Friday, February 12, 2010

Test Environment: OpenSSO + JBoss + WSO2 ESB + Liferay

Today I'm trying to setup a test environment for an architecture we thought could solve some project problems.

The architecture is the following:
  • JBoss 4.2 or 5.1 (the choice is delayed)
  • OpenSSO 8
  • WSO2 ESB
  • Liferay 5.2
As first start I installed OpenSSO 8 Enterprise (the Express version is not working for me under any environment I tried: Tomcat 5.5, Tomcet 6, JBoss 4.2, JBoss 5.1, Glassfish 2.1) on top of Tomcat 6.
The installation is easy, just deploy the opensso.war inside the tomcat/webapps folder, giving Tomcat one gigabyte of memory (add JAVA_OPTS=-Xmx1024m in and a fully qualified domain name to the host running tomcat ( alias for in /etc/hosts). On first access to the url (it's very important you use the fully qualified domain name on your first access as it's used for configuration) I simply ran the Default Configuration (suggested for test environments only) which requires just two passwords: the amAdmin credentials will be used to access the administration console while the amAgent credentials will be used .

After I installed the OpenSSO policy agent on top of JBoss 4.2. First of all you need to create the J2EE policy agent profile in OpenSSO. To perform this you have to access the OpenSSO administration console (username amAdmin, password the one you specified during initial configuration) and follow the official instructions replacing the informations providen there with your test environment infos; mine were:
  • Name : JBoss
  • Server URL :
  • Agent URL :
Please note the Agent URL has a different name and port: the name is resolved through /etc/host to (but MUST share the same domain with the Server URL or additional configuration is needed) while the port MUST be different because I'm running both servers on the same machine.

I'm just performing an initial test of the architecture so I'm cloning the server/default folder of my JBoss 4.2 installation to server/sso, cleaning it up from previous work and editing the deploy/jboss-web.deployer/server.xml to switch the connector ports to 8180 (HTTP) and 8109 (AJP).

I unzipped the JBoss Policy Agent 3.0 package (unpacked in /opt/jboss/opensso removing the messing directory structure j2ee_agents/jboss_v42_agent) then I created a file with the agent password

$> echo "agent password" > /opt/jboss/opensso/agent.pwd

then I ran the bin/agentadmin script using this informations:
  • JBoss Server Config Directory : /opt/jboss/server/sso/conf
  • JBoss Server Home Directory : /opt/jboss
  • OpenSSO server URL :
  • Agent URL :
  • Agent Profile name : JBoss
  • Agent Profile Password file name : /opt/jboss/opensso/agent.pwd
  • Agent permissions gets added to java permissions policy file : false
Upon procedure completion some files were added to my server/sso JBoss instance, but I had to:
  • rename the deploy/agentapp.war file to deploy/opensso-agent.war because I used a non standard name;
  • change the jboss/bin/ script because the suggested procedure to add the agent classpath wasn't good for my environment; I used this script excerpt in place of the suggested one (please note that this excerpt need you to change the first line of from #!/bin/sh to #!/bin/bash.

I then ran my JBoss test instance with /opt/jboss/bin/ -c sso and everything seems working: I tested it trying to access the application being redirected to the OpenSSO login page on

The last test was about securing the JBoss JMX Console through OpenSSO. The activity required me to:
  • add this snippet to the deploy/jmx-console.war/WEB-INF/web.xml file
  • add this snippet to the deploy/jmx-console.war/WEB-INF/jboss-web.xml file
Upon completion the same OpenSSO login page should be displayed before trying to access the url.

Ok, then let's try to log into the JBoss JMX Console, but with which credentials?!? On my first try I used the OpenSSO Administration Console superuser credentials (amAdmin/adminadmin) but I encountered a redirection loop failure thus discovering my setup wasn't ready yet. Googling a little bit I discovered this error can be simply solved adding an addition parameter for the JVM to the Tomcat configuration: JAVA_OPTS="$JAVA_OPTS".

Solved the problem and going back to the JMX Console I got a 403 (resource forbidden) error and after some investigations I discovered the easiest solution was to tell OpenSSO to simply apply a limited policy of type SSO_ONLY (Access Control > Top Level Realm > Agents > J2EE > JBoss > General add a jmx-console=SSO_ONLY map entry).

In the near future I wish to try the usage of the OpenID 2 standard on OpenSSO, I've found some instructions on another blog but I hadn't the time to investigate yet.

Friday, February 5, 2010

Redmine Installation on Ubuntu 9.04

I decided to give a try to Redmine 0.9.1 and decided to test it on my own notebook running Ubuntu 9.04 (64 bit). As a Ruby newby I had a few issues that's why I'm going to post here my experience. By the way: Redmine is running fine on my notebook authenticating users against my corporate OpenLDAP!

First of all I installed the gem and ruby packages from the Ubuntu repos:

sudo apt-get install rubygems ruby

I decided to perform te remaining installation steps from gem (which, by the way, is a good tool to install ruby packages, something like apt):

sudo gem install rails
sudo gem install rake
sudo gem install rack -v=1.0.1

By default Redmine runs on top of mySQL, but I prefer PostgreSQL as RDBMS so I followed the Redmine wiki instructions to configure PostgreSQL as backend.

sudo gem install pg

Here I got the first problem as a native library I haven't installed on my PC was required, but the outputted message was unclear: something regarding a missing pg_config parameter or command.
After some search I discovered pg_config is a command line utility available through the Ubuntu repositories, so the problem is easily solved running:

sudo apt-get install libpq-dev

Now the previous installation command should finish properly and you can continue with the instructions available on the Redmine wiki.

Once started the WEBrick server I started playing with the web application but I encountered another problem: the OpenLDAP integration. I entered all the parameters in the fields and get a succesfult connection test but I was unable to log into the system with OpenLDAP accounts: I discovered the problem was I entered too much informations in the LDAP Authentication definition!

Strange but solving: in the Redmine LDAP Authentication definition page you MUST NOT insert any credentials (I was erroneusly populating those fields with LDAP administrator credentials) but leave those fields blank and voilĂ , LDAP integration works!