Command Line Tools

This chapter provides a reference for the ForgeRock Access Management command line tools.

Name

ampassword — change passwords for the AM Administrator

Synopsis

ampassword {options}

Description

This command allows you to change passwords held in the configuration store, and to encrypt passwords.

Options

The following options are supported.

-a | --admin [ -o | --old old-password-file -n | --new new-password-file ]

Change the password for amAdmin from the value stored in old-password-file to the value stored in new-password-file.

-p | --proxy [ -o | --old old-password-file -n | --new new-password-file ]

Change the password for the proxy administrator from the value stored in old-password-file to the value stored in new-password-file.

The proxy administrator password is shown encrypted in the output from ssoadm get-svrcfg-xml.

-e | --encrypt [ password-file ]

Display the password value provided encrypted with the key generated during AM installation.

-h | --help

Display the usage message.

Examples

The following example encrypts the password contained within a text file.

Create a text file, for example $HOME/.pwd.txt, containing the password string on a single line.

Encrypt the password by using the ampassword command:

$ ampassword -e $HOME/.pwd.txt
AQICkZs3qy5QUCXir9tebIEEZYGFXI2lCC4B

Name

amverifyarchive — check AM log archives for tampering

Synopsis

amverifyarchive {options}

Description

This command checks log archive integrity.

Options

The following options are required.

-l logName: Verify log files of the specified type. To specify an individual log rather than a type, provide the entire log file name.
-p path: Path to log files to verify.
-u userName: User who can read log files.
-w password: Password of the user who can read log files.

Examples

The following example checks the amConsole logs.

$ amverifyarchive \
 -l amConsole \
 -p /path/to/openam/var/audit/ \
 -u amadmin \
 -w password

Name

configurator.jar — install or upgrade AM using a configuration file

Synopsis

configurator.jar {options}

Description

This executable .jar file, openam-configurator-tool-14.1.3.11.jar, lets you perform silent installation, configuring a deployed AM server by applying settings from a configuration file.

Options

The following options are supported.

-f | --file configuration-file: Configure a deployed AM web application archive using the specified configuration file. Installation and upgrade configuration files are described in the sections below.
--acceptLicense: Auto-accept the software license agreement and suppress the display of the licence acceptance screen to the user. If the configuration file contains the ACCEPT_LICENSES property, it will have precedence over the command-line option.
-? | --help: Display the usage message.

Installation Configuration File

Base your configuration on the sampleconfiguration file delivered with AM, and using the hints in this section, or the comments included in the file.

Server Properties

These properties pertain to the AM server instance.

SERVER_URL: URL to the web container where you want AM to run, such as http://openam.example.com:8080
DEPLOYMENT_URI: URI where you want to deploy AM on the web container, such as /openam
BASE_DIR: Configuration directory where AM stores files and embedded configuration directory server, such as $HOME/openam
locale: The user locale, such as en_GB
PLATFORM_LOCALE: The locale of the AM server, such as en_US
AM_ENC_KEY: The password encryption key, which must be the same on all servers in a multi-server installation, such as O6QWwHPO4os+zEz3Nqn/2daAYWyiFE32. If left blank, installing AM generates a random password encryption key that you can view in the AM console under Deployment > Servers > Server Name > Security.
ADMIN_PWD: Password of the AM administrator user amAdmin, which must be at least 8 characters in length and must match that of other servers in a multiserver deployment
COOKIE_DOMAIN: Name of the trusted DNS domain AM returns to a browser when it grants a session ID to a user. By default, it is set to the full URL that was used to access the configurator, such as example.com.
ACCEPT_LICENSES: Optional boolean property that can be set to always auto-accept the software license agreement and suppress the display of the license acceptance screen to the user. A value of true auto-accepts the license; any other value will be assumed to equal false, resulting in the presentation of the license. Default value is false. This property takes precedence over the --acceptLicense option, which can also be passed in to the application with the openam-configurator-tool-14.1.3.11.jar file.

Configuration Store Properties

These properties pertain to the directory server where AM stores its configuration.

DATA_STORE: Type of the configuration data store. The value embedded means set up AM with an embedded, DS configuration store. The value dirServer means an external directory server, such as ForgeRock Directory Services, or Oracle Directory Server Enterprise Edition. If you set this to dirServer, and the configuration store contains the configuration of other AM servers, then the server is added to the existing multiserver installation.
DIRECTORY_SSL: To use LDAP without SSL, set this to SIMPLE. To use LDAP with SSL, set this to SSL.
DIRECTORY_SERVER: Fully qualified domain name of the configuration store directory server host, such as opendj.example.com
DIRECTORY_PORT: LDAP or LDAPS port number for the configuration store directory server, such as 389 or 636
DIRECTORY_ADMIN_PORT: Administration port number for the configuration store directory server, such as 4444
DIRECTORY_JMX_PORT: Java Management eXtension port number, such as 1689, used with the DS embedded configuration store
ROOT_SUFFIX: Root suffix distinguished name (DN) for the configuration store, such as o=openam
DS_DIRMGRDN: Distinguished name of the directory manager of the configuration store, such as uid=admin
DS_DIRMGRPASSWD: Password for the directory manager of the configuration store

User Data Store Properties

These properties pertain to the directory server where AM stores user profiles. If you do not include these properties, or you leave these properties commented out, then AM uses the same directory server as it uses for the configuration store.

USERSTORE_TYPE

The type of directory server used. Valid values include the following.

LDAPv3ForOpenDS: ForgeRock 0penDJ or Sun OpenDS
LDAPv3ForAD: Active Directory with host and port settings
LDAPv3ForADDC: Active Directory with a Domain Name setting
LDAPv3ForADAM: Active Directory Application Mode
LDAPv3ForODSEE: Sun Java System Directory Server
LDAPv3ForTivoli: IBM Tivoli Directory Server

USERSTORE_SSL

To use LDAP without SSL, set this to SIMPLE. To use LDAP with SSL, set this to SSL.

USERSTORE_DOMAINNAME

If USERSTORE_TYPE is LDAPv3ForADDC, you set this to the Active Directory Domain Name, such as ad.example.com, and then set only the USERSTORE_SSL, USERSTORE_MGRDN, and USERSTORE_PASSWD additional parameters. This lets Active Directory use DNS to retrieve service locations. Otherwise, do not use.

USERSTORE_HOST

Fully qualified domain name of the user data store directory server, such as opendj.example.com

USERSTORE_PORT

Port number of the user data store. Default for LDAP is 389, and for LDAP over SSL is 636.

USERSTORE_SUFFIX

Root suffix distinguished name for the user data in the directory, such as dc=example,dc=com

USERSTORE_MGRDN

Distinguished name of the directory manager of the user data store, such as uid=admin

USERSTORE_PASSWD

Password for the directory manager of the user data store

Site Properties

These properties pertain when you configure multiple AM servers in a site deployment, where a load balancer spreads request across multiple servers.

LB_SITE_NAME: The name of the AM site
LB_PRIMARY_URL: The load balancer URL for the site, such as http://lb.example.com:80/openam.

Upgrade Configuration File

Base your configuration on the sampleconfiguration file delivered with AM, and using the hints in this section, or the comments included in the file.

Upgrade Properties

SERVER_URL: URL to the web container where AM runs, such as http://openam.example.com:8080
DEPLOYMENT_URI: URI where AM is deployed on the web container, such as /openam
ACCEPT_LICENSES: Optional boolean property that can be set to always auto-accept the software license agreement and suppress displaying the license acceptance screen to the user. A value of true auto-accepts the license; any other value will be assumed to equal false, resulting in the presentation of the license. Default value is false. This property takes precedence over the --acceptLicense option, which can also be passed in to the application with the openam-configurator-tool-14.1.3.11.jar file.

Examples

The following example shows a configuration file to install a server with an external configuration and identity data stores:

# Server properties, AM_ENC_KEY="" means generate random key
SERVER_URL=https://openam.example.com:8443
DEPLOYMENT_URI=/openam
BASE_DIR=$HOME/openam
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=
ADMIN_PWD=change3me
COOKIE_DOMAIN=openam.example.com
ACCEPT_LICENSES=true

# External configuration data store
DATA_STORE=dirServer
DIRECTORY_SSL=SSL
DIRECTORY_SERVER=opendj.example.com
DIRECTORY_PORT=1636
DIRECTORY_ADMIN_PORT=4444
DIRECTORY_JMX_PORT=1689
ROOT_SUFFIX=o=openam
DS_DIRMGRDN=uid=admin
DS_DIRMGRPASSWD=chang3me

# External DS-based user data store
USERSTORE_TYPE=LDAPv3ForOpenDS
USERSTORE_SSL=SSL
#USERSTORE_DOMAINNAME=ad.example.com 
USERSTORE_HOST=opendj.example.com
USERSTORE_PORT=1636
USERSTORE_SUFFIX=dc=example,dc=com
USERSTORE_MGRDN=uid=admin
USERSTORE_PASSWD=secret12

# Uncomment to specify the site for the first server in a site configuration
#LB_SITE_NAME=lb
#LB_PRIMARY_URL=http://lb.example.com:80/openam

The following example shows a configuration file to install the second server in a site configuration.

# Server properties, AM_ENC_KEY from first server
SERVER_URL=https://server2.example.com:8443
DEPLOYMENT_URI=/openam
BASE_DIR=$HOME/openam
locale=en_US
PLATFORM_LOCALE=en_US
AM_ENC_KEY=O6QWwHPO4os+zEz3Nqn/2daAYWyiFE32
ADMIN_PWD=change3me
AMLDAPUSERPASSWD=secret12
COOKIE_DOMAIN=openam.example.com
ACCEPT_LICENSES=true

# External configuration data store
DATA_STORE=dirServer
DIRECTORY_SSL=SSL
DIRECTORY_SERVER=opendj.example.com
DIRECTORY_PORT=1636
DIRECTORY_ADMIN_PORT=4444
DIRECTORY_JMX_PORT=1689
ROOT_SUFFIX=o=openam
DS_DIRMGRDN=uid=admin
DS_DIRMGRPASSWD=chang3me

# External DS-based user data store
USERSTORE_TYPE=LDAPv3ForOpenDS
USERSTORE_SSL=SSL
#USERSTORE_DOMAINNAME=ad.example.com
USERSTORE_HOST=opendj.example.com
USERSTORE_PORT=1636
USERSTORE_SUFFIX=dc=example,dc=com
USERSTORE_MGRDN=uid=admin
USERSTORE_PASSWD=secret12


# Site properties
LB_SITE_NAME=lb
LB_PRIMARY_URL=http://lb.example.com:80/openam

The following example shows a configuration file to upgrade an AM server:

SERVER_URL=https://openam.example.com:8443
DEPLOYMENT_URI=/openam
ACCEPT_LICENSES=true

The following example uses a configuration file with the --acceptLicense option on the command line.

$ java \
 -jar openam-configurator-tool-14.1.3.11.jar \
 -f config.file \
 --acceptLicense

Name

upgrade.jar — upgrade AM using a configuration file

Synopsis

upgrade.jar {options}

Description

This executable jar file, openam-upgrade-tool-14.1.3.11.jar, lets you perform a silent upgrade on a deployed AM server by applying settings from a configuration file or using arguments. This capability allows you to include the upgrade.jar from a command line or in an upgrade script.

Options

The following options are supported.

-f | --file configuration-file: Upgrade a deployed AM web application archive using the specified configuration file. Upgrade configuration files are described in the sections below. Also, you can specify the system properties on the command line, instead of using the configuration file. See Example 2 below.
--acceptLicense: Auto-accept the software license agreement and suppress the display of the licence acceptance screen to the user. If the configuration file contains the ACCEPT_LICENSES property, it will have precedence over the command-line option.
-? | --help: Display the usage message.

Upgrade Configuration File

Base your configuration on the sampleupgrade file delivered with AM, and using the hints in this section, or the comments included in the file.

Upgrade Properties

SERVER_URL: URL to the web container where AM runs, such as http://openam.example.com:8080.
DEPLOYMENT_URI: URI where AM is deployed on the web container, such as /openam.
ACCEPT_LICENSES: Optional boolean property that can be set to always auto-accept the software license agreement and suppress displaying the license acceptance screen to the user. A value of true auto-accepts the license; any other value will be assumed to equal false, resulting in the presentation of the license. Default value is false. This property takes precedence over the --acceptLicense option, which can also be passed in to the application with the openam-upgrade-tool-14.1.3.11.jar file.

Examples

The following example shows a configuration file and the commands to upgrade a server using the upgrade.jar. The configuration file is saved as /tmp/upgrade.txt.

SERVER_URL=http://openam.example.com:8080
DEPLOYMENT_URI=/openam
ACCEPT_LICENSES=true

$JAVA_HOME/bin/java -jar ~/openam/tools/openam-upgrade-tool-14.1.3.11.jar \
 -f /tmp/upgrade.txt

The following example shows how to specify system properties with the upgrade.jar.

SERVER_URL=http://openam.example.com:8080
DEPLOYMENT_URI=/openam
ACCEPT_LICENSES=true

$JAVA_HOME/bin/java -jar ~/openam/tools/openam-upgrade-tool-14.1.3.11.jar \
 -DSERVER_URL=http://openam.example.com:8080 -DDEPLOYMENT_URI=/openam

The following example shows the use of the --acceptLicense option with the upgrade.jar.

SERVER_URL=http://openam.example.com:8080
DEPLOYMENT_URI=/openam

$JAVA_HOME/bin/java -jar ~/openam/tools/openam-upgrade-tool-14.1.3.11.jar \
 -DSERVER_URL=http://openam.example.com:8080 -DDEPLOYMENT_URI=/openam \
 --acceptLicense

Name

ssoadm — configure OpenAM core services

Synopsis

ssoadm [subcommand] [options]

Description

The ssoadm command provides a rich command-line interface for configuring OpenAM core services.

Also see the Installation Guide procedure, To Set Up Administration Tools for instructions on setting up the ssoadm command.

Global Options

The following global options are supported.

--debug, -d

Run in debug mode. Results sent to the debug file.

--help, -?

Print usage.

This command can also be used with subcommands as in ssoadm subcommand --help.

--information, -O

Print basic information about the tool.

--locale, -l

Name of the locale to display the results.

--verbose, -v

Run in verbose mode. Results sent to standard output.

--version, -V

Print the version of this tool.

JVM Properties for ssoadm

You can specifically set the authentication module or chain for administrator logins using two JVM settings. These settings provide more control to select the exact authentication mechanisms to be used when ssoadm authenticates administrators in the top-level realm.

To set these properties, manually edit the following two JVM settings in the ssoadm or ssoadm.bat script.

org.forgerock.openam.ssoadm.auth.indexType: Specifies the module or chain-based authentication in the top level realm. If the property is set, OpenAM uses only that authentication mechanism.
org.forgerock.openam.ssoadm.auth.indexName: Specifies the actual name of the authentication module/chain as controlled by the indexType setting. For example, if the indexType is set to module_instance and indexName is set to LDAP, then ssoadm authenticates using only the LDAP authentication module.

Subcommands: By Category

This section lists subcommands by category. The subsequent section lists subcommands in alphabetical order with a short description.

See ssoadm subcommand --help for detailed options.

Agent Configuration

Authentication Service Management

Data Store Management

Entitlements

Federation Management

Policy Management

Realm Management

Service Management

To translate settings applied in OpenAM console to service attributes for use with ssoadm, login to the OpenAM console as as amadmin and access the services page, such as http://openam.example.com:8080/openam/services.jsp.

Other

Subcommands: Alphabetical Order

The following subcommands are supported.

See also ssoadm subcommand --help.

ssoadm add-agent-to-grp

Add agents to a agent group.

Usage: ssoadm add-agent-to-grp --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--agentgroupname, -b: Name of agent group.
--agentnames, -s: Names of agents.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm add-amsdk-idrepo-plugin

Create AMSDK IdRepo Plug-in

Usage: ssoadm add-amsdk-idrepo-plugin --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--basedn, -b: Directory Server base distinguished name.
--bind-password-file, -m: File that contains password of bind password.
--binddn, -e: Directory Server bind distinguished name.
--directory-servers, -s: directory servers <protocol>://<hostname>:<port>. Can have multiple entries.
--dsame-password-file, -x: File that contains password of the dsameuser
--password-file, -f: File name that contains password of administrator.
--puser-password-file, -p: File that contains password of the puser
[--org, -o]: Organization objects naming attribute (defaults to 'o')
[--user, -a]: User objects naming attribute (defaults to 'uid')

ssoadm add-app-priv

Add a policy set privilege to delegate resources of a given policy set. Note that policy sets are cached for 30 minutes. Restart OpenAM to apply changes immediately.

Usage: ssoadm add-app-priv --options [--global-options]

Options

--actions, -a: Possible values are READ, MODIFY, DELEGATE, ALL
--adminid, -u: The full DN of an administrative user running the command.
--application, -t: Policy set name
--name, -m: Name for the this delegation
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name
--subjects, -s: Subject name
--subjecttype, -b: Possible values are User or Group
[--description, -p]: Description for the this delegation.
[--resources, -r]: Resources to delegate, All resources in the policy set will be delegated if this option is absent.

ssoadm add-attr-defs

Add default attribute values in schema.

Usage: ssoadm add-attr-defs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
[--attributevalues, -a]: Attribute values e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values data.
[--subschemaname, -c]: Name of sub schema.

ssoadm add-attrs

Add attribute schema to an existing service.

Usage: ssoadm add-attrs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributeschemafile, -F: XML file containing attribute schema definition.
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Schema Type.
--servicename, -s: Service Name.
[--subschemaname, -c]: Name of sub schema.

ssoadm add-auth-cfg-entr

Add authentication configuration entry

Usage: ssoadm add-auth-cfg-entr --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--criteria, -c: Criteria for this entry. Possible values are REQUIRED, OPTIONAL, SUFFICIENT, REQUISITE
--modulename, -o: Module Name.
--name, -m: Name of authentication configuration.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--options, -t]: Options for this entry.
[--position, -p]: Position where the new entry is to be added. This is option is not set, entry shall be added to the end of the list. If value of this option is 0, it will be inserted to the front of the list. If value is greater of the length of the list, entry shall be added to the end of the list.

ssoadm add-cot-member

Add a member to a circle of trust.

Usage: ssoadm add-cot-member --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--cot, -t: Circle of Trust
--entityid, -y: Entity ID
--password-file, -f: File name that contains password of administrator.
[--realm, -e]: Realm where circle of trust resides
[--spec, -c]: Specify metadata specification, either wsfed, idff or saml2, defaults to saml2

ssoadm add-member

Add an identity as member of another identity

Usage: ssoadm add-member --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity
--memberidname, -m: Name of identity that is member.
--memberidtype, -y: Type of Identity of member such as User, Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm add-plugin-interface

Add Plug-in interface to service.

Usage: ssoadm add-plugin-interface --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--i18nkey, -k: Plug-in I18n Key.
--interfacename, -i: Name of interface.
--password-file, -f: File name that contains password of administrator.
--pluginname, -g: Name of Plug-in.
--servicename, -s: Name of service.

ssoadm add-plugin-schema

Add Plug-in schema to service.

Usage: ssoadm add-plugin-schema --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--classname, -c: Name of the Plugin Schema class implementation
--i18nkey, -k: Plug-in I18n Key.
--i18nname, -n: Plug-in I18n Name.
--interfacename, -i: Name of interface.
--password-file, -f: File name that contains password of administrator.
--pluginname, -g: Name of Plug-in.
--servicename, -s: Name of service.

ssoadm add-privileges

Add privileges to an identity. To add a privilege to all authenticated users, use the "All Authenticated Users" idname with "role" idtype.

Usage: ssoadm add-privileges --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity such as Role and Group.
--password-file, -f: File name that contains password of administrator.
--privileges, -g: Name of privileges to be added. Privilege names are AgentAdmin, ApplicationModifyAccess, ApplicationReadAccess, ApplicationTypesReadAccess, ConditionTypesReadAccess, DecisionCombinersReadAccess, EntitlementRestAccess, FederationAdmin, LogAdmin, LogRead, LogWrite, PolicyAdmin, PrivilegeRestAccess, PrivilegeRestReadAccess, RealmAdmin, RealmReadAccess, ResourceTypeModifyAccess, ResourceTypeReadAccess, SubjectAttributesReadAccess, and SubjectTypesReadAccess.
--realm, -e: Name of realm.

ssoadm add-res-bundle

Add resource bundle to data store.

Usage: ssoadm add-res-bundle --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--bundlefilename, -B: Resource bundle physical file name.
--bundlename, -b: Resource Bundle Name.
--password-file, -f: File name that contains password of administrator.
[--bundlelocale, -o]: Locale of the resource bundle.

ssoadm add-site-members

Add members to a site.

Usage: ssoadm add-site-members --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servernames, -e: Server names, e.g. http://www.example.com:8080/fam
--sitename, -s: Site name, e.g. mysite

ssoadm add-site-sec-urls

Add Site Secondary URLs.

Usage: ssoadm add-site-sec-urls --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--secondaryurls, -a: Secondary URLs
--sitename, -s: Site name, e.g. mysite

ssoadm add-sub-schema

Add sub schema.

Usage: ssoadm add-sub-schema --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--filename, -F: Name of file that contains the schema
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.

ssoadm add-svc-attrs

Add service attribute values in a realm. Long content for an attribute can be supplied in a file by appending '-file' to the attribute name, and giving the filename as the value.

Usage: ssoadm add-svc-attrs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--servicename, -s: Name of service.
[--attributevalues, -a]: Attribute values to be added e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values to be added.

ssoadm add-svc-identity

Add Service to an identity

Usage: ssoadm add-svc-identity --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity such as User, Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--servicename, -s: Name of service.
[--attributevalues, -a]: Attribute values e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values data.

ssoadm add-svc-realm

Add service to a realm. Long content for an attribute can be supplied in a file by appending '-file' to the attribute name, and giving the filename as the value.

Usage: ssoadm add-svc-realm --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--servicename, -s: Service Name.
[--attributevalues, -a]: Attribute values e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values data.

ssoadm agent-remove-props

Remove agent's properties.

Usage: ssoadm agent-remove-props --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--agentname, -b: Name of agent.
--attributenames, -a: properties name(s).
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm clone-server

Clone a server instance.

Usage: ssoadm clone-server --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--cloneservername, -o: Clone server name
--password-file, -f: File name that contains password of administrator.
--servername, -s: Server name

ssoadm create-agent

Create a new agent configuration.

Usage: ssoadm create-agent --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--agentname, -b: Name of agent.
--agenttype, -t: Type of agent. Possible values: J2EEAgent, WebAgent, 2.2_Agent, SharedAgent, OAuth2Client
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--agenturl, -g]: Agent URL. e.g. http://www.agent.example:8080/agent. WebAgent does not take URL with path. e.g. http://www.agent.example:8080. This option is valid only for J2EEAgent and WebAgent agent types, and is required when the agent type is J2EEAgent or WebAgent.
[--attributevalues, -a]: Properties e.g. sunIdentityServerDeviceKeyValue=https://agent.example.com:443/
[--datafile, -D]: Name of file that contains properties.
[--serverurl, -s]: Server URL. e.g. http://www.example.com:58080/openam. This option is valid only for J2EEAgent and WebAgent agent types, and is required when the agent type is J2EEAgent or WebAgent.

ssoadm create-agent-grp

Create a new agent group.

Usage: ssoadm create-agent-grp --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--agentgroupname, -b: Name of agent group.
--agenttype, -t: Type of agent group. e.g. J2EEAgent, WebAgent
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--attributevalues, -a]: Properties e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains properties.
[--serverurl, -s]: Server URL. e.g. http://www.example.com:58080/openam. This option is valid for J2EEAgent and WebAgent.

ssoadm create-appl

Create policy set.

Usage: ssoadm create-appl --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--applicationtype, -t: Application type name
--name, -m: Policy set name
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name
[--attributevalues, -a]: Attribute values e.g. applicationType=iPlanetAMWebAgentService.
[--datafile, -D]: Name of file that contains attribute values data. Mandatory attributes are resources, subjects, conditions and entitlementCombiner. Optional ones are actions, searchIndexImpl, saveIndexImpl, resourceComparator, subjectAttributeNames.

ssoadm create-appl-type

Create application type.

Usage: ssoadm create-appl-type --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Application Type name
--password-file, -f: File name that contains password of administrator.
[--attributevalues, -a]: Application Type attribute values e.g. actions=enabled=true.
[--datafile, -D]: Name of file that contains attribute type values data. Mandatory attributes are actions, searchIndexImpl and saveIndexImpl. Optional are resourceComparator.

ssoadm create-auth-cfg

Create authentication configuration

Usage: ssoadm create-auth-cfg --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Name of authentication configuration.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm create-auth-instance

Create authentication module instance

Usage: ssoadm create-auth-instance --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--authtype, -t: Type of authentication module instance. Possible values include AD, Adaptive, Anonymous, Cert, DataStore, DeviceIdMatch, DeviceIdSave, Federation, HOTP, HTTPBasic, JDBC, LDAP, Membership, MSISDN, OATH, OAuth, OpenIdConnect, PersistentCookie, RADIUS, SAE, Scripted, WindowsDesktopSSO, NT, and WSSAuthModule.
--name, -m: Name of authentication module instance.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm create-cot

Create circle of trust.

Usage: ssoadm create-cot --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--cot, -t: Circle of Trust
--password-file, -f: File name that contains password of administrator.
[--prefix, -p]: Prefix URL for idp discovery reader and writer URL.
[--realm, -e]: Realm where circle of trust resides
[--trustedproviders, -k]: Trusted Providers

ssoadm create-datastore

Create data store under a realm

Usage: ssoadm create-datastore --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--datatype, -t: Type of datastore. Use the list-datastore-types subcommand to get a list of supported datastore types.
--name, -m: Name of datastore.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--attributevalues, -a]: Attribute values e.g. sunIdRepoClass=com.sun.identity.idm.plugins.files.FilesRepo.
[--datafile, -D]: Name of file that contains attribute values data.

ssoadm create-identity

Create identity in a realm

Usage: ssoadm create-identity --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity such as User, Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--attributevalues, -a]: Attribute values e.g. sunIdentityServerDeviceStatus=Active.
[--datafile, -D]: Name of file that contains attribute values data.

ssoadm create-metadata-templ

Create new metadata template.

Usage: ssoadm create-metadata-templ --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--entityid, -y: Entity ID
--password-file, -f: File name that contains password of administrator.
[--affiecertalias, -K]: Affiliation encryption certificate alias
[--affiliation, -F]: Specify metaAlias for hosted affiliation. to be created. The format must be <realm name>/<identifier>
[--affimembers, -M]: Affiliation members
[--affiownerid, -N]: Affiliation Owner ID
[--affiscertalias, -J]: Affiliation signing certificate alias
[--attraecertalias, -G]: Attribute authority encryption certificate alias.
[--attrascertalias, -B]: Attribute authority signing certificate alias
[--attrauthority, -I]: Specify metaAlias for hosted attribute authority to be created. The format must be <realm name>/<identifier>.
[--attrqecertalias, -R]: Attribute query provider encryption certificate alias
[--attrqscertalias, -A]: Attribute query provider signing certificate alias
[--attrqueryprovider, -S]: Specify metaAlias for hosted attribute query provider to be created. The format must be <realm name>/<identifier>.
[--authnaecertalias, -E]: Authentication authority encryption certificate alias.
[--authnascertalias, -D]: Authentication authority signing certificate alias
[--authnauthority, -C]: Specify metaAlias for hosted authentication authority to be created. The format must be <realm name>/<identifier>.
[--extended-data-file, -x]: Specify file name for the extended metadata to be created. XML will be displayed on terminal if this file name is not provided.
[--identityprovider, -i]: Specify metaAlias for hosted identity provider to be created. The format must be <realm name>/<identifier>.
[--idpecertalias, -g]: Identity provider encryption certificate alias.
[--idpscertalias, -b]: Identity provider signing certificate alias
[--meta-data-file, -m]: Specify file name for the standard metadata to be created. XML will be displayed on terminal if this file name is not provided.
[--serviceprovider, -s]: Specify metaAlias for hosted service provider to be created. The format must be <realm name>/<identifier>.
[--specertalias, -r]: Service provider encryption certificate alias
[--spec, -c]: Specify metadata specification, either wsfed, idff or saml2, defaults to saml2
[--spscertalias, -a]: Service provider signing certificate alias
[--xacmlpdpecertalias, -j]: Policy decision point encryption certificate alias
[--xacmlpdpscertalias, -t]: Policy decision point signing certificate alias
[--xacmlpdp, -p]: Specify metaAlias for policy decision point to be created. The format must be <realm name>/<identifier>.
[--xacmlpepecertalias, -z]: Policy enforcement point encryption certificate alias
[--xacmlpepscertalias, -k]: Policy enforcement point signing certificate alias
[--xacmlpep, -e]: Specify metaAlias for policy enforcement point to be created. The format must be <realm name>/<identifier>.

ssoadm create-realm

Create realm.

Usage: ssoadm create-realm --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm to be created.

ssoadm create-server

Create a server instance.

Usage: ssoadm create-server --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--serverconfigxml, -X: Server Configuration XML file name.
--servername, -s: Server name, e.g. http://www.example.com:8080/fam
[--attributevalues, -a]: Attribute values e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values data.

ssoadm create-site

Create a site.

Usage: ssoadm create-site --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--sitename, -s: Site name, e.g. mysite
--siteurl, -i: Site's primary URL, e.g. http://www.example.com:8080
[--secondaryurls, -a]: Secondary URLs

ssoadm create-sub-cfg

Create a new sub configuration. Long content for an attribute can be supplied in a file by appending '-file' to the attribute name, and giving the filename as the value.

Usage: ssoadm create-sub-cfg --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servicename, -s: Name of service.
--subconfigname, -g: Sub-schema name of (or path to) the type of sub-configuration being added.
[--attributevalues, -a]: Attribute values e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values data.
[--priority, -p]: Priority of the sub configuration.
[--realm, -e]: Name of realm (Sub Configuration shall be added to global configuration if this option is not provided).
[--subconfigid, -b]: User-specfieid ID of (or path to) the sub-configuration.

ssoadm create-svc

Create a new service in server.

Usage: ssoadm create-svc --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--xmlfile, -X: XML file(s) that contains schema.
[--continue, -c]: Continue adding service if one or more previous service cannot be added.

ssoadm create-svrcfg-xml

Create serverconfig.xml file. No options are required for flat file configuration data store.

Usage: ssoadm create-svrcfg-xml --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
[--basedn, -b]: Directory Server base distinguished name.
[--dsadmin, -a]: Directory Server administrator distinguished name
[--dshost, -t]: Directory Server host name
[--dspassword-file, -x]: File that contains Directory Server administrator password
[--dsport, -p]: Directory Server port number
[--outfile, -o]: File name where serverconfig XML is written.

ssoadm create-xacml

Create policies in a realm with XACML input.

Usage: ssoadm create-xacml --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--xmlfile, -X: File that contains the policy XACML definition. In the console, paste the XML into the text field instead.
[--dryrun, -n]: Provide a summary of the policies which would be updated, and those which would be added, as a result of the create-xacml command without the 'dryrun' option specified. Nothing will be updated or added when using this option.
[--outfile, -o]: Filename where the output of a 'dryrun' command will be sent to. If no 'dryrun' command is specified, the outfile will not be used for anything.

ssoadm delete-agent-grps

Delete agent groups.

Usage: ssoadm delete-agent-grps --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--agentgroupnames, -s]: Separate multiple agent group names with spaces.
[--file, -D]: File containing agent group names, with multiple group names separated by spaces.

ssoadm delete-agents

Delete agent configurations.

Usage: ssoadm delete-agents --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--agentnames, -s]: Separate multiple agent names with spaces.
[--file, -D]: File containing agent names, with multiple agent names separated by spaces.

ssoadm delete-appl-types

Delete application types.

Usage: ssoadm delete-appl-types --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--names, -m: Application Type names
--password-file, -f: File name that contains password of administrator.

ssoadm delete-appls

Delete policy sets. Note that policy sets are cached for 30 minutes. Restart OpenAM to apply changes immediately.

Usage: ssoadm delete-appls --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--names, -m: Policy set names
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name

ssoadm delete-attr

Delete attribute schemas from a service

Usage: ssoadm delete-attr --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributeschema, -a: Name of attribute schema to be removed.
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
[--subschemaname, -c]: Name of sub schema.

ssoadm delete-attr-def-values

Delete attribute schema default values.

Usage: ssoadm delete-attr-def-values --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributeschema, -a: Name of attribute schema
--defaultvalues, -e: Default value(s) to be deleted
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
[--subschemaname, -c]: Name of sub schema.

ssoadm delete-auth-cfgs

Delete authentication configurations

Usage: ssoadm delete-auth-cfgs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--names, -m: Name of authentication configurations.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm delete-auth-instances

Delete authentication instances

Usage: ssoadm delete-auth-instances --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--names, -m: Name of authentication instances.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm delete-cot

Delete circle of trust.

Usage: ssoadm delete-cot --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--cot, -t: Circle of Trust
--password-file, -f: File name that contains password of administrator.
[--realm, -e]: Realm where circle of trust resides

ssoadm delete-datastores

Delete data stores under a realm

Usage: ssoadm delete-datastores --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--names, -m: Names of datastore.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm delete-entity

Delete entity.

Usage: ssoadm delete-entity --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--entityid, -y: Entity ID
--password-file, -f: File name that contains password of administrator.
[--extendedonly, -x]: Set to flag to delete only extended data.
[--realm, -e]: Realm where data resides
[--spec, -c]: Specify metadata specification, either wsfed, idff or saml2, defaults to saml2

ssoadm delete-identities

Delete identities in a realm

Usage: ssoadm delete-identities --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idtype, -t: Type of Identity such as User, Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--file, -D]: Name of file that contains the identity names to be deleted.
[--idnames, -i]: Names of identites.

ssoadm delete-realm

Delete realm.

Usage: ssoadm delete-realm --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm to be deleted.
[--recursive, -r]: Delete descendent realms recursively.

ssoadm delete-realm-attr

Delete attribute from a realm.

Usage: ssoadm delete-realm-attr --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributename, -a: Name of attribute to be removed.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--servicename, -s: Name of service.

ssoadm delete-server

Delete a server instance.

Usage: ssoadm delete-server --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servername, -s: Server name, e.g. http://www.example.com:8080/fam

ssoadm delete-site

Delete a site.

Usage: ssoadm delete-site --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--sitename, -s: Site name, e.g. mysite

ssoadm delete-sub-cfg

Remove Sub Configuration.

Usage: ssoadm delete-sub-cfg --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servicename, -s: Name of service.
--subconfigname, -g: Name of sub configuration.
[--realm, -e]: Name of realm (Sub Configuration shall be deleted from the global configuration if this option is not provided).

ssoadm delete-svc

Delete service from the server.

Usage: ssoadm delete-svc --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servicename, -s: Service Name(s).
[--continue, -c]: Continue deleting service if one or more previous services cannot be deleted.
[--deletepolicyrule, -r]: Delete policy rule.

ssoadm delete-xacml

Delete XACML policies from a realm.

Usage: ssoadm delete-xacml --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--file, -D]: Name of file that contains the policy names to be deleted.
[--policynames, -p]: Names of policy to be deleted.

ssoadm do-batch

Do multiple requests in one command.

Usage: ssoadm do-batch --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--batchfile, -Z: Name of file that contains commands and options.
--password-file, -f: File name that contains password of administrator.
[--batchstatus, -b]: Name of status file.
[--continue, -c]: Continue processing the rest of the request when preceeding request was erroneous.

ssoadm do-bulk-federation

Perform bulk federation.

Usage: ssoadm do-bulk-federation --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--metaalias, -m: Specify metaAlias for local provider.
--nameidmapping, -e: Name of file that will be created by this sub command. It contains remote user Id to name identifier. It shall be used by remote provider to update user profile.
--password-file, -f: File name that contains password of administrator.
--remoteentityid, -r: Remote entity Id
--useridmapping, -g: File name of local to remote user Id mapping. Format <local-user-id>|<remote-user-id>
[--spec, -c]: Specify metadata specification, either idff or saml2, defaults to saml2

ssoadm do-migration70

Migrate organization to realm.

Usage: ssoadm do-migration70 --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--entrydn, -e: Distinguished name of organization to be migrated.
--password-file, -f: File name that contains password of administrator.

ssoadm embedded-status

Status of embedded store.

Usage: ssoadm embedded-status --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--port, -p: Embedded store port
[--password, -w]: Embedded store password

ssoadm export-entity

Export entity.

Usage: ssoadm export-entity --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--entityid, -y: Entity ID
--password-file, -f: File name that contains password of administrator.
[--extended-data-file, -x]: Extended data
[--meta-data-file, -m]: Metadata
[--realm, -e]: Realm where data resides
[--sign, -g]: Set this flag to sign the metadata
[--spec, -c]: Specify metadata specification, either wsfed, idff or saml2, defaults to saml2

ssoadm export-server

Export a server instance.

Usage: ssoadm export-server --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servername, -s: Server name
[--outfile, -o]: Filename where configuration was written.

ssoadm export-svc-cfg

Export service configuration. In production environments, you should back up the service configuration using file system utilities or the export-ldif command. Note that export-ldif/import-ldif commands must be on the same deployment where the encryption keys are located.

Usage: ssoadm export-svc-cfg --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--encryptsecret, -e: Secret key for encrypting password. Any arbitrary value can be specified.
--password-file, -f: File name that contains password of administrator.
[--outfile, -o]: Filename where configuration was written.

ssoadm get-attr-choicevals

Get choice values of attribute schema.

Usage: ssoadm get-attr-choicevals --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributename, -a: Name of attribute.
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
[--subschemaname, -c]: Name of sub schema.

ssoadm get-attr-defs

Get default attribute values in schema.

Usage: ssoadm get-attr-defs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema. One of dynamic, global, or organization (meaning realm).
--servicename, -s: Name of service.
[--attributenames, -a]: Attribute name(s).
[--subschemaname, -c]: Name of sub schema.

ssoadm get-auth-cfg-entr

Get authentication configuration entries

Usage: ssoadm get-auth-cfg-entr --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Name of authentication configuration.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm get-auth-instance

Get authentication instance values

Usage: ssoadm get-auth-instance --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Name of authentication instance.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm get-identity

Get identity property values

Usage: ssoadm get-identity --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity such as User, Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--attributenames, -a]: Attribute name(s). All attribute values shall be returned if the option is not provided.

ssoadm get-identity-svcs

Get the service in an identity

Usage: ssoadm get-identity-svcs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity such as User, Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm get-realm

Get realm property values.

Usage: ssoadm get-realm --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--servicename, -s: Name of service.

ssoadm get-realm-svc-attrs

Get realm's service attribute values.

Usage: ssoadm get-realm-svc-attrs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--servicename, -s: Name of service.

ssoadm get-recording-status

Get the status of recording operations.

Usage: ssoadm get-recording-status --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servername, -s: Server name, e.g. http://openam.example.com:8080/openam

ssoadm get-revision-number

Get service schema revision number.

Usage: ssoadm get-revision-number --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servicename, -s: Name of service.

ssoadm get-sub-cfg

Get sub configuration.

Usage: ssoadm get-sub-cfg --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servicename, -s: Name of service.
--subconfigname, -g: Name of sub configuration.
[--realm, -e]: Name of realm (Sub Configuration shall be retrieved from the global configuration if this option is not provided).

ssoadm get-svrcfg-xml

Get server configuration XML from centralized data store

Usage: ssoadm get-svrcfg-xml --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servername, -s: Server name, e.g. http://www.example.com:8080/fam
[--outfile, -o]: File name where serverconfig XML is written.

ssoadm import-bulk-fed-data

Import bulk federation data which is generated by 'do-bulk-federation' sub command.

Usage: ssoadm import-bulk-fed-data --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--bulk-data-file, -g: File name of bulk federation data which is generated by 'do-bulk-federation' sub command.
--metaalias, -m: Specify metaAlias for local provider.
--password-file, -f: File name that contains password of administrator.
[--spec, -c]: Specify metadata specification, either idff or saml2, defaults to saml2

ssoadm import-entity

Import entity.

Usage: ssoadm import-entity --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
[--cot, -t]: Specify name of the Circle of Trust this entity belongs.
[--extended-data-file, -x]: Specify file name for the extended entity configuration to be imported.<web>Extended entity configuration to be imported.
[--meta-data-file, -m]: Specify file name for the standard metadata to be imported.<web>Standard metadata to be imported.
[--realm, -e]: Realm where entity resides.
[--spec, -c]: Specify metadata specification, either wsfed, idff or saml2, defaults to saml2

ssoadm import-server

Import a server instance.

Usage: ssoadm import-server --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servername, -s: Server name
--xmlfile, -X: XML file that contains configuration.

ssoadm import-svc-cfg

Import service configuration. In production environments, you should restore the service configuration using file system utilities or the import-ldif command. Note that import-ldif/export-ldif commands must be on the same deployment where the encryption keys are located.

Usage: ssoadm import-svc-cfg --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--encryptsecret, -e: Secret key for decrypting password.
--password-file, -f: File name that contains password of administrator.
--xmlfile, -X: XML file that contains configuration data.

ssoadm list-agent-grp-members

List agents in agent group.

Usage: ssoadm list-agent-grp-members --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--agentgroupname, -b: Name of agent group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--filter, -x]: Filter (Pattern).

ssoadm list-agent-grps

List agent groups.

Usage: ssoadm list-agent-grps --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--agenttype, -t]: Type of agent. e.g. J2EEAgent, WebAgent
[--filter, -x]: Filter (Pattern).

ssoadm list-agents

List agent configurations.

Usage: ssoadm list-agents --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--agenttype, -t]: Type of agent. e.g. J2EEAgent, WebAgent
[--filter, -x]: Filter (Pattern).

ssoadm list-app-privs

List policy set privileges in a realm.

Usage: ssoadm list-app-privs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name

ssoadm list-appl-types

List application types.

Usage: ssoadm list-appl-types --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.

ssoadm list-appls

List policy set in a realm.

Usage: ssoadm list-appls --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name

ssoadm list-auth-cfgs

List authentication configurations

Usage: ssoadm list-auth-cfgs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm list-auth-instances

List authentication instances

Usage: ssoadm list-auth-instances --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm list-cot-members

List the members in a circle of trust.

Usage: ssoadm list-cot-members --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--cot, -t: Circle of Trust
--password-file, -f: File name that contains password of administrator.
[--realm, -e]: Realm where circle of trust resides
[--spec, -c]: Specify metadata specification, either wsfed, idff or saml2, defaults to saml2

ssoadm list-cots

List circles of trust.

Usage: ssoadm list-cots --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
[--realm, -e]: Realm where circle of trusts reside

ssoadm list-datastore-types

List the supported data store types

Usage: ssoadm list-datastore-types --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.

ssoadm list-datastores

List data stores under a realm

Usage: ssoadm list-datastores --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm list-entities

List entities under a realm.

Usage: ssoadm list-entities --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
[--realm, -e]: Realm where entities reside.
[--spec, -c]: Specify metadata specification, either wsfed, idff or saml2, defaults to saml2

ssoadm list-identities

List identities in a realm

Usage: ssoadm list-identities --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--filter, -x: Filter (Pattern).
--idtype, -t: Type of Identity such as User, Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm list-identity-assignable-svcs

List the assignable service to an identity

Usage: ssoadm list-identity-assignable-svcs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity such as User, Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm list-realm-assignable-svcs

List the assignable services to a realm.

Usage: ssoadm list-realm-assignable-svcs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm list-realms

List realms by name.

Usage: ssoadm list-realms --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm where search begins.
[--filter, -x]: Filter (Pattern).
[--recursive, -r]: Search recursively

ssoadm list-res-bundle

List resource bundle in data store.

Usage: ssoadm list-res-bundle --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--bundlename, -b: Resource Bundle Name.
--password-file, -f: File name that contains password of administrator.
[--bundlelocale, -o]: Locale of the resource bundle.

ssoadm list-server-cfg

List server configuration.

Usage: ssoadm list-server-cfg --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servername, -s: Server name, e.g. http://www.example.com:8080/fam or enter default to list default server configuration.
[--withdefaults, -w]: Set this flag to get default configuration.

ssoadm list-servers

List all server instances.

Usage: ssoadm list-servers --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.

ssoadm list-sessions

List stateful sessions.

Usage: ssoadm list-sessions --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--host, -t: Host Name.
--password-file, -f: File name that contains password of administrator.
[--filter, -x]: Filter (Pattern).
[--quiet, -q]: Do not prompt for session invalidation.

ssoadm list-sites

List all sites.

Usage: ssoadm list-sites --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.

ssoadm list-xacml

Export policies in realm as XACML.

Usage: ssoadm list-xacml --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--namesonly, -n]: Returns only names of matching policies. Policies are not returned.
[--outfile, -o]: Filename where policy definition will be printed to. Definition will be printed in standard output if this option is not provided.
[--policynames, -p]: Names of policy. This can be a wildcard. All policy definition in the realm will be returned if this option is not provided.

ssoadm policy-export

Export policy configuration for a given realm

Usage: ssoadm policy-export --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--jsonfile, -J: JSON file for which to write the policy model to.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name
--servername, -s: Server name, e.g. http://openam.example.com:8080/openam

ssoadm policy-import

Import policy model into a given realm

Usage: ssoadm policy-import --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--jsonfile, -J: JSON file containing the policy model to be imported.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name
--servername, -s: Server name, e.g. http://openam.example.com:8080/openam

ssoadm register-auth-module

Registers authentication module.

Usage: ssoadm register-auth-module --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--authmodule, -a: Java class name of authentication module.
--password-file, -f: File name that contains password of administrator.

ssoadm remove-agent-from-grp

Remove agents from a agent group.

Usage: ssoadm remove-agent-from-grp --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--agentgroupname, -b: Name of agent group.
--agentnames, -s: Names of agents.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm remove-app-priv-resources

Remove policy set privilege resources. Note that policy sets are cached for 30 minutes. Restart OpenAM to apply changes immediately.

Usage: ssoadm remove-app-priv-resources --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--application, -t: Policy set name
--name, -m: Name for the this delegation
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name
[--resources, -r]: Resources to removed, All resources in the policy set will be removed if this option is absent.

ssoadm remove-app-priv-subjects

Remove policy set privilege subjects.

Usage: ssoadm remove-app-priv-subjects --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Name for the this delegation
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name
--subjects, -s: Subject name
--subjecttype, -b: Possible values are User or Group

ssoadm remove-app-privs

Remove policy set privileges.

Usage: ssoadm remove-app-privs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--names, -m: Names of policy set privileges to be removed
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name

ssoadm remove-attr-choicevals

Remove choice values from attribute schema.

Usage: ssoadm remove-attr-choicevals --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributename, -a: Name of attribute.
--choicevalues, -k: Choice values e.g. Inactive
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
[--subschemaname, -c]: Name of sub schema.

ssoadm remove-attr-defs

Remove default attribute values in schema.

Usage: ssoadm remove-attr-defs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributenames, -a: Attribute name(s).
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
[--subschemaname, -c]: Name of sub schema.

ssoadm remove-cot-member

Remove a member from a circle of trust.

Usage: ssoadm remove-cot-member --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--cot, -t: Circle of Trust
--entityid, -y: Entity ID
--password-file, -f: File name that contains password of administrator.
[--realm, -e]: Realm where circle of trust resides
[--spec, -c]: Specify metadata specification, either wsfed, idff or saml2, defaults to saml2

ssoadm remove-member

Remove membership of identity from another identity

Usage: ssoadm remove-member --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity
--memberidname, -m: Name of identity that is member.
--memberidtype, -y: Type of Identity of member such as User, Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm remove-plugin-schema

Add Plug-in interface to service.

Usage: ssoadm remove-plugin-schema --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--interfacename, -i: Name of interface.
--password-file, -f: File name that contains password of administrator.
--pluginname, -g: Name of Plug-in.
--servicename, -s: Name of service.

ssoadm remove-privileges

Remove privileges from an identity

Usage: ssoadm remove-privileges --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity such as Role and Group.
--password-file, -f: File name that contains password of administrator.
--privileges, -g: Name of privileges to be removed. Privilege names are AgentAdmin, ApplicationModifyAccess, ApplicationReadAccess, ApplicationTypesReadAccess, ConditionTypesReadAccess, DecisionCombinersReadAccess, EntitlementRestAccess, FederationAdmin, LogAdmin, LogRead, LogWrite, PolicyAdmin, PrivilegeRestAccess, PrivilegeRestReadAccess, RealmAdmin, RealmReadAccess, ResourceTypeModifyAccess, ResourceTypeReadAccess, SubjectAttributesReadAccess, and SubjectTypesReadAccess.
--realm, -e: Name of realm.

ssoadm remove-res-bundle

Remove resource bundle from data store.

Usage: ssoadm remove-res-bundle --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--bundlename, -b: Resource Bundle Name.
--password-file, -f: File name that contains password of administrator.
[--bundlelocale, -o]: Locale of the resource bundle.

ssoadm remove-server-cfg

Remove server configuration.

Usage: ssoadm remove-server-cfg --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--propertynames, -a: Name of properties to be removed.
--servername, -s: Server name, e.g. http://www.example.com:8080/fam or enter default to remove default server configuration.

ssoadm remove-site-members

Remove members from a site.

Usage: ssoadm remove-site-members --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servernames, -e: Server names, e.g. http://www.example.com:8080/fam
--sitename, -s: Site name, e.g. mysite

ssoadm remove-site-sec-urls

Remove Site Secondary URLs.

Usage: ssoadm remove-site-sec-urls --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--secondaryurls, -a: Secondary URLs
--sitename, -s: Site name, e.g. mysite

ssoadm remove-sub-schema

Remove sub schema.

Usage: ssoadm remove-sub-schema --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
--subschemanames, -a: Name(s) of sub schema to be removed.
[--subschemaname, -c]: Name of parent sub schema.

ssoadm remove-svc-attrs

Remove service attribute values in a realm.

Usage: ssoadm remove-svc-attrs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--servicename, -s: Name of service.
[--attributevalues, -a]: Attribute values to be removed e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values to be removed.

ssoadm remove-svc-identity

Remove Service from an identity

Usage: ssoadm remove-svc-identity --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity such as User, Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--servicename, -s: Name of service.

ssoadm remove-svc-realm

Remove service from a realm.

Usage: ssoadm remove-svc-realm --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--servicename, -s: Name of service to be removed.

ssoadm set-appl

Set policy set attributes. Note that policy sets are cached for 30 minutes. Restart OpenAM to apply changes immediately.

Usage: ssoadm set-appl --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Policy set name
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name
[--attributevalues, -a]: Attribute values e.g. applicationType=iPlanetAMWebAgentService.
[--datafile, -D]: Name of file that contains attribute values data. Possible attributes are resources, subjects, conditions, actions, searchIndexImpl, saveIndexImpl, resourceComparator, subjectAttributeNames and entitlementCombiner.

ssoadm set-attr-any

Set any member of attribute schema.

Usage: ssoadm set-attr-any --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--any, -y: Attribute Schema Any value
--attributeschema, -a: Name of attribute schema
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
[--subschemaname, -c]: Name of sub schema.

ssoadm set-attr-bool-values

Set boolean values of attribute schema.

Usage: ssoadm set-attr-bool-values --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributename, -a: Name of attribute.
--falsei18nkey, -j: Internationalization key for false value.
--falsevalue, -z: Value for false.
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
--truei18nkey, -k: Internationalization key for true value.
--truevalue, -e: Value for true.
[--subschemaname, -c]: Name of sub schema.

ssoadm set-attr-choicevals

Set choice values of attribute schema.

Usage: ssoadm set-attr-choicevals --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributename, -a: Name of attribute.
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
[--add, -p]: Set this flag to append the choice values to existing ones.
[--choicevalues, -k]: Choice value e.g. o102=Inactive.
[--datafile, -D]: Name of file that contains attribute values data.
[--subschemaname, -c]: Name of sub schema.

ssoadm set-attr-defs

Set default attribute values in schema.

Usage: ssoadm set-attr-defs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
[--attributevalues, -a]: Attribute values e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values data.
[--subschemaname, -c]: Name of sub schema.

ssoadm set-attr-end-range

Set attribute schema end range.

Usage: ssoadm set-attr-end-range --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributeschema, -a: Name of attribute schema
--password-file, -f: File name that contains password of administrator.
--range, -r: End range
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
[--subschemaname, -c]: Name of sub schema.

ssoadm set-attr-i18n-key

Set i18nKey member of attribute schema.

Usage: ssoadm set-attr-i18n-key --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributeschema, -a: Name of attribute schema
--i18nkey, -k: Attribute Schema I18n Key
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
[--subschemaname, -c]: Name of sub schema.

ssoadm set-attr-start-range

Set attribute schema start range.

Usage: ssoadm set-attr-start-range --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributeschema, -a: Name of attribute schema
--password-file, -f: File name that contains password of administrator.
--range, -r: Start range
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
[--subschemaname, -c]: Name of sub schema.

ssoadm set-attr-syntax

Set syntax member of attribute schema.

Usage: ssoadm set-attr-syntax --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributeschema, -a: Name of attribute schema
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
--syntax, -x: Attribute Schema Syntax
[--subschemaname, -c]: Name of sub schema.

ssoadm set-attr-type

Set type member of attribute schema.

Usage: ssoadm set-attr-type --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributeschema, -a: Name of attribute schema
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
--type, -p: Attribute Schema Type
[--subschemaname, -c]: Name of sub schema.

ssoadm set-attr-ui-type

Set UI type member of attribute schema.

Usage: ssoadm set-attr-ui-type --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributeschema, -a: Name of attribute schema
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
--uitype, -p: Attribute Schema UI Type
[--subschemaname, -c]: Name of sub schema.

ssoadm set-attr-validator

Set attribute schema validator.

Usage: ssoadm set-attr-validator --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributeschema, -a: Name of attribute schema
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
--validator, -r: validator class name
[--subschemaname, -c]: Name of sub schema.

ssoadm set-attr-view-bean-url

Set properties view bean URL member of attribute schema.

Usage: ssoadm set-attr-view-bean-url --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--attributeschema, -a: Name of attribute schema
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
--url, -r: Attribute Schema Properties View Bean URL
[--subschemaname, -c]: Name of sub schema.

ssoadm set-entitlement-conf

Set entitlements service configuration

Usage: ssoadm set-entitlement-conf --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
[--attributevalues, -a]: Attribute values e.g. evalThreadSize=4.
[--datafile, -D]: Name of file that contains attribute values data. Possible attributes are evalThreadSize, searchThreadSize, policyCacheSize and indexCacheSize.

ssoadm set-identity-attrs

Set attribute values of an identity

Usage: ssoadm set-identity-attrs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity such as User, Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--attributevalues, -a]: Attribute values e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values data.

ssoadm set-identity-svc-attrs

Set service attribute values of an identity

Usage: ssoadm set-identity-svc-attrs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity such as User, Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--servicename, -s: Name of service.
[--attributevalues, -a]: Attribute values e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values data.

ssoadm set-inheritance

Set Inheritance value of Sub Schema.

Usage: ssoadm set-inheritance --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--inheritance, -r: Value of Inheritance.
--password-file, -f: File name that contains password of administrator.
--schematype, -t: Type of schema.
--servicename, -s: Name of service.
--subschemaname, -c: Name of sub schema.

ssoadm set-plugin-viewbean-url

Set properties view bean URL of plug-in schema.

Usage: ssoadm set-plugin-viewbean-url --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--interfacename, -i: Name of interface.
--password-file, -f: File name that contains password of administrator.
--pluginname, -g: Name of Plug-in.
--servicename, -s: Name of service.
--url, -r: Properties view bean URL.

ssoadm set-realm-attrs

Set attribute values of a realm.

Usage: ssoadm set-realm-attrs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--servicename, -s: Name of service.
[--append, -p]: Set this flag to append the values to existing ones.
[--attributevalues, -a]: Attribute values e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values data.

ssoadm set-realm-svc-attrs

Set attribute values of a service that is assigned to a realm. Long content for an attribute can be supplied in a file by appending '-file' to the attribute name, and giving the filename as the value.

Usage: ssoadm set-realm-svc-attrs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--servicename, -s: Name of service.
[--append, -p]: Set this flag to append the values to existing ones.
[--attributevalues, -a]: Attribute values e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values data.

ssoadm set-revision-number

Set service schema revision number.

Usage: ssoadm set-revision-number --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--revisionnumber, -r: Revision Number
--servicename, -s: Name of service.

ssoadm set-site-id

Set the ID of a site.

Usage: ssoadm set-site-id --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--siteid, -i: Site's ID, e.g. 10
--sitename, -s: Site name, e.g. mysite

ssoadm set-site-pri-url

Set the primary URL of a site.

Usage: ssoadm set-site-pri-url --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--sitename, -s: Site name, e.g. mysite
--siteurl, -i: Site's primary URL, e.g. http://site.www.example.com:8080

ssoadm set-site-sec-urls

Set Site Secondary URLs.

Usage: ssoadm set-site-sec-urls --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--secondaryurls, -a: Secondary URLs
--sitename, -s: Site name, e.g. mysite

ssoadm set-sub-cfg

Set sub configuration. Long content for an attribute can be supplied in a file by appending '-file' to the attribute name, and giving the filename as the value.

Usage: ssoadm set-sub-cfg --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--operation, -o: Operation (either add/set/delete) to be performed on the sub configuration.
--password-file, -f: File name that contains password of administrator.
--servicename, -s: Name of service.
--subconfigname, -g: Name of sub configuration.
[--attributevalues, -a]: Attribute values e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values data.
[--realm, -e]: Name of realm (Sub Configuration shall be set to global configuration if this option is not provided).

ssoadm set-svc-attrs

Set service attribute values in a realm. Long content for an attribute can be supplied in a file by appending '-file' to the attribute name, and giving the filename as the value.

Usage: ssoadm set-svc-attrs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--servicename, -s: Name of service.
[--attributevalues, -a]: Attribute values e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values data.

ssoadm set-svc-i18n-key

Set service schema i18n key.

Usage: ssoadm set-svc-i18n-key --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--i18nkey, -k: I18n Key.
--password-file, -f: File name that contains password of administrator.
--servicename, -s: Name of service.

ssoadm set-svc-view-bean-url

Set service schema properties view bean URL.

Usage: ssoadm set-svc-view-bean-url --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servicename, -s: Name of service.
--url, -r: Service Schema Properties View Bean URL

ssoadm set-svrcfg-xml

Set server configuration XML to centralized data store

Usage: ssoadm set-svrcfg-xml --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servername, -s: Server name, e.g. http://www.example.com:8080/fam
--xmlfile, -X: XML file that contains configuration.

ssoadm show-agent

Show agent profile.

Usage: ssoadm show-agent --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--agentname, -b: Name of agent.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--includepassword, -p]: Include the hashed password in the export.
[--inherit, -i]: Set this to inherit properties from parent group.
[--outfile, -o]: Filename where configuration is written to.

ssoadm show-agent-grp

Show agent group profile.

Usage: ssoadm show-agent-grp --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--agentgroupname, -b: Name of agent group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--outfile, -o]: Filename where configuration is written to.

ssoadm show-agent-membership

List agent's membership.

Usage: ssoadm show-agent-membership --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--agentname, -b: Name of agent.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm show-agent-types

Show agent types.

Usage: ssoadm show-agent-types --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.

ssoadm show-app-priv

Show policy set privilege.

Usage: ssoadm show-app-priv --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Name of policy set privilege
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name

ssoadm show-appl

Show policy set attributes.

Usage: ssoadm show-appl --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Policy set name
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name

ssoadm show-appl-type

Show application type details.

Usage: ssoadm show-appl-type --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Application Type name
--password-file, -f: File name that contains password of administrator.

ssoadm show-auth-modules

Show the supported authentication modules in the system.

Usage: ssoadm show-auth-modules --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.

ssoadm show-data-types

Show the supported data type in the system.

Usage: ssoadm show-data-types --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.

ssoadm show-datastore

Show data store profile.

Usage: ssoadm show-datastore --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Name of datastore.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm show-entitlement-conf

Display entitlements service configuration

Usage: ssoadm show-entitlement-conf --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.

ssoadm show-identity-ops

Show the allowed operations of an identity a realm

Usage: ssoadm show-identity-ops --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idtype, -t: Type of Identity such as User, Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm show-identity-svc-attrs

Show the service attribute values of an identity

Usage: ssoadm show-identity-svc-attrs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity such as User, Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
--servicename, -s: Name of service.

ssoadm show-identity-types

Show the supported identity type in a realm

Usage: ssoadm show-identity-types --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm show-members

Show the members of an identity. For example show the members of a role

Usage: ssoadm show-members --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity such as User, Role and Group.
--membershipidtype, -m: Membership identity type.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm show-memberships

Show the memberships of an identity. For sample show the memberships of an user.

Usage: ssoadm show-memberships --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity such as User, Role and Group.
--membershipidtype, -m: Membership identity type.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm show-privileges

Show privileges assigned to an identity

Usage: ssoadm show-privileges --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--idname, -i: Name of identity.
--idtype, -t: Type of Identity such Role and Group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.

ssoadm show-realm-svcs

Show services in a realm.

Usage: ssoadm show-realm-svcs --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--mandatory, -y]: Include Mandatory services.

ssoadm show-site

Show site profile.

Usage: ssoadm show-site --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--sitename, -s: Site name, e.g. mysite

ssoadm show-site-members

Display members of a site.

Usage: ssoadm show-site-members --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--sitename, -s: Site name, e.g. mysite

ssoadm start-recording

Start recording a bundle that contains troubleshooting information, including debug logs, thread dumps, and environment information.

Usage: ssoadm start-recording --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--jsonfile, -J: JSON control file for a recording operation.
--password-file, -f: File name that contains password of administrator.
--servername, -s: Server name, e.g. http://openam.example.com:8080/openam

ssoadm stop-recording

Stop an active recording operation.

Usage: ssoadm stop-recording --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servername, -s: Server name, e.g. http://openam.example.com:8080/openam

ssoadm unregister-auth-module

Unregisters authentication module.

Usage: ssoadm unregister-auth-module --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--authmodule, -a: Java class name of authentication module.
--password-file, -f: File name that contains password of administrator.

ssoadm update-agent

Update agent configuration.

Usage: ssoadm update-agent --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--agentname, -b: Name of agent.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--attributevalues, -a]: Properties e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains properties.
[--set, -s]: Set this flag to overwrite properties values.

ssoadm update-agent-grp

Update agent group configuration.

Usage: ssoadm update-agent-grp --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--agentgroupname, -b: Name of agent group.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--attributevalues, -a]: Properties e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains properties.
[--set, -s]: Set this flag to overwrite properties values.

ssoadm update-app-priv

Update a policy set privilege.

Usage: ssoadm update-app-priv --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Name for the this delegation
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name
[--actions, -a]: Possible values are READ, MODIFY, DELEGATE, ALL
[--description, -p]: Description for the this delegation.

ssoadm update-app-priv-resources

Set policy set privilege resources. Note that policy sets are cached for 30 minutes. Restart OpenAM to apply changes immediately.

Usage: ssoadm update-app-priv-resources --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--application, -t: Policy set name
--name, -m: Name for the this delegation
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name
[--add, -p]: Resources are added to this policy set if this option is set. Otherwise, resources in the current policy set privilege will be overwritten.
[--resources, -r]: Resources to delegate, All resources in the policy set will be delegated if this option is absent.

ssoadm update-app-priv-subjects

Set policy set privilege subjects.

Usage: ssoadm update-app-priv-subjects --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Name for the this delegation
--password-file, -f: File name that contains password of administrator.
--realm, -e: Realm name
--subjects, -s: Subject name
--subjecttype, -b: Possible values are User or Group
[--add, -p]: Subjects are added to this policy set if this option is set. Otherwise, subjects in the current policy set privilege will be overwritten.

ssoadm update-auth-cfg-entr

Set authentication configuration entries

Usage: ssoadm update-auth-cfg-entr --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Name of authentication configuration.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--datafile, -D]: Name of file that contains formatted authentication configuration entries in this format name|flag|options. option can be REQUIRED, OPTIONAL, SUFFICIENT, REQUISITE. e.g. myauthmodule|REQUIRED|my options.
[--entries, -a]: formatted authentication configuration entries in this format name|flag|options. option can be REQUIRED, OPTIONAL, SUFFICIENT, REQUISITE. e.g. myauthmodule|REQUIRED|my options.

ssoadm update-auth-cfg-props

Set authentication configuration properties

Usage: ssoadm update-auth-cfg-props --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Name of authentication configuration.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--attributevalues, -a]: authentication configuration properties, valid configuration keys are: iplanet-am-auth-login-failure-url, iplanet-am-auth-login-success-url and iplanet-am-auth-post-login-process-class.
[--datafile, -D]: Name of file that contains authentication configuration properties.

ssoadm update-auth-instance

Update authentication instance values

Usage: ssoadm update-auth-instance --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Name of authentication instance.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--attributevalues, -a]: Attribute values e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values data.

ssoadm update-datastore

Update data store profile.

Usage: ssoadm update-datastore --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--name, -m: Name of datastore.
--password-file, -f: File name that contains password of administrator.
--realm, -e: Name of realm.
[--attributevalues, -a]: Attribute values e.g. sunIdRepoClass=com.sun.identity.idm.plugins.files.FilesRepo.
[--datafile, -D]: Name of file that contains attribute values data.

ssoadm update-entity-keyinfo

Update XML signing and encryption key information in hosted entity metadata.

Usage: ssoadm update-entity-keyinfo --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--entityid, -y: Entity ID
--password-file, -f: File name that contains password of administrator.
[--idpecertalias, -g]: Identity provider encryption certificate aliases.
[--idpscertalias, -b]: Identity provider signing certificate aliases
[--realm, -e]: Realm where entity resides.
[--specertalias, -r]: Service provider encryption certificate aliases
[--spec, -c]: Specify metadata specification, either wsfed, idff or saml2, defaults to saml2
[--spscertalias, -a]: Service provider signing certificate aliases

ssoadm update-server-cfg

Update server configuration.

Usage: ssoadm update-server-cfg --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--servername, -s: Server name, e.g. http://www.example.com:8080/fam or enter default to update default server configuration.
[--attributevalues, -a]: Attribute values e.g. homeaddress=here.
[--datafile, -D]: Name of file that contains attribute values data.

ssoadm update-svc

Update service.

Usage: ssoadm update-svc --options [--global-options]

Options

--adminid, -u: The full DN of an administrative user running the command.
--password-file, -f: File name that contains password of administrator.
--xmlfile, -X: XML file(s) that contains schema.
[--continue, -c]: Continue updating service if one or more previous services cannot be updated.

Name

ssoadm — multiple attributes in a single command

Using Multiple Attributes in a Single ssoadm Command

You can set multiple attributes in a single ssoadm command by using a text file or by specifying multiple attributes with the -a option.

Text File

Create a text file with each property on each line followed by a line feed and save the file for example, as TEXT_FILE:
```
iplanet-am-session-max-session-time=150
iplanet-am-session-max-idle-time=15
iplanet-am-session-max-caching-time=5
```

Run the ssoadm command specifying the name of the file with the --datafile (-D) option:

$ ./ssoadm set-attr-defs \
  --servicename iPlanetAMSessionService \
  --schematype dynamic \
  --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org \
  --password-file passwordfile \
  --datafile TEXT_FILE

Using the --attributevalues Option

Run ssoadm using the --attributevalues (-a) option. Separate each attribute with a space.

$ ./ssoadm set-attr-defs \
  --servicename iPlanetAMSessionService \
  --schematype dynamic \
  --adminid uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org \
  --password-file passwordfile \
  --attributevalues \
      iplanet-am-session-max-session-time=150 \
      iplanet-am-session-max-idle-time=15 \
      iplanet-am-session-max-caching-time=5

Command Line Tools

Name

Synopsis

Description

Options

Examples

Name

Synopsis

Description

Options

Examples

Name

Synopsis

Description

Options

Installation Configuration File

Upgrade Configuration File

Examples

Name

Synopsis

Description

Options

Upgrade Configuration File

Examples

Name

Synopsis

Description

Global Options

JVM Properties for ssoadm

Subcommands: By Category

Agent Configuration

Authentication Service Management

Data Store Management

Entitlements

Federation Management

Identity Management

Policy Management

Realm Management

Server Configuration

Service Management

Other

Subcommands: Alphabetical Order

ssoadm add-agent-to-grp

ssoadm add-amsdk-idrepo-plugin

ssoadm add-app-priv

ssoadm add-attr-defs

ssoadm add-attrs

ssoadm add-auth-cfg-entr

ssoadm add-cot-member

ssoadm add-member

ssoadm add-plugin-interface

ssoadm add-plugin-schema

ssoadm add-privileges

ssoadm add-res-bundle

ssoadm add-site-members

ssoadm add-site-sec-urls

ssoadm add-sub-schema

ssoadm add-svc-attrs

ssoadm add-svc-identity

ssoadm add-svc-realm

ssoadm agent-remove-props

ssoadm clone-server

ssoadm create-agent

ssoadm create-agent-grp

ssoadm create-appl

ssoadm create-appl-type

ssoadm create-auth-cfg

ssoadm create-auth-instance

ssoadm create-cot

ssoadm create-datastore

ssoadm create-identity

ssoadm create-metadata-templ

ssoadm create-realm

ssoadm create-server

ssoadm create-site

ssoadm create-sub-cfg

ssoadm create-svc

ssoadm create-svrcfg-xml

ssoadm create-xacml

ssoadm delete-agent-grps