OpenSSO Secure Token Server – 4

This blog is the final in a series that will describe how to deploy OpenSSO to protect Oracle WebLogic resources by configuring it as a Secure Token Server.

Part 1 is available here, part 2 is available here and part 3 is available here

Modify the WSS Configuration Files

The following steps describe how to configure OpenSSO WSS Agents.

  • Download and unzip the openssowssagents.zip file. This file contains OpenSSO Web Services Security Agents, based on JAX-WS Handlers.
  • Expand the zip file.
  • Copy the resources/keystore.jks, resources/.keypass, and resources/.storepass files to a convenient directory.  This directory is represented by @KEYSTORE_LOCATION@ in the <wssagents_unzip_location>/config/AMConfig.properties file.
  • Update AMConfig.properties for StockService as follows:

##### Following properties need to be updated for OpenSSO WSS Agents #####

com.iplanet.services.debug.directory=C:/Documents and Settings/Administrator/StockService/Debug

com.iplanet.am.naming.url=http://ws-provider.ltes.com:80/opensso/namingservice

com.iplanet.am.server.protocol=http

com.iplanet.am.server.host=ws-provider.ltes.com

com.iplanet.am.server.port=80

com.iplanet.am.services.deploymentDescriptor=/opensso

com.sun.identity.loginurl=http://ws-provider.ltes.com:80/opensso/UI/Login

com.sun.identity.saml.xmlsig.keystore=C:/Sun/Middleware/user_projects/domains/wss/resources/service.jks

com.sun.identity.saml.xmlsig.storepass=C:/Sun/Middleware/user_projects/domains/wss/resources/.storepass

com.sun.identity.saml.xmlsig.keypass=C:/Sun/Middleware/user_projects/domains/wss/resources/.keypass

com.sun.identity.saml.xmlsig.certalias=service

com.sun.identity.liberty.ws.trustedca.certaliases=cacert:Self-CA

com.sun.identity.wss.wsc.providername=

com.iplanet.am.cookie.encode=true

/*

* Security Credentials to read the configuration data

*/

com.sun.identity.agents.app.username=agentAuth

com.iplanet.am.service.password=changeit

com.iplanet.am.service.secret=

##### End of properties for OpenSSO WSS Agents #####

  • Update AMConfig.properties for StockClient as follows:

##### Following properties need to be updated for OpenSSO WSS Agents #####

com.iplanet.services.debug.directory=C:/Documents and Settings/Administrator/StockClient/Debug

com.iplanet.am.naming.url=http://ws-provider.ltes.com:80/opensso/namingservice

com.iplanet.am.server.protocol=http

com.iplanet.am.server.host=ws-provider.ltes.com

com.iplanet.am.server.port=80

com.iplanet.am.services.deploymentDescriptor=/opensso

com.sun.identity.loginurl=http://ws-provider.ltes.com:80/opensso/UI/Login

com.sun.identity.saml.xmlsig.keystore=C:/Sun/Middleware/user_projects/domains/wsc/resources/client.jks

com.sun.identity.saml.xmlsig.storepass=C:/Sun/Middleware/user_projects/domains/wsc/resources/.storepass

com.sun.identity.saml.xmlsig.keypass=C:/Sun/Middleware/user_projects/domains/wsc/resources/.keypass

com.sun.identity.saml.xmlsig.certalias=client

com.sun.identity.liberty.ws.trustedca.certaliases=cacert: Self-CA

com.sun.identity.wss.wsc.providername=

com.iplanet.am.cookie.encode=true

/*

* Security Credentails to read the configuration data

*/

com.sun.identity.agents.app.username=agentAuth

com.iplanet.am.service.password=changeit

com.iplanet.am.service.secret=

##### End of properties for OpenSSO WSS Agents #####

Modify the StockService Application

  • Expand the unsecured StockService.war file that was created previously using the following command:

jar -xvf StockService.war

  • Create a lib directory under the WEB-INF directory if lib does not exist already then, copy all <wssagents_unzip_location>/lib/*.jar files to the WEB-INF/lib directory.
  • Copy the <wssagents_unzip_location>/config/AMConfig.properties file to the WEB-INF/classes directory.
  • Merge the <wssagents_unzip_location>/config/server_handlers.xml file into the existing configuration file WEB-INF/classes/com/sun/stockquote.

The files must be merged so that the following handler is the first handler in the handler chain:

<handler>

<handler-name>

ServerHandler

</handler-name>

<handler-class>

com.sun.identity.wssagents.jaxws.server.ServerHandler

</handler-class>

</handler>

  • Build the secured StockService application into the StockService.war file with the following command:

jar -cvf StockService.war *

  • Deploy the StockService.war file to the WebLogic container.
  • Access the web service WSDL with the following URL:

http://ws-provider.ltes.com:7001/StockService/StockService?wsdl

Modify the StockClient Application

  • Expand the unsecured StockClient.war file that was created previously using the following command:

jar -xvf StockClient.war

  • Create a lib directory under the WEB-INF directory if lib does not exist already. Then, copy all <wssagents_unzip_location>/lib/*.jar files to the WEB-INF/lib directory.
  • Copy the previously updated AMConfig.properties file into the WEB-INF/classes directory.
  • Merge the <wssagents_unzip_location>/config/server_handlers.xml file into the existing configuration file WEB-INF/classes/server_handlers.xml.

The following handler must be the first handler in the handler chain:

<handler>

<handler-name>

ClientHandler

</handler-name>

<handler-class>

com.sun.identity.wssagents.jaxws.client.ClientHandler

</handler-class>

</handler>

  • Add the following client filter to the WEB-INF/web.xml file.

<filter>

<filter-name>

LoginFilter

</filter-name>

<filter-class>

com.sun.identity.wssagents.jaxws.client.ClientFilter

</filter-class>

</filter>

<filter-mapping>

<filter-name>

LoginFilter

</filter-name>

<url-pattern>

/*

</url-pattern>

</filter-mapping>

  • Build the secured StockClient application into the StockClient.war file with the following command:

jar -cvf StockClient.war *

  • Deploy the StockClient.war file to the WebLogic.
  • Access the web service client with a URL of the following form:

http://ws-client.ltes.com:8001/StockClient

  • The URL redirects to the OpenSSO Authentication service UI for end-user authentication to the default authentication module, as shown in the following figure:

  • After successfully authenticating to the OpenSSO server, the browser is redirected the StockClient application page.

  • Click GetQuote to display the web service response from the StockService application.