The following are quick steps to configure the amSDK plug-in.

NOTE:

Make sure you don't use the same directory server for the Identity Repository plug-in and the Access Manager (amSDK) Repository plug-in; doing so will yield undesirable results.

1.0 Prerequisites

Before proceeding with the steps below, make sure the following prerequisites are in place:

  •   Deploy and configure the opensso.war on a supported container

  •   Install and configure the CLI (ssoadm)

  •   You must use Sun Java System Directory Server Enterprise Edition as your amSDK repository; no other LDAP servers are supported

Make sure the server is up and running by logging in to the console as 'amadmin' and also through the command line tool 'ssoadm'.

2.0 Edit and Load the appropriate LDAP schema files

Locate your OpenSSO configuration directory (CONFIGDIR) and edit the following LDIF files (they can be found in CONFIGDIR/template/ldif).
You need to perform the steps in the same order as shown below.

2.1 Load sunone_schema2.ldif

You can find the file in the CONFIGDIR/template/ldif directory; you don't need to make any changes to this file, load it as it is.

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f sunone_schema2.ldif 

2.2 Load ds_remote_schema.ldif

This file also does not require any modifications; just load it as it is.

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f ds_remote_schema.ldif

2.3 Load plugin.ldif  

This file can be loaded as it is; it enables certain plug-ins in the directory server.

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f plugin.ldif 

2.4 Load fam_sds_schema.ldif

This file is located directly under CONFIGDIR (hence the ../../ path when running from CONFIGDIR/template/ldif); load this file as it is.

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f ../../fam_sds_schema.ldif

2.5 Load index.ldif

This file requires certain modifications: you need to replace @DB_NAME@ with your backend DB name and @ORG_NAMING_ATTR@ with your deployment-specific organization naming attribute. Usually it is 'o'.

  •     You can get the DB_NAME by running the following command:
ldapsearch -h dshost -p 3456 -s base -b"cn=config" -D"cn=directory manager" -w secret12 "objectclass=*"|grep backend

nsslapd-backendconfig: cn=config,cn=opensso,cn=ldbm database,cn=plugins,cn=con

In this case my suffix is dc=opensso,dc=java,dc=net, so DB_NAME is 'opensso'.

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f index.ldif
adding new entry cn=nsroledn,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config
ldap_add: Already exists
adding new entry cn=memberof,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=iplanet-am-static-group-dn,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=iplanet-am-modifiable-by,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=sunxmlkeyvalue,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=o,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=ou,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=sunPreferredDomain,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=associatedDomain,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config
adding new entry cn=sunOrganizationAlias,cn=index,cn=opensso,cn=ldbm database,cn=plugins,cn=config

2.6 Load install.ldif

To load install.ldif you first have to replace the following tags in the file:

 TAG                           Value if SM suffix is dc=opensso,dc=java,dc=net   Comments
 @NORMALIZED_RS@               dc=opensso,dc=java,dc=net                         the suffix with leading/trailing spaces removed
 @RS_RDN@                      opensso                                           the first part of dc
 @ADMIN_PWD@                   secret12                                          amadmin and dsameuser password
 @AMLDAPUSERPASSWD@            secret123                                         amldapuser password
 @SERVER_HOST@                 opensso.example.com                               this is the DNS alias/realm alias equivalent
 @USER_NAMING_ATTR@            uid                                               user naming attribute, typically uid
 @ORG_NAMING_ATTR@             o                                                 organization naming attribute, typically "o"
 @ORG_OBJECT_CLASS@            sunmanagedisorganization                          the default organization marker objectclass in legacy mode
 @People_NM_ORG_ROOT_SUFFIX@   People_dc=opensso_dc=java_dc=net                  the suffix with commas replaced by underscores, prefixed with People_

Then load the edited file:

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f install.ldif

modifying entry cn=config
modifying entry cn=config
modifying entry cn=config,cn=ldbm database,cn=plugins,cn=config
adding new entry dc=opensso,dc=java,dc=net
ldap_add: Already exists
adding new entry ou=DSAME Users,dc=opensso,dc=java,dc=net
modifying entry cn=schema
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
modifying entry dc=opensso,dc=java,dc=net
adding new entry o=Internet,dc=opensso,dc=java,dc=net
adding new entry cn=Deny Write Access,dc=opensso,dc=java,dc=net
adding new entry cn=Top-level Admin Role,dc=opensso,dc=java,dc=net
adding new entry cn=Top-level Help Desk Admin Role,dc=opensso,dc=java,dc=net
adding new entry cn=Top-level Policy Admin Role,dc=opensso,dc=java,dc=net
adding new entry ou=People,dc=opensso,dc=java,dc=net
adding new entry cn=ou=People_dc=opensso_dc=java_dc=net,dc=opensso,dc=java,dc=net
adding new entry ou=Groups,dc=opensso,dc=java,dc=net
adding new entry cn=puser,ou=DSAME Users,dc=opensso,dc=java,dc=net
adding new entry cn=dsameuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
adding new entry cn=amldapuser,ou=DSAME Users,dc=opensso,dc=java,dc=net
adding new entry cn=ContainerDefaultTemplateRole,dc=opensso,dc=java,dc=net
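As an added example (not from the original post), the POSIX shell functions below derive the tag values from sections 2.5 and 2.6 (the @DB_NAME@ from the ldapsearch backendconfig line, and @NORMALIZED_RS@, @RS_RDN@ and @People_NM_ORG_ROOT_SUFFIX@ from the SM suffix) and substitute all tags into an LDIF template read on stdin. The function names are my own, and the suffix, passwords, host and template lines in the demo are constructed sample values, not a real deployment.

```shell
# Added example, not part of the original post. All inputs (suffix, passwords,
# host, the sample backendconfig line and the mini template) are constructed.

# @NORMALIZED_RS@: suffix with leading/trailing spaces and spaces around commas removed.
normalize_rs() {
    printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                             -e 's/[[:space:]]*,[[:space:]]*/,/g'
}

# @RS_RDN@: value of the first RDN, e.g. dc=opensso,dc=java,dc=net -> opensso
rs_rdn() {
    normalize_rs "$1" | sed -e 's/,.*$//' -e 's/^[^=]*=//'
}

# @People_NM_ORG_ROOT_SUFFIX@: "People_" plus the suffix with commas turned into underscores
people_nm_org_root_suffix() {
    printf 'People_%s\n' "$(normalize_rs "$1" | sed 's/,/_/g')"
}

# @DB_NAME@: second cn of the nsslapd-backendconfig line printed by
# "ldapsearch ... -b cn=config ... | grep backend" (read on stdin)
db_name_from_backendconfig() {
    sed -n 's/^nsslapd-backendconfig: cn=config,cn=\([^,]*\),.*$/\1/p'
}

# Substitute every tag of the table into the LDIF template read on stdin.
# Tag values containing '|', '&' or '\' would need escaping for sed.
render_ldif() {
    suffix=$1 admin_pwd=$2 amldap_pwd=$3 server_host=$4 db_name=$5
    sed -e "s|@NORMALIZED_RS@|$(normalize_rs "$suffix")|g" \
        -e "s|@RS_RDN@|$(rs_rdn "$suffix")|g" \
        -e "s|@People_NM_ORG_ROOT_SUFFIX@|$(people_nm_org_root_suffix "$suffix")|g" \
        -e "s|@ADMIN_PWD@|$admin_pwd|g" \
        -e "s|@AMLDAPUSERPASSWD@|$amldap_pwd|g" \
        -e "s|@SERVER_HOST@|$server_host|g" \
        -e "s|@DB_NAME@|$db_name|g" \
        -e 's|@USER_NAMING_ATTR@|uid|g' \
        -e 's|@ORG_NAMING_ATTR@|o|g' \
        -e 's|@ORG_OBJECT_CLASS@|sunmanagedisorganization|g'
}

# Demo on a constructed two-line template; for the real files run e.g.
#   render_ldif ... < install.ldif > install.ready.ldif
DB=$(printf 'nsslapd-backendconfig: cn=config,cn=opensso,cn=ldbm database,cn=plugins,cn=config\n' | db_name_from_backendconfig)
printf 'dn: cn=o,cn=index,cn=@DB_NAME@,cn=ldbm database,cn=plugins,cn=config\ndn: ou=DSAME Users,@NORMALIZED_RS@\n' \
    | render_ldif 'dc=opensso,dc=java,dc=net' secret12 secret123 opensso.example.com "$DB"
```

Render into a new file rather than editing the template in place, so the tagged original under CONFIGDIR/template/ldif stays reusable.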

3.0 Add the "Access Manager Repository Plug-in"

You need to have the ssoadm tool configured before running the following command (make sure the password files /tmp/plaintxtpassofdsameuser and /tmp/plaintxtpassofproxyuser are in place).

3.1 Add the Subschema
./ssoadm add-amsdk-idrepo-plugin -u amadmin -f /tmp/.opensso_pass -b "dc=opensso,dc=java,dc=net" -s ldap://dshost.red.iplanet.com:3456 -x /tmp/plaintxtpassofdsameuser -p /tmp/plaintxtpassofproxyuser -v -a uid -o o

Process Request …

Constructing Request Context…

Validating mandatory options…

Processing Sub Command …

Executing class, com.sun.identity.cli.datastore.AddAMSDKIdRepoPlugin.

Authenticating…

Authenticated.

add-amsdk-idrepo-plugin: AMSDK Plugin creaded successfully.

3.2 Creating the amSDK repository from the CLI

  •   ./ssoadm create-datastore -e / -u amadmin -f /tmp/.opensso_pass -t amSDK -D datastore_amsdk_attrs.txt -m qatest_ldapv3foramds

4.0 How to verify amSDK Repository

Make sure you restart the OpenSSO web container after you have added the amSDK plug-in.

– Log in to the console, navigate to "Access Control" -> Data Stores -> "New" and verify that you see "Access Manager Repository Plug-in"

– Create a role and make sure you can assign a service to a role

5.0 How to remove amSDK

5.1 Delete the amSDK datastore instances

for example:

  •   ./ssoadm delete-datastores -m qatest_ldapv3foramds -e / -u amadmin -f /tmp/.opensso_pass

5.2 Remove the sub schema

  •   ./ssoadm remove-sub-schema -s sunIdentityRepositoryService -t Organization -a amSDK -u amadmin -f /tmp/.opensso_pass

5.3 Remove the DAI service

  •   ./ssoadm delete-svc -s DAI -u amadmin -f /tmp/.opensso_pass

NOTE: the delegation policies are not removed, though.
