To implement Single Sign On (SSO) in a new Ellucian XE environment, Ellucian Identity Service (EIS) must be installed and properly configured with LDAP.
Before installing Ellucian Identity Service, it is recommended to install Java JDK 7 update 79. The higher versions, Java 7 update 80 and Java 8, do not work with Ellucian Identity Service at the time of writing.
My prior post “Installing Java JDK and Tomcat server on Linux” is a good reference for Java installation.
1. Installing Ellucian Identity Service (EIS)
The base version of Ellucian Identity Service (EIS) is 1.0.0. After downloading the file “EllucianIdentityService_100.zip”, simply copy it to the installation folder and extract it as below.
-bash-4.2$ unzip EllucianIdentityService_100.zip
Once it’s done, a new folder “EllucianIdentityService” is created.
That’s it. Ellucian Identity Service (EIS) 1.0.0 is installed. Before running it, it’s recommended to upgrade or patch it to higher versions.
At the time of writing, the highest version of EIS is 1.1.4. The path to get there is:
- upgrade it to 1.1.0 (EllucianIdentityService_upgrade-1.1.0.zip)
- patch it to 1.1.1 (EllucianIdentityService_patch-1.1.1.zip)
- patch it to 1.1.2 (EllucianIdentityService_patch-1.1.2.zip)
- patch it to 1.1.3 (EllucianIdentityService_patch-1.1.3.zip)
- patch it to 1.1.4 (EllucianIdentityService_patch-1.1.4.zip)
None of these jobs is difficult, but there is one tricky part. Let’s take patch 1.1.2 as an example.
The readme.txt gives the following steps to apply patch 1.1.2.
1. Extract the update ZIP file to the Ellucian Identity Service server and copy the
EllucianIdentityService_patch-1.1.2 directory to the same location where the
EllucianIdentityService directory is installed.
The directory structure, from the parent directory will look like the following:
2. In a command prompt, change directory to the 'EllucianIdentityService_patch-1.1.2' directory and run the appropriate command for your operating system:
* Linux/Unix : ANT_HOME=../EllucianIdentityService/apache-ant
Following this instruction, I encountered a failure while running the last command. It returns
-bash-4.2$ ANT_HOME=../EllucianIdentityService/apache-ant/; export ANT_HOME
-bash: ../EllucianIdentityService/apache-ant/bin/ant: Permission denied
My workaround to solve it is to give the whole directory name of ant.
-bash-4.2$ . $ANT_HOME/bin/ant
[echo] Configuring EIS at /ellucian-EIS/EllucianIdentityService_patch-1.1.2/../EllucianIdentityService
[echo] Checking Prerequisites
[echo] Copying artifacts
[copy] Copying 57 files to /ellucian-EIS/EllucianIdentityService
[echo] Updated: authenticationendpoint/WEB-INF/web.xml
Total time: 0 seconds
2. EIS 1.1.x and TLS Compatibility
“Ellucian Identity Service 1.1.0 included TLS enhancements that were recommended by WSO2 and Ellucian’s own security testing tools. These enhancements disable certain SSL-related vulnerabilities, such as a Poodle Attack, and focus on TLS using Java 7.
Due to these enhancements, applications that require SSLv3 or older cipher suites may not be able to open secure communication channels directly with EIS.
For Ellucian applications running on WebLogic or Tomcat, the application server must be configured to use TLS and Java 7. For more information about TLS configuration used by Ellucian Identity Service, see the section “Transport Layer Security Enhancements for Tomcat” in the Setting Up Ellucian Identity Service 1.1 guide.
As a temporary workaround, EIS 1.1.1 provides a new configuration script that lets you switch between the SSLv3 settings that were included prior to EIS 1.1.0 and the TLS settings delivered with EIS 1.1.0. This workaround will allow you to temporarily disable the TLS enhancements and test protocols, such as CAS and SAML, until your integrating applications can communicate using TLS.” —- EIS Patch 1.1.1 readme.txt
My experience is not to enable TLS until you are comfortable with all integrations using TLS. Simply enabling TLS would cause communication issues, such as the management console of EIS not loading properly.
3. Running EIS as a background process
Running EIS as a background process can be done as below.
- Start Server: $EIS_HOME/bin/wso2server.sh start
- Stop Server: $EIS_HOME/bin/wso2server.sh stop
If you experience the following error, you might need to apply the workaround below.
Error: -bash-4.2$ $EIS_HOME/bin/wso2server.sh start
-bash: ps: write error: Bad file descriptor
This happens due to a redirection error in wso2server.sh. At line 177 of wso2server.sh there is a line as below:
“if ps -p $PID >&- ; then”
There is a redirection to “&-”, but this is kind of obsolete on new operating systems, as mentioned at .
So I have changed that line to the line below.
“if ps -p $PID > /dev/null ; then”
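The difference between the two redirections, as an added example that is not part of the original post or of wso2server.sh: “>&-” closes standard output, so a command that tries to write gets “Bad file descriptor” and can exit non-zero, while “> /dev/null” gives it a valid place to write. The function names and the PID-file states (stopped, invalid, running, stale) are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not taken from wso2server.sh. All function names are
# hypothetical and exist only for this illustration.

# Run a command with stdout CLOSED (the ">&-" form). A program that writes
# to stdout gets EBADF; tools that check their writes then exit non-zero.
with_closed_stdout() { "$@" >&- 2>/dev/null; }

# Run a command with stdout sent to /dev/null: writes succeed and the
# output is discarded, so the exit status reflects only the command itself.
with_null_stdout() { "$@" > /dev/null 2>&1; }

# Liveness test in the corrected form: ps -p PID with output discarded.
pid_alive() { with_null_stdout ps -p "$1"; }

# Classify a PID file the way a start/stop wrapper needs to:
#   stopped = no PID file, invalid = content is not a number,
#   running = process exists, stale = PID file left behind by a dead process.
pid_state() {
    [ -f "$1" ] || { echo stopped; return; }
    pid=$(cat "$1")
    case $pid in
        ''|*[!0-9]*) echo invalid; return ;;
    esac
    if pid_alive "$pid"; then echo running; else echo stale; fi
}

# Demo: the same trivial write fails with stdout closed and succeeds
# when stdout points at /dev/null.
if with_closed_stdout echo probe; then
    echo "closed stdout: write succeeded"
else
    echo "closed stdout: write failed, exit status is non-zero"
fi
with_null_stdout echo probe && echo "/dev/null: write succeeded"
```

A check built on the closed-stdout form can report a live process as not running, because the non-zero status comes from the failed write rather than from the PID lookup.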
Once done, the environment parameters as below need to be added to /etc/profile.