Sun Java Enterprise System 2005Q1 Deployment Example Series: Evaluation Scenario

Chapter 8 Configuring and Using Single Sign-On

When single sign-on (SSO) is enabled, Java ES users log in to the first service they access. After that, they can use any other single sign-on enabled service without logging in again. In the evaluation solution you enable SSO for your messaging and calendar services. Your test account can log in to the Communications Express web-based interface and access both mail and calendar services. Your test account can also log in to the portal desktop and access both mail and calendar services through the portal desktop. In a production solution, Access Manager also supports single sign-on for other kinds of services, including your custom applications.

This chapter describes how to set up and use single sign-on, in the following sections:

About Single Sign-On

Java ES provides two related mechanisms for implementing SSO. This section describes both.

About Access Manager Single Sign-On

Access Manager SSO supports SSO access to all web-based interfaces. When a user first accesses an SSO-enabled service through a web browser, Access Manager authenticates the user and then sends an SSO cookie to the user's web browser. When the user accesses another SSO-enabled service, the user's web browser first confirms with Access Manager that the user's session is still open and then returns the SSO cookie, which confirms authentication, to Access Manager. The user is able to access the next service without logging in again. The cookie is a bearer token: whoever presents it while the session is open is treated as the user, which is why the procedures below also decide whether a session is tied to the IP address that opened it (the ipsecurity setting).

To set up Access Manager SSO for the evaluation solution, you configure your Messaging Server and Calendar Server instances to use SSO instead of their default authentication mechanisms. Access Manager and Communications Express are configured by default for Access Manager SSO.
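
The session check that this mechanism relies on, as an added example that is not part of the Sun documentation: a small Python model of Access Manager issuing the iPlanetDirectoryPro cookie at login, two services (mail and calendar) validating it, a replay of the cookie from a second IP address, and single sign-off. The client addresses, the in-memory session table, and the TestUser/password account are assumptions for the model; the real Access Manager naming and session services are not called.

```python
import secrets
import time

COOKIE_NAME = "iPlanetDirectoryPro"  # cookie name set by both procedures in this chapter


class AccessManager:
    """Stand-in for Access Manager: issues session tokens at login and
    answers the validation requests that SSO-enabled services make."""

    def __init__(self, ip_security=True, ttl_seconds=3600):
        self.ip_security = ip_security      # counterpart of service.http.ipsecurity
        self.ttl = ttl_seconds
        self._sessions = {}                 # token -> (uid, client_ip, expires_at)

    def login(self, uid, password, client_ip, users):
        """Authenticate against a constructed user table; return a token or None."""
        if users.get(uid) != password:
            return None
        token = secrets.token_urlsafe(32)   # unguessable bearer token
        self._sessions[token] = (uid, client_ip, time.time() + self.ttl)
        return token

    def validate(self, token, client_ip):
        """Return the uid for a live session, or None when the token is unknown,
        expired, logged out, or (with ipsecurity on) presented from another IP."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        uid, bound_ip, expires_at = entry
        if time.time() > expires_at:
            del self._sessions[token]
            return None
        if self.ip_security and bound_ip != client_ip:
            return None
        return uid

    def logout(self, token):
        """Single sign-off: removing the session logs the user out of every service."""
        self._sessions.pop(token, None)


class Service:
    """A mail or calendar front end that delegates authentication to Access Manager."""

    def __init__(self, name, am):
        self.name, self.am = name, am

    def request(self, cookies, client_ip):
        uid = self.am.validate(cookies.get(COOKIE_NAME), client_ip)
        return f"{self.name}: welcome {uid}" if uid else f"{self.name}: redirect to login"


def sso_walkthrough(ip_security=True):
    """Log in once, use mail then calendar, replay the cookie from another IP,
    then log out and try again.  Returns the four service responses."""
    users = {"TestUser": "password"}        # constructed: the chapter's test account
    am = AccessManager(ip_security=ip_security)
    mail, cal = Service("mail", am), Service("calendar", am)
    browser = {COOKIE_NAME: am.login("TestUser", "password", "10.0.0.5", users)}
    results = [mail.request(browser, "10.0.0.5"), cal.request(browser, "10.0.0.5")]
    results.append(cal.request(browser, "192.0.2.9"))   # stolen cookie, different host
    am.logout(browser[COOKIE_NAME])
    results.append(mail.request(browser, "10.0.0.5"))   # single sign-off took effect
    return results


if __name__ == "__main__":
    for ip_security in (True, False):
        print(f"ipsecurity={'yes' if ip_security else 'no'}:", sso_walkthrough(ip_security))
```

Running the walkthrough with ip_security=True shows the second login-free access succeeding, the replay from 192.0.2.9 being refused, and the post-logout request being sent back to the login page; with ip_security=False, which is what the evaluation configures, only the replay result changes, and the stolen cookie is accepted.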

About Portal Server Proxy Authentication

Portal Server proxy authentication substitutes a proxy user ID for the individual user's ID. When the user logs in to the portal service, the portal service authenticates the user's own ID for access to the portal service. If any channels in the portal desktop are configured for proxy authentication, the portal service uses the proxy user ID to authenticate to the channel services, and the user's information appears in the channel sections of the portal desktop.

To set up portal service proxy authentication, you use the Access Manager console to configure a portal SSO adapter for each service. You must also provision each user account with the LDAP attributes required for proxy authentication.

For the evaluation solution, you set up proxy authentication for the sample portal desktop's mail and calendar channels. For the proxy accounts, you use the administrator accounts for the services: the admin account for the mail service and the calmaster account for the calendar service. Your test user account is already provisioned for these services.

Configuring for Access Manager Single Sign-On

This section describes how to configure the evaluation solution's mail and calendar services for Access Manager SSO.

Procedure: To Configure Messaging Server for SSO

Steps
  1. Change directory to the Messaging Server directory:


    cd /opt/SUNWmsgsr/sbin
  2. Run the following variations of the Messaging Server configuration command:

    1. ./configutil -o local.webmail.sso.amnamingurl -v http://evaluation_host/amserver/namingservice

    2. ./configutil -o local.webmail.sso.uwcenabled -v 1

    3. ./configutil -o local.webmail.sso.uwclogouturl -v http://evaluation_host:80/uwc/base/UWCMain\?op=logout

    4. ./configutil -o local.webmail.sso.uwcport -v 80

    5. ./configutil -o local.webmail.sso.uwccontexturi -v "uwc"

    6. ./configutil -o local.webmail.sso.amcookiename -v iPlanetDirectoryPro

    7. ./configutil -o local.webmail.sso.uwchome -v http://evaluation_host/uwc

    8. ./configutil -o service.http.allowadminproxy -v yes

    9. ./configutil -o service.http.ipsecurity -v no

       Setting service.http.ipsecurity to no turns off the check that every request in a Messenger Express HTTP session comes from the IP address that opened the session. That is acceptable on the evaluation host; in a production deployment, keep in mind that with this check off a captured session cookie is usable from any host.

  3. Run the command to stop Messaging Server:


    ./stop-msg
  4. Run the command to restart Messaging Server:


    ./start-msg

    The startup process displays a series of startup messages. The startup process might take a few moments. When startup is complete, the following message is displayed:


    starting job-controller server

    You have configured Messaging Server for SSO.

Procedure: To Configure Calendar Server for SSO

This section describes configuring Calendar Server for SSO.

Steps
  1. Change directory to the Calendar Server configuration directory:


    cd /opt/SUNWics5/cal/config
  2. Edit the ics.conf file.

    Find each of the following parameters and make the described changes. In some cases you change the value and uncomment the line. In other cases, you simply uncomment the line.

    1. Find service.http.allowadminproxy. Set its value to yes.

    2. Find local.calendar.sso.amnamingurl. Uncomment the item and set its value to http://evaluation_host:80/amserver/namingservice.

    3. Find local.calendar.sso.singlesignoff. Uncomment the item. Leave its value set to yes.

    4. Find local.calendar.sso.amcookiename. Uncomment the item. Leave its value set to iPlanetDirectoryPro.

    5. Find local.calendar.sso.logname. Uncomment the item. Leave its value set to am_sso.log.

    6. Find service.calendarsearch.ldap. Set its value to no.

    7. Find service.http.ipsecurity. Uncomment the item. Change its value to no.

    8. Find caldb.serveralarms. Confirm that its value is 1.

    9. Find caldb.serveralarms.dispatch. Confirm that its value is yes.

    10. Find caldb.serveralarms.url. Uncomment the item and confirm that its value is enp:///ics/customalarm.

    11. Find caldb.serveralarms.contenttype. Uncomment the item and set its value to text/calendar.

    12. Find caldb.serveralarms.dispatchtype. Confirm that its value is ens.

  3. Save and close the ics.conf file.

  4. Change directory to the Calendar Server directory:


    cd /opt/SUNWics5/cal/sbin
  5. Run the command to stop Calendar Server:


    ./stop-cal
  6. Run the command to restart Calendar Server:


    ./start-cal

    The startup process displays a series of startup messages. The startup process might take a few moments. When startup is complete, the following message is displayed:


    Calendar services were started.

    You have configured Calendar Server for SSO.

Using Communications Express with Access Manager Single Sign-On

This section describes how to log in to Communications Express once and use single sign-on to reach both the mail and calendar services.

Procedure: To Log In to Communications Express with SSO

Steps
  1. In your web browser, log in to Communications Express. Open the following URL:


    http://evaluation_host/uwc

    The Communications Express login page is displayed.

  2. Log in as Test User. Type the following values:

    • User Name: TestUser

    • Password: password

    Click the Log In button. The Communications Express main window is displayed. The mail tab is selected. Test User’s name and email address (test.user@examplecorp.com) are displayed. This verifies that you are logged in as Test User.

  3. Click Compose.

    The New Message window opens.

    Figure 8–1 New Message Window

    Screen capture. Field values as described in step 4.

  4. Compose a test message. Do the following:

    • In the To text field, type test.user@examplecorp.com.

    • In the Subject text field, type Test Message.

    • Click Plain Text.

    • In the message body, type This is a test.

    • Click Send.

    The New Message window closes.

  5. Click Get Mail.

    The test message is displayed in Test User's inbox.

  6. Click the Calendar tab.

    Test User’s calendar is displayed.

  7. Click New Event.

    The New Event window is displayed.

  8. Add a test event. Do the following:

    • In the Title text field, type Test Event.

    • In the Date, Time, and Duration fields, accept the default values.

    • In the Location text field, type Test User's Office.

    • Click Save.

    The New Event Window closes. The test event is displayed in Test User's calendar.

  9. This confirms that SSO is working, because you logged in once and can access both the mail and calendar services.

  10. Click Log Out.

    You have now configured your Java ES services for single sign-on and used single sign-on authentication to access the mail and calendar services.

Configuring for Portal Server Proxy Authentication

This section describes how to configure the sample mail and calendar channels that appear in the sample portal desktop for proxy authentication.

Procedure: To Configure the Portal Calendar Channel for the SSO Adapter Service

To enable proxy authentication for the sample portal Calendar channel, you configure the SSO Adapter Service. You perform this configuration in the Access Manager console.

Steps
  1. In your web browser, open the following URL:


    http://evaluation_host/amconsole/index.html

    The Access Manager login page is displayed.

  2. Type your user name (amadmin) and password (password).

    Click Log In. The Access Manager console window is displayed.

  3. Click the Service Configuration tab.

    The Access Manager Services are displayed.

  4. Scroll down in the left pane. Under Portal Server Configuration, locate SSO Adapter, and then click the arrow symbol that follows the name SSO Adapter.

    The right pane displays the SSO Adapter Service properties. You see a display similar to Figure 8–2.

    Figure 8–2 SSO Adapter Properties

    Screen capture. In the left pane, SSO Adapter is selected. In the right pane, the list of SSO adapters is displayed, as described in the text.

  5. Edit the SUN-ONE-CALENDAR configuration properties. Do the following:

    1. Locate the list of SSO Adapter Templates.

    2. Locate the line for the SUN-ONE-CALENDAR adapter template. Click Edit Properties.

      The right pane displays template property details.

  6. Locate the host property. Select it, and then click Change Type.

    The right pane displays the Edit Property Types display.

  7. Change the type of several properties from Merge to Default. Do the following:

    1. Select the host property. Click Move to Default.

    2. Select the port property. Click Move to Default.

    3. Select the clientPort property. Click Move to Default.

      Click Save. The list of SUN-ONE-CALENDAR adapter properties is displayed.

  8. Use the text fields to edit the values of the following properties:

    1. Locate the enableProxyAuth property. Change the value to true.

    2. Locate the proxyAdminUid property. Change the value to calmaster.

    3. Locate the proxyAdminPassword property. Change the value to password.

    4. Locate the host property. Change the value to evaluation_host.

    5. Locate the port property. Change the value to 89.

    6. Locate the clientPort property. Change the value to 89.

      Click Save to apply your changes.

  9. In the left pane, click the arrow symbol that follows the name SSO Adapter.

    The right pane displays the SSO Adapter Service properties. You see a display similar to Figure 8–2 .

  10. Edit the SUN-UWC-CALENDAR configuration properties. Do the following:

    1. Locate the list of SSO Adapter Templates.

    2. Locate the line for the SUN-UWC-CALENDAR template. Click Edit Properties.

      The right pane displays the SUN-UWC-CALENDAR template property details.

  11. Locate the host property. Select it, and then click Change Type.

    The right pane displays the Edit Property Types display.

  12. Change the type of several properties from Merge to Default:

    1. Select the host property. Click Move to Default.

    2. Select the port property. Click Move to Default.

    3. Select the clientHost property. Click Move to Default.

    4. Select the clientPort property. Click Move to Default.

      Click Save. The right pane redisplays the list of SSO Adapter properties.

  13. Use the text fields to edit the values of the following properties:

    1. Locate the enableProxyAuth property. Change the value to true.

    2. Locate the proxyAdminUid property. Change the value to calmaster.

    3. Locate the proxyAdminPassword property. Change the value to password.

    4. Locate the serverSSOEnabled property. Change the value to true.

    5. Locate the host property. Change the value to evaluation_host.

    6. Locate the port property. Change the value to 89.

    7. Locate the clientHost property. Change the value to evaluation_host.

    8. Locate the clientPort property. Change the value to 80.

  14. Click Save to apply your changes.

    You have configured the portal calendar channel for proxy authentication. You continue working in the Access Manager console.

Procedure: To Configure the Portal Mail Channel for the SSO Adapter Service

To enable proxy authentication for the sample portal Mail channel, you configure the SSO Adapter Service. You perform this configuration in the Access Manager console.

Steps
  1. In the left pane, click the arrow symbol that follows the name SSO Adapter.

    The right pane displays the SSO Adapter Service properties. You see a display similar to Figure 8–2 .

  2. Edit the SUN-ONE-MAIL configuration properties. Do the following:

    1. Locate the list of SSO Adapter Templates.

    2. Locate the line for SUN-ONE-MAIL. Click Edit Properties.

      The right pane displays the SUN-ONE-MAIL template property details.

  3. Locate the host property. Select it, and then click Change Type.

    The right pane displays the Edit Property Types display.

  4. Change the type of several properties from Merge to Default:

    1. Select the host property. Click Move to Default.

    2. Select the port property. Click Move to Default.

    3. Select the smtpServer property. Click Move to Default.

    4. Select the clientPort property. Click Move to Default.

    5. Select the smtpPort property. Click Move to Default.

    6. Select the domain property. Click Move to Default.

      Click Save. The right pane displays the list of SSO Adapter properties.

  5. Use the text fields to edit the values of the following properties:

    1. Locate the enableProxyAuth property. Change the value to true.

    2. Locate the proxyAdminUid property. Change the value to admin.

    3. Locate the proxyAdminPassword property. Change the value to password.

    4. Locate the host property. Change the value to evaluation_host.

    5. Locate the port property. Change the value to 143.

    6. Locate the smtpServer property. Change the value to evaluation_host.

    7. Locate the clientPort property. Change the value to 88.

    8. Locate the smtpPort property. Change the value to 25.

    9. Locate the domain property. Confirm that it is blank.

    10. Locate the serverSSOEnabled property. Change the value to true.

  6. Click Save to apply your changes.

  7. In the left pane, click the arrow symbol that follows the name SSO Adapter.

    The right pane displays the SSO Adapter Service properties. You see a display similar to Figure 8–2 .

  8. Edit the SUN-UWC-MAIL configuration properties. Do the following:

    1. Locate the list of SSO Adapter Templates.

    2. Locate the line for the SUN-UWC-MAIL template. Click Edit Properties.

      The right pane displays the SUN-UWC-MAIL template property details.

  9. Locate the host property. Select it, and then click Change Type.

    The right pane displays the Edit Property Types display.

  10. Change the type of several properties from Merge to Default:

    1. Select the host property. Click Move to Default.

    2. Select the port property. Click Move to Default.

    3. Select the smtpServer property. Click Move to Default.

    4. Select the clientPort property. Click Move to Default.

    5. Select the smtpPort property. Click Move to Default.

    6. Select the domain property. Click Move to Default.

      Click Save. The right pane redisplays the list of SUN-UWC-MAIL adapter template properties.

  11. Use the text fields to edit the values of the following properties:

    1. Locate the enableProxyAuth property. Change the value to true.

    2. Locate the proxyAdminUid property. Change the value to admin.

    3. Locate the proxyAdminPassword property. Change the value to password.

    4. Locate the host property. Change the value to evaluation_host.

    5. Locate the port property. Change the value to 143.

    6. Locate the smtpServer property. Change the value to evaluation_host.

    7. Locate the clientPort property. Change the value to 88.

    8. Locate the smtpPort property. Change the value to 25.

    9. Locate the domain property. Confirm that it is blank

    10. Locate the serverSSOEnabled property. Change the value to true.

  12. Click Save to apply your changes.

  13. At a command line, change directory to the Web Server directory:


    cd /opt/SUNWwbsvr/https-evaluation_host
    
  14. Run the command to restart Web Server:


    ./stop; ./start

    The startup process displays a series of startup messages. The startup process might take a few moments. When startup is complete, the following message is displayed:


    startup: server started successfully

    Restarting Web Server restarts Portal Server and applies all of your configuration changes.

Procedure: To Configure the Portal Desktop for Proxy Authentication

Steps
  1. Return to the Access Manager console. Click the Identity Management tab.

  2. In the View drop-down list, select Services.

    The left pane displays a list of services.

  3. In the left pane, locate the Portal Desktop service. Click the arrow.

    The right pane displays the Portal Desktop settings.

  4. In the right pane, click Manage Channels and Containers.

    The right pane displays a list of portal desktop channels.

  5. In the right pane, locate MyFrontPageTabPanelContainer. Click it. (Do not click Edit Properties.)

    The right pane displays the MyFrontPageTabPanelContainer channel properties.

  6. In the right pane, locate the Ready for Use list.

  7. Move the UWCMail and UWCCalendar channels from the Ready for Use list to the Available to End Users on the Content Page list.

    1. Select UWCMail.

    2. Click Add.

      UWCMail moves to the Available to End Users on the Content Page list.

    3. Select UWCCalendar.

    4. Click Add.

      UWCCalendar moves to the Available to End Users on the Content Page list.

  8. Move the UWCMail and UWCCalendar channels from the Available to End Users on the Content Page list to the Visible on Portal Desktop list.

    1. Select UWCMail.

    2. Click Add.

      UWCMail moves to the Visible on Portal Desktop list.

    3. Select UWCCalendar.

    4. Click Add.

      UWCCalendar moves to the Visible on Portal Desktop list.

  9. Move the Mail and Calendar channels from the Visible on Portal Desktop list to the Available to End Users on the Content Page list.

    1. Select Mail.

    2. Click Remove.

      Mail moves to the Available to End Users on the Content Page list.

    3. Select Calendar.

    4. Click Remove.

      Calendar moves to the Available to End Users on the Content Page list.

  10. Move the Mail and Calendar channels from the Available to End Users on the Content Page list to the Ready For Use list.

    1. Select Mail.

    2. Click Remove.

      Mail moves to the Ready For Use list.

    3. Select Calendar.

    4. Click Remove.

      Calendar moves to the Ready For Use list.

  11. Click Save.

  12. In the right pane, click Top.

    The list of container channels is redisplayed.

  13. In the right pane, locate JSPNativeContainer channel. Click it. (Do not click Edit Properties.)

    The right pane displays the JSPNativeContainer channel properties.

  14. In the right pane, locate the Ready for Use list.

  15. Move the UWCMail and UWCCalendar channels from the Ready for Use list to the Available to End Users on the Content Page list.

    1. Select UWCMail.

    2. Click Add.

      UWCMail moves to the Available to End Users on the Content Page list.

    3. Select UWCCalendar.

    4. Click Add.

      UWCCalendar moves to the Available to End Users on the Content Page list.

  16. Move the UWCMail and UWCCalendar channels from the Available to End Users on the Content Page list to the Visible on Portal Desktop list.

    1. Select UWCMail.

    2. Click Add.

      UWCMail moves to the Visible on Portal Desktop list.

    3. Select UWCCalendar.

    4. Click Add.

      UWCCalendar moves to the Visible on Portal Desktop list.

  17. Move the Mail and Calendar channels from the Visible on Portal Desktop list to the Available to End Users on the Content Page list.

    1. Select Mail.

    2. Click Remove.

      Mail moves to the Available to End Users on the Content Page list.

    3. Select Calendar.

    4. Click Remove.

      Calendar moves to the Available to End Users on the Content Page list.

  18. Move the Mail and Calendar channels from the Available to End Users on the Content Page list to the Ready For Use list.

    1. Select Mail.

    2. Click Remove.

      Mail moves to the Ready For Use list.

    3. Select Calendar.

    4. Click Remove.

      Calendar moves to the Ready For Use list.

  19. Click Save.

  20. In the right pane, click Top.

    The list of container channels is redisplayed.

  21. In the right pane, locate JSPRenderingContainer channel. Click it. (Do not click Edit Properties.)

    The right pane displays the JSPRenderingContainer channel properties.

  22. In the right pane, locate the Ready for Use list.

  23. Move the UWCMail and UWCCalendar channels from the Ready for Use list to the Available to End Users on the Content Page list.

    1. Select UWCMail.

    2. Click Add.

      UWCMail moves to the Available to End Users on the Content Page list.

    3. Select UWCCalendar.

    4. Click Add.

      UWCCalendar moves to the Available to End Users on the Content Page list.

  24. Move the UWCMail and UWCCalendar channels from the Available to End Users on the Content Page list to the Visible on Portal Desktop list.

    1. Select UWCMail.

    2. Click Add.

      UWCMail moves to the Visible on Portal Desktop list.

    3. Select UWCCalendar.

    4. Click Add.

      UWCCalendar moves to the Visible on Portal Desktop list.

  25. Move the Mail and Calendar channels from the Visible on Portal Desktop list to the Available to End Users on the Content Page list.

    1. Select Mail.

    2. Click Remove.

      Mail moves to the Available to End Users on the Content Page list.

    3. Select Calendar.

    4. Click Remove.

      Calendar moves to the Available to End Users on the Content Page list.

  26. Move the Mail and Calendar channels from the Available to End Users on the Content Page list to the Ready For Use list.

    1. Select Mail.

    2. Click Remove.

      Mail moves to the Ready For Use list.

    3. Select Calendar.

    4. Click Remove.

      Calendar moves to the Ready For Use list.

  27. Click Save.

  28. Click Logout in the upper right corner of the window.

Procedure: To Configure Messaging Server for Proxy Authentication

To configure Messaging Server for proxy authentication, you run configuration commands in the command line.

Steps
  1. Change directory to the Messaging Server directory:


    cd /opt/SUNWmsgsr/sbin
  2. Run the command to configure Messaging Server:


    ./configutil -o store.admins -v admin

    This command permits the admin user ID to manage the Messaging Server message store and access the user mailboxes. Because an account listed in store.admins can open any user's mailbox, treat the admin password stored in the SUN-ONE-MAIL and SUN-UWC-MAIL adapter templates as a mail administrator credential, not as a throwaway evaluation value.

  3. Run the command to switch to the Messaging Server user (mailsrv):


    su mailsrv
  4. Run the command to configure Messaging Server:


    ./configutil -o service.http.allowadminproxy -v yes

    This command permits Messaging Server to authenticate proxy accounts.

  5. Run the command to return to your previous user account:


    exit
  6. Run the command to stop Messaging Server.


    ./stop-msg
  7. Run the command to restart Messaging Server.


    ./start-msg

    The startup process displays a series of startup messages. The startup process might take a few moments. When startup is complete, the following message is displayed:


    starting job-controller server

    You have configured Messaging Server to accept proxy authentication.
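
An added check, not part of the Sun documentation, that covers both Messaging Server procedures in this chapter (the SSO settings in "To Configure Messaging Server for SSO" and the store.admins and allowadminproxy settings in this procedure): a Python audit of a configutil dump that confirms the required SSO values are in place and flags the settings a production deployment should revisit. It assumes the dump is in option = value form; the sample dump is constructed, and the values in REQUIRED_SSO are the ones the chapter sets.

```python
from urllib.parse import urlparse

# Values the SSO procedure sets with configutil (names and values from the chapter).
REQUIRED_SSO = {
    "local.webmail.sso.uwcenabled": "1",
    "local.webmail.sso.uwcport": "80",
    "local.webmail.sso.uwccontexturi": "uwc",
    "local.webmail.sso.amcookiename": "iPlanetDirectoryPro",
    "local.webmail.sso.uwchome": "http://evaluation_host/uwc",
    "service.http.allowadminproxy": "yes",
}


def parse_configutil_dump(text):
    """Parse 'option = value' lines (assumed dump format) into a dict."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")   # split at the first '=' only
        settings[key.strip()] = value.strip().strip('"')
    return settings


def audit(settings):
    """Return (problems, warnings).  problems: required SSO options absent or
    wrong.  warnings: relaxations the evaluation makes that a production
    deployment should revisit."""
    problems = []
    for key, expected in REQUIRED_SSO.items():
        actual = settings.get(key)
        if actual != expected:
            problems.append(f"{key}: expected {expected!r}, found {actual!r}")

    warnings = []
    naming = settings.get("local.webmail.sso.amnamingurl")
    if not naming:
        problems.append("local.webmail.sso.amnamingurl: not set")
    elif urlparse(naming).scheme != "https":
        warnings.append(f"amnamingurl {naming}: session validation with Access Manager is not over https")
    if settings.get("service.http.ipsecurity", "").lower() == "no":
        warnings.append("service.http.ipsecurity=no: sessions are not bound to the client IP, "
                        "so a stolen cookie works from any host")
    admins = settings.get("store.admins", "").replace(",", " ").split()
    if admins:
        warnings.append("store.admins can read every mailbox: " + ", ".join(admins))
    return problems, warnings


def audit_text(text):
    return audit(parse_configutil_dump(text))


# Constructed sample: the evaluation host after both Messaging Server procedures.
SAMPLE_DUMP = """\
local.webmail.sso.amnamingurl = http://evaluation_host/amserver/namingservice
local.webmail.sso.uwcenabled = 1
local.webmail.sso.uwclogouturl = http://evaluation_host:80/uwc/base/UWCMain?op=logout
local.webmail.sso.uwcport = 80
local.webmail.sso.uwccontexturi = uwc
local.webmail.sso.amcookiename = iPlanetDirectoryPro
local.webmail.sso.uwchome = http://evaluation_host/uwc
service.http.allowadminproxy = yes
service.http.ipsecurity = no
store.admins = admin
"""

if __name__ == "__main__":
    problems, warnings = audit_text(SAMPLE_DUMP)
    for p in problems:
        print("PROBLEM:", p)
    for w in warnings:
        print("WARNING:", w)
```

Against the sample the audit reports no problems and three warnings (cleartext naming URL, ipsecurity off, and the admin account in store.admins); the first two go away once the naming URL is https and ipsecurity is yes, while the store.admins warning remains as a reminder of what the proxy account can reach.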

Procedure: To Configure Calendar Server for Proxy Authentication

To configure Calendar Server to accept proxy authentication, you edit the Calendar Server configuration file with a text editor. You also run configuration commands in the command line.

Steps
  1. Change directory to the Calendar Server directory:


    cd /etc/opt/SUNWics5/config
  2. Open the ics.conf file in a text editor.

    Find each of the following properties and make the changes described. In some cases this means changing the value and uncommenting the line. In other cases, it simply means uncommenting the line.

    1. Locate the service.http.allowadminproxy property. Make sure it is uncommented. Make sure its value is set to yes:

      service.http.allowadminproxy="yes"

    2. Locate the service.admin.calmaster.cred property. Make sure it is uncommented. Make sure its value is set to password:

      service.admin.calmaster.cred="password"

      This stores the calmaster password in clear text in ics.conf, so restrict the file's permissions accordingly.

    3. Locate the service.admin.calmaster.userid property. Make sure it is uncommented. Make sure its value is set to calmaster:

      service.admin.calmaster.userid="calmaster"

    4. Save and close the ics.conf file.

  3. Change directory to the Calendar Server directory.


    cd /opt/SUNWics5/cal/sbin
  4. Run the command to stop Calendar Server.


    ./stop-cal
  5. Run the command to restart Calendar Server.


    ./start-cal

    The startup process displays a series of startup messages. The startup process might take a few moments. When startup is complete, the following message is displayed:


    Calendar services were started.

    You have configured Calendar Server for proxy authentication.
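
An added example, not from the Sun documentation, that scripts the ics.conf edits from both Calendar Server procedures in this chapter (the twelve SSO edits in "To Configure Calendar Server for SSO" and the three proxy authentication edits above) so that they can be applied and verified repeatably instead of by hand. It assumes ics.conf lines have the form name = "value" with a leading ! marking a commented-out line; the excerpt in SAMPLE_ICS_CONF is constructed, and apply_to_file writes a .bak copy before touching the real file.

```python
import re
import shutil

# One ics.conf setting line, optionally commented out with a leading '!'
# (assumed format:  name = "value").
LINE_RE = re.compile(r'^(?P<comment>!\s*)?(?P<name>[A-Za-z0-9_.]+)\s*=\s*(?P<value>.*?)\s*$')

# Edits from both Calendar Server procedures.  None means: uncomment the
# line but keep whatever value it already has.
EDITS = {
    "service.http.allowadminproxy": "yes",
    "local.calendar.sso.amnamingurl": "http://evaluation_host:80/amserver/namingservice",
    "local.calendar.sso.singlesignoff": None,
    "local.calendar.sso.amcookiename": None,
    "local.calendar.sso.logname": None,
    "service.calendarsearch.ldap": "no",
    "service.http.ipsecurity": "no",
    "caldb.serveralarms.url": None,
    "caldb.serveralarms.contenttype": "text/calendar",
    "service.admin.calmaster.userid": "calmaster",
    "service.admin.calmaster.cred": "password",
}
# Values the SSO procedure says to confirm rather than change.
CONFIRM = {
    "caldb.serveralarms": "1",
    "caldb.serveralarms.dispatch": "yes",
    "caldb.serveralarms.dispatchtype": "ens",
    "caldb.serveralarms.url": "enp:///ics/customalarm",
}

def apply_edits(text, edits):
    """Return (new_text, report).  Every line for an edited parameter is uncommented
    and, when a value is given, set; absent parameters are appended or reported missing."""
    seen, out, report = set(), [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("name") not in edits:
            out.append(line)
            continue
        name, old = m.group("name"), m.group("value").strip('"')
        new = old if edits[name] is None else edits[name]
        out.append(f'{name} = "{new}"')
        report[name] = "changed" if old != new else ("uncommented" if m.group("comment") else "kept")
        seen.add(name)
    for name, value in edits.items():
        if name not in seen:
            report[name] = "missing" if value is None else "appended"
            if value is not None:
                out.append(f'{name} = "{value}"')
    return "\n".join(out) + "\n", report

def active_settings(text):
    """Parameters that are in effect (not commented out), as a dict."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and not m.group("comment"):
            found[m.group("name")] = m.group("value").strip('"')
    return found

def verify(text, expected):
    """Names whose active value differs from what the chapter expects."""
    active = active_settings(text)
    return [name for name, value in expected.items() if active.get(name) != value]

def apply_to_file(path, edits=EDITS):
    """Back up ics.conf next to itself, rewrite it in place, return the report."""
    shutil.copy2(path, path + ".bak")
    with open(path) as fh:
        text = fh.read()
    new_text, report = apply_edits(text, edits)
    with open(path, "w") as fh:
        fh.write(new_text)
    return report

# Constructed excerpt of an unedited ics.conf, not the real file.
SAMPLE_ICS_CONF = """\
service.http.allowadminproxy = "no"
! local.calendar.sso.amnamingurl = "http://hostname:port/amserver/namingservice"
! local.calendar.sso.singlesignoff = "yes"
! local.calendar.sso.amcookiename = "iPlanetDirectoryPro"
! local.calendar.sso.logname = "am_sso.log"
service.calendarsearch.ldap = "yes"
! service.http.ipsecurity = "yes"
caldb.serveralarms = "1"
caldb.serveralarms.dispatch = "yes"
! caldb.serveralarms.url = "enp:///ics/customalarm"
! caldb.serveralarms.contenttype = "text/xml"
caldb.serveralarms.dispatchtype = "ens"
service.admin.calmaster.userid = "calmaster"
! service.admin.calmaster.cred = ""
"""

if __name__ == "__main__":
    new_text, report = apply_edits(SAMPLE_ICS_CONF, EDITS)
    for name, action in report.items():
        print(f"{action:12} {name}")
    print("confirm mismatches after edit:", verify(new_text, CONFIRM))
```

Running apply_edits a second time on its own output reports every parameter as kept, so the script is safe to re-run; verify(text, CONFIRM) before the edit reports caldb.serveralarms.url because that line is still commented out in the sample, and reports nothing afterwards.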

Using the Portal Desktop with Proxy Authentication

In this section, you log in to the portal desktop and use proxy authentication to open the Messenger Express and Calendar Express interfaces directly from the portal desktop.

Procedure: To Use the Proxy Authentication Feature

Steps
  1. In your web browser, open this URL:


    http://evaluation_host/portal/dt

    The sample portal desktop is displayed.

  2. Use the Member Login fields to log in. Type the following values:

    • User Name: TestUser

    • Password: password

    Click Login. The portal desktop calendar and mail channels display mail and calendar information for TestUser. You see a display similar to Figure 8–3.

    Figure 8–3 Portal Desktop Showing Mail and Calendar Channels

    Section of the portal desktop showing Test User's summary mail and calendar information, as described in the text.

  3. Notice that the calendar and mail channels now display information.

  4. Click Launch Calendar.

    The Calendar Express main window is displayed. This verifies that proxy authentication is configured correctly for Calendar Server.

  5. Click Launch Mail.

    The Messenger Express main window is displayed. This verifies that proxy authentication is configured correctly for Messaging Server.

  6. Click Log out.

    You have completed the evaluation scenario. You can continue to explore other features of your evaluation deployment.

Uninstalling the Components

After you complete your evaluation, you can use the Java Enterprise System uninstaller to remove the components that you installed. You can find the uninstaller in /var/sadm/prod/entsys.

Procedure: To Uninstall the Java Enterprise System Components

Steps
  1. Change directory to the uninstaller directory:


    cd /var/sadm/prod/entsys
  2. Run the command that starts the uninstaller:


    ./uninstall
  3. Answer the uninstaller prompts to specify the components to be uninstalled.

    Complete instructions for using the uninstaller are contained in Java Enterprise System Installation Guide, which you can find online at http://download.oracle.com/817-5760.