How to deploy OpenAM with DAUI
skatuscak
21.11.2011
The Internet is full of tutorials and steps on how to install and configure individual tools, but sometimes additional steps are required to connect these tutorials together. Sure, there are some deployment guides for complex architectures, but they are typically very complex. The goal of this article is to provide complete but simple steps for installing and configuring ForgeRock’s OpenAM access manager and DAUI (Distributed Authentication User Interface) for authentication. This solution also uses ForgeRock’s OpenDJ directory server as the configuration and user data store.
After you prepare the environment (OS, networking and other prerequisites), installing ForgeRock’s platform by following the manual steps below should take you between 1 and 2 hours.
Preparation
I used the 64-bit version of Ubuntu Server 11.04 as the operating system for the deployment and added the following packages:
sudo apt-get install unzip
sudo apt-get install libxtst-dev
sudo apt-get install ia32-libs
sudo apt-get install libstdc++5
The architecture consists of 3 logical nodes – Directory Server, Access Manager (running on the GlassFish application server) and Distributed Authentication User Interface (running on Sun Web Server). All these nodes can be installed together on 1 system, or they can be split across 2 or 3 different systems.
My objective was to focus on the OpenAM + DAUI integration and avoid spending effort on other elements of the integrated infrastructure (e.g. the web server, the app server or the JDK), so I used the technologies I am most familiar with (Sun middleware). You could try the same procedure on middleware components of your choice, but make sure that you use a supported set of components.
In my environment, I decided to keep it simple and have everything on 1 machine; however, I created a separate virtual hostname for every node. This is set in /etc/hosts:
127.0.1.1 ds-1 ds-1.profiq.cz oam-1 oam-1.profiq.cz da-1 da-1.profiq.cz
To have access to these hostnames, you have to add this setting (with the external IP) to the /etc/hosts file (or Windows equivalent) on your workstation.
Permissions:
In my installation, all products are installed into the /opt directory. Feel free to use any other directory, but make sure that your user has write access to it.
Download:
I have all tools (Sun JDK 1.6.0_26, OpenDJ 2.4.4, GlassFish 2.1.1., OpenAM 9.5.3, Sun Web Server 7.0) downloaded in my home directory /home/profiq.
JDK
The JDK is a dependency of OpenDJ; you need to have it installed first.
In my case I used Sun JDK 1.6.0_26, however similar steps would also work for other JDKs:
Install JDK:
chmod 755 jdk-6u26-linux-x64.bin
./jdk-6u26-linux-x64.bin
mv jdk1.6.0_26 /opt
Set environment variables to use JDK:
export JAVA_HOME=/opt/jdk1.6.0_26
export PATH=$JAVA_HOME/bin:$PATH
Verify that the correct version of Java is used (the Java path is set correctly):
java -version
java version "1.6.0_26"
Java(TM) SE Runtime Environment (build 1.6.0_26-b03)
Java HotSpot(TM) 64-Bit Server VM (build 20.1-b02, mixed mode)
As I use graphical installers in these steps, you need to have graphical access to the machine (directly or via a VNC session), or export the display to your workstation. In my case I exported the display to my workstation:
export DISPLAY=192.168.1.2:0
On my workstation I enabled connections from external machines:
xhost +
OpenDJ
In this environment, OpenDJ is used as the user data store and the AM configuration store.
Installation steps for OpenDJ:
unzip OpenDJ-2.4.4.zip
mv OpenDJ-2.4.4 /opt/
cd /opt/OpenDJ-2.4.4/
./setup
1. Welcome: Next
2. Server Settings
- Host Name: ds-1.profiq.cz
- LDAP Listener Port: 1389
- Administration Connector Port: 4444
- LDAP Secure Access: disabled
- Root User DN: cn=Directory Manager
- Password: dsmanager
- Password (confirm): dsmanager
3. Topology Options: This will be a stand alone server
4. Directory Data
- Directory Base DN: dc=example,dc=com
- Directory Data: Only Create Base Entry
5. Runtime Options: Next
6. Review: Start Server when Configuration has Completed
7. Finished: Close
To use OpenDJ as a configuration store, you need to enable multiple structural objectclasses:
/opt/OpenDJ-2.4.4/bin/dsconfig -h ds-1.profiq.cz -p 4444 -D "cn=Directory Manager" -w dsmanager -X -n --advanced set-global-configuration-prop --set single-structural-objectclass-behavior:accept
After changing the configuration store settings you need to restart OpenDJ to apply the changes:
/opt/OpenDJ-2.4.4/bin/stop-ds
/opt/OpenDJ-2.4.4/bin/start-ds
You need at least a very basic user base:
cat << EOF > /tmp/am-users.ldif
dn: ou=users,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: users
description: Container for user entries

dn: ou=Groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups
description: Container for group entries

dn: uid=testuser1,ou=users,dc=example,dc=com
uid: testuser1
givenName: Test
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
sn: User1
cn: Test User1
userPassword: password
EOF
Now you can load user data to LDAP:
/opt/OpenDJ-2.4.4/bin/ldapmodify -h ds-1.profiq.cz -p 1389 -D "cn=Directory Manager" -w dsmanager -a -f /tmp/am-users.ldif
Processing ADD request for ou=users,dc=example,dc=com
ADD operation successful for DN ou=users,dc=example,dc=com
Processing ADD request for ou=Groups,dc=example,dc=com
ADD operation successful for DN ou=Groups,dc=example,dc=com
Processing ADD request for uid=testuser1,ou=users,dc=example,dc=com
ADD operation successful for DN uid=testuser1,ou=users,dc=example,dc=com
OpenDJ Sanity Test
TEST: Search test user
Steps:
/opt/OpenDJ-2.4.4/bin/ldapsearch -b "dc=example,dc=com" -p 1389 -D "cn=Directory Manager" -w dsmanager "uid=test*"
Expected output:
dn: uid=testuser1,ou=users,dc=example,dc=com
userPassword: {SSHA}USaAWTd9qWVINQ8+X+vAFxgtapz+iSguMH9TZQ==
givenName: Test
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: top
uid: testuser1
cn: Test User1
sn: User1
GlassFish
As GlassFish 3 is not yet supported by OpenAM, I used GlassFish 2.1.1. If you install it on a different system, you need to install the JDK there too.
GlassFish install:
cd /opt
java -Xmx256m -jar ~/glassfish-installer-v2.1.1-b31g-linux.jar
- uncheck Enable autoupdate
- Accept
Now start the configuration script using ant:
cd /opt/glassfish
chmod -R +x lib/ant/bin
lib/ant/bin/ant -f setup.xml
You can use the default GlassFish domain, or you can create a custom one. I decided to create a dedicated domain for OpenAM:
cd /opt/glassfish/bin
./asadmin create-domain --domaindir /opt/glassfish/domains --adminport 8989 --user domain2adm --instanceport 1080 oamdomain
Please enter the admin password> domain2pwd
Please enter the admin password again> domain2pwd
Please enter the master password [Enter to accept the default]:> domain2master
Please enter the master password again [Enter to accept the default]:> domain2master
Using port 8989 for Admin.
Using port 1080 for HTTP Instance.
Using default port 7676 for JMS.
Using default port 3700 for IIOP.
Using default port 8181 for HTTP_SSL.
Using default port 3820 for IIOP_SSL.
Using default port 3920 for IIOP_MUTUALAUTH.
Using default port 8686 for JMX_ADMIN.
Domain being created with profile:developer, as specified by variable AS_ADMIN_PROFILE in configuration file.
------ Using Profile [developer] to create the domain ------
XML processing for profile: Base document [/opt/glassfish/lib/install/templates/default-domain.xml.template]. Profile name [developer]. Processing property [domain.xml.style-sheets].
Security Store uses: JKS
Domain oamdomain created.
Now modify domain.xml for the domain, to meet OAM requirements:
cd /opt/glassfish/domains/oamdomain/config
sed "s/-client/-server/" -i domain.xml
sed "s/-Xmx512m/-Xmx1024m/" -i domain.xml
And start the domain:
cd /opt/glassfish/domains/oamdomain/bin
./startserv
admin username:domain2adm
admin password: domain2pwd
master password: domain2master
Redirecting output to /opt/glassfish/domains/oamdomain/logs/server.log
You can watch the server status by tailing the log file:
tail -f /opt/glassfish/domains/oamdomain/logs/server.log
Now that the domain is running, deploy OpenAM (the file is still called opensso.war):
cd /opt/glassfish/bin
./asadmin deploy --user domain2adm --host oam-1.profiq.cz --port=8989 --contextroot opensso --name opensso --target server /home/profiq/opensso/deployable-war/opensso.war
Please enter the admin password> domain2pwd
Command deploy executed successfully.
GlassFish Sanity Tests
TEST: Login to admin console
Steps:
http://oam-1.profiq.cz:8989
- User Name: domain2adm
- Password: domain2pwd
Expected output:
You are successfully logged in and out of admin console.
TEST: Access the domain page
Steps:
http://oam-1.profiq.cz:1080
Expected output:
GlassFish page is displayed.
OpenAM
Now set up OpenAM; the link to access it would look like http://oam-1.profiq.cz:1080/opensso (with your OpenAM host/port).
Create New Configuration
1. General
- Password: oamadmin
- Confirm Password: oamadmin
2. Server Settings:
- Server URL: http://oam-1.profiq.cz:1080
- Cookie Domain: .profiq.cz
- Platform Locale: en_US
- Configuration Directory: /opt/oam-config
3. Configuration Data Store Settings
- First Instance
- OpenDS or Sun Java System Directory Server
- SSL/TLS enabled: uncheck
- Host Name: ds-1.profiq.cz
- Port: 1389
- Encryption Key: <default>
- Root Suffix: dc=example,dc=com
- Login ID: cn=Directory Manager
- Password: dsmanager
4. User Data Store Settings
- User Data Store Type: OpenDS
- SSL/TLS enabled: uncheck
- Directory Name: ds-1.profiq.cz
- Port: 1389
- Root Suffix: dc=example,dc=com
- Login ID: cn=Directory Manager
- Password: dsmanager
5. Site Configuration
- Part of site configuration: No
6. Default Policy User Agent
- Password: agentuser
- Confirm Password: agentuser
7. Summary
- Create Configuration
Configuration Complete!
OK, you are done with setup, but you still need to configure it:
Proceed to Login
Sign in to OpenAM
- User Name: amadmin
- Password: oamadmin
Access Control -> / (Top Level Realm)
- Realm Attributes -> New Value: da-1.profiq.cz (the host where DAUI will run)
Add -> Save -> Data Stores -> OpenDS
- LDAP Groups Container Naming Attribute: ou
- LDAP Groups Container Value: groups
- LDAP People Container Naming Attribute: ou
- LDAP People Container Value: users
Save -> Back to Data Stores -> Subjects
- Test User1 is displayed
Authentication -> All Core Settings…
- User Profile: Ignored
Save -> Back to Authentication -> Back to Access Control -> / (Top Level Realm) -> Agents -> 2.2 Agents -> New…
- Name: authuiadmin
- Password: authuiadmin
- Re-Enter Password: authuiadmin
Create -> Log Out
OpenAM Sanity Tests
TEST: Login as a test user
Steps:
http://oam-1.profiq.cz:1080/opensso
- User Name: testuser1
- Password: password
http://oam-1.profiq.cz:1080/opensso/UI/Logout
Expected output:
User is successfully logged in and out.
TEST: Login as an agent user
http://oam-1.profiq.cz:1080/opensso
- User Name: authuiadmin
- Password: authuiadmin
http://oam-1.profiq.cz:1080/opensso/UI/Logout
Expected output:
User is successfully logged in and out.
Web Server
Installation:
mkdir /home/profiq/ws-64
cd /home/profiq/ws-64
unzip ../V19747-01.zip
./setup
1. Welcome: Next
2. Software License Agreement: Yes
3. Installation Directory: /opt/ws7
4. Select the Type of Installation: Custom
5. Component Selection: Server Core, Administration Command Line Interface
6. Java Configuration: Install Java SE Development Kit (JDK) 1.6.0_17
7. Administration Options: Create an Administration Server and a Web Server Instance
8. Administration Server Settings
- Host Name: da-1.profiq.cz
- SSL Port: 8990 (this number would be 8989 by default, but GlassFish is using this port now)
- Create a non-SSL Port: uncheck
- Administration User Name: admin
- Administration Password: web4dmin
- Retype Password: web4dmin
9. Web Server Settings
- Server Name: da-1.profiq.cz
- HTTP Port: 8080
- Create a Document Root
10. Ready to Install:
- Start Administration Server: check
- Install Now
11. Skip Registration
12. Installation Complete: Finish
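The admin SSL port had to move from the default 8989 to 8990 because GlassFish already listens on 8989 on this single machine. The script below is an added example (not part of the original article) that checks a port plan against the /etc/hosts mapping used above and flags any two services that resolve to the same IP and port; the hosts line and the port plan are constructed samples taken from the values used in this deployment.

```shell
#!/bin/sh
# Added pre-flight check (not from the original article): with all three
# logical nodes on one machine, every hostname in /etc/hosts maps to the
# same address, so two services planned on the same port collide even
# when their hostnames differ (e.g. Web Server admin vs. GlassFish admin
# on 8989). The hosts line and port plan below are constructed samples.

HOSTS_SAMPLE='127.0.1.1 ds-1 ds-1.profiq.cz oam-1 oam-1.profiq.cz da-1 da-1.profiq.cz'

# Port plan, one "service host port" triple per line (Web Server admin
# still on the default 8989, which this check should reject).
PLAN_SAMPLE='opendj-ldap ds-1.profiq.cz 1389
opendj-admin ds-1.profiq.cz 4444
glassfish-admin oam-1.profiq.cz 8989
glassfish-http oam-1.profiq.cz 1080
ws7-admin-ssl da-1.profiq.cz 8989
ws7-http da-1.profiq.cz 8080'

# resolve_host NAME HOSTS_TEXT -> prints the IP for NAME, or nothing.
resolve_host() {
  printf '%s\n' "$2" | awk -v name="$1" '
    /^[ \t]*(#|$)/ { next }
    { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }'
}

# port_conflicts PLAN_TEXT HOSTS_TEXT -> one line per IP:port claimed by
# more than one service, listing those services; prints nothing if clean.
port_conflicts() {
  plan=$1; hosts=$2
  printf '%s\n' "$plan" | while read -r svc host port; do
    [ -n "$svc" ] || continue
    ip=$(resolve_host "$host" "$hosts")
    [ -n "$ip" ] || ip="UNRESOLVED($host)"
    printf '%s:%s %s\n' "$ip" "$port" "$svc"
  done | sort | awk '
    { n[$1]++; who[$1] = who[$1] " " $2 }
    END { for (k in n) if (n[k] > 1) print k ":" who[k] }'
}

# check_plan PLAN_TEXT HOSTS_TEXT -> exit status 1 and a report on stderr
# when the plan has collisions, 0 otherwise.
check_plan() {
  out=$(port_conflicts "$1" "$2")
  if [ -n "$out" ]; then
    printf 'port conflicts:\n%s\n' "$out" >&2
    return 1
  fi
  return 0
}
```

Run check_plan with your own plan before starting the installers; changing the ws7-admin-ssl line to 8990, as done in the steps above, makes the sample plan pass.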
Web Server Sanity Tests
TEST: Login to admin console
Steps:
https://da-1.profiq.cz:8990
- User Name: admin
- Password: web4dmin
Expected output:
You are successfully logged in and out of admin console.
DAUI
First you need to create a WAR file for DAUI (if OpenAM is installed on a different system, it is fine to create the WAR file there and then copy it to the WS machine):
cd /home/profiq/opensso
mkdir war-staging
cd war-staging
jar xf ../deployable-war/opensso.war
cd ../deployable-war
chmod +x createwar.sh
./createwar.sh -s ../war-staging -t distauth -w auth.war
Now the WS is installed and the WAR file is ready, so you can deploy DAUI:
cd /opt/ws7/bin
./wadm add-webapp --user=admin --host=da-1.profiq.cz --port=8990 --config=da-1.profiq.cz --vs=da-1.profiq.cz --uri=/auth /home/profiq/opensso/deployable-war/auth.war
Please enter admin-user-password> web4dmin
CLI201 Command 'add-webapp' ran successfully
./wadm deploy-config --user=admin --host=da-1.profiq.cz --port=8990 da-1.profiq.cz
Please enter admin-user-password> web4dmin
CLI201 Command 'deploy-config' ran successfully
And now start it:
cd /opt/ws7/https-da-1.profiq.cz/bin
./startserv
Sun Java System Web Server 7.0U8 (64-Bit) B01/20/2010 08:17
info: CORE5076: Using [Java HotSpot(TM) 64-Bit Server VM, Version 1.6.0_17] from [Sun Microsystems Inc.]
info: WEB0100: Loading web module in virtual server [da-1.profiq.cz] at [/auth]
info: HTTP3072: http-listener-1: http://da-1.profiq.cz:8080 ready to accept requests
info: CORE3274: successful server startup
And configure it (use link to your DAUI hostname/port):
http://da-1.profiq.cz:8080/auth
- Server Protocol: http
- Server Host: oam-1.profiq.cz
- Server Port: 1080
- Server Deployment URI: opensso
- DistAuth Server Protocol: http
- DistAuth Server Host: da-1.profiq.cz
- DistAuth Server Port: 8080
- DistAuth Server Deployment URI: /auth
- Debug Directory: /opt/debug-auth
- Debug Level: error
- Encryption Key: <default>
- Application user name: authuiadmin
- Application user password: authuiadmin
- Confirm Application user password: authuiadmin
DAUI Sanity Tests
TEST: Access Web Server using authentication
http://da-1.profiq.cz:8080/auth/UI/Login?goto=/
- User Name: testuser1
- Password: password
http://da-1.profiq.cz:8080/auth/UI/Logout
Expected output:
At first, the OpenAM login page is displayed; after login, the Web Server page is displayed. Logout should work too.
Warning: If you get an error message that the server is not trusted, it can also be caused by old cookies in your browser (left over from previous installations on the same host). This is sometimes difficult to troubleshoot, so if you see this error, try removing the cookies related to the servers used in your deployment.
TEST: Access Web Server using authentication with wrong password
http://da-1.profiq.cz:8080/auth/UI/Login?goto=/
- User Name: testuser1
- Password: wrongpass
Expected output:
At first, the OpenAM login page is displayed. After entering the wrong password, authentication should fail and the Web Server page should not be displayed.
References
[1] Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0
[2] How to set up multiple DAUI instances
[3] Configure an external OpenDJ or OpenDS as the configuration store
Hi there,
just sharing some notes on your very detailed, otherwise excellent article:
* DUAI is actually DAUI (as it is Distributed Authentication User Interface instead of “Distrubutive Agent User Interface” or “Distributive Authentication User Interface” 😉 ), also good to know it is also known as DAS in some places
* “Now you can load user date to LDAP” -> data typo
* please mention which version of OpenAM you used for this article, as some steps might change in future versions of the product
* Although you can install the configuration store and the user store to the same suffix, it is not recommended. It’s better if you create a separate “base DN” for the config
* You could also use the testuser generation feature of the OpenDJ installer, that way the default LDAP container name/value would be correct as ou=people
* In the DAUI WAR generation part you’re using a non-referenced temp directory instead of war-staging
Anyway, keep up the good work and keep these great articles coming!
Regards,
Peter from [2] 😉
Hi Peter,
Thanks a lot for your comments. I already fixed most of the things that you mentioned.
Good to see that Forge Rock people read our blog 🙂
Regards,
Slavo