Prerequisites
Ensure that OpenDJ is set up and running.
DNS
OpenAM requires that you use fully qualified domain names, such as openam.example.com, so we'll use
openam.krypton.com and www.openam.krypton.com
First, OpenAM requires these entries on the server. Edit your /etc/hosts file accordingly.
If you are not using real DNS, then ensure that these entries are also in your client machine's hosts file.
Setup Tomcat
Set up Zero Footprint Tomcat to run as serveradmin. Do not start Tomcat yet.
OpenAM Download and Prep
Download
Download the files
wget http://download.forgerock.org/downloads/openam/snapshot9.5/openam_954.war
wget http://download.forgerock.org/downloads/openam/snapshot9.5/ssoAdminTools_954.zip
Data Directory
Each OpenAM instance has a configuration directory, an agents directory and administration tools. As a sudo-enabled user, run:
cd /opt
sudo mkdir openam.0
cd openam.0
sudo mkdir agents config admintools
cd /opt
sudo chown -R serveradmin:staff ./openam.0
sudo chmod -R 750 ./openam.0
Deploy
Rename and copy the WAR file to the Tomcat deployment directory:
cp openam_954.war /opt/apache/tomcat.0/webapps/openam.war
Start Tomcat and browse to http://openam.krypton.com:8080/openam/ to start the wizard.
Initial Wizard
Select Custom Configuration.
Default User Password
User = amadmin
Pass = Adam's password+
Server Settings
Server URL = openam.krypton.com:8080
Cookie Domain = .krypton.com
Platform Locale = en_US
Configuration Directory = /opt/openam.0/config where the 0 designates this as the first instance
As per the forum notes, you MUST use the fully qualified domain name, openam.krypton.com, and not krypton.com in your browser URL.
Configuration Data Store Settings
First Instance = selected
Data Store = OpenDS or Sun Java System Directory Server
SSL/TLS Enabled = no
Host Name = localhost
Port = 50389
Admin Port = 5444
JMX Port = 1689
Root Suffix = dc=openam,dc=krypton,dc=com
Login ID = cn=Directory Manager
Password = Adam's password+
Originally I wanted to use OpenDJ for the Data Store but it is recommended against by ForgeRock. Read the OpenDJ setup for more details.
ForgeRock also recommends using the embedded LDAP server as the configuration store when you have four or fewer instances of OpenAM in production. At the same time, ForgeRock does not recommend
Since both the Configuration Data Store and the User Data Store use very similar schemas, we make a point of differentiating the root suffix.
If you really want to use an external data store for the configuration, read https://wikis.forgerock.org/confluence/display/openam/Configure+an+external+OpenDJ+or+OpenDS+as+the+configuration+store
User Data Store Settings
Other User Data Store = selected
User Data Store Type = OpenDS
SSL/TLS Enabled = no
Host Name = opendj0.krypton.com
Port = 1389
Root Suffix = dc=krypton,dc=com
Login ID = cn=Directory Manager
Site Configuration
Select No
Default Policy Agent User
The policy agent password must be different from the amadmin password, so we use 2Keys.
Summary Details
Configuration Store Details
SSL/TLS Enabled = No
Host Name = krypton.com
Listening Port = 1389
Root Suffix = dc=opendj.krypton,dc=com
User Name = cn=Directory Manager
Directory Name = /opt/openam-config.0
User Store Details
SSL/TLS Enabled = No
Host Name = krypton.com
Listening Port = 1389
Root Suffix = dc=opendj.krypton,dc=com
User Name = cn=Directory Manager
User Data Store Type = OpenDS
Site Configuration Details
This instance is not set up behind a load balancer
Run
The LDAP operation failed., refer to install.log under /opt/openam-config.0 for more information.
Another bug, in a sense. Reading the manual carefully:
If you decide to use an existing installation of OpenDJ for configuration data, then you must first relax the restriction on objects with multiple structural object classes, by using the OpenDJ *dsconfig* command before completing OpenAM configuration.
Enter this on the command line:
cd /opt/opends.0
./dsconfig -h opendj.krypton.com -p 4444 -D "cn=Directory Manager" -w ****** set-global-configuration-prop --set single-structural-objectclass-behavior:warn -X -n
When the configuration completes, click Proceed to Login, and then login as OpenAM administrator.
There is a note from the online manual,
Restrict permissions to the configuration directory (by default $HOME/openam, where $HOME corresponds to the user who runs the web container).
But there are no instructions on how to do this, or even why we need to do it.
Ah, I figured it out. By default OpenAM selects the home directory of the user running the web container as the location for the OpenAM configuration files. The note is saying to set permissions so that other users cannot modify it. In our case, we are using serveradmin as the user running the web container, but we chose a more explicit directory, /opt/openam-config, which is already configured to only allow staff and svradm.
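Added example, not from the original notes, covering both the chown/chmod step under Data Directory and the manual's note about restricting the configuration directory: a POSIX shell check that reports anything under the configuration directory that is world-accessible or not owned by the web container user, plus a helper that reapplies the ownership and modes. It assumes the /opt/openam.0/config path and serveradmin:staff ownership chosen above, and GNU stat and find.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes the config directory
# chosen above (/opt/openam.0/config) and serveradmin:staff ownership.
# Uses GNU stat/find (-c, -perm /...); adjust for BSD/macOS.
OPENAM_CONFIG_DIR="${OPENAM_CONFIG_DIR:-/opt/openam.0/config}"
EXPECTED_OWNER="${EXPECTED_OWNER:-serveradmin}"
EXPECTED_GROUP="${EXPECTED_GROUP:-staff}"

# check_config_dir DIR OWNER GROUP
# Returns 0 when DIR is owned by OWNER:GROUP, nothing under it is accessible
# to "other", and every entry belongs to OWNER. Findings go to stderr.
check_config_dir() {
    dir=$1 owner=$2 group=$3 rc=0
    if [ ! -d "$dir" ]; then
        echo "missing: $dir" >&2
        return 1
    fi
    actual=$(stat -c '%U %G' "$dir")
    if [ "$actual" != "$owner $group" ]; then
        echo "owner: $dir is $actual, expected $owner $group" >&2
        rc=1
    fi
    # Any r/w/x bit for "other" lets every local account on a shared Tomcat
    # host read the bootstrap file and keystore that live in here.
    world=$(find "$dir" -perm /o=rwx 2>/dev/null)
    if [ -n "$world" ]; then
        printf 'world-accessible under %s:\n%s\n' "$dir" "$world" >&2
        rc=1
    fi
    # Entries owned by another account could be rewritten behind Tomcat's back.
    foreign=$(find "$dir" ! -user "$owner" 2>/dev/null)
    if [ -n "$foreign" ]; then
        printf 'not owned by %s under %s:\n%s\n' "$owner" "$dir" "$foreign" >&2
        rc=1
    fi
    return $rc
}

# lock_config_dir DIR OWNER GROUP
# Applies the same ownership and 750 (dirs) / 640 (files) modes as the data
# directory step above.
lock_config_dir() {
    chown -R "$2:$3" "$1" && chmod -R 750 "$1" \
        && find "$1" -type f -exec chmod 640 {} +
}

if [ -d "$OPENAM_CONFIG_DIR" ]; then
    check_config_dir "$OPENAM_CONFIG_DIR" "$EXPECTED_OWNER" "$EXPECTED_GROUP" \
        && echo "ok: $OPENAM_CONFIG_DIR restricted to $EXPECTED_OWNER:$EXPECTED_GROUP"
fi
```

Run it as the user that owns the directory (or as root) after the wizard finishes; a non-zero exit with findings on stderr means the directory is not restricted the way the manual asks.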