Sun Java System Federation Manager 7.0 User's Guide

Changing the Default Data Store for Configuration Data to an LDAPv3–compliant Directory

When Federation Manager is deployed, the server configuration data is stored in a flat file. After installation, Federation Manager can be reconfigured to retrieve this data from an LDAPv3–compliant directory. To proceed, you must follow this sequence:

  1. Set up your LDAPv3–compliant directory.

    See Setting Up Your LDAPv3–Compliant Directory.

  2. Install your instance of Federation Manager.

    See Chapter 2, Installing and Deploying Federation Manager.

  3. Reconfigure the Federation Manager configuration data.

    See Modifying Federation Manager Configuration Data to Recognize an LDAPv3–compliant Directory.

  4. Migrate the new data to the directory.

    See Building and Loading LDIF Configuration Data Using fmff2ds.

Setting Up Your LDAPv3–Compliant Directory

The following sections contain procedures for setting up the supported LDAPv3–compliant directories.


Note –

Although Federation Manager has only been tested on supported LDAPv3–compliant directories, it should work with any LDAPv3-compliant directory server.


This section contains the following procedures:

  • To Set Up Sun Java System Directory Server as a Configuration Data Store

  • To Set Up Microsoft Active Directory as a Configuration Data Store

Procedure: To Set Up Sun Java System Directory Server as a Configuration Data Store

To change the Federation Manager data store for configuration data to Sun Java System Directory Server, follow the procedure below.

  1. Install Directory Server based on the instructions in the Sun Java Enterprise System 2005Q4 Installation Guide for UNIX.

  2. Install Federation Manager based on the instructions in Chapter 2, Installing and Deploying Federation Manager.

  3. Configure Federation Manager to communicate with Directory Server based on the instructions in Modifying Federation Manager Configuration Data to Recognize an LDAPv3–compliant Directory.

  4. Build the new LDAP-based configuration data from the flat file data, and load the data and accompanying schema into Directory Server based on the instructions in Building and Loading LDIF Configuration Data Using fmff2ds.

Procedure: To Set Up Microsoft Active Directory as a Configuration Data Store

To change the Federation Manager data store for configuration data to Microsoft Active Directory, you must set up the directory and load the Federation Manager LDIF schema. The procedure is described below.


Note –

When the Active Directory installation wizard asks you to type a new domain, you may type a non-existent domain as in xyz.com. In this example, the root suffix will be dc=xyz,dc=com.


  1. Install Microsoft Active Directory on either Microsoft Windows 2000 Advanced Server or Microsoft Windows 2003 Advanced Server.

    The procedures for these installations can be found in your Active Directory documentation or on the Microsoft web site.

  2. Install the Active Directory Schema Snap-in.

    Instructions for installing the Active Directory Schema Snap-in can also be found on the Microsoft web site.

  3. Open the Microsoft Management Console (MMC).

    Using this console you can load the LDIF schema into Active Directory.

  4. Right-click Active Directory Schema.

  5. Select Operations Master... from the drop-down menu.

  6. Check The Schema may be modified on this Domain Controller in the Change Schema Master window and click OK.

    This enables schema modification. The administrator DN is cn=administrator,cn=users,ROOT-SUFFIX.

  7. Install and configure Federation Manager according to the information in Modifying Federation Manager Configuration Data to Recognize an LDAPv3–compliant Directory.

Modifying Federation Manager Configuration Data to Recognize an LDAPv3–compliant Directory

After installing your LDAPv3–compliant directory you must reconfigure some of the Federation Manager configuration data before migrating it to the directory. If the Federation Manager WAR is exploded, you must restart the web container after making these changes. If the Federation Manager WAR is not exploded, make your changes in the staging directory (located by default in the IS_INSTALL_VARDIR/war_staging directory, where IS_INSTALL_VARDIR is defined in the silent installation file detailed in The Silent Installation File), regenerate the WAR, and deploy the modified WAR. The following instructions assume that the WAR has been exploded.

Procedure: To Set Up Federation Manager for an LDAPv3–compliant Directory

Before You Begin

If Federation Manager is working solely against an LDAPv3–compliant directory, you must create two users in the directory with the correct read and write privileges to the ou=services tree: amadmin and dsameuser. See serverconfig.xml Users.

  1. Install Federation Manager according to the instructions in Chapter 2, Installing and Deploying Federation Manager.

  2. Edit the default ServerGroup in the serverconfig.xml file as follows:

    • Change the host, port, and type attributes of the Server tag to reflect your directory's installation.

    • Change the DirDN and DirPassword attributes of the User tag in both the proxy and admin entries to reflect an existing user DN and password (encrypted using ampassword). Alternatively, you can create a new administrator in the directory. This new user must have read, search, write and delete permission on the ou=services subtree of the directory information tree (DIT) containing the Federation Manager configuration data once the data store has been changed to Open LDAP.


      Note –

      Ensure the proper user permissions have been allocated. This should be done after running fmff2ds.


    • Change the values of the BaseDN to that of the parent DN containing the configuration data. For example, dc=sun,dc=com.

    See

  3. Edit the AMConfig.properties file as follows:

    • Change the value of the com.sun.identity.sm.sms_object_class_name property to com.sun.identity.sm.ldap.SMSLdapObject.

    • If the DirDN specified in the step above is different from the default amadmin, you need to modify the com.sun.identity.authentication.special.users property by adding (or replacing) the specified DN of the directory's super user. This property may contain a pipe-separated list of user DNs as in: com.sun.identity.authentication.special.users=cn=dsameuser,ou=DSAME Users,dc=sun,dc=com|cn=administrator,cn=users,dc=sun,dc=com.

    AMConfig.properties is located in the /exploded-FM-WAR-directory/WEB-INF/classes directory where exploded-FM-WAR-directory is the directory to which the Federation Manager WAR was deployed.

  4. Run fmff2ds according to the information in Building and Loading LDIF Configuration Data Using fmff2ds.

  5. Restart the web container.

    Federation Manager is now communicating with Directory Server.
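As an added example, not code from the guide or from Federation Manager itself, the following Python script applies the serverconfig.xml and AMConfig.properties edits of steps 2 and 3 to constructed sample files, so the same change can be made identically on every instance. The element layout it assumes for the default ServerGroup (Server and User elements under ServerGroup, DirDN and DirPassword as child elements of User), the sample DNs, and the sample property values are assumptions to be checked against your own deployment; the DirPassword value passed in must already be the encrypted string produced by ampassword, because the script never encrypts anything.

```python
# Added example (not from the Federation Manager guide): script the serverconfig.xml
# and AMConfig.properties edits from steps 2 and 3 of the procedure.
import xml.etree.ElementTree as ET

SMS_PROP = "com.sun.identity.sm.sms_object_class_name"
SMS_LDAP_CLASS = "com.sun.identity.sm.ldap.SMSLdapObject"
SPECIAL_USERS_PROP = "com.sun.identity.authentication.special.users"

# Constructed sample of the default ServerGroup. The layout assumed here must be
# checked against the serverconfig.xml of your own deployment.
SAMPLE_SERVERCONFIG = """<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="localhost" port="389" type="SIMPLE"/>
    <User name="User1" type="proxy">
      <DirDN>cn=puser,ou=DSAME Users,dc=sun,dc=com</DirDN>
      <DirPassword>AQICconstructed-old</DirPassword>
    </User>
    <User name="User2" type="admin">
      <DirDN>cn=dsameuser,ou=DSAME Users,dc=sun,dc=com</DirDN>
      <DirPassword>AQICconstructed-old</DirPassword>
    </User>
    <BaseDN>dc=sun,dc=com</BaseDN>
  </ServerGroup>
</iPlanetDataAccessLayer>
"""

# Constructed sample of the AMConfig.properties lines the procedure touches.
SAMPLE_AMCONFIG = """com.iplanet.am.server.host=fm.sun.com
com.sun.identity.sm.sms_object_class_name=com.sun.identity.sm.flatfile.SMSFlatFileObject
com.sun.identity.authentication.special.users=cn=dsameuser,ou=DSAME Users,dc=sun,dc=com
"""


def update_serverconfig(xml_text, host, port, dir_type, user_dn, encrypted_pw, base_dn):
    """Step 2: point the default ServerGroup at the new directory.
    encrypted_pw must already be the value produced by ampassword."""
    root = ET.fromstring(xml_text)
    group = root.find("ServerGroup[@name='default']")
    if group is None:
        raise ValueError("serverconfig.xml has no ServerGroup named 'default'")
    server = group.find("Server")
    server.set("host", host)
    server.set("port", str(port))
    server.set("type", dir_type)
    # Both the proxy and the admin entries get the directory user from the procedure.
    for user in group.findall("User"):
        if user.get("type") in ("proxy", "admin"):
            user.find("DirDN").text = user_dn
            user.find("DirPassword").text = encrypted_pw
    group.find("BaseDN").text = base_dn
    # ElementTree drops the XML declaration and comments; restore them if present.
    return ET.tostring(root, encoding="unicode")


def read_serverconfig(xml_text):
    """Return the settings the procedure cares about, for checking the result."""
    root = ET.fromstring(xml_text)
    group = root.find("ServerGroup[@name='default']")
    server = group.find("Server")
    return {
        "host": server.get("host"),
        "port": server.get("port"),
        "type": server.get("type"),
        "users": {u.get("type"): u.find("DirDN").text for u in group.findall("User")},
        "basedn": group.find("BaseDN").text,
    }


def get_property(lines, key):
    """Value of key=value among properties lines, or None. Assumes the plain
    key=value form; ':' separators and backslash continuations are not handled."""
    prefix = key + "="
    for line in lines:
        if line.startswith(prefix):
            return line[len(prefix):]
    return None


def set_property(lines, key, value):
    """Replace key=value in place, or append it if the key is absent."""
    prefix = key + "="
    out = [prefix + value if line.startswith(prefix) else line for line in lines]
    if not any(line.startswith(prefix) for line in lines):
        out.append(prefix + value)
    return out


def update_amconfig(text, special_user_dn):
    """Step 3: switch the SMS object class to LDAP and add the directory super user
    to the pipe-separated special.users list without duplicating it."""
    lines = set_property(text.splitlines(), SMS_PROP, SMS_LDAP_CLASS)
    users = [u for u in (get_property(lines, SPECIAL_USERS_PROP) or "").split("|") if u]
    if special_user_dn not in users:
        users.append(special_user_dn)
    lines = set_property(lines, SPECIAL_USERS_PROP, "|".join(users))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    admin = "cn=administrator,cn=users,dc=sun,dc=com"
    print(update_serverconfig(SAMPLE_SERVERCONFIG, "ds.sun.com", 389, "SIMPLE",
                              admin, "AQICconstructed-new", "dc=sun,dc=com"))
    print(update_amconfig(SAMPLE_AMCONFIG, admin))
```

Running it twice over the same AMConfig.properties leaves the file unchanged, so it is safe to re-run after a failed migration; the DN list is merged rather than overwritten so the existing dsameuser entry is kept.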

Procedure: To Add a Second Instance of Federation Manager to the Server List

This procedure is useful when an LDAPv3–compliant directory is used for storing configuration data. If you create a second instance of Federation Manager by running fmwar, you must add the new instance to the Server List attribute of the original instance of Federation Manager before starting the new instance. The following procedure describes how to do this.

  1. Log in to the console of the original instance of Federation Manager as administrator.

  2. Select the Configuration tab.

  3. Select Platform under System Properties.

  4. Enter the new instance in the Server List global attribute and click Add.

    The value is entered in the form protocol://host-name:port|instance-name. For example, http://host2.sun.com:81|02.

Building and Loading LDIF Configuration Data Using fmff2ds

fmff2ds is a command-line utility used to convert service configuration data from a flat file to an LDIF file. This utility does not work with user data. fmff2ds performs the following functions:

The syntax for fmff2ds is:

fmff2ds [-a] -h directory-server-host -p directory-server-port -r root-suffix -f flat-file -u userDN [-w userPW] -j Java-directory
fmff2ds -V
fmff2ds -?

where:

-a, --activedirectory

By default, fmff2ds assumes Sun Java System Directory Server is the underlying directory server. By specifying -a, fmff2ds will load data into Microsoft Active Directory.

-r, --rootsuffix

Defines the root suffix of the underlying directory server. 

-f, --flatfile

Defines the location of the flat file directory. By default, /var/opt/SUNWam/fm/URI.

-u, --username

Defines the distinguished name of the user connecting to the directory server. 

-w, --password

Defines the password of the user connecting to the directory server. If this option is not specified, the user is prompted for the bind password of the specified userDN. If the option is not given and the DSHOME property is not set to the Sun Directory Server installation root directory, the user is prompted for the bind password three times during the process.


-j, --java

Java-directory defines the directory where the Java Development Kit (JDK) is located. The JDK must be version 1.4.2 or higher.

-V

Displays version information. 

-?

Displays help information.