Sun OpenSSO Enterprise 8.0 Update 1 Release Notes

Chapter 5 Deploying IBM WebSphere Application Server 7.0 as the OpenSSO Enterprise 8.0 Update 1 Web Container

WebSphere Application Server 7.0 is supported on Solaris, Linux, Windows, and IBM AIX 5.3 systems.

Before Deploying OpenSSO on WebSphere Application Server 7.0

Complete the following steps:

  1. Add genericJvmArguments and Security Permissions

  2. Run the JSP compiler

Before making changes to any file described in this chapter, it is a good practice to stop the web container and make a backup of the file.

Add GenericJvmArguments and Security Permissions

Add the genericJvmArguments using the WebSphere Admin Console or by editing the server.xml file:

  1. Open the following file:

    install_root/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/<cellName>/nodes/<nodeName>/servers/server/server.xml

  2. Find the jvmEntries element.

  3. Add the following JVM options to genericJvmArguments in server.xml and save the file:


     genericJvmArguments="-Djava.awt.headless=true -DamCryptoDescriptor.provider=IBMJCE
      -DamKeyGenDescriptor.provider=IBMJCE -Djavax.management.builder.initial=
      -Dcom.sun.management.jmxremote"
  4. If the Java Security Manager is enabled, add the following security permissions to the server.policy file, and then save the file:


    grant {
    permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
    permission java.util.PropertyPermission "java.util.logging.config.class", "write";
    permission java.security.SecurityPermission "removeProvider.SUN";
    permission java.security.SecurityPermission "insertProvider.SUN";
    permission javax.security.auth.AuthPermission "doAs";
    permission java.util.PropertyPermission "java.security.krb5.realm", "write";
    permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
    permission java.util.PropertyPermission "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission "user.language", "write";
    permission javax.security.auth.kerberos.ServicePermission "*", "accept";
    permission javax.net.ssl.SSLPermission "setHostnameVerifier";
    permission java.security.SecurityPermission "putProviderProperty.IAIK";
    permission java.security.SecurityPermission "removeProvider.IAIK";
    permission java.security.SecurityPermission "insertProvider.IAIK";
    permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
    permission javax.management.MBeanServerPermission "newMBeanServer";
    permission javax.management.MBeanPermission "*", "registerMBean";
    permission java.lang.RuntimePermission "createClassLoader";
    permission javax.security.auth.AuthPermission "getSubject";
    permission javax.management.MBeanTrustPermission "register";
    permission java.lang.management.ManagementPermission "monitor";
    permission javax.management.MBeanPermission "*", "queryMBeans";
    permission javax.management.MBeanServerPermission "createMBeanServer";
    permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
    permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
    permission java.lang.RuntimePermission "setContextClassLoader";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "setIO";
    permission java.lang.RuntimePermission "modifyThread";
    permission java.lang.RuntimePermission "stopThread";
    permission java.lang.RuntimePermission "getProtectionDomain";
    permission java.lang.RuntimePermission "readFileDescriptor";
    permission java.lang.RuntimePermission "writeFileDescriptor";
    permission java.lang.RuntimePermission "loadLibrary.*";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.lang.RuntimePermission "defineClassInPackage.*";
    permission java.lang.RuntimePermission "accessDeclaredMembers";
    permission java.lang.RuntimePermission "queuePrintJob";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
    permission java.util.PropertyPermission "*", "read,write";
    permission com.ibm.oti.shared.SharedClassPermission "*", "read,write";
    permission com.ibm.websphere.security.WebSphereRuntimePermission "getSSLConfig", "read,write,execute,delete";
    permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
    permission javax.management.MBeanPermission "*", "isInstanceOf";
    permission javax.management.MBeanPermission "*", "getAttribute";
    permission java.net.NetPermission "getProxySelector";
    };
  5. Restart WebSphere Application Server 7.0.
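A pre-flight check for step 3, added here as an example (not part of the release notes): it reads genericJvmArguments from the jvmEntries element of a server.xml and reports required options that are absent or set to another value, such as a crypto provider other than IBMJCE. The server.xml fragment is constructed for the example; real files carry many more elements.

```python
"""Check that server.xml carries the JVM options OpenSSO needs on WebSphere."""
import xml.etree.ElementTree as ET

# The JVM options the release notes require.
REQUIRED_JVM_ARGS = (
    "-Djava.awt.headless=true",
    "-DamCryptoDescriptor.provider=IBMJCE",
    "-DamKeyGenDescriptor.provider=IBMJCE",
    "-Djavax.management.builder.initial=",
    "-Dcom.sun.management.jmxremote",
)

# Constructed sample: two options correct, one wrong provider, two missing.
SAMPLE_SERVER_XML = """<process:Server xmi:version="2.0"
    xmlns:xmi="http://www.omg.org/XMI"
    xmlns:process="http://www.ibm.com/websphere/appserver/schemas/5.0/process.xmi"
    name="server1">
  <processDefinitions>
    <jvmEntries genericJvmArguments="-Djava.awt.headless=true -DamCryptoDescriptor.provider=IBMJCE -DamKeyGenDescriptor.provider=SUN"/>
  </processDefinitions>
</process:Server>"""


def jvm_arguments(server_xml_text):
    """Return the whitespace-separated tokens of genericJvmArguments."""
    root = ET.fromstring(server_xml_text)
    entry = next(root.iter("jvmEntries"), None)
    if entry is None:
        raise ValueError("server.xml has no jvmEntries element")
    return entry.get("genericJvmArguments", "").split()


def _split_option(token):
    # "-Dkey=value" -> ("-Dkey", "value"); a bare flag keeps value None.
    key, sep, value = token.partition("=")
    return key, (value if sep else None)


def check_jvm_arguments(server_xml_text):
    """Return (missing, conflicting): required options that are absent, and
    options whose key is present but whose value differs from the required one."""
    present = dict(_split_option(t) for t in jvm_arguments(server_xml_text))
    missing, conflicting = [], []
    for required in REQUIRED_JVM_ARGS:
        key, value = _split_option(required)
        if key not in present:
            missing.append(required)
        elif present[key] != value:
            conflicting.append(f"{key}={present[key]}")
    return missing, conflicting


if __name__ == "__main__":
    missing, conflicting = check_jvm_arguments(SAMPLE_SERVER_XML)
    print("missing:    ", missing)
    print("conflicting:", conflicting)
```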

Using the ssoadm and ampassword Utilities with the IBM JDK

After deploying OpenSSO on WebSphere Application Server 7.0, you can use the setup script in ssoAdminTools.zip to install the utilities and scripts. For information, see Chapter 3, Installing the OpenSSO Enterprise 8.0 Update 1 Admin Tools.

  1. Before you run the setup script to install the utilities and scripts, modify the setup script. Before -cp... in the last line, insert:


    -D"amCryptoDescriptor.provider=IBMJCE"
    -D"amKeyGenDescriptor.provider=IBMJCE"
  2. Before you run ssoadm, add the following items to the ssoadm script:

    1. Add xalan.jar to the classpath after openfedlib.jar. For example:


      $<TOOLS_HOME>/lib/xalan.jar
    2. Add the following items before com.sun.identity.cli.CommandManager and com.sun.identity.tools.bundles.Main:


      -D"amKeyGenDescriptor.provider=IBMJCE"
      -D"amCryptoDescriptor.provider=IBMJCE"
  3. Before you run ampassword, add the following items to the ampassword script before com.iplanet.services.ldap.ServerConfigMgr and com.sun.identity.tools.bundles.Main:


    -D"amCryptoDescriptor.provider=IBMJCE"
    -D"amKeyGenDescriptor.provider=IBMJCE"
  4. If the OpenSSO server is SSL-enabled, then you must add the IBM JAR files and set -D options in the ssoadm script.

    1. Add the following IBM JAR files:


      <WAS_HOME>/deploytool/itp/plugins/com.ibm.ast.ws.v7.jaxrpc.jee5_1.0.0.v200808141532/lib/emfworkbench.jar
      <WAS_HOME>/deploytool/itp/plugins/com.ibm.websphere.v7_7.0.0.v20080817/wasJars/bootstrap.jar
      <WAS_HOME>/deploytool/itp/plugins/com.ibm.websphere.v7_7.0.0.v20080817/wasJars/wsexception.jar
      <WAS_HOME>/dev/was_public.jar
      <WAS_HOME>/deploytool/itp/plugins/com.ibm.websphere.v7_7.0.0.v20080817/wasJars/ras.jar
      <WAS_HOME>/runtimes/com.ibm.jaxws.thinclient_7.0.0.jar
    2. Set the following -D options:


      -D"java.protocol.handler.pkgs=com.ibm.net.ssl.www.protocol"
      -D"javax.net.ssl.trustStoreType=<storeType>"
      -D"javax.net.ssl.trustStore=<trustStore_with_path>"
      -D"javax.net.ssl.trustStorePassword=<password>"
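The script edits in steps 1 to 3 above, as an added example that is not part of the release notes or of ssoAdminTools.zip: a small helper that inserts the two IBMJCE -D options in front of a marker (the -cp option in setup, or the main class in ssoadm and ampassword) and leaves lines that already carry them untouched, so it can be re-run safely. The script text it works on is constructed for the example.

```python
"""Insert the IBMJCE -D options into the OpenSSO admin tool scripts."""

IBMJCE_OPTIONS = (
    '-D"amCryptoDescriptor.provider=IBMJCE"',
    '-D"amKeyGenDescriptor.provider=IBMJCE"',
)


def add_options_before(script_text, marker, options=IBMJCE_OPTIONS):
    """Return script_text with every option not yet on the line inserted just
    before the first occurrence of `marker` on each line that contains it.
    Lines that already carry all options are left alone (idempotent)."""
    out = []
    for line in script_text.splitlines(keepends=True):
        if marker in line:
            missing = [opt for opt in options if opt not in line]
            if missing:
                head, _, tail = line.partition(marker)
                line = f"{head}{' '.join(missing)} {marker}{tail}"
        out.append(line)
    return "".join(out)


# Constructed stand-in for the java invocation in the ssoadm script; the
# real script generated by ssoAdminTools.zip differs in detail.
SAMPLE_SSOADM = (
    '#!/bin/sh\n'
    'TOOLS_HOME="`pwd`"\n'
    'CLASSPATH="$TOOLS_HOME/lib/openfedlib.jar:$TOOLS_HOME/lib/xalan.jar"\n'
    'java -cp "$CLASSPATH" com.sun.identity.cli.CommandManager "$@"\n'
)


def patched_ssoadm():
    """Apply the ssoadm edit: options go before the CommandManager class."""
    return add_options_before(SAMPLE_SSOADM, "com.sun.identity.cli.CommandManager")


if __name__ == "__main__":
    print(patched_ssoadm(), end="")
```

For the setup script, call add_options_before with "-cp" as the marker; for ampassword, use "com.iplanet.services.ldap.ServerConfigMgr".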