As you all know, Directory Services are key to OpenSSO. We support many of them but, besides OpenDS, which we use for our embedded configuration store, one of the best LDAP Directory servers out there is Sun’s Directory Server Enterprise Edition (DSEE for short). In a typical deployment you will want to store user data on a separate Directory Service.
I always thought that, starting from a freshly installed Solaris 10 box, the deployment of DSEE is anything but smooth. This post lists the initial steps one has to take to perform such a deployment and follow the DSEE Administration guide (your sole reference on the matter). This was also strongly inspired by some excellent posts (listed at the end).
First a few assumptions:
- Our starting point is a machine that runs Solaris 10. I used the latest release (Sept. ’09) available here. All updates were applied after the installation.
- I’ll assume the installation is done as root. This might not be the optimal approach, security-wise, but I’m keeping it simple here.
- I’m installing DSEE via the JES 5 installer. JES (Java Enterprise System) is our main delivery system for lots of Sun’s software. The neat thing about JES is that it bundles applications together (e.g. Access Manager 7.1 and DSEE). In the present case I only installed DSEE and DSCC, the DS Control Center (a useful interface to administer DSEE deployments).
Now onto the steps:
- The first step is to configure DSCC by running:
<dsee install dir>/dscc6/bin/dsccsetup initialize
Doing so results in an error from cacao: Cannot find property: [cacao embedded].
The problem here is that JES reverted the version of cacao (Solaris’ Common Agent Container, more info here) to a previous one.
- We need to reinstall cacao from the Solaris 10 CD. Look for the following 2 packages: SUNWcacaort and SUNWcacaodtrace. To install them, change to the packages directory and enter:
pkgadd -d . SUNWcacaort
pkgadd -d . SUNWcacaodtrace
- Start cacao:
/usr/sbin/cacaoadm start
You can verify it’s running fine with:
cacaoadm status
- You can now re-attempt to run the initialization (step 1). You should see a message saying that the DSCC Registry has been created successfully.
- If you want to make sure cacao starts upon reboot, enter:
/usr/sbin/cacaoadm enable
- The admin guide says to access DSCC through the Java Web Console in your browser. Well, we need to make sure it is running first:
/usr/sbin/smcwebserver status
Most likely it’s not…
- Start the Java Web Server with:
smcwebserver start
Now you can access it with your browser and … Oops… it only listens on your localhost (127.0.0.1).
To fix this, use svccfg:
# /usr/sbin/svccfg
svc:> select system/webconsole
svc:/system/webconsole> setprop options/tcp_listen=true
svc:/system/webconsole> quit
You’ll have to restart the Java Web Console at this point:
/usr/sbin/smcwebserver restart
- The Java Web Console is now accessible on the standard port 6789 (using https) and Voilà, the configuration of DSEE as specified in the Administration guide can now proceed unhindered.
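One way to confirm what the tcp_listen change did to the console listener, as an added example that is not part of the original post: the function classifies the listener on a port from `netstat -an` text. The sample lines are constructed in the Solaris address.port layout, and `listen_scope` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: report how a TCP port is exposed, from `netstat -an` text on stdin.
# Solaris prints local addresses as <addr>.<port> (127.0.0.1.6789, *.6789).
# listen_scope is a hypothetical helper name, not a Solaris tool.
listen_scope() {
    awk -v port="$1" '
        $NF == "LISTEN" {
            n = split($1, parts, "[.]")          # last dot-separated field is the port
            if (parts[n] != port) next
            addr = substr($1, 1, length($1) - length(parts[n]) - 1)
            if (addr == "*" || addr == "0.0.0.0" || addr == "::") wild = 1
            else if (addr == "127.0.0.1" || addr == "::1") loop = 1
            else other = addr
        }
        END {
            if (wild) print "all-interfaces"
            else if (other != "") print "specific:" other
            else if (loop) print "loopback-only"
            else print "not-listening"
        }'
}

# Constructed sample lines (not captured output): state before the svccfg change.
before_fix() {
    cat <<'EOF'
      *.22                 *.*                0      0 49152      0 LISTEN
127.0.0.1.6789             *.*                0      0 49152      0 LISTEN
EOF
}

# Constructed sample lines: state after tcp_listen=true and the console restart.
after_fix() {
    cat <<'EOF'
      *.22                 *.*                0      0 49152      0 LISTEN
      *.6789               *.*                0      0 49152      0 LISTEN
EOF
}

# On the host itself: netstat -an | listen_scope 6789
echo "before: $(before_fix | listen_scope 6789)"
echo "after:  $(after_fix | listen_scope 6789)"
```

Once the result is all-interfaces, the console login page is reachable from every network the host is attached to, so any host firewall or filtering rules should account for port 6789.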
Was this useful? Did you have a different DSEE install experience? If so, please let me know!
Some very useful links I used for this post:
- http://oldmangriffous.blogspot.com/2008/10/centralised-authentication-on-solaris_26.html
- http://www.tjhsst.edu/admin/livedoc/index.php/Sun_Java_System_Directory_Server
November 4, 2009 at 14:56
Excellent. The install is far too broken IMO. Things like Cacao shouldn’t happen. God help you if you want to set up idsync for windows as well… grrrrrr
Frustrating! Shouldn’t need to log support calls just to get the software installed!
November 6, 2009 at 14:46
—————————————————————————
Installation and configuration of Directory Server 6.3 and SGES v2.1 (9.1.1)
—————————————————————————
## Variables used below ..
ds_installpath == where Directory server will be deployed
suffix == root suffix for LDAP tree in DS instance
ds_instance == path to DS instance, usually /var/opt/$something
dscc_instance == path to DSCC instance, usually $ds_installpath/var/dscc6/dcc/ads
sges_installpath == where sges will be deployed, usually /opt/SUNWappserver
hostname == hostname of our host
1) download software:
download from sun.com DSEE.6.3.1.Solaris-Sparc-full.tar.gz and sges_ee-2_1-solaris-sparc-ml.bin
2) install Directory Server 6.3:
you need to unpack archives .. there will be ds6.3 and ds6.3.1-patch ..
## we need install first ds6.3
cd $ds63_unpacked/DSEE_ZIP_Distribution
./dsee_deploy install -i $ds_installpath --no-cacao
## then install patch
cd $ds_631-patch_unpacked
./dsee_deploy install -i $ds_installpath --no-cacao
3) Configure our new DS:
## create dscc instance:
cd $ds_installpath/dscc6/bin
./dsccsetup ads-create ## you’ll be prompted for passwd
## you can optionally create normal instance
cd $ds_installpath/ds6/bin
./dsadm create $ds_instance
./dsadm start $ds_instance
./dsconf create-suffix -h localhost -p 389 dc=$suffix
## and register it into our dscc one:
cd $ds_installpath/dscc6/bin
./dsccreg add-server -h localhost --description "muehehe" $ds_instance
## add ds/dscc instances as smf services:
cd $ds_installpath/ds6/bin
./dsadm stop $ds_instance
./dsadm enable-service $ds_instance
./dsadm stop $dscc_instance
./dsadm enable-service $dscc_instance
svcs -a | grep ds: ## prints out a service names, then use `svcadm enable $svc` to enable them
## OPTIONAL STEPS:
## disable cacao and smcwebserver as far as we don’t like them ;)
smcwebserver disable; smcwebserver stop
cacaoadm disable; cacaoadm stop
## heal freshly installed DS, which is already molested by cacao
cd $ds_installpath/dscc6/bin
./dsccsetup cacao-unreg
## check, if cacao deployed with ds6 is not running and if yes, use
kill -11 `pgrep cacao` ## it doesn’t deserve anything better than to be segfaulted
4) install GlassFish Enterprise Server:
go where you store sges_ee-2_1-solaris-sparc-ml.bin and if it’s already not, chmod +x it
## just begin installation, you’ll be asked for few questions
./sges_ee-2_1-solaris-sparc-ml.bin -tmpdir /var/tmp/sso -console
5) configure newly installed sges:
## create domain and configure it for deploying dscc controlcenter
mkdir $sges_domaindir
cd $sges_installpath/bin
./asadmin create-domain --domaindir $sges_domaindir --adminport 4848 --user admin dscc
## append following in $sges_domaindir/dscc/config/server.policy
// Permissions for Directory Service Control Center
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/dscc/-"
{
permission java.security.AllPermission;
};
## then end the process of configuration
./asadmin start-domain --domaindir $sges_domaindir --user admin dscc
cp $ds_installpath/var/dscc6/dscc.war $sges_domaindir/dscc/autodeploy
6) check if all services are running:
## admin iface for GlassFish
https://$hostname:4848
## our Directory Server Control Center
http://$hostname:8080/dscc
7) enjoy !!
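The server.policy entry in the comment above grants java.security.AllPermission to the DSCC web application. As an added example (not part of the comment and not GlassFish code), the function below lists every codeBase in a policy file that holds AllPermission so those grants can be reviewed. The second grant in the sample is constructed for contrast, `allpermission_codebases` is a hypothetical name, and the parser assumes codeBase sits on the grant line.

```shell
#!/bin/sh
# Added example: list the codeBase of each grant block in a Java policy file
# (read from stdin) that contains java.security.AllPermission.
# Assumption: codeBase appears on the same line as the grant keyword.
allpermission_codebases() {
    awk '
        /^[ \t]*\/\// { next }                    # skip // comment lines
        /^[ \t]*grant/ {
            in_grant = 1
            base = "(no codeBase: applies to all code)"
            if (match($0, /codeBase[ \t]+"[^"]*"/)) {
                base = substr($0, RSTART, RLENGTH)
                sub(/^codeBase[ \t]+"/, "", base)  # strip keyword and opening quote
                sub(/"$/, "", base)                # strip closing quote
            }
        }
        in_grant && /permission[ \t]+java\.security\.AllPermission/ { print base }
        in_grant && /^[ \t]*[}][ \t]*;/ { in_grant = 0 }
    '
}

# Sample policy text: the first grant is the one from the comment above,
# the second is a constructed, narrowly scoped entry for contrast.
sample_policy() {
    cat <<'EOF'
// Permissions for Directory Service Control Center
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/dscc/-"
{
permission java.security.AllPermission;
};
// Constructed contrast entry
grant codeBase "file:${com.sun.aas.instanceRoot}/applications/j2ee-modules/example/-"
{
permission java.util.PropertyPermission "user.dir", "read";
};
EOF
}

# Against a real domain: allpermission_codebases < $sges_domaindir/dscc/config/server.policy
sample_policy | allpermission_codebases
```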
November 6, 2009 at 14:49
Great addition Daniel!
Cheers,
Hubert
November 6, 2009 at 15:01
[…] that you get to meet people (virtually at least) with all kinds of background and knowledge. In my last blog entry I described the standard way of deploying DSEE on Solaris (using DSCC and Java Web Console). While […]