这两天从www.AskBenny.cn的google analytics 中惊奇的发现,从Google来的网络爬虫居然自己爬了Google广告,甚是惊奇.
** 这个是PDF格式的原件地址,http://www.blogjava.net/Files/joey/opensso.rar ,大家可以拿去参考,但是请注意这个文档是2006年写的,后来再无更新,所以请注意版本。
这是一个OpenSSO的实际应用实例, 因为是客户要求英文,所以只有英文版,我的英文比较烂,所以请大家包涵了. 其实如果你在用OpenSSO的时候有什么麻烦,我认为最好的求助地方是OpenSSO小组的MailList,在OpenSSO网站上有, 他们真的很热心,基本有问24小时内必复,而且都是OpenSSO小组的成员答复的.真的很棒.
大家对我的文章里有什么疑问也可以给我留言.还有因为原来是PDF格式的, 后转成txt格式, 所以有些地方不是很好看.请大家见谅
Implement SSO with AD
Joey
December 26, 2006
Contents
1 Software Environment 2
2 Create Users in AD 2
3 Join Linux into Windows2003 Domain 2
4 Install JBoss server and JRE 5 3
5 Fix Windows TCP port 3
6 Deploy and Cong Access Manager 4
6.1 Deploy Access Manager . . . . . . . . . . . . . . . . . . . . . . . 4
6.2 Cong Access Manager . . . . . . . . . . . . . . . . . . . . . . . . 4
7 Install Sun Java System Access Manager Policy Agent 6
8 Make Application to support SSO 7
A Cong DHCP Server 8
B Cong Domain controller 9
C Authorize DHCP server 10
1
1 Software Environment
Roles Computer name Platform
Domain Server,DHCP srv-1.contoso.com Window2003 Active Directory
Server,DNS Server
Application server 1 test-1.contoso.com Win2K3/XP, JRE5.0, SJS AM
Policy Agent 2.2 For JBoss
Application server 2 test-2.contoso.com Win2K3/XP, JRE5.0, SJS AM
Policy Agent 2.2 For JBoss
Access Manager server ams.contoso.com Ret Hat Linux, JBoss 4.02 or
above
2 Create Users in AD
Create two group in AD, add one user for each group, and create amadmin as
administrator for AM.
User Group in AD
admin users
danie users
amadmin Users
3 Join Linux into Windows2003 Domain( Only for WIndows2003 DC, Ret Hat Linux )
1. Modify /etc/krb5.conf
Replace ’EXAMPLE.COM’ with your domain name, replace ker-
beros.example.com with your AD server name. (case-sensitive in this
section,just follow this demo).
krb5.conf sample: suppose Domain name is contoso.com,
AD server is srv-1.contoso.com, and IP is 10.0.0.2.
and then keep others default setting in krb5.conf
[libdefaults]
default_realm = CONTOSO.COM
dns_lookup_kdc = false
dns_lookup_realm = false
[realms]
CONTOSO.COM = {
admin_server = srv-1.contoso.com:749
default_domain = contoso.com
kdc = 10.0.0.2:88
}
[domain_realm]
.contoso.com=CONTOSO.COM
2
contoso.com=CONTOSO.COM
2. Modify /etc/samba/smb.cof smb.cof sample:
realm = contoso.com # add this by your self.
workgroup = CONTOSO
security = ADS
3. Get a ticket. run kinit administrator(enter the administrator password
when prompted command) in a shell window.
sample: kinit administrator@CONTOSO.COM
4. Join the domain Run net join in a shell window.
sample: net ads join
5. restart samba or just restart system simply.
4 Install JBoss server and JRE 5
Install JBoss server and JRE 5 on Test-1.contoso.com, Test-2.contoso.com ,an
ams.contoso.com
5 Fix Windows TCP port
1. Start Registry Editor.
2. Locate the following subkey in the registry, and then click Parameters:
HKEY LOCAL MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
3. On the Edit menu, click New, and then add the following registry entry:
Value Name: MaxUserPort
Value Type: DWORD
Value data: 65534
Valid Range: 5000-65534 (decimal)
Default: 0x1388 (5000 decimal)
Description: This parameter controls the maximum port number that is
used when a program requests any available user port from the system.
Typically , ephemeral (short-lived) ports are allocated between the values
of 1024 and 5000 inclusive.
4. Quit Registry Editor. 2
2 For more information, check here http://support.microsoft.com/default.aspx?scid=kb;EN-
US;196271
3
6 Deploy and Cong Access Manager
Do this step on ams.contoso.com
6.1 Deploy Access Manager
Copy ”opensso.war” to (JBossDIR) \ server\default\deploy
6.2 Cong Access Manager
1. Start JBoss server.
2. In Brower (From any client computer), access the link ”http://ams.contoso.com:8080/opensso”.
See following picture.
3. In Congurator page, you can change anything according your need. But
in this case I keep all default values, just input new password in Super
Administrator password, password is ”12345678”. And cookie Domain:
”.contoso.com”Click Congure button.
4. If everything is ok, you can see this page after few seconds. and you can
click link ”here” or wait for 5 seconds, It will be automatically redirected
to ”Sun Java System Access Manager” login page. See following picture.
5. And we need to login Access Manager. Type ”amadmin” for User Name,
and ”12345678” for password.(This password is we input in 6.2.3)
6. Cong AD Authentication After you nish 6.2.5, use this web link to
access AM. http://ams.contoso.com:8080/opensso.
Set Core Service.
– Click Conguration→ Authentication → Service Name : Core
– Select User Prole : Dynamic
– Click ”Save”, Click ”Back to Conguration”.
Access Control → Realm Name - opensso → Authentication, see
pic 3.
Cong AD Module Instances
– Click ”New” Button in ”Module Instances”.
– Type a Name for new Instances, we use ”AD” in here and select
”Active Directory” for type options, click ok. see pic-4.
– Click ”AD” what we just created in last step. and Input ...
4
Item Values
Primary Active Directory srv-1.contoso.com:389 (remove default value)
Server
DN to Start User Search dc=contoso, dc=com (remove default value)
DN for Root User Bind cn=administrator,cn=users,dc=contoso,
dc=com (remove default value)
Password for Root User Bind (Password of Domain administrator)
Password for Root User Bind (Password of Domain administrator)
(conrm)
Attribute Used to Retrieve cn
User Prole
Attributes Used to Search for cn (remove default value)
a User to be Authenticated
Return User DN to Authenti- DeSelected
cate
– ”Save” and click ”Back to Authentication”.
7. Cong Authentication Chaining.
Click ”New” Button in ”Authentication Chaining”.
Type a name for New Authentication Chain; we use ”ADChain” in
there. Click ”OK” button.
In ”AD Chain-Properties” Page, Click ”Add” button, and select
”AD” for Instance. See pic-5, click ”Save” and ”Back to Authen-
tication”.
Set Default Authentication Chain
Authentication → General,
– select ”ADChain” for ”Default Authentication Chain”
– select ”ADChain” for ”Administrator Authentication Chain”
– click ”Save” button, click ”Realms” button.
Create Agent
Main Page → Access Control , select OpenSSO → Subjects →
Agent → new Agent
ID Agent1
Password (password)
Password (conrm) (password)
Device status Active
5
7 Install Sun Java System Access Manager Pol-
icy Agent
1. Create a pasword le for following step. Just input the agent password
into this le. sample: d:\ deploy\ password.txt
2. Unzip Access Manager Policy Agent.
3. Change to the following directory.
PolicyAgent-base/bin
4. Issue the following command, and ll the values follow this table.
agentadmin –install
Item Values
JBoss Server Cong Directory D:\deploy\jboss-
4.0.5.GA\server\default\conf
Access Manager Services Host ams.contoso.com
Access Manager Services Port 8080
Access Manager Services Pro- http
tocol
Access Manager Services De- /opensso
ployment URI
Agent Host name test-1.contoso.com
Agent permissions gets added false
to java permissions policy le
Application Server Instance 8080
Port number
Protocol for Application http
Server instance
Deployment URI for the Agent /opensso
Application
Encryption Key iF95s8yb4EFZSJQ7qFKybmZdyuXvKofQ
Agent Prole name Agent1
Agent Prole Password le d:\deploy\password.txt
name
6
8 Make Application to support SSO
1. Copy amclientsdk.jar to Application lib directory.
2. Add lter to Application.
In web.xml, add following code.
Agent
com.sun.identity.agents.filter.AmAgentFilter
Agent
/*
REQUEST
INCLUDE
FORWARD
ERROR
3. Get the user name who is login on.
import com. iplanet . sso . SSOTokenManager ;
import com. iplanet . sso . SSOToken ;
import com. iplanet . sso . SSOException ;
. . . . . .
SSOTokenManager manager = SSOTokenManager .
getInstance () ;
SSOToken token = manager . createSSOToken ( request ) ;
// HttpServletRequest request
if (manager . isValidToken ( token ) )
{
String userDN = token . getPrincipal () . getName () ;
String userName = userDN . substring (userDN .
indexOf (”=”) + 1 , userDN . indexOf (” ,”) ) ;
System . out . println (”User DN = ” + userDN) ;
System . out . println (”User Name = ” + userName) ;
}
. . . . .
4. Deploy this application.
If this application has been deployed before, you better undeploy it and
clean JBoss temp directory.
7
A Cong DHCP Server
DHCP server conguration steps, do it on srv-1.contoso.com
1. In ”Manage You Server” click ”Add or remove a role”.
2. ”Congure Your Server Wizard”, click ”Next”.
3. Select ”Custom conguration”, click ”Next”.
4. Select ”DHCP server” click ”Next”.
5. Summary, Click ”Next”.
6. ”New Scope Wizard” click ”Next”
7. ”Scope Name”, set Name is ”Contoso HQ”. Click ”Next”.
8. ”IP Address Range”, set ”start IP address” is 10.0.0.10; ”End IP address”
is 10.0.0.254. click ”Next”
9. ”Add Exclusions”, no need do nothing, just click ”Next”
10. ”Lease Duration”, click ”Next”.
11. ” Congure DHCP Options”, click ”Next”
12. ”Router (Default Gateway)”, set IP address 10.0.0.1, click add, next.
13. ”Domain Name and DNS servers” set parent domain as ”contoso.com”,
for IP address, add 10.0.0.2. click ”Next”
14. ”WINS servers”, just click ”Next”.
15. ”Activate Scope”, select ”Yes, I want to active this scope now”, click
”next”.
16. Click nish (twice).
8
B Cong Domain controller
Steps for cong Domain controller On server srv-1.contoso.com
1. Run command ”DCPROMO”.
2. ”Welcome to the Active Directory Installation Wizard”, click ”Next”.
3. ”Operating System Compatibility”, click ”Next”.
4. ”Domain Controller type”, select ”Domain controller for a new domain”,
click ”Next”.
5. ”Create New Domain”, select ”Domain in a new forest”, and click ”Next”.
6. ”Install or Congure DNS”, select ”No, just install and congure DNS on
this computer”, click ”Next”.
7. ”New Domain Name”, type ”contoso.com”, clicks ”Next ”.
8. ”NetBIOS Domain Name”, accept ”CONTOSO” as Domain NetBIOS
Name. Click ”Next”.
9. ”Database and Log Folders”, accept default value for Database and Log
folder. Click ”Next”.
10. ”Shared System Volume”, accept default for Folder location, click ”Next”.
11. ”Permissions”, select ”Permissions compatible only with Windows 2000
or Windows Server2003 operating systems”. Click ”Next”.
12. ”Directory Services Restore Mode Administrator Password”, type pass-
word, clicks ”Next”.
13. ”Summary”, click ”Next”.
14. ”Optional Networking Components”(a modal dialog).click ”ok”.
15. ”Local Area Connection Properties” pops up. Select TCP/IP, assign
10.0.0.2 to IP address, type TAB two times, assign 10.0.0.1 to Default
gateway. Assign 127.0.0.1 to Preferred DNS server. Click ”Ok” and then
click ”Close”.
16. ”Completing the Active Directory Installation Wizard” click ”Finish”.
17. Click Restart Now.
9
C Authorize DHCP server
On server srv-1.contoso.com
Manage your Server → Manage this DHCP server → right click ”srv-1.contoso.com”,
select ”Authorize”.
10