Updated on July 9, 2015 for OpenAM 12.0.0, which is a non-subscription release.
One of the nice features OpenAM offers sysadmins is the ability to perform most (if not all) configurations from the command line. Some install advice below.
Assuming you’ve got the OpenAM server up and running on Tomcat or your favorite application server, one of the things you’re really going to want are the command line administration tools. These are not installed by default.
Good documentation of how to use these commands, one that makes intelligent use of hyperlinking, is here.
Keep in mind that the file system paths below are examples only.
I’m using Fedora 21 here, with Red Hat packaged Apache Tomcat as the application server.
OpenAM was deployed and configured by copying the .war file to /var/lib/tomcat/webapps, with the configuration directory at /usr/share/tomcat/webapps/openam.
1. Create subdirectory /usr/share/tomcat/openam/tools.
2. Unzip SSOAdminTools-12.0.0.zip into this directory.
3. Change into the tools directory and run ./setup, answering its prompts along these lines:
   Path to config files of OpenAM server: /usr/share/tomcat/openam
   Debug directory: /usr/share/tomcat/openam/tools/debug
   Log directory: /usr/share/tomcat/openam/tools/log
The scripts will then be found under /usr/share/tomcat/openam/tools/openam/bin.
This should be added to your user’s PATH.
You’ll also need to create a pwd.txt file for the tools to use. This will hold the amAdmin user password. I put mine under my app server user’s home, which happens to be /usr/share/tomcat. Make the file readable only by the application server user (in my case “tomcat”), with no other permission bits set for anyone.
NOTE: On Red Hat systems the tomcat user has its shell set to /usr/sbin/nologin. This should be changed to /bin/bash and a password set for the user.
If you don’t, expect an exchange like this:
[tomcat@mytest config]$ ssoadm create-datastore -u amadmin -f $HOME/etc/pwd.txt -e / -m "ldap1 datastore" -t LDAPv3 -D data_store_ldapt.txt
Password file /usr/share/tomcat/etc/pwd.txt needs to be readonly by owner only.
Just chmod 400 the file to fix this.
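The password-file handling above is easy to get wrong by hand, so here is an added example (my own script, not part of the OpenAM tools or the original post) that creates pwd.txt with the mode ssoadm insists on, checks the mode the same way ssoadm does before a command is run, and wraps ssoadm so that a wrongly permissioned file is rejected up front instead of halfway through a command. The function names, the pwd.txt path and the password value in the usage comment are all assumptions for illustration.

```shell
# Added example, not from the original post: create and verify the amAdmin
# password file that ssoadm reads with -f. Function names and paths are
# illustrative assumptions.

# Create the password file so that only its owner can read it (mode 400).
# $1 = path to the file, $2 = password. If $2 is omitted the password is
# read from stdin so it never shows up in the process list.
create_pwd_file() {
    pwd_file=$1
    if [ -n "$2" ]; then
        secret=$2
    else
        IFS= read -r secret
    fi
    # The subshell keeps the restrictive umask from leaking into the caller,
    # so the file is never group/world readable even for an instant.
    ( umask 077; printf '%s\n' "$secret" > "$pwd_file" )
    chmod 400 "$pwd_file"
}

# Return 0 if the file's permission bits are exactly r-------- (what ssoadm
# demands before it will read the file), 1 otherwise. Uses ls so it does not
# depend on a GNU-only stat format.
pwd_file_is_readonly_by_owner() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-r--------" ]
}

# Run ssoadm with -u/-f filled in, but only after the password file passes
# the permission check; otherwise print the fix and refuse.
# Usage: ssoadm_checked "$HOME/etc/pwd.txt" list-servers
ssoadm_checked() {
    pwd_file=$1
    shift
    if ! pwd_file_is_readonly_by_owner "$pwd_file"; then
        echo "refusing to run: $pwd_file must be mode 400 (chmod 400 \"$pwd_file\")" >&2
        return 2
    fi
    ssoadm "$@" -u amadmin -f "$pwd_file"
}

# Example (assumed values):
#   create_pwd_file "$HOME/etc/pwd.txt" 'changeit'
#   ssoadm_checked "$HOME/etc/pwd.txt" list-servers
```

The wrapper deliberately does the same check ssoadm does rather than a looser one, so a file that passes here also passes ssoadm; a file that is 440 or 600 is rejected by both.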
In real life I create a master environment file for each OpenAM instance that can be sourced by the app user, like this:
JAVA_HOME=/usr/lib/jvm/java
SSOCFG_HOME=/usr/share/tomcat/openam
SSOTOOLS_HOME=$SSOCFG_HOME/tools
PATH=$SSOTOOLS_HOME/openam/bin:$JAVA_HOME/bin:$PATH
export JAVA_HOME SSOTOOLS_HOME SSOCFG_HOME PATH
Some useful commands (see the above cited command line reference for more):
List the servers in an OpenAM environment:
ssoadm list-servers -u amadmin -f $HOME/etc/pwd.txt
In this and the examples to follow, “-u” is the ID of the admin user and “-f” is the full path to the pwd.txt file you created above.
List all Web Agents for a realm (in this example the “testrealm”):
ssoadm list-agents -u amadmin -f $HOME/etc/pwd.txt -t WebAgent -e testrealm
Here “-t” is the type of agent, and “-e” is the name of the realm. The output will show the actual configuration directory DN of the realm.
List the configuration of a server:
ssoadm list-server-cfg -u amadmin -f $HOME/etc/pwd.txt -s http://test1.example.com:8081/openam
Here “-s” stands for “server”, the value being the base URL at which your OpenAM node can be accessed.