To implement Single Sign-On (SSO) in a new Ellucian XE environment, Ellucian Identity Service (EIS) must be installed and properly configured with LDAP.
1. Installing Ellucian Identity Service (EIS)
The base version of Ellucian Identity Service (EIS) is 1.0.0. After downloading the file “EllucianIdentityService_100.zip”, simply copy it to the installation folder and extract it as shown below.
-bash-4.2$ unzip EllucianIdentityService_100.zip
Once it’s done, a new folder “EllucianIdentityService” is created.
That’s it. Ellucian Identity Service (EIS) 1.0.0 is installed. Before running it, it’s recommended to upgrade or patch it to higher versions.
At the time of writing, the highest version of EIS is 1.1.4. The path to get there is:
- upgrade it to 1.1.0 (EllucianIdentityService_upgrade-1.1.0.zip)
- patch it to 1.1.1 (EllucianIdentityService_patch-1.1.1.zip)
- patch it to 1.1.2 (EllucianIdentityService_patch-1.1.2.zip)
- patch it to 1.1.3 (EllucianIdentityService_patch-1.1.3.zip)
- patch it to 1.1.4 (EllucianIdentityService_patch-1.1.4.zip)
It’s also not difficult to get the above jobs done, but it’s a little bit tricky here. Let’s take patch 1.1.2 as an example.
The readme.txt gives the following steps to apply patch 1.1.2.
1. Extract the update ZIP file to the Ellucian Identity Service server and copy the EllucianIdentityService_patch-1.1.2 directory to the same location where the EllucianIdentityService directory is installed. The directory structure, from the parent directory will look like the following:
/----
|--EllucianIdentityService
|--EllucianIdentityService_patch-1.1.2
2. In a command prompt, change directory to the 'EllucianIdentityService_patch-1.1.2' directory and run the appropriate command for your operating system:
* Linux/Unix :
ANT_HOME=../EllucianIdentityService/apache-ant
export ANT_HOME
../EllucianIdentityService/apache-ant/bin/ant
By following these instructions, I encountered a failure while running the last command. It returns
-bash-4.2$ ANT_HOME=../EllucianIdentityService/apache-ant/; export ANT_HOME
-bash-4.2$ ../EllucianIdentityService/apache-ant/bin/ant
-bash: ../EllucianIdentityService/apache-ant/bin/ant: Permission denied
My workaround to solve it is to give the whole directory name of ant.
-bash-4.2$ . $ANT_HOME/bin/ant
Buildfile: /ellucian-EIS/EllucianIdentityService_patch-1.1.2/build.xml
[echo]
[echo] Configuring EIS at /ellucian-EIS/EllucianIdentityService_patch-1.1.2/../EllucianIdentityService
check-prereqs:
[echo] Checking Prerequisites
copy-artifacts:
[echo] Copying artifacts
[copy] Copying 57 files to /ellucian-EIS/EllucianIdentityService
update-webxml:
[echo] Updated: authenticationendpoint/WEB-INF/web.xml
apply-patches:
[echo] Completed.
BUILD SUCCESSFUL
Total time: 0 seconds
2. EIS 1.1.x and TLS Compatibility
“Ellucian Identity Service 1.1.0 included TLS enhancements that were recommended by WSO2 and Ellucian’s own security testing tools. These enhancements disable certain SSL-related vulnerabilities, such as a Poodle Attack, and focus on TLS using Java 7.
Due to these enhancements, applications that require SSLv3 or older cipher suites may not be able to open secure communication channels directly with EIS.
For Ellucian applications running on WebLogic or Tomcat, the application server must be configured to use TLS and Java 7. For more information about TLS configuration used by Ellucian Identity Service, see the section “Transport Layer Security Enhancements for Tomcat” in the Setting Up Ellucian Identity Service 1.1 guide.
As a temporary workaround, EIS 1.1.1 provides a new configuration script that lets you switch between the SSLv3 settings that were included prior to EIS 1.1.0 and the TLS settings delivered with EIS 1.1.0. This workaround will allow you to temporarily disable the TLS enhancements and test protocols, such as CAS and SAML, until your integrating applications can communicate using TLS.” —- EIS Patch 1.1.1 readme.txt
My experience with this is not to enable TLS until you are comfortable with all integrations using TLS. Simply enabling TLS would cause communication issues, such as the management console of EIS not loading properly.
3. Running EIS as a background process
Running EIS as a background process can be done as below.
- Start Server: $EIS_HOME/bin/wso2server.sh start
- Stop Server: $EIS_HOME/bin/wso2server.sh stop
If you experience the following error, you might need to apply the workaround below.
Error:
-bash-4.2$ $EIS_HOME/bin/wso2server.sh start
-bash: ps: write error: Bad file descriptor
This happens because of a redirection error in wso2server.sh. Line 177 of wso2server.sh reads as below:
“if ps -p $PID >&- ; then”
There is a redirection to “&-”, which closes standard output rather than discarding it, so ps fails when it tries to write. This is kind of obsolete on new operating systems, as mentioned at .
So I have changed that line to the line below.
“if ps -p $PID > /dev/null ; then”
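
The difference between the original and the patched redirection, as an added example that is not part of the original post or of wso2server.sh; the function names and the pid-file wrapper are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not from wso2server.sh.

# Mechanism: ">&-" closes stdout, so any command that checks its writes fails.
# Returns non-zero although nothing is wrong with the command itself.
write_with_closed_stdout() {
    ( echo probe ) >&- 2>/dev/null
}

# Form used at the line the post patches: with a ps that reports write
# errors, this is non-zero even for a live pid.
pid_alive_closed_stdout() {
    ps -p "$1" >&-
}

# Patched form from the post: stdout stays open and the output is discarded,
# so the exit status reflects only whether the pid exists.
pid_alive_devnull() {
    ps -p "$1" >/dev/null 2>&1
}

# Alternative with no output to redirect: signal 0 tests that the pid exists
# and may be signalled by the caller.
pid_alive_kill0() {
    kill -0 "$1" 2>/dev/null
}

# Pid-file check built on the patched form. The pid is validated as digits
# before it is passed to ps, so a corrupted file cannot inject options.
# Return codes: 0 running, 1 not running or stale, 2 invalid pid file.
check_pidfile() {
    [ -r "$1" ] || { echo "not running"; return 1; }
    pid=$(cat "$1")
    case $pid in
        ''|*[!0-9]*) echo "invalid pid file"; return 2 ;;
    esac
    if pid_alive_devnull "$pid"; then
        echo "running ($pid)"
        return 0
    fi
    echo "stale pid file ($pid)"
    return 1
}
```

With the closed-stdout form the start script can misread a live server as stopped, so a second instance may be launched against the same pid file.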