Access:
- SSL Access: Enable SSL on Port: 1636
- StartTLS Access: Enable StartTLS for LDAP
- Certificate: Use an Existing Certificate
- Keys Store Type: Java Key Store (JKS) File
- Key Store Path: /opt/nss/keystore.jks
- Key Store PIN: password
- Select Alias: ds-1
- Root User DN: cn=Directory Manager
- Password: dsmanager
- Password (confirm): dsmanager
3. Topology Options: This will be a stand alone server
4. Directory Data
- Directory Base DN: dc=example,dc=com
- Directory Data: Only Create Base Entry
5. Runtime Options: Next
6. Review: Start Server when Configuration has Completed
7. Finished: Close
To use OpenDJ as a configuration store, you need to allow entries with multiple structural object classes:
/opt/OpenDJ-2.4.4/bin/dsconfig -h ds-1.profiq.cz -p 4444 -D "cn=Directory Manager" -w dsmanager -X -n --advanced set-global-configuration-prop --set single-structural-objectclass-behavior:accept
After changing the configuration store settings you need to restart OpenDJ to apply the change:
/opt/OpenDJ-2.4.4/bin/stop-ds
/opt/OpenDJ-2.4.4/bin/start-ds
You need some user base, at least a very basic one:
cat << EOF > /tmp/am-users.ldif
dn: ou=users,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: users
description: Container for user entries

dn: ou=Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups
description: Container for group entries

dn: uid=testuser1,ou=users,dc=example,dc=com
uid: testuser1
givenName: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: User1
cn: Test User1
userPassword: password
EOF
To load the user data with ldapmodify you can use the SSL port; in that case you also need to add the --useSSL parameter:
/opt/OpenDJ-2.4.4/bin/ldapmodify --useSSL -h ds-1.profiq.cz -p 1636 -D "cn=Directory Manager" -w dsmanager -a -f /tmp/am-users.ldif
The server is using the following certificate:
    Subject DN:  CN=ds-1.profiq.cz, O=profiq, C=cz
    Issuer DN:  CN=ca, O=profiq, C=cz
    Validity:  Fri Nov 11 07:59:57 CET 2011 through Fri Nov 11 07:59:57 CET 2016
Do you wish to trust this certificate and continue connecting to the server?
Please enter "yes" or "no":yes
Processing ADD request for ou=users,dc=example,dc=com
ADD operation successful for DN ou=users,dc=example,dc=com
Processing ADD request for ou=Groups,dc=example,dc=com
ADD operation successful for DN ou=Groups,dc=example,dc=com
Processing ADD request for uid=testuser1,ou=users,dc=example,dc=com
ADD operation successful for DN uid=testuser1,ou=users,dc=example,dc=com
OpenDJ Sanity Test
TEST: Search test user
Steps:
/opt/OpenDJ-2.4.4/bin/ldapsearch --useSSL -b "dc=example,dc=com" -p 1636 -D "cn=Directory Manager" -w dsmanager "uid=test*"
Expected output:
The server is using the following certificate:
    Subject DN:  CN=ds-1.profiq.cz, O=profiq, C=cz
    Issuer DN:  CN=ca, O=profiq, C=cz
    Validity:  Fri Nov 11 07:59:57 CET 2011 through Fri Nov 11 07:59:57 CET 2016
Do you wish to trust this certificate and continue connecting to the server?
Please enter "yes" or "no":yes
dn: uid=testuser1,ou=users,dc=example,dc=com
userPassword: {SSHA}0WkcuyCdYLPSNPgRzJNQCXVkXs43F5rlwax0lw==
givenName: Test
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: top
uid: testuser1
cn: Test User1
sn: User1
Glassfish
As GlassFish 3 is not yet supported by OpenAM, I used GlassFish 2.1.1. If you install it on a different system, you need to install the JDK there as well.
GlassFish install:
cd /opt
java -Xmx256m -jar ~/glassfish-installer-v2.1.1-b31g-linux.jar
- uncheck Enable autoupdate
- Accept
Now run the configuration script using ant:
cd /opt/glassfish
chmod -R +x lib/ant/bin
lib/ant/bin/ant -f setup.xml
Now you have to create a domain. For the SSL architecture there is one small change: you also have to set the SSL port:
cd /opt/glassfish/bin
./asadmin create-domain --domaindir /opt/glassfish/domains --adminport 8989 --user domain2adm --instanceport 1080 --domainproperties http.ssl.port=1081 oamdomain
Please enter the admin password> domain2pwd
Please enter the admin password again> domain2pwd
Please enter the master password [Enter to accept the default]:> domain2master
Please enter the master password again [Enter to accept the default]:> domain2master
Using port 8989 for Admin.
Using port 1080 for HTTP Instance.
Using default port 7676 for JMS.
Using default port 3700 for IIOP.
Using port 1081 for HTTP_SSL.
Using default port 3820 for IIOP_SSL.
Using default port 3920 for IIOP_MUTUALAUTH.
Using default port 8686 for JMX_ADMIN.
Domain being created with profile:developer, as specified by variable AS_ADMIN_PROFILE in configuration file.
------ Using Profile [developer] to create the domain ------
XML processing for profile: Base document [/opt/glassfish/lib/install/templates/default-domain.xml.template]. Profile name [developer]. Processing property [domain.xml.style-sheets].
Security Store uses: JKS
Domain oamdomain created.
Now you need to generate the key and certificate for OpenAM:
cd /opt/glassfish/domains/oamdomain/config/
keytool -genkey -noprompt -keyalg rsa -keypass domain2master -alias oam-1 -keystore keystore.jks -dname "cn=oam-1.profiq.cz,o=profiq,c=cz" -storepass domain2master
keytool -list -v -keystore keystore.jks -storepass domain2master

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: oam-1
Creation date: Nov 11, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=oam-1.profiq.cz, O=profiq, C=cz
Issuer: CN=oam-1.profiq.cz, O=profiq, C=cz
Serial number: 4ebcd042
Valid from: Fri Nov 11 08:35:30 CET 2011 until: Thu Feb 09 08:35:30 CET 2012
Certificate fingerprints:
     MD5:  56:84:5C:99:BE:11:81:77:EB:AA:1F:CE:98:CE:FF:BB
     SHA1: 96:91:38:53:BB:28:38:36:A6:65:3D:A4:E2:F7:88:19:13:B6:E0:B5
     Signature algorithm name: SHA1withRSA
     Version: 3


*******************************************
*******************************************


Alias name: s1as
Creation date: Nov 11, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=node3.profiq.cz, OU=Sun GlassFish Enterprise Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Issuer: CN=node3.profiq.cz, OU=Sun GlassFish Enterprise Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Serial number: 4ebcc9c1
Valid from: Fri Nov 11 08:07:45 CET 2011 until: Mon Nov 08 08:07:45 CET 2021
Certificate fingerprints:
     MD5:  8C:75:EA:BC:89:5F:EE:6D:16:F5:79:06:12:D5:8E:BC
     SHA1: F9:71:11:3B:0C:98:61:2C:87:8D:89:7E:C5:7F:A5:8A:53:94:2A:73
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 70 20 5F 76 5E 69 48 54   DC 57 6A 06 10 ED F1 90  p _v^iHT.Wj.....
0010: A1 94 D2 A6                                        ....
]
]


*******************************************
*******************************************
Currently 2 certificates are listed in the domain keystore: oam-1 is the one to use (but first you need to get it signed), and s1as is the default one.
Now sign your certificate using your CA:
keytool -certreq -alias oam-1 -keypass domain2master -keystore keystore.jks -storepass domain2master -file oam-1.csr
certutil -C -c CA -v 60 -d /opt/nss/dbdir -a -i /opt/glassfish/domains/oamdomain/config/oam-1.csr -o /opt/glassfish/domains/oamdomain/config/oam-1.cer
Enter Password or Pin for "NSS Certificate DB": nssnssnss
You need to import the CA certificate into the domain keystore and into the keystore that holds the trusted certification authorities (cacerts.jks). The OAM certificate reply should also be imported into the domain keystore:
keytool -import -trustcacerts -alias CA -file /opt/nss/CA.der -keystore keystore.jks -storepass domain2master
Trust this certificate? [no]:  yes
keytool -import -trustcacerts -alias CA -file /opt/nss/CA.der -keystore cacerts.jks -storepass domain2master
Trust this certificate? [no]:  yes
keytool -import -file oam-1.cer -alias oam-1 -keystore keystore.jks -storepass domain2master
keytool -list -v -keystore keystore.jks -storepass domain2master

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: ca
Creation date: Nov 11, 2011
Entry type: trustedCertEntry

Owner: CN=ca, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e014d
Valid from: Fri Nov 11 07:58:06 CET 2011 until: Fri Nov 11 07:58:06 CET 2061
Certificate fingerprints:
     MD5:  F9:C1:77:68:9C:22:B0:47:DE:30:21:D7:97:59:9A:42
     SHA1: EA:B4:C1:FF:19:FF:26:94:A5:E6:9F:2A:C1:B2:05:B6:FC:90:42:F8
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
]


*******************************************
*******************************************


Alias name: oam-1
Creation date: Nov 11, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=oam-1.profiq.cz, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e136c
Valid from: Fri Nov 11 08:38:28 CET 2011 until: Fri Nov 11 08:38:28 CET 2016
Certificate fingerprints:
     MD5:  31:AA:2C:48:E2:63:EA:1C:8A:21:8A:FC:E4:05:27:84
     SHA1: 07:18:B9:A6:2D:CF:45:8D:BA:45:A9:06:DE:15:00:35:AA:3C:D7:EF
     Signature algorithm name: SHA1withRSA
     Version: 3
Certificate[2]:
Owner: CN=ca, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e014d
Valid from: Fri Nov 11 07:58:06 CET 2011 until: Fri Nov 11 07:58:06 CET 2061
Certificate fingerprints:
     MD5:  F9:C1:77:68:9C:22:B0:47:DE:30:21:D7:97:59:9A:42
     SHA1: EA:B4:C1:FF:19:FF:26:94:A5:E6:9F:2A:C1:B2:05:B6:FC:90:42:F8
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
]


*******************************************
*******************************************


Alias name: s1as
Creation date: Nov 11, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=node3.profiq.cz, OU=Sun GlassFish Enterprise Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Issuer: CN=node3.profiq.cz, OU=Sun GlassFish Enterprise Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Serial number: 4ebcc9c1
Valid from: Fri Nov 11 08:07:45 CET 2011 until: Mon Nov 08 08:07:45 CET 2021
Certificate fingerprints:
     MD5:  8C:75:EA:BC:89:5F:EE:6D:16:F5:79:06:12:D5:8E:BC
     SHA1: F9:71:11:3B:0C:98:61:2C:87:8D:89:7E:C5:7F:A5:8A:53:94:2A:73
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 70 20 5F 76 5E 69 48 54   DC 57 6A 06 10 ED F1 90  p _v^iHT.Wj.....
0010: A1 94 D2 A6                                        ....
]
]


*******************************************
*******************************************
You should see 3 certificates listed in the domain keystore: the CA certificate, oam-1 (now signed by the CA, with a chain of length 2) and the default s1as.
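Checking these listings by eye is error-prone, so here is a small checker, added as an example and not part of the original article, that parses a keytool -list -v listing like the ones above (this one for the GlassFish domain keystore, the earlier one for the OpenDJ keystore.jks) and verifies what the SSL setup relies on: the serving alias is a PrivateKeyEntry, its CN matches the node hostname, the leaf is not self-signed (i.e. the CA reply was imported), the chain ends at the profiq CA, and nothing is expired or close to expiry. The sample listing is constructed from the DNs and validity dates shown above; fingerprint and serial lines are left out.

```python
"""Check a `keytool -list -v` listing for the properties a TLS serving alias
needs in this deployment (constructed example; not part of the article)."""
import re
from datetime import datetime, timedelta

CA_DN = "CN=ca, O=profiq, C=cz"          # DN of the CA created with certutil
REFERENCE_DATE = datetime(2011, 11, 12)  # the day after the certificates were issued

# Constructed sample: the oamdomain keystore after the signed oam-1 reply was imported.
SAMPLE_LISTING = """\
Alias name: ca
Entry type: trustedCertEntry

Owner: CN=ca, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Valid from: Fri Nov 11 07:58:06 CET 2011 until: Fri Nov 11 07:58:06 CET 2061

Alias name: oam-1
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=oam-1.profiq.cz, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Valid from: Fri Nov 11 08:38:28 CET 2011 until: Fri Nov 11 08:38:28 CET 2016
Certificate[2]:
Owner: CN=ca, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Valid from: Fri Nov 11 07:58:06 CET 2011 until: Fri Nov 11 07:58:06 CET 2061

Alias name: s1as
Entry type: PrivateKeyEntry
Certificate[1]:
Owner: CN=node3.profiq.cz, OU=Sun GlassFish Enterprise Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Issuer: CN=node3.profiq.cz, OU=Sun GlassFish Enterprise Server, O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Valid from: Fri Nov 11 08:07:45 CET 2011 until: Mon Nov 08 08:07:45 CET 2021
"""


def _keytool_date(text):
    """Parse 'Fri Nov 11 08:38:28 CET 2011'; the weekday and zone name are dropped."""
    _wday, mon, day, clock, _zone, year = text.split()
    return datetime.strptime(f"{mon} {day} {clock} {year}", "%b %d %H:%M:%S %Y")


def parse_listing(text):
    """Return {alias: {"type": entry type, "chain": [cert dicts, leaf first]}}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"type": None, "chain": []}
            entries[line.split(":", 1)[1].strip()] = current
        elif current is None:
            continue
        elif line.startswith("Entry type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:"):  # keytool prints Owner first for every certificate
            current["chain"].append({"owner": line.split(":", 1)[1].strip()})
        elif line.startswith("Issuer:"):
            current["chain"][-1]["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Valid from:"):
            m = re.match(r"Valid from: (.+?) until: (.+)", line)
            current["chain"][-1]["not_before"] = _keytool_date(m.group(1))
            current["chain"][-1]["not_after"] = _keytool_date(m.group(2))
    return entries


def ca_trusted(entries, ca_dn=CA_DN):
    """True if the CA is present as a trustedCertEntry (keytool needs it to accept the reply)."""
    return any(e["type"] == "trustedCertEntry" and e["chain"] and e["chain"][0]["owner"] == ca_dn
               for e in entries.values())


def check_serving_alias(entries, alias, hostname, ca_dn=CA_DN, now=REFERENCE_DATE, warn_days=30):
    """Return a list of findings; an empty list means the alias is ready to serve TLS."""
    entry = entries.get(alias)
    if entry is None:
        return [f"alias {alias!r} not found in keystore"]
    findings = []
    if entry["type"] != "PrivateKeyEntry":
        findings.append(f"{alias}: entry type is {entry['type']}, expected PrivateKeyEntry")
    chain = entry["chain"]
    leaf = chain[0]
    cn = re.search(r"CN=([^,]+)", leaf["owner"]).group(1)
    if cn.lower() != hostname.lower():
        findings.append(f"{alias}: CN {cn!r} does not match hostname {hostname!r}")
    if leaf["owner"] == leaf["issuer"]:
        findings.append(f"{alias}: leaf certificate is self-signed (CA reply not imported?)")
    if chain[-1]["owner"] != ca_dn:
        findings.append(f"{alias}: chain does not end at trusted CA {ca_dn!r}")
    for i, cert in enumerate(chain, 1):
        if not cert["not_before"] <= now <= cert["not_after"]:
            findings.append(f"{alias}: certificate[{i}] is not valid on {now:%Y-%m-%d}")
        elif cert["not_after"] - now < timedelta(days=warn_days):
            findings.append(f"{alias}: certificate[{i}] expires on {cert['not_after']:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    print("CA trusted:", ca_trusted(listing))
    for alias in ("oam-1", "s1as"):
        print(alias, "->", check_serving_alias(listing, alias, "oam-1.profiq.cz") or ["OK"])
```

Run it against real output with parse_listing(open("listing.txt").read()) and pass now=datetime.now(); the unsigned oam-1 entry from the first listing (issuer equal to owner) is reported as self-signed, which is exactly the state before the certificate reply is imported.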
Now modify the domain's domain.xml to meet OAM requirements:
cd /opt/glassfish/domains/oamdomain/config
sed "s/-client/-server/" -i domain.xml
sed "s/-Xmx512m/-Xmx1024m/" -i domain.xml
One small change against the non-SSL version is that you also have to change the nickname of the certificate used from the default s1as to your oam-1:
sed "s/s1as/oam-1/g" -i domain.xml
And now you can start the domain:
cd /opt/glassfish/domains/oamdomain/bin
./startserv
admin username:domain2adm
admin password: domain2pwd
master password: domain2master
Redirecting output to /opt/glassfish/domains/oamdomain/logs/server.log
You can watch the server status by tailing the log file:
tail -f /opt/glassfish/domains/oamdomain/logs/server.log
Now that the domain is running, deploy OpenAM (the file is still called opensso.war):
cd /opt/glassfish/bin
./asadmin deploy --user domain2adm --host oam-1.profiq.cz --port=8989 --contextroot opensso --name opensso --target server /home/profiq/opensso/deployable-war/opensso.war
Please enter the admin password> domain2pwd
Command deploy executed successfully.
GlassFish Sanity Tests
TEST: Login to admin console
Steps:
http://oam-1.profiq.cz:8989
- User Name: domain2adm
- Password: domain2pwd
Expected output:
You are successfully logged in and out of admin console.
TEST: Access the domain page
Steps:
https://oam-1.profiq.cz:1081
Because you are using a custom certificate, you will probably see a message that the page is not trusted. To prevent this message you can import the CA.der certificate into your web browser, after which all web pages whose certificates are signed by this CA will be trusted, or you can simply tell your browser to trust this page and let you in.
Expected output:
GlassFish page is displayed.
OpenAM
Now set up OpenAM; the link to access it will look like https://oam-1.profiq.cz:1081/opensso (with your OpenAM host/port):
Create New Configuration
1. General
- Password: oamadmin
- Confirm Password: oamadmin
2. Server Settings:
- Server URL: https://oam-1.profiq.cz:1081
- Cookie Domain: .profiq.cz
- Platform Locale: en_US
- Configuration Directory: /opt/oam-config
3. Configuration Data Store Settings
- First Instance
- OpenDS or Sun Java System Directory Server
- SSL/TLS enabled: check
- Host Name: ds-1.profiq.cz
- Port: 1636
- Encryption Key: <default>
- Root Suffix: dc=example,dc=com
- Login ID: cn=Directory Manager
- Password: dsmanager
4. User Data Store Settings
- User Data Store Type: OpenDS
- SSL/TLS enabled: check
- Directory Name: ds-1.profiq.cz
- Port: 1636
- Root Suffix: dc=example,dc=com
- Login ID: cn=Directory Manager
- Password: dsmanager
5. Site Configuration
- Part of site configuration: No
6. Default Policy User Agent
- Password: agentuser
- Confirm Password: agentuser
7. Summary
- Create Configuration
Configuration Complete!
OK, you are done with the setup, but you still need to configure it:
Proceed to Login
Sign in to OpenAM
- User Name: amadmin
- Password: oamadmin
Access Control -> / (Top Level Realm)
- Realm Attributes -> New Value: da-1.profiq.cz (the host where DAUI will run)
Add -> Save -> Data Stores -> OpenDS
- LDAP Groups container Naming Attribute : ou
- LDAP Groups Container Value: groups
- LDAP People Container Naming Attribute : ou
- LDAP People Container Value: users
Save -> Back to Data Stores -> Subjects
- Test User1 is displayed
Authentication -> All Core Settings…
- User Profile: Ignored
Save -> Back to Authentication -> Back to Access Control -> / (Top Level Realm) -> Agents -> 2.2 Agents -> New…
- Name: authuiadmin
- Password: authuiadmin
- Re-Enter Password: authuiadmin
Create -> Log Out
OpenAM Sanity Tests
TEST: Login as a test user
Steps:
https://oam-1.profiq.cz:1081/opensso
- User Name: testuser1
- Password: password
https://oam-1.profiq.cz:1081/opensso/UI/Logout
Expected output:
User is successfully logged in and out.
TEST: Login as an agent user
https://oam-1.profiq.cz:1081/opensso
- User Name: authuiadmin
- Password: authuiadmin
https://oam-1.profiq.cz:1081/opensso/UI/Logout
Expected output:
User is successfully logged in and out.
Web Server
Installation:
mkdir /home/profiq/ws-64
cd /home/profiq/ws-64
unzip ../V19747-01.zip
./setup
1. Welcome: Next
2. Software License Agreement: Yes
3. Installation Directory: /opt/ws7
4. Select the Type of Installation: Custom
5. Component Selection: Server Core, Administration Command Line Interface
6. Java Configuration: Install Java SE Development Kit (JDK) 1.6.0_17
7. Administration Options: Create an Administration Server and a Web Server Instance
8. Administration Server Settings
- Host Name: da-1.profiq.cz
- SSL Port: 8990 (this would be 8989 by default, but GlassFish is already using that port)
- Create a non-SSL Port: uncheck
- Administration User Name: admin
- Administration Password: web4dmin
- Retype Password: web4dmin
9. Web Server Settings
- Server Name: da-1.profiq.cz
- HTTP Port: 8080
- Create a Document Root
10. Ready to Install:
- Start Administration Server: check
- Install Now
11. Skip Registration
12. Installation Complete: Finish
To enable the SSL listener for DAUI, you need to prepare a certificate:
cd /opt/ws7/bin
echo "wadm_password=web4dmin" > /tmp/admin.pwd
./wadm create-cert-request --user=admin --password-file=/tmp/admin.pwd --host=da-1.profiq.cz --port=8990 --key-type=rsa --org="Sun Microsystems" --org-unit="Sun Distributed Authentication" --locality="Santa Clara" --state=California --country=US --config=da-1.profiq.cz --token=internal --server-name=da-1.profiq.cz > /opt/nss/da-1.csr
certutil -C -c CA -v 60 -d /opt/nss/dbdir -a -i /opt/nss/da-1.csr -o /opt/nss/da-1.cer
Enter Password or Pin for "NSS Certificate DB": nssnssnss
And now import the CA certificate and the DAUI certificate into the Web Server keystore:
./wadm install-cert --user=admin --password-file=/tmp/admin.pwd --config=da-1.profiq.cz --port=8990 --token=internal --cert-type=ca --nickname=CA /opt/nss/CA.der
CLI201 Command 'install-cert' ran successfully
./wadm list-certs --user=admin --password-file=/tmp/admin.pwd --token=internal --config=da-1.profiq.cz --cert-type=ca | grep profiq
ca - profiq
./wadm install-cert --user=admin --password-file=/tmp/admin.pwd --config=da-1.profiq.cz --port=8990 --token=internal --cert-type=server --nickname=da-1 /opt/nss/da-1.cer
CLI201 Command 'install-cert' ran successfully
./wadm list-certs --user=admin --password-file=/tmp/admin.pwd --token=internal --config=da-1.profiq.cz
da-1
The certificates are ready, so now you can create the SSL listener and do some additional configuration on it:
./wadm create-http-listener --user=admin --password-file=/tmp/admin.pwd --host=da-1.profiq.cz --port=8990 --listener-port=8081 --config=da-1.profiq.cz --server-name=da-1.profiq.cz --default-virtual-server-name=da-1.profiq.cz http-listener-2
CLI201 Command 'create-http-listener' ran successfully
./wadm set-ssl-prop --user=admin --password-file=/tmp/admin.pwd --config=da-1.profiq.cz --http-listener=http-listener-2 enabled=true
CLI201 Command 'set-ssl-prop' ran successfully
./wadm set-ssl-prop --user=admin --password-file=/tmp/admin.pwd --config=da-1.profiq.cz --http-listener=http-listener-2 server-cert-nickname=da-1
CLI201 Command 'set-ssl-prop' ran successfully
./wadm deploy-config --user=admin --password-file=/tmp/admin.pwd --host=da-1.profiq.cz --port=8990 da-1.profiq.cz
CLI201 Command 'deploy-config' ran successfully
If you want DAUI to trust the OpenAM server, it is not enough to import the CA into the Web Server's own certificate store; you also need to import it into the JDK keystore. If you selected the bundled JDK, you will find it in /opt/ws7/jdk.
The steps are similar to those for the JDK used by OpenDJ and OpenAM:
chmod 644 /opt/ws7/jdk/jre/lib/security/cacerts
/opt/ws7/jdk/jre/bin/keytool -import -trustcacerts -alias CA -file /opt/nss/CA.der -keystore /opt/ws7/jdk/jre/lib/security/cacerts -storepass changeit
Owner: CN=ca, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e014d
Valid from: Fri Nov 11 07:58:06 CET 2011 until: Fri Nov 11 07:58:06 CET 2061
Certificate fingerprints:
     MD5:  F9:C1:77:68:9C:22:B0:47:DE:30:21:D7:97:59:9A:42
     SHA1: EA:B4:C1:FF:19:FF:26:94:A5:E6:9F:2A:C1:B2:05:B6:FC:90:42:F8
     Signature algorithm name: SHA1withRSA
     Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
Now you can start the Web Server domain:
cd /opt/ws7/https-da-1.profiq.cz/bin
./startserv
Sun Java System Web Server 7.0U8 (64-Bit) B01/20/2010 08:17
info: CORE5076: Using [Java HotSpot(TM) 64-Bit Server VM, Version 1.6.0_17] from [Sun Microsystems Inc.]
info: WEB0100: Loading web module in virtual server [da-1.profiq.cz] at [/auth]
info: HTTP3072: http-listener-1: http://da-1.profiq.cz:8080 ready to accept requests
info: HTTP3072: http-listener-2: https://da-1.profiq.cz:8081 ready to accept requests
info: CORE3274: successful server startup
If the SSL listener was created correctly, you should see 2 listeners running.
Web Server Sanity Tests
TEST: Login to admin console
Steps:
https://da-1.profiq.cz:8990
- User Name: admin
- Password: web4dmin
Expected output:
You are successfully logged in and out of admin console.
TEST: Access the Web Server
Steps:
Try to access both SSL and non-SSL pages:
https://da-1.profiq.cz:8081
http://da-1.profiq.cz:8080
Expected output:
Sun Web Server default page is displayed.
DAUI
First you need to create a WAR file for DAUI (if OpenAM is installed on a different system, it is fine to create the WAR file there and then copy it to the WS machine):
cd /home/profiq/opensso
mkdir war-staging
cd war-staging
jar xf ../deployable-war/opensso.war
cd ../deployable-war
chmod +x createwar.sh
./createwar.sh -s ../war-staging -t distauth -w auth.war
Now WS is installed and the WAR file is ready, so you can deploy DAUI, but first stop the Web Server domain:
/opt/ws7/https-da-1.profiq.cz/bin/stopserv
server has been shutdown
cd /opt/ws7/bin
./wadm add-webapp --user=admin --host=da-1.profiq.cz --port=8990 --config=da-1.profiq.cz --vs=da-1.profiq.cz --uri=/auth /home/profiq/opensso/deployable-war/auth.war
Please enter admin-user-password> web4dmin
CLI201 Command 'add-webapp' ran successfully
./wadm deploy-config --user=admin --host=da-1.profiq.cz --port=8990 da-1.profiq.cz
Please enter admin-user-password> web4dmin
CLI201 Command 'deploy-config' ran successfully
Now you can start the Web Server domain again:
cd /opt/ws7/https-da-1.profiq.cz/bin
./startserv
Sun Java System Web Server 7.0U8 (64-Bit) B01/20/2010 08:17
info: CORE5076: Using [Java HotSpot(TM) 64-Bit Server VM, Version 1.6.0_17] from [Sun Microsystems Inc.]
info: WEB0100: Loading web module in virtual server [da-1.profiq.cz] at [/auth]
info: HTTP3072: http-listener-1: http://da-1.profiq.cz:8080 ready to accept requests
info: HTTP3072: http-listener-2: https://da-1.profiq.cz:8081 ready to accept requests
info: CORE3274: successful server startup
DAUI is now ready to configure (use the link with your DAUI hostname/port):
https://da-1.profiq.cz:8081/auth
- Server Protocol: https
- Server Host: oam-1.profiq.cz
- Server Port: 1081
- Server Deployment URI: opensso
- DistAuth Server Protocol: https
- DistAuth Server Host: da-1.profiq.cz
- DistAuth Server Port: 8081
- DistAuth Server Deployment URI: /auth
- Debug Directory: /opt/debug-auth
- Debug Level: error
- Encryption Key: <default>
- Application user name: authuiadmin
- Application user password: authuiadmin
- Confirm Application user password: authuiadmin
DAUI Sanity Tests
TEST: Access Web Server using authentication
https://da-1.profiq.cz:8081/auth/UI/Login?goto=/
- User Name: testuser1
- Password: password
https://da-1.profiq.cz:8081/auth/UI/Logout
Expected output:
At first the OpenAM login page is displayed, and after login the Web Server page is displayed. Logout should work too.
Warning: If you get an error message that the server is not trusted, it can also be caused by old cookies in your browser (left over from previous installations on the same host). This is sometimes difficult to troubleshoot, so if you see this error, try removing the cookies related to the servers you use for the deployment.
TEST: Access Web Server using authentication with wrong password
https://da-1.profiq.cz:8081/auth/UI/Login?goto=/
- User Name: testuser1
- Password: wrongpass
Expected output:
At first the OpenAM login page is displayed. After entering the wrong password, authentication should fail and the Web Server page should not be displayed.
References
[1] How to deploy OpenAM with DAUI
[2] Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0
[3] How to set up multiple DAUI instances
[4] Configure an external OpenDJ or OpenDS as the configuration store