This procedure assumes you have just completed To Create a Non-Root User on the OpenSSO Enterprise 2 Host Machine and are still logged into the osso–2 host machine as a root user.
Create a directory into which the Application Server bits can be downloaded and change into it.
# mkdir /export/AS91 # cd /export/AS91 |
Download the Sun Java System Application Server 9.1 Update 1 binary from the Sun Microsystems Product Download page to the /export/AS91 directory.
Grant the downloaded binary execute permission using the chmod command.
# chmod +x sjsas-9_1_01-solaris-sparc.bin |
Install the software.
# ./sjsas-9_1_01-solaris-sparc.bin -console |
When prompted, provide the following information.
|
Press Enter to continue. |
|
|
Enter yes. |
|
|
Enter /opt/SUNWappserver91 |
|
|
Enter 1 to create the directory. |
|
|
Press Enter to accept the default value. |
|
|
Press Enter to accept the default value. |
|
|
Enter domain1pwd and then re-enter domain1pwd. |
|
|
Press Enter to accept the default value. |
|
|
Press Enter to accept the three default values. |
|
|
Press Enter to accept the default value. |
|
|
Press Enter to accept the default value. |
|
|
Press Enter to accept the default value and begin the installation process. |
|
|
When installation is complete, an Installation Successful message is displayed: |
|
|
Press Enter to exit the installation program. |
Create a second Application Server domain for the non-root user.
The default domain created during the installation process is owned by root. We create a new domain for the non-root user osso80adm into which we will deploy OpenSSO Enterprise.
# cd /opt/SUNWappserver91/bin # su osso80adm # ./asadmin create-domain --domaindir /export/osso80adm/domains --adminport 8989 --user domain2adm --instanceport 1080 --domainproperties http.ssl.port=1081 ossodomain Please enter the admin password> domain2pwd Please enter the admin password again> domain2pwd Please enter the master password [Enter to accept the default]:> domain2master Please enter the master password again [Enter to accept the default]:> domain2master Using port 8989 for Admin. Using port 1080 for HTTP Instance. Using default port 7676 for JMS. Using default port 3700 for IIOP. Using port 1081 for HTTP_SSL. Using default port 3820 for IIOP_SSL. Using default port 3920 for IIOP_MUTUALAUTH. Using default port 8686 for JMX_ADMIN. Domain being created with profile:developer, as specified by variable AS_ADMIN_PROFILE in configuration file. Security Store uses: JKS 2008-08-24 18:21:15.907 GMT Thread[main,5,main] java.io.FileNotFoundException: derby.log (Permission denied) ------------------------------------------------- 2008-03-24 18:21:16.216 GMT: Booting Derby version The Apache Software Foundation - Apache Derby - 10.2.2.1 - (538595): instance c013800d-0118-e205-d50b-00000c0c0770 on database directory /export/osso80adm/domains/ossodomain/lib/databases/ejbtimer Database Class Loader started - derby.database.classpath='' Domain ossodomain created. |
The FileNotFoundException is a known issue. Please see Appendix F, Known Issues and Limitations.
Verify that the non-root user domain was created with the correct permissions using the following sub-procedure.
Change to the ossodomain directory.
# cd /export/osso80admin/domains/ossodomain |
List the contents of the directory.
# ls -la total 30 drwxr-xr-x 15 osso80adm staff 512 Mar 20 14:12 . drwxr-xr-x 3 osso80adm staff 512 Mar 20 14:12 .. drwxr-xr-x 2 osso80adm staff 512 Mar 20 14:12 addons drwxr-xr-x 6 osso80adm staff 512 Mar 20 14:12 applications drwxr-xr-x 3 osso80adm staff 512 Mar 20 14:12 autodeploy drwxr-xr-x 2 osso80adm staff 512 Mar 20 14:12 bin drwx------ 3 osso80adm staff 1024 Mar 26 13:27 config drwxr-xr-x 2 osso80adm staff 512 Mar 20 14:12 docroot drwxr-xr-x 6 osso80adm staff 512 Mar 26 13:34 generated drwxr-xr-x 3 osso80adm staff 512 Mar 20 14:12 imq drwxr-xr-x 5 osso80adm staff 512 Mar 20 14:16 java-web-start drwxr-xr-x 8 osso80adm staff 512 Mar 20 14:16 jbi drwxr-xr-x 6 osso80adm staff 512 Mar 20 14:12 lib drwxr-xr-x 2 osso80adm staff 512 Mar 26 13:26 logs drwxr-xr-x 2 osso80adm staff 512 Mar 20 14:12 session-store |
The files and directories are owned by osso80adm.
Start ossodomain, the non-root user domain, using the following sub-procedure.
Switch to the non-root user.
# su osso80adm |
Change to the bin directory.
# cd /export/osso80adm/domains/ossodomain/bin |
Start ossodomain.
# ./startserv admin username:domain2adm admin password:domain2pwd master password:domain2master Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log |
Verify that ossodomain has started with the following sub-procedure.
Access http://osso-2.example.com:8989/login.jsf from a web browser.
Log in to the Application Server console as the administrator.
domain2adm
domain2pwd
When the Application Server administration console is displayed, it is verification that the non-root user was able to start the domain server.
Exit the console and close the browser.
Create a request for a server certificate to secure communications between the soon-to-be-configured Load Balancer 2 and ossodomain using the following sub-procedure.
Generate a private/public key pair and reference it with the alias, osso-2.
osso-2 will be used in a later step to retrieve the public key which is contained in a self-signed certificate.
# cd /export/osso80adm/domains/ossodomain/config # keytool -genkey -noprompt -keyalg rsa -keypass domain2master -alias osso-2 -keystore keystore.jks -dname "CN=osso-2.example.com, OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" -storepass domain2master |
Verify that the key pair was successfully created and stored in the certificate store.
# keytool -list -v -keystore keystore.jks -storepass domain2master Alias name: osso-2 Creation date: Aug 4, 2008 Entry type: keyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=osso-2.example.com, OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US Issuer: CN=osso-2.example.com, OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US Serial number: 47f6a587 Valid from: Fri Aug 04 15:02:47 PDT 2008 until: Thu Nov 03 15:02:47 PDT 2008 Certificate fingerprints: MD5: 62:0E:5E:EB:8A:73:B2:F9:08:83:05:C5:DC:07:3C:E1 SHA1: D4:9C:BA:25:4C:B5:71:20:CF:F3:18:46:AF:2E:7F:71:2A:4B:BD:B3 The certificate indicated by the alias "osso-2" is a self-signed certificate. |
The output of this command may list more than one certificate based on the entries in the keystore.
Generate a server certificate request.
# keytool -certreq -alias osso-2 -keypass domain2master -keystore keystore.jks -storepass domain2master file osso-2.csr |
osso-2.csr is the server certificate request.
(Optional) Verify that osso-2.csr was created.
# ls -la osso-2.csr -rw-r--r-- 1 osso80adm staff 715 Apr 4 15:04 osso-2.csr |
Send osso-2.csr to the CA of your choice.
The CA issues and returns a certified server certificate named osso-2.cer.
Import ca.cer, the CA root certificate, into the certificate store.
The root certificate must be imported into two keystores (keystore.jks and cacerts.jks) with Application Server.
# keytool -import -trustcacerts -alias OpenSSLTestCA -file ca.cer -keystore keystore.jks -storepass domain2master Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us Serial number: f59cd13935f5f498 Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010 Certificate fingerprints: MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9 SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA Trust this certificate? [no]: Yes Certificate was added to keystore |
# keytool -import -trustcacerts -alias OpenSSLTestCA -file ca.cer -keystore cacerts.jks -storepass domain2master Owner: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us Issuer: EMAILADDRESS=nobody@nowhere.com, CN=openssltestca, OU=am, O=sun, L=santa clara, ST=california, C=us Serial number: f59cd13935f5f498 Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010 Certificate fingerprints: MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9 SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA Trust this certificate? [no]: Yes Certificate was added to keystore |
Replace the self-signed public key certificate (associated with the osso-2 alias) with the server certificate received from the CA.
# keytool -import -file osso-2.cer -alias osso-2 -keystore keystore.jks -storepass domain2master Certificate reply was installed in keystore |
(Optional) Verify that the self-signed public key certificate has been overwritten by the server certificate received from the CA.
# keytool -list -v -keystore keystore.jks -storepass domain2master The certificate indicated by the alias "osso-2" is signed by CA. |
Change the certificate alias from the default s1as to the new osso-2 in the domain.xml file for the ossodomain domain.
The Application Server configuration file is domain.xml.
<http-listener acceptor-threads="1" address="0.0.0.0" blocking-enabled="false" default-virtual-server="server" enabled="true" family="inet" id="http-listener-2" port="1081" security-enabled="true" server-name="" xpowered-by="true"> <ssl cert-nickname="osso-2" client-auth-enabled="false" ssl2-enabled="false" ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>
Backup domain.xml before modifying it.
Modify the JVM options in your web container's configuration file using the following sub-procedure.
OpenSSO Enterprise is deployed with an embedded configuration data store (if desired). In order for the configuration data store to be created successfully, the following JVM options should be modified in the web container's configuration file. We will be modifying domain.xml again for this example.
Backup domain.xml before modifying it.
Change to the config directory.
# cd /export/osso80adm/domains/ossodomain/config |
Open domain.xml in a text editor and make the following changes:
Replace <jvm-options>-client</jvm-options> with <jvm-options>-server</jvm-options>.
Replace <jvm-options>-Xmx512m</jvm-options> with <jvm-options>-Xmx1024m</jvm-options>.
Save the file and close it.
Restart the ossodomain domain.
# cd /export/osso80adm/domains/ossodomain/bin # ./stopserv Server was successfully stopped. ./startserv admin username:domain2adm admin password:domain2pwd master password:domain2master Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log |
The second Application Server domain is only running as a non-root user and not sharing the domain administrator credentials used to start the server with the non-root user.
Verify that the certificate used for SSL communication is the root CA certificate.
Log out of the osso-2 host machine.