Deployment Example: SAML v2 Using Sun OpenSSO Enterprise 8.0

Chapter 8 Deploying and Configuring OpenSSO Enterprise

This chapter includes instructions on how to deploy and configure two instances of Sun OpenSSO Enterprise 8.0 on the service provider side. It begins with the installation of Sun Java™ System Application Server onto each host machine, followed by the deployment and configuration of the OpenSSO Enterprise WAR. This chapter contains the following sections:

8.1 Installing the Application Server Web Containers

In this section, we create a non-root user with the roleadd command in the Solaris Operating Environment on each OpenSSO Enterprise host machine and install Sun Java System Application Server 9.1 Update 1 using the non-root user. Use the following list of procedures as a checklist for completing the task.

  1. To Patch the OpenSSO Enterprise Host Machines

  2. To Create a Non-Root User on the OpenSSO Enterprise 1 Host Machine

  3. To Install Application Server on the OpenSSO Enterprise 1 Host Machine

  4. To Create a Non-Root User on the OpenSSO Enterprise 2 Host Machine

  5. To Install Application Server on the OpenSSO Enterprise 2 Host Machine


Note –

We use roleadd rather than useradd for security reasons; roleadd disables the ability of the user to log in.


ProcedureTo Patch the OpenSSO Enterprise Host Machines

On our lab machines, the required Application Server patch is 117461–08. Results for your machine might be different. Read the latest documentation for your web container to determine if you need to install patches and, if so, what they might be. You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch for the OpenSSO Enterprise 1 host machine (osso1.sp-example.com) and the OpenSSO Enterprise 2 host machine (osso2.sp-example.com).

  1. Log in to the osso1.sp-example.com host machine as a root user.

  2. Run patchadd to see if the patch is already installed.


    # patchadd -p | grep 117461-08
    

    A series of patch numbers are displayed, and patch 117461–08 is present so there is no need to install any patches at this time.

  3. Log out of the osso1.sp-example.com host machine.

  4. Log in to the osso2.sp-example.com host machine as a root user.

  5. Run patchadd to see if the patch is already installed.


    # patchadd -p | grep 117461-08
    

    A series of patch numbers are displayed, and patch 117461–08 is present so there is no need to install any patches at this time.

  6. Log out of the osso1.sp-example.com host machine.

ProcedureTo Create a Non-Root User on the OpenSSO Enterprise 1 Host Machine

  1. Log in to the osso1.sp-example.com host machine as a root user.

  2. Create a new user with roleadd.


    # roleadd -s /sbin/sh -m -g staff -d /export/osso80adm osso80adm
    
  3. (Optional) Verify that the user was created.


    # cat /etc/passwd
    
    root:x:0:0:Super-User:/:/sbin/sh
    daemon:x:1:1::/:
    ...
    nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
    osso80adm:x:223830:10::/export/osso80adm:/sbin/sh
  4. (Optional) Verify that the user's directory was created.


    # cd /export/osso80adm
    # ls
    
    local.cshrc    local.profile    local.login
  5. Create a password for the non-root user.


    # passwd osso80adm
    New Password: nonroot1pwd
    Re-ener new Pasword: nonroot1pwd
    
    passwd: password successfully changed for osso80adm

    Caution – Caution –

    If you do not perform this step, you will not be able to switch user (su) when logged in as the non-root user.


ProcedureTo Install Application Server on the OpenSSO Enterprise 1 Host Machine

Install Application Server and the appropriate CA root and CA-signed server certificates.

Before You Begin

This procedure assumes you have just completed To Create a Non-Root User on the OpenSSO Enterprise 1 Host Machine and are still logged into the osso1.sp-example.com host machine as a root user.

  1. Create a directory into which the Application Server bits can be downloaded and change into it.


    # mkdir /export/AS91
    # cd /export/AS91
    
  2. Download the Sun Java System Application Server 9.1 Update 2 binary from the Sun Microsystems Product Download page to the /export/AS91 directory.

  3. Grant the downloaded binary execute permission using the chmod command.


    # chmod +x sjsas-9_1_02-solaris-sparc-ml.bin
    
  4. Install the software.


    # ./sjsas-9_1_02-solaris-sparc-ml.bin -console
    
  5. When prompted, provide the following information.


    You are running the installation program 
    for the Sun Java System Application Server. This 
    program asks you to supply configuration preference
    settings that it uses to install the server.
    
    This installation program consists of one or 
    more selections that provide you with information
    and let you enter preferences that determine
    how Sun Java System Application Server is 
    installed and configured. 
    
    When you are presented with the following
    question, the installation process pauses to 
    allow you to read the information that has 
    been presented When you are ready to continue, 
    press Enter.

    Press Enter to continue. 


    Some questions require more detailed 
    information that you are required to type. The 
    question may have a default value that is 
    displayed inside of brackets []. For example, 
    the following question has a default answer 
    of yes:
    
    Are you sure? [yes]
    
    If you want to accept the default answer, 
    press only the Enter key (which on some 
    keyboards is labeled Return).
    
    If you want to provide a different 
    answer, type it at the command prompt 
    and then press Enter.

    Press Enter to continue. 


    Welcome to the Sun Java System 
    Application Server Installation program.

    Press Enter to continue. 


    Before you install this product, 
    you must read and accept the entire 
    Software License Agreement under which 
    this product is licensed for your use.

    Press Enter to display the Software License Agreement. 


    This Agreement, including any 
    terms contained in your Entitlement, is 
    the entire agreement between you and Sun
    relating to its subject matter. It 
    supersedes all prior or contemporaneous 
    oral or written communications, proposals,
    representations and warranties and prevails 
    over any conflicting or additional terms of 
    any quote, order, acknowledgment, or other 
    communication between the parties relating 
    to its subject matter during the term of this
    Agreement. No modification of this Agreement 
    will be binding, unless in writing and signed 
    by an authorized representative of each party.
    
    Please contact Sun Microsystems, Inc. 
    4150 Network Circle, Santa Clara, California 
    95054 if you have questions.
    
    If you have read and accept all the terms of 
    the entire Software License Agreement, answer 
    'yes', and the installation will continue.
    
    If you do not accept all the terms of the 
    Software License Agreement, answer 'no', 
    and the installation program will end 
    without installing the product.
    
    Have you read, and do you accept, all of the 
    terms of the preceding Software License 
    Agreement [no] {"<" goes back, "!" exits}?

    Type yes and press Enter.


    The Sun Java System Application Server 
    components will be installed in the following 
    directory, which is referred to as the 
    "Installation Directory".To use this directory, 
    press only the Enter key. To use a different 
    directory, type in the full path of the 
    directory to use followed by pressing the 
    Enter key.
    
    Installation Directory [/opt/SUNWappserver]
    {"<" goes back, "!" exits}

    Enter /opt/SUNWappserver91


    The directory "/opt/SUNWappserver91"
    does not exist. Do you want to create it now or 
    choose another directory?
    
    1. Create Directory
    2. Choose New.
    
    Enter the number corresponding to your choice [1] 
    {"<" goes back, "!" exits}

    Press Enter to accept the default value. 


    The Sun Java System Application Server
    requires a Java 2 SDK. Please provide the path to
    a Java 2 SDK 5.0 or greater. [/usr/jdk/instances/jdk1.5.0] 
    {"<" goes back, "!" exits}

    Press Enter to accept the default value. 


    Supply the admin user's password and override
    any of the other initial configuration settings as 
    necessary.
    
    Admin User [admin] {"<" goes back, "!" exits}

    Press Enter to accept the default value. 


    Admin User's Password (8 chars minimum):
    Re-enter Password:

    Enter domain1pwd and then re-enter domain1pwd.


    Do you want to store admin user name and 
    password in .asadminpass file in user's home
    directory [yes] {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 


    Admin Port [4848] {"<" goes back, "!" exits}
    HTTP Port [8080] {"<" goes back, "!" exits}
    HTTPS Port [8181] {"<" goes back, "!" exits}

    Press Enter to accept the three default values. 


    Do you want to enable Updatecenter client 
    [yes] {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 


    Do you want to upgrade from previous 
    Applicatin Server version [no] 
    {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 


    The following items for the product Sun Java 
    System Application Server will be installed:
    
    Product: Sun Java System Application Server
    Location: /opt/SUNWappserver91
    Space Required: 185.42 MB
    -------------------------------------------
    Sun Java System Message Queue 4.1
    Application Server
    Startup
    
    Ready To Install
    
    1. Install Now
    2. Start Over
    3. Exit Installation
    
    What would you like to do [1] 
    {"<" goes back, "!" exits}?

    Press Enter to accept the default value and begin the installation process. 


    - Installing Sun Java System Application 
    Server
    
    |-1%-----25%-----50%-----75%-----100%|
    
     - Installation Successful.

    When installation is complete, an Installation Successful message is displayed:


    Next Steps:
    
    1. Access the About Application Server 9.1 welcome 
    page at:
     file:///opt/SUNWappserver91/docs/about.html
    
    2. Start the Application Server by executing:
      /opt/SUNWappserver91/bin/asadmin 
      start-domain domain1
    
    3. Start the Admin Console:
      http://osso1.sp-example.com:4848
    
    Please press Enter/Return key to exit the 
    installation program. {"!" exits}

    Press Enter to exit the installation program. 

  6. Create a second Application Server domain for the non-root user.

    The default domain created during the installation process is owned by root. We create a new domain for osso80adm, the non-root user, into which we will deploy OpenSSO Enterprise.


    # cd /opt/SUNWappserver91/bin
    # su osso80adm
    # ./asadmin create-domain 
    --domaindir /export/osso80adm/domains 
    --adminport 8989 --user domain2adm --instanceport 1080 
    --domainproperties http.ssl.port=1081 ossodomain
    
     Please enter the admin password>
    
    domain2pwd
    
    Please enter the admin password again>
    
    domain2pwd
    
    Please enter the master password 
    
      [Enter to accept the default]:>
    
    domain2master
    
    Please enter the master password again 
    
      [Enter to accept the default]:>
    
    domain2master
    
    Using port 8989 for Admin.
    Using port 1080 for HTTP Instance.
    Using default port 7676 for JMS.
    Using default port 3700 for IIOP.
    Using port 1081 for HTTP_SSL.
    Using default port 3820 for IIOP_SSL.
    Using default port 3920 for IIOP_MUTUALAUTH.
    Using default port 8686 for JMX_ADMIN.
    Domain being created with profile:developer, as specified 
      by variable AS_ADMIN_PROFILE in configuration file.
    Security Store uses: JKS
    2008-09-14 18:21:15.907 GMT Thread[main,5,main] 
    java.io.FileNotFoundException:
    derby.log (Permission denied)
    -------------------------------------------------
    2008-09-14 18:21:16.216 GMT:
    Booting Derby version The Apache Software Foundation 
    - Apache Derby - 10.2.2.1 -
    (538595): instance c013800d-0118-e205-d50b-00000c0c0770 
    on database directory
    /export/osso80adm/domains/ossodomain/lib/databases/ejbtimer
    
      Database Class Loader started - derby.database.classpath=''
      Domain ossodomain created.

    Note –

    Creating a non-root domain displays a FileNotFoundException. Please see Appendix G, Known Issues and Limitations.


  7. Verify that the non-root user domain was created with the correct permissions using the following sub-procedure.

    1. Change to the ossodomain directory.


      # cd /export/osso80adm/domains/ossodomain
      
    2. List the contents of the directory.


      # ls -la
      
      total 30
      drwxr-xr-x  15 osso80adm staff   512 Sep 14 16:43 .
      drwxr-xr-x   3 osso80adm staff   512 Sep 14 16:43 ..
      drwxr-xr-x   2 osso80adm staff   512 Sep 14 16:43 addons
      drwxr-xr-x   6 osso80adm staff   512 Sep 14 16:43 applications
      drwxr-xr-x   3 osso80adm staff   512 Sep 14 16:43 autodeploy
      drwxr-xr-x   2 osso80adm staff   512 Sep 14 16:43 bin
      drwx------   3 osso80adm staff  1024 Sep 14 16:43 config
      drwxr-xr-x   2 osso80adm staff   512 Sep 14 16:43 docroot
      drwxr-xr-x   6 osso80adm staff   512 Sep 14 16:43 generated
      drwxr-xr-x   3 osso80adm staff   512 Sep 14 16:43 imq
      drwxr-xr-x   5 osso80adm staff   512 Sep 14 16:43 java-web-start
      drwxr-xr-x   8 osso80adm staff   512 Sep 14 16:43 jbi
      drwxr-xr-x   6 osso80adm staff   512 Sep 14 16:43 lib
      drwxr-xr-x   2 osso80adm staff   512 Sep 14 16:43 logs
      drwxr-xr-x   2 osso80adm staff   512 Sep 14 16:43 session-store

      The files and directories are owned by osso80adm.

  8. Start ossodomain, the non-root user domain, using the following sub-procedure.

    1. Change to the non-root user domain bin directory.


      # cd /export/osso80adm/domains/ossodomain/bin
      
    2. Start ossodomain.


      # ./startserv
      
      admin username:domain2adm
      
      admin password:domain2pwd
      
      master password:domain2master
      
      Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log
  9. Verify that ossodomain has started with the following sub-procedure.

    1. Access http://osso1.sp-example.com:8989/login.jsf from a web browser.

    2. Log in to the Application Server console as the ossodomain administrator.

      Username

      domain2adm

      Password

      domain2pwd

      When the Application Server administration console is displayed, it is verification that the non-root user was able to start the domain server.

    3. Exit the console and close the browser.

  10. Create a request for a CA-signed server certificate to secure communications between the soon-to-be-configured OpenSSO Enterprise load balancer and ossodomain using the following sub-procedure.

    1. Generate a private/public key pair and reference it with the alias, opensso-sp-1.

      opensso-sp-1 will be used in a later step to retrieve the public key which is contained in a self-signed certificate.


      # cd /export/osso80adm/domains/ossodomain/config
      # keytool -genkey -noprompt -keyalg rsa -keypass domain2master 
      -alias opensso-sp-1 -keystore keystore.jks -dname "CN=osso1.sp-example.com, 
      OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" 
      -storepass domain2master
      
    2. Verify that the key pair was successfully created and stored in the certificate store.


      # keytool -list -v -keystore keystore.jks -storepass domain2master
      
       Keystore type: jks
       Keystore provider: SUN
       
       Your keystore contains two entries.
      ...
       Alias name: opensso-sp-1
       Creation date: Sep 14, 2008
       Entry type: keyEntry
       Certificate chain length: 1
       Certificate[1]:
       Owner: CN=osso1.sp-example.com, OU=OpenSSO, O=Sun Microsystems,
      L=Santa Clara, ST=California, C=US
       Issuer: CN=osso-osso1.sp-example.com, OU=OpenSSO, O=Sun Microsystems,
      L=Santa Clara, ST=California, C=US
       Serial number: 48cdb299
       Valid from: Sun Sep 14 15:02:47 PDT 2008 until: Sat Dec 13 15:02:47 PDT 2008
       Certificate fingerprints:
        MD5:  14:0F:88:BC:C8:6F:2C:8B:F0:A2:C2:F1:AF:FC:93:F1:
        SHA1: 9D:22:05:14:51:21:33:CB:06:36:25:FE:0A:B6:DF:45:EE:B1:19:86:

      Note –

      The output of this command may list more than one certificate based on the entries in the keystore.


    3. Generate a CA-signed server certificate request.


      # keytool -certreq -alias opensso-sp-1 -keypass domain2master 
      -keystore keystore.jks -storepass domain2master file opensso-sp-1.csr
      

      opensso-sp-1.csr is the server certificate request.

    4. (Optional) Verify that opensso-sp-1.csr was created.


      # ls -la opensso-sp-1.csr
      
       -rw-r--r--   1 osso80adm staff        715 Sep 14 15:04 opensso-sp-1.csr
    5. Send osso-sp-1.csr to the CA of your choice.

      The CA issues and returns a certified certificate named opensso-sp-1.cer.

    6. Import ca.cer, the CA root certificate.

      The root certificate must be imported into two keystores (keystore.jks and cacerts.jks) with Application Server. Use the same root certificate that you imported in 7.4 Enabling Secure Communication for the Directory Server User Data Instances. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.


      # keytool -import -trustcacerts -alias OpenSSLTestCA 
      -file ca.cer -keystore keystore.jks -storepass domain2master
      
      Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, 
        O=sun, L=santa clara, ST=california, C=us
      Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, 
        O=sun, L=santa clara, ST=california, C=us
      Serial number: f59cd13935f5f498
      Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
      Certificate fingerprints:
        MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
        SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
      
      Trust this certificate? [no]: Yes
      
      Certificate was added to keystore

      # keytool -import -trustcacerts -alias OpenSSLTestCA 
      -file ca.cer -keystore cacerts.jks -storepass ossomaster
      
      Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, 
        O=sun, L=santa clara, ST=california, C=us
      Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, 
        O=sun, L=santa clara, ST=california, C=us
      Serial number: f59cd13935f5f498
      Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
      Certificate fingerprints:
        MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
        SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
      
      Trust this certificate? [no]: Yes
      
      Certificate was added to keystore
    7. Replace the self-signed public key certificate (associated with the s1as alias) with the CA-signed server certificate.


      # keytool -import -file opensso-sp-1.cer -alias opensso-sp-1 
      -keystore keystore.jks -storepass domain2master
      
      Certificate reply was installed in keystore
    8. (Optional) Verify that the self-signed public key certificate has been overwritten by the server certificate received from the CA.


      # keytool -list -v -keystore keystore.jks 
      -storepass domain2master
      
      The certificate indicated by the alias "osso-sp-1" is signed by CA.
    9. Change the certificate alias from the default s1as to the new opensso-sp-1 in the domain.xml file for the ossodomain domain.

      The Application Server configuration file is domain.xml.

      <http-listener acceptor-threads="1" address="0.0.0.0" 
      blocking-enabled="false" default-virtual-server="server" enabled="true" 
      family="inet" id="http-listener-2" port="1081" security-enabled="true" 
      server-name="" xpowered-by="true">
      <ssl cert-nickname="opensso-sp-1" client-auth-enabled="false" ssl2-enabled="false"
      ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>

      Tip –

      Backup domain.xml before modifying it.


  11. Modify the JVM options in your web container's configuration file using the following sub-procedure.

    OpenSSO Enterprise is deployed with an embedded configuration data store (if desired). In order for the configuration data store to be created successfully, the following JVM options should be modified in the web container's configuration file. We will be modifying domain.xml again for this example.


    Tip –

    Backup domain.xml before modifying it.


    1. Change to the config directory.


      # cd /export/osso80adm/domains/ossodomain/config
      
    2. Open domain.xml in a text editor and make the following changes:

      • Replace <jvm-options>-client</jvm-options> with <jvm-options>-server</jvm-options>.

      • Replace <jvm-options>-Xmx512m</jvm-options> with <jvm-options>-Xmx1024m</jvm-options>.

    3. Save the file and close it.

  12. Restart the ossodomain domain.


    # cd /export/osso80adm/domains/ossodomain/bin
    # ./stopserv
    
    Server was successfully stopped.
    
    ./startserv
    
    admin username:domain2adm
    
    admin password:domain2pwd
    
    master password:domain2master
    
    Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log
  13. Verify that the certificate used for SSL communication is the root CA certificate.

    1. Access https://osso1.sp-example.com:1081/index.html from a web browser.

    2. View the details of the certificate in the security warning to ensure that it is Issued by “OpenSSLTestCA”.

      After inspecting and accepting the certificate, you should see the default index.html page.

    3. Close the browser.

  14. Log out of the osso1.sp-example.com host machine.

ProcedureTo Create a Non-Root User on the OpenSSO Enterprise 2 Host Machine

  1. Log in to the osso2.sp-example.com host machine as a root user.

  2. Create a new user with roleadd.


    # roleadd -s /sbin/sh -m -g staff -d /export/osso80adm osso80adm
    
  3. (Optional) Verify that the user was created.


    # cat /etc/passwd
    
    root:x:0:0:Super-User:/:/sbin/sh
    daemon:x:1:1::/:
    ...
    nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/:
    osso80adm:x:223830:10::/export/osso80adm:/sbin/sh
  4. (Optional) Verify that the user's directory was created.


    # cd /export/osso80adm
    # ls
    
    local.cshrc    local.profile    local.login
  5. Create a password for the non-root user.


    # passwd osso80adm
    New Password: nonroot2pwd
    Re-ener new Pasword: nonroot2pwd
    
    passwd: password successfully changed for osso80adm

    Caution – Caution –

    If you do not perform this step, you will not be able to switch user (su) when logged in as the non-root user.


ProcedureTo Install Application Server on the OpenSSO Enterprise 2 Host Machine

Install Application Server and the appropriate CA root and CA-signed server certificates.

Before You Begin

This procedure assumes you have just completed To Create a Non-Root User on the OpenSSO Enterprise 2 Host Machine and are still logged into the osso2.sp-example.com host machine as a root user.

  1. Create a directory into which the Application Server bits can be downloaded and change into it.


    # mkdir /export/AS91
    # cd /export/AS91
    
  2. Download the Sun Java System Application Server 9.1 Update 2 binary from the Sun Microsystems Product Download page to the AS91 directory of the osso2.sp-example.com host machine.

  3. Grant the downloaded binary execute permission using the chmod command.


    # chmod +x sjsas-9_1_02-solaris-sparc-ml.bin
    
  4. Install the software.


    # ./sjsas-9_1_02-solaris-sparc-ml.bin -console
    
  5. When prompted, provide the following information.


    You are running the installation program 
    for the Sun Java System Application Server. This 
    program asks you to supply configuration preference
    settings that it uses to install the server.
    
    This installation program consists of one or 
    more selections that provide you with information
    and let you enter preferences that determine
    how Sun Java System Application Server is 
    installed and configured. 
    
    When you are presented with the following
    question, the installation process pauses to 
    allow you to read the information that has 
    been presented When you are ready to continue, 
    press Enter.

    Press Enter to continue. 


    Some questions require more detailed 
    information that you are required to type. The 
    question may have a default value that is 
    displayed inside of brackets []. For example, 
    the following question has a default answer 
    of yes:
    
    Are you sure? [yes]
    
    If you want to accept the default answer, 
    press only the Enter key (which on some 
    keyboards is labeled Return).
    
    If you want to provide a different 
    answer, type it at the command prompt 
    and then press Enter.

    Press Enter to continue. 


    Welcome to the Sun Java System 
    Application Server Installation program.

    Press Enter to continue. 


    Before you install this product, 
    you must read and accept the entire 
    Software License Agreement under which 
    this product is licensed for your use.

    Press Enter to display the Software License Agreement. 


    This Agreement, including any 
    terms contained in your Entitlement, is 
    the entire agreement between you and Sun
    relating to its subject matter. It 
    supersedes all prior or contemporaneous 
    oral or written communications, proposals,
    representations and warranties and prevails 
    over any conflicting or additional terms of 
    any quote, order, acknowledgment, or other 
    communication between the parties relating 
    to its subject matter during the term of this
    Agreement. No modification of this Agreement 
    will be binding, unless in writing and signed 
    by an authorized representative of each party.
    
    Please contact Sun Microsystems, Inc. 
    4150 Network Circle, Santa Clara, California 
    95054 if you have questions.
    
    If you have read and accept all the terms of 
    the entire Software License Agreement, answer 
    'yes', and the installation will continue.
    
    If you do not accept all the terms of the 
    Software License Agreement, answer 'no', 
    and the installation program will end 
    without installing the product.
    
    Have you read, and do you accept, all of the 
    terms of the preceding Software License 
    Agreement [no] {"<" goes back, "!" exits}?

    Type yes and press Enter.


    The Sun Java System Application Server 
    components will be installed in the following 
    directory, which is referred to as the 
    "Installation Directory".To use this directory, 
    press only the Enter key. To use a different 
    directory, type in the full path of the 
    directory to use followed by pressing the 
    Enter key.
    
    Installation Directory [/opt/SUNWappserver]
    {"<" goes back, "!" exits}

    Enter /opt/SUNWappserver91


    The directory "/opt/SUNWappserver91"
    does not exist. Do you want to create it now or 
    choose another directory?
    
    1. Create Directory
    2. Choose New.
    
    Enter the number corresponding to your choice [1] 
    {"<" goes back, "!" exits}

    Press Enter to accept the default value. 


    The Sun Java System Application Server
    requires a Java 2 SDK. Please provide the path to
    a Java 2 SDK 5.0 or greater. [/usr/jdk/instances/jdk1.5.0] 
    {"<" goes back, "!" exits}

    Press Enter to accept the default value. 


    Supply the admin user's password and override
    any of the other initial configuration settings as 
    necessary.
    
    Admin User [admin] {"<" goes back, "!" exits}

    Press Enter to accept the default value. 


    Admin User's Password (8 chars minimum):
    Re-enter Password:

    Enter domain1pwd and then re-enter domain1pwd.


    Do you want to store admin user name and 
    password in .asadminpass file in user's home
    directory [yes] {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 


    Admin Port [4848] {"<" goes back, "!" exits}
    HTTP Port [8080] {"<" goes back, "!" exits}
    HTTPS Port [8181] {"<" goes back, "!" exits}

    Press Enter to accept the three default values. 


    Do you want to enable Updatecenter client 
    [yes] {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 


    Do you want to upgrade from previous 
    Applicatin Server version [no] 
    {"<" goes back, "!" exits}?

    Press Enter to accept the default value. 


    The following items for the product Sun Java 
    System Application Server will be installed:
    
    Product: Sun Java System Application Server
    Location: /opt/SUNWappserver91
    Space Required: 185.42 MB
    -------------------------------------------
    Sun Java System Message Queue 4.1
    Application Server
    Startup
    
    Ready To Install
    
    1. Install Now
    2. Start Over
    3. Exit Installation
    
    What would you like to do [1] 
    {"<" goes back, "!" exits}?

    Press Enter to accept the default value and begin the installation process. 


    - Installing Sun Java System Application 
    Server
    
    |-1%-----25%-----50%-----75%-----100%|
    
     - Installation Successful.

    When installation is complete, an Installation Successful message is displayed:


    Next Steps:
    
    1. Access the About Application Server 9.1 welcome 
    page at:
     file:///opt/SUNWappserver91/docs/about.html
    
    2. Start the Application Server by executing:
      /opt/SUNWappserver91/bin/asadmin 
      start-domain domain1
    
    3. Start the Admin Console:
      http://osso2.sp-example.com:4848
    
    Please press Enter/Return key to exit the 
    installation program. {"!" exits}

    Press Enter to exit the installation program. 

  6. Create a second Application Server domain for the non-root user.

    The default domain created during the installation process is owned by root. We create a new domain for osso80adm, the non-root user, into which we will deploy OpenSSO Enterprise.


    # cd /opt/SUNWappserver91/bin
    # su osso80adm
    # ./asadmin create-domain 
    --domaindir /export/osso80adm/domains 
    --adminport 8989 --user domain2adm --instanceport 1080 
    --domainproperties http.ssl.port=1081 ossodomain
    
     Please enter the admin password>
    
    domain2pwd
    
    Please enter the admin password again>
    
    domain2pwd
    
    Please enter the master password 
    
      [Enter to accept the default]:>
    
    domain2master
    
    Please enter the master password again 
    
      [Enter to accept the default]:>
    
    domain2master
    
    Using port 8989 for Admin.
    Using port 1080 for HTTP Instance.
    Using default port 7676 for JMS.
    Using default port 3700 for IIOP.
    Using port 1081 for HTTP_SSL.
    Using default port 3820 for IIOP_SSL.
    Using default port 3920 for IIOP_MUTUALAUTH.
    Using default port 8686 for JMX_ADMIN.
    Domain being created with profile:developer, as specified 
      by variable AS_ADMIN_PROFILE in configuration file.
    Security Store uses: JKS
    2008-09-14 18:21:15.907 GMT Thread[main,5,main] 
    java.io.FileNotFoundException:
    derby.log (Permission denied)
    -------------------------------------------------
    2008-09-14 18:21:16.216 GMT:
    Booting Derby version The Apache Software Foundation 
    - Apache Derby - 10.2.2.1 -
    (538595): instance c013800d-0118-e205-d50b-00000c0c0770 
    on database directory
    /export/osso80adm/domains/ossodomain/lib/databases/ejbtimer
    
      Database Class Loader started - derby.database.classpath=''
      Domain ossodomain created.

    Note –

    Creating a non-root domain displays a FileNotFoundException. Please see Appendix G, Known Issues and Limitations.


  7. Verify that the non-root user domain was created with the correct permissions using the following sub-procedure.

    1. Change to the ossodomain directory.


      # cd /export/osso80adm/domains/ossodomain
      
    2. List the contents of the directory.


      # ls -la
      
      total 30
      drwxr-xr-x  15 osso80adm staff   512 Sep 14 16:43 .
      drwxr-xr-x   3 osso80adm staff   512 Sep 14 16:43 ..
      drwxr-xr-x   2 osso80adm staff   512 Sep 14 16:43 addons
      drwxr-xr-x   6 osso80adm staff   512 Sep 14 16:43 applications
      drwxr-xr-x   3 osso80adm staff   512 Sep 14 16:43 autodeploy
      drwxr-xr-x   2 osso80adm staff   512 Sep 14 16:43 bin
      drwx------   3 osso80adm staff  1024 Sep 14 16:43 config
      drwxr-xr-x   2 osso80adm staff   512 Sep 14 16:43 docroot
      drwxr-xr-x   6 osso80adm staff   512 Sep 14 16:43 generated
      drwxr-xr-x   3 osso80adm staff   512 Sep 14 16:43 imq
      drwxr-xr-x   5 osso80adm staff   512 Sep 14 16:43 java-web-start
      drwxr-xr-x   8 osso80adm staff   512 Sep 14 16:43 jbi
      drwxr-xr-x   6 osso80adm staff   512 Sep 14 16:43 lib
      drwxr-xr-x   2 osso80adm staff   512 Sep 14 16:43 logs
      drwxr-xr-x   2 osso80adm staff   512 Sep 14 16:43 session-store

      The files and directories are owned by osso80adm.

  8. Start ossodomain, the non-root user domain, using the following sub-procedure.

    1. Change to the non-root user domain bin directory.


      # cd /export/osso80adm/domains/ossodomain/bin
      
    2. Start ossodomain.


      # ./startserv
      
      admin username:domain2adm
      
      admin password:domain2pwd
      
      master password:domain2master
      
      Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log
  9. Verify that ossodomain has started with the following sub-procedure.

    1. Access http://osso2.sp-example.com:8989/login.jsf from a web browser.

    2. Log in to the Application Server console as the ossodomain administrator.

      Username

      domain2adm

      Password

      domain2pwd

      When the Application Server administration console is displayed, it is verification that the non-root user was able to start the domain server.

    3. Exit the console and close the browser.

  10. Create a request for a CA-signed server certificate to secure communications between the soon-to-be-configured OpenSSO Enterprise load balancer and ossodomain using the following sub-procedure.

    1. Generate a private/public key pair and reference it with the alias, opensso-sp-2.

      opensso-sp-2 will be used in a later step to retrieve the public key which is contained in a self-signed certificate.


      # cd /export/osso80adm/domains/ossodomain/config
      # keytool -genkey -noprompt -keyalg rsa -keypass domain2master 
      -alias opensso-sp-2 -keystore keystore.jks -dname "CN=osso2.sp-example.com, 
      OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" 
      -storepass domain2master
      
    2. Verify that the key pair was successfully created and stored in the certificate store.


      # keytool -list -v -keystore keystore.jks -storepass domain2master
      
       Keystore type: jks
       Keystore provider: SUN
       
       Your keystore contains two entries.
      ...
      ...
       Alias name: opensso-sp-2
       Creation date: Sep 14, 2008
       Entry type: keyEntry
       Certificate chain length: 1
       Certificate[1]:
       Owner: CN=osso2.sp-example.com, OU=OpenSSO, O=Sun Microsystems,
      L=Santa Clara, ST=California, C=US
       Issuer: CN=osso2.sp-example.com, OU=OpenSSO, O=Sun Microsystems,
      L=Santa Clara, ST=California, C=US
       Serial number: 48cdb299
       Valid from: Sun Sep 14 15:02:47 PDT 2008 until: Sat Dec 13 15:02:47 PDT 2008
       Certificate fingerprints:
        MD5:  14:0F:88:BC:C8:6F:2C:8B:F0:A2:C2:F1:AF:FC:93:F1:
        SHA1: 9D:22:05:14:51:21:33:CB:06:36:25:FE:0A:B6:DF:45:EE:B1:19:86:

      Note –

      The output of this command may list more than one certificate based on the entries in the keystore.


    3. Generate a CA-signed server certificate request.


      # keytool -certreq -alias opensso-sp-2 -keypass domain2master 
      -keystore keystore.jks -storepass domain2master file opensso-sp-2.csr
      

      opensso-sp-2.csr is the server certificate request.

    4. (Optional) Verify that opensso-sp-2.csr was created.


      # ls -la opensso-sp-2.csr
      
       -rw-r--r--   1 osso80adm staff        715 Sep 14 15:04 opensso-sp-2.csr
    5. Send opensso-sp-2.csr to the CA of your choice.

      The CA issues and returns a certified certificate named opensso-sp-2.cer.

    6. Import ca.cer, the CA root certificate.

      The root certificate must be imported into two keystores (keystore.jks and cacerts.jks) with Application Server. Use the same root certificate that you imported in 7.4 Enabling Secure Communication for the Directory Server User Data Instances. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.


      # keytool -import -trustcacerts -alias OpenSSLTestCA 
      -file ca.cer -keystore keystore.jks -storepass domain2master
      
      Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, 
        O=sun, L=santa clara, ST=california, C=us
      Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, 
        O=sun, L=santa clara, ST=california, C=us
      Serial number: f59cd13935f5f498
      Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
      Certificate fingerprints:
        MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
        SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
      
      Trust this certificate? [no]: Yes
      
      Certificate was added to keystore

      # keytool -import -trustcacerts -alias OpenSSLTestCA 
      -file ca.cer -keystore cacerts.jks -storepass domain2master
      
      Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, 
        O=sun, L=santa clara, ST=california, C=us
      Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, 
        O=sun, L=santa clara, ST=california, C=us
      Serial number: f59cd13935f5f498
      Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010
      Certificate fingerprints:
        MD5:  78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
        SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
      
      Trust this certificate? [no]: Yes
      
      Certificate was added to keystore
    7. Replace the self-signed public key certificate (associated with the s1as alias) with the CA-signed server certificate.


      # keytool -import -file opensso-sp-2.cer -alias opensso-sp-2 
      -keystore keystore.jks -storepass domain2master
      
      Certificate reply was installed in keystore
    8. (Optional) Verify that the self-signed public key certificate has been overwritten by the CA-signed server certificate.


      # keytool -list -v -keystore keystore.jks 
      -storepass domain2master
      
      The certificate indicated by the alias "opensso-sp-2" is signed by CA.
    9. Change the certificate alias from the default s1as to the new opensso-sp-2 in the domain.xml file for the ossodomain domain.

      The Application Server configuration file is domain.xml.

      <http-listener acceptor-threads="1" address="0.0.0.0" 
      blocking-enabled="false" default-virtual-server="server" enabled="true" 
      family="inet" id="http-listener-2" port="1081" security-enabled="true" 
      server-name="" xpowered-by="true">
      <ssl cert-nickname="opensso-sp-2" client-auth-enabled="false" ssl2-enabled="false"
      ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>

      Tip –

      Backup domain.xml before modifying it.


  11. Modify the JVM options in your web container's configuration file using the following sub-procedure.

    OpenSSO Enterprise is deployed with an embedded configuration data store (if desired). In order for the configuration data store to be created successfully, the following JVM options should be modified in the web container's configuration file. We will be modifying domain.xml again for this example.


    Tip –

    Backup domain.xml before modifying it.


    1. Change to the config directory.


      # cd /export/osso80adm/domains/ossodomain/config
      
    2. Open domain.xml in a text editor and make the following changes:

      • Replace <jvm-options>-client</jvm-options> with <jvm-options>-server</jvm-options>.

      • Replace <jvm-options>-Xmx512m</jvm-options> with <jvm-options>-Xmx1024m</jvm-options>.

    3. Save the file and close it.

  12. Restart the ossodomain domain.


    # cd /export/osso80adm/domains/ossodomain/bin
    # ./stopserv
    
    Server was successfully stopped.
    
    ./startserv
    
    admin username:domain2adm
    
    admin password:domain2pwd
    
    master password:domain2master
    
    Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log
  13. Verify that the certificate used for SSL communication is the root CA certificate.

    1. Access https://osso2.sp-example.com:1081/index.html from a web browser.

    2. View the details of the certificate in the security warning to ensure that it is Issued by “OpenSSLTestCA”.

      After inspecting and accepting the certificate, you should see the default index.html page.

    3. Close the browser.

  14. Log out of the osso2.sp-example.com host machine.

8.2 Configuring the OpenSSO Enterprise Load Balancer

The two instances of OpenSSO Enterprise are fronted by one load balancer (Load Balancer 2). Users will access OpenSSO Enterprise through the secure port 1081. Load Balancer 2 sends the user and agent requests to the server where the session originated. Secure Sockets Layer (SSL) is terminated and regenerated before a request is forwarded to the OpenSSO Enterprise servers to allow the load balancer to inspect the traffic for proper routing. Load Balancer 2 is capable of the following types of load balancing:

Cookie-based 

The load balancer makes decisions based on client's cookies. The load balancer looks at the request and detects the presence of a cookie by a specific name. If the cookie is detected in the request, the load balancer routes the request to the specific server to which the cookie has been assigned. If the cookie is not detected in the request, the load balancer balances client requests among the available servers. 

IP-based 

This is similar to cookie-based load balancing, but the decision is based on the IP address of the client. The load balancer sends all requests from a specific IP address to the same server. 

TCP 

The load balancer mainstreams session affinity. This means that all requests related to a TCP session, are forwarded to the same server. In this deployment example, Load Balancer 2 forwards all requests from a single client to exactly the same server. When the session is started and maintained by one client, session affinity is guaranteed. This type of load-balancing is applicable to the TCP-based protocols. 

This section assumes that you have already installed a load balancer. Before you begin, note the following:

Use the following list of procedures as a checklist for completing the task.

  1. To Request a Certificate for OpenSSO Enterprise Load Balancer 2

  2. To Install a CA Root Certificate to OpenSSO Enterprise Load Balancer 2

  3. To Install the Server Certificate to OpenSSO Enterprise Load Balancer 2

  4. To Configure OpenSSO Enterprise Load Balancer 2

  5. To Create an SSL Proxy for SSL Termination at the OpenSSO Enterprise Load Balancer 2

ProcedureTo Request a Certificate for OpenSSO Enterprise Load Balancer 2

You should already have a root certificate from the CA of your choice. Generate a request for a server certificate to send to the CA. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Access https://is-f5.siroe.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in to the BIG-IP console as the administrator.

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Click the Cert-Admin tab.

  6. On the SSL Certificate Administration page, click Generate New Key Pair/Certificate Request.

  7. In the Create Certificate Request page, provide the following information.

    Key Identifier:

    lb2.sp-example.com

    Organizational Unit Name:

    Deployment

    Domain Name:

    lb2.sp-example.com

    Challenge Password:

    password

    Retype Password:

    password

  8. Click Generate Key Pair/Certificate Request.

    On the SSL Certificate Request page, the request is generated in the Certificate Request field.

  9. Save the text contained in the Certificate Request field to a file named lb-2.csr.

  10. Log out of the console and close the browser.

  11. Send lb-2.csr to the CA of your choice.

    The CA issues and returns a signed server certificate named lb-2.cer.

ProcedureTo Install a CA Root Certificate to OpenSSO Enterprise Load Balancer 2

Install the CA root certificate on Load Balancer 2 to ensure that a link between it and the CA can be maintained. Use the same root certificate that you imported in 7.4 Enabling Secure Communication for the Directory Server User Data Instances. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in to the BIG-IP console as the administrator.

  3. In the BIG-IP load balancer console, click Proxies.

  4. Click the Cert-Admin tab.

  5. Click Import.

  6. In the Import Type field, choose Certificate, and click Continue.

  7. Click Browse in the Certificate File field on the Install SSL Certificate page.

  8. In the Choose File dialog, choose Browser.

  9. Navigate to ca.cer and click Open.

  10. In the Certificate Identifier field, enter openSSLCA.

  11. Click Install Certificate.

  12. On the Certificate openSSLCA page, click Return to Certificate Administration.

    The root certificate named openSSLCA is now included in the Certificate ID list.

ProcedureTo Install the Server Certificate to OpenSSO Enterprise Load Balancer 2

Before You Begin

This procedure assumes you have received the CA-signed server certificate requested in To Request a Certificate for OpenSSO Enterprise Load Balancer 2, just completed To Install a CA Root Certificate to OpenSSO Enterprise Load Balancer 2, and are still logged into the load balancer console.

  1. In the BIG-IP load balancer console, click Proxies.

  2. Click the Cert-Admin tab.

    The key lb2.sp-example.com is in the Key List.

  3. In the Certificate ID column, click Install for lb2.sp-example.com.

  4. In the Certificate File field, click Browse.

  5. In the Choose File dialog, navigate to lb-2.cer, the CA-signed server certificate, and click Open.

  6. Click Install Certificate.

  7. On the Certificate lb2.sp-example.com page, click Return to Certificate Administration Information.

    Verify that the Certificate ID indicates lb2.sp-example.com on the SSL Certificate Administration page.

  8. Log out of the load balancer console.

ProcedureTo Configure OpenSSO Enterprise Load Balancer 2

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in to the BIG-IP console as the administrator.

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. Create a Pool.

    A pool contains all the backend server instances.

    1. In the left pane, click Pools.

    2. On the Pools tab, click Add.

    3. In the Add Pool dialog, provide the following information.

      Pool Name

      OpenSSO-SP-Pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP addresses and port numbers for both OpenSSO Enterprise host machines.


      Note –

      Use port number 1081.


    4. Click Done.

  5. Add a Virtual Server.

    The virtual server presents an address to the outside world and, when users attempt to connect, it would forward the connection to the most appropriate real server.


    Note –

    If you encounter JavaScriptTM errors or otherwise cannot proceed to create a virtual server, try using Internet Explorer.


    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click Add.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      Enter the IP address for lb2.sp-example.com

      Service

      1082

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the OpenSSO-SP-Pool Pool.

    6. Click Done.

  6. Add Monitors.

    OpenSSO Enterprise comes with a JSP file named isAlive.jsp that can be contacted to determine if the server is down. Since we have not yet deployed OpenSSO Enterprise, isAlive.jsp cannot be used. In the following sub procedure, create a custom monitor that periodically accesses the Application Server instance(s). If desired, the monitor can be changed later to use isAlive.jsp.

    1. Click the Monitors tab

    2. Click the Basic Associations tab

    3. Find the IP address for osso1.sp-example.com:1080 and osso2.sp-example.com:1080.

    4. Mark the Add checkbox that corresponds to the IP address for both osso1.sp-example.com:1080 and osso2.sp-example.com:1080.

    5. At the top of the Node column, choose the tcp monitor.

    6. Click Apply.

  7. Configure the load balancer for persistence.

    1. In the left pane, click Pools.

    2. Click the name of the pool you want to configure; in this case, OpenSSO-SP-Pool.

    3. Click the Persistence tab.

    4. Under Persistence Type, select Passive HTTP Cookie.

    5. Under Cookie Name, enter amlbcookie.

    6. Click Apply.

  8. In the left pane, click BIGpipe.

  9. In the BIGpipe command window, type the following:


    makecookie ip-address:port
    

    ip-address is the IP address of the osso1.sp-example.com host machine and port is the same machine's port number; in this case, 1081.

  10. Press Enter to execute the command.

    Something similar to Set-Cookie: BIGipServer[poolname]=692589248.36895.0000; path=/ is displayed. Save the numbered value (in this case, 692589248.88888.0000) for use in To Create a Site on OpenSSO Enterprise 1.

  11. In the left pane, click BIGpipe again.

  12. In the BIGpipe command window, type the following:


    makecookie ip-address:port
    

    ip-address is the IP address of the osso2.sp-example.com host machine and port is the same machine's port number; in this case, 1081.

  13. Press Enter to execute the command.

    Something similar to Set-Cookie: BIGipServer[poolname]=692589248.12345.0000; path=/ is displayed. Save the numbered value (in this case, 692589248.99999.0000) for use in To Create a Site on OpenSSO Enterprise 1.

  14. Log out of the load balancer console.

ProcedureTo Create an SSL Proxy for SSL Termination at the OpenSSO Enterprise Load Balancer 2

SSL communication is terminated at Load Balancer 2. The request is then re-encrypted and securely forwarded to OpenSSO Enterprise. When clients send an SSL-encrypted request to Load Balancer 2, it decrypts the request and re-encrypts it before sending it on to the OpenSSO Enterprise SSL port. Load Balancer 2 also encrypts the responses it receives back from OpenSSO Enterprise, and sends these encrypted responses back to the client. Towards this end create an SSL proxy for SSL termination and regeneration.

Before You Begin

Use the same root certificate that you imported in 7.4 Enabling Secure Communication for the Directory Server User Data Instances. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

  1. Access https://is-f5.example.com, the BIG-IP load balancer login page, in a web browser.

  2. Log in to the BIG-IP console as the administrator.

  3. Click Configure your BIG-IP (R) using the Configuration Utility.

  4. In the left pane, click Proxies.

  5. Under the Proxies tab, click Add.

  6. In the Add Proxy dialog, provide the following information.

    Proxy Type:

    Check the SSL and ServerSSL checkbox.

    Proxy Address:

    The IP address of Load Balancer 2.

    Proxy Service:

    1081

    The secure port number

    Destination Address:

    The IP address of Load Balancer 2.

    Destination Service:

    1082

    The non-secure port number

    Destination Target:

    Choose Local Virtual Server.

    SSL Certificate:

    Choose lb2.sp-example.com.

    SSL Key:

    Choose lb2.sp-example.com.

    Enable ARP:

    Check this checkbox.

  7. Click Next.

  8. On the page starting with “Insert HTTP Header String,” change to Rewrite Redirects and choose Matching.

  9. Click Next.

  10. On the page starting with “Server Chain File,” change to Server Trusted CA's File, select “ca.cer” from the drop-down list.

  11. Click Done.

    The new proxy server is added to the Proxy Server list.

  12. Log out of the load balancer console.

  13. Access https://lb2.sp-example.com:1081/index.html from a web browser.

    If the Application Server index page is displayed, you can access it using the new proxy server port number and the load balancer is configured properly.


    Tip –

    A message may be displayed indicating that the browser doesn't recognize the certificate issuer. If this happens, install the CA root certificate in the browser so that the browser recognizes the certificate issuer. See your browser's online help system for information on installing a root CA certificate.


  14. Close the browser.

8.3 Deploying and Configuring OpenSSO Enterprise 1 and OpenSSO Enterprise 2

An OpenSSO Enterprise WAR will be deployed in the installed Application Server containers on both OpenSSO Enterprise host machines. Additionally, you will configure the deployed applications. Use the following list of procedures as a checklist for completing the tasks.

  1. To Generate an OpenSSO Enterprise WAR on the OpenSSO Enterprise 1 Host Machine

  2. To Deploy the OpenSSO Enterprise WAR as OpenSSO Enterprise 1

  3. To Copy the OpenSSO Enterprise WAR to the OpenSSO Enterprise 2 Host Machine

  4. To Deploy the OpenSSO Enterprise WAR File as OpenSSO Enterprise 2

  5. To Configure OpenSSO Enterprise 1

  6. To Configure OpenSSO Enterprise 2

ProcedureTo Generate an OpenSSO Enterprise WAR on the OpenSSO Enterprise 1 Host Machine

  1. As a root user, log in to the osso1.sp-example.com host machine.

  2. Create a directory into which the OpenSSO Enterprise ZIP file can be downloaded and change into it.


    # mkdir /export/OSSO_BITS
    # cd /export/OSSO_BITS
    
  3. Download the OpenSSO Enterprise ZIP file from http://www.sun.com/download/.

  4. Unzip the downloaded file.


    # unzip opensso_enterprise_80.zip
    # cd /export/OSSO_BITS/opensso
    # ls -al
    
    total 68
    drwxr-xr-x  14 root     root     512 Sep 8 11:13 ./
    drwxrwxr-x   3 root     root     512 Sep 15 13:06 ../
    -rw-r--r--   1 root     root    1349 Sep 8 10:58 README
    drwxr-xr-x   6 root     root     512 Sep 8 11:15 deployable-war/
    drwxr-xr-x   2 root     root     512 Sep 8 11:13 docs/
    drwxr-xr-x   2 root     root     512 Sep 8 11:13 fedlet/
    drwxr-xr-x   5 root     root     512 Sep 8 11:11 integrations/
    drwxr-xr-x   2 root     root     512 Sep 8 11:13 ldif/
    drwxr-xr-x   4 root     root     512 Sep 8 11:13 libraries/
    -rw-r--r--   1 root     root   17003 Sep 8 10:58 license.txt
    drwxr-xr-x   2 root     root     512 Sep 8 11:13 migration/
    drwxr-xr-x   2 root     root     512 Sep 8 11:13 patches/
    drwxr-xr-x   2 root     root     512 Sep 8 11:13 samples/
    drwxr-xr-x   2 root     root     512 Sep 8 11:14 tools/
    drwxr-xr-x   8 root     root     512 Sep 8 11:13 upgrade/
    drwxr-xr-x   2 root     root    2048 Sep 8 11:11 xml/

    
    
  5. Switch to the non-root user.


    # su osso80adm
    
  6. Create a staging area in the non-root user directory into which the WAR will be exploded.


    # cd /export/osso80adm
    # mkdir osso-staging
    

    Tip –

    In the staging area, after exploding the WAR, you can modify the WAR contents to suit your needs, generate a new WAR, and deploy it on any number of remote host computers. Whenever you need to make changes to the WAR, you maintain the changes in this one staging area, and redeploy the modified WAR as many times as you want, on as many host machines as you need.


  7. Explode the WAR file.


    # cd osso-staging
    # jar xvf /export/OSSO_BITS/opensso/deployable-war/opensso.war
    
  8. Make the following modifications to the bootstrap.properties file.

    By default, during the WAR deployment, OpenSSO Enterprise creates a bootstrap file in the user's home directory. The bootstrap.properties file points to the directory where all the OpenSSO Enterprise configurations will be created. With these modifications, OpenSSO Enterprise will create the bootstrap file in the directory you specify; in this case, /export/osso80adm/config. bootstrap.properties is located in /export/osso80adm/osso-staging/WEB-INF/classes.

    • Uncomment the line that reads #configuration.dir=.

    • Add the following value to the configuration.dir= property so it reads as follows.


      configuration.dir=/export/osso80adm/config
  9. Regenerate the WAR.


    # cd /export/osso80adm/osso-staging
    # jar cvf ../opensso.war *
    

    A new WAR file is created, including the modified bootstrap.properties.

  10. Verify that the new WAR was created in the proper location and with the appropriate permissions.


    # cd /export/osso80adm/osso-staging
    # /bin/rm -rf *
    # jar xvf ../opensso.war
    # ls -al
    
    total 498
    drwxr-xr-x 7 osso80adm staff 512 Aug 5 13:44 .
    drwxr-xr-x 12 root sys 512 Aug 5 11:11 ..
    -rw------- 1 osso80adm staff 779 Aug 5 14:56 .asadmintruststore
    drwx------ 2 osso80adm staff 512 Aug 5 14:44 .gconf
    drwx------ 2 osso80adm staff 512 Aug 5 14:44 .gconfd
    -rw-r--r-- 1 osso80adm staff 144 Aug 5 17:02 .profile
    drwx------ 3 osso80adm staff 512 Aug 5 11:20 .sunw
    drwxr-xr-x 3 osso80adm staff 512 Aug 5 14:55 domains
    drwxr-xr-x 21 osso80adm staff 1024 Aug 5 13:43 osso-staging
    -rw-r--r-- 1 osso80adm staff 68884903 Aug 5 13:45 opensso.war
    -rw-r--r-- 1 osso80adm staff 136 Aug 5 17:02 local.cshrc
    -rw-r--r-- 1 osso80adm staff 157 Aug 5 17:02 local.login
    -rw-r--r-- 1 osso80adm staff 174 Aug 5 17:02 local.profile

    Note –

    The opensso.war file is owned by osso80adm.


ProcedureTo Deploy the OpenSSO Enterprise WAR as OpenSSO Enterprise 1

Before You Begin

This procedure assumes you have just completed To Generate an OpenSSO Enterprise WAR on the OpenSSO Enterprise 1 Host Machine and are still logged into the osso1.sp-example.com host machine

  1. On the osso1.sp-example.com host machine, switch to the non-root user osso80adm.


    # /bin/su osso80adm
    
  2. Start the ossodomain domain.


    # cd /export/osso80adm/domains/ossodomain/bin
    # ./startserv
    
    admin username:domain2adm
    
    admin password:domain2pwd
    
    master password:domain2master
    
    Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log
  3. Run asadmin deploy to deploy the OpenSSO Enterprise WAR.


    # cd /opt/SUNWappserver91/bin
    # ./asadmin deploy --user domain2adm --host osso1.sp-example.com 
    --port=8989 --contextroot opensso --name opensso --target server 
    /export/osso80adm/opensso.war
    
    Please enter the admin password> domain2pwd
    
    Command deploy executed successfully.
  4. List the contents of the j2ee-modules directory to verify that the WAR file was successfully deployed.


    # cd /export/osso80adm/domains/ossodomain/applications/j2ee-modules
    # ls -al
    
    total 6
    drwxr-xr-x   3 osso80adm staff      512 Aug 5 14:01 .
    drwxr-xr-x   6 osso80adm staff      512 Aug 5 14:55 ..
    drwxr-xr-x  21 osso80adm staff     1024 Aug 5 14:01 opensso
    

    opensso exists in the directory and is owned by the non-root user osso80adm.

  5. Log out of the osso1.sp-example.com host machine.

ProcedureTo Copy the OpenSSO Enterprise WAR to the OpenSSO Enterprise 2 Host Machine

Before You Begin

This procedure assumes you have completed To Generate an OpenSSO Enterprise WAR on the OpenSSO Enterprise 1 Host Machine.

  1. As a root user, log in to the osso2.sp-example.com host machine.

  2. Switch to the non-root user osso80adm.


    # /bin/su osso80adm
    
  3. Change into the osso80adm directory.


    # cd /export/osso80adm
    
  4. Copy opensso.war from the osso1.sp-example.com host machine to the osso80adm directory.

  5. Verify that the WAR file was copied into the proper location and with the appropriate permissions.


    # ls -al
    
    total 130552
    drwxr-xr-x   6 osso80adm staff        512 Sep 5 14:14 .
    drwxr-xr-x   8 root      sys          512 Sep 5 10:54 ..
    -rw-r--r--   1 osso80adm staff         70 Sep 5 14:13 .asadminpass
    -rw-------   1 osso80adm staff        778 Sep 5 14:12 .asadmintruststore
    drwx------   2 osso80adm staff        512 Sep 5 13:15 .gconf
    drwx------   2 osso80adm staff        512 Sep 5 13:26 .gconfd
    -rw-r--r--   1 osso80adm staff        144 Sep 5 15:00 .profile
    drwx------   3 osso80adm staff        512 Sep 5 15:26 .sunw
    drwxr-xr-x   3 osso80adm staff        512 Sep 5 14:12 domains
    -rw-r--r--   1 osso80adm staff   68884903 Sep 5 14:14 opensso.war
    -rw-r--r--   1 osso80adm staff        136 Sep 5 15:00 local.cshrc
    -rw-r--r--   1 osso80adm staff        157 Sep 5 15:00 local.login
    -rw-r--r--   1 osso80adm staff        174 Sep 5 15:00 local.profile

    opensso.war exists in the directory and is owned by osso80adm.

ProcedureTo Deploy the OpenSSO Enterprise WAR File as OpenSSO Enterprise 2

Before You Begin

This procedure assumes you have just completed To Copy the OpenSSO Enterprise WAR to the OpenSSO Enterprise 2 Host Machine and are still logged into the osso2.sp-example.com host machine

  1. On the osso2.sp-example.com host machine, switch to the non-root user osso80adm.


    # /bin/su osso80adm
    
  2. Start the ossodomain domain.


    # cd /export/osso8/domains/ossodomain/bin
    # ./startserv
    
    admin username:domain2adm
    
    admin password:domain2pwd
    
    master password:domain2master
    
    Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log
  3. Run asadmin deploy to deploy the OpenSSO Enterprise WAR file.


    # cd /opt/SUNWappserver91/bin
    # ./asadmin deploy --user domain2adm --host osso2.sp-example.com 
    --port=8989 --contextroot opensso --name opensso --target server 
    /export/osso80adm/opensso.war
    
    Please enter the admin password> domain2pwd
    
    Command deploy executed successfully.
  4. List the contents of the j2ee-modules directory to verify that the WAR file was successfully deployed.


    # cd /export/osso80adm/domains/ossodomain/applications/j2ee-modules
    # ls -al
    
    total 6
    drwxr-xr-x   3 osso80adm staff      512 Sep 5 14:01 .
    drwxr-xr-x   6 osso80adm staff      512 Sep 5 14:55 ..
    drwxr-xr-x  21 osso80adm staff     1024 Sep 5 14:01 opensso
    

    opensso exists in the directory and is owned by the non-root user osso80adm.

  5. Log out of the osso2.sp-example.com host machine.

ProcedureTo Configure OpenSSO Enterprise 1

  1. Access https://osso1.sp-example.com:1081/opensso from a web browser.

    The OpenSSO Enterprise Configurator page is displayed for first time access.

  2. Select Create New Configuration under Custom Configuration on the Configurator page.

    The OpenSSO Enterprise Custom Configuration Wizard is displayed.

  3. Provide the following information for the Default User [amAdmin] in Step 1: General and click Next.

    Password

    ossoadmin

    Confirm

    ossoadmin

  4. Accept the default values in Step 2: Server Settings and click Next

  5. Do the following in Step 3: Configuration Store and click Next

    1. Select First Instance.

    2. Select Embedded DS as the configuration data store.

    3. Accept the default values for the Port, Encryption Key, and Root Suffix fields.

  6. Select Remote Directory in Step 4: User Store Settings, provide the following information and click Next

    SSL Enabled

    Check the box.

    Directory Name

    lb2.sp-example.com

    Port

    489

    Root Suffix

    o=spusers.com

    Password

    dsmanager

    Store Type

    Select Generic LDAP.

  7. Select No in Step 5: Site Configuration and click Next.

  8. Provide the following information for the Default Agent User [amldapuser] in Step 6: Default Agent User and click Next.

    Password

    agentuser

    Confirm

    agentuser

  9. Click Create Configuration on the Summary page.

    The Configuration Complete page is displayed after configuration is completed.

  10. Click Proceed to Login on the Configuration Complete page.

  11. Log in to the OpenSSO Enterprise console as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

    If authentication succeeds and the OpenSSO Enterprise console is displayed, OpenSSO Enterprise has successfully accessed the embedded configuration data store.

  12. (Optional) To verify that the config directory and the supporting bootstrap directory have been created with the proper permissions, do the following.

    1. As a root user, log in to the osso1.sp-example.com host machine.

    2. Examine the file system.


      # cd /export/osso80adm
      # ls -al
      
      total 130556
      drwxr-xr-x   8 osso80adm staff        512 Sep  6 19:32 .
      drwxr-xr-x  14 root      sys          512 Sep  6 09:07 ..
      -rw-r--r--   1 osso80adm staff         70 Sep 27 14:01 .asadminpass
      -rw-------   1 osso80adm staff       1527 Sep  6 18:27 .asadmintruststore
      -rw-r--r--   1 osso80adm staff        144 Sep 11 17:02 .profile
      drwx------   3 osso80adm staff        512 Sep 24 11:20 .sunw
      drwxr-xr-x   4 osso80adm staff        512 Sep  6 19:34 config
      drwxr-xr-x   4 osso80adm staff        512 Sep  6 18:26 domains
      -rw-r--r--   1 osso80adm staff        136 Sep 11 17:02 local.cshrc
      -rw-r--r--   1 osso80adm staff        157 Sep 11 17:02 local.login
      -rw-r--r--   1 osso80adm staff        174 Sep 11 17:02 local.profile

      The config directory was created and is owned by non-root user osso80adm.

    3. Log out of the osso1.sp-example.com host machine.

ProcedureTo Configure OpenSSO Enterprise 2

  1. Access https://osso2.sp-example.com:1081/opensso from a web browser.

    The OpenSSO Enterprise Configurator page is displayed for first time access.

  2. Select Create New Configuration under Custom Configuration on the Configurator page.

    The OpenSSO Enterprise Custom Configuration Wizard is displayed.

  3. Provide the following information for the Default User [amAdmin] in Step 1: General and click Next.

    Password

    ossoadmin

    Confirm

    ossoadmin

  4. Accept the default values in Step 2: Server Settings and click Next

  5. Do the following in Step 3: Configuration Store and click Next

    1. Select Add to Existing Deployment as the configuration data store.

    2. Server URL: https://osso2.sp-example.com:1081/opensso

  6. Select No in Step 5: Site Configuration and click Next.

  7. Click Create Configuration on the Summary page.

    The Configuration Complete page is displayed after configuration is completed.

  8. Click Proceed to Login on the Configuration Complete page.

  9. Log in to the OpenSSO Enterprise console as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

    If authentication succeeds and the OpenSSO Enterprise console is displayed, OpenSSO Enterprise has successfully accessed the embedded configuration data store.

  10. (Optional) To verify that the config directory and the supporting bootstrap directory have been created with the proper permissions, do the following.

    1. As a root user, log in to the osso2.sp-example.com host machine.

    2. Examine the file system.


      # cd /export/osso80adm
      # ls -al
      
      total 130556
      drwxr-xr-x   8 osso80adm staff        512 Aug  6 19:32 .
      drwxr-xr-x  14 root      sys          512 Aug  6 09:07 ..
      -rw-r--r--   1 osso80adm staff         70 Mar 27 14:01 .asadminpass
      -rw-------   1 osso80adm staff       1527 Aug  6 18:27 .asadmintruststore
      -rw-r--r--   1 osso80adm staff        144 Mar 11 17:02 .profile
      drwx------   3 osso80adm staff        512 Mar 24 11:20 .sunw
      drwxr-xr-x   4 osso80adm staff        512 Aug  6 19:34 config
      drwxr-xr-x   4 osso80adm staff        512 Aug  6 18:26 domains
      -rw-r--r--   1 osso80adm staff        136 Mar 11 17:02 local.cshrc
      -rw-r--r--   1 osso80adm staff        157 Mar 11 17:02 local.login
      -rw-r--r--   1 osso80adm staff        174 Mar 11 17:02 local.profile

      The config directory was created and is owned by non-root user osso80adm.

    3. Log out of the osso2.sp-example.com host machine.

8.4 Configuring the OpenSSO Enterprise Platform Service

The Platform Service provides centralized configuration management for an OpenSSO Enterprise deployment. In this procedure, you configure the two OpenSSO Enterprise servers to work as a single unit. Once configured as a site, all client requests go through the configured load balancer. Use the following list of procedures as a checklist for completing this task.

  1. To Create a Site on OpenSSO Enterprise 1

  2. To Verify that the OpenSSO Enterprise Site was Configured Properly

ProcedureTo Create a Site on OpenSSO Enterprise 1

It is not necessary to repeat this procedure on OpenSSO Enterprise 2.

  1. Access https://osso1.sp-example.com:1081/opensso/console in a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

  3. Under the Configuration tab, click Servers and Sites.

    The Servers and Sites page is displayed.

  4. Click New under Sites.

    The New Site properties page is displayed.

  5. Enter the following values for the load balancer and click OK.

    Name

    sp-site

    Primary URL

    https://lb2.sp-example.com:1081/opensso

    A new site called sp-site is displayed in the Sites list.

  6. Click on the https://osso1.sp-example.com:1081/opensso server entry under the Servers list.

    The Edit https://osso1.sp-example.com:1081/opensso page is displayed.

  7. Assign sp-site from the Parent Site drop down list and click Save.

  8. Click the Advanced tab.

  9. Enter the number generated for the osso1.sp-example.com host machine as the value of the com.iplanet.am.lbcookie.value property and click Save.

    The number was generated using the makecookie command in To Configure OpenSSO Enterprise Load Balancer 2.

  10. Click Back to Server and Sites.

  11. Click on the https://osso2.sp-example.com:1081/opensso server entry under the Servers list.

    The Edit https://osso2.sp-example.com:1081/opensso page is displayed.

  12. Assign sp-site from the Parent Site drop down list and click Save.

  13. Click the Advanced tab.

  14. Enter the number generated for the osso2.sp-example.com host machine as the value of the com.iplanet.am.lbcookie.value property and click Save.

    The number was generated using the makecookie command in To Configure OpenSSO Enterprise Load Balancer 2.

  15. Click Back to Server and Sites.


    Note –

    You should see sp-site under the Site Name column for both servers.


  16. Log out of the OpenSSO Enterprise console.

  17. As a root user, log in to the osso1.sp-example.com host machine.

  18. Restart OpenSSO Enterprise for the changes to take effect.


    # /bin/su osso80adm
    # cd /export/osso80adm/domains/ossodomain/bin
    # ./stopserv; ./startserv
    
    Server was successfully stopped.
    
    admin username:  domain2adm
    
    admin password:  domain2pwd
    
    master password: domain2master
    
    Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log
  19. As a root user, log in to the osso2.sp-example.com host machine.

  20. Restart the web container for the changes to take effect.


    # /bin/su osso80adm
    # cd /export/osso80adm/domains/ossodomain/bin
    # ./stopserv; ./startserv
    
    Server was successfully stopped.
    
    admin username:  domain2adm
    
    admin password:  domain2pwd
    
    master password: domain2master
    
    Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log
  21. Log out of both OpenSSO Enterprise host machines.

ProcedureTo Verify that the OpenSSO Enterprise Site was Configured Properly

  1. Access the load balancer at https://lb2.sp-example.com:1081/opensso/UI/Login.

    If an error message is displayed indicating that the browser cannot connect to either osso1.sp-example.com or osso2.sp-example.com, the site configuration is not correct. If the site configuration is correct, all browser interactions will occur as expected.

  2. When the OpenSSO Enterprise login page is displayed, verify that the browser URL still contains the Primary Site URL for the load balancer.

    If it does not contain the Site URL, the site configuration is incorrect. If the site configuration is correct, all browser interactions will occur through the secure Site URL.

  3. Log in to the OpenSSO Enterprise console as the administrator.

    User Name:

    amadmin

    Password:

    ossoadmin

    A successful login occurs when the site configuration is correct.

  4. Log out of the OpenSSO Enterprise console.

8.5 Configuring OpenSSO Enterprise for SAML v2

Configure OpenSSO Enterprise on the service provider side to recognize the Directory Server LDAP schema previously modified for SAML v2 attributes.

ProcedureTo Configure OpenSSO Enterprise for the Modified LDAP Schema

Before You Begin

This procedure assumes you have completed 7.3 Modifying the Directory Server Schema.

  1. Access https://lb4.sp-example.com:1081/opensso/console from a web browser.

  2. Log in to the OpenSSO Enterprise console as the administrator.

    Username

    amadmin

    Password

    ossoadmin

    The Common Tasks tab is displayed.

  3. Click the Access Control tab and / (Top-level Realm) on the Access Control page.

  4. Click the Data Stores tab.

  5. Under the Data Stores tab, click embedded.

    The Generic LDAPv3 page is displayed.

  6. Add the following values to properties on the Generic LDAPv3 page.

    • Type sunFMSAML2NameIdentifier in the New Value box of the LDAP User Object Class property and click Add.

    • Add the following values to the LDAP User Attribute property.

      • Type sun-fm-saml2-nameid-infokey in the New Value box and click Add.

      • Type sun-fm-saml2-nameid-info in the New Value box and click Add.

  7. Click Save on the Generic LDAPv3 page.

  8. Log out of the OpenSSO Enterprise console.