Posted by: cmani2010 | January 12, 2009

Protecting Jboss applications, setting up JDBC authentication and JDBC Password Syntax Transform using OpenSSO

We (myself and Ramesh Nagappan) recently helped a partner set up an OpenSSO integration with their J2EE applications. The requirements were the following:

  1. J2EE based web application running on Jboss 4.x
  2. The web app used an Oracle database as the user repository
  3. The password field was encrypted in the database
  4. They also needed to integrate Biometric based security for their web application

The following software will be needed:

  1. JDK 1.6.x (preferred) or JDK 1.5.x
  2. OpenSSO bits: Download the opensso.zip file at https://opensso.dev.java.net/
  3. Glassfish app server: Download Glassfish from https://glassfish.dev.java.net/downloads
  4. OpenSSO agent for Jboss 4.0.x
  5. You can find a list of Agents at https://opensso.dev.java.net/public/agents.html
  6. There is an early access OpenSSO 3.0 agent for Jboss 4.x at http://download.java.net/general/opensso/nightly/20090107.1/j2eeagents/

The next set of instructions are:

  1. Install the Glassfish app server. This is as simple as unzipping the zip file and following the install instructions in the README file.
  2. Install OpenSSO, this is given in more detail in the next section

The first step is to make sure we have a machine with a fully qualified domain name and a static IP address. Before we start installing OpenSSO, the server must have a fully qualified domain name. This can be done by means of an entry in the hosts file (on Unix as well as on Windows) like the one below:
191.168.12.1 myserver myserver.domain.com

  1. Create a base directory. “/opensso_bits”
  2. Install GlassFish. If you already have GlassFish running, go to next step.
  3. Start Glassfish instance and make the following changes to the instance on which opensso is being deployed (fam)
    cd /bin
    ./asadmin start-domain
    ./asadmin delete-jvm-options  --port 4848 --user admin "\\-client"
    ./asadmin create-jvm-options  --port 4848 --user admin "\\-server"
    ./asadmin delete-jvm-options  --port 4848 --user admin "\\-Xmx512m"
    ./asadmin create-jvm-options  --port 4848 --user admin "\\-Xmx1G"
    

    Note: With the above commands we are switching the JVM to server mode and increasing the heap memory to 1GB.

  4. Restart the glassfish instance.
    cd /bin
    ./asadmin stop-domain
    ./asadmin start-domain
    
  5. Deploy OpenSSO on the Glassfish domain
    Then go to http://myserver.company.com/opensso; you should get the configuration page. We can select either the express configuration setup or the customized setup. Most of the details should be pre-filled. If you have issues, check that the user running glassfish/opensso has the right permissions. After everything completes, you’ll see the messages “Configuration Complete” and “Proceed to Login”. Click on “Proceed to Login”.

  6. Login as amadmin with the corresponding password.
  7. Go to Access Control tab, click on the opensso realm name, click on Agents, click on 2.2 agents and click New (This is needed as the Jboss agent is still in the older 2.2.x agent family. When we get the newer 3.0 agents, the steps will be different. I have just found after we did this exercise, that there is a nightly build early access 3.0 agent for Jboss 4.x at http://download.java.net/general/opensso/nightly/20090107.1/j2eeagents/)
  8. Create new Agent, with name TestProfile and password (these data will be used while configuring the agent).
  9. Create a new Policy to protect the Jboss application, with the following data:
    Rule : http://myjbossapp.domain.com:8080/*
    Subject: Can be authenticated users, or roles etc
    Conditions: Optional
    
  10. Installation of OpenSSO agent for Jboss 4.0.x. The documentation is available at http://docs.sun.com/app/docs/doc/819-7169
    Unzip the OpenSSO (Access Manager Agent) in a temporary directory.
    Go to the directory
    C:\SJS_JBoss_4.0_Server_agent_2.2-01\j2ee_agents\am_jboss_agent\bin>
    Run the agentadmin --install command (two dashes).
    A sample of the responses is given below (please change them to match your Jboss installation directory).
    -----------------------------------------------
    SUMMARY OF YOUR RESPONSES
    -----------------------------------------------
    JBoss Server Config Directory : C:\jboss-4.0.5.GA\server\default\conf
    Access Manager Services Host : manimac1.mani.com
    Access Manager Services Port : 9090
    Access Manager Services Protocol : http
    Access Manager Services Deployment URI : /opensso
    Agent Host name : manimac1.mani.com
    Agent permissions gets added to java permissions policy file : false
    Application Server Instance Port number : 8080
    Protocol for Application Server instance : http
    Deployment URI for the Agent Application : /myapp
    Encryption Key : 9fwEMd2mKLH8OPDLZ1lW8edVxfJRYu3+
    Agent Profile name : TestProfile
    Agent Profile Password file name : /opensso/agentpassword
    
  11. The next changes are in the web.xml file of the JBoss J2EE application, please see the section “Installing the Agent Filter for the Deployed Application on Agent for JBoss Application Server 4.0” at http://docs.sun.com/app/docs/doc/819-7169/6n94q2rk5?a=view
  12. Restart JBoss

Setting up JDBC Authentication and tackling encrypted passwords ..

The partner application used an Oracle database table for user authentication, and the password field in the database was encrypted. Hence, we needed to do the following steps to make the JBoss app use the JDBC authentication module of OpenSSO:

  1. The password field in the database was encrypted, hence we have to create a custom class which will apply the same encryption to the submitted password and return the result to the OpenSSO JDBC auth module for comparison. The sample below is the original com.sun.identity.authentication.modules.jdbc.ClearTextTransform.java source code, renamed; the body of transform() is the place to put the application's own encryption of the password. To compile this, add opensso.jar to your classpath.
    import com.sun.identity.authentication.spi.AuthLoginException;
    import com.sun.identity.authentication.modules.jdbc.*;

    /**
     * A very simple test implementation of the JDBC Password Syntax Transform.
     */
    public class MyPasswordTextTransform implements JDBCPasswordSyntaxTransform {
        /**
         * Creates a new instance of MyPasswordTextTransform.
         */
        public MyPasswordTextTransform() {
        }

        /**
         * This simply returns the clear text format of the password.
         * Replace the body with the encryption the application applies to the
         * stored password so that the returned value matches the database column.
         *
         * @param input Password before transform
         * @return Password after transform, in this case the same thing.
         * @throws AuthLoginException if no input was supplied
         */
        public String transform(String input) throws AuthLoginException {
            if (input == null) {
                throw new AuthLoginException(
                    "No input to the Clear Text Transform!");
            }
            return input;
        }
    }
    
  2. Copy this class to the opensso/WEB-INF/classes directory. I had a problem when this class was in a package: opensso was not able to load it, and this is yet to be resolved. If it is only a class name with no package, there seems to be no problem.
  3. Copy the JDBC driver of the database to the OpenSSO Lib directory
  4. Under the Authentication tab, create a New Module instance of JDBC. The JDBC fields are fairly self explanatory. The prepared statement should be changed to reflect the database schema.
  5. Change the transform password syntax field from com.sun.identity.authentication.modules.jdbc.ClearTextTransform to MyPasswordTextTransform
  6. Create a new Authentication chain, and add the JDBC module created in the previous step with the Required flag
  7. Change the Default authentication chain to the new JDBC authentication chain.
  8. Log out, and try accessing http://openssoserver.company.com/opensso with a user that is present in the database.
  9. If there are issues, log back in as amadmin and debug the issues. Most of the issues could be with JDBC connectivity.
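As an added example (not from the original post and not OpenSSO's own code), here is a transform that hashes instead of returning clear text, assuming the application stores passwords as unsalted SHA-256 lower-case hex strings; the class name Sha256HexTransform and the helper toHex are names chosen here. Because transform() receives only the submitted password, the result has to be deterministic so that it matches the stored column byte for byte; if the application uses a different algorithm or encoding, change the body of transform() accordingly.

```java
import java.io.UnsupportedEncodingException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import com.sun.identity.authentication.modules.jdbc.JDBCPasswordSyntaxTransform;
import com.sun.identity.authentication.spi.AuthLoginException;

/**
 * Added example transform (not part of the original post): hashes the
 * submitted password with SHA-256 and returns it as lower-case hex.
 * Assumption: the application stores passwords as unsalted SHA-256 hex
 * strings. transform() only ever sees the submitted password, so the
 * result must be deterministic to match the stored column exactly.
 */
public class Sha256HexTransform implements JDBCPasswordSyntaxTransform {

    public Sha256HexTransform() {
    }

    public String transform(String input) throws AuthLoginException {
        if (input == null) {
            throw new AuthLoginException("No input to the SHA-256 transform!");
        }
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(input.getBytes("UTF-8"));
            return toHex(digest);
        } catch (NoSuchAlgorithmException e) {
            // Fail closed: never fall back to returning the clear-text password.
            throw new AuthLoginException("SHA-256 not available: " + e.getMessage());
        } catch (UnsupportedEncodingException e) {
            throw new AuthLoginException("UTF-8 not available: " + e.getMessage());
        }
    }

    /** Lower-case hex encoding, two characters per byte. */
    static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    /** Stand-alone check against a database row, using a constructed sample password. */
    public static void main(String[] args) throws AuthLoginException {
        System.out.println(new Sha256HexTransform().transform("changeit"));
    }
}
```

Compile with opensso.jar on the classpath, copy the class to opensso/WEB-INF/classes as in step 2, and enter Sha256HexTransform in the transform password syntax field of the JDBC module.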

Setting up Biometric Authentication with OpenSSO..

We relied on our expert Ramesh Nagappan’s expertise as documented in this article at http://developers.sun.com/identity/reference/techart/bioauthentication.html. The Biometric module will be one more authentication module in the authentication chain. It is recommended that Biometric authentication be combined with another factor like username/password or digital certificates. Setting this up will require the following:

  1. Biometric scanners like fingerprint scanners, which are certified to work with Sun OpenSSO. Install the scanners in the client PCs, install the drivers, and test that they are working. The client desktops will also need to have a current JRE installed.
  2. Install the Biometric server software
  3. Setup the Biometric authentication on the opensso server
  4. Test everything works

Hope this blog has been useful !!!!
