Tuesday Jul 15, 2008

Integrating Liferay(Websynergy) with OpenSSO on Glassfish V3

Liferay is an open source portal and Sun is using Liferays codebase and contributing Sun features.  The project name for the same is Websynergy. OpenSSO is an open source  project for single sign on.  This document describes how to integrate Liferay(Websynergy) with OpenSSO on Glassfish V3 TP2.

1.  Download OpenSSO from https://opensso.dev.java.net  . You can  use stable Build 4.
2.  Download Glassfish V3 from https://glassfish.dev.java.net
3.  Iam assuming  OpenSSO and Liferay on the same machine for this example but they can be on two different machines.
4. Install ANT 1.7, JDK 1.6 and SVN 1.4.5. Make sure all are in PATH.
5. Checkout Liferay latest source from sourceforge.net (svn co https://lportal.svn.sourceforge.net/svnroot/lportal/trunk portal). Latest version is "5.1" if checked out from trunk.
6. Go to Liferay source code directory and modify appserver.properties. Specify the glassfish version as v3 and glassfish install location.
7. From Liferay Source Code Directory  run ant -f build.xml all.
8. Once, build is successful, liferay is up and running on Glassfish V3 after few 5 minutes of compilation time. Access http://host:port to verify.

Note : On liferay site we have pre-built image of only GFv2.1 but not GFv3. Thats why we manually did a build for GFv3 as above

See below steps now for OpenSSO :

1. Unzip opensso.zip . Go to deployable-war directory and copy opensso.war to glassfish hotdeploy directory.
2. Glassfish autodeploy scanner will pick the war and deploy it.
3. Access http://host:port/opensso. Web based install screen of OpenSSO will be seen. Select default configuration and go through the steps which are very easy.
4. Login to opensso as amadmin. Create the user Joe Bloggs by giving "ID=joebloggs" and "Email=test@liferay.com"
(Note : First create the user, then edit to set email).
5. Logout and login to OpenSSO as joebloggs. It should work fine.
6. Now  login to Liferay as test@liferay.com (Joe Bloggs) . Add application "Enterprise Admin" from desktop.
7. In the "Enterprise Admin" portlet,  Go to EnterpriseAdmin > Organizations > Settings > Authentication > OpenSSO. Change the below values for your opensso host and portalhost. In this example it is the same host.

# Login URL=http://openssohost:port/opensso/UI/Login?goto=http://portalhost:port/c/portal/login
# Logout URL=http://openssohost:port/opensso/UI/Logout?goto=http://portalhost:port/portal/
# Service URL=http://openssohost:port/opensso

Check "Enable" checkbox and Save.

8. Now once you click on Logout. It takes you back to opensso login page and after successful authentication it will come bring the liferay desktop again. Also if you access http://host:port for accessing liferay, opensso authentication screen should come.

Enjoy, your opensso integration with liferay is rocking !!


Wednesday Sep 26, 2007

Installing OpenPortal 7.2 on SSL instance of Glassfish

Glassfish(GF)  by default supports both TLS(1.0) and SSL(3.0). GF uses JSSE (Java Secured Socket Extension) for SSL implementation and JKS for keystore. These steps will be totally different for those who have already worked on installing Portal Server on AS8.1/8.2 in previous releases of Portal Server.

The certificate database in AS8.x used to be under /var/opt/SUNWappserver/domains/domain1/config under \*.db files. But in case of GF, its under the same config directory but the certificate database is keystore.jks

 The first step is to generate a new self signed SSL key and certificate. The application server comes with a default key that you definitely want to replace for production use. Keys are stored in a Java keystore file and managed by Java's standard keytool command line utility.

1) Delete existing key alias as below

cd  $GF_INSTALL_DIR/domains/domain1/config
cp keystore.jks keystore-backup.jks
keytool -delete -alias s1as -keystore keystore.jks
Enter keystore password: changeit

In the above commands we made a backup of Glassfish's keystore file because we are going to make some changes to it. We deleted the s1as alias from the keystore. Glassfish uses the s1as alias for it's default SSL key. You can't generate a new key on top of an existing alias, so we needed to delete it first. An other approach would be to create a new alias for the new key, then reconfigure Glassfish to use it.

2) Generate key request as below 

/usr/jdk/entsys-j2se/jre/bin/keytool -genkey -alias s1as -keyalg RSA -keysize 512 -dname "CN=<hostname-fqdn>,Ou=People,O=Sun,L=Bangalore,S=Karnataka,C=IN" -keystore keystore.jks
Enter keystore password:  changeit
Enter key password for <s1as>
        (RETURN if same as keystore password):

3) Generate certificate signing request:

/usr/jdk/entsys-j2se/jre/bin/keytool -certreq -alias s1as -sigalg "MD5withRSA" -file certreq.pem -keypass changeit -keystore keystore.jks -storepass changeit
bash-2.05# cat certreq.pem
-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBLjCB2QIBADB0MQswCQYDVQQGEwJJTjESMBAGA1UECBMJS2FybmF0YWthMRIwEAYDVQQHEwlC
YW5nYWxvcmUxDDAKBgNVBAoTA1N1bjEPMA0GA1UECxMGUGVvcGxlMR4wHAYDVQQDExVuaWNwMjMw
LmluZGlhLnN1bi5jb20wXDANBgkqhkiG9w0BAQEFAANLADBIAkEAszpE+STWpXO5CC5L/9NIw0hU
QkQWbSoTzgtNHQLs4/umnDM5KfaLNOUGkYc/ajuSty+NchSdM5meTFFb5oyhOQIDAQABoAAwDQYJ
KoZIhvcNAQEEBQADQQBBj5jdLvW6frQBpZYGj/HS6vsT1xu0I04PdKNsrgjikSYl53wMd7DY/2Ou
D0ZifSN4hTYOZUeDAuxz2VvCYvKp
-----END NEW CERTIFICATE REQUEST-----

4) Get the certificate signed from certificate authority and save the response in a text file locally as below. I use http://raasi.red.iplanet.com to get by certificate signed for testing purposes.

/usr/jdk/entsys-j2se/jre/bin/keytool -import -trustcacerts -alias s1as -file servercert.pem -keypass changeit -keystore keystore.jks -storepass changeit
Certificate reply was installed in keystore

servercert.pem is the signed certificate response from the certificate authority.

5)  Import the Root CA of the certificate authority in the keystore database as below

 /usr/jdk/entsys-j2se/jre/bin/keytool -import -alias rootca -trustcacerts -file <path to root ca> -keystore keystore.jks -storepass changeit
Owner: EMAILADDRESS=veera.natarajan@sun.com, CN=Veera Natarajan, OU=SSE, O=Sun Microsystems Inc., ST=California, C=US
Issuer: EMAILADDRESS=veera.natarajan@sun.com, CN=Veera Natarajan, OU=SSE, O=Sun Microsystems Inc., ST=California, C=US
Serial number: a7a9faedf950f415
Valid from: Thu Apr 26 07:29:26 IST 2007 until: Sun Apr 25 07:29:26 IST 2010
Certificate fingerprints:
         MD5:  3A:5C:76:90:D8:FA:23:7B:17:A8:B6:DA:F8:9B:AB:F4
         SHA1: EC:C5:72:75:03:91:D5:13:41:4F:37:38:B3:99:22:DD:68:F0:7F:5E
Trust this certificate? [no]:  yes
Certificate was added to keystore

6) Now install Access Manager and Directory Server from JES5u1 RR build. Provide port/protocol as 8181/https in the installer screens.

7) Now install Open Portal on top of this. 

8) In case there is SRA gateway then add the Root CA  to gateway truststore as follows

/usr/jdk/entsys-j2se/jre/bin/keytool -keystore cacerts -keyalg RSA -import -trustcacerts -alias "<hostname-fqdn>" -storepass changeit -file <path to rootca>
Owner: EMAILADDRESS=veera.natarajan@sun.com, CN=Veera Natarajan, OU=SSE, O=Sun Microsystems Inc., ST=California, C=US
Issuer: EMAILADDRESS=veera.natarajan@sun.com, CN=Veera Natarajan, OU=SSE, O=Sun Microsystems Inc., ST=California, C=US
Serial number: a7a9faedf950f415
Valid from: Thu Apr 26 07:29:26 IST 2007 until: Sun Apr 25 07:29:26 IST 2010
Certificate fingerprints:
         MD5:  3A:5C:76:90:D8:FA:23:7B:17:A8:B6:DA:F8:9B:AB:F4
         SHA1: EC:C5:72:75:03:91:D5:13:41:4F:37:38:B3:99:22:DD:68:F0:7F:5E
Trust this certificate? [no]:  yes
Certificate was added to keystore



The above steps should work with GFv2, GFv2 update releases and GFv3 TP1 



About

Ajit Kamble

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today