OpenSSO Secure Token Server – 4

This blog is the final in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

Part 1 is available here, part 2 is available here and part 3 is available here.

Modify the WSS Configuration Files

The following steps describe how to configure OpenSSO WSS Agents.

  • Download and unzip the openssowssagents.zip file. This file contains OpenSSO Web Services Security Agents, based on JAX-WS Handlers.
  • Expand the zip file.
  • Copy the resources/keystore.jks, resources/.keypass, and resources/.storepass files to a convenient directory.  This directory is represented by @KEYSTORE_LOCATION@ in the <wssagents_unzip_location>/config/AMConfig.properties file.
  • Update AMConfig.properties for StockService as follows:

##### Following properties need to be updated for OpenSSO WSS Agents #####
com.iplanet.services.debug.directory=C:/Documents and Settings/Administrator/StockService/Debug
com.iplanet.am.naming.url=http://ws-provider.ltes.com:80/opensso/namingservice
com.iplanet.am.server.protocol=http
com.iplanet.am.server.host=ws-provider.ltes.com
com.iplanet.am.server.port=80
com.iplanet.am.services.deploymentDescriptor=/opensso
com.sun.identity.loginurl=http://ws-provider.ltes.com:80/opensso/UI/Login
com.sun.identity.saml.xmlsig.keystore=C:/Sun/Middleware/user_projects/domains/wss/resources/service.jks
com.sun.identity.saml.xmlsig.storepass=C:/Sun/Middleware/user_projects/domains/wss/resources/.storepass
com.sun.identity.saml.xmlsig.keypass=C:/Sun/Middleware/user_projects/domains/wss/resources/.keypass
com.sun.identity.saml.xmlsig.certalias=service
com.sun.identity.liberty.ws.trustedca.certaliases=cacert:Self-CA
com.sun.identity.wss.wsc.providername=
com.iplanet.am.cookie.encode=true
/*
 * Security Credentials to read the configuration data
 */
com.sun.identity.agents.app.username=agentAuth
com.iplanet.am.service.password=changeit
com.iplanet.am.service.secret=
##### End of properties for OpenSSO WSS Agents #####

  • Update AMConfig.properties for StockClient as follows:

##### Following properties need to be updated for OpenSSO WSS Agents #####
com.iplanet.services.debug.directory=C:/Documents and Settings/Administrator/StockClient/Debug
com.iplanet.am.naming.url=http://ws-provider.ltes.com:80/opensso/namingservice
com.iplanet.am.server.protocol=http
com.iplanet.am.server.host=ws-provider.ltes.com
com.iplanet.am.server.port=80
com.iplanet.am.services.deploymentDescriptor=/opensso
com.sun.identity.loginurl=http://ws-provider.ltes.com:80/opensso/UI/Login
com.sun.identity.saml.xmlsig.keystore=C:/Sun/Middleware/user_projects/domains/wsc/resources/client.jks
com.sun.identity.saml.xmlsig.storepass=C:/Sun/Middleware/user_projects/domains/wsc/resources/.storepass
com.sun.identity.saml.xmlsig.keypass=C:/Sun/Middleware/user_projects/domains/wsc/resources/.keypass
com.sun.identity.saml.xmlsig.certalias=client
com.sun.identity.liberty.ws.trustedca.certaliases=cacert:Self-CA
com.sun.identity.wss.wsc.providername=
com.iplanet.am.cookie.encode=true
/*
 * Security Credentials to read the configuration data
 */
com.sun.identity.agents.app.username=agentAuth
com.iplanet.am.service.password=changeit
com.iplanet.am.service.secret=
##### End of properties for OpenSSO WSS Agents #####
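The two AMConfig.properties fragments above are easy to get subtly wrong: the agent reads them with Java's Properties loader, so a `/* ... */` block is not a comment but a key named `/*`, and a stray space such as `cacert: Self-CA` becomes part of the trusted issuer name and never matches the certificate. The following Go program is an added example (not part of this post, and not OpenSSO code) that parses a properties file the way Properties.load does and checks the WSS agent settings for the consistency problems a reviewer would look for. The embedded sample is a constructed copy of the StockClient fragment with the stray space deliberately left in so that the checker has something to report.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
	"strings"
)

// Constructed sample mirroring the StockClient AMConfig.properties fragment,
// including the "/* ... */" lines and a stray space in the trusted CA alias.
const sampleAMConfig = `##### Following properties need to be updated for OpenSSO WSS Agents #####
com.iplanet.services.debug.directory=C:/Documents and Settings/Administrator/StockClient/Debug
com.iplanet.am.naming.url=http://ws-provider.ltes.com:80/opensso/namingservice
com.iplanet.am.server.protocol=http
com.iplanet.am.server.host=ws-provider.ltes.com
com.iplanet.am.server.port=80
com.iplanet.am.services.deploymentDescriptor=/opensso
com.sun.identity.loginurl=http://ws-provider.ltes.com:80/opensso/UI/Login
com.sun.identity.saml.xmlsig.keystore=C:/Sun/Middleware/user_projects/domains/wsc/resources/client.jks
com.sun.identity.saml.xmlsig.storepass=C:/Sun/Middleware/user_projects/domains/wsc/resources/.storepass
com.sun.identity.saml.xmlsig.keypass=C:/Sun/Middleware/user_projects/domains/wsc/resources/.keypass
com.sun.identity.saml.xmlsig.certalias=client
com.sun.identity.liberty.ws.trustedca.certaliases=cacert: Self-CA
com.sun.identity.wss.wsc.providername=
com.iplanet.am.cookie.encode=true
/*
* Security Credentials to read the configuration data
*/
com.sun.identity.agents.app.username=agentAuth
com.iplanet.am.service.password=changeit
com.iplanet.am.service.secret=
##### End of properties for OpenSSO WSS Agents #####`

// parseProperties is a minimal Java .properties reader: '#' and '!' start a
// comment, the first '=', ':' or whitespace separates key from value, and a
// trailing backslash continues the value on the next line. A line with no
// separator (such as "/*") becomes a key with an empty value, exactly as
// java.util.Properties treats it.
func parseProperties(text string) map[string]string {
	props := map[string]string{}
	lines := strings.Split(text, "\n")
	for i := 0; i < len(lines); i++ {
		line := strings.TrimSpace(lines[i])
		if line == "" || line[0] == '#' || line[0] == '!' {
			continue
		}
		for strings.HasSuffix(line, "\\") && i+1 < len(lines) {
			i++
			line = strings.TrimSuffix(line, "\\") + strings.TrimSpace(lines[i])
		}
		sep := strings.IndexAny(line, "=: \t")
		if sep < 0 {
			props[line] = ""
			continue
		}
		props[line[:sep]] = strings.TrimLeft(line[sep:], "=: \t")
	}
	return props
}

// requiredKeys are the settings the handler chain cannot work without: where
// the signing keystore is, how to open it, and which identity reads the
// agent profile from OpenSSO.
var requiredKeys = []string{
	"com.iplanet.am.naming.url",
	"com.sun.identity.saml.xmlsig.keystore",
	"com.sun.identity.saml.xmlsig.storepass",
	"com.sun.identity.saml.xmlsig.keypass",
	"com.sun.identity.saml.xmlsig.certalias",
	"com.sun.identity.liberty.ws.trustedca.certaliases",
	"com.sun.identity.agents.app.username",
	"com.iplanet.am.service.password",
}

// checkAgentConfig returns one finding per problem, in a deterministic order.
func checkAgentConfig(props map[string]string) []string {
	var findings []string

	// Keys outside the com.* namespace are almost always comments written in
	// the wrong syntax; Properties.load() silently turns them into keys.
	var odd []string
	for k := range props {
		if !strings.HasPrefix(k, "com.") {
			odd = append(odd, k)
		}
	}
	sort.Strings(odd)
	for _, k := range odd {
		findings = append(findings, fmt.Sprintf("unexpected key %q: not a property; comments in .properties start with # or !", k))
	}

	for _, k := range requiredKeys {
		if props[k] == "" {
			findings = append(findings, "missing or empty: "+k)
		}
	}

	// The naming URL must agree with the separate protocol/host/port/
	// deploymentDescriptor settings, or the agent resolves services from one
	// server and logs in to another.
	u, err := url.Parse(props["com.iplanet.am.naming.url"])
	want := props["com.iplanet.am.server.host"] + ":" + props["com.iplanet.am.server.port"]
	if err != nil || u.Scheme != props["com.iplanet.am.server.protocol"] || u.Host != want ||
		!strings.HasPrefix(u.Path, props["com.iplanet.am.services.deploymentDescriptor"]+"/") {
		findings = append(findings, "naming URL disagrees with server protocol/host/port/deploymentDescriptor")
	}
	if props["com.iplanet.am.server.protocol"] != "https" {
		findings = append(findings, "server protocol is "+props["com.iplanet.am.server.protocol"]+": agent credentials and tokens are sent unencrypted")
	}

	// Trusted-CA entries are alias:issuer pairs; whitespace inside an entry
	// becomes part of the alias or issuer name and the match silently fails.
	for _, entry := range strings.Split(props["com.sun.identity.liberty.ws.trustedca.certaliases"], ",") {
		alias, issuer, ok := strings.Cut(entry, ":")
		if !ok || strings.ContainsAny(alias+issuer, " \t") {
			findings = append(findings, fmt.Sprintf("malformed trusted CA entry %q: expected alias:issuer with no whitespace", entry))
		}
	}
	return findings
}

func main() {
	for _, f := range checkAgentConfig(parseProperties(sampleAMConfig)) {
		fmt.Println("-", f)
	}
}
```

Run against the sample, the checker reports the three comment-syntax keys (`*`, `*/`, `/*`), the plaintext `http` server protocol, and the malformed `cacert: Self-CA` entry; the naming URL passes because it agrees with the host, port and deployment descriptor. The same parser can be pointed at the real WEB-INF/classes/AMConfig.properties after the copy step in the next section.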

Modify the StockService Application

  • Expand the unsecured StockService.war file that was created previously using the following command:

jar -xvf StockService.war

  • Create a lib directory under the WEB-INF directory if lib does not exist already then, copy all <wssagents_unzip_location>/lib/*.jar files to the WEB-INF/lib directory.
  • Copy the <wssagents_unzip_location>/config/AMConfig.properties file to the WEB-INF/classes directory.
  • Merge the <wssagents_unzip_location>/config/server_handlers.xml file into the existing configuration file WEB-INF/classes/com/sun/stockquote.

The files must be merged so that the following handler is the first handler in the handler chain:

<handler>
  <handler-name>ServerHandler</handler-name>
  <handler-class>com.sun.identity.wssagents.jaxws.server.ServerHandler</handler-class>
</handler>

  • Build the secured StockService application into the StockService.war file with the following command:

jar -cvf StockService.war *

  • Deploy the StockService.war file to the WebLogic container.
  • Access the web service WSDL with the following URL:

http://ws-provider.ltes.com:7001/StockService/StockService?wsdl

Modify the StockClient Application

  • Expand the unsecured StockClient.war file that was created previously using the following command:

jar -xvf StockClient.war

  • Create a lib directory under the WEB-INF directory if lib does not exist already. Then, copy all <wssagents_unzip_location>/lib/*.jar files to the WEB-INF/lib directory.
  • Copy the previously updated AMConfig.properties file into the WEB-INF/classes directory.
  • Merge the <wssagents_unzip_location>/config/server_handlers.xml file into the existing configuration file WEB-INF/classes/server_handlers.xml.

The following handler must be the first handler in the handler chain:

<handler>
  <handler-name>ClientHandler</handler-name>
  <handler-class>com.sun.identity.wssagents.jaxws.client.ClientHandler</handler-class>
</handler>

  • Add the following client filter to the WEB-INF/web.xml file:

<filter>
  <filter-name>LoginFilter</filter-name>
  <filter-class>com.sun.identity.wssagents.jaxws.client.ClientFilter</filter-class>
</filter>

<filter-mapping>
  <filter-name>LoginFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

  • Build the secured StockClient application into the StockClient.war file with the following command:

jar -cvf StockClient.war *

  • Deploy the StockClient.war file to the WebLogic container.
  • Access the web service client with a URL of the following form:

http://ws-client.ltes.com:8001/StockClient

  • The URL redirects to the OpenSSO Authentication service UI for end-user authentication to the default authentication module, as shown in the following figure:

  • After successfully authenticating to the OpenSSO server, the browser is redirected to the StockClient application page.

  • Click GetQuote to display the web service response from the StockService application.

OpenSSO Secure Token Server – 3

This blog is the third in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

Part 1 is available here and part 2 is available here.

Update the Web Service Provider Profile

The following steps describe how to create the Web Service Provider profile.

  • Click Web Service Provider. Under Agent click WSP.

  • Select all Security Mechanisms and set Preserve Security Headers in Message to true.

  • Select the checkboxes for Is Request Signature Verified and Is Response Signed.

  • Enter the Web Service End Point URL:

http://ws-provider.ltes.com:7001/StockService/StockService

  • Enter the key aliases, keystore location and password.

  • Save the changes.

Update the Agent Authenticator Profile

This Agent Authenticator (agentAuth) acts as the application user. It authenticates WSS agents to the OpenSSO server through the OpenSSO client SDK in order to retrieve agent profiles or configurations from the OpenSSO server. To do its job, agentAuth requires permission to read the configuration information of the newly created WSC and WSP agent profiles.

Set the agentAuth read permission as follows:

  • Select the Agent Authenticator tab.

  • Under Agent, click agentAuth to edit it.
  • Under the heading Agent Profiles allowed ensure that WSC and WSP are selected.
  • Save the changes and log out of OpenSSO.

Edit the Security Token Service Configuration Parameters

Log onto OpenSSO and navigate to Configuration -> Global -> Security Token Service.

Make the following changes:

  • In the Token Issuance Attributes section change the Issuer to Self-CA and the Certificate Alias Name to opensso.

  • In the Key Store section change the Private Key Alias and the Public Key Alias of Web Service (WS-Trust) Client to opensso.

  • In the Token Validation Attributes section change the Trusted Issuers to cacert:Self-CA.

Change the Cookie c66Encode Flag

The c66Encode flag works around a problem whereby some application servers return the wrong cookie ID if certain characters appear in the ID. c66Encoding ensures that those characters are not used in the cookie ID.

Follow these steps to turn c66Encoding on.

  • Log onto the OpenSSO console and navigate to Configuration -> Servers and Sites.
  • Click the Default Servers Settings button.
  • Select the Advanced tab.
  • Change the value of com.iplanet.am.cookie.c66Encode to true.
  • Save the changes.
  • Restart the OpenSSO web container.

OpenSSO – Secure Token Server

I think that the demise of OpenSSO has been greatly over exaggerated. There are positions open for people with OpenSSO skills and there are many forums with people asking for help in solving OpenSSO/OpenAM problems.

One question that comes up regularly is how to configure OpenSSO as a Secure Token Server.

This blog is the first in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

A Secure Token Server is a third-party broker that allows a Web Service client to authenticate and receive a security token which is then sent to a Web Service Provider. The Web Service Provider validates the token and verifies that it came from a trusted secure token server.  It then uses the token to make authentication and authorization decisions.

Create and Deploy the SSL Certificates

This deployment uses self-signed certificates. The following instructions describe how to create and install them using OpenSSL and keytool.

  1. Create root certificate.
  2. Create the trusted certificates store
  3. Create key and signing requests.
  4. Sign the requests.
  5. Create the keystores.
  6. Add the public certificates to the keystores.

It is assumed that openssl.cnf has already been created.

Create the root certificate

openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 365 -config openssl.cnf

Create the trusted certificates store

openssl x509 -outform DER -in cacert.pem -out cacert.cert
keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias cacert -file cacert.cert

Create a Key and Signing Request

Client

openssl req -new -nodes -out clientReq.pem -keyout private/clientKey.pem -config openssl.cnf

Server

openssl req -new -nodes -out serverReq.pem -keyout private/serverKey.pem -config openssl.cnf

OpenSSO

openssl req -new -nodes -out openssoReq.pem -keyout private/openssoKey.pem -config openssl.cnf

Sign the Requests

Client

openssl ca -out clientCert.pem -config openssl.cnf -infiles clientReq.pem

Server

openssl ca -out serverCert.pem -config openssl.cnf -infiles serverReq.pem

OpenSSO

openssl ca -out openssoCert.pem -config openssl.cnf -infiles openssoReq.pem

Create the Keystores

The following instructions use the ImportKey class to import the keys into the Java keystore.

Client

  • Convert both the key and the certificate to DER format:
    openssl pkcs8 -topk8 -nocrypt -in private\clientKey.pem -inform PEM -out clientKey.der -outform DER
    openssl x509 -in clientCert.pem -inform PEM -out clientCert.der -outform DER
  • Import the files into the JKS
    java ImportKey clientKey.der clientCert.der
  • Copy and rename the keystore
    copy \<home directory>\keystore.ImportKey client.jks
  • Change keystore password:
    keytool -keystore client.jks -storepasswd
  • Change certificate password:
    keytool -keypasswd -alias importkey -keypass importkey -new changeit -keystore client.jks
  • Change the alias
    keytool -keystore client.jks -storepass changeit -changealias -alias importkey -keypass changeit -destalias client
  • Check the Keystore Contents
    keytool -list -v -keystore client.jks

Server

  • Convert both the key and the certificate to DER format:
    openssl pkcs8 -topk8 -nocrypt -in private\serverKey.pem -inform PEM -out serverKey.der -outform DER
    openssl x509 -in serverCert.pem -inform PEM -out serverCert.der -outform DER
  • Import the files into the JKS
    java ImportKey serverKey.der serverCert.der
  • Copy and rename the keystore
    copy \<home directory>\keystore.ImportKey server.jks
  • Change keystore password:
    keytool -keystore server.jks -storepasswd
  • Change certificate password:
    keytool -keypasswd -alias importkey -keypass importkey -new changeit -keystore server.jks
  • Change the alias
    keytool -keystore server.jks -storepass changeit -changealias -alias importkey -keypass changeit -destalias server
  • Check the Keystore Contents
    keytool -list -v -keystore server.jks

OpenSSO

  • Convert both the key and the certificate to DER format:
    openssl pkcs8 -topk8 -nocrypt -in private\openssoKey.pem -inform PEM -out openssoKey.der -outform DER
    openssl x509 -in openssoCert.pem -inform PEM -out openssoCert.der -outform DER
  • Import the files into the JKS
    java ImportKey openssoKey.der openssoCert.der
  • Copy and rename the keystore
    copy \<home directory>\keystore.ImportKey opensso.jks
  • Change keystore password:
    keytool -keystore opensso.jks -storepasswd
  • Change certificate password:
    keytool -keypasswd -alias importkey -keypass importkey -new changeit -keystore opensso.jks
  • Change the alias
    keytool -keystore opensso.jks -storepass changeit -changealias -alias importkey -keypass changeit -destalias opensso
  • Check the Keystore Contents
    keytool -list -v -keystore opensso.jks

Add the Public Certificates to the KeyStores

Server

  • Add the Client Public Certificate
    keytool -importcert -alias client -trustcacerts -keystore server.jks -storepass changeit -file clientCert.der
  • Add the OpenSSO Public Certificate
    keytool -importcert -alias opensso -trustcacerts -keystore server.jks -storepass changeit -file openssoCert.der
  • Check the contents of the Keystore
    keytool -list -v -keystore server.jks

Client

  • Add the Server Public Certificate
    keytool -importcert -alias server -trustcacerts -keystore client.jks -storepass changeit -file serverCert.der
  • Add the OpenSSO Public Certificate
    keytool -importcert -alias opensso -trustcacerts -keystore client.jks -storepass changeit -file openssoCert.der
  • Check the contents of the Keystore
    keytool -list -v -keystore client.jks

OpenSSO

  • Add the Client Public Certificate
    keytool -importcert -alias client -trustcacerts -keystore opensso.jks -storepass changeit -file clientCert.der
  • Add the Server Public Certificate
    keytool -importcert -alias server -trustcacerts -keystore opensso.jks -storepass changeit -file serverCert.der
  • Check the contents of the Keystore
    keytool -list -v -keystore opensso.jks
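The keystore procedure above builds one trust relationship: every party's certificate is issued by Self-CA, and each keystore holds the CA certificate (the cacert alias) plus the public certificates of its peers. That is what lets the Web Service Provider, as described at the start of this post, verify that a token came from a trusted secure token server before it uses the token for any decision. The Go program below is an added example, not part of this post and not OpenSSO code, that reproduces the same structure in memory with the standard library's crypto/x509 in place of openssl and keytool (it uses ECDSA P-256 keys, whereas the openssl.cnf defaults above are whatever that file specifies). It then performs the provider-side check: a token signed by the opensso identity issued under Self-CA is accepted; the same token with altered bytes is rejected; and a token from a second identity that also calls itself "opensso" but was issued by an unrelated CA is rejected even though its signature is internally valid. The token bytes are a constructed placeholder, not a real SAML assertion.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// identity is one private key plus its certificate: the in-memory
// counterpart of a single alias in a JKS keystore.
type identity struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// mint generates a P-256 key and a certificate for it. With parent == nil the
// certificate is self-signed with CA constraints (the "openssl req -x509
// -extensions v3_ca" step); otherwise it is signed by parent ("openssl ca").
func mint(name string, serial int64, parent *identity) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signerCert, signerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &identity{key: key, cert: cert}, nil
}

// signToken stands in for the STS signing a security token it issues.
func signToken(sts *identity, token []byte) ([]byte, error) {
	digest := sha256.Sum256(token)
	return ecdsa.SignASN1(rand.Reader, sts.key, digest[:])
}

// verifyToken is the provider-side check: the issuer's certificate must chain
// to a CA in the provider's trust store (the cacert alias in server.jks), and
// only then is the signature over the token bytes checked.
func verifyToken(trusted *x509.CertPool, issuer *x509.Certificate, token, sig []byte) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := issuer.Verify(opts); err != nil {
		return fmt.Errorf("token issuer not trusted: %w", err)
	}
	pub, ok := issuer.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("issuer certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(token)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("token signature does not verify")
	}
	return nil
}

// demo builds Self-CA and the opensso (STS) identity under it, plus an
// impostor with the same name issued by an unrelated CA, and reports whether
// the provider accepts the genuine token, rejects a tampered copy of it, and
// rejects the impostor's token.
func demo() (genuineOK, tamperRejected, impostorRejected bool, err error) {
	ca, err := mint("Self-CA", 1, nil)
	if err != nil {
		return
	}
	sts, err := mint("opensso", 2, ca)
	if err != nil {
		return
	}
	otherCA, err := mint("Other-CA", 1, nil)
	if err != nil {
		return
	}
	impostor, err := mint("opensso", 3, otherCA) // same CN, wrong issuer
	if err != nil {
		return
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca.cert) // what "keytool -import -alias cacert" puts in the store

	token := []byte("constructed token bytes: subject=alice audience=StockService") // placeholder, not SAML
	sig, err := signToken(sts, token)
	if err != nil {
		return
	}
	genuineOK = verifyToken(roots, sts.cert, token, sig) == nil
	tamperRejected = verifyToken(roots, sts.cert, append([]byte("x"), token...), sig) != nil
	badSig, err := signToken(impostor, token)
	if err != nil {
		return
	}
	impostorRejected = verifyToken(roots, impostor.cert, token, badSig) != nil
	return
}

func main() {
	g, t, i, err := demo()
	fmt.Println("genuine accepted:", g, "tampered rejected:", t, "impostor rejected:", i, "error:", err)
}
```

The order of the two checks in verifyToken matters: chain validation comes first, so a certificate that was never issued by Self-CA is refused before its signature is even examined, which is the same outcome the trusted issuer setting (cacert:Self-CA) enforces in the agent configuration.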

That’s it for now.  I’ll post the next installment next week.

Arsenal

I think that Arsene Wenger has bought well so far in this transfer window but he has to get a more disciplined and defensive minded midfielder in to replace Alex Song.  With two weeks of the transfer window remaining I’ve decided not to give my opinion on the team until it closes.

OpenSSO Sharepoint 2010 Policy Agent Installation (Explained)

This post explains how to install an OpenSSO policy agent to work with Sharepoint 2010.

Install the Web Policy Agent

Installing the policy agent for Sharepoint Server involves taking the following steps:

  1. Create the Web Agent Profile.
  2. Create the Password File.
  3. Configure Policy Agent Installation.
  4. Install the Policy Agent.
  5. Generate the Replay Password.
  6. Configure OpenSSO Agent and Server with the Replay Password.
  7. Configure IIS7 for Basic Authentication.
  8. Create OpenSSO Policy.

Create the Web Agent Profile

The agent requires a profile so that it can connect to and communicate with OpenSSO.

In the OpenSSO console, browse to Access Control -> Realm Name -> Agents -> Web and then click the New… button in the Agent section of the page.

Complete the web form as follows:

Name
The name for the agent profile used to install the agent

Password
Password the agent uses to authenticate to OpenSSO

Configuration
Centralized configurations are stored in the OpenSSO configuration store. You can manage the centralized configuration through the OpenSSO console. Local configurations are stored in a file alongside the agent.

Server URL
The full URL to an OpenSSO instance, or, if OpenSSO is deployed in a site configuration (behind a load balancer), the site URL.
In centralized configuration mode, the Server URL is used to populate the agent profile for services such as Login, Logout, Naming, and Cross Domain SSO.

Agent URL
The web server URL that the agent protects
In centralized configuration mode, the Agent URL is used to populate the Agent Profile for services such as notifications.

Create the Password File

Create a text file containing only the password.

Configure Policy Agent Installation

To protect Microsoft SharePoint Server 2010 on Windows Server 2008 64-bit systems, the IIS 7.0 agent is deployed as an ISAPI filter.

  1. Log onto the server as a user with Administrator privileges.
  2. Make sure OpenSSO is running.
  3. Run IIS7CreateConfig.vbs to create the agent configuration file (config.txt).

C:\Sun\IIS7Agent\bin>cscript IIS7CreateConfig.vbs config.txt
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Copyright c 2009, 2011, Oracle and/or its affiliates. All rights reserved.
———————————————————
Microsoft (TM) Internet Information Server (7.0)
———————————————————
Enter the Agent Resource File Name [IIS7Resource.en] :

Enter the Agent URL (Example: http://agent.example.com:80) :
http://win2008r2.ltes.com:80

Displaying the list of Web Sites and its corresponding Identifiers (id)

SITE “Default Web Site” (id:1,bindings:http/*:80:,net.tcp/808:*,net.pipe/*,net.m
smq/localhost,msmq.formatname/localhost,state:Stopped)

SITE “SharePoint Web Services” (id:2,bindings:http/*:32843:,https/*:32844:,net.t
cp/32845:*,net.pipe/*,state:Started)

SITE “SharePoint Central Administration v4” (id:342466872,bindings:http/:11533:,
state:Started)

SITE “SharePoint – 80” (id:592320721,bindings:http/:80:,state:Started)

Web Site Identifier :
592320721
————————————————
Oracle OpenSSO Enterprise 8.0
————————————————
Enter the URL where the OpenSSO server is running. Please include the deployment
URI also as shown in the example (Example: http://opensso.example.com:58080/opensso):
http://win2008r2.ltes.com:8080/opensso

Please enter the Agent Profile name :
iis7Agent

Enter the Agent profile password file :
C:\Sun\IIS7Agent\agentPassword.txt

—————————————————–
Agent Configuration file created : config.txt

Install the Policy Agent

  1. Run IIS7Admin.vbs to install the agent.

C:\Sun\IIS7Agent\bin>cscript IIS7Admin.vbs -config config.txt
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Copyright c 2009, 2011, Oracle and/or its affiliates. All rights reserved.

Enter the Agent Resource File Name [IIS7Resource.en] :

Creating the Agent Config Directory
Creating the OpenSSOAgentBootstrap.properties and OpenSSOAgentConfiguration.prop
erties File
Updating the Windows Product Registry
Intalling the module into IIS.
Completed Configuring the IIS 7.0 Agent

Generate the Replay Password

  • Generate the replay password key using the DESGenKey class on the OpenSSO server:

C:\>java -classpath \Sun\WebServer7\https-Win2008R2.ltes.com\web-app\Win2008R2.ltes.com\opensso\WEB-INF\lib\amserver.jar com.sun.identity.common.DESGenKey
Key ==> 75jgRSbchTE=

Configure OpenSSO Agent and Server with the Replay Password

  1. Add the replay password key to the OpenSSOAgentConfiguration.properties file on the agent side.
    cd C:\Sun\IIS7Agent\Identifier_342466872\config
    edit OpenSSOAgentConfiguration.properties

  2. In the OpenSSO console, browse to Configuration -> Servers and Sites and click the OpenSSO server name.
  3. Select the Advanced tab and add the following properties and values:

Property Name                                   Value
com.sun.am.replaypasswd.key                     75jgRSbchTE=
com.sun.am.sharepoint_login_attr_name           displayName

  4. Click Save and ignore any warnings.
  5. Add the replay password to the Agent profile in the OpenSSO console:

Browse to Access Control -> Top Level Realm -> Agents -> Web -> [AgentProfileName] -> Advanced.
In the Microsoft IIS Server section set the values:
Authentication Type – Basic
Replay Password Key – 75jgRSbchTE=

  6. Configure the post-authentication plug-in:

Browse to Access Control -> Top Level Realm -> Authentication -> Advanced Properties.
Scroll down to the Authentication Post Processing Classes.
Add com.sun.identity.authentication.spi.ReplayPasswd to the Authentication Post Processing Classes.
Save the changes.
Log out of the OpenSSO console.

  7. Restart the OpenSSO server web container.

Configure IIS7 for Basic Authentication

  1. Set the IIS7 authentication method to Basic Authentication by running inetmgr:

Select the local computer, Sites, SharePoint – 80.
In the right-hand pane, click Authentication in the IIS section.

Enable Basic Authentication.

Close all property windows.

  2. Restart the IIS 7.x server using iisreset.

Create OpenSSO Policy

Any attempt to access the Sharepoint site at this point will result in a 403 permission denied error.  This is easily resolved by creating an access policy for the site in the OpenSSO console.

Note

If the OpenSSO data store is not Active Directory make sure that the user credentials in the data store match their credentials in Active Directory.

Uninstall IIS7 Web Policy Agent

To uninstall the web policy agent:

  1. Log onto the server as a user with Administrator privileges.
  2. Run

C:\Sun\IIS7Agent\bin>cscript IIS7Admin.vbs -unconfig config.txt

  3. Run

C:\Sun\IIS7Agent\bin>iisreset