Configuring OpenAM Server
Revised October 26, 2012
To configure OpenAM server, you must perform the following steps:
Step 1: Configure policies on OpenAM server
To configure policies on OpenAM server, log in to OpenAM and select the Access Control tab. Click the Top Level Realm option, select the Policies tab, and then create a new policy. Follow the steps in the Cisco white paper, https://supportforums.cisco.com/docs/DOC-14462, for creating a new policy. While following the instructions in the white paper, create the policies with the following Connection-specific settings:
- Ensure the following points while adding rules to the policy:
– Each rule must be of the URL Policy Agent service type.
– Check both the GET and the POST checkbox for each rule.
– Create a rule for each of the following resources, where 'fqdn' is the fully qualified domain name of your Connection server:
- Ensure the following points while adding a subject to the policy:
– Set the Subject Type field to Authenticated Users.
– Specify a subject name.
– Do not check the Exclusive checkbox.
- Ensure the following points while adding a condition to the policy:
– Set the Condition type to Active Session Time.
– Specify a condition name.
– Configure the active session timeout as 120 minutes and select 'No' for the Terminate Session option.
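As an added example that is not part of this Cisco document, the following Python check reads an OpenAM policy export and flags any deviation from the rule, subject and condition settings listed above (URL Policy Agent service type, GET and POST allowed, Authenticated Users subject that is not Exclusive, Active Session Time of 120 minutes with Terminate Session set to No). The XML layout, the service name iPlanetAMWebAgentService, the subject type AuthenticatedUsers, the condition type SessionCondition and its attribute names are assumptions about the OpenAM export format, and the resource URI in the sample is a placeholder.

```python
# Added example (not from the Cisco document). Checks an OpenAM policy
# export against the settings listed above. XML layout and type/attribute
# names are ASSUMED (OpenAM 9.x/10 style); compare with your own export.
import xml.etree.ElementTree as ET

# Constructed sample; resource URI is a placeholder. It lacks POST on the
# rule and sets the timeout to 30 instead of 120 minutes.
SAMPLE_POLICY = """<Policy name="connection-sso" active="true">
  <Rule name="rule1">
    <ServiceName name="iPlanetAMWebAgentService"/>
    <ResourceName name="https://fqdn.example.test/placeholder-app/*"/>
    <AttributeValuePair><Attribute name="GET"/><Value>allow</Value></AttributeValuePair>
  </Rule>
  <Subjects><Subject name="all-users" type="AuthenticatedUsers" includeType="inclusive"/></Subjects>
  <Conditions><Condition name="session" type="SessionCondition">
    <AttributeValuePair><Attribute name="MaxSessionTime"/><Value>30</Value></AttributeValuePair>
    <AttributeValuePair><Attribute name="TerminateSession"/><Value>false</Value></AttributeValuePair>
  </Condition></Conditions>
</Policy>"""

def _pairs(elem):  # Attribute name -> Value text for AttributeValuePair children
    return {p.find("Attribute").get("name"): (p.findtext("Value") or "")
            for p in elem.findall("AttributeValuePair")}

def check_policy(xml_text):
    """Return the deviations from the page's required rule/subject/condition settings."""
    root = ET.fromstring(xml_text)
    problems = []
    for rule in root.findall("Rule"):
        name = rule.get("name")
        if rule.find("ServiceName").get("name") != "iPlanetAMWebAgentService":
            problems.append(f"rule {name}: service type is not URL Policy Agent")
        actions = _pairs(rule)
        for verb in ("GET", "POST"):  # both checkboxes must be ticked
            if actions.get(verb) != "allow":
                problems.append(f"rule {name}: {verb} not allowed")
    for subj in root.findall("Subjects/Subject"):
        if subj.get("type") != "AuthenticatedUsers":
            problems.append(f"subject {subj.get('name')}: not Authenticated Users")
        if subj.get("includeType") == "exclusive":
            problems.append(f"subject {subj.get('name')}: Exclusive is checked")
    for cond in root.findall("Conditions/Condition"):
        if cond.get("type") != "SessionCondition":
            problems.append(f"condition {cond.get('name')}: not Active Session Time")
            continue
        vals = _pairs(cond)
        if vals.get("MaxSessionTime") != "120":
            problems.append(f"condition {cond.get('name')}: timeout is not 120 minutes")
        if vals.get("TerminateSession", "false").lower() != "false":
            problems.append(f"condition {cond.get('name')}: Terminate Session is not No")
    return problems
```

Running `check_policy(SAMPLE_POLICY)` on the constructed sample reports the missing POST action and the wrong timeout; a compliant export returns an empty list.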
Step 2: Configure a Windows Desktop SSO login module instance
Follow the instructions for configuring Windows Desktop as given in the Cisco white paper, https://supportforums.cisco.com/docs/DOC-14462.
Step 3: Configure a J2EE Agent Profile for Policy Agent 3.0
Follow the instructions to create a new J2EE agent as given in the Cisco white paper, https://supportforums.cisco.com/docs/DOC-14462, with the following Connection-specific settings:
- The agent profile name that you enter here is the name you must enter when enabling SSO on the Connection server, at the prompt "Enter the name of the profile configured for this policy agent".
- The agent password that you enter here is the password you must enter on the Connection server, at the prompt "Enter the password of the profile name".
- Add the following URIs to the Login Form URI section on the Application tab:
- Under the Application tab, add the following URI in the Not Enforced URI Processing section:
In addition to the above Connection-specific configuration, ensure the following points:
- Import users from LDAP to Connection. Users must be configured with the appropriate roles to log in to Cisco Unity Connection Administration or Cisco Unity Connection Serviceability.
- Upload the OpenAM certificate into Connection as described in the Configuring SSO on Cisco Unified Communications Manager 8.6 section of the Cisco white paper, https://supportforums.cisco.com/docs/DOC-14462.
Running CLI Commands for Single Sign-On
The following sections describe the CLI commands that configure single sign-on:
- utils sso enable
- utils sso disable
- utils sso status
For more information, see the Cisco white paper, https://supportforums.cisco.com/docs/DOC-14462.
The utils sso command enables and configures SSO-based authentication. Run the command on every node in the cluster.
When you enable or disable single sign-on, the Cisco Unity Connection web server (Tomcat) restarts.
utils sso enable
This command enables SSO-based authentication and starts the single sign-on configuration wizard.
utils sso disable
This command disables SSO-based authentication. It lists the web applications for which SSO is enabled; enter Yes when prompted to disable single sign-on for the specified application. You must run this command on all nodes in a cluster.
utils sso status
This command displays the status and configuration parameters of single sign-on.