Sun Java System Access Manager 7.1 Administration Reference

Chapter 7 serverconfig.xml Reference

The file serverconfig.xml provides configuration information for Sun Java™ System Access Manager regarding the Directory Server that is used as its data store. This chapter explains the elements of the file and how to configure it for failover, how can you have multiple instances, how can you un-deploy the console and remove console files from a server. It contains the following sections:

Overview

serverconfig.xml is located in / AccessManager-base /SUNWam/config/ums. It contains the parameters used by the Identity SDK to establish the LDAP connection pool to Directory Server. No other function of the product uses this file. Two users are defined in this file: user1 is a Directory Server proxy user and user2 is the Directory Server administrator.

Proxy User

The Proxy User can take on any user’s privileges (for example, the organization administrator or an end user). The connection pool is created with connections bound to the proxy user. Access Manager creates a proxy user with the DN of cn=puser,ou=DSAME Users,dc=example,dc=com. This user is used for all queries made to Directory Server. It benefits from a proxy user ACI already configured in the Directory Server and, therefore, can perform actions on behalf of a user when necessary. It maintains an open connection through which all queries are passed (retrieval of service configurations, organization information, etc.). The proxy user password is always encrypted. Proxy User illustrates where the encrypted password is located in serverconfig.xml .


Example 7–1 Proxy User In serverconfig.xml


<User name="User1" type="proxy">
<DirDN>
cn=puser,ou=DSAME Users,dc=example,dc=com
</DirDN>
<DirPassword>
AQICkc3qIrCeZrpexyeoL4cdeXih4vv9aCZZ
</DirPassword>
</User>


            

Admin User

dsameuser is used for binding purposes when the Access Manager SDK performs operations on Directory Server that are not linked to a particular user (for example, retrieving service configuration information). Proxy User performs these operations on behalf of dsameuser, but a bind must first validate the dsameuser credentials. During installation, Access Manager creates cn=dsameuser,ou=DSAME Users,dc=example,dc=com . Proxy User illustrates where the encrypted dsameuser password is found in serverconfig.xml .


Example 7–2 Admin User In serverconfig.xml


 <User name="User2" type="admin">
 <DirDN>
 cn=dsameuser,ou=DSAME Users,dc=example,dc=com
 </DirDN>
 <DirPassword>
 AQICkc3qIrCeZrpexyeoL4cdeXih4vv9aCZZ
 </DirPassword>
 </User>


            

server-config Definition Type Document

server-config.dtd defines the structure for serverconfig.xml . It is located in AccessManager-base /SUNWam/dtd. This section defines the main elements of the DTD. MiscConfig Element is an example of the serverconfig.xml file.

iPlanetDataAccessLayer Element

iPlanetDataAccessLayer is the root element. It allows for the definition of multiple server groups per XML file. Its immediate sub-element is the ServerGroup Element. It contains no attributes.

ServerGroup Element

ServerGroup defines a pointer to one or more directory servers. They can be master servers or replica servers. The sub-elements that qualify the ServerGroup include Server Element, User Element, BaseDN Element and MiscConfig Element. The XML attributes of ServerGroup are the name of the server group, and minConnPool and maxConnPool which define the minimum (1) and maximum (10) connections that can be opened for the LDAP connection pool. More than one defined ServerGroup element is not supported.


Note –

Access Manager uses a connection pool to access Directory Server. All connections are opened when Access Manager starts and are not closed. They are reused.


Server Element

Server defines a specific Directory Server instance. It contains no sub-elements. The required XML attributes of Server are a user-friendly name for the server, the host name, the port number on which the Directory Server runs, and the type of LDAP connection that must be opened (either simple or SSL).


Note –

For an example of automatic failover using the Server element, see Failover Or Multimaster Configuration.


User Element

User contains sub-elements that define the user configured for the Directory Server instance. The sub-elements that qualify User include DirDN and DirPassword. It’s required XML attributes are the name of the user, and the type of user. The values for type identify the user’s privileges and the type of connection that will be opened to the Directory Serverinstance. Options include:

DirDN Element

DirDN contains the LDAP Distinguished Name of the defined user.

DirPassword Element

DirPassword contains the defined user’s encrypted password.


Caution – Caution –

It is important that passwords and encryption keys are kept consistent throughout the deployment. For example, the passwords defined in this element are also stored in Directory Server. If the password is to be changed in one place, it must be updated in both places. Additionally, this password is encrypted. If the encryption key defined in the am.encryption.pwd property is changed, all passwords in serverconfig.xml must be re-encrypted using ampassword --encrypt password. .


BaseDN Element

BaseDN defines the base Distinguished Name for the server group. It contains no sub-elements and no XML attributes.

MiscConfig Element

MiscConfig is a placeholder for defining any LDAP JDK features like cache size. It contains no sub-elements. It’s required XML attributes are the name of the feature and its defined value.


Example 7–3 serverconfig.xml


<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!--
 Copyright (c) 2002 Sun Microsystems, Inc. All rights reserved.

 Use is subject to license terms.

-->
<iPlanetDataAccessLayer>
        <ServerGroup name="default" minConnPool="1" maxConnPool="10">
                <Server name="Server1" host="
               ishost.domain_name" port="389"
type="SIMPLE" />
                <User name="User1" type="proxy">
                        <DirDN>
                                cn=puser,ou=DSAME Users,dc=example,dc=com
                        </DirDN>
                        <DirPassword>
                                AQICkc3qIrCeZrpexyeoL4cdeXih4vv9aCZZ
                        </DirPassword>
                </User>
                <User name="User2" type="admin">
                        <DirDN>
                                cn=dsameuser,ou=DSAME Users,dc=example,dc=com
                        </DirDN>
                        <DirPassword>
                                AQICkc3qIrCeZrpexyeoL4cdeXih4vv9aCZZ
                        </DirPassword>
                </User>
                <BaseDN>
                        dc=example,dc=com
                </BaseDN>
        </ServerGroup>
</iPlanetDataAccessLayer>


            

Failover Or Multimaster Configuration

Access Manager allows automatic failover to any Directory Server defined as a ServerGroup ElementServer Element in serverconfig.xml. More than one server can be configured for failover purposes or multimasters. If the first configured server goes down, the second configured server will takeover. Failover Or Multimaster Configuration illustrates serverconfig.xml with automatic failover configuration.


Example 7–4 Configured Failover in serverconfig.xml


<?xml version="1.0" encoding="ISO-8859-1" standalone="yes"?>
<!--
PROPRIETARY/CONFIDENTIAL. Use of this product is subject to license terms.
Copyright 2002 Sun Microsystems, Inc. All rights reserved.
-->
<iPlanetDataAccessLayer>
     <ServerGroup name="default" minConnPool="1" maxConnPool="10">
          <Server name="Server1" host="
            amhost1.domain_name" port="389" type="SIMPLE" />
          <Server name="Server2" host="
            amhost2.domain_name" port="389" type="SIMPLE" />
          <Server name="Server3" host="
            amhost3.domain_name" port="390" type="SIMPLE" />
          <User name="User1" type="proxy">
               <DirDN>
                    cn=puser,ou=DSAME Users,dc=example,dc=com
               </DirDN>
               <DirPassword>
                    AQIC5wM2LY4Sfcy+AQBQxghVwhBE92i78cqf
               </DirPassword>
          </User>
          <User name="User2" type="admin">
               <DirDN>
                    cn=dsameuser,ou=DSAME Users,dc=example,dc=com
               </DirDN>
               <DirPassword>
                    AQIC5wM2LY4Sfcy+AQBQxghVwhBE92i78cqf
               </DirPassword>
          </User>
          <BaseDN>
               o=isp
          </BaseDN>
     </ServerGroup>
</iPlanetDataAccessLayer>