Sunday Mar 01, 2009

Verify AM/OpenSSO Attributes

When OpenSSO or Access Manager is deployed to secure web applications, it is often desirable to know which attributes OpenSSO returns, because they determine certain behavior of a particular application. The Webspace Server provides an add-on that integrates with OpenSSO and uses the Client SDK to authenticate against OpenSSO. This is explained in detail at http://wikis.sun.com/display/websynergy/OpenSSO+add-on.

If authentication issues come up where a user successfully authenticates against OpenSSO but can't log in to the Web Space server, it is very likely that the required attributes are not being returned from OpenSSO via the Client SDK. The Web Space server logs record the attributes returned along with other related messages. Reading them might require administrative access to the log files on the file system.

To display in the web browser which OpenSSO attributes are returned, I have written a web application, “CheckAMAttrs”, that provides the information and looks like the picture below. This will help debug any attribute-related issues.

[Screenshot: CheckAMAttrs]

For more information and to download the application, go to the Wiki. Though the Wiki is written specifically for the Webspace server, it should work with any other OpenSSO deployment.

Thursday Feb 12, 2009

Integrating WebSpace server with OpenSSO/Access Manager

The WebSpace Server is Sun's Portal Server offering (Project Websynergy), with a great feature set that fits well into an enterprise. The WebSpace server supports OpenSSO authentication out of the box using OpenSSO's RESTful web services. Having said that, this does not work with Access Manager. To support both OpenSSO and Access Manager, we provide an “addon” which uses the client SDK to perform authentication and currently supports OpenSSO and Access Manager 7.1. In addition to providing authentication, the addon comes bundled with a portlet that allows an administrator to map an OpenSSO/AM role to a WebSpace server Community for content. This means that when a user is added to a role on OpenSSO/AM, the user is assigned a membership in the mapped Community on the WebSpace server. However, the permissions are maintained and managed by the WebSpace server only.

You can find more information on the following Wiki pages:

http://wikis.sun.com/display/websynergy/OpenSSO+and+WebSynergy

http://wikis.sun.com/display/websynergy/OpenSSO+add-on





Tuesday Oct 14, 2008

Deploy and Configure OpenSSO on Glassfish from Command Line

Create a Glassfish domain “opensso” which runs on ports 18080 and 18443 (SSL), with the admin port on 14848.

Assume that Glassfish is installed under /opt/glassfish.


$ cd /opt/glassfish/bin

$ ./asadmin create-domain --adminport 14848 --instanceport 18080 --savemasterpassword=true --user admin --savelogin=true --domainproperties http.ssl.port=18443 opensso


Configure the server policy on Glassfish for OpenSSO


As per the installation procedure of OpenSSO for Glassfish, it is required to update the server.policy. I have created a file opensso_policy.txt with the required contents.


$ cd /opt/glassfish/domains/opensso/config

$ cat opensso_policy.txt >> server.policy


Configure the JVM requirements for OpenSSO


Note: Here I have used GNU sed, which allows in-place replacement (-i switch). If you are not using GNU sed then you might need to make a copy of the file with the change.


$ sed -i "s/<jvm-options>-client<\\/jvm-options>/<jvm-options>-server<\\/jvm-options>/" domain.xml

$ sed -i "s/<jvm-options>-Xmx512m<\\/jvm-options>/<jvm-options>-Xmx1024m<\\/jvm-options>/" domain.xml
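
For a sed without -i, as mentioned in the note above, the same change can go through a temporary file. This is an added example, not part of the original post: it keeps a .bak copy and fails if the expected option is not present exactly once, so a sed that silently matched nothing is not mistaken for success. The function name set_jvm_option and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). The function name and the
# return codes are choices made for this example.
# Usage: set_jvm_option FILE OLD NEW
#   0 = changed or already applied, 1 = OLD not found exactly once, 2 = I/O error
set_jvm_option() {
    file=$1; old=$2; new=$3
    [ -f "$file" ] || return 2

    # Count matching lines (assumes one <jvm-options> element per line).
    n_old=$(grep -c -F -- "<jvm-options>${old}</jvm-options>" "$file") || true
    n_new=$(grep -c -F -- "<jvm-options>${new}</jvm-options>" "$file") || true

    # Re-running after a successful change is a no-op, not an error.
    if [ "$n_old" -eq 0 ] && [ "$n_new" -ge 1 ]; then return 0; fi
    # A missing or duplicated option means the file is not what we expect.
    [ "$n_old" -eq 1 ] || return 1

    # Escape regex and replacement metacharacters so that options
    # containing '.', '/' or '&' are matched and written literally.
    pat=$(printf '%s' "$old" | sed 's/[][\.*^$/]/\\&/g')
    rep=$(printf '%s' "$new" | sed 's/[\&/]/\\&/g')

    tmp="${file}.tmp.$$"
    cp -p "$file" "${file}.bak" || return 2
    sed "s/<jvm-options>${pat}<\/jvm-options>/<jvm-options>${rep}<\/jvm-options>/" \
        "$file" > "$tmp" || { rm -f "$tmp"; return 2; }

    # Verify the edit before touching the live file.
    if ! grep -q -F -- "<jvm-options>${new}</jvm-options>" "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    # Overwrite in place so the file keeps its owner and permissions.
    cat "$tmp" > "$file" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
}

# The two changes from the post would then be:
#   set_jvm_option domain.xml -client -server
#   set_jvm_option domain.xml -Xmx512m -Xmx1024m
```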


Start OpenSSO


$ cd /opt/glassfish/bin

$ ./asadmin start-domain opensso


Deploy OpenSSO war file


Assuming the opensso.war is available under /opt/opensso/deployable-war


$ ./asadmin deploy --port 14848 --user admin /opt/opensso/deployable-war/opensso.war

Command deploy executed successfully.


Run the OpenSSO configurator


I have written Java code (download postOpenSSO.class) that performs an HTTP POST to OpenSSO's configurator.jsp. It reads a configuration input file (openssodeploy.config) from the directory from which it is invoked.


Assume that you have downloaded postConfig.class and openssodeploy.config into the /opt/openssodeploy directory. openssodeploy.config is the default; if you use a different file, you can pass its name to the postOpenSSO class.


$ cd /opt/openssodeploy

$ java postOpenSSO



About

Srikanth Konjarla
