OpenAM Survival Tips

Presented by Steve Ferris, VP of Services and ForgeRock Co-Founder at ForgeRock Open Identity Summit, June 2013

Learn more about ForgeRock Access Management:
https://www.forgerock.com/platform/access-management/

Learn more about ForgeRock Identity Management:
https://www.forgerock.com/platform/identity-management/

  1. OpenAM Survival Tips, Open Identity Summit Summer 2013, #OIS13
  2. Under the covers in thirty minutes. Let's explore some of the critical product areas. Little things can cause big problems.
  3. Naming Service Internals
     • Came from iPlanet Remote Passage & Webtop
     • Began to appear in Portal Server 3.0
     • Used by OpenAM SDK clients to determine how to communicate with OpenAM
     • Can get complex in multi-site, multi-VIP deployments
     • Preferred Naming URLs, secondary site URLs, lots to consider
     • Not very forgiving
  4. Naming Service Calculation: all down to how the client is going to talk to the server
  5. CDSSO Debugging Points
  6. CDSSO Debugging
     • Capturing the HTTP headers is essential to understanding the end-to-end flow
     • HTTP headers will detail where in the flow the problem has occurred
     • Where the flow breaks is key to determining the problem
     • Server side: CDCServlet debugging
     • Policy Agent: Restricted Token debugging
  7. CDCServlet Debugging
     • Hostname Lookup: FQDN of the Policy Agent and any VIPs
     • Hostname Reverse Lookup: the IP of the interface used by the Policy Agent to contact OpenSSO must match the Policy Agent FQDN
     • Agent Profiles: all FQDNs used to access a Policy Agent; agentRootURL=protocol://fqdn:port/
  8. CDCServlet Debugging cont…
     • Agent Profiles: agentRootURL values must be confined to a single Agent Profile
     • Duplication will lead to errors when the restriction is validated. Check with:

       ldapsearch -b "ou=web_agent,ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,o=amroot" -D "cn=directory manager" -w password -h am4 -p 390 sunIdentityServerDeviceKeyValue=agentRootURL=https://am.internal.forgerock.com:443/ dn | grep dn | wc -l

       Return value must be 1
  9. Restricted Token Operations
     • Agent Profile Validation using Application Token: ensures the Principal of the token matches that in the restriction
     • Request URL validation using IP/Hostname: ensures the IP/Hostname in the request matches that in the restriction
     • Caution: duplicate agentRootURL values can lead to the wrong Agent Profile being found and restrictions being invalid.
     • Caution: the hostname must be resolvable, else Exceptions will lead to restrictions being invalid.
  10. Session Service Client Architecture
  11. Session Service Server Architecture
  12. Multi Site Deployments
     • Multiple sites mean multiple login URLs
     • GSLB can help provide a single login URL and an abstraction layer
     • Good option: can have a single site that spans multiple DCs
     • If you are running legacy session failover there are possible pain points
     • Latency will be the killer in the end, but you can do things to make things easier
  13. Legacy Session Failover Multi Site
     • Split MQs into sub-clusters
     • amsfo.conf: only list the local MQ brokers
     • AM patch: allows per-instance MQ broker lists
     • Latency can lead to message build-up: monitor the topics and alert on a threshold; use imqcmd
     • WAN firewalls: set MQ to use static ports, else BAD things will happen
  14. Come and pick my brains and finally… Sadly no time for Q&A and cannot cover everything in 30 minutes. So have a question? Please do ask! Here all week! A great thank you from me, Peach, Pelham and little Porter!
  15. The End!
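Slides 7 to 9 describe two preconditions for restricted-token validation in CDSSO: the Policy Agent FQDN must forward-resolve to the IP the agent uses and that IP must reverse-resolve back to the same FQDN, and each agentRootURL value may appear in exactly one agent profile. The deck checks the second with one ldapsearch per URL (the `wc -l` must return 1). The script below is an added example, not part of the deck or of OpenAM: it generalises that check by scanning an LDIF dump of the whole agent container (as produced by `ldapsearch` with the base DN from slide 8) and reporting every URL carried by more than one profile, and it implements the forward/reverse lookup comparison from slide 7 with injectable resolvers so it can be exercised offline. The LDIF sample, the agent names and the host names are constructed for illustration.

```python
"""Added example: offline checks for the CDCServlet preconditions on slides 7 to 9.

(a) agentRootURL uniqueness across agent profiles, from an LDIF dump of the
    agent container (the deck's ldapsearch base DN).
(b) forward DNS of the agent FQDN, then reverse DNS of that IP, must agree.
"""
import socket
from collections import defaultdict

AGENT_KV = "sunIdentityServerDeviceKeyValue"
ROOT_PREFIX = "agentRootURL="

# Constructed LDIF in the shape `ldapsearch` prints for agent profiles.  The
# container DN is the one from slide 8; agent names and hosts are made up.
# agent1 and agent2 both claim app1, which is the fault slide 9 warns about.
# The first dn is folded across two lines, as real ldapsearch output often is.
SAMPLE_LDIF = """\
dn: ou=agent1,ou=web_agent,ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentServi
 ce,ou=services,o=amroot
objectClass: sunIdentityServerDevice
sunIdentityServerDeviceKeyValue: agentRootURL=https://app1.example.com:443/
sunIdentityServerDeviceKeyValue: com.sun.identity.agents.config.notification.enable=true

dn: ou=agent2,ou=web_agent,ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,o=amroot
sunIdentityServerDeviceKeyValue: agentRootURL=https://app2.example.com:443/
sunIdentityServerDeviceKeyValue: agentRootURL=https://app1.example.com:443/

dn: ou=agent3,ou=web_agent,ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,o=amroot
sunIdentityServerDeviceKeyValue: agentRootURL=https://app3.example.com:8443/
"""


def unfold_ldif(text):
    """Join LDIF continuation lines (a leading single space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of (dn, [(attribute, value), ...]) entries.

    Base64 values (`attr:: ...`) are left encoded; agentRootURL values are plain ASCII.
    """
    entries, dn, attrs = [], None, []
    for line in unfold_ldif(text) + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, []
        elif line.startswith("#"):
            continue
        elif line.lower().startswith("dn:"):
            dn = line[3:].strip()
        elif ":" in line:
            name, value = line.split(":", 1)
            attrs.append((name.strip(), value.strip()))
    return entries


def agent_root_urls(entries):
    """Map each agentRootURL value to the DNs of the profiles that carry it.

    The host:port part is lower-cased and a trailing slash is forced, so that
    spelling differences do not hide a duplicate.
    """
    index = defaultdict(list)
    for dn, attrs in entries:
        for name, value in attrs:
            if name == AGENT_KV and value.startswith(ROOT_PREFIX):
                scheme, _, rest = value[len(ROOT_PREFIX):].partition("://")
                host, _, tail = rest.partition("/")
                index[f"{scheme}://{host.lower()}/{tail}"].append(dn)
    return dict(index)


def profile_conflicts(entries):
    """URLs present in more than one profile: the condition slide 8's count (must be 1) detects."""
    return {url: dns for url, dns in agent_root_urls(entries).items() if len(dns) > 1}


def check_agent_hostname(fqdn, resolve=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Forward-resolve the agent FQDN, reverse-resolve the resulting IP, and require the
    FQDN to come back.  Resolvers are injectable so the check can run offline."""
    wanted = fqdn.lower().rstrip(".")
    try:
        ip = resolve(fqdn)
    except OSError as exc:
        return {"ok": False, "ip": None, "reason": f"forward lookup failed: {exc}"}
    try:
        name, aliases, _ = reverse(ip)
    except OSError as exc:  # socket.herror is a subclass of OSError
        return {"ok": False, "ip": ip, "reason": f"reverse lookup failed: {exc}"}
    names = {n.lower().rstrip(".") for n in [name, *aliases]}
    if wanted in names:
        return {"ok": True, "ip": ip, "reason": None}
    return {"ok": False, "ip": ip,
            "reason": f"{ip} reverse-resolves to {sorted(names)}, not {fqdn}"}


if __name__ == "__main__":
    for url, dns in sorted(profile_conflicts(parse_ldif(SAMPLE_LDIF)).items()):
        print(f"DUPLICATE agentRootURL {url} in {len(dns)} profiles:")
        for dn in dns:
            print("   ", dn)
    # Live lookup; replace "localhost" with the real Policy Agent FQDN.
    print(check_agent_hostname("localhost"))
```

To use it against a deployment, export the container with `ldapsearch -b "ou=web_agent,...,o=amroot" ... > agents.ldif` and feed the file to `parse_ldif`; any URL reported by `profile_conflicts` is one the deck's per-URL count would return as 2 or more. The hostname check deliberately accepts the FQDN among the PTR aliases as well as the canonical name, since a VIP's reverse record often lists several names.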