Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Appendix A Deploying the SAML v2 Plug-in for Federation Services Generated WAR

The SAML v2 Plug-in for Federation Services runs in a simple web container and requires no complex integration with data stores or server environments. Once deployed, it extends the functionality of either server product to include SAML v2–based interactions. Instructions for deploying the SAML v2 Plug-in for Federation Services WAR in each supported web container are in the following sections.

Deploying the SAML v2 Plug-in for Federation Services in Sun Java System Web Server

Sun Java System Web Server provides the wdeploy command-line utility for deploying a WAR file. The syntax is:

wdeploy deploy -u /deployment-URI -i instance-name -v vs-id -d deployment-directory WAR-file-location 

where:

deployment-URI

Defines the URI for the application. 


Note –

Note the inclusion of the leading slash.


instance-name

Defines the instance of Web Server to which you are deploying the web application. 

vs-id

Defines the virtual server ID of the instance of Web Server to which you are deploying the web application. 

deployment-directory

Defines the directory to which the WAR will be deployed. 

WAR-file-location

Defines the full path to the WAR file being deployed. 

When you execute wdeploy, a web application with the defined URI and directory is added to the server.xml file. The WAR file is also extracted from its location and deployed in the deployment directory.


Note –

More information on the wdeploy utility can be found in the Sun Java System Web Server 6.1 SP4 Programmer’s Guide to Web Applications.


To Deploy an Instance of the SAML v2 Plug-in for Federation Services in Web Server

To deploy the SAML v2 Plug-in for Federation Services in Web Server, type:


# WebServer-base/SUNWwbsvr/bin/https/httpadmin/bin/wdeploy deploy 
-u /deployment-URI -i instance-name -v vs-id 
-d WebServer-base/instance-name/deployment-URI war-file-location

For example, when deploying the SAML v2 Plug-in for Federation Services in an instance of Federation Manager deployed in Web Server, you might use:


# /WebServer-base/SUNWwbsvr/bin/https/httpadmin/bin/wdeploy deploy 
-u /saml2 -i niceday.red.sun.com -v https-niceday.red.sun.com 
-d /opt/SUNWwbsvr/https-niceday.red.sun.com/saml2 
/var/opt/SUNWam/fm/war_staging/federation.war

To Remove the SAML v2 Plug-in for Federation Services from Web Server

To remove the SAML v2 Plug-in for Federation Services from Web Server, type:


# /WebServer-base/bin/https/httpadmin/bin/wdeploy delete -u /deployment-URI 
-i instance-name -v vs-id -n hard

where:

WebServer-base

Defines the Web Server installation directory. 

deployment-URI

Defines the SAML v2 Plug-in for Federation Services URI (with leading slash). 

instance-name

Defines the instance of Web Server to which the web application is deployed. 

vs-id

Defines the virtual server ID of the instance of Web Server to which you are deploying the web application. 

For example:


# /WebServer-base/SUNWwbsvr/bin/https/httpadmin/bin/wdeploy delete -u /saml2 
-i https-niceday.red.sun.com -v https-niceday.red.sun.com -n hard

Deploying the SAML v2 Plug-in for Federation Services in Sun Java System Application Server

With Sun Java System Application Server, you can use the deploy subcommand of the asadmin utility to deploy a WAR file. The syntax is:

# asadmin deploy --user admin-user --passwordfile filename --port port 
--contextroot deployment-URI --name deployment-URI 
--target instance-name WAR-file-location

where:

admin-user

Defines the ID of the Application Server administrator. 

filename

Defines the full path to the file that stores the password of the Application Server administrator. You must create this file manually in the form the asadmin utility expects: a single line of the form AS_ADMIN_PASSWORD=password, where password is the clear-text administrator password set during the installation of Application Server. 

port

Defines the port for the Application Server Domain Administration Server. The default is 4849. 

deployment-URI

Defines the URI for the application. 


Note –

Note the inclusion of the leading slash.


instance-name

Defines the instance of Application Server to which the WAR will be deployed. 

WAR-file-location

Defines the full path to the WAR file being deployed. 


Note –

The asadmin options listed above are those relevant to deploying the SAML v2 Plug-in for Federation Services. For more information (including the full set of options), see the Sun Java System Application Server Enterprise Edition 8.1 2005Q2 Reference Manual.
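The password file described above has to be written by hand, and the example later in this appendix places it under /tmp, a directory shared by every user on the host. As an added example (not part of the Sun guide), the following POSIX shell functions create the file with owner-only permissions and verify an existing file before it is handed to --passwordfile. The file path and the sample password in the usage lines are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Sun guide: create the asadmin password file
# (one AS_ADMIN_PASSWORD=... line, as the guide requires) with mode 0600, and
# verify such a file before passing it to asadmin --passwordfile.
# The file path and password in the usage lines below are constructed.

# write_passwordfile FILE PASSWORD
# Writes AS_ADMIN_PASSWORD=PASSWORD to FILE, readable by the owner only.
write_passwordfile() {
    file=$1
    password=$2
    old_umask=$(umask)
    umask 077                 # the new file is created as 0600
    rm -f "$file"             # never append to or reuse a stale file
    printf 'AS_ADMIN_PASSWORD=%s\n' "$password" > "$file"
    umask "$old_umask"
}

# check_passwordfile FILE
# Returns 0 when FILE is in the form asadmin expects and is not readable by
# group or others; otherwise prints the reason on stderr and returns non-zero.
check_passwordfile() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "missing password file: $file" >&2
        return 1
    fi
    # In 'ls -l' output, columns 5-10 are the group and other permission bits.
    perms=$(ls -l "$file" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "password file readable by others (group/other bits: $perms): $file" >&2
        return 2
    fi
    # grep -c prints 0 and exits 1 when nothing matches; keep the count either way.
    count=$(grep -c '^AS_ADMIN_PASSWORD=' "$file" || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one AS_ADMIN_PASSWORD= line, found $count: $file" >&2
        return 3
    fi
    return 0
}

# Usage (constructed values):
#   write_passwordfile "$HOME/.asadmin-pw" 'example-password'
#   check_passwordfile "$HOME/.asadmin-pw" && \
#       asadmin deploy --user admin --passwordfile "$HOME/.asadmin-pw" ...
```

The check is deliberately strict about the file holding exactly one AS_ADMIN_PASSWORD= line: asadmin reads the file as key=value pairs, so a second copy of the key or a leftover line from an earlier edit is the usual reason a deployment fails with an authentication error.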


To Deploy the SAML v2 Plug-in for Federation Services in Application Server

To deploy the SAML v2 Plug-in for Federation Services in Application Server, type:


# ApplicationServer-base/bin/asadmin deploy --user AS-administrator 
--passwordfile filename --port port-number 
--contextroot  deployment-URI --name deployment-URI 
--target instance-name war-file-location

For example, when deploying the SAML v2 Plug-in for Federation Services in an instance of Federation Manager deployed in Application Server, you might use:


# /opt/SUNWappserver/appserver/bin/asadmin deploy --user admin 
--passwordfile /tmp/pwdfile --port 4849 --contextroot fm --name fm 
--target server1 /var/opt/SUNWam/fm/war_staging/federation.war

Following the deployment, you must modify the Application Server server.policy file. By default, it is located in the /var/opt/SUNWappserver/domains/domain-name/ directory. In the sample below, the capitalized contents (all but WEB-INF) must be replaced with information applicable to your deployment.


Example A–1 Application Server server.policy File

// Federation Manager RELATED ADDITIONS
grant {
    permission java.util.PropertyPermission "user.language", "write";
};
// Network access for the am_sdk and am_services libraries
grant codeBase "file:${BASEDIR}/${PROD_DIR}/fm/web-src/WEB-INF/lib/am_sdk.jar" {
    permission java.net.SocketPermission "*", "connect,accept,resolve";
};
grant codeBase "file:${BASEDIR}/${PROD_DIR}/fm/web-src/WEB-INF/lib/am_services.jar" {
    permission java.net.SocketPermission "*", "connect,accept,resolve";
};
// Network access for the deployed WAR; the trailing "/-" covers every file below the directory
grant codeBase "file:$AS81_VARDIR/domains/$AS81_DOMAIN/applications/j2ee-modules/${DEPLOY_WARPREFIX}/-" {
    permission java.net.SocketPermission "*", "connect,accept,resolve";
};
grant {
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission javax.security.auth.AuthPermission "insertProvider.Mozilla-JSS";
    permission java.security.SecurityPermission "putProviderProperty.Mozilla-JSS";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.security.SecurityPermission "insertProvider.Mozilla-JSS";
    permission javax.security.auth.AuthPermission "putProviderProperty.Mozilla-JSS";
    // "<<ALL FILES>>" is the policy-file wildcard for every file on the host
    permission java.io.FilePermission "<<ALL FILES>>", "execute,delete";
    permission java.io.FilePermission "$VAR_SUBDIR/logs/*", "delete,write";
    permission java.util.PropertyPermission "java.util.logging.config.class", "write";
    permission java.security.SecurityPermission "removeProvider.SUN";
    permission java.security.SecurityPermission "insertProvider.SUN";
    permission java.security.SecurityPermission "removeProvider.Mozilla-JSS";
    permission javax.security.auth.AuthPermission "doAs";
    permission java.util.PropertyPermission "java.security.krb5.realm", "write";
    permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
    permission java.util.PropertyPermission "java.security.auth.login.config", "write";
    permission javax.security.auth.kerberos.ServicePermission "*", "accept";
    permission javax.net.ssl.SSLPermission "setHostnameVerifier";
};

Modifications to server.policy are made as follows:

Table A–1 server.policy Modifications After Installation

Replaceable Content     Default Value
$BASEDIR                /opt
$PROD_DIR               SUNWam
$AS81_VARDIR            /var/opt/SUNWappserver
$AS81_DOMAIN            domain1
$VAR_SUBDIR             /var/opt/SUNWam
$DEPLOY_WARPREFIX       federation
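The substitution in Table A–1 is mechanical but easy to get wrong by hand, and several grants in Example A–1 are unrestricted in scope (sockets to any host; execute and delete on all files). The following POSIX shell script, added here as an example and not part of the Sun guide, fills the placeholders with the table's defaults (each overridable through an environment variable of the same name), confirms that none remain, and lists the unrestricted grants so they can be reviewed against the deployment before the text is appended to server.policy. The embedded template is a constructed, shortened excerpt of Example A–1, and the output path in the usage lines is constructed.

```shell
#!/bin/sh
# Added example, not from the Sun guide: expand the Table A-1 placeholders in a
# server.policy fragment and list its unrestricted grants for review.
# Defaults are the table's values; set the variables to override them.
BASEDIR=${BASEDIR:-/opt}
PROD_DIR=${PROD_DIR:-SUNWam}
AS81_VARDIR=${AS81_VARDIR:-/var/opt/SUNWappserver}
AS81_DOMAIN=${AS81_DOMAIN:-domain1}
VAR_SUBDIR=${VAR_SUBDIR:-/var/opt/SUNWam}
DEPLOY_WARPREFIX=${DEPLOY_WARPREFIX:-federation}

# policy_template: a constructed, shortened excerpt of Example A-1. The quoted
# heredoc keeps the placeholders literal so that render_policy can replace them.
policy_template() {
    cat <<'EOF'
// Federation Manager related additions (constructed excerpt)
grant codeBase "file:${BASEDIR}/${PROD_DIR}/fm/web-src/WEB-INF/lib/am_sdk.jar" {
    permission java.net.SocketPermission "*", "connect,accept,resolve";
};
grant codeBase "file:${BASEDIR}/${PROD_DIR}/fm/web-src/WEB-INF/lib/am_services.jar" {
    permission java.net.SocketPermission "*", "connect,accept,resolve";
};
grant codeBase "file:$AS81_VARDIR/domains/$AS81_DOMAIN/applications/j2ee-modules/${DEPLOY_WARPREFIX}/-" {
    permission java.net.SocketPermission "*", "connect,accept,resolve";
};
grant {
    permission java.io.FilePermission "<<ALL FILES>>", "execute,delete";
    permission java.io.FilePermission "$VAR_SUBDIR/logs/*", "delete,write";
    permission javax.net.ssl.SSLPermission "setHostnameVerifier";
};
EOF
}

# render_policy: reads a template on stdin and writes it with every placeholder
# replaced. Example A-1 uses both ${NAME} and $NAME, so both forms are handled.
render_policy() {
    sed -e 's|\${BASEDIR}|'"$BASEDIR"'|g' -e 's|\$BASEDIR|'"$BASEDIR"'|g' \
        -e 's|\${PROD_DIR}|'"$PROD_DIR"'|g' -e 's|\$PROD_DIR|'"$PROD_DIR"'|g' \
        -e 's|\${AS81_VARDIR}|'"$AS81_VARDIR"'|g' -e 's|\$AS81_VARDIR|'"$AS81_VARDIR"'|g' \
        -e 's|\${AS81_DOMAIN}|'"$AS81_DOMAIN"'|g' -e 's|\$AS81_DOMAIN|'"$AS81_DOMAIN"'|g' \
        -e 's|\${VAR_SUBDIR}|'"$VAR_SUBDIR"'|g' -e 's|\$VAR_SUBDIR|'"$VAR_SUBDIR"'|g' \
        -e 's|\${DEPLOY_WARPREFIX}|'"$DEPLOY_WARPREFIX"'|g' -e 's|\$DEPLOY_WARPREFIX|'"$DEPLOY_WARPREFIX"'|g'
}

# check_rendered FILE: returns 0 when no '$' is left in FILE, i.e. every
# placeholder was replaced; a rendered fragment for this deployment has none.
check_rendered() {
    if grep -q '\$' "$1"; then
        echo "unreplaced placeholder(s) remain in $1" >&2
        return 1
    fi
    return 0
}

# list_broad_grants FILE: prints, with line numbers, the permission lines whose
# scope is unrestricted: sockets to any host and the all-files wildcard.
list_broad_grants() {
    grep -n -e 'SocketPermission "\*"' -e '<<ALL FILES>>' "$1"
}

# Usage (constructed output path):
#   policy_template | render_policy > "$HOME/saml2-policy-fragment"
#   check_rendered "$HOME/saml2-policy-fragment" && \
#       list_broad_grants "$HOME/saml2-policy-fragment"
```

Running the template through render_policy with the defaults yields the am_sdk.jar codeBase /opt/SUNWam/fm/web-src/WEB-INF/lib/am_sdk.jar and the WAR codeBase under /var/opt/SUNWappserver/domains/domain1/applications/j2ee-modules/federation/-; setting DEPLOY_WARPREFIX to the name used at deployment time (for example, the --name value passed to asadmin) changes only the last component. The listing produced by list_broad_grants is the set of lines an operator should consciously accept for the host before appending the fragment.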

To Remove the SAML v2 Plug-in for Federation Services from Application Server

To remove the SAML v2 Plug-in for Federation Services from Application Server, type:


# ApplicationServer-base/bin/asadmin undeploy --user AS-administrator 
--passwordfile filename --host host --port port 
--target instance-name deployment-URI

where:

ApplicationServer-base

Defines the Application Server installation directory. 

AS-administrator

Defines the administrator of the Application Server. 

filename

Defines the file that holds the Application Server administrator password. 

host

Defines the host server being used. 

port

Defines the port number being used. 

instance-name

Defines the instance of Application Server to which the application is deployed. 

deployment-URI

Defines the SAML v2 Plug-in for Federation Services URI (with leading slash). 

For example:


# /opt/SUNWappserver/appserver/bin/asadmin undeploy --user admin 
--passwordfile /tmp/pwdfile --host samplehost.sun.com 
--port 4849 --target server1 /saml2

Deploying the SAML v2 Plug-in for Federation Services in BEA WebLogic Server

With BEA WebLogic Server 8.1 (minimum version supported), you can use the weblogic.Deployer utility on the command line to deploy a WAR file. More information on this utility can be found in the BEA WebLogic Server documentation.

To Deploy the SAML v2 Plug-in for Federation Services in BEA WebLogic Server

To deploy the SAML v2 Plug-in for Federation Services in WebLogic Server, type:


# WebLogic-base/bin/java -classpath WebLogic-classpath weblogic.Deployer 
-adminurl http://server-host:server-port -name deployment-URI 
-username WebLogic-admin -password WebLogic-admin-password -target instance-name 
-deploy WAR-file-location

where:

WebLogic-base

Defines the WebLogic Server installation directory. 

WebLogic-classpath

Includes the JDK path and weblogic.jar. 

server-host

Defines the WebLogic Server host machine. 

server-port

Defines the port of the WebLogic Server host machine. 

deployment-URI

Defines the SAML v2 Plug-in for Federation Services URI. 

WebLogic-admin

Defines the ID of the WebLogic Server super user (weblogic, by default). 

WebLogic-admin-password

Defines the password of the WebLogic Server super user. 

instance-name

Defines the instance of WebLogic Server to which the WAR will be deployed. 

WAR-file-location

Defines the full path to the WAR file being deployed. 

For example, when deploying the SAML v2 Plug-in for Federation Services in an instance of Federation Manager deployed in the WebLogic Server, you might use:


/export/bea8/jdk142_06/bin/java -classpath /export/bea8/weblogic8/lib/weblogic.jar:. 
weblogic.Deployer -adminurl http://samplehost.sun.com:7001 -name /saml2 
-username weblogic -password 11111111 -target myserver 
-deploy /var/opt/SUNWam/fm/war_staging/federation.war

To Remove the SAML v2 Plug-in for Federation Services from BEA WebLogic Server

To remove the SAML v2 Plug-in for Federation Services from WebLogic Server, type:


# WebLogic-base/bin/java -classpath WebLogic-classpath weblogic.Deployer -undeploy 
-adminurl http://server-host:server-port -name deployment-URI 
-username WebLogic-admin -password WebLogic-admin-password 
-target WebLogic-Server 

where:

WebLogic-base

Defines the WebLogic Server installation directory. 

WebLogic-classpath

Includes the JDK path and weblogic.jar. 

server-host

Defines the WebLogic Server host machine. 

server-port

Defines the port of the WebLogic Server host machine. 

deployment-URI

Defines the SAML v2 Plug-in for Federation Services URI. 

WebLogic-admin

Defines the ID of the WebLogic Server super user (weblogic, by default). 

WebLogic-admin-password

Defines the password of the WebLogic Server super user. 

WebLogic-Server

Defines the instance of WebLogic Server. 

For example:


/export/bea8/jdk142_06/bin/java -classpath /export/bea8/weblogic8/lib/weblogic.jar:. 
weblogic.Deployer -undeploy -adminurl http://samplehost.sun.com:7001 
-name /saml2 -username weblogic -password 11111111 -target myserver

Deploying the SAML v2 Plug-in for Federation Services in WebSphere Application Server

Before deploying an application or deleting an instance in WebSphere Application Server 5.1 (minimum version supported), you must modify the Jacl (Java Action Command Language) descriptor file. After that, you run the wsadmin.sh script from the command line. More information on both of these steps can be found in the WebSphere Application Server documentation.

To Deploy the SAML v2 Plug-in for Federation Services in WebSphere Application Server

To deploy the SAML v2 Plug-in for Federation Services in WebSphere Application Server, edit the Jacl descriptor by adding the following:

$AdminApp install WAR-file-location {-contextroot deployment-URI -usedefaultbindings -nopreCompileJSPs -distributeApp -nouseMetaDataFromBinary -node WebSphereAS-node -cell WebSphereAS-cell -server WebSphereAS-instance -nodeployejb -appname deployment-URI -createMBeansForResources -noreloadEnabled -reloadInterval 0 -nodeployws}

where:

WAR-file-location

Defines the full path to the WAR file being deployed. 

deployment-URI

Defines the SAML v2 Plug-in for Federation Services URI. 

WebSphereAS-node

Defines the node under which the Application Server instance is configured. 

WebSphereAS-cell

Defines the cell under which the Application Server node is configured. 

WebSphereAS-instance

Defines the instance of the Application Server to which the SAML v2 Plug-in for Federation Services will be deployed. 

After editing the Jacl descriptor, run the following command to deploy the WAR:


# WebSphereAS-base/bin/wsadmin.sh -f Jacl-descriptor-file

To Remove the SAML v2 Plug-in for Federation Services from WebSphere Application Server

To remove the SAML v2 Plug-in for Federation Services from WebSphere Application Server, edit the Jacl descriptor by adding the following:

$AdminApp uninstall deploy-tag {-node WebSphereAS-node -cell WebSphereAS-cell -server WebSphereAS-instance}

where:

deploy-tag

Defines the SAML v2 Plug-in for Federation Services URI. 

WebSphereAS-node

Defines the node under which the Application Server instance is configured. 

WebSphereAS-cell

Defines the cell under which the Application Server node is configured. 

WebSphereAS-instance

Defines the instance of the Application Server to which the SAML v2 Plug-in for Federation Services is deployed. 

After editing the Jacl descriptor, run the following command to remove:


# WebSphereAS-base/bin/wsadmin.sh -f Jacl-descriptor-file