OpenSSOInstallDebianEtch » History » Version 12
Andreas Müller, 02/23/2022 11:54 PM
{{>toc}}

# [[OpenSSO]] Installation (with Debian Etch)

This document briefly describes how to install [[OpenSSO|OpenSSO]] on a Debian Etch system.

This walkthrough records the [[OpenSSO]] installation on idp.e-taxonomy.eu. Please adapt this hostname to your environment.

## Prerequisites

### Installing Java

Follow the [[ShibbolethIdPInstallDebianEtch#SUNJDK5Installation|Sun JDK Debian installation]].

### Installing Tomcat

First, follow the [[ShibbolethIdPInstallDebianEtch#ApacheTomcat55Installation|Tomcat Debian installation]].

#### Increase Java heap memory

Next, [[OpenSSO]] requires more heap space than Tomcat is given by default. Increase the Java heap memory to at least 512MB by changing the following line in _/etc/default/tomcat5.5_:

~~~
CATALINA_OPTS="-Djava.awt.headless=true -Xmx512M -server"
~~~

#### Set ACLs

Change the owner/group of _/usr/share/tomcat5.5_ to tomcat55/root; otherwise the [[OpenSSO]] installation fails.

~~~
chown -R tomcat55:root /usr/share/tomcat5.5
~~~

### Installing Apache

Follow the [[ShibbolethIdPInstallDebianEtch#ApacheWebServer22Installation|Apache 2.2 Debian installation]], *but omit the installation of _mod_jk_*!

#### mod_proxy installation

We will use mod_proxy instead of mod_jk to integrate Tomcat into Apache. To do so, enable the following Apache2 modules:

~~~
a2enmod ssl
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_ajp
~~~

#### Configure Apache site for opensso

Create an individual Apache2 site for opensso (e.g. _/etc/apache2/sites-available/opensso_) or adapt the default site as follows:

~~~
Listen 443
<VirtualHost idp.e-taxonomy.eu:443>
    ServerAdmin webmaster@localhost

    ServerName idp.e-taxonomy.eu
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/idp.e-taxonomy.eu-cert.pem
    SSLCertificateKeyFile /etc/ssl/private/idp.e-taxonomy.eu-key.pem

    <Location /opensso>
        Allow from all
        ProxyPass ajp://localhost:8009/opensso/
        ProxyPassReverse ajp://localhost:8009/opensso/
        # Both cookie directives take an internal and a public value, not a URL
        ProxyPassReverseCookiePath /opensso /opensso
        ProxyPassReverseCookieDomain localhost idp.e-taxonomy.eu
    </Location>
</VirtualHost>
~~~

Of course, you will have to replace _SSLCertificateFile_ and _SSLCertificateKeyFile_ with your own certificate and key. The ProxyPass entries configure the Apache2 proxy module to hand requests for /opensso to Tomcat's AJP connector on localhost:8009, so that Tomcat is only reached through the Apache2 web server.

Finally, enable the opensso site (if it is not configured as the default) and reload the Apache2 web server.

~~~
a2ensite opensso
/etc/init.d/apache2 reload
~~~

## Install [[OpenSSO]]

### Downloading, unpacking and deploying the [[OpenSSO]] distribution

You will find the [[OpenSSO]] distribution on http://download.java.net/general/opensso/. Currently, it is recommended to use the nightly builds, because they fix several errors.

Download and unzip the distribution of your choice. Since I preferred to install [[OpenSSO]] to _/opt/opensso_, the following commands will do the job.

~~~
wget http://download.java.net/general/opensso/nightly/latest/opensso/opensso_nightly_20090204.zip
unzip opensso_nightly_20090204.zip -d /opt
~~~

The [[OpenSSO]] distribution includes several tools (configurator, admin and session), which should also be extracted into _/opt/opensso/tools_:

~~~
unzip /opt/opensso/tools/ssoConfiguratorTools.zip -d /opt/opensso/tools/configurator
unzip /opt/opensso/tools/ssoAdminTools.zip -d /opt/opensso/tools/admin
unzip /opt/opensso/tools/ssoSessionTools.zip -d /opt/opensso/tools/session
~~~

Next, deploy the file _/opt/opensso/deployable-war/opensso.war_ to the Tomcat webapps directory and ensure that the file is accessible by Tomcat.

~~~
cp /opt/opensso/deployable-war/opensso.war /var/lib/tomcat5.5/webapps
chown tomcat55:root /var/lib/tomcat5.5/webapps/opensso.war
~~~

Finally, starting Tomcat should deploy the _opensso.war_ file automatically.

~~~
/etc/init.d/tomcat5.5 start
~~~

Now, [[OpenSSO]] should be accessible below the /opensso URL path (e.g. https://idp.e-taxonomy.eu/opensso/).

### Basic [[OpenSSO]] setup

#### localhost alias

Before starting with the basic [[OpenSSO]] configuration, make sure to create a localhost alias for your host name that is identical to the DNS name of the host. I ran into a lot of trouble, because the subsequent configuration process always failed before I did this. Therefore, edit _/etc/hosts_ according to your needs, i.e. add an alias for your host name (here idp.e-taxonomy.eu).

~~~
127.0.0.1 localhost idp.e-taxonomy.eu idp
xxx.xxx.xxx.xxx idp.e-taxonomy.eu idp
~~~

#### Manage the Java truststore

Since we want [[OpenSSO]] to operate in secure SSL mode, Java must be equipped with the trusted root CA certificates (e.g. the RootCA and ServerCA certificates of our [[WP57CertificationAuthority|WP5.7 Certification Authority]]).

~~~
keytool -import -v -alias EDIT-RootCA -keystore /etc/java-1.5.0-sun/security/cacerts -storepass changeit -file /etc/ssl/certs/EDIT-WP5.7-cacert.pem
keytool -import -v -alias EDIT-ServerCA -keystore /etc/java-1.5.0-sun/security/cacerts -storepass changeit -file /etc/ssl/certs/EDIT-WP5.7-ServerCA-cacert.pem
~~~

Alternatively, [IBM KeyMan](http://www.alphaworks.ibm.com/tech/keyman) is a convenient Java keystore management tool.

Next, you have to choose your preferred setup method: either the graphical setup provided at _https://idp.e-taxonomy.eu/opensso/_ or the configurator tool.

#### Graphical setup

Using the graphical setup, you can select between quick and advanced setup, and the setup wizard guides you through the process. This way, you will probably find the [[OpenSSO]] configuration files in _/usr/share/tomcat5.5/opensso_.

#### Console setup using the configurator tool

For repeated or scripted setups, the configurator tool is more convenient, since you don't have to type your input again and again. If you have already unpacked the configurator tool (refer to [[#InstallOpenSSO|OpenSSO installation]]), copy the sample configuration file somewhere (e.g. _/root/opensso.config_) and customize it.

~~~
cp /opt/opensso/tools/configurator/sampleconfiguration /root/opensso.config
~~~

The following example deploys opensso to the URL https://idp.e-taxonomy.eu/opensso/ and stores the configuration files in _/etc/opensso_. It configures the embedded OpenDS Directory Server on port 50389 as DataStore and UserStore. Please *change the passwords*!

The original sampleconfiguration file also documents the configuration options.

~~~
SERVER_URL=https://idpdemo2.e-taxonomy.eu
DEPLOYMENT_URI=/opensso
BASE_DIR=/etc/opensso
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=
ADMIN_PWD=11111111
AMLDAPUSERPASSWD=00000000
COOKIE_DOMAIN=.e-taxonomy.eu

DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_SERVER=idpdemo2.e-taxonomy.eu
DIRECTORY_PORT=50389
ROOT_SUFFIX=dc=opensso,dc=java,dc=net
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=11111111

USERSTORE_TYPE=
USERSTORE_SSL=SIMPLE
USERSTORE_HOST=idpdemo2.e-taxonomy.eu
USERSTORE_PORT=50389
USERSTORE_SUFFIX=dc=opensso,dc=java,dc=net
USERSTORE_MGRDN=Directory Manager
USERSTORE_PASSWD=11111111
~~~

Then, create the configuration directory (e.g. _/etc/opensso_) and make it writable for Tomcat:

~~~
mkdir -p /etc/opensso
chown -R tomcat55:root /etc/opensso/
chmod 775 /etc/opensso
~~~

Before running the configurator tool, (re)start Apache2 and Tomcat:

~~~
/etc/init.d/apache2 restart
/etc/init.d/tomcat5.5 restart
~~~

Tomcat will deploy opensso automatically. This will take a minute or so.

Finally, start the configurator tool:

~~~
cd /opt/opensso/tools/configurator
java -jar /opt/opensso/tools/configurator/configurator.jar -f /root/opensso.config
~~~

If the configuration was successful, the output should look like this:

~~~
...Success.
Creating OpenSSO suffix...Success.
Tag swapping schema files....Success.
Loading Schema am_sm_ds_schema.ldif...Success.
Loading Schema am_remote_opends_schema.ldif...Success.
Loading Schema fam_sds_schema.ldif...Success.
Reinitializing system properties....Done
Registering service amEntrySpecific.xml...Success.
Registering service amAuthConfig.xml...Success.
Registering service amAuthHTTPBasic.xml...Success.
Registering service amAdminConsole.xml...Success.
Registering service idRepoService.xml...Success.
Registering service amAuth.xml...Success.
Registering service amAuthAD.xml...Success.
Registering service amAuthAnonymous.xml...Success.
Registering service amAuthCert.xml...Success.
Registering service amAuthDataStore.xml...Success.
Registering service amAuthJDBC.xml...Success.
Registering service amAuthLDAP.xml...Success.
Registering service amAuthMSISDN.xml...Success.
Registering service amAuthMembership.xml...Success.
Registering service amAuthNT.xml...Success.
Registering service amAuthWindowsDesktopSSO.xml...Success.
Registering service amClientData.xml...Success.
Registering service amClientDetection.xml...Success.
Registering service amDelegation.xml...Success.
Registering service amFilteredRole.xml...Success.
Registering service amG11NSettings.xml...Success.
Registering service amLogging.xml...Success.
Registering service amNaming.xml...Success.
Registering service amPlatform.xml...Success.
Registering service amPolicy.xml...Success.
Registering service amPolicyConfig.xml...Success.
Registering service amRealmService.xml...Success.
Registering service amSession.xml...Success.
Registering service amWebAgent.xml...Success.
Registering service amUser.xml...Success.
Registering service identityLocaleService.xml...Success.
Registering service amAgent70.xml...Success.
Registering service amPasswordReset.xml...Success.
Registering service amAuthRadius.xml...Success.
Registering service amAuthSafeWord.xml...Success.
Registering service amAuthSecurID.xml...Success.
Registering service amAuthUnix.xml...Success.
Registering service AgentService.xml...Success.
Registering service fmAuthFederation.xml...Success.
Registering service fmAuthSAE.xml...Success.
Registering service fmAuthnSvc.xml...Success.
Registering service fmDisco.xml...Success.
Registering service fmIDFF.xml...Success.
Registering service fmLibertyPersonalProfile.xml...Success.
Registering service fmCOTConfig.xml...Success.
Registering service fmSAML2.xml...Success.
Registering service fmSAML.xml...Success.
Registering service fmSOAPBinding.xml...Success.
Registering service fmSAML2SOAPBinding.xml...Success.
Registering service fmWSFederation.xml...Success.
Registering service fmMultiProtocol.xml...Success.
Registering service famSTS.xml...Success.
Registering service famFederationCommon.xml...Success.
Registering service famIDFFConfig.xml...Success.
Registering service famLibertyInteraction.xml...Success.
Registering service famLibertySecurity.xml...Success.
Registering service famSAML2Config.xml...Success.
Configuring system....Done
Configuring server instance....Done
Creating demo user....Done
Configuration complete!
~~~
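The configurator file above still carries the sample passwords. The following POSIX shell script is an added example (not from the original wiki page): it writes the same embedded-OpenDS configurator file with random passwords, creates it readable by root only, and counts the password options that are still empty or set to a sample value, so the check can run before the configurator is started. It assumes the option names of the sampleconfiguration shown above, leaves AM_ENC_KEY empty as on the page, and takes host name and cookie domain as parameters.

```shell
# Added example, not part of the original wiki page: write an OpenSSO
# configurator file for the embedded OpenDS layout with random passwords
# instead of the sample values 11111111/00000000. Assumptions: option names
# as in the sampleconfiguration above; AM_ENC_KEY left empty as on the page.

# 24 hex characters from the kernel RNG (no openssl needed).
gen_secret() {
    head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n'
}
# write_opensso_config FILE HOSTNAME COOKIE_DOMAIN
write_opensso_config() {
    file=$1; host=$2; domain=$3
    admin_pwd=$(gen_secret); ldap_user_pwd=$(gen_secret); dirmgr_pwd=$(gen_secret)
    old_umask=$(umask); umask 077   # plaintext secrets: root-only file
    cat > "$file" <<EOF
SERVER_URL=https://$host
DEPLOYMENT_URI=/opensso
BASE_DIR=/etc/opensso
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=
ADMIN_PWD=$admin_pwd
AMLDAPUSERPASSWD=$ldap_user_pwd
COOKIE_DOMAIN=$domain

DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_SERVER=$host
DIRECTORY_PORT=50389
ROOT_SUFFIX=dc=opensso,dc=java,dc=net
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=$dirmgr_pwd

USERSTORE_TYPE=
USERSTORE_SSL=SIMPLE
USERSTORE_HOST=$host
USERSTORE_PORT=50389
USERSTORE_SUFFIX=dc=opensso,dc=java,dc=net
USERSTORE_MGRDN=Directory Manager
USERSTORE_PASSWD=$dirmgr_pwd
EOF
    umask "$old_umask"
}

# weak_password_count FILE: number of *PWD/*PASSWD options still empty or
# set to a sample value; must be 0 before the configurator is run.
weak_password_count() {
    grep -E '^[A-Z_]*(PWD|PASSWD)=(11111111|00000000)?$' "$1" | wc -l | tr -d ' '
}
```

Run it as `write_opensso_config /root/opensso.config idp.e-taxonomy.eu .e-taxonomy.eu` and pass the result to `configurator.jar -f` as above; the embedded userstore shares the directory manager password, as in the sample.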
||
314 | |||
315 | 9 | Lutz Suhrbier | You should be able to login on https://idp.e-taxonomy.eu/opensso/ as user _amAdmin_ with the password configured in option _ADMIN_PWD_ of your opensso configuration file (e.g._/root/opensso.config_). |