When setting up an OpenAM infrastructure, it is common to have more than one environment; Development, Test/Acceptance and Production environments are typical. One question that arises is: how do I move my configuration from the Acceptance to the Production environment?
The answer to this question has to do with deployment practices. For OpenAM there are two ways to configure the system: the web GUI and the CLI (Command Line Interface).
The recommended practice is to script the installation by using the CLI (ssoadm). This way the configuration can be redeployed at any time and in different environments; it also helps enforce deployment practices and maintains live documentation of the existing configuration.
The scripts can be as simple or as complex as needed, depending on how much of the deployment you want to automate. Some administrators use simple scripts containing the specific ssoadm commands together with the parameters for the environment. Others keep a generic set of scripts and use properties files as input for the configuration scripts of each specific environment.
The Command Line Reference shows the available ssoadm sub-commands and parameters:
Examples of typical configuration commands are:
Create a Data Store configuration for a realm
(Where datastore_info.text contains the parameters to configure the Data Store)
Here is an example of a script that deploys a specific environment. This is just an illustrative example, and the complexity of a script for a production environment can change depending on the features used. This example applies to a Linux environment, but a similar bat file can be created for a Windows environment:
Another way to execute ssoadm commands is by using the do-batch subcommand.
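The properties-file approach and the do-batch subcommand described above can be combined as follows. This is an added example, not a script from the original post: the file names, property keys, the `@KEY@` placeholder syntax and the default password-file path are assumptions.

```shell
#!/bin/sh
# Added example. File names, property keys and the @KEY@ placeholder syntax
# are assumptions; batch lines are ssoadm subcommands without the "ssoadm" prefix.

# render_batch TEMPLATE PROPS OUT: substitute @KEY@ with values from PROPS
# (key=value lines). Returns 2 if a placeholder is left unresolved, so a
# missing property cannot silently produce a half-configured environment.
render_batch() {
    tmpl=$1 props=$2 out=$3
    cp "$tmpl" "$out" || return 1
    while IFS='=' read -r key value; do
        case $key in ''|'#'*) continue ;; esac
        # Escape \, & and | so the value is taken literally by sed
        esc=$(printf '%s' "$value" | sed 's/[\\&|]/\\&/g')
        sed "s|@${key}@|${esc}|g" "$out" > "$out.tmp" && mv "$out.tmp" "$out"
    done < "$props"
    if grep -q '@[A-Z0-9_][A-Z0-9_]*@' "$out"; then
        echo "unresolved placeholder in $out" >&2
        return 2
    fi
}

# check_pwfile FILE: keep the admin password file at mode 400 (owner read-only)
check_pwfile() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = 400 ]
}

# deploy ENV: expects ENV.properties next to openam.batch.tmpl
deploy() {
    env=$1 pwfile=${PWFILE:-$HOME/.ssoadm_pw}
    check_pwfile "$pwfile" || { echo "$pwfile must be mode 400" >&2; return 1; }
    render_batch openam.batch.tmpl "$env.properties" "$env.batch" || return 1
    ssoadm do-batch --adminid amadmin --password-file "$pwfile" \
        --batchfile "$env.batch" --batchstatus "$env.status"
}
# Usage: deploy acceptance   or   deploy production
```

The same template then serves every environment, and the only files that differ between Acceptance and Production are the properties file and the password file.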
More complex scripted deployment
A more complex set of automation scripts can include the installation and deployment of the whole environment. For example, this would be a list of generic tasks:
- Install your web container
- Tune your Web Container JVM parameters
- Install OpenDJ, configure schema, set JVM parameters
- Configure the indexes for the OpenDJ
- Load the OpenDJ data
- Deploy the OpenAM war in the web container
- Perform the initial OpenAM Configuration (using the configurator.jar and the silent installation)
- Deploy the ssoadm CLI
- Configure OpenAM (using ssoadm commands)
- Create site
- Configure realm
- Add authentication configuration
- Configure global services
- Configure data stores
- Configure Federation
Each of the tasks described above can be scripted and the input for the scripts can be obtained from a properties file and templates for the installation.
How do I script an existing environment that was deployed using the GUI?
If you want to export the configuration of an existing deployment, you can export the whole configuration with one command. However, that does not give you the details of each step, nor the flexibility to adjust the configuration to a specific environment, because the output is one big XML file containing all the services.
The approach should be to deploy the OpenAM of a production environment from the beginning using scripts.
However, if you want to copy a specific part of the configuration from one environment to another, you could use a specific ssoadm command that will provide you with an output that can be reused as the input for an ssoadm command in another environment.
Here are some examples of such commands:
- Data Store Configuration
- Edit the necessary attributes (for example the password for the bind user)
Load the configuration in the other environment with a command like:
- Authentication Configuration
List authentication instances in a realm, i.e. list the authentication modules defined in a realm
List a specific authentication instance configuration:
Create an equivalent instance in the destination environment (for example LDAP)
Edit the output of get-auth-instance as needed (for example the bind password) and import it into the destination system
- Policy Configuration
List the policies defined in a specific realm. For example, list the policies in the top realm / and write the output to a file named Policies
- Edit the output of the command above, for example remove the text header
Import the policies in the destination environment by using the file policies as the input to create-policies
Notice that the above command will not be executed if a policy already exists.
If your policies are already defined and they need to be updated, do:
Notice that updating the policies will only update the existing policies and will leave untouched the ones that are not defined in the XML file.
If you want to start from scratch, delete the policies first and create them again.
- Agent configuration
List the agent groups of a realm
List the specific configuration of a policy agent and store the output in a file called apache_agent_output_config:
Create an agent using as input the file named apache_agent_output_config:
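The "edit the necessary attributes" step for the Data Store and Authentication Configuration above can be scripted so that a bind password from the source environment never reaches the destination. This is an added example, not part of the original post: the function name, the name=value file layout and the sample attribute values are assumptions.

```shell
#!/bin/sh
# Added example. Attribute names in the sample are constructed input; the
# file layout (name=value per line) is an assumption about the export.

# retarget EXPORT OVERRIDES OUT
#   EXPORT    attribute file saved from the source environment
#   OVERRIDES name=value lines holding the values for the destination
#   OUT       file to pass to the create/update command on the destination
# Every password-like attribute in EXPORT must be overridden; otherwise the
# function returns 3 and leaves no output file behind.
retarget() {
    src=$1 overrides=$2 out=$3
    ( umask 077      # OUT holds a bind password: create it as 0600
      awk -F= '
        FILENAME == ARGV[1] {              # first file: collect overrides
            if ($0 !~ /^#/ && index($0, "=")) new[$1] = new[$1] $0 "\n"
            next
        }
        !index($0, "=") { next }           # drop header text and blank lines
        ($1 in new) {                      # replace all values of this key once
            if (!seen[$1]++) printf "%s", new[$1]
            next
        }
        tolower($1) ~ /pw|passw|secret/ { leaked = leaked " " $1; next }
        { print }
        END { if (leaked) { print "no override for:" leaked > "/dev/stderr"; exit 3 } }
      ' "$overrides" "$src" > "$out" ) && return 0
    rc=$?
    rm -f "$out"
    return "$rc"
}
```

Keep the overrides file for each environment outside version control and readable only by the deployment account, since it carries that environment's bind password.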