This is the Command Line Reference, part four of the Sun Java System Access Manager 7 2005Q4 Administration Guide.
All of the command line tools described in this section can be found in the following default locations:
AccessManager-base/SUNWam/bin (Solaris)
AccessManager-base/identity/bin (Linux)
This chapter provides information on the amadmin command line tool.
The primary purposes of the amadmin command line executable are to load XML service files into the data store and to perform batch administrative tasks on the DIT. amadmin can be found in AccessManager-base/SUNWam/bin and is used to:
Load XML service files - Administrators load services into Access Manager that use the XML service file format defined in the sms.dtd. All services must be loaded using amadmin; they cannot be imported through the Access Manager console.
XML service files are stored in the data store as static blobs of XML data that is referenced by Access Manager. This information is not used by Directory Server, which only understands LDAP.
Perform batch updates of identity objects to the DIT - Administrators can perform batch updates to the Directory Server DIT using the batch processing XML file format defined in the amadmin.dtd. For example, if an administrator wants to create 10 organizations, 1000 users, and 100 groups, it can be done in one attempt by putting the requests in one or more batch processing XML files and loading them using amadmin.
amadmin only supports a subset of features that the Access Manager console supports and is not intended as a replacement. It is recommended that the console be used for small administrative tasks while amadmin is used for larger administrative tasks.
There are a number of structural rules that must be followed in order to use amadmin. The generic syntaxes for using the tool are:
amadmin -u | --runasdn dnname -w | --password password [-l | --locale localename] [[-v | --verbose] | [-d |--debug]] -t | --data xmlfile1 [ xmlfile2 ...]
amadmin -u | --runasdn dnname -w | --password password [-l | --locale localename] [[-v | --verbose] | [-d | --debug]] -s | --schema xmlfile1 [xmlfile2 ...]
amadmin -u | --runasdn dnname -w | --password password [-l | --locale localename] [[-v | --verbose] | [-d | --debug]] -r | --deleteService serviceName1 [serviceName2 ...]
amadmin -u | --runasdn dnname -w | --password password or -f | --passwordfile passwordfile [-c | --continue] [-l | --locale localename] [[-v | --verbose] | [-d | --debug]] -m | --session servername pattern
amadmin -h | --help
amadmin -n | --version
amadmin -u | --runasdn dnname -w | --password password or -f | --passwordfile passwordfile [-l | --locale localename] [[-v | --verbose] | [-d | --debug]] -a | --addAttributes serviceName schemaType xmlfile1 [xmlfile2 ...]
Two hyphens must be entered exactly as shown in the syntax.
Following are definitions of the amadmin command line parameter options:
--runasdn is used to authenticate the user to the LDAP server. The argument is the Distinguished Name (DN) of the user authorized to run amadmin; for example:
--runasdn uid=amAdmin,ou=People,o=iplanet.com,o=isp
The DN can also be formatted by inserting spaces between the domain components and double quoting the entire DN such as: --runasdn "uid=amAdmin, ou=People, o=iplanet.com, o=isp".
--password is a mandatory option and takes a value equal to that of the password of the DN specified with the --runasdn option.
--locale is an option that takes a value equal to that of the name of the locale. This option can be used for the customization of the message language. If not provided, the default locale, en_US, is used.
--continue is an option that will continue to process the XML files even if there are errors. For example, if there are three XML files to be loaded at the same time, and the first XML file fails, amadmin will continue to load the remaining files. The continue option only applies to separate requests.
--session (-m) is an option to manage the sessions, or to display the current sessions. When specifying --runasdn, it must be the same as the DN for the super user in AMConfig.properties, or just the ID for the top-level admin user.
The following example will display all sessions for a particular service host name:
amadmin -u uid=amadmin,ou=people,dc=iplanet,dc=com -v -w 12345678 -m http://sun.com:58080
The following example will display a particular user’s session:
amadmin -u uid=amadmin,ou=people,dc=iplanet,dc=com -v -w 12345678 -m http://sun.com:58080 username
You can terminate a session by entering the corresponding index number, or enter multiple index numbers (with spaces) to terminate multiple sessions.
While using the following option:
amadmin -m | --session servername pattern
The pattern may be a wildcard (*). If the pattern uses a wildcard (*), the wildcard must be escaped from the shell with a backslash (\*) so that the shell does not expand it before amadmin sees it.
--debug is an option that will write messages to the amAdmin file created under the /var/opt/SUNWam/debug directory. These messages are technically detailed but not i18n-compliant. To generate amadmin operation logs when logging to a database, the classpath for the database driver needs to be added manually. For example, add the following lines when logging to MySQL in amadmin:
CLASSPATH=$CLASSPATH:/opt/IS61/SUNWam/lib/mysql-connector-java-3.0.6-stable-bin.jar
export CLASSPATH
--verbose is an option that prints the overall progress of the amadmin command to the screen. It does not print the detailed information to a file. Messages output to the command line are i18n-compliant.
--data is an option that takes as its value the name of the batch processing XML file being imported. One or more XML files can be specified. This XML file can create, delete and read various directory objects as well as register and unregister services.
--schema is an option that loads the attributes of an Access Manager service into the Directory Server. It takes as an argument an XML service file in which the service attributes are defined. This XML service file is based on the sms.dtd. One or more XML files can be specified.
Either the --data or --schema option must be specified, depending on whether configuring batch updates to the DIT, or loading service schema and configuration data.
--deleteService is an option for deleting a service and its schema only.
--serviceName is an option that takes a value equal to the service name, which is defined in the Service name=... tag of an XML service file. The following fragment of an XML service file shows where the name is defined:
...
<ServicesConfiguration>
    <Service name="sampleMailService" version="1.0">
        <Schema serviceHierarchy="/other.configuration/sampleMailService"
                i18nFileName="sampleMailService"
                i18nKey="iplanet-am-sample-mail-service-description">
...
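The service name that --deleteService and --addAttributes expect is exactly the value of this name attribute, and a --schema load of two files that define the same service would collide. The following Python script is an added example, not code from the product or from this guide: it lists the Service name and version attributes of each XML service file and reports any service name defined in more than one file, so that a batch of files can be checked before amadmin touches the data store. The sample document is constructed from the fragment above; the DOCTYPE line of a real service file is omitted.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the fragment shown above (not a real service file).
SAMPLE_SERVICE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<ServicesConfiguration>
  <Service name="sampleMailService" version="1.0">
    <Schema serviceHierarchy="/other.configuration/sampleMailService"
            i18nFileName="sampleMailService"
            i18nKey="iplanet-am-sample-mail-service-description">
    </Schema>
  </Service>
</ServicesConfiguration>
"""


def list_services(xml_text):
    """Return [(name, version), ...] for every Service element in an XML service file.

    Raises ValueError when the root is not ServicesConfiguration or a Service has
    no name attribute, because such a file cannot name a service for amadmin.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "ServicesConfiguration":
        raise ValueError(f"root element is {root.tag!r}, expected ServicesConfiguration")
    services = []
    for service in root.findall("Service"):
        name = service.get("name")
        if not name:
            raise ValueError("Service element without a name attribute")
        services.append((name, service.get("version", "")))
    return services


def duplicate_service_names(files):
    """Given {filename: xml_text}, return {service_name: [filenames]} for every
    service name that appears in more than one file (loading both would collide)."""
    seen = {}
    for filename, xml_text in files.items():
        for name, _version in list_services(xml_text):
            seen.setdefault(name, []).append(filename)
    return {name: where for name, where in seen.items() if len(where) > 1}


if __name__ == "__main__":
    for name, version in list_services(SAMPLE_SERVICE_XML):
        print(f"service {name} version {version}")
```

Run it over the real files you intend to pass to --schema; an empty result from duplicate_service_names means every service name in the batch is unique.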
--help is an argument that displays the syntax for the amadmin command.
--version is an argument that displays the utility name, product name, product version and legal notice.
This section lists the parameters of amadmin for use with Federation Management. For more information on Federation Management, see the Access Manager Federation Management Guide.
amadmin -u|--runasdn <user's DN> -w|--password <password> or -f|--passwordfile <passwordfile> -e|--entityname <entity name> -g|--import <xmlfile>
--runasdn: the user's DN.
--password: the user's password.
--passwordfile: the name of the file that contains the user's password.
--entityname: the entity name, for example http://www.example.com. An entity should belong to only one organization.
--import: the name of an XML file that contains the meta information. This file should adhere to the Liberty meta specification and XSD.
amadmin -u|--runasdn <user's DN> -w|--password <password> or -f|--passwordfile <passwordfile> -e|--entityname <entity name> -o|--export <filename>
--runasdn: the user's DN.
--password: the user's password.
--passwordfile: the name of the file that contains the user's password.
--entityname: the name of the entity that resides in the Directory Server.
--export: the name of the file that will contain the XML of the entity. The XML must be Liberty meta XSD compliant.
amadmin -u|--runasdn <user's DN> -w|--password <password> or -f|--passwordfile <passwordfile> -e|--entityname <entity name> -q|--exportwithsig <filename>
--runasdn: the user's DN.
--password: the user's password.
--passwordfile: the name of the file that contains the user's password.
--entityname: the name of the entity that resides in the Directory Server.
--exportwithsig: the name of the file that will contain the XML of the entity. This file is digitally signed. The XML must be Liberty meta XSD compliant.
The following section shows the amadmin syntax for adding, locating and removing resource bundles.
amadmin -u|--runasdn <user-dn> -w|--password <user-password> -b|--addresourcebundle <name-of-resource-bundle> -i|--resourcebundlefilename <resource-bundle-file-name> [-R|--resourcelocale <locale>]
amadmin -u|--runasdn <user-dn> -w|--password <user-password> -z|--getresourcestrings <name-of-resource-bundle> [-R|--resourcelocale <locale>]
amadmin -u|--runasdn <user-dn> -w|--password <user-password> -j|--deleteresourcebundle <name-of-resource-bundle> [-R|--resourcelocale <locale>]
This chapter provides information on the ampassword command line tool.
Access Manager contains an ampassword utility under /opt/SUNWam/bin on SPARC systems and /opt/sun/Identity/bin on Linux systems. This utility allows you to change the Directory Server password for the administrator or a user.
Modify the serverconfig.xml file, located in the following directory:
AccessManager-base/SUNWam/config/
Change the port attribute of the Server element to the SSL port on which Access Manager is running.
Change the type attribute to SSL.
For example:
<iPlanetDataAccessLayer>
    <ServerGroup name="default" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="sun.com" port="636" type="SSL" />
        <User name="User1" type="proxy">
            <DirDN>
                cn=puser,ou=DSAME Users,dc=iplanet,dc=com
            </DirDN>
            <DirPassword>
                AQIC5wM2LY4Sfcy+AQBQxghVwhBE92i78cqf
            </DirPassword>
        </User>
...
ampassword only changes the password in Directory Server. You will have to manually change the passwords in the serverconfig.xml file and in all authentication templates for Access Manager.
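Editing the two attributes by hand is easy to get wrong (a typo in the port, or one Server element in the group left on the plain-text port). The following Python script is an added example, not part of the product or of this guide: it rewrites every Server element of the named ServerGroup to the given SSL port and type="SSL", refuses an out-of-range port or an unknown group, and provides a check that reports whether every Server is on SSL. The sample serverconfig.xml is constructed from the fragment above; the non-SSL type value "SIMPLE" in the starting state and the placeholder encoded password are assumptions for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the serverconfig.xml fragment above. The non-SSL
# type value "SIMPLE" and the encoded password are assumptions for this example.
SAMPLE_SERVERCONFIG = """<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="sun.com" port="389" type="SIMPLE" />
    <User name="User1" type="proxy">
      <DirDN>cn=puser,ou=DSAME Users,dc=iplanet,dc=com</DirDN>
      <DirPassword>EXAMPLE-ENCODED-PASSWORD</DirPassword>
    </User>
  </ServerGroup>
</iPlanetDataAccessLayer>
"""


def server_settings(xml_text):
    """Return [(server name, host, port, type), ...] for every Server element."""
    root = ET.fromstring(xml_text)
    return [
        (s.get("name"), s.get("host"), s.get("port"), s.get("type"))
        for s in root.iter("Server")
    ]


def enable_ssl(xml_text, ssl_port, group_name="default"):
    """Return a copy of serverconfig.xml in which every Server of the named
    ServerGroup uses port=ssl_port and type="SSL".

    Raises ValueError for a port outside 1..65535 or a missing group, so that a
    bad edit is never written back over the real file.
    """
    if not 1 <= ssl_port <= 65535:
        raise ValueError(f"invalid TCP port {ssl_port}")
    root = ET.fromstring(xml_text)
    group = root.find(f"ServerGroup[@name='{group_name}']")
    if group is None:
        raise ValueError(f"no ServerGroup named {group_name!r}")
    for server in group.findall("Server"):
        server.set("port", str(ssl_port))
        server.set("type", "SSL")
    return ET.tostring(root, encoding="unicode")


def all_ssl(xml_text):
    """True when every Server element in the file is configured with type="SSL"."""
    settings = server_settings(xml_text)
    return bool(settings) and all(t == "SSL" for _, _, _, t in settings)


if __name__ == "__main__":
    updated = enable_ssl(SAMPLE_SERVERCONFIG, 636)
    print(updated)
    print("all servers on SSL:", all_ssl(updated))
```

Write the returned text back to AccessManager-base/SUNWam/config/serverconfig.xml only after all_ssl reports True for it; the DirDN and DirPassword elements pass through unchanged, which is consistent with the note above that ampassword itself does not update this file.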
This chapter provides information on the bak2am command line tool.
Access Manager contains a bak2am utility under AccessManager-base/SUNWam/bin. This utility restores the Access Manager components that were backed up by the am2bak utility.
The generic syntax for using the bak2am tool for the Solaris operating system is:
./bak2am [ -v | --verbose ] -z | --gzip tar.gz-file
./bak2am [ -v | --verbose ] -t | --tar tar-file
./bak2am -h | --help
./bak2am -n | --version
The generic syntax for using the bak2am tool for the Windows 2000 operating system is:
bak2am [ -v | --verbose ] -d | --directory directory-name
bak2am -h | --help
bak2am -n | --version
Two hyphens must be entered exactly as shown in the syntax.
--gzip specifies the full path and filename of the backup file in tar.gz format. By default, the path is AccessManager-base/backup . This option is for Solaris only.
--tar specifies the full path and filename of the backup file in tar format. By default, the path is AccessManager-base/backup . This option is for Solaris only.
--verbose is used to run the utility in verbose mode.
--directory specifies the backup directory. By default, the path is AccessManager-base/backup. This option is for Windows 2000 only.
--help is an argument that displays the syntax for the bak2am command.
--version is an argument that displays the utility name, product name, product version and legal notice.
This chapter provides information on the am2bak command line tool.
Access Manager contains an am2bak utility under AccessManager-base/SUNWam/bin. This utility performs a backup of either all or optional components of Access Manager. Directory Server must be running while taking the log backup.
The generic syntax for using the am2bak tool for the Solaris operating system is:
./am2bak [ -v | --verbose ] [ -k | --backup backup-name ] [ -l | --location location ] [[-c | --config] | [-b | --debug] | [-g | --log] | [-t | --cert] | [-d | --ds] | [-a | --all]]*
./am2bak -h | --help
./am2bak -n | --version
The generic syntax for using the am2bak tool for the Windows 2000 operating system is:
am2bak [ -v | --verbose ] [ -k | --backup backup-name ] [ -l | --location location ] [[-c | --config] | [-b | --debug] | [-g | --log] | [-t | --cert] | [-d | --ds] | [-a | --all]]*
am2bak -h | --help
am2bak -n | --version
Two hyphens must be entered exactly as shown in the syntax.
--verbose is used to run the backup utility in verbose mode.
--backup backup-name defines the name of the backup file. The default is ambak.
--location specifies the directory location of the backup. The default location is AccessManager-base/backup.
--config specifies backup only for configuration files.
--debug specifies backup only for debug files.
--log specifies backup only for log files.
--cert specifies backup only for certificate database files.
--ds specifies backup only for the Directory Server.
--all specifies a complete backup of the entire Access Manager.
--help is an argument that displays the syntax for the am2bak command.
--version is an argument that displays the utility name, product name, product version and legal notice.
Log in as root.
The user running this script must have root access.
Run the script ensuring that the correct path is used, if necessary.
The script will backup the following Solaris™ Operating Environment files:
Configuration and Customization Files:
AccessManager-base/SUNWam/config/
AccessManager-base/SUNWam/locale/
AccessManager-base/SUNWam/servers/httpacl
AccessManager-base/SUNWam/lib/*.properties (Java property files)
AccessManager-base/SUNWam/bin/amserver.instance-name
AccessManager-base/SUNWam/servers/https-all_instances
AccessManager-base/SUNWam/servers/web-apps-all_instances
AccessManager-base/SUNWam/web-apps/services/WEB-INF/config
AccessManager-base/SUNWam/web-apps/services/config
AccessManager-base/SUNWam/web-apps/applications/WEB-INF/classes
AccessManager-base/SUNWam/web-apps/applications/console
/etc/rc3.d/K55amserver.all_instances
/etc/rc3.d/S55amserver.all_instances
DirectoryServer-base/slapd-host/config/schema/
DirectoryServer-base/slapd-host/config/slapd-collations.conf
DirectoryServer-base/slapd-host/config/dse.ldif
Log And Debug Files:
/var/opt/SUNWam/logs (Access Manager log files)
/var/opt/SUNWam/install (Access Manager installation log files)
/var/opt/SUNWam/debug (Access Manager debug files)
Certificates:
AccessManager-base/SUNWam/servers/alias
AccessManager-base/alias
The script will also backup the following Microsoft® Windows 2000 operating system files:
Configuration and Customization Files:
AccessManager-base/web-apps/services/WEB-INF/config/*
AccessManager-base/locale/*
AccessManager-base/web-apps/applications/WEB-INF/classes/*.properties (java property files)
AccessManager-base/servers/https-host/config/jvm12.conf
AccessManager-base/servers/https-host/config/magnus.conf
AccessManager-base/servers/https-host/config/obj.conf
DirectoryServer-base/slapd-host/config/schema/*.ldif
DirectoryServer-base/slapd-host/config/slapd-collations.conf
DirectoryServer-base/slapd-host/config/dse.ldif
Log And Debug Files:
var/opt/logs (Access Manager log files)
var/opt/debug (Access Manager debug files)
Certificates:
AccessManager-base/servers/alias
AccessManager-base/alias
This chapter provides information on the amserver command line tool.
The amserver command line executable starts and stops the amunixd and amsecuridd helpers, associated with the Unix and SecurID authentication modules, respectively.
The generic syntax for the tool is:
./amserver { start | stop }
start is a command that starts the helper.
stop is a command that stops the helper.
This chapter provides information on the VerifyArchive command line tool.
The purpose of VerifyArchive is to verify the log archives. A log archive is a set of timestamped logs and their corresponding key stores (keystores contain the keys used to generate the MACs and the Digital Signatures which are used to detect tampering of the log files). Verification of an archive detects possible tampering and/or deletion of any file in the archive.
VerifyArchive extracts all of the archive sets, and all files belonging to each archive set, for a given logName. When executed, VerifyArchive examines each log record for tampering. If tampering is detected, it prints a message specifying which file and the number of the record that has been tampered with.
VerifyArchive also checks for any files that have been deleted from the archive set. If a deleted file is detected, it prints a message explaining that verification has failed. If no tampering or deleted files are detected, it returns a message explaining that the archive verification has been successfully completed.
An error may occur if you run amverifyarchive as a user without administrator privileges.
All of the parameter options are required. The syntax is as follows:
amverifyarchive -l logName -p path -u uname -w password
logName refers to the name of the log which is to be verified (such as amConsole, amAuthentication and so forth). VerifyArchive verifies both the access and error logs for the given logName. For example, if amConsole is specified, the verifier verifies the amConsole.access and amConsole.error files. Alternatively, the logName can be specified as amConsole.access or amConsole.error to restrict verification to that log only.
path is the full directory path where the log files are stored.
uname is the user id of the Access Manager administrator.
password is the password of the Access Manager administrator.
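The two failure classes VerifyArchive reports, a tampered record and a deleted file, follow from how MACs are chained over the archive. The product's actual record layout and keystore handling are not documented on this page, so the following Python script is an added illustration of the mechanism rather than Access Manager's own format or code: each record's HMAC covers the previous record's MAC, its own sequence number and its text, and a trailer MAC covers the record count, so the verifier can tell a modified record, a deleted record and a truncated archive apart and names the first record at fault. The key stands in for the keystore and is a constructed value, and the sample log lines are constructed.

```python
import hashlib
import hmac

# Constructed demonstration key; in the product the keys live in the archive's keystore.
DEMO_KEY = b"constructed-demo-archive-key"

# Constructed sample records (this is not the Access Manager log record format).
SAMPLE_RECORDS = [
    "2005-10-01T10:00:00Z amAuthentication LOGIN user=alice result=success",
    "2005-10-01T10:00:05Z amAuthentication LOGIN user=bob result=failure",
    "2005-10-01T10:01:00Z amAuthentication LOGOUT user=alice",
]


def _record_mac(key, prev_mac, seq, payload):
    """MAC over the previous MAC, the sequence number and the record text, so each
    record is bound to its position and to every record before it."""
    message = prev_mac.encode() + b"\x00" + str(seq).encode() + b"\x00" + payload.encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def _trailer_mac(key, count, last_mac):
    """MAC over the record count and the final record MAC; detects loss of trailing records."""
    return hmac.new(key, f"END|{count}|{last_mac}".encode(), hashlib.sha256).hexdigest()


def write_archive(key, payloads):
    """Return archive lines 'seq|text|mac' followed by a trailer 'END|count|mac'."""
    lines, prev_mac = [], ""
    for seq, payload in enumerate(payloads, start=1):
        mac = _record_mac(key, prev_mac, seq, payload)
        lines.append(f"{seq}|{payload}|{mac}")
        prev_mac = mac
    lines.append(f"END|{len(payloads)}|{_trailer_mac(key, len(payloads), prev_mac)}")
    return lines


def verify_archive(key, lines):
    """Return (True, summary) if the archive is intact, otherwise (False, reason)
    naming the first record found modified or deleted."""
    if not lines or not lines[-1].startswith("END|"):
        return False, "trailer missing: archive truncated or trailer deleted"
    *records, trailer = lines
    prev_mac = ""
    for position, line in enumerate(records, start=1):
        try:
            seq_text, rest = line.split("|", 1)
            payload, mac = rest.rsplit("|", 1)
            seq = int(seq_text)
        except ValueError:
            return False, f"record {position}: malformed line"
        if seq != position:
            return False, f"record {position}: expected sequence {position}, found {seq}; a record was deleted"
        if not hmac.compare_digest(mac, _record_mac(key, prev_mac, seq, payload)):
            return False, f"record {seq}: MAC mismatch; record was modified"
        prev_mac = mac
    try:
        _, count_text, trailer_mac = trailer.split("|")
        count = int(count_text)
    except ValueError:
        return False, "trailer: malformed line"
    if count != len(records) or not hmac.compare_digest(trailer_mac, _trailer_mac(key, count, prev_mac)):
        return False, "trailer MAC mismatch; records were deleted from the end or the trailer was forged"
    return True, f"archive verification successfully completed: {count} records intact"


if __name__ == "__main__":
    archive = write_archive(DEMO_KEY, SAMPLE_RECORDS)
    print(verify_archive(DEMO_KEY, archive))
    damaged = archive[:1] + archive[2:]  # drop the second record
    print(verify_archive(DEMO_KEY, damaged))
```

Because a record's MAC includes its sequence number and the previous MAC, deleting a record and renumbering the rest is still caught (the renumbered record fails its MAC), and only someone holding the key could rebuild the chain, which is why the keystore must be protected alongside the logs.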
This chapter provides information on the amsecuridd helper.
The Access Manager SecurID authentication module is implemented using the Security Dynamics ACE/Client C API and the amsecuridd helper, which communicates between the Access Manager SecurID authentication module and the SecurID Server. The SecurID authentication module invokes the amsecuridd daemon by opening a socket to localhost:57943 to listen for SecurID authentication requests.
57943 is the default port number. If this port number is already used, you can specify a different port number in the SecurID Helper Authentication Port attribute of the SecurID Authentication module. This port number must be unique across all organizations.
Because the interface to amsecuridd is in clear text through stdin, only local host connections are permitted. amsecuridd uses the SecurID remote API (version 5.x) on the back end for data encryption.
The amsecuridd helper listens on port number 58943 (by default) to receive its configuration information. If this port is already used, you can change it in the securidHelper.ports attribute in the AMConfig.properties file (by default, located in AccessManager-base/SUNWam/config/). The securidHelper.ports attribute contains a space-separated list of the ports for each amsecuridd helper instance. Restart Access Manager once the changes to AMConfig.properties are saved.
A separate instance of amsecuridd should run for each organization that communicates with a separate ACE/Server (containing different sdconf.rec files).
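Since each helper instance needs its own configuration port and none of them may collide with the port the authentication module uses to reach the helper, it is worth checking securidHelper.ports before restarting Access Manager. The following Python script is an added example, not code from the product or this guide: it reads the securidHelper.ports value out of an AMConfig.properties fragment and reports ports that are out of range, listed twice, or equal to the helper authentication port. The property file fragments are constructed; securidHelper.ports and the default 57943 port come from the text above, the other property name is an assumption.

```python
# Constructed AMConfig.properties fragments. The key securidHelper.ports is from the
# guide; the first property name in the good fragment is assumed for illustration.
GOOD_PROPERTIES = """\
com.iplanet.am.server.host=sun.com
securidHelper.ports=58943 58944
"""
BAD_PROPERTIES = """\
# one helper port repeated, one clashing with the auth port, one out of range
securidHelper.ports=58943 58943 57943 99999
"""

# Default port on which the SecurID module contacts the helper (from the guide).
SECURID_AUTH_PORT = 57943


def parse_properties(text):
    """Minimal parser for key=value lines of a Java properties file; blank lines and
    lines starting with '#' or '!' are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def helper_ports(text):
    """Return the configuration ports declared in securidHelper.ports, as integers."""
    return [int(p) for p in parse_properties(text).get("securidHelper.ports", "").split()]


def check_helper_ports(text, auth_ports=(SECURID_AUTH_PORT,)):
    """Return a list of problems with securidHelper.ports (empty when it is sound):
    invalid ports, duplicates (each helper instance needs its own port) and clashes
    with the SecurID Helper Authentication Port(s) in use."""
    value = parse_properties(text).get("securidHelper.ports", "")
    if not value.split():
        return ["securidHelper.ports is not set; the default port 58943 applies"]
    problems, seen = [], set()
    for raw in value.split():
        if not raw.isdigit() or not 1 <= int(raw) <= 65535:
            problems.append(f"{raw}: not a valid TCP port")
            continue
        port = int(raw)
        if port in seen:
            problems.append(f"{port}: listed twice; each amsecuridd instance needs its own port")
        seen.add(port)
        if port in auth_ports:
            problems.append(f"{port}: clashes with the SecurID Helper Authentication Port")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_PROPERTIES), ("bad", BAD_PROPERTIES)):
        print(label, helper_ports(text), check_helper_ports(text) or "ok")
```

Pass the full list of authentication ports configured across your organizations as auth_ports, since the guide requires that port to be unique across all organizations as well.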
The syntax is as follows:
amsecuridd [-v] [-c portnum]
-v turns on verbose mode and logs to /var/opt/SUNWam/debug/securidd_client.debug.
-c portnum configures the listening port number. The default is 58943.
amsecuridd is located, by default, in AccessManager-base/SUNWam/share/bin. To run the helper on the default ports, enter the following command (without options):
./amsecuridd
To run the helper on non-default port, enter the following command:
./amsecuridd [-v] [-c portnum]
amsecuridd can also be run through the amserver command line utility, but it will only run on the default ports.
In order to run the helper, the following libraries are required (most can be found in the operating system in /usr/lib/):
libnsl.so.1
libthread.so.1
libc.so.1
libdl.so.1
libmp.so.2
librt.so.1
libaio.so.1
libmd5.so.1
Set LD_LIBRARY_PATH to AccessManager-base/SUNWam/lib/ to find libaceclnt.so.