Friday, February 12, 2010

Test Environment: OpenSSO + JBoss + WSO2 ESB + Liferay

Today I'm trying to setup a test environment for an architecture we thought could solve some project problems.

The architecture is the following:
  • JBoss 4.2 or 5.1 (the choice is delayed)
  • OpenSSO 8
  • WSO2 ESB
  • Liferay 5.2
As first start I installed OpenSSO 8 Enterprise (the Express version is not working for me under any environment I tried: Tomcat 5.5, Tomcet 6, JBoss 4.2, JBoss 5.1, Glassfish 2.1) on top of Tomcat 6.
The installation is easy, just deploy the opensso.war inside the tomcat/webapps folder, giving Tomcat one gigabyte of memory (add JAVA_OPTS=-Xmx1024m in and a fully qualified domain name to the host running tomcat ( alias for in /etc/hosts). On first access to the url (it's very important you use the fully qualified domain name on your first access as it's used for configuration) I simply ran the Default Configuration (suggested for test environments only) which requires just two passwords: the amAdmin credentials will be used to access the administration console while the amAgent credentials will be used .

After I installed the OpenSSO policy agent on top of JBoss 4.2. First of all you need to create the J2EE policy agent profile in OpenSSO. To perform this you have to access the OpenSSO administration console (username amAdmin, password the one you specified during initial configuration) and follow the official instructions replacing the informations providen there with your test environment infos; mine were:
  • Name : JBoss
  • Server URL :
  • Agent URL :
Please note the Agent URL has a different name and port: the name is resolved through /etc/host to (but MUST share the same domain with the Server URL or additional configuration is needed) while the port MUST be different because I'm running both servers on the same machine.

I'm just performing an initial test of the architecture so I'm cloning the server/default folder of my JBoss 4.2 installation to server/sso, cleaning it up from previous work and editing the deploy/jboss-web.deployer/server.xml to switch the connector ports to 8180 (HTTP) and 8109 (AJP).

I unzipped the JBoss Policy Agent 3.0 package (unpacked in /opt/jboss/opensso removing the messing directory structure j2ee_agents/jboss_v42_agent) then I created a file with the agent password

$> echo "agent password" > /opt/jboss/opensso/agent.pwd

then I ran the bin/agentadmin script using this informations:
  • JBoss Server Config Directory : /opt/jboss/server/sso/conf
  • JBoss Server Home Directory : /opt/jboss
  • OpenSSO server URL :
  • Agent URL :
  • Agent Profile name : JBoss
  • Agent Profile Password file name : /opt/jboss/opensso/agent.pwd
  • Agent permissions gets added to java permissions policy file : false
Upon procedure completion some files were added to my server/sso JBoss instance, but I had to:
  • rename the deploy/agentapp.war file to deploy/opensso-agent.war because I used a non standard name;
  • change the jboss/bin/ script because the suggested procedure to add the agent classpath wasn't good for my environment; I used this script excerpt in place of the suggested one (please note that this excerpt need you to change the first line of from #!/bin/sh to #!/bin/bash.

I then ran my JBoss test instance with /opt/jboss/bin/ -c sso and everything seems working: I tested it trying to access the application being redirected to the OpenSSO login page on

The last test was about securing the JBoss JMX Console through OpenSSO. The activity required me to:
  • add this snippet to the deploy/jmx-console.war/WEB-INF/web.xml file
  • add this snippet to the deploy/jmx-console.war/WEB-INF/jboss-web.xml file
Upon completion the same OpenSSO login page should be displayed before trying to access the url.

Ok, then let's try to log into the JBoss JMX Console, but with which credentials?!? On my first try I used the OpenSSO Administration Console superuser credentials (amAdmin/adminadmin) but I encountered a redirection loop failure thus discovering my setup wasn't ready yet. Googling a little bit I discovered this error can be simply solved adding an addition parameter for the JVM to the Tomcat configuration: JAVA_OPTS="$JAVA_OPTS".

Solved the problem and going back to the JMX Console I got a 403 (resource forbidden) error and after some investigations I discovered the easiest solution was to tell OpenSSO to simply apply a limited policy of type SSO_ONLY (Access Control > Top Level Realm > Agents > J2EE > JBoss > General add a jmx-console=SSO_ONLY map entry).

In the near future I wish to try the usage of the OpenID 2 standard on OpenSSO, I've found some instructions on another blog but I hadn't the time to investigate yet.

1 comment:

Roberto Lo Giacco said...

Actually the JBoss Agent 3.0 causes a redirect loop if used on top of JBossAS 5.1