Deployment Example 2: Federation Using SAML v2

Part II Setting Up the Service Provider Site

Chapter 3 Installing and Deploying the Federation Manager Servers

This chapter contains detailed information about the following groups of tasks:

3.1 Installing and Configuring Federation Manager 1

Use the following as your checklist for installing and configuring Federation Manager 1:

  1. Install the Web Server for Federation Manager 1.

  2. Install Federation Manager Server 1.

  3. Deploy the Federation Manager 1 WAR file.

  4. Install the SAMLv2 Plug-In on Federation Manager 1.

  5. Install SAMLv2 Patch 2 on Federation Manager 1.

Procedure: To Install the Web Server for Federation Manager 1

Before You Begin

The Java ES installer must be mounted on the host computer system where you will install Web Server. See the section 2.2 Downloading and Mounting the Java Enterprise System 2005Q4 Installer in this manual.

  1. As a root user, log into the Web Server host.

  2. Start the Java Enterprise System installer with the -nodisplay option.


    # cd /mnt/Solaris_sparc 
    # ./installer -nodisplay
    
  3. When prompted, provide the following information:


    Welcome to the Sun Java(TM) Enterprise System; 
    serious software made  simple... 
    <Press ENTER to Continue>

    Press Enter. 


    <Press ENTER to display the Software 
    License Agreement>

    Press Enter. 


    Have you read, and do you accept, all of 
    the terms of the preceding Software 
    License Agreement [No] 

    Enter y.


    Please enter a comma separated list of 
    languages you would like supported with 
    this installation [8]

    Enter 8 for “English only.” 


    Enter a comma separated list of products to 
    install, or press R to refresh the list  []

    Enter 3 to select Web Server.


    Press "Enter" to Continue or Enter a 
    comma separated list of products to deselect... [1] 

    Press Enter. 

    Enter 1 to upgrade these shared components 
    and 2 to cancel  [1]

    You are prompted to upgrade shared components only if the installer detects that an upgrade is required. 

    Enter 1 to upgrade shared components.


    Enter the name of the target 
    installation directory for each product: 
    Web Server [/opt/SUNWwbsvr] : 

    Accept the default value. 


    System ready for installation 
    Enter 1 to continue [1]  

    Enter 1.


    1. Configure Now - Selectively override defaults or 
    express through  
    2. Configure Later - Manually configure following 
    installation 
     Select Type of Configuration [1]  

    Enter 1.


    Common Server Settings  
    Enter Host Name [FederationManager-1]

    Accept the default value. 


    Enter DNS Domain Name [siroe.com]

    Accept the default value. 


    Enter IP Address [192.18.87.180]

    Accept the default value. 


    Enter Server admin User ID [admin]   

    Enter admin.


    Enter Admin User's Password 
    (Password cannot be less than 8 characters) 
    [] 

    For this example, enter admin123.


    Confirm Admin User's Password []

    Enter the same password to confirm it. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter  Server Admin User ID 
    [admin]

    Accept the default value. 


    Enter Admin User's Password []

    For this example, enter admin123.


    Enter Host Name 
    [FederationManager-1.siroe.com]

    Accept the default value. 


    Enter Administration Port [8888]

    Accept the default value. 


    Enter Administration Server User ID 
    [root]

    Accept the default value. 


    Enter System User ID [webservd]

    Enter root.


    Enter System Group [webservd]

    Enter root.


    Enter HTTP Port [80] 

    Enter 8080.


    Enter content Root [/opt/SUNWwbsvr/docs]

    Accept the default value. 


    Do you want to automatically start 
    Web Server when system re-starts.(Y/N)    [N] 

    Accept the default value. 


    Ready to Install
    1. Install 2. Start Over 3. Exit Installation
    What would you like to do [1] 

    First, see the next numbered (Optional) step. When ready to install, enter 1.

  4. (Optional) During installation, you can monitor the log to watch for installation errors. Example:

    # cd /var/sadm/install/logs

    # tail -f Java_Enterprise_System_install.B xxxxxx

  5. Upon successful installation, enter ! to exit.

  6. Verify that the Web Server is installed properly.

    1. Start the Web Server administration server to verify it starts with no errors.

      # cd /opt/SUNWwbsvr/https-admserv

      # ./stop; ./start

    2. Run the netstat command to verify that the Web Server ports are open and listening.


      # netstat -an | grep 8888
        *.8888			*.*			0		0	49152		0	LISTEN
    3. Start a browser, and go to the Web Server administration URL.

      http://FederationManager-1.siroe.com:8888

    4. Log in to the Web Server console.

      Username

      admin

      Password

      admin123

      You should be able to see the Web Server console. You can log out of the console now.

    5. Start the Web Server instance.


      # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com
      # ./stop; ./start
    6. Go to the Web Server instance URL.

      http://FederationManager-1.siroe.com:8080

      You should see the default Web Server index page.

Procedure: To Install Federation Manager Server 1

Before You Begin

If you installed Solaris 10 from a distribution package other than the Solaris Enterprise distribution package, you must remove the SUNWjas and SUNWjato packages that were installed automatically. They are different versions from the SUNWjas and SUNWjato packages that Federation Manager uses; the Federation Manager installer installs the appropriate versions when you run it.

  1. Download the Sun Java System Federation Manager program from the following page on the Sun Microsystems website: http://www.sun.com/download/products.xml?id=44a5bbb5

  2. Unpack the Federation Manager installer.


    # tar -xvf fm-7.0-domestic-us.sparc-sun-solaris2.8.tar
    
    # ls
    LICENSE.TXT
    README.TXT
    SUNWamfm
    common
    fm-7.0-domestic-us.sparc-sun-solaris2.8.tar
    fmsetup
    fmsilent-template
  3. Edit the download_directory/fmsilent-template file.

    Make a backup of the fmsilent-template file, and then set the following properties in the file:


    FM_PROCESS_USER=root
    FM_PROCESS_GROUP=root
    INST_ORGANIZATION=o=siroe.com
    SERVER_HOST=FederationManager-1.siroe.com
    SERVER_PORT=8080
    ADMINPASSWD=11111111

    FM_PROCESS_USER and FM_PROCESS_GROUP should match the user and group that the Web Server instance runs as (root in this example; a production deployment should run both under a dedicated unprivileged account). ADMINPASSWD is the amadmin password and is stored in clear text, so the value 11111111 is a placeholder for this example only: choose a strong password, and restrict the file so that only root can read it.

  4. Save the file as /export/fmsilent.

  5. (Optional) For online help regarding the Federation Manager installer options, enter the following with no options:


    # ./fmsetup
  6. To start the Federation Manager installer, run the following command:


    # ./fmsetup install -s /export/fmsilent
Next Steps

The Federation Manager installer creates the following web archive (WAR) file:

/var/opt/SUNWam/fm/war_staging/federation.war

You usually customize the Federation Manager WAR file for the environment before deploying it. In a deployment where SAMLv2 is not used, you could customize and deploy the Federation Manager WAR file now. However, in this deployment example you install the SAMLv2 plug-in and the SAMLv2 patch before you customize the Federation Manager WAR file, so proceed directly to the next task, To Deploy the Federation Manager 1 WAR File.

Procedure: To Deploy the Federation Manager 1 WAR File

  1. Go to the Web Server directory that contains the wdeploy command:


    # cd /opt/SUNWwbsvr/bin/https/bin
  2. Run the wdeploy command:


    # ./wdeploy deploy -u /federation -i FederationManager-1.siroe.com 
    -v https-FederationManager-1.siroe.com 
    /var/opt/SUNWam/fm/war_staging/federation.war
  3. Verify that the WAR file was successfully deployed.

    1. Verify that a directory has been created with the same name you specified during Federation Manager installation as the URI. In this deployment example, the directory is named federation.


      # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/
      webapps/https-FederationManager-1.siroe.com/federation
      # ls
      META-INF		config		docs					html				js
      WEB-INF		console	fed_css			images			saml2
      com_sun_web_ui	css	fed_images		index.html	samples	
    2. Restart the Federation Manager server, and verify that you can successfully access it.


      # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com
      # ./stop; ./start
    3. In a browser, go to the following URL:


      http://FederationManager-1.siroe.com:8080/federation/UI/Login
    4. Log in to the Federation Manager console:

      User Name:

      amadmin

      Password:

      11111111

      If you can successfully log in, then the Federation Manager WAR file has been successfully deployed.

Procedure: To Install the SAMLv2 Plug-In on Federation Manager 1

Before You Begin

You must download the SAMLv2 Plug-In and the SAMLv2 Patch 2 onto the Federation Manager 1 host.

To download the SAMLv2 Plug-In, go to the following URL and follow instructions for downloading the plug-in:

http://www.sun.com/download/products.xml?id=43e00414

  1. As a root user, log in to the Federation Manager 1 host.

    Change to the directory where you unpacked the SAMLv2 installation files. Example:


    # cd /tmp/saml2
    # ls
    ./                             SUNWsaml2/
    ../                            saml2setup*
    ENTITLEMENT.TXT                saml2silent
    LICENSE.TXT                    samlv2-1.0-solaris-sparc.tar
    README.TXT                     version
  2. In a different directory, make a copy of the saml2silent file.

    For this deployment example, no changes are made to the saml2silent file; all default values in the saml2silent file are used during installation. If you changed anything in the fmsilent file other than the settings described in To Install Federation Manager Server 1, make the same changes in the saml2silent file.

  3. Run the SAMLv2 installer.


    # cd /tmp/saml2
    # ./saml2setup install -s saml2silent

    When installation is complete, you will see the following message:


    To complete the installation of SAML2 you must deploy the war file.  
    Refer to the web container documentation 
    or the release notes for directions on deploying a war file.

    Do not deploy the Federation Manager WAR file as instructed in the onscreen message. Instead, complete the following step and then proceed directly to the next task, To Install SAMLv2 Patch 2 on Federation Manager 1.

  4. Restart the Federation Manager server, and verify that you can successfully access it.


    # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com
    # ./stop; ./start

Procedure: To Install SAMLv2 Patch 2 on Federation Manager 1

Before You Begin

To download SAMLv2 Patch 2, follow the download instructions for the patch for your operating system.

  1. Go to the directory where you downloaded and unpacked the SAMLv2 patch installation file.


    # cd /temp/saml2patch/122983-02
    # ls
    LEGAL_LICENSE.TXT
    LICENSE.TXT
    patchinfo
    postbackout
    postpatch
    prebackout
    prepatch
    README.122983-02
    rel_notes.html
    SUNWsaml2
  2. Run the SAMLv2 patch installer.

    The -G option in the following example applies to Solaris 10 zones: it adds the patch to packages in the current zone only. Omit the option on Solaris releases earlier than Solaris 10.


    # cd /temp/saml2patch
    # patchadd -G 122983-02

    When installation is complete, you will see the following message:


    Patch packages installed:
    					SUNWsaml2
  3. Go to the directory where the saml2silent file is located.


    # cd /opt/SUNWam/saml2/bin
  4. Run the update command.


    # ./saml2setup update -s /opt/SUNWam/saml2/bin/saml2silent

    Any updates required because of the newly-installed patch are made in SAMLv2.

  5. Redeploy the Federation Manager 1 WAR file.

    At this point, the Federation Manager WAR file has been updated with SAMLv2 and SAMLv2 patch configurations. Once the WAR file is updated, you must deploy the WAR file.

    See To Regenerate and Redeploy the Federation Manager 1 WAR File.

3.2 Installing and Configuring Federation Manager 2

Use the following as your checklist for installing and configuring Federation Manager 2:

  1. Install the Web Server for Federation Manager 2.

  2. Install Federation Manager Server 2.

  3. Deploy the Federation Manager 2 WAR file.

  4. Install the SAMLv2 Plug-In on Federation Manager 2.

  5. Install the SAMLv2 Patch 2 on Federation Manager 2.

Procedure: To Install the Web Server for Federation Manager 2

Before You Begin

The Java ES installer must be mounted on the host computer system where you will install Web Server. See the section 2.2 Downloading and Mounting the Java Enterprise System 2005Q4 Installer in this manual.

  1. As a root user, log into the Web Server host.

  2. Start the Java Enterprise System installer with the -nodisplay option.


    # cd /mnt/Solaris_sparc 
    # ./installer -nodisplay
    
  3. When prompted, provide the following information:


    Welcome to the Sun Java(TM) Enterprise System; 
    serious software made  simple... 
    <Press ENTER to Continue>

    Press Enter. 


    <Press ENTER to display the Software 
    License Agreement>

    Press Enter. 


    Have you read, and do you accept, all of 
    the terms of the preceding Software 
    License Agreement [No] 

    Enter y.


    Please enter a comma separated list of 
    languages you would like supported with 
    this installation [8]

    Enter 8 for “English only.” 


    Enter a comma separated list of products to 
    install, or press R to refresh the list  []

    Enter 3 to select Web Server.


    Press "Enter" to Continue or Enter a 
    comma separated list of products to deselect... [1] 

    Press Enter. 

    Enter 1 to upgrade these shared components 
    and 2 to cancel  [1]

    You are prompted to upgrade shared components only if the installer detects that an upgrade is required. 

    Enter 1 to upgrade shared components.


    Enter the name of the target 
    installation directory for each product: 
    Web Server [/opt/SUNWwbsvr] : 

    Accept the default value. 


    System ready for installation 
    Enter 1 to continue [1]  

    Enter 1.


    1. Configure Now - Selectively override defaults or 
    express through  
    2. Configure Later - Manually configure following 
    installation 
     Select Type of Configuration [1]  

    Enter 1.


    Common Server Settings  
    Enter Host Name [FederationManager-2]

    Accept the default value. 


    Enter DNS Domain Name [siroe.com]

    Accept the default value. 


    Enter IP Address [192.18.87.180]

    Accept the default value. 


    Enter Server admin User ID [admin]   

    Enter admin.


    Enter Admin User's Password 
    (Password cannot be less than 8 characters) 
    [] 

    For this example, enter admin123.


    Confirm Admin User's Password []

    Enter the same password to confirm it. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter  Server Admin User ID 
    [admin]

    Accept the default value. 


    Enter Admin User's Password []

    For this example, enter admin123.


    Enter Host Name 
    [FederationManager-2.siroe.com]

    Accept the default value. 


    Enter Administration Port [8888]

    Accept the default value. 


    Enter Administration Server User ID 
    [root]

    Accept the default value. 


    Enter System User ID [webservd]

    Enter root.


    Enter System Group [webservd]

    Enter root.


    Enter HTTP Port [80] 

    Enter 8080.


    Enter content Root [/opt/SUNWwbsvr/docs]

    Accept the default value. 


    Do you want to automatically start 
    Web Server when system re-starts.(Y/N)    [N] 

    Accept the default value. 


    Ready to Install
    1. Install 2. Start Over 3. Exit Installation
    What would you like to do [1] 

    First, see the next numbered (Optional) step. When ready to install, enter 1.

  4. (Optional) During installation, you can monitor the log to watch for installation errors. Example:

    # cd /var/sadm/install/logs

    # tail -f Java_Enterprise_System_install.B xxxxxx

  5. Upon successful installation, enter ! to exit.

  6. Verify that the Web Server is installed properly.

    1. Start the Web Server administration server to verify it starts with no errors.

      # cd /opt/SUNWwbsvr/https-admserv

      # ./stop; ./start

    2. Run the netstat command to verify that the Web Server ports are open and listening.


      # netstat -an | grep 8888
        *.8888			*.*			0		0	49152		0	LISTEN
    3. Start a browser, and go to the Web Server administration URL.

      http://FederationManager-2.siroe.com:8888

    4. Log in to the Web Server console.

      Username

      admin

      Password

      admin123

      You should be able to see the Web Server console. You can log out of the console now.

    5. Start the Web Server instance.


      # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com
      # ./stop; ./start
    6. Go to the Web Server instance URL.

      http://FederationManager-2.siroe.com:8080

      You should see the default Web Server index page.

Procedure: To Install Federation Manager Server 2

Before You Begin

If you installed Solaris 10 from a distribution package other than the Solaris Enterprise distribution package, you must remove the SUNWjas and SUNWjato packages that were installed automatically. They are different versions from the SUNWjas and SUNWjato packages that Federation Manager uses; the Federation Manager installer installs the appropriate versions when you run it.

  1. Download the Sun Java System Federation Manager program from the following page on the Sun Microsystems website: http://www.sun.com/download/products.xml?id=44a5bbb5

  2. Unpack the Federation Manager installer.


    # tar -xvf fm-7.0-domestic-us.sparc-sun-solaris2.8.tar
    
    # ls
    LICENSE.TXT
    README.TXT
    SUNWamfm
    common
    fm-7.0-domestic-us.sparc-sun-solaris2.8.tar
    fmsetup
    fmsilent-template
  3. Edit the download_directory/fmsilent-template file.

    Make a backup of the fmsilent-template file, and then set the following properties in the file:


    FM_PROCESS_USER=root
    FM_PROCESS_GROUP=root
    INST_ORGANIZATION=o=siroe.com
    SERVER_HOST=FederationManager-2.siroe.com
    SERVER_PORT=8080
    ADMINPASSWD=11111111

    As for Federation Manager 1, FM_PROCESS_USER and FM_PROCESS_GROUP should match the user and group that the Web Server instance runs as, and ADMINPASSWD is the amadmin password in clear text: use a strong password rather than the placeholder 11111111, and restrict the file so that only root can read it.

  4. Save the file as /export/fmsilent.

  5. (Optional) For online help regarding the Federation Manager installer options, enter the following with no options:


    # ./fmsetup
  6. To start the Federation Manager installer, run the following command:


    # ./fmsetup install -s /export/fmsilent
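The fmsilent edit in steps 3 and 4, for Federation Manager 1 and Federation Manager 2 alike, as an added example that is not part of the Sun guide: a POSIX shell function that keeps the backup the step asks for, writes the six properties shown above into a copy of the template, and creates the result readable by its owner only, because the file holds the amadmin password in clear text. The template and output paths, the host name and the password are parameters; the fmsilent-template it is run against in the usage note is a constructed stand-in, not the real file.

```sh
#!/bin/sh
# Added example (not from the Sun Federation Manager guide).
# Builds an fmsilent file from fmsilent-template with the properties this
# deployment uses, and keeps it readable by its owner only: the file carries
# ADMINPASSWD (the amadmin password) in clear text.

# set_prop FILE KEY VALUE: set KEY=VALUE in FILE, replacing any existing KEY
# line. Values are written verbatim (no sed substitution), so a password
# containing characters such as | or & is stored unchanged.
set_prop() {
    file=$1 key=$2 val=$3
    { grep -v "^$key=" "$file" || :; printf '%s=%s\n' "$key" "$val"; } > "$file.tmp"
    chmod 600 "$file.tmp" && mv "$file.tmp" "$file"
}

# make_fmsilent TEMPLATE OUT HOST PASSWORD
#   TEMPLATE  e.g. download_directory/fmsilent-template
#   OUT       e.g. /export/fmsilent
#   HOST      e.g. FederationManager-1.siroe.com or FederationManager-2.siroe.com
make_fmsilent() {
    template=$1 out=$2 host=$3 passwd=$4
    [ -r "$template" ] || { echo "template not readable: $template" >&2; return 1; }
    cp -p "$template" "$template.bak"          # the backup the guide asks for
    ( umask 077; cp "$template" "$out" )       # created with mode 600 from the start
    set_prop "$out" FM_PROCESS_USER   root
    set_prop "$out" FM_PROCESS_GROUP  root
    set_prop "$out" INST_ORGANIZATION o=siroe.com
    set_prop "$out" SERVER_HOST       "$host"
    set_prop "$out" SERVER_PORT       8080
    set_prop "$out" ADMINPASSWD       "$passwd"
}

# fmsilent_value FILE KEY: print the value stored for KEY (empty if unset).
fmsilent_value() {
    sed -n "s|^$2=||p" "$1"
}

# Typical use on Federation Manager 1, with the paths from the guide:
#   make_fmsilent ./fmsilent-template /export/fmsilent \
#       FederationManager-1.siroe.com 'choose-a-strong-password'
```

Once fmsetup has finished, the generated file is no longer needed on the host; delete it, or keep it under the same root-only permissions, since the same password opens the Federation Manager console as amadmin.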
Next Steps

The Federation Manager installer creates the following web archive (WAR) file:

/var/opt/SUNWam/fm/war_staging/federation.war

You usually customize the Federation Manager WAR file for the environment before deploying it. In a deployment where SAMLv2 is not used, you could customize and deploy the Federation Manager WAR file now. However, in this deployment example you install the SAMLv2 plug-in and the SAMLv2 patch before you customize the Federation Manager WAR file, so proceed directly to the next task, To Deploy the Federation Manager 2 WAR File.

Procedure: To Deploy the Federation Manager 2 WAR File

  1. Go to the Web Server directory that contains the wdeploy command:


    # cd /opt/SUNWwbsvr/bin/https/bin
  2. Run the wdeploy command:


    # ./wdeploy deploy -u /federation -i FederationManager-2.siroe.com 
    -v https-FederationManager-2.siroe.com 
    /var/opt/SUNWam/fm/war_staging/federation.war
  3. Verify that the WAR file was successfully deployed.

    1. Verify that a directory has been created with the same name you specified during Federation Manager installation as the URI. In this deployment example, the directory is named federation.


      # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/
      webapps/https-FederationManager-2.siroe.com/federation
      # ls
      META-INF		config		docs					html				js
      WEB-INF		console	fed_css			images			saml2
      com_sun_web_ui	css	fed_images		index.html	samples	
    2. Restart the Federation Manager server, and verify that you can successfully access it.


      # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com
      # ./stop; ./start
    3. In a browser, go to the following URL:


      http://FederationManager-2.siroe.com:8080/federation/UI/Login
    4. Log in to the Federation Manager console:

      User Name:

      amadmin

      Password:

      11111111

      If you can successfully log in, then the Federation Manager WAR file has been successfully deployed.

Procedure: To Install the SAMLv2 Plug-In on Federation Manager 2

Before You Begin

To download the SAMLv2 Plug-In, go to the following URL and follow instructions for downloading the plug-in:

http://www.sun.com/download/products.xml?id=43e00414

  1. As a root user, log in to the Federation Manager 2 host.

    Change to the directory where you unpacked the SAMLv2 installation files. Example:


    # cd /tmp/saml2
    # ls
    ./                             SUNWsaml2/
    ../                            saml2setup*
    ENTITLEMENT.TXT                saml2silent
    LICENSE.TXT                    samlv2-1.0-solaris-sparc.tar
    README.TXT                     version
  2. In a different directory, make a copy of the saml2silent file.

    For this deployment example, no changes are made to the saml2silent file; all default values in the saml2silent file are used during installation. If you changed anything in the fmsilent file other than the settings described in To Install Federation Manager Server 2, make the same changes in the saml2silent file.

  3. Run the SAMLv2 installer.


    # cd /tmp/saml2
    # ./saml2setup install -s saml2silent

    When installation is complete, you will see the following message:


    To complete the installation of SAML2 you must deploy the war file.  
    Refer to the web container documentation 
    or the release notes for directions on deploying a war file.

    Do not deploy the Federation Manager WAR file as instructed in the onscreen message. Instead, complete the following step and then proceed directly to the next task, To Install the SAMLv2 Patch 2 on Federation Manager 2.

  4. Restart the Federation Manager server, and verify that you can successfully access it.


    # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com
    # ./stop; ./start

Procedure: To Install the SAMLv2 Patch 2 on Federation Manager 2

Before You Begin

To download SAMLv2 Patch 2, follow the download instructions for the patch for your operating system.

  1. Go to the directory where you downloaded and unpacked the SAMLv2 patch installation file.


    # cd /temp/saml2patch/122983-02
    # ls
    LEGAL_LICENSE.TXT
    LICENSE.TXT
    patchinfo
    postbackout
    postpatch
    prebackout
    prepatch
    README.122983-02
    rel_notes.html
    SUNWsaml2
  2. Run the SAMLv2 patch installer.

    The -G option applies to Solaris 10 zones: it adds the patch to packages in the current zone only. Omit the option on Solaris releases earlier than Solaris 10.


    # cd /temp/saml2patch
    # patchadd -G 122983-02

    When installation is complete, you will see the following message:


    Patch packages installed:
    					SUNWsaml2
  3. Go to the directory where the SAMLv2 saml2silent file is located.


    # cd /opt/SUNWam/saml2/bin
  4. Run the update command.


    # ./saml2setup update -s /opt/SUNWam/saml2/bin/saml2silent
  5. Redeploy the Federation Manager 2 WAR file.

    At this point, the Federation Manager WAR file has been updated with SAMLv2 and SAMLv2 patch configurations. The next step is to deploy the WAR file.

    See To Regenerate and Redeploy the Federation Manager 2 WAR File.

3.3 Configuring the Federation Manager Load Balancer

In this phase of the deployment, you set up Load Balancer 9 to manage Federation Manager requests. For more information about the f-5 Networks BIG-IP load balancers used in this deployment, see 2.9 Setting Up Load Balancer Hardware and Software in this manual.

Use the following as your checklist for configuring the Federation Manager Load Balancer:

  1. Configure Load Balancer 9 for the Federation Manager Servers.

  2. Configure Federation Manager 1 to work with the Federation Manager Load Balancer.

  3. Configure Federation Manager 2 to work with the Federation Manager Load Balancer.

  4. Verify that the Federation Manager load balancers are working properly.

Procedure: To Configure Load Balancer 9 for the Federation Manager Servers

  1. Create a Pool.

    A pool contains all the backend server instances.

    1. Go to the URL of the BIG-IP load balancer login page.

    2. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

    3. In the left pane, click Pools.

    4. On the Pools tab, click the Add button.

    5. In the Add Pool dialog, provide the following information:

      Pool Name

      Example: fm_server_pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP addresses of both Federation Manager hosts. In this example:

      192.18.72.89 (for Federation Manager 1)

      192.18.72.86 (for Federation Manager 2)

    6. Click the Done button.

  2. Add a Virtual Server.

    If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.

    1. In the left frame, Click Virtual Servers.

    2. On the Virtual Servers tab, click the Add button.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      192.18.69.14 (for LoadBalancer-9.siroe.com)

      Service

      1080

    4. Continue to click Next until you reach the Select Physical Resources page.

      Select Pool, and then choose fm_server_pool from the drop-down list.

    5. On the same page, set the Cookie Name property to fmlbcookie.

    6. Click the Done button.

  3. Configure the load balancer for persistence.

    1. In the left frame, click Pools.

    2. Click the name of the pool you want to configure.

      In this example, fm_server_pool.

    3. Click the Persistence tab.

    4. On the Persistence tab, under Persistence Type, select Active HTTP Cookie and set the following:

      Method:

      Insert

      With the Insert method, the first time the load balancer receives a request from a client it selects a server and inserts a cookie (fmlbcookie here) whose value identifies that server. On subsequent requests carrying the same cookie name and value, the load balancer directs the request to the same server. The cookie is set by the load balancer but presented by the client, so only values that name a current pool member are honored; note also that the default BIG-IP cookie value encodes the selected server's IP address and port in a reversible form, which exposes internal addressing to clients.

    5. Click Apply.

  4. Create a new monitor.

    This monitor will simply indicate whether the Federation Manager servers are running or stopped.

    1. Click the Monitors tab.

    2. Click Add.

    3. In the Name and Parent window, provide the following information, and then click Next.

      Name

      fm_servers_monitor

      Inherits From

      http

    4. In the Basic Properties window, accept the default values, and then click Next.

      Interval

      5

      Timeout

      16

    5. In the Configure Destination Address and Service window, accept the default values and then click Done.

      The new monitor is added to the list on the Monitors tab.

  5. Click the Basic Associations tab.

    1. Find the IP addresses for Federation Manager 1 and for Federation Manager 2.

      In this example: 192.18.72.89 for Federation Manager 1, and 192.18.72.86 for Federation Manager 2.

    2. In the Node dropdown list, select fm_servers_monitor.

    3. Mark the ADD box for each IP address, and then click APPLY.

      When you click Nodes in the left frame of the console, you will be able to see if each server is running or stopped.

Procedure: To Configure Federation Manager 1 to Work with the Federation Manager Load Balancer

  1. As a root user, log in to the Federation Manager 1 host.

  2. Go to the directory that contains the AMConfig.properties file.


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes
  3. In the AMConfig.properties file, set the following property:


    com.sun.identity.server.fqdnMap[LoadBalancer-9.siroe.com]=LoadBalancer-9.siroe.com
  4. Add the following property:


    com.sun.identity.url.redirect=https,LoadBalancer-9.siroe.com

    This property will be used when you terminate SSL at the Federation Manager load balancer.

  5. Add the Federation Manager load balancers to the Organization Aliases list.

    1. Go to the Federation Manager login URL:


      http://Federationmanager-1.siroe.com:8080/federation/UI/Login
    2. Log in to the Federation Manager console:

      User Name:

      amadmin

      Password:

      11111111

    3. Click the Configuration tab. On the General Properties page, under Organizational Attributes, add the Federation Manager load balancer to the DNS Aliases list.

      In the Add field, enter LoadBalancer-9.siroe.com, and then click Add.

      Click Save.

  6. Regenerate the Federation Manager WAR file.


    #cd /opt/SUNWam/fm/bin
    # ./fmwar -n federation -d /var/opt/SUNWam/fm/war_staging -s /export/fmsilent
  7. Redeploy the Federation Manager WAR file.

    See the section To Regenerate and Redeploy the Federation Manager 1 WAR File in this manual.

Procedure: To Configure Federation Manager 2 to Work with the Federation Manager Load Balancer

  1. As a root user, log in to the Federation Manager 2 host.

  2. Go to the directory that contains the AMConfig.properties file.


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes
  3. In the AMConfig.properties file, set the following properties:


    com.sun.identity.server.fqdnMap[LoadBalancer-9.siroe.com]=LoadBalancer-9.siroe.com
  4. Add the following property:


    com.sun.identity.url.redirect=https,LoadBalancer-9.siroe.com

    This property will be used when you terminate SSL at the Federation Manager load balancer.

  5. Add the Federation Manager load balancers to the Organization Aliases list.

    1. Go to the Federation Manager login URL:


      http://FederationManager-2.siroe.com:8080/federation/UI/Login
    2. Log in to the Federation Manager console:

      User Name:

      amadmin

      Password:

      11111111

    3. Click the Organization tab. Under Organization Attributes, add the Federation Manager load balancers to the DNS Aliases list.

      In the Add field, enter LoadBalancer-9.siroe.com, and then click Add.

      Click Save.

  6. Regenerate the Federation Manager 2 WAR file.

    See the section in this manual, To Regenerate and Redeploy the Federation Manager 2 WAR File.

Procedure: To Verify that the Federation Manager Load Balancers are Working Properly

  1. Use the tail command to monitor traffic requests to Federation Manager 1 and Federation Manager 2.

    1. As a root user, log in to the Federation Manager 1 host.

    2. Restart the Federation Manager 1 server:


      # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com
      # ./stop; ./start
    3. Use the tail command to monitor the Federation Manager 1 access log.


      # tail -f logs/access
    4. As a root user, log in to the Federation Manager 2 host.

    5. Start the Federation Manager 2 server:


      # cd FederationManager-base/SUNWwbsvr/https-FederationManager-2.siroe.com 
      # ./stop; ./start
    6. Use the tail command to monitor the Directory Server access log.


      # tail -f logs/access
  2. Go to the following Federation Manager URL:


    http://LoadBalancer-9.siroe.com:1080/federation/UI/Login
  3. Log in to the Federation Manager console:

    User Name:

    amadmin

    Password:

    11111111

    As you log in and log out of the Federation Manager console, you should see in the access log that all requests are going to the same Federation Manager server. This indicates that the load balancer is working properly, and that the persistence setting is properly configured.
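Reading two scrolling `tail -f` windows works for a single login, but a persistence problem is easier to prove from the saved access logs of both servers. The following is an added example for this page, not code from the deployment guide or the Web Server: it parses access-log lines in common log format (the Web Server's default access-log layout) from both Federation Manager instances and reports any client whose `/federation/` requests were spread over more than one server. Requests outside `/federation/` (for instance load-balancer health probes, which legitimately reach every server) are ignored so they do not produce false alarms. The log lines below are constructed.

```python
"""Check load-balancer persistence from the Web Server access logs of both
Federation Manager instances.  Constructed example for this page; the log
lines below are made up in common log format."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Set

# Common log format: client ip, ident, user, [timestamp], "request", status, bytes
CLF_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_access_line(line: str) -> Dict[str, str]:
    """Fields of one access-log line, or an empty dict if the line does not parse."""
    match = CLF_LINE.match(line)
    return match.groupdict() if match else {}


def request_path(request: str) -> str:
    """'GET /federation/UI/Login HTTP/1.1' -> '/federation/UI/Login'."""
    parts = request.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def servers_by_client(logs: Dict[str, Iterable[str]]) -> Dict[str, Set[str]]:
    """logs maps a server name to the lines of its access log.  Returns, for each
    client address, the set of servers that handled its Federation Manager requests."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for server, lines in logs.items():
        for line in lines:
            fields = parse_access_line(line)
            # Only console traffic counts; health probes from the load balancer hit every server.
            if fields and request_path(fields["req"]).startswith("/federation/"):
                seen[fields["ip"]].add(server)
    return dict(seen)


def check_persistence(logs: Dict[str, Iterable[str]]) -> List[str]:
    """One problem string per client whose requests were spread over several servers."""
    return [
        f"client {ip} was served by {', '.join(sorted(servers))}"
        for ip, servers in sorted(servers_by_client(logs).items())
        if len(servers) > 1
    ]


# Constructed access-log excerpts, one list per Federation Manager server.
FM1_LOG = [
    '10.5.82.1 - - [14/Mar/2006:10:01:02 -0800] "GET /federation/UI/Login HTTP/1.1" 200 4521',
    '10.5.82.1 - - [14/Mar/2006:10:01:09 -0800] "POST /federation/UI/Login HTTP/1.1" 302 0',
    '10.5.82.1 - - [14/Mar/2006:10:01:40 -0800] "GET /federation/UI/Logout HTTP/1.1" 200 1203',
    '10.5.82.9 - - [14/Mar/2006:10:01:11 -0800] "GET /index.html HTTP/1.0" 200 45',   # LB health probe
]
FM2_LOG = [
    '10.5.82.2 - - [14/Mar/2006:10:01:05 -0800] "GET /federation/UI/Login HTTP/1.1" 200 4521',
    '10.5.82.9 - - [14/Mar/2006:10:01:11 -0800] "GET /index.html HTTP/1.0" 200 45',   # LB health probe
]

if __name__ == "__main__":
    logs = {"FederationManager-1": FM1_LOG, "FederationManager-2": FM2_LOG}
    print(check_persistence(logs) or "persistence OK")
```

On the real hosts, feed each server's `logs/access` file into the dictionary in place of the sample lists; an empty result confirms that the persistence setting is keeping each client on one server.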

3.4 Configuring SSL Termination at the Federation Manager Load Balancer

In this deployment, SSL is not enabled on each Federation Manager server; it is instead terminated at the load balancer. By terminating SSL at the load balancer, you can be sure that communication to the Federation Manager servers is secure while achieving the highest server availability and fastest response times. The hop behind the load balancer, from its HTTP virtual server to port 8080 on each Federation Manager server, then carries plain HTTP, so that network segment must itself be trusted.

Use the following as your checklist for configuring SSL termination at the Federation Manager load balancer:

  1. Request an SSL certificate.

  2. Install the SSL certificate.

  3. Configure the Web Server 1 for SSL termination.

  4. Configure the Web Server 2 for SSL termination.

  5. Verify that SSL on the Federation Manager load balancer is working properly.

Procedure: To Request an SSL Certificate

  1. Log in to the BIG-IP load balancer.

  2. Click Proxies in the left pane.

  3. Click the Cert Admin tab, and then click the “Generate New Key Pair/ Certificate Request” button.

  4. In the Create Certificate Request page, provide the following information:

    Key Identifier:

    LoadBalancer-9.siroe.com

    Organization:

    siroe.com

    Domain Name:

    LoadBalancer-9.siroe.com

    Email Address:

    jdoe@siroe.com

  5. Click the Generate Request button.

  6. In the Generate Request page, copy the request that looks similar to this:


    -----BEGIN CERTIFICATE REQUEST-----
    UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU
    AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0
    EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC
    xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u
    IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0
    wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz
    ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC
    FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU
    ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0
    GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo
    2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2
    -----END CERTIFICATE REQUEST-----
  7. Paste this text into a request form provided by a root certificate authority (CA) such as VeriSign or Thawte.

    See the certificate authority's website, such as http://www.verisign.com/ or http://www.thawte.com/, for detailed instructions on submitting a certificate request.

Procedure: To Install the SSL Certificate

After you receive the certificate from the issuer, install the SSL Certificate.

  1. Log in to the BIG-IP load balancer console.

    1. In the BIG-IP load balancer console, click the Cert Admin tab.

    2. On the Cert Admin tab, click Install Certificate.

    3. In the Install SSL Certificate page, paste the certificate text you received from the certificate issuer. Example:


      -----BEGIN CERTIFICATE-----
      UbM77e50M63v1Z2A/5O5MA0GCSqGSIb3DQEOBAU
      AMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0
      EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UEC
      xMlU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9u
      IEF1dGhvcml0eTAeFw0wMTA4MDIwMDAwMDBaFw0
      wMzA4MDIyMzU5NTlaMIGQMQswCQYDVQQGEwJVUz
      ERMA8GA1UECBMIVmlyZ2luaWExETAPBgNVBAcUC
      FJpY2htb25kMSAwHgYDVQQKFBdDYXZhbGllciBU
      ZWxlcGhvYm9uZGluZy5jYXZ0ZWwuY29tMIGfMA0
      GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8x/1dxo
      2YnblilQLmpiEziOqb7ArVfI1ymXo/MKcbKjnY2
      -----END CERTIFICATE-----
    4. Click Install Certificate.

  2. In the left frame, click Proxies, and then click Add.

  3. On the Add Proxy page, provide the following information:

    Proxy Type:

    SSL

    Proxy Address:

    Enter the IP address of LoadBalancer-9.siroe.com.

    Proxy Service:

    Enter 3443.

    Destination Address:

    Enter the IP address of LoadBalancer-9.siroe.com.

    Destination Service:

    Enter 1080.

    SSL Certificate:

    LoadBalancer-9.siroe.com

    SSL Key:

    LoadBalancer-9.siroe.com

    Enable ARP:

    Mark this box.

    Click Next, then provide the following information:

    Rewrite Redirects:

    Choose Matching.

    Click Done.

Procedure: To Configure the Web Server 1 for SSL Termination

  1. As a root user, log in to the Federation Manager 1 host.

  2. Go to the following directory:


    /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/config
  3. Modify the server.xml file.

    Make a backup of server.xml, and then modify the original file. Change this line:


    <LS id="ls1" port="8080" servername="FederationManager-1.siroe.com" defaultvs ...

    to:


    <LS id="ls1" port="8080" servername="https://LoadBalancer-9.siroe.com" defaultvs ...

    Save the file.

  4. Restart the Web Server.


    # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/
    # ./stop ; ./start

Procedure: To Configure the Web Server 2 for SSL Termination

  1. As a root user, log in to the Federation Manager 2 host.

  2. Go to the following directory:


    /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/config
  3. Modify the server.xml file.

    Make a backup of server.xml, and then modify the original file. Change this line:


    <LS id="ls1" port="8080" servername="FederationManager-2.siroe.com" defaultvs ...

    to:


    <LS id="ls1" port="8080" servername="https://LoadBalancer-9.siroe.com" defaultvs ...

    Save the file.

  4. Restart the Web Server.


    # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/
    # ./stop ; ./start
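The edit in both Web Server procedures above is a one-attribute change to server.xml, but a hand edit can leave the file malformed (the server then refuses to start) and an untracked backup is easy to forget. The following is an added example for this page, not tooling from the deployment guide or from the Web Server: it backs up server.xml, replaces the `servername` of the listen socket with the given `id`, leaves every other byte of the file untouched, and re-parses the result to prove it is still well-formed XML. The sample server.xml is a constructed excerpt in the shape of a Web Server 6.1 file; its attribute set is illustrative.

```python
"""Rewrite the servername attribute of a Web Server 6.1 listen socket in
server.xml, keeping a backup, as the two procedures above do by hand.
Constructed example for this page; the sample server.xml is a made-up excerpt."""
import re
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

LS_TAG = re.compile(r"<LS\b[^>]*>")


def set_listen_socket_servername(xml_text: str, ls_id: str, servername: str) -> str:
    """Return xml_text with the servername of the <LS id=ls_id> element replaced.
    The edit is made on the raw text so the rest of the file keeps its formatting;
    the result is parsed afterwards to make sure it is still well-formed XML."""
    hits = 0

    def edit(match: "re.Match[str]") -> str:
        nonlocal hits
        tag = match.group(0)
        if not re.search(r'\bid="%s"' % re.escape(ls_id), tag):
            return tag
        new_tag, n = re.subn(r'\bservername="[^"]*"',
                             lambda _: f'servername="{servername}"', tag, count=1)
        if n != 1:
            raise ValueError(f"listen socket {ls_id} has no servername attribute")
        hits += 1
        return new_tag

    result = LS_TAG.sub(edit, xml_text)
    if hits != 1:
        raise ValueError(f'expected exactly one <LS id="{ls_id}">, found {hits}')
    ET.fromstring(result.encode("utf-8"))   # raises ParseError if the edit broke the XML
    return result


def listen_socket_servername(xml_text: str, ls_id: str) -> str:
    """Read back the servername of a listen socket (used to verify the change)."""
    for ls in ET.fromstring(xml_text.encode("utf-8")).iter("LS"):
        if ls.get("id") == ls_id:
            return ls.get("servername", "")
    raise ValueError(f"no listen socket {ls_id}")


def rewrite_server_xml(path: Path, ls_id: str, servername: str) -> Path:
    """Back up server.xml to server.xml.bak, then write the edited file.
    Returns the backup path."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    path.write_text(set_listen_socket_servername(path.read_text(), ls_id, servername))
    return backup


# Constructed excerpt in the shape of a Web Server 6.1 server.xml; attributes are illustrative.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<SERVER legacyls="ls1">
  <LS id="ls1" port="8080" servername="FederationManager-1.siroe.com" defaultvs="https-FederationManager-1.siroe.com" security="off" ip="any"/>
  <VSCLASS id="defaultclass" objectfile="obj.conf" rootobject="default">
    <VS id="https-FederationManager-1.siroe.com" connections="ls1" urlhosts="FederationManager-1.siroe.com" state="on"/>
  </VSCLASS>
</SERVER>
"""

if __name__ == "__main__":
    print(set_listen_socket_servername(SAMPLE_SERVER_XML, "ls1", "https://LoadBalancer-9.siroe.com"))
```

On the host, `rewrite_server_xml(Path("/opt/SUNWwbsvr/https-FederationManager-1.siroe.com/config/server.xml"), "ls1", "https://LoadBalancer-9.siroe.com")` performs the backup and the edit in one step; restart the Web Server afterwards as in step 4. The `https://` prefix matters because the Web Server uses `servername` to build the host part of the URLs it sends back to clients, which must now name the load balancer over HTTPS.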

Procedure: To Verify that SSL on the Federation Manager Load Balancer is Working Properly

  1. Go to the Federation Manager URL:

    https://LoadBalancer-9.siroe.com:3443/federation/UI/Login

    The following message is displayed:

    “Unable to verify the identity of LoadBalancer-9.siroe.com as a trusted site.”

  2. Choose “Accept this certificate temporarily for this session,” and then click OK.

  3. Log in to the Federation Manager console:

    User Name:

    amadmin

    Password:

    11111111

    If you can log in successfully, then SSL is configured properly.

Chapter 4 Installing and Configuring the Directory Servers

This chapter contains detailed information about the following groups of tasks:

4.1 Installing Two Directory Servers

The Java ES installer must be mounted on the host computer system where you will install Directory Server. See the section 2.2 Downloading and Mounting the Java Enterprise System 2005Q4 Installer in this manual.

Use the following as your checklist for installing two Directory Servers:

  1. Install Directory Server 3SP.

  2. Install Directory Server 4SP.

Procedure: To Install Directory Server 3SP

  1. As a root user, log in to the Directory Server 3SP host.

  2. Start the installer with the nodisplay option. Example:

    # cd /mnt/Solaris_sparc
    # ./installer -nodisplay
  3. When prompted, provide the following information:


    Welcome to the Sun Java(TM) Enterprise System; 
    serious software made simple...
    <Press ENTER to Continue>

    Press Enter. 


    <Press ENTER to display the Software 
    License Agreement>

    Press Enter. 


    Have you read, and do you accept, all of
    the terms of the preceding Software License
    Agreement?

    Enter y.


    Please enter a comma separated list of 
    languages you would like supported with this 
    installation

    Enter 8 to select “English only.”


    Enter a comma separated list of products
    to install, or press R to refresh the 
    list.

    Enter 6,20.

    Be sure you've specified Sun Java System Administration Server 5 2005Q4 and Sun Java System Directory Server 5 2005Q4. 


    Press "Enter" to Continue or Enter a comma 
    separatedlist of products to deselect.

    Press Enter. 


    Enter 1 to upgrade these shared components and 
    2 to cancel.

    If upgrades are required, enter 1 to upgrade shared components.


    Enter the name of the target 
    installation directory for each product:

    Accept the default value for each product. 


    System ready for installation...

    Enter 1 to continue.


    Select Type of Configuration

    Enter 1 to configure now.


    Enter Host Name [DirectoryServer-3SP]

    Accept the default value. 


    Enter DNS Domain Name [siroe.com]

    Accept the default value. 


    Enter IP Address [10.5.82.207]

    Accept the default value. 


    Enter Server admin User ID [admin]

    Accept the default value. 


    Enter Admin User's Password (Password cannot be 
    less than 8 characters)

    For this example, enter admin123.


    Confirm Admin User's Password []

    Enter the same password again. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter Server Admin ID [admin] 

    Accept the default value. 


    Enter Admin User's Password 
    (At least 8 characters long)

    For this example, enter admin123.


    Retype Password []

    Enter the same password again. 


    Enter Directory Manager DN 
    [cn=Directory Manager] 

    Accept the default value. 


    Enter Directory Manager's Password 
    (At least 8 characters long)

    For this example, enter 11111111.


    Retype Password []

    Enter the same password again. 


    Directory Server Root  
    [/var/opt/mps/serverroot]

    Accept the default value. 


    Enter Server Identifier [DirectoryServer-3SP]

    Accept the default value. 


    Enter Server Port [390]

    Enter 1390.


    Enter a valid Suffix 
    [siroe.com] 

    Enter dc=siroe,dc=com.


    Enter Administration Domain 
    [siroe.com]

    Accept the default value. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    This server's configuration can be stored in 
    this new directory server or in another 
    previously prepared configuration server.

    Enter 1 to choose “The new instance will be the configuration directory server.”


    This server can store its own user data 
    and group data, or it can access user data and 
    group data from another instance of directory 
    server. 

    Enter 1 to store data in the new directory server.


    The new directory server can be populated 
    with sample or real data. 

    Enter 4 to choose “Populate with no data.”


    Do you wish to disable Schema Checking 
    when importing data?

    Enter n.


    Enter the Server Root 
    [/var/opt/mps/serverroot]

    Accept the default value. 


    Enter the Administration Port [390]

    Enter 1391.


    Enter the Administration Domain 
    [siroe.com]  

    Accept the default value. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter Administration ID for 
    Configuration Server 
    Administration ID[admin]

    Accept the default value. 


    Enter the admin Password []

    For this example, enter admin123.


    Enter the Configuration Directory Host 
    [DirectoryServer-3SP.siroe.com] 

    Accept the default value. 


    Enter the Configuration Directory Port [1390]

    Accept the default value. 


    Ready to Install.
    The following components will be installed:
    Directory Server Preparation Tool
    Directory Server 5
    Administration Server

    Enter 1 to install now.

  4. (Optional) During installation, you can monitor the log to watch for installation errors. Example:

    # cd /var/sadm/install/logs

    # tail -f Java_Enterprise_System_install.B xxxxxx

  5. Upon successful installation, enter ! to exit.

  6. Verify that Directory Server was successfully installed.

    1. As a root user, log in to Directory Server 3SP.

    2. Start the Directory Server.

      # cd /var/opt/mps/serverroot/slapd-DirectoryServer-3SP
      # ./stop-slapd; ./start-slapd
    3. Use the tail command to monitor the Directory Server error log and see that the server successfully starts up.

      # tail -50 logs/errors
    4. Use the netstat command to verify that the Directory Server port is open and listening.

      # netstat -an | grep 1390
      * 1390			*.*			0			0 49152			0 LISTEN
    5. Start the Administration Server that manages Directory Server.

      # cd /var/opt/mps/serverroot 
      # ./stop-admin; ./start-admin 

      Installation is successful if the Administration Server displays a start-up message.

    6. Use the netstat command to verify that the Administration Server port is open and listening.

      # netstat -an | grep 1391
      * 1391			*.*			0			0 49152			0 LISTEN

Procedure: To Install Directory Server 4SP

  1. As a root user, log in to the Directory Server 4SP host.

  2. Start the installer with the nodisplay option. Example:

    # cd /mnt/Solaris_sparc
    # ./installer -nodisplay
  3. When prompted, provide the following information:


    Welcome to the Sun Java(TM) Enterprise System; 
    serious software made simple...
    <Press ENTER to Continue>

    Press Enter. 


    <Press ENTER to display the Software 
    License Agreement>

    Press Enter. 


    Have you read, and do you accept, all of
    the terms of the preceding Software License
    Agreement?

    Enter y.


    Please enter a comma separated list of 
    languages you would like supported with this 
    installation

    Enter 8 to select “English only.”


    Enter a comma separated list of products
    to install, or press R to refresh the 
    list.

    Enter 6,20.

    Be sure you've specified Sun Java System Administration Server 5 2005Q4 and Sun Java System Directory Server 5 2005Q4. 


    Press "Enter" to Continue or Enter a comma 
    separatedlist of products to deselect.

    Press Enter. 


    Enter 1 to upgrade these shared components and 
    2 to cancel.

    If upgrades are required, enter 1 to upgrade shared components.


    Enter the name of the target 
    installation directory for each product:

    Accept the default value for each product. 


    System ready for installation...

    Enter 1 to continue.


    Select Type of Configuration

    Enter 1 to configure now.


    Enter Host Name [DirectoryServer-4SP]

    Accept the default value. 


    Enter DNS Domain Name [siroe.com]

    Accept the default value. 


    Enter IP Address [10.5.82.207]

    Accept the default value. 


    Enter Server admin User ID [admin]

    Accept the default value. 


    Enter Admin User's Password (Password cannot be 
    less than 8 characters)

    For this example, enter admin123.


    Confirm Admin User's Password []

    Enter the same password again. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter Server Admin ID [admin] 

    Accept the default value. 


    Enter Admin User's Password 
    (At least 8 characters long)

    For this example, enter admin123.


    Retype Password []

    Enter the same password again. 


    Enter Directory Manager DN 
    [cn=Directory Manager] 

    Accept the default value. 


    Enter Directory Manager's Password 
    (At least 8 characters long)

    For this example, enter 11111111.


    Retype Password []

    Enter the same password again. 


    Directory Server Root  
    [/var/opt/mps/serverroot]

    Accept the default value. 


    Enter Server Identifier [DirectoryServer-4SP]

    Accept the default value. 


    Enter Server Port [390]

    Enter 1390.


    Enter a valid Suffix 
    [siroe.com] 

    Enter dc=siroe,dc=com.


    Enter Administration Domain 
    [siroe.com]

    Accept the default value. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    This server's configuration can be stored in 
    this new directory server or in another 
    previously prepared configuration server.

    Enter 1 to choose “The new instance will be the configuration directory server.”


    This server can store its own user data 
    and group data, or it can access user data and 
    group data from another instance of directory 
    server. 

    Enter 1 to store data in the new directory server.


    The new directory server can be populated 
    with sample or real data. 

    Enter 4 to choose “Populate with no data.”


    Do you wish to disable Schema Checking 
    when importing data?

    Enter n.


    Enter the Server Root 
    [/var/opt/mps/serverroot]

    Accept the default value. 


    Enter the Administration Port [390]

    Enter 1391.


    Enter the Administration Domain 
    [siroe.com]  

    Accept the default value. 


    Enter System User [root]

    Accept the default value. 


    Enter System Group [root]

    Accept the default value. 


    Enter Administration ID for 
    Configuration Server 
    Administration ID[admin]

    Accept the default value. 


    Enter the admin Password []

    For this example, enter admin123.


    Enter the Configuration Directory Host 
    [DirectoryServer-4SP.siroe.com] 

    Accept the default value. 


    Enter the Configuration Directory Port [1390]

    Accept the default value. 


    Ready to Install.
    The following components will be installed:
    Directory Server Preparation Tool
    Directory Server 5
    Administration Server

    Enter 1 to install now.

  4. (Optional) During installation, you can monitor the log to watch for installation errors. Example:

    # cd /var/sadm/install/logs

    # tail -f Java_Enterprise_System_install.B xxxxxx

  5. Upon successful installation, enter ! to exit.

  6. Verify that Directory Server was successfully installed.

    1. As a root user, log in to Directory Server 4SP.

    2. Start the Directory Server.

      # cd /var/opt/mps/serverroot/slapd-DirectoryServer-4SP
      # ./stop-slapd; ./start-slapd
    3. Use the tail command to monitor the Directory Server error log and verify that the server successfully starts up.

      # tail -50 logs/errors
    4. Use the netstat command to verify that the Directory Server port is open and listening.

      # netstat -an | grep 1390
      * 1390			*.*			0			0 49152			0 LISTEN
    5. Start the Administration Server that manages Directory Server.

      # cd /var/opt/mps/serverroot 
      # ./stop-admin; ./start-admin 

      Installation is successful if the Administration Server displays a start-up message.

    6. Use the netstat command to verify that the Administration Server port is open and listening.

      # netstat -an | grep 1391
      * 1391			*.*			0			0 49152			0 LISTEN
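The `netstat -an | grep 1390` check in both installation procedures above matches any line containing the digits, including an established connection whose remote port happens to be 1390, a listener on 13900, or a socket in TIME_WAIT, so it can report success when the server is not actually listening. The following is an added example for this page, not code from the deployment guide or from Directory Server: it parses `netstat -an` output, keeps only sockets in LISTEN state, extracts the local port exactly, and reports which of the expected services (Directory Server on 1390, Administration Server on 1391) is not up. The sample output below is constructed in the Solaris layout the guide shows; the parser also accepts the form with the dot dropped, as printed on this page, and the Linux layout.

```python
"""Confirm that the Directory Server (1390) and Administration Server (1391)
ports are really in LISTEN state by parsing netstat -an output instead of
grepping for the port number.  Constructed example for this page; the sample
output is made up."""
import re
from typing import Dict, List, Set

EXPECTED = {1390: "Directory Server", 1391: "Administration Server"}


def listening_ports(netstat_output: str) -> Set[int]:
    """Local TCP ports in LISTEN state.  Handles the Solaris form ('*.1390'),
    the same form with the dot lost to line wrapping ('* 1390'), and the
    Linux form ('tcp 0 0 0.0.0.0:1390 0.0.0.0:* LISTEN')."""
    ports: Set[int] = set()
    for line in netstat_output.splitlines():
        tokens = line.split()
        if "LISTEN" not in tokens:
            continue
        if tokens[0].startswith("tcp") and len(tokens) > 3:   # Linux layout
            local = tokens[3]
        elif tokens[0] == "*" and len(tokens) > 1:             # '* 1390' (dot dropped)
            local = "*." + tokens[1]
        else:                                                   # '*.1390' or '10.5.82.207.1390'
            local = tokens[0]
        match = re.search(r"[.:](\d+)$", local)
        if match:
            ports.add(int(match.group(1)))
    return ports


def missing_listeners(netstat_output: str, expected: Dict[int, str] = EXPECTED) -> List[str]:
    """Names of expected services whose port is not listening; an empty list means all are up."""
    up = listening_ports(netstat_output)
    return [f"{name} (port {port})" for port, name in sorted(expected.items()) if port not in up]


# Constructed netstat -an excerpt (Solaris layout), not captured from a real host.
# The ESTABLISHED and *.13900 lines both contain "1390" and would satisfy a plain grep.
SAMPLE_ALL_UP = """
TCP: IPv4
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
      *.1390               *.*                0      0 49152      0 LISTEN
      *.1391               *.*                0      0 49152      0 LISTEN
10.5.82.207.1390     10.5.82.1.43120    49640      0 49640      0 ESTABLISHED
      *.13900              *.*                0      0 49152      0 LISTEN
"""

# Administration Server down; the TIME_WAIT line mentions 1391 but is not a listener.
SAMPLE_ADMIN_DOWN = """
      *.1390               *.*                0      0 49152      0 LISTEN
10.5.82.207.33012    10.5.82.5.1391     49640      0 49640      0 TIME_WAIT
"""

if __name__ == "__main__":
    print("all up:", missing_listeners(SAMPLE_ALL_UP) or "OK")
    print("admin down:", missing_listeners(SAMPLE_ADMIN_DOWN) or "OK")
```

On the host, pipe the real output in with `missing_listeners(subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout)`; an empty list is the result the installation steps are looking for.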

4.2 Creating New Directory Server Instances

On each Directory Server, create a new configuration instance and a new user data instance. When you're finished, Directory Server 3SP and Directory Server 4SP will each contain three instances. For example, Directory Server 3SP will contain three instances: DirectoryServer-3SP, fm-config, and fm-users. DirectoryServer-3SP stores Directory Server administration configuration. The instance named fm-config stores Federation Manager configuration, and the instance named fm-users stores Federation Manager user data. Directory Server 4SP will contain the identical directory structure.

Use the following as your checklist for creating new Directory Server instances:

  1. Create a new Configuration Instance in Directory Server 3SP.

  2. Create a new User Data Instance in Directory Server 3SP.

  3. Create a new Configuration Instance in Directory Server 4SP.

  4. Create a new User Data Instance in Directory Server 4SP.

Procedure: To Create a New Configuration Instance in Directory Server 3SP

Create a new data instance for storing Federation Manager configuration. This ensures that if you ever have to uninstall or restore Federation Manager configuration, the Directory Server configuration remains untouched and will not have to be restored.

  1. As a root user, log in to Directory Server 3SP.

    Set the X window display variable, and start the Directory Server 3SP console.

    # cd /var/opt/mps/serverroot/ 
    # export DISPLAY=DirectoryServer-3SP.siroe.com:1 
    # ./startconsole &
  2. Log in to the Directory Server 3SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-3SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Right-click on Server Group, and choose “Create an instance of Sun Directory Server.”

  5. In the Create New Instance dialog box, provide the following information:

    Server identifier:

    Enter fm-config.

    Network port:

    Enter 1389.

    Base suffix:

    Enter o=siroe.com.

    Directory Manager DN:

    Enter cn=Directory Manager

    Password:

    For this example, enter 11111111.

    Confirm Password:

    Enter the same password to confirm it.

    Server Runtime (UNIX) user ID:

    Enter root.

  6. Click OK, and then close the status window.

  7. Verify that the new Directory Server instance named fm-config successfully starts up.

    1. As a root user, log in to Directory Server 3SP.

    2. Start the new data Directory Server instance.


      # cd /var/opt/mps/serverroot/slapd-fm-config 
      # ./stop-slapd; ./start-slapd
    3. Use the tail command to monitor the Directory Server error log and see that the server starts up successfully.


      # tail -f logs/errors

Procedure: To Create a New User Data Instance in Directory Server 3SP

Create a new data instance for storing both Federation Manager configuration and user data. This ensures that if you ever have to uninstall or restore Federation Manager configuration, the Directory Server configuration remains untouched and will not have to be restored.

  1. As a root user, log in to Directory Server 3SP.

    Set the X window display variable, and start the Directory Server console.

    # cd /var/opt/mps/serverroot/ 
    # export DISPLAY=DirectoryServer-3SP.siroe.com:1 
    # ./startconsole &
  2. Log in to the Directory Server 3SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-3SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Right-click on Server Group, and choose “Create an instance of Sun Directory Server.”

  5. In the Create New Instance dialog box, provide the following information:

    Server identifier:

    Enter fm-users.

    Network port:

    Enter 1489.

    Base suffix:

    Enter o=siroeusers.com.

    Directory Manager DN:

    Enter cn=Directory Manager

    Password:

    For this example, enter 11111111.

    Confirm Password:

    Enter the same password to confirm it.

    Server Runtime (UNIX) user ID:

    Enter root.

  6. Click OK, and then close the status window.

  7. Verify that the new Directory Server instance named fm-users successfully starts up.

    1. As a root user, log in to Directory Server 3SP.

    2. Start the new data Directory Server instance.


      # cd /var/opt/mps/serverroot/slapd-fm-users 
      # ./stop-slapd; ./start-slapd
    3. Use the tail command to monitor the Directory Server error log and see that the server starts up successfully.


      # tail -f logs/errors

Procedure: To Create a New Configuration Instance in Directory Server 4SP

  1. As a root user, log in to Directory Server 4SP.

    Set the X window display variable, and start the Directory Server console.

    # cd /var/opt/mps/serverroot/ 
    # export DISPLAY=DirectoryServer-4SP.siroe.com:1 
    # ./startconsole &
  2. Log in to the Directory Server 4SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-4SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Right-click on Server Group, and choose “Create an instance of Sun Directory Server.”

  5. In the Create New Instance dialog box, provide the following information:

    Server identifier:

    Enter fm-config.

    Network port:

    Enter 1389.

    Base suffix:

    Enter o=siroe.com.

    Directory Manager DN:

    Enter cn=Directory Manager

    Password:

    For this example, enter 11111111.

    Confirm Password:

    Enter the same password to confirm it.

    Server Runtime (UNIX) user ID:

    Enter root.

  6. Click OK, and then close the status window.

  7. Verify that the new Directory Server instance named fm-config successfully starts up.

    1. As a root user, log in to Directory Server 4SP.

    2. Start the new data Directory Server instance.


      # cd /var/opt/mps/serverroot/slapd-fm-config 
      # ./stop-slapd; ./start-slapd
    3. Use the tail command to monitor the Directory Server error log and see that the server starts up successfully.


      # tail -f logs/errors

Procedure: To Create a New User Data Instance in Directory Server 4SP

  1. As a root user, log in to Directory Server 4SP.

    Set the X window display variable, and start the Directory Server console.

    # cd /var/opt/mps/serverroot/ 
    # export DISPLAY=DirectoryServer-4SP.siroe.com:1 
    # ./startconsole &
  2. Log in to the Directory Server 4SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-4SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Right-click on Server Group, and choose “Create an instance of Sun Directory Server.”

  5. In the Create New Instance dialog box, provide the following information:

    Server identifier:

    Enter fm-users.

    Network port:

    Enter 1489.

    Base suffix:

    Enter o=siroeusers.com.

    Directory Manager DN:

    Enter cn=Directory Manager

    Password:

    For this example, enter 11111111.

    Confirm Password:

    Enter the same password to confirm it.

    Server Runtime (UNIX) user ID:

    Enter root.

  6. Click OK, and then close the status window.

  7. Verify that the new Directory Server instance named fm-users successfully starts up.

    1. Log in as root to Directory Server 4SP.

    2. Start the new data Directory Server instance.


      # cd /var/opt/mps/serverroot/slapd-fm-users 
      # ./stop-slapd; ./start-slapd
    3. Use the tail command to monitor the Directory Server error log and see that the server starts up successfully.


      # tail -f logs/errors

4.3 Enabling Multi-Master Replication of the Configuration Instances

In this procedure you enable multi-master replication (MMR) between two directory masters. With MMR enabled, whenever a directory entry is changed in Directory Server 3SP, the change is automatically replicated in Directory Server 4SP. The reverse is also true.

Use the following as your checklist for enabling MMR among the configuration instances:

  1. Enable multi-master replication of the Configuration Instance on Directory Server 3SP.

  2. Enable multi-master replication of the Configuration Instance on Directory Server 4SP.

  3. Create a replication agreement for the Configuration Instance on Directory Server 3SP.

  4. Create a replication agreement for the Configuration Instance on Directory Server 4SP.

  5. Initialize the Configuration Instance master replica.
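The procedures that follow assign each master a replica ID (11 and 22), create one agreement in each direction between the fm-config instances on port 1389, and initialize the replica. Mistakes in that set of values (a duplicate replica ID, an agreement that points at the fm-users port 1489 instead of fm-config, or a missing return agreement) do not show up until replication silently fails to converge. The following is an added example for this page, not tooling from the deployment guide or from Directory Server: a small pre-flight validator over a description of the topology that checks replica-ID range and uniqueness, that every agreement points at a known master for the same suffix, and that agreements form a full mesh. It is written for any number of masters, not just two. The replica-ID range 1 to 65534 is assumed as the Directory Server 5.2 range; the host, port, suffix and ID values are the ones this section uses.

```python
"""Pre-flight check of a multi-master replication topology: unique replica IDs,
agreements that point at a real master for the same suffix, and a full mesh of
agreements.  Constructed example for this page; the values are the ones the
procedures in this section use."""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple

# Assumed Directory Server 5.2 range for master replica IDs (65535 is reserved for consumers).
REPLICA_ID_MIN, REPLICA_ID_MAX = 1, 65534


@dataclass(frozen=True)
class Master:
    name: str          # instance label, e.g. DirectoryServer-3SP
    host: str
    port: int
    suffix: str
    replica_id: int


@dataclass(frozen=True)
class Agreement:
    source: str        # name of the master the agreement is created on
    remote_host: str
    remote_port: int
    suffix: str


def validate_mmr(masters: Sequence[Master], agreements: Sequence[Agreement]) -> List[str]:
    """Return a list of problems; an empty list means the topology is consistent."""
    problems: List[str] = []
    by_name: Dict[str, Master] = {m.name: m for m in masters}
    by_endpoint: Dict[Tuple[str, int], Master] = {(m.host, m.port): m for m in masters}

    # 1. Replica IDs: in range and unique across all masters of the suffix.
    seen_ids: Dict[int, str] = {}
    for m in masters:
        if not REPLICA_ID_MIN <= m.replica_id <= REPLICA_ID_MAX:
            problems.append(f"{m.name}: replica ID {m.replica_id} outside {REPLICA_ID_MIN}..{REPLICA_ID_MAX}")
        elif m.replica_id in seen_ids:
            problems.append(f"{m.name}: replica ID {m.replica_id} already used by {seen_ids[m.replica_id]}")
        else:
            seen_ids[m.replica_id] = m.name

    # 2. Every agreement must point at another known master, for the same suffix.
    links: Set[Tuple[str, str]] = set()
    for a in agreements:
        src = by_name.get(a.source)
        target = by_endpoint.get((a.remote_host, a.remote_port))
        if src is None:
            problems.append(f"agreement on unknown master {a.source}")
        elif target is None:
            problems.append(f"{a.source}: agreement points at {a.remote_host}:{a.remote_port}, "
                            "which is not a known master")
        elif target.name == src.name:
            problems.append(f"{a.source}: agreement points at itself")
        elif a.suffix != src.suffix or a.suffix != target.suffix:
            problems.append(f"{a.source} -> {target.name}: suffix {a.suffix} does not match both replicas")
        else:
            links.add((src.name, target.name))

    # 3. Full mesh: each ordered pair of masters needs its own agreement.
    for src in masters:
        for dst in masters:
            if src is not dst and (src.name, dst.name) not in links:
                problems.append(f"no agreement from {src.name} to {dst.name}")
    return problems


# Values from this section: fm-config instances on port 1389, suffix o=siroe.com, replica IDs 11 and 22.
MASTERS = [
    Master("DirectoryServer-3SP", "DirectoryServer-3SP.siroe.com", 1389, "o=siroe.com", 11),
    Master("DirectoryServer-4SP", "DirectoryServer-4SP.siroe.com", 1389, "o=siroe.com", 22),
]
AGREEMENTS = [
    Agreement("DirectoryServer-3SP", "DirectoryServer-4SP.siroe.com", 1389, "o=siroe.com"),
    Agreement("DirectoryServer-4SP", "DirectoryServer-3SP.siroe.com", 1389, "o=siroe.com"),
]

if __name__ == "__main__":
    print(validate_mmr(MASTERS, AGREEMENTS) or "topology OK")
```

Fill in the `MASTERS` and `AGREEMENTS` lists from your own plan before walking through the console wizards; each problem string names the master or agreement to correct.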

Procedure: To Enable Multi-Master Replication of the Configuration Instance on Directory Server 3SP

  1. Start the Directory Server 3SP console.


    # cd /var/opt/mps/serverroot/ 
    # ./startconsole &
  2. Log in to the Directory Server 3SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-3SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Click to expand the Server Group.

    You should see three items: an Administration Server, a Directory Server (fm-config), and a Directory Server (fm-users).

  5. Double-click the instance name Directory Server (fm-config) to display the console for managing the instance fm-config.

  6. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroe.com.

    3. Click Replication.

  7. Click the “Enable replication” button to start the Replication Wizard.

  8. Select Master Replica, and then click Next to continue.

  9. Enter a Replica ID, and then click Next.

    For this example, when enabling replication on DirectoryServer-3SP, assign the number 11.

  10. If you have not already been prompted to select the change log file, you are prompted to select one now.

    The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.

  11. If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.

    The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter 11111111.

    1. Click Next.

    The Replication Wizard displays a status message while updating the replication configuration.

  12. Click Close when replication is finished.

Procedure: To Enable Multi-Master Replication of the Configuration Instance on Directory Server 4SP

  1. Start the Directory Server 4SP console.


    # cd /var/opt/mps/serverroot/ 
    # ./startconsole &
  2. Log in to the Directory Server 4SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-4SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Click to expand the Server Group.

    You should see three items: an Administration Server, a Directory Server (fm-config), and a Directory Server (fm-users).

  5. Double-click the instance name Directory Server (fm-config) to display the console for managing the instance fm-config.

  6. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroe.com.

    3. Click Replication.

  7. Click the “Enable replication” button to start the Replication Wizard.

  8. Select Master Replica, and then click Next to continue.

  9. Enter a Replica ID, and then click Next.

    For this example, when enabling replication on DirectoryServer-4SP, assign the number 22.

  10. If you have not already been prompted to select the change log file, you are prompted to select one now.

    The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.

  11. If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.

    The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter 11111111.

    1. Click Next.

    The Replication Wizard displays a status message while updating the replication configuration.

  12. Click Close when replication is finished.

ProcedureTo Create a Replication Agreement for the Configuration Instance on Directory Server 3SP

  1. On DirectoryServer-3SP, in the Directory Server console, display the general properties for the Directory Server instance named fm-config .

    Navigate through the tree in the left panel to find the Directory Server instance named fm-config, and click on the instance name to display its general properties.

  2. Click the Open button to display the console for managing the fm-config instance.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroe.com.

    3. Click Replication.

  4. Click the New button.

  5. In the Replication Agreement dialog box, click the Other button.

  6. In the Remote Server dialog box, provide the following information, and then click OK.

    Host

    DirectoryServer-4SP.siroe.com

    Port

    1389

    Secure Port

    Leave this box unmarked.

  7. In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.

    By default, the DN is that of the default replication manager.

  8. For the password of the replication manager, enter 11111111.

  9. (Optional) Provide a description string for this agreement.

    For this example, enter Replication from DirectoryServer-3SP to DirectoryServer-4SP.

  10. Click OK when done.

  11. In the confirmation dialog, click Yes to test the connection to the server and port number.

    Use the given replication manager and password 11111111.

    If the connection fails, you will still have the option of using this agreement. For example, the parameters are correct but the server is offline. When you have finished, the agreement appears in the list of replication agreements for this master replica.

ProcedureTo Create a Replication Agreement for the Configuration Instance on Directory Server 4SP

  1. On DirectoryServer-4SP, in the Directory Server console, display the general properties for the Directory Server instance named fm-config.

    Navigate through the tree in the left panel to find the Directory Server instance named fm-config, and click on the instance name to display its general properties.

  2. Click the Open button to display the console for managing the fm-config instance.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroe.com.

    3. Click Replication.

  4. Click the New button.

  5. In the Replication Agreement dialog box, click the Other button.

  6. In the Remote Server dialog box, provide the following information, and then click OK.

    Host

    DirectoryServer-3SP.siroe.com

    Port

    1389

    Secure Port

    Leave this box unmarked.

  7. In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.

    By default, the DN is that of the default replication manager.

  8. For the password of the replication manager, enter 11111111.

  9. (Optional) Provide a description string for this agreement.

    For this example, enter Replication from DirectoryServer-4SP to DirectoryServer-3SP.

  10. Click OK when done.

  11. In the confirmation dialog, click Yes to test the connection to the server and port number.

    Use the given replication manager and password.

    If the connection fails, you will still have the option of using this agreement. For example, the parameters are correct but the server is offline. When you have finished, the agreement appears in the list of replication agreements for this master replica.

ProcedureTo Initialize the Configuration Instance Master Replica

  1. In the Directory Server 3SP console, navigate through the tree in the left panel to find the Directory Server instance named fm-config.

    Click on the instance name to display its general properties.

  2. Double-click the instance name Directory Server (fm-config) in the tree to display the console for managing the data.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroe.com.

    3. Click Replication.

  4. In the list of defined agreements, select the replication agreement corresponding to Directory Server 4SP, the consumer you want to initialize.

  5. Click Action > Initialize remote replica.

    A confirmation message warns you that any information already stored in the replica on the consumer will be removed.

  6. In the Confirmation dialog, click Yes.

    Online consumer initialization begins immediately. The icon of the replication agreement shows a red gear to indicate the status of the initialization process.

  7. Click Refresh > Continuous Refresh to follow the status of the consumer initialization.

    Any messages for the highlighted agreement will appear in the text box below the list.

  8. Verify that replication is working properly.

    1. Log in to both Directory Server hosts as a root user, and start both Directory Server consoles.

    2. Log in to each Directory Server console.

    3. In each Directory Server console, enable the audit log on both Directory Server instances.

      Go to Configuration > Logs > Audit Log. Check Enable Logging, and then click Save.

    4. In separate terminal windows, use the tail -f command to watch the audit log files change.

    5. In the Directory Server 3SP console, create a new user entry.

      • Go to the Directory tab, and right-click the suffix o=siroe.com. Then click New > Group.

        Name the new group People, and then click OK.

      • Click People, and then right-click to choose New > User.

      • In the Create New User dialog, enter a first name and last name, and then click OK.

      Note that the user entry is created in the instance audit log. Check to be sure the same entry is also created in the Directory Server instance audit log on Directory Server 4SP.

    6. On DirectoryServer-4SP, in the Directory Server console, create a new user entry.

      • Go to the Directory tab, and right-click the suffix o=siroe.com. Click People, and then right-click to choose New > User.

      • In the Create New User dialog, enter a first name and last name, and then click OK.

        Note that the user entry is created in the instance audit log. Check to be sure the same entry is also created in the Directory Server instance audit log on Directory Server 3SP.

    7. Delete both new user entries in the Directory Server 4SP console.

      Look in the Directory Server 3SP console to verify that both users have been deleted.

4.4 Enabling Multi-Master Replication of the User Data Instances

Use the following as your checklist for enabling MMR among the user data instances:

  1. Enable multi-master replication for the User Data Instance on Directory Server 3SP.

  2. Enable multi-master replication for the User Data Instance on Directory Server 4SP.

  3. Create a replication agreement for the User Data Instance on Directory Server 3SP.

  4. Create a replication agreement for the User Data Instance on Directory Server 4SP.

  5. Initialize the User Data Instance master replica.

ProcedureTo Enable Multi-Master Replication for the User Data Instance on Directory Server 3SP

  1. On Directory Server 3SP, start the Directory Server console.


    # cd /var/opt/mps/serverroot/ 
    # ./startconsole &
  2. Log in to the Directory Server 3SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-3SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Click to expand the Server Group.

    You should see three items: an Administration Server, a Directory Server (fm-config), and a Directory Server (fm-users).

  5. Double-click the instance name Directory Server (fm-users) to display the console for managing the instance fm-users.

  6. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroeusers.com.

    3. Click Replication.

  7. Click the “Enable replication” button to start the Replication Wizard.

  8. Select Master Replica, and then click Next to continue.

  9. Enter a Replica ID, and then click Next.

    For this example, when enabling replication on Directory Server 3SP, assign the number 33.

  10. If you have not already been prompted to select the change log file, you are prompted to select one now.

    The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.

  11. If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.

    The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter 11111111.

    1. Click Next.

    The Replication Wizard displays a status message while updating the replication configuration.

  12. Click Close when replication is finished.

ProcedureTo Enable Multi-Master Replication for the User Data Instance on Directory Server 4SP

  1. Start the Directory Server 4SP console.


    # cd /var/opt/mps/serverroot/ 
    # ./startconsole &
  2. Log in to the Directory Server 4SP console.

    Username

    cn=Directory Manager

    Password

    11111111

    Administration URL

    http://DirectoryServer-4SP.siroe.com:1391

  3. In the Directory Server console, under the Servers and Applications tab, expand the Server Administration domain list until you see the Server Group item.

  4. Click to expand the Server Group.

    You should see three items: an Administration Server, a Directory Server (fm-config), and a Directory Server (fm-users).

  5. Double-click the instance name Directory Server (fm-users) to display the console for managing the instance fm-users.

  6. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroeusers.com.

    3. Click Replication.

  7. Click the “Enable replication” button to start the Replication Wizard.

  8. Select Master Replica, and then click Next to continue.

  9. Enter a Replica ID, and then click Next.

    For this example, when enabling replication on Directory Server 4SP, assign the number 44.

  10. If you have not already been prompted to select the change log file, you are prompted to select one now.

    The default change log file is shown in the text field. If you do not wish to use the default, type in a filename for the change log, or click Browse to display a file selector. If the change log has already been enabled, the wizard will skip this step.

  11. If you have not already been prompted to enter and confirm a password for the default replication manager, you are prompted now.

    The replication manager is not used in the case of single-master replication, but you must still enter a password to proceed. For this example, enter 11111111.

    1. Click Next.

    The Replication Wizard displays a status message while updating the replication configuration.

  12. Click Close when replication is finished.

ProcedureTo Create a Replication Agreement for the User Data Instance on Directory Server 3SP

  1. In the Directory Server 3SP console, display the general properties for the Directory Server instance named fm-users.

    Navigate through the tree in the left panel to find the Directory Server instance named fm-users, and click on the instance name to display its general properties.

  2. Click the Open button to display the console for managing the fm-users instance.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroeusers.com.

    3. Click Replication.

  4. Click the New button.

  5. In the Replication Agreement dialog box, click the Other button.

  6. In the Remote Server dialog box, provide the following information, and then click OK.

    Host

    DirectoryServer-4SP.siroe.com

    Port

    1489

    Secure Port

    Leave this box unmarked.

  7. In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.

    By default, the DN is that of the default replication manager.

  8. For the password of the replication manager, enter 11111111.

  9. (Optional) Provide a description string for this agreement.

    For this example, enter Replication from DirectoryServer-3SP to DirectoryServer-4SP.

  10. Click OK when done.

  11. In the confirmation dialog, click Yes to test the connection to the server and port number.

    Use the given replication manager and password 11111111.

    If the connection fails, you will still have the option of using this agreement. For example, the parameters are correct but the server is offline. When you have finished, the agreement appears in the list of replication agreements for this master replica.

ProcedureTo Create a Replication Agreement for the User Data Instance on Directory Server 4SP

  1. On DirectoryServer-4SP, in the Directory Server console, display the general properties for the Directory Server instance named fm-users.

    Navigate through the tree in the left panel to find the Directory Server instance named fm-users, and click on the instance name to display its general properties.

  2. Click the Open button to display the console for managing the fm-users instance.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroeusers.com.

    3. Click Replication.

  4. Click the New button.

  5. In the Replication Agreement dialog box, click the Other button.

  6. In the Remote Server dialog box, provide the following information, and then click OK.

    Host

    DirectoryServer-3SP.siroe.com

    Port

    1489

    Secure Port

    Leave this box unmarked.

  7. In the Replication Agreement dialog, for the distinguished name (DN) of the replication manager entry on the consumer server, accept the default value.

    By default, the DN is that of the default replication manager.

  8. For the password of the replication manager, enter 11111111.

  9. (Optional) Provide a description string for this agreement.

    For this example, enter Replication from DirectoryServer-4SP to DirectoryServer-3SP.

  10. Click OK when done.

  11. In the confirmation dialog, click Yes to test the connection to the server and port number.

    Use the given replication manager and password.

    If the connection fails, you will still have the option of using this agreement. For example, the parameters are correct but the server is offline. When you have finished, the agreement appears in the list of replication agreements for this master replica.

ProcedureTo Initialize the User Data Instance Master Replica

  1. In the Directory Server 3SP console, navigate through the tree in the left panel to find the Directory Server instance named fm-users.

    Click on the instance name to display its general properties.

  2. Double-click the instance name Directory Server (fm-users) in the tree to display the console for managing the data.

  3. Click the Configuration tab and navigate to the Replication pane.

    1. Expand the Data node.

    2. Expand the node for the suffix you want to be a master replica.

      In this example, double-click the suffix o=siroeusers.com.

    3. Click Replication.

  4. In the list of defined agreements, select the replication agreement corresponding to Directory Server 4SP, the consumer you want to initialize.

  5. Click Action > Initialize remote replica.

    A confirmation message warns you that any information already stored in the replica on the consumer will be removed.

  6. In the Confirmation dialog, click Yes.

    Online consumer initialization begins immediately. The icon of the replication agreement shows a red gear to indicate the status of the initialization process.

  7. Click Refresh > Continuous Refresh to follow the status of the consumer initialization.

    Any messages for the highlighted agreement will appear in the text box below the list.

  8. Verify that replication is working properly.

    1. As a root user, log in to both Directory Server hosts, and start both Directory Server consoles.

    2. Log in to each Directory Server console.

    3. In each Directory Server console, enable the audit log on both Directory Server instances.

      Go to Configuration > Logs > Audit Log. Check Enable Logging, and then click Save.

    4. In separate terminal windows, use the tail -f command to watch the audit log files change.

    5. In the Directory Server 3SP console, create a new user entry.

      • Go to the Directory tab, and right-click the suffix o=siroeusers.com. Then click New > Group.

        Name the new group People, and then click OK.

      • Click People, and then right-click to choose New > User.

      • In the Create New User dialog, enter a first name and last name, and then click OK.

      Note that the user entry is created in the instance audit log. Check to be sure the same entry is also created in the Directory Server instance audit log on DirectoryServer-4SP.

    6. In the Directory Server 4SP console, create a new user entry.

      • Go to the Directory tab, and right-click the suffix o=siroeusers.com. Click People, and then right-click to choose New > User.

    7. Delete both new user entries in the Directory Server 4SP console.

      Look in the Directory Server 3SP console to verify that both users have been deleted.

4.5 Configuring the Directory Server Load Balancers

In the following procedures, you configure one load balancer in front of the Directory Server configuration instances, and one load balancer in front of the Directory Server user data instances.

Use the following as your checklist for configuring the Directory Server load balancers:

  1. Configure Load Balancer 7 for the Directory Server Configuration instances.

  2. Configure Load Balancer 8 for the Directory Server User Data instances.

4.5.1 Simple Persistence

In this deployment, both Directory Server load balancers are configured for simple persistence. When the load balancer is configured for simple persistence, all Federation Manager requests sent within a specified interval are sent to the same Directory Server for processing. Simple persistence ensures that within the specified interval, no errors or delays occur due to replication time or redirects when retrieving data.

When a request requires information to be written to Directory Server 3SP, that information is also replicated in Directory Server 4SP. But the replication takes time to complete. During that time, if a related request is directed by the load balancer to Directory Server 4SP, the request may fail.

For example, when simple persistence is not configured properly, creating a realm from the Federation Manager administration console could fail in the following way. A request for the parent entry creation is routed to Directory Server 3SP, and a second request to create the subentry is routed to Directory Server 4SP. But if the parent entry request is not yet fully replicated to Directory Server 4SP, the subentry request fails. The result is a partially created realm which may not contain all its subentries such as realm administration roles. Simple persistence eliminates this type of error. When persistence is properly configured, both the parent entry request and the subentry request are routed to Directory Server 3SP. The requests are processed in consecutive order. The parent entry is fully created before the subentry request begins processing.
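The race described above, as an added simulation that is not part of the deployment guide: two Directory Server masters with asynchronous replication sit behind a round-robin load balancer, and the console's parent-then-subentry writes are replayed with and without simple persistence. The lag, timeout and tick values are constructed, and the persistence table being refreshed by every request from the same source is a modeling assumption; the `converged` check goes one step beyond the text by showing that the masters agree again once replication catches up, but the subentry is still missing.

```python
from collections import deque

SUFFIX = "o=siroe.com"          # configuration suffix used in this deployment


class Replica:
    """One Directory Server master. Writes are accepted locally and reach the
    peer master only after `lag` ticks, which stands in for replication time."""

    def __init__(self, name, lag):
        self.name = name
        self.lag = lag
        self.entries = {SUFFIX}  # the suffix entry itself already exists
        self.outbound = deque()  # (deliver_at, dn), oldest first
        self.peer = None

    def add(self, dn, now):
        """Add an entry. Fails, as an LDAP ADD would with noSuchObject,
        when the parent entry is not (yet) present on this master."""
        parent = dn.split(",", 1)[1]
        if parent not in self.entries:
            return False
        self.entries.add(dn)
        self.outbound.append((now + self.lag, dn))
        return True

    def deliver(self, now):
        """Apply every queued change whose delivery time has arrived to the peer."""
        while self.outbound and self.outbound[0][0] <= now:
            self.peer.entries.add(self.outbound.popleft()[1])


class LoadBalancer:
    """Round-robin pool with optional simple (source address) persistence.
    A client stays pinned to the member that served it until `persistence_timeout`
    ticks pass with no request from that client (modeling assumption)."""

    def __init__(self, pool, persistence_timeout=None):
        self.pool = pool
        self.timeout = persistence_timeout  # None: persistence disabled
        self.next_index = 0
        self.pinned = {}  # client -> (replica, tick of last request)

    def route(self, client, now):
        if self.timeout is not None:
            hit = self.pinned.get(client)
            if hit and now - hit[1] < self.timeout:
                self.pinned[client] = (hit[0], now)
                return hit[0]
        replica = self.pool[self.next_index % len(self.pool)]
        self.next_index += 1
        if self.timeout is not None:
            self.pinned[client] = (replica, now)
        return replica


def build_site(lag=5, persistence_timeout=None):
    """Two masters replicating to each other behind one load balancer."""
    ds3 = Replica("DirectoryServer-3SP", lag)
    ds4 = Replica("DirectoryServer-4SP", lag)
    ds3.peer, ds4.peer = ds4, ds3
    return LoadBalancer([ds3, ds4], persistence_timeout)


def create_realm(lb, client="FederationManager-1", gap=1):
    """Issue the two dependent writes the console sends for a new realm:
    the realm entry, then a sub-entry under it `gap` ticks later.
    Returns (parent_ok, child_ok)."""
    parent_dn = "o=realm1," + SUFFIX
    child_dn = "cn=Realm Administrator,o=realm1," + SUFFIX
    now = 0
    parent_ok = lb.route(client, now).add(parent_dn, now)
    now += gap
    for replica in lb.pool:          # replication that completed meanwhile
        replica.deliver(now)
    child_ok = lb.route(client, now).add(child_dn, now)
    return parent_ok, child_ok


def converged(lb, now):
    """True once both masters hold the same entries at tick `now`."""
    for replica in lb.pool:
        replica.deliver(now)
    first, second = lb.pool
    return first.entries == second.entries


if __name__ == "__main__":
    print("round robin only:      ", create_realm(build_site()))
    print("simple persistence 300:", create_realm(build_site(persistence_timeout=300)))
```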

ProcedureTo Configure Load Balancer 7 for the Directory Server Configuration Instances

  1. Create a Pool.

    A pool contains all the backend server instances.

    1. Go to the URL for the BIG-IP load balancer login page.

    2. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

    3. In the left pane, click Pools.

    4. On the Pools tab, click the Add button.

    5. In the Add Pool dialog, provide the following information:

      Pool Name

      Example: federation_ds_pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address of both Directory Server hosts. In this example:

      192.18.69.135 (for DirectoryServer-3SP:1389)

      192.18.72.136 (for DirectoryServer-4SP:1389)

    6. Click the Done button.

  2. Add a Virtual Server.

    If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.

    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click the Add button.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      192.18.69.16 (for LoadBalancer-7.siroe.com)

      Service

      389

      Pool

      federation_ds_pool

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the Pool (federation_ds_pool) that you have just created.

    6. Click the Done button.

  3. Add Monitors

    Monitors are required for the load balancer to detect the backend server failures.

    1. In the left frame, click Monitors.

    2. Click the Basic Associations tab.

    3. Add an LDAP monitor for the Directory Server 3SP node.

      Three columns exist on this page: Node, Node Address, and Service. In the Node column, locate the IP address and port number for DirectoryServer-3SP:1389. Select the Add checkbox.

    4. Add an LDAP monitor for the Directory Server 4SP node.

      In the Node column, locate the IP address and port number for DirectoryServer-4SP:1389. Select the Add checkbox.

    5. At the top of the Node column, in the drop-down list, choose tcp.

    6. Click Apply.

  4. Configure the load balancer for simple persistence.

    1. In the left frame, click Pools.

    2. Click the name of the pool you want to configure.

      In this example, federation_ds_pool.

    3. Click the Persistence tab.

    4. On the Persistence tab, under Persistence Type, select Simple.

    5. Set the timeout interval.

      In the Timeout field, enter 300 seconds.

    6. Click Apply.

  5. Verify the Directory Server load balancer configuration.

    1. Log in as a root user to the host of each Directory Server.

    2. On each Directory Server host, use the tail command to monitor the Directory Server access log.

      # cd /var/opt/mps/serverroot/slapd-fm-config/logs
      # tail -f access

      You should see connections to the load balancer IP address opening and closing. Example:

      conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 
      192.18.69.18 to 192.18.72.33
      conn=54 op=-1 msgId=-1 - closing - B1
      conn=54 op=-1 msgId=-1 - closed.
    3. Execute the following LDAP search against the Directory Server load balancer:


      # cd /var/opt/mps/serverroot/shared/bin/
      # ./ldapsearch -h LoadBalancer-7.siroe.com -p 389 -b "o=siroe.com" \
      -D "cn=directory manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Make sure the directory access entries display in only one Directory Server access log.

    4. Stop Directory Server 3SP, and again perform the following LDAP search against the Directory Server load balancer:


      # ./ldapsearch -h LoadBalancer-7.siroe.com -p 389 -b "o=siroe.com" \
      -D "cn=directory manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Verify that the Directory Server access entries display in only one Directory Server access log.

    5. If you encounter the following error message:


      # ./ldapsearch -h 192.18.69.13 -p 1389 -b "o=siroeusers.com" \
      -D "cn=Directory Manager" -w 11111111
      ldap_simple_bind: Can't connect to the LDAP server - Connection refused

      You can reset the timeout properties to lower values:

      • In the load balancer console, click the Monitors tab, and then click the ldap-tcp monitor name.

      • In the Interval field, set the value to 5.

      • In the Timeout field, set the value to 16.

      • Click Apply.

      Repeat the LDAP search.

    6. Restart the stopped Directory Server 3SP, and then stop Directory Server 4SP.

      Confirm that the requests are forwarded to the running Directory Server 4SP.

    7. Perform the following LDAP search against the Directory Server load balancer.


      # ./ldapsearch -h LoadBalancer-7.siroe.com -p 389 -b "o=siroe.com" \
      -D "cn=Directory Manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Make sure the directory access entries display in only the one Directory Server access log.
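An added script, not from the guide, that automates the access-log part of the check in steps 3 through 7 (and the same check for Load Balancer 8): it attributes each SRCH operation in a Directory Server access log to the source address recorded on its connection-open line, then confirms that searches arriving from the load balancer appear in only one server's log. The log lines are constructed to match the excerpt shown above; 192.18.69.18 is the load balancer source address from that excerpt, and the other addresses and timestamps are made up.

```python
import re
from collections import defaultdict

# Connection-open record, in the form shown in the access log excerpt above.
CONN_OPEN = re.compile(
    r"conn=(?P<conn>\d+) op=-1 msgId=-1 - fd=\d+ slot=\d+ "
    r"LDAP connection from (?P<src>[\d.]+) to (?P<dst>[\d.]+)"
)
# Operation record; only the operation type (BIND, SRCH, RESULT, ...) matters here.
OPERATION = re.compile(r"conn=(?P<conn>\d+) op=\d+ msgId=\d+ - (?P<type>[A-Z]+)\b")


def searches_by_source(lines):
    """Count SRCH operations per client source address in one access log."""
    source_of_conn = {}
    counts = defaultdict(int)
    for line in lines:
        opened = CONN_OPEN.search(line)
        if opened:
            source_of_conn[opened["conn"]] = opened["src"]
            continue
        op = OPERATION.search(line)
        if op and op["type"] == "SRCH":
            counts[source_of_conn.get(op["conn"], "unknown")] += 1
    return dict(counts)


def single_backend_served(logs_by_server, lb_address):
    """Return (ok, per-server SRCH counts) for traffic arriving from lb_address.

    ok is True only when exactly one server handled searches from the load
    balancer, which is what simple persistence should produce.
    """
    counts = {
        server: searches_by_source(lines).get(lb_address, 0)
        for server, lines in logs_by_server.items()
    }
    return sum(1 for c in counts.values() if c > 0) == 1, counts


# Constructed sample logs: DirectoryServer-3SP serves the bind and search,
# DirectoryServer-4SP sees only the monitor's open/close probes plus one
# search from an administrator workstation (a made-up address).
DS3_LOG = [
    "[21/Apr/2006:10:15:01 -0700] conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 192.18.69.18 to 192.18.72.33",
    '[21/Apr/2006:10:15:01 -0700] conn=54 op=0 msgId=1 - BIND dn="cn=directory manager" method=128 version=3',
    "[21/Apr/2006:10:15:01 -0700] conn=54 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0",
    '[21/Apr/2006:10:15:01 -0700] conn=54 op=1 msgId=2 - SRCH base="o=siroe.com" scope=2 filter="(objectClass=*)" attrs=ALL',
    "[21/Apr/2006:10:15:02 -0700] conn=54 op=1 msgId=2 - RESULT err=0 tag=101 nentries=12 etime=0",
    "[21/Apr/2006:10:15:02 -0700] conn=54 op=2 msgId=3 - UNBIND",
    "[21/Apr/2006:10:15:02 -0700] conn=54 op=2 msgId=-1 - closing - U1",
    "[21/Apr/2006:10:15:02 -0700] conn=54 op=-1 msgId=-1 - closed.",
]
DS4_LOG = [
    "[21/Apr/2006:10:15:01 -0700] conn=88 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 192.18.69.18 to 192.18.72.34",
    "[21/Apr/2006:10:15:01 -0700] conn=88 op=-1 msgId=-1 - closing - B1",
    "[21/Apr/2006:10:15:01 -0700] conn=88 op=-1 msgId=-1 - closed.",
    "[21/Apr/2006:10:16:00 -0700] conn=89 op=-1 msgId=-1 - fd=23 slot=23 LDAP connection from 192.18.69.200 to 192.18.72.34",
    '[21/Apr/2006:10:16:00 -0700] conn=89 op=1 msgId=2 - SRCH base="o=siroe.com" scope=0 filter="(objectClass=*)" attrs=ALL',
]

SAMPLE_LOGS = {"DirectoryServer-3SP": DS3_LOG, "DirectoryServer-4SP": DS4_LOG}

if __name__ == "__main__":
    ok, counts = single_backend_served(SAMPLE_LOGS, "192.18.69.18")
    print("persistence check", "passed" if ok else "FAILED", counts)
```

On a real host, feed the script each server's `access` file (the lines the `tail -f access` step displays) and run it again after each failover step.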

ProcedureTo Configure Load Balancer 8 for the Directory Server User Data Instances

  1. Create a Pool.

    A pool contains all the backend server instances.

    1. Go to the URL for the BIG-IP load balancer login page.

    2. Open the Configuration Utility.

      Click “Configure your BIG-IP (R) using the Configuration Utility.”

    3. In the left pane, click Pools.

    4. On the Pools tab, click the Add button.

    5. In the Add Pool dialog, provide the following information:

      Pool Name

      Example: federation_users_pool

      Load Balancing Method

      Round Robin

      Resources

      Add the IP address of both Directory Server hosts. In this example:

      192.18.69.135 (for DirectoryServer-3SP:1489)

      192.18.72.136 (for DirectoryServer-4SP:1489)

    6. Click the Done button.

  2. Add a Virtual Server.

    If you encounter Javascript errors or otherwise cannot proceed to create a virtual server, try using Microsoft Internet Explorer for this step.

    1. In the left frame, click Virtual Servers.

    2. On the Virtual Servers tab, click the Add button.

    3. In the Add a Virtual Server dialog box, provide the following information:

      Address

      192.18.69.16 (for LoadBalancer-8.siroe.com)

      Service

      1389

      Pool

      federation_users_pool

    4. Continue to click Next until you reach the Pool Selection dialog box.

    5. In the Pool Selection dialog box, assign the Pool (federation_users_pool) that you have just created.

    6. Click the Done button.

  3. Add Monitors

    Monitors are required for the load balancer to detect the backend server failures.

    1. In the left frame, click Monitors.

    2. Click the Basic Associations tab.

    3. Add an LDAP monitor for the Directory Server 3SP node.

      Three columns exist on this page: Node, Node Address, and Service. In the Node column, locate the IP address and port number for DirectoryServer-3SP:1489. Select the Add checkbox.

    4. Add an LDAP monitor for the Directory Server 4SP node.

      In the Node column, locate the IP address and port number for DirectoryServer-4SP:1489. Select the Add checkbox.

    5. At the top of the Node column, in the drop-down list, choose ldap-tcp.

    6. Click Apply.

  4. Configure the load balancer for simple persistence.

    1. In the left frame, click Pools.

    2. Click the name of the pool you want to configure.

      In this example, federation_users_pool.

    3. Click the Persistence tab.

    4. On the Persistence tab, under Persistence Type, select Simple.

    5. Set the timeout interval.

      In the Timeout field, enter 300 seconds.

    6. Click Apply.

  5. Verify the Directory Server load-balancer configuration.

    1. Log in as a root user to the host of each Directory Server.

    2. On each Directory Server host, use the tail command to monitor the Directory Server access log.

      # cd /var/opt/mps/serverroot/slapd-fm-users/logs
      # tail -f access

      You should see connections to the load balancer IP address opening and closing. Example:

      conn=54 op=-1 msgId=-1 - fd=22 slot=22 LDAP connection from 
      192.18.69.18 to 192.18.72.33
      conn=54 op=-1 msgId=-1 - closing - B1
      conn=54 op=-1 msgId=-1 - closed.
    3. Execute the following LDAP search against the Directory Server load balancer:


      # cd /var/opt/mps/serverroot/shared/bin/
      # ./ldapsearch -h LoadBalancer-8.siroe.com -p 1389 -b "o=siroeusers.com" \
      -D "cn=directory manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Make sure the directory access entries display in only one Directory Server access log.

    4. Stop Directory Server 3SP, and again perform the following LDAP search against the Directory Server load balancer:


      # ./ldapsearch -h LoadBalancer-8.siroe.com -p 1389 -b "o=siroeusers.com" \
      -D "cn=directory manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Verify that the Directory Server access entries display in only one Directory Server access log.

    5. If you encounter the following error message:

      # ./ldapsearch -h 192.18.69.13 -p 1389 -b "o=siroeusers.com" \
      -D "cn=Directory Manager" -w 11111111
      ldap_simple_bind: Can't connect to the LDAP server - Connection refused

      You can reset the timeout properties to lower values:

      • In the load balancer console, click the Monitors tab, and then click the ldap-tcp monitor name.

      • In the Interval field, set the value to 5.

      • In the Timeout field, set the value to 16.

      • Click Apply.

      Repeat the LDAP search.

    6. Restart the stopped Directory Server 3SP, and then stop Directory Server 4SP.

      Confirm that the requests are forwarded to the running Directory Server 4SP.

    7. Perform the following LDAP search against the Directory Server load balancer.


      # ./ldapsearch -h LoadBalancer-8.siroe.com -p 1389 -b "o=siroeusers.com" \
      -D "cn=Directory Manager" -w 11111111 "(objectclass=*)"

      The ldapsearch operation should return entries. Make sure the directory access entries display in only the one Directory Server access log.

Chapter 5 Configuring Federation Manager Servers to Work with Directory Servers

This chapter contains detailed information about the following groups of tasks:

5.1 Migrating Federation Manager 1 Configuration from Flat Files to Directory Servers

Use the following as your checklist for migrating Federation Manager 1 configuration from flat files to the Directory Servers:

  1. Migrate Federation Manager 1 services schema into the Directory Servers.

  2. Update the Federation Manager 1 serverconfig.xml file.

  3. Update the Federation Manager 1 AMConfig.properties file.

  4. Regenerate and redeploy the Federation Manager 1 WAR file.

  5. Update the Platform Server list.

ProcedureTo Migrate Federation Manager 1 Services Schema into the Directory Servers

The Federation Manager LDIF files are located in the following directory:

/opt/SUNWam/fm/ldif

The file fm_sm_sds_schema.ldif is for use with Sun Directory Server. The file fm_sm_ad_schema.ldif is for use with Microsoft Active Directory.

  1. As a root user, log in to the Federation Manager 1 host.

  2. Load the Federation Manager schema into the Directory Server configuration instance.


    # cd /opt/SUNWam/fm/ldif
    # ldapmodify -D "cn=Directory Manager" -w 11111111 -h LoadBalancer-7.siroe.com 
    -p 389 -f ./fm_sm_sds_schema.ldif

    The ldapmodify utility loads the object classes and service attributes required for Federation Manager services into the Directory Server schema.

  3. On each of the Directory Server hosts, you can watch the error logs for LDIF errors.


    # cd /var/opt/mps/serverroot/slapd-fm-config/logs
    # tail -f errors
  4. Migrate the Federation Manager services schema from flat files to the Directory Server.


    # cd /opt/SUNWam/fm/bin
    # ./fmff2ds -h LoadBalancer-7.siroe.com -p 389 -r "o=siroe.com" 
    -f /var/opt/SUNWam/fm/federation 
    -u "cn=Directory Manager" -w 11111111 
    -j /usr/jdk/instances/jdk.5.0
  5. Verify that Federation Manager schema was successfully moved to the Directory Server.

    1. Start the Directory Server 3SP console.


      # cd /var/opt/mps/serverroot/
      # ./startconsole &
    2. Log in to the Directory Server console.

      User ID:

      cn=Directory Manager

      Password

      11111111

      Administration URL:

      http://DirectoryServer-3SP.siroe.com:1391

    3. In the navigation pane, expand the DirectoryServer-3SP.siroe.com host node, and then expand Server Group.

    4. Double-click the Directory Server (fm-config) instance, and open its console.

    5. Click the Directory tab.

    6. Under the o=siroe.com suffix, expand the Services object.

      All of the Federation Manager services are displayed.

ProcedureTo Update the Federation Manager 1 serverconfig.xml File

  1. Go the following directory that contains the serverconfig.xml file:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config/
  2. Make a backup of the file serverconfig.xml, and then make the following changes in serverconfig.xml:

    1. In the following entry, change the host name and port number attribute values:


      <iPlanetDataAccessLayer>
          <ServerGroup name="default" minConnPool="1" maxConnPool="10">
              <Server name="Server1" host="LoadBalancer-7.siroe.com"
                      port="389" type="SIMPLE" />
              <User name="User1" type="proxy">
                  <DirDN>
                      uid=amadmin,ou=people,o=siroe.com
    2. Verify that the following user entries exist in the file:


      <User name="User1" type="proxy">
          <DirDN>
              uid=amadmin,ou=people,o=siroe.com
          </DirDN>
          <DirPassword>
              AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
          </DirPassword>
      </User>
      <User name="User2" type="admin">
          <DirDN>
              uid=amadmin,ou=people,o=siroe.com
          </DirDN>
          <DirPassword>
              AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
          </DirPassword>
      </User>

    In this deployment example, the proxy user and the administrative user have the same DN; in effect, they are the same user. Both are superusers over the ou=services branch of the Directory Server, which holds the Federation Manager configuration, so they can read, write, and search that configuration. The DirPassword values are not the clear-text password; they are the encoded form Federation Manager writes into this file. The user amadmin does not exist in the Directory Server at this point; the next step creates it.

  3. Add the user amadmin to the Directory Server.

    1. On the Federation Manager 1 host, go to the following directory:


      /opt/SUNWam/fm/bin
    2. Create a file named amadminconfig.ldif with the following entries:


          
          dn: ou=People,o=siroe.com
          changetype: add
          objectClass: top
          objectClass: organizationalunit

          dn: uid=amAdmin,ou=People,o=siroe.com
          changetype: add
          objectclass: inetuser
          objectclass: inetorgperson
          objectclass: organizationalperson
          objectclass: person
          objectclass: top
          objectClass: iPlanetPreferences
          objectclass: inetAdmin
          inetuserstatus: Active
          cn: amAdmin
          sn: amAdmin
          userPassword: 11111111

          dn: o=siroe.com
          changetype: modify
          add: aci
          aci: (target="ldap:///ou=services,*o=siroe.com")(targetattr = "*")(version 3.0; acl "S1IS Top-level Admin Role access allow"; allow (all) userdn = "ldap:///uid=amAdmin,ou=People,o=siroe.com";)

      This LDIF creates a People container and the user amAdmin, and adds an ACI to o=siroe.com that grants amAdmin all rights (read, write, and search among them) on the target shown in the aci. Each record is separated from the next by an empty line; ldapmodify rejects the file if a record lacks its dn: line or the separator.

    3. Use the ldapmodify utility to load ./amadminconfig.ldif into the Directory Server 3SP.


      # ldapmodify -D "cn=Directory Manager" -w 11111111 
      -h LoadBalancer-7.siroe.com -p 389 -f amadminconfig.ldif

ProcedureTo Update the Federation Manager 1 AMConfig.properties File

  1. Go to the directory that contains the AMConfig.properties file:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes
  2. In AMConfig.properties, set the implementation class for the SM data store.

    Make a backup of the AMConfig.properties file, and then set the following property:


    com.sun.identity.sm.sms_object_class_name=com.sun.identity.sm.ldap.SMSLdapObject

ProcedureTo Regenerate and Redeploy the Federation Manager 1 WAR File

  1. On the Federation Manager 1 host, run the fmwar command.


    # cd /opt/SUNWam/fm/bin
    # ./fmwar -n federation -d /var/opt/SUNWam/fm/war_staging -s /export/fmsilent
  2. Undeploy the existing Federation Manager WAR 1 file.


    # cd /opt/SUNWwbsvr/bin/https/bin
    # ./wdeploy delete -u /federation -i FederationManager-1.siroe.com 
    -v https-FederationManager-1.siroe.com -n hard

    The -n hard option deletes the directory where Federation Manager is exported as well as the URI. If you use the -n soft option, only the URI is deleted.

  3. Deploy the customized Federation Manager 1 WAR file.


    # ./wdeploy deploy -u /federation -i FederationManager-1.siroe.com
     -v https-FederationManager-1.siroe.com 
    /var/opt/SUNWam/fm/war_staging/federation.war

    This WAR file contains all the SAMLv2 configuration and Directory Server configuration you completed in the previous tasks.

  4. Restart the Federation Manager web container.


    # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com
    # ./stop
    # ./start
  5. Verify that you can access the Federation Manager 1 server.

    1. In a browser, go to the Federation Manager URL:


      http://FederationManager-1.siroe.com:8080/federation/UI/Login
    2. Log in to the Federation Manager console:

      User Name:

      amadmin

      Password:

      11111111

    If you can log in successfully, the WAR file was deployed successfully.

ProcedureTo Update the Platform Server List

  1. In a browser, go to the Federation Manager URL:


    http://FederationManager-1.siroe.com:8080/federation/UI/Login
  2. Log in to the Federation Manager console:

    User Name:

    amadmin

    Password:

    11111111

  3. Click the Configuration tab, and then go to the “System properties | Platform” section of the page.

  4. Add a new entry to the Server List.

    In the Server List field, enter the following:


    http://FederationManager-2.siroe.com:8080|02

    Click Add.

  5. Click Save, and then log out of the Federation Manager console.

5.2 Migrating Federation Manager 1 User Data from Flat Files to Directory Servers

Use the following as your checklist for migrating Federation Manager 1 user data from flat files to Directory Servers:

  1. Load SAMLv2 users schema into the Directory Servers.

  2. Update the Federation Manager 1 AMConfig.properties file.

  3. Update the Federation Manager 1 serverconfig.xml file.

ProcedureTo Load SAMLv2 Users Schema into the Directory Servers

The Federation Manager LDIF files are located in the following directory:

/opt/SUNWam/saml2/ldif

The file saml2_sds_schema.ldif is for use with Sun Directory Server. The file saml2_ad_schema.ldif is for use with Microsoft Active Directory.

  1. Load the Federation Manager schema into the Directory Servers.


    # cd /opt/SUNWam/saml2/ldif
    # ldapmodify -D "cn=Directory Manager" -w 11111111 -h LoadBalancer-8.siroe.com 
    -p 1389 -f saml2_sds_schema.ldif
    

    The ldapmodify utility loads the object classes and user attributes required for Federation Manager users into the Directory Server schema.

  2. On each of the Directory Server hosts, you can watch the error logs for LDIF errors.


    # cd /var/opt/mps/serverroot/slapd-fm-users/logs
    # tail -f errors
  3. Create the user amAdmin under the o=siroeusers.com suffix in the Directory Server.

    1. Create a file named amadminusers.ldif with the following entries:


      dn: ou=People,o=siroeusers.com
      changetype: add
      objectClass: top
      objectClass: organizationalunit

      dn: uid=amAdmin,ou=People,o=siroeusers.com
      changetype: add
      objectclass: inetuser
      objectclass: inetorgperson
      objectclass: organizationalperson
      objectclass: person
      objectclass: top
      objectClass: iPlanetPreferences
      objectclass: inetAdmin
      inetuserstatus: Active
      cn: amAdmin
      sn: amAdmin
      userPassword: 11111111

      dn: o=siroeusers.com
      changetype: modify
      add: aci
      aci: (target="ldap:///*ou=People,o=siroeusers.com")(targetattr = "*")(version 3.0; acl "S1IS Top-level Admin Role access allow"; allow (all) userdn = "ldap:///uid=amAdmin,ou=People,o=siroeusers.com";)
      

      This LDIF creates a People container under the existing o=siroeusers.com suffix and the user amAdmin, and adds an ACI that grants amAdmin all rights on the People branch.

    2. Use the ldapmodify utility to load amadminusers.ldif into the Directory Servers.


      # ldapmodify -D "cn=Directory Manager" -w 11111111 
      -h LoadBalancer-8.siroe.com -p 1389 -f amadminusers.ldif

ProcedureTo Update the Federation Manager 1 AMConfig.properties File

  1. In the Federation Manager 1 host, go to the directory that contains the file AMConfig.properties:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/
  2. Set the default datastore provider property:


    com.sun.identity.common.datastore.provider.default=
    com.sun.identity.common.LDAPDataStoreProvider

    Save the file.

ProcedureTo Update the Federation Manager 1 serverconfig.xml File

  1. Go to the directory that contains the file serverconfig.xml:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config
  2. Make a backup of serverconfig.xml, and then modify the following entry.

    Modify the host name, port, and user DNs as in the following example:


    <ServerGroup name="userdefault" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="LoadBalancer-8.siroe.com"
                port="1389" type="SIMPLE" />
        <User name="User1" type="proxy">
            <DirDN>
                uid=amadmin,ou=people,o=siroeusers.com
            </DirDN>
            <DirPassword>
                AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
            </DirPassword>
        </User>
        <User name="User2" type="admin">
            <DirDN>
                uid=amadmin,ou=people,o=siroeusers.com
            </DirDN>
            <DirPassword>
                AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
            </DirPassword>
        </User>
        <BaseDN>
            ou=people,o=siroeusers.com
        </BaseDN>
    </ServerGroup>

    Save the file.

  3. Regenerate and redeploy the Federation Manager 1 WAR file.

    See To Regenerate and Redeploy the Federation Manager 1 WAR File in this manual.

5.3 Migrating Federation Manager 2 Configuration from Flat Files to Directory Servers

Use the following as your checklist for migrating Federation Manager 2 configuration from flat files to Directory Servers:

  1. Update the Federation Manager 2 serverconfig.xml file.

  2. Update the Federation Manager 2 AMConfig.properties file.

  3. Regenerate and redeploy the Federation Manager 2 WAR file.

ProcedureTo Update the Federation Manager 2 serverconfig.xml File

  1. Go the following directory that contains the serverconfig.xml file:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config/
  2. Make a backup of the file serverconfig.xml, and then make the following changes in serverconfig.xml:

    1. In the following entry, change the host name and port number attribute values:


      <iPlanetDataAccessLayer>
          <ServerGroup name="default" minConnPool="1" maxConnPool="10">
              <Server name="Server1" host="LoadBalancer-7.siroe.com"
                      port="389" type="SIMPLE" />
              <User name="User1" type="proxy">
                  <DirDN>
                      uid=amadmin,ou=people,o=siroe.com
    2. Verify that the following user entries exist in the file:


      <User name="User1" type="proxy">
          <DirDN>
              uid=amadmin,ou=people,o=siroe.com
          </DirDN>
          <DirPassword>
              AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
          </DirPassword>
      </User>
      <User name="User2" type="admin">
          <DirDN>
              uid=amadmin,ou=people,o=siroe.com
          </DirDN>
          <DirPassword>
              AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
          </DirPassword>
      </User>

    In this deployment example, the proxy user and the administrative user have the same DN; in effect, they are the same user. Both are superusers over the ou=services branch of the Directory Server, which holds the Federation Manager configuration, so they can read, write, and search that configuration. The user amadmin was created in the Directory Server when Federation Manager 1 was migrated, so it does not need to be created again here.

ProcedureTo Update the Federation Manager 2 AMConfig.properties File

  1. Go to the directory that contains the AMConfig.properties file:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes
  2. In AMConfig.properties, set the implementation class for the SM data store.

    Make a backup of the AMConfig.properties file, and the set the following property:


    com.sun.identity.sm.sms_object_class_name=com.sun.identity.sm.ldap.SMSLdapObject

ProcedureTo Regenerate and Redeploy the Federation Manager 2 WAR File

  1. On the Federation Manager 2 host, run the fmwar command.


    # cd /opt/SUNWam/fm/bin
    # ./fmwar -n federation -d /var/opt/SUNWam/fm/war_staging -s /export/fmsilent
  2. Undeploy the existing Federation Manager WAR 2 file.


    # cd /opt/SUNWwbsvr/bin/https/bin
    # ./wdeploy delete -u /federation -i FederationManager-2.siroe.com 
    -v https-FederationManager-2.siroe.com -n hard

    The -n hard option deletes the directory where Federation Manager is exported as well as the URI. If you use the -n soft option, only the URI is deleted.

  3. Deploy the customized Federation Manager 2 WAR file.


    # ./wdeploy deploy -u /federation -i FederationManager-2.siroe.com
     -v https-FederationManager-2.siroe.com 
    /var/opt/SUNWam/fm/war_staging/federation.war

    This WAR file contains all the SAMLv2 configuration and Directory Server configuration you completed in the previous tasks.

  4. Restart the Federation Manager web container.


    # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com
    # ./stop
    # ./start
  5. Verify that you can access the Federation Manager 2 server.

    1. In a browser, go to the Federation Manager URL:


      http://FederationManager-2.siroe.com:8080/federation/UI/Login
    2. Log in to the Federation Manager console:

      User Name:

      amadmin

      Password:

      11111111

    If you can log in successfully, the WAR file was deployed successfully.

5.4 Migrating Federation Manager 2 User Data from Flat Files to Directory Servers

Use the following as your checklist for migrating Federation Manager 2 user data from flat files to Directory Servers:

  1. Update the Federation Manager 2 AMConfig.properties file.

  2. Update the Federation Manager 2 serverconfig.xml file.

ProcedureTo Update the Federation Manager 2 AMConfig.properties File

  1. In the Federation Manager 2 host, go to the directory that contains the file AMConfig.properties:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/
  2. Make a backup of AMConfig.properties, and then in the AMConfig.properties file, set the default datastore provider property:


    com.sun.identity.common.datastore.provider.default=
    com.sun.identity.common.LDAPDataStoreProvider

    Save the file.

ProcedureTo Update the Federation Manager 2 serverconfig.xml File

  1. Go to the directory that contains the file serverconfig.xml:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config
  2. Make a backup of serverconfig.xml, and then modify the following entry.

    Modify the host name, port, and user DNs as in the following example:


    <ServerGroup name="userdefault" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="LoadBalancer-8.siroe.com"
                port="1389" type="SIMPLE" />
        <User name="User1" type="proxy">
            <DirDN>
                uid=amadmin,ou=people,o=siroeusers.com
            </DirDN>
            <DirPassword>
                AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
            </DirPassword>
        </User>
        <User name="User2" type="admin">
            <DirDN>
                uid=amadmin,ou=people,o=siroeusers.com
            </DirDN>
            <DirPassword>
                AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
            </DirPassword>
        </User>
        <BaseDN>
            ou=people,o=siroeusers.com
        </BaseDN>
    </ServerGroup>

    Save the file.

  3. Regenerate and redeploy the Federation Manager 2 WAR file.

    See To Regenerate and Redeploy the Federation Manager 2 WAR File.

  4. Restart the Federation Manager web container.


    # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com
    # ./stop
    # ./start
  5. Verify that you can access the Federation Manager 2 server.

    1. In a browser, go to the Federation Manager URL:


      http://FederationManager-2.siroe.com:8080/federation/UI/Login
    2. Log in to the Federation Manager console:

      User Name:

      amadmin

      Password:

      11111111

    If you can log in successfully, the WAR file was deployed successfully.

5.5 Configuring the Federation Manager Authentication Service to Work with the Directory Servers

Use the following as your checklist for configuring the Federation Manager authentication service:

  1. Migrate the Federation Manager User Data to the Directory Server User data store.

  2. Verify that LDAP authentication works properly.

ProcedureTo Migrate the Federation Manager User Data to the Directory Server User Data Store

  1. Go to the Federation Manager 1 URL:

    http://FederationManager-1.siroe.com:8080/federation/UI/Login

    Notice that above the User Name field, the text says “This server uses flat file authentication scheme.”

  2. Log in to the Federation Manager 1 console:

    User Name

    amadmin

    Password

    11111111

  3. Add a new authentication service.

    1. Click the Organization tab.

    2. Click the Authentication subtab, and then click Add.

    3. In the list of Authentication Modules, select LDAP, and then click Next.

    4. On the LDAP page, provide the following information:

      Primary LDAP Server List:

      Add LoadBalancer-8.siroe.com:1389.

      DN to Start User Search List:

      Add o=siroeusers.com.

      DN for Root User Bind:

      cn=fmldapuser,ou=People,o=siroeusers.com

      The authentication module binds as this DN to search for the entry of the user who is logging in, and then binds as that user's DN with the password the user supplied. Individual users therefore need no rights in the directory beyond the ability to bind to their own entry, and the bind account itself needs only read and search rights, which the ACI created in step 7 gives it.

      Password for Root User Bind:

      00000000

      Password for Root User Bind (confirm):

      00000000

      Attribute used to Retrieve User Profile:

      uid

      Attribute Used to Search for a User to be Authenticated:

      uid

    5. Click Assign.

  4. On the Authentication page, locate the module named Core, and click its Edit link.

  5. On the Core page, provide the following information:

    Organization Authentication Modules:

    Choose Flatfile, LDAP and SAMLv2.

    People Container for All Users:

    Add to the list ou=People,o=siroeusers.com.

    Click Save.

  6. Verify that LDAP is included as an Organizational Attribute.

    Click the Configuration tab. On the Configuration tab, under Authentication, click Core.

    On the Core page, under Organization Attributes, verify that Flatfile, LDAP, and SAMLv2 are included in the list of Organization Authentication Modules.

  7. In the Directory Server, create a user named fmldapuser.

    This user is the account the Federation Manager LDAP authentication module binds as to access the Directory Server. It has read and search permissions in the o=siroeusers.com branch of the Directory Server, which is all the module needs to look up user entries; it deliberately has no write permission, so a compromised bind password cannot be used to modify entries.

    1. Create an LDIF file named fmldapuser.ldif with the following entries:


      dn: cn=fmldapuser,ou=People,o=siroeusers.com
      changetype: add
      objectclass: inetuser
      objectclass: organizationalperson
      objectclass: person
      objectclass: top
      cn: fmldapuser
      sn: fmldapuser
      userPassword: 00000000

      dn: o=siroeusers.com
      changetype: modify
      add: aci
      aci: (target="ldap:///o=siroeusers.com")(targetattr="*")(version 3.0; acl "FM special ldap auth user rights"; allow (read,search) userdn = "ldap:///cn=fmldapuser,ou=People,o=siroeusers.com"; )
    2. Load fmldapuser.ldif into the user Directory Servers through the load balancer.


      # ldapmodify -D "cn=Directory Manager" -w 11111111 
      -h LoadBalancer-8.siroe.com -p 1389 -f ./fmldapuser.ldif
  8. Change the default authentication module from Flat File to LDAP.

    1. Log in to the Federation Manager 1 host.

    2. Go to the following directory:


      /opt/SUNWam/fm/bin
    3. Create a file named ldap.xml file that contains the following entries:


      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!--
          Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
          Use is subject to license terms.
      -->

      <!DOCTYPE Requests
          PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"
          "jar://com/iplanet/am/admin/cli/amAdmin.dtd">

      <!--  CREATE REQUESTS -->

      <Requests>
          <OrganizationRequests DN="o=siroe.com">
              <ModifyServiceTemplate serviceName="iPlanetAMAuthService"
                  schemaType="Organization">
                  <AttributeValuePair>
                      <Attribute name="iplanet-am-auth-org-config" />
                      <Value>&lt;AttributeValuePair&gt;&lt;Value&gt;com.sun.identity.authentication.modules.ldap.LDAP REQUIRED&lt;/Value&gt;&lt;/AttributeValuePair&gt;</Value>
                  </AttributeValuePair>
              </ModifyServiceTemplate>
          </OrganizationRequests>
      </Requests>

      The ModifyServiceTemplate request and its AttributeValuePair are the significant change: they set the organization's authentication configuration (iplanet-am-auth-org-config) to the LDAP module with the REQUIRED flag. Keep the escaped inner value on one line so that no stray whitespace becomes part of the module name.

    4. Load ldap.xml.


      # ./amadmin -i /var/opt/SUNWam/fm/war_staging -u amadmin -w 11111111 -t ldap.xml
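
    The three LDIF files in this chapter (amadminconfig.ldif in 5.1, amadminusers.ldif in 5.2 and fmldapuser.ldif above) follow the same pattern with a different suffix and a different set of rights. The following is an added example, not part of the original guide: it generates those records from one template, so the admin entry and the read/search-only bind account are produced consistently, and it checks the file before ldapmodify sees it. The suffixes, DNs, ACI names and passwords are the deployment example's; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the guide): generate the LDIF used in 5.1
# (amAdmin under o=siroe.com), 5.2 (amAdmin under o=siroeusers.com) and
# 5.5 (fmldapuser) from one template, then sanity-check the file before
# feeding it to ldapmodify. Suffixes, DNs, ACI names and passwords are
# the deployment example's; function names are this example's own.

# gen_admin_ldif SUFFIX ACI_TARGET PASSWORD
# People container, uid=amAdmin entry, and an ACI on SUFFIX giving amAdmin
# all rights on ACI_TARGET (the guide uses a different target per suffix).
gen_admin_ldif() {
  suffix=$1 target=$2 pw=$3
  cat <<EOF
dn: ou=People,$suffix
changetype: add
objectClass: top
objectClass: organizationalunit

dn: uid=amAdmin,ou=People,$suffix
changetype: add
objectclass: inetuser
objectclass: inetorgperson
objectclass: organizationalperson
objectclass: person
objectclass: top
objectClass: iPlanetPreferences
objectclass: inetAdmin
inetuserstatus: Active
cn: amAdmin
sn: amAdmin
userPassword: $pw

dn: $suffix
changetype: modify
add: aci
aci: (target="$target")(targetattr = "*")(version 3.0; acl "S1IS Top-level Admin Role access allow"; allow (all) userdn = "ldap:///uid=amAdmin,ou=People,$suffix";)
EOF
}

# gen_bind_user_ldif SUFFIX CN PASSWORD
# Service account the LDAP authentication module binds as to look up
# users. It gets read and search only: a leaked bind password must not
# allow modifying entries (the amAdmin ACI above would).
gen_bind_user_ldif() {
  suffix=$1 cn=$2 pw=$3
  cat <<EOF
dn: cn=$cn,ou=People,$suffix
changetype: add
objectclass: inetuser
objectclass: organizationalperson
objectclass: person
objectclass: top
cn: $cn
sn: $cn
userPassword: $pw

dn: $suffix
changetype: modify
add: aci
aci: (target="ldap:///$suffix")(targetattr="*")(version 3.0; acl "FM special ldap auth user rights"; allow (read,search) userdn = "ldap:///cn=$cn,ou=People,$suffix";)
EOF
}

# check_ldif FILE: every blank-line separated record must start with a
# "dn:" line and carry a changetype. A record that is not separated by a
# truly empty line (a line of spaces is not one) merges with the previous
# record and is rejected here instead of by the server.
check_ldif() {
  awk 'BEGIN { RS = ""; FS = "\n" }
       $1 !~ /^dn: / || $0 !~ /\nchangetype: / { bad++ }
       END { if (bad) exit 1; exit 0 }' "$1"
}

# Usage: ldifgen.sh admin|bind > file.ldif, then load the file with the
# ldapmodify commands shown in the steps (LoadBalancer-7:389 for the
# configuration suffix, LoadBalancer-8:1389 for the user suffix).
case "${1:-}" in
  admin) gen_admin_ldif o=siroeusers.com 'ldap:///*ou=People,o=siroeusers.com' 11111111 ;;
  bind)  gen_bind_user_ldif o=siroeusers.com fmldapuser 00000000 ;;
esac
```

    The clear-text userPassword values go into the LDIF exactly as the guide's files do; Directory Server hashes them on import, but the LDIF file itself should be deleted or kept readable only by root once it has been loaded.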

ProcedureTo Verify that LDAP Authentication Works Properly

  1. Go to the following Federation Manager URL:

    http://FederationManager-1.siroe.com:8080/federation/UI/Login

    The Federation Manager login page displays the following message: “This server uses LDAP Authentication.”

  2. Log in to the Federation Manager console:

    User Name:

    amadmin

    Password:

    11111111

    If you can log in successfully, the LDAP Authentication module was able to bind as the root bind user (fmldapuser) to the fm-users instance behind LoadBalancer-8, find the amadmin entry, and authenticate it with the supplied password.

  3. Create a test user in the fm-users instance of Directory Server 3SP.

    1. Start the Directory Server 3SP console.


      # cd /var/opt/mps/serverroot/ 
      # ./startconsole &
    2. In Directory Server 3SP, expand the Server Group, and open the fm-users instance.

    3. Open the fm-users console, and click the Directory Tab.

    4. On the Directory Tab, under the o=siroeusers.com suffix, right-click the People container.

      Choose New>User.

    5. In the Create New User dialog, provide the following information:

      First Name:

      Test

      Last Name:

      User

      User ID:

      testuser1

      Password:

      11111111

      Click OK.

  4. Go to the following Federation Manager URL:

    http://FederationManager-1.siroe.com:8080/federation/UI/Login

  5. Log in to the Federation Manager console:

    User Name:

    testuser1

    Password:

    11111111

    If you can log in successfully, the LDAP Authentication module found testuser1 in the fm-users instance of Directory Server 3SP and authenticated the user with the supplied password.

Chapter 6 Setting Up the Service Provider Keystores

In this phase of the deployment, you create the keys and certificates that the SAMLv2 metadata refers to and that the Liberty Identity protocols require for signing and encryption. Federation Manager provides sample templates that you can modify to suit your environment.

This chapter contains detailed information about the following groups of tasks:

6.1 Configuring the Keystore for Federation Manager 1

Use the Java keytool command to create private keys for XML signing and SAML encryption. Once the keys are stored in a keystore, you extract a certificate request from the keystore, and then submit the request to a trusted Certificate Authority (CA). The trusted CA sends you a certificate, which is used for XML signing.

Use the following as your checklist for configuring the keystore for Federation Manager 1:

  1. Obtain an XML Signing Certificate from a trusted certificate authority.

  2. Obtain an Encryption Certificate from a trusted certificate authority.

ProcedureTo Obtain an XML Signing Certificate from a Trusted Certificate Authority

  1. As a root user, log in to the Federation Manager 1 host.

  2. Make a directory for creating a keystore. Example:


    # cd /etc/opt/SUNWam/
    # mkdir config
  3. Create a keystore with a private key.

    A keystore is a database for storing XML signing certificates, your private keys, and your public keys. For detailed information about keystores and about using the keytool utility to create and manage keystores, see http://java.sun.com/j2se/1.5.0/docs/tooldocs/solaris/keytool.html.

    Use the keytool utility that comes with the JDK installed with Federation Manager. The example keeps the 1024-bit RSA key size used in this deployment; for a new deployment, 2048 bits is the minimum now recommended. Example:


    # cd /etc/opt/SUNWam/config
    # which keytool
     /usr/jdk/instances/jdk/1.5.0_06/bin/keytool
    # keytool -genkey -alias LoadBalancer-9 -keyalg RSA -keysize 1024 
    -dname "cn=LoadBalancer-9.siroe.com,o=siroe.com" -validity 365 
    -keystore fmkeystore
    Enter keystore password: password
    Enter key password for <LoadBalancer-9>
    			  (RETURN if same as keystore password): keypassword
    

    Note –

    The keystore password you specify here must be identical to the keystore password you specify when you install a copy of this certificate onto Federation Manager 2. The two Federation Managers will be recognized as a single entity.


  4. Verify that the keystore and private key were created properly.

    You should be able to see fmkeystore in the following directory, and verify that the current date is within the certificate's valid date range. The keystore holds the private key, so restrict it to the user the web container runs as (for example, mode 600) rather than leaving it world-readable as in the listing below.


    # cd /etc/opt/SUNWam/config
    # ls -lrt
    -rw-r--r--   1 root     root     1261 Nov  2 11:03 fmkeystore
    # keytool -list -keystore fmkeystore -alias LoadBalancer-9 -v
    Enter keystore password: password
    Alias name: LoadBalancer-9
    Creation date: Nov 2, 2006
    Entry type: keyEntry
    Certificate chain length: 1
    Certificate[1]:
    Owner: CN=LoadBalancer-9.siroe.com, O=siroe.com
    Issuer: CN=LoadBalancer-9.siroe.com, O=siroe.com
    Serial number: 454a40c1
    Valid from: Thu Nov 02 11:02:25 PST 2006 until: Fri Nov 02 12:02:25 PDT 2007
    Certificate fingerprints:
             MD5:  60:11:C7:01:51:D0:7C:BC:16:26:E7:C0:54:98:6D:9D
             SHA1: 37:E7:15:91:45:C0:EF:49:A1:CC:EF:9E:64:6C:E2:1E:52:90:3D:4E
  5. Submit a request to a trusted certificate authority (CA) for an XML signing certificate.

    1. Create the request.


      # cd /etc/opt/SUNWam/config
      # keytool -certreq -alias LoadBalancer-9 -file fm.certreq -keystore fmkeystore
      Enter keystore password: password
      Enter key password for <LoadBalancer-9>: keypassword
      
    2. Verify that the request text was successfully generated.


      # vi fm.certreq
      -----BEGIN NEW CERTIFICATE REQUEST-----
      mllBdjCB4AlBADA3MR1wEAYDVQQKEwlzaXjvZs5jb20xlTAfBgNVBAMTGGxvYWRiYWkhbmNlci05
      LnNpcm9IlmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgykCgYEAozsGuaqGlL1Z5j6n+aXYACUh
      KFpb8f451GG5Eg6Vy862hlstl1b8KaAYARHk0lGjzwb26AiLXlWpDyOmf2hXR91po7oo/Vw/K9Qv
      qv/+7FDtCBp9DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jlGMba/2eSjeRfsCAwEA
      AaAAMA0GCSqGSlb3DQEBBAUAA4GBAJ3u+f5mC7AVXErSDucNHZn4Li42ULQBEZmTk3K73U9Ar4wx
      ex2Ee6lAsPDyb3g4jUmduBSkrSbKyxZhPutVZQTlfHkiLbd6vHWl1K97DedLoWlt9nZAo3xZyBym
      6UCH0HYVly/TAL8fhsielElg8lsidlejis(hfkeowhkdlgile27uak9pwnbmqkdigleIDUekdo30
      -----END NEW CERTIFICATE REQUEST-----
  6. Follow the instructions provided by your Certificate Authority (CA) for submitting the fm.certreq file and sending the text to the CA.

    The CA will process your request, and send you a certificate. When you open the certificate file with an editor, the certificate text will look similar to this:


    -----BEGIN CERTIFICATE-----
    MIIFJQYJKoZIhvcNAQcCoIIFFjCCBRICAQExADAPBgkqhkiG9w0BBwGgAgQAoIIE
    9jCCAmAwggIKoAMCAQICAgaKMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAc
    BgNVBAoTFVN1biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkg
    U2VydmljZXMxHDAaBgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDYxMTAy
    MTkxMTM0WhcNMTAwNzI5MTkxMTM0WjA3MRIwEAYDVQQKEwlzaXJvZS5jb20xITAf
    BgNVBAMTGGxvYWRiYWxhbmNlci05LnNpcm9lLmNvbTCBnzANBgkqhkiG9w0BAQEF
    AAOBjQAwgYkCgYEAozsGuaqGlLlZ5J6n+aXYACUhKFpb8f451GG5Eg6Vy862hIst
    lIb8KaAYARHk0lGjzwb26AiLXIWpDyOmf2hXR91po7oo/Vw/K9Qvqv/+7FDtCBp9
    DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jIGMba/2eSJeRfsCAwEA
    AaNgMF4wEQYJYIZIAYb4QgEBBAQDAgZAMA4GA1UdDwEB/wQEAwIE8DAfBgNVHSME
    GDAWgBQ7oCE35Uwn7FsjS01w5e3DA1CrrjAYBgNVHREEETAPgQ1tYWxsYUBzdW4u
    Y29tMA0GCSqGSIb3DQEBBAUAA0EAf+gzgerEagmbtjnpzPXkEdILm3vOXp008VOG
    u8dZ2hcc2FytYkNbzAESjIw29fUBCSBCSmZQyuLku8jJX9ZxUjCCAo4wggI4oAMC
    AQICAgMgMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
    Q2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1biBN
    aWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAa
    BgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDQwODE2MDcwMDAwWhcNMzIw
    ODE2MDcwMDAwWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
    FDASBgNVBAcTC1NhbnRhIENsYXJhMR4wHAYDVQQKExVTdW4gTWljcm9zeXN0ZW1z
    IEluYy4xGjAYBgNVBAsTEUlkZW50aXR5IFNlcnZpY2VzMRwwGgYDVQQDExNDZXJ0
    aWZpY2F0ZSBNYW5hZ2VyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKz8xQGAbn86
    19ouxvx4QYtUbRI2AxwsteVlsrSumcG311DHshmnR8HqGZ4jgVN1SnR4YyAwo6jD
    Dduf6xDOaM8CAwEAAaN2MHQwEQYJYIZIAYb4QgEBBAQDAgAHMA8GA1UdEwEB/wQF
    MAMBAf8wHQYDVR0OBBYEFDugITflTCfsWyNLTXDl7cMDUKuuMB8GA1UdIwQYMBaA
    FDugITflTCfsWyNLTXDl7cMDUKuuMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
    AQUFAANBAFR1D8PyX2k2E1PKx40ful6+hqjW2k+HmbTV7OcCGJY8JR7y4y/wCE28
    a4p6nxYjgdiQDlvoC8aOI+i1elvf9jMxAA==
    -----END CERTIFICATE-----

    In this deployment example, the certificate text was saved in a text file named fm.certificate.

  7. Import the root CA certificate.

    1. Submit a request to the Certificate Authority for a root CA certificate.

    2. After you receive the root CA certificate, copy the certificate to the following directory:


      /etc/opt/SUNWam/config
    3. Import the root CA certificate:


      # keytool -import -alias OpenSSL_CA_Cert -keystore fmkeystore -file ca.cert
      Enter keystore password: password
      ...
      Trust this certificate? [no]: yes
      Certificate was added to keystore.
  8. After you receive the certificate from the trusted CA, import the certificate into the Load Balancer 9 keystore.

    The alias name that you specify here will be used later in the deployment when you configure the Federation protocols.


    # keytool -import -alias LoadBalancer-9 -keystore fmkeystore 
    -file fm.certificate
    Enter keystore password: password
    Enter key password for <LoadBalancer-9>: keypassword
    
    Top-level certificate in reply:
    
    Owner: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Issuer: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US
    Serial number:320
    Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
    Certificate fingerprints:
             MD5:  CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
             SHA1: 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
    
    ...is not trusted.  Install reply anyway? [no]:yes
    
  9. Verify that the certificate is properly installed.

    When you run this command, note that the Entry type must be keyEntry, as in this example. A keyEntry holds both the private key and the public certificate chain, and you need both of them for signing. A trustedCertEntry holds only a public certificate and no private key.


    # keytool -list -keystore fmkeystore -alias LoadBalancer-9 -rfc
    Enter keystore password: password
    Alias name: LoadBalancer-9
    Creation date: Nov 2, 2006
    Entry type: keyEntry
    Certificate chain length: 2

    Certificate text similar to the following is displayed:


    Certificate[1]:
    -----BEGIN CERTIFICATE-----
    MIICYDCCAgqgAwIBAgICBoowDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNjExMDIxOTExMzRaFw0xMDA3MjkxOTExMzRaMDcxEjAQBgNVBAoTCXNp
    cm9lLmNvbTEhMB8GA1UEAxMYbG9hZGJhbGFuY2VyLTkuc2lyb2UuY29tMIGfMA0GCSqGSIb3DQEB
    AQUAA4GNADCBiQKBgQCjOwa5qoaUuVnknqf5pdgAJSEoWlvx/jnUYbkSDpXLzraEiy2UhvwpoBgB
    EeTSUaPPBvboCItchakPI6Z/aFdH3Wmjuij9XD8r1C+q//7sUO0IGn0ORycddHhoo0aSdnnxGf9V
    tREaqKm9dJ7Yn7kQHjo2eryMgYxtr/Z5Il5F+wIDAQABo2AwXjARBglghkgBhvhCAQEEBAMCBkAw
    DgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFDugITflTCfsWyNLTXDl7cMDUKuuMBgGA1UdEQQR
    MA+BDW1hbGxhQHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQB/6DOB6sRqCZu2OenM9eQR0gube85e
    nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
    -----END CERTIFICATE-----
    Certificate[2]:
    -----BEGIN CERTIFICATE-----
    MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
    biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
    E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
    /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
    o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
    J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
    BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
    HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
    -----END CERTIFICATE-----

    Certificate [1] is the public key. This is the certificate that is presented to remote parties in a federated environment. Certificate [2] represents the certificate that authenticates the trusted authority or certificate issuer.

ProcedureTo Obtain an Encryption Certificate from a Trusted Certificate Authority

The Liberty Identity specification requires all XML files to be signed. You can obtain one certificate and use it for both signing and encryption, or you can obtain one certificate for signing and a second certificate for encryption. In this deployment, for illustration purposes, one certificate is used for signing and a second certificate is used for encryption.

  1. As a root user, log in to the Federation Manager 1 host.

    User Name:

    amadmin

    Password:

    11111111

  2. Go to the following directory:

    /etc/opt/SUNWam/config

  3. Generate a private key and self-signed certificate for the encryption alias in the fmkeystore keystore.


    # keytool -genkey -alias LoadBalancer-9-enc -keyalg RSA -keysize 1024 
    -dname "cn=LoadBalancer-9.siroe.com,o=siroe.com" -validity 365 
    -keystore fmkeystore
    Enter keystore password: password
    Enter key password for <LoadBalancer-9-enc>
    			  (RETURN if same as keystore password): keypassword
    

    Note –

    The key password you specify here must be identical to the key password you specify for the encryption certificate.


  4. Verify that the keystore and private key were created properly.

    You should be able to see fmkeystore in the following directory, and verify that the current date is within the certificate's valid date range.


    # cd /etc/opt/SUNWam/config
    # ls -lrt
    -rw-r--r--		1 root		root		1261 Nov 2 11:03  fmkeystore
    # keytool -list -keystore fmkeystore -alias LoadBalancer-9-enc -v
    Enter keystore password: password
    Alias name: LoadBalancer-9-enc
    Creation date: Nov 7, 2006
    Entry type: keyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: CN=loadbalancer-9.siroe.com
    Issuer: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Serial number: 68f
    Valid from: Tue Nov 07 15:56:17 PST 2006 until: Tue Aug 03 16:56:17 PDT 2010
    Certificate fingerprints:
             MD5:  69:9C:CF:F6:0D:7E:F4:A7:A8:C3:DC:CD:2F:EC:1A:F4
             SHA1: 29:2F:71:98:6B:AD:4C:27:F2:53:08:94:E0:4B:AF:62:96:1F:B0:F0
    Certificate[2]:
    Owner: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Issuer: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Serial number: 320
    Valid from: Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
    Certificate fingerprints:
             MD5:  CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
             SHA1: 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
  5. Submit a request for an encryption certificate.

    1. Create the request.


      # cd /etc/opt/SUNWam/config
      # keytool -certreq -alias LoadBalancer-9-enc 
      -file cert-enc.csr -keystore fmkeystore
      Enter keystore password: password
      Enter key password for <LoadBalancer-9-enc>: keypassword
      
    2. Verify that the request text was successfully generated.


      # vi cert-enc.csr
      -----BEGIN NEW CERTIFICATE REQUEST-----
      mllBdjCB4AlBADA3MR1wEAYDVQQKEwlzaXjvZs5jb20xlTAfBgNVBAMTGGxvYWRiYWkhbmNlci05
      LnNpcm9IlmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgykCgYEAozsGuaqGlL1Z5j6n+aXYACUh
      KFpb8f451GG5Eg6Vy862hlstl1b8KaAYARHk0lGjzwb26AiLXlWpDyOmf2hXR91po7oo/Vw/K9Qv
      qv/+7FDtCBp9DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jlGMba/2eSjeRfsCAwEA
      AaAAMA0GCSqGSlb3DQEBBAUAA4GBAJ3u+f5mC7AVXErSDucNHZn4Li42ULQBEZmTk3K73U9Ar4wx
      ex2Ee6lAsPDyb3g4jUmduBSkrSbKyxZhPutVZQTlfHkiLbd6vHWl1K97DedLoWlt9nZAo3xZyBym
      6UCH0HYVly/TAL8fhsielElg8lsidlejis(hfkeowhkdlgile27uak9pwnbmqkdigleIDUekdo30
      -----END OF NEW CERTIFICATE REQUEST-----
  6. Follow the instructions provided by your Certificate Authority (CA) for submitting the cert-enc.csr file and sending the text to the CA.

    The CA will process your request, and send you a certificate. When you open the certificate file with an editor, the certificate text will look similar to this:


    -----BEGIN CERTIFICATE-----
    MIIFJQYJKoZIhvcNAQcCoIIFFjCCBRICAQExADAPBgkqhkiG9w0BBwGgAgQAoIIE
    9jCCAmAwggIKoAMCAQICAgaKMA0GCSqGSIb3DQEBBAUAMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAc
    BgNVBAoTFVN1biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkg
    U2VydmljZXMxHDAaBgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDYxMTAy
    MTkxMTM0WhcNMTAwNzI5MTkxMTM0WjA3MRIwEAYDVQQKEwlzaXJvZS5jb20xITAf
    BgNVBAMTGGxvYWRiYWxhbmNlci05LnNpcm9lLmNvbTCBnzANBgkqhkiG9w0BAQEF
    AAOBjQAwgYkCgYEAozsGuaqGlLlZ5J6n+aXYACUhKFpb8f451GG5Eg6Vy862hIst
    lIb8KaAYARHk0lGjzwb26AiLXIWpDyOmf2hXR91po7oo/Vw/K9Qvqv/+7FDtCBp9
    DkcnHXR4aKNGknZ58Rn/VbURGqipvXSe2J+5EB46Nnq8jIGMba/2eSJeRfsCAwEA
    AaNgMF4wEQYJYIZIAYb4QgEBBAQDAgZAMA4GA1UdDwEB/wQEAwIE8DAfBgNVHSME
    GDAWgBQ7oCE35Uwn7FsjS01w5e3DA1CrrjAYBgNVHREEETAPgQ1tYWxsYUBzdW4u
    Y29tMA0GCSqGSIb3DQEBBAUAA0EAf+gzgerEagmbtjnpzPXkEdILm3vOXp008VOG
    u8dZ2hcc2FytYkNbzAESjIw29fUBCSBCSmZQyuLku8jJX9ZxUjCCAo4wggI4oAMC
    AQICAgMgMA0GCSqGSIb3DQEBBQUAMIGSMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
    Q2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1biBN
    aWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAa
    BgNVBAMTE0NlcnRpZmljYXRlIE1hbmFnZXIwHhcNMDQwODE2MDcwMDAwWhcNMzIw
    ODE2MDcwMDAwWjCBkjELMAkGA1UEBhMCVVMxEzARBgNVBAgTCkNhbGlmb3JuaWEx
    FDASBgNVBAcTC1NhbnRhIENsYXJhMR4wHAYDVQQKExVTdW4gTWljcm9zeXN0ZW1z
    IEluYy4xGjAYBgNVBAsTEUlkZW50aXR5IFNlcnZpY2VzMRwwGgYDVQQDExNDZXJ0
    aWZpY2F0ZSBNYW5hZ2VyMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKz8xQGAbn86
    19ouxvx4QYtUbRI2AxwsteVlsrSumcG311DHshmnR8HqGZ4jgVN1SnR4YyAwo6jD
    Dduf6xDOaM8CAwEAAaN2MHQwEQYJYIZIAYb4QgEBBAQDAgAHMA8GA1UdEwEB/wQF
    MAMBAf8wHQYDVR0OBBYEFDugITflTCfsWyNLTXDl7cMDUKuuMB8GA1UdIwQYMBaA
    FDugITflTCfsWyNLTXDl7cMDUKuuMA4GA1UdDwEB/wQEAwIBhjANBgkqhkiG9w0B
    AQUFAANBAFR1D8PyX2k2E1PKx40ful6+hqjW2k+HmbTV7OcCGJY8JR7y4y/wCE28
    a4p6nxYjgdiQDlvoC8aOI+i1elvf9jMxAA==
    -----END CERTIFICATE-----

    In this deployment example, the certificate text was saved in a text file named fm-enc.

  7. Import the certificate into the Load Balancer 9 keystore.


    # keytool -import -alias LoadBalancer-9-enc -keystore fmkeystore 
    -file fm-enc
    Enter keystore password: password
    Enter key password for <LoadBalancer-9-enc>: keypassword
    
    Top-level certificate in reply:
    
    Owner: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Issuer: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US
    Serial number:320
    Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
    Certificate fingerprints:
             MD5:  CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
             SHA1: 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
    
    ...is not trusted.  Install reply anyway? [no]:yes
    
  8. Verify that the certificate is properly installed.

    When you run this command, note that the Entry type must be keyEntry, as in this example. A keyEntry holds both the private key and the public certificate chain, and you need both of them. A trustedCertEntry holds only a public certificate and no private key.


    # keytool -list -keystore fmkeystore -alias LoadBalancer-9-enc -rfc
    Enter keystore password: password
    Alias name: LoadBalancer-9-enc
    Creation date: Nov 2, 2006
    Entry type: keyEntry
    Certificate chain length: 2

    Certificate text similar to the following is displayed:


    Certificate[1]:
    -----BEGIN CERTIFICATE-----
    MIICYDCCAgqgAwIBAgICBoowDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNjExMDIxOTExMzRaFw0xMDA3MjkxOTExMzRaMDcxEjAQBgNVBAoTCXNp
    cm9lLmNvbTEhMB8GA1UEAxMYbG9hZGJhbGFuY2VyLTkuc2lyb2UuY29tMIGfMA0GCSqGSIb3DQEB
    AQUAA4GNADCBiQKBgQCjOwa5qoaUuVnknqf5pdgAJSEoWlvx/jnUYbkSDpXLzraEiy2UhvwpoBgB
    EeTSUaPPBvboCItchakPI6Z/aFdH3Wmjuij9XD8r1C+q//7sUO0IGn0ORycddHhoo0aSdnnxGf9V
    tREaqKm9dJ7Yn7kQHjo2eryMgYxtr/Z5Il5F+wIDAQABo2AwXjARBglghkgBhvhCAQEEBAMCBkAw
    DgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFDugITflTCfsWyNLTXDl7cMDUKuuMBgGA1UdEQQR
    MA+BDW1hbGxhQHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQB/6DOB6sRqCZu2OenM9eQR0gube85e
    nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
    -----END CERTIFICATE-----
    Certificate[2]:
    -----BEGIN CERTIFICATE-----
    MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
    biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
    E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
    /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
    o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
    J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
    BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
    HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
    -----END CERTIFICATE-----

    Certificate [1] is the public key. This is the certificate that is presented to remote parties in a federated environment. Certificate [2] represents the certificate that authenticates the trusted authority or certificate issuer.

6.2 Configuring Federation Manager 1 to Recognize the New Keystores and Key Files

The XML signature provider, the XML encryption provider, and the Federation Manager servers use the keystore configuration in the AMConfig.properties file for signing purposes. By default, Federation Manager supports multiple XML signature algorithms. In this deployment example, you explicitly specify the RSA signature algorithm by setting the appropriate property in the AMConfig.properties file.


Note –

Be sure that you are using the recommended version of the keytool utility. Example:


# which keytool
/usr/jdk/instances/jdk/1.5.0_06/bin/keytool

Use the following as your checklist for configuring Federation Manager 1:

  1. Create the Federation Manager 1 keystore passwords.

  2. Modify the AMConfig.properties file.

ProcedureTo Create the Federation Manager 1 Keystore Passwords

  1. Create a .storepass file.


    # /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging -e
    password >/etc/opt/SUNWam/config/.storepass
  2. Create a .keypass file.


    # /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging -e
    keypassword >/etc/opt/SUNWam/config/.keypass

ProcedureTo Modify the AMConfig.properties File

  1. Go to the following directory:


    /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/

    Make a backup of the AMConfig.properties file before you make changes.

  2. In AMConfig.properties, set the following properties as in this example:


    com.sun.identity.saml.xmlsig.keystore=/etc/opt/SUNWam/config/fmkeystore
    com.sun.identity.saml.xmlsig.storepass=/etc/opt/SUNWam/config/.storepass
    com.sun.identity.saml.xmlsig.keypass=/etc/opt/SUNWam/config/.keypass
    com.sun.identity.saml.xmlsig.certalias=LoadBalancer-9
    ...
    com.sun.identity.jss.donotInstallAtHighestPriorty=true
  3. Uncomment the following property, and set the value as in this example:


    com.sun.identity.saml.xmlsig.xmlSigAlgorithm=http://www.w3.org/2000/09/xmldsig#rsa-sha1

    Save the file.

  4. Regenerate and redeploy the Federation Manager 1 WAR file.

    See To Regenerate and Redeploy the Federation Manager 1 WAR File in this manual.

6.3 Configuring the Keystore for Federation Manager 2

The XML signing certificates must be identical on both Federation Manager instances. This ensures that when the SAMLv2 metadata is published, the metadata represents both Federation Manager instances as a single entity. In this procedure you copy the XML signing certificate from Federation Manager 1 and install the certificate on Federation Manager 2.

ProcedureTo Install the Federation Manager 1 XML Signing Certificate on Federation Manager 2

  1. As a root user, log in to the Federation Manager 2 host.

  2. Make a directory for creating a keystore. Example:


    # cd /etc/opt/SUNWam
    # mkdir config
  3. Copy the keystore files that were created for Federation Manager 1 into this directory.

  4. Verify that the certificate is properly installed.

    When you run this command, note that the Entry type must be keyEntry, as in this example. A keyEntry holds both the private key and the public certificate chain, and you need both of them. A trustedCertEntry holds only a public certificate and no private key.


    # keytool -list -keystore fmkeystore -alias LoadBalancer-9 -rfc
    Enter keystore password: password
    Alias name: LoadBalancer-9
    Creation date: Nov 2, 2006
    Entry type: keyEntry
    Certificate chain length: 2

    Certificate text similar to the following is displayed:


    Certificate[1]:
    -----BEGIN CERTIFICATE-----
    MIICYDCCAgqgAwIBAgICBoowDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNjExMDIxOTExMzRaFw0xMDA3MjkxOTExMzRaMDcxEjAQBgNVBAoTCXNp
    cm9lLmNvbTEhMB8GA1UEAxMYbG9hZGJhbGFuY2VyLTkuc2lyb2UuY29tMIGfMA0GCSqGSIb3DQEB
    AQUAA4GNADCBiQKBgQCjOwa5qoaUuVnknqf5pdgAJSEoWlvx/jnUYbkSDpXLzraEiy2UhvwpoBgB
    EeTSUaPPBvboCItchakPI6Z/aFdH3Wmjuij9XD8r1C+q//7sUO0IGn0ORycddHhoo0aSdnnxGf9V
    tREaqKm9dJ7Yn7kQHjo2eryMgYxtr/Z5Il5F+wIDAQABo2AwXjARBglghkgBhvhCAQEEBAMCBkAw
    DgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFDugITflTCfsWyNLTXDl7cMDUKuuMBgGA1UdEQQR
    MA+BDW1hbGxhQHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQB/6DOB6sRqCZu2OenM9eQR0gube85e
    nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
    -----END CERTIFICATE-----
    Certificate[2]:
    -----BEGIN CERTIFICATE-----
    MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
    biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
    E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
    /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
    o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
    J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
    BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
    HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
    -----END CERTIFICATE-----

    Certificate [1] is the public key. This is the certificate that is presented to remote parties in a federated environment. Certificate [2] represents the certificate that authenticates the trusted authority or certificate issuer.
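The verification steps in this chapter (step 9 of the signing procedure, step 8 of the encryption procedure, and step 4 above) all rely on reading the keytool -rfc listing by eye. The following Python program is added here as an example; it is not part of the Sun deployment guide. It performs the same checks on the listing shown above: it confirms that the entry type is keyEntry, decodes the two PEM certificates with a minimal DER walker from the standard library, verifies that Certificate[1] was issued by Certificate[2] and that Certificate[2] is self-signed, and checks that the end-entity validity window covers a given date. The PEM blocks are copied from the listing above; the function names are this example's own.

```python
"""Added check for the keytool -list -rfc verification step (not the guide's code):
keyEntry, a two-certificate chain, end entity issued by a self-signed root, date in range."""
import base64
import re
from datetime import datetime

# Constructed sample: the listing the guide shows for alias LoadBalancer-9 (PEM blocks copied from it).
KEYTOOL_RFC_OUTPUT = """\
Entry type: keyEntry
Certificate chain length: 2
Certificate[1]:
-----BEGIN CERTIFICATE-----
MIICYDCCAgqgAwIBAgICBoowDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
dGUgTWFuYWdlcjAeFw0wNjExMDIxOTExMzRaFw0xMDA3MjkxOTExMzRaMDcxEjAQBgNVBAoTCXNp
cm9lLmNvbTEhMB8GA1UEAxMYbG9hZGJhbGFuY2VyLTkuc2lyb2UuY29tMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQCjOwa5qoaUuVnknqf5pdgAJSEoWlvx/jnUYbkSDpXLzraEiy2UhvwpoBgB
EeTSUaPPBvboCItchakPI6Z/aFdH3Wmjuij9XD8r1C+q//7sUO0IGn0ORycddHhoo0aSdnnxGf9V
tREaqKm9dJ7Yn7kQHjo2eryMgYxtr/Z5Il5F+wIDAQABo2AwXjARBglghkgBhvhCAQEEBAMCBkAw
DgYDVR0PAQH/BAQDAgTwMB8GA1UdIwQYMBaAFDugITflTCfsWyNLTXDl7cMDUKuuMBgGA1UdEQQR
MA+BDW1hbGxhQHN1bi5jb20wDQYJKoZIhvcNAQEEBQADQQB/6DOB6sRqCZu2OenM9eQR0gube85e
nTTxU4a7x1naFxzYXK1iQ1vMARKMjDb19QEJIEJKZlDK4uS7yMlf1nFS
-----END CERTIFICATE-----
Certificate[2]:
-----BEGIN CERTIFICATE-----
MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
/HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
-----END CERTIFICATE-----
"""
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
             b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def der_tlv(buf, pos):
    """(tag, value_start, value_end) of the DER TLV at pos; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(buf, start, end):
    """All TLVs directly inside a constructed value."""
    out, pos = [], start
    while pos < end:
        out.append(der_tlv(buf, pos))
        pos = out[-1][2]
    return out

def name_to_str(buf, start, end):
    """Render an X.501 Name the way keytool does: most specific RDN first."""
    parts = []
    for _, rs, rend in der_children(buf, start, end):            # RelativeDistinguishedName (SET)
        for _, as_, aend in der_children(buf, rs, rend):         # AttributeTypeAndValue (SEQUENCE)
            (_, os_, oend), (_, vs, vend) = der_children(buf, as_, aend)
            parts.append(OID_NAMES.get(buf[os_:oend], "?") + "=" + buf[vs:vend].decode("utf-8"))
    return ", ".join(reversed(parts))

def parse_cert(der):
    """Subject, issuer and validity of one DER certificate (RFC 5280 TBSCertificate layout)."""
    _, cs, ce = der_tlv(der, 0)
    _, ts, te = der_children(der, cs, ce)[0]                      # tbsCertificate
    fields = der_children(der, ts, te)
    if fields[0][0] == 0xA0:                                       # skip [0] EXPLICIT version
        fields = fields[1:]
    issuer, validity, subject = fields[2], fields[3], fields[4]   # after serial and signature alg
    times = []
    for tag, s, e in der_children(der, validity[1], validity[2]):
        fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
        times.append(datetime.strptime(der[s:e].decode("ascii"), fmt))
    return {"subject": name_to_str(der, subject[1], subject[2]),
            "issuer": name_to_str(der, issuer[1], issuer[2]),
            "not_before": times[0], "not_after": times[1]}

def parse_listing(text):
    """(entry type, parsed certificates in chain order) from keytool -rfc output."""
    m = re.search(r"^Entry type:\s*(\S+)", text, re.M)
    pems = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return (m.group(1) if m else None), [parse_cert(base64.b64decode("".join(p.split()))) for p in pems]

def check_signing_entry(text, on_date):
    """Run the verification-step checks; on_date is an ISO date string such as '2007-01-15'."""
    day = datetime.fromisoformat(on_date)
    entry_type, certs = parse_listing(text)
    return {
        "certs": certs,
        "is_key_entry": entry_type == "keyEntry",                  # private key + chain present
        "chain_linked": all(certs[i]["issuer"] == certs[i + 1]["subject"] for i in range(len(certs) - 1)),
        "root_self_signed": bool(certs) and certs[-1]["subject"] == certs[-1]["issuer"],
        "end_entity_in_date": bool(certs) and certs[0]["not_before"] <= day <= certs[0]["not_after"],
    }
```

Call check_signing_entry with a date inside the certificate's validity period (for example 2007-01-15) to see every check pass; a later date shows how an expired signing certificate is reported before it breaks SAMLv2 message signing. Because the walker stops at the subject, it reads only the fields the checks need and never touches the signature bits.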

6.4 Configuring Federation Manager 2 to Recognize the New Keystores and Key Files

The XML signature provider, the XML encryption provider, and the Federation Manager servers use the keystore configuration in the AMConfig.properties file for signing purposes. By default, Federation Manager supports multiple XML signature algorithms. In this deployment example, you explicitly specify the RSA signature algorithm by setting the appropriate property in the AMConfig.properties file.

Use the following as your checklist for configuring Federation Manager 2 to recognize the new keystores and key files:

  1. Create the Federation Manager 2 keystore passwords.

  2. Modify the AMConfig.properties file.

ProcedureTo Create the Federation Manager 2 Keystore Passwords

  1. Create a .storepass file.


    # /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging -e
    password >/etc/opt/SUNWam/config/.storepass
  2. Create a .keypass file.


    # /opt/SUNWam/fm/bin/ampassword -i /var/opt/SUNWam/fm/war_staging -e
    keypassword >/etc/opt/SUNWam/config/.keypass

ProcedureTo Modify the AMConfig.properties File

  1. Go to the following directory:


    /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/

    Make a backup of the AMConfig.properties file before you make changes.

  2. In AMConfig.properties, set the following properties as in this example:


    com.sun.identity.saml.xmlsig.keystore=/etc/opt/SUNWam/config/fmkeystore
    com.sun.identity.saml.xmlsig.storepass=/etc/opt/SUNWam/config/.storepass
    com.sun.identity.saml.xmlsig.keypass=/etc/opt/SUNWam/config/.keypass
    com.sun.identity.saml.xmlsig.certalias=LoadBalancer-9
    ...
    com.sun.identity.jss.donotInstallAtHighestPriorty=true
  3. Uncomment the following property, and set the value as in this example:


    com.sun.identity.saml.xmlsig.xmlSigAlgorithm=http://www.w3.org/2000/09/xmldsig#rsa-sha1

    Save the file.

  4. Regenerate and redeploy the Federation Manager 2 WAR file.

    See To Regenerate and Redeploy the Federation Manager 2 WAR File.
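Because java.util.Properties treats a value that has been wrapped onto the next line without a trailing backslash as a separate property, a wrapped xmlSigAlgorithm URI silently leaves that property empty and adds a stray key named http. The following Python script is added here as an example and is not part of the Sun deployment guide. It reads an AMConfig.properties fragment the way Java does and checks the xmlsig settings specified in sections 6.2 and 6.4; the property names are the guide's, while the two fragments, the function names and the PREFIX constant are this example's own.

```python
"""Added check for the AMConfig.properties edits in sections 6.2 and 6.4 (not the guide's code):
read the file as java.util.Properties does and validate the XML-signing settings."""
import re

XMLDSIG_RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
PREFIX = "com.sun.identity.saml.xmlsig."

# Constructed fragment with the settings the guide specifies, each on one line.
GOOD_FRAGMENT = """\
# keystore used by the XML signature provider
com.sun.identity.saml.xmlsig.keystore=/etc/opt/SUNWam/config/fmkeystore
com.sun.identity.saml.xmlsig.storepass=/etc/opt/SUNWam/config/.storepass
com.sun.identity.saml.xmlsig.keypass=/etc/opt/SUNWam/config/.keypass
com.sun.identity.saml.xmlsig.certalias=LoadBalancer-9
com.sun.identity.saml.xmlsig.xmlSigAlgorithm=http://www.w3.org/2000/09/xmldsig#rsa-sha1
com.sun.identity.jss.donotInstallAtHighestPriorty=true
"""

# Constructed fragment reproducing a common mistake: the algorithm URI pasted
# onto the line after the '=' without a trailing backslash.
WRAPPED_FRAGMENT = GOOD_FRAGMENT.replace("xmlSigAlgorithm=http://", "xmlSigAlgorithm=\nhttp://")

def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' or whitespace
    as the key/value separator, and backslash-continued lines (odd trailing count)."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.lstrip()
        if (len(line) - len(line.rstrip("\\"))) % 2 == 1:
            pending = line[:-1]          # continuation: join with the next line
            continue
        pending = ""
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def check_xmlsig_config(props):
    """List the problems in the xmlsig settings; an empty list means they match the guide."""
    problems = []
    for key in ("keystore", "storepass", "keypass", "certalias"):
        if not props.get(PREFIX + key):
            problems.append(f"{PREFIX}{key} is missing or empty")
    for key in ("storepass", "keypass"):
        value = props.get(PREFIX + key, "")
        if value and not value.startswith("/"):
            problems.append(f"{PREFIX}{key} must name the file written by ampassword -e, not the password itself")
    alg = props.get(PREFIX + "xmlSigAlgorithm")
    if alg is None:
        problems.append(f"{PREFIX}xmlSigAlgorithm is absent (still commented out?)")
    elif alg != XMLDSIG_RSA_SHA1:
        problems.append(f"{PREFIX}xmlSigAlgorithm is {alg!r}, expected {XMLDSIG_RSA_SHA1!r}")
    if "http" in props or "https" in props:
        problems.append("stray key 'http': a URL value was wrapped onto its own line without a trailing backslash")
    return problems
```

check_xmlsig_config returns an empty list for the correctly written fragment and two findings for the wrapped one: an empty xmlSigAlgorithm and the stray http key. Running it against the real file before regenerating the WAR catches the mistake earlier than a failed signature at federation time would.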

6.5 Loading the Access Manager Root CA Certificates into the Federation Manager Servers

In this procedure you import a root CA certificate from Access Manager 1 into the JDK trusted CA certificate store (cacerts) for the Federation Manager servers. This step is not necessary if you are using one of the root CA certificates that ship with the JDK by default, which come from Verisign, Thawte, and other major certificate issuers. In this deployment example, the root CA certificates were obtained from certificate issuers that the JDK does not recognize by default, so the following procedure is necessary to establish trust between the local SSO provider (Federation Manager) and remote SSO providers (such as Access Manager).

  1. Load the root CA certificate into the Federation Manager 1 web container.

  2. Load the root CA certificate into the Federation Manager 2 web container.

ProcedureTo Load the Root CA Certificate into the Federation Manager 1 Web Container

  1. As a root user, log into the Federation Manager 1 host.

  2. Locate the JAVAHOME directory and JDK keystore directory for the Federation Manager 1 web container.


    # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com/config
    # view server.xml

    Locate the following JAVA javahome entry. In this deployment example, it looks like this:


    <JAVA javahome="/usr/jdk/entsys-j2se"

    To find the JDK keystore file, append the following to the javahome path:


    /jre/lib/security

    For example, in this deployment example, the JDK keystore is in the following directory:


    /usr/jdk/entsys-j2se/jre/lib/security

    This directory contains the Federation Manager trusted CA files.

  3. Obtain a copy of the Access Manager 1 root CA certificate.

    You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Access Manager 1 host.

    In this deployment example, the Access Manager 1 root CA certificate has already been copied to the following directory on Federation Manager 1:


    /net/slapd/export/share/cacert
  4. Import the Access Manager root CA certificate into the Federation Manager JDK keystore.

    The alias rootCA represents the name of the root CA certificate you want to import.


    # cd /usr/jdk/entsys-j2se/jre/lib/security
    # keytool -import -keystore cacerts -alias rootCA  
    -file /net/slapd/export/share/cacert
    Enter keystore password: changeit
    Owner: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Issuer: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US
    Serial number:320
    Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
    Certificate fingerprints:
             MD5:  CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
             SHA1: 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
    Trust this certificate? [no]: yes
    Certificate was added to keystore.
  5. To verify that the root CA certificate was successfully imported, run the list command:


    # cd /usr/jdk/instances/jdk1.5.0/jre/lib/security
    # keytool -list -keystore cacerts -alias rootCA -rfc
    Enter keystore password:  changeit
    Alias name: rootCA
    Creation date: Mar 9, 2007
    Entry type: trustedCertEntry
     
    -----BEGIN CERTIFICATE-----
    MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
    biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
    E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
    /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
    o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
    J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
    BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
    HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
    -----END CERTIFICATE-----

ProcedureTo Load the Root CA Certificate into the Federation Manager 2 Web Container

  1. As a root user, log into the Federation Manager 2 host.

  2. Locate the JAVAHOME directory and JDK keystore directory for the Federation Manager 2 web container.


    # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com/config
    # view server.xml

    Locate the following JAVA javahome entry. In this deployment example, it looks like this:


    <JAVA javahome="/usr/jdk/entsys-j2se"

    To find the JDK keystore file, append the following to the javahome path:


    /jre/lib/security

    For example, in this deployment example, the JDK keystore is in the following directory:


    /usr/jdk/entsys-j2se/jre/lib/security

    This directory contains the Federation Manager JDK trusted CA files.

  3. Obtain a copy of the Access Manager 1 root CA certificate.

    You can obtain a copy from the certificate issuer. Or you can copy the certificate stored on the Access Manager 1 host.

    In this deployment example, the Access Manager 1 root CA certificate has already been copied to the following directory on Federation Manager 1:


    /net/slapd/export/share/cacert
  4. Import the Access Manager 1 root CA certificate into the Federation Manager 2 JDK keystore.

    The alias rootCA represents the name of the root CA certificate you want to import.


    # cd /usr/jdk/entsys-j2se/jre/lib/security
    # keytool -import -keystore cacerts -alias rootCA  
    -file /net/slapd/export/share/cacert
    Enter keystore password: changeit
    Owner: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems Inc., L=Santa Clara, ST=California, C=US
    Issuer: CN=Certificate Manager, OU=Identity Services, 
    O=Sun Microsystems, Inc., L=Santa Clara, ST=California, C=US
    Serial number:320
    Valid from Mon Aug 16 00:00:00 PDT 2004 until: Mon Aug 16 00:00:00 PDT 2032
    Certificate fingerprints:
             MD5:  CD:07:DF:A6:CA:B9:AB:94:FF:CF:17:35:AB:C2:C2:51
             SHA1: 9A:B5:F7:54:DE:8A:BC:E9:F6:1D:F1:5B:71:46:72:9E:F0:4E:B8:7A
    Trust this certificate? [no]: yes
    Certificate was added to keystore.
  5. To verify that the root CA certificate was successfully imported, run the list command:


    # cd /usr/jdk/instances/jdk1.5.0/jre/lib/security
    # keytool -list -keystore cacerts -alias rootCA -rfc
    Enter keystore password:  changeit
    Alias name: rootCA
    Creation date: Mar 9, 2007
    Entry type: trustedCertEntry
     
    -----BEGIN CERTIFICATE-----
    MIICjjCCAjigAwIBAgICAyAwDQYJKoZIhvcNAQEFBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
    EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
    dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
    dGUgTWFuYWdlcjAeFw0wNDA4MTYwNzAwMDBaFw0zMjA4MTYwNzAwMDBaMIGSMQswCQYDVQQGEwJV
    UzETMBEGA1UECBMKQ2FsaWZvcm5pYTEUMBIGA1UEBxMLU2FudGEgQ2xhcmExHjAcBgNVBAoTFVN1
    biBNaWNyb3N5c3RlbXMgSW5jLjEaMBgGA1UECxMRSWRlbnRpdHkgU2VydmljZXMxHDAaBgNVBAMT
    E0NlcnRpZmljYXRlIE1hbmFnZXIwXDANBgkqhkiG9w0BAQEFAANLADBIAkEArPzFAYBufzrX2i7G
    /HhBi1RtEjYDHCy15WWytK6ZwbfXUMeyGadHweoZniOBU3VKdHhjIDCjqMMN25/rEM5ozwIDAQAB
    o3YwdDARBglghkgBhvhCAQEEBAMCAAcwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUO6AhN+VM
    J+xbI0tNcOXtwwNQq64wHwYDVR0jBBgwFoAUO6AhN+VMJ+xbI0tNcOXtwwNQq64wDgYDVR0PAQH/
    BAQDAgGGMA0GCSqGSIb3DQEBBQUAA0EAVHUPw/JfaTYTU8rHjR+6Xr6GqNbaT4eZtNXs5wIYljwl
    HvLjL/AITbxrinqfFiOB2JAOW+gLxo4j6LV6W9/2Mw==
    -----END CERTIFICATE-----

Chapter 7 Configuring SAMLv2 Metadata for the Federation Manager Servers

Use the following as your checklist for configuring SAMLv2 metadata for the Federation Manager servers:

  1. Create a circle of trust.

  2. Configure the SAMLv2 Service Provider metadata.

  3. Load the SAMLv2 metadata.

7.1 Creating a Circle of Trust

When you create metadata for the Service Provider, the Service Provider entity is added to a circle of trust. A circle of trust is used to group Service Providers and Identity Providers in a secure, trusted environment. Other remote provider entities can be added to the circle of trust. Whenever the SAMLv2 protocol is initiated, the SAMLv2 plug-in determines which circle of trust the requesting entity belongs to, and what other providers are available to interact with it. All entities within the same circle of trust can participate in the SAMLv2 protocols.

Procedure: To Create a Circle of Trust

  1. As a root user, log into the Federation Manager 1 host.

  2. Run the cotcreate command:


    # /opt/SUNWam/saml2/bin/saml2meta -i /var/opt/SUNWam/fm/war_staging 
    cotcreate -u amadmin -w 11111111 -t saml2_circle_of_trust 
    Circle of trust "saml2_circle_of_trust" is created successfully.

7.2 Configuring the SAMLv2 Service Provider Metadata

Federation Manager provides two metadata templates you can customize to meet your needs. For examples of customized metadata templates, see 7.2.1 Sample Metadata Template Files at the end of this section.


Note –

When you customize the metadata XML files, you must enter the entityID attribute using lowercase letters. For example, for the host LoadBalancer-9.siroe.com, enter the entityID as loadbalancer-9.siroe.com. The entityID will not be recognized if you use mixed case letters.


Procedure: To Generate and Customize the Service Provider Template Files

  1. Log in as a root user to the host FederationManager-1.

  2. Go to the following directory:


    /opt/SUNWam/saml2/bin
  3. Generate the SAMLv2 template files.


    # ./saml2meta -i /var/opt/SUNWam/fm/war_staging template -u amadmin
    -w 11111111 -e loadbalancer-9.siroe.com -s /sp -a LoadBalancer-9 
    -f LoadBalancer-9-enc 
    -m /etc/opt/SUNWam/config/saml2-sp-template.xml 
    -x /etc/opt/SUNWam/config/saml2-sp-extended-template.xml

    The saml2-sp-extended-template.xml file is similar to the standard saml2-sp-template.xml file. However, the extended file contains data about the SAMLv2 plug-in that is specific to Federation Manager.

  4. Customize the saml2-sp-template.xml file.

    When the file is first generated, default values are automatically generated and placed in the file. You must manually change these values to match the actual deployment environment. In this deployment example, a load balancer with SSL termination is being used. So you must modify the file to use the HTTPS protocol and the load balancer service URL.


    # vi /etc/opt/SUNWam/config/saml2-sp-template.xml
    1. In each Location URL and each ResponseLocation URL, change the protocol http to https.

      Search for each occurrence of Location and ResponseLocation to be sure you have changed each URL.

    2. Globally change all occurrences of FederationManager-1 to loadbalancer-9.

    3. Globally change all occurrences of 8080 to 3443.

    Save the file.

  5. Customize the saml2-sp-extended-template.xml file.


    # vi /etc/opt/SUNWam/config/saml2-sp-extended-template.xml
    1. Modify the following attribute-pair values to enable XML signing.


      <Attribute name="wantArtifactResponseSigned">
          <Value>true</Value>
      </Attribute>
      <Attribute name="wantLogoutRequestSigned">
          <Value>true</Value>
      </Attribute>
      <Attribute name="wantLogoutResponseSigned">
          <Value>true</Value>
      </Attribute>
      <Attribute name="wantMNIRequestSigned">
          <Value>true</Value>
      </Attribute>
      <Attribute name="wantMNIResponseSigned">
          <Value>true</Value>
      </Attribute>
      <Attribute name="cotlist">
          <Value>saml2_circle_of_trust</Value>
      </Attribute>
  6. Load the metadata.

    See 7.3 Loading the Service Provider SAMLv2 Metadata.
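The Python script below is an added example; it is not code from this deployment guide or from Federation Manager. It applies the edits of steps 4 and 5 to a constructed stand-in for a freshly generated saml2-sp-template.xml (the real file also carries KeyDescriptor elements and more endpoints) and then lints both files for the slips that make the import in 7.3 fail or leave the entity outside its circle of trust: a mixed-case entityID, an http endpoint left behind, a stray space inside an attribute name, and a cotlist value that does not match the circle created with cotcreate in 7.1. The function names, the sample file contents and the use of xml.etree are assumptions of this example; only the namespaces, attribute names, host names and ports come from the page.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"    # namespace of saml2-sp-template.xml
CFG_NS = "urn:sun:fm:SAML:2.0:entityconfig"       # namespace of saml2-sp-extended-template.xml

# Signing flags the procedure turns on in the extended template.
REQUIRED_SIGNED = ("wantArtifactResponseSigned", "wantLogoutRequestSigned",
                   "wantLogoutResponseSigned", "wantMNIRequestSigned",
                   "wantMNIResponseSigned")

# Constructed stand-in for a freshly generated template: default http
# endpoints on the Federation Manager host, port 8080, mixed-case entityID.
SAMPLE_SP_TEMPLATE = f"""<EntityDescriptor xmlns="{MD_NS}" entityID="FederationManager-1.siroe.com">
  <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://FederationManager-1.siroe.com:8080/federation/SPSloRedirect/metaAlias/sp"
        ResponseLocation="http://FederationManager-1.siroe.com:8080/federation/SPSloRedirect/metaAlias/sp"/>
    <AssertionConsumerService isDefault="true" index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="http://FederationManager-1.siroe.com:8080/federation/Consumer/metaAlias/sp"/>
  </SPSSODescriptor>
</EntityDescriptor>"""

# Constructed extended-config fragment carrying two slips a hand edit can
# introduce: a trailing space inside an attribute name and a misspelled
# circle-of-trust name.
SAMPLE_EXTENDED_CONFIG = f"""<EntityConfig xmlns="{CFG_NS}" hosted="1" entityID="loadbalancer-9.siroe.com">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="wantArtifactResponseSigned"><Value>true</Value></Attribute>
    <Attribute name="wantLogoutRequestSigned"><Value>true</Value></Attribute>
    <Attribute name="wantLogoutResponseSigned "><Value>true</Value></Attribute>
    <Attribute name="wantMNIRequestSigned"><Value>true</Value></Attribute>
    <Attribute name="wantMNIResponseSigned"><Value>true</Value></Attribute>
    <Attribute name="cotlist"><Value>saml2_cirlce_of_trust</Value></Attribute>
  </SPSSOConfig>
</EntityConfig>"""


def customize_sp_template(xml_text, old_host, new_host, old_port, new_port):
    """Steps 4.1-4.3: https on every Location/ResponseLocation, FM host name
    replaced by the load balancer name, port swapped, entityID lowercased."""
    ET.register_namespace("", MD_NS)
    root = ET.fromstring(xml_text)
    host_re = re.compile(re.escape(old_host), re.IGNORECASE)
    root.set("entityID", host_re.sub(new_host, root.get("entityID", "")).lower())
    for el in root.iter():
        for attr in ("Location", "ResponseLocation"):
            url = el.get(attr)
            if url is None:
                continue
            parts = urlsplit(url)
            netloc = host_re.sub(new_host, parts.netloc)
            if parts.port == int(old_port):
                netloc = netloc.rsplit(":", 1)[0] + ":" + str(new_port)
            el.set(attr, urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment)))
    return ET.tostring(root, encoding="unicode")


def lint_sp_template(xml_text):
    """Pre-import checks: lowercase entityID (see the Note) and https on every
    endpoint. Returns a list of findings; an empty list means the file is ready."""
    findings = []
    root = ET.fromstring(xml_text)
    eid = root.get("entityID", "")
    if eid != eid.lower():
        findings.append(f"entityID {eid!r} is not lowercase")
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]
        for attr in ("Location", "ResponseLocation"):
            url = el.get(attr)
            if url is not None and urlsplit(url).scheme != "https":
                findings.append(f"{tag} {attr} is not https: {url}")
    return findings


def lint_extended_config(xml_text, cot_name, required_signed=REQUIRED_SIGNED):
    """Pre-import checks: attribute names free of stray whitespace, cotlist equal
    to the circle created with cotcreate, and the signing flags set to true."""
    findings = []
    root = ET.fromstring(xml_text)
    values = {}
    for attr in root.iter(f"{{{CFG_NS}}}Attribute"):
        name = attr.get("name", "")
        if name != name.strip():
            findings.append(f"attribute name {name!r} has leading/trailing whitespace")
        value = attr.find(f"{{{CFG_NS}}}Value")
        values[name.strip()] = (value.text or "").strip() if value is not None else ""
    if values.get("cotlist") != cot_name:
        findings.append(f"cotlist {values.get('cotlist')!r} does not match circle of trust {cot_name!r}")
    for name in required_signed:
        if values.get(name) != "true":
            findings.append(f"{name} is not set to true")
    return findings


if __name__ == "__main__":
    fixed = customize_sp_template(SAMPLE_SP_TEMPLATE, "FederationManager-1", "loadbalancer-9", 8080, 3443)
    print(fixed)
    print("template findings:", lint_sp_template(fixed))
    print("extended findings:", lint_extended_config(SAMPLE_EXTENDED_CONFIG, "saml2_circle_of_trust"))
```

Running the two lint functions on the real files before the saml2meta import command in 7.3 turns a silent mismatch (for example a cotlist that points at a circle of trust that does not exist) into a message you can act on, while the import itself only reports success or failure.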

7.2.1 Sample Metadata Template Files

In the following examples, changes to the file are indicated in bold.


Note –

When you customize the metadata XML files, you must enter the entityID attribute using lowercase letters. For example, for the host LoadBalancer-9.siroe.com, enter the entityID as loadbalancer-9.siroe.com. The entityID will not be recognized if you use mixed case letters.



Example 7–1 Modified saml2-sp-template.xml File


<EntityDescriptor
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="loadbalancer-9.siroe.com">
    <SPSSODescriptor
        AuthnRequestsSigned="false"
        WantAssertionsSigned="false"
        protocolSupportEnumeration=
            "urn:oasis:names:tc:SAML:2.0:protocol">
        <KeyDescriptor use="signing">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate><!-- base64-encoded signing certificate omitted --></X509Certificate>
                </X509Data>
            </KeyInfo>
        </KeyDescriptor>
        <KeyDescriptor use="encryption">
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
                <X509Data>
                    <X509Certificate><!-- base64-encoded encryption certificate omitted --></X509Certificate>
                </X509Data>
            </KeyInfo>
            <EncryptionMethod Algorithm=
                "http://www.w3.org/2001/04/xmlenc#aes128-cbc">
                <KeySize xmlns="http://www.w3.org/2001/04/xmlenc#">128</KeySize>
            </EncryptionMethod>
        </KeyDescriptor>
        <SingleLogoutService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="https://LoadBalancer-9.siroe.com:3443/federation/SPSloRedirect/metaAlias/sp"
            ResponseLocation="https://LoadBalancer-9.siroe.com:3443/federation/SPSloRedirect/metaAlias/sp"/>
        <SingleLogoutService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
            Location="https://LoadBalancer-9.siroe.com:3443/federation/SPSloSoap/metaAlias/sp"/>
        <ManageNameIDService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
            Location="https://LoadBalancer-9.siroe.com:3443/federation/SPMniRedirect/metaAlias/sp"
            ResponseLocation="https://LoadBalancer-9.siroe.com:3443/federation/SPMniRedirect/metaAlias/sp"/>
        <ManageNameIDService
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
            Location="https://LoadBalancer-9.siroe.com:3443/federation/SPMniSoap/metaAlias/sp"
            ResponseLocation="https://LoadBalancer-9.siroe.com:3443/federation/SPMniSoap/metaAlias/sp"/>
        <NameIDFormat>
            urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
        </NameIDFormat>
        <NameIDFormat>
            urn:oasis:names:tc:SAML:2.0:nameid-format:transient
        </NameIDFormat>
        <AssertionConsumerService
            isDefault="true"
            index="0"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
            Location="https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp"/>
        <AssertionConsumerService
            index="1"
            Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
            Location="https://LoadBalancer-9.siroe.com:3443/federation/Consumer/metaAlias/sp"/>
    </SPSSODescriptor>
</EntityDescriptor>


Example 7–2 Modified saml2-sp-metadata-template.xml File


<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    xmlns:fm="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="1"
    entityID="loadbalancer-9.siroe.com">

    <SPSSOConfig metaAlias="/sp">
        <Attribute name="signingCertAlias">
            <Value>LoadBalancer-9</Value>
        </Attribute>
        <Attribute name="encryptionCertAlias">
            <Value>LoadBalancer-9-enc</Value>
        </Attribute>
        <Attribute name="basicAuthOn">
            <Value>false</Value>
        </Attribute>
        <Attribute name="basicAuthUser">
            <Value></Value>
        </Attribute>
        <Attribute name="basicAuthPassword">
            <Value></Value>
        </Attribute>
        <Attribute name="autofedEnabled">
            <Value>false</Value>
        </Attribute>
        <Attribute name="autofedAttribute">
            <Value></Value>
        </Attribute>
        <Attribute name="transientUser">
            <Value></Value>
        </Attribute>
        <Attribute name="spAccountMapper">
            <Value>com.sun.identity.saml2.plugins.DefaultSPAccountMapper</Value>
        </Attribute>
        <Attribute name="spAttributeMapper">
            <Value>com.sun.identity.saml2.plugins.DefaultSPAttributeMapper</Value>
        </Attribute>
        <Attribute name="spAuthncontextMapper">
            <Value>com.sun.identity.saml2.plugins.DefaultSPAuthnContextMapper</Value>
        </Attribute>
        <Attribute name="spAuthncontextClassrefMapping">
            <Value>PasswordProtectedTransport|0|default</Value>
        </Attribute>
        <Attribute name="spAuthncontextComparisonType">
            <Value>exact</Value>
        </Attribute>
        <Attribute name="attributeMap">
            <Value></Value>
        </Attribute>
        <Attribute name="saml2AuthModuleName">
            <Value></Value>
        </Attribute>
        <Attribute name="localAuthURL">
            <Value></Value>
        </Attribute>
        <Attribute name="intermediateUrl">
            <Value></Value>
        </Attribute>
        <Attribute name="defaultRelayState">
            <Value></Value>
        </Attribute>
        <Attribute name="assertionTimeSkew">
            <Value>300</Value>
        </Attribute>
        <Attribute name="wantAttributeEncrypted">
            <Value></Value>
        </Attribute>
        <Attribute name="wantAssertionEncrypted">
            <Value></Value>
        </Attribute>
        <Attribute name="wantNameIDEncrypted">
            <Value></Value>
        </Attribute>
        <Attribute name="wantArtifactResponseSigned">
            <Value>true</Value>
        </Attribute>
        <Attribute name="wantLogoutRequestSigned">
            <Value>true</Value>
        </Attribute>
        <Attribute name="wantLogoutResponseSigned">
            <Value>true</Value>
        </Attribute>
        <Attribute name="wantMNIRequestSigned">
            <Value>true</Value>
        </Attribute>
        <Attribute name="wantMNIResponseSigned">
            <Value>true</Value>
        </Attribute>
        <Attribute name="cotlist">
            <Value>saml2_circle_of_trust</Value>
        </Attribute>
    </SPSSOConfig>
</EntityConfig>

7.3 Loading the Service Provider SAMLv2 Metadata

When you load the SAMLv2 metadata into Directory Server, the Service Provider entity configuration is created. The entity configuration enables the SAMLv2 plug-in to recognize all SAMLv2 protocol URLs. The SAMLv2 metadata is also used for exchanging data with remote parties.

7.3.1 To Load the Customized Service Provider Metadata

Load the customized saml2-sp-template.xml and saml2-sp-extended-template.xml configuration files using the following command:


# /opt/SUNWam/saml2/bin/saml2meta -i /var/opt/SUNWam/fm/war_staging import 
-u amadmin -w 11111111 -m /etc/opt/SUNWam/config/saml2-sp-template.xml 
-x /etc/opt/SUNWam/config/saml2-sp-extended-template.xml

Note –

If the files do not load successfully, be sure that all entityID attributes in the files are entered using lowercase letters. The entityID attribute is not recognized if mixed case letters are used.