This chapter contains detailed information about the following groups of tasks:
Use the following as your checklist for installing and configuring Federation Manager 1:
The Java ES installer must be mounted on the host computer system where you will install Web Server. See the section 2.2 Downloading and Mounting the Java Enterprise System 2005Q4 Installer in this manual.
As a root user, log into the Web Server host.
Start the Java Enterprise System installer with the -nodisplay option.
# cd /mnt/Solaris_sparc # ./installer -nodisplay |
When prompted, provide the following information:
(Optional) During installation, you can monitor the log to watch for installation errors. Example:
# cd /var/sadm/install/logs
# tail —f Java_Enterprise_System_install.B xxxxxx
Upon successful installation, enter ! to exit.
Verify that the Web Server is installed properly.
Start the Web Server administration server to verify it starts with no errors.
# cd /opt/SUNWwbsvr/https-admserv
# ./stop; ./start
Run the netstat command to verify that the Web Server ports are open and listening.
# netstat -an | grep 8888 *.8888 *.* 0 0 49152 0 LISTEN |
Start a browser, and go to the Web Server administration URL.
http://FederationManager-1.siroe.com:8888
Log in to the Web Server console.
admin
admin123
You should be able to see the Web Server console. You can log out of the console now.
Start the Web Server instance.
# cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com # ./stop; ./start |
Go to the Web Server instance URL.
http://FederationManager-1.siroe.com:8080
You should see the default Web Server index page.
If you have installed Solaris 10 using a distribution package other than the Solaris Enterprise distribution package, then you must remove the SUNWjas and SUNWjato packages that were automatically installed for you. These packages are different versions than the SUNWjas and SUNWjato packages used by Federation Manager. The appropriate packages will be installed when you run the Federation Manager installer.
Download the Sun Java System Federation Manager program from the following page on the Sun Microsystems website: http://www.sun.com/download/products.xml?id=44a5bbb5
Unpack the Federation Manager installer.
# tar -xvf fm-7.0-domestic-us.sparc-sun-solaris2.8.tar # ls LICENSE.TXT README.TXT SUNWamfm common fm-7.0-domestic-us.sparc-sun-solaris2.8.tar fmsetup fmsilent-template |
Edit the download_directory/fmsilent-template file.
Make a backup of the fmsilent-template file, and then set the following properties in the file:
FM_PROCESS_USER=root FM_PROCESS_GROUP=root INST_ORGANIZATION=o=siroe.com SERVER_HOST=FederationManager-1.siroe.com SERVER_PORT=8080 ADMINPASSWD=11111111 |
Save the file as /export/fmsilent.
(Optional) For online help regarding the Federation Manager installer options, enter the following with no options:
# ./fmsetup |
To start the Federation Manager installer, run the following command:
# ./fmsetup install -s /export/fmsilent |
The Federation Manager installer creates the following web archive (WAR) file:
/var/opt/SUNWam/fm/war_staging/federation.war
You usually customize the Federation Manager WAR file for the environment before the WAR file can be deployed. In a deployment where SAMLv2 is not used, you could customize and deploy the Federation Manager WAR file now. However in this deployment example, you will install the SAMLv2 plug-in and the SAMLv2 patch before you customize the Federation Manager WAR file. So proceed directly to the next task, To Deploy the Federation Manager 1 WAR File.
Go to the Web Server directory that contains the wdeploy command:
# cd /opt/SUNWwbsvr/bin/https/bin |
Run the wdeploy command:
# ./wdeploy deploy -u /federation -i FederationManager-1.siroe.com -v https-FederationManager-1.siroe.com /var/opt/SUNWam/fm/war_staging/federation.war |
Verify that the WAR file was successfully deployed.
Verify that a directory has been created with the same name you specified during Federation Manager installation as the URI. In this deployment example, the directory is named federation.
# cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/ webapps/https-FederationManager-1.siroe.com/federation # ls META-INF config docs html js WEB-INF console fed_css images saml2 com_sun_web_ui css fed_images index.html samples |
Restart the Federation Manager server, and verify that you can successfully access it.
# cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com # ./stop; ./start |
In a browser, go to the following URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login |
Log in to the Federation Manager console:
amadmin
11111111
If you can successfully log in, then the Federation Manager WAR file has been successfully deployed.
You must download the SAMLv2 Plug-In and the SAMLv2 Patch 2 onto the Federation Manager 1 host.
To download the SAMLv2 Plug-In, go to the following URL and follow instructions for downloading the plug-in:
http://www.sun.com/download/products.xml?id=43e00414
As a root user, log in to the Federation Manager 1 host.
Change to the directory where you unpacked the SAMLv2 installation files. Example:
# cd /tmp/saml2 # ls ./ SUNWsaml2/ ../ saml2setup* ENTITLEMENT.TXT saml2silent LICENSE.TXT samlv2-1.0-solaris-sparc.tar README.TXT version |
In a different directory, make a copy of the saml2silent file.
For this deployment example, no changes are made to the saml2silent file. All default values contained in the saml2silent file are used during installation. If you changed anything in the fmsilent other than the changes described in the section To Install Federation Manager Server 1, you should reflect the same changes in the saml2silent file.
Run the SAMLv2 installer.
# cd /tmp/saml2 # ./saml2setup install -s saml2silent |
When installation is complete, you will see the following message:
To complete the installation of SAML2 you must deploy the war file. Refer to the web container documentation or the release notes for directions on deploying a war file. |
Do not deploy the Federation Manager WAR file as instructed in the onscreen message. Instead, complete the following step and then proceed directly to the next task, To Install SAMLv2 Patch 2 on Federation Manager 1.
Restart the Federation Manager server, and verify that you can successfully access it.
# /opt/SUNWwbsvr/https-FederationManager-1.siroe.com # ./stop; ./start |
To download the SAMLv2 Patch 2, go to one of the following URLs and follow instructions for downloading the patch for your operating system:
Solaris (sparc) 122983-02
http://sunsolve.sun.com/search/document.do?assetkey=1-21-122983-02-1
Solaris (x86) 122984-02
http://sunsolve.sun.com/search/document.do?assetkey=1-21-122984-02-1
Linux 122985-02
http://sunsolve.sun.com/search/document.do?assetkey=1-21-122985-02-01
Go to the directory where you downloaded and upacked the SAMLv2 patch installation file.
#cd /temp/saml2patch/122983-02 #ls LEGAL_LICENSE.TXT LICENSE.TXT patchinfo postbackout postpatch prebackout prepatch README.122983-02 rel_notes.html SUNWsaml2 |
Run the SAMLv2 patch installer.
The —G option in the following example is for Solaris 10 zones. The option is not necessary if you are not using the Solaris 10 platform.
# cd /temp/saml2patch # patchadd -G 122983-02 |
When installation is complete, you will see the following message:
Patch packages installed: SUNWsaml2 |
Go to the directory where the saml2silent file is located.
# cd /opt/SUNWam/saml2/bin |
Run the update command.
# ./saml2setup update -s /opt/SUNWam/saml2/bin/saml2silent |
Any updates required because of the newly-installed patch are made in SAMLv2.
Redeploy the Federation Manager 1 WAR file.
At this point, the Federation Manager WAR file has been updated with SAMLv2 and SAMLv2 patch configurations. Once the WAR file is updated, you must deploy the WAR file.
See To Regenerate and Redeploy the Federation Manager 1 WAR File.
Use the following as your checklist for installing and configuring Federation Manager 2:
The Java ES installer must be mounted on the host computer system where you will install Web Server. See the section 2.2 Downloading and Mounting the Java Enterprise System 2005Q4 Installer in this manual.
As a root user, log into the Web Server host.
Start the Java Enterprise System installer with the -nodisplay option.
# cd /mnt/Solaris_sparc # ./installer -nodisplay |
When prompted, provide the following information:
|
Press Enter. |
|
|
Press Enter. |
|
|
Enter y. |
|
|
Enter 8 for “English only.” |
|
|
Enter 3 to select Web Server. |
|
|
Press Enter. |
|
Enter 1 to upgrade these shared components and 2 to cancel [1] |
You are prompted to upgrade shared components only if the installer detects that an upgrade is required. Enter 1 to upgrade shared components. |
|
|
Accept the default value. |
|
|
Enter 1. |
|
|
Enter 1. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Enter admin. |
|
|
For this example, enter admin123. |
|
|
Enter the same password to confirm it. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
For this example, enter admin123. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Enter root. |
|
|
Enter root. |
|
|
Enter 8080. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
First, see the next numbered (Optional) step. When ready to install, enter 1. |
(Optional) During installation, you can monitor the log to watch for installation errors. Example:
# cd /var/sadm/install/logs
# tail —f Java_Enterprise_System_install.B xxxxxx
Upon successful installation, enter ! to exit.
Verify that the Web Server is installed properly.
Start the Web Server administration server to verify it starts with no errors.
# cd /opt/SUNWwbsvr/https-admserv
# ./stop; ./start
Run the netstat command to verify that the Web Server ports are open and listening.
# netstat -an | grep 8888 *.8888 *.* 0 0 49152 0 LISTEN |
Start a browser, and go to the Web Server administration URL.
http://FederationManager-2.siroe.com:8888
Log in to the Web Server console.
admin
admin123
You should be able to see the Web Server console. You can log out of the console now.
Start the Web Server instance.
# cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com # ./stop; ./start |
Go to the Web Server instance URL.
http://FederationManager-2.siroe.com:8080
You should see the default Web Server index page.
If you have installed Solaris 10 using a distribution package other than the Solaris Enterprise distribution package, then you must remove the SUNWjas and SUNWjato packages that were automatically installed for you. These packages are different versions than the SUNWjas and SUNWjato packages used by Federation Manager. The appropriate packages will be installed when you run the Federation Manager installer.
Download the Sun Java System Federation Manager program from the following page on the Sun Microsystems website: http://www.sun.com/download/products.xml?id=44a5bbb5
Unpack the Federation Manager installer.
# tar -xvf fm-7.0-domestic-us.sparc-sun-solaris2.8.tar # ls LICENSE.TXT README.TXT SUNWamfm common fm-7.0-domestic-us.sparc-sun-solaris2.8.tar fmsetup fmsilent-template |
Edit the download_directory//fmfmsilent file.
Make a backup of the fmsilent-template file, and then set the following properties in the file:
FM_PROCESS_USER=root FM_PROCESS_GROUP=root INST_ORGANIZATION=o=siroe.com SERVER_HOST=FederationManager-2.siroe.com SERVER_PORT=8080 ADMINPASSWD=11111111 |
Save the file as /export/fmsilent.
(Optional) For online help regarding the Federation Manager installer options, enter the following with no options:
# ./fmsetup |
To start the Federation Manager installer, run the following command:
# ./fmsetup install -s /export/fmsilent |
The Federation Manager installer creates the following web archive (WAR) file:
/var/opt/SUNWam/fm/war_staging/federation.war
You usually customize the Federation Manager WAR file for the environment before the WAR file can be deployed. In a deployment where SAMLv2 is not used, you could customize and deploy the Federation Manager WAR file now. However in this deployment example, you will install the SAMLv2 plug-in and the SAMLv2 patch before you customize the Federation Manager WAR file. So proceed directly to the next task, To Deploy the Federation Manager 2 WAR File.
Go to the Web Server directory that contains the wdeploy command:
# cd /opt/SUNWwbsvr/bin/https/bin |
Run the wdeploy command:
# ./wdeploy deploy -u /federation -i FederationManager-2.siroe.com -v https-FederationManager-2.siroe.com /var/opt/SUNWam/fm/war_staging/federation.war |
Verify that the WAR file was successfully deployed.
Verify that a directory has been created with the same name you specified during Federation Manager installation as the URI. In this deployment example, the directory is named federation.
# cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/ webapps/https-FederationManager-2.siroe.com/federation # ls META-INF config docs html js WEB-INF console fed_css images saml2 com_sun_web_ui css fed_images index.html samples |
Restart the Federation Manager server, and verify that you can successfully access it.
# cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com # ./stop; ./start |
In a browser, go to the following URL:
http://FederationManager-2.siroe.com:8080/federation/UI/Login |
Log in to the Federation Manager console:
amadmin
11111111
If you can successfully log in, then the Federation Manager WAR file has been successfully deployed.
To download the SAMLv2 Plug-In, go to the following URL and follow instructions for downloading the plug-in:
http://www.sun.com/download/products.xml?id=43e00414
As a root user, log in to the Federation Manager 2 host.
Change to the directory where you unpacked the SAMLv2 installation files. Example:
# cd /tmp/saml2 # ls ./ SUNWsaml2/ ../ saml2setup* ENTITLEMENT.TXT saml2silent LICENSE.TXT samlv2-1.0-solaris-sparc.tar README.TXT version |
In a different directory, make a copy of the saml2silent file.
For this deployment example, no changes are made to the saml2silent file. All default values contained in the saml2silent file are used during installation. If you changed anything in the fmsilent other than the changes described in the section To Install Federation Manager Server 2, you should reflect the same changes in the saml2silent file.
Run the SAMLv2 installer.
# cd /tmp/saml2 # ./saml2setup install -s saml2silent |
When installation is complete, you will see the following message:
To complete the installation of SAML2 you must deploy the war file. Refer to the web container documentation or the release notes for directions on deploying a war file. |
Do not deploy the Federation Manager WAR file as instructed in the onscreen message. Instead, complete the following step and then proceed directly to the next task, To Install the SAMLv2 Patch 2 on Federation Manager 2.
Restart the Federation Manager server, and verify that you can successfully access it.
# /opt/SUNWwbsvr/https-FederationManager-2.siroe.com # ./stop; ./start |
To download the SAMLv2 Patch 2, go to the following URL and follow instructions for downloading the patch:
Solaris (sparc) 122983-02
http://sunsolve.sun.com/search/document.do?assetkey=1-21-122983-02-1
Solaris (x86) 122984-02
http://sunsolve.sun.com/search/document.do?assetkey=1-21-122984-02-1
Linux 122985-02
http://sunsolve.sun.com/search/document.do?assetkey=1-21-122985-02-01
Go to the directory where you downloaded and upacked the SAMLv2 patch installation file.
#cd /temp/saml2patch/122983-02 #ls LEGAL_LICENSE.TXT LICENSE.TXT patchinfo postbackout postpatch prebackout prepatch README.122983-01 rel_notes.html SUNWsaml2 |
Run the SAMLv2 patch installer.
The —G option is for Solaris 10 zones. If you are not using the Solaris 10 platform, do not use the —G option.
# cd /temp/saml2patch # patchadd -G 122983-02 |
When installation is complete, you will see the following message:
Patch packages installed: SUNWsaml2 |
Go to the directory where the SAMLv2 saml2silent file is located.
# cd /opt/SUNWam/saml2/bin |
Run the update command.
# ./saml2setup update -s /opt/SUNWam/saml2/bin/saml2silent |
Redeploy the Federation Manager 2 WAR file.
At this point, the Federation Manager WAR file has been updated with SAMLv2 and SAMLv2 patch configurations. The next step is to deploy the WAR file.
See To Regenerate and Redeploy the Federation Manager 2 WAR File.
In this phase of the deployment, you set up Load Balancer 9 to manage Federation Manager requests. For more information about the f-5 Networks BIG-IP load balancers used in this deployment, see 2.9 Setting Up Load Balancer Hardware and Software in this manual.
Use the following as your checklist for configuring the Federation Manager Load Balancer:
Configure Load Balancer 9 for the Federation Manager Servers.
Configure Federation Manager 1 to work with the Federation Manager Load Balancer.
Configure Federation Manager 2 to work with the Federation Manager Load Balancer.
Verify that the Federation Manager load balancers are working properly.
Contact your network administrator to obtain an available virtual IP address for the load balancer you want to configure.
You must also know the IP address of the load balancer hardware, the URL for the load balancer login page, and a username and password for logging in to the load balancer application.
The load balancer hardware and software used in the lab facility for this deployment is BIG-IP® manufactured by F5 Networks. If you are using different load balancer software, see the documentation that comes with that product for detailed settings information.
You must also have ready the IP addresses for Federation Manager 1 and Federation Manager 2.
To obtain these IP addresses, on each Federation Manager host, run the following command:
ifconfig —a
Create a Pool.
A pool contains all the backend server instances.
Go to URL for the Big IP load balancer login page.
Open the Configuration Utility.
Click “Configure your BIG-IP (R) using the Configuration Utility.”
In the left pane, click Pools.
On the Pools tab, click the Add button.
In the Add Pool dialog, provide the following information:
Example: fm_server_pool
Round Robin
Add the IP address of both Federation Manager hosts. In this example:
192.18.72.89 (for Federation Manager 1)
192.18.72.86 (for Federation Manager 2)
Click the Done button.
Add a Virtual Server.
If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.
In the left frame, Click Virtual Servers.
On the Virtual Servers tab, click the Add button.
In the Add a Virtual Server dialog box, provide the following information:
192.18.69.14 (for LoadBalancer-9.siroe.com )
1080
Continue to click Next until you reach the Select Physical Resources page.
Select Pool, and then choose fm_server_pool from the drop-down list.
On the same page, set the Cookie Name property to fmlbcookie.
Click the Done button.
Configure the load balancer for persistence.
In the left frame, click Pools.
Click the name of the pool you want to configure.
In this example, fm_server_pool.
Click the Persistence tab.
On the Persistence tab, under Persistence Type, select Active HTTP Cookie and set the following:
Insert
When the Insert method is specified, the first time a server receives a request, the load balancer inserts a cookie and cookie value. On subsequent requests, when the load balancer sees the same cookie name and value, it redirects the request to the same server that received the initial request.
Click Apply.
Create a new monitor.
This monitor will simply indicate whether the Federation Manager servers are running or stopped.
Click the Monitors tab.
Click the Add.
In the Name and Parent window, provide the following information, and then click Next.
fm_servers_monitor
http
In the Basic Properties window, accept the default values, and then click Next.
5
16
In the Configure Destination Address and Service window, accept the default values and then click Done.
The new monitor is added to the list on the Monitors tab.
Click the Basic Associations tab.
Find the IP addresses for Federation Manager 1 and for Federation Manager 2
In this example: 192.18.72.89 for Federation Manager 1, and 192.18.82.86 for Federation Manager 2.
In the Node dropdown list, select fm_servers_monitor.
Mark the ADD box for each IP address, and then click APPLY.
When you click Nodes in the left frame of the console, you will be able to see if each server is running or stopped.
As a root user, log in to the Federation Manager 1 host.
Go to the directory that contains the AMConfig.properties file.
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes |
In the AMConfig.properties file, set the following property:
com.sun.identity.server.fqdnMap[LoadBalancer-9.siroe.com]=LoadBalancer-9.siroe.com |
Add the following property:
com.sun.identity.url.redirect=https,LoadBalancer-9.siroe.com |
This property will be used when you terminate SSL at the Federation Manager load balancer.
Add the Federation Manager load balancers to the Organization Aliases list.
Go to the Federation Manager login URL:
http://Federationmanager-1.siroe.com:8080/federation/UI/Login |
Log in to the Federation Manager console:
amadmin
11111111
Click the Configuration tab. On the General Properties page, Under Organizational Attributes, add the Federation Manager load balancer to the DNS Aliases list.
In the Add field, enter LoadBalancer-9.siroe.com, and then click Add.
Click Save.
Regenerate the Federation Manager WAR file.
#cd /opt/SUNWam/fm/bin # ./fmwar -n federation -d /var/opt/SUNWam/fm/war_staging -s /export/fmsilent |
Redeploy the Federation Manager WAR file.
See the section To Regenerate and Redeploy the Federation Manager 1 WAR File in this manual.
As a root user, log in to the Federation Manager 2 host.
Go to the directory that contains the AMConfig.properties file.
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes |
In the AMConfig.properties file, set the following properties:
com.sun.identity.server.fqdnMap[LoadBalancer-9.siroe.com]=LoadBalancer-9.siroe.com |
Add the following property:
com.sun.identity.url.redirect=https,LoadBalancer-9.siroe.com |
This property will be used when you terminate SSL at the Federation Manager load balancer.
Add the Federation Manager load balancers to the Organization Aliases list.
Go to the Federation Manager login URL:
http://FederationManager-2.siroe.com:8080/federation/UI/Login |
Log in to the Federation Manager console:
amadmin
11111111
Click the Organization tab. Under Organization Attributes, add the Federation Manager load balancers to the DNS Aliases list.
In the Add field, enter LoadBalancer-9.siroe.com, and then click Add.
Click Save.
Regenerate the Federation Manager 2 WAR file.
See the section in this manual, To Regenerate and Redeploy the Federation Manager 2 WAR File.
Use the tail command to monitor traffic requests to Federation Manager 1 and Federation Manager 2.
As a root user, log in to the Federation Manager 1 host.
Restart the Federation Manager 1 server:
# cd /FederationManager-base/SUNWwbsvr/https-FederationManager-2.siroe.com # ./stop; ./start |
Use the tail command to monitor the Federation Manager access log.
# tail —f logs/access |
As a root user, log in to the Federation Manager 2 host.
Start the Federation Manager 2 server:
# cd FederationManager-base/SUNWwbsvr/https-FederationManager-2.siroe.com # ./stop; ./start |
Use the tail command to monitor the Directory Server access log.
# tail —f logs/access |
Go to the following Federation Manager URL:
http://LoadBalancer-9.siroe.com:1080/federation/UI/Login |
Log in to the Federation Manager console:
amadmin
11111111
As you log in and log out of the Federation Manager console, you should see in the access log that all requests are going to the same Federation Manager server. This indicates that the load balancer is working properly, and that the persistence setting is properly configured.
In this deployment, SSL is not enabled at each Federation Manager server but is instead terminated at the load balancer. By terminating SSL at the load balancer, you can be sure that communication to the Federation Manager servers is secure while achieving the highest server availability and fastest response times.
Use the following as your checklist for configuring SSL termination at the Federation Manager load balancer:
Log in to the BIG-IP load balancer.
Click Proxies in the left pane.
Click the Cert Admin tab, and then click the “Generate New Key Pair/ Certificate Request” button.
In the Create Certificate Request page, provide the following information:
LoadBalancer-9.siroe.com
siroe.com
LoadBalancer-9.siroe.com
jdoe@siroe.com
Click the Generate Request button.
In the Generate Request page, copy the request that looks similar to this:
-----BEGIN CERTIFICATE REQUEST----- UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0 EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0 wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0 GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo 2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2 -----END CERTIFICATE REQUEST----- |
Paste this text into a request form provided by a root certificate authority (CA) such as Verisign or Thwarte.
See the certificate authority website such as http://www.verisign.com/ or http://www.thawte.com/ for detailed instructions on submitting a certificate request.
After you receive the certificate from the issuer, install the SSL Certificate.
Log in to the BIG-IP load balancer console.
In the BIG-IP load balancer console, click the Cert Admin tab.
On the Cert Admin tab, click Install Certificate.
In the Install SSL Certificate page, paste the certificate text you received from the certificate issuer. Example:
-----BEGIN CERTIFICATE REQUEST----- UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0 EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0 wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0 GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo 2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2 -----END CERTIFICATE REQUEST----- |
Click Install Certificate.
In the left frame, click Proxies, and then click Add.
On the Add Proxy page, provide the following information:
SSL
Enter the IP address of LoadBalancer-9.siroe.com.
Enter 3443.
Enter the IP address of LoadBalancer-9.siroe.com.
Enter 1080.
LoadBalancer-9.siroe.com
LoadBalancer-9.siroe.com
Mark this box.
Click Next, then provide the following information:
Choose Matching.
Click Done.
As a root user, log in to the Federation Manager 1 host.
Go to the following directory:
/opt/SUNWwbsvr/https-FederationManager-1.siroe.com/config |
Modify the server.xml file.
Make a backup of server.xml, and then modify the original file. Change this line:
<LS id="ls1" port="8080" servername="FederationManager-1.siroe.com" defaultvs ... |
to:
<LS id="ls1" port="8080" servername="https://LoadBalancer-9.siroe.com" defaultvs ... |
Save the file.
Restart the Web Server.
# cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/ # ./stop ; ./start |
As a root user, log in to the Federation Manager 2 host.
Go to the following directory:
/opt/SUNWwbsvr/https-FederationManager-2.siroe.com/config |
Modify the server.xml file.
Make a backup of server.xml, and then modify the original file. Change this line:
<LS id="ls1" port="8080" servername="FederationManager-2.siroe.com" defaultvs ... |
to:
<LS id="ls1" port="8080" servername="https://LoadBalancer-9.siroe.com" defaultvs ... |
Save the file.
Restart the Web Server.
# cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/ # ./stop ; ./start |
Go to the Federation Manager URL:
https://LoadBalancer-9.siroe.com:3443/federation/UI/Login
The following message is displayed:
“Unable to verify the identity of LoadBalancer-9.siroe.com as a trusted site.”
Choose “Accept this certificate temporarily for this session,” and then click OK.
Log in to the Federation Manager console:
amadmin
11111111
If you can log in successfully, then SSL is configured properly.
This chapter contains detailed information about the following groups of tasks:
4.3 Enabling Multi-Master Replication of the Configuration Instances
4.4 Enabling Multi-Master Replication of the User Data Instances
The Java ES installer must be mounted on the host computer system where you will install Directory Server. See the section 2.2 Downloading and Mounting the Java Enterprise System 2005Q4 Installer in this manual.
Use the following as your checklist or installing two Directory Server:
As a root user, log in to the Directory Server 3SP host.
Start the installer with the nodisplay option. Example:
# cd /mnt/Solaris_sparc # ./installer -nodisplay
When prompted, provided the following information:
|
Press Enter. |
|
|
Press Enter. |
|
|
Enter y. |
|
|
Enter 8 to select “English only.” |
|
|
Enter 6,20. Be sure you've specified Sun Java System Administration Server 5 2005Q4 and Sun Java System Directory Server 5 2005Q4. |
|
|
Press Enter. |
|
|
If upgrades are required, enter 1 to upgrade shared components. |
|
|
Accept the default value for each product. |
|
|
Enter 1 to continue. |
|
|
Enter 1 to configure now. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
For this example, enter admin123. |
|
|
Enter the same password again. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
For this example, enter admin123. |
|
|
Enter the same password again. |
|
|
Accept the default value. |
|
|
For this example, enter 11111111. |
|
|
Enter the same password again. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Enter 1390. |
|
|
Enter dc=siroe,dc=com. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Enter 1 to choose “The new instance will be the configuration directory server.” |
|
|
Enter 1 to store data in the new directory server. |
|
|
Enter 4 to choose “Populate with no data.” |
|
|
Enter n. |
|
|
Accept the default value. |
|
|
Enter 1391. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
For this example, enter admin123. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Enter 1 to install now. |
(Optional) During installation, you can monitor the log to watch for installation errors. Example:
# cd /var/sadm/install/logs
# tail —f Java_Enterprise_System_install.B xxxxxx
Upon successful installation, enter ! to exit.
Verify that Directory Server was successfully installed.
As a root user, log in to Directory Server 3SP.
Start the Directory Server.
# cd /var/opt/mps/serverroot/slapd-DirectoryServer-3SP # ./stop-slapd; ./start-slapd
Use the tail command to monitor the Directory Server error log and see that the server successfully starts up.
# tail -50 logs/errors
Use the netstat command to verify that the Directory Server port is open and listening.
# netstat -an | grep 1390 * 1390 *.* 0 0 49152 0 LISTEN
Start the Administration Server that manages Directory Server.
cd /var/opt/mps/serverroot ./stop-admin; ./start-admin
Installation is successful if the Administration Server displays a start-up message.
Use the netstat command to verify that the Administration Server port is open and listening.
# netstat -an | grep 1391 * 1391 *.* 0 0 49152 0 LISTEN
As a root user, log in to the Directory Server 4SP host.
Start the installer with the nodisplay option. Example:
# cd /mnt/Solaris_sparc # ./installer -nodisplay
When prompted, provided the following information:
|
Press Enter. |
|
|
Press Enter. |
|
|
Enter y. |
|
|
Enter 8 to select “English only.” |
|
|
Enter 6,20. Be sure you've specified Sun Java System Administration Server 5 2005Q4 and Sun Java System Directory Server 5 2005Q4. |
|
|
Press Enter. |
|
|
If upgrades are required, enter 1 to upgrade shared components. |
|
|
Accept the default value for each product. |
|
|
Enter 1 to continue. |
|
|
Enter 1 to configure now. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
For this example, enter admin123. |
|
|
Enter the same password again. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
For this example, enter admin123. |
|
|
Enter the same password again. |
|
|
Accept the default value. |
|
|
For this example, enter 11111111. |
|
|
Enter the same password again. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Enter 1390. |
|
|
Enter dc=siroe,dc=com. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Enter 1 to choose “The new instance will be the configuration directory server.” |
|
|
Enter 1 to store data in the new directory server. |
|
|
Enter 4 to choose “Populate with no data.” |
|
|
Enter n. |
|
|
Accept the default value. |
|
|
Enter 1391 |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
For this example, enter admin123. |
|
|
Accept the default value. |
|
|
Accept the default value. |
|
|
Enter 1 to install now. |
(Optional) During installation, you can monitor the log to watch for installation errors. Example:
# cd /var/sadm/install/logs
# tail —f Java_Enterprise_System_install.B xxxxxx
Upon successful installation, enter ! to exit.
Verify that Directory Server was successfully installed.
As a root user, log in to Directory Server 4SP.
Start the Directory Server.
# cd /var/opt/mps/serverroot/slapd-DirectoryServer-4SP # ./stop-slapd; ./start-slapd
Use the tail command to monitor the Directory Server error log and verify that the server successfully starts up.
# tail -50 logs/errors
Use the netstat command to verify that the Directory Server port is open and listening.
# netstat -an | grep 1390 * 1390 *.* 0 0 49152 0 LISTEN
Start the Administration Server that manages Directory Server.
cd /var/opt/mps/serverroot ./stop-admin; ./start-admin
Installation is successful if the Administration Server displays a start-up message.
Use the netstat command to verify that the Administration Server port is open and listening.
# netstat -an | grep 1391 * 1391 *.* 0 0 49152 0 LISTEN
On each Directory Server, create a new configuration instance and a new user data instance. When you're finished, Directory Server 3SP and Directory Server 4SP will each contain three instances. For example, Directory Server 3SP will contain three instances: DirectoryServer-3SP, fm-config, and fm-users. DirectoryServer-3SP stores Directory Server administration configuration. The instance named fm-config stores Federation Manager configuration, and the instance named fm-users stores Federation Manager user data. Directory Server 4SP will contain the identical directory structure.
Use the following as your checklist for creating new Directory Server instances:
Create a new Configuration Instance in Directory Server 3SP.
Create a new Configuration Instance in Directory Server 4SP.
Create a new data instance for storing Federation Manager configuration. This ensures that if you ever have to uninstall or restore Federation Manager configuration, the Directory Server configuration remains untouched and will not have to be restored.
As a root user, log in to Directory Server 3SP.
Set the X window display variable, and start the Directory Server 3SP console.
# cd /var/opt/mps/serverroot/ # export DISPLAY=DirectoryServer-3SP.siroe.com:1 # ./startconsole &
Log in to the Directory Server 3SP console.
cn=Directory Manager
11111111
http://DirectoryServer-3SP.siroe.com:1391
In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.
Right-click on Server Group, and choose “Create an instance of Sun Directory Server.”
In the Create New Instance dialog box, provide the following information:
Enter fm-config.
Enter 1389.
Enter o=siroe.com.
Enter cn=Directory Manager
For this example, enter 11111111.
Enter the same password to confirm it.
Enter root.
Click OK, and then close the status window.
Verify that the new Directory Server instance named fm-config successfully starts up .
As a root user, log in to Directory Server 3SP.
Start the new data Directory Server instance.
# cd /var/opt/mps/serverroot/slapd-fm-config # ./stop-slapd; ./start-slapd |
Use the tail command to monitor the Directory Server error log and see that the server starts up successfully.
# tail —f logs/errors |
Create a new data instance for storing both Federation Manager configuration and user data. This ensures that if you ever have to uninstall or restore Federation Manager configuration, the Directory Server configuration remains untouched and will not have to be restored.
As a root user, log in to Directory Server 3SP.
Set the X window display variable, and start the Directory Server console.
# cd /var/opt/mps/serverroot/ # export DISPLAY=DirectoryServer-3SP.siroe.com:1 # ./startconsole &
Log in to the Directory Server 3SP console.
cn=Directory Manager
11111111
http://DirectoryServer-3SP.siroe.com:1391
In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.
Right-click on Server Group, and choose “Create an instance of Sun Directory Server.”
In the Create New Instance dialog box, provide the following information:
Enter fm-users.
Enter 1489.
Enter o=siroeusers.com.
Enter cn=Directory Manager
For this example, enter 11111111.
Enter the same password to confirm it.
Enter root.
Click OK, and then close the status window.
Verify that the new Directory Server instance named fm-users successfully starts up .
As a root user, log in to Directory Server 3SP.
Start the new data Directory Server instance.
# cd /var/opt/mps/serverroot/slapd-fm-users # ./stop-slapd; ./start-slapd |
Use the tail command to monitor the Directory Server error log and see that the server starts up successfully.
# tail —f logs/errors |
As a root user, log in to Directory Server 4SP.
Set the X window display variable, and start the Directory Server console.
# cd /var/opt/mps/serverroot/ # export DISPLAY=DirectoryServer-4SP.siroe.com:1 # ./startconsole &
Log in to the Directory Server 4SP console.
cn=Directory Manager
11111111
http://DirectoryServer-4SP.siroe.com:1391
In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see Server Group item.
Right-click on Server Group, and choose “Create an instance of Sun Directory Server.”
In the Create New Instance dialog box, provide the following information:
Enter fm-config.
Enter 1389.
Enter o=siroe.com.
Enter cn=Directory Manager
For this example, enter 11111111.
Enter the same password to confirm it.
Enter root.
Click OK, and then close the status window.
Verify that the new Directory Server instance named fm-config successfully starts up .
As a root user, log in to Directory Server 4SP.
Start the new data Directory Server instance.
# cd /var/opt/mps/serverroot/slapd-fm-config # ./stop-slapd; ./start-slapd |
Use the tail command to monitor the Directory Server error log and see that the server starts up successfully.
# tail —f logs/errors |
As a root user, log in to Directory Server 4SP.
Set the X window display variable, and start the Directory Server console.
# cd /var/opt/mps/serverroot/ # export DISPLAY=DirectoryServer-4SP.siroe.com:1 # ./startconsole &
Log in to the Directory Server 4SP console.
cn=Directory Manager
11111111
http://DirectoryServer-4SP.siroe.com:1391
In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see Server Group item.
Right-click on Server Group, and choose “Create an instance of Sun Directory Server.”
In the Create New Instance dialog box, provide the following information:
Enter fm-users.
Enter 1489.
Enter o=siroeusers.com.
Enter cn=Directory Manager
For this example, enter 11111111.
Enter the same password to confirm it.
Enter root.
Click OK, and then close the status window.
Verify that the new Directory Server instance named fm-users successfully starts up .
In this procedure you enable multi-master replication (MMR) between two directory masters. With MMR enabled, whenever a directory entry is changed in Directory Server 3SP, the change is automatically replicated in Directory Server 4SP. The reverse is also true.
Use the following as your checklist for enabling MMR among the configuration instances:
Enable multi-master replication of the Configuration Instance on Directory Server 3SP.
Enable multi-master replication of the Configuration Instance on Directory Server 4SP.
Create a replication agreement for the Configuration Instance on Directory Server 3SP.
Create a replication agreement for the Configuration Instance on Directory Server 4SP.
Start the Directory Server 3SP console.
# cd /var/opt/mps/serverroot/ # ./startconsole & |
Log in to the Directory Server 3SP console.
cn=Directory Manager
11111111
http://DirectoryServer-3SP.siroe.com:1391
In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.
Click to expand the Server Group.
You should see three items: an Administration Server, a Directory Server (fm-config), and a Directory Server (fm-config).
Double-click the instance name Directory Server (fm-config) to display the console for managing the instance fm-config.
Click the Configuration tab and navigate to the Replication pane.
Click the “Enable replication” button to start the Replication Wizard.
Select Master Replica, and then click Next to continue.
Enter a Replica ID, and then click Next.
For this example, when enabling replication on DirectoryServer-3SP, assign the number 11.
If you have not already been prompted to select the change log file, you are prompted to select one now.
The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.
If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.
The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter 11111111.
The Replication Wizard displays a status message while updating the replication configuration.
Click Close when replication is finished.
Start the Directory Server 4SP console.
# cd /var/opt/mps/serverroot/ # ./startconsole & |
Log in to the Directory Server 4SP console.
cn=Directory Manager
11111111
http://DirectoryServer-4SP.siroe.com:1391
In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.
Click to expand the Server Group.
You should see three items: an Administration Server, a Directory Server (fm-config), and a Directory Server (fm-users).
Double-click the instance name Directory Server (fm-config) to display the console for managing the instance fm-config.
Click the Configuration tab and navigate to the Replication pane.
Click the “Enable replication” button to start the Replication Wizard.
Select Master Replica, and then click Next to continue.
Enter a Replica ID, and then click Next.
For this example, when enabling replication on DirectoryServer-4SP, assign the number 22.
If you have not already been prompted to select the change log file, you are prompted to select one now.
The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.
If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.
The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter 11111111 .
The Replication Wizard displays a status message while updating the replication configuration.
Click Close when replication is finished.
On DirectoryServer-3SP, in the Directory Server console, display the general properties for the Directory Server instance named fm-config .
Navigate through the tree in the left panel to find the Directory Server instance named fm-config, and click on the instance name to display its general properties.
Click the Open button to display the console for managing the fm-config instance.
Click the Configuration tab and navigate to the Replication pane.
Click the New button.
In the Replication Agreement dialog box, click the Other button.
In the Remote Server dialog box, provide the following information, and then click OK.
DirectoryServer-4SP.siroe.com
1389
Leave this box unmarked.
In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.
By default, the DN is that of the default replication manager.
For the password of the replication manager, enter 11111111.
(Optional) Provide a description string for this agreement.
For this example, enter Replication from DirectoryServer-3SP to DirectoryServer-4SP.
Click OK when done.
In the confirmation dialog, click Yes to test the connection to the server and port number.
Use the given replication manager and password 11111111.
If the connection fails, you will still have the option of using this agreement. For example, the parameters are correct but the server is offline. When you have finished, the agreement appears in the list of replication agreements for this master replica.
On DirectoryServer-4, in the Directory Server console, display the general properties for the Directory Server instance named fm-config.
Navigate through the tree in the left panel to find the Directory Server instance named fm-config, and click on the instance name to display its general properties.
Click the Open button to display the console for managing the fm-config instance.
Click the Configuration tab and navigate to the Replication pane.
Click the New button.
In the Replication Agreement dialog box, click the Other button.
In the Remote Server dialog box, provide the following information, and then click OK.
DirectoryServer-3SP.siroe.com
1389
Leave this box unmarked.
In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.
By default, the DN is that of the default replication manager.
For the password of the replication manager, enter 11111111.
(Optional) Provide a description string for this agreement.
For this example, enter Replication from DirectoryServer-4SP to DirectoryServer-3SP.
Click OK when done.
In the confirmation dialog, click Yes to test the connection to the server and port number.
Use the given replication manager and password.
If the connection fails, you will still have the option of using this agreement. For example, the parameters are correct but the server is offline. When you have finished, the agreement appears in the list of replication agreements for this master replica.
In the Directory Server 3SP console, navigate through the tree in the left panel to find the Directory Server instance named fm-config.
Click on the instance name to display its general properties.
Double-click the instance name Directory Server (fm-config) in the tree to display the console for managing the data.
Click the Configuration tab and navigate to the Replication pane.
In the list of defined agreements, select the replication agreement corresponding to Directory Server 4SP, the consumer you want to initialize.
Click Action > Initialize remote replica.
A confirmation message warns you that any information already stored in the replica on the consumer will be removed.
In the Confirmation dialog, click Yes.
Online consumer initialization begins immediately. The icon of the replication agreement shows a red gear to indicate the status of the initialization process.
Click Refresh > Continuous Refresh to follow the status of the consumer initialization.
Any messages for the highlighted agreement will appear in the text box below the list.
Verify that replication is working properly.
Log in to both Directory Server hosts as a root user, and start both Directory Server consoles.
Log in to each Directory Server console.
In each Directory Server console, enable the audit log on both Directory Server instances.
Go to Configuration > Logs > Audit Log. Check Enable Logging, and then click Save.
In separate terminal windows , use the tail -f command to watch the audit log files change.
In the Directory Server 3SP console, create a new user entry.
Go to the Directory tab, and right-click the suffix o=siroe. Then click New > Group.
Name the new group People, and then click OK.
Click People, and then right-click to choose New > User.
In the Create New User dialog, enter a first name and last name, an then click OK.
Note the user entry is created in the instance audit log. Check to be sure the same entry is also created in Directory Server 4SP in the Directory Server instance audit log
On DirectoryServer-4SP, in the Directory Server console, create a new user entry.
Go to the Directory tab, and right—click the suffix o=siroe.com. Click People, and then right-click to choose New > User.
In the Create New User dialog, enter a first name and last name, an then click OK.
Note the user entry is created in the instance audit log. Check to be sure the same entry is also created in Directory Server 3SP in the Directory Server instance audit log
Delete both new user entries in the Directory Server 4SP console.
Look in the Directory Server 3SP console to verify that both users have been deleted.
Use the following as your checklist for enabling MMR among the user data instances:
Enable multi-master replication for the User Data Instance on Directory Server 3SP.
Enable multi-master replication for the User Data Instance on Directory Server 4SP.
Create a replication agreement for the User Data Instance on Directory Server 3SP.
Create a replication agreement for the User Data Instance on Directory Server 4SP.
On Directory Server 3SP, start the Directory Server console.
# cd /var/opt/mps/serverroot/ # ./startconsole & |
Log in to the Directory Server 3SP console.
cn=Directory Manager
11111111
http://DirectoryServer-3SP.siroe.com:1391
In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.
Click to expand the Server Group.
You should see three items: an Administration Server, a Directory Server (fm-config), and a Directory Server (fm-users).
Double-click the instance name Directory Server (fm-users) to display the console for managing the instance fm-users.
Click the Configuration tab and navigate to the Replication pane.
Click the “Enable replication” button to start the Replication Wizard.
Select Master Replica, and then click Next to continue.
Enter a Replica ID, and then click Next.
For this example, when enabling replication on Directory Server 3SP, assign the number 33.
If you have not already been prompted to select the change log file, you are prompted to select one now.
The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.
If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.
The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter 11111111.
The Replication Wizard displays a status message while updating the replication configuration.
Click Close when replication is finished.
Start the Directory Server 4SP console.
# cd /var/opt/mps/serverroot/ # ./startconsole & |
Log in to the Directory Server 4SP console.
cn=Directory Manager
11111111
http://DirectoryServer-4SP.siroe.com:1391
In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.
Click to expand the Server Group.
You should see three items: an Administration Server, a Directory Server (fm-config), and a Directory Server (fm-users).
Double-click the instance name Directory Server (fm-users) to display the console for managing the instance fm-users.
Click the Configuration tab and navigate to the Replication pane.
Click the “Enable replication” button to start the Replication Wizard.
Select Master Replica, and then click Next to continue.
Enter a Replica ID, and then click Next.
For this example, when enabling replication on Directory Server 4SP, assign the number 44.
If you have not already been prompted to select the change log file, you are prompted to select one now.
The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.
If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.
The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter 11111111 .
The Replication Wizard displays a status message while updating the replication configuration.
Click Close when replication is finished.
In the Directory Server 3SP console, display the general properties for the Directory Server instance named fm-users .
Navigate through the tree in the left panel to find the Directory Server instance named fm-users, and click on the instance name to display its general properties.
Click the Open button to display the console for managing the fm-users instance.
Click the Configuration tab and navigate to the Replication pane.
Click the New button.
In the Replication Agreement dialog box, click the Other button.
In the Remote Server dialog box, provide the following information, and then click OK.
DirectoryServer-4SP.siroe.com
1489
Leave this box unmarked.
In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.
By default, the DN is that of the default replication manager.
For the password of the replication manager, enter 11111111.
(Optional) Provide a description string for this agreement.
For this example, enter Replication from DirectoryServer-3SP to DirectoryServer-4SP.
Click OK when done.
In the confirmation dialog, click Yes to test the connection to the server and port number.
Use the given replication manager and password 11111111.
If the connection fails, you will still have the option of using this agreement. For example, the parameters are correct but the server is offline. When you have finished, the agreement appears in the list of replication agreements for this master replica.
On DirectoryServer-4SP, in the Directory Server console, display the general properties for the Directory Server instance named fm-users.
Navigate through the tree in the left panel to find the Directory Server instance named fm-users, and click on the instance name to display its general properties.
Click the Open button to display the console for managing the fm-users instance.
Click the Configuration tab and navigate to the Replication pane.
Click the New button.
In the Replication Agreement dialog box, click the Other button.
In the Remote Server dialog box, provide the following information, and then click OK.
DirectoryServer-3SP.siroe.com
1489
Leave this box unmarked.
In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.
By default, the DN is that of the default replication manager.
For the password of the replication manager, enter 11111111.
(Optional) Provide a description string for this agreement.
For this example, enter Replication from DirectoryServer-4SP to DirectoryServer-3SP.
Click OK when done.
In the confirmation dialog, click Yes to test the connection to the server and port number.
Use the given replication manager and password.
If the connection fails, you will still have the option of using this agreement. For example, the parameters are correct but the server is offline. When you have finished, the agreement appears in the list of replication agreements for this master replica.
In the Directory Server 3SP console, navigate through the tree in the left panel to find the Directory Server instance named fm-users.
Click on the instance name to display its general properties.
Double-click the instance name Directory Server (fm-users) in the tree to display the console for managing the data.
Click the Configuration tab and navigate to the Replication pane.
In the list of defined agreements, select the replication agreement corresponding to Directory Server 4SP, the consumer you want to initialize.
Click Action > Initialize remote replica.
A confirmation message warns you that any information already stored in the replica on the consumer will be removed.
In the Confirmation dialog, click Yes.
Online consumer initialization begins immediately. The icon of the replication agreement shows a red gear to indicate the status of the initialization process.
Click Refresh > Continuous Refresh to follow the status of the consumer initialization.
Any messages for the highlighted agreement will appear in the text box below the list.
Verify that replication is working properly.
As a root user, log in to both Directory Server hosts, and start both Directory Server consoles.
Log in to each Directory Server console.
In each Directory Server console, enable the audit log on both Directory Server instances.
Go to Configuration > Logs > Audit Log. Check Enable Logging, and then click Save.
In separate terminal windows , use the tail -f command to watch the audit log files change.
In the Directory Server 3SP console, create a new user entry.
Go to the Directory tab, and right-click the suffix o=siroeusers.com. Then click New > Group.
Name the new group People, and then click OK.
Click People, and then right-click to choose New > User.
In the Create New User dialog, enter a first name and last name, an then click OK.
Note the user entry is created in the instance audit log. Check to be sure the same entry is also created in on DirectoryServer-4SP in the Directory Server instance audit log
In the Directory Server 4SP console, create a new user entry.
Go to the Directory tab, and right—click the suffix o=siroeusers.comClick People, and then right-click to choose New > User.
Delete both new user entries in the Directory Server 4SP console.
Look in the Directory Server 3SP console to verify that both users have been deleted.
In the following procedures, you configure one load balancer in front the Directory Server configuration instances, and one load balancer in front of the Directory Server user data instances.
Use the following as your checklist for configuring the Directory Server load balancers:
Configure Load Balancer 7 for the Directory Server Configuration instances.
Configure Load Balancer 8 for the Directory Server User Data instances.
In this deployment, both Directory Server load balancers are configured for simple persistence. When the load balancer is configured for simple persistence, all Federation Manager requests sent within a specified interval are sent to the same Directory Server for processing. Simple persistence ensures that within the specified interval, no errors or delays occur due to replication time or redirects when retrieving data.
When a request requires information to be written to Directory Server 3SP, that information is also replicated in Directory Server 4SP. But the replication takes time to complete. During that time, if a related request is directed by the load balancer to Directory Server 4SP, the request may fail.
For example, when simple persistence is not configured properly, creating a realm from the Federation Manager administration console could fail in the following way. A request for the parent entry creation is routed to Directory Server 3SP, and a second request to create the subentry is routed to Directory Server 4SP. But if the parent entry request is not yet fully replicated to Directory Server 4SP, the subentry request fails. The result is a partially created realm which may not contain all its subentries such as realm administration roles. Simple persistence eliminates this type of error. When persistence is properly configured, both the parent entry request and the subentry request are routed to Directory Server 3SP. The requests are processed in consecutive order. The parent entry is fully created before the subentry request begins processing.
Contact your network administrator to obtain an available virtual IP address for the load balancer you want to configure.
You must also know the IP address of the load balancer hardware, the URL for the load balancer login page, and a username and password for logging in to the load balancer application.
The load balancer hardware and software used in the lab facility for this deployment is BIG-IP® manufactured by F5 Networks. If you are using different load balancer software, see the documentation that comes with that product for detailed settings information.
You must also have ready the IP addresses for Directory Server 3SP and Directory Server 4SP.
To obtain these IP addresses, on each Directory Server host, run the following command:
ifconfig —a
Create a Pool.
A pool contains all the backend server instances.
Go to URL for the Big IP load balancer login page.
Open the Configuration Utility.
Click “Configure your BIG-IP (R) using the Configuration Utility.”
In the left pane, click Pools.
On the Pools tab, click the Add button.
In the Add Pool dialog, provide the following information:
Example: federation_ds_pool
Round Robin
Add the IP address of both Directory Server hosts. In this example:
192.18.69.135( for DirectoryServer-3SP:1389)
192.18.72.136 (for DirectoryServer-4SP:1389)
Click the Done button.
Add a Virtual Server.
If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.
In the left frame, Click Virtual Servers.
On the Virtual Servers tab, click the Add button.
In the Add a Virtual Server dialog box, provide the following information:
192.18.69.16 (for LoadBalancer-7.siroe.com )
389
federation_ds_pool
Continue to click Next until you reach the Pool Selection dialog box.
In the Pool Selection dialog box, assign the Pool (federation_ds_pool) that you have just created.
Click the Done button.
Add Monitors
Monitors are required for the load balancer to detect the backend server failures.
In the left frame, click Monitors.
Click the Basic Associations tab.
Add an LDAP monitor for the Directory Server 3SP node.
Three columns exist on this page: Node, Node Address, and Service. In the Node column, locate the IP address and port number DirectoryServer-3SP:1389. Select the Add checkbox.
Add an LDAP monitor for the Directory Server 4SP node.
In the Node column, locate the IP address and port number for DirectoryServer-4SP:1389 . Select the Add checkbox.
At the top of the Node column, in the drop-down list, choose tcp .
Click Apply.
Configure the load balancer for simple persistence.
Verify the Directory Server load balancer configuration.
Log in as a root user to the host of each Directory Server.
On each Directory Server host, use the tail command to monitor the Directory Server access log.
# cd /var/opt/mps/serverroot/slapd-DirectorySerer-3SP/logs
# tail -f access
You should see connections to the load balancer IP address opening and closing. Example:
conn=54 op=-1 msgId=-1 — fd=22 slot=22 LDAP connection from 192.18.69.18 to 192.18.72.33
conn=54 op=-1 msgId=-1 — closing — B1
conn=54 op=-1 msgId=-1 — closed.
Execute the following LDAP search against the Directory Server load balancer:
# cd /var/opt/mps/serverroot/shared/bin/ # ./ldapsearch -h LoadBalancer-7.siroe.com -p 389 -b "o=siroe.com" -D "cn=directory manager" -w 11111111 "(objectclass=*)" |
The ldapsearch operation should return entries. Make sure the directory access entries display in only one Directory Server access log.
Stop Directory Server 3SP, and again perform the following LDAP search against the Directory Server load balancer:
# ./ldapsearch -h LoadBalancer-7.siroe.com -p 389 -b "o=siroeusers.com" -D "cn=directory manager" -w 11111111 "(objectclass=*)" |
The ldapsearch operation should return entries. Verify that the Directory Server access entries display in only one Directory Server access log.
If you encounter the following error message:
# ./ldapsearch —h 192.18.69.13 —p 1389 —b “o=siroeusers.com“ —D “cn=Directory Manager” —w 11111111 ldap_simple_bind: Cant' connect to the LDAP server — Connection refused |
You can reset the timeout properties to lower values:
In the load balancer console, click the Monitors tab, and then click the ldap-tcp monitor name.
In the Interval field, set the value to 5.
In the Timeout field, set the value to 16.
Click Apply.
Repeat the LDAP search.
Restart the stopped Directory Server 3SP, and then stop Directory Server 4SP.
Confirm that the requests are forwarded to the running Directory Server 4SP.
Perform the following LDAP search against the Directory Server load balancer.
# ./ldapsearch -h LoadBalancer-7.siroe.com -p 389 -b "o=siroe.com" -D "cn=Directory Manager" -w 11111111 "(objectclass=*)" |
The ldapsearch operation should return entries. Make sure the directory access entries display in only the one Directory Server access log.
Contact your network administrator to obtain an available virtual IP address for the load balancer you want to configure.
You must also know the IP address of the load balancer hardware, the URL for the load balancer login page, and a username and password for logging in to the load balancer application.
The load balancer hardware and software used in the lab facility for this deployment is BIG-IP® manufactured by F5 Networks. If you are using different load balancer software, see the documentation that comes with that product for detailed settings information.
You must also have ready the IP addresses for Directory Server 3SP and Directory Server 4SP.
To obtain these IP addresses, on each Directory Server host, run the following command:
ifconfig —a
Create a Pool.
A pool contains all the backend server instances.
Go to URL for the Big IP load balancer login page.
Open the Configuration Utility.
Click “Configure your BIG-IP (R) using the Configuration Utility.”
In the left pane, click Pools.
On the Pools tab, click the Add button.
In the Add Pool dialog, provide the following information:
Example: federation_users_pool
Round Robin
Add the IP address of both Directory Server hosts. In this example: .
192.18.69.135(for DirectoryServer-3SP:1489)
192.18.72.136 (for DirectoryServer-4SP:1489)
Click the Done button.
Add a Virtual Server.
If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.
In the left frame, Click Virtual Servers.
On the Virtual Servers tab, click the Add button.
In the Add a Virtual Server dialog box, provide the following information:
192.18.69.16 (for LoadBalancer-8.siroe.com )
1389
federation_users_pool
Continue to click Next until you reach the Pool Selection dialog box.
In the Pool Selection dialog box, assign the Pool (federation_users_pool) that you have just created.
Click the Done button.
Add Monitors
Monitors are required for the load balancer to detect the backend server failures.
In the left frame, click Monitors.
Click the Basic Associations tab.
Add an LDAP monitor for the Directory Server 3SP node.
Three columns exist on this page: Node, Node Address, and Service. In the Node column, locate the IP address and port number DirectoryServer-3SP:1489. Select the Add checkbox.
Add an LDAP monitor for the Directory Server 4SP node.
In the Node column, locate the IP address and port number for DirectoryServer-4SP:1489 . Select the Add checkbox.
At the top of the Node column, in the drop-down list, choose ldap-tcp .
Click Apply.
Configure the load balancer for simple persistence.
Verify the Directory Server load-balancer configuration.
Log in as a root user to the host of each Directory Server.
On each Directory Server host, use the tail command to monitor the Directory Server access log.
# cd /var/opt/mps/serverroot/slapd-fm-users/logs
# tail -f access
You should see connections to the load balancer IP address opening and closing. Example:
conn=54 op=-1 msgId=-1 — fd=22 slot=22 LDAP connection from 192.18.69.18 to 192.18.72.33
conn=54 op=-1 msgId=-1 — closing — B1
conn=54 op=-1 msgId=-1 — closed.
Execute the following LDAP search against the Directory Server load balancer:
# cd /var/opt/mps/serverroot/shared/bin/ # ./ldapsearch -h LoadBalancer-8.siroe.com -p 1389 -b "o=siroeusers.com" -D "cn=directory manager" -w 11111111 "(objectclass=*)" |
The ldapsearch operation should return entries. Make sure the directory access entries display in only one Directory Server access log.
Stop Directory Server 3SP, and again perform the following LDAP search against the Directory Server load balancer:
# ./ldapsearch -h LoadBalancer-8.siroe.com -p 1389 -b "o=siroeusers.com" -D "cn=directory manager" -w 11111111 "(objectclass=*)" |
The ldapsearch operation should return entries. Verify that the Directory Server access entries display in only one Directory Server access log.
If you encounter the following error message:
# ./ldapsearch —h 192.18.69.13 —p 1389 —b “o=siroeusers.com“ —D “cn=Directory Manager” —w 11111111 ldap_simple_bind: Cant' connect to the LDAP server — Connection refused
You can reset the timeout properties to lower values:
In the load balancer console, click the Monitors tab, and then click the ldap-tcp monitor name.
In the Interval field, set the value to 5.
In the Timeout field, set the value to 16.
Click Apply.
Repeat the LDAP search.
Restart the stopped Directory Server 3SP, and then stop Directory Server 4SP.
Confirm that the requests are forwarded to the running Directory Server 4SP.
Perform the following LDAP search against the Directory Server load balancer.
# ./ldapsearch -h LoadBalancer-8.siroe.com -p 389 -b "o=siroeusers.com" -D "cn=Directory Manager" -w 11111111 "(objectclass=*)" |
The ldapsearch operation should return entries. Make sure the directory access entries display in only the one Directory Server access log.
This chapter contains detailed information about the following groups of tasks:
5.1 Migrating Federation Manager 1 Configuration from Flat Files to Directory Servers
5.2 Migrating Federation Manager 1 User Data from Flat Files to Directory Servers
5.3 Migrating Federation Manager 2 Configuration from Flat Files to Directory Servers
5.4 Migrating Federation Manager 2 User Data from Flat Files to Directory Servers
5.5 Configuring the Federation Manager Authentication Service to Work with the Directory Servers
Use the following as your checklist for migrating Federation Manager 1 configuration from flat files to the Directory Servers:
The Federation Manager LDIF files are located in the following directory:
/opt/SUNWam/fm/ldif
The file fm_sm_sds_schema.ldif is for use with Sun Directory Server. The file fm_sm_ad_schema.ldif is for use with Microsoft Active Directory.
As a root user, log in to the Federation Manager 1 host.
Load the Federation Manager schema into the Directory Server configuration instance.
# cd /opt/SUNWam/fm/ldif # ldapmodify -D "cn=Directory Manager" -w 11111111 -h LoadBalancer-7.siroe.com -p 389 -f ./fm_sm_sds_schema.ldif |
The ldapmodify utility loads the object classes and service attributes required for Federation Manager services into the Directory Server schema.
On each of the Directory Server hosts, you can watch the error logs for LDIF errors.
# cd /var/opt/mps/serverroot/slapd-fm-config/logs # tail -f errors |
Migrate the Federation Manager services schema from flat files to the Directory Server.
# cd /opt/SUNWam/fm/bin # ./fmff2ds -h LoadBalancer-7.siroe.com -p 389 -r "o=siroe.com" -f /var/opt/SUNWam/fm/federation -u "cn=Directory Manager" -w 11111111 -j /usr/jdk/instances/jdk.5.0 |
Verify that Federation Manager schema was successfully moved to the Directory Server.
Start the Directory Server 3SP console.
# cd /var/opt/mps/serverroot/ # ./startconsole & |
Log in to the Directory Server console.
cn=Directory Manager
11111111
http://DirectoryServer-3SP.siroe.com:1391
In the navigation pane, expand the DirectoryServer-3SP.siroe.com suffix, and expand the Server Group.
Double-click the Directory Server (fm-config) instance, and open its console.
Click the Directory tab.
Under the o=siroe.com suffix, expand the Services object.
All of the Federation Manager services are displayed.
Go the following directory that contains the serverconfig.xml file:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config/ |
Make a backup of the file serverconfig.xml, and then make the following changes in serverconfig.xml:
In the following entry, change the host name and port number attribute values.:
<iPlanetDataAccessLayer> <ServerGroup name="default" minConnPool="1" maxConnPool="10"> <Server name="Server1" host="LoadBalancer-7.siroe.com" port="389" type="SIMPLE" /> <User name="User1" type="proxy"> <DirDN> uid=amadmin,ou=people,o=siroe.com |
Verify that the following user entries exist in the file:
<User name="User1" type="proxy"> <DirDN> uid=amadmin,ou=people,o=siroe.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> <User name="User2" type="admin"~ <DirDN> uid=amadmin,ou=people,o=siroe.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> |
In this deployment example, the proxy user and administrative user have the same DN. In effect, these are the same user. They are both superusers contained in the ou=service branch of the Directory Server. These users have privileges to read, write, and search the Federation Manager configuration. The user amadmin does not exist in the Directory Server at this point.
Add the user amadmin to the Directory Server.
On the Federation Manager 1 host, go to the following directory:
/opt/SUNWam/fm/bin |
Create a file named amadminconfig.ldif with the following entries:
dn=o=siroe.com changetype:modify add:aci dn: ou=People,o=siroe.com changetype: add objectClass: top objectClass: organizationalunit dn: uid=amAdmin,ou=People,o=siroe.com changetype: add objectclass: inetuser objectclass: inetorgperson objectclass: organizationalperson objectclass: person objectclass: top objectClass: iPlanetPreferences objectclass: inetAdmin inetuserstatus: Active cn: amAdmin sn: amAdmin userPassword: 11111111 aci: (target="ldap:///ou=services,*o=siroe.com") (targetattr = "*") (version 3.0; acl "S1IS Top-level Admin Role access allow"; allow (all) userdn = "ldap:///uid=amAdmin,ou=People, o=siroe.com";) |
This LDIF creates a People container and the user amAadmin with the Top-level Admin Role. The user is assigned read, write, and search privileges.
Use the ldapmodify utility to load ./amadminconfig.ldif into the Directory Server 3SP.
# ldapmodify -D "cn=Directory Manager" -w 11111111 -h LoadBalancer-7.siroe.com -f amadminconfig.ldif |
Go to the directory that contains the AMConfig.properties file:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes |
In AMConfig.properties, set the implementation class for the SM data store.
Make a backup of the AMConfig.properties file, and the set the following property:
com.sun.identity.sm.sms_object_class_name=com.sun.identity.sm.ldap.SMSLdapObject |
On the Federation Manager 1 host, run the fmwar command.
#cd /opt/SUNWam/fm/bin # ./fmwar -n federation -d /var/opt/SUNWam/fm/war_staging -s /export/fmsilent |
Undeploy the existing Federation Manager WAR 1 file.
# cd /opt/SUNWwbsvr/bin/https/bin # ./wdeploy delete -u /federation -i FederationManager-1.siroe.com -v https-FederationManager-1.siroe.com -n hard |
The —n hard option deletes the directory where Federation Manager is exported as well as the URI. If you use the —n soft option, only the URI is deleted.
Deploy the customized Federation Manager 1 WAR file.
# ./wdeploy deploy -u /federation -i FederationManager-1.siroe.com -v https-FederationManager-1.siroe.com /var/opt/SUNWam/fm/war_staging/federation.war |
This WAR file contains all the SAMLv2 configuration and Directory Server configuration you completed in the previous tasks.
Restart the Federation Manager web container.
#cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com # ./stop # ./start |
Verify that you can access the Federation Manager 1 server.
In a browser, go to the Federation Manager URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login |
Log in to the Federation Manager console:
amadmin
11111111
If you can log in successfully, the WAR file was deployed successfully.
In a browser, go to the Federation Manager URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login |
Log in to the Federation Manager console:
amadmin
11111111
Click the Configuration tab, and then go to the “System properties | Platform” section of the page.
Add a new entry to the Server List.
In the Server List field, enter the following:
http://FedeartionManager-2.siroe.com:8080|02 |
Click Add.
Click Save, and then log out of the Federation Manager console.
Use the following as your checklist for migrating Federation Manager 1 user data from flat files to Directory Servers:
The Federation Manager LDIF files are located in the following directory:
/opt/SUNWam/saml2/ldif
The file ./saml2_sds_schema.ldif is for use with Sun Directory Server. The file saml2_ad_schema.ldif is for use with Microsoft Active Directory.
Load the Federation Manager schema into the Directory Servers.
# cd /opt/SUNWam/saml2/ldif # ldapmodify -D "cn=Directory Manager" -w 11111111 -h LoadBalancer-8.siroe.com -p 1389 -f saml2_sds_schema.ldif |
The ldapmodify utility loads the object classes and user attributes required for Federation Manager users into the Directory Server schema.
On each of the Directory Server hosts, you can watch the error logs for LDIF errors.
# cd /var/opt/mps/serverroot/slapd-fm-users/logs # tail -f errors |
Create the amadmin suffix in the Directory Server.
Create a file named amadminusers.ldif with the following entries:
dn: ou=People,o=siroeusers.com changetype: add objectClass: top objectClass: organizationalunit dn: uid=amAdmin,ou=People,o=siroeusers.com changetype: add objectclass: inetuser objectclass: inetorgperson objectclass: organizationalperson objectclass: person objectclass: top objectClass: iPlanetPreferences objectclass: inetAdmin inetuserstatus: Active cn: amAdmin sn: amAdmin userPassword: 11111111 dn:o=siroeusers.com changetype:modify add:aci aci: (target="ldap:///*ou=People,o=siroeusers.com") (targetattr = "*") (version 3.0; acl "S1IS Top-level Admin Role access allow"; allow (all) userdn = "ldap:///uid=amAdmin,ou=People, o=siroeusers.com";) |
This LDIF creates a People container and the suffix o=siroeusers.com.
Use the ldapmodify utility to load amadminusers.ldif into the Directory Servers.
# ldapmodify -D "cn=Directory Manager" -w 11111111 -h LoadBalancer-8.siroe.com -p 1389 -f amadminusers.ldif |
In the Federation Manager 1 host, go to the directory that contains the file AMConfig.properties:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/ |
Set the default datastore provider property:
com.sun.identity.common.datastore.provider.default= com.sun.identity.common.LDAPDataStoreProvider |
Save the file.
Go to the directory that contains the file serverconfig.xml:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config |
Make a backup of serverconfig.xml, and then modify the following entry.
Modify the host name, port, and user DNs as in the following example:
<ServerGroup name="userdefault" minConnPool="1" maxConnPool="10"> <Server name="Server1" host="LoadBalancer-8.siroe.com" port="1389" type="SIMPLE" /> <User name="User1" type="proxy"> <DirDN> uid=amadmin,ou=people,o=siroeusers.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> <User name="User2" type="admin"> <DirDN> uid=amadmin,ou=people,o=siroeusers.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> <BaseDN> ou=people,o=siroeusers.com </BaseDN> </ServerGroup> |
Save the file.
Regenerate the redeploy the Federation Manager 1 WAR file.
See To Regenerate and Redeploy the Federation Manager 1 WAR File in this manual.
Use the following as your checklist for migrating Federation Manager 2 configuration from flat files to Directory Servers:
Go the following directory that contains the serverconfig.xml file:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config/ |
Make a backup of the file serverconfig.xml, and then make the following changes in serverconfig.xml:
In the following entry, change the host name and port number attribute values:
<iPlanetDataAccessLayer> <ServerGroup name="default" minConnPool="1" maxConnPool="10"> <Server name="Server1" host="LoadBalancer-7.siroe.com" port="389" type="SIMPLE" /> <User name="User1" type="proxy"> <DirDN> uid=amadmin,ou=people,o=siroe.com |
Verify that the following user entries exist in the file:
<User name="User1" type="proxy"> <DirDN> uid=amadmin,ou=people,o=siroe.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> <User name="User2" type="admin"~ <DirDN> uid=amadmin,ou=people,o=siroe.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> |
In this deployment example, the proxy user and administrative user have the same DN. In effect, these are the same user. They are both superusers contained in the ou=service branch of the Directory Server. These users have privileges to read, write, and search the Federation Manager configuration. The user amadmin does not exist in the Directory Server at this point.
Go to the directory that contains the AMConfig.properties file:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes |
In AMConfig.properties, set the implementation class for the SM data store.
Make a backup of the AMConfig.properties file, and the set the following property:
com.sun.identity.sm.sms_object_class_name=com.sun.identity.sm.ldap.SMSLdapObject |
On the Federation Manager 2 host, run the fmwar command.
#cd /opt/SUNWam/fm/bin # ./fmwar -n federation -d /var/opt/SUNWam/fm/war_staging -s /export/fmsilent |
Undeploy the existing Federation Manager WAR 2 file.
# cd /opt/SUNWwbsvr/bin/https/bin # ./wdeploy delete -u /federation -i FederationManager-2.siroe.com -v https-FederationManager-1.siroe.com -n hard |
The —n hard option deletes the directory where Federation Manager is exported as well as the URI. If you use the —n soft option, only the URI is deleted.
Deploy the customized Federation Manager 2 WAR file.
# ./wdeploy deploy -u /federation -i FederationManager-2.siroe.com -v https-FederationManager-2.siroe.com /var/opt/SUNWam/fm/war_staging/federation.war |
This WAR file contains all the SAMLv2 configuration and Directory Server configuration you completed in the previous tasks.
Restart the Federation Manager web container.
#cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com # ./stop # ./start |
Verify that you can access the Federation Manager 2 server.
In a browser, go to the Federation Manager URL:
http://FederationManager-2.siroe.com:8080/federation/UI/Login |
Log in to the Federation Manager console:
amadmin
11111111
If you can log in successfully, the WAR file was deployed successfully.
Use the following as your checklist for migrating Federation Manager 2 user data from flat files to Directory Servers:
In the Federation Manager 2 host, go to the directory that contains the file AMConfig.properties:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/ |
Make a backup AMConfig.properties, and then in the AMConfig.properties file, set the default datastore provider property:
com.sun.identity.common.datastore.provider.default= com.sun.identity.common.LDAPDataStoreProvider |
Save the file.
Go to the directory that contains the file serverconfig.xml:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config |
Make a backup of serverconfig.xml, and then modify the following entry.
Modify the host name, port, and user DNs as in the following example:
<ServerGroup name="userdefault" minConnPool="1" maxConnPool="10"> <Server name="Server1" host="LoadBalancer-8.siroe.com" port="1389" type="SIMPLE" /> <User name="User1" type="proxy"> <DirDN> uid=amadmin,ou=people,o=siroeusers.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> <User name="User2" type="admin"> <DirDN> uid=amadmin,ou=people,o=siroeusers.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> <BaseDN> ou=people,o=siroeusers.com </BaseDN> </ServerGroup> |
Save the file.
Regenerate the redeploy the Federation Manager 2 WAR file.
See To Regenerate and Redeploy the Federation Manager 2 WAR File.
Restart the Federation Manager web container.
#cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com # ./stop # ./start |
Verify that you can access the Federation Manager 2 server.
In a browser, go to the Federation Manager URL:
http://FederationManager-2.siroe.com:8080/federation/UI/Login |
Log in to the Federation Manager console:
amadmin
11111111
If you can log in successfully, the WAR file was deployed successfully.
Use the following as your checklist for configuring the Federation Manager authentication service:
Go to the Federation Manager 1 URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login
Notice that above the User Name field, the text says “This server uses flat file authentication scheme.”
Log in to the Federation Manager 1 console:
amadmin
11111111
Add a new authentication service.
Click the Organization tab.
Click the Authentication subtab, and then click Add.
In the list of Authentication Modules, select LDAP, and then click Next.
On the LDAP page, provide the following information:
Add LoadBalancer-8.siroe.com:1389.
Add o=siroeusers.com.
cn=fmldapuser,ou=People,o=siroeusers.com
This root DN is used by the authentication module to create a connection to the Directory Server. This eliminates the need to authenticate each user by individual uid.
00000000
00000000
uid
uid
Click Assign.
On the Authentication page, locate the module named Core, and click its Edit link.
On the Core page, provide the following information:
Choose Flatfile, LDAP and SAMLv2.
Add to the list ou=People,o=sirousers.com.
Click Save.
Verify that LDAP is included as an Organizational Attribute.
Click the Configuration tab. On the Configuration tab, under Authentication, click Core.
On the Core page, under Organization Attributes, verify that Flatfile, LDAP, and SAMLv2 are included in the list of Organization Authentication Modules.
In the Directory Server, create a user named fmldapuser.
This user is the Federation Manager user that can access the Directory Server. This user and has read, write, and search permissions in o=siroeusers.com branch of the Directory Server.
Create an LDIF file named fmldapuser.ldif with the following entries:
dn: cn=fmldapuser,ou=People,o=siroeusers.com changetype: add objectclass: inetuser objectclass: organizationalperson objectclass: person objectclass: top cn: fmldapuser sn: fmldapuser userPassword: 00000000 dn:o=siroeusers.com changetype:modify add:aci aci: (target="ldap:///o=siroeusers.com")(targetattr="*") (version 3.0; acl "FM special ldap auth user rights"; allow (read,search) userdn = "ldap:///cn=fmldapuser,ou=People,o=siroeusers.com"; ) |
Load ./fmldapuser.ldif into Directory Server 1.
# ldapmodify -D "cn=Directory Manager" -w d1rm4ngr -h LoadBalancer-8.siroe.com -p 1389 -f ./fmldapuser.ldif |
Change the default authentication module from Flat File to LDAP.
Log in to the Federation Manager 1 host.
Go to the following directory:
/opt/SUNWam/fm/bin |
Create a file named ldap.xml file that contains the following entries:
<?xml version="1.0" encoding="ISO-8859-1"?> <!-- Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved Use is subject to license terms. --> <!DOCTYPE Requests PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN" "jar://com/iplanet/am/admin/cli/amAdmin.dtd"> <!-- CREATE REQUESTS --> <Requests> <OrganizationRequests DN="o=siroe.com"> <ModifyServiceTemplate serviceName="iPlanetAMAuthService" schemaType="Organization"> <AttributeValuePair> Attribute name="iplanet-am-auth-org-config" /> <Value><AttributeValuePair><Value> com.sun.identity.authentication.modules.ldap.LDAP REQUIRED< /Value></AttributeValuePair></Value> </AttributeValuePair> </ModifyServiceTemplate> </OrganizationRequests> </Requests> |
The attributes and AttributeValuePair in bold are the significant changes made to the configuration.
Load ldap.xml.
# ./amadmin -i /var/opt/SUNWam/fm/war-staging -u amadmin -w 11111111 -t ldap.xml |
Go to the following Federation Manager URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login
The Federation Manger login page displays the following message: “This server uses LDAP Authentication.”
Log in to the Federation Manager console:
amadmin
11111111
If you can log in successfully, then the LDAP Authentication module was able to successfully bind to the root user to the fm—config instance of Directory Server 3SP.
Create a test user in the fm-users instance of Directory Server 3SP.
Start the Directory Server 3SP console.
# cd /var/opt/mps/serverroot/ # ./startconsole & |
In Directory Server 3SP, expand the Server Group, and open the fm-users instance.
Open the fm-users console, and click the Directory Tab.
On the Directory Tab, under the o=siroeusers.com suffix, right-click the People container.
Choose New>User.
In the Create New User dialog, provide the following information:
Test
User
testuser1
11111111
Click OK.
Go to the following Federation Manager URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login
Log in to the Federation Manager console:
testuser1
11111111
If you can log in successfully, then the LDAP Authentication module was able to successfully bind the new user to the fm-users instance of Directory Server 3SP.
In this phase of the deployment, you create SAMLv2 metadata that is recognized by and required by the Liberty Identity protocols. Federation Manager provides sample templates that you can modify to suit your environment.
This chapter contains detailed information about the following groups of tasks:
6.2 Configuring Federation Manager 1 to Recognize the New Keystores and Key Files
6.4 Configuring Federation Manager 2 to Recognize the New Keystores and Key Files
6.5 Loading the Access Manager Root CA Certificates into the Federation Manager Servers
Use the Java keytool command to create private keys for XML signing and SAML encryption. Once the keys and stored in a keystore, you extract a certificate request from the keystore, and then submit the request to a trusted Certificate Authority (CA). The trusted CA sends you a certificate which will be used for XML signing.
Use the following as your checklist for configuring the keystore for Federation Manager 1:
Obtain an XML Signing Certificate from a trusted certificate authority.
Obtain an Encryption Certificate from a trusted certificate authority.
As a root user, log in to the Federation Manager 1 host.
Make a directory for creating a keystore. Example:
# cd /etc/opt/SUNWam/ # mkdir config |
Create a keystore with a private key.
A keystore is a database for storing XML signing certificates, your private keys, and your public keys. For detailed information about keystores and about using the keytool utility to create and manage keystores, see http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.
Use the keytool utility that comes with JDK and is installed with Federation Manager. Example:
# cd /etc/opt/SUNWam/config # which keytool /usr/jdk/instances/jdk/1.5.0_06/bin/keytool # keytool -genkey -alias LoadBalancer-9 -keyalg RSA -keysize 1024 -dname "cn=LoadBalancer-9.siroe.com,o=siroe.com" -validity 365 -keystore fmkeystore Enter keystore password: password Enter key password for <LoadBalancer-9> (RETURN if same as keystore password): keypassword |
The keystore password you specify here must be identical to the keystore password you specify when you install a copy of this certificate onto Federation Manager 2. The two Federation Managers will be recognized as a single entity.
Verify that the keystore and private key were created properly.
You should be able to see fmkeystore in the following directory, and verify that the current date is within the certificate's valid date range.
# cd /etc/opt/SUNWam/config # ls -lrt -rw-r--r-- 1 root root 1261 Nov 2 11:03 fmkeystore # keytool -list -keystore fmkeystore -alias LoadBalancer-9 -v # Enter keystore password: password Alias name: LoadBalancer-9 Creation date: Nov 2, 2006 Entry type: keyEntry Certificate chain length: 1 Certificate[1]: Qwner: CN=LoadBalancer-9.siroe.com, O=siroe.com Issuer: CN=LoadBalancer-9.siroe.com, O=siroe.com Serial number: 454a40c1 Valid from: Thu nov 02 11:02:25 PST 2006 until: Fri Nov 02 12:02:25 PDT 2007 Certificate fingerprints: MDS: 60:11:C7:01:51:D0:7C:BC:16:26:E7:C0:54:98:6D:9D SHA1: 37:E7:15:91:45:C0:EF:49:A1:CC:EF:9E:64:6C:E2:1E:52:90:3D:4E |
Submit a request to a trusted certificate authority (CA) for an XML signing certificate.
Create the request.
# cd /etc/opt/SUNWam/config # keytool -certreq -alias LoadBalancer-9 -file fm.certreq -keystore fmkeystore Enter keystore password: password Enter key password for <LoadBalancer-9>: keypassword |
Verify that the request text was successfully generated.
# vi fm.certreq -----BEGIN NEW CERTIFICATE REQUEST----- mllBdjCB4AlBADA3MR1wEAYDVQQKEwlzaXjvZs5jb20xlTAfBgNVBAMTGGxvYWRiYWkhbmNlci05 LnNpcm9IlmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgykCgYEAozsGuaqGlL1Z5j6n+aXYACUh KFpb8f451GG5Eg6Vy862hlstl1b8KaAYARHk0lGjzwb26AiLXlWpDyOmf2hXR91po7oo/Vw/K9Qv qv/+7FDtCBp9DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jlGMba/2eSjeRfsCAwEA AaAAMA0GCSqGSlb3DQEBBAUAA4GBAJ3u+f5mC7AVXErSDucNHZn4Li42ULQBEZmTk3K73U9Ar4wx ex2Ee6lAsPDyb3g4jUmduBSkrSbKyxZhPutVZQTlfHkiLbd6vHWl1K97DedLoWlt9nZAo3xZyBym 6UCH0HYVly/TAL8fhsielElg8lsidlejis(hfkeowhkdlgile27uak9pwnbmqkdigleIDUekdo30 -----END OF NEW CERTIFICATE REQUEST----- |
Follow the instructions provided by your Certificate Authority (CA) for submitting the fm.certreq file and sending the text to the CA.
The CA will process your request, and send you a certificate. When you open the certificate file with an editor, the certificate text will look similar to this:
-----BEGIN CERTIFICATE----- MIIFJQYJKoZIhvcNAQcCoIIFFjCCBRICAQExADAPBgkqhkiG9w0BBwGgAgQAoIIE 9jCCAmAwggIKoAMCAQICAgaKMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJV UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAc BgNVBAoTFVN1biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkg U2VydmljZXMxHDAaBgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDYxMTAy MTkxMTM0WhcNMTAwNzI5MTkxMTM0WjA3MRIwEAYDVQQKEwlzaXJvZS5jb20xITAf BgNVBAMTGGxvYWRiYWxhbmNlci05LnNpcm9lLmNvbTCBnzANBgkqhkiG9w0BAQEF AAOBjQAwgYkCgYEAozsGuaqGlLlZ5J6n+aXYACUhKFpb8f451GG5Eg6Vy862hIst lIb8KaAYARHk0lGjzwb26AiLXIWpDyOmf2hXR91po7oo/Vw/K9Qvqv/+7FDtCBp9 DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jIGMba/2eSJeRfsCAwEA AaNgMF4wEQYJYIZIAYb4QgEBBAQDAgZAMA4GA1UdDwEB/wQEAwIE8DAfBgNVHSME GDAWgBQ7oCE35Uwn7FsjS01w5e3DA1CrrjAYBgNVHREEETAPgQ1tYWxsYUBzdW4u Y29tMA0GCSqGSIb3DQEBBAUAA0EAf+gzgerEagmbtjnpzPXkEdILm3vOXp008VOG u8dZ2hcc2FytYkNbzAESjIw29fUBCSBCSmZQyuLku8jJX9ZxUjCCAo4wggI4oAMC AQICAgMgMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECBMK Q2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1biBN aWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAa BgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDQwODE2MDcwMDAwWhcNMzIw ODE2MDcwMDAwWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx FDASBgNVBAcTC1NhbnRhIENsYXJhMR4wHAYDVQQKExVTdW4gTWljcm9zeXN0ZW1z IEluYy4xGjAYBgNVBAsTEUlkZW50aXR5IFNlcnZpY2VzMRwwGgYDVQQDExNDZXJ0 aWZpY2F0ZSBNYW5hZ2VyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKz8xQGAbn86 19ouxvx4QYtUbRI2AxwsteVlsrSumcG311DHshmnR8HqGZ4jgVN1SnR4YyAwo6jD Dduf6xDOaM8CAwEAAaN2MHQwEQYJYIZIAYb4QgEBBAQDAgAHMA8GA1UdEwEB/wQF MAMBAf8wHQYDVR0OBBYEFDugITflTCfsWyNLTXDl7cMDUKuuMB8GA1UdIwQYMBaA FDugITflTCfsWyNLTXDl7cMDUKuuMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B AQUFAANBAFR1D8PyX2k2E1PKx40ful6+hqjW2k+HmbTV7OcCGJY8JR7y4y/wCE28 a4p6nxYjgdiQDlvoC8aOI+i1elvf9jMxAA== -----END CERTIFICATE----- |
In this deployment example, the certificate text was saved in a text file named fm.certificate.
Import the root CA certificate.
Submit a request to the Certificate Authority for a root CA certificate.
After you receive the root CA certificate, copy the certificate to the following directory:
/etc/opt/SUNWam/config |
Import the root CA certificate:
# keytool -import -alias OpenSSL_CA_Cert -keystore fmkeystore -file ca.cert Enter keystore password: password ... Trust this certificate? [no]: yes Certificate was added to keystore. |
After you receive the certificate from the trusted CA, import the certificate into the Load Balancer 9 keystore.
The alias name that you specify here will be used later in the deployment when you configure the Federation protocols.
# keytool -import -alias LoadBalancer-9 -keystore fmkeystore -file fm.certificate Enter keystore password: password Enter key password for <LoadBalancer-9>: keypassword Top-level certificate in reply: Owner: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US Issuer: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US Serial number:320 Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032 Certificate fingerprints: MDS: CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51 SHA1:9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A ...is not trusted. Install reply anyway? [no]:yes |
Verify that the certificate is properly installed.
When you run this command, note that the Entry Type must be keyEntry as in this example. The keyEntry type contains both private key and the public certificate chain. You will need both of these. The trustedcertEntry type contains only the public key and no private key.
# keytool -list -keystore fmkeystore -alias LoadBalancer-9 -rfc Enter keystore password: password Alias name: LoadBalancer-9 Creation date: Nov 2, 2006 Entry type: keyEntry Certificate chain length: 2 |
Certificate text similar to the following is displayed:
Certificate[1]: -----BEGIN CERTIFICATE----- MIICYDCCAgqgAwIBAgICBoowDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh dGUgTWFuYWdlcjAeFw0wNjExMDIxOTExMzRaFw0xMDA3MjkxOTExMzRaMDcxEjAQBgNVBAoTCXNp cm9lLmNvbTEhMB8GA1UEAxMYbG9hZGJhbGFuY2VyLTkuc2lyb2UuY29tMIGfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQCjOwa5qoaUuVnknqf5pdgAJSEoWlvx/jnUYbkSDpXLzraEiy2UhvwpoBgB EeTSUaPPBvboCItchakPI6Z/aFdH3Wmjuij9XD8r1C+q//7sUO0IGn0ORycddHhoo0aSdnnxGf9V tREaqKm9dJ7Yn7kQHjo2eryMgYxtr/Z5Il5F+wIDAQABo2AwXjARBglghkgBhvhCAQEEBAMCBkAw DgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFDugITflTCfsWyNLTXDl7cMDUKuuMBgGA1UdEQQR MA+BDW1hbGxhQHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQB/6DOB6sRqCZu2OenM9eQR0gube85e nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS -----END CERTIFICATE----- Certificate[2]: -----BEGIN CERTIFICATE----- MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1 biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/ BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw== -----END CERTIFICATE----- |
Certificate [1] is the public key. This is the certificate that is presented to remote parties in a federated environment. Certificate [2] represents the certificate that authenticates the trusted authority or certificate issuer.
The Liberty Identity specification requires all XML files to be signed. You can obtain and use one certificate to use for both signing and encryption. Or as an alternative, you can obtain one certificate to use for signing, and obtain a second certificate to use for encryption. In this deployment, for illustration purposes, one certificate is used for signing, and a second certificate is used for encryption.
As a root user, log in to the Federation Manager 1 host.
amadmin
11111111
Go to the following directory:
/etc/opt/SUNWam/config
Create a keystore with a private key.
# keytool -genkey -alias LoadBalancer-9-enc -keyalg RSA -keysize 1024 -dname "cn=LoadBalancer-9.siroe.com,o=siroe.com" -validity 365 -keystore fmkeystore Enter keystore password: keypassword Enter key password for <LoadBalancer-9-enc> (RETURN if same as keystore password): keypassword |
The key password you specify here must be identical to the key password you specify for the encryption certificate.
Verify that the keystore and private key were created properly.
You should be able to see fmkeystore in the following directory, and verify that the current date is within the certificate's valid date range.
# cd /etc/opt/SUNWam/config # ls -lrt -rw-r--r-- 1 root root 1261 Nov 2 11:03 fmkeystore # keytool -list -keystore fmkeystore -alias LoadBalancer-9-enc -v # Enter keystore password: password Alias name: LoadBalancer-9-enc Creation date: Nov 7, 2006 Entry type: keyEntry Certificate chain length: 2 Certificate[1]: Owner: CN=loadbalancer-9.siroe.com Issuer: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US Serial number: 68f Valid from: Tue Nov 07 15:56:17 PST 2006 until: Tue Aug 03 16:56:17 PDT 2010 Certificate fingerprints: MD5: 69:9C:CF:F6:0D:7E:F4:A7:A8:C3:DC:CD:2F:EC:1A:F4 SHA1: 29:2F:71:98:6B:AD:4C:27:F2:53:08:94:E0:4B:AF:62:96:1F:B0:F0 Certificate[2]: Owner: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US Issuer: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US Serial number: 320 Valid from: Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032 Certificate fingerprints: MD5: CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51 SHA1: 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A |
Submit a request for an encryption certificate.
Create the request.
# cd /etc/opt/SUNWam/config # keytool -certreq -alias LoadBalancer-9-enc -file cert-enc.csr -keystore fmkeystore Enter keystore password: password Enter key password for <LoadBalancer-9-enc>: keypassword |
Verify that the request text was successfully generated.
# vi cert-enc.csr -----BEGIN NEW CERTIFICATE REQUEST----- mllBdjCB4AlBADA3MR1wEAYDVQQKEwlzaXjvZs5jb20xlTAfBgNVBAMTGGxvYWRiYWkhbmNlci05 LnNpcm9IlmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgykCgYEAozsGuaqGlL1Z5j6n+aXYACUh KFpb8f451GG5Eg6Vy862hlstl1b8KaAYARHk0lGjzwb26AiLXlWpDyOmf2hXR91po7oo/Vw/K9Qv qv/+7FDtCBp9DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jlGMba/2eSjeRfsCAwEA AaAAMA0GCSqGSlb3DQEBBAUAA4GBAJ3u+f5mC7AVXErSDucNHZn4Li42ULQBEZmTk3K73U9Ar4wx ex2Ee6lAsPDyb3g4jUmduBSkrSbKyxZhPutVZQTlfHkiLbd6vHWl1K97DedLoWlt9nZAo3xZyBym 6UCH0HYVly/TAL8fhsielElg8lsidlejis(hfkeowhkdlgile27uak9pwnbmqkdigleIDUekdo30 -----END OF NEW CERTIFICATE REQUEST----- |
Follow the instructions provided by your Certificate Authority (CA) for submitting the cert-enc.csr file and sending the text to the CA.
The CA will process your request, and send you a certificate. When you open the certificate file with an editor, the certificate text will look similar to this:
-----BEGIN CERTIFICATE----- MIIFJQYJKoZIhvcNAQcCoIIFFjCCBRICAQExADAPBgkqhkiG9w0BBwGgAgQAoIIE 9jCCAmAwggIKoAMCAQICAgaKMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJV UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAc BgNVBAoTFVN1biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkg U2VydmljZXMxHDAaBgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDYxMTAy MTkxMTM0WhcNMTAwNzI5MTkxMTM0WjA3MRIwEAYDVQQKEwlzaXJvZS5jb20xITAf BgNVBAMTGGxvYWRiYWxhbmNlci05LnNpcm9lLmNvbTCBnzANBgkqhkiG9w0BAQEF AAOBjQAwgYkCgYEAozsGuaqGlLlZ5J6n+aXYACUhKFpb8f451GG5Eg6Vy862hIst lIb8KaAYARHk0lGjzwb26AiLXIWpDyOmf2hXR91po7oo/Vw/K9Qvqv/+7FDtCBp9 DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jIGMba/2eSJeRfsCAwEA AaNgMF4wEQYJYIZIAYb4QgEBBAQDAgZAMA4GA1UdDwEB/wQEAwIE8DAfBgNVHSME GDAWgBQ7oCE35Uwn7FsjS01w5e3DA1CrrjAYBgNVHREEETAPgQ1tYWxsYUBzdW4u Y29tMA0GCSqGSIb3DQEBBAUAA0EAf+gzgerEagmbtjnpzPXkEdILm3vOXp008VOG u8dZ2hcc2FytYkNbzAESjIw29fUBCSBCSmZQyuLku8jJX9ZxUjCCAo4wggI4oAMC AQICAgMgMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECBMK Q2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1biBN aWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAa BgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDQwODE2MDcwMDAwWhcNMzIw ODE2MDcwMDAwWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx FDASBgNVBAcTC1NhbnRhIENsYXJhMR4wHAYDVQQKExVTdW4gTWljcm9zeXN0ZW1z IEluYy4xGjAYBgNVBAsTEUlkZW50aXR5IFNlcnZpY2VzMRwwGgYDVQQDExNDZXJ0 aWZpY2F0ZSBNYW5hZ2VyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKz8xQGAbn86 19ouxvx4QYtUbRI2AxwsteVlsrSumcG311DHshmnR8HqGZ4jgVN1SnR4YyAwo6jD Dduf6xDOaM8CAwEAAaN2MHQwEQYJYIZIAYb4QgEBBAQDAgAHMA8GA1UdEwEB/wQF MAMBAf8wHQYDVR0OBBYEFDugITflTCfsWyNLTXDl7cMDUKuuMB8GA1UdIwQYMBaA FDugITflTCfsWyNLTXDl7cMDUKuuMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B AQUFAANBAFR1D8PyX2k2E1PKx40ful6+hqjW2k+HmbTV7OcCGJY8JR7y4y/wCE28 a4p6nxYjgdiQDlvoC8aOI+i1elvf9jMxAA== -----END CERTIFICATE----- |
In this deployment example, the certificate text was saved in a text file named fm-enc.
Import the certificate into the Load Balancer 9 keystore.
# keytool -import -alias LoadBalancer-9-enc -keystore fmkeystore -file fm-enc Enter keystore password: password Enter key password for <LoadBalancer-9-enc>: keypassword Top-level certificate in reply: Owner: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US Issuer: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US Serial number:320 Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032 Certificate fingerprints: MDS: CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51 SHA1:9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A ...is not trusted. Install reply anyway? [no]:yes |
Verify that the certificate is properly installed.
When you run this command, note that the Entry Type must be keyEntry as in this example. The keyEntry type contains both private key and the public certificate chain. You will need both of these. The trustedcertEntry type contains only the public key and no private key.
# keytool -list -keystore fmkeystore -alias LoadBalancer-9-enc -rfc Enter keystore password: password Alias name: LoadBalancer-9-enc Creation date: Nov 2, 2006 Entry type: keyEntry Certificate chain length: 2 |
Certificate text similar to the following is displayed:
-----BEGIN CERTIFICATE----- MIICYDCCAgqgAwIBAgICBoowDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh dGUgTWFuYWdlcjAeFw0wNjExMDIxOTExMzRaFw0xMDA3MjkxOTExMzRaMDcxEjAQBgNVBAoTCXNp cm9lLmNvbTEhMB8GA1UEAxMYbG9hZGJhbGFuY2VyLTkuc2lyb2UuY29tMIGfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQCjOwa5qoaUuVnknqf5pdgAJSEoWlvx/jnUYbkSDpXLzraEiy2UhvwpoBgB EeTSUaPPBvboCItchakPI6Z/aFdH3Wmjuij9XD8r1C+q//7sUO0IGn0ORycddHhoo0aSdnnxGf9V tREaqKm9dJ7Yn7kQHjo2eryMgYxtr/Z5Il5F+wIDAQABo2AwXjARBglghkgBhvhCAQEEBAMCBkAw DgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFDugITflTCfsWyNLTXDl7cMDUKuuMBgGA1UdEQQR MA+BDW1hbGxhQHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQB/6DOB6sRqCZu2OenM9eQR0gube85e nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS -----END CERTIFICATE----- Certificate[2]: -----BEGIN CERTIFICATE----- MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1 biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/ BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw== -----END CERTIFICATE----- |
Certificate [1] is the public key. This is the certificate that is presented to remote parties in a federated environment. Certificate [2] represents the certificate that authenticates the trusted authority or certificate issuer.
The XML signature provider, the XML encryption provider, and the Federation Manager servers use the keystore configuration in the AMConfig.properties file for signing purposes. By default, Federation Manager supports multiple XML signature algorithms. In this deployment example, you explicitly specify the RSA signature algorithm by setting the appropriate property in the AMConfig.properties file.
Be sure that you are using the recommended version of the keytool utility. Example:
# which keytool /usr/jdk/instances/jdk/1.5.0_06/bin/keytool |
Use the following as your checklist for configuring Federation Manager 1:
Create a .storepass file.
# /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging -e password >/etc/opt/SUNWam/config/.storepass |
Create a .keypass file.
# /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging -e keypassword >/etc/opt/SUNWam/config/.keypass |
Go to the following directory:
/var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/ |
Make a backup of the AMConfig.properties file before you make changes.
In AMConfig.properties, set the following properties as in this example:
com.sun.identity.saml.xmlsig.keystore=/etc/opt/SUNWam/config/fmkeystore com.sun.identity.saml.xmlsig.storepass=/etc/opt/SUNWam/config/.storepass com.sun.identity.saml.xmlsig.keypass=/etc/opt/SUNWam/config/.keypass com.sun.identity.saml.xmlsig.certalias=LoadBalancer-9 ... com.sun.identity.jss.donotInstallAtHighestPriorty=true |
Uncomment the following property, and set the value as in this example:
com.sun.identity.saml.xmlsig.xmlSigAlgorithm= http://www.w3.org/2000/09/xmldsig#rsa-sha1 |
Save the file.
Regenerate and redeploy the Federation Manager 1 WAR file.
See To Regenerate and Redeploy the Federation Manager 1 WAR File in this manual.
The XML signing certificates must be identical on both Federation Manager instances. This ensures that when the SAMLv2 metadata is published, the metadata represents both Federation Manager instances as a single entity. In this procedure you copy the XML signing certificate from Federation Manager 1 and install the certificate on Federation Manager 2.
As a root user, log in to the Federation Manager 2 host.
Make a directory for creating a keystore. Example:
# cd /etc/opt/SUNWam # mkdir config |
Copy into this directory the keystore files that were created for Federation Manager 1.
Verify that the certificate is properly installed.
When you run this command, note that the Entry Type must be keyEntry as in this example. The keyEntry type contains both private key and the public certificate chain. You will need both of these. The trustedcertEntry type contains only the public key and no private key.
# keytool -list -keystore fmkeystore -alias LoadBalancer-9 -rfc Enter keystore password: password Alias name: LoadBalancer-9 Creation date: Nov 2, 2006 Entry type: keyEntry Certificate chain length: 2 |
Certificate text similar to the following is displayed:
Certificate[1]: -----BEGIN CERTIFICATE----- MIICYDCCAgqgAwIBAgICBoowDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh dGUgTWFuYWdlcjAeFw0wNjExMDIxOTExMzRaFw0xMDA3MjkxOTExMzRaMDcxEjAQBgNVBAoTCXNp cm9lLmNvbTEhMB8GA1UEAxMYbG9hZGJhbGFuY2VyLTkuc2lyb2UuY29tMIGfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQCjOwa5qoaUuVnknqf5pdgAJSEoWlvx/jnUYbkSDpXLzraEiy2UhvwpoBgB EeTSUaPPBvboCItchakPI6Z/aFdH3Wmjuij9XD8r1C+q//7sUO0IGn0ORycddHhoo0aSdnnxGf9V tREaqKm9dJ7Yn7kQHjo2eryMgYxtr/Z5Il5F+wIDAQABo2AwXjARBglghkgBhvhCAQEEBAMCBkAw DgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFDugITflTCfsWyNLTXDl7cMDUKuuMBgGA1UdEQQR MA+BDW1hbGxhQHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQB/6DOB6sRqCZu2OenM9eQR0gube85e nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS -----END CERTIFICATE----- Certificate[2]: -----BEGIN CERTIFICATE----- MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1 biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/ BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw== -----END CERTIFICATE----- |
Certificate [1] is the public key. This is the certificate that is presented to remote parties in a federated environment. Certificate [2] represents the certificate that authenticates the trusted authority or certificate issuer.
The XML signature provider, the XML encryption provider, and the Federation Manager servers use the keystore configuration in the AMConfig.properties file for signing purposes. By default, Federation Manager supports multiple XML signature algorithms. In this deployment example, you explicitly specify the RSA signature algorithm by setting the appropriate property in the AMConfig.properties file.
Use the following as your checklist for configuring Federation Manager 2 to recognize the new keystores and key files:
Create a .storepass file.
# /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging -e password >/etc/opt/SUNWam/config/.storepass |
Create a .keypass file.
# /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging -e keypassword >/etc/opt/SUNWam/config/.keypass |
Go to the following directory:
/var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/ |
Make a backup of the AMConfig.properties file before you make changes.
In AMConfig.properties, set the following properties as in this example:
com.sun.identity.saml.xmlsig.keystore=/etc/opt/SUNWam/config/fmkeystore com.sun.identity.saml.xmlsig.storepass=/etc/opt/SUNWam/config/.storepass com.sun.identity.saml.xmlsig.keypass=/etc/opt/SUNWam/config/.keypass com.sun.identity.saml.xmlsig.certalias=LoadBalancer-9 ... com.sun.identity.jss.donotInstallAtHighestPriorty=true |
Uncomment the following property, and set the value as in this example:
com.sun.identity.saml.xmlsig.xmlSigAlgorithm= http://www.w3.org/2000/09/xmldsig#rsa-sha1 |
Save the file.
Regenerate and redeploy the Federation Manager 2 WAR file.
See To Regenerate and Redeploy the Federation Manager 2 WAR File.
In this procedure you import a root CA certificate from Access Manager 1 into the JDK trusted CA certificate for the Federation Manager servers. This step is not necessary if you are using one of the root CA certificates that come with JDK by default. The JDK default root CA certificates come from Verisign, Thwarte, and other major certificate issuers. In this deployment example, root CA certificates were obtained from certificate issuers that JDK does not recognize by default. So in this deployment example, the following procedure is necessary to establish trust among the local SSO provider (Federation Manager) and remote SSO providers (such as Access Manager).
Load the root CA certificate into the Federation Manager 1 web container.
Load the root CA certificate into the Federation Manager 2 web container.
As a root user, log into the Federation Manager 1 host.
Locate the JAVAHOME directory and JDK keystore directory for the Federation Manager 1 web container.
#cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/config # view server.xml |
Locate the following JAVA javahome entry. In this deployment example, it looks like this:
<JAVA javahome="/usr/jdk/entsys-j2se" |
To find the JDK keystore file, append the following to the javahome path:
/jre/lib/security |
For example, in this deployment example, the JDK keystore is in the following directory:
/usr/jdk/entsys-j2se/jre/lib/security |
This directory contains the Federation Manager trusted CA files.
Obtain a copy of the Access Manager 1 root CA certificate.
You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Access Manager 1 host.
In this deployment example, the Access Manager 1 root CA certificate has already been copied to the following directory on Federation Manager 1:
/net/slapd/export/share/cacert |
Import the Access Manager root CA certificate into the Federation Manager JDK keystore.
The alias rootCA represents the name of the root CA certificate you want to import.
# cd /usr/jdk/entsys-j2se/jre/lib/security # keytool -import -keystore cacerts -alias rootCA -file /net/slapd/export/share/cacert Enter keystore password: changeit Owner: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US Issuer: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US Serial number:320 Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032 Certificate fingerprints: MDS: CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51 SHA1:9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A Trust this certificate? [no]: yes Certificate was added to keystore. |
To verify that the root CA certificate was successfully imported, run the list command:
# cd /usr/jdk/instances/jdk1.5.0/jre/lib/security # keytool -list -keystore cacerts -alias rootCA -rfc Enter keystore password: changeit Alias name: rootCA Creation date: Mar 9, 2007 Entry type: trustedCertEntry -----BEGIN CERTIFICATE----- MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1 biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/ BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw== -----END CERTIFICATE----- |
As a root user, log into the Federation Manager 2 host.
Locate the JAVAHOME directory and JDK keystore directory for the Federation Manager 2 web container.
#cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/config # view server.xml |
Locate the following JAVA javahome entry. In this deployment example, it looks like this:
<JAVA javahome="/usr/jdk/entsys-j2se" |
To find the JDK keystore file, append the following to the javahome path:
/jre/lib/security |
For example, in this deployment example, the JDK keystore is in the following directory:
/usr/jdk/entsys-j2se/jre/lib/security |
This directory contains the Federation Manager JDK trusted CA files.
Obtain a copy of the Access Manager 1 root CA certificate.
You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Access Manager 1 host.
In this deployment example, the Access Manager 1 root CA certificate has already been copied to the following directory on Federation Manager 1:
/net/slapd/export/share/cacert |
Import the Access Manager 1 root CA certificate into the Federation Manager 2 JDK keystore.
The alias rootCA represents the name of the root CA certificate you want to import.
# cd /usr/jdk/entsys-j2se/jre/lib/security # keytool -import -keystore cacerts -alias rootCA -file /net/slapd/export/share/cacert Enter keystore password: changeit Owner: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US Issuer: CN=Certificate Manager, OU=Identity Services, O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US Serial number:320 Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032 Certificate fingerprints: MDS: CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51 SHA1:9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A Trust this certificate? [no]: yes Certificate was added to keystore. |
To verify that the root CA certificate was successfully imported, run the list command:
# cd /usr/jdk/instances/jdk1.5.0/jre/lib/security # keytool -list -keystore cacerts -alias rootCA -rfc Enter keystore password: changeit Alias name: rootCA Creation date: Mar 9, 2007 Entry type: trustedCertEntry -----BEGIN CERTIFICATE----- MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1 biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/ BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw== -----END CERTIFICATE----- |
Use the following as your checklist for configuring SAMLv2 metadata for the Federation Manager servers:
When you create metadata for the Service Provider, the Service Provider entity is added to a circle of trust. A circle of trust is used to group Service Providers and Identity Providers in a secure, trusted environment. Other remote provider entities can be added to the circle of trust. Whenever the SAMLv2 protocol is initiated, the SAMLv2 plug-in determines which circle of trust the requesting entity belongs to, and what other providers are available to interact with it. All entities within the same circle of trust can participate in the SAMLv2 protocols.
As a root user, log into the Federation Manager 1 host.
Run the cotcreate command:
# /opt/SUNWam/saml2/bin/saml2meta -i /var/opt/SUNWam/fm/war_staging cotcreate -u amadmin -w 11111111 -t saml2_circle_of_trust Circle of trust "saml2_circle_of_trust" is created successfully. |
Federation Manager provides two metadata templates you can customize to meet your needs. For examples of customized metadata templates, see 7.2.1 Sample Metadata Template Files at the end of this section.
When you customize the metadata XML files, you must enter the entityID attribute using lowercase letters. For example, for the host LoadBalancer-9.siroe.com, enter the entityIDas loadbalancer-9.siroe.com. The entityID will not be recognized if you use mixed case letters.
Log in as a root user to the host FederationManager–1.
Go to the following directory:
/opt/SUNWam/saml2/bin |
Generate the SAMLv2 template files.
# ./saml2meta -i /var/opt/SUNWam/fm/war_staging template -u amadmin -w 11111111 -e loadbalancer-9.siroe.com -s /sp -a LoadBalancer-9 -f LoadBalancer-9-enc -m /etc/opt/SUNWam/config/saml2-sp-template.xml -x /etc/opt/SUNWam/config/saml2-sp-extented-template.xml |
The saml2-sp-extended-template.xmlis similar to the standard saml2-sp-template.xml file. However, the extended file contains data about the SAMLv2 plug-in that is specific to Federation Manager.
Customize the saml2–sp-template.xml file.
When the file is first generated, default values are automatically generated and placed in the file. You must manually change these values to match the actual deployment environment. In this deployment example, a load balancer with SSL termination is being used. So you must modify the file to use the HTTPS protocol and the load balancer service URL.
# vi /etc/opt/SUNWam/config/saml2-sp-template.xml |
In each Location URL and each ResponseLocation URL, change the protocol http to https.
Search for each occurrence of Location and ResponseLocation to be sure you have changed each URL.
Globally change all occurrences of FederationManager-1 to loadbalancer-9.
Globally change all occurrences of 8080 to 3443.
Save the file.
Customize the saml2-sp-extended-template.xml file.
# vi /etc/opt/SUNWam/config/saml2-sp-extended-template.xml |
Modify the following attribute-pair values to enable XML signing.
<Attribute name="wantArtifactResponseSigned"> <Value>true</Value> <Attribute name="wantLogoutRequestSigned"> <Value>true</Value> <Attribute name="wantLogoutResponseSigned"> <Value>true</Value> <Attribute name="wantMNIRequestSigned"> <Value>true</Value> <Attribute name="wantMNIResponseSigned"> <Value>true</Value> <Attribute name="cotlist"> <Value>saml2_circle_of_trust</Value> |
Load the metadata.
In the following examples, changes to the file are indicated in bold.
When you customize the metadata XML files, you must enter the entityID attribute using lowercase letters. For example, for the host LoadBalancer-9.siroe.com, enter the entityIDas loadbalancer-9.siroe.com. The entityID will not be recognized if you use mixed case letters.
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="loadbalancer-9.siroe.com"> <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration= "urn:oasis:names:tc:SAML:2.0:protocol"> <KeyDescriptor use="signing"> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <X509Data> <X509Certificate> MIICYDCCAgqgAwIBAgICBoowDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh dGUgTWFuYWdlcjAeFw0wNjExMDIxOTExMzRaFw0xMDA3MjkxOTExMzRaMDcxEjAQBgNVBAoTCXNp cm9lLmNvbTEhMB8GA1UEAxMYbG9hZGJhbGFuY2VyLTkuc2lyb2UuY29tMIGfMA0GCSqGSIb3DQEB AQUAA4GNADCBiQKBgQCjOwa5qoaUuVnknqf5pdgAJSEoWlvx/jnUYbkSDpXLzraEiy2UhvwpoBgB EeTSUaPPBvboCItchakPI6Z/aFdH3Wmjuij9XD8r1C+q//7sUO0IGn0ORycddHhoo0aSdnnxGf9V tREaqKm9dJ7Yn7kQHjo2eryMgYxtr/Z5Il5F+wIDAQABo2AwXjARBglghkgBhvhCAQEEBAMCBkAw DgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFDugITflTCfsWyNLTXDl7cMDUKuuMBgGA1UdEQQR MA+BDW1hbGxhQHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQB/6DOB6sRqCZu2OenM9eQR0gube85e nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS </X509Certificate> </X509Data> </KeyInfo> </KeyDescriptor> <KeyDescriptor use="encryption"> <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"> <X509Data> <X509Certificate> MIICTDCCAfagAwIBAgICBo8wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh dGUgTWFuYWdlcjAeFw0wNjExMDcyMzU2MTdaFw0xMDA4MDMyMzU2MTdaMCMxITAfBgNVBAMTGGxv YWRiYWxhbmNlci05LnNpcm9lLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAw574iRU6 HsSO4LXW/OGTXyfsbGv6XRVOoy3v+J1pZ51KKejcDjDJXNkKGn3/356AwIaqbcymWd59T0zSqYfR Hn+45uyjYxRBmVJseLpVnOXLub9jsjULfGx0yjH4w+KsZSZCXatoCHbj/RJtkzuZY6V9to/hkH3S InQB4a3UAgMCAwEAAaNgMF4wEQYJYIZIAYb4QgEBBAQDAgZAMA4GA1UdDwEB/wQEAwIE8DAfBgNV HSMEGDAWgBQ7oCE35Uwn7FsjS01w5e3DA1CrrjAYBgNVHREEETAPgQ1tYWxsYUBzdW4uY29tMA0G CSqGSIb3DQEBBAUAA0EAMlbfBg/ff0Xkv4DOR5LEqmfTZKqgdlD81cXynfzlF7XfnOqI6hPIA90I x5Ql0ejivIJAYcMGUyA+/YwJg2FGoA== </X509Certificate> </X509Data> </KeyInfo> <EncryptionMethod Algorithm= "https://www.w3.org/2001/04/xmlenc#aes128-cbc"> <KeySize xmlns="https://www.w3.org/2001/04/xmlenc#">128</KeySize> </EncryptionMethod> </KeyDescriptor> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://LoadBalancer-9.siroe.com:3443/federation/ SPSloRedirect/metaAlias/sp" ResponseLocation="https://LoadBalancer-9.siroe.com:3443/ federation/SPSloRedirect/metaAlias/sp"/> <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://LoadBalancer-9.siroe.com:3443/ federation/SPSloSoap/metaAlias/sp"/> <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://LoadBalancer-9.siroe.com:3443/federation/ SPMniRedirect/metaAlias/sp" ResponseLocation="https://LoadBalancer-9.siroe.com:3443/ federation/SPMniRedirect/metaAlias/sp"/> <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://LoadBalancer-9.siroe.com:3443/ federation/SPMniSoap/metaAlias/sp" ResponseLocation="https://LoadBalancer-9.siroe.com:3443/ federation/SPMniSoap/metaAlias/sp"/> <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent </NameIDFormat> <NameIDFormat> urn:oasis:names:tc:SAML:2.0:nameid-format:transient </NameIDFormat> <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://LoadBalancer-9.siroe.com:3443/ federation/Consumer/metaAlias/sp"/> <AssertionConsumerService index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://LoadBalancer-9.siroe.com:3443/ federation/Consumer/metaAlias/sp"/> </SPSSODescriptor> </EntityDescriptor> |
<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig" hosted="1" entityID="loadbalancer-9.siroe.com"> <SPSSOConfig metaAlias="/sp"> <Attribute name="signingCertAlias"> <Value>LoadBalancer-9</Value> </Attribute> <Attribute name="encryptionCertAlias"> <Value>LoadBalancer-9-enc</Value> </Attribute> <Attribute name="basicAuthOn"> <Value>false</Value> </Attribute> <Attribute name="basicAuthUser"> <Value></Value> </Attribute> <Attribute name="basicAuthPassword"> <Value></Value> </Attribute> <Attribute name="autofedEnabled"> <Value>false</Value> </Attribute> <Attribute name="autofedAttribute"> <Value></Value> </Attribute> <Attribute name="transientUser"> <Value></Value> </Attribute> <Attribute name="spAccountMapper"> <Value>com.sun.identity.saml2.plugins.DefaultSPAccountMapper</Value> </Attribute> <Attribute name="spAttributeMapper"> <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value> </Attribute> <Attribute name="spAuthncontextMapper"> <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value> </Attribute> <Attribute name="spAuthncontextClassrefMapping"> <Value>PasswordProtectedTransport|0|default</Value> </Attribute> <Attribute name="spAuthncontextComparisonType"> <Value>exact</Value> </Attribute> <Attribute name="attributeMap"> <Value></Value> </Attribute> <Attribute name="saml2AuthModuleName"> <Value></Value> </Attribute> <Attribute name="localAuthURL"> <Value></Value> </Attribute> <Attribute name="intermediateUrl"> <Value></Value> </Attribute> <Attribute name="defaultRelayState"> <Value></Value> </Attribute> <Attribute name="assertionTimeSkew"> <Value>300</Value> </Attribute> <Attribute name="wantAttributeEncrypted"> <Value></Value> </Attribute> <Attribute name="wantAssertionEncrypted"> <Value></Value> </Attribute> <Attribute name="wantNameIDEncrypted"> <Value></Value> </Attribute> <Attribute name="wantArtifactResponseSigned"> <Value>true</Value> </Attribute> <Attribute name="wantLogoutRequestSigned"> <Value>true</Value> </Attribute> <Attribute name="wantLogoutResponseSigned "> <Value>true</Value> </Attribute> <Attribute name="wantMNIRequestSigned"> <Value>true</Value> </Attribute> <Attribute name="wantMNIResponseSigned"> <Value>true</Value> </Attribute> <Attribute name="cotlist"> <Value>saml2_cirlce_of_trust</Value> </Attribute> </SPSSOConfig> </EntityConfig> |
When you load the SAMLv2 metadata into Directory Server, the Service Provider entity configuration is created. The entity configuration enables the SAMLv2 plug-in to recognize all SAMLv2 protocol URLs. The SAMLv2 metadata is also used for exchanging data with remote parties.
Load the customized saml2-sp-template.xml and saml2-sp-extended-template.xml configuration files using the following command:
# /opt/SUNWam/saml2/bin/saml2meta -i /var/opt/SUNWam/fm/war_staging import -u amadmin -w 11111111 -m /etc/opt/SUNWam/config/saml2-sp-template.xml -x /etc/opt/SUNWam/config/saml2-sp-extended-template.xml |
If the files do not load successfully, be sure that all entityID attributes in the files are entered using lowercase letters. The entityID attribute is not recognized if mixed case letters are used.