Propagating security policy of installed applications to a JACC provider using wsadmin scripting


Before you begin

It is possible that you have applications installed before enabling Java Authorization Contract for Containers (JACC)-based authorization: you can start with the default authorization and later move to an external provider-based authorization using JACC. In that case, the security policy of the previously installed applications does not exist in the JACC provider, which needs it to make access decisions. You can reinstall all of the applications once JACC is enabled, but the wsadmin scripting tool can instead propagate the policy information to the JACC provider independently of the application install process, which eliminates the need to reinstall the applications.

The tool uses the SecurityAdmin MBean to propagate the policy information in the deployment descriptor of any installed application to the JACC provider. The wsadmin tool can be used to invoke this method at the deployment manager level.

Use propagatePolicyToJACCProvider(String appNames) to propagate the policy information in the deployment descriptor of the EAR files to the JACC provider. If the RoleConfigurationFactory and the RoleConfiguration interfaces are implemented by the JACC provider, the authorization table information in the binding file of the EAR files is also propagated to the provider. See Interfaces used to support JACC for more information about these interfaces.

The appNames parameter contains the list of application names, delimited by a colon (:), whose policy information must be stored in the provider. If a null value is passed, the policy information of all deployed applications is propagated to the provider.

Also, be aware of the following items:

  • Before migrating applications to the Tivoli Access Manager JACC provider, create or import into Tivoli Access Manager the users and groups that those applications use.

  • Depending on the application, or on the number of applications propagated, you might have to increase the request time-out period in either soap.client.props (if using SOAP) or sas.client.props (if using RMI) for the command to complete. You can set the request time-out value to 0 to avoid the time-out problem, and change it back to the original value after the command has run.


Procedure

  1. Configure your JACC provider in WebSphere Application Server. See Configuring a JACC provider for more information.

  2. Restart the server.

  3. Enter the following commands:

    # Start wsadmin from the operating system shell, then use the SecurityAdmin MBean
    # at the deployment manager or at the unmanaged base application server.
    # (Jacl comments begin with #; the wsadmin> prefix is the interactive prompt.)
    wsadmin -user serverID -password serverPWD
    wsadmin>set secadm [lindex [$AdminControl queryNames type=SecurityAdmin,*] 0]

    # To propagate the security policy information of specific applications
    # (application names delimited by a colon):
    wsadmin>set appNames [list app1:app2]
    # or, to propagate the policy of all installed applications:
    wsadmin>set appNames [list null]

    # Run the command to propagate
    wsadmin>$AdminControl invoke $secadm propagatePolicyToJACCProvider $appNames
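The same procedure as a non-interactive wsadmin Jython script, added here as an example and not taken from the product documentation. It assumes the standard AdminControl and AdminApp wsadmin objects, a connection to the deployment manager (or an unmanaged base server), that wsadmin places the script arguments in sys.argv, and it passes the same "null" token the Jacl steps above use to mean "all applications". Unlike the interactive steps, it checks that every named application is actually installed before the MBean is invoked.

```jython
# propagate_jacc_policy.py (added example, hypothetical file name)
# Run as:  wsadmin -lang jython -f propagate_jacc_policy.py app1:app2
#     or:  wsadmin -lang jython -f propagate_jacc_policy.py null
import sys

def installed_apps():
    # AdminApp.list() returns one installed application name per line
    return [a.strip() for a in AdminApp.list().splitlines() if a.strip()]

def security_admin_mbean():
    # Same MBean query as the Jacl procedure; take the first match
    names = [n for n in AdminControl.queryNames('type=SecurityAdmin,*').splitlines() if n]
    if not names:
        raise RuntimeError('no SecurityAdmin MBean found; is the server running with security enabled?')
    return names[0]

def propagate(app_spec):
    # app_spec is the colon-delimited application list, or 'null' for all applications
    if app_spec != 'null':
        present = installed_apps()
        missing = [a for a in app_spec.split(':') if a not in present]
        if missing:
            # Fail early rather than send an unknown name to the provider
            raise RuntimeError('not installed: ' + ', '.join(missing))
    secadm = security_admin_mbean()
    print 'propagating policy for %s via %s' % (app_spec, secadm)
    # Third argument is the operation parameter string, here the appNames value
    AdminControl.invoke(secadm, 'propagatePolicyToJACCProvider', app_spec)

# wsadmin passes script arguments in sys.argv (assumption); default to all applications
spec = len(sys.argv) > 0 and sys.argv[0] or 'null'
propagate(spec)
```

Remember the time-out note above: for a large number of applications, raise the request time-out in soap.client.props or sas.client.props before running the script.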



See Also


Authorization in WebSphere Application Server
Tivoli Access Manager integration as the JACC provider
JACC providers
JACC support in WebSphere Application Server


Related Tasks


Configuring a JACC provider
Enabling an external JACC provider


See Also


Interfaces used to support JACC
Troubleshooting authorization providers