Overview

Item	Description
Purpose	Provide interface for side-loading assessments that can be configured by ART
Communicates With	OpenAM ProgMan Permissions ART
Repository Location	https://github.com/SmarterApp/SS_TestSpecificationBank
Additional Documentation	API SB11 Development Teams code review process SBAC11Level II Requirements-TestSpecBank.pdf Build Sequence testspecbank_Install tsb-progman-config.txt TestSpecBankTestScript TestSpecBank_TestPlan Design Pictures

Instructions

Create AWS MongoDB Instance

Create server instance to host the MongoDB instance that will support the component being deployed
- Select an image with the Ubuntu 14.04 LTS 64-bit operating system
Create or choose an AWS security group with the following ports for inbount TCP traffic (can be done during instance creation):
- 22
- 27017 - 27019
- 28017 - 28018
Remove apparmor:
- sudo /etc/init.d/apparmor stop
- sudo update-rc.d -f apparmor remove
- sudo apt-get --purge remove -y apparmor apparmor-utils libapparmor-perl libapparmor1
Update package manager:
- sudo apt-get update
- sudo apt-get upgrade -y
Install packages to satisfy dependencies:
- sudo apt-get install -y ntp
Install MongoDB 2.4.9:
- sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv 7F0CEB10
- echo 'deb http://downloads-distro.mongodb.org/repo/ubuntu-upstart dist 10gen' | sudo tee /etc/apt/sources.list.d/mongodb.list
- sudo apt-get update
- sudo apt-get install mongodb-10gen=2.4.9
Pin the version of MongoDB so apt-get will not upgrade it:
- echo "mongodb-10gen hold" | sudo dpkg --set-selections
Configure MongoDB by copying the following into /etc/mongodb.conf:
IMPORTANT: The config file below has noauth=true set. This is a temporary configuration to allow for adding MongoDB user accounts. This setting will be changed later in the checklist.

# mongodb.conf

# Where to store the data.
dbpath=/var/lib/mongodb

#where to log
logpath=/var/log/mongodb/mongodb.log

logappend=true

#bind_ip = 127.0.0.1
bind_ip = 0.0.0.0
port = 27017

# Enable journaling, http://www.mongodb.org/display/DOCS/Journaling
journal=true

# Enables periodic logging of CPU utilization and I/O wait
#cpu = true

# Turn on/off security.  Off is currently the default
noauth = true
#auth = true

# Verbose logging output.
#verbose = true

# Inspect all client data for validity on receipt (useful for
# developing drivers)
#objcheck = true

# Enable db quota management
#quota = true

# Set oplogging level where n is
#   0=off (default)
#   1=W
#   2=R
#   3=both
#   7=W+some reads
#oplog = 0

# Diagnostic/debugging option
#nocursors = true

# Ignore query hints
#nohints = true

# Disable the HTTP interface (Defaults to localhost:27018).
#nohttpinterface = true

# Turns off server-side scripting.  This will result in greatly limited
# functionality
#noscripting = true

# Turns off table scans.  Any query that would do a table scan fails.
#notablescan = true

# Disable data file preallocation.
#noprealloc = true

# Specify .ns file size for new databases.
# nssize = <size>

# Accout token for Mongo monitoring server.
#mms-token = <token>

# Server name for Mongo monitoring server.
#mms-name = <server-name>

# Ping interval for Mongo monitoring server.
#mms-interval = <seconds>

# Replication Options

# in replicated mongo databases, specify here whether this is a slave or master
#slave = true
#source = master.example.com
# Slave only: specify a single database to replicate
#only = master.example.com
# or
#master = true
#source = slave.example.com

# Address of a server to pair with.
#pairwith = <server:port>
# Address of arbiter server.
#arbiter = <server:port>
# Automatically resync if slave data is stale
#autoresync
# Custom size for replication operation log.
#oplogSize = <MB>
# Size limit for in-memory storage of op ids.
#opIdMem = <bytes>

Restart MongoDB:
- sudo service mongodb restart
Add an administrative-level user to MongoDB:

$ mongo admin
db.addUser({
    user:"mongo_admin",
    pwd:"[choose a suitable password]",
    roles:["dbAdminAnyDatabase","userAdminAnyDatabase","clusterAdmin","readWrite"]
});

Update /etc/mongodb.conf to enable authentication:
- Comment out the noauth = true line
- Uncomment the auth = true line
Example:

# Turn on/off security.  Off is currently the default
#noauth = true
auth = true

Restart MongoDB:
- sudo service mongodb restart
Connect to MongoDB in the admin database:
- mongo admin -u mongo_admin -p [password for the mongo_admin user] --authenticationDatabase admin
Add a user for the component:

use [name of database];
db.addUser({
    user:"[name of user]",
    pwd:"[password for user]",
    roles:["readWrite"]
});

Example:

use progman;
db.addUser({
    user:"progman",
    pwd:"[redacted]",
    roles:["readWrite"]
});

Verify User Can Authenticate to MongoDB

On the AWS instance hosting MongoDB, run the following commands:
- mongo admin -u mongo_admin -p '[The password for the mongo_admin user]' --authenticationDatabase admin
- mongo [component database name] -u [Component user] -p '[The password for the component user]'
If successful, the prompt should appear as follows:

MongoDB shell version: 2.4.9
connecting to: admin
>

Create AWS Web Application Instance

Create server instance to host the Test Specification Bank (TestSpecBank) component
- Select an image with the Ubuntu 14.04 LTS 64-bit operating system
Create or choose an AWS security group with the following ports for inbound TCP traffic (can be done during instance creation):
- 22
- 80
- 443
- 1043
- 8080
- 8084
- 8443

TestSpecBank Setup

Update package manager:
- sudo apt-get update
- sudo apt-get upgrade -y
Install packages to satisfy dependencies:
- sudo apt-get install -y ntp mercurial openjdk-7-jdk

Set Up Tomcat Server

Remove apparmor:
- sudo /etc/init.d/apparmor stop
- sudo update-rc.d -f apparmor remove
- sudo apt-get --purge remove -y apparmor apparmor-utils libapparmor-perl libapparmor1
Install Tomcat Server (if not installed already):
- sudo apt-get install -y tomcat7
Stop the Tomcat service:
- sudo service tomcat7 stop
Remove the ROOT directory:
- sudo rm -rf /var/lib/tomcat7/webapps/ROOT
Update the server.xml to allow for large HTTP Headers:
- Edit the /etc/tomcat7/server.xml file
- Find the <Connector> element
- Add the following attribute and value to the <Connector> element:
  - maxHttpHeaderSize="65536"
- Example of an updated <Connector> element:


     <Connector port="8080" protocol="HTTP/1.1"
          connectionTimeout="20000"
          URIEncoding="UTF-8"
          redirectPort="8443"
          maxHttpHeaderSize="65536" />

Set Up a Keystore

Create resources directory and child directories:
- sudo mkdir -p /var/lib/tomcat7/resources/{progman,security}
- sudo chown -R tomcat7:tomcat7 /var/lib/tomcat7/resources/
Create the wildcard SSL cert public key (*.sbtds.org):
- sudo vi /var/lib/tomcat7/resources/security/sbtds_org.cer
Copy the certificate contents (including the BEGIN CERTIFICATE and END CERTIFICATE lines) into /var/lib/tomcat7/resources/security/sbtds_org.cer
- Example:

-----BEGIN CERTIFICATE-----
// This is where the certificate content is
-----END CERTIFICATE-----

Create the keystore (NOTE: the keystore file must be named samlKeystore.jks):
- cd /var/lib/tomcat7
- sudo keytool -importcert -alias [<A meaningful alias] -keystore ./resources/security/samlKeystore.jks -file ./resources/security/[name of certificate file]
  - Example: sudo keytool -importcert -alias sbtdsorg -keystore ./resources/security/samlKeystore.jks -file ./resources/security/sbtds_org.cer
  - provide password
  - Type yes when prompted to trust the certificate
Generate the private key:
- sudo keytool -genkey -alias [choose a meaningful alias] -keyalg RSA -keystore [path/to/keystore] -keysize 2048
  - Example: sudo keytool -genkey -alias proctor-saml-sp -keyalg RSA -keystore ./resources/security/samlKeystore.jks -keysize 2048
- Provide the password to the keystore created previously.
- Answer the prompts. Example of the command and prompts shown below:

sudo keytool -genkey -alias progman-saml-sp -keyalg RSA -keystore ./resources/security/samlKeystore.jks  -keysize 2048
Enter keystore password:
What is your first and last name?
  [Unknown]:  ProgMan Component
What is the name of your organizational unit?
  [Unknown]:  sbac
What is the name of your organization?
  [Unknown]:  SBAC
What is the name of your City or Locality?
  [Unknown]:  San Diego
What is the name of your State or Province?
  [Unknown]:  California
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=ProgMan Component, OU=sbac, O=SBAC, L=San Diego, ST=California, C=US correct?
  [no]:  yes

Verify Keystore Contents

To view the keystore contnets, use the following command:
- sudo keytool -list -keystore [path/to/samlKeystore.jks]
  - Example: sudo keytool -list -keystore /var/lib/tomcat7/resources/security/samlKeystore.jks
- Output will be similar to the following (after providing the correct password):

Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

sbtdsorg, Apr 6, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): D6:06:FA:33:AB:E4:27:26:D5:E1:B2:AB:1E:1D:FF:1E:7E:C0:21:4F
progman-saml-sp, Apr 6, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 8D:3A:66:1D:0C:7B:0A:40:96:B7:A6:8F:13:27:AB:E8:05:7D:8D:3A

Additional Notes

Common keystore commands can be found here

Configure TestSpecBank in ProgMan

Log into the ProgMan web application
Select Manage Component Properties
If a record for the component already exists, click the Edit button (the pencil icon on the lefthand side of the row)
If a record for the component must be created, click the New button (above the table of records)
- When creating a new record, provide the following:
  - A meaningful name for the component
  - The name of the environment
Click the option button to view the properties in Property File Entry mode
Copy the properties shown below and paste them into the text area of the Edit Configuration Settings screen in ProgMan.
NOTE: It may be worthwhile to edit the properties and their values in another text editor prior to pasting the values into the Edit Configuration Settings screen in ProgMan. It is possible the ProgMan session could time out prior to completing the component’s configuration.
Shown below are the TestSpecBank properties that need to be configured in ProgMan:
permission.uri=http://[FQDN or IP address for the Permissions component]/rest
component.name=TestSpecBank
tsb.mna.description=The Test Spec Bank Component
mna.mnaUrl=http://name.of.mna.server/rest
mna.logger.level=DEBUG
mna.clean.days=30
mna.clean.cron=0 0 0 * * ?
mna.oauth.batch.account=mna-client-username
mna.oauth.batch.password=mna-client-password
tsb.mongo.hostname=[FQDN or IP address of MongoDB server that hosts the TestSpecBank database]
tsb.mongo.port=[Port that MongoDB listens on. MongoDB’s default port is 27017]
tsb.mongo.username=[MongoDB user account with readWrite access to TestSpecBank’s MongoDB database]
tsb.mongo.password=[Password for MongoDB user account with readWrite access to TestSpecBank’s MongoDB database]
tsb.mongo.dbname=[Name of TestSpecBank’s database in MongoDB]
tsb.dtd.url=http://name.of.test.authoring.server/rest/resources/dtd/testpackage_v_9_19_2013.dtd
tsb.rest.context.root=/rest/
tsb.minJs=false
tib.tibUrl=http://name.of.test.item.bank.server/
tsb.sftp.host=
tsb.sftp.port=22
tsb.sftp.user=
tsb.sftp.pass=
tsb.sftp.dir=
tsb.tib.sftp.host=
tsb.tib.sftp.port=22
tsb.tib.sftp.user=
tsb.tib.sftp.pass=
tsb.download.directory=
tsb.export.cron.trigger=0,30 * * * * ?
tsb.security.idp=https://[FQDN or IP address of OpenAM server]/auth/saml2/jsp/exportmetadata.jsp?realm=/sbac
tsb.security.dir=file:////var/lib/tomcat7/resources/security
tsb.security.saml.keystore.pass=[Password to access the content of the samlKeystore.jks]
tsb.security.saml.keystore.user=[Name of private key for TestSpecBank in samlKeystore.jks]
tsb.oauth.checktoken.endpoint=https://[FQDN or IP address of OpenAM server]/auth/oauth2/tokeninfo?realm=/sbac
tsb.oauth.resource.client.id=[The OAuth client name for the TestSpecBank component; can use a “common” OAuth client name, e.g. one OAuth client for multiple components]
tsb.oauth.resource.client.secret=[Password for OAuth client used for TestSpecBank. Starting value is sbac12345]
tsb.webapp.saml.metadata.filename=[Name of file that stores SAML data for TestSpecBank Web Application component]
tsb.rest.saml.metadata.filename=[Name of file that stores SAML data for TestSpecBank REST component]
Example ProgMan properties for TestSpecBank:

permission.uri=http://52.32.19.35:8080/rest
component.name=TestSpecBank
tsb.mna.description=The Test Spec Bank Component
mna.mnaUrl=http://name.of.mna.server/rest
mna.logger.level=DEBUG
mna.clean.days=30
mna.clean.cron=0 0 0 * * ?
mna.oauth.batch.account=mna-client-username
mna.oauth.batch.password=mna-client-password
tsb.mongo.hostname=172.31.24.48
tsb.mongo.port=27017
tsb.mongo.username=mongo_admin
tsb.mongo.password=[redacted]
tsb.mongo.dbname=tsb
tsb.dtd.url=http://name.of.test.authoring.server/rest/resources/dtd/testpackage_v_9_19_2013.dtd
tsb.rest.context.root=/rest/
tsb.minJs=false
tib.tibUrl=http://name.of.test.item.bank.server/
tsb.sftp.host=
tsb.sftp.port=22
tsb.sftp.user=
tsb.sftp.pass=
tsb.sftp.dir=
tsb.tib.sftp.host=
tsb.tib.sftp.port=22
tsb.tib.sftp.user=
tsb.tib.sftp.pass=
tsb.download.directory=
tsb.export.cron.trigger=0,30 * * * * ?
tsb.security.idp=https://sso-dev.sbtds.org/auth/saml2/jsp/exportmetadata.jsp?realm=/sbac
tsb.security.dir=file:////var/lib/tomcat7/resources/security
tsb.security.saml.keystore.pass=[redacted]
tsb.security.saml.keystore.user=tsb-saml-sp
tsb.oauth.checktoken.endpoint=https://sso-dev.sbtds.org/auth/oauth2/tokeninfo?realm=/sbac
tsb.oauth.resource.client.id=tsb
tsb.oauth.resource.client.secret=[redacted]
tsb.webapp.saml.metadata.filename=tsb_saml_sp.xml
tsb.rest.saml.metadata.filename=tsb_rest_sp.xml

Deploy TestSpecBank Components

Configure Tomcat

Stop the Tomcat service:
- sudo service tomcat7 stop
Edit the /etc/default/tomcat7 file, updating the JAVA_OPTS value to what’s shown below:

JAVA_OPTS="-Djava.awt.headless=true\
 -XX:+UseConcMarkSweepGC\
 -Xms[initial amount of memory that can be allocated to the JVM heap]\
 -Xmx[maximum amount of memory that can be allocated to the JVM heap]\
 -XX:PermSize=[initial amount of memory that can be used for PermGen]\
 -XX:MaxPermSize=[maximum amount of memory that can be used for PermGen]\
 -DSB11_CONFIG_DIR=$CATALINA_BASE/resources\
 -Dspring.profiles.active=progman.client.impl.integration,mna.client.null,server.singleinstance\
 -Dprogman.baseUri=http://[URL to the ProgMan REST component]/rest/\
 -Dprogman.locator=[name of component in ProgMan],[name of Component's environment in ProgMan]"

NOTE: If the component being set up will be load-balanced, then change the server.singleinstance (for the spring.profiles.active option) to server.loadbalanced.
Example:

JAVA_OPTS="-Djava.awt.headless=true\
 -XX:+UseConcMarkSweepGC\
 -Xms512m\
 -Xmx4096m\
 -XX:PermSize=512m\
 -XX:MaxPermSize=1512m\
 -DSB11_CONFIG_DIR=$CATALINA_BASE/resources\
 -Dprogman.baseUri=http://52.34.140.123:8080/rest/\
 -Dspring.profiles.active=mna.client.null,progman.client.impl.integration,server.singleinstance\
 -Dprogman.locator=tsb,Development"

Create TestSpecBank Log File Directories

Create directories for TestSpecBank log files:
- sudo mkdir -p /usr/share/tomcat7/logs/{test-spec-bank.webapp,test-spec-bank.rest}
- sudo chown -R tomcat7:tomcat7 /usr/share/tomcat7/logs

Download War Files

Download the latest .war file for the TestSpecBank REST Component into the Tomcat server’s webapps directory:
- sudo wget https://github.com/SmarterApp/SS_TestSpecificationBank/releases/download/R02.00.00/test-spec-bank.rest-R02.00.00.war -O /var/lib/tomcat7/webapps/rest.war
Download the latest .war file for the TestSpecBank Web Application Component into the Tomcat server’s webapps directory:
- sudo wget https://github.com/SmarterApp/SS_TestSpecificationBank/releases/download/R02.00.00/test-spec-bank.webapp-R02.00.00.war -O /var/lib/tomcat7/webapps/ROOT.war
Create a pm-client-security.properties file in /var/lib/tomcat7/resources/progman
Copy the following into /var/lib/tomcat7/resources/progman/pm-client-security.properties:

oauth.access.url=https://[FQDN or IP address of OpenAM server]/auth/oauth2/access_token?realm=/sbac
pm.oauth.client.id=[OAuth client id from OpenAM]
pm.oauth.client.secret=[OAuth client secret from OpenAM]
pm.oauth.batch.account=[User account in OpenDJ]
pm.oauth.batch.password=[Password for OpenDJ user account]

Example:

oauth.access.url=https://sso-dev.sbtds.org/auth/oauth2/access_token?realm=/sbac
pm.oauth.client.id=pm
pm.oauth.client.secret=[redacted]
pm.oauth.batch.account=prime.user@example.com
pm.oauth.batch.password=[redacted]

Update ownership for directories and files in the /var/lib/tomcat7/resources/ directory:
- sudo chown -R tomcat7:tomcat7 /var/lib/tomcat7/resources
Start Tomcat to expand the deployed .war files:
- sudo service tomcat7 start

IMPORTANT: Conduct the SAML Setup and Configuration for the REST component and Web Application Component. After completing the SAML Setup and Configuration steps, there should be two metadata files:

A SAML XML metadata file for the REST component, located where-ever the file name/path is configured for tsb.security.dir and tsb.rest.saml.metadata.filename (e.g. /var/lib/tomcat7/resources/security/tsb_rest_local_sp.xml)
A SAML XML metadata file for the web application component located where-ever the file name/path is configured for tsb.security.dir and tsb.webapp.saml.metadata.filename (e.g. /var/lib/tomcat7/resources/security/tsb_local_sp.xml)

SAML (Security Assertion Markup Language) Setup and Configuration

Configure Automatic Metadata Generation

Create SAML Metadata File For the Component

Use the following command to generate a SAML metadata file for use with the automatic generation process:
- sudo wget https://[FQDN or IP address of OpenAM server]/auth/saml2/jsp/exportmetadata.jsp?realm=/sbac -O /var/lib/tomcat7/resources/security/[Name of the saml.metadata.filename as configured in ProgMan]
  - Example: sudo wget https://sso-dev.sbtds.org/auth/saml2/jsp/exportmetadata.jsp?realm=/sbac -O /var/lib/tomcat7/resources/security/saml_metadata.xml
  - NOTE: When configuring ProgMan (and only ProgMan), the file name will be in the /var/lib/tomcat7/resources/progman/progman-bootstrap.properties file.
- Change ownership of the SAML metadata file(s) to tomcat7:
  - sudo chown tomcat7:tomcat7 /var/lib/tomcat7/resources/security/*.xml

Update the securityContext.xml File for Automatic Metadata Generation

Open securityContext.xml file in an editor for the deployed component
- NOTE: The securityContext.xml file can be found in [Tomcat web application directory]/[component]/WEB-INF/classes/security
  - Example: /var/lib/tomcat7/webapps/ROOT/WEB-INF/classes/security/securityContext.xml
- NOTE: When editing the securityContext.xml file, elevated privileges (i.e. sudo) may by required
Add the following line within a <security:http> element:
- <security:custom-filter before="FIRST" ref="metadataGeneratorFilter" />
- NOTE: Typically a <security:http> element can be found around line 31 of the securityContext.xml file
- Example:

<security:http entry-point-ref="delegatingAuthenticationEntryPoint" use-expressions="true">
    <security:custom-filter before="FIRST" ref="metadataGeneratorFilter" />
    <security:custom-filter ref="oauth2ProviderFilter" before="PRE_AUTH_FILTER" />
    <security:custom-filter after="BASIC_AUTH_FILTER" ref="samlFilter"/>
    <security:intercept-url pattern="/**" access="isFullyAuthenticated()"/>
</security:http>

Add configuration for the SAML metadata generator to securityContext.xml:
- Add the following <bean> definitions to securityContext.xml, immediately after the closing </security:http> tag:

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg ref="metadataGenerator"/>
</bean>

<bean id="metadataGenerator" class="org.springframework.security.saml.metadata.MetadataGenerator">
    <property name="bindingsSSO">
        <list>
            <value>redirect</value>
            <value>artifact</value>
        </list>
    </property>
    <property name="entityId" value="[name of component]"/>
</bean>

NOTE: The component name should not have spaces.

Example of a metadataGenerator configured with an entityId of progman_rest:

<bean id="metadataGeneratorFilter" class="org.springframework.security.saml.metadata.MetadataGeneratorFilter">
    <constructor-arg ref="metadataGenerator"/>
</bean>

<bean id="metadataGenerator" class="org.springframework.security.saml.metadata.MetadataGenerator">
    <property name="bindingsSSO">
        <list>
            <value>redirect</value>
            <value>artifact</value>
        </list>
    </property>
    <property name="entityId" value="progman_rest"/>
</bean>

Restart Tomcat:
- sudo service tomcat7 restart

Verify SAML Metadata Setup

Visit the /saml/metadata endpoint for the deployed component:
- Example: http://54.213.81.243:8080/rest/saml/metadata
The output should appear as XML containing:
- The X509 Certificate data
- URLs containing the domain name of the server hosting the component as the value of a Location attribute
  - Examples:
    - <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://54.213.81.243:8080/rest/saml/SingleLogout"/>
    - <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://54.213.81.243:8080/rest/saml/SSO" index="0" isDefault="true"/>

SAML Pre-Configured Metadata Configuration

Use wget to save the output of /saml/metadata endpoint to /var/lib/tomcat7/resources/security/[Name of the saml.metadata.filename as configured in ProgMan]
- Example: save the sudo wget http://54.213.81.243:8080/saml/metadata -O /var/lib/tomcat7/resources/security/saml_metadata.xml
Disable (by removing or commenting out) the <security:custom-filter before="FIRST" ref="metadataGeneratorFilter" /> from the securityContext.xml file to disable the autoamtic generation of SAML metadata
- The automatic generation of SAML metadata is only needed once to generate the metadata file. After the metadata file is generated, there is no further need for automatically generating SAML metadata.
OPTIONAL: Remove the metadataGeneratorFilter and metadataGenerator bean definitions from the securityContext.xml
Set permissions on the metadata XML file(s) so that only the tomcat7 user can read it/them:
- sudo chmod 0400 /var/lib/tomcat/resources/security/*.xml

Verify SAML Metadata Setup

Visit the /saml/metadata endpoint for the deployed component:
- Example: http://54.213.81.243:8080/rest/saml/metadata
The output should appear as XML containing:
- The X509 Certificate data
- URLs containing the domain name of the server hosting the component as the value of a Location attribute
  - Examples:
    - <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://54.213.81.243:8080/rest/saml/SingleLogout"/>
    - <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="http://54.213.81.243:8080/rest/saml/SSO" index="0" isDefault="true"/>

Additional Notes

Spring SAML Metadata Configuration

SAML Service Provider Registration

Launch OpenAM
Log in with appropriate credentials
Click on Register Remote Service Provider
On the Create a SAMLv2 Remote Service Provider page:
- Select the /sbac realm
- Verify the URL option button is checked/selected
- Enter the /saml/metadata endpoint for the desired component in the URL field
  - Example: enter http://54.213.81.243:8080/saml/metadata in the URL field
- Under the Circle of Trust
  - Verify the Add to existing option button is checked/selected
  - Verify sbac is the selected value for the Existing Circle of Trust dropdown list
- Click the Configure button (upper righthand corner, across from the Create a SAMLv2 Remote Service Provider header)

Verify the Service Provider is Configured

Click on the Federation tab
Observe the following:
- The Circle of Trust table contains a record that represents the component that was added
- The Entity Providers table conains a record with a Name equal to the entityId set in the component’s SAML metadata file

Update ART Configuration for TestSpecBank in ProgMan

After TestSpecBank REST and Web Application Components have been registered as service providers, update the following ProgMan settings for ART:
- tsb.tsbUrl=[FQDN or IP Address of the TestSpecBank server]/rest/
- Example:
  - tsb.tsbUrl=http://54.149.254.189:8080/rest/
Save the changes to ART’s configuration settings in ProgMan
ssh into the ART server
Restart tomcat:
- sudo service tomcat7 restart

Verification

Log into TestSpecBank with an account that has access to the TestSpecBank (e.g. the Prime User account).

back to Deployment Checklists