Posts

  • Install Alfresco 3.4c CE in 5 minutes

    Sometimes you need a fresh Alfresco installation for testing, and you need it quickly. In my case I want to create virtual machines with different Alfresco configurations and variants.
    This post explains how to do a quick installation of Alfresco.

    I. Pre-requisites

    • VirtualBox machine with Windows XP SP2 as guest OS and 1024 MB RAM.
    • JDK 1.6.0_13 installed.
    • MySQL Server 5.1.33-community.
    • Alfresco 3.4c CE installer downloaded (alfresco-community-3.4.c-installer-win-x32.exe).

    II. Installation

    1. Create an empty database for Alfresco (in my case named “alf34c_db1”) and an application account that owns it. Alfresco only needs rights on its own schema: WITH GRANT OPTION is not required and lets the application account hand its privileges to others, so leave it out anywhere other than a throw-away test VM, and pick a real password instead of “demodemo”.

    [sourcecode language=”text” gutter=”true” wraplines=”false”]
    C:\1bpms-demo\xampplite\mysql\bin>mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor. Commands end with ; or \g.
    Your MySQL connection id is 3
    Server version: 5.1.33-community MySQL Community Server (GPL)

    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

    mysql> CREATE DATABASE alf34c_db1 DEFAULT CHARACTER SET utf8;
    mysql> GRANT ALL ON alf34c_db1.* TO alf_user1@'localhost' IDENTIFIED BY 'demodemo' WITH GRANT OPTION;
    mysql> GRANT ALL ON alf34c_db1.* TO alf_user1@'localhost.localdomain' IDENTIFIED BY 'demodemo' WITH GRANT OPTION;
    Query OK, 0 rows affected (0.00 sec)
    mysql> quit;
    Bye

    [/sourcecode]

    2. Run the Alfresco installer.

    3. In “Installation type” select “Advanced - Configures server ports and service properties”; in the “Database Installation” dialog choose “I wish to use an existing database”. Then enter the following:

    (Figure: Alfresco installer - Database configuration)

    4. When the installer finishes, run ${ALF_HOME}/tomcat/bin/startup.bat.

    5. While starting, catalina.out shows Alfresco creating the database structure and populating it with initial data. You will also see several errors in the catalina.out console, because the JVM memory settings need to be changed.

    (Figure: OutOfMemoryError and PermGen error when starting Alfresco)

    Add or modify the JAVA_OPTS variable in Tomcat’s ${ALF_HOME}/tomcat/bin/setenv.bat. The file looks like this:

    [sourcecode language=”text” gutter=”true” wraplines=”false” highlight=”1”]
    set JAVA_OPTS=-Xms256m -Xmx1024m -Xss96k -XX:MaxPermSize=256m -server
    set JAVA_HOME=C:\1BPMS-~1\alf34c_1\java
    set JAVA_OPTS=%JAVA_OPTS%

    [/sourcecode]

    In some cases you also need to copy jaxb-api-2.1.jar from ${ALF_HOME}/tomcat/webapps/alfresco/WEB-INF/lib to ${ALF_HOME}/tomcat/endorsed.

    6. Restart Tomcat. When it has started, open a browser and go to http://localhost:8080/alfresco. You can log in to Alfresco with admin/admin. That default administrator password is known to everyone, so change it before the machine is reachable by anyone but you. END.

    References:
    1) Error starting the Alfresco 3.2 server (Spanish forum thread): http://forums.alfresco.com/es/viewtopic.php?f=5&t=1785
    2) java.lang.OutOfMemoryError: PermGen space: http://forums.alfresco.com/en/viewtopic.php?t=14451

  • Redirect to Liferay page after logout in CAS

    To redirect to any web page after logging out of CAS, follow the steps below:

    1. Change the Liferay CAS configuration. Go to Control Panel > Settings > Authentication > CAS.

    2. Update the “Logout URL” property:

    [sourcecode language=”text” gutter=”true” wraplines=”false”]
    https://directorysrv1:8443/cas-server-webapp-3.3.5/logout?service=${my-logout-page}

    Where:
    ${my-logout-page} is http://lfry01:8080/web/guest/lfry01-logout-page

    [/sourcecode]

    3. Change the CAS configuration. Set the “followServiceRedirects” property to “true” on the “logoutController” bean defined in cas-servlet.xml. Be aware of what this enables: with followServiceRedirects on, CAS sends the browser to whatever URL arrives in the logout request’s service parameter, so anyone who can get a user to click a crafted /logout?service=... link can bounce that user to a site of their choosing (an open redirect) with the CAS server’s name behind it. Before turning it on, check whether your CAS version validates the logout service against its service registry; if it does not, restrict the allowed targets in front of CAS.

    [sourcecode language=”text” gutter=”true” wraplines=”false”]
    [root@directorysrv1 ~]# vim /usr/share/tomcat5/webapps/cas-server-webapp-3.3.5/WEB-INF/cas-servlet.xml
    [/sourcecode]

    [sourcecode language=”xml” wraplines=”false” highlight=”7” padlinenumbers=”2”]
    […]
    <!-- The logoutController bean definition did not survive extraction of this
         page. The change is a single property on that bean:
         followServiceRedirects="true"; all its other properties stay as shipped. -->
    […]
    [/sourcecode]

    4. Restart Tomcat (CAS server):

    [sourcecode language=”text” gutter=”true” wraplines=”false”]
    [root@directorysrv1 ~]# service tomcat5 restart
    Stopping tomcat5: [ OK ]
    Starting tomcat5: [ OK ]
    [root@directorysrv1 ~]#
    [/sourcecode]

    5. Test the redirect.

    (Figure: Page redirected by CAS)
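    Once followServiceRedirects is on, the logout `service` parameter decides where the browser ends up, and nothing in this post restricts it. The check below is an added example, not code from the original post or from CAS: an allow-list for the logout target that you would run in front of /logout (a servlet filter or a reverse-proxy rule). The host and port are the ones from this post's setup; ALLOWED_LOGOUT_TARGETS, the fallback path and the function names are assumptions made for the example.

```python
"""Added example (not code from the original post or from CAS): an allow-list
check for the `service` parameter that CAS follows on logout once
followServiceRedirects is true.  Run it in front of /logout (servlet filter,
reverse-proxy rule) so only URLs of your own applications are followed.
The host and port come from the post's setup; ALLOWED_LOGOUT_TARGETS and the
function names are assumptions made for this example."""
from urllib.parse import urlsplit

# Exact (scheme, host, port) triples a logout may bounce the browser to.
# Deliberately exact matches: no suffix/prefix matching on the host, which is
# where most allow-list bypasses come from ("lfry01.evil.example").
ALLOWED_LOGOUT_TARGETS = {
    ("http", "lfry01", 8080),   # Liferay, as configured in the post
}

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_safe_logout_target(service):
    """True only if `service` is an absolute http(s) URL whose origin is on the
    allow-list.  Anything ambiguous is rejected rather than interpreted."""
    if not service:
        return False
    # Backslashes, whitespace and control characters are parsed differently by
    # browsers and by urllib (e.g. "http://lfry01:8080\\@evil/" is read by some
    # browsers as host "evil"); do not reason about them, just refuse.
    if any(c == "\\" or c.isspace() or ord(c) < 0x20 for c in service):
        return False
    try:
        parts = urlsplit(service)
        port = parts.port            # raises ValueError on a garbage port
    except ValueError:
        return False
    if parts.scheme not in DEFAULT_PORTS:      # no javascript:, data:, "//host"
        return False
    if parts.username is not None or parts.password is not None:
        return False                 # "http://lfry01:8080@evil.example/" trick
    if not parts.hostname:
        return False
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port) in ALLOWED_LOGOUT_TARGETS


def logout_redirect_target(service, fallback="/cas-server-webapp-3.3.5/logout"):
    """What the logout handler should redirect to: the requested service if it
    passes the check, otherwise CAS's own logout page (assumed fallback)."""
    return service if is_safe_logout_target(service) else fallback


if __name__ == "__main__":
    # Constructed inputs: the post's real logout page, then typical bypass attempts.
    for url in ("http://lfry01:8080/web/guest/lfry01-logout-page",
                "http://lfry01:8080@evil.example/",
                "http://lfry01.evil.example:8080/",
                "//evil.example/",
                "javascript:alert(1)"):
        print(is_safe_logout_target(url), url)
```

    The point of matching the full (scheme, host, port) origin rather than a hostname substring is that every bypass in the sample list (userinfo before an @, a look-alike subdomain, a scheme-relative URL, a non-HTTP scheme) parses to an origin that is simply not in the set.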

  • Web-SSO between Liferay and Alfresco with CAS and Penrose (part 1/2)

    I know, this is nothing new. But I keep running into this situation and have to explain it again and again. The requirements are:

    1. CAS for Authentication and SSO.
    2. Web applications to do SSO between: Liferay Portal 6.0.5 CE and Alfresco 3.2 CE.
    3. Penrose Virtual Directory with OpenDS as backend, to store user credentials and expose them over an LDAP interface. This post builds on a previous one, Liferay Portal Server LDAP Authentication with Penrose Server; I recommend reading it first, as it will make this one easier to follow.

    I. Install and configure CAS server

    Note:

    • CAS server v3.3.5 comes with the appropriate libraries for the Tomcat 5 and OpenJDK bundled in CentOS. Otherwise you will have to recompile and/or include some more libraries.

    1. See the previous post, “Liferay Portal Server LDAP Authentication with Penrose Server” (here).

    2. Download CAS server (http://www.jasig.org/cas/download/cas-server-335-final) and deploy cas-server-webapp-3.3.5.war into any Java web server; in this case we deploy it into the Tomcat server previously installed on the CentOS box. In my case, CentOS has Penrose Virtual Directory Server installed and an LDAP tree with several users/identities already loaded (see details in the last blog post).

    3. Verify that Tomcat is installed on CentOS:

    [sourcecode language=”text” gutter=”true” wraplines=”false” highlight=”1”]
    [root@directorysrv1 /]# rpm -ql tomcat5
    /etc/logrotate.d/tomcat5
    /etc/rc.d/init.d/tomcat5
    /etc/sysconfig/tomcat5
    /etc/tomcat5
    /etc/tomcat5/Catalina
    /etc/tomcat5/Catalina/localhost
    [...]
    /var/log/tomcat5
    /var/log/tomcat5/catalina.out
    [root@directorysrv1 /]#
    [/sourcecode]

    If Tomcat is not installed, you can install the RPM packages with yum:

    [sourcecode language=”text” gutter=”true” wraplines=”false” highlight=”1”]
    [root@directorysrv1 /]# yum install tomcat5 tomcat5-webapps tomcat5-admin-webapps
    [/sourcecode]

    We are using OpenJDK (the default Java on CentOS):

    [sourcecode language=”text” gutter=”true” wraplines=”false” highlight=”1”]
    [root@directorysrv1 /]# java -version
    java version "1.6.0"
    OpenJDK Runtime Environment (build 1.6.0-b09)
    OpenJDK Client VM (build 1.6.0-b09, mixed mode)
    [root@directorysrv1 /]#
    [/sourcecode]

    4. Copy the CAS server WAR (cas-server-webapp-3.3.5.war) into Tomcat and start the server:

    [sourcecode language=”text” gutter=”true” wraplines=”false” highlight=”1,10”]
    [root@directorysrv1 /]# cp /temp/cas-server-webapp-3.3.5.war /usr/share/tomcat5/webapps/
    [root@directorysrv1 /]# ll /usr/share/tomcat5/webapps/
    total 19248
    -rw-r--r-- 1 root root 19658857 Dec 31 11:00 cas-server-webapp-3.3.5.war
    drwxrwxr-x 21 root tomcat 4096 Aug 13 11:35 jsp-examples
    drwxrwxr-x 4 root tomcat 4096 Aug 13 11:35 ROOT
    drwxrwxr-x 4 root tomcat 4096 Aug 13 11:35 servlets-examples
    drwxrwxr-x 12 root tomcat 4096 Aug 13 11:35 tomcat-docs
    drwxrwxr-x 3 root tomcat 4096 Aug 13 11:35 webdav
    [root@directorysrv1 /]# service tomcat5 start
    Starting tomcat5: [ OK ]
    [root@directorysrv1 /]#
    [/sourcecode]

    To have Tomcat start automatically when the system boots, use “chkconfig tomcat5 on”. The stock webapps listed above (jsp-examples, servlets-examples, tomcat-docs, webdav, plus the admin webapps installed by tomcat5-admin-webapps) add nothing to a CAS server and are a classic source of exposure; remove them from any server that will face users.

    5. Verify that the CAS server has been deployed successfully. Open a browser at this URL: http://directorysrv1:8080/cas-server-webapp-3.3.5

    6. To avoid errors, make sure that the Tomcat process owner (user tomcat) has write permission on the path where cas.log and/or perfStats.log will be written.
    Then edit CAS’s log4j.xml or log4j.properties and set a valid path (for example /usr/share/tomcat5/logs/) for these log files (cas.log and/or perfStats.log):

    [sourcecode language=”text” gutter=”true” wraplines=”false” highlight=”2”]
    [root@directorysrv1 /]# cd /usr/share/tomcat5/webapps/cas-server-webapp-3.3.5/WEB-INF/classes
    [root@directorysrv1 /]# nano log4j.properties
    [/sourcecode]

    Set a valid path for the log file:

    [sourcecode language=”text” gutter=”true” wraplines=”false” highlight=”2”]
    log4j.appender.logfile=org.apache.log4j.RollingFileAppender
    log4j.appender.logfile.File=/usr/share/tomcat5/logs/cas.log
    log4j.appender.logfile.MaxFileSize=512KB
    # Keep three backup files.
    log4j.appender.logfile.MaxBackupIndex=3
    # Pattern to output: date priority [category] - message
    [/sourcecode]

    7. After the changes to log4j.xml or log4j.properties, restart Tomcat and open the CAS login page: http://directorysrv1:8080/cas-server-webapp-3.3.5/login. If everything is OK, you should see the following:

    (Figure: Login page in CAS Server)

    8. By default, CAS server ships with a test authentication handler (SimpleTestUsernamePasswordAuthenticationHandler) that accepts any user ID whose password equals the user ID; for example, log in with rogerc/rogerc and you should see the “log in successful” message. This handler only exists to prove that the deployment works: it authenticates anyone who knows the trick, so it must be removed (as done in section II) before the server protects anything.

    (Figure: Successful login to CAS with the default authentication model)

    II. Configure CAS server with Penrose Virtual Directory Server

    Now we have to replace the simple test authentication model (userid = password) with LDAP authentication against the existing users and passwords stored in the LDAP tree “ou=Employees,dc=intix,dc=info” loaded previously (see the last blog post here). In other words, instead of authenticating with userid=rogerc/password=rogerc we will log in to CAS with userid=roger@intix.info and password=xxxx.

    1. Edit the deployerConfigContext.xml file:

    [sourcecode language=”text” gutter=”true” wraplines=”false” highlight=”2”]
    [root@directorysrv1 /]# cd /usr/share/tomcat5/webapps/cas-server-webapp-3.3.5/WEB-INF
    [root@directorysrv1 /]# nano deployerConfigContext.xml
    [/sourcecode]

    ... comment out SimpleTestUsernamePasswordAuthenticationHandler and add the BindLdapAuthenticationHandler together with its LDAP context source:

    [sourcecode language=”xml” wraplines=”false” highlight=”3,6,7,8,15” padlinenumbers=”2”]
    <!-- The bean definitions did not survive extraction of this page. What survives
         of them: the handler is BindLdapAuthenticationHandler, its context source
         points at the Penrose LDAP interface ldap://directorysrv1:10389/ and uses
         java.naming.security.authentication = simple (a plain bind, so the bind
         password crosses the network in clear: use ldaps or keep this link on a
         trusted host). -->
    […]
    [/sourcecode]

    You can download the [deployerConfigContext.xml file from here](http://dl.dropbox.com/u/2961879/blog20101231_sso_alfresco_liferay/deployerConfigContext.xml).

    2\. Start Tomcat. In catalina.out you will see:

    [sourcecode language="text" gutter="true" wraplines="false" highlight="14"]
    ...
    INFO: SessionListener: contextInitialized()
    Dec 31, 2010 2:05:16 PM org.apache.coyote.http11.Http11BaseProtocol start
    INFO: Starting Coyote HTTP/1.1 on http-8080
    Dec 31, 2010 2:05:16 PM org.apache.jk.common.ChannelSocket init
    INFO: JK: ajp13 listening on /0.0.0.0:8009
    Dec 31, 2010 2:05:16 PM org.apache.jk.server.JkMain start
    INFO: Jk running ID=0 time=0/15 config=null
    Dec 31, 2010 2:05:16 PM org.apache.catalina.storeconfig.StoreLoader load
    INFO: Find registry server-registry.xml at classpath resource
    Dec 31, 2010 2:05:16 PM org.apache.catalina.startup.Catalina start
    INFO: Server startup in 4294 ms
    ...
    2010...,660 INFO [org.jasig.cas.web.flow.InitialFlowSetupAction] - <Setting path for ...>
    2010...,877 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Starting...
    2010...,878 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <0 found ...
    2010...,878 INFO [org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] - <Finished...
    [/sourcecode]

    Note the AJP connector listening on 0.0.0.0:8009: nothing in this setup uses it, so comment that Connector out in server.xml rather than leave an extra protocol open on every interface.

    3\. Test the CAS server with BindLdapAuthenticationHandler.
    Open a browser, go to the CAS login page and enter any user/password that exists in the LDAP tree "ou=Employees,dc=intix,dc=info", for example userid=Aamod.Wroclawski@intix.info with password=test.

    ![Successful login to CAS with userid=Aamod.Wroclawski@intix.info and password=test](/assets/03sso-cas_login_ldap_mail.png)

    In catalina.out you can see the following:

    [sourcecode language="text" gutter="true" wraplines="false" highlight="2"]
    ...
    2010...,575 INFO [...successfully authenticated ... [username: Aamod.Wroclawski@intix.info]>
    2010...,984 INFO [... ] -
    [/sourcecode]

    ## III. Enable HTTPS and configure an SSL certificate on the Tomcat server that hosts CAS

    **Note:**

    * The SSL certificate is used to secure the channel between the CAS server and any web application that authenticates and does Web-SSO with CAS. This is not optional: the login form carries user passwords and the ticket validation call carries service tickets, so without TLS both cross the network in clear.
    * The root SSL certificate of the CAS server has to be imported into the trusted certificate store of each web server container (or Java Virtual Machine) that talks to it.
    * All certificates will be self-signed, for testing purposes only.

    1\. Create a key pair for the new CAS server SSL certificate, valid for 730 days:

    [sourcecode language="text" gutter="true" wraplines="false" highlight="1"]
    keytool -genkey -alias tomcat -keypass ${CERT_PWD} -keyalg RSA -keystore ./${CAS_KEYSTORE} -validity 730

    Where:
    CERT_PWD is "changeit"
    CAS_KEYSTORE is "cas-3_3_5.keystore"
    [/sourcecode]

    Use a keystore password of your own rather than "changeit" on anything but a test box: it protects the CAS server's private key. When keytool asks for "first and last name", answer with the hostname clients will use in the CAS URL (here directorysrv1); a CN that does not match the hostname makes the Java clients reject the certificate. Now create the self-signed SSL certificate:

    [sourcecode language="text" gutter="true" wraplines="false" highlight="1"]
    [root@directorysrv1 /]# keytool -genkey -alias tomcat -keypass changeit -keyalg RSA -keystore /usr/share/tomcat5/cas-3_3_5.keystore -validity 730
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]: directorysrv1
    What is the name of your organizational unit?
      [Unknown]: INTIX I+D
    What is the name of your organization?
      [Unknown]: INTIX.info
    What is the name of your City or Locality?
      [Unknown]: BARCELONA
    What is the name of your State or Province?
      [Unknown]: CATALUNYA
    What is the two-letter country code for this unit?
      [Unknown]: ES
    Is CN=directorysrv1, OU="INTIX I+D", O=INTIX.info, L=BARCELONA, ST=CATALUNYA, C=ES correct?
      [no]: yes

    [root@directorysrv1 bin]#
    [/sourcecode]

    2\. Export the SSL certificate:

    [sourcecode language="text" gutter="true" wraplines="false" highlight="1"]
    [root@directorysrv1 /]# keytool -export -alias tomcat -keypass changeit -keystore /usr/share/tomcat5/cas-3_3_5.keystore -storepass changeit -file /usr/share/tomcat5/directorysrv1_730days.crt
    Certificate stored in file </usr/share/tomcat5/directorysrv1_730days.crt>
    [root@directorysrv1 /]#
    [/sourcecode]

    3\. Uncomment the HTTPS connector in /usr/share/tomcat5/conf/server.xml and point it at the keystore:

    [sourcecode language="xml" gutter="true" wraplines="false" highlight="4,10,11"]
    ...
    <!-- The <Connector port="8443" ... scheme="https" secure="true"> element did not
         survive extraction of this page. Uncomment it and add
         keystoreFile="/usr/share/tomcat5/cas-3_3_5.keystore" and keystorePass="changeit"
         (the Tomcat 5.5 attribute names for the keystore created above). -->

    ...
    [/sourcecode]

    You can download the [server.xml from here](http://dl.dropbox.com/u/2961879/blog20101231_sso_alfresco_liferay/server.xml).

    5\. Now you can test the CAS server over SSL; open a browser at this URL: <https://directorysrv1:8443/cas-server-webapp-3.3.5/login>

    ![CAS login on SSL](/assets/04sso-cas_login_SSL.png)

    ## IV. Configure Liferay with CAS and LDAP Authentication

    1\. Import the CAS server's SSL certificate into the JVM/JRE that runs Liferay; in my case Liferay runs on a WinXP box called "lfry01". Before answering "yes", compare the fingerprints keytool prints with those of the certificate on the CAS host (keytool -list -v on cas-3_3_5.keystore): you are adding a trust anchor to that JVM's global trust store, so make sure it is the certificate you generated and not something swapped in on the way.

    [sourcecode language="text" gutter="true" wraplines="false" highlight="1"]
    c:\>keytool -import -alias tomcat -file c:\0share1\cas-3.3.5_cert\directorysrv1_730days.crt -keystore c:\1bpms-demo\liferay-portal-6.0.5\tomcat-6.0.26\jre1.6.0_21\win\lib\security\cacerts
    Enter keystore password:
    Owner: CN=directorysrv1, OU="INTIX I+D", O=INTIX.info, L=BARCELONA, ST=CATALUNYA, C=ES
    Issuer: CN=directorysrv1, OU="INTIX I+D", O=INTIX.info, L=BARCELONA, ST=CATALUNYA, C=ES
    Serial number: 4d1df9bc
    Valid from: Fri Dec 31 16:41:48 GMT+01:00 2010 until: Sun Dec 30 16:41:48 GMT+01:00 2012
    Certificate fingerprints:
             MD5:  11:4D:72:BB:80:42:EE:F7:4A:CA:E9:EA:F6:4F:86:8D
             SHA1: 7F:6B:12:64:31:8B:47:4E:11:33:D7:FE:EF:C6:D4:65:12:59:8D:2E
             Signature algorithm name: SHA1withRSA
             Version: 3
    Trust this certificate? [no]: yes
    Certificate was added to keystore

    c:\>
    [/sourcecode]

    2\. Configure Liferay CAS and LDAP authentication. In the last blog post we configured LDAP authentication in Liferay; in this example we only have to add the CAS server configuration to Liferay:

    [sourcecode language="text" gutter="true" wraplines="false"]
    * Enabled: Yes
    * Import from LDAP: Yes
    * Login URL: https://directorysrv1:8443/cas-server-webapp-3.3.5/login
    * Logout URL: https://directorysrv1:8443/cas-server-webapp-3.3.5/logout
    * Server Name: lfry01:8080
    * Server URL: https://directorysrv1:8443/cas-server-webapp-3.3.5
    * Service URL: http://lfry01:8080/c/portal/login
    [/sourcecode]

    Note that the Service URL, and with it the Liferay side of the exchange, is plain HTTP here: CAS redirects the browser back to http://lfry01:8080/c/portal/login?ticket=ST-... and Liferay's session cookie is set on that connection, so both can be read on the wire. That is acceptable on the test LAN; for real use put Liferay behind HTTPS as well and register an https Service URL.

    ![CAS configuration in Liferay Control Panel](/assets/05sso-liferay_ldap_cas_authn_config.png)

    3\. Test LDAP authentication and CAS with Liferay:

    * Go to Liferay http://lfry01:8080
    * Click on the "Sign in" link at the top right

    ![Click on "Sign in" (top right on the guest page of Liferay)](/assets/06sso-liferay_ldap_cas_authn_signin.png)

    * The CAS login form appears; enter userid=Aamod.Wroclawski@intix.info and pwd=test

    ![Login page when requesting a protected resource in Liferay](/assets/06sso-liferay_ldap_cas_authn_signin2.png)

    * If authentication is OK, you will be redirected to Aamod.Wroclawski's page within Liferay

    ![After a successful login in CAS, we are redirected to the requested page in Liferay](/assets/06sso-liferay_ldap_cas_authn_signin3.png)

    ## V. Install and configure Alfresco with CAS and LDAP Authentication

    In the next post I will explain how to configure Alfresco with CAS for SSO and authentication. We will also see the importance of using an LDAP directory to supply identities, and verify the SSO between Liferay and Alfresco. See you soon.

    **References:**

    * Alfresco Authentication Subsystems: http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems
    * External authentication subsystem: http://wiki.alfresco.com/wiki/Alfresco_Authentication_Subsystems#External
    * Alfresco With mod auth CAS: http://wiki.alfresco.com/wiki/Alfresco_With_mod_auth_cas
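    Section IV only shows the browser side of the login: the redirect to CAS and the jump back to Liferay. What decides whether the user is actually logged in is the back-channel call Liferay's CAS client makes afterwards, and that is where a client goes wrong (validating with a different service URL, or accepting anything that is not an explicit failure). The following is an added example, not code from the original post, from CAS or from Liferay: the ticket-validation leg of the CAS 2.0 protocol with constructed responses in the format CAS returns. CAS_SERVER and SERVICE_URL are the values configured in this post; the function names and the sample XML are the example's own.

```python
"""Added example (not code from the original post, from CAS or from Liferay):
the back-channel leg of the CAS 2.0 login described in section IV.  After the
browser comes back from CAS with ?ticket=ST-..., the client must (1) recover
the exact service URL it registered, (2) call /serviceValidate on the CAS
server over TLS with that service and ticket, and (3) accept the login only
on an explicit <cas:authenticationSuccess>.  CAS_SERVER and SERVICE_URL are
the values from the post; the XML responses are constructed by hand in the
shape the CAS 2.0 protocol defines, and all function names are this example's."""
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

CAS_SERVER = "https://directorysrv1:8443/cas-server-webapp-3.3.5"
SERVICE_URL = "http://lfry01:8080/c/portal/login"
CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}


def service_from_callback(callback_url):
    """CAS appends ticket=... to the service URL when redirecting back.  The
    client must validate with exactly the service it sent to /login, so only
    the ticket parameter is dropped; everything else is kept as it was."""
    p = urlsplit(callback_url)
    query = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
             if k != "ticket"]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(query), p.fragment))


def ticket_from_callback(callback_url):
    """The service ticket CAS issued, or None if the callback carries none."""
    for k, v in parse_qsl(urlsplit(callback_url).query):
        if k == "ticket":
            return v
    return None


def build_validate_url(service, ticket):
    """The request the client makes to CAS (over HTTPS, server to server).
    If `service` differs from the one used at /login, CAS answers INVALID_SERVICE;
    a ticket is single-use, so a replayed one answers INVALID_TICKET."""
    return CAS_SERVER + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})


def parse_service_validate(xml_text):
    """Parse a /serviceValidate response.  Returns (user, None) on success or
    (None, failure_code) otherwise.  Fail closed: anything that is not a
    well-formed serviceResponse carrying an authenticationSuccess is a failure.
    (For XML from an untrusted party use defusedxml instead of ElementTree.)"""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None, "MALFORMED_RESPONSE"
    if root.tag != "{%s}serviceResponse" % CAS_NS["cas"]:
        return None, "MALFORMED_RESPONSE"
    ok = root.find("cas:authenticationSuccess", CAS_NS)
    if ok is not None:
        user = ok.findtext("cas:user", default="", namespaces=CAS_NS).strip()
        return (user, None) if user else (None, "MALFORMED_RESPONSE")
    bad = root.find("cas:authenticationFailure", CAS_NS)
    if bad is not None:
        return None, bad.get("code", "UNKNOWN")
    return None, "MALFORMED_RESPONSE"


# Constructed sample responses, in the CAS 2.0 serviceValidate format.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>Aamod.Wroclawski@intix.info</cas:user>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

INVALID_TICKET_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    ticket 'ST-1-example' not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    callback = SERVICE_URL + "?ticket=ST-1-example"     # constructed callback URL
    service, ticket = service_from_callback(callback), ticket_from_callback(callback)
    print(build_validate_url(service, ticket))
    print(parse_service_validate(SUCCESS_XML))          # ('Aamod.Wroclawski@intix.info', None)
    print(parse_service_validate(INVALID_TICKET_XML))   # (None, 'INVALID_TICKET')
```

    Two details carry the security of the exchange: the service passed to /serviceValidate must be byte-for-byte the one used at /login (that is what ties the ticket to this application), and the validation request must go to the CAS server over the HTTPS URL whose certificate was imported in step 1, otherwise the client is trusting whoever answers on the wire.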

  • Liferay Portal LDAP Authentication with Penrose Server

    In a previous post, Identity Management (IdM) in Portal, ECM and BPM Projects, we explained how important it is to have a corporate directory (LDAP server) that serves as a repository for the different kinds of identities and roles our business applications need in their authentication and authorization processes.


    Fig 0. Penrose Server, a free, open-source Java virtual directory

    We also explained the importance of using a virtual directory as the natural evolution of the classic directory and meta-directory, and highlighted its functionality, scalability and ability to integrate different sources of identity information regardless of their type: other LDAP servers, database servers, even web services. In this post we will explain how to deploy and configure Penrose Server (a free/open-source virtual directory) so that user identity information stored in a MySQL table can be used for Liferay Portal users without programming or modifying any Liferay adapter or hook. Penrose Server uses OpenDS as its default backend, so any LDAP objectClass that exists in OpenDS exists in Penrose Server. That said, on with the installation.

    1. Pre-requisites

    1. Download a Java Development Kit (>= 1.5), for example jdk-1_5_0_17-linux-amd64.bin.

    2. CentOS already has OpenJDK. You can verify it:

    [root@directorysrv1 /]# java -version
    java version "1.6.0"
    OpenJDK  Runtime Environment (build 1.6.0-b09)
    OpenJDK Client VM (build 1.6.0-b09, mixed mode)
    

    2. Installing Penrose Server (Virtual Directory)

    A virtual directory maps information from disparate data sources, such as LDAP services and Database, into a single location for users to access.

    1. Download the RPM from here http://penrose.redhat.com/display/PENROSE20/Penrose+2.0+Release

    2. Install the package(s):

    [root@directorysrv1 tempo]# rpm -i vd-server-2.0-1.i386.rpm
    VD Server 2.0 has been installed in /opt/vd-server-2.0.
    

    3. Make sure that Java is configured: edit the /opt/vd-server-2.0/etc/vd.conf file.

    [root@directorysrv1 /]# vim /opt/vd-server-2.0/etc/vd.conf
    

    Add the JAVA_HOME variable, pointing to your JDK. For example, in CentOS is:

    JAVA_HOME=/usr/lib/jvm/java-1.6.0-openjdk
    

    After editing the vd.conf file, copy it into the host’s /etc directory.

    [root@directorysrv1 /]# cp /opt/vd-server-2.0/etc/vd.conf /etc
    

    4. Run the configuration script to set the server hostname, the admin DN and password, and the port numbers and other settings for the LDAP and JMX services of the Virtual Directory. Take the chance to set a root password of your own: the default bind credentials (uid=admin,ou=system / secret) appear in this very post and in the product documentation. For example:

    [root@directorysrv1 /]# cd /opt/vd-server-2.0/bin/
    [root@directorysrv1 bin]# ./vd-config.sh
    Configuring VD Server:
    ----------------------
    
    Hostname [directorysrv1.intix.info]:
    Root DN [uid=admin,ou=system]:
    Root Password [*****]:
    User account [root]:
    Group account [root]: 
    
    Configuring JMX Service:
    ------------------------
    
    RMI Port [1099]:
    RMI Transport Port [40888]: 
    
    Configuring OpenDS Service:
    ---------------------------
    
    LDAP Enabled [true]:
    LDAP Port [10389]:
    Secure LDAP Enabled [false]:
    Secure LDAP Port [10636]:
    SSL Certificate Name [server-cert]:
    Key Store Type (JKS/PKCS12) [JKS]:
    Key Store File [config/keystore]:
    Key Store PIN File [config/keystore.pin]: 
    
    [root@directorysrv1 bin]#
    

    3. Installing additional libraries

    You can install on Virtual Directory Server libraries (jar files) to extend functionalities. These libraries cover a range of different functions, including JDBC drivers, custom adapters, custom modules, and other third party libraries.

    1. Copy the JAR files into the /opt/vd-server-2.0/lib/ext/ directory; for example:

    [root@directorysrv1 /]# cp /export/myjdbc.jar /opt/vd-server-2.0/lib/ext/myjdbc.jar
    

    2. Restart the Virtual Directory Server afterwards.

    4. Uninstalling Penrose Server

    The Virtual Directory Server packages can be uninstalled with the same package management tools used to install them. To remove the server, use the -e option of rpm with the installed package name (not the .rpm file name):

    [root@directorysrv1 bin]# rpm -ev vd-server-2.0-1
    

    5. Starting Penrose Server

    1. Virtual Directory is started by running a shell script /opt/vd-server-2.0/bin/vd-server.sh. For example:

    [root@directorysrv1 /]# cd /opt/vd-server-2.0/bin
    [root@directorysrv1 bin]# ./vd-server.sh
    [12/02/2010 01:40:11.693] VD Server is ready.
    

    2. The script runs in the foreground; to stop the server, terminate it (Ctrl-C in that terminal).

    6. Starting Penrose Server as a linux service

    The Virtual Directory can be stopped, started, and restarted using system tools on CentOS. Init scripts are included with the configuration files with Virtual Directory Server.

    1. Log into the Virtual Directory Server host machine as root user.
    2. Open the Virtual Directory init script directory.

    [root@directorysrv1 /]# cd /opt/vd-server-2.0/etc/init.d
    

    3. Edit the /opt/vd-server-2.0/etc/init.d/vd-server script so that the Virtual Directory Server home and script locations are correct. For example:

    VD_SERVER_HOME=/opt/vd-server-2.0
    VD_SERVER_SCRIPT=$VD_SERVER_HOME/bin/vd-server.sh
    

    4. Copy the init file to the /etc/init.d/ directory.

    [root@directorysrv1 /]# cp /opt/vd-server-2.0/etc/init.d/vd-server /etc/init.d/

    5. Make the init script executable.

    [root@directorysrv1 /]# chmod +x /etc/init.d/vd-server
    

    6. Test the new Virtual Directory service.

    [root@directorysrv1 /]# service vd-server start
    Starting vd-server:                                        [  OK  ]
    [root@directorysrv1 init.d]# [12/03/2010 10:24:31.782] VD Server is ready.
    [root@directorysrv1 init.d]#
    

    After setting Virtual Directory Server up as a service, it can be managed using the service on CentOS:

    [root@directorysrv1 /]# service vd-server {start|stop|restart}
    

    7. Connect to Penrose Server LDAP interface

    You need an LDAP client, for example Apache Directory Studio.

    1. Start the LDAP client.

    2. Add new LDAP connection with these values:

    • hostname or ip : directorysrv1 (or directorysrv1.intix.info)
    • port : 10389
    • user credentials: uid=admin,ou=system
    • password: secret (the root password given to vd-config.sh)

    3. Now you can browse the existing LDAP entries or create a new partition (LDAP tree). Remember that this is plain LDAP on port 10389 (Secure LDAP was left disabled in vd-config.sh), so the admin bind password crosses the network in clear; keep it on a trusted network or enable LDAPS on 10636 before using it from anywhere else.

    8. Create a new virtual LDAP tree binding MySQL Server

    1. Install MySQL Server. In my case I install it on the same CentOS host where the Virtual Directory is already installed; this is just for testing purposes.

    [root@directorysrv1 /]# yum --disablerepo=\* --enablerepo=c5-media -y install mysql-server
    Loaded plugins: fastestmirror
    [...]
    Running Transaction
      Installing     : perl-DBD-MySQL                       1/2
      Installing     : mysql-server                         2/2 
    
    Installed:
      mysql-server.i386 0:5.0.77-4.el5_4.2                                                                                        
    
    Dependency Installed:
      perl-DBD-MySQL.i386 0:3.0007-2.el5                                                                                          
    
    Complete!
    [root@directorysrv1 /]#
    

    2. Start MySQL Server as service.

    [root@directorysrv1 init.d]# service mysqld start
    Initializing MySQL database:  Installing MySQL system tables...
    [...]
                                                               [  OK  ]
    Starting MySQL:                                            [  OK  ]
    [root@directorysrv1 init.d]#
    

    3. Set the MySQL root password:

    [root@directorysrv1 /]# mysqladmin -u root password "demodemo"
    

    4. Enable remote access to MySQL. Remote access is needed when you want to connect to MySQL from a different computer. The grant below gives root on every database and table from any host ('%'), which is the lab shortcut; on anything that is not a throw-away VM, create a dedicated read-only account for the Virtual Directory, limited to the employees schema and to the host it connects from, and leave root local.

    [root@directorysrv1 /]# mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 5
    Server version: 5.0.77 Source distribution
    
    Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
    
    mysql> GRANT ALL ON *.* TO root@'%' IDENTIFIED BY 'demodemo';
    Query OK, 0 rows affected (0.00 sec)
    
    mysql> quit;
    Bye
    

    5. Create a new Database and tables that will store identities (user credentials).

    These user credentials stored in tables will be exposed as an LDAP tree by the Virtual Directory Server. This new LDAP tree can then be used to configure the login and authentication process of different applications/products such as Liferay, Alfresco, Intalio, etc. In this example we explain how to do it for Liferay Portal. We will use an existing MySQL database (the Employees sample DB) for testing purposes. Download it from http://datacharmer.blogspot.com/2008/07/dont-guess-test-sample-database-with.html and load it into our MySQL server:

    -- unzip DB

    [root@directorysrv1 temp]# tar -xjf /temp/employees_db-full-1.0.4.tar.bz2
    [root@directorysrv1 temp]# cd /temp/employees_db/
    

    -- create schema and load data

    [root@directorysrv1 temp]# mysql -u root -p -t < employees.sql

    -- test integrity of loaded data with SHA1

    [root@directorysrv1 employees_db]# time mysql -u root -p -t < test_employees_sha.sql
    Enter password:
    +----------------------+
    | INFO                 |
    +----------------------+
    | TESTING INSTALLATION |
    +----------------------+
    +--------------+------------------+------------------------------------------+
    | table_name   | expected_records | expected_crc                             |
    +--------------+------------------+------------------------------------------+
    | employees    |           300024 | 4d4aa689914d8fd41db7e45c2168e7dcb9697359 |
    | departments  |                9 | 4b315afa0e35ca6649df897b958345bcb3d2b764 |
    | dept_manager |               24 | 9687a7d6f93ca8847388a42a6d8d93982a841c6c |
    | dept_emp     |           331603 | d95ab9fe07df0865f592574b3b33b9c741d9fd1b |
    | titles       |           443308 | d12d5f746b88f07e69b9e36675b6067abb01b60e |
    | salaries     |          2844047 | b5a1785c27d75e33a4173aaa22ccf41ebd7d4a9f |
    +--------------+------------------+------------------------------------------+
    +--------------+------------------+------------------------------------------+
    | table_name   | found_records    | found_crc                                |
    +--------------+------------------+------------------------------------------+
    | employees    |           300024 | 4d4aa689914d8fd41db7e45c2168e7dcb9697359 |
    | departments  |                9 | 4b315afa0e35ca6649df897b958345bcb3d2b764 |
    | dept_manager |               24 | 9687a7d6f93ca8847388a42a6d8d93982a841c6c |
    | dept_emp     |           331603 | d95ab9fe07df0865f592574b3b33b9c741d9fd1b |
    | titles       |           443308 | d12d5f746b88f07e69b9e36675b6067abb01b60e |
    | salaries     |          2844047 | b5a1785c27d75e33a4173aaa22ccf41ebd7d4a9f |
    +--------------+------------------+------------------------------------------+
    +--------------+---------------+-----------+
    | table_name   | records_match | crc_match |
    +--------------+---------------+-----------+
    | employees    | OK            | ok        |
    | departments  | OK            | ok        |
    | dept_manager | OK            | ok        |
    | dept_emp     | OK            | ok        |
    | titles       | OK            | ok        |
    | salaries     | OK            | ok        |
    +--------------+---------------+-----------+
    
    real    0m59.756s
    user    0m0.011s
    sys     0m0.057s
    

    The Employees DB schema/model that we will use to build the LDAP tree is the one loaded above (employees, departments, dept_manager, dept_emp, titles and salaries).

    6. Download MySQL JDBC library and copy to Virtual Directory Server, in this case to /opt/vd-server-2.0/lib/ext/ folder.

    [root@directorysrv1 temp]# cp mysql-connector-java-5.1.13-bin.jar /opt/vd-server-2.0/lib/ext/
    

    7. Create a new partition in our Virtual Directory Server. A partition in the Virtual Directory holds all the relationships between:

    • Connections: data servers such as DB servers or other LDAP servers
    • Sources: applications such as Liferay, Alfresco, Intalio, Windows authentication, …
    • Identities: individual entries, and
    • Mappings: links between entities.

    It is necessary to add new namingContexts to existing Root DSE in /opt/vd-server-2.0/conf/directory.xml. This file will be like: [/conf/directory.xml](/assets/blog20101203_virtualdirectory_portal/directory.xml)

    8. Map tables and fields to the attributes of the new LDAP tree in our Virtual Directory.

    • Liferay Portal domain: the new LDAP tree/domain; in this example it is “@intix.info”.
    • Liferay Portal Users: the employees table of the MySQL DB maps to inetOrgPerson (or organizationalPerson or another similar class) entries in LDAP.
    • Liferay Portal Groups: the departments table of the MySQL DB maps to organizationalUnit (or another similar class) entries in LDAP; in this example we will not use Groups.
    • Additional fields required by Liferay Portal, such as email and title, will be obtained by joining field values: the email from employees.first_name and employees.last_name joined with “@intix.info”, the title from titles.title, and so on. In this example, the “title” LDAP attribute of inetOrgPerson will be composed from different values of the Employees table.
    • The password used to log into Liferay Portal will be stored as SHA1 in a new field created in the Employees table. For our convenience, all user passwords will be equal to the same value: function_sha1('test') = qUqP5cyxm6YcTAhz05Hph5gvu9M=.
    • Only allow access to Liferay Portal to users (Employees) hired in August 1999. In this case we will use this statement: SELECT emp_no FROM employees WHERE hire_date BETWEEN '1999-08-01' AND '1999-08-31'. This constraint will be a filter in our Virtual Directory Partition.

    For your convenience, I include all the files that are part of the new Partition (connections, sources, mappings and constraints) created in the Virtual Directory. You can download them from here: Penrose Server partition intix.info
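    The mapping described in step 8 and the password check done later from Apache Directory Studio (section 11), as an added example that is not code from the original post nor from Penrose: a small Python script that applies the August 1999 hire-date filter to a few constructed employee rows, maps each surviving row to an inetOrgPerson entry under ou=Employees,dc=intix,dc=info (uid from emp_no, mail from first_name.last_name@intix.info, title from the titles table), and verifies a userPassword the way an LDAP bind or the Directory Studio password dialog does. The {SHA} prefix on userPassword, the objectClass list and the cn/sn/givenName attributes are my assumptions about how the Penrose mapping lays out the entry; the sample rows are constructed (only emp_no 480838 corresponds to the user verified in the post).

```python
import base64
import hashlib
import hmac
from datetime import date

# Constructed sample rows standing in for the MySQL "employees" table joined
# with "titles". emp_no 480838 matches the entry verified later in the post;
# the other two rows are made up for the example.
EMPLOYEES = [
    {"emp_no": 480838, "first_name": "Aamod", "last_name": "Wroclawski",
     "hire_date": date(1999, 8, 15), "title": "Senior Engineer"},
    {"emp_no": 10001, "first_name": "Georgi", "last_name": "Facello",
     "hire_date": date(1986, 6, 26), "title": "Senior Engineer"},
    {"emp_no": 10002, "first_name": "Bezalel", "last_name": "Simmel",
     "hire_date": date(1999, 8, 31), "title": "Staff"},
]

MAIL_DOMAIN = "intix.info"
BASE_DN = "ou=Employees,dc=intix,dc=info"          # assumed partition suffix
HIRE_FROM, HIRE_TO = date(1999, 8, 1), date(1999, 8, 31)


def sha1_userpassword(plaintext: str) -> str:
    """Base64(SHA1(password)) with the RFC 2307 {SHA} prefix (assumed layout).

    Unsalted SHA-1 is what the post uses for its demo accounts; a salted
    scheme ({SSHA} or stronger) is the right choice for real accounts.
    """
    digest = hashlib.sha1(plaintext.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def hired_in_august_1999(row: dict) -> bool:
    # Same predicate as: WHERE hire_date BETWEEN '1999-08-01' AND '1999-08-31'
    return HIRE_FROM <= row["hire_date"] <= HIRE_TO


def to_ldap_entry(row: dict, user_password: str) -> dict:
    """Map one employees row to an inetOrgPerson entry (attribute set assumed)."""
    local_part = f"{row['first_name']}.{row['last_name']}".lower()
    return {
        "dn": f"uid={row['emp_no']},{BASE_DN}",
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "uid": str(row["emp_no"]),
        "cn": f"{row['first_name']} {row['last_name']}",
        "givenName": row["first_name"],
        "sn": row["last_name"],
        "mail": f"{local_part}@{MAIL_DOMAIN}",
        "title": row["title"],
        "userPassword": user_password,
    }


def build_partition(rows, user_password: str) -> list:
    """Apply the hire-date constraint first, then map the surviving rows."""
    return [to_ldap_entry(r, user_password) for r in rows if hired_in_august_1999(r)]


def verify_password(entry: dict, candidate: str) -> bool:
    """What Directory Studio does when you 'verify' a {SHA} userPassword."""
    stored = entry["userPassword"]
    if not stored.startswith("{SHA}"):
        return False
    # constant-time comparison of the two base64 digests
    return hmac.compare_digest(stored, sha1_userpassword(candidate))


def authenticate(entries, mail: str, candidate: str):
    """Liferay-style login by Email Address: return the DN on success, else None."""
    for entry in entries:
        if entry["mail"].lower() == mail.lower():
            return entry["dn"] if verify_password(entry, candidate) else None
    return None


if __name__ == "__main__":
    tree = build_partition(EMPLOYEES, sha1_userpassword("test"))
    for e in tree:
        print(e["dn"], e["mail"], e["title"])
    print(authenticate(tree, "aamod.wroclawski@intix.info", "test"))
```

    Only the two rows hired in August 1999 end up in the tree, so a user who exists in the Employees table but falls outside the filter (emp_no 10001 above) cannot authenticate at all, which is exactly the effect of putting the constraint in the Partition rather than in Liferay.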

    9. Create the new partition (“intix_info_liferay” folder) in the Virtual Directory.

    [root@directorysrv1 /]# mkdir /opt/vd-server-2.0/partitions/intix_info_liferay/DIR-INF
    

    10. Copy all the files (connections.xml, directory.xml, mappings.xml, modules.xml, partition.xml and sources.xml) to /opt/vd-server-2.0/partitions/intix_info_liferay/DIR-INF

    11. Restart Virtual Directory:

    [root@directorysrv1 /]# service vd-server restart
    

    12. Browse the new LDAP tree (partition) created in the Virtual Directory, which is bound to the new database created in MySQL Server.

    9. Configure LDAP Authentication in Liferay Portal

    Now we have an LDAP server (Penrose) with the user credentials (identities) loaded. The next step is to configure Liferay Portal with this LDAP tree to log in to the Portal. If you already have Liferay installed, you have to make sure that Liferay can resolve the Virtual Directory. To check it:

    [chilcano@lfry01 /]# ping directorysrv1
    

    Then, from Liferay > Control Panel, configure LDAP authentication with Email Address as the credential used to log in.

    Add and configure a new LDAP server (Penrose Server) in Liferay.


    10. Testing LDAP Authentication from Liferay Portal

    Now you can use any user credential (any row of the Employees table) to log in to Liferay.

    11. Testing LDAP Authentication from Apache Directory Studio

    The user “aamod.wroclawski@intix.info” with password “test” can be verified. You can do it from Apache Directory Studio: open Apache Directory Studio, connect to Penrose Server, go to the entry “uid=480838,ou=Employees,dc=intix,dc=info”, click on the password attribute, and a window opens where you can verify the password. Follow the figures:

    If you are planning to install another product or application in your organization, you could create a new LDAP tree under the Root DSE intix.info, such as ou=Alfresco Users,dc=intix,dc=info, and select or filter the existing users from the Employees table. Penrose Server (Virtual Directory) has several applications and is easily adaptable to any security user schema. Any questions, do not hesitate to email me. Bye.

    References

  • BPM trend: ¿Agile BPM?

    Marco Brambilla posted on his blog “Working @ Web and Business Process Engineering” his view on the history and trend of BPM, and I totally agree with it.

    Figure: BPM history in one picture

    Nowadays, companies want to develop business applications in an agile way (quickly and at low cost); this applies to any business application and not only to BPM apps. This is called “rapid application development” (RAD), and in this scenario we should mainly make use of 2 things:

    1. Methodology: best practices for a proper and quick implementation of applications.
    2. Tools: a set of tools that support the whole “Software Development Life Cycle” (SDLC) and obviously speed up the entire production cycle. I have used 2 FOSS tools of this type:

    • Intalio (http://www.intalio.com/bpm/features)
    • Bonita BPM (http://www.bonitasoft.com/products/Business_Process_Management_features.php)

    … and yes, currently the trend is “Model-Driven Development” (MDD), and I can see it in the classic BPM tools; they are moving towards MDD, for example:

    • jBPM5 (http://planet.jboss.org/post/should_you_bet_on_jbpm)
    • Activiti and Camunda Fox (http://www.activiti.org/cycle.html)

    For further information, here are some related links:
  • Comparing MySQL and Postgres 9.0 Replication

    Comparing MySQL and Postgres 9.0 Replication
    By Robin Schumacher and Gary Carter, EnterpriseDB
    TheServerSide.com


    Replication is one of the most popular features used in RDBMS’s today. Replication is used for disaster recovery purposes (i.e. backup or warm stand-by servers), reporting systems where query activity is offloaded onto another machine to conserve resources on the transactional server, and scale-out architectures that use sharding or other methods to increase overall query performance and data throughput.

    Replication is not restricted to only the major proprietary databases; open source databases such as MySQL and PostgreSQL also offer replication as a feature. While MySQL has offered built-in replication for a number of years, PostgreSQL replication used to be accomplished via community software that was an add-on to the core Postgres Server. That all changed with the release of version 9.0 of PostgreSQL, which now offers built-in streaming replication that is based on its proven write ahead log technology.

    With the two most popular open source databases now providing built-in replication, questions are being asked about how they differ in their replication technologies. What follows is a brief overview of both MySQL and PostgreSQL replication, with a brief compare and contrast of the implementations being performed immediately afterwards.


    via A Quick Comparison of MySQL and Postgres 9.0 Replication.

  • Building a content delivery platform with Alfresco

    A very interesting topic nowadays is content distribution over the internet, that is, how to build a platform in the style of Youtube, Vimeo or Netflix to distribute rich or multimedia content through the internet channel. Clearly, there are many application scenarios and technically there are many tools to do this, but it is more important to think about the business model and how to achieve monetization. In other words, not only building your web TV channel, not only thinking about the distribution or streaming of the content, but also about monetization, or how to make the investment profitable.

    In May 2010 I gave a Webinar on this topic, where I explained how to build a platform of this kind and how to profit from it. I did a proof of concept using Alfresco ECM to build a platform supporting the whole content lifecycle. Here is the PPT, and if you are interested in the Alfresco Webscripts and the Player that I used for this proof of concept, do not hesitate to let me know.

    [slideshare id=5816944&doc=03webinarcontentdeliveryplatformv1-0-intix-101117184148-phpapp02]

    Recently I read a success story that combines Cloud Computing and a Content Delivery Platform: the case of Netflix.
    I have also observed that similar initiatives exist in the Spanish and Latin American market, but oriented to educational content.
    I want to stress that in both scenarios Alfresco ECM is an ideal tool to build such platforms; obviously, there are other alternatives, but not as versatile and scalable as Alfresco. Here are the links:

  • Identity Management (IdM) in Portal, ECM and BPM Projects

    When developing Portal, ECM or BPM projects, we often tend to ignore the authentication and authorization solution, and the solution that will store the user identities. Authentication, Authorization and Web-SSO solutions require that we already have an Identity Management infrastructure installed and configured; commonly a Meta Directory or LDAP server is used, but experience leads us to use something more dynamic and scalable, especially in projects where the initial source of users, roles and hierarchy within the organization is not clear. In this scenario, I usually recommend a Virtual Directory solution to store the identities of our users and CAS as the authentication and Web-SSO service. Both fully complement each other and let us very quickly build a robust and “low-cost” identity management solution in our organization.

    Services in Identity Management Systems (IdM)

    If we already have an Identity Management infrastructure, it involves:

    Centralized Directory or Repository for Identities.

    The Corporate Directory is an LDAP server that stores user or identity information for the applications in the organization. Organizations should have 2 directories: one for internal services (Windows or intranet login, Kerberos authentication, etc.) and another for web or standalone applications such as Liferay Portal.

    Mechanisms of replication, synchronization and consolidation of directories or repositories.

    Some organizations have several offices around the world; each has a Directory or LDAP server that provides services to the office it belongs to, while the Consolidated or Global LDAP Directory Server can offer services such as searching for people from other offices through a single Address Book. To do this, we need mechanisms to consolidate data from LDAP servers and data from different sources such as DBMSs, regardless of where and how they are stored.

    Identities Lifecycle Management.

    This basically consists of creating, reading, updating and deleting identities or any of their attributes. Some solutions include services such as Rollout, Renewal, Forgotten password, …

    Single Authentication Service or Identity Validation.

    Authentication is only identity validation; that is, when we make a validation request, the validation authority or authentication service responds by saying whether the details of the person or user (credentials or identity data) exist or not in the LDAP server. In addition to the centralized storage of all identities in the Directory or LDAP Server, you need a validation service that can answer the validation requests made by the organization's standalone applications, portals, Windows logins, etc., saying whether the credentials are correct. Such a service must know how to respond to different requests from different types of applications and protocols. Typically, different protocols are defined, as many as there are types of validation request; for example, a protocol could be an “LDAP bind”, “SOAP” or a simple “HTTPS” request.

    Authorization Service.

    Authorization is the decision process, based on certain attributes, by which a person, machine or server is allowed to access a particular resource.

    “Single Sign-On” Service.

    With this service a user logs in once and gains access to all systems without being prompted to log in again at each of them. Single sign-off is the reverse property, whereby a single action of signing out terminates access to multiple software systems. The most used Free/Open Source solutions are:

    Figure: Virtual Directory services

    What is the difference between Virtual and Meta Directory?

    A Virtual Directory is a service that operates between applications and identity data as if it were a real directory. A virtual directory receives queries and directs them to the appropriate data sources.

    • A Virtual Directory loosely couples identity data and applications.
    • Virtual and Meta Directories provide a consolidated view of identity data by adding a layer over the native repositories (LDAP, RDBMS, …).
    • A Meta Directory draws identity data from the native repositories and stores it in a new consolidated real directory that faces the enterprise applications.
    • A Meta Directory (tight coupling) is a good fit when identity data is not updated frequently.
    • A Virtual Directory offers a way to provide that consolidated view of identity data without having to build an entire real directory infrastructure.

      “[…]Instead of creating new identity repositories, virtual directory handle identity queries on a case-by-case basis, drawing the required, authorized data (and only the required data) in real time from its native repositories around a network and presenting it to an enterprise application as needed. When the query is complete the virtual directory disappears; once again, the data exists only in its native repositories, under the control of the original owner.” (Penrose FAQ - http://docs.safehaus.org/display/PENROSE/FAQ)

    There are a few Virtual Directory solutions; here are some FOSS and commercial ones:

    • Penrose - http://penrose.redhat.com/display/PENROSE/Home
    • Atlassian Crowd - http://www.atlassian.com/software/crowd/
    • Radiant Logic VDS - http://www.radiantlogic.com/main/products_vds.html

    List of FOSS products and technologies for IdM

    Figure: Virtual Directory and IdM products

    Bye.

  • Migration of Websites to Alfresco WCM

    Some time ago we organized a series of webinars on Records Management (Gestión de Expedientes), Website Migration and Content Delivery Platform using Alfresco and Intalio; here is the PPT I used for the Website Migration webinar.

    [slideshare id=5707145&doc=01webinarcasomigracionportalwebv1-4-1-intix-101108145555-phpapp01]

    At this moment, Alfresco ECM v3.4.x has improved WCM (Web Content Management) features that allow the fast creation of websites, hosting all the web content in the Alfresco repository, but not the migration of proprietary repositories such as FileNet, Drupal, Liferay, … to Alfresco. Therefore we have to resort to different strategies and different tools to automate the whole migration process as far as possible. The day will come when the document repository is something standard, that is, FileNet, Alfresco, Sharepoint, etc. will all have the same type of repository in which we store the objects (documents), for example a NOSQL repository, as Jeff Potts points out on his blog. In this ideal scenario, the migration process would become a data migration, where instead of relational data we would migrate the document objects. Currently there are initiatives to replace the relational DBs required by CMSs and ECMs with NOSQL DBs, for example Drupal and MongoDB. Anyway, stay in touch. Regards.

  • Records Management (Gestión de Expedientes) with Alfresco ECM

    Some time ago I organized a series of webinars in Barcelona aimed at spreading the capabilities of some widely used commercial open source products: Alfresco ECM, Intalio BPMS and Bonita. The result was astonishing, especially for the webinar on “Gestión de Expedientes” (records management). Hundreds of interested people signed up, from Spain and Latin America, even from Portugal; as a result, the demand to learn about the products, and for meetings to go deeper into each customer's needs, increased.