000021471 - How to back up the SAML configuration in RSA Federated Identity Manager (FIM) 2.0

Document created by RSA Customer Support Employee on Jun 16, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021471
Applies To: RSA Federated Identity Manager (FIM) 2.0
            Microsoft Windows 2000 SP4
Issue: How to back up the SAML configuration in RSA Federated Identity Manager (FIM) 2.0
Resolution: The command "configtool SETSAMLCONFIG SAMLCONFIGFILEPATH" completely configures the SAML domain objects from a SAML domain object configuration file located at SAMLCONFIGFILEPATH. Because it replaces the SAML domain objects as a whole, this command is the way to restore or re-import a backed-up copy of the configuration in full. To create that backup in the first place, export the current configuration to a file with:

    configtool EXPORTSAMLCONFIG EXPORTSAMLFILEPATH

which reads all the SAML domain objects in the datastore and writes them out as a SAML domain object configuration file at EXPORTSAMLFILEPATH. Note that EXPORTSAMLCONFIG takes no password (unlike EXPORTSECRETS, which protects its output with one), so the exported file should be stored with the same access restrictions as the datastore it describes. For the full list of operations and usage examples, navigate to the directory containing the configtool command and run "configtool > help". This redirects the usage statement to a file called help, which can then be reviewed; the same text is reproduced in the Notes section below.
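As an added example (not code from this article or from RSA), the following Python wrapper turns the two commands above into a repeatable backup and restore routine: it runs EXPORTSAMLCONFIG into a timestamped file, records a SHA-256 digest beside it, restricts the file to its owner where the platform allows, and refuses to run SETSAMLCONFIG on a file whose digest no longer matches. It assumes configtool is on PATH (or is passed in as configtool_cmd), that configtool exits non-zero on failure, and that EXPORTSAMLCONFIG writes the path it is given; the .cfg and .sha256 file names are this example's conventions, not the product's.

```python
"""Added example (not RSA code): timestamped, integrity-checked backup and
restore of the FIM 2.0 SAML configuration via configtool.

Assumptions: `configtool` is on PATH (or pass configtool_cmd), it exits
non-zero on failure, and EXPORTSAMLCONFIG writes the file path it is given.
The .cfg / .sha256 naming is this example's convention, not the product's.
"""
import hashlib
import os
import subprocess
import time
from pathlib import Path


def sha256_of(path):
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def run_configtool(configtool_cmd, operation, *args):
    """Run one configtool operation; raises CalledProcessError on a non-zero
    exit.  The argument list goes straight to the process (no shell), so a
    path containing spaces or metacharacters cannot alter the command."""
    subprocess.run([*configtool_cmd, operation, *args], check=True)


def sidecar_for(export_path):
    """Path of the digest file stored next to an export."""
    return Path(str(export_path) + ".sha256")


def backup_saml_config(backup_dir, configtool_cmd=("configtool",), stamp=None):
    """EXPORTSAMLCONFIG into <backup_dir>/samlconfig-<stamp>.cfg, then record
    its SHA-256 in a sidecar file.  Returns (export_path, hex_digest)."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%dT%H%M%S")
    export_path = backup_dir / f"samlconfig-{stamp}.cfg"
    run_configtool(configtool_cmd, "EXPORTSAMLCONFIG", str(export_path))
    # A zero exit status is not proof that configtool wrote anything usable.
    if not export_path.is_file() or export_path.stat().st_size == 0:
        raise RuntimeError(f"no export written at {export_path}")
    digest = sha256_of(export_path)
    sidecar_for(export_path).write_text(f"{digest}  {export_path.name}\n")
    # EXPORTSAMLCONFIG takes no password (unlike EXPORTSECRETS), so restrict
    # the file to its owner where POSIX modes are available.
    if os.name != "nt":
        os.chmod(export_path, 0o600)
    return export_path, digest


def verify_backup(export_path):
    """True if the export still matches the digest recorded at backup time."""
    recorded = sidecar_for(export_path).read_text().split()[0]
    return recorded == sha256_of(export_path)


def restore_saml_config(export_path, configtool_cmd=("configtool",)):
    """SETSAMLCONFIG from a verified backup.  Refuses a file whose digest does
    not match (truncated copy, wrong file, tampering), since SETSAMLCONFIG
    replaces the SAML domain objects wholesale."""
    export_path = Path(export_path)
    if not verify_backup(export_path):
        raise RuntimeError(f"digest mismatch for {export_path}; refusing to import")
    run_configtool(configtool_cmd, "SETSAMLCONFIG", str(export_path))
    return True


if __name__ == "__main__":
    # Assumed backup location; adjust for the server's layout.
    path, digest = backup_saml_config("fim-backups")
    print(f"exported {path} sha256={digest}")
```

Before a restore, run verify_backup on the file you intend to import; restore_saml_config does this itself and stops rather than handing SETSAMLCONFIG a file that has changed since it was exported.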
Notes: USAGE STATEMENT OF CONFIGTOOL:

Usage: configtool <operation> <arguments>
       configtool -f <command file>
       configtool -brief


Available operations:


ADDAUTHPROVIDER authenticationDomainName authenticationURL

Description: Adds an AuthenticationProvider domain object to LDAP.
Arguments:
  authenticationDomainName - The domain for which authentication services are provided.
  authenticationURL - The URL of a servlet that provides basic authentication.


ADDBEAUSER user ID password systempassword

Description: Adds a user to BEA Weblogic embedded LDAP.
Arguments:
  user ID - The user ID of the new HTTP basic authentication user.
  password - The password that will be assigned to the created HTTP basic authentication user.
  systempassword - The system password created during installation.


ADDFULLADMIN userId

Description: adds a Full Access Administrator entry in the RSA branch.
Arguments:
  userId - the LDAP user to designate as Full Access Administrator.


ADDLDAP ldapname type server port secureport dnroot userbranch rsabranch accountid [password] [confirmation]

Description: Adds a directory configuration.
Arguments:
  ldapname - A friendly name for the directory configuration.
  type - Directory type: "activedirectory", "iplanet", or "weblogic".
  server - Fully qualified domain name of the directory server.
  port - Port on which the directory server runs.
  secureport - Secure directory port.
  dnroot - The directory starting point.
  userbranch - The RDN of the user data - relative to dnroot.
  rsabranch - The RDN of the rsa data - relative to dnroot.
  accountid - Account name for the LDAP directory.
  [password] - Password for the account. If not specified, the user will be prompted.
  [confirmation] - Confirmation of the password.


ADDLDAPFAILOVER ldapname failoverserver failoverport failoversecureport [readonly(true/[false])]

Description: Adds a failover configuration to an existing directory configuration.
Arguments:
  ldapname - The friendly name of the main directory server.
  failoverserver - The fully qualified domain name of the directory server.
  failoverport - The port on which the directory server runs.
  failoversecureport - The secure directory port.
  [readonly(true/[false])] - Indicates whether or not this failover is read-only, default is false (read-write).


ADDLOCALIDMGR bapsURL cookieHandler user ID password [certStore]

Description: Adds/updates a Local Identity Manager.
Arguments:
  bapsURL - The URL of a servlet capable of generating a valid authentication cookie given a SAML artifact.
  cookieHandler - The complete class name of Java class that creates valid authentication cookies.
  user ID - The user ID of the new HTTP basic authentication user.
  password - The password that will be assigned to the created HTTP basic authentication user.
  [certStore] - The name of a certificate store used to create a client-side SSL channel to the SOAP responder.


ADDPRIMARYIDMGR aaURL authURL artifactType sourceURI [sourceID]

Description: Adds/updates a Primary Identity Manager.
Arguments:
  aaURL - The URL of a servlet capable of generating a SAML artifact given a valid authentication cookie.
  authURL - The URL of a servlet capable of generating a valid authentication cookie given the correct parameters.
  artifactType - The type of SAML artifact the Primary Identity Manager will create.
  sourceURI - The URI of a service that responds to SAML requests.
  [sourceID] - The source ID corresponding to the source URI.


ADDSAMLREQUESTCALLER user ID password systempassword

Description: Creates an HTTP basic authentication user allowed access to the SAML SOAP responder.
Arguments:
  user ID - The user ID of the new HTTP basic authentication user.
  password - The password that will be assigned to the created HTTP basic authentication user.
  systempassword - The system password created during installation.


ADDSSLCERTS password rootcert [intermediatecerts...]

Description: Adds SSL certificates to the keystore.
Arguments:
  password - The password that protects the keystore.
  rootcert - Full pathname of the file containing the root cert.
  [intermediatecerts...] - Full pathname of the files containing the intermediate certs.


CHANGEKEYSTOREPASSWORD oldkeystorepassword keystorepassword Newkeystorepassword (again)

Description: Resets the RSA Mobile keystore password.
Arguments:
  oldkeystorepassword - The current password used to protect the RSA Mobile keystore.
  keystorepassword - The password that will be used to protect the RSA Mobile keystore.
  Newkeystorepassword (again) - Re-enter the RSA Mobile keystore password.


CHANGESAMLREQUESTERPASSWORD user ID oldpassword password systempassword

Description: Change user (SAML Request Caller) password.
Arguments:
  user ID - Name of the user whose password will be changed.
  oldpassword - The current password for the user.
  password - The new password to set for the user.
  systempassword - Application server administrator password.


CONFIGAUTHSERVERSSL privatekeyfile privatekeypassword certfile cacertfile

Description: Configures the Authentication Server to use the SSL server certificate.
Arguments:
  privatekeyfile - File name and path to the private key package file (should be .pem format).
  privatekeypassword - Password used to unlock the private key package file.
  certfile - File name and path to the SSL server certificate (should be either .der or .pem format).
  cacertfile - File name and path to the CA signer of the SSL server certificate (should be either .der or .pem format).


CONFIGLDAPSSL ldapname password rootcert [intermediatecert1] [intermediatecert2] [intermediatecert3] [intermediatecert4] [intermediatecert5]

Description: Configures ssl connection to LDAP directory.
Arguments:
  ldapname - The friendly name for the LDAP directory.
  password - Password for protecting the RSA Mobile keystore.
  rootcert - Full path to file containing root signer certificate.
  [intermediatecert1] - Full path to file containing intermediate certificate #1 (optional).
  [intermediatecert2] - Full path to file containing intermediate certificate #2 (optional).
  [intermediatecert3] - Full path to file containing intermediate certificate #3 (optional).
  [intermediatecert4] - Full path to file containing intermediate certificate #4 (optional).
  [intermediatecert5] - Full path to file containing intermediate certificate #5 (optional).


CREATEMS managedserverhostname clusterdnsname clustermulticastaddress password

Description: Create Managed Server package.
Arguments:
  managedserverhostname - (Required) Managed server host name.
  clusterdnsname - (Required) Registered DNS name of the cluster.
  clustermulticastaddress - Multicast IP address reserved for the use of the cluster.
  password - (Required) Password to protect secrets.


DEFINESERVER serverName serverDNS serverPort serverSSLPort systempassword

Description: Defines a new instance of the SAML runtime servlets.
Arguments:
  serverName - The name of the server hosting the SAML runtime servlets.
  serverDNS - The fully-qualified DNS name of the server hosting the SAML runtime servlets.
  serverPort - The managed server port of the server hosting the SAML runtime servlets.
  serverSSLPort - The managed server SSL port of the server hosting the SAML runtime servlets.
  systempassword - The system password created during installation.


DEPLOYDATA ldapname

Description: Deploys the initial configuration data.
Arguments:
  ldapname - Friendly name for the LDAP directory.


DESIGNATEADMINSERVER

Description: Designate a managed server to become an administration server.
Arguments:


DISABLELDAPSSL ldapname

Description: Disables SSL connections to LDAP directory.
Arguments:
  ldapname - The friendly name for the LDAP directory.


ENABLELDAPSSL ldapname

Description: Enables SSL connections to LDAP directory.
Arguments:
  ldapname - Friendly name for the LDAP directory.


EXPORTSAMLCONFIG EXPORTSAMLFILEPATH

Description: Read all the SAML domain objects in the datastore and output them as a SAML domain object configuration file.
Arguments:
  EXPORTSAMLFILEPATH - This is the path and filename of the SAML domain object export file.


EXPORTSECRETS password filename

Description: Exports secrets.
Arguments:
  password - Password for protecting the secrets.
  filename - The name of the file in which to store the protected secrets.


GENCERTREQ hostname countryname email organizationalunitname organizationname locality state privatekeyfile privatekeysize privatekeypassword requestfile

Description: Generates a PKCS#10 certificate request for WebLogic client-server SSL.
Arguments:
  hostname - Fully qualified host name for which the request will be generated.
  countryname - Two-letter country code.
  email - Email address of the administrator.
  organizationalunitname - Organizational unit name.
  organizationname - Organization name.
  locality - Locality (city, town, township, ...).
  state - State name.
  privatekeyfile - The full pathname of the file that will contain the private key. The file must have a .pem extension.
  privatekeysize - Size of the private key (512, 768, or 1024) to be generated.
  privatekeypassword - Password that protects the private key.
  requestfile - Full pathname of the file that will contain the certificate request.


GENLDIF ldapname

Description: Generates a schema LDIF file for the named directory configuration.
Arguments:
  ldapname - The friendly name of the LDAP directory.


IMPORTSECRETS password filename

Description: Imports secrets.
Arguments:
  password - Password to unlock the secrets.
  filename - Name of the file that contains the secrets.


INSTALLMS zipfilename password

Description: Install Managed Server package.
Arguments:
  zipfilename - (Required) Package full file name.
  password - (Required) Password to protect secrets.


INSTALLSERVICE systempassword systempassword (again) servertype [keystorepassword] [privatekeypassword] [ctkeystorepassword]

Description: (Windows) Installs the RSA Mobile service.
Arguments:
  systempassword - The system password created during installation.
  systempassword (again) - Re-enter the system password.
  servertype - Possible values: managed | admin.
  [keystorepassword] - The password that will be used to protect the RSA Mobile keystore.
  [privatekeypassword] - The password used to unlock the private key file for SSL between Identity Manager and Authentication Server.
  [ctkeystorepassword] - The password that will be used to protect the Cleartrust keystore.


MAPIDMGR ssoDomainName bapsURL aaURL

Description: Adds/updates a mapping between a Local Identity Manager and a Primary Identity Manager.
Arguments:
  ssoDomainName - The domain for which the Identity Manager mapping will be used.
  bapsURL - The URL of a servlet capable of generating a valid authentication cookie given a SAML artifact.
  aaURL - The URL of a servlet capable of generating a SAML artifact given a valid authentication cookie.


MAPLDAP ldapname objectclass firstname lastname fullname userId email cell suspended bindingattribute

Description: Maps RSA user attributes to directory attributes.
Arguments:
  ldapname - Name of primary directory server.
  objectclass - The LDAP objectclass representing user data.
  firstname - The LDAP attribute corresponding to first name.
  lastname - The LDAP attribute corresponding to last name.
  fullname - The LDAP attribute corresponding to full name.
  userId - The LDAP attribute corresponding to user id.
  email - The LDAP attribute corresponding to email address.
  cell - The LDAP attribute corresponding to customer cell phone.
  suspended - The LDAP attribute corresponding to whether a customer record is suspended or not.
  bindingattribute - The LDAP binding attribute - must be one of the mapped attributes.


PROTECTADMINCONSOLE userId password hostName portNumber SSLPortNumber [authprovider(true/[false])]

Description: add this administration console on the given host to be protected.
Arguments:
  userId - username to use for ldap update.
  password - password for username.
  hostName - fully qualified host name (e.g. def.xyz.com).
  portNumber - port number (e.g. 7001).
  SSLPortNumber - SSL port number (e.g. 7002).
  [authprovider(true/[false])] - configure this ID Manager as the Authentication Provider for its IP domain (default value is false).


REMOVEFULLADMIN userId

Description: Removes a full access administrator entry in the RSA branch.
Arguments:
  userId - the LDAP user designated as full access administrator.


RMVAUTHPROVIDER authenticationDomainName

Description: removes an AuthenticationProvider domain object from LDAP.
Arguments:
  authenticationDomainName - the domain for which authentication services are provided.


RMVIDMGRMAPPING ssoDomainName [ssoRemoveAll]

Description: Removes the mapping between a Local Identity Manager and a Primary Identity Manager.
Arguments:
  ssoDomainName - The domain for which the Identity Manager mapping will be used.
  [ssoRemoveAll] - whether to delete the primary and the local Identity Managers (true/[false]).


RMVLDAPFAILOVER ldapname failoverserver [failoverport]

Description: Removes a failover configuration from an existing directory configuration on the specified port, or on all ports if <failoverport> is not specified.
Arguments:
  ldapname - The friendly name of the main directory server.
  failoverserver - The fully qualified domain name of the directory server.
  [failoverport] - The port on which the directory server runs.


RMVLOCALIDMGR bapsURL

Description: Removes a Local Identity Manager.
Arguments:
  bapsURL - The URL of a servlet capable of generating a valid authentication cookie given a SAML artifact.


RMVPRIMARYIDMGR aaURL

Description: Removes a Primary Identity Manager.
Arguments:
  aaURL - The URL of a servlet capable of generating a SAML artifact given a valid authentication cookie.


SETAUTHENTICATIONURL userId password authenticationhost authenticationport

Description: Set authentication url.
Arguments:
  userId - Username to use for ldap update.
  password - Password for username.
  authenticationhost - (Required) the full name of host that provides basic authentication.
  authenticationport - (Required) the port number of the authentication service.


SETLICENSE licensekey

Description: Adds a license.
Arguments:
  licensekey - A valid license key.


SETSAMLCONFIG SAMLCONFIGFILEPATH

Description: Completely configure the SAML domain objects based on a SAML domain object configuration file.
Arguments:
  SAMLCONFIGFILEPATH - This is the path and filename of the SAML domain object configuration file.


SHOWAUTHENTICATIONURL userId password

Description: Show authentication url.
Arguments:
  userId - Username to use for login.
  password - Password for username.


UNINSTALLSERVICE servertype

Description: (Windows) Uninstalls the RSA Mobile service.
Arguments:
  servertype - Possible values: managed | admin.


UPDATEVERSIONPATCH userId password

Description: Sets the kit version and patch version in the LDAP.
Arguments:
  userId - Username to use for ldap update.
  password - Password for username.


USERCONFIG userId password operation filename [-rsamobile] [-stoponerror]

Description: Enables/Disables users for authentication and registers users for RSA Mobile.
Arguments:
  userId - Username to use for LDAP update.
  password - Password for username.
  operation - (Required) Whether user authentication is to be enabled or disabled (-enabled | -disabled).
  filename - (Required) The file containing the comma separated list of user information in the form:
             userId,PIN,cellPhoneNumber,operatorKey.
  [-rsamobile] - (Optional) Indicates that the user should be registered for RSA Mobile authentication.
  [-stoponerror] - (Optional) Specifies that the utility will stop processing when an error occurs.
Legacy Article ID: a23161
