I want better performance running OpenAM on Tomcat application server, thus I spent the effort to configure APR (Apache Portable Runtime) for Tomcat.
As usual (this is not my 1st time), I always encounter this error whenever I start Tomcat after configuration:
Nov 30, 2011 4:01:23 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /am/bin/jdk1.6.0_27/jre/lib/amd64/server:/am/bin/jdk1.6.0_27/jre/lib/amd64:/am/bin/jdk1.6.0_27/jre/../lib/amd64:/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
This is a very silly mistake for not following the instruction carefully.
The resolution is to add the following to catalina.sh:
[am@testMachine bin]$ vi catalina.sh
JAVA_OPTS="-server -Xms2048M -Xmx2048M -Djava.library.path=/usr/local/apr/lib"
.
Wednesday, November 30, 2011
Monday, November 14, 2011
Agent-less SSO
Sometimes, legacy or COTS (commerical off the shelf) web applications cannot be customized to integrate with Policy Agent. That's where ESSO comes into play (and that explains why ESSO solution is never cheap, besides being cumbersome to deploy. of course, my opinion).
BitKoo and OpenIG have solutions that attempt to resolve this issue.
Basically, a Proxy/Gateway is introduced. This is where the access to the actual application is intercepted and password being replayed securely.
In the case of BitKoo, user credential is stored securely in a keystore.
On the other hand, OpenIG (aka ApexIdentity Gateway) integrates, out-of-the-box, with all 3rd party web access management solutions (e.g. OpenAM).
The key point is any web application can come on-board without ever modifying the target application again.
.
BitKoo and OpenIG have solutions that attempt to resolve this issue.
Basically, a Proxy/Gateway is introduced. This is where the access to the actual application is intercepted and password being replayed securely.
In the case of BitKoo, user credential is stored securely in a keystore.
On the other hand, OpenIG (aka ApexIdentity Gateway) integrates, out-of-the-box, with all 3rd party web access management solutions (e.g. OpenAM).
The key point is any web application can come on-board without ever modifying the target application again.
.
Friday, November 11, 2011
Policy Agent debugging
If you have deployed Policy Agent in Centralized mode and have set the debug level to Message, yet when the policy agent container is started and you only see the following:
2011-10-31 09:56:35.408 -1 20816:1f8957d0 all: Version: 3.0-04
2011-10-31 09:56:35.408 -1 20816:1f8957d0 all:
2011-10-31 09:56:35.408 -1 20816:1f8957d0 all: Build Date: Fri Jul 29 00:05:09 BST 2011
2011-10-31 09:56:35.408 -1 20816:1f8957d0 all: Build Machine: constable.internal.forgerock.com
2011-10-31 09:56:35.408 -1 20816:1f8957d0 all: =======================================
The log is very verbose when the debug level is set to Message. Then definitely there is something wrong.
There is one more tweak to it...
Go to the ../Agent_001/config directory and amend the following 2 properties files:
1. OpenSSOAgentBootstrap.properties
2. OpenSSOAgentConfiguration.properties
Look for the following:
# AGENT DEBUG LOG LEVEL
com.sun.identity.agents.config.debug.level = all:5 (default is empty)
Restart your policy agent container. You'll see more log statements.
This method was helpful to me when there was some misconfiguration in the network or load-balancer stickiness issues. Of course, there are many more scenarios that could potentially happen.
.
Wednesday, November 9, 2011
BlackBerry Desktop Software for Mac
With BlackBerry Desktop Software for Mac, synchronizing musics from my iTunes to the smartphone has become a breeze!
Of course, there are Calendar, Contacts, Notes and Tasks sync. But I'm using Google Calendar and not Exchange, so that's not useful for me.
.
If you are deploying SharePoint, this link is very helpful for your pre-sales activities.
There are Foundation, Standard and Enterprise editions. You need to be careful which edition to choose. Otherwise, some features might not be available.
.
Sunday, November 6, 2011
OpenAM Policy Agent - Life Cycle
I always prefer diagram to wordings. Below is an illustration on how a Centralized Agent Configuration works:
When an agent starts up, it reads its bootstrapping file to initialize itself.
OpenSSOAgentBootstrap.properties is stored on the agent machine and indicates the location from where the configuration properties need to be retrieved. Based on the repository setting in OpenSSOAgentBootstrap.properties, it retrieves the rest of its configuration properties. It fetches its configuration from OpenAM Server.
An agent fetches its configuration properties periodically to determine if there have been any configuration changes. Any agent configuration changes made centrally are conveyed to the affected agents, which will react accordingly based on the nature of the updated properties. If the properties affected are hot swappable, the agent can start using the new values without a restart of the underlying agent web container. Notification of the agent when configuration data changes and polling by the agent for configuration changes can be enabled. Agents can also receive notifications of session and policy changes.
Note:
For Apache Policy Agent, do not enable notification.
.
Saturday, November 5, 2011
Cluster initialization failed. Disabling the cluster service.
Switching from Solaris to Linux OS can be a challenge to me, at times.
I was installing and configuring Glassfish Message Queue for OpenAM Session Failover a month back and was not able to make it work initially.
The configuration was made exactly the same as what I would have done on a Solaris box. I have done that far too many times to have miss out anything. But.... the MQ just would not start on a Linux box!
So debugging was needed... In the end, I found the issue - "Invalid broker address for this broker to run in cluster: Loopback IP address is not allowed in broker address mq://127.0.0.1:7676/..."
I found out that in Linux OS, loopback IP is not allowed.
The resolution is to add imq.hostname in the BROKER_OPTIONS:
[lx123 ]$ cd /am/bin/sfo/bin
[lx123 bin]$ vi amsfo
BROKER_OPTIONS="-silent -Dimq.hostname=am1.lx.com"
.
Subscribe to:
Posts (Atom)