IBM Tivoli Composite Application Manager for Application Diagnostics, Version 7.1.0.1

Installing, configuring, and running ITCAM for WebSphere on z/OS with Global Security turned on

The problem: Installing, configuring, and running ITCAM for WebSphere on z/OS with Global Security turned on might require additional steps, depending on your security configuration.

The solution: If WebSphere Global Security has been turned on, perform the following steps before running the setupwas.sh script:

  1. Make sure the user ID you use to log on to UNIX System Services (z/OS UNIX System Services) and run the setupwas.sh script has read-write access to the WAS configuration root files. This user ID must also have permission to run the WebSphere Scripting Client script (wsadmin.sh).

  2. Make sure the user ID you use to run setupwas.sh is a member of the same UNIX group as the servant user ID. Because this user ID will create the ITCAM for WebSphere runtime directories for the server, the servant user ID must also have read-write access to these directories.

  3. Make sure the user ID you use to run setupwas.sh fulfills the requirements for Secure Sockets Layer (SSL) security.


Background Information for Step 3

When Global Security is enabled, SSL security is always used by the administrative subsystem to secure administrative commands, the WAS administrative console, and communications between WAS processes (which includes the wsadmin.sh scripting facility). SSL support always provides a mechanism by which the server proves its identity.

In addition, SSL support on WAS for z/OS allows the following ways for a client to prove its identity:

For the client to authenticate the server, the server (actually, the controller user ID) must possess a signed certificate created by a certificate authority. The server passes the signed certificate to prove its identity to the client. The client must possess the CA certificate from the same certificate authority that issued the certificate of the server. The WAS customization dialogs generate jobs that, among other things, define the user IDs for the various WAS regions (Deployment Manager, Node Agent, Server Controller, and Servant tasks). These jobs also specify user IDs that can be used to log on to the WAS administrative console. The RACF customization jobs create key rings for each of these user IDs and connect certificates to them. You can use one of these user IDs to perform the ITCAM for WebSphere data collector setup if it also has the necessary permissions to access the WAS configuration files mentioned in Step 1.


Procedure for Step 3

If you do not already have a user ID with the necessary permissions and certificates, you can define one. Perform the following procedure:

  1. Find the following information:

    • The user ID and group of the WAS servant started task.

    • The name of the CA certificate that was used to sign the server certificate of the controller user ID. (If configuring a server in a Network Deployment, find the name of the CA certificate that was used to sign the deployment manager server certificate).

    If you do not know the group ID of the servant ID, issue the TSO RACF command LISTUSER (LU) for the servant task owner. The output shows the default group name of the ID; in this example it is WSCFG1.

  2. Define a user ID to be used exclusively for running the ITCAM for WebSphere setup configuration, using the TSO RACF command ADDUSER (AU). The TSO segment for this user profile is required if you intend to run the ITCAM for WebSphere setup from TSO OMVS or with a batch job. This same user ID will be used for the ITCAM for WebSphere JMX client (see Step 7 for information about how to manually define the user ID and password for the ITCAM for WebSphere JMX client).

  3. Create a keyring for this user ID and connect the cell signing CA certificate to it, as follows:
    RACDCERT ID(ITCAMWS) ADDRING(WASKeyring)
    RACDCERT ID(ITCAMWS) CONNECT -
    (RING(WASKeyring) LABEL('WebSphereCA') CERTAUTH)
    Access to keyrings and certificates is protected by RACF through a set of profiles in the FACILITY class. Although the keyring is associated with the user ID, the user must have READ authority to the IRR.DIGTCERT.LISTRING profile in order to access its keyring. The user must also have READ access to the IRR.DIGTCERT.LIST profile in order to access its certificate.

  4. If you selected "Use SAF EJBROLE profiles to enforce J2EE roles" during security domain setup in the WAS Customization Dialogs, make sure the user ID you use to run setupwas.sh has READ access to the EJBROLE administrator profile. The following administrative roles were defined by the customization jobs:
    RDEFINE EJBROLE (optionalSecurityDomainName.)administrator UACC(NONE)
    RDEFINE EJBROLE (optionalSecurityDomainName.)monitor UACC(NONE)
    RDEFINE EJBROLE (optionalSecurityDomainName.)configurator UACC(NONE)
    RDEFINE EJBROLE (optionalSecurityDomainName.)operator UACC(NONE)
    Ideally, your user ID will be a member of the servant ID group, which is already granted permission to these profiles.

  5. For any RACF classes whose profiles have been added or modified, refresh the RACF cache. An authorized RACF administrator must issue the following command:
    SETROPTS RACLIST(classname) GENERIC(classname) REFRESH

  6. Use the WebSphere Scripting Client directly to check whether the user ID is set up correctly. From a z/OS UNIX System Services session, change to the bin directory of WAS and issue the following command:
    ./wsadmin.sh -user itcamws -password itcamws
    If the user ID is set up correctly, you will see messages like the following. This example is from a Network Deployment environment:
    WASX7209I: Connected to process "dmgr" on node PLEX1Manager using SOAP connector;  The type of process is: DeploymentManager
    WASX7029I: For help, enter: "$Help help"
    wsadmin>
    Enter quit to terminate the WebSphere Scripting Client.

  7. If needed, change the user ID and password used by the ITCAM for WebSphere JMX client. The setupwas.sh script configures the ITCAM for WebSphere Data Collector JMX client security using the user ID and password that you supply in the setupwas.sh script parameters -user and -password. To change the user ID and password used by the JMX client:

    1. Before running the amcrypto.sh script, set the JAVA_home and DATACOLLECTOR_home environment variables. For example:
      JAVA_home=/usr/lpp/java/J1.4
      export JAVA_home
      DATACOLLECTOR_home=/usr/lpp/itcam/WebSphere/DC
      export DATACOLLECTOR_home
      The value for DATACOLLECTOR_home is the directory where the data collector is installed.

    2. Run the amcrypto.sh script from the ITCAM for WebSphere bin directory (default: /usr/lpp/itcam/WebSphere/DC/bin) to encrypt the password, as follows:
      amcrypto.sh -encrypt itcampw
      Your encrypted value is: 127-32-236-237-43-36-114-16

    3. Set properties for your user ID and encrypted password in the DATACOLLECTOR_home/runtime/appserver_version.node_name.server_name/appserver_version.node_name.server_name.datacollector.properties file, as follows:
      appserver.userid=your_userid
      appserver.password=your_encrypted_password
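The three sub-steps of Step 7 as one script, added here as an example; it is not IBM's setupwas.sh or amcrypto.sh and does not come from the original page. It assumes that amcrypto.sh prints exactly the "Your encrypted value is:" line shown in sub-step 2, that the datacollector.properties file holds plain key=value lines, and that JAVA_home and DATACOLLECTOR_home are exported as in sub-step 1. The function names (parse_amcrypto_output, set_dc_credentials, change_jmx_credentials) are the example's own, and the properties file used by the demo at the end is constructed.

```shell
#!/bin/sh
# Added example, not IBM's setupwas.sh or amcrypto.sh: automates the three
# sub-steps of Step 7. Assumptions: amcrypto.sh prints one line of the form
# "Your encrypted value is: <value>" (as shown on the page), and the
# datacollector.properties file holds plain "key=value" lines.

# Pull the encrypted value out of amcrypto.sh output read from stdin.
parse_amcrypto_output() {
    sed -n 's/^Your encrypted value is:[[:space:]]*//p' | head -n 1
}

# Return the value of key $1 from properties file $2 (first match only).
get_prop() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# Write appserver.userid / appserver.password into a properties file,
# replacing existing keys in place or appending them if absent, so the
# script can be rerun without producing duplicate keys. The original file
# is kept as <file>.bak as a rollback point.
set_dc_credentials() {
    userid=$1; encrypted=$2; propfile=$3
    [ -f "$propfile" ] || { echo "no such file: $propfile" >&2; return 1; }
    cp "$propfile" "$propfile.bak" || return 1
    awk -v u="$userid" -v p="$encrypted" '
        /^appserver\.userid=/   { print "appserver.userid=" u;   su = 1; next }
        /^appserver\.password=/ { print "appserver.password=" p; sp = 1; next }
        { print }
        END {
            if (!su) print "appserver.userid=" u
            if (!sp) print "appserver.password=" p
        }' "$propfile.bak" > "$propfile"
}

# Full Step 7 flow against a real installation. Requires JAVA_home and
# DATACOLLECTOR_home to be exported first, exactly as the page states.
# Usage: change_jmx_credentials <userid> <plaintext-password> <properties-file>
change_jmx_credentials() {
    for v in JAVA_home DATACOLLECTOR_home; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "$v is not set" >&2; return 1; }
    done
    # The plaintext password goes to amcrypto.sh only; only the encrypted
    # form is ever written to the properties file.
    encrypted=$("$DATACOLLECTOR_home/bin/amcrypto.sh" -encrypt "$2" | parse_amcrypto_output)
    [ -n "$encrypted" ] || { echo "amcrypto.sh returned no encrypted value" >&2; return 1; }
    set_dc_credentials "$1" "$encrypted" "$3"
}

# Offline demonstration with constructed data (no z/OS needed): the encrypted
# value is the one shown on the page, the properties file is made up here.
demo() {
    tmp=$(mktemp -d) || return 1
    props="$tmp/datacollector.properties"
    printf '%s\n' 'appserver.userid=olduser' 'other.key=x' > "$props"
    enc=$(printf 'Your encrypted value is: 127-32-236-237-43-36-114-16\n' | parse_amcrypto_output)
    set_dc_credentials itcamws "$enc" "$props"
    echo "userid=$(get_prop appserver.userid "$props") password=$(get_prop appserver.password "$props")"
    rm -rf "$tmp"
}

demo
```

On a real system, export JAVA_home and DATACOLLECTOR_home and then call change_jmx_credentials with the new user ID, its plaintext password and the full path of the datacollector.properties file for the server; the awk pass replaces the two keys in place rather than appending a second copy, and the .bak file lets you restore the previous credentials if the JMX client then fails to connect.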

