OpenAM SSO Tools: Cannot obtain Application SSO token

This is a common, repeatable error you'll see after setting up a new site for an existing OpenAM server that already has the SSO Tools installed. The solution follows.

See my previous article on setting up OpenAM’s SSO Tools, as updated for OpenAM 12, here.

This is the full error message:

[tomcat@test1 ~]$ ssoadm list-servers -u amadmin \
-f etc/pwd.txt

Logging configuration class
"com.sun.identity.log.s1is.LogConfigReader" failed
com.sun.identity.security.AMSecurityPropertiesException:
AdminTokenAction:  FATAL ERROR: Cannot obtain
Application SSO token.
Check AMConfig.properties for the following properties
	com.sun.identity.agents.app.username
	com.iplanet.am.service.password
Logging configuration class
"com.sun.identity.log.s1is.LogConfigReader" failed

OpenAM lead Peter Major of ForgeRock provides the solution in this forum post:

Issue with ssoadm tool after setting up OpenAM site

Peter's answer refers back to the OpenAM CLI Overview section of the product documentation. The fix is to add a line to the ssoadm script that sets the Java system property com.iplanet.am.naming.map.site.to.server, which maps the site URL to the backend server URL (in the form site URL=server URL) so that ssoadm talks to the server directly instead of going through the site URL.

Here’s the change in context, where my site is called “sso.example.com” and the SSO Tools are installed under /usr/share/tomcat/openam/tools (where ssoadm will be located at /usr/share/tomcat/openam/tools/openam/bin/ssoadm):

-D"com.sun.identity.idm.remote.notification.enabled=false" \
-D"com.iplanet.am.naming.map.site.to.server=https://sso.example.com:443/openam=http://localhost:8080/openam" \
com.sun.identity.cli.CommandManager "$@"

The excerpt is from the version of ssoadm that ships with OpenAM 12.

I used “localhost” for the backend server host name for maximum portability.
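As an added example (not part of the original post, and not ForgeRock's code), the following POSIX shell functions apply the fix above without hand-editing: they insert the site-to-server mapping immediately before the CommandManager line of an ssoadm script, refuse to do it twice, keep a .bak copy, and read the mapping back so you can verify it before re-running ssoadm. The sample ssoadm fragment written by make_sample_script is a constructed stand-in for the tail of the real script, and the site and server URLs are the ones used in the post; the function names are my own.

```shell
#!/bin/sh
# Added example: idempotently add the OpenAM site-to-server mapping to an
# ssoadm launcher script. Not from the original post; paths, URLs and the
# sample script body are constructed for illustration.

# add_site_mapping SCRIPT SITE_URL SERVER_URL
#   Inserts  -D"com.iplanet.am.naming.map.site.to.server=SITE=SERVER" \
#   directly above the com.sun.identity.cli.CommandManager line.
#   Prints "added", "present" (mapping already there) or "error".
add_site_mapping() {
    script=$1; site=$2; server=$3
    [ -f "$script" ] || { echo error; return 1; }
    if grep -q 'com.iplanet.am.naming.map.site.to.server=' "$script"; then
        echo present; return 0
    fi
    grep -q 'com.sun.identity.cli.CommandManager' "$script" || { echo error; return 1; }
    cp "$script" "$script.bak"
    # Trailing backslash keeps the java command line continued onto the next line.
    mapping="-D\"com.iplanet.am.naming.map.site.to.server=$site=$server\" \\"
    # Pass the line through the environment: awk -v would reprocess backslashes.
    MAPPING="$mapping" awk '
        /com\.sun\.identity\.cli\.CommandManager/ && !inserted {
            print ENVIRON["MAPPING"]; inserted = 1
        }
        { print }
    ' "$script.bak" > "$script"
    echo added
}

# get_site_mapping SCRIPT
#   Prints the SITE=SERVER value currently configured, or nothing if absent.
get_site_mapping() {
    sed -n 's/^[[:space:]]*-D"com\.iplanet\.am\.naming\.map\.site\.to\.server=\([^"]*\)".*$/\1/p' "$1"
}

# make_sample_script PATH
#   Writes a constructed, minimal stand-in for the end of an OpenAM 12 ssoadm
#   script (not the real file) so the functions can be exercised offline.
make_sample_script() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed fragment, not the real ssoadm
"$JAVA_HOME/bin/java" -Xms256m -Xmx512m -cp "$CLASSPATH" \
-D"com.sun.identity.idm.remote.notification.enabled=false" \
com.sun.identity.cli.CommandManager "$@"
EOF
}

# Usage: sh fix_ssoadm.sh /usr/share/tomcat/openam/tools/openam/bin/ssoadm \
#            https://sso.example.com:443/openam http://localhost:8080/openam
if [ $# -eq 3 ]; then
    add_site_mapping "$1" "$2" "$3"
    get_site_mapping "$1"
fi
```

Run get_site_mapping first on a script that reports "present": it will not overwrite an existing mapping that points at a different site, and the site URL must match the site's primary URL exactly (scheme, host and port), otherwise ssoadm still ends up with the original error.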

This entry was posted in Development, Identity Management, System Administration.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).