Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0

Chapter 4 Installing Sun Java System Directory Server and Creating Instances for Sun OpenSSO Enterprise User Data

This chapter contains instructions for installing Sun Java™ System Directory Server and creating the instances in which Sun OpenSSO Enterprise user data will be stored. Additionally, the procedure for enabling multi-master replication between the two instances and the procedure for configuring the user data load balancer are included. This chapter contains the following sections:


Note –

If you have an existing user data store, you can go directly to the instructions in Chapter 5, Deploying and Configuring OpenSSO Enterprise followed by Chapter 6, Configuring OpenSSO Enterprise Realms for User Authentication.


4.1 Installing and Configuring Directory Server 1 and Directory Server 2

This section contains the instructions for installing Directory Server on two different host machines and creating the directory instances named am-users in which the OpenSSO Enterprise user data will be stored. Use the following list of procedures as a checklist for completing the task.

  1. To Download the Directory Server Bits and Required Patches to the Directory Server Host Machines

  2. To Patch the Directory Server Host Machines

  3. To Install Directory Server 1

  4. To Create an OpenSSO Enterprise User Data Instance on Directory Server 1

  5. To Create a Base Suffix for the User Data Instance on Directory Server 1

  6. To Install Directory Server 2

  7. To Create an OpenSSO Enterprise User Data Instance on Directory Server 2

  8. To Create a Base Suffix for the User Data Instance on Directory Server 2

Procedure: To Download the Directory Server Bits and Required Patches to the Directory Server Host Machines

Use this procedure to download the Directory Server Enterprise Edition (EE) 6.1 bits and the required system patches to both the Directory Server 1 host machine (ds-1.example.com) and the Directory Server 2 host machine (ds-2.example.com).

  1. Access http://www.sun.com/software/products/directory_srvr_ee/get.jsp from a web browser and click Download Now.

  2. Provide the following information in the Select product configuration section and click View Downloads.

    Step 1: Select Component

    Directory Server Enterprise Edition

    Step 2: Select Version

    6.1

    Step 3: Select Delivery Type

    Compress Archive (ZIP)

    Step 4: Select Platform

    Choose the platform you are using.

    The Selection Results page will be displayed with links to the download sites for the Directory Server bits and required patches.


    Note –

    The patch numbers generated for download on the Selection Results page are based on your input. Check the most recent Directory Server Enterprise Edition 6.1 Release Notes to determine if you need to install other patches based on your machine's architecture and operating system. In this deployment, the Release Notes indicate that based on the hardware and operating system being used, patch 118855-36, patch 119964-08, and patch 122033-05 are required.


  3. Log in to the ds-1 host machine as a root user.

  4. Run patchadd to see if the patches are already installed.

    See the patchadd man page for more information.


    # patchadd -p | grep 118855-36
    

    No results are returned which indicates that the patch is not yet installed on the system.


    # patchadd -p | grep 119964-08
    

    No results are returned which indicates that the patch is not yet installed on the system.


    # patchadd -p | grep 122033-05
    

    No results are returned which indicates that the patch is not yet installed on the system.


    Note –

    If these patches are already installed on your machine, proceed to step 7.


  5. Make a directory for the patch downloads and change into it.


    # mkdir /export/patches
    # cd /export/patches
    
  6. Download the patches.

    You can click on the patch links from the Selection Results page or search for patches directly at http://sunsolve.sun.com. If searching directly, navigate to the PatchFinder page and enter the patch number. For each patch you are downloading, click the HTTP link beside the heading Download Signed Patch (xxx bytes).


    Note –

    Signed patches are downloaded as JAR files. Unsigned patches are downloaded as ZIP files. In this step, ZIP files are downloaded.


  7. Make a directory for the Directory Server download and change into it.


    # mkdir /export/DS61
    # cd /export/DS61
    
  8. Download the Base Full Install of Directory Server EE 6.1 — Zip Distribution, Multi-Language, (DS/DPS/DE/ISW/DSRK) bits.


    Note –

    No Directory Server Administration Console is installed with these bits. This deployment example uses the command line to configure the software.


  9. Log out of the ds-1 host machine.

  10. Repeat this same procedure on the ds-2 host machine.

Procedure: To Patch the Directory Server Host Machines

If necessary, use this procedure to patch both the ds-1 host machine and the ds-2 host machine.

  1. Log in to the ds-1 host machine as a root user.

  2. Change into the directory that contains the downloaded patch files.


    # cd /export/patches
    
  3. Unzip the patch files.


    # unzip 118855-36.zip
    # unzip 119964-08.zip
    # unzip 122033-05.zip
    
  4. Install the patches.


    # patchadd /export/patches/118855-36
    # patchadd /export/patches/119964-08
    # patchadd /export/patches/122033-05
    

    Tip –

    You can use the -M option to install all patches at once. See the patchadd man page for more information.


  5. Reboot your machine, if requested.

  6. After installation is complete, verify that each patch was added successfully.


    # patchadd -p | grep 118855-36
    

    A series of patch numbers are displayed, and the patch 118855-36 is present.


    # patchadd -p | grep 119964-08
    

    A series of patch numbers are displayed, and the patch 119964-08 is present.


    # patchadd -p | grep 122033-05
    

    A series of patch numbers are displayed, and the patch 122033-05 is present.

  7. Log out of the ds-1 host machine.

  8. Repeat this same procedure on the ds-2 host machine.
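The verification in step 6 above greps for each patch number literally, which does not recognize a newer revision of the same patch (an installed 118855-40 already satisfies a requirement for 118855-36) or a patch that obsoletes it, so a correctly patched host can look unpatched. The following shell function is an added example, not part of the deployment guide: it reads patchadd -p output and prints only the required patches that are still unsatisfied. It assumes the Solaris 10 "Patch: ID Obsoletes: ... Requires: ..." line layout of patchadd -p and treats a requirement as met when the same patch base ID is present, directly or through an Obsoletes entry, at the required revision or higher.

```shell
#!/bin/sh
# Added example: report required Solaris patches that are not yet satisfied.
# Assumes "patchadd -p" prints one line per installed patch in the form
#   Patch: 118855-40 Obsoletes: 118855-19 Requires: ... Incompatibles: ... Packages: ...
# A requirement is satisfied when the same patch base ID is installed (or
# obsoleted by an installed patch) at the required revision or higher.

# Usage: patchadd -p | missing_patches 118855-36 119964-08 122033-05
# Prints one line per required patch that is still missing; prints nothing
# when everything is in place.
missing_patches() {
    awk -v want="$*" '
        function base(p) { sub(/-.*/, "", p); return p }
        function rev(p)  { sub(/.*-/, "", p); return p + 0 }
        # Remember the highest revision seen for each patch base ID.
        function note(p,   b) {
            if (p !~ /^[0-9]+-[0-9]+$/) return
            b = base(p)
            if (!(b in have) || rev(p) > have[b]) have[b] = rev(p)
        }
        $1 == "Patch:" {
            note($2)
            # Everything between "Obsoletes:" and "Requires:" is satisfied too.
            for (i = 3; i <= NF && $i != "Requires:"; i++) note($i)
        }
        END {
            n = split(want, req, " ")
            for (i = 1; i <= n; i++) {
                b = base(req[i])
                if (!(b in have) || have[b] < rev(req[i])) print req[i]
            }
        }'
}

# Wrapper for the real host: exit status 1 and a list of what is missing.
check_patches() {
    missing=$(patchadd -p | missing_patches "$@")
    if [ -n "$missing" ]; then
        echo "missing patches:" >&2
        echo "$missing" >&2
        return 1
    fi
    echo "all required patches present"
}
```

Run check_patches 118855-36 119964-08 122033-05 on each Directory Server host before and after patching; a non-zero exit makes it usable as a gate in a provisioning script.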

Procedure: To Install Directory Server 1

Before You Begin

This procedure assumes that To Download the Directory Server Bits and Required Patches to the Directory Server Host Machines and To Patch the Directory Server Host Machines have been completed.

  1. Log in to the ds-1 host machine as a root user.

  2. (Optional) Resolve the following issues, if necessary.

    • The LD_LIBRARY_PATH environment variable should not be set to the default setting. Change the value to empty as in the following example:


      # setenv LD_LIBRARY_PATH
      
    • The JAVA_HOME environment variable should be set appropriately for your system architecture as in the following example:


      # setenv JAVA_HOME /usr/jdk/jdk1.5.0_09
      
  3. Unzip the Directory Server ZIP file.


    # cd /export/DS61
    # ls
    
    DSEE.6.1.Solaris10-X86_AMD64-full.tar.gz
    
    # gunzip DSEE.6.1.Solaris10-X86_AMD64-full.tar.gz
    
  4. Untar the resulting .tar file.


    # tar xvf DSEE.6.1.Solaris10-X86_AMD64-full.tar
    

    The DSEE_ZIP_Distribution directory is the result of the decompression.

  5. Change into DSEE_ZIP_Distribution and run dsee_deploy install to install Directory Server.


    # cd DSEE_ZIP_Distribution
    # ./dsee_deploy install -i /var/opt/mps/serverroot
    

    The Licensing Agreement is displayed. At each Type return to continue prompt, press Return to continue.

  6. When Do you accept the license terms? is displayed, enter yes to continue.

    Once you accept the license terms, the Directory Server binaries will be installed in the /var/opt/mps/serverroot/ds6 directory.

Procedure: To Create an OpenSSO Enterprise User Data Instance on Directory Server 1

Use this procedure to create a Directory Server instance named am-users for storing user data. The instance uses port 1489 for LDAP and port 1736 for LDAPS. It will be populated with user data in 4.5 Importing Test Users.

Before You Begin

This procedure assumes you have just completed To Install Directory Server 1 and are still logged into the ds-1 host machine as a root user.

  1. Change to the bin directory.


    # cd /var/opt/mps/serverroot/ds6/bin
    
  2. Run dsadm create to create a user data instance called am-users.


    # ./dsadm create -p 1489 -P 1736 /var/opt/mps/am-users
    
    Choose the Directory Manager password: dsmanager
    
    Confirm the Directory Manager password: dsmanager
    
    use 'dsadm start /var/opt/mps/am-users' to start the instance
  3. Run dsadm start to start the instance.


    # ./dsadm start /var/opt/mps/am-users
    
    Server started: pid=5810
  4. Run netstat to verify that the new instance is up and running on both ports.


    # netstat -an | grep 1736
    
    .1736		*.*		0		0  65536		0 LISTEN
    .1736		*.*		0		0  65536		0 LISTEN
    
    # netstat -an | grep 1489
    
    .1489		*.*		0		0  65536		0 LISTEN
    .1489		*.*		0		0  65536		0 LISTEN
  5. Run ldapsearch to verify that you can read the root Directory Server entry of the new instance.


    # cd /var/opt/mps/serverroot/dsrk6/bin
    # ./ldapsearch -h ds-1.example.com \
    -p 1489 -b "" -s base "(objectclass=*)"
    
    version: 1
    dn:
    objectClass: top
    ...
    supportedLDAPVersion: 3
    vendorname: Sun Microsystems, Inc.
    vendorVersion: Sun-Java(tm)-System-Directory/6.1
    ...

Procedure: To Create a Base Suffix for the User Data Instance on Directory Server 1

Use this procedure to create the base suffix in which the user entries will be stored.

Before You Begin

This procedure assumes you have just completed To Create an OpenSSO Enterprise User Data Instance on Directory Server 1 and are still logged into the ds-1 host machine as a root user.

  1. Run dsconf create-suffix to create a base suffix.


    # ./dsconf create-suffix -p 1489 -B dbExample \
    -L /var/opt/mps/am-users/db/exampleDS dc=company,dc=com
    
  2. Provide the appropriate information when prompted.


    Certificate "CN=ds-1, CN=1736, CN=directory Server, O=Sun Microsystems" 
    presented by the server is not trusted.
    
    Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
    
    Enter "cn=Directory Manager" password: dsmanager
    

    Tip –

    When you enter an uppercase Y, you are not asked for the certificate again in the next steps.


  3. Run dsconf list-suffixes to verify that the base suffix was successfully created.


    # ./dsconf list-suffixes -p 1489
    
    Enter "cn=Directory Manager" password: dsmanager
    
    dc=company,dc=com

    If the base suffix was successfully created, dc=company,dc=com is returned. You can also see am-users in a command line list of directory instances.


    # cd /var/opt/mps
    # ls
    
    am-users serverroot
  4. Log out of the ds-1 host machine.

Procedure: To Install Directory Server 2

Before You Begin

This procedure assumes that To Download the Directory Server Bits and Required Patches to the Directory Server Host Machines and To Patch the Directory Server Host Machines have been completed.

  1. Log in to the ds-2 host machine as a root user.

  2. (Optional) Resolve the following issues, if necessary.

    • The LD_LIBRARY_PATH environment variable should not be set to the default setting. Change the value to empty as in the following example:


      # setenv LD_LIBRARY_PATH
      
    • The JAVA_HOME environment variable should be set appropriately for your system architecture as in the following example:


      # setenv JAVA_HOME /usr/jdk/jdk1.5.0_09
      
  3. Unzip the Directory Server ZIP file.


    # cd /export/DS61
    # ls
    
    DSEE.6.1.Solaris10-X86_AMD64-full.tar.gz
    
    # gunzip DSEE.6.1.Solaris10-X86_AMD64-full.tar.gz
    
  4. Untar the resulting .tar file.


    # tar xvf DSEE.6.1.Solaris10-X86_AMD64-full.tar
    

    The DSEE_ZIP_Distribution directory is the result of the decompression.

  5. Change into DSEE_ZIP_Distribution and run dsee_deploy install to install Directory Server.


    # cd DSEE_ZIP_Distribution
    # ./dsee_deploy install -i /var/opt/mps/serverroot
    

    The Licensing Agreement is displayed. At each Type return to continue prompt, press Return to continue.

  6. When Do you accept the license terms? is displayed, enter yes to continue.

    Once you accept the license terms, the Directory Server binaries will be installed in the /var/opt/mps/serverroot/ds6 directory.

Procedure: To Create an OpenSSO Enterprise User Data Instance on Directory Server 2

Use this procedure to create a Directory Server instance named am-users for storing user data. The instance uses port 1489 for LDAP and port 1736 for LDAPS. It will be populated with user data in 4.5 Importing Test Users.

Before You Begin

This procedure assumes you have just completed To Install Directory Server 2 and are still logged into the ds-2 host machine as a root user.

  1. Change to the bin directory.


    # cd /var/opt/mps/serverroot/ds6/bin
    
  2. Run dsadm create to create a user data instance called am-users.


    # ./dsadm create -p 1489 -P 1736 /var/opt/mps/am-users
    
    Choose the Directory Manager password: dsmanager
    
    Confirm the Directory Manager password: dsmanager
    
    use 'dsadm start /var/opt/mps/am-users' to start the instance
  3. Run dsadm start to start the instance.


    # ./dsadm start /var/opt/mps/am-users
    
    Server started: pid=5810
  4. Run netstat to verify that the new instance is up and running on both ports.


    # netstat -an | grep 1736
    
    .1736		*.*		0		0  65536		0 LISTEN
    .1736		*.*		0		0  65536		0 LISTEN
    
    # netstat -an | grep 1489
    
    .1489		*.*		0		0  65536		0 LISTEN
    .1489		*.*		0		0  65536		0 LISTEN
  5. Run ldapsearch to verify that you can read the root Directory Server entry of the new instance.


    # cd /var/opt/mps/serverroot/dsrk6/bin
    # ./ldapsearch -h ds-2.example.com \
    -p 1489 -b "" -s base "(objectclass=*)"
    
    version: 1
    dn:
    objectClass: top
    ...
    supportedLDAPVersion: 3
    vendorname: Sun Microsystems, Inc.
    vendorVersion: Sun-Java(tm)-System-Directory/6.1
    ...

Procedure: To Create a Base Suffix for the User Data Instance on Directory Server 2

Use this procedure to create the base suffix in which the user entries will be stored.

Before You Begin

This procedure assumes you have just completed To Create an OpenSSO Enterprise User Data Instance on Directory Server 2 and are still logged into the ds-2 host machine as a root user.

  1. Run dsconf create-suffix to create a base suffix.


    # ./dsconf create-suffix -p 1489 -B dbExample \
    -L /var/opt/mps/am-users/db/exampleDS dc=company,dc=com
    
  2. Provide the appropriate information when prompted.


    Certificate "CN=ds-2, CN=1736, CN=directory Server, O=Sun Microsystems" 
    presented by the server is not trusted.
    
    Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
    
    Enter "cn=Directory Manager" password: dsmanager
    

    Tip –

    When you enter an uppercase Y, you are not asked for the certificate again in the next steps.


  3. Run dsconf list-suffixes to verify that the base suffix was successfully created.


    # ./dsconf list-suffixes -p 1489
    
    Enter "cn=Directory Manager" password: dsmanager
    
    dc=company,dc=com

    If the base suffix was successfully created, dc=company,dc=com is returned. You can also see am-users in a command line list of directory instances.


    # cd /var/opt/mps
    # ls
    
    am-users serverroot
  4. Log out of the ds-2 host machine.

4.2 Enabling Multi-Master Replication of the User Data Instances

This section contains the instructions to enable multi-master replication (MMR) between two Directory Server instances, each configured as a master. This includes creating replication agreements between the masters and initializing the second directory master with the data and schema from the first directory master. The previously created am-users user data instances will serve as the two master instances. Use the following list of procedures as a checklist for completing the task.

  1. To Enable Multi-Master Replication for User Data Instance on Directory Server 1

  2. To Enable Multi-Master Replication for User Data Instance on Directory Server 2

  3. To Change the Default Replication Manager Password for Each User Data Instance

  4. To Create Replication Agreements for Each User Data Instance

  5. To Initialize the Replication Agreements

  6. To Verify Successful User Data Replication

Procedure: To Enable Multi-Master Replication for User Data Instance on Directory Server 1

  1. Log in to the ds-1 host machine as a root user.

  2. (Optional) Run dsconf list-suffixes to verify that the user data instance is not already enabled for replication.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf list-suffixes -p 1489 -v
    
    Enter "cn=Directory Manager" password: dsmanager
    ...
    dc=company,dc=com 	1		not-replicated		N/A		N/A		29	0
    
    The "list-suffixes" operation succeeded on "ds-1.example.com:1489"

    The base suffix of the user data instance is not replicated.

  3. Run dsconf enable-repl to enable replication of the user data instance.


    # ./dsconf enable-repl -h ds-1.example.com -p 1489 \
    -d 11 master dc=company,dc=com
    
    Enter "cn=Directory Manager" password: dsmanager
    
    Use "dsconf create-repl-agmt" to create replication agreements on
    "dc=company,dc=com".

    The -d option takes a replica identifier of your choosing that represents the Directory Server 1 user data instance (11 here); master indicates that the user data instance is a master and not a read-only replica. The base suffix is specified as dc=company,dc=com.

  4. Run dsconf list-suffixes again to verify that the instance is now enabled for replication.


    # ./dsconf list-suffixes -p 1489 -v
    
    Enter "cn=Directory Manager" password: dsmanager
    ...
    dc=company,dc=com 	1		master(11)		N/A		N/A		29	0
    
    The "list-suffixes" operation succeeded on 
    "ds-1.example.com:1489"

    The base suffix of the instance is master(11) indicating that the master was successfully enabled.

  5. Log out of the ds-1 host machine.

Procedure: To Enable Multi-Master Replication for User Data Instance on Directory Server 2

  1. Log in to the ds-2 host machine as a root user.

  2. (Optional) Run dsconf list-suffixes to verify that the user data instance is not already enabled for replication.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf list-suffixes -p 1489 -v
    
    Enter "cn=Directory Manager" password: dsmanager
    ...
    dc=company,dc=com 	1		not-replicated		N/A		N/A		29	0
    
    The "list-suffixes" operation succeeded on "ds-2.example.com:1489"

    The base suffix of the user data instance is not replicated.

  3. Run dsconf enable-repl to enable replication of the user data instance.


    # ./dsconf enable-repl -h ds-2.example.com -p 1489 \
    -d 22 master dc=company,dc=com
    
    Enter "cn=Directory Manager" password: dsmanager
    
    Use "dsconf create-repl-agmt" to create replication agreements on
    "dc=company,dc=com".

    The -d option takes a replica identifier of your choosing that represents the Directory Server 2 user data instance (22 here); master indicates that the user data instance is a master and not a read-only replica. The base suffix is specified as dc=company,dc=com.

  4. Run dsconf list-suffixes again to verify that the instance is now enabled for replication.


    # ./dsconf list-suffixes -p 1489 -v
    
    Enter "cn=Directory Manager" password: dsmanager
    ...
    dc=company,dc=com 	1		master(22)		N/A		N/A		29		0
    
    The "list-suffixes" operation succeeded on 
    "ds-2.example.com:1489"

    The base suffix of the instance is master(22) indicating that the master was successfully enabled.

  5. Log out of the ds-2 host machine.

Procedure: To Change the Default Replication Manager Password for Each User Data Instance

The replication manager is the user that data suppliers use to bind to the consumer server when sending replication updates. (In MMR the consumer server refers to whichever master happens to be the consumer for a particular operation.) It is recommended to change the default password created during the process of enabling replication.

  1. Log in to the ds-1 host machine as a root user.

  2. Create a temporary file that contains the new replication manager password.

    This file will be read once, and the password stored for future use.


    # cd /var/opt/mps/serverroot/ds6/bin
    # echo replmanager > pwd.txt
    
  3. Verify that the file was successfully created.


    # cat pwd.txt
    
    replmanager
  4. Run dsconf set-server-prop to set the replication manager password using pwd.txt as input.


    # ./dsconf set-server-prop -h ds-1.example.com -p 1489 \
    def-repl-manager-pwd-file:pwd.txt
    
    Enter "cn=Directory Manager" password: dsmanager
    
  5. Remove the pwd.txt file.

  6. Log out of the ds-1 host machine.

  7. Log in to the ds-2 host machine as a root user.

  8. Create a temporary file that contains the new replication manager password.

    This file will be read once, and the password stored for future use.


    # cd /var/opt/mps/serverroot/ds6/bin
    # echo replmanager > pwd.txt
    
  9. Verify that the file was successfully created.


    # cat pwd.txt
    
    replmanager
  10. Run dsconf set-server-prop to set the replication manager password using pwd.txt as input.


    # ./dsconf set-server-prop -h ds-2.example.com -p 1489 \
    def-repl-manager-pwd-file:pwd.txt
    
    Enter "cn=Directory Manager" password: dsmanager
    
  11. Remove the pwd.txt file.

  12. Log out of the ds-2 host machine.

Procedure: To Create Replication Agreements for Each User Data Instance

A replication agreement is a set of parameters on a supplier that controls how updates are sent to a given consumer. In this deployment, we are simply making the user data instances aware of each other.

  1. Log in to the ds-1 host machine as a root user.

  2. Run dsconf create-repl-agmt to create the replication agreement.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf create-repl-agmt -h ds-1.example.com \
     -p 1489 dc=company,dc=com ds-2.example.com:1489
    
    Enter "cn=Directory Manager" password: dsmanager
    
    Use "dsconf init-repl-dest dc=company,dc=com ds-2.example.com:1489" 
    to start replication of "dc=company,dc=com" data.
  3. Run dsconf list-repl-agmts to verify that the replication agreement was successfully created.


    # ./dsconf list-repl-agmts -p 1489
    
    Enter "cn=Directory Manager" password: dsmanager
    
    dc=company,dc=com ds-2.example.com:1489

    This response indicates that the Directory Server 1 base suffix will be replicated to Directory Server 2.

  4. Log out of the ds-1 host machine.

  5. Log in to the ds-2 host machine as a root user.

  6. Run dsconf create-repl-agmt to create the replication agreement.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf create-repl-agmt -h ds-2.example.com -p 1489 \
    dc=company,dc=com ds-1.example.com:1489
    
    Enter "cn=Directory Manager" password: dsmanager
    
    Use "dsconf init-repl-dest dc=company,dc=com ds-1.example.com:1489" 
    to start replication of "dc=company,dc=com" data.
  7. Run dsconf list-repl-agmts to verify that the replication agreement was successfully created.


    # ./dsconf list-repl-agmts -p 1489
    
    Enter "cn=Directory Manager" password: dsmanager
    
    dc=company,dc=com ds-1.example.com:1489

    This response indicates that the Directory Server 2 base suffix will be replicated to Directory Server 1.

  8. Log out of the ds-2 host machine.

Procedure: To Initialize the Replication Agreements

Use this procedure to initialize the user data instance on Directory Server 1. The previously created agreements will replicate the data to Directory Server 2.


Note –

Initialization is not required on both instances when configuring for MMR.


  1. Log in to the ds-1 host machine as a root user.

  2. Run dsconf show-repl-agmt-status to verify that the replication agreements are not yet initialized.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsconf show-repl-agmt-status -h ds-1.example.com \
     -p 1489 dc=company,dc=com ds-2.example.com:1489
    
    Enter "cn=Directory Manager" password: dsmanager
    
    Configuration Status 		: OK
    Authentication Status		: OK
    Initialization Status		: NOT OK
    
    Status:						: Dest. Not Initialized
  3. Run dsconf init-repl-dest to initialize the replication agreements.


    # ./dsconf init-repl-dest -h ds-1.example.com \
     -p 1489 dc=company,dc=com ds-2.example.com:1489
    
    Enter "cn=Directory Manager" password: dsmanager
    
    Started initialization of "ds-2.example.com:1489"; Aug 25, 2008 3:10:01 PM
    Sent 2 entries.
    Completed initialization of "ds-2.example.com:1489"; Aug 25, 2008 3:10:04 PM
  4. Run dsconf show-repl-agmt-status again to verify that the replication agreements are now initialized.


    # ./dsconf show-repl-agmt-status -h ds-1.example.com \
     -p 1489 dc=company,dc=com ds-2.example.com:1489
    
    Enter "cn=Directory Manager" password: dsmanager
    
    Configuration Status 		: OK
    Authentication Status		: OK
    Initialization Status		: OK
    
    Status:						: Enabled
    Last Update Date				:  Aug 25, 2008 3:10:08 PM

Procedure: To Verify Successful User Data Replication

Before You Begin

This procedure assumes you have just completed To Initialize the Replication Agreements and are still logged into the ds-1 host machine as a root user.

  1. Run ldapmodify on the ds-1 host machine to create a new directory entry.


    # cd /var/opt/mps/serverroot/dsrk6/bin
    # ./ldapmodify -a -h ds-1.example.com -p 1489 \
     -D cn=admin,cn=Administrators,cn=config -w dsmanager
    
    dn: ou=People,dc=company,dc=com
    objectclass: top
    objectclass: organizationalUnit
    ou: People
    description: Container for user entries
    
    Hit ENTER to indicate end of input.
    
    adding new entry ou=People,dc=company,dc=com
    
    Hit Control C to terminate the command.
    
    ^C
    

    This step creates a new organizational unit on Directory Server 1.

  2. After the entry is created, log in to the ds–2 host machine as a root user.

  3. Run ldapsearch on Directory Server 2 to verify that the directory entry was successfully replicated.


    # cd /var/opt/mps/serverroot/dsrk6/bin
    # ./ldapsearch -b "dc=company,dc=com" -p 1489 \
    -D "cn=Directory Manager" -w dsmanager \
    "objectclass=organizationalUnit"
    
    version: 1
    dn: ou=People,dc=company,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: People
    description: Container for user entries
  4. Now run ldapdelete on Directory Server 2 to delete the entry just created.


    # ./ldapdelete -h ds-2.example.com -p 1489 \
     -D "cn=Directory Manager" -w dsmanager \
    "ou=People,dc=company,dc=com"
    
  5. Now, as a root user on Directory Server 1, run ldapsearch to verify that the entry was deleted.


    # ./ldapsearch -b "dc=company,dc=com" \
    -p 1489 -D "cn=Directory Manager" -w dsmanager \
    "objectclass=organizationalUnit"
    

    The search will return no results as the delete was successfully replicated.

  6. Log out of both Directory Server host machines.
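The procedure above verifies replication once, by hand, with the Directory Manager password typed on the command line where it lands in shell history and process listings. The script below is an added example, not part of the deployment guide, that turns the same checks into a repeatable health check for the two am-users masters: it parses dsconf show-repl-agmt-status output for each agreement, then performs the add, replicate, delete, replicate round trip with a uniquely named throw-away entry and waits for each step to propagate instead of assuming it has. It assumes the tool paths used in this chapter, that dsconf -w and the DSRK ldap tools' -j option read the Directory Manager password from a file (an assumption; the guide uses interactive prompts and -w with a literal password), and a hypothetical password file path in PWFILE.

```shell
#!/bin/sh
# Added example (not from the deployment guide): replication health check for
# the am-users MMR pair. Run with REPL_CHECK_RUN=1 on the ds-1 host; without
# it only the functions are defined so the parsing helpers can be reused.
DS6_BIN=/var/opt/mps/serverroot/ds6/bin
DSRK_BIN=/var/opt/mps/serverroot/dsrk6/bin
SUFFIX="dc=company,dc=com"
MASTER1=ds-1.example.com:1489
MASTER2=ds-2.example.com:1489
# Hypothetical file holding the Directory Manager password (mode 0600);
# assumes dsconf -w and the DSRK ldap tools' -j read a password file.
PWFILE=${PWFILE:-/var/opt/mps/dm-pw.txt}

# Reads "dsconf show-repl-agmt-status" output on stdin. Succeeds only when
# configuration, authentication and initialization are all OK and the
# agreement status is Enabled; anything else ("Dest. Not Initialized") fails.
repl_agmt_healthy() {
    awk -F': *' '
        { v = $NF; sub(/[ \t]+$/, "", v) }
        /Configuration Status/  { conf = v }
        /Authentication Status/ { auth = v }
        /Initialization Status/ { init = v }
        /^[ \t]*Status:/        { stat = v }
        END { exit !(conf == "OK" && auth == "OK" && init == "OK" && stat == "Enabled") }'
}

# LDIF for a throw-away organizationalUnit used as a replication probe.
marker_ldif() {
    printf 'dn: %s\nobjectclass: top\nobjectclass: organizationalUnit\nou: %s\ndescription: replication probe, safe to delete\n' "$1" "$2"
}

# wait_for_entry host:port dn seconds 1|0 -- polls until the entry is present
# (1) or absent (0) on that master; ldapsearch exits non-zero when the base
# DN does not exist.
wait_for_entry() {
    host=${1%:*} port=${1#*:} dn=$2 timeout=$3 want=$4 i=0
    while [ "$i" -lt "$timeout" ]; do
        if "$DSRK_BIN/ldapsearch" -h "$host" -p "$port" -D "cn=Directory Manager" -j "$PWFILE" \
              -b "$dn" -s base "(objectclass=*)" >/dev/null 2>&1; then found=1; else found=0; fi
        [ "$found" = "$want" ] && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

# Add on $1, expect it on $2, delete on $2, expect it gone from $1.
repl_roundtrip() {
    ou="replcheck-$(date +%s)-$$"; dn="ou=$ou,$SUFFIX"
    marker_ldif "$dn" "$ou" | "$DSRK_BIN/ldapmodify" -a -h "${1%:*}" -p "${1#*:}" \
        -D "cn=Directory Manager" -j "$PWFILE" >/dev/null || return 1
    wait_for_entry "$2" "$dn" 30 1 || { echo "add did not replicate $1 -> $2" >&2; return 1; }
    "$DSRK_BIN/ldapdelete" -h "${2%:*}" -p "${2#*:}" -D "cn=Directory Manager" -j "$PWFILE" "$dn" \
        >/dev/null || return 1
    wait_for_entry "$1" "$dn" 30 0 || { echo "delete did not replicate $2 -> $1" >&2; return 1; }
    echo "round trip $1 <-> $2 OK"
}

main() {
    # Both agreements must be healthy before the round trip means anything.
    for pair in "$MASTER1 $MASTER2" "$MASTER2 $MASTER1"; do
        set -- $pair
        "$DS6_BIN/dsconf" show-repl-agmt-status -h "${1%:*}" -p "${1#*:}" -w "$PWFILE" "$SUFFIX" "$2" \
            | repl_agmt_healthy || { echo "agreement $1 -> $2 is not healthy" >&2; return 1; }
    done
    repl_roundtrip "$MASTER1" "$MASTER2"
}

if [ "${REPL_CHECK_RUN:-0}" = 1 ]; then main; fi
```

The probe entry name carries a timestamp and PID so concurrent runs never collide, and the delete is issued on the second master so that both directions of the agreement are exercised, exactly as steps 1 to 5 above do by hand.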

4.3 Enabling Secure Communication for the Directory Server User Data Instances

By default, when an instance of Directory Server is created (in this case, am-users), its SSL port is secured with a self-signed certificate named defaultCert. A self-signed certificate is signed with its own private key, so no third party vouches for the public key it carries. The am-users instances, though, need to use a server certificate signed by a certificate authority (CA) to allow for secure communication between the instances and the soon-to-be-installed user data load balancer. This entails installing, on both Directory Server host machines, the server certificate signed by the CA and the CA's root certificate, which confirms the CA's signature. Use the following list of procedures as a checklist for completing this task.

  1. To Install a Root Certificate and a Server Certificate on Directory Server 1

  2. To Install a Root Certificate and a Server Certificate on Directory Server 2

Procedure: To Install a Root Certificate and a Server Certificate on Directory Server 1

Before You Begin

You should already have a root certificate from the CA of your choice. Send server certificate requests to the same CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Log in to the ds-1 host machine as a root user.

  2. Generate a request for a server certificate signed by a CA.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsadm request-cert -S "CN=ds-1.example.com, OU=OpenSSO Enterprise, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" \
    -F ascii -o ds-1.csr /var/opt/mps/am-users
    

    ds-1.csr is the certificate request.

  3. Send ds-1.csr to the CA of your choice.

    The CA issues and returns a certified server certificate named ds-1.cer.

  4. Add ds-1.cer, the CA-signed server certificate, to the certificate store.


    # ./dsadm add-cert /var/opt/mps/am-users ds-1 ds-1.cer
    
  5. (Optional) Verify that the certificate was successfully added.


    # ./dsadm list-certs /var/opt/mps/am-users
    

    A list of certificates for the am-users instance is displayed including the defaultCert and ds-1.

  6. Add ca.cer, the root certificate, to the certificate store.


    # ./dsadm add-cert --ca /var/opt/mps/am-users CA-cert ca.cer
    
  7. (Optional) Verify that the root certificate was successfully added.


    # ./dsadm list-certs -C /var/opt/mps/am-users | grep CA-cert
    
    CA-cert
    2007/09/20 11:41  2010/06/17 11:41  n  
    E=nobody@nowhere.com,CN=openssltestca,OU=am,
    O=sun,L=santa clara,ST=california,C=us  Same as issuer
  8. Configure the Directory Server instance to use the imported certificates.


    # ./dsconf set-server-prop -h ds-1.example.com \
    -p 1489 ssl-rsa-cert-name:ds-1
    
    Enter "cn=Directory Manager" password: dsmanager
    
    Before setting SSL configuration, export Directory Server data.
    
    Do you want to continue [y/n] ?  y
    
    Directory Server must be restarted for changes to take effect.
  9. Restart the Directory Server instance.


    # ./dsadm stop /var/opt/mps/am-users
    # ./dsadm start /var/opt/mps/am-users
    
    Server started: pid=5472
  10. Run ldapsearch on Directory Server 1 to verify that the directory entries can be accessed through the secure port.


    # cd /var/opt/mps/serverroot/dsrk6/bin
    # ./ldapsearch -h ds-1.example.com -p 1736 \
    -Z -P /var/opt/mps/am-users/alias/slapd-cert8.db \
    -b "" -s base "(objectclass=*)"
    
    version: 1
    dn:
    objectClass: top
    namingContexts: dc=company,dc=com
    supportedExtension: 2.16.840.1.113730.3.5.7
    :
    supportedSSLCiphers: SSL-CK_RC4_128_EXPORT40_WITH_MD5
    supportedSSLCiphers: SSL-CK_RC2_128_CBC_EXPORT40_WITH_MD5

    This confirms that the Directory Server instance can be accessed through the secure port.

  11. Log out of the ds-1 host machine.
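The CA certificate listed in step 7 is valid only until 2010/06/17, and the server certificate issued in step 3 will have its own expiry. Once either expires, the load balancer's LDAPS connections to that instance fail and the user data store becomes unreachable over the secure port. The following shell function is an added example, not part of the deployment guide: it reads dsadm list-certs output and prints each certificate whose validity ends on or before a cut-off date, so the store can be checked from a monitoring job. It assumes the one-line-per-certificate layout of dsadm list-certs (alias, valid-from, valid-to, self-signed flag, issuer, subject) with dates as YYYY/MM/DD HH:MM; the guide's sample output is wrapped for print, and the sample embedded below is constructed in that layout.

```shell
#!/bin/sh
# Added example (not from the deployment guide): warn about certificates in an
# am-users certificate store that expire on or before a cut-off date.
# Assumes "dsadm list-certs" prints one certificate per line:
#   alias  valid-from  valid-to  self-signed  issuer  subject
# with dates as YYYY/MM/DD HH:MM, so the date strings sort in calendar order.
DS6_BIN=/var/opt/mps/serverroot/ds6/bin

# Constructed sample in that layout (the CA-cert line mirrors step 7 of the guide).
SAMPLE_LIST_CERTS='Alias  Valid from  Valid to  Self-signed?  Issuer  Subject
CA-cert  2007/09/20 11:41  2010/06/17 11:41  n  E=nobody@nowhere.com,CN=openssltestca,OU=am,O=sun,L=santa clara,ST=california,C=us  Same as issuer
ds-1  2008/08/20 10:00  2009/08/20 10:00  n  E=nobody@nowhere.com,CN=openssltestca,OU=am,O=sun,L=santa clara,ST=california,C=us  CN=ds-1.example.com,OU=OpenSSO Enterprise,O=Sun Microsystems,L=Santa Clara,ST=California,C=US
defaultCert  2008/08/01 09:00  2011/08/01 09:00  y  CN=ds-1,CN=1736,CN=directory Server,O=Sun Microsystems  Same as issuer'

# Usage: dsadm list-certs -C /var/opt/mps/am-users | certs_expiring_by 2010/07/01
#        dsadm list-certs    /var/opt/mps/am-users | certs_expiring_by 2010/07/01
# Prints "<alias> <valid-to date>" for every certificate whose validity ends
# on or before the cut-off; header lines carry no dates and are skipped.
certs_expiring_by() {
    awk -v cutoff="$1" '
        {
            n = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9]$/) d[++n] = $i
            # first date is the start of validity, second is the end
            if (n >= 2 && d[2] <= cutoff) print $1, d[2]
        }'
}

# Exit status 1 when anything in the instance store (CA or server certs)
# expires by the cut-off, so the function can gate a monitoring job.
# $1 = instance path, $2 = cut-off date as YYYY/MM/DD.
check_instance_certs() {
    expiring=$(
        { "$DS6_BIN"/dsadm list-certs -C "$1"; "$DS6_BIN"/dsadm list-certs "$1"; } \
            | certs_expiring_by "$2"
    )
    [ -z "$expiring" ] && return 0
    echo "certificates in $1 expiring by $2:" >&2
    echo "$expiring" >&2
    return 1
}
```

Feed the cut-off as today's date plus the renewal lead time you want (for example 30 days) from cron on each Directory Server host; a non-zero exit from check_instance_certs /var/opt/mps/am-users leaves enough time to request and install a replacement with steps 2 to 9 before the load balancer starts refusing the instance.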

Procedure: To Install a Root Certificate and a Server Certificate on Directory Server 2

Before You Begin

You should already have a root certificate from the CA of your choice. Send any server certificate requests to the same CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Log in to the ds-2 host machine as a root user.

  2. Generate a request for a server certificate signed by a CA.


    # cd /var/opt/mps/serverroot/ds6/bin
    # ./dsadm request-cert -S "CN=ds-2.example.com, 
    OU=OpenSSO Enterprise, O=Sun Microsystems, L=Santa Clara, 
     ST=California, C=US" -F ascii -o ds-2.csr /var/opt/mps/am-users
    

    ds-2.csr is the certificate request.

  3. Send ds-2.csr to the CA of your choice.

    The CA issues and returns a certified server certificate named ds-2.cer.

  4. Add ds-2.cer, the CA-signed server certificate, to the certificate store.


    # ./dsadm add-cert /var/opt/mps/am-users ds-2 ds-2.cer
    
  5. (Optional) Verify that the certificate was successfully added.


    # ./dsadm list-certs /var/opt/mps/am-users
    

    A list of certificates for the am-users instance is displayed including the defaultCert and ds-2.

  6. Add ca.cer, the root certificate, to the certificate store.


    # ./dsadm add-cert --ca /var/opt/mps/am-users CA-cert ca.cer
    
  7. (Optional) Verify that the root certificate was successfully added.


    # ./dsadm list-certs -C /var/opt/mps/am-users | grep CA-cert
    
    CA-cert
    2007/09/20 11:41  2010/06/17 11:41  n  
    E=nobody@nowhere.com,CN=openssltestca,OU=am,
    O=sun,L=santa clara,ST=california,C=us  Same as issuer
  8. Configure the Directory Server instance to use the imported certificates.


    # ./dsconf set-server-prop -h ds-2.example.com 
    -p 1489 ssl-rsa-cert-name:ds-2
    
    Enter "cn=Directory Manager" password: dsmanager
    
    Before setting SSL configuration, export Directory Server data.
    
    Do you want to continue [y/n] ?  y
    
    Directory Server must be restarted for changes to take effect.
  9. Restart the Directory Server instance.


    # ./dsadm stop /var/opt/mps/am-users
    # ./dsadm start /var/opt/mps/am-users
    
    Server started: pid=5472
  10. Run ldapsearch on Directory Server 2 to verify that the directory entries can be accessed through the secure port.


    # cd /var/opt/mps/serverroot/dsrk6/bin
    # ./ldapsearch -h ds-2.example.com -p 1736 
    -Z -P /var/opt/mps/am-users/alias/slapd-cert8.db 
    -b "" -s base "(objectclass=*)"
    
    version: 1
    dn:
    objectClass:top
    namingContexts: dc=company,dc=com
    supportedExtension: 2.16.840.1.113730.3.5.7
    :
    supportedSSLCiphers: SSL-CK_RC4_128_EXPORT40_WITH_MD5
    supportedSSLCiphers: SSL-CK_RC2_128_CBC_EXPORT40_WITH_MD5

    This confirms that the Directory Server instance can be accessed through the secure port.

  11. Log out of the ds-2 host machine.

4.4 Configuring Load Balancer 1 for the User Data Instances

Load Balancer 1 is configured in front of the Directory Server user data instances. This section assumes that you have already installed the load balancer. Before beginning, note the following:

Use the following list of procedures as a checklist for completing the task.

  1. To Request a Certificate for the User Data Load Balancer

  2. To Import the Root Certificate to the User Data Load Balancer

  3. To Install the Server Certificate to the User Data Load Balancer

  4. To Configure the User Data Load Balancer 1

  5. To Create an SSL Proxy for SSL Termination at the User Data Load Balancer 1

ProcedureTo Request a Certificate for the User Data Load Balancer

Generate a request for a server certificate to send to a CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in to the BIG-IP console using the following information.

    Username

    username

    Password

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Click the Cert-Admin tab.

  6. On the SSL Certificate Administration page, click Generate New Key Pair/Certificate Request.

  7. In the Create Certificate Request page, provide the following information.

    Key Identifier:

    lb-1.example.com

    Organizational Unit Name:

    Deployment

    Domain Name:

    lb-1.example.com

    Challenge Password:

    password

    Retype Password:

    password

  8. Click Generate Key Pair/Certificate Request.

    On the SSL Certificate Request page, the request is generated in the Certificate Request field.

  9. Save the text contained in the Certificate Request field to a file named lb-1.csr.

  10. Log out of the console and close the browser.

  11. Send lb-1.csr to the CA of your choice.

    The CA issues and returns a certified server certificate named lb-1.cer.

ProcedureTo Import the Root Certificate to the User Data Load Balancer

Import the CA root certificate on Load Balancer 1 so that Load Balancer 1 can establish a chain of trust to the CA. Use the same root certificate that you imported in 4.3 Enabling Secure Communication for the Directory Server User Data Instances. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

Before You Begin

You should already have a root certificate from the CA of your choice.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in to the load balancer as administrator.

  3. Click Proxies.

  4. Click the Cert-Admin tab.

  5. Click Import.

  6. In the Import Type field, choose Certificate and click Continue.

  7. Click Browse in the Certificate File field on the Install SSL Certificate page.

  8. Choose Browser in the Choose File dialog box.

  9. Navigate to ca.cer and click Open.

  10. Enter OpenSSL_CA_cert in the Certificate Identifier field.

  11. Click Install Certificate.

    The Certificate OpenSSL_CA_Cert page is displayed.

  12. Click Return to Certificate Administration on the Certificate OpenSSL_CA_Cert page.

    OpenSSL_CA_Cert, the root certificate, is now included in the Certificate ID list.

ProcedureTo Install the Server Certificate to the User Data Load Balancer

Before You Begin

This procedure assumes you have received the server certificate requested in To Request a Certificate for the User Data Load Balancer, just completed To Import the Root Certificate to the User Data Load Balancer, and are still logged into the load balancer console.

  1. In the BIG-IP load balancer console, click Proxies.

  2. Click the Cert-Admin tab.

    The key lb-1.example.com is in the Key List.

  3. In the Certificate ID column, click Install for lb-1.example.com.

  4. In the Certificate File field, click Browse.

  5. In the Choose File dialog, navigate to lb-1.cer, the server certificate, and click Open.

  6. Click Install Certificate.

  7. On the Certificate lb-1.example.com page, click Return to Certificate Administration Information.

    Verify that the Certificate ID indicates lb-1.example.com on the SSL Certificate Administration page.

  8. Log out of the load balancer console.

ProcedureTo Configure the User Data Load Balancer 1

Before You Begin

This procedure assumes that you have just completed To Import the Root Certificate to the User Data Load Balancer and are still logged into the load balancer console.

  1. Click Configure your BIG-IP (R) using the Configuration Utility.

  2. Create a Pool.

    A pool contains all the backend server instances.

    1. In the left pane, click Pools.

    2. On the Pools tab, click Add.

    3. In the Add Pool dialog, provide the following information:

      Pool Name

      DirectoryServer-UserData-Pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address and port number of both Directory Server host machines: ds-1:1736 and ds-2:1736.

    4. Click Done.

  3. Add a Virtual Server.

    The virtual server presents an address to the outside world and, when users attempt to connect, forwards the connection to the most appropriate real server.


    Tip –

    If you encounter JavaScript™ errors or otherwise cannot proceed to create a virtual server, try using Internet Explorer.


    1. In the left frame, click Virtual Servers.

    2. Click Add on the Virtual Servers tab.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      Enter the IP address for lb-1.example.com

      Service

      490

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. Assign DirectoryServer-UserData-Pool to the virtual server in the Pool Selection dialog box.

    6. Click Done.

  4. Add Monitors

    Monitors are required for the load balancer to detect the backend server failures.

    1. In the left frame, click Monitors.

    2. Click the Basic Associations tab.

    3. Add an LDAP monitor for the Directory Server 1 node.

      In the Node column, locate the IP address and port number, ds-1:1736, and select the Add checkbox.

    4. Add an LDAP monitor for the Directory Server 2 node.

      In the Node column, locate the IP address and port number, ds-2:1736, and select the Add checkbox.

    5. At the top of the Node column, in the drop-down list, choose tcp.

    6. Click Apply.

  5. Configure the load balancer for persistence.

    The user data load balancer is configured for simple persistence. With simple persistence, all requests sent from one client within a specified interval are processed by the same Directory Server instance, which prevents a client from reading an entry before replication has delivered it. For example, when a request requires information to be written to Directory Server 1, that information must also be replicated to Directory Server 2. Because replication takes time to complete, a related request that the load balancer directs to Directory Server 2 while replication is still in progress may fail because the entry exists there only partially. When properly configured, simple persistence ensures that both requests are routed to Directory Server 1 and processed in consecutive order: the first request finishes before the second begins processing. Within the specified interval, therefore, no errors or delays occur due to replication lag or redirects when retrieving data. Simple persistence tracks connections based only on the client IP address.

    1. In the left frame, click Pools.

    2. Click the name of the pool you want to configure.

      In this example, DirectoryServer-UserData-Pool.

    3. Click the Persistence tab.

    4. Under Persistence Type, select Simple.

    5. Enter 300 seconds for the Timeout interval.

    6. Click Apply.

  6. Verify the Directory Server load balancer configuration.

    1. Log in as a root user to the host machine of each Directory Server instance.

    2. On each host machine, use the tail command to monitor the Directory Server access log.


      # cd /var/opt/mps/am-users/logs
      # tail -f access
      

      You should see connections to the load balancer IP address opening and closing. For example:

      [12/July/2008:13:10:20-0700] conn=69755 op=-1 msgId=-1 - closed 
      [12/July/2008:13:10:25-0700] conn=69756 op=-1 msgId=-1 
      - fd=27 slot=27 LDAP connection from IP_address to IP_address
      [12/July/2008:13:10:25-0700] conn=69756 op=0 msgId=0 
      - RESULT err=80 tag=120 nentries=0 etime=0 
      [12/July/2008:13:10:25-0700] conn=69756 op=-1 msgId=-1 
      - closing from IP_address
      
    3. Execute the following LDAP search against the Directory Server load balancer from Directory Server 1.


      # cd /var/opt/mps/serverroot/dsrk6/bin
      # ./ldapsearch -h lb-1.example.com -p 490 -Z 
      -P /var/opt/mps/am-users/alias/slapd-cert8.db
      -b "dc=company,dc=com" -D "cn=directory manager" 
      -w dsmanager "(objectclass=*)"
      
      version: 1
      dn: dc=company,dc=com
      dc: company
      objectClass: top
      objectClass: domain

      The ldapsearch operation should return entries. Make sure they display in the access log on only one Directory Server.

    4. Run dsadm stop to stop Directory Server 1.


      # cd /var/opt/mps/serverroot/ds6/bin
      # ./dsadm stop /var/opt/mps/am-users
      
    5. Perform the same LDAP search against the Directory Server load balancer from Directory Server 2.


      # cd /var/opt/mps/serverroot/dsrk6/bin
      # ./ldapsearch -h lb-1.example.com -p 490 -Z 
      -P /var/opt/mps/am-users/alias/slapd-cert8.db
      -b "dc=company,dc=com" -D "cn=directory manager" 
      -w dsmanager "(objectclass=*)"
      
      version: 1
      dn: dc=company,dc=com
      dc: company
      objectClass: top
      objectClass: domain

      The ldapsearch operation should return entries. Verify that the entries display in the access log on only Directory Server 2.


      Note –

      You may encounter the following error message:

      ldap_simple_bind: Can't connect to the LDAP 
      server - Connection refused

      This means that the load balancer may not yet have detected that Directory Server 1 is stopped: you may have started the search too soon relative to the monitor's polling interval. For example, if the polling interval is set to 10 seconds, wait ten seconds before starting the search. You can also lower the monitor's interval and timeout values in the load balancer console.

      1. Click the Monitors tab.

      2. Click the tcp monitor name.

      3. In the Interval field, set the value to 5.

        This tells the load balancer to poll the server every 5 seconds.

      4. In the Timeout field, set the value to 16.

      5. Click Apply and repeat the LDAP search.

      See your load balancer documentation for more information on the timeout property.


    6. Start Directory Server 1.


      # ./dsadm start /var/opt/mps/am-users
      
    7. Stop Directory Server 2.


      # cd /var/opt/mps/serverroot/ds6/bin
      # ./dsadm stop /var/opt/mps/am-users
      
    8. Perform the following LDAP search against the Directory Server load balancer from Directory Server 1 to confirm that the request is forwarded to the running Directory Server 1.


      # cd /var/opt/mps/serverroot/dsrk6/bin
      # ./ldapsearch -h lb-1.example.com -p 490 -Z 
      -P /var/opt/mps/am-users/alias/slapd-cert8.db
      -b "dc=company,dc=com" -D "cn=directory manager" 
      -w dsmanager "(objectclass=*)"
      
      version: 1
      dn: dc=company,dc=com
      dc: company
      objectClass: top
      objectClass: domain

      The ldapsearch operation should return entries. Make sure the entries display in the access log on only Directory Server 1.

    9. Start Directory Server 2.


      # ./dsadm start /var/opt/mps/am-users
      
    10. Log out of both Directory Server host machines and the load balancer console.
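
The persistence rule described in step 5 and the access-log check in step 6 can be reasoned about offline. The following Python model is an added illustration for this deployment example, not F5 BIG-IP or Sun Directory Server code: it routes connections with round-robin plus client-IP persistence and a 300-second timeout, drops a member when the monitor marks it down, and scans access-log excerpts in the layout shown above to report which instance actually answered the ldapsearch. The pool member names, the load balancer address 192.0.2.5 and the log excerpts are constructed.

```python
"""Model of the user data load balancer's simple persistence and failover,
plus a checker for the access-log verification steps above.

Added illustration for this deployment example; it is not F5 BIG-IP or
Sun Directory Server code. Pool member names, the timeout, the load
balancer address 192.0.2.5 and the access-log excerpts are constructed.
"""
import re

MEMBERS = ["ds-1:1736", "ds-2:1736"]   # DirectoryServer-UserData-Pool
PERSIST_TIMEOUT = 300                  # seconds, the Timeout set on the Persistence tab
LB_IP = "192.0.2.5"                    # constructed stand-in for lb-1's address


class SimplePersistencePool:
    """Round-robin pool with simple (client IP) persistence and member up/down state."""

    def __init__(self, members=MEMBERS, timeout=PERSIST_TIMEOUT):
        self.members = list(members)
        self.timeout = timeout
        self.up = {m: True for m in self.members}
        self._rr = 0          # next round-robin slot
        self._table = {}      # client_ip -> (member, last_seen)

    def set_member_state(self, member, is_up):
        """Apply what the tcp monitor concludes once a node stops answering."""
        self.up[member] = is_up

    def route(self, client_ip, now):
        """Return the member that serves a new connection from client_ip at time now."""
        entry = self._table.get(client_ip)
        if entry is not None:
            member, last_seen = entry
            # Stay on the remembered member only while it is up and the
            # persistence record is younger than the timeout.
            if self.up[member] and now - last_seen <= self.timeout:
                self._table[client_ip] = (member, now)
                return member
        live = [m for m in self.members if self.up[m]]
        if not live:
            raise RuntimeError("no pool member is available")
        member = live[self._rr % len(live)]
        self._rr += 1
        self._table[client_ip] = (member, now)
        return member


# Access-log lines in the layout shown in the procedure. A connection open
# names the peer; later operations on that connection carry only conn=N.
CONN_RE = re.compile(
    r"^\[[^\]]+\] conn=(?P<conn>\d+) op=-1 msgId=-1 - fd=\d+ slot=\d+ "
    r"LDAP connection from (?P<src>[\d.]+) to (?P<dst>[\d.]+)$"
)
SRCH_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=\d+ msgId=\d+ - SRCH base="(?P<base>[^"]*)"'
)


def searches_via(log_text, lb_ip):
    """(conn, base) for every SRCH issued on a connection opened from lb_ip.

    Monitor probes also arrive from the load balancer, so connection opens
    alone do not show which instance answered the ldapsearch; the SRCH does.
    """
    opened, found = set(), []
    for line in log_text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            if m.group("src") == lb_ip:
                opened.add(int(m.group("conn")))
            continue
        m = SRCH_RE.match(line.strip())
        if m and int(m.group("conn")) in opened:
            found.append((int(m.group("conn")), m.group("base")))
    return found


def servers_that_searched(logs_by_server, lb_ip):
    """The check from the procedure: the search must show up on exactly one instance."""
    return sorted(name for name, text in logs_by_server.items() if searches_via(text, lb_ip))


# Constructed excerpts: ds-1 served the search, ds-2 saw only a monitor probe.
ACCESS_LOG_DS1 = """\
[12/July/2008:13:10:25-0700] conn=69756 op=-1 msgId=-1 - fd=27 slot=27 LDAP connection from 192.0.2.5 to 192.0.2.21
[12/July/2008:13:10:25-0700] conn=69756 op=0 msgId=1 - BIND dn="cn=directory manager" method=128 version=3
[12/July/2008:13:10:25-0700] conn=69756 op=1 msgId=2 - SRCH base="dc=company,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[12/July/2008:13:10:25-0700] conn=69756 op=-1 msgId=-1 - closing from 192.0.2.5
"""
ACCESS_LOG_DS2 = """\
[12/July/2008:13:10:20-0700] conn=4410 op=-1 msgId=-1 - fd=31 slot=31 LDAP connection from 192.0.2.5 to 192.0.2.22
[12/July/2008:13:10:20-0700] conn=4410 op=0 msgId=0 - RESULT err=80 tag=120 nentries=0 etime=0
[12/July/2008:13:10:20-0700] conn=4410 op=-1 msgId=-1 - closing from 192.0.2.5
"""

if __name__ == "__main__":
    pool = SimplePersistencePool()
    print(pool.route("198.51.100.7", 0), pool.route("198.51.100.7", 200))   # same member
    pool.set_member_state("ds-1:1736", False)
    print(pool.route("198.51.100.7", 210))                                 # fails over
    print(servers_that_searched({"ds-1": ACCESS_LOG_DS1, "ds-2": ACCESS_LOG_DS2}, LB_IP))
```

Two points the model makes visible: once a client has failed over to ds-2, it stays there until its persistence record ages out, even after ds-1 comes back, so the "only Directory Server 1" check in step 8 assumes the 300-second window has elapsed or a different client address is used; and the monitor's probe connections (the err=80 lines) appear in both access logs, so look for the SRCH operation rather than for connection opens when deciding which instance served the search.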

ProcedureTo Create an SSL Proxy for SSL Termination at the User Data Load Balancer 1

SSL communication from the client is terminated at Load Balancer 1. The request is then re-encrypted and securely forwarded to the SSL port of the Directory Server user data instance. Load Balancer 1 also encrypts the responses it receives back from the user data instance and sends them back to the client. To this end, create an SSL proxy for SSL termination and re-encryption.

Before You Begin

You should have a root certificate issued by a recognized CA.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in with the following information.

    User name:

    username

    Password:

    password

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Under the Proxies tab, click Add.

  6. In the Add Proxy dialog, provide the following information.

    Proxy Type:

    Check the SSL and ServerSSL checkboxes.

    Proxy Address:

    The IP address of Load Balancer 1.

    Proxy Service:

    489

    The secure port number

    Destination Address:

    The IP address of Load Balancer 1.

    Destination Service:

    490

    The non-secure port number

    Destination Target:

    Choose Local Virtual Server.

    SSL Certificate:

    Choose lb-1.example.com.

    SSL Key:

    Choose lb-1.example.com.

    Enable ARP:

    Check this checkbox.

  7. Click Next.

  8. On the page starting with “Insert HTTP Header String,” change to Rewrite Redirects and choose Matching.

  9. Click Next.

  10. On the page starting with “Client Cipher List String”, accept the defaults.

  11. Click Next.

  12. On the page starting with “Server Chain File,” change to Server Trusted CA's File and select “OpenSSL_CA_Cert.crt” from the drop-down list.

  13. Click Done.

    The new proxy server is added to the Proxy Server list.

  14. Log out of the load balancer console.

4.5 Importing Test Users

Create user entries in the replicated Directory Server user data instances for the following users:

These users will be used to verify that the policy agent is configured and working properly. Additionally, the Groups container will be used for the same purpose.


Note –

If you are using an existing user data store, create the appropriate users in it and move on to Chapter 6, Configuring OpenSSO Enterprise Realms for User Authentication.


Use the following procedure, To Import Test User Data into the Replicated Directory Server Instances, to create an LDIF file for the test users and import the file into ds-1. The test users will then be replicated to ds-2.

ProcedureTo Import Test User Data into the Replicated Directory Server Instances

  1. Log in to the ds-1 host machine as a root user.

  2. Create an LDIF file with the following entries.

    dn: ou=users,dc=company,dc=com
    objectclass: top
    objectclass: organizationalUnit
    ou: users
    description: Container for user entries
    
    dn: ou=Groups,dc=company,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: Groups
    description: Container for group entries
    
    dn: uid=testuser1,ou=users,dc=company,dc=com
    uid: testuser1
    givenName: Test
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetadmin
    objectClass: inetorgperson
    objectClass: inetUser
    sn: User1
    cn: Test User1
    userPassword: password
    inetUserStatus: Active
    
    dn: uid=testuser2,ou=users,dc=company,dc=com
    uid: testuser2
    givenName: Test
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetorgperson
    objectClass: inetUser
    sn: User2
    cn: Test User2
    userPassword: password
    inetUserStatus: Active
  3. Save the file as am-users.ldif in the /tmp directory.

  4. Import the LDIF file into Directory Server 1 using ldapmodify.


    # cd /var/opt/mps/serverroot/dsrk6/bin
    # ./ldapmodify -h ds-1.example.com -p 1489 
     -D "cn=Directory Manager" -w dsmanager 
     -a -f /tmp/am-users.ldif
    
    adding new entry ou=users,dc=company,dc=com
    
    adding new entry ou=Groups,dc=company,dc=com
    
    adding new entry uid=testuser1,ou=users,dc=company,dc=com
    
    adding new entry uid=testuser2,ou=users,dc=company,dc=com
  5. Verify that the new users were imported using ldapsearch.


    # ./ldapsearch -h ds-1.example.com
     -b "dc=company,dc=com" -p 1489 -D "cn=Directory Manager"
     -w dsmanager "uid=test*"
    
    version: 1
    dn: uid=testuser1,ou=users,dc=company,dc=com
    uid: testuser1
    givenName: Test
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetadmin
    objectClass: inetorgperson
    objectClass: inetUser
    sn: User1
    cn: Test User1
    userPassword: {SSHA}H5LpB+QLZMoL9SiXzY/DokHKXRclELVy7w25AA==
    inetUserStatus: Active
    
    dn: uid=testuser2,ou=users,dc=company,dc=com
    uid: testuser2
    givenName: Test
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetorgperson
    objectClass: inetUser
    sn: User2
    cn: Test User2
    userPassword: {SSHA}aLNFCQ1qw78KpJeloVZJAAa5QSAPf/9c2mxCQQ==
    inetUserStatus: Active
  6. Log out of the ds-1 host machine.

  7. (Optional) Verify that the entries were replicated to Directory Server 2 by logging in as a root user to the ds-2 host machine and using ldapsearch.


    # cd /var/opt/mps/serverroot/dsrk6/bin
    # ./ldapsearch -h ds-2.example.com
     -b "dc=company,dc=com" -p 1489 -D "cn=Directory Manager"
     -w dsmanager ""
    
    version: 1
    dn: dc=company,dc=com
    objectClass: top
    objectClass: domain
    dc: company
    
    dn: ou=users,dc=company,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: users
    description: Container for user entries
    
    dn: ou=Groups,dc=company,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: Groups
    description: Container for group entries
    
    dn: uid=testuser1,ou=users,dc=company,dc=com
    uid: testuser1
    givenName: Test
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetadmin
    objectClass: inetorgperson
    objectClass: inetUser
    sn: User1
    cn: Test User1
    inetUserStatus: Active
    userPassword: {SSHA}H5LpB+QLZMoL9SiXzY/DokHKXRclELVy7w25AA==
    
    dn: uid=testuser2,ou=users,dc=company,dc=com
    uid: testuser2
    givenName: Test
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetorgperson
    objectClass: inetUser
    sn: User2
    cn: Test User2
    inetUserStatus: Active
    userPassword: {SSHA}aLNFCQ1qw78KpJeloVZJAAa5QSAPf/9c2mxCQQ==
  8. Log out of the ds-2 host machine.
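
The LDIF in step 2 is written by hand, and the ldapsearch output in steps 5 and 7 shows that Directory Server stored each cleartext userPassword as a salted SHA-1 value in {SSHA} form. The following Python script is an added illustration, not Sun Directory Server code: it generates the same four entries from a small table (so more test users can be added without hand-editing LDIF), lists the DNs in the order ldapmodify -a will add them, and shows how a {SSHA} value is laid out and verified. The user table and the fixed salt in the demo are constructed; the 8-byte salt length is inferred from the 28-byte payloads shown above (a 20-byte SHA-1 digest plus 8 bytes of salt), not taken from any Directory Server source.

```python
"""Generate the test-user LDIF from a small table and check the {SSHA}
password hashes that ldapsearch returns after the import.

Added illustration; not Sun Directory Server code. The user table mirrors
the two test users above. The 8-byte salt length is inferred from the
28-byte payloads the page shows (20-byte SHA-1 digest plus 8 bytes of
salt), and the demo salt is constructed.
"""
import base64
import hashlib
import hmac
import os

BASE_DN = "dc=company,dc=com"

# Constructed table of the two test users; only testuser1 carries inetadmin.
TEST_USERS = [
    {"uid": "testuser1", "givenName": "Test", "sn": "User1", "extra": ["inetadmin"]},
    {"uid": "testuser2", "givenName": "Test", "sn": "User2", "extra": []},
]


def container_entry(ou, description):
    """An organizationalUnit container entry directly under the base suffix."""
    return "\n".join([
        f"dn: ou={ou},{BASE_DN}",
        "objectClass: top",
        "objectClass: organizationalUnit",
        f"ou: {ou}",
        f"description: {description}",
    ]) + "\n"


def user_entry(user, password):
    """One inetorgperson entry under ou=users, in the attribute order used above."""
    classes = ["top", "person", "organizationalPerson"] + user["extra"] + ["inetorgperson", "inetUser"]
    lines = [f"dn: uid={user['uid']},ou=users,{BASE_DN}",
             f"uid: {user['uid']}",
             f"givenName: {user['givenName']}"]
    lines += [f"objectClass: {c}" for c in classes]
    lines += [f"sn: {user['sn']}",
              f"cn: {user['givenName']} {user['sn']}",
              f"userPassword: {password}",
              "inetUserStatus: Active"]
    return "\n".join(lines) + "\n"


def build_ldif(users, password):
    """Containers first, then users; LDIF entries are separated by a blank line."""
    entries = [container_entry("users", "Container for user entries"),
               container_entry("Groups", "Container for group entries")]
    entries += [user_entry(u, password) for u in users]
    return "\n".join(entries)


def entry_dns(ldif_text):
    """DNs in the order ldapmodify -a will add them (parents before children)."""
    return [line[len("dn: "):] for line in ldif_text.splitlines() if line.startswith("dn: ")]


def make_ssha(password, salt=None):
    """{SSHA} layout: base64(sha1(password || salt) || salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored):
    """Split a stored {SSHA} value into (digest, salt); None if it is not {SSHA}."""
    if not stored.startswith("{SSHA}"):
        return None
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return raw[:20], raw[20:]


def verify_ssha(password, stored):
    """Recompute the salted digest and compare it in constant time."""
    parts = ssha_parts(stored)
    if parts is None:
        return False
    digest, salt = parts
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    ldif = build_ldif(TEST_USERS, "password")
    print(ldif)
    print(entry_dns(ldif))
    stored = make_ssha("password", salt=bytes(range(8)))   # fixed salt for a repeatable run
    print(stored, verify_ssha("password", stored), verify_ssha("Password", stored))
```

Because the salt is chosen per entry, the two test users above end up with different stored values even though both were imported with the same cleartext, which is exactly what the two distinct {SSHA} strings in the ldapsearch output show; a verifier therefore always decodes the salt from the stored value rather than comparing hashes between entries.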