
IRC log for #openam, 2015-05-22


All times shown according to UTC.

Time Nick Message
04:37 bendechrai joined #openam
04:40 bendechrai Hi folks! I'm struggling to resolve a base URL issue. I have OpenAM running on port 8080, and nginx proxying on port 443 so it's all nice and encrypted. The issue I'm facing is there are a number of places where the base URL comes through in the interface. For example, when performing an OAuth2 workflow, the OpenAM permission screen links back to :8080. I can't seem to find any place to change the base URL. Is there a common or best practice
04:40 bendechrai for this? Thanks!
04:56 bendechrai I've "resolved" it for now by using nginx's subs_filter to rewrite the HTML responses and convert the URLs at delivery time, but if there's a "better" way, I'd love to know :)
06:35 aldaris joined #openam
06:40 bendechrai left #openam
06:56 daveloper joined #openam
09:15 aldaris joined #openam
10:26 aldaris joined #openam
11:08 MegaMatt joined #openam
11:51 aldaris joined #openam
12:10 mckeanbs joined #openam
12:12 daveloper joined #openam
12:21 aldaris joined #openam
12:31 jamiebowen joined #openam
13:26 insanidade joined #openam
13:27 insanidade hi all. what value should I set for my "cookie domain" when installin openam?
13:27 insanidade *installing. sorry
13:27 MegaMatt whatever cookie domain you will be using
13:28 MegaMatt http://en.wikipedia.org/wiki/HTTP_cookie#Domain_and_Path
13:28 insanidade my server url will be http://openamdes.company.local:7011
13:28 jjpp usually it is wise to have your openam to reside in that domain or some subdomain of that domain.
13:28 insanidade I specified ".local" as cookie domain but it failed during installation
13:29 MegaMatt I believe you need more than the TLD
13:29 MegaMatt You can’t set .com for example
13:29 aldaris The cookie domain check in OpenAM atm checks for 2 dots
13:29 jjpp or at least the parts of openam that your users will access with browser (like daui, if you have one)
13:29 aldaris jjpp: DAS doesn't really have a future
13:30 insanidade so, in my case, it could be ".company.local", right ?
13:30 MegaMatt Yes, I would suggest at least .company.local
13:30 aldaris yes, I think that should work
13:30 jjpp aldaris: what will be the next best thing after das? some lightweight thing that talks to rest backend?
13:31 aldaris IG in front of the REST endpoints most likely
13:32 jjpp so far i like the idea that I can hide openam with its million services that I don't want to use or configure and only allow general public to use some specific services
13:33 jjpp (then again, I have spent a few hours last month implementing a proxy to allow controlled access to some of those services that das does not proxy)
13:34 insanidade thanks.
13:34 insanidade and what should be the default user for logging in after a first install?
13:35 jjpp whatever you chose the admin user to be? (amadmin by default?)
13:35 aldaris amadmin
13:35 insanidade yes. amadmin ... I absolutely forgot that. thanks again.
13:35 insanidade jjpp: I haven't gone through a step where that user name would be chosen
13:36 jjpp hm, okay, I was wondering if that was configurable or not.. :)
13:36 MegaMatt insanidade: You might benefit from https://www.forgerock.com/en-us/services/university-training/fr-420-openam-deployment/ btw….. if you haven’t taken any training that is
13:37 insanidade MegaMatt: I'll consider that. All I have done so far was based on reading the docs and working together with other people in the company who have already installed it. thanks.
13:39 MegaMatt Sometimes it’s nice to have an instructor just lead you through everything, and be able to play along to really understand it
13:40 MegaMatt Even if you’ve done the deployment a couple of times, sometimes you find things you wouldn’t have otherwise ;)
13:40 jjpp especially in huuuuuge systems like openam. :)
13:50 aldaris jjpp: don't know what you are talking about :)
13:57 jjpp well.. every now and then I find another part of openam that I have not seen before (possibly because it has just been written:). but it might be because of me not trying enough to grasp the whole openam. :)
14:01 * jjpp thinks . o O ( also, there is a quite high probability that I'll move somewhere much closer to Oslo than I am now.. which might mean different things about my capabilities to study openam. )
14:01 z4ce joined #openam
14:01 aldaris not really, we don't have AM developers in Oslo :)
14:03 jjpp these are all in Bristol?
14:05 jjpp it might also mean that I have less time to do things that I'm doing now.. so.. it could go either way..
14:06 jjpp anyway, babysitter wants to go home, so I have to leave for today. :)
14:06 jjpp afk
14:43 daveloper joined #openam
14:48 z4ce joined #openam
15:53 aldaris joined #openam
16:14 z4ce_ joined #openam
17:16 aldaris joined #openam
18:06 aldaris joined #openam
18:15 insanidade joined #openam
18:15 insanidade MegaMatt: you sent me a link about a deployment training this morning
18:16 insanidade MegaMatt: those are online sessions, right ?
18:16 MegaMatt I believe it’s a virtual class room
18:16 MegaMatt Yeah, it’s online with an instructor
18:17 insanidade that's great.
18:18 MegaMatt I could ask around for promo codes if you’re interested
18:19 insanidade I just sent the link to my managers so they take a look and decide if I should take that course - personally, I'd love it.
18:20 insanidade MegaMatt: thanks for the offer. I'll consider it.
18:21 MegaMatt Right on, I hope it gets approved — I think it’s worth it. You might be able to bundle it with other stuff depending on what kind of relationship you have with FR
18:21 MegaMatt Not sure if you already have a subscription - but I think sales guys can bundle in training pretty easy .. but I don’t know for sure — I’m not in sales
18:22 MegaMatt And if you already have a sub, you might have training credits already…. who knows
18:22 insanidade good to know.
18:23 insanidade I think we don't have a sub. we are still deploying it internally and learning how to use it to protect the other products we develop.
18:24 insanidade identity management is crucial to our business. we are learning how to use openam. we are doing so internally for the time being.
18:24 insanidade typically, subscriptions would provide at least support and training, right ?
18:25 MegaMatt Well, again, I’m not in sales.. but yes.. from what I’ve seen you can get support, training, and “professional services” packages too
18:25 MegaMatt Which include things like arch reviews, having people on site during production cut over.. stuff like that
18:25 insanidade I see. I've been part of a "professional services" team for a while.
18:26 insanidade that's good to know. I was not aware of such services from FR.
18:28 MegaMatt Yup.. So you can bundle all that stuff together and get a better deal, I’d imagine...
18:28 MegaMatt I’m sure your mgt is probably already engaged somewhat with sales .. maybe
18:28 MegaMatt heh
18:28 insanidade maybe. or not  ;p
18:29 MegaMatt Well, they should at least be talking to them - to see what kind of things they can offer
18:29 insanidade not sure. they expect us to be absolutely fluent in it as if it was a black box that spits just like whatever they want ;p
18:29 MegaMatt Heh
18:30 MegaMatt I mean, I’d bet the typical thing is you bundle training onto a subscription — but who knows maybe you can bundle a subscription onto your training.. hehe
18:30 MegaMatt Because if you’re really going to use OpenAM, it’s worth it to go through the official trainings
18:30 insanidade me and other guys are in the process of convincing them that we should have at least a small team of people dedicated to openAM - I hope they'll understand that somewhere in the future.
18:30 insanidade I totally agree.
18:31 MegaMatt I did FR-420 probably about a year ago
18:31 MegaMatt and the instructor was great
18:32 MegaMatt Oh wow, actually coming up on two years in September .. time goes fast :/
18:32 insanidade yeah, I'll let my managers understand such advantages ;_)
18:35 aldaris joined #openam
18:49 aldaris joined #openam
19:28 insanidade I'm trying version 12 I just installed and I'm curious about those xml lines I had to add to my application's descriptor xml file in order to have my application protected.
19:28 insanidade do I still need it?
19:29 MegaMatt Sounds like you are talking about two different things
19:29 insanidade I've just gone through the following configuration and those xml filter lines are no longer mentioned: http://docs.forgerock.org/en/openam/12.0.0/getting-started/index/chap-first-steps.html#configure-policy
19:29 MegaMatt Your application is using a J2EE agent, I’m guessing?
19:29 insanidade yes
19:30 insanidade in weblogic
19:30 MegaMatt Yeah, so when you install the agent, that’s when you’re changing descriptor to have it protected by that agent
19:31 MegaMatt The agent install is separate from OpenAM
19:31 MegaMatt You can use any (supported) version of the agent with OpenAM 12… or OpenAM 11
19:31 insanidade by "install the agent", do you mean that step in which I run a script and answer a few questions ?
19:32 MegaMatt http://docs.forgerock.org/en/openam-pa/3.5.0/jee-users-guide/index.html
19:32 MegaMatt That’s the J2EE agent
19:32 MegaMatt And the steps to install the agent into a J2EE container
19:32 MegaMatt OpenAM is separate from that
19:33 MegaMatt You’ll notice the agent has you modify the web.xml file for example
19:33 insanidade I'll read it. thanks.
19:34 MegaMatt So you have 2 different Weblogic servers.. one with an application to be protected (has agent) — and then another weblogic that has OpenAM deployed (no agent)
19:35 insanidade oh, that I understand. I have the server in one weblogic instance I have just configured and I have my app AND the agent in a second weblogic instance. That's the issue: I'd like to protect that app.
19:35 MegaMatt Yep, so the app is protected by that agent…
19:36 MegaMatt So you can deploy any openam and the app stays the same, with the agent protecting it …
19:38 MegaMatt Configuring the agent is what induces a change of the app’s web.xml file … not configuration of OpenAM .. configuration of OpenAM in weblogic induces you to change the config xml stuff as seen here: http://docs.forgerock.org/en/openam/12.0.0/install-guide/#prepare-oracle-weblogic
19:39 MegaMatt Does that make sense?
19:42 MegaMatt The link you pasted has instructions on installing a web policy agent, not a j2ee policy agent :D
19:43 insanidade I understand. I had it working in previous version (11). I was not the guy who configured the server - I just configured the agent and the xml file in my app ;_)
19:43 insanidade now I'm facing both sides ;D
19:46 insanidade thanks for the warnings ;_)
19:46 insanidade I think my policy agents are configured (openam server)
19:46 insanidade Now I'm missing the agent configuration (my app's side)
19:46 MegaMatt yep
19:47 MegaMatt Sounds right
19:48 insanidade hahah
19:48 insanidade I just got to it ;p
19:48 insanidade http://docs.forgerock.org/en/openam-pa/3.5.0/jee-users-guide/index.html#chap-weblogic
19:49 MegaMatt Yep, that’s the agent side
19:49 insanidade Just met those infamous xml lines
19:54 insanidade so, for the "policy agent" stuff, we have Applications and Applications have Policies
19:55 insanidade by default, an Application called iPlanetAMWebAgentService is already available.
19:55 MegaMatt yep
19:56 insanidade I just created a policy in it which allows any authenticated user to reach my http://myapplication.app.local:7011/*
19:56 insanidade now, I have to add those xml lines (the filters) to my descriptor file (project's web.xml)
19:56 insanidade and expect to see openam's login page when trying to reach my application.
19:57 insanidade right ?
19:57 MegaMatt Yes, sounds right
19:57 insanidade (that's what I remember from last time I deployed a project protected by openam)
20:01 insanidade do I need more than one policy agent configured in openam ?
20:01 MegaMatt What do you mean?
20:02 insanidade I mean: in openam's server console, in the Agents section, an Application named iPlanetAMWebAgentService was already available. I just created policies inside that application.
20:02 insanidade what if I create a second Application besides iPlanetAMWebAgentService ?
20:02 MegaMatt You can, if you want
20:03 MegaMatt read here: http://openam.forgerock.org/doc/webhelp/admin-guide/what-is-authz-policies.html
20:03 insanidade Does the installed agent "talk" to both iPlanetAMWebAgentService and myOtherAgentService ?
20:03 MegaMatt will help make it clear
20:03 MegaMatt When you configure a policy agent, if the application for its policies is not named iPlanetAMWebAgentService, then you must edit the policy agent configuration, setting the application name to match your application.
20:03 MegaMatt The application you specify must exist in the evaluation realm that you specify for the policy agent.
20:10 insanidade so, basically, I should use iPlanetAMWebAgentService and define my policies in it.
20:11 MegaMatt If you want. It’s there for backwards compatibility iirc
20:11 insanidade that would be ok for me ;_)
20:42 crabmeat joined #openam
20:52 MegaMatt joined #openam
21:06 aldaris joined #openam
21:52 aldaris joined #openam
22:25 MegaMatt joined #openam
22:42 aldaris joined #openam
23:15 aldaris joined #openam
23:29 metadaddy joined #openam
23:47 aldaris joined #openam
