
Sun ONE Identity Server 6.0 Installation and Configuration Guide

Chapter 8
Basic Configurations

This chapter describes configurations typically implemented when you initially deploy Identity Server.

Topics in this chapter include:


The Cross-Domain Single Sign-On Component

Cross-Domain Single Sign-On (CDSSO), a crucial feature of Identity Server, makes it possible for users to authenticate in one domain, and then to use applications in many other domains without having to re-authenticate. Two major components are added to Identity Server to implement cross-domain single sign-on:

Overview of CDSSO Installation

To enable cross-domain single sign-on, you must follow this sequence:

  1. Install Identity Server Management and Policy Services. Follow the instructions in Chapter 4, "Installing Identity Server with a New Directory Server" or in Chapter 5, "Installing Identity Server Against an Existing Directory Server" as appropriate to your needs.
  2. Install the CDSSO component in every participating DNS domain. For steps, see "To Install CDSSO" in this chapter.
  3. Configure the CDSSO component installed in each participating DNS domain. For instructions, see "To Configure the CDSSO Component".
  4. Optionally, configure Identity Server web agents to work with the CDSSO component. For steps, see "To Configure Identity Server Web Agents to Work With the CDSSO Component".

Before You Begin

You must resolve the following issues before running the Installation program:

To Install CDSSO

  1. Start the Identity Server Installation program.
  2. To run the Installation wizard, in the directory that contains the Installation program, enter the following command:

    UNIX

    ./setup

    Windows

    setup.exe

    To run the Installation program from the command line, in the directory that contains the Installation program, enter the following command:

    UNIX

    ./setup -nodisplay

    Windows

    setup -nodisplay


    Note

    The remaining steps describe the GUI version of the Installation program. If you’re using the command-line version of the Installation program, you’ll be prompted to provide the same information as that presented in the Installation wizard. In the command-line version, you can use the following commands:

    • Press Enter to accept the default value in brackets, or to continue on after entering a new value.
    • Press < to go back to the previous screen.
    • Enter Exit to stop the program and return to the command line.

  3. In the Welcome window, click Next.
  4. To accept the terms of the License Agreement, click “Yes (Accept License).”
  5. In the Components to Be Installed/Uninstalled panel, select only Identity Server Cross Domain Single Sign-On Component, and then click Next.

    Figure 8-1  Components to Be Installed/Uninstalled Panel

  6. In the Existing Web Server panel, answer the following question, and then click Next:

    Do you want to use an existing Web Server? Click Yes if you want to use your existing Sun ONE Web Server. Click No if you want to install the Sun ONE Web Server that ships with Identity Server.

    If you clicked Yes, skip Step 7 and proceed to Step 8.

  7. If you clicked No, provide the following information to install and configure the Sun ONE Web Server that ships with Identity Server, and then click Next.

    Figure 8-2  Sun ONE Web Server Information Panel

    Administrator: Type the user name of the administrator who will configure the web server. You may overwrite the default name shown in the field.

    Port: Type the port number that the web server will use. You may overwrite the default port number displayed in the field.

    Password: Type the Administrator user’s password.

    Confirm Password: Retype the password to confirm it.

    Enter user to run server as: Type the user account the Web Server will run as. Use an unprivileged account. Example: nobody.

    Enter group to run this server as: Type the group the above user belongs to. Example: nobody.

  8. In the CDSSO Web Server Information panel, provide the following information, and then click Next.

    Host Name: Type the fully qualified domain name of the computer that hosts the participating DNS domain.

    Instance Directory: Type the full path to the directory where Web Server is installed, and the Web Server instance name. This field is available only if you chose to use an existing web server in Step 6.

    Web Server Port: Type the port number of the Web Server specified above.

    CDSSO Deployment URI: The Uniform Resource Identifier (URI) prefix indicates where the HTML pages used by the CDSSO component are stored. Type a URI prefix. The default is /amcdsso.

  9. In the Identity Server Services Information panel, provide the following information, and then click Next:

    Identity Server Services Host: Type the fully qualified domain name of the computer system where Identity Server Management and Policy Services are installed.

    Identity Server Services Port: Type the port number for the Web Server that runs Identity Server services.

    Services Deployment URI: The Uniform Resource Identifier (URI) prefix tells the Web Server where to look for HTML pages associated with an Identity Server service and for other web application-specific information such as classes and JAR files. Type the URI prefix specified during Identity Server installation. The default is /amserver.

  10. In the Currently Selected Settings panel, review the configuration information that you’ve entered. If you need to make changes, click Back. Otherwise, click Next to proceed.
  11. In the Ready to Install panel, review the installation information. If you need to make changes, click Back. Otherwise, click Install Now to begin the installation.

To Configure the CDSSO Component

  1. Edit AMConfig.properties file of the installed CDSSO component, which is found in the Identity_Server_root/SUNWam/web-apps/cdsso/WEB-INF/lib directory.
  2. Set the com.iplanet.services.cdsso.CDCURL property to the URL of the cross-domain controller servlet running on the Identity Server services host. For example:

      com.iplanet.services.cdsso.CDCURL = http(s)://Identity_Server_host:Identity_Server_port/Services_Deployment_URI/cdcservlet

    where Services_Deployment_URI is the prefix specified during Identity Server installation (the default is /amserver). Prefer https: the cross-domain controller hands the user’s single sign-on token back to the CDSSO component through this URL.

  3. Edit CDSSO.properties file of the installed CDSSO component, which is found in the Identity_Server_root/SUNWam/web-apps/cdsso/WEB-INF/classes directory.
  4. Set com.iplanet.services.cdsso.cookieDomain property to the domain name which hosts the CDSSO component. For example:

    com.iplanet.services.cdsso.cookieDomain = .sales.com

    where the CDSSO component is hosted in sales.com domain.

    The com.iplanet.services.cdsso.cookieDomain property lists the domain names, on which the CDSSO component runs, for which the session cookie is set. If the property is left blank, the cookie domain is assumed to be the hosting domain of the CDSSO component. Separate multiple cookie domains with commas (,). Keep each domain as narrow as the deployment allows: a cookie scoped to a top-level domain such as .com would be sent to every host under it.

To Configure Identity Server Web Agents to Work With the CDSSO Component

You can configure Identity Server agents that are installed on remote web servers to work with CDSSO components that are installed on participating DNS domains.

  1. Edit the agent’s AMAgent.properties file. Change the com.sun.am.policy.agents.url.loginURL property to point to the cross-domain single sign-on service URL in the agent’s domain. For example:

    com.sun.am.policy.agents.url.loginURL = http://CDSSO_host:CDSSO_port/CDSSO_URI/cdsso

    where loginURL is the CDSSO component’s URL.

  2. Add the CDSSO URL to the agent’s not-enforced list, so that users who do not yet hold a session can reach it.

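The two procedures above ("To Configure the CDSSO Component" and "To Configure Identity Server Web Agents to Work With the CDSSO Component") spread one trust relationship across three properties files: the CDCURL in the component’s AMConfig.properties, the cookieDomain list in CDSSO.properties, and the loginURL in each agent’s AMAgent.properties. The following Python script is an added example, not part of this guide or of Identity Server, that parses the three files and cross-checks them. The property keys are the ones named in this chapter; the file contents, the host names and the short public-suffix list are constructed for the example, and treating plain http as a finding is the example’s own policy, since the guide itself allows http(s).

```python
"""Sanity-check the CDSSO and web-agent properties described in this chapter.

Added example (not part of the guide). Property keys are the ones named in
the chapter; the file contents below are constructed samples.
"""
from urllib.parse import urlsplit

# Suffixes under which a cookie must never be scoped: a token cookie set for
# ".com" would be sent to every .com site. Constructed, deliberately short list.
PUBLIC_SUFFIXES = {"com", "net", "org", "edu", "co.uk"}


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comments.
    Line continuations and escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Java takes the first '=' or ':' as the key/value separator.
        cuts = [i for i in (line.find("="), line.find(":")) if i != -1]
        if not cuts:
            props[line] = ""
            continue
        sep = min(cuts)
        props[line[:sep].strip()] = line[sep + 1:].strip()
    return props


def check_cookie_domains(value):
    """Problems with a comma-separated cookieDomain value. Blank means
    'hosting domain of the CDSSO component' (per the guide) and is accepted."""
    problems = []
    for dom in (d.strip() for d in value.split(",") if d.strip()):
        if not dom.startswith("."):
            problems.append(f"{dom}: cookie domain should start with a dot")
        bare = dom.lstrip(".").lower()
        if bare.count(".") < 1 or bare in PUBLIC_SUFFIXES:
            problems.append(f"{dom}: too broad, the cookie would leak to unrelated sites")
    return problems


def host_in_cookie_domain(host, cookie_domains):
    """True if host is covered by any of the (dotted) cookie domains."""
    host = host.lower().rstrip(".")
    for dom in cookie_domains:
        bare = dom.lstrip(".").lower()
        if host == bare or host.endswith("." + bare):
            return True
    return False


def check_cdsso_config(amconfig_text, cdsso_text, agent_text):
    """Cross-check AMConfig.properties, CDSSO.properties and AMAgent.properties.
    Returns a list of findings; an empty list means the three files agree."""
    findings = []
    am = parse_properties(amconfig_text)
    cd = parse_properties(cdsso_text)
    ag = parse_properties(agent_text)

    cdc = urlsplit(am.get("com.iplanet.services.cdsso.CDCURL", ""))
    if cdc.scheme != "https":
        findings.append("CDCURL is not https; the SSO token is handed back over this URL")
    if not cdc.path.endswith("/cdcservlet"):
        findings.append("CDCURL does not point at the cdcservlet")

    cookie_value = cd.get("com.iplanet.services.cdsso.cookieDomain", "")
    findings += check_cookie_domains(cookie_value)
    domains = [d.strip() for d in cookie_value.split(",") if d.strip()]

    login = urlsplit(ag.get("com.sun.am.policy.agents.url.loginURL", ""))
    if login.scheme != "https":
        findings.append("agent loginURL is not https")
    if not login.path.endswith("/cdsso"):
        findings.append("agent loginURL does not end in /cdsso")
    if domains and not host_in_cookie_domain(login.hostname or "", domains):
        findings.append(f"agent loginURL host {login.hostname} is outside every CDSSO "
                        "cookie domain; the browser will not send the SSO cookie to it")
    return findings


# Constructed samples; host names follow the guide's sales.com example.
AMCONFIG_OK = """
com.iplanet.services.cdsso.CDCURL = https://is.sales.com:443/amserver/cdcservlet
"""
CDSSO_OK = """
com.iplanet.services.cdsso.cookieDomain = .sales.com, .partner.example
"""
AGENT_OK = """
com.sun.am.policy.agents.url.loginURL = https://www.sales.com:443/amcdsso/cdsso
"""
CDSSO_BAD = """
# first entry is a public suffix, second lacks the leading dot
com.iplanet.services.cdsso.cookieDomain = .com, sales.com
"""
AGENT_BAD = """
com.sun.am.policy.agents.url.loginURL = http://www.eng.example/amcdsso/cdsso
"""

if __name__ == "__main__":
    for label, args in (("good", (AMCONFIG_OK, CDSSO_OK, AGENT_OK)),
                        ("bad", (AMCONFIG_OK, CDSSO_BAD, AGENT_BAD))):
        print(label, check_cdsso_config(*args) or ["ok"])
```

Run it against the real files after completing both procedures; the cookie-domain and loginURL checks catch the two configuration mistakes that most often surface as "the agent redirects to CDSSO and then loops": a cookie domain that does not cover the agent’s host, and a cookie domain so wide that it covers hosts it should not.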

Installing Multiple Identity Server Instances Against the Same Directory Server

You can install more than one instance of Identity Server against the same Directory Server for enhanced performance, to support directory replication, or for agent failover. When you run the Identity Server installation program for the first time, you typically install Identity Server Policy and Management Services. When you use this option, Directory Server is installed for you automatically; this is the master Directory Server. To install additional Identity Server instances against this same master directory, run the ammultiserverinstall script.

Figure 8-3 illustrates two Identity Server instances installed against a single Directory Server.

Figure 8-3  Two Identity Server Instances Installed Against a Single Directory Server.

To Install Multiple Identity Server Instances Against the Same Directory Server

You must have root permissions to create and install multiple Identity Server instances.

  1. Go to the following directory:

    cd Identity_Server_root/SUNWam/bin

  2. At the command line, type the following command:

    ./ammultiserverinstall instance_name port_number

    where instance_name is the name of the new Identity Server instance you want to create and port_number is the port number the new Identity Server instance will listen on.

    When a new instance is installed, the following files and directory are created:

    • A new amserver script file at:
        /Identity_Server_root/SUNWam/bin/amserver.instance_name

    • A new AMConfig.properties file at:
        /Identity_Server_root/SUNWam/lib/AMConfig-instance_name.properties

    • A new web server instance directory at:
        /Identity_Server_root/SUNWam/servers/https-instance_name

Starting Identity Server Instance
Stopping Identity Server Instance
Deleting Identity Server Instance


Support for Directory Replication and High Availability

Load balancing across replicated servers and locating replicated servers closer to users are two ways to improve server performance and response time in your enterprise. You can implement directory replication agreements in your Identity Server deployment to increase the availability and performance of the Identity Server servers and services. You can set up Identity Server directory servers in single-supplier or multi-supplier configurations. You can also configure load-balancing applications such as Sun ONE Directory Access Router to work with Identity Server.

Replication Considerations

Configure your directory servers for replication before you install Identity Server. This ensures that the supplier and consumer databases are synchronized from the beginning, and gives you a chance to verify that referrals and updates are working properly. The information must be identical in each Identity Server database.

When you install Identity Server for replication purposes, in each instance of Directory Server and in each instance of Identity Server, specify the same values for the following:

There may be situations in which you cannot implement directory replication in an Identity Server deployment. For example, authentication server host names or IP addresses must be the same. This precludes using geographically separated replicated Identity Server servers: the remote servers would not be able to perform authentication against directory servers that are local only to their respective LANs.

For comprehensive information on planning and implementing Directory Server replication, see the Deployment Guide and the Installation Guide for Sun ONE Directory Server. You can access these guides on the Internet at the following URL:

http://docs.sun.com/db/prod/s1dirsrv

Configuring Identity Server to Support Directory Replication

You can configure Identity Server to work with single-supplier or multi-supplier replication. For each of the configurations pictured in this section, follow the same instructions. See "To Configure Identity Server to Work With Directory Replication" of this manual.

Figure 8-4 illustrates a single-supplier configuration where the Consumer is a read-only database. Requests for write operations are referred to the supplier database. This configuration provides some measure of enhanced server performance by distributing the workload to more than one directory.

Figure 8-4  Single-Supplier Replication.

Figure 8-5 illustrates a multi-supplier configuration using multiple instances of Identity Server. This configuration provides failover protection as well as high availability, resulting in further enhanced server performance.

Figure 8-5  Multi-Supplier Configuration. Also known as Multi-Master Replication (MMR)

Figure 8-6 illustrates a multi-supplier configuration that includes Sun ONE Directory Access Router. This configuration takes full advantage of Identity Server support for failover, high availability, and managed load-balancing.

Figure 8-6  Multi-Supplier Replication With Load-Balancer.

To Configure Identity Server to Work With Directory Replication

Use the following steps to configure replication at the root or top level of the Identity Server directory tree when Identity Server has not yet been installed. You can also use these steps to configure replication at the default organization level.

  1. Install your supplier and consumer Directory Servers (version 5.1). See the Directory Server Installation Guide for detailed instructions.
  2. Set up replication agreements between your supplier and consumer Directory Servers, and then verify that the directory referrals and updates are working properly. See the Directory Server Administrator’s Guide for detailed instructions.
  3. If you plan to use Identity Server with user data from an existing, pre-5.1 Directory Server, you must migrate the user data and make Directory Information Tree (DIT) changes before proceeding. Follow the detailed instructions in Chapter 5, "Installing Identity Server Against an Existing Directory Server" of this manual. Then skip to Step 5.
  4. If you are deploying Identity Server and Directory Server for the first time, or if you simply do not plan to use existing user data with Identity Server, then run the Identity Server installation program to install the Identity Server Management and Policy services.
  5. During installation, you’ll be asked if you’re using an existing Directory Server. You’ll answer yes, and then you’ll specify the host name and port number for a supplier Directory Server you installed in Step 1.

    For detailed instructions, see "Installing User and Policy Management Services" in Chapter 5.

  6. On the server where Identity Server Management and Policy services are installed, modify the following file:

    Identity_Server_root/SUNWam/lib/AMConfig.properties

    1. Modify the following properties to reflect the host and port number of a consumer Directory Server you installed in Step 1:
      • com.iplanet.am.directory.host
      • com.iplanet.am.directory.port
    2. Modify the following properties:
      • com.iplanet.am.replica.retries: the number of times Identity Server should repeat the same request when the requested entry is not found (for example, because an update has not yet been replicated to the consumer).
      • com.iplanet.am.replica.delay.between.retries: the number of milliseconds Identity Server should allow to elapse between retries.

  7. In each Identity Server Authentication module you’ve enabled, you must specify the consumer directory that you installed in Step 1. In the following substeps, the LDAP Authentication module is used as an example:
    1. In the Identity Server console, in the View field, choose Service Management.
    2. In the Service Name column, under Authentication, locate the module you need to reconfigure. In the Properties column, click the arrow that corresponds to the module you need to reconfigure.
    3. In the right pane, there are two fields named LDAP Server and Port.
      • In the first field named LDAP Server and Port, type the host name and port number for your primary (consumer) Directory Server.
        Example: consumer1.madisonparc.com:389
      • In the second field named LDAP Server and Port, type the host name and port number for your secondary (supplier) directory.
        Example: supplier1.madisonparc.com:399
    4. Click Submit.
  8. In the file Identity_Server_root/SUNWam/config/ums/serverconfig.xml, specify the host name and port number of the consumer directory you installed in Step 1. Example:

    <iPlanetDataAccessLayer>
      <ServerGroup name="default" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="consumer1.madisonparc.com" port="389" type="SIMPLE" />
      </ServerGroup>
    </iPlanetDataAccessLayer>

  9. Restart Identity Server with the following command:

    /Identity_Server_root/SUNWam/bin/amserver start

Configuring LDAP Load-Balancers to Work With Identity Server

You can configure LDAP load-balancers such as Sun ONE Directory Access Router to work with Identity Server. Sun ONE Directory Access Router dynamically performs proportional load balancing of LDAP operations across a set of configured directory servers. If one or more directory servers should become unavailable, the load is proportionally redistributed among the remaining servers. When a directory server comes back on line, the load is proportionally—and dynamically—reallocated.

Figure 8-7  Multi-Master Replication With Managed Load-Balancer.

Using an LDAP load-balancer adds a layer of high availability and directory failover protection beyond the basic level that comes with Identity Server. For example, when you configure Sun ONE Directory Access Router, you can specify what percentage of the load gets redistributed to each of your servers when one server becomes unavailable. Sun ONE Directory Access Router continues to manage request traffic, and begins rejecting client queries only when all back-end LDAP servers have become unavailable.

By comparison, the Identity Server high availability feature cannot be configured or managed as precisely. When you add an LDAP load-balancer such as Sun ONE Directory Access Router, Identity Server directs all of its directory requests to the load-balancer, which manages them from there.

If you choose to install a load-balancer, you must configure Identity Server to recognize the application.

To Configure Identity Server to Work With a Load-Balancer

  1. Before you can perform the following steps, you must:
    • Set up your Directory Servers for replication. For comprehensive information about directory replication and for detailed setup instructions, see “Managing Replication” in the Sun ONE Directory Server Administrator’s Guide.
    • Install and configure your LDAP load-balancer. Follow the instructions in the documentation that comes with the product.
  2. In the file Identity_Server_root/SUNWam/lib/AMConfig.properties, modify the following properties to reflect the host and port number of the LDAP load-balancer you configured in Step 1 (not of an individual Directory Server behind it):
    • com.iplanet.am.directory.host
    • com.iplanet.am.directory.port
  3. For each Identity Server Authentication module you’ve enabled, specify the LDAP load-balancer you configured in Step 1. In the following substeps, the LDAP Authentication module is used as an example:
    1. In the Identity Server console, in the View field, choose Service Management.
    2. In the Service Name column, under Authentication, locate the module you need to reconfigure. In the Properties column, click the arrow that corresponds to module you need to reconfigure.
    3. In the right pane, there are two fields named LDAP Server and Port.
      • In the first field named LDAP Server and Port, type the host name and port number of your LDAP load-balancer, using the form:
        proxyhostname:port

      • In the second field named LDAP Server and Port, enter nothing.
    4. Click Submit.
  4. In the file Identity_Server_root/SUNWam/config/ums/serverconfig.xml, specify the host name and port number of the LDAP load-balancer you configured in Step 1. Example:

    <iPlanetDataAccessLayer>
      <ServerGroup name="default" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="idar.madisonparc.com" port="389" type="SIMPLE" />
      </ServerGroup>
    </iPlanetDataAccessLayer>

  5. Restart Identity Server with the following command:

    /Identity_Server_root/SUNWam/bin/amserver start
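Both "To Configure Identity Server to Work With Directory Replication" and "To Configure Identity Server to Work With a Load-Balancer" end by pointing AMConfig.properties and serverconfig.xml at the same directory endpoint. If the two files disagree, one part of Identity Server binds to one directory and another part to a different one, and the symptom (intermittent "entry not found" after writes) looks like a replication problem. The following Python script is an added example, not part of this guide or of Identity Server, that cross-checks the two files as the steps describe. The file contents are constructed samples using the guide’s own host names; the observation about type="SIMPLE" assumes that value denotes an unencrypted LDAP connection.

```python
"""Cross-check AMConfig.properties against serverconfig.xml.

Added example (not part of the guide). Both the replication and the
load-balancer procedures require the two files to name the same directory
endpoint; this script verifies that and reports plain-text connections.
File contents below are constructed samples using the guide's host names.
"""
import xml.etree.ElementTree as ET


def parse_simple_properties(text):
    """key=value lines only; enough for AMConfig.properties as shown in the chapter."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def directory_servers(xml_text):
    """Return [(group, name, host, port, type)] for every <Server> in the file."""
    root = ET.fromstring(xml_text)
    servers = []
    for group in root.iter("ServerGroup"):
        for srv in group.findall("Server"):
            servers.append((group.get("name"), srv.get("name"), srv.get("host"),
                            int(srv.get("port")), srv.get("type")))
    return servers


def plaintext_servers(xml_text):
    """Names of servers configured with type="SIMPLE", assumed here to mean an
    unencrypted LDAP connection over which the bind credentials travel in clear."""
    return [name for _, name, _, _, typ in directory_servers(xml_text) if typ == "SIMPLE"]


def check_directory_config(props_text, xml_text, replication=True):
    """Findings (empty list = consistent). With replication=True the retry
    properties from the replication procedure must also be present and numeric."""
    findings = []
    props = parse_simple_properties(props_text)
    host = props.get("com.iplanet.am.directory.host")
    port = props.get("com.iplanet.am.directory.port")
    if not host or not (port or "").isdigit():
        return ["AMConfig.properties lacks com.iplanet.am.directory.host/port"]

    default_group = [s for s in directory_servers(xml_text) if s[0] == "default"]
    if not default_group:
        findings.append('serverconfig.xml has no ServerGroup name="default"')
    elif not any(s[2] == host and s[3] == int(port) for s in default_group):
        findings.append(f"serverconfig.xml default group does not contain {host}:{port} "
                        "named in AMConfig.properties")

    if replication:
        for key in ("com.iplanet.am.replica.retries",
                    "com.iplanet.am.replica.delay.between.retries"):
            if not props.get(key, "").isdigit():
                findings.append(f"{key} is missing or not an integer")
    return findings


# Constructed samples, not real configuration files.
AMCONFIG_REPL = """
# constructed sample
com.iplanet.am.directory.host=consumer1.madisonparc.com
com.iplanet.am.directory.port=389
com.iplanet.am.replica.retries=3
com.iplanet.am.replica.delay.between.retries=1000
"""

SERVERCONFIG_REPL = """<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="consumer1.madisonparc.com" port="389" type="SIMPLE" />
  </ServerGroup>
</iPlanetDataAccessLayer>
"""

# Load-balancer variant in which AMConfig.properties was not updated to match.
SERVERCONFIG_LB = SERVERCONFIG_REPL.replace("consumer1.madisonparc.com",
                                            "idar.madisonparc.com")

if __name__ == "__main__":
    print(check_directory_config(AMCONFIG_REPL, SERVERCONFIG_REPL) or ["consistent"])
    print(check_directory_config(AMCONFIG_REPL, SERVERCONFIG_LB, replication=False))
    print("plain-text servers:", plaintext_servers(SERVERCONFIG_REPL))
```

Run the check after Step 4 and before restarting Identity Server; a mismatch report means one of the two files still names the old directory. The plain-text report is informational: port 389 with a simple bind is what the guide’s examples show, but the bind DN and password for the Identity Server service account then cross the network unencrypted on every connection.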





Copyright 2003 Sun Microsystems, Inc. All rights reserved.