Thursday Mar 27, 2008

A Primer on OpenSSO, Policy Agents and Pan's People

Here's a link to an excellent tutorial on getting started with OpenSSO and policy agents.

And now that you're finished, you just might want to loosen up so here is a clip of Pan's People, a group of females who would dance to a song on the BBC-TV music chart show Top of the Pops when the artist wasn't available to sing it live (or Memorex). (Think the Solid Gold dancers for those in the States.) This clip is the troupe dancing to Creedence Clearwater Revival's Green River.

And, of course, there's the even funnier take-off by French and Saunders' Pan's Indeedy People moving to Yellow River - with a long yellow cloth to boot.

Yellow River? Don't take me there.

Friday Mar 21, 2008

Configuring DSEE as a User Data Store is Easy

There are two ways to configure Sun Java System Directory Server Enterprise Edition (DSEE) as the user data store for OpenSSO.

  1. By configuring DSEE as a user data store during deployment.
  2. By preparing the DSEE manually.

The first option is easy-breezy. When you first launch OpenSSO, the configurator is displayed. By checking the Load UM Schema option and pointing to the instance of DSEE, that instance will be configured as the user data store.

The second option is a little less breezy. Follow this procedure to configure DSEE manually.

  1. Load the user attribute schema and index files into DSEE using ldapmodify.

    For example:

    ldapmodify -h host -p port -D"cn=directory manager" -w passwd -c -f file-name

    TIP: If you run into a SASL BIND error, use the -x option with ldapmodify.

    The schema and index files* are found at:

    • /path-to-context-root/fam/WEB-INF/template/sms/sunone_schema2.ldif
    • /path-to-context-root/fam/WEB-INF/template/sms/ds_remote_schema.ldif
    • /path-to-context-root/fam/WEB-INF/template/openfm/fam_sds_schema.ldif (also in /fam/ldif/ and /opensso)
    • /path-to-context-root/fam/WEB-INF/template/openfm/fam_sds_index.ldif (also in /fam/ldif/)
    • /path-to-context-root/fam/WEB-INF/template/sms/index.ldif
    • /path-to-context-root/fam/WEB-INF/template/sms/plugin.ldif

    path-to-context-root is specific to the web container on which OpenSSO is deployed.

    *NOTE: The schema files are platform and root suffix neutral; you can retrieve these files from any instance of OpenSSO and load them into any other instance. The index files, on the other hand, are not neutral. index.ldif and fam_sds_index.ldif contain the back-end database name of the instance to which they were originally deployed. For example, if originally deployed in a system with a dc=red,dc=sun1,dc=com root suffix, the index entries look like:

    dn: cn=nsroledn,cn=index,cn=red,cn=ldbm database,cn=plugins,cn=config
    dn: cn=memberof,cn=index,cn=red,cn=ldbm database,cn=plugins,cn=config
    dn: cn=iplanet-am-static-group-dn,cn=index,cn=red,cn=ldbm database,cn=plugins,cn=config
    dn: cn=iplanet-am-modifiable-by,cn=index,cn=red,cn=ldbm database,cn=plugins,cn=config
    dn: cn=sunxmlkeyvalue,cn=index,cn=red,cn=ldbm database,cn=plugins,cn=config
    dn: cn=o,cn=index,cn=red,cn=ldbm database,cn=plugins,cn=config
    dn: cn=ou,cn=index,cn=red,cn=ldbm database,cn=plugins,cn=config
    dn: cn=sunPreferredDomain,cn=index,cn=red,cn=ldbm database,cn=plugins,cn=config
    dn: cn=associatedDomain,cn=index,cn=red,cn=ldbm database,cn=plugins,cn=config
    dn: cn=sunOrganizationAlias,cn=index,cn=red,cn=ldbm database,cn=plugins,cn=config

    Thus, to use these index files on a system with the root suffix dc=sun2,dc=com (back-end database name sun2), replace the back-end name red in each index DN with sun2 before loading.
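    The rename described above, as an added example that is not part of the original post or of OpenSSO: it rewrites only the back-end component of each index DN, because a blanket search-and-replace of red would also corrupt the attribute name sunPreferredDomain, which appears in the same file. The sample LDIF is constructed from the entries quoted above.

```python
"""Rewrite the back-end database name in DSEE index LDIF DNs.

Added example (not from the original post or the OpenSSO project).
index.ldif and fam_sds_index.ldif carry the ldbm back-end name of the
instance they were generated on, e.g. "cn=red,cn=ldbm database,...".
"""
import re

# Matches the back-end component of an index entry DN, e.g.
#   dn: cn=nsroledn,cn=index,cn=red,cn=ldbm database,cn=plugins,cn=config
# Group 2 is the current back-end name.
_BACKEND_RE = re.compile(
    r"^(dn:\s*cn=[^,]+,cn=index,cn=)([^,]+)"
    r"(,cn=ldbm database,cn=plugins,cn=config)\s*$",
    re.IGNORECASE,
)


def rename_backend(ldif_text: str, new_backend: str) -> str:
    """Return ldif_text with every index DN pointing at new_backend.

    Only the back-end component of 'dn:' lines is touched; attribute
    values (cn: ..., objectClass: ...) pass through unchanged.
    """
    out = []
    for line in ldif_text.splitlines():
        m = _BACKEND_RE.match(line)
        if m:
            line = f"{m.group(1)}{new_backend}{m.group(3)}"
        out.append(line)
    return "\n".join(out) + ("\n" if ldif_text.endswith("\n") else "")


def naive_rename(ldif_text: str, old: str, new: str) -> str:
    """The 'replace all occurrences' approach, kept only for comparison."""
    return ldif_text.replace(old, new)


# Constructed sample modelled on the index entries quoted in the post.
SAMPLE_INDEX_LDIF = """\
dn: cn=nsroledn,cn=index,cn=red,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: nsroledn
nsSystemIndex: false
nsIndexType: eq

dn: cn=sunPreferredDomain,cn=index,cn=red,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: nsIndex
cn: sunPreferredDomain
nsSystemIndex: false
nsIndexType: eq
"""

if __name__ == "__main__":
    print(rename_backend(SAMPLE_INDEX_LDIF, "sun2"))
    # The blanket replacement turns "sunPreferredDomain" into "sunPrefersun2Domain".
    mangled = naive_rename(SAMPLE_INDEX_LDIF, "red", "sun2")
    print("naive replace corrupted an attribute name:",
          "sunPrefersun2Domain" in mangled)
```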

  2. Prepare the DIT for the default Data Store configuration by creating the base container entries.

    1. Copy the following text into a file named /tmp/new/ldapentries (LDIF requires a blank line between the two entries).
      dn: ou=people,dc=sun,dc=com
      objectClass: top
      objectClass: organizationalUnit

      dn: ou=groups,dc=sun,dc=com
      objectClass: top
      objectClass: organizationalUnit

      NOTE: Be sure to replace dc=sun,dc=com with your root suffix.
    2. Run the following command:

      ldapmodify -h host -p port -D"cn=directory manager" -w passwd -c -a -f /tmp/new/ldapentries
Now you can log in to OpenSSO and create a data store with the FAM schema using DSEE. The bind DN is cn=dsameuser,ou=dsame users,ROOT_SUFFIX.

Now to remind you just how easy that was - here's the Barenaked Ladies with Easy.

Monday Mar 17, 2008

Telecommunication with an SSL Data Store

This blog entry is two years old. You can do this with the OpenSSO configurator now when you deploy the WAR.

I found this procedure internally and I thought it might help some externally. The engineer was configuring OpenSSO to communicate with an SSL data store.

  1. Set up your data store with SSL enabled.
  2. Import a root certificate for your data store to the web container using the following command:

    JAVA_HOME/bin/keytool -import -keystore keystore_file_name -keyalg RSA -trustcacerts -alias alias_name -storepass changeit -file certificate_file_name

    • For Sun Application Server 9.1, keystore_file_name in the default domain1 is /opt/SUNWappserver/domains/domain1/config/cacerts.jks
    • For Sun Web Server 7.0U1, keystore_file_name is /usr/jdk/entsys-j2se/jre/lib/security/cacerts
  3. Restart the web container.
  4. Deploy opensso.war.
    When running the WAR configurator, you can't point to the SSL port so you must point to the non-SSL port.
  5. Log into the administration console as the administrator; by default amadmin.
  6. Create a new data store configuration or edit the existing one.
    Click the Data Stores tab for the appropriate realm under the Access Control tab. Be sure to enable the following two attributes:
    • LDAP Server must have the host name and SSL port of the SSL data store.
    • LDAP SSL must be checked.
  7. Create a new User that points to the SSL port of the data store.
    Click the Directory Configuration tab after choosing the appropriate Server under the Sites and Servers tab, located under the Configuration tab. Select New... under User and configure the user so that it points to the SSL port.
  8. Delete the default non-SSL user and save.
And now OpenSSO is configured to communicate with a secure directory. In celebration here's another type of communication: Telecommunication, live by A Flock of Seagulls.

Wednesday Mar 12, 2008

Developers Call to Federation/Web Services/SAML Arms

This is a link to a PDF of the Federation, SAMLv2, and Web Services chapters of the FAM8 Developers Guide. This is a skeleton of what is going in the book. Let me know if you see something (or know of something) that I missed.

And here's another type of arms that belongs to someone with whom Elvis Presley wants to lie.

Loving Arms has been covered by many artists since its original recording in the 60s. My favorite versions are Elvis's, the Dixie Chicks', and Ms. Millie Jackson's. What's yours?

Tuesday Mar 04, 2008

Policy Logic in OpenSSO

Here's some information that, thanks to a comment from a member of the OpenSSO community, I found missing from our doc set. We wrote a great deal about policy but not a heck of a lot about policy logic.

NOTE: If you'd like an overview of policy and authorization, take a look at the Authorization and Policy Service chapter in the Sun Java System Access Manager 7.1 Technical Overview or the OpenSSO Policy Service Architecture document. I'll wait.

Done? OK. Now that you know everything there is to know about policy, here is the last piece. All of the following should be satisfied for a policy to be applicable to a request.

  1. The Resource Name defined in a policy's Rules should match that of the protected, requested resource. The match can be an exact literal match or one due to the presence of wildcards. Currently, policy agents only support http:// and https:// URLs as a Resource Name; they do not support IP addresses in place of the host name. Wildcards are supported as a substitution for a protocol, a host name, a port number, or a resource - as in:

  2. The requesting user should satisfy at least one of the Subject(s) defined by the policy. For example, if the Subject type is defined as Access Manager Identity Subject, the requesting user should be a member of the role selected in the policy.
  3. At least one Condition in EACH selected Condition Type defined in a policy should be satisfied by the requesting user, resource and/or environment parameters. For example, if the policy is defined with two Time conditions and two IP Address/DNS Name conditions, the request should satisfy at least one Time condition and at least one IP Address/DNS Name condition.

And sometimes policies collide; when this happens, the following rules take effect:
  1. When multiple policies are applicable to a particular resource, the order in which the policies are evaluated is not deterministic.
  2. If a policy decision for a requested action is boolean, a value of false overrides one of true. For example, when deciding authorization for a web URL, deny overrides allow.
  3. If a policy decision for a requested action is boolean and the request is determined to be false based on policies evaluated thus far, no further policies will be evaluated for the requested action. This behavior can be changed by toggling the Continue Evaluation On Deny Decision attribute in the Policy Configuration Service.
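The three applicability tests and the three collision rules above, modelled in Python as an added example; this is not OpenSSO's own code, and the Policy/Subject/Condition shapes, role names, host name and subnets are constructed for the demonstration.

```python
"""Model of the OpenSSO policy applicability and collision rules.

Added example, not OpenSSO's implementation. Policies carry a Resource
Name (wildcards allowed), boolean action values, a list of Subjects and
Conditions grouped by Condition Type, as described in the post.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Optional
import random

Subject = Callable[[dict], bool]      # user attributes -> satisfied?
Condition = Callable[[dict], bool]    # environment -> satisfied?


@dataclass
class Policy:
    name: str
    resource: str                      # Resource Name, '*' is a wildcard
    actions: Dict[str, bool]           # e.g. {"GET": True} allow, False deny
    subjects: List[Subject]
    conditions: Dict[str, List[Condition]] = field(default_factory=dict)

    def applies(self, resource: str, user: dict, env: dict) -> bool:
        # 1. Resource Name must match literally or via wildcards; policy
        #    agents only hand over http:// and https:// URLs.
        if not resource.startswith(("http://", "https://")):
            return False
        if not fnmatchcase(resource, self.resource):
            return False
        # 2. The requesting user must satisfy at least one Subject.
        if not any(s(user) for s in self.subjects):
            return False
        # 3. At least one Condition of EACH Condition Type must hold.
        return all(any(c(env) for c in conds)
                   for conds in self.conditions.values())


def decide(policies, resource, user, env, action,
           continue_on_deny=False, rng=random):
    """Return True (allow), False (deny) or None (no applicable policy).

    Evaluation order is not deterministic, so the policies are shuffled;
    a False decision overrides True, and unless Continue Evaluation On
    Deny Decision is set, evaluation stops at the first deny.
    """
    order = list(policies)
    rng.shuffle(order)
    decision: Optional[bool] = None
    for p in order:
        if action not in p.actions or not p.applies(resource, user, env):
            continue
        value = p.actions[action]
        decision = value if decision is None else (decision and value)
        if decision is False and not continue_on_deny:
            break
    return decision


# Helpers to build Subjects and Conditions (constructed for the demo).
def in_role(role):
    return lambda user: role in user.get("roles", ())


def time_window(start_hour, end_hour):
    return lambda env: start_hour <= env["hour"] < end_hour


def from_network(cidr):
    net = ip_network(cidr)
    return lambda env: ip_address(env["client_ip"]) in net


# Constructed policies: staff and managers may read the intranet during
# either office-hours window from either office subnet; contractors are
# denied everything under /admin/.
POLICIES = [
    Policy("staff-read", "http://intranet.example.com:80/*", {"GET": True},
           [in_role("staff"), in_role("manager")],
           {"Time": [time_window(8, 12), time_window(13, 18)],
            "IP": [from_network("10.1.0.0/16"), from_network("10.2.0.0/16")]}),
    Policy("deny-contractor-admin", "http://intranet.example.com:80/admin/*",
           {"GET": False}, [in_role("contractor")]),
]

if __name__ == "__main__":
    env = {"hour": 9, "client_ip": "10.2.4.7"}
    print(decide(POLICIES, "http://intranet.example.com:80/wiki/home",
                 {"roles": ["staff"]}, env, "GET"))                 # True
    # Both policies apply; deny overrides allow whatever the order.
    print(decide(POLICIES, "http://intranet.example.com:80/admin/users",
                 {"roles": ["staff", "contractor"]}, env, "GET"))   # False
```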

So, in conclusion, sometimes musical styles collide also. When this happens there are no rules. You might get Sammy Davis, Jr. (smokin' a ciggy butt) and Cass Elliot singing their Las Vegas-style version of the Peter, Paul and Mary classic, I Dig Rock and Roll Music.

Or you get Mary dancing like she's in a mosh pit to an acoustic version of the same song.

UPDATE: For more information on policy logic and wildcards see the following entries:

Wednesday Feb 27, 2008

Are you going to JavaOne? CommunityOne?

I'll be there.

For the uninitiated, JavaOne is an annual four day conference, held in San Francisco and dedicated to all things Java. Aside from the Pavilion (which takes up both sides of the famed Moscone Center) in which exhibitors and sponsors promote their wares, JavaOne 2008 also has technical sessions, birds-of-a-feather discussions (read small, informal groups talking about a specific topic), panels, and hands-on labs. The 2008 conference runs from May 6-9, 2008; registration links, the session schedule and a lot more information can be found on the JavaOne 2008 home page.

This year, JavaOne has also scheduled the 2nd CommunityOne conference for members of the open source community. This free day presents sessions on everything you might need to know to get started creating and deploying the next generation infrastructure using open source projects. CommunityOne is the day before JavaOne on May 5, 2008. CommunityOne is FREE and open to anyone who registers.

The third piece of the JavaOne pie is Java University. This one day program of training courses is also held (unfortunately) on May 5, 2008 so you must pick and choose between Java University events and CommunityOne events. Check out my JavaOne blog entry from 2007. (You might also be interested in how I got there.)

Finally, in honor of the return of JavaOne to the City by the Bay, here's a clip of Jeanette MacDonald singing the ultimate San Francisco song called, concisely, San Francisco. Sorry, San Francisco (Be Sure To Wear Some Flowers in Your Hair) and I Left My Heart in San Francisco but it is.

Unfortunately this clip is colorized but, in looking for the original black and white footage, I found the earthquake sequence (in black and white) from the same movie, San Francisco. They don't make 'em like this anymore and I should know - I just saw 300.

OK, so now I feel terribly guilty about dissing San Francisco (Be Sure To Wear Some Flowers in Your Hair) and I Left My Heart in San Francisco so here are links to those performances by Scott McKenzie and Tony Bennett, respectively. But after watching these you better get back to work.

Monday Feb 18, 2008

King Leonidas Has Nothing On OpenSSO

According to SuperPat, OpenSSO has reached 600 members strong. That beats 300 hands down. Congratulations to all on this milestone!

Apologies to our distaff members for the song; you can look at the pictures though. There's even a full length version to enjoy.

The Weather Girls. Gotta love 'em.

Wednesday Feb 13, 2008

Configuring OpenSSO Without configurator.jsp

After OpenSSO WAR is deployed in the appropriate web container, the application is launched for the first time and you configure it using the configurator.jsp. If you don't want to use configurator.jsp you can do either of the following.
  1. Write a simple Java class that does an HTTP post to configurator.jsp.
  2. Use wget to do a post from the command line.
So last night I watched The Lair of The White Worm. The 1988 horror comedy wasn't so great (although I feel it might improve with age) but there was one party scene with a song about the D'Ampton worm which stopped my laundry folding. Here is the trailer for the movie with the D'Ampton worm song playing in the background.

If you liked the sound of this Pogues-esque folk song you can go directly to youtube to see the party scene in its entirety (with song lyrics in the description). Unfortunately for us, the user who uploaded the D'Ampton worm scene disabled embedding.

Tuesday Feb 12, 2008

Deploying OpenSSO on WebSphere 6.1 AIX

Thanks to Emily, developer extraordinaire, for the following procedure.

Following are the steps you need to run OpenSSO on WebSphere 6.1 AIX:
  1. After deploying the WAR and before running the configurator, modify the /export/IBM/WebSphere/AppServer/profiles/AppSrv01/properties/server.policy and /export/IBM/WebSphere/AppServer/profiles/AppSrv01/config/cells/itsyNode01Cell/nodes/itsyNode01/servers/server1/server.xml files as follows.

    CAUTION: Backup both files before making any modifications.

    1. Add the following Java security permissions to server.policy:

      // ADDITIONS FOR Access Manager
      grant {
      permission "*", "connect,accept,resolve";
      permission java.util.PropertyPermission "*", "read, write";
      permission java.lang.RuntimePermission "modifyThreadGroup";
      permission java.lang.RuntimePermission "setFactory";
      permission java.lang.RuntimePermission "accessClassInPackage.*";
      permission java.util.logging.LoggingPermission "control";
      permission java.lang.RuntimePermission "shutdownHooks";
      permission "getLoginConfiguration";
      permission "setLoginConfiguration";
      permission "modifyPrincipals";
      permission "createLoginContext.*";
      permission "*", "read,write,execute,delete";
      permission java.util.PropertyPermission "java.util.logging.config.class", "write";
      permission "removeProvider.SUN";
      permission "insertProvider.SUN";
      permission "doAs";
      permission java.util.PropertyPermission "", "write";
      permission java.util.PropertyPermission "", "write";
      permission java.util.PropertyPermission "", "write";
      permission java.util.PropertyPermission "user.language", "write";
      permission "*", "accept";
      permission "setHostnameVerifier";
      permission "putProviderProperty.IAIK";
      permission "removeProvider.IAIK";
      permission "insertProvider.IAIK";
      // END OF ADDITIONS FOR Access Manager
    2. Modify server.xml as follows:

      1. Add the following JVM entries:

      2. If using SSL, add the following properties and JVM entries:

        </cacheGroups> </services>
        <properties xmi:id="Property_1120370477732" name="amCryptoDescriptor.provider" value="IBMJCE" required="false"/>
        <properties xmi:id="Property_1120370511939" name="amKeyGenDescriptor.provider" value="IBMJCE" required="false"/>
        -DamCryptoDescriptor.provider=IBMJCE -DamKeyGenDescriptor.provider=IBMJCE"/>
  2. After configuring OpenSSO but before running the SAMLv2 sample configurator, change the JSP compile version to 1.5 using the jdkSourceLevel parameter.

    WebSphere Application Server version 6.1 uses JDK 1.5. By default, though, the SAMLv2 JSPs' JDK source level is JDK 1.3. Because the SAMLv2 sample configurator uses JDK 1.5 syntax, running it with the default source level will not work. You can add, change or delete any JSP engine configuration parameter (including the source level) in the WEB-INF/ibm-web-ext.xmi file. A sample WEB-INF/ibm-web-ext.xmi file is pasted below; the jspAttributes lines are the JSP engine configuration parameters.

    <?xml version="1.0" encoding="UTF-8"?>
    <webappext:WebAppExtension xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI"
    xmlns:webappext="webappext.xmi" xmlns:webapplication="webapplication.xmi" xmi:id="WebAppExtension_1" reloadInterval="9" reloadingEnabled="true" defaultErrorPage="error.jsp" additionalClassPath="" fileServingEnabled="true" directoryBrowsingEnabled="false" serveServletsByClassnameEnabled="true" autoRequestEncoding="true" autoResponseEncoding="false">
    <webApp href="WEB-INF/web.xml#WebApp_1"/>
    <jspAttributes xmi:id="JSPAttribute_1" name="useThreadTagPool" value="true"/>
    <jspAttributes xmi:id="JSPAttribute_2" name="verbose" value="false"/>
    <jspAttributes xmi:id="JSPAttribute_3" name="deprecation" value="false"/>
    <jspAttributes xmi:id="JSPAttribute_4" name="reloadEnabled" value="true"/>
    <jspAttributes xmi:id="JSPAttribute_5" name="reloadInterval" value="5"/>
    <jspAttributes xmi:id="JSPAttribute_6" name="keepgenerated" value="true"/>
    <!-- <jspAttributes xmi:id="JSPAttribute_7" name="trackDependencies" value="true"/> -->
    </webappext:WebAppExtension>

    Note: The integer in the JSPAttribute_n ID must be unique within the file.

    The following procedure illustrates how to modify the WEB-INF/ibm-web-ext.xmi file parameters. An example where we have added the jdkSourceLevel parameter follows after. jdkSourceLevel is a new JSP engine parameter which was introduced in WebSphere Application Server version 6.1 to support JDK 5. (Here is a listing of JSP engine parameters.) jdkSourceLevel should be used instead of the compileWithAssert parameter, although compileWithAssert still works in version 6.1. jdkSourceLevel parameter values are:
    • 13 (default) - This value will disable all new language features of JDK 1.4 and JDK 5.0.
    • 14 - This value will enable the use of the assertion facility and will disable all new language features of JDK 5.0.
    • 15 - This value will enable the use of the assertion facility and all new language features of JDK 5.0.

    CAUTION: Backup WEB-INF/ibm-web-ext.xmi before making any modifications.

    1. Open WEB-INF/ibm-web-ext.xmi.
      WEB-INF/ibm-web-ext.xmi is located in either of the following directories.

      • The web module's configuration directory as in:

        WAS_ROOT/profiles/profilename/config/cells/cellname/applications/enterpriseappname/deployments/deployedname/webmodulename/
      • The web module's binaries directory, which is created if an application was deployed with the flag Use Binary Configuration set to true. In this case, the directory is:


    2. Edit WEB-INF/ibm-web-ext.xmi as follows.

      • To add a configuration parameter, add a line in the format:

        <jspAttributes xmi:id="JSPAttribute_6" name="parametername" value="parametervalue"/>
      • To remove a configuration parameter, either delete its line from the file or comment it out by enclosing the statement in <!-- --> tags.
    3. For example, you can change /WEB-INF/ibm-web-ext.xmi to:

      <?xml version="1.0" encoding="UTF-8"?>
      <webappext:WebAppExtension xmi:version="2.0" xmlns:xmi="http://www.omg.org/XMI" xmlns:webappext="webappext.xmi" xmi:id="WebAppExtension_1185836603523">
      <webApp href="WEB-INF/web.xml#WebApp_1185836603521"/>
      <jspAttributes xmi:id="JSPAttribute_1185836603523" name="reloadEnabled" value="true"/>
      <jspAttributes xmi:id="JSPAttribute_1185836603524" name="reloadInterval" value="10"/>
      <jspAttributes xmi:id="JSPAttribute_1" name="jdkSourceLevel" value="15"/>
      </webappext:WebAppExtension>

    4. Save the file.
    5. Restart the application.

      It is not necessary to restart WebSphere for parameter changes to take effect. However, some JSP engine configuration parameters affect the Java source code that is generated for a JSP. If such a parameter is changed, you must retranslate the JSP files in the web module to regenerate the Java source. You can use the batch compiler to retranslate all the JSP files in a web module; it uses the JSP engine configuration parameters set in ibm-web-ext.xmi unless they are specifically overridden. The JSP engine configuration parameters listing identifies the parameters that affect the generated Java source.
  3. Before running setup -p configuration path, modify the setup script by inserting

    -D"amCryptoDescriptor.provider=IBMJCE" -D"amKeyGenDescriptor.provider=IBMJCE"

    before -cp on the last line and save the file.
  4. Before running famadm do the following:

    • Add :${TOOLS_HOME}/lib/xalan.jar to the classpath after openfedlib.jar.
    • Add the line

      -D"amKeyGenDescriptor.provider=IBMJCE" -D"amCryptoDescriptor.provider=IBMJCE"

      before com.sun.identity.cli.CommandManager AND before in the famadm file and save it.
  5. Before running ampassword add

    -D"amCryptoDescriptor.provider=IBMJCE" -D"amKeyGenDescriptor.provider=IBMJCE"

    before AND before in the ampassword file and save it.

And in honor of our developer extraordinaire, here is Adam Green with his song and video entitled, what else, Emily.

Monday Feb 11, 2008

Federated Access Manager TOI, Session 3

Friday, February 8 was the third and final session of the Federated Access Manager TOI. Following are links to the first two session entries, the topics covered in this third session, and my notes.


FAM8 supports upgrade from:
  • JES AM versions of 6.3/7.0/7.1 (6.2 TBD)
  • AM 7.1 War based installations
  • FM 7.0 to FAM 8.0

  • Supports backwards compatibility of all existing features (with exceptions eg. IDFF)
  • AM 7.0/7.1 Client SDK and Full AM SDK versions compatible with FAM 8.0.
  • Modes
    • Legacy to Legacy or Realm
    • Realm to Realm
Must upgrade all AM server instances and all AM SDK instances


NOTE: Use the same URI from your previous install (use amserver rather than fam) or you will have to change URI in many places not accessed by upgrade scripts.

  • Upgrade instances of directory servers and web containers
  • Upgrade the FAM8 bits with UI customizations and regenerate WAR
  • Deploy FAM8 WAR and configure

FAM8 supports co-existence with:
  • AM 7.0, AM 7.1 with FAM 8.0 (Realm/Legacy)
  • FM 7.0 with FAM 8.0 (Legacy)(TBD)

Security Token Service

Security Token Service (STS) is a web service that provides the issuance and management of security tokens. It is built as a part of the OpenSSO WAR and deployed as a web service end point (servlet).
  • Speaks WS-Trust protocol
  • Allows plugins for different token implementations
  • Allows plugins for different token validations
  • Provides WS-Trust protocol-based client APIs for clients and applications to access STS
  • Provides WS-I BSP based security tokens such as UserName, X509, SAML, etc.

Sequence Flow:

Configured under the Agent tab (profiles) in GUI

Uses WS-Metadata Exchange protocol (MEX)

Web Services Security

Information on docs.sun

Samples to be included:

The client could be
  • End user identity
  • Web services client application identity
Embedded Config Store: OpenDS

Embed open source OpenDS in FAM 8 - not productized Sun DS

2 modes: single server or multiple instances

Info in blog entries:

3rd Party Access Manager Product Integration

  • Simple SSO integration between FAM and SiteMinder and Oracle Access Manager in same internet domain
  • Enable legacy OAM and SM deployments for Federation protocols
My notes that you, the reader, would not understand:
third party AM in IDP Environment slide
5 and 6 as they are are optional steps
5 should be 4
6 should be 5
4 should be 6

Session Failover

Using Oracle Berkeley DB Java Edition
  • 100% pure Java for platform independence
  • Optimized for Java applications that require high throughput and concurrency
  • Direct Persistence Layer (DPL) API for EJB-style POJO persistence, as well as a Java Collections API
  • Single JAR file for easy integration
Nothing to document as this is all transparent to user

Berkeley DB is nothing but a bunch of API (?)

Security (JCE/JSS)

Support JCE and JSS
  • Encryption Class
  • Secure Random Class
  • SSL Socket Factory
    • netscape.ldap.factory.JSSESocketFactory
Federal Information Processing Standards (FIPS)

FIPS currently supported on Sun WS, and Sun APP Server EE (not glassfish)

FAM/IDM Integration
Rahul Gopal

Main components involved
  • SunAccessManagerRealmResourceAdapter - an IDM resource adapter used to plug-in backend systems
  • AM Policy Agent to protect IDM resources

So, after three days of meetings and note taking, let's relax now with some music and comedy from Alison Moyet and Dawn French. Here's the video for Whispering Your Name.

Wednesday Feb 06, 2008

Federated Access Manager TOI, Session 2

This morning was the second session for the Federated Access Manager TOI. Following are the topics covered (with notes).

Session 1

Secure Attribute Exchange
SAMLv2 profiles
  • Assertion Query/Request Profile
    • Query existing SAML2 assertions based on specific criteria (authentication context, assertion identifier, etc.)
    • Query initiator is the SAML Requester
      Initiates the profile by sending a query message to SAML authority
    • Responder is the SAML Authority
      Validates and processes the query to issue a response
    • Supports:
      • Attribute Query (request attributes from a specific identity - successful response is assertion containing requested attributes) Basic Attribute and X509 Subject Attribute Queries
      • Authentication Query (request assertion for a principal based on the authentication context - successful response is assertion(s) containing the authentication statements available to the principal)
        Supports SOAP only
      • Assertion Query (request existing assertion(s) using assertion(s) identifier - assertion must be cached)
      • Authorization Decision Query (asks if a certain resource is accessible to a particular principal - made to authorization authority/policy engine)
        XACML authzn decision is an extension of this

  • Enhanced Client or Proxy (ECP)
    • Specifies interactions between enhanced clients or proxies (eg. HTTP proxy) and SPs and IDPs
    • ECP acts as a SOAP intermediary between the SP and IDP
    • SSO Profile with PAOS Binding
    • FAM 8.0 SAMLv2 IDP and SP are able to process request received from ECP
    • Arrow of step 6 should be going the other way and some type of authentication is required between 5 and 6
    • FAM 8.0 SAMLv2 IDP and SP can process request received from ECP
    • ECP Client included as part of Opensso Extensions not FAM - can be used for testing
      • Proxy Version (HTTP)
      • Java Based Version (HTTPs)
  • Name Identifier Management
    Allows the change of principal's name identifier (shared between IDP and SP) after federation (possibly for security purposes or maybe IDP has a timing rule)
    • IDP can issue a ManageNameIDRequest to the SP to change the name identifier shared between them from a previous SSO
    • SP can issue a ManageNameIDRequest to attach an alias to its Principal
    • ManageNameIDResponse is returned after processing the request
    • Subsequent communication between SP & IDP will use the new name identifier
  • Name Identifier Mapping
  • POST Binding
    Added support for POST binding for a number of profiles
    • Web SSO Profile
    • Single Logout Profile
    • Name Identifier Management
    • Name Identifier Termination
  • Affiliations is a feature not a profile - will be implemented with SAML2 but will be very close to what we already have for IDFF
  • Represents access control policies, requests and response to get polices and authzn decisions
  • XACMLv2.0 current standard
  • Support SAML2 profile of XACML
    • XACMLAuthzDecisionQuery
    • XACMLAuthzDecisionStatement
  • Aravindan says should be doc'ed under Policy
  • Sample in path-to-context-root/fam/samples/sdk directory
  • XACML Design Doc
IDP Proxy
  • IDP proxy is one entity that acts as both IDP and SP
  • In wei -> ping -> jamie example, ping is IDP proxy
  • Supports:
    • SSO
    • SSO with IDP disco service
    • SLO
  • IDP proxy supports chaining
  • useIntroductionforIDPproxy attribute is to turn on Disco Service
  • #1 use case in slides is the default
Multi Protocol Support

Support for IDFF, SAML2, WS-Fed in one circle of trust
  • Enables a circle-of-trust to contain entities supporting different kind of federation protocols
  • Enables SSO and SLO to work across heterogeneous protocols within the same circle-of-trust - mainly to enable SSO and SLO for the same session shared among different ID-FF/SAML2/WS-Federation IDPs hosted on the same FAM instance
  • Sample included in which user will create a circle of trust containing one multi-federation protocol Identity Provider instance and three Service Provider instances speaking ID-FF, SAMLv2 and WS-Federation protocol

Identity Services
  • Allow developers to invoke FAM without knowledge of product
  • Developer uses php et al and may not need our client API
  • Use IDE to implement in your application
  • WSDL URL used in IDE
  • REST URL used with scripting languages
  • Change name of feature

Monday Feb 04, 2008

Federated Access Manager TOI, Session 1

There is a point in the timeline of a software release where engineers deliver what those in the 'biz' call a TOI or transfer of information. Engineers put together slide decks and spend a few hours telling anyone who will listen what to expect from the upcoming release. Each presentation ends with a question and answer session from the interested parties (documentation writers, QA engineers, training, development engineers, etc.). Today we had the first session for the Federated Access Manager 8.0 TOI and here are my notes.

Supported Software
  • Operating Systems
    • Solaris
    • Linux
    • Windows
    • AIX for WebSphere only
  • Containers:
    • Sun WS
    • Sun AS
    • WebLogic
    • WebSphere
    • Oracle AS
    • JBoss
    • Tomcat
    • Geronimo for Solaris only (Geronimo can install Jetty AS and Tomcat AS; FAM supports only Tomcat)
  • Directory servers as user stores
    • Sun DS
    • AD
    • IBM Tivoli DS
Installation and Configuration
Ping, Jon
  • FAM server bits require JDK 1.5 or higher
  • Client of FAM requires JDK 1.4 or higher
  • Single WAR deployment
  • Configuration Wizard guides the users through a seven (or so) screen installation process; it replaces the one page configurator.jsp

Centralized Server Configuration Data
  • An embedded directory server offers centralized server configuration data management
    Previously each configured instance of the product had its own server configuration data stored local to the server product in and serverconfig.xml. Now each FAM instance has its own branch in an instance of an embedded data store, offering ease in managing multiple instances of FAM. The embedded data store can be Sun Directory Server or open source OpenDS; the latter is installed with FAM8.
  • A FAM instance's service configuration data properties used to be stored in and serverconfig.xml. They are now stored in the centralized data store under a sub-configuration of the Platform Service branch.
  • Modify centralized server configuration data using
    1. FAM console: under Configuration -> Sites & Servers click on the appropriate name/hyperlink from the list of servers displayed to view and edit the centralized server configuration data.
    2. famadm CLI using subcommands such as:
      1. list-server-cfg lists the configuration of a server instance
      2. remove-server-cfg removes a configuration's property values
      3. update-server-cfg sets a configuration's property values
Bootstrapping FAM

The WAR points to the bootstrap file, which in turn points to the centralized server configuration data store; that store holds the bootstrapping data retrieved during the bootstrapping process.

famadm CLI
  • amadmin CLI will ship for two more releases only; over this time it will be deprecated and replaced by the famadm CLI
  • famadm CLI supports all commands of amadmin
  • famadm still works with . In its absence, famadm retrieves server configuration from the centralized repository.
  • Installation
    1. Unzip in temporary directory on server where FAM is hosted and type setup with a value for the installation directory of FAM server
    2. Must be setup for each instance of FAM - no global properties (although, in general, all global properties are reproduced in the instance service configuration data)
  • amAdmin password must always be in a separate file and pointed to during CLI input
  • Legacy DITs can use famadm CLI
  • If you don't specify -protocol option - defaults to SAMLv2
  • DON'T DOCUMENT: there is also a web-based CLI purely for internal usage that will not be supported for release (ie:
    I don't believe the fact that I am mentioning this web-based CLI here is documenting. If it is, I'm sure I'll hear about it.
  • New subcommands
    1. backup and restore server configuration data by exporting from DS to file or importing file to DS; SMS info that is exported here is global to FAM
      encryptsecret option, used for purposes of export and import, takes any string and is stored only in the head of the person who entered it - NOT part of service configuration data
    2. create and update datastores (also can be done from console)
    3. export-server and import-server options: exports only properties that had been stored in the late and lamented and serverconfig.xml; server config data that is exported here is per FAM instance
  • famadm is used for agent config

  • Secure Attribute Exchange
  • New SAML2 profiles (ECP, AttributeQuery, AuthnQuery, X509 Profile, IDP Proxy, ...) all should be supported by the time of release
  • WS-Federation
  • SSO/SLO across multiple protocols
  • Bulk Federation preassigns a name identifier for a list of users at both ends of federation transaction
    Only for IDFF or SAML2
    AM71 is PERL-based; FAM 8 is Java-based
Centralized Agent Management and Agent 3.0
  • Agent install/uninstall via agentadmin CLI packaged with agent ZIP/WAR and installed on agent server
  • Centralized agent management - agent config data is now in service config store not IDRepo store (Data Stores) which was under realm tab - now under Configuration tab
  • still exists but has fewer properties - only local bootstrap data
    Additional info will be stored locally in (local configuration data) while embedded server configuration data store will hold centralized configuration data
  • Support local config for backward compatibility and centralized config
    Benefit of choosing local config - 2.2 agent customers deploy FAM8; agents are sometimes controlled by the org's partners, and local config lets them keep local control rather than submitting to centralized org control
    1. Agent starts up and reads local bootstrap properties and gets Naming URL and makes call to Auth Service (agent needs to authenticate to server first)
    2. Auth calls IdRepo which calls SMS which checks username and PW in Centralized Agent Config data (under FAM config data root)
    3. Gets SSOToken then returns to agent config data to get agent's config data location (local or central depending on config of agent)
    NOTE: Find out about Attribute service on Wednesday (REST)
  • agent config hot swapping - if property is hot swappable and I change the value of it during runtime the value changes on the fly
  • can enable notification and polling
  • agent grouping - share common config properties among multiple agent instances (ease of management feature)
  • no admin specific to agents (like policy and amadmin)
  • agent upgrade - new feature that automates the upgrade process

Web Services Security

  • Security Token Service
  • Web Services Security (API, Framework, Plug-ins) securing client web services, add plug-in without config(?)

Common Tasks
  • New tab in console to access feature setup wizards (aka workflows) for easy customer configuration
  • Initial tasks are federation-based (supports SAML2 currently; will support IDFF by release)
    • Simplified IDP/SP setup (minimal customer input, can take input from URL or file)
    • COT setup
    Wizards also offer SSO verification between IDP and SP


  • 6.3 console is no longer available for legacy mode install; only Directory Management tab will show up for legacy support (Jon)
  • Identity Services - ???
  • 3rd Party Integration
    • FAM + CA's SiteMinder (SSO, Federation)
    • FAM + Oracle's Access Manager

Tuesday Jan 29, 2008

Coupla Access Manager 7.1 Tips

For those using Access Manager 7.1 here are a coupla things you might want to know about.

  • Access Manager 7.1 can be installed in one of two modes: realm or legacy. So after installation how do you determine if Access Manager is running in realm mode or legacy mode?

    Type the following URL into the Location window of your browser and hit Enter.



    FQDN is the host name and domain of the machine on which the product was installed. If the server returns true, Access Manager is running in realm mode; otherwise, it's running in legacy mode.
  • If the host name and/or domain name of the machine on which Access Manager is running changes, this change needs to be reflected in a number of configuration files. This recently published technical note, Host Name Changes in a Sun Java System Access Manager 7.1 WAR Deployment explains it all for you.

And while we're at it here are a coupla versions of the same classic song, Jolene. The first video is a version by a coupla people in a little band called The White Stripes. The second is a version by the song's writer, Dolly Parton (who has a coupla - no I won't go there even though she does in the video). Take your pick or watch both.

I mean both videos.

Monday Jan 28, 2008

The OpenSSO Bootstrap File Deconstructed

Since build 2, OpenSSO uses a file for bootstrapping itself. Previously, held server configuration information but now bootstrap points to a centralized data store that holds the OpenSSO server configuration information.

After deploying the OpenSSO WAR and running the configurator, OpenSSO server configuration data is written to a central instance of OpenDS by the service management API. A setup servlet also creates a file named bootstrap in the top-level /opensso directory. This file contains information that points to the location from which OpenSSO can retrieve configuration data to bootstrap itself. The content in bootstrap can be either of the following:
  • A directory local to OpenSSO (for example, /export/SUNWam) indicates the server was configured with a previous release. The directory is where resides.
  • A URL that points to a directory service using the following format:
    For example:
    • is the host name and port of the machine on which the directory is installed
    • is the instance name
    • AQIC5wM2LY4Sfcxi1dVZEdtfwar2vhWNkmS8 is the encrypted password of the OpenSSO administrator
    • %2Fopensso%2Fopends is the path to the directory installation
    • dc%3Dopensso%2Cdc%3Djava%2Cdc%3Dnet is the base DN
    • cn%3DDirectory+Manager is the directory administrator
    • BQIC5xM2LY4SfcximdVZEdtfwar4vhWNkmG7 is the encrypted password for the directory administrator
    OpenSSO supports Microsoft's Active Directory, Sun's Directory Server, and the open source OpenDS.
  • Flat files are no longer supported for configuration data but configuration data store failover is supported via the bootstrap file. If more than one URL is present in bootstrap and OpenSSO is unable to connect or authenticate to the data store at the first URL, the bootstrapping servlet will try the second (and so on). Another feature of bootstrap is that the number sign [#] can be used to exclude a URL as in:


    And, for some extracurricular bootstrapping, take the Replacements, some Lou Reed, a dash of early Bowie, a pinch of Violent Femmes, some 60s surf sounds, a big garage with the door closed, and you have the British band Bootstrap and their song Streetlight. The video uses scenes from Faster Pussycat Kill Kill, the classic film by Russ Meyer. A configuration made in heaven!

Thursday Jan 24, 2008

Host Machine and Domain Name Changes: Access Manager 7.1

UPDATE: The completed document has been published to here. The link to the review copy below has been disabled.

I've just put together a technical note on what to do if the host machine or domain name changes for an instance of Access Manager 7.1 (WAR deployment only). It contains procedures for modifying properties and/or files in both a regular environment and in a federation environment. Here is a PDF version I sent out for engineering review. A complete HTML version should be posted to the Access Manager 7.1 documentation set on next week after I receive any comments.

There are other things you can do when a host name changes. For example, here is what was done when the host name changed on The Match Game. It's a long clip but you get to see the late Brett Sommers, the late Charles Nelson Reilly, the late Gene Rayburn, and the late Eva Gabor! Or is it Jolie? Or is it Zsa Zsa? Wait...Zsa Zsa is not late.

Thursday Jan 10, 2008

OpenSSO: Subscribe and Learn

Charles Wesley, one of the QA engineers working on Federated Access Manager and related products, sent this procedure out to the mailing list. This is the type of minutiae (in a good way) that is available on the list. Plus, you can ask questions specific to your deployment, get answers, and help to review the official docs. You can join the list here - but only if you have an account.

Thanks Charles for giving me the opportunity to publicize the list and for this procedure - which only needed a little formatting in its move from email to blog.

Configuring OpenSSO on an Instance of Web Server 7.x Owned by webservd

When installed using the Java Enterprise System installer, Web Server 7.x creates a web server instance owned by the user webservd. In Solaris 10, webservd has a home directory of / by default. If OpenSSO is deployed to an instance owned by webservd with the default settings, the configuration will fail because the OpenSSO configurator will not create files under /. Following is a simple procedure to allow configuration on a webservd-owned web server instance to succeed.
  1. Create a new home directory for webservd
    mkdir /export/home/webservd
  2. Change the ownership of the directory to owner webservd and group webservd
    chown -R webservd:webservd /export/home/webservd
  3. Replace / with /export/home/webservd as the home directory of webservd in the /etc/passwd file.
  4. Restart the web server instance on which OpenSSO will be deployed.
  5. Deploy the OpenSSO WAR.
  6. Configure the war file and enter /export/home/webservd as the configuration directory that will be used by OpenSSO.
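As an added example (not part of the original post or of Charles Wesley's procedure), here are steps 1 to 3 as shell functions, written so the /etc/passwd edit can be rehearsed against a copy of the file before the real one is touched. The user, group and home path are the ones the procedure uses; any passwd-format entries you feed to the rehearsal functions are your own constructed input. Note that the ownership step uses chown, since chmod only changes permission bits and does not take a user:group argument.

```shell
#!/bin/sh
# Added example, not part of the original post or of Charles Wesley's procedure.
# Implements steps 1-3 as functions so the /etc/passwd edit can be rehearsed on
# a copy first. Assumed values (taken from the procedure): user webservd, group
# webservd, new home /export/home/webservd.

# Steps 1 and 2: create the home directory and give it to webservd.
# Ownership is set with chown; chmod only changes permission bits and does not
# accept a user:group argument.
make_home() {
  home="$1"; user="$2"; group="$3"
  mkdir -p "$home" || return 1
  chown -R "$user:$group" "$home" || return 1
  chmod 755 "$home"
}

# Step 3 rehearsal: print the passwd-format file with the home field (6th
# colon-separated field) of the named user replaced; every other line is
# passed through unchanged.
passwd_set_home() {
  file="$1"; user="$2"; home="$3"
  awk -F: -v u="$user" -v h="$home" \
    'BEGIN { OFS = ":" } $1 == u { $6 = h } { print }' "$file"
}

# Report the home field currently recorded for a user in a passwd-format file.
passwd_get_home() {
  file="$1"; user="$2"
  awk -F: -v u="$user" '$1 == u { print $6 }' "$file"
}

# Pre-deployment check: the directory exists and its owner is the expected
# user, so the configurator will be able to create its files there.
home_owned_by() {
  home="$1"; user="$2"
  [ -d "$home" ] && [ "$(ls -ld "$home" | awk '{ print $3 }')" = "$user" ]
}

# Usage (as root): sh this_script.sh --apply
# Creates the directory and prints the rewritten passwd entries for review;
# nothing under /etc is overwritten by this script.
if [ "$1" = "--apply" ]; then
  make_home /export/home/webservd webservd webservd || exit 1
  passwd_set_home /etc/passwd webservd /export/home/webservd
  home_owned_by /export/home/webservd webservd && echo "home directory ready"
fi
```

Once the rewritten entry looks right, the supported way to commit step 3 on both Solaris and Linux is `usermod -d /export/home/webservd webservd` rather than editing /etc/passwd by hand; the awk rehearsal just shows exactly which field changes. Run `home_owned_by` again after the restart in step 4 and before deploying the WAR in step 5.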
So, in keeping with today's theme, I went looking for a clip of the song, The Things I Will Not Miss (aka On The List), from the 1973 musical remake of Lost Horizon. For those hoping to see Sally Kellerman and Olivia Hussey, fuggedaboutit. Here's Moshe en Joost!

Wednesday Dec 12, 2007

User and Policy Samples: OpenSSO Client SDK

Now that I've gotten through the installation of the OpenSSO Client SDK sample WAR and its Service Configuration Servlet sample, let's take a look at other Client SDK samples. The next one on the Client SDK - Samples list is the User Profile (Attributes) Sample Servlet.

The sample code retrieves and displays the profile that corresponds to the user ID entered in the Username text box. I created a user profile aaaa, entered the ID and password in the text fields and, voila, straightforward and it worked.

Note the email address, given name and other information retrieved.

The Policy Evaluator Client Sample Servlet retrieves from the Policy Service a policy decision that would be passed to a web agent for enforcement. I created a policy using the OpenSSO server for the resource with a GET allow and POST deny rule for all authenticated users on Fridays. is the call on the client side that initiates the retrieval of the policy decision.

And while you're waiting for my follow-up entries on the SSO and command-line samples for the Client SDK, you might want to check out this video of Nellie McKay and learn how to do the dance that's sweeping the nation - come on everyone, 'do the Zombie'. It'll do you good.

Sunday Dec 09, 2007

Federated Access Manager 8.0 Roadmap and Features

I have been asked one particular question many times over the last few months and have been fudging my answer because way back when I wrote an entry that attempted to answer this question I was chastised by some muckety-mucks. On Friday, I was searching for some information and, lo and behold, found that Daniel Raskin, our relatively new marketing guru, had written a blog regarding the answer to the very same question I have been hesitating to answer: can you give me some information regarding FAM 8.0 roadmap and features? So, here are links to the blog entries that answer that question. Way to go, Daniel!

Federated Access Manager 8.0 -- The Overview (Part I)

Federated Access Manager 8.0 -- The Features (Part II)

On Saturday, I was searching for something fun to watch and found this clip of one of the all-time great comics, Totie Fields. Way to go, Totie!
