Wednesday, May 27, 2015

Installing RADIUS Extensions in OpenAM 12

In my previous post I shared a link for downloading a jar that contained the RADIUS extensions that we have made to the native RADIUS authentication module in OpenAM. In this post I'll show you how to tell OpenAM to expose and use the Radius Server functionality resident in that jar.

Installing

To use the Radius extensions in that jar you must perform the following simple steps:

  1. Shut down your servlet container such as tomcat.
  2. Replace the existing jar (the openam-auth-radius.jar file located in the WEB-INF/lib directory of a deployed, expanded OpenAM war) with the downloaded openam-auth-radius-1.0.1.jar. (The name of the jar is not important and does not have any impact on the runtime system.) The existing authentication module code has not been modified and will continue to work out of the new jar.
  3. Insert the following context listener declaration (the second <listener> element below) into the WEB-INF/web.xml file, either above or below the existing Guice context listener, as shown.

    <!-- Initialises the Guice Injector. -->
    <listener>
        <listener-class>
            org.forgerock.guice.core.GuiceInitialisationFilter
        </listener-class>
    </listener>
    <listener>
        <listener-class>
            com.sun.identity.authentication.modules.radius.server.config.ServletContextListenerLauncher
        </listener-class>
    </listener>

  4. Restart your servlet container.

That is it. You now have the extended Radius support.
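The following Python script is an added example for this post, not code from the jar or from OpenAM. It applies steps 2 and 3 idempotently: it moves the stock jar out of WEB-INF/lib and copies the new one in, and it inserts the listener only when it is not already declared, re-parsing web.xml afterwards so a malformed edit is caught before the container is restarted rather than at deploy time. The two listener class names come from the post; the sample web.xml, the `.bak` convention for the old jar and the file locations are my assumptions.

```python
"""Idempotently install the RADIUS extension jar and its context listener.

Added example for this post; not part of the extension jar or of OpenAM.
Run it with the servlet container stopped (step 1) and restart afterwards (step 4).
"""
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Listener class names as given in the post's web.xml snippet.
GUICE_LISTENER = "org.forgerock.guice.core.GuiceInitialisationFilter"
RADIUS_LISTENER = ("com.sun.identity.authentication.modules.radius"
                   ".server.config.ServletContextListenerLauncher")

LISTENER_BLOCK = """    <listener>
        <listener-class>
            {cls}
        </listener-class>
    </listener>
"""

# Constructed sample of a web.xml that already has the Guice listener only.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
    <!-- Initialises the Guice Injector. -->
    <listener>
        <listener-class>
            org.forgerock.guice.core.GuiceInitialisationFilter
        </listener-class>
    </listener>
</web-app>
"""


def listener_classes(web_xml: str) -> list:
    """Return every <listener-class> value in document order, ignoring namespaces."""
    root = ET.fromstring(web_xml)  # raises ParseError on malformed XML
    return [(el.text or "").strip()
            for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "listener-class"]


def has_listener(web_xml: str, cls: str) -> bool:
    return cls in listener_classes(web_xml)


def add_radius_listener(web_xml: str) -> str:
    """Step 3: add the RADIUS listener exactly once and return the new text.

    The block goes directly after the Guice listener when that is present,
    otherwise just before </web-app>; the result is re-parsed so a broken
    edit fails here instead of breaking the deployment.
    """
    if has_listener(web_xml, RADIUS_LISTENER):
        return web_xml
    block = LISTENER_BLOCK.format(cls=RADIUS_LISTENER)
    guice = re.search(
        r"<listener>\s*<listener-class>\s*" + re.escape(GUICE_LISTENER)
        + r"\s*</listener-class>\s*</listener>[ \t]*\n?",
        web_xml,
    )
    if guice:
        pos = guice.end()
    else:
        pos = web_xml.rfind("</web-app>")
        if pos < 0:
            raise ValueError("not a web.xml: no </web-app> element")
    updated = web_xml[:pos] + block + web_xml[pos:]
    if not has_listener(updated, RADIUS_LISTENER):  # also validates the XML
        raise ValueError("listener insertion failed")
    return updated


def replace_jar(lib_dir: Path, new_jar: Path,
                old_name: str = "openam-auth-radius.jar") -> Path:
    """Step 2: set the stock jar aside and copy the extended jar into WEB-INF/lib.

    The old jar is kept as <name>.bak next to WEB-INF/lib rather than inside it
    (assumed convention) so only one copy of the module is on the classpath.
    """
    old = lib_dir / old_name
    if old.exists():
        shutil.move(str(old), str(lib_dir.parent / (old_name + ".bak")))
    target = lib_dir / new_jar.name
    shutil.copy2(str(new_jar), str(target))
    return target


def install(webapp_root: Path, new_jar: Path) -> None:
    """Steps 2 and 3 against an expanded OpenAM war directory."""
    replace_jar(webapp_root / "WEB-INF" / "lib", new_jar)
    web_xml = webapp_root / "WEB-INF" / "web.xml"
    web_xml.write_text(add_radius_listener(web_xml.read_text(encoding="utf-8")),
                       encoding="utf-8")


if __name__ == "__main__":
    # Dry run against the constructed sample; use install(Path(...), Path(...)) for real.
    print(add_radius_listener(SAMPLE_WEB_XML))
```

Running the script twice leaves web.xml unchanged the second time, which matters if the deployment is scripted: a duplicate listener entry would start the RADIUS service twice.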

As OpenAM starts up you'll now see the following lines logged to catalina.out, since I used java.logging in the current implementation rather than the OpenAM Debug logger. For brevity I've trimmed out the level, date, time, class, and method doing the logging and added line numbers for the discussion that follows:

1) [localhost-startStop-1] ---> ServletContextListenerLauncher starting RadiusServiceStarter
2) [localhost-startStop-1] Loaded OpenAM Authn Radius Module = 1.0.1 built 2015-05-21 19:54 UTC
3) [RADIUS-RadiusServiceStarter]  RadiusServerService not found. Loading...
4) [RADIUS-RadiusServiceStarter] Service Descriptor file for RadiusServerService found at: jar:file:/Users/boydmr/tomcat8/apache-tomcat-8.0.9/webapps/sso/WEB-INF/lib/openam-auth-radius-1.0.1.jar!/RadiusServerService.xml
5) [RADIUS-RadiusServiceStarter] Loading RADIUS Config...
6) [RADIUS-RadiusServiceStarter] --- Loaded Config ---
7) [RadiusServiceConfig NO 1812 P( 1, 10, 10, 10)]
8) [RADIUS-RadiusServiceStarter] RADIUS service disabled.

There are several important things to note in these lines:  

  • Lines 1 and 2 show the context listener being called and logging its version and build information.
  • All Radius-related lines after that are logged by a thread launched by the context listener and suitably named RADIUS-RadiusServiceStarter.
  • Lines 3 and 4 will change for every start hereafter. It turns out that there is an admin console configuration page that is part of the feature set. When starting up, that service is looked for. If it is not found, as noted in line 3 because this is our first startup on the extended features, the service descriptor file is loaded out of the jar as noted in line 4. On the next start, a version of line 3 will indicate that the service was found in the OpenAM configuration and hence doesn't need to be loaded.
  • Line 5 shows that configuration is being loaded from the admin console service, which includes suitable defaults so that it can load before an administrator ever accesses its page.
  • Lines 6 and 7 then show the specific pieces of information being loaded, with the values in line 7 correlating with values found in the main configuration page: whether the Radius UDP listener is enabled, on what port it will listen if started, and the thread pool parameters. If we had any clients defined we would see an additional line for each configured client.
  • Finally, line 8 indicates that the Radius listener is not currently active to receive requests.
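Since the only evidence that the extension loaded correctly is this startup output, the following Python check is an added example (not code from the extension) that reads those lines and reports what a deployer wants to confirm after a restart: that the context listener ran, which module version was loaded, whether the service descriptor had to be loaded from the jar (first start), and the listener flag, port and thread-pool values from line 7. The field order in line 7 follows the post's description; two things are my assumptions: that the flag reads something other than NO when the listener is enabled, and that the "RADIUS service disabled." line is absent when it is enabled. The sample log is the post's eight lines without their numbers.

```python
"""Verify the RADIUS extension's startup state from catalina.out.

Added example for this post; not part of the extension jar or of OpenAM.
"""
import re
from typing import Dict, List

# Constructed sample: the post's startup lines with the "N) " numbering removed.
SAMPLE_LOG = """\
[localhost-startStop-1] ---> ServletContextListenerLauncher starting RadiusServiceStarter
[localhost-startStop-1] Loaded OpenAM Authn Radius Module = 1.0.1 built 2015-05-21 19:54 UTC
[RADIUS-RadiusServiceStarter]  RadiusServerService not found. Loading...
[RADIUS-RadiusServiceStarter] Service Descriptor file for RadiusServerService found at: jar:file:/Users/boydmr/tomcat8/apache-tomcat-8.0.9/webapps/sso/WEB-INF/lib/openam-auth-radius-1.0.1.jar!/RadiusServerService.xml
[RADIUS-RadiusServiceStarter] Loading RADIUS Config...
[RADIUS-RadiusServiceStarter] --- Loaded Config ---
[RadiusServiceConfig NO 1812 P( 1, 10, 10, 10)]
[RADIUS-RadiusServiceStarter] RADIUS service disabled.
"""

VERSION_RE = re.compile(r"Loaded OpenAM Authn Radius Module = (\S+) built (.+?)\s*$")
DESCRIPTOR_RE = re.compile(r"Service Descriptor file for RadiusServerService found at: (\S+)")
# Field order (enabled flag, UDP port, four pool parameters) follows the post's
# description of line 7. Only "NO" is shown in the post; any other flag value
# is treated as "enabled" (assumption).
CONFIG_RE = re.compile(
    r"\[RadiusServiceConfig (\S+) (\d+) P\(\s*(\d+),\s*(\d+),\s*(\d+),\s*(\d+)\s*\)\]"
)


def summarize_startup(log_text: str) -> Dict[str, object]:
    """Extract the facts the post calls out from the trimmed startup log lines."""
    summary: Dict[str, object] = {
        "launcher_started": False,          # line 1
        "module_version": None,             # line 2
        "built": None,                      # line 2
        "descriptor_loaded_from_jar": False,  # line 3: first start only
        "descriptor_path": None,            # line 4
        "listener_flag": None,              # line 7
        "port": None,                       # line 7
        "pool": None,                       # line 7
        "service_disabled": False,          # line 8
    }
    for line in log_text.splitlines():
        if "ServletContextListenerLauncher starting RadiusServiceStarter" in line:
            summary["launcher_started"] = True
            continue
        m = VERSION_RE.search(line)
        if m:
            summary["module_version"], summary["built"] = m.group(1), m.group(2)
            continue
        # The post does not show the wording of the "found in config" variant
        # of line 3, so only the "not found" case is keyed on here.
        if "RadiusServerService not found" in line:
            summary["descriptor_loaded_from_jar"] = True
            continue
        m = DESCRIPTOR_RE.search(line)
        if m:
            summary["descriptor_path"] = m.group(1)
            continue
        m = CONFIG_RE.search(line)
        if m:
            summary["listener_flag"] = m.group(1)
            summary["port"] = int(m.group(2))
            summary["pool"] = tuple(int(g) for g in m.groups()[2:])
            continue
        if "RADIUS service disabled" in line:
            summary["service_disabled"] = True
    return summary


def check_expectations(summary: Dict[str, object], expect_enabled: bool,
                       expect_port: int) -> List[str]:
    """Return a list of problems; an empty list means the startup matched expectations."""
    problems: List[str] = []
    if not summary["launcher_started"]:
        problems.append("context listener never ran: check the web.xml <listener> entry")
    if summary["module_version"] is None:
        problems.append("no module version logged: is the old jar still in WEB-INF/lib?")
    if summary["port"] is None:
        problems.append("no RadiusServiceConfig line: RADIUS configuration was not loaded")
        return problems
    if summary["port"] != expect_port:
        problems.append(f"listener port {summary['port']} differs from expected {expect_port}")
    # Assumption: the "RADIUS service disabled." line is absent when the listener is up.
    enabled = not summary["service_disabled"]
    if enabled != expect_enabled:
        problems.append("RADIUS listener is %s but expected %s"
                        % ("enabled" if enabled else "disabled",
                           "enabled" if expect_enabled else "disabled"))
    return problems


if __name__ == "__main__":
    s = summarize_startup(SAMPLE_LOG)
    print(s)
    # A fresh install should have the listener off until clients are defined.
    print(check_expectations(s, expect_enabled=False, expect_port=1812) or "OK")
```

Run it over a real catalina.out after each restart; the first check worth automating is that the listener stays disabled until clients have actually been defined in the admin console, since an open UDP listener with no client entries is not what a fresh install should look like.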

When you now access the admin console you'll see that the Radius configuration pages that I outlined in a previous post will now be accessible and can be used to enable the Radius Listener and define clients that can connect to it.

Enjoy.
