8.1 Installing the Application Server Web Containers

In this section, we create a non-root user with the roleadd command in the Solaris Operating Environment on each OpenSSO Enterprise host machine and install Sun Java System Application Server 9.1 Update 1 using the non-root user. Use the following list of procedures as a checklist for completing the task.

1. To Patch the OpenSSO Enterprise Host Machines

2. To Create a Non-Root User on the OpenSSO Enterprise 1 Host Machine

3. To Install Application Server on the OpenSSO Enterprise 1 Host Machine

4. To Create a Non-Root User on the OpenSSO Enterprise 2 Host Machine

5. To Install Application Server on the OpenSSO Enterprise 2 Host Machine

We use roleadd rather than useradd for security reasons; roleadd disables the ability of the user to log in.

To Patch the OpenSSO Enterprise Host Machines

On our lab machines, the required Application Server patch is 117461–08. Results for your machine might be different. Read the latest documentation for your web container to determine if you need to install patches and, if so, what they might be. You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch for the OpenSSO Enterprise 1 host machine (osso1.sp-example.com) and the OpenSSO Enterprise 2 host machine (osso2.sp-example.com).

1. Log in to the osso1.sp-example.com host machine as a root user.

2. Run patchadd to see if the patch is already installed.

   # patchadd -p | grep 117461-08

   A series of patch numbers are displayed, and patch 117461–08 is present so there is no need to install any patches at this time.

3. Log out of the osso1.sp-example.com host machine.

4. Log in to the osso2.sp-example.com host machine as a root user.

5. Run patchadd to see if the patch is already installed.

   # patchadd -p | grep 117461-08

   A series of patch numbers are displayed, and patch 117461–08 is present so there is no need to install any patches at this time.

6. Log out of the osso1.sp-example.com host machine.

To Create a Non-Root User on the OpenSSO Enterprise 1 Host Machine

1. Log in to the osso1.sp-example.com host machine as a root user.

2. Create a new user with roleadd.

   # roleadd -s /sbin/sh -m -g staff -d /export/osso80adm osso80adm

3. (Optional) Verify that the user was created.

   # cat /etc/passwd root:x:0:0:Super-User:/:/sbin/sh daemon:x:1:1::/: ... nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/: osso80adm:x:223830:10::/export/osso80adm:/sbin/sh

4. (Optional) Verify that the user's directory was created.

   # cd /export/osso80adm # ls local.cshrc local.profile local.login

5. Create a password for the non-root user.

   # passwd osso80adm New Password: nonroot1pwd Re-ener new Pasword: nonroot1pwd passwd: password successfully changed for osso80adm

   ---

   Caution –

   If you do not perform this step, you will not be able to switch user (su) when logged in as the non-root user.

   ---

To Install Application Server on the OpenSSO Enterprise 1 Host Machine

Install Application Server and the appropriate CA root and CA-signed server certificates.

Before You Begin

This procedure assumes you have just completed To Create a Non-Root User on the OpenSSO Enterprise 1 Host Machine and are still logged into the osso1.sp-example.com host machine as a root user.

1. Create a directory into which the Application Server bits can be downloaded and change into it.

   # mkdir /export/AS91 # cd /export/AS91

2. Download the Sun Java System Application Server 9.1 Update 2 binary from the Sun Microsystems Product Download page to the /export/AS91 directory.

3. Grant the downloaded binary execute permission using the chmod command.

   # chmod +x sjsas-9_1_02-solaris-sparc-ml.bin

4. Install the software.

   # ./sjsas-9_1_02-solaris-sparc-ml.bin -console

5. When prompted, provide the following information.

   You are running the installation program for the Sun Java System Application Server. This program asks you to supply configuration preference settings that it uses to install the server. This installation program consists of one or more selections that provide you with information and let you enter preferences that determine how Sun Java System Application Server is installed and configured. When you are presented with the following question, the installation process pauses to allow you to read the information that has been presented When you are ready to continue, press Enter.	Press Enter to continue.
   Some questions require more detailed information that you are required to type. The question may have a default value that is displayed inside of brackets []. For example, the following question has a default answer of yes: Are you sure? [yes] If you want to accept the default answer, press only the Enter key (which on some keyboards is labeled Return). If you want to provide a different answer, type it at the command prompt and then press Enter.	Press Enter to continue.
   Welcome to the Sun Java System Application Server Installation program.	Press Enter to continue.
   Before you install this product, you must read and accept the entire Software License Agreement under which this product is licensed for your use.	Press Enter to display the Software License Agreement.
   This Agreement, including any terms contained in your Entitlement, is the entire agreement between you and Sun relating to its subject matter. It supersedes all prior or contemporaneous oral or written communications, proposals, representations and warranties and prevails over any conflicting or additional terms of any quote, order, acknowledgment, or other communication between the parties relating to its subject matter during the term of this Agreement. No modification of this Agreement will be binding, unless in writing and signed by an authorized representative of each party. Please contact Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, California 95054 if you have questions. If you have read and accept all the terms of the entire Software License Agreement, answer 'yes', and the installation will continue. If you do not accept all the terms of the Software License Agreement, answer 'no', and the installation program will end without installing the product. Have you read, and do you accept, all of the terms of the preceding Software License Agreement [no] {"<" goes back, "!" exits}?	Type yes and press Enter.
   The Sun Java System Application Server components will be installed in the following directory, which is referred to as the "Installation Directory".To use this directory, press only the Enter key. To use a different directory, type in the full path of the directory to use followed by pressing the Enter key. Installation Directory [/opt/SUNWappserver] {"<" goes back, "!" exits}	Enter /opt/SUNWappserver91
   The directory "/opt/SUNWappserver91" does not exist. Do you want to create it now or choose another directory? 1. Create Directory 2. Choose New. Enter the number corresponding to your choice [1] {"<" goes back, "!" exits}	Press Enter to accept the default value.
   The Sun Java System Application Server requires a Java 2 SDK. Please provide the path to a Java 2 SDK 5.0 or greater. [/usr/jdk/instances/jdk1.5.0] {"<" goes back, "!" exits}	Press Enter to accept the default value.
   Supply the admin user's password and override any of the other initial configuration settings as necessary. Admin User [admin] {"<" goes back, "!" exits}	Press Enter to accept the default value.
   Admin User's Password (8 chars minimum): Re-enter Password:	Enter domain1pwd and then re-enter domain1pwd.
   Do you want to store admin user name and password in .asadminpass file in user's home directory [yes] {"<" goes back, "!" exits}?	Press Enter to accept the default value.
   Admin Port [4848] {"<" goes back, "!" exits} HTTP Port [8080] {"<" goes back, "!" exits} HTTPS Port [8181] {"<" goes back, "!" exits}	Press Enter to accept the three default values.
   Do you want to enable Updatecenter client [yes] {"<" goes back, "!" exits}?	Press Enter to accept the default value.
   Do you want to upgrade from previous Applicatin Server version [no] {"<" goes back, "!" exits}?	Press Enter to accept the default value.
   The following items for the product Sun Java System Application Server will be installed: Product: Sun Java System Application Server Location: /opt/SUNWappserver91 Space Required: 185.42 MB ------------------------------------------- Sun Java System Message Queue 4.1 Application Server Startup Ready To Install 1. Install Now 2. Start Over 3. Exit Installation What would you like to do [1] {"<" goes back, "!" exits}?	Press Enter to accept the default value and begin the installation process.
   - Installing Sun Java System Application Server |-1%-----25%-----50%-----75%-----100%| - Installation Successful.	When installation is complete, an Installation Successful message is displayed:
   Next Steps: 1. Access the About Application Server 9.1 welcome page at: file:///opt/SUNWappserver91/docs/about.html 2. Start the Application Server by executing: /opt/SUNWappserver91/bin/asadmin start-domain domain1 3. Start the Admin Console: http://osso1.sp-example.com:4848 Please press Enter/Return key to exit the installation program. {"!" exits}	Press Enter to exit the installation program.

6. Create a second Application Server domain for the non-root user.

   The default domain created during the installation process is owned by root. We create a new domain for osso80adm, the non-root user, into which we will deploy OpenSSO Enterprise.

   # cd /opt/SUNWappserver91/bin # su osso80adm # ./asadmin create-domain --domaindir /export/osso80adm/domains --adminport 8989 --user domain2adm --instanceport 1080 --domainproperties http.ssl.port=1081 ossodomain Please enter the admin password> domain2pwd Please enter the admin password again> domain2pwd Please enter the master password [Enter to accept the default]:> domain2master Please enter the master password again [Enter to accept the default]:> domain2master Using port 8989 for Admin. Using port 1080 for HTTP Instance. Using default port 7676 for JMS. Using default port 3700 for IIOP. Using port 1081 for HTTP_SSL. Using default port 3820 for IIOP_SSL. Using default port 3920 for IIOP_MUTUALAUTH. Using default port 8686 for JMX_ADMIN. Domain being created with profile:developer, as specified by variable AS_ADMIN_PROFILE in configuration file. Security Store uses: JKS 2008-09-14 18:21:15.907 GMT Thread[main,5,main] java.io.FileNotFoundException: derby.log (Permission denied) ------------------------------------------------- 2008-09-14 18:21:16.216 GMT: Booting Derby version The Apache Software Foundation - Apache Derby - 10.2.2.1 - (538595): instance c013800d-0118-e205-d50b-00000c0c0770 on database directory /export/osso80adm/domains/ossodomain/lib/databases/ejbtimer Database Class Loader started - derby.database.classpath='' Domain ossodomain created.

   ---

   Note –

   Creating a non-root domain displays a FileNotFoundException. Please see Appendix G, Known Issues and Limitations.

   ---

7. Verify that the non-root user domain was created with the correct permissions using the following sub-procedure.

   1. Change to the ossodomain directory.

      # cd /export/osso80adm/domains/ossodomain

   2. List the contents of the directory.

      # ls -la total 30 drwxr-xr-x 15 osso80adm staff 512 Sep 14 16:43 . drwxr-xr-x 3 osso80adm staff 512 Sep 14 16:43 .. drwxr-xr-x 2 osso80adm staff 512 Sep 14 16:43 addons drwxr-xr-x 6 osso80adm staff 512 Sep 14 16:43 applications drwxr-xr-x 3 osso80adm staff 512 Sep 14 16:43 autodeploy drwxr-xr-x 2 osso80adm staff 512 Sep 14 16:43 bin drwx------ 3 osso80adm staff 1024 Sep 14 16:43 config drwxr-xr-x 2 osso80adm staff 512 Sep 14 16:43 docroot drwxr-xr-x 6 osso80adm staff 512 Sep 14 16:43 generated drwxr-xr-x 3 osso80adm staff 512 Sep 14 16:43 imq drwxr-xr-x 5 osso80adm staff 512 Sep 14 16:43 java-web-start drwxr-xr-x 8 osso80adm staff 512 Sep 14 16:43 jbi drwxr-xr-x 6 osso80adm staff 512 Sep 14 16:43 lib drwxr-xr-x 2 osso80adm staff 512 Sep 14 16:43 logs drwxr-xr-x 2 osso80adm staff 512 Sep 14 16:43 session-store

      The files and directories are owned by osso80adm.

8. Start ossodomain, the non-root user domain, using the following sub-procedure.

   1. Change to the non-root user domain bin directory.

      # cd /export/osso80adm/domains/ossodomain/bin

   2. Start ossodomain.

      # ./startserv admin username:domain2adm admin password:domain2pwd master password:domain2master Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log

9. Verify that ossodomain has started with the following sub-procedure.

   1. Access http://osso1.sp-example.com:8989/login.jsf from a web browser.

   2. Log in to the Application Server console as the ossodomain administrator.

      Username

      domain2adm

      Password

      domain2pwd

      When the Application Server administration console is displayed, it is verification that the non-root user was able to start the domain server.

   3. Exit the console and close the browser.

10. Create a request for a CA-signed server certificate to secure communications between the soon-to-be-configured OpenSSO Enterprise load balancer and ossodomain using the following sub-procedure.

    1. Generate a private/public key pair and reference it with the alias, opensso-sp-1.

       opensso-sp-1 will be used in a later step to retrieve the public key which is contained in a self-signed certificate.

       # cd /export/osso80adm/domains/ossodomain/config # keytool -genkey -noprompt -keyalg rsa -keypass domain2master -alias opensso-sp-1 -keystore keystore.jks -dname "CN=osso1.sp-example.com, OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" -storepass domain2master

    2. Verify that the key pair was successfully created and stored in the certificate store.

       # keytool -list -v -keystore keystore.jks -storepass domain2master Keystore type: jks Keystore provider: SUN Your keystore contains two entries. ... Alias name: opensso-sp-1 Creation date: Sep 14, 2008 Entry type: keyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=osso1.sp-example.com, OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US Issuer: CN=osso-osso1.sp-example.com, OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US Serial number: 48cdb299 Valid from: Sun Sep 14 15:02:47 PDT 2008 until: Sat Dec 13 15:02:47 PDT 2008 Certificate fingerprints: MD5: 14:0F:88:BC:C8:6F:2C:8B:F0:A2:C2:F1:AF:FC:93:F1: SHA1: 9D:22:05:14:51:21:33:CB:06:36:25:FE:0A:B6:DF:45:EE:B1:19:86:

       ---

       Note –

       The output of this command may list more than one certificate based on the entries in the keystore.

       ---

    3. Generate a CA-signed server certificate request.

       # keytool -certreq -alias opensso-sp-1 -keypass domain2master -keystore keystore.jks -storepass domain2master file opensso-sp-1.csr

       opensso-sp-1.csr is the server certificate request.

    4. (Optional) Verify that opensso-sp-1.csr was created.

       # ls -la opensso-sp-1.csr -rw-r--r-- 1 osso80adm staff 715 Sep 14 15:04 opensso-sp-1.csr

    5. Send osso-sp-1.csr to the CA of your choice.

       The CA issues and returns a certified certificate named opensso-sp-1.cer.

    6. Import ca.cer, the CA root certificate.

       The root certificate must be imported into two keystores (keystore.jks and cacerts.jks) with Application Server. Use the same root certificate that you imported in 7.4 Enabling Secure Communication for the Directory Server User Data Instances. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

       # keytool -import -trustcacerts -alias OpenSSLTestCA -file ca.cer -keystore keystore.jks -storepass domain2master Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, O=sun, L=santa clara, ST=california, C=us Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, O=sun, L=santa clara, ST=california, C=us Serial number: f59cd13935f5f498 Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010 Certificate fingerprints: MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9 SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA Trust this certificate? [no]: Yes Certificate was added to keystore

       # keytool -import -trustcacerts -alias OpenSSLTestCA -file ca.cer -keystore cacerts.jks -storepass ossomaster Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, O=sun, L=santa clara, ST=california, C=us Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, O=sun, L=santa clara, ST=california, C=us Serial number: f59cd13935f5f498 Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010 Certificate fingerprints: MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9 SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA Trust this certificate? [no]: Yes Certificate was added to keystore

    7. Replace the self-signed public key certificate (associated with the s1as alias) with the CA-signed server certificate.

       # keytool -import -file opensso-sp-1.cer -alias opensso-sp-1 -keystore keystore.jks -storepass domain2master Certificate reply was installed in keystore

    8. (Optional) Verify that the self-signed public key certificate has been overwritten by the server certificate received from the CA.

       # keytool -list -v -keystore keystore.jks -storepass domain2master The certificate indicated by the alias "osso-sp-1" is signed by CA.

    9. Change the certificate alias from the default s1as to the new opensso-sp-1 in the domain.xml file for the ossodomain domain.

       The Application Server configuration file is domain.xml.

       <http-listener acceptor-threads="1" address="0.0.0.0" 
       blocking-enabled="false" default-virtual-server="server" enabled="true" 
       family="inet" id="http-listener-2" port="1081" security-enabled="true" 
       server-name="" xpowered-by="true">
       <ssl cert-nickname="opensso-sp-1" client-auth-enabled="false" ssl2-enabled="false"
       ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>

       ---

       Tip –

       Backup domain.xml before modifying it.

       ---

11. Modify the JVM options in your web container's configuration file using the following sub-procedure.

    OpenSSO Enterprise is deployed with an embedded configuration data store (if desired). In order for the configuration data store to be created successfully, the following JVM options should be modified in the web container's configuration file. We will be modifying domain.xml again for this example.

    ---

    Tip –

    Backup domain.xml before modifying it.

    ---

    1. Change to the config directory.

       # cd /export/osso80adm/domains/ossodomain/config

    2. Open domain.xml in a text editor and make the following changes:

       • Replace <jvm-options>-client</jvm-options> with <jvm-options>-server</jvm-options>.

       • Replace <jvm-options>-Xmx512m</jvm-options> with <jvm-options>-Xmx1024m</jvm-options>.

    3. Save the file and close it.

12. Restart the ossodomain domain.

    # cd /export/osso80adm/domains/ossodomain/bin # ./stopserv Server was successfully stopped. ./startserv admin username:domain2adm admin password:domain2pwd master password:domain2master Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log

13. Verify that the certificate used for SSL communication is the root CA certificate.

    1. Access https://osso1.sp-example.com:1081/index.html from a web browser.

    2. View the details of the certificate in the security warning to ensure that it is Issued by “OpenSSLTestCA”.

       After inspecting and accepting the certificate, you should see the default index.html page.

    3. Close the browser.

14. Log out of the osso1.sp-example.com host machine.

To Create a Non-Root User on the OpenSSO Enterprise 2 Host Machine

1. Log in to the osso2.sp-example.com host machine as a root user.

2. Create a new user with roleadd.

   # roleadd -s /sbin/sh -m -g staff -d /export/osso80adm osso80adm

3. (Optional) Verify that the user was created.

   # cat /etc/passwd root:x:0:0:Super-User:/:/sbin/sh daemon:x:1:1::/: ... nobody4:x:65534:65534:SunOS 4.x NFS Anonymous Access User:/: osso80adm:x:223830:10::/export/osso80adm:/sbin/sh

4. (Optional) Verify that the user's directory was created.

   # cd /export/osso80adm # ls local.cshrc local.profile local.login

5. Create a password for the non-root user.

   # passwd osso80adm New Password: nonroot2pwd Re-ener new Pasword: nonroot2pwd passwd: password successfully changed for osso80adm

   ---

   Caution –

   If you do not perform this step, you will not be able to switch user (su) when logged in as the non-root user.

   ---

To Install Application Server on the OpenSSO Enterprise 2 Host Machine

Install Application Server and the appropriate CA root and CA-signed server certificates.

Before You Begin

This procedure assumes you have just completed To Create a Non-Root User on the OpenSSO Enterprise 2 Host Machine and are still logged into the osso2.sp-example.com host machine as a root user.

1. Create a directory into which the Application Server bits can be downloaded and change into it.

   # mkdir /export/AS91 # cd /export/AS91

2. Download the Sun Java System Application Server 9.1 Update 2 binary from the Sun Microsystems Product Download page to the AS91 directory of the osso2.sp-example.com host machine.

3. Grant the downloaded binary execute permission using the chmod command.

   # chmod +x sjsas-9_1_02-solaris-sparc-ml.bin

4. Install the software.

   # ./sjsas-9_1_02-solaris-sparc-ml.bin -console

5. When prompted, provide the following information.

   You are running the installation program for the Sun Java System Application Server. This program asks you to supply configuration preference settings that it uses to install the server. This installation program consists of one or more selections that provide you with information and let you enter preferences that determine how Sun Java System Application Server is installed and configured. When you are presented with the following question, the installation process pauses to allow you to read the information that has been presented When you are ready to continue, press Enter.	Press Enter to continue.
   Some questions require more detailed information that you are required to type. The question may have a default value that is displayed inside of brackets []. For example, the following question has a default answer of yes: Are you sure? [yes] If you want to accept the default answer, press only the Enter key (which on some keyboards is labeled Return). If you want to provide a different answer, type it at the command prompt and then press Enter.	Press Enter to continue.
   Welcome to the Sun Java System Application Server Installation program.	Press Enter to continue.
   Before you install this product, you must read and accept the entire Software License Agreement under which this product is licensed for your use.	Press Enter to display the Software License Agreement.
   This Agreement, including any terms contained in your Entitlement, is the entire agreement between you and Sun relating to its subject matter. It supersedes all prior or contemporaneous oral or written communications, proposals, representations and warranties and prevails over any conflicting or additional terms of any quote, order, acknowledgment, or other communication between the parties relating to its subject matter during the term of this Agreement. No modification of this Agreement will be binding, unless in writing and signed by an authorized representative of each party. Please contact Sun Microsystems, Inc. 4150 Network Circle, Santa Clara, California 95054 if you have questions. If you have read and accept all the terms of the entire Software License Agreement, answer 'yes', and the installation will continue. If you do not accept all the terms of the Software License Agreement, answer 'no', and the installation program will end without installing the product. Have you read, and do you accept, all of the terms of the preceding Software License Agreement [no] {"<" goes back, "!" exits}?	Type yes and press Enter.
   The Sun Java System Application Server components will be installed in the following directory, which is referred to as the "Installation Directory".To use this directory, press only the Enter key. To use a different directory, type in the full path of the directory to use followed by pressing the Enter key. Installation Directory [/opt/SUNWappserver] {"<" goes back, "!" exits}	Enter /opt/SUNWappserver91
   The directory "/opt/SUNWappserver91" does not exist. Do you want to create it now or choose another directory? 1. Create Directory 2. Choose New. Enter the number corresponding to your choice [1] {"<" goes back, "!" exits}	Press Enter to accept the default value.
   The Sun Java System Application Server requires a Java 2 SDK. Please provide the path to a Java 2 SDK 5.0 or greater. [/usr/jdk/instances/jdk1.5.0] {"<" goes back, "!" exits}	Press Enter to accept the default value.
   Supply the admin user's password and override any of the other initial configuration settings as necessary. Admin User [admin] {"<" goes back, "!" exits}	Press Enter to accept the default value.
   Admin User's Password (8 chars minimum): Re-enter Password:	Enter domain1pwd and then re-enter domain1pwd.
   Do you want to store admin user name and password in .asadminpass file in user's home directory [yes] {"<" goes back, "!" exits}?	Press Enter to accept the default value.
   Admin Port [4848] {"<" goes back, "!" exits} HTTP Port [8080] {"<" goes back, "!" exits} HTTPS Port [8181] {"<" goes back, "!" exits}	Press Enter to accept the three default values.
   Do you want to enable Updatecenter client [yes] {"<" goes back, "!" exits}?	Press Enter to accept the default value.
   Do you want to upgrade from previous Applicatin Server version [no] {"<" goes back, "!" exits}?	Press Enter to accept the default value.
   The following items for the product Sun Java System Application Server will be installed: Product: Sun Java System Application Server Location: /opt/SUNWappserver91 Space Required: 185.42 MB ------------------------------------------- Sun Java System Message Queue 4.1 Application Server Startup Ready To Install 1. Install Now 2. Start Over 3. Exit Installation What would you like to do [1] {"<" goes back, "!" exits}?	Press Enter to accept the default value and begin the installation process.
   - Installing Sun Java System Application Server |-1%-----25%-----50%-----75%-----100%| - Installation Successful.	When installation is complete, an Installation Successful message is displayed:
   Next Steps: 1. Access the About Application Server 9.1 welcome page at: file:///opt/SUNWappserver91/docs/about.html 2. Start the Application Server by executing: /opt/SUNWappserver91/bin/asadmin start-domain domain1 3. Start the Admin Console: http://osso2.sp-example.com:4848 Please press Enter/Return key to exit the installation program. {"!" exits}	Press Enter to exit the installation program.

6. Create a second Application Server domain for the non-root user.

   The default domain created during the installation process is owned by root. We create a new domain for osso80adm, the non-root user, into which we will deploy OpenSSO Enterprise.

   # cd /opt/SUNWappserver91/bin # su osso80adm # ./asadmin create-domain --domaindir /export/osso80adm/domains --adminport 8989 --user domain2adm --instanceport 1080 --domainproperties http.ssl.port=1081 ossodomain Please enter the admin password> domain2pwd Please enter the admin password again> domain2pwd Please enter the master password [Enter to accept the default]:> domain2master Please enter the master password again [Enter to accept the default]:> domain2master Using port 8989 for Admin. Using port 1080 for HTTP Instance. Using default port 7676 for JMS. Using default port 3700 for IIOP. Using port 1081 for HTTP_SSL. Using default port 3820 for IIOP_SSL. Using default port 3920 for IIOP_MUTUALAUTH. Using default port 8686 for JMX_ADMIN. Domain being created with profile:developer, as specified by variable AS_ADMIN_PROFILE in configuration file. Security Store uses: JKS 2008-09-14 18:21:15.907 GMT Thread[main,5,main] java.io.FileNotFoundException: derby.log (Permission denied) ------------------------------------------------- 2008-09-14 18:21:16.216 GMT: Booting Derby version The Apache Software Foundation - Apache Derby - 10.2.2.1 - (538595): instance c013800d-0118-e205-d50b-00000c0c0770 on database directory /export/osso80adm/domains/ossodomain/lib/databases/ejbtimer Database Class Loader started - derby.database.classpath='' Domain ossodomain created.

   ---

   Note –

   Creating a non-root domain displays a FileNotFoundException. Please see Appendix G, Known Issues and Limitations.

   ---

7. Verify that the non-root user domain was created with the correct permissions using the following sub-procedure.

   1. Change to the ossodomain directory.

      # cd /export/osso80adm/domains/ossodomain

   2. List the contents of the directory.

      # ls -la total 30 drwxr-xr-x 15 osso80adm staff 512 Sep 14 16:43 . drwxr-xr-x 3 osso80adm staff 512 Sep 14 16:43 .. drwxr-xr-x 2 osso80adm staff 512 Sep 14 16:43 addons drwxr-xr-x 6 osso80adm staff 512 Sep 14 16:43 applications drwxr-xr-x 3 osso80adm staff 512 Sep 14 16:43 autodeploy drwxr-xr-x 2 osso80adm staff 512 Sep 14 16:43 bin drwx------ 3 osso80adm staff 1024 Sep 14 16:43 config drwxr-xr-x 2 osso80adm staff 512 Sep 14 16:43 docroot drwxr-xr-x 6 osso80adm staff 512 Sep 14 16:43 generated drwxr-xr-x 3 osso80adm staff 512 Sep 14 16:43 imq drwxr-xr-x 5 osso80adm staff 512 Sep 14 16:43 java-web-start drwxr-xr-x 8 osso80adm staff 512 Sep 14 16:43 jbi drwxr-xr-x 6 osso80adm staff 512 Sep 14 16:43 lib drwxr-xr-x 2 osso80adm staff 512 Sep 14 16:43 logs drwxr-xr-x 2 osso80adm staff 512 Sep 14 16:43 session-store

      The files and directories are owned by osso80adm.

8. Start ossodomain, the non-root user domain, using the following sub-procedure.

   1. Change to the non-root user domain bin directory.

      # cd /export/osso80adm/domains/ossodomain/bin

   2. Start ossodomain.

      # ./startserv admin username:domain2adm admin password:domain2pwd master password:domain2master Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log

9. Verify that ossodomain has started with the following sub-procedure.

   1. Access http://osso2.sp-example.com:8989/login.jsf from a web browser.

   2. Log in to the Application Server console as the ossodomain administrator.

      Username

      domain2adm

      Password

      domain2pwd

      When the Application Server administration console is displayed, it is verification that the non-root user was able to start the domain server.

   3. Exit the console and close the browser.

10. Create a request for a CA-signed server certificate to secure communications between the soon-to-be-configured OpenSSO Enterprise load balancer and ossodomain using the following sub-procedure.

    1. Generate a private/public key pair and reference it with the alias, opensso-sp-2.

       opensso-sp-2 will be used in a later step to retrieve the public key which is contained in a self-signed certificate.

       # cd /export/osso80adm/domains/ossodomain/config # keytool -genkey -noprompt -keyalg rsa -keypass domain2master -alias opensso-sp-2 -keystore keystore.jks -dname "CN=osso2.sp-example.com, OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US" -storepass domain2master

    2. Verify that the key pair was successfully created and stored in the certificate store.

       # keytool -list -v -keystore keystore.jks -storepass domain2master Keystore type: jks Keystore provider: SUN Your keystore contains two entries. ... ... Alias name: opensso-sp-2 Creation date: Sep 14, 2008 Entry type: keyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=osso2.sp-example.com, OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US Issuer: CN=osso2.sp-example.com, OU=OpenSSO, O=Sun Microsystems, L=Santa Clara, ST=California, C=US Serial number: 48cdb299 Valid from: Sun Sep 14 15:02:47 PDT 2008 until: Sat Dec 13 15:02:47 PDT 2008 Certificate fingerprints: MD5: 14:0F:88:BC:C8:6F:2C:8B:F0:A2:C2:F1:AF:FC:93:F1: SHA1: 9D:22:05:14:51:21:33:CB:06:36:25:FE:0A:B6:DF:45:EE:B1:19:86:

       ---

       Note –

       The output of this command may list more than one certificate based on the entries in the keystore.

       ---

    3. Generate a CA-signed server certificate request.

       # keytool -certreq -alias opensso-sp-2 -keypass domain2master -keystore keystore.jks -storepass domain2master file opensso-sp-2.csr

       opensso-sp-2.csr is the server certificate request.

    4. (Optional) Verify that opensso-sp-2.csr was created.

       # ls -la opensso-sp-2.csr -rw-r--r-- 1 osso80adm staff 715 Sep 14 15:04 opensso-sp-2.csr

    5. Send opensso-sp-2.csr to the CA of your choice.

       The CA issues and returns a certified certificate named opensso-sp-2.cer.

    6. Import ca.cer, the CA root certificate.

       The root certificate must be imported into two keystores (keystore.jks and cacerts.jks) with Application Server. Use the same root certificate that you imported in 7.4 Enabling Secure Communication for the Directory Server User Data Instances. For more information, see 3.3 Obtaining Secure Socket Layer Certificates.

       # keytool -import -trustcacerts -alias OpenSSLTestCA -file ca.cer -keystore keystore.jks -storepass domain2master Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, O=sun, L=santa clara, ST=california, C=us Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, O=sun, L=santa clara, ST=california, C=us Serial number: f59cd13935f5f498 Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010 Certificate fingerprints: MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9 SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA Trust this certificate? [no]: Yes Certificate was added to keystore

       # keytool -import -trustcacerts -alias OpenSSLTestCA -file ca.cer -keystore cacerts.jks -storepass domain2master Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, O=sun, L=santa clara, ST=california, C=us Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=am, O=sun, L=santa clara, ST=california, C=us Serial number: f59cd13935f5f498 Valid from: Thu Sep 20 11:41:51 PDT 2007 until: Thu Jun 17 11:41:51 PDT 2010 Certificate fingerprints: MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9 SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA Trust this certificate? [no]: Yes Certificate was added to keystore

    7. Replace the self-signed public key certificate (associated with the s1as alias) with the CA-signed server certificate.

       # keytool -import -file opensso-sp-2.cer -alias opensso-sp-2 -keystore keystore.jks -storepass domain2master Certificate reply was installed in keystore

    8. (Optional) Verify that the self-signed public key certificate has been overwritten by the CA-signed server certificate.

       # keytool -list -v -keystore keystore.jks -storepass domain2master The certificate indicated by the alias "opensso-sp-2" is signed by CA.

    9. Change the certificate alias from the default s1as to the new opensso-sp-2 in the domain.xml file for the ossodomain domain.

       The Application Server configuration file is domain.xml.

       <http-listener acceptor-threads="1" address="0.0.0.0" 
       blocking-enabled="false" default-virtual-server="server" enabled="true" 
       family="inet" id="http-listener-2" port="1081" security-enabled="true" 
       server-name="" xpowered-by="true">
       <ssl cert-nickname="opensso-sp-2" client-auth-enabled="false" ssl2-enabled="false"
       ssl3-enabled="true" tls-enabled="true" tls-rollback-enabled="true"/>

       ---

       Tip –

       Backup domain.xml before modifying it.

       ---

11. Modify the JVM options in your web container's configuration file using the following sub-procedure.

    OpenSSO Enterprise is deployed with an embedded configuration data store (if desired). In order for the configuration data store to be created successfully, the following JVM options should be modified in the web container's configuration file. We will be modifying domain.xml again for this example.

    ---

    Tip –

    Backup domain.xml before modifying it.

    ---

    1. Change to the config directory.

       # cd /export/osso80adm/domains/ossodomain/config

    2. Open domain.xml in a text editor and make the following changes:

       • Replace <jvm-options>-client</jvm-options> with <jvm-options>-server</jvm-options>.

       • Replace <jvm-options>-Xmx512m</jvm-options> with <jvm-options>-Xmx1024m</jvm-options>.

    3. Save the file and close it.

12. Restart the ossodomain domain.

    # cd /export/osso80adm/domains/ossodomain/bin # ./stopserv Server was successfully stopped. ./startserv admin username:domain2adm admin password:domain2pwd master password:domain2master Redirecting output to /export/osso80adm/domains/ossodomain/logs/server.log

13. Verify that the certificate used for SSL communication is the root CA certificate.

    1. Access https://osso2.sp-example.com:1081/index.html from a web browser.

    2. View the details of the certificate in the security warning to ensure that it is Issued by “OpenSSLTestCA”.

       After inspecting and accepting the certificate, you should see the default index.html page.

    3. Close the browser.

14. Log out of the osso2.sp-example.com host machine.