dockernginxhostnameopenamforgerock

How to create a web policy agent in OpenAM given that the server URL has a not fully qualified hostname?


Question: How to create a web policy agent in OpenAM given that the server URL, which OpenAM runs on, has a not fully qualified hostname?

Initial situation: For a Prove of concept (POC), I emulate a server structure using docker. I have an apache webserver as a resource server (docker container), an OpenAM docker container for the access management, and a flask web app running in a third container as the client. I configured OpenAM via the GUI. Sofar my flask app can authenticate, request, and retrieve access tokens using simple requests as specified here. However now I also want to protect the apache resource server. For the start without flask and simply by installing an OpenAM Web Policy Agent on the apache webserver and configuring a web policy agent profile in OpenAM following this official ForgeRock guide.

Problem: When configuring the agent profile in OpenAM using the GUI the OpenAM container's domain name http://openam:8080/openam is not accepted as a valid server URL.

host name error

If I use instead e.g. http://openam.local:8080/openam the error does not show.

What I tried so far:

  1. I added an Nginx container that functions as a reverse proxy and used it to change the container's hostnames to <container>.local. Now I can reach the containers e.g. via http://openam.local:8080/openam and http://apache.local:8080. However, when I now access the OpenAM GUI using http://openam.local:8080/openam, enter the default passwords, and press Create Configuration the configuration fails with the following message:creat config error
  2. Unable to solve the problem from (1) I figured that I recall the Nginx setup and instead try to configure the agent profile using the command line - in the hope that the above error Hostname of server URL is not fully qualified is restricted to the GUI. For the setup via the command line there existed the easy command ./ssoadm create-agent ... as descript here. But ssoadm was deprecated in favor of Amster and I am unable to figure out how to configure the agent policy using Amster.

Solution

  • When using docker as described in the original question you can simply set the hostname of the container using -h flag.

    Example OpeanAM:

    docker run -h openam.example.com -p 8080:8080 --name openam openidentityplatform/openam
    

    Example Apache Web Server:

    docker run -it --name apache_agent -p 80:80 -h example.com --shm-size 2G --link=openam  apache_agent
    

    OpenAM can now be reached via http://openam.example.com:8080/openam and the apache server via http://example.com.

    The OpenAM configuration runs through without an error and when configuring the Web Policy Agent the URL is fully qualified.

    Reference and best resource to get started with OpenAM is this Quick-Start-Guide from the OpenAM git repo's wiki.