test

Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide

Chapter 1 Getting Started With OpenSSO Enterprise 8.0

Sun OpenSSO Enterprise 8.0 includes features such as access management, federation management, and web services security that are found in earlier releases of Sun Java System Access Manager and Sun Java System Federation Manager. However, OpenSSO Enterprise also includes many new features, which are described in the OpenSSO Enterprise 8.0 Release Notes and the OpenSSO Enterprise 8.0 Technical Overview.

OpenSSO Enterprise is available as a web archive (WAR) file on the following site:

http://www.sun.com/software/products/opensso_enterprise

Before you install and configure OpenSSO Enterprise:

OpenSSO Enterprise 8.0 Requirements

Table 1–1 OpenSSO Enterprise 8.0 Requirements

Requirement 

Description 

File system 

If you plan to use the OpenSSO configuration data store, you must deploy OpenSSO Enterprise on a local file system and not on an NFS-mounted file system. The OpenSSO configuration data store, which is deployed with OpenSSO Enterprise, is not supported on an NFS-mounted file system. 

Web container 

One of the following web containers must be running on the host server where you plan to deploy OpenSSO Enterprise: 

  • Sun Java System Application Server 9.1 Update 1 or Update 2

  • GlassFish Application Server V2 UR1 or UR2

  • Sun Java System Web Server 7.0 Update 3

  • Apache Tomcat 6.0.18 (or later)

  • Oracle WebLogic Server 10

  • Oracle WebLogic Server 9.2 MP2

  • Oracle Application Server 10g, version 10.1.3.x

  • IBM WebSphere Application Server 6.1

  • Apache Geronimo Application Server 2.1.2 (with Tomcat on Solaris systems only)

  • JBoss Application Server 4.x

Note: These web container versions and any subsequent updates to the version are supported.

For more information about supported versions and open issues for each web container, see the Sun OpenSSO Enterprise 8.0 Release Notes.

Configuration Data Store 

OpenSSO Enterprise requires a data store for its configuration data, which you select when you run the GUI or command-line Configurator: 

  • OpenSSO data store

    If you deploying OpenSSO Enterprise in a multiple server deployment, each OpenSSO Enterprise instance must share the same configuration data store.

    The OpenSSO configuration data store is not supported on an NFS-mounted file system.

  • Sun Java System Directory Server

User Data Store 

OpenSSO Enterprise also requires a data store for its user data: 

  • Sun Java System Directory Server

    If you are deploying multiple OpenSSO Enterprise instances in a multiple server deployment, all instances must access the same Directory Server.

  • Microsoft Active Directory

  • IBM Tivoli Directory Server

  • OpenSSO data store

    Note: Storing user data in the OpenSSO data store is recommended only for prototype, proof of concept (POC), or developer deployments that have a small number of users. It is not recommended for production deployments.

Password encryption key 

If you deploying OpenSSO Enterprise in a multiple server deployment, you must use the same password encryption key value for each OpenSSO Enterprise instance. 

Copy the encryption key value from the first instance and then use this value when you configure each additional instance. 

Web container runtime user permissions 

If the runtime user of the OpenSSO Enterprise web container instance is a non-root user, this user must be able to write to its own home directory. 

For example, if you are installing Sun Java System Web Server, the default runtime user for the Web Server instance is webservd. On Solaris systems, the webservd user has the following entry in the /etc/passwd file:

webservd:x:80:80:WebServer Reserved UID:/:

The webservd user does not have permission to write to its default home directory (/). Therefore, you must change the permissions to allow the webservd user to write to its default home directory. Otherwise, the webservd user will encounter an error after you configure OpenSSO Enterprise using the Configurator.

Mode 

OpenSSO Enterprise is always deployed in Realm Mode. 

Overview of Installing and Configuring OpenSSO Enterprise

OpenSSO Enterprise 8.0 Changes to Consider

Before you install and configure OpenSSO Enterprise, here are a few changes to consider:

Summary of the OpenSSO Enterprise 8.0 Installation and Configuration Steps

To install and configure an instance of OpenSSO Enterprise server, follow these general steps:

  1. Check the Sun OpenSSO Enterprise 8.0 Release Notes for any recent issues or updates to the release.

  2. If necessary, install, configure, and start one of the supported web containers listed in Table 1–1.

  3. Download and unzip the opensso_enterprise_80.zip file from the following site:

    http://www.oracle.com/technetwork/indexes/downloads/index.html

    OpenSSO Enterprise 8.0 patch releases are available as patch ID 141655 on http://sunsolve.sun.com/.

    For information about installing a patch release, see Chapter 23, Patching OpenSSO Enterprise 8.0.

  4. Deploy the opensso.war file to the web container, using the web container administration console or deployment command.

    For the detailed steps, see Chapter 3, Installing OpenSSO Enterprise.

  5. Run either the GUI or command-line Configurator.

    To run the GUI Configurator, enter the following URL in your browser:

    protocol://host.domain:port/deploy_uri

    For example: http://opensso.example.com:8080/opensso

    If you are running the GUI Configurator, enter values in the Configurator fields or accept the default value for some fields. The Configurator has two configuration options:

    • The Default Configuration option requires you to enter only the OpenSSO Enterprise administrator (amAdmin) and default policy agent (UrlAccessAgent) passwords. The Configurator then uses default values for the other configuration options.

      Use the Default Configuration for development environments or simple demonstration purposes when you just want to evaluate OpenSSO Enterprise features.

    • The Custom Configuration option allows you to enter specific configuration values for your deployment (or accept the default values).

      Use the Custom Configuration for production and more complex environments. For example, a multi-server installation with several OpenSSO Enterprise instances behind a load balancer.

    For the detailed steps, see Chapter 4, Configuring OpenSSO Enterprise Using the GUI Configurator or Chapter 5, Configuring OpenSSO Enterprise Using the Command-Line Configurator.

  6. Launch OpenSSO Enterprise using the specific web container console or deployment command, or by specifying the URL from Step 4 in your browser.

  7. Login to the Console as the OpenSSO Enterprise administrator (amAdmin) using the password you specified when you ran the Configurator.

  8. To make additional configuration changes to your deployment, use the OpenSSO Enterprise Administration Console or the ssoadm command-line utility. For information, refer to the Administration Console Online Help or the Sun OpenSSO Enterprise 8.0 Administration Reference.

  9. Depending on your security requirements, consider making a snapshot of your deployment using the OpenSSO Diagnostic Tool. Then, you can run the Tamper Detection test periodically to very the integrity of your deployment. For more information, see Chapter 7, Running the OpenSSO Diagnostic Tool.

Using Sun Service Tags With OpenSSO Enterprise

OpenSSO Enterprise 8.0 is Service Tag enabled. To use Service Tags, you must first register your product. On the OpenSSO Enterprise Administration Console, under Common Tasks, click Register This Product.

To register, you need a Sun Online Account (SOA) or Sun Developer Network (SDN) account. If you do not have one of these accounts, you can get an account during the product registration process.

For more information about Sun Service Tags and Sun Connection, see http://www.sun.com/service/sunconnection/index.jsp.