OpenAM Tools

Updated on July 9, 2015 for OpenAM 12.0.0, which is a non-subscription release.

One of the nice features OpenAM offers sysadmins is the ability to perform most (if not all) configurations from the command line. Some install advice below.

Assuming you’ve got the OpenAM server up and running on Tomcat or your favorite application server, one of the things you’re really going to want are the command line administration tools. These are not installed by default.

Good documentation of how to use these commands, with intelligent use of hyperlinking, is here.

Keep in mind that the file system paths below are examples only.

I’m using Fedora 21 here, with Red Hat packaged Apache Tomcat as the application server.

OpenAM was deployed and configured by copying the .war file to /var/lib/tomcat/webapps, with the configuration directory at /usr/share/tomcat/webapps/openam.

1. Create subdirectory /usr/share/tomcat/openam/tools.

2. Unzip SSOAdminTools-12.0.0.zip into this directory.

3. Change into the tools directory and run ./setup.

Path to config files of OpenAM server: /usr/share/tomcat/openam

Debug directory: /usr/share/tomcat/openam/tools/debug

Log directory: /usr/share/tomcat/openam/tools/log

Scripts will be found under /usr/share/tomcat/openam/tools/openam/bin

This should be added to your user’s PATH.

You’ll also need to create a pwd.txt file for the tools to use. This will hold the amAdmin user password. I put mine under my app server user’s home, which happens to be /usr/share/tomcat. Make the file read-only, and readable only, by the application server user (in my case “tomcat”).

NOTE: On Red Hat systems the tomcat user has its shell set to /usr/sbin/nologin. This should be changed to /bin/bash and a password set for the user.

Don’t be surprised if you see an exchange like this:

[tomcat@mytest config]$ ssoadm create-datastore -u amadmin -f $HOME/etc/pwd.txt -e / -m "ldap1 datastore" -t LDAPv3 -D data_store_ldapt.txt

Password file /usr/share/tomcat/etc/pwd.txt needs to be readonly by owner only.

Just chmod 400 the file to fix this.

In real life I create a master environment file for each OpenAM instance that can be sourced by the app user, like this:

JAVA_HOME=/usr/lib/jvm/java
SSOCFG_HOME=/usr/share/tomcat/openam
SSOTOOLS_HOME=$SSOCFG_HOME/tools
PATH=$SSOTOOLS_HOME/openam/bin:$JAVA_HOME/bin:$PATH
export JAVA_HOME SSOTOOLS_HOME SSOCFG_HOME PATH

Some useful commands (see the above cited command line reference for more):

List the servers in an OpenAM environment:

ssoadm list-servers \
-u amadmin \
-f $HOME/etc/pwd.txt

In this and the examples to follow “-u” is the ID of the admin user and “-f” is the full path to the pwd.txt file you created above.

List all Web Agents for a realm (in this example the “testrealm”):

ssoadm list-agents \
-u amadmin \
-f $HOME/etc/pwd.txt \
-t WebAgent \
-e testrealm

Here “-t” is the type of agent, and “-e” is the name of the realm. The output will show the actual configuration directory DN of the realm.

List the configuration of a server:

ssoadm list-server-cfg \
-u amadmin \
-f $HOME/etc/pwd.txt \
-s http://test1.example.com:8081/openam

Here “-s” stands for “server”, the value being the base URL where your OpenAM node can be accessed.
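The password-file handling and the ssoadm invocations above, as an added example that is not from the original post: a small POSIX shell helper that creates pwd.txt with owner-only permissions, checks it the way ssoadm will before complaining, and assembles the command line. The path, user name and password values are constructed for illustration; ssoadm itself is not executed here.

```shell
#!/bin/sh
# Added example, not part of the original post. Mirrors the post's layout:
# pwd.txt holds the amAdmin password and must be mode 400, owned by the
# app server user that runs ssoadm.

# Create the password file so it never exists with group/other bits set.
# $1 = path to pwd.txt, $2 = password (constructed placeholder when called)
make_pwd_file() {
  ( umask 077; printf '%s\n' "$2" > "$1" ) || return 1
  chmod 400 "$1"
}

# Return 0 when the file is readable only by its owner and owned by the
# calling user, otherwise 1. This is the condition ssoadm enforces before
# it will read the file; "-O" tests ownership by the effective user.
check_pwd_file() {
  [ -f "$1" ] || return 1
  mode=$(ls -l "$1" | cut -c1-10)   # first 10 chars: type + rwx triplets
  case "$mode" in
    -r--------) ;;                  # exactly 0400
    *) return 1 ;;
  esac
  [ -O "$1" ]
}

# Print the ssoadm command line for a subcommand, refusing early when the
# password file would be rejected anyway. Remaining args are passed through
# (e.g. -t WebAgent -e testrealm for list-agents).
ssoadm_cmd() {
  sub=$1; pwdfile=$2; shift 2
  if ! check_pwd_file "$pwdfile"; then
    echo "Password file $pwdfile needs to be readonly by owner only." >&2
    return 1
  fi
  printf 'ssoadm %s -u amadmin -f %s' "$sub" "$pwdfile"
  for a in "$@"; do printf ' %s' "$a"; done
  printf '\n'
}
```

Replace the printf in ssoadm_cmd with a real exec once the tools directory is on PATH from the environment file above.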


About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).