Sun Java System Communications Express 6 2005Q4 Administration Guide

Setting up Access Manager Single Sign-On

This section provides information on how to set up Communications Express and Messenger Express to communicate with each other using Access Manager Single Sign-On.

If you have chosen to adopt Sun Java System LDAP Schema, v.2 as the schema model, you need to enable Access Manager in Communications Express to use Access Manager’s Single Sign-On mechanism to obtain valid user sessions.

To enable Communications Express users to access the mail module rendered by Messenger Express using Access Manager Single Sign-On, you need to modify the Messenger Express specific parameters using the configutil tool located at msg-svr_install_root/sbin/configutil. It is important to explicitly set the Messenger Express specific parameters after installation, because the installer does not set them. For more information on using the configutil tool, refer to Chapter 4, Configuring General Messaging Capabilities, of the Sun Java System Messaging Server Administration Guide.

When setting up Access Manager Single Sign-On, Communications Express and Access Manager can be deployed in both SSL and non-SSL modes, either in the same web container instance or in different web container instances. When Access Manager and Communications Express are deployed in different web container instances, you need to configure the Access Manager Remote SDK on the system where Communications Express is deployed. Listed below are the deployment scenarios for Access Manager and Communications Express deployed in different web container instances in both SSL and non-SSL modes.

Procedure: To Enable Single Sign-On in Communications Express With Access Manager

Steps
  1. Open the uwc-deployed-path/WEB-INF/config/uwcauth.properties file.

  2. Modify the following Communications Express parameters in the uwcauth.properties file to enable Access Manager SSO.

    Parameter and purpose:

    uwcauth.identity.enabled
      Specifies whether Access Manager is enabled. The initial value is set by the configurator. Set the attribute to true to enable Access Manager, or to false to disable Access Manager.

    uwcauth.identity.login.url
      Specifies the Access Manager login URL. For example, uwcauth.identity.login.url=http://siroe.example.com:85/amserver/UI/login

    uwcauth.identity.cookiename
      Specifies the cookie name used by Access Manager. The value of uwcauth.identity.cookiename should correspond to the value specified in the Access Manager configurator. The default cookie name used by Access Manager is iPlanetDirectoryPro.

    uwcauth.identity.binddn
      Specifies the complete DN of amadmin. For example, uid=amAdmin, ou=People, o=siroe.example.com, o=example.com

      Note: The uwcauth.identity.binddn and uwcauth.identity.bindcred values should correspond to the values entered when installing Access Manager. For example, uwcauth.identity.binddn=uid=amAdmin, ou=People, o=siroe.example.com, o=example.com and uwcauth.identity.bindcred=password.

    uwcauth.identity.bindcred
      Specifies the password of amadmin.

    uwcauth.http.port
      Specifies the port number that Communications Express listens on when Communications Express is configured on a non-SSL port. The default port number is 80.

    uwcauth.https.port
      Specifies the HTTPS port number that Communications Express listens on when Communications Express is configured on an SSL port. The default HTTPS port number is 443.

    identitysso.singlesignoff
      Specifies the single sign-off status. If set to true, logout destroys the Access Manager session completely and all applications participating in that Access Manager session are signed out. If set to false, only the Communications Express session is destroyed and the user is taken to the URL configured in identitysso.portalurl. The default status is true.

    identitysso.portalurl
      Specifies the URL to which Communications Express is redirected. If Access Manager is enabled and single sign-off is set to false, Communications Express is redirected to the URL assigned to identitysso.portalurl. By default, Communications Express is redirected to http://www.sun.com

  3. Set the value of the parameter uwcauth.messagingsso.enable to false when setting up Communications Express for Access Manager Single Sign-On.

    Communications Express will now use Access Manager’s Single Sign-On mechanism for obtaining valid user sessions.

Procedure: To Deploy Access Manager and Communications Express in the Same Web Container Instance

Steps
  1. Open the IS-SDK-BASEDIR/lib/AMConfig.properties file.

    An example of IS-SDK-BASEDIR is /opt/SUNWam/lib.

  2. Make sure the following property is set in the AMConfig.properties file:

    com.iplanet.am.jssproxy.trustAllServerCerts=true

    AMConfig.properties is present in IS-SDK-BASEDIR/lib, for example /opt/SUNWam/lib.

  3. Restart the web container for the changes to take effect.

    Access Manager and Communications Express deployed in the same web container instance in SSL mode can now use Access Manager’s Single Sign-On mechanism for obtaining valid user sessions.

Procedure: To Deploy Access Manager and Communications Express in Different Web Container Instances

Steps
  1. Change to IS-INSTALL-DIR/bin.

  2. Copy the Access Manager IS-INSTALL-DIR/bin/amsamplesilent file.

    cp amsamplesilent amsamplesilent.uwc

  3. Edit the copy of amsamplesilent created in the previous step.

    Set the parameters to correspond to the deployment details.

    If you are deploying the Access Manager SDK in a web container such as Sun Java System Web Server or Sun Java System Application Server, set DEPLOY_LEVEL to 4, that is, select the option “SDK only with container config.”

  4. Set AM_ENC_PWD to the value of the password encryption key used during the installation of Access Manager.

    The encryption key is stored in the parameter am.encryption.pwd under:

    ${IS_INSTALL_DIR}/lib/AMConfig.properties

  5. Set NEW_INSTANCE to true.

  6. If you are deploying Access Manager SDK in Sun Java System Web Server, set WEB_CONTAINER to WS6.

    If you are deploying Access Manager SDK in Sun Java System Application Server, set the WEB_CONTAINER to AS7 or AS8.

  7. For a more detailed description of the other parameters in the amsamplesilent file, and for help configuring the Access Manager Remote SDK parameters, refer to Chapter 1, Identity Server 2004Q2 Configuration Scripts, in the Sun Java System Identity Server Administration Guide.

  8. Configure Access Manager SDK in the web container.

    Make sure the Directory Server used by Access Manager is running.

  9. Start the web container instance in which the Access Manager SDK will be deployed.

  10. Change directory to IS-INSTALL-DIR/bin.

  11. Run the following command:

    ./amconfig -s amsamplesilent.uwc

  12. Restart the web container instance for the configuration to take effect.

    Access Manager and Communications Express deployed in different web container instances, in SSL or non-SSL mode, will now use Access Manager’s Single Sign-On mechanism for obtaining valid user sessions.


    Note –

    Refer to Tuning Communications Express, for instructions on enabling or disabling Access Manager after deploying Communications Express.


Procedure: To Enable Single Sign-On in Messenger Express With Access Manager

Steps
  1. Run the configutil tool.

    msg-svr_install_root/sbin/configutil

    If you have deployed Messenger Express as MEM, ensure that the values of the following Messaging Server parameters are the same on mshttpd (a component of Messaging Server) at the back end and on MEM at the front end:

    • local.webmail.sso.uwclogouturl

    • local.webmail.sso.uwchome

    • local.webmail.sso.uwcenabled

    • local.webmail.sso.uwcport

    • local.webmail.sso.singlesignoff

    • local.webmail.sso.uwccontexturi

    • local.webmail.sso.amcookiename

    • local.webmail.sso.amnamingurl

  2. Set the following Messenger Express parameters to enable Communications Express users to access Messenger Express using Access Manager Single Sign-On.

    Parameter and purpose:

    local.webmail.sso.amnamingurl
      This configuration enables SSO from Access Manager. The parameter should point to the URL at which Access Manager runs the naming service. For example,

      configutil -o local.webmail.sso.amnamingurl -v http://siroe.example.com:85/amserver/namingservice

    local.webmail.sso.uwcenabled
      Enables Communications Express to access Messenger Express. To disable, set the parameter to 0.

    local.webmail.sso.uwclogouturl
      Specifies the URL Messenger Express uses to invalidate the Communications Express session. If you have configured local.webmail.sso.uwclogouturl explicitly in Messenger Express, that value is used to log out. Otherwise, Messenger Express constructs the logout URL from the HTTP host in the request header. For example,

      http://siroe.example.com:85/base/UWCmain?op=logout

      When Communications Express is not deployed under /, for example under /uwc, the value of this parameter may look like:

      http://siroe.example.com:85/uwc/base/UWCmain?op=logout

    local.webmail.sso.uwcport
      Specifies the Communications Express port. For example, 85.

    local.webmail.sso.uwccontexturi
      Specifies the URI path in which Communications Express is deployed. Specify this parameter only when Communications Express is not deployed under /. For example, if Communications Express is deployed in /uwc, local.webmail.sso.uwccontexturi=uwc

    local.webmail.sso.amcookiename
      Specifies the Access Manager session cookie name. Ensure that in the uwcauth.properties file, the value of uwcauth.identity.cookiename is set to the value of local.webmail.sso.amcookiename. For example, iPlanetDirectoryPro

    local.webmail.sso.uwchome
      Specifies the URL required to access the home link.

    Once the Messenger Express specific parameters are set, Communications Express users can access Messenger Express using Access Manager Single Sign-On.
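The consistency rules spread across both procedures above (uwcauth.messagingsso.enable false, uwcauth.identity.cookiename equal to local.webmail.sso.amcookiename, an explicit uwclogouturl that reflects uwccontexturi, and the eight parameters that must match between the mshttpd back end and a MEM front end) can be verified before restarting anything. The script below is an added example, not part of the product or the guide; it assumes both inputs have been dumped to key=value text, and all sample values are constructed from the page's examples.

```python
# Added example (not product code): cross-check uwcauth.properties against the
# Messenger Express configutil values this page says must agree. Samples are constructed.
from urllib.parse import urlparse

MEM_KEYS = tuple("local.webmail.sso." + k for k in (  # page: same on back end and MEM front end
    "uwclogouturl", "uwchome", "uwcenabled", "uwcport",
    "singlesignoff", "uwccontexturi", "amcookiename", "amnamingurl"))

def parse_kv(text):
    """Parse 'key=value' lines into a dict; blank lines and '#' comments are skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            out[key.strip()] = value.strip()
    return out

def check_sso(uwc, me):
    """Return findings (empty list = consistent) for one Communications Express / Messenger Express pair."""
    f = []
    if uwc.get("uwcauth.identity.enabled") != "true":
        f.append("uwcauth.identity.enabled must be true")
    if uwc.get("uwcauth.messagingsso.enable") != "false":
        f.append("uwcauth.messagingsso.enable must be false for Access Manager SSO")
    if uwc.get("uwcauth.identity.cookiename") != me.get("local.webmail.sso.amcookiename"):
        f.append("cookie name differs between uwcauth.properties and Messenger Express")
    if me.get("local.webmail.sso.uwcenabled") == "0":
        f.append("local.webmail.sso.uwcenabled is 0: Communications Express access disabled")
    logout = me.get("local.webmail.sso.uwclogouturl")
    if logout:  # an explicit logout URL must reflect the context URI (e.g. /uwc)
        ctx = me.get("local.webmail.sso.uwccontexturi", "").strip("/")
        want = ("/" + ctx if ctx else "") + "/base/UWCmain"
        u = urlparse(logout)
        if u.path != want or u.query != "op=logout":
            f.append("uwclogouturl %s does not match context URI %r" % (logout, ctx))
    return f

def mem_mismatches(backend, frontend):
    """MEM_KEYS whose values differ between the back-end and front-end dumps."""
    return [k for k in MEM_KEYS if backend.get(k) != frontend.get(k)]

UWCAUTH = parse_kv("""uwcauth.identity.enabled=true
uwcauth.messagingsso.enable=false
uwcauth.identity.cookiename=iPlanetDirectoryPro""")  # constructed sample
MSHTTPD = parse_kv("""local.webmail.sso.uwcenabled=1
local.webmail.sso.amcookiename=iPlanetDirectoryPro
local.webmail.sso.uwcport=85
local.webmail.sso.uwccontexturi=uwc
local.webmail.sso.uwclogouturl=http://siroe.example.com:85/uwc/base/UWCmain?op=logout""")
MEM_FRONT = {**MSHTTPD, "local.webmail.sso.uwcport": "80"}  # constructed front end with a drift
```

Run check_sso(UWCAUTH, MSHTTPD) for the pairing checks and mem_mismatches(MSHTTPD, MEM_FRONT) for the MEM comparison; an empty list means the settings agree with the rules on this page.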