+

Search Tips   |   Advanced Search

Migrate trust association interceptors

Use this topic to manually migrate trust associations.

  • Data sources are not supported for use within a Trust Association Interceptor (TAI). Data sources are intended for use within J2EE applications and designed to operate within the EJB and web containers. Trust Association Interceptors do not run within a container, and while data sources may function in the TAI environment, they are untested and not guaranteed to function properly.

    The following topics are addressed in this document:

    Changes to the product-provided trust association interceptors

    For the product-provided implementation for the WebSEAL server, a new optional com.ibm.websphere.security.webseal.ignoreProxy property is added. If true or yes, the implementation does not check for the proxy host names and the proxy ports to match any of the host names and ports listed in the com.ibm.websphere.security.webseal.hostnames and the com.ibm.websphere.security.webseal.ports property respectively. For example, if the VIA header contains the following information:

      HTTP/1.1 Fred (Proxy), 1.1 Sam (Apache/1.1), HTTP/1.1 webseal1:7002, 1.1 webseal2:7001

    and the com.ibm.websphere.security.webseal.ignoreProxy property is set to true or yes, the host name Fred, is not used when matching the host names. By default, this property is not set, which implies that any proxy host names and ports that are expected in the VIA header are listed in the host names and the ports properties to satisfy the isTargetInterceptor method.

    The previous VIA header information was split onto two lines for illustrative purposes only.

    For more information about the com.ibm.websphere.security.webseal.ignoreProxy property, see Configuring single signon using trust association interceptor ++.

    Migrate product-provided trust association interceptors

    The properties that are located in the webseal.properties and trustedserver.properties files are not migrated from previous versions of WAS. We must migrate the appropriate properties to WAS v6.0.x using the trust association panels in the console. For more information, see Configuring trust association interceptors.

    Changes to the custom trust association interceptors

    If the custom interceptor extends the com.ibm.websphere.security.WebSphereBaseTrustAssociationInterceptor property, implement the following new method to initialize the interceptor:

    public int init (java.util.Properties props);

    WebSphere Application Server checks the return status before using the trust association implementation. Zero (0) is the default value for indicating that the interceptor is successfully initialized.

    However, if a previous implementation of the trust association interceptor returns a different error status, we can either change the implementation to match the expectations or make one of the following changes:

    Method 1:

    Add the com.ibm.websphere.security.trustassociation.initStatus property in the trust association interceptor custom properties. Set the property to the value that indicates the interceptor is successfully initialized. All of the other possible values imply failure. In case of failure, the corresponding trust association interceptor is not used.

    Method 2:

    Add the com.ibm.websphere.security.trustassociation.ignoreInitStatus property in the trust association interceptor custom properties. Set the value of this property to true, which tells WebSphere Application Server to ignore the status of this method. If we add this property to the custom properties, WAS does not check the return status, which is similar to previous versions of WAS.

    The public int init (java.util.Properties props method replaces the public int init (String propsFile) method.

    The init(Properties) method accepts a java.util.Properties object, which contains the set of properties required to initialize the interceptor. All of the properties set for an interceptor are sent to this method. The interceptor can use these properties to initialize itself. For example, in the product-provided implementation for the WebSEAL server, this method reads the hosts and ports so that a request coming in can be verified to come from trusted hosts and ports. A return value of Zero (0) implies that the interceptor initialization is successful. Any other value implies that the initialization is not successful and the interceptor is not used.

    The init(String) method still works to use it instead of implementing the init(Properties) method. The only requirement is that you enter the file name containing the custom trust association properties using the Custom Properties link of the interceptor in the console or by using scripts. We can enter the property using either of the following methods. The first method is used for backward compatibility with previous versions of WAS.

    (dist)(zos) Method 1:

    The same property names used in the previous release are used to obtain the file name. The file name is obtained by concatenating .config to the com.ibm.websphere.security.trustassociation.types property value. If the myTAI.properties file is located in the app_server_root/properties directory, set the following properties:

    • com.ibm.websphere.security.trustassociation.types = myTAItype

    • com.ibm.websphere.security.trustassociation.myTAItype.config = app_server_root/properties/myTAI.properties

    (iseries) Method 1:

    The same property names used in the previous release are used to obtain the file name. The file name is obtained by concatenating .config to the com.ibm.websphere.security.trustassociation.types property value. If the myTAI.properties file is located in the profile_root/properties directory, set the following properties:

    • com.ibm.websphere.security.trustassociation.types = myTAItype

    • com.ibm.websphere.security.trustassociation.myTAItype.config = profile_root/properties/myTAI.properties

    (dist)(zos) Method 2:

    We can set the com.ibm.websphere.security.trustassociation.initPropsFile property in the trust association custom properties to the location of the file. For example, set the following property: 
    com.ibm.websphere.security.trustassociation.initPropsFile=
app_server_root/properties/myTAI.properties

    The previous line of code is split into two lines for illustrative purposes only. Type as one continuous line.

    (iseries) Method 2:

    We can set the com.ibm.websphere.security.trustassociation.initPropsFile property in the trust association custom properties to the location of the file. For example, set the following property: 
    com.ibm.websphere.security.trustassociation.initPropsFile=
 profile_root/properties/myTAI.properties

    The previous line of code is split into two lines for illustrative purposes only. Type as one continuous line.

    In a WAS Network Deployment installation, where the location of the file name can vary for different nodes, use the variable install_root to refer to the WAS installation directory.

    However, it is highly recommended that the implementation be changed to implement the init(Properties) method instead of relying on the init (String propsfile) method.

    Migrate custom trust association interceptors

    The trust associations from previous versions of WAS are not automatically migrated to WebSphere Application Server v8.5. We can manually migrate these trust associations using the following steps:

    1. Recompile the implementation file, if necessary.

      For more information, refer to the "Changes to the custom trust association interceptors" section previously discussed in this document.

      (dist)(zos) To recompile the implementation file, type the following code: 

      %WAS_HOME%/java/bin/javac -classpath %WAS_HOME%/plugins/com.ibm.ws.runtime.jar;
%WAS_HOME%/dev/JavaEE/j2ee.jar your_implementation_file.java
      The previous line of code is broken into two lines for illustrative purposes only. Type the code as one continuous line. (iseries)

      1. Enter QSH from a command line to start the QShell environment.

      2. Change to the directory containing the Java source file.

      3. Enter the command to recompile the implementation file.

          javac -Djava.version=1.6 -classpath app_server_root/plugins/com.ibm.ws.runtime.jar: install_root/dev/JavaEE/j2ee.jar your_implementation_file.java

    2. (dist)(zos) Identify the trust association interceptor class file for use when the server is restarted. Place the file either at theapp_server_root/classes directory OR use the Java Virtual Machine (JVM) system property, -Dws.ext.dirs to specify where the file resides.

    3. (iseries) Copy the custom trust association interceptor class files to a location in the product class path. Copy these class files into the profile_root/classes directory.

      We must copy this class file to the profile_root/classes directory of each node and cell.

    4. Restart all the serversWebSphere Application Server.

    5. Enable security to use the trust association interceptor. The properties that are located in the custom trust association properties file and in the trustedserver.properties file are not migrated from previous versions of WAS. We must migrate the appropriate properties to WebSphere Application Server v8.5 using the trust association panels in the console.

      For more information, see Configure trust association interceptors.


    Related tasks

  • Integrate third-party HTTP reverse proxy servers