GoVeg.com

Wednesday, March 18, 2009

Directory Server Enterprise Edition upgrade from 6.2 to 6.3.1 - OpenSolaris 2008.11

  • first, take a backup (using a ZFS snapshot, for example)
  • stop cacao
-bash-3.00# cacaoadm stop
  • stop web console
-bash-3.00# smcwebserver stop
  • stop the DS instances
for example:

-bash-3.00# /var/opt/SUNWdseeInstances/DS62/stop-slapd
  • apply the patch
My DSEE is running in a zone and is installed in /opt/SUNWdsee.
This is not very clear in the doc, which references /local instead.

To Upgrade Directory Server Enterprise Edition to 6.3.1 Using ZIP Distribution

If you enter the wrong directory, you will end up with 2 versions of the software! A 6.2 and a 6.3. It is not a big problem, but your instances will not be upgraded!

-bash-3.00# pwd
/root/126749-05 (the directory where the patch files were extracted)

This is the patch for X86.

-bash-3.00# ./dsee_deploy install -i /opt/SUNWdsee

Do you accept the license terms ? : yes
Check availability of port 11162
Checking running Directory Server instances
Checking running Directory Proxy Server instances
Unzipping sun-ldap-base.zip ...
Unzipping sun-ldap-dsrk6.zip ...
Unzipping sun-ldap-dsrk-man.zip ...
Unzipping sun-ldapcsdk-tools.zip ...
Unzipping sun-ldapcsdk-dev.zip ...
Unzipping sun-ldap-ljdk.zip ...
Unzipping sun-ldap-jre.zip ...
Unzipping sun-ldap-shared.zip ...
Unzipping sun-ldap-shared-l10n.zip ...
Unzipping sun-ldap-directory.zip ...
Unzipping sun-ldap-directory-l10n.zip ...
Unzipping sun-ldap-directory-config.zip ...
Unzipping sun-ldap-directory-man.zip ...
Unzipping sun-ldap-directory-dev.zip ...
Unzipping sun-ldap-mfwk.zip ...
Unzipping sun-ldap-cacao.zip ...
Unzipping sun-ldap-console-agent.zip ...
Unzipping sun-ldap-console-cli.zip ...
Unzipping sun-ldap-console-common.zip ...
Unzipping sun-ldap-console-var.zip ...
Unzipping sun-ldap-jdmk.zip ...
Unzipping sun-ldap-directory-client.zip ...
Unzipping sun-ldap-directory-client-l10n.zip ...
Unzipping sun-ldap-proxy.zip ...
Unzipping sun-ldap-proxy-l10n.zip ...
Unzipping sun-ldap-proxy-man.zip ...
Unzipping sun-ldap-proxy-client.zip ...
Unzipping sun-ldap-proxy-client-l10n.zip ...
Unzipping sun-ldap-console-gui.zip ...
Unzipping sun-ldap-console-gui-help.zip ...
Unzipping sun-ldap-console-gui-l10n.zip ...
Unzipping sun-ldap-console-gui-help-l10n.zip ...
Creating WAR file for Console

Configuring Cacao at /opt/SUNWdsee/dsee6/cacao_2
Setting Cacao parameter jdmk-home with default value [/opt/SUNWdsee/dsee6/private]
Setting Cacao parameter java-home with default value [/opt/SUNWdsee/jre]
Setting Cacao parameter nss-lib-home with default value [/opt/SUNWdsee/dsee6/private/lib]
Setting Cacao parameter nss-tools-home with default value [/opt/SUNWdsee/dsee6/bin]
Registering DSCC agent into cacao
Starting Cacao if necessary
Registering JESMF agent into Cacao
Making a copy of dsee_deploy
Making a copy of listrunnings
You can now start your Directory Server Instances
You can now start your Directory Proxy Server Instances
  • restart the services.
-bash-3.00# smcwebserver status
Sun Java(TM) Web Console is stopped

-bash-3.00# cacaoadm status
default instance is DISABLED at system startup.
default instance is not running.

-bash-3.00# cacaoadm start
Error when trying to start SMF service: [svc:/application/management/common-agent-container-1:default].
Please check the SMF log file for more information: [/var/svc/log/application-management-common-agent-container-1:default.log].

This problem was solved by rebooting the zone!

-bash-3.00# reboot
Connection to europortal.vegworld.org closed by remote host.
Connection to europortal.vegworld.org closed.

rudy:~$ ssh -l root -X europortal.vegworld.org
Password:
Last login: Wed Mar 18 17:13:15 2009 from 192.168.1.100
Sun Microsystems Inc. SunOS 5.10 Generic January 2005

-bash-3.00# cacaoadm start
-bash-3.00# smcwebserver start
Starting Sun Java(TM) Web Console Version 3.1 ...
The console is running
  • start DSEE instance(s)
-bash-3.00# /var/opt/SUNWdseeInstances/DS62/start-slapd

-bash-3.00# more /var/opt/SUNWdseeInstances/DS62/logs/errors

BEFORE

[18/Mar/2009:16:37:43 +0100] - Sun-Java(tm)-System-Directory/6.2 B2007.192.2248
(32-bit) starting up

AFTER

[18/Mar/2009:17:16:43 +0100] - Sun-Java(tm)-System-Directory/6.3.1 B2008.1121.0530 (32-bit) starting up

-Rudy-

Friday, February 27, 2009

Using IDM 8.0 - part 5 - Administering Identity Manager

This is a screenshot of http://identity-manager-80.catalogne.org:8080/idm/login.jsp

Using IDM 8.0 - part 4 - Documentation

IDM_Release_Notes_8-0.pdf
IDM_Resource_Reference_8-0.pdf
IDM_SPE_Deployment_8-0.pdf
IDM_Technical_Deployment_Overview_8-0.pdf
IDM_Administration_8-0.pdf
IDM_Tuning_Troubleshooting_8-0.pdf
IDM_DeploymentTools_8-0.pdf
IDM_Upgrade_8-0.pdf
IDM_Installation_8-0.pdf
IDM_Workflows_Forms_Views_8-0.pdf

You can get the documentation from the same location as the software (sun.com).

Using IDM 8.0 - part 3 - Software

  • Identity Manager 8.0
IDM_8_0_0_0.zip
  • MySQL 5 (on OpenSolaris 2008.11)
mysql-5.1.31-solaris10-i386.tar
  • Apache Tomcat 6
apache-tomcat-6.0.18.zip
  • Java Activation Framework
jaf-1_0_2-upd2.zip
and more specifically activation.jar to be copied into /opt/apache-tomcat-6.0.18/webapps/idm/WEB-INF/lib
  • Java Mail
javamail-1_4_1.zip
and more specifically mail.jar to be copied into /opt/apache-tomcat-6.0.18/webapps/idm/WEB-INF/lib
  • Open Message Queue
mq4_3-installer-SunOS_X86.zip
and more specifically jms.jar to be copied into /opt/apache-tomcat-6.0.18/webapps/idm/WEB-INF/lib
  • MySQL jdbc driver
mysql-connector-java-5.1.6-bin.jar to be copied into /opt/apache-tomcat-6.0.18/webapps/idm/WEB-INF/lib

The 4 jars (activation.jar, mail.jar, jms.jar and mysql-connector-java-5.1.6-bin.jar) were archived for later use.

Using IDM 8.0 - part 2 - Displaying the waveset database

  • Displaying the contents of waveset

root@identity-manager-80:/opt/mysql-5.1.31# bin/mysqlshow waveset
+------------+
| Tables |
+------------+
| account |
| acctattr |
| acctchange |
| attribute |
| entattr |
| entchange |
| entitle |
| log |
| logattr |
| objchange |
| object |
| org |
| orgattr |
| orgchange |
| qattr |
| qchange |
| queue |
| roleattr |
| rolechange |
| roleobj |
| slogattr |
| syslog |
| task |
| taskattr |
| taskchange |
| userattr |
| userchange |
| userobj |
+------------+


Using IDM 8.0 - part 1 - Starting and Stopping MySQL and Tomcat

  • Starting MySQL

root@identity-manager-80:~# cd /opt/mysql-5.1.31
root@identity-manager-80:/opt/mysql-5.1.31# bin/mysqld_safe --user=mysql
090227 15:22:19 mysqld_safe Logging to '/opt/mysql-5.1.31/data/identity-manager-80.err'.
090227 15:22:19 mysqld_safe Starting mysqld daemon with databases from /opt/mysql-5.1.31/data


Comment(s):

  1. It does not seem possible to start MySQL with /opt/mysql-5.1.31/bin/mysqld_safe --user=mysql directly;
     a cd into /opt/mysql-5.1.31 is necessary first, or maybe an environment variable could be used?
  • Starting Identity Manager(Tomcat)
-Edit catalina.sh and define the JAVA_HOME environment variable, or define the variable in your environment.
JAVA_HOME=/usr/jdk/latest

root@identity-manager-80:~# /opt/apache-tomcat-6.0.18/bin/catalina.sh run
Using CATALINA_BASE: /opt/apache-tomcat-6.0.18
Using CATALINA_HOME: /opt/apache-tomcat-6.0.18
Using CATALINA_TMPDIR: /opt/apache-tomcat-6.0.18/temp
Using JRE_HOME: /usr/jdk/latest
Feb 26, 2009 1:39:11 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/jdk/instances/jdk1.6.0_12/jre/lib/i386/server:/usr/jdk/instances/jdk1.6.0_12/jre/lib/i386:/usr/jdk/instances/jdk1.6.0_12/jre/../lib/i386:/usr/jdk/packages/lib/i386:/lib:/usr/lib
Feb 26, 2009 1:39:11 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Feb 26, 2009 1:39:11 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 637 ms
Feb 26, 2009 1:39:11 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Feb 26, 2009 1:39:11 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.18
Feb 26, 2009 1:39:12 PM org.apache.catalina.loader.WebappClassLoader validateJarFile
INFO: validateJarFile(/opt/apache-tomcat-6.0.18/webapps/idm/WEB-INF/lib/j2ee.jar) - jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: javax/servlet/Servlet.class
Constructing Startup Servlet...
Initializing Startup Servlet...
Defining system properties...
StartupServlet: programmatically derived waveset.home=file:/opt/apache-tomcat-6.0.18/webapps/idm/
StartupServlet: Defining properties from web.xml
Starting: Identity Server...
...Finished starting Startup Servlet
Feb 26, 2009 1:39:18 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Feb 26, 2009 1:39:18 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Feb 26, 2009 1:39:18 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/12 config=null
Feb 26, 2009 1:39:18 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 7312 ms


  • Stopping MySQL

root@identity-manager-80:~# cd /opt/mysql-5.1.31/
root@identity-manager-80:/opt/mysql-5.1.31# bin/mysqladmin -u root shutdown

  • Stopping Tomcat

root@identity-manager-80:~# /opt/apache-tomcat-6.0.18/bin/shutdown.sh
Using CATALINA_BASE: /opt/apache-tomcat-6.0.18
Using CATALINA_HOME: /opt/apache-tomcat-6.0.18
Using CATALINA_TMPDIR: /opt/apache-tomcat-6.0.18/temp
Using JRE_HOME: /usr/jdk/latest

  • What happens if MySQL is not running?
Identity Manager does not work at all (of course!)
Starting: Identity Server...
com.waveset.util.ConfigurationError:
==> com.mysql.jdbc.exceptions.jdbc4.CommunicationsException: Communications link failure

Last packet sent to the server was 0 ms ago.
...
...
...

  • URLs to access Identity Manager:
http://identity-manager-80.catalogne.org:8080/idm/login.jsp
http://identity-manager-80.catalogne.org:8080/idm/user/login.jsp

*configurator/configurator*---renamed to config
config/secret---don't use it
*administrator/administrator*---renamed to admin
admin/secret---don't use it

users to be used (for security reasons)
myconfig/password
myadmin/password

Two new users were created. myconfig and myadmin and the original configurator and administrator were renamed to config and admin. The password of config and admin were changed.

Friday, February 6, 2009

Support of OpenSSO enterprise

Bert Van Beeck :

You get opensso express support when you have the opensso enterprise licence.

Opensso express is more than just the community support.
It's the same support you get from the commercial version (you are able to call sun support for help, etc ...) - which you can not in the pure opensource mode.
The only difference with the enterprise support is that you can not get hot patches to install on top of your express build, for that you need to wait till the next stable express build and deploy the new version.
(this is now easy as it is a full .war file).

Enterprise support means sun makes hot patches and makes those available immediately. We can not make hot stable patches on a product that is still evolving, but we can help out with questions and issues.

so in a nutshell:

opensso community : only irc, mailinglists, blogs, everything you can find on the internet
opensso express : same as community + the ability to call sun for support for particular "express builds" of opensso
opensso enterprise : same as express + the availability of hot patches

The main difference is that you now get support for a product in development,
which is a huge difference from before.

It allows companies that wanna have the latest and best features from an express build (release very regularly) to still have a form of support and indemnification, whereas with the enterprise version they need to wait for it to release.

Rudy :

"You get opensso express support when you have the opensso enterprise licence."
so express support means having an enterprise license... you cannot buy express support apart...

more at Sun OpenSSO Express - wikis.sun.com

-Rudy-

OpenSSO express VS OpenSSO Enterprise

excerpt from Sun OpenSSO Express - wikis.sun.com

Q: What is the difference between "Sun OpenSSO Enterprise" and "Sun OpenSSO Express"?

"OpenSSO Enterprise" corresponds to a commercial build, that is released every 12 - 15 months and has undergone extensive automated testing and manual testing by Sun QA Engineering. "OpenSSO Express" builds are released every 3 months and receive extensive automated testing and moderate manual testing by Sun QA Engineering.

- "OpenSSO Express" builds are stable, but "OpenSSO Enterprise" benefits from more rigorous testing. For "OpenSSO Enterprise", more deployment scenarios are tested and additional performance tests are conducted.
- Customers can avail themselves of support from Sun for both "Sun OpenSSO Express" and "Sun OpenSSO Enterprise", but patches/upgrades are provided for "Sun OpenSSO Enterprise" only. With "OpenSSO Express", the fixes are made available in one of the future express builds - which may include new features built since the last express release.
- An upgrade path for "OpenSSO Enterprise" is available, whereas no upgrade path is provided between one "OpenSSO Express" build and another. Similarly, there is no upgrade path provided between "OpenSSO Express" and "OpenSSO Enterprise".
- Both "OpenSSO Express" and "OpenSSO Enterprise" guarantee backward compatibility with a prior commercial release - but backward compatibility is not guaranteed for new features added in Express releases. These new features are appropriately detailed in release notes.

-Rudy-


Monday, January 12, 2009

Access Manager Administration

1) Patches and Updates

Attempt to login as amAdmin to module LDAP denied due to internal users restriction

Introduction

This is a side effect of AM 7.1 patch 2 and seems to happen only in legacy mode.

patch 2 :

126356-02 Sun Java System Access Manager 7.1 Solaris Readme

Version

observed on AM 7.1 patch 2 on Solaris 10.

Symptoms

The AM administrator cannot log in anymore! The AM administrator cannot use the console anymore!

Error(s)

Returned to the console, and found in the debug log on the Access Manager server side.

amAuth : WARNING: LoginState.isValidAuthForInternalUser():
Attempt to login as:amAdmin, to module:LDAP, at realm:dc=iam,dc=finbel,dc=intra, denied due to internal users restriction

Solution

Two ldapmodify operations have to be executed against Directory Server (5.2 in our environment).
Afterwards, module=DataStore has to be used to log in to AM.

From docs.sun.com:

ldapmodify -D "cn=Directory Manager" -w dm-password -h ds-host -p ds-port
dn: ds-rootdn
changetype: modify
add: sunRegisteredServiceName
sunRegisteredServiceName: sunAMAuthDataStoreService

ldapmodify -D "cn=Directory Manager" -w dm-password -h ds-host -p ds-port
dn: ou=default,ou=OrganizationConfig,ou=1.0,ou=sunAMAuthDataStoreService,ou=services,ds-rootdn
changetype: modify
add: sunkeyvalue
sunkeyvalue: sunAMAuthDataStoreAuthLevel=0

Note that it was not necessary to execute the second ldapmodify: the attribute was already present in Directory Server.

Restart AM.

Now logging in to AM as amAdmin is done by entering:
https://yourdomain/amserver/UI/Login?module=DataStore

References

some explanations on the authentication module "DataStore"

more here
https://opensso.dev.java.net/issues/show_bug.cgi?id=3924
and here
https://opensso.dev.java.net/issues/show_bug.cgi?id=3961

...Hope this helps...

-rudy-

Thursday, January 8, 2009

amclientsdk authentication as anonymous

This is the AM 7.1 documentation related to "anonymous".
This is the AM 7.1 documentation related to "AuthContext".
If the anonymous authentication has to be done through a browser, the parameter "service" is used.
For example,
https://lb-am-i.iam.finbel.intra/amserver/UI/Login?service=KioskMode
KioskMode is the name that was given to a module instance of type "Anonymous" on the AM server.
After the user enters this URL in his browser, the user is authenticated as "anonymous". Good point!
So, what has to be done to do the same using the amclientsdk?
Very easy. The index type (service) and the name of the service have to be passed at "login time".
Example:

AuthContext lc = new AuthContext(orgName);
lc.login(AuthContext.IndexType.SERVICE, "KioskMode");

The login context is then used to retrieve the requirements (callbacks), and in the anonymous case only the username has to be passed.
If a "non anonymous" login has to be done, pass nothing to lc.login.
Example:

AuthContext lc = new AuthContext(orgName);
lc.login();

In this case, the password has to be passed as well.
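The two flows above, driven through the requirements loop to the SSO token, as an added example that is not part of the original post: the Anonymous module instance name "KioskMode" and the realm name come from the post; the class name AmClientLogin, the helper completeLogin and the placeholder credentials are assumptions, and the client needs a valid AMConfig.properties on its classpath for the SDK to reach the server.

```java
// Added example, not code from the original post.  Shows both logins described
// in the post with the AM 7.1 / OpenSSO client SDK (com.sun.identity.authentication.AuthContext):
//   - anonymous login via the service index "KioskMode" (username only)
//   - default login with no index type (username and password).
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.AuthContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;

public class AmClientLogin {   // class name is an assumption

    /** Anonymous login: only the service name is passed at login time. */
    public static SSOToken loginAnonymous(String orgName, String serviceName) throws Exception {
        AuthContext lc = new AuthContext(orgName);
        lc.login(AuthContext.IndexType.SERVICE, serviceName);
        // The Anonymous module instance only asks for a username, never a password.
        return completeLogin(lc, "anonymous", null);
    }

    /** Default login: no index type, so the realm's default chain asks for name and password. */
    public static SSOToken loginWithPassword(String orgName, String user, char[] password) throws Exception {
        AuthContext lc = new AuthContext(orgName);
        lc.login();
        return completeLogin(lc, user, password);
    }

    /**
     * Drives the requirements loop: answer every callback the module sends until it stops asking,
     * then check the final status.  Helper name is an assumption.
     */
    private static SSOToken completeLogin(AuthContext lc, String user, char[] password) throws Exception {
        while (lc.hasMoreRequirements()) {
            Callback[] callbacks = lc.getRequirements();
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    // The anonymous flow passes null: a password prompt there means the wrong module answered.
                    if (password == null) {
                        throw new IllegalStateException("module asked for a password but none was supplied");
                    }
                    ((PasswordCallback) cb).setPassword(password);
                }
            }
            lc.submitRequirements(callbacks);
        }
        if (lc.getStatus() != AuthContext.Status.SUCCESS) {
            throw new SecurityException("login failed: " + lc.getErrorMessage());
        }
        return lc.getSSOToken();
    }

    public static void main(String[] args) throws Exception {
        String orgName = "dc=iam,dc=finbel,dc=intra";   // realm from the post

        SSOToken anon = loginAnonymous(orgName, "KioskMode");
        System.out.println("anonymous principal: " + anon.getPrincipal().getName());

        // Placeholder credentials for the non-anonymous flow; never hard-code real ones.
        SSOToken user = loginWithPassword(orgName, "someuser", "changeme".toCharArray());
        System.out.println("user principal: " + user.getPrincipal().getName());
    }
}
```

The loop is the part the post leaves implicit: the module, not the client, decides which callbacks are sent, so the same completeLogin serves both flows, and a PasswordCallback showing up during the "KioskMode" login is a sign that the service index did not select the Anonymous instance.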

-rudy-