Sun Java System Access Manager 7.1 Postinstallation Guide

Chapter 8 Configuring Access Manager in SSL Mode

Using the Secure Sockets Layer (SSL) protocol with simple authentication guarantees confidentiality and data integrity. To enable Access Manager to use SSL, mode you would typically:

Configuring Access Manager With a Secure Sun Java System Web Server

This section describes how to configure Access Manager in SSL mode with Sun Java System Web Server.

ProcedureTo Configure a Secure Web Server

  1. Login to the Access Manager Console as amadmin.

  2. Click Configuration, System Properties, and then Platform.

  3. Under Server Instance, click the server name.

  4. Change the http:// protocol to the https:// protocol.

  5. Click OK and then Save.


    Note –

    Be sure to click Save. If you don’t, you will still be able to continue with the following steps, but all configuration changes you have made will be lost, and you will not be able to log in as administrator to fix it.


  6. Login to the Web Server console. The default port is 8888.

  7. Select the Web Server instance on which Access Manager is running and click Manage.

    The console displays a pop-up window explaining that the configuration has changed. Click OK.

  8. Click Apply and then Apply Changes.

  9. Click Apply Changes.

    Web Server should automatically restart. Click OK to continue.

  10. Stop the selected Web Server instance.

  11. Click the Security Tab.

  12. Click on Create Database.

  13. Enter the new database password and click OK.

    Ensure that you write down the database password for later use.

  14. Once the Certificate Database has been created, click on Request a Certificate.

  15. Enter the data in the fields provided in the screen.

    The Key Pair Field Password field is the same as you entered in Step 9. In the location field, you will need to spell out the location completely. Abbreviations, such as CA, will not work. All of the fields must be defined. In the Common Name field, provide the hostname of your Web Server.

  16. Once the form is submitted, you will see a message such as:


    --BEGIN CERTIFICATE REQUEST---
    
    afajsdllwqeroisdaoi234rlkqwelkasjlasnvdknbslajowijalsdkjfalsdflasdf
    
    alsfjawoeirjoi2ejowdnlkswnvnwofijwoeijfwiepwerfoiqeroijeprwpfrwl
    
    --END CERTIFICATE REQUEST--
    
                   
  17. Copy this text and submit it for the certificate request.

    Ensure that you get the Root CA certificate.

  18. You will receive a certificate response containing the certificate, such as:


    --BEGIN CERTIFICATE---
    
    afajsdllwqeroisdaoi234rlkqwelkasjlasnvdknbslajowijalsdkjfalsdflasdf
    
    alsfjawoeirjoi2ejowdnlkswnvnwofijwoeijfwiepwerfoiqeroijeprwpfrwl
    
    --END CERTIFICATE---
    
                   
  19. Copy this text into your clipboard, or save the text into a file.

  20. Go to the Web Server console and click on Install Certificate.

  21. Click on Certificate for this Server.

  22. Enter the Certificate Database password in the Key Pair File Password field.

  23. Paste the certificate into the provided text field, or check the radio button and enter the filename in the text box. Click Submit.

    The browser will display the certificate, and provide a button to add the certificate.

  24. Click Install Certificate.

  25. Click Certificate for Trusted Certificate Authority.

  26. Install the Root CA Certificate in the same manner described in steps 16 through 21.

  27. Once you have completed installing both certificates, click on the Preferences tab in the Web Server console.

  28. Select Add Listen Socket if you wish to have SSL enabled on a different port. Then, select Edit Listen Socket.

  29. Change the security status from Disabled to Enabled, and click OK to submit the changes, click Apply and Apply Changes.

    Steps 26–29 apply to Access Manager.

  30. Open the AMConfig.properties file. By default, the location of this file is etc/opt/SUNWam/config.

  31. Replace all of the protocol occurrences of http:// to https://, except for the Web Server Instance Directory. This is also specified in AMConfig.properties, but must remain the same.

  32. Save the AMConfig.properties file.

  33. In the Web Server console, click the ON/OFF button for the Access Manager hosting web server instance.

    The Web Server displays a text box in the Start/Stop page.

  34. Enter the Certificate Database password in the text field and select Start.

Next Steps

If you are configuring Access Manager certificate authentication with an SSL-enabled Web Server 6.1 instance and want Web Server to accept both certificate-based and non- certificate-based authentication requests, set the following value in the Web Server obj.conf file:

PathCheck fn="get-client-cert" dorequest="1" require="0

Configuring Access Manager with a Secure Sun Java System Application Server

Setting up Access Manager to run on an SSL-enabled Application server is a two-step process. First, secure the Application Server instance to the installed Access Manager, then configure Access Manager itself.

Setting Up Application Server 8.2 With SSL

This section describes the steps to set up Application Server 8.2 in SSL mode.

ProcedureTo Secure the Application Server Instance

  1. Log into the Sun Java System Application Server console as an administrator by entering the following address in your browser:

    http://fullservername:port

    The default port is 4848.

  2. Enter the username and password you entered during installation.

  3. Select the Application Server instance on which you installed (or will install) Access Manager. The right frame displays that the configuration has changed.

  4. Click Apply Changes.

  5. Click Restart. The Application Server should automatically restart.

  6. In the left frame, click Security.

  7. Click the Manage Database tab.

  8. Click Create Database, if it is not selected.

  9. Enter the new database password and confirm, then click the OK button. Make sure that you write down the database password for later use.

  10. Once the Certificate Database has been created, click the Certificate Management tab.

  11. Click the Request link, if it is not selected.

  12. Enter the following Request data for the certificate

    1. Select it if this is a new certificate or a certificate renewal. Many certificates expire after a specific period of time and some certificate authorities (CA) will automatically send you renewal notification.

    2. Specify the way in which you want to submit the request for the certificate.

      If the CA expects to receive the request in an E-mail message, check CA E-mail and enter the E-mail address of the CA. For a list of CAs, click List of Available Certificate Authorities.

      If you are requesting the certificate from an internal CA that is using the Certificate Server, click CA URL and enter the URL for the Certificate Server. This URL should point to the certificate server’s program that handles certificate requests.

    3. Enter the password for your key-pair file (this is the password you specified in step 9).

    4. Enter the following identification information:

      Common Name. The full name of the server including the port number.

      Requestor Name. The name of the requestor.

      Telephone Number. The telephone number of the requestor

      Common Name . The fully qualified name of the Sun Java System Application Server on which the digital certificate will be installed.

      E-mail Address. The E-mail address of the administrator.

      Organization Name. The name of your organization. The certificate authority may require any host names entered in this attribute belong to a domain registered to this organization.

      Organizational Unit Name. The name of your division, department, or other operational unit of your organization.

      Locality Name (city). The name of your city or town.

      State Name. The name of the state or province in which your organization operates if your organization is in the United States or Canada, respectively. Do not abbreviate.

      Country Code. The two-letter ISO code for your country. For example, the code for the United States is US.

  13. Click the OK button. A message will be displayed, for example:


    --BEGIN NEW CERTIFICATE REQUEST---
    afajsdllwqeroisdaoi234rlkqwelkasjlasnvdknbslajowijalsdkjfalsdfla
    alsfjawoeirjoi2ejowdnlkswnvnwofijwoeijfwiepwerfoiqeroijeprwpfrwl
    --END NEW CERTIFICATE REQUEST--
  14. Copy all of this text to a file and click OK. Make sure that you get the Root CA certificate.

  15. Select a CA and follow the instructions on that authority’s web site to get a digital certificate. You can get the certificate from CMS, Verisign or Entrust.net

  16. After you receive your digital certificate from the certificate authority, you can copy the text into your clipboard, or save the text into a file.

  17. Go to the Application Server console and click on the Install link.

  18. Select Certificate For This Server.

  19. Enter the Certificate Database password in the Key Pair File Password field.

  20. Paste the certificate into the provided text field, Message text (with headers), or enter the filename in the Message that is in this file text box. Select the appropriate radio button.

  21. Click OK button. The browser displays the certificate, and provides a button to add the certificate.

  22. Click Add Server Certificate.

  23. Install the Root CA Certificate in the same manner described above. However, select Certificate for Trusted Certificate Authority.

  24. Once you have completed installing both certificates, expand the HTTP Server node in the left frame

  25. Select HTTP Listeners under HTTP Server.

  26. Select http-listener-1. The browser displays the socket information.

  27. Change the value of the port used by http-listener-1 from the value entered while installing application server, to a more appropriate value such as 443.

  28. Select SSL/TLS Enabled.

  29. Select Certificate Nickname.

  30. Specify the Return server. This should match the common name specified in Step 12.

  31. Click Save.

  32. Select the Application Server instance on which you will install the Access Manager software. The right frame shows that the configuration has changed.

  33. Click Apply Changes.

  34. Click Restart. The application server should automatically restart.

Configuring Application Server 8.1 With SSL

The basic steps to configure Application Server 8.1 with SSL are as follows. See the Application Server 8.1 documentation for detailed instructions.

  1. Create a secure port on the Application server through the Application Server Administration console. For more information, see “Configuring Security” in the Sun Java System Application Server Enterprise Edition 8.1 Administration Guide.

  2. Verify that the certificate authority (CA) that trusts the server's certificate is present in the web container's trust database. Then, obtain and install a server certificate for the web container. For more information, see “Working with Certificates and SSL” also in the Sun Java System Application Server Enterprise Edition 8.1 Administration Guide.

    The Sun Java System Application Server Enterprise Edition 8.1 Administration Guide is available in the following collection:

    http://docs.sun.com/coll/1310.1

  3. Restart the web container.

Configuring Access Manager in SSL Mode

This section describes the steps to configure Access Manager in SSL mode. Before you set up SSL for Access Manager, make sure that you configured the web container for your deployment.

ProcedureTo Configure Access Manager in SSL Mode

  1. In the Access Manager console, go to the Service Configuration module and select the Platform service. In the Server List attribute, add the same URL with the HTTPS protocol and an SSL-enabled port number. Click Save.


    Note –

    If a single instance of Access Manager is listening on two ports (one in HTTP and one in HTTPS) and you try to access Access Manager with a stalled cookie, Access Manager will become unresponsive. This is not a supported configuration.


  2. Open the AMConfig.properties file from the following default location:


    /etc/opt/SUNWam/config
  3. Replace all of the protocol occurrences of http:// to https:// and change the port number to an SSL-enabled port number.

  4. Save the AMConfig.properties file.

  5. Restart the Application Server.

Configuring AMSDK with a Secure BEA WebLogic Server

The BEA WebLogic Server must first be installed and configured as a web container before you configure it with the AMSDK in SSL. For installation instructions, see the BEA WebLogic server documentation. To configure WebLogic as a web container for Access Manager, see Configuring Access Manager Using the amconfig Script.

ProcedureTo Configure a Secure WebLogic Instance

  1. Create a domain using the quick start menu

  2. Go to the WebLogic installation directory and generate the certificate request.

  3. Apply for the server certificate using the CSR text file to a CA.

  4. Save the approved certificate in to a text file. For example, approvedcert.txt.

  5. Load the Root CA in cacerts by using the following commands:

    cd jdk141_03/jre/lib/security/

    jdk141_03/jre/bin/keytool -keystore cacerts -keyalg RSA -import -trustcacerts -alias "<alias name>" -storepass changeit -file /opt/bea81/cacert.txt

  6. Load the Server certificate by using the following command:

    jdk141_03/jre/bin/keytool -import -keystore <keystorename> -keyalg RSA -import -trustcacerts -file approvedcert.txt -alias "mykey"

  7. Login to WebLogic console with your username and password.

  8. Browse to the following location:

    yourdomain> Servers> myserver> Configure Keystores

  9. Select Custom Identity and then Java Standard Trust

  10. Enter the keystore location. For example, /opt/bea81/keystore .

  11. Enter Keystore Password and Keystore Pass Phrase. For example:

    Keystore Password: JKS/Java Standard Trust (for WL 8.1 it is only JKS)

    Key Store Pass Phrase: changeit

  12. Review the SSL Private Key Settings Private Key alias and password.


    Note –

    You must use the full strength SSL licence or SSL startup will fail


  13. In Access Manager, the following parameters in AmConfig.properties are automatically configured during installation. If they are not, you can edit them appropriately:


    com.sun.identity.jss.donotInstallAtHighestPriority=true
    [not required for Access Manager 6.3 and later]
    com.iplanet.security.SecureRandomFactoryImpl=
      com.iplanet.am.util.SecureRandomFactoryImpl
    com.iplanet.security.SSLSocketFactoryImpl=
      netscape.ldap.factory.JSSESocketFactory
    com.iplanet.security.encryptor=
      com.iplanet.services.util.JCEEncryption

    If your JDK path is the following:


    com.iplanet.am.jdk.path=/usr/jdk/entsys-j2se

    then use the keytool utility to import the root CA in the certificate database. For example:


    /usr/jdk/entsys-j2se/jre/lib/security
    /usr/jdk/entsys-j2se/jre/bin/keytool -keystore cacerts  
    -keyalg RSA -import -trustcacerts -alias "machinename" -storepass changeit -file
    /opt/bea81/cacert.txt

    The keytool utility is located in the following directory:


    /usr/jdk/entsys-j2se/jre/bin/keytool
  14. Remove -D"java.protocol.handler.pkgs=com.iplanet.services.comm" from the Access Manager amadmin command line utility.

  15. Configure Access Manager in SSL Mode. For more information, see Configuring Access Manager in SSL Mode.

Configuring AMSDK with a Secure IBM WebSphere Application Server

The IBM WebSphere Server must first be installed and configured as a web container before you configure it with the AMSDK in SSL. For installation instructions, see the WebSphere server documentation. To configure WebLogic as a web container for Access Manager, see Chapter 2, Access Manager 7.1 Configuration Scripts.

ProcedureTo Configure a Secure WebSphere Instance

  1. Start ikeyman.sh, located in the Websphere /bin directory.

  2. From the Signer menu, import the certification authority’s (CA) certificate.

  3. From the Personal Certs menu, generate the CSR.

  4. Retrieve the certificate created in the previous step.

  5. Select Personal Certificates and import the server certificate.

  6. From the WebSphere console, change the default SSL settings and select the ciphers.

  7. Set the default IBM JSSE SSL provider.

  8. Enter the following command to import the Root CA certificate from the file you just created into application server JVM Keystore:


    $ appserver_root-dir/java/bin/ keytool -import -trustcacerts -alias cmscacert 
    -keystore ../jre/lib/security/cacerts -file 
    /full_path_cacert_filename.txt

    app-server-root-dir is the root directory for the application server and full_path_cacert_filename.txt is the full path to the file containing the certificate.

  9. In Access Manager, update the following parameters in AmConfig.properties to use JSSE:


    com.sun.identity.jss.donotInstallAtHighestPriority=true
    com.iplanet.security.SecureRandomFactoryImpl=com.iplanet.
    am.util.SecureRandomFactoryImpl
    com.iplanet.security.SSLSocketFactorImpl=netscape.ldap.factory.
    JSSESocketFactory
    com.iplanet.security.encyptor=com.iplanet.services.unil.JCEEncryption
  10. Configure Access Manager in SSL Mode. For more information, see Configuring Access Manager in SSL Mode.

Configuring Access Manager With Directory Server in SSL Mode

Access Manager uses the LDAPS communications protocol to provide secure communications over the network with Directory Server. LDAPS is the standard LDAP protocol that runs on top of the Secure Sockets Layer (SSL) to encrypt data. The basic steps are as follows:

Configuring Directory Server in SSL Mode

To configure Directory Server in SSL mode, you must obtain and install a server certificate, configure Directory Server to trust the CA’s certificate, and then enable SSL. For the detailed steps to complete these tasks, see Using SSL With Directory Server in Sun Java System Directory Server Enterprise Edition 6.0 Administration Guide.

After you finish, or if your Directory Server is already SSL-enabled, continue with the next section to configure Access Manager to connect to the SSL-enabled Directory Server.

Configuring Access Manager to Connect to an SSL-Enabled Directory Server

After Directory Server is configured for SSL mode, you must configure Access Manager to securely connect to Directory Server. You perform some of the following steps in the Access Manager Console, and then you edit the serverconfig.xml and AMConfig.properties files.

ProcedureTo Configure Access Manager to Connect to an SSL-Enabled Directory Server

  1. Login to the Access Manager Console as amadmin.

  2. Click the Configuration tab.

  3. Under Authentication Service Name, click LDAP.

    On the LDAP pane:

    1. Under Primary LDAP Server, change the Directory Server port to the SSL port.

    2. For SSL Access to LDAP Server, click Enabled.

    3. Click Save.

  4. Click Back to Configuration and then under Authentication Service Name, click Membership.

    On the Membership pane:

    1. Under Primary LDAP Server, change the Directory Server port to the SSL port.

    2. For SSL Access to LDAP Server, click Enabled.

    3. Click Save.

  5. Click Back to Configuration and then under Global Properties, click Policy Configuration.

    On the Policy Configuration pane:

    1. Under Primary LDAP Server, change the Directory Server port to the SSL port.

    2. For LDAP SSL, click Enabled.

    3. Click Save and log out of the console.

  6. In the serverconfig.xml file, change the following values in the <Server> element:

    • For port, specify the SSL port to which Access Manager listens (default is 636).

    • For type, change SIMPLE to SSL.

  7. In the AMConfig.properties file, set the following properties:

    • com.iplanet.am.directory.port=636 (if you are using the default port)

    • com.iplanet.am.directory.ssl.enabed=true

  8. Restart the Access Manager web container.

Configuration File Locations

The serverconfig.xml and AMConfig.properties files are in the following directory, depending on you platform: