Indira's blog

The Following are quick steps to configure amSDK Plugin

Before proceeding with the below steps, one should have completed the prerequisites required by section 1.0

• 
  

    Deploy  and Configure the opensso.war on a supported container

  
  


• 
  

    Install and configure CLI (ssoadm)

  
  


• 
  

   You must use a Sun Java System Directory Server Enterprise Edition as your amSDK repository , NO other LDAP servers are supported 

  
  

 Make sure the server is up and running by login to the console as 'amadmin' as well as through the command line tool 'ssoadm'

 2.0 Edit  and Load the appropriate  LDAP schema files

 Locate your opensso configuration directory (CONFIGDIR) and edit the following LDIF files(can be found in CONFIGDIR/template/ldif) 
You need to perform the steps in the same order as shown below

2.1 Load sunone_schema2.ldif

You can find the file in the CONFIGDIR/template/ldif directory , you dont need to make any changes to this file, load as it is  

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f sunone_schema2.ldif 

2.2 Load ds_remote_schema.ldif

This file also does not require any modifications, just load as it is  

 ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f ds_remote_schema.ldif 

2.3 Load plugin.ldif  

This file can be loaded as it is, it enables certain plugins in the directory server 

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f plugin.ldif 

2.4 Load fam_sds_schema.ldif

This file is located under the  CONFIGDIR , load this file as it is.

 ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f ../../fam_sds_schema.ldif 

2.5 Load index.ldif

This file requires certain modifications, like you need to replace   @DB_NAME@ with your backend

DB name and @ORG_NAMING_ATTR@ with your deployment specific organization naming attribute. Usually it is 'o'

•     You can get the DB_NAME by running the following command 

ldapsearch -h dshost -p 3456 -s base -b"cn=config" -D"cn=directory manager" -w secret12 "objectclass=*"|grep backend

nsslapd-backendconfig: cn=config,cn=opensso,cn=ldbm database,cn=plugins,cn=con

in this case my suffix is dc=opensso,dc=java,dc=net, DB_NAME is 'opensso'

 ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f index.ldif 

2.6 Load install.ldif

To load the install.ldif you have to modify the following parameters

ldapmodify -h dshost -p 3456 -D"cn=directory manager" -w secret12 -c -a -f install.ldif 

 

           TAG 

        

 

           Value if SM suffix is dc=opensso,dc=java,dc=net 

        

 

           Comments

        

 

          @NORMALIZED_RS@ 

 

           dc=opensso,dc=java,dc=net 

 

           Basically removing leading trailing spaces

        

 

          @RS_RDN@

opensso

  the first part of dc

 @ADMIN_PWD@

secret12

 amadmin and dsameuser passwd

 @AMLDAPUSERPASSWD@  

secret123

 amldapuser passwd

 @SERVER_HOST@

 opensso.example.com

 This is the DNS alias/realm alias equivalent

 @USER_NAMING_ATTR@

 uid

 user naming attribute typically uid

 @ORG_NAMING_ATTR@ 

 o

 organization naming attribute. typically "o"

 @ORG_OBJECT_CLASS@

sunmanagedisorganization

 this is the default organization marker objectclass in the legacy mode

 @People_NM_ORG_ROOT_SUFFIX@ 

 People_dc=opensso_dc=java_dc=net

3.0 Add the "Access Manager  Repository Plug-in"

You need to have the ssoadm tool configured before runningthe following command (make sure to have /tmp/plaintxtpassofdsameuser, /tmp/plaintxtpassofproxyuser in place)

3.1 Add the Subschema

 ./ssoadm add-amsdk-idrepo-plugin  -u amadmin -f /tmp/.opensso_pass -b "dc=opensso,dc=java,dc=net" -s ldap://dshost.red.iplanet.com:3456 -x /tmp/plaintxtpassofdsameuser  -p /tmp/plaintxtpassofproxyuser     -v -a uid -o o

Process Request ...

Constructing Request Context...

Validating mandatory options...

Processing Sub Command ...

Executing class, com.sun.identity.cli.datastore.AddAMSDKIdRepoPlugin.

Authenticating...

Authenticated.

add-amsdk-idrepo-plugin: AMSDK Plugin creaded successfully.

3.2 Creating the amsdk repository from CLI

    * ./ssoadm create-datastore -e / -u amadmin -f /tmp/.opensso_pass -t amSDK -D datastore_amsdk_attrs.txt -m qatest_ldapv3foramds 

4.0 How to verify amSDK Repository

Make sure you restart the OpenSSO web container after you have added the  amSDK plugin

- Login to Console, Navigate to "Access Control" -> Data Stores -> "New" -> verify that you see "Access Manager Repository Plug-in"

- Create a role and make sure you can assign a service to a role

5.0 How to remove amSDK

5.1 Delete  the amsdk datastore instances

for eg:

    * ./ssoadm delete-datastores -m qatest_ldapv3foramds -e / -u amadmin -f /tmp/.opensso_pass 

5.2 Remove the sub schema

    * ./ssoadm remove-sub-schema -s sunIdentityRepositoryService -t Organization -a amSDK -u amadmin -f /tmp/.opensso_pass 

5.3 Remove the DAI service

    * ./ssoadm delete-svc -s DAI -u amadmin -f /tmp/.opensso_pass 

NOTE: the delegation policies are not removed though