Creating an ALL-IN-ONE VM Image - Part 4

Blog Post created by SungHoon_Kim Employee on Nov 3, 2015

This is something I like to do once in a while. It takes a long time to set up everything, but to me it is a hobby. It is like putting together jigsaw puzzles.

 

WARNING: THIS IS NOT SUPPORTED! THIS IS ONLY TO FULFILL YOUR CURIOSITY AND SATISFY YOUR SPIRIT GOING AGAINST ALL ODDS. THIS IS NOT A DEMONSTRATION ALLOWING YOU TO RUN SUCH CONFIGURATION IN YOUR DEV/TEST/QA/PROD ENVIRONMENT.

 

The following components will be installed.

 

01. Install OS (Windows 2008 R2 - English)

02. Microsoft Loopback Adapter

03. Active Directory

04. DNS

05. IIS

06. Certificate Authority

07. MSSQL 2012

08. JDK 1.7.0_80 (32bit and 64bit)

09. NewAtlanta ServletExec 6.0

10. ASF Apache

11. CA Directory

12. Oracle Directory Server 11g

13. CA Single Sign-On Policy Server

14. CA Single Sign-On AdminUI

15. CA Single Sign-On Web Agent/Option Pack

16. CA Single Sign-On Secure Proxy Server

17. CABI 3.3

 

Some trivial steps are skipped such as installing the OS and promoting to a Domain Controller.

 

10. ASF Apache

 

  • Binary

First, download and install ASF Apache.

The ASF only provides a 32-bit Apache build for Windows, so if you want to run 64-bit you will either have to compile it yourself or get a third-party compiled version.

For example, the following site is one of the places where you can get the win64 version.

!! From internal research, ASF Apache 2.4 compiled with VC10 is what had been tested by CA, so you MUST download the binaries from the following URL (VC10).

 

https://www.apachelounge.com/download/VC10/

 

In this setup, I will be downloading the following file.

https://www.apachelounge.com/download/VC10/binaries/httpd-2.4.17-win64.zip

 

Extract the file and check "Apache24\logs\install.log"; it states where Apache was installed to.

ServerRoot= c:/Apache24

 

It is easier to keep the same folder, although you can move it elsewhere.

So I will be extracting the zip file at "C:\", and the ServerRoot will remain the same.

 

  • Prerequisite

Built with Visual Studio® 2015 x64

--------------------------------------------------

- Be sure you have installed the Visual C++ Redistributable for Visual Studio 2015 x64.

  Download and install it, if you do not have it already, from:

 

Download Microsoft Visual C++ 2010 SP1 Redistributable Package (x64) from Official Microsoft Download Center

for vcredist.x64.exe

 

Download Microsoft Visual C++ 2010 SP1 Redistributable Package (x86) from Official Microsoft Download Center

for vcredist_x86.exe

 

  • Registry

The Web Agent Configuration Wizard detects an existing Apache instance through the registry and files on disk.

Because we only extracted a zip file, no registry entries exist yet.

Open regedit and navigate to HKLM\SOFTWARE and create the following key.

"HKLM\SOFTWARE\Apache Source Foundation\Apache\2.4.17"

Under this key, create following entries.

(String) ServerRoot = C:\Apache24\

(DWORD) Shared = 1

!! From internal research, from R12.52 onwards the Agent Configuration Wizard detects ASF Apache 2.4 from the Windows Service registry, as there is no Apache installer that generates the registry entries. This differs from how the Agent Configuration Wizard used to detect Apache from the registry under "Apache Source Foundation". So this step turns out to be unnecessary! However, it still applies to lower versions of Apache.
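The registry step above scripted in PowerShell, as an added example that is not part of the original post. It creates the key and the two values exactly as listed, reads them back, and also shows the Windows Service entry that the R12.52+ wizard relies on instead; the key path is the one the post gives, and the service name assumed here is the one the post registers later ("ASF Apache 2.4"). Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post). Assumes Apache was extracted
# to C:\Apache24 and that the service will be registered as "ASF Apache 2.4".
$KeyPath     = 'HKLM:\SOFTWARE\Apache Source Foundation\Apache\2.4.17'   # key path as given in the post
$ServerRoot  = 'C:\Apache24\'
$ServiceName = 'ASF Apache 2.4'

function New-ApacheRegistryKey {
    param([string]$Path, [string]$Root)
    # -Force creates the intermediate keys and does not fail if the key already exists
    $null = New-Item -Path $Path -Force
    # (String) ServerRoot and (DWORD) Shared = 1, the two entries the post lists
    $null = New-ItemProperty -Path $Path -Name 'ServerRoot' -Value $Root -PropertyType String -Force
    $null = New-ItemProperty -Path $Path -Name 'Shared'     -Value 1     -PropertyType DWord  -Force
}

function Test-ApacheRegistryKey {
    param([string]$Path, [string]$Root)
    if (-not (Test-Path $Path)) { return $false }
    $p = Get-ItemProperty -Path $Path
    # The values must be present and ServerRoot must actually contain bin\httpd.exe
    return ($p.ServerRoot -eq $Root) -and ($p.Shared -eq 1) -and
           (Test-Path (Join-Path $Root 'bin\httpd.exe'))
}

function Get-ApacheServiceImagePath {
    param([string]$Name)
    # R12.52+ detection path: the service key under HKLM\SYSTEM carries the ImagePath
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (Test-Path $svcKey) { (Get-ItemProperty -Path $svcKey).ImagePath } else { $null }
}

New-ApacheRegistryKey -Path $KeyPath -Root $ServerRoot
'Legacy key valid  : ' + (Test-ApacheRegistryKey -Path $KeyPath -Root $ServerRoot)
'Service ImagePath : ' + (Get-ApacheServiceImagePath -Name $ServiceName)
```

Until the service is registered (next section) the ImagePath line prints empty, which is exactly what a R12.52+ wizard would fail to find.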

 

 

  • httpd.conf

Some changes are needed, such as the IP address and the port it should listen on.

Install an editor such as Notepad++ and modify the httpd.conf file.

 

Before: Listen 80
After:  Listen 192.168.201.101:81

 

  • Service

Register a default instance as below.

C:\Apache24\bin> httpd.exe -D SSL -d C:\Apache24 -k install

or if you want to name the service then add "-n" switch

C:\Apache24\bin> httpd.exe -D SSL -d C:\Apache24 -n "ASF Apache 2.4" -k install

Now that this instance is registered as "ASF Apache 2.4" service name, you can start up the service by running the following command.

net start "ASF Apache 2.4"

 

Accessing http://192.168.201.101:81 should display the "It works!" message.

You can also get the same result at http://www.sso.lab:81

 

This is just to make the ASF Apache work.

 

Now, since we want this instance to listen on its own IP address, add a "Microsoft Loopback Adapter" as instructed in Part 1 and assign the IP 192.168.201.105.

And register a DNS Forward Lookup Zone as "cookie.lab" and add a Host entry as "www" and map it to 192.168.201.105.

Set the DNS not to update automatically. ("Do not allow dynamic updates")

All the instructions remain the same.

 

Then modify the httpd.conf as below.

Before: Listen 192.168.201.101:81
After:  Listen 192.168.201.105:80

Before: #ServerName www.example.com:80
After:  ServerName www.cookie.lab:80

 

Then uninstall the service configuration as below.

 

C:\Apache24\bin> httpd -D SSL -d C:\Apache24 -n "ASF Apache 2.4" -k uninstall

 

Then re-register it using a different name.

I prefer to register the Apache service using its FQHN.

 

C:\Apache24\bin> httpd -D SSL -d C:\Apache24 -n "www.cookie.lab" -k install

 

And startup the service.

 

C:\Apache24\bin> net start www.cookie.lab

 

Check that http://www.cookie.lab displays the "It works!" message.

(The reason I am showing the above changes here is that there is more to come later on, which will make this single Apache binary installation act as multiple Apache instances by manipulating config files.)
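The whole procedure above (edit httpd.conf, syntax-check it, uninstall the old service, register it under the FQHN, start it, confirm "It works!") as one added PowerShell example. This is not code from the original post; the paths, addresses, hostname and service names are the ones the post uses, the `.bak` backup file name is my own choice, and `httpd -t` is Apache's standard configuration syntax check. Run from an elevated prompt, since service installation requires it.

```powershell
# Added example (not from the original post). Assumes the Apache Lounge zip
# was extracted to C:\Apache24 and the "ASF Apache 2.4" service exists.
$ServerRoot = 'C:\Apache24'
$ConfPath   = Join-Path $ServerRoot 'conf\httpd.conf'
$Httpd      = Join-Path $ServerRoot 'bin\httpd.exe'
$OldService = 'ASF Apache 2.4'
$NewService = 'www.cookie.lab'
$ListenAddr = '192.168.201.105:80'
$ServerName = 'www.cookie.lab:80'

function Set-HttpdListener {
    param([string]$Path, [string]$Listen, [string]$Name)
    Copy-Item $Path "$Path.bak" -Force          # keep a backup before editing
    $out = foreach ($line in (Get-Content $Path)) {
        # Replace an active "Listen <addr>" line; commented Listen examples are left alone
        if     ($line -match '^\s*Listen\s+\S+\s*$')              { "Listen $Listen" }
        # Replace (and uncomment) a "ServerName host:port" line; the "# ServerName gives..."
        # comment in the stock file does not match because of the space after '#'
        elseif ($line -match '^\s*#?ServerName\s+\S+:\d+\s*$')    { "ServerName $Name" }
        else   { $line }
    }
    if (-not ($out -match '^Listen '))     { $out += "Listen $Listen" }      # append if absent
    if (-not ($out -match '^ServerName ')) { $out += "ServerName $Name" }
    Set-Content -Path $Path -Value $out -Encoding ASCII
}

function Test-HttpdConfig {
    param([string]$Exe, [string]$Root)
    & $Exe -d $Root -t 2>&1 | Out-Null          # "httpd -t": exit code 0 means Syntax OK
    return ($LASTEXITCODE -eq 0)
}

function Register-ApacheService {
    param([string]$Exe, [string]$Root, [string]$OldName, [string]$NewName)
    if (Get-Service -Name $OldName -ErrorAction SilentlyContinue) {
        Stop-Service -Name $OldName -Force
        & $Exe -D SSL -d $Root -n $OldName -k uninstall | Out-Null
    }
    & $Exe -D SSL -d $Root -n $NewName -k install | Out-Null
    Start-Service -Name $NewName
    return ((Get-Service -Name $NewName).Status -eq 'Running')
}

function Test-ItWorks {
    param([string]$Url)
    # WebClient is available on the PowerShell 2.0 that ships with Windows 2008 R2
    try { $body = (New-Object System.Net.WebClient).DownloadString($Url) } catch { return $false }
    return ($body -match 'It works!')
}

Set-HttpdListener -Path $ConfPath -Listen $ListenAddr -Name $ServerName
if (-not (Test-HttpdConfig -Exe $Httpd -Root $ServerRoot)) {
    Copy-Item "$ConfPath.bak" $ConfPath -Force  # roll back a bad edit rather than break the service
    throw 'httpd.conf failed the syntax check; backup restored'
}
'Service running : ' + (Register-ApacheService -Exe $Httpd -Root $ServerRoot -OldName $OldService -NewName $NewService)
'It works!       : ' + (Test-ItWorks -Url "http://$ServerName/")
```

The syntax check before re-registering is the part worth keeping: a typo in `Listen` or `ServerName` otherwise only shows up as a service that refuses to start.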

 

 

11. CA Directory

 

  • Installation

There are 2 ISO files.

In this setup I am using CA Directory 12.0 SP16.

DVD08104223E.iso  <== 1,387,130KB This is the DX Server installation

DVD08104321E.iso  <==    398,658KB This is AdminTools

 

Mount the DVD08104223E.iso file and select "dxsetup.exe" when the autorun screen pops up.

If you did not get the autorun window then you can manually execute the following.

<DVD/ISO>/windows_x86_64/dxserver/windows/dxsetup.exe

 

 

 

 

  • Configuration

CA Directory is installed, but it does not create any DSA instances, so you need to create one manually.

C:\> dxnewdsa PRIMARY 1389 O=SM

This command creates a DSA instance named "PRIMARY" that listens on port "1389", with the root DN "O=SM".

However, this DSA instance will listen on all IP addresses, so we need to limit it to 192.168.201.102 and to IPv4 only.

 

Modify the "C:\Program Files\CA\Directory\dxserver\config\knowledge\PRIMARY.dxc" file above as below.

NOTE : The address has to be double quoted or the DSA will fail to start up. You cannot use port 389 because AD is listening on ALL IP ADDRESSES.

 

Restart the DSA.

C:\> dxserver stop all   <== This will stop all DSA instances

C:\> dxserver stop PRIMARY <== This will stop only the PRIMARY instance.

Just run whichever is appropriate.

 

If there is any failure to start up, check the logs below.

"C:\Program Files\CA\Directory\dxserver\logs\<InstanceName>_alarm.log"

"C:\Program Files\CA\Directory\dxserver\logs\<InstanceName>_trace.log"

 

It should give you some good clue on what the reason is.

Usually it is a syntax error or a failure to bind to the address.

 

If that still does not provide meaningful message, you can raise the log level in the following file.

"C:\Program Files\CA\Directory\dxserver\config\logging\default.dxc"

You will find the "set trace = error;" line.

Before you can modify this file, you will need to remove the read-only bit on it.

In fact, it is not good to share the "default.dxc" file; it is better to have a separate logging configuration file, but we will not go any further on this topic here.

We will get to it later on when we use this DSA instance as a policy store.
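A start-up check for the DSA, added here as an example that is not part of the post or of the CA Directory product. It lists which process already owns a listener on the DSA port (a `0.0.0.0` entry means every address is taken, which is why port 389 is unusable next to AD), starts the instance, and, if it does not come up on its address, prints the tail of the alarm and trace logs named above. The DSA name, address, port and log directory are the post's; `dxserver start` is assumed to be the counterpart of the `dxserver stop` command shown above.

```powershell
# Added example (not from the original post). Assumes dxserver is on the PATH,
# as it is after the CA Directory installation.
$DsaName = 'PRIMARY'
$DsaAddr = '192.168.201.102'
$DsaPort = 1389
$LogDir  = 'C:\Program Files\CA\Directory\dxserver\logs'

function Get-ListenerOwner {
    param([int]$Port)
    # Parse "netstat -ano" for TCP sockets in LISTENING state on the given port
    $rows = netstat -ano | Where-Object { $_ -match '^\s*TCP\s' -and $_ -match 'LISTENING' }
    foreach ($row in $rows) {
        $cols  = $row.Trim() -split '\s+'         # Proto, Local, Foreign, State, PID
        $local = $cols[1]
        if ($local -match ":$Port$") {
            $proc = Get-Process -Id ([int]$cols[4]) -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{
                Local   = $local
                PID     = $cols[4]
                Process = $(if ($proc) { $proc.Name } else { '?' })
            }
        }
    }
}

function Start-Dsa {
    param([string]$Name, [string]$Addr, [int]$Port)
    dxserver start $Name | Out-Null
    Start-Sleep -Seconds 3                         # give the DSA a moment to bind
    # Success means a listener on the DSA's own address (or on all addresses)
    $bound = Get-ListenerOwner -Port $Port | Where-Object { $_.Local -match "^($Addr|0\.0\.0\.0):" }
    return [bool]$bound
}

function Show-DsaLogTail {
    param([string]$Name, [string]$Dir, [int]$Lines = 15)
    foreach ($suffix in 'alarm', 'trace') {
        $file = Join-Path $Dir "${Name}_$suffix.log"
        if (Test-Path $file) { "--- $file ---"; Get-Content $file | Select-Object -Last $Lines }
    }
}

"Listeners already on port ${DsaPort}:"
Get-ListenerOwner -Port $DsaPort | Format-Table Local, PID, Process -AutoSize
if (-not (Start-Dsa -Name $DsaName -Addr $DsaAddr -Port $DsaPort)) {
    "DSA $DsaName is not listening on ${DsaAddr}:$DsaPort; last log lines:"
    Show-DsaLogTail -Name $DsaName -Dir $LogDir
}
```

Running the listener check with port 389 instead shows the AD (lsass) entry on `0.0.0.0:389`, which is the conflict the NOTE above warns about.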

 

 

  • Accessing DSA Instance

Mount the other DVD08104321E.iso file. Do not click on AutoRun window.

I am only going to install JXPlorer.

Navigate to "D:\windows_x86_32\jxplorer\windows" folder and run "JXv3.2_install_windows.exe"

 

 

 

The installer hangs at the point where it is installing the "Uninstaller". This is a known issue.

In fact, all the files needed to run JXPlorer are already copied by then, so you can kill the installer process.

C:> taskkill /IM "JXV*" /F

C:> taskkill /IM "jxp*" /F

C:> taskkill /IM "javaw*" /F

 

This will kill the installer and other related processes.

 

Navigate to "C:\Program Files\CA\Directory\JXPlorer\" and run the "jxplorer.bat" script.

Click on the socket icon ("Connect to DSA") at the upper left corner and enter the details of the "PRIMARY" DSA instance.

Host: 192.168.201.102

Port: 1389

Protocol: LDAP v3

Base DN: O=SM

Security Level: Anonymous

 

Then click on the "Save" button to save the setting for future use.

You can see the O=SM at the left pane.

Right click on it and create an "OU=Admin" by selecting "New".

Click "Submit" to finish creating this object.

Now, right click on "OU=Admin" from left pane and select "New" to create a user object.

Those attributes that are mandatory to have a value are at the top and in bold letters.

For "inetorgperson" objectclass, "sn" is mandatory so you need to have a value. I entered "Administrator".

And as this user will need to have a password to login, enter the password at the "userPassword" attribute.

Click "Submit" to complete creating this user object.

Now, right click on the "CN=diradmin" at the left pane and select "Copy DN".

Then click on the "Connect to DSA", the socket icon at the upper left to bring up the connection and update as above.

Security Level: User + Password <== This was Anonymous before.

User DN: CN=diradmin,OU=Admin,O=SM

Password: password that you entered when creating this admin user.

 

Click on the "Save" button to save this change. Then click "OK" to connect.

This time it is connecting to this DSA as "CN=diradmin,OU=Admin,O=SM" user and not Anonymous.
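The two connections JXPlorer makes above (anonymous, then as CN=diradmin with the password) reproduced from PowerShell with the .NET System.DirectoryServices.Protocols classes, followed by a one-level search under O=SM. This is an added example, not code from the post; host, port, base DN and user DN are the post's values, and the password is a placeholder you must replace with the one you set on the userPassword attribute.

```powershell
# Added example (not from the original post). Uses only the .NET LDAP client
# that ships with Windows, so it runs on PowerShell 2.0.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$DsaHost = '192.168.201.102'
$DsaPort = 1389
$BaseDn  = 'O=SM'
$AdminDn = 'CN=diradmin,OU=Admin,O=SM'
$AdminPw = 'REPLACE-WITH-THE-PASSWORD-YOU-SET'     # placeholder, not a real value

function Connect-Dsa {
    param([string]$Server, [int]$Port, [string]$UserDn, [string]$Password)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3         # "LDAP v3", as in the JXPlorer dialog
    try {
        if ($UserDn) {
            # "User + Password": a simple bind with the DN and password
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
            $conn.Bind((New-Object System.Net.NetworkCredential($UserDn, $Password)))
        } else {
            # "Anonymous": no credentials at all
            $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
            $conn.Bind()
        }
        return $conn
    } catch {
        Write-Warning ("Bind as '{0}' failed: {1}" -f $UserDn, $_.Exception.Message)
        return $null
    }
}

function Get-DsaChildren {
    param($Conn, [string]$Base)
    # One-level search under the base; returns the DNs found (e.g. OU=Admin,O=SM)
    $scope = [System.DirectoryServices.Protocols.SearchScope]::OneLevel
    $req   = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList `
             $Base, '(objectClass=*)', $scope, ([string[]]@('objectClass'))
    $resp  = $Conn.SendRequest($req)
    foreach ($e in $resp.Entries) { $e.DistinguishedName }
}

$anon = Connect-Dsa -Server $DsaHost -Port $DsaPort -UserDn '' -Password ''
'Anonymous bind accepted : ' + ($anon -ne $null)
if ($anon) { $anon.Dispose() }

$admin = Connect-Dsa -Server $DsaHost -Port $DsaPort -UserDn $AdminDn -Password $AdminPw
if ($admin) {
    "Entries under ${BaseDn} as ${AdminDn}:"
    Get-DsaChildren -Conn $admin -Base $BaseDn
    $admin.Dispose()
}
```

Keeping the anonymous result visible is deliberate: a fresh DSA accepts it, and once the instance becomes a policy store that is something to revisit rather than forget.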

 

 

  • Service startup

When you create a DSA instance, it also creates a Windows Service.

But the service is set to start manually by default.

So it should be configured to start automatically.

 

 

Double click on the service named "CA Directory - PRIMARY" and configure the startup to "Automatic" and click "Apply"
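The same change done from PowerShell, as an added example that is not part of the post. It sets the DSA service (and the Apache service registered earlier in this part) to Automatic, starts them if they are stopped, and reports the effective start mode from WMI, which `Get-Service` on PowerShell 2.0 does not expose. The names are the ones the post uses; because "CA Directory - PRIMARY" may be a display name rather than the internal service name, the lookup accepts either.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
$Services = @('CA Directory - PRIMARY', 'www.cookie.lab')

function Set-AutoStartService {
    param([string]$Name)
    # Accept either the service name or its display name, as shown in services.msc
    $svc = Get-Service | Where-Object { $_.Name -eq $Name -or $_.DisplayName -eq $Name } | Select-Object -First 1
    if (-not $svc) {
        return New-Object PSObject -Property @{ Name = $Name; StartMode = 'MISSING'; State = '' }
    }
    Set-Service -Name $svc.Name -StartupType Automatic     # what the post does via the service properties dialog
    if ($svc.Status -ne 'Running') { Start-Service -Name $svc.Name }
    # Win32_Service shows the start mode actually stored for the service
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'"
    New-Object PSObject -Property @{ Name = $svc.Name; StartMode = $wmi.StartMode; State = $wmi.State }
}

$Services | ForEach-Object { Set-AutoStartService -Name $_ } | Format-Table Name, StartMode, State -AutoSize
```

A row showing MISSING means the name did not match either the service name or the display name, which is the first thing to check if the DSA does not come back after a reboot.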

 

This concludes Part 4 of ALL IN ONE Image.
