Tivoli Access Manager migrateEAR utility



Search Tips   |   Advanced Search




Migrates changes made to console users and groups in the admin-authz.xml file into the Tivoli Access Manager object space.



migrateEAR -j path -c URI -a admin_ID -p admin_pwd -w Websphere_admin_user -d user_registry_domain_suffix [-r root_objectspace_name] [-t ssl_timeout]



-a admin_ID

Specifies the administrative user identifier. The administrative user must have the privileges required to create users, objects, and access control lists (ACLs). For example, -a sec_master.

This parameter is optional. When the parameter is not specified, you are prompted to supply it at run time.

-c URI

Specifies the Uniform Resource Indicator (URI) location of the PdPerm.properties file that is configured by the pdwascfg utility. When WebSphere Application Server is installed in the default location, the URI is:



file:/c:\Program Files\IBM\WebSphere\AppServer\java\jre\PdPerm.properties”

-d user_registry_domain_suffix

Domain suffix for the user registry to use. For example, for Lightweight Directory Access Protocol (LDAP) user registries, this value is the domain suffix, such as: "o=ibm,c=us"

Windows platforms require that the domain suffix is enclosed within quotes.

Use the pdadmin user show command to display the distinguished name (DN) for a user.

-j path

Specifies the fully qualified path and file name of the Java 2 Platform Enterprise Edition application archive file. Optionally, this path can also be a directory of an expanded enterprise application. When WAS is installed in the default location, the paths to data files to migrate include:



c:\Program Files\IBM\WebSphere\AppServer\profiles\profileName\config\cells\cellName\admin-authz.xml”

-p admin_pwd

Specifies the password for the Tivoli Access Manager administrative user. The administrative user must have the privileges required to create users, objects, and access control lists (ACLs). For example, one can specify the password for the -a sec_master administrative user as -p myPassword.

This parameter is optional. When it is not specified, the user is prompted to supply the password for the administrative user name.

-r root_objectspace_name

Specifies the space name of the root object. The value is the name of the root of the protected object namespace hierarchy that is created for WAS policy data. This parameter is optional.

The default value for the root object space is WebAppServer.

The Tivoli Access Manager root object space name is set by modifying the amwas.amjacc.template.properties prior to configuring the Tivoli Access Manager Java Authorization Contract for Containers (JACC) provider for the first time. This option should be used if the default object space value is not used in the configuration of the Tivoli Access Manager JACC provider.

The Tivoli Access Manager object space name should never be changed after the Tivoli Access Manager JACC provider has been configured.

-t ssl_timeout

Number of minutes for the SSL timeout. This parameter is used to disconnect and reconnect the SSL context between the Tivoli Access Manager authorization server and policy server before the default connection times out.

The default is 60 minutes. The minimum is 10 minutes. The maximum value cannot exceed the Tivoli Access Manager ssl-v3-timeout value. The default value for ssl-v3-timeout is 120 minutes.

This parameter is optional. If you are not familiar with the administration of this value, one can safely use the default value.

-w WebSphere_admin_user

Specifies the user name that is configured in the WAS security user registry field as the administrator. This value matches the account that you created or imported in Creating the security administrative user. Access permission for this user is needed to create or update the Tivoli Access Manager protected object space.

When the WAS administrative user does not already exist in the protected object space, it is created or imported. In this case, a random password is generated for the user and the account is set to not valid. Change this password to a known value and set the account to valid.

A protected object and access control list (ACL) are created. The administrative user is added to the pdwas-admin group with the following ACL attributes:


Traverse permission


Invoke permission


Specifies the action group name. WebAppServer is the default name. This action group name (and the matching root object space) can be overwritten when the migration utility is run with the -r option.



This utility migrates security policy information from deployment descriptors (enterprise archive files) to Tivoli Access Manager for WebSphere Application Server. The script calls the Java class: com.tivoli.pdwas.migrate.Migrate.

Before invoking the script run setupCmdLine.bat or setupCmdLine.sh. These files can be found in the %WAS_HOME%/bin directory.

The script is dependent on finding the correct environment variables for the location of prerequisite software. The script calls Java code with the following options:


The directory containing the native language support libraries that are provided with the Tivoli Access Manager JACC provider. These libraries are located in a subdirectory under the Tivoli Access Manager JACC provider installation directory. For example:


-cp %CLASSPATH% com.tivoli.pdwas.migrate.Migrate

The CLASSPATH variable must be set correctly for your Java installation.

On Windows platforms, both the -j option and the -c option can reference the %WAS_HOME% variable to determine where WAS is installed. This information is used to:


Return codes

The following exit status codes can

be returned:


The command completed successfully.


The command failed.




WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.
Tivoli is a trademark of the IBM Corporation in the United States, other countries, or both.