This chapter contains detailed information about the following groups of tasks:
5.1 Migrating Federation Manager 1 Configuration from Flat Files to Directory Servers
5.2 Migrating Federation Manager 1 User Data from Flat Files to Directory Servers
5.3 Migrating Federation Manager 2 Configuration from Flat Files to Directory Servers
5.4 Migrating Federation Manager 2 User Data from Flat Files to Directory Servers
5.5 Configuring the Federation Manager Authentication Service to Work with the Directory Servers
Use the following as your checklist for migrating Federation Manager 1 configuration from flat files to the Directory Servers:
The Federation Manager LDIF files are located in the following directory:
/opt/SUNWam/fm/ldif
The file fm_sm_sds_schema.ldif is for use with Sun Directory Server. The file fm_sm_ad_schema.ldif is for use with Microsoft Active Directory.
As a root user, log in to the Federation Manager 1 host.
Load the Federation Manager schema into the Directory Server configuration instance.
# cd /opt/SUNWam/fm/ldif # ldapmodify -D "cn=Directory Manager" -w 11111111 -h LoadBalancer-7.siroe.com -p 389 -f ./fm_sm_sds_schema.ldif |
The ldapmodify utility loads the object classes and service attributes required for Federation Manager services into the Directory Server schema.
On each of the Directory Server hosts, you can watch the error logs for LDIF errors.
# cd /var/opt/mps/serverroot/slapd-fm-config/logs # tail -f errors |
Migrate the Federation Manager services schema from flat files to the Directory Server.
# cd /opt/SUNWam/fm/bin # ./fmff2ds -h LoadBalancer-7.siroe.com -p 389 -r "o=siroe.com" -f /var/opt/SUNWam/fm/federation -u "cn=Directory Manager" -w 11111111 -j /usr/jdk/instances/jdk.5.0 |
Verify that Federation Manager schema was successfully moved to the Directory Server.
Start the Directory Server 3SP console.
# cd /var/opt/mps/serverroot/ # ./startconsole & |
Log in to the Directory Server console.
cn=Directory Manager
11111111
http://DirectoryServer-3SP.siroe.com:1391
In the navigation pane, expand the DirectoryServer-3SP.siroe.com suffix, and expand the Server Group.
Double-click the Directory Server (fm-config) instance, and open its console.
Click the Directory tab.
Under the o=siroe.com suffix, expand the Services object.
All of the Federation Manager services are displayed.
Go the following directory that contains the serverconfig.xml file:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config/ |
Make a backup of the file serverconfig.xml, and then make the following changes in serverconfig.xml:
In the following entry, change the host name and port number attribute values.:
<iPlanetDataAccessLayer> <ServerGroup name="default" minConnPool="1" maxConnPool="10"> <Server name="Server1" host="LoadBalancer-7.siroe.com" port="389" type="SIMPLE" /> <User name="User1" type="proxy"> <DirDN> uid=amadmin,ou=people,o=siroe.com |
Verify that the following user entries exist in the file:
<User name="User1" type="proxy"> <DirDN> uid=amadmin,ou=people,o=siroe.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> <User name="User2" type="admin"~ <DirDN> uid=amadmin,ou=people,o=siroe.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> |
In this deployment example, the proxy user and administrative user have the same DN. In effect, these are the same user. They are both superusers contained in the ou=service branch of the Directory Server. These users have privileges to read, write, and search the Federation Manager configuration. The user amadmin does not exist in the Directory Server at this point.
Add the user amadmin to the Directory Server.
On the Federation Manager 1 host, go to the following directory:
/opt/SUNWam/fm/bin |
Create a file named amadminconfig.ldif with the following entries:
dn=o=siroe.com changetype:modify add:aci dn: ou=People,o=siroe.com changetype: add objectClass: top objectClass: organizationalunit dn: uid=amAdmin,ou=People,o=siroe.com changetype: add objectclass: inetuser objectclass: inetorgperson objectclass: organizationalperson objectclass: person objectclass: top objectClass: iPlanetPreferences objectclass: inetAdmin inetuserstatus: Active cn: amAdmin sn: amAdmin userPassword: 11111111 aci: (target="ldap:///ou=services,*o=siroe.com") (targetattr = "*") (version 3.0; acl "S1IS Top-level Admin Role access allow"; allow (all) userdn = "ldap:///uid=amAdmin,ou=People, o=siroe.com";) |
This LDIF creates a People container and the user amAadmin with the Top-level Admin Role. The user is assigned read, write, and search privileges.
Use the ldapmodify utility to load ./amadminconfig.ldif into the Directory Server 3SP.
# ldapmodify -D "cn=Directory Manager" -w 11111111 -h LoadBalancer-7.siroe.com -f amadminconfig.ldif |
Go to the directory that contains the AMConfig.properties file:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes |
In AMConfig.properties, set the implementation class for the SM data store.
Make a backup of the AMConfig.properties file, and the set the following property:
com.sun.identity.sm.sms_object_class_name=com.sun.identity.sm.ldap.SMSLdapObject |
On the Federation Manager 1 host, run the fmwar command.
#cd /opt/SUNWam/fm/bin # ./fmwar -n federation -d /var/opt/SUNWam/fm/war_staging -s /export/fmsilent |
Undeploy the existing Federation Manager WAR 1 file.
# cd /opt/SUNWwbsvr/bin/https/bin # ./wdeploy delete -u /federation -i FederationManager-1.siroe.com -v https-FederationManager-1.siroe.com -n hard |
The —n hard option deletes the directory where Federation Manager is exported as well as the URI. If you use the —n soft option, only the URI is deleted.
Deploy the customized Federation Manager 1 WAR file.
# ./wdeploy deploy -u /federation -i FederationManager-1.siroe.com -v https-FederationManager-1.siroe.com /var/opt/SUNWam/fm/war_staging/federation.war |
This WAR file contains all the SAMLv2 configuration and Directory Server configuration you completed in the previous tasks.
Restart the Federation Manager web container.
#cd /opt/SUNWwbsvr/https-FederationManager-1.siroe.com # ./stop # ./start |
Verify that you can access the Federation Manager 1 server.
In a browser, go to the Federation Manager URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login |
Log in to the Federation Manager console:
amadmin
11111111
If you can log in successfully, the WAR file was deployed successfully.
In a browser, go to the Federation Manager URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login |
Log in to the Federation Manager console:
amadmin
11111111
Click the Configuration tab, and then go to the “System properties | Platform” section of the page.
Add a new entry to the Server List.
In the Server List field, enter the following:
http://FedeartionManager-2.siroe.com:8080|02 |
Click Add.
Click Save, and then log out of the Federation Manager console.
Use the following as your checklist for migrating Federation Manager 1 user data from flat files to Directory Servers:
The Federation Manager LDIF files are located in the following directory:
/opt/SUNWam/saml2/ldif
The file ./saml2_sds_schema.ldif is for use with Sun Directory Server. The file saml2_ad_schema.ldif is for use with Microsoft Active Directory.
Load the Federation Manager schema into the Directory Servers.
# cd /opt/SUNWam/saml2/ldif # ldapmodify -D "cn=Directory Manager" -w 11111111 -h LoadBalancer-8.siroe.com -p 1389 -f saml2_sds_schema.ldif |
The ldapmodify utility loads the object classes and user attributes required for Federation Manager users into the Directory Server schema.
On each of the Directory Server hosts, you can watch the error logs for LDIF errors.
# cd /var/opt/mps/serverroot/slapd-fm-users/logs # tail -f errors |
Create the amadmin suffix in the Directory Server.
Create a file named amadminusers.ldif with the following entries:
dn: ou=People,o=siroeusers.com changetype: add objectClass: top objectClass: organizationalunit dn: uid=amAdmin,ou=People,o=siroeusers.com changetype: add objectclass: inetuser objectclass: inetorgperson objectclass: organizationalperson objectclass: person objectclass: top objectClass: iPlanetPreferences objectclass: inetAdmin inetuserstatus: Active cn: amAdmin sn: amAdmin userPassword: 11111111 dn:o=siroeusers.com changetype:modify add:aci aci: (target="ldap:///*ou=People,o=siroeusers.com") (targetattr = "*") (version 3.0; acl "S1IS Top-level Admin Role access allow"; allow (all) userdn = "ldap:///uid=amAdmin,ou=People, o=siroeusers.com";) |
This LDIF creates a People container and the suffix o=siroeusers.com.
Use the ldapmodify utility to load amadminusers.ldif into the Directory Servers.
# ldapmodify -D "cn=Directory Manager" -w 11111111 -h LoadBalancer-8.siroe.com -p 1389 -f amadminusers.ldif |
In the Federation Manager 1 host, go to the directory that contains the file AMConfig.properties:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/ |
Set the default datastore provider property:
com.sun.identity.common.datastore.provider.default= com.sun.identity.common.LDAPDataStoreProvider |
Save the file.
Go to the directory that contains the file serverconfig.xml:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config |
Make a backup of serverconfig.xml, and then modify the following entry.
Modify the host name, port, and user DNs as in the following example:
<ServerGroup name="userdefault" minConnPool="1" maxConnPool="10"> <Server name="Server1" host="LoadBalancer-8.siroe.com" port="1389" type="SIMPLE" /> <User name="User1" type="proxy"> <DirDN> uid=amadmin,ou=people,o=siroeusers.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> <User name="User2" type="admin"> <DirDN> uid=amadmin,ou=people,o=siroeusers.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> <BaseDN> ou=people,o=siroeusers.com </BaseDN> </ServerGroup> |
Save the file.
Regenerate the redeploy the Federation Manager 1 WAR file.
See To Regenerate and Redeploy the Federation Manager 1 WAR File in this manual.
Use the following as your checklist for migrating Federation Manager 2 configuration from flat files to Directory Servers:
Go the following directory that contains the serverconfig.xml file:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config/ |
Make a backup of the file serverconfig.xml, and then make the following changes in serverconfig.xml:
In the following entry, change the host name and port number attribute values:
<iPlanetDataAccessLayer> <ServerGroup name="default" minConnPool="1" maxConnPool="10"> <Server name="Server1" host="LoadBalancer-7.siroe.com" port="389" type="SIMPLE" /> <User name="User1" type="proxy"> <DirDN> uid=amadmin,ou=people,o=siroe.com |
Verify that the following user entries exist in the file:
<User name="User1" type="proxy"> <DirDN> uid=amadmin,ou=people,o=siroe.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> <User name="User2" type="admin"~ <DirDN> uid=amadmin,ou=people,o=siroe.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> |
In this deployment example, the proxy user and administrative user have the same DN. In effect, these are the same user. They are both superusers contained in the ou=service branch of the Directory Server. These users have privileges to read, write, and search the Federation Manager configuration. The user amadmin does not exist in the Directory Server at this point.
Go to the directory that contains the AMConfig.properties file:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes |
In AMConfig.properties, set the implementation class for the SM data store.
Make a backup of the AMConfig.properties file, and the set the following property:
com.sun.identity.sm.sms_object_class_name=com.sun.identity.sm.ldap.SMSLdapObject |
On the Federation Manager 2 host, run the fmwar command.
#cd /opt/SUNWam/fm/bin # ./fmwar -n federation -d /var/opt/SUNWam/fm/war_staging -s /export/fmsilent |
Undeploy the existing Federation Manager WAR 2 file.
# cd /opt/SUNWwbsvr/bin/https/bin # ./wdeploy delete -u /federation -i FederationManager-2.siroe.com -v https-FederationManager-1.siroe.com -n hard |
The —n hard option deletes the directory where Federation Manager is exported as well as the URI. If you use the —n soft option, only the URI is deleted.
Deploy the customized Federation Manager 2 WAR file.
# ./wdeploy deploy -u /federation -i FederationManager-2.siroe.com -v https-FederationManager-2.siroe.com /var/opt/SUNWam/fm/war_staging/federation.war |
This WAR file contains all the SAMLv2 configuration and Directory Server configuration you completed in the previous tasks.
Restart the Federation Manager web container.
#cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com # ./stop # ./start |
Verify that you can access the Federation Manager 2 server.
In a browser, go to the Federation Manager URL:
http://FederationManager-2.siroe.com:8080/federation/UI/Login |
Log in to the Federation Manager console:
amadmin
11111111
If you can log in successfully, the WAR file was deployed successfully.
Use the following as your checklist for migrating Federation Manager 2 user data from flat files to Directory Servers:
In the Federation Manager 2 host, go to the directory that contains the file AMConfig.properties:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/classes/ |
Make a backup AMConfig.properties, and then in the AMConfig.properties file, set the default datastore provider property:
com.sun.identity.common.datastore.provider.default= com.sun.identity.common.LDAPDataStoreProvider |
Save the file.
Go to the directory that contains the file serverconfig.xml:
# cd /var/opt/SUNWam/fm/war_staging/web-src/WEB-INF/config |
Make a backup of serverconfig.xml, and then modify the following entry.
Modify the host name, port, and user DNs as in the following example:
<ServerGroup name="userdefault" minConnPool="1" maxConnPool="10"> <Server name="Server1" host="LoadBalancer-8.siroe.com" port="1389" type="SIMPLE" /> <User name="User1" type="proxy"> <DirDN> uid=amadmin,ou=people,o=siroeusers.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> <User name="User2" type="admin"> <DirDN> uid=amadmin,ou=people,o=siroeusers.com </DirDN> <DirPassword> AQICGmG7l+gzO6bjmbDBve/MqicBf/zR2I+P </DirPassword> </User> <BaseDN> ou=people,o=siroeusers.com </BaseDN> </ServerGroup> |
Save the file.
Regenerate the redeploy the Federation Manager 2 WAR file.
See To Regenerate and Redeploy the Federation Manager 2 WAR File.
Restart the Federation Manager web container.
#cd /opt/SUNWwbsvr/https-FederationManager-2.siroe.com # ./stop # ./start |
Verify that you can access the Federation Manager 2 server.
In a browser, go to the Federation Manager URL:
http://FederationManager-2.siroe.com:8080/federation/UI/Login |
Log in to the Federation Manager console:
amadmin
11111111
If you can log in successfully, the WAR file was deployed successfully.
Use the following as your checklist for configuring the Federation Manager authentication service:
Go to the Federation Manager 1 URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login
Notice that above the User Name field, the text says “This server uses flat file authentication scheme.”
Log in to the Federation Manager 1 console:
amadmin
11111111
Add a new authentication service.
Click the Organization tab.
Click the Authentication subtab, and then click Add.
In the list of Authentication Modules, select LDAP, and then click Next.
On the LDAP page, provide the following information:
Add LoadBalancer-8.siroe.com:1389.
Add o=siroeusers.com.
cn=fmldapuser,ou=People,o=siroeusers.com
This root DN is used by the authentication module to create a connection to the Directory Server. This eliminates the need to authenticate each user by individual uid.
00000000
00000000
uid
uid
Click Assign.
On the Authentication page, locate the module named Core, and click its Edit link.
On the Core page, provide the following information:
Choose Flatfile, LDAP and SAMLv2.
Add to the list ou=People,o=sirousers.com.
Click Save.
Verify that LDAP is included as an Organizational Attribute.
Click the Configuration tab. On the Configuration tab, under Authentication, click Core.
On the Core page, under Organization Attributes, verify that Flatfile, LDAP, and SAMLv2 are included in the list of Organization Authentication Modules.
In the Directory Server, create a user named fmldapuser.
This user is the Federation Manager user that can access the Directory Server. This user and has read, write, and search permissions in o=siroeusers.com branch of the Directory Server.
Create an LDIF file named fmldapuser.ldif with the following entries:
dn: cn=fmldapuser,ou=People,o=siroeusers.com changetype: add objectclass: inetuser objectclass: organizationalperson objectclass: person objectclass: top cn: fmldapuser sn: fmldapuser userPassword: 00000000 dn:o=siroeusers.com changetype:modify add:aci aci: (target="ldap:///o=siroeusers.com")(targetattr="*") (version 3.0; acl "FM special ldap auth user rights"; allow (read,search) userdn = "ldap:///cn=fmldapuser,ou=People,o=siroeusers.com"; ) |
Load ./fmldapuser.ldif into Directory Server 1.
# ldapmodify -D "cn=Directory Manager" -w d1rm4ngr -h LoadBalancer-8.siroe.com -p 1389 -f ./fmldapuser.ldif |
Change the default authentication module from Flat File to LDAP.
Log in to the Federation Manager 1 host.
Go to the following directory:
/opt/SUNWam/fm/bin |
Create a file named ldap.xml file that contains the following entries:
<?xml version="1.0" encoding="ISO-8859-1"?> <!-- Copyright (c) 2005 Sun Microsystems, Inc. All rights reserved Use is subject to license terms. --> <!DOCTYPE Requests PUBLIC "-//iPlanet//Sun Java System Access Manager 2005Q4 Admin CLI DTD//EN" "jar://com/iplanet/am/admin/cli/amAdmin.dtd"> <!-- CREATE REQUESTS --> <Requests> <OrganizationRequests DN="o=siroe.com"> <ModifyServiceTemplate serviceName="iPlanetAMAuthService" schemaType="Organization"> <AttributeValuePair> Attribute name="iplanet-am-auth-org-config" /> <Value><AttributeValuePair><Value> com.sun.identity.authentication.modules.ldap.LDAP REQUIRED< /Value></AttributeValuePair></Value> </AttributeValuePair> </ModifyServiceTemplate> </OrganizationRequests> </Requests> |
The attributes and AttributeValuePair in bold are the significant changes made to the configuration.
Load ldap.xml.
# ./amadmin -i /var/opt/SUNWam/fm/war-staging -u amadmin -w 11111111 -t ldap.xml |
Go to the following Federation Manager URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login
The Federation Manger login page displays the following message: “This server uses LDAP Authentication.”
Log in to the Federation Manager console:
amadmin
11111111
If you can log in successfully, then the LDAP Authentication module was able to successfully bind to the root user to the fm—config instance of Directory Server 3SP.
Create a test user in the fm-users instance of Directory Server 3SP.
Start the Directory Server 3SP console.
# cd /var/opt/mps/serverroot/ # ./startconsole & |
In Directory Server 3SP, expand the Server Group, and open the fm-users instance.
Open the fm-users console, and click the Directory Tab.
On the Directory Tab, under the o=siroeusers.com suffix, right-click the People container.
Choose New>User.
In the Create New User dialog, provide the following information:
Test
User
testuser1
11111111
Click OK.
Go to the following Federation Manager URL:
http://FederationManager-1.siroe.com:8080/federation/UI/Login
Log in to the Federation Manager console:
testuser1
11111111
If you can log in successfully, then the LDAP Authentication module was able to successfully bind the new user to the fm-users instance of Directory Server 3SP.