Sun Java Enterprise System 2003Q4 Deployment Example Series: Evaluation Scenario |
Chapter 4
Provisioning a Java Enterprise System User

This chapter shows you how to set up Identity Server as a general-purpose provisioning tool and how to provision a Java Enterprise System user with Identity Server. This chapter contains the following sections:
- About Java Enterprise System User Provisioning
- Using Identity Server as a Provisioning Tool
- Provisioning a Sample End User
About Java Enterprise System User Provisioning

A Java Enterprise System user is an account that has access to one or more services provided by Java Enterprise System components. (Some services may be provided by several Java Enterprise System components working together.)
The idea of a Java Enterprise System user encompasses:
- An end user who can use services provided by any of the following Java Enterprise System components: Identity Server, Portal Server, Messaging Server, Calendar Server, or Instant Messaging Server.
- A user account, consisting of end-user data that is stored as a Directory Server LDAP database entry. The data in the user account includes information that identifies the services the user is authorized to access. In the simplest scenarios, all Java Enterprise System services write their entries for a user to a single user account.
User provisioning is creating the user’s account and enabling the user’s access to Java Enterprise System services.
Java Enterprise System has the following interfaces for user provisioning and working with LDAP directory entries:
The procedures in this chapter show you how to provision a user with the Sun ONE Identity Server Console.
In a production system, Java Enterprise System administrators manage users. User management tasks not demonstrated in this chapter include LDAP organizational planning, database management, and delegated administration.
Using Identity Server as a Provisioning Tool

This section describes how to set up the LDAP attributes necessary for using Identity Server as a general-purpose provisioning tool. You set up the LDAP attributes with Identity Server Services. Identity Server Services are a mechanism for grouping and managing LDAP attributes.
Identity Server Services are not end-user services. The Sample Mail Server Service and Sample Calendar Server Service described in this section add Identity Server LDAP attributes that enable you to provision users with end-user mail and calendar services.
Importing the Identity Server Services into Identity Server
The Java Enterprise System installer supplies definitions for two Identity Server Services that add LDAP attributes for managing end-user mail and calendar services. These definitions are supplied as two Extensible Markup Language (XML) files. These XML files describe Identity Server Services named Sample Mail Server Service and Sample Calendar Server Service.
Sample Mail Server Service and Sample Calendar Server Service are not intended for production use. User provisioning in a production environment is typically performed by batch processing operations, which these sample services do not support. For information on production user provisioning, and the command line tools used in production user provisioning, see Sun ONE Identity Server 6.1 Administration Guide and Sun ONE Messaging and Collaboration 6.0 User Management Utility Installation and Reference Guide.
To Import the Identity Server Services into Identity Server
- Navigate to the samples directory:
cd /opt/SUNWam/samples/integration
- Run the amadmin command for the Sample Mail Server Service:
/opt/SUNWam/bin/amadmin --runasdn "uid=amadmin,ou=people,dc=example,dc=com" --password password --schema sampleMailServerService.xml
Note
If your domain name includes a subdomain, you must specify each element of the name separately. For example, if you use my.example.com, you must type dc=my,dc=example,dc=com.
The amadmin password is passed as a command-line argument, so it is visible in the process list (ps) for as long as amadmin runs and is recorded in your shell history. Run these commands only on a host where every local account is trusted, and clear the shell history afterwards.
- Run the amadmin command for the Sample Calendar Server Service:
/opt/SUNWam/bin/amadmin --runasdn "uid=amadmin,ou=people,dc=example,dc=com" --password password --schema sampleCalendarServerService.xml
- Use the cp command to copy the associated property files, which enable localization, to the locale directory:
cp sampleMailServerService.properties /opt/SUNWam/locale
cp sampleCalendarServerService.properties /opt/SUNWam/locale
- Stop Identity Server:
/opt/SUNWam/bin/amserver stop
- Stop and restart Application Server:
cd /var/opt/SUNWappserver7/domains/domain1/server1/bin
./stopserv
./startserv
Restarting Application Server also restarts Identity Server.
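The six steps above, scripted as one procedure. This is an added example and not part of the Sun documentation: the paths are the ones this page documents, while the AM_HOME, APPSERVER_BIN and AMADMIN_PASSWORD environment variables and the function names are assumptions made here. The domain_to_dn function applies the Note about subdomains mechanically (one dc= component per DNS label), each import stops the procedure on failure rather than leaving one service defined and the other not, and the password is read from the terminal instead of being typed into the command so that it stays out of shell history (it is still exposed in the process list while amadmin runs, because this version of amadmin only accepts it as an argument).

```shell
#!/bin/sh
# Added example, not part of the Sun documentation: scripts the import
# procedure above. Paths are the ones the page documents; AM_HOME,
# APPSERVER_BIN and AMADMIN_PASSWORD are environment variables assumed
# by this script only.

AM_HOME="${AM_HOME:-/opt/SUNWam}"
SAMPLES_DIR="$AM_HOME/samples/integration"
LOCALE_DIR="$AM_HOME/locale"
APPSERVER_BIN="${APPSERVER_BIN:-/var/opt/SUNWappserver7/domains/domain1/server1/bin}"

# Convert a DNS domain into the base DN amadmin expects, one dc= component
# per label, as the Note above requires:
#   my.example.com -> dc=my,dc=example,dc=com
domain_to_dn() {
    printf 'dc=%s\n' "$1" | sed 's/\./,dc=/g'
}

# DN of the top-level administrator the installer created for a domain.
admin_dn() {
    printf 'uid=amadmin,ou=people,%s\n' "$(domain_to_dn "$1")"
}

# Import one service definition. Refuse to run without the schema file and
# return amadmin's exit status, so a failed import stops the procedure
# instead of leaving half of the attributes defined.
import_schema() {
    dn="$1"
    xml="$2"
    [ -r "$xml" ] || { echo "schema file not found: $xml" >&2; return 1; }
    "$AM_HOME/bin/amadmin" --runasdn "$dn" --password "$AMADMIN_PASSWORD" --schema "$xml"
}

# Import both sample services, install their localization files, stop
# Identity Server, and restart Application Server (which restarts Identity
# Server with it).
import_sample_services() {
    domain="$1"
    dn=$(admin_dn "$domain")
    cd "$SAMPLES_DIR" || return 1
    for svc in sampleMailServerService sampleCalendarServerService; do
        import_schema "$dn" "$svc.xml" || return 1
        cp "$svc.properties" "$LOCALE_DIR/" || return 1
    done
    "$AM_HOME/bin/amserver" stop || return 1
    ( cd "$APPSERVER_BIN" && ./stopserv && ./startserv )
}

# The import runs only when a domain is given on the command line, so the
# functions above can also be sourced on their own. The password is read
# from the terminal with echo off rather than typed into the command line.
if [ $# -gt 0 ]; then
    if [ -z "$AMADMIN_PASSWORD" ]; then
        printf 'amadmin password: ' >&2
        stty -echo; read -r AMADMIN_PASSWORD; stty echo
        echo >&2
    fi
    import_sample_services "$1"
fi
```

Run it as `sh import-sample-services.sh my.example.com` on the Identity Server host; the generated DN for that domain is uid=amadmin,ou=people,dc=my,dc=example,dc=com, matching the Note above.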
Registering the Identity Server Services
In this section, you use the Identity Server console to register Sample Mail Server Service and Sample Calendar Server Service with your Administration Server domain and LDAP organization.
To Register the Sample Services With Your Administration Server Domain
- In a web browser, open the following URL:
http://example.com:81/amconsole
The Login dialog opens.
Tip
Remember to substitute the host and domain that you are using. The URL uses plain HTTP on port 81, which is acceptable for this evaluation deployment, but the administrator password you type in the next step crosses the network in cleartext: do not reuse a production password here, and do not expose this port outside the evaluation network.
The URL includes the URI amconsole. You specified this URI on the installer’s Identity Server: Web Container for Running the Sun ONE Identity Services page. See To Supply Identity Server Information.
- In the login dialog, type the Administration User ID (the default value is amadmin) and password. Click OK.
The Identity Server administration console opens in the browser. Figure 4-1 shows the administration console displaying information about the example domain. The domain name is displayed and highlighted in the left panel, just below the word Search.
Note
You defined the Administration User ID and password on the installer’s Identity Server: Sun ONE Application Server page. See To Supply Identity Server Information.
Figure 4-1 Sun ONE Identity Server Console
- In the left pane, open the View drop-down menu and choose Services.
The window refreshes, and the left pane displays a list of services in the domain. Figure 4-2 shows the console window displaying a list of services. Notice that the View menu is displaying “Services.”
Figure 4-2 Displaying a List of Services
- In the left pane, click Register.
A list of services that can be registered is displayed in the right pane. Your display should resemble Figure 4-3.
Figure 4-3 Registering Services With a Domain
- Select and register the Sample Calendar Server Service and Sample Mail Server Service.
- Scroll to the bottom of the list.
- Select Sample Calendar Server Service and Sample Mail Server Service.
- Click the Register button that appears at the end of the list.
The display refreshes. In the left pane, the Sample Calendar Server Service and Sample Mail Server Service are added to the list of registered services.
To Register the Sample Services With Your Organization
- In the left pane, open the View menu and choose Organizations.
The window refreshes, and the left pane displays a list of organizations in the domain. Figure 4-4 shows the list of organizations in the example domain.
Figure 4-4 Listing Organizations in the Example Domain
- Click the name of your organization.
The window refreshes. The left pane’s title bar now shows your domain and your organization. Your display should be similar to Figure 4-5.
Figure 4-5 Selecting an Organization
- In the left pane, open the View drop-down menu and choose Services.
The window refreshes. Your display should be similar to Figure 4-6.
Figure 4-6 Viewing Services for the Example.Com Organization
- Click Register.
The window refreshes, and the right pane displays a list of services that can be registered.
- Select Sample Calendar Server Service, Sample Mail Server Service, Portal Desktop, and SSO Adapter. Click the Register button at the end of the list.
The window refreshes. In the left pane, the four services you selected are added to the list of registered services.
Provisioning a Sample End User

This section describes how to use Identity Server to provision an end user. You set up a user name and password, and you use Sample Mail Server Service and Sample Calendar Server Service to give the user access to the end-user services Mail Express and Calendar Express.
To Provision a Sample End User
- In the left pane, open the View drop-down menu and choose Users.
The window refreshes, and the left pane displays a list of users in your organization. Your display should resemble Figure 4-7, which shows the list of users in the example domain organization. In particular, the list of users should include admin, calmaster, and msg-admin-allinone.example.com.
Figure 4-7 Sun ONE Identity Server Console Window
- In the left pane, click New.
The window refreshes, and the right pane displays input fields.
Figure 4-8 New User Fields
- Define your Java Enterprise System user.
- Scroll the left pane all the way to the left, until the View menu is visible. Open the View menu and choose Users.
The window refreshes. The left pane displays a list of users for the organization, including the user that you just created.
- Scroll the left pane to the right and click the arrow symbol (>) that follows the new user’s Full Name.
In Figure 4-9, the left pane displays the new user’s Full Name (Scott McDuke) and the > symbol.
Figure 4-9 Sample Calendar Server Service Properties
- In the right pane, open the View menu and choose Sample Calendar Server Service. The window refreshes and displays the user’s Sample Calendar Service properties.
- Type the following values:
- In the right pane, open the View menu and choose Sample Mail Server Service.
The window refreshes and displays the user’s Sample Mail Server Service properties.
Figure 4-10 Sample Mail Server Service Properties
- In the Sample Mail Server Service property fields, type the following values:
- Click Logout (in the upper right corner of the page).