Friday May 15, 2009

The OpenSSO Docs Wiki Heats Up

If you haven't visited the OpenSSO Resource Center lately, go have a look. My colleagues on the docs team have been doing a fantastic job of posting high quality information there. The site gets richer and richer every day.

Today, the site hit the mother lode when Gina from the OpenSSO writers team exposed a wealth of troubleshooting tips and FAQs based on support cases on the Community Contributions page of the Resource Center. Together with the How To's and White Papers already present on the page, this makes for extremely interesting reading.

I gotta say, I love working on a technology that has this quality and quantity of information available out in the open.

OpenSSO Instructor-Led Training is Now Available

The OpenSSO Enterprise 8.0: Deployment Essentials course - which I developed last winter - is now available as an instructor-led class from Sun. The Sun course code for this class is AM-3800.

Classes have started to appear on the Sun US training calendar and to other Sun training calendars around the world. More classes will be added to the calendars in the very near future.

In this course, you build up a complex OpenSSO deployment - complete with SSL, multiple web containers, and session failover. Then you use that deployment to exploit OpenSSO capabilities like authentication, authorization, customization, and audit logging. At the end of the week, you deploy a simpler federated identity environment and enable SAML 2 and fedlets.

One of the really nice things that happened during course development was that I was able to get a great set of beta testers from the OpenSSO community. I ran a live class in San Francisco, with people from the community, and held a number of remote trials with other community members. So like everything with OpenSSO, it really was a community effort.

Thursday Apr 30, 2009

Mind-Blowing - An OpenSSO App for the iPhone

An amazing demo came out today - a new iPhone app called POssO:

This app lets you perform basic help desk administration tasks such as creating users, changing passwords, and resetting passwords right from your phone. It has built-in VPN support (a Cisco client), which enables intranet access from the phone with your token card. It also has built-in password policy management, notifications, and log management features.

The transport is encrypted (SSL), and running SSL inside the VPN tunnel keeps the data protected in transit. The app also enforces all RBAC policies set up on the server.

Best of all, the app is absolutely free - with no ads.

Update - May 12, 2009 - POssO is now available at

Thursday Dec 25, 2008

A Great Gift for January 20, 2009

Today, time to blog about something fun.

Shortly after the recent elections, I came across a new book, Feisty First Ladies (and other unforgettable White House Women) by Autumn Stephens.

I love history, and this little volume puts a fun and somewhat irreverent spin on the wives, mistresses, mothers, and other women who have left their own imprint on our nation's history by virtue of their personalities - or lack thereof.

The book includes essays on:

  • All of the wives of all the presidents who have been married (can you name the one President who was never married?)
  • Women who served as the White House hostesses during periods in which the President was unmarried
  • Other women who influenced presidential politics in some interesting ways

Feisty First Ladies has a lot of fun information to share with your friends. For example:

  • In a letter to her sister, Martha Washington described being first lady as "being more like a state prisoner than anything else."
  • Rachel Jackson was simultaneously married to two men for a short period. Andrew Jackson's opponent, John Quincy Adams, smeared her during the election of 1828 as an adulteress, a bigamist, and an American Jezebel.
  • Mary Lincoln stopped in New York to order 16 fancy frocks - at the height of the Civil War. The unpopular wife of Honest Abe is quoted as saying "I intend to wear what I please."
  • It is rumored that Florence Harding, bent on saving her husband from the humiliation of the Teapot Dome scandal and other cabinet corruption, did Warren in. No autopsy was ever performed, and she torched as many of his presidential papers as she could get her hands on.
  • Nancy Reagan, aka "the iron butterfly" and "the Evita of Santa Barbara," is quoted as saying "I'd never wear a crown. It would mess up my hair."
  • After her $150,000+ post-nomination shopping spree, the Huffington Post described Sarah Palin as a "Neiman Marxist."
  • Michelle Obama was assigned as an advisor to summer associate Barack when he did his internship out of law school. She refused offer after offer of a date with him, finally relenting after a month to go out for dinner and a movie (for the record - Do The Right Thing by Spike Lee).

A great read in advance of the upcoming Obama inauguration. I noticed it's already available at Amazon.

Monday Dec 22, 2008

Changing Default GlassFish v3 Prelude Port Numbers 4848, 8080, and 8181

When you create courses, you sometimes do crazy things like installing multiple GlassFish domain administration servers (DAS) on a single host.

When you install GlassFish, it gives you default port numbers of 4848 (for administration), 8080 (for the HTTP listener), and 8181 (for the HTTPS listener). But what do you do if you want to change them?

I got a few ideas googling "asadmin port number" and the like but couldn't really find a good example. So, I figured out how you do it and thought I would post an example in case anyone finds themselves in the same predicament as I did today.

Here are some examples that work in GlassFish v3 Prelude:

  1. To change the HTTP port to 10080:

    asadmin set server.http-service.http-listener.http-listener-1.port=10080

  2. To change the HTTPS port to 10443:

    asadmin set server.http-service.http-listener.http-listener-2.port=10443

  3. To change the administration server port to 14848:

    asadmin set server.http-service.http-listener.admin-listener.port=14848

It's handy to know you can grep for server properties in GlassFish v3 Prelude as follows:

asadmin get server | grep listener

shows all the properties with the text "listener" in them.

In GlassFish v3 Prelude, you can set port numbers for administration and the HTTP listener in the installer - but not for the HTTPS listener. If your DAS is not listening on the default administration port (4848), you also need to tell asadmin which port to talk to. For example:

asadmin set --port 14848 server.http-service.http-listener.http-listener-2.port=10443

Note that --port is an asadmin utility option rather than an option of the set subcommand. In GlassFish v3 the documented placement is before the subcommand (asadmin --port 14848 set ...); the form above, with the option after the subcommand, is the older syntax.

For GlassFish v2, use the asadmin get command as described here.

Hope this is helpful to someone.

Wednesday Dec 10, 2008

Installing OpenSSO Enterprise 8.0 on GlassFish v3 Prelude Release

I've been building some training for OpenSSO Enterprise 8.0, and I want to use GlassFish v3 Prelude Release as my OpenSSO web container for this training.

So I pulled down the GlassFish release, installed it, deployed OpenSSO, started up the OpenSSO console, and logged in. But instead of seeing the console main page, the login page appeared a second time, with the user name and password fields blanked out.

The issue has to do with cookie handling. Dennis noted it in his blog entry here.

Well, it turns out getting OpenSSO Enterprise 8.0 to run on this release of GlassFish is a snap - if you know the workaround. Here are the steps for Solaris OS:
  1. Obtain the GlassFish v3 Prelude Release from

  2. Run the command (which is what you obtained when you downloaded GlassFish). Specify installation options as needed. The rest of these instructions assume that you specified /opt/glassfish as your installation directory.

  3. Start the domain administration server: /opt/glassfish/bin/asadmin start-domain domain1

  4. Start a browser, then start the GlassFish administration console and log in to the console.

  5. Click Application Server (in the left window pane), then the JVM Settings tab, then the JVM Options tab.

  6. Click the Add JVM Option button. A new line opens up.

  7. Add the following option: (this is the workaround).

  8. Change the -client option to -server, and change the -Xmx512m option to at least -Xmx1024m (as documented in the OpenSSO Installation and Configuration Guide).

  9. Log out of the GlassFish admin console.

  10. Restart the GlassFish DAS:
      /opt/glassfish/bin/asadmin stop-domain domain1
      /opt/glassfish/bin/asadmin start-domain domain1

  11. Deploy the OpenSSO web application and configure it.

  12. Start the OpenSSO console and log in. This should take you to the console's main page.

Friday Sep 26, 2008

OpenSSO Deployment Screencasts Are on YouTube

I was cruising through YouTube and happened to come across these screencasts of the OpenSSO Deployment course, WSPL-AM-3508-D. Check them out!

Thanks to Waylon in New Zealand for putting these up. I'm looking forward to seeing more of them!

Lab 1, Exercise 1

Lab 1, Exercise 2

Lab 1, Exercise 3

Monday Aug 18, 2008

Three, Two, One ... Go!

I'm pleased to be able to let you know that training for the OpenSSO Early Access Release is now available at

The training comprises five self-paced, downloadable labs that take you through a complex OpenSSO deployment. You deploy two Apache Tomcat servers, SSL-enable them, install a software load balancer, install OpenSSO into the environment, and configure OpenSSO for session failover. Then you install an example web server and an example application server, and install Policy Agent software to see how OpenSSO protects web sites and J2EE applications.

Go to the OpenSSO site and click Training on the blue bar on the left. Follow the links that take you to the Sun Learning Services Online Lab Community.

From there, you will be able to get the labs, at no cost. The only thing you need before you can access the labs is a login ID at My Sun.

After following the setup instructions, you'll have:

  • A PDF-format workbook that contains the step-by-step instructions for doing the labs

  • A Solaris 10, Update 5 virtual machine preconfigured with all the software you need to do the five labs. This virtual machine has some interesting capabilities:

    • Four whole root zones, so scenarios requiring multiple hosts can be easily and quickly configured

    • All the zones are fully encapsulated in ZFS file systems. A script that exploits ZFS features lets students roll the virtual machine forward or backwards, to do any lab in the workbook. For example, if you are interested only in configuring session failover, you could roll the machine forward to Lab 3 (the session failover lab).

      If you then changed your mind and decided you wanted to do the lab in which you run the OpenSSO configurator, you could roll the machine back to the start of Lab 2. And, if you were then to decide you wanted to do the labs from scratch, you could roll the machine back to the starting point for Lab 1.

      Don't want to do the labs at all - just need to build OpenSSO demos? Roll the machine forward to the start point for Lab 6.
      The idea behind this type of learning is flexibility: "just in time, just enough, just for me."

Saturday Aug 09, 2008

And Now, The OpenSSO Early Access Release

An Early Access release of OpenSSO is now available in the form of OpenSSO Express Build 5.

Participate in this program and help Sun make the first commercial offering of OpenSSO as good as it gets.

If you're not familiar with OpenSSO, here are some selected quotes from Felix Gaehtgens' very nice review of OpenSSO for Kuppinger Cole:

  • The development of OpenSSO is lively, and the product has improved dramatically over the years.
  • The initial teething problems have long been overcome - specifically the limited amount of “committers” ... Nowadays, the OpenSSO project has around 60 committers, 10 of them being external, i.e. non Sun-employees. The community and Sun engineers now have a reputation for being quite responsive in helping community members while in development.
  • This new announcement (of the OpenSSO release model) is a very good step forward for Sun’s customers ... Customers have the best of both worlds – a very innovative product with a large and active engineering base, together with professional support.

Nice stuff. Nice product. Developed by the nicest engineering team I've had the privilege of working downstream from, and I've worked downstream from a lot of engineering teams over the years. And the most responsive - Felix sure got that one right.

Wednesday Jul 23, 2008

OpenSSO Express

Today, Sun announced support for OpenSSO Express.

For all of us in the OpenSSO community, this is a big deal. It's the first supported release of the open source version of the product formerly known as Sun Java System Access Manager.

We're still getting our terminology straight, but generally speaking:

  • OpenSSO is our shorthand for the OpenSSO project, with its nightly builds.
  • OpenSSO Express refers to versioned, supported, fully indemnified builds. The first build of OpenSSO Express, announced today, is OpenSSO Express V1 Build 4.5.

Those of you who follow the mailing list have probably already guessed that I've been working hard at building training based on OpenSSO Express. More to come about that later.

Tuesday Dec 18, 2007

Access Manager Training January, 2008, and Beyond

I send out a monthly e-mail within Sun to let people know about the availability of classes on Access Manager. Michael suggested that I post some of the details to let people who follow this blog know what's out there and available.

Sun currently has one instructor-led training offering for Access Manager: course number AM-3480, Access Manager 7.1 Configuration and Customization. The class is a week long. There's a description of this training course here. The course is offered worldwide. Upcoming teaches in 2008 include:

  • January 14 - Heimstetten, Germany
  • January 14 - San Francisco, CA
  • January 21 - Tokyo (Chofu), Japan
  • January 28 - Seattle, WA
  • February 4 - Oslo, Norway
  • February 4 - Sacramento, CA
  • February 4 - Tampa, FL
  • February 4 - Edison, NJ
  • February 4 - Houston, TX
  • February 18 - Guillemont Park, UK
  • February 18 - Cary, NC
  • February 25 - Burlington, MA
  • March 3 - Brussels, Belgium
  • March 24 - Tokyo (Chofu), Japan
  • March 31 - Ratingen, Germany
  • May 19 - Guillemont Park, UK
  • May 19 - Nieuwegein, Netherlands
  • June 2 - Paris, France

Some things to be aware of with regard to these classes:
  • You can enroll by using the Sun website for the country in which the class is being held, or by calling Sun Training in that country.
  • If there aren't more than a couple or three students who want to attend any given class, the class might be canceled. (So, bring your friends to Access Manager training.)

Tuesday Nov 27, 2007

OpenSSO Store Now Open

This just in - you can now buy cool OpenSSO stuff at

I want a dog t-shirt. Even if I don't have a dog.

Sunday Nov 18, 2007

Adventures with Missing Memory

I recently installed Ubuntu Linux 7.10 on my Ultra 40 at home. When I ran any command that reported memory (free, top, system monitor, etc.) it reported that 2.5 GB was available on my system. The problem with this is that my system has 3 GB.

I did a lot of searches on "missing memory," "underreported memory," etc. and never came up with anything. But after running the dmesg command today on an unrelated matter, I noticed this message:

Use a PAE enabled kernel

After a few searches, I determined that Ubuntu had chosen the wrong kernel for my machine. I needed the bigsmp flavor. Previous Linux variants had installed this by default but not Ubuntu 7.10. It was not easy to figure out how to get that kernel, either. A search in Synaptic for bigsmp yielded nothing. So back to Google, where I was able to find the advice to install the linux-image-server package. So I did, restarted my system, and the bigsmp kernel came up in my grub boot list.

So I booted it.

Now some more fun - gnome wouldn't come up in high resolution. Seems this kernel is incompatible with the nvidia video driver I had installed. gnome put me in 800x600 mode. So I went to the Restricted Drivers panel to disable my nvidia drivers.

More fun. I got a message telling me that this panel wouldn't start up without the linux-restricted-modules-2.6-22.14-server package.

So I go to Synaptic and look for the package. It's not there! Back to Google, more searching around, appears the package doesn't exist but I can get it if I recompile things on my system. I don't feel like it, so no more nvidia drivers and no more nice compiz for this release.


So one more power down, then reboot into the generic kernel, where it nicely lets me disable my generic driver. Then a final reboot into the bigsmp (aka server) kernel, where I now have access to the full 3 GB on my system.

Monday Nov 12, 2007

Access Manager Makes It Into Gartner's Leaders Quadrant

Today was a big day for a lot of us who have worked with the Sun Java System Access Manager product, which is the progenitor of the OpenSSO product.

Gartner Group promoted Access Manager from the challengers quadrant to the leaders quadrant.

There's a nice article about it here.

It's been a great experience to watch this product grow and mature into what it is today. And, there are some really great things coming on the horizon, all open source.

Congratulations to Jamie Nelson and his fine team. I have worked with these folks for several years now, and they're one of the best engineering teams I've had an opportunity to interact with during my career in software engineering, consulting, training, and instructional design. Just a really nice group of very talented people. Way to go, guys!

Tuesday Oct 09, 2007

ZFS and File System State Management

ZFS, available from Solaris 10 update 2 on, is one amazing piece of technology. Bloggers like Drew get what I get about ZFS, which is that once you grok its features and start combining them, you can do some weird and wonderful things.

State management of training machines is something I've been trying to do well for about 15 years now. I've been through a lot of technologies like Norton ghost, scripting, jumpstarting, and OS virtualized images and while they all work, they also have limitations that often make me have to settle for less than what I really want to do.

So I was playing around with a VMware Solaris 10 Update 2 image a couple of months ago that had /z, a big ol' ZFS file system of about 5 GB, with a whole root zone completely encapsulated within it. Here's what I was able to do with it:

  1. First, I took a ZFS snapshot called z@machinestartstate.
  2. I booted and logged into the whole root zone.
  3. I set the zone up to have the start state for one of the classes for which I am responsible. Let's call it class 1.
  4. I took another ZFS snapshot called z@class1startstate.
  5. I saved the deltas between the two snapshots: zfs send -i z@machinestartstate z@class1startstate > machinestartstate.class1startstate.
  6. I did Lab 1.
  7. I took another ZFS snapshot called z@class1lab1endstate.
  8. I saved the deltas between the two snapshots: zfs send -i z@class1startstate z@class1lab1endstate > class1startstate.class1lab1endstate.
  9. I did Lab 2.
  10. I took another ZFS snapshot called z@class1lab2endstate.
  11. I saved the deltas between the two snapshots: zfs send -i z@class1lab1endstate z@class1lab2endstate > class1lab1endstate.class1lab2endstate.
  12. I followed the same steps for Labs 3 through 10, and then did the same things for 5 other classes I am responsible for.

Now look at the possibilities I have. As long as I can get back to my original virtual machine image, I can play the delta files back to any state I want:
  • zfs rollback -r z@machinestartstate always takes me back to the original virtual machine state.
  • zfs recv z < machinestartstate.class1startstate restores the start state for class 1.
  • zfs recv z < class1startstate.class1lab1endstate restores the end state for Lab 1 of class 1.
and so forth. In subsequent blog entries, I'll be writing about how to create a Solaris 10 VMware virtual machine for this setup, and provide workarounds for some issues I found while getting this working.
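The snapshots in this scheme form a tree: the machine start state is the root, each class branches off it, and each lab extends its class's chain. Rebuilding any saved state therefore means rolling back to the root and receiving the deltas along one path of that tree, in order. The following planner is an added example, not code from the original post or from Sun. It assumes the file system name z and the <parent>.<child> delta file naming used above; the -F option on zfs recv and the requirement to halt the zone before rolling back are this example's own additions. It emits the zfs command lines for review rather than running them.

```python
"""Plan zfs snapshot/send/recv command lines for a tree of lab states.

Added example, not code from the original post. It models the scheme the
post describes: ZFS file system `z` holding a whole-root zone, the machine
start state as the root snapshot, each class branching off that root, and
each lab extending its class's chain. Incremental streams are saved to
files named <parent>.<child> (the post's convention) so any saved state can
be rebuilt from the root. The planner only emits command lines for review
or for piping to a shell; it does not run zfs itself.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

FS = "z"  # ZFS file system that encapsulates the zone, as in the post


@dataclass
class StateTree:
    root: str                                   # e.g. "machinestartstate"
    parent: dict[str, str] = field(default_factory=dict)

    def add(self, state: str, parent: str) -> None:
        """Record that `state` was snapshotted right after `parent`."""
        if parent != self.root and parent not in self.parent:
            raise KeyError(f"unknown parent state {parent!r}")
        if state == self.root or state in self.parent:
            raise ValueError(f"state {state!r} already recorded")
        self.parent[state] = parent

    def path_from_root(self, state: str) -> list[str]:
        """States to replay, root-first, to reach `state` (root excluded)."""
        chain: list[str] = []
        while state != self.root:
            chain.append(state)
            state = self.parent[state]   # KeyError if state is unknown
        chain.reverse()
        return chain


def stream_file(parent: str, child: str) -> str:
    """Delta file name: <parent>.<child>, as in the post."""
    return f"{parent}.{child}"


def record_commands(tree: StateTree, state: str) -> list[str]:
    """Commands to capture `state` once its lab has been done in the zone."""
    parent = tree.parent[state]
    return [
        f"zfs snapshot {FS}@{state}",
        f"zfs send -i {FS}@{parent} {FS}@{state} > "
        + shlex.quote(stream_file(parent, state)),
    ]


def replay_commands(tree: StateTree, target: str) -> list[str]:
    """Roll back to the root snapshot, then receive each delta in order.

    rollback -r destroys the snapshots taken after the root so the first
    incremental stream applies cleanly; recv -F rolls the file system back
    to its most recent snapshot before each receive, discarding whatever a
    student changed in the zone. Halt the zone before running these.
    """
    cmds = [f"zfs rollback -r {FS}@{tree.root}"]
    prev = tree.root
    for state in tree.path_from_root(target):
        cmds.append(f"zfs recv -F {FS} < " + shlex.quote(stream_file(prev, state)))
        prev = state
    return cmds


def post_tree() -> StateTree:
    """The states named in the post, plus a second class branching off the root."""
    tree = StateTree(root="machinestartstate")
    tree.add("class1startstate", "machinestartstate")
    tree.add("class1lab1endstate", "class1startstate")
    tree.add("class1lab2endstate", "class1lab1endstate")
    tree.add("class2startstate", "machinestartstate")
    return tree


if __name__ == "__main__":
    t = post_tree()
    print("# record the end of class 1 lab 2")
    print("\n".join(record_commands(t, "class1lab2endstate")))
    print("# rebuild class 1 lab 2 end state from the original VM image")
    print("\n".join(replay_commands(t, "class1lab2endstate")))
```

Because every delta is keyed by its parent, the replay order falls out of the tree and a state from class 2 never gets a class 1 stream applied to it. Keep the delta files somewhere other than the file system being rolled back, since zfs rollback -r discards everything written to z after the root snapshot.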


