OpenSSO Early Access Release Notes
Questions/Issues : issues@opensso.dev.java.net
Last updated : 06/23/2008
1. How to Install OpenSSO Build 4.5
Download OpenSSO Build 4.5 (opensso.zip), unzip it, and deploy opensso.war to one of the supported web containers listed in Section 3 below.
Download the OpenSSO Build 4.5 web services agents (openssowssproviders.zip), unzip it, and follow the instructions.
Agents 3.0 that work with Build 4.5 can be downloaded from the OpenSSO download website.
Agent 2.2 also works with Build 4.5 and can be downloaded from:
http://www.sun.com/download/index.jsp?cat=Identity%20Management&tab=3&subcat=Policy%20Agents
2. Important Notes and Limitations for OpenSSO Build 4.5
-- WebServer 7.0 U3 is required
-- WebLogic 9.2 MP2 is required
-- JDK 1.5 must be used when running STS client and service as well as STS samples. In other words, JDK 1.6 does not work with STS yet.
-- When configuring build 4.5 with OpenDS replication using AS 9.1 EE U1/U2, turn security manager OFF. Otherwise security manager can be ON with the right permissions set as described in section 3.
-- Web Services Security agents (JSR 196 based) are only available on GF v2 and AS 9.1 EE.
3. Supported Web Containers
The steps below are required on each supported web container before OpenSSO is deployed and configured.

GlassFish v2 UR1 / UR2
https://glassfish.dev.java.net/downloads/v2ur1-b09d.html
https://glassfish.dev.java.net/downloads/v2ur2-b04.html
Edit domain.xml in the GlassFish domain where OpenSSO will be deployed:
1. Change jvm-options from "-client" to "-server".
2. Change jvm-options from -Xmx512m to -Xmx1024m.
3. If the Java Security Manager is on, the following permissions are needed in server.policy:
    grant {
        permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
        permission java.util.PropertyPermission "*", "read, write";
        permission java.lang.RuntimePermission "modifyThreadGroup";
        permission java.lang.RuntimePermission "setFactory";
        permission java.lang.RuntimePermission "accessClassInPackage.*";
        permission java.util.logging.LoggingPermission "control";
        permission java.lang.RuntimePermission "shutdownHooks";
        permission javax.security.auth.AuthPermission "getLoginConfiguration";
        permission javax.security.auth.AuthPermission "setLoginConfiguration";
        permission javax.security.auth.AuthPermission "modifyPrincipals";
        permission javax.security.auth.AuthPermission "createLoginContext.*";
        permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
        permission java.util.PropertyPermission "java.util.logging.config.class", "write";
        permission java.security.SecurityPermission "removeProvider.SUN";
        permission java.security.SecurityPermission "insertProvider.SUN";
        permission javax.security.auth.AuthPermission "doAs";
        permission java.util.PropertyPermission "java.security.krb5.realm", "write";
        permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
        permission java.util.PropertyPermission "java.security.auth.login.config", "write";
        permission java.util.PropertyPermission "user.language", "write";
        permission javax.security.auth.kerberos.ServicePermission "*", "accept";
        permission javax.net.ssl.SSLPermission "setHostnameVerifier";
        permission java.security.SecurityPermission "putProviderProperty.IAIK";
        permission java.security.SecurityPermission "removeProvider.IAIK";
        permission java.security.SecurityPermission "insertProvider.IAIK";
        permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler";
        permission javax.management.MBeanServerPermission "newMBeanServer";
        permission javax.management.MBeanPermission "*", "registerMBean";
        permission java.lang.RuntimePermission "createClassLoader";
        permission java.lang.RuntimePermission "accessDeclaredMembers";
        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
        permission javax.security.auth.AuthPermission "getSubject";
        permission javax.management.MBeanTrustPermission "register";
        permission java.lang.management.ManagementPermission "monitor";
        permission javax.management.MBeanServerPermission "createMBeanServer";
        permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write";
        permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write";
        permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write";
        permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write";
        permission java.net.NetPermission "getProxySelector";
        permission java.security.SecurityPermission "getProperty.authconfigprovider.factory";
        permission java.security.SecurityPermission "setProperty.authconfigprovider.factory";
        permission javax.security.auth.AuthPermission "doAsPrivileged";
        permission javax.security.auth.AuthPermission "modifyPublicCredentials";
        permission java.security.SecurityPermission "insertProvider.XMLDSig";
        permission java.security.SecurityPermission "putProviderProperty.WSS_TRANSFORM";
        permission java.security.SecurityPermission "insertProvider.WSS_TRANSFORM";
    };

Application Server 9.1 U1 Enterprise Edition (EE)
1. Make sure jvm-options has "-server" instead of "-client".
2. Turn the Security Manager OFF if you want to test OpenDS for configuration replication across multiple OpenSSO instances.
3. If the Java Security Manager is ON (for testing not related to replication), server.policy needs the same permissions as listed under GlassFish v2 above.

Web Server 7.0 U3
1. Increase the JVM options from the default "-Xms128M -Xmx256M" to "-Xms256M -Xmx512M".
WS 7.0 U3 location: http://koori.sfbay/java/re/sjsws/7.0u3/nightly/bundles/latest/
Note: FAM8 Build 4.5 does NOT support WS 7.0 U1 and U2.

Tomcat 5.5.x
1. Do NOT use Tomcat 5.5.26, as it does not work with OpenSSO Build 4.5.
2. Increase the JVM option -Xmx to 1024M.

Tomcat 6.x
1. Do NOT use Tomcat 6.0.16, as it does not work with OpenSSO Build 4.5.
2. Increase the JVM option -Xmx to 1024M.

WebLogic 9.2 MP2 Server or later
1. Edit <bea_home>/<instance>/domains/wl_server/bin/setDomainEnv.sh to add the system property click.mode=debug. This can be done using JVM_OPTIONS; for example, on Windows: set JVM_OPTIONS=-Dclick.mode=debug
2. If the Security Manager is ON, the same policy permissions as documented under AS 9.1/GF need to be set in weblogic.policy.

WebLogic 10 Server
1. Edit <bea_home>/<instance>/domains/wl_server/bin/setDomainEnv.sh to add the system property click.mode=debug. This can be done using JVM_OPTIONS; for example, on Windows: set JVM_OPTIONS=-Dclick.mode=debug
2. If the Security Manager is ON, the same policy permissions as documented under AS 9.1/GF need to be set in weblogic.policy.

(container not named in the original table)
None

WebSphere 6.1
1. Edit <install_root>/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/<cell>/nodes/<node>/servers/<server>/server.xml and add to the <jvmEntries ... /> element:
    genericJvmArguments="-Djava.awt.headless=true -DamCryptoDescriptor.provider=IBMJCE -DamKeyGenDescriptor.provider=IBMJCE"
2. Edit <install_root>/IBM/WebSphere/AppServer/profiles/AppSrv01/properties/server.policy and add the same permissions as listed under GlassFish v2 above.
3. Fix the JSP issue on WAS 6.1 as follows. WAS 6.1 has an Eclipse-based JSP compiler which uses JDT (Java Development Tooling) and the AST (Abstract Syntax Tree) parser <http://www-128.ibm.com/developerworks/opensource/library/os-ast/> for parsing and generating the Java code. This compiler depends on some of the user environment settings, and if these are not propagated correctly to the compiler during its initialization it may fail to initialize properly. There are two workarounds to this problem:
    * The easiest one is to install as any non-root user; everything should then work as expected.
    * The other route is to modify your web archive descriptor to use the JDK compiler (jikes can be used as well). To change the compiler used for your JSP compilation, edit the ibm-web-ext.xmi file under the web module deployment directory and add a line similar to this:
      <jspAttributes xmi:id="JSPAttribute_XXXXX" name="useJDKCompiler" value="true"/>
      For XXXXX you can put any number; all you have to do is make sure JSPAttribute_XXXXX is unique.
    More details on running SAML2 on WAS 6.1 on AIX: http://blogs.sun.com/docteger/entry/deploying_opensso_on_websphere_6
CLI: famadm and ampassword
Before running "setup -p <configuration path>", modify the setup script as follows. Insert
    -D"amCryptoDescriptor.provider=IBMJCE"
    -D"amKeyGenDescriptor.provider=IBMJCE"
before -cp on the last line.
1. Add xalan.jar to the classpath: edit the famadm file and add :${TOOLS_HOME}/lib/xalan.jar to the classpath after openfedlib.jar.
2. Add IBMJCE: edit the famadm file and add -D"amKeyGenDescriptor.provider=IBMJCE" -D"amCryptoDescriptor.provider=IBMJCE" before com.sun.identity.cli.CommandManager and before com.sun.identity.tools.bundles.Main.

Geronimo Application Server 2.1.1 (with Tomcat, on Solaris only)
1. Modify the /geronimo-tomcat6-jee5-2.0.2/bin/geronimo.sh file. Add -XX:MaxPermSize=512M as in the following start block:
    elif [ "$1" = "start" ] ; then
      shift
      touch "$GERONIMO_OUT"
      $START_OS_CMD "$_RUNJAVA" $JAVA_OPTS $GERONIMO_OPTS \
        $JAVA_AGENT_OPTS \
        -Dorg.apache.geronimo.base.dir="$GERONIMO_BASE" \
        -Djava.endorsed.dirs="$ENDORSED_DIRS" \
        -Djava.io.tmpdir="$GERONIMO_TMPDIR" \
        -XX:MaxPermSize=512M \
        -jar "$GERONIMO_HOME"/bin/server.jar $LONG_OPT "$@" \
        >> $GERONIMO_OUT 2>&1 &
      echo ""
      echo "Geronimo started in background. PID: $!"
      if [ ! -z "$GERONIMO_PID" ]; then
        echo $! > $GERONIMO_PID
      fi
2. To deploy the OpenSSO war on Geronimo, you need to provide a deployment plan inside or outside the war. If placed inside the war, the plan file must be called geronimo-web.xml and must be placed in the WEB-INF directory. If placed outside the war, the plan file can be named otherwise. Here is a sample plan file:
    <?xml version="1.0" encoding="UTF-8"?>
    <web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.2">
        <environment>
            <moduleId>
                <groupId>sun</groupId>
                <artifactId>FAM</artifactId>
                <version>8.0</version>
                <type>war</type>
            </moduleId>
        </environment>
        <context-root>/fam1</context-root>
    </web-app>
In the above example, the war is deployed at geronimo-tomcat6-jee5-2.0.2/repository/sun/FAM/8.0/FAM-8.0.war and the web app is deployed at protocol://server:port/fam1. You may change the deployment plan according to your deployment scenario.
Some helpful notes:
-- Geronimo console URL: protocol://server:8080/console/portal/welcome
-- Default user name and password: system/manager
-- To start the Geronimo server: /geronimo-tomcat6-jee5-2.0.2/bin/geronimo.sh start
-- To stop the Geronimo server: /geronimo-tomcat6-jee5-2.0.2/bin/geronimo.sh stop

JBoss 4.x
OpenSSO Build 4.5 supports ONLY exploded deployment on JBoss 4.x: http://wiki.jboss.org/wiki/Wiki.jsp?page=ExplodedDeployment
Steps to deploy OpenSSO Build 4.5 are:
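The policy permissions above are needed on GlassFish, AS 9.1, WebLogic and WebSphere whenever the Security Manager is on, and a grant block without a codeBase hands them to every class the container loads; several of them (SocketPermission "*", PropertyPermission "*", FilePermission <<ALL FILES>>) are close to AllPermission on their own. The following Python script is an added example, not part of the release notes or of OpenSSO: it parses a server.policy or weblogic.policy, reports which required entries are still missing, and flags unscoped grant blocks and broad permissions for review. The sample policy and the shortened required list are constructed for the demonstration.

```python
import re
from collections import namedtuple

Permission = namedtuple("Permission", "cls target actions")  # actions trimmed, sorted, comma-joined

_COMMENT_RE = re.compile(r"^\s*//[^\n]*|/\*.*?\*/", re.S | re.M)
_GRANT_RE = re.compile(r"\bgrant\b([^{]*)\{(.*?)\}\s*;", re.S)
_PERM_RE = re.compile(r'permission\s+([\w.$]+)\s*(?:"([^"]*)"\s*(?:,\s*"([^"]*)")?)?'
                      r'\s*(?:,\s*signedBy\s+"[^"]*")?\s*;')

def _perms(text):
    """Permission entries in policy syntax -> normalized Permission tuples."""
    return [Permission(c, t, ",".join(sorted(x.strip() for x in a.split(",") if x.strip())))
            for c, t, a in _PERM_RE.findall(text)]

def parse_policy(text):
    """(scope, [Permission]) per grant block; scope '' means the grant applies to all code."""
    text = _COMMENT_RE.sub("", text)
    return [(scope.strip(), _perms(body)) for scope, body in _GRANT_RE.findall(text)]

def missing_permissions(policy_text, required_text):
    """Required entries (policy syntax, one per line) that no grant block provides."""
    have = {p for _, perms in parse_policy(policy_text) for p in perms}
    return [r for r in _perms(required_text) if r not in have]

def unscoped_grants(policy_text):
    """How many grant blocks carry no codeBase/signedBy restriction."""
    return sum(1 for scope, _ in parse_policy(policy_text) if not scope)

# Entries from the required list that, on their own, defeat most Security Manager isolation.
BROAD = {("java.security.AllPermission", ""), ("java.io.FilePermission", "<<ALL FILES>>"),
         ("java.net.SocketPermission", "*"), ("java.util.PropertyPermission", "*"),
         ("java.lang.reflect.ReflectPermission", "suppressAccessChecks")}

def broad_permissions(policy_text):
    """(scope, Permission) for every granted entry in BROAD, to review before enabling."""
    return [(scope or "<all code>", p) for scope, perms in parse_policy(policy_text)
            for p in perms if (p.cls, p.target) in BROAD]

# Constructed server.policy excerpt: one unscoped grant, a comment, and no setHostnameVerifier.
SAMPLE_POLICY = '''
// container defaults would precede this block
grant {
    permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
};
'''
# Constructed subset of the release-notes list; pass the full list from Section 3 in practice.
REQUIRED = '''
permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
permission java.util.PropertyPermission "*", "read,write";
permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
permission javax.net.ssl.SSLPermission "setHostnameVerifier";
'''
```

Run missing_permissions(open("server.policy").read(), REQUIRED) against the container's real policy file, and review anything broad_permissions reports before turning the Security Manager on.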
4. What's New in OpenSSO Build 4.5 from OpenSSO V1 Build 4
-- Simplified Web Services Security Agents (providers based on the JSR 196 SPI) on GF V2 and AS 9.1 EE
-- Fedlet workflow
-- Pre-built fedlet
-- Federation configuration validation
-- Service Tags
-- New NameID format support
-- Newly arranged SAMLv2 pages in the console
-- SecurID Java API integration into FAM (in FAM only, not available in OpenSSO)
-- Agent and IDRepo upgrade support
-- Identity Services enhancements implementation
-- Metro 1.3 EA integration (JSR 196 etc.)
-- STS available on all supported web containers
-- SAMLv2 assertion failover
-- Online help integration
-- SiteMinder integration
-- IDMgr integration validation