-
1. GateIn + OpenAM 9.5.2
macois Apr 5, 2011 11:25 AM (in response to macois)
Hi,
The guide is wrong on one point :
=> The modification on the jaas.conf file :
The guide says to uncomment this :
// Uncomment the following part (and comment the other part for CAS integration
org.gatein.sso.agent.login.SSOLoginModule required
org.exoplatform.services.security.j2ee.TomcatLoginModule required
portalContainerName=portal
realmName=gatein-domain
But the syntax is wrong; we just need this (be careful with the ';'):
// Uncomment the following part (and comment the other part for CAS integration
org.gatein.sso.agent.login.SSOLoginModule required;
org.exoplatform.services.security.j2ee.TomcatLoginModule required;
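The semicolon point above, checked mechanically. This is an added example, not from the thread or from GateIn: a small parser for the JAAS login-configuration grammar (each entry is "ModuleClass Flag [Option=Value ...];" and an application block is "Name { ... };") run over the lines the guide says to uncomment and over the two-line form above. Both samples are wrapped in a "gatein-domain { };" block, which is an assumption about the surrounding file. A third sample shows that the grammar also accepts the two options if they stay attached to the TomcatLoginModule entry before its ';'.

```python
"""Syntax check for the JAAS login-configuration format used by jaas.conf.

Added example code, not GateIn's own. Grammar, per the
javax.security.auth.login.Configuration documentation:

    Name {
        ModuleClass Flag [Option=Value ...];
        ...
    };

Every login-module entry is terminated by ';' and any Option=Value pairs
belong to the entry that precedes that ';'. The three sample configs below
are constructed from the lines quoted in the thread, wrapped in a
gatein-domain block (an assumption: the real file has more around them).
"""
import re

FLAGS = {"required", "requisite", "sufficient", "optional"}
# comments (// and /* */), braces/semicolons, or a word that may contain "quoted" parts
_TOKEN = re.compile(r'//[^\n]*|/\*.*?\*/|[{};]|(?:[^\s{};"]|"[^"]*")+', re.S)


def tokenize(text):
    """Split config text into tokens, dropping comments."""
    return [t for t in _TOKEN.findall(text) if not t.startswith(("//", "/*"))]


def parse_jaas(text):
    """Return {app_name: [(module_class, flag, {option: value}), ...]}.

    Raises ValueError describing the first syntax error found.
    """
    toks = tokenize(text)
    pos, apps = 0, {}
    while pos < len(toks):
        name = toks[pos]
        pos += 1
        if pos >= len(toks) or toks[pos] != "{":
            raise ValueError(f"expected '{{' after application name {name!r}")
        pos += 1
        entries = []
        while pos < len(toks) and toks[pos] != "}":
            if pos + 1 >= len(toks):
                raise ValueError(f"{name}: unexpected end of input")
            module, flag = toks[pos], toks[pos + 1].lower()
            if flag not in FLAGS:
                raise ValueError(f"module {module!r}: bad flag {toks[pos + 1]!r}")
            pos += 2
            options = {}
            while pos < len(toks) and toks[pos] != ";":
                tok = toks[pos]
                if tok in ("{", "}") or "=" not in tok:
                    # a class name or brace where an option or ';' should be:
                    # this is exactly what the guide's unterminated lines produce
                    raise ValueError(f"module {module!r}: missing ';' before {tok!r}")
                key, _, value = tok.partition("=")
                options[key] = value.strip('"')
                pos += 1
            if pos >= len(toks):
                raise ValueError(f"module {module!r}: missing terminating ';'")
            pos += 1  # consume ';'
            entries.append((module, flag, options))
        if pos >= len(toks):
            raise ValueError(f"{name}: missing closing '}}'")
        pos += 1  # consume '}'
        if pos < len(toks) and toks[pos] == ";":
            pos += 1  # the '};' that normally closes an application block
        apps[name] = entries
    return apps


def check(text):
    """None if the config parses, otherwise the parser's error message."""
    try:
        parse_jaas(text)
    except ValueError as err:
        return str(err)
    return None


# What the guide says to uncomment (no ';' anywhere): constructed from the thread.
GUIDE_VERSION = """
gatein-domain {
  // Uncomment the following part (and comment the other part for CAS integration
  org.gatein.sso.agent.login.SSOLoginModule required
  org.exoplatform.services.security.j2ee.TomcatLoginModule required
  portalContainerName=portal
  realmName=gatein-domain
};
"""

# The two-line form used in the thread, each entry terminated by ';'.
FIXED_VERSION = """
gatein-domain {
  org.gatein.sso.agent.login.SSOLoginModule required;
  org.exoplatform.services.security.j2ee.TomcatLoginModule required;
};
"""

# Also valid under the grammar: the options kept, attached to the entry before its ';'.
OPTIONS_VERSION = """
gatein-domain {
  org.gatein.sso.agent.login.SSOLoginModule required;
  org.exoplatform.services.security.j2ee.TomcatLoginModule required
      portalContainerName=portal
      realmName=gatein-domain;
};
"""

if __name__ == "__main__":
    for label, cfg in (("guide", GUIDE_VERSION), ("fixed", FIXED_VERSION),
                       ("options", OPTIONS_VERSION)):
        print(f"{label}: {check(cfg) or 'OK'}")
```

Running it reports the guide's text as "missing ';' before 'org.exoplatform.services.security.j2ee.TomcatLoginModule'", because without a terminator the parser (like the JDK's) reads the next class name as an option of the first entry; the other two samples parse.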
-
2. GateIn + OpenAM 9.5.2
macois Apr 6, 2011 6:24 AM (in response to macois)
Hi, after a few tests,
I've no error in my logs (good point) but I still have my infinite loop on the blank page. It's a problem with the cookies, isn't it???
Please help me, thanks
-
3. GateIn + OpenAM 9.5.2
stevepamer Apr 6, 2011 9:31 AM (in response to macois)
OpenAM doesn't like localhost. You need to use the FQDN.
-steve
-
4. GateIn + OpenAM 9.5.2
macois Apr 6, 2011 9:51 AM (in response to stevepamer)
Thanks for answering me Steve!
So do you think I can use the same domain (openam.vauban.com) for my GateIn and my OpenAM, even if the two applications are on the same machine but in two different Tomcats?
thanks,
regards,
françois.
-
5. GateIn + OpenAM 9.5.2
macois Apr 6, 2011 10:08 AM (in response to macois)
Hi,
I've tried with the same FQDN for OpenAM and GateIn and with two different FQDNs, and both are KO (on the same machine).
Do you have another idea ?
Thanks,
F.
-
6. GateIn + OpenAM 9.5.2
stevepamer Apr 6, 2011 10:42 AM (in response to macois)
You should be able to use the same FQDN for both. When you installed OpenAM you set the cookie domain.
When you access the system, do not use localhost in the URL; use the FQDN.
If you look at the cookies in your browser, where do you find the OpenAM cookie?
It should be under the cookie domain that you installed with.
I had this problem when I first installed and there are articles around regarding this.
You found the other issue with the cookie encoding.
-steve
-
7. GateIn + OpenAM 9.5.2
macois Apr 6, 2011 11:08 AM (in response to stevepamer)
Hi Steve,
OK for the FQDN, so that's not the matter anymore (since I used two different FQDNs: domain.agent.com (for GateIn) and openam.vauban.com (for OpenAM)). And I do my tests all the time with the domain domain.agent.com or openam.vauban.com.
In my browser the cookie is called iPlanetDirectoryPro, under the domain .vauban.com.
In my OpenAM, I found this:
For the cookie: Configuration > Server and Sites > Server default configuration > Security > The cookie is called iPlanetDirectoryPro too
(and the same for my server)
For the domain: Access Control > Domain: GateIn > Domain/Alias DNS: .vauban.com, vauban
Does it seem correct to you?
Thanks in advance,
François
-
8. GateIn + OpenAM 9.5.2
mposolda Apr 6, 2011 11:20 AM (in response to macois)
Hello,
I think that you can have a problem with validation of the OpenAM ticket. You can look at the sources of the class OpenSSOAgent http://anonsvn.jboss.org/repos/gatein/components/sso/tags/1.0.1-GA/agent/src/main/java/org/gatein/sso/agent/opensso/OpenSSOAgent.java which is doing the validation. You can enable DEBUG log for this class in server/default/conf/jboss-log4j.xml and it's possible that then you will see in server.log what is wrong.
You can also try to debug this class in your IDE, that may give you more information.
Hope this helps,
Marek
-
9. GateIn + OpenAM 9.5.2
stevepamer Apr 6, 2011 11:28 AM (in response to macois)
Hi Francois,
Hmmm. That all *seems* to be ok.
Don't know if it matters but I have everything in one domain (in your case it would be openam.vauban.com, and domain.vauban.com).
From my experience, the infinite redirect is either from the agent not finding the cookie because of a mismatch in domains, or not being able to interpret it (encoding issue), so it keeps going back to the openam server, but the openam server can see it just fine so it sends it right back.
You will probably have to turn up the logging on the agent side to message level and wade through that. There is a forum on forgerock.com that might be able to help.
Sorry, but I don't have any more ideas at the moment.
Best Regards,
Steve
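The domain-mismatch explanation above, as an added example that is not part of the thread, of GateIn or of OpenAM: a short Python model of the cookie side of the hand-off, using the hostnames from the thread and the RFC 6265 domain-match rule. It shows that a cookie set for .vauban.com is delivered to domain.vauban.com and openam.vauban.com but never to localhost or domain.agent.com, which is enough to produce the loop Steve describes. The session token value and the redirect targets are constructed, and OpenAM's ticket validation and the cookie encoding are not modeled.

```python
"""Cookie-domain check behind the infinite GateIn <-> OpenAM redirect.

Added example code, not from the thread, GateIn or OpenAM. It models one
thing: a browser only sends a cookie to a host that domain-matches the
cookie's Domain attribute (RFC 6265, section 5.1.3). OpenAM sets its
iPlanetDirectoryPro session cookie for the cookie domain chosen at
install time (.vauban.com in the thread), so a GateIn agent reached as
localhost or as domain.agent.com never receives it, sends the browser to
OpenAM again, and OpenAM, which does see its own cookie, sends it straight
back. The hostnames are the thread's; the token value is constructed.
"""
from urllib.parse import urlsplit

COOKIE_NAME = "iPlanetDirectoryPro"
MAX_HOPS = 10  # cap so the demo terminates instead of looping forever


def domain_matches(host, cookie_domain):
    """RFC 6265 domain-match: host equals the cookie domain or is a
    subdomain of it. A leading dot on the cookie domain is ignored and an
    IPv4 literal never domain-matches."""
    host = host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().strip(".")
    if host == cookie_domain:
        return True
    if not host.endswith("." + cookie_domain):
        return False
    return not host.replace(".", "").isdigit()  # crude IPv4 guard


class Browser:
    """Cookie jar keyed by (name, domain); serves cookies per request host."""

    def __init__(self):
        self.jar = {}

    def set_cookie(self, name, value, domain):
        self.jar[(name, domain.lower().strip("."))] = value

    def cookies_for(self, host):
        return {name: value for (name, domain), value in self.jar.items()
                if domain_matches(host, domain)}


def simulate_sso(browser, gatein_url, openam_url, cookie_domain,
                 token="constructed-session-token"):
    """Bounce the browser between the GateIn agent and OpenAM.

    GateIn: if the request carries the SSO cookie, accept; else redirect to OpenAM.
    OpenAM: if no cookie yet, log the user in and set it for cookie_domain;
            either way redirect back to GateIn.
    Returns ("authenticated", hops) or ("redirect-loop", MAX_HOPS).
    Redirect targets are compared as full URLs, so GateIn and OpenAM may
    share one FQDN (different path or port) as Steve suggests.
    """
    location, hops = gatein_url, 0
    while hops < MAX_HOPS:
        host = urlsplit(location).hostname
        sent = browser.cookies_for(host)
        if location == gatein_url:
            if COOKIE_NAME in sent:
                return "authenticated", hops
            location = openam_url
        else:
            if COOKIE_NAME not in sent:
                browser.set_cookie(COOKIE_NAME, token, cookie_domain)
            location = gatein_url
        hops += 1
    return "redirect-loop", hops


OPENAM = "http://openam.vauban.com:8080/openam"

if __name__ == "__main__":
    for gatein in ("http://localhost:8080/portal",
                   "http://domain.agent.com:8080/portal",
                   "http://domain.vauban.com:8080/portal",
                   "http://openam.vauban.com:8081/portal"):
        outcome, hops = simulate_sso(Browser(), gatein, OPENAM, ".vauban.com")
        print(f"{gatein:40} -> {outcome} after {hops} hops")
```

The practical check this encodes is the one Steve gives: look at which domain the iPlanetDirectoryPro cookie was stored under in the browser, then compare it with the host in the GateIn URL using the domain-match rule; if they do not match, the agent can never see the token no matter how the rest is configured.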
-
10. GateIn + OpenAM 9.5.2
macois Apr 6, 2011 12:13 PM (in response to stevepamer)
Thanks for the two answers, it's cool to have some help when you've got a tricky problem... like this one.
For the logging part in DEBUG, I modified the file GateInHOME\conf\logging.properties and I set all the logs to DEBUG.
I still have no log when I reproduce the problem.
So, is it the right file?
Or does it confirm the cookie problem?
Thanks in advance,
F.
-
11. GateIn + OpenAM 9.5.2
stevepamer Apr 6, 2011 4:35 PM (in response to macois)
Hi Francois,
I just followed these instructions and was able to get GateIn working with OpenAM 9.5.2.
Steve
-
12. Re: GateIn + OpenAM 9.5.2
macois Apr 7, 2011 3:05 AM (in response to stevepamer)
Hi!
OK, it's very good news for me: it's possible.
I just have to manage it on my local PC.
So I will follow your documentation and test it!
Did you use two different PCs? Two domains? Which version of the GateIn SSO packaging did you use?
Did you configure OpenAM to encode the cookies? Or to use c66encode?
Did you add some other configuration?
Did you have a problem with the modification of the jaas.conf file?
- If you are running GateIn in Tomcat, edit $GATEIN_HOME/conf/jaas.conf and uncomment this section
org.gatein.sso.agent.login.SSOLoginModule required
org.exoplatform.services.security.j2ee.TomcatLoginModule required
portalContainerName=portal
realmName=gatein-domain
On my PC, I just kept the first two lines with a semicolon at the end of each line.
Thanks for your help,
François.
-
13. GateIn + OpenAM 9.5.2
stevepamer Apr 7, 2011 7:57 AM (in response to macois)
Hi,
I am using two Linux machines, one for openAM running in Tomcat 6, and the other with GateIn installed in JBoss 5.
One domain.
My gateIn package was 1.0.1-GA found here:
https://repository.jboss.org/nexus/content/groups/public/org/gatein/sso/sso-packaging/1.0.1-GA/
I used the default c66encode. OpenAM 9.5.2 by default is now c66Encode=true.
No other special configuration that I am using that would affect this.
I have a separate OpenDS for my OpenAM, and use an additional read-only LDAP in GateIn against that directory (which doesn't work correctly, yet)
but am able to authenticate against users created in GateIn (root, mary, etc.)
I am running GateIn in JBoss, not Tomcat, so I did not have to configure jaas.conf.
The instructions seem to assume that you are running on the same host, so step 5 didn't mention that you need to edit gatein.properties and put in the host and port for your GateIn host.
Good Luck,
Steve
-
14. GateIn + OpenAM 9.5.2
prabhat.jha Apr 7, 2011 8:55 AM (in response to stevepamer)
Hi Steve,
We appreciate your active contributions to the GateIn community on OpenAM integration. Thanks a lot.
Is it possible for you to create a wiki/how-to doc on this topic assuming that a user has just downloaded GateIn? We have created a few similar docs such as http://community.jboss.org/wiki/Createanewportalusingextension
Thanks,
Prabhat