How To Install OpenAM and OpenDJ

Mat David
9 min readSep 25, 2021

--

In this tutorial, you will install OpenDJ, Tomcat and deploy OpenAM on Tomcat server. Once deployed, you will configure AM to use OpenDJ as identity repository.

Some Notes to prepare for the lab.

  • Download Openam.war file, the supported OS are Linux, Windows and Solaris.
  • The supported servers for OpenAM are Tomcat (recommended), Jboss, Glassfish, Weblogic or Websphere.
  • Memory — min 4- 8g with 1gb of heap and at least 10gb of log space; If required double the logs space and reorient the memory. Create a user, call is fruser.
  • Jdk 6 or 7 are supported; OS 32 bit or 64 bits are supported; and for client JDK AM 6 or 7 are supported.
  • The different deployment components of AM are OpenAM, and OpenDJ directory store. Other subsidiary components are, CTS store, Config Store and user store based on DJ.
  • OpenAM.war is deployed into J2EE Container. The war file gets deployed once the container starts. Once deployed, the web UI can be started and you can also use command line to configure different components in AM.
  • AMSetupServlet is responsible for different processes of creation — initial setup and bootstrap, DJ schema config, AM service config, Create initial AM config.
  • You can configuring AM in two ways. One is default with all the embedded Configs and user stores. The other is new configuration with all external User store, sites, LB URLs, cookie domain & load custom schema. For smaller config, use embedded DJ, for larger deployments use external DJs. For this lab we use embedded DJ for configs and external DJ for Identity store.
  • Invoke the OpenAM URL. The first screen ForgeRock Configurator screen is seen. Enter password and confirm password.
  • In this tutorial, you will install tomcat and deploy OpenAM. Once deployed, you will configure it with OpenDJ.
  • Install OpenDJ
  • Download from : https://backstage.forgerock.com/downloads/, you. could download the latest version. Register your self and download the softwares.
  • I used OpenAM 6.5.2.2, and DJ 6.5.2.

Unzip the downloaded DJ software to a directory. In the lab, I have it under /opt/. Move to the /opt/opendj/ folder.

Execute /opt/opendj/setup.
Accept the license. Click Enter.
Choose 1 for Directory Server, click Enter
Choose a password of choices and confirm password
Choose default values for query monitoring and Hardening (More prod requirement).
Enter the hostname for DJ, in my case I set it to dj.example.com
Accept the displayed port and choose yes to Server start after complete.

Choose 1 for Directory Server:

Use the default path, in this las /opt/opendj

Choose the root user as cn=Directory Manager and enter a password and confirmed password. Leave the rest defaults

For the secure server connections, for the purpose of lab, choose Generate self-signed certificate 1.

As seen in the screen shot, confirm the configuration details are correct. Enter yes to accept those choices and continue. For Enable LDAP, choose default yes.

Confirm the configs.

Choose Yes for Enable LDAP, LDAPS, No for HTTP, yes for HTTPS. Confirm the confirmation. In my lab setup, I already have an instance of DJ running, that is the reason the LDAP port is 389 and LDAPS port is 636.

In your setup, it could be 1389 for LDAP and 1636 for LDAPS.

For the base DN, choose 2 to Create only a base DN entry and choose default. If you want you base DN to be different, this is where you change it. Click Enter

Accept the values as shown in the screen and click Enter.

The equivalent command is shown in the screen shot.

OpenDJ Configuration Summary

Choose choice 1 and click Enter.

The install and configs are complete. Check the status with the following command

sudo /opt/opendj/bin/status — offline

Now that we have successfully installed DJ, let’s Install OpenAM and configure the user repository.

Install OpenAM

In this part of the tutorial, you will install tomcat and deploy OpenAM. Once deployed, you will configure it with OpenDJ.

Install Tomcat

  • You have installed DJ successfully. Now lets start with OpenAM.
  • Download Tomcat from Install and start tomcat.

https://tomcat.apache.org/download-80.cgi
Unzip tomcat. The tomcat software was downloaded to the following folder for the lab. Move to the folder where you want the software to be installed and execute the following command.
unzip <path>/apache-tomcat-8.5.70.tar.gz
cd <path>/apache-tomcat-8.5.70/bin/

[fruser@deviam bin]$ ./startup.sh
Using CATALINA_BASE: <path>/apache-tomcat-8.5.70
Using CATALINA_HOME: <path>/apache-tomcat-8.5.70
Using CATALINA_TMPDIR: <path>/apache-tomcat-8.5.70/temp
Using JRE_HOME: /<pathto>/jdk18Using CLASSPATH: <path>/apache-tomcat-8.5.70/bin/bootstrap.jar:<path>/apache-tomcat-8.5.70/bin/tomcat-juli.jar
Using CATALINA_OPTS:

Tomcat started.

  1. Mv or cp <openam>.war to sso.war

Mv the sso.war to the webapp folder under tomcat as shown. The moved file deploys itself.

<path>/Downloads/sso.war
ls -ltr <path>/apache-tomcat-8.5.70/webapps/
total 196

Access it using the URL.
My VM host file was changed to below setting.
<ipaddress> openam hostname & DJ hostname

Invoke the OpenAM URL. The first screen ForgeRock Configurator screen is seen. Enter the password and confirm password.

In your deployment, if the openam.war is deployed as sso.war, replace the cropped context for the the deployment screenshot with sso or any context that matches your deployment.

Click Next. In the Server Setting (step 2), Enter the URL : port AM will be accessible. Enter cookie domain. Leave the default configuration directory.

Click Next on the Server Setting screen.

OpenAM Server Config

On the step 3 of the configuration page, leave the First instance checked. Leave the Embedded DS for configuration. Leave as a default value the rest of the information.

Click Next on the Data Store Setting page.

For the User Data Store Settings, (For this lab, OpenDJ is used as a user identity store). OpenDJ should be installed. The DJ configuration is taken from that.

Choose External User Data Store, enter, dj.example.com (Directory Name) , 1389 (nonssl port). For prod use SSL. Enter the Root suffix and the Login ID and the password used when installing dJ.

Click Next on the User Data Store screen.

OpenAM DJ configuration

On the Site Configuration screen, select No, (because this AM is not behind a LB site). In enterprise, it is deployed behind a site then you have to choose ‘Yes’ .

Skip this screen by clicking the Next button.

On the configuration summary page, confirm the details you have entered (modify by clicking the edit button, if any changes are required. ) . Click on Create Configuration to successfully complete the AM configs.

OpenAM config Summary

On the summary details page, if all goes well you will see a similar screen.

To continue to login, click on proceed to Login.

OpenAM Configuration Complete

Once you finish install, check the config folder.

Configure OpenAM to use OpenDJ as an identity repository

We will use the External realm to set up a federation between OAM and OpenAM. Lets create a new realm and configure the datastore.

Login into OpenAM with the credentials you created during installs.

Click on New Realm button and enter ExternalPartners as seen in the screenshot and click Create.

Back on the Realms page, you see the realm created.

OpenAM Realms

Let’s configure the identity store with the OpenDJ instance we created. Click on the Realm->ExternalPartners->Identity Stores- > Create a new Identity Store as below, Identity Store ID as External and Type = OpenDJ.

Click Create.

Click on the newly created DJ instance and enter the values for :

LDAP Server, Bind DN, Password, and the Organization DN. These values should match the once you used when installing the OpenDJ instance in the previous Lab.

In my lab, I used dj.example.com, 1389, Bind DN=cn=Directory Manager, password, and the based DN dc=example,dc=com

OpenDJ AM Configuration

Once you save the values, if all the configurations are successful. You can see the identities in the identities link.

Some helpful commands to add and search the user DJ repository.

Search user records

<path>/opendj/bin/ldapsearch -h dj.example.com -p 1389 -D “cn=Directory Manager” -w *** -b dc=example,dc=com objectclass=*

Sample ldif file to load an user.

dn: uid=mdave1,ou=people,dc=example,dc=com
changetype: add
objectClass: inetuser
objectClass: inetorgperson
objectClass: top
objectClass: person
cn: Mat1 Dave1
employeeNumber: 0
givenName: Mat
inetUserStatus: Active
mail: mdave1@deviam.com
sn: Dave
uid: mdave1
userPassword: <Enter password in plain text>

<pathto>/opendj/bin/ldapmodify — hostname dj.example.com — port 1389 — bindDN “cn=Directory Manager” — bindPassword *** mdave1

# ADD operation successful for DN uid=mdave1,ou=people,dc=example,dc=com

Command to verify that the user has been added.

<pathto>/opendj/bin/ldapsearch -h dj.example.com -p 1389 -D “cn=Directory Manager” -w *** -b dc=example,dc=com uid=mdave1
dn: uid=mdave1,ou=people,dc=example,dc=com
objectClass: inetuser
objectClass: inetorgperson
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: Mat1 Dave1
employeeNumber: 0
givenName: Mat
inetUserStatus: Active
mail: mdave1@deviam.com
sn: Dave
uid: mdave1
userPassword: {SSHA512}ujRdR9QjZZcvRO5ztXMRjiOzj8gH/reHUSbWNzGOiex+fPG8m/4D+dTVxdTbr4G34mpaDnbF27KO1U24H/Kd4RHoxfk6Gyfu

Once the user record has been loaded, you can verify those records from the identities section.

OpenAM Identity View

This post walked through how to install OpenDJ, load a user to OpenDJ, Install Tomcat and deploy, configure OpenAM.

We created a new realm in OpenAM and configured OpenDJ as the external directory server for identities. This is one of the many part series to follow.

--

--

Mat David
Mat David

Written by Mat David

I am an Identity & Access Management Consultant. My tech. writing interests are Access, Identity Mangmt. E-books on Kindle: https://amazon.com/author/mdaviam

No responses yet