OpenSSO Build 4 Release Notes

Questions/Issues : issues@opensso.dev.java.net

Last updated : 04/02/2008

1. How to Install OpenSSO Build 4

    Download OpenSSO Build 4: opensso.zip. Unzip it and deploy opensso.war to one of the supported web containers listed in Section 2 below.

    Agents 3.0 that work with Build 4 can be downloaded from the OpenSSO download website.

    Agent 2.2 also works with Build 4 and can be downloaded from:

    http://www.sun.com/download/index.jsp?cat=Identity%20Management&tab=3&subcat=Policy%20Agents

2. Supported Web Containers

For each supported web container, the steps required before OpenSSO deployment and configuration are listed below.

Glassfish V2 UR1

https://glassfish.dev.java.net/downloads/v2ur1-b09d.html

Edit domain.xml in the glassfish domain where OpenSSO will be deployed:

1. Change the jvm-options entry "-client" to "-server"

2. Change the jvm-options entry -Xmx512m to -Xmx1024m

3. If the Java Security Manager is on, add the following permissions to server.policy:

grant { 
 
 permission java.net.SocketPermission "*", "listen,connect,accept,resolve"; 
 permission java.util.PropertyPermission "*", "read, write"; 
 permission java.lang.RuntimePermission "modifyThreadGroup"; 
 permission java.lang.RuntimePermission "setFactory"; 
 permission java.lang.RuntimePermission "accessClassInPackage.*"; 
 permission java.util.logging.LoggingPermission "control"; 
 permission java.lang.RuntimePermission "shutdownHooks"; 
 permission javax.security.auth.AuthPermission "getLoginConfiguration"; 
 permission javax.security.auth.AuthPermission "setLoginConfiguration"; 
 permission javax.security.auth.AuthPermission "modifyPrincipals"; 
 permission javax.security.auth.AuthPermission "createLoginContext.*"; 
 permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete"; 
 permission java.util.PropertyPermission "java.util.logging.config.class", "write"; 
 permission java.security.SecurityPermission "removeProvider.SUN"; 
 permission java.security.SecurityPermission "insertProvider.SUN"; 
 permission javax.security.auth.AuthPermission "doAs"; 
 permission java.util.PropertyPermission "java.security.krb5.realm", "write"; 
 permission java.util.PropertyPermission "java.security.krb5.kdc", "write"; 
 permission java.util.PropertyPermission "java.security.auth.login.config", "write"; 
 permission java.util.PropertyPermission "user.language", "write"; 
 permission javax.security.auth.kerberos.ServicePermission "*", "accept"; 
 permission javax.net.ssl.SSLPermission "setHostnameVerifier"; 
 permission java.security.SecurityPermission "putProviderProperty.IAIK"; 
 permission java.security.SecurityPermission "removeProvider.IAIK"; 
 permission java.security.SecurityPermission "insertProvider.IAIK"; 
 permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler"; 
 permission javax.management.MBeanServerPermission "newMBeanServer"; 
 permission javax.management.MBeanPermission "*", "registerMBean"; 
 permission java.lang.RuntimePermission "createClassLoader"; 
 permission javax.security.auth.AuthPermission "getSubject"; 
  
 permission javax.management.MBeanTrustPermission "register"; 
 permission java.lang.management.ManagementPermission "monitor"; 
 permission javax.management.MBeanServerPermission "createMBeanServer";
 permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write"; 
 permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write"; 
 permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write"; 
 permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write"; 

};

Application Server 9.1U1 Enterprise Edition (EE)


1. Make sure jvm-options has “-server” instead of “-client”

2. If the Java Security Manager is on, add the following permissions to server.policy:

grant { 
 
 permission java.net.SocketPermission "*", "listen,connect,accept,resolve"; 
 permission java.util.PropertyPermission "*", "read, write"; 
 permission java.lang.RuntimePermission "modifyThreadGroup"; 
 permission java.lang.RuntimePermission "setFactory"; 
 permission java.lang.RuntimePermission "accessClassInPackage.*"; 
 permission java.util.logging.LoggingPermission "control"; 
 permission java.lang.RuntimePermission "shutdownHooks"; 
 permission javax.security.auth.AuthPermission "getLoginConfiguration"; 
 permission javax.security.auth.AuthPermission "setLoginConfiguration"; 
 permission javax.security.auth.AuthPermission "modifyPrincipals"; 
 permission javax.security.auth.AuthPermission "createLoginContext.*"; 
 permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete"; 
 permission java.util.PropertyPermission "java.util.logging.config.class", "write"; 
 permission java.security.SecurityPermission "removeProvider.SUN"; 
 permission java.security.SecurityPermission "insertProvider.SUN"; 
 permission javax.security.auth.AuthPermission "doAs"; 
 permission java.util.PropertyPermission "java.security.krb5.realm", "write"; 
 permission java.util.PropertyPermission "java.security.krb5.kdc", "write"; 
 permission java.util.PropertyPermission "java.security.auth.login.config", "write"; 
 permission java.util.PropertyPermission "user.language", "write"; 
 permission javax.security.auth.kerberos.ServicePermission "*", "accept"; 
 permission javax.net.ssl.SSLPermission "setHostnameVerifier"; 
 permission java.security.SecurityPermission "putProviderProperty.IAIK"; 
 permission java.security.SecurityPermission "removeProvider.IAIK"; 
 permission java.security.SecurityPermission "insertProvider.IAIK"; 
 permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler"; 
 permission javax.management.MBeanServerPermission "newMBeanServer"; 
 permission javax.management.MBeanPermission "*", "registerMBean"; 
 permission java.lang.RuntimePermission "createClassLoader"; 
 permission javax.security.auth.AuthPermission "getSubject"; 
  
 permission javax.management.MBeanTrustPermission "register"; 
 permission java.lang.management.ManagementPermission "monitor"; 
 permission javax.management.MBeanServerPermission "createMBeanServer";
 permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write"; 
 permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write"; 
 permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write"; 
 permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write"; 

};

Web Server 7.0 U1 / U2

None

Tomcat 5.5.x

1. Do NOT use Tomcat 5.5.26 as it does not work with OpenSSO Build 4

2. Increase JVM option -Xmx to 1024M

Tomcat 6.x

1. Do NOT use Tomcat 6.0.16 as it does not work with OpenSSO Build 4

2. Increase JVM option -Xmx to 1024M

WebLogic 9.2 Server

1. Edit <bea_home>/<instance>/domains/wl_server/bin/setDomainEnv.sh to add the system properties -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0 and click.mode=debug. This can be done using JVM_OPTIONS. For example, on Windows:

set JVM_OPTIONS=-Dclick.mode=debug -Dcom.sun.xml.namespace.QName.useCompatibleSerialVersionUID=1.0

WebLogic 10 Server

1. Edit <bea_home>/<instance>/domains/wl_server/bin/setDomainEnv.sh to add the system property click.mode=debug. This can be done using JVM_OPTIONS. For example, on Windows:

set JVM_OPTIONS=-Dclick.mode=debug

Oracle Application Server 10g

1. Log in to the system console, for example http://is-x86-01.red.iplanet.com:7777

2. Select the "home" link under "Cluster Topology" > "Members"

3. Select the "Application" tab on "OC4J:home"

4. Click the "Deploy" button, enter the path to the OpenSSO war file, and click the "Next" button.

5. Enter a name for "Application Name", such as opensso, and click the "Next" button.

6. Click the pencil icon for "Configure Class Loading" in the "Deployment Tasks" table, deselect all shared libraries in the "Import" column of "Import Shared Libraries", and return to "Deploy : Deployment Settings" by clicking the "OK" button.

7. Click the "Deploy" button.

8. If the embedded configuration store (OpenDS) is used, add the following JVM option: -Doc4j.jmx.security.proxy.off=true

WebSphere 6.1

1. Edit <install_root>/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/<cell>/nodes/<node>/servers/<server>/server.xml and add the following to the <jvmEntries ... /> element:

genericJvmArguments="-Djava.awt.headless=true -DamCryptoDescriptor.provider=IBMJCE -DamKeyGenDescriptor.provider=IBMJCE"

2. Edit <install_root>/IBM/WebSphere/AppServer/profiles/AppSrv01/properties/server.policy and add the following permissions:

grant { 
 
 permission java.net.SocketPermission "*", "listen,connect,accept,resolve"; 
 permission java.util.PropertyPermission "*", "read, write"; 
 permission java.lang.RuntimePermission "modifyThreadGroup"; 
 permission java.lang.RuntimePermission "setFactory"; 
 permission java.lang.RuntimePermission "accessClassInPackage.*"; 
 permission java.util.logging.LoggingPermission "control"; 
 permission java.lang.RuntimePermission "shutdownHooks"; 
 permission javax.security.auth.AuthPermission "getLoginConfiguration"; 
 permission javax.security.auth.AuthPermission "setLoginConfiguration"; 
 permission javax.security.auth.AuthPermission "modifyPrincipals"; 
 permission javax.security.auth.AuthPermission "createLoginContext.*"; 
 permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete"; 
 permission java.util.PropertyPermission "java.util.logging.config.class", "write"; 
 permission java.security.SecurityPermission "removeProvider.SUN"; 
 permission java.security.SecurityPermission "insertProvider.SUN"; 
 permission javax.security.auth.AuthPermission "doAs"; 
 permission java.util.PropertyPermission "java.security.krb5.realm", "write"; 
 permission java.util.PropertyPermission "java.security.krb5.kdc", "write"; 
 permission java.util.PropertyPermission "java.security.auth.login.config", "write"; 
 permission java.util.PropertyPermission "user.language", "write"; 
 permission javax.security.auth.kerberos.ServicePermission "*", "accept"; 
 permission javax.net.ssl.SSLPermission "setHostnameVerifier"; 
 permission java.security.SecurityPermission "putProviderProperty.IAIK"; 
 permission java.security.SecurityPermission "removeProvider.IAIK"; 
 permission java.security.SecurityPermission "insertProvider.IAIK"; 
 permission java.lang.RuntimePermission "setDefaultUncaughtExceptionHandler"; 
 permission javax.management.MBeanServerPermission "newMBeanServer"; 
 permission javax.management.MBeanPermission "*", "registerMBean"; 
 permission java.lang.RuntimePermission "createClassLoader"; 
 permission javax.security.auth.AuthPermission "getSubject"; 
  
 permission javax.management.MBeanTrustPermission "register"; 
 permission java.lang.management.ManagementPermission "monitor"; 
 permission javax.management.MBeanServerPermission "createMBeanServer";
 permission java.util.PropertyPermission "javax.xml.soap.MetaFactory", "write"; 
 permission java.util.PropertyPermission "javax.xml.soap.MessageFactory", "write"; 
 permission java.util.PropertyPermission "javax.xml.soap.SOAPConnectionFactory", "write"; 
 permission java.util.PropertyPermission "javax.xml.soap.SOAPFactory", "write"; 

};
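The server.policy block above (the same one is listed for Glassfish, Application Server 9.1 and WebSphere 6.1) has no codeBase clause and grants <<ALL FILES>> plus wildcard property and socket permissions, so it applies to every class the JVM loads, not just the OpenSSO web application. The following Python script is an added example, not code from the OpenSSO project: it parses this grant syntax and flags the entries an administrator would want to restrict to the OpenSSO code base (the codeBase path in the usage note is an assumed placeholder).

```python
"""Audit a Java security policy 'grant' block for overly broad permissions.

Added example, not part of the OpenSSO release notes. SAMPLE_POLICY is a
constructed excerpt of the server.policy block shown in these notes.
"""
import re

SAMPLE_POLICY = """
grant {
 permission java.net.SocketPermission "*", "listen,connect,accept,resolve";
 permission java.util.PropertyPermission "*", "read, write";
 permission java.io.FilePermission "<<ALL FILES>>", "read,write,execute,delete";
 permission java.lang.RuntimePermission "createClassLoader";
 permission java.util.PropertyPermission "user.language", "write";
};
"""

# One entry: permission <class> "<target>"[, "<actions>"];
PERM_RE = re.compile(r'permission\s+([\w.]+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')
# One block: grant [codeBase "..."] { ... };
GRANT_RE = re.compile(r'grant\b([^{]*)\{(.*?)\};', re.S)


def parse_grants(policy_text):
    """Return [(codebase_or_None, [(class, target, actions), ...]), ...]."""
    grants = []
    for header, body in GRANT_RE.findall(policy_text):
        cb = re.search(r'codeBase\s+"([^"]*)"', header)
        perms = [(cls, target, (actions or "").replace(" ", ""))
                 for cls, target, actions in PERM_RE.findall(body)]
        grants.append((cb.group(1) if cb else None, perms))
    return grants


def audit(policy_text):
    """Return human-readable findings for grants a reviewer should scope down."""
    findings = []
    for codebase, perms in parse_grants(policy_text):
        if codebase is None:
            # No codeBase: the permissions apply to every class in the JVM,
            # not only to the OpenSSO web application.
            findings.append("grant has no codeBase: applies to all code in the JVM")
        for cls, target, actions in perms:
            if cls == "java.io.FilePermission" and target == "<<ALL FILES>>":
                findings.append("FilePermission <<ALL FILES>>: " + actions)
            elif cls == "java.util.PropertyPermission" and target == "*" and "write" in actions:
                findings.append("PropertyPermission *: any system property can be rewritten")
            elif cls == "java.net.SocketPermission" and target == "*":
                findings.append("SocketPermission *: " + actions)
            elif cls == "java.lang.RuntimePermission" and target == "createClassLoader":
                findings.append("RuntimePermission createClassLoader: custom class loading allowed")
    return findings
```

Running audit(SAMPLE_POLICY) reports five findings; the same entries inside a block written as grant codeBase "file:/opt/opensso/-" { ... }; (placeholder path) would no longer trigger the missing-codeBase finding.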



You can find more details on running SAML2 on WAS 6.1 on AIX at:

http://blogs.sun.com/docteger/entry/deploying_opensso_on_websphere_6

CLI : famadm and ampassword

Before running "setup -p <configuration path>", modify the setup script as follows:

Insert -D"amCryptoDescriptor.provider=IBMJCE" -D"amKeyGenDescriptor.provider=IBMJCE" before -cp on the last line, then save.

After you run <tools>/setup -p, and before you run famadm:

1. Add xalan.jar to the class path: edit the famadm file and add :${TOOLS_HOME}/lib/xalan.jar to the classpath after openfedlib.jar.


2. Add IBMJCE: edit the famadm file and add -D"amKeyGenDescriptor.provider=IBMJCE" -D"amCryptoDescriptor.provider=IBMJCE" before com.sun.identity.cli.CommandManager and before com.sun.identity.tools.bundles.Main


3. Save the change to famadm

After you run <tools>/setup -p, and before you run ampassword:

1. Add IBMJCE: edit the ampassword file and add -D"amCryptoDescriptor.provider=IBMJCE" -D"amKeyGenDescriptor.provider=IBMJCE" before com.iplanet.services.ldap.ServerConfigMgr and before com.sun.identity.tools.bundles.Main


2. Save the change to ampassword

Geronimo Application Server 2.0.2 (with Tomcat on Solaris only)

1. Modify the /geronimo-tomcat6-jee5-2.0.2/bin/geronimo.sh file: add -Dorg.apache.activeio.journal.active.DisableLocking=true -XX:MaxPermSize=512M -Xms256M -Xmx512M to the start block, as shown below:

elif [ "$1" = "start" ] ; then

          shift
          touch "$GERONIMO_OUT"
          $START_OS_CMD "$_RUNJAVA" $JAVA_OPTS $GERONIMO_OPTS \
          $JAVA_AGENT_OPTS \
          -Dorg.apache.geronimo.base.dir="$GERONIMO_BASE" \
          -Djava.endorsed.dirs="$ENDORSED_DIRS" \
          -Djava.io.tmpdir="$GERONIMO_TMPDIR" \
          -Dorg.apache.activeio.journal.active.DisableLocking=true \
          -XX:MaxPermSize=512M \
          -Xms256M -Xmx512M \
          -jar "$GERONIMO_HOME"/bin/server.jar $LONG_OPT "$@" \
          >> $GERONIMO_OUT 2>&1 &
          echo ""
          echo "Geronimo started in background. PID: $!"
          if [ ! -z "$GERONIMO_PID" ]; then
            echo $! > $GERONIMO_PID
          fi

2. To deploy the OpenSSO war on Geronimo, you need to provide a deployment plan inside or outside the war. If placed inside the war, the plan file must be called geronimo-web.xml and must be placed in the WEB-INF directory. If placed outside the war, the plan file can have any name. Here is a sample plan file:

      <?xml version="1.0" encoding="UTF-8"?>
      <web-app xmlns="http://geronimo.apache.org/xml/ns/j2ee/web-1.2">
         <environment>
             <moduleId>
                 <groupId>sun</groupId>
                 <artifactId>FAM</artifactId>
                 <version>8.0</version>
                 <type>war</type>
             </moduleId>
         </environment>
         <context-root>/fam1</context-root>
      </web-app>

In the above example, the war is deployed at:

geronimo-tomcat6-jee5-2.0.2/repository/sun/FAM/8.0/FAM-8.0.war.


The web app is deployed at protocol://server:port/fam1. You may change the deployment plan according to your deployment scenario.

    Some helpful notes:

    -- Geronimo console URL: protocol://server:8080/console/portal/welcome

    -- Default user name and password: system/manager

    -- To start geronimo server: /geronimo-tomcat6-jee5-2.0.2/bin/geronimo.sh start

    -- To stop geronimo server:/geronimo-tomcat6-jee5-2.0.2/bin/geronimo.sh stop

JBoss 4.x

OpenSSO V1 Build 4 supports ONLY Exploded Deployment on JBoss 4.x : http://wiki.jboss.org/wiki/Wiki.jsp?page=ExplodedDeployment

Steps to deploy OpenSSO V1 Build 4 are :

1) Create a sub-dir, under <JBOSS_HOME>/server/<instance>/deploy/<name_of_war_file>
For instance: # mkdir /opt/jboss-4.2.2.GA/server/fam/deploy/opensso.war


2) Explode the contents of opensso.war under this new directory:
# cd /opt/jboss-4.2.2.GA/server/fam/deploy/opensso.war
# jar xvf /tmp/opensso.war
You don't need to restart the container, since JBoss will automatically hot-deploy it.


3) Point your browser to http://<host>:<port>/opensso, and start configuring opensso.


4) The opensso configurator will write a bootstrap file under <user-home>
For instance: /AccessManager/AMConfig_opt_jboss-4.2.2.GA_server_fam_._deploy_opensso.war_



3. What's New in OpenSSO Build 4

-- New OpenSSO configurator

-- STS service is available on Glassfish, Sun Application Server, Sun Web Server, Geronimo, Tomcat.

-- Simplified STS client sample

-- OpenDS replication across multiple OpenSSO instances when OpenDS is used as embedded configuration store

-- Security/SSL related fixes

-- General bug fixes in all areas : http://tinyurl.com/2zlr2p

4. Known Issues and Limitations in Build 4

-- The STS client sample and STS service do not work on Oracle Application Server, JBoss, WebLogic Server and WebSphere.

-- OpenDS replication may be out of sync sometimes under certain scenarios.

-- A failure while configuring OpenDS replication for a new OpenSSO instance may also break the existing OpenSSO configuration.

-- When a third OpenSSO instance is being configured for OpenDS replication, the configuration UI is misleading, but the configuration actually succeeds.

-- Build 4 does not support Tomcat 5.5.26 and Tomcat 6.0.16

-- Upgrade of Agents and IDRepo is not supported

-- Other issues still to be fixed are listed in the issue tracker on the OpenSSO website