Propagating security policy of installed applications to a JACC provider using wsadmin.sh

WAS v8.5 > Script the application serving environment (wsadmin) > Scripting for security > Configure security with scripting
Propagating security policy of installed applications to a JACC provider using wsadmin.sh

It is possible that we have applications installed prior to enabling the Java Authorization Contract for Containers (JACC)-based authorization. We can start with default authorization and then move to an external provider-based authorization using JACC later.

Best practice: Use wsadmin to propagate information to the JACC provider independent of the application installation process, avoiding the need to reinstall applications. Also, during application installation or modification you might have had problems propagating the security policy information to the JACC provider. For example, network problems might occur, the JACC provider might not be available, and so on. For these cases, the security policy of the previously installed applications does not exist in the JACC provider to make the access decisions. One choice is to reinstall the applications involved. However, we can avoid reinstalling using wsadmin.sh. Use this tool to propagate information to the JACC provider independent of the application installation process. The tool eliminates the need for reinstalling the applications.
The tool uses the SecurityAdmin MBean to propagate the policy information in the deployment descriptor of any installed application to the JACC provider. We can invoke this tool using wsadmin at the base application server for base and deployment manager level for WebSphere Application Server, Network Deployment. Note the SecurityAdmin MBean is available only when the server is running.
Use propagatePolicyToJACCProvider{-appNames appNames} to propagate the policy information in the deployment descriptor or annotations of the EAR files to the JACC provider. If the RoleConfigurationFactory and the RoleConfiguration interfaces are implemented by the JACC provider, the authorization table information in the binding file of the EAR files is also propagated to the provider. See the Interfaces that support JACC article for more information about these interfaces.
The appNames String contains the list of application names, delimited by a colon (:), whose policy information must be stored in the provider. If appNames is not present, the policy information of all the deployed applications is propagated to the provider.
Also, be aware of the following items:

Before migrating applications to the Tivoli Access Manager JACC provider, create or import the users and groups that are in the applications to Tivoli Access Manager.
Depending on the application or the number of applications that are propagated, you might have to increase the request time-out period either in the soap.client.props file in the directory profile_root/properties (if using SOAP) or in the sas.client.props file (if using RMI) for the command to complete. We can set the request time-out value to 0 to avoid the timeout problem, and change it back to the original value after the command is run.

Configure your JACC provider in WAS.
See the Authorizing access to J2EE resources using Tivoli Access Manager article for more information.
Restart the server.

Enter the following commands:
wsadmin>$AdminTask propagatePolicyToJACCProvider {-appNames appNames}

Subtopics

JACCUtilityCommands command group for AdminTask
Use this topic as a reference for the commands for the JACCUtilityCommands group for AdminTask. Use these commands to determine whether Java Authorization Contract for Containers (JACC) is enabled and whether the runtime uses a single security domain. We can also use these commands to propagate the security policies for application to the JACC provider.
JACCUtilityCommands command group for AdminTask
Use this topic as a reference for the commands for the JACCUtilityCommands group for AdminTask. Use these commands to determine whether Java Authorization Contract for Containers (JACC) is enabled and whether the runtime uses a single security domain. We can also use these commands to propagate the security policies for application to the JACC provider.

Related concepts:

Authorization providers
Tivoli Access Manager integration as the JACC provider
JACC providers
JACC support in WAS

Related

Authorizing access to Java EE resources using Tivoli Access Manager
Enable an external JACC provider

Reference:

Interfaces that support JACC
Security authorization provider troubleshooting tips

+
Search Tips | Advanced Search