Friday Apr 03, 2009

OpenSSO startup on Glassfish

I have been doing some work with OpenSSO on Glassfish lately and since I typically use Solaris or Linux (or MacOSX), I have not had any issues with the startup of OpenSSO on Glassfish at system startup. This week I had a reason to configure OpenSSO on Glassfish on a Windows virtual machine. I ran into a few challenges in getting OpenSSO to start properly. Here are some notes of what I learned on the topic.

Windows Service Example

Once Glassfish is installed, you can create a Windows service to start and stop it using the following utility (the service can also be created directly with sc.exe). As described in "How do I run GlassFish as a Windows service?", download GlassfishSvc.jar, the Glassfish utility that creates the Windows service.

INSTALL Windows Service

> cd C:\glassfish
> java -jar glassfishsvc.jar -i -n "Glassfish OpenSSO Domain" -d "C:\\glassfish" -m opensso -a admin

Now the Glassfish instance can be controlled as a Windows service. There is one more step. When OpenSSO starts up, it looks for a file in the home directory of the user who installed it (see the .openssocfg/AMConfig_machinename_glassfish_domains_domainname_applications_j2ee-modules_opensso_ file in that home directory). OpenSSO uses this file to find its configuration directory in the file system. For more information on this configuration file, see the OpenSSO Install Doc. By default this file will not be found once the Windows service is created, because the Glassfish service will not be running as the user who installed OpenSSO.

Solution for Windows service for Glassfish with OpenSSO:

For the OpenSSO Glassfish instance, go to the Services console and set the service to log in as Administrator to ensure that the OpenSSO bootstrap file is found during startup. If this step is not done, Glassfish will not find the configuration directory when the service is started, and the Configuration page will be displayed when you go to the /opensso URL. To resolve this issue, open Windows Services, select the new Glassfish service, right-click and select Properties. Select the Log On tab, select This account, and enter the account and password of the user used when OpenSSO was configured (see example below).

> sc.exe create glassfish-dmgr binPath= "C:\glassfish\lib\appservService.exe \"C:\glassfish\bin\asadmin.bat start-domain domain1\" \"C:\glassfish\bin\asadmin.bat stop-domain domain1\"" start= manual DisplayName= "Glassfish Deployment Manager"
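A quick way to confirm the fix described above, as an added example that is not part of the original post: this PowerShell function reports which account the Glassfish service logs on as and whether an AMConfig_* bootstrap file exists under .openssocfg in that account's profile. The function name and its parameter are hypothetical, and it assumes PowerShell 3 or later and that the JVM's home directory for the service account is its Windows profile directory.

```powershell
# Added example, not from the original post. Names are hypothetical.
# Assumes the JVM's user.home for the service account is its Windows profile directory.
function Test-OpenSsoBootstrap {
    param(
        [Parameter(Mandatory)] [string] $ServiceName   # service name or display name
    )

    $svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName' OR DisplayName='$ServiceName'" |
           Select-Object -First 1
    if (-not $svc) { throw "Service '$ServiceName' not found." }

    $account = $svc.StartName
    if ($account -eq 'LocalSystem') {
        # LocalSystem keeps its profile here, not under the users directory.
        $profileDir = Join-Path $env:SystemRoot 'System32\config\systemprofile'
    } else {
        # ".\user" denotes a local account; expand it so it can be translated to a SID.
        if ($account.StartsWith('.\')) { $account = $env:COMPUTERNAME + $account.Substring(1) }
        $sid = ([System.Security.Principal.NTAccount]$account).Translate(
                   [System.Security.Principal.SecurityIdentifier]).Value
        # No profile entry means the account has never logged on to this machine.
        $userProfile = Get-CimInstance Win32_UserProfile -Filter "SID='$sid'"
        $profileDir  = if ($userProfile) { $userProfile.LocalPath } else { $null }
    }

    # The bootstrap file lives in .openssocfg under the installing user's home directory.
    $cfgDir = if ($profileDir) { Join-Path $profileDir '.openssocfg' } else { $null }
    $files  = @(if ($cfgDir -and (Test-Path $cfgDir)) {
                    Get-ChildItem $cfgDir -Filter 'AMConfig_*' -File
                })

    [pscustomobject]@{
        Service        = $svc.Name
        RunsAs         = $svc.StartName
        ProfileDir     = $profileDir
        BootstrapFiles = $files.Name
        Found          = $files.Count -gt 0
    }
}

Test-OpenSsoBootstrap -ServiceName 'Glassfish OpenSSO Domain'
```

If Found is False, the service account is not the one that configured OpenSSO, which matches the symptom of the Configuration page appearing at /opensso.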

UNINSTALL Windows Service

If you need to remove the Glassfish service, here is an example:
> java -jar glassfishsvc.jar -u -n "Glassfish OpenSSO Domain"

If the uninstall does not work, another option is:
> sc delete "Glassfish OpenSSO Domain"

If you get an error, like:
[SC] DeleteService FAILED 1072:
The specified service has been marked for deletion.

The service will be deleted the next time the machine is restarted.

Solaris Manifest Example

For reference, here is an example Solaris manifest I use for starting Glassfish (on both Solaris and OpenSolaris). Note: the following assumes Glassfish v2 is installed in /var/opt and that the domain installed for OpenSSO is called opensso and is configured to use port 80.

<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='export'>
  <service name='opensso/glassfishv2/port80' type='service' version='0'>
    <create_default_instance enabled='false'/>
    <!-- Wait for local filesystems before starting the domain -->
    <dependency name='filesystem' grouping='require_all' restart_on='restart' type='service'>
      <service_fmri value='svc:/system/filesystem/local'/>
    </dependency>
    <exec_method name='start' type='method' exec='/var/opt/glassfish/bin/asadmin start-domain opensso' timeout_seconds='600'/>
    <exec_method name='stop' type='method' exec='/var/opt/glassfish/bin/asadmin stop-domain opensso' timeout_seconds='300'/>
    <stability value='Unstable'/>
    <template>
      <common_name>
        <loctext xml:lang='C'>glassfishv2port80</loctext>
      </common_name>
    </template>
  </service>
</service_bundle>

The above XML example can be copied to a file (for example, glassfish-smf-port80.xml), and the following commands can be used to manage the service on Solaris:
# svccfg validate glassfish-smf-port80.xml
# svccfg import glassfish-smf-port80.xml
# svcs port80
# svcadm enable -s port80
# svcadm disable -s port80

Saturday Feb 07, 2009

Identity Suite Essentials Tutorials

A collection of identity management tutorials has just been made public: Identity Suite Essentials. This material was originally developed last October by Sun engineers to provide tutorial information for our peers. We are making this available publicly in the hope that others find value in the material for becoming acquainted with Sun Identity Manager and OpenSSO Enterprise.


The Identity Suite Essentials (ISE) is a collection of tutorials which are designed to provide the student with basic knowledge of these products. This self paced material covers the Sun Java Identity Management Suite. The purpose of these tutorials is to provide a positive first experience with these products. This includes initial installation and configuration of these products in a lab environment.

Thanks to the following contributors:

Thursday Apr 24, 2008

Fedlet comes out with a (Head) Bang

OpenSSO is maturing at a rapid pace with a fantastic new feature addition released today, the Fedlet! Watch the video below to see the Instant federation for a partner in action with OpenSSO. This video is proof that federation can be fun (or at least that Daniel can make it fun).

I get involved in all types of identity discussions (provisioning, identity compliance, access management, federation, etc.) in my travels. Recently (Tuesday), I had the opportunity to talk to Sun customers and potential customers about Federated Access Management at The Sun Identity Roadshow in Dallas. There was a lengthy Q&A after the session, and some of the questions asked when it will be easier to create federation agreements and enable smaller partners. I answered by describing how the Federation configuration wizards in OpenSSO make configuration of federation simple, and how the fedlet will make it easy to enable a partner to federate with you. The video above shows exactly how easy these tasks can be.



