ForgeRock OpenAM 12: Switching from XUI to Legacy UI

This blog post was first published @ www.fedji.com, included here with permission.

It’s a weekend, so I don’t seem to have the mental bandwidth for a heavy duty demonstration on ForgeRock products. I’ve a very short video log that has a running time of just over a minute and half to show you how, if required, you can switch from ForgeRock OpenAM 12 XUI (default interface) to OpenAM Legacy UI.

Enjoy!

ForgeRock OpenIG: Getting Credentials from ForgeRock OpenAM

This blog post was first published @ www.fedji.com, included here with permission.

In this episode, you’ll see how ForgeRock OpenIG picks up user credentials from ForgeRock OpenAM, and gives the user access to an application. Now that’s quite a bit of information in a single line. So let’s break it down into pieces:

– A user tries to access ‘http://openig.mydomain.com:8080/replay’ url
– A Java EE OpenAM Policy Agent sitting in front of the ‘http://openig.mydomain.com:8080′ url intercepts the request from the client (user’s browser) and redirects the request to ForgeRock OpenAM (http://openam.mydomain.com:8080/openam)
– ForgeRock OpenAM will send the OpenAM Login Page back to the user
– The user supplies the credential, which the OpenAM verifies. If authentication is successful,OpenAM adds the username of the user and his/her encrypted password to the session and sends it to Java EE Policy Agent
– Java EE Policy agent validates the user’s session, gives control to OpenIG.
– Because the URL that the client requested for (http://openig.mydomain.com:8080/replay), matches a specific route (say 04-route.json) configured in OpenIG, it applies the filters in the route configuration file. The first filter will use a shared key (also known to the OpenAM) to decrypt the encrypted password sent by OpenAM. The second filter will retrieve the username and password from the exchange and replaces your browser’s original HTTP GET request with an HTTP POST login request that contains the credentials to authenticate and the third filter will remove the username and password headers before continuing to process the exchange.
– The HTTP server validates the credentials and respond back to OpenIG with user’s profile page
– OpenIG sends that response to the end user
A couple of things though: OpenAM in our setup is configured to process a ‘Password Replay’ Java Class on successful authentication. The Java EE agent in OpenAM is configured only for Single Sign On (SSO) and is configured to add the UserToken (username) and sunIdentityUserPassword (password) as session attributes in HTTP header.

The picture below may not speak thousand words, but it does speak all the words I uttered above:

OpenIGWithOpenAM

If you’re new to ForgeRock OpenIG, I recommend viewing screen-casts at the following links first:
ForgeRock OpenIG Installation & Configuration
ForgeRock OpenIG: Getting Credentials from File Data Source
ForgeRock OpenIG: Getting Credentials from JDBC Data Source

The following video would not have been possible, but with the help of ForgeRock Documentation.

Enjoy!

 

ForgeRock OpenIDM: Setting Up SSL With MySQL Internal Repository

This blog post was first published @ www.fedji.com, included here with permission.

If you’ve already seen the video demonstration on setting up ForgeRock OpenIDM to use a JDBC repository, you may now be interested to know how to secure the traffic from ForgeRock OpenIDM to its JDBC repository. So in the video that follows, you will see:

– Setting up SSL in MySQL database

– Configuring OpenIDM to use SSLto the MySQL database (its internal repository)

Like several other videos that I’ve already published on this blog space around ForgeRock products, this one also makes use of OpenIDMwithSSLtoJDBC-01

Hope you’ll find the video log useful:

Thanks
MySQL Product Documentation
ForgeRock Documentation

Setting Up ForgeRock OpenAM with HTTPS on Tomcat

This blog post was first published @ www.fedji.com, included here with permission.

This post is a demo version of the ForgeRock Documentation on Setting Up OpenAM with HTTPS on Tomcat. I had earlier published a screen-cast on the ForgeRock OpenAM deployment and Configuration on a here. Below you’ll find the steps that I run in my Ubuntu Linux Container to secure our OpenAM deployment:

– Create a Certificate & store it in keystore in a Linux Container
– Modify the Tomcat Server Configuration file (server.xml) to enable SSL (on port 8443)
– Deploy ForgeRock OpenAM
– Access OpenAM from the host OS and complete the configuration

If it’s hard for your visualize how the infrastructure looks like, here’s an illustration to make life easy.

OpenAMWithSSL

Now on to the action:

If you are not able to view the embedded video, please click here

ForgeRock OpenDJ Replication – Enabling Encryption

This blog post was first published @ www.fedji.com, included here with permission.

This is a sequel to my earlier blog update on ForgeRock OpenDJ Replication and is largely inspired by a question raised in the ForgeRock Community Website. So if you are not very familiar with the steps involved in configuring OpenDJ Replication, I suggest you read/watch it before watching the embedded video below:

One-liner about the infrastructure used: two Linux Containers, each running an instance of ForgeRock OpenDJ is already replicating the OpenDJ data, but the replication traffic is not secure. In the video demonstration that follows, we’ll tighten the security a bit by encrypting the replication traffic as well as monitor the same using wireshark running on the host OS. Well, the diagram below indicates the end state of our screen-cast:

OpenDJReplicationEncrypted

Enjoy

[If you are not able to see the embedded video, please watch it on YouTube here ]