Thursday, December 3, 2009

Version of the embedded opends config store

OpenSSO comes with its own bundled OpenDS, which acts as the config store and can also double as a user store for POCs.
NOTE: Using the embedded OpenDS as a user store in a production environment is not supported.

Today, I ran into a requirement where I had to find the version of the OpenDS in one of the installs.
This can be achieved using ldapsearch.
  • ldapsearch -h abc.abc.com -p 53389 -D"cn=directory manager" -w ****** -b "cn=Version,cn=monitor" -s base ""
    version: 1
    dn: cn=Version,cn=monitor
    objectClass: extensibleObject
    objectClass: top
    objectClass: ds-monitor-entry
    revisionNumber: 5097
    shortName: OpenDS
    compactVersion: OpenDS-1.0.2-build002
    pointVersion: 2
    cn: Version
    buildID: 20090317124610Z
    majorVersion: 1
    productName: OpenDS Directory Server
    minorVersion: 0
    fullVersion: OpenDS Directory Server 1.0.2-build002
    buildNumber: 2

  • ldapsearch -h abc.abc.com -p 53389 -D"cn=directory manager" -w ****** -b "" -s base "" vendorVersion
    version: 1
    dn:
    vendorVersion: OpenDS Directory Server 1.0.2-build002

Friday, November 13, 2009

Incorrect AVA format

Got this error when trying to create a keystore.

c:\3960\glassfish\domains\domain1\config>keytool -genkey -keyalg RSA -keystore amkeystore.jks -validity 365 -alias "fam8" -dname "amqa-x2100-01.red.iplanet.com,ou=identity,o=sun.com,L=santa clara, ST=CA, C=US"
Enter keystore password:
Re-enter new password:
keytool error: java.io.IOException: Incorrect AVA format

This was because I had an incorrect dname.
It should be "cn=amqa-x2100-01.red.iplanet.co...........
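
A -dname value can be checked before it is handed to keytool. The following is an added example, not part of the original post or of keytool: it splits the string into comma-separated components (honouring backslash escapes and double quotes) and reports every component that is not in type=value form, which is what "Incorrect AVA format" was complaining about. The function names are hypothetical, and the corrected string is simply the failing one from above with "cn=" prefixed.

```python
def split_rdns(dname):
    """Split a dname on commas that are neither escaped nor inside quotes."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in dname:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            parts.append("".join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def check_dname(dname):
    """Return (position, component, problem) for each malformed component."""
    problems = []
    for pos, rdn in enumerate(split_rdns(dname)):
        attr, sep, value = rdn.partition("=")
        if not sep:
            problems.append((pos, rdn, "no 'type=' before the value"))
        elif not attr.strip():
            problems.append((pos, rdn, "empty attribute type"))
        elif not value.strip():
            problems.append((pos, rdn, "empty value"))
    return problems


# The dname from the failing command above, and the same string with cn= added.
BAD = "amqa-x2100-01.red.iplanet.com,ou=identity,o=sun.com,L=santa clara, ST=CA, C=US"
FIXED = "cn=" + BAD
# Constructed case: an escaped comma inside a value must not split the component.
ESCAPED = "cn=host.example.com,o=Example\\, Inc,c=US"

if __name__ == "__main__":
    for label, dn in (("bad", BAD), ("fixed", FIXED), ("escaped", ESCAPED)):
        print(label, check_dname(dn) or "ok")
```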

Wednesday, November 4, 2009

Some not-so-common ssoadm examples

The ssoadm command line utility that comes with OpenSSO is indeed a very handy little tool.
Here are a few examples of some not-so-common usages of ssoadm, which I learnt and want to share.

1) Here was a request to the users alias "does someone know the ssoadm command to change signature algorithm for saml2 assertion ( typically to choose RSA-SHA256 ) ? ( corresponding to the gui for the admin console in Configuration/Global/federation/Signature ) "

You should be able to use "ssoadm set-attr-defs" to set the signature algorithm and "ssoadm get-attr-defs" to see the updated value.

./ssoadm set-attr-defs -s sunFAMFederationCommon -t Global -u amadmin -f /usr/tmp/pass -a "SignatureAlgorithm=http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
bash-3.00# ./ssoadm get-attr-defs -s sunFAMFederationCommon -t Global -u amadmin -f /usr/tmp/pass
(Thanks Charles)
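
After changing the setting, the algorithm that is actually declared in an issued assertion can be checked. The following is an added example, not part of the original post or of OpenSSO: it reads the ds:SignatureMethod of every signed element in a SAML message and reports those that do not declare the rsa-sha256 URI set above. It inspects the declared algorithm only and does not verify the signature; the sample assertion is a constructed skeleton and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
WANTED = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"  # value set above
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"


def sample_assertion(algorithm):
    """Constructed skeleton of a signed assertion; digest and signature
    values are left out because only the declared algorithm is inspected."""
    return f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
        xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_constructed1">
      <ds:Signature><ds:SignedInfo>
        <ds:SignatureMethod Algorithm="{algorithm}"/>
      </ds:SignedInfo></ds:Signature>
    </saml:Assertion>"""


def declared_algorithms(xml_text):
    """Map the ID of each signed element to the SignatureMethod it declares."""
    # ElementTree is enough for this constructed input; use a hardened
    # parser for messages captured from peers you do not control.
    found = {}
    for el in ET.fromstring(xml_text).iter():
        sig = el.find(DS + "Signature")
        if sig is not None:
            method = sig.find(DS + "SignedInfo/" + DS + "SignatureMethod")
            found[el.get("ID")] = None if method is None else method.get("Algorithm")
    return found


def not_using(xml_text, wanted=WANTED):
    """List the signed elements whose declared algorithm is not `wanted`."""
    algs = declared_algorithms(xml_text)
    if not algs:
        return ["no ds:Signature found"]
    return [f"{elem_id}: {alg}" for elem_id, alg in algs.items() if alg != wanted]


if __name__ == "__main__":
    print(not_using(sample_assertion(RSA_SHA1)))  # still signed the old way
    print(not_using(sample_assertion(WANTED)))    # setting took effect
```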

Thursday, October 15, 2009

del del del..unwanted mails..bites me back

There was a series of mails from our IT department warning us about servers being decommissioned. But first I postponed the needed, then forgot, and then ignored the FINAL WARNING.
What happens...
My lack of action bit me back and my Solaris box was unusable.

Having grown up with windows machines, unix is something I am still getting used to.
So I was so scared of what happens.

But it turns out that the IT team had done a pretty good document which guided us step by step.
And in the course of it I also learnt a couple of new things.

- ypwhich - gives the NIS server the machine is currently using
-- you can also try "ypwhich another-machine-on-nw"

- /etc/resolv.conf - Defines which naming server to use
Eg - nameserver 129.147.9.5, where 129.147.9.5 is the ip address of the naming server used

Thursday, September 24, 2009

"No more processes" in solaris machine

Another new error
Product deployment failed in solaris with error some jre lib exception
Googling said I had to increase the number of processes in os level in /etc/system
But even vi failed with "no more processes"
So had to reboot and issue gone!!

First time I saw this.. should remember

Friday, July 24, 2009

Opensso configuration failure - case 2 - UnsupportedClassVersionError

The upcoming express build, build 8 (as well as the available nightlies), now supports only JDK 6 in the OpenSSO server container.

This is the exception you see when configuring with jdk5

Symptom:
-----------
Opensso configuration fails

--> Configuration fails at
Checking configuration directory /export/isqa/SJSWS/opensso-8080....Success.
Installing OpenSSO configuration store...Success RSA/ECB/OAEPWithSHA1AndMGF1Padding.
Installing OpenSSO configuration store in /export/isqa/SJSWS/opensso-8080/opends...Success.
Creating OpenSSO suffix...Success.
Tag swapping schema files....Success.
Loading Schema opends_config_schema.ldif...Success.
Loading Schema opends_user_schema.ldif...Success.
Loading Schema opends_embinit.ldif...Success.
Loading Schema opends_user_index.ldif...Success.
Loading Schema opends_plugin.ldif...Success.
...Success.
Reinitializing system properties.AMSetupServlet.processRequest: errorcom.sun.identity.security.AMSecurityPropertiesException: AdminTokenAction: FATAL ERROR: Cannot obtain Application SSO token.
Check AMConfig.properties for the following properties
com.sun.identity.agents.app.username
com.iplanet.am.service.password
at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:258)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.identity.security.AdminTokenAction.run(AdminTokenAction.java:258)
at java.security.AccessController.doPrivileged(Native Method)
at com.iplanet.am.util.SystemProperties.initializeProperties(SystemProperties.java:450)
at com.sun.identity.setup.AMSetupServlet.reInitConfigProperties(AMSetupS

--> {config dir}/opensso/debug/Configuration shows
amSMS:07/21/2009 02:20:35:953 PM PDT: Thread[service-j2ee-5,5,main]
ERROR: SMSObjectDB: Unable to get amsdkbasedn:

Got LDAPServiceException code=19
at com.iplanet.services.ldap.DSConfigMgr.getDSConfigMgr(DSConfigMgr.java:162)
at com.sun.identity.sm.SMSObjectDB.getAMSdkBaseDN(SMSObjectDB.java:58)
at com.sun.identity.sm.SMSObjectDB.getRootSuffix(SMSObjectDB.java:112)
at com.sun.identity.sm.ldap.SMSLdapObject.initialize(SMSLdapObject.java:201)
.....................

The lower level exception message
Connection to the server could not be established
The lower level exception:
com.sun.identity.shared.ldap.LDAPException: Connection to the server could not be established (-1)

--> /opends/logs don't report any exception

--> Container logs say "java.lang.UnsupportedClassVersionError: PWC1651: Class com.sun.identity.idsvcs.IdentityServicesImpl has unsupported major or minor version numbers, which are greater than those found in the Java Runtime Environment version 1.5.0_15"

So this is the culprit: the JDK the container is using is 1.5.0_15.

Solution:
-----------
Upgrade container jdk to jdk6 and reconfigure
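
The mismatch can be found before deployment by reading the class-file headers in the WAR. The following is an added example, not part of the original post or of OpenSSO: every class file starts with the magic number 0xCAFEBABE followed by a minor and a major version, where major 49 is Java 5 and major 50 is Java 6, and the scanner lists each class (including those in nested jars) that needs a newer release than the container runs. The sample WAR is constructed in memory from header-only stubs; its entry paths and the function names are assumptions.

```python
import io
import struct
import zipfile


def class_release(header):
    """Java release a class file targets, or None if it is not a class file."""
    if len(header) < 8:
        return None
    magic, _minor, major = struct.unpack(">IHH", header[:8])
    return major - 44 if magic == 0xCAFEBABE else None  # 49 -> 5, 50 -> 6


def too_new(archive, runtime_release, prefix=""):
    """(entry, required release) for every class newer than the runtime,
    descending into nested jars such as WEB-INF/lib/*.jar."""
    findings = []
    with zipfile.ZipFile(archive) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                with zf.open(name) as fh:
                    release = class_release(fh.read(8))
                if release is not None and release > runtime_release:
                    findings.append((prefix + name, release))
            elif name.endswith(".jar"):
                nested = io.BytesIO(zf.read(name))
                findings += too_new(nested, runtime_release, prefix + name + "!/")
    return findings


def _jar(entries):
    """Build an in-memory archive from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


def sample_war():
    """Constructed WAR: header-only stubs, entry paths are assumptions."""
    java5 = struct.pack(">IHH", 0xCAFEBABE, 0, 49)
    java6 = struct.pack(">IHH", 0xCAFEBABE, 0, 50)
    lib = _jar({"com/example/Old.class": java5}).getvalue()
    return _jar({
        "WEB-INF/classes/com/sun/identity/idsvcs/IdentityServicesImpl.class": java6,
        "WEB-INF/lib/constructed.jar": lib,
    })


if __name__ == "__main__":
    for entry, release in too_new(sample_war(), runtime_release=5):
        print(f"{entry} needs Java {release}")
```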

Other configuration Issues:
http://nithyastechnotes.blogspot.com/2009/07/opensso-configuration-failure-case-1.html
http://nithyastechnotes.blogspot.com/2009/07/opensso-deployment-issue-in-geronimo.html

Thursday, July 23, 2009

Opensso deployment issue in geronimo 2.1.4

The OpenSSO nightly builds don't deploy on Geronimo 2.1.4.

This is due to the way the webservices-tools.jar is bundled.

drwxr-xr-x 0 26-Sep-2008 13:19:20 1.0/
drwxr-xr-x 0 26-Sep-2008 13:19:22 1.0/META-INF/
-rw-r--r-- 656 28-Mar-2005 12:23:02 1.0/META-INF/MANIFEST.MF
drwxr-xr-x 0 26-Sep-2008 13:19:22 1.0/META-INF/services/
-rw-r--r-- 164 28-Mar-2005 12:22:14 1.0/META-INF/services/com.sun.tools.xjc.CodeAugmenter
-rw-r--r-- 44 2-Nov-2002 16:15:24 1.0/META-INF/services/org.relaxng.datatype.DatatypeLibraryFactory
drwxr-xr-x 0 28-Mar-2005 12:20:58 1.0/com/
drwxr-xr-x 0 26-Sep-2008 13:19:20 1.0/com/sun/
drwxr-xr-x 0 26-Sep-2008 13:19:22 1.0/com/sun/codemodel/
-rw-r--r-- 287 28-Mar-2005 12:20:36 1.0/com/sun/codemodel/CodeWriter.class
...
-rw-r--r-- 1179 28-Feb-2008 18:49:50 com/sun/codemodel/CodeWriter.class

This is because of the 1.0 in the package structure.

Geronimo issue opened for this is - https://issues.apache.org/jira/browse/XBEAN-126

Opensso issue opened to document this is - https://opensso.dev.java.net/issues/show_bug.cgi?id=4976

NOTE : opensso works fine on geronimo 2.1.1