This chapter provides information on the OpenSSO Enterprise ssoadm command line interface. This interface is new to the 8.0 release and replaces the amadmin command line tool used in previous releases. ssoadm has a multitude of subcommands that perform specific tasks for creating, deleting, and managing all OpenSSO Enterprise data. These subcommands are grouped by functional area.
amadmin is still supported for backward compatibility for versions that have been upgraded to OpenSSO. See Chapter 2, The amadmin Command Line Tool for more information.
The primary purpose of ssoadm is to load configuration data into the data store and to perform batch administrative tasks on the DIT. For information and instructions to unpack and set up ssoadm, see Installing the OpenSSO Enterprise Utilities and Scripts in the ssoAdminTools.zip File in Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide.
ssoadm is primarily used to:
Load XML service files - Administrators load services into OpenSSO Enterprise that use the XML service file format defined in the sms.dtd.
XML service files are stored in the data store as static blobs of XML data that are referenced by OpenSSO Enterprise. This information is not used by Directory Server, which only understands LDAP.
Perform batch updates of identity objects to the DIT - Administrators can perform batch updates to the Directory Server DIT using the do-batch subcommand. For example, if an administrator wants to create 10 organizations, 1000 users, and 100 groups, this can be done in one pass by putting the requests in one or more batch processing XML files and loading them using ssoadm.
When ssoadm is executed, the command performs a version check of the OpenSSO Enterprise server. If the expected server version does not match, the ssoadm command will fail.
ssoadm contains many subcommands to perform specific tasks for services, plug-ins, policies, federation profiles, and so forth. Each subcommand accepts a number of options, both required and optional, that are defined to carry out these tasks. The following sections describe the usage of the subcommands and their associated options.
The basic syntax for the ssoadm command is:
ssoadm subcommand --options [--global-options]
The following global options are common to all subcommands, but are not required for the command to function:
--locale, -l  Name of the locale to display the results.
--debug, -d  Run in debug mode. Results sent to the debug file.
--verbose, -v  Run in verbose mode. Results sent to standard output.
In most ssoadm subcommands, the password file is a required option. The password file is a simple file that contains the administrator password for the given task. To create a password file:
Create the password file in a location you will remember. For example:
echo "" > /tmp/testpwd
It is recommended to change the permissions to read-only:
chmod 400 /tmp/testpwd
This section provides an example of how you can use the ssoadm command line with a subcommand. This example highlights the update-agent subcommand, which allows you to configure agent properties. The following is an example of how the ssoadm command can be issued with the update-agent subcommand.
# ./ssoadm update-agent -e testRealm1 -b testAgent1 -u amadmin -f /tmp/testpwd -a "com.sun.identity.agents.config.notenforced.url[0]=/exampledir/public/*"
When issuing the ssoadm command, if you include values that contain wildcards (* or -*-), enclose the property name/value pair in double quotes to prevent the shell from expanding the wildcard. This applies when you use the -a (--attributevalues) option. The double quotes are not necessary when you list the properties in a data file and load them with the -D option.
You can read the options for a subcommand from this section or you can list the options yourself while using the command. On the machine hosting OpenSSO Enterprise, in the directory containing the ssoadm utility, issue the ssoadm command with the appropriate subcommand. For example:
# ./ssoadm update-agent
Since the preceding command is missing required options, the utility merely lists all the options available for this subcommand. The global options are common to all subcommands. For example:
ssoadm update-agent --options [--global-options]
Update agent configuration.

Usage:
ssoadm --realm|-e --agentname|-b --adminid|-u --password-file|-f [--set|-s] [--attributevalues|-a] [--datafile|-D]

Global Options:
    --locale, -l
        Name of the locale to display the results.
    --debug, -d
        Run in debug mode. Results sent to the debug file.
    --verbose, -v
        Run in verbose mode. Results sent to standard output.

Options:
    --realm, -e
        Name of realm.
    --agentname, -b
        Name of agent.
    --adminid, -u
        Administrator ID of running the command.
    --password-file, -f
        File name that contains password of administrator.
    --set, -s
        Set this flag to overwrite properties values.
    --attributevalues, -a
        properties e.g. homeaddress=here.
    --datafile, -D
        Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
By looking at the usage information of a subcommand, you can determine which options are required and which are optional. You can specify an option either with a single letter, such as -e, or with an entire word, such as --realm. The following is the usage information for the update-agent subcommand:
ssoadm update-agent --realm|-e --agentname|-b --adminid|-u --password-file|-f [--set|-s] [--attributevalues|-a] [--datafile|-D]
The options not bounded by square brackets are required: realm, agentname, adminid, and password-file. The three options in brackets are optional, but you must use either --attributevalues or --datafile to provide a property name and its corresponding value. The --attributevalues option is appropriate for assigning a value to a single property; the --datafile option is appropriate for setting several properties at once. The realm and agentname options identify the specific agent you are configuring. The adminid and password-file options identify you as someone who has the right to configure this agent.
The following command serves as an example of how you can change several agent properties at once. In this scenario the properties and their respective values are stored in a file, /tmp/testproperties, to which the command points:
# ./ssoadm update-agent -e testRealm1 -b testAgent1 -u amadmin -f /tmp/testpwd -D /tmp/testproperties
For subcommand options that accept multiple values, the values are space-separated and each is placed within quotation marks. For example, the --attributevalues option uses the following format:
--attributevalues "attributename=value" "attributename=value2"
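The password-file and data-file steps above, as an added shell example that is not part of the OpenSSO documentation: the functions create the -f password file without placing the password on the command line or in the shell history, write a -D data file in the one-attribute-per-line format, and show why a wildcard value passed with -a must be double-quoted. ssoadm itself is not invoked; the command it would receive is only printed. The realm, agent and first property are the page's own examples; the second notenforced.url entry is constructed.

```sh
#!/bin/sh
# Added example (not from the OpenSSO documentation): helpers for preparing
# the two files ssoadm reads, the -f password file and the -D data file.

# Create the password file for --password-file/-f. The password is read from
# standard input instead of being passed as an argument, so it does not end
# up in the shell history or the process list the way 'echo "pw" > file'
# does. umask 077 keeps the file private from the moment it is created;
# chmod 400 then makes it read-only, as the text recommends.
make_password_file() {
    pwfile=$1
    ( umask 077 && IFS= read -r pw && printf '%s\n' "$pw" > "$pwfile" ) || return 1
    chmod 400 "$pwfile" || return 1
    # Verify the result: owner read-only, nothing for group or others.
    [ "$(ls -ld "$pwfile" | cut -c1-10)" = "-r--------" ]
}

# Write a --datafile/-D file from attribute-name=attribute-value arguments,
# one per line. Every argument must contain '=' with a non-empty name;
# anything else is rejected so a malformed property is caught before ssoadm
# is run. Values are written literally, so wildcards need no quoting in the
# file itself.
make_datafile() {
    datafile=$1
    shift
    : > "$datafile" || return 1
    for pair in "$@"; do
        case $pair in
            ?*=*) printf '%s\n' "$pair" >> "$datafile" ;;
            *) echo "rejected '$pair': expected attribute-name=attribute-value" >&2
               return 1 ;;
        esac
    done
}

# Count the words the shell would hand to ssoadm if VALUE were given to -a
# without double quotes: field splitting and pathname expansion are applied,
# so a value such as exampledir/public/* becomes one argument per matching
# file. Anything other than 1 means the property would be mangled.
unquoted_word_count() {
    # The missing quotes around $1 are deliberate; they are the point here.
    set -- $1
    echo $#
}

# Demonstration with the page's update-agent example.
main() {
    tmp=$(mktemp -d) || return 1
    printf 'example-password\n' | make_password_file "$tmp/testpwd" || return 1

    # Data file for -D: the page's property plus a constructed second entry
    # that uses the -*- wildcard the text mentions.
    make_datafile "$tmp/testproperties" \
        'com.sun.identity.agents.config.notenforced.url[0]=/exampledir/public/*' \
        'com.sun.identity.agents.config.notenforced.url[1]=/exampledir/images/-*-' || return 1

    # The quoting hazard: with two files present, an unquoted pattern expands
    # to two arguments; double-quoted, it stays one.
    mkdir -p "$tmp/exampledir/public" || return 1
    : > "$tmp/exampledir/public/a.html"
    : > "$tmp/exampledir/public/b.html"
    n=$(cd "$tmp" && unquoted_word_count 'exampledir/public/*')
    echo "unquoted exampledir/public/* expands to $n arguments; quoted it stays 1"

    echo "would run: ./ssoadm update-agent -e testRealm1 -b testAgent1 -u amadmin" \
         "-f $tmp/testpwd -D $tmp/testproperties"
    rm -rf "$tmp"
}

main
```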
The following section lists the ssoadm subcommands and their associated options. The subcommands are grouped under the following functional areas:
The following subcommands execute operations for the supported agent profile types defined in the OpenSSO Centralized Agent Configuration service.
Add agents to an agent group.
ssoadm add-agent-to-grp --options [--global-options]
The name of the realm.
The name of the agent group.
The names of the agents.
The administrator ID running the command.
The filename that contains the password of the administrator.
Remove an agent's properties.
ssoadm agent-remove-props --options [--global-options]
The name of the realm.
The name of the agent.
The names of the properties.
The administrator ID running the command.
The filename that contains the password of the administrator.
Create a new agent configuration.
ssoadm create-agent --options [--global-options]
The name of the realm.
The name of the agent.
The type of agent. For example, J2EEAgent or WebAgent.
The administrator ID running the command.
The filename that contains the password of the administrator.
The properties. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
Create a new agent group.
ssoadm create-agent-grp --options [--global-options]
The name of the realm.
The name of the agent's group.
The type of agent. For example, J2EEAgent or WebAgent.
The administrator ID running the command.
The filename that contains the password of the administrator.
The properties. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
Delete existing agent groups.
ssoadm delete-agent-grps --options [--global-options]
The name of the realm.
The names of the agent groups.
The administrator ID running the command.
The filename that contains the password of the administrator.
Delete existing agent configurations.
ssoadm delete-agents --options [--global-options]
The name of the realm.
The names of the agents.
The administrator ID running the command.
The filename that contains the password of the administrator.
List the agents in an agent group.
ssoadm list-agent-grp-members --options [--global-options]
The name of the realm.
The name of the agent group.
The administrator ID running the command.
The filename that contains the password of the administrator.
Filter by a pattern.
List the agent groups.
ssoadm list-agent-grps --options [--global-options]
The name of the realm.
The administrator ID running the command.
The filename that contains the password of the administrator.
Filter by a pattern.
The type of agent. For example, J2EEAgent or WebAgent.
List the agent configurations.
ssoadm list-agents --options [--global-options]
The name of the realm.
The administrator ID running the command.
The filename that contains the password of the administrator.
Filter by a pattern.
The type of agent. For example, J2EEAgent or WebAgent.
Remove agents from an agent group.
ssoadm remove-agent-from-grp --options [--global-options]
The name of the realm.
The name of the agent group.
The names of the agents.
The administrator ID running the command.
The filename that contains the password of the administrator.
Show the agent profile.
ssoadm show-agent --options [--global-options]
The name of the realm.
The name of the agent.
The administrator ID running the command.
The filename that contains the password of the administrator.
The filename where configuration is written.
Set this option to inherit properties from the parent group.
Show the agent group profile.
ssoadm show-agent-grp --options [--global-options]
The name of the realm.
The name of the agent group.
The administrator ID running the command.
The filename that contains the password of the administrator.
The filename where configuration is written.
List the agent's membership.
ssoadm show-agent-membership --options [--global-options]
The name of the realm.
The name of the agent.
The administrator ID running the command.
The filename that contains the password of the administrator.
Show the agent types.
ssoadm show-agent-types --options [--global-options]
The administrator ID running the command.
The filename that contains the password of the administrator.
Update the agent's configuration.
ssoadm update-agent --options [--global-options]
--realm, -e  The name of the realm.
--agentname, -b  The name of the agent.
--adminid, -u  The administrator ID running the command.
--password-file, -f  The filename that contains the password of the administrator.
--set, -s  Set this flag to overwrite a property's values.
--attributevalues, -a  The properties. For example, homeaddress=here.
--datafile, -D  Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
Update the agent group's configuration.
ssoadm update-agent-grp --options [--global-options]
The name of the realm.
The name of the agent group.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set this flag to overwrite a property's values.
The properties. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
The following subcommands execute operations for the OpenSSO Enterprise Authentication service.
Add an authentication configuration entry.
ssoadm add-auth-cfg-entr --options [--global-options]
The name of the realm.
The name of the authentication configuration.
The module name.
The criteria for this entry. Possible values are REQUIRED, OPTIONAL, SUFFICIENT, and REQUISITE.
The administrator ID running the command.
The filename that contains the password of the administrator.
The options for this entry.
The position where the new entry is to be added.
Create an authentication configuration.
ssoadm create-auth-cfg --options [--global-options]
The name of the realm.
The name of the authentication configuration.
The administrator ID running the command.
The filename that contains the password of the administrator.
Create an authentication instance.
ssoadm create-auth-instance --options [--global-options]
The name of the realm.
The name of the authentication instance.
The type of authentication instance. For example LDAP or DataStore.
The administrator ID running the command.
The filename that contains the password of the administrator.
Delete existing authentication configurations.
ssoadm delete-auth-cfgs --options [--global-options]
The name of the realm.
The names of the authentication configurations.
The administrator ID running the command.
The filename that contains the password of the administrator.
Delete existing authentication instances.
ssoadm delete-auth-instances --options [--global-options]
The name of the realm.
The names of the authentication instances.
The administrator ID running the command.
The filename that contains the password of the administrator.
Get the authentication configuration entries.
ssoadm get-auth-cfg-entr --options [--global-options]
The name of the realm.
The name of the authentication configuration.
The administrator ID running the command.
The filename that contains the password of the administrator.
Get the authentication instance values.
ssoadm get-auth-instance --options [--global-options]
The name of the realm.
The name of the authentication instance.
The administrator ID running the command.
The filename that contains the password of the administrator.
List the authentication configurations.
ssoadm list-auth-cfgs --options [--global-options]
The name of the realm.
The administrator ID running the command.
The filename that contains the password of the administrator.
List the authentication instances.
ssoadm list-auth-instances --options [--global-options]
The name of the realm.
The administrator ID running the command.
The filename that contains the password of the administrator.
Register an authentication module.
ssoadm register-auth-module --options [--global-options]
The Java class name of the authentication module.
The administrator ID running the command.
The filename that contains the password of the administrator.
Unregister the authentication module.
ssoadm unregister-auth-module --options [--global-options]
The Java class name of the authentication module.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set the authentication configuration entries.
ssoadm update-auth-cfg-entr --options [--global-options]
The name of the realm.
The name of the authentication configuration.
The administrator ID running the command.
The filename that contains the password of the administrator.
The formatted authentication configuration entries.
The filename that contains the formatted authentication configuration entries. Enter one attribute-name=attribute-value per line.
Update the authentication instance values.
ssoadm update-auth-instance --options [--global-options]
The name of the realm.
The name of the authentication instance.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
The following subcommands execute operations for managing OpenSSO Enterprise datastores.
Create the AMSDK IdRepo plug-in.
ssoadm add-amsdk-idrepo-plugin --options [--global-options]
The Directory Servers; this option can contain multiple entries. Use the following format:
protocol://hostname:port
The Directory Server base distinguished name.
The filename that contains the password of the dsameuser.
The filename that contains the password of the puser.
The administrator ID running the command.
The filename that contains the password of the administrator.
The user object's naming attribute (defaults to uid).
The organization object's naming attribute (defaults to o).
Create a datastore under a realm.
ssoadm create-datastore --options [--global-options]
The name of the realm.
The name of the datastore.
The type of the datastore.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, sunIdRepoClass=com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
Delete the data stores under a realm.
ssoadm delete-datastores --options [--global-options]
The name of the realm.
The names of the data stores.
The administrator ID running the command.
The filename that contains the password of the administrator.
List the supported data store types.
ssoadm list-datastore-types --options [--global-options]
The administrator ID running the command.
The filename that contains the password of the administrator.
List the data stores under a realm.
ssoadm list-datastores --options [--global-options]
The name of the realm.
The administrator ID running the command.
The filename that contains the password of the administrator.
Show the data store profile.
ssoadm show-datastore --options [--global-options]
The name of the realm.
The name of the datastore.
The administrator ID running the command.
The filename that contains the password of the administrator.
Update the datastore profile.
ssoadm update-datastore --options [--global-options]
The name of the realm.
The name of the datastore.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, sunIdRepoClass=com.sun.identity.idm.plugins.files.FilesRepo.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
The following subcommands execute operations for managing identities associated with OpenSSO Enterprise.
Add an identity as a member of another identity.
ssoadm add-member --options [--global-options]
The name of the realm.
The name of the member's identity.
The type of the member's identity. For example, User, Role or Group.
The name of the identity.
The type of the identity.
The administrator ID running the command.
The filename that contains the password of the administrator.
Add privileges to an identity.
ssoadm add-privileges --options [--global-options]
The name of the realm.
The name of the identity.
The type of the identity. For example, User, Role or Group.
The names of the privileges to be added.
The administrator ID running the command.
The filename that contains the password of the administrator.
Add a service to an identity.
ssoadm add-svc-identity --options [--global-options]
The name of the realm.
The name of the identity.
The type of the identity. For example, User, Role or Group.
The name of the service.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
Create an identity in a realm.
ssoadm create-identity --options [--global-options]
The name of the realm.
The name of the identity.
The type of the identity. For example, User, Role or Group.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, inetuserstatus=Active.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
Delete the identities in a realm.
ssoadm delete-identities --options [--global-options]
The name of the realm.
The names of the identities.
The type of the identity. For example, User, Role or Group.
The administrator ID running the command.
The filename that contains the password of the administrator.
Get the identity property values.
ssoadm get-identity --options [--global-options]
The name of the realm.
The name of the identity.
The type of the identity. For example, User, Role or Group.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute names. All attribute values will be returned if this option is not provided.
Get the service in an identity.
ssoadm get-identity-svcs --options [--global-options]
The name of the realm.
The name of the identity.
The type of the identity. For example, User, Role or Group.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute names. All attribute values will be returned if this option is not provided.
List the identities in a realm.
ssoadm list-identities --options [--global-options]
The name of the realm.
Filter by a pattern.
The type of the identity. For example, User, Role or Group.
The administrator ID running the command.
The filename that contains the password of the administrator.
List the assignable services for an identity.
ssoadm list-identity-assignable-svcs --options [--global-options]
The name of the realm.
The name of the identity.
The type of the identity. For example, User, Role or Group.
The administrator ID running the command.
The filename that contains the password of the administrator.
Remove the membership of an identity from another identity.
ssoadm remove-member --options [--global-options]
The name of the realm.
The name of the member's identity.
The type of the member's identity. For example, User, Role or Group.
The name of the identity.
The type of the identity.
The administrator ID running the command.
The filename that contains the password of the administrator.
Remove the privileges from an identity.
ssoadm remove-privileges --options [--global-options]
The name of the realm.
The name of the identity.
The type of the identity. For example, User, Role or Group.
The names of the privileges to be removed.
The administrator ID running the command.
The filename that contains the password of the administrator.
Remove a service from an identity.
ssoadm remove-svc-identity --options [--global-options]
The name of the realm.
The name of the identity.
The type of the identity. For example, User, Role or Group.
The name of the service.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set the attribute values of an identity.
ssoadm set-identity-attrs --options [--global-options]
The name of the realm.
The name of the identity.
The type of the identity. For example, User, Role or Group.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
Set the service attribute values of an identity.
ssoadm set-identity-svc-attrs --options [--global-options]
The name of the realm.
The name of the identity.
The type of the identity. For example, User, Role or Group.
The name of the service.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
Show the allowed operations of an identity in a realm.
ssoadm show-identity-ops --options [--global-options]
The name of the realm.
The type of the identity. For example, User, Role or Group.
The administrator ID running the command.
The filename that contains the password of the administrator.
Show the service attribute values of an identity.
ssoadm show-identity-svc-attrs --options [--global-options]
The name of the realm.
The name of the identity.
The type of the identity. For example, User, Role or Group.
The name of the service.
The administrator ID running the command.
The filename that contains the password of the administrator.
Show the supported identity types in a realm.
ssoadm show-identity-types --options [--global-options]
The name of the realm.
The administrator ID running the command.
The filename that contains the password of the administrator.
Show the members of an identity. For example, the members of a role.
ssoadm show-members --options [--global-options]
The name of the realm.
The name of the identity.
The type of the identity. For example, User, Role or Group.
The membership identity type.
The administrator ID running the command.
The filename that contains the password of the administrator.
Show the memberships of an identity. For example, the memberships of a user.
ssoadm show-memberships --options [--global-options]
The name of the realm.
The name of the identity.
The type of the identity. For example, User, Role or Group.
The membership identity type.
The administrator ID running the command.
The filename that contains the password of the administrator.
Show the privileges assigned to an identity.
ssoadm show-privileges --options [--global-options]
The name of the realm.
The name of the identity.
The type of the identity. For example, User, Role or Group.
The administrator ID running the command.
The filename that contains the password of the administrator.
The following subcommands execute operations for managing realms and policies in OpenSSO Enterprise.
Add service attribute values in a realm.
ssoadm add-svc-attrs --options [--global-options]
The name of the realm.
The name of the service.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
Add a service to a realm.
ssoadm add-svc-realm --options [--global-options]
The name of the realm.
The name of the service.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
Create policies in a realm.
ssoadm create-policies --options [--global-options]
The name of the realm.
The filename that contains the policy XML definition.
The administrator ID running the command.
The filename that contains the password of the administrator.
Create a realm.
ssoadm create-realm --options [--global-options]
The name of the realm to be created.
The administrator ID running the command.
The filename that contains the password of the administrator.
Delete policies from a realm.
ssoadm delete-policies --options [--global-options]
The name of the realm to which the policy belongs.
The names of the policies to be deleted.
The administrator ID running the command.
The filename that contains the password of the administrator.
Delete a realm.
ssoadm delete-realm --options [--global-options]
The name of the realm.
The administrator ID running the command.
The filename that contains the password of the administrator.
Delete the descendant realms recursively.
Delete an attribute from a realm.
ssoadm delete-realm-attr --options [--global-options]
The name of the realm.
The name of the service.
The name of the attribute to be removed.
The administrator ID running the command.
The filename that contains the password of the administrator.
Get the realm property values.
ssoadm get-realm --options [--global-options]
The name of the realm.
The name of the service.
The administrator ID running the command.
The filename that contains the password of the administrator.
Get the realm's service attribute values.
ssoadm get-realm-svc-attrs --options [--global-options]
The name of the realm.
The name of the service.
The administrator ID running the command.
The filename that contains the password of the administrator.
List the policy definitions in a realm.
ssoadm list-policies --options [--global-options]
The name of the realm.
The administrator ID running the command.
The filename that contains the password of the administrator.
The names of the policies. This can be a wildcard. All policy definitions in the realm will be returned if this option is not provided.
The filename where the policy definitions will be written. The definitions will be printed to standard output if this option is not provided.
List the realm's assignable services.
ssoadm list-realm-assignable-svcs --options [--global-options]
The name of the realm.
The administrator ID running the command.
The filename that contains the password of the administrator.
List the realms by name.
ssoadm list-realms --options [--global-options]
The name of the realm.
The administrator ID running the command.
The filename that contains the password of the administrator.
Filter by a pattern.
Search recursively.
Remove a realm's service attribute values.
ssoadm remove-svc-attrs --options [--global-options]
The name of the realm.
The name of the service.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values to be removed. For example, homeaddress=here.
The filename that contains the attribute values to be removed, configured as in attribute-name=attribute-value. Enter one attribute and value per line.
Remove a service from a realm.
ssoadm remove-svc-realm --options [--global-options]
The name of the realm.
The name of the service to be removed.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set a realm's attribute values.
ssoadm set-realm-attrs --options [--global-options]
The name of the realm.
The name of the service.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set this flag to append the values to existing ones.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
Set the realm's service attribute values.
ssoadm set-svc-attrs --options [--global-options]
The name of the realm.
The name of the service.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
Show the supported authentication modules in the system.
ssoadm show-auth-modules --options [--global-options]
The administrator ID running the command.
The filename that contains the password of the administrator.
Show the supported data types in the system.
ssoadm show-data-types --options [--global-options]
The administrator ID running the command.
The filename that contains the password of the administrator.
Show the services in a realm.
ssoadm show-realm-svcs --options [--global-options]
The name of the realm.
The administrator ID running the command.
The filename that contains the password of the administrator.
Include mandatory services.
The following subcommands execute operations for managing service schemas and service configuration in OpenSSO Enterprise.
Add the default attribute values in a schema.
ssoadm add-attr-defs --options [--global-options]
The name of the service.
The type of schema.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
The name of the sub schema.
Add an attribute schema to an existing service.
ssoadm add-attrs --options [--global-options]
The name of the service.
The type of schema.
An XML file containing the attribute schema definition.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Add the plug-in interface to a service.
ssoadm add-plugin-interface --options [--global-options]
The name of the service.
The name of the interface.
The name of the plug-in.
The i18n key plug-in.
The administrator ID running the command.
The filename that contains the password of the administrator.
Add a sub schema.
ssoadm add-sub-schema --options [--global-options]
The name of the service.
The type of schema.
The filename that contains the schema.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Create a bootstrap URL that can bootstrap the product web application.
ssoadm create-boot-url --options [--global-options]
The Directory Server hostname.
The Directory Server port number.
The Directory Server base distinguished name.
The Directory Server administrator distinguished name.
The filename that contains the Directory Server administrator password.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set this flag for LDAPS.
Create a new sub configuration.
ssoadm create-sub-cfg --options [--global-options]
The name of the service.
The name of the sub configuration.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
The name of the realm. The sub configuration will be added to the global configuration if this option is not selected.
The ID of the parent configuration. The sub configuration will be added to the root configuration if this option is not selected.
The priority of the sub configuration.
Create a new service in the server.
ssoadm create-svc --options [--global-options]
The XML file that contains the schema.
The administrator ID running the command.
The filename that contains the password of the administrator.
Continue adding services if one or more previous services cannot be added.
Create the serverconfig.xml file.
ssoadm create-svrcfg-xml --options [--global-options]
The administrator ID running the command.
The filename that contains the password of the administrator.
The Directory Server hostname.
The Directory Server port number.
The Directory Server base distinguished name.
The Directory Server administrator distinguished name.
The filename that contains the Directory Server administrator password.
The filename where serverconfig.xml is written.
Delete the attribute schemas from a service.
ssoadm delete-attr --options [--global-options]
The name of the service.
The type of schema.
The name of the attribute schema to be removed.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Delete the attribute schema default values.
ssoadm delete-attr-def-values --options [--global-options]
The name of the service.
The type of schema.
The default values to be deleted.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Delete the sub configuration.
ssoadm delete-sub-cfg --options [--global-options]
The name of the service.
The name of the sub configuration.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
The name of the realm. The sub configuration will be deleted from the global configuration if this option is not specified.
The ID of the parent configuration. The sub configuration will be deleted from the root configuration if this option is not specified.
The priority of the sub configuration.
Delete the service from the server.
ssoadm delete-svc --options [--global-options]
The name of the service.
The administrator ID running the command.
The filename that contains the password of the administrator.
Continue deleting services if one or more previous services cannot be deleted.
Export the service configuration.
ssoadm export-svc-cfg --options [--global-options]
The secret key used to encrypt the passwords contained in the exported configuration. The same key must be supplied to import-svc-cfg to decrypt them, so protect the key as carefully as the export file itself; the file holds the complete service configuration of the deployment.
The administrator ID running the command.
The filename that contains the password of the administrator.
The filename where configuration is written.
Get the default attribute values in a schema.
ssoadm get-attr-defs --options [--global-options]
The name of the service.
The type of schema.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
The names of the attribute.
Get the service schema revision number.
ssoadm get-revision-number --options [--global-options]
The name of the service.
The administrator ID running the command.
The filename that contains the password of the administrator.
Import the service configuration.
ssoadm import-svc-cfg --options [--global-options]
The secret key for decrypting the password.
The XML file that contains the configuration data.
The administrator ID running the command.
The filename that contains the password of the administrator.
Remove choice values from the attribute schema.
ssoadm remove-attr-choicevals --options [--global-options]
The name of the service.
The type of schema.
The name of the attribute.
The choice values. For example, inactive.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Remove the default attribute values in a schema.
ssoadm remove-attr-defs --options [--global-options]
The name of the service.
The type of schema.
The names of the attribute.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Remove the sub schema.
ssoadm remove-sub-schema --options [--global-options]
The name of the service.
The type of schema.
The names of the sub schema to be removed.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the parent sub schema.
Set any member of the attribute schema.
ssoadm set-attr-any --options [--global-options]
The name of the service.
The type of schema.
The name of the attribute schema.
The attribute schema. Any value.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Set the boolean values of the attribute schema.
ssoadm set-attr-bool-values --options [--global-options]
The name of the service.
The type of schema.
The name of the attribute.
The value for true.
The internationalization key for the true value.
The value for false.
The internationalization key for the false value.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Set choice values for the attribute schema.
ssoadm set-attr-choicevals --options [--global-options]
The name of the service.
The type of schema.
The name of the attribute.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set this flag to append the choice values to existing ones.
The name of the sub schema.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
The choice values. For example, 0102=Inactive.
Set the default attribute values in a schema.
ssoadm set-attr-defs --options [--global-options]
The name of the service.
The type of schema.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
Set the attribute schema end range.
ssoadm set-attr-end-range --options [--global-options]
The name of the service.
The type of schema.
The name of the attribute schema.
The end range.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Set the i18nkey member of the attribute schema.
ssoadm set-attr-i18n-key --options [--global-options]
The name of the service.
The type of schema.
The name of the attribute schema.
The attribute schema i18n key.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Set the attribute schema start range.
ssoadm set-attr-start-range --options [--global-options]
The name of the service.
The type of schema.
The name of the attribute schema.
The start range.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Set the syntax member of the attribute schema.
ssoadm set-attr-syntax --options [--global-options]
The name of the service.
The type of schema.
The name of the attribute schema.
The attribute schema syntax.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Set the type member of the attribute schema.
ssoadm set-attr-type --options [--global-options]
The name of the service.
The type of schema.
The name of the attribute schema.
The attribute schema type.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Set the UI type member of the attribute schema.
ssoadm set-attr-ui-type --options [--global-options]
The name of the service.
The type of schema.
The name of the attribute schema.
The attribute schema UI type.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Set the attribute schema validator.
ssoadm set-attr-validator --options [--global-options]
The name of the service.
The type of schema.
The name of the attribute schema.
The validator class name.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Set the properties view bean URL member of the attribute schema.
ssoadm set-attr-view-bean-url --options [--global-options]
The name of the service.
The type of schema.
The name of the attribute schema.
The attribute schema properties view bean URL.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the sub schema.
Set the inheritance value of the sub schema.
ssoadm set-inheritance --options [--global-options]
The name of the service.
The type of schema.
The name of the sub schema.
The value of inheritance.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set the properties view bean URL of the plug-in schema.
ssoadm set-plugin-viewbean-url --options [--global-options]
The name of the service.
The name of the interface.
The name of the plug-in.
The properties view bean URL.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set the service schema revision number.
ssoadm set-revision-number --options [--global-options]
The name of the service.
The revision number.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set the sub configuration.
ssoadm set-sub-cfg --options [--global-options]
The name of the service.
The name of the sub configuration.
The operation (either add/set/modify) to be performed on the sub configuration.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
The name of the realm. The sub configuration will be added to the global configuration if this option is not selected.
Set the service schema i18n key.
ssoadm set-svc-i18n-key --options [--global-options]
The name of the service.
The i18n key.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set the service schema properties view bean URL.
ssoadm set-svc-view-bean-url --options [--global-options]
The name of the service.
The service schema properties view bean URL.
The administrator ID running the command.
The filename that contains the password of the administrator.
Update the service.
ssoadm update-svc --options [--global-options]
The XML file that contains the schema.
The administrator ID running the command.
The filename that contains the password of the administrator.
Continue updating services if one or more previous services cannot be updated.
The following subcommands execute operations for configuring and managing OpenSSO Enterprise servers and sites within your enterprise.
Add members to a site.
ssoadm add-site-members --options [--global-options]
The name of the site. For example, mysite.
The server name. For example, http://www.example.com:8080/opensso.
The administrator ID running the command.
The filename that contains the password of the administrator.
Add site secondary URLs.
ssoadm add-site-sec-urls --options [--global-options]
The name of the site. For example, mysite.
The secondary URLs.
The administrator ID running the command.
The filename that contains the password of the administrator.
Clone a server instance.
ssoadm clone-server --options [--global-options]
The server name.
The clone server name.
The administrator ID running the command.
The filename that contains the password of the administrator.
Create a server instance.
ssoadm create-server --options [--global-options]
The server name. For example, http://www.example.com:8080/opensso.
The server configuration XML filename.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
Create a site.
ssoadm create-site --options [--global-options]
The site name. For example, mysite.
The site's primary URL. For example, http://www.example.com:8080.
The administrator ID running the command.
The filename that contains the password of the administrator.
The secondary URLs.
Delete a server instance.
ssoadm delete-server --options [--global-options]
The server name. For example, http://www.example.com:8080/opensso.
The administrator ID running the command.
The filename that contains the password of the administrator.
Delete a site.
ssoadm delete-site --options [--global-options]
The site name. For example, mysite.
The administrator ID running the command.
The filename that contains the password of the administrator.
Export a server instance.
ssoadm export-server --options [--global-options]
The server name. For example, http://www.example.com:8080/opensso.
The administrator ID running the command.
The filename that contains the password of the administrator.
The filename where configuration is written.
Get the server configuration XML from the centralized data store.
ssoadm get-svrcfg-xml --options [--global-options]
The server name.
The administrator ID running the command.
The filename that contains the password of the administrator.
The filename where serverconfig.XML is written.
Import a server instance.
ssoadm import-server --options [--global-options]
The server name.
The XML file that contains the configuration.
The administrator ID running the command.
The filename that contains the password of the administrator.
List the server configuration.
ssoadm list-server-cfg --options [--global-options]
The server name.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set this flag to get the default configuration.
List all the server instances.
ssoadm list-servers --options [--global-options]
The administrator ID running the command.
The filename that contains the password of the administrator.
List all the sites.
ssoadm list-sites --options [--global-options]
The administrator ID running the command.
The filename that contains the password of the administrator.
Remove the server configuration.
ssoadm remove-server-cfg --options [--global-options]
The server name. For example, http://www.example.com:8080/opensso.
The names of the properties to be removed.
The administrator ID running the command.
The filename that contains the password of the administrator.
Remove members from a site.
ssoadm remove-site-members --options [--global-options]
The site name. For example, mysite.
The server name. For example, http://www.example.com:8080/opensso.
The administrator ID running the command.
The filename that contains the password of the administrator.
Remove the site secondary URLs.
ssoadm remove-site-sec-urls --options [--global-options]
The site name. For example, mysite.
The secondary URLs.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set the primary URL of a site.
ssoadm set-site-pri-url --options [--global-options]
The site name. For example, mysite.
The site's primary URL. For example, http://www.example.com:8080.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set the site secondary URLs.
ssoadm set-site-sec-urls --options [--global-options]
The site name. For example, mysite.
The secondary URLs.
The administrator ID running the command.
The filename that contains the password of the administrator.
Set the server configuration XML to the centralized data store.
ssoadm set-svrcfg-xml --options [--global-options]
The server name.
The XML file that contains the configuration.
The administrator ID running the command.
The filename that contains the password of the administrator.
The filename where serverconfig XML is written.
Show the site profile.
ssoadm show-site --options [--global-options]
The site name. For example, mysite.
The administrator ID running the command.
The filename that contains the password of the administrator.
Display the members of a site.
ssoadm show-site-members --options [--global-options]
The site name. For example, mysite.
The administrator ID running the command.
The filename that contains the password of the administrator.
Update the server configuration.
ssoadm update-server-cfg --options [--global-options]
The server name.
The administrator ID running the command.
The filename that contains the password of the administrator.
The attribute values. For example, homeaddress=here.
Name of file that contains attributes and corresponding values as in attribute-name=attribute-value. Enter one attribute and value per line.
The following subcommands execute operations for configuring and managing Federation-related data.
Add a member to a circle of trust.
ssoadm add-cot-member --options [--global-options]
The circle of trust.
The entity ID.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the realm that contains the circle of trust.
Specifies the metadata specification, either idff or saml2. The default is saml2.
Create a circle of trust.
ssoadm create-cot --options [--global-options]
The circle of trust.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the realm that contains the circle of trust.
The trusted providers.
The prefix URL for the IDP discovery reader and writer URLs.
Create a new metadata template.
ssoadm create-metadata-templ --options [--global-options]
The entity ID.
The administrator ID running the command.
The filename that contains the password of the administrator.
Specifies the filename for the standard metadata to be created.
Specifies the filename for the extended metadata to be created.
Specifies the metaAlias for the hosted service provider to be created. The format must be <realm name>/<identifier>.
Specifies the metaAlias for the hosted identity provider to be created. The format must be <realm name>/<identifier>.
Specifies the metaAlias for the hosted attribute query provider to be created. The format must be <realm name>/<identifier>.
Specifies the metaAlias for the hosted attribute authority to be created. The format must be <realm name>/<identifier>.
Specifies the metaAlias for the hosted authentication authority to be created. The format must be <realm name>/<identifier>.
Specifies the metaAlias for the policy enforcement point to be created. The format must be <realm name>/<identifier>.
Specifies the metaAlias for the policy decision point to be created. The format must be <realm name>/<identifier>.
Specifies the metaAlias for the hosted affiliation to be created. The format must be <realm name>/<identifier>.
The affiliation owner ID.
The affiliation members.
The service provider signing certificate alias.
The identity provider signing certificate alias.
The attribute query provider signing certificate alias.
The attribute authority signing certificate alias.
The authentication authority signing certificate alias.
The affiliation signing certificate alias.
The policy decision point signing certificate alias.
The policy enforcement point signing certificate alias.
The service provider encryption certificate alias.
The identity provider encryption certificate alias.
The attribute query provider encryption certificate alias.
The attribute authority encryption certificate alias.
The authentication authority encryption certificate alias.
The affiliation encryption certificate alias.
The policy decision point encryption certificate alias.
The policy enforcement point encryption certificate alias.
Specifies the metadata specification, either idff or saml2. The default is saml2.
Delete the circle of trust.
ssoadm delete-cot --options [--global-options]
The circle of trust.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the realm that contains the circle of trust.
Delete an entity.
ssoadm delete-entity --options [--global-options]
The entity ID.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the realm that contains the circle of trust.
Set this flag to only delete extended data.
Specifies the metadata specification, either idff or saml2. The default is saml2.
Perform bulk federation.
ssoadm do-bulk-federation --options [--global-options]
Specify a metaAlias for the local provider.
The remote entity ID.
The filename that contains the local to remote user ID mapping, one mapping per line in the format <local-user-id>|<remote-user-id>.
The filename that will be created by this subcommand. It contains the mapping from remote user ID to name identifier.
The administrator ID running the command.
The filename that contains the password of the administrator.
Specifies the metadata specification, either idff or saml2. The default is saml2.
Export an entity.
ssoadm export-entity --options [--global-options]
The entity ID.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the realm to which the entity belongs.
Set this flag to sign the metadata.
The metadata.
The extended data.
Specifies the metadata specification, either idff or saml2. The default is saml2.
Import the bulk federation data that is generated by the do-bulk-federation sub command.
ssoadm import-bulk-fed-data --options [--global-options]
Specifies the metaAlias for the local provider.
The filename that contains the bulk federation data that is generated by the do-bulk-federation sub command.
The administrator ID running the command.
The filename that contains the password of the administrator.
Specifies the metadata specification, either idff or saml2. The default is saml2.
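Bulk federation links local accounts to remote ones permanently, so a bad mapping file is an account-linking mistake that is hard to undo. The example below, added here and not taken from the OpenSSO Enterprise documentation, validates a user-mapping file in the <local-user-id>|<remote-user-id> format described above before it is passed to do-bulk-federation, and then runs the subcommand; the name-identifier file it produces is the one the remote side loads with import-bulk-fed-data. The checks (exactly one separator, no empty IDs, no stray whitespace, no local ID mapped twice) are this example's own policy rather than anything the tool enforces. Assumed: ssoadm on PATH, a hosted SP with metaAlias /sp, a remote IDP with entity ID https://idp.example.com/opensso, and an existing password file; the long option names are those of the 8.0 tool.

```shell
#!/bin/sh
# Added example, not part of the OpenSSO documentation. The mapping-file
# format is the one the guide gives; the validation rules are this script's.

# Exit 0 if every line is well formed, 1 otherwise, with one diagnostic per
# bad line on stderr. A duplicate local ID would federate one local account
# with two remote identities, so it is rejected rather than silently kept.
check_user_mapping() {
    awk -F'|' '
        function bad(msg) {
            printf "%s:%d: %s\n", FILENAME, FNR, msg > "/dev/stderr"
            errors++
        }
        /^[[:space:]]*$/     { next }                 # ignore blank lines
        NF != 2              { bad("expected local-user-id|remote-user-id"); next }
        $1 == "" || $2 == "" { bad("empty user ID"); next }
        $1 ~ /^[[:space:]]|[[:space:]]$/ || $2 ~ /^[[:space:]]|[[:space:]]$/ {
            bad("whitespace around a user ID"); next
        }
        ($1 in seen)         { bad("duplicate local user ID " $1); next }
        { seen[$1] = 1 }
        END { exit errors ? 1 : 0 }
    ' "$1"
}

# Validate, then federate. Assumed metaAlias, remote entity ID and spec.
bulk_federate() {
    mapping="$1"; nameid_out="$2"; pwfile="$3"
    check_user_mapping "$mapping" || return 1
    ssoadm do-bulk-federation \
        --metaalias /sp \
        --remoteentityid https://idp.example.com/opensso \
        --useridmapping "$mapping" \
        --nameidmapping "$nameid_out" \
        --adminid amadmin \
        --password-file "$pwfile" \
        --spec saml2
}

# Invoke as: sh bulk-federate.sh run users.map nameids.out /path/to/pwfile
case "${1:-}" in run) shift; bulk_federate "$@" ;; esac
```

The generated name-identifier file is sensitive in its own right: it is the key that ties each remote account to a local one, so transfer it to the partner over an authenticated channel and do not leave copies on shared hosts.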
Import an entity.
ssoadm import-entity --options [--global-options]
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the realm to which the entity belongs.
Specifies the filename for the standard metadata to be imported.
Specifies the filename for the extended entity configuration to be imported.
The circle of trust.
Specifies the metadata specification, either idff or saml2. The default is saml2.
List the members in a circle of trust.
ssoadm list-cot-members --options [--global-options]
The circle of trust.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the realm to which the circle of trust belongs.
Specifies the metadata specification, either idff or saml2. The default is saml2.
List the circles of trust.
ssoadm list-cots --options [--global-options]
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the realm to which the circle of trust belongs.
List the entities under a realm.
ssoadm list-entities --options [--global-options]
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the realm to which the entities belong.
Specifies the metadata specification, either idff or saml2. The default is saml2.
Remove a member from a circle of trust.
ssoadm remove-cot-member --options [--global-options]
The circle of trust.
The entity ID.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the realm to which the circle of trust belongs.
Specifies the metadata specification, either idff or saml2. The default is saml2.
Update the XML signing and encryption key information in the hosted entity metadata.
ssoadm update-entity-keyinfo --options [--global-options]
The entity ID.
The administrator ID running the command.
The filename that contains the password of the administrator.
The service provider signing certificate alias.
The identity provider signing certificate alias.
The service provider encryption certificate alias.
The identity provider encryption certificate alias.
Specifies the metadata specification, either idff or saml2. The default is saml2.
Add a resource bundle to the data store.
ssoadm add-res-bundle --options [--global-options]
The resource bundle name.
The resource bundle physical file name.
The administrator ID running the command.
The filename that contains the password of the administrator.
The locale of the resource bundle.
Do multiple requests in one command.
ssoadm do-batch --options [--global-options]
The filename that contains the commands and options.
The administrator ID running the command.
The filename that contains the password of the administrator.
The name of the status file.
Continue processing the remaining requests when a previous request fails.
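The example below, added here and not taken from the OpenSSO Enterprise documentation, builds a batch file that applies one service attribute change to several realms and runs it with do-batch. The batch file holds one subcommand per line together with that subcommand's own options; the administrator ID and password file are given once on the do-batch command line and apply to every request. Assumed: ssoadm on PATH, the listed realms exist with the service registered, an existing owner-only password file, and an illustrative attribute name; the long option names are those of the 8.0 tool.

```shell
#!/bin/sh
# Added example, not part of the OpenSSO documentation. Assumed realms,
# service and attribute; the batch-file layout follows this guide.

# Write one set-svc-attrs request per realm. Realm, service and attribute
# are interpolated verbatim, so they must not contain whitespace.
make_batch_file() {
    batchfile="$1"; service="$2"; attr="$3"
    shift 3
    : > "$batchfile"
    for realm in "$@"; do
        printf 'set-svc-attrs --realm %s --servicename %s --attributevalues %s\n' \
            "$realm" "$service" "$attr" >> "$batchfile"
    done
}

# Run the batch. With --continue a failing request does not stop the run,
# so the per-request outcome has to be read from the status file rather
# than inferred from the exit code alone.
run_batch() {
    batchfile="$1"; pwfile="$2"; statusfile="$3"
    ssoadm do-batch \
        --adminid amadmin \
        --password-file "$pwfile" \
        --batchfile "$batchfile" \
        --batchstatus "$statusfile" \
        --continue
    rc=$?
    echo "do-batch exited with status $rc; per-request results are in $statusfile"
    return $rc
}

main() {
    pwfile="$1"
    make_batch_file /tmp/lockout.batch iPlanetAMAuthService \
        'iplanet-am-auth-lockout-duration=300' /retail /wholesale /partners
    run_batch /tmp/lockout.batch "$pwfile" /tmp/lockout.status
}

# Invoke as: sh lockout-batch.sh run /path/to/pwfile
case "${1:-}" in run) main "$2" ;; esac
```

Because every line in the batch runs with the administrator credential, treat the batch file as a privileged change set: review it before running it and keep the status file with it as the record of what was applied.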
Migrate the organization to a realm.
ssoadm do-migration70 --options [--global-options]
The distinguished name of the organization to be migrated.
The administrator ID running the command.
The filename that contains the password of the administrator.
List a resource bundle in a data store.
ssoadm list-res-bundle --options [--global-options]
The resource bundle name.
The administrator ID running the command.
The filename that contains the password of the administrator.
The locale of the resource bundle.
List the sessions.
ssoadm list-sessions --options [--global-options]
The host name.
The administrator ID running the command.
The filename that contains the password of the administrator.
Filter by a pattern.
Do not prompt for session invalidation.
Remove a resource bundle from a data store.
ssoadm remove-res-bundle --options [--global-options]
The resource bundle name.
The administrator ID running the command.
The filename that contains the password of the administrator.
The locale of the resource bundle.
In the 8.0 release, the amadmin command line tool has been replaced by the ssoadm command line utility. This section is provided as reference for backwards compatibility for upgraded systems.
This chapter provides information on the amadmin command line tool.
The primary purposes of the command line executable amadmin are to load XML service files into the data store and to perform batch administrative tasks on the DIT. It is used to:
Load XML service files - Administrators load services into OpenSSO Enterprise that use the XML service file format defined in the sms.dtd. All services must be loaded using amadmin; they cannot be imported through the OpenSSO Enterprise console.
XML service files are stored in the data store as static blobs of XML data that is referenced by OpenSSO Enterprise. This information is not used by Directory Server, which only understands LDAP.
Perform batch updates of identity objects to the DIT - Administrators can perform batch updates to the Directory Server DIT using the batch processing XML file format defined in the amadmin.dtd. For example, if an administrator wants to create 10 organizations, 1000 users, and 100 groups, it can be done in one attempt by putting the requests in one or more batch processing XML files and loading them using amadmin.
amadmin only supports a subset of features that the OpenSSO Enterprise console supports and is not intended as a replacement. It is recommended that the console be used for small administrative tasks while amadmin is used for larger administrative tasks.
If there is an environment variable named OPTIONS on the system, you must remove it. This command line utility will not function properly with this environment variable.
There are a number of structural rules that must be followed in order to use amadmin. The generic syntaxes for using the tool are:
amadmin -u | --runasdn dnname -w | --password password [-l | --locale localename] [[-v | --verbose] | [-d |--debug]] -t | --data xmlfile1 [ xmlfile2 ...]
amadmin -u | --runasdn dnname -w | --password password [-l | --locale localename] [[-v | --verbose] | [-d | --debug]] -s | --schema xmlfile1 [xmlfile2 ...]
amadmin -u | --runasdn dnname -w | --password password [-l | --locale localename] [[-v | --verbose] | [-d | --debug]] -r | --deleteService serviceName1 [serviceName2 ...]
amadmin -u | --runasdn dnname -w | --password password or -f | --passwordfile passwordfile [-c | --continue] [-l | --locale localename] [[-v | --verbose] | [-d | --debug]] -m | --session servername pattern
amadmin -h | --help
amadmin -n | --version
amadmin -u | --runasdn dnname -w | --password password or -f | --passwordfile passwordfile [-l | --locale localename] [[-v | --verbose] | [-d | --debug]] -a | --addattributes serviceName schemaType xmlfile [xmlfile2 ...]
Two hyphens must be entered exactly as shown in the syntax.
Following are definitions of the amadmin command line parameter options:
--runasdn is used to authenticate the user to the LDAP server. The argument is a value equal to that of the Distinguished Name (DN) of the user authorized to run amadmin; for example:
--runasdn uid=amAdmin,ou=People,o=example.com,o=isp
The DN can also be formatted by inserting spaces between the domain components and double quoting the entire DN such as: --runasdn "uid=amAdmin, ou=People, o=iplanet.com, o=isp".
--password is a mandatory option and takes a value equal to that of the password of the DN specified with the --runasdn option.
--locale is an option that takes a value equal to that of the name of the locale. This option can be used for the customization of the message language. If not provided, the default locale, en_US, is used.
--continue is an option that will continue to process the next request within an XML file even if there are errors. For example, if a request within an XML file fails, then amadmin will continue to the next request in the same XML file. When all operations in the first XML file are completed, amadmin will continue to the second XML file.
--session (-m) is an option to manage the sessions, or to display the current sessions. When specifying --runasdn, it must be the same as the DN for the super user in AMConfig.properties, or just the ID for the top-level admin user.
The following example will display all sessions for a particular service host name:
amadmin -u uid=amadmin,ou=people,dc=iplanet,dc=com -v -w 12345678 -m http://sun.com:58080
The following example will display a particular user’s session:
amadmin -u uid=amadmin,ou=people,dc=iplanet,dc=com -v -w 12345678 -m http://sun.com:58080 username
You can terminate a session by entering the corresponding index number, or enter multiple index numbers (with spaces) to terminate multiple sessions.
While using the following option:
amadmin -m | --session servername pattern
The pattern may contain a wildcard (*). If the pattern uses a wildcard (*), it has to be escaped from the shell with a backslash (\\).
--debug is an option that writes messages to the amAdmin file created under the /var/opt/SUNWam/debug directory. These messages are technically detailed but not i18n-compliant. To generate amadmin operation logs when logging to a database, the classpath for the database driver needs to be added manually. For example, add the following lines when logging to MySQL from amadmin:
CLASSPATH=$CLASSPATH:/opt/IS61/SUNWam/lib/mysql-connector-java-3.0.6-stable-bin.jar
export CLASSPATH
--verbose is an option that prints to the screen the overall progress of the amadmin command. It does not print the detailed information to a file. Messages output to the command line are i18n-compliant.
--data is an option that takes as its value the name of the batch processing XML file being imported. One or more XML files can be specified. This XML file can create, delete and read various directory objects as well as register and unregister services.
--schema is an option that loads the attributes of an OpenSSO Enterprise service into the Directory Server. It takes as an argument an XML service file in which the service attributes are defined. This XML service file is based on the sms.dtd. One or more XML files can be specified.
Either the --data or --schema option must be specified, depending on whether configuring batch updates to the DIT, or loading service schema and configuration data.
--addattributes adds a new attribute to the specified serviceName and schemaType (global, dynamic, organization, or user). The attribute schema being added is defined in the XML file.
--deleteservice is an option for deleting a service and its schema only.
--serviceName is an option that takes a value equal to the service name, which is defined in the Service name=... tag of an XML service file. The relevant portion of such a file is shown below:
...
<ServicesConfiguration>
    <Service name="sampleMailService" version="1.0">
        <Schema serviceHierarchy="/other.configuration/sampleMailService"
                i18nFileName="sampleMailService"
                i18nKey="iplanet-am-sample-mail-service-description">
...
--help is an argument that displays the syntax for the amadmin command.
--version is an argument that displays the utility name, product name, product version and legal notice.
This section lists the parameters of amadmin for use with Federation Management.
amadmin -u|--runasdn <user’s DN> -w|--password <password> or -f|--passwordfile <passwordfile> -e|--entityname <entity name> -g|--import <xmlfile>
--runasdn: The user's DN.
--password: The user's password.
--passwordfile: The name of the file that contains the user's password. This file is not encrypted and should be protected as a read-only file owned by the web container runtime user (which may not necessarily be root). The default owner is root, but it is not required to be. Any encryption method you use must be managed outside of amadmin.
--entityname: The entity name, for example http://www.example.com. An entity should belong to only one organization.
--import: The name of an XML file that contains the meta information. This file must adhere to the Liberty meta specification and XSD.
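The chapter above says the --passwordfile must be an unencrypted, read-only file owned by the right user. The following added example (not from the OpenSSO documentation or from the amadmin tool) shows the check a wrapper script can apply before handing that file to amadmin, and how to create such a file without a window in which it is world-readable. The helper names (check_password_file, amadmin_argv, write_password_file, demo) and the expected-owner parameter are assumptions of this example; the page names the web container runtime user as the usual owner but does not define such a check.

```python
"""Added example (not from the OpenSSO documentation): refuse to pass a
--passwordfile to amadmin unless its ownership and permissions match the
chapter's advice (read-only, not accessible by others, owned by the
expected user). The expected uid is supplied by the caller."""
import os
import stat
import tempfile


def check_password_file(path, expected_uid=None):
    """Return a list of problems with the password file; empty means usable."""
    try:
        st = os.lstat(path)  # lstat: never follow a symlink planted at the path
    except FileNotFoundError:
        return ["password file does not exist: %s" % path]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group/other (mode %04o)" % mode)
    if mode & stat.S_IWUSR:
        problems.append("writable by owner; the file should be read-only")
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append("owned by uid %d, expected uid %d" % (st.st_uid, expected_uid))
    return problems


def amadmin_argv(run_as_dn, password_file, args, expected_uid=None):
    """Build the amadmin command line using -f rather than -w, so the password
    is not visible in the process list. Raises if the file is not safe."""
    problems = check_password_file(password_file, expected_uid)
    if problems:
        raise PermissionError("; ".join(problems))
    return ["amadmin", "--runasdn", run_as_dn,
            "--passwordfile", password_file] + list(args)


def write_password_file(path, password):
    """Create the file with mode 0400 from the first instant: the descriptor
    returned by the creating open() is writable regardless of the mode bits,
    so no later chmod (and no readable window) is needed."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as f:
        f.write(password + "\n")


def demo():
    """Exercise both outcomes in a scratch directory; returns (good, bad)."""
    d = tempfile.mkdtemp()
    good, bad = os.path.join(d, "pw.good"), os.path.join(d, "pw.bad")
    write_password_file(good, "constructed-password")   # constructed value
    with open(bad, "w") as f:
        f.write("constructed-password\n")
    os.chmod(bad, 0o644)  # the mistake the chapter warns against
    uid = os.getuid()
    return check_password_file(good, uid), check_password_file(bad, uid)


if __name__ == "__main__":
    good, bad = demo()
    print("good file:", good or "ok")
    print("bad file:", bad)
```

The uid check is optional because the owner varies between deployments; pass the uid of the web container runtime user when you know it, and leave it out otherwise.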
amadmin -u|--runasdn <user's DN> -w|--password <password> or -f|--passwordfile <passwordfile> -e|--entityname <entity name> -o|--export <filename>
--runasdn: The user's DN.
--password: The user's password.
--passwordfile: The name of the file that contains the user's password.
--entityname: The name of the entity that resides in the Directory Server.
--export: The name of the file that will contain the XML of the entity. The XML file must be Liberty meta XSD-compliant.
amadmin -u|--runasdn <user's DN> -w|--password <password> or -f|--passwordfile <passwordfile> -e|--entityname <entity name> -x|--xmlsig -o|--export <filename>
--runasdn: The user's DN.
--password: The user's password.
--passwordfile: The name of the file that contains the user's password.
--entityname: The name of the entity that resides in the Directory Server.
--export: The name of the file that will contain the XML of the entity. The XML file must be Liberty meta XSD-compliant.
--xmlsig: Used with the --export option; if specified, the exported file is signed.
If you install OpenSSO Enterprise in Legacy Mode, you can change to Realm Mode by using the amadmin command with the -M option. For example:
amadmin -u cn=amAdmin,ou=People,dc=example,dc=com -w amadmin-password -M dc=example,dc=com
If you install OpenSSO Enterprise 8.0 in Realm Mode, you cannot revert to Legacy Mode.
The following section shows the amadmin syntax for adding, locating and removing resource bundles.
amadmin -u|--runasdn <user-dn> -w|--password <user-password>
-b|--addresourcebundle <name-of-resource-bundle>
-i|--resourcebundlefilename <resource-bundle-file-name>
[-R|--resourcelocale] <locale>
amadmin -u|--runasdn <user-dn> -w|--password <user-password>
-z|--getresourcestrings <name-of-resource-bundle>
[-R|--resourcelocale] <locale>
amadmin -u|--runasdn <user-dn> -w|--password <user-password>
-j|--deleteresourcebundle <name-of-resource-bundle>
[-R|--resourcelocale] <locale>
This chapter provides information on the ampassword command line tool.
OpenSSO Enterprise contains an ampassword utility in your server's tools directory. For information on unpacking and setting up this utility, see Chapter 6, Installing the OpenSSO Enterprise Utilities and Scripts, in Sun OpenSSO Enterprise 8.0 Installation and Configuration Guide. This tool allows you to change the Directory Server password for the administrator or user.
Use the ssoadm get-svrcfg-xml command to retrieve the serverconfig.xml file.
Edit this file to change the protocol of the directory server.
For example:
<iPlanetDataAccessLayer>
    <ServerGroup name="default" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="sun.com" port="636" type="SSL" />
        <User name="User1" type="proxy">
            <DirDN> cn=puser,ou=DSAME Users,dc=iplanet,dc=com </DirDN>
            <DirPassword> AQIC5wM2LY4Sfcy+AQBQxghVwhBE92i78cqf </DirPassword>
        </User>
...
You can also edit Directory Server configuration data in the Servers and Sites tab in the OpenSSO console. For more information, see Servers and Sites.
Import the edited serverconfig.xml file using ssoadm set-svrcfg-xml.
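Hand-editing serverconfig.xml between get-svrcfg-xml and set-svrcfg-xml is where a plaintext LDAP connection tends to survive unnoticed. The following added example (not part of the OpenSSO documentation or tools) rewrites every Server element in the layout shown above to port 636 and type="SSL", and provides a check that can be run on the file before it is imported. Only the element names and the port="636" / type="SSL" values come from the chapter; the sample document, its host name, the placeholder password and the pre-edit values port="389" / type="SIMPLE" are constructed assumptions of this example.

```python
"""Added example (not from the OpenSSO documentation): switch the Directory
Server connection in serverconfig.xml to LDAPS and verify the result.
Assumes the element layout shown in the chapter:
<iPlanetDataAccessLayer>/<ServerGroup>/<Server>."""
import xml.etree.ElementTree as ET

# Constructed sample in the chapter's layout. The host, the pre-edit values
# (port 389, type SIMPLE) and the DirPassword value are placeholders.
SAMPLE_SERVERCONFIG = """<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="ds.example.com" port="389" type="SIMPLE" />
    <User name="User1" type="proxy">
      <DirDN>cn=puser,ou=DSAME Users,dc=example,dc=com</DirDN>
      <DirPassword>PLACEHOLDER-ENCRYPTED-PASSWORD</DirPassword>
    </User>
  </ServerGroup>
</iPlanetDataAccessLayer>
"""


def set_ldaps(xml_text, port="636"):
    """Return (new_xml, changed_server_names). Every <Server> element gets
    type="SSL" and the given port. Raises ValueError on unexpected input so
    a malformed file is never silently passed on to set-svrcfg-xml."""
    root = ET.fromstring(xml_text)
    if root.tag != "iPlanetDataAccessLayer":
        raise ValueError("not a serverconfig.xml root element: %s" % root.tag)
    changed = []
    for server in root.iter("Server"):
        if server.get("host") is None:
            raise ValueError("Server element without a host attribute")
        server.set("type", "SSL")
        server.set("port", port)
        changed.append(server.get("name"))
    if not changed:
        raise ValueError("no <Server> elements found")
    return ET.tostring(root, encoding="unicode"), changed


def plaintext_servers(xml_text):
    """Names of <Server> elements that do not use type="SSL"; empty means
    every directory connection is over LDAPS."""
    root = ET.fromstring(xml_text)
    return [s.get("name") for s in root.iter("Server") if s.get("type") != "SSL"]


if __name__ == "__main__":
    print("before:", plaintext_servers(SAMPLE_SERVERCONFIG))
    new_xml, changed = set_ldaps(SAMPLE_SERVERCONFIG)
    print("changed:", changed, "still plaintext:", plaintext_servers(new_xml))
    print(new_xml)
```

Run plaintext_servers over the exported file as a pre-import gate; set-svrcfg-xml itself does not object to a type="SIMPLE" connection.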
ampassword only changes the password in Directory Server. You will have to manually change passwords and all authentication templates for OpenSSO Enterprise.
This chapter provides information on the amverifyarchive command line tool and contains the following section:
The purpose of amverifyarchive is to verify the log archives. A log archive is a set of timestamped logs and their corresponding key stores (keystores contain the keys used to generate the MACs and the Digital Signatures which are used to detect tampering of the log files). Verification of an archive detects possible tampering and/or deletion of any file in the archive.
amverifyarchive extracts all of the archive sets, and all files belonging to each archive set, for a given logName. When executed, amverifyarchive checks each log record for tampering. If tampering is detected, it prints a message specifying the file and the number of the record that has been tampered with.
amverifyarchive also checks for any files that have been deleted from the archive set. If a deleted file is detected, it prints a message explaining that verification has failed. If no tampering or deleted files are detected, it returns a message explaining that the archive verification has been successfully completed.
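To make the two checks described above concrete, the following is an added example (not the code of amverifyarchive, and not from the OpenSSO documentation) of a MAC-chained log archive: each record's MAC covers the previous MAC, and a MAC over the list of files and their record counts stands in for the keystore and signature material. Verification reports a tampered record by file and record number, and reports a file that was deleted or truncated. The key, the log lines and the function names are constructed for this example; using one HMAC key in place of the real tool's keystore and digital signatures is a simplification.

```python
"""Added example (not code from amverifyarchive or OpenSSO): a minimal model
of a MAC-chained log archive and the checks that expose tampered records and
deleted or truncated files. A single HMAC key stands in for the archive's
keystore; the real tool also uses digital signatures, which this omits."""
import hashlib
import hmac

# Constructed data: a demo key and two constructed log files for logName
# amConsole (the access and error logs the chapter mentions).
KEY = b"constructed-demo-keystore-key"
SAMPLE_LOGS = {
    "amConsole.access": [b"2009-01-01 10:00:00 amAdmin login OK",
                         b"2009-01-01 10:05:00 amAdmin create realm sales OK"],
    "amConsole.error": [b"2009-01-01 10:07:00 amAdmin create user bob FAILED"],
}


def _record_mac(key, prev_mac, record):
    # Each MAC also covers the previous MAC, so a record cannot be altered or
    # reordered without breaking every MAC that follows it.
    return hmac.new(key, prev_mac + b"|" + record, hashlib.sha256).hexdigest()


def _manifest_mac(key, manifest):
    data = "\n".join("%s:%d" % (name, count) for name, count in manifest).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def write_archive(key, files):
    """Build an archive set: per-file MAC chains plus a MAC over the list of
    (filename, record count), which is what deletion detection relies on."""
    archive = {"files": {}, "manifest": []}
    for name in sorted(files):
        prev, lines = b"", []
        for rec in files[name]:
            mac = _record_mac(key, prev, rec)
            lines.append((rec, mac))
            prev = mac.encode()
        archive["files"][name] = lines
        archive["manifest"].append((name, len(lines)))
    archive["manifest_mac"] = _manifest_mac(key, archive["manifest"])
    return archive


def verify_archive(key, archive):
    """Return a list of findings; an empty list means verification passed."""
    problems = []
    if not hmac.compare_digest(_manifest_mac(key, archive["manifest"]),
                               archive["manifest_mac"]):
        problems.append("manifest MAC mismatch: archive file list altered")
    for name, count in archive["manifest"]:
        lines = archive["files"].get(name)
        if lines is None:
            problems.append("file deleted from archive set: %s" % name)
            continue
        if len(lines) != count:
            problems.append("%s: expected %d records, found %d"
                            % (name, count, len(lines)))
        prev = b""
        for idx, (rec, mac) in enumerate(lines, start=1):
            if not hmac.compare_digest(_record_mac(key, prev, rec), mac):
                problems.append("tampered record %d in %s" % (idx, name))
                break  # every later MAC chains from this one
            prev = mac.encode()
    return problems


if __name__ == "__main__":
    archive = write_archive(KEY, SAMPLE_LOGS)
    print("clean archive:", verify_archive(KEY, archive) or "verified")
    rec, mac = archive["files"]["amConsole.access"][1]
    archive["files"]["amConsole.access"][1] = (rec.replace(b"sales", b"hr"), mac)
    print("edited record:", verify_archive(KEY, archive))
```

The chain stops reporting at the first bad record in a file because every later MAC depends on it; that matches the single file-and-record message the chapter describes. Without the record counts in the manifest, cutting records off the end of a file would pass the chain check, which is why the count is part of the MACed file list.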
An error may occur if you run amverifyarchive as a user without administrator privileges.
All of the parameter options are required. The syntax is as follows:
amverifyarchive -l logName -p path -u uname -w password
logName refers to the name of the log to be verified (such as amConsole, amAuthentication, and so forth). amverifyarchive verifies both the access and error logs for the given logName. For example, if amConsole is specified, the verifier checks the amConsole.access and amConsole.error files. Alternatively, the logName can be specified as amConsole.access or amConsole.error to restrict verification to that log only.
path is the full directory path where the log files are stored.
uname is the user id of the OpenSSO Enterprise administrator.
password is the password of the OpenSSO Enterprise administrator.