Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0

7.5 Generating and Deploying the Distributed Authentication User Interface WAR

Use the following list of procedures as a checklist to create and deploy the Distributed Authentication User Interface WAR on both host machines.

  1. To Generate the Distributed Authentication User Interface WAR

  2. To Deploy the Generated WAR as Distributed Authentication User Interface 1

  3. To Configure Distributed Authentication User Interface 1

  4. To Deploy the Generated WAR as Distributed Authentication User Interface 2

  5. To Configure Distributed Authentication User Interface 2

  6. To Configure Load Balancer Cookies for the Distributed Authentication User Interface

  7. To Verify That Authentication Using the Distributed Authentication User Interface Load Balancer is Successful

Procedure: To Generate the Distributed Authentication User Interface WAR

Create a WAR named ossodistauth.war that will be used to deploy the Distributed Authentication User Interface.

  1. As a root user, log in to the osso–1 host machine.

  2. Create a directory to serve as the staging area for the WAR.


    # cd /export/OSSO_BITS/opensso
    # mkdir war-staging
    # cd war-staging
    
  3. Extract the contents of opensso.war into the war-staging directory.


    # jar xvf /export/OSSO_BITS/opensso/deployable-war/opensso.war
    
  4. Generate the WAR using the Distributed Authentication User Interface file list.

    osso-distauth.list is included with the OpenSSO Enterprise download.


    # jar cvf /export/OSSO_BITS/opensso/deployable-war/ossodistauth.war \
      @/export/OSSO_BITS/opensso/deployable-war/osso-distauth.list
    
  5. Update the generated WAR with additional files in the /opensso/deployable-war/distauth directory of the unzipped download.

    See the README for more information.


    # cd /export/OSSO_BITS/opensso/deployable-war/distauth
    # jar uvf /export/OSSO_BITS/opensso/deployable-war/ossodistauth.war
    

    The WAR is updated and ready to be used to deploy the Distributed Authentication User Interface.

  6. Log out of the osso–1 host machine.
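
The two jar stages above (create from the file list, then update from the distauth directory) can be reproduced and checked with Python's zipfile module. The block below is an added example, not code from the OpenSSO Enterprise guide or download: it rebuilds a WAR from a list file, overlays the distauth files the way `jar uvf` replaces same-named entries, and reports list entries that are missing or overlay files that still carry the opensso.war content (step 5 skipped or run against a stale archive). The staging tree, list file and overlay that demo() writes into a temporary directory are constructed stand-ins for the extracted opensso.war, osso-distauth.list and the distauth directory.

```python
"""Added example (not from the OpenSSO Enterprise guide): reproduce the two
jar stages with zipfile so the generated WAR can be checked.  The staging
tree, list file and overlay built in demo() are constructed for the example;
the real osso-distauth.list and distauth directory ship with the download."""
import os
import tempfile
import zipfile


def read_list(list_path):
    """Entries of a jar @file list: one relative path per line, blanks ignored."""
    with open(list_path) as fh:
        return [ln.strip() for ln in fh if ln.strip()]


def overlay_files(overlay_dir):
    """Map WAR entry name -> file on disk for everything under overlay_dir."""
    found = {}
    for root, _dirs, files in os.walk(overlay_dir):
        for name in files:
            full = os.path.join(root, name)
            found[os.path.relpath(full, overlay_dir).replace(os.sep, "/")] = full
    return found


def build_war(war_path, staging_dir, list_path, overlay_dir=None):
    """Stage 1 mirrors `jar cvf war @list`: only listed paths go in.
    Stage 2 mirrors `jar uvf war` run inside the overlay directory: an
    overlay file replaces the entry of the same name.  zipfile would store
    duplicates side by side, so the archive is rewritten without them."""
    with zipfile.ZipFile(war_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for rel in read_list(list_path):
            zf.write(os.path.join(staging_dir, rel), rel)
    overlay = overlay_files(overlay_dir) if overlay_dir else {}
    if not overlay:
        return war_path
    tmp = war_path + ".tmp"
    with zipfile.ZipFile(war_path) as src, \
         zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename not in overlay:
                dst.writestr(info, src.read(info.filename))
        for rel, full in sorted(overlay.items()):
            dst.write(full, rel)
    os.replace(tmp, war_path)
    return war_path


def verify_war(war_path, list_path, overlay_dir):
    """Problems worth knowing before the WAR is copied to the da hosts:
    listed entries that are absent, and overlay files that are absent or
    still carry the opensso.war content (step 5 skipped or stale)."""
    problems = []
    with zipfile.ZipFile(war_path) as zf:
        names = set(zf.namelist())
        problems += [f"missing: {e}" for e in read_list(list_path) if e not in names]
        for rel, full in sorted(overlay_files(overlay_dir).items()):
            if rel not in names:
                problems.append(f"missing overlay file: {rel}")
            else:
                with open(full, "rb") as fh:
                    if zf.read(rel) != fh.read():
                        problems.append(f"stale overlay file: {rel}")
    return problems


def demo(skip_overlay=False):
    """Build and check a WAR from a constructed staging tree; returns
    (entry names, content of WEB-INF/web.xml, problems reported)."""
    with tempfile.TemporaryDirectory() as base:
        staging = os.path.join(base, "war-staging")
        overlay = os.path.join(base, "distauth")
        files = {  # constructed stand-ins for the extracted opensso.war and the distauth overlay
            (staging, "WEB-INF/web.xml"): b"<web-app>full opensso</web-app>",
            (staging, "index.html"): b"<html>login</html>",
            (staging, "console/admin.jsp"): b"console page, not in the list",
            (overlay, "WEB-INF/web.xml"): b"<web-app>distauth</web-app>",
        }
        for (root, rel), data in files.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        list_path = os.path.join(base, "osso-distauth.list")
        with open(list_path, "w") as fh:
            fh.write("WEB-INF/web.xml\nindex.html\n")
        war = build_war(os.path.join(base, "ossodistauth.war"), staging, list_path,
                        None if skip_overlay else overlay)
        with zipfile.ZipFile(war) as zf:
            names = sorted(zf.namelist())
            web_xml = zf.read("WEB-INF/web.xml")
        return names, web_xml, verify_war(war, list_path, overlay)


if __name__ == "__main__":
    print(demo())
    print(demo(skip_overlay=True)[2])
```

Only the paths named in the list reach the archive (console/admin.jsp is left out), and the overlay copy of WEB-INF/web.xml wins over the one from opensso.war; run verify_war against the real ossodistauth.war, osso-distauth.list and distauth directory before copying the WAR to the da hosts.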

Procedure: To Deploy the Generated WAR as Distributed Authentication User Interface 1

Before You Begin

This procedure assumes you have completed To Generate the Distributed Authentication User Interface WAR.

  1. As a root user, log in to the da–1 host machine.

  2. Switch to the non-root user.


    # su da80adm
    
  3. Change to the directory into which ossodistauth.war will be copied.


    # cd /export/da80adm
    
  4. Copy ossodistauth.war from the osso–1 host machine. The FTP session shown sends the account password in cleartext over the network; if sftp or scp is available between the hosts, use it with the same source path instead.


    # ftp osso-1.example.com
    
    Connected to osso-1.example.com
    220 osso-1.example.com FTP server ready.
    
    Name (osso-1.example.com:username):username
    
    Password: password
         ...
    Using binary mode to transfer files
    
    ftp> cd /export/OSSO_BITS/opensso/deployable-war
    
    CWD command successful
    
    ftp> mget ossodistauth.war
    
    mget ossodistauth.war? y
    
    200 PORT command successful
    
    ftp> bye
    
  5. Verify that ossodistauth.war was successfully copied and is owned by the non-root user.


    # ls -al
    
    total 17630
    drwxr-xr-x   3 da80adm  staff        512 Jun 30 15:20 .
    drwxr-xr-x   6 root     sys          512 May 13 11:22 ..
    -rw-r--r--   1 da80adm  staff        144 May 13 11:22 .profile
    drwx------   3 da80adm  staff        512 May 13 14:55 .sunw
    -rw-r--r--   1 da80adm  staff   10017728 Jun 30 15:20 ossodistauth.war
    -rw-r--r--   1 da80adm  staff        136 May 13 11:22 local.cshrc
    -rw-r--r--   1 da80adm  staff        157 May 13 11:22 local.login
    -rw-r--r--   1 da80adm  staff        174 May 13 11:22 local.profile
  6. Start the Web Server Administration Server.


    # cd /opt/SUNWwbsvr/admin-server/bin
    # ./startserv
    
  7. Add the Distributed Authentication User Interface WAR using the wadm command line interface. wadm connects to the Administration Server over SSL; the first time it connects it displays the server certificate and asks whether to trust it.


    # cd /opt/SUNWwbsvr/bin
    # ./wadm add-webapp --user=admin \
      --host=da-1.example.com --port=8989 \
      --config=da-1.example.com --vs=da-1.example.com \
      --uri=/distAuth \
      /export/da80adm/ossodistauth.war
    
    Please enter admin-user-password: web4dmin
    
    Do you trust the above certificate? [y|n] y
    
    CLI201 Command 'add-webapp' ran successfully
  8. Deploy the Distributed Authentication User Interface WAR using the wadm command line interface.


    # ./wadm deploy-config --user=admin \
      --host=da-1.example.com --port=8989 \
      da-1.example.com
    
    Please enter admin-user-password: web4dmin
    
    CLI201 Command 'deploy-config' ran successfully
  9. Verify that the distAuth web application has been deployed.


    # cd /opt/SUNWwbsvr/https-da-1.example.com/web-app/da-1.example.com
    # ls -al
    
    total 6
    drwxr-xr-x   4 da80adm  staff        512 Jun 30 15:40 .
    drwxr-xr-x   3 da80adm  staff        512 Jun 30 15:40 ..
    drwxr-xr-x   6 da80adm  staff        512 Jun 30 15:40 distAuth
    
  10. Restart the Web Server instance.


    # cd /opt/SUNWwbsvr/https-da-1.example.com/bin
    # ./stopserv; ./startserv
    
    server has been shutdown
    Sun Java System Web Server 7.0U2 B12/09/2008 09:02
    info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_12]
    from [Sun Microsystems Inc.]
    info: WEB0100: Loading web module in virtual server [da-1.example.com]
    at [/distAuth]
    info: HTTP3072: http-listener-1: http://da-1.example.com:1080 ready to
    accept requests
    info: HTTP3072: http-listener-2: https://da-1.example.com:1443 ready to
    accept requests
    info: CORE3274: successful server startup

    The output indicates that the distAuth web application has been successfully loaded.

Procedure: To Configure Distributed Authentication User Interface 1

  1. Access http://da-1.example.com:1080/distAuth from a web browser.

    The Configurator page is displayed the first time the Distributed Authentication User Interface is accessed.

  2. Provide the following configuration information and click Configure.

    Server Protocol 

    https

    Server Host 

    lb-2.example.com

    Server Port 

    1081

    Server Deployment URI 

    opensso

    distAuth Server Protocol

    http

    distAuth Server Host

    da-1.example.com

    distAuth Server Port

    1080

    distAuth Server Deployment URI

    /distAuth

    distAuth Server Cookie Name

    AMDistAuthCookie

    Debug Directory 

    /export/da80adm/Debug

    Debug level 

    error

    Encryption Key 

    Accept the default value. 

    Application User Name 

    authuiadmin

    Application User Password 

    authuiadmin

    Confirm Application User Password 

    authuiadmin

    These values will configure the Distributed Authentication User Interface web application to communicate with OpenSSO Enterprise through Load Balancer 2. You see the following message after a successful configuration.


    DistAuth application is successfully configured.
    AMDistAuthConfig.properties created at /export/da80adm/AMDistAuthConfig.properties
    
    Click here to go to login page.
  3. Access http://da-1.example.com:1080/distAuth/UI/Login?goto=http://da-1.example.com:1080 from a web browser.

  4. Log in to the Distributed Authentication User Interface as testuser1.

    Username

    testuser1

    Password

    password

    After successful authentication, you should be redirected to the index page for the Web Server instance in which the Distributed Authentication User Interface is deployed. This confirms that the Distributed Authentication User Interface has authenticated to OpenSSO Enterprise using the load balancer's secure channel.


    Caution –

    You may click the login link after configuration of the Distributed Authentication User Interface. If you do and provide valid administrator credentials you will get an error page indicating that the requested object does not exist on this server. This is because the success login URL configured on OpenSSO Enterprise is a relative URL.


Procedure: To Deploy the Generated WAR as Distributed Authentication User Interface 2

Before You Begin

This procedure assumes you have completed To Generate the Distributed Authentication User Interface WAR.

  1. As a root user, log in to the da–2 host machine.

  2. Switch to the non-root user.


    # su da80adm
    
  3. Change to the directory into which ossodistauth.war will be copied.


    # cd /export/da80adm
    
  4. Copy ossodistauth.war from the osso–1 host machine. The FTP session shown sends the account password in cleartext over the network; if sftp or scp is available between the hosts, use it with the same source path instead.


    # ftp osso-1.example.com
    
    Connected to osso-1.example.com
    220 osso-1.example.com FTP server ready.
    
    Name (osso-1.example.com:username):username
    
    Password: password
         ...
    Using binary mode to transfer files
    
    ftp> cd /export/OSSO_BITS/opensso/deployable-war
    
    CWD command successful
    
    ftp> mget ossodistauth.war
    
    mget ossodistauth.war? y
    
    200 PORT command successful
    
    ftp> bye
    
  5. Verify that ossodistauth.war was successfully copied and is owned by the non-root user.


    # ls -al
    
    total 17630
    drwxr-xr-x   3 da80adm  staff        512 Jun 30 15:20 .
    drwxr-xr-x   6 root     sys          512 May 13 11:22 ..
    -rw-r--r--   1 da80adm  staff        144 May 13 11:22 .profile
    drwx------   3 da80adm  staff        512 May 13 14:55 .sunw
    -rw-r--r--   1 da80adm  staff   10017728 Jun 30 15:20 ossodistauth.war
    -rw-r--r--   1 da80adm  staff        136 May 13 11:22 local.cshrc
    -rw-r--r--   1 da80adm  staff        157 May 13 11:22 local.login
    -rw-r--r--   1 da80adm  staff        174 May 13 11:22 local.profile
  6. Start the Web Server Administration Server.


    # cd /opt/SUNWwbsvr/admin-server/bin
    # ./startserv
    
  7. Add the Distributed Authentication User Interface WAR using the wadm command line interface. wadm connects to the Administration Server over SSL; the first time it connects it displays the server certificate and asks whether to trust it.


    # cd /opt/SUNWwbsvr/bin
    # ./wadm add-webapp --user=admin \
      --host=da-2.example.com --port=8989 \
      --config=da-2.example.com --vs=da-2.example.com \
      --uri=/distAuth \
      /export/da80adm/ossodistauth.war
    
    Please enter admin-user-password: web4dmin
    
    Do you trust the above certificate? [y|n] y
    
    CLI201 Command 'add-webapp' ran successfully
  8. Deploy the Distributed Authentication User Interface WAR using the wadm command line interface.


    # ./wadm deploy-config --user=admin \
      --host=da-2.example.com --port=8989 \
      da-2.example.com
    
    Please enter admin-user-password: web4dmin
    
    CLI201 Command 'deploy-config' ran successfully
  9. Verify that the distAuth web application has been deployed.


    # cd /opt/SUNWwbsvr/https-da-2.example.com/web-app/da-2.example.com
    # ls -al
    
    total 6
    drwxr-xr-x   4 da80adm  staff        512 Jun 30 15:40 .
    drwxr-xr-x   3 da80adm  staff        512 Jun 30 15:40 ..
    drwxr-xr-x   6 da80adm  staff        512 Jun 30 15:40 distAuth
    
  10. Restart the Web Server instance.


    # cd /opt/SUNWwbsvr/https-da-2.example.com/bin
    # ./stopserv; ./startserv
    
    server has been shutdown
    Sun Java System Web Server 7.0U2 B12/09/2008 09:02
    info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_12]
    from [Sun Microsystems Inc.]
    info: WEB0100: Loading web module in virtual server [da-2.example.com]
    at [/distAuth]
    info: HTTP3072: http-listener-1: http://da-2.example.com:1080 ready to
    accept requests
    info: HTTP3072: http-listener-2: https://da-2.example.com:1443 ready to
    accept requests
    info: CORE3274: successful server startup

    The output indicates that the distAuth web application has been successfully loaded.

Procedure: To Configure Distributed Authentication User Interface 2

  1. Access http://da-2.example.com:1080/distAuth from a web browser.

    The Configurator page is displayed the first time the Distributed Authentication User Interface is accessed.

  2. Provide the following configuration information and click Configure.

    Server Protocol 

    https

    Server Host 

    lb-2.example.com

    Server Port 

    1081

    Server Deployment URI 

    opensso

    distAuth Server Protocol

    http

    distAuth Server Host

    da-2.example.com

    distAuth Server Port

    1080

    distAuth Server Deployment URI

    /distAuth

    distAuth Server Cookie Name

    AMDistAuthCookie

    Debug Directory 

    /export/da80adm/Debug

    Debug level 

    error

    Encryption Key 

    Accept the default value. 

    Application User Name 

    authuiadmin

    Application User Password 

    authuiadmin

    Confirm Application User Password 

    authuiadmin

    These values will configure the Distributed Authentication User Interface web application to communicate with OpenSSO Enterprise through Load Balancer 2. You see the following message after a successful configuration.


    DistAuth application is successfully configured.
    AMDistAuthConfig.properties created at /export/da80adm/AMDistAuthConfig.properties
    
    Click here to go to login page.
  3. Access http://da-2.example.com:1080/distAuth/UI/Login?goto=http://da-2.example.com:1080 from a web browser.

  4. Log in to the Distributed Authentication User Interface as testuser1.

    Username

    testuser1

    Password

    password

    After successful authentication, you should be redirected to the index page for the Web Server instance in which the Distributed Authentication User Interface is deployed. This confirms that the Distributed Authentication User Interface has authenticated to OpenSSO Enterprise using the load balancer's secure channel.


    Caution –

    You may click the login link after configuration of the Distributed Authentication User Interface. If you do and provide valid administrator credentials you will get an error page indicating that the requested object does not exist on this server. This is because the success login URL configured on OpenSSO Enterprise is a relative URL.


Procedure: To Configure Load Balancer Cookies for the Distributed Authentication User Interface

Access to the Distributed Authentication User Interface is through Load Balancer 3. In order to maintain server affinity, the Distributed Authentication User Interface needs to specify sticky cookies. Towards this end, AMDistAuthConfig.properties is modified on both Distributed Authentication User Interface host machines.

  1. As a root user, log in to the da–1 host machine.

  2. Switch to the non-root user.


    # su da80adm
    
  3. Change to the non-root user directory.


    # cd /export/da80adm
    
  4. Modify AMDistAuthConfig.properties as follows.

    • Uncomment the last two lines at the end of the file.

    • Set the following property values:


      • com.iplanet.am.lbcookie.name=DistAuthLBCookie
        

      • com.iplanet.am.lbcookie.value=4131721920.41733.0000
        

    Note –

    Use the same cookie name for the value of the com.iplanet.am.lbcookie.name property that was specified for load balancer persistence in To Configure the Distributed Authentication User Interface Load Balancer. Failure to do so might cause the OpenSSO Enterprise login page to go into a loop since stickiness could not be maintained based on the cookie name.


  5. Save the file and close it.

  6. Restart the Web Server instance.


    # cd /opt/SUNWwbsvr/https-da-1.example.com/bin
    # ./stopserv; ./startserv
    
  7. Log out of the da–1 host machine.

  8. As a root user, log in to the da–2 host machine.

  9. Switch to the non-root user.


    # su da80adm
    
  10. Change to the non-root user directory.


    # cd /export/da80adm
    
  11. Modify AMDistAuthConfig.properties as follows.

    • Uncomment the last two lines at the end of the file.

    • Set the following property values:


      • com.iplanet.am.lbcookie.name=DistAuthLBCookie
        

      • com.iplanet.am.lbcookie.value=4148499136.41733.0000
        

    Note –

    Use the same cookie name for the value of the com.iplanet.am.lbcookie.name property that was specified for load balancer persistence in To Configure the Distributed Authentication User Interface Load Balancer. Failure to do so might cause the OpenSSO Enterprise login page to go into a loop since stickiness could not be maintained based on the cookie name.


  12. Save the file and close it.

  13. Restart the Web Server instance.


    # cd /opt/SUNWwbsvr/https-da-2.example.com/bin
    # ./stopserv; ./startserv
    
  14. Log out of the da–2 host machine.
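
The edit in steps 4 and 11, and the loop the Note warns about, can be checked and demonstrated offline. The block below is an added example, not code from the OpenSSO Enterprise guide: set_lb_cookie() uncomments and sets the two lbcookie properties, check_lb_cookie() compares the result with the cookie name the load balancer persists on, and a deliberately simplified model of a Distributed Authentication UI instance behind a cookie-sticky load balancer shows why a mismatched name sends the credential post to the other instance and lands the browser back on the login page. SAMPLE_PROPERTIES (the tail of AMDistAuthConfig.properties as the configurator leaves it), the DistAuthInstance and StickyLoadBalancer classes, and the round-robin fallback are constructed for the example; the cookie name and the two cookie values are the ones used in this procedure.

```python
"""Added example (not from the OpenSSO Enterprise guide): set the lbcookie
properties as steps 4 and 11 describe, check them against the load
balancer's persistence cookie name, and show with a constructed model of
cookie-based stickiness why a mismatched name loops on the login page.
SAMPLE_PROPERTIES and the two classes are simplifications made up here."""
import itertools
import re

LB_COOKIE_NAME = "DistAuthLBCookie"   # name Load Balancer 3 persists on
LB_COOKIE_VALUES = {"da-1.example.com": "4131721920.41733.0000",
                    "da-2.example.com": "4148499136.41733.0000"}

SAMPLE_PROPERTIES = """\
# constructed tail of AMDistAuthConfig.properties as the configurator leaves it
com.iplanet.distAuth.server.host=da-1.example.com
#com.iplanet.am.lbcookie.name=
#com.iplanet.am.lbcookie.value=
"""

KEYS = ("com.iplanet.am.lbcookie.name", "com.iplanet.am.lbcookie.value")
KEY_RE = re.compile(r"\s*#?\s*(com\.iplanet\.am\.lbcookie\.(?:name|value))\s*=")


def set_lb_cookie(text, name, value):
    """Uncomment the two lbcookie lines and set them; append them if absent."""
    wanted = dict(zip(KEYS, (name, value)))
    out, seen = [], set()
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            out.append(f"{m.group(1)}={wanted[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
    out += [f"{k}={wanted[k]}" for k in KEYS if k not in seen]
    return "\n".join(out) + "\n"


def parse_properties(text):
    """Minimal key=value parser; commented and blank lines are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            k, _, v = line.partition("=")
            props[k.strip()] = v.strip()
    return props


def check_lb_cookie(text, lb_cookie_name):
    """Problems that would break server affinity through the load balancer."""
    props = parse_properties(text)
    name, value = props.get(KEYS[0]), props.get(KEYS[1])
    problems = []
    if not name:
        problems.append(f"{KEYS[0]} unset or still commented out")
    elif name != lb_cookie_name:
        problems.append(f"{KEYS[0]}={name!r} but the load balancer persists on {lb_cookie_name!r}")
    if not value:
        problems.append(f"{KEYS[1]} unset or still commented out")
    return problems


class DistAuthInstance:
    """Constructed model of one Distributed Authentication UI: the login page
    creates an authentication context only this instance knows about and
    sets its lbcookie so the load balancer can pin later requests to it."""
    def __init__(self, host, lbcookie_name, lbcookie_value):
        self.host, self.lbcookie_name, self.lbcookie_value = host, lbcookie_name, lbcookie_value
        self.contexts, self._ids = set(), itertools.count(1)

    def login_page(self, cookies):
        ctx = f"{self.host}-ctx{next(self._ids)}"
        self.contexts.add(ctx)
        cookies.update({"ctx": ctx, self.lbcookie_name: self.lbcookie_value})

    def submit_credentials(self, cookies):
        return cookies.get("ctx") in self.contexts  # unknown context: login page again


class StickyLoadBalancer:
    """Routes on the persistence cookie; with no usable cookie, round-robin."""
    def __init__(self, cookie_name, backends):
        self.cookie_name = cookie_name
        self.by_value = {b.lbcookie_value: b for b in backends}
        self._rr = itertools.cycle(backends)

    def route(self, cookies):
        return self.by_value.get(cookies.get(self.cookie_name)) or next(self._rr)


def login_rounds(instance_cookie_name, max_rounds=4):
    """Rounds of (fetch login page, post credentials) through the load
    balancer until the post reaches the instance holding the context;
    None when it never does, which the browser sees as a login loop."""
    backends = [DistAuthInstance(h, instance_cookie_name, v) for h, v in LB_COOKIE_VALUES.items()]
    lb = StickyLoadBalancer(LB_COOKIE_NAME, backends)
    cookies = {}
    for rnd in range(1, max_rounds + 1):
        lb.route(cookies).login_page(cookies)
        if lb.route(cookies).submit_credentials(cookies):
            return rnd
    return None


if __name__ == "__main__":
    patched = set_lb_cookie(SAMPLE_PROPERTIES, LB_COOKIE_NAME, LB_COOKIE_VALUES["da-1.example.com"])
    print(patched, check_lb_cookie(patched, LB_COOKIE_NAME))
    print("matching name:", login_rounds(LB_COOKIE_NAME), "round(s)")
    print("mismatched name:", login_rounds("amlbcookie"))
```

With the name matching the load balancer's, the credential post is pinned to the instance that served the login page and succeeds in one round; with any other name the load balancer never sees its cookie, falls back to distributing requests, and the post keeps reaching an instance that has no context for it. Run check_lb_cookie over the edited file on both da hosts before restarting the Web Server instances.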

Procedure: To Verify That Authentication Using the Distributed Authentication User Interface Load Balancer is Successful

  1. Access the load balancer's secure port at https://lb-3.example.com:1443/distAuth/UI/Login?goto=https://lb-3.example.com:1443 from a web browser.

  2. Log in through the Distributed Authentication User Interface as testuser1.

    Username

    testuser1

    Password

    password

    After successful login, you should be redirected to the index page for one of the Web Server instances in which the Distributed Authentication User Interface is deployed. If the load balancer configuration is incorrect, the OpenSSO Enterprise login page would not have been displayed in the previous step.