Telecommunication with an SSL Data Store

This blog entry is two years old. You can now do this with the OpenSSO configurator when you deploy the WAR.

I found this procedure internally and I thought it might help some externally. The engineer was configuring OpenSSO to communicate with an SSL data store.

  1. Set up your data store with SSL enabled, and obtain the root CA certificate that issued its server certificate. Import the CA certificate rather than the server's own certificate; the trust then survives a renewal of the server certificate.
  2. Import that root certificate into the truststore of the JVM that runs the web container using the following command:

    JAVA_HOME/bin/keytool -import -trustcacerts -keystore keystore_file_name -alias alias_name -storepass changeit -file certificate_file_name

    changeit is the default password of the JDK's cacerts truststore; use the real one if it has been changed. (-keyalg is a key-generation option and has no effect on an import.) Confirm the import with JAVA_HOME/bin/keytool -list -keystore keystore_file_name -storepass changeit -alias alias_name, which should list the alias as a trustedCertEntry.
    • For Sun Application Server 9.1, keystore_file_name in the default domain1 is /opt/SUNWappserver/domains/domain1/config/cacerts.jks
    • For Sun Web Server 7.0U1, keystore_file_name is /usr/jdk/entsys-j2se/jre/lib/security/cacerts
  3. Restart the web container so that the JVM picks up the new truststore contents.
  4. Deploy opensso.war.
    The WAR configurator in this version cannot be pointed at the SSL port, so point it at the non-SSL port for now; the SSL port is set in steps 6 and 7.
  5. Log in to the administration console as the administrator (amadmin by default).
  6. Create a new data store configuration or edit the existing one.
    Click the Data Stores tab for the appropriate realm under the Access Control tab. Be sure to set the following two attributes:
    • LDAP Server must contain the host name and SSL port of the SSL data store. Use the host name the server certificate was issued for rather than an IP address.
    • LDAP SSL must be checked; otherwise OpenSSO opens a plaintext LDAP connection to that port.
  7. Create a new entry that points to the SSL port of the data store.
    Click the Directory Configuration tab after choosing the appropriate Server under the Sites and Servers tab, located under the Configuration tab. Select New... under User and configure the entry so that it points to the SSL port.
  8. Delete the default non-SSL entry and save.
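The checks a practitioner would want around steps 2, 3 and 6, as an added shell example that is not part of the original post or of OpenSSO itself. The host ds.example.com, port 636, the alias and the file paths are placeholders; the script assumes keytool from JAVA_HOME/bin and OpenSSL 1.0.2 or later on PATH and a PEM-encoded CA certificate. ldap_url reproduces the "LDAP Server" plus "LDAP SSL" settings of step 6 and rejects the common mismatch (SSL checked, plaintext port, or the reverse); import_trust_anchor is step 2 with a guard that the file really is a CA certificate and a check that the alias landed as a trustedCertEntry; check_ldaps_handshake does from the shell what the container's JVM will do after the restart.

```shell
#!/bin/sh
# Added example (not from the original post): checks for an OpenSSO -> LDAPS data store.
# Assumptions: host, port, alias and paths below are placeholders; keytool and
# openssl (1.0.2+ for -verify_hostname) are on PATH; CA_CERT is a PEM file.
set -u

DS_HOST="${DS_HOST:-ds.example.com}"        # assumed data store host name
DS_SSL_PORT="${DS_SSL_PORT:-636}"            # assumed LDAPS port
CA_CERT="${CA_CERT:-/tmp/ds-root-ca.pem}"    # assumed path to the data store's root CA
TRUSTSTORE="${TRUSTSTORE:-/opt/SUNWappserver/domains/domain1/config/cacerts.jks}"  # App Server 9.1 default
STOREPASS="${STOREPASS:-changeit}"           # JDK truststore default password
ALIAS="${ALIAS:-ds-root-ca}"                 # assumed alias for the trust anchor

# The URL OpenSSO effectively uses from the "LDAP Server" field (host and port)
# and the "LDAP SSL" checkbox (yes/no). Fails on a non-numeric port and on the
# classic mismatch: SSL checked with the plaintext default port, or the reverse.
ldap_url() {
  host=$1 port=$2 ssl=$3
  case "$port" in
    ''|*[!0-9]*) echo "LDAP Server port is not numeric: '$port'" >&2; return 1 ;;
  esac
  if [ "$ssl" = yes ]; then
    if [ "$port" -eq 389 ]; then
      echo "LDAP SSL is checked but the port is the plaintext default 389" >&2; return 1
    fi
    echo "ldaps://$host:$port"
  else
    if [ "$port" -eq 636 ]; then
      echo "LDAP SSL is unchecked but the port is the LDAPS default 636" >&2; return 1
    fi
    echo "ldap://$host:$port"
  fi
}

# True when the PEM file carries basicConstraints CA:TRUE, i.e. it is a CA
# certificate and not the server's leaf certificate.
cert_is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Step 2 of the post, non-interactive, followed by a check that the alias is
# present in the truststore as a trustedCertEntry.
import_trust_anchor() {
  cert_is_ca "$CA_CERT" || { echo "$CA_CERT is not a CA certificate" >&2; return 1; }
  keytool -import -noprompt -trustcacerts -keystore "$TRUSTSTORE" -storepass "$STOREPASS" \
    -alias "$ALIAS" -file "$CA_CERT" || return 1
  keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
    | grep -q trustedCertEntry
}

# The handshake the container's JVM will attempt after the restart: the LDAPS
# listener must present a chain that verifies against the imported CA and a
# certificate issued for the host name used in the "LDAP Server" field.
check_ldaps_handshake() {
  openssl s_client -connect "$DS_HOST:$DS_SSL_PORT" -CAfile "$CA_CERT" \
    -verify_hostname "$DS_HOST" -verify_return_error </dev/null >/dev/null 2>&1
}

run_all() {
  import_trust_anchor && echo "trust anchor imported as '$ALIAS' into $TRUSTSTORE"
  url=$(ldap_url "$DS_HOST" "$DS_SSL_PORT" yes) && echo "data store URL: $url"
  check_ldaps_handshake && echo "LDAPS handshake to $DS_HOST:$DS_SSL_PORT verified against $CA_CERT"
}

# Only act when invoked with "run"; sourcing the file just defines the functions.
case "${1:-}" in run) run_all ;; esac
```

Run it as sh check-ldaps.sh run after exporting DS_HOST, DS_SSL_PORT, CA_CERT and TRUSTSTORE for your installation; a failing handshake with a valid import usually means the "LDAP Server" host name does not match the name in the server certificate, or the listener's certificate was issued by a different CA than the one imported.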
And now OpenSSO is configured to communicate with a secure directory. In celebration here's another type of communication: Telecommunication, live by A Flock of Seagulls.

Comments:

Step 7 and Step 8 do not make sense with OpenSSO Enterprise 8. When I go to the Directory Configuration tab, my option is to add a new Server, not a User. Has this changed? I have added another server but did not delete the non-SSL server entry, as this points to the embedded store. Should I delete it? Or should I just give up, go home, and drink a few? Any help or insight would be most appreciated.

Posted by Andy Jartz on August 26, 2009 at 07:02 AM PDT #

Thanks again for this useful information! I will create an issue in the Issue Tracker with this post as a workaround.

I didn't see an issue filed for it in the Issue Tracker and wasted a couple of hours this morning trying to use the "Enable SSL" option of the configurator to set up SSL communication for the Configuration Data Store.

Posted by Bijan Vakili on January 11, 2010 at 12:16 AM PST #

Sorry you wasted a few hours, Bijan, but I'm glad you found the entry.

This might sound self-serving but I've written so much on this blog over the last three years that when I need info I can usually find it by searching 'docteger' and the subject I am looking for. Ten to one, something will come up that I've already written. Who knew? ;>

Posted by DocTeger on January 11, 2010 at 12:29 AM PST #

By the way, besides the following locations, do you know of anywhere else that references the LDAP connection information? Thanks.

Access Control->Realm->Directory Servers->LDAP Server & LDAP SSL

Configuration->Authentication->LDAP->Primary LDAP Server & SSL Access to LDAP Server

Configuration->Servers and Sites->Directory Configuration->New Server & Delete Server1

Namely, do any of the files in the OpenSSO Configuration Directory need an update?

Thanks again.

Posted by Bijan Vakili on January 11, 2010 at 12:45 AM PST #

OpenSSO does support configuration of a secured (SSL) datastore through the configurator. There are no workarounds needed. Please check the official docs.

Posted by guest on January 11, 2010 at 03:53 AM PST #

Bijan, I'm not sure where in the config directory there might be LDAP values. You might check the opensso alias archives or just send a question.

To 192.18.121.211: this entry was written 2 years ago.

Posted by DocTeger on January 11, 2010 at 04:45 AM PST #
