Federated Access Manager TOI, Session 3

Friday, February 8 was the third and final session of the Federated Access Manager TOI. Following are links to the first two session entries, the topics covered in this third session, and my notes.

Upgrade
Bina

FAM8 supports upgrade from:
  • JES AM versions of 6.3/7.0/7.1 (6.2 TBD)
  • AM 7.1 War based installations
  • FM 7.0 to FAM 8.0

  • Supports backwards compatibility of all existing features (with exceptions, e.g. IDFF)
  • AM 7.0/7.1 Client SDK and full AM SDK versions are compatible with FAM 8.0.
  • Modes
    • Legacy to Legacy or Realm
    • Realm to Realm
Must upgrade all AM server instances and all AM SDK instances

HIGH-LEVEL UPGRADE PROCESS:

NOTE: Use the same URI as your previous install (amserver rather than fam) or you will have to change the URI in many places that the upgrade scripts do not touch.

  • Upgrade instances of directory servers and web containers
  • Upgrade the FAM8 bits with UI customizations and regenerate WAR
  • Deploy FAM8 WAR and configure

FAM8 supports coexistence with:
  • AM 7.0, AM 7.1 with FAM 8.0 (Realm/Legacy)
  • FM 7.0 with FAM 8.0 (Legacy) (TBD)

Security Token Service
Mrudul

Security Token Service (STS) is a web service that provides the issuance and management of security tokens. It is built as a part of the OpenSSO WAR and deployed as a web service end point (servlet).
  • Speaks WS-Trust protocol
  • Allows plugins for different token implementations
  • Allows plugins for different token validations
  • Provides WS-Trust protocol-based client APIs for clients and applications to access STS
  • Provides WS-I BSP-based security tokens such as UserName, X509, SAML, etc.

Sequence Flow:

Configured under the Agent tab (profiles) in the GUI

Uses WS-Metadata Exchange protocol (MEX)

Web Services Security
Mrudul

Information on docs.sun

Samples to be included:

The client could be
  • End user identity
  • Web services client application identity

Embedded Config Store: OpenDS
Rajeev

Embed open source OpenDS in FAM 8 - not productized Sun DS

2 modes: single server or multiple instances

Info in blog entries:

3rd Party Access Manager Product Integration
Malla

  • Simple SSO integration between FAM and SiteMinder and Oracle Access Manager in the same internet domain
  • Enable legacy OAM and SM deployments for Federation protocols
My notes that you, the reader, would not understand:
third party AM in IDP Environment slide
5 and 6 as they are are optional steps
5 should be 4
6 should be 5
4 should be 6

Session Failover
Beomsuk

Using Oracle Berkeley DB Java Edition
  • 100% pure Java for platform independence
  • Optimized for Java applications that require high throughput and concurrency
  • Direct Persistence Layer (DPL) API for EJB-style POJO persistence, as well as a Java Collections API
  • Single JAR file for easy integration
Nothing to document as this is all transparent to user

Berkeley DB is nothing but a bunch of APIs (?)
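The notes say the Berkeley DB JE store is transparent to the user, so nothing on the page shows the DPL in use. As an added illustration that is not OpenSSO or Oracle code, the following Java sketch persists session records through the DPL's EntityStore/PrimaryIndex API with a secondary index on expiry, so that a failover peer can look a session up by its id and expired sessions can be purged. The SessionRecord class, its fields, the store name and the directory are assumptions for illustration; it assumes the JE jar (com.sleepycat.je and com.sleepycat.persist) on the classpath.

```java
import java.io.File;
import java.util.concurrent.TimeUnit;

import com.sleepycat.je.Environment;
import com.sleepycat.je.EnvironmentConfig;
import com.sleepycat.je.Transaction;
import com.sleepycat.persist.EntityCursor;
import com.sleepycat.persist.EntityStore;
import com.sleepycat.persist.PrimaryIndex;
import com.sleepycat.persist.SecondaryIndex;
import com.sleepycat.persist.StoreConfig;
import com.sleepycat.persist.model.Entity;
import com.sleepycat.persist.model.PrimaryKey;
import com.sleepycat.persist.model.Relationship;
import com.sleepycat.persist.model.SecondaryKey;

/** Added example (not OpenSSO code): a session store on the Berkeley DB JE DPL. */
public class SessionFailoverStore implements AutoCloseable {

    /** A persisted session record; the DPL stores plain Java objects directly. */
    @Entity
    public static class SessionRecord {
        @PrimaryKey
        String sessionId;            // opaque session handle (hypothetical field)

        @SecondaryKey(relate = Relationship.MANY_TO_ONE)
        long expiresAtMillis;        // indexed so expired sessions can be found and purged

        String userDn;               // hypothetical session attribute
        byte[] serializedState;      // opaque blob; the caller encrypts it if sensitive

        private SessionRecord() { }  // the DPL needs a default constructor (may be private)

        SessionRecord(String sessionId, String userDn, byte[] state, long expiresAtMillis) {
            this.sessionId = sessionId;
            this.userDn = userDn;
            this.serializedState = state;
            this.expiresAtMillis = expiresAtMillis;
        }
    }

    private final Environment env;
    private final EntityStore store;
    private final PrimaryIndex<String, SessionRecord> byId;
    private final SecondaryIndex<Long, String, SessionRecord> byExpiry;

    public SessionFailoverStore(File dir) {
        EnvironmentConfig envConfig = new EnvironmentConfig();
        envConfig.setAllowCreate(true);
        envConfig.setTransactional(true);   // durable writes survive a server crash
        env = new Environment(dir, envConfig);

        StoreConfig storeConfig = new StoreConfig();
        storeConfig.setAllowCreate(true);
        storeConfig.setTransactional(true);
        store = new EntityStore(env, "SessionStore", storeConfig);   // store name is assumed

        byId = store.getPrimaryIndex(String.class, SessionRecord.class);
        byExpiry = store.getSecondaryIndex(byId, Long.class, "expiresAtMillis");
    }

    /** Upsert keyed on sessionId; a null transaction means auto-commit. */
    public void save(SessionRecord record) {
        byId.put(record);
    }

    /** Returns null if the session is unknown or has already expired. */
    public SessionRecord load(String sessionId) {
        SessionRecord r = byId.get(sessionId);
        if (r == null || r.expiresAtMillis <= System.currentTimeMillis()) {
            return null;
        }
        return r;
    }

    /** Deletes every record whose expiry is at or before now; returns the count. */
    public int purgeExpired() {
        int purged = 0;
        long now = System.currentTimeMillis();
        Transaction txn = env.beginTransaction(null, null);
        // Range scan over the expiry index: no lower bound, upper bound now (inclusive).
        EntityCursor<SessionRecord> cursor = byExpiry.entities(txn, null, true, now, true);
        boolean ok = false;
        try {
            for (SessionRecord r = cursor.next(); r != null; r = cursor.next()) {
                cursor.delete();
                purged++;
            }
            ok = true;
        } finally {
            cursor.close();
            if (ok) { txn.commit(); } else { txn.abort(); }
        }
        return purged;
    }

    @Override
    public void close() {
        store.close();
        env.close();
    }

    public static void main(String[] args) throws Exception {
        File dir = new File(System.getProperty("java.io.tmpdir"), "je-session-demo");
        dir.mkdirs();
        try (SessionFailoverStore s = new SessionFailoverStore(dir)) {
            long ttl = TimeUnit.MINUTES.toMillis(30);
            s.save(new SessionRecord("sid-1", "uid=alice,ou=people,dc=example,dc=com",
                    new byte[0], System.currentTimeMillis() + ttl));
            s.save(new SessionRecord("sid-2", "uid=bob,ou=people,dc=example,dc=com",
                    new byte[0], System.currentTimeMillis() - 1));   // already expired
            System.out.println("sid-1 present: " + (s.load("sid-1") != null));
            System.out.println("purged: " + s.purgeExpired());       // removes sid-2
        }
    }
}
```

The record holds only an opaque session id and attributes, never the user's credential; the expiry index is what lets a peer that inherits the store refuse stale sessions instead of silently reviving them.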

Security (JCE/JSS)
Beomsuk

Supports JCE and JSS
  • Encryption Class
    • com.iplanet.services.util.JCEEncryption
    • com.iplanet.services.util.JSSEncryption
  • Secure Random Class
    • com.iplanet.am.util.JSSSecureRandomFactoryImpl
    • com.iplanet.am.util.SecureRandomFactoryImpl
  • SSL Socket Factory
    • com.iplanet.services.ldap.JSSSocketFactory
    • netscape.ldap.factory.JSSESocketFactory

Federal Information Processing Standards (FIPS)

FIPS is currently supported on Sun WS and Sun App Server EE (not GlassFish)
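Added example, not OpenSSO code: a small factory in the spirit of the JCEEncryption/JSSEncryption and SecureRandomFactoryImpl pairs listed above. It selects a JCA provider by name (for instance a FIPS-validated one, where such a provider is installed) for both the cipher and the SecureRandom, and wraps AES-GCM so that any tampering with the stored ciphertext is detected on decrypt. The Encryption interface, ProviderEncryption and EncryptionFactory names are assumptions, and the in-memory key is generated only for the demo.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical interface in the spirit of the JCEEncryption/JSSEncryption pair. */
interface Encryption {
    byte[] encrypt(byte[] plaintext) throws GeneralSecurityException;
    byte[] decrypt(byte[] ciphertext) throws GeneralSecurityException;
}

/** AES-GCM through whichever JCA provider the factory hands in (null = default lookup). */
final class ProviderEncryption implements Encryption {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the GCM default
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private final SecretKey key;
    private final SecureRandom random;
    private final Provider provider;

    ProviderEncryption(SecretKey key, SecureRandom random, Provider provider) {
        this.key = key;
        this.random = random;
        this.provider = provider;
    }

    private Cipher cipher() throws GeneralSecurityException {
        return provider == null ? Cipher.getInstance("AES/GCM/NoPadding")
                                : Cipher.getInstance("AES/GCM/NoPadding", provider);
    }

    @Override
    public byte[] encrypt(byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);                 // fresh nonce per message; reuse breaks GCM
        Cipher c = cipher();
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] body = c.doFinal(plaintext);   // ciphertext followed by the tag
        return ByteBuffer.allocate(iv.length + body.length).put(iv).put(body).array();
    }

    @Override
    public byte[] decrypt(byte[] ciphertext) throws GeneralSecurityException {
        if (ciphertext.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("ciphertext too short");
        }
        byte[] iv = Arrays.copyOfRange(ciphertext, 0, IV_BYTES);
        Cipher c = cipher();
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        // doFinal verifies the tag first; a modified byte surfaces as AEADBadTagException
        return c.doFinal(ciphertext, IV_BYTES, ciphertext.length - IV_BYTES);
    }
}

/** Chooses the implementation from configuration, as the JCE/JSS class pairs do. */
final class EncryptionFactory {
    static Encryption create(String providerName, SecretKey key) throws GeneralSecurityException {
        if (providerName == null) {
            return new ProviderEncryption(key, new SecureRandom(), null);
        }
        Provider p = Security.getProvider(providerName);   // e.g. a FIPS-validated provider
        if (p == null) {
            throw new GeneralSecurityException("provider not installed: " + providerName);
        }
        // Take the provider's own SecureRandom so nonces come from the same module as the cipher.
        for (Provider.Service s : p.getServices()) {
            if ("SecureRandom".equals(s.getType())) {
                return new ProviderEncryption(key, SecureRandom.getInstance(s.getAlgorithm(), p), p);
            }
        }
        throw new GeneralSecurityException("provider offers no SecureRandom: " + providerName);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();     // demo only; production keys live in a keystore
        Encryption enc = EncryptionFactory.create(args.length > 0 ? args[0] : null, key);
        byte[] ct = enc.encrypt("session secret".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(enc.decrypt(ct), StandardCharsets.UTF_8));
        ct[ct.length - 1] ^= 1;               // flip one bit of the stored ciphertext
        try {
            enc.decrypt(ct);
        } catch (AEADBadTagException e) {
            System.out.println("tamper detected");
        }
    }
}
```

Run it with no argument to use the default provider chain, or pass an installed provider name (for example the JSS/NSS provider on a host where it is configured) to route both the cipher and the nonce generator through that module; the second decrypt in main shows the authenticated mode rejecting a modified ciphertext rather than returning garbage.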

FAM/IDM Integration
Rahul Gopal

Main components involved
  • SunAccessManagerRealmResourceAdapter - an IDM resource adapter used to plug in backend systems
  • AM Policy Agent to protect IDM resources

So, after three days of meetings and note taking, let's relax now with some music and comedy from Alison Moyet and Dawn French. Here's the video for Whispering Your Name.

Comments:

Is there any more information regarding "3rd Party Access Manager Product Integration", particularly OAM? I've looked at the SM federation extensions, and I'm curious what has been done with OAM. My searching on the web has not come up with anything else.

Thanks,

Jeff

Posted by Jeff Schmidt on May 31, 2008 at 08:24 AM PDT #

I am trying to configure OpenSSO load balancing and session failover for our production deployment with build 3. I have two servers running WebLogic 10.0 MP1 on Red Hat Linux.

I have completed these steps:
1) Install the session tools (message queue brokers) on both servers. This seems to be working correctly.
2) Deployed opensso.war on both servers.
3) Configured both the SSO instances by entering the basic information on the configurator.jsp page. I selected embedded OpenDS as the configuration directory.
4) I was able to log in to both SSO server consoles independently.
Now I cannot find the documentation to configure session failover.
5) I also need to protect two web applications, one on WebLogic and one on JBoss. I am using agent version 2.2.
During the development phase, I was using opensso build 2 and j2ee agents 2.2, but without LB and failover.

The SSO servers are behind a hardware load balancer.
Basically I need to know -
1) How do I configure embedded OpenDS replication?
2) How do I set up the Sites and Servers?
3) How do I configure J2EE agents v2.2 in the OpenSSO console?
4) Anything else that I am missing?

Thanks in advance

Posted by pushpahas prakash on July 22, 2008 at 01:51 AM PDT #

That's a tall drink of water, Pushpahas. I suggest you copy this comment, paste it into an email, and send it on to the users@opensso.dev.java.net alias. Also, you can check blogs.sun.com/JohnD for agent info.

Posted by DocTeger on July 22, 2008 at 01:59 AM PDT #
