09 March, 2016

OpenAM (OpenSSO) + Liferay 6.2

We start the OpenAM integration assuming OpenDJ is already set up with Liferay. See http://www.liferaysolution.com/2016/03/opendj-liferay-62.html

Install OpenAM

1) Download the OpenAM 11.0.0 war file (OpenAM-11.0.0.war)
2) You can deploy this war file in the same Tomcat where your Liferay is running, or in a separate Tomcat server (apache-tomcat-7.0.68). My recommendation is to use a separate Tomcat server, so the identity provider is isolated from the portal and can be patched, restarted and locked down on its own.

3) For convenience, rename the war file from OpenAM-11.0.0.war to OpenSSO.war and start the Tomcat server to deploy it

4) Once it is deployed into Tomcat, you can access it at http://jignesh.openam.com:7070/OpenSSO. Here jignesh.openam.com:7070 is the host name and port I configured for the newly installed Tomcat server.
Also make sure the server has enough JVM memory by adding the line below to startup.bat:
set JAVA_OPTS=-Dfile.encoding=UTF-8 -Xms128m -Xmx1024m -XX:PermSize=64m -XX:MaxPermSize=256m



5) Click on the Create New Configuration link
6) Under General >> Default User Password, set the password (called password1 in this walkthrough). This becomes the amadmin password, so anywhere other than a throwaway lab use a long, unique password rather than password1.
7) Click Next
8) Provide the host name and the other settings (the screenshot for this step is not reproduced here)
9) Click Next and configure the Configuration Data Store settings (screenshot not reproduced)
10) Click Next and configure the User Data Store settings, where you give the OpenDJ connection details for the directory in which your users are stored (screenshot not reproduced)
11) Click Next and do not make any change in Site Configuration
12) Click Next and set the password (called password2 here) for the Default Policy Agent [UrlAccessAgent]; the configurator requires it to differ from the amadmin password
13) Click Next and check the summary

14) Click on the Create Configuration button; it takes 2-3 minutes to configure OpenSSO if everything was entered properly.

You are done with the setup!
Now verify that the OpenAM configuration is correct and that it is reading all the users from OpenDJ.

OpenAM Configuration

If the setup succeeded, you are taken to the OpenAM login screen, which is at http://jignesh.openam.com:7070/OpenSSO


You can log in with
amadmin
password1 (the Default User Password you set in the configuration step)

1) Once you log in, you see the OpenAM console (screenshot not reproduced)

2) Go to the Access Control tab, where you can create your own realm or use the existing / (Top Level Realm)

3) Click on / (Top Level Realm) and go to the Subjects tab, where you should see all your existing users. If you do not, go to the Data Stores tab, open your data store and correct the LDAP settings there.


4) You also have to create the Joe Bloggs user in OpenDJ under the People container so it is available to OpenAM. Use the same email address, first name, last name and screen name the user has in Liferay, because these are the attributes Liferay matches the SSO user on.

5) Now we have to create a J2EE agent inside OpenAM, which is needed for SSO with Liferay
6) Go to Agents >> J2EE tab
7) Click on the New button to create a new agent called LiferayEEagent

8) Now you also need to install the agent into the Tomcat server that runs the application the agent protects (the paths and URLs below are the ones used in this setup)

Extract the J2EE policy agent zip file and put the tomcat_v6_agent folder in some directory

Go to the j2ee_agents\tomcat_v6_agent\bin folder and run agentadmin --install from a command prompt

It asks a few questions about the configuration and the Tomcat paths, answered as below:

Tomcat Server Config Directory : C:\jignesh\apache-tomcat-7.0.68\conf
OpenAM server URL : http://jignesh.openam.com:7070/OpenSSO
$CATALINA_HOME environment variable : C:\jignesh\apache-tomcat-7.0.68

Agent URL : http://jignesh.openam.com:7070/agentapp
Agent Profile name : LiferayEEagent
Agent Profile Password file name :  C:\jignesh\apache-tomcat-7.0.68\agent-pass.txt

Verify your settings above and decide from the choices below.
1. Continue with Installation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]: 1

Here make sure you give the same
Agent Profile name : LiferayEEagent
Agent Profile Password file name : C:\jignesh\apache-tomcat-7.0.68\agent-pass.txt

that you used when creating the J2EE agent in OpenAM. The agent password is read from a text file whose location you provide; that file holds the password in clear text, so restrict its permissions to the account running the install and delete it once agentadmin has finished.

9) You have set up the J2EE policy agent in OpenAM as well as in the Tomcat server, so you are good to go ahead now.
Note: if your server doesn't start after applying the agent to Tomcat, go to the conf folder and put back the original server.xml, and you may also need to add
set JAVA_OPTS=%JAVA_OPTS% -Dopenam.agents.bootstrap.dir=C:/jignesh/tomcat_v6_agent/Agent_001/config
to the startup.bat of the Tomcat where your SSO-protected application is running

10) Now go to Configuration >> Servers and Sites, click on the Default Server Settings button and open the Security tab

11) In the Cookie section set Encode Cookie Value to true and save the configuration

You are done from OpenAM side configurations.

Liferay Configuration

Put the properties below in portal-ext.properties. All URLs here are plain http:// because this is a lab setup; the OpenAM session cookie that Liferay validates against open.sso.service.url travels over these connections, so on any network shared with others put both servers behind HTTPS and use https:// URLs:

open.sso.auth.enabled=true
open.sso.login.url=http://jignesh.openam.com:7070/OpenSSO/UI/login?goto=http://jignesh.openam.com:8080/c/portal/login
open.sso.logout.url=http://jignesh.openam.com:7070/OpenSSO/UI/Logout?goto=http://jignesh.openam.com:8080/c/portal/logout
open.sso.service.url=http://jignesh.openam.com:7070/OpenSSO
open.sso.screen.name.attr=uid
open.sso.email.address.attr=mail
open.sso.first.name.attr=givenname
open.sso.last.name.attr=sn
open.sso.logout.on.session.expiration=false
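The open.sso.*.attr properties above (and the matching user attributes you created in OpenDJ earlier) only work if OpenAM actually returns those attributes for the session. Liferay checks an SSO token by calling two legacy OpenAM REST endpoints under open.sso.service.url, /identity/isTokenValid and /identity/attributes, and then maps the returned attributes onto a user. The script below is an added example, not code from the original post or from Liferay or OpenAM: it reproduces that check so a broken data store or attribute mapping can be diagnosed directly. The cookie name, the sample responses and the joebloggs values are assumptions and constructed test data, not taken from the page.

```python
"""Check an OpenAM SSO token the way Liferay 6.2's OpenSSO integration does.

  POST /identity/isTokenValid -> "boolean=true" or "boolean=false"
  POST /identity/attributes   -> "key=value" lines; LDAP attributes come as
                                 repeated userdetails.attribute.name /
                                 userdetails.attribute.value pairs
Everything not on the page (cookie name, sample bodies, user values) is an
assumption or constructed test data.
"""
import sys
import urllib.request

SERVICE_URL = "http://jignesh.openam.com:7070/OpenSSO"  # open.sso.service.url
COOKIE_NAME = "iPlanetDirectoryPro"  # assumed: OpenAM's default SSO cookie name

# Liferay user field -> LDAP attribute, from the open.sso.*.attr properties
ATTR_MAP = {
    "screenName": "uid",
    "emailAddress": "mail",
    "firstName": "givenname",
    "lastName": "sn",
}


def parse_properties(body):
    """Split a legacy REST response into ordered (key, value) pairs.

    Order matters: each .name line is followed by its .value lines and the
    same key repeats, so a dict would keep only the last attribute.
    """
    pairs = []
    for line in body.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip(), value.strip()))
    return pairs


def token_is_valid(body):
    """Only an explicit boolean=true counts; anything else is invalid."""
    return ("boolean", "true") in parse_properties(body)


def parse_attributes(body):
    """Group userdetails.attribute.value lines under the preceding .name.

    Names are lower-cased: LDAP attribute names are case-insensitive and
    OpenAM returns them the way the data store stored them.
    """
    attrs = {}
    current = None
    for key, value in parse_properties(body):
        if key == "userdetails.attribute.name":
            current = value.lower()
            attrs.setdefault(current, [])
        elif key == "userdetails.attribute.value" and current is not None:
            attrs[current].append(value)
    return attrs


def map_to_liferay(attrs):
    """First value of each mapped attribute; None marks a missing one."""
    return {field: (attrs.get(ldap_attr.lower()) or [None])[0]
            for field, ldap_attr in ATTR_MAP.items()}


def missing_fields(user):
    """Fields Liferay needs to match or create the user but did not get."""
    return sorted(field for field, value in user.items() if not value)


def _post_with_cookie(url, token, timeout=10):
    # Liferay presents the token as the SSO cookie, not as a form field.
    req = urllib.request.Request(url, data=b"", method="POST")
    req.add_header("Cookie", "%s=%s" % (COOKIE_NAME, token))
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def check_token(token, service_url=SERVICE_URL):
    """Live check against a running OpenAM: (valid, user, missing fields)."""
    if not token_is_valid(_post_with_cookie(service_url + "/identity/isTokenValid", token)):
        return False, {}, list(ATTR_MAP)
    attrs = parse_attributes(_post_with_cookie(service_url + "/identity/attributes", token))
    user = map_to_liferay(attrs)
    return True, user, missing_fields(user)


# Constructed sample responses shaped like OpenAM 11's legacy REST output.
SAMPLE_VALID_BODY = "boolean=true\n"
SAMPLE_ATTRIBUTE_BODY = """\
userdetails.token.id=CONSTRUCTED-SAMPLE-TOKEN
userdetails.attribute.name=uid
userdetails.attribute.value=joebloggs
userdetails.attribute.name=mail
userdetails.attribute.value=joebloggs@example.com
userdetails.attribute.name=givenName
userdetails.attribute.value=Joe
userdetails.attribute.name=sn
userdetails.attribute.value=Bloggs
userdetails.attribute.name=objectClass
userdetails.attribute.value=inetOrgPerson
userdetails.attribute.value=person
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Pass the iPlanetDirectoryPro cookie value copied from a logged-in browser.
        print(check_token(sys.argv[1]))
    else:
        user = map_to_liferay(parse_attributes(SAMPLE_ATTRIBUTE_BODY))
        print("sample token valid:", token_is_valid(SAMPLE_VALID_BODY))
        print("sample user:", user, "missing:", missing_fields(user))
```

Run it with no arguments to exercise the parser on the constructed sample, or with a cookie value copied from a browser session to query the real server; a user whose entry in OpenDJ lacks mail, givenname or sn shows up in the missing list, which is the usual reason the final redirect lands on Liferay without a logged-in session.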


Add the filter below to the web.xml of the Liferay web application (WEB-INF/web.xml of the ROOT application in a Liferay Tomcat bundle). Servlet url-patterns are either an exact path, a prefix ending in /* or an extension such as *.jsp, so the pattern is written as /web/* to intercept every page under /web; a bare /web* would only match that literal path.

<filter>
    <description>SJS Access Manager Tomcat Policy Agent Filter</description>
    <display-name>Agent</display-name>
    <filter-name>Agent</filter-name>
    <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>Agent</filter-name>
    <url-pattern>/web/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>

Restart the Liferay Tomcat



How to Test
Go to your Liferay server URL: jignesh.openam.com:8080
Click on the Sign In link
It takes you to the OpenAM login page
Once you log in with your joebloggs credentials, it redirects you back to Liferay and you are already logged in there


Note: the new OpenAM version 13 doesn't work with Liferay as it may need some more configuration which I am not much aware about :)

Enjoy!!!!!!!!!!!!!
