OpenAM Configuration

This is adapted from some documentation I created a few years ago, with some minor updates to bring it into line with the state of things under OpenAM 12.0.0 release.

Configuration notes for OpenAM.

Global Changes

The following changes should be made in Configuration… Global… Session:

Active User Sessions: 5 (default)

Per Server Changes

1. For external instances: change security cookie name from iPlanetDirectoryPro to “ourfed” under Security for each server.

2. For internal instances:

(a) Change Cookie Name to ourint. In the gui, Configuration… Servers and Sites… [ServerName]… Security… Cookies.

(default is iPlanetDirectoryPro and can only be changed by going into Inheritance Settings and un-checking inherited value)

com.iplanet.am.cookie.name=ourint

NOTE: If you use the gui console to create Web Agent objects you must also conform the cookie name in each object to this custom name. The OpenAM server must be restarted after making that change to be effective (cookie name changes are not “hot swap”). Failure to do so will result in a web agent communications failure.

Following section disputed – not implemented:

(b) Change Encode Cookie Value to yes. In the gui, Configuration… Servers and Sites… [ServerName]… Security… Cookies.

(default is No and can only be changed by going into Inheritance Settings and un-checking inherited value)

com.iplanet.am.cookie.encode=true

3. Install OpenAM Tools on primary node in all environments.

Site Changes

Add a (insecure) http url to the site configuration (if you set the primary url to https during site creation — which you should have).

Configuration… Servers and Sites… [Site Name]… Secondary URLs:

Add http://ssoint.example.com/openam as a secondary url:

[tomcat@example ~]$ ssoadm show-site -u amadmin \
 -f $HOME/etc/pwd.txt -s ssoint
Site primary URL: https://ssoint.example.com/openam.
Site secondary URLs:
http://ssoint.example.com/openam

Directory Connections Changes

The following changes should be applied to the default settings for the Configuration and User LDAP directory connections:

Configuraton Directories
* Minimum Connections: 10
* Maximum Connections: 65

User Directories
* Minimum Connections: 10
* Maximum Connections: 65
* Search Entry Limit: 1000 (entries)
* Search Time Limit: 5 (seconds)
* Cache: ENABLED (checkbox)
* Cache size: 1048576 (bytes)

For User Directories:

Objectclasses

remove:

add:
extensibleobject
posixaccount
shadowaccount

Attributes

remove:
employeenumber

add:
displayname
c
departmentnumber
l
mobile
o
ou
postalcode
st
street
title
homephone
loginshell
uidnumber
gidnumber
homedirectory

Keys and the OpenAM Server

The OpenAM system uses a two of different kinds of keys to encrypt data and to authorize transactions by clients with the server.

Each OpenAM server has a pair of these that are generated on initial configuration of a server. Following is guidance on how to find them.

The keys are the Authentication Shared Service Key and the Password Encryption Key.

These keys are displayed under Configuration… Servers and Sites… [Server Name]… Security.

They can also be found by doing an LDAP search as Directory Manager on the configuration directory.

The entry containing this information is:

“dn: ou=[OpenAM server URL], ou=com-sun-identity-servers, ou=default, ou=GlobalConfig, ou=1.0, ou=iPlanetAMPlatformService, ou=services,dc=opensso, dc=java, dc=net”

Because the naming attribute value for this entry, “ou”, has an abbreviated value, “ou=[OpenAM server URL]”, it is probably easier to search using that. For example:

ldapsearch -h ssoint.example.com -p 50389 -D "cn=directory manager" \
-w xxxxxx -b "dc=opensso,dc=java,dc=net" -s sub \
"(ou=http://server1.example.com:8080/openam)"

Here are the relevant parts of the entry returned in LDIF format:

dn: ou=http://server1.example.com:8080/openam,ou=com-sun-identity-servers,o
 u=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc
 =opensso,dc=java,dc=net
objectClass: sunServiceComponent
objectClass: top
ou: http://server1.example.com:8080/openam

* * *

sunKeyValue: serverconfig=com.iplanet.am.service.secret=AQICP4ojDtUFuULt1TYK
 0SYei+NIFR/rv7Uh

* * *

sunKeyValue: serverconfig=am.encryption.pwd=BqA3LIGMvF7wM6PBUq7lazDEJ+B4GMbD

The first value above is the Authentication Shared Service Key, the second is the Password Encryption Key.

Password Reset

Secret Question and Answer

Both the question and answer are stored in iplanet-am-user-password-reset-question-answer as an encrypted value. Multiple questions and answers can be stored in this multi-valued attribute.

The “secret question and answer” is a feature only available in the “legacy” user interface. The minimalist XUI interface does not support it. To take advantage of it you need to do 3 things:

1. Disable the XUI interface. In the admin console go to Configuration… Authentication… Core… clear the checkbox for XUI Interface Enabled and save.

2. Enable the Password Reset service under Configuration… Global… Password Reset. Check “Enabled” for both Password Reset and Personal Question. Set maximum number of questions to 3. Enter dn and password of OpenAM LDAP user (e.g. cn=openam,ou=special users, dc=example, dc=com), and save.

3. Enable self service under Configuration… Global… User Self Service… checking Forgotten Password For Users Enabled and save.

4. Extract from and edit to add pairs for additional questions and answers as described under Configuring User Self Service Features in the OpenAM Administration Guide.

Discussion in OPENSSO-4144 and Re: Value of iplanet-am-user-password-reset-question-answer attribute.

Other User Profile Enhancements

It is possible to use OpenAM as an LDAP user profile editor, enabling administrators and users to modify provisioned attribute values.

Extending user profile attributes is described in the OpenAM Developer’s Guide under Customizing Profile Attributes.

Among my own enhancements was to change the mail attribute from type “single” to “list”, allowing me to store more than one value in what is a multi-valued attribute in the standard LDAP schema.

This entry was posted in Identity Management, System Administration on by .

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).