Introduction
Apache Tomcat version 6.0 implements the Servlet 2.5 and JavaServer Pages 2.1
specifications from the Java Community Process, and includes many additional features that
make it a useful platform for developing and deploying web applications and web services.
The goal of this post is to provide step-by-step instructions on how to integrate the Apache
Tomcat application server (AS) with OpenSSO. In addition, the OpenDS LDAP server will be used
as the user store for both of them.
The Sun OpenSSO Enterprise (formerly Sun Access Manager and Sun Federation Manager) is
the single solution for Web access management, federation, and Web services security. The
Open Web SSO project (OpenSSO) provides core identity services to simplify the
implementation of transparent single sign-on (SSO) as a security component in a network
infrastructure. OpenSSO provides the foundation for integrating diverse web applications
that might typically operate against a disparate set of identity repositories and are hosted on
a variety of platforms such as web and application servers. This project is based on the code
base of Sun Java System Access Manager, a core identity infrastructure product offered by
Sun Microsystems.
It is important to mention that the initial code and instructions on how to integrate OpenSSO
with Tomcat (previous major release) were contributed by Bolesław Dawidowicz (thanks for
the contribution!). The configuration of OpenSSO with OpenDS was described in Indira's blog.
Check /etc/hosts to ensure that you have a correct setup; in our case it is as follows:
1. OpenDS Setup
1. In this tutorial we'll use the OpenDS directory server. Download the QuickSetup.jnlp
version to your temp directory.
2. Locate the package and double-click it to start the installation process, then follow
the installation wizard's instructions.
April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada
3. On the Server Settings page, set port 8389 and use "password" as the password; the rest
is auto-completed. Click Next.
6. On the Review page (not shown), ensure that the settings are correct, and then
click Finish.
7. The final Finished page should look like the figure shown below:
8. Click "Launch Control Panel" to start your OpenDS server listening on port 8389,
or from the command line type:
/usr/OpenDS/bin/control-panel
In the OpenDS Control Panel, under Server Status, click Start to start the OpenDS
server, and enter your credentials to log on.
2. Install LDAPBROWSER
1. At the moment you should have an instance of the OpenDS LDAP server listening on
port 8389.
2. To be able to use it with the portal we need to provision it with sample data. To do this
we'll use a simple Java GUI LDAP tool, the LDAP Browser/Editor. It's
a very lightweight tool that runs on many environments. Follow the installation notes
specified here: http://www.filewatcher.com/m/Browser282b2.tar.gz.651283.0.0.html
3. You will simply need to download the archive, unpack it, and run the lbe.sh or
lbe.bat script (assuming that you have the java command in your operating system
path).
4. My standard setup puts the unarchived application code into a directory called
/usr/ldapbrowser, which I normally create by simply copying Browser282b2.tar.gz
to /usr and running tar xvzf on it right there.
5. Next, cd to the installed directory and run ./lbe.sh on Linux, or double-click the
lbe.bat script on Windows, to start the LDAP Browser.
6. If you are using Fedora Linux you can also find the 'lbe' RPM package in the Dries repository.
7. Run LDAP Browser/Editor and choose the menu File > Connect.
$ /usr/OpenDS/bin/control-panel
You can also use the "status-panel" binary, which provides a GUI for managing the OpenDS
state.
3. Download the LDIF file "ldapentries" (also based on the LDIF from Indira's blog) from
http://blogs.sun.com/indira/resource/ldapentries and modify it as follows:
dn: ou=agents,dc=opensso,dc=java,dc=net
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=opensso,dc=java,dc=net
objectClass: top
objectClass: organizationalUnit
objectclass: person
objectclass: top
cn: dsameuser
sn: dsameuser
userPassword: secret12

dn: dc=opensso,dc=java,dc=net
changetype: modify
add: aci
aci: (target="ldap:///dc=opensso,dc=java,dc=net")(targetattr="*")(version 3.0;
  acl "S1IS special dsame user rights for all under the root suffix"; allow
  (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net"; )

dn: dc=opensso,dc=java,dc=net
changetype: modify
add: aci
aci: (target="ldap:///dc=opensso,dc=java,dc=net")(targetattr="*")(version 3.0;
  acl "S1IS special ldap auth user rights"; allow (read,search) userdn =
  "ldap:///cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net"; )
All of the entries can be added to the OpenDS Directory Server with the ldapmodify command,
as follows:
$ cd /usr/OpenDS/bin
You can also use the LDAP Browser/Editor we installed earlier for this task.
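The two ACIs above deliberately split rights between the OpenSSO service accounts: dsameuser gets all rights under the suffix, amldapuser only read and search. The file also carries the service-account passwords in clear text. The following script is an added example (not part of the original tutorial, and not OpenSSO or OpenDS code) that parses a file of this shape, unfolding RFC 2849 continuation lines, summarizes which bind DN each ACI grants what, flags userPassword values that are not already stored as {SCHEME}hash, and checks the grants against the intended split before the file is loaded. The embedded LDIF is a constructed excerpt; the dsameuser entry's DN is assumed from the ACI's userdn clause, since the tutorial's copy does not show it.

```python
# Added example (not from the tutorial, OpenSSO or OpenDS): parse an OpenSSO
# provisioning LDIF, summarize the ACIs it adds, and flag clear-text passwords.
import re

# Constructed excerpt in the shape of the tutorial's "ldapentries" file.  The
# dsameuser entry's DN is taken from the ACI's userdn clause (an assumption);
# lines starting with a space are RFC 2849 continuation lines.
SAMPLE_LDIF = """\
dn: cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
objectclass: person
objectclass: top
cn: dsameuser
sn: dsameuser
userPassword: secret12

dn: dc=opensso,dc=java,dc=net
changetype: modify
add: aci
aci: (target="ldap:///dc=opensso,dc=java,dc=net")(targetattr="*")(version 3.0;
  acl "S1IS special dsame user rights for all under the root suffix"; allow
  (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net"; )

dn: dc=opensso,dc=java,dc=net
changetype: modify
add: aci
aci: (target="ldap:///dc=opensso,dc=java,dc=net")(targetattr="*")(version 3.0;
  acl "S1IS special ldap auth user rights"; allow (read,search) userdn =
  "ldap:///cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net"; )
"""

# Rights each OpenSSO service account is meant to hold, per the tutorial's two ACIs.
EXPECTED_RIGHTS = {
    "cn=dsameuser,ou=dsame users,dc=opensso,dc=java,dc=net": {"all"},
    "cn=amldapuser,ou=dsame users,dc=opensso,dc=java,dc=net": {"read", "search"},
}

# Pulls the acl name, allow/deny, the rights list and the userdn out of one aci value.
ACI_RE = re.compile(
    r'acl\s+"(?P<name>[^"]*)"\s*;\s*(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)'
    r'\s*userdn\s*=\s*"ldap:///(?P<userdn>[^"]*)"', re.IGNORECASE)


def parse_ldif(text):
    """Return records as lists of (attribute, value) pairs.  Continuation lines
    (leading space) are unfolded first; blank lines separate records."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # drop only the folding space
        else:
            lines.append(raw)
    records, current = [], []
    for line in lines:
        if not line.strip():
            if current:
                records.append(current)
                current = []
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")   # "dn:x" and "dn: x" both parse
            current.append((attr.strip(), value.strip()))
    if current:
        records.append(current)
    return records


def summarize_acis(records):
    """Map each bind DN named in an aci userdn clause to its effect and rights."""
    grants = {}
    for rec in records:
        for attr, value in rec:
            if attr.lower() != "aci":
                continue
            m = ACI_RE.search(value)
            if not m:
                raise ValueError("unparsable aci: " + value)
            entry = grants.setdefault(m.group("userdn").lower(),
                                      {"effect": m.group("effect").lower(), "rights": set()})
            entry["rights"].update(r.strip().lower() for r in m.group("rights").split(","))
    return grants


def cleartext_passwords(records):
    """DNs whose userPassword value is not already in {SCHEME}hash form."""
    hits = []
    for rec in records:
        dn = next((v for a, v in rec if a.lower() == "dn"), "?")
        if any(a.lower() == "userpassword" and not v.startswith("{") for a, v in rec):
            hits.append(dn)
    return hits


def check_least_privilege(grants, expected=EXPECTED_RIGHTS):
    """List ACI subjects outside the plan, or granted more than the plan allows."""
    problems = []
    for userdn, info in grants.items():
        extra = info["rights"] - expected.get(userdn, set())
        if userdn not in expected:
            problems.append("unexpected ACI subject: " + userdn)
        elif extra:
            problems.append("%s has extra rights %s" % (userdn, sorted(extra)))
    return problems


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    grants = summarize_acis(recs)
    print("grants:", grants)
    print("clear-text passwords:", cleartext_passwords(recs))
    print("problems:", check_least_privilege(grants))
```

Run it over the edited ldapentries file before loading; an empty problem list means the file grants the two accounts no more than the tutorial intends, and any DN listed under clear-text passwords is one whose secret sits readable in the file, so delete or protect the file once it has been loaded. For the load itself, the OpenDS ldapmodify tool in /usr/OpenDS/bin takes the host, port, bind DN and password, with `-a` treating records that have no changetype as adds and `-f` naming the file; with the tutorial's settings that is `./ldapmodify -h localhost -p 8389 -D "cn=Directory Manager" -w password -a -f ldapentries` (cn=Directory Manager being the OpenDS default root DN).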
3. Download Sun OpenSSO Enterprise. Go to the OpenSSO download page, where you will
find OpenSSO releases and builds ready for download. At the time of writing we
used the latest release, OpenSSO Enterprise 8.0: opensso_express_80.zip.
3. Extract the downloaded .zip file, then change to the deployable-war directory, copy
the "opensso.war" file into the Tomcat "webapps" directory and run Tomcat:
If you have trouble logging in to the admin console, reboot the server; you should then
be able to access the main admin page, as shown below:
-----------------------
Kefa Rabah is the Founder and CIO of Serengeti Systems Group Inc. Kefa is knowledgeable in several
fields of Science & Technology, IT Security Compliance and Project Management, and Renewable Energy
Systems. He is also the founder of Global Open Versity, a Center of Excellence in eLearning.