Running an ALES Java-SSM on a WebSphere Container
by Steve Pozarycki
This document explains how to run an ALES (AquaLogic Enterprise Security) Java-SSM (Security Services Module) in a WebSphere container. It does not go into detail on developing an ALES-enabled application; however, a sample JSP can be made available. The ALES documentation is located at: http://edocs.bea.com/ales/docs26/index.html. With the sample application one must also install the corresponding ALES products, which are available at: http://commerce.bea.com/products/aqualogic/aqualogic_prod_fam.jsp.
Version Information
WebSphere:
The version of WebSphere used was 6.x; WebSphere 5.x was also used and tested. One caveat was that the web application used on WAS 6.x had to be slightly modified because of its web.xml, since WAS 5.x was more selective about the format of this file.
AquaLogic Enterprise Security:
The version of AquaLogic Enterprise Security Java-SSM used was ALES 2.6. Any cumulative patch level applied to this version of ALES will also work.
JDK:
The JDK tested was the IBM JDK that came pre-installed with the WebSphere containers.
Installation and Setup
The following installation and setup was originally done in a Windows environment; however, the same steps can be used in a UNIX environment.
If one does not already have a WebSphere container, a 60-day trial can be downloaded from:
http://www.ibm.com/developerworks/downloads/ws/was/?S_TACT=105AGX10&S_CMP=LP
Install WebSphere 6.x on a machine selecting all the defaults and choosing to install the sample application/server.
- Extract the zip file to a directory.
- Run launchpad.exe. (Make a note of the "System Admin" and "samples" user/password one chooses. In this case they are admin/admin and samples/samples respectively.)
WebSphere is usually started as a service on Windows, where one can check whether the process is running. One can also stop/start it with the following scripts, assuming the default directory was used for the installation:
"C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\bin\startServer.bat" server1
"C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\bin\stopServer.bat" server1
Modify the server.xml file under "C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\config\cells\<MACHINENAME>Node01Cell\nodes\<MACHINENAME>Node01\servers\server1" to look like the server.xml example at the end of this document. Pay particular attention to the genericJvmArguments section, which refers to where one has installed the Java-SSM and the Java-SSM instance. Also take a look at the classpath entries section, where the ALES *.jar files are added. These jar files could also be added to one's application; however, one would then have to be aware of the different application and system classloaders used within WebSphere.
Restart the server so the server.xml file takes effect.
The WebSphere log files are located under the following directory, assuming one has chosen the default installation directories:
"C:\Program Files\IBM\WebSphere\AppServer\profiles\AppSrv01\logs\server1"
The WebSphere Admin Console is available from the following URL, assuming one has chosen not to modify the standard ports in the installation:
https://localhost:9043/ibm/console/logon.jsp
Make sure that the ALES processes are running (Admin, SCM, etc).
Log in to the console and deploy the web-app by following the instructions under "Enterprise Applications" and "Install a New Application". Make sure to "start" the web-app, which is listed under the "Enterprise Applications" section.
Once the application is deployed within WebSphere:
- Bring up the web-application or JSP within a browser: (9080 is the default port from the default installation)
http://localhost:9080/<Application Name>/<Application>.jsp
- Run the web-app or JSP with valid data in order to test the authentication and authorization models.
Troubleshooting
If any errors occur, first please check the classpath and application jar files required to see what may be missing as this is the cause of most exceptions.
If there is a license exception, please make sure that the %BEA_HOME% containing the license.bea file is on the system classpath.
If an exception occurs with finding the "com.ibm.net.ssl.www2.protocol.https.Handler" class, then depending on the "Cumulative Patch" (CP) version of ALES 2.6 one has, one may need to contact BEA Support and request a patch from CR331238.
If one receives a strange error message when invoking their application like the following:
[7/3/07 20:38:12:390 EDT] 00000065 SystemErr R Caused by: javax.security.auth.login.LoginException: No LoginModules configured for $$ASSERTION$$
at javax.security.auth.login.LoginContext.init(LoginContext.java:279)
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:426)
at com.bea.security.service.PrincipalAuthenticator.authInternal(PrincipalAuthenticator.java:364)
at com.bea.security.service.PrincipalAuthenticator.getSubjectFromCallbackHandler(PrincipalAuthenticator.java:774)
at com.bea.security.service.PrincipalAuthenticator.assertIdentity(PrincipalAuthenticator.java:661)
...
Solution
Please make sure in the application code that after doing the following:
SecurityRuntime.initialize(cfg);
rt = SecurityRuntime.getInstance();
pd = rt.getPolicyDomain(configId);
Add the following code right after getting the Policy Domain:
// NOTE: Required on WebSphere only to force initialization
ServerConfiguration sc = new ServerConfiguration();
javax.security.auth.login.Configuration.setConfiguration( sc );
NOTE:
The reason for this is that a WebSphere container does not do this automatically. When the same application is run on a Tomcat or WebLogic container, the above "added" code is not needed in the application, since those containers handle this automatically.
One may also run into a LogFactory exception in the WebSphere container. The reason for this is that WebSphere re-packages its own version of commons-logging, which sometimes conflicts with other applications that use this jar file. The LogFactory exception looks like the following when using the commons-logging.jar file:
[7/11/07 19:26:41:574 EDT] 4f486714 SystemErr R Caused by: org.apache.commons.logging.LogConfigurationException: The chosen LogFactory implementation does not extend LogFactory. Please check your configuration. (Caused by java.lang.ClassNotFoundException: com.ibm.ws.commons.logging.TrLogFactory)
[7/11/07 19:26:41:574 EDT] 4f486714 SystemErr R at org.apache.commons.logging.LogFactory$2.run(LogFactory.java:574)
[7/11/07 19:26:41:574 EDT] 4f486714 SystemErr R at java.security.AccessController.doPrivileged1(Native Method)
[7/11/07 19:26:41:574 EDT] 4f486714 SystemErr R at java.security.AccessController.doPrivileged(AccessController.java(Compiled Code))
[7/11/07 19:26:41:574 EDT] 4f486714 SystemErr R at org.apache.commons.logging.LogFactory.newFactory(LogFactory.java:517)
[7/11/07 19:26:41:575 EDT] 4f486714 SystemErr R at org.apache.commons.logging.LogFactory.getFactory(LogFactory.java:308)
[7/11/07 19:26:41:575 EDT] 4f486714 SystemErr R at org.apache.commons.logging.LogFactory.getLog(LogFactory.java:370)
[7/11/07 19:26:41:575 EDT] 4f486714 SystemErr R at org.apache.axis.components.logger.LogFactory.getLog(LogFactory.java:37)
[7/11/07 19:26:41:575 EDT] 4f486714 SystemErr R at org.apache.axis.components.net.DefaultSocketFactory.(DefaultSocketFactory.java:38)
Solution
Create a commons-logging.properties file containing the following one line:
org.apache.commons.logging.LogFactory=org.apache.commons.logging.impl.LogFactoryImpl
Add this newly created commons-logging.properties file into the top level of the commons-logging.jar by extracting this jar file and then re-jarring the file.
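The repackaging step above can be scripted. The following is an added example, not part of the original article or of any BEA tooling: it uses Python's zipfile module in place of extracting and re-jarring by hand, keeps a backup of the untouched jar, and replaces any properties file already present. The function names and the ".orig" backup suffix are assumptions made for illustration, and the demo jar is a constructed stand-in.

```python
import os
import shutil
import tempfile
import zipfile

PROPS_NAME = "commons-logging.properties"
PROPS_LINE = ("org.apache.commons.logging.LogFactory="
              "org.apache.commons.logging.impl.LogFactoryImpl\n")

def add_logfactory_override(jar_path):
    """Rewrite jar_path so PROPS_NAME sits at its top level; return the backup path."""
    backup = jar_path + ".orig"
    if not os.path.exists(backup):              # keep the first, untouched copy only
        shutil.copy2(jar_path, backup)
    fd, tmp = tempfile.mkstemp(suffix=".jar",
                               dir=os.path.dirname(os.path.abspath(jar_path)))
    os.close(fd)
    with zipfile.ZipFile(jar_path) as src, \
         zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            # Copy entries in their original order (the manifest stays first)
            # and drop any older copy of the properties file.
            if info.filename != PROPS_NAME:
                dst.writestr(info, src.read(info))
        dst.writestr(PROPS_NAME, PROPS_LINE)
    os.replace(tmp, jar_path)                   # swap in the patched jar
    return backup

def top_level_properties(jar_path):
    """Return the text of the top-level properties file, or None if it is absent."""
    with zipfile.ZipFile(jar_path) as jar:
        if PROPS_NAME in jar.namelist():
            return jar.read(PROPS_NAME).decode("ascii")
    return None

if __name__ == "__main__":
    # Constructed stand-in for commons-logging.jar, built in a temporary directory.
    demo = os.path.join(tempfile.mkdtemp(), "commons-logging.jar")
    with zipfile.ZipFile(demo, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("org/apache/commons/logging/LogFactory.class", b"\xca\xfe\xba\xbe")
    add_logfactory_override(demo)
    print(top_level_properties(demo))
```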
WebSphere Server.xml Sample Snippet
NOTE:
The items to focus on are within the genericJvmArguments section, where one adds the ALES Java-SSM directory information (similar to the Tomcat JAVA_OPTIONS).
The other place to focus on is the settings section, where one adds the ALES *.jar files required for the Java-SSM. The settings section also contains the directory structure for the BEA_HOME directory where the license.bea file for ALES resides.
The directories listed below would have to be changed to match the specific environment one is working on. There are three high-level directories:
"/home/bea" is the BEA_HOME directory
"/home/bea/ales26-ssm" is the ALES-SSM Installation directory
"/home/bea/ales26-ssm/java-ssm/instance/jssm" is the directory containing the Java-SSM "instance" information which one has configured.
<processDefinitions xmi:type="processexec:JavaProcessDef" xmi:id="JavaProcessDef_1183474731390" workingDirectory="${USER_INSTALL_ROOT}" executableTargetKind="JAVA_CLASS" executableTarget="com.ibm.ws.runtime.WsServer">
<execution xmi:id="ProcessExecution_1183474731390" processPriority="20" runAsUser="" runAsGroup=""/>
<ioRedirect xmi:id="OutputRedirect_1183474731390" stdoutFilename="${SERVER_LOG_ROOT}/native_stdout.log" stderrFilename="${SERVER_LOG_ROOT}/native_stderr.log"/>
<monitoringPolicy xmi:id="MonitoringPolicy_1183474731390" maximumStartupAttempts="3" pingInterval="60" pingTimeout="300" autoRestart="true" nodeRestartState="STOPPED"/>
<jvmEntries xmi:id="JavaVirtualMachine_1183474731390" verboseModeClass="false" verboseModeGarbageCollection="false" verboseModeJNI="false" runHProf="false" hprofArguments="" debugMode="false" debugArgs="-Djava.compiler=NONE -Xdebug -Xnoagent -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=7777" genericJvmArguments="-Dlog4j.configuration=file:/home/bea/ales26-ssm/java-ssm/instance/jssm/config/log4j.properties -Dlog4j.ignoreTCL=true -Dwles.scm.port=7013 -Dwles.scm.configurationKeyFile=/home/bea/ales26-ssm/java-ssm/instance/jssm/ssl/config.key -Dwles.ssl.passwordFile=/home/bea/ales26-ssm/java-ssm/instance/jssm/ssl/password.xml -Dwles.ssl.passwordKeyFile=/home/bea/ales26-ssm/java-ssm/instance/jssm/ssl/password.key -Dwles.ssl.identityKeyStore=/home/bea/ales26-ssm/java-ssm/instance/jssm/ssl/identity.jks -Dwles.ssl.identityKeyAlias=wles-ssm -Dwles.ssl.identityKeyPasswordAlias=wles-ssm -Dwles.ssl.trustedCAKeyStore=/home/bea/ales26-ssm/java-ssm/instance/jssm/ssl/trust.jks -Dwles.ssl.trustedPeerKeyStore=/home/bea/ales26-ssm/java-ssm/instance/jssm/ssl/peer.jks -Dwles.ssl.trustedKeystore=/home/bea/ales26-ssm/java-ssm/instance/jssm/ssl/demoProviderTrust.jks -Dwles.arme.port=8001 -Darme.configuration=/home/bea/ales26-ssm/java-ssm/instance/jssm/config/WLESarme.properties -Dwles.config.signer=w2k3r2wls -Dales.blm.home=/home/bea/ales26-ssm/java-ssm/instance/jssm -Djava.io.tmpdir=/home/bea/ales26-ssm/java-ssm/instance/jssm/work/jar_temp -Dales.RealmName=jssm -Dales.https.handler=com.ibm.net.ssl.www2.protocol.https.Handler -Dwles.providers.dir=/home/bea/ales26-ssm/java-ssm/lib/ -Xverify:none" disableJIT="false">
<classpath>/home/bea/ales26-ssm/java-ssm/instance/jssm/config</classpath>
<classpath>/home/bea</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/api.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/axis.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/antlr.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/framework.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/org.mortbay.jetty.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/scmapi.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/log4j.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/jmx.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/connector.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/asi_classes.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/EccpressoCore.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/EccpressoJcae.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/jsafeFIPS.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/jsafeJCEFIPS.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/sslplus.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/ssladapter.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/wlcipher.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/asitools.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/process.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/webservice.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/webserviceclient.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/sslserver.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/sslclient.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/axis.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/javax.servlet.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/commons-discovery-0.2.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/commons-logging.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/pdsoap.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/wsdl4j-1.5.1.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/jaxrpc.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/providers/ALESIdentityAsserter.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/providers/ALESIdentityCredentialMapper.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/providers/ASIAdjudicator.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/providers/ASIAuthorizer.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/providers/backport-util-concurrent.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/providers/DatabaseAuthenticator.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/providers/DatabaseCredentialMapper.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/providers/management.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/providers/ojdbc14.jar</classpath>
<classpath>/home/bea/ales26-ssm/java-ssm/lib/providers/persistence-api.jar</classpath>
<classpath>/home/bea/license.bea</classpath>
</jvmEntries>
</processDefinitions>
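Since missing classpath entries are described under Troubleshooting as the cause of most exceptions, the following added example (not part of the original article or of ALES or WebSphere) checks the jvmEntries settings shown above. It reports classpath entries and path-valued -D arguments that do not exist on disk, lists duplicated classpath entries, and flags -Xverify:none and an enabled debugMode. SAMPLE is a constructed, shortened stand-in for the snippet, audit_jvm_entries is a hypothetical name, and the function assumes it is given the complete server.xml so that the xmi: namespace is declared.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from pathlib import Path

# Constructed, shortened stand-in for the <jvmEntries> element above.
SAMPLE = """<jvmEntries debugMode="false" genericJvmArguments="-Dwles.scm.port=7013 \
-Dlog4j.configuration=file:/home/bea/ales26-ssm/java-ssm/instance/jssm/config/log4j.properties \
-Dwles.ssl.identityKeyStore=/home/bea/ales26-ssm/java-ssm/instance/jssm/ssl/identity.jks \
-Dales.https.handler=com.ibm.net.ssl.www2.protocol.https.Handler -Xverify:none">
  <classpath>/home/bea/ales26-ssm/java-ssm/lib/api.jar</classpath>
  <classpath>/home/bea/ales26-ssm/java-ssm/lib/axis.jar</classpath>
  <classpath>/home/bea/ales26-ssm/java-ssm/lib/axis.jar</classpath>
</jvmEntries>"""

DEFINE = re.compile(r'-D([\w.]+)=("[^"]*"|\S+)')              # -Dname=value pairs
PATH_LIKE = re.compile(r"^(?:file:)?((?:/|[A-Za-z]:[\\/]).+)$")  # UNIX or drive-letter path

def audit_jvm_entries(xml_text, exists=lambda p: Path(p).exists()):
    """Report missing files, duplicate classpath entries and risky JVM settings."""
    report = {"missing": [], "duplicates": [], "flags": []}
    for jvm in ET.fromstring(xml_text).iter("jvmEntries"):
        args = jvm.get("genericJvmArguments", "")
        classpath = [c.text.strip() for c in jvm.iter("classpath") if c.text]
        paths = list(classpath)
        # Keep only -D values that look like paths; ports, aliases and
        # class names are skipped.
        for _name, value in DEFINE.findall(args):
            match = PATH_LIKE.match(value.strip('"'))
            if match:
                paths.append(match.group(1))
        report["missing"] += sorted({p for p in paths if not exists(p)})
        report["duplicates"] += [p for p, n in Counter(classpath).items() if n > 1]
        if "-Xverify:none" in args.split():
            report["flags"].append("-Xverify:none disables bytecode verification")
        if jvm.get("debugMode") == "true":
            report["flags"].append("debugMode=true applies debugArgs at startup")
    return report

if __name__ == "__main__":
    for kind, items in audit_jvm_entries(SAMPLE).items():
        for item in items:
            print(f"{kind}: {item}")
```

The exists parameter lets the check be pointed at a copy of the configuration on another machine by supplying a different lookup function.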