OpenAM J2EE agent installation bringing down tomcat
Asked Answered
V

1

1

OpenAM version -12 , Agent version 3.5 and 3.3 , tomcat version 7

I have tried to follow the link https://forums.alfresco.com/forum/installation-upgrades-configuration-integration/authentication-ldap-sso/sso-openam-06052012 to set up my J2EE Agent. Let me paste the steps after asking the question(see at the end)

but I am getting the error as asked below

Not able to configure J2ee agent on adding my customized data store for users

I have tried to use 3.5 version installed and uninstalled multiple times and tried previous version.

There is a nice discussion on this topic at http://database.developer-works.com/article/16009911/%22Cannot+obtain+Application+SSO+token%22+error but it did not help me much.

I am using LDAP so I have used LDAP realm and subjects are showing up ok. Also I am observing that the policy tab has changed quite a bit from how it is described in the Blogs.

Now with the roadblock I am not sure how to proceed as the error is not giving me any clue what to do. I even added the file named AMConfig.properties in the classpath with username and password of the agent and tried the username and password of the OpenAM admin too as suggested in the discussion mentioned. but that too did not help.

The issue is the Tomcat now is not starting and giving error that AMConfig.properties properties are needed

I know the OpenAM Realm setup is good as I am able to login via this realm to another application (Liferay) where I just have to give the URL for use OpenAM integration. but after uninstallation of the agent the tomcat starts without any error and i am able to login to the application

-------------------Step copied from 1st link(modified)--------------------------

1. Configure your OpenAM agent (tried both 3.5 and 3.3 version on tomcat 7)
a. Log into OpenAM as the admin user and navigate to "Access Control -> (Your Realm) - where in my case LDAP Realm (other application using it without issue)
b. Select Policies -> New Policy
c. Enter Share as the policy name and then create 2 new URL Policy agent rules
d. 1st Resource Name = http://:/share/*
e. 2nd Resource Name = http://alfresco.domain.com:8080/share/*?*
f. Add a subjects - already part of LDAP Realm 
g. Now select Agents -> J2EE - > (your J2EE agent)
h. Select the Application tab
i. Login Processing -> Login Form URI - add /share/page/dologin
j. Logout Processing -> Application Logout URL - add Map Key = share - Corresponding Map Value = /share/page/dologout
k. Not Enforced URI Processing - Add 2 entries - /share and /share/
l. Profile Attributes Processing - Select HTTP_HEADER and add Map Key = uid - Corresponding Map Value = SsoUserHeader (This is what I called my header in the alfresco-global.properties file - see below)

  Auth chain
authentication.chain=external1:external,alfrescoNtlm1:alfrescoNtlm 
alfresco.authentication.allowGuestLogin=true

  SSO settings
external.authentication.enabled=true
external.authentication.defaultAdministratorUserNames=admin
external.authentication.proxyUserName=
external.authentication.proxyHeader=SsoUserHeader

NOTE- It does not seem possible to configure SSO where the Guest login has been disabled. There are webscripts used on the Alfresco repository that need guest login.

That concludes the setup for Alfresco and OpenAM

For Share you need to have the following section uncommented in your share-config-custom.xml


alfresco/web-extension/alfresco-system.p12
pkcs12
alfresco-system



alfrescoCookie
Alfresco Connector
Connects to an Alfresco instance using cookie-based authentication
org.alfresco.web.site.servlet.SlingshotAlfrescoConnector



alfrescoHeader
Alfresco Connector
Connects to an Alfresco instance using header and cookie-based authentication
org.alfresco.web.site.servlet.SlingshotAlfrescoConnector
SsoUserHeader

alfresco
Alfresco - user access
Access to Alfresco Repository WebScripts that require user authentication
alfrescoHeader
http://alfreso.domain.com:8080/alfresco/wcs
user
true


Notice I am not using the SSL cert and in my alfrescoHeader connector I have used SsoUserHeader (as setup in OpenAM) and the endpoint uses the alfrescoHeader connector

Now you need to add the OpenAM filter to the Share web.xml file

Add the following filter just before the Share SSO authentication support filter


Agent
com.sun.identity.agents.filter.AmAgentFilter
Add the following filter mapping to the filter-mapping section


Agent

REQUEST
INCLUDE
FORWARD
ERROR
----- End ----------
Vaso answered 8/3, 2015 at 22:36 Comment(1)
I have restarted the server of OpenAM as suggested by some of the post but not much change in the situation.Vaso
G
3

The error message is a bit misleading: the Cannot obtain application SSO token in general means that the agent was unable to authenticate itself. When you install the agent, the agent asks for a profile name and a password file, those values need to correspond to the agent profile configured within OpenAM. To test if you can authenticate as the user, you could simply try to authenticate as the agent by making the following request:

curl -d "username=profilename&password=password&uri=realm=/%26module=Application" http://aldaris.sch.bme.hu:8080/openam/identity/authenticate

In the above command the realm value needs to be the same as the value for the "com.sun.identity.agents.config.organization.name" property defined in OpenSSOAgentBootstrap.properties (under the agent's install directory).

Having bad username/password combination is only one of the possible root causes for this exception though. It is also possible that during startup the agent was unable to connect to OpenAM to authenticate itself. In those cases the problem could be:

  • network error, firewall issues preventing the agent from contacting OpenAM
  • SSL trust issues: agent's JVM does not trust the certificate of OpenAM's container (only problem if you've installed the agent by providing OpenAM's HTTPS URL and the certificate is self-signed or just simply not trusted by the JVM)
Gustative answered 9/3, 2015 at 14:50 Comment(2)
Thanks Peter. It was the case indeed. following the following link gave me better control on what is going on. docs.forgerock.org/en/openam-pa/3.1.0-Xpress/…Vaso
@Peter Major please tell me what is uri value hereHord

© 2022 - 2024 — McMap. All rights reserved.