Sun OpenSSO Enterprise 8.0 includes features such as access management, federation management, and web services security that are found in earlier releases of Sun Java System Access Manager and Sun Java System Federation Manager. However, OpenSSO Enterprise also includes many new features, which are described in the OpenSSO Enterprise 8.0 Release Notes and the OpenSSO Enterprise 8.0 Technical Overview.
OpenSSO Enterprise is available as a web archive (WAR) file on the following site:
http://www.sun.com/software/products/opensso_enterprise
Before you install and configure OpenSSO Enterprise:
Requirement | Description |
---|---|
File system | If you plan to use the OpenSSO configuration data store, you must deploy OpenSSO Enterprise on a local file system and not on an NFS-mounted file system. The OpenSSO configuration data store, which is deployed with OpenSSO Enterprise, is not supported on an NFS-mounted file system. |
Web container | One of the following web containers must be running on the host server where you plan to deploy OpenSSO Enterprise: Note: These web container versions and any subsequent updates to the version are supported. For more information about supported versions and open issues for each web container, see the Sun OpenSSO Enterprise 8.0 Release Notes. |
Configuration Data Store | OpenSSO Enterprise requires a data store for its configuration data, which you select when you run the GUI or command-line Configurator: |
User Data Store | OpenSSO Enterprise also requires a data store for its user data: |
Password encryption key | If you are deploying OpenSSO Enterprise in a multiple server deployment, you must use the same password encryption key value for each OpenSSO Enterprise instance. Copy the encryption key value from the first instance and then use this value when you configure each additional instance. |
Web container runtime user permissions | If the runtime user of the OpenSSO Enterprise web container instance is a non-root user, this user must be able to write to its own home directory. For example, if you are installing Sun Java System Web Server, the default runtime user for the Web Server instance is webservd. On Solaris systems, the webservd user has the following entry in the /etc/passwd file: `webservd:x:80:80:WebServer Reserved UID:/:` The webservd user does not have permission to write to its default home directory (/). Therefore, you must change the permissions to allow the webservd user to write to its default home directory. Otherwise, the webservd user will encounter an error after you configure OpenSSO Enterprise using the Configurator. |
Mode | OpenSSO Enterprise is always deployed in Realm Mode. |
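A preflight check for two of the requirements listed above (a local, non-NFS file system and a home directory that the web container's runtime user can write to), as an added example that is not part of the Sun documentation. The function names, the deployment directories, the appuser account and the mount table are assumptions made for illustration; the webservd entry is the one quoted above.

```shell
#!/bin/sh
# Added example: preflight checks for the file-system and runtime-user rows.

# Print the home directory (field 6) of user $1 from passwd-format file $2.
home_of() {
    awk -F: -v u="$1" '$1 == u { print $6; found = 1; exit }
                       END { exit !found }' "${2:-/etc/passwd}"
}

# Print the file-system type of the mount holding path $1, read from mount
# table $2. Solaris /etc/mnttab and Linux /proc/mounts both keep the mount
# point in field 2 and the type in field 3; the longest matching prefix wins.
fstype_of() {
    awk -v p="$1" '
        { mp = $2
          if ((mp == "/" || p == mp || index(p, mp "/") == 1) && length(mp) > best) {
              best = length(mp); t = $3 } }
        END { if (t == "") exit 1; print t }' "$2"
}

# usage: preflight USER DEPLOY_DIR PASSWD_FILE MOUNT_TABLE
# Run it as the runtime user: [ -w ] tests the caller's own access.
preflight() {
    rc=0
    home=$(home_of "$1" "$3") || { echo "no passwd entry for $1"; return 2; }
    [ -d "$home" ] && [ -w "$home" ] ||
        { echo "FAIL: $1 cannot write to its home directory $home"; rc=1; }
    fstype=$(fstype_of "$2" "$4") || { echo "no mount entry covers $2"; return 2; }
    case $fstype in
        nfs*) echo "FAIL: $2 is on $fstype, not a local file system"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample data: the webservd entry quoted above, a made-up appuser
# whose home is a scratch directory, and a made-up two-line mount table.
demo=$(mktemp -d)
printf '%s\n' 'webservd:x:80:80:WebServer Reserved UID:/:' \
              "appuser:x:1001:1001::$demo:/bin/sh" > "$demo/passwd"
printf '%s\n' '/dev/dsk/c0t0d0s0 / ufs rw 0' \
              'filer:/export /export/sso nfs rw 0' > "$demo/mnttab"
preflight webservd /export/sso/opensso "$demo/passwd" "$demo/mnttab" || true
preflight appuser /var/opt/opensso "$demo/passwd" "$demo/mnttab" && echo "appuser: ok"
```

On a real host, pass /etc/passwd and /etc/mnttab (Solaris) or /proc/mounts (Linux) in place of the constructed files.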
Before you install and configure OpenSSO Enterprise, here are a few changes to consider:
You install OpenSSO Enterprise from the opensso.war file, using the web container administration console or deployment command. You no longer run a standalone installer.
You initially configure OpenSSO Enterprise using the GUI or command-line Configurator. Then, to perform additional configuration, you use either the Administration Console or command-line utilities such as the new ssoadm utility. You no longer run the amconfig script with the amsamplesilent file.
Configuration data, including policy agent configuration data, is stored in a centralized repository. This repository can be either Sun Java System Directory Server or the OpenSSO data store (which is usually transparent to the user). OpenSSO Enterprise does not use the AMConfig.properties or serverconfig.xml files, except for co-existence with previous versions of Access Manager.
To install and configure an instance of OpenSSO Enterprise server, follow these general steps:
Check the Sun OpenSSO Enterprise 8.0 Release Notes for any recent issues or updates to the release.
If necessary, install, configure, and start one of the supported web containers listed in Table 1–1.
Download and unzip the opensso_enterprise_80.zip file from the following site:
http://www.oracle.com/technetwork/indexes/downloads/index.html
OpenSSO Enterprise 8.0 patch releases are available as patch ID 141655 on http://sunsolve.sun.com/.
For information about installing a patch release, see Chapter 23, Patching OpenSSO Enterprise 8.0.
Deploy the opensso.war file to the web container, using the web container administration console or deployment command.
For the detailed steps, see Chapter 3, Installing OpenSSO Enterprise.
Run either the GUI or command-line Configurator.
To run the GUI Configurator, enter the following URL in your browser:
protocol://host.domain:port/deploy_uri
For example: http://opensso.example.com:8080/opensso
If you are running the GUI Configurator, enter values in the Configurator fields or accept the default value for some fields. The Configurator has two configuration options:
The Default Configuration option requires you to enter only the OpenSSO Enterprise administrator (amAdmin) and default policy agent (UrlAccessAgent) passwords. The Configurator then uses default values for the other configuration options.
Use the Default Configuration for development environments or simple demonstration purposes when you just want to evaluate OpenSSO Enterprise features.
The Custom Configuration option allows you to enter specific configuration values for your deployment (or accept the default values).
Use the Custom Configuration for production and more complex environments, for example, a multi-server installation with several OpenSSO Enterprise instances behind a load balancer.
For the detailed steps, see Chapter 4, Configuring OpenSSO Enterprise Using the GUI Configurator or Chapter 5, Configuring OpenSSO Enterprise Using the Command-Line Configurator.
Launch OpenSSO Enterprise using the specific web container console or deployment command, or by specifying the URL from Step 4 in your browser.
Log in to the Console as the OpenSSO Enterprise administrator (amAdmin) using the password you specified when you ran the Configurator.
To make additional configuration changes to your deployment, use the OpenSSO Enterprise Administration Console or the ssoadm command-line utility. For information, refer to the Administration Console Online Help or the Sun OpenSSO Enterprise 8.0 Administration Reference.
Depending on your security requirements, consider making a snapshot of your deployment using the OpenSSO Diagnostic Tool. Then, you can run the Tamper Detection test periodically to verify the integrity of your deployment. For more information, see Chapter 7, Running the OpenSSO Diagnostic Tool.
OpenSSO Enterprise 8.0 is Service Tag enabled. To use Service Tags, you must first register your product. On the OpenSSO Enterprise Administration Console, under Common Tasks, click Register This Product.
To register, you need a Sun Online Account (SOA) or Sun Developer Network (SDN) account. If you do not have one of these accounts, you can get an account during the product registration process.
For more information about Sun Service Tags and Sun Connection, see http://www.sun.com/service/sunconnection/index.jsp.