For work I am going to write an OSS x Security article for a technical magazine. As a first experimental memo, this article covers the steps until OpenAM is running on VirtualBox on a Mac. As the second step, the next article covers logging in to the AWS Management Console with a user ID created in OpenAM.
--Multi-machine setting to start multiple units at the same time with Vagrant - https://weblabo.oscasierra.net/vagrant-malti-machine/
I previously did this on a company-rented MacBook Air; this time I re-ran everything on my personal MacBook Pro to write this article. I started with almost no prerequisite software installed, so this may be useful for readers in a similar situation. As a Unix lover I really like macOS, where Unix commands can be hammered out in Terminal.
macbookpro% sw_vers
ProductName: Mac OS X
ProductVersion: 10.15.6
BuildVersion: 19G73
Install the latest VirtualBox. Needless to say, it is the virtualization hypervisor provided by Oracle, and it also runs on macOS. Download it from below.
Open the dmg file and start the installation following the instructions. However, I got the error shown below and could not proceed. According to here, this is caused by a security feature called SKEL (Secure Kernel Extension Loading) added in macOS 10.13 High Sierra: the user must explicitly grant permission before a third-party kernel extension (KEXT) can be loaded. When you open Security & Privacy in System Preferences, the same message appears at the bottom; click the lock icon and press the Allow button. Then continue following the installer's instructions.
You could use VirtualBox directly, but I expect to try out various VMs in the future, so I want something that makes that easy. I therefore decided to use Vagrant, which can automatically build and configure VMs on hypervisors such as VirtualBox and VMware. Vagrant is OSS provided by HashiCorp, and there is a macOS version.
Open the dmg file; this one installs without any problems.
macbookpro% vagrant --version
Vagrant 2.2.9
Next come the Vagrant settings. Create a directory for Vagrant (qiita in this case) and initialize it; a configuration file called Vagrantfile is created.
macbookpro% mkdir qiita
macbookpro% cd qiita
macbookpro% vagrant init
A `Vagrantfile` has been placed in this directory. You are now
ready to `vagrant up` your first virtual environment! Please read
the comments in the Vagrantfile as well as documentation on
`vagrantup.com` for more information on using Vagrant.
Build the OpenAM VM this time with the following assumptions.
hostname | function | OS | IP address | SSH port (host side) | Remarks
---|---|---|---|---|---
samlidp | OpenAM | CentOS 7 | 192.168.75.200 | 10022 |
You can choose from several free Linux distributions, but since I am an employee of the company that acquired Red Hat, I chose CentOS, a RHEL clone. The latest CentOS is 8.2, but according to here OpenAM only supports CentOS 6 and 7. Vagrant provides images of the major OSes as standard; check here and select CentOS 7.
To do this, edit the Vagrantfile with your favorite editor such as vi, as shown below. I will come back to synced_folder later.
macbookpro% diff Vagrantfile.org Vagrantfile
69a70,76
> config.vm.box="centos/7"
> config.vm.synced_folder "../data","/vagrant_data"
> config.vm.define "samlidp" do |node|
> node.vm.hostname = "samlidp"
> node.vm.network :private_network, ip: "192.168.75.200"
> node.vm.network :forwarded_port, guest: 22, host: 10022, id: "ssh"
> end
> end
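Review bot: the header `69a70,76` announces seven added lines, but eight `>` lines follow, so one of the two trailing `end`s is probably the Vagrantfile's existing closing line rather than an addition; re-check that the file ends with exactly one `end` for the outer `Vagrant.configure` block, since an extra `end` makes Ruby fail to parse the file and `vagrant up` will not start. The `config.vm.box = "base"` line that `vagrant init` generates is left in place and only overridden by the later `config.vm.box="centos/7"`; editing it in place would be clearer. Note also that `"../data"` is mounted read-write inside the guest, so anything root in the VM writes there lands on the host; keep only the installers you intend to share in that directory.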
To download the CentOS 7 box, use the following command. Along the way you are asked to select the VM provider, so select VirtualBox.
macbookpro% vagrant box add centos/7
==> box: Loading metadata for box 'centos/7'
box: URL: https://vagrantcloud.com/centos/7
This box can work with multiple providers! The providers that it
can work with are listed below. Please review the list and choose
the provider you will be working with.
1) hyperv
2) libvirt
3) virtualbox
4) vmware_desktop
Enter your choice: 3
==> box: Adding box 'centos/7' (v2004.01) for provider: virtualbox
box: Downloading: https://vagrantcloud.com/centos/boxes/7/versions/2004.01/providers/virtualbox.box
==> box: Box download is resuming from prior download progress
Download redirected to host: cloud.centos.org
box: Calculating and comparing box checksum...
==> box: Successfully added box 'centos/7' (v2004.01) for 'virtualbox'!
Vagrant has a nice feature that lets you share files between the host and the VM. It is very convenient to be able to refer to files downloaded on the macOS side from the VM side, so I use it here as well. That setting is the following line in the Vagrantfile:
config.vm.synced_folder "../data","/vagrant_data"
It makes the ../data directory on the host side (relative to the directory containing the Vagrantfile) visible as the /vagrant_data directory on the VM side, so files can be shared. So, after creating the ../data directory, try starting the OpenAM host (samlidp).
macbookpro% mkdir ../data
macbookpro% vagrant up samlidp
Bringing machine 'samlidp' up with 'virtualbox' provider...
==> samlidp: Importing base box 'centos/7'...
==> samlidp: Matching MAC address for NAT networking...
==> samlidp: Checking if box 'centos/7' version '2004.01' is up to date...
==> samlidp: Setting the name of the VM: qiita_samlidp_1596494850684_97193
(Omission)
==> samlidp: Rsyncing folder: /Users/kobesuzuobu/qiita/ => /vagrant
==> samlidp: Mounting shared folders...
samlidp: /vagrant_data => /Users/kobesuzuobu/data
Vagrant was unable to mount VirtualBox shared folders. This is usually
because the filesystem "vboxsf" is not available. This filesystem is
made available via the VirtualBox Guest Additions and kernel module.
Please verify that these guest additions are properly installed in the
guest. This is not a bug in Vagrant and is usually caused by a faulty
Vagrant box. For context, the command attempted was:
mount -t vboxsf -o uid=1000,gid=1000 vagrant_data /vagrant_data
The error output from the command was:
mount: unknown filesystem type 'vboxsf'
In my environment the startup stopped with the error shown above. According to here, it seems to be caused by a version mismatch between the host-side and VM-side parts of the file sharing function described above, and it can be solved by installing a plug-in, so I will try that.
macbookpro% vagrant plugin install vagrant-vbguest
Installing the 'vagrant-vbguest' plugin. This can take a few minutes...
Fetching micromachine-3.0.0.gem
Fetching vagrant-vbguest-0.24.0.gem
Installed the plugin 'vagrant-vbguest (0.24.0)'!
macbookpro% vagrant up samlidp
Bringing machine 'samlidp' up with 'virtualbox' provider...
==> samlidp: Checking if box 'centos/7' version '2004.01' is up to date...
The error at VM startup is now gone.
Right away, log in to the started VM over ssh with the vagrant ssh command from the macOS side.
macbookpro% vagrant ssh samlidp
[vagrant@samlidp ~]$
Since I could log in, I will continue by installing OpenAM on the VM. I immediately tried the file sharing function, but the /vagrant_data file system was not visible from the VM. I am not sure what the situation was, but after stopping the VM once with vagrant halt samlidp and bringing it up again, it installed some additional things and then started normally.
macbookpro% vagrant up samlidp
Bringing machine 'samlidp' up with 'virtualbox' provider...
==> samlidp: Checking if box 'centos/7' version '2004.01' is up to date...
==> samlidp: Clearing any previously set forwarded ports...
==> samlidp: Clearing any previously set network interfaces...
(Omission)
==> samlidp: Rsyncing folder: /Users/kobesuzuobu/qiita/ => /vagrant
==> samlidp: Mounting shared folders...
samlidp: /vagrant_data => /Users/kobesuzuobu/data
==> samlidp: Machine already provisioned. Run `vagrant provision` or use the `--provision`
==> samlidp: flag to force provisioning. Provisioners marked to run always will still run.
Now the /vagrant_data filesystem shows up in df, as below.
macbookpro% vagrant ssh samlidp
Last login: Mon Aug 3 23:10:38 2020 from 10.0.2.2
[vagrant@samlidp ~]$ df -k
Filesystem 1K-blocks Used Available Use% Mounted on
devtmpfs 241824 0 241824 0% /dev
tmpfs 249340 0 249340 0% /dev/shm
tmpfs 249340 4584 244756 2% /run
tmpfs 249340 0 249340 0% /sys/fs/cgroup
/dev/sda1 41921540 3438796 38482744 9% /
vagrant_data 244912536 185393884 59518652 76% /vagrant_data
tmpfs 49872 0 49872 0% /run/user/1000
I will be playing with various OSS in the future and want to be able to download files in one shot, so a little preparation here. Specifically, there is no wget in CentOS on the VM, so I will put wget on the host side instead. The brew command is needed to install wget, so install Homebrew first.
To install Homebrew, follow the steps below as described on the site above. In my environment this also pulled in an update for the already installed Xcode.
macbookpro% /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
Password:
==> This script will install:
/usr/local/bin/brew
/usr/local/share/doc/homebrew
/usr/local/share/man/man1/brew.1
/usr/local/share/zsh/site-functions/_brew
/usr/local/etc/bash_completion.d/brew
/usr/local/Homebrew
(Omission)
Receiving objects: 100% (775016/775016), 308.92 MiB | 1.86 MiB/s, done.
Resolving deltas: 100% (516220/516220), done.
Updating files: 100% (5415/5415), done.
Tapped 2 commands and 5161 formulae (5,440 files, 338.8MB).
Already up-to-date.
==> Installation successful!
==> Homebrew has enabled anonymous aggregate formulae and cask analytics.
Read the analytics documentation (and how to opt-out) here:
https://docs.brew.sh/Analytics
No analytics data has been sent yet (or will be during this `install` run).
==> Homebrew is run entirely by unpaid volunteers. Please consider donating:
https://github.com/Homebrew/brew#donations
==> Next steps:
- Run `brew help` to get started
- Further documentation:
https://docs.brew.sh
Homebrew (brew command) is now available as shown below.
macbookpro% brew --version
Homebrew 2.4.9
Homebrew/homebrew-core (git revision 2e056; last commit 2020-08-03)
Then use this Homebrew to install wget.
macbookpro% brew install wget
==> Downloading https://homebrew.bintray.com/bottles/gettext-0.21.catalina.bottl
==> Downloading from https://d29vzk4ow07wi7.cloudfront.net/cdea54f52b7c36ebcb5fe
######################################################################## 100.0%
(Omission)
If you need to have openssl@1.1 first in your PATH run:
echo 'export PATH="/usr/local/opt/openssl@1.1/bin:$PATH"' >> ~/.zshrc
For compilers to find openssl@1.1 you may need to set:
export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib"
export CPPFLAGS="-I/usr/local/opt/openssl@1.1/include"
You can now use wget as well.
macbookpro% wget --version
GNU Wget 1.20.3 built on darwin19.0.0.
-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
+ntlm +opie -psl +ssl/openssl
Wgetrc:
/usr/local/etc/wgetrc (system)
Locale:
/usr/local/Cellar/wget/1.20.3_2/share/locale
Compile:
clang -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
-DLOCALEDIR="/usr/local/Cellar/wget/1.20.3_2/share/locale" -I.
-I../lib -I../lib -I/usr/local/opt/openssl@1.1/include -DNDEBUG -g
-O2
Link:
clang -DNDEBUG -g -O2 -lidn2 -L/usr/local/opt/openssl@1.1/lib -lssl
-lcrypto -ldl -lz ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a
-liconv -lintl -Wl,-framework -Wl,CoreFoundation -lunistring
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.
Apache Tomcat is required as the base for OpenAM, and Tomcat requires the Java SDK. Download the following to the ../data directory. If you do not have an Oracle profile yet, you need to register first; you can then download it after logging in with your email address and password.
The downloaded file is visible in /vagrant_data on the VM, so become root and install it locally with yum.
[root@samlidp ~]# yum localinstall /vagrant_data/jdk-8u261-linux-x64.rpm
Loaded plugins: fastestmirror
Examining /vagrant_data/jdk-8u261-linux-x64.rpm: 2000:jdk1.8-1.8.0_261-fcs.x86_64
Marking /vagrant_data/jdk-8u261-linux-x64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package jdk1.8.x86_64 2000:1.8.0_261-fcs will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
jdk1.8 x86_64 2000:1.8.0_261-fcs /jdk-8u261-linux-x64 245 M
Transaction Summary
================================================================================
Install 1 Package
Total size: 245 M
Installed size: 245 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 2000:jdk1.8-1.8.0_261-fcs.x86_64 1/1
Unpacking JAR files...
tools.jar...
plugin.jar...
javaws.jar...
deploy.jar...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
Verifying : 2000:jdk1.8-1.8.0_261-fcs.x86_64 1/1
Installed:
jdk1.8.x86_64 2000:1.8.0_261-fcs
Complete!
That went well, so next we install Apache Tomcat, the web application server that OpenAM runs on. According to here again, OpenAM only supports Tomcat 7 or 8, so install the latest of those, 8.5.57.
Download the source code of Apache Tomcat itself to the ../data directory with the wget you prepared earlier.
macbookpro% wget https://ftp.riken.jp/net/apache/tomcat/tomcat-8/v8.5.57/bin/apache-tomcat-8.5.57.tar.gz
--2020-08-26 14:19:29-- https://ftp.riken.jp/net/apache/tomcat/tomcat-8/v8.5.57/bin/apache-tomcat-8.5.57.tar.gz
Resolving ftp.riken.jp (ftp.riken.jp)... 134.160.38.1
Connecting to ftp.riken.jp (ftp.riken.jp)|134.160.38.1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10379806 (9.9M) [application/x-gzip]
Saving to: ‘apache-tomcat-8.5.57.tar.gz’
apache-tomcat-8.5.5 100%[===================>] 9.90M 3.35MB/s in 3.0s
2020-08-26 14:19:32 (3.35 MB/s) - ‘apache-tomcat-8.5.57.tar.gz’ saved [10379806/10379806]
Log in to the VM and continue installation and configuration. First, create the user ID and group required to run Tomcat.
[vagrant@samlidp ~]$ sudo su -
[root@samlidp ~]# useradd tomcat
[root@samlidp ~]# passwd tomcat
Changing password for user tomcat.
New password:Naisho
BAD PASSWORD: The password contains the user name in some form
Retype new password:
passwd: all authentication tokens updated successfully.
In the directory shared with the host OS, /vagrant_data, you will find the downloaded tar.gz file. Unpack it, move it to its intended location, and change the owner and group to the user created above.
[root@samlidp ~]# cd /vagrant_data
[root@samlidp vagrant_data]# tar xvpzf apache-tomcat-8.5.57.tar.gz
apache-tomcat-8.5.57/conf/
apache-tomcat-8.5.57/conf/catalina.policy
apache-tomcat-8.5.57/conf/catalina.properties
(Omission)
apache-tomcat-8.5.57/bin/startup.sh
apache-tomcat-8.5.57/bin/tool-wrapper.sh
apache-tomcat-8.5.57/bin/version.sh
[root@samlidp vagrant_data]# mv apache-tomcat-8.5.57 /opt/tomcat
[root@samlidp vagrant_data]# cd /opt
[root@samlidp opt]# chown -R tomcat:tomcat tomcat
Next, prepare the unit file so that Tomcat can be started via systemd. Create the two files shown below with an editor such as vi, then reload systemd.
[root@samlidp opt]# cat /etc/systemd/system/tomcat.service
[Unit]
Description=Apache Tomcat 8
After=network.target
[Service]
User=tomcat
Type=forking
EnvironmentFile=/etc/sysconfig/tomcat
KillMode=none
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
[Install]
WantedBy=multi-user.target
[root@samlidp opt]# cat /etc/sysconfig/tomcat
JAVA_HOME="/usr/java/jdk1.8.0_261-amd64/jre/"
JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom"
[root@samlidp opt]# systemctl daemon-reload
Now that everything is ready, start Tomcat via systemd and check it.
[root@samlidp opt]# systemctl enable tomcat
Created symlink from /etc/systemd/system/multi-user.target.wants/tomcat.service to /etc/systemd/system/tomcat.service.
[root@samlidp opt]# systemctl start tomcat
[root@samlidp opt]# systemctl status tomcat
● tomcat.service - Apache Tomcat 8
Loaded: loaded (/etc/systemd/system/tomcat.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2020-08-26 05:30:19 UTC; 6s ago
Process: 7993 ExecStart=/opt/tomcat/bin/startup.sh (code=exited, status=0/SUCCESS)
Main PID: 8007 (java)
CGroup: /system.slice/tomcat.service
└─8007 /usr/bin/java -Djava.util.logging.config.file=/opt/tomcat/c...
Aug 26 05:30:19 samlidp systemd[1]: Starting Apache Tomcat 8...
Aug 26 05:30:19 samlidp systemd[1]: Started Apache Tomcat 8.
[root@samlidp opt]# ss -nat | grep 8080
LISTEN 0 100 [::]:8080 [::]:*
Apache Tomcat is listening on port 8080 without any problem, so try accessing it from the browser right away. As written in the Vagrantfile, the VM samlidp on which Tomcat runs has the IP address 192.168.75.200, so access http://192.168.75.200:8080/ from Firefox on macOS.
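The manual Tomcat steps above (service user, JDK RPM, unpack, ownership, systemd unit, start) as one idempotent provisioning script, written here as an added example rather than taken from the post; the script name provision-tomcat.sh and the --install flag are my choices, while the paths, package names and versions are the ones used above. Unlike the post, the tomcat account gets no password and no login shell, since a service account does not need either.

```shell
#!/usr/bin/env bash
# provision-tomcat.sh (hypothetical name): reproduces the post's manual
# Tomcat steps so the VM can be rebuilt with `vagrant destroy && vagrant up`.
# Assumes the JDK RPM and Tomcat tarball are in /vagrant_data, as in the post.
set -eu

TOMCAT_VERSION="8.5.57"
TOMCAT_HOME="/opt/tomcat"
JDK_HOME="/usr/java/jdk1.8.0_261-amd64/jre/"
DATA_DIR="/vagrant_data"

# Render the systemd unit. Group= is added to the post's unit so files Tomcat
# creates stay owned by tomcat:tomcat rather than the default group of root.
tomcat_unit() {
  cat <<EOF
[Unit]
Description=Apache Tomcat 8
After=network.target

[Service]
User=tomcat
Group=tomcat
Type=forking
EnvironmentFile=/etc/sysconfig/tomcat
ExecStart=${TOMCAT_HOME}/bin/startup.sh
ExecStop=${TOMCAT_HOME}/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
EOF
}

# Environment read by startup.sh; /dev/./urandom avoids SecureRandom blocking
# on /dev/random in a headless VM with little entropy.
tomcat_env() {
  printf 'JAVA_HOME="%s"\nJAVA_OPTS="-Djava.security.egd=file:/dev/./urandom"\n' "$JDK_HOME"
}

install_tomcat() {
  # Service account: no password, no login shell, no home directory created.
  id tomcat >/dev/null 2>&1 || useradd -r -M -s /sbin/nologin -d "$TOMCAT_HOME" tomcat
  rpm -q jdk1.8 >/dev/null 2>&1 || yum -y localinstall "${DATA_DIR}/jdk-8u261-linux-x64.rpm"
  if [ ! -d "$TOMCAT_HOME" ]; then
    tar xzf "${DATA_DIR}/apache-tomcat-${TOMCAT_VERSION}.tar.gz" -C /opt
    mv "/opt/apache-tomcat-${TOMCAT_VERSION}" "$TOMCAT_HOME"
  fi
  chown -R tomcat:tomcat "$TOMCAT_HOME"
  tomcat_unit > /etc/systemd/system/tomcat.service
  tomcat_env  > /etc/sysconfig/tomcat
  systemctl daemon-reload
  systemctl enable tomcat
  systemctl start tomcat
}

# Only install when explicitly asked, so the file can be sourced for inspection.
if [ "${1:-}" = "--install" ]; then install_tomcat; fi
```

Run it inside the VM as root with `bash provision-tomcat.sh --install`, or hook it into the Vagrantfile with `config.vm.provision "shell", path: "provision-tomcat.sh", args: ["--install"]` so it runs automatically on `vagrant up`.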
Now that Apache Tomcat is reachable, proceed to install OpenAM. The latest version of OpenAM seems to be 13.5.2, but all 13.5.x versions seem to require a subscription, so download the 13.0.0 zip file instead. To download it you need to register as a user and log in with your user ID, password and authentication method (I chose Skip, since I am only using the free software).
unzip is not included in CentOS by default, so unpack the archive on the macOS host side instead.
macbookpro% unzip OpenAM-13.0.0.zip
Archive: OpenAM-13.0.0.zip
creating: openam/
creating: openam/legal-notices/
inflating: openam/legal-notices/license.txt
inflating: openam/legal-notices/THIRDPARTYREADME.txt
creating: openam/ldif/
inflating: openam/ldif/fam_sds_schema.ldif
inflating: openam/ldif/fam_sds_index.ldif
inflating: openam/ldif/fam_tivolids_schema.ldif
inflating: openam/ldif/fam_ad_schema.ldif
inflating: openam/ldif/README
inflating: openam/OpenAM-13.0.0.war
inflating: openam/ClientSDK-13.0.0.jar
inflating: openam/Fedlet-13.0.0.zip
inflating: openam/SSOAdminTools-13.0.0.zip
inflating: openam/ExampleClientSDK-CLI-13.0.0.zip
inflating: openam/ExampleClientSDK-WAR-13.0.0.war
inflating: openam/IDPDiscovery-13.0.0.war
inflating: openam/SSOConfiguratorTools-13.0.0.zip
Log in to the VM, copy the expanded war file to the specified directory of Tomcat, and change the owner.
[vagrant@samlidp ~]$ sudo su -
Last login: Wed Aug 26 05:24:47 UTC 2020 on pts/0
[root@samlidp ~]# cd /vagrant_data/openam/
[root@samlidp openam]# cp OpenAM-13.0.0.war /opt/tomcat/webapps/openam.war
[root@samlidp openam]# cd /opt/tomcat/webapps/
[root@samlidp webapps]# chown tomcat:tomcat openam.war
[root@samlidp webapps]# chmod 755 openam.war
Then restart Apache Tomcat to check.
[root@samlidp webapps]# systemctl restart tomcat
[root@samlidp webapps]# ss -nat | grep 808
LISTEN 0 100 [::]:8080 [::]:*
TIME-WAIT 0 0 [::1]:34808 [::1]:8080
It is working fine, so try accessing http://192.168.75.200:8080/openam/ from your browser. For later use, also make the name resolvable in /etc/hosts on macOS. Here I use the domain kawajun.local, which I made up arbitrarily.
macbookpro% sudo vi /etc/hosts
Password:
(Add the following)
192.168.75.200 samlidp.kawajun.local samlidp
Try accessing it by this name as well, just in case. Congratulations: I was able to open the OpenAM default page from Firefox on macOS.