At this point in the deployment, / (Top Level Realm), the root realm, is configured to authenticate special OpenSSO Enterprise accounts (for example, amadmin and agents) against the embedded configuration data store. Create a sub realm to authenticate external users against the Directory Server user data store instances. This creates a demarcation between OpenSSO Enterprise configuration and administrative data and the user data. Use the following list of procedures as a checklist for completing this task.
To Create a Sub Realm
To Change the User Profile Configuration for the Sub Realm
To Modify the Sub Realm for User Authentication
To Verify That the Sub Realm Can Access the External User Data Store
To Verify That the Sub Realm Subjects Can Successfully Authenticate

To Create a Sub Realm

When a sub realm is created, it inherits configuration data (including which user data store to use) from / (Top Level Realm), the default root realm, and uses that data store to authenticate users. The user data store can be modified per sub realm. In this deployment, we use the inherited GenericLDAPv3 data store.
Access https://osso-1.example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
User Name: amadmin
Password: ossoadmin
Click the Access Control tab.
Click New to create a new realm.
The New Realm page is displayed.
Set the following attribute values on the New Realm page.
Name: Enter users.
Realm/DNS Aliases: Enter users in the New Value field and click Add.
Click OK.
The users realm is listed as a sub realm of / (Top Level Realm), the root realm.
To Change the User Profile Configuration for the Sub Realm

This procedure assumes you have just completed To Create a Sub Realm and are still logged in to the OpenSSO Enterprise console.
Under the Access Control tab, click the users realm.
Click the Authentication tab.
Click the Advanced Properties link under General.
The Core Realm Attributes page is displayed.
Change the value of User Profile to Ignored.
This new value specifies that a user profile is not required by the Authentication Service in order to issue a token after successful authentication.
Click Save.
Log out of the OpenSSO Enterprise console.
To Modify the Sub Realm for User Authentication

Access https://osso-1.example.com:1081/opensso/console in a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
User Name: amadmin
Password: ossoadmin
Click the Access Control tab.
Click users, the sub realm, under the Access Control tab.
Click the Data Stores tab.
The GenericLDAPv3 data store link is displayed.
Click GenericLDAPv3.
On the GenericLDAPv3 data store properties page, set the following attribute values and click Save.
LDAP Groups Container Naming Attribute: Enter ou.
LDAP Groups Container Value: Enter Groups.
LDAP People Container Naming Attribute: Enter ou.
LDAP People Container Value: Enter users. If this field is empty, the search for user entries will start from the root suffix.
Click Back to Data Stores.
(Optional) Click the Subjects tab to verify that the test users are now displayed.
testuser1 and testuser2 are displayed under Users (as well as others created during OpenSSO Enterprise configuration).
Log out of the OpenSSO Enterprise console.
To Verify That the Sub Realm Can Access the External User Data Store

This optional procedure verifies the modifications made in To Create a Sub Realm and To Change the User Profile Configuration for the Sub Realm.
Access https://osso-1.example.com:1081/opensso/console from a web browser.
Log in to the OpenSSO Enterprise console as the administrator.
User Name: amadmin
Password: ossoadmin
Click the Access Control tab.
Click the users sub realm.
Click the Subjects tab.
testuser1 and testuser2 are displayed under Users.
Log out of the OpenSSO Enterprise console.
To Verify That the Sub Realm Subjects Can Successfully Authenticate

Access https://osso-1.example.com:1081/opensso/UI/Login?realm=users from a web browser.
The parameter realm=users specifies the realm to use for authentication. At this point, a user can log in against Directory Server only if the realm parameter is defined in the URL.
Log in to OpenSSO Enterprise with a user name and password from the am-users directory.
User Name: testuser1
Password: password
You should be able to log in successfully and see a page with a message that reads You're logged in. Since the User Profile attribute was set to Ignored, the user's profile is not displayed after a successful login. If the login is not successful, watch the Directory Server access log to troubleshoot the problem.
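The troubleshooting hint above (watch the Directory Server access log) and the People Container settings from To Modify the Sub Realm for User Authentication, worked through as an added Python example. This is not code from the guide or from OpenSSO Enterprise: it derives the search base the GenericLDAPv3 data store should be using from the container naming attribute and value (including the empty-value case, which falls back to the root suffix), then correlates BIND and SRCH request lines with their RESULT lines in a constructed access-log excerpt to show what a correct login, a wrong password, a misconfigured People Container and a missing user each look like. The root suffix dc=example,dc=com, the log lines and the conn/op access-log layout are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed root suffix of the am-users directory; the guide does not state it.
ROOT_SUFFIX = "dc=example,dc=com"

# Constructed Directory Server access-log excerpt (conn/op style), not copied
# from any real server. Connections:
#   conn=12  the user lookup for testuser1 under the People Container, then its bind
#   conn=13  testuser2 binds with a wrong password
#   conn=14  lookup against the wrong People Container (misconfigured data store)
#   conn=15  lookup for a user that does not exist under the People Container
SAMPLE_LOG = """\
[10/Mar/2009:10:15:01 -0800] conn=12 op=0 SRCH base="ou=users,dc=example,dc=com" scope=2 filter="(uid=testuser1)" attrs="dn"
[10/Mar/2009:10:15:01 -0800] conn=12 op=0 RESULT err=0 tag=101 nentries=1 etime=0
[10/Mar/2009:10:15:01 -0800] conn=12 op=1 BIND dn="uid=testuser1,ou=users,dc=example,dc=com" method=128 version=3
[10/Mar/2009:10:15:01 -0800] conn=12 op=1 RESULT err=0 tag=97 nentries=0 etime=0
[10/Mar/2009:10:16:40 -0800] conn=13 op=0 BIND dn="uid=testuser2,ou=users,dc=example,dc=com" method=128 version=3
[10/Mar/2009:10:16:40 -0800] conn=13 op=0 RESULT err=49 tag=97 nentries=0 etime=0
[10/Mar/2009:10:18:05 -0800] conn=14 op=0 SRCH base="ou=people,dc=example,dc=com" scope=2 filter="(uid=testuser1)" attrs="dn"
[10/Mar/2009:10:18:05 -0800] conn=14 op=0 RESULT err=32 tag=101 nentries=0 etime=0
[10/Mar/2009:10:19:22 -0800] conn=15 op=0 SRCH base="ou=users,dc=example,dc=com" scope=2 filter="(uid=nosuchuser)" attrs="dn"
[10/Mar/2009:10:19:22 -0800] conn=15 op=0 RESULT err=0 tag=101 nentries=0 etime=0
"""

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) (?P<rest>.*)$')


def people_container_base(root_suffix: str, naming_attr: str, value: str) -> str:
    """Search base the GenericLDAPv3 data store uses for user entries.

    Mirrors the console settings: naming attribute ou plus value users gives
    ou=users,<root suffix>; an empty value means the search starts at the
    root suffix itself."""
    if not value:
        return root_suffix
    return f"{naming_attr}={value},{root_suffix}"


@dataclass
class Op:
    kind: str                  # "BIND" or "SRCH"
    target: str                # bind DN, or search base
    err: Optional[int] = None  # LDAP result code once the RESULT line is seen
    nentries: int = 0


def parse_log(text: str) -> List[Tuple[Tuple[int, int], Op]]:
    """Correlate BIND/SRCH request lines with their RESULT line via conn and op."""
    ops: Dict[Tuple[int, int], Op] = {}
    order: List[Tuple[int, int]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        rest = m["rest"]
        if rest.startswith("BIND "):
            dn = re.search(r'dn="([^"]*)"', rest)
            ops[key] = Op("BIND", dn.group(1) if dn else "")
            order.append(key)
        elif rest.startswith("SRCH "):
            base = re.search(r'base="([^"]*)"', rest)
            ops[key] = Op("SRCH", base.group(1) if base else "")
            order.append(key)
        elif rest.startswith("RESULT ") and key in ops:
            err = re.search(r"err=(\d+)", rest)
            n = re.search(r"nentries=(\d+)", rest)
            ops[key].err = int(err.group(1)) if err else None
            ops[key].nentries = int(n.group(1)) if n else 0
    return [(key, ops[key]) for key in order]


def classify(op: Op, expected_base: str) -> str:
    """Turn one correlated request/result into a troubleshooting verdict."""
    if op.err is None:
        return "no-result-logged"
    if op.kind == "BIND":
        return {0: "bind-ok", 49: "bind-invalid-credentials",
                32: "bind-no-such-object"}.get(op.err, f"bind-err-{op.err}")
    # A search against the wrong base means the data store's People Container
    # settings do not match the directory, whatever the result code says.
    if op.target.lower() != expected_base.lower():
        return "search-base-mismatch"
    if op.err == 32:
        return "search-no-such-object"
    if op.err == 0:
        return "search-ok" if op.nentries else "search-no-entries"
    return f"search-err-{op.err}"


def analyze(text: str, expected_base: str) -> List[dict]:
    """One verdict per request, in log order, for realm-scoped login attempts."""
    return [{"conn": key[0], "op": key[1], "kind": op.kind,
             "target": op.target, "verdict": classify(op, expected_base)}
            for key, op in parse_log(text)]


if __name__ == "__main__":
    base = people_container_base(ROOT_SUFFIX, "ou", "users")
    for f in analyze(SAMPLE_LOG, base):
        print(f"conn={f['conn']} op={f['op']} {f['kind']:4} {f['verdict']:26} {f['target']}")
```

Run it as-is to see the five verdicts; point it at a real access log and the root suffix of your am-users directory to check a failed login from the sub realm. A search-base-mismatch verdict means the LDAP People Container values in the users realm's data store do not describe where the user entries actually live, which the LDAP result code alone does not tell you.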