Use the following as your checklist for migrating Federation Manager 1 configuration from flat files to the Directory Servers:
The Federation Manager LDIF files are located in the following directory:
/opt/SUNWam/fm/ldif
The file fm_sm_sds_schema.ldif is for use with Sun Directory Server. The file fm_sm_ad_schema.ldif is for use with Microsoft Active Directory.
As a root user, log in to the Federation Manager 1 host.
Load the Federation Manager schema into the Directory Server configuration instance.
# cd /opt/SUNWam/fm/ldif
# ldapmodify -D "cn=Directory Manager" -w 11111111 -h LoadBalancer-7.siroe.com -p 389 -f ./fm_sm_sds_schema.ldif
The ldapmodify utility loads the object classes and service attributes required for Federation Manager services into the Directory Server schema.
On each of the Directory Server hosts, you can watch the error logs for LDIF errors.
# cd /var/opt/mps/serverroot/slapd-fm-config/logs
# tail -f errors
Migrate the Federation Manager services schema from flat files to the Directory Server.
# cd /opt/SUNWam/fm/bin
# ./fmff2ds -h LoadBalancer-7.siroe.com -p 389 -r "o=siroe.com" -f /var/opt/SUNWam/fm/federation -u "cn=Directory Manager" -w 11111111 -j /usr/jdk/instances/jdk.5.0
Verify that Federation Manager schema was successfully moved to the Directory Server.
Start the Directory Server 3SP console.
# cd /var/opt/mps/serverroot/
# ./startconsole &
Log in to the Directory Server console.
User ID: cn=Directory Manager
Password: 11111111
Administration URL: http://DirectoryServer-3SP.siroe.com:1391
In the navigation pane, expand the DirectoryServer-3SP.siroe.com suffix, and expand the Server Group.
Double-click the Directory Server (fm-config) instance, and open its console.
Click the Directory tab.
Under the o=siroe.com suffix, expand the Services object.
All of the Federation Manager services are displayed.
Go the following directory that contains the serverconfig.xml file:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config/
Make a backup of the file serverconfig.xml, and then make the following changes in serverconfig.xml:
In the following entry, change the host name and port number attribute values so that they point at the Directory Server load balancer:
<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="LoadBalancer-7.siroe.com" port="389" type="SIMPLE" />
    <User name="User1" type="proxy">
      <DirDN> uid=amadmin,ou=people,o=siroe.com
Verify that the following user entries exist in the file:
<User name="User1" type="proxy">
  <DirDN> uid=amadmin,ou=people,o=siroe.com </DirDN>
  <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword>
</User>
<User name="User2" type="admin">
  <DirDN> uid=amadmin,ou=people,o=siroe.com </DirDN>
  <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword>
</User>
In this deployment example, the proxy user and administrative user have the same DN. In effect, these are the same user. They are both superusers contained in the ou=service branch of the Directory Server. These users have privileges to read, write, and search the Federation Manager configuration. The user amadmin does not exist in the Directory Server at this point.
Add the user amadmin to the Directory Server.
On the Federation Manager 1 host, go to the following directory:
/opt/SUNWam/fm/bin
Create a file named amadminconfig.ldif with the following entries:
# Add the Top-level Admin Role ACI to the suffix; the ACI must be set on
# an entry above ou=services so that its target lies within the subtree.
dn: o=siroe.com
changetype: modify
add: aci
aci: (target="ldap:///ou=services,*o=siroe.com") (targetattr = "*") (version 3.0; acl "S1IS Top-level Admin Role access allow"; allow (all) userdn = "ldap:///uid=amAdmin,ou=People,o=siroe.com";)

# Create the People container.
dn: ou=People,o=siroe.com
changetype: add
objectClass: top
objectClass: organizationalunit

# Create the amAdmin user.
dn: uid=amAdmin,ou=People,o=siroe.com
changetype: add
objectclass: inetuser
objectclass: inetorgperson
objectclass: organizationalperson
objectclass: person
objectclass: top
objectClass: iPlanetPreferences
objectclass: inetAdmin
inetuserstatus: Active
cn: amAdmin
sn: amAdmin
userPassword: 11111111
This LDIF creates a People container and the user amAdmin with the Top-level Admin Role. The user is assigned read, write, and search privileges.
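An LDIF mistake in this file fails only once ldapmodify is run against the configuration instance, and a half-applied change set leaves the directory in an inconsistent state. The following script is an added example, not part of Federation Manager: it parses LDIF change records, requires every record to start with a dn and carry exactly one changetype, requires every "add: attribute" modification to be followed by at least one value for that attribute, and checks that the target of an aci lies within the subtree of the entry the aci is set on (an aci whose target is outside its own entry's subtree never grants anything). The embedded LDIF samples are constructed from the entries above, with a placeholder password; the names parse_ldif and check_ldif are this example's own.

```python
"""Sanity check for an LDIF change file before loading it with ldapmodify (added example)."""
import re

# Constructed sample of a correct change file: ACI on the suffix, then the
# People container, then the admin user (password is a placeholder).
SAMPLE_LDIF = """dn: o=siroe.com
changetype: modify
add: aci
aci: (target="ldap:///ou=services,*o=siroe.com") (targetattr = "*") (version 3.0; acl "S1IS Top-level Admin Role access allow"; allow (all) userdn = "ldap:///uid=amAdmin,ou=People,o=siroe.com";)

dn: ou=People,o=siroe.com
changetype: add
objectClass: top
objectClass: organizationalunit

dn: uid=amAdmin,ou=People,o=siroe.com
changetype: add
objectclass: inetorgperson
objectclass: inetAdmin
cn: amAdmin
sn: amAdmin
userPassword: PASSWORD-PLACEHOLDER
"""

# Constructed sample of a broken file: the modify record has 'add: aci' with no
# value, and the aci ended up on the user entry, whose subtree does not contain
# ou=services.
BAD_LDIF = """dn: o=siroe.com
changetype: modify
add: aci

dn: uid=amAdmin,ou=People,o=siroe.com
changetype: add
objectclass: inetorgperson
cn: amAdmin
sn: amAdmin
aci: (target="ldap:///ou=services,*o=siroe.com") (targetattr = "*") (version 3.0; acl "x"; allow (all) userdn = "ldap:///uid=amAdmin,ou=People,o=siroe.com";)
"""


def parse_ldif(text):
    """Split LDIF text into records, each a list of (attribute, value) pairs."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith(" ") and current:  # LDIF continuation line
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
            continue
        if ":" not in raw:
            raise ValueError(f"line without attribute separator: {raw!r}")
        attr, val = raw.split(":", 1)
        current.append((attr.strip().lower(), val.strip()))
    if current:
        records.append(current)
    return records


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around its components."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_ldif(text):
    """Return a list of problems; an empty list means the file passed every check."""
    problems = []
    for idx, rec in enumerate(parse_ldif(text), 1):
        if rec[0][0] != "dn":
            problems.append(f"record {idx}: does not start with dn")
            continue
        dn = rec[0][1]
        kinds = [v for a, v in rec if a == "changetype"]
        if len(kinds) != 1:
            problems.append(f"{dn}: expected exactly one changetype, found {len(kinds)}")
            continue
        if kinds[0].lower() == "modify":
            # Each 'add: X' must be followed by at least one 'X: value' line.
            for i, (a, v) in enumerate(rec):
                if a == "add" and v.lower() not in [x for x, _ in rec[i + 1:]]:
                    problems.append(f"{dn}: 'add: {v}' is not followed by any {v} value")
        for a, v in rec:
            if a == "aci":
                m = re.search(r'target="ldap:///([^"]*)"', v)
                if m:
                    # Drop the wildcard before comparing the target with this entry's DN.
                    target = normalize_dn(m.group(1).replace("*", ""))
                    if not target.endswith(normalize_dn(dn)):
                        problems.append(f"{dn}: aci target {m.group(1)!r} is outside this entry's subtree")
    return problems


if __name__ == "__main__":
    # Replace SAMPLE_LDIF with open("amadminconfig.ldif").read() on the host.
    print(check_ldif(SAMPLE_LDIF) or ["amadminconfig.ldif looks consistent"])
    print(check_ldif(BAD_LDIF))
```

The second sample reproduces the kind of error that a flattened or mis-copied LDIF produces: the check reports the valueless "add: aci" on o=siroe.com and the misplaced aci on the user entry, both before anything touches the Directory Server.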
Use the ldapmodify utility to load ./amadminconfig.ldif into the Directory Server 3SP.
# ldapmodify -D "cn=Directory Manager" -w 11111111 -h LoadBalancer-7.siroe.com -f amadminconfig.ldif
Go to the directory that contains the AMConfig.properties file:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes
In AMConfig.properties, set the implementation class for the SM data store.
Make a backup of the AMConfig.properties file, and then set the following property:
com.sun.identity.sm.sms_object_class_name=com.sun.identity.sm.ldap.SMSLdapObject
On the Federation Manager 1 host, run the fmwar command.
# cd /opt/SUNWam/fm/bin
# ./fmwar -n federation -d /var/opt/SUNWam/fm/war_staging -s /export/fmsilent
Undeploy the existing Federation Manager WAR 1 file.
# cd /opt/SUNWwbsvr/bin/https/bin
# ./wdeploy delete -u /federation -i FederationManager-1.siroe.com -v https-FederationManager-1.siroe.com -n hard
The -n hard option deletes the directory where Federation Manager is exported as well as the URI. If you use the -n soft option, only the URI is deleted.
Deploy the customized Federation Manager 1 WAR file.
# ./wdeploy deploy -u /federation -i FederationManager-1.siroe.com -v https-FederationManager-1.siroe.com /var/opt/SUNWam/fm/war_staging/federation.war
This WAR file contains all the SAMLv2 configuration and Directory Server configuration you completed in the previous tasks.
Restart the Federation Manager web container.
# cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com
# ./stop
# ./start
Verify that you can access the Federation Manager 1 server.
In a browser, go to the Federation Manager URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login
Log in to the Federation Manager console:
User ID: amadmin
Password: 11111111
If you can log in successfully, the WAR file was deployed successfully.
In a browser, go to the Federation Manager URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login
Log in to the Federation Manager console:
User ID: amadmin
Password: 11111111
Click the Configuration tab, and then go to the “System properties | Platform” section of the page.
Add a new entry to the Server List.
In the Server List field, enter the following:
http://FederationManager-2.siroe.com:8080|02
Click Add.
Click Save, and then log out of the Federation Manager console.