Friday May 15, 2009

The OpenSSO Docs Wiki Heats Up

If you haven't visited the OpenSSO Resource Center lately, go have a look. My colleagues on the docs team have been doing a fantastic job of posting high quality information there. The site gets richer and richer every day.

Today, the site hit the mother lode when Gina from the OpenSSO writers team exposed a wealth of troubleshooting tips and FAQs based on support cases on the Community Contributions page of the Resource Center. Together with the How To's and White Papers already present on the page, this makes for extremely interesting reading.

I gotta say, I love working on a technology that has this quality and quantity of informaton available out in the open.

OpenSSO Instructor-Led Training is Now Available

The OpenSSO Enterprise 8.0: Deployment Essentials course - which I developed last winter - is now available as an instructor-led class from Sun. The Sun course code for this class is AM-3800.

Classes have started to appear on the Sun US training calendar and to other Sun training calendars around the world. More classes will be added to the calendars in the very near future.

In this course, you build up a complex OpenSSO deployment - complete with SSL, multiple web containers, and session failover. Then you use that deployment to exploit OpenSSO capabilities like authentication, authorization, customization, and audit logging. At the end of the week, you deploy a simpler federated identity environment and enable SAML 2 and fedlets.

One of the really nice things that happened during course development was that I was able to get a great set of beta testers from the OpenSSO community. I ran a live class in San Francisco, with people from the community, and held a number of remote trials with other community members. So like everything with OpenSSO, it really was a community effort.

Thursday Apr 30, 2009

Mind-Blowing - An OpenSSO App for the iPhone

An amazing demo came out today - a new iPhone app called POssO:

This app lets you perform basic help desk administration tasks like create user, change password, and reset password right from your phone. It's got built-in VPN support (a Cisco client), which enables intranet access from the phone with your token card. It also has built-in password policy management, notifications, and log management features.

The transport protocol is encrypted (SSL), and with SSL over VPN the data is safe. The app also enforces all RBAC policies set up on the server.

Best of all, the app is absolutely free - with no ads.

Update - May 12, 2009 - POssO is now available at

Monday Dec 22, 2008

Changing Default GlassFish v3 Prelude Port Numbers 4848, 8080, and 8181

When you create courses, you sometimes do crazy things like installing multiple GlassFish domain administration servers (DAS) in a single host.

When you install GlassFish, it gives you default port numbers of of 4848 (for administration), 8080 (for the HTTP listener), and 8181 (for the HTTPS listener). But what do you do if you want to change them?

I got a few ideas googling "asadmin port number" and the like but couldn't really find a good example. So, I figured out how you do it and thought I would post an example in case anyone finds themselves in the same predicament as I did today.

Here are some examples that work in GlassFish v3 Prelude:

  1. To change the HTTP port to 10080:

    asadmin set server.http-service.http-listener.http-listener-1.port=10080

  2. To change the HTTPS port to 10443:

    asadmin set server.http-service.http-listener.http-listener-2.port=10443

  3. To change the administration server port to 14848:

    asadmin set server.http-service.http-listener.admin-listener.port=14848

It's handy to know you can grep for server properties in GlassFish v3 Prelude as follows:

asadmin get server | grep listener

shows all the properties with the text "listener" in them.

In GlassFish v3 Prelude, you can set port numbers for administration and the HTTP listener in the installer - but not for the HTTPS listener. You might find yourself needing to explicitly specify the administration port in your asadmin command. For example:

asadmin set --port 14848 server.http-service.http-listener.http-listener-2.port=10443

For GlassFish v2, use the asadmin get command as described here.

Hope this is helpful to someone.

Wednesday Dec 10, 2008

Installing OpenSSO Enterprise 8.0 on GlassFish v3 Prelude Release

I've been building some training for OpenSSO Enterprise 8.0, and I want to use GlassFish v3 Prelude Release as my OpenSSO web container for this training.

So I pulled down the GlassFish release, installed it, deployed OpenSSO, started up the OpenSSO console, and logged in. But instead of seeing the console main page, the login page appeared a second time, with the user name and password fields blanked out.

The issue has to do with cookie handling. Dennis noted it in his blog entry here.

Well, it turns out getting OpenSSO Enterprise 8.0 to run on this release of GlassFish is a snap - if you know the workaround. Here are the steps for Solaris OS:
  1. Obtain the GlassFish v3 Prelude Release from

  2. Run the command (which is what you obtained when you downloaded GlassFish). Specify installation options as needed. The rest of these instructions assume that you specified /opt/glassfish as your installation directory.

  3. Start the domain administration server: /opt/glassfish/bin/asadmin start-domain domain1

  4. Start a browser, then start the GlassFish administration console ( and log in to the console.

  5. Click Application Server (in the left window pane), then the JVM Settings tab, then the JVM Options tab.

  6. Click the Add JVM Option button. A new line opens up.

  7. Add the following option: (this is the workaround).

  8. Change the -client option to -server, and change the -Xmx512m option to at least -Xmx1024m (as documented in the OpenSSO Installation and Configuration Guide.

  9. Log out of the GlassFish admin console.

  10. Restart the GlassFish DAS:
      /opt/glassfish/bin/asadmin stop-domain domain1
      /opt/glassfish/bin/asadmin start-domain domain1

  11. Deploy the OpenSSO web application and configure it.

  12. Start the OpenSSO console and log in. This should take you to the console's main page.

Friday Sep 26, 2008

OpenSSO Deployment Screencasts Are on YouTube

I was cruising through YouTube and happened to come across these screencasts of the OpenSSO Deployment course, WSPL-AM-3508-D. Check them out!

Thanks to Waylon in New Zealand for putting these up. I'm looking forward to seeing more of them!

Lab 1, Exercise 1

Lab 1, Exercise 2

Lab 1, Exercise 3

Monday Aug 18, 2008

Three, Two, One ... Go!

I'm pleased to be able to let you know that training for the OpenSSO Early Access Release is now available at

The training comprises five self-paced, downloadable labs that take you through a complex OpenSSO deployment. You deploy two Apache Tomcat servers, SSL-enable them, install a software load balancer, install OpenSSO into the environment, and configure OpenSSO for session failover. Then you install an example web server and an example application server, and install Policy Agent software to see how OpenSSO protects web sites and J2EE applications.

Go to the OpenSSO site and click Training on the blue bar on the left. Follow the links that take you to the Sun Learning Services Online Lab Community.

From there, you will be able to get the labs, at no cost. The only thing you need before you can access the labs is a login ID at My Sun.

After following the setup instructions, you'll have:

  • A PDF-format workbook that contains the step-by-instructions for doing the labs

  • A Solaris 10, Update 5 virtual machine preconfigured with all the software you need to do five labs. This virtual machine has some interesting capabilities:

    • Four whole root zones, so scenarios requiring multiple hosts can be easily and quickly configured

    • All the zones are fully encapsulated in ZFS file systems. A script that exploits ZFS features lets students roll the virtual machine forward or backwards, to do any lab in the workbook. For example, if you are interested only in configuring session failover, you could roll the machine forward to Lab 3 (the session failover lab).

      If you then changed your mind and decided you wanted to do the lab in which you run the OpenSSO configurator, you could roll the machine back to the start of Lab 2. And, if you were then to decide you wanted to do the labs from scratch, you could roll the machine back to the starting point for Lab 1.

      Don't want to do the labs at all - just need to build OpenSSO demos? Roll the machine forward to the start point for Lab 6.
      The idea behind this type of learning is flexibility: "just in time, just enough, just for me."

Saturday Aug 09, 2008

And Now, The OpenSSO Early Access Release

An Early Access release of OpenSSO is now available in the form of OpenSSO Express Build 5.

Participate in this program and help Sun make the first commercial offering of OpenSSO as good as it gets.

If you're not familiar with OpenSSO, here are some selected quotes from Felix Gaehtgens' very nice review of OpenSSO for Kuppinger Cole:

  • The development of OpenSSO is lively, and the product has improved dramatically over the years.
  • The initial teething problems have long been overcome - specifically the limited amount of “committers” ... Nowadays, the OpenSSO project has around 60 committers, 10 of them being external, i.e. non Sun-employees. The community and Sun engineers now have a reputation for being quite responsive in helping community members while in development.
  • This new announcement (of the OpenSSO release model) is a very good step forward for Sun’s customers ... Customers have the best of both worlds – a very innovative product with a large and active engineering base, together with professional support.

Nice stuff. Nice product. Developed by the nicest engineering team I've had the privilege of working downstream from, and I've worked downstream from a lot of engineering teams over the years. And the most responsive - Felix sure got that one right.

Wednesday Jul 23, 2008

OpenSSO Express

Today, Sun announced support for OpenSSO Express.

For all of us in the OpenSSO community, this is a big deal. It's the first supported release of the open source version of the product formerly known as Sun Java System Access Manager.

We're still getting our terminology straight, but generally speaking:

  • OpenSSO is our shorthand for the OpenSSO project, with its nightly builds.
  • OpenSSO Express refers to versioned, supported, fully indemnified builds. The first build of OpenSSO Express, announced today, is OpenSSO Express V1 Build 4.5.

Those of you who follow the mailing list have probably already guessed that I've been working hard at building training based on OpenSSO Express. More to come about that later.

Tuesday Nov 27, 2007

OpenSSO Store Now Open

This just in - you can now buy cool OpenSSO stuff at

I want a dog t-shirt. Even if I don't have a dog.

Sunday Nov 18, 2007

Adventures with Missing Memory

I recently installed Ubuntu Linux 7.10 on my Ultra 40 at home. When I ran any command that reported memory (free, top, system monitor, etc.) it reported that 2.5 GB was available on my system. The problem with this is that my system has 3 GB.

I did a lot of searches on "missing memory," "underreported memory," etc. and never came up with anything. But after running the dmesg command today on an unrelated matter, I noticed this message:

Use a PAE enabled kernel

After a few searches, I determined that Ubuntu had chosen the wrong kernel for my machine. I needed the bigsmp flavor. Previous Linux variants had installed this by default but not Ubuntu 7.10. It was not easy to figure out how to get that kernel, either. A search in Synaptic for bigsmp yielded nothing. So back to Google, where I was able to find the advice to install the linux-image-server package. So I did, restarted my system, and the bigsmp kernel came up in my grub boot list.

So I booted it.

Now some more fun - gnome wouldn't come up in high resolution. Seems this kernel is incompatible with the nvidia video driver I had installed. gnome put me in 800x600 mode. So I went to the Restricted Drivers panel to disable my nvidia drivers.

More fun. I got a message telling me that this panel wouldn't start up without the linux-restricted-modules-2.6-22.14-server

So I go to Synaptic and look for the package. It's not there! Back to Google, more searching around, appears the package doesn't exist but I can get it if I recompile things on my system. I don't feel like it, so no more nvidia drivers and no more nice compiz for this release.


So one more power down, then reboot into the generic kernel, where it nicely lets me disable my generic driver. Then a final reboot into the bigsmp (aka server) kernel, where I now have access to the full 3 GB on my system.

Monday Nov 12, 2007

Access Manager Makes It Into Gartner's Leaders Quadrant

Today was a big day for a lot of us who have worked with the Sun Java System Access Manager product, which is the progenitor of the OpenSSO product.

Gartner Group promoted Access Manager from the challenger quadrant to the leaders product.

There's a nice article about it here.

It's been a great experience to watch this product grow and mature into what it is today. And, there are some really great things coming on the horizon, all open source.

Congratulations to Jamie Nelson and his fine team. I have worked with these folks for several years now, and they're one of the best engineering teams I've had an opportunity to interact with during my career in software engineering, consulting, training, and instructional design. Just a really nice group of very talented people. Way to go, guys!

Tuesday Feb 06, 2007

A Fun New Toy, Part 1

No, not the carbon fiber bike I've been lusting over. This time, my toy is a fun new site on the web.

SSOCircle is a site developed by Hu Liu, a consultant based in Steinbach, Germany. As it says on SSOCircle's home page, "SSOCircle is for those who want to federate their applications or just want to get some SSO experience. SSOCircle provides a ready to use Identity Provider."

My plate has been very full at work lately - I've been updating the Access Manager training course, AKA AM-3480 for Access Manager 7.1 among other things - but when I saw the February 2 entry on Pat's blog, I couldn't resist giving this thing a try.

Hu Liu has set up a SAML 2.0 identity provider based on the OpenSSO project. It should work with any SAML 2.0-compliant service provider (SP), and there's functionality at SSOCircle to add your own SP to the SSOCircle circle of trust (CoT). For demonstration purposes, I used the the sample service provider site that Pat mentions in his blog entry. This site has already been set up as an SP in the SSOCircle CoT. (Setting up an SP to go in the SSOCircle CoT is now on my "to do" list, and when I get around to doing it, I'll blog about it.) It took all of two minutes to set up my account at SSOCircle and federate with the sample SP site. Here are the steps I followed, if you want to try it out:

  1. From the SSOCircle home page, I click Login / Register and register as a new user.

  2. I wait for my registration confirmation e-mail to come back, and when it does, I follow the instructions in it to complete the account registration process.

  3. I go back to the SSOCircle home page and log in.

  4. I look at my cookies (because it is always a good idea to look to the cookie) and find a cookie named iPlanetDirectoryPro with a reference to an SSO token - a sure sign that OpenSSO is in the house.

  5. So at this stage, I'm authenticated with the identity provider, and have the SSO token reference to prove it. Now I go to the SP site. It is important to notice that the page heading reads "ZXID SP Federated SSO (user NOT logged in, no session)."

  6. I click Login to (SAML20: Artifact).

  7. A new screen comes up with the title, "ZXID SP Management (user logged in, session active)."

So, voila, I'm an authenticated user at the SP without having had to log in there. The SP delegated authentication to the IdP. I have an account at the IdP but not at the SP, but I am still able to use the SP's site. That's Internet SSO functionality - one of the basic features of federated identity.

Imagine if you are the administrator at the SP. Your company or organization has established a business relationship with the identity provider that says that you trust anyone who has authenticated to the IdP to let them use your web services. No provisioning, no account maintenance, and - we hope - a very quick ramp up time.

I'll check out the ramp up time - how long it takes me to set up an SP and enter the SSOCircle CoT - in a future entry.

Tuesday Jan 02, 2007

My "Hot Topic" Presentation

Stacy Thurston asked me to record a short presentation about Identity Federation last month. This presentation is going to be used in the new Hot Topics series.

More about Hot Topics when my presentation is available on the web.

I've posted the slides I used here.

Sunday Dec 10, 2006

An Unusual Experience With openSUSE 10.2

Yesterday was a gray, rainy day in the Bay Area. No chance for a bike ride, and I procrastinated until it was too late to go to the gym and take a spinning class. I've been wanting to upgrade my OS on my home computer, a screaming, dual-Opteron Sun Ultra 40, for a while now but didn't have the free weekend I figured I'd need to do it. But now with all this free time on my hands...

I considered trying Ubuntu 6.10 (Edgy Eft) but remembered what happened the last time I tried installing Ubuntu. I booted up the install CD and the OS froze when it got to the screen when you click the icon to install the thing. Seems as though the Ubuntu installer it didn't like my Logitech diNovo Bluetooth Keyboard and Mouse. I couldn't find anything about this problem on Google, and I didn't have another mouse and keyboard I could switch out for the installation. So I decided I liked my diNovo more than I liked Ubuntu, so I decided to try SUSE 10.2.

SUSE 10.1 has been reasonably good, although there were problems with the software updater early in the release cycle. Fairly early on, maybe a couple of months into the release cycle, the problems got worked out and it has operated flawlessly ever since.

So yesterday I decided I still liked my diNovo better than Ubuntu, so why bother with Ubuntu? I downloaded SUSE 10.2, burned a DVD, and started the installation.

That's when I had my unusual experience.

SUSE 10.2 installed flawlessly, and I did not encounter a single problem getting all my software and hardware working with it. (Well, there was one minor issue with Thunderbird. More below.)

This was something I had never had happen with a Linux distribution. I usually allow a full day for installing and working out issues, then a few days to get everything just right. In this case, I started the installation at around noon, and was done with all my system configuration around 2.

Kudos to whoever at SUSE is responsible for making 10.2 so easy to get up and running!

There seems to be a drumbeat among Linux tech types lately that "Ubuntu is the distribution you want to have." I don't get it. I like Ubuntu, but I don't think it is any better than SUSE. And, I have run into problems getting it to install with my diNovo, and getting it to display in the screen resolution I want (a well known issue with Ubuntu), and I don't care for the look and feel (all that brown - yuck - looks so seveties). When I first used Ubuntu, apt-get was a compelling reason to switch to this distro. But now that zen seems to be working well in SUSE (probably just in time to switch to yet another package installer in, that advantage has gone away.

Here are some things I really like about SUSE 10.2:

  • It installs non-OSS packages that I need, like Acroread and Flash
  • zen installer works well (with one exception - see below)
  • You can now get an ISO for the OS on a single DVD - no more 5 CD sets
  • Nice clean default look and feel
  • Everything works

Here are some SUSE 10.2 lessons learned:

  • You can't install Thunderbird using zen. You have to go to YAST for some reason.
  • You now add fonts to /usr/share/fonts instead of the old X11R6 location. I suppose this is part of the Xorg upgrade.

Here are general things that you might find helpful if you are installing SUSE:

  • If you need to add a user with a user number greater than 60000, you have to use the CLI. The GUI tools do not let you add users with high user numbers.
  • If you want to use CUPS from a browser, you have to add a user with lppasswd.
  • If you use VMWare, make sure you have the most current update before installing a new Linux kernel.
  • If you hate beagle (desktop indexer) like I do, disable it by removing the cron script out of /etc/cron.daily. I created a directory called /etc/cron.never just for this pig, which SUSE installs and has you run by default. You can get rid of all the files in your .beagle directory. I had 2 GB of these on my system before I removed them, and they were all little bitty files that made my system backups take forever. Couldn't someone come up with something better?

It's still raining. Off to spinning class.




« July 2016