This is a common, repeatable error you'll experience after setting up a new site for an existing OpenAM server that already has the SSO Tools installed. Solution follows.
See my previous article on setting up OpenAM’s SSO Tools, as updated for OpenAM 12, here.
This is the full error message:
    [tomcat@test1 ~]$ ssoadm list-servers -u amadmin \
        -f etc/pwd.txt
    Logging configuration class "com.sun.identity.log.s1is.LogConfigReader" failed
    com.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
    Check AMConfig.properties for the following properties
    com.sun.identity.agents.app.username
    com.iplanet.am.service.password
    Logging configuration class "com.sun.identity.log.s1is.LogConfigReader" failed
OpenAM lead Peter Major of ForgeRock provides the solution in this forum post:
Peter’s answer refers back to the OpenAM CLI Overview section of the product documentation. The fix is to insert a line in the ssoadm script file that maps the site URL to the backend server URI.
Here’s the change in context, where my site is called “sso.example.com” and the SSO Tools are installed under /usr/share/tomcat/openam/tools (where ssoadm will be located at /usr/share/tomcat/openam/tools/openam/bin/ssoadm):
    -D"com.sun.identity.idm.remote.notification.enabled=false" \
    -D"com.iplanet.am.naming.map.site.to.server=https://sso.example.com:443/openam=http://localhost:8080/openam" \
    com.sun.identity.cli.CommandManager "$@"
The line numbers are from the version of ssoadm that ships with OpenAM 12.
I used “localhost” for the backend server host name for maximum portability.
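The edit described above can be scripted so it is applied once and is safe to re-run, for example after the tools are reinstalled. This is an added example, not code from the article or from ForgeRock; the function names are hypothetical, and it assumes the CommandManager class name starts its own line in ssoadm, as in the excerpt above.

```shell
#!/bin/sh
# Added example: insert the site-to-server mapping into an ssoadm script once,
# just before the CommandManager line. Function names are hypothetical.
# Assumes CommandManager starts its own line, as in the article's excerpt.

MAP_PROP="com.iplanet.am.naming.map.site.to.server"

# has_site_mapping FILE: succeeds if the script already sets the property.
has_site_mapping() {
    grep -q -- "-D\"$MAP_PROP=" "$1"
}

# add_site_mapping FILE SITE_URL SERVER_URL
# Returns 0 if the mapping is present afterwards, 2 if FILE has no
# CommandManager line, 1 on any other failure. Keeps a copy in FILE.bak.
add_site_mapping() {
    file=$1; site=$2; server=$3
    if ! grep -q '^[[:space:]]*com\.sun\.identity\.cli\.CommandManager' "$file"; then
        echo "add_site_mapping: no CommandManager line in $file" >&2
        return 2
    fi
    if has_site_mapping "$file"; then
        return 0                      # already patched; nothing to do
    fi
    cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1
    # The new line ends in a backslash so the java command stays continued.
    line="-D\"$MAP_PROP=$site=$server\" \\"
    if LINE=$line awk '
        /^[ \t]*com\.sun\.identity\.cli\.CommandManager/ && !done {
            match($0, /^[ \t]*/)      # reuse the indentation of this line
            print substr($0, 1, RLENGTH) ENVIRON["LINE"]
            done = 1
        }
        { print }
    ' "$file.bak" > "$tmp" && cat "$tmp" > "$file"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Usage with the article's values:
# add_site_mapping /usr/share/tomcat/openam/tools/openam/bin/ssoadm \
#     https://sso.example.com:443/openam http://localhost:8080/openam
```

Writing the result back with `cat` rather than `mv` keeps the script's existing owner and mode, so ssoadm stays executable by the same user.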