This document outlines the steps to integrate Liferay 6.0 with OpenSSO/OpenAM and LDAP. It involves installing:
1) Liferay Portal,
2) OpenDJ LDAP server,
3) OpenSSO/OpenAM on Tomcat or JBoss,
4) Configuring OpenAM and enabling LDAP authentication in Liferay. Key steps include deploying OpenAM WAR file to Tomcat/JBoss, configuring OpenAM with default password, and enabling LDAP authentication in Liferay control panel.
This document outlines the steps to integrate Liferay 6.0 with OpenSSO/OpenAM and LDAP. It involves installing:
1) Liferay Portal,
2) OpenDJ LDAP server,
3) OpenSSO/OpenAM on Tomcat or JBoss,
4) Configuring OpenAM and enabling LDAP authentication in Liferay. Key steps include deploying OpenAM WAR file to Tomcat/JBoss, configuring OpenAM with default password, and enabling LDAP authentication in Liferay control panel.
This document outlines the steps to integrate Liferay 6.0 with OpenSSO/OpenAM and LDAP. It involves installing:
1) Liferay Portal,
2) OpenDJ LDAP server,
3) OpenSSO/OpenAM on Tomcat or JBoss,
4) Configuring OpenAM and enabling LDAP authentication in Liferay. Key steps include deploying OpenAM WAR file to Tomcat/JBoss, configuring OpenAM with default password, and enabling LDAP authentication in Liferay control panel.
This document outlines the steps to integrate Liferay 6.0 with OpenSSO/OpenAM and LDAP. It involves installing:
1) Liferay Portal,
2) OpenDJ LDAP server,
3) OpenSSO/OpenAM on Tomcat or JBoss,
4) Configuring OpenAM and enabling LDAP authentication in Liferay. Key steps include deploying OpenAM WAR file to Tomcat/JBoss, configuring OpenAM with default password, and enabling LDAP authentication in Liferay control panel.
Download as ODT, PDF, TXT or read online from Scribd
Download as odt, pdf, or txt
You are on page 1of 9
Integrating Liferay 6.
0 With OpenSSO/OpenAM+LDAP
Table of Contents Integrating Liferay 6.0 With OpenSSO/OpenAM+LDAP.........................................................................1 1 Introduction............................................................................................................................................2 2 Prerequisites...........................................................................................................................................2 3 Steps Required for..................................................................................................................................2 3.1 Installing Liferay Portal..................................................................................................................2 3.2 Installing OpenDJ LDAP Server....................................................................................................3 3.3 Installing OpenSSO/OpenAM ......................................................................................................3 3.3.1 Installation of the Tomcat server consisted of........................................................................3 3.3.2 Installation of OpenAM consisted of......................................................................................4 3.3.3 Additional OpenAM Configuration........................................................................................5 3.4 Enabling LDAP Authentication......................................................................................................6 3.5 Integrating Liferay Portal with OpenAM and Enabling LDAP ....................................................6 3.5.1 Enabling LDAP ......................................................................................................................6 4 Reference...............................................................................................................................................8 1 Introduction This guide will walk you through the steps to implement Single Singn On feature with Liferay portal v6.0. This document is intended for test driving OpenSSO(or OpenAM) within a simple single sign-on setting using JBOSS as the target platform where liferay portal would be running..
2 Prerequisites To make a quick OpenAM setup we will need:-
1. Liferay-portal-6.0.6, bundled with JBOSS -v5.1.0
You could also find above prerequisites here:- \\172.16.50.152\Samvahak\SSO
Liferay Portal and OpenSSO both require a minimum 1.5 JVM, but I would recommend using Java 6 (as Java 1.5 reached its End of Service Life in October, 2009). Make sure that your JAVA_HOME, JBOSS_HOME and CATALINA_HOME (for Tomcat server) environment variable are correctly set to point to your Java 6 installation.
For OpenSSO to work correctly with Liferay Portal, both servers (Tomcat and Jboss) need to be running in the same domain.
3 Steps Required for
3.1 Installing Liferay Portal
For this article, we used Liferay Portal 6.0 bundled with JBOSS 5.1.0.
1. Unzip liferay-portal-jboss-6.0-5.1.0.zip to a directory.
On Linux/MacOS, you will need to add execute permissions to all of the shell scripts in “liferay-portal-6.0/jboss-5.1.0/bin” directory:chmod +x *.sh 2. Set the JBOSS_HOME.
3. In liferay-portal-6.0/jboss-5.1.0/bin/, executing run.sh(run.bat) will start Jboss, and deploy
Liferay Portal. 4. Open a browser to http://localhos:10000 , and you will see the Liferay login page. You can login with [email protected] /test.
3.2 Installing OpenDJ LDAP Server
OpenDJ is a new LDAPv3 compliant directory service, developed for the Java platform, providing a high performance, highly available and secure store for the identities. It is comprises of an open source directory server, client tools, and an LDAP SDK. All modules are Java based and require Java 1.6.
OpenDJ is a downstream build of the OpenDS project, with a different name to avoid trademark issues. For more information:- http://opendj.forgerock.org/faq.html
Please follow the below link for OpenDJ installation:-
NOTE:- -->While installing OpenDJ, we need to import the default users. The imported users are automatically generated sample data. -->Admin rights are required if we are installing OpenDJ with Run as the windows service option.If the system don't have admin rights uncheck the Run as window service option otherwise OpenDJ installation will give an error.
3.3 Installing OpenSSO/OpenAM
OpenSSO is an open source access management and federation server platform. Announced by Sun Microsystems in July 2005. Oracle completed their acquisition of Sun Microsystems in February 2010 and announced that OpenSSO would no longer be their strategic product.
OpenSSO will continue to be developed and supported by ForgeRock under the name of OpenAM.
As OpenAM also requires a servlet container, we can either use latest Tomcat (6.0.32) or JBOSS(5.1.0) depending on whether we want to run it on Tomcat or JBOSS.
3.3.1 Installation of the Tomcat/JBOSS servers
3.3.1.1 Installation of Tomcat server consisted of (For running
OpenSSO/OpenAM on Tomcat) 1. Unzip apache-tomcat-6.0.32 zip file. This will create an apache-tomcat-6.0.32 folder. 2. As both Liferay Portal(on Jboss) and OpenAM(on Tomcat) will be running on the same machine. On Linux/MacOS, you will need to add execute permissions to all of the shell scripts in the bin directory: chmod +x *.sh 3. Edit catalina.sh (or catalina.bat) and add the following line to the start of the file, after the comment block listing the various Environment Variable Prerequisite:-
4. Modify “server.xml”, in order to run it on port 8081 instead of default port 8080. You could find it in tomcat directory- apache-tomcat-6.0.32 \conf. open server.xml. edit entry <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
to <Connector port="8081" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
3.3.1.2 Installation of JBOSS server (For running OpenSSO/OpenAM
on JBOSS) consisted of
1. Create a copy of the default port in $ JBOSS_HOME\server. Rename it to ports-01.
Note:- After doing above step, there will be two folder in the JBOSS_HOME/server ie. default and ports-01.
bindings-jboss-beans.xml. Remove the binding sets for default port, ports-01,ports-02, ports-03 and any other port i.e. Only binding set for ports-01 should remain. <!-- The binding sets --> <parameter> <set> <inject bean="Ports01Bindings"/> </set> </parameter> 3. Modify Liferay run.bat add following in JAVA_OPTS variable. -Dcom.iplanet.am.cookie.encode=true
4. After doing above changes, we can run two instance of JBOSS server. Liferay will run on one JBOSS instance through(bin/run.bat). For running OpenSSO, we have to open a new command prompt and run it as below-
cd $JBOSS_HOME/bin run.bat -D jboss.service.binding.set=ports-01 -c ports-01
Note:- OpenSSO will be running on the 8180 port and Liferay will run on default 10000 port.
For more information regarding JBOSS configuration, you can refer below link:- https://wikis.forgerock.org/confluence/display/openam/ Considerations+when+deploying+on+JBoss+AS+5.1
3.3.2 Installation of OpenAM consisted of
1. Unzip openam_snapshot_951RC1.zip to a directory. This will create an openssofolder.
2. Copy the opensso.war from opensso/deployable-war/ to apache-tomcat-6.0.32/webapps/ (for OpenSSO/OpenAM running on Tomcat).
In apache-tomcat-6.0.32/bin/, execute startup.sh (or startup.bat) to start Tomcat and deploy
OpenAM.
After Tomcat has deployed OpenAM, you will see the exploded war file as apache- tomcat-6.0.32/webapps/opensso.
--OR --
In case of OpenSSO/OpenAM running on JBOSS server, copy opensso/deployable-war/ to
$JBOSS_HOME/server/ports-01/deploy.
Start Liferay as mentioned below on command prompt.
Open a browser to http://localhost:8081/opensso, which should redirect you to http://localhost:8081/opensso/config/options.htm, to complete the OpenAM configuration.
-- OR-- In case of OpenSSO/JBOSS server -- Open a browser to http://localhost:8180/opensso, which should redirect you to http://localhost:8180/opensso/config/options.htm, to complete the OpenAM configuration.
4. You should see the OpenAM configuration options page. Under Custom Configuration,click Create New Configuration. Enter the following:
Default User Password — password
Server Settings — default entries are ok. Configuration Data Store Settings — select First Instance, select OpenAM as, Configuration Data Store, leave other entries. User Data Store Settings — select Open DS, and fill the entries accordingly as mentioned in below link.. Site Configuration — select No Default Policy Agent User — policy01 Configurator Summary Details – click,Create Configuration. This will create the configuration for your OpenAM server under ~/opensso(:\Documents and Settings\ {username}\opensso).
For more information regarding OpenAM configuration, you could read through step Procedure1.4.To Configure OpenAM on below link:- http://openam.forgerock.org/doc/install-guide/OpenAM-Install-Guide.html
1. When this completes, in the Configuration Complete dialog, click Proceed to Login, which should now redirect you to http://localhost:8081/opensso/UI/Login (for OpenSSO running on Tomcat) or http://localhost:8180/opensso/UI/Login ( for OpenSSO running on JBOSS) 2. Type amAdmin as the username, password as the password, and click, Log In. You should now see the OpenAM Console. 3. You can now delete the opensso.war file from apache-tomcat-6.0.32/webapps/ directory.
Note:- While installing OpenAM, Cookie Domain should be set as Full Computer Name prefixed by . (dot)
3.3.3 Additional OpenAM Configuration
In-order to get OpenAM to work correctly with Liferay, you would need to set Encode Cookie Value to Yes. This will prevent infinite redirection between Liferay and OpenAM on login. 1. In the OpenAM Console, select the Configuration tab. 2. Select the Servers and Sites tab. 3. Click Default Server Settings. 4. Select the Security tab. 5. In the Cookie section, select the Yes check-box beside Encode Cookie Value. 6. Click Save. Also set the com.iplanet.am.cookie.c66Encodeproperty to true as well, to resolve the infinite redirection problem: 1. In the OpenAM Console, select the Configuration tab. 2. Select the Servers and Sites tab. 3. Click Default Server Settings. 4. Select the Advanced tab. 5. Find the com.iplanet.am.cookie.c66Encodeproperty, and set the value to true. 6. Click Save.
Before updating Liferay to use OpenAM, please add the default Liferay user,[email protected] , to OpenAM. 1. In the OpenAM Console, select the Access Control tab. 2. Click the / (Top Level Realm) realm. 3. Select the Subjects tab. 4. Click New… 5. Setup the default Liferay user: ID — joebloggs (test, in our customized Liferay) First Name — Joe (Test, in our customized Liferay) Last Name — Bloggs (Test, in our customized Liferay) Full Name — Joe Bloggs (test, in our customized Liferay) Password — password Click OK to create the user. 6. Click test to add the email address. Enter [email protected] for the Email Address, and click Save.
3.4 Enabling LDAP Authentication
Log in to the OpenSSO Enterprise console as an administrator. 1. Click the Access Control tab. 2. Navigate to Top Level Realm > Authentication > Authentication Chaining. 3. In the Authentication Chaining section, click New. 4. Enter a name (eg. idmauth) for the chain and click OK. 5. On the new chain's Properties page, add the LDAP module as REQUIRED, and click Save. 6. Click Back to Authentication. 7. For the Organization Authentication Configuration property value, choose the service you just created. 8. In the Module Instances section, choose LDAP. 9. Save the changes. 10. Log out of the OpenSSO Enterprise console. 3.5 Integrating Liferay Portal with OpenAM and Enabling LDAP
3.5.1 Enabling LDAP
1. Start Liferay (liferay-portal-6.0.6/jboss-5.1.0/bin/run.bat). 2. Login to Liferay portal using user [email protected] and password test.(http://localhost:10000/ ) 3. Manage->Control Panel->Portal Settings->Authentication->LDAP. 4. Mark both check box checked. (Enable and Required ) 5. Click on Add->Other Directory Server. 6. Fill entries for Connection accordingly and “Test LDAP Connection”. 7. Also make sure that it is showing users when clicking on “Test LDAP Users”. 8. After successful test, click on Save.
Now update Liferay Portal to integrate with OpenAM for authentication.
1. In Liferay portal, go to Manage->Control Panel->Portal Settings->Authentication->Open SSO.
2. Mark both check box checked. (Enable and LDAP Import Enabled ) 3. Fill Login URL entry with following. http://localhost:8081/sso/UI/Login?goto=http://localhost:10000/c/portal/login 4. Fill Logout URL entry with. http://localhost:8081/sso/UI/Logout?goto=http://localhost:10000/web/guest/home 5. Service URL. http://localhost:8081/sso
6.
7. Click on Test OpenSSO Configuration.
8. If Successfully tested, click on Save. 9. Shut down liferay portal.(bin/shutdown). 10. Create a new file, called portal-ext.properties, in Liferay directory, under liferay-portal- 6.0.6/jboss-5.1.0/server/default/deploy/ROOT.war/WEB-INF/classes. 11. Edit this file, and add the following properties:
13. Once Liferay has started, open a browser to http://localhost:10000 . 14. Click on Sign In and you should be redirected to the OpenAM login page 15. (http://localhost:8081/opensso/UI/Login ). Enter test for the User Name, and password for the Password. Click Log In.
You will be authenticated against OpenAM, and redirected to Liferay.
Now Liferay is using OpenAM for authentication, if you create a new user in OpenAM, that user will also be created in Liferay on the first log in. That newly created user in Liferay will only have the basic information filled in – First Name, Last Name, Screenname, Email Address – and will have the default Roles, Groups, and Organizations assigned.
NOTE:- → OpenAM is supported with Apache Tomcat-v6.0.18 onwards. → If you are not using customized liferay+jboss, then it would run on default port 8080 instead of 10000. So please change the entries accordingly.
