Deployment Example 2: Federation Using SAML v2

Chapter 5 Configuring Federation Manager Servers to Work with Directory Servers

This chapter contains detailed information about the following groups of tasks:

5.1 Migrating Federation Manager 1 Configuration from Flat Files to Directory Servers

Use the following as your checklist for migrating Federation Manager 1 configuration from flat files to the Directory Servers:

  1. Migrate Federation Manager 1 services schema into the Directory Servers.

  2. Update the Federation Manager 1 serverconfig.xml file.

  3. Update the Federation Manager 1 AMConfig.properties file.

  4. Regenerate and redeploy the Federation Manager 1 WAR file.

  5. Update the Platform Server list.

Procedure: To Migrate Federation Manager 1 Services Schema into the Directory Servers

The Federation Manager LDIF files are located in the following directory:

/opt/SUNWam/fm/ldif

The file fm_sm_sds_schema.ldif is for use with Sun Directory Server. The file fm_sm_ad_schema.ldif is for use with Microsoft Active Directory.

  1. As a root user, log in to the Federation Manager 1 host.

  2. Load the Federation Manager schema into the Directory Server configuration instance.


    # cd /opt/SUNWam/fm/ldif
    # ldapmodify -D "cn=Directory Manager" -w 11111111 -h LoadBalancer-7.siroe.com \
      -p 389 -f ./fm_sm_sds_schema.ldif

    The ldapmodify utility loads the object classes and service attributes required for Federation Manager services into the Directory Server schema.

  3. On each of the Directory Server hosts, you can watch the error logs for LDIF errors.


    # cd /var/opt/mps/serverroot/slapd-fm-config/logs
    # tail -f errors

  4. Migrate the Federation Manager services schema from flat files to the Directory Server.


    # cd /opt/SUNWam/fm/bin
    # ./fmff2ds -h LoadBalancer-7.siroe.com -p 389 -r "o=siroe.com" \
      -f /var/opt/SUNWam/fm/federation \
      -u "cn=Directory Manager" -w 11111111 \
      -j /usr/jdk/instances/jdk.5.0

  5. Verify that Federation Manager schema was successfully moved to the Directory Server.

    1. Start the Directory Server 3SP console.


      # cd /var/opt/mps/serverroot/
      # ./startconsole &
    2. Log in to the Directory Server console.

      User ID:

      cn=Directory Manager

      Password:

      11111111

      Administration URL:

      http://DirectoryServer-3SP.siroe.com:1391

    3. In the navigation pane, expand the DirectoryServer-3SP.siroe.com suffix, and expand the Server Group.

    4. Double-click the Directory Server (fm-config) instance, and open its console.

    5. Click the Directory tab.

    6. Under the o=siroe.com suffix, expand the Services object.

      All of the Federation Manager services are displayed.

Procedure: To Update the Federation Manager 1 serverconfig.xml File

  1. Go to the following directory that contains the serverconfig.xml file:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config/
  2. Make a backup of the file serverconfig.xml, and then make the following changes in serverconfig.xml:

    1. In the following entry, change the host name and port number attribute values:


      <iPlanetDataAccessLayer>
        <ServerGroup name="default" minConnPool="1" maxConnPool="10">
          <Server name="Server1" host="LoadBalancer-7.siroe.com"
                  port="389" type="SIMPLE" />
          <User name="User1" type="proxy">
            <DirDN>
              uid=amadmin,ou=people,o=siroe.com

    2. Verify that the following user entries exist in the file:


      <User name="User1" type="proxy">
        <DirDN>
          uid=amadmin,ou=people,o=siroe.com
        </DirDN>
        <DirPassword>
          AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
        </DirPassword>
      </User>
      <User name="User2" type="admin">
        <DirDN>
          uid=amadmin,ou=people,o=siroe.com
        </DirDN>
        <DirPassword>
          AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
        </DirPassword>
      </User>

    In this deployment example, the proxy user and administrative user have the same DN. In effect, these are the same user. They are both superusers contained in the ou=service branch of the Directory Server. These users have privileges to read, write, and search the Federation Manager configuration. The user amadmin does not exist in the Directory Server at this point.

  3. Add the user amadmin to the Directory Server.

    1. On the Federation Manager 1 host, go to the following directory:


      /opt/SUNWam/fm/bin
    2. Create a file named amadminconfig.ldif with the following entries:


      # A line that begins with a single space continues the previous line.
      dn: ou=People,o=siroe.com
      changetype: add
      objectClass: top
      objectClass: organizationalunit

      dn: uid=amAdmin,ou=People,o=siroe.com
      changetype: add
      objectclass: inetuser
      objectclass: inetorgperson
      objectclass: organizationalperson
      objectclass: person
      objectclass: top
      objectClass: iPlanetPreferences
      objectclass: inetAdmin
      inetuserstatus: Active
      cn: amAdmin
      sn: amAdmin
      userPassword: 11111111

      dn: o=siroe.com
      changetype: modify
      add: aci
      aci: (target="ldap:///ou=services,*o=siroe.com")
       (targetattr = "*") (version 3.0; acl "S1IS Top-level Admin Role
        access allow";
        allow (all) userdn = "ldap:///uid=amAdmin,ou=People,
       o=siroe.com";)

      This LDIF creates a People container and the user amAdmin with the Top-level Admin Role. The user is assigned read, write, and search privileges.

    3. Use the ldapmodify utility to load ./amadminconfig.ldif into the Directory Server 3SP.


      # ldapmodify -D "cn=Directory Manager" -w 11111111 \
        -h LoadBalancer-7.siroe.com -f amadminconfig.ldif
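
The following Python check is an added example, not part of the original manual or of Federation Manager. It unfolds an LDIF change file, reports records that have run together because the blank separator line is missing, and lists each ACI with its rights and bind DN, marking any that allow all rights on every attribute. The sample input is constructed from the amAdmin and fmldapuser entries in this chapter, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on this chapter's amadminconfig.ldif and
# fmldapuser.ldif (passwords omitted). A line that starts with one space
# continues the previous line (LDIF folding).
SAMPLE_LDIF = """\
dn: uid=amAdmin,ou=People,o=siroe.com
changetype: add
objectclass: person
cn: amAdmin
sn: amAdmin

dn: o=siroe.com
changetype: modify
add: aci
aci: (target="ldap:///ou=services,*o=siroe.com")
 (targetattr = "*") (version 3.0; acl "S1IS Top-level Admin Role
  access allow"; allow (all) userdn = "ldap:///uid=amAdmin,ou=People,
 o=siroe.com";)

dn: o=siroeusers.com
changetype: modify
add: aci
aci: (target="ldap:///o=siroeusers.com")(targetattr="*")
 (version 3.0; acl "FM special ldap auth user rights";
  allow (read,search) userdn =
  "ldap:///cn=fmldapuser,ou=People,o=siroeusers.com"; )
"""

# Name, rights and bind DN of a single-rule "allow ... userdn" ACI.
ACL_RE = re.compile(
    r'acl\s+"(?P<name>[^"]+)"\s*;\s*allow\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"(?P<userdn>[^"]+)"')
EVERY_ATTR_RE = re.compile(r'\(\s*targetattr\s*=\s*"\*"\s*\)')


def unfold(text):
    """Join LDIF continuation lines onto the line they continue."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]      # drop the single fold space
        else:
            lines.append(raw)
    return lines


def records(text):
    """Split an LDIF file into records, each a list of (attr, value)."""
    recs, cur = [], []
    for line in unfold(text) + [""]:
        if not line.strip():          # blank line ends the record
            if cur:
                recs.append(cur)
            cur = []
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.append((attr.strip().lower(), value.strip()))
    return recs


def audit(text):
    """Return (kind, dn, detail) findings for an LDIF change file."""
    findings = []
    for rec in records(text):
        dns = [v for a, v in rec if a == "dn"]
        dn = dns[0] if dns else "<no dn>"
        if len(dns) != 1:             # a second dn: means a lost separator
            findings.append(("run-together-records", dn,
                             f"{len(dns)} dn lines in one record"))
        for attr, value in rec:
            if attr != "aci":
                continue
            m = ACL_RE.search(value)
            if m is None:
                findings.append(("unparsed-aci", dn, value))
                continue
            rights = sorted(r.strip() for r in m["rights"].split(","))
            broad = "all" in rights and EVERY_ATTR_RE.search(value)
            findings.append(("broad-aci" if broad else "aci", dn,
                             f'{m["name"]}: {",".join(rights)} -> {m["userdn"]}'))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LDIF):
        print(finding)
```
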

Procedure: To Update the Federation Manager 1 AMConfig.properties File

  1. Go to the directory that contains the AMConfig.properties file:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes
  2. In AMConfig.properties, set the implementation class for the SM data store.

    Make a backup of the AMConfig.properties file, and then set the following property:


    com.sun.identity.sm.sms_object_class_name=com.sun.identity.sm.ldap.SMSLdapObject

Procedure: To Regenerate and Redeploy the Federation Manager 1 WAR File

  1. On the Federation Manager 1 host, run the fmwar command.


    # cd /opt/SUNWam/fm/bin
    # ./fmwar -n federation -d /var/opt/SUNWam/fm/war_staging -s /export/fmsilent

  2. Undeploy the existing Federation Manager 1 WAR file.


    # cd /opt/SUNWwbsvr/bin/https/bin
    # ./wdeploy delete -u /federation -i FederationManager-1.siroe.com \
      -v https-FederationManager-1.siroe.com -n hard

    The -n hard option deletes the directory where Federation Manager is exported as well as the URI. If you use the -n soft option, only the URI is deleted.

  3. Deploy the customized Federation Manager 1 WAR file.


    # ./wdeploy deploy -u /federation -i FederationManager-1.siroe.com \
      -v https-FederationManager-1.siroe.com \
      /var/opt/SUNWam/fm/war_staging/federation.war

    This WAR file contains all the SAMLv2 configuration and Directory Server configuration you completed in the previous tasks.

  4. Restart the Federation Manager web container.


    # cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com
    # ./stop
    # ./start

  5. Verify that you can access the Federation Manager 1 server.

    1. In a browser, go to the Federation Manager URL:


      http://FederationManager-1.siroe.com:8080/federation/UI/Login
    2. Log in to the Federation Manager console:

      User Name:

      amadmin

      Password:

      11111111

    If you can log in successfully, the WAR file was deployed successfully.

Procedure: To Update the Platform Server List

  1. In a browser, go to the Federation Manager URL:


    http://FederationManager-1.siroe.com:8080/federation/UI/Login
  2. Log in to the Federation Manager console:

    User Name:

    amadmin

    Password:

    11111111

  3. Click the Configuration tab, and then go to the “System properties | Platform” section of the page.

  4. Add a new entry to the Server List.

    In the Server List field, enter the following:


    http://FederationManager-2.siroe.com:8080|02

    Click Add.

  5. Click Save, and then log out of the Federation Manager console.

5.2 Migrating Federation Manager 1 User Data from Flat Files to Directory Servers

Use the following as your checklist for migrating Federation Manager 1 user data from flat files to Directory Servers:

  1. Load SAMLv2 users schema into the Directory Servers.

  2. Update the Federation Manager 1 AMConfig.properties file.

  3. Update the Federation Manager 1 serverconfig.xml file.

Procedure: To Load SAMLv2 Users Schema into the Directory Servers

The Federation Manager LDIF files are located in the following directory:

/opt/SUNWam/saml2/ldif

The file ./saml2_sds_schema.ldif is for use with Sun Directory Server. The file saml2_ad_schema.ldif is for use with Microsoft Active Directory.

  1. Load the Federation Manager schema into the Directory Servers.


    # cd /opt/SUNWam/saml2/ldif
    # ldapmodify -D "cn=Directory Manager" -w 11111111 -h LoadBalancer-8.siroe.com \
      -p 1389 -f saml2_sds_schema.ldif
    

    The ldapmodify utility loads the object classes and user attributes required for Federation Manager users into the Directory Server schema.

  2. On each of the Directory Server hosts, you can watch the error logs for LDIF errors.


    # cd /var/opt/mps/serverroot/slapd-fm-users/logs
    # tail -f errors
  3. Create the amadmin suffix in the Directory Server.

    1. Create a file named amadminusers.ldif with the following entries:


      # A line that begins with a single space continues the previous line.
      dn: ou=People,o=siroeusers.com
      changetype: add
      objectClass: top
      objectClass: organizationalunit

      dn: uid=amAdmin,ou=People,o=siroeusers.com
      changetype: add
      objectclass: inetuser
      objectclass: inetorgperson
      objectclass: organizationalperson
      objectclass: person
      objectclass: top
      objectClass: iPlanetPreferences
      objectclass: inetAdmin
      inetuserstatus: Active
      cn: amAdmin
      sn: amAdmin
      userPassword: 11111111

      dn: o=siroeusers.com
      changetype: modify
      add: aci
      aci: (target="ldap:///*ou=People,o=siroeusers.com")
       (targetattr = "*") (version 3.0;
        acl "S1IS Top-level Admin Role access allow";
        allow (all) userdn = "ldap:///uid=amAdmin,ou=People,
       o=siroeusers.com";)
      

      This LDIF creates a People container and the suffix o=siroeusers.com.

    2. Use the ldapmodify utility to load amadminusers.ldif into the Directory Servers.


      # ldapmodify -D "cn=Directory Manager" -w 11111111 \
        -h LoadBalancer-8.siroe.com -p 1389 -f amadminusers.ldif

Procedure: To Update the Federation Manager 1 AMConfig.properties File

  1. In the Federation Manager 1 host, go to the directory that contains the file AMConfig.properties:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/
  2. Set the default datastore provider property:


    com.sun.identity.common.datastore.provider.default=com.sun.identity.common.LDAPDataStoreProvider

    Save the file.

Procedure: To Update the Federation Manager 1 serverconfig.xml File

  1. Go to the directory that contains the file serverconfig.xml:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config
  2. Make a backup of serverconfig.xml, and then modify the following entry.

    Modify the host name, port, and user DNs as in the following example:


    <ServerGroup name="userdefault" minConnPool="1" maxConnPool="10">
      <Server name="Server1" host="LoadBalancer-8.siroe.com"
              port="1389" type="SIMPLE" />
      <User name="User1" type="proxy">
        <DirDN>
          uid=amadmin,ou=people,o=siroeusers.com
        </DirDN>
        <DirPassword>
          AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
        </DirPassword>
      </User>
      <User name="User2" type="admin">
        <DirDN>
          uid=amadmin,ou=people,o=siroeusers.com
        </DirDN>
        <DirPassword>
          AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
        </DirPassword>
      </User>
      <BaseDN>
        ou=people,o=siroeusers.com
      </BaseDN>
    </ServerGroup>

    Save the file.

  3. Regenerate and redeploy the Federation Manager 1 WAR file.

    See To Regenerate and Redeploy the Federation Manager 1 WAR File in this manual.
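
An added example (not from the original manual or the product): a Python check to run against serverconfig.xml before regenerating the WAR file. It confirms the file is well-formed, that each ServerGroup points at the load balancer this chapter assigns to it, and reports non-SSL connections and a proxy user that shares its DN with the admin user. The sample document is constructed with placeholder DirPassword values, the function names are hypothetical, and treating type="SSL" as the encrypted connection type is an assumption about the serverconfig.xml format.

```python
import xml.etree.ElementTree as ET

# Host and port each ServerGroup should point at, taken from this chapter.
EXPECTED = {
    "default": ("LoadBalancer-7.siroe.com", "389"),
    "userdefault": ("LoadBalancer-8.siroe.com", "1389"),
}

# Constructed sample: one ServerGroup as configured in this chapter.
# DirPassword holds a placeholder, not a real encrypted value.
GROUP = """  <ServerGroup name="{name}" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="{host}" port="{port}" type="SIMPLE" />
    <User name="User1" type="proxy">
      <DirDN> uid=amadmin,ou=people,{suffix} </DirDN>
      <DirPassword> PLACEHOLDER </DirPassword>
    </User>
    <User name="User2" type="admin">
      <DirDN> uid=amadmin,ou=people,{suffix} </DirDN>
      <DirPassword> PLACEHOLDER </DirPassword>
    </User>
  </ServerGroup>
"""
SAMPLE = (
    "<iPlanetDataAccessLayer>\n"
    + GROUP.format(name="default", host="LoadBalancer-7.siroe.com",
                   port="389", suffix="o=siroe.com")
    + GROUP.format(name="userdefault", host="LoadBalancer-8.siroe.com",
                   port="1389", suffix="o=siroeusers.com")
    + "</iPlanetDataAccessLayer>\n"
)


def norm_dn(text):
    """Lower-case a DN and drop whitespace around its components."""
    return ",".join(p.strip() for p in (text or "").lower().split(","))


def check(xml_text):
    """Return a list of findings for a serverconfig.xml document."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:      # e.g. a stray character in a tag
        return [f"not well-formed XML: {exc}"]
    findings = []
    groups = {g.get("name"): g for g in root.iter("ServerGroup")}
    for name, (host, port) in EXPECTED.items():
        group = groups.get(name)
        if group is None:
            findings.append(f"{name}: ServerGroup missing")
            continue
        for srv in group.findall("Server"):
            actual = (srv.get("host"), srv.get("port"))
            if actual != (host, port):
                findings.append(f"{name}: points at {actual[0]}:{actual[1]}, "
                                f"expected {host}:{port}")
            # Assumption: "SSL" is the encrypted alternative to "SIMPLE".
            if srv.get("type") != "SSL":
                findings.append(f"{name}: {srv.get('name')} uses "
                                f"type={srv.get('type')} (bind not over SSL)")
        dns = {u.get("type"): norm_dn(u.findtext("DirDN"))
               for u in group.findall("User")}
        for role in ("proxy", "admin"):
            if not dns.get(role):
                findings.append(f"{name}: no {role} user DN")
        if dns.get("proxy") and dns.get("proxy") == dns.get("admin"):
            findings.append(f"{name}: proxy and admin users share DN "
                            f"{dns['proxy']}")
    return findings


if __name__ == "__main__":
    for line in check(SAMPLE):
        print(line)
```
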

5.3 Migrating Federation Manager 2 Configuration from Flat Files to Directory Servers

Use the following as your checklist for migrating Federation Manager 2 configuration from flat files to Directory Servers:

  1. Update the Federation Manager 2 serverconfig.xml file.

  2. Update the Federation Manager 2 AMConfig.properties file.

  3. Regenerate and redeploy the Federation Manager 2 WAR file.

Procedure: To Update the Federation Manager 2 serverconfig.xml File

  1. Go to the following directory that contains the serverconfig.xml file:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config/
  2. Make a backup of the file serverconfig.xml, and then make the following changes in serverconfig.xml:

    1. In the following entry, change the host name and port number attribute values:


      <iPlanetDataAccessLayer>
        <ServerGroup name="default" minConnPool="1" maxConnPool="10">
          <Server name="Server1" host="LoadBalancer-7.siroe.com"
                  port="389" type="SIMPLE" />
          <User name="User1" type="proxy">
            <DirDN>
              uid=amadmin,ou=people,o=siroe.com

    2. Verify that the following user entries exist in the file:


      <User name="User1" type="proxy">
        <DirDN>
          uid=amadmin,ou=people,o=siroe.com
        </DirDN>
        <DirPassword>
          AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
        </DirPassword>
      </User>
      <User name="User2" type="admin">
        <DirDN>
          uid=amadmin,ou=people,o=siroe.com
        </DirDN>
        <DirPassword>
          AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
        </DirPassword>
      </User>

    In this deployment example, the proxy user and administrative user have the same DN. In effect, these are the same user. They are both superusers contained in the ou=service branch of the Directory Server. These users have privileges to read, write, and search the Federation Manager configuration. The user amadmin does not exist in the Directory Server at this point.

Procedure: To Update the Federation Manager 2 AMConfig.properties File

  1. Go to the directory that contains the AMConfig.properties file:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes
  2. In AMConfig.properties, set the implementation class for the SM data store.

    Make a backup of the AMConfig.properties file, and then set the following property:


    com.sun.identity.sm.sms_object_class_name=com.sun.identity.sm.ldap.SMSLdapObject

Procedure: To Regenerate and Redeploy the Federation Manager 2 WAR File

  1. On the Federation Manager 2 host, run the fmwar command.


    # cd /opt/SUNWam/fm/bin
    # ./fmwar -n federation -d /var/opt/SUNWam/fm/war_staging -s /export/fmsilent

  2. Undeploy the existing Federation Manager 2 WAR file.


    # cd /opt/SUNWwbsvr/bin/https/bin
    # ./wdeploy delete -u /federation -i FederationManager-2.siroe.com \
      -v https-FederationManager-2.siroe.com -n hard

    The -n hard option deletes the directory where Federation Manager is exported as well as the URI. If you use the -n soft option, only the URI is deleted.

  3. Deploy the customized Federation Manager 2 WAR file.


    # ./wdeploy deploy -u /federation -i FederationManager-2.siroe.com \
      -v https-FederationManager-2.siroe.com \
      /var/opt/SUNWam/fm/war_staging/federation.war

    This WAR file contains all the SAMLv2 configuration and Directory Server configuration you completed in the previous tasks.

  4. Restart the Federation Manager web container.


    # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com
    # ./stop
    # ./start

  5. Verify that you can access the Federation Manager 2 server.

    1. In a browser, go to the Federation Manager URL:


      http://FederationManager-2.siroe.com:8080/federation/UI/Login
    2. Log in to the Federation Manager console:

      User Name:

      amadmin

      Password:

      11111111

    If you can log in successfully, the WAR file was deployed successfully.

5.4 Migrating Federation Manager 2 User Data from Flat Files to Directory Servers

Use the following as your checklist for migrating Federation Manager 2 user data from flat files to Directory Servers:

  1. Update the Federation Manager 2 AMConfig.properties file.

  2. Update the Federation Manager 2 serverconfig.xml file.

Procedure: To Update the Federation Manager 2 AMConfig.properties File

  1. In the Federation Manager 2 host, go to the directory that contains the file AMConfig.properties:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/
  2. Make a backup of AMConfig.properties, and then in the AMConfig.properties file, set the default datastore provider property:


    com.sun.identity.common.datastore.provider.default=com.sun.identity.common.LDAPDataStoreProvider

    Save the file.

Procedure: To Update the Federation Manager 2 serverconfig.xml File

  1. Go to the directory that contains the file serverconfig.xml:


    # cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config
  2. Make a backup of serverconfig.xml, and then modify the following entry.

    Modify the host name, port, and user DNs as in the following example:


    <ServerGroup name="userdefault" minConnPool="1" maxConnPool="10">
      <Server name="Server1" host="LoadBalancer-8.siroe.com"
              port="1389" type="SIMPLE" />
      <User name="User1" type="proxy">
        <DirDN>
          uid=amadmin,ou=people,o=siroeusers.com
        </DirDN>
        <DirPassword>
          AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
        </DirPassword>
      </User>
      <User name="User2" type="admin">
        <DirDN>
          uid=amadmin,ou=people,o=siroeusers.com
        </DirDN>
        <DirPassword>
          AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P
        </DirPassword>
      </User>
      <BaseDN>
        ou=people,o=siroeusers.com
      </BaseDN>
    </ServerGroup>

    Save the file.

  3. Regenerate and redeploy the Federation Manager 2 WAR file.

    See To Regenerate and Redeploy the Federation Manager 2 WAR File.

  4. Restart the Federation Manager web container.


    # cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com
    # ./stop
    # ./start

  5. Verify that you can access the Federation Manager 2 server.

    1. In a browser, go to the Federation Manager URL:


      http://FederationManager-2.siroe.com:8080/federation/UI/Login
    2. Log in to the Federation Manager console:

      User Name:

      amadmin

      Password:

      11111111

    If you can log in successfully, the WAR file was deployed successfully.

5.5 Configuring the Federation Manager Authentication Service to Work with the Directory Servers

Use the following as your checklist for configuring the Federation Manager authentication service:

  1. Migrate the Federation Manager User Data to the Directory Server User data store.

  2. Verify that LDAP authentication works properly.

Procedure: To Migrate the Federation Manager User Data to the Directory Server User Data Store

  1. Go to the Federation Manager 1 URL:

    http://FederationManager-1.siroe.com:8080/federation/UI/Login

    Notice that above the User Name field, the text says “This server uses flat file authentication scheme.”

  2. Log in to the Federation Manager 1 console:

    User Name

    amadmin

    Password

    11111111

  3. Add a new authentication service.

    1. Click the Organization tab.

    2. Click the Authentication subtab, and then click Add.

    3. In the list of Authentication Modules, select LDAP, and then click Next.

    4. On the LDAP page, provide the following information:

      Primary LDAP Server List:

      Add LoadBalancer-8.siroe.com:1389.

      DN to Start User Search List:

      Add o=siroeusers.com.

      DN for Root User Bind:

      cn=fmldapuser,ou=People,o=siroeusers.com

      This root DN is used by the authentication module to create a connection to the Directory Server. This eliminates the need to authenticate each user by individual uid.

      Password for Root User Bind:

      00000000

      Password for Root User Bind (confirm):

      00000000

      Attribute used to Retrieve User Profile:

      uid

      Attribute Used to Search for a User to be Authenticated:

      uid

    5. Click Assign.

  4. On the Authentication page, locate the module named Core, and click its Edit link.

  5. On the Core page, provide the following information:

    Organization Authentication Modules:

    Choose Flatfile, LDAP and SAMLv2.

    People Container for All Users:

    Add to the list ou=People,o=siroeusers.com.

    Click Save.

  6. Verify that LDAP is included as an Organizational Attribute.

    Click the Configuration tab. On the Configuration tab, under Authentication, click Core.

    On the Core page, under Organization Attributes, verify that Flatfile, LDAP, and SAMLv2 are included in the list of Organization Authentication Modules.

  7. In the Directory Server, create a user named fmldapuser.

    This user is the Federation Manager user that can access the Directory Server. This user has read, write, and search permissions in the o=siroeusers.com branch of the Directory Server.

    1. Create an LDIF file named fmldapuser.ldif with the following entries:


      # A line that begins with a single space continues the previous line.
      dn: cn=fmldapuser,ou=People,o=siroeusers.com
      changetype: add
      objectclass: inetuser
      objectclass: organizationalperson
      objectclass: person
      objectclass: top
      cn: fmldapuser
      sn: fmldapuser
      userPassword: 00000000

      dn: o=siroeusers.com
      changetype: modify
      add: aci
      aci: (target="ldap:///o=siroeusers.com")(targetattr="*")
       (version 3.0; acl "FM special ldap auth user rights";
        allow (read,search) userdn =
        "ldap:///cn=fmldapuser,ou=People,o=siroeusers.com"; )

    2. Load ./fmldapuser.ldif into Directory Server 1.


      # ldapmodify -D "cn=Directory Manager" -w d1rm4ngr \
        -h LoadBalancer-8.siroe.com -p 1389 -f ./fmldapuser.ldif

  8. Change the default authentication module from Flat File to LDAP.

    1. Log in to the Federation Manager 1 host.

    2. Go to the following directory:


      /opt/SUNWam/fm/bin
    3. Create a file named ldap.xml that contains the following entries:


      <?xml version="1.0" encoding="ISO-8859-1"?>
      <!--
          Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved
          Use is subject to license terms.
      -->

      <!DOCTYPE Requests
          PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN"
          "jar://com/iplanet/am/admin/cli/amAdmin.dtd">

      <!--  CREATE REQUESTS -->

      <Requests>
        <OrganizationRequests DN="o=siroe.com">
          <ModifyServiceTemplate serviceName="iPlanetAMAuthService"
                                 schemaType="Organization">
            <AttributeValuePair>
              <Attribute name="iplanet-am-auth-org-config" />
              <Value>&lt;AttributeValuePair&gt;&lt;Value&gt;com.sun.identity.authentication.modules.ldap.LDAP REQUIRED&lt;/Value&gt;&lt;/AttributeValuePair&gt;</Value>
            </AttributeValuePair>
          </ModifyServiceTemplate>
        </OrganizationRequests>
      </Requests>

      The attributes and AttributeValuePair in bold are the significant changes made to the configuration.

    4. Load ldap.xml.


      # ./amadmin -i /var/opt/SUNWam/fm/war_staging -u amadmin -w 11111111 -t ldap.xml

Procedure: To Verify that LDAP Authentication Works Properly

  1. Go to the following Federation Manager URL:

    http://FederationManager-1.siroe.com:8080/federation/UI/Login

    The Federation Manager login page displays the following message: “This server uses LDAP Authentication.”

  2. Log in to the Federation Manager console:

    User Name:

    amadmin

    Password:

    11111111

    If you can log in successfully, then the LDAP Authentication module was able to successfully bind the root user to the fm-config instance of Directory Server 3SP.

  3. Create a test user in the fm-users instance of Directory Server 3SP.

    1. Start the Directory Server 3SP console.


      # cd /var/opt/mps/serverroot/ 
      # ./startconsole &
    2. In Directory Server 3SP, expand the Server Group, and open the fm-users instance.

    3. Open the fm-users console, and click the Directory Tab.

    4. On the Directory Tab, under the o=siroeusers.com suffix, right-click the People container.

      Choose New>User.

    5. In the Create New User dialog, provide the following information:

      First Name:

      Test

      Last Name:

      User

      User ID:

      testuser1

      Password:

      11111111

      Click OK.

  4. Go to the following Federation Manager URL:

    http://FederationManager-1.siroe.com:8080/federation/UI/Login

  5. Log in to the Federation Manager console:

    User Name:

    testuser1

    Password:

    11111111

    If you can log in successfully, then the LDAP Authentication module was able to successfully bind the new user to the fm-users instance of Directory Server 3SP.