Protecting a Web Site With OpenAM This guide shows you how to quickly set up OpenAM and get started with access management. In reading and following the instructions in this guide, you will learn how to protect a Web page using OpenAM and a Web policy agent. You need a Linux, Solaris, or Windows system that can run the OpenAM Web policy agent with a minimum of 1 GB of available RAM memory, a few hundred MB of free disk space, a web browser, and an Internet connection to download software. If you are using Mac OS X, set up a virtual machine running Linux to try these procedures because the web policy agent is not built for Apache HTTP Server on Mac OS X. About OpenAM OpenAM provides a service called access management, which manages access to resources, such as a web page, an application, or web service, available over the network. Once it is set up, OpenAM provides an infrastructure for managing users, roles, and access to resources. In this chapter, you manage access to a single web page. OpenAM centralizes access control by handling both authentication and authorization. Authentication is the process of identifying an individual, for example, by confirming a successful login. Authorization is the process of granting access to resources to authenticated individuals. OpenAM centralizes authentication by using a variety of authentication modules that connect to identity repositories that store identities and provide authentication services. The identity repositories can be implemented as LDAP directories, relational databases, RADIUS, Windows authentication, one-time password services, and other standards-based access management systems. OpenAM lets you chain together the authentication services used. Authentication chains let you configure stronger authentication for more sensitive resources for example. They also let you set up modules that remember a device when the user logs in successfully. Or that evaluate the risk given the login circumstances and therefore can require more credentials when a user is logging in from an unusual location. This chapter uses OpenAM’s built-in identity repository and authentication modules to make it easier to get started. OpenAM centralizes authorization by letting you use OpenAM to manage access policies separate from applications and resources. Instead of building access policy into a web application, you install a policy agent with the web application to request policy decisions from OpenAM. This way you can avoid issues that could arise when developers must embed policy decisions into their applications. With OpenAM, if policy changes or an issue is found after the application is deployed, you have only to change the policy definition in OpenAM, not deploy a new version of the application. OpenAM makes the authorization decisions, and policy agents enforce the decisions on OpenAM’s behalf. The rest of this chapter has you demonstrate OpenAM access management by installing OpenAM, creating a policy, and installing a policy agent on a web server to enforce the policy for a web page. Software Requirements To Try Out OpenAM This chapter shows you how to install the software OpenAM needs to protect a web page. You will learn how to install Apache HTTP Server, Apache Tomcat, OpenAM core server with OpenAM Console, and OpenAM Apache Policy Agent. Installation instructions for Java Development Kit (JDK) are not included in this chapter, as OpenAM is a Java web application, and the JDK is pre-installed. Java Development Kit OpenAM is a Java web application, and requires a Java Development Kit installed on the system where it runs. The OpenAM web policy agent installer is also a Java program. Apache HTTP Server Apache HTTP Server serves the web page OpenAM protects. Apache Tomcat Because OpenAM is a Java web application, it runs in a web container, in this case, Apache Tomcat. OpenAM core server with OpenAM Console This is the main web application for OpenAM. OpenAM sets up an OpenDJ directory server at configuration time to use, in this case, to hold OpenAM’s configuration and to serve as an identity store and authentication service. OpenAM Apache Policy Agent Install a policy agent in Apache HTTP Server to intercept requests from users and enforce access policy decisions OpenAM makes. The policy agent intercepts requests from users, and enforces access policy decisions made by OpenAM. The policy agent enforces policy by redirecting users to OpenAM for authentication and by contacting OpenAM to get authorization decisions for resources, such as the web page to protect. Follow the steps in the following sections of this chapter to learn how OpenAM protects a web site without changing the web site itself. Setting Up the Software This section includes the following procedures that detail how to set up OpenAM to protect a web page: "To Prepare Your Hosts File" "To Install Apache HTTP Server" "To Install Apache Tomcat" "To Install OpenAM" "To Configure a Policy in OpenAM" "To Create a Web Policy Agent Profile" "To Install OpenAM Web Policy Agent" The procedures in this section are written for use on a Linux system. If you are running Microsoft Windows, adapt the examples accordingly. To Prepare Your Hosts File OpenAM requires that you use fully qualified domain names when protecting web resources. This is because OpenAM uses HTTP cookies to keep track of sessions for single sign-on (SSO), and setting and reading cookies depends on the server name and domain. You can get started with OpenAM without setting up separate systems for each fully qualified domain name. Give your system openam.example.com and www.example.com aliases by editing your hosts file. Alternatively, if you already have a DNS set up, you can use that instead of your hosts file. Add the aliases to your hosts file using your preferred text editor. $ sudo vi /etc/hosts Password: ### Edit /etc/hosts ### $ cat /etc/hosts | grep openam 127.0.0.1 localhost openam.example.com www.example.com To Install Apache HTTP Server Apache HTTP Server is a popular web server that is supported by OpenAM’s web policy agents. Apache HTTP Server might already be installed on your system, but since you are installing software for the sole purpose of getting started with OpenAM, install the web server separately instead of modifying any existing installations. Full installation instructions are available online. Verify the correct tools are installed to build Apache HTTP Server 2.2 from source. For Linux distributions, you need development tools including the C compiler. How you install these depends on your distribution. For Red Hat and CentOS distributions: # yum groupinstall 'Development Tools' For Ubuntu distributions: $ sudo apt-get install build-essential checkinstall Download Apache HTTP Server 2.2 sources from the Apache download page. The OpenAM web policy agent requires Apache Portable Runtime 1.3 or later, so make sure you download Apache HTTP Server 2.2.9 or later. Extract the download. Configure the sources for compilation. The --prefix option can be used to install the Web server in a location where you can write files. $ cd ~/Downloads/httpd-2.2.25 $ ./configure --prefix=/path/to/apache Compile Apache HTTP Server. $ make Install Apache HTTP Server. $ make install Edit the configuration to set the server name to www.example.com and the port to one, such as 8000 that the web server process can use when starting with your user ID. $ vi /path/to/apache/conf/httpd.conf $ grep 8000 /path/to/apache/conf/httpd.conf Listen 8000 ServerName www.example.com:8000 Test the installation to ensure Apache HTTP Server is working. Make sure that your system’s firewall does not block the port that Apache HTTP Server uses. See the documentation for your version of your system regarding how to allow traffic through the firewall on a specific port. A variety of firewalls are in use on Linux systems. The one in use depends on your specific distribution. Start the web server. $ /path/to/apache/bin/apachectl -k start Point your browser to following URL: http://www.example.com:8000. This is the page to protect with OpenAM. Do not proceed with the next steps unless this page appears. To Install Apache Tomcat OpenAM runs as a Java web application inside an application container. Apache Tomcat is an application container that runs on a variety of platforms. The following instructions are loosely based on the RUNNING.txt file delivered with Tomcat. Make sure you have a recent JDK LTS release installed. One way of checking the version of the JDK is to list the version of the javac compiler. $ javac -version If the javac compiler is not found, then either you do not have a Java Development Kit installed, or it is installed, but not on your PATH. Download Apache Tomcat 9 from its download page. Extract the download. $ cd /path/to $ unzip ~/Downloads/apache-tomcat-9.0.93.zip $ mv apache-tomcat-9.0.93 tomcat On UNIX-like systems, make the scripts in Tomcat’s bin/ directory executable. $ chmod +x /path/to/tomcat/bin/*.sh Set the JAVA_HOME environment variable to the file system location of the Java Development Kit. On Linux, set JAVA_HOME as follows. export JAVA_HOME=/path/to/jdk Create a Tomcat setenv.sh (Unix/Linux) or setenv.bat (Windows) script to set the JAVA_HOME environment variable to the file system location of the Java Development Kit, and to set the heap and permanent generation size or metaspace size appropriately. If you are using JDK 7: export JAVA_HOME="/path/to/usr/jdk" export CATALINA_OPTS="$CATALINA_OPTS -Xmx2g -XX:MaxPermSize=256m" If you are using JDK 8: export JAVA_HOME="/path/to/usr/jdk" export CATALINA_OPTS="$CATALINA_OPTS -Xmx2g -XX:MaxMetaspaceSize=256m" If you have a custom installation that differs from the documented Tomcat installation, make sure to set Tomcat’s CATALINA_TMPDIR to a writable directory to ensure the installation succeeds. This temporary directory is used by the JVM (java.io.tmpdir) to write disk-based storage policies and other temporary files. Make sure that your system’s firewall does not block the port that Apache Tomcat uses. See the Apache documentation for instructions for allowing traffic through the firewall on a specific port for the version of Tomcat on your system. A variety of firewalls are in use on Linux systems. The version your system uses depends on your specific distribution. Start Tomcat. $ /path/to/tomcat/bin/startup.sh It might take Tomcat several seconds to start. When Tomcat has successfully started, you should see information indicating how long startup took in the /path/to/tomcat/logs/catalina.out log file. INFO: Server startup in 4655 ms Browse to Tomcat’s home page, such as http://openam.example.com:8080. Tomcat will serve the OpenAM web application. Make sure you have successfully gotten to this point before you proceed. To Install OpenAM Deploy OpenAm into Tomcat and then configure it for use. Download the OpenAM .war file from the OpenAM releases page on the GitHub. Deploy the .war file in Tomcat as openam.war. $ mv ~/Downloads/OpenAM-13.5.2.war /path/to/tomcat/webapps/openam.war Tomcat deploys OpenAM under the /path/to/tomcat/webapps/openam/ directory. You can access the web application in a browser at http://openam.example.com:8080/openam/. Browse to OpenAM where it is deployed in Tomcat, in this example, http://openam.example.com:8080/openam/, to configure the application. On the OpenAM home page, click Create Default Configuration. Review the software license agreement. If you agree to the license, click "I accept the license agreement", and then click Continue. Set the Default User [amAdmin] password to changeit and the Default Policy Agent [UrlAccessAgent] password to secret12, and then click Create Configuration to configure OpenAM. If you were configuring OpenAM for real-world use, you would not use either of those passwords, but this is only to get started with OpenAM. The amadmin user is the OpenAM administrator, who is like a superuser in that amadmin has full control over the OpenAM configuration. The UrlAccessAgent is not used in this guide. Click the Proceed to Login link, then log in as amadmin with the password specified in the previous step, changeit. After login, OpenAM should direct you to the Realms page. OpenAM stores its configuration, including the embedded OpenDJ directory server in the folder named ~/openam/ in your home directory. The folder shares the same name as your server instance. It also has a hidden folder, ~/.openamcfg/, with a file used by OpenAM when it starts up. If you ruin your configuration of OpenAM somehow, the quickest way to start over is to stop Tomcat, delete these two folders, and configure OpenAM again. OpenAM core server and OpenAM Console are now configured. Make sure you have successfully logged in to OpenAM Console before you proceed. To Configure a Policy in OpenAM OpenAM authenticates users and then makes authorization decisions based on access policies that indicate user entitlements. Follow these steps to create a policy that allows all authenticated users to perform an HTTP GET (for example, to browse) the Apache HTTP home page that you set up earlier. In the OpenAM console, select the Top Level Realm on the Realms page. OpenAM allows you to organize identities, policies, and policy agent profiles into realms as described in "Configuring Realms" in the Administration Guide. For now, use the default Top Level Realm. On the Realm Overview page, navigate to Authorization > Policy Sets > Default Policy Set > Add a Policy. For more information on the relationship between realms, policy sets, and policies, see "About Authorization in OpenAM" in the Administration Guide. On the New Policy page, enter the following data: In the Name field, give your new policy the name Authenticated users can get Apache HTTP home page. On the Resource Type drop-down list, select URL. On the Resources drop-down list, select the URL pattern for your policy. In this example, select ://:*/, then enter the resource URL: http://www.example.com:8000/, and then click Add. Click Create to save your settings. On your policy page, select the Actions tab, and then enter the following information: On the Add an action drop-down list, select GET. On the Add an action drop-down list, select POST. Save your changes. On your policy page, navigate to Subjects and enter the following data: On the All of drop-down list, review the list and select All of…. On the Type section, click the Edit icon. On the Type drop-down list, select Authenticated Users, and then click the checkmark. Save your changes. Review your configuration. To make changes to the configuration, click the relevant tab and amend the configuration. Next, you must create a web policy agent profile before installing the agent in Apache HTTP Server to enforce your new policy. To Create a Web Policy Agent Profile OpenAM stores profile information about policy agents centrally by default. You can manage the policy agent profile through OpenAM Console. The policy agent retrieves its configuration from its OpenAM profile at installation and start up, and OpenAM notifies the policy agent of changes to its configuration. Follow these steps before installing the policy agent itself. In OpenAM Console, browse to Realms > / Top Level Realm > Agents > Web, and then click New in the Agents table. In the page to configure your new web policy agent, set the following values. Name WebAgent Password password Configuration Keep the default, Centralized Server URL http://openam.example.com:8080/openam Agent URL http://www.example.com:8000 8000 is the port number you set previously for Apache HTTP Server. Click Create to save the new web policy agent profile in OpenAM. Next, install a policy agent in Apache HTTP Server to enforce your new policy. To Install OpenAM Web Policy Agent OpenAM policy agents enforce policies defined in OpenAM. While the policy agent’s job is to verify that users have the appropriate privileges to the resources they request, the policy agents do not make policy decisions. They call on OpenAM to make policy decisions using information presented by the user (or the user’s client application), such as the SSO token in the HTTP cookie, which OpenAM uses to manage user sessions. A policy agent is, in essence, a gatekeeper for OpenAM. The agent runs inside of Apache HTTP Server as a library, which the server loads at startup time. When a request comes in, the agent redirects users to OpenAM for authentication and calls on OpenAM for policy decisions as necessary. Download the OpenAM policy agent for your version of Apache HTTP Server from the Web Agent releases page on the GitHub. Create a password file, for example $HOME/.pwd.txt, that the agent installer reads when first connecting to OpenAM to read its profile. The file should only contain the password string, on a single line. The password file should be read-only by the user who installs the policy agent. $ chmod 400 $HOME/.pwd.txt The password is stored encrypted after installation. Make sure OpenAM is running. You can verify this by logging into OpenAM Console. Stop Apache HTTP Server while you install the policy agent. $ /path/to/apache/bin/apachectl stop Extract the download. $ cd /path/to $ unzip ~/Downloads/Apache-v22-Linux-64-Agent-4.1.zip Install the web policy agent in Apache HTTP Server, making sure that you provide the correct information to the installer as shown in the following example. When you run the command, you will be prompted to read and accept the software license agreement for the agent installation. You can suppress the license agreement prompt by including the --acceptLicence parameter. The inclusion of the option indicates that you have read and accepted the terms stated in the license. To view the license agreement, open <server-root>/legal-notices/license.txt. $ cd /path/to/web_agents/apache22_agent/bin $ ./agentadmin --install --acceptLicense ... ----------------------------------------------- SUMMARY OF YOUR RESPONSES ----------------------------------------------- Apache Server Config Directory : /path/to/apache/conf OpenAM server URL : http://openam.example.com:8080/openam Agent URL : http://www.example.com:8000 Agent Profile name : WebAgent Agent Profile Password file name : $HOME/.pwd.txt ... Start Apache HTTP Server, and verify that the web policy agent is configured correctly. $ /path/to/apache/bin/apachectl -k start $ tail /path/to/apache/logs/error_log ...[notice] Apache/2.2.25 (Unix) OpenAM WPA/4.1 configured -- resuming normal operations You can now try your installation to see OpenAM in action. Trying It Out Now that you have completed "Setting Up the Software", you can access the protected web page to see OpenAM at work. Log out of OpenAM Console. Browse to http://www.example.com:8000 to attempt to access the Apache "It works!" page. At this point, the policy agent intercepts your request for the page. Your browser does not return a cookie indicating an OpenAM session, so the policy agent redirects you to OpenAM to authenticate. Log in as the built-in default OpenAM demonstration user demo with password changeit. On successful login, OpenAM sets a session cookie named iPlanetDirectoryPro in your browser for the domain .example.com. The cookie is then returned to servers in the example.com domain, such as, openam.example.com and www.example.com. If you examine this cookie in your browser, you see that it has a value, such as AQIC5wM2LY4SfcwciyfvJcQDUIB7kIWEH187Df_txqLdAVc.AAJTSQACMDEAAlNLABMxMDYwNzY1MjQ0NTE0ODI2NTkx. This is the SSO Token value. The value is in fact an encrypted reference to the session that is stored only by OpenAM. So, only OpenAM can determine whether you are actually logged in, or instead, that the session is no longer valid and you need to authenticate again. The OpenAM session is used for SSO. When the browser presents the cookie to a server in the domain, the agent on the server can check with OpenAM using the SSO Token as a reference to the session. This lets OpenAM make policy decisions based on who is authenticated, or prompt for additional authentication, if necessary. Your SSO session can end in a few ways. For example, when examining the cookie in your browser, you should notice that it expires when the browser session ends (when you shut down your browser). Alternatively, you can log out of OpenAM explicitly. Sessions can also expire. OpenAM sets two limits, one that causes your session to expire if it remains inactive for a configurable period of time (default: 30 minutes), and another that caps the session lifetime (default: 2 hours). After successful login, you are redirected to the Apache "It works!" page. In the background, OpenAM redirected your browser again to the page you tried to access originally, http://www.example.com:8000. This time, the web policy agent intercepted the request and found the SSO Token so it could request a policy decision from OpenAM regarding whether the user with the SSO Token has access to get http://www.example.com:8000/. OpenAM replied to the policy agent that it could allow access, and the policy agent allowed Apache HTTP Server to send back the web page. Congratulations on protecting your first web site with OpenAM! Notice that you had only to install software and to configure OpenAM. You did not have to change your web site at all in order to add SSO and to set up access policies. OpenAM can do much more than protect web pages. Read the next chapter to learn more. Trying Out Stateless Sessions In the "Trying It Out" section, you successfully configured OpenAM and viewed the iPlanetDirectoryPro session cookie. The session cookie contains information for OpenAM or a policy agent to locate the session data object on the server from which the session originated. Sessions that are stored in a server’s memory are called stateful, which is the default configuration at the realm level. OpenAM also supports stateless sessions, in which the authenticated user’s session is stored on the client-side (for example, in a browser), not in memory. The session cookie cannot be updated until the session ends, when the user logs out or the session expires. To try out stateless sessions, see "Configuring Session State" in the Administration Guide. Preface Where To Go From Here