Saturday, September 17, 2011

Install OpenAM Core Only

For production deployments, most customers prefer that the OpenAM Administration Console is not exposed to the Internet. Instead, they would like the Admin Console to be accessible only within the Intranet.

The solution is to deploy an OpenAM Core Only distribution on the Internet-facing side, while deploying an OpenAM Console Only distribution in the Intranet.

After deploying OpenAM Core Only, you'll still get the Login Page. There's no difference in behavior from the out-of-the-box installation.

The only difference is when you attempt to log in. Once you have successfully authenticated, you'll be shown the following page.

The JSPs for the console pages have been stripped out, so the requested resource is not available.

This type of deployment is useful if the OpenAM Login Page itself is not used for end-user authentication.


Friday, September 9, 2011

OpenAM : Why is the Login Page missing after reboot?

I came across this question before. Today, I encountered this scenario after my VM hung and I needed to reboot the server.

Very strange. Everything had been running fine for so many days. I panicked when I had to re-configure again.

Well, after I cooled down, I realized my OpenDJ had not been started yet!! I had my OpenAM installed with the configuration and user data stores in an external OpenDJ. (I did not use the embedded OpenDJ that was bundled with OpenAM.)

OK, so I shut down OpenAM, started OpenDJ, and then started OpenAM.

Everything is now back to normal. Phew!

Anyway, I would expect OpenAM to be smarter. At the very least, it should check whether there is an existing instance installed by looking in the .openssocfg directory.

If an existing instance is found, it should not redirect users to the Configuration Page.


LDAP Error 21: The request contains invalid syntax.

In my test environment, I have configured an external data store which is connected to OpenDJ 2.4.3. My OpenAM configuration store is connected to the same OpenDJ instance.

I was trying to perform a simple load test and needed some test users, so I tried to create new users via the OpenAM Administration Console. Since "First Name" is not compulsory, I skipped that field.

No good. I encountered "LDAP Error 21: The request contains invalid syntax."

Very strange. How can this be? When my external data store was Sun DSEE, I had never encountered this issue.

A look at the OpenDJ access log revealed the following:

[08/Sep/2011:14:54:43 +0800] ADD REQ conn=71 op=3 msgID=278 dn="uid=test001,ou=people,o=st701"
[08/Sep/2011:14:54:43 +0800] ADD RES conn=71 op=3 msgID=278 result=21 message="Entry "uid=test001,ou=people,o=st701" contains a value "" for attribute givenName that is invalid according to the syntax for that attribute: The operation attempted to assign a zero-length value to an attribute with the directory string syntax" etime=4

A check of the OpenDJ configuration showed that the "Directory String" attribute syntax has a property "allow-zero-length-values", which is set to false by default. OpenAM was sending givenName with an empty value, and OpenDJ rejected it.

How to resolve it? Relax the syntax check on the OpenDJ side:

$ bin/dsconfig -h -p 888 -D "cn=Directory Manager" -w [password] set-attribute-syntax-prop \
-n --syntax-name "Directory String" --set allow-zero-length-values:true

PS: The two product teams (OpenAM and OpenDJ) have to talk to each other. Both products have to work seamlessly together out of the box, and one team has to give in to the other at times. Just my thought.
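Loosening allow-zero-length-values on the server is one fix; the other is to stop the client from sending empty attribute values in the first place. The following is an added example (not code from OpenAM or OpenDJ) that shows both sides of that from an operator's point of view: it scans OpenDJ access-log lines for result=21 responses, pairs each one with its ADD REQ line by (conn, op) to recover the DN, pulls out the offending attribute name, and shows the client-side sanitisation that would have avoided the error. The log lines are constructed, modelled on the entry quoted above; the function names are my own.

```python
import re

# Constructed sample access log: the failing ADD from the post plus a
# successful ADD for contrast. Values are made up apart from the quoted entry.
SAMPLE_ACCESS_LOG = [
    '[08/Sep/2011:14:54:43 +0800] ADD REQ conn=71 op=3 msgID=278 dn="uid=test001,ou=people,o=st701"',
    '[08/Sep/2011:14:54:43 +0800] ADD RES conn=71 op=3 msgID=278 result=21 message="Entry '
    '"uid=test001,ou=people,o=st701" contains a value "" for attribute givenName that is invalid '
    'according to the syntax for that attribute: The operation attempted to assign a zero-length '
    'value to an attribute with the directory string syntax" etime=4',
    '[08/Sep/2011:14:55:10 +0800] ADD REQ conn=71 op=4 msgID=279 dn="uid=test002,ou=people,o=st701"',
    '[08/Sep/2011:14:55:10 +0800] ADD RES conn=71 op=4 msgID=279 result=0 etime=2',
]

LDAP_INVALID_ATTRIBUTE_SYNTAX = 21

REQ_RE = re.compile(r'\] (?P<operation>\w+) REQ conn=(?P<conn>\d+) op=(?P<op>\d+) msgID=\d+ dn="(?P<dn>[^"]*)"')
RES_RE = re.compile(r'\] (?P<operation>\w+) RES conn=(?P<conn>\d+) op=(?P<op>\d+) msgID=\d+ result=(?P<result>\d+)')
# The message text contains unescaped quotes, so pick out the attribute name directly
# instead of trying to parse the whole message="..." field.
ATTR_RE = re.compile(r'for attribute (?P<attr>[A-Za-z0-9;\-]+)')
ZERO_LENGTH_TEXT = 'zero-length value'


def find_syntax_errors(lines):
    """Return one finding per RES line with result=21, joined to its REQ line for the DN."""
    dn_by_request = {}
    findings = []
    for line in lines:
        req = REQ_RE.search(line)
        if req:
            dn_by_request[(int(req.group('conn')), int(req.group('op')))] = req.group('dn')
            continue
        res = RES_RE.search(line)
        if not res or int(res.group('result')) != LDAP_INVALID_ATTRIBUTE_SYNTAX:
            continue
        key = (int(res.group('conn')), int(res.group('op')))
        attr = ATTR_RE.search(line)
        findings.append({
            'operation': res.group('operation'),
            'conn': key[0],
            'op': key[1],
            'dn': dn_by_request.get(key),
            'attribute': attr.group('attr') if attr else None,
            'zero_length': ZERO_LENGTH_TEXT in line,
        })
    return findings


def drop_empty_values(entry):
    """Client-side fix: remove attributes that carry only empty values before building the ADD.

    LDAP attributes are multi-valued, so each value is a list. An optional field left blank
    in a form should simply be absent from the entry, not sent as givenName: "".
    """
    cleaned = {}
    for name, values in entry.items():
        kept = [v for v in values if v is not None and v != '']
        if kept:
            cleaned[name] = kept
    return cleaned


if __name__ == '__main__':
    for finding in find_syntax_errors(SAMPLE_ACCESS_LOG):
        print(finding)
    # A form submission with "First Name" skipped, as in the post.
    raw_entry = {'uid': ['test001'], 'givenName': [''], 'sn': ['Test'], 'cn': ['Test 001']}
    print(drop_empty_values(raw_entry))
```

Run it against a real access log by feeding the file's lines to find_syntax_errors; every hit is an ADD or MODIFY that a client would have seen as "LDAP Error 21". The sanitisation step belongs wherever the entry is assembled from form input, so that the server's syntax enforcement can stay at its strict default.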

Wednesday, September 7, 2011

OpenAM : Extending to a Dual Instance Deployment

If you are using the web-based GUI to install your 2nd OpenAM instance, you'll come to the Step 3 wizard page (Configuration Data Store Settings).

Since this is the 2nd instance, we should select "Add to Existing Deployment?" and then key in the "Server URL", which points to the 1st OpenAM instance.

Once the Server URL is entered, the LDAP Server field is auto-populated. The strange thing is that the Port is populated with "null".

So, is this going to work or not? I went ahead and continued with the installation.

The installation completed without any error! After installation, I logged into the OpenAM Admin Console to double-check. Everything is good: the LDAP port for my 2nd instance is shown as "1389", which is correct.

It's still a mystery why "null" was displayed in the installation wizard.


Tuesday, September 6, 2011

AM SFO: Dual instances on single machine

We have just won a project to migrate from Sun Access Manager 7 to ForgeRock OpenAM 9.5.3. This site has high concurrent access and many Policy Agents. It also needs to support Session Failover. 

There are many ways to scale OpenAM and the corresponding AMSFO.

In my test lab, I was trying to get 2 instances of AMSFO to run concurrently. I followed this Wiki page (Extending to a Dual Instance Deployment) from OpenAM.

Everything ran fine for the 1st instance (port 7777). I just could not get the 2nd instance (port 8777) to start up properly on the same physical machine.

It kept throwing the following error:

Sep 6, 2011 3:06:08 PM com.sun.messaging.jmq.jmsclient.ExceptionHandler throwConnectionException
WARNING: [C4003]: Error occurred on connection creation []. - cause: Connection refused

I think there must be a misconfiguration in the Java Message Queue. OpenAM 9.5.3 uses Sun GlassFish(tm) Message Queue 4.4.

So I searched Google and located this document. I think what was missing was instructing each MQ broker to bind to its own dedicated IP address (imq.hostname: default host name or IP address for all connection services).

I also learnt that many other listening ports are opened when AMSFO is started, besides the broker port 7777.

Before AMSFO is started:

After AMSFO is started:

So, it's very obvious there was a clash in ports when the 2nd instance was trying to start (e.g. 50722, 55044, etc. These are random port numbers, but I was unlucky enough to keep clashing on ports that were already in use).
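The reason a different broker port (8777 instead of 7777) was not enough is that the connection-service listeners behind the broker bind to all interfaces by default, and a wildcard bind on a port conflicts with any other listener on that port, whatever address it uses. The following is an added example (my own code, not part of the post or of Message Queue) that models the TCP bind-conflict rule and walks through the three cases an operator cares about: both brokers on default binds, only the second broker pinned to an IP, and both brokers pinned via imq.hostname. The port numbers are the ones quoted in the post; the two addresses are made-up documentation IPs, and the assumption that both brokers happen to pick the same dynamic ports is constructed to reproduce the clash.

```python
# Addresses that mean "every interface"; a listener on one of these owns the
# port for all addresses on the host.
WILDCARDS = {"0.0.0.0", "::", "*"}


def binds_conflict(a, b):
    """Return True when two TCP listeners (address, port) cannot coexist (EADDRINUSE).

    Ports must match; then either side being a wildcard, or identical addresses,
    produces the clash. Distinct specific addresses on the same port are fine.
    """
    (addr_a, port_a), (addr_b, port_b) = a, b
    if port_a != port_b:
        return False
    return addr_a in WILDCARDS or addr_b in WILDCARDS or addr_a == addr_b


def find_conflicts(planned, existing):
    """List every (planned, existing) listener pair that would fail to bind."""
    return [(p, e) for p in planned for e in existing if binds_conflict(p, e)]


def instance_listeners(imq_hostname, ports):
    """Listeners one broker instance opens, given its imq.hostname setting.

    None models the default (bind to all interfaces); a specific IP models the fix
    from the post. Port choice is outside this model, so the caller supplies it.
    """
    address = imq_hostname if imq_hostname else "0.0.0.0"
    return [(address, port) for port in ports]


# Constructed scenario: the first AMSFO broker on 7777 has two dynamic
# connection-service ports, and the second broker draws the same two.
FIRST_PORTS = [7777, 50722, 55044]
SECOND_PORTS = [8777, 50722, 55044]
FIRST_IP = "192.0.2.10"   # made-up dedicated address for instance 1
SECOND_IP = "192.0.2.11"  # made-up dedicated address for instance 2


def scenario(first_host, second_host):
    """Conflicts the second broker would hit, for a given pair of imq.hostname values."""
    first = instance_listeners(first_host, FIRST_PORTS)
    second = instance_listeners(second_host, SECOND_PORTS)
    return find_conflicts(second, first)


if __name__ == "__main__":
    print("both default binds:   ", scenario(None, None))
    print("only 2nd pinned:      ", scenario(None, SECOND_IP))
    print("both pinned (the fix):", scenario(FIRST_IP, SECOND_IP))
```

The middle case is the one that bites in practice: pinning only the new instance changes nothing while the first broker still holds the wildcard, which is why the post applies the imq.hostname change to both start-up scripts. Feed find_conflicts a listener table taken from netstat or ss on the real host to check a planned second instance before starting it.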


In the start-up script amsfo, edit the following:
Apply the same to the start-up script in the 2nd instance, but change the imq.hostname to