OpenAM Setup v0.2

Prerequisites

Ensure that OpenDJ is setup and running.

DNS

OpenAM requires that you use fully qualified domain names, such as openam.example.com so we'll use,

openam.krypton.com and www.openam.krypton.com

First, OpenAM does requires these entries on the server. Edit your /etc/hosts file accordingly.

If you are not using real DNS, then ensure that these entries are on your client machine's hosts file.

Setup Tomcat

Setup Zero Footprint Tomcat run as serveradmin. Do not have Tomcat started yet.

OpenAM Download and Prep

Download

Download the files

wget http://download.forgerock.org/downloads/openam/snapshot9.5/openam_954.war
wget http://download.forgerock.org/downloads/openam/snapshot9.5/ssoAdminTools_954.zip

Data Directory

Each OpenAM instance has a configuration directory, agents directory and administration tools. As a sudo enabled user,

cd /opt
sudo mkdir openam.0
cd openam.0
sudo mkdir agents config admintools
cd /opt
sudo chown -R serveradmin:staff ./openam.0
sudo chmod -R 750 ./openam.0

Deploy

Rename and copy the war to the Tomcat deployment directory

cp openam_954.war /opt/apache/tomcat.0/webapps/openam.war

Start Tomcat and browse to http://openam.krypton.com:8080/openam/ to start the wizard.

Initial Wizard

Select Custom Configuration.

Default User Password

User = amadmin
Pass = Adam's password+

Server Settings

Server URL = openam.krypton.com:8080
Cookie Domain = .krypton.com
Platform Local = en_US
Configuration Director = /opt/openam.0/config where the 0 designates this as the first instance

Configuration Data Store Settings

First Instance = selected

Data Store = OpenDS or Sun Java System Directory Server
SSL/TLS Enabled = no
Host Name = localhost
Port = 50389
Admin Port = 5444
JMX Port = 1689
Root Suffix = dc=openam,dc=krypton,dc=com
Login ID = cn=Directory Manager
Password = Adam's password+

Originally I wanted to use OpenDJ for the Data Store but it is recommended against by ForgeRock. Read the OpenDJ setup for more details.

If you really want to use an external data store for the Configuration read https://wikis.forgerock.org/confluence/display/openam/Configure+an+external+OpenDJ+or+OpenDS+as+the+configuration+store

User Data Store Settings

The OpenAM data store is not supported in the production environment per the wizard.

Other User Data Store = selected

User Data Store Type = OpenDS

SSL/TLS Enabled = no
Host Name = opendj.krypton.com
Port = 1389
Root Suffix = dc=krypton,dc=com
Login ID = cn=Directory Manager

Site Configuration

Select No

Default Policy Agent User

Set password for policy agent must be different so using 2Keys.

Summary Details

Configuration Store Details

User Store Details

Site Configuration Details

Run

The LDAP operation failed., refer to install.log under /opt/openam-config.0 for more information.

Another bug in a sense. Carefully reading the manual,

If you decide to use an existing installation of OpenDJ for configuration data, then you must first relax the restriction on objects with multiple structural object classes, by using the OpenDJ *dsconfig* command before completing OpenAM configuration.

Enter this into the command line

cd /opt/opends.0
./dsconfig -h opendj.krypton.com -p 4444 -D "cn=Directory Manager" -w ****** set-global-configuration-prop --set single-structural-objectclass-behavior:warn -X -n

When the configuration completes, click Proceed to Login, and then login as OpenAM administrator.

There is a note from the online manual,

But no instructions on how to do this or even why we need to do this.

Ah, I figured it out. By default OpenAM selects the user running the web container's home directory as the location for the OpenAM configuration files. It is saying to set permissions up so other users can not modify it. In our case, we are using serveradmin as the user running the web container, but then we choose a more explicit directory /opt/openam-config and is already configured to only allow staff and svradm.