Saturday Feb 07, 2009

Two gotchas to keep in mind when using Jboss and OpenSSO

One of our partners was trying out OpenSSO with the JBoss 4.x application server, using it both to host OpenSSO and to run their J2EE apps. They called us with the following two issues:
  1. The OpenSSO install goes fine in the JBoss server. However, the moment we restart JBoss, we need to do the setup again!
    Ans: This seems to be a known problem: JBoss reinstalls the opensso.war file on startup, so the previous OpenSSO-OpenDS configuration is wiped out. The solution, as described in this helpful blog, was to create an opensso.war directory under and unzip OpenSSO into it. This way OpenSSO is not redeployed when the JBoss server is started again.
  2. The OpenSSO agent install goes fine, but after the install, when we access the OpenSSO sample app, we get a classpath not found error!
    Ans: The first thing I need to say is that the OpenSSO 3.0 agent for JBoss seems to be in Beta, so we did not try it at all. We used the OpenSSO 2.2 agent for JBoss. The problem was the change that is supposed to be made in run.sh, as given in http://docs.sun.com/app/docs/doc/819-7169/6n94q2rk5?a=view . There is a small typo there. The correct syntax is . /opt/jboss-4.0.2/bin/setAgentClasspath$CONFIG.sh (that is, a dot, a space and then /opt/jboss-4.0.2/bin/setAgentClasspath$CONFIG.sh), so that the script is sourced into the shell that launches JBoss and the classpath it sets is not lost in a child process. The Windows instructions are correct, but the Solaris and Linux instructions have this issue. There are no instructions for the OpenSSO 3.0 agent version, hence we did not try it. Also, the agent sample that gets shipped is written for Access Manager (the older version) and needs to be changed to reflect the admin console of OpenSSO.

Monday Jan 12, 2009

Protecting Jboss applications, setting up JDBC authentication and JDBC Password Syntax Transform using OpenSSO

We (myself and Ramesh Nagappan) recently helped a partner set up an OpenSSO integration with their J2EE applications. The requirements were the following:
  1. J2EE based web application running on Jboss 4.x
  2. The web app used an Oracle database as the user repository
  3. The password field was encrypted in the database
  4. They also needed to integrate Biometric based security for their web application

The following software will be needed:
  1. JDK 1.6.x (preferred) or JDK 1.5.x
  2. OpenSSO bits: Download the opensso.zip file at https://opensso.dev.java.net/
  3. Glassfish app server: Download Glassfish from https://glassfish.dev.java.net/downloads
  4. OpenSSO agent for Jboss 4.0.x
  5. You can find a list of Agents at https://opensso.dev.java.net/public/agents.html
  6. There is early access OpenSSO 3.0 agent for Jboss 4.x at http://download.java.net/general/opensso/nightly/20090107.1/j2eeagents/

The next set of instructions are:
  1. Install the Glassfish app server. This is as simple as unzipping the zip file and following the install instructions in the README file.
  2. Install OpenSSO, this is given in more detail in the next section

The first step is to make sure we have a machine with a fully qualified domain name and a static IP address. Before we start installing OpenSSO, we need to make sure the server has a fully qualified domain name. This can be done by means of an entry in the hosts file (on Unix as well as on Windows) like the one below:
191.168.12.1 myserver myserver.domain.com

  1. Create a base directory. "/opensso_bits"
  2. Install GlassFish. If you already have GlassFish running, go to next step.
  3. Start Glassfish instance and make the following changes to the instance on which opensso is being deployed (fam)
    
    cd /bin
    ./asadmin start-domain
    
    ./asadmin delete-jvm-options  --port 4848 --user admin "\\-client"
    ./asadmin create-jvm-options  --port 4848 --user admin "\\-server"
    
    ./asadmin delete-jvm-options  --port 4848 --user admin "\\-Xmx512m"
    ./asadmin create-jvm-options  --port 4848 --user admin "\\-Xmx1G"
    
    
    Note: With the above commands we are switching the JVM to server mode and increasing the heap memory to 1GB.
  4. Restart the glassfish instance.
    cd /bin
    ./asadmin stop-domain
    ./asadmin start-domain
    
    
  5. Deploy OpenSSO on the Glassfish domain. Then go to http://myserver.company.com/opensso; you should get the configuration page. We can select either the express configuration setup or the customized setup. Most of the details should be pre-filled. If you have issues, check that the user running glassfish/opensso has the right permissions. After everything, you'll see the messages "Configuration Complete" and "Proceed to Login". Click on "Proceed to Login".
  6. Login as amadmin with the corresponding password.
  7. Go to Access Control tab, click on the opensso realm name, click on Agents, click on 2.2 agents and click New (This is needed as the Jboss agent is still in the older 2.2.x agent family. When we get the newer 3.0 agents, the steps will be different. I have just found after we did this exercise, that there is a nightly build early access 3.0 agent for Jboss 4.x at http://download.java.net/general/opensso/nightly/20090107.1/j2eeagents/)
  8. Create new Agent, with name TestProfile and password (these data will be used while configuring the agent).
  9. Create a new Policy to protect the Jboss application, with the following data:
    Rule : http://myjbossapp.domain.com:8080/*
    Subject: Can be authenticated users, or roles etc
    Conditions: Optional
    
  10. Installation of OpenSSO agent for Jboss 4.0.x. The documentation is available at http://docs.sun.com/app/docs/doc/819-7169
     
    Unzip the OpenSSO (Access Manager) agent in a temporary directory.
    Go to the directory
    C:\SJS_JBoss_4.0_Server_agent_2.2-01\j2ee_agents\am_jboss_agent\bin>
    
    Run the agentadmin --install command (two dashes).
    
    A sample summary of responses is given below (please change the values as per your JBoss installation directory)
    -----------------------------------------------
    SUMMARY OF YOUR RESPONSES
    -----------------------------------------------
    JBoss Server Config Directory : C:\jboss-4.0.5.GA\server\default\conf
    
    Access Manager Services Host : manimac1.mani.com
    Access Manager Services Port : 9090
    Access Manager Services Protocol : http
    Access Manager Services Deployment URI : /opensso
    Agent Host name : manimac1.mani.com
    Agent permissions gets added to java permissions policy file : false
    Application Server Instance Port number : 8080
    Protocol for Application Server instance : http
    Deployment URI for the Agent Application : /myapp
    Encryption Key : 9fwEMd2mKLH8OPDLZ1lW8edVxfJRYu3+
    Agent Profile name : TestProfile
    Agent Profile Password file name : /opensso/agentpassword
    
    
  11. The next changes are in the web.xml file of the JBoss J2EE application, please see the section “Installing the Agent Filter for the Deployed Application on Agent for JBoss Application Server 4.0” at http://docs.sun.com/app/docs/doc/819-7169/6n94q2rk5?a=view
  12. Restart JBoss

Setting up JDBC Authentication and tackling encrypted passwords ..

The partner application used an Oracle database table for user authentication, and the password field in the database was encrypted. Hence, we needed to do the following steps to make the JBoss app use the JDBC authentication module of OpenSSO:
  1. The password field in the database was encrypted, hence we have to create a custom class (based on the original com.sun.identity.authentication.modules.jdbc.ClearTextTransform.java source code) which encrypts the password the user typed and returns it to the OpenSSO JDBC auth module, so that the module can compare it with the stored value. The source code of the sample password transform class is given below; the encryption step goes in place of the plain return. To compile this, add opensso.jar to your classpath.
    import com.sun.identity.authentication.spi.AuthLoginException;
    import com.sun.identity.authentication.modules.jdbc.*;
       
    /**
     * A very simple test implementation of the JDBC Password Syntax Transform.
     */
    public class MyPasswordTextTransform implements JDBCPasswordSyntaxTransform  {
        /** 
         * Creates a new instance of MyPasswordTextTransform. 
         */
        public MyPasswordTextTransform() {
        }
        
        /** 
         * This simply returns the clear text format of the password. 
         *
         * @param input Password before transform
         * @return Password after transform, in this case the same thing.
         * @throws AuthLoginException
         */  
        public String transform(String input) throws AuthLoginException {
            if (input == null) {
                throw new AuthLoginException(
                    "No input to the Clear Text Transform!");
            }
            // Apply the same encryption the database uses to the input here,
            // so that the JDBC module compares like with like.
            return input;
        }
    }
    
    
  2. Copy this class to the opensso/WEB-INF/classes directory. I have a problem relating to using a package for this class: OpenSSO is not able to load the class, and this is yet to be resolved. If it is only a class name, there seems to be no problem.
  3. Copy the JDBC driver of the database to the OpenSSO Lib directory
  4. Under the Authentication tab, create a New Module instance of JDBC. The JDBC fields are fairly self explanatory. The prepared statement should be changed to reflect the database schema.
  5. Change the transform password syntax field from com.sun.identity.authentication.modules.jdbc.ClearTextTransform to be MyPasswordTextTransform
  6. Create a new Authentication chain, and add the JDBC module created in the previous step with Required flag
  7. Change the Default authentication chain to be the new JDBC authentication chain.
  8. Log out, and try accessing http://openssoserver.company.com/opensso with a user which is present in the database.
  9. If there are issues, log back in as amadmin and debug the issues. Most of the issues could be with JDBC connectivity.

Setting up Biometric Authentication with OpenSSO..

We relied on the expertise of Ramesh Nagappan as documented in his article at http://developers.sun.com/identity/reference/techart/bioauthentication.html . The Biometric module will be one more authentication module in the authentication chain. It's recommended that Biometric authentication be combined with another factor like username/password or digital certificates. Setting this up will require the following:
  1. Biometric scanners like Fingerprint scanners, which are certified to work with Sun OpenSSO. Install the scanners in the client PCs and install drivers, and test that they are working. The client desktops will also need to have a latest JRE installed.
  2. Install the Biometric server software
  3. Setup the Biometric authentication on the opensso server
  4. Test everything works
Hope this blog has been useful!
About

Ramblings of a Sun engineer based in Bangalore, India. Strictly my own views and not my employer's.
