The TAM com.tivoli.pd.jcfg.SvrSslCfg utility
Overview
SvrSslCfg creates user account and server entries representing the Tivoli Access Manager (TAM) application server in the TAM user registry.
In addition, SvrSslCfg creates a configuration file and a Java key store file, which securely stores a client certificate, locally on the application server. This client certificate permits callers to make authenticated use of TAM services. Conversely, reconfiguration removes the user and server entries from the user registry and cleans up the local configuration and keystore files.
For a TAI to be able to establish trust for a request, SvrSslCfg must have been run for the WebSphere JVM, resulting in a properties file being created. If this properties file is not at the default URL, file://java.home/PdPerm.properties, then the correct URL of the properties file must be set in the config URL property.
The contents of an existing configuration file can be modified by using the SvrSslCfg utility. The configuration file and the key store file must already exist when calling SvrSslCfg with all options other than -action config or -action unconfig.
The following options are parsed and processed into the configuration file, but are otherwise ignored in this version of TAM:
The host name is used to build a unique name (identity) for the application. The pdadmin user list command displays the application identity name in the following format:
servername/host_name
Note that the pdadmin server list command displays the server name in a slightly different format:
servername-host_name
Set configuration information associated with a Tivoli Access Manager (TAM) Java application server.
java com.tivoli.pd.jcfg.SvrSslCfg \
  -action {config | unconfig} \
  -admin_id admin_user_ID \
  -admin_pwd admin_password \
  -appsvr_id application_servername \
  -appsvr_pwd application_server_password \
  -mode {local | remote} \
  -host host_name_of_application_server \
  -policysvr policy_servername:port:rank [,...] \
  -authzsvr authorization_servername:port:rank [,...] \
  -cfg_file fully_qualified_name_of_configuration_file \
  -domain Tivoli_Access_Manager_domain \
  -key_file fully_qualified_name_of_keystore_file \
  -cfg_action {create | replace}
Parameters
- -action {config | unconfig}
- Configures or reconfigures an application server. Options are as follows:
- -action config
- Configuring a server creates user and server information in the user registry and creates local configuration and key store files on the application server. Use the -action unconfig option to reverse this operation.
- -action unconfig
- Reconfigures an application server to remove the user and server information from the user registry, delete the local key store file, and remove information for this application from the configuration file (without deleting the configuration file). The reconfiguration operation fails only if the caller is unauthorized or the policy server cannot be contacted.
This action can succeed when there is no configuration file. When the configuration file does not exist, it is created and used as a temporary file to hold configuration information during the operation, and then the file is deleted completely.
- -admin_id admin_user_ID
- TAM administrator name. If this option is not specified, sec_master is the default.
A valid administrative ID is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. A space cannot be used in the administrative ID.
For example, for U.S. English the valid characters are the letters a-z and A-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the administrative ID, if there are limits, are imposed by the underlying registry.
- -admin_pwd admin_password
- Password of the TAM administrator user that is associated with the admin_id parameter. The password restrictions depend upon the password policy for your TAM configuration.
- -appsvr_id application_servername
- Name of the application server. The name is combined with the host name to create unique names for TAM objects created for your application. The following names are reserved for TAM applications: ivacld, secmgrd, ivnet, and ivweb.
- -appsvr_pwd application_server_password
- Password of the application server. This option is required. A password is created by the system and the configuration file is updated with the password created by the system.
If this option is not specified, the server password will be read from standard input.
- -authzsvr authorization_servername:port:rank [,...]
- Name of the authorization server, given as host name, port, and rank separated by colons. More than one authorization server can be listed, separated by commas.
- -cfg_action {create | replace}
- Options are as follows:
- create
- Create the configuration and key store files during server configuration. Configuration fails if either of these files already exists.
- replace
- Replace the configuration and key store files during server configuration. Configuration deletes any existing files and replaces them with new ones.
- -cfg_file fully_qualified_name_of_configuration_file
- Configuration file path and name.
To be valid, the file name must be an absolute (fully qualified) file name.
- -domain Tivoli_Access_Manager_domain
- Domain name for the domain to which this server is configured. This domain must exist, and the administrator ID and password must be valid for this domain.
If not specified, the local domain that was specified during TAM runtime configuration will be used. The local domain value will be retrieved from the configuration file.
A valid domain name is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. A space cannot be used in the domain name.
For example, for U.S. English the valid characters for domain names are the letters a-z and A-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the domain name, if there are limits, are imposed by the underlying registry.
- -host host_name_of_application_server
- TCP host name used by the TAM policy server to contact this server. This name is saved in the configuration file using the azn-app-host key.
The default is the local host name returned by the operating system. Valid values for host_name include any valid IP host name.
Examples:
host = libra
host = libra.dallas.ibm.com
- -key_file fully_qualified_name_of_keystore_file
- Directory that is to contain the key files for the server. A valid directory name is determined by the operating system. Do not use relative directory names.
Make sure that server user (for example, ivmgr) or all users have permission to access the .kdb file and the folder that contains the .kdb file.
- -mode server_mode
- Mode in which the application operates. This value must be either local or remote.
- -policysvr policy_servername:port:rank [,...]
- Name of the policy server, given as host name, port, and rank separated by colons. More than one policy server can be listed, separated by commas.
Example
CLASSPATH=${WAS_HOME}/java/jre/lib/ext/PD.jar:${WAS_CLASSPATH}
java -cp ${CLASSPATH} \
  -Dpd.cfg.home=${WAS_HOME}/java/jre \
  -Dfile.encoding=ISO8859-1 \
  -Dws.output.encoding=CP1047 \
  -Xnoargsconversion \
  com.tivoli.pd.jcfg.SvrSslCfg \
  -action config \
  -admin_id sec_master \
  -admin_pwd $TAM_PASSWORD \
  -appsvr_id $APPSVR_ID \
  -policysvr ${TAM_HOST}:7135:1 \
  -port 7135 \
  -authzsvr ${TAM_HOST}:7136:1 \
  -mode remote \
  -cfg_file ${CFG_FILE} \
  -key_file ${KEY_FILE} \
  -cfg_action create
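After the command above has run, the TAI depends on two artifacts: the properties file (whose URL must be set in the config URL property when it is not at the default file://java.home/PdPerm.properties) and the key store that holds the client certificate, which the earlier -key_file note says the server user must be able to access. The following POSIX shell script is an added example, not part of the IBM documentation or of SvrSslCfg itself: it checks that both files exist under absolute paths, that the host recorded under the azn-app-host key matches the name the policy server is expected to use, that the key store is not writable by everyone, and prints the file URL to put in the config URL property. It assumes that azn-app-host is stored as a Java-style "key = value" line and takes the key store path as an argument, because the page does not name the property that records it; the sample properties content used in testing is constructed.

```shell
#!/bin/sh
# Post-configuration check for a TAM Java application server.
# Added example; not part of the IBM documentation or of SvrSslCfg.
# Assumptions: the configuration file records the host under the
# azn-app-host key (as this page states) in "key = value" form; the
# keystore path is supplied explicitly; only POSIX find/test/sed are used.

# Build the value for the TAI "config URL" property from the absolute
# path of the properties file, for the case where the file is not at the
# default file://java.home/PdPerm.properties location.
tam_cfg_url() {
    printf 'file://%s\n' "$1"
}

# Print the azn-app-host value from a Java-style properties file
# ("key = value" or "key: value"); prints nothing when the key is absent.
tam_cfg_host() {
    sed -n 's/^[[:space:]]*azn-app-host[[:space:]]*[=:][[:space:]]*//p' "$1" | head -n 1
}

# verify_tam_cfg CFG_FILE KEY_FILE EXPECTED_HOST
# Returns 0 when every check passes, 1 otherwise; each finding is printed.
verify_tam_cfg() {
    cfg=$1; key=$2; expected_host=$3; rc=0

    # SvrSslCfg requires fully qualified names for both files.
    case $cfg in /*) ;; *) echo "FAIL: cfg_file is not absolute: $cfg"; rc=1 ;; esac
    case $key in /*) ;; *) echo "FAIL: key_file is not absolute: $key"; rc=1 ;; esac

    # Both files must exist once -action config has completed.
    [ -f "$cfg" ] || { echo "FAIL: configuration file missing: $cfg"; rc=1; }
    [ -f "$key" ] || { echo "FAIL: keystore file missing: $key"; rc=1; }
    [ "$rc" -eq 0 ] || return 1

    # The recorded host is the name the policy server uses to contact this
    # server; a mismatch means the policy server reaches the wrong machine.
    host=$(tam_cfg_host "$cfg")
    [ "$host" = "$expected_host" ] || {
        echo "FAIL: azn-app-host is '$host', expected '$expected_host'"; rc=1; }

    # The keystore holds the client certificate that authenticates this
    # server to TAM: only the server user should be able to alter it.
    if find "$key" -perm -002 | grep -q .; then
        echo "FAIL: keystore is world-writable: $key"; rc=1
    fi
    if find "$key" -perm -004 | grep -q .; then
        echo "WARN: keystore is world-readable: $key (only acceptable if intended)"
    fi

    # The server user must be able to traverse the folder holding the keystore.
    dir=$(dirname "$key")
    { [ -r "$dir" ] && [ -x "$dir" ]; } || { echo "FAIL: folder not accessible: $dir"; rc=1; }

    [ "$rc" -eq 0 ] && echo "OK: set the TAI config URL to $(tam_cfg_url "$cfg")"
    return "$rc"
}

# Stand-alone use: sh this_script.sh /abs/PdPerm.properties /abs/keystore.kdb host
if [ "$#" -eq 3 ]; then
    verify_tam_cfg "$1" "$2" "$3"
fi
```

Run it as the user the application server runs as (for example ivmgr), because the -r and -x tests on the folder are evaluated for the caller; a world-readable key store is reported as a warning rather than a failure because the page allows "all users" access, but a world-writable one always fails since it lets any local account replace the client certificate.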