Wednesday, November 11, 2015

ssoadm CLI for scaling and de-scaling of OpenAM nodes

So I am still on a project where OpenAM and OpenDJ are deployed on AWS. When a spawned node is "de-scaled", it is good practice to clean up the server configuration it leaves behind.

For example, there are two nodes now (am0-test and am1-test), and am1-test is scheduled to be "de-scaled".

In AWS terminology, the Auto Scaling group is performing a scale-in.



When am1-test is finally terminated, we would like to clean up OpenAM Servers & Sites as follows:



That is easy using the ssoadm CLI:

$ ./ssoadm delete-server -u amadmin -f .pwd.txt -s http://am1-test.XXX.net:8080/auth


But what about cleaning up the Realm/DNS Aliases?



That is where the ssoadm CLI falls short.


Listing the Realm/DNS Aliases is easy:

$ ./ssoadm get-realm -s sunIdentityRepositoryService -u amadmin -f .pwd.txt -e /

sunKeyValue: sunidentityrepositoryservice-sunOrganizationStatus=Active
sunxmlKeyValue: sunidentityrepositoryservice-sunOrganizationAliases=login-test.XXX.com.sg
sunxmlKeyValue: sunidentityrepositoryservice-sunOrganizationAliases=am1-test.XXX.net
sunxmlKeyValue: sunidentityrepositoryservice-sunOrganizationAliases=am0-test.XXX.net
sunxmlKeyValue: sunidentityrepositoryservice-sunOrganizationAliases=XXX


So we only want to remove sunOrganizationAliases=am1-test.XXX.net, right? That is what we would do via the OpenAM Administration Console, so we want the same from the CLI.


There is a delete-realm-attr command that seems suitable:

$ ./ssoadm delete-realm-attr -s sunIdentityRepositoryService -u amadmin -f .pwd.txt -e / -a sunOrganizationAliases=am1-test.XXX.net

Attribute was removed.


Great, the attribute was removed. However, when the get-realm command is executed again, nothing has actually been removed.

A look at the syntax shows that -a has to be the name of the attribute to be removed, not an attribute=value pair.




This means the CLI command has to be:

$ ./ssoadm delete-realm-attr -s sunIdentityRepositoryService -u amadmin -f .pwd.txt -e / -a sunOrganizationAliases



This is even worse: every alias is removed, and only the following entry remains.


$ ./ssoadm get-realm -s sunIdentityRepositoryService -u amadmin -f .pwd.txt -e /
sunKeyValue: sunidentityrepositoryservice-sunOrganizationStatus=Active


And if one tries to log in to OpenAM, the following error occurs:





The workaround is to use the set-realm-attrs command to add the remaining sunOrganizationAliases values back.



Notice that -a now accepts attribute values (name=value pairs) instead of only an attribute name.

$ ./ssoadm set-realm-attrs -s sunIdentityRepositoryService -u amadmin -f .pwd.txt -e / -a sunOrganizationAliases -p -a sunOrganizationAliases=login-test.XXX.com.sg
$ ./ssoadm set-realm-attrs -s sunIdentityRepositoryService -u amadmin -f .pwd.txt -e / -a sunOrganizationAliases -p -a sunOrganizationAliases=am0-test.XXX.net
$ ./ssoadm set-realm-attrs -s sunIdentityRepositoryService -u amadmin -f .pwd.txt -e / -a sunOrganizationAliases -p -a sunOrganizationAliases=XXX


What a pain!
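The delete-then-restore dance above can be scripted so the scale-in hook never leaves the realm without aliases. The following is an added example written for this post, not code from the original or from ForgeRock; it assumes ssoadm is reachable via $SSOADM, the amadmin password file is $PWDFILE, the realm is "/", and that set-realm-attrs accepts several name=value arguments after -a (the $SAMPLE output is a constructed copy of the listing shown earlier).

```shell
#!/bin/sh
# Drop one Realm/DNS alias from realm "/" while keeping the others.
# Assumptions (not from the post): ssoadm path in $SSOADM, amadmin
# password in $PWDFILE, set-realm-attrs accepting several name=value
# arguments after -a.
SSOADM="${SSOADM:-./ssoadm}"
PWDFILE="${PWDFILE:-.pwd.txt}"
SVC="sunIdentityRepositoryService"
ATTR="sunOrganizationAliases"

# Constructed sample of `ssoadm get-realm` output, mirroring the post.
SAMPLE='sunKeyValue: sunidentityrepositoryservice-sunOrganizationStatus=Active
sunxmlKeyValue: sunidentityrepositoryservice-sunOrganizationAliases=login-test.XXX.com.sg
sunxmlKeyValue: sunidentityrepositoryservice-sunOrganizationAliases=am1-test.XXX.net
sunxmlKeyValue: sunidentityrepositoryservice-sunOrganizationAliases=am0-test.XXX.net
sunxmlKeyValue: sunidentityrepositoryservice-sunOrganizationAliases=XXX'

# Alias values from get-realm output on stdin, one per line.
parse_aliases() {
    sed -n "s/^sunxmlKeyValue: sunidentityrepositoryservice-$ATTR=//p"
}

# Aliases that must survive once $1 (the de-scaled host) is gone.
remaining_aliases() {
    parse_aliases | grep -vxF -- "$1" || true
}

# delete-realm-attr wipes every value, so re-set the survivors afterwards.
# Refuses to act when the alias is absent: a typo must not empty the realm.
remove_alias() {
    host="$1"
    raw=$("$SSOADM" get-realm -s "$SVC" -u amadmin -f "$PWDFILE" -e /)
    if ! printf '%s\n' "$raw" | parse_aliases | grep -qxF -- "$host"; then
        echo "alias $host not present in realm /; nothing to do" >&2
        return 1
    fi
    keep=$(printf '%s\n' "$raw" | remaining_aliases "$host" | sed "s/^/$ATTR=/")
    "$SSOADM" delete-realm-attr -s "$SVC" -u amadmin -f "$PWDFILE" -e / -a "$ATTR"
    [ -n "$keep" ] || return 0   # it was the only alias; nothing to restore
    # Hostnames have no whitespace, so unquoted $keep yields one
    # name=value argument per surviving alias.
    "$SSOADM" set-realm-attrs -s "$SVC" -u amadmin -f "$PWDFILE" -e / -a $keep
}
```

Run it from the node's lifecycle hook as `remove_alias am1-test.XXX.net` after `ssoadm delete-server`; a dry run is possible by pointing $SSOADM at a wrapper that only echoes its arguments.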
