(iseries)

Deploy the Enterprise Identity Mapping sample application

We can deploy the sample application into the WAS environment.

Use Enterprise Identity Mapping (EIM) identity token connection factories requires that WebSphere Application Server administrative security be enabled. However, no restrictions or limitations exist on how you choose to configure administrative security.

Before you deploy the sample application, enable WebSphere Application Server administrative security. This step is not required if you already have administrative security enabled for the WAS profile. For more information on how to configure security, see Enable security.

The source code files used to implement the sample application are contained in the testIdentityToken.ear file and can be used as a model for creating our own applications.

The com.ibm.identitytoken.IdentityTokenTest class is a servlet in the sample application. After the application is deployed, the source code file for the IdentityTokenTest servlet is in this directory:

profile_root/installedApps/testIdentityToken.ear/testIdentityTokenWeb.war
/WEB-INF/source/com/ibm/identityToken/IdentityTokenTest.java

Note the IdentityTokenTest servlet design features when you implement our own application.

• A profile variable with a String type and the name, sourceApplicationID, is set in the init method of the IdentityTokenTest servlet. This variable is later used with the setSourceApplicationID method of a ConnectionSpecImpl object to uniquely identify the application to Enterprise Identity Mapping (EIM). When you implement our own applications, use a similar convention to assign a unique SourceApplicationID ID.

• After an identity token is generated, it is used to create a com.ibm.as400.access.AS400 object, which is stored in an HTTPSession object immediately after the AS400 object is used to run the OS/400 server command on the selected host server. Only the AS400 object persists across requests to the server (not the IdentityToken object), which provides improved performance for subsequent requests, and the identity token does not expire.

The following steps help you deploy the sample application into the WAS environment.

1. Restart the application server.

2. Deploy the sample application.

   1. In the WAS console, click Applications > Install applications.

   2. Select Local path if we have a drive mapped to the iSeries server. Otherwise, select Server path.

   3. Specify the path name or browse to the path name for the testidentitytoken.ear EAR file. This file is found in the /QIBM/ProdData/OS400/security/eim/ directory on the server.

   4. Click Next.

   5. Optional: Change the virtual host values.

   6. Click Next.

   7. Select the installation options, and click Next.

   8. Decide whether to map modules to servers and click Next.

   9. Select the module in the Map resource references to resources panel and click Next.

   10. Optional: Change the JNDI name for the eis/IdentityToken_Shared_Reference reference binding . Do this step if you configured the connection factory with a JNDI name other than eis/IdentityToken.

   11. Accept the default values for the remainder of the panels and click Next.

   12. On the Summary panel, click Finish.

   13. Expand System administration and click Save Changes to Master Repository.

   14. Click Save.

3. Run the sample application.

   1. In the WAS console, click Applications > Enterprise applications.

   2. Select the testIdentityToken application.

   3. Click Start.

   4. Open a new session of the web browser.

   5. If we mapped the sample application web module to an external web server, refresh the WAS web server plug-in.

      To refresh the web server plug-in, perform the following steps:

      1. Click Servers > Web servers > Web_server_name.

      2. Click Generate Plug-in.

   6. Specify the application welcome page from the web browser. Use the following web address:
      http://your.server.name:port/testIdentityTokenWeb/IDTknTest.jsp

      The your.server.name and port variables are the values for the external web server or internal HTTP transport (WAS container).

   7. Specify a value for OS/400 host system name and for OS/400 command. For example, if we have EIM configured for the my_server server, specify my_server in the OS/400 host system name field. Specify crtlib my_library in the OS/400 command field.

   8. Click Submit.

   9. Specify a user ID and password at the login prompt.

      After you click Submit, the request is sent to the IdentityTokenTest servlet, which is protected by the allUsers role. The allUsers role is bound to the AllAuthenticated special subject so any user in the WAS user registry is authorized to access the IdentityTokenTest servlet.

   10. Click OK. If we specified my_library, the response is similar to the following example:
       Library my_library created.

   11. Verify that the library is created under the user profile that is mapped by EIM:

       1. From a CL command line, enter wrklnk '/QSYS.LIB/my_library.lib'.

       2. On the Work with Object Links screen, enter 8 in the option field for my_library.lib.

       3. Verify that the value of the Owner attribute for the my_library library is the user profile that is mapped by EIM.

Related tasks

Configure single sign-on capability with Enterprise Identity Mapping

Enable security

Start an application server

Stopping an application server

Related information:

Toolbox for Java

Enterprise Identity Mapping (EIM) in the iSeries Information Center

WAS v6 for OS/400