This chapter provides a brief introduction to the web-based OpenAM console. It also lists and describes each command line interface (CLI) administration tool.
After you install OpenAM, log in to the web-based console as OpenAM
Administrator, amadmin, with the password you set during
installation. Navigate to a URL such as
http://openam.example.com:8080/openam. In this case,
communications proceed over the HTTP protocol to a FQDN
(openam.example.com), over a standard Java EE web container
port number (8080), to a specific deployment URI (/openam).
When you log in as the OpenAM Administrator, amadmin,
you have access to the complete OpenAM console. In addition, OpenAM has set a
cookie in your browser that lasts until the session expires, you log out, or
you close your browser.[1]
When you log in to the OpenAM console as a non-administrative end user, you do not have access to the administrative console. Your access is limited to a configuration page with your account information.
If you configure OpenAM to grant administrative capabilities to another user, then that user also sees the console after login. For instance, the OpenAM Administrator granted Kirsten Vaughan privileges to administer the OpenAM Top Level Realm. (This can be done through the console under Access Control > / (Top Level Realm) > Privileges. Kirsten has authorization to read and write policy properties and configured policy agent properties.) When Kirsten logs in, she sees only part of the console capabilities.[2]
The script tools in the following list have .bat
versions for use on Microsoft Windows.
You can install the following OpenAM command-line tools.
This tool lets you manage OpenAM policy agent installations.
Unpack this tool as part of policy agent installation.
This tool lets you change OpenAM Administrator passwords, and display encrypted password values.
Install this from the .
This tool checks log archives for tampering.
Install this from .
This executable .jar file lets you perform a silent installation of an OpenAM
server with a configuration file. For example, the java -jar configurator.jar -f
config.file command couples the configurator.jar archive
with the config.file. The sampleconfiguration
file provided with the tool is set up with the format for the config.file,
and it must be adapted for your environment.
Install this from .
This tool provides a rich command-line interface for the configuration of OpenAM core services.
In a test environment you can activate
ssoadm.jsp to access the same functionality in your
browser. Once it is active, you can use many features of the ssoadm
command by navigating to the ssoadm.jsp URI, in a URL such as
http://openam.example.com:8080/openam/ssoadm.jsp.
Install this from .
To translate settings applied in the OpenAM console to service attributes
for use with ssoadm, log in to the OpenAM console
as amadmin and access the services page, in a URL such as
http://openam.example.com:8080/openam/services.jsp.
The commands access the OpenAM configuration over HTTP (or HTTPS). When using the administration commands in a site configuration, the commands access the configuration through the front end load balancer.
Sometimes a command cannot access the load balancer, because:
Network routing restrictions prevent the tool from accessing the load balancer.
For testing purposes, the load balancer uses a self-signed certificate for HTTPS, and the tool does not have a way of trusting the self-signed certificate.
The load balancer is temporarily unavailable.
In such cases you can work around the problem by adding an option such as the following to the java command in the tool's script. The option sets a comma-separated list of key-value pairs, where the key is the load balancer URL and the value is the server URL. (This all belongs on one line with no spaces in the script.)
-D"com.iplanet.am.naming.map.site.to.server=https://lb.example.com:443/openam=http://server1.example.com:8080/openam,https://lb.example.com:443/openam=http://server2.example.com:8080/openam"
In the above example the load balancer is on the lb
host, https://lb.example.com:443/openam is the site name,
and the OpenAM servers in the site are on server1 and
server2.
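An added example (not part of the OpenAM documentation or the tools' own scripts): a shell helper that builds the option above on one line and checks an existing option for stray spaces or malformed pairs. The function names valid_url, build_site_map and check_site_map are hypothetical; the URLs are the sample hosts from this page.

```shell
#!/bin/sh
# Added example, not OpenAM code. Function names are hypothetical.
PROP=com.iplanet.am.naming.map.site.to.server

# valid_url URL: succeed only for an http(s) URL free of map separators.
valid_url() {
    case "$1" in
        *[[:space:]]*|*,*|*=*|*\"*) return 1 ;;  # would break key=value,key=value
        http://?*|https://?*) return 0 ;;
        *) return 1 ;;
    esac
}

# build_site_map SITE_URL SERVER_URL...: print the -D option on one line.
build_site_map() {
    [ "$#" -ge 2 ] || { echo "usage: build_site_map SITE_URL SERVER_URL..." >&2; return 2; }
    site=$1; shift
    valid_url "$site" || { echo "bad site URL: $site" >&2; return 1; }
    map=
    for server in "$@"; do
        valid_url "$server" || { echo "bad server URL: $server" >&2; return 1; }
        map="${map:+$map,}$site=$server"   # key is the site, value is the server
    done
    printf '%s\n' "-D$PROP=$map"
}

# check_site_map OPTION: succeed if OPTION is a well-formed mapping.
check_site_map() {
    value=${1#"-D$PROP="}
    [ "$value" != "$1" ] || return 1       # property name prefix is missing
    old_ifs=$IFS; IFS=,
    set -f; set -- $value; set +f          # split the value on commas only
    IFS=$old_ifs
    [ "$#" -ge 1 ] || return 1
    for pair in "$@"; do
        case "$pair" in *=*) ;; *) return 1 ;; esac
        valid_url "${pair%%=*}" || return 1   # load balancer (site) URL
        valid_url "${pair#*=}" || return 1    # server URL
    done
    return 0
}

# Sample hosts from this page.
build_site_map https://lb.example.com:443/openam \
    http://server1.example.com:8080/openam \
    http://server2.example.com:8080/openam
```

Paste the printed option, wrapped in double quotes as shown above, into the java command of the tool's script.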
You can use the ssoadm.jsp page to access a large subset of the configuration capabilities of the ssoadm command. However, ssoadm.jsp is disabled by default to prevent potential misuse.
Log in as the OpenAM administrator, amadmin.
Click Configuration > Servers and Sites >
Servers > URL of your server.
Click Advanced to display the Advanced Properties table, and then click Add. In the text boxes that appear, include the following information, and then click Save.
ssoadm.disabled
false
To see if the change worked, navigate to the URL of OpenAM with the
/ssoadm.jsp URI. For the aforementioned URL, you would
navigate to http://openam.example.com:8080/openam/ssoadm.jsp.