STS Setup Manual

Passive STS:

Steps of setting up the Passive STS

1.  Install OpenSSO

2.  Setup SP and IDP in OpenSSO

3.  Install Policy Agent

4.  Configure policy agent to protect trader_client

Prerequisite

Install Glassfish

a.  Download glassfish from glassfish.dev.java.net

b.  Install glassfish

java -jar glassfish.jar

cd glassfish

ant -f setup.xml

c.  Set AS_HOME=glassfish_root_dir

Create domains in Glassfish

If you plan to deploy all the Passive STS components on one machine, you need to create three domains in Glassfish.

1.  One domain for Policy Agent.

2.  One domain for OpenSSO ( hosting SP ) .

3.  One domain for OpenSSO ( hosting IDP ) .

This is because the SP and IDP in a circle of trust must live in different domains, and so must the Policy Agent and OpenSSO.

a.  Start domain1 by command

asadmin start-domain domain1

b.  Create domain2 by command

asadmin create-domain --adminport 6868 --user admin domain2

c.  Enter the passwords when prompted:

The password for admin is adminadmin

The password for master is optional

d.  Change the port numbers in the file AS_HOME/domains/domain1/config/domain.xml, so that each domain uses its own port numbers.

Then create the third domain by the same steps.

Add three more domain names in system

If you want to set up the SP, IDP and policy agent on one machine, you need to add entries to the hosts file so that each server instance can be reached under its own domain name.

a.  Open the hosts file in System32\drivers\etc

b.  Add an entry for each domain name to the hosts file, in the following form:

127.0.0.1 dev.stonehenge.com

Install OpenSSO

You can install OpenSSO in any one of the three domains. This manual assumes that you install OpenSSO in domain1 and that domain1 uses 'sp.stonehenge.com' as its domain name.

Edit the domain.xml file of domain1 as follows

a.  Open the domain.xml file in %AS_HOME%/domains/domain1/config.

b.  Change the following JVM options as shown in the table below:

Changes to Make         Before Editing                         After Editing
"client" to "server"    <jvm-options>-client</jvm-options>     <jvm-options>-server</jvm-options>
"512" to "1024"         <jvm-options>-Xmx512m</jvm-options>    <jvm-options>-Xmx1024m</jvm-options>

c. Restart the glassfish instance for domain1 by

asadmin start-domain domain1
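The port edits in step d of "Create domains in Glassfish" and the JVM-option table above are both edits to domain.xml, and getting a port wrong is what stops two domains from running side by side. This added Python script (not part of the Stonehenge project or of GlassFish) applies the table, rewrites listener ports and reports ports claimed by more than one domain; the domain.xml sample is a constructed, trimmed stand-in, not a real GlassFish file.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for AS_HOME/domains/domain1/config/domain.xml
# (not a real GlassFish file: only the elements this script touches are kept).
DOMAIN1_XML = """<domain>
  <configs><config name="server-config">
    <http-service>
      <http-listener id="http-listener-1" port="8080" default-virtual-server="server"/>
      <http-listener id="http-listener-2" port="8181" security-enabled="true"/>
      <http-listener id="admin-listener" port="4848" default-virtual-server="__asadmin"/>
    </http-service>
    <java-config>
      <jvm-options>-client</jvm-options>
      <jvm-options>-Xmx512m</jvm-options>
    </java-config>
  </config></configs>
</domain>"""

# The manual's "Before Editing" -> "After Editing" table.
JVM_CHANGES = {"-client": "-server", "-Xmx512m": "-Xmx1024m"}

def load_domain(xml_text):
    return ET.fromstring(xml_text)  # ET.tostring(root, encoding="unicode") writes it back

def tune_jvm_options(root):
    """Apply JVM_CHANGES to every <jvm-options>; return the options after editing."""
    for opt in root.iter("jvm-options"):
        opt.text = JVM_CHANGES.get(opt.text, opt.text)
    return [opt.text for opt in root.iter("jvm-options")]

def listener_ports(root):
    """{listener id: port} for every HTTP (and admin) listener of the domain."""
    return {l.get("id"): int(l.get("port")) for l in root.iter("http-listener")}

def set_listener_port(root, listener_id, port):
    for listener in root.iter("http-listener"):
        if listener.get("id") == listener_id:
            listener.set("port", str(port))
            return True
    return False  # no such listener: nothing was changed

def port_clashes(domains):
    """domains: {domain name: root}. Return (port, [domains]) for every port claimed
    by more than one domain; two domains on one port cannot run at the same time."""
    owners = {}
    for name, root in domains.items():
        for port in listener_ports(root).values():
            owners.setdefault(port, []).append(name)
    return sorted((p, d) for p, d in owners.items() if len(d) > 1)
```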

Download the OpenSSO binaries and deploy it into domain1

a.  Download opensso_enterprise_80.zip and unzip it

b.  Copy opensso.war in opensso/deployable-war to domain1/autodeploy

Start domain1 with: asadmin start-domain domain1

c.  Open a browser at http://sp.stonehenge.com:Port_number/opensso; you will get the OpenSSO server page labelled Configuration Options.

Create custom Configuration

a.  Click 'Create New Configuration' under 'Custom Configuration'

b.  Enter password for amAdmin

c.  Set the Server Settings

-  Server URL <e.g. http://sp.stonehenge.com:8090>

-  Cookie Domain <e.g. .stonehenge.com>

-  Platform Locale <e.g. en_US>

-  Configuration Directory <e.g. /openssoconfig>

d.  Set Configuration Store Details with default value

e.  Set User Data Store Settings by selecting ‘OpenSSO User Data Store’

f.  Enter password for Policy Agent User

g.  Click the 'Create Configuration' button to create the custom configuration for OpenSSO

h.  When you see the message 'Configuration Complete', 'Proceed to Login', click 'Proceed to Login'

i.  Login as amadmin with the corresponding password.

You need to install a second OpenSSO in domain2/domain3 by the same steps, but make sure that the second OpenSSO uses a different domain name, configuration directory and data store port from the OpenSSO in domain1.

Setup SP and IDP in OpenSSO

Before you set up the SP and IDP, make sure that the hostname and port number of the URLs in 'Fedsp.xml' and 'Fedspx.xml' match the OpenSSO that will host the SP, and that the hostname and port number of the URLs in 'Fedidp.xml' and 'Fedidpx.xml' match the OpenSSO that will host the IDP.

Setup Hosted SP and Remote IDP in OpenSSO deployed in one domain

a.  Login OpenSSO deployed in one domain (e.g. domain1)

b.  Click tab ‘Federation’

c.  Click button ‘Import Entity’ under ‘Entity Providers’

d.  Upload file ‘Fedsp.xml’ as metadata file, and ‘Fedspx.xml’ as extended data file

e.  Upload file ‘Fedidp.xml’ as metadata file

f.  Click button ‘Ok’

g.  Click button ‘New’ under ‘Circle of Trust’

h.  Enter the name for circle of trust (e.g. Fedcircle), and add all the Entity Providers to the circle of trust

i.  Click button ‘Ok’

Then, you will have a hosted SP and remote IDP in one circle of trust.

Setup Hosted IDP and Remote SP in OpenSSO deployed in another domain

a.  Login OpenSSO deployed in one domain (e.g. domain2)

b.  Click tab ‘Federation’

c.  Click button ‘Import Entity’ under ‘Entity Providers’

d.  Upload file ‘Fedidp.xml’ as metadata file, and ‘Fedidpx.xml’ as extended data file

e.  Upload file ‘Fedsp.xml’ as metadata file

f.  Click button ‘Ok’

g.  Click button ‘New’ under ‘Circle of Trust’

h.  Enter the name for circle of trust (e.g. Fedcircle), and add all the Entity Providers to the circle of trust

i.  Click button ‘Ok’

Then, you will have a hosted IDP and remote SP in one circle of trust.

If you get the OpenSSO login page by browsing https://openssohost:openssoSecurityPort/opensso/WSFederationServlet/metaAlias/Fedsp?goto=https://openssohost:openssoSecurityPort/opensso, and can log in with the demo account (username: demo, password: changeit), the SP and IDP are working together.

Install Policy Agent

Setup Policy Agent in OpenSSO

a.  Log in to the OpenSSO that contains the hosted SP (e.g. the OpenSSO in domain1)

b.  Click tab 'Access Control'

c.  Enter the 'Top Level Realm' by clicking the realm name

d.  Click tab ‘Agent’, then click the sub tab ‘J2EE’

e.  Click button ‘New’ under ‘Agent’

f.  Configure the new Agent as follows:

Name: (e.g. AGENT_NAME)

Required Field Password: (e.g. PASSWORD)

Required Field Re-Enter Password: (e.g. PASSWORD)

Configuration: Centralized

Required Field Server URL: (e.g. http://sp.stonehenge.com:8090/opensso)

Required Field Agent URL: (e.g. http://agent.stonehenge.com:8091/agentapp)

g.  Click button ‘Create’

h.  Open the new agent by clicking the agent name

i.  Change the ‘Agent Filter Mode’ under General to SSO_ONLY

j.  Click tab ‘OpenSSO Services’

k.  Change 'OpenSSO Login URL' under Login URL to the SP Token Issuer Endpoint URL (e.g. http://openssohost:openssoport/opensso/WSFederationServlet/metaAlias/Fedsp)

l.  Click button ‘Save’ and restart domain 1

Install Policy Agent in glassfish domain

The policy agent cannot be installed in the Glassfish domain that contains OpenSSO, so install it in the third domain.

a.  Download the Sun Java System Application Server 9 (J2EE) agent, and unzip it

b.  Ensure the domain that contains the OpenSSO with the SP is running (domain1 in these instructions)

c.  Ensure the third domain is stopped

d.  Go to ‘D:\installations\j2ee_agents\appserver_v9_agent\bin’

e.  Start the policy agent installation with the command agentadmin --install

f.  Ensure the agent configuration entered here is the same as the configuration used when setting up the policy agent in OpenSSO, especially the agent name, password, server URL and Agent URL

g.  Start the third domain

Configure policy agent to protect trader_client

Create new user in OpenSSO

a.  Log in to the OpenSSO Administrator Console (on each of the two OpenSSO instances created earlier)

b.  Click the 'Access Control' tab, then click Top Level Realm

c.  Click tab ‘Subjects’, then click ‘New’ button under User to go to the new user page

d.  Fill the fields, click button ‘Ok’

Deploy web application on glassfish

Deploy trader client to glassfish domain which contains policy agent by command:

ant STS deploy / ant STS redeploy

You can verify the configuration by the steps below. (For deploying the trader client, see the 'Deployment' item in the file 'trunk\documents\Manual.doc'.)

a.  Open a browser at http://domainname:domainport/trader_client

b.  When you get the OpenSSO login page, enter the username and password you created in OpenSSO

c.  You will then be redirected to the trader client home page

Active STS:

Steps of setting up the Active STS

1.  Update Database

2.  Set the endpoint URL in WSDL definition files

3.  Set METRO_BS URL

Prerequisite

You have installed Passive STS by the steps above.

Update Database

a.  Run all the SQL scripts in %STOCKTADER_HOME%\etc\DB

b.  Update the Configuration Service URL to http://localhost:domainPortNum/config_service/ConfigService in the table CONFIGSERVICE in the DB.

c.  Set the Configuration Service URL to http://localhost:domainPortNum/config_service/ConfigService in the file STOCKTADER_HOME\resources\conf\TradeServiceConfig.properties

Set the endpoint URL in WSDL definition files

a.  In the file STOCKTADER_HOME\trader_client\src\wsit-client.xml, locate the 'endpoint' and 'wsdlLocation' of the Active STS Service URL, and change the URL port to the port of the domain you deployed the Active STS on.

b.  In the file STOCKTADER_HOME\etc\active_sts\ActiveSTS.wsdl, locate 'ServiceProvider' and change the URL port of the BS endpoint to the port of the domain you deployed the BS on.

Then go to the root directory of the build (STOCKTADER_HOME) and redeploy the code to glassfish with the command: ant STS redeploy
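The pre-check on the host names and ports in 'Fedsp.xml'/'Fedidp.xml' (start of "Setup SP and IDP in OpenSSO") and the port edits to wsit-client.xml and ActiveSTS.wsdl above come down to one question: does every URL in the file point at the host:port that will actually serve it? This added Python script (not part of the Stonehenge project) answers it for any XML file; both samples are constructed and only mimic the attribute and element shapes, not the real project files.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

URL_RE = re.compile(r"^https?://", re.I)

# Constructed sample shaped like the STS entry in wsit-client.xml (not the real file):
# the endpoint was moved to port 8091 but wsdlLocation still points at the old 8080.
WSIT_CLIENT = """<definitions xmlns:tc="http://schemas.sun.com/ws/2006/05/trust/client">
  <tc:PreconfiguredSTS endpoint="http://localhost:8091/active_sts/ActiveSTSService"
      wsdlLocation="http://localhost:8080/active_sts/ActiveSTSService?wsdl"/>
</definitions>"""

# Constructed SP metadata fragment (element names illustrative): every endpoint must sit
# on the OpenSSO hosting the SP, sp.stonehenge.com:8090, but one template default remains.
SP_METADATA = """<Federation FederationID="http://sp.stonehenge.com:8090/opensso">
  <TokenIssuerEndpoint>http://sp.stonehenge.com:8090/opensso/WSFederationServlet/metaAlias/Fedsp</TokenIssuerEndpoint>
  <TokenIssuerEndpoint>http://localhost:8080/opensso/WSFederationServlet/metaAlias/Fedsp</TokenIssuerEndpoint>
</Federation>"""

def urls_in_xml(xml_text):
    """Every attribute value or element text that is an http(s) URL, in document order,
    whatever the element names (WS-Fed/SAML metadata, wsit-client.xml, WSDL)."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        for value in list(el.attrib.values()) + [(el.text or "").strip()]:
            if URL_RE.match(value):
                found.append(value)
    return found

def off_host_urls(xml_text, expected_host, expected_port):
    """URLs whose host or port is not the server that will actually answer them."""
    bad = []
    for url in urls_in_xml(xml_text):
        p = urlsplit(url)
        port = p.port or (443 if p.scheme.lower() == "https" else 80)
        if (p.hostname or "").lower() != expected_host.lower() or port != expected_port:
            bad.append(url)
    return bad
```

Run it once per file with the host and port of the domain that will serve that file; an empty list means the file is consistent with the deployment.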

Set METRO_BSSTS URL

Set the METRO_BS URL in UI part of Trader client

a.  Open the Metro trader client by http://localhost:domainPortNum/trader_client.

b.  Navigate to Config Service page by clicking the tab ‘Config’, and click ‘Next Configuration Page’ button.

c.  Click button 'Advanced Configuration', then change the 'METRO_BSSTS' service URL to

http://localhost:domainPortNum/business_service/TradeServiceWsasSTS.

d.  Click button ‘Set’ to save the updated BS service info.

If you can access the Home/Quotes/Account/Portfolio pages from the trader client page without logging in, your Active STS is working.