Installing OpenAM Core Services

This chapter covers tasks required for a full install of OpenAM server with or without OpenAM Console.

This chapter does not cover installation for enforcing policies on resource servers. To manage access to resources on other servers, you can use OpenIG or OpenAM policy agents.

OpenIG is a high-performance reverse proxy server with specialized session management and credential replay functionality. It can function as a standards-based policy enforcement point.

OpenAM policy agents provide policy enforcement on supported web servers and Java EE containers, and are tightly integrated with OpenAM. See the OpenAM Web Policy Agent User’s Guide, or the OpenAM Java EE Policy Agent User’s Guide for instructions on installing OpenAM policy agents in supported web servers and Java EE application containers.

OpenAM Installation Options
Installation Action Documentation Reference

Install quickly for evaluation using default settings

"To Deploy OpenAM" and "To Configure OpenAM With Defaults"

Alternatively, follow the full example in xref:getting-started:index.adoc[Getting Started With OpenAM].

Install OpenAM server, choosing settings

"To Deploy OpenAM" and "To Custom Configure OpenAM"

Erase the configuration and start over

"To Delete an OpenAM Configuration Before Redeploying"

Add an OpenAM server to a site

"To Deploy OpenAM", and "To Add a Server to a Site"

Troubleshoot an OpenAM installation

"To Troubleshoot an OpenAM Installation"

Install ssoadm for CLI configuration

"Installing OpenAM Tools", or "OpenAM ssoadm.jsp" in the Administration Guide.

Perform a command-line install

"To Set Up Configuration Tools"

Skin OpenAM for your organization

"Customizing the OpenAM End User Pages"

Uninstall OpenAM

"Removing OpenAM Software"

Select the .war file based on the type of deployment you need, as defined in the following table.

To Deploy OpenAM

The OpenAM-13.5.2.war file contains OpenAM server with OpenAM Console. How you deploy the .war file depends on your web application container.

  1. Deploy the .war file on your container.

    For example, copy the file to deploy on Apache Tomcat.

    $ cp OpenAM-13.5.2.war /path/to/tomcat/webapps/openam.war

    You change the file name to openam.war when deploying in Tomcat so that the deployment URI is /openam.

    You change the file name to something other than openam.war when deploying in Tomcat so that the deployment URI is not /openam. For helpful hints on avoiding obvious deployment defaults, see "Avoiding Obvious Defaults" in the Administration Guide.

    To properly configure OpenAM, OpenAM requires a deployment URI with a non-empty string after /. Do not deploy OpenAM at the root context. Do not rename the .war file to ROOT.war before deploying on Tomcat, for example.

    It can take several seconds for OpenAM to be deployed in your container.

  2. Browse to the initial configuration screen, for example at http://openam.example.com:8080/openam.

    openam start
To Configure OpenAM With Defaults

The default configuration option configures the embedded OpenDJ server using default ports. If the ports are already in use, OpenAM uses free ports as both configuration store and identity store.

The default configuration sets the cookie domain based on the full URL that was used to access the configurator, such as example.com, server.west.example.com, or example.local.

Configuration settings are saved to the home directory of the user running the web application container in a directory named after the deployment URI. In other words if OpenAM is deployed under /openam, then the configuration is saved under $HOME/openam/.

  1. In the initial configuration screen, click Create Default Configuration under Default Configuration.

  2. Review the software license agreement. If you agree to the license, click "I accept the license agreement", and then click Continue.

    openam license dialog

  3. Provide different passwords for the default OpenAM administrator, amadmin, and default Policy Agent users.

    openam default conf

  4. When the configuration completes, click Proceed to Login, and then login as the OpenAM administrator with the first of the two passwords you provided.

    openam first login

    After successful login, OpenAM redirects you to OpenAM Realms.

    openam realms
To Delete an OpenAM Configuration Before Redeploying

If you need to delete your configuration and start the process from the beginning, follow these steps.

  1. Stop the OpenAM web application to clear the configuration held in memory.

    The following example shuts down Apache Tomcat (Tomcat) for example.

    $ /path/to/tomcat/bin/shutdown.sh
Password:
Using CATALINA_BASE:   /path/to/tomcat
Using CATALINA_HOME:   /path/to/tomcat
Using CATALINA_TMPDIR: /path/to/tomcat/temp
Using JRE_HOME:        /path/to/jdk/jre
Using CLASSPATH:
       /path/to/tomcat/bin/bootstrap.jar:/path/to/tomcat/bin/tomcat-juli.jar

  2. Delete OpenAM configuration files, by default under the $HOME of the user running the web application container.

    $ rm -rf $HOME/openam $HOME/.openamcfg

    When using the internal OpenAM configuration store, this step deletes the embedded directory server and all of its contents. This is why you stop the application server before removing the configuration.

    If you use an external configuration store, delete the entries under the configured OpenAM suffix (by default dc=openam,dc=forgerock,dc=org).

  3. Restart the OpenAM web application.

    The following example starts the Tomcat container.

    $ /path/to/tomcat/bin/startup.sh
Password:
Using CATALINA_BASE:   /path/to/tomcat
Using CATALINA_HOME:   /path/to/tomcat
Using CATALINA_TMPDIR: /path/to/tomcat/temp
Using JRE_HOME:        /path/to/jdk/jre
Using CLASSPATH:
       /path/to/tomcat/bin/bootstrap.jar:/path/to/tomcat/bin/tomcat-juli.jar
To Custom Configure OpenAM

  1. In the initial configuration screen, click Create New Configuration under Custom Configuration.

  2. Read the license agreement. If you agree to the license, click "I agree to the license agreement", and then click Continue.

  3. On the Default User Password page, provide a password with at least eight characters for the OpenAM Administrator, amadmin.

    openam conf amadmin

  4. Verify that the server settings are valid for your configuration.

    openam conf server settings
    Server URL

    Provide a valid URL to the base of your OpenAM web container, including a FQDN.

    In a test environment, you can simulate the FQDN by adding it to your /etc/hosts as an alias. The following excerpt shows lines from the /etc/hosts file on a Linux system where OpenAM is installed.

    127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
127.0.1.1 openam openam.example.com
    Cookie Domain

    Domain that created cookies will be valid for, for example example.com.

    Platform Locale

    Supported locales include en_US (English), de (German), es (Spanish), fr (French), ja (Japanese), ko (Korean), zh_CN (Simplified Chinese), and zh_TW (Traditional Chinese).

    Configuration Directory

    Location on server for OpenAM configuration files. OpenAM must be able to write to this directory.

  5. In the Configuration Store screen, you can accept the defaults to allow OpenAM to store configuration data in an embedded directory. The embedded directory can be configured separately to replicate data for high availability if necessary.

    openam conf store

    You can also add this OpenAM installation to an existing deployment, providing the URL of the site. See "To Add a Server to a Site" for details.

    Alternatively, if you already manage an OpenDJ deployment, you can store OpenAM configuration data in your existing directory service. You must, however, create the suffix to store configuration data on the directory server before you configure OpenAM. OpenAM does not create the suffix when you use an external configuration store. For instructions to create a configuration store backend, see Step 3 in "To Install an External OpenDJ Directory Server".

  6. In the User Store screen, you configure where OpenAM looks for user identities.

    OpenAM must have write access to the directory service you choose, as it adds to the directory schema needed to allow OpenAM to manage access for users in the user store.

    openam conf user store
    User Data Store Type

    If you have already provisioned a directory service with users in a supported user data store, then select that type of directory from the options available.

    SSL/TLS Enabled

    To use a secure connection, check this box, then make sure the port you define corresponds to the port the directory server listens to for StartTLS or SSL connections. When using this option you also need to make sure the trust store used by the JVM running OpenAM has the necessary certificates installed.

    Directory Name

    FQDN for the host housing the directory service.

    Port

    LDAP directory port. The default for LDAP and LDAP with StartTLS to protect the connection is port 389. The default for LDAP over SSL is port 636. Your directory service might use a different port.

    Root Suffix

    Base distinguished name (DN) where user data is stored.

    Login ID

    Directory administrator user DN. The administrator must be able to update the schema and user data.

    Password

    Password for the directory administrator user.

  7. In the Site Configuration screen, you can set up OpenAM as part of a site where the load is balanced across multiple OpenAM servers.

    If you have a site configuration with a load balancer, you can enable session high availability persistence and failover.[1] OpenAM then stores sessions across server restarts, so that users do not have to login again.

    If you then add additional servers to this OpenAM site, OpenAM performs session failover, storing session data in a directory service that is shared by different OpenAM servers. The shared storage means that if an OpenAM server fails, other OpenAM servers in the site have access to the user’s session data and can serve requests about that user. As a result, the user does not have to log in again. If session failover is important for your deployment, also follow the instructions in "Setting Up OpenAM Session Failover".

    openam conf site

    It is possible to set up a site after initial installation and configuration, as is described in "Setting Up OpenAM Session Failover".

  8. In the Agent Information screen, provide a password with at least eight characters to be used by policy agents to connect to OpenAM.

    openam conf pa

  9. Check the summary screen, and if necessary, click Previous to return to earlier screens to fix any configuration errors as needed.

    openam conf summary

    After you click Create Configuration in the summary screen, configuration proceeds, logging progress that you can read in your browser and later, in the installation log. The process ends, and OpenAM shows the Proceed to Login prompt.

    openam proceed to login

  10. When the configuration completes, click Proceed to Login, and then login as the OpenAM administrator, amadmin.

    openam first login

    After login, OpenAM redirects you to the OpenAM Realms page.

    openam realms

    You can also access OpenAM Console by browsing to the Console URL, such as, http://openam.example.com:8080/openam/console.

  11. Restrict permissions to the configuration directory (by default, $HOME/openam, where $HOME corresponds to the user who runs the web container). Prevent other users from accessing files in the configuration directory.

  12. If you specified the Other User Data Store option in the User Data Store Settings screen, you must index several attributes in your external identity repository. See "To Index External Identity Repository Attributes" for more information.

To Add a Server to a Site

High availability requires redundant servers in case of failure. With OpenAM, you configure an OpenAM site with multiple servers in a pool behind a load balancing service that exposes a single URL as an entry point to the site.

Follow these steps to configure a server to an existing site.

  1. In the initial configuration screen, under Custom Configuration, click Create New Configuration.

  2. In the first screen, enter the same password entered for the OpenAM Administrator, amadmin, when you configured the first server in the site.

  3. Configure server settings as required.

    The cookie domain should be identical to that of the first server in the site.

  4. In the configuration store screen, select Add to Existing Deployment, and enter the URL of the first OpenAM server in the site.

    The directory used to store configuration data should use the same directory service used for this purpose by other OpenAM servers in the site. If you use the embedded OpenDJ directory server, for example, you can set up the configurator for data replication with embedded directory servers used by other servers in the site.

    Settings for the user store are then shared with the existing server, so the corresponding wizard screen is skipped.

  5. In the site configuration screen, select Yes and enter the same site configuration details as for the first server in the site.

    Settings for agent information are also shared with the existing server, so the corresponding wizard screen is skipped.

  6. In the summary screen, verify the settings you chose, and then click Create Configuration.

  7. When the configuration process finishes, click Proceed to Login, and then login as the OpenAM administrator to access OpenAM Console.

To Troubleshoot an OpenAM Installation

OpenAM can capture information in debug log files that are useful when troubleshooting OpenAM problems. "Debug Logging" in the Administration Guide describes how to enable debug logging after OpenAM has been started.

It is also possible to capture debug logs while installing OpenAM. This can be useful if you need to troubleshoot an installation problem.

Follow these steps to capture debug logs while installing OpenAM on Tomcat:

  1. If Tomcat is already started, stop it.

  2. Specify the -Dcom.iplanet.services.debug.level=message option in the CATALINA_OPTS environment variable:

    $ export CATALINA_OPTS=-Dcom.iplanet.services.debug.level=message

    There are several ways that you can specify the CATALINA_OPTS environment variable. You can set the variable:

    • In the /path/to/tomcat/bin/setenv.sh file

    • In the login shell of the user who runs Tomcat

  3. Run the OpenAM installation. Debug log files containing troubleshooting information appear in the /path/to/openam/openam/debug directory.

  4. When you have completed OpenAM installation and no longer need to capture debug logs, stop Tomcat, revert the debug logging options, and restart Tomcat.

1. You can configure OpenAM to store sessionsstatefullyorstatelessly. Stateful sessions are stored in memory on the OpenAM server. They are also written to disk by the"Configuring the Core Token Service"if you select the Enable Session HA and Persistence and Failover option in the Site Configuration screen. Stateless sessions are stored in HTTP cookies. The Enable Session HA and Persistence and Failover setting does not apply to stateless sessions. For more information about stateful and stateless sessions, see"Configuring Session State"in theAdministration Guide.