Access control with Sun Access Manager (GlassFish + LDAP + nginx)
glassfish-installer-v2.1-b60e-sunos.jar
appserver_v9_agent.zip
amserver.war
jdk1.6.0_13
DSEE.6.3.Solaris-Sparc-full.tar.gz
StudioExpress-sol-sparc-2009-03-pkg.sh
Environment preparation
1. Install Sun Studio Express 03/09 (or Sun Studio 12):
bash StudioExpress-sol-sparc-2009-03-pkg.sh
After installation, Sun Studio Express 03/09 lives in /opt/SSX0903.
2. Install and configure the basic BlastWave environment, then add the following packages:
wget
pkgadd -d ./pkgutil_sparc.pkg
pkgutil -i openssl pcre wget
3. Adjust the Solaris 10 environment
The tar bundled with Solaris 10 is limited and buggy; the cleanest fix is to replace it with BlastWave's gtar:
mv /usr/sbin/tar /usr/sbin/tar.sun
ln -s /opt/csw/bin/gtar /usr/sbin/tar
(On Solaris 10, /usr/bin/tar is itself a symbolic link to /usr/sbin/tar.)
For convenience, edit /etc/profile and add the following to the PATH environment variable:
PATH=/opt/SSX0903/bin:/opt/csw/bin:/opt/csw/sbin:$PATH
I. DSEE installation and setup
Extract the archive:
tar -zxf DSEE.6.3.Solaris-Sparc-full.tar.gz
cd /DSEE_ZIP_Distribution
Check system compatibility:
./idsktune
./dsee_deploy install -i /export/home/sunds/dsee/
cd /export/home/sunds/dsee/ds6/bin
mkdir /export/home/sunds/instances
./dsadm create -p 2389 /export/home/sunds/instances/1   # port 2389 is used by dsconf and the AM configurator below
./dsconf create-suffix -p 2389 dc=zn,dc=com
II. nginx installation and setup
4. Download the nginx 0.6.37 source code:
wget -c
tar xvfz nginx-0.6.37.tar.gz
cd nginx-0.6.37
Build nginx:
./configure \
--prefix=/var/nginx \
--user=nginx --group=nginx \
--conf-path=/var/nginx/etc/nginx.conf \
--with-cc=/opt/SSX0903/bin/cc \
--with-cc-opt=-I/opt/csw/include \
--with-ld-opt="-L/opt/csw/lib -R/opt/csw/lib" \
--with-http_ssl_module \
--with-http_addition_module \
--with-http_gzip_static_module \
--with-http_dav_module \
--with-http_sub_module \
--with-http_realip_module \
--with-http_stub_status_module \
--http-client-body-temp-path=/var/run/nginx/nginx-http-temp \
--http-proxy-temp-path=/var/run/nginx/nginx-proxy-temp \
--http-fastcgi-temp-path=/var/run/nginx/nginx-fastcgi-temp \
--http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \
--pid-path=/var/run/nginx/nginx.pid \
--lock-path=/var/run/nginx/nginx.lock
dmake -j 32
make install
Set up two nginx vhosts, each proxying its entire URL space to the corresponding GlassFish domain:
am.zn.com:
location / {
    proxy_pass
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;
}
agent.zn.com:
location / {
    proxy_pass
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_redirect off;
}
Access to both hostnames can also be moved to port 443, and certificate authentication can be added.
III. GlassFish installation
wget -c
java -Xmx256m -jar glassfish-installer-v2.1-b60e-sunos.jar
cd glassfish
chmod -R +x lib/ant/bin/
./lib/ant/bin/ant -f setup.xml
1. Create a new GlassFish domain named am:
./bin/asadmin create-domain --passwordfile xx/glassfish/bin/password --portbase 10000 am
2. Start the domain am:
./bin/asadmin start-domain am
3. Deploy amserver
Open the admin console of the am domain and deploy amserver.war.
4. Configure amserver
Open the Access Manager configurator and fill in:
Server URL :
Configuration directory : ~/am
LDAP host : localhost
Port : 2389
Root suffix : dc=zn,dc=com
Directory Manager DN : cn=Directory Manager
5. Edit domains/am/config/server.policy and append the following at the end of the file:
// ADDITIONS FOR Access Manager on Sun Java System Application Server
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-" {
    permission java.net.SocketPermission "*", "connect,accept,resolve";
    permission java.util.PropertyPermission "*", "read, write";
    permission java.lang.RuntimePermission "modifyThreadGroup";
    permission java.lang.RuntimePermission "setFactory";
    permission java.lang.RuntimePermission "accessClassInPackage.*";
    permission java.util.logging.LoggingPermission "control";
    permission java.lang.RuntimePermission "shutdownHooks";
    permission javax.security.auth.AuthPermission "getLoginConfiguration";
    permission javax.security.auth.AuthPermission "setLoginConfiguration";
    permission javax.security.auth.AuthPermission "modifyPrincipals";
    permission javax.security.auth.AuthPermission "createLoginContext.*";
    permission java.io.FilePermission "<<ALL FILES>>", "execute,delete";
    permission java.util.PropertyPermission "java.util.logging.config.class", "write";
    permission java.security.SecurityPermission "removeProvider.SUN";
    permission java.security.SecurityPermission "insertProvider.SUN";
    permission javax.security.auth.AuthPermission "doAs";
    permission java.util.PropertyPermission "java.security.krb5.realm", "write";
    permission java.util.PropertyPermission "java.security.krb5.kdc", "write";
    permission java.util.PropertyPermission "java.security.auth.login.config", "write";
    permission java.util.PropertyPermission "user.language", "write";
    permission javax.security.auth.kerberos.ServicePermission "*", "accept";
    permission javax.net.ssl.SSLPermission "setHostnameVerifier";
    permission java.security.SecurityPermission "putProviderProperty.IAIK";
    permission java.security.SecurityPermission "removeProvider.IAIK";
    permission java.security.SecurityPermission "insertProvider.IAIK";
};
// END OF ADDITIONS FOR Access Manager
6. Create an agent profile in AM
Access Control > Realm: sample > Subjects > Agents > New…
ID: myagent
Password: password
Under ~/am, add a file named zn containing that password:
echo password > zn
7. Install the agent
./bin/asadmin create-domain --passwordfile xx/glassfish/bin/password --portbase 20000 agent
unzip appserver_v9_agent.zip
j2ee_agents/appserver_v9_agent/bin/agentadmin --install
Answer the installer prompts as follows:
Application Server Config Directory : glassfish/domains/agent/config
Application Server Instance name : server
Access Manager Services Host : am.zn.com
Access Manager Services Port : 80
Access Manager Services Protocol : http
Access Manager Services Deployment URI : /amserver
Agent Host name : agent.zn.com
Domain Administration Server Host is remote : false
Application Server Instance Port number : 80
Protocol for Application Server instance : http
Deployment URI for the Agent Application : /agentapp
Encryption Key :
Agent Profile name : myagent
Agent Profile Password file name : ~/am/zn
Agent installed on the DAS host for a remote instance : false
Agent and Access Manager on same application server instance : false
8. Edit ~/am/AMConfig.properties
Change com.iplanet.am.cookie.encode=false to com.iplanet.am.cookie.encode=true.
./bin/asadmin start-domain agent
Deploy the agent application:
j2ee_agents/appserver_v9_agent/etc/agentapp.war
Restart both domains.
Deploying the applications that amserver is to protect
Add the following to the application's web.xml:
<filter>
    <filter-name>Agent</filter-name>
    <filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>Agent</filter-name>
    <url-pattern>/*</url-pattern>
    <dispatcher>REQUEST</dispatcher>
    <dispatcher>INCLUDE</dispatcher>
    <dispatcher>FORWARD</dispatcher>
    <dispatcher>ERROR</dispatcher>
</filter-mapping>
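As an added example (not part of the original post), the POSIX shell script below checks the end state of steps 5 to 8 and the web.xml change above: that com.iplanet.am.cookie.encode is really true (a commented-out line does not count), that the agent profile password file ~/am/zn is not readable by other users (the echo in step 6 leaves it world-readable under a default umask), that server.policy carries the amserver grant block, and that AmAgentFilter is mapped to /*. The paths are this page's layout; the sample tree built by demo() is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the original post; assumes this page's layout (~/am, domains/am/config).
# True when KEY=VALUE is set in a Java properties file; comment lines and
# surrounding whitespace are ignored, so a commented-out line does not count.
prop_is() {   # prop_is FILE KEY VALUE
    grep -v '^[[:space:]]*#' "$1" 2>/dev/null | sed 's/[[:space:]]//g' | grep -q "^$2=$3\$"
}
# The agent profile password file must not be readable by group or others.
pwfile_private() {   # pwfile_private FILE
    [ -f "$1" ] || return 1
    case "$(ls -l "$1" | cut -c1-10)" in -r??------) return 0 ;; *) return 1 ;; esac
}
# server.policy must carry the grant block for the amserver module.
policy_has_am_grant() {
    grep -q 'applications/j2ee-modules/amserver/-' "$1" 2>/dev/null
}
# web.xml must map AmAgentFilter to /*, otherwise the application is unprotected.
webxml_protected() {
    grep -q 'com.sun.identity.agents.filter.AmAgentFilter' "$1" 2>/dev/null &&
        grep -q '<url-pattern>/\*</url-pattern>' "$1"
}
# check_all AM_DIR DOMAIN_CONFIG_DIR WEB_XML -> exit status = number of failed checks
check_all() {
    fails=0
    prop_is "$1/AMConfig.properties" com.iplanet.am.cookie.encode true ||
        { echo "FAIL: com.iplanet.am.cookie.encode is not true"; fails=$((fails + 1)); }
    pwfile_private "$1/zn" ||
        { echo "FAIL: $1/zn is missing or readable by other users"; fails=$((fails + 1)); }
    policy_has_am_grant "$2/server.policy" ||
        { echo "FAIL: server.policy lacks the amserver grant block"; fails=$((fails + 1)); }
    webxml_protected "$3" ||
        { echo "FAIL: web.xml does not map AmAgentFilter to /*"; fails=$((fails + 1)); }
    return $fails
}
# Constructed sample tree mirroring the state after step 8, so the script runs offline.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/am" "$d/config"
    printf 'com.iplanet.am.cookie.encode=true\n' > "$d/am/AMConfig.properties"
    printf 'password\n' > "$d/am/zn" && chmod 600 "$d/am/zn"
    printf 'grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/amserver/-" {\n};\n' > "$d/config/server.policy"
    printf '<filter-class>com.sun.identity.agents.filter.AmAgentFilter</filter-class>\n<url-pattern>/*</url-pattern>\n' > "$d/web.xml"
    check_all "$d/am" "$d/config" "$d/web.xml" && echo "all checks passed"
}
demo
```

On a real host, call check_all with ~/am, the am domain's config directory and the protected application's web.xml instead of demo.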