Monday Jan 17, 2011

Book on OpenSSO/OpenAM

OpenSSO Book

You can Order the book from this place

 Click here to view the book cover in PDF format

It is one of my childhood ambition to write books and see my writings
on the print.  I have written few articles in Tamil and English but
those are not more than 10 pages. I kind of believed that I have a
penchant for writing, in the past I have authored lot of technical
documents as part of my job for customers consumption.

When the editors at Packt publications
approached me about the possibility of authoring a book on OpenSSO, I
have readily accepted the offer hoping to complete the book in couple of
months. Later realized it took a month to even scope out contents of
the book, There are lot of information that can be shared about
OpenSSO/OpenAM, I have rather decided to focus on the access management
features before jumping on to web services security or a full fledged
federation services. There are many items that are in the book not
available in the public documentation, I grew from the ranks to a senior
manager in the Access Management organization served almost a decade on
OpenSSO and its predecessors alone, so I had to condense my ten years
of technical experience in to 200 pages book, that was one big
challenge.  Original plan was to complete  the book in 8 months, but it
took little over a year, partially the delay was attributed to
Oracle/Sun acquisition where I had to undergo another round of approval
from Oracle management to pursue on this book. Most of my Sun blog contents are in the book.

[Read More]

Tuesday Oct 13, 2009

OpenSSO Policy Agents 3.0 on Glass Fish Cluster

The goal of this document is to enable the reader to be able to 
protect their Java EE application deployed on Glass Fish Enterprise
Server 2.1 Cluster using OpenSSO and Policy Agents 3.0. This document
is verified and validated with OpenSSO policy agents 3.0 and GFv2.1 EE
cluster as described in the next section.

[Read More]

Thursday Aug 13, 2009

SAML2 SSO to using OpenSSO

Now it is so simple to use OpenSSO as an Identity Provider to SSO
with applications using the SAMLv2 protocol. Out of the
box OpenSSO supports an easy to use work flow feature that enable the
customers to integrate applications to their existing
authentication infrastructure. More you can read it from my new url

[Read More]

moving to wordpress

It is time for me to move to I like the editor and it is so easy to upload an image/file. You can find my new posts at 

[Read More]

Friday Jun 26, 2009

Creating Authentication Chain using OpenSSO ssoadm CLI

You can use ssoadm CLI to automate the OpenSSO service configuration. 
In the next few blog entries I am planning to give some examples on how
to perform certain configuration changes using the ssoadm CLI. In this
article I am going to show you how to create an Authentication Chain.
You should have configured the CLI  as a prerequisite.

[Read More]

Sunday Jun 14, 2009

Using Oracle Internet Directory (OID) as Identity store for OpenSSO

The postings I made in the past seem to be very useful to the OpenSSO community I conclude this based on the private mails that I have received periodically. This time I am venturing out to see how the Oracle Internet Directory (OID) could be massaged to store the OpenSSO User and Group information. I dont  claim to be an expert in Oracle Directory Server nevertheless what I provide here is a validated procedure that is expected to work.  Though I am part of the  OpenSSO enterprise product team,  in no means I imply this particular identity store is  a official part of the supported OpenSSO release.  

[Read More]

Monday Jun 08, 2009

How To Determine LDAP persistent search support

How To Determine whether the given LDAP server support persistent search

the persistent search draft version control 2.16.840.1.113730.3.4.3 is implemented by many of the LDAP servers including

  • IBM(Tivoli Directory)

  • Novell(eDirectory)

  • Sun(DSEE)

  • OpenDS(OpenDS Directory Server 1.0.0-build007)

  • Fedora-Directory/1.0.4 B2006.312.1539

perform the following search for the persistent search control 2.16.840.1.113730.3.4.3
ldapsearch -p 389 -h ds_host -s base -b '' "objectclass=\*" supportedControl | grep 2.16.840.1.113730.3.4.3

Active Directory

AD implements in a different form using the LDAP control 1.2.840.113556.1.4.528

ldapsearch  -h AD_HOST -p PORT  -D"CN=Administrator,CN=Users,dc=test,dc=com" -w secret12 -s base  -b '' "objectclass=\*" supportedControl | grep 1.2.840.113556.1.4.528

Thursday Apr 09, 2009

Password Reset with OpenDS

This blog is an addendum  to my earlier entry on the password reset application.
This article specifically addresses the steps involved in configuring
the OpenDS as the user store for the OpenSSO and enabling password
reset that works  in association with OpenDS Password policy. 

[Read More]

Monday Mar 09, 2009

Using OpenDS as user store for OpenSSO

I have been receiving email constantly about questions that regard to configuring OpenDS as user store for OpenSSO. In  my earlier post I have detailed a hack to configure OpenDS with OpenSSO.  Starting from Express build 7 of OpenSSO , OpenDS is officially supported as the user store with some known limitation regards to support for OpenDS password policies. These shortcomings will be resolved in the forth coming Express builds.  

[Read More]

Monday Nov 10, 2008

How to get debug logs of opensso Configurator

It is easy to configure  an already existing  opensso system to run in 'debug' mode, but what if the system is being configured and you want to view the debug traces of opensso? There is a way to do that in OpenSSO. 

[Read More]

Friday Nov 07, 2008

Configuring multiple OpenSSO servers with Configuration store as Directory Server Enterprise Edition

This document specifically addresses the workaround for the
opensso issue 4094, yet this document can be used to configure the
Opensso Server against an existing Sun Java System Directory Server
Enterprise Edition. (DSEE)

[Read More]

Thursday Nov 06, 2008

Configuring Access Manager Repository Plug-in in OpenSSO

Out of the box Access Manager Repository Plug-in datastore plugin cannot be created in the OpenSSO server, This is not a bug rather it is intentional to configure it manually depending up on the customer requirement.   Access Manager Repository Plug-in data store may be applicable in the co-existence and/or upgrade scenarios with its predecessors like Sun Java System Access Manager.  For the fresh deployments customers should be using the Identity Repository Datastore Plugins. 

[Read More]

Workaround fix for the ssoadm CLI issue 3955


While configuring the OpenSSO(build 6) server against Sun Directory Server to store the configuration data, if you have selected  different passwords for the 'amadmin' user and for the DSEE Bind DN user(for eg: cn=directory manager), then  the command line tool 'ssoadm' will fail on certain circumstances.
This issue does not happen when OpenSSO server is configured with default configuration store. There are two workarounds to resolve the issue.

  • Create cn=dsameuser entry under the configuration directory server

  • Update the serverconfig.xml in the configuration store

later option is recommended to the production customers

[Read More]

Tuesday Jul 01, 2008

REST based Identity Services in OpenSSO

People who love programming in the interpretive languages would love the OpenSSO  REST based Identity Services, OpenSSO offers decently powerful REST interfaces to manipulate the idenity information stored in any supported OpenSSO identity store. I strongly encourage to read  Aravindan Ranganathan's  article on Identity Servic

This document is generated based on the  article

[Read More]

Saturday Apr 12, 2008

Creating user Data Stores in opensso using famadm CLI

OpenSSO support most of the commercially available LDAP servers as
identity store. In this blog entry I am goign to show you how to create
these data store from famadm CLI. IT is easy and less error prone and

[Read More]

Indira Thangasamy, I manage the OpenSSO Quality engineering team.


« December 2016