Monday Aug 24, 2009

Using Alfresco with Sun software products

Alfresco is a very popular open source content management system (CMS) and document management system (DMS). It competes well with commercial offerings. There have been a few requests from technical folks about the integration points between Alfresco and Sun software, primarily the Glassfish application server, Sun Webspace portal server and OpenSSO.

Alfresco and Glassfish
Running Alfresco on Glassfish application server is pretty easy. This is well documented in Amanda's blog and also the Alfresco web site.

Alfresco and OpenSSO
Alfresco is well integrated with OpenSSO and Sun Directory server.

Alfresco and Sun Webspace Portal server
The content and documents managed in Alfresco can be displayed or administered in Sun Webspace portal via portlets. The Alfresco web services API or the CMIS API can be used to accomplish this. There is also a white paper written by our ISV engineering team; let me know if you need it.

On a final note, the Sun Webspace server has a built-in content management and document management system. If your requirements can be met with what Webspace offers, then there is no need to use a separate CMS and DMS ;-)

Wednesday Feb 25, 2009

Verizon Uses OpenSSO and Directory Server to Enable 75M Users

I had to blog about this. Verizon is live with 40 million users, 1 million logins per day, and peaks at 4,000 logins per minute, using OpenSSO and Sun Directory Server!! As an architect, this is the kind of scalability that we like to brag about (publicly!!). Please see the blogs by Dan Raskin and Nick Wooler. The Verizon presentation is at .

Saturday Feb 07, 2009

Two gotchas to keep in mind when using Jboss and OpenSSO

One of our partners was trying out OpenSSO with the JBoss 4.x application server, to host OpenSSO as well as run their J2EE apps. They called us with the following two issues:
  1. The OpenSSO install goes fine in the JBoss server. However, the moment we restart JBoss, we need to do the setup again!!
    Ans: This seemed to be a known problem, wherein JBoss reinstalls the opensso.war file and hence the previous OpenSSO-OpenDS configuration is wiped out. The solution, as described in this helpful blog, was to create an opensso.war directory under and unzip OpenSSO into it. This way OpenSSO is not redeployed when the JBoss server is started again.
  2. The OpenSSO agent install goes fine, but after the install, when we access the OpenSSO sample app, we get a classpath not found error!!
    Ans: The first thing I need to say is that the OpenSSO 3.0 agent for JBoss seems to be in Beta, so we did not try it at all. We used the OpenSSO 2.2 agent for JBoss. The problem seemed to be the change that was supposed to be done in , as given in . There is a small typo there. The correct syntax is ". /opt/jboss-4.0.2/bin/setAgentClasspath$" (that is a dot, a space, and then /opt/jboss-4.0.2/bin/setAgentClasspath$, so that the script is sourced into the current shell rather than run as a separate process). The Windows instructions are correct, but the Solaris and Linux instructions have this issue. There are no instructions for the OpenSSO 3.0 version, hence we did not try it. Also, the agent sample that gets shipped is written for Access Manager (the older version) and needs to be changed to reflect the admin console of OpenSSO.

Monday Jan 12, 2009

Protecting Jboss applications, setting up JDBC authentication and JDBC Password Syntax Transform using OpenSSO

We (myself and Ramesh Nagappan) recently helped a partner set up an OpenSSO integration with their J2EE applications. The requirements were:
  1. J2EE based web application running on JBoss 4.x
  2. The web app used an Oracle database as the user repository
  3. The password field was encrypted in the database
  4. They also needed to integrate biometric security for their web application

The following software will be needed:
  1. JDK 1.6.x (preferred) or JDK 1.5.x
  2. OpenSSO bits: Download the file at
  3. Glassfish app server: Download Glassfish from
  4. OpenSSO agent for Jboss 4.0.x
  5. You can find a list of Agents at
  6. There is early access OpenSSO 3.0 agent for Jboss 4.x at

The next set of instructions are:
  1. Install the Glassfish app server. This is as simple as unzipping the zip file and following the install instructions in the README file. Very simple.
  2. Install OpenSSO. This is given in more detail in the next section.

The first step is to make sure we have a machine with a fully qualified domain name and a static IP address. Before we start installing OpenSSO, the server must resolve under that fully qualified domain name. This can be done by means of an entry in the hosts file (on Unix as well as on Windows) like the one below: myserver

  1. Create a base directory. "/opensso_bits"
  2. Install GlassFish. If you already have GlassFish running, go to next step.
  3. Start the Glassfish instance and make the following changes to the domain on which OpenSSO is being deployed (fam):
    cd /bin
    ./asadmin start-domain
    ./asadmin delete-jvm-options --port 4848 --user admin "\-client"
    ./asadmin create-jvm-options --port 4848 --user admin "\-server"
    ./asadmin delete-jvm-options --port 4848 --user admin "\-Xmx512m"
    ./asadmin create-jvm-options --port 4848 --user admin "\-Xmx1G"
    Note: the commands above switch the JVM to server mode and increase the heap to 1GB.
  4. Restart the Glassfish instance.
    cd /bin
    ./asadmin stop-domain
    ./asadmin start-domain
  5. Deploy OpenSSO on the Glassfish domain. Then go to , and you should get the configuration page. We can select either the express configuration setup or the customized setup. Most of the details should be pre-filled. If you have issues, check that you have the right permissions as the user running Glassfish/OpenSSO. After everything, you'll see the messages "Configuration Complete" and "Proceed to Login". Click on "Proceed to Login".
  6. Login as amadmin with the corresponding password.
  7. Go to the Access Control tab, click on the opensso realm name, click on Agents, click on 2.2 agents and click New. (This is needed as the JBoss agent is still in the older 2.2.x agent family. When we get the newer 3.0 agents, the steps will be different. I found only after we did this exercise that there is a nightly build early access 3.0 agent for JBoss 4.x at )
  8. Create new Agent, with name TestProfile and password (these data will be used while configuring the agent).
  9. Create a new Policy to protect the Jboss application, with the following data:
    Rule: *
    Subject: Can be authenticated users, or roles etc.
    Conditions: Optional
  10. Installation of the OpenSSO agent for JBoss 4.0.x. The documentation is available at
    Unzip the OpenSSO (Access Manager) agent in a temporary directory.
    Go to the directory
    Run the agentadmin --install command (two dashes before install).
    A sample of the answers is given below (please change them as per your JBoss installation directory):
    JBoss Server Config Directory : C:\jboss-4.0.5.GA\server\default\conf
    Access Manager Services Host :
    Access Manager Services Port : 9090
    Access Manager Services Protocol : http
    Access Manager Services Deployment URI : /opensso
    Agent Host name :
    Agent permissions gets added to java permissions policy file : false
    Application Server Instance Port number : 8080
    Protocol for Application Server instance : http
    Deployment URI for the Agent Application : /myapp
    Encryption Key : 9fwEMd2mKLH8OPDLZ1lW8edVxfJRYu3+
    Agent Profile name : TestProfile
    Agent Profile Password file name : /opensso/agentpassword
  11. The next changes are in the web.xml file of the JBoss J2EE application, please see the section “Installing the Agent Filter for the Deployed Application on Agent for JBoss Application Server 4.0” at
  12. Restart JBoss

Setting up JDBC Authentication and tackling encrypted passwords ..

The partner application used an Oracle database table for user authentication, and the password field in the database was encrypted. Hence we needed to do the following steps to make the JBoss app use the JDBC authentication module of OpenSSO:
  1. The password field in the database was encrypted, hence we have to create a custom class (based on the original ClearTextTransform source code) which will encrypt the password in the same way and then return it to the OpenSSO JDBC auth module, so that it can be compared with the stored value. The source code of the sample password transform class is given below. To compile it, add opensso.jar to your classpath.
    import com.sun.identity.authentication.spi.AuthLoginException;
    import com.sun.identity.authentication.modules.jdbc.*;

    /**
     * A very simple test implementation of the JDBC Password Syntax Transform.
     */
    public class MyPasswordTextTransform implements JDBCPasswordSyntaxTransform {

        /** Creates a new instance of ClearTextTransform. */
        public MyPasswordTextTransform() {
        }

        /**
         * This simply returns the clear text format of the password.
         * @param input Password before transform
         * @return Password after transform, in this case the same thing.
         * @throws AuthLoginException if no input is given
         */
        public String transform(String input) throws AuthLoginException {
            if (input == null) {
                throw new AuthLoginException(
                    "No input to the Clear Text Transform!");
            }
            return input;
        }
    }
  2. Copy this class to the opensso/WEB-INF/classes directory. I have a problem relating to using a package for this class, and opensso not being able to load this class, this is yet to be resolved. If this is only a class name, then there seems to be no problem.
  3. Copy the JDBC driver of the database to the OpenSSO Lib directory
  4. Under the Authentication tab, create a New Module instance of JDBC. The JDBC fields are fairly self explanatory. The prepared statement should be changed to reflect the database schema.
  5. Change the transform password syntax field from com.sun.identity.authentication.modules.jdbc.ClearTextTransform to be MyPasswordTextTransform
  6. Create a new Authentication chain, and add the JDBC module created in the previous step with Required flag
  7. Change the Default authentication chain to be the new JDBC authentication chain.
  8. Log out, and try accessing with a user which is present in the database.
  9. If there are issues, log back in as amadmin and debug the issues. Most of the issues could be with JDBC connectivity.
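The sample above returns the password unchanged, which only works when the database stores clear text. The class below is an added example (not from this post, and not OpenSSO's own code) of what step 1 actually calls for: a transform that hashes the password typed at the login page so it matches a hashed value in the password column. The class name HashedPasswordTransform, the digest algorithm (SHA-256, lower-case hex, no salt) and the sample password are all assumptions; the real algorithm and encoding have to be taken from how the partner application writes the column, otherwise no login will ever succeed. As in step 2, the class deliberately has no package statement, so it can be dropped into opensso/WEB-INF/classes and named directly in the transform password syntax field of step 5. It uses only JDK 1.5/1.6 APIs and needs opensso.jar on the classpath to compile.

```java
import com.sun.identity.authentication.spi.AuthLoginException;
import com.sun.identity.authentication.modules.jdbc.JDBCPasswordSyntaxTransform;

import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/**
 * Password syntax transform that digests the password entered at login
 * so that the OpenSSO JDBC module can compare it with a hashed value
 * stored in the user table.
 *
 * Assumption (not from the blog post): the application stores passwords
 * as lower-case hex SHA-256 digests of the UTF-8 password, without a salt.
 * Change ALGORITHM and toHex() to match the application's real scheme.
 */
public class HashedPasswordTransform implements JDBCPasswordSyntaxTransform {

    /** Digest algorithm assumed to match the application's password column. */
    static final String ALGORITHM = "SHA-256";

    public HashedPasswordTransform() {
    }

    /**
     * @param input Password as typed by the user
     * @return Hex-encoded digest, the form expected in the database
     * @throws AuthLoginException if no input is given or the digest is unavailable
     */
    public String transform(String input) throws AuthLoginException {
        if (input == null) {
            // Same behaviour as the clear-text sample: refuse missing input.
            throw new AuthLoginException("No input to the password transform!");
        }
        try {
            MessageDigest md = MessageDigest.getInstance(ALGORITHM);
            byte[] digest = md.digest(input.getBytes("UTF-8"));
            return toHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new AuthLoginException("Digest algorithm not available: " + ALGORITHM);
        } catch (UnsupportedEncodingException e) {
            throw new AuthLoginException("UTF-8 encoding not available");
        }
    }

    /** Lower-case hex encoding, two characters per byte, no separators. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /**
     * Stand-alone check, outside OpenSSO. The "stored" value is constructed
     * here with the same transform; in the real setup it comes from the
     * prepared statement's password column.
     */
    public static void main(String[] args) throws AuthLoginException {
        HashedPasswordTransform t = new HashedPasswordTransform();
        String storedInDb = t.transform("Secret123");   // constructed sample value
        System.out.println("stored value:   " + storedInDb);
        System.out.println("correct password matches: "
            + storedInDb.equals(t.transform("Secret123")));
        System.out.println("wrong password matches:   "
            + storedInDb.equals(t.transform("secret123")));
    }
}
```

The JDBC module only ever sees the string this method returns, so the transform is the one place where the encoding must agree with the database, byte for byte: a different character set, upper-case hex, a missing salt or a different digest all show up as "invalid password" rather than as an obvious error. When a login fails after installing the class, compare the value printed by main() with a row from the table before suspecting JDBC connectivity (step 9).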

Setting up Biometric Authentication with OpenSSO..

We relied on the expertise of our expert, Ramesh Nagappan, as documented in this article at . The Biometric module will be one more authentication module in the authentication chain. It's recommended that biometric authentication be combined with another factor like username/password or digital certificates. Setting this up will require the following:
  1. Biometric scanners, like fingerprint scanners, which are certified to work with Sun OpenSSO. Install the scanners in the client PCs, install the drivers, and test that they are working. The client desktops will also need to have the latest JRE installed.
  2. Install the Biometric server software
  3. Setup the Biometric authentication on the opensso server
  4. Test everything works
Hope this blog has been useful !!!!

Wednesday Jul 23, 2008

Sun Announces Support for OpenSSO Express

Sun Announces OpenSSO Express Support

July 23, 2008—Sun today announces comprehensive, enterprise-class support and indemnification for OpenSSO, the open source code-base from which Sun Access Manager is derived. And Sun is making its Sun Access Manager offering even more attractive to enterprises by extending support to also include OpenSSO Express, early access versions of the next Access Manager release that have been fully tested and certified by the OpenSSO community.

More details are available at . They already seem to have Alcatel-Lucent as an OpenSSO user, that's great!! I think we have a lot of opportunities for OpenSSO in India.

Ramblings of a Sun engineer based in Bangalore, India. Strictly my own views and not my employer's.

