Use the following list of procedures as a checklist to create and deploy the Distributed Authentication User Interface WAR on both host machines.
To Generate the Distributed Authentication User Interface WAR
To Deploy the Generated WAR as Distributed Authentication User Interface 1
To Deploy the Generated WAR as Distributed Authentication User Interface 2
To Configure Load Balancer Cookies for the Distributed Authentication User Interface
To Generate the Distributed Authentication User Interface WAR

Create a WAR named ossodistauth.war that will be used to deploy the Distributed Authentication User Interface.
As a root user, log in to the osso-1 host machine.
Create a directory to serve as the staging area for the WAR.
    # cd /export/OSSO_BITS/opensso
    # mkdir war-staging
    # cd war-staging
Extract the contents of opensso.war into the war-staging directory.
    # jar xvf /export/OSSO_BITS/opensso/deployable-war/opensso.war
Generate the WAR using the Distributed Authentication User Interface file list.
osso-distauth.list is included with the OpenSSO Enterprise download.
    # jar cvf /export/OSSO_BITS/opensso/deployable-war/ossodistauth.war @/export/OSSO_BITS/opensso/deployable-war/osso-distauth.list
Update the generated WAR with additional files in the /opensso/deployable-war/distauth directory of the unzipped download.
See the README for more information.
    # cd /export/OSSO_BITS/opensso/deployable-war/distauth
    # jar uvf /export/OSSO_BITS/opensso/deployable-war/ossodistauth.war
The WAR is updated and ready to be used to deploy the Distributed Authentication User Interface.
Log out of the osso-1 host machine.
To Deploy the Generated WAR as Distributed Authentication User Interface 1

This procedure assumes you have completed To Generate the Distributed Authentication User Interface WAR.
As a root user, log in to the da-1 host machine.
Switch to the non-root user.
    # su da80adm
Change to the directory into which ossodistauth.war will be copied.
    # cd /export/da80adm
Copy ossodistauth.war from the osso-1 host machine.
    # ftp osso-1.example.com
    Connected to osso-1.example.com
    220 osso-1.example.com FTP server ready.
    Name (osso-1.example.com:username):username
    Password: password
    ...
    Using binary mode to transfer files
    ftp> cd /export/OSSO_BITS/opensso/deployable-war
    CWD command successful
    ftp> mget ossodistauth.war
    mget ossodistauth.war? y
    200 PORT command successful
    ftp> bye
Verify that ossodistauth.war was successfully copied and is owned by the non-root user.
    # ls -al
    total 17630
    drwxr-xr-x   3 da80adm  staff       512 Jun 30 15:20 .
    drwxr-xr-x   6 root     sys         512 May 13 11:22 ..
    -rw-r--r--   1 da80adm  staff       144 May 13 11:22 .profile
    drwx------   3 da80adm  staff       512 May 13 14:55 .sunw
    -rw-r--r--   1 da80adm  staff  10017728 Jun 30 15:20 ossodistauth.war
    -rw-r--r--   1 da80adm  staff       136 May 13 11:22 local.cshrc
    -rw-r--r--   1 da80adm  staff       157 May 13 11:22 local.login
    -rw-r--r--   1 da80adm  staff       174 May 13 11:22 local.profile
Start the Web Server Administration Server.
    # cd /opt/SUNWwbsvr/admin-server/bin
    # ./startserv
Add the Distributed Authentication User Interface WAR using the wadm command line interface.
    # cd /opt/SUNWwbsvr/bin
    # ./wadm add-webapp --user=admin --host=da-1.example.com --port=8989 --config=da-1.example.com --vs=da-1.example.com --uri=/distAuth /export/da80adm/ossodistauth.war
    Please enter admin-user-password: web4dmin
    Do you trust the above certificate? [y|n] y
    CLI201 Command 'add-webapp' ran successfully
Deploy the Distributed Authentication User Interface WAR using the wadm command line interface.
    # ./wadm deploy-config --user=admin --host=da-1.example.com --port=8989 da-1.example.com
    Please enter admin-user-password: web4dmin
    CLI201 Command 'deploy-config' ran successfully
Verify that the distAuth web application has been deployed.
    # cd /opt/SUNWwbsvr/https-da-1.example.com/web-app/da-1.example.com
    # ls -al
    total 6
    drwxr-xr-x   4 da80adm  staff  512 Jun 30 15:40 .
    drwxr-xr-x   3 da80adm  staff  512 Jun 30 15:40 ..
    drwxr-xr-x   6 da80adm  staff  512 Jun 30 15:40 distAuth
Restart the Web Server instance.
    # cd /opt/SUNWwbsvr/https-da-1.example.com/bin
    # ./stopserv; ./startserv
    server has been shutdown
    Sun Java System Web Server 7.0U2 B12/09/2008 09:02
    info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_12] from [Sun Microsystems Inc.]
    info: WEB0100: Loading web module in virtual server [da-1.example.com] at [/distAuth]
    info: HTTP3072: http-listener-1: http://da-1.example.com:1080 ready to accept requests
    info: HTTP3072: http-listener-2: https://da-1.example.com:1443 ready to accept requests
    info: CORE3274: successful server startup
The output indicates that the distAuth web application has been successfully loaded.
Access http://da-1.example.com:1080/distAuth from a web browser.
The Configurator page is displayed the first time the Distributed Authentication User Interface is accessed.
Provide the following configuration information and click Configure.
    Server Protocol: https
    Server Host: lb-2.example.com
    Server Port: 1081
    Server Deployment URI: opensso
    distAuth Server Protocol: http
    distAuth Server Host: da-1.example.com
    distAuth Server Port: 1080
    distAuth Server Deployment URI: /distAuth
    distAuth Server Cookie Name: AMDistAuthCookie
    Debug Directory: /export/da80adm/Debug
    Debug level: error
    Encryption Key: Accept the default value.
    Application User Name: authuiadmin
    Application User Password: authuiadmin
    Confirm Application User Password: authuiadmin
These values will configure the Distributed Authentication User Interface web application to communicate with OpenSSO Enterprise through Load Balancer 2. You see the following message after a successful configuration.
    DistAuth application is successfully configured.
    AMDistAuthConfig.properties created at /export/da80adm/AMDistAuthConfig.properties
    Click here to go to login page.
Access http://da-1.example.com:1080/distAuth/UI/Login?goto=http://da-1.example.com:1080 from a web browser.
Log in to the Distributed Authentication User Interface as testuser1.
    User Name: testuser1
    Password: password
After successful authentication, you should be redirected to the index page for the Web Server instance in which the Distributed Authentication User Interface is deployed. This confirms that the Distributed Authentication User Interface has authenticated to OpenSSO Enterprise using the load balancer's secure channel.
After configuring the Distributed Authentication User Interface, you may click the login link. If you do and provide valid administrator credentials, you get an error page stating that the requested object does not exist on this server. This is because the success login URL configured on OpenSSO Enterprise is a relative URL.
To Deploy the Generated WAR as Distributed Authentication User Interface 2

This procedure assumes you have completed To Generate the Distributed Authentication User Interface WAR.
As a root user, log in to the da-2 host machine.
Switch to the non-root user.
    # su da80adm
Change to the directory into which ossodistauth.war will be copied.
    # cd /export/da80adm
Copy ossodistauth.war from the osso-1 host machine.
    # ftp osso-1.example.com
    Connected to osso-1.example.com
    220 osso-1.example.com FTP server ready.
    Name (osso-1.example.com:username):username
    Password: password
    ...
    Using binary mode to transfer files
    ftp> cd /export/OSSO_BITS/opensso/deployable-war
    CWD command successful
    ftp> mget ossodistauth.war
    mget ossodistauth.war? y
    200 PORT command successful
    ftp> bye
Verify that ossodistauth.war was successfully copied and is owned by the non-root user.
    # ls -al
    total 17630
    drwxr-xr-x   3 da80adm  staff       512 Jun 30 15:20 .
    drwxr-xr-x   6 root     sys         512 May 13 11:22 ..
    -rw-r--r--   1 da80adm  staff       144 May 13 11:22 .profile
    drwx------   3 da80adm  staff       512 May 13 14:55 .sunw
    -rw-r--r--   1 da80adm  staff  10017728 Jun 30 15:20 ossodistauth.war
    -rw-r--r--   1 da80adm  staff       136 May 13 11:22 local.cshrc
    -rw-r--r--   1 da80adm  staff       157 May 13 11:22 local.login
    -rw-r--r--   1 da80adm  staff       174 May 13 11:22 local.profile
Start the Web Server Administration Server.
    # cd /opt/SUNWwbsvr/admin-server/bin
    # ./startserv
Add the Distributed Authentication User Interface WAR using the wadm command line interface.
    # cd /opt/SUNWwbsvr/bin
    # ./wadm add-webapp --user=admin --host=da-2.example.com --port=8989 --config=da-2.example.com --vs=da-2.example.com --uri=/distAuth /export/da80adm/ossodistauth.war
    Please enter admin-user-password: web4dmin
    Do you trust the above certificate? [y|n] y
    CLI201 Command 'add-webapp' ran successfully
Deploy the Distributed Authentication User Interface WAR using the wadm command line interface.
    # ./wadm deploy-config --user=admin --host=da-2.example.com --port=8989 da-2.example.com
    Please enter admin-user-password: web4dmin
    CLI201 Command 'deploy-config' ran successfully
Verify that the distAuth web application has been deployed.
    # cd /opt/SUNWwbsvr/https-da-2.example.com/web-app/da-2.example.com
    # ls -al
    total 6
    drwxr-xr-x   4 da80adm  staff  512 Jun 30 15:40 .
    drwxr-xr-x   3 da80adm  staff  512 Jun 30 15:40 ..
    drwxr-xr-x   6 da80adm  staff  512 Jun 30 15:40 distAuth
Restart the Web Server instance.
    # cd /opt/SUNWwbsvr/https-da-2.example.com/bin
    # ./stopserv; ./startserv
    server has been shutdown
    Sun Java System Web Server 7.0U2 B12/09/2008 09:02
    info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_12] from [Sun Microsystems Inc.]
    info: WEB0100: Loading web module in virtual server [da-2.example.com] at [/distAuth]
    info: HTTP3072: http-listener-1: http://da-2.example.com:1080 ready to accept requests
    info: HTTP3072: http-listener-2: https://da-2.example.com:1443 ready to accept requests
    info: CORE3274: successful server startup
The output indicates that the distAuth web application has been successfully loaded.
Access http://da-2.example.com:1080/distAuth from a web browser.
The Configurator page is displayed the first time the Distributed Authentication User Interface is accessed.
Provide the following configuration information and click Configure.
    Server Protocol: https
    Server Host: lb-2.example.com
    Server Port: 1081
    Server Deployment URI: opensso
    distAuth Server Protocol: http
    distAuth Server Host: da-2.example.com
    distAuth Server Port: 1080
    distAuth Server Deployment URI: /distAuth
    distAuth Server Cookie Name: AMDistAuthCookie
    Debug Directory: /export/da80adm/Debug
    Debug level: error
    Encryption Key: Accept the default value.
    Application User Name: authuiadmin
    Application User Password: authuiadmin
    Confirm Application User Password: authuiadmin
These values will configure the Distributed Authentication User Interface web application to communicate with OpenSSO Enterprise through Load Balancer 2. You see the following message after a successful configuration.
    DistAuth application is successfully configured.
    AMDistAuthConfig.properties created at /export/da80adm/AMDistAuthConfig.properties
    Click here to go to login page.
Access http://da-2.example.com:1080/distAuth/UI/Login?goto=http://da-2.example.com:1080 from a web browser.
Log in to the Distributed Authentication User Interface as testuser1.
    User Name: testuser1
    Password: password
After successful authentication, you should be redirected to the index page for the Web Server instance in which the Distributed Authentication User Interface is deployed. This confirms that the Distributed Authentication User Interface has authenticated to OpenSSO Enterprise using the load balancer's secure channel.
After configuring the Distributed Authentication User Interface, you may click the login link. If you do and provide valid administrator credentials, you get an error page stating that the requested object does not exist on this server. This is because the success login URL configured on OpenSSO Enterprise is a relative URL.
To Configure Load Balancer Cookies for the Distributed Authentication User Interface

Access to the Distributed Authentication User Interface is through Load Balancer 3. To maintain server affinity, the Distributed Authentication User Interface must specify sticky cookies. To this end, AMDistAuthConfig.properties is modified on both Distributed Authentication User Interface host machines.
As a root user, log in to the da-1 host machine.
Switch to the non-root user.
    # su da80adm
Change to the non-root user directory.
    # cd /export/da80adm
Modify AMDistAuthConfig.properties as follows.
Uncomment the last two lines at the end of the file.
Set the following property values:
    com.iplanet.am.lbcookie.name=DistAuthLBCookie
    com.iplanet.am.lbcookie.value=4131721920.41733.0000
Use the same cookie name for the value of the com.iplanet.am.lbcookie.name property that was specified for load balancer persistence in To Configure the Distributed Authentication User Interface Load Balancer. If the names differ, the OpenSSO Enterprise login page might go into a loop, because stickiness cannot be maintained based on the cookie name.
Save the file and close it.
Restart the Web Server instance.
    # cd /opt/SUNWwbsvr/https-da-1.example.com/bin
    # ./stopserv; ./startserv
Log out of the da-1 host machine.
As a root user, log in to the da-2 host machine.
Switch to the non-root user.
    # su da80adm
Change to the non-root user directory.
    # cd /export/da80adm
Modify AMDistAuthConfig.properties as follows.
Uncomment the last two lines at the end of the file.
Set the following property values:
    com.iplanet.am.lbcookie.name=DistAuthLBCookie
    com.iplanet.am.lbcookie.value=4148499136.41733.0000
Use the same cookie name for the value of the com.iplanet.am.lbcookie.name property that was specified for load balancer persistence in To Configure the Distributed Authentication User Interface Load Balancer. If the names differ, the OpenSSO Enterprise login page might go into a loop, because stickiness cannot be maintained based on the cookie name.
Save the file and close it.
Restart the Web Server instance.
    # cd /opt/SUNWwbsvr/https-da-2.example.com/bin
    # ./stopserv; ./startserv
Log out of the da-2 host machine.
Access the load balancer's secure port at https://lb-3.example.com:1443/distAuth/UI/Login?goto=https://lb-3.example.com:1443 from a web browser.
Log in to the OpenSSO Enterprise console as testuser1.
testuser1
password
After successful login, you should be redirected to the index page for one of the Web Server instances in which the Distributed Authentication User Interface is deployed. If the load balancer configuration is incorrect, the OpenSSO Enterprise login page would not have been displayed in the previous step.
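The login-page loop described in the cookie procedure above comes from a com.iplanet.am.lbcookie.name that is still commented out or that differs from the persistence cookie configured on Load Balancer 3. The following script is an added example, not part of the OpenSSO Enterprise guide: it checks AMDistAuthConfig.properties on a host before the Web Server instance is restarted, and it assumes only that the two properties appear as plain `key=value` lines at the end of the file, with a leading `#` meaning the line is still disabled.

```shell
#!/bin/sh
# Added example (not from the OpenSSO Enterprise guide): check that the
# load balancer cookie properties at the end of AMDistAuthConfig.properties
# are uncommented and that the cookie name matches the persistence cookie
# configured on Load Balancer 3. A still-commented or mismatched name is
# what produces the login-page loop the procedure warns about.

# check_lbcookie FILE EXPECTED_NAME
# Returns 0 when both properties are active and the name matches, 1 otherwise.
check_lbcookie() {
    file=$1
    expected=$2
    # Only uncommented assignments are taken; a leading '#' means the line
    # was never enabled. If a key appears twice, the last occurrence wins.
    name=$(sed -n 's/^[[:space:]]*com\.iplanet\.am\.lbcookie\.name=//p' "$file" | tail -n 1)
    value=$(sed -n 's/^[[:space:]]*com\.iplanet\.am\.lbcookie\.value=//p' "$file" | tail -n 1)
    if [ -z "$name" ] || [ -z "$value" ]; then
        echo "FAIL: $file: lbcookie name or value missing or still commented out" >&2
        return 1
    fi
    if [ "$name" != "$expected" ]; then
        echo "FAIL: $file: cookie name '$name' does not match load balancer cookie '$expected'" >&2
        return 1
    fi
    echo "OK: $file: $name=$value"
    return 0
}

# write_sample FILE before|after
# Writes a constructed sample of the tail of AMDistAuthConfig.properties:
# "before" as shipped (both lines commented out), "after" with the da-1
# values from the procedure. All other properties are omitted from the sample.
write_sample() {
    if [ "$2" = "before" ]; then
        printf '%s\n' '# constructed sample, other properties omitted' \
            '#com.iplanet.am.lbcookie.name=' \
            '#com.iplanet.am.lbcookie.value=' > "$1"
    else
        printf '%s\n' '# constructed sample, other properties omitted' \
            'com.iplanet.am.lbcookie.name=DistAuthLBCookie' \
            'com.iplanet.am.lbcookie.value=4131721920.41733.0000' > "$1"
    fi
}

# On a host: check_lbcookie /export/da80adm/AMDistAuthConfig.properties DistAuthLBCookie
```

Run it on both da-1 and da-2 with the cookie name configured on the load balancer as the second argument; a FAIL on either host means the restart would bring up an instance the load balancer cannot keep sticky.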