Tuesday Mar 24, 2009

Entries in Application "web.xml" to activate the Agent

I have often been asked by customers and partners what exactly needs to go into the application web.xml to activate the policy agent.

Typically, developers just install the OpenSSO Policy Agent on an application container and expect that the application is protected by the agent 'auto-magically'. For a J2EE agent protecting an application on a J2EE container, here is what needs to go into the web.xml.

    <filter>
        <filter-name>Agent</filter-name>
        <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>Agent</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>

Restart the application container once these changes are made and the Policy Agent will be activated.

Note: The above entries suffice when you have the agent configured in "SSO Only" mode. 

Monday Jan 26, 2009

Role Manager and OpenSSO Integration

With the maturity of Role Management in medium and small Enterprises, we are now seeing a lot of requirements around an integrated Role Management, Provisioning and Access Management infrastructure.

Recently, I worked on a Proof-of-Concept for a customer where we implemented an end-to-end SRM-OpenSSO-IdM integration.

Here are some of the salient features of this integrated demo that was put in place.

  • Role Manager (SRM) is the provisioning and management point for Business Roles and IT Roles
  • Identity Manager is the provisioning and management point for Users.
  • OpenSSO protects a few sample Web based applications.
  • SRM is also the Policy Management point.
  • OpenSSO Policy agents are the PEP and the OpenSSO Server is the PDP.
  • OpenSSO Policies are Role based URL policies
  • DSEE is configured as the OpenSSO User Store; IT Roles are provisioned on the DSEE Store.
  • SRM creates Business Roles and IT Roles on IdM; creates IT Roles on the OpenSSO (DSEE) store using the IdRepo API.
  • IdM assigns Business Roles "and" IT Roles to Users. Assigned IT Roles are as per the roles provisioned in DSEE.
  • Policies created are based on IT Roles.
  • Policies provisioned using SRM are exported as XML, in a format specific to OpenSSO policies
  • OpenSSO imports these policies, using which AuthZ decisions are made.

Thanks to Anjan Shenoy for getting the Role provisioning on DSEE working and the Policy export from SRM.

This demo is available as a Virtual Box image and I would be more than happy to share this image and provide operational instructions on running this demo. More detailed documentation and white-papers are on the way!!


Wednesday Nov 12, 2008

OpenSSO Enterprise 8.0 released !

Sun OpenSSO Enterprise 8.0 has been released. The bits for the fully supported Enterprise 8.0 release can be downloaded from the usual OpenSSO Download site.

The official revenue release has been posted here on the Sun site. The documentation can be found here.

Kudos to all those folks who worked hard to build, test and get this release out. Hip ! Hip ! Hurray !!


Sunday Nov 09, 2008

OpenSSO Installation: OpenDS Port = -1 during Configuration

OpenSSO configuration is highly sensitive when it comes to domain name and host resolution. After installation (deployment of the WAR file on the container), once you start the custom configuration, sometimes the default OpenDS (embedded config store) port is displayed as "-1". If the port shows up as "-1" -- you can be pretty sure your configuration will not go through; even if you change the port to 50389 or any other available port.

This is caused by a missing FQDN entry for the host in the hosts file or a missing DNS entry for the host.

If you have installed OpenSSO on a host such as "shesh.sun.com", make sure you launch the configurator using the FQDN in the URL, that the OpenDS host entered during configuration is the fully qualified host name (shesh.sun.com), and that the host name can be resolved.

The uninformative error message simply states that the "OpenDS instance cannot be started" when the configuration is aborted. There will be no "install.log" under the instance root and, to get you even more confused, the OpenDS log will say "Directory Server Successfully starter" :-)
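The three conditions above can be checked before the configurator is opened. The following preflight is an added example, not part of the original post or of OpenSSO; the function names, the port 8080 and the /opensso path in the sample URL, and the sample address are assumptions, and the resolver is injectable so the demo runs without DNS.

```python
import socket
from urllib.parse import urlsplit

def is_fqdn(host):
    """True for a dotted DNS name; False for 'shesh', 'localhost' or an IP literal."""
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(labels) and not labels[-1].isdigit()

def preflight(configurator_url, opends_host, resolve=socket.gethostbyname):
    """Return the host-name problems the post associates with OpenDS port -1."""
    problems = []
    url_host = urlsplit(configurator_url).hostname or ""
    for label, host in (("configurator URL host", url_host),
                        ("OpenDS host", opends_host)):
        if not is_fqdn(host):
            problems.append(f"{label} {host!r} is not fully qualified")
            continue
        try:
            resolve(host)  # consults the hosts file first, then DNS
        except OSError:
            problems.append(f"{label} {host!r} does not resolve (hosts file or DNS)")
    return problems

# Constructed resolver standing in for a hosts file with a single entry.
KNOWN = {"shesh.sun.com": "192.0.2.10"}

def sample_resolver(host):
    if host not in KNOWN:
        raise OSError("unknown host " + host)
    return KNOWN[host]

if __name__ == "__main__":
    cases = [
        ("http://shesh.sun.com:8080/opensso", "shesh.sun.com"),
        ("http://localhost:8080/opensso", "shesh"),
        ("http://shesh.sun.com:8080/opensso", "other.sun.com"),
    ]
    for url, ds_host in cases:
        print(url, ds_host, preflight(url, ds_host, sample_resolver) or "OK")
```

Called without the third argument, `preflight` uses the system resolver, so it reports what the container host itself can resolve.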


Tuesday Sep 09, 2008

OpenSSO and J2EE Agents on WebLogic 10 on Mac.

Yes... I am a Mac user! I had to build an OpenSSO demo using WebLogic 10 for a customer... on my Mac. There is no official support for, or a certified version of, WebLogic for Mac. I did a little bit of digging around and I was able to get OpenSSO b5 up and running on WebLogic 10, and I was also able to install and configure the EA WebLogic Agent 3.0 to protect a sample app on WebLogic... all this natively on my Mac.

Here is how you do it:

Before we start, an official warning :-) ... THIS IS FOR DEMO PURPOSES ONLY !! I have not had any issues so far, but that does not mean I have fully tested this for stability, reliability or performance.

Installing WebLogic: 

1. Download the WebLogic 10 bits. You will need to get the package installer from here

   Scroll down to " WebLogic Server Package Installer" and choose "WebLogic Server 10.0 MP1"

   Most importantly, from the "Please select an OS" drop down, choose "IBM AIX (5.2, 5.3, pSeries)"

2. Once the bits are downloaded, use the following command to install the server

java -Dos.name=unix -jar server1001_generic.jar

The installer will take you through the install after asking you the usual questions.

3. Once WebLogic Server is installed, you need to edit the file "setDomainEnv.sh"

     This file will be under "<install-home>/bea/wlserver_10.0/samples/domains/wl_server/bin"

     Edit this file to add the declaration  -XX:MaxPermSize=128m under MEM_ARGS.

    After adding the declaration, the MEM_ARGS parameter should look like: MEM_ARGS="-Xms256m -Xmx512m -XX:MaxPermSize=128m"

4. Start the WebLogic 10 server using the following command:

    # <install-home>/bea/wlserver_10.0/samples/domains/wl_server/bin/startWebLogic.sh

5. Point your browser to "http://localhost:7001" and you should see the WebLogic Server "Getting Started Page".

  Click on "Start the Administration Server console". Login as weblogic/weblogic and verify that you are able to login.

Now, your WebLogic Server is up and running on your Mac.

Installing OpenSSO on WebLogic: 

1. Start the Weblogic Admin console and login as "weblogic / weblogic"

2. Click on "Lock & Edit" in the "Change Center" window.

3. Click on "Deployments" in the "Domain Structure" window.

4. You will see all installed apps in the "Summary of Deployments" page.

5. Click "Install"

6. The Server will say it cannot find any files. Click on "Upload File"

7. Browse to your opensso.war file. Select this "opensso.war" to upload

8. Once uploaded, click on the "opensso.war" radio-button and hit "Next"

9.  On the next page, choose "Install this deployment as an application"

10. In the "optional Settings" page, choose a name for the deployment. Default is "opensso". The same can be retained. All other options can be default.

11. In the "Additional Configurations" page, choose "Yes, take me to the deployment configuration"

12. Hit "FINISH"

13. Once the WAR file is deployed, click on "Activate Changes" in the "Change Center" window.

Configure OpenSSO the usual way either using default or custom configuration. 

That's it !!! You have your favorite OpenSSO deployed and running on Weblogic...on your Mac !! :-)

Installing the WebLogic J2EE Agent:

If you want to protect applications on this WebLogic server, download and install the EA WebLogic PA 3.0 from here. Follow the install docs for the agent install.




Monday Aug 25, 2008

"OpenDS Cannot be started" during Configuration.

During Configuration of OpenSSO after deployment of the WAR file, there are times when the Custom Configuration will fail with the error "Failed to start OpenDS instance".

This usually happens when you attempt the configuration for the second time without removing the earlier configuration settings.

To resolve this problem:

  • Undeploy the OpenSSO WAR file
  • Remove (rm -r) the OpenSSO Config directory containing the OpenSSO and the OpenDS folders
  • Re-deploy the WAR file
  • Run the Custom Configuration

Configuration should go through fine using all default settings.


Tuesday Aug 19, 2008

Deployment Training for OpenSSO

Deployment Training for OpenSSO is now available for FREE !! These training modules are a great resource set along with the Early Access documentation to build your expertise on OpenSSO.

The training material contains five different modules to take you through some detailed deployment instructions. The deployment training includes Secure Services setup (SSL), Load balanced environment setup using Software Load Balancer, Policy configuration and Session Failover.

The training announcement can be found on the OpenSSO Training site.

For more details, please refer to our friend David Goldsmith's blog.

Wednesday Jul 23, 2008

OpenSSO Express announced

Sun today announced OpenSSO Express - early access to the next release of a combined Access Manager and Federation Manager product. These early access builds are fully tested and certified by the OpenSSO community.

Enterprises can now download, evaluate and use the latest builds of OpenSSO and obtain support for these builds from Sun. This is a big leap forward for the OpenSSO community.

The OpenSSO Express announcement details the Support Model and also includes Tech talks from the experts.  More details can be found at the OpenSSO site.


Monday Jan 22, 2007

Liberty 2.0 Workshop: OpenLiberty Announced

OpenLiberty - A global Liberty Alliance Open Source initiative was announced today at the Liberty 2.0 workshop in Redwood Shores, CA.

The announcement stated that "The OpenLiberty initiative will allow openSource developers to incorporate the security and privacy capabilities of Liberty Federation and Web Services into a variety of Identity based applications".

More information on OpenLiberty is available on the OpenLiberty site.

The initial focus is on WSF Web Service Consumer (WSC) libraries and SAML 2.0 libraries. The source code for the ID-WSF WSC libraries is available on Sourceforge.

For details on Project Liberty, check out the Liberty Alliance site.





Saturday Nov 18, 2006

Immersion Week 2006

The "Immersion Week", a week long event for the Techies at Sun, just concluded in the 'cold and windy' Chicago. This year, the event was held in two separate waves, to accommodate more people. For the first time, we invited our Partners to attend this event and it was great to have a good number of them at the event.

The event had technical sessions from all Practices. We, from the Software Practice, had a good line-up of sessions ranging from Identity Management, Access and Federation Management and SOA. As a Product Lead for Access and Federation Manager, I had the opportunity and responsibility to present technical content around Access and Federation Management. Apart from Product features and Roadmap, my content included an Implementation case study on "Identity Federation using Liberty", Web Service Security and Secure SOA.

These sessions were well received and the attendees showed a lot of interest around the Federation deployment scenarios, the Interoperability modes, Web Service Security using WSI-BSP and also around Access Management in a Secure SOA. This, obviously, led to questions and discussions around an integrated solution using Java CAPS and Access/Federation Manager.

The story around an integrated solution, as we all are aware is 'in the works'.

For the benefit of our Partners and Sun folks who missed the OpenSSO SWTR, I also presented some content on OpenSSO. As expected, the Partner community showed a lot of interest in understanding the OpenSSO initiative and how it is related to the AM and FM Product roadmap.

I would like to thank Aravindan and Superpat (I kinda like this better than just Pat !!), who helped me with details around Web Service Security and OpenSSO. And, thanks to Joe Ferrill - our leader - who was in-charge of the Sessions for the Software Track.

Special thanks to Dave Edstrom, for attending my sessions.

Quite a few people requested copies of my slide deck. I think they should all have it in their inbox by now. And for those who have not received it or would like a copy, shoot me an email.

Based on popular demand, I hear that Immersion Week will be held in either Paris or Amsterdam starting next year  .....( yup, I am starting a rumor. If we ask for Paris or Amsterdam, we might get a New York or San Francisco !!)






Federation code (OpenFederation) released

Showing total commitment to the OpenSSO initiative, we released the code base of the Federation Modules (OpenFederation), to add to the existing modules.

I have had multiple queries, especially from our Partners, in regards to OpenFederation code base and the release date. HERE you go .......

As part of this release, we have a Federation Use Document. For those of you in the field who usually get customer questions around use cases, this is a fantastic resource. This document covers Web Services Framework (WSF) Use cases as well. Great job Qingwen !



Thursday Nov 02, 2006

OpenSSO: J2EE Agent code released.

The latest addition to the released OpenSSO stack is the J2EE Agents. Customers and Partners who have been following OpenSSO have been asking for the J2EE agent architecture details and the code base for a while now. So, here you go....

The agent code for Sun App Server 8.2 is available here.

This should get the Developer community excited. I often get questions from customers asking why we have J2EE agents which are certified to work on Sun App Server, Weblogic and WebSphere only and why not 'every' J2EE container. Now, developers can use this code to get the Agents working on the JBoss' and the Blazixs of the world.....





Wednesday Nov 01, 2006

Hack through OpenSSO?

There was an interesting customer question posted by one of my co-workers recently: Can someone knowledgeable in the workings of OpenSSO, hack an Access Manager implementation?

Saturday Oct 28, 2006

OpenSSO

The Power of Open Source..