Installing Forgerock Directory Server V7 on AWS

 

Steps i have followed

install jdk 11

yum install java-11-openjdk-devel

./dskeymgr create-deployment-key --deploymentKeyPassword Password

export DEPLOYMENT_KEY=put deployment key that was generated previously

unzip DS-7.0.0

cd to opendj

run below command

./setup \

 --deploymentKey $DEPLOYMENT_KEY \

 --deploymentKeyPassword Passw0rd1 \

 --rootUserDN uid=admin \

 --rootUserPassword Passw0rd1 \

 --monitorUserPassword Passw0rd1 \

 --hostname ds1.avantatech.com \

 --adminConnectorPort 4444 \

 --ldapPort 1389 \

 --enableStartTls \

 --ldapsPort 1636 \

 --httpsPort 8443 \

 --profile am-identity-store \

 --set am-identity-store/amIdentityStoreAdminPassword:Passw0rd1 \

 --acceptLicense \

 --start-ds

if you don't have a certificate disabled the Global Password policy by running ./dsconfig

[iamuser@ip-172-31-42-151 bin]$ ./dsconfig

>>>> Specify OpenDJ LDAP connection parameters

Directory server hostname or IP address

[ip-172-31-42-151.us-east-2.compute.internal]: ds1.avantastech.com

Directory server administration port number [4444]:

Administrator user bind DN [uid=admin]:

Password for user 'uid=admin':

The certificate 'CN=DS, O=ForgeRock.com' is not trusted for the following reason: unable to find valid certification path to requested target

Server Certificate:

User DN  : CN=DS, O=ForgeRock.com

Validity : From 'Tue Sep 01 23:25:54 UTC 2020'

             To 'Wed Sep 01 23:25:54 UTC 2021'

Issuer   : CN=Deployment key, O=ForgeRock.com

User DN  : CN=Deployment key, O=ForgeRock.com

Validity : From 'Tue Sep 01 23:12:45 UTC 2020'

             To 'Fri Aug 30 23:12:45 UTC 2030'

Issuer   : CN=Deployment key, O=ForgeRock.com

Do you trust this server certificate?

  1) No

  2) Yes, for this session only

  3) Yes, also add it to a truststore

  4) View certificate details

Enter choice: [1]: 3

The certificate 'CN=DS, O=ForgeRock.com' is not trusted for the following reason: No subject alternative DNS name matching ds1.avantastech.com found.

Server Certificate:

User DN  : CN=DS, O=ForgeRock.com

Validity : From 'Tue Sep 01 23:25:54 UTC 2020'

             To 'Wed Sep 01 23:25:54 UTC 2021'

Issuer   : CN=Deployment key, O=ForgeRock.com

User DN  : CN=Deployment key, O=ForgeRock.com

Validity : From 'Tue Sep 01 23:12:45 UTC 2020'

             To 'Fri Aug 30 23:12:45 UTC 2030'

Issuer   : CN=Deployment key, O=ForgeRock.com

Do you trust this server certificate?

  1) No

  2) Yes, for this session only

  3) Yes, also add it to a truststore

  4) View certificate details

Enter choice: [1]: 3

>>>> OpenDJ configuration console main menu

What do you want to configure?

    1)   Access Control Handler               22)  Log Publisher

    2)   Access Log Filtering Criteria        23)  Log Retention Policy

    3)   Account Status Notification Handler  24)  Log Rotation Policy

    4)   Administration Connector             25)  Mail Server

    5)   Alert Handler                        26)  Password Generator

    6)   Backend                              27)  Password Policy

    7)   Backend Index                        28)  Password Storage Scheme

    8)   Backend VLV Index                    29)  Password Validator

    9)   Certificate Mapper                   30)  Plugin

    10)  Connection Handler                   31)  Plugin Root

    11)  Crypto Manager                       32)  Replication Domain

    12)  Debug Target                         33)  Replication Server

    13)  Entry Cache                          34)  Root DSE Backend

    14)  Extended Operation Handler           35)  SASL Mechanism Handler

    15)  Global Access Control Policy         36)  Schema Provider

    16)  Global Configuration                 37)  Service Discovery Mechanism

    17)  Group Implementation                 38)  Synchronization Provider

    18)  HTTP Authorization Mechanism         39)  Trust Manager Provider

    19)  HTTP Endpoint                        40)  Virtual Attribute

    20)  Identity Mapper                      41)  Work Queue

    21)  Key Manager Provider

    a)   show advanced components and properties

    q)   quit

Enter choice: 27

>>>> Password Policy management menu

What would you like to do?

    1)  Create a new Password Policy

    2)  View and edit an existing Password Policy

    3)  Delete an existing Password Policy

    4)  List existing Password Policies

    a)  show advanced components and properties

    q)  quit

    b)  back

Enter choice [b]: 2

>>>> Select the Authentication Policy from the following list:

    1)  Default Password Policy

    2)  Root Password Policy

    a)  show advanced components and properties

    q)  quit

    c)  cancel

Enter choice [c]: 2

>>>> Configure the properties of the Password Policy "Root Password Policy"

         Property                                   Value(s)

         ----------------------------------------------------------------------

    1)   account-status-notification-handler        -

    2)   allow-expired-password-changes             false

    3)   allow-user-password-changes                true

    4)   default-password-storage-scheme            PBKDF2-HMAC-SHA256

    5)   deprecated-password-storage-scheme         -

    6)   expire-passwords-without-warning           false

    7)   force-change-on-add                        false

    8)   force-change-on-reset                      false

    9)   grace-login-count                          0

    10)  idle-lockout-interval                      0 s

    11)  last-login-time-attribute                  -

    12)  last-login-time-format                     -

    13)  lockout-duration                           0 s

    14)  lockout-failure-count                      0

    15)  lockout-failure-expiration-interval        0 s

    16)  max-password-age                           0 s

    17)  max-password-reset-age                     0 s

    18)  min-password-age                           0 s

    19)  password-attribute                         userPassword

    20)  password-change-requires-current-password  true

    21)  password-expiration-warning-interval       5 d

    22)  password-generator                         -

    23)  password-history-count                     0

    24)  password-history-duration                  0 s

    25)  password-validator                         At least 8 characters,

                                                    Common passwords

    26)  previous-last-login-time-format            -

    27)  require-change-by-time                     -

    28)  require-secure-authentication              true

    29)  require-secure-password-changes            true

    a)   show advanced components and properties

    q)   quit

    c)   cancel

    f)   finish - apply changes

    ?)   help

Enter choice [f]: 28

>>>> Configuring the "require-secure-authentication" property

    Indicates whether users with the associated password policy are required

    to authenticate in a secure manner.

    This might mean either using a secure communication channel between the

    client and the server, or using a SASL mechanism that does not expose the

    credentials.

Do you want to modify the "require-secure-authentication" property?

    1)  Keep the value: true

    2)  Change it to the default value: false

    3)  Specify a new value or expression

    q)  quit

    ?)  help

Enter choice [1]: 2

Press RETURN to continue

>>>> Configure the properties of the Password Policy "Root Password Policy"

         Property                                   Value(s)

         ----------------------------------------------------------------------

    1)   account-status-notification-handler        -

    2)   allow-expired-password-changes             false

    3)   allow-user-password-changes                true

    4)   default-password-storage-scheme            PBKDF2-HMAC-SHA256

    5)   deprecated-password-storage-scheme         -

    6)   expire-passwords-without-warning           false

    7)   force-change-on-add                        false

    8)   force-change-on-reset                      false

    9)   grace-login-count                          0

    10)  idle-lockout-interval                      0 s

    11)  last-login-time-attribute                  -

    12)  last-login-time-format                     -

    13)  lockout-duration                           0 s

    14)  lockout-failure-count                      0

    15)  lockout-failure-expiration-interval        0 s

    16)  max-password-age                           0 s

    17)  max-password-reset-age                     0 s

    18)  min-password-age                           0 s

    19)  password-attribute                         userPassword

    20)  password-change-requires-current-password  true

    21)  password-expiration-warning-interval       5 d

    22)  password-generator                         -

    23)  password-history-count                     0

    24)  password-history-duration                  0 s

    25)  password-validator                         At least 8 characters,

                                                    Common passwords

    26)  previous-last-login-time-format            -

    27)  require-change-by-time                     -

    28)  require-secure-authentication              false

    29)  require-secure-password-changes            true

    a)   show advanced components and properties

    q)   quit

    c)   cancel

    f)   finish - apply changes

    ?)   help

Enter choice [f]:

The Password Policy was modified successfully

The equivalent non-interactive command-line is:

dsconfig set-password-policy-prop \

          --policy-name Root\ Password\ Policy \

          --set require-secure-authentication:false \

          --hostname ds1.avantastech.com \

          --port 4444 \

          --bindDn uid=admin \

          --bindPassword ****** \

          --trustAll \

          --no-prompt

Press RETURN to continue

>>>> Password Policy management menu

What would you like to do?

    1)  Create a new Password Policy

    2)  View and edit an existing Password Policy

    3)  Delete an existing Password Policy

    4)  List existing Password Policies

    a)  show advanced components and properties

    q)  quit

    b)  back

Enter choice [b]: q

[iamuser@ip-172-31-42-151 bin]$

Now connect to Directory Server using Apache Directory Studo or any other software.

Unexpected end of JSON input

the issue was fixed using jdk 1.8 version that I download from the oracle site. before this, I was using default java that comes with Linux using yum install java

https://youtu.be/GLmU5wdE0Ks

Forgerock installing opends and openam 6.5 in AWS from scratch

ApacheDirectoryStudio A Java Runtime Environment (JRE) or Java Development Kit (JDK) must be available in order to run ApacheDirectoryStudio. No Java virtual machine wsa found after searching the following locations

Error
ApacheDirectoryStudio

A Java Runtime Environment (JRE) or Java Development Kit (JDK)
must be available in order to run ApacheDirectoryStudio. No Java virtual machine wsa found
after searching the following locations:
C:\Program Files\Apache Directory Studio\jre\bin\javaw.exe
javaw.exe in your current PATH

in you install simple java you will get below error

ApacheDirectoryStudio

Java was started but returning exit code=13

C:/Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe

-Dosgi.requiredJavaVersion=1.8

-jar C:/Program Files\Apache Directory

Studio\\plugins/org.eclipse.equinox.launcher_1.5.700.v20200207-215.jar

-os win32

-ws win32

..........

.

Solution:

The issue is Apache Directory Studio is looking for JDK. It is also mentioned in the Apache Directory Studio installation documentaion to have JDK 1.8 or newer installed.

Download JDK and install it. Once finished JDK installation. start the Apache Directory Studio It will work

here is link to download JDK 1.8

https://www.oracle.com/java/technologies/javase/javase-jdk8-downloads.html

basic opendj ldap commands

./ldapsearch --hostname ds1.avantastech.com --port 1389 --baseDN "ou=People,dc=avantastech,dc=com"  uid=user.1


Change a Password for a User
./ldappasswordmodify -p 1389  -D "cn=directory manager" -w Password -a "dn:uid=user.19,ou=People,dc=avantastech,dc=com" -n changeit


Access OpenDJ configurations

./dsconfig --hostname ds1.avantastech.com --port 4444 --bindDN "cn=directory manager" --bindPassword Password --trustAll

Create a Backup
./backup --backUpAll --backupDirectory /app/forgerock/opendj/backup --port 4444 --bindDn "cn=directory manager" --bindPassword Password --trustAll --no-prompt



Restore UserRoot from a Backup $

./opendj/bin/restore -p 4444 -D "cn=directory manager" -w Password -d /app/forgerock/opendj/backup/userRoot --trustAll

Export ldif File
./export-ldif --port 4444 --backendId userRoot --ldifFile /app/forgerock/backup/ldif-file/users.ldif --bindDN "cn=directory manager" --bindPassword Password --trustAll --no-prompt

Get Password Policy
 ./dsconfig get-password-policy-prop --policy-name "Default Password Policy" -h ds1.avantastech.com -D "cn=directory manager" -w Password -p 4444 --trustall --no-prompt


Get OpeDJ Server ID

./dsconfig get-global-configuration-prop --hostname ds1.avantastech.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword Password --property server-id --trustAll --no-prompt

Forgerock opendj ERROR: The Directory Server could not acquire an exclusive lock on file

Looks like your server got shut down abnormally.

solution:
either shut down the server again or remove server.lock file that is under locks folder.

Start the server. It will resolve the issue

Service Now integration with Forgerock OpenAM

1. create IDP metadata from Forgerock OpenAM make sure you have NameID Format same as Service Now. your metadata should have x509 certificate that is required by SAML to sign the request. If you are not using certificate make sure to select default certificate offered by forgerock AM

2. send metadata to Service Now.
3. import Service Now Metadata (SP) to forgerock AM servers. make changes to SP metadata. Click on Service Now metadata and go to Assertion Processing and at the Attribute Mapper put the attribute you have in Service Now at Advanced --> User Field (uid=user_name)


Service Now configuration:

Service now should have these below values

NameID Policy(SP) same as NameID Format (IDP)


Value in the User Field is same as what IDP have in Service Now Assertion processing --> Attribute Mapper --> Attribute MAP i.e(uid=user_name)


other points to consider is users who are not in SNOW wont be able to login to SNOW if that user does not exists in the SNOW.

foegerock openam error Unable to do sso or federation. com.sun.identity.saml2.common.SAML2Exception: Provider's signing certificate alias is missing.

debug log error
Unable to do sso or federation. com.sun.identity.saml2.common.SAML2Exception: Provider's signing certificate alias is missing.


your IDP is missing certificate that is required by server to sign SAMLrequest.

solution:
configure idp with x509 certificate
reconfigure idp with pre-configure "Signing Key"(option you will get when configuring IDP)

opends enabling replication opendj

to change server names follow below link
https://backstage.forgerock.com/knowledge/kb/book/b73824898#a87750034


to enable replication used below commands


./dsreplication configure --adminUid admin --adminPassword Passw0rd1 --baseDn dc=orasystemsusa,dc=com --host1 dsA.example.com --port1 5444 --bindDn1 "cn=Directory Manager" --bindPassword1 Password --replicationPort1 8989 --host2 dsB.example.com--port2 5444 --bindDn2 "cn=Directory Manager" --bindPassword2 Passwrd --replicationPort2 8989 --trustAll --no-prompt


./dsreplication initialize --baseDN dc=orasystemsusa,dc=com --adminUID admin --adminPassword Password --hostSource dsA.example.com --portSource 5444 --hostDestination dsB.example.com --portDestination 5444 --trustAll --no-prompt


./dsreplication status --adminUID admin --adminPassword Password --hostname dsA.example.com --port 5444 --trustAll

OpenIDM LDAP connector types (LiveSync, Implicit Sync)

1. LiveSync:
                    It sync changes from LDAP to OpenIDM  ( LDAP --> OpenIDM)

2. Implicit Sync:
                           It sync changes from IDM to LDAP (OpenIDM --> OpenDJ)

openidm error SEVERE: OpenICF connector test of SystemIdentifier{ uri='system/ldap/'} failed!

Error while configuring OpenAM with OpenDJ

SEVERE: OpenICF connector test of SystemIdentifier{ uri='system/ldap/'} failed!


Solution:

Issues could be IDM is unable to reach OpenDJ

check the following if ds server information is correct

1. DNS name resolution
2. openidm/db/ds/conf/repo.ds-external.json

forgerock OpenIDM and OpenAM integration error "accountClaiming" "Access Denied"

After integrating OpenIDM with OpenAM when you try login to OpenIDM admin console you get

accountClaiming at the url and "Access Denied" error.

Solution:

During integration you should have specified value of "Authorized OIDC SSO Clients"

if you missed this you will get his error. This property is located at


Services --> Oauth2 Provider --> Advanced OpenID Connect

enter value "openidm" at the value of  "Authorized OIDC SSO Clients"

and SAVE

Now if you try to login to the console. You should be able to login to the IDM console with openam username. Any user you are trying to login with should exist in OpenDJ

 

OpenIDM and OpenAM integration error redirect_uri_mismatch

During integration of OpenIDM and OpenAM, once you change the Directory services from local to OpenDJ you will get this error when you try to login.

Solution:

login to OpenAM
click on Top Level realm
from left side select Applications --> OAuth 2.0

on CORE tab go to Redirection URIs
enter the url you think you have put during "Configure Forgerock Identity Provider" section "Configure Access Management" property "Redirection URIs" value

correcting this value will fix this error