Академический Документы
Профессиональный Документы
Культура Документы
WSPL-AM-3508-D
This product or document is protected by copyright and distributed under licenses restricting its use, copying, distribution, and
decompilation. No part of this product or document may be reproduced in any form by any means without prior written authorization of
Sun and its licensors, if any.
Third-party software, including font technology, is copyrighted and licensed from Sun suppliers.
Sun, Sun Microsystems, the Sun logo, Sun Java, Java, JavaScript, JavaServer Pages, JDK, JSP, JVM, J2SE, J2EE, GlassFish, and Solaris are
trademarks or registered trademarks of Sun Microsystems, Inc. in the U.S. and other countries.
Mozilla is a trademark or registered trademark of Netscape Communications Corporation in the United States and other countries.
UNIX is a registered trademark in the U.S. and other countries, exclusively licensed through X/Open Company, Ltd.
Federal Acquisitions: Commercial Software – Government Users Subject to Standard License Terms and Conditions
Export Laws. Products, Services, and technical data delivered by Sun may be subject to U.S. export controls or the trade laws of other
countries. You will comply with all such laws and obtain all licenses to export, re-export, or import as may be required after delivery to
You. You will not export or re-export to entities on the most current U.S. export exclusions lists or to any country subject to U.S. embargo
or terrorist controls as specified in the U.S. export laws. You will not use or provide Products, Services, or technical data for nuclear, missile,
or chemical biological weaponry end uses.
DOCUMENTATION IS PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS, AND
WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
OR NON-INFRINGEMENT, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE HELD TO BE
LEGALLY INVALID.
THIS MANUAL IS DESIGNED TO SUPPORT AN INSTRUCTOR-LED TRAINING (ILT) COURSE AND IS INTENDED TO BE
USED FOR REFERENCE PURPOSES IN CONJUNCTION WITH THE ILT COURSE. THE MANUAL IS NOT A STANDALONE
TRAINING TOOL. USE OF THE MANUAL FOR SELF-STUDY WITHOUT CLASS ATTENDANCE IS NOT RECOMMENDED.
Please
Recycle
Copyright 2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, California 95054, Etats-Unis. Tous droits réservés.
Ce produit ou document est protégé par un copyright et distribué avec des licences qui en restreignent l’utilisation, la copie, la distribution,
et la décompilation. Aucune partie de ce produit ou document ne peut être reproduite sous aucune forme, par quelque moyen que ce soit,
sans l’autorisation préalable et écrite de Sun et de ses bailleurs de licence, s’il y en a.
Le logiciel détenu par des tiers, et qui comprend la technologie relative aux polices de caractères, est protégé par un copyright et licencié
par des fournisseurs de Sun.
Sun, Sun Microsystems, le logo Sun, Sun Java, Java, JavaScript,, JavaServer Pages, JDK, JSP, JVM, J2SE, J2EE, GlassFish, et Solaris sont des
marques de fabrique ou des marques déposées de Sun Microsystems, Inc. aux Etats-Unis et dans d’autres pays.
Mozilla est une marque de Netscape Communications Corporation aux Etats-Unis et à d'autres pays.
UNIX est une marques déposée aux Etats-Unis et dans d’autres pays et licenciée exclusivement par X/Open Company, Ltd.
Législation en matière dexportations. Les Produits, Services et données techniques livrés par Sun peuvent être soumis aux contrôles
américains sur les exportations, ou à la législation commerciale dautres pays. Nous nous conformerons à lensemble de ces textes et nous
obtiendrons toutes licences dexportation, de ré-exportation ou dimportation susceptibles dêtre requises après livraison à Vous. Vous
nexporterez, ni ne ré-exporterez en aucun cas à des entités figurant sur les listes américaines dinterdiction dexportation les plus courantes,
ni vers un quelconque pays soumis à embargo par les Etats-Unis, ou à des contrôles anti-terroristes, comme prévu par la législation
américaine en matière dexportations. Vous nutiliserez, ni ne fournirez les Produits, Services ou données techniques pour aucune utilisation
finale liée aux armes nucléaires, chimiques ou biologiques ou aux missiles.
LA DOCUMENTATION EST FOURNIE “EN L’ETAT” ET TOUTES AUTRES CONDITIONS, DECLARATIONS ET GARANTIES
EXPRESSES OU TACITES SONT FORMELLEMENT EXCLUES, DANS LA MESURE AUTORISEE PAR LA LOI APPLICABLE, Y
COMPRIS NOTAMMENT TOUTE GARANTIE IMPLICITE RELATIVE A LA QUALITE MARCHANDE, A L’APTITUDE A UNE
UTILISATION PARTICULIERE OU A L’ABSENCE DE CONTREFAÇON.
CE MANUEL DE RÉFÉRENCE DOIT ÊTRE UTILISÉ DANS LE CADRE D’UN COURS DE FORMATION DIRIGÉ PAR UN
INSTRUCTEUR (ILT). IL NE S’AGIT PAS D’UN OUTIL DE FORMATION INDÉPENDANT. NOUS VOUS DÉCONSEILLONS DE
L’UTILISER DANS LE CADRE D’UNE AUTO-FORMATION.
Please
Recycle
Table of Contents
About This Workbook .................................................. Lab Preface-ix
Lab Goals........................................................................ Lab Preface-ix
Conventions ......................................................................Lab Preface-x
Icons ..........................................................................Lab Preface-x
Typographical Conventions ....................................... Preface-xi
Additional Conventions...................................... Lab Preface-xii
Preparing an Environment for a Complex OpenSSO Deployment ...
Lab 1-1
Objectives .................................................................................... Lab 1-1
Exercise 1: Logging in to, Starting Zones on, and Navigating
Around the Learning Virtual Machine .................................Lab 1-2
Preparation..........................................................................Lab 1-2
Task – Navigating Around The Learning VM...............Lab 1-5
Exercise 2: Installing and Configuring Apache Tomcat for Use as an
OpenSSO Web Container........................................................Lab 1-9
Preparation........................................................................Lab 1-10
Task 1 – Installing Tomcat Software .............................Lab 1-10
Task 2 – Configuring Tomcat Port Numbers ...............Lab 1-11
Task 3 – Modifying Tomcat Start Pages .......................Lab 1-12
Task 4 – Starting and Stopping Tomcat Instances.......Lab 1-13
Exercise 3: Securing the Tomcat Instances ............................Lab 1-16
Preparation........................................................................Lab 1-16
Task 1 – Creating a Certificate Database and a Local CA
Certificate .......................................................................Lab 1-17
Task 2 – Creating Java Key Stores for Each Tomcat Instance...
Lab 1-19
Task 3 – Creating Server Certificates for Each Instance .....Lab
1-21
Task 4 – Signing and Storing the Server Certificates ..Lab 1-24
Task 5 – Configuring Tomcat for SSL Access ..............Lab 1-26
Task 6 – Preparing the JVM Key Store for OpenSSO
Configuration ................................................................Lab 1-28
Task 7 – Testing SSL Access ...........................................Lab 1-29
v
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 4: Installing, Securing and Configuring a Software-Based
Load Balancer .........................................................................Lab 1-31
Preparation........................................................................Lab 1-31
Task 1 – Installing Web Server 7.0 .................................Lab 1-32
Task 2 – Installing the Local CA Certificate in the Web Server
Instance...........................................................................Lab 1-33
Task 3 – Obtaining and Installing a Server Certificate for the
Web Server Instance .....................................................Lab 1-35
Task 4 – Configuring and Securing a New Listener Port...Lab
1-37
Task 5 – Configuring and Testing the Load Balancer.Lab 1-39
Exercise Summary.....................................................................Lab 1-42
Deploying a Multi-Instance OpenSSO Site .............................Lab 2-1
Objectives .................................................................................... Lab 2-1
Exercise 1: Deploying a Multi-Instance OpenSSO Site..........Lab 2-2
Preparation..........................................................................Lab 2-3
Task 1 – Modifying the Web Container Configuration as
Specified in the Release Notes .........................................Lab 2-7
Task 2 – Deploying the OpenSSO Web Archive File on the
Two Tomcat Instances..................................................Lab 2-10
Task 3 – Configuring OpenSSO on the First Tomcat Instance .
Lab 2-11
Task 4 – Configuring OpenSSO on the Second Tomcat
Instance...........................................................................Lab 2-15
Task 5 – Testing the Load-Balanced, Multi-Instance OpenSSO
Deployment ...................................................................Lab 2-18
Exercise 2: Setting Up the OpenSSO Command-Line Tools.......Lab
2-20
Preparation........................................................................Lab 2-20
Task – Installing and Testing the famadm
Command-Line Interface .............................................Lab 2-20
Exercise Summary.....................................................................Lab 2-23
Configuring Session Failover ..................................................Lab 3-1
Objectives .................................................................................... Lab 3-1
Exercise 1: Configuring Session Failover for an OpenSSO Site..Lab
3-2
Preparation..........................................................................Lab 3-3
Task 1 – Installing the Session Failover Tools................Lab 3-7
Task 2 – Encrypting the Message Queue Password .....Lab 3-9
Task 3 – Configuring Settings in the amsfo.conf File.......Lab
3-10
Task 4 – Adding a Secondary Configuration Instance to the
Session Service...............................................................Lab 3-11
Exercise 2: Verifying that OpenSSO Sessions Fail Over......Lab 3-13
Preparation........................................................................Lab 3-13
vi OpenSSO Deployment
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Task 1 – Starting the Message Queue Broker and Restarting
Servers ............................................................................Lab 3-13
Task 2 – Testing Session Failover ..................................Lab 3-15
Task 3 – Disabling Session Failover...............................Lab 3-18
Exercise Summary.....................................................................Lab 3-20
Installing a Web Policy Agent to Manage Access to a Web Site Lab
4-1
Objectives .................................................................................... Lab 4-1
Exercise 1: Deploying a Web Server Instance That Hosts a Web Site
Lab 4-2
Preparation..........................................................................Lab 4-3
Task 1 – Copying the Local CA Certificate Into the zone2
Zone ..................................................................................Lab 4-7
Task 2 – Installing Web Server Software ........................Lab 4-8
Task 3 – Installing the Local CA Certificate Into the Web
Server Instance ..............................................................Lab 4-10
Exercise 2: Preparing the Environment for the Web Policy Agent
Installation...............................................................................Lab 4-12
Preparation........................................................................Lab 4-12
Task 1 – Preparing the JVM Key Store for Policy Agent
Installation......................................................................Lab 4-13
Task 2 – Creating an Agent Administrator ..................Lab 4-14
Task 3 – Logging in as the Agent Administrator and Creating
an Agent Profile.............................................................Lab 4-17
Task 4 – Copying the Policy Agent Software and Create a
Password File for the Agent Profile ...........................Lab 4-19
Exercise 3: Installing and Testing the Web Policy Agent....Lab 4-20
Preparation........................................................................Lab 4-20
Task 1 – Installing the Web Policy Agent Software ....Lab 4-20
Task 2 – Restarting Servers.............................................Lab 4-22
Task 3 – Testing the Web Policy Agent.........................Lab 4-22
Exercise Summary.....................................................................Lab 4-24
Installing a J2EE Policy Agent to Manage Access to J2EE
Applications .............................................................................. Lab 5-1
Objectives .................................................................................... Lab 5-1
Exercise 1: Deploying a GlassFish Application Server Instance Lab
5-2
Preparation..........................................................................Lab 5-3
Task 1 – Installing GlassFish Application Server SoftwareLab
5-7
Task 2 – Installing the Local CA Certificate Into the Domain
Administration Server Key Store..................................Lab 5-9
Exercise 2: Preparing the Environment for the J2EE Policy Agent
Installation...............................................................................Lab 5-11
Preparation........................................................................Lab 5-11
vii
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Task 1 – Logging in as the Agent Administrator and Creating
an Agent Profile.............................................................Lab 5-12
Task 2 – Copying the Policy Agent Software and Creating a
Password File for the Agent Profile ...........................Lab 5-13
Exercise 3: Installing and Testing the J2EE Policy Agent....Lab 5-14
Preparation........................................................................Lab 5-14
Task 1 – Installing the J2EE Policy Agent Software ....Lab 5-14
Task 2 – Deploying the Agent Application ..................Lab 5-16
Task 3 – Deploying the Sample Application................Lab 5-16
Task 4 – Testing the J2EE Policy Agent ........................Lab 5-17
Exercise Summary.....................................................................Lab 5-18
Lab Goals
Upon completion of this workbook, you should be able to:
● Log in to, start zones on, and navigate around the learning virtual
machine
● Install and configure Apache Tomcat (Tomcat) for use as an
OpenSSO web container
● Secure Tomcat instances
● Install, secure, and configure a software-based load balancer
● Deploy a multi-instance OpenSSO site
● Set up the OpenSSO command-line tools
● Configure session failover for an OpenSSO site
● Verify that OpenSSO sessions fail over
● Deploy a Web Server instance that hosts a web site
● Prepare the environment for the Web Policy Agent installation
● Install and test the Web Policy Agent
● Deploy a GlassFish™ application server instance
● Prepare the environment for the Java™ 2 Platform, Enterprise
Edition (J2EE™) Policy Agent installation
● Install and test the J2EE Policy Agent
Preface-ix
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Conventions
Conventions
The following conventions are used in this course to represent various
training elements and alternative learning resources.
Icons
Note – Indicates additional information that can help students but is not
crucial to their understanding of the concept being described. Students
should be able to understand the concept or complete the task without
this information. Examples of notational information include keyword
shortcuts and minor system adjustments.
Typographical Conventions
Courier is used for the names of commands, files, directories,
programming code, and on-screen computer output; for example:
Use ls -al to list all files.
system% You have mail.
Courier bold is used for characters and numbers that you type; for
example:
To list the files in this directory, type:
# ls
Courier bold is also used for each line of programming code that is
referenced in a textual description; for example:
1 import java.io.*;
2 import javax.servlet.*;
3 import javax.servlet.http.*;
Notice the javax.servlet interface is imported to allow access to its
life cycle methods (Line 2).
Palatino italics is used for book titles, new words or terms, or words that
you want to emphasize; for example:
Read Chapter 6 in the User’s Guide.
These are called class options.
Additional Conventions
Java programming language examples use the following additional
conventions:
● Courier is used for the class names, methods, and keywords.
● Method names are not followed with parentheses unless a formal or
actual parameter list is shown; for example:
“The doIt method...” refers to any method called doIt.
“The doIt() method...” refers to a method called doIt that takes
no arguments.
● Line breaks occur only where there are separations (commas),
conjunctions (operators), or white space in the code. Broken code is
indented four spaces under the starting code.
Objectives
Upon completion of this lab, you should be able to:
● Log in to, start zones on, and navigate around the learning virtual
machine
● Install and configure Apache Tomcat (Tomcat) for use as an
OpenSSO web container
● Secure Tomcat instances
● Install, secure, and configure a software-based load balancer
Lab 1-1
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 1: Logging in to, Starting Zones on, and Navigating Around the Learning
Preparation
The following section contains information you need and describes
actions you take prior to proceeding to the first task in this exercise.
Prerequisite Labs
Your lab system can be in one of two states defined in Table 1-1 on
page L1-2. Determine which of these two states describes your lab system.
Then, depending on the state of your lab system, follow the instructions
in the table.
Lab System
Description Instructions
State
First Time • You installed the learning Perform the steps in the
Doing Labs virtual machine on your section, ‘‘Task 2 –
system Starting the Learning
Virtual Machine’’ on
• You have not done any page L1-3.
labs on the learning
virtual machine
For your convenience, most of the passwords used in this class have the
same value: cangetin. Setting system passwords to the same value is not
a security best practice.
4. Prepare the whole root zone zone1 for doing lab exercises:
global # lab -p
5. Perform the steps in ‘‘Task 4 – Starting the zone1 Zone’’ on
page L1-4.
Your lab system is now ready for the lab. Proceed to ‘‘Task – Navigating
Around The Learning VM’’ on page L1-5.
Note – The learning VM is configured so that you can start a web browser
from any zone, and so that networking works in any zone. If you attempt
to start a web browser, but no browser window appears, you have most
likely not run the lab -p command in the global zone before running the
zlogin command to log in to a whole root zone.
Note – Under some conditions, JavaScript™ code stalls the OpenSSO site
when running in Firefox in the learning VM. If the OpenSSO site does not
render when you navigate to the site, then temporarily disable JavaScript
in your browser to view the site.
If you disable JavaScript to view the OpenSSO site, be sure to re-enable it.
Subsequent labs require JavaScript to be enabled in your browser.
● Subdirectory – /opt/ses/shared/software/agent-
v3.20080627-webserver-v7
Software – Sun OpenSSO Policy Agent 3.0 for Sun Java
System Web Server 7.0 (Policy Agent for Web Server)
URL – https://opensso.dev.java.net
● Subdirectory – /opt/ses/shared/software/apache-
tomcat-6.0.14
Software – Tomcat 6.0.14
URL – http://tomcat.apache.org
● Subdirectory – /opt/ses/shared/software/glassfish-
v2ur2
Software – GlassFish application server (GlassFish)
URL – https://glassfish.dev.java.net
● Subdirectory – /opt/ses/shared/software/opensso-
v1b4.5
Software – OpenSSO build 4.5
URL – https://opensso.dev.java.net
● Subdirectory – /opt/ses/shared/software/webserver-
v7u2
Software – Sun Java™ System Web Server 7.0 Update 2
(Web Server)
URL – http://developers.sun.com/webtier/
community/index.jsp
6. In a terminal window, change to the /opt/ses/lab/scripts
directory and list the content in that directory:
cd /opt/ses/lab/scripts
ls
The /opt/ses/lab/scripts directory contains bash shell scripts
that provide shortcuts for typing long commands.
7. Log out of the zone1 zone:
exit
8. Verify that the same software binaries that are accessible from the
zone1 zone are also accessible from the zone2 zone.
zoneadm -z zone2 boot
zlogin zone2
ls /opt/ses/shared/software
9. Change to the /opt/ses/lab directory and list the content in that
directory:
cd /opt/ses/lab
ls
In the zone2 zone, the /opt/ses/lab directory contains both bash
shell scripts and a small web site that you use to demonstrate
OpenSSO web access management.
10. Verify that the set of bash shell scripts available in the zone2 zone
differ from the scripts available in the zone1 zone:
cd scripts
ls
11. Return to the zone1 zone:
exit
zlogin zone1
Note – You perform the remaining tasks in this lab in the zone1 zone.
After you have completed this exercise, you take the following actions in
subsequent exercises and labs to build a complex OpenSSO deployment:
● You configure a software-based load balancer to distribute the
requests between the Tomcat instances
● You install the OpenSSO web application into each of the Tomcat
instances
● You configure session failover for the OpenSSO instances
● You install a web site on a Web Server instance, then install Policy
Agent for Web Server to provide web access management for the
web site
● You install a sample application on a GlassFish instance, then install
Policy Agent for Application Server to provide web access
management for the sample application
Preparation
No special preparation is required for this exercise.
Because you work with two Tomcat instances, you cannot use the default
Tomcat port numbers. You need to use different port numbers for each
instance so that you can differentiate between the two simultaneously-
running instances.
In this task, you configure the two Tomcat instances to use different port
numbers.
Modifying the default Tomcat start page lets you easily determine which
of the two Tomcat instances are being accessed.
Note – These labs use the “\” character at the ends of lines in example
commands to indicate line continuation. When you see a command that
appears in multiple lines, each ending with the “\” character, enter the
command on a single line, without pressing Enter. Do not type the “\”
character when entering the command.
After creating this local CA, you create server certificates for each of the
Tomcat instances, and have the local CA sign the server certificates. Then
you store the certificates in Java key stores, which Tomcat uses for its
certificate database. Finally, you reconfigure Tomcat so that the two
instances are secured, and verify that you can access the Tomcat instances
using the secure HTTP (HTTPS) ports, rather than the HTTP ports with
which you accessed Tomcat in the last exercise.
Preparation
No special preparation is required for this exercise.
5. For many of the steps in this lab, including this step, there are two
ways you can perform the step:
● Use scripts provided for you, to save you from having to type
long commands
● Execute the certutil and keytool commands from the
command line, and gain greater insight into how you enable
SSL
Either execute the script or run the commands, but do not do both.
Create a certificate database, then create a local CA certificate that
you use to sign certificates later in this lab.
● Commands:
Create the certificate database:
/usr/sfw/bin/certutil -N -d /opt/certs \
-f /opt/certs/password
Create the local CA certificate:
/usr/sfw/bin/certutil -S -n LocalCA -x \
-t "CTu,Cu,Cu" -s "CN=LocalCA,o=example.com" \
-m 1000 -d /opt/certs -z /etc/passwd \
-f /opt/certs/password
● Script:
/opt/ses/lab/scripts/createCertDBWithLocalCA
6. Verify that you have created the certificate database and the local CA
certificate:
/usr/sfw/bin/certutil -L -d /opt/certs
Note – You import the LocalCA.crt file into a Web Server instance that
serves as a load balancer later in this lab. Importing a certificate file into a
Web Server instance requires execute permission.
5. Create two Java key stores—one for each Tomcat instance. When you
create the Java key stores import the local CA certificate into the key
stores.
● Commands:
Create the Java key store for the first Tomcat instance:
keytool -import -v -keystore \
/opt/certs/instance1.jks -storepass cangetin \
-alias localca -file LocalCA.crt
Respond yes to the Trust this certificate? prompt.
Create the Java key store for the second Tomcat instance:
keytool -import -v -keystore \
/opt/certs/instance2.jks -storepass cangetin \
-alias localca -file LocalCA.crt
Respond yes to the Trust this certificate? prompt.
● Script:
/opt/ses/lab/scripts/createJavaKeystores
Respond yes to the Trust this certificate? prompt both
times it appears during script execution.
6. Review the content of the two Java key stores:
keytool -list -keystore /opt/certs/instance1.jks \
-storepass cangetin
keytool -list -keystore /opt/certs/instance2.jks \
-storepass cangetin
● Script:
/opt/ses/lab/scripts/signAndStoreServerCerts
Output appears in the terminal window indicating that a
certification request was created, and that a certificate replies
were installed in the /opt/certs/instance1.jks and
/opt/certs/instance2.jks key stores.
2. Validate that the signed server certificate is present in the Java key
stores that are used by the two Tomcat instances:
keytool -list -keystore /opt/certs/instance1.jks \
-storepass cangetin
keytool -list -keystore /opt/certs/instance2.jks \
-storepass cangetin
Entries for the local CA certificate and the server certificate should be
present in both key stores.
1. CA certificates are required to be present in the JVM Java key store in the
following cases:
● When configuring the first OpenSSO instance of a multi-instance site,
in which the OpenSSO instances are deployed on web containers that
are SSL-enabled
● When configuring an OpenSSO instance that uses a directory server
that is accessed using the LDAPS protocol
● When installing Policy Agent software that accesses an SSL-enabled
OpenSSO instance
7. Select Accept This Certificate Temporarily for this Session and click
OK.
The start page for Tomcat appears. The following text should appear
on the start page:
Apache Tomcat on Instance 1
8. In a browser, navigate to the start page for the second Tomcat
instance:
https://zone1.example.com:20443
9. The browser presents you with a message offering to give you an
opportunity to examine the server’s certificate. Examine the
certificate and verify the following:
● The certificate is, in fact, the certificate for the second Tomcat
instance.
● The certificate details are identical to the details you provided
when you created the certificate in Task 3 – Creating Server
Certificates for Each Instance on page L1-21.
10. Click Close to close the window with certificate details.
11. Select Accept This Certificate Temporarily for this Session and click
OK.
The start page for Tomcat appears. The following text should appear
on the start page:
Apache Tomcat on Instance 2
The load balancer that you use in these labs is Web Server 7.0 with the
reverse proxy feature.
Preparation
No special preparation is required for this exercise.
Note – In the preceding command, you use the ”-l ” argument to start
the load balancer. You can also use the “-1” argument to start the first
Tomcat instance. Be careful to use the correct argument with the
startservers script.
c. Click OK.
The Reverse Proxy URI Created Successfully message
appears.
The entry for the “/” URI appears in the reverse proxies list.
d. Select the “/” URI.
A dialog box that lets you enter load balancing details appears.
e. Specify the following value in the dialog box:
● Sticky cookie: Type amlbcookie
f. Click OK.
g. The Deployment Pending link appears in the upper right corner
of the console.
h. Click the Deployment Pending link.
The Configuration Deployment dialog box appears.
i. Click Deploy to deploy the changes to the configuration.
The message, The configuration has been deployed
successfully to all available nodes, appears in the
Configuration Deployment dialog box.
Note – The preceding configuration change does not require Web Server
restart.
j. Click Close.
7. Log out of the Web Server administration console.
8. Verify that load balancing works correctly:
a. Clear cache and remove cookies from the browser session.
b. Shut down the browser.
c. Restart the browser.
Exercise Summary
Objectives
Upon completion of this lab, you should be able to:
● Deploy a multi-instance OpenSSO site
● Set up the OpenSSO command-line tools
Lab 2-1
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 1: Deploying a Multi-Instance OpenSSO Site
Preparation
This section contains preparatory information and describes actions you
must take prior to proceeding to the first lab exercise.
Prerequisite Labs
The tasks to prepare your lab system depends on whether you performed
the prerequisite lab, and whether you have performed other labs, in
addition to the prerequisite lab.
Your lab system can be in one of three states defined in Table 2-1 on
page L2-3. Determine which of these three states describes your lab
system. Then, depending on the state of your lab system, follow the
instructions in the table.
Lab System
Description Instructions
State
Lab System
Description Instructions
State
Ready to Go, • You completed the Perform the steps in the
Powered prerequisite labs and no section, ‘‘Task 2 –
Down additional labs Restarting the Learning
Virtual Machine’’ on
• After completing the page L2-4.
preceding lab, you
powered down the
learning virtual machine
Your lab system is now ready for the lab. Proceed to ‘‘Task 1 – Modifying
the Web Container Configuration as Specified in the Release Notes’’ on
page L2-7.
It is important to read both the Installation and Configuration Guide and the
Release Notes to obtain the most up-to-date information about OpenSSO
deployment.
You can find the Installation and Configuration Guide at the OpenSSO web
site—https://opensso.dev.java.net—along with other product
documentation. To access OpenSSO documentation, navigate to the
OpenSSO web site, then select the Early Access link (under the
Documentation link) on the left side of the screen.
You can also find the Release Notes at the OpenSSO web site. To access the
OpenSSO Release Notes, navigate to the OpenSSO web site and select the
Downloads link on the left side of the screen. A list of builds appears. For
each build, there is a Release Notes link.
Caution – The locations of the Installation and Configuration Guide and the
Release Notes provided in the previous text, while current as of this
writing, are subject to change.
used by the first Tomcat instance’s JVM. Note – The Release Notes for OpenSSO build 4.5 specify setting the Xmx
option to 1024m, which is double the memory you specify in step 6b. In
the learning environment, using the -Xmx512m option provides adequate
memory for your needs, and helps learning VM performance. For other
environments, be sure to use the -Xmx1024m option.
The Release Notes for OpenSSO build 4.5 do not specify that you use the -
server option for Tomcat 6.x web containers. The
-server option should be used in all environments except the simplest
test environments. Even though the -server option is not specified in the
Release Notes, use this option in the learning environment to become
accustomed to specifying it.
WAR file deployment for Tomcat is almost trivially simple—you just copy
the WAR file to the Tomcat webapps directory.
In the next task, you configure OpenSSO on the second Tomcat instance.
The two OpenSSO instances plus the load balancer comprise an OpenSSO
site.
You can configure OpenSSO from the command-line using the curl
command. This lab does not describe command-line configuration.
The configuration directory is a file system directory that contains flat files
used for system configuration and other purposes. XML schema files,
directory server schema files, log files, and debug files are all located in
the configuration directory. In Sun Java System Access Manager (Access
Manager) 7.1—the predecessor release to OpenSSO—these files were
stored in various locations, depending on operating system platform. For
example, on the Solaris™ Operating System (Solaris OS), these files were
located in the /etc and /var directories.
d. Click Next.
The User Store Settings page appears.
e. Select Embedded and click Next.
The Site Configuration page appears.
Note – Make sure you have not typed cangetin as the password for the
default agent user.
Click Next.
The Configurator Summary Details page appears.
Review the values you have entered. If incorrect values appear
on the Configurator Summary Details page, make corrections as
necessary.
h. Click Create Configuration.
Progress messages inform you of configuration progress.
The Configuration Complete page appears.
j. Verify that both Tomcat instances are down before you attempt
to restart the instances.
Run the following command:
ps -ef | grep apache
The presence of output similar to the following indicates that
Tomcat instances have not completely shut down:
root 5306 4391 1 13:18:16 pts/4 1:37
/usr/jdk/jdk1.5.0_14/bin/java -
Djava.util.logging.manager=org.apache.juli.Class
Do not proceed to the next step until you have verified that all
Tomcat instances are shut down.
k. Restart the two Tomcat instances:
/opt/ses/lab/scripts/startservers -f
4. Remove cache and cookies from your browser, and restart the
browser.
5. Navigate to the following URL:
https://zone1.example.com:10443/opensso
6. The OpenSSO login screen appears.
Log in to OpenSSO as the amAdmin user. The password is cangetin.
7. The OpenSSO console start page appears.
8. Verify that the site configuration is correct:
a. Select the Configuration tab.
b. Select the Sites and Servers tab.
c. Note that a site named WS7LB is present, and that a server with
the URL https://zone1.example.com:10443/opensso is
assigned to the WS7LB site.
9. Log out of the console.
The load balancer forwards the request to one of the OpenSSO instances,
and that instance challenges you for authentication credentials. If you
authenticate correctly, the OpenSSO console appears on the screen.
You use the Sessions tab to determine the OpenSSO instance on which
your session resides.
Then you log out of the console, restart your browser, authenticate a
second time, and, again, determine which OpenSSO instance holds your
session. It should be the other instance.
Preparation
No special preparation is required for this exercise.
4. Unzip the CLI tools .zip file, then remove the .zip file from the cli
directory:
unzip famAdminTools.zip
rm famAdminTools.zip
5. Set up the OpenSSO CLI:
a. Start the setup script:
JAVA_HOME=/usr/jdk/jdk1.5.0_14
export JAVA_HOME
./setup
The setup script prompts you to enter the path to the server
configuration files:
Path to config files of server (example:
/fam_config/opensso):
b. Type /opt/opensso/instance1 and press Enter.
The following messages appear in the terminal window:
The scripts are properly setup under directory:
/opt/opensso/instance1/cli/opensso
The version of this tools.zip is: 8.0
The version of your server instance is: 8.0 (2008-
June-27 10:01)
6. Create a read-only file containing the amAdmin user’s password:
echo cangetin > /opt/opensso/instance1/password
chmod 400 /opt/opensso/instance1/password
You use the password file when executing the OpenSSO CLI.
7. Verify that the OpenSSO CLI works as expected by executing the
famadm command with the list-servers option:
/opt/opensso/instance1/cli/opensso/bin/famadm \
list-servers --adminid amAdmin \
--password-file /opt/opensso/instance1/password
The following output appears in the terminal window:
https://zone1.example.com:10443/opensso
https://zone1.example.com:20443/opensso
8. Change to the OpenSSO instance2 directory and make a directory
for the CLI tools:
cd /opt/opensso/instance2
mkdir cli
9. Copy the .zip file that contains the CLI tools into the cli directory
that you just created:
cd cli
cp /opt/opensso/tools/famAdminTools.zip .
10. Unzip the CLI tools .zip file, then remove the .zip file from the cli
directory:
unzip famAdminTools.zip
rm famAdminTools.zip
11. Set up the OpenSSO CLI:
a. Start the setup script:
JAVA_HOME=/usr/jdk/jdk1.5.0_14
export JAVA_HOME
./setup
The setup script prompts you to enter the path to the server
configuration files:
Path to config files of server (example:
/fam_config/opensso):
b. Type /opt/opensso/instance2 and press Enter.
The following messages appear in the terminal window:
The scripts are properly setup under directory:
/opt/opensso/instance2/cli/opensso
The version of this tools.zip is: 8.0
The version of your server instance is: 8.0 (2008-
June-27 10:01)
12. Create a read-only file containing the amAdmin user’s password:
echo cangetin > /opt/opensso/instance2/password
chmod 400 /opt/opensso/instance2/password
You use the password file when executing the OpenSSO CLI.
13. Verify that the OpenSSO CLI works as expected by executing the
famadm command with the list-servers option:
/opt/opensso/instance2/cli/opensso/bin/famadm \
list-servers --adminid amAdmin \
--password-file /opt/opensso/instance2/password
The following output appears in the terminal window:
https://zone1.example.com:10443/opensso
https://zone1.example.com:20443/opensso
Exercise Summary
Objectives
Upon completion of this lab, you should be able to:
● Configure session failover for an OpenSSO site
● Verify that OpenSSO sessions fail over
Lab 3-1
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 1: Configuring Session Failover for an OpenSSO Site
OpenSSO sessions are stored in random access memory (RAM), and are,
therefore, volatile. Without session failover, if a server on which an
OpenSSO instance goes down, the sessions are lost, and all the users who
had sessions on that server are forced to reauthenticate if they want to
access resources being protected by the OpenSSO site.
With the session failover feature enabled, sessions still reside in RAM, but
are also written to a persistent data store. If an OpenSSO instance goes
down, the session information stored in the OpenSSO instance is lost.
However, OpenSSO clients, such as the OpenSSO console or Policy
Agents, can connect to another OpenSSO instance. This other OpenSSO
instance can then determine that it does not have the session information
in memory and can retrieve it from the persistent data store.
Session failover uses the Sun Java System Message Queue (Message
Queue) software to communicate with the persistent data store.
Preparation
This section contains preparatory information and describes actions you
must take prior to proceeding to the first lab exercise.
Prerequisite Labs
The tasks to prepare your lab system depends on whether you performed
the prerequisite labs, and whether you have performed other labs, in
addition to the prerequisite labs.
Your lab system can be in one of three states defined in Table 3-1 on
page L3-3. Determine which of these three states describes your lab
system. Then, depending on the state of your lab system, follow the
instructions in the table.
Lab System
Description Instructions
State
Lab System
Description Instructions
State
Ready to Go, • You completed the Perform the steps in the
Powered prerequisite labs and no section, ‘‘Task 2 –
Down additional labs Restarting the Learning
Virtual Machine’’ on
• After completing the page L3-4.
preceding lab, you
powered down the
learning virtual machine
Your lab system is now ready for the lab. Proceed to ‘‘Task 1 – Installing
the Session Failover Tools’’ on page L3-7.
3. Copy the .zip file that contains the session failover tools into the
sfo directory that you just created:
cd sfo
cp /opt/opensso/tools/famSessionTools.zip .
4. Unzip the session failover tools .zip file, then remove the .zip file
from the sfo directory:
unzip famSessionTools.zip
rm famSessionTools.zip
5. Set up the OpenSSO CLI:
a. Start the setup script:
JAVA_HOME=/usr/jdk/jdk1.5.0_14
export JAVA_HOME
./setup
The setup script prompts you to enter the directory into which
you want to install the session failover scripts:
Directory to install the scripts (example:
sfoscripts):
Note – In this lab, you deploy a single Message Queue broker on a single
Solaris OS zone, giving you an easy path to explore OpenSSO session
failover in the learning environment.
Part of the secondary configuration instance is a check box that lets you
enable session failover. This check box is enabled by default, therefore,
when you create a new secondary configuration instance, session failover
is automatically enabled. Take note of this check box when you create
your secondary configuration instance.
At the end of this lab, you disable session failover by unchecking the
Session Failover Enabled check box.
8. Click Add.
The WS7LB secondary configuration instance appears in the Session
Service configuration.
9. Click Save.
10. Log out of the console.
Then you shut down one of the servers to see what happens.
Preparation
No special preparation is required for this exercise.
3. Verify that both Tomcat instances are down before you perform the
next step.
Run the following command:
ps -ef | grep apache
The presence of output similar to the following indicates that Tomcat
instances have not completely shut down:
root 5306 4391 1 13:18:16 pts/4 1:37
/usr/jdk/jdk1.5.0_14/bin/java -
Djava.util.logging.manager=org.apache.juli.Class
Do not proceed to the next step until you have verified that all
Tomcat instances are shut down.
4. Activate session failover by running the amsfo script with the start
argument:
/opt/opensso/instance1/sfo/scripts/bin/amsfo start
5. Start the two Tomcat instances:
/opt/ses/lab/scripts/startservers -f
6. Review the session failover log file:
more /tmp/amsession/logs/amsessiondb.log
You should see log records similar to the following:
Starting... true
/usr/jdk/instances/jdk1.5.0/jre/bin/java -Xms128m -
Xmx512m -classpath
/opt/opensso/instance1/sfo/jmq/mq/lib/imq.jar:/opt/open
sso/instance1/sfo/jmq/mq/lib/jms.jar:/opt/opensso/insta
nce1/sfo/ext/je.jar:/opt/opensso/instance1/sfo/locale:/
opt/opensso/instance1/sfo/lib/am_sessiondb.jar:.
com.sun.identity.ha.jmqdb.client.FAMHaDB
Initailizing and connecting to the Message Queue server
...
Checking for peer BDB daemon processes. Please wait ...
Successfully started.
7. Verify that the message, Successfully started, appears in the log
file.
This message indicates successful startup of session failover.
Review session failover log files to demonstrate that the session was
migrated.
3. Leaving the console open, use the terminal window to review the
session failover log file:
more /tmp/amsession/logs/amsessiondb.log
You should see log records similar to the following:
OP=WRITE
service=session
WRITE message received.
>>>>>>>>>>>>>> Write by Primary Key : -1279015892
OP=WRITE
service=session
WRITE message received.
>>>>>>>>>>>>>> Write by Primary Key : -1279015892
The preceding log records indicate that a session was written to the
session database.
4. Shut down the OpenSSO instance on which your session resides:
● If your session resides on the zone1.example.com:10443
instance, shut down the first OpenSSO instance:
/opt/ses/lab/scripts/stopservers -1
● If your session resides on the zone1.example.com:20443
instance, shut down the second OpenSSO instance:
/opt/ses/lab/scripts/stopservers -2
5. Return to the OpenSSO console and use the View drop list to verify
that your session has migrated to the other OpenSSO instance:
● If your session originally resided on the
zone1.example.com:10443 instance, it now resides on the
zone1.example.com:20443 instance.
● If your session originally resided on the
zone1.example.com:20443 instance, it now resides on the
zone1.example.com:10443 instance.
6. Verify that no active sessions appear when you display the Sessions
tab for the instance that you shut down in step 4.
You should see an error message indicating that sessions cannot be
viewed on this instance. This error message indicates that the
instance is down.
7. Review the session failover log file to confirm that session failover
has occurred:
more /tmp/amsession/logs/amsessiondb.log
You should see log records similar to the following:
OP=READ
service=session
READ message received.
>>>>>>>>>>>>>> Read by Primary Key : -1098220087
>>>>>>>>>>>>>> Found record !
OP=WRITE
service=session
WRITE message received.
>>>>>>>>>>>>>> Write by Primary Key : -1098220087
OP=WRITE
service=session
WRITE message received.
>>>>>>>>>>>>>> Write by Primary Key : -1098220087
The preceding log records indicate that a session was retrieved from
the session database to achieve failover.
8. Start the OpenSSO instance on which your original session resided:
● If your session originally resided on the
zone1.example.com:10443 instance, start the first OpenSSO
instance:
/opt/ses/lab/scripts/startservers -1
● If your session originally resided on the
zone1.example.com:20443 instance, start the second
OpenSSO instance:
/opt/ses/lab/scripts/startservers -2
Exercise Summary
Objectives
Upon completion of this lab, you should be able to:
● Deploy a Web Server instance that hosts a web site
● Prepare the environment for the Web Policy Agent installation
● Install and test the Web Policy Agent
Lab 4-1
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 1: Deploying a Web Server Instance That Hosts a Web Site
In this lab, you work with components that reside in two zones:
● The zone1 zone – The OpenSSO site, comprising load-balanced two
OpenSSO instances, resides in the zone1 zone.
You use the following URL to access the OpenSSO instances:
https://zone1.example.com:8443/opensso.
● The zone2 zone – A Sun Java System Web Server (Web Server)
instance serves the example web site in the zone2 zone. In a
subsequent exercise, you install Policy Agent software into the Web
Server instance to protect the example web site.
You use the following URL to access the example web site:
https://zone2.example.com:8080/index.html.
You start the exercise by starting the load balancer and the OpenSSO
instances in the zone1 zone. Then you install the sample web site in the
zone2 zone.
Preparation
This section contains preparatory information and describes actions you
must take prior to proceeding to the first lab exercise.
Prerequisite Labs
The tasks to prepare your lab system depends on whether you performed
the prerequisite labs, and whether you have performed other labs, in
addition to the prerequisite labs.
Your lab system can be in one of three states defined in Table 4-1 on
page L4-3. Determine which of these three states describes your lab
system. Then, depending on the state of your lab system, follow the
instructions in the table.
Lab System
Description Instructions
State
Installing a Web Policy Agent to Manage Access to a Web Site Lab 4-3
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 1: Deploying a Web Server Instance That Hosts a Web Site
Lab System
Description Instructions
State
Ready to Go, • You completed the Perform the steps in the
Powered prerequisite labs and no section, ‘‘Task 2 –
Down additional labs Restarting the Learning
Virtual Machine’’ on
• After completing the page L4-4.
preceding lab, you
powered down the
learning virtual machine
Installing a Web Policy Agent to Manage Access to a Web Site Lab 4-5
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 1: Deploying a Web Server Instance That Hosts a Web Site
Note – Session failover is not used in this lab, so there is no need to start
the message queue broker.
Your lab system is now ready for the lab. Proceed to ‘‘Task 1 – Copying
the Local CA Certificate Into the zone2 Zone’’ on page L4-7.
This is the only task in this lab that requires you to log in to the zone1
zone. You perform all remaining tasks and exercises in the zone2 zone.
2. If you are not logged in to the zone1 zone, log in to the zone1 zone.
3. Change to the directory containing the certificate for the local CA:
cd /opt/certs
4. Display the local CA certificate in the terminal window:
cat LocalCA.crt
5. Copy the certificate contents—the output from the cat command—
to a copy-and-paste buffer.
Be sure to copy the entire certificate, including the -----BEGIN
CERTIFICATE----- and -----END CERTIFICATE----- labels, into
the copy-and paste buffer.
6. Log out of the zone1 zone:
exit
7. Boot up and log in to the zone2 zone:
zoneadm -z zone2 boot
zlogin zone2
You perform the rest of this lab in the zone2 zone.
Installing a Web Policy Agent to Manage Access to a Web Site Lab 4-7
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 1: Deploying a Web Server Instance That Hosts a Web Site
Note – You import the LocalCA.crt file into the Web Server instance that
you install later in this lab. Importing a certificate file into a Web Server
instance requires execute permission.
During Web Server installation, you set the document root setting to the
/opt/ses/lab/site directory. The /opt/ses/lab/site directory
contains the example web site.
Installing a Web Policy Agent to Manage Access to a Web Site Lab 4-9
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 1: Deploying a Web Server Instance That Hosts a Web Site
Therefore, the Web Server must have the local CA certificate in its
certificate database, or SSL handshaking fails when the Policy Agent
attempts to access the OpenSSO site.
Use the Web Server wadm CLI to install the local CA certificate in the Web
Server instance’s certificate database.
After this message appears, users are not able to run the wadm shell. This
bug is Web Server bug number CR6687299.
<jvm-options>-XX:LargePageSizeInBytes=4194304</jvm-options>
Add the preceding directive to the <jvm> section of the server.xml file,
together with the other <jvm-options> directives. Then restart the Web
Server administration server as follows:
/opt/webserver/admin-server/bin/stopserv
/opt/webserver/admin-server/bin/startserv
2. Type cangetin.
The following prompt appears:
Connected to zone2.example.com:8989
Sun Java System Web Server 7.0U2 B12/09/2007 07:28
wadm>
3. Do not press Return while typing the following:
install-cert --config=zone2.example.com --cert-type=ca
--nickname=localca /opt/certs/LocalCA.crt
The following prompt appears:
CLI201 Command 'install-cert' ran successfully
wadm>
4. Type the following command:
deploy-config --restart zone2.example.com
The following prompt appears:
CLI201 Command 'deploy-config' ran successfully
wadm>
5. Type exit to terminate the wadm CLI.
6. Verify that the local CA certificate is present in the Web Server
instance’s certificate database:
/usr/sfw/bin/certutil -L \
-d /opt/webserver/https-zone2.example.com/config
The entry, LocalCA - example.com, should be the only entry in the
list.
Installing a Web Policy Agent to Manage Access to a Web Site Lab 4-11
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 2: Preparing the Environment for the Web Policy Agent Installation
Preparation
No special preparation is required for this exercise.
In order for the installer program to successfully access the OpenSSO site,
you must install the CA certificate of the CA that signed server certificates
for the OpenSSO site into the certificate store of the JVM that the Policy
Agent installer uses.
Installing a Web Policy Agent to Manage Access to a Web Site Lab 4-13
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 2: Preparing the Environment for the Web Policy Agent Installation
When the agent administrator user logs in to the OpenSSO console, the
only information available to the user pertains to agent profiles. Other
information, such as realm definitions, authentication configuration, and
policy definitions, is hidden from the agent administrator user.
g. Click OK.
The agentadmins group appears in the groups list.
3. Create an agent administrator user named agentadmin:
a. Select the User tab.
b. Click New.
The New User page appears.
c. Enter data in the New User page as follows:
● ID – Type agentadmin
● First Name – Type Agent
● Last name – Type Administrator
● Full Name – Type Agent Administrator
● Password – Type cangetin
● Password (confirm) – Type cangetin
● User Status – Select Active.
d. Click OK
The Agent Administrator user appears in the users list.
4. Make the agentadmin user a member of the agentadmins group:
e. Select the Group tab.
f. Select agentadmins
g. Select the User tab.
h. Select the Agent Administrator user from the Available column.
i. Click Add.
The Agent Administrator user entry moves from the Available
column to the Selected column.
j. Click Save.
5. Assign administrative privileges to the agent administrators group:
a. Click Back to Subjects.
b. Select the Privileges tab.
c. Select the agentadmins group.
d. Select the Read And Write Access to All Configured Agents
privilege.
e. Click Save.
Installing a Web Policy Agent to Manage Access to a Web Site Lab 4-15
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 2: Preparing the Environment for the Web Policy Agent Installation
Installing a Web Policy Agent to Manage Access to a Web Site Lab 4-17
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 2: Preparing the Environment for the Web Policy Agent Installation
Installing a Web Policy Agent to Manage Access to a Web Site Lab 4-19
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 3: Installing and Testing the Web Policy Agent
You start the exercise by installing the Policy Agent in the zone2 zone.
Then, you verify that the Policy Agent protects the example web site by
demonstrating that in order to access the web site, you must first
authenticate to OpenSSO.
Preparation
No special preparation is required for this exercise.
After the installation has completed, you examine the log files to verify
that no installation errors occurred.
Installing a Web Policy Agent to Manage Access to a Web Site Lab 4-21
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 3: Installing and Testing the Web Policy Agent
After you change file permissions, you restart the Web Server.
Start a new browser session and attempt to access the example web site.
The Policy Agent should intercept your request to access the site and
redirect the request to the OpenSSO site, which then challenges you for
authentication credentials.
Installing a Web Policy Agent to Manage Access to a Web Site Lab 4-23
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise Summary
Exercise Summary
Objectives
Upon completion of this lab, you should be able to:
● Deploy a GlassFish application server instance
● Prepare the environment for the J2EE Policy Agent installation
● Install and test the J2EE Policy Agent
Lab 5-1
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 1: Deploying a GlassFish Application Server Instance
In this lab, you work with components that reside in two zones:
● The zone1 zone – The OpenSSO site, comprising load-balanced two
OpenSSO instances, resides in the zone1 zone.
You use the following URL to access the OpenSSO instances:
https://zone1.example.com:8443/opensso.
● The zone2 zone – A GlassFish instance serves J2EE applications in
the zone2 zone. In a subsequent exercise, you install Policy Agent
software into the GlassFish instance to protect J2EE applications
served by the GlassFish instance.
You use the following URL to access the GlassFish instance:
https://zone2.example.com:8080/ndex.html.
If you deployed an example web site and protected it with a Web Policy
Agent in the “Installing a Web Policy Agent to Manage Access to a Web
Site” lab, you stopped the Web Server instance at the end of the lab. The
Web Server instance is not needed for this lab.
Preparation
This section contains preparatory information and describes actions you
must take prior to proceeding to the first lab exercise.
Prerequisite Labs
The tasks to prepare your lab system depends on whether you performed
the prerequisite labs, and whether you have performed other labs, in
addition to the prerequisite labs.
Your lab system can be in one of three states defined in Table 5-1 on
page L5-3. Determine which of these three states describes your lab
system. Then, depending on the state of your lab system, follow the
instructions in the table.
Lab System
Description Instructions
State
Installing a J2EE Policy Agent to Manage Access to J2EE Applications Lab 5-3
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 1: Deploying a GlassFish Application Server Instance
Lab System
Description Instructions
State
Ready to Go, • You completed the Perform the steps in the
Powered prerequisite labs and no section, ‘‘Task 2 –
Down additional labs Restarting the Learning
Virtual Machine’’ on
• After completing the page L5-4.
preceding lab, you
powered down the
learning virtual machine
Installing a J2EE Policy Agent to Manage Access to J2EE Applications Lab 5-5
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 1: Deploying a GlassFish Application Server Instance
Note – Session failover is not used in this lab, so there is no need to start
the message queue broker.
The web site that you deployed in the “Installing a Web Policy Agent to
Manage Access to a Web Site” lab is not used in this lab, so there is no
need to start the Web Server instance that serves the web site.
Your lab system is now ready for the lab. Proceed to ‘‘Task 1 – Installing
GlassFish Application Server Software’’ on page L5-7.
2. If you have not booted up the zone2 zone, do so using the following
command:
zoneadm -z zone2 boot
3. If you are not logged in to the zone2 zone, log in to the zone2 zone:
zlogin zone2
You perform the rest of this lab in the zone2 zone.
4. Copy the GlassFish software to a local directory:
cd /opt
cp /opt/ses/shared/software/glassfish-v2ur2/ \
glassfish-installer-v2ur2-b04-sunos_x86.jar .
5. Set the JAVA_HOME environment variable:
JAVA_HOME=/usr/jdk/jdk1.5.0_14
export JAVA_HOME
The GlassFish installer requires this setting.
6. Install the GlassFish software:
java -Xmx256m -jar \
glassfish-installer-v2ur2-b04-sunos_x86.jar
A dialog box with the GlassFish license appears.
7. Scroll to the bottom of the license agreement, then click Accept.
Messages appear in the terminal window as GlassFish installation
proceeds.
When installation is complete, the Installation Complete
message appears in the terminal window.
Installing a J2EE Policy Agent to Manage Access to J2EE Applications Lab 5-7
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 1: Deploying a GlassFish Application Server Instance
8. Delete the GlassFish installer (to save disk space in the learning VM):
rm glassfish-installer-v2ur2-b04-sunos_x86.jar
9. Configure the GlassFish instance as a non-clustered instance:
a. Set the ANT_HOME environment variable:
ANT_HOME=/opt/glassfish/lib/ant
export ANT_HOME
GlassFish setup requires this setting.
b. Change permissions on the ant binary so that it this binary
executable:
chmod -R +x $ANT_HOME/bin
c. Set up the GlassFish instance:
$ANT_HOME/bin/ant -f /opt/glassfish/setup.xml
10. Start the GlassFish domain administration server (DAS):
/opt/glassfish/bin/asadmin start-domain domain1
In this lab, you deploy the sample J2EE application to the DAS as a
convenience for learning purposes. When you install the Policy
Agent later in this lab, you install it on the DAS, so that the Policy
Agent protects the sample J2EE application.
In this lab, you do not create additional GlassFish instances. To
protect J2EE applications deployed to GlassFish instances other than
the DAS, install Policy Agent software on those instances.
11. Verify that you can run the administration console for the GlassFish
instance:
a. In a browser, navigate to the following URL:
http://zone2.example.com:4848
You should see the GlassFish login screen.
b. Log in to the console as the admin user. The password is
adminadmin.
c. The console main page appears.
d. Log out of the console.
In this deployment, the DAS is not SSL-enabled. However, the DAS sends
requests to the SSL-enabled OpenSSO site after Policy Agent installation,
which you perform in “Exercise 3: Installing and Testing the J2EE Policy
Agent.”
Therefore, the DAS must have the local CA certificate in its certificate
store, or SSL handshaking fails after the Policy Agent attempts to access
the OpenSSO site.
Installing a J2EE Policy Agent to Manage Access to J2EE Applications Lab 5-9
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 1: Deploying a GlassFish Application Server Instance
2. Validate that the local CA certificate is present in the JVM Java key
stores:
keytool -list -keystore \
/opt/glassfish/domains/domain1/config/cacerts.jks \
-storepass changeit | grep localca
An entry for the local CA certificate should be present.
– Install the CA certificates of any CAs that signed server certificates for
the OpenSSO site into the certificate store of the JVM that the Policy
Agent installer uses
Both of these tasks were performed in the “Installing a Web Policy Agent
to Manage Access to a Web Site” lab and need not be repeated in this lab.
Preparation
No special preparation is required for this exercise.
Installing a J2EE Policy Agent to Manage Access to J2EE Applications Lab 5-11
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 2: Preparing the Environment for the J2EE Policy Agent Installation
You created the agent administrator user in the “Installing a Web Policy
Agent to Manage Access to a Web Site” lab.
Installing a J2EE Policy Agent to Manage Access to J2EE Applications Lab 5-13
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 3: Installing and Testing the J2EE Policy Agent
You start the exercise by installing the Policy Agent in the zone2 zone.
Then you deploy the Agent application and the Policy Agent sample
application on the GlassFish instance.
Finally, you verify that the Policy Agent protects the sample application
by demonstrating that in order to access the sample application, you must
first authenticate to OpenSSO.
Preparation
No special preparation is required for this exercise.
After the installation has completed, you examine the log files to verify
that no installation errors occurred, then restart the DAS.
Installing a J2EE Policy Agent to Manage Access to J2EE Applications Lab 5-15
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise 3: Installing and Testing the J2EE Policy Agent
Start a new browser session and attempt to access the sample application.
The Policy Agent should intercept your request to access the application
and redirect the request to the OpenSSO site, which then challenges you
for authentication credentials.
Installing a J2EE Policy Agent to Manage Access to J2EE Applications Lab 5-17
Copyright 2008 Sun Microsystems, Inc. All Rights Reserved. Sun Services, Revision A.0.4
Exercise Summary
Exercise Summary