Entitlements Service

I am among the team of 4 engineers who work on designing and implementing the entitlements service for OpenSSO project for a year. And we are happy to see that entitlements service is the key feature in OpenSSO Express 9 (see our press release).

Followings are the key things that we have done (I wrote about 80% of the SDK so it is ok to blame me if things are not working)

  1. Improve scalability.
    We use indexes in LDAP server to locate policies for evaluation. This fast and heuristic approach helps us to eliminate most of unrelated policies and retrieve the related ones rapidly. Our latest test shows that we can handle over 1 million policies.
  2. Improve performance.
    We use multi-threading, re-entrance read-write lock (Java concurrency package) and LDAP indexes to speed up policy evaluation. The performance has improved significantly as we benchmark it against the previous policy evaluation engine. We are in the process of tuning the caching system. And better results would be expected.
  3. REST interfaces
    We have REST interfaces for policy evaluation and management. This means that non Java (such as PHP and Python) clients can make policy evaluation requests. State of art, Jersey is used for our REST implementation; and JSON is used too.
  4. User friendly UI
    My co-worker has developed a nice set of entitlements services UI using icefaces
  5. XACML support
    Able to import and export XACML.

Currently, we are working with technical writers on documenting entitlement services. You should be able to see these document early next year when OpenSSO Express 9 is shipped.

Well, year 2009 is coming to an end. It has been a fun year working on entitlements service (among my other doings). Sleepless nights, long meetings, ranting and hanging my head on the keyboard (just kidding) are part of the fun :-). I hope that 2010 will be more exciting.


My OpenSSO’s activity

Markmail is kind of cool as it archives emails. I was looking at it today to see OpenSSO’s archive and found this.

Gee, I have sent over 9000 emails to OpenSSO’s email aliases for the past 4 years.
That’s 2381 emails per year. About 9 emails per day (excluding weekends). So, 1 email per hour! (8-9 hours work day). 🙂

Entitlements Service in OpenSSO

Finally, we have moved the entitlements service (an OpenSSO extension) to the products directory i.e. opensso/extensions/entitlements to opensso/products/ directory (if you are familiar with OpenSSO workspace).

Here is where you can find the source code for entitlements service.

  • console resources: opensso/products/federation/openfm/web
  • console source: opensso/products/federation/openfm/source
  • entitlement APIs and backend implementation: opensso/products/amserver/com/sun/identity/entitlement
  • CLI: opensso/products/amserver/com/sun/identity/cli/entitlement

Entitlements Service is released part of OpenSSO Express 8.0.

Update OpenSSO’s Configuration store password

There was a question posted to our internal (Sun) alias, and I think I should share it out for the benefit of OpenSSO community. The question was “How to update OpenSSO configuration store password?”

There are two types of datastore in OpenSSO server, namely the configuration datastore and user datastore. As the name suggest, the former stores the configuration data that are required by OpenSSO server to operate properly. The latter stores users related information, such as role, group and user entries.

It can be done through Command Line Interface or Administration Console.

The Command Line Interface way.

  1. Output the current server configuration XML
    ./ssoadm get-svrcfg-xml -u amadmin -f /tmp/fampass -s \
    http://owen1.red.iplanet.com:8080/opensso -o /tmp/serverconfig.xml

  2. Encrypt new password
    ./ampassword -e /tmp/newpassword

  3. edit /tmp/serverconfig.xml. replace admin password with the new encrypted password.
  4. Output the current server configuration XML
    ./ssoadm set-svrcfg-xml -u amadmin -f /tmp/fampass -s \
    http://owen1.red.iplanet.com:8080/opensso -X /tmp/serverconfig.xml

The Administration Console Interface way.

  1. Login as amadmin
  2. select Configuration tab
  3. select Sites and Servers tab
  4. Choose the server
  5. select Directory Configuration tab
  6. set the password

OpenSSO Java Runtime >= 1.5

We have recently modified our Java build target to 1.5. Hence, you need Java Runtime version 1.5 and above to run OpenSSO Client. The Java runtime version requirement for OpenSSO server remains unchanged i.e. 1.5.

This new client runtime requirement shall be in our next official release i.e. OpenSSO Express 8 which is scheduled to released in a couple of months from now.

Busy week ahead

OpenSSO team has a busy week ahead.

  1. OpenSSO Community Day 3.0 Sunday (1:00 PM until 7:00 PM) May 31st 2009, Moscone Center, SF, CA.

    Open discussions on all OpenSSO related features.

  2. CommunityOne West June 1-3 2009, Moscone Center, SF, CA.

    Hands On Lab. Web Application Security with OpenSSO.
    Monday June 1, 1:40 – 3:30 PM by Himanshu Vijay and Baby Sunil.

    Pragmatic Identity 2.0: Invoking Identity Services with a Simplified REST/ROA Architecture.
    Monday June 1, 11:50 AM – 12:40 PM by Daniel Raskin,

    Deep Dives. Identity Management with OpenSSO: Deploy an Identity Management Solution in 4 hours Learn how to build an identity management solution based on OpenSolaris, Open DS, and Sun OpenSSO Express 7.
    Wednesday, June 3, Morning Session. by Mrudul Uchil and David Goldsmith.

  3. JavaOne Conference June 2-5, 2009, Moscone Center, SF, CA.

    BOF-5275 – Using and Participating in the OpenSSO Project
    Tuesday night, June 02, 9:30 PM – 10:20 PM hosted by Sean Brydon, Pat Patterson and Aravindan Ranganathan.

    TS-5295 Designing and Building Security into REST Applications
    Wednesday, June 03, 2:50 PM – 3:50 PM by Sean Brydon, Aravindan Ranganathan, Paul Bryan.

    TS-4012 – Pragmatic Identity 2.0: Simple, Open, Identity Services Using REST
    Thursday, June 04, 10:50 AM – 11:50 AM by – Pat Patterson and Ron Ten-Hove.

    LAB-6727 – Web Application Security with OpenSSO: From Simple Log-In to Single Sign-On to Federation
    Thursday, June 4, 1:30 – 3:00 pm by Pat Patterson, Himanshu Vijay and Baby Sunil.

    BOF-4903 – A RESTful approach to identity-based web services
    Thursday, June 04, 7:30 PM – 8:20 PM by Hubert Le Van Gong and Marc Hadley.

Perl script to figure out change in service schema

As we have already shipped OpenSSO Enterprise 8.0; and we are working on the next official release, service schema XML files are likely to change (upgrade). Here is the PERL script that finds them.

Remember to set the values of $EIGHT_DOT_ZERO and $CURRENT

#!/usr/bin/perl -w

use strict;

my $EIGHT_DOT_ZERO = '/home/dennis/workspace/opensso8.0';
my $CURRENT = '/home/dennis/workspace/opensso1';

my %eightdotXMLs;
my %currentXMLs;


foreach (keys %currentXMLs) {
    my $name = $_;
    my $rev = $currentXMLs{$_};
    if (! defined $eightdotXMLs{$name}) {
        print "$name ($rev) \n";

sub getServiceXMLs {
    my $base = shift;
    my $hash = shift;
    opendir(DIR, $base);
    foreach (readdir DIR) {
        my $f = $_;
        if (($f !~ /^\./) && ($f =~ /\.xml$/)) {
            getRev("$base/$f", $hash);
    closedir DIR;

sub getRev {
    my $file = shift;
    my $hash = shift;
    my $f = $file;
    $f =~ s/.+\///;
    my $buff = '';
    open(FILE, $file);
    while () {
        $buff .= $_;
    close FILE;
    if ($buff =~ /<Schema .+?revisionNumber="(.+?)"/) {
        ${%{$hash}}{$f} = $1;       
    } else {
        ${%{$hash}}{$f} = 0;