Deploying OpenSSO on WebSphere 6.1 AIX

Thanks to Emily, developer extraordinaire, for the following procedure.

Following are the steps you need to run OpenSSO on WebSphere 6.1 AIX:
  1. After deploying the WAR and before running the configurator, modify the /export/IBM/WebSphere/AppServer/profiles/AppSrv01/properties/server.policy and /export/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/itsyNode01Cell/nodes/itsyNode01/servers/server1/server.xml files as follows.

    CAUTION: Backup both files before making any modifications.

    1. Add the following Java security permissions to server.policy:

      
      // ADDITIONS FOR Access Manager
      grant {
      permission java.net.SocketPermission "\*", "connect,accept,resolve";
      permission java.util.PropertyPermission "\*", "read, write";
      permission java.lang.RuntimePermission "modifyThreadGroup";
      permission java.lang.RuntimePermission "setFactory";
      permission java.lang.RuntimePermission "accessClassInPackage.\*";
      permission java.util.logging.LoggingPermission "control";
      permission java.lang.RuntimePermission "shutdownHooks";
      permission javax.security.auth.AuthPermission "getLoginConfiguration";
      permission javax.security.auth.AuthPermission "setLoginConfiguration";
      permission javax.security.auth.AuthPermission "modifyPrincipals";
      permission javax.security.auth.AuthPermission "createLoginContext.\*";
      permission java.io.FilePermission "\*", "read,write,execute,delete";
      permission java.util.PropertyPermission "java.util.logging.config.class", "write";
      permission java.security.SecurityPermission "removeProvider.SUN";
      permission java.security.SecurityPermission "insertProvider.SUN";
      permission javax.security.auth.AuthPermission "doAs";
      permission java.util.PropertyPermission "java.security.krb5.realm", "write";
      permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
      permission java.util.PropertyPermission "java.security.auth.login.config", "write";
      permission java.util.PropertyPermission "user.language", "write";
      permission javax.security.auth.kerberos.ServicePermission "\*", "accept";
      permission javax.net.ssl.SSLPermission "setHostnameVerifier";
      permission java.security.SecurityPermission "putProviderProperty.IAIK";
      permission java.security.SecurityPermission "removeProvider.IAIK";
      permission java.security.SecurityPermission "insertProvider.IAIK";
      };
      // END OF ADDITIONS FOR Access Manager
    2. Modify server.xml as follows:

      1. Add the following JVM entries:

        genericJvmArguments="-Djava.awt.headless=true 
        -DamCryptoDescriptor.provider=IBMJCE 
        -DamKeyGenDescriptor.provider=IBMJCE"/>
      2. If using SSL, add the following properties and JVM entries (in bold):

        </cacheGroups> </services>
        <properties xmi:id="Property_1120370477732" name="amCryptoDescriptor.provider" value="IBMJCE" required="false"/>
        <properties xmi:id="Property_1120370511939" name="amKeyGenDescriptor.provider" value="IBMJCE" required="false"/>
        genericJvmArguments="-Djava.awt.headless=true
        -Djava.protocol.handler.pkgs=com.ibm.net.ssl.internal.www.protocol
        -DamCryptoDescriptor.provider=IBMJCE -DamKeyGenDescriptor.provider=IBMJCE"/>
  2. After configuring OpenSSO but before running the SAMLv2 sample configurator, change the JSP compile version to 1.5 using the jdkSourceLevel parameter.

    WebSphere Application Server version 6.1 uses JDK 1.5. By default though, the SAMLv2 JSP's JDK source level uses JDK 1.3. As the SAMLv2 sample configurator uses the JDK 1.5 syntax, running it with the default source level will not work. You can add, change or delete any JSP engine configuration parameters (including the source level) with the WEB-INF/ibm-web-ext.xmi file. A sample of the WEB-INF/ibm-web-ext.xmi file is pasted below. The lines in bold text are JSP engine configuration parameters.

    
    <?xml version="1.0" encoding="UTF-8"?>
    <webappext:WebAppExtension xmi:version="2.0" xmlns:xmi=http://www.omg.org/XMI
    xmlns:webappext="webappext.xmi" xmlns:webapplication="webapplication.xmi" xmi:id="WebAppExtension_1" reloadInterval="9" reloadingEnabled="true" defaultErrorPage="error.jsp" additionalClassPath="" fileServingEnabled="true" directoryBrowsingEnabled="false" serveServletsByClassnameEnabled="true" autoRequestEncoding="true" autoResponseEncoding="false"
    <webApp href="WEB-INF/web.xml#WebApp_1"/>
    <jspAttributes xmi:id="JSPAttribute_1" name="useThreadTagPool" value="true"/>
    <jspAttributes xmi:id="JSPAttribute_2" name="verbose" value="false"/>
    <jspAttributes xmi:id="JSPAttribute_3" name="deprecation" value="false"/>
    <jspAttributes xmi:id="JSPAttribute_4" name="reloadEnabled" value="true"/>
    <jspAttributes xmi:id="JSPAttribute_5" name="reloadInterval" value="5"/>
    <jspAttributes xmi:id="JSPAttribute_6" name="keepgenerated" value="true"/>
    <!-- <jspAttributes xmi:id="JSPAttribute_7" name="trackDependencies" value="true"/> -->
    </webappext:WebAppExtension>

    Note: The integer in the JSPAttribute_n ID must be unique within the file.

    The following procedure illustrates how to modify the WEB-INF/ibm-web-ext.xmi file parameters. An example where we have added the jdkSourceLevel parameter follows after. jdkSourceLevel is a new JSP engine parameter which was introduced in WebSphere Application Server version 6.1 to support JDK 5. (Here is a listing of JSP engine parameters.) jdkSourceLevel should be used instead of the compileWithAssert parameter, although compileWithAssert still works in version 6.1. jdkSourceLevel parameter values are:
    • 13 (default) - This value will disable all new language features of JDK 1.4 and JDK 5.0.
    • 14 - This value will enable the use of the assertion facility and will disable all new language features of JDK 5.0.
    • 15 - This value will enable the use of the assertion facility and all new language features of JDK 5.0.

    CAUTION: Backup WEB-INF/ibm-web-ext.xmi before making any modifications.

    1. Open WEB-INF/ibm-web-ext.xmi.
      WEB-INF/ibm-web-ext.xmi is located in either of the following directories.

      • The web module's configuration directory as in:

        WAS_ROOT/profiles//profilename//config/cells//cellname//applications//enterpriseappname// deployments//deployedname///webmodulename/
      • The web modules's binaries directory which is created if an application was deployed with the flag Use Binary Configuration set to true. In this case, the directory is:

        WAS_ROOT/profiles//profilename//installedApps//nodename///enterpriseappname///webmodulename//

    2. Edit WEB-INF/ibm-web-ext.xmi as follows.

      • To add configuration parameters, use the format:

        xmi:id="JSPAttribute_6" name="parametername" value="parametervalue"/>
      • To remove configuration parameters, either delete the line from the file, or enclose the statement with brackets and dashes as in:

        <!-- --> tags.
    3. For example, you can change /WEB-INF/ibm-web-ext.xmi to:

      <?xml version="1.0" encoding="UTF-8"?> <com.ibm.ejs.models.base.extensions.webappext:WebAppExtension xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:com.ibm.ejs.models.base.extensions.webappext="webappext.xmi" xmi:id="WebAppExtension_1185836603523"> <webApp href="WEB-INF/web.xml#WebApp_1185836603521"/> <jspAttributes xmi:id="JSPAttribute_1185836603523" name="reloadEnabled" value="true"/> <jspAttributes xmi:id="JSPAttribute_1185836603524" name="reloadInterval" value="10"/> <jspAttributes xmi:id="JSPAttribute_1" name="jdkSourceLevel" value="15"/> </com.ibm.ejs.models.base.extensions.webappext:WebAppExtension>

    4. Save the file.
    5. Restart the application.

      It is not necessary to restart WebSphere for parameter changes to take effect. However, some JSP engine configuration parameters affect the Java source code that is generated for a JSP. If such a parameter is changed, you must retranslate the JSP files in the web module to regenerate Java source. You can use the batch compiler to retranslate all the JSP files in a web module which uses the JSP engine configuration parameters set in the ibm-web-ext.xmi unless specifically overriden. JSP engine configuration parameters identifies the parameters that affect the generated Java source.
  3. Before running setup -p configuration path, modify the setup script by inserting

    -D"amCryptoDescriptor.provider=IBMJCE" -D"amKeyGenDescriptor.provider=IBMJCE"

    before -cp on the last line and save the file.
  4. Before running famadm do the following:

    • Add the :${TOOLS_HOME}/lib/xalan.jar to the classpath after openfedlib.jar.
    • Add the line

      -D"amKeyGenDescriptor.provider=IBMJCE" -D"amCryptoDescriptor.provider=IBMJCE"

      before com.sun.identity.cli.CommandManager AND before com.sun.identity.tools.bundles.Main in the famadm file and save it.
  5. Before running ampassword add

    -D"amCryptoDescriptor.provider=IBMJCE" -D"amKeyGenDescriptor.provider=IBMJCE"

    before com.iplanet.services.ldap.ServerConfigMgr AND before com.sun.identity.tools.bundles.Main in the ampassword file and save it.
  6. And in honor of our developer extraordinaire, here is Adam Green with his song and video entitled, what else, Emily.

Comments:

why the directoryBrowsingEnabled is set to false in ibm-web-ext.xmi file? please i have need the definition for this...

Posted by Kabali on March 28, 2008 at 11:24 PM PDT #

That is not intentional. The example just took the default file. You can set other attributes in the xmi file as needed. But need to set jdkSourceLevel to 15.

Posted by Emily Xu on March 31, 2008 at 02:55 AM PDT #

Sounds good to me, Emily. Thanks.

Posted by DocTeger on March 31, 2008 at 07:29 AM PDT #

Hello - do you know when the agent 3.0 is available for Websphere?? We are keen!

Posted by Rob A on November 19, 2008 at 11:27 PM PST #

Hi,

Do you have any steps to be performed when you install OpenSSO on WebSphere 6.1 with Web Service Future packs... Without WSFP it works fine..

Thanks...

Posted by Ranjan on September 21, 2009 at 07:08 AM PDT #

Sorry, Ranjan, I don't. You might try the OpenSSO users alias.

Posted by Michael Teger on September 21, 2009 at 07:23 AM PDT #

Post a Comment:
Comments are closed for this entry.
About

docteger

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today