Month: September 2010

New feature in DAS in OpenAM 9.5.1RC2

Sometimes there is a need, when you need to add an additional filter for the Distributed Authentication User Interface. For example if you want to set some extra request parameters, or just want to add/filter out some response HTTP headers, anything that fits your needs. The problem with this is, that you can not configure your webapplication to run the Filter init methods always in the exact same order, because this is not covered by the EE specs, you can only control the filter order for doFilter. When your custom filters initialization depends on the DAS filter, then OPENAM-229 comes into the picture.
The fix for this issue was to move the initialization code to a helper class, which can take care of initialization for everyone. So if you have an own filter you only have to put the following snippet at the beginning of your init:

if (!DistAuthConfiguratorFilter.isConfigured) {
    DistAuthConfiguratorFilter.isConfigured = 

And off you go, now the initialization order wouldn’t matter anymore, since the DistAuth will be always init’d first.

How to enable the Password Reset service

What’s the password reset service exactly?

The password reset service let’s the user to change it’s own password, when the current one is forgotten/lost. First the user has to post his/her username, then he has to answer a pre-defined or user-defined question. If the answer was correct, then a mail will be sent to the user with the new password. It’s pretty easy, right?
So let’s see how could we configure this easily in a subrealm:

  • Go to Access Control -> <realm-name> -> Services
  • Click on Add, and choose Password Reset
  • Configure the LDAP settings, and enable personal questions
  • Press Finish

This will enable the password reset functionality. Let’s see how you can try this out:

  • Log in with a simple user and go to /openam/console
  • There will be a new edit link for the password reset options, click on it
  • Create a new question/answer and Save (don’t forget to check the checkbox in the first column!)
  • now log out, and go to /openam/password?realm=/<realm-name>
  • supply your username
  • and there is your custom question which will only accept your custom answer πŸ˜‰

And that’s it. πŸ™‚ Hopefully OPENAM-192 will be merged into trunk soon, which will allow you to use realm aliases instead of ugly GET parameters for realm identification. πŸ˜‰

How to change the default signing key for Federation

Although OpenAM is supplied with a default keystore, it’s recommended to create your own keystore with an own signing key. This keystore is used by the federation and WSS agents, so if you already use those, make sure, you’re not using them with the default ‘test’ private key.
So, if you want to change your default keystore, then you need to do the following:

  • Generate a new key and keystore (skip if you already have one):
  • keytool -genkeypair -alias mykey -keyalg RSA -keysize 1024 -validity 365
     -storetype JKS -keystore keystore.jks

    This will ask you some trivial questions, you just need to answer them. πŸ˜‰

  • Now you need to encrypt your passwords (keystore and private key) with SSOAdm, to be able to use them with OpenAM:
    openam/bin/ampassword -e .keypass  # for private key
    openam/bin/ampassword -e .storepass # for keystore

    Override the files with the ampassword output, so they would only contain the encrypted password.

  • Move the new files (keystore.jks, .storepass, .keypass) to ~/openam/openam folder and override the previous ones.
  • Restart OpenAM
  • If you already had a configured Federation, then go to Federation -> in Entity Providers list choose the IDP -> Signing and Encryption -> and change the signing key alias to the new alias.

Note: if you change the signing key, you need to make sure, that all of the SP’s will accept the new sign too!