Part I Command Line Interface Reference
Chapter 1 ssoadm Command Line Interface Reference
This chapter provides information on the OpenSSO Enterprise ssoadm command line interface. This interface is new to
the 8.0 release and replaces the amadmin command
line tool used in previous releases. ssoadm has
a multitude of subcommands that perform specific tasks for creating,
deleting, and managing all OpenSSO Enterprise data. These subcommands
are grouped by functional area.
Note –
amadmin is still supported for backward
compatibility with deployments that have been upgraded to OpenSSO Enterprise. See Chapter 2, The amadmin Command Line Tool for
more information.
The primary purpose of ssoadm is to load
configuration data into the data store and to perform batch administrative
tasks on the DIT. For information and instructions to unpack and set
up ssoadm, see Installing the OpenSSO
Enterprise Utilities and Scripts in the ssoAdminTools.zip File in Sun OpenSSO Enterprise 8.0 Installation and Configuration
Guide.
ssoadm is primarily used to:
Note –
XML service files are stored in the data store as static blobs of XML data that are referenced by OpenSSO Enterprise.
This information is not used by Directory Server, which only understands
LDAP.
-
Perform batch updates of identity objects in the DIT
- Administrators can perform batch updates to the Directory Server
DIT using the do-batch subcommand. For example,
if an administrator wants to create 10 organizations, 1000 users,
and 100 groups, it can be done in one pass by putting the requests
in one or more batch processing XML files and loading them using ssoadm.
When ssoadm is executed, the command performs
a version check of the OpenSSO Enterprise server. If the server version
does not match the version that ssoadm expects, the command
fails.
Using the ssoadm Command Line Interface
ssoadm contains many subcommands to perform
specific tasks for services, plug-ins, policies, federation profiles,
and so forth. Each subcommand accepts a number of options, both required
and optional, that are defined to carry out these tasks. The following
sections describe the usage of the subcommands and their associated
options.
The basic syntax for the ssoadm command
is:
ssoadm subcommand --options [--global-options]
The following global options are accepted by all subcommands
but are never required for a command to function:
- [--locale, -l]
-
Name of the locale to display the results.
- [--debug, -d]
-
Run in debug mode. Results sent to the debug file.
- [--verbose, -v]
-
Run in verbose mode. Results sent to standard output.
Password File
Most ssoadm subcommands require the --password-file (-f) option.
The password file is a plain text file that contains the password of the
administrator running the task. Because it holds a credential in clear text,
treat the file as a secret: keep it out of shared, world-writable directories
such as /tmp, restrict it to the owner, and delete it when it is no longer
needed. To create a password file:
-
Create the password file in a location you will remember.
For example:
echo "" > /tmp/testpwd
where the quoted string is the administrator password. Typing the password
on an echo command line records it in the shell history; entering it in an
editor or through a read -s prompt avoids that.
-
Change the permissions so that only the owner can read the file:
chmod 400 /tmp/testpwd
ssoadm Usage Example
This section provides an example of how you can use the ssoadm command-line utility with a subcommand. This example highlights
the update-agent subcommand, which
allows you to configure agent properties. The following is an example
of how the ssoadm command can be issued with the update-agent subcommand:
# ./ssoadm update-agent -e testRealm1 -b testAgent1 -u amadmin -f /tmp/testpwd -a "com.sun.identity.agents.config.notenforced.url[0]=/exampledir/public/*"
Caution –
When issuing the ssoadm command,
if you include values that contain wildcards (* or -*-), enclose the property name/value pair
in double quotes so that the shell does not expand them. This applies
when you use the -a (--attributevalues)
option. The double quotes are not necessary when you list the properties
in a data file and load them with the -D option.
Listing Options for an ssoadm Subcommand
You can read the options for a subcommand from this section
or you can list the options yourself while using the command. On the
machine hosting OpenSSO Enterprise, in the directory containing the ssoadm utility, issue the ssoadm command with
the appropriate subcommand. For example:
# ./ssoadm update-agent
Since the preceding command is missing required options, the
utility does not run it; instead it lists all the options available for this subcommand,
followed by the global options, which are common to all subcommands. For example:
ssoadm update-agent --options [--global-options]
Update agent configuration.
Usage:
ssoadm
--realm|-e
--agentname|-b
--adminid|-u
--password-file|-f
[--set|-s]
[--attributevalues|-a]
[--datafile|-D]
Global Options:
--locale, -l
Name of the locale to display the results.
--debug, -d
Run in debug mode. Results sent to the debug file.
--verbose, -v
Run in verbose mode. Results sent to standard output.
Options:
--realm, -e
Name of realm.
--agentname, -b
Name of agent.
--adminid, -u
Administrator ID of running the command.
--password-file, -f
File name that contains password of administrator.
--set, -s
Set this flag to overwrite properties values.
--attributevalues, -a
properties e.g. homeaddress=here.
--datafile, -D
Name of file that contains properties.
Subcommand Usage
By looking at the usage information of a subcommand, you can
determine which options are required and which are optional. You can
list an option for the command with either a single letter, such as -e or with an entire word, such as --realm.
The following is a list of the usage information for the update-agent subcommand:
ssoadm update-agent
--realm|-e
--agentname|-b
--adminid|-u
--password-file|-f
[--set|-s]
[--attributevalues|-a]
[--datafile|-D]
The options not enclosed in square brackets are required: realm, agentname, adminid,
and password-file. The three bracketed options are optional, but
you must use either --attributevalues or --datafile to provide a property name and the corresponding
value. The --attributevalues option is appropriate
for assigning values to a single property. The --datafile option
is appropriate for setting several properties at once. The realm and agentname options identify the specific
agent you are configuring. The adminid and password-file options identify you as someone who has the right to configure
this agent.
The following command serves as an example of how you can change
several agent properties at once. In this scenario the properties
and their respective values are stored in a file, /tmp/testproperties, to which the command points:
# ./ssoadm update-agent -e testRealm1 -b testAgent1 -u amadmin -f /tmp/testpwd -D /tmp/testproperties
For subcommand options that accept multiple values, the values
are space-separated and each value is placed within quotation marks. For example,
the --attributevalues option uses the
following format:
--attributevalues "attributename=value" "attributename=value2"
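The following script, added here as an example and not taken from the OpenSSO documentation or the ssoadm utility itself, ties the Password File steps and the update-agent data-file invocation above together. It creates the password file under a restrictive umask so it is never world-readable even momentarily, verifies the resulting mode, writes the agent properties to a data file, and calls update-agent with -f and -D so that wildcard values never reach the shell as bare words. The SSOADM variable (defaulting to ./ssoadm), the one key=value pair per line layout of the data file, and all realm, agent and path names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: hardened password-file handling plus a data-file driven
# update-agent call. SSOADM defaults to ./ssoadm (assumption); point it at
# the installed utility. The key=value-per-line data-file layout is an
# assumption about the -D format.
set -u

# make_pwfile PATH PASSWORD
# umask 077 inside a subshell keeps the file owner-only from the moment it
# is created; chmod 400 then drops the owner's write bit as well.
make_pwfile() {
    pwfile=$1
    password=$2
    ( umask 077; printf '%s\n' "$password" > "$pwfile" ) || return 1
    chmod 400 "$pwfile"
}

# file_mode PATH -> prints the octal permission bits (GNU stat, BSD fallback)
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_pwfile PATH -> 0 only if the mode is exactly 400
check_pwfile() {
    [ "$(file_mode "$1")" = "400" ]
}

# write_props PATH key=value ...
# One property per line; values are written verbatim, so a trailing * in a
# not-enforced URL is stored literally and never glob-expanded.
write_props() {
    propfile=$1
    shift
    ( umask 077; : > "$propfile" ) || return 1
    for kv in "$@"; do
        printf '%s\n' "$kv" >> "$propfile"
    done
}

# update_agent REALM AGENT ADMINID PWFILE PROPFILE
# Every argument is passed as its own quoted word; the password is only ever
# read from the file, never placed on the command line.
update_agent() {
    "${SSOADM:-./ssoadm}" update-agent -e "$1" -b "$2" -u "$3" -f "$4" -D "$5"
}

# Usage (constructed values):
#   make_pwfile "$HOME/.ssoadm/pwd" 'the-admin-password'
#   check_pwfile "$HOME/.ssoadm/pwd" || { echo "bad mode on password file" >&2; exit 1; }
#   write_props /tmp/testproperties \
#       'com.sun.identity.agents.config.notenforced.url[0]=/exampledir/public/*'
#   update_agent testRealm1 testAgent1 amadmin "$HOME/.ssoadm/pwd" /tmp/testproperties
```

Setting SSOADM=echo turns update_agent into a dry run that prints the exact argument list, which is a convenient way to confirm that wildcards and bracketed property names survive quoting before the command touches a live server.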
ssoadm Subcommands and Options
The following section lists the ssoadm subcommands
and their associated options. The subcommands are grouped under the
following functional areas:
Agent Configuration
The following subcommands execute operations for the supported
agent profile types defined in the OpenSSO Centralized Agent Configuration
service.
add-agent-to-grp
Add agents to an agent group.
Syntax
ssoadm add-agent-to-grp --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--agentgroupname, -b
-
The name of the agent group.
-
--agentnames, -s
-
The names of the agents.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
agent-remove-props
Remove an agent's properties.
Syntax
ssoadm agent-remove-props --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--agentname, -b
-
The name of the agent.
-
--attributenames, -a
-
The names of the properties.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
create-agent
Create a new agent configuration.
Syntax
ssoadm create-agent --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--agentname, -b
-
The name of the agent.
-
--agenttype, -t
-
The type of agent. For example, J2EEAgent or WebAgent.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The properties. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the properties.
create-agent-grp
Create a new agent group.
Syntax
ssoadm create-agent-grp --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--agentgroupname, -b
-
The name of the agent group.
-
--agenttype, -t
-
The type of agent. For example, J2EEAgent or WebAgent.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The properties. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the properties.
delete-agent-grps
Delete existing agent groups.
Syntax
ssoadm delete-agent-grps --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--agentgroupnames, -s
-
The names of the agent groups.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
delete-agents
Delete existing agent configurations.
Syntax
ssoadm delete-agents --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--agentnames, -s
-
The names of the agents.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
list-agent-grp-members
List the agents in an agent group.
Syntax
ssoadm list-agent-grp-members --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--agentgroupname, -b
-
The name of the agent group.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--filter, -x]
-
Filter by a pattern.
list-agent-grps
List the agent groups.
Syntax
ssoadm list-agent-grps --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--filter, -x]
-
Filter by a pattern.
-
[--agenttype, -t]
-
The type of agent. For example, J2EEAgent or WebAgent.
list-agents
List the agent configurations.
Syntax
ssoadm list-agents --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--filter, -x]
-
Filter by a pattern.
-
[--agenttype, -t]
-
The type of agent. For example, J2EEAgent or WebAgent.
remove-agent-from-grp
Remove agents from an agent group.
Syntax
ssoadm remove-agent-from-grp --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--agentgroupname, -b
-
The name of the agent group.
-
--agentnames, -s
-
The names of the agents.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
show-agent
Show the agent profile.
Syntax
ssoadm show-agent --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--agentname, -b
-
The name of the agent.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--outfile, -o]
-
The filename where configuration is written.
-
[--inherit, -i]
-
Set this option to inherit properties from the parent
group.
show-agent-grp
Show the agent group profile.
Syntax
ssoadm show-agent-grp --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--agentgroupname, -b
-
The name of the agent group.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--outfile, -o]
-
The filename where configuration is written.
show-agent-membership
List the agent's membership.
Syntax
ssoadm show-agent-membership --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--agentname, -b
-
The name of the agent.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
show-agent-types
Show the agent types.
Syntax
ssoadm show-agent-types --options [--global-options]
Options
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
update-agent
Update the agent's configuration.
Syntax
ssoadm update-agent --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--agentname, -b
-
The name of the agent.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--set, -s]
-
Set this flag to overwrite a property's values.
-
[--attributevalues, -a]
-
The properties. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the properties.
update-agent-grp
Update the agent group's configuration.
Syntax
ssoadm update-agent-grp --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--agentgroupname, -b
-
The name of the agent group.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--set, -s]
-
Set this flag to overwrite a property's values.
-
[--attributevalues, -a]
-
The properties. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the properties.
Authentication Service Management
The following subcommands execute operations for the OpenSSO
Enterprise Authentication service.
add-auth-cfg-entr
Add an authentication configuration entry.
Syntax
ssoadm add-auth-cfg-entr --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--name, -m
-
The name of the authentication configuration.
-
--modulename, -o
-
The module name.
-
--criteria, -c
-
The criteria for this entry. Possible values are REQUIRED, OPTIONAL, SUFFICIENT,
and REQUISITE.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--options, -t]
-
The options for this entry.
-
[--position, -p]
-
The position where the new entry is to be added.
create-auth-cfg
Create an authentication configuration.
Syntax
ssoadm create-auth-cfg --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--name, -m
-
The name of the authentication configuration.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
create-auth-instance
Create an authentication instance.
Syntax
ssoadm create-auth-instance --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--name, -m
-
The name of the authentication instance.
-
--authtype, -t
-
The type of authentication instance. For example LDAP
or DataStore.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
delete-auth-cfgs
Delete existing authentication configurations.
Syntax
ssoadm delete-auth-cfgs --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--names, -m
-
The names of the authentication configurations.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
delete-auth-instances
Delete existing authentication instances.
Syntax
ssoadm delete-auth-instances --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--names, -m
-
The names of the authentication instances.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
get-auth-cfg-entr
Get the authentication configuration entries.
Syntax
ssoadm get-auth-cfg-entr --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--name, -m
-
The name of the authentication configuration.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
get-auth-instance
Get the authentication instance values.
Syntax
ssoadm get-auth-instance --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--name, -m
-
The name of the authentication instance.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
list-auth-cfgs
List the authentication configurations.
Syntax
ssoadm list-auth-cfgs --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
list-auth-instances
List the authentication instances.
Syntax
ssoadm list-auth-instances --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
register-auth-module
Register an authentication module.
Syntax
ssoadm register-auth-module --options [--global-options]
Options
-
--authmodule, -a
-
The Java class name of the authentication module.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
unregister-auth-module
Unregister the authentication module.
Syntax
ssoadm unregister-auth-module --options [--global-options]
Options
-
--authmodule, -a
-
The Java class name of the authentication module.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
update-auth-cfg-entr
Set the authentication configuration entries.
Syntax
ssoadm update-auth-cfg-entr --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--name, -m
-
The name of the authentication configuration.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--entries, -a]
-
The formatted authentication configuration entries.
-
[--datafile, -D]
-
The filename that contains the formatted authentication
configuration entries.
update-auth-instance
Update the authentication instance values.
Syntax
ssoadm update-auth-instance --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--name, -m
-
The name of the authentication instance.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values.
Datastore Management
The following subcommands execute operations for managing OpenSSO
Enterprise datastores.
add-amsdk-idrepo-plugin
Create the AMSDK IdRepo plug-in.
Syntax
ssoadm add-amsdk-idrepo-plugin --options [--global-options]
Options
-
--directory-servers, -s
-
Contains the Directory Servers, and can contain multiple
entries. Use the following format:
protocol://hostname:port
-
--basedn, -b
-
The Directory Server base distinguished name.
-
--dsame-password-file, -x
-
The filename that contains the password of the dsameuser.
-
--puser-password-file, -p
-
The filename that contains the password of the puser.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--user, -a]
-
The user objects naming attribute (defaults to uid).
-
[--org, -o]
-
The organization objects naming attribute (defaults
to o).
create-datastore
Create a datastore under a realm.
Syntax
ssoadm create-datastore --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--name, -m
-
The name of the datastore.
-
--datatype, -t
-
The type of the datastore.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, sunIdRepoClass=com.sun.identity.idm.plugins.ldapv3.LDAPv3Repo.
-
[--datafile, -D]
-
The filename that contains the attribute values.
delete-datastores
Delete the data stores under a realm.
Syntax
ssoadm delete-datastores --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--names, -m
-
The names of the data stores.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
list-datastore-types
List the supported data store types.
Syntax
ssoadm list-datastore-types --options [--global-options]
Options
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
list-datastores
List the data stores under a realm.
Syntax
ssoadm list-datastores --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
show-datastore
Show the data store profile.
Syntax
ssoadm show-datastore --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--name, -m
-
The name of the datastore.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
update-datastore
Update the datastore profile.
Syntax
ssoadm update-datastore --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--name, -m
-
The name of the datastore.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, sunIdRepoClass=com.sun.identity.idm.plugins.files.FilesRepo.
-
[--datafile, -D]
-
The filename that contains the attribute values.
Identity Management
The following subcommands execute operations for managing identities
associated with OpenSSO Enterprise.
add-member
Add an identity as a member of another identity.
Syntax
ssoadm add-member --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--memberidname, -m
-
The name of the member's identity.
-
--memberidtype, -y
-
The type of the member's identity. For example, User,
Role or Group.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
add-privileges
Add privileges to an identity.
Syntax
ssoadm add-privileges --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--privileges, -g
-
The names of the privileges to be added.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
add-svc-identity
Add a service to an identity.
Syntax
ssoadm add-svc-identity --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--servicename, -s
-
The name of the service.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values.
create-identity
Create an identity in a realm.
Syntax
ssoadm create-identity --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, inetuserstatus=Active.
-
[--datafile, -D]
-
The filename that contains the attribute values.
delete-identities
Delete the identities in a realm.
Syntax
ssoadm delete-identities --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
get-identity
Get the identity property values.
Syntax
ssoadm get-identity --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributenames, -a]
-
The attribute names. All attribute values are
returned if this option is not provided.
get-identity-svcs
Get the service in an identity.
Syntax
ssoadm get-identity-svcs --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributenames, -a]
-
The attribute names. All attribute values are returned
if this option is not provided.
list-identities
List the identities in a realm.
Syntax
ssoadm list-identities --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--filter, -x
-
Filter by a pattern.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
list-identity-assignable-svcs
List the assignable services for an identity.
Syntax
ssoadm list-identity-assignable-svcs --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
remove-member
Remove the membership of an identity from another identity.
Syntax
ssoadm remove-member --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--memberidname, -m
-
The name of the member's identity.
-
--memberidtype, -y
-
The type of the member's identity. For example, User,
Role or Group.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
remove-privileges
Remove the privileges from an identity.
Syntax
ssoadm remove-privileges --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--privileges, -g
-
The names of the privileges to be removed.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
remove-svc-identity
Remove a service from an identity.
Syntax
ssoadm remove-svc-identity --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--servicename, -s
-
The name of the service.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
set-identity-attrs
Set the attribute values of an identity.
Syntax
ssoadm set-identity-attrs --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values.
set-identity-svc-attrs
Set the service attribute values of an identity.
Syntax
ssoadm set-identity-svc-attrs --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--servicename, -s
-
The name of the service.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values.
show-identity-ops
Show the allowed operations of an identity in a realm.
Syntax
ssoadm show-identity-ops --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
show-identity-svc-attrs
Show the service attribute values of an identity.
Syntax
ssoadm show-identity-svc-attrs --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--servicename, -s
-
The name of the service.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
show-identity-types
Show the supported identity types in a realm.
Syntax
ssoadm show-identity-types --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
show-members
Show the members of an identity. For example, the members of
a role.
Syntax
ssoadm show-members --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--membershipidtype, -m
-
The membership identity type.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
show-memberships
Show the memberships of an identity. For example, the memberships
of a user.
Syntax
ssoadm show-memberships --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--membershipidtype, -m
-
The membership identity type.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
show-privileges
Show the privileges assigned to an identity.
Syntax
ssoadm show-privileges --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--idname, -i
-
The name of the identity.
-
--idtype, -t
-
The type of the identity. For example, User, Role
or Group.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
Realm and Policy Management
The following subcommands execute operations for managing realms
and policies in OpenSSO Enterprise.
add-svc-attrs
Add service attribute values in a realm.
Syntax
ssoadm add-svc-attrs --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--servicename, -s
-
The name of the service.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values.
add-svc-realm
Add a service to a realm.
Syntax
ssoadm add-svc-realm --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--servicename, -s
-
The name of the service.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values.
create-policies
Create policies in a realm.
Syntax
ssoadm create-policies --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--xmlfile, -X
-
The filename that contains the policy XML definition.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
create-realm
Create a realm.
Syntax
ssoadm create-realm --options [--global-options]
Options
-
--realm, -e
-
The name of the realm to be created.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
delete-policies
Delete policies from a realm.
Syntax
ssoadm delete-policies --options [--global-options]
Options
-
--realm, -e
-
The name of the realm to which the policy belongs.
-
--policynames, -p
-
The names of the policies to be deleted.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
delete-realm
Delete a realm.
Syntax
ssoadm delete-realm --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--recursive, -r]
-
Deletes the descendant realms recursively.
delete-realm-attr
Delete an attribute from a realm.
Syntax
ssoadm delete-realm-attr --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--servicename, -s
-
The name of the service.
-
--attributename, -a
-
The name of the attribute to be removed.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
get-realm
Get the realm property values.
Syntax
ssoadm get-realm --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--servicename, -s
-
The name of the service.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
get-realm-svc-attrs
Get the realm's service attribute values.
Syntax
ssoadm get-realm-svc-attrs --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--servicename, -s
-
The name of the service.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
list-policies
List the policy definitions in a realm.
Syntax
ssoadm list-policies --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--policynames, -p]
-
The names of the policies. Wildcards are accepted. If this option
is omitted, all policy definitions in the realm are returned.
-
[--outfile, -o]
-
The filename to which the policy definitions are written. If this
option is omitted, the definitions are printed to standard output.
list-realm-assignable-svcs
List the realm's assignable services.
Syntax
ssoadm list-realm-assignable-svcs --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
list-realms
List the realms by name.
Syntax
ssoadm list-realms --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--filter, -x]
-
Filter by a pattern.
-
[--recursive, -r]
-
Search recursively.
remove-svc-attrs
Remove a realm's service attribute values.
Syntax
ssoadm remove-svc-attrs --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--servicename, -s
-
The name of the service.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values to be removed. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values to
be removed.
remove-svc-realm
Remove a service from a realm.
Syntax
ssoadm remove-svc-realm --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--servicename, -s
-
The name of the service to be removed.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
set-realm-attrs
Set a realm's attribute values.
Syntax
ssoadm set-realm-attrs --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--servicename, -s
-
The name of the service.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--append, -p]
-
Set this flag to append the values to existing ones.
-
[--attributevalues, -a]
-
The attribute values. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values.
set-svc-attrs
Set the realm's service attribute values.
Syntax
ssoadm set-svc-attrs --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--servicename, -s
-
The name of the service.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values.
show-auth-modules
Show the supported authentication modules in the system.
Syntax
ssoadm show-auth-modules --options [--global-options]
Options
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
show-data-types
Show the supported data types in the system.
Syntax
ssoadm show-data-types --options [--global-options]
Options
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
show-realm-svcs
Show the services in a realm.
Syntax
ssoadm show-realm-svcs --options [--global-options]
Options
-
--realm, -e
-
The name of the realm.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--mandatory, -y]
-
Include mandatory services.
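Every subcommand in this reference takes --adminid and --password-file, and most of the write operations accept attribute values either inline with --attributevalues or from a file with --datafile. The POSIX shell wrapper below is an added example; it is not part of the OpenSSO Enterprise documentation or of the ssoadm tools. It refuses to invoke ssoadm unless the password file is owned by the caller and readable by nobody else, writes attribute values to a file created with mode 0600 rather than passing them on the command line (where they would be visible in the process list), and prints the command line instead of running it when DRY_RUN=1. The SSOADM path, the amadmin administrator ID, the service name MyService and the one name=value pair per line format of the datafile are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the OpenSSO documentation): a wrapper that enforces
# password-file hygiene before each ssoadm call. SSOADM, ADMIN_ID, the
# datafile line format and the demo service name are assumptions.
set -eu

SSOADM="${SSOADM:-ssoadm}"        # assumed location of the ssoadm script
ADMIN_ID="${ADMIN_ID:-amadmin}"   # placeholder administrator ID

# Return 0 only if the file is a regular file owned by the caller with
# mode 0400 or 0600, i.e. readable by nobody else.
check_secret_file() {
    f=$1
    [ -f "$f" ] || { echo "no such file: $f" >&2; return 1; }
    [ -O "$f" ] || { echo "not owned by caller: $f" >&2; return 1; }
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")   # GNU, then BSD stat
    case "$mode" in
        400|600) return 0 ;;
        *) echo "$f is mode $mode; expected 400 or 600" >&2; return 1 ;;
    esac
}

# Write name=value pairs (assumed --datafile format) to a file that is
# created under umask 077, so the values never appear in the process list.
write_datafile() {
    out=$1; shift
    ( umask 077
      : > "$out"
      for pair in "$@"; do printf '%s\n' "$pair" >> "$out"; done )
}

# Run one subcommand with the shared --adminid/--password-file options.
# With DRY_RUN=1 the command line is printed instead of executed.
ssoadm_run() {
    sub=$1; pwfile=$2; shift 2
    check_secret_file "$pwfile" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s --adminid %s --password-file %s' "$SSOADM" "$sub" "$ADMIN_ID" "$pwfile"
        for a in "$@"; do printf ' %s' "$a"; done
        printf '\n'
        return 0
    fi
    "$SSOADM" "$sub" --adminid "$ADMIN_ID" --password-file "$pwfile" "$@"
}

if [ "${1:-}" = "demo" ]; then
    # Constructed demo: list realms recursively, then set two attribute
    # values on a service via a datafile. Values are illustrative only.
    pw="${2:-$HOME/.ssoadm/pw}"
    ssoadm_run list-realms "$pw" --realm / --recursive
    attrs=$(mktemp)
    write_datafile "$attrs" "homeaddress=here" "mail=admin@example.com"
    ssoadm_run set-svc-attrs "$pw" --realm / --servicename MyService --datafile "$attrs"
    rm -f "$attrs"
fi
```

Run `DRY_RUN=1 sh ssoadm-wrap.sh demo /path/to/pwfile` to see the generated command lines without a server; unset DRY_RUN on a host where ssoadm is installed to execute them. The mode check is deliberately strict: a password file that is group- or world-readable defeats the purpose of --password-file, which exists so that the administrator password is never typed on a command line.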
Service Management
The following subcommands execute operations for managing services,
service schemas, and sub configurations in OpenSSO Enterprise.
add-attr-defs
Add the default attribute values in a schema.
Syntax
ssoadm add-attr-defs --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values.
-
[--subschemaname, -c]
-
The name of the sub schema.
add-attrs
Add an attribute schema to an existing service.
Syntax
ssoadm add-attrs --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributeschemafile, -F
-
An XML file containing the attribute schema definition.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
add-plugin-interface
Add the plug-in interface to a service.
Syntax
ssoadm add-plugin-interface --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--interfacename, -i
-
The name of the interface.
-
--pluginname, -g
-
The name of the plug-in.
-
--i18nkey, -k
-
The i18n key of the plug-in.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
add-sub-schema
Add a sub schema.
Syntax
ssoadm add-sub-schema --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--filename, -F
-
The filename that contains the schema.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
create-boot-url
Create the bootstrap URL that the product web application uses to bootstrap itself.
Syntax
ssoadm create-boot-url --options [--global-options]
Options
-
--dshost, -t
-
The Directory Server hostname.
-
--dsport, -p
-
The Directory Server port number.
-
--basedn, -b
-
The Directory Server base distinguished name.
-
--dsadmin, -a
-
The Directory Server administrator distinguished name.
-
--dspassword-file, -x
-
The filename that contains the Directory Server administrator
password.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--ssl, -s]
-
Set this flag to connect to Directory Server over LDAPS.
create-sub-cfg
Create a new sub configuration.
Syntax
ssoadm create-sub-cfg --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--subconfigname, -g
-
The name of the sub configuration.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values.
-
[--realm, -e]
-
The name of the realm. The sub configuration will
be added to the global configuration if this option is not selected.
-
[--subconfigid, -b]
-
The ID of the parent configuration. The sub configuration
will be added to the root configuration if this option is not selected.
-
[--priority, -p]
-
The priority of the sub configuration.
create-svc
Create a new service in the server.
Syntax
ssoadm create-svc --options [--global-options]
Options
-
--xmlfile, -X
-
The XML file that contains the schema.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--continue, -c]
-
Continue adding services if one or more previous services
cannot be added.
create-svrcfg-xml
Create the serverconfig.xml file.
Syntax
ssoadm create-svrcfg-xml --options [--global-options]
Options
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--dshost, -t]
-
The Directory Server hostname.
-
[--dsport, -p]
-
The Directory Server port number.
-
[--basedn, -b]
-
The Directory Server base distinguished name.
-
[--dsadmin, -a]
-
The Directory Server administrator distinguished name.
-
[--dspassword-file, -x]
-
The filename that contains the Directory Server administrator
password.
-
[--outfile, -o]
-
The filename where serverconfig.xml is written.
delete-attr
Delete the attribute schemas from a service.
Syntax
ssoadm delete-attr --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributeschema, -a
-
The name of the attribute schema to be removed.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
delete-attr-def-values
Delete the attribute schema default values.
Syntax
ssoadm delete-attr-def-values --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--defaultvalues, -e
-
The default values to be deleted.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
delete-sub-cfg
Delete the sub configuration.
Syntax
ssoadm delete-sub-cfg --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--subconfigname, -g
-
The name of the sub configuration.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
--attributevalues, -a
-
The attribute values. For example, homeaddress=here.
-
--datafile, -D
-
The filename that contains the attribute values.
-
--realm, -e
-
The name of the realm. The sub configuration is deleted
from the global configuration if this option is not specified.
-
--subconfigid, -b
-
The ID of the parent configuration. The sub configuration
is deleted from the root configuration if this option is not specified.
-
--priority, -p
-
The priority of the sub configuration.
delete-svc
Delete the service from the server.
Syntax
ssoadm delete-svc --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--continue, -c]
-
Continue deleting services if one or more previous
services cannot be deleted.
-
[--deletepolicyrule, -r]
-
Delete the policy rule.
export-svc-cfg
Export the service configuration.
Syntax
ssoadm export-svc-cfg --options [--global-options]
Options
-
--encryptsecret, -e
-
The secret key used to encrypt the passwords in the exported configuration.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--outfile, -o]
-
The filename to which the configuration is written.
get-attr-defs
Get the default attribute values in a schema.
Syntax
ssoadm get-attr-defs --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
-
[--attributenames, -a]
-
The names of the attributes.
get-revision-number
Get the service schema revision number.
Syntax
ssoadm get-revision-number --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
import-svc-cfg
Import the service configuration.
Syntax
ssoadm import-svc-cfg --options [--global-options]
Options
-
--encryptsecret, -e
-
The secret key used to decrypt the passwords in the configuration being imported.
-
--xmlfile, -X
-
The XML file that contains the configuration data.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
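export-svc-cfg and import-svc-cfg share one secret: whatever is given to --encryptsecret at export time must be given again at import time, otherwise the passwords embedded in the exported XML cannot be decrypted. The script below is an added example, not code from the OpenSSO Enterprise tools or documentation. It generates that secret from /dev/urandom into a file readable only by the caller, pre-creates the export file under umask 077 so the configuration never exists on disk with a permissive mode, and refuses to run if the secret file's permissions have been loosened. SSOADM, ADMIN_ID and every path are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the OpenSSO documentation): an encrypted backup
# and restore of the service configuration with export-svc-cfg and
# import-svc-cfg. SSOADM, ADMIN_ID and all paths are assumptions.
set -eu

SSOADM="${SSOADM:-ssoadm}"        # assumed location of the ssoadm script
ADMIN_ID="${ADMIN_ID:-amadmin}"   # placeholder administrator ID

# Create a fresh 64-hex-character secret in a file readable only by the caller.
new_encrypt_secret() {
    ( umask 077
      od -An -tx1 -N32 /dev/urandom | tr -d ' \n' > "$1"
      printf '\n' >> "$1" )
}

# Accept only a secret file that is neither group- nor world-readable.
secret_mode_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")   # GNU, then BSD stat
    case "$mode" in 400|600) return 0 ;; *) return 1 ;; esac
}

# Export the service configuration. The outfile is created under umask 077
# before ssoadm writes to it, so the XML is never world-readable.
backup_svc_cfg() {
    pwfile=$1; secretfile=$2; outfile=$3
    secret_mode_ok "$secretfile" || { echo "refusing: bad mode on $secretfile" >&2; return 1; }
    ( umask 077; : > "$outfile" )
    "$SSOADM" export-svc-cfg --adminid "$ADMIN_ID" --password-file "$pwfile" \
        --encryptsecret "$(cat "$secretfile")" --outfile "$outfile"
    [ -s "$outfile" ] || { echo "export produced no data" >&2; return 1; }
}

# Restore from an export. The same secret must be supplied, or the
# encrypted passwords inside the XML cannot be decrypted.
restore_svc_cfg() {
    pwfile=$1; secretfile=$2; xmlfile=$3
    secret_mode_ok "$secretfile" || { echo "refusing: bad mode on $secretfile" >&2; return 1; }
    "$SSOADM" import-svc-cfg --adminid "$ADMIN_ID" --password-file "$pwfile" \
        --encryptsecret "$(cat "$secretfile")" --xmlfile "$xmlfile"
}

case "${1:-}" in
    backup)   # usage: sh svc-backup.sh backup PWFILE SECRETFILE OUT.xml
        [ -f "$3" ] || new_encrypt_secret "$3"
        backup_svc_cfg "$2" "$3" "$4" ;;
    restore)  # usage: sh svc-backup.sh restore PWFILE SECRETFILE IN.xml
        restore_svc_cfg "$2" "$3" "$4" ;;
esac
```

Keep the secret file and the export file in different places, and do not copy them together to the backup medium: the export is only as protected as the secret, so possession of one should not be possession of both. As the option reference above shows, --encryptsecret takes the secret as a command-line argument, which other users on a shared administration host can briefly observe in the process list; run the backup from a host that is not shared.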
remove-attr-choicevals
Remove choice values from the attribute schema.
Syntax
ssoadm remove-attr-choicevals --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributename, -a
-
The name of the attribute.
-
--choicevalues, -k
-
The choice values. For example, inactive.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
remove-attr-defs
Remove the default attribute values in a schema.
Syntax
ssoadm remove-attr-defs --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributenames, -a
-
The names of the attributes.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
remove-sub-schema
Remove the sub schema.
Syntax
ssoadm remove-sub-schema --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--subschemanames, -a
-
The names of the sub schema to be removed.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the parent sub schema.
set-attr-any
Set the any member of the attribute schema.
Syntax
ssoadm set-attr-any --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributeschema, -a
-
The name of the attribute schema.
-
--any, -y
-
The value of the attribute schema's any member.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
set-attr-bool-values
Set the boolean values of the attribute schema.
Syntax
ssoadm set-attr-bool-values --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributename, -a
-
The name of the attribute.
-
--truevalue, -e
-
The value for true.
-
--truei18nkey, -k
-
The internationalization key for the true value.
-
--falsevalue, -z
-
The value for false.
-
--falsei18nkey, -j
-
The internationalization key for the false value.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
set-attr-choicevals
Set choice values for the attribute schema.
Syntax
ssoadm set-attr-choicevals --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributename, -a
-
The name of the attribute.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--add, -p]
-
Set this flag to append the choice values to existing
ones.
-
[--subschemaname, -c]
-
The name of the sub schema.
-
[--datafile, -D]
-
The filename that contains the attribute values.
-
[--choicevalues, -k]
-
The choice values. For example, 0102=Inactive.
set-attr-defs
Set the default attribute values in a schema.
Syntax
ssoadm set-attr-defs --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
-
[--attributevalues, -a]
-
The attribute values. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values.
set-attr-end-range
Set the attribute schema end range.
Syntax
ssoadm set-attr-end-range --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributeschema, -a
-
The name of the attribute schema.
-
--range, -r
-
The end range.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
set-attr-i18n-key
Set the i18nkey member of the attribute schema.
Syntax
ssoadm set-attr-i18n-key --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributeschema, -a
-
The name of the attribute schema.
-
--i18nkey, -k
-
The attribute schema i18n key.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
set-attr-start-range
Set the attribute schema start range.
Syntax
ssoadm set-attr-start-range --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributeschema, -a
-
The name of the attribute schema.
-
--range, -r
-
The start range.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
set-attr-syntax
Set the syntax member of the attribute schema.
Syntax
ssoadm set-attr-syntax --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributeschema, -a
-
The name of the attribute schema.
-
--syntax, -x
-
The attribute schema syntax.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
set-attr-type
Set the type member of the attribute schema.
Syntax
ssoadm set-attr-type --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributeschema, -a
-
The name of the attribute schema.
-
--type, -p
-
The attribute schema type.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
set-attr-ui-type
Set the UI type member of the attribute schema.
Syntax
ssoadm set-attr-ui-type --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributeschema, -a
-
The name of the attribute schema.
-
--uitype, -p
-
The attribute schema UI type.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
set-attr-validator
Set the attribute schema validator.
Syntax
ssoadm set-attr-validator --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributeschema, -a
-
The name of the attribute schema.
-
--validator, -r
-
The validator class name.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
set-attr-view-bean-url
Set the properties view bean URL member of the attribute schema.
Syntax
ssoadm set-attr-view-bean-url --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--attributeschema, -a
-
The name of the attribute schema.
-
--url, -r
-
The attribute schema properties view bean URL.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--subschemaname, -c]
-
The name of the sub schema.
set-inheritance
Set the inheritance value of the sub schema.
Syntax
ssoadm set-inheritance --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--schematype, -t
-
The type of schema.
-
--subschemaname, -c
-
The name of the sub schema.
-
--inheritance, -r
-
The value of inheritance.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
set-plugin-viewbean-url
Set the properties view bean URL of the plug-in schema.
Syntax
ssoadm set-plugin-viewbean-url --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--interfacename, -i
-
The name of the interface.
-
--pluginname, -g
-
The name of the plug-in.
-
--url, -r
-
The properties view bean URL.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
set-revision-number
Set the service schema revision number.
Syntax
ssoadm set-revision-number --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--revisionnumber, -r
-
The revision number.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
set-sub-cfg
Set the sub configuration.
Syntax
ssoadm set-sub-cfg --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--subconfigname, -g
-
The name of the sub configuration.
-
--operation, -o
-
The operation to be performed on the sub configuration:
add, set, or modify.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values.
-
[--realm, -e]
-
The name of the realm. The sub configuration is set
in the global configuration if this option is not specified.
set-svc-i18n-key
Set the service schema i18n key.
Syntax
ssoadm set-svc-i18n-key --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--i18nkey, -k
-
The i18n key.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
set-svc-view-bean-url
Set the service schema properties view bean URL.
Syntax
ssoadm set-svc-view-bean-url --options [--global-options]
Options
-
--servicename, -s
-
The name of the service.
-
--url, -r
-
The service schema properties view bean URL.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
update-svc
Update the service.
Syntax
ssoadm update-svc --options [--global-options]
Options
-
--xmlfile, -X
-
The XML file that contains the schema.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--continue, -c]
-
Continue updating services if one or more previous
services cannot be updated.
Server Configuration
The following subcommands execute operations for configuring
and managing OpenSSO Enterprise servers and sites within your enterprise.
add-site-members
Add members to a site.
Syntax
ssoadm add-site-members --options [--global-options]
Options
-
--sitename, -s
-
The name of the site. For example, mysite.
-
--servernames, -e
-
The server names. For example, http://www.example.com:8080/opensso.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
add-site-sec-urls
Add site secondary URLs.
Syntax
ssoadm add-site-sec-urls --options [--global-options]
Options
-
--sitename, -s
-
The name of the site. For example, mysite.
-
--secondaryurls, -a
-
The secondary URLs.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
clone-server
Clone a server instance.
Syntax
ssoadm clone-server --options [--global-options]
Options
-
--servername, -a
-
The server name.
-
--cloneservername, -o
-
The clone server name.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
create-server
Create a server instance.
Syntax
ssoadm create-server --options [--global-options]
Options
-
--servername, -a
-
The server name. For example, http://www.example.com:8080/opensso.
-
--serverconfigxml, -X
-
The server configuration XML filename.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values.
create-site
Create a site.
Syntax
ssoadm create-site --options [--global-options]
Options
-
--sitename, -s
-
The site name. For example, mysite.
-
--siteurl, -i
-
The site's primary URL. For example, http://www.example.com:8080.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--secondaryurls, -a]
-
The secondary URLs.
delete-server
Delete a server instance.
Syntax
ssoadm delete-server --options [--global-options]
Options
-
--servername, -s
-
The server name. For example, http://www.example.com:8080/opensso.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
delete-site
Delete a site.
Syntax
ssoadm delete-site --options [--global-options]
Options
-
--sitename, -s
-
The site name. For example, mysite.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
export-server
Export a server instance.
Syntax
ssoadm export-server --options [--global-options]
Options
-
--servername, -s
-
The server name. For example, http://www.example.com:8080/opensso.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--outfile, -o]
-
The filename to which the configuration is written.
get-svrcfg-xml
Get the server configuration XML from the centralized data store.
Syntax
ssoadm get-svrcfg-xml --options [--global-options]
Options
-
--servername, -s
-
The server name.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--outfile, -o]
-
The filename where serverconfig.XML is written.
import-server
Import a server instance.
Syntax
ssoadm import-server --options [--global-options]
Options
-
--servername, -s
-
The server name.
-
--xmlfile, -X
-
The XML file that contains the configuration.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
list-server-cfg
List the server configuration.
Syntax
ssoadm list-server-cfg --options [--global-options]
Options
-
--servername, -s
-
The server name.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--withdefaults, -w]
-
Set this flag to get the default configuration.
list-servers
List all the server instances.
Syntax
ssoadm list-servers --options [--global-options]
Options
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
list-sites
List all the sites.
Syntax
ssoadm list-sites --options [--global-options]
Options
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
remove-server-cfg
Remove the server configuration.
Syntax
ssoadm remove-server-cfg --options [--global-options]
Options
-
--servername, -s
-
The server name. For example, http://www.example.com:8080/opensso.
-
--propertynames, -a
-
The names of the properties to be removed.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
remove-site-members
Remove members from a site.
Syntax
ssoadm remove-site-members --options [--global-options]
Options
-
--sitename, -s
-
The site name. For example, mysite.
-
--servernames, -e
-
The server name. For example, http://www.example.com:8080/opensso.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
remove-site-sec-urls
Remove the site secondary URLs.
Syntax
ssoadm remove-site-sec-urls --options [--global-options]
Options
-
--sitename, -s
-
The site name. For example, mysite.
-
--secondaryurls, -a
-
The secondary URLs.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
set-site-pri-url
Set the primary URL of a site.
Syntax
ssoadm set-site-pri-url --options [--global-options]
Options
-
--sitename, -s
-
The site name. For example, mysite.
-
--siteurl, -i
-
The site's primary URL. For example, http://www.example.com:8080.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
set-site-sec-urls
Set the site secondary URLs.
Syntax
ssoadm set-site-sec-urls --options [--global-options]
Options
-
--sitename, -s
-
The site name. For example, mysite.
-
--secondaryurls, -a
-
The secondary URLs.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
set-svrcfg-xml
Set the server configuration XML to the centralized data store.
Syntax
ssoadm set-svrcfg-xml --options [--global-options]
Options
-
--servername, -s
-
The server name.
-
--xmlfile, -X
-
The XML file that contains the configuration.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--outfile, -o]
-
The filename where serverconfig XML is written.
show-site
Show the site profile.
Syntax
ssoadm show-site --options [--global-options]
Options
-
--sitename, -s
-
The site name. For example, mysite.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
show-site-members
Display the members of a site.
Syntax
ssoadm show-site-members --options [--global-options]
Options
-
--sitename, -s
-
The site name. For example, mysite.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
update-server-cfg
Update the server configuration.
Syntax
ssoadm update-server-cfg --options [--global-options]
Options
-
--servername, -s
-
The server name.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--attributevalues, -a]
-
The attribute values. For example, homeaddress=here.
-
[--datafile, -D]
-
The filename that contains the attribute values.
Federation Management
The following subcommands execute operations for configuring
and managing Federation-related data.
add-cot-member
Add a member to a circle of trust.
Syntax
ssoadm add-cot-member --options [--global-options]
Options
-
--cot, -t
-
The circle of trust.
-
--entityid, -y
-
The entity ID.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--realm, -e]
-
The name of the realm that contains the circle of
trust.
-
[--spec, -c]
-
Specifies the metadata specification, either idff or saml2. The default is saml2.
create-cot
Create a circle of trust.
Syntax
ssoadm create-cot --options [--global-options]
Options
-
--cot, -t
-
The circle of trust.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--realm, -e]
-
The name of the realm that contains the circle of
trust.
-
[--trustedproviders, -k]
-
The trusted providers.
-
[--prefix, -p]
-
The prefix URL for the idp discovery reader and the
writer URL.
create-metadata-templ
Create a new metadata template.
Syntax
ssoadm create-metadata-templ --options [--global-options]
Options
-
--entityid, -y
-
The entity ID.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--meta-data-file, -m]
-
Specifies the filename for the standard metadata to
be created.
-
[--extended-data-file, -x]
-
Specifies the filename for the extended metadata to
be created.
-
[--serviceprovider, -s]
-
Specifies the metaAlias for the hosted service provider
to be created. The format must be <realm name>/<identifier>.
-
[--identityprovider, -i]
-
Specifies the metaAlias for the hosted identity provider
to be created. The format must be <realm name>/<identifier>.
-
[--attrqueryprovider, -S]
-
Specifies the metaAlias for the hosted attribute query
provider to be created. The format must be <realm name>/<identifier>.
-
[--attrauthority, -I]
-
Specifies the metaAlias for the hosted attribute authority
to be created. The format must be <realm name>/<identifier>.
-
[--authnauthority, -C]
-
Specifies the metaAlias for the hosted authentication
authority to be created. The format must be <realm name>/<identifier>.
-
[--xacmlpep, -e]
-
Specifies the metaAlias for the policy enforcement
point to be created. The format must be <realm name>/<identifier>.
-
[--xacmlpdp, -p]
-
Specifies the metaAlias for the policy decision point
to be created. The format must be <realm name>/<identifier>.
-
[--affiliation, -F]
-
Specifies the metaAlias for the hosted affiliation
to be created. The format must be <realm name>/<identifier>.
-
[--affiownerid, -N]
-
The affiliation owner ID.
-
[--affimembers, -M]
-
The affiliation members.
-
[--spscertalias, -a]
-
The service provider signing certificate alias.
-
[--idpscertalias, -b]
-
The identity provider signing certificate alias.
-
[--attrqscertalias, -A]
-
The attribute query provider signing certificate alias.
-
[--attrascertalias, -B]
-
The attribute authority signing certificate alias.
-
[--authnascertalias, -D]
-
The authentication authority signing certificate alias.
-
[--affiscertalias, -J]
-
The affiliation signing certificate alias.
-
[--xacmlpdpscertalias, -t]
-
The policy decision point signing certificate alias.
-
[--xacmlpepscertalias, -k]
-
The policy enforcement point signing certificate alias.
-
[--specertalias, -r]
-
The service provider encryption certificate alias.
-
[--idpecertalias, -g]
-
The identity provider encryption certificate alias.
-
[--attrqecertalias, -R]
-
The attribute query provider encryption certificate
alias.
-
[--attraecertalias, -G]
-
The attribute authority encryption certificate alias.
-
[--authnaecertalias, -E]
-
The authentication authority encryption certificate
alias.
-
[--affiecertalias, -K]
-
The affiliation encryption certificate alias.
-
[--xacmlpdpecertalias, -j]
-
The policy decision point encryption certificate alias.
-
[--xacmlpepecertalias, -z]
-
The policy enforcement point encryption certificate
alias.
-
[--spec, -c]
-
Specifies the metadata specification, either idff or saml2. The default is saml2.
delete-cot
Delete the circle of trust.
Syntax
ssoadm delete-cot --options [--global-options]
Options
-
--cot, -t
-
The circle of trust.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--realm, -e]
-
The name of the realm that contains the circle of
trust.
delete-entity
Delete an entity.
Syntax
ssoadm delete-entity --options [--global-options]
Options
-
--entityid, -y
-
The entity ID.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--realm, -e]
-
The name of the realm that contains the circle of
trust.
-
[--extendedonly, -x]
-
Set this flag to only delete extended data.
-
[--spec, -c]
-
Specifies the metadata specification, either idff or saml2. The default is saml2.
do-bulk-federation
Perform bulk federation.
Syntax
ssoadm do-bulk-federation --options [--global-options]
Options
-
--metaalias, -m
-
Specify a metaAlias for the local provider.
-
--remoteentityid, -r
-
The remote entity ID.
-
--useridmapping, -g
-
The filename that contains the local to remote user
ID mapping. Format as follows: <local-user-id>|<remote-user-id>.
-
--nameidmapping, -e
-
The filename that will be created by this sub command.
It contains the mapping from remote user ID to name identifier.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--spec, -c]
-
Specifies the metadata specification, either idff or saml2. The default is saml2.
export-entity
Export an entity.
Syntax
ssoadm export-entity --options [--global-options]
Options
-
--entityid, -y
-
The entity ID.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--realm, -e]
-
The name of the realm to which the entity belongs.
-
[--sign, -g]
-
Set this flag to sign the metadata.
-
[--meta-data-file, -m]
-
The metadata.
-
[--extended-data-file, -x]
-
The extended data.
-
[--spec, -c]
-
Specifies the metadata specification, either idff or saml2. The default is saml2.
import-bulk-fed-data
Import the bulk federation data that is generated by the do-bulk-federation sub command.
Syntax
ssoadm import-bulk-fed-data --options [--global-options]
Options
-
--metaalias, -m
-
Specifies the metaAlias for the local provider.
-
--bulk-data-file, -g
-
The filename that contains the bulk federation data
that is generated by the do-bulk-federation sub
command.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--spec, -c]
-
Specifies the metadata specification, either idff or saml2. The default is saml2.
import-entity
Import an entity.
Syntax
ssoadm import-entity --options [--global-options]
Options
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--realm, -e]
-
The name of the realm to which the entity belongs.
-
[--meta-data-file, -m]
-
Specifies the filename for the standard metadata to
be imported.
-
[--extended-data-file, -x]
-
Specifies the filename for the extended entity configuration
to be imported.
-
[--cot, -t]
-
The circle of trust.
-
[--spec, -c]
-
Specifies the metadata specification, either idff or saml2. The default is saml2.
list-cot-members
List the members in a circle of trust.
Syntax
ssoadm list-cot-members --options [--global-options]
Options
-
--cot, -t
-
The circle of trust.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--realm, -e]
-
The name of the realm to which the circle of trust
belongs.
-
[--spec, -c]
-
Specifies the metadata specification, either idff or saml2. The default is saml2.
list-cots
List the circles of trust.
Syntax
ssoadm list-cots --options [--global-options]
Options
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--realm, -e]
-
The name of the realm to which the circle of trust
belongs.
list-entities
List the entities under a realm.
Syntax
ssoadm list-entities --options [--global-options]
Options
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--realm, -e]
-
The name of the realm to which the entities belong.
-
[--spec, -c]
-
Specifies the metadata specification, either idff or saml2. The default is saml2.
remove-cot-member
Remove a member from a circle of trust.
Syntax
ssoadm remove-cot-member --options [--global-options]
Options
-
--cot, -t
-
The circle of trust.
-
--entityid, -y
-
The entity ID.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--realm, -e]
-
The name of the realm to which the circle of trust
belongs.
-
[--spec, -c]
-
Specifies the metadata specification, either idff or saml2. The default is saml2.
update-entity-keyinfo
Update the XML signing and encryption key information in the
hosted entity metadata.
Syntax
ssoadm update-entity-keyinfo --options [--global-options]
Options
-
--entityid, -y
-
The entity ID.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--spscertalias, -a]
-
The service provider signing certificate alias.
-
[--idpscertalias, -b]
-
The identity provider signing certificate alias.
-
[--specertalias, -r]
-
The service provider encryption certificate alias.
-
[--idpecertalias, -g]
-
The identity provider encryption certificate alias.
-
[--spec, -c]
-
Specifies the metadata specification, either idff or saml2. The default is saml2.
Miscellaneous
The following subcommands perform miscellaneous operations: resource
bundle management, batch processing, legacy organization migration,
and session listing.
add-res-bundle
Add a resource bundle to the data store.
Syntax
ssoadm add-res-bundle --options [--global-options]
Options
-
--bundlename, -b
-
The resource bundle name.
-
--bundlefilename, -B
-
The resource bundle physical file name.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--bundlelocale, -o]
-
The locale of the resource bundle.
do-batch
Do multiple requests in one command.
Syntax
ssoadm do-batch --options [--global-options]
Options
-
--batchfile, -D
-
The filename that contains the commands and options.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--batchstatus, -b]
-
The name of the status file.
-
[--continue, -c]
-
Continue processing the rest of the request when the
previous request was erroneous.
do-migration70
Migrate the organization to a realm.
Syntax
ssoadm do-migration70 --options [--global-options]
Options
-
--entrydn, -e
-
The distinguished name of the organization to be migrated.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
list-res-bundle
List a resource bundle in a data store.
Syntax
ssoadm list-res-bundle --options [--global-options]
Options
-
--bundlename, -b
-
The resource bundle name.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--bundlelocale, -o]
-
The locale of the resource bundle.
list-sessions
List the sessions.
Syntax
ssoadm list-sessions --options [--global-options]
Options
-
--host, -t
-
The host name.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
--filter, -x
-
Filter by a pattern.
-
[--quiet, -q]
-
Do not prompt for session invalidation.
remove-res-bundle
Remove a resource bundle from a data store.
Syntax
ssoadm remove-res-bundle --options [--global-options]
Options
-
--bundlename, -b
-
The resource bundle name.
-
--adminid, -u
-
The administrator ID running the command.
-
--password-file, -f
-
The filename that contains the password of the administrator.
-
[--bundlelocale, -o]
-
The locale of the resource bundle.
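Every ssoadm subcommand above authenticates with --adminid and --password-file rather than taking the password on the command line, which keeps it out of process listings and shell history. The password file itself then becomes the secret to protect. The following added example (not part of OpenSSO or its documentation) shows one way to create that file with restrictive permissions, refuse to use it if its mode or owner has drifted, and build an argv list for ssoadm using only the long options documented on this page. The same pattern applies to amadmin's -f | --passwordfile. Assumptions: a POSIX filesystem, and that ssoadm is on PATH when run_ssoadm is actually called (the helpers themselves never invoke it).

```python
"""Create an OpenSSO administrator password file safely and invoke ssoadm
with --password-file. Added illustration, not OpenSSO code."""
import os
import shlex
import stat
import subprocess
import tempfile
from typing import Dict, List, Sequence


def write_password_file(path: str, password: str) -> str:
    """Create `path` with mode 0600, failing if it already exists.

    O_EXCL refuses to follow a pre-planted symlink or overwrite another
    user's file; the explicit mode means the file is never group- or
    world-readable, even briefly, regardless of the process umask.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, (password + "\n").encode())
    finally:
        os.close(fd)
    return path


def password_file_is_safe(path: str) -> bool:
    """True only for a regular file, owned by us, with no group/other bits."""
    st = os.lstat(path)
    return (stat.S_ISREG(st.st_mode)
            and not (st.st_mode & (stat.S_IRWXG | stat.S_IRWXO))
            and st.st_uid == os.geteuid())


def ssoadm_argv(subcommand: str, adminid: str, password_file: str,
                **options: str) -> List[str]:
    """Build an argv list from documented long options (e.g. sitename=...).

    Passing a list to subprocess (no shell) means URL values such as
    http://www.example.com:8080/opensso need no quoting, and the password
    reaches ssoadm only through the file, never as an argument.
    """
    if not password_file_is_safe(password_file):
        raise PermissionError(
            f"{password_file}: must be a regular file, mode 0600, owned by you")
    argv = ["ssoadm", subcommand, "--adminid", adminid,
            "--password-file", password_file]
    for name, value in options.items():
        argv += ["--" + name.replace("_", "-"), value]
    return argv


def run_ssoadm(argv: Sequence[str]) -> int:
    """Execute ssoadm and return its exit status (nonzero on failure,
    including the server version mismatch described earlier)."""
    return subprocess.run(list(argv), check=False).returncode


def example_run() -> Dict[str, object]:
    """Exercise the helpers in a scratch directory and report what happened."""
    tmp = tempfile.mkdtemp()
    pw = write_password_file(os.path.join(tmp, "amadmin.pwd"), "changeit")
    result: Dict[str, object] = {"mode": oct(os.stat(pw).st_mode & 0o777)}
    try:
        write_password_file(pw, "again")          # second create must fail
        result["exclusive_create_failed"] = False
    except FileExistsError:
        result["exclusive_create_failed"] = True
    result["argv"] = ssoadm_argv("create-site", "amadmin", pw,
                                 sitename="mysite",
                                 siteurl="http://www.example.com:8080")
    os.chmod(pw, 0o644)                           # simulate a careless chmod
    result["safe_after_chmod"] = password_file_is_safe(pw)
    try:
        ssoadm_argv("list-sites", "amadmin", pw)
        result["refused_after_chmod"] = False
    except PermissionError:
        result["refused_after_chmod"] = True
    os.chmod(pw, 0o600)
    os.unlink(pw)
    os.rmdir(tmp)
    return result


if __name__ == "__main__":
    print(shlex.join(example_run()["argv"]))  # type: ignore[arg-type]
```

Keep the password file on a local filesystem owned by the account that runs ssoadm, and delete it when the batch of administrative work is finished; it is plaintext, and no option of ssoadm or amadmin encrypts it for you.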
Chapter 2 The amadmin Command Line Tool
Note –
In the 8.0 release, the amadmin command line tool has
been replaced by the ssoadm command line utility.
This section is provided as reference for backwards compatibility
for upgraded systems.
This chapter provides information on the amadmin command
line tool.
The amadmin Command Line Executable
The primary purpose of the command line executable amadmin is to load XML service files into the data store and to
perform batch administrative tasks on the DIT. It is used to:
Note –
XML service files are stored in the data store as static blobs of XML data that is referenced by OpenSSO Enterprise.
This information is not used by Directory Server, which only understands
LDAP.
-
Perform batch updates of identity objects to the DIT
- Administrators can perform batch updates to the Directory Server
DIT using the batch processing XML file format defined in the amadmin.dtd. For example, if an administrator wants to create 10 organizations,
1000 users, and 100 groups, it can be done in one attempt by putting
the requests in one or more batch processing XML files and loading
them using amadmin.
Note –
amadmin only supports a subset of features
that the OpenSSO Enterprise console supports and is not intended as
a replacement. It is recommended that the console be used for small
administrative tasks while amadmin is used for
larger administrative tasks.
If there is an environment variable named OPTIONS on the system,
you must remove it. This command line utility will not function properly
with this environment variable.
The amadmin Syntax
There are a number of structural rules that must be followed
in order to use amadmin. The generic syntaxes for
using the tool are:
-
amadmin -u | --runasdn dnname -w | --password password [-l | --locale localename]
[[-v | --verbose] | [-d |--debug]] -t | --data xmlfile1 [ xmlfile2 ...]
-
amadmin -u | --runasdn dnname -w | --password password [-l | --locale localename]
[[-v | --verbose] | [-d | --debug]] -s | --schema xmlfile1 [xmlfile2 ...]
-
amadmin -u | --runasdn dnname -w | --password password [-l | --locale localename]
[[-v | --verbose] | [-d | --debug]] -r | --deleteService serviceName1 [serviceName2 ...]
-
amadmin -u | --runasdn dnname -w
| --password password or -f | --passwordfile passwordfile [-c | --continue] [-l | --locale localename] [[-v | --verbose] | [-d | --debug]] -m |
--session servername pattern
-
amadmin -h | --help
-
amadmin -n | --version
-
amadmin -u | --runasdn dnname -w | --password password or -f | --passwordfile passwordfile [-l | --locale localename]
[[-v | --verbose] | [-d | --debug]] -a | --addattributes serviceName schemaType xmlfile1 [xmlfile2 ...]
Note –
Two hyphens must be entered exactly as shown in the syntax.
amadmin Options
Following are definitions of the amadmin command
line parameter options:
--runasdn (-u)
--runasdn is used to authenticate the user
to the LDAP server. The argument is a value equal to that of the Distinguished
Name (DN) of the user authorized to run amadmin;
for example
--runasdn uid=amAdmin,ou=People,o=example.com,o=isp.
The DN can also be formatted by inserting spaces between the
domain components and double quoting the entire DN such as: --runasdn
"uid=amAdmin, ou=People, o=iplanet.com, o=isp".
--password (-w)
--password takes a value equal to the password of the DN specified with the --runasdn option.
Either --password or --passwordfile must be supplied. Because a value given with --password
appears in the command line, and so in process listings and shell history, prefer -f | --passwordfile
wherever the syntax above permits it.
--locale (-l)
--locale is an option that takes a value
equal to that of the name of the locale. This option can be used for
the customization of the message language. If not provided, the default
locale, en_US, is used.
--continue (-c)
--continue is an option that will continue to process the next
request within an XML file even if there are errors. For example,
if a request within an XML file fails, then amadmin will continue
to the next request in the same XML file. When all operations in the
first XML file are completed, amadmin will continue to the second
XML file.
--session (-m)
--session (-m) is an option
to manage the sessions, or to display the current sessions. When specifying --runasdn, the value must be the same as the DN of the super
user in AMConfig.properties, or just the ID of the
top-level admin user.
The following example displays all sessions for a particular
service host name:
amadmin -u uid=amadmin,ou=people,dc=iplanet,dc=com
-v -w 12345678 -m http://sun.com:58080
The following example will display a particular user’s
session:
amadmin -u uid=amadmin,ou=people,dc=iplanet,dc=com -v
-w 12345678 -m http://sun.com:58080 username
You can terminate a session by entering the corresponding index
number, or enter multiple index numbers (separated by spaces) to terminate
multiple sessions.
When using the following option:
amadmin -m | --session servername pattern
the pattern may contain a wildcard (*). If it does, the wildcard
must be escaped from the shell with a backslash (for example, \*) so that
the shell does not expand it before amadmin sees it.
--debug (-d)
--debug is an option that will write messages
to the amAdmin file created under the /var/opt/SUNWam/debug directory. These messages are technically-detailed but
not i18n-compliant. To generate amadmin operation
logs, when logging to database, the classpath for the database driver
needs to be added manually. For example, add the following lines when
logging to mysql in amadmin:
CLASSPATH=$CLASSPATH:/opt/IS61/SUNWam/lib/mysql-connector-java-3.0.6-stable-bin.jar
export CLASSPATH
--verbose (-v)
--verbose is an option that prints to the
screen the overall progress of the amadmin command.
It does not write detailed information to a file. Messages output
to the command line are i18n-compliant.
--data (-t)
--data is an option that takes as its value
the name of the batch processing XML file being imported. One or more
XML files can be specified. This XML file can create, delete and read
various directory objects as well as register and unregister services.
--schema (-s)
--schema is an option that loads the attributes
of an OpenSSO Enterprise service into the Directory Server. It takes
as an argument an XML service file in which the service attributes
are defined. This XML service file is based on the sms.dtd .
One or more XML files can be specified.
Note –
Either the --data or --schema option
must be specified, depending on whether configuring batch updates
to the DIT, or loading service schema and configuration data.
--addattributes (-a)
Adds a new attribute to the specified serviceName and schemaType (global,
dynamic, organization, or user). The attribute schema being added
is defined in the XML file.
--deleteservice (-r)
--deleteservice is an option for deleting
a service and its schema only.
--serviceName
--serviceName is an option that takes a value
equal to the service name which is defined under the Service
name=... tag of an XML service file. This portion is shown
in Example 2–1.
Example 2–1 Portion of sampleMailService.xml
...
<ServicesConfiguration>
<Service name="sampleMailService" version="1.0">
<Schema
serviceHierarchy="/other.configuration/sampleMailService"
i18nFileName="sampleMailService"
i18nKey="iplanet-am-sample-mail-service-description">
...
--help (-h)
--help is an argument that displays the syntax
for the amadmin command.
--version (-n)
--version is an argument that displays the
utility name, product name, product version and legal notice.
Using amadmin for Federation Management
This section lists the parameters of amadmin for use with Federation
Management.
Loading the Liberty meta compliance XML into
Directory Server
amadmin -u|--runasdn <user’s DN>
-w|--password <password> or -f|--passwordfile <passwordfile>
-e|--entityname <entity name>
-g|--import <xmlfile>
--runasdn (-u)
The user’s DN
--password (-w)
The user’s password.
--passwordfile (-f)
The name of the file that contains the user’s password. This file
is not encrypted and should be protected as a read-only file owned
by the web container runtime user (which is not necessarily root).
The default owner is root, but this is not required. Any encryption
method you use must be managed outside of amadmin.
--entityname (-e)
The entity name. For example, http://www.example.com.
An entity should belong to only one organization.
--import (-g)
The name of an XML file that contains the meta information.
This file should adhere to Liberty meta specification and XSD.
Exporting an Entity to an XML File (Without
XML Digital Signing)
amadmin -u|--runasdn <user’s DN>
-w|--password <password> or -f|--passwordfile <passwordfile>
-e|--entityname <entity name>
-o|--export <filename>
--runasdn (-u)
The user’s DN
--password (-w)
The user’s password.
--passwordfile (-f)
The name of file that contains user’s password.
--entityname (-e)
The name of Entity that resides in the Directory Server
--export (-o)
The name of the file to contain the XML of the entity. The XML
file must be Liberty meta XSD-compliant.
Exporting an Entity to an XML File (With
XML Digital Signing)
amadmin -u|--runasdn <user’s DN>
-w|--password <password> or -f|--passwordfile <passwordfile>
-e|--entityname <entity name> -x|--xmlsig -o|--export <filename>
--runasdn (-u)
The user’s DN
--password (-w)
The user’s password.
--passwordfile (-f)
The name of file that contains user’s password.
--entityname (-e)
The name of Entity that resides in the Directory Server
--export (-o)
The name of the file to contain the XML of the entity. The XML
file must be Liberty meta XSD-compliant.
--xmlsig (-x)
Used with the --export option; if specified,
the exported file is signed.
Changing from Legacy Mode to Realm Mode
If you install OpenSSO Enterprise in Legacy Mode, you can change
to Realm Mode by using the amadmin command with the -M option.
For example:
amadmin -u cn=amAdmin,ou=People,dc=example,dc=com
-w amadmin-password -M dc=example,dc=com

Caution –
If you install OpenSSO Enterprise 8.0 in Realm Mode,
you cannot revert to Legacy Mode.
Using amadmin for Resource Bundles
The following section shows the amadmin syntax
for adding, locating and removing resource bundles.
Add resource bundle.
amadmin -u|--runasdn <user-dn> -w|--password <user-password>
-b|--addresourcebundle <name-of-resource-bundle>
-i|--resourcebundlefilename <resource-bundle-file-name>
[-R|--resourcelocale] <locale>
Get resource strings.
amadmin -u|--runasdn <user-dn> -w|--password <user-password>
-z|--getresourcestrings <name-of-resource-bundle>
[-R|--resourcelocale] <locale>
Remove resource bundle.
amadmin -u|--runasdn <user-dn> -w|--password <user-password>
-j|--deleteresourcebundle <name-of-resource-bundle>
[-R|--resourcelocale] <locale>
Chapter 3 The ampassword Command Line Tool
This chapter provides information on the ampassword command
line tool.
The ampassword Command Line Executable
OpenSSO Enterprise contains an ampassword utility
in your server's tools directory. For information on unpacking and
setting up this utility, see Chapter 6, Installing the OpenSSO Enterprise
Utilities and Scripts, in Sun
OpenSSO Enterprise 8.0 Installation and Configuration Guide.
This tool allows you to change the Directory Server password for the
administrator or user.
To Run ampassword with OpenSSO Enterprise
in SSL mode
-
Use the ssoadm get-svrcfg-xml command
to retrieve the serverconfig.xml file.
-
Edit this file to change the protocol of the directory
server
For example:
<iPlanetDataAccessLayer>
<ServerGroup name="default" minConnPool="1" maxConnPool="10">
<Server name="Server1" host="sun.com" port="636" type="SSL" />
<User name="User1" type="proxy">
<DirDN>
cn=puser,ou=DSAME Users,dc=iplanet,dc=com
</DirDN>
<DirPassword>
AQIC5wM2LY4Sfcy+AQBQxghVwhBE92i78cqf
</DirPassword>
</User> ...
You can also edit Directory Server configuration data in the
Servers and Sites tab in the OpenSSO console. For more information,
see Servers and Sites.
-
Import the edited serverconfig.xml file using ssoadm
set-svrcfg-xml
ampassword only
changes the password in Directory Server. You must manually
change the corresponding passwords in all OpenSSO Enterprise configuration and authentication templates.
Chapter 4 The amverifyarchive Command Line Tool
This chapter provides information on the amverifyarchive command
line tool.
The amverifyarchive Command Line Executable
The purpose of amverifyarchive is to verify
the log archives. A log archive is a set of timestamped logs and their
corresponding key stores (keystores contain the keys used to generate
the MACs and the Digital Signatures which are used to detect tampering
of the log files). Verification of an archive detects possible tampering
and/or deletion of any file in the archive.
amverifyarchive extracts all of the archive
sets, and all files belonging to each archive set, for a given logName. When executed, amverifyarchive checks
each log record for tampering. If tampering is detected, it prints
a message specifying which file and the number of the record that
has been tampered with.
amverifyarchive also checks for any files
that have been deleted from the archive set. If a deleted file is
detected, it prints a message explaining that verification has failed.
If no tampering or deleted files are detected, it returns a message
explaining that the archive verification has been successfully completed.
Note –
An error may occur if you run amverifyarchive as
a user without administrator privileges.
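The mechanism described above, MACs over the log records plus a signature held with keys in a keystore, is what makes both record modification and file deletion detectable. The following added example (written for this page; it is not OpenSSO's log format and cannot read real OpenSSO archives) illustrates the idea on a constructed archive: each record carries an HMAC chained to the previous record's HMAC, and the archive ends with a signature over the final chain value. The record layout, the in-memory "keystore", and the use of a second HMAC key in place of a digital signature are all assumptions made for the illustration.

```python
"""Tamper-evident log archive: chained HMACs per record, signature at the
end. Added illustration of the amverifyarchive concept, not OpenSSO code."""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed keystore. In OpenSSO the MAC and signing keys live in the
# archive's keystore files; here they are just bytes in a dict.
KEYSTORE: Dict[str, bytes] = {
    "mac": b"constructed-mac-key-0001",
    "sig": b"constructed-signature-key-0001",
}

SEP = "\t"
GENESIS = b"\x00" * 32   # chain anchor for the first record


def _mac(key: bytes, prev: bytes, body: str) -> bytes:
    """HMAC over the previous chain value and this record's body."""
    return hmac.new(key, prev + body.encode(), hashlib.sha256).digest()


def write_archive(records: List[str], key: Dict[str, bytes] = KEYSTORE) -> List[str]:
    """Return archive lines 'index<TAB>message<TAB>mac_hex', then a
    'SIGNATURE<TAB>hex' line binding the final chain value."""
    out: List[str] = []
    prev = GENESIS
    for index, message in enumerate(records, 1):
        body = f"{index}{SEP}{message}"
        prev = _mac(key["mac"], prev, body)
        out.append(body + SEP + prev.hex())
    signature = hmac.new(key["sig"], prev, hashlib.sha256).hexdigest()
    out.append("SIGNATURE" + SEP + signature)
    return out


def verify_archive(lines: List[str], key: Dict[str, bytes] = KEYSTORE) -> Tuple[bool, str]:
    """Verify the chain and the signature.

    Detects: a modified record (its MAC no longer matches), a record
    deleted from the middle (index gap; the chain also breaks), records
    deleted from the tail (signature no longer matches), and a truncated
    archive with no signature line at all.
    """
    if not lines or not lines[-1].startswith("SIGNATURE" + SEP):
        return False, "archive truncated: signature record missing"
    prev, expected = GENESIS, 1
    for line in lines[:-1]:
        parts = line.split(SEP)
        if len(parts) != 3:
            return False, f"record {expected}: malformed"
        index, message, mac_hex = parts
        if index != str(expected):
            return False, f"record {expected}: missing (found index {index})"
        mac = _mac(key["mac"], prev, f"{index}{SEP}{message}")
        if not hmac.compare_digest(mac.hex(), mac_hex):
            return False, f"record {index}: tampered"
        prev, expected = mac, expected + 1
    signature = hmac.new(key["sig"], prev, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(signature, lines[-1].split(SEP, 1)[1]):
        return False, "signature mismatch: records deleted from the tail or signature forged"
    return True, f"verified {expected - 1} records"


if __name__ == "__main__":
    # Constructed sample records, not real OpenSSO log lines.
    archive = write_archive(["login amadmin OK", "policy eval allow", "logout amadmin"])
    print(verify_archive(archive))
    archive[1] = archive[1].replace("allow", "deny")   # edit a record in place
    print(verify_archive(archive))
```

The point the example makes is the one the chapter relies on: without the keys from the keystore, an attacker who edits or removes a record cannot recompute the chain, so the verifier can name the exact file and record number that no longer checks out.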
amverifyarchive Syntax
All of the options are required. The syntax is as
follows:
amverifyarchive -l logName -p path -u
uname -w password
amverifyarchive Options
logName
logName refers to the name of the log which
is to be verified (such as amConsole, amAuthentication, and so forth). amverifyarchive verifies
both the access and error logs for the given logName. For example,
if amConsole is specified, the verifier verifies
the amConsole.access and amConsole.error
files. Alternatively, the logName can be specified
as amConsole.access or amConsole.error to
restrict verification to that log only.
path
path is the full directory path where the
log files are stored.
uname
uname is the user id of the OpenSSO Enterprise
administrator.
password
password is the password of the OpenSSO Enterprise
administrator.