Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

13.3 Installing Application Server on the Secure Attribute Exchange Service Provider Host Machine

To test a Secure Attribute Exchange, we configure and use JavaServer Pages (bundled with the OpenSSO Enterprise Client SDK) to emulate real-world applications. saeSPApp.jsp represents the service provider application that receives the attributes from the identity provider; it is installed on the sae.sp-example.com host machine. The following procedures install and configure one instance of Application Server as the web container for that application.

Procedure: To Install Application Server on the Secure Attribute Exchange Service Provider Host Machine

Before You Begin

This procedure assumes you have completed 13.1 Patching the Secure Attribute Exchange Host Machines.

  1. Log in to the sae.sp-example.com host machine as the root user.

  2. Create a directory into which the Application Server bits can be downloaded and change into it.


    # mkdir /export/AS91
    # cd /export/AS91
    
  3. Download the Sun Java System Application Server 9.1 Update 1 binary from the Sun Microsystems Product Download page to the /export/AS91 directory.

  4. Grant the downloaded binary execute permission using the chmod command.


    # chmod +x sjsas-9_1_01-solaris-sparc.bin
    
  5. Install the software.


    # ./sjsas-9_1_01-solaris-sparc.bin -console
    
  6. When prompted, provide the following information.


    You are running the installation program 
    for the Sun Java System Application Server. This 
    program asks you to supply configuration preference
    settings that it uses to install the server.
    
    This installation program consists of one or 
    more selections that provide you with information
    and let you enter preferences that determine
    how Sun Java System Application Server is 
    installed and configured. 
    
    When you are presented with the following
    question, the installation process pauses to 
    allow you to read the information that has 
    been presented. When you are ready to continue, 
    press Enter.

    Press Enter to continue. 


    Have you read, and do you accept, all of 
    the terms of the preceding Software License 
    Agreement [no] {"<" goes back, "!" exits}?

    Enter yes.


    Installation Directory [/opt/SUNWappserver]
    {"<" goes back, "!" exits}

    Enter /opt/SUNWappserver91


    The specified directory "/opt/SUNWappserver91"
    does not exist. Do you want to create it now or 
    choose another directory?
    
    1. Create Directory
    2. Choose New.
    
    Enter the number corresponding to your choice [1] 
    {"<" goes back, "!" exits}

    Enter 1 to create the directory.


    The Sun Java System Application Server
    requires a Java 2 SDK. Please provide the path to
    a Java 2 SDK 5.0 or greater. [/usr/jdk/instances/jdk1.5.0] 
    {"<" goes back, "!" exits}

    Press Enter to accept the default value. 


    Supply the admin user's password and override
    any of the other initial configuration settings as 
    necessary.
    
    Admin User [admin] {"<" goes back, "!" exits}

    Press Enter to accept the default value. 


    Admin User's Password (8 chars minimum):
    Re-enter Password:

    Enter domain1pwd and then re-enter domain1pwd. (domain1pwd is the example password used throughout this deployment; a real deployment should use a strong password of its own.)


    Do you want to store admin user name and 
    password in .asadminpass file in user's home
    directory [yes] {"<" goes back, "!" exits}?

    Press Enter to accept the default value. Storing the credentials in .asadminpass lets later asadmin commands run without prompting, but the file holds the admin password in a form any reader of the file can recover, so leave it readable by root only.


    Admin Port [4848] {"<" goes back, "!" exits}
    HTTP Port [8080] {"<" goes back, "!" exits}
    HTTPS Port [8181] {"<" goes back, "!" exits}

    Press Enter to accept the three default values. 


    Do you want to enable Updatecenter client 
    [yes] {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 


    Do you want to upgrade from previous 
    Application Server version [no] 
    {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 


    The following items for the product Sun Java 
    System Application Server will be installed:
    
    Product: Sun Java System Application Server
    Location: /opt/SUNWappserver91
    Space Required: 161.61 MB
    -------------------------------------------
    Sun Java System message Queue 4.1
    Application Server
    Startup
    
    Ready To Install
    
    1. Install Now
    2. Start Over
    3. Exit Installation
    
    What would you like to do [1] 
    {"<" goes back, "!" exits}?

    Press Enter to accept the default value and begin the installation process. 


    - Installing Sun Java System Application 
    Server
    
    |-1%-----25%-----50%-----75%-----100%|
    
     - Installation Successful.

    When installation is complete, an Installation Successful message is displayed:


    Next Steps:
    
    1. Access the About Application Server 9.1 welcome 
    page at:
     file:///opt/SUNWappserver91/docs/about.html
    
    2. Start the Application Server by executing:
      /opt/SUNWappserver91/bin/asadmin 
      start-domain domain1
    
    3. Start the Admin Console:
      http://sae.sp-example.com:4848
    
    Please press Enter/Return key to exit the 
    installation program. {"!" exits}

    Press Enter to exit the installation program. 

  7. Log out of the sae.sp-example.com host machine.

Procedure: To Secure Communications from the Service Provider Application

Create a request for a server certificate and import the certificate authority (CA) root certificate and server certificate to the keystore. This will secure communications initiated by the service provider application.

Before You Begin

Back up domain.xml before modifying it.

  1. Log in to the sae.sp-example.com host machine as the root user.

  2. Generate a private/public key pair and store it under the alias sae-sp.

    The alias identifies this key entry in the later steps that generate the certificate request and install the CA-issued certificate, which replaces the self-signed certificate keytool creates for the new key. Two points of caution: keytool before JDK 8 defaults to a 1024-bit RSA key, so add -keysize 2048 for anything beyond a test deployment, and changeit is the well-known default keystore password, which a production keystore should not keep.


    # cd /opt/SUNWappserver91/domains/domain1/config
    # keytool -genkey -noprompt -keyalg rsa -keypass changeit 
    -alias sae-sp -keystore keystore.jks -dname "CN=sae.sp-example.com, 
    OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" 
    -storepass changeit
    
  3. Verify that the key pair was successfully created and stored in the certificate store using the following command.


    # keytool -list -v -keystore keystore.jks -storepass changeit
    

    The output of this command lists a key entry with the alias sae-sp.


    Note –

    The output of this command may list more than one certificate based on the entries in the keystore.


  4. Generate a server certificate request.


    # keytool -certreq -alias sae-sp -keypass changeit 
    -keystore keystore.jks -storepass changeit -file sae-sp.csr
    

    sae-sp.csr is the server certificate request.

  5. (Optional) Verify that sae-sp.csr was created.


    # ls -la sae-sp.csr
    
     -rw-r--r--   1 osso80adm staff        715 Apr  4 15:04 sae-sp.csr
  6. Send sae-sp.csr to the CA of your choice.

    The CA issues and returns a certified server certificate named sae-sp.cer.

  7. Import ca.cer, the CA root certificate, as a trusted entry into the certificate stores.

    The root certificate must be imported into the two keystores used by Application Server: keystore.jks, where keytool needs it to validate the certificate reply in the next step, and cacerts.jks, the trust store consulted for outbound SSL connections. Compare the fingerprints printed by keytool with those published by the CA before answering yes.


    # keytool -import -trustcacerts -alias OpenSSLTestCA 
    -file ca.cer -keystore keystore.jks -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Serial number: f59cd13935f5f498
    Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
    Certificate fingerprints:
      MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
      SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
    
    Trust this certificate? [no]: Yes
    
    Certificate was added to keystore

    # keytool -import -trustcacerts -alias OpenSSLTestCA 
    -file ca.cer -keystore cacerts.jks -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, 
      O=sun, L=santa clara, ST=california, C=us
    Serial number: f59cd13935f5f498
    Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
    Certificate fingerprints:
      MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
      SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
    
    Trust this certificate? [no]: Yes
    
    Certificate was added to keystore
  8. Replace the self-signed certificate stored under the sae-sp alias with the server certificate received from the CA.

    Because the alias already holds a private key, keytool treats sae-sp.cer as a certificate reply and installs it only if it can chain the reply to a trusted certificate in the keystore, which is why ca.cer was imported in the previous step.


    # keytool -import -file sae-sp.cer -alias sae-sp 
    -keystore keystore.jks -storepass changeit
    
    Certificate reply was installed in keystore
  9. (Optional) Verify that the self-signed certificate has been replaced by the certificate chain received from the CA.


    # keytool -list -alias sae-sp -v -keystore keystore.jks 
    -storepass changeit
    
    The entry for alias sae-sp now lists a certificate chain of length 2 whose first certificate is issued by the CA (Issuer: CN=openssltestca, ...) rather than by itself.
  10. Change the certificate alias used by the secure HTTP listener from the default s1as to sae-sp in the domain.xml file for the domain1 domain.

    The Application Server configuration file is domain.xml. Edit the cert-nickname attribute of the <ssl> element under the http-listener whose security-enabled attribute is true. The port attribute must match the HTTPS port the listener was configured with (8181 as accepted during installation, unless you changed it). The listener after the change:

    <http-listener acceptor-threads="1" address="0.0.0.0" 
    blocking-enabled="false" default-virtual-server="server" enabled="true" 
    family="inet" id="http-listener-2" port="8181" security-enabled="true" 
    server-name="" xpowered-by="true">
    <ssl cert-nickname="sae-sp" client-auth-enabled="false" ssl2-enabled="false"
    ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
    </http-listener>

    ssl2-enabled="false" must stay as shown. SSL 3.0 is also obsolete and subject to padding-oracle attacks (POODLE); unless a legacy client requires it, set ssl3-enabled="false" so that only TLS is offered.
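The keytool work of steps 2 through 9, run end to end as one script. This is an added example, not part of the deployment guide: a throwaway OpenSSL CA (constructed here, named after the guide's OpenSSLTestCA) stands in for "the CA of your choice" so the whole cycle, including the checks the optional steps describe, can be exercised on any host with keytool (JDK 6 or later) and openssl on the PATH. It uses the newer command names -genkeypair and -importcert (the guide's -genkey and -import remain accepted aliases), adds -keysize 2048 and a subjectAltName, and takes the working directory and password as parameters instead of the guide's fixed config directory and changeit.

```shell
#!/bin/sh
# Added example (not from the OpenSSO deployment guide): the keytool steps of
# the procedure above, run end to end with a throwaway OpenSSL CA standing in
# for "the CA of your choice".  Assumed: keytool (JDK 6+) and openssl on PATH;
# alias, DN and file names follow the guide; the CA is constructed here and
# only its name mirrors the guide's OpenSSLTestCA.
set -u

issue_sae_sp_cert() {
  dir=$1   # working directory (the guide works in domains/domain1/config)
  pw=$2    # keystore and key password (the guide uses changeit)
  dn="CN=sae.sp-example.com, OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US"

  # Step 2: key pair under alias sae-sp.  -keysize 2048 is explicit because
  # keytool before JDK 8 defaults to a 1024-bit RSA key.
  keytool -genkeypair -noprompt -keyalg RSA -keysize 2048 -alias sae-sp -dname "$dn" \
    -keystore "$dir/keystore.jks" -storetype JKS -storepass "$pw" -keypass "$pw" || return 1

  # Step 4: certificate signing request (the -file flag names the output).
  keytool -certreq -alias sae-sp -keystore "$dir/keystore.jks" \
    -storepass "$pw" -keypass "$pw" -file "$dir/sae-sp.csr" || return 1

  # Step 6 stand-in: a constructed local CA signs the request and adds the
  # subjectAltName and serverAuth EKU browsers expect from a server certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=openssltestca/OU=am/O=sun" \
    -keyout "$dir/ca.key" -out "$dir/ca.cer" >/dev/null 2>&1 || return 1
  printf 'subjectAltName=DNS:sae.sp-example.com\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
  openssl x509 -req -in "$dir/sae-sp.csr" -CA "$dir/ca.cer" -CAkey "$dir/ca.key" -CAcreateserial \
    -days 30 -extfile "$dir/server.ext" -out "$dir/sae-sp.cer" >/dev/null 2>&1 || return 1

  # Step 7: CA root as a trusted entry in both keystores.  -noprompt answers
  # the "Trust this certificate?" question, so check the fingerprint out of band.
  for ks in keystore.jks cacerts.jks; do
    keytool -importcert -noprompt -trustcacerts -alias OpenSSLTestCA -file "$dir/ca.cer" \
      -keystore "$dir/$ks" -storetype JKS -storepass "$pw" || return 1
  done

  # Step 8: the CA-issued certificate replaces the self-signed one under sae-sp.
  # keytool accepts it as a certificate reply only if it chains to a trusted
  # entry, which the previous step provided.
  keytool -importcert -noprompt -alias sae-sp -file "$dir/sae-sp.cer" \
    -keystore "$dir/keystore.jks" -storepass "$pw" -keypass "$pw" || return 1

  # Step 9: the entry must now be a chain whose leaf is issued by the CA.
  keytool -list -v -alias sae-sp -keystore "$dir/keystore.jks" -storepass "$pw" \
    | grep -i 'Issuer:.*openssltestca' >/dev/null
}

# Usage: sh issue_cert.sh /path/to/workdir changeit
if [ $# -eq 2 ]; then
  issue_sae_sp_cert "$1" "$2" && echo "sae-sp now holds a CA-issued certificate chain"
fi
```

Against a real CA, delete the two openssl commands, submit sae-sp.csr, save the returned certificate as sae-sp.cer and the CA's root as ca.cer in the working directory, and the remaining steps apply unchanged. Copy the resulting keystore.jks and cacerts.jks into the domain config directory only if you actually want that CA trusted by the server.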

Procedure: To Modify the Service Provider Web Container domain.xml Configuration File

Modify the following Java Virtual Machine (JVM) options in the Application Server configuration file, domain.xml, to prepare for the installation of the Client SDK.

Before You Begin
  1. Change to the config directory.


    # cd /opt/SUNWappserver91/domains/domain1/config
    
  2. Open domain.xml in a text editor and make the following changes:

    • Replace <jvm-options>-client</jvm-options> with <jvm-options>-server</jvm-options>.

    • Replace <jvm-options>-Xmx512m</jvm-options> with <jvm-options>-Xmx1024m</jvm-options>.

  3. Save the file and close it.

  4. Restart the domain1 domain.


    # cd /opt/SUNWappserver91/bin
    # ./asadmin stop-domain
    
    Server was successfully stopped.
    
    # ./asadmin start-domain
    
    Redirecting output to /opt/SUNWappserver91/domains/domain1/logs/server.log
  5. Verify that the certificate presented for SSL communication is the server certificate issued by the CA.

    1. Access https://sae.sp-example.com:8181/index.html (the HTTPS port accepted during installation) from a web browser.

    2. View the details of the certificate in the security warning to ensure that it is issued to sae.sp-example.com and Issued by “OpenSSLTestCA”. The warning appears because the test CA is not in the browser's trust store; a certificate from a CA the browser already trusts produces no warning.

      After inspecting and accepting the certificate, you should see the default index.html page.

    3. Close the browser.
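The two domain.xml edits made so far (the cert-nickname change in step 10 of the previous procedure and the JVM options in this one) are easy to get wrong by hand. What follows is an added example, not code from the deployment guide or from Application Server: a small audit that parses a domain.xml, reports secure listeners still using the s1as nickname or a client JVM with a small heap, and applies the procedure's corrections. It goes one step beyond the guide by also flagging and disabling ssl3-enabled="true", since SSL 3.0 is obsolete. The embedded domain.xml is a constructed fragment containing only the elements the procedure touches; the element and attribute names are those of the real file.

```python
"""Audit and correct the domain.xml settings touched by the procedure above.

Added example, not code from the OpenSSO deployment guide or from Application
Server.  SAMPLE_DOMAIN_XML is a constructed fragment of a freshly installed
domain1, reduced to the elements the procedure edits.
"""
import re
import sys
import xml.etree.ElementTree as ET

SAMPLE_DOMAIN_XML = """<domain>
  <configs>
    <config name="server-config">
      <http-service>
        <http-listener id="http-listener-1" port="8080" security-enabled="false"/>
        <http-listener id="http-listener-2" port="8181" security-enabled="true">
          <ssl cert-nickname="s1as" client-auth-enabled="false" ssl2-enabled="false"
               ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
        </http-listener>
      </http-service>
      <java-config>
        <jvm-options>-client</jvm-options>
        <jvm-options>-Xmx512m</jvm-options>
      </java-config>
    </config>
  </configs>
</domain>
"""

XMX_RE = re.compile(r"^-Xmx(\d+)([kKmMgG]?)$")


def xmx_megabytes(option):
    """Return the heap limit in MB for an -Xmx option, or None for other options."""
    match = XMX_RE.match(option)
    if not match:
        return None
    size, unit = int(match.group(1)), match.group(2).lower()
    return {"": size // (1024 * 1024), "k": size // 1024, "m": size, "g": size * 1024}[unit]


def audit_domain_xml(xml_text, cert_nickname="sae-sp", min_heap_mb=1024):
    """Return the settings that differ from what the procedure requires."""
    root = ET.fromstring(xml_text)
    findings = []
    for listener in root.iter("http-listener"):
        if listener.get("security-enabled") != "true":
            continue  # plain HTTP listeners carry no <ssl> element
        lid = listener.get("id")
        ssl = listener.find("ssl")
        if ssl is None:
            findings.append(f"{lid}: secure listener without an <ssl> element")
            continue
        if ssl.get("cert-nickname") != cert_nickname:
            findings.append(f"{lid}: cert-nickname is {ssl.get('cert-nickname')!r}, "
                            f"expected {cert_nickname!r}")
        if ssl.get("ssl2-enabled") == "true":
            findings.append(f"{lid}: ssl2-enabled must be false")
        if ssl.get("ssl3-enabled") == "true":
            findings.append(f"{lid}: ssl3-enabled should be false (SSL 3.0 is obsolete)")
        if ssl.get("tls-enabled") != "true":
            findings.append(f"{lid}: tls-enabled must be true")
    options = [o.text.strip() for o in root.iter("jvm-options") if o.text]
    if "-client" in options:
        findings.append("jvm-options: -client present, the procedure requires -server")
    heaps = [mb for mb in map(xmx_megabytes, options) if mb is not None]
    if not heaps or max(heaps) < min_heap_mb:
        findings.append(f"jvm-options: -Xmx is below {min_heap_mb}m")
    return findings


def harden_domain_xml(xml_text, cert_nickname="sae-sp", heap_mb=1024):
    """Apply the procedure's edits (and disable SSL 3.0); return the new XML text."""
    root = ET.fromstring(xml_text)
    for listener in root.iter("http-listener"):
        ssl = listener.find("ssl")
        if listener.get("security-enabled") == "true" and ssl is not None:
            ssl.set("cert-nickname", cert_nickname)
            ssl.set("ssl2-enabled", "false")
            ssl.set("ssl3-enabled", "false")
            ssl.set("tls-enabled", "true")
    for option in root.iter("jvm-options"):
        text = (option.text or "").strip()
        if text == "-client":
            option.text = "-server"
        elif XMX_RE.match(text):
            option.text = f"-Xmx{heap_mb}m"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # With a path argument, audit a real domain.xml (after backing it up);
    # without one, show the constructed sample's findings and its hardened form.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DOMAIN_XML
    for finding in audit_domain_xml(text) or ["no findings"]:
        print(finding)
    if len(sys.argv) == 1:
        print(harden_domain_xml(text))
```

Run it against the real file with the path as its only argument after the domain is stopped and domain.xml has been backed up; the audit is read-only, and harden_domain_xml returns new text rather than writing anything, so what gets written back stays under your control.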

Procedure: To Deploy the Client SDK on the Service Provider Host Machine

When you deploy the Client SDK, you also deploy the saeSPApp.jsp.

Before You Begin

This procedure assumes you are still logged in as the root user to the sae.sp-example.com host machine.

  1. Get the Client SDK WAR using the following sub procedure.

    1. Log in to the osso1.sp-example.com host machine.

    2. Change to the /export/OSSO_BITS/opensso/samples/war directory.

    3. Copy opensso-client-jdk15.war to the /export/OSSO_BITS/opensso/samples/war directory on the sae.sp-example.com host machine.

    4. Log out of the osso1.sp-example.com host machine.

  2. Access http://sae.sp-example.com:4848/login.jsf from a web browser.

    User Name:

    admin

    Password:

    domain1pwd

  3. Click Web Applications in the left frame of Application Server.

  4. Click Deploy.

    The Deploy Enterprise Applications/Modules page is displayed.

  5. Click the radio button next to Packaged file to be uploaded to the server and browse for the opensso-client-jdk15.war WAR in the /export/OSSO_BITS/opensso/samples/war directory.

  6. Enter opensso-client as the Application Name.

  7. Click OK to deploy the Client SDK.

  8. (Optional) List the contents of the j2ee-modules directory to verify that the WAR was successfully deployed.

    1. Change to the /opt/SUNWappserver91/domains/domain1/applications/j2ee-modules directory.

    2. List the contents of the directory.


      # ls -al
      
      total 6
      drwxr-xr-x 3 root staff 512 Aug 15 14:01 .
      drwxr-xr-x 6 root staff 512 Aug 15 14:55 ..
      drwxr-xr-x 21 root staff 1024 Aug 15 14:01 opensso-client
  9. Log out of the sae.sp-example.com host machine.

Next Steps

Add the IP address and host machine names to the /etc/hosts file on both the sae.idp-example.com and the sae.sp-example.com host machines as well as the host machine on which the browser is located.