
Saturday, September 12, 2020

Installing Forgerock Directory Server V7 on AWS


 

Steps I have followed

Install JDK 11:

yum install java-11-openjdk-devel

Generate a deployment key with dskeymgr (from the opendj/bin directory). The --deploymentKeyPassword you give to setup later must be the same one the key was created with:

./dskeymgr create-deployment-key --deploymentKeyPassword Password

Export the deployment key that the previous command printed:

export DEPLOYMENT_KEY=<deployment key generated by the previous command>

Unzip DS-7.0.0, cd to the opendj directory, and run the command below:

./setup \
 --deploymentKey $DEPLOYMENT_KEY \
 --deploymentKeyPassword Passw0rd1 \
 --rootUserDN uid=admin \
 --rootUserPassword Passw0rd1 \
 --monitorUserPassword Passw0rd1 \
 --hostname ds1.avantatech.com \
 --adminConnectorPort 4444 \
 --ldapPort 1389 \
 --enableStartTls \
 --ldapsPort 1636 \
 --httpsPort 8443 \
 --profile am-identity-store \
 --set am-identity-store/amIdentityStoreAdminPassword:Passw0rd1 \
 --acceptLicense \
 --start-ds

If you don't have a trusted certificate, relax the password policy by running ./dsconfig: the session below sets require-secure-authentication to false on the Root Password Policy so that uid=admin can bind over the non-TLS LDAP port. Re-enable it once a proper certificate is in place.



[iamuser@ip-172-31-42-151 bin]$ ./dsconfig


>>>> Specify OpenDJ LDAP connection parameters

Directory server hostname or IP address
[ip-172-31-42-151.us-east-2.compute.internal]: ds1.avantastech.com

Directory server administration port number [4444]:

Administrator user bind DN [uid=admin]:

Password for user 'uid=admin':


The certificate 'CN=DS, O=ForgeRock.com' is not trusted for the following reason: unable to find valid certification path to requested target

Server Certificate:

User DN  : CN=DS, O=ForgeRock.com
Validity : From 'Tue Sep 01 23:25:54 UTC 2020'
             To 'Wed Sep 01 23:25:54 UTC 2021'
Issuer   : CN=Deployment key, O=ForgeRock.com


User DN  : CN=Deployment key, O=ForgeRock.com
Validity : From 'Tue Sep 01 23:12:45 UTC 2020'
             To 'Fri Aug 30 23:12:45 UTC 2030'
Issuer   : CN=Deployment key, O=ForgeRock.com



Do you trust this server certificate?

  1) No
  2) Yes, for this session only
  3) Yes, also add it to a truststore
  4) View certificate details

Enter choice: [1]: 3


The certificate 'CN=DS, O=ForgeRock.com' is not trusted for the following reason: No subject alternative DNS name matching ds1.avantastech.com found.

Server Certificate:

User DN  : CN=DS, O=ForgeRock.com
Validity : From 'Tue Sep 01 23:25:54 UTC 2020'
             To 'Wed Sep 01 23:25:54 UTC 2021'
Issuer   : CN=Deployment key, O=ForgeRock.com


User DN  : CN=Deployment key, O=ForgeRock.com
Validity : From 'Tue Sep 01 23:12:45 UTC 2020'
             To 'Fri Aug 30 23:12:45 UTC 2030'
Issuer   : CN=Deployment key, O=ForgeRock.com



Do you trust this server certificate?

  1) No
  2) Yes, for this session only
  3) Yes, also add it to a truststore
  4) View certificate details

Enter choice: [1]: 3



>>>> OpenDJ configuration console main menu

What do you want to configure?

    1)   Access Control Handler               22)  Log Publisher
    2)   Access Log Filtering Criteria        23)  Log Retention Policy
    3)   Account Status Notification Handler  24)  Log Rotation Policy
    4)   Administration Connector             25)  Mail Server
    5)   Alert Handler                        26)  Password Generator
    6)   Backend                              27)  Password Policy
    7)   Backend Index                        28)  Password Storage Scheme
    8)   Backend VLV Index                    29)  Password Validator
    9)   Certificate Mapper                   30)  Plugin
    10)  Connection Handler                   31)  Plugin Root
    11)  Crypto Manager                       32)  Replication Domain
    12)  Debug Target                         33)  Replication Server
    13)  Entry Cache                          34)  Root DSE Backend
    14)  Extended Operation Handler           35)  SASL Mechanism Handler
    15)  Global Access Control Policy         36)  Schema Provider
    16)  Global Configuration                 37)  Service Discovery Mechanism
    17)  Group Implementation                 38)  Synchronization Provider
    18)  HTTP Authorization Mechanism         39)  Trust Manager Provider
    19)  HTTP Endpoint                        40)  Virtual Attribute
    20)  Identity Mapper                      41)  Work Queue
    21)  Key Manager Provider

    a)   show advanced components and properties
    q)   quit

Enter choice: 27


>>>> Password Policy management menu

What would you like to do?

    1)  Create a new Password Policy
    2)  View and edit an existing Password Policy
    3)  Delete an existing Password Policy
    4)  List existing Password Policies

    a)  show advanced components and properties
    q)  quit
    b)  back

Enter choice [b]: 2


>>>> Select the Authentication Policy from the following list:

    1)  Default Password Policy
    2)  Root Password Policy

    a)  show advanced components and properties
    q)  quit
    c)  cancel

Enter choice [c]: 2


>>>> Configure the properties of the Password Policy "Root Password Policy"

         Property                                   Value(s)
         ----------------------------------------------------------------------
    1)   account-status-notification-handler        -
    2)   allow-expired-password-changes             false
    3)   allow-user-password-changes                true
    4)   default-password-storage-scheme            PBKDF2-HMAC-SHA256
    5)   deprecated-password-storage-scheme         -
    6)   expire-passwords-without-warning           false
    7)   force-change-on-add                        false
    8)   force-change-on-reset                      false
    9)   grace-login-count                          0
    10)  idle-lockout-interval                      0 s
    11)  last-login-time-attribute                  -
    12)  last-login-time-format                     -
    13)  lockout-duration                           0 s
    14)  lockout-failure-count                      0
    15)  lockout-failure-expiration-interval        0 s
    16)  max-password-age                           0 s
    17)  max-password-reset-age                     0 s
    18)  min-password-age                           0 s
    19)  password-attribute                         userPassword
    20)  password-change-requires-current-password  true
    21)  password-expiration-warning-interval       5 d
    22)  password-generator                         -
    23)  password-history-count                     0
    24)  password-history-duration                  0 s
    25)  password-validator                         At least 8 characters,
                                                    Common passwords
    26)  previous-last-login-time-format            -
    27)  require-change-by-time                     -
    28)  require-secure-authentication              true
    29)  require-secure-password-changes            true

    a)   show advanced components and properties
    q)   quit
    c)   cancel
    f)   finish - apply changes
    ?)   help

Enter choice [f]: 28


>>>> Configuring the "require-secure-authentication" property

    Indicates whether users with the associated password policy are required
    to authenticate in a secure manner.

    This might mean either using a secure communication channel between the
    client and the server, or using a SASL mechanism that does not expose the
    credentials.

Do you want to modify the "require-secure-authentication" property?

    1)  Keep the value: true
    2)  Change it to the default value: false
    3)  Specify a new value or expression

    q)  quit
    ?)  help

Enter choice [1]: 2

Press RETURN to continue


>>>> Configure the properties of the Password Policy "Root Password Policy"

         Property                                   Value(s)
         ----------------------------------------------------------------------
    1)   account-status-notification-handler        -
    2)   allow-expired-password-changes             false
    3)   allow-user-password-changes                true
    4)   default-password-storage-scheme            PBKDF2-HMAC-SHA256
    5)   deprecated-password-storage-scheme         -
    6)   expire-passwords-without-warning           false
    7)   force-change-on-add                        false
    8)   force-change-on-reset                      false
    9)   grace-login-count                          0
    10)  idle-lockout-interval                      0 s
    11)  last-login-time-attribute                  -
    12)  last-login-time-format                     -
    13)  lockout-duration                           0 s
    14)  lockout-failure-count                      0
    15)  lockout-failure-expiration-interval        0 s
    16)  max-password-age                           0 s
    17)  max-password-reset-age                     0 s
    18)  min-password-age                           0 s
    19)  password-attribute                         userPassword
    20)  password-change-requires-current-password  true
    21)  password-expiration-warning-interval       5 d
    22)  password-generator                         -
    23)  password-history-count                     0
    24)  password-history-duration                  0 s
    25)  password-validator                         At least 8 characters,
                                                    Common passwords
    26)  previous-last-login-time-format            -
    27)  require-change-by-time                     -
    28)  require-secure-authentication              false
    29)  require-secure-password-changes            true

    a)   show advanced components and properties
    q)   quit
    c)   cancel
    f)   finish - apply changes
    ?)   help

Enter choice [f]:

The Password Policy was modified successfully

The equivalent non-interactive command-line is:
dsconfig set-password-policy-prop \
          --policy-name Root\ Password\ Policy \
          --set require-secure-authentication:false \
          --hostname ds1.avantastech.com \
          --port 4444 \
          --bindDn uid=admin \
          --bindPassword ****** \
          --trustAll \
          --no-prompt

Press RETURN to continue


>>>> Password Policy management menu

What would you like to do?

    1)  Create a new Password Policy
    2)  View and edit an existing Password Policy
    3)  Delete an existing Password Policy
    4)  List existing Password Policies

    a)  show advanced components and properties
    q)  quit
    b)  back

Enter choice [b]: q
[iamuser@ip-172-31-42-151 bin]$
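To find out whether that relaxation (or other weak settings) is still in place once a trusted certificate has been installed, here is an added Python audit that is not part of the original post or of ForgeRock's tooling. It parses the property table that dsconfig prints, handling the multi-line password-validator value, and flags the settings a reviewer would question; the sample table and the audit thresholds are constructed for this example.

```python
import re

# Constructed sample (not real server output): the property table that
# `dsconfig get-password-policy-prop` prints, mirroring the post's session
# after require-secure-authentication was switched to false.
SAMPLE_OUTPUT = """\
         Property                                   Value(s)
         ----------------------------------------------------------------------
    4)   default-password-storage-scheme            PBKDF2-HMAC-SHA256
    13)  lockout-duration                           0 s
    14)  lockout-failure-count                      0
    16)  max-password-age                           0 s
    25)  password-validator                         At least 8 characters,
                                                    Common passwords
    28)  require-secure-authentication              false
    29)  require-secure-password-changes            true
    f)   finish - apply changes
"""

# One table row: "<n>)  <property-name>  <value(s)>"
ROW = re.compile(r"^\s*\d+\)\s+(\S+)\s{2,}(.*?)\s*$")

def parse_policy_table(text):
    """Parse the numbered property table into {property: [values]}.
    A line starting deep in the value column with no 'n)' prefix continues
    the previous property's multi-valued setting (e.g. password-validator)."""
    props, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line)
        indent = len(line) - len(line.lstrip())
        if m:
            current = m.group(1)
            props[current] = [m.group(2).rstrip(",")]
        elif current and line.strip() and indent >= 20:
            props[current].append(line.strip().rstrip(","))
        else:
            current = None  # blank line or menu entry ends the table
    return props

def audit_policy(props):
    """Return reviewer findings for settings that weaken authentication.
    The checks and thresholds are this example's assumptions, not DS defaults."""
    def first(name, default):
        return props.get(name, [default])[0]
    findings = []
    if first("require-secure-authentication", "true") == "false":
        findings.append("require-secure-authentication=false: binds under this "
                        "policy may send the password in cleartext over the LDAP port")
    if first("lockout-failure-count", "0") == "0":
        findings.append("lockout-failure-count=0: no lockout after repeated failed binds")
    if first("max-password-age", "0 s") == "0 s":
        findings.append("max-password-age=0 s: passwords never expire")
    return findings
```

Feed it the real output of dsconfig get-password-policy-prop for each policy (Default and Root) to get a finding list per policy.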

Now connect to the Directory Server using Apache Directory Studio or any other LDAP client.



Saturday, May 9, 2020

ApacheDirectoryStudio: A Java Runtime Environment (JRE) or Java Development Kit (JDK) must be available in order to run ApacheDirectoryStudio. No Java virtual machine was found after searching the following locations

Error
ApacheDirectoryStudio

A Java Runtime Environment (JRE) or Java Development Kit (JDK)
must be available in order to run ApacheDirectoryStudio. No Java virtual machine was found
after searching the following locations:
C:\Program Files\Apache Directory Studio\jre\bin\javaw.exe
javaw.exe in your current PATH


If you install only a plain JRE, you will get the error below:

ApacheDirectoryStudio

Java was started but returning exit code=13
C:/Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe
-Dosgi.requiredJavaVersion=1.8
-jar C:/Program Files\Apache Directory
Studio\\plugins/org.eclipse.equinox.launcher_1.5.700.v20200207-215.jar
-os win32
-ws win32
..........
.


Solution:
The issue is that Apache Directory Studio is looking for a JDK. The Apache Directory Studio installation documentation also states that JDK 1.8 or newer must be installed.

Download and install the JDK. Once the JDK installation is finished, start Apache Directory Studio; it will work.

Here is the link to download JDK 1.8:
https://www.oracle.com/java/technologies/javase/javase-jdk8-downloads.html


Wednesday, April 29, 2020

basic opendj ldap commands



./ldapsearch --hostname ds1.avantastech.com --port 1389 --baseDN "ou=People,dc=avantastech,dc=com"  uid=user.1


Change a Password for a User
./ldappasswordmodify -p 1389  -D "cn=directory manager" -w Password -a "dn:uid=user.19,ou=People,dc=avantastech,dc=com" -n changeit


Access OpenDJ configurations

./dsconfig --hostname ds1.avantastech.com --port 4444 --bindDN "cn=directory manager" --bindPassword Password --trustAll

Create a Backup
./backup --backUpAll --backupDirectory /app/forgerock/opendj/backup --port 4444 --bindDn "cn=directory manager" --bindPassword Password --trustAll --no-prompt



Restore userRoot from a Backup

./opendj/bin/restore -p 4444 -D "cn=directory manager" -w Password -d /app/forgerock/opendj/backup/userRoot --trustAll

Export ldif File
./export-ldif --port 4444 --backendId userRoot --ldifFile /app/forgerock/backup/ldif-file/users.ldif --bindDN "cn=directory manager" --bindPassword Password --trustAll --no-prompt

Get Password Policy
./dsconfig get-password-policy-prop --policy-name "Default Password Policy" -h ds1.avantastech.com -D "cn=directory manager" -w Password -p 4444 --trustAll --no-prompt


Get OpenDJ Server ID

./dsconfig get-global-configuration-prop --hostname ds1.avantastech.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword Password --property server-id --trustAll --no-prompt

Monday, April 20, 2020

Forgerock opendj ERROR: The Directory Server could not acquire an exclusive lock on file


It looks like your server was shut down abnormally.

Solution:
Either shut the server down again (cleanly) or remove the server.lock file under the locks folder.

Then start the server. That will resolve the issue.

Tuesday, February 11, 2020

Service Now integration with Forgerock OpenAM



1. Create IDP metadata in ForgeRock OpenAM. Make sure the NameID Format is the same as the one ServiceNow uses. Your metadata should contain the X.509 certificate that SAML requires to sign the request; if you are not using your own certificate, make sure to select the default certificate offered by ForgeRock AM.

2. Send the metadata to ServiceNow.
3. Import the ServiceNow (SP) metadata into the ForgeRock AM servers, then edit the SP metadata: click on the ServiceNow metadata, go to Assertion Processing, and in the Attribute Mapper enter the attribute you have in ServiceNow under Advanced --> User Field (uid=user_name).


ServiceNow configuration:

ServiceNow should have these values:

NameID Policy (SP) the same as the NameID Format (IDP)

The value in the User Field is the same as what the IDP has in the ServiceNow Assertion Processing --> Attribute Mapper --> Attribute Map, i.e. (uid=user_name)

Another point to consider: users who do not exist in SNOW won't be able to log in to SNOW.


Monday, February 10, 2020

forgerock openam error Unable to do sso or federation. com.sun.identity.saml2.common.SAML2Exception: Provider's signing certificate alias is missing.


Debug log error:
Unable to do sso or federation. com.sun.identity.saml2.common.SAML2Exception: Provider's signing certificate alias is missing.

Your IDP is missing the certificate that the server needs to sign the SAML request.

Solution:
Configure the IDP with an X.509 certificate, or
reconfigure the IDP with the pre-configured "Signing Key" (an option you get when configuring the IDP).


Saturday, February 8, 2020

opends enabling replication opendj



To change server names, follow the link below:
https://backstage.forgerock.com/knowledge/kb/book/b73824898#a87750034

To enable replication, use the commands below:

./dsreplication configure --adminUid admin --adminPassword Passw0rd1 --baseDn dc=orasystemsusa,dc=com --host1 dsA.example.com --port1 5444 --bindDn1 "cn=Directory Manager" --bindPassword1 Password --replicationPort1 8989 --host2 dsB.example.com --port2 5444 --bindDn2 "cn=Directory Manager" --bindPassword2 Passwrd --replicationPort2 8989 --trustAll --no-prompt


./dsreplication initialize --baseDN dc=orasystemsusa,dc=com --adminUID admin --adminPassword Password --hostSource dsA.example.com --portSource 5444 --hostDestination dsB.example.com --portDestination 5444 --trustAll --no-prompt


./dsreplication status --adminUID admin --adminPassword Password --hostname dsA.example.com --port 5444 --trustAll

Tuesday, January 28, 2020

OpenIDM LDAP connector types (LiveSync, Implicit Sync)


1. LiveSync:
   Syncs changes from LDAP to OpenIDM (LDAP --> OpenIDM)

2. Implicit Sync:
   Syncs changes from OpenIDM to LDAP (OpenIDM --> OpenDJ)

Monday, January 27, 2020

openidm error SEVERE: OpenICF connector test of SystemIdentifier{ uri='system/ldap/'} failed!



Error while configuring OpenAM with OpenDJ:

SEVERE: OpenICF connector test of SystemIdentifier{ uri='system/ldap/'} failed!

Solution:

The issue could be that IDM is unable to reach OpenDJ.

Check the following to confirm the DS server information is correct:

1. DNS name resolution
2. openidm/db/ds/conf/repo.ds-external.json


forgerock OpenIDM and OpenAM integration error "accountClaiming" "Access Denied"


After integrating OpenIDM with OpenAM, when you try to log in to the OpenIDM admin console you get

accountClaiming in the URL and an "Access Denied" error.

Solution:

During integration you should have specified the value of "Authorized OIDC SSO Clients".

If you missed this, you will get this error. The property is located at

Services --> OAuth2 Provider --> Advanced OpenID Connect

Enter the value "openidm" under "Authorized OIDC SSO Clients"

and SAVE.

Now if you try to log in to the console, you should be able to log in to the IDM console with an OpenAM username. Any user you try to log in with must exist in OpenDJ.

 

Friday, January 24, 2020

OpenIDM and OpenAM integration error redirect_uri_mismatch

During integration of OpenIDM and OpenAM, once you change the directory service from local to OpenDJ, you will get this error when you try to log in.

Solution:

Log in to OpenAM.
Click on the Top Level Realm.
From the left side select Applications --> OAuth 2.0.

On the CORE tab go to Redirection URIs and
enter the URL you put in during the "Configure ForgeRock Identity Provider" section, under "Configure Access Management", for the "Redirection URIs" property.

Correcting this value will fix the error.