Sunday, May 31, 2020
Saturday, May 9, 2020
ApacheDirectoryStudio: A Java Runtime Environment (JRE) or Java Development Kit (JDK) must be available in order to run ApacheDirectoryStudio. No Java virtual machine was found after searching the following locations
Error
ApacheDirectoryStudio
A Java Runtime Environment (JRE) or Java Development Kit (JDK)
must be available in order to run ApacheDirectoryStudio. No Java virtual machine was found
after searching the following locations:
C:\Program Files\Apache Directory Studio\jre\bin\javaw.exe
javaw.exe in your current PATH
If you install plain Java, you will get the error below:
ApacheDirectoryStudio
Java was started but returning exit code=13
C:/Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
-Dosgi.requiredJavaVersion=1.8
-jar C:/Program Files\Apache Directory
Studio\\plugins/org.eclipse.equinox.launcher_1.5.700.v20200207-215.jar
-os win32
-ws win32
..........
.
Solution:
The issue is that Apache Directory Studio is looking for a JDK. The Apache Directory Studio installation documentation also says that JDK 1.8 or newer must be installed.
Download the JDK and install it. Once the JDK installation has finished, start Apache Directory Studio and it will work.
Here is the link to download JDK 1.8:
https://www.oracle.com/java/technologies/javase/javase-jdk8-downloads.html
Wednesday, April 29, 2020
Basic OpenDJ LDAP commands
Search for a User
./ldapsearch --hostname ds1.avantastech.com --port 1389 --baseDN "ou=People,dc=avantastech,dc=com" uid=user.1
Change a Password for a User
./ldappasswordmodify -p 1389 -D "cn=directory manager" -w Password -a "dn:uid=user.19,ou=People,dc=avantastech,dc=com" -n changeit
Access OpenDJ configurations
./dsconfig --hostname ds1.avantastech.com --port 4444 --bindDN "cn=directory manager" --bindPassword Password --trustAll
Create a Backup
./backup --backUpAll --backupDirectory /app/forgerock/opendj/backup --port 4444 --bindDN "cn=directory manager" --bindPassword Password --trustAll --no-prompt
Restore UserRoot from a Backup
./opendj/bin/restore -p 4444 -D "cn=directory manager" -w Password -d /app/forgerock/opendj/backup/userRoot --trustAll
Export ldif File
./export-ldif --port 4444 --backendId userRoot --ldifFile /app/forgerock/backup/ldif-file/users.ldif --bindDN "cn=directory manager" --bindPassword Password --trustAll --no-prompt
Get Password Policy
./dsconfig get-password-policy-prop --policy-name "Default Password Policy" -h ds1.avantastech.com -D "cn=directory manager" -w Password -p 4444 --trustAll --no-prompt
Get OpenDJ Server ID
./dsconfig get-global-configuration-prop --hostname ds1.avantastech.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword Password --property server-id --trustAll --no-prompt
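The commands above pass the Directory Manager password as a command-line argument and use --trustAll, which accepts any server certificate. The following audit script is an added example, not part of the original post: it flags both patterns in saved scripts or shell history, and its last sample line is constructed, with placeholder paths, to show the --bindPasswordFile and --trustStorePath form that passes the audit.

```python
import os
import shlex

# Long options (compared lower-cased) whose value is a secret.
SECRET_LONG = {"--bindpassword", "--bindpassword1", "--bindpassword2",
               "--adminpassword", "--newpassword", "--currentpassword"}
# -w carries a password in every tool used above; -n and -c are passwords only in
# ldappasswordmodify (in dsconfig and dsreplication, -n is --no-prompt).
SECRET_SHORT = {"ldappasswordmodify": {"-w", "-n", "-c"}}
DEFAULT_SHORT = {"-w"}


def audit_command(line):
    """Return (finding, option) pairs for one command line; secrets are never echoed."""
    tokens = shlex.split(line)
    if not tokens:
        return []
    short = SECRET_SHORT.get(os.path.basename(tokens[0]), DEFAULT_SHORT)
    findings, i = [], 1
    while i < len(tokens):
        name, eq, _ = tokens[i].partition("=")
        if name.lower() in SECRET_LONG or tokens[i] in short:
            if eq or i + 1 < len(tokens):
                findings.append(("inline-secret", name))
            i += 1 if eq else 2  # skip the value so it is never inspected
            continue
        if name.lower() == "--trustall":
            findings.append(("no-cert-validation", name))
        i += 1
    return findings


# Two command lines from this page, plus one constructed line that reads the
# password from a file and validates the server certificate against a trust
# store (the file paths are placeholders).
SAMPLES = [
    './ldappasswordmodify -p 1389 -D "cn=directory manager" -w Password '
    '-a "dn:uid=user.19,ou=People,dc=avantastech,dc=com" -n changeit',
    './dsconfig --hostname ds1.avantastech.com --port 4444 '
    '--bindDN "cn=directory manager" --bindPassword Password --trustAll',
    './dsconfig get-global-configuration-prop --hostname ds1.avantastech.com --port 4444 '
    '--bindPasswordFile /path/to/pwd.txt --trustStorePath /path/to/truststore -n',
]

if __name__ == "__main__":
    for cmd in SAMPLES:
        print(cmd.split()[0], audit_command(cmd))
```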
Monday, April 20, 2020
ForgeRock OpenDJ ERROR: The Directory Server could not acquire an exclusive lock on file
It looks like your server was shut down abnormally.
Solution:
Either shut down the server again or remove the server.lock file under the locks folder.
Start the server. This will resolve the issue.
Tuesday, February 11, 2020
ServiceNow integration with ForgeRock OpenAM
1. Create the IDP metadata from ForgeRock OpenAM. Make sure the NameID Format is the same as in ServiceNow. Your metadata should contain the x509 certificate that SAML requires to sign the request. If you are not using your own certificate, make sure to select the default certificate offered by ForgeRock AM.
2. Send the metadata to ServiceNow.
3. Import the ServiceNow metadata (SP) into the ForgeRock AM servers, then make changes to the SP metadata: click on the ServiceNow metadata, go to Assertion Processing, and in the Attribute Mapper enter the attribute you have in ServiceNow under Advanced --> User Field (uid=user_name).
ServiceNow configuration:
ServiceNow should have the values below:
NameID Policy (SP) is the same as NameID Format (IDP).
The value in the User Field is the same as what the IDP has for ServiceNow under Assertion Processing --> Attribute Mapper --> Attribute Map, i.e. (uid=user_name).
Another point to consider: users who do not exist in ServiceNow (SNOW) will not be able to log in to SNOW.
Monday, February 10, 2020
ForgeRock OpenAM error: Unable to do sso or federation. com.sun.identity.saml2.common.SAML2Exception: Provider's signing certificate alias is missing.
Debug log error:
Unable to do sso or federation. com.sun.identity.saml2.common.SAML2Exception: Provider's signing certificate alias is missing.
Your IDP is missing the certificate that the server requires to sign the SAML request.
Solution:
Configure the IDP with an x509 certificate.
Reconfigure the IDP with the pre-configured "Signing Key" (an option you will get when configuring the IDP).
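Both the NameID Format requirement in the ServiceNow post and the missing signing certificate described here can be checked on the metadata files before they are exchanged. The following pre-flight check is an added example, not ForgeRock or ServiceNow code: the function names are hypothetical, the sample metadata is constructed and trimmed to the elements the check reads, and it assumes an IDP without a signing key exports metadata with no signing KeyDescriptor.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_metadata(xml_text):
    # Metadata comes from another party: refuse DTDs so no entities are declared or expanded.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not allowed in metadata")
    return ET.fromstring(xml_text)

def name_id_formats(root, role):
    return {e.text.strip() for e in root.findall(f".//md:{role}/md:NameIDFormat", NS) if e.text}

def has_signing_cert(root):
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor with no "use" attribute serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and (cert.text or "").strip():
                return True
    return False

def preflight(idp_xml, sp_xml):
    idp, sp = parse_metadata(idp_xml), parse_metadata(sp_xml)
    problems = []
    if not has_signing_cert(idp):
        problems.append("IdP metadata has no signing certificate")
    idp_fmts = name_id_formats(idp, "IDPSSODescriptor")
    sp_fmts = name_id_formats(sp, "SPSSODescriptor")
    if not idp_fmts & sp_fmts:
        problems.append(f"no common NameIDFormat: IdP={sorted(idp_fmts)} SP={sorted(sp_fmts)}")
    return problems

# Constructed sample metadata (entity IDs and certificate text are placeholders).
UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
KEY = ('<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>'
       'PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>')

def sample(role, fmt, key=""):
    return (f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
            f'entityID="https://{role.lower()}.example.com"><md:{role}>{key}'
            f'<md:NameIDFormat>{fmt}</md:NameIDFormat></md:{role}></md:EntityDescriptor>')

if __name__ == "__main__":
    print(preflight(sample("IDPSSODescriptor", UNSPEC, KEY), sample("SPSSODescriptor", UNSPEC)))
    print(preflight(sample("IDPSSODescriptor", TRANSIENT), sample("SPSSODescriptor", UNSPEC)))
```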
Saturday, February 8, 2020
Enabling replication in OpenDS / OpenDJ
To change server names, follow the link below:
https://backstage.forgerock.com/knowledge/kb/book/b73824898#a87750034
To enable replication, use the commands below:
./dsreplication configure --adminUID admin --adminPassword Passw0rd1 --baseDN dc=orasystemsusa,dc=com --host1 dsA.example.com --port1 5444 --bindDN1 "cn=Directory Manager" --bindPassword1 Password --replicationPort1 8989 --host2 dsB.example.com --port2 5444 --bindDN2 "cn=Directory Manager" --bindPassword2 Passwrd --replicationPort2 8989 --trustAll --no-prompt
./dsreplication initialize --baseDN dc=orasystemsusa,dc=com --adminUID admin --adminPassword Password --hostSource dsA.example.com --portSource 5444 --hostDestination dsB.example.com --portDestination 5444 --trustAll --no-prompt
./dsreplication status --adminUID admin --adminPassword Password --hostname dsA.example.com --port 5444 --trustAll