So I am still on a project where OpenAM and OpenDJ are both deployed on AWS. When a spawned node is "de-scaled", it's good to clean up the server configuration.
For example, there are 2 nodes now (am0-test and am1-test), and am1-test is scheduled for "de-scale".
In AWS terminology, the autoscaling group is performing a scale-in.
When am1-test is finally terminated, we would like to clean up OpenAM Servers & Sites as follows:
That's easy using ssoadm CLI commands.
$ ./ssoadm delete-server -u amadmin -f .pwd.txt -s http://am1-test.XXX.net:8080/auth
But how about the cleaning up of Realm/DNS Aliases?
That's where the ssoadm CLI command is lacking.
Listing of Realm/DNS Aliases is OK. Easy.
So, we only want to remove sunOrganizationAliases=am1-test.XXX.net, right? That is what we would do via the OpenAM Administration Console, so we want the same from the CLI.
There is a delete-realm-attr command that seems suitable.
$ ./ssoadm delete-realm-attr -s sunIdentityRepositoryService -u amadmin -f .pwd.txt -e / -a sunOrganizationAliases=am1-test.XXX.net
Attribute was removed.
Great! Attribute was removed. However, when the get-realm command is executed again, nothing has actually been removed.
A look at the syntax indicates that -a has to be the name of the attribute to be removed, not a name=value pair.
This means the CLI command has to be:
$ ./ssoadm delete-realm-attr -s sunIdentityRepositoryService -u amadmin -f .pwd.txt -e / -a sunOrganizationAliases
This is even worse. All the entries except the following are removed.
$ ./ssoadm get-realm -s sunIdentityRepositoryService -u amadmin -f .pwd.txt -e /
And if one tries to log in to OpenAM, the following error will occur:
The workaround is to use the set-realm-svc-attrs command to add those sunOrganizationAliases back.
$ ./ssoadm set-realm-attr -s sunIdentityRepositoryService -u amadmin -f .pwd.txt -e / -a sunOrganizationAliases -p -a sunOrganizationAliases=login-test.XXX.com.sg
$ ./ssoadm set-realm-attr -s sunIdentityRepositoryService -u amadmin -f .pwd.txt -e / -a sunOrganizationAliases -p -a sunOrganizationAliases=am0-test.XXX.net
$ ./ssoadm set-realm-attr -s sunIdentityRepositoryService -u amadmin -f .pwd.txt -e / -a sunOrganizationAliases -p -a sunOrganizationAliases=XXX
What a pain!
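The delete-then-re-add sequence above can be planned before anything is touched. The following is an added example, not code from the original post: a dry-run planner that prints the same ssoadm commands shown above and refuses to emit a plan when the alias is absent, when no alias would remain, or when a value is not a plain host name. The input format (one sunOrganizationAliases=value line per alias, saved before any change) and the function name plan_alias_removal are assumptions.

```shell
#!/bin/sh
# Added example (not the original author's code). Dry run: prints commands only.
# Assumption: stdin holds the aliases saved BEFORE any change, one
# "sunOrganizationAliases=<value>" per line (hypothetical capture format).

BASE='./ssoadm %s -s sunIdentityRepositoryService -u amadmin -f .pwd.txt -e /'
NL='
'

plan_alias_removal() (
  target=$1 found=0 keep=
  while IFS= read -r line; do
    case $line in
      sunOrganizationAliases=*) value=${line#sunOrganizationAliases=} ;;
      *) continue ;;
    esac
    # Reject anything that is not a plain host name: the plan is run in a shell later.
    case $value in
      ''|*[!A-Za-z0-9.-]*) echo "unsafe alias: $value" >&2; exit 4 ;;
    esac
    if [ "$value" = "$target" ]; then found=1; else keep="$keep$value$NL"; fi
  done
  [ "$found" -eq 1 ] || { echo "alias not present: $target" >&2; exit 2; }
  # An empty alias list is the state that broke login in the post.
  [ -n "$keep" ] || { echo "refusing: no alias would remain" >&2; exit 3; }
  # Same sequence as the post: drop the attribute, then append each kept value.
  printf "$BASE -a sunOrganizationAliases\n" delete-realm-attr
  printf '%s' "$keep" | while IFS= read -r value; do
    printf "$BASE -a sunOrganizationAliases -p -a sunOrganizationAliases=%s\n" \
      set-realm-attr "$value"
  done
)

# Constructed sample input using the host names from the post.
SAMPLE='sunOrganizationAliases=login-test.XXX.com.sg
sunOrganizationAliases=am0-test.XXX.net
sunOrganizationAliases=XXX
sunOrganizationAliases=am1-test.XXX.net'

printf '%s\n' "$SAMPLE" | plan_alias_removal am1-test.XXX.net
```

Review the printed plan and run it only after confirming that the saved alias list is complete.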