Wednesday, July 28, 2010

WSO2 Identity Server as OpenID Provider


I am going to explain how to use an OpenID issued by WSO2 Identity Server in a real environment. Here I am using Liferay portal as the OpenID consumer (the relying party), and I assume that Liferay portal and the Identity Server have been set up on different hosts in a LAN.

1. First download WSO2 Identity Server and extract it into a directory on your file system. Let's call that directory CARBON_HOME.

2. Start the Identity Server by running wso2server.sh (on Unix) or wso2server.bat (on Windows) from the CARBON_HOME/bin directory.

The Identity Server starts with its default configuration. If you examine the OpenID URL of a user (the default admin username is admin), it will look like

https://localhost:9443/openid/admin

But this OpenID URL cannot be used from other hosts in your network: "localhost" resolves to the consumer's own machine, not to the Identity Server, and the OpenID identifier is exactly the URL the consumer fetches over HTTPS to discover the provider. So let's change the host name.

3. Let's assume we want to configure the host name as "wso2identity" (or any IP address). First configure the following parameters in carbon.xml, which can be found in CARBON_HOME/conf:

 <ServerURL>https://wso2identity:${carbon.management.port}${carbon.context}/services/</ServerURL>
 <HostName>wso2identity</HostName>

Then configure the following parameters in identity.xml, which is in the same directory:

    <OpenIDServerUrl>https://wso2identity:9443/openidserver</OpenIDServerUrl>
    <OpenIDUserPattern>https://wso2identity:9443/openid/</OpenIDUserPattern>

4. Restart the Identity Server. The OpenID URL of the admin user is now

https://wso2identity:9443/openid/admin

5. Download the latest version of Liferay portal and extract it into a directory on your file system. Let's call that directory LIFERAY_HOME.

6. Set CATALINA_HOME to the Tomcat directory bundled with Liferay, LIFERAY_HOME/tomcat_dir (the exact directory name depends on the bundle version).

7. Start Liferay portal by running catalina.sh run (on Unix) or catalina.bat run (on Windows) from the CATALINA_HOME/bin directory.

8. Create a user account in Liferay and configure for it an OpenID issued by the Identity Server (https://wso2identity:9443/openid/admin).



9. Now try to sign in by providing your OpenID.


10. You will probably get an error message instead of being signed in, because one more configuration step is needed when the Identity Server uses its default keystore, wso2carbon.jks.


Liferay (more precisely, the JVM it runs on) uses the Java cacerts file as its trust store, but wso2carbon.jks holds a self-signed certificate that nothing in cacerts vouches for. When Liferay fetches the OpenID URL over HTTPS to discover the provider, the TLS handshake therefore fails. The fix is to import the Identity Server's certificate into the cacerts used by Liferay; after that Liferay trusts the HTTPS endpoint of the WSO2 Identity Server. Keep in mind that this is a test-LAN shortcut: the default wso2carbon.jks is the development keystore that ships with every WSO2 download, and whatever you add to cacerts is trusted by every Java application on that JVM. For anything beyond a test setup, generate a new key pair whose certificate is issued by a CA your consumers already trust and whose subject matches the host name you configured, rather than pushing a self-signed certificate into each consumer's cacerts.

11. Import the Identity Server's certificate into cacerts.

First export the certificate from wso2carbon.jks, which can be found in the CARBON_HOME/resources/security directory. keytool takes the keystore password with -storepass (the original command used -keypass, which keytool does not accept for an export). If the alias localhost is not found, list the keystore with keytool -list -keystore wso2carbon.jks -storepass wso2carbon and use the alias shown there, which should match the KeyAlias configured in carbon.xml. Sample keytool command:

> keytool -export -keystore wso2carbon.jks -file carbon.cert -alias localhost -storepass wso2carbon

Then import it into the cacerts in JAVA_HOME/jre/lib/security of the JVM that runs Liferay's Tomcat (that is the JRE 8 and older layout; JDK 9 and later keep cacerts in JAVA_HOME/lib/security). The default cacerts password is changeit, and you need write access to the file, so run this as the user that owns the JDK:

> keytool -import -keystore cacerts -file carbon.cert -alias carbon -storepass changeit

12. Then restart Liferay portal. Now you can sign in to Liferay portal using the WSO2 Identity Server's OpenID!
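The trust-store step above, as an added shell script that is not part of the original post: it locates the cacerts of the JVM Liferay runs on (the path differs between JRE 8 and JDK 9 and newer), exports the server certificate from wso2carbon.jks, imports it under the alias carbon unless that alias already exists, and lists the entry afterwards to confirm the import. It assumes keytool is on the PATH, that CARBON_HOME and the Liferay JVM's JAVA_HOME are passed as arguments, the default store passwords wso2carbon and changeit, and the key alias localhost from the post (set the KEY_ALIAS environment variable if keytool -list shows a different alias).

```shell
#!/bin/sh
# Added example (not from the original post): trust the WSO2 Identity Server's
# self-signed HTTPS certificate in the JVM that runs Liferay's Tomcat.
# Assumptions: keytool on PATH; CARBON_HOME and JAVA_HOME given as arguments;
# default store passwords (wso2carbon, changeit); key alias from the post.
set -eu

# Locate the cacerts trust store under a JAVA_HOME. JRE 8 and older keep it
# in jre/lib/security; JDK 9 and newer in lib/security. Prints the path,
# or returns 1 when neither layout is present.
find_cacerts() {
  for c in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
    if [ -f "$c" ]; then
      printf '%s\n' "$c"
      return 0
    fi
  done
  return 1
}

# Does the keystore already hold an entry under this alias? (exit 0 = yes)
has_alias() {
  keytool -list -keystore "$1" -storepass "$2" -alias "$3" >/dev/null 2>&1
}

# Export the server certificate (never the private key) from the keystore.
export_server_cert() {
  keytool -exportcert -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

# Import a certificate as a trusted entry without the interactive prompt.
import_trusted_cert() {
  keytool -importcert -noprompt -keystore "$1" -storepass "$2" -alias "$3" -file "$4"
}

main() {
  carbon_home=$1
  java_home=$2
  key_alias=${KEY_ALIAS:-localhost}   # alias used in the post; override if needed
  jks="$carbon_home/resources/security/wso2carbon.jks"

  cacerts=$(find_cacerts "$java_home") || {
    echo "no cacerts under $java_home; is this the JVM Liferay runs on?" >&2
    exit 1
  }

  cert=$(mktemp)
  export_server_cert "$jks" wso2carbon "$key_alias" "$cert"
  if has_alias "$cacerts" changeit carbon; then
    echo "alias 'carbon' already present in $cacerts; delete it first to replace" >&2
  else
    import_trusted_cert "$cacerts" changeit carbon "$cert"
  fi
  rm -f "$cert"

  # Verify: the alias must now list as a trustedCertEntry in the Liferay JVM.
  keytool -list -keystore "$cacerts" -storepass changeit -alias carbon
}

if [ "$#" -eq 2 ]; then
  main "$@"
else
  echo "usage: $0 CARBON_HOME JAVA_HOME" >&2
fi
```

Run it as the user that owns the JDK, for example `sh trust-carbon.sh /opt/wso2is /usr/lib/jvm/java-8` (paths are placeholders), then restart Liferay so the JVM re-reads cacerts.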


2 comments:

  2. After authenticating with WSO2 Identity, it is giving a forbidden error in Liferay. Is there any solution? Please reply fast.
