Command-line Samples: OpenSSO Client SDK
By docteger on Dec 19, 2007
After successfully completing the OpenSSO Client SDK web-based samples (see sidebar for links), I moved to the command-line samples. IMPORTANT: Be sure to run all the scripts discussed in this entry one level up from the directory in which they are found, as in scripts/setup.sh and so on. After unzipping and deploying fam-client-jdk15.war, I made the scripts in the sdk directory executable by running chmod 755 *.sh. Because I am using JDK 1.5, the following message was displayed:

    Note: source/com/sun/identity/samples/authentication/Login.java uses or overrides a deprecated API.
    Note: Recompile with -Xlint:deprecation for details.
    Note: Some input files use unchecked or unsafe operations.
    Note: Recompile with -Xlint:unchecked for details.

This message refers to the components in the script needed for JDK 1.4, so it can be ignored. Following that, I compiled the samples by running compile-samples.sh. Then I ran the following sample scripts.
When you run setup.sh you are creating AMConfig.properties and populating it with values based on your deployment. Main.java is the code used. NOTE: Although the server-side AMConfig.properties has been deprecated for current and future versions of OpenSSO in favor of OpenDS, the Client SDK still uses its own version of the file. The following is output to the screen, with my input shown after each prompt:

    debug directory: /opensso/debug
    password of OpenSSO: admin123
    protocol: http
    server name: ilsdev2.red.iplanet.com
    port: 8080
    URI: opensso (no slash)
    Naming: /namingservice

This script creates the sdk/resources directory. The first time I ran Login.sh (which logs in and then logs out the user based on Login.java), I got this error:

    com.sun.identity.authentication.spi.AuthLoginException: Failed to create new Authentication Context: Naming Service is not available.
        at com.sun.identity.authentication.AuthContext.login(AuthContext.java:534)
        at com.sun.identity.authentication.AuthContext.login(AuthContext.java:377)
        at com.sun.identity.samples.authentication.Login.getAuthContext(Login.java:64)
        at com.sun.identity.samples.authentication.Login.main(Login.java:206)

It turns out that the property in AMConfig.properties which takes as its value the URL of the OpenSSO Naming Service did not have a defined port number. I'm not sure how this happened because every other URL had taken the value from my setup input. Once I modified the property and restarted Glassfish, Login.sh ran as follows:
    Realm (e.g. /): /
    Login module name (e.g. DataStore or LDAP): DataStore
    Login locale (e.g. en_US or fr_FR): en_US
    DataStore: Obtained login context
    User Name:amadmin
    Password:admin123
    Login succeeded.
    Logged Out!!

NOTE: If you want to choose LDAP, you have to configure the LDAP authentication module using the OpenSSO console. Be aware that the OpenDS server installed with OpenSSO is intended for configuration only. Next I ran CommandLineSSO.sh, which demonstrates how to retrieve a user profile using CommandLineSSO.java. I got an error that informed me to check AMConfig.properties. Of the two, com.iplanet.am.service.password had no value, so, after some internal email investigation, I populated it with the correct password, changeit. I saved the file, restarted Glassfish, and ran CommandLineSSO.sh again. This time it was successful. The following output was displayed:

    Organization: /
    DataStore: Obtained login context
    User Name:amadmin
    Password:admin123
    Successful authentication ...
    User Name: id=amadmin,ou=user,dc=opensso,dc=java,dc=net
    User Attributes:
    dn=[uid=amAdmin,ou=people,dc=opensso,dc=java,dc=net]
    roles=[Top-level Admin Role]
    inetuserstatus=[Active]

Next I ran
CommandLineIdrepo.sh, which functioned without a hitch. And it was F-U-N, FUN! You can perform any number of operations on the identity repository. The source files for this sample can be found here. I created the sub realm CLRealm and deleted aaaa, an identity I had previously created. CommandLineIdrepo.sh ran as follows:

    Userid [amAdmin]: amadmin
    Userid amadmin's password [openssoxxx]: admin123
    Realm [/]:
    ==>Authentication SUCCESSFUL for user amadmin
    AMIdentity realm name for realm '/' is 'dc=opensso,dc=java,dc=net'
    getting subrealms
    Realm '/' has no subrealms
    Currently in realm '/'.
    Realm '/' has no subrealms
    AMIdentityRepository operations
    0: Select (sub)Realm
    1: Create Identity
    2: Delete Identity
    3: Get Allowed Operations
    4: Get Supported IdTypes
    5: Search/Select Identities
    6: Return to / realm
    7: Exit
    Enter selection: 1
    Supported IdTypes:
    0: user
    1: agent
    2: agentonly
    3: agentgroup
    4: realm
    5: No selection
    Select type: [0..3]: 4
    No realms found.
    Enter idName to create: CLRealm
    CLRealm active/inactive [a,i]: a
    Created realm identity 'CLRealm'
    isExists = false
    Current list of realms:
    CLRealm
    idRepoProcessing IdRepoException creating 'IdType: realm': Plug-in com.sun.identity.idm.plugins.internal.AgentsRepo: Unable to read attributes.
    Currently in realm '/'.
    Realm '/' has no subrealms
    AMIdentityRepository operations
    0: Select (sub)Realm
    1: Create Identity
    2: Delete Identity
    3: Get Allowed Operations
    4: Get Supported IdTypes
    5: Search/Select Identities
    6: Return to / realm
    7: Exit
    Enter selection: 2
    Supported IdTypes:
    0: user
    1: agent
    2: agentonly
    3: agentgroup
    4: realm
    5: No selection
    Select type: [0..3]: 0
    Found 6 entries of type user.
    AMIdentities:
    0: amAdmin
    1: amldapuser
    2: dsameuser
    3: anonymous
    4: aaaa
    5: amService-URLAccessAgent
    6: No selection
    Select id: [0..6]: 4
    Current list of users:
    amAdmin
    amldapuser
    dsameuser
    anonymous
    aaaa
    amService-URLAccessAgent
    Currently in realm '/'.
    Realm '/' has no subrealms
    AMIdentityRepository operations
    0: Select (sub)Realm
    1: Create Identity
    2: Delete Identity
    3: Get Allowed Operations
    4: Get Supported IdTypes
    5: Search/Select Identities
    6: Return to / realm
    7: Exit
    Enter selection: 7
    idRepoProcessing: user 'amadmin' logged out

Next I ran
CommandLineLogging.sh, which demonstrates log writing as well as the login process. The script calls LogSample.java. You will need to authenticate two users: the subject of the LogRecord and the logger. In the following output, bbbb is the subject and amadmin is the logger.

    Subject Userid [user1]: bbbb
    Subject Userid bbbb's password [user1password]: bbbb
    Log file [TestLog]: accepted default
    Log message [Test Log Record]: accepted default
    LoggedBy Userid [amadmin]: accepted default
    LoggedBy Userid's password [amadminpswd]: admin123
    Realm [/]: accepted default
    ==>Authentication SUCCESSFUL for user bbbb
    ==>Authentication SUCCESSFUL for user amadmin
    LogSample: Logging Successful !!!
TestLog is created in /opensso/log. Here is TestRecord, the logging record written to TestLog:

    #Version: 1.0
    #Fields: time Data ModuleName MessageID Domain ContextID LogLevel LoginID NameID IPAddr LoggedBy HostName
    "2007-12-18 08:39:36" "Test Log Record" MyModule "Not Available" dc=opensso,dc=java,dc=net 713eba0d5788db2301 INFO id=bbbb,ou=user,dc=opensso,dc=java,dc=net "Not Available" null id=amadmin,ou=user,dc=opensso,dc=java,dc=net 188.8.131.52
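As an added example that is not code from the post or from the SDK, the following parses a log file in this format, using the #Fields header to name the columns and keeping double-quoted values such as the timestamp as single fields; the embedded sample input is the header and record shown above.

```java
import java.util.*;

// Added example (not from the post or the SDK): parse an OpenSSO log file as written by LogSample.java, naming columns from the "#Fields:" header.
public class OpenSsoLogParser {
    // Splits on whitespace; a double-quoted value (e.g. the timestamp, which contains a space) becomes one token, quotes removed.
    static List<String> tokenize(String line) {
        List<String> out = new ArrayList<String>();
        StringBuilder cur = new StringBuilder();
        boolean quoted = false, inToken = false;
        for (char c : line.toCharArray()) {
            if (c == '"') { quoted = !quoted; inToken = true; }
            else if (Character.isWhitespace(c) && !quoted) {
                if (inToken) { out.add(cur.toString()); cur.setLength(0); inToken = false; }
            } else { cur.append(c); inToken = true; }
        }
        if (inToken) out.add(cur.toString());
        return out;
    }

    // One map per record, keyed by the header names; a record whose column count differs from the header is skipped, not guessed at.
    public static List<Map<String, String>> parse(String logText) {
        List<String> fields = null;
        List<Map<String, String>> records = new ArrayList<Map<String, String>>();
        for (String line : logText.split("\\r?\\n")) {
            if (line.startsWith("#Fields:")) {
                fields = tokenize(line.substring("#Fields:".length()));
            } else if (fields == null || line.startsWith("#") || line.trim().isEmpty()) {
                continue;   // #Version line, blank line, or data before any header
            } else {
                List<String> values = tokenize(line);
                if (values.size() != fields.size()) continue;
                Map<String, String> rec = new LinkedHashMap<String, String>();
                for (int i = 0; i < fields.size(); i++) rec.put(fields.get(i), values.get(i));
                records.add(rec);
            }
        }
        return records;
    }

    public static void main(String[] args) {
        // Sample input constructed from the header and the record shown in the post.
        String sample = "#Version: 1.0\n"
            + "#Fields: time Data ModuleName MessageID Domain ContextID LogLevel LoginID NameID IPAddr LoggedBy HostName\n"
            + "\"2007-12-18 08:39:36\" \"Test Log Record\" MyModule \"Not Available\" dc=opensso,dc=java,dc=net "
            + "713eba0d5788db2301 INFO id=bbbb,ou=user,dc=opensso,dc=java,dc=net \"Not Available\" null "
            + "id=amadmin,ou=user,dc=opensso,dc=java,dc=net 188.8.131.52\n";
        for (Map<String, String> r : parse(sample))
            System.out.println(r.get("LoginID") + " logged by " + r.get("LoggedBy") + ": " + r.get("Data"));
    }
}
```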
SSOTokenSample.sh is an SSOToken verification sample. You enter an SSOTokenID and the script verifies that it is a valid, authenticated token. SSOTokenSample.java demonstrates this action and how to use other functions of the SSO API. Before running this sample, you will need an SSO Token ID. I went back to the web-based Service Configuration Sample, ran it, and copied the ID that was displayed. Then I ran SSOTokenSample.sh and got the following output.

    Enter SSOToken ID: AQIC5wM2LY4SfcyCY9VHtZbfWtJFuZShI3N1jX5fO5fFuXY=@AAJTSQACMDE=#
    SSOToken host name: 192.xx.xx.xxx [secret stuff]
    SSOToken Principal name: id=amadmin,ou=user,dc=opensso,dc=java,dc=net
    Authentication type used: DataStore
    IPAddress of the host: 192.xx.xx.xxx [secret stuff]
    SSO Token validation test Succeeded.
    Token ID: AQIC5wM2LY4SfcyCY9VHtZbfWtJFuZShI3N1jX5fO5fFuXY=@AAJTSQACMDE=#
    Property: TimeZone: PST
    Property: County: SantaClara
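Added example, not code from the post or from the SDK's own SSOTokenSample.java: a small program that validates a token ID the way the sample does and then refuses sessions whose authentication type or level does not match what the application expects. It assumes the Client SDK jars and the AMConfig.properties produced by setup.sh are on the classpath; REQUIRED_AUTH_TYPE and REQUIRED_AUTH_LEVEL are hypothetical policy values.

```java
import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.iplanet.sso.SSOTokenManager;

// Added example (not from the post or the SDK samples): validate a token ID as
// SSOTokenSample.sh does, then apply the checks an application should make before
// trusting the session. Assumes the Client SDK jars and a populated
// AMConfig.properties are on the classpath.
public class TokenCheck {

    // Hypothetical policy values for this example.
    private static final String REQUIRED_AUTH_TYPE = "DataStore";
    private static final int REQUIRED_AUTH_LEVEL = 0;

    // Returns the validated token; throws SSOException if it is not acceptable.
    public static SSOToken validate(String tokenId) throws SSOException {
        SSOTokenManager manager = SSOTokenManager.getInstance();
        // Throws for a malformed or unknown token ID.
        SSOToken token = manager.createSSOToken(tokenId);
        // Asks the server; throws if the session has expired or been destroyed.
        manager.validateToken(token);
        // Only now are the session attributes worth reading.
        if (!REQUIRED_AUTH_TYPE.equals(token.getAuthType())) {
            throw new SSOException("unexpected authentication type: " + token.getAuthType());
        }
        if (token.getAuthLevel() < REQUIRED_AUTH_LEVEL) {
            throw new SSOException("authentication level " + token.getAuthLevel()
                    + " is below the required " + REQUIRED_AUTH_LEVEL);
        }
        return token;
    }

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: java TokenCheck <SSOTokenID>");
            System.exit(2);
        }
        try {
            SSOToken token = validate(args[0]);
            System.out.println("Valid session for " + token.getPrincipal().getName()
                    + " from " + token.getIPAddress().getHostAddress()
                    + ", " + token.getTimeLeft() + " seconds remaining");
        } catch (SSOException e) {
            // Report the reason but never echo the token ID: it is a bearer credential.
            System.err.println("Token rejected: " + e.getMessage());
            System.exit(1);
        }
    }
}
```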