Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

10.1 Installing the J2EE Container and J2EE Policy Agent on Protected Resource 1

Download the BEA WebLogic Server bits to the Protected Resource 1 host machine (pr1.sp-example.com) and install the application server. Additionally, download, install and configure the appropriate J2EE policy agent. Use the following list of procedures as a checklist for completing this task.

  1. To Install BEA WebLogic Server on Protected Resource 1

  2. To Configure BEA WebLogic Server on Protected Resource 1

  3. To Import a Certificate Authority Root Certificate to Protected Resource 1

  4. To Install the J2EE Policy Agent on Protected Resource 1

  5. To Deploy and Start the J2EE Policy Agent Housekeeping Application

  6. To Deploy the J2EE Policy Agent Sample Application

  7. To Configure the J2EE Policy Agent to Bypass Application Server Administrator Authentication

  8. To Enable the J2EE Policy Agent to Run in SSO Only Mode

  9. To Configure the J2EE Policy Agent for SAML v2 Communication

Procedure: To Install BEA WebLogic Server on Protected Resource 1

BEA WebLogic Server is the application server used as the J2EE web container on Protected Resource 1.

Before You Begin

Ensure that your machine is properly patched. Refer to the BEA web site to make sure that your system has the recommended patches.

  1. As a root user, log into the pr1.sp-example.com host machine.

  2. Create a directory into which you can download the WebLogic Server bits and change into it.


    # mkdir /export/BEAWL10
    # cd /export/BEAWL10
    
  3. Download the WebLogic Server bits from http://commerce.bea.com/.

    For this deployment, we download the Solaris version.


    # ls -al
    
    total 294548
    drwxr-xr-x   2 root     root         512 Aug  7 13:23 .
    drwxr-xr-x   3 root     sys          512 Aug  7 13:16 ..
    -rw-r--r--   1 root     root     656834948 Aug  7 13:24 server100_solaris32.bin
    
  4. Run the installer.


    # ./server100_solaris32.bin
    
  5. When prompted, do the following:


    The Welcome screen is displayed.

    Click Next. 


    Accept the License agreement

    Select Yes and click Next. 


    Create a new BEA Home

    Type /usr/local/bea and click Next.


    Select "Custom"

    Click Next. 


    Deselect the following:
    - Workshop for WebLogic Platform

    Click Next. 


    Choose Product Installation Directories

    Type /usr/local/bea/weblogic10 and click Next.


    Installation Complete

    Deselect Run Quickstart and click Done.

  6. (Optional) Verify that the application was correctly installed.


    # cd /usr/local/bea
    # ls -al
    
    total 90
    drwxr-xr-x   7 root     root         512 Jul 15 11:59 .
    drwxr-xr-x   4 root     root         512 Jul 15 11:58 ..
    -rwxr-xr-x   1 root     root         826 Jul 15 11:59 UpdateLicense.sh
    -rw-r--r--   1 root     root          14 Jul 15 11:59 beahomelist
    drwxr-xr-x   6 root     root         512 Jul 15 11:59 jdk150_06
    -rw-r--r--   1 root     root       12447 Jul 15 11:59 license.bea
    drwxr-xr-x   2 root     root         512 Jul 15 11:59 logs
    drwxr-xr-x   6 root     root        6656 Jul 15 11:58 modules
    -rw-r--r--   1 root     root       15194 Jul 15 11:59 registry.dat
    -rw-r--r--   1 root     root        1077 Jul 15 11:59 registry.xml
    drwxr-xr-x   4 root     root         512 Jul 15 12:01 utils
    drwxr-xr-x  10 root     root         512 Jul 15 11:59 weblogic10

Procedure: To Configure BEA WebLogic Server on Protected Resource 1

Before You Begin

This procedure assumes you have just completed To Install BEA WebLogic Server on Protected Resource 1 and are still logged into the host machine as the root user.

  1. Run the WebLogic Server configuration script.


    # cd /usr/local/bea/weblogic10/common/bin
    # ./config.sh
    
  2. When prompted, do the following:


    Select "Create a new Weblogic domain"

    Click Next. 


    Select "Generate a domain configured automatically 
    to support the following BEA products:"

    Click Next. 


    Configure Administrator Username and Password

    Enter the following and click Next. 

    • Username: weblogic

    • Password: bea10admin

    • Confirm Password: bea10admin


    Select "Production Mode" and "BEA Supplied JDK's" 
    (Sun SDK 1.5.0_06@/usr/local/bea/jdk150_06)

    Click Next. 


    Customize Environment and Services Settings

    Select yes and click Next.


    Configure the Administration Server

    Accept the default values and click Next. 


    Configure Managed Servers

    Select Add, enter the following values, and click Next. 

    • Name: ApplicationServer-1

    • Listen Port: 1081


    Configure Clusters

    Accept the default values and click Next. 


    Configure Machines

    Select the Unix Machine tab, then select Add, type pr1 and click Next.


    Assign Servers to Machines

    From the left panel select AdminServer and ApplicationServer-1. From the right panel select pr1. Click --> and then click Next.


    Review WebLogic Domain

    Click Next. 


    Create WebLogic Domain

    Add the following and click Create. 

    • Domain name: pr1

    • Domain Location: /usr/local/bea/user_projects/domains (default)


    Creating Domain

    Click Done. 

  3. Start AdminServer, the WebLogic administration server.


    # cd /usr/local/bea/user_projects/domains/pr1
    # ./startWebLogic.sh
    

    When prompted, type the following credentials.

    Username

    weblogic

    Password

    bea10admin

  4. Run the netstat command to verify that the port is open and listening.


    # netstat -an | grep 7001
    
    XXX.XX.XX.101.7001         *.*                0      0 49152      0 LISTEN
    XXX.X.X.1.7001             *.*                0      0 49152      0 LISTEN

    Note –

    You can also access the administration console by pointing a web browser to http://pr1.sp-example.com:7001/console.


  5. Change to the AdminServer directory.


    # cd /usr/local/bea/user_projects/domains/pr1/servers/AdminServer
    
  6. Create a security directory and change into it.


    # mkdir security
    # cd security
    
  7. Create a boot.properties file for the WebLogic Server administration server administrator credentials.

    The administration server administrative user and password are stored in boot.properties. Application Server 1 uses this information during startup. WebLogic Server encrypts the file, so there is no security risk even if you enter the user name and password in clear text.


    # cat > boot.properties
    username=weblogic
    password=bea10admin
    ^D

    Press Control-D to terminate the command.
    
  8. Restart WebLogic to encrypt the username and password in boot.properties.


    # cd /usr/local/bea/user_projects/domains/pr1/bin
    # ./stopWebLogic.sh
    # ./startWebLogic.sh
    
  9. Start the managed servers.


    # cd /usr/local/bea/user_projects/domains/pr1/bin
    # ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    

    You will be prompted for the administrative user credentials.

    Username

    weblogic

    Password

    bea10admin

  10. Change to the ApplicationServer-1 directory.


    # cd /usr/local/bea/user_projects/domains/pr1/servers/ApplicationServer-1
    
  11. Create a security directory and change into it.


    # mkdir security
    # cd security
    
  12. Create a boot.properties file for the WebLogic Server managed server administrator credentials.

    The managed server administrative user and password are stored in boot.properties. The Application Server 1 managed server uses this information during startup. WebLogic Server encrypts the file, so there is no security risk even if you enter the user name and password in clear text.


    # cat > boot.properties
    username=weblogic
    password=bea10admin
    ^D

    Press Control-D to terminate the command.
    
  13. Restart the managed server.


    # cd /usr/local/bea/user_projects/domains/pr1/bin
    # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    # ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    
  14. Run the netstat command to verify that the port is open and listening.


    # netstat -an | grep 1081
    
    XXX.XX.XX.101.1081     *.*                0      0 49152      0 LISTEN
    XXX.X.X.1.1081         *.*                0      0 49152      0 LISTEN

  15. Access http://pr1.sp-example.com:7001/console from a web browser.

  16. Login to the BEA WebLogic Server as the administrator.

    Username

    weblogic

    Password

    bea10admin

  17. Click Servers under Domain Structure > Environment.

    On the Summary of Servers page, verify that both AdminServer (admin) and ApplicationServer-1 are running and OK.

  18. Log out of the console.

  19. Log out of the pr1.sp-example.com host machine.
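
Steps 7 and 12 rely on WebLogic rewriting boot.properties with encrypted values at the restart in steps 8 and 13. As an added example (not part of the original guide), this script checks that both files were actually rewritten before the cleartext credentials are considered gone; the brace-delimited marker format such as {3DES} or {AES} is an assumption about WebLogic's encrypted-value syntax, not something this page states, and the domain path defaults to the one used above.

```shell
#!/bin/sh
# Added example: confirm WebLogic has rewritten boot.properties with
# encrypted credentials after the restart.  WebLogic marks an encrypted
# value with a brace-delimited prefix such as {3DES} or {AES} (assumed
# marker format); a bare value means the cleartext username/password typed
# in step 7 or 12 is still sitting on disk.

# Return 0 when the file has both a username and a password line and every
# such line carries an encryption marker; 1 if any credential is cleartext
# or missing; 2 if the file cannot be read.
boot_properties_encrypted() {
    file="$1"
    [ -r "$file" ] || return 2
    cred='^[[:space:]]*(username|password)[[:space:]]*='
    have=$(grep -Ec "$cred" "$file" || true)
    [ "$have" -ge 2 ] || return 1
    # Credential lines whose value does not start with "{marker}"
    plain=$(grep -E "$cred" "$file" \
            | grep -Evc "${cred}[[:space:]]*\{[A-Za-z0-9]+\}" || true)
    [ "$plain" -eq 0 ]
}

# Check the two server directories created in this deployment.
check_domain_boot_properties() {
    domain="${1:-/usr/local/bea/user_projects/domains/pr1}"
    rc=0
    for server in AdminServer ApplicationServer-1; do
        f="$domain/servers/$server/security/boot.properties"
        if boot_properties_encrypted "$f"; then
            echo "OK   $f: credentials encrypted"
        else
            echo "FAIL $f: cleartext or unreadable; restart $server and re-run this check"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_boot_properties.sh /usr/local/bea/user_projects/domains/pr1
if [ $# -gt 0 ]; then
    check_domain_boot_properties "$1"
fi
```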

Procedure: To Import a Certificate Authority Root Certificate to Protected Resource 1

The Certificate Authority (CA) root certificate enables the J2EE policy agent to trust the certificate from the OpenSSO Enterprise Load Balancer 2, and to establish trust with the certificate chain that is formed from the CA to the certificate.

Before You Begin

Copy the same CA root certificate used in To Install a CA Root Certificate to OpenSSO Enterprise Load Balancer 2 to the /export/software directory on the pr1.sp-example.com host machine.

  1. As a root user, log into the pr1.sp-example.com host machine.

  2. Change to the directory where cacerts, the certificate store, is located.


    # cd /usr/local/bea/jdk150_06/jre/lib/security

    Tip –

    Backup cacerts before modifying it.


  3. Import ca.cer, the CA root certificate.


    # /usr/local/bea/jdk150_06/bin/keytool -import -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer -keystore /usr/local/bea/jdk150_06/jre/lib/security/cacerts -storepass changeit
    
    Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun,
    O=Sun,L=Santa Clara, ST=California C=US
    Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun,
    O=Sun,L=Santa Clara, ST=California C=US
    Serial number: 97dba0aa26db6386
    Valid from: Tue Apr 18 07:66:19 PDT 2006 until: Tue Jan 13 06:55:19
    PST 2009
    Certificate fingerprints:
    MD5: 9f:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06
    SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:26:64:36:80:E4:70
    Trust this certificate: [no] yes
    
    Certificate was added to keystore.

  4. Verify that ca.cer was successfully imported.


    # /usr/local/bea/jdk150_06/bin/keytool -list -keystore /usr/local/bea/jdk150_06/jre/lib/security/cacerts -storepass changeit | grep -i openssl
    
    OpenSSLTestCA, Sep 15, 2008, trustedCertEntry,

  5. Log out of the pr1 host machine.
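
Steps 2 to 4 of this procedure, as an added example that is not part of the original guide: the script takes the cacerts backup the Tip recommends, then imports ca.cer only if its SHA1 fingerprint matches the value keytool printed above, so a swapped or corrupted CA file is refused instead of being trusted by typing "yes". JAVA_HOME, the alias and the store password default to the values used in this deployment.

```shell
#!/bin/sh
# Added example: import the CA root certificate into the JDK cacerts store
# used by WebLogic, pinned to the fingerprint shown in the procedure above.

JAVA_HOME="${JAVA_HOME:-/usr/local/bea/jdk150_06}"
KEYTOOL="$JAVA_HOME/bin/keytool"
CACERTS="$JAVA_HOME/jre/lib/security/cacerts"
STOREPASS="${STOREPASS:-changeit}"
# SHA1 fingerprint keytool printed for OpenSSLTestCA in this deployment.
EXPECTED_SHA1="31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:26:64:36:80:E4:70"

# Normalise a fingerprint (drop a "SHA1:" label and whitespace, upper-case
# the hex) so two renderings of the same value compare equal.
norm_fp() {
    printf '%s' "$1" | tr 'a-z' 'A-Z' | sed 's/.*SHA1:[[:space:]]*//' \
        | tr -d '[:space:]'
}

# Return 0 if the two fingerprints denote the same value.
fingerprint_matches() {
    [ -n "$(norm_fp "$1")" ] && [ "$(norm_fp "$1")" = "$(norm_fp "$2")" ]
}

# Pull the SHA1 line out of `keytool -printcert` output read from stdin.
sha1_from_printcert() {
    grep -E '^[[:space:]]*SHA1:' | head -n 1
}

# Back up cacerts, verify the fingerprint, import, then list the new entry.
import_ca() {
    cer="$1"; alias="${2:-OpenSSLTestCA}"
    actual=$("$KEYTOOL" -printcert -file "$cer" | sha1_from_printcert)
    if ! fingerprint_matches "$actual" "$EXPECTED_SHA1"; then
        echo "REFUSING import: $cer has fingerprint '$actual', expected $EXPECTED_SHA1" >&2
        return 1
    fi
    cp -p "$CACERTS" "$CACERTS.bak.$(date +%Y%m%d%H%M%S)"
    "$KEYTOOL" -import -trustcacerts -noprompt -alias "$alias" -file "$cer" \
        -keystore "$CACERTS" -storepass "$STOREPASS"
    "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$STOREPASS" | grep -i "$alias"
}

# Usage: sh import_ca.sh /export/software/ca.cer [alias]
if [ $# -gt 0 ]; then
    import_ca "$@"
fi
```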

Procedure: To Install the J2EE Policy Agent on Protected Resource 1

Before You Begin

Set JAVA_HOME to /usr/local/bea/jdk150_06.

  1. As a root user, log into the pr1.sp-example.com host machine.

  2. Stop the WebLogic Server 1 administration server and the WebLogic Server 1 managed instance.


    # cd /usr/local/bea/user_projects/domains/pr1/bin
    # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    # ./stopWebLogic.sh
    
  3. Create a directory into which you will download the J2EE Policy Agent bits and change into it.


    # mkdir /export/J2EEPA1
    # cd /export/J2EEPA1
    
  4. Create a text file that contains a password for the Agent Profile created during installation.

    The J2EE Policy Agent installer requires this.


    # cat > agent.pwd
    j2eeagent1
    ^D

    Press Control-D to terminate the command.
    
  5. Download the J2EE policy agent bits for WebLogic Server from http://www.sun.com/download/index.jsp.


    # ls -al
    
    total 18824
    drwxr-xr-x   2 root     root         512 Jul 17 16:02 .
    drwxr-xr-x   8 root     root         512 Jul 17 15:58 ..
    -rw-r--r--   1 root     root          11 Jul 17 15:59 agent.pwd
    -rw-r--r--   1 root     root           9 Jul 17 16:01 agentadm.pwd
    -rw-r--r--   1 root     root     9623704 Jul 17 16:02 weblogic_v10_agent_3.zip
    
  6. Unzip the J2EE policy agent bits.


    # unzip weblogic_v10_agent_3.zip
    
  7. Run the J2EE policy agent installer.


    # cd /export/J2EEPA1/j2ee_agents/weblogic_v10_agent/bin
    # chmod 755 agentadmin
    # ./agentadmin --custom-install
    
  8. When prompted, provide the following information.

    These responses configure the J2EE Policy Agent against the OpenSSO Enterprise secure port.


    Please read the following License Agreement carefully:

    Press Enter to continue. Continue to press Enter until you reach the end of the License Agreement and the installer's Welcome page is displayed. 


    Enter startup script location.

    Enter /usr/local/bea/user_projects/domains/pr1/bin/startWebLogic.sh


    Enter the WebLogic Server instance 
    name: [AdminServer]

    Enter ApplicationServer-1, the name of the WebLogic Server instance secured by the agent.


    Enter the WebLogic home directory: 
    [/usr/local/bea/wlserver_10.0]

    Enter /usr/local/bea/weblogic10.


    OpenSSO Enterprise 
    URL

    Enter the URL where OpenSSO Enterprise is running (including the URI): https://lb4.sp-example.com:1081/opensso


    Is the agent being deployed on a Portal domain [false]

    Accept the default value. 


    Agent URL:

    Enter the URL where the policy agent is running (including the URI): http://pr1.sp-example.com:1081/agentapp


    Enter the Encryption Key 
    [+Yr3K4K1/lWFe4H17SBHMNIUzLNRut7H]:

    Accept the default value. 


    Enter the Agent Profile Name:

    j2eeagent-1


    Enter the path to the password File:

    Enter /export/J2EEPA1/agent.pwd, the path to the file that contains the password used for identifying the policy agent.


    Note –

    A warning message is displayed regarding the existence of the agent profile.



    This Agent Profile does not exist in 
    OpenSSO Enterprise. 
    Will it be created by the installer? (Agent 
    Administrator name and password are required) 
    [true]:

    Accept the default value to create the Agent Profile during installation. 


    -----------------------------------------------
    SUMMARY OF YOUR RESPONSES
    -----------------------------------------------
    Startup script location :
      /usr/local/bea/user_projects/domains/
      pr1/bin/startWebLogic.sh
    WebLogic Server instance name : 
      ApplicationServer-1
    WebLogic home directory : 
      /usr/local/bea/weblogic10
    OpenSSO Server URL : 
      https://lb4.sp-example.com:1081/opensso
    Agent Installed on Portal domain : false
    Agent URL : 
      http://pr1.sp-example.com:1081/agentapp
    Encryption Key : 
      +Yr3K4K1/lWFe4H17SBHMNIUzLNRut7H
    Agent Profile name : j2eeagent-1
    Agent Profile Password file name :
      /export/J2EEPA1/agent.pwd
    
    Verify your settings and decide from 
    the choices below:
    1. Continue with Installation
    2. Back to the last interaction
    3. Start Over
    4. Exit
    Please make your selection [1]:

    Accept the default value. 


    ---------------------------------------------
    SUMMARY OF AGENT INSTALLATION
    -----------------------------
    Agent instance name: Agent_001
    Agent Bootstrap file location:
    /export/J2EEPA1/j2ee_agents/
      weblogic_v10_agent/Agent_001/
      config/FAMAgentBootstrap.properties
    Agent Configuration file location
    /export/J2EEPA1/j2ee_agents/
      weblogic_v10_agent/Agent_001/
      config/FAMAgentConfiguration.properties
    Agent Audit directory location:
    /export/J2EEPA1/j2ee_agents/
      weblogic_v10_agent/Agent_001/logs/audit
    Agent Debug directory location:
    /export/J2EEPA1/j2ee_agents/
      weblogic_v10_agent/Agent_001/logs/debug
    
    Install log file location:
    /export/J2EEPA1/j2ee_agents/
      weblogic_v10_agent/installer-logs
      /audit/custom.log

    Accept the default value. 

    When the installer is finished, a new file is in the bin directory called setAgentEnv_ApplicationServer-1.sh.

  9. Modify the startup script setDomainEnv.sh to reference setAgentEnv_ApplicationServer-1.sh with the following sub procedure.


    Tip –

    Backup setDomainEnv.sh before you modify it.


    1. Change to the bin directory.


      # cd /usr/local/bea/user_projects/domains/pr1/bin
      
    2. Insert the following line at the end of setDomainEnv.sh.


      . /usr/local/bea/user_projects/domains/pr1/bin/setAgentEnv_ApplicationServer-1.sh

    3. Save setDomainEnv.sh and close the file.

  10. Change permissions for setAgentEnv_ApplicationServer-1.sh.


    # chmod 755 setAgentEnv_ApplicationServer-1.sh
    
  11. Start the WebLogic Server administration server and managed instance.


    # ./startWebLogic.sh &
    # ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    

    Watch for startup errors.

  12. Verify that the J2EE Policy Agent 1 was successfully created in OpenSSO Enterprise using the following sub procedure.

    1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

    2. Log in to the OpenSSO Enterprise console as the administrator.

      User Name:

      amadmin

      Password:

      ossoadmin

    3. Under the Access Control tab, click / (Top Level Realm).

    4. Click the Agents tab.

    5. Click the J2EE tab.

      j2eeagent-1 is displayed under the Agent table.

    6. Click j2eeagent-1.

      The j2eeagent-1 properties page is displayed.

    7. Log out of the OpenSSO Enterprise console and close the browser.

  13. Remove the password files.


    # cd /export/J2EEPA1
    # rm agent.pwd
    # rm agentadm.pwd
    
  14. Log out of the pr1.sp-example.com host machine.
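
Steps 9, 10 and 13 above, as an added example that is not part of the original guide: the script appends the setAgentEnv line to setDomainEnv.sh only when it is not already present (backing the file up first, as the Tip recommends), makes the agent environment script executable, and reports any agent password files still left in the download directory. Paths default to the ones used in this deployment.

```shell
#!/bin/sh
# Added example: wire the J2EE policy agent into the pr1 domain repeatably.

DOMAIN_BIN="${DOMAIN_BIN:-/usr/local/bea/user_projects/domains/pr1/bin}"
AGENT_ENV="$DOMAIN_BIN/setAgentEnv_ApplicationServer-1.sh"
SOURCE_LINE=". $AGENT_ENV"

# Count exact whole-line occurrences of $2 in file $1 (prints 0 if none).
count_source_line() {
    grep -cxF -- "$2" "$1" || true
}

# Append $2 to $1 once.  Returns 0 when the line is present exactly once
# afterwards, 1 when the file is missing or already sources the agent env
# more than once (left for a human to untangle).
add_agent_env() {
    domainenv="$1"; line="$2"
    [ -f "$domainenv" ] || { echo "missing $domainenv" >&2; return 1; }
    n=$(count_source_line "$domainenv" "$line")
    case "$n" in
        0)  cp -p "$domainenv" "$domainenv.bak.$(date +%Y%m%d%H%M%S)"
            printf '\n%s\n' "$line" >> "$domainenv" ;;
        1)  ;;  # already wired in, nothing to do
        *)  echo "$domainenv sources the agent env $n times; fix by hand" >&2
            return 1 ;;
    esac
}

# Report the installer password files from step 4 if they still exist.
# Returns 1 when any are found, so the caller can fail a post-install check.
leftover_password_files() {
    dir="$1"; found=0
    for f in "$dir"/agent.pwd "$dir"/agentadm.pwd; do
        [ -e "$f" ] && { echo "LEFTOVER $f"; found=1; }
    done
    return $found
}

# Steps 9, 10 and 13 together; argument is the agent download directory.
wire_agent_env() {
    add_agent_env "$DOMAIN_BIN/setDomainEnv.sh" "$SOURCE_LINE" || return 1
    chmod 755 "$AGENT_ENV"
    leftover_password_files "${1:-/export/J2EEPA1}"
}

# Usage: sh wire_agent_env.sh /export/J2EEPA1
if [ $# -gt 0 ]; then
    wire_agent_env "$1"
fi
```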

Procedure: To Deploy and Start the J2EE Policy Agent Housekeeping Application

The agent application is a housekeeping application bundled with the binaries and used by the agent for notifications and other internal functionality. This application must be deployed to the agent-protected web container using the same URI that was supplied during the agent installation process. For example, during the installation process, if you entered /agentapp as the deployment URI for the agent application, use that same context path in this procedure.

  1. Access http://pr1.sp-example.com:7001/console from a web browser.

  2. Log in to the WebLogic Server console as the administrator.

    Username

    weblogic

    Password

    bea10admin

  3. Under Domain Structure, click Deployments.

  4. On the Summary of Deployments page, in the Change Center, click Lock & Edit.

  5. Under Deployments, click Install.

  6. On the Install Application Assistant page, click the pr1.sp-example.com link.

  7. In the field named Location: pr1.sp-example.com, click the root directory.

  8. Navigate to /export/J2EEPA1/j2ee_agents/weblogic_v10_agent/etc, the application directory.

  9. Select agentapp.war and click Next.

  10. In the Install Application Assistant page, choose Install this deployment as an application and click Next.

  11. In the list of Servers, mark the checkbox for ApplicationServer-1 and click Next.

  12. In the Optional Settings page, click Next.

  13. Click Finish.

  14. On the Settings for agentapp page, click Save.

  15. In the Change Center, click Activate Changes.

  16. On the Settings for agentapp page, click Deployments.

  17. On the Summary of Deployments page, mark the agentapp checkbox and click Start > Servicing all requests.

  18. On the Start Application Assistant page, click Yes.


    Tip –

    If you encounter a JavaScript error, start the WebLogic Server instance and perform the steps again.


Procedure: To Deploy the J2EE Policy Agent Sample Application

  1. Access Application Server 1 at http://pr1.sp-example.com:7001/console.

  2. Log in to the WebLogic Server console as the administrator.

    Username

    weblogic

    Password

    bea10admin

  3. On the Change Center, click Lock & Edit.

  4. Under Domain Structure, click Deployments.

  5. Under Deployments, click Install.

  6. On the Install Application Assistant page, click the pr1.sp-example.com link.

  7. In the list for Location: pr1.sp-example.com, click the root directory.

  8. Navigate to the application directory (/export/J2EEPA1/j2ee_agents/weblogic_v10_agent/sampleapp/dist), select agentsample.ear and click Next.

  9. In the Install Application Assistant page, choose Install this deployment as an application and click Next.

  10. In the list of Servers, mark the checkbox for ApplicationServer-1 and click Next.

  11. On the Optional Settings page, click Next to accept the default settings.

  12. On the Review Your Choices page, click Finish.

    The Target Summary section indicates that the module agentsample will be installed on the target ApplicationServer-1.

  13. On the Settings for agentsample page, click Save.

  14. On the Settings for agentsample page, click Activate Changes.

  15. Under Domain Structure, click Deployments.

  16. In the Deployments list, mark the checkbox for agentsample and click Start > Servicing All Requests.

  17. On the Start Application Assistant page, click Yes.

    The state of the deployment changes from Prepared to Active.

  18. Log out of the Application Server 1 console.

Procedure: To Configure the J2EE Policy Agent to Bypass Application Server Administrator Authentication

The J2EE policy agent can operate in local or centralized mode. The centralized option was selected during the custom installation of the agent. Centralized agent configuration stores agent configuration data in a data store managed by OpenSSO Enterprise. Since J2EE policy agents are configured in centralized mode, any configuration changes must be made using the OpenSSO Enterprise server. In this procedure, configure the agent to bypass authentication of the Application Server administrator.

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

  3. Under the Access Control tab, click / (Top Level Realm).

  4. Click the Agents tab.

  5. Click the J2EE tab.

    j2eeagent-1 is displayed under the Agent table.

  6. Click j2eeagent-1.

    The j2eeagent-1 properties page is displayed.

  7. Click the Miscellaneous tab.

    The Miscellaneous properties page is displayed.

  8. Provide the user name of the Application Server administrator in the Bypass Principal List and click Add.

    Enter weblogic to ensure that the administrator will be authenticated against WebLogic itself and not OpenSSO Enterprise.

  9. Click Save.

  10. Exit the console and close the browser.

Procedure: To Enable the J2EE Policy Agent to Run in SSO Only Mode

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

  3. Under the Access Control tab, click / (Top Level Realm).

  4. Click the Agents tab.

  5. Click the J2EE tab.

    j2eeagent-1 is displayed under the Agent table.

  6. Click j2eeagent-1.

    The j2eeagent-1 properties page is displayed.

  7. Click the General link on the j2eeagent-1 properties page.

  8. Remove the existing value of the Agent Filter Mode property.

    This value is displayed in the Current Values text box.

  9. Add the following values to the New Value text boxes and click Add.

    Map Key

    agentsample

    Corresponding Map Value

    SSO_ONLY

  10. Click Save.

  11. Log out of the OpenSSO Enterprise console and close the browser.

  12. Log in to the pr1.sp-example.com host machine as root user.

  13. Restart the WebLogic administration server and managed instance.


    # cd /usr/local/bea/user_projects/domains/pr1/bin
    # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    # ./stopWebLogic.sh
    # ./startWebLogic.sh
    # ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    
  14. Log out of the pr1.sp-example.com host machine.

  15. Verify the configurations with the following sub procedure.

    1. Close and reopen the browser application.

    2. Access http://pr1.sp-example.com:1081/agentsample from a web browser.

    3. Log in with the following credentials.

      User Name:

      spuser

      Password:

      spuser

      The user is redirected to the service provider console for authentication.

    4. Close the browser.

Procedure: To Configure the J2EE Policy Agent for SAML v2 Communication

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

  3. Under the Access Control tab, click / (Top Level Realm).

  4. Click the Agents tab.

  5. Click the J2EE tab.

    j2eeagent-1 is displayed under the Agent table.

  6. Click j2eeagent-1.

    The j2eeagent-1 properties page is displayed.

  7. Click the OpenSSO Services tab.

    The Edit j2eeagent-1 page is displayed.

  8. Click the Login URL link on the Edit j2eeagent-1 page.

  9. Remove the existing value of the OpenSSO Login URL property.

    This value is displayed in the Selected box.

  10. Enter https://lb4.sp-example.com:1081/opensso/spssoinit?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1181/opensso in the text box and click Add.

    This URL redirects the agent to the identity provider for authentication.

  11. Enter https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=https://lb2.idp-example.com:1181/opensso as a value of the OpenSSO Logout URL attribute and click Add.

  12. Click Save.

  13. Click the Application tab.

  14. Add the following values to the Application Logout URI text boxes and click Add.

    Map Key

    agentsample

    Corresponding Map Value

    /agentsample/logout

  15. Click Save.

  16. Log out of the OpenSSO Enterprise console and close the browser.

  17. Log in to the pr1.sp-example.com host machine.

  18. Restart the WebLogic administration server and managed instance.


    # cd /usr/local/bea/user_projects/domains/pr1/bin
    # ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    # ./stopWebLogic.sh
    # ./startWebLogic.sh
    # ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    
  19. Log out of the pr1.sp-example.com host machine.

  20. Verify the configurations with the following sub procedure.

    1. Access http://pr1.sp-example.com:1081/agentsample from a web browser.

      The user is redirected to the OpenSSO Enterprise login page on the identity provider side.

    2. Log in with the following credentials.

      User Name:

      idpuser

      Password:

      idpuser

      After successful authentication, single sign on is accomplished between the identity provider and the service provider.

  21. Access http://pr1.sp-example.com:1081/agentsample/logout from a web browser.

    The J2EE policy agent sample application welcome page is displayed. The user has successfully logged out of both the identity provider and the service provider.