Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

Procedure: To Install Application Server on the OpenSSO Enterprise 2 Host Machine

Before You Begin

This procedure assumes you have just completed To Create a Non-Root User on the OpenSSO Enterprise 2 Host Machine and are still logged into the host machine as a root user.

  1. Create a directory into which the Application Server bits can be downloaded and change into it.

    # mkdir /export/AS91
    # cd /export/AS91
  2. Download the Sun Java System Application Server 9.1 Update 1 binary from the Sun Microsystems Product Download page to the /export/AS91 directory.

  3. Grant the downloaded binary execute permission using the chmod command.

    # chmod +x sjsas-9_1_01-solaris-sparc.bin
  4. Install the software.

    # ./sjsas-9_1_01-solaris-sparc.bin -console
  5. When prompted, provide the following information.

    You are running the installation program 
    for the Sun Java System Application Server. This 
    program asks you to supply configuration preference
    settings that it uses to install the server.
    This installation program consists of one or 
    more selections that provide you with information
    and let you enter preferences that determine
    how Sun Java System Application Server is 
    installed and configured. 
    When you are presented with the following
    question, the installation process pauses to 
    allow you to read the information that has 
    been presented When you are ready to continue, 
    press Enter.

    Press Enter to continue. 

    Have you read, and do you accept, all of 
    the terms of the preceding Software License 
    Agreement [no] {"<" goes back, "!" exits}?

    Enter yes.

    Installation Directory [/opt/SUNWappserver]
    {"<" goes back, "!" exits}

    Enter /opt/SUNWappserver91

    The specified directory "/opt/SUNWappserver91"
    does not exist. Do you want to create it now or 
    choose another directory?
    1. Create Directory
    2. Choose New.
    Enter the number corresponding to your choice [1] 
    {"<" goes back, "!" exits}

    Enter 1 to create the directory.

    The Sun Java System Application Server
    requires a Java 2 SDK. Please provide the path to
    a Java 2 SDK 5.0 or greater. [/usr/jdk/instances/jdk1.5.0] 
    {"<" goes back, "!" exits}

    Press Enter to accept the default value. 

    Supply the admin user's password and override
    any of the other initial configuration settings as 
    Admin User [admin] {"<" goes back, "!" exits}

    Press Enter to accept the default value. 

    Admin User's Password (8 chars minimum):
    Re-enter Password:

    Enter domain1pwd and then re-enter domain1pwd.

    Do you want to store admin user name and 
    password in .asadminpass file in user's home
    directory [yes] {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 

    Admin Port [4848] {"<" goes back, "!" exits}
    HTTP Port [8080] {"<" goes back, "!" exits}
    HTTPS Port [8181] {"<" goes back, "!" exits}

    Press Enter to accept the three default values. 

    Do you want to enable Updatecenter client 
    [yes] {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 

    Do you want to upgrade from previous 
    Applicatin Server version [no] 
    {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 

    The following items for the product Sun Java 
    System Application Server will be installed:
    Product: Sun Java System Application Server
    Location: /opt/SUNWappserver91
    Space Required: 161.61 MB
    Sun Java System message Queue 4.1
    Application Server
    Ready To Install
    1. Install Now
    2. Start Over
    3. Exit Installation
    What would you like to do [1] 
    {"<" goes back, "!" exits}?

    Press Enter to accept the default value and begin the installation process. 

    - Installing Sun Java System Application 
     - Installation Successful.

    When installation is complete, an Installation Successful message is displayed:

    Next Steps:
    1. Access the About Application Server 9.1 welcome 
    page at:
    2. Start the Application Server by executing:
      start-domain domain1
    3. Start the Admin Console:
    Please press Enter/Return key to exit the 
    installation program. {"!" exits}

    Press Enter to exit the installation program. 

  6. Create a second Application Server domain for the non-root user.

    The default domain created during the installation process is owned by root. We create a new domain for the non-root user osso80adm into which we will deploy OpenSSO Enterprise.

    # cd /opt/SUNWappserver91/bin
    # su osso80adm
    # ./asadmin create-domain 
    --domaindir /export/osso80adm/domains 
    --adminport 8989 --user domain2adm --instanceport 1080 
    --domainproperties http.ssl.port=1081 ossodomain
     Please enter the admin password>
    Please enter the admin password again>
    Please enter the master password 
      [Enter to accept the default]:>
    Please enter the master password again 
      [Enter to accept the default]:>
    Using port 8989 for Admin.
    Using port 1080 for HTTP Instance.
    Using default port 7676 for JMS.
    Using default port 3700 for IIOP.
    Using port 1081 for HTTP_SSL.
    Using default port 3820 for IIOP_SSL.
    Using default port 3920 for IIOP_MUTUALAUTH.
    Using default port 8686 for JMX_ADMIN.
    Domain being created with profile:developer, as specified 
      by variable AS_ADMIN_PROFILE in configuration file.
    Security Store uses: JKS
    2008-08-24 18:21:15.907 GMT Thread[main,5,main]
    derby.log (Permission denied)
    2008-03-24 18:21:16.216 GMT:
    Booting Derby version The Apache Software Foundation 
    - Apache Derby - -
    (538595): instance c013800d-0118-e205-d50b-00000c0c0770 
    on database directory
      Database Class Loader started - derby.database.classpath=''
      Domain ossodomain created.

    Note –

    The FileNotFoundException is a known issue. Please see Appendix G, Known Issues and Limitations.

  7. Verify that the non-root user domain was created with the correct permissions using the following sub-procedure.

    1. Change to the ossodomain directory.

      # cd /export/osso80adm/domains/ossodomain
    2. List the contents of the directory.

      # ls -la
      total 30
      drwxr-xr-x  15 osso80adm staff   512 Mar 20 14:12 .
      drwxr-xr-x   3 osso80adm staff   512 Mar 20 14:12 ..
      drwxr-xr-x   2 osso80adm staff   512 Mar 20 14:12 addons
      drwxr-xr-x   6 osso80adm staff   512 Mar 20 14:12 applications
      drwxr-xr-x   3 osso80adm staff   512 Mar 20 14:12 autodeploy
      drwxr-xr-x   2 osso80adm staff   512 Mar 20 14:12 bin
      drwx------   3 osso80adm staff  1024 Mar 26 13:27 config
      drwxr-xr-x   2 osso80adm staff   512 Mar 20 14:12 docroot
      drwxr-xr-x   6 osso80adm staff   512 Mar 26 13:34 generated
      drwxr-xr-x   3 osso80adm staff   512 Mar 20 14:12 imq
      drwxr-xr-x   5 osso80adm staff   512 Mar 20 14:16 java-web-start
      drwxr-xr-x   8 osso80adm staff   512 Mar 20 14:16 jbi
      drwxr-xr-x   6 osso80adm staff   512 Mar 20 14:12 lib
      drwxr-xr-x   2 osso80adm staff   512 Mar 26 13:26 logs
      drwxr-xr-x   2 osso80adm staff   512 Mar 20 14:12 session-store

      The files and directories are owned by osso80adm.

  8. Start ossodomain, the non-root user domain, using the following sub-procedure.

    1. Switch to the non-root user.

      # su osso80adm
    2. Change to the bin directory.

      # cd /export/osso80adm/domains/ossodomain/bin
    3. Start ossodomain.

      # ./startserv
      admin username:domain2adm
      admin password:domain2pwd
      master password:domain2master
      Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log
  9. Verify that ossodomain has started with the following sub-procedure.

    1. Access from a web browser.

    2. Log in to the Application Server console as the administrator.

      When the Application Server administration console is displayed, this verifies that the non-root user was able to start the domain server.

    3. Exit the console and close the browser.

  10. Create a request for a server certificate to secure communications between the soon-to-be-configured OpenSSO Enterprise load balancer and ossodomain using the following sub-procedure.

    1. Generate a private/public key pair and reference it with the alias, opensso-idp-2.

      opensso-idp-2 will be used in a later step to retrieve the public key which is contained in a self-signed certificate.

      # cd /export/osso80adm/domains/ossodomain/config
      # keytool -genkey -noprompt -keyalg rsa -keypass domain2master 
      -alias opensso-idp-2 -keystore keystore.jks -dname ", 
      OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" 
      -storepass domain2master
    2. Verify that the key pair was successfully created and stored in the certificate store.

      # keytool -list -v -keystore keystore.jks -storepass domain2master
       Alias name: opensso-idp-2
       Creation date: Aug 4, 2008
       Entry type: keyEntry
       Certificate chain length: 1
       Owner:, OU=OpenSSO, O=Sun Microsystems,
      L=Santa Clara, ST=California, C=US
       Issuer:, OU=OpenSSO, O=Sun Microsystems,
      L=Santa Clara, ST=California, C=US
       Serial number: 47f6a587
       Valid from: Fri Aug 04 15:02:47 PDT 2008 until: Thu Nov 03 15:02:47 PDT 2008
       Certificate fingerprints:
        MD5:  62:0E:5E:EB:8A:73:B2:F9:08:83:05:C5:DC:07:3C:E1
        SHA1: D4:9C:BA:25:4C:B5:71:20:CF:F3:18:46:AF:2E:7F:71:2A:4B:BD:B3
      The certificate indicated by the alias "opensso-idp-2" is a 
      self-signed certificate.

      Note –

      The output of this command may list more than one certificate based on the entries in the keystore.

    3. Generate a server certificate request.

      # keytool -certreq -alias opensso-idp-2 -keypass domain2master 
      -keystore keystore.jks -storepass domain2master -file opensso-idp-2.csr

      opensso-idp-2.csr is the server certificate request.

    4. (Optional) Verify that opensso-idp-2.csr was created.

      # ls -la opensso-idp-2.csr
       -rw-r--r--   1 osso80adm staff        715 Apr  4 15:04 opensso-idp-2.csr
    5. Send opensso-idp-2.csr to the CA of your choice.

      The CA issues and returns a certified server certificate named opensso-idp-2.cer.

    6. Import ca.cer, the CA root certificate, into the certificate store.

      With Application Server, the root certificate must be imported into two keystores: keystore.jks and cacerts.jks.

      # keytool -import -trustcacerts -alias OpenSSLTestCA 
      -file ca.cer -keystore keystore.jks -storepass domain2master
      Owner:, CN=openssltestca, OU=am, 
        O=sun, L=santa clara, ST=california, C=us
      Issuer:, CN=openssltestca, OU=am, 
        O=sun, L=santa clara, ST=california, C=us
      Serial number: f59cd13935f5f498
      Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
      Certificate fingerprints:
        MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
        SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
      Trust this certificate? [no]: Yes
      Certificate was added to keystore

      # keytool -import -trustcacerts -alias OpenSSLTestCA 
      -file ca.cer -keystore cacerts.jks -storepass domain2master
      Owner:, CN=openssltestca, OU=am, 
        O=sun, L=santa clara, ST=california, C=us
      Issuer:, CN=openssltestca, OU=am, 
        O=sun, L=santa clara, ST=california, C=us
      Serial number: f59cd13935f5f498
      Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
      Certificate fingerprints:
        MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
        SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
      Trust this certificate? [no]: Yes
      Certificate was added to keystore
    7. Replace the self-signed public key certificate (associated with the s1as alias) with the server certificate received from the CA.

      # keytool -import -file opensso-idp-2.cer -alias opensso-idp-2 
      -keystore keystore.jks -storepass domain2master
      Certificate reply was installed in keystore
    8. (Optional) Verify that the self-signed public key certificate has been overwritten by the server certificate received from the CA.

      # keytool -list -v -keystore keystore.jks 
      -storepass domain2master
      The certificate indicated by the alias "opensso-idp-2" is signed by CA.
    9. Change the certificate alias from the default s1as to the new opensso-idp-2 in the domain.xml file for the ossodomain domain.

      The Application Server configuration file is domain.xml.

      <http-listener acceptor-threads="1" address="" 
      blocking-enabled="false" default-virtual-server="server" enabled="true" 
      family="inet" id="http-listener-2" port="1081" security-enabled="true" 
      server-name="" xpowered-by="true">
      <ssl cert-nickname="opensso-idp-2" client-auth-enabled="false" ssl2-enabled="false"
      ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
      </http-listener>

      Tip –

      Backup domain.xml before modifying it.

  11. Modify the JVM options in your web container's configuration file using the following sub-procedure.

    OpenSSO Enterprise can be deployed with an embedded configuration data store. For the configuration data store to be created successfully, the following JVM options should be modified in the web container's configuration file. For this example, that means modifying domain.xml again.

    Tip –

    Backup domain.xml before modifying it.

    1. Change to the config directory.

      # cd /export/osso80adm/domains/ossodomain/config
    2. Open domain.xml in a text editor and make the following changes:

      • Replace <jvm-options>-client</jvm-options> with <jvm-options>-server</jvm-options>.

      • Replace <jvm-options>-Xmx512m</jvm-options> with <jvm-options>-Xmx1024m</jvm-options>.

    3. Save the file and close it.
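
    The two domain.xml edits above (the cert-nickname change in step 10 and the JVM options in step 11), scripted with sed and checked afterwards, as an added example that is not from the Sun guide. It assumes a POSIX sh with sed, grep, cp and mktemp, and runs against a constructed sample holding only the relevant domain.xml fragments; the alias and option values are the ones the procedure uses.

```shell
# Added example, not from the Sun guide: apply the domain.xml edits the procedure
# calls for (cert-nickname of the http-listener-2 <ssl> element, then the JVM
# options) with sed, after taking the backup the Tip recommends, and verify them.
edit_domain_xml() {
  f="$1"; alias="$2"
  cp "$f" "$f.bak" || return 1            # backup first, as the Tip says
  sed -e "/id=\"http-listener-2\"/,/<\/http-listener>/ s/cert-nickname=\"s1as\"/cert-nickname=\"$alias\"/" \
      -e 's#<jvm-options>-client</jvm-options>#<jvm-options>-server</jvm-options>#' \
      -e 's#<jvm-options>-Xmx512m</jvm-options>#<jvm-options>-Xmx1024m</jvm-options>#' \
      "$f.bak" > "$f"
}

# Succeeds (exit 0) only when all three settings are in place.
verify_domain_xml() {
  f="$1"; alias="$2"
  sed -n "/id=\"http-listener-2\"/,/<\/http-listener>/p" "$f" |
    grep -q "cert-nickname=\"$alias\"" &&
  grep -q '<jvm-options>-server</jvm-options>' "$f" &&
  ! grep -q '<jvm-options>-client</jvm-options>' "$f" &&
  grep -q '<jvm-options>-Xmx1024m</jvm-options>' "$f"
}

# Constructed sample (not a real domain.xml) with only the fragments that matter;
# the IIOP listener also uses s1as and must be left untouched by the edit.
make_sample_domain_xml() {
  cat > "$1" <<'EOF'
<domain>
  <http-listener id="http-listener-2" port="1081" security-enabled="true">
    <ssl cert-nickname="s1as" client-auth-enabled="false" tls-enabled="true"/>
  </http-listener>
  <iiop-listener id="SSL" port="3820" security-enabled="true">
    <ssl cert-nickname="s1as" client-auth-enabled="false"/>
  </iiop-listener>
  <java-config>
    <jvm-options>-client</jvm-options>
    <jvm-options>-Xmx512m</jvm-options>
  </java-config>
</domain>
EOF
}

# Stand-alone run: write the sample to a temp dir, edit it, verify, report.
demo() {
  d=$(mktemp -d) || return 1
  make_sample_domain_xml "$d/domain.xml"
  edit_domain_xml "$d/domain.xml" opensso-idp-2 &&
    verify_domain_xml "$d/domain.xml" opensso-idp-2 && echo "domain.xml ok: $d/domain.xml"
}
demo
```

On a real domain, run edit_domain_xml against /export/osso80adm/domains/ossodomain/config/domain.xml with the domain stopped, then restart it as in the next step.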

  12. Restart the ossodomain domain.

    # cd /export/osso80adm/domains/ossodomain/bin
    # ./stopserv
    Server was successfully stopped.
    # ./startserv
    admin username:domain2adm
    admin password:domain2pwd
    master password:domain2master
    Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log
  13. Verify that the certificate used for SSL communication is the root CA certificate.

    1. Access https:/// from a web browser.

    2. View the details of the certificate in the security warning to ensure that it is Issued by “OpenSSLTestCA”.

      After inspecting and accepting the certificate, you should see the default index.html page.

    3. Close the browser.

  14. Log out of the / host machine.