I talked more about the new Session Failover mechanism in OpenAM 10.1 in my previous blog. The use of Open Message Queue and Berkeley DB Java Edition has been dropped in favor of the embedded OpenDJ that ships with each OpenAM release.
So how does it work with the embedded OpenDJ?
A new organizational unit, ou=tokens, is created under the root suffix. Whenever a user logs in and a session is created, an entry for that session is written to the embedded OpenDJ under ou=famrecords,ou=openam-session,ou=tokens,dc=xxx,dc=xx.
And if you have multiple instances of OpenAM in a site, the multi-master replication (MMR) between their embedded OpenDJ servers takes care of replicating those session entries from node to node.
As simple as that. Neat!
Wednesday, February 27, 2013
Tuesday, February 26, 2013
OpenAM 10.1 Session Failover Mechanism
In my previous blog, I mentioned that there is a new implementation of the Session Failover in OpenAM 10.1.
This new implementation is important to me as all my customers are using Session Failover in their production environment. So I need to evaluate it in order to advise them.
Well, if one installs OpenAM 10.1 via the GUI (I seldom use the GUI myself), this is how easy it is to turn on Session Failover: just tick "Enable Session HA Persistence and Failover". Yes, that's it!
Now, suppose session failover was not enabled during installation and configuration; it is equally easy to turn it on afterwards.
Navigate to Configuration > Global > Session. Click on New.
That's it? Yes, that's it!
Gone are the days when one had to install the AMSFO utilities, which include Open Message Queue and Berkeley DB Java Edition, and then point OpenAM at the message queue through the Database Url so that it would store user sessions there.
Monday, February 25, 2013
OpenAM 10.1.0 Release Notes
It's great news that OpenAM 10.1.0 Xpress has been released late last week.
With this new release, the session failover mechanism has changed: it used to rely on Open Message Queue and Berkeley DB Java Edition.
The current implementation uses the embedded OpenDJ server to store user sessions. The best thing about it is that the same mechanism can make sessions persist across a restart even for a single OpenAM server.
However, do take note: "When session failover is configured to use external OpenDJ directory servers, OpenAM must access those directory servers through an LDAP load balancer that can fail over connections from OpenAM whenever a directory server goes offline. Otherwise, sessions could continue to persist after users logout of OpenAM."
There are 2 other limitations which I think are worth mentioning.
1. Do not run different versions of OpenAM together in the same OpenAM site.
==> This has not been possible before. But I really hope it can happen in the future. This will make migration really easy. Just a wish, no harm wishing. :)
2. Not all features of OpenAM work with IPv6.
==> IPv6 is pretty hot these days, and the IT governing body in Singapore has even dictated that all software be compliant with IPv6 in all the ministries. This makes life difficult for Systems Integrators like us. If a piece of software does not fully support IPv6, what can we do? It takes time for all software (especially mature software) to slowly conform to IPv6.
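Two things on this page are worth checking rather than trusting: that the session entries written under ou=famrecords,ou=openam-session,ou=tokens (see the post of 27 February) really do replicate to every node in the site, and that sessions do not linger after logout when OpenAM loses its connection to the store, which is what the release-notes caveat quoted above warns about (if the delete at logout never reaches the directory, the entry simply stays). The script below is an added example, not code from this blog or from the OpenAM or OpenDJ projects. It parses LDIF dumps of the session branch taken from each node with ldapsearch, diffs the two nodes, and lists the entries whose expiry has already passed. The dumps are constructed; the RDN attribute sessionId and the attributes sessionExpiry and sessionOwner are placeholders, since the page does not document the real schema, and the suffix dc=azlabs,dc=sg, the hostname pattern and the LDAP port 52389 are taken from the configurator output further down the page.

```python
"""Sanity checks for OpenAM 10.1 sessions stored in OpenDJ.

Added example, not from the blog or from the OpenAM/OpenDJ projects.
It parses LDIF dumps of the session branch
ou=famrecords,ou=openam-session,ou=tokens,<suffix> taken from each
OpenAM node's embedded OpenDJ, then (1) diffs the two nodes to confirm
MMR has replicated every session, and (2) lists entries whose expiry
has passed, i.e. sessions that outlived the user.

Assumptions: the LDIF below is constructed; the RDN attribute
sessionId and the attributes sessionExpiry/sessionOwner are
placeholders, because the page does not document the real schema.
"""
import base64
from datetime import datetime, timezone

SESSION_BASE = "ou=famrecords,ou=openam-session,ou=tokens,dc=azlabs,dc=sg"

# Produce real input per node (port 52389 is the embedded OpenDJ port the
# configurator printed in the post; hostname and bind DN are assumptions):
#   ldapsearch -h am1.azlabs.sg -p 52389 -D "cn=Directory Manager" -w <password> \
#     -b "ou=famrecords,ou=openam-session,ou=tokens,dc=azlabs,dc=sg" \
#     "(objectClass=*)" > am1.ldif


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attribute: [values]}}.
    Unfolds continuation lines and decodes '::' base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]        # folded line continues the previous one
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines + [""]:           # trailing "" flushes the last entry
        if not line or line.startswith("#"):
            if current is not None:
                entries[current[0]] = current[1]
                current = None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):       # attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    return entries


def session_entries(ldif_text):
    """Only the session records: entries below (not equal to) SESSION_BASE."""
    return {dn: attrs for dn, attrs in parse_ldif(ldif_text).items()
            if dn.lower().endswith("," + SESSION_BASE)}


def replication_diff(ldif_a, ldif_b):
    """(only_on_a, only_on_b). Both lists should be empty once OpenDJ
    multi-master replication has caught up between the two nodes."""
    a, b = set(session_entries(ldif_a)), set(session_entries(ldif_b))
    return sorted(a - b), sorted(b - a)


def _ts(value):
    """Generalized time as OpenDJ stores it, e.g. 20130227100000Z (UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def stale_sessions(ldif_text, now):
    """DNs whose (placeholder) sessionExpiry is at or before `now`, given in
    the same generalized-time format. These are the sessions the release
    notes warn about: if OpenAM could not reach the store when the user
    logged out, the record stays until something purges it."""
    cutoff = _ts(now)
    stale = []
    for dn, attrs in session_entries(ldif_text).items():
        if any(_ts(v) <= cutoff for v in attrs.get("sessionExpiry", [])):
            stale.append(dn)
    return sorted(stale)


# Constructed dumps: am2 has not yet received bob's session from am1.
AM1_LDIF = """\
dn: ou=famrecords,ou=openam-session,ou=tokens,dc=azlabs,dc=sg
objectClass: organizationalUnit
ou: famrecords

dn: sessionId=AQIC5wM2LY4Sfcxs,ou=famrecords,ou=openam-session,ou=tokens,dc=azlabs,dc=sg
objectClass: top
sessionOwner: id=alice,ou=user,dc=azlabs,dc=sg
sessionExpiry: 20130227093000Z

dn: sessionId=AQIC5wM2LY4Sfcxt,ou=famrecords,ou=openam-session,ou=tokens,dc=azlabs,dc=sg
objectClass: top
sessionOwner:: aWQ9Ym9iLG91PXVzZXIsZGM9YXpsYWJzLGRjPXNn
sessionExpiry: 20130227120000Z
"""
AM2_LDIF = AM1_LDIF.split("\ndn: sessionId=AQIC5wM2LY4Sfcxt")[0] + "\n"
ALICE_DN = "sessionId=AQIC5wM2LY4Sfcxs," + SESSION_BASE
BOB_DN = "sessionId=AQIC5wM2LY4Sfcxt," + SESSION_BASE

if __name__ == "__main__":
    only_am1, only_am2 = replication_diff(AM1_LDIF, AM2_LDIF)
    print("missing on am2:", only_am1, "missing on am1:", only_am2)
    print("stale at 10:00Z:", stale_sessions(AM1_LDIF, "20130227100000Z"))
```

Run it with one dump per OpenAM node. A difference that does not close within a few seconds of re-running the dumps points at a replication problem between the embedded OpenDJ servers; expired entries that keep accumulating after users log out are the symptom the release notes describe, and the LDAP load balancer they prescribe is what stops OpenAM from losing the connection it needs to delete them.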
Saturday, February 16, 2013
OpenDJ Utilities
The following links are helpful if you want to extract useful information from OpenDJ logs:
GitHub - ludomp/opendj-utils
GitHub - chrisridd/opendj-utils
Friday, February 15, 2013
OpenAM Lineage
I have told customers multiple times - OpenAM is not a new product, even though ForgeRock is only 2 years old. In fact, OpenAM is around 13 years old now. The history of OpenAM dates back to early 2000, when Sun Microsystems started it as Directory Server Access Management Edition (DSAME).
Interestingly, after Oracle took over Sun, OpenSSO was "chopped" into several incompatible products - each sold separately :).
Thursday, February 14, 2013
ForgeRock Open Source Advantage
The following slide sums up what my customers have been asking for the past 1-2 years regarding ForgeRock Open Source Advantage.
Great job!
Monday, February 4, 2013
Architecture Definition
It is always hard to balance between the Problem space and Solution space when architecting solutions for customers.
An art indeed.
Invalid Credential when Add to Existing Deployment - Part II
Last week I posted this: Invalid Credential when Add to Existing Deployment, where I attempted to install and configure a 2nd instance of OpenAM server via the Configuration Wizard UI.
It was not successful unless the default ldapService was switched to DataStore.
Out of curiosity, I installed a 3rd instance of OpenAM server in our test lab. This time, however, I chose to configure it via the SSO Configurator tool.
It went through like a breeze!
[azlabs@idp config]$ java -jar configurator.jar -f am3config
Checking configuration directory /home/azlabs/var/am3....Success.
Installing OpenAM configuration store...Success RSA/ECB/OAEPWithSHA1AndMGF1Padding.
Extracting OpenDJ, please wait...Complete
Running OpenDJ setup
Setup command: --cli --adminConnectorPort 7888 --baseDN dc=azlabs,dc=sg --rootUserDN cn=Directory Manager --ldapPort 52389 --skipPortCheck --rootUserPassword xxxxxxx --jmxPort 3689 --no-prompt --configFile /home/azlabs/var/am3/opends/config/config.ldif --doNotStart --hostname am3.azlabs.sg
OpenDJ 2.4.5
Please wait while the setup program initializes...

See /home/azlabs/opt/tomcat-7.0.34-am3/temp/opends-setup-6235062839150188850.log for a detailed log of this operation.

Configuring Directory Server ..... Done.

To see basic server configuration status and configuration you can launch /home/azlabs/var/am3/opends/bin/status
...Success.
...Success
Installing OpenAM configuration store in /home/azlabs/var/am3/opends...Success.
:
:
:
...Success.
Reinitializing system properties....Done
Configuring server instance....Done
Setting up monitoring authentication file.
Configuration complete!
Strange indeed.
Friday, February 1, 2013
OpenIDM Architecture
A picture says a thousand words.
Honestly, it's still not ready for today's enterprises after talking to customers. But we shall see in a year or 2... I'm optimistic about this product! :)