Wajih's Chronicles

Installing Oracle WebLogic 10.3.1 (11gR1) on Mac OS X

Friday Oct 30, 2009

Yes there are quite a few blogs on this but none of them is as complete as i would like it to be. So i am documenting my experience here.

1) First download the bits from Oracle. Key is to download the "Generic" Package Installer from here

2) Before starting to install you have to trick the installer into thinking that the local JDK is the generic Sun JDK. If you skip this step the installer will not accept the default Mac OS X JDK and complain that it is Invalid.

$ cd /System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home
$ sudo mkdir -p jre/lib
$ cd jre/lib
$ sudo touch rt.jar
$ sudo touch core.jar

3) Now install WLS using the following command. The installation is pretty straightforward.

$ java -Xmx1024m -Dos.name=unix -jar wls1031_generic.jar

4) The next challange is to overcome the java.lang.OutOfMemory error that occurs when you try to access the console at http://localhost:7001/console. As a result the server hangs.

To recover from this error you actually have to kill the JVM. So edit the user_projects/domains/mydomain/bin/setDomainEnv.sh script first and change the line "if [ "${JAVA_VENDOR}" = "Unknown" ] ; then" to "if [ "${JAVA_VENDOR}" = "Sun" ] ; then"

5) One last thing that is recommended is to set USER_MEM_ARGS="-Xms256m -Xmx512m -XX:MaxPermSize=128m" in startWebLogic.sh script. I added this as the first line.

6) Finally start the server

$ cd user_projects/domains/mydomain && ./startWebLogic.sh

[0] Comments
Like this post? del.icio.us | furl | slashdot | technorati | digg
Posted at 08:14PM Oct 30, 2009 by wahmed in General
Tags:

OpenSSO 8 & SAML v2 AttributeStatement

Wednesday Sep 16, 2009

A very useful and essential feature of OpenSSO is to allow attribute mappings. This enables you to send addtional attributes in the SAMLv2 assertion/response to the Service Provider. Once the attribute mapping is defined (can be done either from the GUI under the entities “Assertion Processing” tab or in the metadata itself), the map is sent as a name-value pair to the Service Provider. Also keep in mind that the mapping can and should be defined on the remote service provider so that if your hosted IDP is shared amongst multiple SP’s, each can have their own mapping. For example here the map was defined from the GUI as USERID=employeeNumber for one of the remote SP’s.


<saml:AttributeStatement><saml:Attribute Name="USERID"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">121898</saml:AttributeValue><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">007</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>

Once the Service Provider receives the assertion and has been configured to look for the attribute name USERID, it will grab the value and do whatever it needs to. One such real life example is SalesForce.com CRM. In OpenSSO 8 Express Build 8, there is a wizard to support easy configuration of federation with SalesForce.com which results in a map definition automatically.

One problem that i ran into (not related to the product, phew..) was that however many maps i defined i could not see them in the assertion. As a matter of fact i could not even see the tag. Turns out that earlier i had modified the Authentication->Core setting from Profile=required to Profile=ignored. Reverting back to Profile=required fixed the issue and the assertion started to pass the attributes.

[0] Comments
Like this post? del.icio.us | furl | slashdot | technorati | digg
Posted at 09:22AM Sep 16, 2009 by wahmed in General
Tags:

OpenSSO Agent 3.0 and SSL Termination

Monday Aug 17, 2009

While working with a customer whose J2EE 3.0 agent was (deployed on Tomcat 6 in non-SSL mode) behind a SSL enabled load balancer i.e., SSL Terminated, we had to set these two properties in the centralized configuration of the Agent under the "Advanced" tab to make it work properly otherwise obviously the agent was redirecting everything to http and port 80 which the Load Balancer was blocking. Also note that we created the policies with a resource of "https" (as desired).

Like this post? del.icio.us | furl | slashdot | technorati | digg
Posted at 12:59PM Aug 17, 2009 by wahmed in General
Tags:

Identity Suites Essentials OpenSSO Tutorials

Sunday Feb 08, 2009

We have just made available an internal suite of tutorials to the public on http://wikis.sun.com/display/ISE.

These tutorials include step by step installation and configuration information both for OpenSSO and Identity Manager. They also include common post installation use cases that we have seen deployed at various customers.

I intend to continue contributing additional tutorials/use cases to the OpenSSO Tutorial so keep watching it.

Like this post? del.icio.us | furl | slashdot | technorati | digg
Posted at 08:01PM Feb 08, 2009 by wahmed in General
Tags:

How to Federate with Google Apps using OpenSSO as the Identity Provider

Wednesday Oct 15, 2008

My colleague Pat Patterson had written a howto on how to Federate with Google Apps using an much older build of OpenSSO. At that time he had to use a custom account mapper (i.e. write code) to map the NameID in the SAML v2 response. Now with the latest OpenSSO builds the custom account mapper is no longer required as account mapping for SAML v2 is supported OOTB using the administrative console of OpenSSO thanks to Heng-Ming Hsu (another colleague) who recently added this functionality to OpenSSO's DefaultIDPAccountMapper.

Here is a simple writeup on how to federate with Google Apps using OpenSSO. I did this in less than 10 minutes but i already had Glassfish installed and opensso.war deployed. Note that this writeup is using non-SSL connections. In production it is recommended to use SSL enabled web servers.

Ingredients

OpenSSO latest nightly build
* http://download.java.net/general/opensso/nightly/latest/opensso/opensso.zip (i used Oct 6th build)


Any OpenSSO Supported Container
* http://opensso.dev.java.net/public/use/docs/fampdf/rn.pdf
* I used Glassfish V2R2 http://glassfish.dev.java.net


A Premier Account for Google Applications
* http://google.com/a


Procedure

The OpenSSO is the Identity Provider (IDP) and Google Apps is the Service Provider (SP). We will use SAML v2 as the Single Sign-On (SSO) protocol between the two and create a Circle Of Trust (COT) on the IDP.

Note your browser will need the Quicktime(TM) plugin to view the videos



1. Deploy opensso.war on your container

Download opensso.zip, extract opensso.war and deploy it on your container. For Glassfish it is very simple and done via the "asadmin deploy" command (for the feint hearted the Glassfish administrative console can also be used to deploy the war file).

Carefully read the release notes to see if your container requires any pre-deployment tasks such as modifying your container's server.policy file

-bash-3.00# ./asadmin deploy --user admin --passwordfile /var/tmp/asadmin_passwd --port 4848 --enabled=true --contextroot /opensso /var/tmp/opensso/deployable-war/opensso.war
Command deploy executed successfully.
-bash-3.00# ./asadmin stop-domain
Domain idp stopped.
-bash-3.00# ./asadmin start-domain

Starting Domain idp, please wait.Log redirected to /var/opt/glassfish/domains/idp/logs/server.log.
Redirecting output to /var/opt/glassfish/domains/idp/logs/server.log
Domain domain1 is ready to receive client requests. Additional services are being started in background.
Domain [idp] is running [Sun Java System Application Server 9.1_02 (build b04-fcs)] with its configuration and logs at: [/var/opt/glassfish/domains].
Admin Console is available at [http://localhost:4848].
Use the same port [4848] for "asadmin" commands.
User web applications are available at these URLs:
[http://localhost:8080 https://localhost:8181 ].
Following web-contexts are available:
[/web1 /__wstx-services /opensso ].
Standard JMX Clients (like JConsole) can connect to JMXServiceURL:
[service:jmx:rmi:///jndi/rmi://utopia:8686/jmxrmi] for domain management purposes.
Domain listens on at least following ports for connections:
[8080 8181 4848 3700 3820 3920 8686 ].
Domain does not support application server clusters and other standalone instances.



2. Configure OpenSSO after deploying to your container

Run though the OpenSSO configuration wizard by pointing your browser to the containers URL and opensso context. In my case it is http://idp.unopass.net/opensso

* To download this video click here



3. Configure IDP on OpenSSO via the Workflow Wizard

One of the defining features of OpenSSO is its workflow wizards which help you to create a hosted IDP/SP or remote IDP/SP very quickly without the need to create metadata files and importing manually.

* To download this video click here



4. Configure SP on Google Apps

* To download this video click here



5. Define Name Identifier (NameID) mapping

Google Apps requires that the userid be sent back in the SAML response. OpenSSO does not do this by default but now provides a very simple way of mapping the nameid to any attribute in the users profile (in the ldap directory).

* To download this video click here



6. SSO into Google Apps using your new OpenSSO IDP

Finally test the SSO by trying to access http://mail.google.com/a/<your domain>. You should NOT be prompted by the traditional Google Login screen, rather you should be redirected to IDP's (OpenSSO) Login page. You should log into OpenSSO with the same userid but password can be different (Hint: you need to create this user if it does not already exist in OpenSSO).

* To download this video click here

After watching this video keep in mind that SSO demos are never impressive unless you show what is happening behind the scenes. One way to do so is to show the SAML 2 protocol (SOAP) messages.

The good news is that they can be grabbed from the debug logs of OpenSSO. You have to enable "message" level debugging first form the OpenSSO Administrative Console under Configuration->Sites. You will then be able to see the AuthN requests and SAML assertion in the debug log called "Federation". For example.

AuthN Request


<?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="glcmf
hikbbhohichialilnnpjakbeljekmkhppkb" Version="2.0" IssueInstant="2008-10-14T00:5
7:14Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Provider
Name="google.com" IsPassive="false" AssertionConsumerServiceURL="https://www.goo
gle.com/a/unopass.net/acs"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:
assertion">google.com</saml:Issuer><samlp:NameIDPolicy AllowCreate="true" Format
="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" /></samlp:AuthnRequest>

Response


IDPSSOUtil.sendResponse: SAML Response content :
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="s247893b2ec9
0665dfd5d9bd4a092f5e3a7194fef4" InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdb
nni" Version="2.0" IssueInstant="2008-10-15T17:24:46Z" Destination="https://www.goo
gle.com/a/unopass.net/acs"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:ass
ertion">http://idp.unopass.net:80/opensso</saml:Issuer><samlp:Status xmlns:samlp="u
rn:oasis:names:tc:SAML:2.0:protocol">
<samlp:StatusCode xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
Value="urn:oasis:names:tc:SAML:2.0:status:Success">
</samlp:StatusCode>
</samlp:Status><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" I
D="s295c56ccd7872209ae336b934d1eed5be52a8e6ec" IssueInstant="2008-10-15T17:24:46Z"
Version="2.0">
<saml:Issuer>http://idp.unopass.net:80/opensso</saml:Issuer><Signature xmlns="http:
//www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#s295c56ccd7872209ae336b934d1eed5be52a8e6ec">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>4hocV3nNTGSZoZjeUZaM3xrphEM=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>
CPCZxaNG/fF6NjncZs6JEzDNpzUNsJsJPhgffw9y8T0oR8iI8+71iW3MIPrfzD2UfSBbHR0W6HYM
fKK2Es3cSOCmfEJ/PmqrrXu2gMHD0TpNWDraXM28DqGkiQvEHJ7/yoX0gxp+KJMQnVgPfrI6kPBz
Ly1TWM6QnwqSI9l8oOg=
</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>
MIICQDCCAakCBEeNB0swDQYJKoZIhvcNAQEEBQAwZzELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNh
bGlmb3JuaWExFDASBgNVBAcTC1NhbnRhIENsYXJhMQwwCgYDVQQKEwNTdW4xEDAOBgNVBAsTB09w
ZW5TU08xDTALBgNVBAMTBHRlc3QwHhcNMDgwMTE1MTkxOTM5WhcNMTgwMTEyMTkxOTM5WjBnMQsw
CQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExDDAK
BgNVBAoTA1N1bjEQMA4GA1UECxMHT3BlblNTTzENMAsGA1UEAxMEdGVzdDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEArSQc/U75GB2AtKhbGS5piiLkmJzqEsp64rDxbMJ+xDrye0EN/q1U5Of+
RkDsaN/igkAvV1cuXEgTL6RlafFPcUX7QxDhZBhsYF9pbwtMzi4A4su9hnxIhURebGEmxKW9qJNY
Js0Vo5+IgjxuEWnjnnVgHTs1+mq5QYTA7E6ZyL8CAwEAATANBgkqhkiG9w0BAQQFAAOBgQB3Pw/U
QzPKTPTYi9upbFXlrAKMwtFf2OW4yvGWWvlcwcNSZJmTJ8ARvVYOMEVNbsT4OFcfu2/PeYoAdiDA
cGy/F2Zuj8XJJpuQRSE6PtQqBuDEHjjmOQJ0rV/r8mO1ZCtHRhpZ5zYRjhRC9eCbjx9VrFax0JDC
/FfwWigmrW0Y0Q==
</X509Certificate>
</X509Data>
</KeyInfo>
</Signature><saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" NameQua
lifier="http://idp.unopass.net:80/opensso">admin</saml:NameID><saml:SubjectConfirma
tion Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="hkcmljnccpheoobdofbjcngjbadmgcfhaapdbnn
i" NotOnOrAfter="2008-10-15T17:34:46Z" Recipient="https://www.google.com/a/unopass.
net/acs"/></saml:SubjectConfirmation>
</saml:Subject><saml:Conditions NotBefore="2008-10-15T17:14:46Z" NotOnOrAfter="2008
-10-15T17:34:46Z">
<saml:AudienceRestriction>
<saml:Audience>google.com</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2008-10-15T17:24:46Z" SessionIndex="s2bb816b5a88
52dcc29f3301784c1640f245a9ec01"><saml:AuthnContext><saml:AuthnContextClassRef>urn:o
asis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClas
sRef></saml:AuthnContext></saml:AuthnStatement></saml:Assertion></samlp:Response>

[7] Comments
Like this post? del.icio.us | furl | slashdot | technorati | digg
Posted at 03:34PM Oct 15, 2008 by wahmed in General
Tags:

OpenSSO custom auth module for RSA Access Manager (formely ClearTrust)

Thursday Sep 04, 2008

I have just checked in code for a custom auth module that validates a RSA ClearTrust SSOToken (CTSESSION) in the OpenSSO CVS repository. This was a result of getting inspired by the much more feature rich SiteMinder module.

Just like the SiteMinder auth module, the obvious two use case of this module are:

  • Co-existence with OpenSSO while authenticating to ClearTrust
  • Migrating to OpenSSO in a ClearTrust environment

This module has been deployed in production and a colleague of mine has polished the code a bit more (my Java skills are ahm...lets say require a jump start most of the time). I'll be checking in the polished code later next week.

For details on deploying this module refer to the README.txt file in the following directory

http://opensso.dev.java.net/source/browse/opensso/products/federation/openfm/integrations/cleartrust/

Like this post? del.icio.us | furl | slashdot | technorati | digg
Posted at 10:10AM Sep 04, 2008 by wahmed in General
Tags:

OpenFM Quick Installation Notes

Wednesday Feb 28, 2007

  • Grab openfm.war from opensso.dev.java.net
  • In WS 7.0 create a new listener called fm or use web container of your choice.
  • Deploy openfm.war to container
  • Hit the deployed URL with web browser, it takes you to configurator.jsp
  • Fill in the information, hit save, configuration failed.
  • Looked at the webserver error log, apparently it is trying to create a directory /AccessManager.
  • Realized that the user under which web server is running is webservd and by default the home directory for it is "/".
  • Changed the home directory of webservd to /home/webservd, restarted the container
  • Hit the configurator again, this time success!

Like this post? del.icio.us | furl | slashdot | technorati | digg
Posted at 08:09PM Feb 28, 2007 by wahmed in General
Tags:

Run Java Enterprise System on Slackware Linux

Friday Aug 11, 2006

These notes are Java ES 3 (2005Q1).[Read More]

Like this post? del.icio.us | furl | slashdot | technorati | digg
Posted at 03:47PM Aug 11, 2006 by wahmed in General
Tags:

MIME Types Mess!

Friday Sep 30, 2005

The reason for my first blog is that i just spent a couple of hours trying to figure out why my mozilla was opening *.sxw documents with staroffice 7 whereas everywhere i looked it was associated to staroffice 8. Since i use KDE i was looking thru all the places where kde determines its MIME types and associated application. Then i thought that since mozilla is build on GTK+ perhaps it has an affinity to gnome, so i started looking under ~/.gnome, /usr/share/mime-info etc. Finally thru a strace i saw the ~/.mailcap was being used. Once i moved/deleted this file, mozilla automatically picked up the mime type defined in KDE. But no wait actually later on i found out that it did not pick it up from KDE. It actally picked it up from /etc/mailcap which was added by Star Office 8 installation. So back to square one. Why can't there be a standard for this unless as usual i am ignorant and there is actually one. BTW i also thought that using gtk-qt-engine will help but it didn't. It did however help greatly in unifying my GTK+ look and feel to the same as KDE. To me this is all a big mess. Every desktop application depending on what toolkit it is based on (or not based on) seems to have its own affinity to where to look for these MIME types! Ah well i have vented my frustration. I feel better now!

Like this post? del.icio.us | furl | slashdot | technorati | digg
Posted at 04:18PM Sep 30, 2005 by wahmed in General
Tags: