When Federation Manager is deployed, the server configuration data is stored in a flat file. After installation, Federation Manager can be reconfigured to retrieve this data from an LDAPv3–compliant directory. To proceed, you must follow this sequence:
Set up your LDAPv3–compliant directory.
Install your instance of Federation Manager.
Reconfigure the Federation Manager configuration data.
Migrate the new data to the directory.
The following sections contain procedures for setting up the supported LDAPv3–compliant directories.
Although Federation Manager has only been tested on supported LDAPv3–compliant directories, it should work with any LDAPv3-compliant directory server.
This section contains the following procedures: To Set Up Sun Java System Directory Server as a Configuration Data Store, and To Set Up Microsoft Active Directory as a Configuration Data Store.
Sun Java System Directory Server as a Configuration Data Store
To change the Federation Manager configuration data store to Sun Java System Directory Server, follow the procedure described below in To Set Up Sun Java System Directory Server as a Configuration Data Store.
Install Directory Server based on the instructions in the Sun Java Enterprise System 2005Q4 Installation Guide for UNIX.
Install Federation Manager based on the instructions in Chapter 2, Installing and Deploying Federation Manager.
Configure Federation Manager to communicate with Directory Server based on the instructions in Modifying Federation Manager Configuration Data to Recognize an LDAPv3–compliant Directory.
Build the new LDAP-based configuration data from the flat file data, and load the data and accompanying schema into Directory Server based on the instructions in Building and Loading LDIF Configuration Data Using fmff2ds.
Microsoft Active Directory as a Configuration Data Store
To change the Federation Manager configuration data store to Microsoft Active Directory, you must set up the directory and load the Federation Manager LDIF schema. The procedure is described in To Set Up Microsoft Active Directory as a Configuration Data Store.
When the Active Directory installation wizard asks you to type a new domain, you may type a non-existent domain such as xyz.com. In this example, the root suffix will be dc=xyz,dc=com.
Install Microsoft Active Directory on either Microsoft Windows 2000 Advanced Server or Microsoft Windows 2003 Advanced Server. The procedures for these installations can be found in your Active Directory documentation or on the Microsoft web site.
Install the Active Directory Schema Snap-in. Instructions for installing the Active Directory Schema Snap-in can also be found on the Microsoft web site.
Open the Microsoft Management Console (MMC).
Using this console you can load the LDIF schema into Active Directory.
Right-click Active Directory Schema.
Select Operations Master... from the drop-down menu.
Check The Schema may be modified on this Domain Controller in the Change Schema Master window and click OK.
This enables schema modification. The administrator DN is cn=administrator,cn=users,ROOT-SUFFIX.
Install and configure Federation Manager according to the information in Modifying Federation Manager Configuration Data to Recognize an LDAPv3–compliant Directory.
After installing your LDAPv3–compliant directory you must reconfigure some of the Federation Manager configuration data before migrating it to the directory. If the Federation Manager WAR is exploded, restart the web container after making these changes. If the WAR is not exploded, make your changes in the staging directory (by default IS_INSTALL_VARDIR/war_staging, where IS_INSTALL_VARDIR is defined in the silent installation file detailed in The Silent Installation File), regenerate the WAR, and deploy the modified WAR. The following instructions assume that the WAR has been exploded.
If Federation Manager is working solely against an LDAPv3–compliant directory, you must create two users in the directory with the correct read and write privileges to the ou=services tree: amadmin and dsameuser. See serverconfig.xml Users.
Install Federation Manager according to the instructions in Chapter 2, Installing and Deploying Federation Manager.
Edit the default ServerGroup in the serverconfig.xml file as follows:
Change the host, port, and type attributes of the Server tag to reflect your directory's installation.
Change the DirDN and DirPassword attributes of the User tag in both the proxy and admin entries to reflect an existing user DN and password (encrypted using ampassword). Alternatively, create a new administrator in the directory. This user must have read, search, write and delete permission on the ou=services subtree of the directory information tree (DIT) that holds the Federation Manager configuration data once the data store has been moved to the LDAP directory.
Ensure the proper user permissions have been allocated. This should be done after running fmff2ds.
Change the value of BaseDN to the parent DN containing the configuration data. For example, dc=sun,dc=com.
Edit the AMConfig.properties file as follows:
Change the value of the com.sun.identity.sm.sms_object_class_name property to
If the DirDN specified in the step above is different from the default amadmin, you need to modify the com.sun.identity.authentication.special.users property by adding (or replacing) the specified DN of the directory's super user. This property may contain a pipe-separated list of user DNs as in:
AMConfig.properties is located in the /exploded-FM-WAR-directory/WEB-INF/classes directory where exploded-FM-WAR-directory is the directory to which the Federation Manager WAR was deployed.
Run fmff2ds according to the information in Building and Loading LDIF Configuration Data Using fmff2ds.
Restart the web container.
Federation Manager is now communicating with the LDAPv3–compliant directory.
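The two file edits in the procedure above (the default ServerGroup in serverconfig.xml, and the pipe-separated com.sun.identity.authentication.special.users list in AMConfig.properties) are easy to get subtly wrong by hand, so here is an added Python example that performs them over constructed sample files. It is not part of the original guide and not a Federation Manager tool. The element layout of the sample ServerGroup (a Server element carrying host/port/type attributes, one User element per proxy and admin role with DirDN and DirPassword children, and a BaseDN element) is an assumption; compare it with the serverconfig.xml your deployment ships before running this against a live file. The DirPassword values are placeholders standing in for ampassword output, and every DN and property value is constructed for the example.

```python
"""Reconfigure serverconfig.xml's default ServerGroup and maintain the
com.sun.identity.authentication.special.users list (added example; the
sample inputs are constructed, not taken from a real installation)."""
import xml.etree.ElementTree as ET

SPECIAL_USERS_KEY = "com.sun.identity.authentication.special.users"

# Constructed sample. Element layout is assumed; DirPassword values are
# placeholders for the ampassword-encrypted strings a real file contains.
SAMPLE_SERVERCONFIG = """<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="localhost" port="389" type="SIMPLE"/>
    <User name="User1" type="proxy">
      <DirDN>cn=puser,ou=DSAME Users,dc=sun,dc=com</DirDN>
      <DirPassword>AMPASSWORD-OUTPUT-1</DirPassword>
    </User>
    <User name="User2" type="admin">
      <DirDN>cn=dsameuser,ou=DSAME Users,dc=sun,dc=com</DirDN>
      <DirPassword>AMPASSWORD-OUTPUT-2</DirPassword>
    </User>
    <BaseDN>dc=sun,dc=com</BaseDN>
  </ServerGroup>
</iPlanetDataAccessLayer>
"""

# Constructed sample lines from AMConfig.properties.
SAMPLE_PROPERTIES = (
    "com.iplanet.am.server.host=fm.example.com\n"
    "com.sun.identity.authentication.special.users="
    "cn=dsameuser,ou=DSAME Users,dc=sun,dc=com|"
    "cn=amadmin,ou=DSAME Users,dc=sun,dc=com\n"
)


def _default_group(root):
    group = next((g for g in root.iter("ServerGroup")
                  if g.get("name") == "default"), None)
    if group is None:
        raise ValueError("no ServerGroup named 'default'")
    return group


def reconfigure_default_group(xml_text, host, port, dir_type, proxy_dn,
                              proxy_pw, admin_dn, admin_pw, base_dn):
    """Return serverconfig.xml text pointed at the LDAP directory. Any
    missing element raises, so a half-edited file is never written."""
    root = ET.fromstring(xml_text)
    group = _default_group(root)
    server, base = group.find("Server"), group.find("BaseDN")
    if server is None or base is None:
        raise ValueError("default ServerGroup lacks Server or BaseDN")
    server.set("host", host)
    server.set("port", str(port))
    server.set("type", dir_type)
    wanted = {"proxy": (proxy_dn, proxy_pw), "admin": (admin_dn, admin_pw)}
    for user in group.findall("User"):
        role = user.get("type")
        if role in wanted:
            dn, pw = wanted.pop(role)
            for tag, text in (("DirDN", dn), ("DirPassword", pw)):
                child = user.find(tag)
                if child is None:
                    raise ValueError(f"{role} User entry lacks {tag}")
                child.text = text
    if wanted:  # both roles must exist, or the admin entry stays stale
        raise ValueError("missing User entries: " + ", ".join(sorted(wanted)))
    base.text = base_dn
    return ET.tostring(root, encoding="unicode")


def default_group_settings(xml_text):
    """Read back host/port/type, BaseDN and the DN per role for checking."""
    group = _default_group(ET.fromstring(xml_text))
    server = group.find("Server")
    out = {k: server.get(k) for k in ("host", "port", "type")}
    out["BaseDN"] = group.findtext("BaseDN")
    for user in group.findall("User"):
        out[user.get("type")] = user.findtext("DirDN")
    return out


def special_users(props_text):
    """Parse the pipe-separated DN list; [] when the property is absent."""
    for line in props_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == SPECIAL_USERS_KEY:
            return [dn for dn in value.strip().split("|") if dn]
    return []


def set_special_user(props_text, dn, replace_dn=None):
    """Add dn to the list, or swap it in for replace_dn when that DN is
    listed (the 'different from the default amadmin' case). Other lines
    pass through untouched; duplicates are collapsed."""
    out, done = [], False
    for line in props_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == SPECIAL_USERS_KEY:
            dns = [d for d in value.strip().split("|") if d]
            if replace_dn in dns:
                dns = [dn if d == replace_dn else d for d in dns]
            elif dn not in dns:
                dns.append(dn)
            line = f"{SPECIAL_USERS_KEY}={'|'.join(dict.fromkeys(dns))}"
            done = True
        out.append(line)
    if not done:
        out.append(f"{SPECIAL_USERS_KEY}={dn}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    admin = "cn=fmadmin,ou=DSAME Users,dc=example,dc=com"
    print(reconfigure_default_group(
        SAMPLE_SERVERCONFIG, "ds.example.com", 1389, "SIMPLE",
        "cn=puser,ou=DSAME Users,dc=example,dc=com", "AMPASSWORD-OUTPUT-3",
        admin, "AMPASSWORD-OUTPUT-4", "dc=example,dc=com"))
    print(set_special_user(SAMPLE_PROPERTIES, admin,
                           replace_dn="cn=amadmin,ou=DSAME Users,dc=sun,dc=com"))
```

Run it against copies of the real files, diff the output against the originals, and only then copy it into WEB-INF, as the procedure's later steps (fmff2ds, then a web container restart) assume the edits are already in place. The script refuses to produce output when the proxy or admin User entry is missing, since a group with only one of the two leaves the other role bound to the old flat-file-era credentials.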
This procedure is useful when an LDAPv3–compliant directory is used for storing configuration data. If creating a second instance of Federation Manager by running fmwar, you will need to add the new instance to the Server List attribute of the original instance of Federation Manager before starting the new instance. The following procedure describes how to do this.
Log in to the console of the original instance of Federation Manager as administrator.
Select the Configuration tab.
Select Platform under System Properties.
Enter the new instance in the Server List global attribute and click Add.
The value is entered in the form protocol://host-name:port|instance-name. For example, http://host2.sun.com:81|02.
fmff2ds is a command-line utility used to convert service configuration data from a flat file to an LDIF file. This utility does not work with user data. fmff2ds performs the following functions:
Builds and loads an LDAP schema for your directory based on included templates.
Builds an LDIF file from a configuration data flat file and loads it into the directory.
The syntax for fmff2ds is:
fmff2ds [-a] -h directory-server-host -p directory-server-port -r root-suffix -f flat-file -u userDN [-w userPW] -j Java-directory
By default, fmff2ds assumes Sun Java System Directory Server is the underlying directory server. By specifying -a, fmff2ds will load data into Microsoft Active Directory.
-r root-suffix
Defines the root suffix of the underlying directory server.
-f flat-file
Defines the location of the flat file directory. By default, /var/opt/SUNWam/fm/URI.
-u userDN
Defines the distinguished name of the user connecting to the directory server.
-w userPW
Defines the password of the user connecting to the directory server. If this option is not specified, you are prompted for the bind password of the specified userDN; when the option is omitted and the DSHOME property is not set to the Sun Directory Server installation root directory, you are prompted for the bind password three times during the process. Prefer the prompt on shared systems: a password given with -w is visible to other users in process listings and is recorded in shell history.
-j Java-directory
Defines the directory where the Java Development Kit (JDK) is located. The JDK must be version 1.4.2 or higher.
The remaining options display version information and help information.