How To
ForgeRock Identity Platform
Does not apply to Identity Cloud

How do I make batch changes using ssoadm in AM (All versions)?

Last updated Apr 13, 2021

The purpose of this article is to provide information on making batch changes using ssoadm in AM. You can make multiple changes to AM using ssoadm commands, which makes scripted installs or upgrades possible.



Overview

There are two approaches you can take to making batch changes, both of which utilize ssoadm commands. You can:

  • use the ssoadm do-batch command.
  • use a bash or bat script (depending on your operating system).

Using the ssoadm do-batch command means multiple ssoadm commands are executed together in a single JVM call. This can be much quicker than using a bash or bat script (depending on the number of changes) where ssoadm commands are executed consecutively as individual JVM calls. However, if you use a bash or bat script, you can make use of variables, which may be advantageous depending on your setup.

The following sections give examples of these two approaches based on running the following ssoadm commands as a batch to make some service related changes:

AM 7 and later:

$ ./ssoadm set-attr-defs -s iPlanetAMSessionService -t dynamic -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -a iplanet-am-session-max-session-time=150
$ ./ssoadm set-attr-defs -s iPlanetAMSessionService -t dynamic -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -a iplanet-am-session-max-idle-time=15
$ ./ssoadm set-attr-defs -s iPlanetAMSessionService -t dynamic -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -a iplanet-am-session-max-caching-time=5
$ ./ssoadm set-realm-svc-attrs -s MailServer -e /employees -u uid=amAdmin,ou=People,dc=openam,dc=forgerock,dc=org -f pwd.txt -a forgerockEmailServiceSMTPSSLEnabled="Non SSL"

Pre-AM 7:

$ ./ssoadm set-attr-defs -s iPlanetAMSessionService -t dynamic -u amadmin -f pwd.txt -a iplanet-am-session-max-session-time=150
$ ./ssoadm set-attr-defs -s iPlanetAMSessionService -t dynamic -u amadmin -f pwd.txt -a iplanet-am-session-max-idle-time=15
$ ./ssoadm set-attr-defs -s iPlanetAMSessionService -t dynamic -u amadmin -f pwd.txt -a iplanet-am-session-max-caching-time=5
$ ./ssoadm set-realm-svc-attrs -s MailServer -e /employees -u amadmin -f pwd.txt -a forgerockEmailServiceSMTPSSLEnabled="Non SSL"

Note

If you only want to change multiple attributes related to the same ssoadm sub-command (for example, set-attr-defs), there are simpler options available as described in How do I add multiple attributes with a single ssoadm command in AM (All versions)?

Using do-batch commands

Firstly you need to create a batch file containing all the ssoadm commands you want to run. The ssoadm commands you include in the batch file take the same format as the ones you would normally run individually but with the ./ssoadm part, and the -u and -p parameters removed. The only exception to this is when attribute values are surrounded in quotes; in this situation, you should surround the attribute name and value in quotes.

For example:

  1. Create a batch file (called services.batch to match the next command) containing the following:

     # Update service properties
     set-attr-defs -s iPlanetAMSessionService -t dynamic -a iplanet-am-session-max-session-time=150
     set-attr-defs -s iPlanetAMSessionService -t dynamic -a iplanet-am-session-max-idle-time=15
     set-attr-defs -s iPlanetAMSessionService -t dynamic -a iplanet-am-session-max-caching-time=5
     set-realm-svc-attrs -s MailServer -e /employees -a "forgerockEmailServiceSMTPSSLEnabled=Non SSL"

  2. Execute the commands in the batch file using the following ssoadm command:

     $ ./ssoadm do-batch -u [adminID] -f [passwordfile] -Z services.batch

     replacing [adminID] and [passwordfile] with appropriate values.

Note

You can still include data files or multiple attributes in the ssoadm commands within the batch file as described in How do I add multiple attributes with a single ssoadm command in AM (All versions)?

Using bash or bat scripts

Firstly you need to create a bash or bat script containing all the ssoadm commands you want to run and any variables you want to use. Obviously you can extend this script to perform other tasks as applicable, but for the purposes of this example, it will just be used for simple ssoadm updates.

For example:

  1. Create a data file (called DATA_FILE to match the next command) with the following contents:

     iplanet-am-session-max-session-time=150
     iplanet-am-session-max-idle-time=15
     iplanet-am-session-max-caching-time=5

  2. Create a bash or bat script (called services.bash to match the next command) containing the following:

     #!/bin/bash
     #
     # Example bash script
     #
     # Define variables
     SSOADM=/opt/tools/openam/bin/ssoadm
     PWORD=/opt/tools/openam/pwd.txt
     #
     # Update service properties
     #
     ${SSOADM} set-attr-defs -s iPlanetAMSessionService -t dynamic -u [adminID] -f ${PWORD} -D DATA_FILE
     ${SSOADM} set-realm-svc-attrs -s MailServer -e /employees -u [adminID] -f ${PWORD} -a forgerockEmailServiceSMTPSSLEnabled="Non SSL"

     making sure you update the variables to match your environment and replace [adminID] with appropriate values.

  3. Execute the bash script using the following command: $ bash services.bash
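
The two approaches can be combined: a script supplies the variables and writes the batch file, and a single do-batch call executes it. The following is an added example, not ForgeRock's own script; the variable names, the default paths and values (taken from the samples above), and the `--apply` switch are assumptions. Because the variables are interpolated into commands that run with administrator rights, each one is validated before the batch is written.

```shell
#!/bin/sh
# Added example (not ForgeRock's script). Paths, admin ID and values are
# assumptions taken from the article's samples; adjust for your environment.
SSOADM="${SSOADM:-/opt/tools/openam/bin/ssoadm}"
PWORD="${PWORD:-/opt/tools/openam/pwd.txt}"
ADMIN_ID="${ADMIN_ID:-amadmin}"   # AM 7 and later: use the full amAdmin DN
REALM="${REALM:-/employees}"
MAX_SESSION="${MAX_SESSION:-150}"
MAX_IDLE="${MAX_IDLE:-15}"
MAX_CACHING="${MAX_CACHING:-5}"
SMTP_SSL="${SMTP_SSL:-Non SSL}"

# True only for a non-empty string of digits.
is_number() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }

# True if the value is non-empty and has no newline or double quote,
# either of which would change how the batch line is read.
is_safe_text() {
  nl='
'
  case "$1" in ''|*"$nl"*|*'"'*) return 1 ;; esac
}

# Print the batch file: sub-commands only, without ./ssoadm, -u or -f.
write_batch() {
  for n in "$MAX_SESSION" "$MAX_IDLE" "$MAX_CACHING"; do
    is_number "$n" || { echo "not a number: $n" >&2; return 1; }
  done
  case "$REALM" in ''|*[!A-Za-z0-9/_-]*) return 1 ;; esac
  is_safe_text "$SMTP_SSL" || return 1
  cat <<EOF
# Update service properties
set-attr-defs -s iPlanetAMSessionService -t dynamic -a iplanet-am-session-max-session-time=${MAX_SESSION}
set-attr-defs -s iPlanetAMSessionService -t dynamic -a iplanet-am-session-max-idle-time=${MAX_IDLE}
set-attr-defs -s iPlanetAMSessionService -t dynamic -a iplanet-am-session-max-caching-time=${MAX_CACHING}
set-realm-svc-attrs -s MailServer -e ${REALM} -a "forgerockEmailServiceSMTPSSLEnabled=${SMTP_SSL}"
EOF
}

# Write the batch to a private temp file and run it in one JVM call.
apply_batch() {
  batch=$(mktemp) || return 1
  write_batch > "$batch" && "$SSOADM" do-batch -u "$ADMIN_ID" -f "$PWORD" -Z "$batch"
  rc=$?; rm -f "$batch"; return "$rc"
}

# "--apply" runs ssoadm; anything else prints the batch for review.
if [ "${1:-}" = "--apply" ]; then apply_batch; else write_batch; fi
```

Run it without arguments to review the generated batch, then with `--apply` to execute it.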

See Also

How do I add multiple attributes with a single ssoadm command in AM (All versions)?

How do I improve the performance of ssoadm in AM (All versions)?

FAQ: Installing and using ssoadm in AM



Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.