Cool Open Identity Stack Scripts/Utilities – GitHub Repos #ForgeRock #IDM

I was working on a few scripts to test out some of the new REST APIs in OpenAM 11.  I saved them out to GitHub and you are welcome to have at them.

I thought it might also be cool to share some of the other Repo’s that are related to ForgeRock as well.  There are some really cool scripts available for interacting with OpenAM, OpenIDM and OpenDJ.

These are freely available but not officially supported by ForgeRock or the developers of the scripts.  Just click on the person’s name to go to their GitHub repo.


  • Brad Tumy (AuthNUser, checkEntitlements, listAgents *New API and Legacy API*, updatePolicy)
  • Simon Moffatt (Really cool interactive menu!)


  • Ludo Poitou (Some really handy utilities e.g.: &
  • Chris Ridd (Very handy utils e.g.: slowops: analyzes operation times in access logs)
  • Simon Moffatt


  • Simon Moffatt (Interactive mode menu for calling OpenIDM’s REST APIs)

Full OIS Stack:

  • Warren Strange (Ansible (like puppet) scripts for deploying the OIS stack to Vagrant)

I am sure there are other great repos that I have missed, so feel free to add them in the comments and I can update the post.

Disclaimer: These scripts have been very handy to me but YMMV.


For those about to Rock! … introducing the ForgeRock Identity stack introductory bootstrap “sequester special”

I am offering an introductory special to ForgeRock’s Identity (I3) Stack.  I am calling this the “Sequester Special”. The Federales are cutting back budgets and furloughing the Air Traffic controllers (cough … why not the TSA agents at the airport instead) but this is your chance to capitalize on that.

So what’s this all about?

You get to try out the  ForgeRock Open Identity Stack (**ForgeRock support license required for binaries used in a production environment**) and you get a  reduced rate on professional services … to ease those sequester blues.

Download the information sheet here.

Sequester Special | For those about to ROCK …

ForgeRock Open Identity (I3) Stack Bootstrap Package

Tumy-Tech’s Professional Services team provides services to assist you in successfully and rapidly implementing ForgeRock’s Open Identity (I3) Stack into your environment.  The end result? A working implementation of ForgeRock’s Open Identity Stack designed to introduce you to ForgeRock’s products as well as demonstrate several common configurations requested by your many customers.

The ForgeRock Bootstrap Package Includes:

  • ForgeRock Open Identity (I3) Stack installation 
  • User Identity Reconciliation from enterprise LDAP (or AD)
  • User Provisioning & Single Sign-On (SSO) to Google Apps
  • Just-In-Time (JIT) Provisioning & SSO to
  • Customized Installation & Configuration Documentation


Components Included:

  • OpenDJ
  • OpenIDM
  • OpenAM

Customer Requirements:

  • Customer provided servers must meet ForgeRock product specifications.
  • Customer must have an existing Google Apps for Business (or Education) account.
  • Customer must have an existing account (or
  • Customer installation environment must have internet connection.
  • Cost does not include travel expenses. (Remote installations are recommended; however, we can provide on-site service if you prefer.  All travel expenses will be invoiced to customer.)


Disclaimers (the small print):

  • Use of ForgeRock binaries, in production, require a license and subscription from ForgeRock.
  • Each product will be installed on up to one server in customer’s environment.
  • Tumy-Tech will use the most up-to-date, stable build publicly available.
  • OpenIDM will be configured to reconcile users from one existing LDAP (AD or LDAP) user store with up to 20 attributes mapped.
  • Typical bootstrap setup time: 2-3 days. (Additional requirements / use cases are welcome but may require additional time and cost.)

Call or Email our sales team, today, to schedule (240.215.4825 /

Extending OpenAM Policy Service to support additional actions

I am wrapping a crazy busy week.  Probably one of my most technically in-depth week in a really long time.  So what kept me busy?  Deep-diving into OpenAM’s Entitlement’s engine, learning about it’s REST interfaces and how to extend OpenAM to leverage custom service types.  I’ll explain later since I know your thinking, “Tumy … dude, what the heck is a service type?”.

Alright, let’s jump into it …

Entitlements are policies or rules that state what you (or any user) can and can’t do.  Sounds simple right?  In Information Security entitlements usually define what resources a user can access, how they can access it, when they can access it and so on and so on.   A resource can be a web url, a banking transaction, a database record, or frankly anything you might want to protect.  Typically entitlements are expressed through XACML  Entitlements are used in access control settings and used to define fine-grained authorization rules.    This is starting to become too much of a Entitlements 101 class so let me just jump into the hand’s on stuff.

Ok, Forgerock … in their OpenAM product they have an Entitlements engine which is essentially a Policy Management Point and a Policy Decision Point (Google is your friend if you don’t know what those things are).  Out of the box OpenAM supports a few different “service types” which are essentially a set of resources and their associated actions.  For example a web url would potentially have the actions of “GET” and “POST”.  There are a couple of other service types too (a banking example and a few others).  But what happens when our resource is not a web URL and we want to have actions besides “GET” or “POST”.  What we if we wanted to have a resources defined as database table names and we wanted to have actions such as “READ”, “UPDATE”, “DELETE”.  (Update:  Starting in OpenAM Version 11.2 some of these additional actions are available out of the box) We want to be able to create rules that we can either allow a user to read information from a specific table or deny their ability to read from a certain table.  Ok, hopefully you get the idea … if you don’t email me and we can talk about it.  OpenAM has a great set of command line tools that you can use to interface with the product, these tools have also been “web” enabled on a jsp page which is accessible through the admin console (it’s disabled by default though).

To create this new service type there are a few steps we need to take:

  • Create a custom Application Type
  • Create a custom Service Type
  • Create a custom Application
  • Create the policy, using the custom service type

4 easy steps.

The Custom Application Type is a few lines that get imported.  Let’s assume that you have enabled the web ssoadmin.jsp and have accessed it here:

You would see a page like this:


Do a quick search for “create-appl-type” and you then click on it.

Fill in the form that is displayed with this information:

Application Type Name: BTPoliyService

This creates the set of actions that will be available for your resources of this type.  Save that and then you need to create the Custom Service Type.  This is created by modifying an XML file and then importing that file into a form that is similar to the one we just saw.
The service type provides a little more detail on the actions and sets the True/False values that will be displayed in the policy manager.

<?xml version=”1.0″ encoding=”UTF-8″?><!DOCTYPE ServicesConfiguration SYSTEM “jar://com/sun/identity/sm/sms.dtd”><ServicesConfiguration><Service name=”BTPolicyService” version=”1.0″>

<Schema serviceHierarchy=”/DSAMEConfig/BTPolicyService” i18nFileName=”BTPolicyService” i18nKey=”BTPolicyService”>
<AttributeSchema name=”serviceObjectClasses” type=”list” syntax=”string” i18nKey=”BTPolicyService”/>
<AttributeSchema i18nKey=”READ” name=”READ” syntax=”boolean” type=”single” uitype=”radio” >
<AttributeSchema i18nKey=”DELETE” name=”DELETE” syntax=”boolean” type=”single” uitype=”radio” >
<AttributeSchema i18nKey=”UPDATE” name=”UPDATE” syntax=”boolean” type=”single” uitype=”radio” >
<AttributeSchema i18nKey=”ADD-ACCESS” name=”ADD-ACCESS” syntax=”boolean” type=”single” uitype=”radio” >

In the above XML file, you should notice there are several spots where I have provided the name of the service “DatabaseTablePolicyService” and then the actions and their True/False values. In the ssoadm.jsp search for “create-svc” and then copy and paste this file into that form.

Next step and last step of the “extending” part of the process. So, in the ssoadm.jsp web page, search for “create-appl”. Click on this link and it will open a form very similar to the “create-appl-type” form. Enter the following information:

resources= table://*

Notice in the above file, that I add the application name and it matches the name we have used in the other configurations. I added the actions again and finally I actually define a resource. I personally like to describe the resource type in a URL style … I can use “table://” as my resource in the policy and that will help remind me later what type of resource that is. You don’t have to prefix your resources in your policy with that … it seems to be optional.

At this point you can jump back over to the OpenAM Admin console and create a policy based on this resource, as you can see in the following screenshot.

Screen Shot 2012-12-15 at 11.27.07 PM

So, that’s pretty cool stuff … The entitlements engine is pretty robust, it’s fast and … it has a RESTful interface. I am going to do a deep-dive blog post on the RESTful services at some point but for now let’s just take a look at how you can evaluate an entitlement.

Evaluating a Privilege:

* ssoToken = Authenticated User’s Token
* iPlanetDirectoryPro = session cookie … admin users session token
* action = action user is attempting (GET, POST, READ, DELETE, etc)
* application = application type of policy (defaults to iPlanetAMWebAgentService)
* Subject (user attempting action … encoded session token)

curl -v -H “X-Query-Parameters: ssotoken:AQIC5wM2LY4SfczpL5a3M02ju3uyOd6iMj4zZvPZXB3BNQ4.*AAJTSQACMDE.*” -b “iPlanetDirectoryPro=\”AQIC5wM2LY4SfcxcPg_yUwYu-iQPHH663tv9AnoEEr6j_2k.*AAJTSQACMDE.*\”” “;resource=table://my_table_name&amp;application=BTPolicyService&amp;subject=4l18suAL/hXNCfzykwIlbV0WbtM%3D&#8221;

This will return a JSON formatted object:

“actionsValues”:{READ:”true”, UPDATE:”false”, DELETE:”true”, ADD-ACCESS:”false”},

You can create a policy that would return attributes, from the user’s identity record, along with this JSON object. There are also RESTful services that will just return an allow or deny, which is great if you don’t need as much information back.

So, that was real high level and really basic but I hope that I gave you some ideas for the potential of this engine. Let me know if you have any questions or want to chat about. Also, I am available on a consulting basis to help design or implement this in your environment.


  • There were a bunch of people at ForgeRock that help me out at various points through this.  You guys know who you are … I’ll leave your names out so that you don’t get bombarded with requests.
  • Also, there were a few non-ForgeRock guys that went through this last year and gave me some pointers along the way.  Thanks!
  • And finally … to the guys that did this first at Sun.  Thanks for building this stuff and documenting it.  I am thankful that those web pages that you created haven’t vanished yet.

OpenAM: Protecting a Web Application

In response to a post that I had written before on how to install OpenDJ and OpenAM I had someone remind me that I never came back and wrote the follow on post (which I had promised to do).  They posted the question to my other blog site (which I have since migrated over to this site).  I am going to answer the question here as this is the only blog that I am presently maintaining.


Can you paste me the link which talks about next part of the installation.
1. Configure OpenAM to look to OpenDJ for users
2. Install a Web agent
3. Create an Access Policy to protect a web application.

I often say that I am successful by “standing on the shoulders of giants”.  There is so much great “how to” content on the ForgeRock Community wiki site and that is where I turn to when I am looking for help or advice on OpenAM, OpenDJ and OpenIDM. Take a look at the section, “OpenAM: How do I?”.  There are a number of “how-to” articles that are literally step by step with screen shots.  

The link for the article that specifically talks about how to configure OpenAM to protect a web application can be found here:  Add Authentication to a Website using OpenAM.

******** Shameless Plug Alert ************

To protect a single web site is pretty simple and straight forward but sometimes you have unusual or difficult use cases where you need another set of eyes or additional help architecting your solution.  I have a lot of experience with the ForgeRock suite and I am available to provide consulting services.  Please don’t hesitate to reach out if you are interested in contracting my services.

OpenDJ & OpenAM automatic startup on Ubuntu

I have been installing the ForgeRock stack on Ubuntu a lot lately.  One of the things that I noticed is that when configuring OpenAM and OpenDJ for automatic startup you need to let OpenDJ finish starting up before starting Tomcat (OpenAM) … otherwise OpenAM will not be able to find it’s configuration and assume that it’s a new install.  I added a timer to the start up script to make the script sleep for a minute before starting (YMMV) Mark Craig (from ForgeRock) clued me into a nice little bit of code “start on started opendj” essentially this tells the startup script to wait until opendj has started before starting Tomcat.  Thanks Mark, that’s exactly what I was looking for.


cd [install dir]/opendj/bin

sudo ./create-rc-script -f /etc/init.d/opendj -u [user to run as]

cd /etc/init.d

sudo update-rc.d opendj defaults

OpenAM [on Tomcat]

sudo vi /etc/init.d/tomcat

Now paste the following content:

    # Tomcat auto-start
    # description: Auto-starts tomcat
    # start tomcat with user: ubuntu
    # pidfile: /var/run/

    export JAVA_HOME=/usr/lib/jvm/java-7-openjdk-amd64

    case $1 in
            start on started opendj
            /bin/su ubuntu /opt/tomcat/bin/
            /bin/su ubuntu /opt/tomcat/bin/
            /bin/su ubuntu /opt/tomcat/bin/
            /bin/su ubuntu /opt/tomcat/bin/
    exit 0

Make the script executable by running the chmod command:

sudo chmod 755 /etc/init.d/tomcat

The last step is linking this script to the startup folders with a symbolic link. Run the following two commands:.

sudo ln -s /etc/init.d/tomcat /etc/rc1.d/K99tomcat

sudo ln -s /etc/init.d/tomcat /etc/rc2.d/S99tomcat

Restart the system and tomcat will start automatically.

Open Source Identity Solutions

I was asked by a colleague today to provide sources of analysis comparing Open Source IDM Solutions. I think they were looking for comparisons to closed source solutions but there is not a lot of that out there. I provided the following list as a starting point.

I generally like to save time (avoid searching for this again in the future) so I decided to put what I found here. If I am missing anything please let me know and I will update the list.

Provisioning/User Identity Management:


SSO/Access Management/Authentication:


Directory Services:


How to install OpenDJ 2.4 and OpenAM 9.5.2


I am going to assume that you have already downloaded the required software:

  • OpenDJ 2.4
  • OpenAM 9.5.2
  • A J2ee container for OpenAM (I am using Glassfish 2.1 ** I have included a note on using Glassfish a little later in this post.)

** If not, you can download at: and

My System specs:

  • Linux ssobridge 2.6.35-28-generic #50-Ubuntu SMP Fri Mar 18 19:00:26 UTC 2011 i686 GNU/Linux
  • Ubuntu 10.10
  • Virtualbox (Host machine is a Macbook Pro)

Install OpenDJ:

  • Change to the directory where you have the OpenDJ installer (e.g., /opt/software/opendj/)
  • unzip
  • This will create a directory called: OpenDJ-2.4.0 (you can rename this if you want)
  • Change into this new directory and run the setup (e.g. ./setup)

Next we will specify the hostname and ldap ports for this instance.

Set the replication requirements, This is a single instance so, I selected stand-alone.

Specify the base DN. As I will be using this instance for development work I enable OpenDJ to create User entries.

On the following screen you can modify runtime options.

Double check your settings and then click on Finish.

It will only take a few minutes to install.

When it is completed you will see a “success” message.

To confirm that the install went as planned you can log into the control-panel app. (Change to /opt/opendj/OpenDJ-2.4.0/bin and type: ./control-panel)

Type in the password that you provided during the installation into the password field.

If you are able to login and you can see the Connection handlers as enabled then you have confirmed that your installation was successful.

Install J2EE container:

  • These instructions will depend on which J2EE container you are using. I am using Glassfish because of simplicity and the small footprint. I do realize that this particular version is aged. OpenAM is not currently supported on OpenAM 3.X … and it is my understanding that there are no plans to support it. Check with ForgeRock to confirm that statement though.
  • To launch the glassfish installer I use the following command:

$java –jar glassfish-installer-v2.1.1-b31g-linux.jar

  • You must accept the license agreement … (otherwise it’s a very short process 😉 )

  • Change into the newly created “glassfish” directory (e.g. /opt/software/glassfish)
  • Change the permissions on /lib/ant/bin to add the execute bit (chmod –R +x lib/ant/bin)
  • Type: lib/ant/bin/ant –f setup.xml
  • You’ll see some text scroll by with the output from the build, which should end with the text “BUILD SUCCESSFUL”
  • Take note of the ports that are configured:

§ 4848 for Admin
§ 8080 for HTTP Instance
§ etc.


  • You will need to start the default domain next
  • Change to /opt/software/glassfish/bin
  • Type: ./asadmin start-domain
  • Once the domain is started you can get to the Admin console from a web browser (http://domainname:4848)
  • You will then need to login using the admin credentials (admin/adminadmin)

· The first time you login you will be asked to register … I generally skip this step in my development environment.

Install OpenAM

· From the Glassfish Admin console click on: Applications/Web Applications

· Click on “Deploy”

· Click on “Choose File” and then locate the OpenAM war file

· I change the Application Name and Context Root to openam. This will help with consistency in my environment.
· Next, click “OK”
· It will take a few seconds to upload and deploy, but if successful you will see a screen similar to this:

· To configure OpenAM for the first time you should click on “Launch”. You will then see the OpenAM Configuration Options screen.

· Either option is fine, but we will go with Default Configuration (we can modify the settings after the install)

This part of the process generally only takes a few minutes to complete and you will see the progress as it occurs.

When the configuration as completed you will see the following:

Click on “Proceed to Login”

The default admin account is “amAdmin”.

There are a few things that we still need to do now:

  • Configure OpenAM to look to OpenDJ for users
  • Install a Web agent
  • Create an Access Policy to protect a web application.

I’ll cover these items in a future post. Stay tuned!