Tuesday Jul 15, 2008

Integrating Liferay(Websynergy) with OpenSSO on Glassfish V3

Liferay is an open source portal and Sun is using Liferays codebase and contributing Sun features.  The project name for the same is Websynergy. OpenSSO is an open source  project for single sign on.  This document describes how to integrate Liferay(Websynergy) with OpenSSO on Glassfish V3 TP2.

1.  Download OpenSSO from https://opensso.dev.java.net  . You can  use stable Build 4.
2.  Download Glassfish V3 from https://glassfish.dev.java.net
3.  Iam assuming  OpenSSO and Liferay on the same machine for this example but they can be on two different machines.
4. Install ANT 1.7, JDK 1.6 and SVN 1.4.5. Make sure all are in PATH.
5. Checkout Liferay latest source from sourceforge.net (svn co https://lportal.svn.sourceforge.net/svnroot/lportal/trunk portal). Latest version is "5.1" if checked out from trunk.
6. Go to Liferay source code directory and modify appserver.properties. Specify the glassfish version as v3 and glassfish install location.
7. From Liferay Source Code Directory  run ant -f build.xml all.
8. Once, build is successful, liferay is up and running on Glassfish V3 after few 5 minutes of compilation time. Access http://host:port to verify.

Note : On liferay site we have pre-built image of only GFv2.1 but not GFv3. Thats why we manually did a build for GFv3 as above

See below steps now for OpenSSO :

1. Unzip opensso.zip . Go to deployable-war directory and copy opensso.war to glassfish hotdeploy directory.
2. Glassfish autodeploy scanner will pick the war and deploy it.
3. Access http://host:port/opensso. Web based install screen of OpenSSO will be seen. Select default configuration and go through the steps which are very easy.
4. Login to opensso as amadmin. Create the user Joe Bloggs by giving "ID=joebloggs" and "Email=test@liferay.com"
(Note : First create the user, then edit to set email).
5. Logout and login to OpenSSO as joebloggs. It should work fine.
6. Now  login to Liferay as test@liferay.com (Joe Bloggs) . Add application "Enterprise Admin" from desktop.
7. In the "Enterprise Admin" portlet,  Go to EnterpriseAdmin > Organizations > Settings > Authentication > OpenSSO. Change the below values for your opensso host and portalhost. In this example it is the same host.

# Login URL=http://openssohost:port/opensso/UI/Login?goto=http://portalhost:port/c/portal/login
# Logout URL=http://openssohost:port/opensso/UI/Logout?goto=http://portalhost:port/portal/
# Service URL=http://openssohost:port/opensso

Check "Enable" checkbox and Save.

8. Now once you click on Logout. It takes you back to opensso login page and after successful authentication it will come bring the liferay desktop again. Also if you access http://host:port for accessing liferay, opensso authentication screen should come.

Enjoy, your opensso integration with liferay is rocking !!

Wednesday Oct 03, 2007

SRA Gateway, sensitive to domain name case


During Portal and Gateway installation domain name is asked at multiple places. There are occurences of case mismatch while typing the domain name because at some places it is pre-populated and at some places we have to manually type it.

If this is the case then there are severe cookie related problems with the gateway and login may not work. To workaround this issue do the below steps after installation.


1) Switch sra-status to on using psadmin
2) Log into psconsole and changed portal server list and URLs to
which user session is forwarded list to reflect correct domain with correct case
3) Change AMConfig.properties and AMConfig-default.properties to
reflect correct domain with correct case
4) Change Non-Authenticated URL List to reflect correct domain with correct case
5) Change serverconfig.xml to reflect correct domain with correct case
6) Load enableSRAforPortal.xml using amadmin (not really required for
7) Log into amconsole and change Organization Aliases, Platform
Server List, Cookie Domain List to reflect central.sun.com
8) Restart everything and gateway started working .

How to make Gateway to authenticate to a particular org

By default Gateway authenticates to the default top-level org. Consider a scenario where we have 2-3 instances of gateway and each wants to authenticate to separate org. In such cases platform.conf file of that particular gateway can be modified as below


  •  GW 1:
    Modify /etc/opt/SUNWps/platform.default.conf
    Add "gw1.mydomain.com.defaultOrg =o=SubOrg1,o=DeveloperSample,dc=india,dc=sun,dc=com"
  • GW 2:
    Modify /etc/opt/SUNWps/platform.default.conf
    Add "gw2.mydomain.com.defaultOrg =o=SubOrg2,o=EnterpriseSample,dc=india,dc=sun,dc=com"

Proxy setting for Application Server to contact Internet content

Lots of portlets available in Sun Java System Portal Server render content from the internet. As portal server is deployed on Application Server or Web Server, below settings can be done in the server configuration file. 

For Application Server its domain.xml and for Web Server it is server.xml


 You will also need to modify the startup script for the app server i.e asenv.conf


Updating platform server list from command line

Sometimes during complex portal deployment scenarios there are chances that we might make mistakes in updating Platform Server List in Access Manager and as a result we may not be able to login to Access Manager anymore. We can update the Platform Server List from command line as below.

1) Remove the iplanetamplatformservice

  • amadmin -u amadmin - w passwd -r iplanetamplatformservice

2) Edit the /etc/opt/SUNWam/config/xml/amPlatform.xml to include the correct  server name(s) for the property iplanet-am-platform-server-list

3) Load the updated xml schema

  • amadmin -u amadmin - w passwd -s /etc/opt/SUNWam/config/xml/amPlatform.xml
  • restart server

Difference between notification and polling

Portal Server and Gateway uses Access Manager and Access Manager SDK for session. It can use either use notification or polling for session notification. Below is the explaination for the same.


\* The following keys are used to enable session client side notification
\* Default polling period is 180 seconds

The above two properties are used by session client code, if Polling is set to false notification will be enabled , if polling is set to true notification mode will be disabled.
Note : The AM Server always runs in notification mode so changing this property on the server side doesn't has any effect.

Notification Mode: In notification mode for each session the client registers a notification listener on the server, when any thing changes for that session on the server (time out etc) , the server send notification to the client so the client can update its cache.

Polling Mode : In Polling mode, the session client contacts the server for each session if its caching time has expired and will update its cache.

Enabling web proxy between Portal and Gateway

Usually Gateway is inside a DMZ in the internet and Portal Server is in the intranet. A few ports are opened up in the firewall for communication between the two. In case we have to configure a web proxy between Portal and Gateway then below are the steps.

Add into /etc/opt/SUNWportal/platform.conf.default

  •    http.proxyHost=<Proxy Hostname>
  •    http.proxyPort=<Proxy Port number>
  •    http.proxySet=true

Goto /psconsole -> Secure Remote Access -> 'default' profile -> Deployment tab
    In the 'Proxy Setting' add the following

  •       'Use Proxy'           = true
  •       'Webproxy URLs' = \*
  •       'Domain/SubDomain' = <Domain name>
  •       'Proxy'  = <Proxy Hostname>:<Proxy Port>

Sunday Sep 30, 2007

SSL termination at Load Balancer between Gateway and Portal Server


SSL Termination at Load Balancer between Gateway and Portal Server means that SSL traffic between Gateway and the Portal Server is terminated at the Load Balancer. SSL has an overhead of encryption/decryption which affects performance. This article provides steps to install this scenario.

There might be other ways to install this scenario but this is the simplest approach to achieve this. 

Assume there are two instances of Portal PS1 and PS2 on Node1 and Node2 respectively. Gateway is on Node3 and Load Balancer on Node4  between Gateway and Portal Server Instances

Access Manager(AM) instances are on Portal Server (PS) instances. Assume there are two instances for AM and PS.

Gateway ---------> LB ---------------> PS instances (PS1, PS2 .......)

1)  Install  PS, AM and Directory Server (DS) on Node1 where AM and DS are from JES5 or JES5u1 RR build. Portal is OpenPortal PS7.2 on top of AS9.1

2) Start the Container and Access /portal to make sure everything is installed fine on Node1

3) On Node3, install Gateway and AM-SDK and point to PS1. Make sure that one can login via gateway to PS1. Now we have basic set-up ready for with single Gateway and Portal Server without a Load Balancer. Now we are going to add complexity to it.

4) On Node2, install AS9.1. This is for creating AM and PS instances i.e AM2 and PS2

5) Login to AM1 amconsole via browser. As soon as you login to amconsole, you will see "Organization Aliases" listbox on the right side with entries <Node1.domain.com> and <domain>. In this listbox add  <Node2.domain.com>.

6) Now click on Service Configuration -> Platform. On the right hand side there will be "Platform Server List" with entry <http://Node1.domain.com:port>. To this add one more entry <http://Node2.domain.com:port>

7) Install AM2 on Node2. Point to DS on Node1. Restart AS9.1 on Node2 and access amconsole to make sure that one can successfully login.

8) Now create portal instance PS2 on Node2. Install PS2 in config later mode. Modify Webcontainer.properties.SJSAS9.1 and run the below command

  • ./psadmin create-instance -u amadmin -f ps_password -p <portal-id> -w /opt/SUNWportal/template/Webcontainer.properties.SJSAS91

9) Restart AS9.1 on Node2 and access /portal for successful login.

10) Install Load Balancer on Node4. This can be software or a hardware load balancer. You should know about how to make it SSL  with certificates signed from Certificate Authority. Make sure that one can loadbalance AM and PS uris via this SSL instance of Load Balancer.

11) Access psconsole either on Node1 or Node2. Go to Secure Remote Access -> default.  There is a listbox for "Portal Servers". Remove the existing entry in this listbox and add <https://Node4.domain.com:port/portal>. Below that there is listbix for " URLs to which User Session Cookie is Forwarded". In this add below URLs and Save .



12. Click on security Tab. In the Non-Authenticated URL list below entries will be there.


Add below set of entries also



13. Now run below command from Node1 AND Node2

  • ./psadmin provision-sra -u amadmin -f ps_password -p portal1 --gateway-profile default --enable
  • ./psadmin provision-sra -u amadmin -f ps_password  --loadbalancer-url https://Node4.domain.com:port/portal --console --console-url https://Node4.domain.com:port/psconsole --gateway-profile default --enable

This will populate Non-Authenticated URL list under the default gateway profile.

14. On Node1, open /etc/opt/SUNWam/config/AMConfig.properties and edit following

  • Add line: com.sun.identity.server.fqdnMap[Node4.domain.com]=Node4.domain.com
  • Edit line: com.sun.identity.loginurl=https://Node4.domain.com:port/amserver/UI/Login
  • com.iplanet.am.jssproxy.trustAllServerCerts=true

15. Add Certificate Authority Root CA certificate to JVM keystore  as follows on Node1 and Node2

  • cd /usr/jdk/entsys-j2se/jre/lib security
  • /usr/jdk/entsys-j2se/jre/bin/keytool -keystore cacerts -keyalg RSA -import -trustcacerts -alias "Node1.domain.com" -storepass changeit -file <path-to-rootca-certificate>

16. Run below command on both the Nodes

  • ./psadmin set-attribute -u amadmin -f ps_password  -p portal1 -m desktop -a AccessURL  "https://Node4.domain.com:port"

17. Repeat above step on Node2. Restart AS9.1 and cacao on both the nodes.

18. Install server certificate and Root CA certificate on Gateway Node from the same Certificate Authority from where Load Balancer was asigned certificate.

19 Now we have to point the gateway to LB instead of PS1 and AM1. Do the following on Gateway Node

  • In the platform.conf.default file change gateway.ignoreServerList=true
  • In the platform.conf.default file change gateway.dsame.agent=https\\://Node4.domain.com\\:port/portal/RemoteConfigServlet
  • In the AMConfig-default.properties and AMConfig.properties change the AM related information as shown below


20. Restart the Gateway and access it via browser. 



Wednesday Sep 26, 2007

Installing OpenPortal 7.2 on SSL instance of Glassfish

Glassfish(GF)  by default supports both TLS(1.0) and SSL(3.0). GF uses JSSE (Java Secured Socket Extension) for SSL implementation and JKS for keystore. These steps will be totally different for those who have already worked on installing Portal Server on AS8.1/8.2 in previous releases of Portal Server.

The certificate database in AS8.x used to be under /var/opt/SUNWappserver/domains/domain1/config under \*.db files. But in case of GF, its under the same config directory but the certificate database is keystore.jks

 The first step is to generate a new self signed SSL key and certificate. The application server comes with a default key that you definitely want to replace for production use. Keys are stored in a Java keystore file and managed by Java's standard keytool command line utility.

1) Delete existing key alias as below

cd  $GF_INSTALL_DIR/domains/domain1/config
cp keystore.jks keystore-backup.jks
keytool -delete -alias s1as -keystore keystore.jks
Enter keystore password: changeit

In the above commands we made a backup of Glassfish's keystore file because we are going to make some changes to it. We deleted the s1as alias from the keystore. Glassfish uses the s1as alias for it's default SSL key. You can't generate a new key on top of an existing alias, so we needed to delete it first. An other approach would be to create a new alias for the new key, then reconfigure Glassfish to use it.

2) Generate key request as below 

/usr/jdk/entsys-j2se/jre/bin/keytool -genkey -alias s1as -keyalg RSA -keysize 512 -dname "CN=<hostname-fqdn>,Ou=People,O=Sun,L=Bangalore,S=Karnataka,C=IN" -keystore keystore.jks
Enter keystore password:  changeit
Enter key password for <s1as>
        (RETURN if same as keystore password):

3) Generate certificate signing request:

/usr/jdk/entsys-j2se/jre/bin/keytool -certreq -alias s1as -sigalg "MD5withRSA" -file certreq.pem -keypass changeit -keystore keystore.jks -storepass changeit
bash-2.05# cat certreq.pem

4) Get the certificate signed from certificate authority and save the response in a text file locally as below. I use http://raasi.red.iplanet.com to get by certificate signed for testing purposes.

/usr/jdk/entsys-j2se/jre/bin/keytool -import -trustcacerts -alias s1as -file servercert.pem -keypass changeit -keystore keystore.jks -storepass changeit
Certificate reply was installed in keystore

servercert.pem is the signed certificate response from the certificate authority.

5)  Import the Root CA of the certificate authority in the keystore database as below

 /usr/jdk/entsys-j2se/jre/bin/keytool -import -alias rootca -trustcacerts -file <path to root ca> -keystore keystore.jks -storepass changeit
Owner: EMAILADDRESS=veera.natarajan@sun.com, CN=Veera Natarajan, OU=SSE, O=Sun Microsystems Inc., ST=California, C=US
Issuer: EMAILADDRESS=veera.natarajan@sun.com, CN=Veera Natarajan, OU=SSE, O=Sun Microsystems Inc., ST=California, C=US
Serial number: a7a9faedf950f415
Valid from: Thu Apr 26 07:29:26 IST 2007 until: Sun Apr 25 07:29:26 IST 2010
Certificate fingerprints:
         MD5:  3A:5C:76:90:D8:FA:23:7B:17:A8:B6:DA:F8:9B:AB:F4
         SHA1: EC:C5:72:75:03:91:D5:13:41:4F:37:38:B3:99:22:DD:68:F0:7F:5E
Trust this certificate? [no]:  yes
Certificate was added to keystore

6) Now install Access Manager and Directory Server from JES5u1 RR build. Provide port/protocol as 8181/https in the installer screens.

7) Now install Open Portal on top of this. 

8) In case there is SRA gateway then add the Root CA  to gateway truststore as follows

/usr/jdk/entsys-j2se/jre/bin/keytool -keystore cacerts -keyalg RSA -import -trustcacerts -alias "<hostname-fqdn>" -storepass changeit -file <path to rootca>
Owner: EMAILADDRESS=veera.natarajan@sun.com, CN=Veera Natarajan, OU=SSE, O=Sun Microsystems Inc., ST=California, C=US
Issuer: EMAILADDRESS=veera.natarajan@sun.com, CN=Veera Natarajan, OU=SSE, O=Sun Microsystems Inc., ST=California, C=US
Serial number: a7a9faedf950f415
Valid from: Thu Apr 26 07:29:26 IST 2007 until: Sun Apr 25 07:29:26 IST 2010
Certificate fingerprints:
         MD5:  3A:5C:76:90:D8:FA:23:7B:17:A8:B6:DA:F8:9B:AB:F4
         SHA1: EC:C5:72:75:03:91:D5:13:41:4F:37:38:B3:99:22:DD:68:F0:7F:5E
Trust this certificate? [no]:  yes
Certificate was added to keystore

The above steps should work with GFv2, GFv2 update releases and GFv3 TP1 


Ajit Kamble


« July 2016