OpenAM Survival Tips Open Identity Summit Summer 2013 #OIS13



Presented by Steve Ferris, VP of Services and ForgeRock Co-Founder at ForgeRock Open Identity Summit, June 2013


Page 1: OpenAM Survival Tips

OpenAM Survival Tips
Open Identity Summit Summer 2013 #OIS13

Page 2

Under the covers in thirty minutes
• Let's explore some of the critical product areas
• Little things can cause big problems

Page 3

Naming Service Internals
• Came from iPlanet RemotePassage & Webtop
• Began to appear in Portal Server 3.0
• Used by OpenAM SDK clients to determine how to communicate with OpenAM
• Can get complex in multi-site, multi-VIP deployments
• Preferred Naming URLs, secondary site URLs, lots to consider
• Not very forgiving

Page 4

Naming Service Calculation
• All down to how the client is going to talk to the server

Page 5

CDSSO Debugging Points

Page 6

CDSSO Debugging
• Capturing the HTTP headers is essential to understanding the end-to-end flow
• HTTP headers will detail where in the flow the problem has occurred
• Where the flow breaks is key to determining the problem
• Server side: CDCServlet debugging
• Policy Agent: Restricted Token debugging

Page 7

CDCServlet Debugging
• Hostname Lookup
  • FQDN of the Policy Agent and any VIPs
• Hostname Reverse Lookup
  • The IP of the interface used by the Policy Agent to contact OpenSSO must match the Policy Agent FQDN
• Agent Profiles
  • All FQDNs used to access a Policy Agent
    agentRootURL=protocol://fqdn:port/

Page 8

CDCServlet Debugging cont…
• Agent Profiles
  • agentRootURL values must be confined to a single Agent Profile
  • Duplication will lead to errors when the restriction is validated

    # Count the Agent Profiles that claim a given agentRootURL (the -w value is the slide's placeholder)
    ldapsearch -b "ou=web_agent,ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,o=amroot" \
      -D "cn=directory manager" -w password -h am4 -p 390 \
      sunIdentityServerDeviceKeyValue=agentRootURL=https://am.internal.forgerock.com:443/ dn | grep dn | wc -l

Return value must be 1

Page 9

Restricted Token Operations
• Agent Profile validation using Application Token
  • Ensures the Principal of the token matches that in the restriction
• Request URL validation using IP/Hostname
  • Ensures the IP/Hostname in the request matches that in the restriction

Caution: Duplicate agentRootURL values can lead to the wrong Agent Profile being found and restrictions being invalid.

Caution: Hostname must be resolvable else Exceptions will lead to restrictions being invalid.
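An added example, not from the deck, that scripts the two pre-flight checks from slides 7 to 9: that no agentRootURL is claimed by more than one Agent Profile, and that the agent FQDN resolves and reverse-resolves consistently. The profile entries, the web1/web2/web3 host names and the DNS view are constructed so it runs offline; only the base DN and am.internal.forgerock.com come from the slides.

```python
import socket

# Constructed agent-profile entries: (profile DN, agentRootURL values), standing in
# for what the ldapsearch on slide 8 returns. The second profile wrongly claims the
# same VIP URL as the first, which is the duplication the slides warn about.
AGENT_BASE = "ou=web_agent,ou=default,ou=OrganizationConfig,ou=1.0,ou=AgentService,ou=services,o=amroot"
SAMPLE_PROFILES = [
    ("ou=web1-agent," + AGENT_BASE, ["https://am.internal.forgerock.com:443/",
                                     "https://web1.internal.forgerock.com:443/"]),
    ("ou=web2-agent," + AGENT_BASE, ["https://am.internal.forgerock.com:443/"]),
    ("ou=web3-agent," + AGENT_BASE, ["https://web3.internal.forgerock.com:443/"]),
]

def duplicate_root_urls(profiles):
    """Return {agentRootURL: [profile DNs]} for every URL claimed by more than one
    Agent Profile. Empty means the 'return value must be 1' rule holds for all URLs."""
    owners = {}
    for dn, urls in profiles:
        for url in urls:
            owners.setdefault(url, []).append(dn)
    return {url: dns for url, dns in owners.items() if len(dns) != 1}

def check_agent_hostname(agent_fqdn, forward=socket.gethostbyname, reverse=socket.gethostbyaddr):
    """Slide 7 checks: the agent FQDN must resolve, and the address it resolves to must
    reverse back to that FQDN. Returns (ok, reason)."""
    try:
        ip = forward(agent_fqdn)
    except OSError as exc:  # unresolvable host: the lookup throws and the restriction is invalid
        return False, f"forward lookup failed for {agent_fqdn}: {exc}"
    try:
        rev_name, aliases, _ = reverse(ip)
    except OSError as exc:
        return False, f"reverse lookup failed for {ip}: {exc}"
    names = {n.lower() for n in [rev_name, *aliases]}
    if agent_fqdn.lower() not in names:
        return False, f"{ip} reverses to {rev_name}, not {agent_fqdn}"
    return True, f"{agent_fqdn} -> {ip} -> {rev_name}"

# Constructed DNS view so the example runs offline; omit the two resolver arguments to use real DNS.
FAKE_A = {"web1.internal.forgerock.com": "10.0.0.11", "web2.internal.forgerock.com": "10.0.0.12"}
FAKE_PTR = {"10.0.0.11": "web1.internal.forgerock.com", "10.0.0.12": "lb.internal.forgerock.com"}

def fake_forward(name):
    if name not in FAKE_A:
        raise socket.gaierror(f"no A record for {name}")
    return FAKE_A[name]

def fake_reverse(ip):
    if ip not in FAKE_PTR:
        raise socket.herror(f"no PTR record for {ip}")
    return FAKE_PTR[ip], [], [ip]
```

Run with the real resolvers on the OpenAM host itself, since that is the interface whose reverse lookup the CDCServlet performs.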

Page 10

Session Service Client Architecture

Page 11

Session Service Server Architecture

Page 12

Multi Site Deployments
• Multiple sites mean multiple login URLs
  • GSLB can help provide a single login URL and an abstraction layer
  • Good option, can have a single site that spans multiple DCs
• If you are running legacy session failover there are possible pain points
• Latency will be the killer in the end, but you can do things to make things easier

Page 13

Legacy Session Failover Multi Site
• Split MQs into sub-clusters
  • amsfo.conf: only list the local MQ brokers
  • AM patch: allows per-instance MQ broker lists
• Latency can lead to message build-up
  • Monitor the topics and alert on a threshold; use imqcmd
• WAN Firewalls
  • Set MQ to use static ports else BAD things will happen

Page 14

Come and pick my brains

And finally… Sadly no time for Q&A and cannot cover everything in 30 minutes.

So have a question? Please do ask! Here all week!

A great thank you from me, Peach, Pelham and little Porter!

Page 15

The End!