OpenSSOInstallDebianEtch » History » Version 7

Lutz Suhrbier, 02/06/2009 03:57 PM

{{>toc}}

# [[OpenSSO]] Installation (with Debian Etch)

This document briefly describes the installation procedure of [[OpenSSO|OpenSSO]] on a Debian Etch system.

It records the [[OpenSSO]] installation on idp.e-taxonomy.eu; please adapt this hostname to your environment.

## Prerequisites

### Installing Java

Follow [[ShibbolethIdPInstallDebianEtch#SUNJDK5Installation|Sun JDK Debian installation]].

### Installing Tomcat

First, follow [[ShibbolethIdPInstallDebianEtch#ApacheTomcat55Installation|Tomcat Debian installation]].

#### Increase Java heap memory

Next, [[OpenSSO]] requires more heap space than configured by default. Increase the Java heap memory to at least 512MB by changing the following line in _/etc/default/tomcat5.5_:

~~~
CATALINA_OPTS="-Djava.awt.headless=true -Xmx512M -server"
~~~

#### Set ACLs

Change the owner/group of _/usr/share/tomcat5.5_ to tomcat55/root to prevent the [[OpenSSO]] installation from failing (the graphical setup writes its configuration below this directory):

~~~
chown -R tomcat55:root /usr/share/tomcat5.5
~~~

### Installing Apache

Follow [[ShibbolethIdPInstallDebianEtch#ApacheWebServer22Installation|Apache2.2 Debian installation]], *but omit the installation of _mod_jk_*!

#### mod_proxy installation

We will use mod_proxy instead of mod_jk to integrate Tomcat into Apache. To do so, enable the following Apache2 modules:

~~~
a2enmod ssl
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_ajp
~~~

#### Configure Apache site for opensso

Create an individual Apache2 site for opensso (e.g. _/etc/apache2/sites-available/opensso_) or adapt the default site as follows:

~~~
Listen 443
<VirtualHost idp.e-taxonomy.eu:443>
    ServerAdmin             webmaster@localhost

    ServerName              idp.e-taxonomy.eu
    SSLEngine               on
    SSLCertificateFile      /etc/ssl/certs/idp.e-taxonomy.eu-cert.pem
    SSLCertificateKeyFile   /etc/ssl/private/idp.e-taxonomy.eu-key.pem

    <Location /opensso>
        Allow from all
        # Forward /opensso to the Tomcat AJP connector on the local host
        ProxyPass         ajp://localhost:8009/opensso/
        ProxyPassReverse  ajp://localhost:8009/opensso/
        # Cookie rewriting takes a path/domain pair, not URLs; it only has an
        # effect if the backend issues cookies with a different path or domain
        ProxyPassReverseCookiePath    /opensso  /opensso
        ProxyPassReverseCookieDomain  localhost idp.e-taxonomy.eu
    </Location>
</VirtualHost>
~~~

Of course, you will have to replace _SSLCertificateFile_ and _SSLCertificateKeyFile_ with your own certificate and key. The ProxyPass entries configure the Apache2 proxy module, so that Tomcat is reached only through the TLS-terminating Apache2 web server; this only protects Tomcat if its AJP connector on port 8009 is not reachable from other hosts (bind it to 127.0.0.1 or firewall it).

Finally, enable the opensso site (if not configured as the default) and reload the Apache2 configuration:

~~~
a2ensite opensso
/etc/init.d/apache2 reload
~~~

## Install [[OpenSSO]]

### Downloading, unpacking and deploying the [[OpenSSO]] distribution

You will find the [[OpenSSO]] distribution on http://download.java.net/general/opensso/. Currently, it is recommended to use the nightly builds, because they fix several errors.

So, download and unzip the distribution of your choice. Since I preferred to install [[OpenSSO]] to _/opt/opensso_, the following commands will do the job:

~~~
wget http://download.java.net/general/opensso/nightly/latest/opensso/opensso_nightly_20090204.zip
unzip opensso_nightly_20090204.zip -d /opt
~~~

The [[OpenSSO]] distribution includes several tools (configurator, admin and session), which should also be extracted into _/opt/opensso/tools_:

~~~
unzip /opt/opensso/tools/ssoConfiguratorTools.zip -d /opt/opensso/tools/configurator
unzip /opt/opensso/tools/ssoAdminTools.zip -d /opt/opensso/tools/admin
unzip /opt/opensso/tools/ssoSessionTools.zip -d /opt/opensso/tools/session
~~~

Next, deploy the file _/opt/opensso/deployable-war/opensso.war_ to the Tomcat webapps directory and ensure that the file is accessible by Tomcat:

~~~
cp /opt/opensso/deployable-war/opensso.war /var/lib/tomcat5.5/webapps
chown tomcat55:root /var/lib/tomcat5.5/webapps/opensso.war
~~~

Finally, starting Tomcat should deploy the _opensso.war_ file automatically:

~~~
/etc/init.d/tomcat5.5 start
~~~

Now, [[OpenSSO]] should be accessible below the /opensso URL path (e.g. https://idp.e-taxonomy.eu/opensso/).

### Basic [[OpenSSO]] setup

#### localhost alias

Before starting with the basic [[OpenSSO]] configuration, make sure to create a localhost alias for your host name that is identical to the DNS name of the host. I ran into a lot of trouble, because the subsequent configuration process always failed before I did this. Therefore, edit _/etc/hosts_ according to your needs, i.e. add an alias for your host name (here idp.e-taxonomy.eu):

~~~
127.0.0.1       localhost idp.e-taxonomy.eu idp
xxx.xxx.xxx.xxx idp.e-taxonomy.eu idp
~~~

#### Manage the Java truststore

Since we want [[OpenSSO]] to operate in secure SSL mode, Java must be equipped with the trusted root CA certificates (e.g. the RootCA and ServerCA certificates of our [[WP57CertificationAuthority|WP5.7 Certification Authority]]). Import them into the JDK's default truststore; _changeit_ is its well-known default password:

~~~
keytool -import -v -alias EDIT-RootCA -keystore /etc/java-1.5.0-sun/security/cacerts -storepass changeit -file /etc/ssl/certs/EDIT-WP5.7-cacert.pem
keytool -import -v -alias EDIT-ServerCA -keystore /etc/java-1.5.0-sun/security/cacerts -storepass changeit -file /etc/ssl/certs/EDIT-WP5.7-ServerCA-cacert.pem
~~~

Alternatively, [IBM KeyMan](http://www.alphaworks.ibm.com/tech/keyman) is a comfortable Java keystore management tool.

Next, you have to choose your preferred setup method. You can use the graphical setup provided at _https://idp.e-taxonomy.eu/opensso/_ or the configurator tool.

#### Graphical setup

Using the graphical setup, you can select between quick and advanced setup; it guides you through the process. This way, you will probably find the [[OpenSSO]] configuration files in _/usr/share/tomcat5.5/opensso_.

#### Console setup using the configurator tool

For repeated or scripted setups, the configurator tool is more comfortable, since you don't have to repeat your input again and again. If you have already unpacked the configurator tool (refer to [[#InstallOpenSSO|OpenSSO installation]]), copy the sample configuration file somewhere (e.g. _/root/opensso.config_) and customize it:

~~~
cp /opt/opensso/tools/configurator/sampleconfiguration /root/opensso.config
~~~

The following example deploys opensso to the URL https://idpdemo2.e-taxonomy.eu/opensso/ (replace the hostname with your own) and stores the configuration files in _/etc/opensso_. It configures the embedded OpenDS Directory Server on port 50389 as DataStore and UserStore. Please, *change the passwords*!

The original sampleconfiguration file also documents the configuration options.

~~~
SERVER_URL=https://idpdemo2.e-taxonomy.eu
DEPLOYMENT_URI=/opensso
BASE_DIR=/etc/opensso
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=
ADMIN_PWD=11111111
AMLDAPUSERPASSWD=00000000
COOKIE_DOMAIN=.e-taxonomy.eu

DATA_STORE=embedded
DIRECTORY_SSL=SIMPLE
DIRECTORY_SERVER=idpdemo2.e-taxonomy.eu
DIRECTORY_PORT=50389
ROOT_SUFFIX=dc=opensso,dc=java,dc=net
DS_DIRMGRDN=cn=Directory Manager
DS_DIRMGRPASSWD=11111111

USERSTORE_TYPE=
USERSTORE_SSL=SIMPLE
USERSTORE_HOST=idpdemo2.e-taxonomy.eu
USERSTORE_PORT=50389
USERSTORE_SUFFIX=dc=opensso,dc=java,dc=net
USERSTORE_MGRDN=Directory Manager
USERSTORE_PASSWD=11111111
~~~

Then, create the configuration directory (e.g. _/etc/opensso_) and make it writable for Tomcat:

~~~
mkdir -p /etc/opensso
chown -R tomcat55:root /etc/opensso/
chmod 775 /etc/opensso
~~~

Before running the configurator tool, (re)start Apache2 and Tomcat:

~~~
/etc/init.d/apache2 restart
/etc/init.d/tomcat5.5 restart
~~~

Tomcat will deploy opensso automatically; this takes a minute or so.

Finally, start the configurator tool:

~~~
cd /opt/opensso/tools/configurator
java -jar /opt/opensso/tools/configurator/configurator.jar -f /root/opensso.config
~~~

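Before that last command consumes a customized file, it pays to check it for the mistakes this page warns about: sample passwords left in place, an amAdmin password shorter than 8 characters or identical to the agent password (the configurator rejects both), a non-https SERVER_URL behind the TLS-terminating Apache site, and a world-readable file full of cleartext passwords. The following POSIX shell script is an added example, not part of the original wiki page or of the OpenSSO tools; it assumes the key names of the sample configuration above and treats 11111111 and 00000000 as the sample passwords.

```shell
#!/bin/sh
# Added example (not from the original wiki page): pre-flight checks for a
# configurator file such as /root/opensso.config. Key names are those of the
# sample configuration above; 11111111 and 00000000 are its sample passwords.

# cfg_get FILE KEY: print the value of KEY (first match, empty if absent).
cfg_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_opensso_config FILE: print one line per problem found, nothing else.
# The caller counts the lines (see count_config_problems); exit status is 0.
check_opensso_config() {
    for key in ADMIN_PWD AMLDAPUSERPASSWD DS_DIRMGRPASSWD USERSTORE_PASSWD; do
        case $(cfg_get "$1" "$key") in
            ''|11111111|00000000) echo "$key: empty or still the sample value" ;;
            ????????*) ;;          # eight or more characters: acceptable
            *) echo "$key: shorter than 8 characters (OpenSSO rejects it)" ;;
        esac
    done
    # amAdmin and the default agent user must not share a password.
    [ "$(cfg_get "$1" ADMIN_PWD)" != "$(cfg_get "$1" AMLDAPUSERPASSWD)" ] ||
        echo "AMLDAPUSERPASSWD: identical to ADMIN_PWD"
    # The Apache site above terminates TLS, so the public URL must be https.
    case $(cfg_get "$1" SERVER_URL) in
        https://*) ;;
        *) echo "SERVER_URL: not an https:// URL" ;;
    esac
    # The file holds cleartext passwords: only its owner should read it.
    case $(ls -ld "$1" | cut -c5-10) in
        ------) ;;
        *) echo "$1: readable by group or others (chmod 600 it)" ;;
    esac
}

# count_config_problems FILE: number of problem lines reported for FILE.
count_config_problems() {
    check_opensso_config "$1" | wc -l | tr -d ' '
}

# write_sample_config FILE: constructed sample using the wiki page's values.
write_sample_config() {
    printf '%s\n' 'SERVER_URL=https://idpdemo2.e-taxonomy.eu' \
        'DEPLOYMENT_URI=/opensso' 'ADMIN_PWD=11111111' \
        'AMLDAPUSERPASSWD=00000000' 'DS_DIRMGRPASSWD=11111111' \
        'USERSTORE_PASSWD=11111111' > "$1"
}

tmp=$(mktemp)                  # mktemp creates the file with mode 0600
write_sample_config "$tmp"
check_opensso_config "$tmp"    # reports the four sample passwords
rm -f "$tmp"
```

Run it as `check_opensso_config /root/opensso.config` after sourcing the script; an empty report means the file is ready for the configurator.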
If the configuration was successful, the output should look like this:

~~~
...Success.
Creating OpenSSO suffix...Success.
Tag swapping schema files....Success.
Loading Schema am_sm_ds_schema.ldif...Success.
Loading Schema am_remote_opends_schema.ldif...Success.
Loading Schema fam_sds_schema.ldif...Success.
Reinitializing system properties....Done
Registering service amEntrySpecific.xml...Success.
Registering service amAuthConfig.xml...Success.
Registering service amAuthHTTPBasic.xml...Success.
Registering service amAdminConsole.xml...Success.
Registering service idRepoService.xml...Success.
Registering service amAuth.xml...Success.
Registering service amAuthAD.xml...Success.
Registering service amAuthAnonymous.xml...Success.
Registering service amAuthCert.xml...Success.
Registering service amAuthDataStore.xml...Success.
Registering service amAuthJDBC.xml...Success.
Registering service amAuthLDAP.xml...Success.
Registering service amAuthMSISDN.xml...Success.
Registering service amAuthMembership.xml...Success.
Registering service amAuthNT.xml...Success.
Registering service amAuthWindowsDesktopSSO.xml...Success.
Registering service amClientData.xml...Success.
Registering service amClientDetection.xml...Success.
Registering service amDelegation.xml...Success.
Registering service amFilteredRole.xml...Success.
Registering service amG11NSettings.xml...Success.
Registering service amLogging.xml...Success.
Registering service amNaming.xml...Success.
Registering service amPlatform.xml...Success.
Registering service amPolicy.xml...Success.
Registering service amPolicyConfig.xml...Success.
Registering service amRealmService.xml...Success.
Registering service amSession.xml...Success.
Registering service amWebAgent.xml...Success.
Registering service amUser.xml...Success.
Registering service identityLocaleService.xml...Success.
Registering service amAgent70.xml...Success.
Registering service amPasswordReset.xml...Success.
Registering service amAuthRadius.xml...Success.
Registering service amAuthSafeWord.xml...Success.
Registering service amAuthSecurID.xml...Success.
Registering service amAuthUnix.xml...Success.
Registering service AgentService.xml...Success.
Registering service fmAuthFederation.xml...Success.
Registering service fmAuthSAE.xml...Success.
Registering service fmAuthnSvc.xml...Success.
Registering service fmDisco.xml...Success.
Registering service fmIDFF.xml...Success.
Registering service fmLibertyPersonalProfile.xml...Success.
Registering service fmCOTConfig.xml...Success.
Registering service fmSAML2.xml...Success.
Registering service fmSAML.xml...Success.
Registering service fmSOAPBinding.xml...Success.
Registering service fmSAML2SOAPBinding.xml...Success.
Registering service fmWSFederation.xml...Success.
Registering service fmMultiProtocol.xml...Success.
Registering service famSTS.xml...Success.
Registering service famFederationCommon.xml...Success.
Registering service famIDFFConfig.xml...Success.
Registering service famLibertyInteraction.xml...Success.
Registering service famLibertySecurity.xml...Success.
Registering service famSAML2Config.xml...Success.
Configuring system....Done
Configuring server instance....Done
Creating demo user....Done
Configuration complete!
~~~

You should be able to log in at https://idpdemo2.e-taxonomy.eu/opensso/ as user _amAdmin_ with the password configured in option _ADMIN_PWD_ of your opensso configuration file (e.g. _/root/opensso.config_).