[CENTOS] OpenAM installation on VirtualBox
In my work, I will write OSS x Security Article in a technical information magazine, and as the first experimental memo, this article Until OpenAM sneaks on VirtualBox on your Mac. As the second step, in Next article, you can log in to the AWS Management Console with the user ID created in OpenAM.
reference
--Multi-machine setting to start multiple units at the same time with Vagrant - https://weblabo.oscasierra.net/vagrant-malti-machine/
- Tomcat v8 on CentOS7
- https://qiita.com/gzock/items/4c5cb135f3bb240b1213
- OpenAM v13 on CentOS7
- https://qiita.com/gzock/items/d7d68e5fd3bdefed3db7
environment
Previously implemented on a company-rented MacBook Air. This time, I re-executed it on my personal MacBook Pro to write this article. I started with almost no prerequisite software, so it may be better for similar situations. As a Unix lover, I really like macOS, where Unix commands can be slammed in Terminal.
- MacBook Pro (Retina, 15-inch, Mid 2015)
- Processor: 2.2GHz QuadCore Intel Core i7
- Memory: 16GB
- macOS Catalina 10.15.6
macbookpro% sw_vers
ProductName: Mac OS X
ProductVersion: 10.15.6
BuildVersion: 19G73
VirtualBox preparation
Download VirtualBox
Install the latest VirtualBox. Needless to say, it is a virtualized hypervisor provided by Oracle. It also works on macOS. Download from below.
- VirtualBox 6.1.12
- https://www.virtualbox.org
- VirtualBox-6.1.12-139181-OSX.dmg
VirtualBox installation
Start the dmg file and start the installation according to the instructions.
However, I get an error as shown below and cannot proceed.
This is a security enhancement called SKEL added since macOS 10.13 High Sierra, according to here. It seems that due to the function, permission must be given when trying to load the third-party kernel extension "KEXT". When you open Security & Privacy from System Preferences, the same message appears at the bottom, so click the lock mark and press the allow button to allow it. Then follow the instructions.
You can play with VirtualBox directly, but I think you'll be trying out various VMs in the future, so I'd like to play with it easily. So, I decided to use Vagrant, which can automatically build and configure VMs such as VirtaulBox and VMware. Vagrant is OSS provided by HashiCorp, and there is a macOS version.
Preparing Vagrant
Install Vagrant
- Vagrant 2.2.9
- https://www.vagrantup.com/downloads
- vagrant_2.2.9_x86_64.dmg
Start the dmg file and install it without any problems.
macbookpro% vagrant --version
Vagrant 2.2.9
Vagrant settings
Next is the Vagrant settings. If you prepare a directory for Vagrant (qiita in this case) and initialize it, a configuration file called Vagrantfile will be created.
macbookpro% mkdir qiita
macbookpro% cd qiita
macbookpro% vagrant init
A `Vagrantfile` has been placed in this directory. You are now
ready to `vagrant up` your first virtual environment! Please read
the comments in the Vagrantfile as well as documentation on
`vagrantup.com` for more information on using Vagrant.
Prepare the OpenAM VM to be built this time on the following assumptions.
| hostname | function | OS | IP address | port | Remarks |
|---|---|---|---|---|---|
| samlidp | OpenAM | CentOS 7 | 192.168.75.200 | 10022 |
You can choose from several free Linux, but for the time being, I am an employee of the company that acquired Red Hat, so I chose CentOS, which is a RHEL clone. The latest version of CentOS is 8.2, but according to here, OpenAM only supports CentOS 6 and 7. .. Vagrant provides a major OS image as standard, check here and select CentOS 7.
To do this, modify the Vagrantfile. Modify as follows with your favorite editor such as vi. I'll talk about synced_folder later.
macbookpro% diff Vagrantfile.org Vagrantfile
69a70,76
> config.vm.box="centos/7"
> config.vm.synced_folder "../data","/vagrant_data"
> config.vm.define "samlidp" do |node|
> node.vm.hostname = "samlidp"
> node.vm.network :private_network, ip: "192.168.75.200"
> node.vm.network :forwarded_port, guest: 22, host: 10022, id: "ssh"
> end
> end
To download CentOS 7, use the following command. On the way, you will be asked to select the VM type, so select VirtualBox.
macbookpro% vagrant box add centos/7
==> box: Loading metadata for box 'centos/7'
box: URL: https://vagrantcloud.com/centos/7
This box can work with multiple providers! The providers that it
can work with are listed below. Please review the list and choose
the provider you will be working with.
1) hyperv
2) libvirt
3) virtualbox
4) vmware_desktop
Enter your choice: 3
==> box: Adding box 'centos/7' (v2004.01) for provider: virtualbox
box: Downloading: https://vagrantcloud.com/centos/boxes/7/versions/2004.01/providers/virtualbox.box
==> box: Box download is resuming from prior download progress
Download redirected to host: cloud.centos.org
box: Calculating and comparing box checksum...
==> box: Successfully added box 'centos/7' (v2004.01) for 'virtualbox'!
Vagrant has a nice feature that allows you to share files between the host and the VM. This time as well, it is very convenient to be able to refer to the files downloaded on the macOS side from the VM side, so I will use it. That setting is in the Vagrantfile
config.vm.synced_folder "../data","/vagrant_data"
It is the part of. This makes the ../data directory on the host side (as seen from the directory containing the Vagrantfile) visible as the / vagrant_data directory on the VM side, allowing files to be shared. Therefore, after creating the ../data directory, try starting the OpenAM host (samlidp).
macbookpro% mkdir ../data
macbookpro% vagrant up samlidp
Bringing machine 'samlidp' up with 'virtualbox' provider...
==> samlidp: Importing base box 'centos/7'...
==> samlidp: Matching MAC address for NAT networking...
==> samlidp: Checking if box 'centos/7' version '2004.01' is up to date...
==> samlidp: Setting the name of the VM: qiita_samlidp_1596494850684_97193
(Omission)
==> samlidp: Rsyncing folder: /Users/kobesuzuobu/qiita/ => /vagrant
==> samlidp: Mounting shared folders...
samlidp: /vagrant_data => /Users/kobesuzuobu/data
Vagrant was unable to mount VirtualBox shared folders. This is usually
because the filesystem "vboxsf" is not available. This filesystem is
made available via the VirtualBox Guest Additions and kernel module.
Please verify that these guest additions are properly installed in the
guest. This is not a bug in Vagrant and is usually caused by a faulty
Vagrant box. For context, the command attempted was:
mount -t vboxsf -o uid=1000,gid=1000 vagrant_data /vagrant_data
The error output from the command was:
mount: unknown filesystem type 'vboxsf'
In my environment, as mentioned above, I got an error and stopped. According to here, it seems to be an error due to the version mismatch of the file sharing function on the host side and the VM side described above, and it can be solved by installing Plug-In. It seems, so I will try it.
macbookpro% vagrant plugin install vagrant-vbguest
Installing the 'vagrant-vbguest' plugin. This can take a few minutes...
Fetching micromachine-3.0.0.gem
Fetching vagrant-vbguest-0.24.0.gem
Installed the plugin 'vagrant-vbguest (0.24.0)'!
macbookpro% vagrant up samlidp
Bringing machine 'samlidp' up with 'virtualbox' provider...
==> samlidp: Checking if box 'centos/7' version '2004.01' is up to date...
The error when starting the VM has now disappeared.
Using VM from Vagrant
Immediately, use the vagrant ssh command from the macOS side to ssh login to the started VM.
macbookpro% vagrant ssh samlidp
[vagrant@samlidp ~]$
Since I was able to log in successfully, I will continue to install OpenAM on the VM. I immediately tried to use the file sharing function, but the / vagrant_data file system was not visible from the VM. I'm not sure about the situation, but once I stopped the VM with vagrant halt samlidp, I tried to upload it again, and after installing some additional things, it started normally.
macbookpro% vagrant up samlidp
Bringing machine 'samlidp' up with 'virtualbox' provider...
==> samlidp: Checking if box 'centos/7' version '2004.01' is up to date...
==> samlidp: Clearing any previously set forwarded ports...
==> samlidp: Clearing any previously set network interfaces...
(Omission)
==> samlidp: Rsyncing folder: /Users/kobesuzuobu/qiita/ => /vagrant
==> samlidp: Mounting shared folders...
samlidp: /vagrant_data => /Users/kobesuzuobu/data
==> samlidp: Machine already provisioned. Run `vagrant provision` or use the `--provision`
==> samlidp: flag to force provisioning. Provisioners marked to run always will still run.
Now you can see the / vagrant_file filesystem in df as below.
macbookpro% vagrant ssh samlidp
Last login: Mon Aug 3 23:10:38 2020 from 10.0.2.2
[vagrant@samlidp ~]$ df -k
Filesystem 1K-blocks Used Available Use% Mounted on
devtmpfs 241824 0 241824 0% /dev
tmpfs 249340 0 249340 0% /dev/shm
tmpfs 249340 4584 244756 2% /run
tmpfs 249340 0 249340 0% /sys/fs/cgroup
/dev/sda1 41921540 3438796 38482744 9% /
vagrant_data 244912536 185393884 59518652 76% /vagrant_data
tmpfs 49872 0 49872 0% /run/user/1000
Host-side download tool preparation
In the future, I will be playing with various OSS, but I want to be able to download various files in one shot, so I will prepare a little here. Specifically, there is no wget in CentOS on the VM, so I will put it on the host side. The brew command is required to install wget, so install Homebrew.
Homebrew preparation
- Homebrew 2.4.9
- https://brew.sh/index_ja
To install Homebrew, follow the steps below as described in Go to the above site. I got an update for Xcode that was already installed in my environment.
macbookpro% /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
Password:
==> This script will install:
/usr/local/bin/brew
/usr/local/share/doc/homebrew
/usr/local/share/man/man1/brew.1
/usr/local/share/zsh/site-functions/_brew
/usr/local/etc/bash_completion.d/brew
/usr/local/Homebrew
(Omission)
Receiving objects: 100% (775016/775016), 308.92 MiB | 1.86 MiB/s, done.
Resolving deltas: 100% (516220/516220), done.
Updating files: 100% (5415/5415), done.
Tapped 2 commands and 5161 formulae (5,440 files, 338.8MB).
Already up-to-date.
==> Installation successful!
==> Homebrew has enabled anonymous aggregate formulae and cask analytics.
Read the analytics documentation (and how to opt-out) here:
https://docs.brew.sh/Analytics
No analytics data has been sent yet (or will be during this `install` run).
==> Homebrew is run entirely by unpaid volunteers. Please consider donating:
https://github.com/Homebrew/brew#donations
==> Next steps:
- Run `brew help` to get started
- Further documentation:
https://docs.brew.sh
Homebrew (brew command) is now available as shown below.
macbookpro% brew --version
Homebrew 2.4.9
Homebrew/homebrew-core (git revision 2e056; last commit 2020-08-03)
wget preparation
Then use this Homebrew to install wget.
- wget 1.20.3
macbookpro% brew install wget
==> Downloading https://homebrew.bintray.com/bottles/gettext-0.21.catalina.bottl
==> Downloading from https://d29vzk4ow07wi7.cloudfront.net/cdea54f52b7c36ebcb5fe
######################################################################## 100.0%
(Omission)
If you need to have [email protected] first in your PATH run:
echo 'export PATH="/usr/local/opt/[email protected]/bin:$PATH"' >> ~/.zshrc
For compilers to find [email protected] you may need to set:
export LDFLAGS="-L/usr/local/opt/[email protected]/lib"
export CPPFLAGS="-I/usr/local/opt/[email protected]/include"
You can now use wget as well.
macbookpro% wget --version
GNU Wget 1.20.3 built on darwin19.0.0.
-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
+ntlm +opie -psl +ssl/openssl
Wgetrc:
/usr/local/etc/wgetrc (system)
Locale:
/usr/local/Cellar/wget/1.20.3_2/share/locale
Compile:
clang -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
-DLOCALEDIR="/usr/local/Cellar/wget/1.20.3_2/share/locale" -I.
-I../lib -I../lib -I/usr/local/opt/[email protected]/include -DNDEBUG -g
-O2
Link:
clang -DNDEBUG -g -O2 -lidn2 -L/usr/local/opt/[email protected]/lib -lssl
-lcrypto -ldl -lz ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a
-liconv -lintl -Wl,-framework -Wl,CoreFoundation -lunistring
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Originally written by Hrvoje Niksic <[email protected]>.
Please send bug reports and questions to <[email protected]>.
Preparing for OpenAM
Java SDK preparation
Java SDK download
Apache Tomcat is required as the base for OpenAM. Tomcat requires the Java SDK. Download the following to the ../data directory. If you do not have your own profile in Oracle, you need to register first, and you can download it by logging in with your email address and password.
- Java SDK 8u261
- https://www.oracle.com/java/technologies/javase/javase-jdk8-downloads.html
- jdk-8u261-linux-x64.rpm
Java SDK installation
You can see the downloaded file in / vagrant_data on the VM, so become root and try local install with yum.
[root@samlidp ~]# yum localinstall /vagrant_data/jdk-8u261-linux-x64.rpm
Loaded plugins: fastestmirror
Examining /vagrant_data/jdk-8u261-linux-x64.rpm: 2000:jdk1.8-1.8.0_261-fcs.x86_64
Marking /vagrant_data/jdk-8u261-linux-x64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package jdk1.8.x86_64 2000:1.8.0_261-fcs will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
jdk1.8 x86_64 2000:1.8.0_261-fcs /jdk-8u261-linux-x64 245 M
Transaction Summary
================================================================================
Install 1 Package
Total size: 245 M
Installed size: 245 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 2000:jdk1.8-1.8.0_261-fcs.x86_64 1/1
Unpacking JAR files...
tools.jar...
plugin.jar...
javaws.jar...
deploy.jar...
rt.jar...
jsse.jar...
charsets.jar...
localedata.jar...
Verifying : 2000:jdk1.8-1.8.0_261-fcs.x86_64 1/1
Installed:
jdk1.8.x86_64 2000:1.8.0_261-fcs
Complete!
Apache tomcat preparation
Download Apache Tomcat
It seems that it went well, so next we will proceed to install Apache Tomcat, the Web application server that is a prerequisite for OpenAM. According to here again, due to OpenAM restrictions, Tomcat needs to include 7 or 8, so the latest of them Install 8.5.57.
- Apache Tomcat 8.5.57
- https://tomcat.apache.org/download-80.cgi
- apache-tomcat-8.5.57.tar.gz
Download the source code of Apache Tomcat itself to the ../data directory with the wget you prepared earlier.
macbookpro% wget https://ftp.riken.jp/net/apache/tomcat/tomcat-8/v8.5.57/bin/apache-tomcat-8.5.57.tar.gz
--2020-08-26 14:19:29-- https://ftp.riken.jp/net/apache/tomcat/tomcat-8/v8.5.57/bin/apache-tomcat-8.5.57.tar.gz
Resolving ftp.riken.jp (ftp.riken.jp)... 134.160.38.1
Connecting to ftp.riken.jp (ftp.riken.jp)|134.160.38.1|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10379806 (9.9M) [application/x-gzip]
Saving to: ‘apache-tomcat-8.5.57.tar.gz’
apache-tomcat-8.5.5 100%[===================>] 9.90M 3.35MB/s in 3.0s
2020-08-26 14:19:32 (3.35 MB/s) - ‘apache-tomcat-8.5.57.tar.gz’ saved [10379806/10379806]
Apache Tomcat installation and configuration
Log in to the VM and continue installation and configuration. First, create the user ID and group required to run Tomcat.
[vagrant@samlidp ~]$ sudo su -
[root@samlidp ~]# useradd tomcat
[root@samlidp ~]# passwd tomcat
Changing password for user tomcat.
New password:Naisho
BAD PASSWORD: The password contains the user name in some form
Retype new password:
passwd: all authentication tokens updated successfully.
If you go to the shared directory with the host OS / vagrant_data, you will see the downloaded tar.gz file, unpack it, move it to the specified location, and change the owner and owning group to the one created above.
[root@samlidp ~]# cd /vagrant_data
[root@samlidp vagrant_data]# tar xvpzf apache-tomcat-8.5.57.tar.gz
apache-tomcat-8.5.57/conf/
apache-tomcat-8.5.57/conf/catalina.policy
apache-tomcat-8.5.57/conf/catalina.properties
(Omission)
apache-tomcat-8.5.57/bin/startup.sh
apache-tomcat-8.5.57/bin/tool-wrapper.sh
apache-tomcat-8.5.57/bin/version.sh
[root@samlidp vagrant_data]# mv apache-tomcat-8.5.57 /opt/tomcat
[root@samlidp vagrant_data]# cd /opt
[root@samlidp opt]# chown -R tomcat:tomcat tomcat
Next, prepare a file for registering the service so that Tomcat can be started via Systemd. Create two files with an editor such as vi as shown below, and reload Systemd.
[root@samlidp opt]# cat /etc/systemd/system/tomcat.service
[Unit]
Description=Apache Tomcat 8
After=network.target
[Service]
User=tomcat
Type=forking
EnvironmentFile=/etc/sysconfig/tomcat
KillMode=none
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh
[Install]
WantedBy=multi-user.target
[root@samlidp opt]# cat /etc/sysconfig/tomcat
Java_HOME="/usr/java/jdk1.8.0_261-amd64/jre/"
Java_OPTS="-DJava.security.egd=file:/dev/./urandom"
[root@samlidp opt]# systemctl daemon-reload
Now that you're ready, start Tomcat via Systemd and check.
[root@samlidp opt]# systemctl enable tomcat
Created symlink from /etc/systemd/system/multi-user.target.wants/tomcat.service to /etc/systemd/system/tomcat.service.
[root@samlidp opt]# systemctl start tomcat
[root@samlidp opt]# systemctl status tomcat
● tomcat.service - Apache Tomcat 8
Loaded: loaded (/etc/systemd/system/tomcat.service; enabled; vendor preset: disabled)
Active: active (running) since Wed 2020-08-26 05:30:19 UTC; 6s ago
Process: 7993 ExecStart=/opt/tomcat/bin/startup.sh (code=exited, status=0/SUCCESS)
Main PID: 8007 (java)
CGroup: /system.slice/tomcat.service
└─8007 /usr/bin/java -Djava.util.logging.config.file=/opt/tomcat/c...
Aug 26 05:30:19 samlidp systemd[1]: Starting Apache Tomcat 8...
Aug 26 05:30:19 samlidp systemd[1]: Started Apache Tomcat 8.
[root@samlidp opt]# ss -nat | grep 8080
LISTEN 0 100 [::]:8080 [::]:*
It seems that Apache Tomcat is running on port 8080 without any problem, so I will try to access it from the browser immediately. As I wrote in the Vagrantfile, the VM called samlidp on which Tomcat is running runs on the IP address: 192.168.75.200, so access it from Firefox on macOS at http://192.168.75.200:8080/.
Preparing for OpenAM
Download OpenAM
Now that you have successfully accessed Apache Tomcat, proceed to install OpenAM. The latest version of OpenAM seems to be 13.5.2, but all 13.5.x seems to require Subscription, so download the 13.0.0 zip file. To download, you need to register as a user, and log in with your user ID, password and authentication method (I choose Skip because I just use free software).
- OpenAM 13.0.0
- https://backstage.forgerock.com/downloads/search?q=openam
- OpenAM-13.0.0.zip
OpenAM installation and configuration
Unzip is not included in CentOS by default, so solve it with macOS on the host side.
macbookpro% unzip OpenAM-13.0.0.zip
Archive: OpenAM-13.0.0.zip
creating: openam/
creating: openam/legal-notices/
inflating: openam/legal-notices/license.txt
inflating: openam/legal-notices/THIRDPARTYREADME.txt
creating: openam/ldif/
inflating: openam/ldif/fam_sds_schema.ldif
inflating: openam/ldif/fam_sds_index.ldif
inflating: openam/ldif/fam_tivolids_schema.ldif
inflating: openam/ldif/fam_ad_schema.ldif
inflating: openam/ldif/README
inflating: openam/OpenAM-13.0.0.war
inflating: openam/ClientSDK-13.0.0.jar
inflating: openam/Fedlet-13.0.0.zip
inflating: openam/SSOAdminTools-13.0.0.zip
inflating: openam/ExampleClientSDK-CLI-13.0.0.zip
inflating: openam/ExampleClientSDK-WAR-13.0.0.war
inflating: openam/IDPDiscovery-13.0.0.war
inflating: openam/SSOConfiguratorTools-13.0.0.zip
Log in to the VM, copy the expanded war file to the specified directory of Tomcat, and change the owner.
[vagrant@samlidp ~]$ sudo su -
Last login: Wed Aug 26 05:24:47 UTC 2020 on pts/0
[root@samlidp ~]# cd /vagrant_data/openam/
[root@samlidp openam]# cp OpenAM-13.0.0.war /opt/tomcat/webapps/openam.war
[root@samlidp openam]# cd /opt/tomcat/webapps/
[root@samlidp webapps]# chown tomcat:tomcat openam.war
[root@samlidp webapps]# chmod 755 openam.war
Then restart Apache Tomcat to check.
[root@samlidp webapps]# systemctl restart tomcat
[root@samlidp webapps]# ss -nat | grep 808
LISTEN 0 100 [::]:8080 [::]:*
TIME-WAIT 0 0 [::1]:34808 [::1]:8080
It seems to be working fine, so try accessing http://192.168.75.200:8080/openam/ from your browser.
For the future, make it possible to resolve the name in / etc / hosts on macOS. Here, we will use the domain kawajun.local that we created arbitrarily.
macbookpro% sudo vi /etc/hosts
Password:
(Add the following)
192.168.75.200 samlidp.kawajun.local samlidp
Try accessing with this name just in case.
Congratulations, I was able to open the OpenAM default page from Firefox on macOS.
Recommended Posts