Chapter 1 Getting Started With OpenSSO Enterprise 8.0
Sun™ OpenSSO Enterprise is being developed as part of the OpenSSO project (https://opensso.dev.java.net/) and is the Sun commercial version of OpenSSO server.
OpenSSO Enterprise includes features such as access management, federation
management, and web services security that are found in earlier releases of
Sun Java System Access Manager and Sun Java System Federation Manager. However,
OpenSSO Enterprise also includes many new features, which are described in
the OpenSSO Enterprise 8.0 Release Notes and the OpenSSO Enterprise 8.0 Technical Overview.
OpenSSO Enterprise is available as a web archive (WAR) file on the sites:
Before you install and configure OpenSSO Enterprise:
OpenSSO Enterprise 8.0 Requirements
Table 1–1 OpenSSO Enterprise 8.0 Requirements
Requirement: File system
Description: If you plan to use the OpenSSO configuration data store, you must deploy OpenSSO Enterprise on a local file system and not on an NFS-mounted file system. The OpenSSO configuration data store, which is deployed with OpenSSO Enterprise, is not supported on an NFS-mounted file system.

Requirement: Web container
Description: One of the following web containers must be running on the host server where you plan to deploy OpenSSO Enterprise:
- Sun Java System Application Server 9.1 Update 1 or Update 2
- GlassFish Application Server V2 UR1 or UR2
- Sun Java System Web Server 7.0 Update 3
- Apache Tomcat 6.0.18 (or later)
- BEA WebLogic Server 10
- BEA WebLogic Server 9.2 MP2
- Oracle Application Server 10g, version 10.1.3.x
- IBM WebSphere Application Server 6.1
- Apache Geronimo Application Server 2.1.2 (with Tomcat on Solaris systems only)
- JBoss Application Server 4.x
Note: These web container versions and any subsequent updates to the version are supported.
For more information about supported versions and open issues for each web container, see the Sun OpenSSO Enterprise 8.0 Release Notes.

Requirement: Configuration Data Store
Description: OpenSSO Enterprise requires a data store for its configuration data, which you select when you run the GUI or command-line Configurator:
- OpenSSO data store
  If you are deploying OpenSSO Enterprise in a multiple server deployment, each OpenSSO Enterprise instance must share the same configuration data store.
  The OpenSSO configuration data store is not supported on an NFS-mounted file system.
- Sun Java System Directory Server

Requirement: User Data Store
Description: OpenSSO Enterprise also requires a data store for its user data:
- Sun Java System Directory Server
  If you are deploying multiple OpenSSO Enterprise instances in a multiple server deployment, all instances must access the same Directory Server.
- Microsoft Active Directory
- IBM Tivoli Directory Server
- OpenSSO data store
  Note: Storing user data in the OpenSSO data store is recommended only for prototype, proof of concept (POC), or developer deployments that have a small number of users. It is not recommended for production deployments.

Requirement: Password encryption key
Description: If you are deploying OpenSSO Enterprise in a multiple server deployment, you must use the same password encryption key value for each OpenSSO Enterprise instance.
Copy the encryption key value from the first instance and then use this value when you configure each additional instance.

Requirement: Web container runtime user permissions
Description: If the runtime user of the OpenSSO Enterprise web container instance is a non-root user, this user must be able to write to its own home directory.
For example, if you are installing Sun Java System Web Server, the default runtime user for the Web Server instance is webservd. On Solaris systems, the webservd user has the following entry in the /etc/passwd file:
webservd:x:80:80:WebServer Reserved UID:/:
The webservd user does not have permission to write to its default home directory (/). Therefore, you must change the permissions to allow the webservd user to write to its default home directory. Otherwise, the webservd user will encounter an error after you configure OpenSSO Enterprise using the Configurator.

Requirement: Mode
Description: OpenSSO Enterprise is always deployed in Realm Mode.
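The file system and runtime user requirements in Table 1–1 can be checked on the host before opensso.war is deployed. The shell functions below are an added example, not part of the Sun documentation: the function names, the appsrv account and the sample mount table are constructed for illustration, and the parser assumes the device, mount point, type column order used by Solaris /etc/mnttab and Linux /proc/mounts.

```shell
#!/bin/sh
# Added example: pre-deployment checks for the "File system" and "Web container
# runtime user permissions" requirements. Names and sample data are constructed.

# Print the home directory (field 6) of user $1 from passwd-format file $2.
passwd_home() {
    awk -F: -v u="$1" '$1 == u { print $6; found = 1; exit }
        END { if (!found) exit 1 }' "${2:-/etc/passwd}"
}

# 0: home directory is set and is not "/"; 1: it is "/" or empty, which a
# non-root runtime user cannot write to by default; 2: no passwd entry.
runtime_home_ok() {
    home=$(passwd_home "$1" "$2") || return 2
    [ -n "$home" ] && [ "$home" != "/" ]
}

# Print the type of the file system holding path $1, read from mount table $2.
# Solaris /etc/mnttab and Linux /proc/mounts both start each line with
# device, mount point, type. The longest matching mount point wins.
fstype_of() {
    awk -v p="$1" '{
            pre = ($2 == "/") ? "/" : $2 "/"
            if (index(p "/", pre) == 1 && length($2) > best) {
                best = length($2); fs = $3
            }
        }
        END { if (fs == "") exit 1; print fs }' "$2"
}

# 0: path $1 is on a local file system; 1: NFS-mounted; 2: not found.
config_dir_is_local() {
    case "$(fstype_of "$1" "$2")" in
        nfs*) return 1 ;;
        "")   return 2 ;;
        *)    return 0 ;;
    esac
}

# Constructed sample inputs; the webservd line is the entry quoted above.
write_samples() {
    printf '%s\n' 'webservd:x:80:80:WebServer Reserved UID:/:' \
        'appsrv:x:900:900:constructed account:/export/home/appsrv:/bin/sh' > "$1/passwd"
    printf '%s\n' '/dev/dsk/c0t0d0s0 / ufs rw 0' \
        '/dev/dsk/c0t0d0s7 /export ufs rw 0' \
        'filer:/vol/apps /export/shared nfs rw 0' > "$1/mnttab"
}
```

On a real host, pass /etc/passwd and /etc/mnttab (or /proc/mounts on Linux) in place of the sample files. When runtime_home_ok fails because the home directory is /, assigning the account a dedicated home directory that it owns meets the write requirement without making / writable by the web server account.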
Overview of Installing and Configuring OpenSSO Enterprise
Some OpenSSO Enterprise 8.0 Changes to Consider
Before you install and configure OpenSSO Enterprise, here are a few changes to consider:
- You install OpenSSO Enterprise from the opensso.war file, using the web container administration console or deployment command. You no longer run a standalone installer.
- You initially configure OpenSSO Enterprise using the GUI or command-line Configurator. Then, to perform additional configuration, you use either the Administration Console or command-line utilities such as the new ssoadm utility. You no longer run the amconfig script with the amsamplesilent file.
- Configuration data, including policy agent configuration data, is stored in a centralized repository. This repository can be either Sun Java System Directory Server or the OpenSSO data store (which is usually transparent to the user). OpenSSO Enterprise does not use the AMConfig.properties or serverconfig.xml files, except for co-existence with previous versions of Access Manager.
Summary of the OpenSSO Enterprise 8.0 Installation and Configuration Steps
To install and configure an instance of OpenSSO Enterprise server, follow these general steps:
1. If necessary, install, configure, and start one of the supported web containers listed in Table 1–1.
2. Download and unzip the opensso_enterprise_80.zip file from the OpenSSO project site:
   http://opensso.dev.java.net/public/use/index.html
   Be sure to check the OpenSSO Enterprise 8.0 Release Notes page for any current issues.
3. Deploy the opensso.war file to the web container, using the web container administration console or deployment command.
   For the detailed steps, see Chapter 3, Installing OpenSSO Enterprise.
4. Run either the GUI or command-line Configurator.
   To run the GUI Configurator, enter the following URL in your browser:
   protocol://host.domain:port/deploy_uri
   For example: http://opensso.example.com:8080/opensso
   If you are running the GUI Configurator, enter values in the Configurator fields or accept the default value for some fields. The Configurator has two configuration options:
   - The Default Configuration option requires you to enter only the OpenSSO Enterprise administrator (amAdmin) and default policy agent (UrlAccessAgent) passwords. The Configurator then uses default values for the other configuration options.
     Use the Default Configuration for development environments or simple demonstration purposes when you just want to evaluate OpenSSO Enterprise features.
   - The Custom Configuration option allows you to enter specific configuration values for your deployment (or accept the default values).
     Use the Custom Configuration for production and more complex environments, for example, a multi-server installation with several OpenSSO Enterprise instances behind a load balancer.
   For the detailed steps, see Chapter 4, Configuring OpenSSO Enterprise Using the GUI Configurator or Chapter 5, Configuring OpenSSO Enterprise Using the Command-Line Configurator.
5. Launch OpenSSO Enterprise using the specific web container console or deployment command, or by specifying the URL from Step 4 in your browser.
6. Log in to the Console as the OpenSSO Enterprise administrator (amAdmin) using the password you specified when you ran the Configurator.
7. To make additional configuration changes to your deployment, use the OpenSSO Enterprise Administration Console or the ssoadm command-line utility. For information, refer to the Administration Console Online Help or the Sun OpenSSO Enterprise 8.0 Administration Reference.
Using Sun Service Tags With OpenSSO Enterprise
OpenSSO Enterprise 8.0 is Service Tag enabled. To use Service Tags,
you must first register your product. On the OpenSSO Enterprise Administration
Console, under Common Tasks, click Register This
Product.
To register, you need a Sun Online Account (SOA) or Sun Developer Network
(SDN) account. If you do not have one of these accounts, you can get an account
during the product registration process.
For more information about Sun Service Tags and Sun Connection, see http://www.sun.com/service/sunconnection/index.jsp.