Risk-Free trial

How to deploy OpenAM with DAUI using SSL

In my previous article “How to deploy OpenAM with DAUI”  I wrote down steps how to install complete architecture where DAUI is configured with OpenAM. To keep it simple, I used only plain non-encrypted communication between individual components, however in the real world, many deployments require some more security and encrypted cryptography is a basic requirement. This article is based on previous one and it adds steps to install full architecture with SSL encryption.

As this article contains some small changes against non-SSL version, that could be easily skipped or unnoticed, I rather highlighted them using italics.

Preparation

I used the 64bit version of Ubuntu Server 11.04 as the operating system for the deployment and added following packages:

sudo apt-get install unzip
sudo apt-get install libxtst-dev
sudo apt-get install ia32-libs
sudo apt-get install libstdc++5

For cryptography related tasks I installed also NSS (Network Security Services) library and command line tools.

sudo apt-get install libnss3
sudo apt-get install libnss3-tools

The architecture is the same as for non-SSL, consists of 3 logical nodes – Directory Server, OpenAM (running on GlassFish applications server) and Distributed Authentication User Interface (running on Sun Web Server). All these nodes could be installed together on 1 system, or they can be splitted on 2 or 3 different systems.

On my environment, I decided to keep it simple and have everything on one machine, however I created separate virtual hostname for every node.

+------------------+         +---------------------+         +--------------+
|       DAUI       |  HTTPS  | OpenAM Server 9.5.3 |  LDAPS  |              |
| Sun Web Server 7 |  ---->  | GlassFish v2.1.1    |  ---->  | OpenDJ 2.4.4 |
+------------------+         +---------------------+         +--------------+
   da-1.profiq.cz                 oam-1.profiq.cz             ds-1.profiq.cz
Hostname setting is done in /etc/hosts:
127.0.1.1 ds-1 ds-1.profiq.cz oam-1 oam-1.profiq.cz da-1 da-1.profiq.cz

To have an access to these domains, you have to add this setting (for exernal IP) to /etc/hosts file (or Windows equivalent) on your workstation.

Permissions:

In my installation, all products are installed into /opt directory, feel free to use any other directory, but make sure that your user has write access to this directory.

Download:

I have all tools (Sun JDK 1.6.0_26, OpenDJ 2.4.4, GlassFish 2.1.1., OpenAM 9.5.3, Sun Web Server 7.0) downloaded in my home directory /home/profiq.

JDK

JDK is a dependency of OpenDJ, you need to have it installed first.

In my case I used Sun JDK 1.6.0_26, however similar steps would work also for other JDK:

Install JDK:

chmod 755 jdk-6u26-linux-x64.bin
./jdk-6u26-linux-x64.bin
mv jdk1.6.0_26 /opt

Set environment variables to use JDK:

export JAVA_HOME=/opt/jdk1.6.0_26
export PATH=$JAVA_HOME/bin:$PATH

Verify that correct version of Java is used (Java path is set correctly):

java -version
java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)

As I use graphical installers in these steps, you need to have graphical access on the machine (directly or VNC session), or export display to your workstation. In my case I exported display to my workstation:

export DISPLAY=192.168.1.2:0

On my workstation I enabled connections from external machines:

xhost +

Security

In this chapter I provide steps required to prepare a certificate database for NSS, self-signed CA (certification authority) and key/certificate for OpenDJ. Certificate would be imported to keystore, that would be used by OpenDJ.

In NSS all keys and certificates are stored a certificate database. At first you need to create this database:

mkdir /opt/nss
cd /opt/nss
mkdir dbdir

certutil -N -d dbdir
Enter new password: nssnssnss
Re-enter password: nssnssnss

Now create a certification authority. In this case, CA certificate is self-signed, however there is also an option to have a CA certificate signed by another CA and create a certificate chain. More usual scenario is, that you will have your CA signed by another trusted CA (like Verisign) and that would make trusted also certificates signed by your CA. Another option is to have all your certificates directly signed by trusted CA.

certutil -s "cn=ca, o=profiq, C=cz" -S -n CA -t CTu,CTu,CTu -v 600 -x 
    -d dbdir -1 -2 -5
Enter Password or Pin for "NSS Certificate DB": nssnssnss

A random seed must be generated that will be used in the
creation of your key. One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:

|************************************************************|

Finished. Press enter to continue:
Generating key. This may take a few moments...
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 5
0 - Digital Signature
1 - Non-repudiation
2 - Key encipherment
3 - Data encipherment
4 - Key agreement
5 - Cert signing key
6 - CRL signing key
Other to finish
> 9
Is this a critical extension [y/N]?
n
Is this a CA certificate [y/N]?
y
Enter the path length constraint, enter to skip [<0 for unlimited path]: > -1
Is this a critical extension [y/N]?
n
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
> 5
0 - SSL Client
1 - SSL Server
2 - S/MIME
3 - Object Signing
4 - Reserved for future use
5 - SSL CA
6 - S/MIME CA
7 - Object Signing CA
Other to finish
> 9
Is this a critical extension [y/N]?
n

And now export the CA certificate to a file:

certutil -L -d dbdir -r -n CA -o CA.der

Some tools like ssoAdminTools use JDK trust store, to check whether certificate is trusted. If you import CA certificate to this store, all valid certificates signed by this CA would be validated as trusted. Without this step, ssoadm tool wouldn’t be able to locate system configuration and would return error message:

Cannot locate system configuration. Directory Server may be down or
configuration directory is invalid.

Sun JDK stores CA certificates in $JAVA_HOME/jre/lib/security/cacerts file, so you should import your CA certificate there:

cd /opt/jdk1.6.0_26/jre/lib/security
keytool -import -trustcacerts -alias CA -file /opt/nss/CA.der 
    -keystore cacerts
Enter keystore password: changeit
Owner: CN=ca, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e014d
Valid from: Fri Nov 11 07:58:06 CET 2011 until: Fri Nov 11 07:58:06 CET 2061
Certificate fingerprints:
MD5: F9:C1:77:68:9C:22:B0:47:DE:30:21:D7:97:59:9A:42
SHA1: EA:B4:C1:FF:19:FF:26:94:A5:E6:9F:2A:C1:B2:05:B6:FC:90:42:F8
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_CertSign
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
]

Trust this certificate? [no]: yes
Certificate was added to keystore

In OpenDJ setup, there is a step where you can set keystore with custom certificate to use.
You need to prepare it now.

At first generate key and certificate request:

cd /opt/nss
keytool -genkey -alias ds-1 -keyalg rsa 
    -dname "cn=ds-1.profiq.cz,o=profiq,c=cz" -keystore keystore.jks 
    -keypass password -storetype jks -storepass password
keytool -certreq -alias ds-1 -file ds-1.csr -keystore keystore.jks 
    -keypass password -storetype jks -storepass password

Now sign this certificate using certification authority that you prepared before:

certutil -C -c CA -v 60 -d dbdir -a -i ds-1.csr -o ds-1.cer
Enter Password or Pin for "NSS Certificate DB": nssnssnss

Now you have to import this CA certificate and DS certificate to keystore.jks, the keystore that will be used by OpenDJ:

keytool -import -trustcacerts -alias CA -file CA.der -keystore keystore.jks 
    -storepass password
Certificate already exists in system-wide CA keystore under alias <ca>
Do you still want to add it to your own keystore? [no]: yes
Certificate was added to keystore

keytool -import -file ds-1.cer -alias ds-1 -keystore keystore.jks 
    -storepass password
Certificate reply was installed in keystore

You can verify the content of the keystore:

keytool -list -v -keystore keystore.jks -storepass password

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: ca
Creation date: Nov 11, 2011
Entry type: trustedCertEntry

Owner: CN=ca, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e014d
Valid from: Fri Nov 11 07:58:06 CET 2011 until: Fri Nov 11 07:58:06 CET 2061
Certificate fingerprints:
MD5: F9:C1:77:68:9C:22:B0:47:DE:30:21:D7:97:59:9A:42
SHA1: EA:B4:C1:FF:19:FF:26:94:A5:E6:9F:2A:C1:B2:05:B6:FC:90:42:F8
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_CertSign
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
]

*******************************************
*******************************************
Alias name: ds-1
Creation date: Nov 11, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=ds-1.profiq.cz, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e0234
Valid from: Fri Nov 11 07:59:57 CET 2011 until: Fri Nov 11 07:59:57 CET 2016
Certificate fingerprints:
MD5: 81:2E:AF:27:4F:23:09:94:13:A5:28:07:6C:DA:74:7C
SHA1: 60:FC:53:14:73:C2:73:38:30:7B:6B:39:6E:DE:0D:D3:11:EE:0C:AF
Signature algorithm name: SHA1withRSA
Version: 3
Certificate[2]:
Owner: CN=ca, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e014d
Valid from: Fri Nov 11 07:58:06 CET 2011 until: Fri Nov 11 07:58:06 CET 2061
Certificate fingerprints:
MD5: F9:C1:77:68:9C:22:B0:47:DE:30:21:D7:97:59:9A:42
SHA1: EA:B4:C1:FF:19:FF:26:94:A5:E6:9F:2A:C1:B2:05:B6:FC:90:42:F8
Signature algorithm name: SHA1withRSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
Key_CertSign
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]

#3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL CA
]

*******************************************
*******************************************

OpenDJ

In this environment, OpenDJ is used as user data store and AM configuration store.

Installation steps for OpenDJ:

unzip OpenDJ-2.4.4.zip
mv OpenDJ-2.4.4 /opt/
cd /opt/OpenDJ-2.4.4/
./setup

1. Welcome: Next

2. Server Settings

    • Host Name: ds-1.profiq.cz
    • LDAP Listener Port: 1389
    • Administration Connector Port: 4444
    • LDAP Secure Access:
  • SSL Access: Enable SSL on Port: 1636
  • StartTLS Access: Enable StartTLS for LDAP
  • Certificate: Use an Existing Certificate
  • Keys Store Type: Java Key Store (JKS) File
  • Key Store Path: /opt/nss/keystore.jks
  • Key Store PIN: password
  • Select Alias: ds-1
  • Root User DN: cn=Directory Manager
  • Password: dsmanager
  • Password (confirm): dsmanager
Note: as a Key Store PIN you should use keystore password, naming this property PIN is a little bit confusing, however there is also option to use PIN files.

3. Topology Options: This will be a stand alone server

4. Directory Data

  • Directory Base DN: dc=example,dc=com
  • Directory Data: Only Create Base Entry

5. Runtime Options: Next

6. Review: Start Server when Configuration has Completed

7. Finished: Close

To use OpenDJ as a configuration store, you need to enable multiple structural objectclasses:

/opt/OpenDJ-2.4.4/bin/dsconfig -h ds-1.profiq.cz -p 4444 
    -D "cn=Directory Manager" -w dsmanager -X -n 
    --advanced set-global-configuration-prop 
    --set single-structural-objectclass-behavior:accept

After configuration store settings you need to restart OpenDJ to apply changes:

/opt/OpenDJ-2.4.4/bin/stop-ds
/opt/OpenDJ-2.4.4/bin/start-ds

You need some user base, at least very basic:

cat << EOF > /tmp/am-users.ldif
dn: ou=users,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: users
description: Container for user entries

dn: ou=Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups
description: Container for group entries

dn: uid=testuser1,ou=users,dc=example,dc=com
uid: testuser1
givenName: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: User1
cn: Test User1
userPassword: password
EOF

For user data loading using ldapmodify, you can use SSL port, in this case you need to add also –useSSL parameter:

/opt/OpenDJ-2.4.4/bin/ldapmodify --useSSL -h ds-1.profiq.cz -p 1636 
    -D "cn=Directory Manager" -w dsmanager -a -f /tmp/am-users.ldif
The server is using the following certificate:
    Subject DN:  CN=ds-1.profiq.cz, O=profiq, C=cz
    Issuer DN:  CN=ca, O=profiq, C=cz
    Validity:  Fri Nov 11 07:59:57 CET 2011 through Fri Nov 11 07:59:57
        CET 2016
Do you wish to trust this certificate and continue connecting to the server?
Please enter "yes" or "no":yes
Processing ADD request for ou=users,dc=example,dc=com
ADD operation successful for DN ou=users,dc=example,dc=com
Processing ADD request for ou=Groups,dc=example,dc=com
ADD operation successful for DN ou=Groups,dc=example,dc=com
Processing ADD request for uid=testuser1,ou=users,dc=example,dc=com
ADD operation successful for DN uid=testuser1,ou=users,dc=example,dc=com

OpenDJ Sanity Test

TEST: Search test user

Steps:

/opt/OpenDJ-2.4.4/bin/ldapsearch --useSSL -b "dc=example,dc=com" -p 1636 
    -D "cn=Directory Manager" -w dsmanager "uid=test*"

Expected output:

The server is using the following certificate:
    Subject DN:  CN=ds-1.profiq.cz, O=profiq, C=cz
    Issuer DN:  CN=ca, O=profiq, C=cz
    Validity:  Fri Nov 11 07:59:57 CET 2011 through Fri Nov 11 07:59:57
        CET 2016
Do you wish to trust this certificate and continue connecting to the server?
Please enter "yes" or "no":yes
dn: uid=testuser1,ou=users,dc=example,dc=com
userPassword: {SSHA}0WkcuyCdYLPSNPgRzJNQCXVkXs43F5rlwax0lw==
givenName: Test
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: top
uid: testuser1
cn: Test User1
sn: User1

Glassfish

As GlassFish 3 is not yet supported by OpenAM, I used GlassFish 2.1.1. If you install it on different system, you need to install JDK also here.

GlassFish install:

cd /opt
java -Xmx256m -jar ~/glassfish-installer-v2.1.1-b31g-linux.jar
  • uncheck Enable autoupdate
  • Accept

Now start the configuration script using ant:

cd /opt/glassfish
chmod -R +x lib/ant/bin
lib/ant/bin/ant -f setup.xml

Now you have to create a domain, for SSL architecture there is one small change, you have to set also SSL port:

cd /opt/glassfish/bin
./asadmin create-domain --domaindir /opt/glassfish/domains --adminport 8989 
    --user domain2adm --instanceport 1080 
    --domainproperties http.ssl.port=1081  oamdomain

Please enter the admin password> domain2pwd
Please enter the admin password again> domain2pwd
Please enter the master password [Enter to accept the default]:>
    domain2master
Please enter the master password again [Enter to accept the default]:> 
    domain2master

Using port 8989 for Admin.
Using port 1080 for HTTP Instance.
Using default port 7676 for JMS.
Using default port 3700 for IIOP.
Using port 1081 for HTTP_SSL.
Using default port 3820 for IIOP_SSL.
Using default port 3920 for IIOP_MUTUALAUTH.
Using default port 8686 for JMX_ADMIN.
Domain being created with profile:developer, as specified by variable 
    AS_ADMIN_PROFILE in configuration file.
------ Using Profile [developer] to create the domain ------
XML processing for profile: Base document 
    [/opt/glassfish/lib/install/templates/default-domain.xml.template].
    Profile name [developer]. Processing property
    [domain.xml.style-sheets].

Security Store uses: JKS
Domain oamdomain created.

Now you need to generate key and certificate for OpenAM:

cd /opt/glassfish/domains/oamdomain/config/
keytool -genkey -noprompt -keyalg rsa -keypass domain2master -alias oam-1 
    -keystore keystore.jks -dname "cn=oam-1.profiq.cz,o=profiq,c=cz" 
    -storepass domain2master
keytool -list -v -keystore keystore.jks -storepass domain2master

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: oam-1
Creation date: Nov 11, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=oam-1.profiq.cz, O=profiq, C=cz
Issuer: CN=oam-1.profiq.cz, O=profiq, C=cz
Serial number: 4ebcd042
Valid from: Fri Nov 11 08:35:30 CET 2011 until: Thu Feb 09 08:35:30 CET 2012
Certificate fingerprints:
         MD5:  56:84:5C:99:BE:11:81:77:EB:AA:1F:CE:98:CE:FF:BB
         SHA1: 96:91:38:53:BB:28:38:36:A6:65:3D:A4:E2:F7:88:19:13:B6:E0:B5
         Signature algorithm name: SHA1withRSA
         Version: 3

*******************************************
*******************************************

Alias name: s1as
Creation date: Nov 11, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=node3.profiq.cz, OU=Sun GlassFish Enterprise Server, 
    O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Issuer: CN=node3.profiq.cz, OU=Sun GlassFish Enterprise Server, 
    O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Serial number: 4ebcc9c1
Valid from: Fri Nov 11 08:07:45 CET 2011 until: Mon Nov 08 08:07:45 CET 2021
Certificate fingerprints:
         MD5:  8C:75:EA:BC:89:5F:EE:6D:16:F5:79:06:12:D5:8E:BC
         SHA1: F9:71:11:3B:0C:98:61:2C:87:8D:89:7E:C5:7F:A5:8A:53:94:2A:73
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 70 20 5F 76 5E 69 48 54   DC 57 6A 06 10 ED F1 90  p _v^iHT.Wj.....
0010: A1 94 D2 A6                                        ....
]
]

*******************************************
*******************************************

Currenty, 2 certificates are listed in the domain keystore, oam-1 is the one to use (but at first you need to sign it), and s1as is the default one.

Now sign your certificate using your CA:

keytool -certreq -alias oam-1 -keypass domain2master -keystore keystore.jks 
    -storepass domain2master -file oam-1.csr
certutil -C -c CA -v 60 -d /opt/nss/dbdir -a 
    -i /opt/glassfish/domains/oamdomain/config/oam-1.csr 
    -o /opt/glassfish/domains/oamdomain/config/oam-1.cer
Enter Password or Pin for "NSS Certificate DB": nssnssnss

You need to import CA certificate to the domain keystore and to keystore that is used for trusted certification authorities. Also OAM certicicate should be imported to the domain keystore:

keytool -import -trustcacerts -alias CA -file /opt/nss/CA.der 
    -keystore keystore.jks -storepass domain2master
Trust this certificate? [no]:  yes

keytool -import -trustcacerts -alias CA -file /opt/nss/CA.der 
    -keystore cacerts.jks -storepass domain2master
Trust this certificate? [no]:  yes

keytool -import -file oam-1.cer -alias oam-1 -keystore keystore.jks 
    -storepass domain2master
keytool -list -v -keystore keystore.jks  -storepass domain2master

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: ca
Creation date: Nov 11, 2011
Entry type: trustedCertEntry

Owner: CN=ca, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e014d
Valid from: Fri Nov 11 07:58:06 CET 2011 until: Fri Nov 11 07:58:06 CET 2061
Certificate fingerprints:
         MD5:  F9:C1:77:68:9C:22:B0:47:DE:30:21:D7:97:59:9A:42
         SHA1: EA:B4:C1:FF:19:FF:26:94:A5:E6:9F:2A:C1:B2:05:B6:FC:90:42:F8
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions: 

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
]

*******************************************
*******************************************

Alias name: oam-1
Creation date: Nov 11, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=oam-1.profiq.cz, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e136c
Valid from: Fri Nov 11 08:38:28 CET 2011 until: Fri Nov 11 08:38:28 CET 2016
Certificate fingerprints:
         MD5:  31:AA:2C:48:E2:63:EA:1C:8A:21:8A:FC:E4:05:27:84
         SHA1: 07:18:B9:A6:2D:CF:45:8D:BA:45:A9:06:DE:15:00:35:AA:3C:D7:EF
         Signature algorithm name: SHA1withRSA
         Version: 3
Certificate[2]:
Owner: CN=ca, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e014d
Valid from: Fri Nov 11 07:58:06 CET 2011 until: Fri Nov 11 07:58:06 CET 2061
Certificate fingerprints:
         MD5:  F9:C1:77:68:9C:22:B0:47:DE:30:21:D7:97:59:9A:42
         SHA1: EA:B4:C1:FF:19:FF:26:94:A5:E6:9F:2A:C1:B2:05:B6:FC:90:42:F8
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions: 

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
]

*******************************************
*******************************************

Alias name: s1as
Creation date: Nov 11, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=node3.profiq.cz, OU=Sun GlassFish Enterprise Server,
    O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Issuer: CN=node3.profiq.cz, OU=Sun GlassFish Enterprise Server,
    O=Sun Microsystems, L=Santa Clara, ST=California, C=US
Serial number: 4ebcc9c1
Valid from: Fri Nov 11 08:07:45 CET 2011 until: Mon Nov 08 08:07:45 CET 2021
Certificate fingerprints:
         MD5:  8C:75:EA:BC:89:5F:EE:6D:16:F5:79:06:12:D5:8E:BC
         SHA1: F9:71:11:3B:0C:98:61:2C:87:8D:89:7E:C5:7F:A5:8A:53:94:2A:73
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions: 

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 70 20 5F 76 5E 69 48 54   DC 57 6A 06 10 ED F1 90  p _v^iHT.Wj.....
0010: A1 94 D2 A6                                        ....
]
]

*******************************************
*******************************************

You should see 3 certificates listed in the domain keystore, CA certificate, oam-1 (signed by the CA) and the default s1as.

Now modify domain.xml for the domain, to meet OAM requirements:

cd /opt/glassfish/domains/oamdomain/config
sed "s/-client/-server/" -i domain.xml
sed "s/-Xmx512m/-Xmx1024m/" -i domain.xml

One small change agains non-SSL version is, that you also have to change the name of used certificate from default s1as to your oam-1:

sed "s/s1as/oam-1/g" -i domain.xml

And now you can start the domain:

cd /opt/glassfish/domains/oamdomain/bin
./startserv
admin username:domain2adm
admin password: domain2pwd
master password: domain2master
Redirecting output to /opt/glassfish/domains/oamdomain/logs/server.log

You can watch server status tailing a log file:

tail -f /opt/glassfish/domains/oamdomain/logs/server.log

Now when the domain is running, deploy OpenAM (the file is still called opensso.war):

cd /opt/glassfish/bin
./asadmin deploy --user domain2adm --host oam-1.profiq.cz --port=8989 
    --contextroot opensso --name opensso --target server 
    /home/profiq/opensso/deployable-war/opensso.war
Please enter the admin password> domain2pwd
Command deploy executed successfully.

GlassFish Sanity Tests

TEST: Login to admin console

Steps:

http://oam-1.profiq.cz:8989

  • User Name: domain2adm
  • Password: domain2pwd
Logout

Expected output:

You are successfully logged in and out of admin console.

TEST: Access the domain page

Steps:

https://oam-1.profiq.cz:1081

Because you are using custom certificate, you would probably see the message that the page is not trusted. To prevent this message, you can import CA.der certificate to your web browser and then all web pages signed by this CA would be trusted, or you can just allow your browser to trust this page and let you in.

Expected output:

GlassFish page is displayed.

OpenAM

Now setup OpenAM, the link to access would look like https://oam-1.profiq.cz:1081/opensso (with your OpenAM host/port)

Create New Configuration

1. General

  • Password: oamadmin
  • Confirm Password: oamadmin

2. Server Settings:

  • Server URL: https://oam-1.profiq.cz:1081
  • Cookie Domain: .profiq.cz
  • Platform Local: en_US
  • Configuration Directory: /opt/oam-config

3. Configuration Data Store Settings

  • First Instance
  • OpenDS or Sun Java System Directory Server
  • SSL/TLS enabled: check
  • Host Name: ds-1.profiq.cz
  • Port: 1636
  • Encryption Key: <default>
  • Root Suffix: dc=example,dc=com
  • Login ID: cn=Directory Manager
  • Password: dsmanager

4. User Data Store Settings

  • User Data Store Type: OpenDS
  • SSL/TLS enabled: check
  • Directory Name: ds-1.profiq.cz
  • Port: 1636
  • Root Suffix: dc=example,dc=com
  • Login ID: cn=Directory Manager
  • Password: dsmanager

5. Site Configuration

  • Part of site configuration: No

6. Default Policy User Agent

  • Password: agentuser
  • Confirm Password: agentuser

7. Summary

  • Create Configuration

Configuration Complete!

OK, you are done with setup, but you still need to configure it:

Proceed to Login

Sing in to OpenAM

  • User Name: amadmin
  • Password: oamadmin

Access Control -> / (Top Level Realm)

  • Realm Attributes -> New Value: da-1.profiq.cz (host where DAUI would run)

Add -> Save -> Data Stores -> OpenDS

  • LDAP Groups container Naming Attribute : ou
  • LDAP Groups Container Value: groups
  • LDAP People Container Naming Attribute : ou
  • LDAP People Container Value: users

Save -> Back to Data Stores -> Subjects

  • Test User1 is displayed

Authentication -> All Core Settigns…

  • User Profile: Ignored

Save -> Back to Authentication -> Back to Access Control -> / (Top Level Realm) -> Agents -> 2.2 Agents -> New…

  • Name: authuiadmin
  • Password: authuiadmin
  • Re-Enter Password: authuiadmin

Create -> Log Out

OpenAM Sanity Tests

TEST: Login as a test user

Steps:

https://oam-1.profiq.cz:1081/opensso

  • User Name: testuser1
  • Password: password

https://oam-1.profiq.cz:1081/opensso/UI/Logout

Expected output:

User is successfully logged in and out.

TEST: Login as an agent user

https://oam-1.profiq.cz:1081/opensso

  • User Name: authuiadmin
  • Password: authuiadmin

https://oam-1.profiq.cz:1081/opensso/UI/Logout

Expected output:

User is successfully logged in and out.

Web Server

Installation:

mkdir /home/profiq/ws-64
cd /home/profiq/ws-64
unzip ../V19747-01.zip
./setup

1. Welcome: Next

2. Software License Agreement: Yes

3. Installation Directory: /opt/ws7

4. Select the Type of Installation: Custom

5. Component Selection: Server Core, Administration Command Line Interface

6. Java Configuration: Install Java SE Development Kit (JDK) 1.6.0_17

7. Administration Options: Create an Administration Server and a Web Server Instance

8. Administration Server Settings

  • Host Name: da-1.profiq.cz
  • SSL Port: 8990 (this number would be 8989 by default, but GlassFish is using this port now)
  • Create a non-SSL Port: uncheck
  • Administration User Name: admin
  • Administration Password: web4dmin
  • Retype Password: web4dmin

9. Web Server Settings

  • Server Name: da-1.profiq.cz
  • HTTP Port: 8080
  • Create a Document Root

10. Ready to Install:

  • Start Administraton Server: check
  • Install Now

11. Skip Registration

12. Installation Complete: Finish

To enable SSL listener for DAUI, you need to prepare a certificate:

cd /opt/ws7/bin
echo "wadm_password=web4dmin" > /tmp/admin.pwd
./wadm create-cert-request --user=admin --password-file=/tmp/admin.pwd 
    --host=da-1.profiq.cz --port=8990 
    --key-type=rsa --org="Sun Microsystems" 
    --org-unit="Sun Distributed Authentication" --locality="Santa Clara" 
    --state=California --country=US --config=da-1.profiq.cz 
    --token=internal --server-name=da-1.profiq.cz > /opt/nss/da-1.csr
certutil -C -c CA -v 60 -d /opt/nss/dbdir -a -i /opt/nss/da-1.csr 
    -o /opt/nss/da-1.cer
Enter Password or Pin for "NSS Certificate DB": nssnssnss

And now import the CA certificate and the DAUI certificate to the Web Server keystore:

./wadm install-cert --user=admin --password-file=/tmp/admin.pwd 
    --config=da-1.profiq.cz --port=8990 --token=internal --cert-type=ca 
    --nickname=CA /opt/nss/CA.der
CLI201 Command 'install-cert' ran successfully

./wadm list-certs --user=admin --password-file=/tmp/admin.pwd 
    --token=internal --config=da-1.profiq.cz --cert-type=ca | grep profiq
ca - profiq

./wadm install-cert --user=admin --password-file=/tmp/admin.pwd 
    --config=da-1.profiq.cz --port=8990 --token=internal --cert-type=server 
    --nickname=da-1 /opt/nss/da-1.cer
CLI201 Command 'install-cert' ran successfully

./wadm list-certs --user=admin --password-file=/tmp/admin.pwd 
    --token=internal --config=da-1.profiq.cz
da-1

Certificates are ready, so now you can create SSL listener and do some additional configuration on it:

./wadm create-http-listener --user=admin --password-file=/tmp/admin.pwd 
    --host=da-1.profiq.cz --port=8990 --listener-port=8081 
    --config=da-1.profiq.cz --server-name=da-1.profiq.cz 
    --default-virtual-server-name=da-1.profiq.cz http-listener-2
CLI201 Command 'create-http-listener' ran successfully

./wadm set-ssl-prop --user=admin --password-file=/tmp/admin.pwd 
    --config=da-1.profiq.cz --http-listener=http-listener-2 enabled=true
CLI201 Command 'set-ssl-prop' ran successfully

./wadm set-ssl-prop --user=admin --password-file=/tmp/admin.pwd 
    --config=da-1.profiq.cz --http-listener=http-listener-2 
    server-cert-nickname=da-1
CLI201 Command 'set-ssl-prop' ran successfully

./wadm deploy-config --user=admin --password-file=/tmp/admin.pwd 
    --host=da-1.profiq.cz --port=8990 da-1.profiq.cz
CLI201 Command 'deploy-config' ran successfully

If you want an DAUI to trust OpenAM server, it is not enough to import CA to its direct keystore, you need to import it also to JDK keystore. In case you selected a bundled JDK, you will find it in /opt/ws7/jdk.
Steps are similar, as for JDK used by OpenDJ and OpenAM:

chmod 644 /opt/ws7/jdk/jre/lib/security/cacerts
/opt/ws7/jdk/jre/bin/keytool -import -trustcacerts -alias CA 
    -file /opt/nss/CA.der -keystore /opt/ws7/jdk/jre/lib/security/cacerts 
    -storepass changeit
Owner: CN=ca, O=profiq, C=cz
Issuer: CN=ca, O=profiq, C=cz
Serial number: 962e014d
Valid from: Fri Nov 11 07:58:06 CET 2011 until: Fri Nov 11 07:58:06 CET 2061
Certificate fingerprints:
         MD5:  F9:C1:77:68:9C:22:B0:47:DE:30:21:D7:97:59:9A:42
         SHA1: EA:B4:C1:FF:19:FF:26:94:A5:E6:9F:2A:C1:B2:05:B6:FC:90:42:F8
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions: 

#1: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
   SSL CA
]

Trust this certificate? [no]:  yes
Certificate was added to keystore

Now you can start Web Server domain:

cd /opt/ws7/https-da-1.profiq.cz/bin
./startserv
Sun Java System Web Server 7.0U8 (64-Bit) B01/20/2010 08:17
info: CORE5076: Using [Java HotSpot(TM) 64-Bit Server VM, Version 1.6.0_17]
    from [Sun Microsystems Inc.]
info: WEB0100: Loading web module in virtual server [da-1.profiq.cz] at
    [/auth]
info: HTTP3072: http-listener-1: http://da-1.profiq.cz:8080 ready to accept 
    requests
info: HTTP3072: http-listener-2: https://da-1.profiq.cz:8081 ready to accept
    requests
info: CORE3274: successful server startup

If SSL listener was created correctly, you should see 2 listeners running.

Web Server Sanity Tests

TEST: Login to admin console

Steps:

https://da-1.profiq.cz:8990

  • User Name: admin
  • Password: web4dmin
Logout

Expected output:

You are successfully logged in and out of admin console.

TEST: Access the Web Server

Steps:

Try to access both SSL and non-SSL pages:

https://da-1.profiq.cz:8081

http://da-1.profiq.cz:8080

Expected output:

Sun Web Server default page is displayed.

DAUI

At first you need to create a WAR file for DAUI (if OpenAM is installed on a different system, it is OK to create WAR file there, and then copy it to WS machine):

cd /home/profiq/opensso
mkdir war-staging
cd war-staging
jar xf ../deployable-war/opensso.war
cd ../deployable-war
chmod +x createwar.sh
./createwar.sh -s ../war-staging -t distauth -w auth.war

Now WS is installed, WAR file is ready, so you can deploy DAUI, but first stop the Web Server domain:

/opt/ws7/https-da-1.profiq.cz/bin/stopserv
server has been shutdown

cd /opt/ws7/bin
./wadm add-webapp --user=admin --host=da-1.profiq.cz --port=8990 
    --config=da-1.profiq.cz --vs=da-1.profiq.cz --uri=/auth 
    /home/profiq/opensso/deployable-war/auth.war
Please enter admin-user-password> web4dmin
CLI201 Command 'add-webapp' ran successfully

./wadm deploy-config --user=admin --host=da-1.profiq.cz --port=8990 
    da-1.profiq.cz
Please enter admin-user-password> web4dmin
CLI201 Command 'deploy-config' ran successfully

Now you can start Web Server domain back:

cd /opt/ws7/https-da-1.profiq.cz/bin
./startserv
Sun Java System Web Server 7.0U8 (64-Bit) B01/20/2010 08:17
info: CORE5076: Using [Java HotSpot(TM) 64-Bit Server VM, Version 1.6.0_17]
    from [Sun Microsystems Inc.]
info: WEB0100: Loading web module in virtual server [da-1.profiq.cz] at
    [/auth]
info: HTTP3072: http-listener-1: http://da-1.profiq.cz:8080 ready to accept 
    requests
info: HTTP3072: http-listener-2: https://da-1.profiq.cz:8081 ready to accept
    requests
info: CORE3274: successful server startup

DAUI is now ready to configure (use link to your DAUI hostname/port):

https://da-1.profiq.cz:8081/auth

  • Server Protocol: https
  • Server Host: oam-1.profiq.cz
  • Server Port: 1081
  • Server Deployment URI: opensso
  • DistAuth Server Protocol: https
  • DistAuth Server Host: da-1.profiq.cz
  • DistAuth Server Port: 8081
  • DistAuth Server Deployment URI: /auth
  • Debug Directory: /opt/debug-auth
  • Debug Level: error
  • Encryption Key: <default>
  • Application user name: authuiadmin
  • Application user password: authuiadmin
  • Confirm Application user password: authuiadmin

DAUI Sanity Tests

TEST: Access Web Server using authentication

https://da-1.profiq.cz:8081/auth/UI/Login?goto=/

  • User Name: testuser1
  • Password: password

https://da-1.profiq.cz:8081/auth/UI/Logout

Expected output:

At first, OpenAM login page is displayed and after login, Web Server page is displayed. Logout should work too.

Warning: If you get an error message, that server is not trusted, it could be caused also by old cookies in your browser (left from previous installations on the same host), this is sometimes difficult to troubleshoot, so if you see this error, try to remove cookies related to servers you use for deployment.

TEST: Access Web Server using authentication with wrong password

https://da-1.profiq.cz:8081/auth/UI/Login?goto=/

  • User Name: testuser1
  • Password: wrongpass

Expected output:

At first, OpenAM login page is displayed. After filling wrong password, authentication should fail and Web Server page shouldn’t be displayed.

References

[1] How to deploy OpenAM with DAUI

[2] Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0

[3] How to set up multiple DAUI instances

[4] Configure an external OpenDJ or OpenDS as the configuration store

[5] Using the Certificate Database Tool

agent daui forgerock openam opendj security system testing

Leave a Reply

Related articles

Tags