In this deployment, protected resources are hosted on one machine that contains two installed web containers (one Sun Java™ System Web Server and one BEA WebLogic Server application server) and the appropriate policy agent for each (a web policy agent and a J2EE policy agent, respectively). The policy agents are configured to access the OpenSSO Enterprise Load Balancer 4. This chapter contains the following sections:
10.1 Installing the J2EE Container and J2EE Policy Agent on Protected Resource 1
10.2 Installing the Web Server and Web Policy Agent on Protected Resource 1
Download the BEA WebLogic Server bits to the Protected Resource 1 host machine (pr1.sp-example.com) and install the application server. Additionally, download, install and configure the appropriate J2EE policy agent. Use the following list of procedures as a checklist for completing this task.
To Import a Certificate Authority Root Certificate to Protected Resource 1
To Deploy and Start the J2EE Policy Agent Housekeeping Application
To Configure the J2EE Policy Agent to Bypass Application Server Administrator Authentication
To Configure the J2EE Policy Agent for SAML v2 Communication
BEA WebLogic Server is the application server used as the J2EE web container on Protected Resource 1.
Ensure that your machine is properly patched. Refer to the BEA web site to make sure that your system has the recommended patches.
As a root user, log into the pr1.sp-example.com host machine.
Create a directory into which you can download the WebLogic Server bits and change into it.
# mkdir /export/BEAWL10
# cd /export/BEAWL10
Download the WebLogic Server bits from http://commerce.bea.com/.
For this deployment, we download the Solaris version.
# ls -al
total 294548
drwxr-xr-x 2 root root       512 Aug  7 13:23 .
drwxr-xr-x 3 root sys        512 Aug  7 13:16 ..
-rw-r--r-- 1 root root 656834948 Aug  7 13:24 server100_solaris32.bin
Run the installer.
# ./server100_solaris32.bin
When prompted, do the following:
Click Next.
Select Yes and click Next.
Type /usr/local/bea and click Next.
Click Next.
Click Next.
Type /usr/local/bea/weblogic10 and click Next.
Deselect Run Quickstart and click Done.
(Optional) Verify that the application was correctly installed.
# cd /usr/local/bea
# ls -al
total 90
drwxr-xr-x  7 root root   512 Jul 15 11:59 .
drwxr-xr-x  4 root root   512 Jul 15 11:58 ..
-rwxr-xr-x  1 root root   826 Jul 15 11:59 UpdateLicense.sh
-rw-r--r--  1 root root    14 Jul 15 11:59 beahomelist
drwxr-xr-x  6 root root   512 Jul 15 11:59 jdk150_06
-rw-r--r--  1 root root 12447 Jul 15 11:59 license.bea
drwxr-xr-x  2 root root   512 Jul 15 11:59 logs
drwxr-xr-x  6 root root  6656 Jul 15 11:58 modules
-rw-r--r--  1 root root 15194 Jul 15 11:59 registry.dat
-rw-r--r--  1 root root  1077 Jul 15 11:59 registry.xml
drwxr-xr-x  4 root root   512 Jul 15 12:01 utils
drwxr-xr-x 10 root root   512 Jul 15 11:59 weblogic10
This procedure assumes you have just completed To Install BEA WebLogic Server on Protected Resource 1 and are still logged into the host machine as the root user.
Run the WebLogic Server configuration script.
# cd /usr/local/bea/weblogic10/common/bin
# ./config.sh
When prompted, do the following:
Start AdminServer, the WebLogic administration server.
# cd /usr/local/bea/user_projects/domains/pr1
# ./startWebLogic.sh
When prompted, type the following credentials.
weblogic
bea10admin
Run the netstat command to verify that the port is open and listening.
# netstat -an | grep 7001
XXX.XX.XX.101.7001 *.* 0 0 49152 0 LISTEN
XXX.X.X.1.7001 *.* 0 0 49152 0 LISTEN
You can also access the administration console by pointing a web browser to http://pr1.sp-example.com:7001/console.
Change to the AdminServer directory.
# cd /usr/local/bea/user_projects/domains/pr1/servers/AdminServer
Create a security directory and change into it.
# mkdir security
# cd security
Create a boot.properties file for the WebLogic Server administration server administrator credentials.
The administration server administrative user and password are stored in boot.properties. Application Server 1 uses this information during startup. WebLogic Server encrypts the file, so there is no security risk even if you enter the user name and password in clear text.
# cat > boot.properties
username=weblogic
password=bea10admin
Hit Control D to terminate the command
^D
Restart WebLogic to encrypt the username and password in boot.properties. After the restart, the clear-text values in the file are replaced with encrypted ones.
# cd /usr/local/bea/user_projects/domains/pr1/bin
# ./stopWebLogic.sh
# ./startWebLogic.sh
Start the managed servers.
# cd /usr/local/bea/user_projects/domains/pr1/bin
# ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
You will be prompted for the administrative user credentials.
weblogic
bea10admin
Change to the ApplicationServer-1 directory.
# cd /usr/local/bea/user_projects/domains/pr1/servers/ApplicationServer-1
Create a security directory and change into it.
# mkdir security
# cd security
Create a boot.properties file for the WebLogic Server managed server administrator credentials.
The managed server administrative user and password are stored in boot.properties. The Application Server 1 managed server uses this information during startup. WebLogic Server encrypts the file, so there is no security risk even if you enter the user name and password in clear text.
# cat > boot.properties
username=weblogic
password=bea10admin
Hit Control D to terminate the command
^D
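Both boot.properties files above (for AdminServer and for ApplicationServer-1) hold the credentials in clear text until the server restarts and encrypts them. The following script is an added example and is not part of the deployment guide or of WebLogic Server: it writes the file with owner-only permissions from the moment it is created, and provides two checks, one for the permissions and one that confirms the restart has actually replaced the clear-text password. The server directory, user name and password in the usage comment are the guide's; the function and check names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the deployment guide: create a WebLogic
# boot.properties file with owner-only permissions. The guide's cat heredoc
# leaves the clear-text credentials readable by other local users until the
# server restarts and encrypts the file; creating it under umask 077 closes
# that window. Arguments: server directory, user name, password.
# Usage (paths and credentials from the guide):
#   write_boot_properties /usr/local/bea/user_projects/domains/pr1/servers/AdminServer weblogic bea10admin

write_boot_properties() {
    srv_dir=$1; user=$2; pass=$3
    sec_dir="$srv_dir/security"
    mkdir -p "$sec_dir" || return 1
    # umask 077 in a subshell: the file is owner-only from the moment it exists.
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$user" "$pass" \
        > "$sec_dir/boot.properties" ) || return 1
    chmod 600 "$sec_dir/boot.properties"
}

# Succeeds when boot.properties exists and is readable and writable by its
# owner only (permission string -rw-------).
boot_properties_private() {
    mode=$(ls -l "$1/security/boot.properties" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

# Succeeds once WebLogic has rewritten the file after a restart: the
# encrypted values start with an algorithm tag in braces, for example {AES},
# instead of the clear-text password.
boot_properties_encrypted() {
    grep -q '^password={[A-Za-z0-9]*}' "$1/security/boot.properties"
}
```

Run boot_properties_encrypted after the restart step; if it still fails, the server did not pick the file up (wrong directory or a server that was never restarted) and the clear-text copy is still on disk.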
Restart the managed server.
# cd /usr/local/bea/user_projects/domains/pr1/bin
# ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
# ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
Run the netstat command to verify that the port is open and listening.
# netstat -an | grep 1081
XXX.XX.XX.101.1081 *.* 0 0 49152 0 LISTEN
XXX.X.X.1.1081 *.* 0 0 49152 0 LISTEN
Access http://pr1.sp-example.com:7001/console from a web browser.
Log in to the BEA WebLogic Server as the administrator.
weblogic
bea10admin
Click Servers under Domain Structure > Environment.
On the Summary of Servers page, verify that both AdminServer (admin) and ApplicationServer-1 are running and OK.
Log out of the console.
Log out of the pr1.sp-example.com host machine.
The Certificate Authority (CA) root certificate enables the J2EE policy agent to trust the certificate from the OpenSSO Enterprise Load Balancer 2, and to establish trust with the certificate chain that is formed from the CA to the certificate.
Copy the same CA root certificate used in To Install a CA Root Certificate to OpenSSO Enterprise Load Balancer 2 to the /export/software directory on the pr1.sp-example.com host machine.
As a root user, log into the pr1.sp-example.com host machine.
Change to the directory where cacerts, the certificate store, is located.
# cd /usr/local/bea/jdk150_06/jre/lib/security
Back up cacerts before modifying it.
Import ca.cer, the CA root certificate.
# /usr/local/bea/jdk150_06/bin/keytool -import -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer -keystore /usr/local/bea/jdk150_06/jre/lib/security/cacerts -storepass changeit
Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
Serial number: 97dba0aa26db6386
Valid from: Tue Apr 18 07:66:19 PDT 2006 until: Tue Jan 13 06:55:19 PST 2009
Certificate fingerprints:
MD5: 9f:57:ED:B2:F2:88:B6:E8:0F:1E:08:72:CF:70:32:06
SHA1: 31:26:46:15:C5:12:5D:29:46:2A:60:A1:E5:9E:26:64:36:80:E4:70
Trust this certificate: [no] yes
Certificate was added to keystore.
Verify that ca.cer was successfully imported.
# /usr/local/bea/jdk150_06/bin/keytool -list -keystore /usr/local/bea/jdk150_06/jre/lib/security/cacerts -storepass changeit | grep -i openssl
OpenSSLTestCA, Sep 15, 2008, trustedCertEntry,
Log out of the pr1 host machine.
Set JAVA_HOME to /usr/local/bea/jdk150_06.
As a root user, log into the pr1.sp-example.com host machine.
Stop the WebLogic Server 1 administration server and the WebLogic Server 1 managed instance.
# cd /usr/local/bea/user_projects/domains/pr1/bin
# ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
# ./stopWebLogic.sh
Create a directory into which you will download the J2EE Policy Agent bits and change into it.
# mkdir /export/J2EEPA1
# cd /export/J2EEPA1
Create a text file that contains a password for the Agent Profile created during installation.
The J2EE Policy Agent installer requires this.
# cat > agent.pwd
j2eeagent1
Hit Control D to terminate the command
^D
Download the J2EE policy agent bits for WebLogic Server from http://www.sun.com/download/index.jsp.
# ls -al
total 18824
drwxr-xr-x 2 root root     512 Jul 17 16:02 .
drwxr-xr-x 8 root root     512 Jul 17 15:58 ..
-rw-r--r-- 1 root root      11 Jul 17 15:59 agent.pwd
-rw-r--r-- 1 root root       9 Jul 17 16:01 agentadm.pwd
-rw-r--r-- 1 root root 9623704 Jul 17 16:02 weblogic_v10_agent_3.zip
Unzip the J2EE policy agent bits.
# unzip weblogic_v10_agent_3.zip
Run the J2EE policy agent installer.
# cd /export/J2EEPA1/j2ee_agents/weblogic_v10_agent/bin
# chmod 755 agentadmin
# ./agentadmin --custom-install
When prompted, provide the following information.
The following information is to configure the J2EE Policy Agent against the OpenSSO Enterprise secure port.
Press Enter to continue. Continue to press Enter until you reach the end of the License Agreement and the installer's Welcome page is displayed.
Enter /usr/local/bea/user_projects/domains/pr1/bin/startWebLogic.sh
Enter the name of the WebLogic Server instance secured by the agent: ApplicationServer-1
Enter /usr/local/bea/weblogic10
Enter the URL where OpenSSO Enterprise is running (including the URI): https://lb4.sp-example.com:1081/opensso
Accept the default value.
Enter the URL where the policy agent is running (including the URI): http://pr1.sp-example.com:1081/agentapp
Accept the default value.
Enter j2eeagent-1.
Enter /export/J2EEPA1/agent.pwd, the path to the file that contains the password used for identifying the policy agent. Note: A warning message is displayed regarding the existence of the agent profile.
Accept the default value to create the Agent Profile during installation.
Accept the default value.
Accept the default value.
When the installer is finished, a new file is in the bin directory called setAgentEnv_ApplicationServer-1.sh.
Modify the startup script setDomainEnv.sh to reference setAgentEnv_ApplicationServer-1.sh with the following sub procedure.
Back up setDomainEnv.sh before you modify it.
Change permissions for setAgentEnv_ApplicationServer-1.sh.
# chmod 755 setAgentEnv_ApplicationServer-1.sh
Start the WebLogic Server administration server and managed instance.
# ./startWebLogic.sh &
# ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
Watch for startup errors.
Verify that the J2EE Policy Agent 1 was successfully created in OpenSSO Enterprise using the following sub procedure.
Access https://lb4.sp-example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
amadmin
ossoadmin
Under the Access Control tab, click / (Top Level Realm).
Click the Agents tab.
Click the J2EE tab.
j2eeagent-1 is displayed under the Agent table.
Click j2eeagent-1.
The j2eeagent-1 properties page is displayed.
Log out of the OpenSSO Enterprise console and close the browser.
Remove the password files.
# cd /export/J2EEPA1
# rm agent.pwd
# rm agentadm.pwd
Log out of the pr1.sp-example.com host machine.
The agent application is a housekeeping application bundled with the binaries and used by the agent for notifications and other internal functionality. This application must be deployed to the agent-protected web container using the same URI that was supplied during the agent installation process. For example, during the installation process, if you entered /agentapp as the deployment URI for the agent application, use that same context path in this procedure.
Access http://pr1.sp-example.com:7001/console from a web browser.
Log in to the WebLogic Server console as the administrator.
weblogic
bea10admin
Under Domain Structure, click Deployments.
On the Summary of Deployments page, in the Change Center, click Lock & Edit.
Under Deployments, click Install.
On the Install Application Assistant page, click the pr1.sp-example.com link.
In the field named Location: pr1.sp-example.com, click the root directory.
Navigate to /export/J2EEPA1/j2ee_agents/weblogic_v10_agent/etc, the application directory.
Select agentapp.war and click Next.
In the Install Application Assistant page, choose Install this deployment as an application and click Next.
In the list of Servers, mark the checkbox for ApplicationServer-1 and click Next.
In the Optional Settings page, click Next.
Click Finish.
On the Settings for agentapp page, click Save.
In the Change Center, click Activate Changes.
On the Settings for agentapp page, click Deployments.
On the Summary of Deployments page, mark the agentapp checkbox and click Start > Servicing all requests.
On the Start Application Assistant page, click Yes.
If you encounter a JavaScript error, start the WebLogic Server instance and perform the steps again.
Access Application Server 1 at http://pr1.sp-example.com:7001/console.
Log in to the WebLogic Server console as the administrator.
weblogic
bea10admin
On the Change Center, click Lock & Edit.
Under Domain Structure, click Deployments.
Under Deployments, click Install.
On the Install Application Assistant page, click the pr1.sp-example.com link.
In the list for Location: pr1.sp-example.com, click the root directory.
Navigate to the application directory (/export/J2EEPA1/j2ee_agents/weblogic_v10_agent/sampleapp/dist), select agentsample.ear and click Next.
In the Install Application Assistant page, choose Install this deployment as an application and click Next.
In the list of Servers, mark the checkbox for ApplicationServer-1 and click Next.
On the Optional Settings page, click Next to accept the default settings.
On the Review Your Choices page, click Finish.
The Target Summary section indicates that the module agentsample will be installed on the target ApplicationServer-1.
On the Settings for agentsample page, click Save.
On the Settings for agentsample page, click Activate Changes.
Under Domain Structure, click Deployments.
In the Deployments list, mark the checkbox for agentsample and click Start > Servicing All Requests.
On the Start Application Assistant page, click Yes.
The state of the deployment changes from Prepared to Active.
Log out of the Application Server 1 console.
The J2EE policy agent can operate in local or centralized mode. The centralized option was selected during the custom installation of the agent. Centralized agent configuration stores agent configuration data in a data store managed by OpenSSO Enterprise. Since J2EE policy agents are configured in centralized mode, any configuration changes must be made using the OpenSSO Enterprise server. In this procedure, configure the agent to bypass authentication of the Application Server administrator.
Access https://lb4.sp-example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
amadmin
ossoadmin
Under the Access Control tab, click / (Top Level Realm).
Click the Agents tab.
Click the J2EE tab.
j2eeagent-1 is displayed under the Agent table.
Click j2eeagent-1.
The j2eeagent-1 properties page is displayed.
Click the Miscellaneous tab.
The Miscellaneous properties page is displayed.
Provide the user name of the Application Server administrator in the Bypass Principal List and click Add.
Enter weblogic to ensure that the administrator will be authenticated against WebLogic itself and not OpenSSO Enterprise.
Click Save.
Exit the console and close the browser.
Access https://lb4.sp-example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
amadmin
ossoadmin
Under the Access Control tab, click / (Top Level Realm).
Click the Agents tab.
Click the J2EE tab.
j2eeagent-1 is displayed under the Agent table.
Click j2eeagent-1.
The j2eeagent-1 properties page is displayed.
Click the General link on the j2eeagent-1 properties page.
Remove the existing value of the Agent Filter Mode property.
This value is displayed in the Current Values text box.
Add the following values to the New Value text boxes and click Add.
agentsample
SSO_ONLY
Click Save.
Log out of the OpenSSO Enterprise console and close the browser.
Log in to the pr1.sp-example.com host machine as root user.
Restart the WebLogic administration server and managed instance.
# cd /usr/local/bea/user_projects/domains/pr1/bin
# ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
# ./stopWebLogic.sh
# ./startWebLogic.sh
# ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
Log out of the pr1.sp-example.com host machine.
Verify the configurations with the following sub procedure.
Close and reopen the browser application.
Access http://pr1.sp-example.com:1081/agentsample from a web browser.
Log in using the following credentials.
spuser
spuser
The user is redirected to the service provider console for authentication.
Close the browser.
Access https://lb4.sp-example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
amadmin
ossoadmin
Under the Access Control tab, click / (Top Level Realm).
Click the Agents tab.
Click the J2EE tab.
j2eeagent-1 is displayed under the Agent table.
Click j2eeagent-1.
The j2eeagent-1 properties page is displayed.
Click the OpenSSO Services tab.
The Edit j2eeagent-1 page is displayed.
Click the Login URL link on the Edit j2eeagent-1 page.
Remove the existing value of the OpenSSO Login URL property.
This value is displayed in the Selected box.
Enter https://lb4.sp-example.com:1081/opensso/spssoinit?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1181/opensso in the text box and click Add.
This URL redirects the agent to the identity provider for authentication.
Enter https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSingleLogoutInit.jsp?idpEntityID=https://lb2.idp-example.com:1181/opensso as a value of the OpenSSO Logout URL attribute and click Add.
Click Save.
Click the Application tab.
Add the following values to the Application Logout URI text boxes and click Add.
agentsample
/agentsample/logout
Click Save.
Log out of the OpenSSO Enterprise console and close the browser.
Log in to the pr1.sp-example.com host machine.
Restart the WebLogic administration server and managed instance.
# cd /usr/local/bea/user_projects/domains/pr1/bin
# ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
# ./stopWebLogic.sh
# ./startWebLogic.sh
# ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
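The restart sequence above, and the identical one after the agent filter mode change, starts the administration server in the foreground and then the managed server, which has to reach t3://localhost:7001 before it can boot; the guide's netstat checks use grep on the port number, which also matches a longer port such as 17001 or a connection whose foreign port happens to be 7001. The following script is an added example and is not part of the deployment guide or of WebLogic Server: it performs the same stop/start sequence but backgrounds AdminServer, waits until port 7001 is actually in LISTEN state (checking the local-address column of netstat -an rather than any substring) before starting ApplicationServer-1, and then waits for the managed server's port 1081. The domain directory, server name and port numbers are the guide's; DOMAIN_BIN, the function names, the log file names and the 120-second timeout are this example's assumptions.

```shell
#!/bin/sh
# Added example, not part of the deployment guide: restart the WebLogic
# administration server and managed instance in the guide's order, waiting
# for each listener before going on. The listener test parses netstat -an
# so that only a LISTEN socket whose local port is exactly the requested
# one counts (grep 7001 would also match 17001). Solaris prints the local
# address as the first column ("*.7001" or "10.0.0.1.7001"); Linux prints it
# as "0.0.0.0:7001" in the fourth column, so every column before the state
# is checked.

DOMAIN_BIN=${DOMAIN_BIN:-/usr/local/bea/user_projects/domains/pr1/bin}

# Reads netstat -an output on stdin; succeeds if a LISTEN line has a local
# address ending in ".PORT" or ":PORT".
listening_in() {
    port=$1
    awk -v p="$port" '
        $NF == "LISTEN" { for (i = 1; i < NF; i++) if ($i ~ ("[.:]" p "$")) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

port_listening() { netstat -an 2>/dev/null | listening_in "$1"; }

# Polls every 2 seconds until the port listens or the timeout (seconds,
# default 120, an assumption) expires.
wait_for_port() {
    port=$1; timeout=${2:-120}; waited=0
    until port_listening "$port"; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep 2; waited=$((waited + 2))
    done
}

restart_weblogic() {
    cd "$DOMAIN_BIN" || return 1
    ./stopManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001
    ./stopWebLogic.sh
    # AdminServer in the background; its console output goes to a log file.
    ./startWebLogic.sh > "$DOMAIN_BIN/AdminServer.out" 2>&1 &
    wait_for_port 7001 || { echo "AdminServer did not start listening on 7001" >&2; return 1; }
    ./startManagedWebLogic.sh ApplicationServer-1 t3://localhost:7001 \
        > "$DOMAIN_BIN/ApplicationServer-1.out" 2>&1 &
    wait_for_port 1081 || { echo "ApplicationServer-1 did not start listening on 1081" >&2; return 1; }
}

# Usage: restart_weblogic
```

The same listening_in check applies to the Web Server verification steps later in this chapter (ports 8989 and 1080), where the guide's grep pattern has the same weakness.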
Log out of the pr1.sp-example.com host machine.
Verify the configurations with the following sub procedure.
Access http://pr1.sp-example.com:1081/agentsample from a web browser.
The user is redirected to the OpenSSO Enterprise login page on the identity provider side.
Log in using the following credentials.
idpuser
idpuser
After successful authentication, single sign-on is accomplished between the identity provider and the service provider.
Access http://pr1.sp-example.com:1081/agentsample/logout from a web browser.
The J2EE policy agent sample application welcome page is displayed. The user has successfully logged out of both the identity provider and the service provider.
Download the Sun Java System Web Server bits to the Protected Resource 1 host machine (pr1.sp-example.com) and install it. Additionally, download, install and configure the appropriate web policy agent. Use the following list of procedures as a checklist for completing the task.
To Install and Configure Sun Java System Web Server on Protected Resource 1
To Import a Certificate Authority Root Certificate to Protected Resource 1
To Install and Configure Web Policy Agent on Protected Resource 1
Sun Java System Web Server is the second web container used on the pr1.sp-example.com host machine.
Read the latest version of the Web Server 7.0 Release Notes to determine if you need to install patches on your host machine. In this case, the Release Notes indicate that based on the hardware and operating system being used, patch 119963-08, patch 120011-14, and patch 117461-08 are required.
As a root user, log into the pr1.sp-example.com host machine.
Run patchadd to see if the patch is installed.
# patchadd -p | grep 117461-08
A list of patch numbers is displayed. On our lab machine, the required patch 117461-08 is present so there is no need to install it.
# patchadd -p | grep 119963-08
No results are returned, which indicates that the patch is not yet installed on the system.
# patchadd -p | grep 120011-14
No results are returned, which indicates that the patch is not yet installed on the system.
Make a directory for downloading the patch you need and change into it.
# mkdir /export/patches
# cd /export/patches
Download the patches.
You can search for patches directly at http://sunsolve.sun.com. Navigate to the PatchFinder page, enter the patch number, click Find Patch, and download the appropriate patch.
Signed patches are downloaded as JAR files. Unsigned patches are downloaded as ZIP files.
Unzip the patch file.
# unzip 119963-08.zip
# unzip 120011-14.zip
Run patchadd to install the patches.
# patchadd /export/patches/119963-08
# patchadd /export/patches/120011-14
After installation is complete, run patchadd to verify that the patch was added successfully.
# patchadd -p | grep 119963-08
In this example, a series of patch numbers are displayed, and the patch 119963-08 is present.
# patchadd -p | grep 120011-14
In this example, a series of patch numbers are displayed, and the patch 120011-14 is present.
This procedure assumes you have just finished To Patch the Protected Resource 1 Host Machine and are still logged in as the root user.
Create a directory into which you can download the Web Server bits and change into it.
# mkdir /export/WS7
# cd /export/WS7
Download the Sun Java System Web Server 7.0 Update 3 software from http://www.sun.com/download/products.xml?id=45ad781d.
Follow the instructions on the Sun Microsystems Product Downloads web site for downloading the software.
Unpack the Web Server package.
# gunzip sjsws-7_0u3-solaris-sparc.tar.gz
# tar xvf sjsws-7_0u3-solaris-sparc.tar
Run setup.
# cd /export/WS7
# ./setup --console
When prompted, provide the following information.
Press Enter. Continue to press Enter when prompted.
Enter yes.
Enter /opt/SUNWwbsvr
Enter yes.
Enter 2.
Enter 1,3,5.
Enter 1.
Enter 1.
Accept the default value.
Accept the default value.
Accept the default value.
Enter no.
Accept the default value (for the administration server).
Accept the default value.
Enter web4dmin.
Enter web4dmin.
Accept the default value.
Enter 1080.
Enter root (for the instance).
Accept the default value.
Enter no.
Enter 1.
When installation is complete, the following message is displayed:
Installation Successful.
Start the Web Server administration server.
# cd /opt/SUNWwbsvr/admin-server/bin
# ./startserv
Run netstat to verify that the port is open and listening.
# netstat -an | grep 8989
*.8989 *.* 0 0 49152 0 LISTEN
(Optional) Log in to the Web Server administration console at https://pr1.sp-example.com:8989 as the administrator.
admin
web4dmin
You should see the Web Server administration console.
(Optional) Log out of the Web Server console and close the browser.
Start the Protected Resource 1 Web Server instance.
# cd /opt/SUNWwbsvr/https-pr1.sp-example.com/bin
# ./startserv
Sun Java System Web Server 7.0U3 B06/16/2008 12:00
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: http://pr1.sp-example.com:1080 ready to accept requests
info: CORE3274: successful server startup
Run netstat to verify that the port is open and listening.
# netstat -an | grep 1080
*.1080 *.* 0 0 49152 0 LISTEN
(Optional) Access the Protected Resource 1 instance at http://pr1.sp-example.com:1080 using a web browser.
You should see the default Web Server index page.
Log out of the pr1.sp-example.com host machine.
The Certificate Authority (CA) root certificate enables the web policy agent to trust the certificate from the OpenSSO Enterprise Load Balancer 2, and to trust the certificate chain that is formed from the CA to the server certificate.
Copy the same CA root certificate used in To Install a CA Root Certificate to OpenSSO Enterprise Load Balancer 2 to the pr1.sp-example.com host machine. In this example, the file is /export/software/ca.cer.
Back up cacerts before modifying it.
As a root user, log into the pr1.sp-example.com host machine.
Import the CA root certificate into cacerts, the certificate store.
# /opt/SUNWwbsvr/jdk/jre/bin/keytool -import -trustcacerts -alias OpenSSLTestCA -file /export/software/ca.cer -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass changeit
Owner: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
Issuer: EMAILADDRESS=nobody@nowhere.com, CN=OpenSSLTestCA, OU=Sun, O=Sun, L=Santa Clara, ST=California, C=US
Serial number: f59cd13935f5f498
Valid from: Thu Sep 20 11:14:51 PDT 2008 until: Thu Jun 17 11:41:51 PDT 2010
Certificate fingerprints:
MD5: 78:7D:F0:04:8A:5B:5D:63:F5:EC:5B:21:14:9C:8A:B9
SHA1: A4:27:8A:B0:45:7A:EE:16:31:DC:E5:32:46:61:9E:B8:A3:20:8C:BA
Trust this certificate: [no] yes
Certificate was added to keystore.
Verify that the CA root certificate was imported.
# /opt/SUNWwbsvr/jdk/jre/bin/keytool -list -keystore /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts -storepass changeit | grep -i open
openSSLTestCA, Sep 20, 2008, trustedCertEntry,
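Both CA import procedures in this chapter (into the WebLogic JDK's cacerts earlier and into the Web Server JDK's cacerts here) ask for a backup of cacerts but give no command for it, and verify the import with a case-insensitive grep on part of the alias. The following script is an added example and is not part of the deployment guide or of the JDK: it takes the backup, runs the same keytool import non-interactively, rolls the store back if keytool fails, and then confirms the alias is listed as a trustedCertEntry by parsing the keytool -list output. The keytool and cacerts paths, the OpenSSLTestCA alias, the ca.cer file and the changeit store password in the usage comment are the guide's; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the deployment guide: import a CA root
# certificate into a JDK cacerts store as the guide does, with the backup the
# guide asks for, a rollback if keytool fails, and a verification that does
# not depend on the letter case grep happens to match. Arguments: keytool
# path, cacerts path, alias, certificate file, store password.
# Usage with the guide's Web Server JDK paths and alias:
#   import_ca_cert /opt/SUNWwbsvr/jdk/jre/bin/keytool \
#       /opt/SUNWwbsvr/jdk/jre/lib/security/cacerts \
#       OpenSSLTestCA /export/software/ca.cer changeit

import_ca_cert() {
    keytool=$1; store=$2; alias=$3; cert=$4; storepass=$5
    backup="$store.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$store" "$backup" || return 1
    # -noprompt answers the "Trust this certificate?" question for a script.
    if ! "$keytool" -import -trustcacerts -noprompt -alias "$alias" \
            -file "$cert" -keystore "$store" -storepass "$storepass"; then
        cp -p "$backup" "$store"      # restore the untouched store
        return 1
    fi
    "$keytool" -list -keystore "$store" -storepass "$storepass" \
        | alias_present "$alias"
}

# Reads keytool -list output on stdin and succeeds if a trustedCertEntry with
# the given alias is listed. Keystore aliases are case-insensitive and keytool
# may print them in a different case from the one typed (the guide's listing
# shows openSSLTestCA), so the comparison ignores case.
alias_present() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r line; do
        case "$line" in
            *trustedCertEntry*)
                got=$(printf '%s' "$line" | cut -d, -f1 | tr 'A-Z' 'a-z')
                [ "$got" = "$want" ] && return 0 ;;
        esac
    done
    return 1
}
```

The backup file name carries a timestamp so that repeated runs do not overwrite an earlier copy; keep at least one backup until the agent has been seen to connect to OpenSSO Enterprise over HTTPS.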
Log out of the pr1.sp-example.com host machine.
The JAVA_HOME environment variable should be set to /opt/SUNWwbsvr/jdk/jre.
As a root user, log into the pr1.sp-example.com host machine.
Create a directory into which you can download the Web Server agent bits and change into it.
# mkdir /export/WebPA1
# cd /export/WebPA1
Create a text file that contains the Agent Profile password.
The Web Policy Agent installer requires this for installation.
# cat > agent.pwd
webagent1
Hit Control D to terminate the command
^D
Download the web policy agent for Web Server from http://www.sun.com/download/.
# ls -al
total 7512
drwxr-xr-x  2 root root     512 Jul 24 14:48 .
drwxr-xr-x 11 root root     512 Jul 24 14:41 ..
-rw-r--r--  1 root root      10 Jul 24 14:42 agent.pwd
-rw-r--r--  1 root root       9 Jul 24 14:42 agentadm.pwd
-rw-r--r--  1 root root 3826794 Jul 24 14:48 sjsws_v70_SunOS_sparc_agent_3.zip
Unzip the downloaded file.
# unzip sjsws_v70_SunOS_sparc_agent_3.zip
Run the agent installer.
# cd /export/WebPA1/web_agents/sjsws_agent/bin
# ./agentadmin --custom-install
When prompted, do the following.
Press Enter and continue to press Enter until you have reached the end of the License Agreement.
Type yes and press Enter.
Type /opt/SUNWwbsvr/https-pr1.sp-example.com/config and press Enter.
Type https://lb4.sp-example.com:1081/opensso and press Enter.
Type http://pr1.sp-example.com:1080 and press Enter.
Accept the default value.
Type webagent-1 and press Enter.
Type /export/WebPA1/agent.pwd and press Enter. Note: A warning message is displayed regarding the existence of the agent profile.
Type 1 and press Enter.
Restart the Web Server 1 instance.
# cd /opt/SUNWwbsvr/https-pr1.sp-example.com/bin
# ./stopserv; ./startserv
server has been shutdown
Sun Java System Web Server 7.0U3 B06/16/2008 12:00
info: CORE3016: daemon is running as super-user
info: CORE5076: Using [Java HotSpot(TM) Server VM, Version 1.5.0_15] from [Sun Microsystems Inc.]
info: HTTP3072: http-listener-1: http://pr1.sp-example.com:1080 ready to accept requests
info: CORE3274: successful server startup
Verify that the Web Policy Agent was successfully created in OpenSSO Enterprise using the following sub procedure.
Access https://lb4.sp-example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
amadmin
ossoadmin
Under the Access Control tab, click / (Top Level Realm).
Click the Agents tab.
By default, the Web tab is displayed. You should see webagent-1 under the Agent table.
Click webagent-1.
The webagent-1 properties page is displayed.
Log out of the console and close the browser.
Remove the password files.
# cd /export/WebPA1
# rm agent.pwd
# rm agentadm.pwd
Log out of the pr1.sp-example.com host machine.
Access https://lb4.sp-example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
amadmin
ossoadmin
Under the Access Control tab, click / (Top Level Realm).
Click the Agents tab.
Click the Web tab.
webagent-1 is displayed under the Agent table.
Click webagent-1.
The webagent-1 properties page is displayed.
Click the General link on the webagent-1 properties page.
Select the check box to enable the SSO Mode Only property.
Click Save.
Log out of the OpenSSO Enterprise console and close the browser.
Log in to the pr1.sp-example.com host machine as root user.
Restart the Web Server.
# cd /opt/SUNWwbsvr/https-pr1.sp-example.com/bin
# ./stopserv
# ./startserv
Log out of the pr1.sp-example.com host machine.
Verify the configurations with the following sub procedure.
Access https://lb4.sp-example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
amadmin
ossoadmin
Under the Access Control tab, click / (Top Level Realm).
Click the Agents tab.
Click the Web tab.
webagent-1 is displayed under the Agent table.
Click webagent-1.
The webagent-1 properties page is displayed.
Click the OpenSSO Services tab.
The Edit webagent-1 page is displayed.
Click the Login URL link on the Edit webagent-1 page.
Remove the existing value of the OpenSSO Login URL property.
This value is displayed in the Selected box.
Enter https://lb4.sp-example.com:1081/opensso/spssoinit?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1181/opensso in the text box and click Add.
This URL redirects the agent to the identity provider for authentication.
Select the existing value of the OpenSSO Logout URL attribute and click Delete.
Enter https://lb4.sp-example.com:1081/opensso/saml2/jsp/spSingleLogoutInit.jsp?metaAlias=/sp&idpEntityID=https://lb2.idp-example.com:1181/opensso in the text box and click Add.
Enter http://www.sun.com as a value of the Logout Redirect URL attribute and click Add.
Enter http://pr1.sp-example.com:1080/logout.html as a value of the Agent Logout URL List attribute and click Add.
Click Save.
Log out of the OpenSSO Enterprise console and close the browser.
Log in to the pr1.sp-example.com host machine.
Create the logout.html file using the following sub procedure.
# cd /opt/SUNWwbsvr/https-pr1.sp-example.com/docs
# vi logout.html
Save the file without adding any content; this creates an empty logout.html.
Restart the Web Server.
# cd /opt/SUNWwbsvr/https-pr1.sp-example.com/bin
# ./stopserv
# ./startserv
Log out of the pr1.sp-example.com host machine.
Verify the configurations with the following sub procedure.
Access http://pr1.sp-example.com:1080/index.html from a web browser.
The browser is redirected to the identity provider for authentication, and the OpenSSO Enterprise login page on the identity provider side is displayed.
Log in to the OpenSSO Enterprise console using the following credentials.
idpuser
idpuser
The default Web Server page is displayed.
Access http://pr1.sp-example.com:1080/logout.html from a web browser.
This will log out the user from the service provider and the identity provider using the SAML v2 single logout protocol.
Close the browser.