Previous Contents Index Next |
iPlanet Directory Server Access Management Edition Installation and Configuration Guide |
Chapter 6 Basic Configurations
This chapter describes configurations typically implemented when you initially deploy iPlanet Directory Server Access Management Edition (DSAME).Topics in this chapter include:
Installing the Cross-Domain Single Sign-On Component
Installing Multiple DSAME Instances Against the Same Directory Server
Installing the Cross-Domain Single Sign-On Component
The cross-domain single sign-on feature makes it possible for users to authenticate in one domain, and then to use applications in many other domains without having to re-authenticate. Two major components are added to DSAME to implement cross-domain single sign-on:
Cross-Domain Controller. The controller is responsible for redirecting a request to the authentication service if no Single Sign-On (SSO) information exists, or for redirecting the request to the CDSSO Component with SSO information appended to the query string. The controller is automatically installed when you install DSAME services. The default URL for the controller is http://DSAME_host:DSAME_port/URI/cdcservlet
Cross-Domain Single Sign-On (CDSSO) Component. The CDSSO component is primarily responsible for handling cookie setting for the domain in which cross-domain single sign-on is deployed. The CDSSO component is installed separately on all participating DNS domains.
Installation Overview
To enable cross-domain single sign-on, you must follow this sequence:
Install DSAME Services.
Install the CDSSO component on all participating DNS domains.
- Follow the instructions in Chapter 4 "Simple Installations With No Existing Directory Server" or in Chapter 5 "Using an Existing Directory Server" as appropriate for your needs.
Configure the CDSSO component installed on each participating DNS domain.
- DSAME Services and a remote Web Server must already be installed and running. See "To Install the CDSSO Component" in this chapter".
(Optional) Configure DSAME web agents to work with the CDSSO component.
- See "To Configure the CDSSO Component".
- See "To Configure DSAME Web Agents to Work With the CDSSO Component".
To Install the CDSSO Component
DSAME Services and a remote Web Server must already be installed and running. You must have root permissions when you run the DSAME installation program. Be sure all web browsers are closed before starting the installation program.
Run the aminstall program. On the product CD, you'll find the program in the directory /cdrom/DSAME_51. If you've downloaded the product binaries, you'll find the program in the directory where you untarred the binary files.
Read the License Agreement. When prompted, Do you agree to the license terms? Enter y for Yes.
- At the command line, enter aminstall
- The aminstall command accepts the -v [verbose] option. The verbose option gives brief progress messages as the actions of the install program take place. Otherwise, installation messages are written to log files in the following directory:
- /var/opt/SUNWam/install
When the following message displays, enter 4.
Provide the following information when prompted:
When the following message displays, enter 5 to exit the installation program:
- DSAME Policy and Management Services have been detected on this host. Do you want to install the Cross-domain SSO as part of these Services? Enter y for Yes to install the CDSSO as part of the DSAME Services.
- What is the deployment URI prefix for the DSAME Cross Domain SSO? Enter a URI prefix that indicates where HTML pages associated with the CDSSO component will be located and also where to look for other web application specific information like classes and jars. The default is /amcdsso.
- Are all settings correct? Enter y for Yes.
To Configure the CDSSO Component
Edit AMConfig.properties file of the installed CDSSO component, which is found in the DSAME_root/SUNWam/web-apps/cdsso/WEB-INF/lib directory.
Edit CDSSO.properties file of the installed CDSSO component, which is found in the DSAME_root/SUNWam/web-apps/cdsso/WEB-INF/classes directory.
- Set the com.iplanet.services.cdsso.CDCURL property to the URL of the cross-domain controller service running on the DSAME services. For example:
- com.iplanet.services.cdsso.CDCURL = http(s)://DSAME_host:DSAME_port/services/cdcservlet
- Set com.iplanet.services.cdsso.cookieDomain property to the domain name which hosts the CDSSO component. For example:
- com.iplanet.services.cdsso.cookieDomain = .sales.com
- where the CDSSO component is hosted in sales.com domain.
- The com.iplanet.services.cdsso.cookieDomain property specifies the list of domain names on which CDSSO component is running for which the cookie is set. If the property field is left blank, the cookie domain is assumed to be the hosting domain of CDSSO component. Make sure that all the cookie domains are separated with coma (,).
To Configure DSAME Web Agents to Work With the CDSSO Component
You can configure DSAME agents that are installed on remote web servers to work with CDSSO components that are installed on participating DNS domains.
Edit the agent's AMConfig.properties file. Change the com.iplanet.am.policy.agents.url.authLoginUrl property to point to the agent's domain's cross-domain single sign-on service URL. For example:
Add the cross-domain single sign-on service URL to the agent's not-enforced list.
- com.iplanet.am.policy.agents.url.authLoginUrl = http://CDSSO_host:CDSSO_port/CDSSO_URI/cdsso
- where authLoginUrl is the CDSSO component's URL.
Installing Multiple DSAME Instances Against the Same Directory Server
You can install more than one instance of DSAME against this Directory Server for enhanced performance, to support directory replication, or for agent failover purposes. When you run the DSAME installation program for the first time, you'll typically use Option 1) Install DSAME Policy and Management Services. When you use this option, Directory Server is automatically installed for you. This is the master Directory Server. If you plan to install multiple installations of DSAME against this same master directory, you must run ammultiserverinstall script.Figure 6-1 illustrates two DSAME instances installed against a single Directory Server.
Figure 6-1    Two DSAME Instances Installed Against a Single Directory Server.
To Install Multiple DSAME Instances Against the Same Directory Server
You must have root permissions to create and install multiple DSAME instances.
Go to the following directory:
At the command line, enter the following command:
To start a single DSAME instance enter the following command:
To start all the DSAME instances, enter the following command:
To stop a single DSAME instance, enter the following command:
To stop all the DSAME instances, enter the following command:
Support for Directory Replication and High Availability
Load balancing across replicated servers and locating replicated servers closer to users are two ways to improve server performance and response time in your enterprise. You can implement directory replication agreements in your DSAME deployment to increase the availability and performance of the DSAME servers and services. You can set up DSAME directory servers in single-supplier or multi-supplier configurations. You can also configure load-balancing applications such as iPlanet Directory Access Router to work with DSAME.
Replication Considerations
Configure your directory servers for replication before you install DSAME. This ensures that the supplier and consumer databases are synchronized from the beginning, and gives you a chance to verify that referrals and updates are working properly. The information must be identical in each DSAME database.When you install DSAME for replication purposes, in each instance of Directory Server and in each instance of DSAME, specify the same values for the following:
There may be situations in which you cannot implement directory replication in a DSAME deployment. For example, authentication server host names or IP addresses must be the same. This precludes using geographically separated replicated DSAME servers. The remote servers would not be able to perform authentication against servers that are only local to their respective LANs.
For comprehensive information on planning and implementing Directory Server replication, see the Deployment Guide and the Installation Guide for iPlanet Directory Server. You can access these guides on the Internet at:
http://docs.iplanet.com/docs/manuals/directory.html
Configuring DSAME to Support Directory Replication
You can configure DSAME to work with single-supplier or multi-supplier replication. For each of the configurations pictured in this section, follow the same instructions. See "To Configure DSAME to Work With Directory Replication" of this manual.Figure 6-2 illustrates a single-supplier configuration where the Consumer is a read-only database. Requests for write operations are referred to the supplier database. This configuration provides some measure of enhanced server performance by distributing the workload to more than one directory.
Figure 6-2    Single-Supplier Replication.
Figure 6-3 illustrates a multi-supplier configuration using multiple instances of DSAME. This configuration provides failover protection as well as high availability, resulting in further enhanced server performance.
Figure 6-3    Multi-Supplier Configuration. Also known as Multi-Master Replication (MMR)
Figure 6-4 illustrates a multi-supplier configuration that includes iPlanet Access Router. This configuration takes full advantage of DSAME support for failover, high availability, and managed load-balancing.
Figure 6-4    Multi-Supplier Replication With Load-Balancer.
To Configure DSAME to Work With Directory Replication
Use the following steps to configure replication at the root or top level of the DSAME directory tree. You can also use these steps to configure replication at the default organization level.
Install your supplier and consumer Directory Servers (version 5.1). See the Directory Server Installation Guide for detailed instructions.
Set up replication agreements between your supplier and consumer Directory Servers, and then verify that the directory referrals and updates are working properly. See the Directory Server Administrator's Guide for detailed instructions.
If you plan to use DSAME with user data from an existing, pre-5.1 Directory Server, you must migrate the user data and make Directory Information Tree (DIT) changes before proceeding. Follow the detailed instructions in Chapter 5 "Using an Existing Directory Server" of this manual. Then skip to Step 5.
If you are deploying DSAME and Directory Server for the first time, or if you simply do not plan to use existing user data with DSAME, then run the DSAME installation program to install the DSAME Management and Policy services.
In the server where DSAME Management and Policy services are installed, modify the following file:
- During installation, you'll be asked if you're using an existing Directory Server. You'll answer yes, and then you'll specify the host name and port number for a supplier Directory Server you installed in Step 1.
- For detailed instructions, see "Step 2: Install DSAME Services" in Chapter 5.
Modify the following properties to reflect the host and port number of a consumer Directory Server you installed in step 1.
In each DSAME Authentication module you've enabled, you must specify the consumer directory that you installed in step 1. In the following substeps, the LDAP Authentication module is used as an example:Modify the following properties:
In the DSAME console, in the View field, choose Service Management.
In the following file: DSAME_root/SUNWam/config/ums/serverconfig.xml, specify the host name and port number of the consumer directory you installed in step1. Example:In the Service Name column, under Authentication, locate the module you need to reconfigure. In the Properties column, click the arrow that corresponds to module you need to reconfigure.
In the right pane, there are two fields named LDAP Server and Port.
In the first field named LDAP Server and Port, enter the host name and port number for your primary (consumer) Directory Server.
Click Submit.
Example: consumer1.madisonparc.com:389In the second field named LDAP Server and Port, enter the host name and port number for your secondary or (supplier) directory.
Example: supplier1.madisonparc.com:399
<iPlanetDataAccessLayer> <ServerGroup name="default" minConnPool="1" maxConnPool="10"> <Server name="Server1" host="consumer1.madisonparc.com" port="389" type="SIMPLE" /> Restart DSAME with the following command:
Configuring a LDAP Load-Balancers to Work With DSAME
You can configure LDAP load-balancers such as iPlanet Directory Access Router to work with DSAME. iPlanet Directory Access Router dynamically performs proportional load balancing of LDAP operations across a set of configured directory servers. If one or more directory servers should become unavailable, the load is proportionally redistributed among the remaining servers. When a directory server comes back on line, the load is proportionallyand dynamicallyreallocated.
Figure 6-5    Multi-Master Replication With Managed Load-Balancer.
Using LDAP load-balancers, it adds a layer of high availability and directory failover protection beyond the basic level that comes with DSAME. For example, when you configure iPlanet Directory Access Router, you can specify what percentage of the load gets redistributed to each of your servers when one server becomes unavailable. iPlanet Directory Access Router continues to manage request traffic, and begins rejecting client queries when all back-end LDAP servers become unavailable.
By comparison, the DSAME high availability feature cannot be configured or managed as precisely. But when you add a LDAP load-balancers such as iPlanet Directory Access Router, DSAME seamlessly directs all requests to the application for total management.
If you choose to install a load-balancer, you must configure DSAME to recognize the application.
To Configure DSAME to Work With a Load-Balancer
Before you can perform the following steps, you must:
Set up your Directory Servers for replication. For comprehensive information about directory replication and for detailed setup instructions, see "Managing Replication" in the iPlanet Directory Server Administrator's Guide.
In the file, DSAME_root/SUNWam/lib/AMconfig.properties modify the following properties to reflect the host and port number of a consumer Directory Server you installed in step 1.Install and configure your LDAP load-balancer. Follow the instructions in the documentation that comes with the product.
For each DSAME Authentication module you've enabled, specify the consumer directory that you installed in step 1. In the following substeps, the LDAP Authentication module is used as an example:
In the DSAME console, in the View field, choose Service Management.
In the DSAME_root/SUNWam/config/ums/serverconfig.xml,specify the host name and port number of the consumer directory you installed in step1.In the Service Name column, under Authentication, locate the module you need to reconfigure. In the Properties column, click the arrow that corresponds to module you need to reconfigure.
In the right pane, there are two fields named LDAP Server and Port.
In the first field named LDAP Server and Port, enter the host name and port number for your primary (consumer) Directory Server using the form:
Click Submit.In the second field named LDAP Server and Port, enter nothing.
Restart DSAME with the following command:
- Example:
<iPlanetDataAccessLayer> <ServerGroup name="default" minConnPool="1" maxConnPool="10"> <Server name="Server1" host="idar.madisonparc.com" port="389" type="SIMPLE" />
Secure Sockets Layer (SSL)
You can use the Secure Sockets Layer (SSL) protocol to provide secure connections between Directory Server and the DSAME services you use in your enterprise. The SSL protocol consists of rules governing server authentication, client authentication, and encrypted communication between servers and clients. When you enable SSL to work with DSAME, the requests and transactions between Directory Server and the DSAME console are encrypted and protected from intrusion by unauthorized entities.
Figure 6-6    How SSL Works in DSAME.
Enabling SSL for DSAME is a two-step process:
This section explains how to enable SSL for DSAME services and URL access agents. It references the following resources for SSL information, which are appended to this manual for your convenience:
For comprehensive information on SSL and on determining your SSL needs, see Chapter 7, "Designing a Secure Directory" in iPlanet Directory Server Deployment Guide. This guide comes with iPlanet Directory Server, and is also available on the Internet at
http://docs.iplanet.com/docs/manuals/directory.html
Install a Server Certificate in Directory Server.
When DSAME starts up, its connection to Directory Server will be secured with SSL.
- Follow the detailed instructions in "Obtaining and Installing Server Certificates" of this manual to perform the following steps. Or access the iPlanet Directory Server documentation on the Internet at http://docs.iplanet.com/docs/manuals/directory.html
Step 1: Generate a Certificate Request
Activate SSL in the Directory Server.Step 2: Send the Certificate Request
Step 3: Install the Certificate (on Directory Server)
Step 4: Trust the Certificate Authority (Install the Root CA Certificate)
Step 5: Confirm That Your New Certificates Are Installed
In the Web Server that runs DSAME services, in the Web Server console, create a trust database. Follow the detailed instructions "Creating a Trust Database".
- Follow the detailed instructions in "Activating SSL" of this manual.
In the Web Server that runs DSAME services, install the root CA Certificate for Directory Server's server certificate. (This is the certificate you obtained in Step 2.) Follow the detailed instructions in "Requesting and Installing Other Server Certificates".
Edit the following DSAME configuration file:
Restart DSAME with the following command:
- DSAME_root/SUNWam/config/ums/serverconfig.xml
- For the server corresponding to the Directory Server configured for SSL, provide the following values:
- port. Enter the SSL port number you specified in Step 2.
- type. Enter SSL.
- Example:
If the Directory Server is not yet running, you are prompted for the internal key. Enter the key (password) you specified when creating the trust database in Step 3.
Step 2: Enable DSAME to Run in SSL Mode
When you enable DSAME to run in SSL mode, requests and transactions between the DSAME console and other SSL-configured Web Servers are encrypted and protected from intrusion by unauthorized entities.
Login to DSAME as Top Level Administrator.
In the Service Name column, choose DSAME Platform.
Remove this DSAME server from the list. First select its name in the list, and then click Remove.
Edit the following DSAME configuration file: DSAME_root/SUNWam/lib/Change Protocol to https (instead of http).
To add the same server with https, click Add.
AMConfig.properties
In the Web Server that runs DSAME services, using the Web Server console, obtain and install a server certificate if one is not already installed.
- Modify values for the following to reflect the HTTPS protocol and new port number (if the port number was changed):
To obtain a server certificate, follow the detailed instructions for "Requesting Other Server Certificates".
In the Web Server console, select the Web Server that runs DSAME services, and click Manage.To install the server certificate, follow the detailed instructions for "Installing Other Server Certificates".
In the Web Server instance, choose Preferences.
Restart DSAME with the following command:In the Security field for the default DSAME port, enter On.
To save changes to Web Server configuration files, click Apply Changes.
You are prompted for server certificate password. Enter the password.
Configuring DSAME Instance to SSL
You can configure new DSAME instance that is installed using the ammultiserverinstall script, to run in SSL mode. Perform the following steps:
Enable SSL for DSAME. Follow the steps, Step 1: Enable LDAP Over SSL and Step 2: Enable DSAME to Run in SSL Mode
Copy the server.xml and magnus.conf files from /DSAME_root/SUNWam/https-instance_name/conf_bk to /DSAME_root/SUNWam/https-instance_name/config
Previous Contents Index Next
Copyright 2002 Sun Microsystems, Inc. All rights reserved.
Last Updated May 13, 2002