This is adapted from some documentation I created a few years ago, with some minor updates to bring it into line with the state of things under the OpenAM 12.0.0 release.
Configuration notes for OpenAM.
The following changes should be made in Configuration… Global… Session:
Active User Sessions: 5 (default)
Per Server Changes
1. For external instances: change the session cookie name from iPlanetDirectoryPro to “ourfed” under Security for each server.
2. For internal instances:
(a) Change Cookie Name to ourint. In the gui, Configuration… Servers and Sites… [ServerName]… Security… Cookies.
(default is iPlanetDirectoryPro and can only be changed by going into Inheritance Settings and un-checking inherited value)
NOTE: If you use the gui console to create Web Agent objects you must also set the cookie name in each agent object to this custom name. The OpenAM server must be restarted after making that change for it to take effect (cookie name changes are not “hot swap”). Failure to do so will result in a web agent communication failure.
The following item is disputed and has not been implemented:
(b) Change Encode Cookie Value to yes. In the gui, Configuration… Servers and Sites… [ServerName]… Security… Cookies.
(default is No and can only be changed by going into Inheritance Settings and un-checking inherited value)
3. Install OpenAM Tools on primary node in all environments.
Add an (insecure) http URL to the site configuration if you set the primary URL to https during site creation, which you should have done.
Configuration… Servers and Sites… [Site Name]… Secondary URLs:
Add http://ssoint.example.com/openam as a secondary url:
[tomcat@example ~]$ ssoadm show-site -u amadmin \
    -f $HOME/etc/pwd.txt -s ssoint
Site primary URL: https://ssoint.example.com/openam.
Site secondary URLs: http://ssoint.example.com/openam
Directory Connections Changes
The following changes should be applied to the default settings for the Configuration and User LDAP directory connections:
* Minimum Connections: 10
* Maximum Connections: 65
* Minimum Connections: 10
* Maximum Connections: 65
* Search Entry Limit: 1000 (entries)
* Search Time Limit: 5 (seconds)
* Cache: ENABLED (checkbox)
* Cache size: 1048576 (bytes)
For User Directories:
* Object classes: remove none; add extensibleobject, posixaccount, shadowaccount
* Attributes: remove employeenumber; add displayname, c, departmentnumber, l, mobile, o, ou, postalcode, st, street, title, homephone, loginshell, uidnumber, gidnumber, homedirectory
Keys and the OpenAM Server
The OpenAM system uses two different kinds of keys to encrypt data and to authorize transactions by clients with the server.
Each OpenAM server has a pair of these, generated on initial configuration of the server. The following is guidance on how to find them.
The keys are the Authentication Shared Service Key and the Password Encryption Key.
These keys are displayed under Configuration… Servers and Sites… [Server Name]… Security.
They can also be found by doing an LDAP search as Directory Manager on the configuration directory.
The entry containing this information is:
“dn: ou=[OpenAM server URL], ou=com-sun-identity-servers, ou=default, ou=GlobalConfig, ou=1.0, ou=iPlanetAMPlatformService, ou=services,dc=opensso, dc=java, dc=net”
Because the naming attribute of this entry, “ou”, simply holds the server URL, it is probably easier to search with a filter on that value than to spell out the full DN. For example:
ldapsearch -h ssoint.example.com -p 50389 -D "cn=directory manager" \
    -w xxxxxx -b "dc=opensso,dc=java,dc=net" -s sub \
    "(ou=http://server1.example.com:8080/openam)"
Here are the relevant parts of the entry returned in LDIF format:
dn: ou=http://server1.example.com:8080/openam,ou=com-sun-identity-servers,ou=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc=opensso,dc=java,dc=net
objectClass: sunServiceComponent
objectClass: top
ou: http://server1.example.com:8080/openam
* * *
sunKeyValue: serverconfig=com.iplanet.am.service.secret=AQICP4ojDtUFuULt1TYK0SYei+NIFR/rv7Uh
* * *
sunKeyValue: serverconfig=am.encryption.pwd=BqA3LIGMvF7wM6PBUq7lazDEJ+B4GMbD
The first value above is the Authentication Shared Service Key, the second is the Password Encryption Key.
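To pull these two values out of a saved ldapsearch result without reading the folded LDIF by eye, here is an added Python example (not part of the original notes). It assumes only the LDIF layout shown above; the embedded sample is constructed from the page's illustrative values and is not a real key pair.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the ldapsearch output in the notes above.
# ldapsearch folds long attribute lines; a continuation line starts with one space.
SAMPLE_LDIF = """\
dn: ou=http://server1.example.com:8080/openam,ou=com-sun-identity-servers,o
 u=default,ou=GlobalConfig,ou=1.0,ou=iPlanetAMPlatformService,ou=services,dc
 =opensso,dc=java,dc=net
objectClass: sunServiceComponent
objectClass: top
ou: http://server1.example.com:8080/openam
sunKeyValue: serverconfig=com.iplanet.am.service.secret=AQICP4ojDtUFuULt1TYK
 0SYei+NIFR/rv7Uh
sunKeyValue: serverconfig=am.encryption.pwd=BqA3LIGMvF7wM6PBUq7lazDEJ+B4GMbD
"""

# Property names as they appear in the entry, mapped to the names the console uses.
KEY_PROPS = {
    "com.iplanet.am.service.secret": "Authentication Shared Service Key",
    "am.encryption.pwd": "Password Encryption Key",
}

def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading space) back onto their attribute line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # drop the fold marker, keep the content
        elif raw.strip():
            lines.append(raw)
    return lines

def server_config(text: str) -> Dict[str, str]:
    """Return every 'serverconfig=name=value' property in the entry as a dict."""
    props: Dict[str, str] = {}
    for line in unfold_ldif(text):
        # Property name stops at the first '='; the value may itself contain '='.
        m = re.match(r"sunKeyValue: serverconfig=([^=]+)=(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2)
    return props

def openam_keys(text: str) -> Dict[str, str]:
    """Pick out the two keys described in the notes, keyed by their console names."""
    props = server_config(text)
    return {label: props[p] for p, label in KEY_PROPS.items() if p in props}

if __name__ == "__main__":
    for label, value in openam_keys(SAMPLE_LDIF).items():
        print(f"{label}: {value}")
```

Feed it the real output with `ldapsearch ... | python3 thisscript.py` style redirection after replacing SAMPLE_LDIF with sys.stdin.read(), and treat the printed values as secrets.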
Secret Question and Answer
Both the question and answer are stored in iplanet-am-user-password-reset-question-answer as an encrypted value. Multiple questions and answers can be stored in this multi-valued attribute.
The “secret question and answer” is a feature only available in the “legacy” user interface. The minimalist XUI interface does not support it. To take advantage of it you need to do three things:
1. Disable the XUI interface. In the admin console go to Configuration… Authentication… Core… clear the checkbox for XUI Interface Enabled and save.
2. Enable the Password Reset service under Configuration… Global… Password Reset. Check “Enabled” for both Password Reset and Personal Question. Set the maximum number of questions to 3. Enter the DN and password of the OpenAM LDAP user (e.g. cn=openam,ou=special users, dc=example, dc=com), and save.
3. Enable self service under Configuration… Global… User Self Service by checking Forgotten Password For Users Enabled, and save.
Other User Profile Enhancements
It is possible to use OpenAM as an LDAP user profile editor, enabling administrators and users to modify provisioned attribute values.
Among my own enhancements was to change the mail attribute from type “single” to “list”, allowing me to store more than one value in what is a multi-valued attribute in the standard LDAP schema.