Use the following list of procedures as a checklist for installing and configuring the Distributed Authentication User Interface 2.
To Create a Non-Root User on the Distributed Authentication User Interface 2 Host
To Install Sun Java System Web Server for Distributed Authentication User Interface 2
To Configure the WAR for Distributed Authentication User Interface 2
To Deploy the Distributed Authentication User Interface 2 WAR
To Verify that Authentication Through the Distributed Authentication User Interface 2 is Successful
Create a non-root user with the roleadd command in the Solaris Operating Environment on the Distributed Authentication User Interface (AuthenticationUI-2) host machine.
As a root user, log in to the AuthenticationUI–2 host machine.
Use roleadd to create a new user.
# roleadd -s /sbin/sh -m -g staff -d /export/da71adm da71adm
(Optional) Verify that the user was created.
# cat /etc/passwd
root:x:0:0:Super-User:/:/sbin/sh
daemon:x:1:1::/:
...
nobody4:x:65534:SunOS 4.x NFS Anonymous Access User:/:
da71adm:x:215933:10::/export/da71adm:/sbin/sh
(Optional) Verify that the user's directory was created.
# cd /export/da71adm
# ls
local.cshrc local.profile local.login
(Optional) Create a password for the non-root user.
# passwd da71adm
New Password: 6a714dm
Re-enter new Password: 6a714dm
passwd: password successfully changed for da71adm
If you do not perform this step, you will not be able to switch user (su) to this account later in these procedures.
This procedure assumes that you have just completed To Create a Non-Root User on the Distributed Authentication User Interface 2 Host.
Before beginning the installation, read the Web Server 7.0 Release Notes to determine the latest patches you might need to install.
On the AuthenticationUI–2 host machine, install required patches if necessary.
In this case, the Release Notes indicate that, for the hardware and operating system being used, patch 118855-36 and patch 119964-08 are required.
Run patchadd to see if the patches are already installed.
# patchadd -p | grep 118855-36
No results are returned, which indicates that the patch is not yet installed on the system.
# patchadd -p | grep 119964-08
No results are returned, which indicates that the patch is not yet installed on the system.
Make a directory for downloading the patches you need and change into it.
# mkdir /export/patches
# cd /export/patches
Download the patches.
You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch.
Signed patches are downloaded as JAR files. Unsigned patches are downloaded as ZIP files.
Unzip the patch files.
# unzip 118855-36.zip
# unzip 119964-08.zip
Run patchadd to install the patches.
# patchadd /export/patches/118855-36
# patchadd /export/patches/119964-08
You can use the -M option to install all patches at once. See the patchadd man page for more information.
After installation is complete, run patchadd to verify that each patch was added successfully.
# patchadd -p | grep 118855-36
In this example, a series of patch numbers is displayed, and patch 118855-36 is present.
# patchadd -p | grep 119964-08
In this example, a series of patch numbers is displayed, and patch 119964-08 is present.
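The grep checks above match one exact patch revision, so they report "not installed" when a newer revision of the same patch (which supersedes the required one) is already present. The following script is an added example, not part of the Sun guide: it parses patchadd -p output (assumed to be lines of the form "Patch: BASE-REV ...") and treats any installed revision greater than or equal to the required one as satisfying the requirement. The patch list it runs against is constructed sample output, not taken from a real host.

```shell
#!/bin/sh
# Added example: check required Solaris patches against `patchadd -p` output.
# Assumed output format (one patch per line):
#   Patch: 118855-36 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWckr
# A newer revision of the same base number satisfies the requirement.

# Constructed sample listing: 118855 is present at a newer revision (40),
# 119964 is absent, and 119963 is a near-miss distractor.
SAMPLE_PATCH_LIST='Patch: 118855-40 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWckr
Patch: 120011-14 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 119963-08 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWlibC'

# is_satisfied LISTING BASE-REV
# Exit 0 if LISTING contains BASE at revision >= REV, else exit 1.
is_satisfied() {
    base=${2%-*}
    rev=${2#*-}
    printf '%s\n' "$1" | awk -v base="$base" -v need="$rev" '
        BEGIN { best = -1 }
        $1 == "Patch:" {
            split($2, p, "-")
            if (p[1] == base && p[2] + 0 > best) best = p[2] + 0
        }
        END { exit !(best >= need + 0) }'
}

# missing_patches LISTING BASE-REV...
# Print one line per required patch that is not satisfied.
missing_patches() {
    listing=$1
    shift
    for req in "$@"; do
        is_satisfied "$listing" "$req" || echo "$req"
    done
}

# Exact-match grep misses the superseding revision 118855-40 ...
printf '%s\n' "$SAMPLE_PATCH_LIST" | grep -c 118855-36   # prints 0
# ... while the revision-aware check reports only the patch that is truly absent.
missing_patches "$SAMPLE_PATCH_LIST" 118855-36 119964-08  # prints 119964-08
# On a real host: missing_patches "$(patchadd -p)" 118855-36 119964-08
```

The revision comparison is numeric, so a required revision written with a leading zero (119964-08) compares correctly against an installed 119964-10.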
Create a directory into which you can download the Web Server bits and change into it.
# mkdir /export/WS7
# cd /export/WS7
Download the Sun Java System Web Server 7.0 software from http://www.sun.com/download/products.xml?id=45ad781d.
Follow the instructions on the Sun Microsystems Product Downloads web site for downloading the software.
Unpack the software package.
# gunzip sjsws-7_0-solaris-amd64.tar.gz
# tar xvf sjsws-7_0-solaris-amd64.tar
Run setup.
# cd /export/WS7
# ./setup --console
When prompted, respond to the setup prompts in the order shown.
Press Enter. Continue to press Enter when prompted.
Enter yes.
Enter /opt/SUNWwbsvr (the installation directory used in the rest of this guide).
Enter yes.
Enter 2.
Enter 1,3,5.
Enter 1.
Enter 1.
Enter no.
Accept the default value.
Accept the default value.
Enter no.
Enter da71adm (the non-root user created in the previous procedure).
Accept the default value.
Enter web4dmin (the administration server password; wadm prompts for it later).
Enter web4dmin.
Accept the default value.
Enter 1080 (the HTTP listener port used by the AuthenticationUI-2 instance).
Accept the default value.
Enter 1.
When installation is complete, the following message is displayed:
Installation Successful.
To verify that Web Server was installed with the non-root user, examine the permissions.
# cd /opt/SUNWwbsvr/admin-server
# ls -al
total 16
drwxr-xr-x 8 root root 512 Jul 19 10:36 .
drwxr-xr-x 11 da71adm staff 512 Jul 19 10:36 ..
drwxr-xr-x 2 root root 512 Jul 19 10:36 bin
drwx------ 2 da71adm staff 512 Jul 19 10:36 config
drwx------ 3 da71adm staff 512 Jul 19 11:09 config-store
drwx------ 3 da71adm staff 512 Jul 19 10:40 generated
drwxr-xr-x 2 da71adm staff 512 Jul 19 10:40 logs
drwx------ 2 da71adm staff 512 Jul 19 10:36 sessions
The appropriate files and directories are owned by da71adm.
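Reading an ls -al listing by eye works for one directory; the script below is an added example (not from the Sun guide) that does the same review mechanically. Given a listing and the expected runtime user, it reports entries owned by anyone else and entries that are group- or world-writable. Run over the guide's own admin-server listing it reports only bin, which is root-owned by design: the runtime user must be able to write its config, logs and sessions but should not be able to modify the server binaries. A second, constructed listing shows what a bad result looks like. The script keys on the last whitespace-separated field, so it assumes file names without spaces.

```shell
#!/bin/sh
# Added example: audit an `ls -al` listing of a Web Server directory for
# ownership and write permissions. Assumes standard Solaris/Linux ls -al
# columns (mode links owner group size month day time name) and names
# without embedded spaces.

# The admin-server listing exactly as shown in the guide.
SAMPLE_LISTING='total 16
drwxr-xr-x 8 root root 512 Jul 19 10:36 .
drwxr-xr-x 11 da71adm staff 512 Jul 19 10:36 ..
drwxr-xr-x 2 root root 512 Jul 19 10:36 bin
drwx------ 2 da71adm staff 512 Jul 19 10:36 config
drwx------ 3 da71adm staff 512 Jul 19 11:09 config-store
drwx------ 3 da71adm staff 512 Jul 19 10:40 generated
drwxr-xr-x 2 da71adm staff 512 Jul 19 10:40 logs
drwx------ 2 da71adm staff 512 Jul 19 10:36 sessions'

# A constructed listing with two problems: a world-writable config directory
# and a group-writable file owned by the wrong account.
BAD_LISTING='total 4
drwxr-xr-x 2 root root 512 Jul 19 10:36 bin
drwxrwxrwx 2 da71adm staff 512 Jul 19 10:36 config
-rw-rw-r-- 1 nobody staff 100 Jul 19 10:36 server.xml'

# foreign_owners LISTING USER
# Print the names of entries (other than . and ..) not owned by USER.
foreign_owners() {
    printf '%s\n' "$1" | awk -v user="$2" '
        NF >= 9 && $NF != "." && $NF != ".." && $3 != user { print $NF }'
}

# writable_by_others LISTING
# Print the names of entries whose group (column 6) or other (column 9)
# write bit is set in the mode string, e.g. drwxrwxrwx.
writable_by_others() {
    printf '%s\n' "$1" | awk '
        NF >= 9 && $NF != "." && $NF != ".." {
            if (substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w") print $NF
        }'
}

# audit_listing LISTING USER
# Print every finding, one per line; exit 0 only when there are none.
audit_listing() {
    findings=$( {
        foreign_owners "$1" "$2" | sed "s/^/not owned by $2: /"
        writable_by_others "$1" | sed 's/^/writable by group or others: /'
    } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Guide listing: only "bin" is reported, which is expected (root-owned binaries).
audit_listing "$SAMPLE_LISTING" da71adm
# Constructed bad listing: three findings.
audit_listing "$BAD_LISTING" da71adm
# On a real host: audit_listing "$(ls -al /opt/SUNWwbsvr/admin-server)" da71adm
```

Checking the write bits as well as the owner matters because a config directory that the runtime user owns but that is also world-writable lets any local account alter the server configuration.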
Start the Web Server administration server.
# su da71adm
# cd /opt/SUNWwbsvr/admin-server/bin
# ./startserv
To verify that the non-root user was able to start Web Server, access https://AuthenticationUI-2.example.com:8989 from a web browser.
Log out of the AuthenticationUI–2 host machine.
This procedure configures the amauthdistui.war that will be used for deployment in To Deploy the Distributed Authentication User Interface 2 WAR.
As a root user, log in to the AuthenticationUI–2 host machine.
Switch to the non-root user.
# su da71adm
Change to the directory into which you will copy amDistAuth.zip.
# cd /export/da71adm
amDistAuth.zip contains the files you need to install the Distributed Authentication User Interface. It is included in the Access Manager software downloaded in 6.2 Deploying and Configuring Access Manager 1 and Access Manager 2.
Copy amDistAuth.zip from the AccessManager–1 host machine.
# cd /export/da71adm
# ftp AccessManager-1.example.com
Connected to AccessManager-1.example.com
220 AccessManager-1.example.com FTP server ready.
Name (AccessManager-1.example.com:username): username
Password: ********
...
Using binary mode to transfer files
ftp> cd /export/AM71/applications
CWD command successful
ftp> mget amDistAuth.zip
mget amDistAuth.zip? y
200 PORT command successful
ftp> bye
List the contents of /export/da71adm to verify that amDistAuth.zip was transferred and is owned by the non-root user.
# ls -al
total 26496
drwxr-xr-x 5 da71adm staff 512 Jul 19 20:59 .
drwxr-xr-x 7 root sys 512 Jul 20 10:13 ..
-rw-r--r-- 1 da71adm staff 144 Jul 19 19:53 .profile
drwx------ 3 da71adm staff 512 Jul 19 20:41 .sunw
-rw-r--r-- 1 da71adm staff 6747654 Jul 19 20:43 amDistAuth.zip
Unzip amDistAuth.zip.
# unzip amDistAuth.zip
List the contents again to verify the unzip.
# ls -al
total 26496
drwxr-xr-x 5 da71adm staff 512 Jul 19 20:59 .
drwxr-xr-x 7 root sys 512 Jul 20 10:13 ..
-rw-r--r-- 1 da71adm staff 144 Jul 19 19:53 .profile
drwx------ 3 da71adm staff 512 Jul 19 20:41 .sunw
-rw-r--r-- 1 da71adm staff 572 Jul 19 20:59 .wadmtruststore
-rw-r--r-- 1 da71adm staff 6772566 Jul 19 20:56 amauthdistui.war
-rw-r--r-- 1 da71adm staff 6747654 Jul 19 20:43 amDistAuth.zip
drwxr-xr-x 2 da71adm staff 512 Jul 19 20:52 lib
-rw-r--r-- 1 da71adm staff 136 Jul 19 19:53 local.cshrc
-rw-r--r-- 1 da71adm staff 157 Jul 19 19:53 local.login
-rw-r--r-- 1 da71adm staff 174 Jul 19 19:53 local.profile
-rw-r--r-- 1 da71adm staff 10038 Mar 19 15:33 README.distAuthUI
-rw-r--r-- 1 da71adm staff 1865 Mar 19 15:31 setup.bat
-rw-r--r-- 1 da71adm staff 1865 Mar 19 15:31 setup.sh
drwxr-xr-x 3 da71adm staff 512 Jun 25 20:13 WEB-INF
Change permissions on setup.sh, the Distributed Authentication User Interface configuration script.
# chmod +x setup.sh
This gives the non-root user permission to run the script that configures the Distributed Authentication User Interface WAR for its deployment.
Run setup.sh.
# ./setup.sh
If using a shell other than sh, you must modify the setup script before running it.
Open setup.sh in a text editor.
Add #!/bin/sh as the first line of the file.
Save and close the file.
Run the script.
Provide the following information, in the order the script prompts for it.
Enter /tmp/distAuth
Enter authuiadmin
Enter 4uthu14dmin
Enter http
Enter LoadBalancer-3.example.com (the Access Manager load balancer)
Enter 7070
Enter amserver
Press Enter to accept the default value.
Enter http
Enter AuthenticationUI-2.example.com (this host)
Enter 1080
Enter distAuth (the URI under which the WAR is deployed in the next procedure)
Press Enter to accept the default value.
After running the script, amauthdistui.war is updated with the above values. The next step is To Deploy the Distributed Authentication User Interface 2 WAR.
This procedure assumes you just completed To Configure the WAR for Distributed Authentication User Interface 2 and are still logged into the AuthenticationUI–2 host machine as the non-root user.
Start the Web Server administration server.
# cd /opt/SUNWwbsvr/admin-server/bin
# ./startserv
Add the Distributed Authentication User Interface WAR.
# cd /opt/SUNWwbsvr/bin
# ./wadm add-webapp --user=admin --host=AuthenticationUI-2.example.com --port=8989 --config=AuthenticationUI-2.example.com --vs=AuthenticationUI-2.example.com --uri=/distAuth /export/da71adm/amauthdistui.war
Please enter admin-user-password: web4dmin
...
Do you trust the above certificate? [y|n] y
CLI201 Command 'add-webapp' ran successfully
Deploy the Distributed Authentication User Interface WAR.
# ./wadm deploy-config --user=admin --host=AuthenticationUI-2.example.com --port=8989 AuthenticationUI-2.example.com
Please enter admin-user-password: web4dmin
CLI201 Command 'deploy-config' ran successfully
Restart the Web Server AuthenticationUI-2 instance.
# cd /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com/bin
# ./stopserv; ./startserv
Verify that the distAuth web module is loaded.
# cd /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com/web-app/AuthenticationUI-2.example.com
# ls -al
total 6
drwxr-xr-x 3 da71adm staff 512 Jul 19 21:00 .
drwxr-xr-x 3 da71adm staff 512 Jul 19 21:00 ..
drwxr-xr-x 8 da71adm staff 512 Jul 19 21:00 distAuth
Log out of the AuthenticationUI–2 host machine.
Import a Certificate Authority (CA) root certificate that enables the Distributed Authentication User Interface to trust the SSL certificate from the Access Manager Load Balancer 3, and establish trust with the certificate chain that is formed from the CA to the certificate.
As a root user, log in to the AuthenticationUI–2 host machine.
Copy the CA root certificate into a directory.
Use the same root certificate installed in To Import a Certificate Authority Root Certificate on the Access Manager Load Balancer. In this example, the file is /export/software/ca.cer.
Import the CA root certificate into the Java keystore.
# /opt/SUNWwbsvr/jdk/jre/bin/keytool -import -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass password
Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
Serial number: 97dba0aa26db6386
Valid from: Tue Apr 18 07:66:19 PDT 2006 until: Tue Jan 13 06:55:19 PST 2009
Certificate fingerprints:
MD5: 9f:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06
SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:26:64:36:80:E4:70
Trust this certificate: [no] yes
Certificate was added to keystore.
Verify that the CA root certificate was imported into the keystore.
# /opt/SUNWwbsvr/jdk/jre/bin/keytool -list -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass password | grep -i open
openssltestca, Nov 8, 2006, trustedCertEntry
Restart the Web Server AuthenticationUI-2 instance.
# cd /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com/bin
# ./stopserv
server has been shutdown
# ./startserv
Sun Java System Web Server 7.0 B12/04/2006 07:59
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_09] from [Sun Microsystems Inc.]
info: WEB0100: Loading web module in virtual server [AuthenticationUI-2.example.com] at [/distAuth]
info: HTTP3072: http-listener-1: http://AuthenticationUI-2.example.com:1080 ready to accept requests
info: CORE3274: successful server startup
Log out of the AuthenticationUI–2 host machine.
Find a host that has direct network connectivity to Distributed Authentication User Interface 2 and the external facing load balancer of the Access Manager servers. One natural place is the AuthenticationUI–2 host machine itself.
As a root user, log in to the AuthenticationUI-2 host machine.
Modify AMConfig.properties.
Change to the classes directory.
# cd /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com/web-app/AuthenticationUI-2.example.com/distAuth/WEB-INF/classes
Back up AMConfig.properties before you modify it.
Set the values of the properties as follows.
com.iplanet.am.naming.url=https://LoadBalancer-3.example.com:9443/amserver/namingservice
com.iplanet.am.server.protocol=https
com.iplanet.am.server.port=9443
Save the file and close it.
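These three properties must agree with each other: the naming URL's scheme and port have to match com.iplanet.am.server.protocol and com.iplanet.am.server.port, and the naming service should be reached over https, since this step is what moves the Distributed Authentication User Interface from the plain-http load balancer port used by setup.sh to the SSL port whose CA certificate was imported above. The script below is an added example, not part of the Sun guide: it reads the three values from a properties text and reports any disagreement. The properties it checks are constructed from the values in this step; the "bad" variant mixes the old http port with the new https settings.

```shell
#!/bin/sh
# Added example: consistency check for the AMConfig.properties values set in
# this step. Assumes plain key=value lines (as written in the guide); lines
# beginning with # are ignored.

# Constructed from the values the guide sets in this step.
SAMPLE_PROPS='# naming and server settings for the Distributed Authentication UI
com.iplanet.am.naming.url=https://LoadBalancer-3.example.com:9443/amserver/namingservice
com.iplanet.am.server.protocol=https
com.iplanet.am.server.port=9443'

# Constructed mistake: naming URL still points at the http port from setup.sh.
BAD_PROPS='com.iplanet.am.naming.url=http://LoadBalancer-3.example.com:7070/amserver/namingservice
com.iplanet.am.server.protocol=https
com.iplanet.am.server.port=9443'

# prop PROPS KEY -> print the value of KEY (first match), trimmed.
prop() {
    printf '%s\n' "$1" | awk -v key="$2" -F= '
        /^[ \t]*#/ { next }
        $1 == key { sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t\r]+$/, ""); print; exit }'
}

# check_naming_config PROPS
# Print one finding per line; exit 0 only when the three values agree and
# the naming service is reached over https.
check_naming_config() {
    url=$(prop "$1" com.iplanet.am.naming.url)
    proto=$(prop "$1" com.iplanet.am.server.protocol)
    port=$(prop "$1" com.iplanet.am.server.port)
    rc=0

    url_proto=${url%%://*}                  # scheme
    hostport=${url#*://}; hostport=${hostport%%/*}
    url_port=${hostport##*:}                # port, if one is given
    [ "$url_port" = "$hostport" ] && url_port=""   # no explicit port in URL

    if [ "$url_proto" != "https" ]; then
        echo "naming URL is not https: $url"; rc=1
    fi
    if [ "$url_proto" != "$proto" ]; then
        echo "server.protocol ($proto) does not match naming URL scheme ($url_proto)"; rc=1
    fi
    if [ "$url_port" != "$port" ]; then
        echo "server.port ($port) does not match naming URL port (${url_port:-none})"; rc=1
    fi
    case $url in
        */amserver/namingservice) ;;
        *) echo "naming URL does not end in /amserver/namingservice: $url"; rc=1 ;;
    esac
    return $rc
}

check_naming_config "$SAMPLE_PROPS" && echo "naming configuration consistent"
check_naming_config "$BAD_PROPS"    # prints three findings
# On the host: check_naming_config "$(cat AMConfig.properties)"
```

The port check reports "none" when the naming URL carries no explicit port; the guide always writes the port, so treat a missing one as a finding rather than assuming a scheme default.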
Restart the Web Server AuthenticationUI-2 instance.
# cd /opt/SUNWwbsvr/https-AuthenticationUI-2.example.com/bin
# ./stopserv; ./startserv
Access http://AuthenticationUI-2.example.com:1080/distAuth/UI/Login?goto=http://LoadBalancer-3.example.com:7070 from a web browser.
Log in to the Access Manager console as the administrator.
User Name: amadmin
Password: 4m4dmin1
After successful authentication, you should be redirected to the index page for the Web Server in which Access Manager is deployed.
Log out of the Access Manager console.