cxf-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oliver Wulff (Confluence)" <>
Subject [CONF] Apache CXF > Fediz Websphere
Date Mon, 24 Jun 2013 06:49:00 GMT
    <base href="">
            <link rel="stylesheet" href="/confluence/s/de/2176/1/15/_/styles/combined.css?spaceKey=CXF&amp;forWysiwyg=true"
<body style="background: white;" bgcolor="white" class="email-body">
<div id="pageContent">
<div id="notificationFormat">
<div class="wiki-content">
<div class="email">
    <h2><a href="">Fediz
    <h4>Page  <b>added</b> by             <a href="">Oliver
    <div class="notificationGreySide">
         <h1><a name="FedizWebsphere-IBMWebspherePlugin"></a>IBM Websphere
<p>This page describes how to enable Federation for a IBM Websphere instance hosting
Relying Party (RP) applications. This configuration is not for a Websphere instance hosting
the Fediz IDP and IDP STS WARs but for applications that use SAML assertions for authentication.
 After this configuration is done, the Websphere-RP instance will validate the incoming SignInResponse
created by the IDP server.</p>

<p>Prior to doing this configuration, make sure you've first deployed the Fediz IDP
and STS on the separate Servlet Container instance as discussed <a href="/confluence/display/CXF/Fediz+IDP"
title="Fediz IDP">here</a>, and can view the STS WSDL at the URL given on that page.
 That page also provides some tips for running multiple Tomcat instances on your machine.</p>

<h3><a name="FedizWebsphere-Installation"></a>Installation</h3>

<p>You have to build the Fediz plugin on your own as it depends on IBM Websphere libraries.
If you have built the plugin on your own you'll find the required libraries in <tt>plugins/websphere/target/</tt></p>

	<li>Create sub-directory <tt>fediz</tt> in <tt>${catalina.home}/lib</tt></li>
	<li>Update in ${catalina.home}/conf<br/>
add the previously created directory to the common loader:<br/>
	<li>Deploy the libraries to the directory created in (1)</li>

<h3><a name="FedizWebsphere-Configuration"></a>Configuration</h3>

<h5><a name="FedizWebsphere-HTTPSconfiguration"></a>HTTPS configuration</h5>

<p>It's recommended to set up a dedicated (separate) Tomcat instance for the Relying
Party. The Fediz RP web applications use the following TCP ports:</p>
	<li>HTTP port: 8080 (used for Maven deployment, mvn tomcat:redeploy)</li>
	<li>HTTPS port: 8443 (where IDP and STS are accessed)</li>
	<li>Server port (for shutdown and other commands): 8005</li>

<p>These are the default ports for a standard Tomcat installation.</p>

<p>The Relying Party must be accessed over HTTPS to protect the security tokens issued
by the IDP.</p>

<p>The Tomcat HTTP(s) configuration is done in conf/server.xml.</p>

<p>This is a sample snippet for an HTTPS configuration:</p>

<div class="error"><span class="error">Unknown macro: {code}</span> 
<p>    &lt;Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"<br/>
               maxThreads="150" scheme="https" secure="true"<br/>
               keystorePass="tompass" sslProtocol="TLS" /&gt;</p></div>

<p>The keystoreFile is relative to $CATALINA_HOME. See <a href=""
class="external-link" rel="nofollow">here</a> for the Tomcat 7 configuration reference.
This page also describes how to create certificates.  Sample Tomcat keystores (not for production
use, but useful for demoing Fediz and running the sample applications) are provided in the
examples/samplekeys folder of the Fediz distribution.  Note the Tomcat keystore here is different
from the one used to configure the Tomcat-IDP instance.</p>

<p>To establish trust, there are significant keystore/truststore requirements between
the Tomcat instances and the various web applications (IDP, STS, Relying party applications,
third party web services, etc.)  See <a href=""
class="external-link" rel="nofollow">this page</a> for more details, it lists the
trust requirements as well as sample scripts for creating your own (self-signed) keys.</p>

<p><b>Warning:  All sample keystores provided with Fediz (including in the WAR
files for its services and examples) are for development/prototyping use only.  They'll need
to be replaced for production use, at a minimum with your own self-signed keys but strongly
recommended to use third-party signed keys.</b></p>

<p>If you are currently just trying to run the Fediz samples, the configuration above
is all you need (the below configuration is already provided within the samples) so you can
return now to the samples' READMEs for the next steps in running them.</p>

<h5><a name="FedizWebsphere-FedizPluginconfigurationforYourWebApplication"></a>Fediz
Plugin configuration for Your Web Application</h5>

<p>The Fediz related configuration is done in a Servlet Container independent configuration
file which is described <a href="/confluence/display/CXF/Fediz+Configuration" title="Fediz

<p>The Fediz plugin requires configuring the FederationAuthenticator like any other
Valve in Tomcat. Detailed information about the Tomcat Valve concept is available <a href=""
class="external-link" rel="nofollow">here</a>.</p>

<p>A Valve can be configured on different levels like <em>Host</em> or <em>Context</em>.
The Fediz configuration file allows to configure all servlet contexts in one file or choosing
one file per Servlet Context. If you choose to have one Fediz configuration file per Servlet
Context then you must configure the FederationAuthenticator on the <em>Context</em>
level otherwise on the <em>Host</em> level in the Tomcat configuration file <em>server.xml</em></p>

<p>You can either configure the context in the server.xml or in META-INF/context.xml
as part of your WAR file.</p>

<h6><a name="FedizWebsphere-METAINF%2Fcontext.xml"></a>META-INF/context.xml</h6>
<div class="error"><span class="error">Unknown macro: {code}</span> 
<p>  &lt;Context&gt; <br/>
    &lt;Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"<br/>
      configFile="conf/Fediz_config.xml" /&gt;<br/>
  &lt;/Context&gt; </p></div>

<h6><a name="FedizWebsphere-Hostlevelinserver.xml"></a>Host level in server.xml</h6>
<div class="error"><span class="error">Unknown macro: {code}</span> 
<p>  &lt;Host name="localhost"  appBase="webapps"<br/>
        unpackWARs="true" autoDeploy="true"&gt;<br/>
    &lt;Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"<br/>
           configFile="conf/Fediz_config.xml" /&gt;<br/>

<h6><a name="FedizWebsphere-Contextlevelinserver.xml"></a>Context level
in server.xml</h6>
<div class="error"><span class="error">Unknown macro: {code}</span> 
<p>  &lt;Context path="/fedizhelloworld" docBase="fedizhelloworld"&gt;<br/>
    &lt;Valve className="org.apache.cxf.fediz.tomcat.FederationAuthenticator"<br/>
      configFile="conf/Fediz_config.xml" /&gt;<br/>

<p>The Fediz configuration file is a Servlet container independent configuration file
and described <a href="/confluence/display/CXF/Fediz+Configuration" title="Fediz Configuration">here</a></p>

<h3><a name="FedizWebsphere-WebApplicationdeployment"></a>Web Application

<p>Deploy your Web Application to your Tomcat installation (&lt;catalina.home&gt;/webapps).
 If you're running the Fediz examples, their README files will have instructions on how to
do this.</p>

<h3><a name="FedizWebsphere-FederationMetadatadocument"></a>Federation Metadata

<p>The Tomcat Fediz plugin supports publishing the WS-Federation Metadata document which
is described <a href="/confluence/display/CXF/Fediz+Metadata" title="Fediz Metadata">here</a>.</p>

    <div id="commentsSection" class="wiki-content pageSection">
       <div style="float: right;" class="grey">
                        <a href="">Stop
watching space</a>
            <span style="padding: 0px 5px;">|</span>
                <a href="">Change
email notification preferences</a>
       <a href="">View
       <a href=";showCommentArea=true#addcomment">Add

View raw message