OpenSSOInstallDebianEtch » History » Revision 7
Lutz Suhrbier, 02/06/2009 03:57 PM
OpenSSO Installation (with Debian Etch)¶
This document will briefly describe the installation procedure of OpenSSO on a Debian Etch system.
This write-up records the OpenSSO installation on idp.e-taxonomy.eu. Please adapt this hostname to your environment.
Prerequisites¶
Installing Java¶
Follow Sun JDK Debian installation.
Installing Tomcat¶
First, follow Tomcat Debian installation.
Increase Java heap memory¶
Next, OpenSSO requires more heap space than configured by default. Increase the Java heap memory to at least 512MB by changing the following line in /etc/default/tomcat5.5:
CATALINA_OPTS="-Djava.awt.headless=true -Xmx512M -server"
Set ACLs¶
Change the owner and group of /usr/share/tomcat5.5 to tomcat55:root; otherwise the OpenSSO installation fails.
chown -R tomcat55:root /usr/share/tomcat5.5
Installing Apache¶
Follow Apache2.2 Debian installation, but omit the installation of mod_jk!
mod_proxy installation¶
We will use mod_proxy instead of mod_jk to integrate Tomcat into Apache. To do so, enable the following Apache2 modules:
a2enmod ssl
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_ajp
Configure Apache site for opensso¶
Create an individual Apache2 site for opensso (e.g. /etc/apache2/sites-available/opensso) or adapt the default site as follows:
Listen 443
<VirtualHost idp.e-taxonomy.eu:443>
    ServerAdmin webmaster@localhost
    ServerName idp.e-taxonomy.eu
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/idp.e-taxonomy.eu-cert.pem
    SSLCertificateKeyFile /etc/ssl/private/idp.e-taxonomy.eu-key.pem
    <Location /opensso>
        Allow from all
        ProxyPass ajp://localhost:8009/opensso/
        ProxyPassReverse ajp://localhost:8009/opensso/
        ProxyPassReverseCookiePath ajp://localhost:8009/opensso/ /opensso
        ProxyPassReverseCookieDomain ajp://localhost:8009/opensso/ idp.e-taxonomy.eu
    </Location>
</VirtualHost>
Of course, you will have to replace SSLCertificateFile and SSLCertificateKeyFile with the paths to your own certificate and private key. The ProxyPass entries configure the Apache2 proxy module, which is needed so that Tomcat is only reached through the Apache2 web server.
Finally, enable the opensso site (if not configured as the default site) and reload the Apache2 web server:
a2ensite opensso
/etc/init.d/apache2 reload
Install OpenSSO¶
Downloading, unpacking and deploying the OpenSSO distribution¶
You will find the OpenSSO distribution at http://download.java.net/general/opensso/. Currently, it is recommended to use the nightly builds, because they fix several errors.
Download and unzip the distribution of your choice. Since I preferred to install OpenSSO to /opt/opensso, the following commands do the job:
wget http://download.java.net/general/opensso/nightly/latest/opensso/opensso_nightly_20090204.zip
unzip opensso_nightly_20090204.zip -d /opt
The OpenSSO distribution includes several tools (configurator, admin and session), which should also be extracted into /opt/opensso/tools:
unzip /opt/opensso/tools/ssoConfiguratorTools.zip -d /opt/opensso/tools/configurator
unzip /opt/opensso/tools/ssoAdminTools.zip -d /opt/opensso/tools/admin
unzip /opt/opensso/tools/ssoSessionTools.zip -d /opt/opensso/tools/session
Next, deploy the file /opt/opensso/deployable-war/opensso.war to the Tomcat webapps directory and ensure that the file is accessible by Tomcat:
cp /opt/opensso/deployable-war/opensso.war /var/lib/tomcat5.5/webapps
chown -R tomcat55:root /var/lib/tomcat5.5/webapps/opensso.war
Finally, starting Tomcat should deploy the opensso.war file automatically:
/etc/init.d/tomcat5.5 start
Now OpenSSO should be accessible below the /opensso URL path (e.g. https://idp.e-taxonomy.eu/opensso/).
Basic OpenSSO setup¶
localhost alias¶
Before starting with the basic OpenSSO configuration, make sure that /etc/hosts contains a localhost alias that is identical to the DNS name of the host. I ran into a lot of trouble because the subsequent configuration process always failed until I did this. Therefore, edit /etc/hosts according to your needs, i.e. add an alias for your host name (here idp.e-taxonomy.eu):
127.0.0.1 localhost idp.e-taxonomy.eu idp
xxx.xxx.xxx.xxx idp.e-taxonomy.eu idp
Manage the Java truststore¶
Since we want OpenSSO to operate in secure SSL mode, Java must be equipped with the trusted root CA certificates (e.g. the RootCA and ServerCA certificates of our WP5.7 Certification Authority). Note that changeit is the default password of the cacerts keystore shipped with the JDK:
keytool -import -v -alias EDIT-RootCA -keystore /etc/java-1.5.0-sun/security/cacerts -storepass changeit -file /etc/ssl/certs/EDIT-WP5.7-cacert.pem
keytool -import -v -alias EDIT-ServerCA -keystore /etc/java-1.5.0-sun/security/cacerts -storepass changeit -file /etc/ssl/certs/EDIT-WP5.7-ServerCA-cacert.pem
Alternatively, IBM KeyMan is a convenient Java keystore management tool.
Next, you have to choose your preferred setup method.
You can use the graphical setup provided at https://idp.e-taxonomy.eu/opensso/ or the configurator tool.
Graphical setup¶
Using the graphical setup, you can choose between quick and advanced setup; the wizard guides you through the process. With this method, you will most likely find the OpenSSO configuration files in /usr/share/tomcat5.5/opensso.
Console setup using the configurator tool¶
For repeated or scripted setups, the configurator tool is more convenient, since you do not have to repeat your input again and again. If you have already unpacked the configurator tool (refer to the OpenSSO installation section above), copy the sample configuration file somewhere (e.g. /root/opensso.config) and customize it:
cp /opt/opensso/tools/configurator/sampleconfiguration /root/opensso.config
The following example deploys OpenSSO to the URL https://idp.e-taxonomy.eu/opensso/ and stores the configuration files in /etc/opensso. It configures the embedded OpenDS Directory Server on port 50389 as both DataStore and UserStore. Please change the passwords!
The original sampleconfiguration file also documents the configuration options.
SERVER_URL=https://idpdemo2.e-taxonomy.eu
DEPLOYMENT_URI=/opensso
BASE_DIR=/etc/opensso
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=
ADMIN_PWD=11111111
AMLDAPUSERPASSWD=00000000
COOKIE_DOMAIN=.e-taxonomy.eu
DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_SERVER=idpdemo2.e-taxonomy.eu
DIRECTORY_PORT=50389
ROOT_SUFFIX=dc=opensso,dc=java,dc=net
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=11111111
USERSTORE_TYPE=
USERSTORE_SSL=SIMPLE
USERSTORE_HOST=idpdemo2.e-taxonomy.eu
USERSTORE_PORT=50389
USERSTORE_SUFFIX=dc=opensso,dc=java,dc=net
USERSTORE_MGRDN=Directory Manager
USERSTORE_PASSWD=11111111
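As an added example (not part of the original wiki page), the following POSIX shell script writes a configurator file with the same keys as the example above, but with freshly generated passwords instead of the 11111111/00000000 placeholders, creates it readable by its owner only, and refuses a file that still carries placeholder passwords or loose permissions. The function names, the hostnames passed in and the use of /dev/urandom are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: generate and check an OpenSSO
# configurator file. Function names and the hostnames passed in are assumptions.

# gen_pw LEN: LEN random alphanumeric characters read from /dev/urandom
gen_pw() {
    tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$1"
}

# write_opensso_config FILE HOST COOKIE_DOMAIN: same keys as the page's example,
# but with fresh random passwords; the file is created owner-readable only (0600)
write_opensso_config() {
    file=$1; host=$2; domain=$3
    admin_pw=$(gen_pw 16); ldap_pw=$(gen_pw 16); dirmgr_pw=$(gen_pw 16)
    rm -f "$file"
    ( umask 077; cat >"$file" <<EOF
SERVER_URL=https://$host
DEPLOYMENT_URI=/opensso
BASE_DIR=/etc/opensso
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=
ADMIN_PWD=$admin_pw
AMLDAPUSERPASSWD=$ldap_pw
COOKIE_DOMAIN=$domain
DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_SERVER=$host
DIRECTORY_PORT=50389
ROOT_SUFFIX=dc=opensso,dc=java,dc=net
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=$dirmgr_pw
USERSTORE_TYPE=
USERSTORE_SSL=SIMPLE
USERSTORE_HOST=$host
USERSTORE_PORT=50389
USERSTORE_SUFFIX=dc=opensso,dc=java,dc=net
USERSTORE_MGRDN=Directory Manager
USERSTORE_PASSWD=$dirmgr_pw
EOF
    )
}

# check_opensso_config FILE: return 1 if any password key is empty or still a
# 0/1 placeholder, or if the file is readable by group or others; else return 0
check_opensso_config() {
    grep -Eq '^(ADMIN_PWD|AMLDAPUSERPASSWD|DS_DIRMGRPASSWD|USERSTORE_PASSWD)=[01]*$' "$1" && return 1
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ] || return 1
    return 0
}
```

Run check_opensso_config against /root/opensso.config before starting the configurator; the generated passwords are only stored in that file, so keep it on the IdP host.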
Then, create the configuration directory (e.g. /etc/opensso) and make it writable for Tomcat:
mkdir -p /etc/opensso
chown -R tomcat55:root /etc/opensso/
chmod 775 /etc/opensso
Before running the configurator tool, (re)start Apache2 and Tomcat:
/etc/init.d/apache2 restart
/etc/init.d/tomcat5.5 restart
Tomcat will deploy opensso automatically. This will take a minute or so.
Finally, start the configurator tool:
cd /opt/opensso/tools/configurator
java -jar /opt/opensso/tools/configurator/configurator.jar -f /root/opensso.config
If the configuration was successful, the output should look like this:
...Success.
Creating OpenSSO suffix...Success.
Tag swapping schema files....Success.
Loading Schema am_sm_ds_schema.ldif...Success.
Loading Schema am_remote_opends_schema.ldif...Success.
Loading Schema fam_sds_schema.ldif...Success.
Reinitializing system properties....Done
Registering service amEntrySpecific.xml...Success.
Registering service amAuthConfig.xml...Success.
Registering service amAuthHTTPBasic.xml...Success.
Registering service amAdminConsole.xml...Success.
Registering service idRepoService.xml...Success.
Registering service amAuth.xml...Success.
Registering service amAuthAD.xml...Success.
Registering service amAuthAnonymous.xml...Success.
Registering service amAuthCert.xml...Success.
Registering service amAuthDataStore.xml...Success.
Registering service amAuthJDBC.xml...Success.
Registering service amAuthLDAP.xml...Success.
Registering service amAuthMSISDN.xml...Success.
Registering service amAuthMembership.xml...Success.
Registering service amAuthNT.xml...Success.
Registering service amAuthWindowsDesktopSSO.xml...Success.
Registering service amClientData.xml...Success.
Registering service amClientDetection.xml...Success.
Registering service amDelegation.xml...Success.
Registering service amFilteredRole.xml...Success.
Registering service amG11NSettings.xml...Success.
Registering service amLogging.xml...Success.
Registering service amNaming.xml...Success.
Registering service amPlatform.xml...Success.
Registering service amPolicy.xml...Success.
Registering service amPolicyConfig.xml...Success.
Registering service amRealmService.xml...Success.
Registering service amSession.xml...Success.
Registering service amWebAgent.xml...Success.
Registering service amUser.xml...Success.
Registering service identityLocaleService.xml...Success.
Registering service amAgent70.xml...Success.
Registering service amPasswordReset.xml...Success.
Registering service amAuthRadius.xml...Success.
Registering service amAuthSafeWord.xml...Success.
Registering service amAuthSecurID.xml...Success.
Registering service amAuthUnix.xml...Success.
Registering service AgentService.xml...Success.
Registering service fmAuthFederation.xml...Success.
Registering service fmAuthSAE.xml...Success.
Registering service fmAuthnSvc.xml...Success.
Registering service fmDisco.xml...Success.
Registering service fmIDFF.xml...Success.
Registering service fmLibertyPersonalProfile.xml...Success.
Registering service fmCOTConfig.xml...Success.
Registering service fmSAML2.xml...Success.
Registering service fmSAML.xml...Success.
Registering service fmSOAPBinding.xml...Success.
Registering service fmSAML2SOAPBinding.xml...Success.
Registering service fmWSFederation.xml...Success.
Registering service fmMultiProtocol.xml...Success.
Registering service famSTS.xml...Success.
Registering service famFederationCommon.xml...Success.
Registering service famIDFFConfig.xml...Success.
Registering service famLibertyInteraction.xml...Success.
Registering service famLibertySecurity.xml...Success.
Registering service famSAML2Config.xml...Success.
Configuring system....Done
Configuring server instance....Done
Creating demo user....Done
Configuration complete!
You should now be able to log in at https://idpdemo2.e-taxonomy.eu/opensso/ as user amAdmin with the password configured in the ADMIN_PWD option of your OpenSSO configuration file (e.g. /root/opensso.config).