Deployment Example: Single Sign-On, Load Balancing and Failover Using Sun OpenSSO Enterprise 8.0

8.2.1 Installing and Configuring the Web Container and Web Policy Agent on Protected Resource 1

Download the Sun Java System Web Server bits to the pr-1 host machine and install it. Additionally, download, install and configure the appropriate web policy agent. Use the following list of procedures as a checklist for completing the task.

  1. To Install and Configure Sun Java System Web Server as Web Container 1 on Protected Resource 1

  2. To Import the Certificate Authority Root Certificate into Web Server 1

  3. To Install and Configure Web Policy Agent 1 on Protected Resource 1

  4. To Configure Policy for Web Policy Agent 1 on Protected Resource 1

  5. To Verify that Web Policy Agent 1 is Working Properly

ProcedureTo Install and Configure Sun Java System Web Server as Web Container 1 on Protected Resource 1

Sun Java System Web Server is the web container used on the pr-1 host machine.

Before You Begin

Read the latest version of the Web Server 7.0 Release Notes to determine if you need to install patches on your host machine. In this case, the Release Notes indicate that based on the hardware and operating system being used, patch 119963–08, patch 120011–14, and patch 117461–08 are required.

  1. As a root user, log into the pr-1 host machine.

  2. Install the required patches if necessary.

    Patch results for your machines might be different.

    1. Run patchadd to see if the patch is installed.


      # patchadd -p | grep 117461–08
      

      A list of patch numbers is displayed. On our lab machine, the required patch 117461–08 is present so there is no need to install it.


      # patchadd -p | grep 119963–08
      

      No results are returned which indicates that the patch is not yet installed on the system.


      # patchadd -p | grep 120011-14
      

      No results are returned which indicates that the patch is not yet installed on the system.

    2. Make a directory for downloading the patch you need and change into it.


      # mkdir /export/patches
      # cd /export/patches
      
    3. Download the patches.

      You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch.


      Note –

      Signed patches are downloaded as JAR files. Unsigned patches are downloaded as ZIP files.


    4. Unzip the patch file.


      # unzip 119963–08.zip
      # unzip 120011–14.zip
      
    5. Run patchadd to install the patches.


      # patchadd /export/patches/119963–08
      # patchadd /export/patches/120011–14
      
    6. After installation is complete, run patchadd to verify that the patch was added successfully.


      # patchadd -p | grep 119963–08
      

      In this example, a series of patch numbers are displayed, and the patch 119963–08 is present.


      # patchadd -p | grep 120011-14
      

      In this example, a series of patch numbers are displayed, and the patch 120011–14 is present.

  3. Create a directory into which you can download the Web Server bits and change into it.


    # mkdir /export/WS7
    # cd /export/WS7
    
  4. Download the Sun Java System Web Server 7.0 Update 3 software from http://www.sun.com/download/products.xml?id=45ad781d.

    Follow the instructions on the Sun Microsystems Product Downloads web site for downloading the software.

  5. Unpack the Web Server package.


    # gunzip sjsws-7_0u3-solaris-sparc.tar.gz
    # tar xvf sjsws-7_0u3-solaris-sparc.tar
    
  6. Run setup.


    # cd /export/WS7
    # ./setup --console
    
  7. When prompted, provide the following information.


    Welcome to the Sun Java System Web 
    Server 7.0u3 installation wizard.
    ...
    You will be asked to specify preferences that 
    determine how Sun Java System Web Server 7.0U3 
    is installed and configured. 
    
    The installation program pauses as questions 
    are presented so you can read the 
    information and make your choice. When you 
    are ready to continue, press Enter. 
    (Return on some keyboards.)

    Press Enter. Continue to press Enter when prompted. 


    Have you read the Software License 
    Agreement and do you accept all terms 
    [no] {"," goes back, "!" exits}?

    Enter yes.


    Sun Java System Web Server 7.0 
    Installation Directory [/sun/webserver7] 
    {"," goes back, "!" exits} :

    Enter /opt/SUNWwbsvr


    Specified directory /opt/SUNWwbsvr 
    does not exist. Create Directory? [Yes/No]
    [yes] {"," goes back, "!" exits}

    Enter yes.


    Select Type of Installation
    
    1. Express
    2. Custom
    3. Exit
    
    What would you like to do? [1]
    {"," goes back, "!" exits}

    Enter 2.


    Component Selection
    
    1. Server Core
    2. Server Core 64-biy Binaries
    3. Administration Command Line Interface
    4. Sample Applications
    5. Language Pack
    
    Enter the comma-separated list [1,2,3,4,5] 
    {"," goes back, "!" exits}

    Enter 1,3,5.


    Java Configuration
    
    Sun Java System Web Server 7.0 requires Java 
    Se Development Kit (JDK). Provide the path 
    to a JDK 1.5.0_15 or greater.
    
    1. Install Java SE Development Kit (JDK) 1.5.0_15
    2. Reuse existing Java SE Development Kit 
       (JDK) 1.5.0_15
    3. Exit
    
    What would you like to do? [1] 
    {"," goes back, "!" exits}

    Enter 1.


    Administrative Options
    
    1. Create an Administration Server and a 
       Web Server Instance
    2. Create an Administration Node
    
    Enter your option. [1]
    {"," goes back, "!" exits}

    Enter 1.


    Create SMF services for server instances 
    [yes/no] [no] {"," goes back, "!" exits}

    Accept the default value. 


    Host Name [pr-1.example.com] 
    {"," goes back, "!" exits}

    Accept the default value. 


    SSL Port [8989] 
    {"," goes back, "!" exits}

    Accept the default value. 


    Create a non-SSL Port? [yes/no] [no] 
    {"," goes back, "!" exits}

    Enter no.


    Runtime User ID [root] 
    {"," goes back, "!" exits}

    Accept the default value (for the administration server). 


    Administrator User Name [admin]
    {"," goes back, "!" exits}

    Accept the default value. 


    Administrator Password:

    Enter web4dmin.


    Retype Password:

    Enter web4dmin.


    Server Name [pr-1.example.com] 
    {"," goes back, "!" exits}

    Accept the default value. 


    Http Port [8080] 
    {"," goes back, "!" exits}

    Enter 1080.


    Runtime User ID [webserverd] 
    {"," goes back, "!" exits}

    Enter root (for the instance).


    Document Root Directory [/opt/SUNWwbsvr/
    https-pr-1.example.com/docs] 
    {"," goes back, "!" exits}

    Accept the default value. 


    Start Administration Server [yes/no] 
    [yes] {"," goes back, "!" exits}

    Enter no.


    Ready To Install
    
    1. Install Now
    2. Start Over
    3. Exit Installation
    
    What would you like to do [1] 
    {"," goes back, "!" exits}?

    Enter1.

    When installation is complete, the following message is displayed:


    Installation Successful.
  8. Start the Web Server administration server.


    # cd /opt/SUNWwbsvr/admin-server/bin
    # ./startserv
    
  9. Run netstat to verify that the port is open and listening.


    # netstat -an | grep 8989
    
    *.8989               *.*                0      0 49152      0 LISTEN
  10. (Optional) Login to the Web Server administration console at https://pr-1.example.com:8989 as the administrator.

    Username

    admin

    Password

    web4dmin

    You should see the Web Server administration console.

  11. (Optional) Log out of the Web Server console and close the browser.

  12. Start the Protected Resource 1 Web Server instance.


    # cd /opt/SUNWwbsvr/https-pr-1.example.com/bin
    # ./startserv
    
    Sun Java System Web Server 7.0U3 B06/16/2008 12:00
    info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from
    [Sun Microsystems Inc.]
    info: HTTP3072: http-listener-1: http://pr-1.example.com:1080 ready to
    accept requests
    info: CORE3274: successful server startup
  13. Run netstat to verify that the port is open and listening.


    # netstat -an | grep 1080
    
    *.1080               *.*                0      0 49152      0 LISTEN
  14. (Optional) Access the Protected Resource 1 instance at http://pr-1.example.com:1080 using a web browser.

    You should see the default Web Server index page.

  15. Log out of the pr–1 host machine.

ProcedureTo Import the Certificate Authority Root Certificate into Web Server 1

The Certificate Authority (CA) root certificate enables the web policy agent to trust the certificate from the OpenSSO Enterprise Load Balancer 2, and to trust the certificate chain that is formed from the CA to the server certificate.

Before You Begin
  1. As a root user, log into the pr-1 host machine.

  2. Import the CA root certificate into cacerts, the certificate store.


    # /opt/SUNWwbsvr/jdk/jre/bin/keytool -import -trustcacerts 
    -alias OpenSSLTestCA -file /export/software/ca.cer 
    -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun,
    O=Sun,L=Santa Clara, ST=California C=US
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun,
    O=Sun,L=Santa Clara, ST=California C=US
    Serial number: f59cd13935f5f498
    Valid from: Thu Sep 20 11:14:51 PDT 2008 18 07:66:19 PDT 2006 
    until: Thu Jun 17 11:41:51 PDT 2010
    Certificate fingerprints:
    MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
    SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
    
    Trust this certificate: [no] yes
    
    Certificate was added to keystore.
  3. Verify that the CA root certificate was imported.


    # /opt/SUNWwbsvr/jdk/jre/bin/keytool -list 
    -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts 
    -storepass changeit | grep -i open
    
    openSSLTestCA, Sep 20, 2008, trustedCertEntry,
  4. Log out of the pr-1 host machine.

ProcedureTo Install and Configure Web Policy Agent 1 on Protected Resource 1

Before You Begin

The JAVA_HOME environment variable should be set to /opt/SUNWwbsvr/jdk/jre.

  1. As a root user, log into the pr–1 host machine.

  2. Create a directory into which you can download the Web Server agent bits and change into it.


    # mkdir /export/WebPA1
    # cd /export/WebPA1
    
  3. Create a text file that contains the Agent Profile password.

    The Web Policy Agent installer requires this for installation.


    # cat > agent.pwd
    
    webagent1
    
    Hit Control D to terminate the command
    
    ^D
    
  4. Create a text file that contains the Agent Administrator password.

    This text file should contain the OpenSSO Enterprise administrator (by default, amadmin) password. The Web policy agent installer requires this to create the agent profile on the server.


    # cat > agentadm.pwd
    
    ossoadmin
    
    Hit Control D to terminate the command
    
    ^D
    
  5. Download the web policy agent for Web Server from http://www.sun.com/download/.


    # ls -al
    
    total 7512
    drwxr-xr-x   2 root     root         512 Jul 24 14:48 .
    drwxr-xr-x  11 root     root         512 Jul 24 14:41 ..
    -rw-r--r--   1 root     root          10 Jul 24 14:42 agent.pwd
    -rw-r--r--   1 root     root           9 Jul 24 14:42 agentadm.pwd
    -rw-r--r--   1 root     root     3826794 Jul 24 14:48 sjsws_v70_SunOS_sparc_agent_3.zip
    
  6. Unzip the downloaded file.


    # unzip sjsws_v70_SunOS_sparc_agent_3.zip
    
  7. Run the agent installer.


    # cd /export/WebPA1/web_agents/sjsws_agent/bin
    # ./agentadmin --custom-install
    
  8. When prompted, do the following.


    Please read the following License 
    Agreement carefully:

    Press Enter and continue to press Enter until you have reached the end of the License Agreement. 


    Do you completely agree with all the terms and 
    conditions of this License Agreement (yes/no): [no]:

    Type yes and press Enter.


    Enter the Sun Java System Web Server Config 
    Directory Path [/var/opt/SUNWwbsvr7/
      https-pr-1.example.com/config]:

    Type /opt/SUNWwbsvr/https-pr-1.example.com/config and press Enter.


    Enter the OpenSSO Enterprise URL 
    including the deployment URI 
    (http://opensso.sample.com:58080/opensso)

    Type https://lb-2.example.com:1081/opensso and press Enter.


    Enter the Agent URL: 
    (http://agent1.sample.com:1234)

    Type http://pr-1.example.com:1080 and press Enter.


    Enter the Encryption Key[WSpf7aqc3AFIGvf2mCqvNBOsf44cDrf3].

    Accept the default value. 


    Enter the Agent profile name 
    [UrlAccessAgent]:

    Type webagent-1 and press Enter.


    Enter the path to a file that contains the 
    password to be used for identifying the Agent.

    Type /export/WebPA1/agent.pwd and press Enter.


    Note –

    A warning message is displayed regarding the existence of the agent profile.



    This Agent Profile does not exist in 
    OpenSSO Enterprise, will 
    it be created by the installer? (Agent 
    Administror's name and password are required) 
    [true)

    Press Enter to accept the default and have the installer create the Agent Profile. 


    Enter the Agent Administrator's 
    name:

    Type amadmin and press Enter.


    Enter the path to the password file 
    that contains the password of the Agent 
    Administrator.

    Type /export/WebPA1/agentadm.pwd and press Enter.


    -----------------------------------------
    SUMMARY OF YOUR RESPONSES
    -----------------------------------------------
    
    Sun Java System Web Server Config Directory :
     /opt/SUNWwbsvr/https-pr-1.example.com/config
    OpenSSO Server URL :
     https://lb-2.example.com:1081/opensso
    Agent URL : http://pr-1.example.com:1080
    Encryption Key :
     WSpf7aqc3AFIGvf2mCqvNBOsf44cDrf3
    Agent Profile name : webagent-1
    Agent Profile Password file name :
     /export/WebPA1/agent.pwd
    Agent Profile will be created right now by 
     agent installer : true
    Agent Administrator : amadmin
    Agent Administrator's password file name :
     /export/WebPA1/agentadm.pwd
    
    Verify your settings above and decide from 
    the choices below.
    
      1. Continue with Installation
      2. Back to the last interaction
      3. Start Over
      4. Exit
    
    Please make your selection [1]:

    Type 1 and press Enter.

  9. Restart the Web Server 1 instance.


    # cd /opt/SUNWwbsvr/https-pr-1.example.com/bin 
    # ./stopserv; ./startserv 
    
    server has been shutdown
    Sun Java System Web Server 7.0U3 B06/16/2008 12:00
    info: CORE3016: daemon is running as super-user
    info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15]
    from [Sun Microsystems Inc.]
    info: HTTP3072: http-listener-1: http://pr-1.example.com:1080 ready to
    accept requests
    info: CORE3274: successful server startup
  10. Use the following sub-procedure to verify that the Web Policy Agent 1 was successfully created.

    1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

    2. Log in to the OpenSSO Enterprise console as the administrator.

      User Name:

      amadmin

      Password:

      ossoadmin

    3. Under the Access Control tab, click / (Top Level Realm).

    4. Click the Agents tab.

      By default, the Web tab is displayed. You should see webagent-1 under the Agent table.

    5. Click webagent-1.

      The webagent-1 properties page is displayed.

    6. Log out of the console and close the browser.

  11. Remove the password files.


    # cd /export/WebPA1
    # rm agent.pwd
    # rm agentadm.pwd
    
  12. Log out of the pr-2 host machine.

ProcedureTo Configure Policy for Web Policy Agent 1 on Protected Resource 1

Use the OpenSSO Enterprise console to configure policy for Web Policy Agent 1 that will be used to verify that the agent is working properly.


Note –

You will add additional policies later when we add a load balancer in front of the Protected Resource 1 host machine.


  1. Access https://osso-1.example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

  3. Under the Access Control tab, click / (Top Level Realm).

  4. Click the Policies tab.

  5. Click New Policy.

  6. Enter URL Policy for Protected Resource 1 in the Name field.

  7. Under Rules, click New.

    The Rules properties page is displayed.

  8. Select URL Policy Agent (with resource name) and click Next.

  9. Provide the following information on the resulting page and click Finish.

    Name:

    URL Rule for Protected Resource 1

    Resource Name:

    http://pr-1.example.com:1080/*

    GET

    Mark this check box and verify that Allow is selected.

    POST

    Mark this check box and verify that Allow is selected.

    The rule URL Rule for Protected Resource 1 is added to the list of Rules.

  10. Under Subjects, click New.

    The Subjects properties page is displayed.

  11. Select Access Manager Identity Subject and click Next.

  12. On the resulting page, provide the following information and click Search.

    Name:

    Test Subject

    Filter:

    Choose User and click Search to display a list of available users.

    Available:

    From the available users, select testuser1 and click Add.

  13. Click Finish.

  14. Click OK.

    The new policy is included in the list of Policies.

  15. Click Back to Access Control.

  16. Log out of the console.

ProcedureTo Verify that Web Policy Agent 1 is Working Properly

  1. Access http://pr-1.example.com:1080/index.html from a web browser.

  2. Log in to OpenSSO Enterprise as testuser1.

    Username

    testuser1

    Password

    password

    You should see the default index page for Web Server 1 as testuser1 was configured in the test policy to be allowed to access Protected Resource 1.

  3. Log out and close the browser.

  4. Once again, access http://pr-1.example.com:1080/index.html from a web browser.


    Tip –

    If you are not redirected to the OpenSSO Enterprise login page for authentication, clear your browser's cache and cookies and try again.


  5. Log in to OpenSSO Enterprise as testuser2.

    Username

    testuser2

    Password

    password

    You should see the message, You're not authorized to view this page, (or Your client is not allowed to access the requested object) as testuser2 was not included in the test policy that allows access to Protected Resource 1.