In the 8.0 release, the amadmin command line tool has been replaced by the ssoadm command line utility. This section is provided as reference for backwards compatibility for upgraded systems.
This chapter provides information on the amadmin command line tool.
The primary purpose of the command line executable amadmin is to load XML service files into the data store and to perform batch administrative tasks on the DIT. It is used to:
Load XML service files - Administrators load services into OpenSSO Enterprise that use the XML service file format defined in the sms.dtd. All services must be loaded using amadmin; they cannot be imported through the OpenSSO Enterprise console.
XML service files are stored in the data store as static blobs of XML data that are referenced by OpenSSO Enterprise. This information is not used by Directory Server, which only understands LDAP.
Perform batch updates of identity objects to the DIT - Administrators can perform batch updates to the Directory Server DIT using the batch processing XML file format defined in the amadmin.dtd. For example, if an administrator wants to create 10 organizations, 1000 users, and 100 groups, it can be done in one attempt by putting the requests in one or more batch processing XML files and loading them using amadmin.
amadmin only supports a subset of features that the OpenSSO Enterprise console supports and is not intended as a replacement. It is recommended that the console be used for small administrative tasks while amadmin is used for larger administrative tasks.
If there is an environment variable named OPTIONS on the system, you must remove it. This command line utility will not function properly with this environment variable.
There are a number of structural rules that must be followed in order to use amadmin. The generic syntaxes for using the tool are:
amadmin -u | --runasdn dnname -w | --password password [-l | --locale localename] [[-v | --verbose] | [-d | --debug]] -t | --data xmlfile1 [xmlfile2 ...]
amadmin -u | --runasdn dnname -w | --password password [-l | --locale localename] [[-v | --verbose] | [-d | --debug]] -s | --schema xmlfile1 [xmlfile2 ...]
amadmin -u | --runasdn dnname -w | --password password [-l | --locale localename] [[-v | --verbose] | [-d | --debug]] -r | --deleteService serviceName1 [serviceName2 ...]
amadmin -u | --runasdn dnname -w | --password password or -f | --passwordfile passwordfile [-c | --continue] [-l | --locale localename] [[-v | --verbose] | [-d | --debug]] -m | --session servername pattern
amadmin -h | --help
amadmin -n | --version
amadmin -u | --runasdn dnname -w | --password password or -f | --passwordfile passwordfile [-l | --locale localename] [[-v | --verbose] | [-d | --debug]] -a | --addattributes serviceName schemaType xmlfile1 [xmlfile2 ...]
Two hyphens must be entered exactly as shown in the syntax.
Following are definitions of the amadmin command line parameter options:
--runasdn is used to authenticate the user to the LDAP server. The argument is a value equal to that of the Distinguished Name (DN) of the user authorized to run amadmin; for example:
--runasdn uid=amAdmin,ou=People,o=example.com,o=isp
The DN can also be formatted by inserting spaces between the domain components and double quoting the entire DN such as: --runasdn "uid=amAdmin, ou=People, o=iplanet.com, o=isp".
--password is a mandatory option and takes a value equal to that of the password of the DN specified with the --runasdn option.
--locale is an option that takes a value equal to that of the name of the locale. This option can be used for the customization of the message language. If not provided, the default locale, en_US, is used.
--continue is an option that will continue to process the next request within an XML file even if there are errors. For example, if a request within an XML file fails, then amadmin will continue to the next request in the same XML file. When all operations in the first XML file are completed, amadmin will continue to the second XML file.
--session (-m) is an option to manage the sessions, or to display the current sessions. When specifying --runasdn, it must be the same as the DN for the super user in AMConfig.properties, or just the ID for the top-level admin user.
The following example will display all sessions for a particular service host name:
amadmin -u uid=amadmin,ou=people,dc=iplanet,dc=com -v -w 12345678 -m http://sun.com:58080
The following example will display a particular user’s session:
amadmin -u uid=amadmin,ou=people,dc=iplanet,dc=com -v -w 12345678 -m http://sun.com:58080 username
You can terminate a session by entering the corresponding index number, or enter multiple index numbers (with spaces) to terminate multiple sessions.
When using the following option:
amadmin -m | --session servername pattern
the pattern may contain a wildcard (*). Because the shell would otherwise expand it, a wildcard in the pattern has to be escaped from the shell with a backslash (\).
--debug is an option that will write messages to the amAdmin file created under the /var/opt/SUNWam/debug directory. These messages are technically detailed but not i18n-compliant. To generate amadmin operation logs when logging to a database, the classpath for the database driver needs to be added manually. For example, add the following lines when logging to MySQL in amadmin:
CLASSPATH=$CLASSPATH:/opt/IS61/SUNWam/lib/mysql-connector-java-3.0.6-stable-bin.jar
export CLASSPATH
--verbose is an option that prints to the screen the overall progress of the amadmin command. It does not print the detailed information to a file. Messages output to the command line are i18n-compliant.
--data is an option that takes as its value the name of the batch processing XML file being imported. One or more XML files can be specified. This XML file can create, delete and read various directory objects as well as register and unregister services.
--schema is an option that loads the attributes of an OpenSSO Enterprise service into the Directory Server. It takes as an argument an XML service file in which the service attributes are defined. This XML service file is based on the sms.dtd. One or more XML files can be specified.
Either the --data or --schema option must be specified, depending on whether configuring batch updates to the DIT, or loading service schema and configuration data.
--addattributes is an option that adds a new attribute to the specified serviceName and schemaType (global, dynamic, organization, or user). The attribute schema being added is defined in the XML file.
--deleteService is an option for deleting a service and its schema only.
--serviceName is an option that takes a value equal to the service name which is defined under the Service name=... tag of an XML service file. The relevant portion of a service file is shown below:
...
<ServicesConfiguration>
    <Service name="sampleMailService" version="1.0">
        <Schema serviceHierarchy="/other.configuration/sampleMailService"
                i18nFileName="sampleMailService"
                i18nKey="iplanet-am-sample-mail-service-description">
...
--help is an argument that displays the syntax for the amadmin command.
--version is an argument that displays the utility name, product name, product version and legal notice.
This section lists the parameters of amadmin for use with Federation Management.
amadmin -u|--runasdn <user's DN> -w|--password <password> or -f|--passwordfile <passwordfile> -e|--entityname <entity name> -g|--import <xmlfile>
-u|--runasdn: The user's DN.
-w|--password: The user's password.
-f|--passwordfile: The name of the file that contains the user's password. This file is not encrypted and should be protected as a read-only file owned by the web container runtime user (which may not necessarily be root). The default owner is root, but it is not required to be. Any encryption method you use must be managed outside of amadmin.
-e|--entityname: The entity name, for example http://www.example.com. An entity should belong to only one organization.
-g|--import: The name of an XML file that contains the meta information. This file should adhere to the Liberty meta specification and XSD.
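As an added example (not from the OpenSSO Enterprise guide), the following POSIX shell wrapper applies the points made about the --session option earlier and about the password file here: it unsets OPTIONS, refuses a password file that anyone but its owner can read, quotes the wildcard pattern so the shell does not expand it, and passes the password with -f instead of -w so it never appears on the command line. The AMADMIN override variable, the DN, the server URL and the file paths are assumed values.

```shell
#!/bin/sh
# Added example, not part of the OpenSSO Enterprise documentation.
# Wrapper around "amadmin -m | --session servername pattern" that applies the
# guide's requirements before calling the tool.  AMADMIN is an assumed
# override so the wrapper can be exercised without an OpenSSO installation.

# check_passwordfile FILE: succeed only for a regular file whose permissions
# are owner-only (-r-------- or -rw-------), as the guide requires.
check_passwordfile() {
    f=$1
    [ -f "$f" ] || { echo "not a regular file: $f" >&2; return 1; }
    perms=$(ls -ld "$f" | cut -c1-10)
    case "$perms" in
        -r--------|-rw-------) return 0 ;;
        *) echo "refusing $f: permissions $perms, expected owner-only" >&2
           return 1 ;;
    esac
}

# list_sessions DN PASSWORDFILE SERVER PATTERN
# Runs: amadmin -u DN -f PASSWORDFILE -m SERVER PATTERN
# Quoting "$pattern" keeps a wildcard (*) from being expanded by the shell,
# which is what the guide's backslash escape achieves when typed interactively.
list_sessions() {
    dn=$1; pwfile=$2; server=$3; pattern=$4
    unset OPTIONS                      # amadmin does not work with OPTIONS set
    check_passwordfile "$pwfile" || return 1
    "${AMADMIN:-amadmin}" -u "$dn" -f "$pwfile" -m "$server" "$pattern"
}

# Usage with constructed values: list every session on one server.
# list_sessions uid=amadmin,ou=people,dc=example,dc=com /etc/opt/amadmin.pw \
#     http://sso.example.com:58080 '*'
```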
amadmin -u|--runasdn <user's DN> -w|--password <password> or -f|--passwordfile <passwordfile> -e|--entityname <entity name> -o|--export <filename>
-u|--runasdn: The user's DN.
-w|--password: The user's password.
-f|--passwordfile: The name of the file that contains the user's password.
-e|--entityname: The name of the entity that resides in the Directory Server.
-o|--export: The name of the file to contain the XML of the entity. The XML file must be Liberty meta XSD-compliant.
amadmin -u|--runasdn <user's DN> -w|--password <password> or -f|--passwordfile <passwordfile> -e|--entityname <entity name> -x|--xmlsig -o|--export <filename>
-u|--runasdn: The user's DN.
-w|--password: The user's password.
-f|--passwordfile: The name of the file that contains the user's password.
-e|--entityname: The name of the entity that resides in the Directory Server.
-o|--export: The name of the file to contain the XML of the entity. The XML file must be Liberty meta XSD-compliant.
-x|--xmlsig: Used with the --export option; if specified, the exported file will be signed.
If you install OpenSSO Enterprise in Legacy Mode, you can change to Realm Mode by using the amadmin command with the -M option. For example:
amadmin -u cn=amAdmin,ou=People,dc=example,dc=com -w amadmin-password -M dc=example,dc=com
If you install OpenSSO Enterprise 8.0 in Realm Mode, you cannot revert to Legacy Mode.
The following section shows the amadmin syntax for adding, locating and removing resource bundles.
amadmin -u|--runasdn <user-dn> -w|--password <user-password>
-b|--addresourcebundle <name-of-resource-bundle>
-i|--resourcebundlefilename <resource-bundle-file-name>
[-R|--resourcelocale] <locale>
amadmin -u|--runasdn <user-dn> -w|--password <user-password>
-z|--getresourcestrings <name-of-resource-bundle>
[-R|--resourcelocale] <locale>
amadmin -u|--runasdn <user-dn> -w|--password <user-password>
-j|--deleteresourcebundle <name-of-resource-bundle>
[-R|--resourcelocale] <locale>