** The original document in PDF format is at http://www.aygfsteel.com/Files/joey/opensso.rar; feel free to take it for reference, but please note that this document was written in 2006 and has not been updated since, so mind the versions.

This is a real-world OpenSSO deployment example. Because the customer required English, there is only an English version; my English is rather poor, so please bear with me. Actually, if you run into any trouble while using OpenSSO, I think the best place to ask for help is the OpenSSO team's mailing list, which is listed on the OpenSSO website. They are really helpful: basically every question is answered within 24 hours, and the replies come from members of the OpenSSO team. Really great.

If you have any questions about my article, you can also leave me a message. Also, because the original was in PDF format and was later converted to txt, some parts don't look very nice; please bear with me.


                          Implement SSO with AD

                                       Joey

                                  December 26, 2006

           

          Contents

          1 Software Environment
          2 Create Users in AD
          3 Join Linux into Windows 2003 Domain
          4 Install JBoss server and JRE 5
          5 Fix Windows TCP port
          6 Deploy and Config Access Manager
            6.1 Deploy Access Manager
            6.2 Config Access Manager
          7 Install Sun Java System Access Manager Policy Agent
          8 Make Application to support SSO
          A Config DHCP Server
          B Config Domain controller
          C Authorize DHCP server


          1 Software Environment

           Roles                                   Computer name        Platform

           Domain Server, DHCP Server, DNS Server  srv-1.contoso.com    Windows 2003 Active Directory
           Application server 1                    test-1.contoso.com   Win2K3/XP, JRE 5.0, SJS AM
                                                                        Policy Agent 2.2 for JBoss
           Application server 2                    test-2.contoso.com   Win2K3/XP, JRE 5.0, SJS AM
                                                                        Policy Agent 2.2 for JBoss
           Access Manager server                   ams.contoso.com      Red Hat Linux, JBoss 4.02 or
                                                                        above


          2 Create Users in AD

          Create two groups in AD, add one user to each group, and create amadmin as
          the administrator for AM.

           User                                Group in AD

           admin                               users
           danie                               users
           amadmin                             Users


          3 Join Linux into Windows 2003 Domain (only for Windows 2003 DC, Red Hat Linux)

            1. Modify /etc/krb5.conf

               Replace 'EXAMPLE.COM' with your domain name and replace
               kerberos.example.com with your AD server name. (This section is
               case-sensitive; just follow this demo.)

               krb5.conf sample: suppose the domain name is contoso.com, the AD
               server is srv-1.contoso.com, and its IP is 10.0.0.2. Keep the other
               settings in krb5.conf at their defaults.

                   [libdefaults]
                       default_realm = CONTOSO.COM
                       dns_lookup_kdc = false
                       dns_lookup_realm = false

                   [realms]
                   CONTOSO.COM = {
                       admin_server = srv-1.contoso.com:749
                       default_domain = contoso.com
                       kdc = 10.0.0.2:88
                   }

                   [domain_realm]
                       .contoso.com = CONTOSO.COM
                       contoso.com = CONTOSO.COM


            2. Modify /etc/samba/smb.conf. smb.conf sample:

                   realm = contoso.com              # add this line yourself
                   workgroup = CONTOSO
                   security = ADS

           

            3. Get a ticket. Run kinit administrator (enter the administrator password
               when prompted) in a shell window.

               Sample: kinit administrator@CONTOSO.COM

            4. Join the domain. Run the net join command in a shell window.

               Sample: net ads join

            5. Restart Samba, or simply restart the system.


          4 Install JBoss server and JRE 5

          Install JBoss server and JRE 5 on test-1.contoso.com, test-2.contoso.com, and
          ams.contoso.com.


          5 Fix Windows TCP port

            1. Start Registry Editor.

            2. Locate the following subkey in the registry, and then click Parameters:
               HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

            3. On the Edit menu, click New, and then add the following registry entry:
               Value Name: MaxUserPort
               Value Type: DWORD
               Value data: 65534
               Valid Range: 5000-65534 (decimal)
               Default: 0x1388 (5000 decimal)
               Description: This parameter controls the maximum port number that is
               used when a program requests any available user port from the system.
               Typically, ephemeral (short-lived) ports are allocated between the values
               of 1024 and 5000 inclusive.

            4. Quit Registry Editor.

            For more information, see http://support.microsoft.com/default.aspx?scid=kb;EN-US;196271


          6 Deploy and Config Access Manager

          Do this step on ams.contoso.com.


          6.1 Deploy Access Manager

          Copy "opensso.war" to (JBossDIR)\server\default\deploy


          6.2 Config Access Manager

            1. Start JBoss server.

            2. In a browser (from any client computer), access the link
               "http://ams.contoso.com:8080/opensso". See the following picture.

            3. In the Configurator page, you can change anything according to your needs. But
               in this case I keep all default values and just input a new password in Super
               Administrator password; the password is "12345678". And Cookie Domain:
               ".contoso.com". Click the Configure button.

            4. If everything is OK, you can see this page after a few seconds. You can
               click the link "here" or wait 5 seconds; it will be automatically redirected
               to the "Sun Java System Access Manager" login page. See the following picture.

            5. Now we need to log in to Access Manager. Type "amadmin" for User Name
               and "12345678" for Password. (This is the password we input in 6.2.3.)

            6. Config AD Authentication. After you finish 6.2.5, use this web link to
               access AM: http://ams.contoso.com:8080/opensso.

                   Set Core Service.

                       - Click Configuration → Authentication → Service Name: Core

                       - Select User Profile: Dynamic

                       - Click "Save", click "Back to Configuration".

                   Access Control → Realm Name - opensso → Authentication, see
                   pic 3.

                   Config AD Module Instances

                       - Click the "New" button in "Module Instances".

                       - Type a name for the new instance; we use "AD" here and select
                         "Active Directory" for the type option, click OK. See pic-4.

                       - Click "AD", which we just created in the last step, and input ...


                       Item                                Values

                       Primary Active Directory Server     srv-1.contoso.com:389 (remove default value)
                       DN to Start User Search             dc=contoso, dc=com (remove default value)
                       DN for Root User Bind               cn=administrator,cn=users,dc=contoso,dc=com
                                                           (remove default value)
                       Password for Root User Bind         (password of the Domain administrator)
                       Password for Root User Bind         (password of the Domain administrator)
                       (confirm)
                       Attribute Used to Retrieve          cn
                       User Profile
                       Attributes Used to Search for       cn (remove default value)
                       a User to be Authenticated
                       Return User DN to Authenticate      Deselected

                  - "Save" and click "Back to Authentication".

          7. Config Authentication Chaining.

               Click the "New" button in "Authentication Chaining".

               Type a name for the new Authentication Chain; we use "ADChain"
               here. Click the "OK" button.

               In the "ADChain - Properties" page, click the "Add" button and select
               "AD" for Instance. See pic-5, click "Save" and "Back to Authentication".

               Set Default Authentication Chain
               Authentication → General,

                  - select "ADChain" for "Default Authentication Chain"

                  - select "ADChain" for "Administrator Authentication Chain"

                  - click the "Save" button, click the "Realms" button.

               Create Agent
               Main Page → Access Control, select OpenSSO → Subjects →
               Agent → New Agent

                  ID                       Agent1
                  Password                 (password)
                  Password (confirm)       (password)
                  Device status            Active


          7 Install Sun Java System Access Manager Policy Agent

           1. Create a password file for the following step. Just input the agent password
              into this file. Sample: d:\deploy\password.txt

           2. Unzip Access Manager Policy Agent.

           3. Change to the following directory.
              PolicyAgent-base/bin

           4. Issue the following command, and fill in the values following this table.
              agentadmin --install

               Item                                       Values

               JBoss Server Config Directory              D:\deploy\jboss-4.0.5.GA\server\default\conf
               Access Manager Services Host               ams.contoso.com
               Access Manager Services Port               8080
               Access Manager Services Protocol           http
               Access Manager Services Deployment URI     /opensso
               Agent Host name                            test-1.contoso.com
               Agent permissions gets added to            false
               java permissions policy file
               Application Server Instance Port number    8080
               Protocol for Application Server instance   http
               Deployment URI for the Agent Application   /opensso
               Encryption Key                             iF95s8yb4EFZSJQ7qFKybmZdyuXvKofQ
               Agent Profile name                         Agent1
               Agent Profile Password file name           d:\deploy\password.txt


          8 Make Application to support SSO

           1. Copy amclientsdk.jar to the application's lib directory.

           2. Add the filter to the application.

              In web.xml, add the following code.

                  <filter>
                      <filter-name>Agent</filter-name>
                      <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
                  </filter>

                  <filter-mapping>
                      <filter-name>Agent</filter-name>
                      <url-pattern>/*</url-pattern>
                      <dispatcher>REQUEST</dispatcher>
                      <dispatcher>INCLUDE</dispatcher>
                      <dispatcher>FORWARD</dispatcher>
                      <dispatcher>ERROR</dispatcher>
                  </filter-mapping>

           3. Get the user name of the user who is logged on.

                  import com.iplanet.sso.SSOTokenManager;
                  import com.iplanet.sso.SSOToken;
                  import com.iplanet.sso.SSOException;

                  ......
                      try {
                          SSOTokenManager manager = SSOTokenManager.getInstance();
                          // request is the HttpServletRequest of the current call
                          SSOToken token = manager.createSSOToken(request);
                          if (manager.isValidToken(token)) {
                              String userDN = token.getPrincipal().getName();
                              // take the text between the first '=' and the first ','
                              String userName = userDN.substring(userDN.indexOf("=") + 1,
                                                                 userDN.indexOf(","));
                              System.out.println("User DN = " + userDN);
                              System.out.println("User Name = " + userName);
                          }
                      } catch (SSOException e) {
                          // no valid session token could be obtained from this request
                          e.printStackTrace();
                      }
                  ......

           4. Deploy this application.
              If this application has been deployed before, you had better undeploy it and
              clean the JBoss temp directory.

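The user-name extraction in step 3 slices the principal DN between the first "=" and the first ",", which silently returns the wrong name when the CN contains an escaped comma (for example a display name written as "Smith, John"), and the resulting string is what the application goes on to trust. The following is an added example, not from the original guide or the Access Manager SDK: the class DnUtil and its two methods are hypothetical, the sample DNs are constructed, and the parsing uses only the JDK's javax.naming.ldap.LdapName.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Hypothetical helper added for illustration; not part of the guide or of Access Manager. */
public final class DnUtil {
    private DnUtil() {}

    /** The guide's approach: the text between the first '=' and the first ','. */
    static String naiveUserName(String userDN) {
        return userDN.substring(userDN.indexOf("=") + 1, userDN.indexOf(","));
    }

    /**
     * RFC 2253-aware approach: parse the DN and return the value of the leftmost RDN,
     * which must be a cn (the attribute this deployment authenticates with).
     * LdapName indexes RDNs right to left, so the leftmost RDN sits at size() - 1.
     */
    static String userNameFromDn(String userDN) throws InvalidNameException {
        LdapName name = new LdapName(userDN);
        if (name.isEmpty()) {
            throw new InvalidNameException("empty DN");
        }
        Rdn leaf = name.getRdn(name.size() - 1);
        if (!"cn".equalsIgnoreCase(leaf.getType())) {
            throw new InvalidNameException("leftmost RDN is not cn: " + userDN);
        }
        // getValue() returns the unescaped attribute value: "Smith\, John" becomes "Smith, John"
        return leaf.getValue().toString();
    }

    public static void main(String[] args) throws InvalidNameException {
        // Constructed sample DNs in the shape AD returns for the users of this guide.
        String[] samples = {
            "cn=danie,cn=Users,dc=contoso,dc=com",         // plain case: both approaches agree
            "cn=Smith\\, John,cn=Users,dc=contoso,dc=com", // escaped comma inside the CN
            "CN=admin,CN=Users,DC=contoso,DC=com"          // upper-case attribute types
        };
        for (String dn : samples) {
            System.out.println("DN:     " + dn);
            System.out.println("naive:  " + naiveUserName(dn));   // "Smith\" for the second DN
            System.out.println("parsed: " + userNameFromDn(dn));  // "Smith, John" for the second DN
        }
    }
}
```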

          A Config DHCP Server

          DHCP server configuration steps; do this on srv-1.contoso.com.

           1. In "Manage Your Server" click "Add or remove a role".

           2. "Configure Your Server Wizard", click "Next".

           3. Select "Custom configuration", click "Next".

           4. Select "DHCP server", click "Next".

           5. Summary, click "Next".

           6. "New Scope Wizard", click "Next".

           7. "Scope Name", set Name to "Contoso HQ". Click "Next".

           8. "IP Address Range", set "Start IP address" to 10.0.0.10 and "End IP address"
              to 10.0.0.254. Click "Next".

           9. "Add Exclusions", nothing needs to be done; just click "Next".

          10. "Lease Duration", click "Next".

          11. "Configure DHCP Options", click "Next".

          12. "Router (Default Gateway)", set IP address 10.0.0.1, click Add, then Next.

          13. "Domain Name and DNS servers", set the parent domain to "contoso.com";
              for IP address, add 10.0.0.2. Click "Next".

          14. "WINS servers", just click "Next".

          15. "Activate Scope", select "Yes, I want to activate this scope now", click
              "Next".

          16. Click Finish (twice).


          B Config Domain controller

          Steps for configuring the Domain controller on server srv-1.contoso.com.

            1. Run the command "DCPROMO".

            2. "Welcome to the Active Directory Installation Wizard", click "Next".

            3. "Operating System Compatibility", click "Next".

            4. "Domain Controller Type", select "Domain controller for a new domain",
               click "Next".

            5. "Create New Domain", select "Domain in a new forest", and click "Next".

            6. "Install or Configure DNS", select "No, just install and configure DNS on
               this computer", click "Next".

            7. "New Domain Name", type "contoso.com", click "Next".

            8. "NetBIOS Domain Name", accept "CONTOSO" as the Domain NetBIOS
               Name. Click "Next".

            9. "Database and Log Folders", accept the default values for the Database and Log
               folders. Click "Next".

           10. "Shared System Volume", accept the default Folder location, click "Next".

           11. "Permissions", select "Permissions compatible only with Windows 2000
               or Windows Server 2003 operating systems". Click "Next".

           12. "Directory Services Restore Mode Administrator Password", type the
               password, click "Next".

           13. "Summary", click "Next".

           14. "Optional Networking Components" (a modal dialog), click "OK".

           15. "Local Area Connection Properties" pops up. Select TCP/IP, assign
               10.0.0.2 to IP address, press TAB two times, assign 10.0.0.1 to Default
               gateway. Assign 127.0.0.1 to Preferred DNS server. Click "OK" and then
               click "Close".

           16. "Completing the Active Directory Installation Wizard", click "Finish".

           17. Click Restart Now.


          C Authorize DHCP server

          On server srv-1.contoso.com:
          Manage Your Server → Manage this DHCP server → right-click "srv-1.contoso.com",
          select "Authorize".


          posted on 2009-01-05 15:14 by 華宗林 | reads (8940) | comments (31)

          Comments

          • # re: Practical application of OpenSSO
            loocky
            Posted @ 2006-12-14 18:00
            ?
          • # re: Practical application of OpenSSO
            lan
            Posted @ 2007-04-23 18:35
            Hope you can share it, lan_ustb@126.com
          • # re: Practical application of OpenSSO [not logged in]
            jason
            Posted @ 2007-04-24 14:28
            zhaizhanyi2005@163.com
            Thanks!
          • # re: Practical application of OpenSSO
            qushufen
            Posted @ 2007-05-08 13:51
            I need it too; hope you can share it. dream8062@sina.com
          • # re: Practical application of OpenSSO
            gb2687
            Posted @ 2007-05-24 16:45
            gb2687@163.com
            Thanks
          • # re: Practical application of OpenSSO
            xZeus
            Posted @ 2007-05-30 23:40
            Hope you can share it, thendmx@gmail.com
          • # re: Practical application of OpenSSO
            peace
            Posted @ 2007-06-19 08:41
            Could you send me a copy, friend? I'm struggling with exactly this right now; finally found a savior!~~
            peace48@sina.com
          • # re: Practical application of OpenSSO
            thebesghost
            Posted @ 2007-06-19 17:26
            Could you send me a copy? I'm also looking into single sign-on and haven't decided which technology to use yet, but I'd really like to study Sun's opensso first... Many thanks!
            jackwang428@163.com
          • # re: Practical application of OpenSSO
            zhong bo
            Posted @ 2007-06-26 15:09
            cnrapeseed@126.com
            Could you send me a copy... Thanks....
          • # re: Practical application of OpenSSO [not logged in]
            jerry
            Posted @ 2007-07-03 12:29
            Could I have a copy? Thanks. xianfeng_yu@126.com
          • # re: A practical application of OpenSSO
            dawn
            Posted @ 2007-08-13 00:58
            Hello, could you give me a copy in PDF format?
            Thanks!
            daystream@msn.com
          • # re: A practical application of OpenSSO
            zwlin
            Posted @ 2007-11-30 13:38
            Could you send me a copy?
            Thanks
            lzhw85@163.com
          • # re: A practical application of OpenSSO [not logged in]
            johnny
            Posted @ 2008-04-26 10:57
            Friend, could you send me a copy too? Thanks
            thunder0011@163.com
          • # re: A practical application of OpenSSO
            echo
            Posted @ 2008-05-12 18:59
            I've been researching SSO recently and would really like to adopt the opensso solution, but I hear opensso's support for .NET isn't very good, and our systems are heterogeneous. Could the OP offer some advice? Thanks; I hope to exchange ideas with the OP more. My email is:
            qinsj1984@163.com
          • # re: A practical application of OpenSSO
            lincongsky
            Posted @ 2008-06-04 13:47
            Could you send me a copy, friend? I'm struggling with exactly this right now; finally found a savior!~~
          • # re: A practical application of OpenSSO
            lincongsky
            Posted @ 2008-06-04 13:48
            Could you send me a copy, friend? I'm struggling with exactly this right now; finally found a savior!~~
            My email is: lincongsky@163.com
            Thanks
          • # re: A practical application of OpenSSO
            Ethan
            Posted @ 2008-07-02 13:44
            Hello, could you send me a copy? My email is lingethan@163.com
          • # re: A practical application of OpenSSO
            wildfox
            Posted @ 2008-08-26 17:19
            OP, could you send me a copy? I'm also studying OpenSSO now; my email is: wildfox@163.com Thanks
          • # re: A practical application of OpenSSO [not logged in]
            Alexander
            Posted @ 2008-09-08 12:48
            Hello OP, could you send me a copy too? I'm also interested, thanks
            Email: crazyeer@163.com
          • # re: A practical application of OpenSSO
            simon wang
            Posted @ 2008-11-01 00:50
            Hello, could I trouble you to send me a copy? I'm currently working on a related single sign-on project but have no idea where to start.
          • # re: A practical application of OpenSSO
            simon wang
            Posted @ 2008-11-01 00:51
            My email is simon.shengchao@gmail.com, thanks!
          • # re: A practical application of OpenSSO
            Judy
            Posted @ 2008-11-04 17:31
            Could you send me a copy? Thanks
            anglexf2006@gmail.com
          • # re: A practical application of OpenSSO
            wejl
            Posted @ 2008-12-30 21:37
            Hello, I'm a new employee who has just started working. I've been working on single sign-on recently and would really like to learn opensso, but I don't know much about this area. I hope you can send me some material; my Email is: weijl@inspur.com. Thank you.
          • # re: A practical application of OpenSSO
            dafei1288
            Posted @ 2009-01-05 20:41
            dafei1288@sina.com

            Could you share it?
          • # re: A practical application of OpenSSO
            Robin's Java World
            Posted @ 2009-01-06 00:29
            I'd like a copy too, fastzch@gmail.com
            Thanks!
          • # re: A practical application of OpenSSO
            congdepeng@126.com
            Posted @ 2009-01-06 09:21
            I'm just starting to learn this too; send me a copy, congdepeng@126.com
          • # re: A practical application of OpenSSO
            ゞ沉默是金ゞ
            Posted @ 2009-01-06 09:36
            I've also just started looking into this and learning; send me a copy, bhdxyjg@126.com
          • # re: A practical application of OpenSSO
            mysoko
            Posted @ 2009-01-10 16:29
            Our site uses a single sign-on implemented with a filter that someone on JE provided, and lately it seems to have developed problems.

            Could you provide yours for reference and study..

            liyunheng@gmail.com

            Thanks.
          • # re: A practical application of OpenSSO
            ss
            Posted @ 2009-12-23 14:48
            yuyingzhi@126.com, thanks
          • # re: A practical application of OpenSSO
            techleme
            Posted @ 2010-02-22 12:12
            Could I have a copy?
            zhang.jinhong@scottwilson.cn
          • # re: A practical application of OpenSSO [not logged in]
            li
            Posted @ 2011-09-22 10:40
            Could you send me a copy? 632227561@qq.com