com.tivoli.pd.jcfg.SvrSslCfg utility for SSO

The SvrSslCfg script integrates WAS user account and server entries with the ISAM user registry, generating a configuration file and a Java keystore file that stores a client certificate in the application server profile. This allows Callers to authenticate against ISAM authentication services.

The svrsslcfg script wraps the SvrSslCfg class and provides support for multiple WAS profiles. The use of multiple profiles allows us to create multiple WAS environments that are completely isolated from one another.

Run svrsslcfg first on the deployment manager and then on all the other nodes in the cell.

cd app_server_root/bin
java com.tivoli.pd.jcfg.SvrSslCfg \
        -action {config | unconfig} \
        -admin_id admin_user_ID \
        -admin_pwd admin_password \
        -appsvr_id application_server \
        -appsvr_pwd application_server_password \
        -mode{local|remote} \
        -host host_name_of_application_server \
        -policysvr policy_server:port:rank [,...] \
        -authzsvr authorization_server:port:rank [,...] \
        -cfg_file path_to_configuration_file \
        -domain ISAM_domain \
        -key_file path_to_keystore_file \
        -cfg_action {create|replace}

Parameters

-action {config | unconfig}

Configuration action performed by the script.

-action config

Create user and server information in the user registry. Create local configuration and key store files on the application server. Fails if the caller is unauthorized or the policy server cannot be contacted.

-action unconfig

• Remove the user and server information from the user registry
• Delete the local key store file
• Remove information for this application from the configuration file without deleting the file

This action can succeed if the configuration file does not exist. If the configuration file does not exist, it is created and used as a temporary file to hold configuration information during the operation, and then the file is deleted completely.

-admin_id admin_user_ID

The ISAM administrator name. If not specified, sec_master is the default.

A valid administrative ID is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. We cannot use a space in the administrative ID.

For example, for U.S. English the valid characters are the letters a-Z, the numbers 0-9, a period (.), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the administrative ID, if there are limits, are imposed by the underlying registry.

-admin_password admin_password

Password of the ISAM administrator user associated with the -admin_id parameter. The password restrictions depend upon the password policy for our ISAM configuration.

-appsvr_id application_server

Name of the application server. The name is combined with the host name to create unique names for ISAM objects created for the application. The following names are reserved for ISAM applications: ivacld, secmgrd, ivnet, and ivweb.

-appsvr_pwd application_server_password

Password of the application server. This option is required. A password is created by the system and the configuration file is updated with the password created by the system.

If not specified, the server password will be read from standard input.

-authzsvr authorization_server

Name of the ISAM authorization server with which the application server communicates. The server is specified by fully qualified host name, the SSL port number, and the rank. The default SSL port number is 7136. For example: myauth.mycompany.com:7136:1. We can specify multiple servers if the entries are separated by a comma (,).

-cfg_action {create | replace}

Action to take when creating the configuration and key files. Valid values are create or replace. Use the create option to initially create the configuration and keystore files. Use the replace option if these files already exist. If we use the create option and the configuration or keystore files already exist, an exception is created.

Options are as follows:

create

To create the configuration and key store files during server configuration. Configuration fails if either of these files already exists.

replace

Replace the configuration and key store files during server configuration. Configuration deletes any existing files and replaces them with new ones.

-cfg_file path_to_configuration_file

Configuration file path and name.

A file name should be an absolute file name (fully qualified file name) to be valid.

-domain Tivoli_Access_Manager_domain

The ISAM domain name to which the administrator is authenticated. This domain must exist and an the administrator ID and password must be valid for this domain. The application server is specified in this domain.

If not specified, the local domain that was specified during ISAM runtime configuration will be used. The local domain value will be retrieved from the configuration file.

A valid domain name is an alphanumeric, case-sensitive string. String values are expected to be characters that are part of the local code set. We cannot use a space in the domain name.

For example, for U.S. English the valid characters for domain names are the letters a-Z, the numbers 0-9, a period ( . ), an underscore (_), a plus sign (+), a hyphen (-), an at sign (@), an ampersand (&), and an asterisk (*). The minimum and maximum lengths of the domain name, if there are limits, are imposed by the underlying registry.

-host host_name_of_application_server

The TCP host name used by the ISAM policy server to contact this server. This name is saved in the configuration file using the azn-app-host key. The default is the local host name returned by the operating system. Valid values for host_name include any valid IP host name.

Examples:

host = libra
host = libra.dallas.ibm.com

-key_file path_to_keystore_file

Directory that is to contain the key files for the server. A valid directory name is determined by the operating system. Use a fully qualified file name containing the application server certificate and key file. Verify the server user (for example, ivmgr) or all users have permission to access the .kdb file and the folder containing the .kdb file.

This option is required.

-mode server_mode

Mode in which the application operates. This value must be either local or remote.

(iSeries) Mode in which the application server processes requests. Only the remote mode is supported.

-policysvr policy_server

Name of the policy server.

(iSeries) Names of servers that run the ISAM policy server (ivmgrd) with which the application server communicates. A server is specified by a fully qualified host name, the SSL port number, and the rank. The default SSL port number is 7135. For example: mypolicy.mycompany.com:7135:1. We can specify multiple servers if the entries are separated by a comma (,).

(iSeries) -port port_number

(iSeries) The TCP/IP communications port on which the application server listens for communications from the policy servers.

(iSeries) -profileName profile

(iSeries) Name of our WAS profile. If not specified, the default server1 profile is used.

After the successful configuration of an ISAM Java application server, SvrSslCfg creates a user account and server entries representing the Java application server in the ISAM user registry. In addition, SvrSslCfg creates a configuration file and a Java key store file, which securely stores a client certificate, locally on the application server. This client certificate permits callers to make authenticated use of ISAM services. Conversely, reconfiguration removes the user and server entries from the user registry and cleans up the local configuration and keystore files.

The contents of an existing configuration file can be modified using the SvrSslCfg utility. The configuration file and the key store file must already exist when calling SvrSslCfg with all options other than -action config or -action unconfig.

The following options are parsed and processed into the configuration file, but are otherwise ignored in this version of ISAM:

The host name is used to build a unique name (identity) for the application. The pdadmin user list command displays the application identity name in the following format:

server/host_name

The pdadmin server list command displays the server name in a slightly different format:

server-host_name

Example:

CLASSPATH=${WAS_HOME}/tivoli/tam/PD.jar:${WAS_CLASSPATH}
java -cp ${CLASSPATH} \
-Dpd.cfg.home= ${WAS_HOME}/java/jre \
-Dfile.encoding=ISO8859-1 \
-Xnoargsconversion \
com.tivoli.pd.jcfg.SvrSslCfg \
-action config \
-admin_id sec_master \
-admin_pwd $TAM_PASSWORD \
-appsvr_id $APPSVR_ID \
-policysvr ${TAM_HOST}:7135:1 \
-port 7135 \
-authzsvr ${TAM_HOST}:7136:1 \
-mode remote \
-cfg_file ${CFG_FILE} \
-key_file ${KEY_FILE} \
-cfg_action create

See also:

• Configure SSO capability with ISAM WebSEAL