
Global Open Versity Tomcat AS with OpenDS and OpenSSO on Linux v1.0

Integrating OpenSSO and OpenDS on Apache Tomcat AS HowTo


By Kefa Rabah, krabah@globalopenversity.org August 2, 2009

Introduction
Apache Tomcat version 6.0 implements the Servlet 2.5 and JavaServer Pages 2.1
specifications from the Java Community Process, and includes many additional features that
make it a useful platform for developing and deploying web applications and web services.
The goal of this post is to provide step by step instructions on how to integrate Apache
Tomcat AS with OpenSSO. In addition OpenDS LDAP server will be used as a user store for
both of them.

The Sun OpenSSO Enterprise (formerly Sun Access Manager and Sun Federation Manager) is
the single solution for Web access management, federation, and Web services security. The
Open Web SSO project (OpenSSO) provides core identity services to simplify the
implementation of transparent single sign-on (SSO) as a security component in a network
infrastructure. OpenSSO provides the foundation for integrating diverse web applications
that might typically operate against a disparate set of identity repositories and are hosted on
a variety of platforms such as web and application servers. This project is based on the code
base of Sun Java System Access Manager, a core identity infrastructure product offered by
Sun Microsystems.

It is important to mention that the initial code and instructions on how to integrate OpenSSO
with Tomcat (previous major release) were contributed by Bolesław Dawidowicz (thanks for
the contribution!). Configuration of OpenSSO with OpenDS was described in Indira's blog.

Step 1: System Setup


First and foremost, ensure that your DNS server is set up and that your machine uses a
fully qualified domain name (FQDN). OpenSSO does not play well when you test it on your
local machine as 'localhost': the single sign-on cookie is issued for a domain, and
'localhost' has none. To work around that, give your local machine a valid FQDN and use
that name in every URL.

Check out /etc/hosts to ensure that you have a correct setup, in our case, it’s as follows:

# Do not remove the following first line, or various programs
# that require network functionality will fail.
127.0.0.1 server04.beemtech.edu localhost.localdomain localhost
192.168.83.12 server04.beemtech.edu server04 mail www ftp
::1 localhost6.localdomain6 localhost6

Now you'll be able to refer to the server as "http://www.beemtech.edu" in your browser.
Two things to check here. The resolver takes the first line in /etc/hosts that lists a
name, so with the FQDN also on the 127.0.0.1 line, any process on this machine that
connects to server04.beemtech.edu (OpenSSO itself, or a locally installed agent) will talk
to the loopback address rather than 192.168.83.12; list the FQDN only on the real
interface's line. Also, this file only defines the short alias "www", so
"www.beemtech.edu" must resolve through the DNS server you set up above (or be added here
as a full name).
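As an added example (not from the original HowTo), the following POSIX shell functions emulate the resolver's first-match lookup over an /etc/hosts file and flag an FQDN that lands on a loopback address. The two hosts files are constructed inline: the first is the one shown above, the second moves the FQDN to the real interface's line. The function names hosts_lookup and check_fqdn are my own.

```shell
#!/bin/sh
# Added example (not part of the original HowTo): emulate the first-match
# lookup the resolver performs on /etc/hosts, so you can see which address
# a name really maps to before pointing OpenSSO at it.

# hosts_lookup NAME < hosts-file
# Prints the address of the first line that lists NAME as canonical name
# or alias; prints nothing if NAME is absent. Comments are ignored.
hosts_lookup() {
    awk -v name="$1" '
        { sub(/#.*/, "") }                       # drop comments, refields $0
        NF < 2 { next }                          # blank or address-only line
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    '
}

# check_fqdn NAME < hosts-file
# Returns 0 if NAME maps to a non-loopback address, 1 if it maps to
# loopback (the pitfall in the file above), 2 if it is not listed at all.
check_fqdn() {
    addr=$(hosts_lookup "$1")
    case "$addr" in
        "")         return 2 ;;
        127.*|::1)  return 1 ;;
        *)          return 0 ;;
    esac
}

# Constructed sample: the /etc/hosts from the HowTo, FQDN on both lines.
HOSTS_AS_WRITTEN='127.0.0.1 server04.beemtech.edu localhost.localdomain localhost
192.168.83.12 server04.beemtech.edu server04 mail www ftp
::1 localhost6.localdomain6 localhost6'

# Constructed sample: the same file with the FQDN only on the real interface.
HOSTS_FIXED='127.0.0.1 localhost.localdomain localhost
192.168.83.12 server04.beemtech.edu server04 mail www ftp
::1 localhost6.localdomain6 localhost6'

printf '%s\n' "$HOSTS_AS_WRITTEN" | hosts_lookup server04.beemtech.edu   # 127.0.0.1
printf '%s\n' "$HOSTS_FIXED"      | hosts_lookup server04.beemtech.edu   # 192.168.83.12
printf '%s\n' "$HOSTS_FIXED"      | hosts_lookup www.beemtech.edu        # nothing: only "www" is listed

for f in "$HOSTS_AS_WRITTEN" "$HOSTS_FIXED"; do
    if printf '%s\n' "$f" | check_fqdn server04.beemtech.edu; then
        echo "ok: FQDN resolves to a real interface"
    else
        echo "warning: FQDN resolves to loopback or is missing (rc=$?)"
    fi
done
```

Run it against your real file with `hosts_lookup server04.beemtech.edu < /etc/hosts`; a result of 127.0.0.1 means the loopback line wins and should lose the FQDN.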

Step 2: OpenDS LDAP Directory Server Setup

1. OpenDS Setup
1. In this tutorial we'll use the OpenDS directory server. Download the QuickSetup.jnlp
version to your temp directory.
2. Locate the package and double-click it to start the installation, then follow the
installation wizard's instructions.
April 2007, Kefa Rabah, Global Open Versity, Vancouver Canada

www.globalopenversity.org A GOV Open Knowledge Access Technical Publication HowTo



3. On the Server Settings page, set the LDAP listener port to 8389 and use "password"
as the Directory Manager password (a throwaway value for this lab setup only; choose a
strong one for any instance reachable from other hosts). The rest is auto-completed.
Click Next.

4. On the Directory Data page, enter the Directory Base DN:

"dc=opensso,dc=java,dc=net";

5. For Directory Data, select the "Import Automatically-Generated Sample Data"
option, which pre-populates the suffix with 2000 random users, see the figure below.
Click Next.

6. On the Review page (not shown), ensure that the settings are correct, and then
click Finish.


7. The final Finished page should look like the figure shown below:

8. Click "Launch Control-Panel" to start your OpenDS server listening on port 8389,
or from the command line type:

/usr/OpenDS/bin/control-panel

From the OpenDS Control Panel > Server Status click Start to start the OpenDS
server, and enter your credentials to log on.

2. Install LDAP Browser/Editor
1. At this point you should have an instance of the OpenDS LDAP server listening on
port 8389.
2. To provision it with the entries OpenSSO needs, and to inspect the result, we'll use
a simple Java LDAP tool with a GUI, the LDAP Browser/Editor. It's a very lightweight
tool that runs on many environments. Follow the installation notes specified here:
http://www.filewatcher.com/m/Browser282b2.tar.gz.651283.0.0.html
3. You will simply need to download the archive, unpack it and run the lbe.sh or
lbe.bat script (assuming that you have the java command in your operating system
path).
4. My standard setup puts the unarchived application into a directory called
/usr/ldapbrowser, which I create by copying Browser282b2.tar.gz to /usr and
running tar xvzf on it right there.
5. Next cd to the installed directory and run ./lbe.sh on Linux, or double-click
lbe.bat on Windows, to start the LDAP browser.
6. If you are using Fedora Linux you can also find the 'lbe' rpm package in the Dries
repository.
7. Run LDAP Browser/Editor, and choose menu File > Connect

Change to the 'Quick Connect' tab and enter the following information:

• host: localhost
• port: 8389
• leave 'Base DN' empty
• uncheck the 'Anonymous bind' checkbox
• user DN: cn=Directory Manager
• password: password
• click 'Connect'

This is a plain (non-TLS) simple bind on port 8389, so the Directory Manager password
crosses the wire in clear; keep it on localhost as shown here.

8. You should be able to see the imported LDAP tree.


3. Extend OpenDS Schema to Integrate OpenSSO

1. Copy the "98-opends_user_schema.ldif" and "99-am_sm_ds_schema.ldif" files into the
config/schema/ directory of your OpenDS installation ("OpenDS-1.0.0-build004/config/schema/",
i.e. /usr/OpenDS/config/schema/ in the layout used here). These schema files come from
Indira's blog and extend the OpenDS schema so that it can cooperate with OpenSSO.
According to the OpenSSO mailing lists it should support OpenDS out of the box in the
future. Schema files in that directory are read at startup, so copy them in before you
start (or restart) OpenDS.
2. Start OpenDS by running:

$ /usr/OpenDS/bin/control-panel

You can also use the "status-panel" binary, which provides a GUI for managing the OpenDS
state.
3. Download the ldif file "ldapentries", also based on the ldif from Indira's blog, from
http://blogs.sun.com/indira/resource/ldapentries, save it as ldapentries.ldif and modify it
as follows (the long aci values are folded LDIF-style: every continuation line starts with
a single space, which ldapmodify strips when it joins the lines):

dn: ou=agents,dc=opensso,dc=java,dc=net
objectClass: top
objectClass: organizationalUnit

dn: ou=groups,dc=opensso,dc=java,dc=net
objectClass: top
objectClass: organizationalUnit

dn: ou=dsame users,dc=opensso,dc=java,dc=net
objectClass: top
objectClass: organizationalUnit

dn: cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
objectclass: inetuser
objectclass: organizationalperson
objectclass: person
objectclass: top
cn: dsameuser
sn: dsameuser
userPassword: secret12

dn: cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
objectclass: inetuser
objectclass: organizationalperson
objectclass: person
objectclass: top
cn: amldapuser
sn: amldapuser
userPassword: secret123

dn: dc=opensso,dc=java,dc=net
changetype: modify
add: aci
aci: (target="ldap:///dc=opensso,dc=java,dc=net")(targetattr="*")(version 3.0;
  acl "S1IS special dsame user rights for all under the root suffix"; allow
  (all) userdn = "ldap:///cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net"; )

dn: dc=opensso,dc=java,dc=net
changetype: modify
add: aci
aci: (target="ldap:///dc=opensso,dc=java,dc=net")(targetattr="*")(version 3.0;
  acl "S1IS special ldap auth user rights"; allow (read,search) userdn =
  "ldap:///cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net"; )

With the following ldapmodify command it is possible to add all the entries into the OpenDS
Directory Server (-a treats records without a changetype as adds, -c continues past errors):

$ cd /usr/OpenDS/bin
$ ./ldapmodify -p 8389 -h localhost -D "cn=Directory Manager" -w password -c -a -f ldapentries.ldif

Passing the bind password with -w leaves it in your shell history and in the process list;
the OpenDS tools also accept -j <file> to read it from a file. Note too that
ldapentries.ldif holds the dsameuser and amldapuser passwords in clear, so restrict its
permissions (chmod 600) or delete it once the import succeeds; OpenDS itself stores
userPassword hashed.
Processing ADD request for ou=agents,dc=opensso,dc=java,dc=net
ADD operation successful for DN ou=agents,dc=opensso,dc=java,dc=net
Processing ADD request for ou=groups,dc=opensso,dc=java,dc=net
ADD operation successful for DN ou=groups,dc=opensso,dc=java,dc=net
Processing ADD request for ou=dsame users,dc=opensso,dc=java,dc=net
ADD operation successful for DN ou=dsame users,dc=opensso,dc=java,dc=net
Processing ADD request for cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
ADD operation successful for DN cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
Processing ADD request for cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
ADD operation successful for DN cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
Processing MODIFY request for dc=opensso,dc=java,dc=net
MODIFY operation successful for DN dc=opensso,dc=java,dc=net
Processing MODIFY request for dc=opensso,dc=java,dc=net
MODIFY operation successful for DN dc=opensso,dc=java,dc=net

You can also use the LDAP Browser we installed earlier to perform this task. Note what the
two acis grant: dsameuser gets all rights under the root suffix (it is the account OpenSSO
itself binds with), while amldapuser gets only read and search (it is used for
authentication lookups). Keep the two accounts and their passwords separate rather than
reusing the privileged one for both jobs.
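The ldif above is printed with its long aci values folded onto several lines; ldapmodify only accepts that when every continuation line starts with a single space (RFC 2849), otherwise it fails on the first wrapped line. As an added example, not part of the original HowTo, the following POSIX shell functions unfold an LDIF and check every logical line before you feed the file to ldapmodify. The two sample LDIF strings are constructed from the entries above (one correctly folded, one merely word-wrapped); ldif_unfold and ldif_check are names I chose.

```shell
#!/bin/sh
# Added example (not part of the original HowTo): a small RFC 2849 LDIF
# checker. A continued line must begin with exactly one space; these
# functions join such lines and verify every logical line is well formed.

# ldif_unfold < ldif -> the same LDIF with continuation lines joined
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }      # continuation: append without the fold space
        { if (started) print buf; buf = $0; started = 1 }
        END { if (started) print buf }
    '
}

# ldif_check < ldif -> prints the number of records and returns 0, or prints
# the offending lines and returns 1. Accepts "name: value", "name:: base64",
# "name:< url", the "-" change separator, comments and blank separators; an
# attribute line outside a record (before any dn:) is an error.
ldif_check() {
    ldif_unfold | awk '
        /^$/   { in_record = 0; next }
        /^#/   { next }
        /^-$/  { next }
        /^dn:/ { records++; in_record = 1; next }
        /^[A-Za-z][A-Za-z0-9;-]*:(:|<)?/ { if (in_record) next }
        { printf "malformed line %d: %s\n", NR, $0; bad = 1 }
        END { if (bad) exit 1; print records + 0 }
    '
}

# Constructed sample: entries from the HowTo, aci folded correctly
# (continuation lines start with one fold space plus the real space).
GOOD_LDIF='dn: ou=agents,dc=opensso,dc=java,dc=net
objectClass: top
objectClass: organizationalUnit

dn: cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
objectclass: inetuser
objectclass: organizationalperson
objectclass: person
objectclass: top
cn: amldapuser
sn: amldapuser
userPassword: secret123

dn: dc=opensso,dc=java,dc=net
changetype: modify
add: aci
aci: (target="ldap:///dc=opensso,dc=java,dc=net")(targetattr="*")(version 3.0;
  acl "S1IS special ldap auth user rights"; allow (read,search) userdn =
  "ldap:///cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net"; )'

# Constructed sample: the same aci merely word-wrapped, as it appears in
# print; ldapmodify would reject it.
BAD_LDIF='dn: dc=opensso,dc=java,dc=net
changetype: modify
add: aci
aci: (target="ldap:///dc=opensso,dc=java,dc=net")(targetattr="*")(version 3.0;
acl "S1IS special ldap auth user rights"; allow (read,search) userdn =
"ldap:///cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net"; )'

printf '%s\n' "$GOOD_LDIF" | ldif_check                      # 3
printf '%s\n' "$GOOD_LDIF" | ldif_unfold | grep '^aci:'      # the aci as one logical line
printf '%s\n' "$BAD_LDIF"  | ldif_check \
    || echo "fix the folding before running ldapmodify"
```

Run `ldif_check < ldapentries.ldif` before the ldapmodify command; a clean run prints the record count (7 for the file above), while a word-wrapped aci is reported line by line.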


Step 3: OpenSSO deployment and installation on Tomcat

1. Download and unzip tomcat - we'll use "apache-tomcat-6.0.20" binary here.


2. Edit the file "apache-tomcat-6.0.20/conf/server.xml" and change the default HTTP
connector port to 8081:

<Connector port="8081" protocol="HTTP/1.1" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" redirectPort="8443" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true" />

Comment out the AJP connector (nothing in this setup fronts Tomcat with an AJP-speaking
web server, so that listener stays closed):

<!--<Connector port="8009" enableLookups="false" redirectPort="8443"
               protocol="AJP/1.3" />-->

3. Download Sun OpenSSO Enterprise from the OpenSSO download page, where you will
find OpenSSO releases and builds ready for download. At the time of writing we
used the latest release, OpenSSO Enterprise 8.0: opensso_express_80.zip. Extract the
downloaded .zip file, change to the deployable-war directory and copy the "opensso.war"
file into tomcat's "webapps" directory, then start tomcat:

[krabah@server04 ~]$ cd $CATALINA_HOME
[krabah@server04 tomcat]$ cp ../../opensso/deployable-war/opensso.war webapps/
[krabah@server04 tomcat]$ cd bin/
[krabah@server04 bin]$ chmod a+x *.sh
[krabah@server04 bin]$ ./startup.sh

4. Start your OpenDS server if not started.


5. Open http://www.beemtech.edu:8081/opensso/ (substitute your own FQDN) in your browser
to see the OpenSSO configuration page. Click the "Create Default Configuration" option to
perform the quick file-system based configuration and follow the instructions. Let's use
the value "password" to keep it simple :) (lab only). Note that the Default Configuration
runs OpenSSO against its embedded configuration store; pointing it at the OpenDS instance
prepared above is the subject of Part II.


6. On the Default Configuration page fill in your credentials: for amAdmin use
<password> and for amldapuser use <secret123> (the same value set as userPassword for
cn=amldapuser in ldapentries.ldif above).

7. On Configuration Complete Alert, click Proceed to Login


8. Click "Proceed to Login" to go to the deployed OpenSSO instance. Finally, as a
test, you should be able to authenticate to the OpenSSO console with the "amadmin"
user and the password provided in the previous step.

If you have trouble logging in to the admin console, reboot the server; you should
then be able to access the main admin page, as shown below:


9. OpenSSO is robust open-source software for web access management, complete with
support plans from Sun. Do check them out in case of any trouble!
10. Stay tuned for Part II of this article on integrating OpenSSO with the OpenDS server.
11. Have fun with Tomcat and OpenSSO & GOOD LUCK!

-----------------------
Kefa Rabah is the Founder and CIO, of Serengeti Systems Group Inc. Kefa is knowledgeable in several
fields of Science & Technology, IT Security Compliance and Project Management, and Renewable Energy
Systems. He is also the founder of Global Open Versity, a Center of Excellence in eLearning.

