
How do I set up Realm DNS Aliases in OpenAM 13.x?

Last updated Jan 5, 2021

The purpose of this article is to provide information on setting up Realm DNS Aliases in OpenAM.


Archived

This article has been archived and is no longer maintained by ForgeRock.

Setting up Realm DNS Aliases

Realm DNS aliases are an alternative to using Fully Qualified Domain Names (FQDNs) in OpenAM as they implicitly add the realm to the request. For example, http://host1.example.com:8080/openam/XUI/#login/ is interpreted as http://host1.example.com:8080/openam/XUI/#login/&realm=myrealm when realm DNS aliases are used.

Warning

Realm DNS aliases must be unique; you cannot have the same realm DNS alias configured in more than one realm, as this can cause the server to become unresponsive.

AM 5 and later

See Setup and Maintenance Guide › To Configure DNS Aliases for Accessing a Realm for further information. 

OpenAM 13

You can set up realm DNS aliases in sub-realms as follows:

  1. Specify the realm DNS alias in the sub-realm using either the console or ssoadm:
    • Console: navigate to: Realms > [Realm Name] > Properties > Realm/DNS Aliases and ensure the appropriate DNS aliases are specified.
    • ssoadm: enter the following command:
        $ ./ssoadm set-realm-attrs -s sunIdentityRepositoryService -e [realmname] -u [adminID] -f [passwordfile] -p -a sunOrganizationAliases=[DNSAlias]
      replacing [realmname], [adminID], [passwordfile] and [DNSAlias] with appropriate values.
  2. Map the FQDN to the realm DNS alias using either the console or ssoadm:
    • OpenAM 13.5 console: navigate to Configure > Server Defaults > Advanced and add the com.sun.identity.server.fqdnMap[realmDNSalias] property with a value of realmDNSalias for each realm DNS alias. For example:
        property name: com.sun.identity.server.fqdnMap[host1.example.com]
        property value: host1.example.com
    • OpenAM 13 console: navigate to Configuration > Servers and Sites > Default Server Settings > Advanced and add the com.sun.identity.server.fqdnMap[realmDNSalias] property with a value of realmDNSalias for each realm DNS alias.
    • ssoadm: enter the following command:
        $ ./ssoadm update-server-cfg -u [adminID] -f [passwordfile] -s default -a com.sun.identity.server.fqdnMap[realmDNSalias1]=realmDNSalias1 com.sun.identity.server.fqdnMap[realmDNSalias2]=realmDNSalias2
      replacing [adminID], [passwordfile] and realmDNSalias with appropriate values. In each mapping, the first instance of realmDNSalias (the one in the property name) must be contained within [ ]. For example:
        $ ./ssoadm update-server-cfg -u amadmin -f pwd.txt -s default -a com.sun.identity.server.fqdnMap[host1.example.com]=host1.example.com com.sun.identity.server.fqdnMap[openam.example.net]=openam.example.net
  3. Restart the web application container in which OpenAM runs to apply these configuration changes.
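
The uniqueness warning above can be checked before step 2 is run. The following is an added example, not ForgeRock's code: it reads a realm-to-alias inventory in an assumed one-pair-per-line format (the realm names, sample data and function names are hypothetical), reports any alias claimed by more than one realm, and prints the fqdnMap arguments only when none is found. Comparing aliases case-insensitively is a conservative choice of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for realm DNS alias uniqueness.
# Assumed input: one "realm alias" pair per line (hypothetical inventory format).

# Constructed sample: /staff reuses the alias of /customers in different case.
SAMPLE_ALIASES='/customers host1.example.com
/partners openam.example.net
/staff Host1.Example.com'

# Print "alias realm1,realm2" for every alias claimed by more than one realm.
# DNS names are case-insensitive, so aliases are compared in lower case.
find_duplicate_aliases() {
    printf '%s\n' "$1" | awk '
        NF == 2 {
            name = tolower($2)
            if ((name, $1) in seen) next      # same realm listed twice
            seen[name, $1] = 1
            if (name in realms) realms[name] = realms[name] "," $1
            else realms[name] = $1
            count[name]++
        }
        END { for (n in count) if (count[n] > 1) print n " " realms[n] }
    ' | sort
}

# Build the -a arguments for "ssoadm update-server-cfg", one per distinct alias.
build_fqdn_map_args() {
    printf '%s\n' "$1" | awk '
        NF == 2 && !(tolower($2) in emitted) {
            emitted[tolower($2)] = 1
            printf "%scom.sun.identity.server.fqdnMap[%s]=%s", sep, $2, $2
            sep = " "
        }'
}

# Refuse to emit any mapping while a duplicate alias exists.
preflight() {
    dups=$(find_duplicate_aliases "$1")
    if [ -n "$dups" ]; then
        printf 'duplicate realm DNS alias: %s\n' "$dups" >&2
        return 1
    fi
    build_fqdn_map_args "$1"
}

preflight "$SAMPLE_ALIASES" || echo "resolve duplicates before running ssoadm"
```
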

See Also

How do I set up Realm DNS Aliases in AM (All versions) when CDSSO is configured?

Administration Guide › Configuring Realms

Related Training

ForgeRock Access Management Core Concepts (AM-400)

Related Issue Tracker IDs

OPENAM-10337 (PUT to /json/global-config/realms/ fails if Accept-API-Version is missing/doesn't specify Protocol.)

OPENAM-8836 (Realm alias in XUI Admin Console should be reflected in fqdnMap)

OPENAM-8416 (Matching DNS alias in realms breaks user authentication and locks out amadmin)

OPENAM-8207 (OpenAM allows creation of duplicate realm mappings - rendering logon impossible)

OPENAM-5892 (same Realm/DNS alias can be configured in two different realms)


Copyright and Trademarks Copyright © 2021 ForgeRock, all rights reserved.