
How to deploy OpenAM with DAUI

The Internet is full of tutorials on how to install and configure individual tools, but connecting those tutorials together often requires extra steps. There are deployment guides for complex architectures, but they are typically very complex themselves. The goal of this article is to provide complete but simple steps for installing and configuring ForgeRock’s OpenAM access manager with DAUI (Distributed Authentication User Interface) for authentication. The solution also uses ForgeRock’s OpenDJ directory server as the configuration and user data store.

After you prepare the environment (OS, networking and other prerequisites), installing the ForgeRock platform by following the manual steps below should take between 1 and 2 hours.

Preparation

I used the 64-bit version of Ubuntu Server 11.04 as the operating system for the deployment and added the following packages:

sudo apt-get install unzip
sudo apt-get install libxtst-dev
sudo apt-get install ia32-libs
sudo apt-get install libstdc++5

The architecture consists of 3 logical nodes: Directory Server, Access Manager (running on the GlassFish application server) and Distributed Authentication User Interface (running on Sun Web Server). All of these nodes can be installed together on 1 system, or they can be split across 2 or 3 different systems.

My objective was to focus on the OpenAM + DAUI integration and avoid spending effort on other elements of the integrated infrastructure (e.g. the web server, the app server or the JDK), so I used the technologies that I’m most familiar with (Sun middleware). You could try the same procedure with middleware components of your choice, but make sure that you use a supported set of components.

In my environment, I decided to keep it simple and put everything on 1 machine; however, I created a separate virtual hostname for every node. This is set in /etc/hosts:

127.0.1.1 ds-1 ds-1.profiq.cz oam-1 oam-1.profiq.cz da-1 da-1.profiq.cz

To access these hostnames from your workstation, add the same entry (with the server’s external IP) to the /etc/hosts file (or its Windows equivalent) on your workstation.

Permissions:

In my installation, all products are installed into the /opt directory. Feel free to use any other directory, but make sure that your user has write access to it.

Download:

I have all tools (Sun JDK 1.6.0_26, OpenDJ 2.4.4, GlassFish 2.1.1, OpenAM 9.5.3, Sun Web Server 7.0) downloaded to my home directory, /home/profiq.

JDK

The JDK is a dependency of OpenDJ, so you need to have it installed first.

In my case I used Sun JDK 1.6.0_26; similar steps should also work for other JDKs:

Install JDK:

chmod 755 jdk-6u26-linux-x64.bin
./jdk-6u26-linux-x64.bin
mv jdk1.6.0_26 /opt

Set environment variables to use JDK:

export JAVA_HOME=/opt/jdk1.6.0_26
export PATH=$JAVA_HOME/bin:$PATH

Verify that the correct version of Java is used (i.e. that the Java path is set correctly):

java -version
java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)

As I use graphical installers in these steps, you need graphical access to the machine (directly or through a VNC session), or you need to export the display to your workstation. In my case I exported the display to my workstation:

export DISPLAY=192.168.1.2:0

On my workstation I enabled connections from external machines:

xhost +

OpenDJ

In this environment, OpenDJ is used as the user data store and the AM configuration store.

Installation steps for OpenDJ:

unzip OpenDJ-2.4.4.zip
mv OpenDJ-2.4.4 /opt/
cd /opt/OpenDJ-2.4.4/
./setup

1. Welcome: Next

2. Server Settings

  • Host Name: ds-1.profiq.cz
  • LDAP Listener Port: 1389
  • Administration Connector Port: 4444
  • LDAP Secure Access: disabled
  • Root User DN: cn=Directory Manager
  • Password: dsmanager
  • Password (confirm): dsmanager

3. Topology Options: This will be a stand alone server

4. Directory Data

  • Directory Base DN: dc=example,dc=com
  • Directory Data: Only Create Base Entry

5. Runtime Options: Next

6. Review: Start Server when Configuration has Completed

7. Finished: Close

To use OpenDJ as a configuration store, you need to enable multiple structural objectclasses:

/opt/OpenDJ-2.4.4/bin/dsconfig -h ds-1.profiq.cz -p 4444 \
    -D "cn=Directory Manager" -w dsmanager -X -n \
    --advanced set-global-configuration-prop \
    --set single-structural-objectclass-behavior:accept

After changing the configuration store settings, you need to restart OpenDJ to apply the changes:

/opt/OpenDJ-2.4.4/bin/stop-ds
/opt/OpenDJ-2.4.4/bin/start-ds

You need a user base, even if only a very basic one:

cat << EOF > /tmp/am-users.ldif
dn: ou=users,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: users
description: Container for user entries

dn: ou=Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups
description: Container for group entries

dn: uid=testuser1,ou=users,dc=example,dc=com
uid: testuser1
givenName: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: User1
cn: Test User1
userPassword: password
EOF

Now you can load the user data into LDAP:

/opt/OpenDJ-2.4.4/bin/ldapmodify -h ds-1.profiq.cz -p 1389 \
    -D "cn=Directory Manager" -w dsmanager -a -f /tmp/am-users.ldif
Processing ADD request for ou=users,dc=example,dc=com
ADD operation successful for DN ou=users,dc=example,dc=com
Processing ADD request for ou=Groups,dc=example,dc=com
ADD operation successful for DN ou=Groups,dc=example,dc=com
Processing ADD request for uid=testuser1,ou=users,dc=example,dc=com
ADD operation successful for DN uid=testuser1,ou=users,dc=example,dc=com

OpenDJ Sanity Test

TEST: Search test user

Steps:

/opt/OpenDJ-2.4.4/bin/ldapsearch -b "dc=example,dc=com" -p 1389 \
    -D "cn=Directory Manager" -w dsmanager "uid=test*"

Expected output:

dn: uid=testuser1,ou=users,dc=example,dc=com
userPassword: {SSHA}USaAWTd9qWVINQ8+X+vAFxgtapz+iSguMH9TZQ==
givenName: Test
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: top
uid: testuser1
cn: Test User1
sn: User1
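
The LDIF above was loaded with a cleartext userPassword, and the expected output shows it stored as {SSHA}. The following check is an added example, not part of the original article: it reads ldapsearch output and flags entries whose password is not stored under a hashing scheme. The function name, the treatment of {CLEAR} and {BASE64} as reversible, and the second sample are assumptions made for illustration; the first sample is taken from the expected output above.

```shell
#!/bin/sh
# Added example, not from the original article.
# check_password_storage reads ldapsearch LDIF on stdin and prints the DN of
# every entry whose userPassword is not protected by a hashing scheme.
# Returns 0 when nothing is flagged, 1 otherwise.
check_password_storage() {
    flagged=0
    dn=""
    while IFS= read -r line; do
        case $line in
            "dn: "*)            dn=${line#dn: }; continue ;;
            # "::" marks a base64-encoded LDIF value: decode before inspecting
            "userPassword:: "*) val=$(printf '%s' "${line#userPassword:: }" | base64 -d 2>/dev/null) ;;
            "userPassword: "*)  val=${line#userPassword: } ;;
            *)                  continue ;;
        esac
        case $val in
            "{CLEAR}"*|"{BASE64}"*) why="reversible scheme" ;;
            "{"?*"}"*)              continue ;;  # other named scheme, e.g. {SSHA}
            *)                      why="no scheme prefix" ;;
        esac
        printf '%s [%s]\n' "$dn" "$why"
        flagged=1
    done
    [ "$flagged" -eq 0 ]
}

# Taken from the article's expected ldapsearch output (hashed by OpenDJ)
SAMPLE_HASHED='dn: uid=testuser1,ou=users,dc=example,dc=com
userPassword: {SSHA}USaAWTd9qWVINQ8+X+vAFxgtapz+iSguMH9TZQ==
uid: testuser1'

# Constructed entries: a reversible scheme and a base64-encoded cleartext value
SAMPLE_WEAK='dn: uid=testuser2,ou=users,dc=example,dc=com
userPassword: {CLEAR}password

dn: uid=testuser3,ou=users,dc=example,dc=com
userPassword:: cGFzc3dvcmQ='

printf '%s\n' "$SAMPLE_HASHED" | check_password_storage && echo "hashed sample: ok"
printf '%s\n' "$SAMPLE_WEAK" | check_password_storage || echo "weak sample: flagged"
```

To run it against the live directory, pipe the ldapsearch command from the sanity test into check_password_storage.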

GlassFish

As GlassFish 3 is not yet supported by OpenAM, I used GlassFish 2.1.1. If you install it on a different system, you need to install the JDK there as well.

GlassFish install:

cd /opt
java -Xmx256m -jar ~/glassfish-installer-v2.1.1-b31g-linux.jar
  • uncheck Enable autoupdate
  • Accept

Now start the configuration script using ant:

cd /opt/glassfish
chmod -R +x lib/ant/bin
lib/ant/bin/ant -f setup.xml

You can use the default GlassFish domain, or you can create a custom one. I decided to create a dedicated domain for OpenAM:

cd /opt/glassfish/bin
./asadmin create-domain --domaindir /opt/glassfish/domains --adminport 8989 \
    --user domain2adm --instanceport 1080 oamdomain

Please enter the admin password> domain2pwd
Please enter the admin password again> domain2pwd
Please enter the master password [Enter to accept the default]:>
    domain2master
Please enter the master password again [Enter to accept the default]:> 
    domain2master

Using port 8989 for Admin.
Using port 1080 for HTTP Instance.
Using default port 7676 for JMS.
Using default port 3700 for IIOP.
Using default port 8181 for HTTP_SSL.
Using default port 3820 for IIOP_SSL.
Using default port 3920 for IIOP_MUTUALAUTH.
Using default port 8686 for JMX_ADMIN.
Domain being created with profile:developer, as specified by variable 
    AS_ADMIN_PROFILE in configuration file.
------ Using Profile [developer] to create the domain ------
XML processing for profile: Base document 
    [/opt/glassfish/lib/install/templates/default-domain.xml.template].
    Profile name [developer]. Processing property [domain.xml.style-sheets].

Security Store uses: JKS
Domain oamdomain created.

Now modify domain.xml for the domain to meet the OpenAM requirements:

cd /opt/glassfish/domains/oamdomain/config
sed "s/-client/-server/" -i domain.xml
sed "s/-Xmx512m/-Xmx1024m/" -i domain.xml

And start the domain:

cd /opt/glassfish/domains/oamdomain/bin
./startserv
admin username:domain2adm
admin password: domain2pwd
master password: domain2master
Redirecting output to /opt/glassfish/domains/oamdomain/logs/server.log

You can watch the server status by tailing the log file:

tail -f /opt/glassfish/domains/oamdomain/logs/server.log

Now that the domain is running, deploy OpenAM (the file is still called opensso.war):

cd /opt/glassfish/bin
./asadmin deploy --user domain2adm --host oam-1.profiq.cz --port=8989 \
    --contextroot opensso --name opensso --target server \
    /home/profiq/opensso/deployable-war/opensso.war
Please enter the admin password> domain2pwd
Command deploy executed successfully.

GlassFish Sanity Tests

TEST: Login to admin console

Steps:

http://oam-1.profiq.cz:8989

  • User Name: domain2adm
  • Password: domain2pwd
Logout

Expected output:

You are successfully logged in and out of admin console.

TEST: Access the domain page

Steps:

http://oam-1.profiq.cz:1080

Expected output:

GlassFish page is displayed.

OpenAM

Now set up OpenAM. The URL will look like http://oam-1.profiq.cz:1080/opensso (with your OpenAM host/port).

Create New Configuration

1. General

  • Password: oamadmin
  • Confirm Password: oamadmin

2. Server Settings:

  • Server URL: http://oam-1.profiq.cz:1080
  • Cookie Domain: .profiq.cz
  • Platform Locale: en_US
  • Configuration Directory: /opt/oam-config

3. Configuration Data Store Settings

  • First Instance
  • OpenDS or Sun Java System Directory Server
  • SSL/TLS enabled: uncheck
  • Host Name: ds-1.profiq.cz
  • Port: 1389
  • Encryption Key: <default>
  • Root Suffix: dc=example,dc=com
  • Login ID: cn=Directory Manager
  • Password: dsmanager

4. User Data Store Settings

  • User Data Store Type: OpenDS
  • SSL/TLS enabled: uncheck
  • Directory Name: ds-1.profiq.cz
  • Port: 1389
  • Root Suffix: dc=example,dc=com
  • Login ID: cn=Directory Manager
  • Password: dsmanager

5. Site Configuration

  • Part of site configuration: No

6. Default Policy User Agent

  • Password: agentuser
  • Confirm Password: agentuser

7. Summary

  • Create Configuration

Configuration Complete!

OK, you are done with the setup, but you still need to configure it:

Proceed to Login

Sign in to OpenAM

  • User Name: amadmin
  • Password: oamadmin

Access Control -> / (Top Level Realm)

  • Realm Attributes -> New Value: da-1.profiq.cz (host where DAUI would run)

Add -> Save -> Data Stores -> OpenDS

  • LDAP Groups container Naming Attribute : ou
  • LDAP Groups Container Value: groups
  • LDAP People Container Naming Attribute : ou
  • LDAP People Container Value: users

Save -> Back to Data Stores -> Subjects

  • Test User1 is displayed

Authentication -> All Core Settings…

  • User Profile: Ignored

Save -> Back to Authentication -> Back to Access Control -> / (Top Level Realm) -> Agents -> 2.2 Agents -> New…

  • Name: authuiadmin
  • Password: authuiadmin
  • Re-Enter Password: authuiadmin

Create -> Log Out

OpenAM Sanity Tests

TEST: Login as a test user

Steps:

http://oam-1.profiq.cz:1080/opensso

  • User Name: testuser1
  • Password: password

http://oam-1.profiq.cz:1080/opensso/UI/Logout

Expected output:

User is successfully logged in and out.

TEST: Login as an agent user

http://oam-1.profiq.cz:1080/opensso

  • User Name: authuiadmin
  • Password: authuiadmin

http://oam-1.profiq.cz:1080/opensso/UI/Logout

Expected output:

User is successfully logged in and out.

Web Server

Installation:

mkdir /home/profiq/ws-64
cd /home/profiq/ws-64
unzip ../V19747-01.zip
./setup

1. Welcome: Next

2. Software License Agreement: Yes

3. Installation Directory: /opt/ws7

4. Select the Type of Installation: Custom

5. Component Selection: Server Core, Administration Command Line Interface

6. Java Configuration: Install Java SE Development Kit (JDK) 1.6.0_17

7. Administration Options: Create an Administration Server and a Web Server Instance

8. Administration Server Settings

  • Host Name: da-1.profiq.cz
  • SSL Port: 8990 (this number would be 8989 by default, but GlassFish is using this port now)
  • Create a non-SSL Port: uncheck
  • Administration User Name: admin
  • Administration Password: web4dmin
  • Retype Password: web4dmin

9. Web Server Settings

  • Server Name: da-1.profiq.cz
  • HTTP Port: 8080
  • Create a Document Root

10. Ready to Install:

  • Start Administration Server: check
  • Install Now

11. Skip Registration

12. Installation Complete: Finish

Web Server Sanity Tests

TEST: Login to admin console

Steps:

https://da-1.profiq.cz:8990

  • User Name: admin
  • Password: web4dmin
Logout

Expected output:

You are successfully logged in and out of admin console.

DAUI

First you need to create a WAR file for DAUI (if OpenAM is installed on a different system, it is OK to create the WAR file there and then copy it to the Web Server machine):

cd /home/profiq/opensso
mkdir war-staging
cd war-staging
jar xf ../deployable-war/opensso.war
cd ../deployable-war
chmod +x createwar.sh
./createwar.sh -s ../war-staging -t distauth -w auth.war

Now that the Web Server is installed and the WAR file is ready, you can deploy DAUI:

cd /opt/ws7/bin
./wadm add-webapp --user=admin --host=da-1.profiq.cz --port=8990 \
    --config=da-1.profiq.cz --vs=da-1.profiq.cz --uri=/auth \
    /home/profiq/opensso/deployable-war/auth.war
Please enter admin-user-password> web4dmin
CLI201 Command 'add-webapp' ran successfully
./wadm deploy-config --user=admin --host=da-1.profiq.cz --port=8990 \
    da-1.profiq.cz
Please enter admin-user-password> web4dmin
CLI201 Command 'deploy-config' ran successfully

And now start it:

cd /opt/ws7/https-da-1.profiq.cz/bin
./startserv
Sun Java System Web Server 7.0U8 (64-Bit) B01/20/2010 08:17
info: CORE5076: Using [Java HotSpot(TM) 64-Bit Server VM, Version 1.6.0_17]
    from [Sun Microsystems Inc.]
info: WEB0100: Loading web module in virtual server [da-1.profiq.cz] at
    [/auth]
info: HTTP3072: http-listener-1: http://da-1.profiq.cz:8080 ready to accept
    requests
info: CORE3274: successful server startup

And configure it (use the link to your DAUI hostname/port):

http://da-1.profiq.cz:8080/auth

  • Server Protocol: http
  • Server Host: oam-1.profiq.cz
  • Server Port: 1080
  • Server Deployment URI: opensso
  • DistAuth Server Protocol: http
  • DistAuth Server Host: da-1.profiq.cz
  • DistAuth Server Port: 8080
  • DistAuth Server Deployment URI: /auth
  • Debug Directory: /opt/debug-auth
  • Debug Level: error
  • Encryption Key: <default>
  • Application user name: authuiadmin
  • Application user password: authuiadmin
  • Confirm Application user password: authuiadmin

DAUI Sanity Tests

TEST: Access Web Server using authentication

http://da-1.profiq.cz:8080/auth/UI/Login?goto=/

  • User Name: testuser1
  • Password: password

http://da-1.profiq.cz:8080/auth/UI/Logout

Expected output:

At first, the OpenAM login page is displayed; after login, the Web Server page is displayed. Logout should work too.

Warning: If you get an error message saying that the server is not trusted, it may be caused by old cookies in your browser (left over from previous installations on the same host). This is sometimes difficult to troubleshoot, so if you see this error, try removing the cookies related to the servers you use for the deployment.

TEST: Access Web Server using authentication with wrong password

http://da-1.profiq.cz:8080/auth/UI/Login?goto=/

  • User Name: testuser1
  • Password: wrongpass

Expected output:

At first, the OpenAM login page is displayed. After entering the wrong password, authentication should fail and the Web Server page shouldn’t be displayed.

References

[1] Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0

[2] How to set up multiple DAUI instances

[3] Configure an external OpenDJ or OpenDS as the configuration store

2 Responses to “How to deploy OpenAM with DAUI”

  1. Peter Major says:

    Hi there,

    just sharing some notes on your very detailed otherwise excellent article:
    * DUAI is actually DAUI (as it is Distributed Authentication User Interface instead of “Distrubutive Agent User Interface” or “Distributive Authentication User Interface” 😉 ), also good to know it is also known as DAS in some places
    * “Now you can load user date to LDAP” -> data typo
    * please mention which version of OpenAM did you use for this article, as some steps might change in future versions of the product
    * Although you can install the configuration store and the user store to the same suffix, it is not recommended. It’s better if you create a separate “base DN” for the config
    * You could also use the testuser generation feature of the OpenDJ installer, that way the default LDAP container name/value would be correct as ou=people
    * In the DAUI WAR generation part you’re using a non-referenced temp directory instead of war-staging

    Anyways, keep up the good work and keep these great articles coming!

    Regards,
    Peter from [2] 😉

  2. skatuscak says:

    Hi Peter,

    Thanks a lot for your comments. I already fixed most of the things that you mentioned.
    Good to see that Forge Rock people read our blog 🙂

    Regards,
    Slavo
