Previous     Contents     Index          Next     
iPlanet Directory Server Access Management Edition Installation and Configuration Guide



Chapter 6   Basic Configurations


This chapter describes configurations typically implemented when you initially deploy iPlanet Directory Server Access Management Edition (DSAME).

Topics in this chapter include:



Installing the Cross-Domain Single Sign-On Component

The cross-domain single sign-on feature makes it possible for users to authenticate in one domain, and then to use applications in many other domains without having to re-authenticate. Two major components are added to DSAME to implement cross-domain single sign-on:

  • Cross-Domain Controller. The controller is responsible for redirecting a request to the authentication service if no Single Sign-On (SSO) information exists, or for redirecting the request to the CDSSO Component with SSO information appended to the query string. The controller is automatically installed when you install DSAME services. The default URL for the controller is http://DSAME_host:DSAME_port/URI/cdcservlet

  • Cross-Domain Single Sign-On (CDSSO) Component. The CDSSO component is primarily responsible for handling cookie setting for the domain in which cross-domain single sign-on is deployed. The CDSSO component is installed separately on all participating DNS domains.


Installation Overview

To enable cross-domain single sign-on, you must follow this sequence:

  1. Install DSAME Services.

    Follow the instructions in Chapter 4 "Simple Installations With No Existing Directory Server" or in Chapter 5 "Using an Existing Directory Server" as appropriate for your needs.

  2. Install the CDSSO component on all participating DNS domains.

    DSAME Services and a remote Web Server must already be installed and running. See "To Install the CDSSO Component" in this chapter".

  3. Configure the CDSSO component installed on each participating DNS domain.

    See "To Configure the CDSSO Component".

  4. (Optional) Configure DSAME web agents to work with the CDSSO component.

    See "To Configure DSAME Web Agents to Work With the CDSSO Component".


To Install the CDSSO Component

DSAME Services and a remote Web Server must already be installed and running. You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.

  1. Run the aminstall program. On the product CD, you'll find the program in the directory /cdrom/DSAME_51. If you've downloaded the product binaries, you'll find the program in the directory where you untarred the binary files.

    At the command line, enter aminstall

    The aminstall command accepts the -v [verbose] option. The verbose option gives brief progress messages as the actions of the install program take place. Otherwise, installation messages are written to log files in the following directory:

    /var/opt/SUNWam/install

  2. Read the License Agreement. When prompted, Do you agree to the license terms? Enter y for Yes.

  3. When the following message displays, enter 4.
    Select which component to install:

    1) DSAME Management and Policy Services
    2) iPlanet Directory Server 5.1
    3) iPlanet Directory Server Configuration for DSAME
    4) DSAME Cross Domain Single Sign-On
    5) Exit

  4. Provide the following information when prompted:

    DSAME Policy and Management Services have been detected on this host. Do you want to install the Cross-domain SSO as part of these Services? Enter y for Yes to install the CDSSO as part of the DSAME Services.

    What is the deployment URI prefix for the DSAME Cross Domain SSO? Enter a URI prefix that indicates where HTML pages associated with the CDSSO component will be located and also where to look for other web application specific information like classes and jars. The default is /amcdsso.

    Are all settings correct? Enter y for Yes.

  5. When the following message displays, enter 5 to exit the installation program:
    Select which component to install:

    1) DSAME Management and Policy Services
    2) iPlanet Directory Server 5.1
    3) iPlanet Directory Server Configuration for DSAME
    4) DSAME Cross Domain Single Sign-On
    5) Exit


To Configure the CDSSO Component

  1. Edit AMConfig.properties file of the installed CDSSO component, which is found in the DSAME_root/SUNWam/web-apps/cdsso/WEB-INF/lib directory.

    Set the com.iplanet.services.cdsso.CDCURL property to the URL of the cross-domain controller service running on the DSAME services. For example:

    com.iplanet.services.cdsso.CDCURL = http(s)://DSAME_host:DSAME_port/services/cdcservlet

  2. Edit CDSSO.properties file of the installed CDSSO component, which is found in the DSAME_root/SUNWam/web-apps/cdsso/WEB-INF/classes directory.

    Set com.iplanet.services.cdsso.cookieDomain property to the domain name which hosts the CDSSO component. For example:

    com.iplanet.services.cdsso.cookieDomain = .sales.com

    where the CDSSO component is hosted in sales.com domain.

    The com.iplanet.services.cdsso.cookieDomain property specifies the list of domain names on which CDSSO component is running for which the cookie is set. If the property field is left blank, the cookie domain is assumed to be the hosting domain of CDSSO component. Make sure that all the cookie domains are separated with coma (,).


To Configure DSAME Web Agents to Work With the CDSSO Component

You can configure DSAME agents that are installed on remote web servers to work with CDSSO components that are installed on participating DNS domains.

  1. Edit the agent's AMConfig.properties file. Change the com.iplanet.am.policy.agents.url.authLoginUrl property to point to the agent's domain's cross-domain single sign-on service URL. For example:

    com.iplanet.am.policy.agents.url.authLoginUrl = http://CDSSO_host:CDSSO_port/CDSSO_URI/cdsso

    where authLoginUrl is the CDSSO component's URL.

  2. Add the cross-domain single sign-on service URL to the agent's not-enforced list.



Installing Multiple DSAME Instances Against the Same Directory Server

You can install more than one instance of DSAME against this Directory Server for enhanced performance, to support directory replication, or for agent failover purposes. When you run the DSAME installation program for the first time, you'll typically use Option 1) Install DSAME Policy and Management Services. When you use this option, Directory Server is automatically installed for you. This is the master Directory Server. If you plan to install multiple installations of DSAME against this same master directory, you must run ammultiserverinstall script.

Figure 6-1 illustrates two DSAME instances installed against a single Directory Server.

Figure 6-1    Two DSAME Instances Installed Against a Single Directory Server.


To Install Multiple DSAME Instances Against the Same Directory Server

You must have root permissions to create and install multiple DSAME instances.

  1. Go to the following directory:

    cd DSAME_root/SUNWam/bin

  2. At the command line, enter the following command:

    ./ammultiserverinstall instance_name port_number

    where instance_name is the new DSAME instance you want to create and port_number is the port number of the new DSAME instance.

    When a new instance is installed the following files and directory are created:

    • A new amserver script file at:

      /DSAME_root/SUNWam/bin/amserver.instance_name

    • A new AMConfig.properties file at:

      /DSAME_root/SUNWam/lib/AMConfig-instance_name.properties

    • A new web server instance directory at:

      /DSAME_root/SUNWam/servers/https-instance_name


Starting DSAME Instance

  • To start a single DSAME instance enter the following command:

    ./amserver.instance_name start

  • To start all the DSAME instances, enter the following command:

    ./amserver startall


Stopping DSAME Instance

  • To stop a single DSAME instance, enter the following command:

    ./amserver.instance_name stop

  • To stop all the DSAME instances, enter the following command:

    ./amserver stopall


Deleting DSAME Instance

  • To delete a DSAME instance, enter the following command:

    ./amserver delete instance_name



Support for Directory Replication and High Availability

Load balancing across replicated servers and locating replicated servers closer to users are two ways to improve server performance and response time in your enterprise. You can implement directory replication agreements in your DSAME deployment to increase the availability and performance of the DSAME servers and services. You can set up DSAME directory servers in single-supplier or multi-supplier configurations. You can also configure load-balancing applications such as iPlanet Directory Access Router to work with DSAME.


Replication Considerations

Configure your directory servers for replication before you install DSAME. This ensures that the supplier and consumer databases are synchronized from the beginning, and gives you a chance to verify that referrals and updates are working properly. The information must be identical in each DSAME database.

When you install DSAME for replication purposes, in each instance of Directory Server and in each instance of DSAME, specify the same values for the following:

  • Directory Manager

  • Directory Manager Password

  • Directory Server Administrator ID

  • Server Administrator Password

  • Base suffix

  • Default organization

There may be situations in which you cannot implement directory replication in a DSAME deployment. For example, authentication server host names or IP addresses must be the same. This precludes using geographically separated replicated DSAME servers. The remote servers would not be able to perform authentication against servers that are only local to their respective LANs.

For comprehensive information on planning and implementing Directory Server replication, see the Deployment Guide and the Installation Guide for iPlanet Directory Server. You can access these guides on the Internet at:

http://docs.iplanet.com/docs/manuals/directory.html


Configuring DSAME to Support Directory Replication

You can configure DSAME to work with single-supplier or multi-supplier replication. For each of the configurations pictured in this section, follow the same instructions. See "To Configure DSAME to Work With Directory Replication" of this manual.

Figure 6-2 illustrates a single-supplier configuration where the Consumer is a read-only database. Requests for write operations are referred to the supplier database. This configuration provides some measure of enhanced server performance by distributing the workload to more than one directory.

Figure 6-2    Single-Supplier Replication.

Figure 6-3 illustrates a multi-supplier configuration using multiple instances of DSAME. This configuration provides failover protection as well as high availability, resulting in further enhanced server performance.

Figure 6-3    Multi-Supplier Configuration. Also known as Multi-Master Replication (MMR)

Figure 6-4 illustrates a multi-supplier configuration that includes iPlanet Access Router. This configuration takes full advantage of DSAME support for failover, high availability, and managed load-balancing.

Figure 6-4    Multi-Supplier Replication With Load-Balancer.


To Configure DSAME to Work With Directory Replication

Use the following steps to configure replication at the root or top level of the DSAME directory tree. You can also use these steps to configure replication at the default organization level.

  1. Install your supplier and consumer Directory Servers (version 5.1). See the Directory Server Installation Guide for detailed instructions.

  2. Set up replication agreements between your supplier and consumer Directory Servers, and then verify that the directory referrals and updates are working properly. See the Directory Server Administrator's Guide for detailed instructions.

  3. If you plan to use DSAME with user data from an existing, pre-5.1 Directory Server, you must migrate the user data and make Directory Information Tree (DIT) changes before proceeding. Follow the detailed instructions in Chapter 5 "Using an Existing Directory Server" of this manual. Then skip to Step 5.

  4. If you are deploying DSAME and Directory Server for the first time, or if you simply do not plan to use existing user data with DSAME, then run the DSAME installation program to install the DSAME Management and Policy services.

    During installation, you'll be asked if you're using an existing Directory Server. You'll answer yes, and then you'll specify the host name and port number for a supplier Directory Server you installed in Step 1.

    For detailed instructions, see "Step 2: Install DSAME Services" in Chapter 5.

  5. In the server where DSAME Management and Policy services are installed, modify the following file:

    DSAME_root/SUNWam/lib/AMConfig.properties

    1. Modify the following properties to reflect the host and port number of a consumer Directory Server you installed in step 1.

      • com.iplanet.am.directory.host

      • com.iplanet.am.directory.port

    2. Modify the following properties:

      • replica.enabled=true

      • com.iplanet.am.replica.retries

        Specify the number of times DSAME should continue to make the same request when the requested entry is not found.

      • com.iplanet.am.replica.delay.between.retries

        Specify the number of milliseconds DSAME should allow to elapse between retries.

  6. In each DSAME Authentication module you've enabled, you must specify the consumer directory that you installed in step 1. In the following substeps, the LDAP Authentication module is used as an example:

    1. In the DSAME console, in the View field, choose Service Management.

    2. In the Service Name column, under Authentication, locate the module you need to reconfigure. In the Properties column, click the arrow that corresponds to module you need to reconfigure.

    3. In the right pane, there are two fields named LDAP Server and Port.

      • In the first field named LDAP Server and Port, enter the host name and port number for your primary (consumer) Directory Server.
        Example: consumer1.madisonparc.com:389

      • In the second field named LDAP Server and Port, enter the host name and port number for your secondary or (supplier) directory.
        Example: supplier1.madisonparc.com:399

    4. Click Submit.

  7. In the following file: DSAME_root/SUNWam/config/ums/serverconfig.xml, specify the host name and port number of the consumer directory you installed in step1. Example:

    <iPlanetDataAccessLayer>

    <ServerGroup name="default" minConnPool="1"

    maxConnPool="10">

    <Server name="Server1"

    host="consumer1.madisonparc.com" port="389"

    type="SIMPLE" />

  8. Restart DSAME with the following command:

    /etc/init.d/amserver start


Configuring a LDAP Load-Balancers to Work With DSAME

You can configure LDAP load-balancers such as iPlanet Directory Access Router to work with DSAME. iPlanet Directory Access Router dynamically performs proportional load balancing of LDAP operations across a set of configured directory servers. If one or more directory servers should become unavailable, the load is proportionally redistributed among the remaining servers. When a directory server comes back on line, the load is proportionally—and dynamically—reallocated.

Figure 6-5    Multi-Master Replication With Managed Load-Balancer.

Using LDAP load-balancers, it adds a layer of high availability and directory failover protection beyond the basic level that comes with DSAME. For example, when you configure iPlanet Directory Access Router, you can specify what percentage of the load gets redistributed to each of your servers when one server becomes unavailable. iPlanet Directory Access Router continues to manage request traffic, and begins rejecting client queries when all back-end LDAP servers become unavailable.

By comparison, the DSAME high availability feature cannot be configured or managed as precisely. But when you add a LDAP load-balancers such as iPlanet Directory Access Router, DSAME seamlessly directs all requests to the application for total management.

If you choose to install a load-balancer, you must configure DSAME to recognize the application.


To Configure DSAME to Work With a Load-Balancer

  1. Before you can perform the following steps, you must:

    • Set up your Directory Servers for replication. For comprehensive information about directory replication and for detailed setup instructions, see "Managing Replication" in the iPlanet Directory Server Administrator's Guide.

    • Install and configure your LDAP load-balancer. Follow the instructions in the documentation that comes with the product.

  2. In the file, DSAME_root/SUNWam/lib/AMconfig.properties modify the following properties to reflect the host and port number of a consumer Directory Server you installed in step 1.

    • com.iplanet.am.directory.host

    • com.iplanet.am.directory.port

  3. For each DSAME Authentication module you've enabled, specify the consumer directory that you installed in step 1. In the following substeps, the LDAP Authentication module is used as an example:

    1. In the DSAME console, in the View field, choose Service Management.

    2. In the Service Name column, under Authentication, locate the module you need to reconfigure. In the Properties column, click the arrow that corresponds to module you need to reconfigure.

    3. In the right pane, there are two fields named LDAP Server and Port.

      • In the first field named LDAP Server and Port, enter the host name and port number for your primary (consumer) Directory Server using the form:

        proxyhostname:port

      • In the second field named LDAP Server and Port, enter nothing.

    4. Click Submit.

  4. In the DSAME_root/SUNWam/config/ums/serverconfig.xml,specify the host name and port number of the consumer directory you installed in step1.

    Example:

    <iPlanetDataAccessLayer>

    <ServerGroup name="default" minConnPool="1"

    maxConnPool="10">

    <Server name="Server1"

    host="idar.madisonparc.com" port="389"

    type="SIMPLE" />

  5. Restart DSAME with the following command:

    /etc/init.d/amserver start



Secure Sockets Layer (SSL)

You can use the Secure Sockets Layer (SSL) protocol to provide secure connections between Directory Server and the DSAME services you use in your enterprise. The SSL protocol consists of rules governing server authentication, client authentication, and encrypted communication between servers and clients. When you enable SSL to work with DSAME, the requests and transactions between Directory Server and the DSAME console are encrypted and protected from intrusion by unauthorized entities.

Figure 6-6    How SSL Works in DSAME.

Enabling SSL for DSAME is a two-step process:

This section explains how to enable SSL for DSAME services and URL access agents. It references the following resources for SSL information, which are appended to this manual for your convenience:

  • iPlanet Directory Server Administrator's Guide

    Chapter 11, "Managing SSL"

  • iPlanet Web Server Administrator's Guide

    Chapter 5, "Securing Your Web Browser Directory"

For comprehensive information on SSL and on determining your SSL needs, see Chapter 7, "Designing a Secure Directory" in iPlanet Directory Server Deployment Guide. This guide comes with iPlanet Directory Server, and is also available on the Internet at
http://docs.iplanet.com/docs/manuals/directory.html


Step 1: Enable LDAP Over SSL

  1. Install a Server Certificate in Directory Server.

    Follow the detailed instructions in "Obtaining and Installing Server Certificates" of this manual to perform the following steps. Or access the iPlanet Directory Server documentation on the Internet at http://docs.iplanet.com/docs/manuals/directory.html

  2. Activate SSL in the Directory Server.

    Follow the detailed instructions in "Activating SSL" of this manual.

  3. In the Web Server that runs DSAME services, in the Web Server console, create a trust database. Follow the detailed instructions "Creating a Trust Database".

  4. In the Web Server that runs DSAME services, install the root CA Certificate for Directory Server's server certificate. (This is the certificate you obtained in Step 2.) Follow the detailed instructions in "Requesting and Installing Other Server Certificates".

  5. Edit the following DSAME configuration file:

    DSAME_root/SUNWam/config/ums/serverconfig.xml

    For the server corresponding to the Directory Server configured for SSL, provide the following values:

    port. Enter the SSL port number you specified in Step 2.

    type. Enter SSL.

    Example:

    <?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>

    <iPlanetDataAccessLayer>

    <ServerGroup name="default" minConnPool="1" maxConnPool="10">

    <Server name="Server1"

    host="adam.red.madisonparc.com" port="636"

    type="SSL" />

    <User name="User1" type="proxy">

    <DirDN>

    cn=puser,ou=People,o=isp

    </DirDN>

    <DirPassword>

    AQAA5Q9jwkb4pAJ2LGFYRDlqWxXxId+5v4nU

    </DirPassword>

    </User>

    ...

  6. Restart DSAME with the following command:

    /etc/init.d/amserver start

  7. If the Directory Server is not yet running, you are prompted for the internal key. Enter the key (password) you specified when creating the trust database in Step 3.

When DSAME starts up, its connection to Directory Server will be secured with SSL.


Step 2: Enable DSAME to Run in SSL Mode

When you enable DSAME to run in SSL mode, requests and transactions between the DSAME console and other SSL-configured Web Servers are encrypted and protected from intrusion by unauthorized entities.

  1. Login to DSAME as Top Level Administrator.

  2. In the Service Name column, choose DSAME Platform.

  3. In the Server List box:

    1. Remove this DSAME server from the list. First select its name in the list, and then click Remove.

    2. Change Protocol to https (instead of http).

    3. To add the same server with https, click Add.

  4. Edit the following DSAME configuration file: DSAME_root/SUNWam/lib/
    AMConfig.properties

    Modify values for the following to reflect the HTTPS protocol and new port number (if the port number was changed):

    • com.iplanet.am.server.protocol

    • com.iplanet.am.server.port

    • com.iplanet.am.profile.port

    • com.iplanet.am.naming.url

    • com.iplanet.am.notification.url

  5. In the Web Server that runs DSAME services, using the Web Server console, obtain and install a server certificate if one is not already installed.


    Note

    In the following substeps, the following warning message might display:

    Warning: Manual edits not loaded.

    In this case, first click the Apply link in the upper right corner of the console, and then click Load Configuration Files


    1. To obtain a server certificate, follow the detailed instructions for "Requesting Other Server Certificates".

    2. To install the server certificate, follow the detailed instructions for "Installing Other Server Certificates".

  6. In the Web Server console, select the Web Server that runs DSAME services, and click Manage.

    1. In the Web Server instance, choose Preferences.

    2. Click Edit Sockets.

    3. In the Security field for the default DSAME port, enter On.

    4. Click OK to save the change.

    5. Click Apply.

    6. To save changes to Web Server configuration files, click Apply Changes.

  7. Restart DSAME with the following command:

    /etc/init.d/amerserver start

  8. You are prompted for server certificate password. Enter the password.


Configuring DSAME Instance to SSL

You can configure new DSAME instance that is installed using the ammultiserverinstall script, to run in SSL mode. Perform the following steps:

  1. Enable SSL for DSAME. Follow the steps, Step 1: Enable LDAP Over SSL and Step 2: Enable DSAME to Run in SSL Mode

  2. Copy the server.xml and magnus.conf files from /DSAME_root/SUNWam/https-instance_name/conf_bk to /DSAME_root/SUNWam/https-instance_name/config

  3. Run the following command:

    ./amserver startall


Previous     Contents     Index          Next     
Copyright 2002 Sun Microsystems, Inc. All rights reserved.

Last Updated May 13, 2002