You must configure OpenSSO Enterprise server for the AMSDK Identity Repository plug-in, using the ssoadm command. Consider these two scenarios to determine the steps you follow:
Scenario 1: You do not want to customize the DAI service (ums.xml file). Follow Configuring OpenSSO Enterprise Server Using the ssoadm Command with add-amsdk-idrepo-plugin Subcommand.
Scenario 2: You want to customize the DAI service (ums.xml file). Follow Configuring OpenSSO Enterprise Server Manually.
After you follow either scenario, continue with Creating a Data Store Using the AMSDK Plug-in.
In this scenario, you do not want to customize the DAI service (ums.xml file). The ssoadm command with the add-amsdk-idrepo-plugin subcommand configures OpenSSO Enterprise server to enable the AMSDK Identity Repository plug-in by performing all of these tasks:
Loads the Directory Access Instructions (DAI) service
Adds the IdRepo subschema (sunIdentityRepositoryService)
Updates the Directory Server information in serverconfig.xml
Enables persistent searches for the AMSDK Identity Repository plug-in
Execute the ssoadm command with the add-amsdk-idrepo-plugin subcommand. For example:
# ./ssoadm add-amsdk-idrepo-plugin -u amadmin -f ./password-file \
    -a user-naming-attribute -o organization-naming-attribute \
    -b "dc=example,dc=com" -s ldaphost.example.com:389 \
    -x ./dsamepassword -p ./proxypassword
where:
-u specifies the administrative user. For example: amadmin
-f specifies the password file for the administrative user.
-a and -o specify the user naming attribute and organization naming attribute, respectively. Both parameters are optional. The default values are uid and o.
-b specifies the base DN of the Directory Server in which the Access Manager repository is being configured. For example: dc=example,dc=com
-s specifies the directory server host, port, and protocol. Examples for the -s option are:
ldap://host:port
host:port (The protocol defaults to ldap.)
host (The protocol defaults to ldap, and the port defaults to 389.)
-x specifies the password file for dsameuser.
-p specifies the password file for proxyuser.
On Solaris and Linux systems, the password files specified by -x and -p must have 400 (read-only by owner) permissions.
Restart the OpenSSO Enterprise server web container.
Continue with Creating a Data Store Using the AMSDK Plug-in.
In this scenario, you want to customize the DAI service (ums.xml file), so you must configure OpenSSO Enterprise server manually by:
Updating the Directory Server Information for the AMSDK Plug-in
Enabling Persistent Search Connections for the AMSDK Plug-in
In the zip-root/opensso/xml/ums.xml file, replace the following items, as needed for your deployment:
@USER_NAMING_ATTR@ with your user naming attribute. For example, uid (which is the default)
@ORG_NAMING_ATTR@ with your organization naming attribute. For example, o (which is the default)
Load the DAI service from the ums.xml file using the ssoadm command with the create-svc subcommand. For example:
# ./ssoadm create-svc -u amadmin -f ./password-file \
    --xmlfile zip-root/opensso/xml/ums.xml
where:
-u specifies the administrative user. For example: amadmin
-f specifies the password file for the administrative user.
--xmlfile (or -X) specifies the path to the ums.xml file.
zip-root is where the opensso_enterprise_80.zip file was unzipped.
In zip-root/opensso/xml/idRepoAmSDK.xml, replace @NORMALIZED_ORGBASE@ with the Directory Server root suffix.
Load the IdRepo subschema using the ssoadm command with the add-sub-schema subcommand. For example:
# ./ssoadm add-sub-schema -u amadmin -f ./password-file \
    -s sunIdentityRepositoryService -t Organization \
    -F zip-root/opensso/xml/idRepoAmSDK.xml
where:
-u specifies the administrative user. For example: amadmin
-f specifies the password file for the administrative user.
-s specifies the service name, which must be sunIdentityRepositoryService.
-t specifies the schema type, which must be Organization.
-F specifies the path to the idRepoAmSDK.xml file.
Update the Directory Server information by exporting, modifying, and then re-importing the information.
Important: If your deployment has multiple OpenSSO Enterprise server instances, you must perform the following steps on all server instances.
Export the Directory Server configuration information from the OpenSSO Enterprise server instance using the ssoadm command with the get-svrcfg-xml subcommand. For example:
# ./ssoadm get-svrcfg-xml -u amadmin -f ./password-file \
    -s http(s)://host.domain:port/opensso -o serverconfig.xml
where:
-u specifies the administrative user. For example: amadmin
-f specifies the password file for the administrative user.
-s specifies the server instance name. For example: https://openssohost1.example.com:8080/opensso
-o specifies the output file name that will contain the Directory Server configuration information. For example: serverconfig.xml
Edit the Directory Server configuration information in the serverconfig.xml file as follows:
Import the revised Directory Server configuration information using the ssoadm command with the set-svrcfg-xml subcommand. For example:
# ./ssoadm set-svrcfg-xml -u amadmin -f ./password-file \
    -s http(s)://host.domain:port/opensso -X serverconfig.xml
where:
-u specifies the administrative user. For example: amadmin
-f specifies the password file for the administrative user.
-s specifies the server instance name. For example: http://openssohost1.example.com:8080/opensso
-X specifies the input file name that contains the revised Directory Server configuration information. For example: serverconfig.xml
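The following shell helpers are an added example, not part of the OpenSSO Enterprise documentation or product. They cover the pre-flight checks a practitioner would want before the scenario 1 add-amsdk-idrepo-plugin command (password files must be mode 400, the -s value may take three forms) and the scenario 2 placeholder substitution in ums.xml; the function names and the demo files are assumptions.

```shell
#!/bin/sh
# Added example (not from the OpenSSO docs): pre-flight helpers for the
# ssoadm steps above. Function names and the demo files are assumptions.

# Succeed only if FILE is a regular file with mode exactly 0400, which the
# page requires for the -x and -p password files on Solaris and Linux.
check_password_file() {
    [ -f "$1" ] || { echo "missing password file: $1" >&2; return 1; }
    # an exact -perm mode (no leading - or /) matches 0400 and nothing else
    [ -n "$(find "$1" -perm 400 -print)" ] ||
        { echo "$1 must have mode 400 (read-only by owner)" >&2; return 1; }
}

# Normalize the -s value to host:port using the documented defaults:
# "ldap://host:port", "host:port" or "host" (protocol ldap, port 389).
normalize_ds_host() {
    s=${1#ldap://}
    case $s in
        *:*) printf '%s\n' "$s" ;;
        *)   printf '%s:389\n' "$s" ;;
    esac
}

# Scenario 2: write a copy of ums.xml with @USER_NAMING_ATTR@ and
# @ORG_NAMING_ATTR@ filled in.  Usage: render_ums_xml IN OUT USER_ATTR ORG_ATTR
render_ums_xml() {
    sed -e "s/@USER_NAMING_ATTR@/$3/g" -e "s/@ORG_NAMING_ATTR@/$4/g" "$1" > "$2"
}

# Scenario 1: print the add-amsdk-idrepo-plugin command line only after the
# -x/-p password files pass the check. Args: BASE_DN DS_HOST ADMIN_PW DSAME_PW PROXY_PW
amsdk_cmd() {
    [ -f "$3" ] || { echo "missing password file: $3" >&2; return 1; }
    check_password_file "$4" && check_password_file "$5" || return 1
    printf './ssoadm add-amsdk-idrepo-plugin -u amadmin -f %s -b "%s" -s %s -x %s -p %s\n' \
        "$3" "$1" "$(normalize_ds_host "$2")" "$4" "$5"
}

# Demo on constructed files (not a real deployment): a 0400 password file
# passes, a 0644 copy is rejected, and the command line is assembled.
demo=$(mktemp -d)
printf 'changeit\n' > "$demo/dsamepassword"; chmod 400 "$demo/dsamepassword"
cp "$demo/dsamepassword" "$demo/proxypassword"; chmod 644 "$demo/proxypassword"
amsdk_cmd "dc=example,dc=com" ldaphost.example.com \
    "$demo/dsamepassword" "$demo/dsamepassword" "$demo/proxypassword" || echo "refused"
chmod 400 "$demo/proxypassword"
amsdk_cmd "dc=example,dc=com" ldap://ldaphost.example.com:389 \
    "$demo/dsamepassword" "$demo/dsamepassword" "$demo/proxypassword"
rm -rf "$demo"
```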
This task involves enabling the persistent search (psearch) connections for the OpenSSO Enterprise server to allow the AMSDK Identity Repository plug-in to receive change notifications.