The serverconfig.xml file provides configuration information to Federation Manager regarding the LDAPv3–compliant directory being used as its data store. serverconfig.xml is located in the /exploded-FM-WAR-directory/WEB-INF/config directory where exploded-FM-WAR-directory is the directory to which the Federation Manager WAR was deployed. It contains the parameters used to establish the LDAP connection pool to the LDAPv3–compliant directory.
<?xml version="1.0" encoding="XML_ENCODING" standalone="yes"?>
<!-- Copyright (c) 2004 Sun Microsystems, Inc. All rights reserved
     Use is subject to license terms. -->
<iPlanetDataAccessLayer>
    <ServerGroup name="default" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="DIRECTORY_SERVER" port="DIRECTORY_PORT" type="SIMPLE" />
        <User name="User1" type="proxy">
            <DirDN> uid=amadmin,ou=people,NORMALIZED_ORGBASE </DirDN>
            <DirPassword> ENCADMINPASSWD </DirPassword>
        </User>
        <User name="User2" type="admin">
            <DirDN> uid=amadmin,ou=people,NORMALIZED_ORGBASE </DirDN>
            <DirPassword> ENCADMINPASSWD </DirPassword>
        </User>
        <BaseDN> NORMALIZED_RS </BaseDN>
    </ServerGroup>
    <ServerGroup name="internalauthentication" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="DIRECTORY_SERVER" port="DIRECTORY_PORT" type="SIMPLE" />
        <User name="User1" type="proxy">
            <DirDN> uid=amadmin,ou=people,NORMALIZED_ORGBASE </DirDN>
            <DirPassword> ENCADMINPASSWD </DirPassword>
        </User>
        <User name="User2" type="admin">
            <DirDN> uid=amadmin,ou=people,NORMALIZED_ORGBASE </DirDN>
            <DirPassword> ENCADMINPASSWD </DirPassword>
        </User>
        <BaseDN> NORMALIZED_RS </BaseDN>
    </ServerGroup>
    <!-- Modify this ServerGroup to point to your LDAP server for user data.
         If your component needs to use a different LDAP server, add a
         ServerGroup for that component. Some of the possible ServerGroup
         names you can use are: saml, federation, disco, idpp, and authnsvc.
         Make sure user dn in your LDAP server uses the same naming attribute
         as your "admin" user; and baseDN is the people container LDAP server
         uses. -->
    <ServerGroup name="userdefault" minConnPool="1" maxConnPool="10">
        <Server name="Server1" host="DIRECTORY_SERVER" port="DIRECTORY_PORT" type="SIMPLE" />
        <User name="User1" type="proxy">
            <DirDN> uid=amadmin,ou=people,NORMALIZED_ORGBASE </DirDN>
            <DirPassword> ENCADMINPASSWD </DirPassword>
        </User>
        <User name="User2" type="admin">
            <DirDN> uid=amadmin,ou=people,NORMALIZED_ORGBASE </DirDN>
            <DirPassword> ENCADMINPASSWD </DirPassword>
        </User>
        <BaseDN> ou=people,NORMALIZED_RS </BaseDN>
    </ServerGroup>
</iPlanetDataAccessLayer>
This section contains information on the following:
The server-config.dtd defines the structure for serverconfig.xml. It is located in /FederationManager-base/XXXXXXXX.
<?xml version="1.0" encoding="ISO-8859-1"?>
<!-- Copyright (c) 2002 Sun Microsystems, Inc. All rights reserved.
     Use is subject to license terms. -->

<!-- The root. -->
<!ELEMENT iPlanetDataAccessLayer (ServerGroup+)>

<!-- A ServerGroup holds one or more directory servers, the users used to bind
     to them, the base DN, and optional LDAP JDK settings. -->
<!ELEMENT ServerGroup (Server+, User+, BaseDN, MiscConfig*)>
<!ATTLIST ServerGroup
    name        ID      #REQUIRED
    minConnPool NMTOKEN "1"
    maxConnPool NMTOKEN "10"
>

<!ELEMENT BaseDN (#PCDATA)>

<!-- A Server contains an id, host name and port. It has no content. -->
<!ELEMENT Server EMPTY>
<!ATTLIST Server
    name ID           #REQUIRED
    host CDATA        #REQUIRED
    port NMTOKEN      "389"
    type (SIMPLE|SSL) "SIMPLE"
>

<!-- A User contains an ID, the type of privileges the DN and Password provide.
     The type of connection of a DirInstance is realized from the type of User
     it is associated with or it contains. -->
<!ELEMENT User (DirDN, DirPassword)>
<!ATTLIST User
    name ID                        #REQUIRED
    type (auth|proxy|rebind|admin) "auth"
>
<!ELEMENT DirDN (#PCDATA)>
<!ELEMENT DirPassword (#PCDATA)>

<!-- Placeholder for LDAP JDK features such as cache size. -->
<!ELEMENT MiscConfig EMPTY>
<!ATTLIST MiscConfig
    name  CDATA #REQUIRED
    value CDATA #IMPLIED
>
This section defines the main elements of the DTD.
iPlanetDataAccessLayer is the root element. It allows for the definition of multiple server groups per XML file. Its immediate sub-element is the ServerGroup. It contains no attributes.
ServerGroup defines a pointer to one or more LDAPv3–compliant directories. They can be master or replica servers. The sub-elements that qualify ServerGroup include:
Server
User
BaseDN
MiscConfig
The ServerGroup attributes are the name of the server group, and values for minConnPool and maxConnPool which define the minimum (1) and maximum (10) connections that can be opened for the LDAP connection pool respectively. More than one defined ServerGroup element is not supported.
Federation Manager uses a connection pool to access the LDAPv3–compliant directory. All connections are opened when Federation Manager starts and are not closed. They are reused.
Server defines a specific LDAPv3–compliant directory instance. It contains no sub-elements. The required XML attributes are a user-friendly name for the server, the host name, the port number on which the LDAPv3–compliant directory runs, and the type of LDAP connection that must be opened (either simple or SSL).
User contains sub-elements that define the user configured for the instance of the LDAPv3–compliant directory. The User sub-elements are DirDN and DirPassword. Its required XML attributes are the name of the user and the type of user. The values for type identify the user's privileges and the type of connection that will be opened to the directory instance. Options include:
auth defines a user authenticated to the LDAPv3–compliant directory.
proxy defines a proxy user for the LDAPv3–compliant directory. See Proxy User.
rebind defines a user with credentials that can be used to rebind to the LDAPv3–compliant directory.
admin defines a user with administrative privileges for the LDAPv3–compliant directory. See Admin User.
DirDN contains the LDAP Distinguished Name (DN) of the defined user.
DirPassword contains the defined user's encrypted password.
It is important that passwords and encryption keys are kept consistent throughout the deployment. For example, the passwords defined in this element are stored in the LDAPv3–compliant directory. If the password is changed in one place, it must be updated in all places where it is defined. Additionally, this password is encrypted. If the encryption key defined in the am.encryption.pwd property is changed, all passwords in serverconfig.xml must be re-encrypted using ampassword.
BaseDN defines the base DN for the server group. It contains no sub-elements and no XML attributes.
MiscConfig is a placeholder for defining any LDAP JDK features such as cache size. It contains no sub-elements. Its required XML attributes are the name of the feature and its defined value.
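The checks below are an added example, not part of the Federation Manager product, that apply the DTD rules and the hardening points from the sample serverconfig.xml and the element descriptions above to a configuration file: required children of ServerGroup, legal User types, a sane connection-pool range, SIMPLE (cleartext) versus SSL binds, and install-time placeholders such as DIRECTORY_SERVER or ENCADMINPASSWD left in place. The sample document and the encrypted-looking password value are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed serverconfig.xml in the layout shown on this page; the host and the
# proxy user's password are deliberately still install-time placeholders.
SAMPLE = """<?xml version="1.0" standalone="yes"?>
<iPlanetDataAccessLayer>
  <ServerGroup name="default" minConnPool="1" maxConnPool="10">
    <Server name="Server1" host="DIRECTORY_SERVER" port="389" type="SIMPLE"/>
    <User name="User1" type="proxy">
      <DirDN>cn=puser,ou=DSAME Users,dc=example,dc=com</DirDN>
      <DirPassword>ENCADMINPASSWD</DirPassword>
    </User>
    <User name="User2" type="admin">
      <DirDN>cn=dsameuser,ou=DSAME Users,dc=example,dc=com</DirDN>
      <DirPassword>AQICconstructedEncryptedValue=</DirPassword>
    </User>
    <BaseDN>dc=example,dc=com</BaseDN>
  </ServerGroup>
</iPlanetDataAccessLayer>"""

USER_TYPES = {"auth", "proxy", "rebind", "admin"}          # from server-config.dtd
PLACEHOLDERS = {"DIRECTORY_SERVER", "DIRECTORY_PORT", "ENCADMINPASSWD",
                "NORMALIZED_RS", "NORMALIZED_ORGBASE"}      # from the shipped sample

def audit_serverconfig(xml_text):
    """Return (group name, finding) pairs for DTD violations and weak settings."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "iPlanetDataAccessLayer":
        return [("-", "root element is not iPlanetDataAccessLayer")]
    for group in root.findall("ServerGroup"):
        name = group.get("name", "?")
        servers, users = group.findall("Server"), group.findall("User")
        # DTD: ServerGroup (Server+, User+, BaseDN, MiscConfig*)
        if not servers or not users or group.find("BaseDN") is None:
            findings.append((name, "ServerGroup needs Server+, User+ and BaseDN"))
        lo, hi = int(group.get("minConnPool", "1")), int(group.get("maxConnPool", "10"))
        if lo > hi:
            findings.append((name, "minConnPool exceeds maxConnPool"))
        for s in servers:                                   # type (SIMPLE|SSL) "SIMPLE"
            if s.get("type", "SIMPLE") == "SIMPLE":
                findings.append((name, f"{s.get('host')}: SIMPLE (cleartext) bind; prefer SSL"))
        for u in users:                                     # type (auth|proxy|rebind|admin)
            if u.get("type", "auth") not in USER_TYPES:
                findings.append((name, f"User {u.get('name')}: bad type {u.get('type')}"))
        for el in group.iter():                             # unresolved placeholders
            for v in list(el.attrib.values()) + [(el.text or "").strip()]:
                for p in PLACEHOLDERS:
                    if p in v:
                        findings.append((name, f"placeholder {p} left in <{el.tag}>"))
    return findings
```

Run it against a deployed serverconfig.xml after ampassword has encrypted the DirPassword values; an empty result means the file is structurally valid and free of the weak settings checked here.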
Two users are defined in serverconfig.xml:
The Proxy User can take on any user's privileges (for example, the organization administrator or an end user). The connection pool is created with connections bound to the proxy user. Federation Manager creates a proxy user with the DN of cn=puser,ou=DSAME Users,dc=example,dc=com. This user is used for all queries made to the LDAPv3–compliant directory. It benefits from a proxy user ACI already configured in the LDAPv3–compliant directory and, therefore, can perform actions on behalf of a user, when necessary. It maintains an open connection through which all queries are passed (retrieval of service configurations, organization information, etc.). The proxy user password is always encrypted.
dsameuser, the administrator user, is used for binding purposes when the Federation Manager SDK performs operations on the LDAPv3–compliant directory that are not linked to a particular user (for example, retrieving service configuration information). The Proxy User performs these operations on behalf of the dsameuser, but a bind must first validate the dsameuser credentials. During installation, Federation Manager creates cn=dsameuser,ou=DSAME Users,dc=example,dc=com.