Migrating with Tivoli Access Manager for authentication enabled

When Tivoli Access Manager security is configured for the existing environment and security is enabled, you can migrate to WebSphere Application Server, v8.5.

Your profiles must be migrated with the migration tools that migrate product configurations.

Do not restart the WAS v8.5 server until after performing the following procedure. The migration tools omit some files that enable the server to start correctly.

After migrating your profiles, additional steps are required when Tivoli Access Manager security is configured.

WAS v8.0 and later hosts Tivoli Access Manager-specific files under the %WAS_HOME%/tivoli/tam directory. In previous versions, these files were hosted under the %WAS_HOME%/java/jre/ hierarchy.

In the following steps, %WASX% refers to the installation root of the source WAS product, and %WAS8% refers to the installation root of the target WAS product (the v8.0 installation root).

  1. Copy the following files from the source location to the target location.

    Files to copy from the source location to the target location

    Source Location                                    Target Location
    -------------------------------------------------  ---------------------------------------------------
    %WASX%\java\jre\PDPerm.properties                  %WAS8%\tivoli\tam\PDPerm.properties
    %WASX%\java\jre\lib\security\PdPerm.ks (if found)  %WAS8%\tivoli\tam\lib\security\PdPerm.ks
    %WASX%\java\jre\lib\PdPerm.ks (if found)           %WAS8%\tivoli\tam\PdPerm.ks
    %WASX%\java\jre\PolicyDirector\PDCA.ks             %WAS8%\tivoli\tam\PolicyDirector\PDCA.ks
    %WASX%\java\jre\PolicyDirector\PD.properties       %WAS8%\tivoli\tam\PolicyDirector\PD.properties
    %WASX%\java\jre\PolicyDirector\etc\pdjrte_paths    %WAS8%\tivoli\tam\PolicyDirector\etc\pdjrte_paths
    %WASX%\java\jre\PolicyDirector\etc\pdjrte_mapping  %WAS8%\tivoli\tam\PolicyDirector\etc\pdjrte_mapping

  2. Edit the PD.properties file, and change the following configuration settings:

      appsvr-plcysvrs=null\:0:\:1
      config_type=standalone

    Make the appropriate changes to point to your Tivoli Access Manager Policy Server, for example:

      appsvr-plcysvrs=pdmgrd.test.gc.au.ibm.com\:7135\:1
      config_type=full

  3. Edit the following four files on the target system and verify that all of the path references are corrected:

    • %WAS8%/tivoli/tam/PdPerm.properties
    • %WAS8%/tivoli/tam/PolicyDirector/PD.properties
    • %WAS8%/tivoli/tam/PolicyDirector/etc/pdjrte_paths
    • %WAS8%/tivoli/tam/PolicyDirector/etc/pdjrte_mapping

    When you correct the paths, make the changes in the following order:

    1. Ensure that all references from %WASX%/java/jre/PolicyDirector are changed to %WAS8%/tivoli/tam/PolicyDirector.
    2. Ensure that all references (in the PdPerm.properties file) from the %WASX%/java/jre/[security]/PdPerm.ks file are changed to %WAS8%/tivoli/tam/PdPerm.ks.
    3. Ensure that all remaining references from %WASX%/java/jre are changed to %WAS8%/java/jre.
    4. Edit the %WAS8%/tivoli/tam/PolicyDirector/etc/pdjrte_mapping file. It contains the JRE->JRE mapping: %WAS8%/java/jre=%WAS8%/java/jre.

      Change this mapping to JRE->tivoli/tam: %WAS8%/java/jre=%WAS8%/tivoli/tam.

    Also see Migrating with Tivoli Access Manager for authentication enabled on multiple nodes for more information.
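
The ordered path corrections of step 3, as an added example (not IBM tooling and not code from the original page): it applies sub-steps 1 to 4 to file text and then audits the result. It assumes forward-slash paths as written in step 3; the install roots and property key names in the sample are constructed placeholders, and the function names are hypothetical.

```python
import re

def build_rules(wasx, was8):
    """Ordered (pattern, target) pairs for step 3, most specific first."""
    src = re.escape(wasx.rstrip("/")) + "/java/jre"
    was8 = was8.rstrip("/")
    return [
        # 1. The PolicyDirector tree moves under tivoli/tam.
        (re.compile(src + r"/PolicyDirector\b"), was8 + "/tivoli/tam/PolicyDirector"),
        # 2. Keystore reference. Treating lib/ and security/ as optional path
        #    parts is an assumption; the target name follows the step 1 table.
        (re.compile(src + r"/(?:lib/)?(?:security/)?(?i:PdPerm\.ks)\b"),
         was8 + "/tivoli/tam/PdPerm.ks"),
        # 3. Every remaining reference stays under java/jre of the target.
        (re.compile(src + r"(?![\w.-])"), was8 + "/java/jre"),
    ]

def rewrite(text, rules):
    """Apply the substitutions in list order; a function replacement avoids
    any escape processing of the target path."""
    for pattern, target in rules:
        text = pattern.sub(lambda m, t=target: t, text)
    return text

def fix_mapping(text, was8):
    """Sub-step 4: pdjrte_mapping must map the JRE to tivoli/tam, not to itself."""
    root = was8.rstrip("/")
    return text.replace(f"{root}/java/jre={root}/java/jre",
                        f"{root}/java/jre={root}/tivoli/tam")

def audit(text, wasx, was8):
    """Lines still pointing at the source root, or at TAM files under the
    target's java/jre (what a wrong substitution order leaves behind)."""
    misplaced = re.compile(re.escape(was8.rstrip("/")) +
                           r"/java/jre/(?:PolicyDirector\b|\S*(?i:PdPerm\.ks))")
    return [line for line in text.splitlines()
            if wasx.rstrip("/") + "/" in line or misplaced.search(line)]

# Constructed sample: install roots and key names are placeholders, not real TAM keys.
WASX, WAS8 = "/opt/IBM/WAS7", "/opt/IBM/WAS85"
SAMPLE = ("sample-pd-home=/opt/IBM/WAS7/java/jre/PolicyDirector\n"
          "sample-keystore=/opt/IBM/WAS7/java/jre/lib/security/PdPerm.ks\n"
          "sample-ext-dir=/opt/IBM/WAS7/java/jre/lib/ext\n")
MAPPING = "/opt/IBM/WAS7/java/jre=/opt/IBM/WAS7/java/jre\n"

if __name__ == "__main__":
    fixed = rewrite(SAMPLE, build_rules(WASX, WAS8))
    print(fixed, audit(fixed, WASX, WAS8))
    print(fix_mapping(rewrite(MAPPING, build_rules(WASX, WAS8)), WAS8))
```

If the general java/jre substitution runs first, no reference to the source root remains, so a check for %WASX% alone passes while the PolicyDirector and keystore paths still point under java/jre; audit() reports those lines as well.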

