OpenAM installation on VirtualBox
For work I am writing an "OSS x Security" article for a technical magazine, and as a first experimental memo this article covers getting OpenAM running on VirtualBox on a Mac. As a second step, the next article logs in to the AWS Management Console with a user ID created in OpenAM.
- Multi-machine configuration so that Vagrant can start several VMs at once
- Tomcat v8 on CentOS7
- OpenAM v13 on CentOS7
I had done this before on a company-rented MacBook Air; for this article I redid it on my personal MacBook Pro, starting with almost no prerequisite software installed, so it should suit readers in a similar situation. As a Unix lover I really like macOS, where Unix commands can be typed straight into Terminal.
- MacBook Pro (Retina, 15-inch, Mid 2015)
- Processor: 2.2GHz QuadCore Intel Core i7
- Memory: 16GB
- macOS Catalina 10.15.6
macbookpro% sw_vers
ProductName:	Mac OS X
ProductVersion:	10.15.6
BuildVersion:	19G73
Install the latest VirtualBox. Needless to say, it is the virtualization hypervisor provided by Oracle, and it also runs on macOS. Download it from below.
- VirtualBox 6.1.12
Start the dmg file and start the installation according to the instructions.
However, I get an error as shown below and cannot proceed.
According to here, this is a security feature called SKEL (Secure Kernel Extension Loading) added in macOS 10.13 High Sierra: the user must grant permission before a third-party kernel extension (KEXT) can be loaded. When you open Security & Privacy in System Preferences, the same message appears at the bottom, so click the lock icon and press Allow. Then follow the installer's instructions.
You can work with VirtualBox directly, but since I expect to try various VMs later, I'd like something easier. So I decided to use Vagrant, which can automatically build and configure VMs on hypervisors such as VirtualBox and VMware. Vagrant is OSS provided by HashiCorp, and there is a macOS version.
- Vagrant 2.2.9
Start the dmg file and install it without any problems.
macbookpro% vagrant --version
Vagrant 2.2.9
Next is the Vagrant settings.
If you prepare a directory for Vagrant (qiita in this case) and initialize it, a configuration file called Vagrantfile will be created.
macbookpro% mkdir qiita
macbookpro% cd qiita
macbookpro% vagrant init
A `Vagrantfile` has been placed in this directory. You are now
ready to `vagrant up` your first virtual environment! Please read
the comments in the Vagrantfile as well as documentation on
`vagrantup.com` for more information on using Vagrant.
Prepare the OpenAM VM to be built this time on the following assumptions.
There are several free Linux distributions to choose from, but as an employee of the company that acquired Red Hat, I chose CentOS, which is a RHEL clone. The latest CentOS is 8.2, but according to here, OpenAM only supports CentOS 6 and 7. Vagrant provides images of the major OSes as standard; check here and select CentOS 7.
To do this, edit the Vagrantfile as follows with your favorite editor such as vi. I'll explain synced_folder later.
macbookpro% diff Vagrantfile.org Vagrantfile 69a70,76 > config.vm.box="centos/7" > config.vm.synced_folder "../data","/vagrant_data" > config.vm.define "samlidp" do |node| > node.vm.hostname = "samlidp" > node.vm.network :private_network, ip: "192.168.75.200" > node.vm.network :forwarded_port, guest: 22, host: 10022, id: "ssh" > end > end
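Review bot: the range `69a70,76` announces seven added lines, but eight `>` lines are shown; the last `> end` is presumably the pre-existing closing `end` of the `Vagrant.configure` block that the paste picked up, so only the first `end` (closing `config.vm.define "samlidp" do |node|`) is new. Before `vagrant up`, confirm the file has exactly one closing `end` per `do`. Also note for readers that `config.vm.synced_folder "../data","/vagrant_data"` requires the host-side directory to exist, which the post only creates later with `mkdir ../data`.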
To download CentOS 7, use the following command. On the way, you will be asked to select the VM type, so select VirtualBox.
macbookpro% vagrant box add centos/7
==> box: Loading metadata for box 'centos/7'
    box: URL: https://vagrantcloud.com/centos/7
This box can work with multiple providers! The providers that it
can work with are listed below. Please review the list and choose
the provider you will be working with.

1) hyperv
2) libvirt
3) virtualbox
4) vmware_desktop

Enter your choice: 3
==> box: Adding box 'centos/7' (v2004.01) for provider: virtualbox
    box: Downloading: https://vagrantcloud.com/centos/boxes/7/versions/2004.01/providers/virtualbox.box
==> box: Box download is resuming from prior download progress
Download redirected to host: cloud.centos.org
    box: Calculating and comparing box checksum...
==> box: Successfully added box 'centos/7' (v2004.01) for 'virtualbox'!
Vagrant has a nice feature that lets the host and the VM share files. It is very convenient here too, because files downloaded on the macOS side can be referenced from the VM side, so I will use it. That is what the config.vm.synced_folder line in the Vagrantfile is for: it makes the ../data directory on the host side (relative to the directory containing the Vagrantfile) visible as the /vagrant_data directory on the VM side, so files can be shared. So, after creating the ../data directory, try starting the OpenAM host (samlidp).
macbookpro% mkdir ../data
macbookpro% vagrant up samlidp
Bringing machine 'samlidp' up with 'virtualbox' provider...
==> samlidp: Importing base box 'centos/7'...
==> samlidp: Matching MAC address for NAT networking...
==> samlidp: Checking if box 'centos/7' version '2004.01' is up to date...
==> samlidp: Setting the name of the VM: qiita_samlidp_1596494850684_97193
(Omission)
==> samlidp: Rsyncing folder: /Users/kobesuzuobu/qiita/ => /vagrant
==> samlidp: Mounting shared folders...
    samlidp: /vagrant_data => /Users/kobesuzuobu/data
Vagrant was unable to mount VirtualBox shared folders. This is usually
because the filesystem "vboxsf" is not available. This filesystem is
made available via the VirtualBox Guest Additions and kernel module.
Please verify that these guest additions are properly installed in the
guest. This is not a bug in Vagrant and is usually caused by a faulty
Vagrant box. For context, the command attempted was:

mount -t vboxsf -o uid=1000,gid=1000 vagrant_data /vagrant_data

The error output from the command was:

mount: unknown filesystem type 'vboxsf'
In my environment, I got the error shown above and the startup stopped. According to here, this is caused by a version mismatch of the file sharing function (the VirtualBox Guest Additions) between the host side and the VM side, and it can be solved by installing a plug-in, so I will try that.
macbookpro% vagrant plugin install vagrant-vbguest
Installing the 'vagrant-vbguest' plugin. This can take a few minutes...
Fetching micromachine-3.0.0.gem
Fetching vagrant-vbguest-0.24.0.gem
Installed the plugin 'vagrant-vbguest (0.24.0)'!
macbookpro% vagrant up samlidp
Bringing machine 'samlidp' up with 'virtualbox' provider...
==> samlidp: Checking if box 'centos/7' version '2004.01' is up to date...
The error when starting the VM has now disappeared.
Using VM from Vagrant
Now use the vagrant ssh command from the macOS side to log in to the started VM over ssh.
macbookpro% vagrant ssh samlidp
[vagrant@samlidp ~]$
Since I was able to log in, I will continue with installing OpenAM on the VM. I immediately tried to use the file sharing function, but the /vagrant_data file system was not visible from the VM. I am not sure what happened, but after stopping the VM with vagrant halt samlidp and bringing it up again, it installed some additional components and then started normally.
macbookpro% vagrant up samlidp
Bringing machine 'samlidp' up with 'virtualbox' provider...
==> samlidp: Checking if box 'centos/7' version '2004.01' is up to date...
==> samlidp: Clearing any previously set forwarded ports...
==> samlidp: Clearing any previously set network interfaces...
(Omission)
==> samlidp: Rsyncing folder: /Users/kobesuzuobu/qiita/ => /vagrant
==> samlidp: Mounting shared folders...
    samlidp: /vagrant_data => /Users/kobesuzuobu/data
==> samlidp: Machine already provisioned. Run `vagrant provision` or use the `--provision`
==> samlidp: flag to force provisioning. Provisioners marked to run always will still run.
Now you can see the /vagrant_data filesystem in df as below.
macbookpro% vagrant ssh samlidp
Last login: Mon Aug  3 23:10:38 2020 from 10.0.2.2
[vagrant@samlidp ~]$ df -k
Filesystem     1K-blocks      Used Available Use% Mounted on
devtmpfs          241824         0    241824   0% /dev
tmpfs             249340         0    249340   0% /dev/shm
tmpfs             249340      4584    244756   2% /run
tmpfs             249340         0    249340   0% /sys/fs/cgroup
/dev/sda1       41921540   3438796  38482744   9% /
vagrant_data   244912536 185393884  59518652  76% /vagrant_data
tmpfs              49872         0     49872   0% /run/user/1000
Host-side download tool preparation
I will be playing with various OSS in the future and want to be able to download files in one shot, so a little preparation is needed here.
Specifically, the CentOS image on the VM has no wget, so I will install it on the host side instead. Installing wget requires the brew command, so install Homebrew first.
- Homebrew 2.4.9
To install Homebrew, run the command below as described on the site above. In my environment, this also updated the Xcode tools that were already installed.
macbookpro% /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install.sh)"
Password:
==> This script will install:
/usr/local/bin/brew
/usr/local/share/doc/homebrew
/usr/local/share/man/man1/brew.1
/usr/local/share/zsh/site-functions/_brew
/usr/local/etc/bash_completion.d/brew
/usr/local/Homebrew
(Omission)
Receiving objects: 100% (775016/775016), 308.92 MiB | 1.86 MiB/s, done.
Resolving deltas: 100% (516220/516220), done.
Updating files: 100% (5415/5415), done.
Tapped 2 commands and 5161 formulae (5,440 files, 338.8MB).
Already up-to-date.
==> Installation successful!

==> Homebrew has enabled anonymous aggregate formulae and cask analytics.
Read the analytics documentation (and how to opt-out) here:
  https://docs.brew.sh/Analytics
No analytics data has been sent yet (or will be during this `install` run).

==> Homebrew is run entirely by unpaid volunteers. Please consider donating:
  https://github.com/Homebrew/brew#donations

==> Next steps:
- Run `brew help` to get started
- Further documentation:
    https://docs.brew.sh
Homebrew (brew command) is now available as shown below.
macbookpro% brew --version
Homebrew 2.4.9
Homebrew/homebrew-core (git revision 2e056; last commit 2020-08-03)
Then use this Homebrew to install wget.
- wget 1.20.3
macbookpro% brew install wget
==> Downloading https://homebrew.bintray.com/bottles/gettext-0.21.catalina.bottl
==> Downloading from https://d29vzk4ow07wi7.cloudfront.net/cdea54f52b7c36ebcb5fe
######################################################################## 100.0%
(Omission)
If you need to have openssl@1.1 first in your PATH run:
  echo 'export PATH="/usr/local/opt/openssl@1.1/bin:$PATH"' >> ~/.zshrc

For compilers to find openssl@1.1 you may need to set:
  export LDFLAGS="-L/usr/local/opt/openssl@1.1/lib"
  export CPPFLAGS="-I/usr/local/opt/openssl@1.1/include"
You can now use wget as well.
macbookpro% wget --version
GNU Wget 1.20.3 built on darwin19.0.0.

-cares +digest -gpgme +https +ipv6 +iri +large-file -metalink +nls
+ntlm +opie -psl +ssl/openssl

Wgetrc:
    /usr/local/etc/wgetrc (system)
Locale:
    /usr/local/Cellar/wget/1.20.3_2/share/locale
Compile:
    clang -DHAVE_CONFIG_H -DSYSTEM_WGETRC="/usr/local/etc/wgetrc"
    -DLOCALEDIR="/usr/local/Cellar/wget/1.20.3_2/share/locale" -I. -I../lib
    -I../lib -I/usr/local/opt/openssl@1.1/include -DNDEBUG -g -O2
Link:
    clang -DNDEBUG -g -O2 -lidn2 -L/usr/local/opt/openssl@1.1/lib -lssl
    -lcrypto -ldl -lz ftp-opie.o openssl.o http-ntlm.o ../lib/libgnu.a -liconv
    -lintl -Wl,-framework -Wl,CoreFoundation -lunistring

Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://www.gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Originally written by Hrvoje Niksic <hniksic@xemacs.org>.
Please send bug reports and questions to <bug-wget@gnu.org>.
Preparing for OpenAM
Java SDK preparation
Java SDK download
Apache Tomcat is required as the base for OpenAM, and Tomcat requires the Java SDK. Download the following into the ../data directory. If you do not yet have an Oracle profile, register first; you can then download after logging in with your email address and password.
- Java SDK 8u261
Java SDK installation
The downloaded file is visible in /vagrant_data on the VM, so become root and install it locally with yum.
[root@samlidp ~]# yum localinstall /vagrant_data/jdk-8u261-linux-x64.rpm
Loaded plugins: fastestmirror
Examining /vagrant_data/jdk-8u261-linux-x64.rpm: 2000:jdk1.8-1.8.0_261-fcs.x86_64
Marking /vagrant_data/jdk-8u261-linux-x64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package jdk1.8.x86_64 2000:1.8.0_261-fcs will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package     Arch      Version                Repository                   Size
================================================================================
Installing:
 jdk1.8      x86_64    2000:1.8.0_261-fcs     /jdk-8u261-linux-x64        245 M

Transaction Summary
================================================================================
Install  1 Package

Total size: 245 M
Installed size: 245 M
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 2000:jdk1.8-1.8.0_261-fcs.x86_64                             1/1
Unpacking JAR files...
	tools.jar...
	plugin.jar...
	javaws.jar...
	deploy.jar...
	rt.jar...
	jsse.jar...
	charsets.jar...
	localedata.jar...
  Verifying  : 2000:jdk1.8-1.8.0_261-fcs.x86_64                             1/1

Installed:
  jdk1.8.x86_64 2000:1.8.0_261-fcs

Complete!
Apache Tomcat preparation
Download Apache Tomcat
That went well, so next install Apache Tomcat, the web application server that OpenAM runs in. According to here again, OpenAM requires Tomcat 7 or 8, so install 8.5.57, the latest of those.
- Apache Tomcat 8.5.57
Download the Apache Tomcat tar.gz archive into the ../data directory with the wget prepared earlier.
macbookpro% wget https://ftp.riken.jp/net/apache/tomcat/tomcat-8/v8.5.57/bin/apache-tomcat-8.5.57.tar.gz
--2020-08-26 14:19:29--  https://ftp.riken.jp/net/apache/tomcat/tomcat-8/v8.5.57/bin/apache-tomcat-8.5.57.tar.gz
Resolving ftp.riken.jp (ftp.riken.jp)... 184.108.40.206
Connecting to ftp.riken.jp (ftp.riken.jp)|220.127.116.11|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10379806 (9.9M) [application/x-gzip]
Saving to: ‘apache-tomcat-8.5.57.tar.gz’

apache-tomcat-8.5.5 100%[===================>]   9.90M  3.35MB/s    in 3.0s

2020-08-26 14:19:32 (3.35 MB/s) - ‘apache-tomcat-8.5.57.tar.gz’ saved [10379806/10379806]
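As an added example (not part of the original post), this is how I would fetch that tarball from the same mirror while checking it against the SHA-512 that Apache publishes, so that a tampered or corrupted archive never gets unpacked on the VM. The downloads.apache.org sidecar URL and its `<hex> *<filename>` layout are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own commands: fetch the Tomcat tarball from
# the mirror used above, but take the SHA-512 from Apache's canonical host and
# verify it before the archive ever reaches the VM.
# Assumption: a "<tarball>.sha512" sidecar exists under downloads.apache.org
# with the usual "<hex> *<filename>" layout.
set -eu

TOMCAT_VER="8.5.57"
TARBALL="apache-tomcat-${TOMCAT_VER}.tar.gz"
MIRROR_URL="https://ftp.riken.jp/net/apache/tomcat/tomcat-8/v${TOMCAT_VER}/bin/${TARBALL}"
SHA_URL="https://downloads.apache.org/tomcat/tomcat-8/v${TOMCAT_VER}/bin/${TARBALL}.sha512"

# SHA-512 of a file; GNU coreutils on the VM, shasum on macOS.
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'
  else
    shasum -a 512 "$1" | awk '{print $1}'
  fi
}

# First field of a .sha512 sidecar file, lower-cased.
digest_from_sidecar() {
  awk 'NR==1 {print tolower($1)}' "$1"
}

# verify_sha512 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch or bad input.
verify_sha512() {
  file="$1"; expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
  case "$expected" in
    *[!0-9a-f]* | "") echo "malformed digest" >&2; return 1 ;;
  esac
  [ "${#expected}" -eq 128 ] || { echo "not a SHA-512 digest" >&2; return 1; }
  actual=$(sha512_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file"; return 0
  fi
  printf 'MISMATCH: %s\n expected %s\n actual   %s\n' "$file" "$expected" "$actual" >&2
  return 1
}

# Download both pieces into the shared data directory, then verify; an
# archive that fails the check is deleted so it cannot be unpacked by mistake.
fetch_and_verify() {
  cd "${1:-../data}"
  wget -q "$MIRROR_URL"
  wget -q -O "${TARBALL}.sha512" "$SHA_URL"
  verify_sha512 "$TARBALL" "$(digest_from_sidecar "${TARBALL}.sha512")" \
    || { rm -f "$TARBALL"; return 1; }
}

# Real run from the qiita directory:  fetch_and_verify ../data
```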
Apache Tomcat installation and configuration
Log in to the VM and continue installation and configuration. First, create the user ID and group required to run Tomcat.
[vagrant@samlidp ~]$ sudo su -
[root@samlidp ~]# useradd tomcat
[root@samlidp ~]# passwd tomcat
Changing password for user tomcat.
New password:Naisho
BAD PASSWORD: The password contains the user name in some form
Retype new password:
passwd: all authentication tokens updated successfully.
In /vagrant_data, the directory shared with the host OS, you will find the downloaded tar.gz file. Unpack it, move it to its intended location, and change the owner and group to the user created above.
[root@samlidp ~]# cd /vagrant_data
[root@samlidp vagrant_data]# tar xvpzf apache-tomcat-8.5.57.tar.gz
apache-tomcat-8.5.57/conf/
apache-tomcat-8.5.57/conf/catalina.policy
apache-tomcat-8.5.57/conf/catalina.properties
(Omission)
apache-tomcat-8.5.57/bin/startup.sh
apache-tomcat-8.5.57/bin/tool-wrapper.sh
apache-tomcat-8.5.57/bin/version.sh
[root@samlidp vagrant_data]# mv apache-tomcat-8.5.57 /opt/tomcat
[root@samlidp vagrant_data]# cd /opt
[root@samlidp opt]# chown -R tomcat:tomcat tomcat
Next, prepare a file for registering the service so that Tomcat can be started via Systemd. Create two files with an editor such as vi as shown below, and reload Systemd.
[root@samlidp opt]# cat /etc/systemd/system/tomcat.service
[Unit]
Description=Apache Tomcat 8
After=network.target

[Service]
User=tomcat
Type=forking
EnvironmentFile=/etc/sysconfig/tomcat
KillMode=none
ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
[root@samlidp opt]# cat /etc/sysconfig/tomcat
JAVA_HOME="/usr/java/jdk1.8.0_261-amd64/jre/"
JAVA_OPTS="-Djava.security.egd=file:/dev/./urandom"
[root@samlidp opt]# systemctl daemon-reload
Now that you’re ready, start Tomcat via Systemd and check.
[root@samlidp opt]# systemctl enable tomcat
Created symlink from /etc/systemd/system/multi-user.target.wants/tomcat.service to /etc/systemd/system/tomcat.service.
[root@samlidp opt]# systemctl start tomcat
[root@samlidp opt]# systemctl status tomcat
● tomcat.service - Apache Tomcat 8
   Loaded: loaded (/etc/systemd/system/tomcat.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-08-26 05:30:19 UTC; 6s ago
  Process: 7993 ExecStart=/opt/tomcat/bin/startup.sh (code=exited, status=0/SUCCESS)
 Main PID: 8007 (java)
   CGroup: /system.slice/tomcat.service
           └─8007 /usr/bin/java -Djava.util.logging.config.file=/opt/tomcat/c...

Aug 26 05:30:19 samlidp systemd: Starting Apache Tomcat 8...
Aug 26 05:30:19 samlidp systemd: Started Apache Tomcat 8.
[root@samlidp opt]# ss -nat | grep 8080
LISTEN     0      100         [::]:8080                  [::]:*
It seems that Apache Tomcat is running on port 8080 without problems, so I will try to access it from the browser right away. As written in the Vagrantfile, the VM samlidp that Tomcat runs on has the IP address 192.168.75.200, so access http://192.168.75.200:8080/ from Firefox on macOS.
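The Tomcat service setup above as one script, added here as an example and not the post's own files: it writes the same two files with the variable names Tomcat actually reads (JAVA_HOME and JAVA_OPTS are case-sensitive) and, as the hardening change a reviewer would ask for, gives the tomcat user write access only to the directories it needs at runtime rather than ownership of the whole /opt/tomcat tree. The JDK path is the one installed by the RPM on this page; the output directories are parameters so the file generation can be tried outside /etc.

```shell
#!/bin/sh
# Added example, not the post's own files: the Tomcat service setup of this
# section as one script, with two changes a hardening review would ask for.
# The environment file uses the names Tomcat actually reads (JAVA_HOME and
# JAVA_OPTS are case-sensitive), and the tomcat user gets write access only to
# the directories it needs at runtime instead of owning the whole tree.
# Assumptions: Tomcat unpacked at /opt/tomcat and the JDK path from the page;
# the output directories are parameters so file generation can be tried
# outside /etc without root.
set -eu

render_unit() {       # render_unit TOMCAT_HOME -> unit file on stdout
  cat <<EOF
[Unit]
Description=Apache Tomcat 8
After=network.target

[Service]
User=tomcat
Group=tomcat
Type=forking
EnvironmentFile=/etc/sysconfig/tomcat
KillMode=none
ExecStart=$1/bin/startup.sh
ExecStop=$1/bin/shutdown.sh

[Install]
WantedBy=multi-user.target
EOF
}

render_env() {        # render_env JAVA_HOME -> environment file on stdout
  printf 'JAVA_HOME="%s"\nJAVA_OPTS="-Djava.security.egd=file:/dev/./urandom"\n' "$1"
}

check_java() {        # 0 when JAVA_HOME contains a runnable java
  [ -x "$1/bin/java" ]
}

write_units() {       # write_units SYSTEMD_DIR SYSCONFIG_DIR TOMCAT_HOME JAVA_HOME
  check_java "$4" || { echo "no java binary under $4" >&2; return 1; }
  render_unit "$3" > "$1/tomcat.service"
  render_env "$4" > "$2/tomcat"
  chmod 0644 "$1/tomcat.service" "$2/tomcat"   # readable, writable by owner only
}

set_ownership() {     # set_ownership TOMCAT_HOME, run as root on the VM
  chown -R root:tomcat "$1"
  chmod -R u+rwX,g+rX,o-rwx "$1"              # tomcat can read and run, not modify
  for d in logs temp work webapps; do        # runtime state it must write
    chown -R tomcat:tomcat "$1/$d"
  done
}

# Full run as root on samlidp:
#   id tomcat >/dev/null 2>&1 || useradd -s /sbin/nologin tomcat
#   set_ownership /opt/tomcat
#   write_units /etc/systemd/system /etc/sysconfig /opt/tomcat /usr/java/jdk1.8.0_261-amd64/jre
#   systemctl daemon-reload && systemctl enable --now tomcat
```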
Preparing for OpenAM
Now that Apache Tomcat is reachable, proceed to install OpenAM. The latest version of OpenAM seems to be 13.5.2, but all 13.5.x releases seem to require a subscription, so download the 13.0.0 zip file. To download you need to register as a user and log in with your user ID, password and authentication method (I chose Skip since I only use the free software).
- OpenAM 13.0.0
OpenAM installation and configuration
unzip is not included in CentOS by default, so unzip the file on the macOS host instead.
macbookpro% unzip OpenAM-13.0.0.zip
Archive:  OpenAM-13.0.0.zip
   creating: openam/
   creating: openam/legal-notices/
  inflating: openam/legal-notices/license.txt
  inflating: openam/legal-notices/THIRDPARTYREADME.txt
   creating: openam/ldif/
  inflating: openam/ldif/fam_sds_schema.ldif
  inflating: openam/ldif/fam_sds_index.ldif
  inflating: openam/ldif/fam_tivolids_schema.ldif
  inflating: openam/ldif/fam_ad_schema.ldif
  inflating: openam/ldif/README
  inflating: openam/OpenAM-13.0.0.war
  inflating: openam/ClientSDK-13.0.0.jar
  inflating: openam/Fedlet-13.0.0.zip
  inflating: openam/SSOAdminTools-13.0.0.zip
  inflating: openam/ExampleClientSDK-CLI-13.0.0.zip
  inflating: openam/ExampleClientSDK-WAR-13.0.0.war
  inflating: openam/IDPDiscovery-13.0.0.war
  inflating: openam/SSOConfiguratorTools-13.0.0.zip
Log in to the VM, copy the extracted war file to Tomcat's webapps directory, and change the owner.
[vagrant@samlidp ~]$ sudo su -
Last login: Wed Aug 26 05:24:47 UTC 2020 on pts/0
[root@samlidp ~]# cd /vagrant_data/openam/
[root@samlidp openam]# cp OpenAM-13.0.0.war /opt/tomcat/webapps/openam.war
[root@samlidp openam]# cd /opt/tomcat/webapps/
[root@samlidp webapps]# chown tomcat:tomcat openam.war
[root@samlidp webapps]# chmod 755 openam.war
Then restart Apache Tomcat to check.
[root@samlidp webapps]# systemctl restart tomcat
[root@samlidp webapps]# ss -nat | grep 808
LISTEN     0      100         [::]:8080                  [::]:*
TIME-WAIT  0      0          [::1]:34808               [::1]:8080
It seems to be working fine, so try accessing http://192.168.75.200:8080/openam/ from your browser.
For later use, make the name resolvable in /etc/hosts on macOS. Here I use the domain kawajun.local, which I chose arbitrarily.
macbookpro% sudo vi /etc/hosts
Password:
(Add the following)
192.168.75.200 samlidp.kawajun.local samlidp
Try accessing with this name just in case.
Congratulations, I was able to open the OpenAM default page from Firefox on macOS.