Chapter 10   Basic Configurations


This chapter describes configurations typically implemented when you initially deploy iPlanet Directory Server Access Management Edition (DSAME).

Topics in this chapter include:

• Installing the Cross-Domain Single Sign-On Component

• Support for Directory Replication and High Availability

• Support for Directory Replication and High Availability

• Secure Sockets Layer (SSL)

Installing the Cross-Domain Single Sign-On Component

---

The cross-domain single sign-on feature makes it possible for users to authenticate in one domain, and then to use applications in many other domains without having to re-authenticate. Two major components are added to DSAME to implement cross-domain single sign-on:

• Cross-Domain Controller. The controller is responsible for redirecting a request to the authentication service if no Single Sign-On (SSO) information exists, or for redirecting the request to the CDSSO Component with SSO information appended to the query string. The controller is automatically installed when you install DSAME services. The default URL for the controller is http://DSAME_host:DSAME_port/URI/cdcservlet

• Cross-Domain Single Sign-On (CDSSO) Component. The CDSSO component is primarily responsible for handling cookie setting for the domain in which cross-domain single sign-on is deployed. The CDSSO component is installed separately on all participating DNS domains.

Installation Overview

To enable cross-domain single sign-on, you must follow this sequence:

1. Install DSAME Services.

   Follow the instructions in Chapter 8 "Simple Installations With No Existing Directory Server" or in Chapter 9 "Using an Existing Directory Server" on appropriate for your needs.

2. Install the CDSSO component on all participating DNS domains.

   DSAME Services and a remote Web Server must already be installed and running. See "To Install the CDSSO Component" in this chapter.

3. Configure the CDSSO component installed on each participating DNS domain.

   See "To Configure the CDSSO Component".

4. (Optional) Configure DSAME web agents to work with the CDSSO component.

   See "To Configure DSAME Web Agents to Work with the CDSSO Component".

To Install the CDSSO Component

DSAME Services and a remote Web Server must already be installed and running. You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.

1. If you're installing DSAME from the product CD, insert the CD into the drive of the system on which you want to install the software. If you've downloaded the product, unzip the product binaries file.

2. Run the setup.exe program. You'll find the program in the root directory of the CD-ROM. If you've downloaded the product binariers, you'll find the program in the directory where you unzipped the binary files.

   Double-click the setup.exe icon.

   Installation messages are written to log files in the following directory:

   C:\Documents and Settings\Administrator\Local Settings\Temp\

3. Read the License Agreement. When prompted, Do you agree to the license terms? Click Yes (Accept License).

4. In the Components to Be Installed/Uninstalled window, select only DSAME Cross Domain Single Sign-On Component. Deselect all other options, and then click Next.

5. In the Existing Web Server window, a message is displayed saying Existing Web Server has been detected. Click Next to install the Cross-Domain Single Sign-On.

6. In the CDSSO Web Server Information window, provide the following information, and then click Next.

   Host Name: Enter the fully qualified name of the computer system of the Web Server that hosts the participating DNS domain.

   iPlanet Web Server Instance Directory: Enter the full path to the directory where Web Server is installed and the Web Server instance name. It is the Web Server that hosts the participating DNS domain. This Web Server is remote relative to the Web Server that runs DSAME services.

   Web Server Port: Enter the port number of the Web Server specified above.

   Protocol: If the Web Server where the CDSSO component will be installed runs on Secure Socket Layer (SSL) protocol, then select HTTPS. Otherwise, select HTTP.

   CDSSO Deployment URI: The Universal Resource Identifier (URI) indicates where HTML pages used by the CDSSO component are stored. Enter a URI prefix. The default is /amcdsso

7. In the DSAME Services Information window, provide the following information, and then click Next:

   DSAME Services Host: Enter the fully qualified name of the computer system where DSAME Management and Policy Services are installed.

   DSAME Services Port: Enter the port number for the Web Server that runs DSAME services.

   Protocol: If the Web Server where the DSAME is installed runs on Secure Socket Layer (SSL) protocol, then select HTTPS. Otherwise, select HTTP.

   Deployment URI: The Universal Resource Identifier (URI) prefix tells the Web Server where to look for HTML pages associated with a DSAME service and also for other web application specific information like classes and jars. Enter the URI prefix specified during DSAME installation. The default is /amserver

8. In the Currently Selected Settings window, review the configuration information that you've entered. If you need to make changes, click Back. Otherwise, click Next to proceed.

9. In the Ready to Install window, review the installation information. If you need to make changes, click Back. Otherwise, click Install Now to begin the installation.

10. In the Installation Summary window, click Details for a detailed summary of the configuration information that was processed during Installation. Then click Exit to end the program.

To Configure the CDSSO Component

1. Edit AMConfig.properties file of the installed CDSSO component, which is found in the DSAME_root\web-apps\cdsso\WEB-INF\lib directory.

   Set the com.iplanet.services.cdsso.CDCURL property to the URL of the cross-domain controller service running on the DSAME services. For example:

   com.iplanet.services.cdsso.CDCURL = http(s)://DSAME_host:DSAME_port/services/cdcservlet

2. Edit CDSSO.properties file of the installed CDSSO component, which is found in the DSAME_root\web-apps\cdsso\WEB-INF\classes directory.

   Set com.iplanet.services.cdsso.cookieDomain property to the domain name which hosts the CDSSO component. For example:

   com.iplanet.services.cdsso.cookieDomain = .sales.com

   where the CDSSO component is hosted in sales.com domain.

   The com.iplanet.services.cdsso.cookieDomain property specifies the list of domain names on which CDSSO component is running for which the cookie is set. If the property field is left blank, the cookie domain is assumed to be the hosting domain of CDSSO component. Make sure that all the cookie domains are separated with coma (,).

To Configure DSAME Web Agents to Work with the CDSSO Component

You can configure DSAME agents that are installed on remote web servers to work with CDSSO components that are installed on participating DNS domains.

1. Edit the agent's AMConfig.properties file. Change the com.iplanet.am.policy.agents.url.authLoginUrl property to point to the agent's domain's cross-domain single sign-on service URL. For example:

   com.iplanet.am.policy.agents.url.authLoginUrl = http://CDSSO_host:CDSSO_port/CDSSO_URI/cdsso

2. Add the cross-domain single sign-on service URL to the agent's not-enforced list.

Support for Directory Replication and High Availability

---

Load balancing across replicated servers and locating replicated servers closer to users are two ways to improve server performance and response time in your enterprise. You can implement directory replication agreements in your DSAME deployment to increase the availability and performance of the DSAME servers and services. You can set up DSAME directory servers in single-supplier or multi-supplier configurations. You can also configure load-balancers such as iPlanet Directory Access Router to work with DSAME.

Replication Considerations

Configure your directory servers for replication before you install DSAME. This ensures that the supplier and consumer databases are synchronized from the beginning, and gives you a chance to verify that referrals and updates are working properly. The information must be identical in each DSAME database.

When you install DSAME for replication purposes, in each instance of Directory Server and in each instance of DSAME, specify the same values for the following:

• Directory Manager

• Directory Manager Password

• Directory Server Administrator ID

• Server Administrator Password

• Base Suffix

• Default Organization

There may be situations in which you cannot implement directory replication in a DSAME deployment. For example, authentication server host names or IP addresses must be the same. This precludes using geographically separated replicated DSAME servers. The remote servers would not be able to perform authentication against servers that are only local to their respective LANs.

For comprehensive information on planning and implementing Directory Server replication, see the Deployment Guide and the Installation Guide for iPlanet Directory Server. You can access these guides on the Internet at:

http://docs.iplanet.com/docs/manuals/directory.html

Configuring DSAME to Support Directory Replication

You can configure DSAME to work with single-supplier or multi-supplier replication. For each of the configurations pictured in this section, follow the same instructions. See "To Configure DSAME to Work With Directory Replication" of this manual.

Figure 10-1 illustrates a single-supplier configuration where the Consumer is a read-only database. Requests for write operations are referred to the supplier database. This configuration provides some measure of enhanced server performance by distributing the workload to more than one directory.

Figure 10-1    Single-Supplier Replication.

Figure 10-2 illustrates a multi-supplier configuration using multiple instances of DSAME. This configuration provides failover protection as well as high availability, resulting in further enhanced server performance.

Figure 10-2    Multi-Supplier Configuration. Also known as Multi-Master Replication (MMR)

Figure 10-3 illustrates a multi-supplier configuration that includes iPlanet Access Router. This configuration takes full advantage of DSAME support for failover, high availability, and managed load-balancing.

Figure 10-3    Multi-Supplier Replication With Load-Balancer.

To Configure DSAME to Work With Directory Replication

Use the following steps to configure replication at the root or top level of the DSAME directory tree. You can also use these steps to configure replication at the default organization level.

1. Install your supplier and consumer Directory Servers (version 5.1). See the Directory Server Installation Guide for detailed instructions.

2. Set up replication agreements between your supplier and consumer Directory Servers, and then verify that the directory referrals and updates are working properly. See the Directory Server Administrator's Guide for detailed instructions.

3. If you plan to use DSAME with user data from an existing, pre-5.1 Directory Server, you must migrate the user data and make Directory Tree Information (DIT) changes before proceeding. Follow the detailed instructions in Chapter 5 "Using an Existing Directory Server" of this manual. Then skip to step 5.

4. If you are deploying DSAME and Directory Server for the first time, or if you simply do not plan to use existing user data with DSAME, then run the DSAME installation program to install the DSAME Management and Policy services.

   During installation, you'll be asked if you're using an existing Directory Server. You'll answer "yes," and then you'll specify the host name and port number for a supplier Directory Server you installed in step 1.

   For detailed instructions, see "Support for Directory Replication and High Availability".

5. In the Web Server where DSAME Management and Policy services are installed, modify the following file:

   DSAME_root\lib\AMConfig.properties

   1. Modify the following properties to reflect the host and port number of a consumer Directory Server you installed in step 1.
      • com.iplanet.am.directory.host

      • com.iplanet.am.directory.port

   2. Modify the following properties:
      • replica.enabled=true

      • com.iplanet.am.replica.retries

        Specify the number of times DSAME should continue to make the same request when the requested entry is not found.

      • com.iplanet.am.replica.delay.between.retries

        Specify the number of milliseconds DSAME should allow to elapse between retries.

6. In each DSAME Authentication module you've enabled, you must specify the consumer directory that you installed in step 1. In the following substeps, the LDAP Authentication module is used as an example:
   1. In the DSAME console, in the View field, choose Service Management.

   2. In the Service Name column, under Authentication, locate the module you need to reconfigure. In the Properties column, click the arrow that corresponds to module you need to reconfigure.

   3. In the right pane, there are two fields named LDAP Server and Port.
      • In the first field named LDAP Server and Port, enter the host name and port number for your primary (consumer) Directory Server.
        Example: consumer1.madisonparc.com:389

      • In the second field named LDAP Server and Port, enter the host name and port number for your secondary or (supplier) directory.
        Example: supplier1.madisonparc.com:399

   4. Click Submit.

7. In the file DSAME_root\config\ums\serverconfig.xml specify the host name and port number of the consumer directory you installed in step1. Example:

   <iPlanetDataAccessLayer>

   <ServerGroup name="default" minConnPool="1"

   maxConnPool="10">

   <Server name="Server1"

   host="consumer1.madisonparc.com" port="389"

   type="SIMPLE" />

8. Restart DSAME. Use one of the following methods:
   • In a DOS prompt window, enter the following commands:

     cd DSAME_root\bin

     amserver stop

     amserver start

   • From the Start menu, select Programs > Administrative Tools > Services. In the Services window, right-click the icon for DSAME-hostname. From the menu, choose Restart.

Configuring a Load-Balancer to Work With DSAME

You can configure load-balancer such as iPlanet Directory Access Router to work with DSAME. iPlanet Directory Access Router dynamically performs proportional load balancing of LDAP operations across a set of configured directory servers. If one or more directory servers should become unavailable, the load is proportionally redistributed among the remaining servers. When a directory server comes back on line, the load is proportionally and dynamically reallocated.

Figure 10-4    Multi-Master Replication With Managed Load-Balancer.

Using a load-balancer adds a layer of high availability and directory failover protection beyond the basic level that comes with DSAME. For example, when you configure iPlanet Directory Access Router, you can specify what percentage of the load gets redistributed to each of your servers when one server becomes unavailable. iPlanet Directory Access Router continues to manage request traffic, and begins rejecting client queries when all back-end LDAP servers become unavailable.

By comparison, the DSAME high availability feature cannot be configured or managed as precisely. But when you add a load-balancer such as iPlanet Directory Access Router, DSAME seamlessly directs all requests to the application for total management.

If you choose to install a load-balancer, you must configure DSAME to recognize the application.

To Configure DSAME to Work With a Load-Balancer

1. Before you can perform the following steps, you must:
   • Set up your Directory Servers for replication. For comprehensive information about directory replication and for detailed setup instructions, see "Managing Replication" in the iPlanet Directory Server Administrator's Guide.

   • Install and configure your LDAP load-balancer. Follow the instructions in the documentation that comes with the product.

2. In the following file:

   DSAME_root\lib\AMconfig.properties

   modify the following properties to reflect the host and port number of a consumer Directory Server you installed in step 1.

   • com.iplanet.am.directory.host

   • com.iplanet.am.directory.port

3. For each DSAME Authentication module you've enabled, specify the consumer directory that you installed in step 1. In the following substeps, the LDAP Authentication module is used as an example:
   1. In the DSAME console, in the View field, choose Service Management.

   2. In the Service Name column, under Authentication, locate the module you need to reconfigure. In the Properties column, click the arrow that corresponds to module you need to reconfigure.

   3. In the right pane, there are two fields named LDAP Server and Port.
      • In the first field named LDAP Server and Port, enter the host name and port number for your primary (consumer) Directory Server using the form:

        iPlanet_DAR_host.domain_name.com:port_number

      • In the second field named LDAP Server and Port, enter nothing.

   4. Click Submit.

4. In the file: DSAME_root\config\ums\serverconfig.xml specify the host name and port number of the consumer directory you installed in step1. Example:

   <iPlanetDataAccessLayer>

   <ServerGroup name="default" minConnPool="1"

   maxConnPool="10">

   <Server name="Server1

   host="iDAR_hostname.madisonparc.com"port="389"

   type="SIMPLE" />

5. Restart DSAME. Use one of the following methods:
   • In a DOS prompt window, enter the following commands:

     cd DSAME_root\bin

     amserver stop

     amserver start

   • From the Start menu, select Programs > Administrative Tools > Services. In the Services window, right-click the icon for DSAME-hostname. From the menu, choose Restart.

Secure Sockets Layer (SSL)

---

You can use the Secure Sockets Layer (SSL) protocol to provide secure connections between Directory Server and the DSAME services you use in your enterprise. The SSL protocol consists of rules governing server authentication, client authentication, and encrypted communication between servers and clients. When you enable SSL to work with DSAME, the requests and transactions between Directory Server and the DSAME console are encrypted and protected from intrusion by unauthorized entities.

Figure 10-5    How SSL Works in DSAME.

Enabling SSL for DSAME is a two-step process:

• Step 1: Enable LDAP Over SSL

• Step 2: Enable DSAME to Run in SSL Mode

This section explains how to enable SSL for DSAME services and URL access agents. It references the following resources for SSL information, which are appended to this manual for your convenience:

• iPlanet Directory Server Administrator's Guide

  Chapter 11, "Managing SSL"

• iPlanet Web Server Administrator's Guide

  Chapter 5, "Securing Your Web Browser"

For comprehensive information on SSL and on determining your SSL needs, see Chapter 7, "Designing a Secure Directory" in iPlanet Directory Server Deployment Guide. This guide comes with iPlanet Directory Server, and is also available on the Internet at
http://docs.iplanet.com/docs/manuals/directory.html

Step 1: Enable LDAP Over SSL

1. Install a Server Certificate in Directory Server.

   Follow the detailed instructions in "Obtaining and Installing Server Certificates" of this manual to perform the following steps. Or access the iPlanet Directory Server documentation on the Internet at http://docs.iplanet.com/docs/manuals/directory.html

   • Step 1: Generate a Certificate Request

   • Step 2: Send the Certificate Request

   • Step 3: Install the Certificate (on Directory Server)

   • Step 4: Trust the Certificate Authority (Install the Root CA Certificate)

   • Step 5: Confirm That Your New Certificates Are Installed

2. Activate SSL in the Directory Server.

   Follow the detailed instructions in "Activating SSL" of this manual.

3. In the Web Server that runs DSAME services is installed, in the Web Server console, create a trust database.

   Follow the detailed instructions "Creating a Trust Database".

4. In the Web Server that runs DSAME services, install the root CA Certificate for Directory Server's server certificate. (This is the certificate you obtained in Step 2.) Follow the detailed instructions in "Requesting and Installing Other Server Certificates".

5. Edit the following DSAME configuration file:

   DSAME_root\config\ums\serverconfig.xml

   For the server corresponding to the Directory Server configured for SSL, provide the following values:

   port. Enter the SSL port number you specified in Step 2.

   type. Enter SSL.

   Example:

   <?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>

   <iPlanetDataAccessLayer>

   <ServerGroup name="default" minConnPool="1"

   maxConnPool="10">

   <Server name="Server1"

   host="adam.red.madisonparc.com"

   port="636" type="SSL" />

   <User name="User1" type="proxy">

   <DirDN>

   cn=puser,ou=People,o=isp

   </DirDN>

   <DirPassword>

   AQAA5Q9jwkb4pAJ2LGFYRDlqWxXxId+5v4nU

   </DirPassword>

   </User>

6. Restart DSAME. Use one of the following methods:
   • At the command line, enter the following commands:

     cd DSAME_root\bin

     amserver stop

     amserver start

   • From the Start menu, select Programs > Administrative Tools > Services. In the Services window, right-click the icon for DSAME-hostname. From the menu, choose Restart.

7. If the Directory Server is not yet running, you are prompted for the internal key. Enter the key (password) you specified when creating the trust database in Step 3.

When DSAME starts up, its connection to Directory Server will be secured with SSL.

Step 2: Enable DSAME to Run in SSL Mode

When you enable DSAME to run in SSL mode, requests and transactions between the DSAME console and other SSL-configured Web Servers are encrypted and protected from intrusion by unauthorized entities.

1. Login to DSAME as Super Administrator.

2. In Service Name column, choose DSAME Platform.

3. In the Server List box:
   1. Remove this DSAME server from the list. First select its name in the list, and then click Remove.

   2. Change Protocol to https (instead of http).

   3. To add the same server with https, click Add.

4. Edit the following DSAME configuration file: DSAME_root\bin\AMConfig.properties

   Modify values for the following to reflect the HTTPS protocol and new port number (if the port number was changed):

   • com.iplanet.am.server.protocol

   • com.iplanet.am.server.port

   • com.iplanet.am.profile.port

   • com.iplanet.am.naming.url

   • com.iplanet.am.notification.url

5. In the Web Server that runs DSAME services, using the Web Server console, obtain and install a server certificate if one is not already installed.

   
   

   ---

   Note	In the following substeps, the following warning message may display: "Warning: Manual edits not loaded," In this case, click the Apply link in the upper right corner of the console, and then click Load Configuration Files

   ---

   
   

   1. To obtain a server certificate, follow the detailed instructions for "Requesting Other Server Certificates".

   2. To install the server certificate, follow the detailed instructions for "Installing Other Server Certificates".

6. In the Web Server console, select the Web Server that runs DSAME services, and then click Manage.
   1. In the Web Server instance, choose Preferences.

   2. Click Edit Sockets.

   3. In the Security field for the default DSAME port, enter On.

   4. Click OK to save the change.

   5. Click Apply.

   6. To save changes to Web Server configuration files, click Apply Changes.

7. Restart DSAME. Use one of the following methods:
   • In a DOS prompt window, enter the following commands:

     cd DSAME_root\bin

     amserver stop

     amserver start

   • From the Start menu, select Programs > Administrative Tools > Services. In the Services window, right-click the icon for DSAME-hostname. From the menu, choose Restart.