Notes from Heck

Building a Single Sign-On Module for the BIRT Report Viewer - Part 2

This is the second post of the BIRT SSO Series wherein I describe the implementation of a single sign-on module for the Eclipse BIRT Report Viewer. This post gets straight into the details of server configuration. It is recommended that you first read the introduction in Part 1 to get acquainted with the background and the premises on which this solution is built.

Part 2: Server & Environment Configuration

I noted in Part 1 that I host my report server under a sub-path of the top-level domain. This requires mod_jk, which provides the inter-process communication Apache needs to pipe requests and responses to and from Tomcat. mod_jk is easy to compile from source if your Linux distribution does not supply it in its package repository.

You'll need the apxs tool to compile the extension. On a Fedora system, this is available in the httpd-devel package. Once you've downloaded and extracted the tomcat-connectors source bundle, cd into the native folder and run the following commands:

$ ./configure --with-apxs=/usr/sbin/apxs
$ make

Then copy the apache-2.0/mod_jk.so file into /usr/lib[64]/httpd/modules. Edit your httpd.conf file and add the following lines:

LoadModule jk_module modules/mod_jk.so  
JkWorkersFile conf/workers.properties  

Then create a new file /etc/httpd/conf/workers.properties and add the following lines:

worker.list=worker1  
worker.worker1.port=8009  
worker.worker1.host=localhost  
worker.worker1.type=ajp13  

This configuration assumes that your Tomcat server is running on the same machine as Apache, but that is not a requirement. I'm running my Drupal application under a vhost, so the JkMount directive is placed inside the vhost directive. If your application is deployed directly, then it should go into the workers.properties file described above.

    ServerName yourdomain.com
    ...
    ...
    JkMount /birt/* worker1

Your Tomcat CATALINA_BASE/server.xml file should contain the following lines:

<!-- Define a SSL HTTP/1.1 Connector on port 8443
     This connector uses the JSSE configuration.
     When using APR, the connector should be using the OpenSSL style configuration
     described in the APR documentation -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS" />

<!-- Define an AJP 1.3 Connector on port 8009 -->  
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" enableLookups="false"/>  

Your tomcat-users.xml file should have the manager and admin roles defined, something like:

<tomcat-users>  
  <role rolename="manager"/>
  <role rolename="admin"/>
  <user username="root" password="password" roles="admin,manager"/>
</tomcat-users>  
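
The sample values in the two Tomcat files above (the `changeit` keystore password, the `root`/`password` user, and an AJP connector with no `address` or shared secret) are placeholders. The following check is an added example, not code from the original post: it parses both files and reports those settings. The inputs are constructed from the snippets above, and the function names, the finding labels and the weak-password list are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed inputs that mirror the server.xml and tomcat-users.xml snippets above.
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
 SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
 keystoreFile="${user.home}/.keystore" keystorePass="changeit"
 clientAuth="false" sslProtocol="TLS" />
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" enableLookups="false"/>
</Service></Server>"""
USERS_XML = """<tomcat-users>
<role rolename="manager"/><role rolename="admin"/>
<user username="root" password="password" roles="admin,manager"/>
</tomcat-users>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Illustrative list of placeholder secrets (an assumption, not an exhaustive dictionary).
WEAK = {"", "changeit", "password", "admin", "tomcat", "root", "secret"}

def elements(text, name):
    # Yield elements called `name`, ignoring any XML namespace on the tag.
    for el in ET.fromstring(text).iter():
        if el.tag.rsplit("}", 1)[-1] == name:
            yield el

def audit_server_xml(text):
    findings = []
    for c in elements(text, "Connector"):
        port = c.get("port", "?")
        if c.get("protocol", "").upper().startswith("AJP"):
            # Older Tomcat releases listen on every interface when address is omitted.
            if c.get("address") not in LOOPBACK:
                findings.append(f"ajp:{port}:not-bound-to-loopback")
            # The attribute is `secret` on current releases, `requiredSecret` on older ones.
            if not (c.get("secret") or c.get("requiredSecret")):
                findings.append(f"ajp:{port}:no-shared-secret")
        if c.get("keystorePass") in WEAK:
            findings.append(f"tls:{port}:default-keystore-password")
    return findings

def audit_users_xml(text):
    findings = []
    for u in elements(text, "user"):
        name, pw = u.get("username", ""), u.get("password", "")
        if pw.lower() in WEAK or pw == name:
            findings.append(f"user:{name}:weak-password")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_server_xml(SERVER_XML) + audit_users_xml(USERS_XML)))
```

If the AJP connector is given a shared secret, the matching mod_jk worker needs the same value, so check both sides together.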

Finally, the BIRT SSO module requires that the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files be downloaded and made available to the JRE on which it will be run. For Java 1.7, the policy files are available at: http://www.oracle.com/technetwork/java/javase/downloads/jce-7-download-432124.html.

NOTE: The instructions tell you to install the jar files in JAVA_HOME/lib/security. If you're running Tomcat on a JDK, they must actually be put in JAVA_HOME/jre/lib/security. If you're running on a JRE directly, the instructions on the site should work.

This concludes the server and environment setup required for the module to work. Part 3 of this series delves into the details of the module implementation.
