OpenSSO Installation (with Debian Etch)

This document briefly describes the installation of OpenSSO on a Debian Etch system.

It records the OpenSSO installation on idp.e-taxonomy.eu. Adapt this hostname to your environment.

Prerequisites

Installing Java

Follow the Sun JDK Debian installation page.

Installing Tomcat

First, follow the Tomcat Debian installation page.

Increase Java heap memory

OpenSSO needs more heap space than the Debian default gives Tomcat. Raise the Java heap to at least 512 MB by changing the following line in /etc/default/tomcat5.5:

CATALINA_OPTS="-Djava.awt.headless=true -Xmx512M -server"

Set ownership

Change the owner/group of /usr/share/tomcat5.5 to tomcat55/root, otherwise the OpenSSO setup fails: it writes below this directory, which is the home directory of the tomcat55 user. Note that this makes the whole Tomcat installation writable by the account that runs Tomcat.

chown -R tomcat55:root /usr/share/tomcat5.5

Installing Apache

Follow the Apache2.2 Debian installation page, but omit the installation of mod_jk!

mod_proxy installation

We will use mod_proxy instead of mod_jk to integrate Tomcat into Apache. Therefore, enable the following Apache2 modules:

a2enmod ssl
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_ajp

Configure Apache site for opensso

Create a separate Apache2 site for opensso (e.g. /etc/apache2/sites-available/opensso) or adapt the default site as follows:

Listen 443
<VirtualHost idp.e-taxonomy.eu:443>
    ServerAdmin             webmaster@localhost
    ServerName              idp.e-taxonomy.eu

    SSLEngine               on
    SSLCertificateFile      /etc/ssl/certs/idp.e-taxonomy.eu-cert.pem
    SSLCertificateKeyFile   /etc/ssl/private/idp.e-taxonomy.eu-key.pem

    <Location /opensso>
        Allow from all
        # Inside <Location> the first ProxyPass argument is the Location path
        # itself; without a trailing slash there, none on the backend URL either
        ProxyPass                     ajp://localhost:8009/opensso
        ProxyPassReverse              ajp://localhost:8009/opensso
        # Arguments are the backend path/domain and its public replacement
        ProxyPassReverseCookiePath    /opensso  /opensso
        ProxyPassReverseCookieDomain  localhost idp.e-taxonomy.eu
    </Location>
</VirtualHost>

Of course, you will have to replace SSLCertificateFile and SSLCertificateKeyFile with your own certificate and private key (keep the key file readable by root only). The ProxyPass entries configure the Apache2 proxy module, which is needed so that Tomcat is reached only through the Apache2 web server. This protects Tomcat only if its own connectors (HTTP on port 8080 and AJP on port 8009) are not reachable from outside: bind them to 127.0.0.1 with the address attribute of the Connector elements in Tomcat's server.xml, or block the ports on the firewall. Otherwise clients can bypass Apache, and with it TLS, entirely.

Finally, enable the opensso site (unless you adapted the default site) and reload the Apache2 web server:

a2ensite opensso
/etc/init.d/apache2 reload
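The proxy setup above only helps if Tomcat itself is not reachable from outside. The following check is an added example (it is not part of the original page and not OpenSSO or Tomcat code): it reads `netstat -tln` output and reports any listener on the Tomcat ports that is not bound to a loopback address. The sample netstat output is constructed, and the server.xml path in the comment is assumed from the Debian tomcat5.5 package layout.

```shell
#!/bin/sh
# Added example (not part of the original page): verify that Tomcat's own
# connectors are reachable only via loopback once Apache proxies /opensso.
# If the HTTP connector (8080) or the AJP connector (8009) listens on
# 0.0.0.0 or ::, clients can bypass Apache and TLS and talk to Tomcat
# directly. On the Tomcat side the fix is address="127.0.0.1" on the
# <Connector> elements in /etc/tomcat5.5/server.xml (assumed path).

# Reads `netstat -tln` output on stdin (columns: Proto Recv-Q Send-Q
# Local-Address Foreign-Address State) and prints every socket on one of
# the given ports that is not bound to a loopback address.
# Returns 0 if all listeners on those ports are loopback-only, 1 otherwise.
tomcat_listeners_are_local() {
    ports=$1            # space-separated, e.g. "8080 8009"
    exposed=0
    while read -r proto recvq sendq local foreign state; do
        case "$proto" in tcp|tcp6) ;; *) continue ;; esac   # skip headers
        addr=${local%:*}     # everything before the last colon (IPv6 safe)
        port=${local##*:}
        for p in $ports; do
            [ "$port" = "$p" ] || continue
            case "$addr" in
                127.0.0.1|::1|::ffff:127.0.0.1) ;;       # loopback, fine
                *) echo "EXPOSED: $local"; exposed=1 ;;
            esac
        done
    done
    return $exposed
}

# Constructed sample of a misconfigured host: AJP is bound to loopback, but
# the HTTP connector listens on all IPv4 addresses and on IPv6 any.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:8009          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8080            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN'

# Live usage on the server:
#   netstat -tln | tomcat_listeners_are_local "8080 8009"
```

Run it after every Tomcat restart or configuration change; port 443 is expected to be public, so only the Tomcat ports are passed in.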

Install OpenSSO

Downloading, unpacking and deploying the OpenSSO distribution

You will find the OpenSSO distribution at http://download.java.net/general/opensso/. Currently, the nightly builds are recommended because they fix several errors in the release build.

So, download and unzip the distribution of your choice. Since I preferred to install OpenSSO to /opt/opensso, the following commands do the job.

wget http://download.java.net/general/opensso/nightly/latest/opensso/opensso_nightly_20090204.zip
unzip opensso_nightly_20090204.zip -d /opt 

The OpenSSO distribution includes several tools (configurator, admin and session), which should also be extracted, into /opt/opensso/tools:

unzip /opt/opensso/tools/ssoConfiguratorTools.zip -d /opt/opensso/tools/configurator
unzip /opt/opensso/tools/ssoAdminTools.zip -d /opt/opensso/tools/admin
unzip /opt/opensso/tools/ssoSessionTools.zip -d /opt/opensso/tools/session

Next, deploy the file /opt/opensso/deployable-war/opensso.war to the Tomcat webapps directory and make sure Tomcat can read it.

cp /opt/opensso/deployable-war/opensso.war /var/lib/tomcat5.5/webapps
chown tomcat55:root /var/lib/tomcat5.5/webapps/opensso.war

Finally, starting Tomcat deploys the opensso.war file automatically:

/etc/init.d/tomcat5.5 start

Now, OpenSSO should be accessible below the /opensso URL path (e.g. https://idp.e-taxonomy.eu/opensso/).

Basic OpenSSO setup

localhost alias

Before starting with the basic OpenSSO configuration, make sure that your host name (identical to the DNS name of the host) also resolves locally. I ran into a lot of trouble because the subsequent configuration process always failed before I did this. Therefore, edit /etc/hosts according to your needs, i.e. add your host name (here idp.e-taxonomy.eu) as an alias:

127.0.0.1       localhost idp.e-taxonomy.eu idp
xxx.xxx.xxx.xxx idp.e-taxonomy.eu idp

Manage the Java truststore

Since we want OpenSSO to operate in secure SSL mode, Java must be equipped with the trusted Root CA certificates (e.g. the RootCA and ServerCA certificates of our WP5.7 Certification Authority). Everything imported into cacerts becomes a trust anchor for all TLS connections the JVM makes, so verify the certificate files out of band before importing them. The store password changeit is the Java default; nothing on this page changes it.

keytool -import -v -alias EDIT-RootCA -keystore /etc/java-1.5.0-sun/security/cacerts -storepass changeit -file /etc/ssl/certs/EDIT-WP5.7-cacert.pem
keytool -import -v -alias EDIT-ServerCA -keystore /etc/java-1.5.0-sun/security/cacerts -storepass changeit -file /etc/ssl/certs/EDIT-WP5.7-ServerCA-cacert.pem

Alternatively, IBM KeyMan is a comfortable Java keystore management tool.
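The two keytool commands above import whatever file they are given. The script below is an added example (not part of the original page, and not OpenSSO or Sun code): it computes the SHA-256 fingerprint of a PEM certificate, refuses the import unless it matches a value obtained out of band, and skips aliases that already exist so the step can be re-run. It assumes GNU coreutils (base64, sha256sum), keytool on the PATH, and the cacerts path and store password from the page; the fingerprint values in the usage note are placeholders you must replace with the ones your CA publishes.

```shell
#!/bin/sh
# Added example (not part of the original page): import a CA certificate
# into the JVM truststore only after its SHA-256 fingerprint matches a
# pinned value. Assumed: GNU coreutils, keytool on PATH, and the cacerts
# path / "changeit" store password used on this page.

CACERTS=${CACERTS:-/etc/java-1.5.0-sun/security/cacerts}
STOREPASS=${STOREPASS:-changeit}

# SHA-256 fingerprint of the first PEM certificate in $1, as lowercase hex
# without colons. The fingerprint is the hash of the DER encoding, i.e. of
# the decoded PEM body, which is also what
# `openssl x509 -fingerprint -sha256` prints (with colons).
# Returns 1 if the file contains no PEM certificate block.
cert_fingerprint() {
    body=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
           | sed '/^-----/d')
    [ -n "$body" ] || return 1
    printf '%s\n' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Compare the file's fingerprint with the pinned value $2; colons and case
# in the pinned value are ignored. Returns 0 on match, 1 otherwise.
verify_ca_fingerprint() {
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    actual=$(cert_fingerprint "$1") || return 1
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# import_pinned_ca ALIAS FILE FINGERPRINT
# Imports only when the fingerprint matches and the alias is not present yet
# (keytool -import fails on an existing alias, which breaks re-runs).
import_pinned_ca() {
    alias=$1; file=$2; expected=$3
    if ! verify_ca_fingerprint "$file" "$expected"; then
        echo "refusing to import $file as $alias: fingerprint mismatch" >&2
        return 1
    fi
    if keytool -list -alias "$alias" -keystore "$CACERTS" \
            -storepass "$STOREPASS" >/dev/null 2>&1; then
        echo "alias $alias already present in $CACERTS, skipping"
        return 0
    fi
    keytool -import -noprompt -v -alias "$alias" -keystore "$CACERTS" \
        -storepass "$STOREPASS" -file "$file"
}

# Usage (placeholders, replace with the fingerprints your CA publishes):
#   import_pinned_ca EDIT-RootCA   /etc/ssl/certs/EDIT-WP5.7-cacert.pem          <root-ca-sha256>
#   import_pinned_ca EDIT-ServerCA /etc/ssl/certs/EDIT-WP5.7-ServerCA-cacert.pem <server-ca-sha256>
```

Keep the pinned fingerprints in the script or in your configuration management, not in the same place as the certificate files, so a swapped file is noticed.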

Next, you have to choose your preferred setup method.

You can use the graphical setup provided at https://idp.e-taxonomy.eu/opensso/ or the configurator tool.

Graphical setup

Using the graphical setup, you can choose between quick and advanced setup; the wizard guides you through the process. With this method you will probably find the OpenSSO configuration files in /usr/share/tomcat5.5/opensso, the home directory of the tomcat55 user.

Console setup using the configurator tool

For repeated or scripted setups, the configurator tool is more comfortable, since you don't have to repeat your input again and again. If you have already unpacked the configurator tool (refer to OpenSSO installation), copy the sample configuration file somewhere (e.g. /root/opensso.config) and customize it.

cp /opt/opensso/tools/configurator/sampleconfiguration /root/opensso.config

The following example deploys opensso to the URL https://idp.e-taxonomy.eu/opensso/ and stores the configuration files in /etc/opensso. It configures the embedded OpenDS Directory Server on port 50389 as DataStore and UserStore. Change the passwords: they are stored in clear text in this file, so also keep the file readable by root only.

The original sampleconfiguration file also documents the configuration options.

SERVER_URL=https://idp.e-taxonomy.eu
DEPLOYMENT_URI=/opensso
BASE_DIR=/etc/opensso
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=
ADMIN_PWD=11111111
AMLDAPUSERPASSWD=00000000
COOKIE_DOMAIN=.e-taxonomy.eu

DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_SERVER=idp.e-taxonomy.eu
DIRECTORY_PORT=50389
ROOT_SUFFIX=dc=opensso,dc=java,dc=net
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=11111111

USERSTORE_TYPE=
USERSTORE_SSL=SIMPLE
USERSTORE_HOST=idp.e-taxonomy.eu
USERSTORE_PORT=50389
USERSTORE_SUFFIX=dc=opensso,dc=java,dc=net
USERSTORE_MGRDN=cn=Directory Manager
USERSTORE_PASSWD=11111111

Then, create the configuration directory (e.g. /etc/opensso) and make it writable for Tomcat. It will hold the bootstrap file, keystore and password files of the instance, so do not make it readable for other users:

mkdir -p /etc/opensso
chown -R tomcat55:root /etc/opensso/
chmod 750 /etc/opensso

Before running the configurator tool, (re)start Apache2 and Tomcat:

/etc/init.d/apache2 restart
/etc/init.d/tomcat5.5 restart

Tomcat will deploy opensso automatically. This will take a minute or so.

Finally, start the configurator tool:

cd /opt/opensso/tools/configurator
java -jar /opt/opensso/tools/configurator/configurator.jar -f /root/opensso.config
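Hand-editing the sample file tends to leave the placeholder passwords in place. The script below is an added example (not part of the original page, and not OpenSSO code) that performs the console setup steps above in one go: it writes the configuration file with the settings from this page but random passwords, makes the file readable by root only because the passwords are in clear text, refuses to run the configurator if placeholder or too-short passwords remain, creates /etc/opensso and then calls configurator.jar. It assumes, as the setup wizard enforces, that the admin password needs at least 8 characters and that AMLDAPUSERPASSWD must differ from ADMIN_PWD; the host name, ports and paths are the ones used on this page, and AM_ENC_KEY is left empty as in the page's example.

```shell
#!/bin/sh
# Added example (not part of the original page): generate opensso.config
# with random passwords, check it, and run the configurator with it.
# Assumptions: hostname, ports and paths as used on this page; the setup
# requires ADMIN_PWD to be at least 8 characters and AMLDAPUSERPASSWD to
# differ from it.

# 24 characters from [A-Za-z0-9]; LC_ALL=C keeps tr byte-oriented.
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24
}

# write_opensso_config FILE [SERVER_URL]
# Writes the configurator input file, mode 0600, for the given server URL
# (default: the page's https://idp.e-taxonomy.eu).
write_opensso_config() {
    out=$1
    server_url=${2:-https://idp.e-taxonomy.eu}
    host=${server_url#*://}          # idp.e-taxonomy.eu
    cookie_domain=.${host#*.}        # .e-taxonomy.eu
    admin_pwd=$(random_password)
    ldapuser_pwd=$(random_password)
    dirmgr_pwd=$(random_password)
    while [ "$ldapuser_pwd" = "$admin_pwd" ]; do ldapuser_pwd=$(random_password); done
    rm -f "$out"                     # so the umask applies to a fresh file
    (
        umask 077
        cat >"$out" <<EOF
SERVER_URL=$server_url
DEPLOYMENT_URI=/opensso
BASE_DIR=/etc/opensso
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=
ADMIN_PWD=$admin_pwd
AMLDAPUSERPASSWD=$ldapuser_pwd
COOKIE_DOMAIN=$cookie_domain

DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_SERVER=$host
DIRECTORY_PORT=50389
ROOT_SUFFIX=dc=opensso,dc=java,dc=net
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=$dirmgr_pwd

USERSTORE_TYPE=
USERSTORE_SSL=SIMPLE
USERSTORE_HOST=$host
USERSTORE_PORT=50389
USERSTORE_SUFFIX=dc=opensso,dc=java,dc=net
USERSTORE_MGRDN=cn=Directory Manager
USERSTORE_PASSWD=$dirmgr_pwd
EOF
    )
}

# check_opensso_config FILE
# Returns 0 only if no password is empty or a known placeholder, ADMIN_PWD
# has at least 8 characters, the two user passwords differ, and the file is
# not readable by group or others.
check_opensso_config() {
    f=$1
    admin=$(sed -n 's/^ADMIN_PWD=//p' "$f")
    ldapuser=$(sed -n 's/^AMLDAPUSERPASSWD=//p' "$f")
    [ -n "$admin" ] && [ "${#admin}" -ge 8 ] || return 1
    [ "$admin" != "$ldapuser" ] || return 1
    ! grep -Eq '^(ADMIN_PWD|AMLDAPUSERPASSWD|DS_DIRMGRPASSWD|USERSTORE_PASSWD)=(11111111|00000000|password)?$' "$f" || return 1
    [ "$(ls -l "$f" | cut -c1-10)" = "-rw-------" ] || return 1
}

# run_configurator FILE  (run as root on the server, after Apache and Tomcat
# have been restarted and Tomcat has deployed opensso.war)
run_configurator() {
    check_opensso_config "$1" || { echo "refusing to run with $1" >&2; return 1; }
    mkdir -p /etc/opensso && chown tomcat55:root /etc/opensso && chmod 750 /etc/opensso || return 1
    (cd /opt/opensso/tools/configurator && java -jar configurator.jar -f "$1")
}

# Usage: write_opensso_config /root/opensso.config && run_configurator /root/opensso.config
```

The generated passwords exist only in that file; read ADMIN_PWD from it for the first login, then move the file somewhere safe or delete it once the setup is complete.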

If the configuration was successful, the output should look like this:

...Success.
Creating OpenSSO suffix...Success.
Tag swapping schema files....Success.
Loading Schema am_sm_ds_schema.ldif...Success.
Loading Schema am_remote_opends_schema.ldif...Success.
Loading Schema fam_sds_schema.ldif...Success.
Reinitializing system properties....Done
Registering service amEntrySpecific.xml...Success.
Registering service amAuthConfig.xml...Success.
Registering service amAuthHTTPBasic.xml...Success.
Registering service amAdminConsole.xml...Success.
Registering service idRepoService.xml...Success.
Registering service amAuth.xml...Success.
Registering service amAuthAD.xml...Success.
Registering service amAuthAnonymous.xml...Success.
Registering service amAuthCert.xml...Success.
Registering service amAuthDataStore.xml...Success.
Registering service amAuthJDBC.xml...Success.
Registering service amAuthLDAP.xml...Success.
Registering service amAuthMSISDN.xml...Success.
Registering service amAuthMembership.xml...Success.
Registering service amAuthNT.xml...Success.
Registering service amAuthWindowsDesktopSSO.xml...Success.
Registering service amClientData.xml...Success.
Registering service amClientDetection.xml...Success.
Registering service amDelegation.xml...Success.
Registering service amFilteredRole.xml...Success.
Registering service amG11NSettings.xml...Success.
Registering service amLogging.xml...Success.
Registering service amNaming.xml...Success.
Registering service amPlatform.xml...Success.
Registering service amPolicy.xml...Success.
Registering service amPolicyConfig.xml...Success.
Registering service amRealmService.xml...Success.
Registering service amSession.xml...Success.
Registering service amWebAgent.xml...Success.
Registering service amUser.xml...Success.
Registering service identityLocaleService.xml...Success.
Registering service amAgent70.xml...Success.
Registering service amPasswordReset.xml...Success.
Registering service amAuthRadius.xml...Success.
Registering service amAuthSafeWord.xml...Success.
Registering service amAuthSecurID.xml...Success.
Registering service amAuthUnix.xml...Success.
Registering service AgentService.xml...Success.
Registering service fmAuthFederation.xml...Success.
Registering service fmAuthSAE.xml...Success.
Registering service fmAuthnSvc.xml...Success.
Registering service fmDisco.xml...Success.
Registering service fmIDFF.xml...Success.
Registering service fmLibertyPersonalProfile.xml...Success.
Registering service fmCOTConfig.xml...Success.
Registering service fmSAML2.xml...Success.
Registering service fmSAML.xml...Success.
Registering service fmSOAPBinding.xml...Success.
Registering service fmSAML2SOAPBinding.xml...Success.
Registering service fmWSFederation.xml...Success.
Registering service fmMultiProtocol.xml...Success.
Registering service famSTS.xml...Success.
Registering service famFederationCommon.xml...Success.
Registering service famIDFFConfig.xml...Success.
Registering service famLibertyInteraction.xml...Success.
Registering service famLibertySecurity.xml...Success.
Registering service famSAML2Config.xml...Success.
Configuring system....Done
Configuring server instance....Done
Creating demo user....Done
Configuration complete!

You should be able to log in at https://idp.e-taxonomy.eu/opensso/ as user amAdmin with the password configured in option ADMIN_PWD of your opensso configuration file (e.g. /root/opensso.config). Since that file holds the passwords in clear text, keep it out of reach of other users or delete it once the setup is complete.
