Configure security with scripting
We can configure security with scripting and wsadmin.
Before starting this task, wsadmin must be running. Read about Starting the wsadmin scripting client for more information. If you enable security for an application server cell, supply authentication information to communicate with servers. The sas.client.props and the soap.client.props files are located in the following properties directory for each application server profile:
- profile_root/properties
- The nature of the properties file updates required for running in secure mode depends on whether you connect with a Remote Method Invocation (RMI) connector, a JSR160RMI connector, an Inter-Process Communications (IPC) connector, or a SOAP connector:
  - If we use a Remote Method Invocation (RMI) connector or a JSR160RMI connector, set the following properties in the sas.client.props file with the appropriate values:
    com.ibm.CORBA.loginUserid=
    com.ibm.CORBA.loginPassword=
    Also, set the following property:
    com.ibm.CORBA.loginSource=properties
    The default value for this property is prompt in the sas.client.props file. If you leave the default value, a dialog box is displayed with a password prompt. If the script is running unattended, the system stops.
  - If we use a SOAP connector, set the following properties in the soap.client.props file with the appropriate values:
    com.ibm.SOAP.securityEnabled=true
    com.ibm.SOAP.loginUserid=
    com.ibm.SOAP.loginPassword=
    Optionally, set the following property:
    com.ibm.SOAP.loginSource=none
    The default value for this property is prompt in the soap.client.props file. If you leave the default value, a dialog box is displayed with a password prompt. If the script is running unattended, the system stops.
  - If we use an IPC connector, set the following properties in the ipc.client.props file with the appropriate values:
    com.ibm.IPC.loginUserid=
    com.ibm.IPC.loginPassword=
    Optionally, set the following property:
    com.ibm.IPC.loginSource=prompt
    The default value for this property is prompt in the soap.client.props file. If you leave the default value, a dialog box appears with a password prompt. If the script is running unattended, it appears to hang.
- Specify user and password information. Choose one of the following methods:
  - Specify the user name and password on the command line, using the -user and -password options, as the following example demonstrates:
    wsadmin -conntype JSR160RMI -port 2809 -user u1 -password secret1
  - Specify the user name and password in the sas.client.props file for an RMI connector, the ipc.client.props file for the IPC connector, or the soap.client.props file for a SOAP connector.
  If we specify user and password information both on the command line and in the sas.client.props file or the soap.client.props file, the command-line information overrides the information in the props file.
  The -password option may result in a security exposure, because the password becomes visible to system status programs such as the ps command, which any other user can invoke to display all running processes. Do not use this option if security exposure is a concern. Instead, specify the user and password information in the soap.client.props file for the SOAP connector, the sas.client.props file for the JSR160RMI connector or the Remote Method Invocation (RMI) connector, or the ipc.client.props file for the IPC connector. The soap.client.props, sas.client.props, and ipc.client.props files are located in the properties directory of your profile.
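The checks that this procedure implies, as an added example that is not from the IBM documentation or part of the WAS product: a POSIX shell function that inspects a client properties file (soap.client.props, sas.client.props or ipc.client.props) before an unattended wsadmin run, so that a loginSource left at its default, a missing user id, or a stored password in a world-readable file is caught before the script blocks or leaks. The property names are the ones listed above; the sample files, the directory created with mktemp, the user name wasadmin, and the placeholder password are constructed for the demonstration, and the wsadmin.sh invocation in the final comment is illustrative only.

```shell
#!/bin/sh
# Added example, not from the IBM page: pre-flight check of a wsadmin client
# properties file before an unattended run. Property names are the ones the
# page lists; the sample files, user name and password are constructed
# placeholders for the demonstration.

# get_prop FILE KEY: print the value of KEY (last non-comment occurrence wins).
get_prop() {
    grep -v '^[[:space:]]*#' "$1" | grep "^$2=" | tail -n 1 | cut -d= -f2- | sed -e 's/[[:space:]]*$//'
}

# check_client_props FILE PREFIX
# PREFIX is SOAP, CORBA (for sas.client.props) or IPC. Prints one finding per
# line and returns the number of findings; 0 means ready for an unattended script.
check_client_props() {
    cp_file=$1
    cp_prefix=$2
    cp_problems=0

    if [ ! -r "$cp_file" ]; then
        echo "ERROR: $cp_file is not readable"
        return 1
    fi

    # SOAP only: without securityEnabled=true the client does not send credentials.
    if [ "$cp_prefix" = SOAP ] && [ "$(get_prop "$cp_file" com.ibm.SOAP.securityEnabled)" != true ]; then
        echo "ERROR: com.ibm.SOAP.securityEnabled is not true"
        cp_problems=$((cp_problems + 1))
    fi

    # loginSource left at its default (prompt) opens a password dialog, so an
    # unattended script stops or appears to hang.
    cp_source=$(get_prop "$cp_file" "com.ibm.$cp_prefix.loginSource")
    case "$cp_source" in
        ''|prompt)
            echo "ERROR: com.ibm.$cp_prefix.loginSource is '${cp_source:-unset, defaults to prompt}'; an unattended run would block"
            cp_problems=$((cp_problems + 1)) ;;
    esac

    # A user id must be present.
    if [ -z "$(get_prop "$cp_file" "com.ibm.$cp_prefix.loginUserid")" ]; then
        echo "ERROR: com.ibm.$cp_prefix.loginUserid is empty"
        cp_problems=$((cp_problems + 1))
    fi

    # A password stored in the file must not be readable by group or others.
    if [ -n "$(get_prop "$cp_file" "com.ibm.$cp_prefix.loginPassword")" ]; then
        cp_mode=$(stat -c '%a' "$cp_file" 2>/dev/null || stat -f '%Lp' "$cp_file" 2>/dev/null)
        case "$cp_mode" in
            *00) ;;   # 600, 400, ...: owner only
            *)  echo "WARNING: $cp_file stores a password but has mode '$cp_mode' (expected 600)"
                cp_problems=$((cp_problems + 1)) ;;
        esac
    fi
    return "$cp_problems"
}

# --- Constructed sample files for the demonstration ---
SAMPLE_DIR=$(mktemp -d)

# Weak: defaults left in place and the file readable by everyone.
cat > "$SAMPLE_DIR/weak.soap.client.props" <<'EOF'
com.ibm.SOAP.securityEnabled=false
com.ibm.SOAP.loginUserid=wasadmin
com.ibm.SOAP.loginPassword=PLACEHOLDER_PASSWORD
com.ibm.SOAP.loginSource=prompt
EOF
chmod 644 "$SAMPLE_DIR/weak.soap.client.props"

# Corrected: the SOAP settings the page gives, in an owner-only file.
cat > "$SAMPLE_DIR/soap.client.props" <<'EOF'
com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=wasadmin
com.ibm.SOAP.loginPassword=PLACEHOLDER_PASSWORD
com.ibm.SOAP.loginSource=none
EOF
chmod 600 "$SAMPLE_DIR/soap.client.props"

# RMI/JSR160RMI variant from the page: credentials read from the file.
cat > "$SAMPLE_DIR/sas.client.props" <<'EOF'
com.ibm.CORBA.loginUserid=wasadmin
com.ibm.CORBA.loginPassword=PLACEHOLDER_PASSWORD
com.ibm.CORBA.loginSource=properties
EOF
chmod 600 "$SAMPLE_DIR/sas.client.props"

for f in weak.soap.client.props:SOAP soap.client.props:SOAP sas.client.props:CORBA; do
    check_client_props "$SAMPLE_DIR/${f%%:*}" "${f##*:}"
    echo "${f%%:*} -> $? finding(s)"
done
# Once the file passes, run the script with no -password on the command line so
# the password never appears in ps output (illustrative invocation, not executed):
#   wsadmin.sh -conntype SOAP -port 8879 -f secure_config.py
```

The function only inspects the file; it does not verify the credentials against the server, and it treats any mode ending in 00 (600, 400) as owner-only. The mode lookup tries the GNU stat form first and falls back to the BSD form, so the check runs on Linux and macOS.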
Subtopics
- Enable and disable security using scripting
  We can use scripting to enable or disable application security, global security, administrative security based on the LocalOS registry, and authentication mechanisms.
- Enable and disable Java 2 security using scripting
  We can enable or disable Java 2 security with scripting and wsadmin.
- WizardCommands command group for AdminTask
  We can use the Jython or Jacl scripting languages to configure security with wsadmin. The commands and parameters in the WizardCommands group can be used to configure security using actions similar to the security wizard panels in the dmgr console.
- Configure multiple security domains using scripting
  We can customize your security configuration at the cell, server, or cluster level by configuring multiple security domains.
- Configure the JACC provider for Tivoli Access Manager using the wsadmin utility
  We can use the wsadmin utility to configure Tivoli Access Manager security for WAS.
- Secure communications using wsadmin
  The application server provides several methods to secure communication between a server and a client. Use this topic to configure Secure Sockets Layer (SSL), keystores, certificate authorities, key sets and groups, and certificates.
- Enable authentication in the file transfer service using scripting
  The file transfer service provides role-based authentication. We can enable authentication in the file transfer service using scripting and wsadmin.
- Propagating security policy of installed applications to a JACC provider using wsadmin.sh
  It is possible that we have applications installed prior to enabling the Java Authorization Contract for Containers (JACC)-based authorization. We can start with default authorization and then move to an external provider-based authorization using JACC later.
- Configure custom adapters for federated repositories using wsadmin
  We can use the Jython or Jacl scripting language with wsadmin to define custom adapters in the federated repositories configuration file.
- Disable embedded Tivoli Access Manager client using wsadmin
  Follow these steps to unconfigure the Java Authorization Contract for Containers (JACC) provider for Tivoli Access Manager.
- Configure security auditing using scripting
  Security auditing provides tracking and archiving of auditable events. This topic uses wsadmin to enable and administer your security auditing configurations.
- SSLMigrationCommands command group for AdminTask
  We can use the Jython or Jacl scripting languages to migrate key store configurations. Use the commands in the SSLMigrationCommands group to convert self-signed certificates to chained personal certificates and to enable writable key rings.
- IdMgrConfig command group for AdminTask
  We can use the Jython or Jacl scripting languages to configure the virtual member manager with wsadmin. The commands and parameters in the IdMgrConfig group can be used to create and manage your entity type configuration.
- IdMgrRepositoryConfig command group for AdminTask
  We can use the Jython or Jacl scripting languages to configure security. The commands and parameters in the IdMgrRepositoryConfig group can be used to create and manage the virtual member manager and LDAP directory properties.
- IdMgrRealmConfig command group for AdminTask
  We can use the Jython or Jacl scripting languages to configure federated repositories realms. The commands and parameters in the IdMgrRealmConfig group can be used to create and manage your realm configuration.
- IdMgrDataModel command group for AdminTask
  We can use the Jython or Jacl scripting language to manage the federated repository schema using wsadmin. Use the commands and parameters in the IdMgrDataModel group to manage the property extension repository. The commands are available in connected or local mode using the -conntype NONE option.
- IdMgrDBSetup command group for AdminTask
  We can use the Jython or Jacl scripting language to manage the federated repository schema using wsadmin. Use the deleteIdMgrPropertyExtensionEntityData command and its parameters in the IdMgrDBSetup group to manage the property extension repository. The command is available in both connected and local mode using the -conntype NONE option.
- JaspiManagement command group for AdminTask
  Use the commands and parameters in the JaspiManagement command group to manage the configuration of authentication providers.
- LTPACommandGroup command group for AdminTask
  We can use the Jython or Jacl scripting languages to import and export LTPA keys.
- WIMManagementCommands command group for AdminTask
  We can use the Jython or Jacl scripting languages to configure security with wsadmin. The commands and parameters in the WIMManagementCommands group can be used to create and manage groups, members, and users in the virtual member manager.
- DescriptivePropCommands command group for AdminTask
  We can use the Jython or Jacl scripting languages to configure security with wsadmin. The commands and parameters in the DescriptivePropCommands group can be used to create, delete, and manage key manager settings in your configuration.
- ManagementScopeCommands command group for AdminTask
  We can use the Jython or Jacl scripting languages to configure security with wsadmin. Inbound and outbound management scopes represent opposing directions during the connection handshake process. The commands and parameters in the ManagementScopeCommands group can be used to create, delete, and list management scopes.
- AuthorizationGroupCommands command group for AdminTask
  We can use the Jython or Jacl scripting languages to configure security with wsadmin. The commands and parameters in the AuthorizationGroupCommands group can be used to create and manage authorization groups.
- ChannelFrameworkManagement command group for AdminTask
  We can use the Jython or Jacl scripting languages to configure security. The commands and parameters in the ChannelFrameworkManagement group can be used to create and manage transport channels and transport channel chains.
- FIPSCommands command group for AdminTask
  We can use the Jython or Jacl scripting languages to configure Federal Information Processing Standards (FIPS) with wsadmin.
- SpnegoTAICommands group for AdminTask (deprecated)
  We can use the Jython or Jacl scripting languages to configure security with wsadmin. The commands and parameters in the SpnegoTAICommands group can be used to create and manage configurations used by the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) TAI.
- The Kerberos configuration file
  The Kerberos configuration properties, krb5.ini or krb5.conf files, must be configured on every WAS instance in a cell in order to use the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) TAI for WAS.
- SPNEGO web authentication configuration commands
  Use wsadmin commands to configure, unconfigure, validate, or display Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) in the security configuration.
- SPNEGO web authentication filter commands
  Use wsadmin commands to add, modify, delete, or show Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) Web authentication filters in the security configuration.
- Kerberos authentication commands
  Use wsadmin commands to create, modify, or delete Kerberos as the authentication mechanism for WAS.
- LTPA_LDAPSecurityOn and LTPA_LDAPSecurityOff command usage
  Use the examples in this topic to enable and disable LTPA/LDAP security, based on single sign-on using the LDAP user registry.
Related
- Use wsadmin scripting
- Get started with wsadmin scripting
- Start the wsadmin scripting client using wsadmin.sh
Reference
- SPNEGO TAI JVM configuration custom properties (deprecated)