10.2 Installing the Web Server and Web Policy Agent on Protected Resource 1

Download the Sun Java System Web Server bits to the Protected Resource 1 host machine (pr1.sp-example.com) and install it. Additionally, download, install and configure the appropriate web policy agent. Use the following list of procedures as a checklist for completing the task.

• To Patch the Protected Resource 1 Host Machine

• To Install and Configure Sun Java System Web Server on Protected Resource 1

• To Import a Certificate Authority Root Certificate to Protected Resource 1

• To Install and Configure Web Policy Agent on Protected Resource 1

• To Enable the Web Policy Agent to Run in SSO Only Mode

• To Configure the Web Policy Agent for SAML v2 Communication

To Patch the Protected Resource 1 Host Machine

Sun Java System Web Server is the second web container used on the pr1.sp-example.com host machine.

Before You Begin

Read the latest version of the Web Server 7.0 Release Notes to determine if you need to install patches on your host machine. In this case, the Release Notes indicate that based on the hardware and operating system being used, patch 119963–08, patch 120011–14, and patch 117461–08 are required.

1. As a root user, log into the pr1.sp-example.com host machine.

2. Run patchadd to see if the patch is installed.

   # patchadd -p | grep 117461–08

   A list of patch numbers is displayed. On our lab machine, the required patch 117461–08 is present so there is no need to install it.

   # patchadd -p | grep 119963–08

   No results are returned which indicates that the patch is not yet installed on the system.

   # patchadd -p | grep 120011-14

   No results are returned which indicates that the patch is not yet installed on the system.

3. Make a directory for downloading the patch you need and change into it.

   # mkdir /export/patches # cd /export/patches

4. Download the patches.

   You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch.

   ---

   Note –

   Signed patches are downloaded as JAR files. Unsigned patches are downloaded as ZIP files.

   ---

5. Unzip the patch file.

   # unzip 119963–08.zip # unzip 120011–14.zip

6. Run patchadd to install the patches.

   # patchadd /export/patches/119963–08 # patchadd /export/patches/120011–14

7. After installation is complete, run patchadd to verify that the patch was added successfully.

   # patchadd -p | grep 119963–08

   In this example, a series of patch numbers are displayed, and the patch 119963–08 is present.

   # patchadd -p | grep 120011-14

   In this example, a series of patch numbers are displayed, and the patch 120011–14 is present.

To Install and Configure Sun Java System Web Server on Protected Resource 1

Before You Begin

This procedure assumes you have just finished To Patch the Protected Resource 1 Host Machine and are still logged in as the root user.

1. Create a directory into which you can download the Web Server bits and change into it.

   # mkdir /export/WS7 # cd /export/WS7

2. Download the Sun Java System Web Server 7.0 Update 3 software from http://www.sun.com/download/products.xml?id=45ad781d.

   Follow the instructions on the Sun Microsystems Product Downloads web site for downloading the software.

3. Unpack the Web Server package.

   # gunzip sjsws-7_0u3-solaris-sparc.tar.gz # tar xvf sjsws-7_0u3-solaris-sparc.tar

4. Run setup.

   # cd /export/WS7 # ./setup --console

5. When prompted, provide the following information.

   Welcome to the Sun Java System Web Server 7.0u3 installation wizard. ... You will be asked to specify preferences that determine how Sun Java System Web Server 7.0U3 is installed and configured. The installation program pauses as questions are presented so you can read the information and make your choice. When you are ready to continue, press Enter. (Return on some keyboards.)	Press Enter. Continue to press Enter when prompted.
   Have you read the Software License Agreement and do you accept all terms [no] {"," goes back, "!" exits}?	Enter yes.
   Sun Java System Web Server 7.0 Installation Directory [/sun/webserver7] {"," goes back, "!" exits} :	Enter /opt/SUNWwbsvr
   Specified directory /opt/SUNWwbsvr does not exist. Create Directory? [Yes/No] [yes] {"," goes back, "!" exits}	Enter yes.
   Select Type of Installation 1. Express 2. Custom 3. Exit What would you like to do? [1] {"," goes back, "!" exits}	Enter 2.
   Component Selection 1. Server Core 2. Server Core 64-biy Binaries 3. Administration Command Line Interface 4. Sample Applications 5. Language Pack Enter the comma-separated list [1,2,3,4,5] {"," goes back, "!" exits}	Enter 1,3,5.
   Java Configuration Sun Java System Web Server 7.0 requires Java Se Development Kit (JDK). Provide the path to a JDK 1.5.0_15 or greater. 1. Install Java SE Development Kit (JDK) 1.5.0_15 2. Reuse existing Java SE Development Kit (JDK) 1.5.0_15 3. Exit What would you like to do? [1] {"," goes back, "!" exits}	Enter 1.
   Administrative Options 1. Create an Administration Server and a Web Server Instance 2. Create an Administration Node Enter your option. [1] {"," goes back, "!" exits}	Enter 1.
   Create SMF services for server instances [yes/no] [no] {"," goes back, "!" exits}	Accept the default value.
   Host Name [pr1.sp-example.com] {"," goes back, "!" exits}	Accept the default value.
   SSL Port [8989] {"," goes back, "!" exits}	Accept the default value.
   Create a non-SSL Port? [yes/no] [no] {"," goes back, "!" exits}	Enter no.
   Runtime User ID [root] {"," goes back, "!" exits}	Accept the default value (for the administration server).
   Administrator User Name [admin] {"," goes back, "!" exits}	Accept the default value.
   Administrator Password:	Enter web4dmin.
   Retype Password:	Enter web4dmin.
   Server Name [pr1.sp-example.com] {"," goes back, "!" exits}	Accept the default value.
   Http Port [8080] {"," goes back, "!" exits}	Enter 1080.
   Runtime User ID [webserverd] {"," goes back, "!" exits}	Enter root (for the instance).
   Document Root Directory [/opt/SUNWwbsvr/ https-pr1.sp-example.com/docs] {"," goes back, "!" exits}	Accept the default value.
   Start Administration Server [yes/no] [yes] {"," goes back, "!" exits}	Enter no.
   Ready To Install 1. Install Now 2. Start Over 3. Exit Installation What would you like to do [1] {"," goes back, "!" exits}?	Enter1.

   When installation is complete, the following message is displayed:

   Installation Successful.

6. Start the Web Server administration server.

   # cd /opt/SUNWwbsvr/admin-server/bin # ./startserv

7. Run netstat to verify that the port is open and listening.

   # netstat -an | grep 8989 *.8989 *.* 0 0 49152 0 LISTEN

8. (Optional) Login to the Web Server administration console at https://pr1.sp-example.com:8989 as the administrator.

   Username

   admin

   Password

   web4dmin

   You should see the Web Server administration console.

9. (Optional) Log out of the Web Server console and close the browser.

10. Start the Protected Resource 1 Web Server instance.

    # cd /opt/SUNWwbsvr/https-pr1.sp-example.com/bin # ./startserv Sun Java System Web Server 7.0U3 B06/16/2008 12:00 info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from [Sun Microsystems Inc.] info: HTTP3072: http-listener-1: http://pr1.sp-example.com:1080 ready to accept requests info: CORE3274: successful server startup

11. Run netstat to verify that the port is open and listening.

    # netstat -an | grep 1080 *.1080 *.* 0 0 49152 0 LISTEN

12. (Optional) Access the Protected Resource 1 instance at http://pr1.sp-example.com:1080 using a web browser.

    You should see the default Web Server index page.

13. Log out of the pr1.sp-example.com host machine.

To Import a Certificate Authority Root Certificate to Protected Resource 1

The Certificate Authority (CA) root certificate enables the web policy agent to trust the certificate from the OpenSSO Enterprise Load Balancer 2, and to trust the certificate chain that is formed from the CA to the server certificate.

Before You Begin

• Copy the same CA root certificate used in To Install a CA Root Certificate to OpenSSO Enterprise Load Balancer 2 to the pr1.sp-example.com host machine. In this example, the file is /export/software/ca.cer.

• Backup cacerts before modifying it.

1. As a root user, log into the pr1.sp-example.com host machine.

2. Import the CA root certificate into cacerts, the certificate store.

   # /opt/SUNWwbsvr/jdk/jre/bin/keytool -import -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass changeit Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun,L=Santa Clara, ST=California C=US Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun,L=Santa Clara, ST=California C=US Serial number: f59cd13935f5f498 Valid from: Thu Sep 20 11:14:51 PDT 2008 18 07:66:19 PDT 2006 until: Thu Jun 17 11:41:51 PDT 2010 Certificate fingerprints: MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9 SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA Trust this certificate: [no] yes Certificate was added to keystore.

3. Verify that the CA root certificate was imported.

   # /opt/SUNWwbsvr/jdk/jre/bin/keytool -list -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass changeit | grep -i open openSSLTestCA, Sep 20, 2008, trustedCertEntry,

4. Log out of the pr1.sp-example.com host machine.

To Install and Configure Web Policy Agent on Protected Resource 1

Before You Begin

The JAVA_HOME environment variable should be set to /opt/SUNWwbsvr/jdk/jre.

1. As a root user, log into the pr1.sp-example.com host machine.

2. Create a directory into which you can download the Web Server agent bits and change into it.

   # mkdir /export/WebPA1 # cd /export/WebPA1

3. Create a text file that contains the Agent Profile password.

   The Web Policy Agent installer requires this for installation.

   # cat > agent.pwd webagent1 Hit Control D to terminate the command ^D

4. Download the web policy agent for Web Server from http://www.sun.com/download/.

   # ls -al total 7512 drwxr-xr-x 2 root root 512 Jul 24 14:48 . drwxr-xr-x 11 root root 512 Jul 24 14:41 .. -rw-r--r-- 1 root root 10 Jul 24 14:42 agent.pwd -rw-r--r-- 1 root root 9 Jul 24 14:42 agentadm.pwd -rw-r--r-- 1 root root 3826794 Jul 24 14:48 sjsws_v70_SunOS_sparc_agent_3.zip

5. Unzip the downloaded file.

   # unzip sjsws_v70_SunOS_sparc_agent_3.zip

6. Run the agent installer.

   # cd /export/WebPA1/web_agents/sjsws_agent/bin # ./agentadmin --custom-install

7. When prompted, do the following.

   Please read the following License Agreement carefully:	Press Enter and continue to press Enter until you have reached the end of the License Agreement.
   Do you completely agree with all the terms and conditions of this License Agreement (yes/no): [no]:	Type yes and press Enter.
   Enter the Sun Java System Web Server Config Directory Path [/var/opt/SUNWwbsvr7/ https-pr1.sp-example.com/config]:	Type /opt/SUNWwbsvr/https-pr1.sp-example.com/config and press Enter.
   Enter the OpenSSO Enterprise URL including the deployment URI (http://opensso.sample.com:58080/opensso)	Type https://lb4.example.com:1081/opensso and press Enter.
   Enter the Agent URL: (http://agent1.sample.com:1234)	Type http://pr1.sp-example.com:1080 and press Enter.
   Enter the Encryption Key [WSpf7aqc3AFIGvf2mCqvNBOsf44cDrf3].	Accept the default value.
   Enter the Agent profile name [UrlAccessAgent]:	Type webagent-1 and press Enter.
   Enter the path to a file that contains the password to be used for identifying the Agent.	Type /export/WebPA1/agent.pwd and press Enter. Note – A warning message is displayed regarding the existence of the agent profile.
   ----------------------------------------- SUMMARY OF YOUR RESPONSES ----------------------------------------------- Sun Java System Web Server Config Directory : /opt/SUNWwbsvr/https-pr1.sp-example.com/config OpenSSO Server URL : https://lb4.sp-example.com:1081/opensso Agent URL : http://pr1.sp-example.com:1080 Encryption Key : WSpf7aqc3AFIGvf2mCqvNBOsf44cDrf3 Agent Profile name : webagent-1 Agent Profile Password file name : /export/WebPA1/agent.pwd Agent Profile will be created right now by agent installer : true Agent Administrator : amadmin Agent Administrator's password file name : /export/WebPA1/agentadm.pwd Verify your settings above and decide from the choices below. 1. Continue with Installation 2. Back to the last interaction 3. Start Over 4. Exit Please make your selection [1]:	Type 1 and press Enter.

8. Restart the Web Server 1 instance.

   # cd /opt/SUNWwbsvr/https-pr1.sp-example.com/bin # ./stopserv; ./startserv server has been shutdown Sun Java System Web Server 7.0U3 B06/16/2008 12:00 info: CORE3016: daemon is running as super-user info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from [Sun Microsystems Inc.] info: HTTP3072: http-listener-1: http://pr1.sp-example.com:1080 ready to accept requests info: CORE3274: successful server startup

9. Verify that the Web Policy Agent was successfully created in OpenSSO Enterprise using the following sub procedure.

   1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

   2. Log in to the OpenSSO Enterprise console as the administrator.

      User Name:

      amadmin

      Password:

      ossoadmin

   3. Under the Access Control tab, click / (Top Level Realm).

   4. Click the Agents tab.

      By default, the Web tab is displayed. You should see webagent-1 under the Agent table.

   5. Click webagent-1.

      The webagent-1 properties page is displayed.

   6. Log out of the console and close the browser.

10. Remove the password files.

    # cd /export/WebPA1 # rm agent.pwd # rm agentadm.pwd

11. Log out of the pr1.sp-example.com host machine.

To Enable the Web Policy Agent to Run in SSO Only Mode

1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   User Name:

   amadmin

   Password:

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Agents tab.

5. Click the Web tab.

   webagent-1 is displayed under the Agent table.

6. Click webagent-1.

   The webagent-1 properties page is displayed.

7. Click the General link on the webagent-1 properties page.

8. Select the check box to enable the SSO Mode Only property.

9. Click Save.

10. Log out of the OpenSSO Enterprise console and close the browser.

11. Log in to the pr1.sp-example.com host machine as root user.

12. Restart the Web Server.

    # cd /opt/SUNWwbsvr/https-pr1.sp-example.com/bin # ./stopserv # ./startserv

13. Log out of the pr1.sp-example.com host machine.

14. Verify the configurations with the following sub procedure.

    1. Close and reopen the browser.

    2. Access https://lb4.sp-example.com:1080/index.html from a web browser.

    3. Log in to the OpenSSO Enterprise console using the following credentials.

       User Name:

       spuser

       Password:

       spuser

       The default Web Server page is displayed.

    4. Close the browser.

To Configure the Web Policy Agent for SAML v2 Communication

1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

2. Log in to the OpenSSO Enterprise console as the administrator.

   User Name:

   amadmin

   Password:

   ossoadmin

3. Under the Access Control tab, click / (Top Level Realm).

4. Click the Agents tab.

5. Click the Web tab.

   webagent-1 is displayed under the Agent table.

6. Click webagent-1.

   The webagent-1 properties page is displayed.

7. Click the OpenSSO Services tab.

   The Edit webagent-1 page is displayed.

8. Click the Login URL link on the Edit webagent-1 page.

9. Remove the existing value of the OpenSSO Login URL property.

   This value is displayed in the Selected box.

10. Enter https://lb4.sp-example.com:1081/opensso/spssoinit?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1181/opensso in the text box and click Add.

    This URL redirects the agent to the identity provider for authentication.

11. Select the existing value of the OpenSSO Logout URL attribute and click Delete.

12. Enter https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1181/opensso in the text box and click Add.

13. Enter http://www.sun.com as a value of the Logout Redirect URL attribute and click Add.

14. Enter http://pr1.sp-example.com:1080/logout.html as a value of the Agent Logout URL List attribute and click Add.

15. Click Save.

16. Log out of the OpenSSO Enterprise console and close the browser.

17. Log in to the pr1.sp-example.com host machine.

18. Create the logout.html file using the following sub procedure.

    # cd /opt/SUNWwbsvr/https-pr1.sp-example.com/docs # vi logout.html

    This creates an empty file.

19. Restart the Web Server.

    # cd /opt/SUNWwbsvr/https-pr1.sp-example.com/bin # ./stopserv # ./startserv

20. Log out of the pr1.sp-example.com host machine.

21. Verify the configurations with the following sub procedure.

    1. Access http://pr1.sp-example.com:1080/index.html from a web browser.

       The OpenSSO Enterprise login page on the identity provider side is displayed. The browser is then redirected to the identity provider for authentication.

    2. Log in to the OpenSSO Enterprise console using the following credentials.

       User Name:

       idpuser

       Password:

       idpuser

       The default Web Server page is displayed.

    3. Access http://pr1.sp-example.com:1080/logout.html from a web browser.

       This will log out the user from the service provider and the identity provider using the SAML v2 single logout protocol.

    4. Close the browser.