OpenAM12: Secure Tomcat 6

Install Tomcat 6

* Add to hosts file:
127.0.0.1 tomcat6.my.com
* Unzip apache-tomcat-6.0.45.zip and rename as c:\prog\apache-tomcat-6.0.45.com
* Change the listening ports from 8xxx to 10xxx in the conf\server.xml file, e.g. 8080 to 10080:
8005 > 10005
8080 > 10080
8443 > 10443
8009 > 10009
* Add setenv.bat to bin directory to contain:

set JAVA_OPTS=-Dfile.encoding=UTF-8 -Xms128m -Xmx1024m -XX:PermSize=64m -XX:MaxPermSize=256m
set JAVA_HOME=C:\prog\jdk1.7.0_45

* Start new Tomcat and point browser to: http://tomcat6.my.com:10080/docs
* Shut down Tomcat before installing the agent.
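
The port change above is mechanical but easy to get partly wrong, because 8443 also appears as redirectPort on both connectors, not only on the HTTPS connector. The script below is an added example for this post, not part of the original: it remaps the four ports in a server.xml using the mapping listed above and reports any default 8xxx port left behind. The server.xml inside it is a constructed sample that mirrors the stock Tomcat 6 layout, and the function names are my own.

```python
"""Remap Tomcat 6 listening ports in conf/server.xml (added example, not from the post).

Assumes the stock Tomcat 6 server.xml layout and the mapping given in the post:
8005 -> 10005, 8080 -> 10080, 8443 -> 10443, 8009 -> 10009.
"""
import xml.etree.ElementTree as ET

# Mapping from the post: shutdown port, HTTP connector, HTTPS redirect target, AJP connector.
PORT_MAP = {"8005": "10005", "8080": "10080", "8443": "10443", "8009": "10009"}

# Attributes that carry a port number in server.xml (redirectPort is the one people forget).
PORT_ATTRS = ("port", "redirectPort")

# Constructed sample: the port-bearing fragment of a stock Tomcat 6 server.xml.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
"""


def remap_ports(server_xml: str, port_map=PORT_MAP):
    """Return (new_xml, changes); changes is a list of (tag, attribute, old, new)."""
    root = ET.fromstring(server_xml)
    changes = []
    for elem in root.iter():
        for attr in PORT_ATTRS:
            old = elem.get(attr)
            if old in port_map:
                new = port_map[old]
                elem.set(attr, new)
                changes.append((elem.tag, attr, old, new))
    return ET.tostring(root, encoding="unicode"), changes


def leftover_default_ports(server_xml: str, port_map=PORT_MAP):
    """Default-range ports still referenced anywhere in the file (empty after a full remap)."""
    root = ET.fromstring(server_xml)
    return sorted({elem.get(a) for elem in root.iter() for a in PORT_ATTRS if elem.get(a) in port_map})


if __name__ == "__main__":
    print("before:", leftover_default_ports(SAMPLE_SERVER_XML))
    new_xml, changes = remap_ports(SAMPLE_SERVER_XML)
    for tag, attr, old, new in changes:
        print(f"{tag}.{attr}: {old} -> {new}")
    print("leftover default ports after remap:", leftover_default_ports(new_xml))
```

On a real installation, read conf\server.xml into `remap_ports`, write the returned XML back, and treat a non-empty `leftover_default_ports` result as a sign that a connector was missed. Keep a backup of the original file, as the agent installer itself does later in this post.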

Create Tomcat6 Agent Profile

* Log in to OpenAM
* Add a new J2EE agent named Tomcat6

[Screenshot: creating the Tomcat6 J2EE agent profile]

* Select the new agent and enable SSO Only Mode:

[Screenshot: enabling SSO Only Mode on the agent profile]

Install OpenAM Agent

* Download the Tomcat Policy Agent from ForgeRock, e.g. Tomcat-v6-Agent_3.3.0.zip
* Extract tomcat_v6_agent folder to C:\prog\apache-tomcat-6.0.45.com
* Create a new password file named tomcat6pass.txt containing the agent profile password, e.g. Wx1
* Go to C:\prog\apache-tomcat-6.0.45.com\tomcat_v6_agent\bin and run:

agentadmin.bat --install
 
Tomcat conf directory: C:\prog\apache-tomcat-6.0.45.com\conf
OpenAM URL: http://openam.my.com:8080/openam
$CATALINA_HOME: C:\prog\apache-tomcat-6.0.45.com
Install agent filter in global web.xml ? [true]: true
Agent URL: http://tomcat6.my.com:10080/docs
Agent profile name: Tomcat6
Password file: C:\prog\apache-tomcat-6.0.45.com\tomcat_v6_agent\tomcat6pass.txt

* Install output:

-----------------------------------------------
SUMMARY OF YOUR RESPONSES
-----------------------------------------------
Tomcat Server Config Directory : C:\prog\apache-tomcat-6.0.45.com\conf
 
OpenAM server URL : http://openam.my.com:8080/openam
$CATALINA_HOME environment variable :
C:\prog\apache-tomcat-6.0.45.com
Tomcat global web.xml filter install : true
Agent URL : http://tomcat6.my.com:10080/docs
Agent Profile name : Tomcat6
Agent Profile Password file name :
C:\prog\apache-tomcat-6.0.45.com\tomcat_v6_agent\tomcat6pass.txt
 
Verify your settings above and decide from the choices below.
1. Continue with Installation
2. Back to the last interaction
3. Start Over
4. Exit
Please make your selection [1]:
 
Updating the C:\prog\apache-tomcat-6.0.45.com/bin/setenv.bat script
with the Agent configuration JVM option ...DONE.
DONE.
 
Creating directory layout and configuring Agent file for Agent_001
instance ...DONE.
 
Reading data from file
C:\prog\apache-tomcat-6.0.45.com\tomcat_v6_agent\tomcat6pass.txt
and encrypting it ...DONE.
 
Generating audit log file name ...DONE.
 
Creating tag swapped OpenSSOAgentBootstrap.properties file for instance
Agent_001 ...DONE.
 
Creating a backup for file
C:\prog\apache-tomcat-6.0.45.com\conf/server.xml ...DONE.
 
Creating a backup for file
C:\prog\apache-tomcat-6.0.45.com\conf/web.xml ...DONE.
 
Adding OpenAM Tomcat Agent Realm to Server XML file :
C:\prog\apache-tomcat-6.0.45.com\conf/server.xml ...DONE.
 
Adding filter to Global deployment descriptor file :
C:\prog\apache-tomcat-6.0.45.com\conf/web.xml ...DONE.
 
Adding OpenAM Tomcat Agent Filter and Form login authentication to selected
Web applications ...DONE.
 
 
SUMMARY OF AGENT INSTALLATION
-----------------------------
Agent instance name: Agent_001
Agent Bootstrap file location:
C:/prog/apache-tomcat-6.0.45.com/tomcat_v6_agent/Agent_001/config/OpenSSOAgentBootstrap.properties
Agent Configuration file location
C:/prog/apache-tomcat-6.0.45.com/tomcat_v6_agent/Agent_001/config/OpenSSOAgentConfiguration.properties
Agent Audit directory location:
C:/prog/apache-tomcat-6.0.45.com/tomcat_v6_agent/Agent_001/logs/audit
Agent Debug directory location:
C:/prog/apache-tomcat-6.0.45.com/tomcat_v6_agent/Agent_001/logs/debug
 
Install log file location:
C:/prog/apache-tomcat-6.0.45.com/tomcat_v6_agent/installer-logs/audit/install.log
 
Thank you for using OpenAM Policy Agent

* Changes made by the installer:
conf/server.xml:
Replaced:

      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

with

    <Realm className="com.sun.identity.agents.tomcat.v6.AmTomcatRealm" debug="99"/>

conf/web.xml:
Added:

    <filter>
        <filter-name>Agent</filter-name>
        <display-name>Agent</display-name>
        <description>SJS Access Manager Tomcat Policy Agent Filter</description>
        <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
    </filter>
 
    <filter-mapping>
        <filter-name>Agent</filter-name>
        <url-pattern>/*</url-pattern>
        <dispatcher>REQUEST</dispatcher>
        <dispatcher>INCLUDE</dispatcher>
        <dispatcher>FORWARD</dispatcher>
        <dispatcher>ERROR</dispatcher>
    </filter-mapping>
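
Since the whole point of the agent is that every request to the protected app passes through AmAgentFilter, it is worth verifying the two edits above rather than trusting the installer's DONE messages, especially after a later Tomcat upgrade overwrites conf/web.xml or conf/server.xml. The script below is an added example, not the agent's or Tomcat's own code: it checks that the filter is declared with the class shown above, mapped on /* for all four dispatcher types, and that AmTomcatRealm has replaced UserDatabaseRealm. The XML fragments inside it are constructed samples based on the snippets in this post, and the function names are my own.

```python
"""Verify the OpenAM Tomcat 6 agent wiring in conf/web.xml and conf/server.xml.

Added example for this post (not the agent's own tooling). It assumes the
agentadmin changes described in the post: AmAgentFilter mapped on /* for
REQUEST, INCLUDE, FORWARD and ERROR, and AmTomcatRealm replacing UserDatabaseRealm.
"""
import xml.etree.ElementTree as ET

AGENT_FILTER_CLASS = "com.sun.identity.agents.filter.AmAgentFilter"
AGENT_REALM_CLASS = "com.sun.identity.agents.tomcat.v6.AmTomcatRealm"
DEFAULT_REALM_CLASS = "org.apache.catalina.realm.UserDatabaseRealm"
REQUIRED_DISPATCHERS = {"REQUEST", "INCLUDE", "FORWARD", "ERROR"}


def _local(tag):
    """Strip a namespace prefix so the checks work with or without the web-app default namespace."""
    return tag.split("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def check_web_xml(web_xml: str):
    """Return a list of findings; an empty list means the agent filter is fully wired."""
    root = ET.fromstring(web_xml)
    findings = []
    filters = {_text(f, "filter-name"): _text(f, "filter-class") for f in _children(root, "filter")}
    agent_names = [name for name, cls in filters.items() if cls == AGENT_FILTER_CLASS]
    if not agent_names:
        return ["no <filter> declared with class " + AGENT_FILTER_CLASS]
    mappings = [m for m in _children(root, "filter-mapping") if _text(m, "filter-name") in agent_names]
    if not any(_text(m, "url-pattern") == "/*" for m in mappings):
        findings.append("agent filter is not mapped on /*")
    for m in mappings:
        dispatchers = {d.text.strip() for d in _children(m, "dispatcher") if d.text}
        missing = REQUIRED_DISPATCHERS - dispatchers
        if missing:
            # A missing dispatcher type means some request paths bypass the agent.
            findings.append("agent filter-mapping lacks dispatcher(s): " + ", ".join(sorted(missing)))
    return findings


def check_server_xml(server_xml: str):
    """Return a list of findings about the Realm configuration."""
    root = ET.fromstring(server_xml)
    realms = [r.get("className") for r in root.iter("Realm")]
    findings = []
    if AGENT_REALM_CLASS not in realms:
        findings.append("AmTomcatRealm not present in server.xml")
    if DEFAULT_REALM_CLASS in realms:
        findings.append("UserDatabaseRealm still present; the agent realm should replace it")
    return findings


# Constructed samples: the post-install state from this post, plus a partial install.
WEB_XML_AFTER = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <filter>
    <filter-name>Agent</filter-name>
    <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>Agent</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>ERROR</dispatcher>
  </filter-mapping>
</web-app>
"""
WEB_XML_PARTIAL = WEB_XML_AFTER.replace("<dispatcher>INCLUDE</dispatcher>\n", "").replace(
    "<dispatcher>ERROR</dispatcher>\n", "")
SERVER_XML_BEFORE = """<Server port="10005" shutdown="SHUTDOWN"><Service name="Catalina">
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Engine></Service></Server>"""
SERVER_XML_AFTER = """<Server port="10005" shutdown="SHUTDOWN"><Service name="Catalina">
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="com.sun.identity.agents.tomcat.v6.AmTomcatRealm" debug="99"/>
</Engine></Service></Server>"""

if __name__ == "__main__":
    for label, xml, check in [("web.xml (installed)", WEB_XML_AFTER, check_web_xml),
                              ("web.xml (partial)", WEB_XML_PARTIAL, check_web_xml),
                              ("server.xml (before)", SERVER_XML_BEFORE, check_server_xml),
                              ("server.xml (after)", SERVER_XML_AFTER, check_server_xml)]:
        print(label, "->", check(xml) or "OK")
```

To run it against a real installation, read C:\prog\apache-tomcat-6.0.45.com\conf\web.xml and conf\server.xml into `check_web_xml` and `check_server_xml`; any finding means requests can reach the app without the agent having seen them.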

Test

* Start Tomcat so the target app is served
* Point the browser to http://tomcat6.my.com:10080/docs.
– Note: if you are already logged in to OpenAM in one browser, e.g. Firefox, use a different browser, e.g. IE, for this test. Otherwise you won’t see the login page, since you are already authenticated.
